<?xml version="1.0" encoding="ISO-8859-1"?>
<rss version="2.0" xmlns:myita="http://www.it-analysis.com/feed/ns">
    <channel>
        <title>IT-Director.com</title>
        <description>The latest independent, impartial information technology and business analysis from the Business Issues -&gt; Security &amp; Risk domain on IT-Director.com.</description>
        <link>http://www.it-director.com/r/do/19/f/fd_side_itd</link>
        <lastBuildDate>Thu, 09 Feb 2012 00:56:33 +0100</lastBuildDate>
        <generator>FeedCreator 1.7.2MW</generator>
        <language>en</language>
        <copyright>Content Copyright 2012 as indicated per item.</copyright>
        <item>
            <title>Nuance on track to transform enterprise printing</title>
            <link>http://www.it-director.com/business/security/content.php?cid=13157&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/12348/louella_fernandes.php?ref=fd_side_itd" title="View profile for Louella Fernandes"><img border="0" src="http://www.it-director.com/images/people/small/louella_fernandes.gif" width="40" height="50" alt="Louella Fernandes" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/12348/louella_fernandes.php?ref=fd_side_itd" title="View profile for Louella Fernandes">Louella Fernandes</a>, <em>Principal Analyst</em>, Quocirca<br/>Posted: 2nd February 2012<br/>Copyright Quocirca &copy; 2012</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Nuance is a company with a plethora of products that cover the gamut of voice recognition, document capture and print management. Nuance has largely grown through acquisition (about 50 in the last ten years), so it is probably better known by its product names, which include established brands such as PaperPort (desktop productivity), OmniPage (OCR), Dragon Dictate (voice recognition), eCopy (document capture and workflow) and Equitrac (print management) &#8211; its most recent acquisition. Overall, Nuance&#8217;s 2011 revenue reached &#36;1.318 billion, with 2012 sales expected to reach &#36;1.6 billion. Boosted by its eCopy and Equitrac acquisitions, its imaging division growth has been strong, with revenue reaching &#36;177m in 2011 and expected to exceed &#36;200m in 2012.</p>
<p>At its first European analyst event in London, Nuance discussed its strategic priorities for 2012, which include integration of its scan and print products and expansion of mobile and cloud delivery platforms. Nuance&#8217;s goal is to become the &#8220;MFP software standard&#8221; through delivering integrated cross-platform document capture and print management products &#8211; eCopy and Equitrac. Today, both products are well established, and Equitrac is already widely used to control and monitor print usage and costs across many verticals, with a particularly strong presence in the legal market &#8211; Nuance estimates that, globally, over 3,000 law firms use Equitrac. Its strong MFP and printer partner alliances mean Equitrac has long been used by major printer and copier OEMs such as HP, Ricoh and Xerox to provide enhanced multivendor print management capabilities for tracking, monitoring and reporting on scan, copy and print usage to their managed print services (MPS) customers.</p>
<p>This broadens the already strong OEM relationships on the eCopy side, including Canon, Konica Minolta and others.&#160; With Equitrac, eCopy and its desktop products, Nuance has business relationships with nearly all major MFP, printer and scanner manufacturers worldwide.</p>
<p><strong>Capturing the MPS opportunity</strong><br />Nuance sees MPS as a key driver for its growth in the coming year and views the Equitrac and Nuance document imaging solutions as important components of helping MPS providers to succeed. Indeed there is rapid adoption - Quocirca research shows that around 45% of large corporates now have some form of MPS as they seek to reduce the cost and complexity of operating previously unmanaged printer fleets, typically characterised by a patchwork of devices from different manufacturers, with different consumables, paper, supplier and service requirements. Few organisations have the tools to track and monitor usage leading to spiralling print costs &#8211; both financial and environmental. Security is also an issue as all too often documents are left in output trays exposed to prying eyes.</p>
<p>MPS addresses these issues through three major phases &#8211; assessment, optimisation and on-going continuous management. Nuance&#8217;s Equitrac products have a strong part to play in all phases, helping organisations to not only reduce print wastage through tracking and reporting, but also enhance security, promote user mobility and reduce environmental impact. Key to this is Equitrac&#8217;s &#8220;Follow-You&#8221; or pull-printing which releases documents only upon user authentication &#8211; through either user PIN or smart card authentication. The results are compelling - Liverpool John Moores University discussed how they had saved &#163;100,000 and reduced page volumes by 4.5 million per year through implementing Equitrac.</p>
<p>Nuance is also looking to address the largely untapped opportunity for MPS in the SMB market, via the reseller channel. Many resellers lack the resources or skills to deliver their own MPS, and are looking for a low-cost approach based on 3rd party platforms. Nuance intends to participate in this market which is seeing the emergence of cloud-based MPS offerings from vendors such as HP and Xerox. To capitalize on the emergence of cloud-based technologies and to support its partners&#8217; Managed Services initiatives, Nuance will continue to expand its product portfolio (print management, capture and OCR) from on-premise deployments to off-premise (cloud) models. This will provide a set of cloud-based print management, document capture and OCR technology services to partners who wish to include them as part of their own managed services offerings.&#160;</p>
<p>With the likes of HP and Xerox already having established cloud MPS platforms, Quocirca believes that Nuance will need to get these solutions to market quickly, particularly if it wishes to target the emerging ecosystem of independent MPS providers who will be looking for multivendor supported cloud-based services.</p>
<p>Quocirca believes that Nuance has product breadth, technical resources and channel reach to create a compelling set of enterprise cloud services around its eCopy and Equitrac products. However, given that both eCopy and Equitrac platforms have been gained through acquisition, Nuance still has some work to integrate them.</p>
<p><strong>Talking to printers?</strong><br />Given its heritage in speech recognition consumer technology, Nuance is uniquely positioned to apply this technology to enhance the printer and MFP user experience. The printer industry is far from immune from IT consumerisation, which continues to influence user expectations in the workplace. Whilst employees are used to the convenience, elegance and usability of tablets and smartphones, MFPs, in comparison, are in danger of becoming the elephant in the room.</p>
<p>Whilst most people are familiar with how to press print or copy, few users bother navigating complex nested menus to access finishing options or scan features. Businesses may therefore miss opportunities to minimise paper wastage through using features such as duplex or booklet printing instead of single-sided printing.</p>
<p>One technology that could improve the use of MFPs is voice recognition. Nuance has long been a leader in this field, and quietly provides back-end voice recognition functionality for Apple&#8217;s Siri. Could we in the future be telling our printers to print and staple 5 copies of a document &#8211; or scan a document and email it to a colleague? Yes - according to Nuance, the technology is already here to make it possible. It remains to be seen whether hardware vendors will embrace this opportunity to bring printers and MFPs into the 21st century.</p>]]></description>
            <author>rss@it-analysis.com (Louella Fernandes, Quocirca)</author>
            <category>Enterprise-&gt;Technology</category>
            <category>Services-&gt;Consulting</category>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <pubDate>Thu, 02 Feb 2012 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=13157&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Overlapping Criminal and State Threats Pose Cyber Security Threat to Global Internet Commerce</title>
            <link>http://www.it-director.com/business/security/content.php?cid=13129&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner"><img border="0" src="http://www.it-director.com/images/people/small/dana_gardner.gif" width="40" height="50" alt="Dana Gardner" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner">Dana Gardner</a>, <em>Principal Analyst</em>, Interarbor Solutions<br/>Posted: 5th January 2012<br/>Copyright Interarbor Solutions &copy; 2012</td><td><a href="http://www.it-director.com/about/company/8862/interarbor_solutions.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/interarbor_solutions.gif" width="88" height="33" alt="Logo for Interarbor Solutions" /></a></td></tr></table></div>

<p>This special BriefingsDirect thought leadership interview comes in conjunction with <a href="http://www3.opengroup.org/sanfrancisco2012" rel="nofollow">The Open Group Conference</a> this January in San Francisco.</p>
<p>The conference will focus on how IT and enterprise architecture support enterprise transformation. Speakers in conference events will also explore the latest in service oriented architecture (SOA), cloud computing, and security.</p>
<p>We&#8217;re here now with one of the main speakers, <a href="http://www.josephmenn.com/" rel="nofollow">Joseph Menn</a>, Cyber Security Correspondent for the Financial Times and author of <a href="http://fserror.com/" rel="nofollow">Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet</a><em>.</em></p>
<p>Joe has covered security since 1999, for the Financial Times and, before that, for the Los Angeles Times. Fatal System Error is his third book; he also wrote <a href="http://www.josephmenn.com/atr.php" rel="nofollow">All the Rave: The Rise and Fall of Shawn Fanning's Napster</a><em>.</em></p>
<p>As a lead-in to his Open Group presentation, entitled "What You're Up Against: Mobsters, Nation-States, and Blurry Lines," Joe Menn explores the current cyber-crime landscape, the underground cyber-gang movement, and the motive behind governments collaborating with organized crime in cyber space. The interview is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]</p>
<p>Here are some excerpts:</p>
<p><strong>Gardner:</strong> Have we entered a new period where just balancing risks and costs isn't a sufficient bulwark against burgeoning cyber crime?</p>
<p><strong>Menn:</strong> Maybe you can make your enterprise a little trickier to get into than the other guy&#8217;s enterprise, but crime pays very, very well and, in the big picture, their ecosystem is better than ours. They do capitalism better than we do. They specialize to a great extent. They reinvest in R&amp;D.</p>
<p>On our end, on the good guys&#8217; side, it's hard if you're a chief information security officer (CISO) or a chief security officer (CSO) to convince the top brass to pay more. You don&#8217;t really know what's working and what isn't. You don&#8217;t know if you've really been had by something that we call advanced persistent threat (APT). Even the top security minds in the country can't be sure whether they&#8217;ve been had or not. So it's hard to know what to spend on.</p>
<p>The other side doesn&#8217;t have that problem. They&#8217;re getting more efficient in the same way that they used to lead technical innovation. They're leading economic innovation. The freemium model is best evidenced by crimeware kits like ZeuS, where you can get versions that are pretty effective and will help you steal a bunch of money for free. Then if you like that, you have the add-on to pay extra for&#8212;the latest and greatest that are sure to get through the antivirus systems.</p>
<p><strong>Gardner:</strong> When you say "they," who are you really talking about?</p>
<p><strong>Menn:</strong> They, the bad guys? It's largely Eastern European organized crime. In some countries, they can be caught. In other countries they can't be caught, and there really isn't any point in trying.</p>
<p>It's a geopolitical issue, which is something that is not widely understood, because, in general, officials don&#8217;t talk about it. Working on my book, and in reporting for the newspapers, I've met really good cyber investigators for the Secret Service and the FBI, but I&#8217;ve yet to meet one that thinks he's going to get promoted for calling a press conference and announcing that they can&#8217;t catch anyone.</p>
<p>So the State Department, meanwhile, keeps hoping that the other side is going to turn a new leaf, but they&#8217;ve been hoping that for 10 or more years, and it hasn&#8217;t happened. So it's incumbent upon the rest of us to call a spade a spade here.</p>
<p>What's really going on is that Russian intelligence and, depending on who is in office at a given time, Ukrainian authorities, are knowingly protecting some of the worst and most effective cyber criminals on the planet.</p>
<p><strong>Gardner:</strong> And what would be their motivation?</p>
<p><strong>Menn:</strong> As a starting point, the level of garden-variety corruption over there is absolutely mind-blowing. More than 50 percent of Russian citizens responding to the <a href="http://www.bbc.co.uk/news/business-15544841" rel="nofollow">survey</a> say that they had paid a bribe to somebody in the past 12 months. But it's gone well beyond that.</p>
<p>The same resources, human and technical, that are used to rob us blind are also being used in what is fairly called cyber war. The same criminal networks that are after our bank accounts were, for example, used in denial-of-service (DOS) attacks on Georgian and Estonian websites belonging to government, major media, and Estonian banks.</p>
<p>It's the same guy, and it's a "look-the-other-way" thing. You can do whatever crime you want, and when we call upon you to serve Mother Russia, you will do so. And that has accelerated. Just in the past couple of weeks, with the disputed elections in Russia, you've seen mass DOS attacks against opposition websites, mainstream media websites, and live journals. It's a pretty handy tool to have at your disposal. I provide all the evidence that would be needed to convince the reasonable people in my book.</p>
<p><strong>Gardner:</strong> In your book you use the terms "bringing down the Internet." Is this all really a threat to the integrity of the Internet?</p>
<p><strong>Menn:</strong> Well, integrity is the key word there. No, I don&#8217;t think anybody is about to stop us all from the privilege of watching skateboarding dogs on YouTube. What I mean by that is the higher trust in the Internet in the way it's come to be used, not the way it was designed, but the way it is used now for online banking, ecommerce, and for increasingly storing corporate&#8212;and heaven help us, government secrets&#8212;in the cloud. That is in very, very great trouble.</p>
<p>I don&#8217;t think that now you can even trust transactions not to be monitored and pilfered. The latest, greatest versions of ZeuS get past multi-factor authentication and are not detected by any antivirus that&#8217;s out there. So consumers don&#8217;t have a prayer, in the words of <a href="http://www.rsa.com/node.aspx?id=1004" rel="nofollow">Art Coviello</a>, CEO of RSA, and corporations aren&#8217;t doing much better.</p>
<p>So the way the Internet is being used now is in very, very grave trouble and not reliable. That&#8217;s what I mean by it. If they turned all the botnets in the world on a given target, that target is gone. For multiple root servers and DNS, they could do some serious damage. I don&#8217;t know if they could stop the whole thing, but you're right, they don&#8217;t want to kill the golden goose. I don&#8217;t see a motivation for that.</p>
<p><strong>Gardner:</strong> If we look at organized crime in historical context, we found that there is a lot of innovation over the decades. Is that playing out on the Internet as well?</p>
<p><strong>Menn:</strong> Sure. The mob does well in any place where there is a market for something, and there isn&#8217;t an effective regulatory framework that sustains it&#8212;prohibition back in the day, prostitution, gambling, and that sort of thing.</p>
<p>... The Russian and Ukrainian gangs went to extortion as an early model, and ironically, some of the first websites that they extorted with the threat were the offshore gambling firms. They were cash rich, they had pretty weak infrastructure, and they were wary about going to the FBI. They started by attacking those sites in 2003-04 and then they moved on to more garden-variety companies. Some of them paid off and some said, "This is going to look a little awkward in our SEC filings" and they didn&#8217;t pay off.</p>
<p>Once the cyber gang got big enough, sooner or later, they also wanted the protection of traditional organized crime, because those people had better connections inside the intelligence agencies and the police force and could get them protection. That's the way it worked. It was sort of an organic alliance, rather than "Let&#8217;s develop this promising area."</p>
<p>... That is what happens. Initially it was garden-variety payoffs and protection. Then, around 2007, with the attack on Estonia, these guys started proving their worth to the Kremlin, and others saw that with the attacks that ran through their system.</p>
<p>This has continued to evolve very rapidly. Now the DOS attacks are routinely used as the tool for political repression all around the world&#8212;Vietnam, Iran and everywhere you&#8217;ll see critics that are silenced from DOS attacks. In most cases, it's not the spy agencies or whoever themselves, but it's their contract agents. They just go to their friends in the similar gangs and say, "Hey do this." What's interesting is that they are both in this gray area now, both Russia and China, which we haven't talked about as much.</p>
<p>In China, hacking really started out as an expression of patriotism. Some of the biggest attacks, <a href="http://en.wikipedia.org/wiki/Code_Red_%28computer_worm%29" rel="nofollow">Code Red</a> being one of them, were against targets in countries that were perceived to have slighted China or had run into some sort of territorial flap with China, and, lo and behold, they got hacked.</p>
<p>In the past several years, with this sort of patriotic hacking, the anti-defense establishment hacking in the West that we are reading a lot about finally, those same guys have gone off and decided to enrich themselves as well. There were actually disputes in some of the major Chinese hacking groups. Some people said it was unethical to just go after money, and some of these early groups split over that.</p>
<p>In Russia, it went the other way. It started out with just a bunch of greedy criminals, and then they said, "Hey&#8212;we can do even better and be protected. You have better protection if you do some hacking for the motherland." In China, it's the other way. They started out hacking for the motherland, and then added, "Hey&#8212;we can get rich while serving our country."</p>
<p>So they're both sort of in the same place, and unfortunately it makes it pretty close to impossible for law enforcement in [the U.S.] to do anything about it, because it gets into political protection. What you really need is White House-level dealing with this stuff. If President Obama is going to talk to his opposite numbers about Chinese currency, Russian support of something we don&#8217;t like, or oil policy, this has got to be right up there too&#8212;or nothing is going to happen at all.</p>
<p><strong>Gardner:</strong> What about the pure capitalism side, stealing intellectual property (IP) and taking over products in markets with the aid of these nefarious means? How big a deal is this now for enterprises and commercial organizations?</p>
<p><strong>Menn:</strong> It is much, much worse than anybody realizes. The U.S. counterintelligence a few weeks ago finally <a href="http://www.washingtontimes.com/news/2011/nov/3/us-report-blasts-china-russia-for-cybercrime/?page=all" rel="nofollow">put out a report</a> saying that Russia and China are deliberately stealing our IP, the IP of our companies. That's an open secret. It's been happening for years. You're right. The man in the street doesn&#8217;t realize this, because companies aren&#8217;t used to fessing up. Therefore, there is little outrage and little pressure for retaliation or diplomatic engagement on these issues.</p>
<p>I'm cautiously optimistic that that is going to change a little bit. This year the Securities and Exchange Commission (SEC) gave very detailed guidance about when you have to disclose when you&#8217;ve been hacked. If there is a material impact to your company, you have to disclose it here and there, even if it's unknown.</p>
<p><strong>Gardner:</strong> So the old adage of shining light on this probably is in the best interest of everyone. Is the message then keeping this quiet isn&#8217;t necessarily the right way to go?</p>
<p><strong>Menn:</strong> Not only is it not the right way to go, but it's safer to come out of the woods and fess up now. The stigma is almost gone. If you really blow the PR like Sony, then you're going to suffer some, but I haven&#8217;t heard a lot of people say, "Boy, Google is run by a bunch of stupid idiots. They got hacked by the Chinese."</p>
<p>It's the definition of an asymmetrical fight here. There is no company that's going to stand up against the might of the Chinese military, and nobody is going to fault them for getting nailed. Where we should fault them is for covering it up.</p>
<p>I think you should give the American people some credit. They realize that you're not the bad guy, if you get nailed. As I said, nobody thinks that Google has a bunch of stupid engineers. It is somewhere between extremely difficult to impossible to ward off against "zero-days" and the dedicated teams working on social engineering, because the TCP/IP is fundamentally broken and it ain't your fault.</p>
<p>...[These threats] are an existential threat not only to your company, but to our country and to our way of life. It is that bad. One of the problems is that in the U.S., executives tend to think a quarter or two ahead. If your source code gets stolen, your blueprints get taken, nobody might know that for a few years, and heck, by then you're retired.</p>
<p>With the new SEC guidelines and some national plans in the U.K. and in the U.S., that&#8217;s not going to cut it anymore. Executives will be held accountable. This is some pretty drastic stuff. The things that you should be thinking about, if you&#8217;re in an IT-based business, include figuring out the absolutely critical crown jewel one, two, or three percent of your stuff, and keeping it off network machines.</p>
<p><strong>Gardner:</strong> So we have to think differently, don&#8217;t we?</p>
<p><strong>Menn:</strong> Basically, regular companies have to start thinking like banks, and banks have to start thinking like intelligence agencies. Everybody has to level up here.</p>
<p><strong>Gardner:</strong> What do the intelligence agencies have to start thinking about?</p>
<p><strong>Menn:</strong> The discussions that are going on now obviously include greatly increased monitoring, pushing responsibility for seeing suspicious stuff down to private enterprise, and obviously greater information sharing between private enterprise, and government officials.</p>
<p>But, there's some pretty outlandish stuff that&#8217;s getting kicked around, including looking the other way if you, as a company, sniff something out in another country and decide to take retaliatory action on your own. There&#8217;s some pretty sea-change stuff that&#8217;s going on.</p>
<p><strong>Gardner:</strong> So that would be playing offense as well as defense?</p>
<p><strong>Menn:</strong> In the <a href="http://en.wikipedia.org/wiki/National_Defense_Authorization_Act" rel="nofollow">Defense Authorization Act</a> that just passed, for the first time, Congress officially blesses offensive cyber-warfare, which is something we&#8217;ve already been doing, just quietly.</p>
<p>We&#8217;re entering some pretty new areas here, and one of the things that&#8217;s going on is that the cyber warfare stuff, which is happening, is basically run by intelligence folks, rather than by a bunch of lawyers worrying about collateral damage and the like, and there's almost no oversight because intelligence agencies in general get low oversight.</p>
<p><strong>Gardner:</strong> Just quickly looking to the future, we have some major trends. We have an increased movement toward mobility, cloud, big data, social. How do these big shifts in IT impact this cyber security issue?</p>
<p><strong>Menn:</strong> Well, there are some that are clearly dangerous, and there are some things that are a mixed bag. Certainly, the inroads of social networking into the workplace are bad from a security point of view. Perhaps worse is the consumerization of IT, the bring-your-own-device trend, which isn't going to go away. That&#8217;s bad, although there are obviously mitigating things you can do.</p>
<p>The cloud itself is a mixed bag. Certainly, in theory, it could be made more secure than what you have on premise. If you&#8217;re turning it over to the very best of the very best, they can do a lot more things than you can in terms of protecting it, particularly if you&#8217;re a smaller business.</p>
<p>If you look to the large-scale banks and people with health records and that sort of thing that really have to be ultra-secure, they're not going to do this yet, because the procedures are not really set up to their specs yet. That may likely come in the future. But, cloud security, in my opinion, is not there yet. So that&#8217;s a mixed blessing.</p>
<p>You need to think strategically about this, and that includes some pretty radical steps. There are those who say there are two types of companies out there&#8212;those that have been hacked and those that don&#8217;t know that they&#8217;ve been hacked.</p>
<p>Everybody needs to take a look at this stuff beyond their immediate corporate needs and think about where we&#8217;re heading as a society. And to the extent that people are already expert in the stuff or can become expert in this stuff, they need to share that knowledge, and that will often mean, saying "Yes, we got hacked" publicly, but it also means educating those around them about the severity of the threat.</p>
<p>One of the reasons I wrote my book, and spent years doing it, is not because I felt that I could tell every senior executive what they needed to do. I wanted to educate a broader audience, because there are some pretty smart people, even in Washington, who have known about this for years and have been unable to do anything about it. We haven't really passed anything that's substantial in terms of legislation.</p>
<p>As a matter of political philosophy, I feel that if enough people on the street realize what's going on, then quite often leaders will get in front of them and at least attempt to do the right thing. Senior executives should be thinking about educating their customers, their peers, the general public, and Washington to make sure that the stuff that passes isn't as bad as it might otherwise be.</p>
<p><a href="http://traffic.libsyn.com/interarbor/BriefingsDirect-Author_Joseph_Menn_on_Cyber_Security_Cyber_Warfare_and_the_Growing_Threat_to_Internet_Commerce.mp3" rel="nofollow">Listen</a> to the podcast. Find it on <a href="http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=85270006&amp;s=143441" rel="nofollow">iTunes/iPod</a>. Read a <a href="http://briefingsdirect.blogspot.com/2012/01/overlapping-criminal-and-state-threats.html" rel="nofollow">full transcript</a> or <a href="http://interarborsolutions.books.officelive.com/Documents/12192011TOGSFMENN.pdf" rel="nofollow">download</a> a copy.</p>]]></description>
            <author>rss@it-analysis.com (Dana Gardner, Interarbor Solutions)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Enterprise-&gt;Technology</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Thu, 05 Jan 2012 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=13129&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Intellectual Property Theft: Protecting Data Against Cyber Criminals</title>
            <link>http://www.it-director.com/business/security/content.php?cid=13113&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/12514/nigel_stanley.php?ref=fd_side_itd" title="View profile for Nigel Stanley"><img border="0" src="http://www.it-director.com/images/people/small/nigel_stanley.gif" width="40" height="50" alt="Nigel Stanley" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/12514/nigel_stanley.php?ref=fd_side_itd" title="View profile for Nigel Stanley">Nigel Stanley</a>, <em>Practice Leader -  IT Security</em>, Bloor Research<br/>Posted: 20th December 2011<br/>Copyright Bloor Research &copy; 2011</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>Criminals are criminals. Although there are some novel crimes committed against computer systems, almost all of these crimes fit the mould of good old-fashioned offences such as theft, fraud and harassment. Unfortunately, the often remote, cross-jurisdictional and technically complex nature of many computer crimes makes these offences far more difficult to investigate and successfully prosecute. Physical crimes are normally much more straightforward to deal with.</p>
<p>Another complicating factor of computer crime is the sheer scale of the offences being committed. Adding more zeros to a fraudulent bank transfer is easy - so why not go for tens of millions rather than just millions? Creating a botnet controlling 5 computers is as easy as creating a botnet of 5 million.</p>
<p>Intellectual property theft and industrial espionage have been around ever since one person was seen to have a better idea than another. The problem with computerised intellectual property theft is that we see designs, plans and technical documents being stolen on an industrial scale - way beyond the imagination of a Cold War spy equipped with a micro camera.</p>
<p>We now face organised attempts to steal intellectual property in whatever form it may take. It seems to me that, in many cases, there are organised attempts to suck up as much intellectual property as can possibly be found.</p>
<p>Motivations may be commercial espionage or, in many instances but difficult to prove, state-sponsored espionage designed to enable, in the main, emerging economies to accelerate their growth.</p>
<p>Much of the reporting around this area is accompanied by a nudge and a wink, with the usual state perpetrators alluded to rather than open and direct accusations being made, probably because the diplomatic fallout could be considerable. With the current state of western economies, upsetting the provider of your country's national loan may not be the wisest of strategies.</p>
<p><strong>IP Protection</strong><br />Returning from the macro to the micro, what can companies and organisations do today to protect their intellectual property?</p>
<p>The good news is that by applying some good user education and sound, proven technologies, most intellectual property attacks can be thwarted. In many instances these attacks succeed because people do silly things rather than through deliberate theft. I call this type of inside threat the incompetent and non-malicious, as opposed to the competent and malicious. We have all seen it, and maybe done it: accidentally sending an email attachment to the wrong email address happens all too often.</p>
<p>The ability of many email client applications to automatically resolve addresses is often to blame, as one Fred Smith may be your boss and another Fred Smith may be your competitor. A couple of years ago this type of problem was attracting the attention of IT security vendors selling data loss prevention products, designed to stop just such accidental leaks. This was done by building up a data flow knowledge base and trapping out-of-course errors. Unfortunately, for a number of reasons, this type of solution didn't take off as much as I thought it might. I think this was down to implementation issues and the fact that this type of intelligence-based solution is quite difficult to get right.</p>
<p><strong>Tools and Technologies</strong><br />There are a number of tools and technologies positioned to help protect against intellectual property loss or theft. There is no silver bullet, and technologies across all of these areas will need to be carefully considered.</p>
<p>Turning plain data into unreadable gibberish using encryption enables a business to protect its data. Modern-day encryption technologies are effectively unbreakable without a suitable key, and the implementation of a good system should not have any detrimental effect on the speed of data transfer or slow business systems. The encryption system should include recovery and accessibility options so that in both the short term and the long term the data can be made available to the business. Key management is a vital part of any data encryption strategy.</p>
<p>There are increasing amounts of technology that can detect a pattern of behaviour symptomatic of an inside threat. Intrusion detection systems, coupled with intrusion prevention systems working as a form of smart firewall, can be extremely useful tools.</p>
<p>Access controls enable an audit trail such that if there is a data leak it can be traced back to a likely culprit. Combining identity management with a separation of duties strategy reduces the likelihood of any one individual having such a holistic view of systems that they could compromise the data by themselves. A strategy of "least privilege", giving staff only the access they need to do their job, should be implemented for all staff.</p>
<p>As emails are now regarded on the same legal basis as a note on headed paper, outbound emails can easily violate a company's security policy, whether through a deliberate act or one of incompetence. Putting in place tools to enforce best practice email management can help reduce this risk. These tools can also reduce the chances of intellectual property slipping out unnoticed.</p>
<p>Preventing the download of a customer or product design database is probably high on the agenda for anyone monitoring an inside threat. Some attacks can be more sinister and less obvious than an entire download, such as financial data being queried at the wrong time of year. By adding a database assurance layer to the threat protection matrix you can detect and deal with any out-of-course or abnormal database access behaviour.</p>
<p>By putting in place an Enterprise Security Management product it is possible to have a holistic view of your inside threat from a central monitoring point. Risk can be uncovered by monitoring contextual data to see what is going on inside the business, with algorithms used to flag unusual or threatening behaviour in real time. These issues can then be flagged to IT or the business for immediate, appropriate action.</p>
<p>Inappropriate or unusual web-based activity can be an indicator that there may be an emerging inside threat. By using a tool to help enforce corporate web usage and Instant Messaging guidelines you can also detect an inside threat in real time, be it reputational as users visit unauthorised sites, or a more direct threat as they start a business in direct competition to their employer.</p>
<p>Software development is complex at the best of times - but how do you know that one of your developers has not written code that either accidentally or deliberately compromises your product or internal systems? Few IT security professionals understand software development as well as they do IT security, and this weakness can be, and has been, exploited by developers.</p>
<p>Monitoring data as it moves through an organisation is critical, as it can easily be diverted to a USB key and taken outside the business with a couple of mouse clicks. By putting in place a data loss management system, each data move can be monitored and unusual movements flagged for immediate action. Contextualising data access is important: for example, product design data being accessed from home at 3 am on a Sunday morning could be suspicious.</p>
<p>Solutions are now available that can restrict device and port control at an extremely granular level, such as defining specific data that can be copied to a specific USB key with a particular serial number. These products will often use encryption technologies to protect data on the USB key.</p>
<p>Users, maybe frustrated with poor applications, can very easily start to threaten the stability of a software estate. Tools and policies need to be implemented and then monitored to ensure that only approved software is loaded and used. Unlicensed software can also prove a reputational risk as it is illegal to use and the associated publicity can be an embarrassment.</p>
<p>Anti-virus and anti-malware software has a big part to play in offering a basic line of defence, and good quality advice, training and consultancy at the right time can save an organisation a lot of time and money. The more objective the advice, the more valuable it is likely to be.</p>
<p><strong>The Smartphone Risk</strong><br />I do want to mention what I consider to be a big threat to intellectual property protection and that is the huge increase in the use of smartphones. Every company I work with has an executive team fully equipped with these fantastic tools that I believe are the most intimate form of IT we have ever had. We take them everywhere and their capability is every bit as good as fully fledged PCs were only a few years ago. Unfortunately smartphones are now coming under the spotlight of hackers and malcontents as they fully understand that the value of intellectual property on these devices can be significant. This data is often the freshest and most relevant to the business being targeted as it is residing on executives' mobile devices ready for immediate access.</p>
<p>The security industry has failed to embrace these devices as quickly as consumers have, resulting in some major security issues remaining unfixed and increasing smartphone vulnerability. For many companies, securing these devices should be a top-of-the-list priority.</p>
<p><strong>In Summary</strong><br />The threat to intellectual property is very real. Even the most motivated, committed and enthusiastic staff can and will make mistakes that may result in significant data loss. By investing in appropriate technology solutions, coupled with regular staff training and awareness sessions, to mitigate your inside threat, you are taking proactive steps that should see this problem significantly reduced.</p>]]></description>
            <author>rss@it-analysis.com (Nigel Stanley, Bloor Research)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <pubDate>Tue, 20 Dec 2011 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=13113&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Security and location</title>
            <link>http://www.it-director.com/business/security/content.php?cid=13060&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/21/fran_howarth.php?ref=fd_side_itd" title="View profile for Fran Howarth">Fran Howarth</a>, <em>Practice Leader</em>, Bloor Research<br/>Posted: 18th November 2011<br/>Copyright Bloor Research &copy; 2011</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>Location-based mobile applications such as Facebook, Google and others are used by a large percentage of adults and teenagers. Applications that pinpoint a user's physical location introduce unprecedented new risks. The potential threats range from fraud and identity theft to crimes such as burglary or physical violence.</p>
<p>Geolocation is your physical location and is derived by technology using data from your computer or mobile device. It could relate to your physical location (position on the earth's surface) or the virtual (internet) environment. Both can be collected in many ways:</p>
<ul><li>Web browsing via your computer (IP[1] address is your identification)</li>
<li>Mobile phone usage</li>
<li>GPS (Global Positioning System) devices</li>
<li>Credit/debit card transactions</li>
<li>Tags in photographs and postings (Facebook and Twitter).</li>
</ul><p>Location can be collected in an active or passive mode. The active mode is a user device that provides the Geolocation using software to determine the user's position by wireless, GPS[2] or by "request and response". The passive mode is server-based and determines the position via IP (internet protocol), 3G or 4G and wireless positioning.</p>
<p>What benefits does location bring?</p>
<ul><li>To the Customer: optimal request routing or navigation, instant purchasing decisions (shopping, restaurants), nearest station or bus stop and social networking opportunities.</li>
<li>To Business: targeted marketing, delivery and asset management, insurance risk management, logistics etc. The list is endless.</li>
</ul><p>Location, combined with other personally identifiable information, can be used or abused. The capabilities of this technology empower social networking, support law enforcement, enable many mobile services and also provide a serious concern in the hands of criminals.</p>
<p>Location information can be seriously abused. For example, an individual who announces holiday plans or activities on a social networking site may be signalling to a criminal that their house is currently unoccupied, leading to a higher risk of being burgled, whilst more general personal information could be used in social engineering attacks against them.</p>
<p>For organisations, location information can lead to unwarranted surveillance of their current activities. An example could be tracking the location of a company's executives. This could provide its competitors with pointers regarding ongoing business negotiations, such as potential mergers or acquisitions. This could affect the organisation's brand and reputation, or even dent it financially if the competitor were able to scupper the deal. Organisations must also be wary themselves when using location-based services. They should be careful that information collected regarding the location of their employees does not constitute illegal tracking of their activities outside of business hours. In addition, any location-based services offered to customers or suppliers should take into account the privacy and ethical concerns of those parties.</p>
<p>In dealing with such risks, ISACA[3], which provides guidance with regard to the governance, security and audit of information systems, cautions that the legal obligations of users and developers of geolocation data are currently unclear. In the absence of legal guidelines, it cautions that organisations need to carefully consider what controls are appropriate. These could be strong access controls and anonymisation techniques, or the use of encryption for all personally identifiable information. It urges all organisations using geolocation to develop their own framework to address privacy and security concerns, making use of existing information security frameworks such as CobIT[4].</p>
<p>How can you safeguard yourself? ISACA recommends this 5-step practice:</p>
<ol><li>Read your mobile application agreements to see what information you are sharing.</li>
<li>Only enable Geolocation when the benefits outweigh the risks.</li>
<li>Understand that others can track your current and past locations.</li>
<li>Think before posting tagged photos to social-media sites.</li>
<li>Embrace the technology, and educate yourself.</li>
</ol><p>With such safeguards in place, you will be in a much better position to embrace the exciting benefits that are offered by geolocation technologies.</p>
<p>This article was prompted by the discussion within <a href="http://ht.ly/6Ggv7" rel="nofollow">"Why geolocation apps can be dangerous"</a> and the ISACA's new white paper, "Geolocation: Risk, Issues and Strategies."</p>
<p>[1] IP - Internet Protocol<br />[2] GPS - Global Positioning System<br />[3] ISACA - Information Systems Audit and Control Association<br />[4] CobIT - Control Objectives for Information and related Technology</p>]]></description>
            <author>rss@it-analysis.com (Natalie Newman and Fran Howarth)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Applications</category>
            <category>Technology-&gt;Data management</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Fri, 18 Nov 2011 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=13060&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Cloud adoption - forget Moore &amp; Metcalfe, think Murphy</title>
            <link>http://www.it-director.com/business/security/content.php?cid=13047&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/99/rob_bamforth.php?ref=fd_side_itd" title="View profile for Rob Bamforth"><img border="0" src="http://www.it-director.com/images/people/small/rob_bamforth.gif" width="40" height="50" alt="Rob Bamforth" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/99/rob_bamforth.php?ref=fd_side_itd" title="View profile for Rob Bamforth">Rob Bamforth</a>, <em>Principal Analyst</em>, Quocirca<br/>Posted: 14th November 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Two recent events with rather different audiences reveal that not everyone is convinced that the benefits of technology adoption will be evenly shared. In particular, both highlighted some disconnects between organisational gain and personal risk.</p>
<p>At a gathering of senior IT executives at a CBR dining club dinner sponsored by Riverbed and Dimension Data, a number of CIOs voiced their thoughts regarding the IT industry&#8217;s current apparently all-enveloping rising star&#8212;&#8216;cloud&#8217;. While there was widespread appreciation of the possibilities and potential for the deployment of IT resources into the cloud, there were some significant reservations about the reality.</p>
<p>Vendors and service providers have been keen to promote the benefits of cloud, but they need to appreciate how implementation will affect their customers, in particular one part of the decision-making process: the CIO, IT director or individual IT manager most directly responsible. This is the person that gets it in the neck when something goes wrong&#8212;irrespective of who in the external cloud ecosystem is really to blame.</p>
<p>The selling job elsewhere in the organisation is slightly less daunting. Those involved directly on the financial side recognise the cost savings of pushing (human and/or IT asset) resource demands into a virtual infrastructure provider, especially if they can cut precious capital expenditure at a time when borrowing is difficult. Many users recognise the flexibility of &#8216;on demand&#8217; access to IT, storage and services, especially while on the move. Mobile and remote access, fuelled by consumer behaviours and social media, have become a regular expectation and a perceived necessity.</p>
<p>However, IT managers, whose jobs depend on the reliability, fidelity and robustness of the services being delivered, see risk. And who can blame them when recent downtime and outages from what seemed unshakeable cloud service providers&#8212;Google, RIM, Amazon, Microsoft&#8212;demonstrate that even large and well planned IT systems can fail?</p>
<p>Quocirca regularly advocates the use of a total value proposition to understand the wider benefits and drawbacks of technology adoption. This goes beyond a simple ROI or TCO financial proposition, to encompass the less tangible positive and negative impact on the organisation, its competitive positioning and, crucially, on the individual or individuals making a technology implementation decision. In this context the total value proposition also considers an element often missed out by those looking at technology change in an organisation&#8212;a &#8220;total liability proposition&#8221;, perhaps&#8212;to understand the potential negative consequences, as these weigh most heavily on those making the decision, as it is their neck on the line.</p>
<p>The second event indicated where a respectful approach to risk might emanate from, as other critical players in the value chain discussed how they might contribute to and benefit from cloud adoption. This was a gathering of diverse telecoms companies and service providers at the NetEvents conference in Italy. Here the interest in cloud as a potential new source of revenue and enterprise influence was strong, but it was dosed with a heavy realisation that significant credibility would be at stake if something went wrong.</p>
<p>Telecoms providers, unlike some of the IT industry, have a healthy respect for Murphy&#8217;s Law (if something can go wrong, it will), in addition to the more famous ones that are attributed to the value and growth of Moore&#8217;s Law of transistor numbers doubling every eighteen months and Metcalfe&#8217;s Law of the increasing value of connectedness. They know that their survival is dependent on fundamental attributes that some vendors in the IT industry like to portray as differentiated marketing benefits, like security, availability, interoperability and predictability.</p>
<p>The telecoms industry&#8217;s measured approach and involvement in the blossoming cloud market is to be welcomed, and should, over time, start to allay the understandable fears of those within the enterprise who are responsible for delivering IT services. As well as trusting them to provide resilient networks, CIOs and IT directors might look to their telecoms providers to supply computing power. Then maybe Sun Microsystems (and Oracle, through its acquisition) was right after all, and the network really is the computer?</p>]]></description>
            <author>rss@it-analysis.com (Rob Bamforth, Quocirca)</author>
            <category>Business Issues-&gt;Change</category>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Services-&gt;Outsourcing</category>
            <pubDate>Mon, 14 Nov 2011 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=13047&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Don't forget the network</title>
            <link>http://www.it-director.com/business/security/content.php?cid=13029&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 3rd November 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>In the old days, those tasked with ensuring their organisation&#8217;s networks were secure, reliable and sufficient for their needs were dealing with known resources and predictable usage. Network equipment was confined to the organisation&#8217;s various premises, the larger of which were linked via dedicated leased lines; smaller locations were often deemed unworthy of network access. The applications that ran over the network were nearly all planned and provisioned by the IT department. That has all changed in the last twenty years as the internet has become a fundamental business resource and employees have become far more mobile.</p>
<p>Today, ensuring the performance, reliability and security of network usage requires that a holistic view is taken of internal network resources, the internet and mobile network services. Only when this is the case can the impact the network has on the end-to-end user experience be understood and a minimum acceptable service level aspired to.</p>
<p>The problem is exacerbated by unpredictable workloads. IT departments themselves have been loading networks with ever more resource-hungry applications, for example voice and video conferencing. They have also been cramming more and more processing power into data centres through the use of virtualisation, which means more network resource is required per physical server. They are also using online resources to supplement internal infrastructure, which requires a reliable and suitably &#8220;broad&#8221; interface to the internet.</p>
<p>On-demand services also make it easy for lines of business to provision their own applications and IT resources. Employees can do this too; accessing social media sites and firing up mobile apps at will, sometimes for good business reasons, but more likely for personal use. Such unplanned use makes ensuring network performance and security problematic, to say the least.</p>
<p>Data from Plan B Disaster Recovery reported in Quocirca&#8217;s recent report, &#8220;<em>Don&#8217;t forget the network</em>&#8221;, shows that the most common reason for application failure is a network communications breakdown of some sort. In other words, the network is the soft underbelly of most organisations&#8217; IT infrastructure. To get on top of this requires that the user experience is constantly monitored and that, when that experience is not good enough, the impact the network is having is understood.</p>
<p>Mitigation may require upgrades to network services or equipment, but it may be sufficient in some cases to simply adjust and optimise usage of the existing network. A port assessment by Networks First, a network management company (who sponsored Quocirca&#8217;s recent report), shows that in many cases network equipment is actually underutilised. With intelligent application it should be possible to drive more performance out of existing resources.</p>
<p>For many it makes sense to hand the complexities of ensuring minimum network service levels to a third party management company. The initial stage of any such assignment is discovery: what equipment and services are in place, and how do they map together to form the total network? It may seem surprising that a given organisation does not already know this; however, most networks have been cobbled together over a number of years by a succession of network managers and contractors, often dealing with tactical issues without regard for an overall long term network strategy.</p>
<p>Once the network components are understood, the network&#8217;s current base performance and loading can be assessed. Whether this is good or bad, it is a necessary measure to provide a benchmark for measuring how the management company improves service levels going forward. The user experience needs to be measured on an on-going basis, ensuring that it does not regularly drop below a target baseline and that, when it does, the reasons why are understood and, if necessary, remedied.</p>
<p>The tools required for monitoring and managing network performance tend to be sophisticated and expensive. Open source ones are available but need good technical skills to use effectively. Smaller organisations may not have access to any such tools and larger organisations may lack the time or wherewithal to get the most out of them. Network management companies will have developed the expertise to use such tools and can share their cost over a number of customers, making them available to their customers, whatever their size.</p>
<p>Whatever steps are taken to ensure the on-going performance, availability and security of a network, the cost of doing so must be justified by three factors. First, it must be possible to reduce running costs, or at least ensure better on-going performance, without excessive short to medium term investments in new equipment and/or services. Second, the business risks posed by the network and problems with its performance and security must be mitigated and minimum service levels guaranteed. Third, a stable network that performs well and has excess capacity should be able to be relied upon to provide new business value as and when required.</p>
<p>The majority of businesses will not have the in-depth understanding of their networks needed to be sure of achieving many of these goals. Most will not even have had a recent network assessment. If they did, they may well be surprised at how poorly their network is serving them and how much may be gained from addressing this. A functional network is imperative for a 21st century business. A well-managed high-availability, high-performance and secure network can be a distinct competitive advantage; a poorly managed one a fundamental business risk.</p>
<p>Quocirca&#8217;s report, sponsored by Networks First, &#8220;Don&#8217;t forget the network&#8221;, is freely available here: <a href="http://www.networksfirst.com/dontforgetthenetwork.aspx" rel="nofollow">http://www.networksfirst.com/dontforgetthenetwork.aspx</a></p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Services-&gt;Outsourcing</category>
            <category>Technology-&gt;Infrastructure</category>
            <pubDate>Thu, 03 Nov 2011 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=13029&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>IT security vendors can't all be right, but they can all be wrong</title>
            <link>http://www.it-director.com/blogs/Quocirca/2011/11/it_security_vendors_can_t_all_be_r_.html?ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 2nd November 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>From recent briefings with a number of IT security vendors, it would seem that most can now identify any new threat immediately and that at the same time none of them can. This contradiction is down to the &#8220;<em>we can, they can&#8217;t</em>&#8221; mantra that any vendor of any product is bound to use against its competitors. Of course, they can&#8217;t all be right; in fact all who make such claims are wrong.</p>
<p>One thing most are right about is that relying on signatures of known malware to protect their customers has not been enough for a long time now. Signature-based recognition is still an important way to cut down the amount of malware moving around; better that spam-bearing emails are stopped in the cloud than at the desktop. However, many of the IT security threats that businesses face cannot be characterised by a simple digital signature.</p>
<p>Security vendors are also right when they identify one of the biggest risks to their customers as zero-day threats (used here to mean new threats that have not been seen before and therefore cannot be recognised by existing signatures). Such threats are becoming more and more common as the tools for writing and distributing malware become more sophisticated. It is now possible to ensure every instance of a new virus is different enough from its siblings to appear unique when compared to any existing signature.</p>
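<p>As an added illustration of the point above (example code written for this edit, not part of the original article or of any vendor&#8217;s product), the following script builds a signature database from a first-seen sample and then scans re-keyed siblings of it. The payload, stub and keys are constructed stand-ins: the payload is a text string and the stub is a marker, not executable code. An exact-file hash catches only the sample it was taken from; a byte pattern on the unchanged decoder stub still catches each sibling; decoding the body and inspecting what it does catches them regardless of how the bytes look, which is the direction the vendors describe.</p>

```python
"""Added example: why an exact-match signature misses polymorphic siblings.

Everything here is constructed and inert: PAYLOAD is a plain text string
standing in for a malicious body, STUB is a marker standing in for a decoder
routine. No real malware is involved.
"""
import hashlib

# Constructed stand-in for a malicious body (text, not code).
PAYLOAD = b"TEST-BODY: read address book; open network socket; send data out"

# Constructed stand-in for the decoder stub every sibling carries unchanged.
STUB = b"[XOR-DECODER-STUB]"


def make_variant(key: int) -> bytes:
    """Build one sibling: constant stub, one-byte key, payload XORed with that key.

    Each key gives a file whose bytes (and therefore hash) differ from every
    other sibling, while the behaviour after decoding is identical.
    """
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte value")
    encoded = bytes(b ^ key for b in PAYLOAD)
    return STUB + bytes([key]) + encoded


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The signature database an analyst builds from the first sample they saw.
FIRST_SEEN = make_variant(0x41)
SIGNATURES = {
    "hashes": {sha256_hex(FIRST_SEEN)},   # exact-file hash: matches only that file
    "patterns": [STUB],                   # byte pattern: matches the shared stub
}


def match_hash(sample: bytes) -> bool:
    """Exact-file signature: defeated by a change to any single byte."""
    return sha256_hex(sample) in SIGNATURES["hashes"]


def match_pattern(sample: bytes) -> bool:
    """Byte-pattern signature: survives re-keying as long as the stub is constant."""
    return any(p in sample for p in SIGNATURES["patterns"])


def decode_and_inspect(sample: bytes) -> bool:
    """Emulation-style check: undo the encoding the stub would perform, then
    judge the decoded body by what it does rather than by what it looks like."""
    pos = sample.find(STUB)
    if pos < 0:
        return False
    key_pos = pos + len(STUB)
    if key_pos >= len(sample):
        return False          # stub present but no key/body: a fragment, not a sample
    key = sample[key_pos]
    body = bytes(b ^ key for b in sample[key_pos + 1:])
    return b"open network socket" in body and b"send data out" in body


def scan(samples):
    """For each sample return (hash_hit, pattern_hit, behaviour_hit)."""
    return [(match_hash(s), match_pattern(s), decode_and_inspect(s)) for s in samples]


if __name__ == "__main__":
    siblings = [make_variant(k) for k in (0x41, 0x42, 0x7F)]
    for sample, result in zip(siblings, scan(siblings)):
        print(sha256_hex(sample)[:16], result)
```

Note the trade-off the pattern check exposes: a fragment carrying only the stub still fires the pattern signature, so the broader the signature, the more benign files it also names; the behavioural check is the only one of the three that is neither defeated by re-keying nor fooled by the stub on its own.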
<p>So IT security vendors are rightly focussing more and more on identifying and stopping previously unknown threats and coming up with increasingly clever ways of doing so; the IT security arms race continues apace. Where they overreach themselves is in claiming they can spot any new threat. This was brought home to Quocirca recently when a new entrant to the IT security market made such a claim, but then said it had delayed its launch because the rise of WikiLeaks and LulzSec had led it to make further changes to its product. In other words, it had not foreseen some threats that customers may face.</p>
<p>No single IT security vendor can spot every existing threat and identify every new one. However, between them they are doing a pretty good job. None of us, businesses or consumers, can rely completely on a single security technology. Even if you believe you have catch-all anti-virus software on your PC, iPad or smartphone, it does not make sense to turn off security at your wireless router or decline spam and malware filtering services from your internet and/or email service provider.</p>
<p>Good IT security will always be about multiple layers of protection and using products from a variety of vendors. When well managed, so that all known threat vectors are covered, using a variety of security technologies will maximise the chance of recognising and stopping malware. But even this is not enough; other measures should also be in place.</p>
<p>For example, organisations should reconsider their security posture; a more open approach to business could mean less worry about protecting intellectual property. Training employees in their responsibilities with regard to personally identifiable information (PII), and providing regular reminders about this, is as important a part of ensuring compliance as any security technology. With IT and data security, belts and braces is the only approach. Beware the vendor who promises all.</p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Wed, 02 Nov 2011 09:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/blogs/Quocirca/2011/11/it_security_vendors_can_t_all_be_r_.html?ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Consumers say no [to data leaks]</title>
            <link>http://www.it-director.com/blogs/Quocirca/2011/10/consumers_say_no_to_data_leaks_.html?ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 26th October 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>A recent Quocirca <a href="http://www.it-analysis.com/business/compliance/content.php?cid=12955">blog post</a> pointed out there were good business reasons for disclosing data breaches as well as an increasing number of regulatory ones. For those organisations not convinced by these arguments and still intent on attempting to brush leaks under the carpet, there is new evidence that consumers think they should come clean too.</p>
<p>New research commissioned by LogRhythm, a vendor of SIEM (security information and event management) tools, surveyed 2,000 UK consumers and concludes that they are &#8220;<em>losing patience with organisations that endanger their customers&#8217; data</em>&#8221;. 80% were &#8220;<em>concerned</em>&#8221; about trusting organisations to keep their data safe from hackers, up 17% from a similar survey in 2010. 26% assert they would &#8220;<em>definitely</em>&#8221; not transact with the affected organisation again, with a further 61% saying they would try to avoid future interactions.</p>
<p>Of course, for many, their bark will be louder than their bite; it is often said that a man is more likely to change his wife than his bank. However, what the research does show is that all the recent press coverage of data leaks has not gone unnoticed. There is widespread awareness amongst consumers of the issues, of the responsibilities of the organisations to which they entrust their data and of the importance of disclosure.</p>
<p>SIEM tools help in two ways. First, by collecting and correlating event logs from network devices, servers and security tools, they help spot unusual activity, and their alerts can feed intrusion prevention systems (IPS) and data loss prevention (DLP) tools to block attempted data thefts. Second, they help clear up afterwards, enabling affected organisations to rapidly gather the information about what data has been lost and who has been affected. It is not good enough for an affected organisation to lazily issue a blanket warning to all customers; instead it should be in a position to inform those (and only those) whose data has definitely been compromised.</p>
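<p>The two jobs described above, as an added example that is not part of the original post or of any SIEM product: the log format and every log line are constructed for this illustration. The first function correlates authentication events to find a burst of failures followed by a success from the same source (the unusual activity); the second takes the account and time of that success and lists exactly which records the account touched afterwards, which is the information needed to notify only the customers actually affected rather than everyone.</p>

```python
"""Added example: SIEM-style correlation over constructed log lines.

(1) detect a burst of failed logins followed by a success from the same
    source; (2) scope the incident to the records that account touched, so
    that only the affected customers are notified. Format and lines are
    constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<kind>auth|access) (?P<kv>.+)$"
)

# Constructed sample log: five failures then a success for svc_report from one
# source, followed by bulk exports; alice is normal activity; the svc_report
# view at 10:30 is outside the incident window.
SAMPLE_LOG = """\
2011-10-20T02:14:01Z auth user=svc_report src=203.0.113.7 result=FAIL
2011-10-20T02:14:02Z auth user=svc_report src=203.0.113.7 result=FAIL
2011-10-20T02:14:03Z auth user=svc_report src=203.0.113.7 result=FAIL
2011-10-20T02:14:04Z auth user=svc_report src=203.0.113.7 result=FAIL
2011-10-20T02:14:05Z auth user=svc_report src=203.0.113.7 result=FAIL
2011-10-20T02:14:09Z auth user=svc_report src=203.0.113.7 result=OK
2011-10-20T02:15:00Z access user=svc_report action=export table=customers id=1001
2011-10-20T02:15:01Z access user=svc_report action=export table=customers id=1002
2011-10-20T02:15:02Z access user=svc_report action=export table=customers id=1004
2011-10-20T02:16:00Z access user=svc_report action=export table=orders id=77
# malformed line that the parser must skip
2011-10-20T08:59:30Z auth user=alice src=198.51.100.5 result=FAIL
2011-10-20T09:00:00Z auth user=alice src=198.51.100.5 result=OK
2011-10-20T09:00:10Z access user=alice action=view table=customers id=1003
2011-10-20T10:30:00Z access user=svc_report action=view table=customers id=1005
"""


def parse_line(line):
    """One log line -> event dict, or None if the line does not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "kind": m["kind"]}
    for pair in m["kv"].split():
        key, sep, value = pair.partition("=")
        if sep:
            ev[key] = value
    return ev


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def detect_brute_force_success(events, threshold=5, window=timedelta(minutes=5)):
    """Correlation rule: >= threshold FAILs for (user, src) within `window`
    before an OK from the same (user, src). Returns one hit per such OK."""
    fails = defaultdict(list)   # (user, src) -> timestamps of recent failures
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] != "auth":
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAIL":
            fails[key].append(ev["ts"])
        elif ev["result"] == "OK":
            recent = [t for t in fails[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                hits.append({"user": ev["user"], "src": ev["src"], "ts": ev["ts"]})
            fails[key].clear()
    return hits


def scope_breach(events, user, start, end):
    """Records `user` touched in [start, end], grouped by table: the breach scope."""
    touched = defaultdict(set)
    for ev in events:
        if ev["kind"] == "access" and ev["user"] == user and start <= ev["ts"] <= end:
            touched[ev["table"]].add(ev["id"])
    return {table: sorted(ids) for table, ids in touched.items()}


def customers_to_notify(log_text, session=timedelta(hours=1)):
    """Detection plus scoping: the customer IDs touched by any compromised
    account within `session` of its suspicious login. `session` is an assumed
    session length for this example."""
    events = parse_log(log_text)
    affected = set()
    for hit in detect_brute_force_success(events):
        scoped = scope_breach(events, hit["user"], hit["ts"], hit["ts"] + session)
        affected.update(scoped.get("customers", []))
    return sorted(affected)


if __name__ == "__main__":
    print("notify customers:", customers_to_notify(SAMPLE_LOG))
```

Run against the sample, the rule fires once (svc_report from 203.0.113.7) and the scope is customers 1001, 1002 and 1004 plus order 77; alice&#8217;s single failure and the later svc_report view fall outside the rule and the window, which is exactly the distinction a blanket warning throws away.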
<p>LogRhythm claims to be the biggest independent vendor of SIEM tools. This follows a recent round of acquisitions of its rivals by larger vendors. In 2010, HP acquired ArcSight, and this month two more intended acquisitions were announced: IBM is targeting Q1 Labs, while NitroSecurity has been approached by McAfee. There is no shortage of other vendors; for example, Symantec has its Security Information Manager and EMC/RSA has tools based around enVision, which came with its acquisition of Network Intelligence. However, this has not put off new entrants, such as Red Lambda, a high-end data processing vendor attempting to re-position itself in the network security market by treating it as a 'big-data' problem.</p>
<p>Businesses rightly expect consumers to be careful with their confidential information, account details, login credentials and so on. In return, consumers should expect businesses to take good care of the same data and come clean when it is stolen or when they have screwed up and leaked it into the public domain.</p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Compliance</category>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Wed, 26 Oct 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/blogs/Quocirca/2011/10/consumers_say_no_to_data_leaks_.html?ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Avoiding (awful) bad practice at audit time</title>
            <link>http://www.it-director.com/blogs/Quocirca/2011/10/avoiding_awful_bad_practice_at_aud_.html?ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 21st October 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Quocirca saw an estimate recently that IT security managers can spend as much as 30% of their time preparing for and delivering audits. This is mundane and uninteresting work and if it can be automated &#8211; all the better. However, recent Quocirca research, sponsored by sys-admin tools vendor Osirium, shows that less than 20% of organisations fully automate the gathering of data for audits and less than 10% automate the remediation of audit gaps.</p>
<p>What&#8217;s more, over 70% admitted that in some cases system administrators (sys-admins) had made informal, uncontrolled changes to sys-admin procedures immediately prior to audits in order to meet the audit requirements, changes which then lapsed once the audit was over; 8% said this was a regular practice. Obviously, this is extremely bad practice; if auditors uncovered the fact that procedures had been temporarily changed to satisfy them, the audit would surely be failed anyway.</p>
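<p>An added example of what automating the evidence gathering makes possible (example code written for this edit; the policy, the sshd_config-style setting names and the daily snapshots are constructed and are not Osirium&#8217;s or Quocirca&#8217;s data): if configuration state is collected automatically every day rather than only when an auditor asks, a setting that was compliant only for the few days around the audit stands out in the timeline, and the same snapshots yield the list of gaps a remediation job would work from.</p>

```python
"""Added example: automated audit evidence and detection of audit-only compliance.

POLICY, the setting names and the fourteen daily snapshots are constructed
for this illustration.
"""
from datetime import date, timedelta

# Constructed policy: setting -> required value.
POLICY = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "3",
}


def audit_gaps(snapshot):
    """Settings that do not meet POLICY, as setting -> (actual, required).
    This is the list an automated remediation job would work from."""
    return {k: (snapshot.get(k), v) for k, v in POLICY.items() if snapshot.get(k) != v}


def compliance_timeline(history, setting):
    """[(date, compliant?)] for one setting across all snapshots: the evidence
    an auditor can be handed instead of a hand-prepared statement."""
    ordered = sorted(history, key=lambda item: item[0])
    return [(d, snap.get(setting) == POLICY[setting]) for d, snap in ordered]


def audit_only_compliance(history, audit_day, margin=timedelta(days=2)):
    """Settings compliant on every snapshot within `margin` of the audit but
    non-compliant on at least one snapshot before that window and one after
    it: the 'tidy up for the auditor, then let it lapse' pattern."""
    lo, hi = audit_day - margin, audit_day + margin
    flagged = []
    for setting in POLICY:
        timeline = compliance_timeline(history, setting)
        inside = [ok for d, ok in timeline if lo <= d <= hi]
        bad_before = any(not ok for d, ok in timeline if d < lo)
        bad_after = any(not ok for d, ok in timeline if d > hi)
        if inside and all(inside) and bad_before and bad_after:
            flagged.append(setting)
    return flagged


def build_history():
    """Constructed daily snapshots for 1-14 Oct 2011 with an audit on 10 Oct.
    PermitRootLogin is set to 'no' only for the days around the audit;
    PasswordAuthentication is genuinely compliant; MaxAuthTries never is."""
    history = []
    for day in range(1, 15):
        snap = {
            "PermitRootLogin": "no" if 8 <= day <= 12 else "yes",
            "PasswordAuthentication": "no",
            "MaxAuthTries": "6",
        }
        history.append((date(2011, 10, day), snap))
    return history


if __name__ == "__main__":
    history = build_history()
    audit_day = date(2011, 10, 10)
    print("gaps on audit day:", audit_gaps(dict(history)[audit_day]))
    print("gaps today:", audit_gaps(history[-1][1]))
    print("compliant only around the audit:", audit_only_compliance(history, audit_day))
```

On the constructed history the audit-day snapshot shows only the MaxAuthTries gap, the latest snapshot shows two gaps, and PermitRootLogin is flagged as compliant only around the audit; a genuinely non-compliant setting (MaxAuthTries) and a genuinely compliant one (PasswordAuthentication) are both left alone by that check.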
<p>Osirium has published the research and some suggestions for achieving better practices as the first of its <a href="http://www.osirium.com/alpha-files/" rel="nofollow">Alpha Files</a>, a series of short reports on sys-admin, privileged user management and auditing practices. Quocirca will be publishing a new free report later in 2011 that will present and analyse in detail all the new research.</p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Systems Mgmt</category>
            <category>Business Issues-&gt;Compliance</category>
            <pubDate>Fri, 21 Oct 2011 09:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/blogs/Quocirca/2011/10/avoiding_awful_bad_practice_at_aud_.html?ref=fd_side_itd</guid>
        </item>
        <item>
            <title>BYO security: three ways to tighten iPad and smartphone access without choking innovation</title>
            <link>http://www.it-director.com/business/security/content.php?cid=13000&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 18th October 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Recent Quocirca research among European, US and Australian small businesses shows how far the trend to consumerisation of user access to IT has progressed. Over 70% of those interviewed said they allowed at least some of their employees to access certain data and applications from their personally owned devices.</p>
<p>When Quocirca speaks with chief information security officers (CISOs) in larger businesses, they admit that one of the reasons their organisations are also observing the same trend is that in practice it is hard to stop. Senior staff will insist on such access; junior ones will seek ways around controls, including the use of other communications channels if they are blocked from accessing formal ones, such as corporate email, from their personal devices.</p>
<p>However, as the Quocirca research shows, there are positive reasons for allowing such access. The use of smartphones is fundamental to enabling remote working. Over 90% of the small business managers interviewed had staff that worked out of the office at some point during the week and they were the ones most likely to be using such devices for remote IT access.</p>
<p>Of course, it is not just smartphones. Many of those employees will already have notebook and laptop computers and they are also rapidly turning to tablets. Over 40% of the respondents in the recent research said some of their employees were using such devices and another 20% expected this to be the case within 12 months.</p>
<p>In many cases, remote workers, for example field service engineers logging faults and social workers filing home visit reports, will be using company-issued mobile devices to participate in locked down business processes. However, for a growing majority it is simply about more flexible working and access to information as and when it is needed&#8212;such information workers are behind the mobility revolution that is going on in the IT industry and readers here will mostly fit that category.</p>
<p>However, regardless of all the benefits, information workers present their employers with a problem. How do you keep control of the information itself? How do you benefit from mobility and consumerisation without losing control, becoming a victim of data loss and coming to the notice of regulators? There is also a problem for the users themselves. As they switch from one device to another for convenience, how do they get a consistent view of their data?</p>
<p>There is no silver bullet for solving the employer&#8217;s problem, but there are ways of reducing the risks. First, a business must take as much control of its data as it can. It is possible to secure mobile devices using encryption and host based end-point security, but there is the problem of device ownership; installing software on the users&#8217; own devices creates licencing and management issues.</p>
<p>For many, a better way is to impose centralised controls; that is, to provide a means of accessing data which is easy to use and requires minimal modification of the user&#8217;s device. There are three basic approaches, and a given organisation may need to use one or more of them to achieve its goals:</p>
<ol><li>Virtual desktops. Here, data is not actually processed on the device, but the device is simply an access tool to a desktop that is available anywhere the user can get online. There are limitations with this approach when it comes to smartphones (due to screen and keyboard size), but software in this area is improving fast (for example Citrix Receiver). However, it may still require some locally installed software for some advanced functions.</li>
<li>Provide access to applications that allow data to be viewed and updated, but not copied. For example, just because you allow employees to read email remotely does not mean the actual content need be copied to a device. Such applications can be provided through corporate app stores that support the range of devices employees want to use; users download the apps themselves, giving their consent to installation in the process. This is the best way to provide access to corporate applications (CRM, ERP etc.) for those on the move.</li>
<li>Provide direct access to central document stores. Here, with the right products, access can be provided to view files with appropriate caveats. Public domain documents (e.g. marketing materials) can be freely copied and used later offline, whilst restricted documents can only be viewed whilst online, helping to protect an organisation&#8217;s digital rights. Some products require no local software to be installed to provide such access. Offerings here include portals such as Microsoft SharePoint or specific file sharing/backup services such as Trend Micro SafeSync and Druva inSync.</li>
</ol><p>The last of these also helps solve the employee&#8217;s problem; if the central data store supports access from multiple operating systems (iOS, Windows, Android etc.) it gives them access to documents from whatever device they happen to be using. Provided this is a secure service, it also helps prevent another insidious problem: if there is no easy-to-use method for centrally storing documents, employees may synch their devices using other services&#8212;some secure, some less so&#8212;and employers may then have no idea where their data is ending up.</p>
<p>Generally speaking, the benefits of embracing consumerisation outweigh the risks, provided those risks are mitigated in so far as is possible. Employers that are proactive in doing so will ultimately find they get more out of their employees, without taking unnecessary risks with their data.</p>
<p>Quocirca&#8217;s report, &#8220;The data sharing paradox&#8221;, is freely available here: <a href="http://www.quocirca.com/reports/620/the-data-sharing-paradox" rel="nofollow">http://www.quocirca.com/reports/620/the-data-sharing-paradox</a></p>
<p><em>This article first appeared in Oct 2011 on </em><a href="http://www.silicon.com/" rel="nofollow">http://www.silicon.com</a></p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Mobile</category>
            <pubDate>Tue, 18 Oct 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=13000&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Complex IT security risks can only be treated with comprehensive response, not point products</title>
            <link>http://www.it-director.com/business/security/content.php?cid=12992&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner"><img border="0" src="http://www.it-director.com/images/people/small/dana_gardner.gif" width="40" height="50" alt="Dana Gardner" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner">Dana Gardner</a>, <em>Principal Analyst</em>, Interarbor Solutions<br/>Posted: 12th October 2011<br/>Copyright Interarbor Solutions &copy; 2011</td><td><a href="http://www.it-director.com/about/company/8862/interarbor_solutions.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/interarbor_solutions.gif" width="88" height="33" alt="Logo for Interarbor Solutions" /></a></td></tr></table></div>

<p>This latest BriefingsDirect discussion takes on the rapidly increasing threat that enterprises face from complex IT security breaches.</p>
<p>In just the past year, the number of attacks is up, the costs associated with them are higher and more visible, and the risks of not securing systems and processes are therefore much greater. Some people have even called the rate of attacks a pandemic.</p>
<p>The path to reducing these risks, even as the threats escalate, is to <a href="http://www.it-director.com/enterprise/technology/content.php?cid=12949">confront security at the framework and strategic level</a>, and to harness the point solutions approach into a managed and ongoing security enhancement lifecycle.</p>
<p>As part of the series of recent news announcements from HP, this discussion examines how such a framework process can unfold, from <a href="http://www.hp.com/hpinfo/newsroom/press_kits/2011/risk2011/FS_Assess.pdf" rel="nofollow">workshops</a> that allow a frank assessment of an organization&#8217;s vulnerabilities, to tailored framework-level approaches that can transform a company based on its own specific needs.</p>
<p>Here to describe how a "fabric of technology," a "framework of processes," and a "lifecycle of preparedness" can all work together to help organizations become more secure&#8212;and keep them secure&#8212;is Rebecca Lawson, Director of Worldwide Security Initiatives at HP. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]</p>
<p>Here are some excerpts:</p>
<p><strong>Gardner:</strong> Why has the security vulnerability issue come to a head?</p>
<p><strong>Lawson:</strong> Open up the newspaper and you see another company getting hit almost every day. As an industry, we've hit a tipping point with so many different security related issues&#8212;for example, cyber crime, hacktivism, nation-state attacks. When you couple that with the diversity of devices that we use, and the wide range of apps and data we access every day, you can see how these dynamics create a very porous environment for an enterprise.</p>
<p>So we are hearing from our customers that they want to step back and think more strategically about how they're going to handle security, not just for the short term, when threats are near and present, but also from a longer term point of view.</p>
<p><strong>Gardner:</strong> What do you think are some of the trends that are supporting this vulnerability?</p>
<p><strong>Lawson:</strong> In HP&#8217;s <a href="http://www.arcsight.com/collateral/whitepapers/2011_Cost_of_Cyber_Crime_Study_August.pdf" rel="nofollow">recent research</a>, we've found that 30 percent of the people know that they've had a security breach from unauthorized internal access, and over 20 percent have experienced an external breach. So breaches happen both internally and externally, and they happen for different reasons. Sometimes a breach is caused by a disgruntled customer or employee. Sometimes, there is a political motive. Sometimes, it's just an honest error ... Maybe they grab some paper off a printer that has some proprietary information, and then it gets into the wrong hands.</p>
<p>There are so many different points at which security incidents can occur; the real trick is getting your arms around all of them and focusing your attention on those that are most likely to cause reputation damage or financial damage or operational damage.</p>
<p>We also noticed in our research that the number of attacks, particularly on web applications, is just skyrocketing. One of the key areas of focus for HP is helping our customers understand why that&#8217;s happening, and what they can do about it.</p>
<p><strong>Gardner:</strong> It also seems to me that, in the past, a lot of organizations could put up a walled garden, and say, "We're not going to do a lot of web stuff. We're not going to do mobile. We're going to keep our networks under our control." But nowadays that&#8217;s really just not possible.</p>
<p>If you're not doing mobile, not looking seriously at cloud, not making your workers able to access your assets regardless of where they are, you're really at a disadvantage competitively. So it seems to me that this is not an option, and that the old defensive posture just doesn&#8217;t work anymore.</p>
<p><strong>Lawson:</strong> That is exactly right. In the good old days, we did have a walled garden, and it was easy for IT or the security office to just say &#8220;no&#8221; to newfangled approaches to accessing the web or building web apps. Of course, today they can still say no, but IT and security offices realize that they can't thwart the technology-related innovation that helps drive growth.</p>
<p>Our customers are keenly aware that their information assets are the most important assets now. That&#8217;s where the focus is, because that&#8217;s where the value is. The problem is that all the data and information moves around so freely now. You can send data in the blink of an eye to China and back, through multiple applications, where it&#8217;s used in different contexts. The context can change so rapidly that you have to really think differently about what it is you're protecting and how you're going to go about protecting it. So it's a different game now.</p>
<p><strong>Gardner:</strong> And as we confront this "new game," it also appears that our former organizational approach is wanting. If we've had a variety of different security approaches under the authority of different people&#8212;not really coordinated, not talking to each other, not knowing what the right hand and left hand are doing&#8212;that&#8217;s become a problem.</p>
<p>So how do we now elevate this to a strategic level, getting a <a href="http://www8.hp.com/us/en/solutions/solutions-detail.html?compURI=tcm:245-339290" rel="nofollow">framework</a>, getting a comprehensive plan? It sounds like that&#8217;s what a lot of the news you've been making these days is involved with.</p>
<p><strong>Lawson:</strong> You're exactly right. Our customers are realizing that there is no one silver bullet. You have to think across functional areas, lines of business, and silos.</p>
<p>Job number one is to bring the right people together and to assess the situation. The people are going to be from all over the organization&#8212;IT, security and risk, AppDev, legal, accounting, supply chain&#8212;to really assess the situation. Everyone should not only be aware of where vulnerabilities might be, or where the most costly vulnerabilities might be, but should also look ahead and say, "Here is how our enterprise is innovating with technology&#8212;let's make sure we build security into them from the get-go."</p>
<p>There are two takeaways from this. A structured methodical framework approach helps our customers get the people on the same page, getting the processes from top-down really well-structured so that everyone is aware of how different security processes work and how they benefit the organizations so that they can innovate.</p>
<p>[But] it's also about long-term thinking, about building security in from the get-go; this is where companies can start to turn the corner. I'll go back again to web apps, building security into the very requirement and making sure all the way through the architecture design, testing, production, all the way through that you are constantly testing for security.</p>
<p><strong>Gardner:</strong> What are the high-level building blocks to the framework approach?</p>
<p><strong>Lawson:</strong> The <a href="http://h20195.www2.hp.com/V2/GetPDF.aspx/4AA3-6821ENW.pdf" rel="nofollow">framework that I just mentioned</a> is our way of looking at what you have to do across securing data, managing suppliers, ensuring physical assets, or security, but our approach to executing on that framework is a four-point approach.</p>
<p>We help our customers first assess the situation, which is really important just to have all eyes on what's currently happening and where your current vulnerabilities may lie. Then, we help them to transform their security practices from where they are today to where they need to be.</p>
<p>Then, technologies and services to help them manage that on an ongoing basis, so that you can get more and more of the security controls automated. And then, we help them optimize that, because security just doesn't stand still. So we have tools and services that help our customers keep their eye on the right ball, as all of the new threats evolve or new compliance requirements come down the pike.</p>
<p><strong>Gardner:</strong> What is <a href="http://h10131.www1.hp.com/uk/en/information-security/secure-boardroom/" rel="nofollow">HP Secure Boardroom</a>, and why is it important as part of this organizational shift?</p>
<p><strong>Lawson:</strong> The Secure Boardroom combines dashboard technology with a good dose of intellectual property we have developed that helps us generate the APIs into different data sources within an organization.</p>
<p>The result is that a CISO can look at a dashboard and instantly see what's going on all across the organization. What are the threats that are happening? What's the rate of incidents? What's going on across your planning spectrum?</p>
<p>To have the visibility into disparate systems is step one. We've codified this over the several years that we've been working on this into a system that now any enterprise can use to pull together a consistent C-level view, so that you have the right kind of transparency.</p>
<p>Half the battle is just seeing what's going on every day in a consistent manner, so that you are focused on the right issues, while discovering where you might need better visibility or where you might need to change process. The Secure Boardroom helps you to continually be focused on the right processes, the right elements, and the right information to better protect financial, operational, and reputation-related assets.</p>
<p>... Because we've been in the systems management and business service management business for so long, I would elevate this up to the level of the business service management.</p>
<p>We already have a head start with our customers, because they can already see the forest for the trees with regard to any one particular service. Let's just say it's a service in the supply chain, and that service might comprise network elements and systems and software and applications and all kinds of data going through it. We're able to tie the management of that through traditional management tools, like what we had with OpenView and what we have with our business service management to the view of security.</p>
<p>When you think about vulnerabilities, threats, and attacks, the first thing you have to do is have the right visibility. The technology in our security organization that helps us see and find the vulnerabilities really quickly.</p>
<p>Because we have our <a href="http://www8.hp.com/us/en/software/software-solution.html?compURI=tcm:245-937035" rel="nofollow">security technology tied with IT operations</a>, there is an integration between them. When the security technology detects something, they can automatically issue an alert that is picked up from our incident management system, which might then invoke our change management system, which might then invoke a prescribed operations change, and we can do that through <a href="http://www8.hp.com/us/en/software/software-product.html?compURI=tcm:245-936143" rel="nofollow">HP Operations Orchestration</a>.</p>
<p>It really is a triad&#8212;security, applications, operations. At HP, we&#8217;re making them work together. And because we have such a focus now on data correlation, on Big Data, we're able to bring in all the various sources of data and turn that into actionable information, and then execute it through our automation engine.</p>
<p>... For example, we have a technology that lets you scan software and look for vulnerabilities, both dynamic and static testing. We have ways of finding vulnerabilities in third-party applications. We do that through our research organization, which is called <a href="http://dvlabs.tippingpoint.com/" rel="nofollow">DVLabs</a>. DV stands for Digital Vaccine. We pull data in from them every day as to new vulnerabilities and we make that available to the other technologies so we can blend that into the picture.</p>
<p>The right kind of security fabric has to be composed of different technologies that are very focused on certain areas. For example, technologies like our intrusion protection technology, which does the packet inspection and can identify bad IP addresses. They can identify that there are certain vulnerabilities associated with the transaction, and they can stop a lot of traffic right at the gate before it gets in.</p>
<p>The reason we can do that so well is because we've already woven in information from our applications group, information from our researchers out there in the market. So we've been able to pull these together and make more value out of them working as one.</p>
<p><strong>Gardner:</strong> Is there a path now toward security as a service, or some sort of a managed service, hybrid model?</p>
<p><strong>Lawson:</strong> A lot of people think that when the words cloud and security are next to each other, bad things happen, but in fact, that&#8217;s not always the case.</p>
<p>Once an enterprise has the right plan and strategy in place, they start to prioritize what parts of their security are best suited in-house, with your own expertise, or what parts of the security picture can you or should you hand off to another party. In fact, one of our announcements this week is that we have a service for endpoint threat management.</p>
<p>If you're not centrally managing your endpoint devices, a lot of incidents can happen and slip through the cracks&#8212;everything from an employee just losing a phone to an employee downloading an application that may have vulnerabilities.</p>
<p>So managing your endpoint devices in general, as well as the security associated with the endpoints, makes a lot of sense. And it&#8217;s a discrete area where you might consider handing the job to a managed services provider, who has more expertise as well as better economic incentives.</p>
<p>Another great example of using a cloud service for security is application testing. We are finding that a lot of the web apps out in the market aren't necessarily developed by application developers who understand that there's a whole lifecycle approach involved.</p>
<p>In fact, I've been hearing interesting statistics about the number of web apps that are written by people formerly known as webmasters. These folks may be great at designing apps, but if you're not following a full application lifecycle management practice, which invokes security as one of the base principles of designing an app, then you're going to have problems.</p>
<p>What we found is that this explosion of web apps has not been followed closely enough by testing. Our customers are starting to realize this and now they're asking for HP to help, because in fact there are a lot of app vulnerabilities that can be very easily avoided. Maybe not all of them, but a lot of them, and we can help customers do that.</p>
<p>So testing as a service as a cloud service or as a hosted or managed service is a good idea, because you can do it immediately. You don't incur the time and money to spin up a testing center of excellence&#8212;you can use the one that HP makes available through our SaaS model.</p>
<p><strong>Gardner:</strong> As part of your recent announcements, you're moving more toward a managed services provider role.</p>
<p><strong>Lawson:</strong> One of the great things about many of the technologies that we've purchased and built in the last few years is that we're able to use them in our managed services offerings.</p>
<p>I'll give you an example. Our ArcSight product for Security Information and Event Management is now offered as a service. That's a service that really gets better the more expertise you have and the more focused you are on that type of event correlation and analysis. For a lot of companies they just don't want to invest in developing that expertise. So they can use that as a service.</p>
<p>We have other offerings, across testing, network security, endpoint security, that are all offered as a service. So we have a broad spectrum of delivery model choices for our customers. We think that&#8217;s the way to go, because we know that most enterprises want a strategic partner in security. They want a trusted partner, but they're probably not going to get all of their security from one vendor of course, because they're already invested.</p>
<p>We like to come in and look first at establishing the right strategy, putting together the right roadmap, making sure it's focused on helping our customer innovate for the future, as well as putting some stopgap measures in so that you can thwart the cyber threats that are near and present danger. And then, we give them the choice to say what's best for their company, given their industry, given the compliance requirements, given time to market, and given their financial posture?</p>
<p>There are certain areas where you're going to want to do things yourself, certain areas where you are going to want to outsource to a managed service. And there are certain technologies already at play that are probably just great in a point solution context, but they need to be integrated.</p>
<p>Most of our customers already have lots of good things going on, but they just don't all come together. That's really the bottom line here. It has to be an integrative approach. It has to be a comprehensive approach. And the reason the bad guys are so successful causing havoc is that they know that all of this is disconnected. They know that security technologies tend to be fragmented and they're going to take advantage of that.</p>
<p>I'd definitely suggest going to <a href="http://hp.com/go/enterprisesecurity" rel="nofollow">hp.com/go/enterprisesecurity</a>. In particular, there is a report that you can download and read today called the "HP DVLabs&#8217; Cyber Security Risks Report." It&#8217;s a report that we generate twice a year and it has got some really startling information in it. And it&#8217;s all based on, not theoretical stuff, but things that we see, and we have aggregated data from different parts of the industry, as well as data from our customers that show the rate of attacks and where the vulnerabilities are typically located. It&#8217;s a real eye opener.</p>
<p>So I would just suggest that you search for the <a href="http://www.google.com/#sclient=psy-ab&amp;hl=en&amp;source=hp&amp;q=dvlabs+cyber+security+risks&amp;pbx=1&amp;oq=dvlabs+cyber+security+risks&amp;aq=f&amp;aqi=&amp;aql=&amp;gs_sm=e&amp;gs_upl=2468l9117l0l9393l27l20l0l0l0l0l297l3638l3.10.7l20l0&amp;bav=on.2,or.r_gc.r_pw.r_cp.&amp;fp=7f54f978834d2cf0&amp;biw=757&amp;bih=948" rel="nofollow">DVLabs&#8217; Cyber Security Risks Report</a> and read it, and then pass it on to other people in your company, so that they can become aware of what the situation really is. It&#8217;s a little startling, when you start to look at some of the facts about the costs associated with application breaches or the nature of complex persistent attacks. So awareness is the right place to start.</p>
<p><a href="http://traffic.libsyn.com/interarbor/BriefingsDirect-Security_Trends_Point_to_Need_for_Comprehensive_Response.mp3" rel="nofollow">Listen</a> to the podcast. Find it on <a href="http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=85270006&amp;s=143441" rel="nofollow">iTunes/iPod</a>. Read a <a href="http://briefingsdirect.blogspot.com/2011/10/complex-it-security-risks-can-only-be.html" rel="nofollow">full transcript</a> or <a href="http://interarborsolutions.books.officelive.com/Documents/HPSecurityLawsonA.pdf" rel="nofollow">download</a> a copy.</p>]]></description>
            <author>rss@it-analysis.com (Dana Gardner, Interarbor Solutions)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Security</category>
            <category>Enterprise-&gt;Technology</category>
            <pubDate>Wed, 12 Oct 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=12992&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Mobilising SMB security improvements</title>
            <link>http://www.it-director.com/business/security/content.php?cid=12989&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 11th October 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>There is a paradox at the heart of 21st century business processes. The effective sharing of data makes these processes more efficient but carries an inherent risk that the data may be compromised. This applies both to providing access to data for mobile and remote employees and the sharing of data with external users. In the latter case, Quocirca research has recently suggested that improving the way business processes operate, among SMBs at least, is the primary motivation for such sharing (Figure 1).</p>
<p><img src="http://www.it-director.com/shared/sharedataslide1.jpg" alt="Slide 1" width="450" height="320" /></p>
<p>The risks involved with sharing data can be mitigated. How this is best done depends on a number of factors, including the user, the device, who owns the device, the application involved and the type of connection. Historically, users have gained access to centrally managed data and applications via employer-owned and -managed mobile PC devices using VPN connections to internal servers.</p>
<p>Today, many SMBs do not have their own physical servers, often turning to cloud, and while VPN access can be set up relatively easily on employer-supplied laptops, it is harder if external users are using their own devices. It is also more likely to involve smartphones and tablets than traditional PCs, due to consumerisation (Figure 2). In theory, VPN access can be provided for these, but this creates a host of management issues, such as those surrounding the licensing of corporate software on externally owned devices.</p>
<p><img src="http://www.it-director.com/shared/sharedataslide2.jpg" alt="Slide 2" width="450" height="320" /></p>
<p>Regardless, business data is at risk, as it is most commonly shared using ad hoc methods such as email and memory sticks, over which the business has little control (Figure 3). Not only can data be shared insecurely, it can also end up on those mobile devices owned by employees or outsiders, and be completely unprotected if such devices are lost or stolen.</p>
<p><img src="http://www.it-director.com/shared/sharedataslide3.jpg" alt="Slide 3" width="450" height="320" /></p>
<p>There is no silver bullet here, but there are ways of reducing the risks. A business must take as much control of its data as it can. It is possible to secure mobile devices themselves using encryption and host-based end-point security, but again there is the problem of device ownership. It may make sense to allow employees to use their own devices&#8212;the employees will probably do so anyway&#8212;but managing the devices, and installing and licensing software on them, can be costly and difficult.</p>
<p>A better way of reducing risks is to impose centralised controls. That is, provide a means of accessing and sharing data that is easy to use and requires minimal modification of the user&#8217;s device. There are three basic approaches:</p>
<ol><li>Virtual desktops. Here, data is not actually processed on the device, which is used simply to gain access to the desktop, anywhere the user can get online. There are limitations to this approach when it comes to smartphones due to screen and keyboard size, but software that makes this a better user experience is improving fast (see, for example, Citrix Receiver). However, this option still requires some locally installed software.</li>
<li>Provide access to applications that allow data to be viewed and updated but not copied. Just because you allow employees to read email remotely does not mean the actual content has to be copied to a mobile device. Such applications can be provided through the creation of corporate app stores that support the range of devices employees want to use. Staff can download from there, providing their consent for installation in the process.</li>
<li>Provide direct access to central data stores. Using this approach, access can be provided to view files through the right products, with caveats. Public domain documents such as marketing collateral can be freely copied and used later offline, while restricted documents can be viewed only online, helping to protect an organisation&#8217;s intellectual property. No local software is needed to do this. Offerings here include portals, such as Microsoft SharePoint, or specific file-sharing/backup services, such as Trend Micro SafeSync.</li>
</ol><p>One thing is certain: no business can ignore the mobility revolution. All need a strategy to manage it. Those who embrace it with controls in place will benefit in the long term, while those who bury their heads in the sand will lag behind.</p>
<p>This article first appeared on http://www.channelweb.co.uk and in the print edition of Computer Reseller News (CRN).</p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Data management</category>
            <pubDate>Tue, 11 Oct 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=12989&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Responsible data leak disclosure</title>
            <link>http://www.it-director.com/business/security/content.php?cid=12955&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 20th September 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>There has been plenty written, not least by Quocirca, on the danger of data loss and how to prevent it. Less has been said about how to clear up afterwards, when the measures taken to protect a business from such losses have failed or were not present in the first place. In particular, little has been said about the responsibilities an organisation has when it comes to disclosing that such an incident has occurred.</p>
<p>One of the reasons for this is that the legal situation is a bit vague, so there is a temptation to think that the problem can be brushed under the carpet. Organisations that do this may find themselves in hot water if details emerge at a later date, or at least hotter water than they would have been had the leak been reported in the first place.</p>
<p>For any UK-based business, the first stop is the Data Protection Act (DPA) enforced by the Information Commissioner's Office (ICO). The specific <a href="http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/breach_reporting.pdf" rel="nofollow">advice</a> on the ICO web site with regard to disclosure is as follows:</p>
<p><em>&#8220;Although there is no legal obligation in the DPA for data controllers to report breaches of security which result in loss, release or corruption of personal data, the information Commissioner believes serious breaches should be brought to the attention of his Office. The nature of the breach or loss can then be considered together with whether the data controller is properly meeting his responsibilities under the DPA&#8221;</em></p>
<p>So that&#8217;s alright then, keeping hush-hush is OK? Not really: just because the &#8220;<em>data controller</em>&#8221; (that is, the person in any given business charged with the security of personal data) is not required to report a leak, it does not mean that the leak has not occurred. If the problem comes to light at a later date, and this is when the ICO finds out, then he is likely to take a dimmer view than if the leak had been reported up front. And remember, if personal data is involved, &#8220;<em>data subjects</em>&#8221; (that is, you and me, in our roles as private citizens) may be the first to find out, and their privacy is enshrined in the European Human Rights Act (Article 8).</p>
<p>Furthermore, the pressure to disclose was increased on May 26th 2011, at least for certain organisations. The &#8220;<em>Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011</em>&#8221; (PECR) specifically require service providers to notify the ICO, and in some cases individuals themselves, of personal data security breaches. PECR was introduced mainly to target the use of cookies that internet service providers can use to gather personal data to personalise web services.</p>
<p>Beyond the DPA and ICO there are other pressures to disclose. For example, the Financial Services Authority (FSA) arguably obliges the firms it regulates to notify data breaches as part of their general reporting duties. Another standard that requires disclosure and already affects many businesses is the Payment Card Industry Data Security Standard (PCI-DSS).</p>
<p>PCI-DSS compliance is required for any business that accepts payment cards &#8211; even if the quantity of transactions is just one. It is enforced via the major card brands (VISA, MasterCard, AMEX, Discover and JCB) and the obligation to disclose is in their contracts. For example, VISA advises the following steps be taken:</p>
<ul><li>Contact law enforcement</li>
<li>Contact bank</li>
<li>Contact VISA fraud control</li>
<li>Preserve logs</li>
<li>Make notes of all these actions</li>
</ul><p>VISA also advises:</p>
<p>&#8220;<em>Make sure you have a written policy with an incident response plan and make sure all employees are aware of it</em>&#8221;.</p>
<p>VISA's advice is pretty good for handling any data loss: getting control of the situation at an early stage and informing affected parties makes sense for any data leak.</p>
<p>Beyond payment card data, there is plenty of other advice available. <a href="http://www.ffw.com/" rel="nofollow">Field, Fisher and Waterhouse</a>, a law firm specialising in data protection law, has a 10-point plan for handling the theft of a laptop. One point it makes is to have a media strategy, not just to get the media on side ASAP, but because it may also be the most effective way of informing data subjects. This will depend on the nature of the data loss and whether a criminal investigation is likely to ensue.</p>
<p>The trend towards an obligation to disclose data leaks is clearly happening on a number of fronts. However, even if you think that in a given circumstance you can get away without disclosing a leak, you would almost certainly be wrong to do so. A leak is a leak whether you disclose it or not; it needs proactive management from the moment it has occurred, and your organisation needs to be prepared for the seemingly inevitable.</p>
<p>Quocirca will be presenting at the UK Infosecurity Virtual Conference on Sept 27th 2011 on the topic of &#8220;Responsible Data Breach Disclosure&#8221;; for more information go <a href="http://www.quocirca.com/news/78" rel="nofollow">here</a>.</p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Compliance</category>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Business Issues-&gt;Regulation</category>
            <pubDate>Tue, 20 Sep 2011 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=12955&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Mobile device consumerisation - more risky than it first appears</title>
            <link>http://www.it-director.com/business/security/content.php?cid=12957&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/99/rob_bamforth.php?ref=fd_side_itd" title="View profile for Rob Bamforth"><img border="0" src="http://www.it-director.com/images/people/small/rob_bamforth.gif" width="40" height="50" alt="Rob Bamforth" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/99/rob_bamforth.php?ref=fd_side_itd" title="View profile for Rob Bamforth">Rob Bamforth</a>, <em>Principal Analyst</em>, Quocirca<br/>Posted: 20th September 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Consumerisation of IT has been a popular recent discussion point, and it is the encroachment of consumer mobile devices &#8211; in particular smartphones and tablets &#8211; that appears to be causing most passion. The pro argument generally starts with one of the following: employees are already used to better tools in their personal life, we have to do this to recruit a younger workforce, our brand will suffer if we&#8217;re not seen as leading edge, or it&#8217;s cheaper.</p>
<p>Whatever the reality or merits of the first three, the last point deserves closer investigation along with the impacts on organisational security. The problem is that allowing employees to pick, choose, buy and bring their own mobile tools into the workplace seems like a simple outsourcing of a particular procurement issue to someone who cares more passionately about it. However, it brings a lot more complex baggage than the neat little black or white cardboard box the hardware arrives in, and that baggage falls into three significant aspects of mobile consumerisation &#8211; device, contract, content.</p>
<p>Device is the part that most focus on, and why not? It&#8217;s the shiny gadget that has become cool and desirable. It taps into people&#8217;s feelings about self-esteem and status as well as any social needs for connection or geeky desire for the latest toy. These devices are expensive, and so on the face of it encouraging employees to BYOD (bring/buy your own device) saves money.</p>
<p>However, there are bigger costs and risks at stake elsewhere for the organisation. Mobile devices typically need network contracts, unless relying on pay-as-you-go or free Wi-Fi for connection. All-embracing corporate contracts come with many financial economies of scale that a chaotic collection of independent employee ones will lack. Quocirca has explored this challenging issue more fully in its recent free-to-download report &#8220;<a href="http://www.quocirca.com/reports/605/carrying-the-can--consumerisation-and-enterprise-mobility" rel="nofollow">Carrying the can</a>&#8221;.</p>
<p>The third area, content, is equally complex, as whoever owns and pays for a mobile device - employee or employer - its use is likely to straddle personal and business activities. In addition to communications tools and access for business applications there will always be a mass of consumer content. For smartphones and tablets, &#8220;content&#8221; includes both software and data. The line is often blurred, and despite many technical and religious discussions along the lines of &#8220;app or browser&#8221;, the underlying issues of enterprise control of costs and risks apply either way.</p>
<p>The convergence of work and personal content on one device, no matter who purchased the hardware or pays for the connection, raises the issues of content security, suitability and diligence.</p>
<p>For most organisations mobile security is a major concern, and rightly so, as it is not only malicious acts such as theft and hacking or the careless loss of a device that might lead to breaches of security. Simply cutting corners for the sake of &#8216;expediency&#8217; will not do. Two doctors were recently overheard on the train discussing how their operation lists were being downloaded to their iPhones. They found it useful, but wondered if it might not really be good practice, although they &#8216;presumed&#8217; there was insufficient detail to identify patients.</p>
<p>Whether this procedure was instigated by the users trying to make their lives simpler or someone in IT wanting to appear useful, is irrelevant. Mobile security needs to be seen to be taken seriously as well as actually being addressed through suitable on-device software, content access practices and services from providers. All too often it appears that there has been only a limited mobile security risk assessment or insufficient user training. These aspects may lack the intellectual pizzazz of security software, VPNs and all things prefixed &#8216;cyber&#8217;, but the social or human elements are critical for addressing the weakest link &#8211; the user.</p>
<p>For mobile devices, even the technical aspects of security are rarely completely understood in IT departments, and the more complex issues involving the diligence of checking suitability of use can really only be answered by those responsible for business processes. What is the right usage of any given application on a mobile device? It might depend on the individual role or department, work needs, employee location at the moment of access and actual device in use at the time. This is a complex mix of business and social requirements that need suitable policies and tools for enforcement.</p>
<p>Employees should know where they stand, what is acceptable and what is not. A number of mobile device management tool vendors have stepped into this adjacent area of monitoring, directing and curtailing user behaviours. While this might seem a bit &#8216;big brother&#8217; to some, many organisations will need audit trails to show they have sufficient safeguards in place to protect sensitive data. If the details of someone&#8217;s operation were found on the train, the health authority or employer would be where blame would be cast first, not the employee.</p>
<p>With BYOD these management tools now have the more difficult task of projecting the need for organisational control onto the personal device of an individual. They need to do this without compromising the integrity of business activities or violating the individual&#8217;s personal content or device. It is a fine line, and an easier way to tackle it would be to have one device for work, one for home - as many do now - but ultimately a portfolio of functions or personalities will need to reside on a single device.</p>
<p>The wave of virtualisation that hit the datacenter is already travelling through the network as virtual private networks and virtual desktop infrastructures. These offer an insight into how businesses might secure BYOD, and may extend virtualisation further into multiple virtual personalities (and operating systems) on the mobile devices at the edge.</p>
<p>All of this has cost implications, and these content considerations, as well as the contract issues, need to be taken into account when organisations consider the savings of allowing employees to acquire their own devices. &#8216;Consumerisation&#8217; is looking as simple and pain free as &#8216;convergence&#8217;.</p>]]></description>
            <author>rss@it-analysis.com (Rob Bamforth, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Mobile</category>
            <pubDate>Tue, 20 Sep 2011 06:40:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=12957&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>The Technology Behind Cyberterrorism</title>
            <link>http://www.it-director.com/business/security/content.php?cid=12935&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/12514/nigel_stanley.php?ref=fd_side_itd" title="View profile for Nigel Stanley"><img border="0" src="http://www.it-director.com/images/people/small/nigel_stanley.gif" width="40" height="50" alt="Nigel Stanley" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/12514/nigel_stanley.php?ref=fd_side_itd" title="View profile for Nigel Stanley">Nigel Stanley</a>, <em>Practice Leader -  IT Security</em>, Bloor Research<br/>Posted: 7th September 2011<br/>Copyright Bloor Research &copy; 2011</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>This article, based on a recent webinar I undertook with IHS Janes, explores the technology behind cyberterrorism and, in particular, the use of modern technologies to spread propaganda in support of cyberterror. It then moves on to the process of improving the resilience of computer systems to resist attack, in particular control systems that have recently been exposed as being extremely vulnerable. It concludes with some practical steps you can take to help prevent your business or organisation becoming a victim of cyberterrorism.</p>
<p><strong>The Internet and Jihadists</strong><br />The internet and the world wide web are fantastic, capable business tools, but this capability is being harnessed to meet the objectives of terrorists and malevolent groups alike. Back in 2005 a web forum for Muslim extremists called on its members to organise an Islamist hackers' army to carry out internet attacks against the U.S. government. The site posted hints and tips, software and links to other resources to help potential hacktivists.</p>
<p>Called al-Farooq, the forum "represents a how-to manual for the disruption and/or destruction of enemy electronic resources, including e-mail, web sites and computer hardware." according to The Jamestown Foundation, a US-based research group. One member of the forum called for the creation of an Islamist organisation, which he dubbed "Jaish al-Hacker al-Islami," or the Islamic Hacker's Army.</p>
<p>Reportedly, there was a set of tools maintained in a "hackers library" on the al-Farooq site, offering a range of malware designed to steal passwords, anonymise web surfing and otherwise mess with a targeted computer system.</p>
<p>There is no doubt that the internet is an important tool for various political groups wishing to spread their propaganda, share new ideas, recruit new members and develop tools and techniques for attacking targets.</p>
<p>Common mainstream social media and file sharing sites, such as YouTube and Facebook, are used as ways of demonstrating terrorist acts or spreading propaganda to an audience they may otherwise not be able to reach, simply due to the massive adoption of these sites by so many people. Facebook today has over 500 million users, presenting a rich hunting ground for all types of hacktivist groups, all of whom can sidestep conventional ways to prevent them spewing propaganda (such as website take downs) and go direct to a readymade and often receptive user base. After all, the use of these sites by corporations as part of their outbound marketing mix gives credence to the effectiveness of this approach!</p>
<p><strong>Mobile Phone Jihadists</strong><br />In October 2009 the Arabic "al-Ansar al-Mujahideen Forum" offered a special data package designed for mobile phones. Published by a newly created "Mobile Detachment", the contents are aimed at sympathisers and adherents of jihadist principles. Provided with special software, mobile users can access the documents or watch videos on their portable device while being able to send out these highly indoctrinating and radicalising sources via Bluetooth to other, unwary, Bluetooth-enabled devices. The data offered in these conveniently administered packages provides nearly everything in the genre of jihadist materials.</p>
<p><strong>Open Source Intelligence Gathering (OSINT)</strong><br />One significant use of the internet has to be the gathering of information and intelligence in preparation for criminal activities - terrorist or otherwise. The current culture of information sharing, most notably by those who are not quite middle-aged, provides a wealth of data that can be harvested by criminals and terrorists.</p>
<p>Quite frankly, everything and anything about some people's lives is now published for all and sundry to see. In fact I would suggest that it is harder to find someone that doesn't have a profile rather than one that does... Open source intelligence has now become a specialist art (or science), assisted in the main by many people's stupidity.</p>
<p>The Please Rob Me website extracted users' profile and location information and highlighted when they were not at home - mostly as they "Tweeted" that they were elsewhere. This level of open source intelligence gathering has been extended by others into a mapping service so that when users Tweet and their GPS logs their position, this data is sent to a mapping site and their location displayed for all to see.</p>
<p>The huge number of webcams available across the internet enables target reconnaissance to be carried out from the comfort of home. Admittedly a lot of official "traffic cams" have built in delays of a few minutes, undoubtedly to reduce their real time usefulness to criminals and enable the authorities to cut the feed if needed, but there is a vast number of other webcams available for viewing. Many of these are intentionally webcasting for marketing purposes in hotels, restaurants and tourist areas but others are local security cameras that have not been secured and can be used by anyone. Of course, if these existing cameras fail to provide appropriate target coverage it is trivial for many groups to set up their own facilities for target reconnaissance or even in support of an action.</p>
<p><strong>Attacks on computer systems</strong><br />There are a variety of ways in which websites and public-facing computer systems can be attacked by hacktivists, and attacks on websites continue to be a popular form of political demonstration.</p>
<p>In December 2010, around 36 Pakistani government websites were hacked by an online hacker group called the Indian Cyber Army. All hosted on the same server, the sites that were hacked included the Pakistan Army, the Ministry of Foreign Affairs, Ministry of Education and the Ministry of Finance. The attacks consisted of messages and graphics inserted into the web pages with political messages, some of which related to the attacks in Mumbai.</p>
<p>Also in December 2010 a number of financial payment websites were subject to denial of service attacks by hacktivists disgruntled at these companies no longer processing payments to the WikiLeaks website.</p>
<p>For commercial websites that trade across the internet, this can be catastrophic and is the equivalent of having all their real-life stores closed down in one go. Denial of service attacks can range in their level of sophistication from destruction of physical internet connection points through to the flooding of websites with extraneous data that overwhelms web servers, forcing them to close down. This is similar to blocking the switchboard of a business with lots of phone calls that are terminated as soon as they are picked up, but uses the TCP/IP protocol that runs the internet to flood servers with bogus messages. These attacks can be coordinated using hijacked networks of computers, called botnets, which, in turn, are forced to send high levels of spurious data to target websites. There are steps that designers can take to mitigate such attacks but, in reality, a significant attack can be difficult to manage, and often the best course of action is to take down the servers and hope the attackers go away.</p>
<p><strong>Improving the resilience of cyber control systems</strong><br />I recently saw an advert in a professional publication asking for retired computer engineers, or those with knowledge of computer systems from the 1970s, to come and work for a very significant player in the power generation market in the UK. They were specifically looking for skills around maintenance and support, as it appears that these systems need to be nursed along in their dotage. Are these systems more or less secure than more modern systems? Maybe they are more secure, as fewer people seem to have the understanding of how they work!</p>
<p>Some cyber control systems are now starting to use standard and freely available operating systems and networking components, as they are relatively cheap and there are lots of engineers who have been trained on and understand those platforms. What these engineers fail to see are the security implications of their work. They simply don't think about bad people doing bad things in the way that us security people do.</p>
<p>So my advice to secure these systems is this:</p>
<ul><li>By all means use commoditised operating systems and hardware, but think long and hard about the security implications of what you are doing. It may not be easy for you to think about bad people but it needs to be done.</li>
<li>Consider why a cyber control system is being connected to a network - can it really be justified or can the system be unplugged for most of the time?</li>
<li>Limit access to the hardware as best as you can. Stuxnet was believed to have been propagated by a USB drive, and the hardware I am talking about is just as susceptible to this type of attack.</li>
</ul><p>By taking these simple steps a lot (but not all) of your control system problems can be addressed.</p>
<p><strong>Are you a Target?</strong><br />It could be argued that, in the great scheme of things, most businesses and organisations will never appear on a cyberterrorist's radar, as the type of work they do is not one that attracts attention from such people. On the other hand it could be argued that every person and organisation is a target for cybercriminals, so a reasoned, objective risk assessment should always be undertaken to gauge a likely risk profile. This must include all aspects of a business, including the supply chain, employee travel, executive profiles, nature of the business and, of course, the ever-changing worldwide geopolitical situation.</p>
<p>This risk assessment needs to be continuous and fully integrated into the decision-making process of the leadership team. Informing this risk assessment must be intelligence gained and shared with colleagues, industry communities and the authorities, ensuring a two-way flow of up-to-date, actionable and relevant information. Policies and procedures need to be built that encompass this risk assessment, and it is vital that a converged approach is taken, such that information security experts work with physical security experts to develop plans and skills to manage a cyberterrorist attack. These attacks will rarely come from nowhere, and the sharing of skills and information is vital.</p>
<p>Employees are often in the front line against cyberterrorists, as their day-to-day activities are often subject to reconnaissance and investigation from potential attackers. Phishing emails, social engineering phone calls and strange conversations are just some of the indicators that an organisation is being scoped for attack. These users must be educated about the importance of both physical and information security, supporting a converged approach, in their day-to-day jobs, and have a means to raise their concerns openly, in a way that encourages such reports and avoids any embarrassment if a report made in good faith turns out to be a false alarm.</p>
<p>We have seen that the internet is awash with threats to organisations and individuals, but it is also an amazing force for good in the world supporting commerce and the freer flow of information. Inevitably, criminals, rogue states and terrorists will see the internet as an ideal tool in their armoury but by taking some reasonable precautionary steps many of these threats can be significantly reduced.</p>]]></description>
            <author>rss@it-analysis.com (Nigel Stanley, Bloor Research)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Wed, 07 Sep 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=12935&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Don't let your brand name be flushed away</title>
            <link>http://www.it-director.com/blogs/Quocirca/2011/9/don_t_let_your_brand_name_be_flush_.html?ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 5th September 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>A snippet in&#160;<em>Private Eye</em>&#160;earlier this year (8 July, 2011) showed how touchy companies can get about the use of their brand names. Following the unfortunate death of a festival goer in a toilet at Glastonbury (who also happened to be a political activist and friend of the UK&#8217;s Prime Minister), a number of publications reported that the body had been found in a Portaloo&#174;. Apparently, this was not true; it was not a Portaloo&#174;, but some other brand of &#8220;mobile toilet&#8221;. Portakabin, who owns the Portaloo&#174; brand, had written to the publications in question complaining at this misrepresentation. This seems an unnecessary quibble; there was no suggestion the toilet had contributed to the death and no maligning of the brand per se. However, other misuses of brand names are not so innocuous.</p>
<p>A growing concern over the past decade or so has been the abuse of brand names online. This includes both the misleading use of domain names and misrepresentation and/or illegal use of brands in other ways. Back in 2000, the UK rock band Jethro Tull won a case against a cyber-squatter who had registered a number of domains including&#160;<a href="http://www.jethrotull.com/" rel="nofollow">www.jethrotull.com</a>&#160;and was trying to sell them on to those with an obvious interest. The World Intellectual Property Organisation (WIPO) found in the band&#8217;s favour; ruling that the squatter &#8220;had set up the addresses in bad faith and failed to show a legitimate interest in them&#8221;.</p>
<p>While most well-known organisations now have control of the high-level domains associated with their brand, the growing number of available domains still makes it relatively easy for someone to mislead through the use of a slightly more obscure domain. This might mean that cyber-squatting is less prevalent, but it does mean brand-jacking is easier. There are two reasons for doing this: to benefit by association and, more seriously, to perpetrate fraud. The latter involves either selling fake branded products or convincing someone to give up personal information thinking they are visiting a legitimate branded web site, for example that of a bank (usually attracting them in the first place with phishing emails or messages on social media sites).</p>
<p>Of course, selling fake branded goods does not need a spoofed web site; this can just as easily be done via markets such as eBay. So, the need to monitor and protect brands is a far-reaching exercise. To that end, a number of services have been developed to help organisations achieve just that, from vendors such as MarkMonitor, Envisional and PICA. Their services range through domain name monitoring, identifying online brand name misuse, spotting sales of counterfeit goods and getting rogue sites associated with phishing campaigns shut down.</p>
<p>MarkMonitor publishes a freely available&#160;<a href="https://www.markmonitor.com/cta/bji_spring_2011/?Lead_Source_Mktg=HP" rel="nofollow"><em>Brandjacking Index</em></a>&#160;report, which shows the prevalence of brand abuse over the years and focuses in on specific issues, such as diverting genuine enquiries for hotel bookings (spring 2011 edition).&#160; Its customers include manufacturers like Epson and Deckers, where it has helped stem the sale of counterfeit goods, and pharmaceutical giant Novartis, where it consolidated and protected its wide range of domain names.</p>
<p>A strong recognisable brand is an invaluable asset for any organisation; however, misuse can see strong brands rapidly devalued. The exploitation of brands has become much easier as the world has moved online over the last few decades. It is essential, therefore, to ensure that all uses of a brand online lead to legitimate sources and the potential customers find your organisation and not the bad guys pretending to be you. Failing to ensure this will lead to a loss of business and may cause rapid deterioration of your brand's value.</p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Services-&gt;Outsourcing</category>
            <category>Technology-&gt;Storage</category>
            <pubDate>Mon, 05 Sep 2011 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/blogs/Quocirca/2011/9/don_t_let_your_brand_name_be_flush_.html?ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Do the goings-on in student dorms spell the end for Microsoft?</title>
            <link>http://www.it-director.com/blogs/Quocirca/2011/8/do_the_goings_on_in_student_dorms__.html?ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 3rd August 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>This week Quocirca had a briefing with a security vendor which provided an insight into a fundamental change going on in the use of IT and one of the major drivers for that change. The vendor was Bradford Networks, named not for the city in Yorkshire, UK, but for a small town in New Hampshire, USA.</p>
<p>Bradford provides products to carry out a range of network management and control capabilities: network discovery, end-point management, network access control and policy enforcement around network usage. None of that is unique to Bradford, which is perhaps why, when it started selling this product line back in 2005/6, it focused on a niche&#8212;higher education. Not any old aspect of network usage in the sector, but specifically student dorms, or halls of residence as they are called in the UK.</p>
<p>The problem Bradford helps university IT administrators manage is the wide variety and ever-changing identities of devices students want to attach to the network services offered in such places. Even five years ago, this included Windows PCs, Macs, gaming devices and early smartphones (mainly BlackBerrys). Today of course you can add in Android devices, iPhones, iPads and others. The range of devices supported by Bradford, which extends to CCTV cameras, door entry systems and firewalls, is impressive.</p>
<p>Bradford has been successful selling to this niche in the USA and also in the UK, where, via a single reseller, Khipu Networks, it has signed up many UK universities, including Oxford, Nottingham and Durham. A case study for Durham University can be seen <a href="http://www.bradfordnetworks.com/case_studies/113693" rel="nofollow">here</a>.</p>
<p>What makes Bradford&#8217;s story interesting to Quocirca is the speed at which its business is changing. In the last couple of years Bradford says the profile of its business has switched from almost all higher education to 85% other sectors including healthcare, manufacturing and banking. Bradford says this change has been demand driven and is not the result of deliberate targeting (for example, it still has just the one reseller in the UK, but is planning to change that).</p>
<p>There are two reasons for this change in the business profile at Bradford. The first is the range of devices that organisations now have to support; as Bradford says, &#8220;now the rest of the world has started to look like [the higher] education [sector]&#8221;. But the second reason is perhaps more profound: the students of 5 or 6 years ago are the employees of today. The change at Bradford is surely a bellwether for the growing tide of consumerisation, a big driver for which is the entry to the workplace of the IT-savvy &#8220;generation Y&#8221;.</p>
<p>Of course, Bradford is not alone in addressing this issue. It will have to make its own case against a range of larger vendors all targeting end-point management and security. This includes end-point management vendors such as Kaseya, LANDesk and IBM/BigFix, but also IT security vendors&#8212;for example McAfee, Symantec and Trend Micro are all now investing in managing end-points as well as securing them.</p>
<p>There is another vendor that could be added to both of these last two lists: Microsoft. It too is in the end-point management business with its System Center Configuration Manager (SCCM) and recently announced Intune on-demand service, which Quocirca wrote about in a previous <a href="http://www.it-analysis.com/blogs/Quocirca/2011/4/microsoft_intune_or_out_of_tune_a__.html">blog post</a>. Microsoft is also in the end-point security business with its Forefront Endpoint Protection (FEP) product, which Quocirca wrote about <a href="http://www.it-analysis.com/business/security/content.php?cid=12565">here</a>.</p>
<p>However, as both posts point out, Microsoft is missing the point. As ever, it lives in its own Microsoft bubble. Its end-point management and security products only address Windows PCs, not even its own struggling Windows Mobile operating system. Generation Y has certainly found there is more to life than Microsoft, and Bradford Networks is benefiting from this. If Microsoft does not change its game its fortunes will surely head south like those of its new mobile devices partner, Nokia.</p>
<p>For Microsoft this tide of consumerisation impacts two of its biggest product lines that account for over half its business; Windows desktop and Office. Quocirca would not be the first to speculate about the long term future of Microsoft. In its June 9th <a href="http://www.economist.com/node/18805483" rel="nofollow">leader</a> celebrating the 100th birthday of IBM, The Economist speculated which of today&#8217;s IT vendors might reach a similar age. Microsoft was not one of them.</p>
<p>Two recent Quocirca reports, sponsored by Kaseya, covering end-point security are available for free download: <a href="http://www.quocirca.com/reports/594/the-it-profit-centre" rel="nofollow">The IT Profit Centre</a> and <a href="http://www.quocirca.com/reports/546/the-total-msp" rel="nofollow">The total MSP</a>.</p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Mobile</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Wed, 03 Aug 2011 08:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/blogs/Quocirca/2011/8/do_the_goings_on_in_student_dorms__.html?ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Cyber Threats to National Security</title>
            <link>http://www.it-director.com/business/security/content.php?cid=12888&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/12514/nigel_stanley.php?ref=fd_side_itd" title="View profile for Nigel Stanley"><img border="0" src="http://www.it-director.com/images/people/small/nigel_stanley.gif" width="40" height="50" alt="Nigel Stanley" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/12514/nigel_stanley.php?ref=fd_side_itd" title="View profile for Nigel Stanley">Nigel Stanley</a>, <em>Practice Leader -  IT Security</em>, Bloor Research<br/>Posted: 3rd August 2011<br/>Copyright Bloor Research &copy; 2011</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>The first duty of any government should be to protect its citizens, and in terms of cyber security we are seeing various governments investing heavily in this area as they wake up to this increasing threat.</p>
<p>Indeed, the UK government cites hostile attacks upon UK cyber space by other states, and large-scale cybercrime, as number 2 among the tier one threats facing the UK. This is second only to international terrorism affecting the UK or its interests, including a chemical, biological, radiological or nuclear attack by terrorists, and/or a significant increase in the levels of terrorism relating to Northern Ireland.</p>
<p><strong>Threat definition</strong><br />Of course, not all threats are equal. Whilst some threats could be very damaging (and possibly catastrophic, depending on your view), other attacks will probably remain more irritating than damaging.</p>
<p>To this end I put potential threats into one of three cyber threat categories:</p>
<ul><li>Tier one threats involve a cyber attack on critical national infrastructure such as water, gas or electricity supplies, or indeed any other important computer-controlled system that runs a modern society. These attacks would be designed to cause major disruption or damage that has a physical effect on citizens in a country. In Cyber Shockwave, an exercise conducted in February 2010 by a think tank based in Washington DC, a scenario was created in which a cyber attack left 40 million people without power in the Eastern United States, 60 million cell phones out of service and Wall Street closed for a week. Another significant attack would be one that affected a key piece of the internet's infrastructure, such as the Border Gateway Protocol (BGP) that enables Internet Service Providers to communicate. We saw an example of the impact of interfering with such important protocols in March 2010, when around 15% of the world's internet traffic was briefly diverted through China. This BGP-related problem affected networks used by companies such as Apple, Dell and CNN. Although debate rages about the reason for this momentary diversion, it highlights the vulnerability of these key internet protocols and how susceptible they are to attack.</li>
<li>Tier two threats are attacks against intellectual property and financial systems for criminal gain, and include widespread fraud and theft. These attacks are prevalent, occurring day in and day out. That said, any effect is normally localized and not likely to immediately impact critical national infrastructure. Although most citizens would be blissfully unaware of such attacks, the end result can be damaging. The constant and corrosive effect of intellectual property draining away over a period of years, coupled with criminal gangs targeting individual and organizational funds, is very damaging to an economy.</li>
<li>Tier three attacks are more annoying than outright damaging. For instance, a denial of service attack (which I will talk about later) on a corporate website that does not affect online transactions but takes the website offline is hardly likely to destroy a business during the few hours the attack is live. In many cases, by ignoring an attack it may simply go away, certainly a cheaper option than putting in place huge computing horsepower that can be brought into use just in case such an attack happens. Website defacement and similar cyber vandalism is highly unlikely to destroy a nation, but it may be the equivalent of broken windows and graffiti in the real world. This leads to a poor perception of a local area or street and can damage reputations.</li>
</ul><p><strong>Examples of Cyber Attacks</strong><br />Many cyber attacks are never made public, even if they are discovered. What we do know is that cyber threats occur every day as governments, organisations and companies are probed for weaknesses that may reveal sensitive or secret information.</p>
<p>Speaking in February this year (2011), the UK's Foreign Secretary said some computers belonging to the British government had been infected with the "Zeus" computer virus after users had opened an e-mail purporting to come from the White House and followed a link.</p>
<p>Zeus is a Trojan horse virus that acts as a keyboard logger, keeping a record of the keys a user presses and then sending them to a remote server. It is normally used to capture banking data, enabling users' accounts to be raided once their login and password details have been captured.</p>
<p>But I would pose this question: was this a targeted attempt to gain national security data or a clumsy attempt to gain civil servants' bank details?</p>
<p>In the same speech the Foreign Secretary said that defence contractors in the UK were also being targeted, describing an attempt by someone masquerading as an employee of another defence firm to send a malicious file designed to steal information. Mr Hague also said that three of his staff had been sent an e-mail apparently from another colleague in the Foreign Office. In fact the e-mail was "from a hostile state intelligence agency" and contained "code embedded in the attached document that would have attacked [a user's] machine."</p>
<p>This type of malware, in whatever guise it takes, can have a variety of uses for a cyber attacker. Once installed on a computer system it can quietly sit collecting data, leaking it out bit by bit so as not to raise any suspicion. It can also act as a logic bomb, capable of taking action according to set criteria such as a specific date or time, or a command signal from a remote controller. When initiated, the logic bomb would then take whatever action it was programmed to, including destroying data or undermining critical systems.</p>
<p><strong>Typical Scope of a Cyber Threat</strong><br />We all know what guns and tanks do: they shoot and blow things up. But what would be the scope of a cyber attack?</p>
<p>I mentioned a distributed denial of service (DDOS) attack earlier. These attacks are the equivalent of having someone call your switchboard and then hang up just as the call is answered. Your operator is tied up dealing with silent calls and can't do the rest of their job. In the same way a website can be bombarded with the internet equivalent of a silent call, resulting in the computer servers buckling under the workload. These attacks are normally conducted by multiple computers, in some cases tens of thousands, working under the control of a botnet. This is a rogue command and control system that relies on malware to infect a computer, which is then corralled into sending spam messages or taking part in a denial of service attack, unknown to the user of the infected computer. Botnets are used to spread the Zeus virus by sending emails to users in the hope they will click on a link and download the malware, as we saw in the case highlighted by the British Foreign Secretary.</p>
<p>At the national security level, if a system may become susceptible to a DDOS attack, resources need to be added quickly so that its performance remains acceptable. The majority of critical systems would normally be air gapped from the internet. This was ably demonstrated only recently when the UK's Serious and Organised Crime Agency's website was subject to a denial of service attack. Yes, it took their website offline, but it didn't affect internal systems and I think the attack was met with a "So what", and a shrugging of shoulders.</p>
<p>Of more concern are code exploits that can provide a huge reservoir of potential cyber threats. These exploits may be deliberately engineered into software code or more likely remain as undiscovered bugs, buried deep in millions of lines of code. Of concern to those working in sensitive industries is the security of the software used in their systems, especially that brought in from third parties that may have been written thousands of miles away in a different country.</p>
<p>The good news is that there are a variety of tools that can undertake automatic scanning of programming code to search for known bugs and errors as well as those planted by rogue hackers, but how many organisations actively check the software code provided by a supplier? Not that many I would suggest. And certainly if it is done once how often would they recheck the code for hidden malware, in case it has been tampered with?</p>
<p><strong>The Danger of Threat Inflation</strong><br />At this point I must discuss the danger of threat inflation.</p>
<p>My concern is with the more esoteric attacks that seem to be reported on a regular basis. By definition the general public are never informed of the full details of ongoing attacks, real or otherwise, as the targets are often secure systems inside secure agencies.</p>
<p>We therefore have to believe the stories we hear as being true on face value, rather than get the chance to analyse the evidence independently. In a kinetic war we have news footage of tanks rolling across the hills and aircraft bombing targets. Even the most uninformed person would agree that such images depict a battlefield, and can form an opinion on the threat that this may pose to their lifestyle or country.</p>
<p>How can we educate our users and businesses to understand the cyber threat in a calm and mature manner, without resorting to scare stories, which in many cases cannot be verified by independent observers?</p>
<p>If we are unable to address cyber threats appropriately there is a real danger of threat inflation as vested interests take hold and any limited verifiable data becomes swamped with excitable language full of doom and gloom. The use of military speak often makes matters worse, and whilst it does have a place it is incumbent on us all to use it wisely.</p>
<p>In my experience the information security industry is often at fault, as vendors see cyber war as a cool new way to sell their latest gadget or software, which will often have only tenuous capabilities relevant to a cyber war discussion.</p>
<p>I am sure this is designed to stir up concern amongst citizens who in turn don't complain when hard earned tax dollars get diverted to address the evils of cyber war, real or otherwise. We need to strike a balance.</p>
<p><strong>To Conclude</strong><br />I started this presentation stating that the primary duty of a government is to protect its citizens. I strongly believe that we really do face a whole new set of threats relating to cyber security and I am glad that my government sees fit to invest in appropriate protective measures. It is my job, as a citizen, taxpayer and information security worker to make sure that money is spent wisely and cautiously against the real cyber threats we face and not wasted on programs that deliver glitz and glamour but no threat protection.</p>
<p>We need to remember that perpetrator attribution can be extremely difficult in the world of cyber threats. In conventional war it is normally pretty obvious who has initiated an attack, as the physical evidence is manifest. Finding out who really conducted an attack, hidden behind layers of proxy servers, is problematic and may result in accusations flying unnecessarily, and maybe even starting a kinetic war if a wrongly accused party is sufficiently aggrieved. That doesn't bear thinking about, and it is incumbent on our governments to have in place the processes and systems to determine absolutely where an attack emanated from, for fear of retaliating against an innocent country or entity. This must be coupled with governments focusing their efforts on preventative measures so that the chances of an attack being successful are minimized.</p>]]></description>
            <author>rss@it-analysis.com (Nigel Stanley, Bloor Research)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Wed, 03 Aug 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=12888&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Bring your own device or pay your own way?</title>
            <link>http://www.it-director.com/business/security/content.php?cid=12872&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/99/rob_bamforth.php?ref=fd_side_itd" title="View profile for Rob Bamforth"><img border="0" src="http://www.it-director.com/images/people/small/rob_bamforth.gif" width="40" height="50" alt="Rob Bamforth" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/99/rob_bamforth.php?ref=fd_side_itd" title="View profile for Rob Bamforth">Rob Bamforth</a>, <em>Principal Analyst</em>, Quocirca<br/>Posted: 21st July 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Selecting the right mobile business device is no longer a simple matter. When mobile phones just looked like phones, and laptops were the only type of mobile computer with a &#8220;qwerty&#8221; keyboard, the criteria most often used would be latest, lightest and largely the same (as each other, i.e. consistency). Most 'road warriors' would be equipped with a &#8216;standard build&#8217; of each device, and the job of procurement/facilities departments would be to ensure that those who needed a particular device would get it.</p>
<p>This task has always been beset with challenges. In the past some employees would try anything to get upgraded to the newer (typically smaller) phones and the latest (typically better specified) laptops. With only a relatively small number of employees having mobile devices, there would often be a (possibly grudging) recipient for the hand-me-downs of those fortunate enough to benefit from upgrades. No wonder so many phones were &#8216;accidentally&#8217; dropped, driven over or lost.</p>
<p>How times have changed. Now far more employees have experienced the latest technology as consumers and expect to be well equipped with mobile devices at work. Most now want bigger phones with more features or functions and smaller laptops or even tablets with fewer.</p>
<p>However, according to a recent survey conducted by EMC owned Mozy, a specialist in online backup, some less desirable ways to get the latest hardware are still prevalent. This research looked into the rates of replacement for various IT devices and the reasons given by those in small and medium sized businesses; it produced some interesting results, especially for mobile phones. While 60% cited corporate process and a sensible business justification to get a new mobile, 13% would try to break their old device and 4% would claim the new one was for a (non-existent) new starter.</p>
<p>From the earliest business use of mobile phones, desire for personal choice may not have changed, but there are at least more acceptable ways for personal preferences to be achieved. The research also showed that 15% would go to a store to trade in and buy a new device in order to get the one they wanted.</p>
<p>This 'bring-your-own-device' (BYOD) approach has been gathering momentum in recent months, but does vary across regions, and acceptance depends on the size of the organisation. Small and medium sized businesses are more likely to be more tolerant of variety, whereas large enterprises like uniformity, standards, and commonality. This is particularly important when considering who is responsible for maintaining and supporting the various devices, and even more critically when dealing with the inevitable security concerns.</p>
<p>However, there is a bigger issue that is often missed&#8212;ownership of mobile contracts. These have cost implications far larger than what&#8217;s included in the tariff, from intra-company phone calls to the loss of economies of scale for corporate discounts. Simply allowing or encouraging employees to choose their own service provider as well as the devices themselves could introduce costs that far outweigh any perceived savings from not having to buy devices. UK-based mobile communications management specialist ttMobiles predicts that companies adopting an uncontrolled BYOD policy could see overall company phone costs rise by 27%.</p>
<p>Anecdotal evidence suggests ever more sophisticated commercial models are being used to support personal choice, including providing employees with a mobile 'allowance' and then allowing them to top this up from their own funds in order to have a higher spec or more personalised preference. This further blurs the question of responsibility and liability associated with the mobile device, the software that is acquired for it and the data that may end up on it.</p>
<p>This in particular raises further issues, especially when the taxing complexities of write off or personal benefit are considered. There may be some slight tax pain for some employees, but most will happily pay to get their favourite device. Organisations however, strive to get the best lifetime book value out of their assets for the benefits of shareholders and need to ensure that, whoever does the choosing, the company accounts still look good.</p>
<p>A balanced approach that combines personal choice with corporate control and responsibility is now required. But while the old centralised control of 'standard issue or nothing' has gone out of the window, organisations will still need to monitor, mediate and manage employee mobile choices to a greater or lesser extent. This is especially important when it comes to selecting mobile contracts, where significant economies of scale can kick in, and the organisation is typically footing the monthly bill.</p>
<p>This issue is explored further in Quocirca&#8217;s report <a href="http://www.quocirca.com/reports/605/carrying-the-can--the-corporate-liable-versus-employee-liable-balancing-act-for-mobile" rel="nofollow">&#8220;Carrying the can&#8221;</a> which is freely available for download.</p>]]></description>
            <author>rss@it-analysis.com (Rob Bamforth, Quocirca)</author>
            <category>Business Issues-&gt;Costs</category>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Mobile</category>
            <pubDate>Thu, 21 Jul 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=12872&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Cyber buccaneering hacking group Lulzsec embarks on a new journey, this time under a new flag</title>
            <link>http://www.it-director.com/business/security/content.php?cid=12839&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><img border="0" src="http://www.it-director.com/images/people/small/blank.gif" width="40" height="50" alt="[No Image]" /></td><td valign="top" width="100%">By: Kirsty Warren, <em>Writer</em>, GDS International<br/>Posted: 30th June 2011<br/>Copyright GDS International &copy; 2011</td></tr></table></div>

<p>New looming threats from larger, more organised hacking groups are arising with the development of the Lulzsec group, which disbanded only to rename itself under the Antisec name, a move that has attracted a large amount of media attention. The group aims to breach security and obtain information on large organisations, an approach that recently saw Citibank and Sony have to re-think their security policies; last year, hacking was estimated to cost businesses an average of &#8364;1.3m a year. The coming year presents a year of change for many security professionals: as information moves towards the cloud, a new wave of challenges arises.</p>
<p>Over the weekend, the online hacking group, notorious for obtaining security information on corporate giants and governments, announced through its Twitter feed that it was disbanding. Following on from this, one member told Associated Press over the internet voice calling system, Skype, that it was not because of increasing pressure from law enforcement such as the FBI, or enemy hackers, but more out of 'boredom' from the media.</p>
<p>&#8220;We&#8217;re not quitting because we&#8217;re afraid of law enforcement,&#8221; the LulzSec member said. &#8220;The press are getting bored of us, and we&#8217;re getting bored&#8221;.</p>
<p>But the attention it gained as a result seems to have whetted their appetite for more mayhem and, in a statement, they have announced that they are back with a vengeance, out to inflict more security troubles on companies and governments.</p>
<p>&#8220;It has been a week since the LulzBoat reeled the LulzSec flag in and now proudly flies with the AntiSec flag&#8221;, the statement read.</p>
<p>In what they called the final release from Lulzsec, with the tagline of 'laughing at your security since 2011', Lulzsec's message was clear&#8212;that they had intended to plant a seed of inspiration amongst other hackers, and wished for the internet hacking community to continue their work. But now a new development, 'Antisec', has been born, which continues that work with the alliance network Anonymous, confirming suspicions that the Lulzboat would not dock permanently.</p>
<p><em>&#8220;We hope, wish, even beg, that the movement manifests itself into a revolution that can continue on without us&#8221;,</em> the release, posted onto the site Pastebin, said. <em>&#8220;Please don't stop. Together, united, we can stomp down our common oppressors and imbue ourselves with the power and freedom we deserve&#8221;.</em></p>
<p>Speculation as to why they decided to quit when they were building up a momentous movement has been that the group was becoming too big, but its goal of inspiring other hackers to continue their work was done, and so hackers could continue what the self-proclaimed &#8220;captain of the Lulz Boat&#8221;, nicknamed Whirlpool, called &#8220;politically motivated hacking&#8221;.</p>
<p>Kevin Mitnick, a security consultant and former hacker, said that if the group continued to swell in size, eventually they would trip and get caught, whereas it was easier and less risky to encourage copycats to carry on their work independently.</p>
<p><em>"They can sit back and watch the mayhem and not risk being captured,"</em> Mitnick said.</p>
<p>The message brings a stark warning to organisations and their security departments, as the sophisticated methods deployed by the hacking community seem to know no boundaries; giants such as US telecoms company AT&amp;T are rumoured to be the latest victim, following on from developments that government and law enforcement data had been obtained. In the interview with the Lulzsec member, they claimed that they were in possession of at least 5 gigabytes of data, which they planned to release in the next few weeks, potentially similar to the data dump that was transferred onto the file sharing site PirateBay. On their hit list, they have named governments such as Zimbabwe, and companies such as Universal and Viacom.</p>
<p>At the last Next Generation Security Summit which took place on 14th&#8211;16th June, Paolo Campobasso, SVP &amp; Group CSO of UniCredit Group said that in order to tackle these ongoing security dilemmas, it was crucial that everyone in the organisation worked together with the same vision in mind, and that security wasn't just the responsibility of one department, but rather should be viewed as a competitive asset to a company.</p>
<p>&#8220;The challenge is to try to have a big important dialogue with other functions within the company&#8221;, Campobasso said. &#8220;It is important that security is a concept that is widely understood from people working together&#8221;.</p>
<p>The information security front is changing rapidly with advancements in technology. Further adoption of cloud technologies will continue to present CISOs with new threats, and companies adopting social media strategies allow for new opportunities to lure unsuspecting users to the hands of cyber criminal activity, so security professionals must remain vigilant in their approaches to protect their customers. The Next Generation Security Summit EU held in Spain, 12th&#8211;14th December, is an exclusive industry forum that brings together the industry's leaders, experts and most experienced members to address the key challenges that the industry is facing and to share expertise and experience.</p>
<p>For more information please visit: <a href="http://www.ngsecurityeu.com/" rel="nofollow">www.ngsecurityeu.com</a></p>]]></description>
            <author>rss@it-analysis.com (Kirsty Warren, GDS International)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Security</category>
            <category>Enterprise-&gt;Technology</category>
            <pubDate>Thu, 30 Jun 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=12839&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>A report from the NG Security Summit Europe - Lisbon, June 2011</title>
            <link>http://www.it-director.com/business/security/content.php?cid=12834&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 28th June 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>From 14-16 June, Quocirca attended the inaugural European NG (Next Generation) Security Summit in Lisbon, organised by GDS International (a company whose Events division exists primarily to organise such things).</p>
<p>Being the first such event, the main concern for Quocirca and many other attendees was, would it achieve the critical mass of attendees required to make it all worthwhile? In Quocirca's view it did.</p>
<p>The attendees that make an event like this worthwhile are the real world practitioners, which, when it comes to IT security, are CISOs (chief information security officers). The event attracted about 50 such individuals (or at least their underlings) from well-known banks, manufacturers, retailers, charities and other large users of IT.</p>
<p>For the CISOs (and guest analysts) it is a freebie and a chance to network with and learn how their peers are addressing the ever growing list of security issues posed by the use of IT.</p>
<p>However, someone has to pay for such events. Here GDS had done a good job of attracting some high-profile sponsors from the IT industry. These included Symantec, BlackBerry, Verizon and Intel.</p>
<p>These vendors were also taking a risk; would they achieve their goals, which were being associated with a worthwhile event and access to the CISOs? The presence of so many senior IT security professionals was the key to achieving the first and GDS ensured the second, by keeping the CISOs to their committed meetings with vendors.</p>
<p>The issues covered in the workshops and panel sessions that comprised the main body of the conference ranged across the whole gamut of IT security. Quocirca ran two of these.</p>
<p>The first was on end-point security, where there was general recognition of the growing tide of consumer devices entering the workplace and the security challenge this introduced (presentation available&#160;<a title="Presentation" href="http://www.quocirca.com/presentations/606/ng-security-summit--end-point-security" rel="nofollow">here</a>).</p>
<p>The second was data leak prevention (DLP). About 25 per cent of the CISOs in the workshop had deployed specific DLP technology and all agreed it had a value, which corroborated the findings of Quocirca's 2010 DLP report, "You sent what?", freely available&#160;<a title="You sent what? report" href="http://www.quocirca.com/reports/475/you-sent-what" rel="nofollow">here</a>.</p>
<p>Other workshops that aroused interest were on brand protection (an increasing concern), next-generation identity management (owning your own identity) and cyber "warfare" (only call it war if it really is war).</p>
<p>Quocirca came away from the event with new ideas and insights into IT security and is glad to hear GDS already plans a second event in Dec 2011, details of which can be found at <a href="http://www.ngsecurityeu.com/" rel="nofollow">http://www.ngsecurityeu.com/</a>.</p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Tue, 28 Jun 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=12834&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Kyocera shines a green light on managed print services</title>
            <link>http://www.it-director.com/business/security/content.php?cid=12831&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/12348/louella_fernandes.php?ref=fd_side_itd" title="View profile for Louella Fernandes"><img border="0" src="http://www.it-director.com/images/people/small/louella_fernandes.gif" width="40" height="50" alt="Louella Fernandes" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/12348/louella_fernandes.php?ref=fd_side_itd" title="View profile for Louella Fernandes">Louella Fernandes</a>, <em>Principal Analyst</em>, Quocirca<br/>Posted: 27th June 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Many organisations are reducing the complexity, cost and risk of operating an unmanaged print environment by adopting a managed print service (MPS). However, while cost reduction has long been the primary objective for MPS, sustainability is also working its way up the agenda.</p>
<p>At Kyocera's recent European analyst briefing, sustainability was a key theme for its Managed Document Services (MDS) offering. Certainly, the environmental impact of unmanaged printing should not be ignored. Poor print management results in wasteful printing and the use of outdated or redundant devices can also lead to high energy consumption. Implementing responsible printing practices can therefore go a long way to improving an organisation's environmental credentials as well as significantly reducing costs.</p>
<p>As paper remains an important part of many a business's workflows, the focus must be on the "less paper office" rather than the utopian ideal of the paperless office. The nature of printing may be changing&#8212;rather than outsourcing high-quality printing, it is conducted in-house and rather than printing and distributing reports, information is distributed electronically and printed only when the recipient feels it is necessary. Meanwhile, the increase in mobile working is creating demand for printing on the move. MPS seeks to address these new requirements for printing in the 21st Century, while ensuring the print environment operates cost effectively and securely with a minimal environmental impact.</p>
<p>Of course there are many simple steps to reducing the environmental impact of printing. These include using recycled paper, enforcing duplex printing and implementing company-wide print policies that encourage employees to print responsibly. But to make real savings&#8212;both financial and environmental&#8212;businesses need to have complete visibility of printing volumes and overall costs. This requires a true picture of how many devices there are in an organisation and what is being printed where and by whom.</p>
<p>MPS addresses these needs in three main stages&#8212;the assessment, optimisation and ongoing management of the print environment. Most of the MPS measures to reduce printing costs also have an environmental benefit. Device consolidation brings order to the printer chaos that characterises a typical unmanaged print environment. Replacing single-function, outdated, inefficient devices with modern energy-efficient multi-function ones (MFPs) reduces energy usage and also enables policies such as duplex printing to be enforced.</p>
<p>But probably one of the most important factors in eliminating paper waste is the use of "follow-me printing", which eliminates the common occurrence of "print and forget". When a print job is sent to a network-enabled MFP, the document is only released when an employee authenticates at the device using either a password or swipe card. Documents within individual print queues not printed after a certain amount of time are automatically deleted.</p>
<p>The added bonus of "follow-me printing" is that documents can be released at any location within a corporate network, promoting user mobility. This not only reduces paper waste by eliminating uncollected output, it promotes document security and mobile working. Quocirca believes these will be the driving factors for the adoption of MPS over the coming year.</p>
<p>Kyocera shared details of its MPS engagement with the Royal Sun Alliance (RSA) in the UK. Over five years, Project SPEC (Simplifying Print through Enhancement and Consolidation) aims to reduce RSA's fleet of more than 3,000 printers, managed by a number of vendors, to just 282 high-performance devices, operated through a centralised system. After one year, RSA has reduced print volume by 13 per cent, paper consumption by 21 per cent and energy consumption by 55 per cent. These milestones are showcased in RSA's Corporate Social Responsibility report highlighting the quantifiable cost and environmental benefits of operating a managed print environment.</p>
<p>Green IT should no longer be a nice-to-have afterthought behind cost reduction. More businesses now consider sustainability as a key priority due to combined customer demands, new regulations on carbon trading and constrained financial circumstances. More suppliers are expected to meet environmental criteria&#8212;according to Kyocera, sustainability is a key part of almost 80 per cent of MPS tenders with a typical weighting of 35 per cent, from about 10 per cent a few years ago. As sustainability rises up the CIO agenda, CIOs will expect the capability to quantify the environmental impact of their print environment to meet reporting requirements.</p>
<p>Vendors such as HP and Xerox already address such needs through the provision of carbon calculators to assess energy consumption and associated carbon output. Quocirca believes that more MPS vendors will need to provide such analysis as part of their MPS arsenal to demonstrate how MPS can boost cost savings and environmental credentials. With a broader product range planned for the coming year, and plans to unify its offerings across Europe, Kyocera's MDS initiatives show it is catching up with the main players in the market.</p>]]></description>
            <author>rss@it-analysis.com (Louella Fernandes, Quocirca)</author>
            <category>Business Issues-&gt;Costs</category>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Services-&gt;Outsourcing</category>
            <pubDate>Mon, 27 Jun 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=12831&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>The IT Security Analyst Forum 2011 - beyond the cloud?</title>
            <link>http://www.it-director.com/business/security/content.php?cid=12833&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 27th June 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>During the first week of June 2011, Quocirca attended the IT Security Analysts Forum in London which was organised by Eskenzi PR.&#160;This is now an established annual event, having run every year since 2007, and it attracts a surprising number of US-based IT security analysts as well as many of the high-profile European ones.</p>
<p>That seems to be down to its unique (as far as Quocirca is aware) format, which involves two formal sessions over two days with plenty of networking in between.</p>
<p>Day 1 is a kind of speed dating for security vendors with analyst firms. The challenge for the analyst is to take on so much in one go from as many as ten individual vendor meetings.</p>
<p>For the vendor reps, the challenge is to tell their story ten times over without getting bored&#8212;something they seem to achieve admirably: most of them are still smiling at the final meetings scheduled to end at 18:00.</p>
<p>The event attracts a wide range of vendors, from the largest&#8212;HP eager to talk about its recent acquisitions that have seen it re-enter the IT security market, to the smallest&#8212;Iddapcom wanting to raise the profile of its software for testing firewall configurations. Perhaps the main reminder for Quocirca after such an intense session is that there is always more than one way to skin the IT security cat.</p>
<p>For example, a pressing issue is the protection of data. You can move it about on encrypted memory sticks (Kingston Technology), encrypt data on end points and during transmission (SafeNet), locate and make safe/wipe lost devices (Absolute Software), restrict access to data (Varonis), or stop it leaving the organisation in the first place (M86). Few organisations need all of this protection, but a wise selection will go a long way towards providing the protection needed.</p>
<p>Day 2 is a chance to meet the real-world practitioners of IT security: the CISOs (chief information security officers). The event is now attracting some of the top UK-based CISOs. The Chatham House rules under which the event is run prevent Quocirca from reporting the names of the companies or individuals represented, but some of the biggest banks, oil companies, pharmaceutical manufacturers and media organisations were there.</p>
<p>Many of the topics discussed were raised by the CISOs themselves. Perhaps the most interesting thing was an issue not raised explicitly by the CISOs: cloud computing.</p>
<p>Although it is hard to avoid the topic in any discussion about IT these days, the old questions&#8212;"should we", "shouldn't we", "can it ever be secure"&#8212;have disappeared with an implicit acceptance that the cloud is now an integral part of the delivery of IT. As one participant said: "Well-run public cloud infrastructure can be indistinguishable from internal IT infrastructure."</p>
<p>It was agreed that getting the contracts right was as important as security when engaging with cloud providers. Some complained there was not enough choice. Others stated that due diligence was needed when dealing with smaller providers to ensure SLAs would be delivered on.</p>
<p>Having said that, some complained that standards of service may drop off when a small cloud provider is acquired by a larger established IT vendor. It was also noted that regulators do not really understand the public cloud.</p>
<p>With that in mind, the CISOs raised plenty of concerns about business risk and governance&#8212;for example, how to determine the impact of managing data across different environments and how to quantify and assess the impact of IT security failures. One priority here was to ensure a media strategy was in place for when the inevitable occurs, and this strategy must include new media.</p>
<p>Another issue accepted as a reality was the rising tide of IT consumerisation. First, this includes the acceptance and control of consumer-based cloud services such as Facebook and Twitter. Most CISOs accept the use of these as inevitable and now govern their usage through a mix of HR policy and technology.</p>
<p>Second, it covers the use of personal devices to access IT. The rise of the iPad, the iPhone and the Android smartphone was accepted, and most CISOs seek to enable their use (or, in some cases, see no way of easily preventing it).</p>
<p>There was a discussion about working with auditors: are they friends or foes? Most agreed that, however you view them, it is better to work with auditors rather than against them, and that they could also be a source of free advice, with useful experience from a range of industries. Some CISOs said their agenda was largely driven by auditors.</p>
<p>And there is demand for all those vendors with products to help secure the use of data. Most CISOs said they enforce encryption, at least on Windows notebook PCs. Nearly all the CISOs said they had a policy for using secure USB drives ("if laptops are encrypted, why would you not enforce it on USBs too?").</p>
<p>However, it was agreed that more than encryption is needed, including controls to keep sensitive data off the network wherever it is possible to install them. Perhaps the most interesting admission was that, in the age of WikiLeaks, one of the best strategies was to be more transparent and publish data more widely, only protecting the data that really needs to be protected: "If only we could persuade users to classify it in the first place."</p>
<p>One CISO bemoaned the numerous sales calls he received and advised vendors to wait for him to call. This advice is unlikely to be heeded; the sales process will go on. One day he will be sitting in a draughty living room aghast at the size of the heating bill and a double glazing sales rep will happen to ring with a special offer: "How fortunate!" he will think.</p>
<p>The CISOs also had some advice for us analysts. Make it clear when personal opinion is being provided as opposed to opinion gathered through research. Don't just say what is happening today; say what is coming down the line. And keep reports short; there's no time to read long ones. Time to polish the crystal ball, and this article has probably gone on long enough already.</p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Mon, 27 Jun 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=12833&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Nigel Stanley Presents at Jane's Cyberwar Webinar</title>
            <link>http://www.it-director.com/business/security/content.php?cid=12822&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/12514/nigel_stanley.php?ref=fd_side_itd" title="View profile for Nigel Stanley"><img border="0" src="http://www.it-director.com/images/people/small/nigel_stanley.gif" width="40" height="50" alt="Nigel Stanley" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/12514/nigel_stanley.php?ref=fd_side_itd" title="View profile for Nigel Stanley">Nigel Stanley</a>, <em>Practice Leader -  IT Security</em>, Bloor Research<br/>Posted: 20th June 2011<br/>Copyright Bloor Research &copy; 2011</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>I recently took part in a webinar with IHS Janes, the defence analysts, on cyberwar, cyberterrorism and cybercrime. I presented alongside Dr Dave Sloggett, an expert on terrorism and asymmetric threats, Jerry Dixon from Team Cymru and Alex Von Rosenbach, a lead analyst at IHS Janes.</p>
<p>Expect to see a recording of the webinar coming along soon, but in the meantime here is a transcript of my thoughts on the subject:</p>
<p><strong>The intensity of cyber threats is relentless</strong><br />Only recently the International Monetary Fund (IMF) became the target of a hack attack resulting in the agency temporarily suspending network connections with the World Bank to protect its systems.</p>
<p>Apparently this disconnection of network systems followed the detection of some suspicious file transfers. A subsequent investigation found that an IMF personal computer had been compromised and used to access other IMF systems. Some reports suggest that the IMF was the target of a spear phishing attack designed to plant malware inside its systems.</p>
<p>A spear phishing attack normally takes the form of a well-crafted and convincing-looking email that appears to come from a close colleague. Often contained in the email is a malware payload disguised as a Word document or image. Once the attachment is opened the malware is discreetly installed on the user's computer and will then start to gather data including keystrokes and user credentials.</p>
<p>In another, unrelated, incident, Lockheed Martin said that it had come under attack from hackers using information gleaned from an earlier high-profile attack on RSA, a security company, back in March of this year. This demonstrates the relentless attack on intellectual property that many aerospace and defence companies are coming under. Many attacks come from state-sponsored entities trying to gain access to confidential data and industrial secrets that could be worth millions of dollars.</p>
<p>We seem to be in the middle of cyber turmoil, as criminals, spies and rogue states try to get to our data, financial details and industrial secrets. These stories make good headlines but the truth is often more disturbing.</p>
<p><strong>Defining cyberwar is tough</strong><br />The commonly cited examples of the Estonian and Georgian governments attacked in 2007/8 could arguably be categorised as aggressive hacktivism rather than cyberwar, depending on what parties you believe were involved. Indeed some research indicates that the attacks, which affected some government agencies, emanated from hackers based in Russia acting on their own initiative rather than being a state-sponsored punch up.</p>
<p>In contrast, cyberterrorism has been defined by the US National Infrastructure Protection Centre, now part of the Department of Homeland Security, as "a criminal act perpetrated through computers resulting in violence, death and/or destruction, and creating terror for the purpose of coercing a government to change its policies". Herein lies an interesting debate. I would suggest that we see very few criminal acts that truly fit into this definition. Hacktivism is another term intermingled with the three cyber terms we are discussing. Hacktivism combines hacking and activism in one term. It means the use of digital tools in the pursuit of political ends and normally results in a plethora of mainly annoying attacks such as defacement of websites and the stealing of low-level information. Rarely does it result in what could be described as cyberterrorism, but that said there is no doubt that aggressive hacktivism is on the rise.</p>
<p>The scale of cybercrime is difficult to assess, although recent research indicates the cost to the UK alone from cybercrime to be around &#36;45 billion per year, of which a large proportion relates to stolen intellectual property. What is certain is that for many people it is a real and present problem, but it remains under-reported for reasons of embarrassment, ignorance or a lack of faith in the authorities to investigate any possible offences.</p>
<p><strong>So what are the typical attack tools used in cyberwar, cyberterrorism and cybercrime?</strong><br />There are a variety of ways in which websites and public-facing computer systems can be attacked by hacktivists, and attacks on websites continue to be a popular form of political demonstration. In December 2010 around 36 Pakistani government websites were hacked by an online hacker group called the Indian Cyber Army. All hosted on the same server, the sites that were hacked included the Pakistan Army, the Ministry of Foreign Affairs, Ministry of Education and the Ministry of Finance. The attacks consisted of messages and graphics inserted into the web pages with political messages, some of which related to the attacks in Mumbai.</p>
<p>Also in December 2010 a number of financial payment websites were subject to denial of service attacks by hacktivists disgruntled at these companies no longer processing payments to the WikiLeaks website. For commercial websites that trade across the internet this can be catastrophic and is the equivalent of having all their real world stores closed down in one go.</p>
<p>Denial of service attacks can range in their level of sophistication from destruction of physical internet connection points through to the flooding of websites with extraneous data that overwhelms web servers, forcing them to close down. This is similar to blocking the switchboard of a business with lots of phone calls that are terminated as soon as they are picked up, but uses the TCP/IP protocol that runs the internet to flood servers with bogus messages. These attacks can be coordinated using hijacked networks of computers, called botnets, that in turn are forced to send high levels of spurious data to target websites. There are steps that network designers can take to mitigate such attacks but, in reality, a significant attack can be difficult to manage, and often the best course of action is to take down the servers and hope the attackers go away.</p>
<p>More sinister is a malware threat that emerged in 2010 called Stuxnet. Researchers had been aware of this malware for many months, but it hit the media headlines when reports emerged of Stuxnet finding its way into Iranian nuclear plants. The malware was apparently written to target industrial control systems such as those used in manufacturing and processing plants. Its ultimate aim is to reprogram control systems by modifying computer code on programmable logic controllers (PLCs) in such a way that plant operators would never suspect anything was wrong. In contrast to a denial of service attack that is extremely noisy, Stuxnet is a very clever and covert attack. Bundled with the Stuxnet malware is a whole arsenal of additional components designed to assist in this control system attack, including zero-day exploits, antivirus evasion and a Windows rootkit, an advanced form of malware. So why bother to mess with PLCs? In fact Stuxnet only affects specific PLCs controlling electric motors that run at special high speeds and frequencies. These are only available from two specified companies and the attack will only be initiated if there are at least 33 of these devices present. The majority of Stuxnet infections were found in Iran and these devices are regulated for export by the United States Nuclear Regulatory Commission as they can be used in centrifuges used for uranium enrichment.</p>
<p>Yes, the implication is that Stuxnet is a powerful piece of malware created to disrupt the enrichment of uranium by the Iranian government. Clearly this advanced malware has not been developed by a back-bedroom hacker as it needed very specific insight into the workings of complex industrial control systems. This is a high-water mark in terms of malware, and evidence is starting to emerge that conventional cybercriminals are adapting Stuxnet for more conventional criminal activities.</p>
<p>As those that propagate cyberthreats become more creative they are targeting devices other than conventional computers. The rise in popularity of smartphones has seen an upsurge in hacker interest, as well as more sinister use of these devices to spread propaganda by jihadist groups.</p>
<p>There are now specialized propaganda units creating materials to be spread via Bluetooth wireless interfaces. A typical data-package is designed for a mobile operating system such as Symbian and allows quick installation of the jihadists' materials. It also enables the sympathizers to adhere to the jihadists' principles of religious conduct and warfare by assuming an active role in spreading this material. The data contained in these packages has nearly everything from a range of jihadist materials; from Afghanistan to Iraq, Somalia, Yemen, the 9/11 attacks, Fort Hood shooting and attempted operations in the West.</p>
<p>Whatever the realities of current cyber threats, companies, organisations and individuals can do a lot to protect themselves, their intellectual property and their systems. Putting in place good anti-malware, regular computer patches and good end-user education to help people spot attacks such as phishing emails will go a long way to prevent them becoming victims of cyber threats.</p>
<p>The good news is that preparing defences for a cyberthreat, be it cyberwar, cyberterrorism or cybercrime, is basically the same. Most companies are more at risk from cybercrime than they are from cyberwar or cyberterrorism. We just need to make sure that business decision makers understand the threat in a measured way so they can support us as we protect the systems and networks. Less hyperbole and more grounded assessment with practical advice is what we all need to protect our data, financial systems and intellectual property.</p>]]></description>
            <author>rss@it-analysis.com (Nigel Stanley, Bloor Research)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <pubDate>Mon, 20 Jun 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=12822&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Next-generation end-point management and security</title>
            <link>http://www.it-director.com/business/security/content.php?cid=12803&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 14th June 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>New Quocirca research has been published to coincide with the launch of a service from Trend Micro called&#160;<a href="http://uk.trendmicro.com/uk/products/sb/safesync-for-business/index.html?id=home" rel="nofollow">SafeSync for Business</a>. The research shows that among SMBs in Europe, the US and Australia, 88 per cent say that at least some of their employees are using smartphones for business purposes and 43 per cent report at least one or more of their employees using tablet PCs. These devices are not always owned by the business; 74 per cent of SMBs say some of the devices used are employee-owned (part of the so-called consumerisation of IT).<br />&#160;<br />This underlines a growing problem for organisations of all sizes. They have to manage and secure a growing variety of devices and operating systems&#8212;and, at the same time, deal with the rising tide of consumerisation. From a security perspective, there are an increasing number of products coming to market for securing mobile devices.</p>
<p>Examples include:</p>
<ul><li> Juniper&#8217;s Junos Pulse Mobile Security Suite, following its acquisition of S-Mobile (supports Android, Blackberry, Windows Mobile, Symbian, Apple iOS)</li>
<li> Symantec&#8217;s Norton Mobile Security (for Android)</li>
<li> Webroot Mobile Security for Android</li>
<li> ESET Mobile Security Business Edition for Windows Mobile and Symbian</li>
</ul><p>It is notable that two of these products are, for now, only available for Android. The reason for this is twofold: first, use of Android is growing faster than any other mobile operating system, so it is worth targeting (it was reported last week that&#160;<a href="http://www.androidcentral.com/google-more-400000-android-devices-activated-everyday" rel="nofollow">400,000 Android devices were being activated per day</a>). There have already been problems; for example in March,&#160;<a href="http://www.computing.co.uk/ctg/news/2030201/bad-apps-infect-android-market" rel="nofollow">Google removed 21 free apps from the Android Market which it identified as malware</a>&#160;aimed at stealing personal information. Second, Android is the most open of the mobile operating systems and therefore easier for both malware writers and security vendors to develop for.<br />&#160;<br />For businesses, host device-based protection is just one approach to protecting mobile data use. Indeed, relying on device-based malware detection can be problematic if the devices are user-owned. Another approach is to centralise data access and to minimise the need for data to be stored on mobile devices in the first place. This is the aim of Trend Micro&#8217;s new product, which enables such sharing. Another way to centralise access is via virtualisation, using products such as Citrix&#8217;s XenDesktop.<br />&#160;<br />With the proliferation of such devices, all businesses need to be thinking about the security of the devices themselves and, perhaps more urgently, about safe access to data. Enabling such access may make certain business processes more efficient but is also likely to be putting intellectual property and personally identifiable information at risk.<br />&#160;<br />In June 2011, Quocirca will be running a workshop on end-point security and management at the NextGen Security European Summit 2011. 
More information is available&#160;<a href="http://www.ngsecurityeu.com/" rel="nofollow">here</a>. The subject of end-point management is also covered in a freely available Quocirca report&#160;<a href="http://www.quocirca.com/reports/594/the-it-profit-centre" rel="nofollow"><em>The IT Profit Centre&#160;</em></a>sponsored by Kaseya.</p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Security</category>
            <category>Technology-&gt;Personal Productivity</category>
            <pubDate>Tue, 14 Jun 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=12803&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Managing the risk for mobile IT users</title>
            <link>http://www.it-director.com/business/security/content.php?cid=12802&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 13th June 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>The increasing reliance being placed by businesses on mobile IT access will nearly always lead to increased risk, at least in the short term. One of the main reasons for this is that the growth in use of mobile devices is often ad hoc and unplanned. Of course the way mobile devices are deployed varies; the allocation of laptop computers and BlackBerry smartphones may well be planned, whilst the use of iPads and Android smartphones may be ad hoc, driven by users with their own devices.</p>
<p>One reaction could be to attempt to block all unplanned usage of devices. However, this is not necessarily desirable or practical. There are many benefits from allowing remote access; the flexible working it enables means employees can be more responsive, and that can lead to more efficient business processes. Try blocking access from their devices and an employee will find a workaround: an urgent message to a customer may be sent via an open social network rather than the corporate email system, where the communication can be archived and is auditable at a later date.</p>
<p>What risks arise from the use of mobile devices and how can their use be controlled, so that the benefits can be realised and the threats mitigated? Before addressing this, it is worth pointing out that there are two broad approaches to putting controls in place:</p>
<ol><li>On the device itself (which may be limited depending on ownership)</li>
<li>Centrally, protecting the applications and data being accessed from mobile devices. </li>
</ol><p>There are four broad categories of risk&#8212;access, data, malware and business continuity. This article details how each of these can be approached and concludes with a fifth issue: an end-point management regime is needed to pull them all together.</p>
<p><strong>Security of access</strong><br />This requires addressing access to the device itself and access to the network resources that the user is permitted to use. With any device a passcode for access can be put in place; that leads to all the usual problems with password management&#8212;users forgetting them and the need to reset them.</p>
<p>However, the bad guys find ways around device-level passwords, so additional strong authentication of the user is desirable, especially if sensitive data is to be stored on a device. Examples are biometrics (most commonly a fingerprint), hardware tokens or a mechanism for distributing one-time passwords. Strong authentication has mostly been used for laptop access and not for smartphones and tablets. In fact, smartphones can be used to enable strong authentication of access to laptops (see below). However, with the increasing power of these devices, perhaps they should require strong authentication too.</p>
<p>It need not be the case that gaining access to the device itself opens up the available network resources, although some will deem this enough to do so. Others will require secondary authentication for opening up a VPN connection or gaining access to applications. Here, the management overheads need to be balanced against risk: the more passwords there are to remember, the more often they get forgotten. So it makes sense to use the mobile device to authenticate access to a single sign-on system, but get this wrong and there is a lot at stake.</p>
<p>To counter this there are a range of additional measures that can be taken. These include:</p>
<ul><li>Hardware recognition &#8211; only allowing access from known devices that can be recognised through a range of characteristics or an agent installed on the device.</li>
<li>Geolocation &#8211; using IP address analysis or GPS software to identify the user&#8217;s location and decide if this is as expected; a UK-based sales person should not be requesting access from Moscow!</li>
<li>Out-of-band authentication &#8211; for example, sending one-time passwords via a device independent of the one being authenticated (e.g. to a mobile phone to authenticate a laptop).</li>
</ul><p><strong>Security of data</strong><br />Businesses worry about two types of data with respect to security. First, there is intellectual property (IP); keeping this safe is key to competitiveness. Second, there is personally identifiable data (PID); it is in a business&#8217;s interests to keep much of this confidential too. However, PID is also what regulators take an interest in, and many cases brought against businesses for failure to protect PID arise from the loss of unsecured mobile devices.</p>
<p>On the device itself, the ultimate way to ensure data is protected, should the device be lost or stolen, is to encrypt stored data. However, there are caveats. Encryption introduces management overheads for two reasons. First, there is a danger that data can be lost forever if encryption keys are forgotten; management tools can provide a backup mechanism through the secure assignment and storage of keys. Second, encryption will only satisfy regulators if it can be proved that a lost device was encrypted, which requires the process of enabling encryption to be audited.</p>
<p>It must also be recognised that encryption is not the be-all and end-all. Data is only ever of use if it can be decrypted and used. A user may choose to do things with decrypted data that lead it to end up in the wrong hands&#8212;for example copying it to unencrypted storage devices, printing it or sending it by email. So, to be fully secure, end-point security software can be deployed on the device itself to control what the user can do.</p>
<p>Perhaps the best approach is to make sure that confidential data is never stored on mobile devices in the first place, by enabling them only for access and viewing, not for storage. There are caveats here too&#8212;first, the benefits of the user having the device, from a business perspective, can only ever be realised when the user is online. Second, users can create data on the fly, for example making notes following a customer meeting.</p>
<p>A final measure that can be taken is to put in place the ability to remotely disable and/or wipe devices. From the point of view of data protection, if encryption is in place then this is a &#8220;belt and braces&#8221; approach. However, being able to remotely disable devices also ensures that ongoing connectivity and call charges are not incurred.</p>
<p><strong>Malware protection</strong><br />Many consider it irresponsible not to have anti-malware software on user end points, but in fact much of the necessary protection can be provided through central controls that limit what ends up on a device in the first place. Most obviously, it makes sense to filter email traffic before it reaches a user&#8217;s device; however this is done, whether using server-based software, a network appliance or a cloud-based service, the user&#8217;s corporate email should be clean.</p>
<p>Such controls can be extended to general web access, forcing access via a central proxy that checks for URLs with a bad reputation and web-borne malware. Such proxies can also be used to extend web usage policy to remote users, for example limiting access to social networks. To make such web access controls work, the user must be blocked from opening up other uncontrolled internet connections, for instance via a mobile service provider. This of course limits what the user can then use the device for and is not practical for user-owned devices.</p>
<p>At the end of the day, many will only feel comfortable if there is protection from malware on the device itself, as part of an end-point protection suite; users can still potentially load data from USB devices or CDs of unknown origin. Most malware is still aimed at Microsoft Windows, because of its widespread use. However, as other operating systems become more common it will become practical for data thieves to attack them too. Security software suppliers are only just starting to roll out end-point protection suites for smartphone and tablet operating systems, and businesses are slow to deploy them. The first major compromise of Google Android, Apple iOS or some other non-Windows-based system should change that.</p>
<p><strong>Business continuity</strong><br />The flexible working enabled through the use of mobile end points, and the consequent increased efficiency of business processes, will only happen whilst the end-points and the network access they require remain available. The theft and loss of end-points is inevitable, and procedures must be in place for the rapid replacement and re-provisioning of end points. It is worth pointing out that the trend for employees to use personally-owned devices to access IT has a positive aspect when it comes to risk&#8212;they will take more care of something they own than of something supplied by their employer.</p>
<p>The urgency to replace will depend on the job role of a given user. A field service engineer who can no longer log faults because their smartphone has been dropped in a puddle (maybe they should have had a waterproof one in the first place) may be given priority over a salesperson who can no longer read emails because their BlackBerry has been stolen (they can always visit an internet caf&#233;).</p>
<p>However, replacing the device itself is not enough: if the creation and storage of business data on the device is allowed, then this must be restored too. This can only be done if a rigorous backup regime has been put in place. In the past, IT managers often waited until devices came back onto local area networks to perform backups. The advent of high-bandwidth remote connectivity and cheap storage has led to a proliferation of cloud-based services that provide continuous data protection. From consumer to large enterprise, if data is valued, there is little excuse these days for it not being regularly backed up.</p>
<p>Ensuring a user can do their job remotely and cost-effectively requires that their devices are connected as often, and as cheaply, as possible. This requires working with network access providers that offer multiple means of communication, reverting to the cheapest, fastest method whenever possible; for example, using public wireless access points by default and only switching to more expensive mobile networks when there is no other option.</p>
<p><strong>End point management</strong><br />Policing encryption, making sure backups are performed and anti-malware software is up to date, and ensuring timely re-provisioning of lost devices, across communities of tens, hundreds or thousands of mobile users, is a challenge for any IT department. However, the management tools for achieving this have been evolving rapidly. They allow routine tasks to be automated across groups of devices or users, freeing IT staff for other tasks. Such tools can be deployed on-premise but are also increasingly available as cloud-based services.</p>
<p>That said, IT departments may still find the task daunting. Many have turned to managed service providers (MSPs) to provide data centre and desktop management services and some MSPs are now starting to provide mobile device management services too. Working across multiple customers, MSPs can scale their services up to cover tens of thousands of end points and build up the experience and expertise to ensure service levels that many IT departments would struggle to achieve for themselves.</p>
<p>Whether it is carried out in-house or outsourced, failing to put in place a management regime for mobile devices and thus mitigate much of the risk they represent is something that no business should overlook.</p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Security</category>
            <category>Technology-&gt;Personal Productivity</category>
            <pubDate>Mon, 13 Jun 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=12802&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>HP delivers NMC 9.1 as new demands on network management require improved responsiveness</title>
            <link>http://www.it-director.com/business/security/content.php?cid=12765&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner"><img border="0" src="http://www.it-director.com/images/people/small/dana_gardner.gif" width="40" height="50" alt="Dana Gardner" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner">Dana Gardner</a>, <em>Principal Analyst</em>, Interarbor Solutions<br/>Posted: 19th May 2011<br/>Copyright Interarbor Solutions &copy; 2011</td><td><a href="http://www.it-director.com/about/company/8862/interarbor_solutions.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/interarbor_solutions.gif" width="88" height="33" alt="Logo for Interarbor Solutions" /></a></td></tr></table></div>

<p>The IT news headlines are full of incidents of <a href="http://bits.blogs.nytimes.com/2011/04/21/amazon-cloud-failure-takes-down-web-sites/" rel="nofollow">major cloud instances</a> brought down for days, and unfortunately often weeks, with some of the largest of these due to network issues in association with virtualization and storage sprawl. The price in the cloud era for such disruptions is very high and very public.</p>
<p>A big part of the solution to preventing such outages comes from comprehensive, automated, and increasingly integrated network management capabilities. The tasks before network managers have never been more daunting. There are far more devices, hybrid networks, hybrid compute resources, higher levels of virtualization, and there is a need to maintain security and compliance requirements throughout.</p>
<p>What&#8217;s more, the pressure to keep cost down and to seek lower cost alternatives for converged infrastructure remains a constant companion to business and IT architects, and therefore an ongoing network challenge.</p>
<p>Into this environment, HP this week delivered a wide-ranging update to its Network Management Center suite <a href="http://hp.com/go/nmc" rel="nofollow">Version 9.1</a>. The emphasis is on a comprehensive lifecycle approach to network management with deep data gathering, automated root cause analytics, and intelligent and proactive response features that enable consistently high performance and network reliability.</p>
<p>BriefingsDirect recently sat down with <a href="http://www.linkedin.com/in/ashishkuthiala" rel="nofollow">Ashish Kuthiala</a>, Director of Product Marketing for HP Software&#8217;s Network Management Center, to dig into the new offerings and to better understand why previous fragmented approaches to network performance and stability just won&#8217;t hold up for most enterprises. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions.</p>
<p>Here are some excerpts:</p>
<p><strong>Gardner:</strong> What it is about the new IT environment that is taxing the older ways of network management?</p>
<p><strong>Kuthiala:</strong> When you're looking at the network today, it has become very complex and is increasingly becoming more complex. With new domains coming in, such as voice over IP (VoIP), webcasts, and video traffic, multiprotocol label switching (MPLS) services, unified communications, and cloud computing and virtualization, it just becomes a nightmare to manage your network for your business.</p>
<p>Then, you look at the volume of network devices coming online. Now, everyone wants to be in the instant-on enterprise mode. Everyone has to be connected. Everything has to be connected. Everyone expects immediate gratification and instant results. You have to respond to this opportunity continuously, and "any time, anywhere, any way" is the new tagline for anybody who is working.</p>
<p>Let&#8217;s look at the job of the director of network ops in a particular IT organization. Not only does he have to configure, manage, and standardize a network, he has to provision, he has to deliver, and he has to report on it. He has to do it very proactively and he has to do it very strategically at the lowest cost possible.</p>
<p>IT budgets are shrinking or remaining flat, whereas the demands on IT are really going up. It&#8217;s estimated that a customer can lose about &#36;70,000 a minute during network outage, as I'm sure you&#8217;ve seen in the recent news. It's a big business inhibitor if the network goes down. It is what provides the experience to the end user for all the IT services that they experience.</p>
<p><strong>Gardner:</strong> Why isn&#8217;t the previous mode of network management able to keep up?</p>
<p><strong>Kuthiala:</strong> Today, if you were to look into a customer&#8217;s IT department managing a network environment, you would often see a war-room-like approach to managing networks. ...They're very reactive. They have multiple tools, legacy approaches, and a lot of band-aids. The inability to tie together what used to be separate domains has become unacceptable.</p>
<p>If your shopping cart goes down during the Christmas shopping season, and a customer tells you about it, that is just unacceptable.</p>
<p>The inability to cope with the scale and complexity, the different teams hunched over their different monitors, is what I call the "swiveling chair syndrome." If there is a network outage, you have these 8 or 10 different operators looking at different aspects of the network. They are just swiveling in their chairs, talking to each other and looking for data that should really be on one screen for them to manage. The lack of scalability of such tools just adds to the problem.</p>
<p><strong>Gardner:</strong> How does an automated approach work better?</p>
<p><strong>Kuthiala:</strong> To manage your network today, you really need to understand how your network is constructed from the bottom up, how it ties together, how it changes over time, and how it self-organizes. You need to build that kind of intelligence into your root-cause analysis.</p>
<p>The design of the tools has to be built ground up, based on these decisions. That&#8217;s how you need to construct the tools. That&#8217;s how they need to be integrated. For an operator, all these need to build upon each other.</p>
<p>It has to be in the right context. It cannot be siloed. It is a nightmare to manage. The desired nirvana for a network team is to reduce the numerous point tools to manage various aspects of network management. It has to be proactive, not reactive.</p>
<p>You have compliance management diagnostics and change issues that you need to take human error out of, and you need to automate that. You want to reduce the manual effort, the errors and increase control over your environment. You want to reduce the mean time to repair network outages, and maintain cost optimization as your network grows.</p>
<p>Today for customers, &#8220;performance is the new fault." So just because a network device is up and running, and you can ping it, doesn't mean it is providing the quality of service it should to the end user. It&#8217;s really the performance that the network is being measured against.</p>
<p>It&#8217;s all about efficiency, how you reduce your errors, and increase your speed through automation.</p>
<p>... Customers are looking for a solution that's efficient, automated, and secure for them. When they manage a network, they should be able to do things like fault, performance, change, configuration, compliance, trending and reporting, and this ties into their business services.</p>
<p>So, HP looked at this problem. As you know, we've had a long history of about 20 years with the HP OpenView product in network management. As we acquired other companies such as Opsware, they brought in additional tools with them. We looked at the tools and the evolving landscape of the network management domain and about five years ago, embarked on a re-architecture plan for these products from the ground up.</p>
<p>The approach wasn&#8217;t to make these products just work together by putting in connectors, but we wanted them to be integrated from bottom up, from the data level itself, where the data would build upon each other.</p>
<p>Now, as we look at the Network Management Center (NMC), it is a complete portfolio of solutions and tools that lets you do network management in an integrated and automated way.</p>
<p>This really builds upon the <a href="http://www.hp.com/go/nnm" rel="nofollow">HP Network Node Manager i (NNMi)</a>, the related <a href="https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&amp;cp=1-11-15%5E24322_4000_100__" rel="nofollow">special plug-ins</a> that handle complex services such as multicast traffic, VoIP, etc., as well as the network automation piece of it which really helps customers automate and manage their change, compliance, and configuration of network devices that they need to do on an ongoing basis.</p>
<p>The five-year journey of re-architecting our NMC portfolio completes with <a href="http://www.channelinsider.com/c/a/Hewlett-Packard/HP-Introduces-Network-Management-Center-91-for-MSPs-Cloud-Management/" rel="nofollow">the 9.1 release</a> that we are talking about today.</p>
<p>So, the earlier 9.0 release introduced a number of features including better user interfaces, the ability to scale to large environments, and tying our products together into better functioning solutions. With 9.1, we are building on that.</p>
<p>We've strengthened the ability of our customers to manage cloud services. The most critical capability that a customer must have is to manage the network the same way that they have managed traditional networks, and it doesn&#8217;t matter if they have to go across the cloud or are looking at private or public clouds.</p>
<p>Gaining visibility into the network elements, whether they are local, off-premise or the health and quality of the cloud services that's being delivered, is the most important step. Can I reach my device? Is it healthy? Is it performing to the expected levels of business needs?</p>
<p>And, of course, configuration compliance management of these devices across the cloud is very important, and corrective actions and rollbacks are very important. Our tools are able to do that across different environments.</p>
<p>The 9.1 release is also focused on the managed service provider&#8217;s (MSP's) market needs. There is a big trend of IT outsourcing to MSPs, and one of the things that customers want to outsource is network management services. So this is a big, growing market, and our MSPs need platforms to manage their customers' network environments in a way that maximizes their profit.</p>
<p>They need to scale and grow with their customer in expanding network environments, reduce their hardware spend and their training costs, as well as grow their revenues and create new lines of business, as their own customers move to new and complex services.</p>
<p>For example, a customer might go from traditional phones to IP telephones, and at that point, the MSP has to manage that aspect of their customer&#8217;s environment as well, and they don&#8217;t want at this point to buy a new tool.</p>
<p>The size of the customer's network might increase, and you don&#8217;t want to buy another server, another set of tools and deploy another set of operators to manage that.</p>
<p>We have introduced <a href="http://en.wikipedia.org/wiki/Multitenancy" rel="nofollow">multi-tenancy</a> capability and security groups that allow our customers to separate their data and views into secure partitions. This helps them manage multiple customers, departments or sites per single software instance, driving down their cost and giving them a flexible architecture.</p>
<p>We&#8217;ve also done a lot of work on the performance-based, time-based thresholds for better alerting. What this means is that the performance data is in the context of the network topology providing a unique point of your fault monitoring. It helps them with proactive notification of performance degradation, fix it proactively and guarantee service delivery levels.</p>
<p>We've also increased the number of months that the data is retained. It's up to 13 months now which allows you to do forecasting and trending capabilities. This is a sufficient data retention period for compliance requirements for real-time and historical data, and allows a very efficient analysis.</p>
<p>Our user interface (UI) has been enhanced based on the feedback we&#8217;ve gotten from customers. The common look and feel UI across all the products and our solution set ensures lower training cost&#8212;train once, leverage across all these tools.</p>
<p>The UIs show relevant contextual information on the nodes and incidents they're managing, giving them a lot of operational efficiency. The breadcrumb history and the easy navigation with right-click menus also allows the operators to get to the root cause more quickly, making them much more efficient and improving the time to resolution.</p>
<p>The analysis pane shows you a number of system components and helps you to get key information, including availability and performance graphs, really quickly.</p>
<p><strong>Gardner:</strong> In some of these high-profile outages that we've had recently, it seems that they were doing updates and that caused the cascading or spiraling effect and ultimately brought the network down. What is it about your suite and your comprehensive approach that could help ameliorate something like that?</p>
<p><strong>Kuthiala:</strong> A network constantly needs updates, whether it's configuration updates or being in compliance with a number of different policies&#8212;Sarbanes-Oxley (SOX) or the Health Insurance Portability and Accountability Act (HIPAA), and government regulations.</p>
<p>Typically, customers have a set of people who use multiple tools or manually log into a number of these devices and do these configuration changes manually. This is very dangerous. One, there is human error involved. Second, when something goes wrong, you don't know what has gone wrong, and you are scrambling to fix it. Think about doing this across 50,000, 60,000, 70,000 devices in your network.</p>
<p>Our <a href="http://hp.com/go/nasoftware" rel="nofollow">network automation</a> capabilities allow customers to automatically make these changes through our tools. As they implement these changes, it takes minutes and hours, versus days, to keep these devices configured to the latest and greatest configurations and in compliance.</p>
<p>Think about when you are on the 59,000th device that you are updating and you realize there is an error. This was not the right thing to do, and you need to roll back. If you're doing this manually, you're spending many hours fixing the error while your business is suffering during that time. Our automation capabilities help customers; with a few clicks of buttons they are able to automate all of this.</p>
<p>Today, customers might be looking at a number of incidents&#8212;10,000, to 15,000 incidents. For example, if somebody yanks a LAN cord out and puts it back in, what really has happened is the interface has gone down and come back up. And now that is flagged as an incident or an event that the operator has to pay attention to.</p>
<p>With our root cause analysis engine, and the ability to map the topology dynamically in a spiral discovery fashion, the network topology is always up-to-date. The root cause analysis engine helps figure out whether this is an incident that needs to be paid attention to or not, auto-resolving some of that.</p>
<p>The incidents that boil up to the operators are meaningful, and therefore are reduced in number to those that are actionable. We have had customers whose incidents have been reduced from 10,000&#8211;12,000 down to 400, and only about 100 of those have to be acted upon and escalated to the next level of management.</p>
<p>Automation really takes a lot of the work out of your hands and enables you to fix errors very proactively, and if there is a mistake, fix it right away with a few clicks.</p>
<p>... I'm talking very specifically about the configuration of network devices. The software that your network device comes with is the key differentiator in how they act, and the intelligence that they provide. So this has to be not only managed really well, but there are patches and upgrades, just as you have software patches and upgrades on your servers. These have to be managed. Sometimes, there are government regulations or company regulations that you want to propagate across these devices.</p>
<p>It's essential to understand what type of traffic is flowing on your network. This gives you the ability to optimize your network performance and network resiliency.</p>
<p>But tying to the business service management set of tools or the suite stems from the fact that, when you look at it from a business service availability aspect, it&#8217;s not just about the network. There are servers, there are applications, and they are all tied together. For example, if application business service is not working, do you know if it&#8217;s the server? Do you know if it&#8217;s the application? Do you know if it is the network?</p>
<p>Our <a href="http://hp.com/go/bsm" rel="nofollow">Business Service Management offering</a> ties in these aspects through our runtime service model. This ties your network, to your application, to your server and is able to give your business a look into how your business service is going to be affected by the failure of any one of these infrastructure elements.</p>
<p><strong>Gardner:</strong> Now Network Management Center is a fairly significant set of different products, but most people already have something in place. So this is not a matter of starting greenfield. This is a matter of coexistence, migration, and transformation. How do you get started?</p>
<p><strong>Kuthiala:</strong> Most customers today have in place something to monitor their networks, but a lot of customers have not automated their configuration, compliance, and diagnostic capabilities that we talked about.</p>
<p>We've seen a trend in our customer base where they buy smaller node packs to manage a small number of devices with our automation capabilities. Once they have put that in place, they start to see other efficiency use cases that they can achieve using our network automation capabilities.</p>
<p>We observe that these customers come back and buy more licenses for managing a greater number of network devices. So, that&#8217;s almost like a greenfield opportunity here.</p>
<p>But, when we look at most customers looking at managing their networks and doing performance and monitoring, for example, if they have an instance of our software, it&#8217;s an in-place upgrade. We offer a dual entitlement and run a parallel program that allows customers to seamlessly set up another parallel environment and bring the network up there, start to manage it, and seamlessly shift.</p>
<p>We&#8217;ve had an instance of a customer in the EMEA region, where they were testing our latest software and running it in parallel to see how it was functionally different and what effect on productivity it would have on their operators. A couple of weeks went by and their senior management started getting escalations for network problems.</p>
<p>Now, senior management turned to the network operations team and asked, "We have all these incidents showing up. What is going on? Is something wrong?"</p>
<p>Almost sheepishly, the network operator team had to acknowledge that they were testing the new platform and had completely forgotten about the old tool, which they needed to shut down because the new platform ignored the incidents that were not meaningful. They had &#8220;accidentally&#8221; migrated to the new platform and were managing the network much more efficiently.</p>
<p>A lot of our customers use this approach to migrate to the new platform, and of course, our approach is modular. Start with the core product and add the special plug-ins to manage your IP telephony, MPLS or multicast capabilities.</p>
<p>To see the HP Automated Network Management (ANM) Solution in action, you can watch a <a href="http://www.youtube.com/user/HewlettPackardVideos?feature=mhum#p/u/6/UhpgTpPvZco" rel="nofollow">short overview</a> and the <a href="http://hpbroadband.com/%28S%28t4nj4faz5idwvi3ryl1wsw45%29%29/program.aspx?key=ANMdemo42011" rel="nofollow">ANM 9.10 Video Demo</a>. This recording will explain the NMC components that make up the ANM solution and walk you through a use case to demonstrate the automated capabilities of HP Automated Network Management 9.10.</p>
<p>We also have an <a href="http://www.hp.com/" rel="nofollow">hp.com</a> page, which is <a href="http://www.hp.com/go/nmc" rel="nofollow">www.hp.com/go/nmc</a> for downloading trial software, reading whitepapers, customer case studies, product capabilities and features. That&#8217;s a good starting point. We also blog about customer experiences and the stories they share with us as well.</p>
<p><a href="http://briefingsdirect.com/" rel="nofollow">Listen</a> to the podcast. Find it on <a href="http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=85270006&amp;s=143441" rel="nofollow">iTunes/iPod</a>. Read <a href="http://briefingsdirect.blogspot.com/2011/05/hp-delivers-nmc-91-as-new-demands-on.html" rel="nofollow">a transcript</a> or <a href="http://interarborsolutions.books.officelive.com/Documents/HP_Net_Manage_1.pdf" rel="nofollow">download</a> a copy.</p>]]></description>
            <author>rss@it-analysis.com (Dana Gardner, Interarbor Solutions)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Infrastructure</category>
            <category>Technology-&gt;Systems Mgmt</category>
            <pubDate>Thu, 19 May 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=12765&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Staff smartphones ring the changes</title>
            <link>http://www.it-director.com/business/security/content.php?cid=12760&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 17th May 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>There's little doubt that employees want to use a growing range of devices to access data. Recent Quocirca research shows that while Windows-based desktop and notebook PCs still dominate, they are fast being supplemented by a diverse range of alternative form factors and operating systems.</p>
<p>In the new survey, which was sponsored by Trend Micro, 88 per cent of small and mid-sized businesses say at least some of their employees are using smartphones for business purposes and 43 per cent report at least one or more of their employees use tablet PCs.</p>
<p>These devices are not always owned by the business. Some 74 per cent of the firms questioned say some of the devices used belong to staff.</p>
<p>Respondents to the survey cite more efficient business processes as the biggest benefit of enabling access to data from mobile devices. However, whatever the benefits, such sharing creates security headaches for IT managers, especially as most of the sharing is over public networks.</p>
<p>Only if data can be shared safely will businesses have the confidence to embed mobile users and their chosen devices into business processes. That is the message of a recent Check Point-sponsored report by Quocirca called A value proposition for IT security, which is available for free download.</p>
<p>The report advocates putting in place a compliance-oriented architecture, or COA. The justification for any investment required to achieve a compliance-oriented architecture is as much about creating business value as it is about reducing business risk.</p>
<p>Discussions about IT security usually focus on reducing the risk posed by outsiders or malicious insiders. Mitigating these risks remains paramount but it is also important to make sure that a compliance-oriented architecture protects well-intentioned employees from themselves.</p>
<p>The most common way data leaks occur is through the accidental actions of employees. They need to share data but may accidentally share the wrong data with the wrong person by email or some other communication channel.</p>
<p>And of course they may, if it is not controlled in some way, store data on mobile devices that are subsequently lost or stolen. Theft, accidental loss and erroneous disclosure are by far the most common reasons for self-reported data breaches, as data in the report shows.</p>
<p>The irony is that while data loss is a common problem, despite the many high-profile incidents&#8212;not least the recent problems at Sony&#8212;lost data is actually rarely compromised. The thief who steals an iPad is more likely to be interested in the resale value of the device than the data stored on it.</p>
<p>Yet that fact does not cut any ice with regulators. Good management of personally identifiable information is obligatory. Organisations must comply and be seen to comply.</p>
<p>A compliance-oriented architecture involves putting in place the ability to control the use of data, monitoring and controlling what is being sent by email and what is being copied where. It should also be used to control the printing of data, an often overlooked source of data leakage.</p>
<p>Data loss prevention, or DLP, tools are designed to track the movement of data and allow the enforcement of policies regarding its use, including the copying of data to mobile devices.</p>
<p>However, data loss prevention is not enough on its own for ensuring the safe use of data on mobile devices. One of two approaches to the use of data on mobile end points must be adopted. The first is to stop data ever being copied to them in the first place.</p>
<p>This approach involves only allowing access to sensitive data that is stored centrally, either through the use of virtual desktops&#8212;such as Citrix XenDesktop and Microsoft Remote Desktop Services&#8212;or via a secure file-sharing service, for example Trend Micro's recently announced Safe Sync for Business or portal services such as Microsoft SharePoint.</p>
<p>If it is accepted that sensitive data will end up on mobile devices then a second approach to end-point security must be taken, through the securing of the device itself. This approach involves encrypted storage. Deploying and managing encryption has a cost, especially with a growing diversity of operating systems, and while encryption might sound like the only foolproof way of protecting data, it is not the be-all and end-all.</p>
<p>Remember that the devices are increasingly personally owned and therefore there are limits to what IT departments can do with them. Furthermore, encryption only protects stored data and data in transit.</p>
<p>Employees must be able to decrypt data to use it, and then it becomes vulnerable again. Other points of vulnerability are if users select weak passwords or if strong policies result in passwords being written on a piece of paper that is held with the device.</p>
<p>There is no silver bullet for securing the use of data. It involves implementing a number of measures that add up to a compliance-oriented architecture. The range of measures required will depend on how a business approaches IT and its attitude to risk.</p>
<p>However, when broaching the subject of investing in technology to increase the security of data, it is essential to point out the value that any given investment will bring to a business as well as the risk it will mitigate.</p>
<p><em>This article first appeared in May 2011 on http://www.silicon.com</em></p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Security</category>
            <category>Technology-&gt;Systems Mgmt</category>
            <category>Technology-&gt;Mobile</category>
            <pubDate>Tue, 17 May 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=12760&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Where to buy good IT security</title>
            <link>http://www.it-director.com/business/security/content.php?cid=12740&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 5th May 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Good IT security has been fundamental to the success of the network computing revolution that has occurred over the past two decades; poor IT security has led to some of the most high-profile data breaches that have occurred during that time. Much of that security was provided by specialist suppliers, but today more and more of it is incorporated in the IT infrastructure. When should buyers rely on what is provided by infrastructure suppliers and when should they turn to IT specialists?</p>
<p>The largest acquisition during 2010 in the IT industry was that of security giant McAfee by Intel, at &#36;7.7bn (Figure 1). This deal even surpassed the amount paid by Oracle for Sun in 2009 (&#36;7.4bn). While the deal took industry watchers by surprise, it clearly underlines this trend of IT infrastructure suppliers adding security to their portfolios.</p>
<p>There has been plenty of debate about what Intel will do with McAfee. So far it has taken a fairly hands-off approach; the parent company is not even mentioned on the opening page of the McAfee website. It has been stated that Intel wants to make sure security is more tightly integrated with silicon by better integrating security software at the chip level, but this only makes sense for some McAfee products, such as anti-virus and end-point security.</p>
<p>Quite a few McAfee products are delivered as appliances, some of which are not currently based on Intel hardware, so there is a minor opportunity for migration. Other areas that McAfee operates in, such as content security and security management (enhanced in 2010 by two McAfee acquisitions: Trusted Digital and 10 Cube), would not be implemented purely at the chip level. So the move by Intel into the IT security space, its largest ever acquisition, is probably best seen as recognition of the continuing importance of IT security and an area where Intel can grow revenues faster and with better margins than its core business.</p>
<p>Intel is not alone. HP, which has had its ups and downs with IT security in the past, has been marching back into the IT security arena over the past few years. It made two acquisitions in 2010: privately held Fortify for code testing, and ArcSight for security information and event management (SIEM), the latter valued at &#36;1.5bn (Figure 1). HP also picked up UK-based security services provider Vistorm when it acquired EDS in 2008, and TippingPoint for network security when it acquired 3Com in 2009.</p>
<p><a href="http://www.it-analysis.com/images/articles/quocirca-12740-fig1.jpg"><img src="http://www.it-analysis.com/images/articles/quocirca-12740-fig1.jpg" alt="Figure #1" width="400" height="300" /><br />Figure #1 - Largest IT acquisitions in 2010 (&#36;Bn)</a></p>
<p>IBM added code testing to its portfolio last year when it acquired Ounce Labs, which now sits in its Rational software development division. IBM already had a broad range of security products, through its 2006 acquisition of Internet Security Systems and other existing products in its Tivoli division for identity and access management and compliance. That was enhanced by another 2010 acquisition of privately held BigFix for end-point management. Such tools are required to deliver end-point security effectively and consistently.</p>
<p>Cisco, the world's leading networking supplier, has also been building on its established firewall business, with acquisitions such as IronPort for e-mail security in 2007 and ScanSafe for web content security in 2009. EMC, the world's largest storage supplier, acquired the major player in identity and access management, RSA, in 2006. Looked at through the lens of the joint venture - the Virtual Computing Environment (VCE) coalition - Cisco and EMC (along with VMware) can boast a broad, all-round security portfolio.</p>
<p>During 2010, Microsoft launched new versions across much of its Forefront security range, which includes Forefront End-point Protection (FEP), Forefront Server Security (for Windows Server SharePoint, Exchange, Lync), Forefront Threat Management Gateway (formerly ISA Server) and Forefront Unified Access Gateway (formerly Intelligent Application Gateway). The Forefront range had been built up over a number of years through the acquisition of various small and relatively unknown security suppliers (Figure 2).</p>
<p><a href="http://www.it-analysis.com/images/articles/quocirca-12740-fig2.jpg"><img src="http://www.it-analysis.com/images/articles/quocirca-12740-fig2.jpg" alt="Figure #2" width="400" height="300" /><br />Figure #2 - Microsoft security acquisitions</a></p>
<p>The motivation for Microsoft's long journey into IT security is clear: to make sure its customers can use its products more safely. Security was one of the key pillars of Microsoft's Trustworthy Computing initiative, launched in 2003. Many gauge that to have been a success, with Microsoft's products generally considered to be more secure than they were a decade or so ago. But Microsoft only protects Microsoft, to the extent that it often scraps support for third-party products provided by the suppliers it acquires.</p>
<p>For most organisations, IT security needs to cover a wider range of heterogeneous platforms. The situation looks set to get worse as the diversity of devices and operating systems (OS) increases, particularly when it comes to user end points. Whereas Microsoft continues to dominate the PC OS market for the moment, it is currently an also-ran when it comes to smartphones and tablets. It hopes to reverse this through its new partnership with Nokia, but only time will tell if these two giants of their respective industries can make a go of it against Apple, HTC, Google, RIM and others (Figure 3).</p>
<p>That need to secure and manage heterogeneous IT environments brings us full circle. It is the reason why security specialists exist in the first place. Whatever Intel chooses to do with McAfee, it would be crazy to defocus on its generic capabilities to look at securing just Intel-based devices. McAfee once proudly claimed it was "the world's largest independent security supplier", a crown it took from Symantec only because the latter had diversified into storage software through the 2004 acquisition of Veritas.</p>
<p><a href="http://www.it-analysis.com/images/articles/quocirca-12740-fig3.jpg"><img src="http://www.it-analysis.com/images/articles/quocirca-12740-fig3.jpg" alt="Figure #3" width="400" height="300" /><br />Figure #3 - The battle of the smartphones</a></p>
<p>Despite its previous bluster, it seems likely that McAfee will maintain its credentials as a specialist with the ability to manage security across much of its customers' infrastructure, just as Symantec and CA, another broad-based software supplier with a security portfolio, have done. And it is for this reason that security specialists will continue to be the key providers of security for many organisations rather than purely relying on what other suppliers have embedded in their infrastructure offerings.</p>
<p>With that said, there is still plenty of choice. Following the loss of its independence last year, McAfee passed its crown to Japan-based Trend Micro, whose revenues for 2010 approached &#36;1.1Bn (Figure 4). Trend Micro has a fairly broad IT security portfolio, but it has started to diversify, for example into data protection with the 2010 acquisition of Humyo (rebadged SafeSync). Israel-based Check Point, the original firewall supplier, is not far behind with 2010 revenues of &#36;830m.</p>
<p><a href="http://www.it-analysis.com/images/articles/quocirca-12740-fig4.jpg"><img src="http://www.it-analysis.com/images/articles/quocirca-12740-fig4.jpg" alt="Figure #4" width="400" height="300" /><br />Figure #4 - Selected independent IT security vendor revenues</a></p>
<p>Behind these two are a host of smaller security suppliers, including Blue Coat, SafeNet, Websense, Sophos, Webroot, SonicWALL and Kaspersky. All have their own focus which generally needs to be supplemented with products from elsewhere. All are potential targets for infrastructure suppliers to plug further gaps or acquire market share. Who knows who will be wearing McAfee's former crown 12 months from now, but overall the market for IT security looks set to remain lucrative for infrastructure suppliers and security specialists alike.</p>
<p>Buyers should evaluate what is available from their chosen infrastructure suppliers in the first instance, but this will rarely meet all requirements. More importantly, buyers must make sure they have in place a coherent IT security strategy across all their IT assets with the ability to manage it. Many will find that it will still be the IT security specialists that will enable them to best keep ahead of the rapidly changing threat landscape.</p>
<p><strong><em>This article first appeared at:</em></strong> <a href="http://www.computerweekly.com/Articles/2011/04/01/246163/Quocirca-Where-to-buy-good-IT-security.htm" rel="nofollow">http://www.computerweekly.com/Articles/2011/04/01/246163/Quocirca-Where-to-buy-good-IT-security.htm</a></p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Thu, 05 May 2011 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=12740&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Learning the right lessons from the Amazon cloud outage</title>
            <link>http://www.it-director.com/business/security/content.php?cid=12730&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner"><img border="0" src="http://www.it-director.com/images/people/small/dana_gardner.gif" width="40" height="50" alt="Dana Gardner" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner">Dana Gardner</a>, <em>Principal Analyst</em>, Interarbor Solutions<br/>Posted: 4th May 2011<br/>Copyright Interarbor Solutions &copy; 2011</td><td><a href="http://www.it-director.com/about/company/8862/interarbor_solutions.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/interarbor_solutions.gif" width="88" height="33" alt="Logo for Interarbor Solutions" /></a></td></tr></table></div>

<p><em>This guest BriefingsDirect post comes courtesy of <a href="http://www.jasonbloomberg.com/" rel="nofollow">Jason Bloomberg</a>, managing partner at <a href="http://www.zapthink.com/" rel="nofollow">ZapThink</a>.</em><br /><br /><strong>By Jason Bloomberg</strong><br /><br />Have you noticed that ZapThink&#8217;s crystal ball has been working overtime? We sounded the warnings about <a href="http://www.zapthink.com/2010/08/24/the-crisis-points-of-the-zapthink-2020-vision/" rel="nofollow">cyberwarfare</a> mere days before the <a href="http://www.computerworld.com/s/article/9185919/Is_Stuxnet_the_best_malware_ever_" rel="nofollow">Stuxnet worm</a> hit. Then we predicted the <a href="http://www.zapthink.com/2010/08/24/the-crisis-points-of-the-zapthink-2020-vision/" rel="nofollow">fall of enterprise architecture frameworks</a> right before the <a href="http://blogs.gartner.com/philip-allega/2010/09/01/john-zachman-is-dead-long-live-john-zachman/" rel="nofollow">Zachman organization</a> imploded. Next, we heralded a <a href="http://www.zapthink.com/2011/02/02/ipv4-exhaustion-y2k-all-over-again/" rel="nofollow">secondary market for IP addresses</a> as the IPv4 space ran out of them. Sure enough, that <a href="http://www.pcmag.com/article2/0,2817,2382616,00.asp" rel="nofollow">secondary market is now here</a>. And last week, we warned against <a href="http://www.zapthink.com/2011/04/19/cloud-brokering-building-a-cloud-of-clouds/" rel="nofollow">putting all your eggs in any one cloud provider&#8217;s basket</a>. Sure enough, <a href="http://appdev.cbronline.com/news/amazon-cloud-service-outage-crashes-numerous-sites-250411" rel="nofollow">Amazon&#8217;s public cloud went belly up</a> immediately afterward. All I can say is that if we make a prediction that will impact your business, you&#8217;d better take heed!<br /><br />In all seriousness, there&#8217;s no supernatural clairvoyance at work here. What you&#8217;re seeing is the power of the <a href="http://www.zapthink.com/2010/11/12/announcing-the-zapthink-2020-poster-the-vision-of-the-future-of-enterprise-it/" rel="nofollow">ZapThink 2020 vision for Enterprise IT</a>, which delineates the interrelationships among the numerous trends in the IT marketplace. Just as the best psychics are in reality masters at picking up subtle clues in human behavior, we&#8217;re tuning into the complex subtleties that the multiple forces of change in our midst present to us.<br /><br />One of the primary insights of the ZapThink 2020 vision is that individual trends, let alone single events, should never be taken in isolation. This insight is particularly useful when a crisis like the <a href="http://venturebeat.com/2011/04/21/amazons-cloud-crash-takes-down-foursquare-reddit-and-others/" rel="nofollow">Amazon crash</a> presents itself.<br /><br />At this point in time, we&#8217;re experiencing a backlash from this crash. People are reconsidering the wisdom of moving to the <a href="http://en.wikipedia.org/wiki/Cloud_computing" rel="nofollow">cloud</a>, and in particular, public clouds. Perhaps the large infrastructure vendors who were warning their customers about the security and reliability issues with public clouds in order to <a href="http://www.zapthink.com/2010/11/05/neutralizing-the-cloud-threat/" rel="nofollow">sell more gear to build private clouds</a> were right after all?<br /><br />Not so fast. If we place the Amazon crash into its proper context, we are in a better position to learn the right lessons from this crisis, rather than reacting out of fear to an event taken out of that context. Here, then, are some essential lessons we should take away from the crash:</p>
<ul><li><strong>There is no such thing as 100 percent reliability.</strong> In fact, there&#8217;s nothing 100 percent about any of IT&#8212;no code is 100 percent bug free, no system is 100 percent crashproof, and no security is 100 percent impenetrable. Just because <a href="http://aws.amazon.com/ec2/" rel="nofollow">Amazon</a> came up snake eyes on this throw of the dice doesn&#8217;t mean that public clouds are any less reliable than they were before the crisis. Whether investing in the stock market or building a high availability IT infrastructure, the best way to lower risk is to diversify. You got eggs? The more baskets the better.</li>
<li><strong>This particular crisis is unlikely to happen ever again.</strong> We can safely assume that Amazon has some wicked smart cloud experts, and that they had already built a cloud architecture that could withstand most challenges. Suffice it to say, therefore, that the latest crisis had an unusual and complex set of causes. It also goes without saying that those experts are working feverishly to root out those causes, so that this particular set of circumstances won&#8217;t happen again.</li>
<li><strong>The <a href="http://en.wikipedia.org/wiki/There_are_known_knowns" rel="nofollow">unknown unknowns</a> are by definition inherently unpredictable.</strong> Even though the particular sequence of events that led to the current crisis is unlikely to happen again, the chance that other entirely unpredictable issues will arise in the future is relatively likely. But such issues might very well apply to private, <a href="http://searchcloudcomputing.techtarget.com/definition/hybrid-cloud" rel="nofollow">hybrid</a>, or community clouds just as much as they might impact the public cloud again. In other words, bailing on public clouds to take refuge in the supposedly safer private cloud arena is an exercise in futility.</li>
<li><strong>The most important lesson for Amazon to learn is more about visibility than reliability.</strong> The weakest part of Amazon&#8217;s cloud offerings is the lack of visibility they provide their customers. This &#8220;never mind the man behind the curtain&#8221; attitude is part of how Amazon supports the cloud abstraction I discussed in the previous ZapFlash. But now it&#8217;s working against them and their customers. For Amazon to build on its success, it must open the kimono a bit and provide its customers a level of management visibility into its internal infrastructure that it&#8217;s been uncomfortable delivering to this point.</li>
</ul><p><em><strong>The ZapThink take</strong></em><br /><br />Abstractions hide complexity from consumers of technology, but if you do too good a job hiding the underlying complexity, then the abstraction can backfire. But that doesn&#8217;t mean that abstractions are bad; rather, you need different abstractions for different audiences.<br /><br />The latest crisis impacted a wide swath of small cloud-based vendors, from <a href="http://www.rawstory.com/rs/2011/04/29/amazon-apologizes-for-reddit-foursquare-outage/" rel="nofollow">Foursquare</a> to <a href="http://www.digitalchalk.com/" rel="nofollow">DigitalChalk</a> to <a href="http://www.edu20.org/" rel="nofollow">EDU 2.0</a>. These firms&#8217; customers simply wanted their tools to work, and were disappointed and inconvenienced when they stopped working. But the end-user customer may not have even been aware that Amazon&#8217;s cloud was behind their tool of choice. Clearly, those customers wouldn&#8217;t find better visibility into the cloud particularly useful.<br /><br />No, it&#8217;s the technology departments at the small vendors that require better visibility. They are the people who require management tools that enable them to gain a greater level of control over the cloud environments they leverage in their own products. Once Amazon supports such management tools, then Amazon&#8217;s customers will be better able to provide the seamless abstraction to the cloud end user, who simply wants stuff to work properly. And there&#8217;s nothing supernatural about that!</p>
]]></description>
            <author>rss@it-analysis.com (Dana Gardner, Interarbor Solutions)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Enterprise-&gt;Technology</category>
            <category>Technology-&gt;Applications</category>
            <pubDate>Wed, 04 May 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=12730&amp;ref=fd_side_itd</guid>
        </item>
    </channel>
</rss>

