Friday, February 26, 2010

No Internet or Laptop for you!

A couple of weeks ago I blabbered about a world with no IT resources. Since then I had a chance to discuss it with friends, especially the end device ownership part and thought it is interesting enough to share with others.

During the 15th century the Feudalism system was very common in Europe. The lucky ones played the role of lords and “life was good,” for the rest (vassals) the story was slightly different…
Let’s look at the employee-employer relationship back then. A common “compensation” package a vassal could expect would include a very small component of “salary” and a relatively large component of benefits consisting of food, clothing, housing, security, and possibly heritage rights. In return the lords practically “owned” them.
Therefore the equation was you (the vassal) will work your butt off for me (the lord) and in return I’ll give you everything you need to barely live + some change.

Through the years gradually the salary portion grew while the benefit component has gone down.

Looking at today’s common compensation package, it includes a large component of salary and a relatively small component of benefits. Food, clothing, housing, security, heritage rights? Are you kidding me?

This trend continues and will affect the “end device ownership” dilemma previously discussed.

Companies already take it for granted consumer employees will have internet access at home, so they are capable of continue working (if needed). Now who pays for the internet, electricity, etc.?
End devices are next in line (cell phone, laptop, tablet, etc.). Surprisingly we have an unusual case of common interest. Most consumer employees will be happy using their own device for both home and work activities. We already see today some companies funding the purchase of personal device for work.
As you are expected to show up to work dressed up, employers will mandate end devices capable of doing your work. The good news is as most/all the computing will happen in backend systems (virtual desktop solution), so the requirement for your device is going to be pretty basic.

If we’ll look at the futuristic equation (right around the corner) the employer (i.e. the lords) will give you (the consumer employee) salary only, and in return you’ll be responsible for everything needed to do your work (and obviously work).

Next week it is RSA conference week, therefore no post for you (but many sessions, meetings and dinners for me).
See you in a couple of weeks.

Wednesday, February 17, 2010

There is an App (war) for that

Once upon a time many, many years ago Apple has lost the OS = Operating System battle (at least the first round). Some believe the main reason was Microsoft’s smart platform play. The Redmond giant bet on building an open OS, not open source but rather a set of robust, easy to use, well documented, supported APIs. They figure out early in the game the simple ‘law of nature’ – easiness of creating applications cause more applications to be created which cause higher value to the underlying platform (OS) resulting in more money to the OS vendor (which is … Microsoft of course).

< Side comment - today in the era of Cloud Computing Microsoft is betting again on the platform, through their Azure offering.>

Fast forward to early 2008 (if I got it right), Apple has launched the AppStore (less than a year after launching the iPhone). Well, it seems Steve Jobs has done his homework. He created an ‘open’ platform (iPhone OS) and invested/promoted the AppStore concept (more than 150k apps and counting).

Apple in the role of Microsoft? Doh!

A different school of thought claims what Microsoft has done to the Macs, Google is doing now to the iPhone/AppStore. Apple still has a one HW-one SW strategy; as far as they’re concerned apps can only run on their HW. Google is making friends with many HW vendors and their Android OS/apps can run on a slew of devices. While Google only has to focus on the SW, Apple needs to be best at both fronts (HW & SW) in order to continue dominating the market.

Though a history fan, why do I open with a history lesson?

News from early this week: ‘Biggest mobile operators join forces on app store project’. It was all over the media (e.g. Should we assume the battle on the apps has just begun?

Of course not! This battle is as old as the Operating Systems. Mostly it was the OS owners fighting for position (Microsoft, Apple, Google, etc.), however occasionally others get greedy (given the size of the turf). It is easier making money selling services/apps in the mobile space, mainly as users are used to paying extra for extra. PC consumers expect everything to be provided as a service (over the internet) and for free. When was the last time you paid for services/apps?

While these 24 carriers claim their motivation is pure - ‘developers will be able to go to one place to get their applications distributed instead of having to go through multiple application approval processes’ (Yeah right…), it is clear they are after piece of the action. Apple’s appStore and Google's Android Market are being challenged by mobile network operators (per article).

Apple’s appStore, Google's Android Market and recent initiative (by mobile network operators) are all about consumer apps, but what about the enterprise?

If I’m an enterprise bought into Apple’s vision and seeking to provide customized (business) apps for my staff, how do I achieve it? How can I enable the iPhone in a similar fashion to laptops? I just want to have my own apps catalogue (similar to my software catalogue solution).

Is it time for a ‘private app store’ for enterprise unlike the ‘public app stores’ previously discussed?

Well, the first signs are here: ‘Google to open app store for business software ( Sounds like the right direction, isn’t it? Despite the promising title it is actually not really what I was looking for. It is mainly a marketplace for business applications focusing (as a first step) on Google Apps (rather than Android Market).

As for enterprise app store solutions, the Apple/Google of the world will probably approach it as an extension of their consumer solution. This will leave the door wide open for security vendors to address question such as access control, application governance etc.

So do we have an App (store) for that?

Tuesday, February 9, 2010

A world with no IT Resources – Should Admins get nervous?

The reality of organization’s IT resources (starting with SMBs) as we know it is about to dramatically change. The Cloud movement along with the new “Consumer employee” phenomenon (employee at day, consumer at night) drives organizations to reduce ownership of IT resources. Eventually IT resources free.

How is it going to work (most of the technology is already available)?

1. Server infrastructure
     Entire server infrastructure will run in the cloud (pick your favorite vendor)

2. Employees workspace
     Desktop virtualization will run on the cloud server infrastructure

3. Applications
     SaaS where possible, else application virtualization on top of the cloud server infrastructure

4. Desktop/Laptop/endpoint device
     That’s where things become interesting. Since your workspace is virtualized all that is needed is a device with basic capabilities to connect (e.g. browser). Now if the “consumer employee” prefers using his own cool/customized/private/latest/greatest device anyway, why should the organization buy an extra one? Instead, every several years (e.g. 3Y) the organization will grant each employee with an allowance (e.g. $3k) to purchase a personal device (desktop, laptop, netbook, tablet, etc.). While I think the real revolution is going to happen around the device ownership, I will leave this topic to my next post (stay tuned).

Information protection is going to become key in the described setup. As data will reside elsewhere (in the cloud or personal devices), controlling who can access it, who has accessed it and where is it, are going to be critical capabilities for future security solutions. Think about asset management and even identity management in this hybrid world…

I’m no prophet, by all means, but the day is coming and we better accept (even embrace, God forbid) the changing landscape and start preparing.

Now regarding my opening question (should IT personnel become nervous in this world with no IT resource) - of course not! Their current role will change/expand, rather than spending most of their time deep in the infrastructure (such as AD configuration/administration), they will be instrumental with this virtual/cloudy infrastructure. Vendor selection and ongoing benchmarking will occupy a greater portion of their time.

Are you convinced by now? I must be missing something and be happy to hear your take.

Tuesday, February 2, 2010

If you have the same problem for a long time, maybe it is a fact not a problem…

Recently the topic of weak passwords (= hacking made easy), has reared its ugly head once again.
You probably mumble now – please don’t let it be yet another passwords related post, we already know our passwords are weak, hackers can (and will) share our identity and we are all going to die…

Unfortunately I could not resist.

As long as users are responsible to create their own passwords, it will not matter how high the security walls are built. Let’s face it - we all want the ultimate user experience, just let me use the service without the entire authentication mumbo jumbo. When it comes to passwords, most of us create simple passwords, don’t change them at all, and use similar passwords for all our accounts (where possible). And BTW – since forgetting passwords is a hassle we tend to conveniently write it on a piece of paper or simply save it in a file on our computer (the sophisticated among us might even “hide it” by not placing it on the desktop).

Through the years many vendors attempted to tackle this issue introducing a slew of solutions - secret questions, images, graphics, second passwords, and the list go on and on. These are all just sophisticated passwords (password 1.0, password 2.0 or password 3.0), still subjected to the users will/motivation.

Security experts in the audience will explain that regardless of password strength or rotation frequency, hackers will manage to break them. Terms such as session hijack or Man-in-the-middle will be used to further scare us. I must admit it is all true, however with so many identities out there you simply need to be slightly better than your neighbors to postpone destiny (like the well known joke about two friends, a jungle, a hungry lion and a pair of running shoes). In addition, a large customer recently confessed that changing passwords every 90 days addressed a very large portion of their identity problems. Today I read that Twitter asks users to reset passwords after possible phishing attack (

So why do we consistently write about it for years and years? Is it because there is no solution for the problem? It keeps changing on us? The solutions provided by vendors are not valid anymore?
Well, as I have already stated the root cause of this problem is us, the (lazy) users. Once this parameter will change the problem will simply go away (flying angles play harp, rainbow in the background).

A quick recap:
Problem – weak passwords = hacking made easy
Root cause – us, the (lazy) users
Solution – replace us, the (lazy) users
Problem solved, moving on!

How can we replace us, the (lazy) users in a process intended to authenticate us (the …)?
While there are many solutions out there strengthening user authentication (e.g. out of band), I’ll mention two ways to better manage authentication:
1. Software replaces users – software manage the entire authentication process, including password generation (a non-lazy program will ensure password strength), maintenance (frequently modify) and seamlessly login. Implemented right this will address the challenges previously described and improve security while reducing the hassle.
2. Behavioral characteristics – base authentication on user’s behavioral characteristics/patterns, rather than parameters subjected to his will. Answer the question “who he is” (I’m not referring to physical aspect such as fingerprint) rather than “what he knows”.

Consumers are mainly concerned with their own identity. For enterprise the problem is a hairy one. Organizations measure everything using the “risk lenses” (and they should), therefore not all identities are born equal. While most identities are associated with “real” employees, some such as shared administrative accounts are not tied to any particular “real” identity. The paradox is that while the number of these accounts is relatively small the risk associated with their capabilities is huge.
Recently we’ve heard of a financial services company with poor password management controls for shared administrative accounts that resulted in a data breach affecting 1.2 million of their customers. The realization of this challenge contributed greatly to the spike of the PIM (privileged Identity Management).

My recommendation for organizations is: “worry when you should worry, don’t worry when you should not worry”. Brilliant, isn’t it? A more professional way to put it will be: your security controls should be proportional to the risk. While providing better password management capabilities and controls for the entire organizations has value, you lose focus on your priorities. Focus stands for better controls in a timely manner for the high risk accounts.