How a strike at the Louvre can be seen as an analogy to fighting cyber attacks on enterprises
Coming back from a security systems and services (ISS) briefing by IBM at a Heathrow hotel, I was reading on the BBC website an article on how the staff at the Louvre went on strike this week because of more aggressive, continuous pickpocketing attempts by organized gangs targeting both employees and tourist visitors.
To me, this sounded familiar after the discussions we had been having all day about the increased threats to enterprises from APT (advanced persistent threat) activity: the “low and slow” attacks carried out over prolonged periods of time by strategic cyber attackers who know what they want to achieve and plan to entrench themselves in the IT fabric of the organization.
Pickpockets see the tourists as rich in wealth, and want to help themselves to this resource by means of strategy, brute force and continuous approaches without letup. Cyber attackers (I do not like the “T” word; it implies political intent, whereas the motive is realistically more economic) aim for the currency of choice, which is data. And with data they can do things that allow them to remain anonymous, just as cash does for the pickpocket.
I applaud the Louvre staff for making a fuss and asking for a solution. I wish more enterprises would not turn a blind eye to security intrusions by not utilizing the tools and resources available to them to protect their currency. Enterprises should at least assess who is trying to pick their pockets.
More on APT can be heard next week on the Info Security webinar panel in which I take part on Thursday, 18 April.
What I found interesting about this IBM briefing is that it was focused at a more proactive level and on education, services, and enhanced strategic approaches to enterprise security. Not the speeds and feeds of a normal software briefing, or the sales pitch of a services briefing, but a more pragmatic view of what has been happening in the last three years in the enterprise space, and of how CISOs differ in their views on how to protect their assets. So I applaud IBM as well, and look forward to more interaction with their ISS Security organization.
Yes, I am packing up the sun lotion and trying to hunt up some shorts that are not weightlifting shorts. I’m off to Orlando this coming weekend, heading out for next week’s SNW, which has the theme: Intelligent Architecture for the Data-Driven Business. This sets the tone for both the technical aspects, and the practical reality of data’s role in the business model for innovative enterprises.
Produced by Computerworld — and co-owned by Computerworld and the Storage Networking Industry Association (SNIA) — SNW tries to maintain its unbiased and vendor-agnostic positioning amongst a sea of PPT slides. It includes roughly 100 expert sessions, and a vendor expo for me to meander around.
What do I expect to hear?
The first day has a theme on clouds and the data center of the future, starting the show off with discussions on COIT, virtualization, legal issues, and networking. I will be attending the Data Center Networking track, and look forward to a few of the presentations around performance and consolidation.
The theme of the second day is big data, mobility and data management. Besides finding me having some quality time at the pool, you will also likely find me at the track on Big Data Infrastructure, attending presentations from folks from SNIA’s Data Protection & Capacity Optimization (DPCO) Committee, HDS, IBM and Oracle.
And the final day focuses on storage trends, and includes a panel session at 4pm with yours truly and colleagues on Quality of Service (QoS) and performance in cloud storage.
Not going to the House of the Mouse, having worked there in CA while in college. It is a small world, after all……
It has been a cloudy week for me, first at the European Cloud Conference in Brussels, then some interesting briefings with Calligo and Flexiant. The theme here, if a theme is required, is cloud differentiation. This can be seen either via a unique business model (Calligo), cloud enablement tools (Flexiant) or via regulatory policy (DG CONNECT and DG MARKT).
First off, the European Cloud Conference. Now, as an analyst, I rarely pay to go to a conference, but I have to admit this one was worth the price of admission. I say this not only for the speaker line-up, but the quality of the audience. I had some great chats with Red Hat and Dell public affairs folks, as well as the public affairs officer from Renault. And of course, hearing Viviane Reding who was also looking lovely in a bright green top in front of a panel of dark suited lawyers! Discussion was on European cloud enablement and citizen protection, with a focus for my taste on data security, availability, and infrastructure resiliency.
My next day was spent at the EC as an expert on behalf of the OFE on text and data mining in academia, but I am afraid I cannot talk more about that at this time, as the next set of discussions is coming in April.
The two interesting cloud briefings of this week:
Calligo: The Channel Islands’ only dedicated cloud services provider (CSP) has a unique business model, and since our last chat in January has made some significant inroads into its specific niche. Calligo specialises in specific jurisdictions that are data-sensitive geographies. They started in the Channel Islands, and now have expanded jurisdiction plans for other geographically sensitive areas. Their value proposition is based on data security and cloud performance, and having recently brought on board a Chief Security Officer and some new partners to increase the focus on performance and customer service, they have a real go-to-market drive that is quite admirable.
Flexiant: I love talking with Jim Foley, and he and his team gave me a great demo of their cloud orchestration and cloud service provisioning solutions. Again, they highlighted simplicity, ease of use, ROI – the theme of cloud differentiation again with making cloud control and management that much simpler to understand.
My view: Cloud should be about differentiation of service and ease of use, and hybrid/public clouds are a natural extension of the core IT infrastructure. Private clouds are for those still with internal control and process issues.
As for me, busy this week with SolidFire and ViaWest finalising our deck for our panel presentation on QoS in cloud storage at SNW in Orlando on April 4th.
Note: The OECD report on cloud computing should be out this week — interesting to note because the geographies they are examining go beyond those of the normal market research report.
The ENISA report released on 14 February examined Cloud computing from a Critical Information Infrastructure Protection (CIIP) perspective, and identified Cloud computing as a critical issue given the concentration of users and data and its growing use in critical sectors, such as finance, health and insurance. The report also provides nine recommendations for bodies responsible for critical information infrastructures. These include including large cloud services in national risk assessments, tracking cloud dependencies, and working with providers on incident reporting schemes. This report comes a week after the EU launched its Cybersecurity Directive.
My thoughts on two of the key findings:
“Cloud services are themselves becoming a critical information infrastructure”. That quote, given some of the recent cloud service failures, is recognition that infrastructure as a service (IaaS) goes beyond basic foundations and drives into the operational heart of many mainstream businesses which the public rely on, such as financial services and utilities. Cloud as a business model choice allows firms to focus on the core competencies of their IT infrastructures, which are not necessarily the volume activities of the business. However, data exploitation has a tendency to occur in the high volume transactional operations.
“Physical redundancy does not safeguard against certain cyber attacks, such as data breaches exploiting software flaws” is also telling, in that many firms are not aware of their possible exposure to breaches, as the weakest link may be the software, not the hardware or the network.
Firms are building out cloud services with external partners for both economic and resource-oriented reasons. To focus on providing a good service, risk assessment and building in resilience and security become even more important when a value chain is created for mission-critical service provisioning.
Is it worth me saying “it’s about the infrastructure, stupid”?
It seems firms outsourcing data centres have not learned the lesson about not putting all your eggs in one basket. Handing your crown jewels in the form of corporate data to one firm is a risk. If a supplier overextended itself within the traditional value chain, the clients either lost inventory or money. In this case, the clients stood to lose their data operations and even their kit.
Data centres and cloud have the power to shape our businesses in powerful ways. It is important that we choose a wise strategy for dealing with this technology shift and business model choice. To do so, we need to look at lessons learned in outsourcing from the 1990s. In other words, who’s got your data? And can you get it back?
Telco player Daisy Group has now taken control of defunct 2e2’s data centre operations. Daisy Group already runs services from data centres in Manchester, Southampton and London but, according to Daisy, the addition of these 2e2 facilities doubles total available power from two megawatts to four megawatts. Under the terms of the deal, Peter Dubens, owner of Oakley Capital and chairman at Daisy Group, has created a special purpose vehicle (SPV), Daisy Data Centre Solutions, to buy the business and assets, which include server farms in Gateshead and Reading.
The defunct Berkshire-based 2e2 had been rumoured to have broken a banking covenant in December 2012 and was running up to its credit limits in distribution. This was a cause for concern among many wholesalers and vendors due to its massive debt, and it had reported significant losses in the last couple of years. 2e2 had been active in acquisition, buying both NetStore and Morse while racking up long-term debts in its inorganic growth.
According to an article in The Channel, sources said that as a result 2e2 had approached numerous resellers to secure supplies by offering to split some of the margin on deals. There are also claims from some in the channel that 2e2 approached customers last month offering 10 per cent cash back on any orders in December. In the last month, 2e2 data centre services customers were asked by administrator FTI Consulting to collectively stump up £960,000 to keep the lights on. The administrator was running out of cash to fund the operation since its appointment on 28 January – 2e2 was losing £300k a day – and had no other option but to ask its data centre customers to keep things running by stumping up amounts between £4,000 and £40,000.
FTI was asked to seek out a buyer for the business. The problem got trickier still, as the kit in 2e2’s data centre is leased from HP Global Financial Services, so the “validity of title” needs to be passed by 2e2 to each customer, according to an article in The Channel. However, the administrator said that due to the “critical nature” of 2e2’s data centre services it was seeking to “maintain the data centre infrastructure and keep personnel who operate the data centres, to facilitate an orderly migration of the data and systems or some other alternative solutions”. The difference for 2e2 customers saved by Daisy will be that Daisy has a very strong balance sheet, with low debt, and is looking to grow organically in the data centre and managed services space.
Too much too fast? 2e2 grew via inorganic growth, and bit off more than it could chew financially. Organisations of all sizes need to be agile and responsive, and want to make adjustments to their business model as they grow. But client beware: if the firm cannot deal with its own growth, it is unlikely to be beneficial in helping with yours! It’s all about the business model, and choosing a partner to outsource your operations and data requires the same due diligence as choosing a key supplier of assets for your business activities.
This event leads to the continual question: is there a need for CSP oversight? If a service provider is regulated, there is someone standing behind it in case of failure. But not every industry has a regulator, and it is not clear that cloud services are ready for that regulation as of yet.
Using Cloud infrastructure offers an entry point that allows smaller companies to benefit from resource capabilities that would otherwise not be within their reach. But firms need to choose a partner that shares their risk profile, and provides a level of comfort as to its continued existence.
Dr. Alea Fairchild, Director, The Constantia Institute bvba
First of all, I would like to note to the reader that I am no longer affiliated with Constellation Research as of the end of Dec 2012.
This blog is a function of my work at The Constantia Institute bvba, where we work on technology innovation and governance. Issues such as privacy, info security, and ability for innovative collaboration are important to create positive impact on business processes.
I am a member of a panel on agile development and information security next Tuesday 15 Jan, discussing the role of info security in collaborative development.
I am also finishing research work on the need for enterprise collaboration tools and information security, focusing on building tools such as encryption and two-factor authentication into the collaboration process under the hood, so collaborating parties can work at ease while maintaining enterprise security policy. This should be out in a few weeks; just a heads up if you are interested in either (last-minute) participating or reading it once it is released.
Hope your 2013 has started well!
All the best for a successful and peaceful new year!
As we start to clean the desk and whip out the new agenda for next year, let me stop and take a minute to address research direction and intent for 2013.
What do I see as trends in my research area for 2013?
Cloud is still seen as a continuation of the infrastructure consolidation and homogeneity that started with server and desktop virtualization. Drivers will continue to be lowered operational costs and faster go-to-market delivery. Companies will begin to adopt leaner, more automated operational paradigms to match the quality demanded of cloud infrastructure. It will still be more about the business model than the technology, and very much focused on the business process, not on reliance on internal infrastructure. Which leads to my next comment…
Workload automation will be a bigger focus in 2013. Moving workloads to cloud means migration of far more than just the compute needs. IaaS solutions should provide network topographies, storage, firewalls and content routing. Other elements, such as databases, load-balancers, monitoring and security services will continue to become more integrated into platforms.
PaaS, however, will remain the domain of less risk-averse projects within established enterprises.
Where am I focusing my research efforts this year?
If I had to categorize my research efforts in the next year, I would say:
- IT infrastructure management and modernization
- Enterprise collaboration infrastructure (as a function of data protection)
- Cloud services, storage and security (including encryption)
- Identity and role-based access management
- Business process management and IT change management
- IT service management
- Governance, risk and compliance (GRC)
What reports am I working on for the next six months? (And how can you get on my research radar? )
- Policy Automation and Encryption: Closing the Compliance Loop for Collaboration
- Clear as Mud: Defining the Business Value of IT Service Offerings
- The Morphing Market of BPM: 2013
- Optimizing performance: Focus on User Experience & IT QoS
- Managing an efficient IT lifecycle
As for my radar, try Twitter, email and/or the good old fashioned telephone!
Happy New Year!
As it is getting to be the time for writing the annual family holiday card, it is also time to take a few moments to reflect on IT trends for the next year, and why we believe things will evolve in a particular way. This is the first of three blog posts to explain my research directions for 2013, and what to expect going forward.
Many analyst firms are claiming that 2013 is THE year we will see cloud computing evolve rapidly. I would agree, but from a different angle, that of cost and complexity, not from enterprise take-up and industry acceptance. But I am focusing on the view of the enterprise, not that of the IT vendor.
From a cost perspective, given the slowing investment in ICT in the next calendar year due to economic conditions and restrained growth in business operations, cloud computing will take the role of outcome optimizer in terms of cost trade-offs. The real cloud benefits are not in the CAPEX cost of the hardware and software but in other OPEX costs, such as support, resource location, availability and maintenance. Providing the infrastructure with cost and capacity alternatives provides a more flexible footprint to deal with uncertainty and scaling in a less than stable operational environment.
Secondly, the cloud introduces flexibility and agility into an organization, because of ease of use and speed to react when there is a need to add new locations, additional users, and new business processes. Given changing business relationships and mergers, complex ecosystems need to be wired and unwired quickly. This means, however, one needs to take care in the SLA when entering an agreement and one needs to understand the data security issues in this flexible approach to adding capacity and meeting demand.
What will truly be unique this next year is the business models that cloud providers are using, which are a combination of new technologies and an enhanced focus on business operations versus maximum headroom and bandwidth. New metrics and new ways of working are on the horizon, and this is part of my own research agenda for 2013 in the theme of technology optimization. Expect to see something shortly on QoE and QoS in cloud storage, almost ready for the editor!
Next post will be on my work in the enterprise collaboration space, and the following post will be on my work in ILM and data governance.
In your post-US election hangover, you may not get a chance to register and listen to the virtual conference on Information Security that I have taken part in today, so I thought I might include a sneak peek at my portion of the presentation. See here for more details: http://www.infosecurity-magazine.com/virtualconference/infosecurity-magazine-us-fall-virtual-conference
My panel counterparts from Deloitte and Stroz Friedberg were quite good, and our discussion on ‘Tackling the data privacy challenge’ was very interesting.
My portion of the discussion focused on the Four “E”s of Enterprise Data Privacy:
The three main points I hit upon in my presentation were:
If you want to know more, then click on the link above to register, or hear a replay.