Consumerism of IT..

I have recently been asked a few times, by multiple companies, for my thoughts on the trend for consumerism of IT, and more importantly what it means for IT departments.  This is likely due to consumerism being up there as one of what seem to be the top three buzz terms at the moment;

– Cloud

– Consumerism of IT

– BYOD (Bring Your Own Device)

Putting cloud to one side for a moment as I like to cover that separately, consumerism of IT and BYOD are to me very linked so let’s discuss them both together.

First I’ll briefly cover what consumerism and BYOD are, then in a subsequent post I’ll give my thoughts on their current and future impacts on IT (or ICT as is now becoming the more common term) departments.

What is Consumerism of IT?

– Consumerism of IT is concerned with the blurring of the lines between consumer and business IT devices.  Obvious examples include smartphones that can easily provide access to both personal and work email from a single device, and tablet PCs such as the iPad that can be used for viewing and updating business presentations and emails as well as for consuming media and accessing the internet as a personal device.  The fact that devices like these have been driving change in the business world through their use as consumer devices is what is leading to the consumerism of IT.

What is BYOD?

– BYOD refers to the moves by some businesses / IT departments to allow users to bring their own equipment, such as a laptop, rather than using company-owned laptops.  As an example, this is often part of a programme where the company provides a budget for staff to purchase a laptop, subject to certain rules such as 3-year extended support having to be bought; the staff are then able to use the laptop both as their own personal device and as their business laptop.  This can also apply to other devices such as tablets and, most commonly, phones / smartphones.

While technically the two things can be taken in isolation, it is consumerism that aids BYOD in many circumstances – if smartphones couldn’t easily sync to business and personal email systems at the same time there would be limited desire from users to make use of a BYOD phone policy. This ability enables users to carry a single phone rather than multiple phones, which has obvious benefits to them, while also offering business benefits such as lower costs and reduced management overhead.

K

Linus Torvalds interview on BBC website

Linux creator Linus Torvalds was recently awarded the Millennium Technology Prize by his home country of Finland.  Shortly before receiving the award he gave an interesting interview to the BBC titled;

Linus Torvalds: Linux succeeded thanks to selfishness and trust

The interview can be found on the BBC News website here;

http://www.bbc.co.uk/news/technology-18419231

K

Attack Mitigation – Assume the worst

I have recently been catching up on what was happening at the RSA conference in San Francisco this year and what some of the key security trends are.  One thing that has jumped out is the move from ‘we can protect you’ to ‘you are or will be hacked, so what can we do to mitigate the damage and catch the malicious individual or group’.

This has been coming for a few years with the increasing use of cyber-warfare by governments and the military, and the emergence of the APT (Advanced Persistent Threat), where well-funded criminal gangs will expend a lot of time, money and skill to gain long-term and potentially subtle footholds in company systems.  These factors, along with all the ‘standard’ existing threats and the continued success of social engineering attacks such as phishing, have led many security leaders to suggest that you have likely already experienced a breach and that you will, not may, experience breaches in the future.

This is backed up by research from the Ponemon institute that suggests 70-80% of organisations have experienced a data breach within the last 20 months.

So, in addition to the standard perimeter and control-type solutions, there are now vendors and consultancy firms offering solutions to limit the damage that occurs when these preventative measures fail, and at the same time capture as much information as possible to aid in tracking down and catching the attacker(s).

This is an interesting wake-up call for both the security industry and all companies – the protective measures we have relied upon for years work, but they are far from infallible and will fail when faced with a concerted effort or a duped user who already has system access.

A couple of interesting references covering this in more depth;

Dark Reading – http://www.darkreading.com/advanced-threats/167901091/security/news/232602708/security-s-new-reality-assume-the-worst.html

Bruce Schneier – http://www.schneier.com/blog/archives/2012/04/attack_mitigati.html

The Dark Reading article is particularly interesting, and it’s well worth reading both sections.

Remember – your company’s systems will be breached.. What will you have in place to minimise the damage and assist in preventing the attackers from doing the same to more organisations?

K

Your smartphone is your PC!

Well nearly..

You can now run a full version of Ubuntu on your Android phone;

http://news.cnet.com/8301-1035_3-57424335-94/androids-new-ally-against-the-iphone-ubuntu/?tag=nl.e703

While phones are clearly not yet as powerful as laptops, they are becoming powerful enough to run standard productivity applications, web browsers etc., which account for the majority of non-gaming PC / Mac use.

This clearly marks a leap forward in that direction as well, allowing you to run what is in reality a fully fledged O/S with full versions of OpenOffice etc.

Plug your phone into a TV or monitor, use a Bluetooth keyboard and you are all set with a mini PC..

Luckily enough I’m about at the end of my current contract so will be swapping to an HTC One X in the near future.  I’ll download and give this mobile Ubuntu version a try then report back.

The future with your PC in your pocket, literally, is almost here!

K

IOPS and latency are not related – HDD performance explored

Recently came across this interesting and thought provoking post around IOPS and Latency.

We all know we need to consider IOPS as well as, and often more critically than, overall storage volume – 10TB of storage can effectively be saturated from a performance perspective by under 1TB of data that is read / written at a high rate.  This is something many people don’t consider when they just say project X or application Y needs xx GB of storage.

However, even with an understanding of the need to assess the IOPS required by a solution, it is still possible to get caught out if you don’t consider the profile of these IOPS, and the impact of random reads and writes on the actual performance of the drives / array.  Add to this the fact that many manufacturers’ figures for their products are somewhat on the optimistic side, and it is very easy to deploy a solution that at first glance appears to meet the performance requirements but turns out to be very inadequate in practice.

So; of course consider your storage volume requirements, but make sure you pay great attention to the IOPS and latency requirements along with the usage profile. Then carefully design and test the storage solution to make sure it works as expected.
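To make the point concrete, here is a small Python model I have added (it is not code from the linked post, and the figures are not any vendor’s). It sizes the same workload first by capacity and then by I/O profile, shows how far apart random and sequential IOPS are for one spindle, and uses Little’s law to show why a deep queue pushes latency up even when IOPS look healthy. The drive specification, the RAID-5 write penalty and the workload numbers are constructed assumptions for illustration.

```python
import math

# Constructed drive specification, roughly typical of a 7200 rpm SATA disk.
# These are assumptions for the example, not figures from any vendor.
DRIVE_RPM = 7200
DRIVE_AVG_SEEK_MS = 8.5
DRIVE_TRANSFER_MB_S = 150.0
DRIVE_SIZE_GB = 1000


def rotational_latency_ms(rpm):
    """Average wait for the platter to bring the sector under the head:
    half a revolution."""
    return 60_000.0 / rpm / 2


def random_iops_per_drive(io_size_kb, rpm=DRIVE_RPM, avg_seek_ms=DRIVE_AVG_SEEK_MS,
                          transfer_mb_s=DRIVE_TRANSFER_MB_S):
    """Random I/O: every request pays a seek plus rotational latency, so the
    transfer itself is a rounding error and the drive manages tens of IOPS."""
    transfer_ms = io_size_kb / 1024.0 / transfer_mb_s * 1000.0
    service_ms = avg_seek_ms + rotational_latency_ms(rpm) + transfer_ms
    return 1000.0 / service_ms


def sequential_iops_per_drive(io_size_kb, transfer_mb_s=DRIVE_TRANSFER_MB_S):
    """Sequential I/O: seeks are amortised away and the drive streams at its
    transfer rate, so the same disk delivers thousands of IOPS."""
    return transfer_mb_s * 1024.0 / io_size_kb


def drives_for_capacity(required_gb, drive_gb=DRIVE_SIZE_GB):
    """Sizing on volume alone (parity overhead ignored)."""
    return math.ceil(required_gb / drive_gb)


def drives_for_iops(host_iops, read_fraction, write_penalty, per_drive_iops):
    """Sizing on the I/O profile. write_penalty is the number of back-end disk
    operations one host write turns into (RAID-5 read-modify-write: 4)."""
    backend_iops = (host_iops * read_fraction
                    + host_iops * (1 - read_fraction) * write_penalty)
    return math.ceil(backend_iops / per_drive_iops)


def latency_under_load_ms(outstanding_ios, delivered_iops):
    """Little's law (W = L / lambda): average response time is the number of
    requests in flight divided by the rate at which they complete. Command
    queuing may raise the delivered IOPS a little, but the relationship holds."""
    return outstanding_ios / delivered_iops * 1000.0


def size_example():
    """Constructed workload: 10 TB of capacity, but a 1 TB hot set driven at
    2000 random 8 KB IOPS, 70% reads, on RAID-5."""
    per_drive = random_iops_per_drive(io_size_kb=8)
    return {
        "random_iops_per_drive": round(per_drive, 1),
        "sequential_iops_per_drive": round(sequential_iops_per_drive(8)),
        "drives_by_capacity": drives_for_capacity(10_000),
        "drives_by_iops": drives_for_iops(2000, 0.7, 4, per_drive),
        "latency_ms_at_qd32_on_one_drive": round(latency_under_load_ms(32, per_drive)),
    }


if __name__ == "__main__":
    for name, value in size_example().items():
        print(f"{name}: {value}")
```

Running it shows that ten 1TB drives cover the capacity, while the random 8KB profile needs 49 of them, and that the same drive streams nearly 20,000 sequential IOPS, which is not the figure to size a random workload against. Keeping 32 requests outstanding against one saturated spindle gives an average response time of around 400ms, which is the sense in which IOPS and latency are separate questions.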

Post can be found here, interesting reading;

http://blog.richardelling.com/2012/03/iops-and-latency-are-not-related-hdd.html

K

Malware everywhere, even on Apples..

Various sources have been reporting on the recent Java hole that enabled malicious individuals to infect upwards of 600,000 Apple Macs that were running the latest, fully patched version of the O/S.

This Java vulnerability was actually known about some time last year and has been patched on other systems.  Apple, in its continued, and frankly misguided, belief that its systems are safe and don’t need protection like anti-virus software, chose not to patch the hole until hundreds of thousands of its customers had been infected.

The reality is that all consumer computer systems have vulnerabilities and it should be the expected duty of vendors to patch these as quickly as possible to protect their customers and their privacy.

We have all knocked companies like Microsoft for the number of vulnerabilities in, and attacks against, their software, but the reality is that over the last few years Microsoft has made huge progress in producing more secure software, patching in a very timely manner, providing free tools like anti-virus, and working with law enforcement to bring down criminal botnets.

Apple has avoided many exploits being created as it has historically been such a niche player.  Why create an exploit for a few machines when you can create one for orders of magnitude more?  As Apple has become more successful and there has been increased uptake of its products in the office, it has become a more interesting and valuable target for criminals to try to exploit any vulnerabilities.

It is time for Apple to pull its socks up from a security standpoint, and to become both more proactive and transparent in how it deals with issues and helps protect its customers.

For us users of any operating system it’s yet another reminder that we should keep our systems patched and run software to protect us from viruses etc.  Oh, and not to trust vendors when they tell us their systems are safe and don’t need further protection.

Some detail and commentary on this issue can be found here at the links below;

http://nakedsecurity.sophos.com/2012/04/04/apple-patches-java-hole-that-was-being-used-to-compromise-mac-users/?utm_source=Naked+Security+-+Sophos+List&utm_medium=email&utm_campaign=a6d16b7680-naked%252Bsecurity

http://news.cnet.com/8301-13579_3-57410476-37/apples-security-code-of-silence-a-big-problem/?part=rss&subj=news&tag=2547-1_3-0-20&tag=nl.e703

K

Firefox to use Google secure search by default

Now that the Google secure search offering has matured in terms of scale and performance, Firefox is moving to use Google secure search as its default search provider.

From a privacy / security perspective this is great news as it makes it much more difficult for people to view your searches / search terms.  As always, the solution is not foolproof, and Google breaks the ‘security’ for paid advertiser links etc.  However, this is a good step in the right direction for improving security / privacy online, and search security / privacy specifically.

More details can be found here;

http://searchengineland.com/firefox-to-use-google-secure-search-by-default-116231

If you want to use Google secure search yourself, just replace http with https in the address bar when you use Google search.

K

TSA’s good catches of 2011 or Terrorists can’t use ziplock bags

As an interesting follow up to my previous post ‘real security – safety vs. liberty’ that can be found here;

http://kevinfielder.wordpress.com/2011/01/03/real-security-safety-vs-liberty/

I came across the TSA (Transportation Security Administration) blog posting on their top 10 good catches of 2011.  Now bear in mind this is their own blog, not an independent news report, so it can be expected to paint them in the best possible light..;

http://blog.tsa.gov/2012/01/tsa-top-10-good-catches-of-2011.html

So mostly forgetful / stupid passengers, the odd criminal and 1 person who took C4 through one airport and only got caught on the return flight.

You will notice ZERO terrorists or terrorist plots foiled.  We are beholden to more and more checks that in fact do nothing to catch or prevent terrorism.  When will the voice of reason prevail over checks that appear ill-conceived and only get enacted as poorly thought-out, knee-jerk reactions to previous issues?

The chairman of BA has echoed similar sentiments as quoted in this Daily Telegraph report;

http://www.telegraph.co.uk/travel/travelnews/8089096/Airport-security-checks-are-completely-redundant-BA-chairman-says.html

To further back up my opinions on how ridiculous many of these new checks are, I recently flew from Luton to Dublin.  On my way out I duly had my clear plastic bag of toiletries, all less than 100ml, and a total of well under 1 litre.  No problem, I thought, I am well prepared.  However my bag was a clear tie-handle bag.  I was stopped and told they have to be in a resealable zip-lock type bag.

How this will reduce terrorism I do not know.  As per the title, has recent research proven that those inclined to blow up or take control of aeroplanes struggle with zip-locks, but can tie handles together?

The problem with all of this is that we, as the people who are not actually being served or protected by these extra checks, cannot question or challenge them – if you argue or protest you can’t fly, simple as that.  It’s about time someone saved us all time, and airports money, by reviewing exactly what checks are sensible and needed.

K

Cloud computing is complex..

Recently came across an excellent article around the complexity of cloud here;

http://blog.theloosecouple.com/2012/01/10/cloud-complexity-its-a-wrench/

If you just use / consume cloud computing the concept seems simple enough, and on the surface it is.  However, if you are implementing a cloud-type service, whether a huge public cloud or a smaller private cloud, the work involved is considerably more complex.

The cloud concept is to deliver IT services as a utility, much like power or other utilities.  From a consumer viewpoint this makes the consumption of the services a simple idea.  The provision of these services in a reliable, location-independent, scalable manner is far from simple.  Many larger businesses are either implementing or at least considering the idea of a private cloud; if you are in this camp, or just interested in the complexities of implementing cloud computing, then this article makes a great read!

K

Hackers outwit on-line banking security

If you ever doubted either the inventiveness of criminals or the need to take sensible security precautions, this story should be a wake-up call;

http://www.bbc.co.uk/news/technology-16812064

Hackers have developed ‘Man in the Browser’ attacks that potentially allow them to circumvent even the relatively new two-factor chip-and-PIN security many banks now implement.  These attacks also have the potential to at least temporarily evade protection such as AV software and blacklists, as they redirect to new sites that are not yet known to security firms.

In short, stay vigilant, keep your computer(s) protected and up to date, and always use security software such as anti-virus etc.  And, as documented by Bruce Schneier several years ago, we need to look at authenticating each transaction.
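As an added example of what ‘authenticating each transaction’ means in practice (my own toy Python model, not code from the BBC story, from Schneier or from any bank), the user’s token computes a short code over the transaction details the user confirmed on the token’s own display, and the bank recomputes the code over the details it actually received. A transaction altered between the user and the bank no longer matches, whereas a code that only proves the login says nothing about the transaction. The shared key, the account numbers and the transaction values are constructed for illustration.

```python
import hashlib
import hmac

# Fields the code must cover, in a fixed order, so the user's token and the
# bank both compute the MAC over identical bytes.
FIELDS = ("account", "payee", "amount", "currency", "nonce")


def canonical(txn):
    """Serialise the covered fields deterministically."""
    return "|".join(f"{f}={txn[f]}" for f in FIELDS).encode()


def transaction_code(key, txn):
    """Code the user's token derives from the details the user confirmed
    (HMAC-SHA256 truncated to 8 hex digits, short enough to type)."""
    return hmac.new(key, canonical(txn), hashlib.sha256).hexdigest()[:8]


class Bank:
    """Constructed bank-side verifier sharing a key with the user's token."""

    def __init__(self, key):
        self._key = key
        self._used_nonces = set()

    def accept_with_session_otp(self, session_authenticated, txn):
        """Login-only check: once the session has passed its one-time code,
        whatever the browser submits is executed. Nothing ties the code to txn."""
        return session_authenticated

    def accept_with_transaction_code(self, txn, code):
        """Per-transaction check: the code must match the details received."""
        if txn["nonce"] in self._used_nonces:
            return False  # a code that was already used is not accepted again
        expected = transaction_code(self._key, txn)
        if not hmac.compare_digest(expected, code):
            return False  # code was computed over different details
        self._used_nonces.add(txn["nonce"])
        return True


def demo():
    """Constructed scenario: the user confirms a payment to one payee, but the
    transaction the bank receives names a different payee."""
    key = b"constructed-shared-key-between-token-and-bank"
    bank = Bank(key)
    confirmed = {"account": "12345678", "payee": "GB00PLUMBER0001",
                 "amount": "50.00", "currency": "GBP", "nonce": "000001"}
    received = dict(confirmed, payee="GB00OTHER0000099")  # altered in transit
    code = transaction_code(key, confirmed)  # token signed what the user saw
    return {
        "session_otp_accepts_altered": bank.accept_with_session_otp(True, received),
        "txn_code_accepts_altered": bank.accept_with_transaction_code(received, code),
        "txn_code_accepts_confirmed": bank.accept_with_transaction_code(confirmed, code),
        "txn_code_accepts_replay": bank.accept_with_transaction_code(confirmed, code),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that the token’s display, not the browser, is where the user sees the payee and amount, so the code only ever covers details the user actually confirmed; the nonce stops a genuine code being accepted twice. A real deployment would also bind the code to a time window and use a longer code, but the binding of the code to the transaction fields is the part that matters.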

K