NOV/DEC 2014
Enterprise gamification: where did it all go wrong?
Storage outlook: 15 predictions for 2015
How to get through the new EU data regulation
Virtual builders: BAM Nuttall leads the way in 3D printing and augmented reality

[Advertisement: VMware, The Software-Defined Data Center] Want your business to be more agile, efficient and profitable? Start with your data center. VMware's software-defined data center virtualizes all data center resources and automates management, so computing, storage, network and security can reach new levels of agility and efficiency. By adopting this IT-as-a-Service approach, businesses are reducing operating costs and capital expenditures, while IT drives innovation and increases revenue. vmware.com/uk/sddc. Copyright © 2014 VMware, Inc.

editor's letter
Remember privacy?

Having recently attended a screening of CITIZENFOUR, a documentary about Edward Snowden, I feel inclined to reignite the debate around data protection in the digital age. I fear that people are becoming desensitised to the loss of what was once deemed a vital component of a free society: privacy. This was, of course, born from the emergence of ubiquitous telecommunications and the internet, which now touch almost everything we do in our daily lives. As a contractor for the USA's National Security Agency (NSA), Snowden became aware of the vast scale and intrusion of numerous global surveillance programs, including in the UK.
CITIZENFOUR documents the meetings in a hotel room with filmmaker Laura Poitras and The Guardian, where Snowden leaked the huge extent of government spying on the public's phone and data records. Snowden has been heavily painted as a villain by governments around the world, but I suspect – or, at least, hope – that he will be written into history books as a brave whistleblower who defied the law to prevent an escalating abuse of power.

In the recorded footage, Snowden makes it clear that his opinion on blanket surveillance is irrelevant in his decision to leak the highly classified information. Instead, he sacrificed his home, job and family – he had to leave the US immediately to avoid arrest and is now taking temporary asylum in Russia – to stand up for the people's right to debate issues that challenge their civil liberties.

As the first generation to grow up with the internet enters the workforce, I have begun to witness the public's concern for this fundamental right gradually fade. Too many people now simply accept that the government is essentially watching their every move – supposedly for their security – without challenging it. As technology's impact on our lives continues to grow, it is imperative that influencers fight for transparency – before true privacy is nothing but a distant memory.

Ben Rossi, Editor

November/December 14 information-age.com 3

contents
NOVEMBER/DECEMBER 2014 | information-age.com

On the cover (19)
As a profession as old as the hills, it would be easy to dismiss the innovation credentials of those who work in construction.
But, as BAM Nuttall displays, it is in fact an industry at the forefront of emerging technologies like 3D printing and augmented reality. 'Augmented reality is demonstrating to the client that they can visually see what is being built'

innovationage
Gamification focus (22): Information Age investigates where it all went wrong for enterprise gamification, and how it can rise again

storageage
2015 storage outlook (26): 15 storage predictions for the coming year – what is around the corner for the storage world in 2015?

networkage
Mobile untangled (32): Information Age attempts to find a definitive mobile strategy to support the connected enterprise

NEWS FLASH (8): Rounding up the top industry news and trends of the past month
INSIDER (10): How an old mainframe firm is enabling the Internet of Things
INSIDER (14): The inside track on this year's Data Leadership conference
DEPLOYMENT WATCH (17): A look at some of the latest deployments across the UK

securityage
Going soft on security (36): The software-defined trend has bulldozed its way through the server, storage and networking markets, but what does it mean for security?
IN THE BOARDROOM (42): Dell's CCO paints a healthy picture – but a dire one for HP
ANALYST EYE (44): IDC on how organisations can get through new EU data laws
PRODUCT CORNER (48): Apple's iPad Air 2 takes this month's product crown
COLUMN (50): Richard Lee gives his view on the latest open-data initiatives

EDITORIAL: Editor Ben Rossi (020 7250 7961); Staff Writer Chloe Green (020 7250 7956); Group Sub-Editor Alan Dobie; Researcher Stephen Grainger; Senior Designer John Howe; Junior Designer Ashley Humphrey
COMMERCIAL: Sales Manager Edward Young (020 7250 7950)
SUBSCRIPTIONS – INFORMATION AGE: Helena Smith (020 7250 7031)
VITESSE EVENTS: Head of Events Ben Brougham (020 7250 7051); Events Manager Julie Leggatt (020 7250 7043)
VITESSE MEDIA PLC: Executive Chairman Sara Williams (020 7250 7010); Deputy Chairman David Smith (020 7250 7010); Chief Executive Officer Niki Baker (020 7250 7010); Head of Investment Nick Britton (020 7250 7035); Director of Digital and Social Media Jonathan Sumner (020 7250 7032); Online Sales Manager (SME titles) John Bromley (020 7250 7954); Sales Manager (What Investment) Les Lubwama (020 7250 7033); Marketing Manager Jemma Redpath (020 7250 7039); Marketing Executive Carly O'Donoghue (020 7250 7055); Finance Manager Deborah Cummings (020 7250 7963); Accounts/Admin Assistant Ajith Benjamin (020 7250 7046)
Email: all email addresses are of the form [email protected]
Reprints & Licensing: 020 7501 1086
Information Age is published by Vitesse Media Plc, Octavia House, 50 Banner Street, London EC1Y 8ST. ISSN: 1359-4214. Printed by Stephens & George Magazines Ltd. © Vitesse Media Plc. All rights reserved. Contents may not be reproduced in whole or part without the written consent of the publishers.

Security Leadership: 12 February 2015, Central London
The antidote to the raft of hyperbolic, scaremongering security conferences that fill the IT calendar

Yes, the threat of cybercrime is real and a massive concern for organisations – large and small – throughout the world. The huge weight of responsibility to fend off attacks falls firmly on the shoulders of IT leaders. However, they have to work tirelessly to see through the waves of hype in order to gain a truly 360-degree view of security in their enterprise. This has left a large disconnect between the content and resources constantly pushed onto CIOs, CISOs and the like, and exactly what they need to do to ensure their organisation isn't the next highly publicised victim.

By focusing on exactly what matters to businesses when it comes to protecting their data, assets and infrastructure, Security Leadership takes a mature and sophisticated approach to educating its audience on threats, solutions and a clear roadmap for 2015. Through four targeted sections – people and process, infrastructure and cloud, mobile and BYOD, and prevention and business continuity – Security Leadership ensures its attendees leave with genuine insight into formulating an effective security strategy.
Speakers include: Martyn Croft, CIO, Salvation Army; Richard Godfrey, ICT Strategy, Infrastructure and Programme Manager, Peterborough City Council; Mark Ridley, Director of Technology, Reed.co.uk; Eusebio Echevarria, IT and Compliance Director, The Quintessentially Group; Jagdeep Bhambra, Independent Security Advisor; Julie George, Head of Information Security and Assurance, Post Office; Mike Loginov, Executive Director, ISSA UK; Dr Christopher Richardson, Head of BU Cyber Crime Unit; Sarah Lawson, Head of IT and Information Security, NPEU, University of Oxford; Hussein Hassanali, CISO, Bank AL Habib; Graham Francis, Director of IT Services, Havering Sixth Form College. SECURITYLEADERSHIP.CO.UK

newsflash
NEWS / TRENDS / EVENTS @informationage

Winners

AWS: Amazon Web Services (AWS) has helped allay EU privacy concerns by opening a data centre in Frankfurt. The data centre is the company's second in Europe, after Ireland, and AWS says it will allow its customers' content to fall entirely under the umbrella of European data protection laws. It hopes this will trigger more acceptance for the cloud.

Losers

Intel: The computing giant saw a 9% revenue increase year on year in its third quarter of 2014, with revenue of $14.6 billion, after shipping record numbers of PC and server processors. It shipped more than 100 million microprocessors in a quarter for the first time. However, Intel's mobile business continued to generate large losses for the company.

IBM: Big Blue is going through a rough financial transition as it shifts its strategy from hardware to cloud, with a marked slowdown in sales. Its third quarter results showed net income had shrunk by 17% and revenue was down 4% year on year. CEO Ginni Rometty called the performance 'disappointing'.

Drupal: The content management platform issued a security warning to users saying more than 12 million websites may have been compromised by attackers who exploited a SQL injection bug in Drupal 7 core (advisory SA-CORE-2014-005).
The warning said users who did not update their software within seven hours of the advisory's release should assume their site was compromised.

EU PLEDGES €7.8 MILLION TO OPEN-DATA STARTUPS

The European Union has committed €7.8 million to a Europe-wide programme for open-data entrepreneurs. The call for submissions will open in spring 2015 to startups looking to build their business models around using or publishing data in order to create insight into their own products or services, or create new ones. In collaboration with London's Open Data Institute (ODI) and the University of Southampton, the programme will recruit approximately 50 startups over 30 months, with €5.5 million of the total allocated to the successful applicants to develop their concepts. They will also receive mentoring, technology, infrastructure and networking support.

The new EU incubator is based on the success of the ODI's own startup programme, which provides funding and hands-on support for small and fast-growth businesses. In the last 12 months, ODI startups that use or produce data as part of their services have generated over £12 million. The new EU-wide open-data incubator forms part of a €14.4 million initiative to catalyse open-data initiatives across Europe, which will also include an EU-wide research network and an academy for training data scientists.

GCHQ HEAD SAYS WEB GIANTS ARE AIDING TERRORISTS

US web companies including Twitter, Facebook and WhatsApp have become 'command and control centres' for extremist groups and are in denial about their platforms' misuse, according to GCHQ chief Robert Hannigan. Extremist group Islamic State (IS) uses these messaging services as 'a noisy channel in which to promote itself, intimidate people, and radicalise new recruits' thanks to their use of encrypted traffic, said Hannigan.
He also warned that GCHQ and other international intelligence agencies, such as MI5 and the Secret Intelligence Service, could not tackle these challenges 'at scale' without greater cooperation from the technology companies. Hannigan added that he understands why tech giants 'have an uneasy relationship with government' as they aspire to be neutral conduits of data and to sit outside or above politics, 'but privacy has never been an absolute right and this should not become a reason for postponing urgent and difficult decisions'.

WHITE HOUSE ATTACKED BY RUSSIAN HACKERS

The White House has revealed that its internal networks were targeted by hackers thought to be working for the Russian government. Agencies such as the FBI and Secret Service were drafted into investigating the three-week-long breach, which bears the hallmarks of a state-sponsored attack. The extent of the breach and data loss has yet to be established. 'Our computers and systems have not been damaged, though some elements of the unclassified network have been affected,' said a White House spokesperson in a statement. 'In this case, we took immediate measures to evaluate and mitigate the activity.' Security firm FireEye identified Russia as a possible culprit, saying that a cyber-espionage campaign had been directed at potential targets of interest to the Russian government, such as European governments, militaries and security organisations.

HP TO SPLIT

HP has confirmed reports that it plans to break into two companies to help support its turnaround plan. One company will comprise its enterprise hardware, software and services, and will be known as HP Enterprise, while the other will be made up of its consumer PC and printing business, known simply as HP Inc. HP said it will complete the break-up by the end of next year, and that both companies will remain publicly traded. Shareholders will retain shares in both.
The month in numbers

68%: 68% of organisations believe 'business-at-the-speed-of-paper' will soon be 'unacceptable' (AIIM)
65: The average UK business loses 65 hours of employee time a day due to IT underperformance (Epson)
29%: 29% of businesses reported accidental data leaks by staff (Kaspersky)
£10BN: The UK economy faces a £10 billion deficit if smart technology usage doesn't pick up in the next 12 months (Samsung)
3.3%: IT budgets are set to grow 3.3% in 2015, hitting a five-year high (CEB)
18,000: Microsoft has almost concluded plans to eliminate 18,000 positions as part of major job cuts it has carried out over the course of the year
15%: As of October, IT job postings on Indeed.co.uk have increased 15% since September 2013. There are currently 139,833 IT job postings, the largest of any sector except retail (Indeed)
60%: 60% of Gen X and Gen Y professionals feel their organisation's HR department is adjusting to enable a more mobile, flexible work style for its employees, though two in five feel this is not happening quickly enough (Cisco)

insider
German-engineered innovation
Information Age got the inside track on how a 45-year-old German mainframe company is re-emerging as a global integration enabler for the Internet of Things

The software vendor market is a lot like natural selection: in the constantly shifting landscape of enterprise technology, it's a matter of 'survival of the fittest' and 'evolve or die'. As a result, some of the most interesting and ambitious players are the ones that have been to the brink of extinction and had to fight tooth and nail to stay in the game. German vendor Software AG may well be one of them, and if its recent company conference – Innovation World in New Orleans – was anything to go by, it has firmly established itself back in the pecking order.
When current CEO Karl-Heinz Streibich took over in 2003, the company's bread and butter had been its mainframe database since it appeared on the scene in 1969, but like so many others it was floundering in the emerging environment of virtualisation and the cloud. After a difficult transition period in which it saw net losses of €9.3 million in the first quarter of that year, Streibich successfully steered the company back to profit a year later, through an intense focus on innovating around its business process management (BPM) business line.

>> CEO Karl-Heinz Streibich has re-engineered Software AG as an innovative integration partner

Now Software AG turns over more than €1 billion and is Germany's second-largest software vendor behind SAP. BPM is its biggest earner, accounting for around 60% of the company's revenue and projected to reach 80% by 2018.

As well as some major changes to internal structure and the expansion of the Software AG partner ecosystem, Streibich oversaw the acquisition of several key additions to the service-oriented architecture (SOA) arsenal, including the webMethods BPM suite in 2007. This was complemented by multiple buys such as in-memory platform Terracotta in 2011 and complex event processing (CEP) platform Apama Streaming Analytics in 2013, as well as several other investments in the analytics space. It also got portfolio and project management pinned down with its Alfabet acquisition last year.

Forrester identified 52 vendors in the space in 2013, making it a crowded marketplace. A few years ago, many were wondering how Software AG would level itself against mega-vendors in the space such as Oracle and IBM.
But although still quietly modest in its marketing, it has a loyal enterprise customer base that includes 70% of Bloomberg Businessweek's Global 1,000 companies, and has proven itself hugely competitive as a 'middleware hub', building on more than 35 years of experience in good, reliable German-engineered mainframe computing to take on the integration challenge.

Global transformation

It's fair to say that Software AG has methodically transformed itself from its German and mainframe roots into a global integration player with a comprehensive, functionally rich suite for the digital enterprise. Though a few years ago it might have been accused of not yet being capable of the kind of product integration that larger players like IBM could offer, its plan for total integration of its suite into customers' hybrid environments is now coming into sharp focus, as it demonstrated to some of its 10,000 customers in New Orleans this October.

'The interoperability of enterprise systems – both on-premise and in the cloud – is becoming crucial as complexity of IT grows, and apps, data, SaaS and on-premise products all have to work seamlessly,' said Streibich, explaining Software AG's vision for the 'connected enterprise' in his keynote speech.

Ahead of the cloud

Now that it has successfully crossed the bridge to the cloud, Streibich says his company is positioning itself ahead of the cloud's next phase, aimed at the creation of business applications in a flexible way. It is building this on the back of the 'Oreo cookie theory' – the idea that it is what's in the middle that counts, and an update to the notion that middleware should be rigid and fixed. According to Streibich, the journey to this new phase started decades ago with standardised applications, followed by the cloud. 'All that standardisation makes things reliable and is wonderful, but companies must have the means to differentiate themselves from the competition,' he explained.
'We need the new layer for differentiation – a middleware layer containing all the different functions for fast, agile application provision.

'We asked ourselves what we can do to add value to customers' projects, and what we hear is that companies rely on technology-driven innovation in their new business models. The core challenge of this is that connectivity has to be present whenever and wherever it's needed, and the siloed function of applications is very often the source of all problems.'

He hopes to address this with the launch of webMethods Integration Cloud, a new integration-platform-as-a-service (iPaaS) offering that provides cloud, on-premise and hybrid integration capabilities, along with streaming analytics from Apama to allow users to gain insights from business events in real time.

As CTO Wolfram Jost explained at the event, the company is setting itself up as an integration partner for the kinds of 'wide and deep' scenarios that the emerging Internet of Things environment will demand. 'We are fast moving from a traditional business-intelligence approach to a world where you can adjust your business by making continuous decisions,' he said. 'You can't make the mistake of thinking the Internet of Things is just about an injection platform taking data in from sensors and "things" and putting it somewhere else. Companies using streaming data to optimise their businesses are already doing a lot of exciting stuff that is helping them seize revenue opportunities and identify problems in real time. When it comes to creating consumer-facing apps, they will become contextual across locations and devices, so consumers will demand the kind of customised experiences that come from real-time analytics.
'The world of the IoT is going to need a completely new software architecture that can handle the scale, and we believe that our suite is positioned to provide that.'

insider
How to be a data leader in 2014
This year's Data Leadership delegates went away with an updated, 360˚ view of how to be an enterprise data leader in 2014

In 2014, those wishing to lead data projects in their organisations are no longer just looking for a confirmation of the hype of 'big data' and its surrounding technology: it's high time that the discussion entered a more mature stage, looking at the depth and breadth of data use. That's what Information Age believes, and why last month 200 senior members of the IT community flocked to this year's Data Leadership event at the Grange Tower Bridge Hotel, London, to enjoy a day of well-rounded, business-focused talks from esteemed peers, research leaders and vendors in the field.

A major theme of the day was integration, and much of the discussion focused on how to take all of the data that organisations have now amassed out of its siloed individual business functions and fully assimilate it with process, context, the humans producing and operating it, and the wider world of data beyond an organisation's walls.

JP Rangaswami, chief scientist at Salesforce.com and director at the Web Science Trust, asked how organisations are going to reorchestrate what they do so as to deal with the 'porous membrane' between their external and internal data. 'Perhaps we are heading to a point where data cleaning is not possible, and we will need new immune levels for outside data,' he suggested. 'It's time to respond differently – in today's data landscape, relationships matter much more than transactions. The transaction is just numbers unless the person, time and context are added.'

This was echoed in the message of Tim Jennings, chief research officer at analyst house Ovum, who said he strongly believes that the time has arrived to 'bring data off its island' and integrate it as a 'first-class citizen' of the enterprise. Now that big data tools such as Hadoop have begun to be explored, he said, it's time that we brought them to bear on the enterprise environment as a whole. 'Architecture is continuing to evolve, and I would suggest that it's ready for prime-time and enterprise deployment,' said Jennings. 'We just need to build the security and control into these tools that enterprise requires, since they were not built for wider enterprise deployments.'

>> Ovum's Tim Jennings said it's time to 'bring data off its island' and integrate it as a 'first-class citizen' of the enterprise

Don't forget the human

Hugh Cox, founder and chief data officer of British analytics company Rosslyn Analytics, argued that businesses need to move 'from data factory to data refinery'. 'This means not just pumping all data through software, but using a mix of machine learning and human assistance to intelligently and dynamically identify errors or wrongly classified or associated information,' he said. 'Analysis of data by individuals with expertise – and making use of the human knowledge asset within an organisation – is just as important as having faster or better technology.' Through this approach, said Cox, data leaders can get maximum value from data, and finally make use of 'elusive information' – the 90% of data within an organisation that is not ready or available for analysis.

Richard Lee, managing partner of executive consulting firm IMECS and regular Information Age columnist, returned to the Data Leadership stage for the second year in a row to argue that fundamental to being a truly 'analytics enterprise' is the creation of a culture of pervasive analytics within an organisation – to make real-time, exacting business decisions.

Continuous improvement

UBS Investment Bank's director of BI services, Paul Banoub, told us how his organisation is doing this by building a thriving community of learning around BI tools, and being committed to constant improvement. 'Don't just sit down and admire your service,' he said. 'Evolve it, make it more secure, make it work on mobile, listen to what users want.'

Delegates also benefited from the first-hand experience of those leading data innovation in a variety of industry sectors, from charity to finance and infrastructure – from construction products manufacturer Aggregate Industries' complex data requirements on haulage analysis and telemetry to the data revolution happening behind the scenes at the world's oldest railway, Network Rail. Martyn Croft, CIO of The Salvation Army, is using analytics to weed out 'philanthropic phishing' attacks that occur around big humanitarian disasters, while Adrian Carr, VP EMEA of enterprise NoSQL firm MarkLogic, showcased how his company helped design the BBC's 10,000-plus semantic pages for the London 2012 Olympics.

David McNally, director of digital systems at Macmillan Science and Education, gave the audience insight into how the use of rich semantic search capabilities to enable open access to 'hidden science' is driving a transformation in science and education publishing. And Professor Yike Guo from the Data Science Institute showcased some fascinating examples of 'interdisciplinary' data analytics, bringing together data disciplines such as TV broadcasting and neuroscience in order to shed light on previously unknown audience responses.

insider
Chasing liberty
The inventor of the World Wide Web, Sir Tim Berners-Lee, criticises the government's approach to surveillance, and calls for increased accountability

Sir Tim Berners-Lee, inventor of the World Wide Web, has called for greater resistance to government-enforced blanket surveillance. In July, prime minister David Cameron announced that emergency powers to allow public bodies to access phone and internet records were being rushed through Parliament. The legislation was a response to a European Court of Justice ruling three months earlier that struck down the EU's data retention rules, deeming the blanket storing of metadata by telecoms companies an infringement of privacy rights.

'I think we should be really resistant to it,' Berners-Lee told Information Age. While accepting that government snooping is an 'inevitable' form of crime prevention in the internet age, he criticised the approach of Cameron, who presented him with an outstanding achievement award at the Daily Mirror's Pride of Britain Awards, held in London on 6 October. 'There's an emergency today and there will be an emergency tomorrow – there's always an emergency,' he said. 'So I don't think one should use the term "emergency" to be able to push through powers.'

Instead, he has called for a more 'transparent' and 'powerful' system of surveillance, which is kept in check by an independent body. 'We should make sure – emergency or not – that there is a system that we all know about, in which an agency watches the watchers and guards the guards. We need to build that system up and have public discussions about it.'

>> Sir Tim Berners-Lee calls for more transparency when it comes to the government's access to data

Under the microscope

The agency responsible for electronic surveillance in the UK, the Government Communications Headquarters (GCHQ), has faced extensive scrutiny since Edward Snowden exposed its access to the controversial US internet monitoring program PRISM. Snowden also accused GCHQ of eavesdropping on phone calls and emails from politicians visiting the 2009 G-20 London Summit, and collecting 1.8 million private webcam images from Yahoo users.

Berners-Lee revealed that he has spoken to Robert Hannigan, who became the new head of GCHQ this autumn following a six-year leadership stint by Sir Iain Lobban. 'He asked, "How should we build a system?" and "How should GCHQ do what the British public needs it to be able to do; to be a powerful force and still be accountable?"' The answer is tricky, Berners-Lee acknowledged. 'It's a difficult problem, but with the government we really have to go through and design that system and force them to put it in place.

'There's a tradition in England of trusting the government and government agencies, but we have to have a system with more powerful checks.'

Happy anniversary

As this year marks the 25th anniversary of the World Wide Web, Berners-Lee decided to share his vision for the next 25 years with delegates at Europe's biggest cloud and IT infrastructure event, IP Expo. In an impassioned speech to delegates, he laid out what he called 'instructions, not predictions' for the future of the web and data, and how the industry must continue to work hard to keep the web a decentralised platform. 'When the web first started, no-one could imagine that you could click on a link and go to anything in the world,' he said. 'What started out as simple HTML documents linked together has become dynamic.
'The value and excitement of the web is what we can build on it, and the mind-blowing creativity it has enabled over the past 25 years. But to continue to do that, we must keep fighting to keep it a platform without central control.'

>> David Cameron announced emergency powers in July to allow public bodies to access phone and internet records

As the pace of innovation continues to get faster, what will be most important is not the speed of communications networks, but the development of 'smarter' computing, said Berners-Lee. The potential of artificial intelligence is a key part of this that is only just now beginning to be realised. But apart from the technology revolution, there will need to be a turnaround in the way people, the web and data work in a social sense.

Berners-Lee described the use of big data on the web as a 'marvel', but said consumers are still struggling with a 'queasy feeling' when met with targeted advertising, and the foundation of trust and control must come first. 'I want to build a world in which I'm in control of my own data,' he said. 'As an individual, I should have the legal ownership of that data and should be able to sell it when I see fit.

'If we allow individuals the control and understanding of the way their data is used, it will open up huge opportunities to build apps and make use of that data, as they'll be much happier to open up that data for important benefits.'

Berners-Lee went on to foresee that the future lies not in big data but in 'rich' data. To enable the 'new world' of data, companies will need to build systems that are not only powerful but able to handle endless different types of data from a variety of sources combined in novel and useful ways. Once these building blocks are put in place, big data could have wide-ranging applications – not just in business, but as a powerfully transformative force in areas such as healthcare, democracy and economics.
[Advertisement: SirionLabs] Prevent value leakage in strategic IT services contracts! 15 to 30 percent of value in complex sourcing arrangements is lost due to poor buyer-supplier relationships and lack of an effective governance framework. SirionLabs' unique approach to supplier governance can help CIOs plug this leakage and increase ROI of outsourcing engagements by enabling management of all key elements of the supplier management lifecycle, from contract to risk management, on a unified platform geared for today's challenges of multi-sourcing and cloud computing. Set up an online demo at [email protected] or call now +1.313.300.0588. www.sirionlabs.com

deployment watch

Manchester Airports Group
WHERE? Manchester
WHAT'S THE BUSINESS CASE? Given the proximity of some of the car parks to the airstrip at Manchester Airport and subsequent aircraft noise, sudden sound surges were beginning to cause concerns for many of the staff.
WHAT ARE THEY DOING ABOUT IT? A health and safety representative informed management that specialised headsets would be required to eliminate the chance of staff suffering from these effects. Since staff often have to remain mobile while on the phone, a wireless solution was recommended.
WHO'S HELPING? Sennheiser, a global leader in premium headset and UC solutions, was chosen to supply the Manchester location with headsets for control room staff. The DW series of headsets fulfilled all of the requirements and, importantly, guards against the risk of sound surges due to their acoustic shock protection.

The Met Office
WHERE? Exeter
WHAT'S THE BUSINESS CASE? The Met Office is the UK's national weather service and is recognised as one of the world's most accurate forecasters. It uses more than 10 million weather observations a day and an advanced atmospheric model to create 3,000 tailored forecasts and briefings each day, so needs the most powerful systems available.
WHAT ARE THEY DOING ABOUT IT?
Signed a multi-year, multi-phase contract for supercomputers and storage valued at more than $128 million for operational weather prediction and climate research. Multiple system deliveries are expected between 2014 and 2017, with the major deliveries expected between 2015 and 2017. WHO’S HELPING? Cray will provide its XC supercomputers and Sonexion storage systems in its largest ever supercomputer contract outside of the United States. In their final configurations, the Cray supercomputers will have 13 times more supercomputing power than the Met Office’s current systems. ‘We are very excited about this investment in UK science,’ said Met Office chief executive Rob Varley. Eversheds WHERE? London WHAT’S THE BUSINESS CASE? Global law firm Eversheds is in the process of moving to a more agile working model and it is important it has a strong wireless network. Its previous Wi-Fi was no longer fit for corporate use, as it restricted the way staff worked and communicated while on the go. WHAT ARE THEY DOING ABOUT IT? Deployed a wireless network to support its mobility strategy enabling flexible working and increased collaboration. The network has been deployed across eight countries in Europe, the Middle East and Asia to support up to 4,000 staff, clients and guests. It will also support the firm’s recent deployment of Microsoft Lync, which provides instant online conferencing, including voice, video and shared content, allowing staff to easily and quickly share knowledge, ideas and content. WHO’S HELPING? The global Meru 802.11ac deployment encourages collaboration, improves efficiency of meeting spaces and creates more flexible work styles. November/December 14 information-age.com 17 205x273+5mm DOMAINS | MAIL | HOSTING | eCOMMERCE | SERVERS NEW: DEDICATED SERVER BUSINESS LINE Trust is important when it comes to choosing the right server provider. 
on the cover

A dose of reality
BAM Nuttall shows that construction is an innovative industry by leading the way in 3D printing and augmented reality

As a profession as old as the hills, it would be easy to dismiss the innovation credentials of those who work in construction and civil engineering.
Traditionally seen as a typically blue-collar job, you’d be forgiven for characterising people in this industry as being most effective with their hands, and less experimental with the latest and greatest IT solutions. But one chat with Rob Youster, head of ICT at BAM Nuttall, and you’ll probably change your mind.

Youster has been with the company for over 25 years and has witnessed a massive change in the expectations of users and clients when it comes to technology. One recent example is the two-year legacy project to transform the Olympic Park from a dedicated sports and events area into a residential park, known as Queen Elizabeth Olympic Park.

When the contract was awarded to start clearing the land reclamation of the Olympic Park in 2007, BAM Nuttall was the prime candidate. As the original contractor of the Olympic Park, it had put in place high-capacity data lines coming out of Guy’s Hospital, with a five-mile point-to-point link running across London and straight into the park. With this infrastructure already in place, BAM Nuttall was first in line for the reclamation project, as it could include the capex in the new tender.

The transformation project began almost immediately after the Olympics finished and involved the various stadiums and arenas being either entirely dismantled or modified, and a complete redesign of footpaths, cycle ways, roads and bridges. From an IT infrastructure perspective, the most critical aspect was the connectivity to allow all contractors and other parties involved in the project to communicate and operate seamlessly.

‘The challenge we had was to provide wireless because new construction sites were being placed all around the park,’ says Youster. ‘So we had to have generators with cabins that then provided the wireless link, because there was no electricity, so we couldn’t just have a wireless link in any location.’

BAM had to mobilise slightly differently than it normally would. It had its main links back into Guy’s Hospital, but had to create another cabin office just outside the park as well. It turned to wireless specialist Trellisworks to provide the network, as well as an IP-CCTV infrastructure to ensure the site was secure over the two years, all delivered as a managed service.

‘We got involved with Trellisworks early because of their involvement with the governing body of the Olympic Park,’ Youster adds, ‘and out of Canary Wharf we were designing, even at an early stage, how that wireless infrastructure was going to be in place.’

Once it had made sure that the entire perimeter of the site could be covered by a wireless connection, the project settled down for a year, and it is now moving into the final stages of demobilising the IT equipment and disconnecting in stages. The residential park opened in June 2014.

‘We knew it was going to be a challenge to get this IT infrastructure in place,’ Youster says. ‘With over 500 acres of land making up the project site, we had to move the locations of our temporary cabins on an almost six-monthly basis.

‘Knowing there were a lot of restrictions when it comes to fixed-line connections around the park, and security issues, we knew we had to think on our feet about how we would accommodate the connections that were required.’

Multi-dimensional

But innovation at BAM Nuttall, which employs 2,600 people, stretches further than laying out a complex, mass wireless network. In a job that involves constantly learning about new infrastructures and requirements, Youster often finds himself at the cusp of new innovation. In 2007, he was awarded for being one of the first to use the digital pen, for a project with Cheshire Highways. Around the same time, he became an early adopter of 3D printing and augmented reality.

All of BAM’s construction sites now adhere to the government’s BIM (building information modelling) initiative, which generates and manages digital representations of the physical and functional characteristics of places.

‘We build the construction project twice,’ Youster says, ‘one in the virtual world and one in the real world.

‘We go one step further by producing it on a 3D printer – I was one of the first to introduce 3D printing in civil engineering about seven years ago, and we’ve done an amazing model that shows the client what we’re building. BIM goes further than that by producing something in 3D, then 4D and then 5D.

‘That means that we produce a model, which looks lovely and everyone can understand, but then we actually show how it’s been constructed over time, which is moving into the 4D arena.

‘So it’s actually showing an animation of it being built over time. By moving it into 5D, we’re then showing it not only over time but also how much it is costing over time.’

Every surface and bolt has a value against it, along with things like labour and materials, which the client has the opportunity to look at in detail, zooming in and out to see exactly which items are being used. Further to this, BAM is now using BIM and Apple iPads to overlay the model using augmented reality.

Youster has successfully led BAM in the innovation stakes, but he is keen to point out that these technologies are not just gimmicks. ‘It really is offering value,’ he says. ‘Augmented reality is demonstrating to the client that they can visually see what is being built.’

And that goes for all new innovations at BAM. Youster is part of business committees where he ensures he gets buy-in for every investment.

‘It would be easy for me to go and find the latest technology and spend £20,000,’ he says. ‘With my experience with the business, I have a very good feeling of what they are looking for.

‘The one thing that is very difficult, not just for BAM Nuttall but for a lot of businesses out there, is that technology is going that quickly that people don’t understand sometimes what can save them money and what can improve processes.

‘So my strategy is always to demonstrate with a very low-profile solution and show what is possible.’

innovationage

Gamification – where did it all go wrong?
What was once deemed a massive emerging technology has not nearly hit the traction that analysts predicted. Information Age investigates the trials and tribulations of enterprise gamification

It wasn’t long ago that the technology industry was singing the praises of enterprise gamification. The software tool, which aims to motivate employees to achieve their goals by measuring and scoring their data in the context of an in-house competition, was destined for big things.

In April 2011, analyst house Gartner predicted that 50% of organisations that managed innovation processes would gamify those processes by 2015. By 2014, it wrote, a gamified service for consumer goods marketing and customer retention would become as important as Facebook, eBay or Amazon, and more than 70% of Global 2000 organisations would have at least one gamified application.

The technology industry, however, is notoriously fickle. Two years ago, Gartner predicted that four out of five gamified applications would fail to deliver business objectives in the following two years, due to a lack of game design talent within businesses.

That brings us to the present day, and the future of gamification remains up in the air. Many still criticise the solution’s longevity and its ability to motivate employees and engage customers, but Gartner now believes that it will be an ‘essential part’ of any digital business strategy. The vast majority of gamification implementations are still shallow tools featuring points, badges and leaderboards, without any viable long-term engagement.

According to Jeremy Boudinet, marketing director at Ambition, gamification is not over, but has just entered a ‘trough of disillusionment’ phase.
‘This industry has been plagued with companies that have devalued their users, skimped on product engineering and forgotten that collaboration and good business intelligence are the true paths to fulfilling their fundamental purposes: better culture and improved ROI,’ he says.

Robert Yardy, marketing manager at MMT Digital, adds: ‘I am reluctant to agree that gamification is truly over – however, my fears, and those of many others, seem to have come to fruition.’

A game for all

There are clearly plenty of positives to take from encouraging employees to work more efficiently. However, many enterprise gamification strategies have encouraged employees to work harder but not better.

‘I have heard of one high-profile travel agent that encourages its call centre staff to deal with as many calls as possible and record the details of the calls accurately, with points being allocated for velocity and accuracy,’ Yardy says.

A common flaw in many gamification strategies is that the people who top the leaderboard or get the most badges are those who were already the outstanding performers. It is arguably more important to motivate those who are underachieving, and many strategies demotivate people once they realise that they have no chance of winning.

Ultimately, if the gamification software doesn’t add tangible benefit for the employees, it will join the pile of failed initiatives. Just because gamification software is supposed to be an inherently ‘fun’ product does not mean that ground-level users don’t need further financial incentive to actually obtain value from it.

‘If you want your employees to care less about whether they’re being tracked, you should empower them to perform better at their job, make more money and get a promotion,’ Boudinet says.

Lack of enthusiasm

Another common mistake is for gamification projects to bypass the people in the organisation who can really make them a success. Often driven by HR, gamified applications frequently lack the technical proficiency to make the user experience enjoyable. This is where the IT team can and should be called upon to enhance the project.

An HR team that is plugged into the strategy of the company can be a great source of information for the CIO, aligning incentives in a way that adds gamification value throughout the company.

‘The insight from HR can be further enhanced by analysis of the comments and microblogs on the company’s internal social networks,’ says Satya Ramaswamy, VP and global head of TCS digital enterprise at Tata Consultancy Services.

Most importantly, however, there must be a recognised business need for investing time and resources into a gamification strategy, as well as a fun element to engage the users. It’s not revolutionary to say that people will perform better if they are enjoying what they are doing.

This is where the CIO is fundamental. They have to provide clear incentives for employees and ensure that the fun element of gamification is not lost. ‘This often comes down to the personality of the CIO, which in turn links to hiring people rather than CVs,’ says Yardy.

Sucking out the fun

That fun factor can very quickly be swallowed up if the gamification strategy is too shallow in its method of judging employee productivity. Rather than just focusing on results, a truly effective gamification solution will gain a deeper understanding of employee performance. The important thing, therefore, is how gamification results are used to assess performance as a whole. Decision criteria for determining winners should be based on measurable statistics, such as being rated highly by a customer, rather than just the number of deals that have been closed.

Organisations should create tiered rewards that motivate players to continually do better, level up and be able to show off their rewards. And they should mix it up by applying different rewards for different teams at different times, while making sure that players are competing against colleagues performing similar tasks.

‘Gaming scenarios should be aligned with business objectives to keep them real and meaningful,’ says Neil Penny, product director at Sunrise Software, which has deployed gamification. ‘After all, gamification is all about supporting the business.’

In a digital world where people are increasingly wary about being spied on, organisations should also approach gamification carefully to ensure that its ‘Big Brother’ nature doesn’t have a negative effect on employees. Unlike a straightforward internal business-intelligence tool, gamification is often implemented with the message to employees that its foremost purpose is to improve their culture and everyday experience at work.

According to Boudinet, that is the wrong message to send. He says businesses must own the elephant in the room: employees are being tracked, and a fundamental purpose of gamification is in fact to spur productivity and improve transparency.

‘Then you have to demonstrate tangible benefit and lay out how the software is going to directly and tangibly benefit the user,’ he says. ‘When you’re considering adopting gamification software, you’d better be thinking about how you’re going to explain to its everyday users where that tangible value comes in.

‘If there’s one thing that the growing disillusionment with the current state of enterprise gamification has taught us, it’s that you can’t get away with deceiving your employees. And what makes employee backlash against the “Big Brother” impact of gamification worse is the fundamental dishonesty in trying to disguise tracking software that lacks tangible benefit as something fun.’

Reward and review

In the six months that Sunrise has been using gamification, it claims to have improved response times, and its incidents are now logged much more quickly.

‘We’ve seen a positive impact on camaraderie on the desk with some friendly competition,’ Penny says. ‘We have also found that gamification can be used to monitor workloads, ensuring that it is shared more equally among the team.’

The important thing for CIOs to consider, Penny believes, is that gamification can only work if it is constantly reviewed. It is important to listen to staff feedback and evolve to meet new challenges. In this way, employees will see it as a positive way of working towards corporate goals.

There is no doubt that using clever technology that integrates the concepts of game theory is essential to gaining the support of younger staff members. At the end of the day, they are tomorrow’s business leaders. Engaging them in a way that entertains and educates is vital to creating a dynamic and thriving work environment.

For companies that are swift to adapt, there are opportunities to implement gamification to motivate customers with personalised, interactive apps that can be downloaded on a phone or tablet, increasing engagement with their products and brand. ‘This approach can also be extended to staff to send rewards and incentives directly to motivate, engage or train online,’ Penny says. ‘We are only at the start of this journey.’

Going forward, gamification tools must incorporate more advanced analytics to enhance their value to the enterprise. Increasing use of big data will give game designers more inputs into the game design, and the use of analytics will shape the game dynamically.

‘These enhancements in inputs and analytics will mean that users can gain insights about their performance and automated advice on how to perform better,’ says Ramaswamy. ‘This will be supported by increased use of machine-learning techniques.’

storageage

Storage industry outlook: 15 predictions for 2015
Information Age takes a forward-facing look at the coming year and asks industry experts what they think is just around the corner for the storage world

Flexibility will be the biggest issue facing storage in 2015
Sean Horne, CTO and senior director of enterprise and mid-range storage, EMC

The biggest questions that IT decision-makers will be tackling over the coming year will be: how do I deploy a platform that can deal with abrupt changes in the business landscape (be that in scaling to large demands in storage or delivering performance for next-generation workloads); how do we deliver this flexibility at an affordable cost, without pushing the organisation to take uncomfortable risks; and how do we do this with the responsiveness required?

Organisations both scale up and scale out, and, therefore, while storage needs to move with this change, it will be important not to let this disrupt the whole IT ecosystem. This will result in an increase in investments in developing hybrid cloud in order to give organisations the flexibility to direct workloads where they need to go, as they are needed.
Security and compliance will continue to impact decisions around hybrid cloud setups Sean Horne, CTO and senior director of enterprise and mid-range storage, EMC to capitalise on the economies of public cloud without incurring undue risk. ‘[Tiering] is clearly showing its limitations as a stop-gap on the way to all-flash primary storage’ >> Dave Wright, CEO, SolidFire In my opinion, there are four types of control over organisational data that are needed: privacy, trust, compliance and security. For example, data centres have huge compliance requirements that they need to adhere to, but the privacy of data, how it is stored and who has access to it is – it can be argued – an emotional and subjective decision, between the company and its customers. Understandably, many businesses are not comfortable with their private data sitting in a public cloud, so a degree of flexibility is needed to allow businesses Policy-based lifecycle management will help spiralling storage growth Radek Dymacz, head of R&D, Databarracks The key to reducing backup costs is good management and not applying blanket policies to all data. It’s about having the right retention and archive policies in place for the right data. I think that too many organisations struggle with data management because they regard ‘deletion’ as a scary word. No one really takes responsibility for corporate data or even knows who the ultimate owner is, so deletion is regarded as someone else’s job. As software becomes more integrated, we’ll have real-time, 360˚ visibility – storage decisions will be based on evidence and so ‘deletion anxiety’ will be less of an issue. 
WAN optimisation will be the key to ensuring optimal data delivery Everett Dolgner, director of replication product management, Silver Peak All the bandwidth in the world will not matter if packets are being dropped or delivered out of order due to congestion, as is often the case in November/December 14 information-age.com 27 aruba-ad-205x273-print.pdf 1 9/12/14 3:40 PM C M Y CM MY CY CMY K Enabling the All-Wireless Workplace for #GenMobile www.arubanetworks.com Come and visit us on Stand C118 storageage MPLS and internet connections. To overcome these challenges and ensure optimal data delivery, organisations must establish a fully equipped network that will cope with the increased flow of traffic that cloud storage initiatives bring. Failing to do so will result in an environment that is plagued by issues that will only lead to performance and business benefits being compromised. Optimising the WAN can reduce over 90% of the traffic across the network and is key to providing the scalability needed to support all current and emerging applications. We will see an accelerated move to software-defined storage Nigel Edwards, VP, EMEA sales and channel marketing, HGST Thanks to commercially supported open-source initiatives such as GlusterFS, Inktank Ceph Enterprise and SwiftStack for OpenStack Object Storage, we can expect to see software-defined storage systems cross from cloud into more mainstream enterprise data centres across multiple deployment options. We can also expect to see a rise in startup-developed software-defined storage offerings as more data centres recognise the benefits of this approach. With commercial support for open storage software, traditional IT will be able to use approaches that were once limited to the largest operators. 
IT teams will be forced to invest in training to educate staff on the increasing complexities of virtualisation Patrick Hubbard, head geek, SolarWinds End users these days cannot make buying decisions without considerable education, and vendors aren’t necessarily forthcoming about educating them in a practical manner. With ever smaller IT teams managing ever more complex solutions, they’re becoming ever more challenged in implementation. Software-defined networking is driving things like the importability and containerisation across OpenStack, AWS and VMWare, and each one of these things brings with it an opportunity for things to go wrong if there is not additional expertise. Companies’ reaction too often is to call in an outside contractor, which doesn’t necessarily stop and educate the team that’s going to maintain it after they’re gone, and doesn’t help the IT team move forward and maintain that level of skill in something they’ve purchased. Those organisations that send off staff for refresher courses are more likely to be successful with new technology. So vendors will have to move into cross-disciplinary education in the next few years. Software will be the biggest investment in storage management Andy Dean, development manager, HPC Physical hardware costs have been coming down for a long time. Plus, storage capacity on hardware is increasing – we’ve seen 6TB hard disk drives available already and 10TB tapes aren’t far off – meaning less physical hardware is necessary (again, this means less expenditure). Therefore, I think the biggest expense item will be software. In future, we’re going to need a more intelligent software stack to manage the huge quantity of data that people are storing. If a customer has 6PBs of data, for example, they will not want to leave that on an unsupported platform. 
Storage and other IT resources will come together as convergence continues Sean Horne, CTO and senior director of enterprise and mid-range storage, EMC Storage managers will need to think in terms of application requirements beyond pure capacity and latency terms – rather, in terms of how they interact with the other IT components. As organisations progress on their journey to a hybrid cloud, these converged infrastructure experts have the opportunity to become strategic supporters of the business – enabling agility and innovation by delivering resource when it is needed, and advising on what’s possible within their new infrastructure context. Organisations will increasingly embrace technology that enables them to deliver public cloud as-a-service Ian Finlay, VP, Abiquo Most organisations are already operating a hybrid IT estate in one form or another, and we can expect this trend to continue over the next 12 months. However, as it becomes easier to acquire multiple cloud services, visibility and control over data – and who has access to it – will continue to increase, posing security and governance risks to enterprises. As a result, we can expect to see organisations embracing technology that enables them to deliver public November/December 14 information-age.com 29 storageage cloud-as-a-service. This provides flexibility to internal customers, while maintaining the control that IT is tasked with delivering to the business. We can also expect to see cloud service providers (CSPs) continue to add public cloud providers to their service portfolios, in order to strengthen customer relationships and add value to the fairly generic public cloud offerings. 
The smart approach to flash adoption will be in hybrid arrays Robin Kuepers, EMEA storage marketing director, Dell IT leaders are attracted to the hybridflash storage route as it offers the best of both worlds: high-performance flash for fastest performance with the most frequently accessed and most demanding applications, and low-cost bulk storage for ageing, or colder, data. While some workloads call for high speeds at all times, organisations usually need to support both highperformance applications and less accessed data, which doesn’t require expensive storage. This is why most organisations can benefit from a single SAN that handles both ends of the spectrum at the same time. Hybrid arrays can support SSDs and hard disk drives (HDDs) to offer this combination of high performance and lower overall cost. With the hybrid array approach, the SSD layer provides the fast performance processing while the HDDs retain all the older, colder storage that organisations need or want to retain but don’t access as often. Tiering may not continue to be the most commercially sound decision Dave Wright, CEO, SolidFire Flash is clearly having a huge impact on the storage space, offering ten times the performance of disk at a fraction of the cost. That trend will only continue and increase over time, until disk is completely relegated to cold storage. Tiering, on the other hand, is clearly showing its limitations as a stop-gap on the way to all-flash primary storage. Customers who initially embraced tiering are now dealing with the negative ramifications, including inconsistent performance and a need to add an ever-increasing amount of flash to the flash tier to maintain performance. Commoditisation will start to benefit every area of storage Patrick Hubbard, head geek, SolarWinds It’s interesting with virtualisation that there’s a sort of complexity and diversity funnel. 
At one end you have the end points, which are workstations, BYOD devices and Internet of Things or smart connected devices, but then in the centre you have this fairly well-constrained data centre, now with a number of technologies that integrate well together and are fairly easy to manage but still sitting on top of storage that is highly vendor specific. From controllers all the way down to how storage is implemented from one vendor to another, there is a lot of variation, so that seems to be one area where commoditisation and standardisation in the operations of data centres is actually finally pushing some long-overdue commoditisation in the way that storage is snapped into the compute and application delivery frameworks, especially for hybrid cloud.

The OpenStack value debate will continue
Ian Finlay, vice president, Abiquo

From a storage perspective, OpenStack provides a useful abstraction layer. Yet, in many ways it is still immature and is considered more of a toolkit than a solution. That said, it will be worth keeping an eye on the technology over the next 12 months, as it may prove to be a valuable solution for specific use cases.

Awareness around archiving-and-backup options will grow
Paul Rylett, systems engineer, Netgear

As the volume of data stored continues to increase, organisations will increasingly need a simple and effective way of both archiving and backing up data. Businesses often don’t have the time or resources to dedicate to complicated backup and recovery processes, so we can expect to see more businesses embracing next-generation storage technology that can take frequent incremental snapshots and generate full backups instantly.
Storage will move from operational necessity to strategic business enabler
Sean Horne, CTO and senior director of enterprise and mid-range storage, EMC

Once you achieve the software-defined nirvana – with tiered storage easily and dynamically allocated to applications as they need it based on specific, policy-driven requirements – a new world order has arrived. The storage and IT teams have become strategic enablers of the business.

networkage

The mobile network untangled

Amid much confusion and disagreement, Information Age attempts to find a definitive mobile strategy that will support the connected enterprise in the coming years

The pros and cons of bring your own device (BYOD), choose your own device (CYOD), corporate-owned personally enabled (COPE) and the alphabet soup of other trendy mobile device strategies have been argued ad infinitum over the past few years – and the acronym war doesn’t seem to be showing any signs of concluding. Each approach comes with its unique set of challenges, but as Nisha Sharma, managing director of Accenture Mobility, argues, giving employees the option to choose their own corporate-approved devices with appropriate security and standardisation appears to be a good compromise, and one that is fast gaining headway over the compliance headache of BYOD.
‘From an end-user perspective, the primary benefit of CYOD is having some flexibility with their corporate-liable device,’ she says. ‘And apart from email, users would expect company websites, portals and apps to work on their device, so a CYOD programme allows companies to focus their efforts on providing that access on a limited number of platforms rather than trying to make them work on everything.’

Gartner analyst Rob Smith also believes we’re going to end up with a mostly CYOD enterprise landscape in the UK, thanks to the legal and financial challenges that it allows companies to bypass. But ultimately, he says, there is one golden rule: ‘Never trust a mobile device unless you control 100% of the data and apps on it.’

Doing this is virtually impossible for modern smartphones, of course, and the idea of asking an employee not to install a certain app on their device is unrealistic, whether you are running a BYOD or CYOD policy.

‘With that in mind, since you can never trust these devices, the first piece of architecture you should tackle is the creation of a separate network segment on your wireless network that your mobile devices connect into,’ advises Smith. ‘All that traffic should be routed over your internal security, such as your firewall and antivirus, before it even touches your internal network.’

Keeping it simple

There are other ways to simplify and control a mobile environment. Consolidating all communications networks under one supplier can help reduce total costs. The only spanner in the works, says Smith, is when you involve Android devices. This is because every device is controlled by the telco, not the handset manufacturer, unless you buy it directly from the manufacturer. So a device won’t get the latest firmware unless the operator releases that firmware.
‘Take the Galaxy S5 for example,’ says Smith. ‘If there’s a security bug in it then Samsung will fix it and put out the security fix immediately for anybody who’s bought the device from them. But then it goes to Vodafone, or EE, or O2, who have to add their own customisations for Android and then reinsert it into their networks. This can take forever, and it’s designed for consumers, not corporations.’

‘So the best strategy for IT and business in terms of security,’ he argues, ‘is to buy directly from the handset manufacturer – but this loses the discount that telcos give, so it’s always a balance.’

Apple has cornered three-quarters of the corporate device market thanks to this problem, and the fact that all their devices run the same software no matter where they are bought from. With Android, there is severe fragmentation of both the devices and software versions. According to this year’s report on the fragmented Android landscape from wireless network data mapping specialist Open Signal, there are somewhere in the region of 18,700 Android devices in use in the UK, running any number of software versions.

So the key with Android, says Smith, is to cut through the jungle of different devices and allow only a small subset by limiting the number of devices to choose from and specifying the carriers they are on.

Big-picture thinking

Whatever the end-point device landscape they’re dealing with, corporations must take into account all the other elements involved in creating a complete strategy for mobile working. Unification and consolidation, if approached strategically, can deliver greater efficiencies and ensure widespread business improvement.
‘Network complexity can be extremely harmful to business success, so the sooner businesses begin the journey towards simplification, the more likely they will deliver positive business outcomes,’ says Graham Fry, managing director of avsnet. ‘Wired, wireless, remote access – these disparate access methods need to be unified under a single policy and a unified management solution.’

Fry’s advice is to look for a provider that can design, implement and support a network that puts mobility at the heart of everything regardless of device. This means a platform with a context-based central policy, system-wide visibility and comprehensive lifecycle management across all connected devices, mobile or not. Designing a network that pre-empts advancing technology, connectivity methods and usage trends is crucial, considering how expensive and difficult it can be for organisations to adapt a legacy network once implemented.

Francis Cripps, head of mobility at Fujitsu, argues that identity access management (IAM) should form part of the solution, particularly now that wireless connectivity is becoming a need-to-have in the enterprise and is dissolving traditional boundaries of internal and external networks.

‘Increasingly, we all walk around with smart devices and expect to use them wherever we are,’ says Cripps. ‘At a supplier, partner or customer site, it’s no different. Allowing guest wireless access is not really much different to BYOD. It is important to identify the device that is connecting to the network and potentially the user of the device.’

Most of the leading products in this space now interact with the mainstream enterprise mobility management (EMM) or mobile device management (MDM) products, in some cases being part of the same vendor product suite.
‘By deploying both network IAM and EMM as an integrated solution, it is possible to control device and user access with granular efficiency, thus future-proofing the organisation for multiple use cases,’ Cripps explains.

The future’s an open door

Cripps believes that in the near future, enterprise networks will be a communication hub – the front door of an enterprise. ‘I’ve already touched on the security and management, but what about the value-add?’ he asks. ‘For example, in retail, wireless networks are used not only to enhance the customer experience but also as a marketing tool. Simply set up a sign saying “Free Wi-Fi here – just enter your details”, and a CRM is born with landing pages for advertising.

‘Add location services via Wi-Fi or emerging options such as RFID or Bluetooth LE and a tracking and targeted advertising tool is available. It will be possible to know that the buyer from company X is about to walk into your HQ reception and change the reception displays accordingly, while notifying the sales director that they are arriving and catering that they take their coffee white with two sugars.’

For communication consolidation, 4G/5G offload onto WLAN could make fixed/mobile convergence a reality rather than a clunky pipe dream, while VoIP devices or apps will become the default.

Connecting people

Mobilising collaboration capabilities for employees must also be an integral strand of any enterprise mobility strategy. The trend of moving to a more global and mobile workforce makes the ability to collaborate at any time and from any location critical to achieving business objectives.

‘The proliferation of devices and communications channels is driving dramatic growth in collaboration solutions, including rising video traffic and document sharing,’ says Accenture Mobility’s Nisha Sharma.
‘Mobility enhances the value of such social collaboration tools.’

Sharma argues that strategies must reflect this in order to achieve the greatest business value, and this means creating broader digital strategies that remove the silos between tools such as social and mobile in order to get the greater benefits from them. ‘A business case must be built based on the impact of these technologies to a network, and how it’s reshaping how networks operate,’ argues Sharma.

With the rise of mobile collaboration, voice and data now move across the same, converged network. Collaboration solutions are increasingly delivered from the cloud, and this – alongside the rise in volume and type of device accessing the network and increases in data and analytics – can often require major network redesigns.

‘Just adding additional bandwidth often isn’t enough because many new applications require higher quality of service (QoS) with guaranteed availability,’ says Sharma. ‘At the same time, IT organisations are under pressure to reduce costs. Solving these network challenges will clearly require careful investments, so a business case needs to stress both the strain on infrastructure and its business consequences.’

Back to business

Fundamentally, while it may be easy for an IT organisation to approach a mobile strategy based on integrating the latest shiny device or killer app into the workforce, falling into this trap without focusing on business outcomes could result in an expensive mistake. Everything from internal app development and BYOD policies to external engagement via mobile channels, and the use of traditional business applications via mobile devices, should really be addressed through the creation of a formal, enterprise-wide mobility strategy.

‘Any mobile strategy must focus on how this new approach will add value to the core business,’ says Cripps. ‘For example, by increasing staff efficiency and work-life balance, or improving customer satisfaction.
Once desired business outcomes are established then prioritise for business need, budget, etc. Only then should technology become a step.’

Try not to get drawn into expensive niche solutions that might have a finite lifespan or only support a small scope of apps and devices, he advises. ‘It is vital to keep any technical mobile IT enabling services as agile and flexible as possible.’

Cultural understanding

Fully understanding usage costs, including mobile network usage, is another key element, as is not forgetting the softer requirements, such as human resources input. ‘Not everyone suddenly wants corporate instant messaging live on their phone at midnight,’ says Cripps.

And a future-proof mobility strategy should be created and adopted with input from teams including HR, legal, IT and the business itself – a C-level strategy, not a CIO-level strategy.

‘It is vital to understand what is needed to support business objectives, and to build a network of peer partners from the start,’ says Sharma. ‘Many of these partners will be responsible for providing the non-technical capabilities of a collaboration strategy, leading the support and participation amongst their teams.’

Only when all that’s in place and a clear roadmap is planned can the adoption of mobility technology really begin to transform an organisation, along with the relationships with its customers and employees.

securityage

Going soft

The software-defined trend has bulldozed its way through the data centre market, affecting servers, storage and networks. But what does it mean for security?

The concept of software-defined infrastructure has gained vast momentum as organisations seek to reduce their reliance upon expensive hardware and find better solutions for dealing with data growth.
What started out as a server craze – compute virtualisation is now widely deployed – has spread across the data centre through the network and storage layers. By virtualising the components, and wrapping them with highly automated software, organisations can gain new levels of scalability and the ability to deliver applications on any hardware. Now, security is also joining the party.

Security conversations are often steered by the individual solutions that can make IT environments less vulnerable – but what about the model in which they are implemented and managed? With software-defined security, most or all of the security controls are automated and managed through software, depending on how virtualised or cloud-supported the infrastructure it sits on is. Such a model sees any new devices in the environment controlled under the base security policy, allowing underlying environments to scale with increasing resources and be seamlessly moved or migrated if necessary.

‘This term is most often used by vendors to describe an approach to automation and virtualisation that abstracts infrastructure to the point that it’s primarily controlled through higher-level functions and policies,’ says Paul Briault, director at CA Technologies.

Not the end

By negating the bulk of the heavy lifting with infrastructure, IT organisations can shift resources to more innovation-oriented and application-centric endeavours. It is a part of a number of defences that organisations must now consider in order to protect their assets and analyse where attack vectors are. However, that doesn’t mean the end of hardware-based security.

‘Software-defined security services need to be part of a larger process,’ says David Robinson, chief security officer at Fujitsu UK and Ireland.
‘The more efficient it is, the more effective it will be.’

Just like traditional security, software solutions still need maintenance, updates and reviews of their efficacy, and will still require some hardware.

‘I think there will continue to be a blend of hardware- and software-based security, with perhaps an increased focus on the software aspect,’ says Kevin Linsell, head of service development at Adapt. ‘But the move towards this type of security is more around enabling devices and solutions to be driven by software calls from a wider software-defined environment.’

This will definitely see the reliance on security hardware gradually decrease. The significance of access controls will move up the stack, while the hard network boundary approach to security will diminish in importance – a trend that has already begun.

Changeover period

Of course, anyone expecting a sudden shift away from hardware will be disappointed, and organisations that have been relying on hardware for authentication purposes will not be able to go ‘all software’ quickly.

‘Part of the problem is that organisations are not yet ready to embrace an all-software approach,’ says Briault. ‘Many are still struggling to properly implement BYOD and, as such, the industry can expect a significant phasing-out period, throughout which hardware will continue to play its part in IT security.’

In response to the software-defined paradigm, more and more security vendors are attempting to become hardware agnostic.
There are still appliances that are being specifically tweaked to run a vendor’s software, but many organisations have realised that implementing software-defined services is easier and cheaper – especially in cloud and virtualised solutions.

‘Creating an organisation that is hardware agnostic is the way that many businesses are heading,’ says Robinson. ‘Hardware will still be needed because, without it, software cannot be run, but development and services are now more reliant upon the management of the software.’

The shift towards software-defined security will also result in much more granular and appropriate security policies. The focus will be to use digital identity attributes to enforce fine-grained access entitlements to systems and applications. It will make security more intrinsic and integrated within a business, which will be particularly obvious from a change process perspective.

‘Removing the human error risk can be a big positive, but there will still be a need for strong governance, control, testing and ultimately accountability,’ says Linsell.

Briault adds, ‘Security will become more real-time and transaction based, with a focus on data and user access requests, irrespective of the channel being used.’

So, going forward, will the real value and intelligence of security come predominantly from software? Common issues in relation to authentication and access management could be solved by software-defined behavioural analytics, which will vastly improve organisations’ risk posture and real-time transaction decisions. ‘It will also lead to better user experience, which is key to business success today,’ says Briault.
Getting the balance right

But, as always, there needs to be a balance between technology, people and process. The technology piece will always be a mix of software and hardware, but the change in ratio will enable faster design and deployment – without having to invest in lots of training, hardware and assets.

Mixed bag

It’s important to remember, however, that value cannot be attributed to software alone. ‘It will always be a mix,’ says Robinson. ‘You can’t run a service without people or process, and you can’t run software without hardware.’

But, as long as it’s hardware agnostic, it will be easy for organisations to implement software architecture, helping to drive down costs and reduce operational time. Its usability is dependent upon how it’s written and created. If it’s complex then it’s going to take more effort for a business to implement and use. Like any project, its size and complexity will determine how many people and how much project management it requires. Ease of implementation will always drive the project and help manage it over its life cycle.

If an organisation is already using a virtualised service, the process of moving environments is pretty straightforward. But if businesses are thinking of embracing a completely software-defined data centre, they must first ensure that it is the right step and do a thorough risk assessment and due diligence.

‘This transition has already happened,’ says Robinson. ‘There is no specific challenge – the barriers are often cultural and fear.
‘When you have invested in software-defined security, you aren’t reliant upon customised hardware and the need to have a return on investment for the purpose it was bought.

‘Moving onto something that is capable of switching software services onto standard architecture is a positive step. But like all software, it has to be kept up to date, and organisations cannot just fit and forget.’

It is important for businesses to measure risk and configure software in a way that is right for the organisation. Those vendors that make it easier to implement software are faring well, highlighting the fact that this trend is certainly on the rise. Although hardware is getting cheaper, margins are becoming more difficult. The virtualised approach is only going to become more attractive, with businesses moving away from hardware and investing instead in ‘as a service’ models.

‘We are seeing people move away from traditional hardware to a more agile approach,’ says Robinson. ‘There is always going to be a mix of software and hardware defences, but either way an organisation’s protection needs to be based upon the risks that it faces and how it can manage them.

‘The adoption of software-defined security is a natural evolution, but it’s vital that businesses embrace it in the right way – not get frightened – and have a balanced approach.’

in the boardroom

A private affair

Since last year’s $24.9 billion buyout of Dell, the IT industry has debated whether going private was a good decision.
In this exclusive interview with Information Age, Dell’s chief commercial officer and enterprise president, Marius Haas, paints a healthy picture – but a dire one for his former company, HP

Much of the reason for Dell going private was attributed to the desire to restructure the organisation in order to help salvage the PC business and let the enterprise division drive the growth. How is that going?

We’ve changed the operating model so that two of us are responsible for all of the back-end – supply chain, procurement, logistics, etc – of two divisions: enterprise solutions (me) and client solutions (Jeffrey Clarke). Then a year ago, I also inherited management of the front-end of everything. So in addition to my enterprise responsibility, I run the commercial sales organisation for the company worldwide, which is a pretty big change but it creates a very nice continuity.

A big part of the transformation that we need to drive is around a solution-selling architecture, and changing and enabling the sales organisation to talk about a more workload-orientated, application-driven and business outcomes-driven organisation. I have so much more influence in being able to make that transformation in the organisation because I have responsibility to build out those capabilities for us. We’ve shifted quite a bit, with a lot more visibility on an end-to-end basis – from product all the way to customer – so we can make everything more customer-centric.

Having worked at HP before Dell, do you believe that the split of HP’s enterprise and PC divisions makes sense – and is it something that could also make sense for Dell?

I don’t think it makes sense. I think they ran out of options, to be honest. I remember when Léo Apotheker [former CEO of HP] announced it a few years ago and Meg [Whitman, current CEO of HP] called it a dumb idea.
Three years later, we’re back to Léo. Look at history: in the past 30 years, any IT solutions provider that has sold off its PC division has not been able to successfully maintain a server division. The synergies of being an end-to-end solutions provider are critically important in order to have the right scale across all the different business units.

The industry is migrating to a more converged-architecture strategy because more and more of the CIOs focus on and care about security, cloud, big data and applications. They don’t want to have to worry about what sits beneath it from an infrastructure perspective; they just want to make sure that it’s the best performing, gives them the most agility and is the best cost they can get on the planet. Dell will be the only end-to-end solutions provider in the industry that has all of those pieces when HP splits up.

If you look at the rationale that they use – about being two Fortune 500 companies that will be able to make faster decisions – none of that is anything that they couldn’t have done as one company. The incremental cost and complexity of having two companies is a huge distraction. So we are very happy to become the only end-to-end solutions provider in the industry, and will always be that way.

We’ve seen all the biggest IT players in the industry face the challenging transition from hardware to IT services. Where do you believe companies have gone right and wrong?

I think HP sits there as IBM envy. Everything they’re doing is to look and feel like IBM, but at the same time IBM’s results haven’t been all that compelling. So I think they’re both chasing old IT. I believe we’re in a perfect spot in the sense that we don’t want to be an application provider. We think we’ve got all of the key pieces in the portfolio and we believe we can hit the value proposition for any size of customer.
If you look at it today, our business performance is better than it’s been in a decade, so the alignment of strategy, clarity around priorities and execution, and a good solid operation model is really paying off.

Where is the enterprise division sitting in terms of revenue compared with the rest of the company?

It is growing extremely fast. Our core server business is growing double digits, and we’re very pleased with the receptiveness in the market and taking share around the world. We’re literally thousands of units away from being the number one worldwide, so that will be a big milestone for us. But more important is the customer receptivity of our proposition. We’re growing every region and we’re growing every line of business in Dell across the board. I don’t think any other enterprise company can show that they’re growing every line of business in every region.

Dell revenue has been around the $60 billion mark for a few years. Can we expect to see that rise now?

We are growing exponentially. We had a decline in our PC division when we were still a public company and the whole market suffered a decline. We’ve seen a nice resurgence in the PC space, but now we’ve seen an acceleration of growth in the enterprise space. We’re growing at multiples of market across our servers, storage and networking businesses. We were at a 17% growth in networking last quarter, so very healthy. We see double-digit growth in our software portfolio and our services segment is growing very nicely too.

Look at HP: its services business is declining, its high-end servers business is declining and its overall profitability in enterprise is declining. It still has the Autonomy issue, and who knows what will happen with that, and its printing division is declining in revenue. So I would much rather have a portfolio where every line of business is growing than have big chunks of my profit pools in a cyclical decline.
Has going private allowed Dell to innovate faster than public organisations?

It has certainly provided the agility and flexibility to make decisions much faster. We’re thinking long-term now. When I first got here, we were thinking 90-day cycles for the most part – it’s night-and-day difference now. We are investing for the long term to scale the business predictably in IT, business-process automation, frictionless order for all of our partners, long-term coverage in the market, audience reach and making our sales forces the most productive on the planet. Michael Dell says he has freed up 30% of his time. When you get someone like that who now has 30% more time to focus on customers and the technology, things happen.

analyst eye

Risk and regulation

Fayaz Khaki, associate research director for information security at IDC, reveals how organisations can get through the new EU data regulation

For the first time in many years, the European Commission (EC) is re-evaluating the European Union (EU)’s data protection regulations. While technology has moved on, the current regulations have remained stagnant and woefully inadequate to protect an individual’s or an organisation’s data. Aside from updating the regulations to align with the technology changes in the market, the EC is also aiming to create a single, pan-European law for data protection, replacing the current patchwork of national laws across the EU. It also aims to create a one-stop-shop approach, allowing organisations to deal with a single supervisory authority (at a local level, generally where the organisation’s main European base is located), rather than 28.

IDC believes that a single Europe-wide data protection regulation is a step in the right direction. It is also good for organisations doing business in Europe, as it cuts down on the overhead of complying with multiple local data protection acts. However, the new EU Data Protection Regulation forces organisations to apply a different perspective towards compliance and risk management. The regulation places a greater weight on the need for organisations to demonstrate the deletion of data linked to an individual (the data subject) under the right to erasure clauses. Therefore, organisations will need to ensure that they fully understand the flow of their data throughout the data lifecycle.

Getting serious

Increasingly, stakeholders within an organisation – and external stakeholders such as shareholders – are asking questions not only of technology leaders but also of business leaders when there is a failure of security controls. Business leaders within an organisation have to take more responsibility towards risk ownership. The regulation introduces larger fines for non-compliance – up to 2% of global turnover or €100,000,000 – and will require organisations to build and implement new processes to satisfy the breach notification clauses that are currently in place. Organisations need to notify the supervising authority once they have become aware of a breach. Crucially, however, they will also need to communicate the breach to the data subjects.

Privacy by design and privacy impact assessments will become mandatory. Therefore, organisations need to ensure that risk analysis is embedded into business processes. Developing a data protection framework with appropriate governance ensures that data protection is tied into business processes and that business executives are forced to continually assess the risk of non-compliance.

Future outlook

The current timetable for the EU Data Protection Regulation is for it to be finalised in 2014, with organisations expected to be compliant two years later. However, IDC does not believe that will happen.
In an increasingly connected economy, the regulation is necessary to make sure that the rights of data subjects are not abused but protected with appropriate security controls. The large fines that are set to be introduced will ensure that organisations will suffer a real impact to their bottom line as a result of noncompliance. However, the exhaustive process that the regulation needs to go through within the EU does mean that a number of delays are to be expected before the final version is published. While the regulation brings in stricter legislation (e.g. increased fines and breach notification), there are questions on the availability of resources within data protection authorities. Enforcing the new regulation will require a large amount of training resources to ensure compliance with the regulation. As a result of the potential lack of resources, IDC believes that data protection authorities will have to be selective on their enforcement of the regulation. For example, larger multinational organisations will initially be targeted because of the potential for levying larger fines for breaches. Despite all the rhetoric in Europe — primarily as a result of the US National Security Agency leaks – about having a separate European internet or forcing international organisations to keep European citizen data within Europe, the reality is that the dominant technology firms are mostly US based. As a result, US organisations will continue to process European citizen data and host that data in data centres located in the US. Indeed, global organisations such as Microsoft and Amazon are taking steps towards setting up European data centres. However, this is not as a result of a particular European regulation. 
DCD Converged London – ICC ExCeL London, 19–20 November 2014
The open-minded data center event. DCD Converged London brings together the people, processes and technologies necessary to help delegates develop a world-class data center strategy. Join over 2,500 of Europe’s leading data center professionals.

Four thought-leadership tracks that get to the heart of the matter:
IT + Networks – focused on helping senior strategists understand the implications of IT and network transformation on data center design and architecture: supercharging the data center LAN; embracing the ‘Open’ philosophy; exploring the virtualisation to software-defined continuum. Who should attend: Head of Network Architecture, Head of Network Infrastructure, IT Enterprise Architect, Network Analyst, CIO, CTO.
Environment – focused on the issues faced by professionals who manage the performance, efficiency and resilience of the critical environment: designing dynamic MEP infrastructure; making sense of TCO and capacity management; managing the disparity between facility and IT life cycles; operating in a cost-conscious environment. Who should attend: M&E Engineer, Consulting Engineer, IT Managers, Facilities Manager, Real Estate, DC Manager.
Design + Strategy – focused on the issues faced by senior decision makers responsible for the organisational strategy and design of on-premise data centers: designing cloud-ready data centers; re-engineering the data center in a box; defining the new availability landscape; moving from retail to wholesale to self-build. Who should attend: Head of Operations, Corporate Real Estate, Head of Engineering, Head of IT, Financial Officers, CTO, CIO.
App > Cloud – focused on issues faced by professionals who manage blended/hybrid infrastructures and the technical/regulatory challenges of delivering critical ICT through the cloud: managing app migration. Who should attend: Network Architects, Head of Engineering, Head of IT, Head of DevOps, CTO, CIO, Enterprise IT Architects.

Featured speakers: JR Rivers (CEO, Cumulus Networks); Cole Crawford (Executive Director, Open Compute); Mark McLoughlin (Technical Committee and Foundation Board of Directors, OpenStack); Dr. Steven Fawkes (Founder, EnergyPro); Dean Nelson (Vice President, Global Foundation Services, eBay); Francois Sterin (Google); Gary Walker (Principal Design Consultant, Data Centers, Spark New Zealand); Ian Massingham (Technical Evangelist, Amazon Web Services); Joe Stevens (Chief Security & Risk Officer, Interoute); Lester Towse (Director of European Data Center Operations, NTT); Jonathan Koomey (Research Fellow, Stanford University); Adrian Gregory (Senior Vice President, Managed Services, Atos UK&I); Gavin Jackson (VP & GM vCloud Air EMEA, VMware); Neil Stinchcombe (Director, Eskenzi PR and Board Member, ISSA UK).

Co-located bonus conference: Converged Security Strategies for an “Everything” Connected World – mcs-summit.com/london. Save 25% by booking quoting Reg14. For more information and to register today: WWW.DCD-CONVERGED.COM

product corner
PRODUCT OF THE MONTH: iPad Air 2
>> THE STORY After the success of its wildly popular predecessor, Apple is on a mission to monopolise the enterprise device market with the launch of the much-anticipated iPad Air 2. For some time, Apple products have been gaining ground in IT departments thanks to consumer popularity and the perception of a safer and more manageable platform than other vendors. Apple has now caught onto this and is seeking to beef up its tablet range with as much workplace functionality as users expect from the iPhone. As such, the latest iPad Air builds on the usability and sleekness of design that is the range’s trademark, but packs quite a few impressive productivity-enhancing features for business users as well. Despite the extensive time Apple has spent talking up the camera, it’s actually the enhanced continuity of the user experience that is its secret superpower.
>> THE FEATURES The iPad Air 2 has the same 9.7-inch, 1536 x 2048, 264ppi display as its predecessor, but – believe it or not – it’s even slinkier at just 6.1mm thick, making it the thinnest tablet on the market. Apple claims its new A8X processor performs 40% better than even the iPhone 6. It’s the first iPad to include a fingerprint scanner, and has introduced a new continuity feature that allows users to link their iPhone and iPad to open up a number of new features. Users will be able to read and respond to text messages through the iPad Air 2, and take calls using the speaker and microphone. Another new feature called Handoff lets users seamlessly switch between Apple devices over the same wireless network by beaming work from one device to another mid-stream. With this, they can start working on something on an iPad and finish it on a Mac, without losing their work, by connecting the devices through an iCloud account.

product corner
Nationwide smartwatch app
>> THE STORY Nationwide has become the first UK financial services provider to release a smartwatch app that gives customers real-time access to their account balance. This is the latest attempt from the building society to increase its innovation credentials. It recently also became the first high-street provider to launch 24/7 Twitter to answer customer questions, and the first UK organisation, with Visa, to offer V.me, a new digital wallet designed to make online shopping more convenient and secure.
>> THE FEATURES Users can check their live account balance by speaking into their Android smartwatch. The app also has the ability to make payments, transfer money, manage overdrafts and open savings accounts quickly and easily. ‘Providing customers with a variety of ways to manage their money, whenever and however they want, is a priority for us,’ said Nationwide’s COO Tony Prestedge. ‘Our customers have the peace of mind that they can do business with us on their terms, not ours.’

Microsoft Dynamics Sales Productivity
>> THE STORY In the spirit of Microsoft’s drive to reinvent itself as the business software Jack of all trades, it has continuously improved its Office 365 product over the last few years. In further competition to the likes of Salesforce, it has now bundled its Office 365 suite together with its Dynamics CRM Online and Power BI offerings into a package called Microsoft Dynamics Sales Productivity.
>> THE FEATURES As well as more cost-effective and simpler price plans, Office 365 itself offers far more functionality for businesses than just the standard Word and Excel. Microsoft has extended the full Office 2013 to Office 365 Enterprise so companies can run it on the new versions of Office servers including Exchange, Lync and SharePoint. It includes services like public folders, data loss prevention and rights management, and Microsoft has also tweaked its offerings so that users can edit documents in Office Web Apps as part of all Enterprise plans.

Google Nexus 9
>> THE STORY If you are looking for a powerful tablet at a slightly less hard-hitting price than the iPad Air 2, Google is really promoting its Nexus 9 for productivity and value for money, starting at £319 for the 16GB model. It comes with automatic encryption for bring-your-own-device (BYOD) peace of mind, and multiple user support via the Samsung Knox security suite designed for enterprise. Paired with the official Nexus keyboard cover, soon to be released, it can convert into a lightweight laptop – and it offers a wide range of keyboard shortcuts to Google Docs.
>> THE FEATURES With its super-fast 64-bit processor – and as the first tablet running the new Lollipop 5.0 software – Google’s Nexus 9 is designed to push the limits of Android performance.
In terms of connectivity, only the Wi-Fi version is available for now, and considering Google is expecting people to lean on cloud services by giving them no options for physical storage expansion, it might be wise to wait until the end of the year when its 32GB LTE model for £459 will be available.

column
IA’s resident thought leader Richard Lee cracks the whip on the latest IT issues
The state of open data

Over the past year, I have attended a number of events in the US and the UK sponsored by their respective open data communities. Clearly, the UK is well ahead of the US – as well as many other countries across the globe – in seeing its vision of empowering citizens and organisations via the wide availability of government-created data come to fruition.

I recently attended the Open Data Institute’s annual summit in London, where all of the major participants in this community – including government, academia and industry – gathered to learn and celebrate their accomplishments to date. The event included a set of awards given to those individuals and start-ups that have taken the most innovative approaches to exploiting open data for commercial applications, as well as a pre-day of training for all levels of open data users. In my opinion, this concept has legs – and as long as the funding, citizen advocacy and corporate support remain strong, there will be a bright future for all involved.

What is open data?
Open data in its broadest definition is data that is made available by organisations, businesses and individuals for anyone to access, use and share. It is free of copyright, audit and all other types of control. In most cases, it is government-based data, but there is a growing movement for commercial organisations to provide it as well.

However, in spite of the UK’s success to date, everything is far from perfect in the world of open data across the rest of the globe. There continue to be numerous challenges and impediments in seeing any vision of open data come to fruition. Many are technical in nature, but there are a number of cultural ones. First is the extremely poor quality of the data products being provided by government entities, including the lack of appropriate metadata to add the necessary historical and use-case context. Then there is the limited range of rich data products available from government in spite of mandates to do so, copyright waivers and public interest. And finally, the timeliness and latency of data products in respect to the currency of events.

These impediments to success are in most cases products of a culture of fear and retribution found in most bureaucracies. Most government agencies still struggle to make their internal systems fit for purpose in respect to the fundamental services they deliver, and require an inordinate level of analysis, remediation and reconciliation to meet the service delivery levels associated with their individual missions. Exposing this data to others with little control over its use is a frightening scenario for far too many of them. This has been the biggest obstacle to overcome in the US so far, in spite of hundreds of billions of dollars spent on IT architecture and applications over the past decade. This should come as no surprise to any enterprise architects, regardless of the sector they work in.

Much work is being done to align legislated mandates with specific behaviours and deliverables using internal task forces and direct intervention by senior civil servants. I believe that in spite of strong resistance there is no going back in terms of becoming closed once again. Strong commercial applications are being proffered, and the industry sectors representing these organisations have strong lobbyists working on their behalf to foster these interests with appropriate funding mechanisms. One dirty little secret in most US agencies is that they are mandated to provide open data by a certain date but have not been given any additional headcount or funding to do so.

Open data is a growing force in the world of big data and analytics. It brings new assets into the mix for developers and service providers to use in providing feature-rich apps and services for their customers. Unfortunately, like all other data sources, it suffers from major issues that good governance and provenance practices could easily surmount. We must all remember that data is an asset and must be treated accordingly.

Women in IT Awards 2015 – 29 January 2015
Join us in recognising the outstanding innovation achieved by women in the IT industry.
Despite technology becoming an increasingly integral part of our business and personal lives, the number of female IT professionals in the UK has halved in the last 20 years to just 17%. This rapid decline is a cause of great concern. One research report found that tech companies with women on management teams have a 34% higher return on investment, while another predicted that increasing the number of women working in IT could generate an extra £2.6 billion a year for the UK economy. As well as raising awareness of these issues, the Women in IT Awards 2015 will recognise the outstanding innovation that was achieved by women in the previous year. Through a series of end-user, vendor and special recognition awards, the gala evening will gather the industry to highlight the tremendous value that women can bring to the industry, and the satisfaction that such a career can bring them.
Judges: Carrie Hartnell (Associate Director, TechUK); Richard Lloyd-Williams (Former IT Director, Net-A-Porter); Claire Vyvyan (General Manager and Executive Director, Dell UK); Kevin Griffin (CIO, GE Capital International); Eileen O’Mara (Senior Area VP, Commercial Sales, Salesforce.com); Kate Craig-Wood (Managing Director, Memset Hosting); Susan Cooklin (CIO, Network Rail); Michael Ibbitson (CIO, Gatwick Airport); Gillian Arnold (Chair, BCSWomen); Karen Price OBE (CEO, e-Skills UK); Ursula Morgenstern (CEO, Atos UK&I); Gerry Pennell (Director of IT, The University of Manchester); Emma McGuigan (Managing Director, Accenture Technology UK/I); Mark Maddocks (CIO, Cambridge University Press); Paul Clarke (Director of Technology, Ocado).
For more information contact Rebecca Stanley on 020 7250 7050 or email: [email protected] or visit womeninitawards.com

Wick Hill Group newsletter – Volume 3 – To Advise, Not Advertise
In this issue: Virtualisation Security Myths – Busted! Kirill Slavin and David Emm from Kaspersky Lab discuss the demands on virtual infrastructure. Defending Against Drive-by Downloads: WatchGuard’s Corey Nachreiner examines modern drive-by download (DbD) cyber attacks. Easy Network Access Control: Christian Bücker from macmon explains why IT security fails without NAC. Plus: a free audiobook, Cyber Tradecraft.

IF YOU CAN’T SEE IT, YOU PROBABLY CAN’T FIX IT
Ian Kilpatrick, chairman of Wick Hill Group, looks at how you can get visibility back in today’s extended networks and suggests appropriate solutions.

The data security challenges facing companies today are threatening to overwhelm existing security measures. Developments such as mobility, cloud, wireless, big data, convergence of data, communications and media, virtualisation, mobile IPv6 and 802.11ac all bring benefits, but also bring with them an increase in the intensity and nature of threats. Alongside this, the sophistication, spread and complexity of threats continues to increase, while the time from vulnerability to mass attack deployment continues to decrease.
Individual users, inside and outside the perimeter, represent an ever-increasing challenge, both as perpetrators and as victims of data theft. This presents organisations with major challenges, particularly where compliance is a core requirement. Clearly, strategically, a major challenge is risk analysis and management. However, in the real world of threats, budgets and resources mean that risk mitigation needs to be prioritised, and unfortunately there is no single universal panacea.

In order to manage risks and deploy solutions, it is crucial to know what is going on. One of the key problems for organisations of all types is that they have lost visibility into what is happening with their networks and users, making it difficult to deal with individual threats. Fortunately, there are many solutions available to provide visibility and/or remediation.

For small and medium-sized organisations, WatchGuard Dimension is a security visibility solution which works in conjunction with WatchGuard’s UTM appliances and delivers intelligence and visibility on actionable threats. Check Point solutions include features such as threat emulation; DLP data oversight and leakage prevention; SmartReporter for overview visibility; and SmartEvent for real-time information on trends and anomalies. ThreatTrack provides visibility to enable threat identification, threat analysis and elimination, with a public sandbox capability. Guidance Software has a range of solutions covering e-discovery, analytics, digital forensics and incident response, and Tibco provides a range of log and data analysis options including some interesting Splunk integration capabilities.

Many people talk about the single, universal panacea for network security, but this just doesn’t exist. However, while there is no single solution to the current wide range of security challenges, visibility is essential to understand where you are today so you can take action to make your network as secure as possible. For more information visit: wickhill.com/whg/wh1a

Can Security Grow the Top-Line...
By Stephen Millard, Channel Manager, Tibco LogLogic
I doubt you’ll ever hear a CIO or CISO say “Yeah, I’ve got all the budget I need.” Most often technology spend is seen as a bottom-line item, which means squeeze, squeeze, squeeze. But, if you can relate spend requests to projects that help grow the business, then the purse strings become a little looser. So, what’s the secret sauce for security? Here’s a real story as told to me by a security consultant that starts us down the road of impact on the top-line: “One day some guy wearing cuff-links stops by my desk and says ‘I hear you’re keeping our weblogs in some kind of system.’ Let’s be honest here, cuff-links are a pretty sure sign this guy is not in the security chain-of-command, which was more than a little disquieting to me. Unsure if I was in some sort of trouble, I tentatively answered ‘I keep some stuff we need for security,’ not volunteering too much info and covering my butt in terms of why I was doing it.” Full story: see page 4.

National IT Security Survey 2014 – IT professionals’ insights
Help us to understand the current security trends and needs by completing the National IT Security Survey. As an IT professional, we are very interested in how you see your security plans and concerns for the coming year. IT security is an ever-changing environment, and we want to understand what your priorities are for 2015. As a thank you for taking part we are offering some truly great incentives. Full story: see page 5.

www.wickhill.com | 01483 227 600 | [email protected] | @wickhill | wickhill.com/linkedin

Hacking the Connected Home
By Kaspersky Lab
The modern home is no longer one that simply contains a number of separate products but is becoming more and more “connected”, with devices such as TVs, music systems, mobile devices and computing equipment all linked together. Popular connected home entertainment devices pose a real cyber security threat due to vulnerabilities in their software and a lack of elementary security measures such as strong default administrator passwords and encryption of the Internet connection.

Kaspersky Lab security analyst David Jacoby conducted a research experiment in his own living room to find out how safe his home is in terms of cyber security. He inspected home entertainment devices such as network-attached storage (NAS) models, a Smart TV, a router and a Blu-ray player to find out if they are vulnerable to cyber-attacks. And it turned out they are. Overall, David managed to find 14 vulnerabilities in the NAS models, one in the Smart TV and several potentially hidden remote control functions in the router.

David said upon discovering these flaws: “Individuals and also companies need to understand the security risks around connected devices. We also need to keep in mind that our information is not secure just because we have a strong password, and that there are a lot of things that we cannot control. It took me less than 20 minutes to find and verify extremely serious vulnerabilities in a device which looks like a safe one and even alludes to security in its own name.”

So just how secure is the technology in your home? There are simple steps you can take to help keep it secure and protect the valuable data stored on your devices:
1. Make the hacker’s life harder: all your devices should be updated with all the latest security and firmware updates. This will minimise the risk of known vulnerabilities being exploited.
2. Most home routers and switches have the option of setting up your own network for each device, and also of restricting access to the device. For example, if you have a TV, you might want to restrict access to that TV and only allow it to access a particular resource within your network. There isn’t much reason for your printer to be connected to your TV.
3. Make sure that the default username and password is changed on things such as modems and networking equipment – this is the first thing an attacker will try when attempting to compromise your device.
For more information visit: wickhill.com/whg/kl2a

THE MIXED BLESSING OF ENFORCED HTTPS
By Geraldine Osman, EMEA Marketing Director at Barracuda Networks
In a move that analysts expect will markedly improve the general security of the internet, Google has announced that it will be boosting the search rankings of sites using HTTPS. Websites that continue to transport passwords in plaintext (and there remain some large and popular offenders) will be effectively forced to comply with best practice on pain of Google penalisation, and man-in-the-middle attacks that affect internet users will decrease. But MITM attacks aren’t the only threat facing the web, and the widespread introduction of HTTPS will present a new set of responsibilities and hazards to your systems’ integrity.

HTTPS essentially provides a secure container in which important data can be transported – the data is definitely sent to the right place, unharmed, encrypted and in good condition. But there’s no way of ensuring it’s the right data in the secure container, nor is there any guarantee that the data you remove from the container will be what you wanted.

Baddies wearing your uniform
HTTPS can be problematic in terms of perimeter security. Because the data within the secure container is encrypted, it’s impossible for conventional perimeter security solutions – systems like IDS/IPS and firewalls – to accurately gauge whether the incoming data is malicious or not. HTTPS effectively gives criminals, hackers and vandals a way of escaping detection if they want to target your servers.
If your name’s not down...
As with a border post, the security systems in place must (at the very least) include a blacklist – a list of individuals who can’t be let through the checkpoint. Even more secure would be a whitelist – a list of all the individuals who can enter through the checkpoint.

Indeed, the same applies in reverse. Your systems can’t discern the nature of the data within these secure containers, and nor can your users’ – malicious exploits could target your customers, whose security won’t be able to detect them thanks to your HTTPS.

One solution is a proxy-based system that can not only open the secure containers and investigate the contents, but can keep out the malicious data using SSL offloading. This involves the proxy decrypting the HTTPS traffic and then communicating its findings with the protected servers using HTTP or through encrypted means. SSL offloading is an important tool in other contexts.

This problem is compounded by the little padlock icon that appears when a site is connected to using HTTPS. Your site visitors will enjoy a false sense of security, assuming that they are safe from all threats. Ironically, a transition from HTTP to HTTPS using non-proxy security solutions may in fact damage your security rather than improve it.

Keeping application security current often necessitates rewriting legacy web applications on the fly. This could involve injecting HSTS (HTTP Strict Transport Security) and clickjacking-prevention response headers, preventing CSRF by injecting randomised tokens, cookie encryption and more.

It’s important to look ahead and understand that attackers may become more sophisticated, and that current data could be compromised in the future. Your HTTPS traffic, if captured today, could be decrypted in the future by criminals equipped with more advanced hardware. Perfect Forward Secrecy (PFS) addresses this, but it also renders IDS and span-port-based passive decryption useless, since a device that holds only the server’s private key cannot recover the per-session keys of a PFS exchange. An inline proxy that terminates the TLS session itself is unaffected, because it holds the session keys for both legs.
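The two proxy-side measures described above (injecting HSTS and clickjacking headers into a legacy application’s responses, and gating state-changing requests on a randomised CSRF token) can be sketched in a few lines. The following is an added example, not Barracuda’s product code and not from the original article: `PROXY_SECRET`, `TOKEN_MAX_AGE` and the header dictionaries are assumptions for the illustration, and the token is bound to a session identifier by HMAC rather than stored server-side.

```python
import hashlib
import hmac
import time

# Assumed key for the proxy's CSRF tokens (placeholder; load it from a secret
# store in practice). Rotating it invalidates every outstanding token.
PROXY_SECRET = b"example-proxy-key-replace-me"
TOKEN_MAX_AGE = 3600  # seconds a token stays valid


def add_security_headers(headers, hsts_max_age=31536000):
    """Inject HSTS and clickjacking headers into an upstream response.

    headers: dict of response headers as received from the (legacy) origin.
    An origin that already sends a header keeps its own value.
    """
    out = dict(headers)
    out.setdefault("Strict-Transport-Security",
                   f"max-age={hsts_max_age}; includeSubDomains")
    out.setdefault("X-Frame-Options", "DENY")  # clickjacking prevention
    return out


def _mac(session_id, ts):
    msg = f"{session_id}:{ts}".encode()
    return hmac.new(PROXY_SECRET, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id, now=None):
    """Return a token bound to this session and an issue time: '<ts>:<hmac>'."""
    ts = int(time.time() if now is None else now)
    return f"{ts}:{_mac(session_id, ts)}"


def verify_csrf_token(session_id, token, now=None):
    """True only if the token was issued for this session and has not expired."""
    try:
        ts_str, mac = token.split(":", 1)
        ts = int(ts_str)
    except (AttributeError, ValueError):
        return False  # malformed or missing token
    current = int(time.time() if now is None else now)
    if ts > current or current - ts > TOKEN_MAX_AGE:
        return False
    return hmac.compare_digest(_mac(session_id, ts), mac)  # constant time


def filter_request(method, session_id, form, now=None):
    """Proxy-side CSRF gate: safe methods pass, anything else needs a valid token."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    return verify_csrf_token(session_id, form.get("csrf_token", ""), now=now)


if __name__ == "__main__":
    # Constructed sample: a legacy origin that sends no security headers at all.
    print(add_security_headers({"Content-Type": "text/html"}))
    token = issue_csrf_token("sess-abc", now=1_700_000_000)
    print(filter_request("POST", "sess-abc", {"csrf_token": token}, now=1_700_000_010))  # True
    print(filter_request("POST", "sess-xyz", {"csrf_token": token}, now=1_700_000_010))  # False
```

Two caveats follow from the code rather than the article: `includeSubDomains` commits every subdomain to HTTPS for a year, so confirm none still serves plain HTTP before the proxy starts injecting it, and a token is only as good as the session identifier it is bound to, so the proxy must read that identifier from a cookie it trusts rather than from the form body.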
Non-security benefits Nobody wants a message on Google stating that their site could infect a user’s computer with malware. For most companies with a significant web presence, it’s precisely the kind of thing that could cost an enormous amount of revenue. The precipitous fall from grace (and search rankings) that would result from a breach of any sort could be disastrous for the reputation of your organisation, whether your systems are equipped with HTTPS or not. www.wickhill.com | 01483 227 600 | [email protected] | For more information visit: wickhill.com/whg/bn2a @wickhill l wickhill.com/linkedin TREATING YOUR EMAILS LIKE THE BIG “GENUINE BYOD” When mobile device management is not enough! DATA THEY ARE By Geraldine Osman, EMEA Marketing Director at Barracuda Networks The phrase “big data” refers to datasets so large that they’re unwieldy – awkward to work with on account of their sheer size and complexity. Generally speaking, this sort of data will be stored in databases, but it can be applied to an organisation’s email storage, too. A company’s email data is stored on a database of sorts – the Exchange Server. This in itself could be referred to as “big data”, in that it may be so vast that it’s hard to work with. But complicating the matter is email data stored elsewhere, for example on file servers or even on individual workstations. By Christian Bücker, Managing Director / CEO, macmon secure gmbh A dataset of this magnitude, stored in this fashion, presents an enormous problem. This is partly because there are currently very few ways of managing this data in a meaningful way. Archiving it is a possibility, but this only moves the “big data” from the Exchange Server to somewhere else – it’s still very difficult to manage the dataset. The buzzword “Bring Your Own Device” is now in more widespread use for all kinds of different products and “solutions”. 
Or – the other way around: almost every provider of IT security solutions purports to provide a golden answer for this underestimated situation. But what actually happens in the business?

Let's initially consider the situation as defined by a company – and also recognise what is ignored. The term “Bring Your Own Device”, in literal terms, would appear to suggest a situation in which employees are encouraged to bring their own devices. There are no restrictions to smartphones and the like – it can just as well mean someone bringing a MacBook to work because they prefer Apple to Microsoft Windows. It should be clear that none of these “non-corporate devices” is generally catered for within the central administration with regard to essential IT systems such as patch management, antivirus, etc. The end result is that an employee's terminal security and safety is a great concern – not to mention the possibility of a complete data leakage through unprotected device access. It is, therefore, becoming more and more necessary to rise to the challenge of managing these strange and unidentified devices in some way. Since security vendors have not covered all eventualities in this sphere – leaving obvious drawbacks – there remains a mass of work to determine risks through continual assessments. Through these assessments, companies are able to determine if the risk factors involved are justifiable – or if the risks are too high.

Insofar as being the ultimate security solution, mobile device management has an existing requirement that simply does not exist in some companies: the general acceptance of a third-party/service agent on an employee's terminal. The generic rejection of access for the third-party/service agent is quite understandable – even if there are valid assurances that surreptitious access is denied. And that also means applying a blanket “denial of service” for devices which, it is generally understood, do not have the functional capacity for unrestricted access within their own core functions. Consider also that the majority of third-party service agents would automatically accept any corporate-level “monitoring functions” being applied to their non-standard device, as a matter of corporate security policy.

So, the overall requirement to discover a network-level solution (terminal-level solutions are not as feasible) has led to the strong revival of Network Access Control technologies. If a business decision has already been made to allow employees' devices on the network, NAC provides the advantage of granular control, rather than simply applying a blanket “yes or no”. NAC can create access rules whereby only specific services are provided across an already protected LAN or WAN. In that respect, no device would have full network access. In this way, the whole network can be protected as much as possible from any risk – and additional safety measures such as intrusion prevention systems or firewalls may also detect possible attacks and, through an intelligent coupling with the NAC solution, separate the relevant systems from the network.

Using the methods described above, significantly better protection of the entire network is established. However, there is still a general lack of appropriate methods providing an overview of the devices in situ. Coupled with this is the lack of clarity in real-time access. As a frequently underestimated consequence, the overall reporting and recording strategy fails to monitor adequately – and that includes authorised devices.

It is here where macmon NAC offers the BYOD Portal – a new form of tracking and managing (all) employee devices. Using a customisable web portal, eligible (authorised) employees have the ability to identify and register their own devices. To achieve this, the employee authenticates at the portal only, using his usual username/password, then accepts the rules of use of the company network – and thus registers the device as his own. Using this simple approach, the company receives a constant overview of the registered systems/devices per user. These aspects aside, macmon NAC also ensures concurrent usage and automatically removes access for users who have left the company. macmon NAC is exceptionally easy to establish within a company infrastructure, without the added expense of administration, and provides controlled access to valid users, whilst ensuring that former employees have no further access to the corporate network.

Making sense of the numbers
In order to make this mass of data useful, you need a tool that enables you to understand it. For example, processes will enable you to identify who the emails belong to (separating human resources correspondence from messages sent to groundskeeping staff will be helpful) or to sort the emails by size and age. But once you've understood the data, you should then be able to manage it – carrying out the correct action on the right set of data. This could be something as simple as deleting all emails that are more than 10 years old, if you deem them to be irrelevant. Backup actions, like moving all PST files to a central location or instigating a seven-year archive retention plan for customer email, are more complex but can be undertaken with the right tools. Preserving and collecting all data between a specified list of custodians, or categorising all the email data from a certain department using a relevant taxonomy, are also feasible actions.
For more information visit: wickhill.com/whg/bn1a

www.wickhill.com | 01483 227 600 | [email protected] | @wickhill | wickhill.com/linkedin
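The sorting, retention and custodian-preservation actions described under “Making sense of the numbers”, as an added example that is not Barracuda's or Wick Hill's code: a small Python policy engine run over a constructed archive index. The message records are invented for the example; the 10-year purge, the seven-year customer retention and the custodian preservation come from the text, while the precedence (a legal hold beats every deletion rule, and customer mail older than its seven-year retention becomes deletable) is this example's assumption.

```python
"""Retention and eDiscovery actions over an indexed email archive.

Added example, not Barracuda's or Wick Hill's code. It assumes the archive
has already been indexed into per-message metadata records; the records
below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Message:
    msg_id: str
    owner: str            # mailbox the message belongs to (a custodian)
    department: str       # taxonomy label assigned during indexing
    received: date
    size_bytes: int
    customer_mail: bool   # correspondence with a customer account


# Constructed sample index, not real data.
TODAY = date(2014, 11, 1)
SAMPLE = [
    Message("m1", "a.smith", "HR", date(2003, 5, 2), 12_000, False),
    Message("m2", "a.smith", "HR", date(2012, 1, 9), 48_000, False),
    Message("m3", "b.jones", "Grounds", date(2001, 8, 30), 2_000, False),
    Message("m4", "c.lee", "Sales", date(2009, 2, 14), 150_000, True),
    Message("m5", "c.lee", "Sales", date(2006, 6, 1), 90_000, True),
    Message("m6", "d.khan", "Legal", date(2004, 3, 3), 5_000, False),
]


def years_old(msg: Message, today: date = TODAY) -> float:
    return (today - msg.received).days / 365.25


def plan_actions(messages, custodians_on_hold, today=TODAY):
    """Return {msg_id: action}. Precedence is the example's assumption: a
    legal hold beats every deletion rule, the 7-year customer retention is
    checked before the general 10-year purge, everything else is kept."""
    actions = {}
    for m in messages:
        age = years_old(m, today)
        if m.owner in custodians_on_hold:
            actions[m.msg_id] = "preserve"          # collect, never delete
        elif m.customer_mail:
            actions[m.msg_id] = "archive-7y" if age <= 7 else "delete"
        elif age > 10:
            actions[m.msg_id] = "delete"
        else:
            actions[m.msg_id] = "keep"
    return actions


def by_department(messages):
    """Group message ids under their taxonomy label (HR vs grounds staff)."""
    groups = {}
    for m in messages:
        groups.setdefault(m.department, []).append(m.msg_id)
    return groups


def largest(messages, n=2):
    """Sort by size so the biggest items surface first."""
    ordered = sorted(messages, key=lambda m: m.size_bytes, reverse=True)
    return [m.msg_id for m in ordered[:n]]


if __name__ == "__main__":
    for msg_id, action in plan_actions(SAMPLE, {"d.khan"}).items():
        print(msg_id, action)
```

Running the module with `d.khan` on legal hold shows the hold overriding the 10-year purge for `m6`, while `m5` (customer mail, eight years old) falls out of its seven-year retention window and becomes deletable; the rule order in `plan_actions` is what keeps a custodian's mail from being destroyed by a routine age-based clean-up.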
For more information on macmon NAC visit: wickhill.com/whg/mm3a

Don't Become the Next Code Spaces – treat your IaaS server as if it was your own
By Ian Porteous, SE Manager at Check Point Software Technologies UK

Code Spaces was just one of the firms targeted by cyber criminals this year. Following attacks on Feedly and Evernote, the Distributed Denial of Service (DDoS) attack on Code Spaces began on June 17 – usually a precursor to a ransom demand from criminals attempting to extort money from companies to make the DDoS attack stop.

In this case, however, the DDoS attack was supplemented with a much more injurious attack on Code Spaces. The attackers managed to commandeer Code Spaces' panel access and cause untold damage to the company and its customers.

“We finally managed to get our panel access back but not before he had removed all EBS snapshots, S3 buckets, all AMIs, some EBS instances and several machine instances,” the company stated on its website. “In summary, most of our data, backups, machine configurations and offsite backups were either partially or completely deleted.”

The result of this was that Code Spaces ceased trading. The firm conceded that the damage done and the resultant costs had “put Code Spaces in an irreversible position both financially and in terms of ongoing credibility”.

Cloud-based infrastructure – an obvious vulnerability
Companies, charities, governments and other organisations are using cloud services because of the obvious benefits they bring – swift, remote access to resources and databases. But as Code Spaces discovered, services can be rendered useless with relatively simple attacks from criminals or vandals. In addition, a shocking number of companies have no plan in place in case of a DDoS attack or similar. Forrester Research found in a study that 43% of companies surveyed did not have a formal DDoS attack response plan. All companies can take steps to minimise the chances of being compromised, and to dramatically reduce the amount of damage that an attacker can do if they do gain access.

Define and optimise user access to the management console
Access to the panel comes in two stages. Firstly, access itself – providing unrestricted access to multiple individuals leaves you much more vulnerable to someone taking control. This is what happened to Code Spaces, and the result was disastrous. Give access to as few people as possible. Do not use the root account on a regular basis – instead, make an administrative account for normal use and keep the root account sacred. The second stage is simple – only allow individuals access to what they actually need for their work. Assign minimal rights to users, so that if their accounts are compromised or their credentials stolen somehow, the damage that can be done is limited.

Over-reliance on passwords is complacency – don't do it
Authentication that relies entirely on an easy-to-guess username and a memorable word chosen by the user is not an inherently strong system. It's open to all sorts of abuse, misuse, bad practice, leakage and social engineering, all of which can be exploited by an attacker. Multi-factor authentication presents yet another obstacle to a criminal who wants to gain access to your computer systems – an additional code is required to log in, and this code can only be acquired through third-party hardware (like those in use by UK consumer banks) or via text message to the user's phone. In the case of Code Spaces, this would have enabled the company to see whose key fob or supplementary access code was being used.

Protect your network
Consider using Security Assertion Markup Language (SAML). SAML is an open standard that can be utilised in conjunction with other identity mechanisms (such as Windows Active Directory Federation Services). Antivirus software must be up to date and active. Intrusion prevention systems (IPS) and network firewalls go some way to prevent attacks, while threat emulation could help you understand new and unknown risks.

Create a response plan
Your company needs to know how to react to a threat, whether that's a DDoS attack or something more sinister (or a combination, as faced by Code Spaces). There are three recommended elements to this, but more protocols could be in place depending on the needs and responsibilities of your company:

An incident response plan. This document defines what constitutes an incident in the context of network security, as well as outlining the protocol for each type of attack. It is helpful to understand in advance what a security incident is and how it should be escalated if necessary.

A DDoS response plan. This is a DDoS-specific plan that explains how your company should react to a distributed denial-of-service attack. This document should help you minimise disruption during and after a DDoS attack.

A business continuity plan. How will your business cope with an attack, and what steps can it take to minimise the effect of criminal activity? How can disruption be mitigated, and how can permanent damage be eliminated? This is one area in which Code Spaces faltered – a relatively straightforward security breach destroyed their intellectual property, demolished their reputation and ultimately forced the company to close.

Your enterprise is likely to have all sorts of emergency plans in place, such as in case of a fire. These protocols are familiar to all and are tested regularly – the same must be true of your network security protocols and contingency plans.

Protect your IaaS server
The benefits of IaaS offerings are enormous and obvious, but so are some of the security risks. When implementing an environment on any IaaS offering, the servers require the same level of security as they would if they were in-house. All the same security systems are available to IaaS offerings. Connecting your IaaS to your LAN can be secured through VPN, and Amazon-specific security is widely available. So many companies use IaaS, but a firm as reliant on AWS as Code Spaces should have had better security in place. Your firm can learn from the failings of Code Spaces, where, ultimately, a hacker gained access to the panel and was able to swiftly delete backups. Optimise user access, implement multi-factor authentication, and draw up emergency plans for use in the event of a breach. Don't be the next Code Spaces – protect IaaS servers as if they were your own.
For more information visit: wickhill.com/whg/cp1a

THE NATIONAL SECURITY SURVEY 2014
Continued from Page 1

About the Survey
Our National Security Survey consists of questions based around current business needs and requirements for any organisation. If you're an IT professional, we'd love to invite you to participate. Plus, everyone that completes the survey will receive a mobile PowerBank, or a donation to charity will be made on your behalf. Topics include general security risks and concerns for businesses both presently and in the future. Other topics such as Remote Access, Advanced Persistent Threats (APTs), Endpoint Security, Data Management and Leakage, Internal Security and Encryption are all present in the survey and will hopefully produce some fascinating results, which will be sent to you for free if you take part.

We will also send the survey results to every participant when the survey closes, giving you the opportunity to analyse the results and see if your opinions match up to those of other professional IT employees.

Prizes on offer:
• Beats by Dre Headphones
• GoPro Cameras
• Sonos Play HiFi systems
• Parker Duofold pen

Complete the survey now to be in with a chance of winning one of the above prizes. Charities we support for the donation are the Syrian Refugee Appeal, Transform Housing or MacMillan Cancer Care. Support and sponsorship from some of the biggest names in Network Security allows us to offer some exceptional prizes, awarded in a unique ongoing way so that you don't have to wait months to win something.

Want to give your input? Visit www.wickhill.com/whg/wh8a

IT CONTRACTORS: NOT A BUYERS' MARKET
By Geraldine Osman, EMEA Marketing Director at Barracuda Networks

Surveys have made clear something that analysts have been noticing in the industry for some time – IT contractors are not only thin on the ground, but expensive too. These two points are related. There's a limited supply of an in-demand service, and hourly rates reflect this. The use of IT contractors is certainly on the rise, and this trend is expected to continue for the rest of 2014 and beyond. A lot of these IT contractors are working on critical IT projects. According to FierceCIO, what has surprised IT shops is that they are competing with cloud providers to hire the IT contractors who are proficient with cloud technology – even after they have deployed cloud services from those same providers.

Across the pond
The situation is similar on both sides of the Atlantic – there are certain similarities between the US and the UK. Companies that were forced to cut costs in the recent recession, according to Contractor UK, are feeling forced to “up their game” or to find lower-quality IT contractors (less qualified, and cheaper) who will work for the rates that they can afford. This obviously has a knock-on effect on quality – a lower-rate IT contractor working on a critical or important project could be a disaster. Contractor UK reports on both the UK and the US IT contractor markets.

Why passwords don't cut it anymore
By Jan Valcke, President & COO at VASCO Data Security

A survey conducted by Guardian Analytics showed that nearly 1,000 SME business owners and executives questioned experienced fraud. SMEs tend to be perceived as less robust with their security policies and procedures. Furthermore, any security vulnerabilities they have could be gateways to their customers' or clients' data, which could be a far richer reward for those with malicious intentions. The approach for any company, whether big or small, should be built around the concept of ‘securely letting the good guys in’. A security procedure such as a cloud-based two-factor authentication solution, such as VASCO's MYDIGIPASS.COM, is an effective way for SMEs to keep up with the security operations of a corporate company. Whether it's an SME's staff logging into business-critical applications, or the SME's customers buying something from them online, it is essential that that data is secure.

A good platform for SME security is one that is scalable and convenient for users. Something that isn't too intrusive, features easy sign-on functionality while still remaining secure, and is a rewarding tool to ease the minds of IT staff who could feel overwhelmed in a small-business, high-risk situation. VASCO's MYDIGIPASS.COM is such a platform that is capable of delivering on all of the above and more. Added features such as full branding and customisation can give the feel of never leaving a company's operating system to manage security, as well as single sign-on functionality to ensure ease of use is not affected while performing tasks and configuration. This solution definitely contributes to boosting an SME's business. Security, convenience and scalability can be adapted as needed, delivering a more rewarding and secure online experience for customers – a contributing factor in strengthening customer relationships.
For more information visit: wickhill.com/whg/v4a
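The two-stage console access model and the multi-factor recommendation in the Check Point article above, together with the VASCO piece's point that a password alone is not a strong system, as an added example (not Check Point's, VASCO's or Code Spaces' code): a Python audit over a constructed user report that flags routine use of the root account, console logins without MFA, and more administrators than policy allows. The CSV columns are loosely modelled on a cloud provider's credential report but are this example's own, as are the 30-day root-use window, the two-administrator limit and every row of data.

```python
"""Audit a management-console user list for three access controls: few
administrators, no routine use of the root account, MFA on every login.

Added example, not Check Point's, VASCO's or Code Spaces' code. The column
names are this example's own (only loosely modelled on a cloud credential
report) and every row is constructed.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample report (not real accounts).
REPORT_CSV = """\
user,is_root,password_last_used,mfa_active,access_key_active,admin_policy
<root_account>,true,2014-06-16T09:12:00,false,true,true
alice,false,2014-06-17T08:01:00,true,false,true
bob,false,2014-06-15T17:40:00,false,false,true
carol,false,2014-06-17T07:55:00,true,true,true
deploy-bot,false,,true,true,false
dave,false,2014-05-30T12:00:00,false,false,false
"""

NOW = datetime(2014, 6, 17, 12, 0, 0)
ROOT_RECENT_DAYS = 30   # a root login inside this window counts as routine use
MAX_ADMINS = 2          # assumed policy: at most this many humans with admin rights


def parse_report(text):
    """Turn the CSV text into dicts with typed booleans and datetimes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for flag in ("is_root", "mfa_active", "access_key_active", "admin_policy"):
            row[flag] = row[flag] == "true"
        last = row["password_last_used"]
        row["password_last_used"] = datetime.fromisoformat(last) if last else None
        rows.append(row)
    return rows


def audit(rows, now=NOW):
    """Return a sorted list of (severity, finding) tuples."""
    findings = []
    admins = [r["user"] for r in rows if r["admin_policy"] and not r["is_root"]]
    for r in rows:
        name = r["user"]
        last = r["password_last_used"]
        if r["is_root"]:
            if last is not None and now - last < timedelta(days=ROOT_RECENT_DAYS):
                days = (now - last).days
                findings.append(("HIGH", f"root account used {days} day(s) ago; keep it for emergencies only"))
            if r["access_key_active"]:
                findings.append(("HIGH", "root account has an active access key"))
        # Service accounts never log in interactively, so only password users are checked.
        if last is not None and not r["mfa_active"]:
            findings.append(("HIGH", f"{name}: console login without MFA"))
    if len(admins) > MAX_ADMINS:
        names = ", ".join(admins)
        findings.append(("MEDIUM", f"{len(admins)} users hold admin rights ({names}); limit is {MAX_ADMINS}"))
    return sorted(findings)


def audit_report(text=REPORT_CSV, now=NOW):
    return audit(parse_report(text), now)


if __name__ == "__main__":
    for severity, finding in audit_report():
        print(severity, finding)
```

On the sample report the audit produces six findings: the root account has been used within the last day, carries an active access key and has no MFA; two named users log in without MFA; and three people hold administrator rights against a limit of two. Treating a missing password as a non-interactive service account keeps automation identities out of the MFA check without exempting them from the admin-count check.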
Computerworld reports that this trend of hiring in IT contractors is likely to remain the same, at least for the foreseeable future. Nearly half the companies that were surveyed indicated that they planned to hire IT contractors in the coming year. The percentage of IT contractors in some departments is at 17%, reported the firms.

The solution?
Unfortunately for IT managers, the most straightforward way to minimise the effect of the prevailing economic conditions is simply to spend more on IT contractors. But for companies without that luxury, or for organisations with the capacity to enhance their efficiency, there are several key areas where spending can be minimised. The following have been identified as drains on resources:

PST-related help desk calls. At some firms, calls pertaining to the antiquated PST file system account for 15% of help desk activity. This is a clear area to clean up – a “PST elimination project” is a solid investment that will save you money, especially if your customer support department is already struggling with its workload.

Irrelevant IT activities. There's no need for IT departments to take responsibility for eDiscovery or eDisclosure collections, especially as the legal teams that request them are unlikely to receive the data they need – even with great communication. Advanced search products will enable the legal team itself to take ownership of the eDiscovery and eDisclosure actions, which would be a win-win: they get the results they want first time, and the IT department's workload is significantly reduced.

Sloppy migrations. Exchange 2003 is no longer current, and those using Exchange 2007 will be migrating to Exchange 2013 or Exchange Online. But some companies are migrating before undertaking their archiving project, which results in unnecessary costs and delays as useless, out-of-date emails are migrated to the new system before being deleted.

Saving everything. Companies are often found to have kept emails that should definitely be deleted, and as a result spend vast amounts of needless time and money reviewing them as part of legal discovery. Barracuda finds that all too often, companies that save everything end up discovering everything, too.

All of these are areas that could be cleaned up in order to save money and ensure that resources are used to fund critical projects. The world of IT is in a state of constant flux, buffeted by a changing business landscape and constant technological innovation. But by changing their expectations and investing in money-saving projects, firms can streamline their IT departments while meeting the demands of an evolving industry.
For more information visit: wickhill.com/whg/bn4a

Can Security Grow the Top-Line...
By Stephen Millard, Channel Manager, Tibco Loglogic
Continued from Page 1

Then he says “Could you give me a history of web pages by visitor – we track them with a cookie.” Turns out this guy was the CMO and was under the gun for some type of conversion metric and, after exploring a bunch of other options that didn't work, was coming to me as a last-ditch effort. So I ripped off my shirt, exposing the big red “S” emblazoned on my tight blue one-piece and said “I'll be your hero!”. OK, OK, I didn't rip off my shirt or anything like that. But I was able to make a couple of quick searches and determine that I had the data he needed. In the end he was really happy that I had the data and I worked with the marketing team to develop reports about visitor behaviour and conversions.

There are a couple of critical elements to this story that may not be that obvious. The first thing is to realize that the story paints a picture of how separated the security team was from the rest of the business – the security guy didn't even recognize the CMO! It is imperative that the IT and security teams be able to relate better to the business.
Creating isolated pockets of information only serves to mystify and isolate, decreasing the opportunity for security to contribute to the business. The second critical factor is that the security guy didn't share his data – he just generated reports and gave them to the marketing department. What other valuable insights were hidden in the web log data? How can the marketing team extract the business value if their access to data is so severely gated?

This story portends a fundamental shift that our industry needs to undertake. IT and especially Security need to make machine and log data available to their constituents to be analysed just like transactional data. Data availability is just the first step – the analytics tools need to be de-geekified so that mere mortals can ask questions about their business and get answers. Democratizing data and actively engaging the lines of business are two key steps that IT and security organizations must undertake to address their budgetary challenges.
For more information visit: wickhill.com/whg/tc1a

THE EVOLUTION OF EMAIL MANAGEMENT
By Geraldine Osman, EMEA Marketing Director at Barracuda Networks

Email archiving solutions now provide far more than capacity management. Because email archives are becoming so large and rich in data, thanks to email's position as the main means of both internal and external communication, it is essential for organisations to manage this resource effectively. The capabilities of modern systems include the delivery of compliance, discovery and PST management – all in all, enabling you to manage the complete email life cycle.

The data stored in your email archives is rich but often dauntingly large and sometimes unstructured. Until recently, email management consisted of little more than archiving itself – essentially a capacity issue rather than analysis. Today, advanced techniques allow you to develop a much greater understanding of your email dataset and will eventually become standard in this type of information management system.

Developing solutions for your organisation's needs
Organisations now have the ability, using information management, to determine and implement bespoke data retention policies, and to swiftly retrieve the information they need from email “big data”. Regardless of the prevailing economic climate, but especially in times of recession, IT departments are under enormous pressure to minimise expenditure wherever possible. One of the main ways IT departments can maximise their efficiency is to cascade tasks (that would previously have been the sole responsibility of IT) to other stakeholders within the organisation. An example of this could be the legal department, which will need to use email records and extract relevant data from email archives. The legal team will also, while undertaking a legal Discovery action, require the email to appear in full and unabridged for as long as necessary. The opportunity for end users such as this one to undertake the actions themselves has accelerated the development of more role-based solutions designed for end users rather than service providers.

Future proofing information management
While email has been the primary method of communication for many organisations for two decades now, the popularity of instant messaging has soared in recent years. This new type of data – which has the potential to result in far bigger, more complex datasets – will need to be managed in the same way as we manage email now. Intelligent archiving and information management solutions are evolving to include support for these communication methods. In addition, information management solutions are having to adapt to a changing business landscape and the onward march of technology. Email archives are steadily increasing in size, and Discovery exercises are becoming more resource-intensive. Organisations of all sizes are starting to rely on the intelligent management of their “big data”, and email archives are an absolutely essential part of this.
For more information visit: wickhill.com/whg/bn3a

CYBER TRADECRAFT: Defending Against Drive-by Downloads
By Corey Nachreiner, CISSP, Director of Security Strategy, WatchGuard

Imagine this… You're perusing the ancient and colourful Grand Bazaar in Istanbul, feeling overwhelmed by all the interesting sights, sounds and smells. An excited and charismatic shop owner waves you over to his wares, enticing you to contemplate the colourful baubles he has on display. As you're thus distracted, a quiet, inconspicuous character jostles you lightly from behind, whispering an apology as she hurries past. You walk away from the ordinary encounter perfectly unaware that she also planted a powerful bug on your person, and can now track your every move and monitor whatever you do, potentially using this newfound power to swipe the confidential documents you have holed up in your hotel safe.

You're probably thinking the description above sounds a lot like the fantastical tales you've read about in pulpy spy novels. Yet it is surprisingly close to what the average user risks every day while browsing web sites online – the risk of the drive-by download.

Drive-by download? Sounds like something cyber gangs do in South Central
In case you haven't heard the term before, a drive-by download (DbD) is a class of cyber attack where you visit a booby-trapped web site and it automatically, and silently, downloads and executes malicious code on your computer. In short, if an attacker can find any vulnerability in the diverse software set you use to browse the web, and he can entice you to a web site containing a bit of malicious code, he can exploit these flaws to force your computer to infect itself with malware without you even knowing it. Much like the fictional spy scene in the Turkish market, by luring you to a special place and distracting you, these network criminals can quietly compromise you behind your back.

By default, web sites can't just download and run code on your computer, so a successful DbD attack relies on some sort of programmatic flaw or vulnerability in the software you use to surf the web. For instance, browsers like Internet Explorer (IE), Firefox, Safari and Chrome make the most obvious targets. However, nowadays most users install many other web-related products, which attackers can exploit in DbD attacks. For instance, products like Java, Flash, Shockwave, Reader, QuickTime and many others insert plugins into your web browser, which allow them to render the dynamic content you encounter when visiting modern web sites. The problem is that these plugins also give attackers access to this software – providing more attack surface opportunities.

How do hackers get me to malicious sites?
“But wait a second,” you might exclaim, “I'm not naive enough to visit suspicious web sites on the Internet. They can't infect me if they can't get me there, right?” Of course, you are correct. Unless an attacker can get you to his booby-trapped web site, his DbD attack will not succeed. However, you might be surprised at how easy it is to lure victims to booby-trapped sites today.

Let's start with the old, tried-and-true techniques. In the past, you might have heard security professionals warn you against visiting the seedier side of the Internet. Just like in the red-light districts found in the real world, lots of questionably legal activities happen in some of the sleazier parts of the Internet. Sites catering to pornography, software piracy, drug sales and more often partner with cyber criminals (knowingly or unknowingly), and serve up malware to their visitors via DbD attacks. Any time you see something shady offered for free on the Internet, chances are you'll pay in ways you don't quite know.

Another way to get victims to malicious sites is just to invite them to visit. Cyber criminals use every Internet messaging mechanism they can to spam out links to their malicious pages. They send emails, instant messages (IMs), or post to social networks, sharing links that go direct to booby-trapped websites. Of course, they dress up their message in some way to get you interested, citing the latest pop culture event or pretending to be your friend sharing a fun link. They also often use link-shortening services to make their malicious links seem more benign. Since many users still don't realise web links can be dangerous, many fall for the bait and click the link for an unwelcome surprise.

However, the most nefarious way to draw victims to booby-trapped DbD web sites is the watering hole attack, a three-phase attack where the attacker focuses on a particular group and observes which websites the group frequents. The attacker infects those websites with malware so eventually some of the targeted group members get infected. All the methods described previously depend on getting someone to a site that they may not visit of their own accord… but what if you could hijack a site they frequented regularly? Just like the lions stalking prey in the savannah, hackers know that if they can poison your favourite “watering hole” web site, you'll surely stumble upon their DbD code. The attackers search for web application vulnerabilities in popular and legitimate web sites, such as SQL injection (SQLi) and cross-site scripting (XSS) flaws, then exploit these problems to inject malicious code into the legitimate site, redirecting anyone who visits the site to malicious DbD code.

In the past, I could warn you against visiting sordid web sites to avoid DbD attacks. However, today any site on the Internet – even the ones you trust the most – may have been hijacked and could be hiding a drive-by download.

Drive-by download defence and “tradecraft”
Part of being a good spy is understanding your adversary's techniques, and then learning the tradecraft that can protect you in the field. Now that you know what a drive-by download is, and how they work, here are a few cyber tradecraft tips that will protect you online:

• Patch, patch, and then patch some more – In “computer-ese”, patching means to apply the latest updates to your computer software. As mentioned, web sites can't forcefully download software to your computer unless they can take advantage of programming flaws in the software you run. Many of the DbD attacks seen in the wild exploit flaws that vendors have already fixed. If you keep your software up to date, most of these attacks will fail. Obviously patch your web browser, but also know that hackers are focusing on exploiting Java and Flash vulnerabilities lately. You should patch these packages just as aggressively as the browser itself. In fact, I would recommend disabling Java if you can.

• Don't click unsolicited links – Simply put, avoid clicking unsolicited links sent to you via email and IM. I probably can't convince you not to click on links from your friends (or ones that seem like they come from your friends), but at least remain wary of them, and look at the URL for the link before clicking it. I would also be careful around shortened links, and leverage tools to expand and preview these links before following them. Here's a quick tip: if you add a “+” character to the end of a bit.ly link, you will see a preview of the actual URL before visiting it.

• Use antivirus (AV) and intrusion prevention (IPS) – While vigilance and good practices can help you avoid many attacks, no one is perfect. There will be a day that even the best of us stumble on DbD attack sites. IPS systems can frequently detect the network exploits these attacks leverage, and AV systems can often recognise the malicious payloads they try to silently download. Use AV and IPS systems, and keep them up to date. By the way, Unified Threat Management (UTM) solutions and Next Generation Firewalls (NGFW) can make these security systems easy to manage for business.

• Use reputation-based web-filtering solutions – The malicious sites that serve DbD attacks change quite frequently, as do the legitimate sites that have been hijacked. Security organisations and vendors, like WatchGuard, use many automated techniques to keep track of the latest malware-distributing sites, and offer reputation services that can keep you and your users away from them. You should consider using web-filtering solutions to help you avoid dangerous sites on the Internet.

Black hats have become extremely sneaky and sophisticated in their cyber attacks. Drive-by downloads have become the silent but deadly, de facto attack that criminals have chosen to deliver most of their malware, and watering hole attacks make finding victims child's play. However, with a little vigilance and knowledge, anyone can avoid this web-based infection vector. Diligently apply the cyber tradecraft you learned and you'll survive most DbD malware encounters unscathed.

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek and Slashdot. Corey enjoys “modding” any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.
Corey Nachreiner, Director of Security Strategy.
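A defender's check for the watering hole scenario described in the drive-by download article above, as an added example that is not WatchGuard's code: fingerprint the script, iframe and meta-refresh origins of a page when it is known-good, then diff a later copy against that baseline so that an injected script tag, a hidden frame or a new inline script shows up as a change a site owner can investigate. The two HTML documents and the hostnames news.example and attacker.example are constructed for the example.

```python
"""Content-integrity diff for a site's front page: report script, iframe and
meta-refresh origins (and inline scripts) that were not in the known-good
baseline. Added example, not WatchGuard's code; the HTML and hostnames
below are constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

PAGE_HOST = "news.example"   # constructed host of the page being monitored


def _origin(url, page_host=PAGE_HOST):
    """Reduce a URL to its host; relative URLs belong to the page itself."""
    host = urlsplit(url).netloc
    return host.lower() if host else page_host


class _Collector(HTMLParser):
    """Collect external origins and SHA-256 hashes of inline scripts."""

    def __init__(self):
        super().__init__()
        self.origins = set()
        self.inline = set()
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.origins.add(_origin(a["src"]))
            else:
                self._in_script = True
                self._buf = []
        elif tag == "iframe" and a.get("src"):
            self.origins.add(_origin(a["src"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            content = a.get("content") or ""
            if "url=" in content.lower():
                target = content.split("=", 1)[1].strip()
                self.origins.add(_origin(target))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            code = "".join(self._buf).strip()
            if code:
                self.inline.add(hashlib.sha256(code.encode()).hexdigest())


def fingerprint(html):
    c = _Collector()
    c.feed(html)
    c.close()
    return {"origins": c.origins, "inline": c.inline}


def diff(baseline_html, current_html):
    """What the current copy loads that the known-good baseline did not."""
    base = fingerprint(baseline_html)
    cur = fingerprint(current_html)
    return {
        "new_origins": sorted(cur["origins"] - base["origins"]),
        "new_inline_scripts": len(cur["inline"] - base["inline"]),
    }


# Constructed baseline snapshot of a legitimate site's front page.
BASELINE = """<html><head>
<script src="/js/site.js"></script>
<script>var page = "home";</script>
</head><body><p>Welcome</p></body></html>"""

# Constructed tampered copy: an extra external script tag and a 1x1 iframe
# were inserted into the otherwise unchanged page.
TAMPERED = BASELINE.replace(
    "</head>",
    '<script src="http://attacker.example/x.js"></script>'
    '<iframe src="http://attacker.example/frame" width="1" height="1"></iframe></head>',
)

if __name__ == "__main__":
    print(diff(BASELINE, TAMPERED))
```

Run on a schedule against the live page, the check turns the "any site you trust may have been hijacked" warning into something observable: an unchanged page diffs to nothing, while the tampered copy reports `attacker.example` as a new origin. Hashing inline scripts rather than storing them keeps the baseline small and still catches code injected without an external `src`.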
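The “look at the URL before clicking it” and bit.ly “+” preview tips from the tradecraft list above, as an added example that is not WatchGuard's code: a Python checker that recognises a shortened link, builds its preview URL, and follows the redirect chain to the final destination with a hop limit and loop detection. The shortener list is an assumption, and the redirect table stands in for real HTTP 301/302 responses so the example runs offline; every hostname in it is constructed.

```python
"""Preview where a link really goes before anyone clicks it.

Added example, not WatchGuard's code. Network access is abstracted behind a
`resolve` callable (next Location header or None) so the example runs
offline; the redirect table, shortener list and hostnames are constructed.
"""
from urllib.parse import urlsplit

# Hosts treated as link shorteners (assumption; not a complete list).
SHORTENERS = {"bit.ly", "j.mp", "t.co", "goo.gl", "tinyurl.com", "ow.ly"}

# Constructed redirect table standing in for HTTP 301/302 responses.
FAKE_REDIRECTS = {
    "http://bit.ly/abc123": "http://tinyurl.com/xyz",
    "http://tinyurl.com/xyz": "http://cdn.example/landing",
    "http://cdn.example/landing": "http://download.example/setup.exe",
    "http://bit.ly/loop1": "http://bit.ly/loop2",
    "http://bit.ly/loop2": "http://bit.ly/loop1",
}


def host_of(url):
    return urlsplit(url).netloc.lower()


def is_shortened(url):
    return host_of(url) in SHORTENERS


def preview_url(url):
    """bit.ly (and its j.mp alias) show a preview page for <link>+ ."""
    if host_of(url) in {"bit.ly", "j.mp"}:
        return url + "+"
    return None


def expand(url, resolve=FAKE_REDIRECTS.get, max_hops=5):
    """Follow redirects without fetching content. Returns (chain, verdict);
    resolve(url) gives the next Location or None when not a redirect."""
    chain = [url]
    for _ in range(max_hops):
        nxt = resolve(chain[-1])
        if nxt is None:
            return chain, "ok"
        if nxt in chain:
            return chain, "redirect-loop"
        chain.append(nxt)
    return chain, "too-many-hops"


def assess(url, resolve=FAKE_REDIRECTS.get):
    """Summary a user or a mail gateway can act on before following the link."""
    chain, verdict = expand(url, resolve)
    final = chain[-1]
    hosts = [host_of(u) for u in chain]
    warnings = []
    if is_shortened(url):
        warnings.append("shortened link; preview it first")
    if sum(h in SHORTENERS for h in hosts) > 1:
        warnings.append("chained shorteners hide the destination")
    if final.lower().endswith((".exe", ".scr", ".jar", ".zip")):
        warnings.append("final target is a downloadable executable/archive")
    if verdict != "ok":
        warnings.append(verdict)
    return {
        "final": final,
        "hops": len(chain) - 1,
        "preview": preview_url(url),
        "warnings": warnings,
    }


if __name__ == "__main__":
    for link in ("http://bit.ly/abc123", "http://bit.ly/loop1", "http://news.example/story"):
        print(link, assess(link))
```

The checker follows the same rule the article gives a human reader: resolve the link, then look at where it ends up. Swapping `resolve` for a function that issues HEAD requests and returns the `Location` header turns it into a live tool; the hop limit and loop check are what stop a malicious shortener chain from keeping the resolver busy forever.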
www.wickhill.com | 01483 227 600 | [email protected] | For more information visit: wickhill.com/whg/wg1a | @wickhill | wickhill.com/linkedin

Kaspersky Lab Reveals Main Sources of Stolen Banking Information
By Kaspersky Lab

According to a Kaspersky Lab survey of IT professionals worldwide, 48 per cent of e-commerce/online retail businesses and 41 per cent of financial services organisations have reported losing some type of finance-related information to cybercriminal activities within a 12 month period. Kaspersky Lab’s survey also surprisingly found that the e-commerce/online retailer business segment is the least likely to deploy and update specialised anti-fraud measures to protect financial transactions.

The e-commerce/online retail and financial services business sectors both depend on their ability to receive, process and store sensitive financial information from customers. Through a combination of targeted attacks, application vulnerabilities and other forms of cyberattacks, almost half of businesses in both sectors will lose some of this information over the course of a year. Such a loss can not only damage the reputations of these businesses, which are highly dependent on trust, but can also trigger costly legal penalties, removal and clean-up costs. But while these two segments share these similarities, their attitudes towards security technology are markedly different.

Only 53 per cent of the e-commerce/online retail segment indicated that they “make every effort to keep anti-fraud measures up to date,” which is ten per cent lower than the overall global average, and the lowest overall of any business segment. Since the entire business model of online merchants is based on online and electronic payment processing, this reluctance to invest in anti-fraud measures seems highly counter-intuitive.

The financial services segment takes a more positive and proactive approach towards securing their financial data. When asked if they “make every effort to keep anti-fraud measures up to date,” 64 per cent of financial services providers agreed, a response rate tied for highest across all segments. This enthusiastic response is the complete opposite of the attitudes in the e-commerce/online retail segment. Additionally, 52 per cent of the financial services segment reported a desire to implement new technologies to protect financial transactions, compared to 46 per cent of the e-commerce/online retail segment.

Reduce the risks

Kaspersky Endpoint Security for Business helps protect a business network from an onslaught of malware, phishing, and other cyberthreats. Financial institutions need advanced endpoint security across their entire network, including mobile devices and virtual machines as well as PCs. Kaspersky Endpoint Security for Business can bring protection for all these endpoints to a single administrator console, giving IT managers superior visibility and policy control over the security of their network.

Kaspersky Fraud Prevention unites a number of technologies to monitor the “back-end” processing of banks for malicious activity, ensures the protection of customer endpoints, including their mobile devices, and provides an SDK for reinforcing the security of mobile banking applications. This fraud protection platform also uses Kaspersky Lab’s threat intelligence services to increase bank employees’ levels of cyber threat knowledge and bolster the effectiveness of technologies used to protect financial data.

For more information visit: wickhill.com/whg/kl4a

Network Access Control Made Easy
Why IT Security without NAC fails

NAC is a constant issue for businesses

Since the introduction of network sockets, the control and support for Network Access Control (NAC) has been an ongoing issue within every company.
In this day and age of WLAN and the rapidly expanding acceptance of mobile devices within an enterprise, NAC has returned and is again a major focus. However, it is a fact that very few companies know exactly who or what devices are accessing their network – and how they can be effectively protected. For some considerable time, there have been many reasons why a suitable solution has not been introduced: comprehensive care, significant project costs, substantial costs associated with modifying the infrastructure, or the highly complex nature of a solution.

“Network Access Control (NAC) reloaded” is an update to the first and only professional audio book on the subject of NAC. The content of this essential guide is provided in a direct style, giving audio descriptions of the available technologies and the solution strategies by providing comprehensive examples.

Christian Bücker, CEO of macmon secure GmbH, says: “Guides for reading are a dime a dozen. But this guide does not just inform – it also entertains and engages – and we feel that we have come up with something special. With this guide, the audience is privy to appropriate strategies and approaches on how to avoid network threats. It is a particularly convenient way for persons interested in IT to learn everything worth knowing about this important topic in a simple and pleasant way. The audio provides information in a formal but friendly way, which can be taken virtually anywhere – whether at home, in the car or on an airplane.”

In the audio book you will learn:

• What exactly NAC (Network Access Control) is.
• Why IT Security without NAC fails.
• Which NAC technologies are currently available on the market.
• What added value NAC delivers, in addition to standard security gains.
• Why every company should consider a reliable NAC solution.
• Detailed descriptions of NAC for:
  - Microsoft Active Directory (AD)
  - Lightweight Directory Access Protocol (LDAP)
  - Bring Your Own Device (BYOD)
  - Guest management
• Automated Compliance Enforcement.
• Added values such as interactive displays, graphical reporting and statistics/reporting tools.
• How to integrate NAC simply, effectively and successfully.

A NAC solution provides a real-time view of all of the devices on your network – and also ensures that those devices are automatically connected to the areas provided for them on that network. Your network guests can quickly and easily “plug in” and simply use the services intended solely for their use. Employees’ own devices can easily and securely be integrated into the corporate network. For any unknown or non-secure devices, network access is denied, avoiding data and economic espionage. When used to secure a corporate network, NAC must accommodate new device additions and be adaptable for new solutions and demands. Each of these aspects is amply provided through the flexibility built into the macmon NAC solution.

For more information visit: wickhill.com/whg/mm1a

Security from Obscurity
Corey Nachreiner, Director of Security Strategy and Research at WatchGuard Technologies, explains why it’s time to re-evaluate the idea of ‘security by obscurity’

I am sure many of us think that hiding our house keys under a plant pot or fake rock will do a good job of stopping people breaking into our house. After all, how many burglars are likely to find a key if it is well hidden from sight? The only problem is that if the key is discovered by a diligent intruder, or simply by accident, your entire house security falls apart. Maybe that is why most information security professionals deride the idea of ‘security by obscurity’ when it comes to protecting critical systems and data.
Security by obscurity simply refers to relying on an aspect of secrecy to protect your systems, rather than on secure design. And certainly, when I started my formal infosec training, security by obscurity was considered no security at all. This dismissal of security by obscurity in our industry probably originates from an old cryptographer’s axiom called Kerckhoffs’s principle, which proposes that a cryptosystem should remain secure even if the attacker knows exactly how the system works – assuming, of course, that the attacker doesn’t have the key to the system.

There’s no doubt that this axiom holds true; the best security systems are ones that attackers fully understand, but still can’t break without the proper keys or credentials. For instance, bank robbers may understand how a vault door works, but they can’t open it without a disproportionate amount of time, tools and effort – or having the actual combination to the vault. So, it’s realistic to believe that most of your defences should rely on securely engineered systems and not on obscurity.

However, that doesn’t mean there is not some value in the concept. Combined with proven security controls, obscurity can offer valuable additional protection, creating a worthy layer in a defence-in-depth strategy and posing significant speed bumps to an attack, causing hackers to move on to softer targets. It’s like a bear chasing a group of people: you don’t have to run faster than the bear to survive, only faster than the slowest member. A little obscurity might just give you the edge to stay ahead of your peers’ defences.

So let’s talk concrete examples. Here are three practices many consider security by obscurity that could supplement your defences:

Changing a server’s default port. Internet and network services tend to run on common, default ports. For instance, SSH is port 22, Telnet is 23, RDP is 3389 and so on. However, there is nothing stopping you from changing these default ports.
If you want your SSH server to listen on port 7624, it can, and this simple change will make it harder to find by automated network scans. Smart, persistent attackers targeting your network can still use full-range port scans and fingerprinting techniques to find your SSH server. However, a huge percentage of the malicious port scans on the Internet target common server ports. So this simple obfuscation can help.

Server header masquerading. Unfortunately, servers are a little too friendly, often fully identifying themselves in their reply headers. For instance, a Web server reply contains a Server: header, where it identifies what software and version it’s running. Here’s an example:

Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g

That header is gold to an attacker, who now knows exactly what software your server runs, including any additional packages. If any of that software is unpatched, the attacker might have his or her way in. But you can change this. Many servers have configuration options that allow you to share less information about the server version. There are also network security tools that completely masquerade these server headers. A security stickler will argue that if you keep your servers patched and hardened, it won’t matter if an attacker knows what software they run. I say, patch and harden your servers, but go ahead and masquerade their headers too, making them a bit harder to enumerate.

Use non-standard naming conventions. Operating systems and servers often have default users and groups. Why not rename them? Rename the default ‘administrator’ username to ‘neo’, or whatever comes to mind. A smart attacker may still be able to discover how you renamed all the default users and groups, but any attack tools or scripts that rely on default installs will fail to operate.

These are just three examples of worthwhile obscurity measures, but I could go on.
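As an added illustration that is not part of the article, here is a small Python audit routine that takes a Server header such as the one above and reports how many product versions and platform hints it discloses, so an administrator can confirm that header masking actually took effect. The token parsing is a simplified assumption (product/version pairs plus parenthesised comments), not a full RFC parser.

```python
import re

# Added example (not from the article): audit a Server: header for the
# version information it discloses. A masked header such as "Server: Apache"
# (what Apache's ServerTokens Prod setting produces) should report no versions.

# Assumed token shape: "Name/version" or a bare "Name"; "(Ubuntu)"-style
# comments are treated as platform hints rather than products.
TOKEN_RE = re.compile(r'([A-Za-z0-9_.+-]+)(?:/([^\s()]+))?')


def parse_server_header(value):
    """Split a Server header value into (product, version-or-None) pairs,
    plus the list of parenthesised comments found in it."""
    comments = re.findall(r'\(([^)]*)\)', value)
    stripped = re.sub(r'\([^)]*\)', ' ', value)
    products = []
    for m in TOKEN_RE.finditer(stripped):
        name, version = m.group(1), m.group(2)
        if name.lower() == 'with':  # "with Suhosin-Patch" is a joiner, not a product
            continue
        products.append((name, version))
    return products, comments


def disclosure_report(header_line):
    """Describe what a raw header line (e.g. "Server: Apache/2.2.8 (Ubuntu)")
    gives away: products, platform hints, and a one-word verdict."""
    name, _, value = header_line.partition(':')
    if name.strip().lower() != 'server':
        raise ValueError('not a Server header')
    products, comments = parse_server_header(value.strip())
    versioned = [p for p in products if p[1] is not None]
    if versioned:
        verdict = 'leaks versions'
    elif products:
        verdict = 'names software'
    else:
        verdict = 'masked'
    return {
        'products': products,
        'platform_hints': comments,
        'versions_disclosed': len(versioned),
        'verdict': verdict,
    }


if __name__ == '__main__':
    # The header quoted in the article, and a masked one for comparison.
    for line in ('Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 '
                 'with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g',
                 'Server: Apache'):
        print(line, '->', disclosure_report(line)['verdict'])
```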
By itself, security through obscurity is not to be relied on. However, obscurity can further bolster your defences when added as a complementary layer to true security controls. The fake rock with the key under it only offers the illusion of defence, since the burglar can enter by the front door if he finds your key. But imagine the same fake rock with a combination lock. Though the lock is the only true security control, coupling the lock with the hidden rock presents a far stronger security solution. So, the lesson to learn is that not everything is what it seems at face value. In this fight against cyber criminals and hackers, we need to take a fresh look at all the options.

For more information visit: wickhill.com/whg/wg2a

IS YOUR VIRTUAL NETWORK SECURE?
By David Phillips, Kaspersky Lab Product Manager, Wick Hill

You’ve moved to virtualisation and everything is up and running. You have probably virtualised all your servers, so that your business-critical databases, CRM systems, ERP applications and email all reside in a virtual environment. You’ve started to experience the operational, performance and cost gains you’d hoped for, but there may be something critical you have overlooked. Have you thought about security?

There are a lot of misconceptions about security in a virtual environment and one of the most common is that a virtual environment is more secure than a physical one. It would be nice, but, unfortunately, it just isn’t true. Malware attacks don’t discriminate. Have no doubts – you’re just as much at risk with a virtual device as a physical one. Other reactions to the question of security in a virtualised environment include “Security is not my responsibility” or “Yes, I have considered this and we have implemented the same security as we had in our physical environment.” Sad to say, cybercriminals pay little regard to the environment. They are just looking for the easiest way in!

Being virtual won’t protect you. There are even Trojan attacks designed specifically to attack virtual machines. Another mistaken idea is that malware cannot survive the decommissioning of non-persistent virtual machines (VMs). Unfortunately, also not true. Some malware can jump from VM to VM and from host to host. The volume of malware is constantly growing, adapting and redefining itself so it can do the most damage, leaving both physical and virtual environments at risk.

There are three options for securing your virtual infrastructure – excluding, of course, the fourth option of having no security at all!

1. Traditional ‘agent-based’ security

This can provide you with a good solution, although there are some significant disadvantages. Your reasons for moving to a virtual environment probably included cost savings and optimisation. If you install software which isn’t optimised for a virtual estate, you are loading a separate copy of anti-malware software and signature updates on every endpoint. This duplication is massively wasteful in a VM environment. On top of this you have the resource nightmare of potential ‘AV storms’: all your VMs updating at the same time slows everything down and can even bring your environment to a complete halt. You can also leave your systems vulnerable through what’s known as an ‘Instant On Gap’, the window of time after a VM spins up but before the agent on that VM downloads the latest security updates. For virtual systems, optimum consolidation ratios (the greatest possible density of VMs for your money) are the main goal. Traditional protection is inefficient in virtual environments, taking up resources which could be used to add more VMs. However, at least with this approach you are protected and have not left your systems vulnerable to attack.

2. ‘Agentless’ security

This is specifically designed to optimise security in a virtual infrastructure. The security software is loaded onto its own secure virtual machine and no agent resides on the other VMs in the estate. This allows them to run smoothly with no duplication or redundancies, helping to make the most of your investment. It also means you can get the security up and running very quickly, and there is no need for time-consuming reboots. This approach is at the other end of the spectrum to the ‘agent-based’ approach, addressing most, if not all, of the downsides. However, there are a few drawbacks. Firstly, you are relying on your security vendor integrating with the virtualisation vendor. This means that the range of advanced features such as application control, device control and web control may not be available to you. Also, some virtualisation vendors don’t have the technology built in to enable this approach. You are moving back to pure antivirus/anti-malware protection, with none of the enhanced options endpoint security gives you.

So if ‘agent-based’ is at one end of the spectrum and ‘agentless’ is at the other, is there another option that gives you the best of both worlds? The answer is yes – with ‘light-agent’ security.

3. ‘Light-agent’ security

In this architecture, the security software is still loaded onto a secure virtual machine, but an additional lightweight agent is installed on each VM. This unlocks the potential for deeper, multi-layered protection, including features such as web, device and application policy enforcement. Now you have achieved most of the benefits of the ‘agent-based’ and ‘agentless’ approaches, giving you the flexibility to set up the most appropriate security posture for your environment.

However, you might be wondering how you are supposed to manage all of this, and your workstations, laptops and mobile devices. You are managing enough different consoles at the moment. You want to keep things as simple and straightforward as possible, because complexity is the enemy of security. It is possible to manage all types of endpoints from one single console, and there are security vendors providing this type of solution: one which allows you to effectively manage your security policies and close any gaps that would exist when using multiple products and management consoles. However, be aware that not all ‘single’ consoles are identical. Some provide a portal into multiple other consoles (with different interfaces).

Conclusion

Kaspersky Lab has a platform that supports all of these options. Kaspersky Endpoint Security for Business is ‘agent-based’ and offers a full range of endpoint security features including application, web and device control; mobile security and mobile device management; encryption; systems management; and, of course, award-winning, multi-layered anti-malware technology. This can be installed on a wide range of virtual platforms. Kaspersky also has Kaspersky Security for Virtualization, if you decide to go for the ‘agentless’ or ‘light-agent’ approach. Whatever you choose, you can still manage everything through one single console, because the Kaspersky Security Center gives you the flexibility to have a mixed physical and virtual environment, all managed from one place.

There are other solutions out there that provide many of the above benefits. However, with the continuing rapid changes in the threat landscape, one thing is certain – doing nothing is no longer a viable option.

For more information visit: wickhill.com/whg/wh4a

A CRITICAL VULNERABILITY IN THE MEDIAWIKI WEB PLATFORM
By Ian Porteous, SE Manager at Check Point Software Technologies UK

When a web platform is widely adopted, any vulnerability in the code is amplified across the internet. So when an update to the MediaWiki platform – the simple, distinctive database used by Wikipedia and similar websites – appeared to have introduced a dangerous Achilles heel, the effects could have been serious.
The Check Point vulnerability research team found a flaw in the MediaWiki code that would have allowed an attacker to perform remote code execution, or RCE. This in turn would have given them access to the system, enabling vandals or criminals to alter files and settings and potentially gain complete control. The vulnerability, assigned CVE-2014-1610 by the MITRE organisation, appeared to have stemmed from the 1.8 update. All systems running MediaWiki version 1.8 and onwards are affected by it. A specific non-default setting must be activated before the vulnerability presents itself on a system. Security experts remain unsure how many MediaWiki deployments have been affected, but the impact was confirmed to have hit some of the largest – including Wikipedia itself.

Patching the hole

Check Point notified the Wikimedia Foundation – the organisation that developed MediaWiki and that runs Wikipedia, Wiktionary, Wikimedia Commons and more – as soon as this potential hazard was discovered. Once the organisation had verified the threat, it developed a software update to patch the hole and had deployed it on its own servers within 45 minutes. The fix itself is described on Wikimedia’s bug report system as “trivial”.

On the same ‘immediate critical’ thread in the bug report system, developer and security expert Chris Steipp states that: “Shell meta characters can be passed in the page parameter to the thumb.php”, which would allow anyone to execute shell code on that particular server. He describes the threat as “very serious”.

“It only takes a single vulnerability on a widely adopted platform for a hacker to infiltrate and wreak widespread damage,” said Dorit Dor, vice president of products at Check Point Software Technologies. “The Check Point Vulnerability Research Group focuses on finding these security gaps and deploying the necessary real-time protections to secure the Internet.
We’re pleased that the MediaWiki platform is now protected against attacks on this vulnerability, which would have posed a great security risk for millions of daily ‘wiki’ site users.”

Hackers being able to compromise and infect an application as widespread as MediaWiki could be disastrous for the hundreds of thousands of installations deployed worldwide – and for their millions of daily users. Only two similar vulnerabilities have been discovered in the MediaWiki web platform since 2006, so this revelation will be of significance to both the internet security industry and the hacker community.

A giant target

The MediaWiki web platform is an extremely popular, widely used, open-source collaborative database system that allows for very straightforward indexing and linking between pages. In addition, it enables users to easily create, delete, modify and edit content without using code. The most famous MediaWiki web platform application is Wikipedia, the sixth most visited website in the world. With 2 million sites linking to it and monthly traffic of approximately 94 million unique visitors, an attack would be disruptive and very high profile. As such, it would be a prized target for hackers, criminals or vandals.

But tens of thousands of additional websites, ranging from collaborative health encyclopaedias to popular online resources such as WikiLeaks, also use the MediaWiki software and were therefore vulnerable to this type of attack. The same is true of some internal sites and databases that also run the MediaWiki platform. It is hoped that large sites will quickly patch their installation of MediaWiki, but many of the smaller sites run by amateurs may not be organised or run in accordance with best practice, and could remain unpatched if their administrators do not follow guidance on the subject.
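As an added example that is not part of Check Point’s or Wikimedia’s material: a detection routine that scans web-server access logs for requests to thumb.php whose page parameter carries shell metacharacters, the condition Chris Steipp describes above. A hit is a trigger to review the host and confirm it is patched, not evidence of compromise; the log lines, the /w/ script path and the accompanying f and width parameters are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Added example (not Check Point's or Wikimedia's code): flag access-log
# entries for MediaWiki's thumb.php where the "page" parameter contains
# shell metacharacters, the condition described for CVE-2014-1610.

SHELL_META = set(';|&`$<>(){}\n')

# Combined-log-format line: client, ident, user, [time], "request", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def suspicious_thumb_request(request_path):
    """Return the decoded page value if request_path targets thumb.php and its
    page parameter contains a shell metacharacter; otherwise return None."""
    parts = urlsplit(request_path)
    if not parts.path.endswith('/thumb.php'):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get('page', []):
        decoded = unquote(value)  # parse_qs decoded once; catch double-encoding too
        if any(c in SHELL_META for c in decoded):
            return decoded
    return None


def scan_access_log(lines):
    """Yield (client_ip, timestamp, status, page_value) for suspicious requests."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable combined-format line
        client, ts, _method, path, status = m.groups()
        hit = suspicious_thumb_request(path)
        if hit is not None:
            yield (client, ts, int(status), hit)


# Constructed sample log lines (not real traffic); the first two are benign.
SAMPLE_LOG = [
    '198.51.100.7 - - [30/Jan/2014:10:00:01 +0000] '
    '"GET /w/thumb.php?f=Example.djvu&page=1&width=120 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [30/Jan/2014:10:00:02 +0000] '
    '"GET /w/index.php?title=Main_Page HTTP/1.1" 200 20480',
    '203.0.113.9 - - [30/Jan/2014:10:00:03 +0000] '
    '"GET /w/thumb.php?f=Example.djvu&page=1%7Cx&width=120 HTTP/1.1" 500 0',
]


def find_hits(lines=SAMPLE_LOG):
    """Convenience wrapper returning the list of suspicious entries."""
    return list(scan_access_log(lines))


if __name__ == '__main__':
    for client, ts, status, page in find_hits():
        print(f'{client} {ts} status={status} page={page!r}')
```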
In addition to the patch, Check Point has delivered updated protections via ThreatCloud, a collaborative knowledge base that distributes dynamic intelligence to security gateways in real time. The fact that the patch has been released, wider protections are in place, and that there have been no known instances of the vulnerability being exploited, does not mean that the threat has gone away. Criminals may attempt to exploit this hole on any MediaWiki applications that have not yet been patched. Anybody currently running MediaWiki for any purpose, internal or web-facing, should patch their installation as soon as possible and follow any further guidance from the Wikimedia Foundation. There is also the possibility that malicious software could be spread to users’ computers, making it imperative that all users of the MediaWiki platform use the security patch.

For more information visit: wickhill.com/whg/cp4a

People Are The New Perimeter
Martin Lethbridge, a senior security consultant at WatchGuard Technologies, looks at the changing nature of the network perimeter and how to secure it

The traditional idea of the network perimeter and how to defend it is changing. The fact is that people are the new perimeter. More often than ever before, they are working offsite, and a recent global WatchGuard survey of IT professionals showed that 75% of high-value employees work from home at least one day a week. And the higher-level the executive, the more likely he or she is to be working with the most valuable company intellectual property and sensitive information on their home devices or in their email files. The problem is that these executives in their Small Office Home Office (SOHO) environments present a weak link in an organisation’s security.

“It’s no secret that attackers go for the weakest link when trying to get into a corporate network and this is often a home office or small office user.
Yet, many organisations continue to rely on little or no security,” said Mike Jude, senior analyst at Frost & Sullivan.

Researchers at the security firm Team Cymru recently underlined this threat when they traced a campaign that successfully compromised 300,000 SOHO routers – mainly in Europe and Asia – using man-in-the-middle attacks, to two UK IP addresses. This type of compromise has the potential to redirect connected end users to malicious websites that steal banking passwords or push booby-trapped software. The campaign comes just weeks after researchers from several unrelated organisations uncovered separate ongoing mass hacks of other routers.

The WatchGuard study found that 56 percent of IT professionals believe basic VPN access provides the necessary protection against today’s SOHO threat landscape. But while VPN access has long been the standard for protecting communications for home-based employees, if your endpoint device is not protected at the same level as your enterprise network, the VPN tunnel simply provides an open window into your business. A VPN may establish a secure connection between a home user and an enterprise, but it can’t deal with threats, infections or malware which may already exist on the end users’ laptops or PCs, leaving data vulnerable to theft and compromise.

According to the survey, more than 82 percent of companies allow employees to access the corporate network from a small office or home office location, but nearly 30 percent do not require a gateway security device. For those that do, only 23 percent require users to use security products similar to those used in the corporate headquarters, with features such as intrusion prevention, anti-virus, data loss prevention, application control, anti-spam and more. So, it’s clear that it is time to ‘beef up’ SOHO security in this new distributed enterprise where people are the new boundaries.
New gateway security is needed to provide defence in depth for employees working from a remote location, with layers of security to safeguard an organisation’s IP, data and confidential records. With a new generation of low-cost SOHO Unified Threat Management (UTM) platforms, enterprises can now extend powerful network security to small office home office (SOHO) environments. The ability to leverage the power of a UTM solution in remote locations and manage them from a single, central console gives IT a powerful tool for administering and enforcing policy. With new real-time security visibility tools, IT administrators can also get ‘big-data’-style views of key threats and top site usage across an entire user base, giving them a clear understanding of what’s happening across their national or international distributed network. And with a full UTM suite on site, SOHO users will not experience the latency normally caused by backhauling traffic through the corporate servers to ensure protection.

There is no turning back to the simpler days of protecting a fixed network perimeter. IT professionals need to realise where the threats exist and take the right measures to protect all points of weakness, wherever they are.

For more information visit: wickhill.com/whg/wg4a

360° APP SECURITY
By Jan Valcke, President & COO at VASCO Data Security

The mobile revolution is inexorable. Mobile devices such as smart phones, netbooks and tablets proliferate in today’s personal and professional environment. In order to adapt to the fast-paced virtualization and mobilization trend, organizations worldwide will have to make their applications, data and corporate information accessible from any portable device for customers, suppliers and employees. Protecting access to applications such as m-commerce or m-banking services, or access to corporate networks, becomes essential. However, any security system is only as effective as its weakest link.
Consumers and employees often use the same passwords for a multitude of professional and personal applications. By reusing the same password over and over again, they put every application containing confidential information – although unwillingly and perhaps unknowingly – at risk. Furthermore, mobile devices are often not passwordenabled and lack the ability to authenticate users and control access to data stored on the devices. component of an application poses a potential security risk. Nowadays, software development kits are available that will provide comprehensive modules, giving you all the necessary building blocks to customize your security at entry level. WEARABLE TECH; JUST HOW SECURE IS IT? By Kaspersky Lab Smartwatches and miniature electronic devices like Google Glass are part of the continued development of electronics that no longer just sits in your pocket, but also represents a change in the way we engage with our technology. This new class of personal devices, that allow access to the Web and applications with even greater convenience than smartphones and tablets. However, this plethora of new devices also brings several new security risks that their owners will have to address. There are two ways to surf the Web from Google Glass: through Bluetooth pairing with a mobile device that shares its data network connection, or directly through Wi-Fi. The latter gives the user more freedom since it doesn’t require a separate mobile device in order to get to the Web. However, according to Roberto Martinez, researcher at Kaspersky Lab, this functionality also means that the Glass is exposed to network vector attacks, particularly MiTM when a communication between two systems can be intercepted. This was discovered in an experiment conducted by Kaspersky Lab researchers: they attached the device to a monitored network and checked the data it transmitted. 
The results of the captured data analysis showed that not all the traffic exchanged between the device and the hot spot was encrypted. In particular, it was possible to find out that the attacked user was looking for airlines, hotels and tourist destinations. In other words, it was possible to perform a profiling task, a simple form of surveillance.

“We admit that it is not a very damaging vulnerability, but even so, profiling via meta data from Web traffic exchange could become the first step of a more complex attack against the device’s owner,” said Roberto Martinez, who performed the investigation.

When the Samsung Galaxy Gear 2 was examined by Kaspersky Lab researcher Juan Andres Guerrero, he discovered the device is deliberately designed to make a loud noise and warn people nearby if it is being used to take a photo. A deeper look into the software of Galaxy Gear 2 revealed that after rooting the device and using Samsung’s publicly available proprietary software tool ODIN, it is possible to enable Galaxy Gear 2 to take pictures with its embedded camera silently. This obviously opens the door to possible scenarios in which Galaxy Gear 2 could violate other people’s privacy.

Silencing the camera is not the only way to turn the smartwatch into a spying tool. Dedicated apps for Galaxy Gear 2 are loaded onto the device with the help of Gear Manager, a special app by Samsung designed to transmit an app from the smartphone to the smartwatch. As Juan discovered, when an app is installed on the smartwatch’s operating system there is no notification shown on the watch display. This obviously makes targeted attacks involving silent app installation possible.

“At this time there is no evidence to suggest that wearables are currently being targeted by professional APT actors,” commented Juan Andres Guerrero. “However there is a twofold appeal presented by wearables that make them a likely future target if they are widely adopted by consumers. In future the data collected by wearable devices is going to attract new players to the cyber-espionage scene.”

For more information visit: wickhill.com/whg/kl3a

Secure storage, secure channel, secure environment
Additionally, these solutions also offer features to secure the environment in which the application resides, such as jailbreak and rootkit detection and geolocation. Secure storage is also provided, as well as a secure channel to ensure end-to-end encryption of business-critical data where relying on mainstream technologies like HTTPS may not be enough. It is not enough to secure the perimeter: solutions need to ensure files are secure while they are being worked on. The mobile ecosystem is a rapidly growing platform for delivering a wide variety of services, and software development kits can bring 360° security.

Strong authentication
Application security must be addressed across different components and at multiple layers. Each

www.wickhill.com | 01483 227 600 | [email protected] | For more information visit: wickhill.com/whg/v2a @wickhill l wickhill.com/linkedin

GETTING DEEPER INTO NETWORK TRAFFIC
Corey Nachreiner, CISSP and Director of Security Research, WatchGuard

First impressions only tell us so much. A book cover, for example, may give you some idea of what to expect — but you won’t really know what it’s all about until you read it. But in the world of traditional network security, many solutions treat network traffic a bit like people who judge books by their cover. These legacy appliances look at just enough of the network traffic to make educated guesses about its risk, but they lack sufficient context to make robust security decisions.

To get enough security intelligence to protect against today’s sophisticated threat landscape, you have to dig deeper. You have to go to Layer-7.

Layer-7 is the application layer of the Open Systems Interconnection (OSI) model, which characterises network communications in seven abstract layers. Most traditional network security appliances, like stateful firewalls, only pay attention to the first three or four OSI layers. The network Layer-3 tells you about the IP addresses and ports associated with a particular communication, while the transport Layer-4 provides information about the state of connections. But the information found in these first four layers only gives you basic knowledge about network traffic. It tells you the sending and receiving IP addresses and the network port the traffic uses, but this is barely enough to decide whether to block or allow it. And it is what it allows that causes the problem.

Today, changes in the threat landscape and IT environment have significantly lessened the protection four-layer inspection offers. Attackers and software developers have realised that everyone allows certain business-critical protocols — things like Web, DNS and email. And as a result, new attacks and business tools exploit these protocols to ensure communications can get through. For example, the rise of Web 2.0 has resulted in thousands of network applications communicating using standard web ports: port 80 (HTTP) and 443 (HTTPS). To a traditional four-layer security appliance, Facebook, Salesforce, Dropbox, Skype and BitTorrent all look the same.
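To make the Layer-4 versus Layer-7 difference concrete, here is an added example (written for this page, not WatchGuard's code or any product's engine). It builds a handful of constructed flows that all use port 80 or 443, classifies them the way a stateful firewall would (port only) and then the way an application-aware appliance would (HTTP Host header, TLS Server Name Indication, BitTorrent handshake), and applies a policy keyed on application and destination rather than port. The flow format, host names and the tiny ClientHello builder are assumptions made for the example; the SNI parser walks only the fields it needs.

```python
import re
import struct

# --- constructed sample traffic (not captured from any real network) --------

def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello carrying an SNI extension (constructed)."""
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list    # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)        # client_version + 32-byte random
            + b"\x00"                      # session_id length 0
            + b"\x00\x02\xc0\x2f"          # one cipher suite
            + b"\x01\x00"                  # one compression method (null)
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443,
     "payload": build_client_hello("www.facebook.com")},
    {"src": "10.0.0.6", "dst": "203.0.113.20", "dport": 443,
     "payload": build_client_hello("login.salesforce.com")},
    {"src": "10.0.0.7", "dst": "203.0.113.30", "dport": 80,
     "payload": b"GET /home HTTP/1.1\r\nHost: www.dropbox.com\r\n\r\n"},
    {"src": "10.0.0.8", "dst": "203.0.113.40", "dport": 443,
     "payload": b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + bytes(20)},
    {"src": "10.0.0.9", "dst": "203.0.113.50", "dport": 443,
     "payload": b"\x00\x01\x02\x03garbage"},
]

def layer4_classify(flow) -> str:
    """What a stateful (Layer-3/4) device sees: addresses and ports only."""
    return "web" if flow["dport"] in (80, 443) else "other"

def parse_sni(payload: bytes):
    """Return the SNI host name from a TLS ClientHello record, or None."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        p = 9 + 2 + 32                                       # record hdr, handshake hdr, version, random
        p += 1 + payload[p]                                  # session id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]    # cipher suites
        p += 1 + payload[p]                                  # compression methods
        end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if etype == 0:                                   # server_name extension
                q = p + 2                                    # skip server_name_list length
                nlen = struct.unpack("!H", payload[q + 1:q + 3])[0]
                if payload[q] == 0:
                    return payload[q + 3:q + 3 + nlen].decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):
        return None
    return None

def layer7_classify(flow):
    """Application-layer view: (application, destination host or None)."""
    data = flow["payload"]
    if data.startswith(b"\x13BitTorrent protocol"):
        return ("bittorrent", None)
    if re.match(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n", data):
        m = re.search(rb"\r\nHost: ([^\r\n]+)\r\n", data)
        return ("http", m.group(1).decode() if m else None)
    sni = parse_sni(data)
    if sni is not None:
        return ("tls", sni)
    return ("unknown", None)

# Policy expressed in Layer-7 terms; the port is irrelevant to the decision.
L7_POLICY = {"blocked_apps": {"bittorrent", "unknown"}, "blocked_hosts": {"www.facebook.com"}}

def decide(flow, policy=L7_POLICY) -> str:
    app, host = layer7_classify(flow)
    return "block" if app in policy["blocked_apps"] or host in policy["blocked_hosts"] else "allow"

def compare(flows=SAMPLE_FLOWS):
    """Per flow: the Layer-4 label, the Layer-7 label and the resulting decision."""
    return [(layer4_classify(f), layer7_classify(f), decide(f)) for f in flows]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

Every flow comes back as plain "web" from the Layer-4 classifier, so a port-based rule can only allow or block all five together; the Layer-7 classifier separates the SaaS login from the social-network visit, the file-sharing handshake and the unidentifiable payload on port 443.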
If you allow any web traffic through these legacy devices, your users can reach all these applications despite their differing risk and productivity profiles. From a threat perspective, if attackers know web traffic is allowed, they will exploit drive-by download flaws to infect browsers and leverage web application flaws to steal data from servers. Since Layer-4 security appliances only act as an on/off switch for traffic, if you let any web traffic through, it all gets through.

Modern security appliances analyse all seven layers of network traffic, including the application layer. By understanding the application layer, these devices offer more intelligence about communications passing through ports. For instance, they can identify the specific applications being used, what files are transferred and the users associated with the communication, and even do security scanning at an application level to tell the difference between good and malicious traffic. This extra intelligence provides the context necessary to catch modern threats and to create more business-based security policies.

Security professionals can no longer rely on first impressions and rules based simply on ports and IPs. Layer-7 inspection is the only way to provide the necessary level of intelligence to create granular policies based on users, applications and risk.

For more information visit: wickhill.com/whg/wg3a

VIRTUALISATION SECURITY MYTHS – BUSTED!
Kirill Slavin, UK General Manager, and David Emm, Senior Security Researcher, Kaspersky Lab

The requirements of today’s modern business mean that the demands on virtual infrastructure and networks are ever growing. Virtualisation is becoming an increasingly mission-critical part of IT infrastructure and a growing platform for managing customer data, financial transactions, and the applications that businesses use every minute of every day.

This reliance on the virtualised environment has moved the issue of how to secure it higher up the business agenda, with Kaspersky Lab research suggesting that for 21 per cent of enterprise-level IT managers it is one of their top three IT security priorities. It is therefore imperative that virtual environments work as planned and are secure for modern businesses to be successful.

Despite this, however, securing a virtual network is still something of a dark art, and all too often businesses apply security measures developed for physical machines, which can leave the business exposed to a whole raft of risks - from performance issues to security vulnerabilities. With this growing global focus on virtualisation in mind, and in a bid to ensure businesses stay protected whilst getting the most from their investment, we’d like to highlight a few common misconceptions about virtualisation security, to guide CIOs and their IT managers towards smarter decisions about their IT security policies.

“I don’t need additional security. The endpoint security software I use to protect my PCs, mobile devices and servers can protect my virtual environment too.”
This is a very common perception, and can be the root cause of many challenges that IT departments face while trying to secure their virtual network. Most traditional endpoint security solutions aren’t virtual-aware. So while they may provide the same protection they deliver on physical systems, they do so at the expense of performance – for example, having to download updates separately for each and every virtual machine.

“It may not be perfect, but my existing anti-malware doesn’t interfere with the operations of my virtual environment.”
It does, and performance issues can create security gaps that didn’t exist before. Traditional endpoint security uses what’s known as an agent-based model, where each physical and virtual machine gets a copy of the security program’s agent and this agent communicates with the server while performing its security tasks. This works fine for physical machines, but if you have 100 virtual machines, this means you have 100 instances of this security agent plus 100 instances of its malware signature database running on a single virtual host. This high level of duplication impacts performance, wastes storage capacity and can result in a time-lag between boot-up and protection of the virtual machines.

“Virtual environments are inherently more secure than physical environments.”
This just isn’t true. Remember, virtualisation is designed to allow software, including malware, to behave as it normally would. In the end, malware writers will target any and all weak points in a business network to accomplish their criminal goals. As virtual networks become hosts for more critical business operations, the bigger the target they’ll become. Take into consideration the data held on your virtual network; it’s just the same as it was on your physical machines. Virtual machines may be gateways to a server, or the server itself may be a virtual machine. Either way, the cybercriminals want access to the data. If an attacker compromises one virtual machine, it’s possible for them to replicate their code across all virtual machines on the same physical server, further maximising their opportunity to steal important business data.

“Using non-persistent virtual machines is an effective way to secure my network.”
In theory, this makes sense, as any machine that encounters malware is wiped away and recreated cleanly, something that happens with virtual desktop infrastructure every day. But security firms have begun seeing malware that is designed to survive the “tear-down” of individual virtual machines by spreading across a virtual network, allowing it to return when new virtual machines are created. If the policy allows new machines to be easily created on-demand, this can also result in “virtual machine sprawl”, where a virtual machine could be created and forgotten, creating the risk of unmaintained virtual endpoints operating outside your IT department’s knowledge or control. Even if the rest of your virtual machines are secure, it’s possible for one virtual machine to “eavesdrop” on the traffic to another, creating a privacy and security risk. And even a ‘non-persistent’ infection can compromise sensitive information (a login or password, for example). Not to mention the fact that most virtual machines are “persistent” servers, meaning they’re not shut down even in the event of a security threat. Recent research found that more than 65 per cent of businesses worldwide will have some form of server virtualisation within the next 12 months, and these servers need to be “on” all the time for the business to function, so the “tear-down” approach to security isn’t viable in this situation.

“If I decide to use a specialised virtual security program, they’re all more or less the same.”
Most traditional endpoint security measures take an agent-based approach, but a virtualised environment needs flexibility to ensure total protection. In many cases this will be a blend of agent-less and light-agent security, to provide advanced protection for a whole spectrum of different virtual environments - including VMware, Citrix and Microsoft. There is no one-size-fits-all solution and the right application, or combination of applications, depends entirely on what you’re trying to protect. A non-web-connected server is going to have entirely different security needs to a virtual desktop or a server that manages customer information. The agent-less model offers performance advantages by performing security tasks away from the virtual machine. This means, for example, that you only need to download antivirus updates once, for all virtual machines. But there are limits to the ability of agent-less software to perform advanced security management and network protection tasks on virtual endpoints. A light-agent solution, on the other hand, can offer the best of both worlds over existing agent-less and agent-based security models by combining centralised control with extra security features, including application controls and web usage policy enforcement, for virtualised environments.

Specialised software and expertise is required to build and maintain a virtual network. So as virtualised environments become a standard feature of the business environment, it is critical that businesses deploy appropriate solutions that allow growth but maintain security.

For more information visit: wickhill.com/whg/kl1a

FIGHTING THE WAR ON DRUGS WITH REGEX...
By Stephen Millard, Channel Manager, Tibco Loglogic

One of the universal truths is that man will always use tools in ways for which they weren’t intended. That theme, I’ve noticed, applies to log data and other forms of machine data more and more each day. I almost didn’t believe one of my colleagues at TIBCO LogLogic when he said he was using RegEx as a weapon in America’s “War on Drugs”.

One of the drug problems in the US is the ever-increasing use of prescription medications for non-medical purposes. The Center for Disease Control estimates that 1 in 20 Americans falls into this category. Some states have implemented electronic prescription programs that require all prescriptions to be routed through the state’s servers. That’s where RegEx comes in.

My colleague was asked if he could automate the process of ferreting out potentially fraudulent prescriptions. The problem has two incarnations – (1) so-called “pill mills”, doctors that write medically unnecessary prescriptions in exchange for cash, and (2) drug users that alter expired prescriptions. Armed with RegEx and loaded with a list of target drugs, my colleague established a set of search filters that look for suspicious things like doctors who write an abnormally high level of prescriptions for one or more of the target drugs. Using TIBCO LogLogic’s searching and alerting system, the potentially illegal transactions were automatically sent to a policing agency via email, where agents could follow up based on the scope and frequency of the reported abuse. How surprised would you be if you were a “pill mill” doctor and a law enforcement officer showed up just minutes later with a list of questionable prescriptions you had just written?!

This is just one of the many unexpected uses I’ve seen of log and machine data recently. The implications for both the supply-side and buyer-side are huge. For example, as the number of use cases grows, the need for unification of log and other data management solutions becomes imperative. The cost, complexity, and risk associated with storing data in different systems forces that decision. The increased business agility is icing on the cake. Similarly, the trend shows that making data easier to access and analyse by more and more users will separate the solution providers. Access to data is currently gated because most vendors need a swarm of highly technical contributors to collect and operationalize the data. Besides being excessively costly, this limits the number of potential business usages to only those with the highest ROI. Many solvable problems remain unsolved due to the cost and complexity. Massive improvements in user accessibility and “de-geekification” of implementations are necessary to achieve the promise of Operational Intelligence. A recent Spiceworks survey you can find on our TIBCO blog shows that only 19% of people are happy with their logging solution. What is preventing you from making better use of your log and other machine data?

For more information visit: wickhill.com/whg/tc2a
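The two search filters the article describes, a volume check per prescriber and a check for prescriptions filled long after they were written, can be sketched in a few dozen lines. The block below is an added example written for this page; it is not TIBCO LogLogic code, and the record layout, drug names, prescriber ids and the 30-day validity window are all invented for it. A regex with named groups parses each line, malformed lines are counted rather than silently accepted, and prescribers are compared against the median of their peers so the threshold is not a hard-coded number.

```python
import re
import statistics
from collections import defaultdict
from datetime import date

# Constructed sample records. Field layout, drug names and prescriber ids are
# invented for this example; a real e-prescription feed has its own schema.
SAMPLE_LOG = """\
rx=1001 written=2014-10-01 filled=2014-10-02 prescriber=DR100 patient=P01 drug=ALPHADONE qty=30
rx=1002 written=2014-10-01 filled=2014-10-01 prescriber=DR100 patient=P02 drug=VITAMINC qty=60
rx=1003 written=2014-10-02 filled=2014-10-03 prescriber=DR200 patient=P03 drug=BETAZEPAM qty=20
rx=1004 written=2014-08-15 filled=2014-10-03 prescriber=DR200 patient=P04 drug=ALPHADONE qty=30
rx=1005 written=2014-10-03 filled=2014-10-03 prescriber=DR300 patient=P05 drug=ALPHADONE qty=30
rx=1006 written=2014-10-03 filled=2014-10-03 prescriber=DR999 patient=P06 drug=ALPHADONE qty=90
rx=1007 written=2014-10-03 filled=2014-10-03 prescriber=DR999 patient=P07 drug=ALPHADONE qty=90
rx=1008 written=2014-10-03 filled=2014-10-04 prescriber=DR999 patient=P08 drug=BETAZEPAM qty=60
rx=1009 written=2014-10-04 filled=2014-10-04 prescriber=DR999 patient=P09 drug=ALPHADONE qty=90
rx=1010 written=2014-10-04 filled=2014-10-04 prescriber=DR999 patient=P10 drug=BETAZEPAM qty=60
rx=1011 written=2014-10-04 filled=2014-10-05 prescriber=DR999 patient=P11 drug=ALPHADONE qty=90
this line is deliberately malformed and must not be counted
"""

RX_LINE = re.compile(
    r"^rx=(?P<rx>\d+) written=(?P<written>\d{4}-\d{2}-\d{2}) filled=(?P<filled>\d{4}-\d{2}-\d{2}) "
    r"prescriber=(?P<prescriber>DR\d+) patient=(?P<patient>P\d+) drug=(?P<drug>[A-Z]+) qty=(?P<qty>\d+)$"
)
TARGET_DRUGS = {"ALPHADONE", "BETAZEPAM"}   # constructed watch list of target drugs
MAX_FILL_DELAY_DAYS = 30                     # assumed validity window for this example

def parse_log(text):
    """Parse lines into records; return (records, number_of_rejected_lines)."""
    records, rejected = [], 0
    for line in text.splitlines():
        m = RX_LINE.match(line)
        if not m:
            rejected += 1          # count, never silently accept, lines that fail the pattern
            continue
        r = m.groupdict()
        r["written"] = date.fromisoformat(r["written"])
        r["filled"] = date.fromisoformat(r["filled"])
        r["qty"] = int(r["qty"])
        records.append(r)
    return records, rejected

def stale_fills(records, max_days=MAX_FILL_DELAY_DAYS):
    """Incarnation (2): a target-drug prescription filled long after it was written."""
    return [r["rx"] for r in records
            if r["drug"] in TARGET_DRUGS and (r["filled"] - r["written"]).days > max_days]

def high_volume_prescribers(records, factor=3.0):
    """Incarnation (1): prescribers whose target-drug count is far above the median peer."""
    counts = defaultdict(int)
    for r in records:
        if r["drug"] in TARGET_DRUGS:
            counts[r["prescriber"]] += 1
    if len(counts) < 2:
        return []                  # no peer group to compare against
    median = statistics.median(counts.values())
    return sorted(p for p, c in counts.items() if c > factor * median)

def report(text=SAMPLE_LOG):
    """Summary a downstream alerting system could turn into an email to the agency."""
    records, rejected = parse_log(text)
    return {
        "parsed": len(records),
        "rejected": rejected,
        "high_volume_prescribers": high_volume_prescribers(records),
        "stale_fills": stale_fills(records),
    }

if __name__ == "__main__":
    print(report())
```

On the constructed data the report flags one prescriber whose target-drug count is several times the median of the others, and one prescription filled 49 days after it was written; the rejected-line count is the figure to watch in production, because a schema change upstream would otherwise empty the results silently.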
Making Sure That Cybercrime Doesn’t Pay
By Ian Porteous, SE Manager at Check Point Software Technologies UK

Ransomware is a prolific family of malware that has risen to prominence over the past five years. Originally popular in Russia, ransomware infects a computer with some sort of restriction before pressuring the user into paying for its removal. It shares certain elements with “scareware”, a similarly heavy-handed and potentially frightening method of extorting money from computer users. This is a highly effective tactic for the criminals, as most computer users are unaware that the problem could be dealt with like any other piece of malware – using software remedies rather than by caving in to the demands of the attacker.

The archetypal ransomware attack involves the criminals restricting access to a user’s computer in some way, either by encrypting files so that the user can’t use them or by compromising the operating system itself. Visual or email messages will then appear stipulating the criminals’ demands, sometimes masquerading as a legitimate piece of antivirus or anti-malware software. Payment is usually through non-conventional, low-accountability methods like MoneyPak or Bitcoin, which make it nearly impossible for the criminals to be traced. It’s one of the most unpleasant forms of malware currently attacking the general public, as it places direct psychological pressure on victims and threatens them with the permanent loss of their data.

Victims pay up because they don’t know what to do
Each successful “hit” only fuels the spread of this type of malware. But efforts have been made by the IT security industry to tear apart the code that enables criminals to extort money from computer users and to exploit the weaknesses inherent in it, just as they would any piece of software. An example of this is DirCrypt, a type of malware that targets the documents and images on a victim’s computer and “pretends” to replace them with .rtf ransom notes. The damage appears to already have been done by the time the victim tries to open one of their documents and is greeted instead by a text file outlining the criminals’ demands and payment details. What makes DirCrypt particularly irksome is that the same will happen to any files the user subsequently creates.

Reducing the proceeds of crime
Security experts discovered that this could be reversed, and that the user could successfully retrieve their data without having to pay the ransom. This was done through careful exploitation of the code involved, which had an “Achilles heel” that had not been addressed. This development goes some way to reducing the profitability of ransomware, thus slowing its advance and making it a less lucrative trade for criminals. By minimising (or at least denting) the profits from each wave of ransomware, and by exploiting the fact that cybercriminals make mistakes just like other coders, the IT security industry is making the online landscape slightly safer for all computer users.

For more information visit: wickhill.com/whg/cp2a

TACKLING MOBILE DEVICE SECURITY
Ian Kilpatrick, chairman, Wick Hill Group, specialists in secure IP infrastructure solutions, suggests a way forward for dealing with mobile device security.

They only happen perhaps once in a generation, but right now we are at one of those key points of change in the computer industry that demand we look at things in a new light. I’m talking about the convergence of communications, mobile devices and applications, high-speed wireless, and cloud access at a personal level. These are all driving functionality demands on businesses and creating new network environments. For many organisations, these changes are happening at too fast a rate.

The growth of mobile devices is at the centre of these developments. With their large data capacities, always-on capabilities and global communications access, they can represent both a business applications’ dream and a business risk nightmare.

For those in the security industry, the focus is mainly on deploying “solutions” to provide protection in this situation. For some organisations, going into “lockdown” is the chosen solution. For other organisations, the legitimate business benefits of mobile devices mean they must learn to live with the situation and try their best to make it work securely. Even organisations on “lockdown” can have challenging times dealing with staff “guerrilla” deployments, as many staff have mobile device skills and experience from their home use.

Undoubtedly, part of the solution is deploying the right tools to both minimise and report on the risks, such as mobile device management, tracking and RF management, authentication, encryption and behaviour management - as well as basic security measures on mobile devices. Such solutions are available from a variety of suppliers, including Kaspersky Lab, WatchGuard, Check Point, SafeNet, Becrypt, VASCO and Allot.

Securing mobile devices
Risk analysis and risk acceptance: Before any mobile device, access, application or service is added, it should be signed off as accepted by the Board.
Planning: Planning for deployment should include security implementation or overt acceptance of the risk.
Embedding security: Security needs to be deployed with the solution, not after implementation.
Policies: Policies need to be clearly explained, not just set out in a policy document.
Processes: Processes need to be clear, as do consequences.
Education and staff involvement: Staff education is essential. This should be real education and not just a list of things staff can’t do. If employees don’t understand why they need to secure their own mobile devices or wireless connections, they certainly aren’t going to be overly concerned about yours.
Deployment: Deployment of mobile devices, including security elements, needs to be sold to staff, i.e. get buy-in from staff that security is a key element of deployment, rather than presenting it as ‘security needs to be there, so live with it.’ Mobile device security and monitoring need to be introduced at the point of deployment. If this is a sign-off/buy-in situation, it gets management commitment and cuts negative activities around mobile device usage.
Monitoring and feedback loop: Monitoring is crucial. Making it clear to staff that you are monitoring is just as important. High visibility and regular feedback to all staff, on both success and failure in mobile device security, are key.
Analysis: The Board needs to have regular reporting of the security landscape, so they are aware of the level of threat, and the levels of risk that they have accepted.
Forensics: If a security breach occurs through mobile device use, organisations need to know why it happened, if it could have been prevented and how it can be handled in the future. Forensic tools are important here. They are provided by companies such as Guidance Software.

The human element
A much more important element, however, is actually changing the way that staff interact with the problem - and not just IT staff. Currently, many organisations see dealing with these unprecedented risks as a challenge for the IT security team, whose role it is to protect the organisation. Traditionally, that was a good working model. However, in our new, changed and rapidly developing network environment, which is experiencing immense pressure for fast change and fast deployment of new applications, it is not possible for most IT security teams to carry the responsibility of securing the whole business and every user single-handedly. Security must be the responsibility of each individual user, every manager and every member of the Board. However, in practice, this is not actually happening. Only a small number of staff are formally sanctioned or sacked for failure to comply with mobile device policies.

Conclusion
Implementing a mobile device security strategy obviously then involves the deployment of the correct tools and reporting. Clearly this also raises the issue of the integration (or replacement) of existing tools with broader management and reporting solutions - but that is something to discuss on another day!

For more information visit: wickhill.com/whg/wh2a
TO ENCRYPT OR NOT TO ENCRYPT?
By James Taylor, Product Manager, Wick Hill Group

Encryption has always been a key part of network security and, in today’s rapidly changing network environment of BYOD, the convergence of communications, the widespread use of wireless and the growing use of the cloud, it is more important than ever. Encryption ensures that when data is at rest, it cannot be compromised, and that when data is in motion, it cannot be deciphered. And, very importantly, in today’s increasingly mobile world, it prevents unauthorised access to any lost or stolen device.

Sounds like we should encrypt everything, but that’s certainly not necessary. First we need to understand and define the risk by asking questions such as “Where is our sensitive data stored?”, “With whom do we want to share our data?” and “How do we want to share our data?” Such questions will help us decide what should be encrypted and what should not. Company payroll information, for example, could be classified as ‘Company Sensitive’; commercial affairs could be classified as ‘Company Confidential.’ The canteen menu, however, does not require any classification or encryption!

The next step is to review who accesses what data and how they access it. Questions that apply here might be “Does the HR officer work from home?” and “Do we need to share any financial records with our external accountant, or other external organisations?” The answers to this type of question will help us make informed choices about protecting data.

By adopting a protective data marking scheme, managing data loss at the gateway becomes a lot easier. You can now set a policy to allow or block sensitive data from being sent via the gateway. You can write a policy to automatically encrypt sensitive e-mails, dependent on the document type, the sender or the recipient. Equally, for remote users, appropriate access permissions can be managed. All other points of egress can now be controlled - Dropbox, Hotmail, etc.

Because encryption for data at rest is mainly about theft or accidental loss, not every drive needs to be encrypted. If there is sufficient security (both physical and logical) where servers are housed, the data on them could be considered as being safe. If you have a VDI infrastructure, there is probably no need for end-point encryption, as the device you remotely connect on should be just a piece of glass with a keyboard. If you’re operating on a fat client, however, then the ability to store sensitive documents on a local machine becomes a major concern. Encryption should be used on desktop devices where sensitive data is stored locally and might be vulnerable. It would be very easy, for example, for a cleaner to open a desktop case and remove a drive. Of course, any portable device storing sensitive data should have both encryption and two-factor authentication protecting it.

For portable users, encrypting the VPN traffic back to head office should be fairly standard, with SSL or IPSec sessions being the norm. Portal access through public hot spots needs some special attention, and you should always make sure the wireless here is securely encrypted.

It’s important never to forget the role of staff in security. If you give them responsibility for the management of sensitive information, it links them into the company’s security policy. Staff training, and making sure employees have a thorough comprehension of their role in protecting data, is important, and this training should be regularly reinforced.

Although encryption is an essential part of any data leakage protection policy, it is not a complete solution. Port control, gateway protection, etc. should all complement encryption measures. However, one way to keep the Information Commissioner’s Office off your back when that USB stick goes missing is to report that it was robustly encrypted. It’s not a complete defence, but it does carry some weight.

For more information visit: wickhill.com/whg/wh3a

Protecting Patients By Protecting IT
By Christian Bücker, Managing Director / CEO, macmon secure gmbh
Why IT security and Network Access Control in medical IT networks can make an essential contribution to patient security.

We hear a great deal about IT security in hospitals, and standards such as DIN EN 80001-1 preach the necessity of relevant risk analyses and precautionary measures. But what specific situations can actually be identified, and at which points can IT security, and the technology for Network Access Control in particular, help here?

Every medical technician and every IT employee in a hospital knows that modern or newly acquired medical devices can – or generally must – also be connected to an IT network. At the same time, the office systems of the doctors must be in the same network segment, or at least be able to communicate with the devices, in order for any results of examinations which have been produced to be transmitted and processed digitally. Manual transmission paths are now so complicated that they are no longer acceptable. Mobile devices with live access to patient information are likewise becoming increasingly desirable, as they enable medical staff to act flexibly and quickly whilst having continuous access to detailed information. In brief, the requirements for a medical IT network have already become so high that medical technicians are finding it increasingly difficult to get to grips with these requirements – this requires knowledge of IT, which is not necessarily readily available.

It is generally very easy to create synergies between medical engineering and the internal IT department if the right solutions are put to good use. Thus, for example, Network Access Control is able to ensure a continually updated overview of the entire network and to make sure that no external devices can access the network. The leading technology solution from the German manufacturer macmon secure even provides a graphical representation of the topology, which achieves a very high level of network transparency. At the same time, it means that medical engineering can be given the opportunity, via a simple portal solution, to authorise new devices for the network any time they are needed, without having to inform and involve the IT department. If the hospital does not have the technical resources to physically separate the networks (as is recommended in DIN EN 80001-1), NAC is also an extremely convenient way of separating them based on VLANs while still maintaining flexibility. The possible risks associated with using non-medical devices in the medical IT network are thus significantly reduced.

This also means that the desire of medical staff to bring in and use their own devices (smartphones, etc.) can be fulfilled and nonetheless be made secure. When choosing the right NAC solution, we should therefore bear in mind that it is also possible for users themselves to register their own devices using a web portal, for example. This reduces the time and effort involved, the overview of the devices in operation remains the same, and it is possible to define in advance in which network segments the “external” devices are automatically located. As a result, unsecured and unmonitored employee devices no longer end up in the medical IT network “by mistake”. The overview also automatically ensures that the devices of former employees no longer have access.

However, managing and controlling network accesses and authorisations also offers further benefits and opportunities. For example, unsecured but necessary devices can also be operated in a separate network area which can communicate with the medical IT network via a specified route. This route can then be monitored and secured far more easily and cost-effectively than in widely distributed network segments.

In accordance with the EN ISO 60601-1 standard, medical devices must, where reasonable, be fitted with network isolators in order to protect any life-saving devices (and thus patients) from overvoltages. Many older devices have not yet implemented this protective mechanism, which means that mobile network isolators are needed which are installed at the network socket rather than on the device itself. However, since medical staff cannot be expected to check the network socket and the device before (often spontaneous) use, automatic control can also be a tremendous help, or be the only way of controlling the situation, in this case too. Using NAC, the unprotected devices and the network sockets fitted with an isolator can be documented and monitored so that the responsible medical technician is immediately informed if an unprotected device is operated at an unprotected socket.

With the correct solution, a hospital’s security level can therefore be considerably increased both quickly and easily while at the same time various processes are simplified or even made possible for the first time. macmon secure even provides a separate manual on introducing its Network Access Control solution in hospitals which describes and supports the introduction in accordance with DIN EN 80001-1. The roles and responsibilities of risk management, the obligation to document the relevant information and the necessary information on risk assessment are described in full in this manual. As part of this, possible hazardous situations associated with incorporating macmon NAC in the medical IT network are listed and analysed. This means that all potential sources of danger can be thought out, assessed and dealt with in advance with respect to their risk for patients, users and third parties.

For more information visit: wickhill.com/whg/mm4a
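The NAC behaviour the article describes, an inventory that decides which VLAN a device lands in, a self-registration portal that can only ever place a device in the staff segment, de-activation of former employees' devices, and the isolator check that pairs device records with wall-socket records, can be modelled in a short script. The block below is an added example written for this page; it is not macmon's software and does not reflect its data model. The MAC addresses, socket ids, segment names and device categories are constructed for the example.

```python
from dataclasses import dataclass

# Constructed inventories for this example; every identifier below is invented.

@dataclass
class Device:
    mac: str
    owner: str
    kind: str              # "medical", "office" or "byod" (staff-registered via the portal)
    has_isolator: bool     # device-side network isolator fitted (EN ISO 60601-1)
    active: bool = True    # set to False when the owner leaves the organisation

@dataclass
class WallSocket:
    socket_id: str
    has_isolator: bool     # mobile isolator installed at the socket itself

# Segment is decided in advance per device category; unknown or inactive
# devices never reach the medical segment.
SEGMENT_FOR_KIND = {"medical": "VLAN_MEDICAL", "office": "VLAN_OFFICE", "byod": "VLAN_BYOD"}
QUARANTINE = "VLAN_QUARANTINE"

def seed_inventory():
    devices = {
        "00:11:22:33:44:01": Device("00:11:22:33:44:01", "radiology", "medical", has_isolator=True),
        "00:11:22:33:44:02": Device("00:11:22:33:44:02", "radiology", "medical", has_isolator=False),
        "00:11:22:33:44:03": Device("00:11:22:33:44:03", "dr.mueller", "office", has_isolator=False),
        "00:11:22:33:44:04": Device("00:11:22:33:44:04", "ex.employee", "byod", has_isolator=False,
                                    active=False),
    }
    sockets = {
        "ward3-s01": WallSocket("ward3-s01", has_isolator=True),
        "ward3-s02": WallSocket("ward3-s02", has_isolator=False),
    }
    return devices, sockets

def admit(mac, devices):
    """Decide the VLAN for a device that has just appeared on a switch port."""
    d = devices.get(mac)
    if d is None or not d.active:
        return QUARANTINE
    return SEGMENT_FOR_KIND[d.kind]

def register_via_portal(mac, owner, devices):
    """Self-registration: the device becomes known but only ever lands in the BYOD segment."""
    devices[mac] = Device(mac, owner, "byod", has_isolator=False)
    return admit(mac, devices)

def isolator_alerts(link_events, devices, sockets):
    """Alert when a medical device without an isolator is used at a socket without one."""
    alerts = []
    for mac, socket_id in link_events:
        d, s = devices.get(mac), sockets.get(socket_id)
        if d is None or s is None:
            continue           # unknown device or socket is handled by admit(), not here
        if d.kind == "medical" and not d.has_isolator and not s.has_isolator:
            alerts.append((mac, socket_id))
    return alerts

def run_demo():
    devices, sockets = seed_inventory()
    unknown = "00:11:22:33:44:99"
    decisions = {mac: admit(mac, devices) for mac in list(devices) + [unknown]}
    decisions["portal"] = register_via_portal(unknown, "nurse.k", devices)
    events = [("00:11:22:33:44:02", "ward3-s01"),   # unprotected device, protected socket: fine
              ("00:11:22:33:44:02", "ward3-s02"),   # unprotected device, unprotected socket: alert
              ("00:11:22:33:44:01", "ward3-s02")]   # device has its own isolator: fine
    return decisions, isolator_alerts(events, devices, sockets)

if __name__ == "__main__":
    print(run_demo())
```

The point of keeping the two inventories separate is the last function: the alert only fires when neither side of the connection carries an isolator, which is exactly the case the technician cannot be expected to spot at the bedside.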