Tag Archives: security

Data Insanity Will Slow the IoT

The promise of the IoT is improved service interactions between business and their customers, and between governments and their citizens. Realizing these promises relies on collecting, managing, and analyzing data. But the IoT generates data streams in unprecedented volumes, frequency, and variety. These data streams can choke the networks, applications, and target systems. The data goes into data management systems that are in many cases unable to process adequately.

With existing systems often unable to support IoT demands, enterprises assume they must add new infrastructure. IoT deployments require infrastructure expansion: new devices and applications are the norm. But the IoT data streams define the scale.

Just because we can collect data from connected objects frequently, should we? It’s not a secret that most IoT data remain underused, misused, and unused. Data misuse means added deployment costs and project time. Adequate and appropriate data planning is critical to attractive ROI of IoT deployment.

Instead of assuming the need to collect as much data as possible and then filter it later, more attention should go into planning the data lifecycle. Users, developers, and providers of IoT-related offerings need to consider the potential costs of careless data collection. Planning questions should start with the application requirements.

Poor Interoperability Will Slow the IoT

At least half of the expected real economic value of the IoT will come from interoperability – connecting devices to each other and external systems. But interoperability in the IoT is costly and complex. Standards efforts are nascent and confusing. The pace of innovations is outrunning the ability to connect the devices.

Plus, the IoT is perhaps the most hyped technology trend in the last decade. Its promise touches almost every aspect of human existence. From smart factories to smart cities, connected devices are changing the way enterprises and governments operate and provide services. But something stands in the way of the IoT reaching its full potential: reality. The reality is a web of poorly connected sensors feeding data streams in unprecedented volumes and variety into systems that are unable to process adequately.

While it is easy to blame the providers, success in IoT interoperability goes beyond the IT Master Brands working together. The age-old position that competitive advantage comes from proprietary technologies is passé. Instead, the winners will be providers who flexibly support needed enterprise transactions required by business constituents. And successful enterprises will engage those providers and tackle interoperability head-on to address business requirements. Collaborative pilot projects are cropping up to show how the IoT can address specific applications.

IBM’s Bernie Meyerson Set to Keynote 2015 Cloud Business Summit NYC

We’re pleased to announce that Bernie Meyerson, VP and Chief Innovation Officer at IBM, will deliver the opening keynote at Saugatuck Technology’s upcoming 2015 Cloud Business Summit, taking place on November 4th at the Yale Club of NYC.

In a presentation entitled “Information Technology: A Tectonic Shift,” Meyerson will explore what’s next after Moore’s Law – as the advent of new forms of parallelism become a leading framework defining IT over the planning horizon.

Since the invention of the first solid-state computers, IT has relished consistent, predictable advances in performance that were quite easy to assimilate – as the number of transistors on a circuit chip would double approximately every two years. Fortunately for the IT industry, increasing circuit density yielded increasing performance while reducing costs ranging from device manufacturing to electrical power consumption. Such performance increases were easy to exploit . . . and addictive. Unfortunately, as circuits have now approached the dimensions of only a few atoms, the end of increasing circuit density is near. In essence, Moore’s Law has been repealed. Meanwhile, technology advances such as predictive analytics, big data, and mobility (among others) have only continued to drive the need for IT capacity at an accelerating pace.

The consequence is that designers of IT application and infrastructure architectures will have to turn in a new, more challenging direction. As Meyerson will share, one likely scenario is

Making Threat Intelligence, Intelligent

The old joke about military intelligence is that the term is an oxymoron. This came into being not because people serving in the military were unintelligent, but from the experience of many who served in the military and witnessed orders that appeared unintelligent, but which had to be followed. The fact that many military orders start with policy initiated by politicians may put the phrase into a different context had it been politician intelligence.

In fact, military intelligence is a discipline with a very long history that collects a lot of data and information, analyzes the data and provides guidance to commanders who need to make decisions. This places it close to the reality of where the average enterprise finds itself today: at war with smart cyber-attackers who are hired by competitors and criminal gangs, or battling well-equipped and superbly-trained State actors with very different motives, and from an onset of hacktivists and terrorists.

Current cyber threat intelligence services are in their infancy and childhood. Some of the Cloud-based services are delivering raw data masquerading under the rubric intelligence, while others are delivering data that has been evaluated and analyzed by human intelligence analysts.

How the Security Game of Whack-a-mole Changes

Vulnerability management is the area of security that can best be compared with playing whack-a-mole, a world where rubber mole heads pop up and out at random from the holes in which they are hiding. Your job is to whack away at the head of each mole with a rubber mallet, thereby forcing the head of the mole back into the hole from which it came. You score points for each mole you force back into a hole, and the more points you score in the allotted time of play, the higher your total score.

In the game of vulnerability management, you are hitting the heads of the moles by applying patches and configuration changes to IT assets to eliminate or minimize the attack surfaces available to hackers. The problem is that hacker moles like to operate silently and you don’t know which ones are there and which holes they are operating in, unless of course you are constantly searching all the holes to determine if hacker-moles have enough space to get into and through the holes.

Determining where the holes are that will attract the moles is the job of vulnerability scanners, most of which are now operated as Cloud service subscriptions. And it’s not working. And the reason it’s not working has little to do with the scanning services and almost everything to do with the lack of the other tools and services you need to run your score up by smashing the moles faster and in less time. Having access to information about where the moles are, how many there are, where they are lurking and what their cycle-times are would make you invincible in the face of the onslaught of hacker-moles attacking the enterprise network.

Dangers Lurking in the Shadows of IT

In light of high-profile security breaches – some, possibly sponsored or performed by governments – enterprise IT assets seem more exposed than ever before. And, every IT manager is excruciatingly aware his fundamental mission is to ensure the security of the data, applications, and infrastructure under his purview. However, even as they are developing plans for evolving their infrastructure to include Cloud alternatives, IT organizations are becoming increasingly aware of the extent of Cloud-based solutions in use by the company organizations they support. This Shadow IT consists of ad hoc Cloud-based solutions implemented or adopted with little or no involvement of the IT organization.

As a result of that awareness, security is under increasing scrutiny across all industry segments. Saugatuck projects the focus on security will continue to increase to become a major focus – on a par with the focus on adoption of Cloud offerings – by mid-2016. In a recently published Strategic Perspective, Saugatuck identifies that the security exposures posed by Shadow IT are increased due to:

  • Abuse of privileges on approved Cloud applications;
  • Access of Cloud applications by former employees;
  • Cloud app security that fails to comply with internal or industry requirements;
  • Lack of monitoring and control of documents shared through Cloud collaboration tools; and
  • Lack of audit trail of changes to user authorizations, configuration settings, etc.


Gorillas in Our Midst: Mobile App Security Issues

From a security perspective, mobile apps are much more than they seem. They may appear as harmless and benevolent creatures, yet their potential for security issues resembles something more like King Kong. Mobile apps can wreak havoc with security because they are easily introduced, easily developed, and easily deployed. Their usefulness leads to complacency. Yet they increasingly gain access to critical information and important corporate applications through APIs in the cloud. Mobile apps also have access to a wide variety of personal data, such as location information, social information, contacts, photos and videos, and anything else that a user may care to contribute to social streams. If this weren’t enough cause for concern, they contain codes, passwords, and information that would be critical for gaining access to corporate data directly, or through social engineering techniques.

Attack Vectors for Mobile Apps — Source: Saugatuck Technology

Despite these issues and their valuable content, mobile apps are notoriously insecure. Relatively little attention has been paid to them due to their relatively recent introduction and the fact that their development coincides with general changes in software development. Apps create security concerns going well beyond what has previously been considered with their desktop cousins. They may be vulnerable in every area from development to deployment and, afterwards, maintenance and security updates. On top of this, there are special concerns that are particular to mobile devices.


Cloud Security Services – On the Move

Is the security profile of your organization partly cloudy with a chance of meatballs? Is the security budget not expanding fast enough to cover required projects or simply never enough? Can you easily explain the difference between managed security services, subscription security services, and Cloud infrastructure security including VM monitoring services, virtual machine, and hypervisor notification agents?

It may be time to climb out of the Cloud and look at alternatives to onsite security programs and controls. Security subscription services, managed security services, Identity services, Cloud infrastructure and data center services may be just the fixes for never enough money, staff turnovers, and the need to deliver more in less time.

Saugatuck recently published a five-page Strategic Perspective entitled The Rise of Cloud Security Services (1562STR, 17Apr2015 – see link at bottom of this blog post if you are a premium subscriber to Saugatuck’s CRS research service to access) that analyzes available Cloud security service alternatives across five key dimensions (see Figure 1). The piece includes identification of some of the leading vendors delivering Cloud security services in each of the five categories, what the different services are best suited for and why, and provides insight into the multiple apparitions of Cloud security.

Figure 1: Cloud Security Services (Source: Saugatuck Technology, 2015)

It seems that all security products and services are being labeled as “Cloud security” these days, and that every vendor in the business of delivering security is now a Cloud security vendor. There’s good reason why vendors are toeing the “Cloud” line as organizations transition from legacy systems and application workloads to virtualized Cloud data centers: the Cloud, and the transition to the Cloud, is where the money is.

Fear and Ignorance, Finance Leaders, and Cloud Hesitancy

What’s stopping the largest percentage of enterprise leaders, including Finance executives, from trusting even some of their systems and data to Cloud providers?

Ignorance-based fear.

December’s Saugatuck survey on Cloud and Finance, which has provided fodder for a terrific series of strategic reports, Strategic Perspectives, blog posts, and other insights published for and used by Saugatuck’s clients, included hundreds of open-ended responses regarding current and expected Finance IT systems and infrastructures. And while an encouraging plurality of survey participants indicated that they are moving, typically judiciously, toward using more and more Cloud for Finance, more than 20 percent of those writing in responses still expressed security-related concerns as their primary reasons for not even considering Cloud-based Finance systems.

The ones that stood out included the following:

  • “Every time our financial managers look at ‘the cloud,’ they only see that the information is outside our firewall and therefore perusable by anyone and everyone. Only completely public information will ever be stored off-site or outside of our company’s direct control.” – Controller, Healthcare, Upper-midsize company
  • “We are concerned about cloud security and competitors being able to access cloud information.” – Finance Director, Business / Professional Services, Midsize
  • “We have a fear of using the cloud based on possible hacking and fraud capabilities. Until it’s a proven technology we will keep everything in-house.” – VP Finance, Financial Services, Large
  • “Organizationally, we are evaluating the movement towards cloud-based computing, and are aware of the potential cost savings, but are tempered by the continuing risk of breaches.” – Director of IT, Healthcare, Upper-midsize company

First, let me vent in a blunt manner, then I’ll get to the more reasoned content.

Positions such as those expressed above border on willful ignorance. They are based almost entirely on perception, opinion, and

The Business of Digital Identity

In the old days in each village, access to personally identifiable information was in your face: it occurred when the other villagers looked into your eyes. The days of the village and up-close eye contact have been replaced by vast amounts of digital data representing identity. The modern digital equivalent of identity information is stored in repositories in digital networks throughout the world.