Posts Tagged ‘collaboration’

Mobility – Magic or Mayhem

April 7th, 2011

Love it or hate it, mobile computing is here to stay. Be it smart phone, tablet, netbook or ultra-portable, society as a whole seems stupidly addicted to having information at the tips of our fingers.

Mobile device sales now seem to outpace population growth; a cool statistic that Padmasree Warrior ( @padmasree ) wheeled out at a recent Cisco event was that every second 4 babies are born in the world, but in that same second 40 mobile devices are sold! Take a quick look around: how many iPhones, iPads, Android devices, eReaders, etc. are in your household? (I’ve got 3 iDevices alone in my house and both my kids are under 3.)

Brought on by the modern need to be always connected and the “there’s an app for that” approach to mobile computing (social networking, collaboration tools and other resources being some of the drivers), there is little wonder what “the next target” will be.

Criminals in general will target the best return for their investment, i.e. hit the biggest deployment base via the easiest means in the hope that a percentage of attacks will be successful. It’s called return on investment.

Attacks

These are still early days, and attacks have come a long way from a simple “Rick-rolling” of someone’s phone to embedding root-kits into applications, opening up the potential for much, much more.

That the Google Android app store pulled 21 infected apps because of malware, with other stories suggesting upward of 50 applications were actually affected, shouldn’t really come as a surprise.

Whilst there are a variety of reasons why this happens, essentially it all boils down to money.

Given the growth of the smart phone deployment base and the popularity of app stores in general, it makes perfect sense that we are seeing a rise in mobile platform exploits hitting the news. This form of exploit, embedding malicious code in applications that otherwise appear harmless, is certainly low-hanging fruit that is ripe for the picking.

Whilst there is a relatively strong desktop security software market, along with a generally heightened awareness when it comes to viruses, malware and even information classification in general, on the mobile computing platform everyone seems to have a laissez-faire attitude.

Mobile security

While many say 2011 is the year of the Cloud, I’m going to suggest it is also the year of the mobile device exploit. I’m willing to bet that a lot of the bigger players out there are thinking along the same lines; as can be seen through some acquisitions and announcements.

The Enterprise

Always-connected comes at a price. Everyone wants these devices and wants them connected to the corporate network so they can access email, intranet pages and documents, and even remotely manage infrastructure.

I see a number of different issues:

  1. People will bring them in regardless of policy, so how are you going to change your policies?
  2. How do you provide secure access to the information and resources people need?

Policy – the fix all?

Before you say, but corporate policy disallows the use of XYZ device on the network so people won’t be connecting or using them, guess again! I can guarantee that in your organisation people are using the likes of Dropbox and Evernote to get access to the files and information that they need to do their job.

As I’ve said previously:

policy only gets you so far. As with any security policy, if it is too restrictive or just too complex, people will just ignore it and do what they want, or need, to do

People will connect their devices in ways that would make you cringe.

How do you provide secure access?

With the move to an any-device-anywhere model in organisations this could be a real issue. What happens when a device, corporate or personal, gets compromised?

At this stage this is all up for debate, as the industry hasn’t taken mobile device security seriously enough for long enough. The easiest way is to start by providing tools that give you as a business the control, and your people the access, they require.

Open or Closed?

Now there is the debate between open and closed platforms, coupled with open or closed marketplaces, but even closed platforms have vulnerabilities that are exploitable, be it in hidden features or bugs in the code. It does, however, make sense that an open platform with an open marketplace would offer an easier target than a closed one, but as mentioned previously the user-base also plays a large part in the overall equation; again, these are early days.

The best choice is providing the platform yourself so you can control, to some degree, what goes on. Otherwise look at other measures that will allow functional, secure access to services.

Ultimately the open vs. closed debate is one that has been raging for years, regardless of the platform. Only time, and statistics, will tell.

So?

What does this mean to Joe Average and the Enterprise? There needs to be a strategy for how you will address this, and one that is flexible enough to take into consideration that this is a fast-changing area.

A good start: your mobile device is a computing device, and at a minimum the same security precautions need to be taken as for traditional computing devices. Arguably, given the device is more susceptible to both “locking down” and being “lost” than a desktop or laptop, some additional device-specific considerations should be taken into account.

Thanks to Ben for critique and edits.

is CloudCamp relevant?

August 24th, 2010

Currently on the Twittersphere there is a debate on the value and benefits of CloudCamp:

This was quickly followed by a number of points of view, rants, and seemingly irrelevant comments.

When you look at the “mission” of CloudCamp,

CloudCamp was formed to provide a common ground for the introduction and advancement of cloud computing

Or look at the opening statement on the homepage:

CloudCamp is an unconference where early adopters of Cloud Computing technologies exchange ideas. With the rapid change occurring in the industry, we need a place we can meet to share our experiences, challenges and solutions. At CloudCamp, you are encouraged you to share your thoughts in several open discussions, as we strive for the advancement of Cloud Computing. End users, IT professionals and vendors are all encouraged to participate.

Ruv (Ruven Cohen) responds with:

Whilst these are all well and good, what seems to happen, from my own experience, is that a number of the louder attendees take over the sessions they are involved in, either to push their product or to get an answer to a specific problem (the last one in Sydney was a perfect example of that).

I think that the education part is a little tired now and there are more than a few resources online that can sufficiently educate the masses. As for furthering Cloud Computing… at this early stage, I don’t see any of it happening.

The standard format of CloudCamp is:

  1. Lightning talks – sponsor presentations that go for ~5 minutes
  2. Unpanel – an impromptu panel of “experts” who get to respond to questions from the audience
  3. Unconference breakout session planning – attendees get to put up options for discussion and the ones with the most votes get discussed in breakouts
  4. Breakout session 1 – topics get discussed (groups formed and scattered around the conference facilities)
  5. Breakout session 2 – second round of topics discussed
  6. Social event – normally drinks somewhere

The biggest issue is actually being able to measure the effectiveness or value of the current CloudCamp model. As, by definition, it is an unconference, it’s pretty hard to get a solid handle on any measurement criteria ahead of time.

With all that said, I think that they are still useful, especially outside of the U.S. where there isn’t really another Cloud Computing related conference to attend as a single place to see what is happening in your local market.

A couple of points where I think improvements can be made:

  • Pick a theme for the event:
    • This way attendees can have a clear understanding of what they will learn.
    • It will also curb the tendency for “Lightning Talks” to be vendor pitches.
    • Hopefully this will also stop irrelevant talks.
  • Supply some form of online feedback ability – you can’t make it better or more relevant if there isn’t the ability to have an open dialogue with the actual community (locally, that is).

</rant>

… and I’m back!

June 16th, 2010

It’s official, after an eight (8) month stint in the back of house looking after new business for the delivery arm of the big T I’m moving back into a technical role.

Whilst I’ve learnt many things and worked with some great people, I really am looking forward to getting back into the thick of it, rather than watching from the sidelines. So this time next month I’ll have taken over the reins as Lead Security Architect for Telstra Enterprise and Government.

I have some pretty HUGE shoes to fill but I’m really looking forward to the challenge.

Collaboration becoming more attractive.

October 15th, 2009

Thoughtlet: Just saw this article on ARN Daily: “Collaboration tools worth the investment, survey says”.

Apart from the sales pitch at the end of the article, it’s interesting to see that the Frost and Sullivan study now puts the return on investment at four and a half (4.5) times, up from what I wrote in a previous article.

This goes to show that technology is becoming cheaper and easier to use and more and more businesses will look to take on these tools.

What is your business’s collaboration strategy, and the security strategy supporting it?

Security – data in a collaborative world

September 5th, 2009

OMFG WTF Did this really happen?

Recently, whilst working on a customer proposal around introducing collaboration capabilities within their environment, I was struck by the security implications of exposing business critical information (data, documentation, strategies) to partners, suppliers and potentially random onlookers.

Why Collaboration?

As the business requires greater flexibility and connectivity (as it becomes more time critical and complex), collaboration tools enable authentic and productive working relationships regardless of geographic or time zone differences (what I like to call Geo-Temporal restrictions). Collaboration encompasses a broad range of tools that enable groups of people to work together, including wikis, web sharing, video and audio conferencing, instant messaging, blogging services and even email.

Just as the market has become more flexible and connected, so too has the workforce. The evolution of the personal workspace has seen the progression from mobiles to laptops to smart devices, allowing people to communicate wherever and whenever they wish.

Whether it be a corporate wiki or a Microsoft hosted instance of SharePoint, collaboration isn’t something that is going to go away, and security zealots, along with network and system administrators, will have to concede (at some point) that people are going to start using these tools, by hook or by crook, and should therefore be prepared.

Criticality of these tools to businesses

Businesses are not only taking collaboration more and more seriously; today they rely on it to get things done.

Quote from “Meetings Around the World: The Impact of Collaboration on Business Performance”, conducted by Frost & Sullivan and sponsored by Verizon Business and Microsoft Corp, via the Microsoft Press site:

Collaboration is a key driver of overall performance of companies around the world. Its impact is twice as significant as a company’s aggressiveness in pursuing new market opportunities (strategic orientation) and five times as significant as the external market environment (market turbulence)

What that statement means is collaboration has a real impact and those that embrace it reap the rewards. What that translates to in the real world is “we need these tools now and don’t care what it takes!”.

Risk to the Business

Business data is exposed. This applies regardless of whether the data is stored locally or *gasp* in the cloud. For the security focused among you, the principles of confidentiality, integrity and availability (CIA) are screaming out. For the rest, the questions are: how do you ensure that only those who should see the information are the ones who are seeing it? How do you ensure that information shared via collaboration is not accidentally or maliciously altered? And will the information be available when you actually need it?

When you realise how simple it is for someone to start sharing your business’s innermost secrets, or how that urgent proposal is now inaccessible because the portal is down, all the benefits of collaboration come into question.

Measures to reduce risk

There are a number of different measures that can be put in place to help reduce risk as well as increase the overall awareness.

  • Security Policy
  • Data Classification
  • Restriction – Access Control
  • Company provided and sanctioned tools
  • Use a large stick

I’ve loosely applied parts of the ISO27001:2006 framework to my measures (well, the bits that are generically applicable) and, depending on what is being used, more of the management framework could be applied.

Security Policy

It always starts with policy, but policy only gets you so far. As with any security policy, if it is too restrictive or just too complex, people will just ignore it and do what they want, or need, to do. As Bruce Schneier recently pointed out in a blog post:

They know what the real risks are at work, and that they all revolve around not getting the job done. Those risks are real and tangible, and employees feel them all the time. The risks of not following security procedures are much less real. Maybe the employee will get caught, but probably not. And even if he does get caught, the penalties aren’t serious.

He goes on to say that unless you impose harsh penalties and make a public spectacle of the infringer, little will change. Collaboration tools add to the temptation for users to go around the system to get their job done. I personally have done and am currently guilty of this particular sin.

Data Classification

Data needs to be restricted and classified. More now than ever, you need to clearly define the data: what can and cannot be distributed or used in this manner. If it’s being cached or stored externally, do you trust that facility and, if so, to what level? What do they do when you close that account? Is the information still kept?

Restriction

Collaboration tools need to be able to authenticate (provide a mechanism to verify) participants in order to ensure that only the correct people are accessing not only the tools themselves, but the data within. These tools also need to support restricting functions based on role, as you might not want the average user to, say, accidentally share their desktop, be able to involve participants external to the organisation, or even try starting up their own corporate blog.
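The two controls described above, authenticating participants and then restricting functions by role, can be sketched in a few dozen lines. The following is an added example written for this page, not code from the original post or from any particular collaboration product; the role names, the permission mapping and the sample users are all constructed for illustration, and a real tool would back the same checks with its directory and audit pipeline.

```python
"""Authenticate participants, then restrict collaboration-tool functions by role.

Added example (not from the original post). Roles, permissions and users
below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Functions a collaboration tool exposes; the post names three that the
# average user should not get by default.
JOIN_MEETING = "join_meeting"
SHARE_DESKTOP = "share_desktop"
INVITE_EXTERNAL = "invite_external_participant"
CREATE_BLOG = "create_corporate_blog"

# Assumed role -> permitted-function mapping (constructed for this example).
ROLE_PERMISSIONS = {
    "viewer": {JOIN_MEETING},
    "presenter": {JOIN_MEETING, SHARE_DESKTOP},
    "host": {JOIN_MEETING, SHARE_DESKTOP, INVITE_EXTERNAL},
    "comms_admin": {JOIN_MEETING, SHARE_DESKTOP, INVITE_EXTERNAL, CREATE_BLOG},
}


@dataclass
class User:
    username: str
    role: str
    salt: bytes
    password_hash: bytes


class AuthenticationError(Exception):
    pass


class AuthorizationError(Exception):
    pass


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so stored credentials are not directly reusable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(directory: dict, username: str, password: str, role: str) -> User:
    """Create a participant with a role that must exist in the permission table."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    salt = secrets.token_bytes(16)
    user = User(username, role, salt, _hash_password(password, salt))
    directory[username] = user
    return user


def authenticate(directory: dict, username: str, password: str) -> User:
    """Verify the participant's identity before any function is reachable."""
    user = directory.get(username)
    # Hash even for unknown names so response time does not reveal valid usernames.
    candidate = _hash_password(password, user.salt if user else b"\x00" * 16)
    if user is None or not hmac.compare_digest(candidate, user.password_hash):
        raise AuthenticationError("invalid credentials")
    return user


def login_ok(directory: dict, username: str, password: str) -> bool:
    try:
        authenticate(directory, username, password)
        return True
    except AuthenticationError:
        return False


def authorize(user: User, function: str) -> bool:
    """Role decides which functions are available; unknown roles get nothing."""
    return function in ROLE_PERMISSIONS.get(user.role, set())


def invoke(user: User, function: str, audit_log: list) -> str:
    """Enforce the role check and record the outcome, allowed or denied."""
    allowed = authorize(user, function)
    audit_log.append((user.username, user.role, function, "allowed" if allowed else "denied"))
    if not allowed:
        raise AuthorizationError(f"role {user.role!r} may not {function}")
    return f"{function} performed by {user.username}"


def demo() -> list:
    """Walk two constructed users through allowed and denied functions."""
    directory, log = {}, []
    register(directory, "alice", "correct horse", "viewer")
    register(directory, "bob", "battery staple", "host")
    alice = authenticate(directory, "alice", "correct horse")
    bob = authenticate(directory, "bob", "battery staple")
    invoke(alice, JOIN_MEETING, log)
    try:
        invoke(alice, SHARE_DESKTOP, log)  # a viewer cannot share their desktop
    except AuthorizationError:
        pass
    invoke(bob, INVITE_EXTERNAL, log)
    try:
        invoke(bob, CREATE_BLOG, log)  # a host still cannot start a corporate blog
    except AuthorizationError:
        pass
    return log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The audit list returned by `invoke` is the part worth keeping in a real deployment: every denied call is a record of someone trying to go around the restriction, which is exactly the signal the accountability measure later in this post depends on.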

Provide the tools

One of the simplest ways to stop people going around the policies and procedures, and to reduce some of the risk, is to give people access to the tools they need. That way they can be controlled, logged and audited as required. Users that don’t have access to the tools they NEED to be efficient at what they do WILL use them anyway, regardless of the policies; as pointed out above, people know the real risk is not performing. Simplistic examples are:

  • Executives with BlackBerrys or iPhones wanting to access their corporate mail now, from unpoliced, uncontrolled devices.
  • IT staff who bring in their own netbooks or laptops to be able to be portable and work on the road or from a cafe.
  • Sales staff who use web collaboration and meeting tools, share documents and give presentations that do not have authentication mechanisms.

Accountability (Use a large Stick)

When an incident happens it needs to be dealt with and dealt with swiftly. Ultimately, unless people are held accountable nothing will get them “thinking” about the risks and acting differently. This goes for everything from classification and restriction of data, to using the tools.

I don’t think that this is a complete list; it is just a subset of the issues faced. The funniest thing is the parallels with utility computing, as collaborative tools these days are also more and more “Cloud” based.

There is certainly a lot more that could be added. Anyone care to add their thoughts?