Tag Archives: Services

The workspace of the future is exciting – but?

Posted on by
Reply

The digital tsunami and the move to mobile have changed the way we work forever. It is not all that long ago that we accepted our jobs as being part mobile – or at least where you could get a signal – and part tied to a desk. But no more; mobile is the new normal, it is here to stay, and the ‘workplace’ has become something altogether new and different.

At the heart of this workplace transformation has been an ongoing cycle of technological evolution. As networks have become faster and faster and support more apps and more data, the cloud has come into play. Cloud computing is now second nature to most people, and processing data through or storing it in the cloud has grown exponentially.

This faster computing power married to mobility’s always-on-anywhere nature has in turn led to richer content and applications at end-user level, for which end-users want ever smarter mobile devices, hence the astonishing rise in smartphone and tablet proliferation. Then, having faster, smarter mobile devices and ever-faster mobile broadband, end-users consume more and more data and digital content, which in its own turn has the knock-on effect of needing faster networks. This is the mobility and virtualization lifecycle, and its impact on the workplace has been revolutionary.

The point is that the traditional way of working has changed, and with it the workplace itself. And this has been powered not just by technology, but by people themselves. Mobile technology has empowered people to shape their workplaces to their own demands. It is a brave new world all right, and a truly exciting one.

How workers and ways of working are changing

Mobile has changed so much of what we’re used to. The typical ‘office job’ has transformed into something which through mobile empowers the employee and benefits the employer, in the form of greater freedom and increased productivity respectively. The consumerization of IT led us to bring your own device (BYOD) policies, with research showing that 87 per cent of employees have used a personal device in the workplace. Sales of smartphones and tablets now outstrip all PCs put together, including notebooks. 79 per cent of IT decision-makers say virtual desktops are in their current or future plans, while enterprise social networking is also high on agendas. The world of work went and got mobile, and employers have had no choice but to embrace it.

Buildings, ways of working and ICT strategy

The new workplace has become a seamless environment, where personal and professional crossover and interchange. Even workplace buildings themselves have become part of the mix; intelligent building projects are in place now which differ hugely from offices and factories of days gone by. The need for intelligent buildings now informs a company’s ICT strategy, as the new, mobile first way of working requires this new workplace to make it a reality.

When previously kitting out an office building IT departments generally focused on wireless connection models and protocols, wired and wireless access points and so on. There were no interfaces in place for seamless integration of multiple mobile devices, networks and platforms were largely proprietary (and not very interoperable with multiple different devices and protocols) and legacy services were limited. In short, the workplace was a relatively dumb environment.

The shift to new ways of working has created the need for new, intelligent buildings to support progressive companies. New working environments are looking to the Internet of Things as a driver, with its need for embedded systems with local computing. Next generation communications systems like MiFi and Zigbee must be worked into the mix, as must multimodal interactive interfaces like NFC, digital signage and all the various smart devices that now enter the workplace.

Intelligent buildings can also have a positive environmental impact thanks to increased numbers of sensors, monitoring systems and controllability of systems making them greener places to work. All of these elements are now making their way into organisations’ real estate acquisition strategies, making them part of an overall business strategy. Including smart intelligence to the building itself’s design makes for a smarter workplace and happier employees. This means thinking about your ICT strategy can separate digital, Business Intelligence and legacy systems while still looking to generate interaction between unified communications and collaboration (UCC) tools, human resources, security and suppliers.

In short, companies must now think not just from their own perspective but also from what their employees want and expect from a workplace. Take a technology-agnostic approach, and think ahead – use your building systems to deliver open, integrated services to workers – not just to manage your building. That’s the way to moving to the cloud-enabled, flexible and any place, anywhere, anytime method of working.

The security imperative

The new way of working is exciting, progressive and more productive – but it of course remains vital not to ignore the potential security risks. BYOD and smart building initiatives have helped empower workers in unprecedented ways, but they do bring with them traditional worries. Company data now resides on more devices in more places than ever, and IT departments have no choice but to accept this and mitigate it.

Lost or stolen mobile devices naturally remain a key concern for IT professionals, while employees placing data in cloud-based file-hosting apps such as Dropbox is also a potential problem. Traditional security threats like hacking and DoS (denial of service) attacks are still present too of course. So the IT department must manage both the old threats and the new.

They can begin by implementing a mobility policy which lays out the rules and precautionary measures needed to keep sensitive corporate data and systems as safe as possible. Employees bringing own devices into the workplace have to play their part and commit to safeguarding data and not abusing their newfound flexibility. Device management systems married to good quality encryption tools can help guard against data loss via stolen or lost mobile devices, but with both mobility and new, intelligent building systems to manage, companies should think about both hardware and software encryption policies.

The new workplace is a thrilling prospect, taking our now second nature mobility, partnering it to intelligent building environments and using it to help us enjoy greater freedom and flexibility in our jobs than ever. It’s an exciting time – but nonetheless one that requires good planning and the factoring in of expansive security measures at each step on the journey.

The journey into the cloud – making the right choices

Posted on by
Reply

The cloud is now, quite literally, everywhere. IT end-users interact with the cloud on a daily basis, organizations are engaged in cloud services at all times, and the cloud powers much of the way business operates today. The business benefits of cloud computing are now well-established and acknowledged, yet 37% of IT decision makers think staff have bought cloud services outside of the IT department without permission – meaning not everyone has thought the process through as well as they probably should have.

The cloud journey has now become a strategic imperative and no longer just a tactical IT choice – greater flexibility, improved productivity, increased collaboration, remote working and greatly reduced CAPEX can all be found through a smart cloud policy. But as with any strategic business initiative, making the right choices of suppliers, partners and relationships is the route to these dividends. And put simply, the cloud has gone mainstream.

So how do you ensure that you get these choices right and maximize the benefits of cloud computing to your organization while minimizing risk? Well, in all honesty, it genuinely depends on where you are starting from.

The greenfield approach

Companies and organizations which are taking a “greenfield approach” to cloud computing face a different set of challenges. Coming from this angle, the most beneficial way forward can be the lease and configure model. Instead of having to go on out and buy expensive hardware, and then also manage it, organizations are finding value in the managed services route. The main advantage here to “greenfield companies” is that they can simply pay a leasing fee and have their cloud solution specified and configured precisely to meet their needs.

What this means is that start-up companies or start-up divisions can operate independently and go straight into the cloud. They don’t need to set anything up, whether that is databases or ERP tools, and they are freeing themselves from risk and also responsibility. They enjoy all the benefits of the “greenfield approach”, under which they can test out new initiatives and processes, while just paying a fee for their expert partner to service their storage, virtual machines and applications in the cloud. It can very much be argued that companies in this category can make the move to the cloud more easily than their more established counterparts.

brownfield transformation

More mature companies and organizations can face a more complicated time of it however. If they have greater experience, have existing IT assets on their balance sheet and have a range of business processes in place, then they face a trickier journey into the cloud. By being in the “brownfield” category they can’t simply plug into managed cloud services without a transformation journey – they have totransform their existing operations and systems to the new environment.

These companies also have to address the financial equation which centers on those existing assets, while also managing greater levels of fear, uncertainty and risk than their “greenfield” peers. Meaning they are often in the market for a trusted third party who they can partner with and agree on the required Service Level Agreements (SLAs).

changing times for the CIO

Each of these approaches however means a range of challenges for the CIO. In days gone by the CIO needed to have in-depth technical skills and knowledge, and true IT project management expertise – today the CIO needs to be much more commercially and partnership savvy.

Today’s CIO must specialize in partnerships and relationships, SLAs and vendor management – in essence, the CIO has transformed too, from technologists to commercial decision-maker. In addition to far greater commercial know-how in general, today’s CIO needs to be much more marketing aware to leverage the opportunities that social media and mobile cloud apps offer in marketing leverage.

So whether the “greenfield” or “brownfield” approach, the burden when formulating that essential cloud strategy falls on the company CIO and IT department. They no longer have to build, install and operate systems, they need to specify, partner, transition, configure and manage commercial outcomes. The worldwide cloud market is forecast to grow from $40.7 billion in 2011 to $241 billion in 2020, and research regularly places cloud high among CIO priorities.

So a different way of thinking is required, since organizations are no longer just picking products and boxes, they are picking partners and service providers.  The old approach of buying the market leading product vendor to reduce the risk of technical obsolescence no longer applies. CIOs are now charged with helping make corporate IT agile, flexible and relevant to market discontinuities. Cloud computing, as a disruptive technology, was always going to disrupt the CIO’s traditional way of doing things. CIO’s now need to help reduce the risk of business model obsolescence.

The pace of technological change is accelerating and driving business model change. The CIO challenge has moved from technology obsolescence to business model obsolescence if IT cannot support the business model changes.

Gordon

Cyber threats makes it to number 4 on the Global WEF Agenda

Posted on by
Reply

A recent report released by the World Economic Forum (WEF) focused on the Global Agenda for 2014 and the top 10 trends facing the world. As one might expect, topping the list were globally pertinent and vital topics like; growing societal tensions in the Middle East and North Africa; income disparity around the world; and ongoing unemployment.

However in fourth place was “intensifying cyber threats”, which was considered a more significant issue than climate change and diminishing confidence in economic policies.

This is a truly insightful conclusion – such a global focused, facts-based organisation marking cyber threats at such a high threat level – shows how rapidly technological threats have evolved. It’s not that long ago that ‘being online’, whether as an organisation or as an individual, meant merely having your own server – relatively secure and simple to fireproof – against typical cyber-attacks and threats.

The evolution of IT into cloud computing, machine to machine (M2M) communications and the Internet of Things (IoT), presents a whole new generation of dangers – ones against which most industries, companies and end-users are not safe.

The cloud of course means more devices and machines than ever are connected through the same network, making it an even bigger target for cyber terrorists. Get one denial-of-service (DoS) attack through successfully and it can grow exponentially through the cloud to other domains, taking many other websites with it.

Similarly the IoT has presented cyber attackers with a particularly attractive playground – the network infrastructure and technological capabilities are really transforming at a rate that is too fast for cybersecurity to keep pace.

Many IoT machines and devices remain quite unsecured, with communications between them being unencrypted. This is clearly a major worry when so much private, personal and sensitive data is communicated via the internet.

Changing habits, changing threats

The nature of how we use IT has also helped form the evolution in cyber security threats. We love all the benefits that come with our increasingly mobile-powered lives; more flexible work practices, greater productivity, increased control and choice over our consumer habits, but we do need to be aware that these changes carry new threats too.

Through 2014 and beyond, it is highly likely that we will see cyber threats piggyback this trend to make attacks more personal. Where previously generic data was the target for cyber-attacks, they may now shift to specific, individual information. These attacks will target mobile operating systems, since thanks too trends like BYOD, mobile devices now very often carry both personal and corporate data on them. In 2013 there was 1000 per cent growth in malicious Android apps, demonstrating the shift in focus by cyber attackers. Factor in SMS floods, development of malicious apps and even fraudulent developer credentials appearing in app marketplaces and it becomes clear that mobile is a fertile hunting ground for the modern cyber criminal.

The growth in social media use presents another big target too. Social is a true modern-day technology success story, enabling people to keep in touch and share experiences in whole new ways, no matter where they are.

That ubiquity however does present new territory for cyber threats, with social attacks likely to increase massively in the near future. Social media utilises personal data, passwords, contacts, location-based activities and more – all of which is highly attractive bait to cyber criminals. So it is perhaps no surprise that earlier this year even President Obama was banned from using his smartphone due to security concerns.

Another modern day advancement that carries its own new threats is online currencies. Ransomware has been developed and targets currencies like Bitcoin, while online currencies also offer cyber criminals the opportunity for money laundering. Currency exchanges are also potential areas of attack. Traditional threats of course remain too – 2013 saw the biggest cyber fraud case in history, as 160 million credit cards were compromised in the US, to the tune of $300 million.

In short, new technologies and the growth of the cloud and increased mobility mean more targets for cybercriminals. Gartner suggests that by 2020 governments and enterprises will leave a massive 75 per cent of sensitive data unprotected – so organisations are going to need to think long and carefully about the security policies they implement to mitigate this threat and tighten up cybersecurity as much as possible.

Malware hasn’t gone away

Another threat which is not gone but merely evolving is malware. Previously the preserve of desktops and the enterprise environment, malware has transformed to take its dangers to the mobile landscape as well. Malware has adapted to target mobile authentication processes via fake SMS confirmations and other means. Android malware is also on the rapid rise.

This year will also likely see malware architects continue with covert command-and-control (CnC) attacks on networks. Encryption techniques go on getting smarter and stealthier and malware is now smarter than ever in evading traditional network defences.

Time to evolve thinking

The changing nature of technology in the mobile era – with disruptive solutions being developed all the time – means that the CSO has to always think one step ahead. As the WEF report indicates, cyber threats will continue to grow and evolve throughout 2014, with the only predictable thing about them being their unpredictability.

Traditional perimeter-based security solutions are today less effective than usual because of disruptors like cloud, mobile and social. M2M, the IoT, wearable technology in the workplace and more will continue to render the perimeter security model less powerful and the financial imperative of modern cyber threats is clear. Some estimates forecast that failure to implement sufficient cyber security solutions and capabilities quickly enough could mean a $3 trillion hit to the world economy by 2020.

Fourth on the Global WEF Agenda – cyber threats

Cyber threats is number 4 on the World Economic Forum of top 10 trends, so it is time to plan ahead and be proactive about new security threats. Allocate sufficient resources and people to head off cyber threats before they attack and organisations can still win the battle and the war.

Devices, Devices, Devices everywhere – it’s time for next generation “Mobile Device Management as a Service”

Posted on by
Reply

As mobile devices continue to increase in both variety and number, it seems to me it is a good time to revisit mobile device management (MDM) strategy. MDM has been around since mobile devices came to the fore, but because of the rapidly changing nature of the mobile landscape, it has had a hard time keeping pace.

A quick definition; MDM policy and tools secure, monitor and manage mobile devices throughout organizations and across various platforms, networks and operators. However as mobile devices have become ubiquitous, both at enterprise and consumer level, there has come a need for MDM to evolve too, to offer greater control and confidence to organizations without compromising all the benefits of the modern mobile user experience.

So what is it that has changed the landscape the most? Well, quite simply, it is the sheer number of devices. The mobile experience is no longer simply about a phone – it’s now smartphones of numerous types and operating systems, tabletsphabletsultrabooks, wearable technology and much more besides. This is the new ‘mobile’, this is now how big mobile is. Over two-thirds of people say they use personal mobile devices in the workplace today. This is what MDM has to cope with.

more devices, more data, more risks

So as mobility takes hold in the enterprise, and more and more critical or sensitive corporate data is at risk of being transported into the public domain by accident or design, the need for a comprehensive MDM approach becomes essential. Global companies want to design and implement global security policies that keep their data as free from threat as possible, but how do you achieve this in the face of such massive mobile device proliferation?

The threats are clear. While it is not really all that long ago that malware, Trojan horses and viruses were considered the chief menace to corporate data, mobility has today brought with it a whole raft of new, more subtle, dangers. Lost or stolen mobile devices and insecure communications now rank high on the list of information security professionals’ worries, and without the right tools and policies in place can be more damaging. Organizations can only realistically secure and control the threats that they know about – mobile devices in the workplace are more difficult to track and maintain in the enterprise environment than inward-bound attacks.

So the main threat is as simple as staff members using their personal devices to access corporate data – with or without their knowledge or intent – and then taking it outside the network. The traditional walled garden is now so compromised as to be obsolete. Nine out of ten executives recently confessed to accessing corporate data on their own mobiles – so how do organizations deal with this fast-growing problem?

everything needs to be managed

Everything is mobile and everything needs to be managed. This is the premise from which to start. Smartphones, tablets and phablets in the workplace, ultrabooks as replacements for traditional laptops, and while not so common just yet, smartwatches and other wearable technology like Google Glass will soon enter the workplace and fall under the remit of the IT department. So an organization’s MDM strategy needs to be robustwide-reaching and most of all progressive – it needs to be able to grow with the rapidly changing landscape.

Furthermore, the rise of the Internet of Things (IoT) and its accompanying machine-to-machine (M2M) communications will also play a part. The IoT means yet more mobile devices, all communicating over the network and all in need of management. The connected car is now a reality and gives mobile employees a new workplace, while other M2M devices that can also store data will need to be managed. So organizations need to address all of these developments, both cost-effectively and efficiently.

on-premise or in the cloud?

Traditionally, MDM policy forming and implementation would be done at ground level, on-premises, so that the IT department could be involved in each step of the process. However, a comprehensive MDM strategy has many bases to cover, and with more mobile devices than ever entering the corporate environment, even the most efficient IT department could find itself stretched too thin. There is basic encryption of devices required, protection against data breach should a device be stolen or lost. Corporate app stores are gaining popularity as a means of controlling the applications that users can install on devices, but more devices with more operating systems again means more complexity here.

So in the event that in-house resources are insufficient to cover MDM on premises, we turn again to the cloud. The benefits to enterprise of cloud-based solutions are well-documented, but when it comes to MDM, the cloud model brings with it the big benefit of lower set-up fees – CAPEX – but also lower ongoing OPEX as well. Cloud-based MDM – or in fact as it is becoming known, MDM as a Service – can give organizations scalable mobile device management on-demand, so they can use it as much or as little as they need to. As mobile devices continue to evolve and end-users continue to lap them up, the flexible MDM in the cloud solution, provided by a specialist partner, looks like offering a highly desirable way ahead.

Original Publication  

 

The Ins and Outs of Cloud and Outsourcing

Posted on by
Reply

The speed at which IT is developing and the general nature of modern business means that many enterprises rely on specialists to manage our systems and applications. Economic and competitive pressures have made it imperative for organisations of all sizes to focus on their core competencies and turn to third-parties to assume responsibility for key corporate functions. The most common form of outsourcing is the cloud. The cloud simplifies many aspects of IT and the business services world.

Outsourcing is by no means a new or revolutionary concept and to date, it continues to deliver consistent financial benefits. By engaging a cloud service, a small organisation can have access to leading technology without large investments, while global enterprises can ensure that business sectors are managed effectively and efficiently.

Aside from obvious financial benefits, the list of incentives continues to grow: service quality, access to innovation, the removal of non-core functions, access to leading IT skills and resources, and forecast future IT spending all contribute.

For any enterprise, the benefits of outsourcing to the cloud are only guaranteed if certain guidelines and precautions are put in place, and in order to do this, you must understand the challenges:
• Potential loss of control over certain business functions
• Rigidity and a general lack of flexibility in the services received
• Time and effort involved in managing the service provider

The key is to select a provider whose cloud portfolio is as flexible and varied as the workloads it may handle—today and into the future. For many enterprises, the cloud is no longer a curiosity, but an opportunity to transform IT. As they think beyond one or two isolated workloads, their criteria in selecting a cloud provider become more stringent. To meet business goals for efficiency, cost-reduction, and simplification of processes, enterprises must look for a cloud provider that offers a range of services that meet today’s needs and can grow with the business.

Understanding the organisation you are outsourcing to is pivotal in addressing potential security problems, so below are some basic guidelines:

Understand the current security model

It sounds obvious, but often it is taken for granted. Evaluating the security controls currently in place in your organisation and what risks they should be eliminating, is important in knowing what you need to ask for when you seek a cloud service. This process also helps identify what is working and what isn’t, and provides you with the ability to request the same security standards in your cloud service provider (CSP). If this assessment uncovers gaping holes, you have the opportunity to rectify this with your new CSP, or if your security is up to scratch, then you have a benchmark by which to measure. Ensuring that internal security measures and your new CSP security credentials matchup is critical in delivering the safest environment possible for your organisation.

The variety of cloud solutions available – from infrastructure through to network – your cloud choice may need to integrate with existing security standards. In such cases, firewalls and other traditional security measures can be adapted to integrate with new security policies. In theory, this is the case; however a full assessment and understanding of these traditional measures may uncover non-compatibility with current systems. Understanding the full scope of your business, your requirements and your current security measures will direct you to what you need from your CSP.

Keep in mind: Change can be difficult, and risky. Have a safety net in place. Your security systems are going to change in your organisation, and to make sure it is for the better means you need to understand the security bottom line.

Don’t be afraid to: Take this security investigation as an opportunity to give your security system an overhaul.

 Ask tough questions and assess the risks

Managing your outsourcers’ security levels should not be overlooked. The CSP’s internal security policies, regulations and laws (if you are looking offshore) need to be understood and evaluated. They will help develop a picture of what the security spectrum of your business will look like in an outsourced environment and most importantly identify any current gaps.

A cloud has different avenues for attack than would otherwise be available in a traditional data centre. The increased surface of a cloud increases its vulnerabilities which puts your organisation at higher risk. Things such as virtual switches, the item connecting virtual machines with virtual networks by directing communication and data packets, and software programs that allow machines to communicate with each other, are characteristics that previously your organisation may not have been exposed to, so it is critical to understand the potential impact of this new environment.

Transferring part or all of your organisations IT footprint to the cloud is a big change with sometimes unpreventable mishaps. If a problem arises based on an unexpected incident, who is to blame? The organisation or the provider? Allocating the right responsibility needs to be determined in the initial phase to avoid any confusions in the long run. Responsibility here is in relation to your organisation and the outsourcer. Be upfront when embarking on this new relationship and opening the doors between your current IT staff and your future provider to ensure that expectations and responsibilities are measured and tracked.

Keep in mind: What you expect your outsourcer to deliver may not always be clear. Define and determine responsibilities. Ensure that your CSP offers the levels of customer service you are accustomed to, with access to expert technicians (either on-staff or through a certified partner network). For additional levels of support, find a provider that offers a range of managed and professional services to help you develop a cloud strategy, migrate to the cloud, and maintain optimal cloud performance.

Don’t be afraid to: Look up specific international security standards and be informed and aggressive when dealing with your future (or current) CSP.

 Investigate the environment

Knowing what needs to be outsourced is very different from knowing what the ripple effect will be when that segment of your organisation is actually outsourced and placed on the cloud.

Your cloud provider is now the first line of defence in your external incident management process. They must be able to detect, evaluate and report any incident in a suitable timeframe and in the process already expected by your company. Consider, too, the legal and operational impacts. By outsourcing, you are in a way, joining with another organisation, so be sure of the overall compatibility.

Consider this, too: Multi tenancy. You could be one of numerous companies that the CSP is providing service to. There is no physical separation. Investigate whether you are entering into a multi-tenant environment, and what exactly this means for your organisation and its information.

The outsourcer will be retaining a lot of information about your internal organisation workings, too. If any internal incidents occur, accessibility around records must be agreed upon and understood. Identifying individuals within the outsourcing organisation will help increase transparency and reaction around any issues.

Keep in mind: Your information is now housed inside other organisations (metaphorical) walls. This is an integrated service, designed to know the ins and outs of your organisation. Don’t be afraid to: Look for evidence that shows whether each service provider has experienced serving enterprises like yours. These include sample customer lists, reputation, track record, and existing customer base. Service providers with experience in your company’s industry or have similar customers are likely to understand your business and technology needs.

Original Publication

Managing trouble if your Cloud is in a Storm

Posted on by
Reply

Cloud computing comes with many key decision and considerations. There are decisions to be made around whom to choose, what to look for and what specific service it is that you ultimately need for your organisation.

When an organisation starts to think about moving to the cloud, the driving force is usually twofold: achieving a competitive edge in business and the cost saving benefits the cloud promises. While these are the incentives, the considerations when choosing a cloud service provider (CSP) need to be a lot more detailed. You are migrating your business from one form of technology to a newer and still developing one, and hence must consider scalability, control and security.

This can be a long, slow and painful process. CSPs are, ultimately, still subject the same cyber problems as your company was back when the humble server was the apple of the CIO’s eye. You may have decided on a CSP boasting near 100 per cent up time. But what about errors in the file system, misconfigurations, abuse attempts, programming errors and bugs? When they hit, service outages happen. Maybe not every time, but they can happen.

The Australian Government Department of Defence, Intelligence and Security have an online resource dedicated to advice for “Cloud Computing Security Considerations”. Aimed to assess the benefits and risk associated to cloud, the site also investigates the potential disasters associated when cloud provider drop outs occur.

The question the site raises is this: what happens if your data is housed in the cloud and your cloud service provider, for some unknown reason, becomes unavailable?

And this is one of the true problems of cloud computing. By placing your organisation’s data, information and trust in a service provider, you ultimately lose the ability to directly and independently fix problems if and when they occur. There is a whole world of security threats floating around that have the potential to wreak havoc with a business’ critical data and applications, and that can damage an organisation’s reputation and bottom line.

And, even more concerning, what happens if your trusted CSP unexpectedly goes out of business. Where does your data go? Who has rights to it? How do you recover it? Is it still secure? The plethora of questions that this potential situation brings up is enough to warrant serious concern, consideration and preparation.

So, below are five tips which you need to consider if and when, and ideally before, you migrate to the cloud to ensure that business can go on as usual if your provider becomes unavailable.

1. Demand connectivity and availability

The Cloud Computing Security Considerations highlights availability, bandwidth, latency and packet loss as the four key concerns when looking at network capacity from vendor to organisation. If there is inadequate connectivity, then ultimately your organisation will reduce its capacity to function as it should when working on the cloud. Similarly, you need to understand the provider’s availability. Availability can be affected by a host of things: targeted attacks, unsuccessful an ineffective maintenance, hardware problems and so the list goes on. As always, doing due diligence on your cloud service provider is critical. You need to ensure that the provider will meet your organisation’s cost, quality-of-service, regulatory compliance and risk management requirements.

The system housing your organisations information and identity must have capacity and ability to deliver a connected and available service, otherwise the CSP is redundant.

Ask yourself: is there any room to compromise on connectivity and availability when looking at my service provider?

Understand the service level agreement (SLA) so there is no confusion around the level and quality of service you are signing up for.

2. Be realistic – the threats are largely the same

Physical systems in offices can crash and fail – losing your data on site and in your office. Whether you have just migrated to the cloud, or have been a long-time resident, the risks you now face are the same as those you faced with a server purring in the back room. The loss of important data is another concern that businesses ignore at their own peril. A hacker or a disgruntled employee could delete important data. However, hackers and employees are not the only ones who might be responsible for such a circumstance. Important, mission critical data can be lost due to the negligence of a cloud service provider.

So what was your plan then? Assess the guidelines you had in place before migration, and then adapt these to the new technology.

Ask yourself: What are the bottom line security standards our organisation needs? Understand your key areas of weakness so you can develop a plan to protect them.

3. Back up. Again. And again.

Moving data to the cloud means it is no longer housed underneath your organisations roof. It is housed in a data centre somewhere across the globe. To future proof your data and ensure that you are not left in the lurch without important information and applications; your best option is to work with two cloud suppliers and house your data in both. This means that when one provider goes down its extremely unlikely the other will.

Either way, the cost is generally a good investment for peace of mind.

Ask yourself: is it worthwhile spending additional money on a second back up to ensure that business can run as usual if one CSP goes down?

4. Your SLA: The scheduled, the unexpected and the unsaid

Any service level agreement (SLA) will have listed the maximum possible unscheduled downtime that can occur without breaching it. The Cloud Computing Security Considerations notes that “typical SLAs that guarantee 99.9% availability can have up to nine hours of unscheduled outages every year without breaching the SLA”. 9 hours may sounds small in the scheme of things, but timing and deadlines could potentially render an ‘unscheduled outage’ catastrophic.

Likewise, your SLA should have an estimate on scheduled downtime, for key activities like maintenance. Understand what notice your contact says you will be given and what the parameters are here.

Another key consideration when it comes to SLA is compensation. Downtime can have huge effects on your businesses functionality and depending on severity could tarnish reputation.

By understanding your SLA you are more capable to assess the potential impact an outage could have, what you should expect in relation to downtime and if your organisation could manage this in day to day workings.

Ask yourself: how much time out can your business take without your business suffering. Is it an inconvenience or a hindrance?

There are huge discrepancies across SLAs for CSPs. Understand your SLA, and be aware that it is likely skewed in the providers favour. Knowledge is power.

5. Good relationships are founded on trust

You are putting sensitive data and critical applications in the hands of your provider. You need to have trust that if they can manage this data, they can manage to get you back on board in a reasonable time frame and without real stresses to your business.

Your provider needs to be reliable and secure, and ultimately be able to protect your data even when there is down time.

There should be minimal doubt when you sign that dotted line.

Ask yourself: what do you know about this provider, their history and their capacity. Understand your demands and their solutions. Do your research, and if you find any red flags, don’t hesitate to ask.

Original publication on CSO.

Cyber security threats through the Cloud

Posted on by
Reply

As with most of technology, security goes through periodic changes, cycles and generations. Hardware, software, applications and methodologies all arrive, become commoditised and standardized to the point of being invisible, and then come back in a new evolved form. New platforms and new devices create new opportunities but are also subject to new evolved threats – something that remains true of security.

Cloud Computing: a brand new landscape for threats

IT security threats evolve and adapt to the new IT environment. As corporate and personal IT usage habits have changed, so too have the types of security threats present in the world. New IT practices like Cloud Computing give end-users great benefits in terms of mobility, flexibility and productivity, but they also give malicious third parties new routes to breaching security and increase risks. So while the Cloud has given users a whole new world of mobile computing, it has also created a whole new landscape for hackers and viruses to attack from.

The rise and rise of mobile usage and the Cloud have seen third party attackers change their approaches. Cloud services, social media websites and Android operating system devices have all become new targets, while traditional user data and website denial of service hacks remain popular.

Recent malicious examples in Australasia have included the damaging loss of over 20,000 customer passwords by surf wear brand Billabong and Web giant Google having its Australia office’s building control system hacked into. Similarly it was revealed recently that the Reserve Bank of Australia wascompromised by a phishing attack, while the Commonwealth Bank of Australia recently stated, in the light of hacking attacks on Australia Security Intelligence Organization, that cyber security is among its top concerns.

The risks posed by hackers and phishing attacks haven’t gone away, they’ve just evolved.

the ever-changing nature of the cyber security threat

Cyber security attacks and the ways in which they affect people and organizations are always in a state of transformation. As one IT specialist finds a solution to a particular problem or type of attack, so the creative hackers out there come up with something new and improved.

So as the Cloud has played out its role as both a disruptor and an enabler in the technology world, so too new threats have emerged from it. The leading threat to both organizations and individuals is data breaches. Companies fear sensitive corporate data falling into the hands of competitors, private citizens fear their bank details and credit card information being misappropriated and abused. This is of course not a new threat in itself, but the Cloud enables new routes to the hack, virtual machines and poorly-designed multitenant databases both offering different access points.

In addition to data breaches and data loss, there are the ever-present threats of account hijacking and denial of service, both of which can now be attempted differently thanks to the Cloud. API keys – the coding that Cloud applications use to identify each other – are another tool in the hacker’s armory, allowing malicious parties to launch denial of service attacks or accumulate fees and charges on a victim’s account.

cyber security: a critical business issue

So while the threat is still similar in nature to previously, the avenues to getting in have increased. What this means is that it is time for companies to start thinking about security as a defined strategic issue.

Data security threats and attacks are major factors in successfully achieving regulatory compliance, whatever industry a company might be in. Non-compliance through having inadequate protection of corporate and customer data is a terrifying thought for any company director, so cyber security now really needs to sit at the top of any senior executive’s ‘to do’ list.

but end-users suffer too

At an individual level, the Cloud has helped to bring phishing into the mainstream of cyber security threats. Phishing was previously quite an insidious tactic, but today it has become incredibly brazen and up front, particularly in the mobile world. Because people now use their mobile devices by second nature, often inputting their password dozens of times a day, users are simply less vigilant.

It is estimated that mobile users look at their devices for one reason or another up to 150 times per day – this means entering that precious four-digit PIN code repeatedly – and how many end-users are really certain about what site they are distractedly tapping their password into?

changing threats mean changing strategy

To address this ever-changing security threat, a change of thinking is required. For many years companies and governments acknowledged the need for IT security, were both aware of and concerned about the threats involved, but were still very reactive. So this change in thinking means no longer considering IT security as ‘just’ an IT issue. The focus must change to making cyberspace a strategic asset which requires as much security as physical borders and buildings do.

The Australian government has recently taken the proactive step of investing in cyber security, identifying the threat as a strategic one which affects not just ‘the Web’, but the country’s entire economy, infrastructure and the nation’s future prosperity. It has been estimated that during 2012, 5 million Australians were affected by cyber security issues, at a cost to the country of around $1.6 billion. So it is to the government’s credit that even in an election year it has given the problem due consideration and taken the initiative, ploughing money into cyber security. That’s how significant an issue cyber security and the new threats available through the Cloud have become.

risk management is required at all three levels

The evolution of cyber security threats to the new environment means that the threat exists at three different levels

  • the personal
  • the organizational
  • and the nation state or community level.

At each of these levels the consequences can be dramatic and risk management is required at all three levels.

Original Publication

The rise and rise of the “as-a-service” (XaaS)

Posted on by
Reply

I recently blogged about Unified Communications as a Service (UCaaS) and how its cloud-based communications and collaboration tools can help companies be more productive. The “as-a-service” (XaaS) approach is really at the heart of so much business transformation at the moment and it is fair to say that it is becoming a strategy in its own right. It is creating a whole new paradigm for customers and service providers.

XaaS: what’s new?

In the past we typically used to ship or download physical products as we needed them, but the introduction of cloud computing as a heavyweight enabler has given rise to the XaaS model. The XaaS approach brings with it an ongoing relationship between customer and supplier, in which there is constant communication, regular status updates and a genuine two-way, real-time exchange of information.

Original Publication

This makes XaaS an attractive approach for customers, they really seem to be buying into it – the managed service nature of the relationship means they have to commit less money up front while enjoying less risk and still keeping up-to-date with the very latest technologies and product developments. Plus companies can also scale up or down, depending on their needs at a given moment in time – another important influencer on costs and another of those flexibility enhancers.

how mobile is helping power the XaaS revolution

So in the same way that the cloud itself has been a disruptive development for conventional IT’s ways of getting things done, so the as-a-service model is also changing the game. It is fair to say that the cloud is effectively the next step in the evolution of the internet, and the cloud is the conduit through which everything will in future be delivered as a service.

The XaaS model is changing everything in that it is both taking over applications and also taking over service delivery channels and basically cutting out the traditional middle man. With mobility becoming the new norm and the standard way of doing things, people can access the services and applications they want no matter where they are. Mobility, mobile device proliferation and the shift to faster mobile broadband connectivity are all helping to accelerate the process.

XaaS going mainstream

Software as a Service (SaaS) was arguably the first area in which the cloud delivery XaaS model found its way into the commercial mainstream, and the sector has gained significant momentum since then. Gartner predicts that the worldwide SaaS market will exceed $22 billion in 2015, almost double its value in 2011.

The benefits that SaaS brings to companies are true of all the other XaaS alternatives, such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Storage as a Service, Security as a Service, UCaaS and others. The big data revolution is seeing more organizations look into the possibilities offered by storage as a service – companies are creating more internal and external communications data, more video and so on, which means that storing data securely becomes an increasingly significant legal and compliance issue.

So by outsourcing these service provisions to a qualified expert partner, organizations immediately get lower “Total Cost of Ownership” (TCO) than with traditional, on-premises solutions. Deployment of services and applications is faster and easier which means that companies can reduce OPEX and get new offerings and services to market faster. The initial CAPEX is lower, IT support expenditure is reduced through the XaaS model and scalability is built-in to the proposition. Design obsolescence is also a thing of the past under an XaaS model. So it becomes another major disruptor for suppliers.

Overall people are switching on to the XaaS model because it takes the TCO and converts it from being a concern into something which is more controllable, and which has agreed service levels. Traditionally, IT initiatives were known for suffering from project overruns, where companies didn’t know what they would get at the end of a process which took longer than intended and which of course cost more. Those types of incidents were what cost CIOs their jobs. The XaaS approach removes this risk and while there can be a worry about having less control over the whole, companies have come round to seeing the benefits as outweighing this.

but the network remains key

So while the benefits and reduced risks of the XaaS model are clear, the network backbone is what powers the proposition forward. Cloud services all rely on a robust network to give the reliability that services need and that end-users expect, so as companies make the shift to the XaaS paradigm, they must always think about their networks too. If reliable, high speed connectivity is not available then the user experience declines and the proposition weakens.

innovation acceleration

Perhaps the real proof point of the XaaS model is that it genuinely accelerates innovation. No customer likes deploying something and then finding that a new version of the software, hardware or whatever has come along a few months later and they are already behind the curve. Under the XaaS approach, innovation can occur in real-time, customer feedback can be gathered and acted on immediately, organizations – and their own customer offerings – are able to stay at the cutting edge with minimal effort.

This is where XaaS distinguishes itself from the traditional thinkers who still believe that it’s better to build things themselves – the traditionalists will end up spending a lot more money to be locked into something that could pretty soon be out of date. Open integration environments that encourage application development are flourishing. And through this kind of innovation the smart providers of today are set to kill off the old paradigm by opensourcing this ongoing innovation and new ideas.

This new paradigm, now has a number of competing labels emerging. We will see with increasing frequency XaaS from our industry, no matter which label the industry adopts, the ‘Everything as a Service’ or ‘Anything as a Service’ label. One thing is guaranteed, we will continue to see the rise and rise of the “Everything-as-a-Service” /  “Anything-as-a-Service” (XaaS) model.

Unified Communications as a Service – the third way?

Posted on by
Reply

In my last blog post I wrote about how Technology can be used by ‘disruptors’ to change the competitive landscape and challenge long established segment leaders. In this piece I would like to explore a related technology that can be leveraged to disrupt the current landscape and one that I think is a reality now – Unified Communications as a Service (UCaaS).

UNIFIED COMMUNICATIONS YOU SAID?

The reason I call it a disruptor is that UCaaS is another specific application that is moving into the cloud and having a major impact on the way companies collaborate and communicate.

So what is UC? Unified Communications is an approach to business communication that groups together all the various tools under one umbrella and connects them up, making it easier for company team members to stay in touch. The UC suite typically includes all the communication apps you would expect to find in an average office, including the likes of

  1. voice calling
  2. video conferencing
  3. web conferencing
  4. and instant messenger (IM)

UC is about flexibility. Workers are able to be more productive and effective because they can choose the communication mechanism that works best for them at that time – such as taking a call on a landline, smartphone or tablet device. Bringing all of these ways of communicating together in an integrated format is what UC is all about.

challenges along the way

So UC can genuinely help organizations to see positive impacts on their productivity, worker effectiveness and even staff morale thanks to them being able to do their work more on their own terms. Many companies have attempted to raise productivity through UC and increased collaboration, and different organizations have had varying degrees of success with it.

There are challenges involved however – with the biggest expense being CAPEX, while integration and interoperability can also present problems. Companies must choose whether they want to roll UC out and manage the technology, training and risks themselves or whether they would rather outsource it – which may still require a significant investment upfront for the CAPEX which must be paid up front. It’s a balancing act, and one that causes many companies quite a degree of soul-searching.

“as a service” – the third way

There is a new paradigm that is a reality today and that is Unified Communications as a Service(UCaaS). The cloud continues to change the way that companies work, and it enables us to be more flexible in how we do things. In relation to UC, it means that companies can, rather than having that big initial CAPEX or big PBX, actually use a cloud-hosted service that gives all the benefits and control of an on-premise service. This is a potentially huge benefit for many companies.

Put simply, UCaaS makes Unified Communications and collaboration tools more affordable for all – vital at a time when companies need to reduce costs wherever possible. If you’re looking to manage costs then moving to an OPEX model is very attractive – and UCaaS also means smart outsourcing too. Working with an external partner means having a service level agreement (SLA) in place which covers you in unforeseen circumstances – when many companies have only one or two people responsible for their UC, who could be away on vacation or sick, this kind of safety net is a real advantage.

A further benefit of UCaaS is that it can offer event-based billing as well, meaning companies can offer support at times of greatly increased usage – such as delegates and staff collaborating around an annual conference, for example. The flexibility of UCaaS allows you to offer tools like video conferencing or Web conferencing which you might not otherwise need through the rest of the year.

Cloud – the enabler

One of the other advantages that the Cloud delivers is that of managing transitions of technology, again helping companies to reduce costs. By basing UC tools in the Cloud you don’t need to manage expensive upgrade cycles and you’re able to enjoy all the latest new features and versions as they become available.

What this also means is that companies can better manage the transitions of business models too – relocations, mergers, acquisitions and so on, any big changes to operational routines are more easily supported thanks to the agility of UCaaS. Take an example like mining companies which move operations around to where the next project demand is – starting up and shutting down projects is far easier in the Cloud.

Conclusion

These ideas have been around for quite a while now really, but only now are the service catalogues offering them come to market to make UCaaS a reality. The technology has caught up, meaning that companies can enjoy multi-tenanted Cloud offerings which allow more than one user on a box now. Similarly virtual machines can be had today with a compelling cost versus service proposition. It’s my belief that we are going to being seeing a big shift of people from on-premise UC suites to the cloud version, and adoption of the UC tools themselves is going to continue rising too.

At the end of the day, what UCaaS is about is

  • managing risk
  • cutting costs
  • and increasing collaboration.

By outsourcing your UC needs to a service provider who is an expert in that area you reduce CAPEX risks and the need for costly, long IT equipment recycle periods. You’re not putting all your UC eggs in one basket and get to enjoy the flexibility and agility that comes with the “as a Service” strategy.

Original Publication

Six tips for mobile device management security

Posted on by
Reply

There has been a lot of discussion this year about the increasing influx of consumer devices being used for both professional and personal purposes. Many organisations are feeling a little overwhelmed as they try to work out appropriate security levels and device management boundaries. When you take into consideration all the platform and application updates chewing through corporate bandwidth, plus the potential for rogue applications and malware to gain illicit access to company data, there are many headaches for security managers to deal with.

Here are six tips to help get the efficient and secure management of mobile devices under control:

1. Have a strong mobile policy

This may seem like an obvious tip, but there is often a clear disconnect between employees and employers’ expectations of how consumer devices will be used in the enterprise. Research from IDC found that not only were workers using their devices at twice the rate, they also tended to think employers were far more permissive of the use of consumer devices than they actually were. It is therefore very important to have a mobile use policy clearly defined to avoid these kinds of misunderstandings.

A mobile usage policy is a framework that defines who the users are and what devices, platforms and applications they can and can’t use. Enterprises must clearly define policies around reimbursement for services and what applications users can access via personal devices, along with clear guidance on who controls the data on devices.

2. Create an inventory of assets

How can you be assured of the security of employees’ mobile devices if you don’t know how many are out there and what they are? Implementing a robust and regularly updated inventory management system is a vital part of any mobile device management system. While many businesses do have an inventory of fixed and wireless assets, the majority of them are not updated and validated on a regular basis, leading to the potential for security issues to slip through the cracks via unknown devices or inappropriate usage. Businesses with accurate inventories have much clearer insight into their telecommunication environments and as such, more reliable information on which to base policy decisions.

3. Ensure proper configuration of devices

The sheer number of different devices and platforms out there can make the configuration of devices a challenging process. Factor in entry level handsets, smartphones, tablets with different operating systems and employees working in numerous different locations and the issue becomes even more complex. However, if a device is enrolled with a mobile device management server, a configuration profile defined and managed by IT admin can be implemented, enabling the device to interact with enterprise systems. An appropriate level of encryption can also be added to any commands coming from the server to ensure that settings cannot be altered without proper authorisation.

4. Implement appropriate security

Despite the influx of consumer devices into the workplace, many organisations haven’t implemented stronger security controls in response, leaving them at risk of security breaches or loss of sensitive data. Data encryption is a powerful piece of the mobile security puzzle and yet many businesses do not use it on a regular basis. In addition to implementing data encryption, enterprises need to inform workers about the risks of failing to comply with security protocols – there is a good chance that they are unaware of the risks associated with using their personal devices for professional purposes.

5. Regulate application protocols

Taking into consideration that there are thousands upon thousands of mobile applications out there, strong protocols need to be instituted for the deployment of any new applications and the management of existing applications. Malware is steadily creeping into the app world, so even applications from the app store need to be checked before they are allowed into the enterprise. Such malicious applications can take over the mobile device and operate in the background without the user knowing, searching for sensitive information such as passwords or banking details.

6. Provide training and end-user support

A relatively small percentage of the overall functionality of the average mobile device is used on a regular basis. With devices becoming more and more sophisticated, users could end up massively under-utilising all the functions that are at their disposal. As a result, most enterprises would benefit from providing user training, including how to set up email, device customisation, application selection and usage, understanding browser capabilities, using instant messaging, and mobile data services and understanding device functions and shortcuts. Support and training can increase worker efficiency and also reduce security risks, as employees better understand how their devices work.

Managing employee mobility doesn’t need to be a nightmare. With the right systems put into place, employees and employers alike can reap the benefits of mobility.

Original Publication