Posts Tagged security

The Internet of Things Gains Traction

The Internet of Things (IoT) appears finally to be gaining real traction, with both Gartner and IDC putting out reports on it. The opportunity, however, can best be understood in terms of vertical applications because the value of IoT is based on individual use cases across all verticals. “Successful sales and marketing efforts by vendors will be based on understanding the most lucrative verticals that offer current growth and future potential and then creating solutions for specific use cases that address industry-specific business processes,” said Scott Tiazkun, senior research analyst, IDC’s Global Technology and Industry Research Organization. Similarly, enterprise IT needs to understand which vertical use cases will benefit first and most.

Tiazkun was referring to IDC’s latest Worldwide Internet of Things Spending by Vertical Market 2014-2017 Forecast.  To tap that market, IDC advises consultants to focus on the individual vertical opportunity that arises from IoT already in play.  Here is where a vertical business savvy IT exec can win. As IDC noted, realizing the existence of the vertical opportunity is the first step to understanding the impact and, therefore, to understanding an IoT market opportunity that exists – for enterprises and IT vendors and consultants.

The idea of IoT has been kicking around for years. BottomlineIT wrote about it early in 2011 here. It refers to the idea of embedding intelligence into things in the form of computer processors and making them IP addressable. Linking them together over a network gives you IoT. The idea encompasses almost anything from the supply chain to consumer interests. Smart appliances, devices, and things of all sorts can participate in IoT. RFID, all manner of sensors and monitors, big data, and real time analytics play into IoT.

In terms of dollars, IoT is huge. Specifically, IDC has found:

  • The technology and services revenue from the components, processes, and IT support for IoT to expand from $4.8 trillion in 2012 to $7.3 trillion by 2017 at an 8.8% compound annual growth rate (CAGR), with the greatest opportunity initially in the consumer, discrete manufacturing, and government vertical industries.
  • The IoT/machine-to-machine (M2M) market is growing quickly, but the development of this market will not be consistent across all vertical markets. Industries that already understand IoT will see the most immediate growth, such as industrial production/automotive, transportation, and energy/utilities. However, all verticals eventually will reflect great opportunity.
  • IoT is a derivative market containing many elements, including horizontal IT components as well as vertical and industry-specific IT elements. It is these vertical components where IT consultants and vendors will want to distinguish themselves to address industry-specific IoT needs.
  • IoT also opens IT consultants and vendors to the consumer market by providing business-to-business-to-consumer (B2B2C) services to connect and run homes and automobiles – all places where electronic devices increasingly will have networking capability.

Already, leading vendors are positioning themselves for the IoT market. To Oracle, IoT brings tremendous promise to integrate every smart thing in this world. Cisco, too, jumped early on the IoT bandwagon, dubbing it the Internet of Everything.

IBM gets almost cosmic about IoT, which it describes as the emergence of a kind of global data field. The planet itself—natural systems, human systems, physical objects—has always generated an enormous amount of data, but until recent decades, we weren’t able to hear, see, or capture it. Now we can because all of these things have been instrumented with microchips, UPC codes, and other technologies. And they’re all interconnected, so now we can actually access the data. Of course, this dovetails with IBM’s Smarter Planet marketing theme.

Enterprise IT needs to pay close attention to IoT too. First, it will change the dynamics of your network, affecting everything from network architecture to bandwidth to security. Second, once IT starts connecting the various pieces together, it opens interesting new possibilities for using IT to advance business objectives and even generate revenue. It can help you radically reshape the supply chain, the various sales channels, partner channels, and more. It presents another opportunity for IT to contribute to the business in substantive business terms.

IDC may have laid out the best roadmap to IoT for enterprise IT. According to IDC, the first step will be to understand the components of the IoT/M2M IT ecosphere. Because this is a derivative market, there are many opportunities for vendors and consultants to offer pieces, product suites, and services that cover the needed IoT technology set. Just make sure this isn’t just about products. Make sure services, strategies, integration, and business execution are foremost. That’s how you’ll make it all pay off.

The promise of IoT seems open ended. Says Tiazkun: “The IoT solutions space will expand exponentially and will offer every business endless IoT-focused solutions. The initial strategy of enterprise IT should be to avoid choosing IoT-based solutions that will solve only immediate concerns and lack staying power.” OK, you’ve been alerted.



Bitcoin Means for Micro-Transactions for IT

Bitcoin may be the world’s newest currency. If not, it is certainly the most unconventional. But, it is catching on. As Reuters wrote recently: “Venture capitalists show no sign of shying away from investing in startups related to Bitcoin.”

Think of Bitcoin as electronic money, or maybe virtual money since no government backs it or controls it. Yet, businesses already are doing business with bitcoins. According to Reuters, there are 11.7 million bitcoins in circulation, with a market capitalization of over $1.7 billion. The price (value) fluctuates, but so does the value of conventional currencies although bitcoin fluctuations may be less well understood.

Wikipedia describes Bitcoin as a cryptocurrency—a type of currency that relies on cryptography to create and manage the currency—specifically, the creation and transfer of bitcoins is based on an open-source cryptographic protocol that is independent of any central authority. Bitcoins can be transferred through a computer or smartphone without involving an intermediate financial institution. The concept was introduced in 2008 as a peer-to-peer (P2P), electronic cash system.

For IT, Bitcoin promises to change the way financial transactions, especially very small (micro) transactions, are conducted, making them fast and secure with little or no overhead. Today, about the best you can do is PayPal, but with a slew of middlemen it is not very efficient when it comes to micro transactions.

A product or service selling at a micro price today isn’t really feasible from either an IT perspective or a financial perspective. But, with Bitcoin it might be since it removes a lot of financial and technical overhead.

The same big name investors that invested in Facebook Inc, Twitter, Groupon Inc, and Founders Fund, which includes three founders of PayPal, are putting serious money into Bitcoin investments even though the currency exists solely in cyber form. Proponents see it as the future of money, and in some investing circles, according to Reuters, it has created a buzz reminiscent of the early Internet.

For IT, Bitcoin may be the currency you will need as the global digital economy ramps up big. The benefits of Bitcoin or something like it may be tremendous. For starters, Bitcoin appears to address the problem of micro-transaction payments, where the cost of processing a credit or debit card transaction greatly exceeds the value of the transaction. If you can do a lot of micro-transactions at almost no cost, the payback adds up. The value of, say, 10 million half-cent transactions adds up to real money.

Then there is what Bitcoin itself says about the product.  For example, Bitcoin’s high cryptographic security allows it to process transactions in a very efficient and inexpensive way. You can make and receive payments using the Bitcoin network with almost no fees.

Furthermore, any business that accepts credit card or PayPal payments knows the problem of payments that are later reversed because the sender’s account was hacked or they fraudulently claimed non-delivery. The only way businesses can defend themselves against this kind of fraud is with complex risk analysis and increased prices to cover the losses. Bitcoin payments are irreversible and wallets can be kept highly secure, meaning that the cost of theft is no longer pushed onto the shoulders of the merchants.

Accepting credit cards online typically requires extensive security checks in order to achieve PCI compliance. Bitcoin security, however, makes this approach obsolete. Your payments are secured by the network and not at your expense. OK, maybe that is not completely reassuring, but it is as good as or better than you have now.

Finally, there is what Bitcoin calls accounting transparency. Many organizations are required to produce accounting documents about their activity and to adopt good transparency practices. Bitcoin allows you to offer the highest level of transparency since you can provide the detailed information you use to verify your balances and transactions.

OK, it isn’t perfect, but when Europe was precariously balanced on the edge of insolvency and countries like Greece, Cyprus, Italy, and Spain were in grave financial danger, interest in bitcoins apparently soared and their value rose dramatically. Bloomberg Businessweek reported that Spaniards apparently were active buyers of bitcoins during the crisis, viewing the currency as a safe hedge against their own government seizing bank accounts and savaging their own conventional currency.

Maybe the most important thing to say about Bitcoin is that it is the future as the digital economy ramps up to rival the conventional economy. As users all over the world turn to smartphones for online commerce, IT will need something like Bitcoin. Besides, you don’t want some all-powerful government dictating even more regulations and issuing compliance mandates. Several governments are skeptical, to say the least, about the idea of Bitcoin but none apparently have shut it down.  As a P2P technology, Bitcoin is governed by the people that ultimately use it, maybe that will even be your own organization, and not by Big Brother.


New Products Reduce Soaring Storage Costs

The latest EMC-sponsored IDC Digital Universe study projects that the digital universe will reach 40 zettabytes (ZB) by 2020, a 50-fold growth from the beginning of 2010! Do you wonder why your storage budget keeps increasing? And the amount of data that requires protection—backup of some sort—is growing faster than the digital universe itself. This clearly is not good for the organization’s storage budget.

Worse yet, from a budget standpoint, the investment in IT hardware, software, services, telecommunications and staff that could be considered the infrastructure of the digital universe will grow by 40% between 2012 and 2020. Investment in storage management, security, big data, and cloud computing will grow considerably faster.

Last July BottomlineIT partially addressed this issue with a piece on reducing your storage debt, here. Recent products from leading storage players promise to help you do it more easily.

Let’s start with EMC, whose most recent storage offering is the VMAX 40K Enterprise Storage System. Enterprise-class, it promises to deliver up to triple the performance and more than twice the usable capacity of any other offering in the industry; at least that was the case seven months ago. But things change fast.

With the VMAX comes an enhanced storage tool that simplifies and streamlines storage management, enabling fewer administrators to handle more storage. EMC also brings a revamped storage tiering tool, making it easier to move data to less costly and lower performing storage when appropriate. This allows you to conserve your most costly storage for the data most urgently requiring it.

HP, which has been struggling in general through a number of self-inflicted wounds, continues to offer robust storage products. Recognizing that today’s storage challenges—vastly more data, different types of data, and more and different needs for the data—require new approaches, HP revamped its Converged Storage architecture. According to an Evaluator Group study, many organizations only use 30% of their physical disk capacity, effectively wasting the rest while forcing their admins to wrestle with multiple disparate storage products.

The newest HP storage products address this issue for midsize companies. They include the HP 3PAR StoreServ 7000, which offers large enterprise-class storage availability and quality-of-service features at a midrange price point, and HP StoreAll, a scalable platform for object and file data access that provides a simplified environment for big data retention and cloud storage while reducing the need for additional administrators or hardware. Finally, HP introduced the HP StoreAll Express Query, a special data appliance that allows organizations to conduct search queries orders of magnitude faster than previous file system search methods. This expedites informed decision-making based on the most current data.

IBM revamped its storage line too for the same reasons.  Its sleekest offering, especially for midsize companies, is the Storwize V7000 Unified, which handles block and file storage.  It also comes as a blade for IBM’s hybrid (mixed platforms) PureSystems line, the Storwize Flex V7000. Either way it includes IBM’s Real-Time Compression (RtC).

RtC alone can save considerable money by reducing the amount of storage capacity an organization needs to buy, by delaying the need to acquire more storage as the business grows, and by speeding performance of storage-related functions. While other vendors offer compression, none can do what RtC does; it compresses active (production) data with no impact on application performance. This is an unmatched and valuable achievement.

On top of that the V7000 applies built-in expertise to simplify storage management. It enables an administrator who is not skilled in storage to perform almost all storage tasks quickly, easily, and efficiently. Fewer lesser-skilled administrators can handle increasingly complex storage workloads and perform sophisticated storage tasks flawlessly.  This substantially reduces the large labor cost associated with storage.

NetApp also is addressing the same storage issues for midsize companies through its NetApp FAS3200 Series. With a new processor and memory architecture it promises up to 80% more performance, 100% more capacity, non-disruptive operations, and industry-leading storage efficiency.

Data keeps growing, and you can’t NOT store it. New storage products enable you to maximize storage utilization, optimize the business value from data, and minimize labor costs.


Cybercrime Costs More Than You Think

As CIO you probably don’t break out the cost of cybercrime. Of course you tally security costs as part of the IT budget, but unless you have been hit by a large and readily apparent cyber attack, the specific cost probably is not on your radar screen.

Cybercrime is a form of criminal activity using computers over the Internet—that’s where the cyber comes in. It includes anything from downloading illegal music files to stealing millions of dollars from online bank accounts. Cybercrime also includes non-monetary attacks, such as creating and distributing viruses and deploying malware on other computers, posting confidential business information on the Internet, or distributed denial of service (DDOS) attacks. Maybe the most apparent form of cybercrime is identity theft—apparent mainly because of numerous state laws and various government regulations addressing privacy and identity theft. But any organization that has been hit with a computer virus has experienced cybercrime.

This week HP published the latest research indicating that the cost and frequency of cybercrime have both continued to rise for the third straight year. According to this third annual study of U.S. companies, conducted by the Ponemon Institute, the occurrence of cyberattacks has more than doubled over a three-year period, while the financial impact has increased by nearly 40 percent.

A few weeks ago, IBM released its latest quarterly X-Force security report. Specifically, it found a sharp increase in browser-related exploits, renewed concerns around social media password security, and continued disparity in mobile devices and corporate bring-your-own-device (BYOD) programs.

The HP/Ponemon report found the average annualized cost of cybercrime incurred by a benchmark sample of U.S. organizations was $8.9 million. This represents a 6% increase over the average cost reported in 2011, and a 38% increase over 2010. The 2012 study also revealed a 42% increase in the number of cyberattacks, with organizations experiencing an average of 102 successful attacks per week, compared to 72 attacks per week in 2011 and 50 attacks per week in 2010. The only positive news here is that the cost of the attacks is not increasing as fast as the number of attacks, but that is probably small consolation.

The most costly cybercrimes, HP noted, continue to be those caused by malicious code, denial of service, stolen or hijacked devices, and malevolent insiders. When combined, these account for more than 78% of annual cybercrime costs per organization. Maybe even more disturbing is that many of the losses resulted from careless behavior (e.g., leaving a laptop on a taxi seat) by employees or poor employee relations, which motivate some of the malevolent attacks.

Cyber attacks can be costly if not resolved quickly, HP concluded. The average time to resolve a cyber attack is 24 days, but it can take up to 50 days according to this year’s study. The average cost incurred during this 24-day period was $591,780, up 42% over the previous year.

IBM’s X-Force also reported some new disturbing trends. For example, attackers continue to target specific individuals by directing them to a trusted URL or site that has been injected with malicious code. Then, through browser vulnerabilities, the attackers are able to install the malware on the target system. Sadly, X-Force notes, the websites of many well-established and trustworthy organizations are still susceptible to these types of threats.  Similarly the growth of SQL injection, a technique used by attackers to access a database through a website, is keeping pace with the increased usage of cross-site scripting and directory traversal commands.

As computing penetrates into every aspect of business the security threats are only going to increase.  Traditional IT security—access controls, user authentication, firewalls, perimeter defense, and anti-virus tools—simply are not sufficient for the variety of threats companies are experiencing today, from socially engineered attacks to APT.  For that reason organizations need an ongoing security strategy that encompasses everything—GRC, data, applications, networks, systems, storage, mobile, cloud, social networks, and whatever else may come next. And then drive it all home through policy, repeated training, and insistence on accountability.


Technology Trends for 2012

The big technology trends in 2012 will be extensions of trends that began in 2011 or earlier.  For example, BottomlineIT noted the Consumerization of IT  back in September. Expect it to pick up speed in 2012. Similarly you read about The Internet of Things here back in February. That too will drive technology trends in 2012.

The big IT research firms published their trends projections for 2012. You can find Gartner’s here.  Maybe more interesting to a CIO will be IDC’s security trends for 2012 here.

The tech trends below are based on the numerous vendor briefings and conferences BottomlineIT attends as well as talking with dozens of IT and business managers. Most shouldn’t surprise you if you have been reading BottomlineIT, but a few might.

Here are the technology trends for 2012:

BYOD—smartphones mainly and other devices. The twist is the growing adoption of Bring-Your-Own-Device (BYOD) in which workers are encouraged to bring their personal smartphones to work while IT will be asked to support a range of popular devices, selectively open interfaces to data and applications, and insist on a certain level of security, such as data encryption. The business will have to resolve reimbursement issues; currently policies vary from zero to all.

Social Networking for Business—will only grow in the coming year.  Social networking is the way the next generation of workers live and increasingly work.  Businesses will want to identify and capitalize on opportunities in social networking starting with collaboration.

The Internet of Things—the digital transformation of the economy continues as chips are embedded in more things from consumer appliances to packaging materials, allowing companies to meter and monitor processes and activity. RFID is just the start. Watch for more digital instrumentation appearing.

 Automated, Real-time Data Analytics—a part of the Big Data trend. Expect to see the growing adoption of advanced data analytics, which increasingly will be automated to keep up with the high volume and in near-real time to allow for dynamic data-based decision-making. And the analytics will be baked in, relieving the business from having to maintain a stable of PhD quants.

Bio-metric Authentication—passwords provide poor security. Watch for increased adoption of bio-metrics in the form of fingerprints, retina scans, facial/voice recognition, and such to replace the use of passwords for authentication.

The Cloud goes Mainstream—most companies will develop a cloud strategy at some level, whether for backup to the cloud, SaaS, to augment existing capabilities, or something else.

Virtualized Enterprise—look for increasing virtualization of every digital aspect of the enterprise, from data networking to voice communications.

Solid state memory for storage—in one form or another solid state memory will be an increasing part of almost every storage strategy as costs continue to drop and vendors get better at integrating it into the products to boost performance.

Further out:

Electronic Wallets—smart devices, including smartphones, used for almost anything from buying a can of soda to proving who you are. Big vendors already are fighting over who provides the e-wallet. Think you worry about security now? This merits close scrutiny.

Geo-Location—between smart devices and GPS look for businesses increasingly to take advantage of geographic data, first for marketing (combined with QR codes) and then much more.

In-memory Computing—combining processing with memory speeds performance.  Expect to see entire databases processed in memory.

Gamification—applying aspects of computer gaming to business software offers the possibility of more compelling and engaging business applications.  Could ERP be improved through gamification? For sure.

However things shake out, 2012 should be an interesting year for technology, and BottomlineIT will stay on top of it.


Productivity vs. Security: Find the Right Balance

Security concerns around IT systems seem to only get worse. Now organizations must contend with cloud computing, social networking, and mobile computing, all of which ratchet up security concerns. Of course, you can boost security but business will suffer. Restrict social networking and risk losing customers. Let managers access data from smartphones and risk compromising data.

“When Security is around, Productivity disappears. And when Productivity shows up on the scene, Security has to take a coffee break,” writes Aaron Weiss for Dell here.

Workers aren’t stupid. They feel the pressure from management to do more, work harder, work faster, no excuses. They know it is a tough economy; layoffs could come at any time. So they take shortcuts, and a handy place to find those shortcuts is security. How can you strike the right balance?

Here are five telltale signs workers are opting for expediency over security:

  1. Passwords hidden in the most obvious places—convenient, easy to find by anyone, almost never changed
  2. Leaving a workstation, even for a few minutes, with a session running and connection open—anyone who sits down can do anything
  3. Putting data unencrypted on insecure, easily misplaced devices (laptops, smartphones, tablets, flash cards)—usually in an effort to be more productive
  4. Sending confidential data unencrypted via email—no guaranteed delivery, no assurance the recipient will be the one opening it, no control of the data after it passes the firewall
  5. Failure to follow social media policy—spontaneous discussions with little awareness of security and confidentiality implications

In each case convenience, usually in the name of productivity, trumps security. It is faster and easier to do it this way, workers reason.

But don’t blame the workers. Management, too, sends clear signals that security is less important than productivity:

  1. Lack of a security policy and social media policy that reflect how efficient workers actually operate
  2. Failure to cultivate security awareness through regular communication and training
  3. Reluctance to invest in automated security tools that remove much of the burden of complying with security policy
  4. Failure to model and enforce proper security behavior, with accountability for security lapses
  5. Unreasonable productivity demands that drive workers to take careless shortcuts

When management, by its actions, conveys the message that throughput is more important than sensible protection of valuable data and systems assets, productivity inevitably will trump security.

Here are signs the security-productivity issue risks falling out of balance, notes Rakkhi Samaresekera here.  The most obvious, of course, is a major security incident. Before you suffer that, however, consider minor security incidents or near-misses as warnings that something is amiss. This might be an increase in thefts of laptops or more frequent virus attacks.

Audit reports should give you a good sense of potential security problems. Don’t just bury these in a file folder that never gets opened. Similarly, have consultants periodically assess current security in light of industry best practices. Again, once you get the report, don’t ignore it.

There are, however, proactive things you can do to enable security without killing productivity or triggering a worker revolt. For example, you can deploy single sign-on which greatly expedites application and data access while reducing the need to manage passwords. To get rid of passwords altogether, you can implement bio-metric authentication. It’s a bit pricey, but once deployed users reportedly love it. Also consider automated ID management tools to rein in multiple worker IDs and roles. Finally, make sure the help desk knows to respond fast when workers have trouble with passwords or otherwise get tangled in security.

Start to minimize the conflict between security and productivity by streamlining business processes within the context of effective security practices with the input of workers. This includes the new employee on-boarding process too. And new tools, as noted above, can eliminate the most cumbersome aspects of security. Of course, all of this requires an investment of time and budget. The payoff, however, is security with productivity.


Findings: Verizon Data Breach Investigations Report

According to a study conducted by the Verizon RISK Team with cooperation from the U.S. Secret Service and the Dutch High Tech Crime Unit, a total of 3.8 million data records were compromised across 760 reported data breaches in 2010. Was yours one of them?

Actually, this is good news. The study indicated a significant decrease in the number of compromised records from the prior two years. The researchers attributed the declining trend of data breaches to the collaborative effort between the US Secret Service and the industry to combat computer cybercrimes and increased security awareness.

Last week, IBM also released results from its mid-year X-Force 2011 Trend and Risk Report, highlighting that public and private organizations around the world faced increasingly sophisticated, customized IT security threats in 2011.  The results demonstrate the rapidly changing security landscape characterized by high-profile attacks, growing mobile vulnerabilities and more sophisticated threats such as whaling, a form of phishing that focuses on a small targeted group within an organization.

As the X-Force report notes, the security environment is changing: the boundaries of business infrastructure are being extended or obliterated by the emergence of cloud, mobility, social business, big data and more. At the same time, the attacks are getting more sophisticated, often showing evidence of extensive intelligence collection and careful, patient, long term planning. The repercussions of these attacks are large enough to move security discussions out of technical circles and into the board room.

Paradoxically, there have been significant gains in the fight to secure the Internet this year with many vulnerability and attack statistics significantly improving as the Verizon Data Breach data suggests. The good guys may be winning some key battles,  but the fight is far from over. The bad guys are simply moving on to new battlefields, including smartphones and tablets. The rapid proliferation of these devices combined with a consolidation of operating systems has caused attackers to finally warm up to the opportunities these devices represent. As such, IBM X-Force research is predicting that exploits targeting vulnerabilities that affect mobile operating systems will more than double from 2010.

Computer forensic and IT security expert Peter Kiilu reviewed the key findings and learning points from the Verizon 2011 Data Breach Investigations Report. As part of the report, he suggests controls that companies can implement to significantly reduce the risk of data breach and the related financial losses.

Let’s look at just a few of the key findings. For example, the victims of these breaches usually weren’t even aware they had lost data or experienced a breach until they were notified by a third party. That’s bad, especially if the party notifying you is a customer or a regulator. Not surprisingly, Kiilu noted that most of the victims subject to PCI-DSS had not achieved compliance. If you handle credit card information, don’t shortchange PCI compliance.

Hacking and malware were the most common threat actions. In fact, the top four threat events all involved external agents hacking into servers and installing malware to compromise their confidentiality and integrity.

The goal of these attacks is to get data; this isn’t just joyriding through your systems. The three most common types of data misuse observed last year were embezzlement, skimming, and related fraud. The victims, by the way, were targets of opportunity rather than specifically chosen. You can probably conclude they were targeted because they were easy targets. As Kiilu noted, almost all the breaches were avoidable, without difficult or expensive corrective measures.

Many managers, especially CFOs, voice security concerns about cloud computing. While there are legitimate concerns about cloud security, the study makes it clear that cloud computing and any technology specific to the cloud were not the main culprits behind the data breaches.

What were the main culprits? According to Kiilu, the problems revolved around giving up control of information assets and data and not controlling the associated risk. In an upcoming report, BottomlineIT will take up Kiilu’s recommended defensive actions.
