[En] Orange Business Live

the broadband revolution will not be televised

2012-02-06T05:10:30Z

Mobile operators have been looking lasciviously at the spectrum freed up by the switchover from analogue TV to digital. They want the extra spectrum for 4G LTE services to satiate our appetite for mobile broadband.

But there is a new broadband kid on the block that also wants a share of the digital dividend (the name for the analogue switchover), and it's happy to settle in between the TV broadcaster and mobile operators.

TV white space technology is an innovative way of interlacing wireless data communications alongside TV broadcast. Proposed by the IEEE and the Wireless Innovation Alliance, it can deliver very high data rates over extremely long distances with low latency and at low cost. One company claims it can deliver 8Mbps at ranges of up to 5.5km using a single TV channel's worth of spectrum. The range can be extended much further with a comparable trade-off in throughput.

There have been a number of proposed applications for this unlicensed technology including smart grids, home automation and "Super Wi-Fi".

white space tech can use unlicensed spectrum

In the US, the FCC now permits the use of white space devices (WSDs) without a licence. In the UK, Ofcom recently also announced it intends to allow white space devices to operate without a licence, with regulation set to appear next year.

Practically, the technology faced resistance from broadcasters concerned with potential TV signal interference and with TV equipment such as microphones. This prompted development of management systems to mitigate it. Such solutions direct devices to clear white space channels, so-called "spectrum harvesting".

The first US-approved solution comes from Spectrum Bridge, a company now collaborating with others (including InterDigital) to develop Dynamic Spectrum Management tools. Telcordia is also working to develop its own system, suggesting similar harvesting tools from other third-party developers as yet unknown will emerge in future.

Seen as a model for future smart city development, this relatively unpopulated bandwidth could also provide an internet connection for future M2M (Machine-to-machine) devices . White space devices could manage traffic congestion, energy efficiency and environmental sensing - or any application where there is a need for long-range communications but does not depend on real time, guaranteed quality of service.

Super Wi-Fi goes live in North Carolina

The first white space-based smart city switched on in Wilmington, North Carolina back in January. There, Spectrum Bridge offers a cloud-based spectrum management platform that uses those TV frequencies left behind by the digital TV transition. No surprise Wilmington is the first US city to have already made the transition to digital broadcasting. Now the city is using the tech to enable public Internet access and broadband-based video security systems, under the monikor of Super Wi-Fi.

With the digital switchover in the UK set to reach its finale later this year (PDF), a company called Neul recently delivered 16 megabits per second over a range of 10 kilometers in UK tests. "That puts white spaces on a par with 4G," notes Akshay Sharma, Gartner’s research director.

White space broadband is expected to evolve as complementary to existing technologies, though could play a part in bringing remote rural areas online and in connecting those new generations of M2M devices in future, Sharma predicts.

But don't expect too much too soon. A recent Cambridge Consultants report claims we'll see enterprise White Space devices begin to appear this year, with a range of consumer-focused solutions entering the market in five years. The challenge will be in establishing common standards to enable manufacturers to bring their solutions to market.

"A priority now should be establishing standards to allow for common platforms, economies of scale and large scale uptake. Without standards, White Space could be a footnote, but effectively marshalled White Space has the potential to deliver even greater innovation and new services that we have seen in previously unlicensed spectrum such as Wi-Fi and Bluetooth," said Fraser Edwards, Head of Radio Frequency Systems at Cambridge Consultants.

will "ultrabooks" take over tablets?

2012-02-01T04:15:25Z

Early January I had the fantastic opportunity to attend CES 2012 in Las Vegas and got a taste of the latest major IT trends and newest technologies. From a mobility perspective, one area really stood out: the ultrabook and its impact on the B2B market.

For many of us, tablets (which includes the iPad and Android-based devices like the Samsung Galaxy Tab) are a major milestone in term of mobility, access to information and content reachability while on the go. There are many innovative and customized applications or connected devices that make the most of tablets and these capabilities. We have to acknowledge that tablets have clearly transformed the way we see & access information on the move.

However, tablets have inherent major limitations that prevent them becoming a PC replacement: they are mostly limited to email read/reply/forward, displaying documents with limited editing capability, and they lack a proper keyboard & mouse, and standard connectors like USB and video out.

If you already have a tablet, you will easily remember the last time you tried to edit a spreadsheet, word document or presentation on the device, tried to recover an archived email, not been able to view a Flash-based site or forced onto a “mobile-formatted” web site. As a professional user, the tablet is fairly limiting.

In addition to the above limitations, as most tablets are iOS and Android based, and in order embed internal processes, companies will need, to redevelop any customized interfaces to run on the new devices, which would make migrating or incorporating those devices to a tablet-friendly interface fairly costly.

The arrival of the Ultrabooks, based on Microsoft Windows 7 (and Windows 8 with all its “touchscreen features”), is extremely interesting. For Microsoft and Intel, it is a great opportunity to level the playing field against Apple and Google..

From my perspective, the ultrabook has a good balance of cost, ease of compatibility with corporate applications and usability and therefore, transfoms tablets of any kind, into a way less attractive device.

Among the major advantages of ultrabooks, I see the following:

MS Windows-based, so fully compatible with the corporate environment and existing ecosystem (application)
includes all the major connectors (USB, video, memory slots, Ethernet…)
a range of interfaces: keyboard, mouse and rich touchscreen features when Windows 8 launches in 2012
powered by an outstanding new family of processors
boots in seconds

So, to wrap it up, I would say that for all the users needing more than a consultative device, ultrabooks are an ideal alternative to tablets. They also mean you only need one device both while on the go and in the office.

What do you think? Have Microsoft and Intel finally found a way to turn this market upside down??

how do you evaluate a password's strength?

2012-01-31T05:07:49Z

Whether you are a project manager, IT manager, head of a development project, or in charge of any other activity involving direct user contact, you have undoubtedly heard the question: “Why are there so many password rules?”

The answer is strength. The stronger the password, the better it will resist attacks. As with a bike chain or padlock combination, the strength of the code often determines how much time an attacker will need to crack it.

The definition of strength depends on the type of threat. Here we will address brute-force attacks and cracking.

brute-force attacks

The goal of a brute-force attack is to discover a password by trying all possible combinations:

in the case of an online application/system, the attacker aims to reach a screen other than the authentication page (which will indicate the operation’s success)
in the case of encrypted data theft, the attacker tries to obtain “clear” content (decrypted file) or an identical encrypted password (attack by comparing results)

After all, who hasn’t attempted a brute-force attack on their old luggage lock after forgetting the combination?

strength criteria

There are three criteria for creating strong passwords:

password length: the longer it is, the more possible combinations there are
size of the character set: the longer the character set, the more available combinations
password shelf life: the longer it’s used, the more vulnerable it becomes

We have set aside the issue of social engineering attacks, as they exploit weaknesses other than password strength.

tools

Many password generation tools are available in the form of user interfaces and libraries for developers.

However, the increasing number of passwords (for system sessions, inboxes, web interfaces, e-commerce sites, social networks, etc.) does not allow account managers to implement a policy that generates passwords for users.

The current (quite natural) trend is to enable users to define their own passwords while imposing a certain number of requirements to ensure password strength (using at least one capital letter, one special character, one number, etc.).

How should a password strength policy be created? Below are four online tools to help everyone approach this topic in a fun, educational way.

how secure Is my password?

The website howsecureismypassword.net attempts to answer the question in simple, layman’s terms. It shows users how long a machine (powerful enough to analyze 10 million combinations per second) would take to break a given password.

informative value: low
layman’s value: high
target audience: uninformed users
comments: giving a specific time period helps the tool raise awareness

Microsoft Password Checker

The Password Checker tool in Microsoft’s PC security section is not on par with what the software giant could offer.

informative value: low
layman’s value: low
target audience: uninformed users (those unfamiliar with security)
comments: the primary colors make it look like a game for kids

Password Meter

Much more elaborate than the two previous tools, Password Meter explains the criteria it uses to assess password strength. It gives your password a grade of “Failure”, “Warning”, “Sufficient” or “Exceptional” in each of its categories.

informative value: high
layman’s value: average
target audience: people who want to learn more about password strength criteria
comments: though unattractive at first glance, the tool is highly informative

Password Strength Test

In the same vein, Password Strength Test has a pared-down look but provides a wealth of important information. It succinctly outlines the metrics used to generate the final grade (character set size, entropy). An accompanying text explains which contexts are appropriate for the password and how users can improve their score, if desired.

informative value: average
layman’s value: average
target audience: people who want to learn more about password strength criteria
comments: the tool’s visually austere display will not encourage use

additional notes

The technologies used by these kinds of websites rely on JavaScript. As a general rule, no data is transmitted to the server, which limits the risk of attackers hiding behind the tool’s host website. Nevertheless, using your real password is not recommended. It’s better to use a variation that moves or reverses certain characters, for example.

The websites listed above are in English, which may make it difficult for non-English speakers to understand the analyses they provide. If you know of any educational (non-commercial) password security websites in other languages, they will be added to this article with pleasure.

This article does not go into dictionary attacks. Indeed, many brute-force attacks begin with predefined combinations (first names, cities, common nouns, etc.), which can considerably speed things up. More complex mechanisms, like rainbow tables, also help significantly reduce the time needed to break a password.

top tips for project managers: you have 10 mins to get executive buy-in

2012-01-30T04:55:20Z

I read an article by Ty Kiisel on his blog that made me think about key things to consider when presenting a project to one or more senior executives.

His article is entitled “When Presenting to Stakeholders—You’ve Only Got About a Minute”.

Like Ty, I have also noticed that a common trait among senior executives is that they’re often time strapped. As a result, their attention span can be quite limited, to say the least, so you had better not waste the opportunity to get to the point quickly. (Having said that, everybody’s time is precious). So, be concise, adapt your language to the other party, tease their interest, and be specific.

All 10 tips proposed by Ty are certainly worth the reading. From my experience of presenting to senior executives, I would say three are really key, and I would add my own fourth tip.

Top tips for project managers: communicating with senior executives

1. Keep it simple: Be straightforward. Expose the facts and why the exec's involvement is required. Don’t overwhelm them with information, be concise, avoid jargon. Doing otherwise would be a waste of time and they’ll think that you can’t synthesize a situation effectively or can’t express yourself intelligibly.

2. Always offer a solution: Offer a couple of options for a solution (but no more than two). As Ty points out, there is no point in bringing up problems without potential solutions. The boss can decide between two solutions but it is your job to come up with well articulated options that highlight pros, cons, costs and project impact.

3. Specify the actions required of them: What exactly do you need from them? A memo or phone call to unlock a situation, more money, more time, more resources, arbitration, prioritization decision? Make sure they know what they need to do to help.

4. Big picture (this is my personal tip): Remind them of the overall context of the project or issue that you want to discuss. Do not assume that they recall who you are or what your project is about. They have many things to juggle. So start from the basics of how your project supports one or more of their strategic objectives before diving into any detail. Then, provide a rapid overview of the project scope, investments, duration and key milestones. Be clear on where you stand at present against these.

I believe these are the key tips to ensuring executive buy-in.

social networks - what are risks and implications for IT security?

2012-01-24T05:26:58Z

Social networks such as Facebook, LinkedIn and Twitter have become an integral part of everyday life. These sites are 21st century phenomena, though, along with that promise and opportunity come risk and implications when users access these networks from the office and share information about themselves.

Social networking is viral and, in some cases, anonymous in nature, leading to social sites being viewed as fertile targets for hackers and criminals alike. Reasons being that social media itself allows the users to personalize their online identity and easily share information.

risks

lack of visibility and control

Many organizations have limited or no control of social networking. Reference to this link. This might stem from ignorance of the technology or simply a naive approach to protect the organization from social network perils. These organizations usually use URL filters to either allow complete access to a site and every bit of content therein – or fully restricted access.

The problem lies in identifying and controlling what users access once they get onto the site, including inappropriate material and compromised documents. Most organizations lack the ability to see and analyze content once users are on the site in order to enforce policy at that level.

broadening attack surface

People have a misconception that malicious code is only coming from the dark abyss of the web, like pornography or gaming sites. How wrong this is: according to the Websense State of Internet Security, Q1-Q2 2009 survey, almost 80% of the malicious codes come from legitimate sites. Traditional security mechanisms are defenseless against these threats.

They have “mutated” into such sophisticated states that they are able to slip through the gaps of anti-virus and URL filters. These could result in a user downloading a malware application that can uncover a company’s trade secrets.

potential for data loss

Social networking is about making connections and sharing experiences and information, however, sometimes that information is not meant to be made public. It is not uncommon that users intentionally post confidential information on the site. Imagine a software programmer inadvertently posts a proprietary software code to social networking sites, disclosing intellectual property. All these could seriously impact the organization’s reputation or even put the company at the competitive disadvantage.

needing a unified organizational approach

A unified approach is the best way to ensure a comprehensive protection against what social network throws at the organizations. Organizations today need to find new ways to leverage the power of Web 2.0 without worrying about malware, inappropriate content disclosure of sensitive information.

These should include user security awareness training which should also cover the common social network malware scams and social engineering techniques used to procure personal or login information. Of course the use of strong passwords should be mandatory. Web monitoring tool should also include DLP tool that prevent accidental or intentional data disclosures.

Ultimately, social networking is here to stay, in personal and business domains; IT executives need to think hard when it comes to maximizing the potential benefits of social networking and minimizing the risks.

Who says life is easy?

Kenneth

three cloud services trends for 2012

2012-01-23T05:48:13Z

Is this the year of the Cloud, like 2011 or 2010 before it? The difference is that it's on the verge of a tipping point. Microsoft, Google and Amazon have already nailed their flag to the mast of cloud services, and with iCloud, Apple has joined the club. It may now be a term that consumers recognise but many businesses have concerns about security, service quality and integration. Here's what the analysts have to say:

security

Security is high on 2012’s agenda. Analysts warn that at least one major cloud-based services vendor will go down in a mass of malware as hackers target cloud services to see how easy they might be to attack.

The need to deploy best-in-class security protection for cloud-based data will drive many enterprises to outsource their infrastructure, particularly as over 50% of the world’s biggest 1,000 companies will store customer-sensitive data in the cloud by the end of 2016.

“While on-premises applications are typically licensed in perpetual license agreements and SaaS in subscription deals, these lines are blurring as customers demand more flexibility in their deals,” predicts Forrester, as it reports the evolution of new “cloud broker” solutions providers.

The impact of bring your own device (BYOD) models and the fervent pace of smartphone evolution will change consumer expectation for what cloud services can do. Those consumers work in your offices. By the end of 2012: “Nearly 1 in 5 professionals with three or more devices will adopt a personal cloud service for online storage, backup and synching,” warns the Yankee Group.

The biggest challenge to cloud-based services? Smaller businesses (sub-500 employees) actually suffer more cyber attacks than larger firms. That’s a market ready to be won by successful cloud service providers, or one to be lost if the security fails.

service quality

To get the business, cloud brokers must provide verifiable proof of independent security testing, Gartner advises.

“While enterprises are evaluating the potential cloud benefits in terms of management simplicity, economies of scale and workforce optimization, it is equally critical that they carefully evaluate cloud services for their ability to resist security threats and attack,” the analysts say. Such low-cost cloud services will cannibalize up to 15% of top outsourcing players' revenue by 2015.

Gartner also expects low-cost managed IT services will become ever more important in the next five years, adding: "The projected $1 trillion IT services market is at the beginning of a phase of further disruption, similar to the one the low-cost airlines have brought in the transportation industry."

That wave of disruption is encouraging existing providers to improve their offering. Forrester: “All cloud vendors are trying to move up the value chain to deliver higher-value cloud services. In 2012, you will see more and more infrastructure-as-a-service (IaaS) vendors offer technology platform services, platform vendors offering software services, and applications vendors packaging business process services into their offerings.”

“Large enterprise software companies will start to panic if they don’t have a good cloud story to tell. They’ve either got it under control and they’ll release cloud versions of their existing products or they’ll scramble and start to acquire cloud companies. We’re starting to see it with Oracle’s recent purchase of RightNow Technologies and SAP’s acquisition of SuccessFactors. I think more acquisitions like this are likely to follow,” warns Rackspace CTO, John Engates.

integration

The dream of unified services is that everything - your social and email feeds, your calendar, address book and company data - all the information you need should be made easily available using cloud-based services and all via one single portal.

The shadow here is that while the vision may be unified, today’s early cloud service adopters are attempting to weave together multiple cloud-based services: file-sharing, email, live chat, video conferencing, social media, for example.

“In 2012, we’ll see more collaborative cloud solutions emerging where business partners collaborate on information, business objects, or even end-to-end business processes in the cloud. Cloud collaboration will become a key business driver to move to cloud solutions,” Forrester predicts.

This will also spawn new cloud-based service opportunities in new sectors, including solutions like product life-cycle management (PLM), business intelligence (BI), and supply chain management (SCM).

Last word goes to IDC: “Due to increased use of cloud computing, CIOs will spend up to 20% of their time in 2012 reviewing the terms and conditions of service-level agreements and move toward standardization.”

quicklook: five security trends in 2012

2012-01-17T04:00:00Z

The saddest thing about security is that it only wins recognition when it fails. Next year’s evolution of cloud and mobile services will give new opportunities to everybody, including hackers. What should CIO's get ready for? Here are five hot topics:

social media

Social media usage is growing fast. The world's leading social-list, Facebook will inevitably become a vector for attack. WatchGuard forecasts Facebook-based attacks will increase next year driving the network to improve security in order to protect its users. "If Facebook doesn't "like" security they'll surely get "poked"," WatchGuard warns in its note.

bring your own device (BYOD)

Consumer technology is already in the workplace. It's time to get to grips with managing security on these devices, virtual device management and outsourced services may be part of the approach. You also need strategies to manage and support app installation and download on both corporate and personal devices.

In Ponemon Institute's recent State of the Endpoint survey (PDF) 17% of 688 information and security managers said more than 75% of employees in their organizations already use personal devices in the workplace, while 20% said over half did.

Are these things protected? The evidence says many are not. Recent Ponemon Institute research on healthcare providers' patient privacy practices revealed that: "81 percent of respondents say employees in their healthcare organizations are using mobile devices to collect, store and/or transmit some form of PHI [Protected Health Information], 49 percent admit their organizations are not doing anything to protect these devices."

Beware: a recent Gartner report warns to expect new breeds of malware optimized to attack tablets and smartphones.

virtualization

Has your company virtualized your servers? If so then you'll already be considering what new security controls and options most make sense. Aren’t you?

The Stuxnet attack showed the need to protect your equipment physically as well as with software. "Expect at least one digital attack in 2012 to cause a significant repercussion to a physical infrastructure system," WatchGuard warns. Expect to protect yourself against software-driven attacks against your company's physical infrastructures.

Cloud

Don't jump into the cloud too quickly. Next year will see a mushrooming of cloud-based solutions, but you'll also see new security challenges and big name failures. Despite this, the cloud is here to stay so be aware of the changing security environment.

"One of the biggest challenges for companies is moving into the cloud space and virtualizing a lot of the products they use," says Lenin Aboagyue, principal security architect at Apollo Group.

Gartner says that 40% of enterprises will ask their providers to offer proof of independent security testing before they use their service by 2016. They also believe over 50 percent of Global 1000 companies will have stored customer-sensitive data in the public cloud.

Perhaps more threatening: small and medium-sized businesses lacking the budget to provide extensive security protection must beware. IT consultants, Kroll, believe hackers will target SMBs to get hold of their valuable data.

"Common modes of attack include everything from social engineering to SQL injection. In addition, ongoing use of legacy systems — weakened by postponed or overlooked upgrades and replacements — put SMBs at heightened risk.”

management

Security isn't just about protection, it's also understanding the nature of new business changes.

"As the world of IT moves forward, CIOs are finding that they must coordinate their activities in a much wider scope than they once controlled. While this might be a difficult prospect for IT departments, they must now adapt or be swept aside," said Daryl Plummer, managing vice president and Gartner fellow.

Larger firms will deploy rapid response security teams to defend against these new challenges. As I mentioned, we're in a time of rapid change. As devices grow more sophisticated, so will hacker attacks.

When did your firm last review your tech security measures? Can these be improved for the mobile age?

Anthony

which applications can access your Facebook, Twitter, LinkedIn and/or Google+ accounts?

2012-01-10T04:00:00Z

Social networks like Facebook, Twitter, LinkedIn and Google+ make it easy to share information with people from different personal and professional circles. Users can access these networks from standard PCs or specific applications on their smartphones or tablets.

So how can you find out – and control -- which applications are able to access your Facebook, LinkedIn, Twitter and Google accounts?

keyword: transparency

To make sharing on the Web as simple and seamless as possible, these social networks provide “widgets” (mini applications) that can be integrated into other websites. These widgets enable users to tweet a page or “like” it on Facebook in a single click. Some specialized websites even let you consolidate all your social networks, so you can post a message to several accounts at once.

one-time authorization and you’re done

When you open or launch an application for the first time, you are asked to grant it certain rights to access your Facebook, Twitter, LinkedIn and/or Google+ accounts. Once you’ve done so, the application automatically connects to your account and uses it in your name.

the dangers of unmonitored use

The catch is that over time these applications tend to add up. That’s why it’s important to periodically check your application authorizations and clean house if necessary.

Another risk is that an intruder could add itself to your list of authorized applications without you noticing. This is especially dangerous because an application’s ability to access your accounts doesn’t change, even if you change your main password. Actually, third-party applications and websites (fortunately) never have your main password. The secret to this trick is software called OAuth.

checking your list of authorized applications, websites and services

Each service provides a specific page to check the list of authorized applications and access rights:

Facebook: Account Settings > Apps
Twitter: Settings > Applications
LinkedIn: Settings > Groups, Companies & Applications > View your applications
Google: My account - Sites, applications, and connected services

no-risk housecleaning

Don’t hesitate to delete access for applications you don’t know or no longer use. And don’t worry: if you accidentally delete an application that you want to keep, you can always authorize it again the next time you use it!

tracing access rights: Facebook stands apart

Thumbs up to Facebook for being the only service that gives you an application access history. This makes it possible to identify any possible issues or misuse.

So, what do you think?

Jean-François

photo credit: Gautheron

source: Lenny Zeltser, “Which Apps Are Authorized to Access Your Social Networking Accounts?”

quicklook: mobile in 2012

2012-01-09T04:21:28Z

Mobile will be massive in 2012, and beyond. The smartphone-driven explosion is changing everything and they are taking over some of the ancillary functions traditionally handled by laptops and other PCs.

Stock control, equipment manifests, customer contacts, digital signatures, translation devices, input tools; many applications in many different industries are potentially affected. For example, airline pilots can use tablets such as the iPad for their flight maps and data. In the long run, how many low-level PCs could be replaced by portable devices?

that post-PC thing? It’s real

In 2011, shipments of mobile devices exceeded those of PCs. IDC predicts that in 895 million mobile devices ($277 billion) will ship in comparison with under 400 million PCs ($257 billion) in 2012.

"By 2016, at least 50 percent of enterprise email users will rely primarily on a browser, tablet or mobile client instead of a desktop client,” informs Gartner. It believes that the pace of change over the next four years will be breathtaking, with collaboration requirements and mobile device management at the forefront of this revolution.

“In what should come as little surprise, governments will see "explosive new growth" in mobile applications and devices, not only for citizen outreach, but also for more internal business use,” according to IDC, as reported by Information Week. Concrete recent evidence of this when sources confirm Downing Street is developing an iPad app for UK PM, David Cameron. This will give him access to all available government-released data, for example National Health Service (NHS) waiting-list figures, crime statistics and unemployment numbers.

emerging markets matter

As the global wealth balance continues to reconfigure itself, anticipated future weakness in established markets means emerging markets are incredibly important. As evidence of this potential, Apple’s attempts to boost business in China have generated a 270% climb in its revenues there.

"We purposely put the bulk of our emphasis from an emerging market point of view on China to really learn, and then we're going to take that learning to other markets," said then-COO now CEO, Tim Cook last April.

“In 2020, half of the world’s middle class population will come from Asia,” writes AT Kearney. With business booming in Asia, mobile device makers are focusing on Brazil and Latin America for future growth. Asia-Pacific will see almost 39 million tablet sales next year, reports Yankee Group.

our machines are talking

The number of global mobile subscriptions will pass the 6 billion mark in February. Asia-Pacific alone will pass 3 billion in January, says Pyramid Research. 2012 is also the year of LTE, it says. Broadband penetration will pass 10 percent globally. IPTV, software as service, cloud-based solutions, the app economy and new media services will drive the mobile offering.

LTE will also boost new markets in machine-to-machine (M2M) families of connected devices as connected devices become every day in the home. This will create a new future opportunity for mobile carriers, some reports suggest.

“Two areas that are beginning to see growth in the M2M segment are the in-home and automotive sectors. Both segments witnessed initial traction with Bluetooth technologies that allowed for the connection of devices using the short-range technology. But more powerful radio technologies are now making their way into both avenues, providing greater capabilities and opportunities,” according to a recent report from IDATE Consulting and Research.

How do you think mobile technology will change your business in 2012?

mobile devices and hidden threats

2012-01-06T04:07:19Z

For my first blog around mobility for business, I thought that the basic security experience is a good point to start with.

In this “hyper techno-world" mobility is being promoted in a broad sense, how useful it can be and how it will improve your productivity and reactivity. Many are also predicting the end of traditional ways of working and switch from an 8 -5 job to always being connected.

As we are all “important” ;=)) and require the latest electronic mobile gadgets, a couple months ago I have decided to get a brand new tablet in order to test the promising new applications and capabilities that have been hyped up.

A couple days after installing the only corporate-approved applications (MS Exchange), I started to browse the application store and did install completely non-secured and un-approved applications such as dropbox, google apps, SIP/video applications, games, file-sharing etc.. . and for most of them .. this included the capability for these applications to access sensitive data.

To make this point and by using Netqin security tool, you can see a fairly scary example of applications accessing various parts of my device:

22 applications accessing my address book
4 applications accessing my SMS and mail
27 applications accessing my location
37 applications accessing my device information

So, even if an application seems to be benign, by giving access to stored on a device, which is sometimes connected to corporate information (such as corporate directory) the user's device -- and thus the enterprise -- is potentially vulnerable to spyware, malware, viruses, etc.

Most people working in IT acknowledge the fact that adding tablets and smartphones, aka a bring-your-own-device (BYOD) policy, to the corporate ecosystem contains a lot of threats that need to be taken extremely seriously without delay before talking about any potential business opportunity.

Some food for thought around security to think about before letting new devices access corporate data:

authenticated access -- If a tablet is lost, stolen or left unattended, enforcing native, device-level authentication (PINs, passwords) can reduce the risk of a stored data breach or device application and connection misuse.
anti-loss measures -- Native remote lock, find and wipe capabilities can often be used to recover a lost device or permanently prevent it from becoming a security liability, including devices issued to employees who have left the organization. .
authorization -- Mobile operating systems support native techniques like code signing, application data protection, and device feature restrictions that enterprises can use to reduce risks posed by mobile malware or inappropriate use. Devices don't come with native anti-virus, anti-spam, or intrusion detection, but these can be obtained from third parties.
data protection and encryption -- Mobile operating systems provide native support for security data traffic including SSL and selected VPN protocols.
device management – Various solutions exist (afaria, Mobile Iron, 3LM…) to centrally provision and control tablets and smartphones, enforce their security settings, manage applications and monitor their usage.

To wrap this up, I would reinforce the point that, prior to to seeing mobile devices as an opportunity, top-down mobile security enforcement is becoming a must have for any secured corporate mobile usage.

Philippe

HELP! I'm becoming a project sponsor... what do I need to do?

2012-01-05T04:44:44Z

In the literature on project management, the role of project sponsors seems to have appeared in the 70s. It is at this time that project management spread to all industries and activities instead of being limited to big construction projects, military and aeronautics. Certain companies then started to reorganize by project and it rapidly became apparent that there were not enough business leaders to directly lead all projects. These leaders had to rely on more operational project managers while keeping the role of the business sponsor as the person ultimately responsible for the project.

Being a project manager, becoming the sponsor of a project is like crossing the mirror. The PM who I am has very strong expectations (but nevertheless realistic) of his sponsor. If I were to become a sponsor, which would or should be my first concerns?

Certainly first of all to define precisely my role and expectations of the PM, in the same way as he or she will have expectations of what I should bring to the project. It is thus necessary to establish mutual trust between us based on clearly established roles and responsibilities, regular communications, and common rules.

Let us try to establish a few elements that will help better understand the sponsor’s role.

]]> business champion, legitimacy

To perform successfully his role, the sponsor must be listened to and recognized by his peers in the business and by his management. It is therefore critical that I get in touch with all stakeholders of the project. I need to understand clearly their expectations of the project, their necessary level of involvement, and listen to their points of view. It will be particularly useful at this time to obtain access to their expert resources of the domain. And, also these discussions shall enable me to appreciate the problems to be addressed from the insiders’ view.

direction and support in decision-making

Here is one of my sponsor’s key roles. It is a matter of giving a direction and management support to the project manager. It is thus imperative that I have an excellent and very clear overall view of the objectives of the project and that I am able to articulate and to communicate these simply and effectively. And this for all the stakeholders: the project manager and his team of course, but also the management of my company, including or maybe even in particular towards those who seem less impacted by the project but have a large influence in the company (not always high-ranking individuals).

review and approve plans and deliverables

Beyond the adequacy of the deliverables and project plans to the concrete objectives of the project, the sponsor’s role is to improve these project’s deliverables and to approve them formally. The best sponsors that I've had as PM were those who had the capacity to see farther than the deliverables in themselves. They perceived early how these products would be welcomed according to the expectations of the many stakeholders. They anticipated the potential negative reactions to prevent these, often by modifications which may seem to be cosmetic but which made a huge difference. They were always one or two steps forward in their reflection with regard to my inevitably more operational focus.

Guarantee availability of the assigned resources in due time (including my own)

I shall be demanding and even inflexible on the provision in due time of the resources promised to the project team to succeed. How could I be strict on any drift of the project if the authorized means are not provided? The most difficult one will be probably my own availability to the project manager. It must be easy to obtain, immediate, and especially with a 100 % of my attention dedicated to the project on these occasions.

remove the obstacles

In addition to supplying the necessary resources, I have the obligation to unlock complex situations or crises that the PM despite of all his/her efforts (because it is first of all his/her role to do so) would not know how to address. It doesn't mean removing the responsibility from the PM’s shoulders but rather supplying the required support when necessary.

establish and decide on the priorities

What should we do? Delay the project production date by a few days or to exceed the budget? The PM will supply me the arguments in favor and against these two alternatives, and possibly his/her recommendation. The decision will be on me and I shall have to take into account all of the following: the objectives and the imperatives of the business, the operational and commercial impacts, the stakeholders… This type of decision cannot be put off and, very often, no decision is worse than making an error which we will correct later.

examine progress regularly

A combination of formal and informal sessions seems to me an efficient approach. Formal project committees and the other gates or milestones reviews are necessary but often insufficient. Indeed, reading a report or listening to a well prepared presentation speech will not allow me to understand what’s really happening. It is necessary to read between lines, to hear the unsaid, the intangible, to appreciate the difficulties of the PM and to have a real human relationship. In my past projects, brief (30 minutes) and regular (weekly) sessions appeared to me to be the most effective.

promote frank and open communications (put down the masks!)

To get the vital info, including the bad news that are difficult to hear, I need on my side to be frank and open with the PM. To communicate without taboo or hidden agenda is a must. A part from information that could place the company at risk such as the legal issues (some financial information for example, or reorganizations and mergers/acquisitions), everything can be explained with a little bit of intelligence and trust.

provide standards of performance

To be opened and approachable does not mean being permissive. My best sponsors were inflexible with me and my team. I had very clearly their support and knew perfectly what they expected from me. We had high standards of quality and performance and these were mutually shared.

develop an organization that learns from its mistakes and successes

Finally, as the sponsor of an important project of the company and thus member of its senior management, I owe to develop the skills and the know-how of the resources which are under my leadership and to make sure that the lessons learned will benefit future projects.

DDoS attacks over spam

2012-01-03T04:35:47Z

In early May 2011, the Czech Republic hosted the "Security and Protection of Information" conference, featuring an opening speech on "Denial-of-service (DoS) attacks using white horse systems: new proof-of-concept DoS against the domain name system (DNS) servers".

The presentation covered a new attack method that denies service on DNS servers using spam campaigns.

the idea

Below is the theoretical architecture presented by researchers Jakub Alimov (seznam.cz) and Minor (zone-h.org) in their article.

appetizer: DNS toast

This tasty bite is standard because attackers modify the DNS zone with a domain name in order to register the target server as a name server (e.g., foobar.com NS 1.2.3.4). Any Simple Mail Transfer Protocol (SMTP) server attempting to send an email to the domain name has to collect all necessary information (as outlined by Request for Comments 2821 by asking the responsible DNS server (in this case, 1.2.3.4).

first course: spam salad

The first course of attacks features typical techniques that send spam using the address(es) belonging to a domain previously declared on the DNS server (e.g., user.123@foobar.com, user.456@foobar.com). It is also possible to use sub-domain names (e.g., user.789@dummy.foobar.com).

Note: researchers have identified more than 14,000 unique IP addresses (apparently issued by the same botnet) for spam operations.

main course: white horse steak

The chef’s secret here is using what researchers call “white horses,” which are servers with high bandwidths. Big SMTP server hosts such as Yahoo Mail, Microsoft and Google are favorite targets.

Since each one has the strength to hit hard, these servers can effectively fight spam attacks, although many cases require an analysis of the sender’s legitimacy. In compliance with the RFC in force, SMTP servers verify all information associated with the domain name of each message (in this case, a "MX RR" or "A RR" DNS request for the foobar.com zone).

Researchers note that it’s possible to use a botnet of 50,000 machines, with each machine sending messages to 100 different white horse systems.

dessert: DNS medley with distributed DoS sauce

To perform their task, SMTP servers directly or indirectly ask the responsible DNS server about the domain name, directing a large volume of DNS requests to the target server (in this case, 1.2.3.4).

As the server does not necessarily have the capacity to handle these requests, it becomes a victim of service denial. As a reminder, servers requesting information are among the white horses that have access to significant resources.

Working with the figures listed above, we quickly arrive at 50,000 machines x 100 white horses x 1 message = 5 million messages or MX RR requests to the targeted DNS server.

anti-indigestion remedies

Protecting DNS zones is obviously the first line of defense. However, nothing can guarantee that a cyber-squatted zone will not choose your DNS server as a target.

Blacklisting the domains in question is also an easy form of protection, but it is not very effective. Attackers are free to use several domain names during operations (thus adapting their spam campaigns to blacklists).

Only protection mechanisms on the white horse side will be effective, such as anti-spam protection and setting up rules to limit DNS request streams.

Another solution is anti-distributed DoS protection, which can be set up with or before your infrastructure.

homomorphic encryption: a giant in the clouds

2011-12-27T05:33:16Z

Cloud computing makes it necessary to send data to the cloud provider. If this is a storage service, the data can be encrypted prior to sending. In this case, data confidentiality is protected, and the provider can neither use nor analyze the data.

However, in the case of a cloud computing service like Software as a Service (SaaS) or even Infrastructure as a Service (IaaS), data can be encrypted during the transfer phase but must be unencrypted in the cloud. In fact, if you want your Virtual Machine (VM) to work, you have to make sure that its code can be executed.

For the moment, companies using cloud computing services have to have faith in the service provider they choose. Techniques for encrypting a VM and disk volumes are available, but they are only partial solutions: for at least a moment, as short as it may be, the data is unencrypted. This can be problematic – or at least slow the turn to cloud services – for the most sensitive data.

moving toward a solution

Homomorphic encryption addresses this need to "encrypt everything all the time”, both during data transfer to the cloud and data use in the cloud. It’s the holy grail of data confidentiality in the cloud.

On 8 August 2011, Microsoft’s research laboratory for cloud cryptography announced a significant advance toward this holy grail in the MIT Technology Review: "A Cloud that Can't Leak". Don’t get too excited yet, though, since this new method of data encryption is still in its beginnings. We’re still far from being able to execute VMs in a cloud using homomorphic encryption. Maybe the first applications will be more for SaaS or Platform as a Service (PaaS), or for handling specific data types.

For those who are into technical details, the published papers are available. The most interesting (or the most understandable for amateurs in the crypto field like me) is this one: "Can Homomorphic Encryption Be Practical?"

operating principle

Homomorphic encryption works like this: the customer sends encrypted data to the cloud. The encrypted data then undergoes processing (a calculation, for example), which yields a result. The result itself is also encrypted, so the cloud service provider cannot read it. Finally, the cloud service provider relays the result to the customer, who then decrypts it to obtain the end result.

With homomorphic encryption, the final result of the processing is the same as when the data is not encrypted, and data is never unencrypted during transmission or treatment.

it’s coming along, but it won’t be ready tomorrow

While waiting for research to advance, we can look at some solutions that currently offer an initial response to the need for confidential cloud-stored data. For VMs, file systems can be encrypted using application programming interfaces (APIs) integrated into operating systems (BitLocker, dm-crypt, etc) or to use solutions like SafeNet ProtectV or FreeOTFE.

The main shortcoming of all these solutions is that they require the decryption key to be transmitted at a given moment (typically when booting up the VM). The storage and transmission of encryption/decryption keys is a lengthy subject: it’s the field of Virtual Trusted Platform Module (TPM).

These are solutions that are practical but perfectible. They offer us a temporary response while we wait for something better. Homomorphic encryption is a hot topic that we will follow in the years to come. In the meantime, we’ll have to make due with what’s out there!

It's the most wonderful time of the year...

2011-12-23T04:20:04Z

…or, so sings Andy Williams.

Here at Orange Business Services, we wish all of our readers a happy and relaxing holiday season. Many of us are taking some time off as well, so things will be a little slower than usual around here (but never fear, for our multinational customers, we’re always on call).

We’ll still publish a few articles during this slow-as-molasses time of year, as not all of our readers – who, incredibly, come from more than 135 countries and territories -- will be taking time off from the office.

Best wishes for the holiday season and we’ll see you again in 2012!

ciao Knowledge11 ... looking forward to Knowledge12

2011-12-21T04:51:00Z

About 400 customers, partners and ServiceNow employees gathered in Frankfurt earlier this month to attend Knowledge11 and share experiences on the ServiceNow platform.

Fred Luddy, ServiceNow founder, presented the coming enhancements to the platform and, more particularly, automation, archiving and the new scalability of the architecture. These new features will allow IT organizations to manage larger volume of incidents or requests while optimizing performance; this is especially important as there are 20 million end users using ServiceNow to interact with their IT organizations.

My take-aways from this conference:

some organization using ServiceNow as a Platform As A Service are also developing their own awesome applications. For example, Verisign is able to view their datacenter setup directly in ServiceNow so they know exactly where each server is physically located in their datacenter; and CERN is using ServiceNow for all types of requests, even non-IT request such as hotel reservations or car rentals.
cloud is key for IT organizations, but strong guarantees are needed around security, scalability, performance. The SaaS solution provided by ServiceNow is aligned with this view by providing a reliable platform without customers needing to worry about the infrastructure
social IT Service Management is on the way with chat and feeds. Interaction with IT users will be simplified by allowing them to exchange via their usual channels such as Facebook or Windows Live Messenger.

]]> automating tasks using the CMDB

If there were one particularly intriguing take-away from Knowledge 11, it would be the SwissRe presentation on task automation using the Configuration Management DataBase (CMDB – the database that stores relationships between the configuration items).

SwissRe is standardizing their workflows for incident, change and service request management, in order to have only one dynamic workflow in ServiceNow per defined ITSM process. Depending on the information provided by the requestor (incident, request, change), the different tasks to be performed will be automatically populated following the tasks associated to the Configuration Item (CI). The tasks associated to this CI would be the responsibility of the Service Owner.

This is a very interesting approach. The main challenges that I see would be the level of granularity of the CMDB (the more tasks you will have to define and maintain) and the willingness of the service owner to automate tasks on their service portfolio. Are people ready to spend time to detail their own activities and to detail the tasks associated to the services they provide? And what needs to be done in the CMDB (structure and granularity) in order to limit the Service Owners’ level of effort and to keep the CMDB and tasks updated through the change process?

What were your take-aways from the event? If you weren’t able to attend, ServiceNow has published the presentations from the event on SlideShare.net.

photo credit: Sue Berry
diagram credit: ServiceNow