Virtual builders - Information Age

NOV/DEC 2014
Enterprise gamification:
where did it all go wrong?
Storage outlook:
15 predictions
for 2015
How to get
through the new
EU data regulation
Virtual builders
BAM Nuttall leads the way in 3D printing and augmented reality
VMware
The Software-Defined Data Center.
VMware’s software-defined data center virtualizes all data center resources and automates management. So computing, storage, network and security can reach new levels of agility and efficiency. By adopting this IT-as-a-Service approach, businesses are reducing operating costs and capital expenditures, while IT drives innovation and increases revenue.
Want your business to be more agile, efficient and profitable? Start with your data center.
vmware.com/uk/sddc
Copyright © 2014 VMware, Inc.
editor’s letter
Remember
privacy?
Having recently attended a screening of
CITIZENFOUR , a
documentary about
Edward Snowden, I feel inclined to
reignite the debate around data
protection in the digital age.
I fear that people are becoming
desensitised to the loss of what was
once deemed a vital component of a
free society: privacy.
This was, of course, born from the
emergence of ubiquitous
telecommunications and the
internet, which now touch almost
everything we do in our daily lives.
As a contractor for the USA’s
National Security Agency (NSA),
Snowden became aware of the vast
scale and intrusion of numerous
global surveillance programs,
including in the UK.
CITIZENFOUR documents the
meetings in a hotel room with
filmmaker Laura Poitras and The
Guardian, where Snowden leaked the
huge extent of government spying on
the public’s phone and data records.
Snowden has been heavily painted
as a villain by governments around
the world, but I suspect – or, at least,
hope – that he will be written into
history books as a brave
whistleblower who defied the law to
prevent an escalating abuse of power.
In the recorded footage, Snowden
makes it clear that his opinion on
blanket surveillance is irrelevant in
his decision to leak the highly
classified information.
Instead, he sacrificed his home, job
and family – he had to leave the US
immediately to avoid arrest and is
now taking temporary asylum in
Russia – to stand up for the people’s
right to debate issues that challenge
their civil liberties.
As the first generation to grow up
with the internet enter the
workforce, I have begun to witness
the public’s concern for this
fundamental right gradually fade.
Too many people now simply accept
that the government is essentially
watching their every move –
supposedly for their security –
without challenging it.
As technology’s impact on our lives
continues to grow, it is imperative
that influencers fight for
transparency – before true privacy is
nothing but a distant memory.
Ben Rossi, Editor
November/December 14 information-age.com
3
contents
NOVEMBER/DECEMBER 2014 | information-age.com

19 On the cover
As a profession as old as the hills, it would be easy to dismiss the innovation credentials of those who work in construction. But, as BAM Nuttall displays, it is in fact an innovation-leading industry that is leading the way in emerging technologies like 3D printing and augmented reality
‘Augmented reality is demonstrating to the client that they can visually see what is being built’

innovationage
22 Gamification focus
Information Age investigates where it all went wrong for enterprise gamification, and how it can rise again

storageage
26 2015 storage outlook
15 storage predictions for the coming year – what is around the corner for the storage world in 2015?

networkage
32 Mobile untangled
Information Age attempts to find a definitive mobile strategy to support the connected enterprise

securityage
36 Going soft on security
The software-defined trend has bulldozed its way through the server, storage and networking markets, but what does it mean for security?

NEWS FLASH 8 Rounding up the top industry news and trends of the past month
INSIDER 10 How an old mainframe firm is enabling the Internet of Things
INSIDER 14 The inside track on this year’s Data Leadership conference
DEPLOYMENT WATCH 17 A look at some of the latest deployments across the UK
IN THE BOARDROOM 42 Dell’s CCO paints a healthy picture – but a dire one for HP
ANALYST EYE 44 IDC on how organisations can get through new EU data laws
PRODUCT CORNER 48 Apple’s iPad Air 2 takes this month’s product crown
COLUMN 50 Richard Lee gives his view on the latest open-data initiatives

EDITORIAL
Editor Ben Rossi (020 7250 7961)
Staff Writer Chloe Green (020 7250 7956)
Group Sub-Editor Alan Dobie
Researcher Stephen Grainger
Senior Designer John Howe
Junior Designer Ashley Humphrey

COMMERCIAL
Sales Manager Edward Young (020 7250 7950)

SUBSCRIPTIONS – INFORMATION AGE
Helena Smith (020 7250 7031)

VITESSE EVENTS
Head of Events Ben Brougham (020 7250 7051)
Events Manager Julie Leggatt (020 7250 7043)

VITESSE MEDIA PLC
Executive Chairman Sara Williams (020 7250 7010)
Deputy Chairman David Smith (020 7250 7010)
Chief Executive Officer Niki Baker (020 7250 7010)
Head of Investment Nick Britton (020 7250 7035)
Director of Digital and Social Media Jonathan Sumner (020 7250 7032)
Online Sales Manager (SME titles) John Bromley (020 7250 7954)
Sales Manager (What Investment) Les Lubwama (020 7250 7033)
Marketing Manager Jemma Redpath (020 7250 7039)
Marketing Executive Carly O’Donoghue (020 7250 7055)
Finance Manager Deborah Cummings (020 7250 7963)
Accounts/Admin Assistant Ajith Benjamin (020 7250 7046)
Email: all email addresses are of the form [email protected]
Reprints & Licensing 020 7501 1086

Information Age is published by Vitesse Media Plc, Octavia House, 50 Banner Street, London EC1Y 8ST
ISSN: 1359-4214
Printed by Stephens & George Magazines Ltd
© Vitesse Media Plc. All rights reserved. Contents may not be reproduced in whole or part without the written consent of the publishers.
12 FEBRUARY 2015 | CENTRAL LONDON
Security Leadership: The antidote to the
raft of hyperbolic, scaremongering security
conferences that fill the IT calendar
Yes, the threat of cybercrime is real and a
massive concern for organisations – large and
small – throughout the world. The huge weight of
responsibility to fend off attacks falls firmly on the
shoulders of IT leaders.
However, they have to work tirelessly to see
through the waves of hype in order to gain a truly
360 view of security in their enterprise. This has left a
large disconnect between the content and resources
constantly pushed onto CIOs, CISOs and the like,
and exactly what they need to do to ensure their
organisation isn’t the next highly publicised victim.
By focusing on exactly what matters to businesses
when it comes to protecting their data, assets
and infrastructure, Security Leadership takes a
mature and sophisticated approach to educating its
audience on threats, solutions and a clear roadmap
for 2015.
Through four targeted sections – people and
process, infrastructure and cloud, mobile and
BYOD, and prevention and business continuity –
Security Leadership ensures its attendees leave
with genuine insight into formulating an effective
security strategy.
SPEAKERS INCLUDE
MARTYN CROFT - CIO, Salvation Army ///
RICHARD GODFREY - ICT Strategy, Infrastructure and
Programme Manager, Peterborough City Council ///
MARK RIDLEY - Director of Technology, Reed.co.uk ///
EUSEBIO ECHEVARRIA - IT and Compliance Director,
The Quintessentially Group /// JAGDEEP BHAMBRA - Independent Security Advisor /// JULIE GEORGE - Head of Information Security and Assurance, Post Office
/// MIKE LOGINOV - Executive Director, ISSA UK ///
DR CHRISTOPHER RICHARDSON - Head of BU Cyber
Crime Unit /// SARAH LAWSON - Head of IT and
Information Security, NPEU, University of Oxford ///
HUSSEIN HASSANALI - CISO, Bank AL Habib ///
GRAHAM FRANCIS - Director of IT Services, Havering
Sixth Form College
SECURITYLEADERSHIP.CO.UK
newsflash
NEWS / TRENDS / EVENTS
@informationage
winners
AWS
Amazon Web
Services (AWS)
has helped
allay EU privacy concerns
by opening a data centre in
Frankfurt. The data centre
is the company’s second in
Europe, which it says will
allow its customers’ content
to fall entirely under the
umbrella of European data
protection laws. It hopes
this will trigger more
acceptance for the cloud.
losers
INTEL
The computing
giant saw a 9%
revenue
increase year on year in its
third quarter of 2014, with
revenue of $14.6 billion, after
shifting record numbers of
its PCs and microservers. It
sold more than 100 million
microservers in a quarter for
the first time. However,
Intel’s mobile business
continued to generate large
losses for the company.
IBM
Big Blue is
going through
a rough
financial transition as it
shifts its strategy from
hardware to cloud, with a
marked slowdown in sales.
Its third quarter results
showed net income had
shrunk by 17% and revenue
was down 4% year on year.
CEO Ginni Rometty called
the performance
‘disappointing’.
DRUPAL
The content
management
platform
issued a security warning
to users saying more than
12 million websites may
have been compromised by
attackers who took
advantage of a bug in its
software. The warning said
users who did not update
their software within seven
hours should assume their
site was attacked.
EU PLEDGES €7.8 MILLION
TO OPEN-DATA STARTUPS
The European Union has committed €7.8 million to a Europe-wide programme for open-data entrepreneurs.
The call for submissions will open in spring 2015 to startups looking to build their business models around using or publishing data in order to create insight into their own products or services, or create new ones.
In collaboration with London’s Open Data Institute (ODI) and the University of Southampton, the programme will recruit approximately 50 startups over 30 months, with €5.5 million allocated to each successful applicant to develop their concept. They will also receive mentoring, technology, infrastructure and networking support.
The new EU incubator is based on the success of the ODI’s own startup programme, which provides funding and hands-on support for small and fast-growth businesses. In the last 12 months, ODI startups that use or produce data as part of their services have generated over £12 million.
The new EU-wide open-data incubator forms part of a €14.4 million initiative to catalyse open-data initiatives across Europe, which will also include an EU-wide research network and an academy for training data scientists.
GCHQ HEAD SAYS WEB GIANTS
ARE AIDING TERRORISTS
US web companies including Twitter,
Facebook and WhatsApp have become
‘command and control centres’ for
extremist groups and are in denial
about their platforms’ misuse,
according to GCHQ chief Robert
Hannigan.
Extremist group Islamic State (IS)
uses these messaging services as ‘a
noisy channel in which to promote
itself, intimidate people, and radicalise
new recruits’ thanks to their use of
encrypted traffic, said Hannigan.
He also warned that GCHQ and other
international intelligence agencies,
such as MI5 and the Secret Intelligence
Service, could not tackle these
challenges ‘at scale’ without greater
cooperation from the technology
companies.
Hannigan added that he
understands why tech giants ‘have an
uneasy relationship with government’
as they aspire to be neutral conduits
of data and to sit outside or above
politics, ‘but privacy has never been
an absolute right and this should not
become a reason for postponing
urgent and difficult decisions’.
WHITE HOUSE ATTACKED
BY RUSSIAN HACKERS
The White House has revealed that its
internal networks were targeted by
hackers thought to be working for the
Russian government.
Agencies such as the FBI and Secret
Service were drafted into
investigating the three-week-long
breach, which bears the hallmarks of a
state-sponsored attack. The extent of
the breach and data loss has yet to be
established.
‘Our computers and systems have
not been damaged, though some
elements of the unclassified network
have been affected,’ said a White
House spokesperson in a statement.
‘In this case, we took immediate
measures to evaluate and mitigate the
activity.’
Security firm FireEye identified
Russia as a possible culprit, saying that
a cyber-espionage campaign had been
directed at potential targets of
interest to them, such as European
governments, militaries and security
organisations.
HP TO SPLIT
HP has confirmed
reports that it
plans to break
into two
companies to
help support its
turnaround plan.
One company
will comprise its
enterprise hardware, software and
services, and will be known as HP
Enterprise, while the other will be
made up of its consumer PC and
printing business, known simply as
HP Inc.
HP said it will complete the break-up
by the end of next year, and that both
companies will remain publicly
traded. Shareholders will retain
shares in both.
The month in numbers
68% of organisations believe ‘business-at-the-speed-of-paper’ will soon be ‘unacceptable’ (AIIM)
The average UK business loses 65 hours of employee time a day due to IT underperformance (Epson)
29% of businesses reported accidental data leaks by staff (Kaspersky)
The UK economy faces a £10 billion deficit if smart technology usage doesn’t pick up in the next 12 months (Samsung)
IT budgets are set to grow 3.3% in 2015, hitting a five-year high (CEB)
Microsoft has almost concluded plans to eliminate 18,000 positions as part of major job cuts it’s carried out over the course of the year
As of October, IT job postings on Indeed.co.uk have increased 15% since September 2013. There are currently 139,833 IT job postings, the largest of any sector except retail (Indeed)
60% of Gen X and Gen Y professionals feel their organisation’s HR department is adjusting to enable a more mobile, flexible work style for its employees, though two in five feel this is not happening quickly enough (Cisco)
insider
German-engineered innovation
Information Age got the inside track on how a 45-year-old German mainframe
company is re-emerging as a global integration enabler for the Internet of Things
The software vendor
market is a lot like
natural selection: in
the constantly shifting
landscape of enterprise technology, it’s
a matter of ‘survival of the fittest’ and
‘evolve or die’. As a result, some of the
most interesting and ambitious players
are the ones that have been to the
brink of extinction and had to fight
tooth and nail to stay in the game.
German vendor Software AG may
well be one of them, and if its recent
company conference – Innovation
World in New Orleans – was anything
to go by, it has firmly established itself
back in the pecking order.
When current CEO Karl-Heinz
Streibich took over in 2003, the
company’s bread and butter had
been its mainframe database since it
appeared on the scene in 1969, but like
so many others it was floundering
in the emerging environment of
virtualisation and the cloud. After a
difficult transition period in which it
saw net losses of €9.3 million in the
first quarter of that year, Streibich
successfully steered the company
back to profit a year later, through an
intense focus on innovating around
its business process management
(BPM) business line.
>> CEO Karl-Heinz Streibich has
re-engineered Software AG as an
innovative integration partner
Now Software AG turns over more
than €1 billion and is Germany’s
second-largest software vendor
behind SAP. BPM is its biggest earner,
accounting for around 60% of the
company’s revenue and projected to
reach 80% by 2018.
As well as some major changes to
internal structure and the expansion
of the Software AG partner ecosystem,
Streibich oversaw the acquisition of
several key additions to the service-oriented architecture (SOA) arsenal,
including the webMethods BPM suite
in 2007. This was complemented by
multiple buys such as in-memory
platform Terracotta in 2011 and
complex event processing (CEP)
platform Apama Streaming Analytics
in 2013, as well as several other
investments in the analytics space.
It also got portfolio and project
management pinned down with its
Alfabet acquisition last year.
Forrester identified 52 vendors in
2013, making it a crowded marketplace.
A few years ago, many were wondering
how Software AG would level itself
against mega-vendors in the space
such as Oracle and IBM. But although
still quietly modest in its marketing, it
has a loyal enterprise customer base
that includes 70% of Bloomberg
Businessweek’s Global 1,000
companies, and has proven itself
hugely competitive as a ‘middleware
hub’, building on more than 35 years of
experience in good, reliable German-engineered mainframe computing to
take on the integration challenge.
Global transformation
It’s fair to say that Software AG has
methodically transformed itself from
its German and mainframe roots into
a global integration player with a
comprehensive, functionally rich
suite for the digital enterprise.
Though a few years ago it might have
been accused of not yet being capable of
the kind of product integration that
larger players like IBM could offer, its
plan for total integration of its suite
into customers’ hybrid environments
is now coming into sharp focus, as it
demonstrated to some of its 10,000
customers in New Orleans this October.
‘The interoperability of enterprise
systems – both on-premise and in
the cloud – is becoming crucial as
complexity of IT grows, and apps,
data, SaaS and on-premise products
all have to work seamlessly,’ said
Streibich, explaining Software AG’s
vision for the ‘connected enterprise’
in his keynote speech.
Ahead of the cloud
Now that it has successfully crossed the
bridge to the cloud, Streibich says his
company is positioning itself ahead of
the cloud’s next phase, aimed at the
creation of business applications in a
flexible way. It is building this on the
back of the ‘Oreo cookie theory’ – the
idea that it is what’s in the middle that
counts, and an update to the notion that
middleware should be rigid and fixed.
According to Streibich, the journey
to this new phase started decades ago
with standardised applications,
followed by the cloud.
‘All that standardisation makes
things reliable and is wonderful, but
companies must have the means to
differentiate themselves from the
competition,’ he explained. ‘We need
the new layer for differentiation – a
middleware layer containing all the
different functions for fast, agile
application provision.
‘We asked ourselves what we can do
to add value to customers’ projects,
and what we hear is that companies
rely on technology-driven innovation
in their new business models. The core
challenge of this is that connectivity
has to be present whenever and
wherever it’s needed, and the siloed
function of applications is very often
the source of all problems.’
He hopes to address this with the
launch of new integration-platform-as-a-service (iPaaS) webMethods
Integration Cloud to provide cloud,
on-premise and hybrid integration
capabilities, along with streaming
analytics from Apama to allow users
to gain insights from business events
in real time.
As CTO Wolfram Jost explained at
the event, the company is setting itself
up as an integration partner for the
kinds of ‘wide and deep’ scenarios that
the emerging Internet of Things
environment will demand.
‘We are fast moving from a traditional business-intelligence approach to a world where you can adjust your business by making continuous decisions,’ he said. ‘You can’t make the mistake of thinking the Internet of Things is just about an injection platform taking data in from sensors and “things” and putting it somewhere else. Companies using streaming data to optimise their businesses are already doing a lot of exciting stuff that is helping them seize revenue opportunities and identify problems in real time. When it comes to creating consumer-facing apps, they will become contextual across locations and devices, so consumers will demand the kind of customised experiences that come from real-time analytics.
‘The world of the IoT is going to need a completely new software architecture that can handle the scale, and we believe that our suite is positioned to provide that.’
‘The interoperability of enterprise systems is becoming crucial as complexity of IT grows, and apps, data, SaaS and on-premise products all have to work seamlessly’
How to be a data leader in 2014
This year’s Data Leadership delegates went away with an updated, 360˚ view
of how to be an enterprise data leader in 2014
In 2014, those wishing to
lead data projects in their
organisations are no
longer just looking for a
confirmation of the hype of ‘big data’
and its surrounding technology: it’s
high time that the discussion entered a
more mature stage, looking at the
depth and breadth of data use.
That’s what Information Age believes,
and why last month 200 senior
members of the IT community flocked
to this year’s Data Leadership event at
the Grange Tower Bridge Hotel,
London, to enjoy a day of well-rounded, business-focused talks from
esteemed peers, research leaders and
vendors in the field.
A major theme of the day was
integration, and much of the discussion
focused on how to take all of the data
that organisations have now amassed
out of its siloed individual business
functions and fully assimilate it with
process, context, the humans
producing and operating it, and the
wider world of data beyond an
organisation’s walls.
JP Rangaswami, chief scientist at
Salesforce.com and director at the Web
Science Trust, asked how organisations
are going to reorchestrate what they
do so as to deal with the ‘porous
membrane’ between their external and
internal data.
‘Perhaps we are heading to a point where data cleaning is not possible, and we will need new immune levels for outside data,’ he suggested.
‘It’s time to respond differently – in today’s data landscape, relationships matter much more than transactions. The transaction is just numbers unless the person, time and context are added.’
This was echoed in the message of Tim Jennings, chief research officer at analyst house Ovum, who said he strongly believes that the time has arrived to ‘bring data off its island’ and integrate it as a ‘first-class citizen’ of the enterprise. Now that big data tools such as Hadoop have begun to be explored, he said, it’s time that we brought it to bear on the enterprise environment as a whole.
‘Architecture is continuing to evolve, and I would suggest that it’s ready for prime-time and enterprise deployment,’ said Jennings. ‘We just need to build the security and control into these tools that enterprise requires, since they were not built for wider enterprise deployments.’
>> Ovum’s Tim Jennings said it’s time to ‘bring data off its island’ and integrate it as a ‘first-class citizen’ of the enterprise
Don’t forget the human
Hugh Cox, founder and chief data
officer of British analytics company
Rosslyn Analytics, argued that
businesses need to move ‘from data
factory to data refinery’.
‘This means not just pumping all data
through software, but using a mix of
machine learning and human
assistance to intelligently and
dynamically identify errors or
wrongly classified or associated
information,’ he said.
‘Analysis of data by individuals with
expertise – and making use of the
human knowledge asset within an
organisation – is just as important as
having faster or better technology.’
Through this approach, said Cox, data leaders can get maximum value from data, and finally make use of ‘elusive information’ – the 90% of data that is not ready or available for analysis within an organisation.
90% of data within an organisation is not ready or available for analysis
Richard Lee, managing partner of executive consulting firm IMECS and regular Information Age columnist, returned to the Data Leadership stage for the second year in a row to argue that fundamental to being a truly ‘analytics enterprise’ is the creation of a culture of pervasive analytics within an organisation – to make real-time, exacting business decisions.
David McNally, director of digital systems at Macmillan Science and Education, gave the audience insight into how the use of rich semantic search capabilities to enable open access to ‘hidden science’ is driving a transformation in science and education publishing.
And Professor Yike Guo from the Data Science Institute showcased some fascinating examples of ‘interdisciplinary’ data analytics, bringing together data disciplines such as TV broadcasting and neuroscience in order to shed light on previously unknown audience responses.
Continuous improvement
UBS Investment Bank’s director of BI services, Paul Banoub, told us how his organisation is doing this by building a thriving community of learning around BI tools, and being committed to constant improvement.
‘Don’t just sit down and admire your service,’ he said. ‘Evolve it, make it more secure, make it work on mobile, listen to what users want.’
Delegates also benefited from the firsthand experience of those leading data innovation in a variety of industry sectors from charity to finance and infrastructure – from construction products manufacturer Aggregate Industries’ complex data requirements on haulage analysis and telemetry to the data revolution happening behind the scenes at the world’s oldest railway, Network Rail.
Martyn Croft, CIO of The Salvation Army, is using analytics to weed out ‘philanthropic phishing’ attacks that occur around big humanitarian disasters, while Adrian Carr, VP EMEA of enterprise NoSQL firm Mark Logic, showcased how his company helped design the BBC’s 10,000-plus semantic pages for the London 2012 Olympics.
Chasing liberty
The inventor of the World Wide Web, Sir Tim Berners-Lee, criticises the
government’s approach to surveillance, and calls for increased accountability
Sir Tim Berners-Lee,
inventor of the World
Wide Web, has called for
greater resistance to
government-enforced
blanket surveillance.
In July, prime minister David
Cameron announced that emergency
powers to allow public bodies to
access phone and internet records are
being rushed through Parliament.
The legislation overpowered a
European Court of Justice ruling three
months earlier that deemed the
storing of metadata by telecoms
companies illegal as it infringes
privacy rights.
‘I think we should be really resistant
to it,’ Berners-Lee told Information
Age. While accepting that government
snooping is an ‘inevitable’ form of
crime prevention in the internet
age, he criticised the approach of
Cameron, who presented him with an
outstanding achievement award at the
Daily Mirror’s Pride of Britain Awards,
held in London on 6 October.
‘There’s an emergency today and there will be an emergency tomorrow – there’s always an emergency,’ he said. ‘So I don’t think one should use the term “emergency” to be able to push through powers.’
Instead, he has called for a more ‘transparent’ and ‘powerful’ system of surveillance, which is kept in check by an independent body.
‘We should make sure – emergency or not – that there is a system that we all know about, in which an agency watches the watchers and guards the guards. We need to build that system up and have public discussions about it.’
>> Sir Tim Berners-Lee calls for more transparency when it comes to the government’s access to data
Under the microscope
The agency that currently oversees
electronic surveillance in the UK,
the Government Communications
Headquarters (GCHQ), has faced
extensive scrutiny since Edward
Snowden exposed its access to the
controversial US internet monitoring
program PRISM.
Snowden also accused GCHQ of
eavesdropping on phone calls and
emails from politicians visiting the
2009 G-20 London Summit, and
collecting 1.8 million private webcam
images from Yahoo users.
Berners-Lee revealed that he has
spoken to Robert Hannigan, who
became the new head of GCHQ this
autumn following a six-year
leadership stint by Sir Iain Lobban.
‘He asked, “How should we build a
system?” and “How should GCHQ do
what the British public needs it to be
able to do; to be a powerful force and
still be accountable?”’
The answer is tricky, Berners-Lee
acknowledged. ‘It’s a difficult problem,
but with the government we really
have to go through and design that
system and force them to put it in
place.
‘There’s a tradition in England
of trusting the government and
government agencies, but we
have to have a system with more
powerful checks.’
Happy anniversary
As this year marks the 25th
anniversary of the World Wide Web,
Berners-Lee decided to share his
vision for the next 25 years with
delegates at Europe’s biggest cloud
and IT infrastructure event, IP Expo.
In an impassioned speech to
delegates, he laid out what he called
‘instructions, not predictions’ for the
future of the web and data, and how
the industry must continue to work
hard to keep the web a decentralised
platform.
‘When the web first started, no-one
could imagine that you could click on
a link and go to anything in the world,’
he said. ‘What started out as simple
HTML documents linked together has
become dynamic.
‘The value and excitement of the web is what we can build on it, and the mind-blowing creativity it has enabled over the past 25 years. But to continue to do that, we must keep fighting to keep it a platform without central control.’
>> David Cameron announced emergency powers in July to allow public bodies to access phone and internet records
As the pace of innovation continues
to get faster, what will be most
important is not the speed of
communications networks, but the
development of ‘smarter’ computing,
said Berners-Lee. The potential of
artificial intelligence is a key part of
this that is only just now beginning to
be realised.
But apart from the technology
revolution, there will need to be a
turnaround in the way people, the
web and data work in a social sense.
Berners-Lee described the use of big
data on the web as a ‘marvel’, but said
consumers are still struggling with a
‘queasy feeling’ when met with
targeted advertising, and the
foundation of trust and control must
come first.
‘I want to build a world in which I’m
in control of my own data,’ he said. ‘As
an individual, I should have the legal
ownership of that data and should be
able to sell it when I see fit.
‘If we allow individuals the control
and understanding of the way their
data is used, it will open up huge
opportunities to build apps and make
use of that data, as they’ll be much
happier to open up that data for
important benefits.’
Berners-Lee went on to foresee that
the future lies not in big data but in
‘rich’ data.
To enable the ‘new world’ of data,
companies will need to build systems
that are not only powerful but able to
handle endless different types of data
from a variety of sources combined in
novel and useful ways.
Once these building blocks are
put in place, big data could have
wide-ranging applications – not
just in business, but it could be
powerfully transformative in areas
such as healthcare, democracy
and economics.
deployment watch
The Met Office
WHERE? Exeter
WHAT’S THE BUSINESS CASE?
The Met Office is the UK’s national
weather service and is recognised as
one of the world’s most accurate
forecasters. It uses more than 10
million weather observations a day and
an advanced atmospheric model to
create 3,000 tailored forecasts and
briefings each day, so needs the most
powerful systems available.
WHAT ARE THEY DOING ABOUT IT?
Signed a multi-year, multi-phase
contract for supercomputers and
storage valued at more than $128 million
for operational weather prediction and
climate research. Multiple system
deliveries are expected between 2014
and 2017, with the major deliveries
expected between 2015 and 2017.
WHO’S HELPING?
Cray will provide its XC
supercomputers and Sonexion storage
systems in its largest ever
supercomputer contract outside of the
United States. In their final
configurations, the Cray
supercomputers will have 13 times
more supercomputing power than the
Met Office’s current systems. ‘We are
very excited about this investment in
UK science,’ said Met Office chief
executive Rob Varley.
Manchester Airports Group
WHERE? Manchester
WHAT’S THE BUSINESS CASE?
Given the proximity of some of the
car parks to the airstrip at Manchester
Airport and subsequent aircraft noise,
sudden sound surges were beginning
to cause concerns for many of the
staff.
WHAT ARE THEY DOING ABOUT IT?
A health and safety representative
informed management that
specialised headsets would be
required to eliminate the chance of
staff suffering from these effects.
Since staff often have to remain
mobile while on the phone, a wireless
solution was recommended.
WHO’S HELPING?
Sennheiser, a global leader in
premium headset and UC
solutions, was chosen to supply
the Manchester location with
headsets for control room staff.
The DW series of headsets
fulfilled all of the requirements
and, importantly, guards against
the risk of sound surges due to
their acoustic shock protection.
Eversheds
WHERE? London
WHAT’S THE BUSINESS CASE?
Global law firm Eversheds is in the
process of moving to a more agile
working model and it is important it
has a strong wireless network. Its
previous Wi-Fi was no longer fit for
corporate use, as it restricted the way
staff worked and communicated while
on the go.
WHAT ARE THEY DOING ABOUT IT?
Deployed a wireless network to
support its mobility strategy enabling
flexible working and increased
collaboration. The network has been
deployed across eight countries in
Europe, the Middle East and Asia to
support up to 4,000 staff, clients and
guests. It will also support the firm’s
recent deployment of Microsoft Lync,
which provides instant online
conferencing, including voice, video
and shared content, allowing staff to
easily and quickly share knowledge,
ideas and content.
WHO’S HELPING?
The global Meru 802.11ac deployment
encourages collaboration, improves
efficiency of meeting spaces and
creates more flexible work styles.
on the cover
A dose of reality
BAM Nuttall displays how construction is an innovative industry by leading the
way in 3D printing and augmented reality
As a profession as old as
the hills, it would be
easy to dismiss the
innovation credentials of
those who work in construction and
civil engineering.
Traditionally seen as a typically
blue-collar job, you’d be forgiven for
characterising people in this
industry as being most effective
with their hands – and less
experimental with the latest and
greatest IT solutions.
But one chat with Rob Youster,
head of ICT at Bam Nuttall, and
you’ll probably change your mind.
Youster has been with the company
for over 25 years and has witnessed
a massive change in the
expectations of users and clients
when it comes to technology.
One recent example of this is the
two-year legacy project to transform
the Olympic Park from a dedicated
sports and events area into a
residential park, known as Queen
Elizabeth Olympic Park.
When the contract was awarded to
start clearing the land reclamation
of the Olympic Park in 2007, Bam
Nuttall was the prime candidate.
As the original contractor of the
Olympic Park, it had put in place
high-capacity data lines coming out
of Guy’s Hospital – with a five-mile
point-to-point going across London
and straight into the park.
>> Rob Youster, head of ICT
at Bam Nuttall
With this infrastructure already in
place, Bam Nuttall was first in line
for the reclamation project as it
allowed it to include the capex in the
new tender.
The transformation project began
almost immediately after the
Olympics finished and involved the
various stadiums and arenas being
either entirely dismantled or
modified, and a complete redesign
of footpaths, cycle ways, roads and
bridges.
From an IT infrastructure
perspective, the most critical aspect
was the connectivity to allow all
contractors and other parties
involved on the project to
communicate and operate
seamlessly.
‘The challenge we had was to
provide wireless because new
construction sites were being placed
all around the park,’ says Youster, ‘So
we had to have generators with
cabins that then provided the
wireless link because there was no
electricity that we could just have a
wireless link in any location.’
BAM had to mobilise slightly
differently than it normally would.
It had its main links back into Guy’s
Hospital, but had to create another
cabin office that was just outside the
Park as well.
It turned to wireless specialist
Trellisworks to provide the network,
as well as an IP-CCTV infrastructure
to ensure the site was secure over
the two years – all delivered as a
managed service.
‘We got involved with Trellisworks
early because of their involvement
with the governing body of the
Olympic Park,’ Youster adds, ‘and out
of Canary Wharf we were designing,
even at an early stage, how that
wireless infrastructure was going to
be in place.’
Once it had made sure that the
entire perimeter of the site was
tailorable with a wireless
connection, the project settled down
for a year – and it is now moving
into the final stages of demobilising
the IT equipment and disconnecting
in stages. The residential park
opened in June 2014.
‘We knew it was going to be a
challenge to get this IT infrastructure
in place,’ Youster says. ‘With over 500
acres of land making up the project
site, we had to move the locations of
our temporary cabins on an almost
six-monthly basis.
‘Knowing there was a lot of
restrictions when it comes to
fixed-line connections around the
park and security issues, we knew
we had to think on our feet about
how we would accommodate the
connections that were required.’
Multi dimensional
But innovation at BAM Nuttall,
which employs 2,600 people,
stretches further than laying out a
complex, mass wireless network.
In a job that involves having to
constantly learn about new
infrastructures and requirements,
Youster often finds himself at the
cusp of new innovation.
In 2007, he was awarded for being
one of the first to use the digital pen
for a project with Cheshire
Highways. Around the same time, he
became a first adopter in 3D printing
and augmented reality.
All of BAM’s construction sites now
adhere to the government’s BIM
(building information modeling)
initiative, which generates and
manages digital representations of
physical and functional
characteristics of places.
‘We build the construction project
twice,’ Youster says, ‘one in the virtual
world and one in the real world.’
‘We go one step further by
producing it on a 3D printer – I was
one of the first to introduce 3D
printing in civil engineering about
seven years ago, and we’ve done an
amazing model that shows the client
what we’re building.
‘BIM goes further than that by
producing something in 3D, then 4D
and then 5D.
‘That means that we produce a
model, which looks lovely and
everyone can understand, but then
we actually show how it’s been
constructed over time, which is
moving into the 4D arena.
‘So it’s actually showing an
animation of it being built over time.
By moving it into 5D, we’re then
showing it not only over time but also
over how much it is costing over time.’
Every surface and bolt has a value
against it, along with things like
labour and materials, which the client
has the opportunity to look at in
detail – zooming in and out to see
exactly which items are being
used.
Further to this, BAM is now using
BIM and Apple iPads to overlay the
BIM model using augmented reality.
Youster has successfully led BAM in
the innovation stakes, but he is keen
to point out that these technologies
are not just gimmicks.
‘It really is offering value,’ he says.
‘Augmented reality is demonstrating
to the client that they can visually
see what is being built.’
And that goes for all new
innovations at BAM. Youster is part
of business committees where he
ensures he gets buy-in for every
investment.
‘It would be easy for me to go and
find the latest technology and spend
£20,000,’ he says. ‘With my
experience with the business, I have
a very good feeling of what they are
looking for.
‘The one thing that is very difficult,
not just for Bam Nuttall but a lot of
business out there, is that
technology is going that quickly that
people don’t understand sometimes
what can save them money and what
can improve processes.
‘So my strategy is always to
demonstrate with a very low profile
solution and show what is possible.’
innovationage
Gamification – where did
it all go wrong?
What was once deemed a massive emerging technology has not nearly hit the
traction that analysts predicted. Information Age investigates the trials and
tribulations of enterprise gamification
It wasn’t long ago
that the technology
industry was singing
the praises of enterprise
gamification.
The software tool, which aims
to motivate employees to achieve
their goals by measuring and scoring
their data in the context of an
in-house competition, was destined
for big things.
In April 2011, analyst house Gartner
predicted that 50% of organisations
that managed innovation processes
would gamify those processes by 2015.
By 2014, it wrote, a gamified service
for consumer goods marketing and
customer retention would become as
important as Facebook, eBay or
Amazon, and more than 70% of Global
2000 organisations would have at
least one gamified application.
The technology industry, however,
is notoriously fickle.
Two years ago, Gartner predicted
that four out of five gamified
applications would fail to deliver
business objectives in the following
two years due to a lack of game
design talent within businesses.
That brings us to the present day,
and the future of gamification
remains up in the air. Many still
criticise the solution’s longevity and
ability to motivate employees and
engage customers, but Gartner now
believes that it will be an ‘essential
part’ of any digital business strategy.
‘This industry has
been plagued with
companies that have
devalued their users’
>> Jeremy Boudinet, marketing director,
Ambition
The vast majority of gamification
implementations are still shallow
tools featuring points, badges and
leader boards without any viable
long-term engagement.
According to Jeremy Boudinet,
marketing director at Ambition,
gamification is not over, but has just
entered a ‘trough of disillusionment’
phase. ‘This industry has been
plagued with companies that have
devalued their users, skimped on
product engineering and forgotten
that collaboration and good business
intelligence are the true paths to
fulfilling their fundamental purposes:
better culture and improved ROI,’ he
says.
Robert Yardy, marketing manager
at MMT Digital, adds, ‘I am reluctant
to agree that gamification is truly
over – however, my fears, and those
of many others, seem to have come
to fruition.’
A game for all
There are clearly plenty of positives
to take from encouraging employees
to work more efficiently. However,
many enterprise gamification
strategies have encouraged employees
to work harder but not better.
‘I have heard of one high-profile
travel agent that encourages its call
centre staff to deal with as many calls
as possible and record the details of
the calls accurately, with points being
allocated for velocity and accuracy,’
Yardy says.
A common flaw in many
gamification strategies is that the
people who top the leader board or
get the most badges are those who
were already the outstanding
performers.
It is arguably more important
to motivate those who are
underachieving, and many strategies
demotivate people once they realise
that they have no chance of winning.
Ultimately, if the gamification
software doesn’t add tangible benefit
to the employees, it will add to the
pile of failed initiatives.
Just because gamification software
is supposed to be an inherently ‘fun’
product, does not mean that ground-level users don’t need further
financial incentive to actually obtain
value from the product.
‘If you want your employees to care
less about whether they’re being
tracked, you should empower them to
perform better at their job, make
more money and get a promotion,’
Boudinet says.
Lack of enthusiasm
Another common mistake is for
gamification projects to bypass the
people in the organisation who can
really make them a success.
Often driven by HR, gamified
applications will frequently lack the
technical proficiency to make the
user experience enjoyable. This is
where the IT team can and should be
called upon to enhance the project.
An HR team that is plugged into the
strategy of the company can be a
great source of information for the
CIO – aligning incentives in a way
that adds gamification value
throughout the company.
‘This often comes down to the
personality of the CIO, which in turn
links to hiring people rather than
CVs,’ says Yardy.
‘The insight from HR can be further
enhanced by analysis of the
comments and microblogs on the
company’s internal social networks,’
says Satya Ramaswamy, VP and global
head of TCS digital enterprise at Tata
Consultancy Services.
‘I am reluctant to agree
that gamification is truly
over – however, my fears,
and those of many
others, seem to have
come to fruition’
>> Robert Yardy, marketing manager,
MMT Digital
Most importantly, however, there
must be a recognised business need
for investing time and resources into
a gamification strategy, as well as a
fun element to engage the users.
It’s not revolutionary to say that
people will perform better if they are
enjoying what they are doing. This is
where the CIO is fundamental.
They have to provide clear
incentives for employees and ensure
that the fun element of gamification
is not lost.
Sucking out the fun
That fun factor can very quickly be
swallowed up if the gamification
strategy is too shallow in its method
of judging employee productivity.
Rather than just focusing on results,
a truly effective gamification solution
will gain a deeper understanding of
employee performance.
The important thing, therefore, is
how gamification results are used to
assess performance as a whole.
Decision criteria for determining
winners should be based on
measurable statistics, such as being
rated highly by a customer, rather
than just the number of deals that
have been closed.
Organisations should create tiered
rewards that motivate players to
continually do better, level up and be
able to show off their rewards.
And they should mix it up by
applying different rewards for
different teams at different times,
while making sure that players are
competing against colleagues
performing similar tasks.
‘Gaming scenarios should be aligned
with business objectives to keep them
real and meaningful,’ says Neil Penny,
product director at Sunrise Software,
which has deployed gamification.
‘After all, gamification is all about
supporting the business.’
In a digital world where people are
increasingly wary about being spied
on, organisations should also
approach gamification carefully to
ensure that its ‘Big Brother’ nature
doesn’t actually have a negative effect
on employees.
Unlike a straightforward internal
business-intelligence tool,
gamification is often implemented
with the message to employees that
its foremost purpose is to improve
their culture and everyday experience
at work.
According to Boudinet, that is the
wrong message to send. He says
businesses must own the elephant
in the room: employees are being
tracked, and a fundamental purpose
of gamification is in fact to spur
productivity and improve
transparency.
‘Then you have to demonstrate
tangible benefit and lay out how the
software is going to directly and
tangibly benefit the user,’ he says.
‘When you’re considering adopting
gamification software, you’d better be
thinking about how you’re going to
explain to its everyday users where
that tangible value comes in.
‘If there’s one thing that the
growing disillusionment with
the current state of enterprise
gamification has taught us, it’s that
you can’t get away with deceiving
your employees. And what makes
employee backlash against the “Big
Brother” impact of gamification
worse is the fundamental dishonesty
in trying to disguise tracking
software that lacks tangible benefit
as something fun.’
‘Gaming scenarios should
be aligned with business
objectives to keep them
real and meaningful’
>> Neil Penny, product director,
Sunrise Software
Reward and review
In the six months that Sunrise has
been using gamification, it claims to
have improved response times, and
its incidents are now logged much
more quickly.
‘We’ve seen a positive impact on
camaraderie on the desk with some
friendly competition,’ Penny says.
‘We have also found that gamification
can be used to monitor workloads,
ensuring that it is shared more
equally among the team.’
The important thing for CIOs to
consider, Penny believes, is that
gamification can only work if it’s
constantly reviewed.
It is important to listen to staff
feedback and evolve to meet new
challenges. In this way, employees
will see it as a positive way of working
towards corporate goals.
There is no doubt that using clever
technology that integrates the
concepts of game theory is essential
to gaining the support of younger
staff members. At the end of the day,
they are tomorrow’s business leaders.
Engaging them in a way that
entertains and educates is vital to
creating a dynamic and thriving
work environment.
For companies that are swift to
adapt, there are opportunities to
implement gamification to motivate
customers with personalised,
interactive apps that can be
downloaded on a phone or tablet
– increasing engagement with its
products and brand.
‘This approach can also be extended
to staff to send rewards and
incentives directly to motivate,
engage or train online,’ Penny says.
‘We are only at the start of this
journey.’
Going forward, gamification tools
must incorporate more advanced
analytics to enhance their value to
the enterprise.
Increasing use of big data will
provide game designers with the tools
to have more inputs into the game
design, and the use of analytics will
impact the game dynamically.
‘These enhancements in inputs and
analytics will mean that users can
gain insights about their performance
and automated advice on how to
perform better,’ says Ramaswamy.
‘This will be supported by increased
use of machine-learning techniques.’
storageage
Storage industry outlook:
15 predictions for 2015
Information Age takes a forward-facing look at the coming year and asks industry
experts what they think is around the corner for the storage world
Flexibility will be the
biggest issue facing
storage in 2015
Sean Horne, CTO and senior
director of enterprise and
mid-range storage, EMC
The biggest questions that IT decision-makers will be tackling over the coming
year will be: how do I deploy a platform
that can deal with abrupt changes in the
business landscape (be that in scaling to
large demands in storage or delivering
performance for next-generation
workloads); how do we deliver this
flexibility at an affordable cost, without
pushing the organisation to take
uncomfortable risks; and how do we do
this with the responsiveness required?
Organisations both scale up and scale
out, and, therefore, while storage needs
to move with this change, it will be
important to not let this disrupt the
whole IT ecosystem. This will result
in an increase in investments in
developing hybrid cloud in order
to give organisations the flexibility to
direct workloads where they need
to go, as they are needed.
Security and
compliance will
continue to impact
decisions around hybrid
cloud setups
Sean Horne, CTO and senior director
of enterprise and mid-range storage,
EMC
In my opinion, there are four types of
control over organisational data that are
needed: privacy, trust, compliance and
security. For example, data centres have
huge compliance requirements that
they need to adhere to, but the privacy
of data, how it is stored and who has
access to it is – it can be argued – an
emotional and subjective decision,
between the company and its customers.
Understandably, many businesses are
not comfortable with their private data
sitting in a public cloud, so a degree of
flexibility is needed to allow businesses
to capitalise on the economies of public
cloud without incurring undue risk.
‘[Tiering] is clearly
showing its limitations as
a stop-gap on the way to
all-flash primary storage’
>> Dave Wright, CEO, SolidFire
Policy-based lifecycle
management will help
spiralling storage
growth
Radek Dymacz, head of R&D,
Databarracks
The key to reducing backup costs is
good management and not applying
blanket policies to all data. It’s about
having the right retention and archive
policies in place for the right data.
I think that too many organisations
struggle with data management
because they regard ‘deletion’ as a scary
word. No one really takes responsibility
for corporate data or even knows who
the ultimate owner is, so deletion is
regarded as someone else’s job. As
software becomes more integrated,
we’ll have real-time, 360° visibility –
storage decisions will be based on
evidence and so ‘deletion anxiety’ will
be less of an issue.
WAN optimisation will
be the key to ensuring
optimal data delivery
Everett Dolgner, director of replication product
management, Silver Peak
All the bandwidth in the world will
not matter if packets are being
dropped or delivered out of order due
to congestion, as is often the case in
MPLS and internet connections.
To overcome these challenges
and ensure optimal data delivery,
organisations must establish a fully
equipped network that will cope with
the increased flow of traffic that cloud
storage initiatives bring. Failing to do so
will result in an environment that is
plagued by issues that will only lead to
performance and business benefits
being compromised.
Optimising the WAN can reduce over
90% of the traffic across the network
and is key to providing the scalability
needed to support all current and
emerging applications.
We will see an
accelerated move to
software-defined
storage
Nigel Edwards, VP, EMEA sales
and channel marketing, HGST
Thanks to commercially supported
open-source initiatives such as
GlusterFS, Inktank Ceph Enterprise
and SwiftStack for OpenStack
Object Storage, we can expect to
see software-defined storage
systems cross from cloud into more
mainstream enterprise data centres
across multiple deployment options.
We can also expect to see a rise in
startup-developed software-defined
storage offerings as more data centres
recognise the benefits of this approach.
With commercial support for open
storage software, traditional IT will be
able to use approaches that were once
limited to the largest operators.
IT teams will be forced
to invest in training to
educate staff on the
increasing complexities
of virtualisation
Patrick Hubbard, head geek,
SolarWinds
End users these days cannot make
buying decisions without considerable
education, and vendors aren’t
necessarily forthcoming about
educating them in a practical manner.
With ever smaller IT teams managing
ever more complex solutions, they’re
becoming ever more challenged in
implementation. Software-defined
networking is driving things like the
importability and containerisation
across OpenStack, AWS and VMware,
and each one of these things brings with
it an opportunity for things to go wrong
if there is not additional expertise.
Companies’ reaction too often is to call
in an outside contractor, which doesn’t
necessarily stop and educate the team
that’s going to maintain it after they’re
gone, and doesn’t help the IT team move
forward and maintain that level of skill
in something they’ve purchased.
Those organisations that send off
staff for refresher courses are more
likely to be successful with new
technology. So vendors will have to
move into cross-disciplinary education
in the next few years.
Software will be the
biggest investment in
storage management
Andy Dean, development
manager, HPC
Physical hardware costs have been
coming down for a long time. Plus,
storage capacity on hardware is
increasing – we’ve seen 6TB hard disk
drives available already and 10TB tapes
aren’t far off – meaning less physical
hardware is necessary (again, this means
less expenditure). Therefore, I think the
biggest expense item will be software.
In future, we’re going to need a more
intelligent software stack to manage the
huge quantity of data that people are
storing. If a customer has 6PB of data,
for example, they will not want to leave
that on an unsupported platform.
Storage and other IT
resources will come
together as
convergence continues
Sean Horne, CTO and senior
director of enterprise and mid-range
storage, EMC
Storage managers will need to think
in terms of application requirements
beyond pure capacity and latency terms
– rather, in terms of how they interact
with the other IT components.
As organisations progress on their
journey to a hybrid cloud, these
converged infrastructure experts have
the opportunity to become strategic
supporters of the business – enabling
agility and innovation by delivering
resource when it is needed, and advising
on what’s possible within their new
infrastructure context.
Organisations will increasingly embrace technology that enables them to deliver public cloud as-a-service
Ian Finlay, VP, Abiquo
Most organisations are already
operating a hybrid IT estate in one form
or another, and we can expect this trend
to continue over the next 12 months.
However, as it becomes easier to acquire
multiple cloud services, visibility and
control over data – and who has access
to it – will continue to increase, posing
security and governance risks to
enterprises. As a result, we can expect to
see organisations embracing technology
that enables them to deliver public
cloud-as-a-service. This provides
flexibility to internal customers, while
maintaining the control that IT is tasked
with delivering to the business.
November/December 14 information-age.com 29
We can also expect to see cloud service
providers (CSPs) continue to add public
cloud providers to their service
portfolios, in order to strengthen
customer relationships and add value to
the fairly generic public cloud offerings.
The smart approach to flash adoption will be in hybrid arrays
Robin Kuepers, EMEA storage marketing director, Dell
IT leaders are attracted to the hybrid-flash storage route as it offers the best
of both worlds: high-performance
flash for fastest performance with the
most frequently accessed and most
demanding applications, and low-cost
bulk storage for ageing, or colder, data.
While some workloads call for high
speeds at all times, organisations
usually need to support both high-performance applications and less
accessed data, which doesn’t require
expensive storage. This is why most
organisations can benefit from a single
SAN that handles both ends of the
spectrum at the same time.
Hybrid arrays can support SSDs and
hard disk drives (HDDs) to offer this
combination of high performance and
lower overall cost. With the hybrid array
approach, the SSD layer provides the
fast performance processing while the
HDDs retain all the older, colder storage
that organisations need or want to
retain but don’t access as often.
Tiering may not continue to be the most commercially sound decision
Dave Wright, CEO, SolidFire
Flash is clearly having a huge impact on
the storage space, offering ten times the
performance of disk at a fraction of the
cost. That trend will only continue
and increase over time, until disk is
completely relegated to cold storage.
Tiering, on the other hand, is clearly
showing its limitations as a stop-gap on
the way to all-flash primary storage.
Customers who initially embraced
tiering are now dealing with the
negative ramifications, including
inconsistent performance and a need
to add an ever-increasing amount of
flash to the flash tier to maintain
performance.
Commoditisation will start to benefit every area of storage
Patrick Hubbard, head geek, SolarWinds
It’s interesting with virtualisation that
there’s a sort of complexity and diversity
funnel. At one end you have the end
points, which are workstations, BYOD
devices and Internet of Things or smart
connected devices, but then in the
centre you have this fairly well-constrained data centre, now with a
number of technologies that integrate
well together and are fairly easy to
manage but still sitting on top of storage
that is highly vendor specific.
From controllers all the way down to
how storage is implemented from one
vendor to another, there is a lot of
variation, so that seems to be one
area where commoditisation and
standardisation in the operations of data
centres is actually finally pushing some
long-overdue commoditisation in the
way that storage is snapped into the
compute and application delivery
frameworks, especially for hybrid cloud.
The OpenStack value debate will continue
Ian Finlay, vice president, Abiquo
From a storage perspective, OpenStack
provides a useful abstraction layer. Yet,
in many ways it is still immature and is
considered more of a toolkit than a
solution. That said, it will be worth
keeping an eye on the technology over
the next 12 months, as it may prove to be
a valuable solution for specific use cases.
Awareness around archiving-and-backup options will grow
Paul Rylett, systems engineer, Netgear
As the volume of data stored continues
to increase, organisations will
increasingly need a simple and effective
way of both archiving and backing up
data. Businesses often don’t have the
time or resources to dedicate to
complicated backup and recovery
processes, so we can expect to see more
businesses embracing next-generation
storage technology that can take
frequent incremental snapshots and
generate full backups instantly.
Storage will move from operational necessity to strategic business enabler
Sean Horne, CTO and senior director of enterprise and mid-range storage, EMC
Once you achieve the software-defined
nirvana – with tiered storage easily and
dynamically allocated to applications as
they need it based on specific, policy-driven requirements – a new world
order has arrived. The storage and IT
teams have become strategic enablers of
the business.
networkage
The mobile network untangled
Amid much confusion and disagreement, Information Age attempts to find a definitive mobile strategy that will support the connected enterprise in the coming years
The pros and cons of bring
your own device (BYOD),
choose your own device
(CYOD), corporate-owned
personally enabled (COPE) and the
alphabet soup of other trendy mobile
device strategies have been argued ad
infinitum over the past few years – and
the acronym war doesn’t seem to be
showing any signs of concluding.
Each approach comes with its unique
set of challenges, but as Nisha Sharma,
managing director of Accenture
Mobility, argues, giving employees the
option to choose their own corporate-approved devices with appropriate
security and standardisation appears
to be a good compromise, and one
that is fast gaining headway over the
compliance headache of BYOD.
‘From an end-user perspective, the
primary benefit of CYOD is having
some flexibility with their corporate-liable device,’ she says. ‘And apart from
email, users would expect company
websites, portals and apps to work on
their device, so a CYOD programme
allows companies to focus their efforts
on providing that access on a limited
number of platforms rather than trying
to make them work on everything.’
Gartner analyst Rob Smith also
believes we’re going to end up with a
mostly CYOD enterprise landscape in
the UK, thanks to the legal and financial
challenges that it allows companies to
bypass. But ultimately, he says, there is
one golden rule: ‘Never trust a mobile
device unless you control 100% of the
data and apps on it.’
Doing this is virtually impossible for
modern smartphones, of course, and
the idea of asking an employee not to
install a certain app on their device is
unrealistic, whether you are running a
BYOD or CYOD policy.
‘With that in mind, since you can
never trust these devices, the first piece
of architecture you should tackle is the
creation of a separate network segment
on your wireless network that your
mobile devices connect into,’ advises
Smith. ‘All that traffic should be routed
over your internal security, such as
your firewall and antivirus, before it
even touches your internal network.’
Keeping it simple
There are other ways to simplify and
control a mobile environment.
Consolidating all communications
networks under one supplier can help
reduce total costs.
The only spanner in the works, says
Smith, is when you involve Android
devices. This is because every device is
controlled by the telco, not the handset
manufacturer, unless you buy it directly
from the manufacturer. So a device
won’t get the latest firmware unless the
operator releases that firmware.
‘Take the Galaxy S5 for example,’ says
Smith. ‘If there’s a security bug in it
then Samsung will fix it and put out
the security fix immediately for
anybody who’s bought the device from
them. But then it goes to Vodafone, or
EE, or O2, who have to add their own
customisations for Android and then
reinsert it into their networks. This
can take forever, and it’s designed for
consumers, not corporations.’
‘So the best strategy for IT and
business in terms of security,’ he
argues, ‘is to buy directly from the
handset manufacturer – but this loses
the discount that telcos give, so it’s
always a balance.’
Apple has cornered three-quarters of
the corporate device market thanks to
this problem, and the fact that all their
devices run the same software no
matter where they are bought from.
With Android, there is severe
fragmentation of both the devices and
software versions. According to this
year’s report on the fragmented
Android landscape from wireless
network data mapping specialist OpenSignal, there are somewhere in the
region of 18,700 Android devices in use
in the UK, running any number of
software versions.
So the key with Android, says Smith, is
to cut through the jungle of different
devices and allow only a small subset
by limiting the number of devices to
choose from and specifying the carriers
they are on.
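The small-subset approach Smith describes can be checked mechanically once the inventory is in hand. The following is an added example, not code from the article, from Gartner or from OpenSignal: it walks a constructed device inventory and flags models or carrier variants that are not on an allowlist, and devices whose reported Android security patch level is older than a policy limit, which is where the carrier release delay described above becomes visible to the IT team. The allowlist (APPROVED), the 90-day limit (MAX_PATCH_AGE_DAYS) and the sample devices are assumptions for illustration.

```python
"""Fleet audit: approved device/carrier allowlist plus a maximum patch age.

Added example (not code from the article, Gartner or OpenSignal). The
allowlist, the 90-day limit and the sample devices are hypothetical.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Device:
    device_id: str
    model: str
    carrier: str        # "direct" when bought from the manufacturer
    patch_level: date   # security patch level the device reports


# Hypothetical allowlist: model -> carrier variants the organisation accepts.
APPROVED = {
    "Galaxy S5": {"direct", "EE"},
    "Nexus 5": {"direct"},
}

MAX_PATCH_AGE_DAYS = 90  # policy limit chosen for the example


def check_device(dev, today, approved=APPROVED, max_age=MAX_PATCH_AGE_DAYS):
    """Return the list of policy violations for one device (empty means compliant)."""
    problems = []
    carriers = approved.get(dev.model)
    if carriers is None:
        problems.append("model not on allowlist")
    elif dev.carrier not in carriers:
        problems.append(f"carrier {dev.carrier!r} not approved for {dev.model}")
    age_days = (today - dev.patch_level).days
    if age_days > max_age:
        problems.append(f"patch level {age_days} days old (limit {max_age})")
    return problems


def audit(inventory, today, **policy):
    """Map device_id -> violations for every device that fails the policy."""
    report = {}
    for dev in inventory:
        problems = check_device(dev, today, **policy)
        if problems:
            report[dev.device_id] = problems
    return report


# Constructed sample inventory (not real devices or users).
SAMPLE_INVENTORY = [
    Device("d1", "Galaxy S5", "direct", date(2014, 10, 1)),
    Device("d2", "Galaxy S5", "Vodafone", date(2014, 6, 1)),
    Device("d3", "Nexus 5", "direct", date(2014, 10, 15)),
    Device("d4", "Unknown Phone", "EE", date(2014, 11, 1)),
]
AUDIT_DATE = date(2014, 11, 15)


if __name__ == "__main__":
    for device_id, problems in audit(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(device_id, "->", "; ".join(problems))
```

Run against the constructed inventory, d2 is flagged twice (unapproved carrier variant and a stale patch level) and d4 once (model not on the allowlist); d1 and d3 pass. Feeding the same check a real MDM/EMM export gives the IT team a recurring view of which devices are waiting on an operator firmware release.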
Big-picture thinking
Whatever the end-point device
landscape they’re dealing with,
corporations must take into account all
the other elements involved in creating
a complete strategy for mobile working.
Unification and consolidation, if
approached strategically, can deliver
greater efficiencies and ensure
widespread business improvement.
‘Network complexity can be extremely
harmful to business success, so the
sooner businesses begin the journey
towards simplification, the more likely
they will deliver positive business
outcomes,’ says Graham Fry, managing
director of avsnet.
‘Wired, wireless, remote access – these
disparate access methods need to be
unified under a single policy and a
unified management solution.’
Fry’s advice is to look for a provider
that can design, implement and support
a network that puts mobility at the
heart of everything regardless of device.
This means a platform with a context-based central policy, system-wide
visibility and comprehensive lifecycle
management across all connected
devices, mobile or not.
Designing a network that pre-empts
advancing technology, connectivity
methods and usage trends is crucial,
considering how expensive and difficult
it can be for organisations to adapt a
legacy network once implemented.
Francis Cripps, head of mobility
at Fujitsu, argues that identity access
management (IAM) should form part
of the solution, particularly now that
wireless connectivity is becoming a
need-to-have in the enterprise and is
dissolving traditional boundaries of
internal and external networks.
‘Increasingly, we all walk around with
smart devices and expect to use them
wherever we are,’ says Cripps. ‘At a
supplier, partner or customer site, it’s
no different. Allowing guest wireless
access is not really much different to
BYOD. It is important to identify the
device that is connecting to the network
and potentially the user of the device.’
Most of the leading products in this
space now interact with the mainstream
enterprise mobility management
(EMM) or mobile device management
(MDM) products, in some cases being
part of the same vendor product suite.
‘By deploying both network IAM and
EMM as an integrated solution, it is
possible to control device and user
access with granular efficiency, thus
future-proofing the organisation for
multiple use cases,’ Cripps explains.
The future’s an open door
Cripps believes that in the near
future, enterprise networks will be a
communication hub – the front door
of an enterprise.
‘I’ve already touched on the security
and management, but what about the
value-add?’ he asks. ‘For example, in
retail, wireless networks are used
not only to enhance the customer
experience but also as a marketing
tool. Simply set up a sign saying “Free
Wi-Fi here – just enter your details”,
and a CRM is born with landing pages
for advertising.
‘Add location services via Wi-Fi or
emerging options such as RFID or
Bluetooth LE and a tracking and
targeted advertising tool is available. It
will be possible to know that the buyer
from company X is about to walk into
your HQ reception and change the
reception displays accordingly, while
notifying the sales director that they are
arriving and catering that they take
their coffee white with two sugars.’
For communication consolidation,
4G/5G offload onto WLAN could make
fixed/mobile convergence a reality
rather than a clunky pipe dream, while
VoIP devices or apps will become
the default.
Connecting people
Mobilising collaboration capabilities
for employees must also be an integral
strand of any enterprise mobility
strategy. The trend of moving to a
more global and mobile workforce
makes the ability to collaborate at any
time and from any location critical to
achieving business objectives.
‘The proliferation of devices and
communications channels is driving
dramatic growth in collaboration
solutions, including rising video traffic
and document sharing,’ says Accenture
Mobility’s Nisha Sharma. ‘Mobility
enhances the value of such social
collaboration tools.’
Sharma argues that strategies must
reflect this in order to achieve the
greatest business value, and this means
creating broader digital strategies that
remove the siloes between tools such as
social and mobile in order to get the
greater benefits from them.
‘A business case must be built based on
the impact of these technologies to a
network, and how it’s reshaping how
networks operate,’ argues Sharma. With
the rise of mobile collaboration, voice
and data now move across the same,
converged network. Collaboration
solutions are increasingly delivered
from the cloud, and this – alongside the
rise in volume and type of device
accessing the network and increases in
data and analytics – can often require
major network redesigns.
‘Just adding additional bandwidth
often isn’t enough because many new
applications require higher quality of
service (QoS) with guaranteed
availability,’ says Sharma.
‘At the same time, IT organisations
are under pressure to reduce costs.
Solving these network challenges will
clearly require careful investments, so
a business case needs to stress both
the strain on infrastructure and its
business consequences.’
Back to business
Fundamentally, while it may be easy for
an IT organisation to approach a mobile
strategy based on integrating the latest
shiny device or killer app into the
workforce, falling into this trap without
focusing on business outcomes could
result in an expensive mistake.
Everything from internal app
development and BYOD policies to
external engagement via mobile
channels, and the use of traditional
business applications via mobile
devices, should really be addressed
through the creation of a formal,
enterprise-wide mobility strategy.
‘Any mobile strategy must focus on
how this new approach will add value
to the core business,’ says Cripps. ‘For
example, by increasing staff efficiency
and work-life balance, or improving
customer satisfaction. Once desired
business outcomes are established then
prioritise for business need, budget,
etc. Only then should technology
become a step.’
Try not to get drawn into expensive
niche solutions that might have a finite
lifespan or only support a small scope of
apps and devices, he advises. ‘It is vital
to keep any technical mobile IT enabling
services as agile and flexible as possible.’
Cultural understanding
Fully understanding usage costs,
including mobile network usage,
is another key element, as is not
forgetting the softer requirements,
such as human resources input. ‘Not
everyone suddenly wants corporate
instant messaging live on their phone
at midnight,’ says Cripps.
And a future-proof mobility strategy
should be created and adopted with
input from teams including HR, legal,
IT and the business itself – a C-level
strategy, not a CIO-level strategy.
‘It is vital to understand what is
needed to support business objectives,
and to build a network of peer partners
from the start,’ says Sharma.
‘Many of these partners will be
responsible for providing the non-technical capabilities of a collaboration
strategy, leading the support and
participation amongst their teams.’
Only when all that’s in place and a
clear roadmap is planned can the
adoption of mobility technology really
begin to transform an organisation,
along with the relationships with its
customers and employees.
securityage
Going soft
The software-defined trend has bulldozed its way through the data centre market, affecting servers, storage and networks. But what does it mean for security?
The concept of software-defined infrastructure
has gained vast
momentum as
organisations seek to reduce their
reliance upon expensive hardware
and find better solutions for dealing
with data growth.
What started out as a server craze
– compute virtualisation is now
widely deployed – has spread across
the data centre through the network
and storage layers.
By virtualising the components,
and wrapping them with highly
automated software, organisations
can gain new levels of scalability and
the ability to deliver applications on
any hardware.
Now, security is also joining the
party. Security conversations are
often steered by the individual
solutions that can make IT
environments less vulnerable – but
what about the model in which they
are implemented and managed?
With software-defined security,
most or all of the security controls are
automated and managed through
software, depending on how
virtualised or cloud-supported the
infrastructure it sits on is.
‘This term is most often used by
vendors to describe an approach to
automation and virtualisation that
abstracts infrastructure to the point
that it’s primarily controlled through
higher-level functions and policies,’
says Paul Briault, director at CA
Technologies.
Such a model sees any new devices
in the environment controlled under
the base security policy, allowing
underlying environments to scale
with increasing resources and be
seamlessly moved or migrated
if necessary.
Not the end
By negating the bulk of the heavy
lifting with infrastructure, IT
organisations can shift resources
to more innovation-oriented and
application-centric endeavours.
It is a part of a number of defences
that organisations must now consider
in order to protect their assets and
analyse where attack vectors are.
However, that doesn’t mean the end
of hardware-based security.
‘Software-defined security services
need to be part of a larger process,’
says David Robinson, chief security
officer at Fujitsu UK and Ireland. ‘The
more efficient it is, the more effective
it will be.’
Just like traditional security,
software solutions still need
maintenance, updates and reviews
of their efficacy, and will still require
some hardware.
‘I think there will continue to be a
blend of hardware- and software-based security, with perhaps an
increased focus on the software
aspect,’ says Kevin Linsell, head of
service development at Adapt.
‘But the move towards this type of
security is more around enabling
devices and solutions to be driven by
software calls from a wider software-defined environment.’
This will definitely see the reliance
on security hardware gradually
decrease. The significance of access
controls will move up the stack,
while the hard network boundary
approach to security will diminish
in importance – a trend that has
already begun.
Changeover period
Of course, anyone expecting a sudden
shift away from hardware will be
disappointed, and organisations that
have been relying on hardware for
authentication purposes will not be
able to go ‘all software’ quickly.
‘Part of the problem is that
organisations are not yet ready to
embrace an all-software approach,’
says Briault. ‘Many are still struggling
to properly implement BYOD and, as
such, the industry can expect a
significant phasing-out period,
throughout which hardware will
continue to play its part in IT security.’
In response to the software-defined
paradigm, more and more security
vendors are attempting to become
hardware agnostic.
There are still appliances that are
being specifically tweaked to run a
vendor’s software, but many
organisations have realised that
implementing software-defined
services is easier and cheaper –
especially in cloud and virtualised
solutions.
‘Creating an organisation that is
hardware agnostic is the way that
many businesses are heading,’ says
Robinson. ‘Hardware will still be
needed because, without it, software
cannot be run, but development and
services are now more reliant upon
the management of the software.’
The shift towards software-defined
security will also result in much
more granular and appropriate
security policies.
The focus will be to use digital
identity attributes to enforce fine-grain access entitlements to gain
access to systems and applications.
It will make security more intrinsic
and integrated within a business,
which will be particularly obvious
from a change process perspective.
‘Removing the human error risk can
be a big positive, but there will still be
a need for strong governance, control,
testing and ultimately accountability,’
says Linsell.
Briault adds, ‘Security will become
more real-time and transaction based,
with a focus on data and user access
requests, irrespective of the channel
being used.’
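What this looks like in practice is a policy evaluated per request, with identity attributes and device posture as inputs and the channel recorded but not trusted. The following is an added example, not code from the article or from any vendor it names, and it serves two passages: the integrated network IAM and EMM decision Cripps describes in the mobile article (device and user identified before access is granted) and the identity-attribute entitlements Briault describes here. Every request, whichever channel it arrives on, is evaluated against one ordered rule set, so a newly enrolled device falls under the base policy without per-device configuration, and each verdict is written to an audit record with the rule that produced it. The attribute names (roles, device_managed, device_compliant), the channel and resource names, and the rules themselves are hypothetical.

```python
"""Policy-as-code access decisions over identity and device attributes.

Added example (not code from the article or from any vendor it names).
Attribute names, resource names and the rules are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset         # identity attributes from the directory (hypothetical)
    device_managed: bool     # EMM enrolment status
    device_compliant: bool   # EMM posture: encrypted, patched, no blocked apps
    channel: str             # "corp_wifi", "guest_wifi" or "vpn" (hypothetical names)
    resource: str            # application or network zone being requested


# Deny rules are checked first and the first match decides; then allow rules,
# first match decides. Anything unmatched is denied by default.
DENY_RULES = [
    ("guest wireless segment reaches the internet-only zone and nothing else",
     lambda r: r.channel == "guest_wifi" and r.resource != "internet_only"),
    ("unmanaged devices are confined to the internet-only zone",
     lambda r: not r.device_managed and r.resource != "internet_only"),
    ("non-compliant managed devices may only reach the remediation portal",
     lambda r: r.device_managed and not r.device_compliant
     and r.resource != "remediation_portal"),
]

ALLOW_RULES = [
    ("internet-only zone is open to every device",
     lambda r: r.resource == "internet_only"),
    ("remediation portal for managed devices",
     lambda r: r.resource == "remediation_portal" and r.device_managed),
    ("finance application needs the finance role on a compliant managed device",
     lambda r: r.resource == "finance_app" and "finance" in r.roles
     and r.device_managed and r.device_compliant),
    ("email for any staff role on a compliant managed device",
     lambda r: r.resource == "email" and len(r.roles) > 0
     and r.device_managed and r.device_compliant),
]

# Every decision is recorded with the rule that produced it, giving the
# governance and accountability the article calls for an audit trail.
AUDIT_LOG = []


def decide(req):
    """Return ("allow" | "deny", rule_name) for one request and log it."""
    verdict = ("deny", "default deny")
    for name, matches in DENY_RULES:
        if matches(req):
            verdict = ("deny", name)
            break
    else:
        for name, matches in ALLOW_RULES:
            if matches(req):
                verdict = ("allow", name)
                break
    AUDIT_LOG.append((req.user, req.channel, req.resource) + verdict)
    return verdict


# Constructed sample requests (not real users or devices).
SAMPLE_REQUESTS = [
    Request("alice", frozenset({"finance"}), True, True, "corp_wifi", "finance_app"),
    Request("bob", frozenset({"sales"}), True, True, "corp_wifi", "finance_app"),
    Request("carol", frozenset({"sales"}), False, True, "corp_wifi", "email"),
    Request("dave", frozenset({"finance"}), True, False, "vpn", "finance_app"),
    Request("dave", frozenset({"finance"}), True, False, "vpn", "remediation_portal"),
    Request("visitor", frozenset(), False, False, "guest_wifi", "internet_only"),
    Request("alice", frozenset({"finance"}), True, True, "guest_wifi", "finance_app"),
]


def run_samples():
    """Evaluate the constructed requests; returns the list of verdicts."""
    return [decide(r)[0] for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict, rule = decide(req)
        print(f"{req.user:8} {req.channel:10} {req.resource:20} {verdict:5} ({rule})")
```

Note that the same user on the same compliant device (alice) is allowed to reach the finance application from the corporate wireless segment and denied from the guest segment, and that dave's non-compliant device is steered to the remediation portal rather than silently blocked. Changing an entitlement is a change to the rule list, reviewed and tested like any other code change, which is the change-process benefit the article anticipates.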
So, going forward, will the real value
and intelligence of security come
predominantly from software?
Common issues in relation to
authentication and access
management could be solved by
software-defined behavioural
analytics, which will vastly improve
organisations’ risk posture and
real-time transaction decisions.
‘It will also lead to better user
experience, which is key to business
success today,’ says Briault.
Getting the balance right
But, as always, there needs to be a
balance between technology, people
and process.
The technology piece will always be
a mix of software and hardware, but
the change in ratio will enable faster
design and deployment – without
having to invest in lots of training,
hardware and assets.
Mixed bag
It’s important to remember, however,
that value cannot be attributed to
software alone.
‘It will always be a mix,’ says
Robinson. ‘You can’t run a service
without people or process, and you
can’t run software without hardware.’
But, as long as it’s hardware agnostic,
it will be easy for organisations to
implement software architecture,
helping to drive down costs and
reduce operational time.
Its usability is dependent upon how
it’s written and created. If it’s complex
then it’s going to take more effort for
a business to implement and use.
Like any project, its size and
complexity will require larger
numbers of people and project
management. Ease of implementation
will always drive the project and help
manage it over its life cycle.
If an organisation is already using a
virtualised service, the process of
moving environments is pretty
straightforward. But if businesses are
thinking of embracing a completely
software-defined data centre, they
must first ensure that it is the right
step and do a thorough risk
assessment and due diligence.
‘This transition has already
happened,’ says Robinson. ‘There is
no specific challenge – the barriers
are often cultural and fear.
‘When you have invested in
software-defined security, you aren’t
reliant upon customised hardware
and the need to have a return on
investment for the purpose it
was bought.
‘Moving onto something that is
capable of switching software services
onto standard architecture is a
positive step. But like all software,
it has to be kept up to date, and
organisations cannot just fit
and forget.’
It is important for businesses to
measure risk and configure software in
a way that is right for the organisation.
Those vendors that make it easier to
implement software are faring well,
highlighting the fact that this trend is
certainly on the rise.
Although hardware is getting
cheaper, margins are becoming more
difficult. The virtualised approach
is only going to become more
attractive, with businesses moving
away from hardware and investing
instead in ‘as a service’ models.
‘We are seeing people move away
from traditional hardware to a more
agile approach,’ says Robinson. ‘There
is always going to be a mix of software
and hardware defences, but either
way an organisation’s protection
needs to be based upon the risks that
it faces and how it can manage them.
‘The adoption of software-defined
security is a natural evolution, but it’s
vital that businesses embrace it in the
right way – not get frightened – and
have a balanced approach.’
in the boardroom
A private affair
Since last year’s $24.9 billion buyout of Dell, the IT industry has debated whether going private was a good decision. In this exclusive interview with Information Age, Dell’s chief commercial officer and enterprise president, Marius Haas, paints a healthy picture – but a dire one for his former company, HP
Much of the reason for
Dell going private was
attributed to the desire
to restructure the
organisation in order to help
salvage the PC business and let
the enterprise division drive the
growth. How is that going?
We’ve changed the operating model
so that two of us are responsible for
all of the back-end – supply chain,
procurement, logistics, etc – of two
divisions: enterprise solutions (me)
and client solutions (Jeffrey Clarke).
Then a year ago, I also inherited
management of the front-end
of everything.
So in addition to my enterprise
responsibility, I run the commercial
sales organisation for the company
worldwide, which is a pretty big
change but it creates a very nice
continuity.
A big part of the transformation that
we need to drive is around a solution-selling architecture, and changing and
enabling the sales organisation to talk
about a more workload-orientated,
application-driven and business
outcomes-driven organisation. I have
so much more influence in being
able to make that transformation
in the organisation because I have
responsibility to build out those
capabilities for us.
We’ve shifted quite a bit, with a lot
more visibility on an end-to-end
basis – from product all the way
to customer – so we can make
everything more customer-centric.
Having worked at HP before Dell, do
you believe that the split of HP’s
enterprise and PC divisions makes
sense – and is it something that could
also make sense for Dell?
I don’t think it makes sense. I think
they ran out of options, to be honest.
I remember when Léo Apotheker
[former CEO of HP] announced it a few
years ago and Meg [Whitman, current
CEO of HP] called it a dumb idea. Three
years later, we’re back to Léo.
Look at history: in the past 30 years,
any IT solutions provider that has sold
off its PC division has not been able
to successfully maintain a server
division. The synergies of being an
end-to-end solutions provider are
critically important in order to have
the right scale across all the different
business units.
The industry is migrating to a more
converged-architecture strategy
because more and more of the CIOs
focus on and care about security,
cloud, big data and applications.
They don’t want to have to worry
about what sits beneath it from an
infrastructure perspective; they just
want to make sure that it’s the best
performing, gives them the most
agility and is the best cost they can
get on the planet. Dell will be the only
end-to-end solutions provider in the
industry that has all of those pieces
when HP splits up.
If you look at the rationale that they
use – about being two Fortune 500
companies that will be able to make
faster decisions – none of that is
anything that they couldn’t have done
as one company. The incremental
cost and complexity of having two
companies is a huge distraction. So
we are very happy to become the only
end-to-end solutions provider in the
industry, and will always be that way.
We’ve seen all the biggest IT players
in the industry face the challenging
transition from hardware to IT
services. Where do you believe
companies have gone right and wrong?
I think HP sits there as IBM envy.
Everything they’re doing is to look
and feel like IBM, but at the same time
IBM’s results haven’t been all that
compelling. So I think they’re both
chasing old IT.
I believe we’re in a perfect spot in
the sense that we don’t want to be
an application provider. We think
we’ve got all of the key pieces in the
portfolio and we believe we can hit
the value proposition for any size of
customer. If you look at it today, our
business performance is better than
it’s been in a decade, so the alignment
of strategy, clarity around priorities
and execution, and a good solid
operation model is really paying off.
Where is the enterprise division
sitting in terms of revenue compared
with the rest of the company?
It is growing extremely fast. Our core
server business is growing double
digits, and we’re very pleased with
the receptiveness in the market and
taking share around the world. We’re
literally thousands of units away from
being the number one worldwide, so
that will be a big milestone for us.
But more important is the customer
receptivity of our proposition. We’re
growing every region and we’re
growing every line of business in Dell
across the board. I don’t think any
other enterprise company can show
that they’re growing every line of
business in every region.
Dell revenue has been around the
$60 billion mark for a few years.
Can we expect to see that rise now?
We are growing exponentially. We had
a decline in our PC division when we
were still a public company and the
whole market suffered a decline. We’ve
seen a nice resurgence in the PC space,
but now we’ve seen an acceleration of
growth in the enterprise space. We’re
growing at multiples of market across
our servers, storage and networking
businesses. We were at a 17% growth in
networking last quarter, so very
healthy. We see double-digit growth in
our software portfolio and our services
segment is growing very nicely too.
Look at HP: its services business is
declining, its high-end servers
business is declining and its overall
profitability in enterprise is declining.
It still has the Autonomy issue, and
who knows what will happen with
that, and its printing division is
declining in revenue. So I would much
rather have a portfolio where every
line of business is growing than have
big chunks of my profit pools in a
cyclical decline.
Has going private allowed Dell to
innovate faster than public
organisations?
It has certainly provided the agility
and flexibility to make decisions much
faster. We’re thinking long-term now.
When I first got here, we were
thinking 90-day cycles for the most
part – it’s night-and-day difference
now. We are investing for the long
term to scale the business predictably
in IT, business-process automation,
frictionless order for all of our
partners, long-term coverage in the
market, audience reach and making
our sales forces the most productive
on the planet. Michael Dell says he has
freed up 30% of his time. When you
get someone like that who now has
30% more time to focus on customers
and the technology, things happen.
November/December 14 information-age.com 43
analyst eye
Risk and regulation
Fayaz Khaki, associate research director for information security at IDC, reveals
how organisations can get through the new EU data regulation
For the first time in many years, the European Commission (EC) is re-evaluating the European Union (EU)'s data protection regulations.
While technology has moved on,
the current regulations have
remained stagnant and woefully
inadequate to protect an individual’s
or an organisation’s data.
Aside from updating the regulations
to align with the technology changes
in the market, the EC is also aiming
to create a single, pan-European law
for data protection, replacing the
current patchwork of national laws
across the EU.
It also aims to create a one-stop-shop approach, allowing
organisations to deal with a single
supervisory authority (at a local
level, generally where organisations’
main European base is located),
rather than 28.
IDC believes that a single Europe-wide data protection regulation is a step in the right direction. It is also good for organisations doing business in Europe, as it cuts down on the overhead of complying with multiple local data protection acts.
>> "Therefore, organisations will need to ensure that they fully understand the flow of their data throughout the data lifecycle. Business leaders within an organisation have to take more responsibility towards risk ownership." Fayaz Khaki, associate research director, IDC
However, the new EU Data
Protection Regulation forces
organisations to apply a different
perspective towards compliance and
risk management.
The regulation places a greater
weight on the need for organisations
to demonstrate the deletion of data
linked to an individual (the data
subject) under the right to erasure
clauses.
Getting serious
Increasingly, stakeholders within an
organisation – and external
stakeholders such as shareholders
– are asking questions not only from
technology leaders but also from
business leaders when there is a
failure of security controls.
The regulation introduces larger
fines for noncompliance — up to 2%
of global turnover or €100,000,000
– and will require organisations to
build and implement new processes
to satisfy the breach notification
clauses that are currently in place.
Organisations will need to notify the supervisory authority once they have become aware of a breach. Crucially, however, they will also need to communicate the breach to the affected data subjects.
Privacy by design and privacy
impact assessments will become
mandatory. Therefore, organisations
need to ensure that risk analysis is
embedded into business processes.
Developing a data protection
framework with appropriate
governance ensures that data
protection is tied into business
processes and that business
executives are forced to continually
assess the risk of noncompliance.
Future outlook
The current timetable for the EU
Data Protection Regulation is
for it to be finalised in 2014,
with organisations expected
to be compliant two years later.
However, IDC does not believe that
will happen.
In an increasingly connected
economy, the regulation is
necessary to make sure that the
rights of data subjects are not
abused but protected with
appropriate security controls.
The large fines that are set to be
introduced will ensure that
organisations will suffer a real
impact to their bottom line as a
result of noncompliance.
However, the exhaustive process
that the regulation needs to go
through within the EU does mean
that a number of delays are to be
expected before the final version
is published.
While the regulation brings in
stricter legislation (e.g. increased
fines and breach notification), there
are questions on the availability of
resources within data protection
authorities.
Enforcing the new regulation will
require a large amount of training
resources to ensure compliance with
the regulation.
As a result of the potential lack of
resources, IDC believes that data
protection authorities will have to
be selective on their enforcement
of the regulation. For example,
larger multinational organisations
will initially be targeted because of
the potential for levying larger
fines for breaches.
Despite all the rhetoric in Europe
— primarily as a result of the US
National Security Agency leaks –
about having a separate European
internet or forcing international
organisations to keep European
citizen data within Europe, the reality
is that the dominant technology
firms are mostly US based.
As a result, US organisations will
continue to process European citizen
data and host that data in data
centres located in the US.
Indeed, global organisations
such as Microsoft and Amazon are
taking steps towards setting up
European data centres. However,
this is not as a result of a particular
European regulation.
ICC ExCeL London
19–20 November 2014
THE OPEN
MINDED DATA
CENTER EVENT
DCD Converged London brings
together the people, processes
and technologies necessary to
help our delegates develop a world
class data center strategy.
Join over 2,500 of Europe’s
leading data center professionals.
FEATURED SPEAKERS
JR Rivers, CEO, Cumulus Networks
Cole Crawford, Executive Director, Open Compute
Mark McLoughlin, Technical Committee, Foundation Board of Directors, OpenStack
Dr. Steven Fawkes, Founder, EnergyPro
CO-LOCATED BONUS CONFERENCE: CONVERGED SECURITY STRATEGIES FOR AN “EVERYTHING” CONNECTED WORLD, ICC ExCeL London, 19–20 November 2014, mcs-summit.com/london
SAVE 25%: BOOK QUOTING Reg14
4 THOUGHT LEADERSHIP TRACKS THAT GET TO THE HEART OF THE MATTER
IT + NETWORKS
Focused on helping senior strategists understand the implications of IT and Network transformation on data center design and architecture.
•Supercharging the data center LAN
•Embracing the ‘Open’ philosophy
•Exploring the Virtualisation to Software-Defined continuum
Who should attend? Head of Network Architecture, Head of Network Infrastructure, IT Enterprise Architect, Network Analyst, CIO, CTO
ENVIRONMENT
Focused on the issues faced by professionals who manage the performance, efficiency and resilience of the critical environment.
•Designing dynamic MEP
•Making sense of TCO and capacity management
•Managing the disparity between facility and IT life cycles
•Operating in a cost conscious environment
Who should attend? M&E Engineer, Consulting Engineer, IT Managers, Facilities Manager, Real Estate, DC Manager
DESIGN + STRATEGY
Focused on the issues faced by senior decision makers responsible for the organisational strategy and design of on-premise data centers.
•Re-engineering the data center in a box
•Defining the new availability landscape
•Moving from retail to wholesale to self-build
Who should attend? Head of Operations, Corporate Real Estate, Head of Engineering, Head of IT, Financial Officers, CTO, CIO
APP > CLOUD
Focused on issues faced by professionals that manage blended/hybrid infrastructures and the technical/regulatory challenges of delivering critical ICT through the cloud.
•Managing app migration
•Designing cloud ready data infrastructure
Who should attend? Network Architects, Head of Engineering, Head of IT, Head of DevOps, CTO, CIO, Enterprise IT Architects
Dean Nelson
Vice President, Global
Foundation Services
eBay
Francois Sterin
Google
Gary Walker
Principal Design Consultant,
Data Centers
Spark New Zealand
Ian Massingham
Technical Evangelist
Amazon Web Services
Joe Stevens
Chief Security
& Risk Officer
Interoute
Lester Towse
Director of European Data
Center Operations
NTT
Jonathan Koomey
Research Fellow
Stanford University
Adrian Gregory
Senior Vice President,
Managed Services
Atos UK&I
Gavin Jackson
VP & GM vCloud Air
EMEA
VMware
Neil Stinchcombe
Director, Eskenzi PR &
Board Member
ISSA UK
FOR MORE INFORMATION AND TO REGISTER TODAY
WWW.DCD-CONVERGED.COM
product corner
PRODUCT OF THE MONTH
iPad Air 2
>> THE STORY
After the success of its wildly popular predecessor,
Apple is on a mission to monopolise the enterprise
device market with the launch of the much-anticipated iPad Air 2. For some time, Apple products
have been gaining ground in IT departments thanks
to consumer popularity and the perception of a safer
and more manageable platform than other vendors.
Apple has now caught onto this and is seeking to beef
up its tablet range with as much workplace
functionality as users expect from the iPhone. As
such, the latest iPad Air builds on the usability and
sleekness of design that is the range’s trademark, but
packs quite a few impressive productivity-enhancing
features for business users as well. Despite the
extensive time Apple has spent talking up the camera,
it’s actually the enhanced continuity of the user
experience that is its secret superpower.
>> THE FEATURES
The iPad Air 2 has the same 9.7-inch, 1536 x 2048 264ppi
display as its predecessor, but – believe it or not – it’s
even slinkier at just 6.1mm thick, making it the thinnest
tablet on the market. Apple claims its new A8X processor
performs 40% better than even the iPhone 6. It’s the
first iPad to include a fingerprint scanner, and has
introduced a new continuity feature that allows users to
link their iPhone and iPad to open up a number of new
features. Users will be able to read and respond to text
messages through the iPad Air 2, and take calls using the
speaker and microphone. Another new feature called
Handoff lets users seamlessly switch between Apple
devices over the same wireless network by beaming
work from one device to another mid-stream. With this,
they can start working on something on an iPad and
finish it on a Mac, without losing their work, by
connecting the devices through an iCloud account.
Nationwide smartwatch app
>> THE STORY
Nationwide has become the first UK financial services provider to release a smartwatch app that gives customers real-time access to their account balance. This is the latest attempt from the building society to increase its innovation credentials. It recently also became the first high-street provider to launch 24/7 Twitter support to answer customer questions, and the first UK organisation, with Visa, to offer V.me, a new digital wallet designed to make online shopping more convenient and secure.
>> THE FEATURES
Users can check their live account balance by speaking into their Android smartwatch. The app also has the ability to make payments, transfer money, manage overdrafts and open savings accounts quickly and easily. ‘Providing customers with a variety of ways to manage their money, whenever and however they want, is a priority for us,’ said Nationwide’s COO Tony Prestedge. ‘Our customers have the peace of mind that they can do business with us on their terms, not ours.’
Microsoft Dynamics Sales Productivity
>> THE STORY
In the spirit of Microsoft’s drive to
reinvent itself as the business software
Jack of all trades, it has continuously
improved its Office 365 product over the
last few years. In further competition to
the likes of Salesforce, it has now
bundled its Office 365 suite together
with its Dynamics CRM Online and
Power BI offerings into a package called
Microsoft Dynamics Sales Productivity.
>> THE FEATURES
As well as more cost effective and
simpler price plans, Office 365 itself
offers far more functionality for
businesses than just the standard
Word and Excel. Microsoft has
extended the full Office 2013 to Office
365 Enterprise so companies can run
it on the new versions of Office
servers including Exchange, Lync and
Sharepoint. It includes services like
public folders, data loss prevention
and rights management, and
Microsoft has also tweaked its
offerings so that users can edit
documents in Office Web Apps as part
of all Enterprise plans.
Google Nexus 9
>> THE STORY
If you are looking for a powerful
tablet at a slightly less hard-hitting
price than the iPad Air 2, Google is
really promoting its Nexus 9 for
productivity and value for money,
starting at £319 for the 16GB model. It
comes with automatic encryption for
bring-your-own-device (BYOD) peace
of mind, and multiple user support via
the Samsung Knox security suite
designed for enterprise. Paired with
the official Nexus keyboard cover,
soon to be released, it can convert into
a light weight laptop – and it offers a
wide range of keyboard shortcuts to
Google Docs.
>> THE FEATURES
With its super-fast 64-bit processor
– and as the first tablet running the
new Lollipop 5.0 software – Google’s
Nexus 9 is designed to push the limits
of Android performance. In terms of
connectivity, only the Wi-Fi version is
available for now, and considering
Google is expecting people to lean on
cloud services by giving them no
options for physical storage
expansion, it might be wise to wait
until the end of the year when its
32GB LTE model for £459 will be
available.
column
IA’s resident thought leader Richard Lee
cracks the whip on the latest IT issues
The state of open data
Over the past year, I have attended a number of events in the US and the UK sponsored by their respective open data communities.
Clearly, the UK is well ahead of the US – as well as many other countries across the globe – in seeing its vision of empowering citizens and organisations via the wide availability of government-created data come to fruition.
I recently attended the Open Data
Institute’s annual summit in London,
where all of the major participants
in this community – including
government, academia and industry –
gathered to learn and celebrate their
accomplishments to date.
The event included a set of awards
given to those individuals and start-ups
that have taken the most innovative
approaches to exploiting open data for
commercial applications, as well as a
pre-day of training for all levels of
open data users.
In my opinion, this concept has legs –
and as long as the funding, citizen
advocacy and corporate support remain
strong, there will be a bright future for
all involved.
However, in spite of the UK’s success
to date, everything is far from perfect
in the world of open data across the
rest of the globe. There continue to be numerous challenges and impediments in seeing any vision of open data come to fruition. Many are technical in nature, but there are a number of cultural ones.
First is the extremely poor quality of the data products being provided by government entities, including the lack of appropriate metadata to add the necessary historical and use-case context. Then there is the limited range of rich data products available from government, in spite of mandates to do so, copyright waivers and public interest. And finally, the timeliness and latency of data products in respect to the currency of events.
What is open data?
Open data in its broadest definition is data that is made available by organisations, businesses and individuals for anyone to access, use and share. It is free of copyright, audit and all other types of control. In most cases, it is government-based data, but there is a growing movement for commercial organisations to provide it as well.
These impediments to success are in
most cases products of a culture of
fear and retribution found in most
bureaucracies.
Most government agencies still
struggle to make their internal systems
fit for purpose in respect to the
fundamental services they deliver, and
require an inordinate level of analysis,
remediation and reconciliation to meet
the service delivery levels associated
with their individual missions.
Exposing this data to others with little
control over its use is a frightening
scenario for far too many of them.
This has been the biggest obstacle to
overcome in the US so far in spite of
hundreds of billions of dollars spent on
IT architecture and applications over
the past decade. This should come as no
surprise to any enterprise architects
regardless of the sector they work in.
Much work is being done to align
legislated mandates with specific
behaviours and deliverables using
internal task forces and direct
intervention by senior civil servants.
I believe that in spite of strong
resistance there is no going back in
terms of becoming closed once again.
Strong commercial applications are
being proffered, and the industry
sectors representing these organisations
have strong lobbyists working on their
behalf to foster these interests with
appropriate funding mechanisms.
One dirty little secret in most US
agencies is that they are mandated to
provide open data by a certain date but
have not been given any additional
headcount or funding to do so.
Open data is a growing force in the
world of big data and analytics. It brings
new assets into the mix for developers
and service providers to use in
providing feature-rich apps and
services for their customers.
Unfortunately, like all other data
sources, it suffers from major issues
that good governance and provenance
practices could easily surmount.
We must all remember that data is an
asset and must be treated accordingly.
29 JANUARY 2015
Join us in recognising the outstanding innovation
achieved by women in the IT industry
In partnership with
Supported by
Despite technology becoming an
increasingly integral part of our
business and personal lives, the
amount of female IT professionals
in the UK has halved in the last 20
years to just 17%.
This rapid decline is a cause of
great concern. One research
report found that tech companies
with women on management
teams have a 34% higher return
on investment, while another
predicted that increasing the
number of women working in IT
could generate an extra £2.6
billion a year for the UK economy.
As well as raising awareness of these issues, the Women in IT Awards 2015 will recognise the outstanding innovation that was achieved by women in the previous year.
Through a series of end-user, vendor and special recognition awards, the gala evening will gather the industry to highlight the tremendous value that women can bring to the industry, and the satisfaction that such a career can bring them.
Judges
Carrie Hartnell
Associate Director, TechUK
Richard Lloyd-Williams
Former IT Director, Net-A-Porter
Claire Vyvyan
General Manager and Executive Director, Dell UK
Kevin Griffin
CIO, GE Capital International
Eileen O’Mara
Senior Area VP, Commercial Sales,
Salesforce.com
Kate Craig-Wood
Managing Director, Memset Hosting
Susan Cooklin
CIO, Network Rail
Michael Ibbitson
CIO, Gatwick Airport
Gillian Arnold
Chair, BCSWomen
Karen Price OBE
CEO, e-Skills UK
Ursula Morgenstern
CEO, Atos UK&I
Gerry Pennell
Director of IT, The University of Manchester
Emma McGuigan
Managing Director, Accenture Technology UK/I
Mark Maddocks
CIO, Cambridge University Press
Paul Clarke
Director of Technology, Ocado
For more information contact Rebecca Stanley on 020 7250 7050 or email: [email protected]
or visit womeninitawards.com
Virtualisation Security Myths – Busted!
Kirill Slavin and David Emm from Kaspersky Lab discuss the demands on virtual infrastructure
Defending Against Drive-by Downloads
WatchGuard’s Corey Nachreiner examines modern drive-by download (DbD) cyber attacks
Easy Network Access Control
Christian Bücker from Macmon explains why IT security fails without NAC
FREE Audiobook: Cyber Tradecraft
See pages 6, 7 and 10
Volume 3
To Advise, Not Advertise
Ian Kilpatrick, chairman of Wick Hill
Group, looks at how you can get visibility
back in today’s extended networks and
suggests appropriate solutions.
IF YOU CAN’T
SEE IT, YOU
PROBABLY
CAN’T FIX IT
The data security challenges facing companies
today are threatening to overwhelm existing
security measures. Developments such as
mobility, cloud, wireless, big data, convergence of
data, communications and media, virtualisation,
mobile IPv6 and 802.11ac all bring benefits, but
also bring with them an increase in the intensity
and nature of threats.
Alongside this, the sophistication, spread and complexity of threats continue to increase, while the time from vulnerability disclosure to mass attack deployment continues to decrease. Individual users, inside and outside the perimeter, represent an ever-increasing challenge, both as perpetrators and as victims of data theft.
This presents organisations with major challenges, particularly where compliance is a core requirement. Strategically, the major challenge is clearly risk analysis and management. However, in the real world of threats, budgets and resources mean that risk mitigation needs to be prioritised, and unfortunately there is no single universal panacea. In order to manage risks and deploy solutions, it is crucial to know what is going on.
One of the key problems for organisations of all types is
that they have lost visibility into what is happening with
their networks and users, leaving it difficult to deal with
individual threats. Fortunately, there are many solutions
available to provide visibility and/or remediation.
Full Story - See Page 2
Can Security Grow the Top-Line...
By Stephen Millard, Channel Manager, Tibco Loglogic
National Security IT Survey 2014: IT professionals’ insights
I doubt you’ll ever hear a CIO or CISO say “Yeah,
I’ve got all the budget I need.” Most often
technology spend is seen as a bottom-line item,
which means squeeze, squeeze, squeeze. But, if
you can relate spend requests to projects that
help grow the business, then the purse strings
become a little looser. So, what’s the secret
sauce for security?
Here’s a real story as told to me by a security
consultant that starts us down the road of impact
on the top-line:
One day some guy wearing cuff-links stops
by my desk and says “I hear you’re keeping
our weblogs in some kind of system.” Let’s be
honest here, cuff-links are a pretty sure sign
this guy is not in the security chain-of-command
which was more than a little disquieting to
me. Unsure if I was in some sort of trouble, I
tentatively answered “I keep some stuff we need
for security.” not volunteering too much info and
covering my butt in terms of why I was doing it.
Full Story - See Page 4
National Security IT Survey 2014: if you are an IT professional, we are very interested in how you see security plans and concerns for the coming year. IT security is an ever-changing environment, and we want to understand what your priorities are for 2015. Help us to understand the current security trends and needs by completing the National IT Security Survey. As a Thank You for taking part we are offering some truly great incentives.
Full Story - See Page 5
www.wickhill.com | 01483 227 600 | [email protected] | @wickhill | wickhill.com/linkedin
IF YOU CAN’T SEE IT, YOU PROBABLY CAN’T FIX IT
Continued from Page 1
For small and medium sized organisations, WatchGuard Dimension is a security visibility solution which works in conjunction with WatchGuard’s UTM appliances and delivers intelligence and visibility on actionable threats.
Check Point solutions include features such as threat emulation; DLP data oversight and leakage prevention; SmartReporter for overview visibility; and SmartEvent for real-time information on trends and anomalies.
ThreatTrack provides visibility to enable threat identification, threat analysis and elimination, with a public sandbox capability.
Guidance Software has a range of solutions covering e-discovery, analytics, digital forensics and incident response, and Tibco provides a range of log and data analysis options, including some interesting Splunk integration capabilities. Many people talk about the single, universal panacea for network security, but this just doesn’t exist.
However, while there is no single solution to the current wide range of security challenges, visibility is essential to understand where you are today so you can take action to make your network as secure as possible.
For more information visit: wickhill.com/whg/wh1a
Hacking the Connected Home
By Kaspersky Lab
The modern home is no longer one that simply contains a number of separate products but is becoming more and more “connected”, with devices such as TVs, music systems, mobile devices and computing equipment all linked together. Popular connected home entertainment devices pose a real cyber security threat due to vulnerabilities in their software and a lack of elementary security measures such as strong default administrator passwords and encryption of the Internet connection.
Kaspersky Lab security analyst David Jacoby conducted a research experiment in his own living room to find out how safe his home is in terms of cyber security. He inspected home entertainment devices such as network-attached storage (NAS) models, a Smart TV, a router, a Blu-ray player, etc. to find out if they are vulnerable to cyber-attacks. And it turned out they are. Overall, David managed to find 14 vulnerabilities in the NAS models, one in the Smart TV and several potentially hidden remote control functions in the router.
David said upon discovering these flaws that “Individuals and also companies need to understand the security risks around connected devices. We also need to keep in mind that our information is not secure just because we have a strong password, and that there are a lot of things that we cannot control. It took me less than 20 minutes to find and verify extremely serious vulnerabilities in a device which looks like a safe one and even alludes to security in its own name.”
So just how secure is the technology in your home? There are simple steps you can take to help keep it secure and protect the valuable data stored on your devices:
1. Make the hacker’s life harder: all your devices should be updated with the latest security and firmware updates. This will minimise the risk of known vulnerabilities being exploited.
2. Most home routers and switches have the option of setting up a separate network for each device, and of restricting what each device can reach. For example, if you have a TV, you might want to restrict access to that TV and only allow it to reach a particular resource within your network. There isn’t much reason for your printer to be connected to your TV.
3. Make sure that the default username and password are changed on things such as modems and networking equipment – this is the first thing an attacker will try when attempting to compromise your device.
For more information visit: wickhill.com/whg/kl2a
THE MIXED BLESSING
OF ENFORCED HTTPS
By Geraldine Osman, EMEA Marketing Director
at Barracuda Networks
In a move that analysts expect will markedly
improve the general security of the internet, Google
has announced that it will be boosting the search
rankings of sites using HTTPS.
Websites that continue to transport passwords
in plaintext (and there remain some large and
popular offenders) will be effectively forced to
comply with best practice on pain of Google
penalisation, and man-in-the-middle attacks that
affect internet users will decrease.
But MITM attacks aren’t the only threat facing the
web, and the widespread introduction of HTTPS will
present a new set of responsibilities and hazards to
your systems’ integrity. HTTPS essentially provides
a secure container in which important data can be
transported – the data is definitely sent to the right
place, unharmed, encrypted and in good condition.
But there’s no way of ensuring it’s the right data
in the secure container, nor is there any guarantee
that the data you remove from the container will be
what you wanted.
2
Baddies wearing your uniform
HTTPS can be problematic in terms of perimeter security. Because the data within the secure container is encrypted, it is impossible for conventional perimeter security solutions – systems like IDS/IPS and firewalls – to accurately gauge whether the incoming data is malicious or not. HTTPS effectively gives criminals, hackers and vandals a way of escaping detection if they want to target your servers.
Indeed, the same applies in reverse. Your systems cannot discern the nature of the data within these secure containers, and nor can your users’: malicious exploits could target your customers, whose security tools will not be able to detect them thanks to your HTTPS.
This problem is compounded by the little padlock icon that appears when a site is connected to using HTTPS. Your site visitors will enjoy a false sense of security, assuming that they are safe from all threats. Ironically, a transition from HTTP to HTTPS using non-proxy security solutions may in fact damage your security rather than improve it.
If your name’s not down...
As with a border post, the security systems in place must (at the very least) include a blacklist – a list of individuals who can’t be let through the checkpoint. Even more secure would be a whitelist – a list of all the individuals who can enter through the checkpoint.
One solution is a proxy-based system that can not only open the secure containers and investigate the contents, but can keep out the malicious data using SSL offloading. This involves the proxy terminating the TLS session, decrypting the HTTPS traffic, inspecting it and then forwarding only clean traffic to the protected servers, either over plain HTTP on a trusted internal segment or re-encrypted. SSL offloading is an important tool in other contexts, too.
Keeping application security current often necessitates rewriting the responses of legacy web applications on the fly. This could involve injecting HSTS (HTTP Strict Transport Security) and clickjacking-prevention response headers, preventing CSRF by injecting randomised tokens into forms, cookie encryption and more.
It’s important to look ahead and understand that attackers may become more sophisticated, and that traffic captured today could be attacked in the future. Without forward secrecy, HTTPS traffic captured today can be decrypted later by criminals equipped with more advanced hardware or who subsequently obtain the server’s private key. Perfect Forward Secrecy (PFS) closes that gap by negotiating a fresh session key that the server’s long-term key cannot recover, but for the same reason it renders passive IDS and SPAN-port-based inspection devices that rely on a copy of the server key useless, since they cannot decrypt a PFS session; only an inline proxy that terminates the TLS session itself can inspect that traffic.
Non-security benefits
Nobody wants a message on Google stating that their site could infect a user’s computer with malware. For most companies with a significant web presence, it’s precisely the kind of thing that could cost an enormous amount of revenue. The precipitous fall from grace (and search rankings) that would result from a breach of any sort could be disastrous for the reputation of your organisation, whether your systems are equipped with HTTPS or not.
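The on-the-fly hardening the article describes a proxy doing for a legacy application (injecting HSTS and clickjacking-prevention headers, planting a randomised CSRF token in forms) is small enough to show in full. The following is an added example written for this page, not code from the article or from Barracuda: a WSGI middleware in Python that wraps an application which knows nothing about these controls. It also performs the check a practitioner would want alongside the injection: a POST that does not carry a token matching the one issued to that browser is refused before it reaches the application. The legacy application, cookie name, hidden-field name, header values and request helper are all assumptions made for the example.

```python
# Added example written for this page (not code from the article or from
# Barracuda): a WSGI middleware that performs the on-the-fly hardening the
# article describes a security proxy doing for a legacy web application.
# It injects HSTS and clickjacking-prevention headers into every response,
# plants a randomised CSRF token in HTML forms, and refuses POSTs that do
# not carry a matching token. The legacy app, cookie name, field name and
# header values are assumptions made for the example.
import hmac
import io
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

CSRF_COOKIE = "csrf_token"  # assumed cookie name
CSRF_FIELD = "csrf_token"   # assumed hidden-field name
SECURITY_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "frame-ancestors 'none'"),
]


def legacy_app(environ, start_response):
    """Stand-in for a legacy application that knows nothing about CSRF or HSTS."""
    if environ["REQUEST_METHOD"] == "POST":
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"transfer done"]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html><body><form method='post' action='/transfer'>"
            b"<input name='amount'></form></body></html>"]


def _cookie_token(environ):
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    return cookies[CSRF_COOKIE].value if CSRF_COOKIE in cookies else None


def hardening_middleware(app):
    """Wrap a WSGI app: add security headers, inject and verify CSRF tokens."""
    replaced = {name.lower() for name, _ in SECURITY_HEADERS} | {"content-length"}

    def wrapped(environ, start_response):
        token = _cookie_token(environ)
        if environ["REQUEST_METHOD"] == "POST":
            # Read the body once, verify the token, then hand the body to the app.
            body = environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0))
            sent = parse_qs(body.decode("utf-8", "replace")).get(CSRF_FIELD, [""])[0]
            # compare_digest on bytes: constant time, and safe for any input.
            if not token or not hmac.compare_digest(token.encode(), sent.encode()):
                start_response("403 Forbidden",
                               [("Content-Type", "text/plain")] + SECURITY_HEADERS)
                return [b"CSRF token missing or invalid"]
            environ["wsgi.input"] = io.BytesIO(body)

        captured = {}

        def capture(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, list(headers)

        payload = b"".join(app(environ, capture))
        # Our header values win over anything the legacy app set itself.
        headers = [h for h in captured["headers"] if h[0].lower() not in replaced]
        headers += SECURITY_HEADERS

        new_token = token or secrets.token_urlsafe(32)
        ctype = {k.lower(): v for k, v in captured["headers"]}.get("content-type", "")
        if ctype.startswith("text/html"):
            hidden = f"<input type='hidden' name='{CSRF_FIELD}' value='{new_token}'></form>"
            payload = payload.replace(b"</form>", hidden.encode())
        if token is None:
            headers.append(("Set-Cookie", f"{CSRF_COOKIE}={new_token}; "
                            "Secure; HttpOnly; SameSite=Strict; Path=/"))
        headers.append(("Content-Length", str(len(payload))))
        start_response(captured["status"], headers)
        return [payload]

    return wrapped


def run_request(app, method, body=b"", cookie=""):
    """Drive a WSGI app in-process (no network); returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/transfer",
               "CONTENT_LENGTH": str(len(body)), "HTTP_COOKIE": cookie,
               "CONTENT_TYPE": "application/x-www-form-urlencoded",
               "wsgi.input": io.BytesIO(body), "wsgi.url_scheme": "https"}
    result = {}

    def start_response(status, headers, exc_info=None):
        result["status"], result["headers"] = status, headers

    payload = b"".join(app(environ, start_response))
    return result["status"], result["headers"], payload


def csrf_token_from_headers(headers):
    """Pull the token out of the Set-Cookie header the middleware emitted."""
    for name, value in headers:
        if name == "Set-Cookie" and value.startswith(CSRF_COOKIE + "="):
            return value.split(";", 1)[0].split("=", 1)[1]
    return None
```

The token is issued in an HttpOnly cookie and echoed into every form the application serves, so a cross-site POST cannot supply it; the same pattern works whether the wrapper sits in-process, as here, or in a TLS-terminating proxy in front of a server that only speaks HTTP. Binding the token to a server-side session rather than to a bare cookie, and re-encrypting towards the origin, are the obvious next steps for a real deployment.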
For more
information visit:
wickhill.com/whg/bn2a
TREATING YOUR EMAILS LIKE THE BIG DATA THEY ARE
By Geraldine Osman, EMEA Marketing Director at Barracuda Networks

The phrase “big data” refers to datasets so large that they’re unwieldy – awkward to work with on account of their sheer size and complexity. Generally speaking, this sort of data will be stored in databases, but the term can be applied to an organisation’s email storage, too.

A company’s email data is stored on a database of sorts – the Exchange Server. This in itself could be referred to as “big data”, in that it may be so vast that it’s hard to work with. But complicating the matter is email data stored elsewhere, for example on file servers or even on individual workstations.

A dataset of this magnitude, stored in this fashion, presents an enormous problem. This is partly because there are currently very few ways of managing this data in a meaningful way. Archiving it is a possibility, but this only moves the “big data” from the Exchange Server to somewhere else – it’s still very difficult to manage the dataset.

Making sense of the numbers
In order to make this mass of data useful, you need a tool that enables you to understand it. For example, processes will enable you to identify who the emails belong to (separating human resources correspondence from messages sent to groundskeeping staff will be helpful) or to sort the emails by size and age. But once you’ve understood the data, you should then be able to manage it – carrying out the correct action on the right set of data.

This could be something as simple as deleting all emails that are more than 10 years old, if you deem them to be irrelevant. Backup actions, like moving all PST files to a central location or instigating a seven-year archive retention plan for customer email, are more complex but can be undertaken with the right tools. Preserving and collecting all data between a specified list of custodians, or categorising all the email data from a certain department using a relevant taxonomy, are also feasible actions.

For more information visit: wickhill.com/whg/bn1a

“GENUINE BYOD” – When mobile device management is not enough!
By Christian Bücker, Managing Director / CEO, macmon secure gmbh

The buzzword “Bring Your Own Device” is now in more widespread use for all kinds of different products and “solutions”. Or, the other way around: almost every provider of IT security solutions purports to provide a golden answer for this underestimated situation. But what actually happens in the business?

Let’s initially consider the situation as defined by a company – and also recognise what is ignored. The term “Bring Your Own Device”, in literal terms, would appear to suggest a situation in which employees are encouraged to bring their own devices. There are no restrictions to smartphones and the like – it can just as well mean someone bringing a MacBook to work, because they prefer Apple to Microsoft Windows. It should be clear that none of these “non-corporate devices” are generally catered for within the central administration, with regard to essential IT systems such as patch management, antivirus, etc. The end result is that an employee’s terminal security and safety is a great concern – not to mention the possibility of complete data leakage through unprotected device access.

It is, therefore, becoming more and more necessary to rise to the challenge of managing these strange and unidentified devices in some way. Since security vendors have not covered all eventualities in this sphere – leaving obvious drawbacks – there remains a mass of work to determine risks through continual assessments. Through these assessments, companies are able to determine if the risk factors involved are justifiable – or if the risks are too high.

Insofar as being the ultimate security solution, mobile device management has an existing requirement that simply does not exist in some companies: the general acceptance of a third-party service agent at an employee’s terminal. The generic rejection of access for the third-party service agent is quite understandable – even if there are valid assurances that surreptitious access is denied. And that also means applying a blanket “denial of service” for devices which, it is generally understood, do not have the functional capacity for unrestricted access within their own core functions. Consider also that the majority of third-party service agents would automatically accept any corporate-level “monitoring functions” being applied to their non-standard device, as a matter of corporate security policy.

So, the overall requirement to discover a network-level solution (terminal-level solutions are not as feasible) has led to the strong revival of Network Access Control (NAC) technologies. If a business decision has already been made to allow employees’ devices on the network, NAC provides the advantage of granular control, rather than simply applying a blanket “yes or no”. NAC can create access rules whereby only specific services are provided across an already protected LAN or WAN. In that respect, no device would have full network access. In this way, the whole network can be protected as much as possible from any risk – and additional safety measures such as intrusion prevention systems or firewalls may also detect possible attacks and, through an intelligent coupling with the NAC solution, separate the relevant systems from the network.

Using the methods described above, significantly better protection of the entire network is established. However, there is still a general lack of appropriate methods providing an overview of the devices in situ. Coupled with this is the lack of clarity in real-time access. As a frequently underestimated consequence, the overall reporting and recording strategy fails to monitor adequately – and that includes authorised devices. It is here where macmon NAC offers the BYOD Portal – a new form of tracking and managing (all) employee devices.

Using a customisable web portal, eligible (authorised) employees have the ability to identify and register their own devices. To achieve this, the employee authenticates at the portal only, using his usual username/password, then accepts the rules of use of the company network – and thus registers the device as his own. Using this simple approach, the company receives a constant overview of the registered systems/devices per user. These aspects aside, macmon NAC also ensures concurrent usage and automatically removes access for users who have left the company.

macmon NAC is exceptionally easy to establish within a company infrastructure, without the added expense of administration, and provides controlled access to valid users, whilst ensuring that former employees have no further access to the corporate network.

For more information visit: wickhill.com/whg/mm3a
Don’t Become the Next Code Spaces – treat your IaaS server as if it was your own
By Ian Porteous, SE Manager at Check Point Software Technologies UK

Code Spaces was just one of the firms targeted by cyber criminals this year. Following attacks on Feedly and Evernote, the Distributed Denial of Service (DDoS) attack on Code Spaces began on June 17 – usually a precursor to a ransom demand from criminals attempting to extort money from companies to make the DDoS attack stop.

In this case, however, the DDoS attack was supplemented with a much more injurious attack on Code Spaces. The attackers managed to commandeer Code Spaces’ panel access and cause untold damage to the company and its customers.

“We finally managed to get our panel access back but not before he had removed all EBS snapshots, S3 buckets, all AMI’s, some EBS instances and several machine instances,” the company stated on its website.

“In summary, most of our data, backups, machine configurations and offsite backups were either partially or completely deleted.”

The result of this was that Code Spaces ceased trading. The firm conceded that the damage done and the resultant costs had “put Code Spaces in an irreversible position both financially and in terms of ongoing credibility”.

Cloud-based infrastructure – an obvious vulnerability
Companies, charities, governments and other organisations are using cloud services because of the obvious benefits they bring – swift, remote access to resources and databases. But as Code Spaces discovered, services can be rendered useless with relatively simple attacks from criminals or vandals. In addition, a shocking number of companies have no plan in place in case of a DDoS attack or similar. Forrester Research found in a study that 43% of companies surveyed did not have a formal DDoS attack response plan.

All companies can take steps to minimise the chances of being compromised, and to dramatically reduce the amount of damage that an attacker can do if they do gain access.

Define and optimise user access to the management console
Access to the panel comes in two stages. Firstly, access itself – providing unrestricted access to multiple individuals leaves you much more vulnerable to someone taking control. This is what happened to Code Spaces, and the result was disastrous. Give access to as few people as possible. Do not use the root account on a regular basis – instead, make an administrative account for normal use and keep the root account sacred.

The second stage is simple – only allow individuals access to what they actually need for their work. Assign minimal rights to users, so that if their accounts are compromised or their credentials stolen somehow, the damage that can be done is limited.

Over-reliance on passwords is complacency – don’t do it
Authentication that relies entirely on an easy-to-guess username and a memorable word chosen by the user is not an inherently strong system. It’s open to all sorts of abuse, misuse, bad practice, leakage and social engineering, all of which can be exploited by an attacker.

Multi-factor authentication presents yet another obstacle to a criminal who wants to gain access to your computer systems – an additional code is required to log in, and this code can only be acquired through third-party hardware (like those in use by UK consumer banks) or via text message to the user’s phone. In the case of Code Spaces, this would have enabled the company to see whose key fob or supplementary access code was being used.

Protect your network
Consider using Security Assertion Markup Language (SAML). SAML is an open standard that can be utilised in conjunction with other identity mechanisms (such as Windows Active Directory Federation Services).

Antivirus software must be up to date and active. Intrusion prevention systems (IPS) and network firewalls go some way to preventing attacks, while threat emulation could help you understand new and unknown risks.

Create a response plan
Your company needs to know how to react to a threat, whether that’s a DDoS attack or something more sinister (or a combination, as faced by Code Spaces). There are three recommended elements to this, but more protocols could be in place depending on the needs and responsibilities of your company:

An incident response plan. This document defines what constitutes an incident in the context of network security, as well as outlining the protocol for each type of attack. It is helpful to understand in advance what a security incident is and how it should be escalated if necessary.

A DDoS response plan. This is a DDoS-specific plan that explains how your company should react to a distributed denial-of-service attack. This document should help you minimise disruption during and after a DDoS attack.

A business continuity plan. How will your business cope with an attack, and what steps can it take to minimise the effect of criminal activity? How can disruption be mitigated, and how can permanent damage be eliminated? This is one area in which Code Spaces faltered – a relatively straightforward security breach destroyed their intellectual property, demolished their reputation and ultimately forced the company to close.

Your enterprise is likely to have all sorts of emergency plans in place, such as in case of a fire. These protocols are familiar to all and are tested regularly – the same must be true of your network security protocols and contingency plans.

Protect your IaaS server
The benefits of IaaS offerings are enormous and obvious, but so are some of the security risks. When implementing an environment on any IaaS offering, the servers require the same level of security as they would if they were in-house. All the same security systems are available to IaaS offerings. Connecting your IaaS to your LAN can be made secure through VPN, and Amazon-specific security is widely available.

So many companies use IaaS, but a firm as reliant on AWS as Code Spaces should have had better security in place. Your firm can learn from the failings of Code Spaces, where, ultimately, a hacker gained access to the panel and was able to swiftly delete backups. Optimise user access, implement multi-factor authentication, and draw up emergency plans for use in the event of a breach. Don’t be the next Code Spaces – protect IaaS servers as if they were your own.

For more information visit: wickhill.com/whg/cp1a
THE NATIONAL SECURITY SURVEY 2014
Continued from Page 1

We will also send the survey results to every participant when the survey closes, giving you the opportunity to analyse the results and see if your opinions match up to those of other professional IT employees.

Prizes on offer:
• Beats by Dre Headphones
• GoPro Cameras
• Sonos Play HiFi systems
• Parker Duofold pen

Complete the survey now to be in with a chance of winning one of the above prizes.

Charities we support for the donation are the Syrian Refugee Appeal, Transform Housing or MacMillan Cancer Care.

Support and sponsorship from some of the biggest names in Network Security allows us to offer some exceptional prizes, awarded in a unique ongoing way so that you don’t have to wait months to win something.

About the Survey
Our National Security Survey consists of questions based around current business needs and requirements for any organisation. If you’re an IT professional, we’d love to invite you to participate. Plus, everyone that completes the survey will receive a mobile PowerBank, or a donation to charity will be made on your behalf.

Topics include general security risks and concerns for businesses both presently and in the future. Other topics such as Remote Access, Advanced Persistent Threats (APTs), Endpoint Security, Data Management and Leakage, Internal Security and Encryption are all present in the survey and will hopefully produce some fascinating results, which will be sent to you for free if you take part.

Want to give your input? Visit www.wickhill.com/whg/wh8a

For more information visit: wickhill.com/whg/wh8a
IT CONTRACTORS – NOT A BUYERS’ MARKET
By Geraldine Osman, EMEA Marketing Director at Barracuda Networks

Surveys have made clear something that analysts have been noticing in the industry for some time – IT contractors are not only thin on the ground, but expensive too.

These two points are related. There’s a limited supply of an in-demand service, and hourly rates reflect this. The use of IT contractors is certainly on the rise, and this trend is expected to continue for the rest of 2014 and beyond.

A lot of these IT contractors are working on critical IT projects. According to FierceCIO, what has surprised IT shops is that they are competing with cloud providers to hire the IT contractors who are proficient with cloud technology – even after they have deployed cloud services from those same providers.

Across the pond
The situation is similar on both sides of the Atlantic – there are certain similarities between the US and the UK. Companies that were forced to cut costs in the recent recession, according to Contractor UK, are feeling forced to “up their game” or to find lower-quality IT contractors (less qualified, and cheaper) who will work for the rates that they can afford. This obviously has a knock-on effect on quality – a lower-rate IT contractor working on a critical or important project could be a disaster. Contractor UK reports on both the UK and the US IT contractor markets.

Computerworld reports that this trend of hiring in IT contractors is likely to remain the same, at least for the foreseeable future. Nearly half the companies that were surveyed indicated that they planned to hire IT contractors in the coming year. The percentage of IT contractors in some departments is at 17%, reported the firms.

The solution?
Unfortunately for IT managers, the most straightforward way to minimise the effect of the prevailing economic conditions is to simply spend more on IT contractors. But for companies without that luxury, or for organisations with the capacity to enhance their efficiency, there are several key areas where spending can be minimised. The following have been identified as drains on resources:

PST-related help desk calls. At some firms, calls pertaining to the antiquated PST file system account for 15% of help desk activity. This is a clear area to clean up – a “PST elimination project” is a solid investment that will save you money, especially if your customer support department is already struggling with its workload.

Irrelevant IT activities. There’s no need for IT departments to take responsibility for eDiscovery or eDisclosure collections, especially as the legal teams that request them are unlikely to receive the data they need – even with great communication. Advanced search products will enable the legal team itself to take ownership of the eDiscovery and eDisclosure actions, which would be a win-win: they get the results they want first time, and the IT department’s workload is significantly reduced.

Sloppy migrations. Exchange 2003 is no longer current, and those using Exchange 2007 will be migrating to Exchange 2013 or Exchange Online. But some companies are migrating before undertaking their archiving project, which results in unnecessary costs and delays as useless, out-of-date emails are migrated to the new system before being deleted.

Saving everything. Companies are often found to have kept emails that should definitely be deleted, and as a result spend vast amounts of needless time and money reviewing them as part of legal discovery. Barracuda finds that all too often, companies that save everything end up discovering everything, too.

All of these are areas that could be cleaned up in order to save money and ensure that resources are used to fund critical projects.

The world of IT is in a state of constant flux, buffeted by a changing business landscape and constant technological innovation. But by changing their expectations and investing in money-saving projects, firms can streamline their IT departments while meeting the demands of an evolving industry.

For more information visit: wickhill.com/whg/bn4a

Why passwords don’t cut it anymore
By Jan Valcke, President & COO at VASCO Data Security

A survey conducted by Guardian Analytics showed that nearly 1,000 SME business owners and executives questioned experienced fraud. SMEs tend to be perceived as less robust with their security policies and procedures. Furthermore, any security vulnerabilities they have could be gateways to their customers’ or clients’ data, which could be a far richer reward for those with malicious intentions.

The approach for any company, whether big or small, should be built around the concept of ‘securely letting the good guys in’. Security procedures such as a cloud-based two-factor authentication solution, such as VASCO’s MYDIGIPASS.COM, are an effective way for SMEs to keep up with the security operations of a corporate company. Whether it’s an SME’s staff logging into business-critical applications, or the SME’s customers buying something from them online, it is essential that that data is secure.

A good platform for SME security is one that is scalable and convenient for users. Something that isn’t too intrusive, features easy sign-on functionality while still remaining secure, and a rewarding tool to ease the minds of IT staff who could feel overwhelmed in a small business, high risk situation.

VASCO’s MYDIGIPASS.COM is such a platform that is capable of delivering on all of the above and more. Added features such as full branding and customisation can give the feel of never leaving a company’s operating system to manage security, as well as single sign-on functionality to ensure ease-of-use is not affected while performing tasks and configuration.

This solution definitely contributes to boosting an SME’s business. Security, convenience and scalability can be adapted as needed, delivering a more rewarding and secure online experience for customers – a contributing factor in strengthening customer relationships.

For more information visit: wickhill.com/whg/v4a
Can Security Grow the Top-Line...
By Stephen Millard, Channel Manager, Tibco Loglogic
Continued from Page 1

Then he says “Could you give me a history of web pages by visitor – we track them with a cookie.” Turns out this guy was the CMO and was under the gun for some type of conversion metric and, after exploring a bunch of other options that didn’t work, was coming to me as a last ditch effort. So I ripped off my shirt, exposing the big red “S” emblazoned on my tight blue one-piece and said “I’ll be your hero!”. OK, ok, I didn’t rip off my shirt or anything like that. But I was able to make a couple of quick searches and determine that I had the data he needed. In the end he was really happy that I had the data and I worked with the marketing team to develop reports about visitor behaviour and conversions.

There are a couple of critical elements to this story that may not be that obvious. The first thing is to realize that the story paints a picture of how separated the security team was from the rest of the business – the security guy didn’t even recognize the CMO! It is imperative that the IT and security teams be able to relate better to the business. Creating isolated pockets of information only serves to mystify and isolate, decreasing the opportunity for security to contribute to the business. The second critical factor is that the security guy didn’t share his data – he just generated reports and gave them to the marketing department. What other valuable insights were hidden in the web log data? How can the marketing team extract the business value if their access to data is so severely gated?

This story portends a fundamental shift that our industry needs to undertake. IT and especially Security need to make machine and log data available to their constituents to be analysed just like transactional data. Data availability is just the first step – the analytics tools need to be de-geekified so that mere mortals can ask questions about their business and get answers. Democratizing data and actively engaging the lines of business are two key steps that IT and security organizations must undertake to address their budgetary challenges.

For more information visit: wickhill.com/whg/tc1a
THE EVOLUTION OF EMAIL MANAGEMENT
By Geraldine Osman, EMEA Marketing Director at Barracuda Networks

Email archiving solutions now provide far more than capacity management. Because email archives are becoming so large and rich in data, thanks to email’s position as the main means of both internal and external communication, it is essential for organisations to manage this resource effectively. The capabilities of modern systems include the delivery of compliance, discovery and PST management – all in all, enabling you to manage the complete email life cycle.

The data stored in your email archives is rich but often dauntingly large and sometimes unstructured. Until recently, email management consisted of little more than archiving itself – essentially a capacity issue rather than analysis. Today, advanced techniques allow you to develop a much greater understanding of your email dataset, and they will eventually become standard in this type of information management system.

Developing solutions for your organisation’s needs
Organisations now have the ability, using information management, to determine and implement bespoke data retention policies, and to swiftly retrieve the information they need from email “big data”.

Regardless of the prevailing economic climate, but especially in times of recession, IT departments are under enormous pressure to minimise expenditure wherever possible. One of the main ways IT departments can maximise their efficiency is to cascade tasks (that would previously have been the sole responsibility of IT) to other stakeholders within the organisation.

An example of this could be the legal department, which will need to use email records and extract relevant data from email archives. The legal team will also, while undertaking a legal Discovery action, require the email to appear in full and unabridged for as long as necessary. The opportunity for end users such as this one to undertake the actions themselves has accelerated the development of more role-based solutions designed for end users rather than service providers.

Future proofing information management
While email has been the primary method of communication for many organisations for two decades now, the popularity of instant messaging has soared in recent years. This new type of data – which has the potential to result in far bigger, more complex datasets – will need to be managed in the same way as we manage email now. Intelligent archiving and information management solutions are evolving to include support for these communication methods.

In addition, information management solutions are having to adapt to a changing business landscape and the onward march of technology. Email archives are steadily increasing in size, and Discovery exercises are becoming more resource-intensive. Organisations of all sizes are starting to rely on the intelligent management of their “big data”, and email archives are an absolutely essential part of this.

For more information visit: wickhill.com/whg/bn3a

CYBER TRADECRAFT: Defending Against Drive-by Downloads
By Corey Nachreiner, CISSP, Director of Security Strategy, WatchGuard

Imagine this… You’re perusing the ancient and colourful Grand Bazaar in Istanbul, feeling overwhelmed by all the interesting sights, sounds, and smells. An excited and charismatic shop owner waves you over to his wares, enticing you to contemplate the colourful baubles he has on display. As you’re thus distracted, a quiet, inconspicuous character jostles you lightly from behind, whispering an apology as she hurries past. You walk away from the ordinary encounter perfectly unaware that she also planted a powerful bug on your person, and can now track your every move, and monitor whatever you do, potentially using this newfound power to swipe the confidential documents you have holed up in your hotel safe.

You’re probably thinking, the description above sounds a lot like the fantastical tales you’ve read about in pulpy spy novels. Yet, it is surprisingly close to what the average user risks every day while browsing web sites online—the risk of the drive-by download.

Drive-by download? Sounds like something cyber gangs do in South Central.
In case you haven’t heard the term before, a drive-by download (DbD) is a class of cyber attack where you visit a booby-trapped web site and it automatically, and silently, downloads and executes malicious code on your computer.

By default, web sites can’t just download and run code on your computer, so a successful DbD attack relies on some sort of programmatic flaw or vulnerability in the software you use to surf the web. For instance, browsers like Internet Explorer (IE), Firefox, Safari, and Chrome make the most obvious targets. However, nowadays most users install many other web-related products, which attackers can exploit in DbD attacks. For instance, products like Java, Flash, Shockwave, Reader, QuickTime, and many others insert plugins into your web browser, which allows them to render the dynamic content you encounter when visiting modern web sites. The problem is that these plugins also give attackers access to this software as well—providing more attack surface opportunities.

In short, if an attacker can find any vulnerability in the diverse software-set you use to browse the web, and he can entice you to a web site containing a bit of malicious code, he can exploit these flaws to force your computer to infect itself with malware without you even knowing it. Much like the fictional spy scene in the Turkish market, by luring you to a special place and distracting you, these network criminals can quietly compromise you behind your back.

How do hackers get me to malicious sites?
“But wait a second,” you might exclaim, “I’m not naive enough to visit suspicious web sites on the Internet. They can’t infect me if they can’t get me there, right?” Of course, you are correct. Unless an attacker can get you to his booby-trapped web site, his DbD attack will not succeed. However, you might be surprised at how easy it is to lure victims to booby-trapped sites today.

Let’s start with the old, tried-and-true techniques. In the past, you might have heard security professionals warn you against visiting the seedier side of the Internet. Just like in the red-light districts found in the real world, lots of questionably legal activities happen in some of the sleazier parts of the Internet. Sites catering to pornography, software piracy, drug sales, and more, often partner with cyber criminals (knowingly or unknowingly), and serve up malware to their visitors via DbD attacks. Anytime you see something shady offered for free on the Internet, chances are you’ll pay in ways you don’t quite know.

Another way to get victims to malicious sites is just to invite them to visit. Cyber criminals use every Internet messaging mechanism they can to spam out links to their malicious pages. They send emails, instant messages (IMs), or post to social networks, sharing links that go direct to booby-trapped websites. Of course, they dress up their message in some way to get you interested, citing the latest pop culture event, or pretending to be your friend sharing a fun link. They also often use link-shortening services to make their malicious links seem more benign. Since many users still don’t realise web links can be dangerous, many fall for the bait and click the link for an unwelcome surprise.

However, the most nefarious way to draw victims to booby-trapped DbD web sites is the watering hole attack, a three-phase attack where the attacker focuses on a particular group and observes which websites the group frequents. The attacker infects those websites with malware so eventually some of the targeted group members get infected. All the methods described previously depend on getting someone to a site that they may not visit of their own accord… but what if you could hijack a site they frequented regularly? Just like the lions stalking prey in the savannah, hackers know that if they can poison your favorite “watering hole” web site, you’ll surely stumble upon their DbD code. The attackers search for web application vulnerabilities in popular and legitimate web sites, such as SQL injection (SQLi) and cross-site scripting (XSS) flaws, then exploit these problems to inject malicious code into the legitimate site, redirecting anyone who visits the site to malicious DbD code.

In the past, I could warn you against visiting sordid web sites to avoid DbD attacks. However, today

• Don’t click unsolicited links – Simply put, avoid clicking unsolicited links sent to you via email and IM. I probably can’t convince you not to click on links from your friends (or ones that seem like they come from your friends), but at least remain wary of them, and look at the URL for the link before clicking it. I would also be careful around shortened links, and leverage tools to expand and preview these links before following them. Here’s a quick tip: if you add a “+” character to the end of a bit.ly link, you will see a preview of the actual URL before visiting it.

• Use antivirus (AV) and intrusion prevention (IPS) – While vigilance and good practices can help you avoid many attacks, no one is perfect. There will be a day that even the best of us stumble on DbD attack sites. IPS systems can frequently detect the network exploits these attacks leverage, and AV systems can often recognise the malicious payloads they try to silently download. Use AV and IPS systems, and keep them up to date. By the way, Unified Threat Management (UTM) solutions and Next Generation Firewalls (NGFW) can make these security systems easy to manage for business.

• Use reputation-based web-filtering solutions – The malicious sites that serve DbD attacks change quite frequently, as do the legitimate sites that have been hijacked. Security organisations and vendors, like WatchGuard, use many automated techniques to keep track of the latest malware-distributing sites, and offer reputation services that can keep you and your users away from them. You should consider using web-filtering solutions to help you avoid dangerous sites on the Internet.

• …programming flaws in the software you run. Many of the DbD attacks seen in the wild exploit flaws that vendors have already fixed. If you keep your software up to date, most attacks will fail. Obviously patch your web browser, but also know hackers are focusing on exploiting Java and Flash vulnerabilities lately. You should patch these packages just as aggressively as the browser itself. In fact, I would recommend disabling Java if you can.
any site on the Internet—even the ones you trust
the most—may have been hijacked and could be
hiding a drive-by download.
Corey Nachreiner, Director of Security Strategy.
Drive-by download defense and “tradecraft”
Part of being a good spy is understanding your
adversary’s techniques, and then learning the
tradecraft that can protect you in the field. Now
that you know what a drive-by download is, and
how they work, here’s a few cyber tradecraft tips
that will protect you online:
• Patch, patch, and then patch some more – In
“computer-ese,” patching means to apply the latest
updates to your computer software. As mentioned,
web sites can’t forcefully download software to
your computer unless they can take advantages of
Black hats have become extremely sneaky and
sophisticated in their cyber attacks. Drive-by
downloads have become the silent but deadly, de
facto attack that criminals have chosen to deliver
most of their malware, and watering hole attacks
make providing victims child’s play. However, with a
little vigilance and knowledge, anyone can avoid
this web-based infection vector. Diligently apply
the cyber tradecraft you learned and you’ll survive
most DbD malware encounters unscathed.
Corey Nachreiner has been with WatchGuard since 1999
and has since written more than a thousand concise
security alerts and easily-understood educational articles
for WatchGuard users. His security training videos have
generated hundreds of letters of praise from thankful
customers and accumulated more than 100,000 views on
YouTube and Google Video. A Certified Information Systems
Security Professional (CISSP), Corey speaks internationally
and is often quoted by other online sources, including
C|NET, eWeek, and Slashdot. Corey enjoys “modding” any
technical gizmo he can get his hands on, and considers
himself a hacker in the old sense of the word.
www.wickhill.com | 01483 227 600 | [email protected] |
For more information visit: wickhill.com/whg/wg1a
@wickhill
wickhill.com/linkedin
Kaspersky Lab Reveals Main Sources of
Stolen Banking Information
By Kaspersky Lab
According to a Kaspersky Lab survey of IT
professionals worldwide, 48 per cent of e-commerce/
online retail businesses and 41 per cent of financial
services organisations have reported losing some
type of finance-related information to cybercriminal
activities within a 12 month period.
Kaspersky Lab’s survey also surprisingly found that
the e-commerce/online retailer business segment is
the least likely to deploy and update specialised anti-fraud measures to protect financial transactions.
The e-commerce/online retail and financial services
business sectors both depend on their abilities
to receive, process and store sensitive financial
information from customers. Through a combination
of targeted attacks, application vulnerabilities and
other forms of cyberattacks, almost half of businesses
in both sectors will lose some of this information over
the course of a year. Such a loss can not only damage
the reputations of these businesses, which are highly
dependent on trust, but can also trigger costly legal
penalties, removal and clean-up costs. But while these
two segments share these similarities, their attitudes
towards security technology are markedly different.
Only 53 per cent of the e-commerce/online retail
segment indicated that they “make every effort to
keep anti-fraud measures up to date,” which is ten
per cent lower than the overall global average, and
the lowest overall of any business segment. Since
the entire business model of online merchants is
based on online and electronic payment processing,
this reluctance to invest in anti-fraud measures
seems highly counter-intuitive.
The financial services segment takes a more positive and proactive approach towards securing their financial data. When asked if they “make every effort to keep anti-fraud measures up to date,” 64 per cent of financial services providers agreed, a response rate tied for highest across all segments. This enthusiastic response is the complete opposite of the attitudes in the e-commerce/online retail segment. Additionally, 52 per cent of the financial services segment reported a desire to implement new technologies to protect financial transactions, compared to 46 per cent of the e-commerce/online retail segment.

Reduce the risks:

Kaspersky Endpoint Security for Business helps protect a business network from an onslaught of malware, phishing, and other cyberthreats. Financial institutions need advanced endpoint security across their entire network, including mobile devices and virtual machines as well as PCs. Kaspersky Endpoint Security for Business can bring protection for all these endpoints to a single administrator console, giving IT managers superior visibility and policy control over the security of their network.

Kaspersky Fraud Prevention unites a number of technologies to monitor the “back-end” processing of banks for malicious activity, ensures the protection of customer endpoints, including their mobile devices, and provides an SDK for reinforcing the security of mobile banking applications. This fraud protection platform also uses Kaspersky Lab’s threat intelligence services to increase bank employees’ levels of cyber threat knowledge and bolster the effectiveness of technologies used to protect financial data.

For more information visit: wickhill.com/whg/kl4a
Network Access
Control Made Easy
Why IT Security without NAC fails
NAC is a constant issue for businesses

Since the introduction of network sockets, the control and support for Network Access Control (NAC) has been an ongoing issue within every company. In this day and age of WLAN and the rapidly expanding acceptance of mobile devices within an enterprise, NAC has returned and is again a major focus. However, it is a fact that very few companies know exactly who or what devices are accessing their network - and how they can be effectively protected. For some considerable time, there have been many reasons why a suitable solution has not been introduced: comprehensive care, significant project costs, substantial costs associated with modifying the infrastructure or the highly complex nature of a solution.
“Network Access Control (NAC) reloaded” is an update
to the first and only professional audio book on the
subject of NAC. The content of this essential guide is
provided in a direct style, giving audio descriptions of
the available technologies and the solution strategies
by providing comprehensive examples.
Christian Bücker, CEO of macmon secure GmbH, says: “Guides for reading are a dime a dozen. But this guide does not just inform - it also entertains and engages - and we feel that we have come up with something special. With this guide, the audience is privy to appropriate strategies and approaches on how to avoid network threats. It is a particularly convenient way for persons interested in IT to learn everything worth knowing about this important topic in a simple and pleasant way. The audio provides information in a formal but friendly way, which can be taken virtually anywhere - whether at home, in the car or on an airplane.”
In the audio book you will learn:
• What exactly NAC (Network Access Control) is.
• Why IT Security without NAC fails.
• Which NAC technologies are currently available
on the market.
• What added value NAC delivers, in addition to
standard security gains.
• Why every company should consider a reliable
NAC solution.
• Detailed descriptions of NAC for;
- Microsoft Active Directory (AD)
- Lightweight Directory Access Protocol (LDAP)
- Bring Your Own Device (BYOD)
- Guest management
• Automated Compliance Enforcement
• Added values such as; interactive displays,
graphical reporting and statistics/reporting tools
• How to integrate NAC simply, effectively and
successfully.
A NAC solution provides a real-time view of all of the devices on your network - and also ensures that those devices are automatically connected to the areas provided for them on that network. Your network guests can quickly and easily “plug in” and simply use the services intended solely for their use. Employees’ own devices can easily and securely be integrated into the corporate network. Any unknown or non-secure devices are denied network access, avoiding data and economic espionage. When used to secure a corporate network, NAC must accommodate new device additions and be adaptable for new solutions and demands. Each of these aspects is amply provided through the flexibility built into the macmon NAC solution.
For more information visit: wickhill.com/whg/mm1a
Security from Obscurity
Corey Nachreiner, Director of Security Strategy and Research at WatchGuard
Technologies explains why it’s time to re-evaluate the idea of ‘security by obscurity’
I am sure many of us think that hiding our house
keys under a plant pot or fake rock will do a
good job of stopping people breaking into our
house. After all, how many burglars are likely to
find a key if it is well hidden from sight? The
only problem is that if the key is discovered by
a diligent intruder or simply by accident - your
entire house security falls apart.
Maybe that is why most information security
professionals deride the idea of ‘security by
obscurity’ when it comes to protecting critical
systems and data. Security by obscurity simply
refers to relying on an aspect of secrecy to protect
your systems, rather than on secure design.
And certainly, when I started my formal infosec
training, security by obscurity was considered as
no security at all.
This dismissal of security by obscurity in our industry probably originates from an old cryptographer’s axiom called Kerckhoffs’s principle, which proposes that a cryptosystem should remain secure even if the attacker knows exactly how the system works, assuming the attacker doesn’t have the key to the system, of course.
There’s no doubt that this axiom holds true; the
best security systems are ones that attackers
fully understand, but still can’t break without the
proper keys or credentials. For instance, bank
robbers may understand how a vault door works,
but they can’t open it without a disproportionate
amount of time, tools, and effort - or having the
actual combination to the vault.
So, it’s realistic to believe that most of your defences
should rely on securely engineered systems and
not on obscurity. However, that doesn’t mean
there is not some value in the concept. Combined
with proven security controls, obscurity can offer
valuable additional protection, creating a worthy
layer to a defence-in-depth strategy and posing
significant speed bumps to an attack, causing
hackers to move on to softer targets.
It’s like a bear chasing a group of people; you
don’t have to run faster than the bear to survive,
only faster than the slowest member. A little
obscurity might just give you the edge to stay
ahead of your peers’ defences.
So let’s talk concrete examples. Here are three
practices many consider security by obscurity
that could supplement your defences:
Changing a server’s default port. Internet and
network services tend to run on common, default
ports. For instance, SSH is port 22, Telnet is 23,
RDP is 3389 and so on. However, there is nothing
stopping you from changing these default ports. If
you want your SSH server to listen on port 7624,
it can; and this simple change will make it harder
to find by automated network scans. Smart,
persistent attackers targeting your network can
still use full-range port scans and fingerprinting
techniques to find your SSH server. However, a
huge percentage of the malicious port scans on
the Internet are targeting common server ports.
So this simple obfuscation can help.
Server header masquerading. Unfortunately,
servers are a little too friendly, often totally
identifying themselves in their reply headers. For
instance, a Web server reply contains a Server:
header, where it identifies what software and
version it’s running. Here’s an example:
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.42ubuntu5.6 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
That header is gold to an attacker, who now knows
exactly what software your server runs, including
any additional packages. If any of that software is
unpatched, the attacker might have his or her way
in. But you can change this. Many servers have
configuration options that allow you to share less
information about the server version. There are
also network security tools that totally masquerade
these server headers. A security stickler will argue
that if you keep your servers patched and hardened,
it won’t matter if an attacker knows what software
they run. I say, patch and harden your servers,
but go ahead and masquerade their headers too,
making them a bit harder to enumerate.
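As an added example (not from the article or WatchGuard), the Python below grades a Server: header by how much it discloses, using the level names of Apache’s ServerTokens directive, and lists the real configuration directives that trim it; the sample HTTP response and its X-Powered-By value are constructed.

```python
import re
from typing import Dict, List, Tuple

# Matches either a parenthesised comment such as "(Ubuntu)" or a
# product token such as "Apache/2.2.8" (the version part is optional).
_TOKEN = re.compile(r"\(([^)]*)\)|([A-Za-z0-9_.+-]+)(?:/([^\s()]+))?")

Token = Tuple[str, str, str]  # (kind, name, version)


def parse_server_header(value: str) -> List[Token]:
    """Split a Server: header into product, comment and extra tokens."""
    tokens: List[Token] = []
    for comment, name, version in _TOKEN.findall(value):
        if comment:
            tokens.append(("comment", comment, ""))
        elif version or not tokens:
            tokens.append(("product", name, version))
        else:
            # Versionless filler such as "with" or "Suhosin-Patch".
            tokens.append(("extra", name, ""))
    return tokens


def disclosure_level(value: str) -> str:
    """Grade a Server: header with Apache's ServerTokens vocabulary.

    Prod  -> "Apache"                Major -> "Apache/2"
    Minor -> "Apache/2.2"            Min   -> "Apache/2.2.8"
    OS    -> "Apache/2.2.8 (Ubuntu)" Full  -> OS plus loaded modules
    """
    tokens = parse_server_header(value)
    products = [t for t in tokens if t[0] == "product"]
    if not products:
        return "none"
    if len(products) > 1 or any(t[0] == "extra" for t in tokens):
        return "Full"
    if any(t[0] == "comment" for t in tokens):
        return "OS"
    version = products[0][2]
    if not version:
        return "Prod"
    dots = version.count(".")
    return "Major" if dots == 0 else "Minor" if dots == 1 else "Min"


def audit_response(raw: str) -> Dict[str, object]:
    """Report version-disclosing headers found in a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    server = headers.get("server", "")
    level = disclosure_level(server)
    report: Dict[str, object] = {"server": server, "server_level": level}
    leaky = level not in ("none", "Prod")
    for extra in ("x-powered-by", "x-aspnet-version"):
        if extra in headers:
            report[extra] = headers[extra]
            leaky = True
    report["needs_masking"] = leaky
    return report


def suggested_fixes(report: Dict[str, object]) -> List[str]:
    """Real configuration directives that reduce the disclosure found."""
    fixes: List[str] = []
    server = str(report["server"]).lower()
    if report["server_level"] not in ("none", "Prod"):
        if server.startswith("apache"):
            fixes += ["ServerTokens Prod", "ServerSignature Off"]
        elif server.startswith("nginx"):
            fixes.append("server_tokens off;")
    if str(report.get("x-powered-by", "")).upper().startswith("PHP"):
        fixes.append("expose_php = Off")  # php.ini
    return fixes


# Constructed sample response; the Server: line is the one quoted above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.8 (Ubuntu) PHP/5.2.42ubuntu5.6 with Suhosin-Patch "
    "mod_ssl/2.2.8 OpenSSL/0.9.8g\r\n"
    "X-Powered-By: PHP/5.2.4\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# The same server after ServerTokens Prod and expose_php = Off (constructed).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html></html>"
)

if __name__ == "__main__":
    for raw in (SAMPLE_RESPONSE, HARDENED_RESPONSE):
        rep = audit_response(raw)
        print(rep["server_level"], rep["needs_masking"], suggested_fixes(rep))
```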
Use non-standard naming conventions. Operating
systems and servers often have default users and
groups. Why not rename them? Rename the default
‘administrator’ username to ‘neo’, or whatever
comes to mind. A smart attacker may still be able
to discover how you renamed all the default users
and groups, but any attack tools or scripts that rely
on default installs will fail to operate.
These are just three worthwhile examples of obscurity, but I could go on.
By itself, security through obscurity is not to be
relied on. However, obscurity can further bolster
your defences when added as a complementary
layer to true security controls. The fake rock with
the key under it only offers the illusion of defence,
since the burglar can enter by the front door if he
finds your key. But imagine the same fake rock with
a combination lock. Though the lock is the only true
security control, coupling the lock with the hidden
rock presents a far stronger security solution.
So, the lesson to learn is that not everything is
what it seems on face value. In this fight against
cyber criminals and hackers, we need to take a
fresh look at all the options.
For more information visit: wickhill.com/whg/wg2a
IS YOUR VIRTUAL NETWORK SECURE?
By David Phillips, Kaspersky Lab Product Manager, Wick Hill
You’ve moved to virtualisation and everything is up
and running. You have probably virtualised all your
servers, so that your business-critical databases,
CRM systems, ERP applications and email all reside
in a virtual environment. You’ve started to experience
the operational, performance and cost gains you’d
hoped for, but there may be something critical you
have overlooked. Have you thought about security?
There are a lot of misconceptions about security in
a virtual environment and one of the most common
is that a virtual environment is more secure than a
physical one. It would be nice, but, unfortunately it
just isn’t true. Malware attacks don’t discriminate.
Have no doubts - you’re just as much at risk with a
virtual device as a physical one.
Other reactions to the question of security in a virtualised environment include “Security is not my responsibility” or “Yes, I have considered this and we have implemented the same security as we had in our physical environment.”
Sad to say, cybercriminals pay little regard to the
environment. They are just looking for the easiest
way in! Being virtual won’t protect you. There are
even Trojan attacks designed specifically to attack
virtual machines.
Another mistaken idea is that malware cannot
survive the decommissioning of non-persistent
virtual machines (VM). Unfortunately, also not true.
Some malware can jump from VM to VM and from
host to host. The volume of malware is constantly
growing, adapting and redefining itself so it can do
the most damage, leaving both physical and virtual
environments at risk.
There are three options for securing your virtual
infrastructure – that is, of course, excluding the
fourth option of having no security at all!
1. Traditional ‘agent-based’ security
This can provide you with a good solution, although
there are some significant disadvantages. Your
reasons for moving to a virtual environment
probably included cost savings and optimisation.
If you install software which isn’t optimised for
a virtual estate, you are loading a separate copy
of anti-malware, software and signature updates
on every endpoint. This duplication is massively
wasteful in a VM environment.
On top of this you have the resource nightmare of
potential ‘AV storms’. All your VMs updating at the
same time slows everything down and can even
bring your environment to a complete halt. You can
also leave your systems vulnerable through what’s
known as an ‘Instant On Gap,’ the window of time
after a VM spins up, but before the agent on that
VM downloads the latest security updates.
For virtual systems, optimum consolidation ratios
(the greatest possible density of VMs for your
money) are the main goal. Traditional protection
is inefficient in virtual environments, taking up
resources which could be used to add more
VMs. However, at least with this approach, you
are protected and have not left your systems
vulnerable to attack.
2. ‘Agentless’ Security
This is specifically designed to optimise security
in a virtual infrastructure. The security software
is loaded onto its own secure virtual machine
and no agent resides on the other VMs in the
estate. This allows them to run smoothly with no
duplication or redundancies, helping to make the
most of your investment. It also means you can
get the security up and running very quickly and
there is no need for time consuming reboots.
This approach is at the other end of the spectrum
to the ‘agent-based’ approach, addressing most,
if not all, of the downsides. However, there are a
few drawbacks.
Firstly, you are relying on your security vendor
integrating with the virtualisation vendor. This
means that the range of advanced features such as
application control, device control and web control
may not be available to you. Also, some virtualisation
vendors don’t have the technology inbuilt to enable
this approach. You are moving back to pure antivirus/anti-malware protection, with none of the
enhanced options endpoint security gives you.
So if ‘agent- based’ is at one end of the spectrum
and ‘agentless’ is at the other, is there another
option that gives you the best of both worlds? The
answer is yes - with ‘light-agent’ security.
3. ‘Light-agent’ security
In this architecture, the security software is still
loaded onto a secure virtual machine, but an
additional lightweight agent is installed on each
VM. This unlocks the potential for deeper, multi-layered protection, including features such as
web, device and application policy enforcement.
Now you have achieved most of the benefits of the
‘agent-based’ and ‘agentless’ approach, giving
you the flexibility to set up the most appropriate
security posture for your environment.
However, you might be wondering how you
are supposed to manage all of this, and your
workstations, laptops and mobile devices. You
are managing enough different consoles at the
moment. You want to keep things as simple and
straightforward as possible because complexity is
the enemy of security.
It is possible to manage all types of endpoints from one single console and there are security vendors providing this type of solution, one which allows you to effectively manage your security policies and close any gaps that would exist when using multiple products and management consoles. However, be aware that not all ‘single’ consoles are identical. Some provide a portal into multiple other consoles (with different interfaces).
Conclusion
Kaspersky Lab has a platform that supports all
of these options. Kaspersky Endpoint Security for
Business is ‘agent-based’ and offers a full range of
endpoint security features including application, web
and device control; mobile security and mobile device
management; encryption; systems management;
and, of course, award-winning, multi-layered anti-malware technology. This can be installed on a
wide range of virtual platforms. Kaspersky also have
Kaspersky Security for Virtualization, if you decide to
go for the ‘agentless’ and ‘light agent’ approach.
Whatever you choose, you can still manage
everything through one single console because the
Kaspersky Security Center gives you the flexibility to
have a mixed physical and virtual environment, all
managed from one place.
There are other solutions out there that provide
many of the above benefits. However, with the
continuing rapid changes in the threat landscape,
one thing is certain - doing nothing is no longer a
viable option.
For more information visit: wickhill.com/whg/wh4a
A CRITICAL VULNERABILITY IN THE MEDIAWIKI WEB PLATFORM
By Ian Porteous, SE Manager at Check Point Software Technologies UK
When a web platform is widely adopted, any
vulnerability in the code is amplified across the
internet. So when an update to the MediaWiki
platform – the simple, distinctive database used
by Wikipedia and similar websites – appeared to
have introduced a dangerous Achilles heel, the
effects could have been serious.
The Check Point vulnerability research team
found a flaw in the MediaWiki code that would
have allowed an attacker to perform remote code
execution, or RCE. This in turn would have given
them access to the system, enabling vandals or
criminals to alter files and settings and potentially
gain complete control.
The vulnerability, assigned CVE-2014-1610
by the MITRE organisation, appeared to have
stemmed from the 1.8 update. All systems
running MediaWiki version 1.8 and onwards are
affected by it.
A specific non-default setting must be activated
before the vulnerability presents itself on a
system. Security experts remain unsure how many
MediaWiki deployments have been affected, but
the impact was confirmed to have hit some of the
largest – including Wikipedia itself.
Patching the hole
Check Point notified the WikiMedia Foundation
– the organisation that developed MediaWiki
and that runs Wikipedia, Wiktionary, Wikimedia
Commons and more – as soon as this potential
hazard was discovered. Once the organisation
had verified the threat, it developed a software
update to patch the hole and had utilised it on
its own servers within 45 minutes. The fix itself
is described on Wikimedia’s bug report system
as “trivial”.
On the same ‘immediate critical’ thread in the
bug report system, developer and security
expert Chris Steipp states that: “Shell meta
characters can be passed in the page parameter
to the thumb.php”, which would allow anyone to
execute shell code on that particular server. He
describes the threat as “very serious”.
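As an added illustration (not MediaWiki’s code), the Python below shows the bug class Steipp describes, a request parameter pasted into a shell command string, beside the hardened form that passes an argument vector and allowlists the parameter; the function names, the convert path and the width limit are assumptions.

```python
import re
import shlex
from typing import List

CONVERT = "/usr/bin/convert"  # assumed path to the image tool a thumbnailer calls

# Characters a POSIX shell gives special meaning to; any of them inside an
# interpolated parameter can change what the command line does.
SHELL_META = set(";&|`$<>()\n\"'\\*?[]{}~#!")


def thumb_command_unsafe(page: str, width: int) -> str:
    """The vulnerable pattern: user input pasted into one shell string.

    Handing this string to a shell (os.system, subprocess with shell=True)
    lets shell metacharacters in `page` rewrite the command.
    """
    return f"{CONVERT} {page} -resize {width} thumb.png"


def contains_shell_meta(value: str) -> bool:
    """Detection helper: does a parameter carry any shell metacharacter?"""
    return any(ch in SHELL_META for ch in value)


# Allowlist for the page parameter: starts alphanumeric (so it cannot be
# mistaken for an option), then a short set of ordinary filename characters.
_PAGE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,254}")


def validate_page(page: str) -> str:
    if not _PAGE_NAME.fullmatch(page) or ".." in page:
        raise ValueError("page parameter rejected")
    return page


def is_safe_page(page: str) -> bool:
    try:
        validate_page(page)
        return True
    except ValueError:
        return False


def thumb_command_safe(page: str, width: int) -> List[str]:
    """Hardened form: an argument vector for subprocess.run(argv, shell=False).

    No shell ever parses `page`, so metacharacters are inert, and the
    allowlist rejects anything outside the expected shape anyway.
    """
    if not isinstance(width, int) or not 1 <= width <= 4096:
        raise ValueError("width rejected")
    return [CONVERT, validate_page(page), "-resize", str(width), "thumb.png"]


def quoted_for_shell(argv: List[str]) -> str:
    """If a shell string is unavoidable, quote every argument individually."""
    return " ".join(shlex.quote(arg) for arg in argv)


if __name__ == "__main__":
    print(thumb_command_unsafe("Foo;bar.png", 120))  # the ';' splits the command
    print(is_safe_page("Foo;bar.png"))               # rejected by the allowlist
    print(quoted_for_shell(thumb_command_safe("Foo bar.png", 120)))
```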
“It only takes a single vulnerability on a widely
adopted platform for a hacker to infiltrate and
wreak widespread damage,” said Dorit Dor, vice
president of products at Check Point Software
Technologies.
“The Check Point Vulnerability Research Group
focuses on finding these security gaps and
deploying the necessary real-time protections
to secure the Internet. We’re pleased that the
MediaWiki platform is now protected against
attacks on this vulnerability, which would have
posed great security risk for millions of daily
‘wiki’ site users.”
In addition to the patch, Check Point has delivered updated protections via ThreatCloud, a collaborative knowledge base that distributes dynamic intelligence to security gateways in real time.

The fact that the patch has been released, wider protections are in place, and that there have been no known instances of the vulnerability being exploited, does not mean that the threat has gone away. Criminals may attempt to exploit this hole on any MediaWiki applications that have not yet been patched. Anybody currently running MediaWiki for any purposes, internal or web-facing, should patch their installation as soon as possible and follow any further guidance from the Wikimedia Foundation.

There is also the possibility that malicious software could be spread to users’ computers, making it imperative that all users of the MediaWiki platform use the security patch.

Hackers being able to compromise and infect an application as widespread as MediaWiki could be disastrous for the hundreds of thousands of installations deployed worldwide – and for their millions of daily users.

Only two similar vulnerabilities have been discovered in the MediaWiki web platform since 2006, so this revelation will be of significance to both the internet security industry and the hacker community.

A giant target

The MediaWiki web platform is an extremely popular, widely-used and open-source collaborative database system that allows for very straightforward indexing and linking between pages. In addition, it enables users to easily create, delete, modify and edit content without using code.

The most famous MediaWiki web platform application is Wikipedia, the sixth most visited website in the world. With 2 million sites linking to it and monthly traffic of approximately 94 million unique visitors, an attack would be disruptive and very high profile. As such, it would be a prized target for hackers, criminals or vandals.

But tens of thousands of additional websites, ranging from collaborative health encyclopaedias to popular online resources such as WikiLeaks, also use the MediaWiki software and were therefore vulnerable to this type of attack. The same is true of some internal sites and databases that also run the MediaWiki platform.

It is hoped that large sites will quickly patch their installation of MediaWiki, but many of the smaller sites run by amateurs may not be organised or run in accordance with best practice, and could remain unpatched if their administrators do not follow guidance on the subject.
For more information visit: wickhill.com/whg/cp4a
People Are The New Perimeter
Martin Lethbridge, a senior security consultant at WatchGuard Technologies, looks at the
changing nature of the network perimeter and how to secure it
The traditional idea of the network perimeter
and how to defend it is changing. The fact is that
people are the new perimeter. More often than
ever before, they are working offsite and a recent
global WatchGuard survey of IT professionals
showed that 75% of high value employees work
from home at least one day a week. And the
higher-level the executive, the more likely he or she
is to be working with the most valuable company
intellectual property and sensitive information on
their home devices or in their email files.
The problem is that these executives in their Small
Office Home Office (SOHO) environments present
a weak link in an organisation’s security. “It’s no
secret that attackers go for the weakest link when
trying to get into a corporate network and this is
often a home office or small office user. Yet, many
organisations continue to rely on little or no security,”
said Mike Jude, senior analyst at Frost & Sullivan.
Researchers at the security firm Team Cymru
recently underlined this threat when they traced a
campaign that successfully compromised 300,000
SOHO routers – mainly in Europe and Asia – using
man-in-the-middle attacks to two UK IP addresses.
This type of compromise has the potential to redirect
connected end users to malicious websites that steal
banking passwords or push booby-trapped software.
The campaign comes just weeks after researchers
from several unrelated organisations uncovered
separate ongoing mass hacks of other routers.
The WatchGuard study found that 56 percent of IT
professionals believe basic VPN access provides
the necessary protection against today’s SOHO
threat landscape. But while VPN access has long
been the standard for protecting communications
for home-based employees, if your endpoint
device is not protected at the same level as
your enterprise network, the VPN tunnel simply
provides an open window into your business. A
VPN may establish a secure connection between a
home user and an enterprise, but it can’t deal with
threats, infections or malware, etc., which may
already exist on the end-users’ laptops or PCs,
leaving data vulnerable to theft and compromise.
According to the survey, more than 82 percent of
companies allow employees to access the corporate
network from a small office or home office location;
but nearly 30 percent do not require a gateway
security device. For those that do, only 23 percent
require users to use security products similar to those
used in the corporate headquarters, with features
such as intrusion prevention, anti-virus, data loss
prevention, application control, anti-SPAM and more.
So, it’s clear that it is time to ‘beef up’ SOHO
security in this new distributed enterprise where
people are the new boundaries. New gateway
security is needed to provide defence in depth for
employees working from a remote location with
layers of security to safeguard an organisation’s IP,
data and confidential records.
With a new generation of low-cost SOHO Unified
Threat Management (UTM) platforms, enterprises
can now extend powerful network security to small
office home office (SOHO) environments. The ability
to leverage the power of a UTM solution in remote
locations and manage them from a single, central
console gives IT a powerful tool for administering and
enforcing policy. With new real-time security visibility
tools, IT administrators can also get ‘big-data’-style
views of key threats and top site usage across an
entire user base, giving them a clear understanding of
what’s happening across their national or international
distributed network. And with a full UTM suite on site,
SOHO users will not experience the latency normally
caused by backhauling traffic through the corporate
servers to ensure protection.
There is no turning back to the simpler days of
protecting a fixed network perimeter. IT professionals
need to realise where the threats exist and take the
right measures to protect all points of weakness,
wherever they are.
For more
information visit:
wickhill.com/whg/wg4a
360° APP SECURITY
By Jan Valcke, President & COO at VASCO Data Security

The mobile revolution is inexorable. Mobile devices such as smartphones, netbooks and tablets proliferate in today's personal and professional environments. In order to adapt to the fast-paced virtualization and mobilization trend, organizations worldwide will have to make their applications, data and corporate information accessible from any portable device for customers, suppliers and employees.

Protecting access to applications such as m-commerce or m-banking services, or to corporate networks, therefore becomes essential. However, any security system is only as effective as its weakest link. Consumers and employees often use the same passwords for a multitude of professional and personal applications. By reusing the same password over and over again, they put every application containing confidential information at risk, however unwillingly and unknowingly. Furthermore, mobile devices are often not password-enabled and lack the ability to authenticate users and control access to the data stored on them.

Strong authentication

Application security must be addressed across different components and at multiple layers. Each component of an application poses a potential security risk. Nowadays, software development kits are available that provide comprehensive modules, giving you all the necessary building blocks to customize security at the point of entry.

Secure storage, secure channel, secure environment

Additionally, these solutions offer features to secure the environment in which the application resides, such as jailbreak and rootkit detection and geolocation. Secure storage is also provided, as well as a secure channel to ensure end-to-end encryption of business-critical data where relying on mainstream technologies like HTTPS alone may not be enough. It is not enough to secure the perimeter: solutions need to ensure files are secure while they are being worked on.

The mobile ecosystem is a rapidly growing platform for delivering a wide variety of services, and software development kits can bring 360° security to it.

For more information visit: wickhill.com/whg/v2a

WEARABLE TECH; JUST HOW SECURE IS IT?
By Kaspersky Lab

Smartwatches and miniature electronic devices like Google Glass are part of the continued development of electronics that no longer just sit in your pocket; they also represent a change in the way we engage with our technology. This new class of personal devices allows access to the Web and applications with even greater convenience than smartphones and tablets. However, this plethora of new devices also brings several new security risks that their owners will have to address.

There are two ways to surf the Web from Google Glass: through Bluetooth pairing with a mobile device that shares its data network connection, or directly through Wi-Fi. The latter gives the user more freedom, since it doesn't require a separate mobile device in order to reach the Web. However, according to Roberto Martinez, researcher at Kaspersky Lab, this functionality also means that the Glass is exposed to network-based attacks, in particular man-in-the-middle (MitM) attacks, where the communication between two systems is intercepted.

This was demonstrated in an experiment conducted by Kaspersky Lab researchers: they attached the device to a monitored network and checked the data it transmitted. Analysis of the captured data showed that not all the traffic exchanged between the device and the hotspot was encrypted. In particular, it was possible to find out that the user being monitored was looking for airlines, hotels and tourist destinations. In other words, it was possible to profile the user, a simple form of surveillance.

"We admit that it is not a very damaging vulnerability, but even so, profiling via meta data from Web traffic exchange could become the first step of a more complex attack against the device's owner," said Roberto Martinez, who performed the investigation.

When the Samsung Galaxy Gear 2 was examined by Kaspersky Lab researcher Juan Andres Guerrero, he discovered the device is deliberately designed to make a loud noise and warn people nearby if it is being used to take a photo. A deeper look into the software of the Galaxy Gear 2 revealed that, after rooting the device and using Samsung's publicly available proprietary software tool ODIN, it is possible to enable the Galaxy Gear 2 to take pictures with its embedded camera silently. This obviously opens the door to scenarios in which the Galaxy Gear 2 could violate other people's privacy.

Silencing the camera is not the only way to turn the smartwatch into a spying tool. Dedicated apps for the Galaxy Gear 2 are loaded onto the device with the help of Gear Manager, a special app by Samsung designed to transmit an app from the smartphone to the smartwatch. As Guerrero discovered, when an app is installed on the smartwatch's operating system there is no notification shown on the watch display. This makes targeted attacks involving silent app installation possible.

"At this time there is no evidence to suggest that wearables are currently being targeted by professional APT actors," commented Juan Andres Guerrero. "However there is a twofold appeal presented by wearables that makes them a likely future target if they are widely adopted by consumers. In future the data collected by wearable devices is going to attract new players to the cyber-espionage scene."

For more information visit: wickhill.com/whg/kl3a

www.wickhill.com | 01483 227 600 | [email protected] | @wickhill | wickhill.com/linkedin
VIRTUALISATION SECURITY MYTHS – BUSTED!
Kirill Slavin, UK General Manager, and David Emm, Senior Security Researcher, at Kaspersky Lab

The requirements of today's modern business mean that the demands on virtual infrastructure and networks are ever growing. Virtualisation is becoming an increasingly mission-critical part of IT infrastructure and a growing platform for managing customer data, financial transactions, and the applications that businesses use every minute of every day. This reliance on the virtualised environment has moved the issue of how to secure it higher up the business agenda, with Kaspersky Lab research suggesting that for 21 per cent of enterprise-level IT managers it is one of their top three IT security priorities.

It is therefore imperative that virtual environments work as planned and are secure for modern businesses to be successful. Despite this, however, securing a virtual network is still something of a dark art, and all too often businesses apply security measures developed for physical machines, which can leave the business exposed to a whole raft of risks, from performance issues to security vulnerabilities.

With this growing global focus on virtualisation in mind, and in a bid to ensure businesses stay protected whilst getting the most from their investment, we'd like to highlight a few common misconceptions about virtualisation security, to guide CIOs and their IT managers towards smarter decisions about their IT security policies.

"I don't need additional security. The endpoint security software I use to protect my PCs, mobile devices and servers can protect my virtual environment too."

This is a very common perception, and can be the root cause of many challenges that IT departments face while trying to secure their virtual network. Most traditional endpoint security solutions aren't virtual-aware. So while they may provide the same protection they deliver on physical systems, they do so at the expense of performance; for example, having to download updates separately for each and every virtual machine.

"It may not be perfect, but my existing anti-malware doesn't interfere with the operation of my virtual environment."

It does, and performance issues can create security gaps that didn't exist before. Traditional endpoint security uses what's known as an agent-based model, where each physical and virtual machine gets a copy of the security program's agent and this agent communicates with the server while performing its security tasks. This works fine for physical machines, but if you have 100 virtual machines, you have 100 instances of this security agent plus 100 instances of its malware signature database running on a single virtual host. This high level of duplication impacts performance, wastes storage capacity and can result in a time-lag between boot-up and protection of the virtual machines.

"Virtual environments are inherently more secure than physical environments."

This just isn't true. Remember, virtualisation is designed to allow software, including malware, to behave as it normally would. In the end, malware writers will target any and all weak points in a business network to accomplish their criminal goals. As virtual networks become hosts for more critical business operations, the bigger the target they'll become.

Take into consideration the data held on your virtual network; it's just the same as it was on your physical machines. Virtual machines may be gateways to a server, or the server itself may be a virtual machine. Either way, the cybercriminals want access to the data. If an attacker compromises one virtual machine, it's possible for them to replicate their code across all virtual machines on the same physical server, further maximising their opportunity to steal important business data.

"Using non-persistent virtual machines is an effective way to secure my network."

In theory, this makes sense, as any machine that encounters malware is wiped away and recreated cleanly, something that happens with virtual desktop infrastructure every day. But security firms have begun seeing malware that is designed to survive the "tear-down" of individual virtual machines by spreading across a virtual network, allowing it to return when new virtual machines are created.

If the policy allows new machines to be easily created on demand, this can also result in "virtual machine sprawl", where a virtual machine could be created and forgotten, creating the risk of unmaintained virtual endpoints operating outside your IT department's knowledge or control.

Even if the rest of your virtual machines are secure, it's possible for one virtual machine to "eavesdrop" on the traffic to another, creating a privacy and security risk. And even a "non-persistent" infection can compromise sensitive information (a login or password, for example). Not to mention the fact that most virtual machines are "persistent" servers, meaning they're not shut down even in the event of a security threat. Recent research found that more than 65 per cent of businesses worldwide will have some form of server virtualisation within the next 12 months, and these servers need to be "on" all the time for the business to function, so the "tear-down" approach to security isn't viable in this situation.

"If I decide to use a specialised virtual security program, they're all more or less the same."

Most traditional endpoint security measures take an agent-based approach, but a virtualised environment needs flexibility to ensure total protection. In many cases this will be a blend of agentless and light-agent security, to provide advanced protection for a whole spectrum of different virtual environments, including VMware, Citrix and Microsoft. There is no one-size-fits-all solution, and the right application, or combination of applications, depends entirely on what you're trying to protect. A non-web-connected server is going to have entirely different security needs to a virtual desktop or a server that manages customer information.

The agentless model offers performance advantages by performing security tasks away from the virtual machine. This means, for example, that you only need to download anti-virus updates once, for all virtual machines. But there are limits to the ability of agentless software to perform advanced security management and network protection tasks on virtual endpoints. A light-agent solution, on the other hand, can offer the best of both worlds over existing agentless and agent-based security models by combining centralised control with extra security features, including application controls and web usage policy enforcement, for virtualised environments.

Specialised software and expertise are required to build and maintain a virtual network. So as virtualised environments become a standard feature of the business environment, it is critical that businesses deploy appropriate solutions that allow growth but maintain security.

For more information visit: wickhill.com/whg/kl1a

GETTING DEEPER INTO NETWORK TRAFFIC
Corey Nachreiner, CISSP and Director of Security Research, WatchGuard

First impressions only tell us so much. A book cover, for example, may give you some idea of what to expect, but you won't really know what it's all about until you read it. In the world of traditional network security, many solutions treat network traffic a bit like people who judge books by their cover.

These legacy appliances look at just enough of the network traffic to make educated guesses about its risk, but they lack sufficient context to make robust security decisions. To get enough security intelligence to protect against today's sophisticated threat landscape, you have to dig deeper. You have to go to Layer 7.

Layer 7 is the application layer of the Open Systems Interconnection (OSI) model, which characterises network communications in seven abstract layers. Most traditional network security appliances, like stateful firewalls, only pay attention to the first three or four OSI layers. The network layer (Layer 3) tells you the source and destination IP addresses of a particular communication, while the transport layer (Layer 4) tells you the ports it uses and the state of the connection.

But the information found in these first four layers only gives you basic knowledge about network traffic. It tells you the sending and receiving IP addresses and the network port the traffic uses, but this is barely enough to decide whether to block or allow it. And it is what it allows that causes the problem.

Today, changes in the threat landscape and IT environment have significantly lessened the protection four-layer inspection offers. Attackers and software developers have realised that everyone allows certain business-critical protocols, things like Web, DNS and email. As a result, new attacks and business tools alike ride on these protocols to ensure their communications get through.

For example, the rise of Web 2.0 has resulted in thousands of network applications communicating over the standard web ports, 80 (HTTP) and 443 (HTTPS). To a traditional four-layer security appliance, Facebook, Salesforce, Dropbox, Skype and BitTorrent all look the same. If you allow any web traffic through these legacy devices, your users can reach all these applications despite their differing risk and productivity profiles.

From a threat perspective, if attackers know web traffic is allowed, they will exploit drive-by download flaws to infect browsers and leverage web application flaws to steal data from servers. Since Layer-4 security appliances only act as an on/off switch for traffic, if you let any web traffic through, it all gets through.

Modern security appliances analyse all seven layers of network traffic, including the application layer. By understanding the application layer, these devices offer more intelligence about the communications passing through each port. For instance, they can identify the specific applications being used, what files are transferred and which users are associated with the communication, and even do security scanning at the application level to tell the difference between good and malicious traffic. This extra intelligence provides the context necessary to catch modern threats and to create security policies that reflect business needs. One caveat applies to HTTPS: unless the appliance is configured to decrypt the session, it can only act on what the client sends in the clear, such as the TLS server name and the server certificate.

Security professionals can no longer rely on first impressions and rules based simply on ports and IPs. Layer-7 inspection is the only way to provide the necessary level of intelligence to create granular policies based on users, applications and risk.

For more information visit: wickhill.com/whg/wg3a
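To make the Layer-4 versus Layer-7 contrast in Corey Nachreiner's "Getting deeper into network traffic" piece concrete, here is an added example in Python (not WatchGuard code). It classifies a handful of constructed flows twice: once by destination port alone, and once after reading the HTTP Host header or the TLS server_name (SNI) extension from the first client packet, which is the clear-text signal an appliance has for HTTPS before any decryption. The hostname-to-application table, the sample flows and the allow/deny verdicts are all illustrative assumptions.

```python
"""Layer-4 versus Layer-7 view of the same web flows. Added example, not
WatchGuard code: the hostname-to-application table, the sample flows and the
policy verdicts are constructed for illustration."""
import re
import struct

# Assumed application signatures: hostname suffix -> (application, policy).
APP_RULES = {
    "salesforce.com": ("Salesforce", "allow"),
    "facebook.com": ("Facebook", "deny"),
    "dropbox.com": ("Dropbox", "deny"),
}


def l4_decision(dst_port):
    """The legacy rule 'allow web': only the port is visible."""
    return "allow" if dst_port in (80, 443) else "deny"


def http_host(payload):
    """Layer 7 for plain HTTP: the Host header of the request."""
    m = re.search(rb"\r\nHost:[ \t]*([^\r\n]+)", payload, re.IGNORECASE)
    return m.group(1).decode("ascii", "replace").strip() if m else None


def tls_sni(payload):
    """Layer 7 for HTTPS: the server_name extension of the ClientHello, which
    is sent in clear before the session is encrypted. Returns None for
    anything that is not a ClientHello carrying SNI."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:   # handshake record, ClientHello
            return None
        p = 5 + 4 + 2 + 32                              # record hdr, hs hdr, version, random
        p += 1 + payload[p]                             # session_id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]   # cipher_suites
        p += 1 + payload[p]                             # compression_methods
        end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if etype == 0:                              # server_name extension
                q = p + 2                               # skip ServerNameList length
                while q + 3 <= p + elen:
                    ntype = payload[q]
                    nlen = struct.unpack("!H", payload[q + 1:q + 3])[0]
                    if ntype == 0:                      # host_name entry
                        return payload[q + 3:q + 3 + nlen].decode("ascii", "replace")
                    q += 3 + nlen
            p += elen
    except (IndexError, struct.error):
        pass                                            # truncated or malformed record
    return None


def identify_app(hostname):
    """Map a hostname to (application, policy) via the suffix table."""
    if hostname:
        host = hostname.lower().rstrip(".")
        for suffix, entry in APP_RULES.items():
            if host == suffix or host.endswith("." + suffix):
                return entry
    return ("unknown", None)


def l7_decision(dst_port, payload):
    """Apply the application policy; unidentified traffic on a web port falls
    back to the port rule (a deliberate, tunable choice)."""
    host = tls_sni(payload) if dst_port == 443 else http_host(payload)
    app, policy = identify_app(host)
    return host, app, policy or l4_decision(dst_port)


def build_client_hello(hostname):
    """Minimal well-formed ClientHello with one SNI entry, used as sample input."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"            # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"           # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed sample flows: every one of them is "web traffic" to a Layer-4 rule.
SAMPLE_FLOWS = [
    (443, build_client_hello("login.salesforce.com")),
    (443, build_client_hello("www.dropbox.com")),
    (80, b"GET /home.php HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"),
    (443, b"\x17\x03\x03\x00\x10" + bytes(16)),             # mid-session record, no SNI
]


def classify_flows(flows=SAMPLE_FLOWS):
    """(port, L4 verdict, hostname, application, L7 verdict) for each flow."""
    return [(port, l4_decision(port), *l7_decision(port, payload))
            for port, payload in flows]


if __name__ == "__main__":
    for row in classify_flows():
        print(row)
```

The port-only column says "allow" for all four flows; the Layer-7 column separates Salesforce from Dropbox and Facebook on the same ports, and shows what is left when the packet carries no application signal at all (the last flow), which is exactly where a policy has to choose between falling back to the port rule and denying by default.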
FIGHTING THE WAR ON DRUGS WITH REGEX...
By Stephen Millard, Channel Manager, Tibco Loglogic
One of the universal truths is that man will always
use tools in ways for which they weren’t intended.
That theme, I’ve noticed, applies to log data and
other forms of machine data more and more each
day. I almost didn’t believe one of my colleagues at
TIBCO LogLogic when he said he was using RegEx
as a weapon in America’s “War on Drugs”.
One of the drug problems in the US is the ever-increasing use of prescription medications for non-medical purposes. The Centers for Disease Control and Prevention estimates that 1 in 20 Americans falls into this category. Some states have implemented electronic prescription programs that require all prescriptions to be routed through the state's servers. That's where RegEx comes in.
My colleague was asked if he could automate
the process of ferreting out potentially fraudulent
prescriptions. The problem has two incarnations: (1) so-called "pill mills", doctors that write medically unnecessary prescriptions in exchange for cash, and (2) drug users that alter expired prescriptions. Armed with RegEx and loaded with
a list of target drugs, my colleague established a
set of search filters that look for suspicious things
like doctors who write an abnormally high level of
prescriptions for one or more of the target drugs.
Using TIBCO LogLogic’s searching and alerting
system, the potentially illegal transactions were
automatically sent to a policing agency via email,
where agents could follow-up based on the scope
and frequency of the reported abuse. How surprised
would you be if you were a “pill mill” doctor and
a law enforcement officer showed up just minutes
later with a list of questionable prescriptions you
had just written?!
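The two abuse patterns described above, a prescriber writing an abnormal volume of target drugs and a prescription presented after its own expiry date, map naturally onto a regex over the prescription log followed by a count and a comparison. The following is an added example in Python, not TIBCO LogLogic's code: the log line format, the prescriber identifiers, the drug watch list, the sample records and the alerting thresholds are all constructed assumptions.

```python
"""Regex search over prescription log lines for two abuse patterns: prescribers
writing an abnormal volume of target drugs, and prescriptions presented after
their own expiry date. Added example, not TIBCO LogLogic's code. The log format,
the prescriber ids, the drug list and the thresholds are constructed assumptions."""
import re
from collections import Counter
from statistics import median

# Assumed log line: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) rx_id=(?P<rx_id>\d+) "
    r"prescriber=(?P<prescriber>[A-Z]{2}\d{5}) drug=(?P<drug>[A-Za-z]+) "
    r"qty=(?P<qty>\d+)(?: expires=(?P<expires>\d{4}-\d{2}-\d{2}))?$"
)
TARGET_DRUGS = {"oxycodone", "hydrocodone", "alprazolam"}   # assumed watch list


def _constructed_log():
    """Synthetic log: one heavy prescriber, three normal ones, one script filled
    after its expiry date, and one line that does not match the format."""
    spec = [("CA10001", "oxycodone", 8), ("CA10002", "oxycodone", 2),
            ("CA10003", "alprazolam", 1), ("CA10004", "amoxicillin", 6)]
    lines, rx = [], 1000
    for prescriber, drug, n in spec:
        for _ in range(n):
            rx += 1
            lines.append(f"2014-11-03T09:{rx % 60:02d}:00 rx_id={rx} "
                         f"prescriber={prescriber} drug={drug} qty=30 expires=2014-12-03")
    lines.append("2014-11-03T10:15:00 rx_id=2001 prescriber=CA10002 "
                 "drug=hydrocodone qty=60 expires=2014-10-01")
    lines.append("2014-11-03T10:16:00 ERROR malformed record dropped by collector")
    return lines


SAMPLE_LOG = _constructed_log()


def parse(lines):
    """Yield the named groups of every line that matches the format; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def pill_mill_candidates(lines, ratio=3.0, min_count=5):
    """Prescribers whose count of target-drug scripts is at least `min_count` and
    at least `ratio` times the median count of their peers. Comparing against the
    peer median rather than a fixed number keeps the rule stable when the overall
    volume changes, and the minimum count stops a single script from alerting
    when the peer median is zero."""
    records = list(parse(lines))
    everyone = {r["prescriber"] for r in records}
    counts = Counter(r["prescriber"] for r in records
                     if r["drug"].lower() in TARGET_DRUGS)
    flagged = {}
    for who in everyone:
        n = counts.get(who, 0)
        peers = [counts.get(p, 0) for p in everyone if p != who] or [0]
        if n >= min_count and n >= ratio * median(peers):
            flagged[who] = n
    return flagged


def expired_at_fill(lines):
    """rx_ids presented after their own expiry date (ISO dates compare as strings)."""
    return [r["rx_id"] for r in parse(lines)
            if r["expires"] and r["expires"] < r["ts"][:10]]


if __name__ == "__main__":
    print("pill-mill candidates:", pill_mill_candidates(SAMPLE_LOG))
    print("expired scripts filled:", expired_at_fill(SAMPLE_LOG))
```

On the constructed log the volume rule flags only CA10001 and the expiry rule flags only rx_id 2001; the malformed line is ignored by the regex rather than breaking the run, which is the behaviour you want from a filter that sits on a live feed and forwards hits to an alerting system.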
This is just one of the many unexpected uses
I’ve seen of log and machine data recently. The
implications for both the supply side and the buyer side are huge. For example, as the number of use cases grows, the need for a unified log and machine data management solution becomes imperative. The cost, complexity and risk associated with storing data in different systems force that decision. The increased business agility is icing on the cake.
Similarly, the trend shows that making data easier to access and analyse for more and more users will separate the solution providers. Access to data is currently gated because most vendors need a swarm of highly technical contributors to collect and operationalise the data. Besides being excessively costly, this limits the number of potential business uses to only those with the highest ROI. Many solvable problems remain unsolved due to the cost and complexity.
Massive improvements in user accessibility
and “de-geekification” of implementations are
necessary to achieve the promise of Operational
Intelligence. A recent Spiceworks survey you can
find on our TIBCO blog shows that only 19% of
people are happy with their logging solution. What
is preventing you from making better use of your
log and other machine data?
For more
information visit:
wickhill.com/whg/tc2a
Making Sure That Cybercrime Doesn't Pay
By Ian Porteous, SE Manager at Check Point Software Technologies UK

Ransomware is a prolific family of malware that has risen to prominence over the past five years. Originally popular in Russia, ransomware places some sort of restriction on an infected computer before pressuring the user into paying for its removal. It shares certain elements with "scareware", a similarly heavy-handed and potentially frightening method of extorting money from computer users.

This is a highly effective tactic for the criminals, as most computer users are unaware that the problem could be dealt with like any other piece of malware, using software remedies rather than by caving in to the demands of the attacker.

The archetypal ransomware attack involves the criminals restricting access to a user's computer in some way, either by encrypting files so that the user can't use them or by compromising the operating system itself. Visual or email messages will then appear stipulating the criminals' demands, sometimes masquerading as a legitimate piece of antivirus or antimalware software. Payment is usually through non-conventional, low-accountability methods like MoneyPak or Bitcoin, which make it very hard to trace the criminals.

It's one of the most unpleasant forms of malware currently attacking the general public, as it places direct psychological pressure on victims and threatens them with the permanent loss of their data.

Victims pay up because they don't know what to do

Each successful "hit" only fuels the spread of this type of malware. But efforts have been made by the IT security industry to tear apart the code that enables criminals to extort money from computer users and to exploit the weaknesses inherent in it, just as they would with any piece of software.

An example of this is DirCrypt, a type of malware that targets the documents and images on a victim's computer and "pretends" to replace them with .rtf ransom notes. The damage appears to have already been done by the time the victim tries to open one of their documents and is greeted instead by a text file outlining the criminals' demands and payment details. What makes DirCrypt particularly irksome is that the same will happen to any files the user subsequently creates.

Reducing the proceeds of crime

Security experts discovered that this could be reversed, and that the user could successfully retrieve their data without having to pay the ransom. This was done through careful exploitation of the code involved, which had an "Achilles heel" that had not been addressed.

This development goes some way to reducing the profitability of ransomware, thus slowing its advance and making it a less lucrative trade for criminals. By minimising (or at least denting) the profits from each wave of ransomware, and by exploiting the fact that cybercriminals make mistakes just like other coders, the IT security industry is making the online landscape slightly safer for all computer users. Such recoveries depend on the malware author having made a mistake, though, so they are no substitute for offline backups that an infected machine cannot reach.

For more information visit: wickhill.com/whg/cp2a
TACKLING MOBILE DEVICE SECURITY
Ian Kilpatrick, chairman of Wick Hill Group, specialists in secure IP infrastructure solutions, suggests a way forward for dealing with mobile device security.

They only happen perhaps once in a generation, but right now we are at one of those key points of change in the computer industry that demand we look at things in a new light.

I'm talking about the convergence of communications, mobile devices and applications, high-speed wireless, and cloud access at a personal level. These are all driving functionality demands on businesses and creating new network environments. For many organisations, these changes are happening at too fast a rate.

The growth of mobile devices is at the centre of these developments. With their large data capacities, always-on capabilities and global communications access, they can represent both a business applications dream and a business risk nightmare.

For those in the security industry, the focus is mainly on deploying "solutions" to provide protection in this situation.

For some organisations, going into "lockdown" is the chosen solution. For other organisations, the legitimate business benefits of mobile devices mean they must learn to live with the situation and try their best to make it work securely.

Even organisations on "lockdown" can have challenging times dealing with staff "guerrilla" deployments, as many staff have mobile device skills and experience from their home use.

Undoubtedly, part of the solution is deploying the right tools to both minimise and report on the risks, such as mobile device management, tracking and RF management, authentication, encryption and behaviour management, as well as basic security measures on the mobile devices themselves. Such solutions are available from a variety of suppliers, including Kaspersky Lab, WatchGuard, Check Point, SafeNet, Becrypt, VASCO and Allot.

The human element

A much more important element, however, is actually changing the way that staff interact with the problem, and not just IT staff.

Currently, many organisations see dealing with these unprecedented risks as a challenge for the IT security team, whose role it is to protect the organisation.

Traditionally, that was a good working model. However, in our new, changed and rapidly developing network environment, which is experiencing immense pressure for fast change and fast deployment of new applications, it is not possible for most IT security teams to carry the responsibility of securing the whole business and every user single-handedly.

Security must be the responsibility of each individual user, every manager and every member of the Board. However, in practice, this is not actually happening. Only a small number of staff are formally sanctioned or sacked for failure to comply with mobile device policies.

Securing mobile devices

Risk analysis and risk acceptance
Before any mobile device, access, application or service is added, it should be signed off as accepted by the Board.

Planning
Planning for deployment should include security implementation or overt acceptance of the risk.

Embedding security
Security needs to be deployed with the solution, not after implementation.

Policies
Policies need to be clearly explained, not just set out in a policy document.

Processes
Processes need to be clear, as do consequences.

Education and staff involvement
Staff education is essential. This should be real education and not just a list of things staff can't do. If employees don't understand why they need to secure their own mobile devices or wireless connections, they certainly aren't going to be overly concerned about yours.

Deployment
Deployment of mobile devices, including security elements, needs to be sold to staff, i.e. get buy-in from staff that security is a key element of deployment, rather than presenting it as "security needs to be there, so live with it." Mobile device security and monitoring need to be introduced at the point of deployment. If this is a sign-off/buy-in situation, it gets management commitment and cuts negative activities around mobile device usage.

Monitoring and feedback loop
Monitoring is crucial. Making it clear to staff that you are monitoring is just as important. High visibility and regular feedback to all staff, on both success and failure in mobile device security, are key.

Analysis
The Board needs to have regular reporting of the security landscape, so they are aware of the level of threat and the levels of risk that they have accepted.

Forensics
If a security breach occurs through mobile device use, organisations need to know why it happened, if it could have been prevented and how it can be handled in the future. Forensic tools are important here. They are provided by companies such as Guidance Software.

Conclusion
Implementing a mobile device security strategy obviously then involves the deployment of the correct tools and reporting. Clearly this also raises the issue of the integration (or replacement) of existing tools with broader management and reporting solutions, but that is something to discuss on another day!
For more
information visit:
wickhill.com/whg/wh2a
TO ENCRYPT OR NOT TO ENCRYPT?
By James Taylor, Product Manager, Wick Hill Group
Encryption has always been a key part of network security and, in today's rapidly changing network environment of BYOD, the convergence of communications, the widespread use of wireless and the growing use of the cloud, it is more important than ever.

Encryption ensures that data at rest cannot be read by whoever gets hold of the medium, and that data in motion cannot be deciphered if it is intercepted. And, very importantly, in today's increasingly mobile world, it prevents unauthorised access to the data on any lost or stolen device.

Sounds like we should encrypt everything, but that's certainly not necessary. First we need to understand and define the risk by asking questions such as "Where is our sensitive data stored?", "With whom do we want to share our data?" and "How do we want to share our data?" Such questions will help us decide what should be encrypted and what should not.

Company payroll information, for example, could be classified as "Company Sensitive"; commercial affairs could be classified as "Company Confidential". The canteen menu, however, does not require any classification or encryption!

The next step is to review who accesses what data and how they access it. Questions that apply here might be "Does the HR officer work from home?" and "Do we need to share any financial records with our external accountant, or other external organisations?" The answers to this type of question will help us make informed choices about protecting data.

By adopting a protective data marking scheme, managing data loss at the gateway becomes a lot easier. You can now set a policy to allow or block sensitive data from being sent via the gateway. You can write a policy to automatically encrypt sensitive e-mails, depending on the document type, the sender or the recipient. Equally, for remote users, appropriate access permissions can be managed. All other points of egress can now be controlled: Dropbox, Hotmail, etc.

It's important never to forget the role of staff in security. If you give them responsibility for the management of sensitive information, it links them into the company's security policy. Staff training, and making sure employees have a thorough comprehension of their role in protecting data, is important, and this training should be regularly reinforced.

Because encryption for data at rest is mainly about theft or accidental loss, not every drive needs to be encrypted. If there is sufficient security (both physical and logical) where servers are housed, the data on them could be considered as being safe, though drives should still be wiped or destroyed when they leave that environment.

If you have a VDI infrastructure, there is probably no need for endpoint encryption, as the device you remotely connect from should be just a piece of glass with a keyboard, provided it is configured so that nothing is cached or downloaded locally. If you're operating on a fat client, however, then the ability to store sensitive documents on a local machine becomes a major concern.

Encryption should be used on desktop devices where sensitive data is stored locally and might be vulnerable. It would be very easy, for example, for a cleaner to open a desktop case and remove a drive. Of course, any portable device storing sensitive data should have both encryption and two-factor authentication protecting it.

For portable users, encrypting the VPN traffic back to head office should be fairly standard, with SSL or IPsec sessions being the norm. Portal access through public hotspots needs some special attention, and you should always make sure that the wireless connection is securely encrypted.

Although encryption is an essential part of any data leakage protection policy, it is not a complete solution. Port control, gateway protection, etc. should all complement encryption measures. However, one way to keep the Information Commissioner's Office off your back when that USB stick goes missing is to report that it was robustly encrypted. It's not a complete defence, but it does carry some weight.
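The protective marking scheme described above only pays off if the gateway can turn a marking into an action. The following added example in Python (not Wick Hill's or any vendor's product logic) shows the decision a gateway policy makes per outbound message: find the highest marking in the body or any attachment, then allow, encrypt or block depending on the channel and the recipients. The two marking labels and their ranking, the internal mail domain, the trusted external accountant's domain and the sample messages are constructed assumptions.

```python
"""Turning protective markings into gateway actions (allow / encrypt / block).
Added example, not Wick Hill's product logic. The marking labels and their
ranking, the internal domain, the trusted external domain and the sample
messages are all constructed assumptions."""
import re
from dataclasses import dataclass, field

# Assumed ranking of the two markings used in the article (higher = more sensitive).
LEVEL = {"COMPANY SENSITIVE": 1, "COMPANY CONFIDENTIAL": 2}
MARK_RE = re.compile(r"\b(COMPANY\s+(?:SENSITIVE|CONFIDENTIAL))\b", re.IGNORECASE)

INTERNAL_DOMAIN = "example.com"                 # assumed corporate mail domain
TRUSTED_EXTERNAL = {"accountants.example.net"}  # e.g. the external accountant
UNMANAGED_CHANNELS = {"webmail", "cloud-sync"}  # Hotmail, Dropbox and the like


@dataclass
class Message:
    sender: str
    recipients: list
    channel: str                                     # "smtp", "webmail" or "cloud-sync"
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> extracted text


def classify(msg):
    """Highest protective marking found in the body or any attachment, or None."""
    texts = [msg.body, *msg.attachments.values()]
    found = {re.sub(r"\s+", " ", m.group(1).upper())
             for text in texts for m in MARK_RE.finditer(text)}
    return max(found, key=LEVEL.__getitem__, default=None)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def decide(msg):
    """Return (action, reason) for one outbound message."""
    level = classify(msg)
    if level is None:
        return "allow", "no protective marking"
    if msg.channel in UNMANAGED_CHANNELS:          # personal webmail / consumer cloud
        return "block", f"{level} material over {msg.channel}"
    external = [r for r in msg.recipients if _domain(r) != INTERNAL_DOMAIN]
    if not external:
        return "allow", f"{level} stays within {INTERNAL_DOMAIN}"
    untrusted = [r for r in external if _domain(r) not in TRUSTED_EXTERNAL]
    if untrusted and level == "COMPANY CONFIDENTIAL":
        return "block", f"{level} to untrusted recipient(s) {', '.join(untrusted)}"
    return "encrypt", f"{level} to external recipient(s) {', '.join(external)}"


# Constructed sample traffic.
SAMPLES = [
    Message("catering@example.com", ["all@example.com"], "smtp",
            "This week's canteen menu is attached.", {"menu.docx": "Monday: soup"}),
    Message("hr@example.com", ["audit@accountants.example.net"], "smtp",
            "November payroll for review.",
            {"payroll.xlsx": "COMPANY SENSITIVE\nEmployee,Salary\nA. Smith,31000"}),
    Message("sales@example.com", ["rival@mail.example.org"], "smtp",
            "Company Confidential: Q4 pricing strategy attached.", {}),
    Message("hr@example.com", ["me@hotmail.example"], "webmail",
            "sending payroll home", {"payroll.xlsx": "company sensitive"}),
    Message("finance@example.com", ["cfo@example.com"], "smtp",
            "COMPANY CONFIDENTIAL board pack", {}),
]


def evaluate(samples=SAMPLES):
    """Action for each sample message, in order."""
    return [decide(m)[0] for m in samples]


if __name__ == "__main__":
    for m in SAMPLES:
        action, why = decide(m)
        print(f"{action:8} {m.sender} -> {', '.join(m.recipients)} via {m.channel}: {why}")
```

The unmarked canteen menu passes untouched, payroll to the accountant goes out encrypted, the Confidential pricing document to an unknown domain and the payroll copy sent through webmail are blocked, and Confidential material between two internal addresses is allowed. Note that the marking is looked for inside attachments as well as the body, since the document, not the covering note, is what carries the label.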
For more
information visit:
wickhill.com/whg/wh3a
Protecting Patients By Protecting IT
By Christian Bücker, Managing Director / CEO, macmon secure gmbh
Why IT security and Network Access Control
in medical IT networks can make an essential
contribution to patient security.
We hear a great deal about IT security in
hospitals, and standards such as DIN EN 80001-1 preach the necessity of relevant risk analyses
and precautionary measures. But what specific
situations can actually be identified and at which
points can IT security and the technology for
Network Access Control in particular help here?
Every medical technician and every IT employee in a
hospital knows that modern or newly acquired medical
devices can – or generally must – also be connected
to an IT network. At the same time, the office systems
of the doctors must be in the same network segment
or at least be able to communicate with the devices
in order for any results of examinations which have
been produced to be transmitted and processed
digitally. Manual transmission paths are now so
complicated that they are no longer acceptable.
Mobile devices with live access to patient information
are likewise becoming increasingly desirable as they
enable medical staff to act flexibly and quickly whilst
having continuous access to detailed information. In
brief, the requirements for a medical IT network have
already become so high that medical technicians
are finding it increasingly difficult to get to grips with
these requirements – this requires knowledge of IT,
which is not necessarily readily available.
It is generally very easy to make synergies
between medical engineering and the internal
IT department if the right solutions are put to
good use. Thus, for example, Network Access
Control is able to ensure a continually updated
overview of the entire network and to make
sure that no external devices can access the
network. The leading technology solution from
the German manufacturer macmon secure
even provides a graphical representation of
the topology, which achieves a very high level
of network transparency. At the same time, it
means that medical engineering can be given
the opportunity, via a simple portal solution, to
authorise new devices for the network any time
they are needed without having to inform and
involve the IT department.
If the hospital does not have the technical
resources to physically separate the networks (as
is recommended in DIN EN 80001-1), NAC is also
an extremely convenient way of separating them
based on VLANs and still maintaining flexibility.
The possible risks associated with using non-medical devices in the medical IT network are
thus significantly reduced. This also means that
the desire of medical staff to bring in and use their
own devices (smartphones, etc.) can also be fulfilled
and nonetheless be made secure. When choosing
the right NAC solution, we should therefore bear in
mind that it is also possible for users themselves to
register their own devices using a web portal, for
example. This reduces the time and effort involved,
the overview of the devices in operation remains
the same and it is possible to define in advance in
which network segments the “external” devices are
automatically located. As a result, unsecured and
unmonitored employee devices no longer end up in
the medical IT network “by mistake”. The overview
also automatically ensures that the devices of
former employees no longer have access.
However, managing and controlling network accesses
and authorisations also offers further benefits and
opportunities. For example, unsecured but necessary
devices can also be operated in a separate network
area which can communicate with the medical IT
network via a specified route. This route can then
be monitored and secured far more easily and cost-effectively than in widely distributed network segments.
In accordance with the EN ISO 60601-1 standard,
medical devices must, where reasonable, be fitted
with network isolators in order to protect any life-saving devices (and thus patients) from overvoltages.
Many older devices have not yet implemented this
protective mechanism, which means that mobile
network isolators are needed which are installed at
the network socket rather than on the device itself.
However, since medical staff cannot be expected to
check the network socket and the device before (often
spontaneous) use, automatic control can also be a
tremendous help or be the only way of controlling the
situation in this case too. Using NAC, the unprotected
devices and the network sockets fitted with an
isolator can be documented and monitored so that
the responsible medical technician is immediately
informed if an unprotected device is operated at an
unprotected socket.
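As an added illustration of the VLAN-based separation, portal self-registration, revocation of former employees’ devices and the isolator-socket check described in the preceding paragraphs, here is a small policy engine in Python. It is example code written for this page, not macmon secure’s product or code; the device inventory, socket list, employee list, segment names and MAC addresses are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set, Tuple


class Segment(str, Enum):
    """VLAN names are constructed for this example."""
    MEDICAL = "vlan-medical"          # devices authorised by medical engineering
    OFFICE = "vlan-office"            # clinicians' office systems
    BYOD = "vlan-byod"                # self-registered personal devices
    QUARANTINE = "vlan-quarantine"    # unknown or revoked devices, no medical access


@dataclass(frozen=True)
class Device:
    mac: str
    owner: str               # id of the employee responsible for the device
    kind: str                # "medical", "office" or "personal"
    isolator_built_in: bool  # the device itself carries a network isolator
                             # (only evaluated for medical devices)


@dataclass(frozen=True)
class Socket:
    port_id: str
    isolator_fitted: bool    # a mobile isolator is installed at the wall socket


# Constructed sample inventory (assumptions, not real data).
DEVICES: Dict[str, Device] = {
    "00:11:22:33:44:01": Device("00:11:22:33:44:01", "emp-100", "medical", True),
    "00:11:22:33:44:02": Device("00:11:22:33:44:02", "emp-101", "medical", False),
    "00:11:22:33:44:03": Device("00:11:22:33:44:03", "emp-102", "office", True),
    "00:11:22:33:44:05": Device("00:11:22:33:44:05", "emp-999", "office", True),
}
SOCKETS: Dict[str, Socket] = {
    "ward3-p1": Socket("ward3-p1", isolator_fitted=True),
    "ward3-p2": Socket("ward3-p2", isolator_fitted=False),
}
# emp-999 has left the organisation; its device must lose access automatically.
ACTIVE_EMPLOYEES: Set[str] = {"emp-100", "emp-101", "emp-102", "emp-103"}

KIND_TO_SEGMENT = {"medical": Segment.MEDICAL, "office": Segment.OFFICE, "personal": Segment.BYOD}


def register_personal_device(mac: str, owner: str) -> bool:
    """Self-registration portal: a current employee may add a personal device.
    It is recorded so the overview stays complete, and it will always be placed
    in the BYOD segment defined in advance, never in the medical one."""
    if owner not in ACTIVE_EMPLOYEES or mac in DEVICES:
        return False
    DEVICES[mac] = Device(mac, owner, "personal", isolator_built_in=True)
    return True


def assign_segment(mac: str, port_id: str) -> Tuple[Segment, List[str]]:
    """Decide which VLAN a device that just appeared on a port is placed in and
    return it together with any alerts for the responsible technician."""
    alerts: List[str] = []
    device = DEVICES.get(mac)
    if device is None:
        alerts.append(f"unknown device {mac} on {port_id}: quarantined")
        return Segment.QUARANTINE, alerts
    if device.owner not in ACTIVE_EMPLOYEES:
        alerts.append(f"{mac} belongs to former employee {device.owner}: access revoked")
        return Segment.QUARANTINE, alerts
    segment = KIND_TO_SEGMENT[device.kind]
    # Isolator check: a medical device without its own isolator is only
    # protected when the socket it is plugged into carries a mobile isolator.
    socket = SOCKETS.get(port_id)
    if device.kind == "medical" and not device.isolator_built_in:
        if socket is None or not socket.isolator_fitted:
            alerts.append(f"unprotected device {mac} at unprotected socket {port_id}: "
                          f"notify medical engineering")
    return segment, alerts


if __name__ == "__main__":
    for mac, port in [("00:11:22:33:44:02", "ward3-p2"), ("00:11:22:33:44:05", "ward3-p1")]:
        seg, alerts = assign_segment(mac, port)
        print(mac, port, "->", seg.value, alerts)
```

The unprotected device at an unprotected socket is still placed in its segment but raises an alert, matching the article’s description of documenting and monitoring rather than blocking; a deployment could equally quarantine it. Unknown and revoked devices never reach the medical segment, which is the “by mistake” case the text warns about.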
With the correct solution, a hospital’s security level
can therefore be considerably increased both quickly
and easily while at the same time various processes
are simplified or even made possible for the first
time. macmon secure even provides a separate
manual on introducing its Network Access Control
solution in hospitals which describes and supports
the introduction in accordance with DIN EN 80001-1. The roles and responsibilities of risk management,
the obligation to document the relevant information
and the necessary information on risk assessment
are described in full in this manual. As part of this,
possible hazardous situations associated with
incorporating macmon NAC in the medical IT
network are listed and analysed. This means that
all potential sources of danger can be thought out,
assessed and dealt with in advance with respect to
their risk for patients, users and third parties.
www.wickhill.com | 01483 227 600 | [email protected] |
For more
information visit:
wickhill.com/whg/mm4a
@wickhill
wickhill.com/linkedin