
Archive for the ‘Discussion’ Category

The Revolution in IT Has Already Begun – Cloud Adoption

July 1st, 2012

2012… Who’d have thought only 5 to 10 years ago that we would now be in what can only be described as a revolutionary change within the IT industry. Well – I’m hoping you may have noticed… we’ve now reached a pinnacle point in time where those who are brave enough will reap the benefits and will be rewarded with growth in the next few years ahead. Yes – I’m talking about cloud adoption in business & the enterprise.

Thanks to technology advancements over the past decade, the business world has become an increasingly adaptive, fast-paced and competitive world, where only those who are prepared to fail (but fail quickly and cost-effectively) will survive. It’s therefore time to become a part of the journey, and to adapt to what can only be described as an industrial revolution within the world of IT… before your competitors leave you far behind. It’s “IT Transformation” Time!!

There have been various radical advancements in technology over the past few years, including virtualization, consumer-driven advancements in mobility, and ultimately changes in how we, as individuals and businesses, interact with and consume IT services in today’s world. Yes – I have to agree that the term “cloud” is the most over-hyped but often misunderstood topic; however, let’s get straight to the point here and demystify just how big a change we are about to witness within the world of IT and business.

The key thing I need to reiterate is that there are some HUGE opportunities for businesses that are brave enough to embark on what can only be described as a transformational change in the use of Information Technology. OK, so everyone has heard of the term “cloud”, but the majority of us don’t fully comprehend just what it is or how much it will change the way in which we consume IT and operate as a business.

There are so many myths and misconceptions about cloud adoption which ultimately prevent most large businesses and enterprises from embarking on the cloud journey. For clarity’s sake, I’m predominantly talking about Infrastructure (IaaS) and Software (SaaS) services in the cloud in this context.

Enterprise Cloud Adoption Strategy Tips

So, without further ado, I wanted to share my initial recommendations & tips for any large business or enterprise considering cloud adoption…

1. BRING THE OUTSIDE IN

Bring the outside in – and drive some interest and excitement from a cloud adoption perspective with your influential leaders by demonstrating what other competitors and market leaders are doing in this space. Most are very vocal online about what they have achieved, and what they intend to do from a cloud adoption perspective. Check out some of the big banks within Australia…


2. BUSINESS AGILITY THROUGH CLOUD ADOPTION

Ensure your leaders understand that it’s not just about “cost saving” being the driver for cloud adoption, but more importantly it’s all about true “business agility”.

The focus here should be around having the ability as a business to be quick to adapt – both in providing new services, solutions and the required IT environments to bear the fruit of new business opportunities, but also to be able to “fail quick”. Enabling the business to fail, and to cut its losses quickly and cheaply when a new product, service or concept doesn’t work out, can make a huge difference financially. It also encourages businesses to innovate and try more “out there” ideas.

Gone are the days of procuring new IT hardware, or signing a 3 to 4 year lease agreement with your IT vendor for IT services. Stranded IT costs for failed projects should be a thing of the past. If not – your commercials and ultimately your relationship with your IT vendor needs some focus.


3. START SMALL… THEN GET BIG

Start your cloud adoption journey in small palatable pieces. Consider running a proof of concept for low hanging fruit so you can build some further interest and momentum from an adoption perspective. Pick low profile systems which are not critical, don’t have customer data, and are easy pickings.


4. PARTNER WITH THOSE IN THE KNOW

Consider partnering with cloud adoption specialists who fully understand the technology offerings and common misconceptions and challenges. They should help you visualise how cloud will integrate and change how you operate as an IT function. They should be able to help draw together a starting position, and a plan of attack for cloud adoption.


5. RELATIONSHIPS, RELATIONSHIPS, RELATIONSHIPS…

There is a mammoth amount of change in the relationships, roles and the related processes wrapped around IT that needs to occur in order for our new IT world to materialise. The traditional IT roles, and IT outsourcing models, need to adapt to enable a new cloud model. Reconsider the relationships you have, and the approach you need to take on new service providers, whilst building in adaptability from a commercial perspective.


6. SECURITY AS AN ENABLER FOR CLOUD ADOPTION

Lastly, and most importantly, build security right in from the start. Security can ultimately be the enabler for cloud adoption, so businesses need to change their perception of IT security, and put in the time and effort to partner and work proactively with security to get the best outcomes.


What are your experiences or views of enterprise cloud adoption? Feel free to share your thoughts, experiences and opinions here.

I am very passionate about what is happening within the world of cloud adoption and mobility, so if you wish to discuss this topic directly – please get in touch using the contact page on this site, or tweet me @PhilHall – http://www.twitter.com/philhall

Categories: Discussion

Hello Apple iOS 6, Apple iPhone 5, and Apple iTV… Another exciting year ahead!

June 23rd, 2012

Let’s just say that there’s lots of the usual speculation and rumours when it comes to news from the Apple camp re the impending release of the Apple iPhone 5 and the latest iteration of the integrated Apple iTV. iOS6 is looking very promising, however obviously my agreement with Apple prevents me from saying anything about it!

Apple’s Venture into Smart TVs… the Apple TV (not a box under it, but part of it – an integrated TV!)

The Apple iTV release will be another innovative change in consumer land, whereby voice or gesture commands will rule supreme, overlaying on-demand IP-based content. Who can argue with paying twice as much for a TV (they’re much cheaper anyway these days), when it integrates with your other Apple devices, lets you “AirPlay” at the flick of a wrist onto your Apple TV 55″ screen if you find something interesting whilst internet surfing on your handheld device, and enables you to enjoy the delights of on-demand IP-based TV. Oh… and with voice & Microsoft Kinect-style movement recognition for interacting… the nirvana of consumer home entertainment is about to arrive!

NFC Apple Style

The thing in my mind that will be the game changer this year from Apple is the introduction of NFC (Near Field Communication) to Apple devices. It’s nothing new from a technology perspective, but in Apple’s hands it has the potential to become the innovative game changer – like what they did with iTunes and the music scene.

Let me explain… think of your new shiny iPhone 5 as your complete virtual wallet in the air, paying for goods at the swipe of a reader, integrated as your electronic pass to enter your company building, a hotel room key, bus / train ticket or taxi ride, a secure means of logging onto your laptop or computer, or any kind of electronic payment / ID or fingerprint… and then you’re only just scratching the surface as to how this technology will change how we live and interact on a daily basis.


Enterprise Opportunities – MDM & NFC

The next few months from an Apple NFC & Mobile Device Management capability technology perspective are going to continue to be a game changer from a consumer and enterprise perspective, however the key thing I re-iterate to businesses and large enterprises is to be brave, and to invest in branching out in ways to make the most of the new opportunities this technology evolution presents.

For enterprise IT departments… if you haven’t already deployed a Mobile Device Management capability, you need to do so, so that you can make the most of the technology and the opportunities presented.

Lastly, the majority of IT departments in Enterprises now understand that security aspects relating to these opportunities become increasingly paramount, and in essence a true business “enabler” to make this all possible and for the future to take shape.

It’s like asking why you have brakes on your fast sports car… to make it STOP?

No.

We actually have brakes on cars so you can drive FASTER.

It’s the same for IT security – it’s a business enabler. This especially applies to mobility, and the security challenges we need to understand & address.

Feel free to add your views, thoughts or opinions on any of the topics above.


Apple & The Enterprise – Security Considerations for iPhone 4S, iOS5 & iCloud

September 28th, 2011

Over the next couple of months, it’s all going to go nuts yet again with Apple frenzy, hype and excitement over the new iPhone 4S and the release of iOS version 5… but after all the dust has settled – what will the real impact be from an enterprise & security perspective?

OK… so maybe that’s why I love my job when it comes to situations like these, as I get to play with the new toys and enlighten people about all the cool changes, the business opportunities, and what we can do from a technical perspective to minimise any associated risks. Before we get to the heart of it – if you didn’t already know from my previous posts – it’s probably worth being up front and mentioning that I am indeed an Apple fan; nevertheless, that doesn’t mean I’m blinkered or oblivious to some of the security problems we will come across from an enterprise perspective when these new devices and changes hit us.

So… let’s get started…

Huge Uptake of new devices & iOS5 for existing users

Firstly, I think yet again there will be an increased uptake in the new Apple iPhone device, and even more people moving away from Blackberrys (poor RIM) to the new iPhone 4S. Apple Insider recently released some interesting study results indicating 45% of Blackberry users and 24% of Android device owners said they would purchase the upcoming new Apple handset.

Whilst I don’t think there’s going to be a huge quantum shift in terms of the phone or the technology (yes the new CPU will be great, but something I’m already used to on my iPad 2 running the Apple iOS5 beta), the combination of a new device plus all the cool features of iOS5 will draw more people to buy it.

Most people I know are already finding excuses for why they will upgrade their iPhone 4… and it will be the same no doubt in the enterprise. The C-level execs will push to get a brand new phone as soon as they’re available – as we’ve seen a change in the way in which shiny new gadgets find their way from the top down into the enterprise… as the big boys often compete with their peers in the boardroom.

Then we also need to consider how many existing iPhone 4 and iPad 2 devices are already out there in the enterprise – just waiting for all those funky new iOS5 features.


So what?

Well, before the majority of your company have these new devices in their hands (or already have existing iPhone 4 or iPad 1 or 2s), there are a few things to consider from an enterprise security perspective:

iOS 5 – iCloud and Security in the Enterprise.

iOS 5 introduces many new features, but the most newsworthy is iCloud. I’m not going to cover what it is in detail, or how it works; instead I want us to focus on what issues we will see in the enterprise relating to it. It’s not that iCloud is insecure – although no doubt there will be hackers out there trying their hardest to break into it. It’s more about the staff member who has this new technology, and what they choose to do with it, which is more worrying.

Up until now, enterprises have struggled to control / contain the risks relating to file sharing / syncing capabilities already available through services such as Google Docs, SugarSync, Dropbox, Box.net etc. What Apple are about to do, though, is make this type of cloud-based file storage & synchronisation functionality available natively in iOS, in Apple applications, and in 3rd-party apps using iCloud… the problem is about to become much bigger, and no doubt, just like when the cloud hype hit our shores, governing bodies such as APRA will start to take notice, ask interesting questions, and push more expectations onto the companies they govern.

So the worst case is that documents created on a device used in the enterprise will be sucked into the cloud, and then replicated automatically onto a number of other devices outside of the enterprise. Many large companies have managed to keep some sort of control by restricting the use of Dropbox etc. through web proxies; however, the main thing from a security perspective is not necessarily the strength of the security controls, but rather what the user will do with it.

Most staff don’t care about security (after all, it’s someone else’s job to worry about company risk), so they will happily and naively store sensitive documents all over the place… it’s just that Apple’s iCloud will make this so much easier to do, and a much, much BIGGER problem.

Your Apple ID & Password – Keys to the Apple iCloud Kingdom… your docs, your photos, your music…

One important concept to understand is that with iCloud your Apple ID and password will become much more important… they will be your ID and keys to your Photo Streams, synchronised documents, music etc. – access to everything will be just an Apple ID and password click away!! Now, no one shares their Apple IDs… do they!!!?!?!? ;-0

Bandwidth & Data Usage Impacts

There are other impacts, such as data / bandwidth utilisation – as music streaming, iCloud syncing and OTA updates will surely have an impact. But just how much, we will soon find out.

Solving Your Enterprise Security iCloud Concerns

So what to do about it?… Mobile Device Management platforms will obviously help (if you have one!), and Microsoft Exchange ActiveSync policies will potentially improve things too; however, that depends on whether you’re willing to lock down the use of iCloud. Stop users from using the cloud?! Sounds like a hard thing to do.

Hopefully Apple will offer some more granular control for this technology – but maybe by the time most enterprises start to worry about this, the horse has already bolted.
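The granular control the post hopes for does exist in the form of an MDM-delivered configuration profile: Apple’s Restrictions payload (PayloadType com.apple.applicationaccess) gained iCloud switches with iOS 5, and a missing key defaults to “allowed”, so a profile that only forbids backups still leaves document sync and Photo Stream on. The following is an added example (not code from this blog or from Apple) that builds such a profile with plistlib and audits an arbitrary profile for the three iCloud keys; the organization name and the reverse-DNS identifiers are placeholders.

```python
import plistlib
import uuid

# iCloud-related keys of Apple's Restrictions payload (PayloadType
# "com.apple.applicationaccess"), introduced with iOS 5. Each key defaults to
# True (allowed) when it is absent from a profile, so the secure setting is an
# explicit False.
ICLOUD_RESTRICTIONS = {
    "allowCloudBackup": False,        # no device backups into iCloud
    "allowCloudDocumentSync": False,  # no "Documents & Data" sync for apps
    "allowPhotoStream": False,        # no Photo Stream replication to other devices
}

# Placeholder identifiers: a real deployment uses its own reverse-DNS names.
PROFILE_ID = "com.example.profile.icloud-restrictions"
PAYLOAD_ID = "com.example.payload.icloud-restrictions"


def build_restrictions_profile(restrictions=None, organization="Example Corp (placeholder)"):
    """Return a configuration profile (plist bytes) carrying one Restrictions payload.

    `restrictions` maps restriction keys to booleans; by default all three
    iCloud keys are switched off. A profile that only sets some of them
    leaves the others permitted, which audit_profile() reports.
    """
    if restrictions is None:
        restrictions = ICLOUD_RESTRICTIONS
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": PAYLOAD_ID,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "iCloud restrictions",
    }
    payload.update(restrictions)
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": PROFILE_ID,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Enterprise iCloud restrictions",
        "PayloadOrganization": organization,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def audit_profile(profile_bytes, required=ICLOUD_RESTRICTIONS):
    """Return the sorted list of iCloud restriction keys a profile still leaves allowed.

    A key counts as allowed when no Restrictions payload sets it to False,
    because Apple's default for a missing key is "allowed".
    """
    profile = plistlib.loads(profile_bytes)
    effective = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            for key in required:
                if key in payload:
                    # If several payloads disagree, the restrictive one wins.
                    effective[key] = effective.get(key, True) and bool(payload[key])
    return sorted(key for key, wanted in required.items()
                  if effective.get(key, True) is not wanted)


if __name__ == "__main__":
    hardened = build_restrictions_profile()
    backup_only = build_restrictions_profile({"allowCloudBackup": False})
    print("hardened profile leaves allowed:", audit_profile(hardened))       # []
    print("backup-only profile leaves allowed:", audit_profile(backup_only))  # ['allowCloudDocumentSync', 'allowPhotoStream']
```

The audit side is the useful part in practice: run it over the profiles your MDM actually pushes, because a half-configured Restrictions payload looks locked down in the console while the defaults quietly leave the rest of iCloud enabled.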


User Awareness & Risk Acceptance

The other thing you can do is to ensure that end users are made aware of the risks, and that they take accountability and responsibility. Force anyone using your enterprise service to sign an “Acceptable Use” agreement, whereby they are informed of the risks, data considerations, and the responsibilities they take on when using an Apple iOS 5 device within the enterprise.

Lastly – make sure your company has done the right thing from a risk management perspective – especially if you are governed from a compliance point of view. Ensure that a full risk review and assessment has been completed, whereby senior execs and the CIO are formally made aware of these risks & concerns, and sign off any risks at an appropriate level, with full evidence and traceability back to those who made the decision.

Follow “PhilHall” on twitter, and be sure that you’ll be kept up-to-date from a security perspective.


Recent Sony hack – a call for Oz Disclosure Changes?

April 27th, 2011

Another hack – another potential compromise of customer data… and this time the target was Sony. This event is starting to spark calls for the government to legislate mandatory disclosure – but will it ever happen!?

The Sony hack incident is said to have occurred between the 17th and 19th of April 2011, whereby hackers gained access to Sony’s PlayStation Network, potentially gaining access to the account information of a reported 77 million users. It is understood that this includes names, addresses and… drum roll please… customer credit card information. Uhh ooo!

Sony posted details on a Sony blog on the 22nd of April, indicating that there had been an ‘external breach’. They are also reported to have released a further statement today.

What’s more interesting about this story is that it’s sparked some discussions relating to mandatory disclosure. In recent comments on the Sony hack by Rob Forsyth (A/NZ managing director of Sophos), Forsyth is reported to have suggested that the government must legislate for mandatory disclosure, noting that it has been proposed in a large number of privacy recommendations.

If personally identifiable information is lost, companies must notify both the general public and the individuals whose information has been stolen…


Forsyth told ABC radio programme The World Today that the theft of address and birth date details, and possibly credit card numbers (although Sony currently maintains that there is no evidence that these were compromised in the breach) – highlights Australia’s lack of a disclosure regime.

“Sony was not quick to notify people that there had been a breach of security,” RMIT lecturer Dr Mark Gregory told the same programme, even though the speed with which the network was shut down demonstrated that Sony was aware of the problem before it went public. Gregory backed Forsyth’s call for a disclosure regime.

“Government needs to legislate a proper regime for this,” said Gregory.

Your Views Needed!

There’s been talk of the need for changes to disclosure laws for a few years now, but does anyone think this will ever happen in Australia? The majority of security vendors often talk of this happening, but maybe we need to see a few more major data breaches / incidents before people start to take this more seriously and finally do something about it!

What’s your view on mandatory disclosure laws in Australia?

Keen to hear your views – so feel free to comment / reply on this post.



Rumblings around the RSA SecurID APT Hack?

March 22nd, 2011

The recent news about the RSA Advanced Persistent Threat (APT) hack and its potential impact on SecurID users has been a hot topic in the IT security world over the past few days, with many security experts speculating about what the real impact and exposure may in fact be for current RSA SecurID customers and users. I’m not going to provide background info here as to how RSA tokens work, as this has been suitably covered by many others – click here to read more if interested.

The algorithm RSA uses for SecurID tokens isn’t a secret, but the key concern (pun intended) is that RSA have neither confirmed nor denied whether seed records were involved in the breach.

Since the initial Open Letter to RSA Customers, further details have been released in the RSA SecurCare Online Note guides published on March 17. Of the various statements, the one causing most interest relates to advice about the token serial number (the number printed on the back of each token):

Never give the token serial number, PIN, tokencode, token passcode or passwords to anyone.

What’s raising eyebrows and driving further interest in this story is that people are now speculating that maybe the bad guys who hacked and obtained data from RSA could potentially generate a tokencode using the serial number of the SecurID. Many of us do not believe this is possible; however, let’s see if any further news articles or press releases come out over the next few days. Companies using RSA SecurIDs will no doubt be given further specific information after signing NDAs.

What we do know for sure is that there will be further speculation and rumours as to the exact potential impact of this recent incident. The main thing RSA will need to do is to reassure their customers, as many are concerned as to how this situation came to be in the first place… surely RSA have tight security for their own systems? Hopefully RSA can turn things around.

For now we can only sit and wait for further details before providing advice to customers and SecurID users as to the true potential impact. The worst outcome may be that RSA will need to replace the various tokens out there.


Apple jailbreak arms race as iPad 2 jailbreak i0n1c exploit details released

March 17th, 2011

It seems to be a continuing arms race between Apple and the iOS jailbreak community, whereby new exploits and techniques are being publicised literally days after Apple release newer versions of their iOS.

For now it looks as though Apple are losing the battle, as again it’s only been a week since Apple released iOS 4.3, and already there’s confirmation from i0n1c (Stefan Esser) that an untethered jailbreak method is possible.

http://www.youtube.com/watch?v=v9DL5nj_SC8

For those who aren’t familiar with tethered / untethered jailbreaks: traditional jailbreaking methods have changed, whereby newer methods rely on booting a jailbroken device whilst it is connected via USB to the jailbreak program on a PC / Mac.

Subsequent full reboots of a device must be done whilst it is connected to the PC / Mac running the jailbreak app. Fine for those who don’t reboot, but a pain for those who run out of juice or need to reboot on a regular basis! An untethered jailbreak is basically where the device is jailbroken and can then boot independently, without needing to be connected to the machine running the jailbreak app.

So as Apple patch more of the holes and exploits – will things change in this arms race, or will it continue whereby new jailbreaks are found, and literally released just days after Apple update?

Obviously the iOS updates are becoming increasingly large – so the update required by end users becomes more noticeable. Will Apple start to provide more regular iOS updates in shorter time frames to minimise the impact?

Personally – I don’t think so. I’m guessing things will remain the same until Apple make some additional hardware changes to combat some of the exploits out there and make things harder for the likes of Comex, i0n1c and the Chronic Dev Team.

Feel free to share your views, thoughts on the arms race topic.


2011 Security Predictions – The Year of the MDM?

March 1st, 2011

Looking through the various IT Security predictions for 2011, as well as some of the themes relating to technology trends, it’s pretty obvious that there already is and will be a growing demand for allowing the use of new mobile devices in the enterprise. 

The iPad 2 and iPhone 5 - will need an MDM!

There’s also some big challenges ahead when it comes to the convergence of personal and corporate mobile device usage – whereby there’s a huge desire to allow employees to Bring Your Own (BYO) devices into the enterprise. Some companies are even taking this idea as far as looking to allow employees to bring not only their mobile smartphone devices, but also their own laptops into the workplace, doing away with the traditional standard supported environment build on a company laptop or desktop workstation.

So from a security perspective – is this possible, and can it be achieved without degrading the level of security / risk exposure for an enterprise?

Well… if you’d asked me this question a year ago, there were only a few select and expensive ways of doing this… however I’d say the answer is now a definite “YES” from a smartphone / mobile device perspective – due to the number of technology companies now providing Mobile Device Management (MDM) platform capabilities.

If you look through the various offerings out there, you’ll quickly discover that there are now way too many MDM platforms to consider. Some of these solutions have been proven and in this space for a while, whereas others are new and definitely unproven.

I know several companies that have successfully gone down various paths – including Good Technology; one of the large Australian banks has just signed up with McAfee, and other banks / financial institutions are currently considering and reviewing MobileIron, as well as AirWatch.

The Mobile Device Management (MDM) market will move quickly, especially as Apple will shortly be moving on from the Apple iPhone 4 and releasing more and more devices and updates, such as the next Apple iPhone 5, the Apple iPad 2, as well as a new iOS 5 operating system. Lots of phone reviews in the making!! Another prediction is that the telcos will move into the MDM game, and will provide this as an additional offering on top of your corporate data service. It will definitely be an interesting and fast-paced time in this space – and I intend to provide more updates on this site, so come back soon.

2011 The Year of …..?

So…. my big prediction for 2011, is that this is actually the year of the MDM platform – which in turn as it matures will enable businesses to offer more flexibility when it comes to mobile devices.

Beyond this will be a wave of interest in technologies that allow employees to bring their own devices. It’s also another good opportunity to solve some of the traditional security issues by incorporating virtual desktop solutions, whereby mobile devices only have access to corporate data processed and stored on a secure virtual desktop instance – thus minimising some of the security challenges.

Your Opinions, Views, Thoughts, Questions….?

Are you looking at any enterprise MDM platforms – if so, feel free to get in touch, share your experiences, or pick my brains for any offerings you are currently considering.


Apple Thunderbolt – an alternate Macbook Pro hack?!?

February 28th, 2011

Obviously lots of stuff hitting the press this week with the impending reveal of the Apple iPad 2 (still can’t get over the fact that we have an announcement about an announcement!)… however one interesting piece of news was about the new Thunderbolt interface on the latest release of the Apple MacBook Pro.

I for one am a huge fan of Apple Macbook Pros and was very keen to hear about the latest interface that promises 10Gbit/s speeds… Wow!

However, it did get me thinking as to whether this new interface is any more secure than some of the bits of copper we’ve previously seen issues with… as some have recently theorised about whether Thunderbolt will have unrestricted access to the computer and therefore may be a way to hack into a device.

This method was previously presented by Metl at Rux a few years ago, along with Nick Breese (who now works at securusglobal.com).

According to a recent blog post by Robert Graham (the CEO of security consultancy Errata Security), Thunderbolt may give attackers yet another way to exploit a target machine. “Imagine that you are at a conference,” Graham writes.

“You innocently attach your DisplayPort to a projector to show your presentation on the big screen. Unknown to you, while giving your presentation, the projector is downloading the entire contents of your hard disk.”

Such attacks rarely work on USB ports because they are based on a “master-slave” design. That means the computer has full access to the attached device, but the attached device has limited access to the computer. FireWire and now Thunderbolt, by contrast, have full access to a Mac’s entire memory.

Graham offers an anecdote from a recent penetration testing exercise:

A company gave employees laptops that were secured using all the latest technology, such as encrypted boot disks and disabled USB ports. Users weren’t given admin privileges. But the Firewire ports were open.

We connected a device to the Firewire port on a laptop, and broke in with administrator access. Once in, we grabbed the encrypted administrator password (the one the owner of the laptop didn’t know).

We cracked it using L0phtcrack. That password was the same for all notebooks handed out by the company, so we now could log onto anybody’s notebook. Worse — that administrator account was also on their servers, so we could simply log into their domain controllers using that account and take control of the entire enterprise.


Until this theorised technique is proven, it’s too early to say if this will be a legitimate way to hack a MacBook Pro – however for now all we have is a theorised approach, which will surely stir up some discussion and debate prior to someone actually trying it for real.

For further details, view Graham’s web site at:

http://erratasec.blogspot.com/2011/02/thunderbolt-introducing-new-way-to-hack.html

Categories: Discussion, News