Justin Timberlake, Asset Disposition & Rocking IT Security; Knowledge 16 – Day 2

Day 2 of Vegas!

After an amazing breakfast (cake!) it was time for the first keynote of the day.

Drive The Service Revolution – Dan McGee, Chief Operating Officer, ServiceNow

Dan opened the day in style with his take on what customers want: “what matters most to our customers? Ease of use!” Dan went on to explain the challenges faced by most organisations wrangling with complexity whilst trying to deliver value.

Dan talked about how moving to a single platform makes life easier:

Dan continued by talking about how just having a single platform isn’t the answer. To be truly efficient, we need a platform that enables people to collaborate easily; giving customers a connected experience across the platform.

Dan talked about the new ServiceNow Connect model for managing inbound communications “Connect is way more than chat, people can subscribe to information so that the right information can find you”. Dan continued by explaining that the Connect experience is available on every application within the ServiceNow platform using visual task boards to promote ease of use.

Kevin Murray (Senior Director of Product Marketing at ServiceNow) and Farrell Hough (GM & VP ITSM & Product Operations at ServiceNow) joined the stage to demonstrate how easy Connect is to use, raising, assigning and escalating an Incident in mere seconds.

The next part of the session focused on the sparkly new partnership between ServiceNow and Microsoft.

It’s always nice when companies play nicely with each other, and this collaboration means that companies transitioning to a public cloud environment can better manage their cloud resources with a single system of record, letting users track all their cloud resources through a self-service portal.

Dan moved the session on to talk about security. According to Dan “security is broken. It takes organisations an average of 206 days just to spot a breach”. Dan continued by running a demo of how ServiceNow can handle security showing how the connected workflow can patch a security threat in seconds going through the Incident – Emergency Change process.

Dan talked about the practical experience that went into ServiceNow’s security ethos: “the last thing you want to do at three o’clock in the morning when you’re dealing with a crisis is to pull out a long procedure, written on a pdf by a consultant”. I hear you Dan; as a former Major Incident Manager for a large investment bank, I’ve been there. Dan talked about how important security is to ServiceNow, sharing that third party penetration tests are carried out on every single ServiceNow release.

The penultimate part of Dan’s session focused on customer service management. As Dan explained it, “only 8% of customers think they’re experiencing good customer service. Doing nothing is not an option”. The ServiceNow customer service management technology will help customers “get off the ticket treadmill”, and customers are reporting an average of 92% less time being spent on recurring Incidents. Campbell Soup and Becton Dickinson both shared their experience of how ServiceNow has helped them to be more efficient. It was then time for more product demonstrations as Deepak Bharadwaj (General Manager, HR Unit at ServiceNow) and Pat Calhoun (SVP Product at ServiceNow) joined Dan on stage to show how ServiceNow can be used to onboard a new hire just from a mobile phone app.

Dan finished on a preview of forthcoming attractions. A full benchmarking analysis tool of how ServiceNow compares against other industry players will be released in the autumn (or the fall if you’re reading this from the US) so watch this space!

The IT Asset Disposition Marketplace at eBay – Richard Donaldson, Director of Business Operations & Strategy, eBay

Richard’s session was about the Asset Management journey at eBay. Richard started by giving the audience some background on eBay. Not only is it the world’s largest online marketplace, it manages over 900 million live listings, has 83,000 physical servers and more than 433,000 network ports. That’s one complex environment.

Richard recounted how he had discovered the need for an Asset Management strategy when he realised that his organisation was paying over the odds for support costs, sometimes paying for support on assets that had already been returned.

Richard talked about the strategy used, which enabled eBay to move towards a leaner asset and inventory model. On generating business support for Asset Management, Richard had this to say: “I’d love for Justin Timberlake to make Asset Management sexy because the cost savings are astronomical”. Us too Richard. I’m bringing Asset Management back, anyone?

Richard explained the need for business buy-in and for service refreshes: “we use Amazon, eBay and Google at home, then we head into work and it’s like going back to the stone age”. Richard then shared some of the benefits realised from doing Asset Management; on retired hardware alone, his company makes over $20 million a year by selling it on to be refurbished and resold after wiping the data: “believe me, with what we use to wipe our servers, not even a cockroach could survive”.

Richard concluded by sharing his three top tips:

  1. Asset disposition is a key pillar of lean inventory management
  2. Purchasing, management and disposal of assets is inefficient across all industries
  3. A market place for IT asset disposition can create value for all organisations

Panel Session: The Service Revolution in Risk & Compliance

Next up was a panel of experts talking all things ServiceNow risk and compliance. The panel was made up of:

  • Nathan Dupirack – Product Manager – ServiceNow
  • Carri Thompson – Director of Governance, Risk Management & Compliance – ServiceNow
  • Andrew Wheatley – Head of Internal Audit – ServiceNow
  • Tina Price – AVP IT Security & Governance – Careworks
  • John Johnson – Director of Internal Audit and SOX Compliance – Red Robin

The first topic up for discussion was how ServiceNow can support Governance Risk & Compliance, or GRC. John talked about how ServiceNow had enabled his organisation to move from spreadsheets to a single out-of-the-box SOX solution, and Tina shared how using a dedicated tool had given her organisation a more holistic view of risk, enabling her department to be more streamlined and efficient.

Andrew gave the audience some background to GRC and ServiceNow, explaining “our priority was to step away from the 90s technology and automate the workflow to manage risk; our main focus is automation, self service and transparency”. Carri gave the audience an idea of the commitment ServiceNow has to GRC: ServiceNow is aligned to 15 different standards and frameworks.

The second topic of discussion was how GRC can evolve over time. Tina talked about how GRC can be applied beyond auditing to support other areas such as IT Service Continuity Management. Tina shared her top tips for GRC transformation “look for quick wins to drive adoption and evolution; it gives your stakeholders and auditors the message that compliance is important to you”. John advised delegates looking to introduce continuous monitoring to ensure that ownership is in place and that a process exists to manage exceptions.

CMDB Optimisation At Johnson & Johnson – Anders Rajka, Senior Business and Information Technology Executive at Johnson & Johnson

My afternoon was rounded off by a session on CMDB optimisation. Anders opened the session by giving the audience some background information on Johnson & Johnson. J&J are a global leader in healthcare (and baby shampoo) with 128,000 employees. The J&J CMDB has over 5 million CIs, over 4,600 service requests for CI reports and over 4,000 ServiceNow users or as Anders put it “a big company with big complexities and lots of technical debt.”

The J&J Configuration Management mission was to reduce the number of applications by 40%. They did this by moving to a federated CMDB model in order to support IT operations, enable a move to a cloud based environment and increase transparency. This led to cost savings through removing duplicated and legacy assets as well as increased customer satisfaction.

The J&J CMDB optimisation project was implemented over 3 main releases, using Agile to keep the project on track. This included 38 user stories and 10 epics over 3 releases and 8 sprints, proving that you can use Agile and Lean in a validated environment. Anders talked about the need for effective organisational Change Management to drive service transformation, sharing that he used the CIO newsletter to promote the benefits of the CMDB.

The benefits of the project were impressive: a 47% reduction in CIs, 895 fewer relationships and 1,000 end users trained. The downtime associated with product upgrades was reduced by 50%, data quality was improved and the improved service visibility led to a reduction in Incident resolution times.

Anders concluded by sharing his three top tips:

  1. Keep your CMDB simple and federate where you can
  2. Adopt Agile and Lean for a quick return on value
  3. Enable transformation via effective organisational change

 

That’s all for now; come back soon for our recap of Day 3!

 


 

Protecting our Data; a quick guide to password management

So here it is. I think we can safely say that it hasn’t been a great few weeks for security or protecting people’s personal information. At the time of press both Vodafone and Talk Talk had been hit by security breaches and there are lots of anxious customers worried if their personal data has been compromised.

In the case of Vodafone, the data breach was external to Vodafone, i.e. the data had been found elsewhere and the hackers were trying credentials from some other breach on the Vodafone corporate site to see how many customers had reused their passwords.


Password Management Best Practice

In a digital age, how do we keep our data safe? Here are our top tips for password management best practice (and no, we don’t recommend you try squirrel noises!).

VARIETY

– Do NOT use the same password for everything. I know, I know, it’s a pain in the hoop having to remember multiple passwords, but research shows that if your credentials are compromised, hackers will often try the same login details on Amazon, eBay, PayPal etc. Nothing is bulletproof 100% of the time, so let’s at least apply some damage limitation to the situation.

STRONG PASSWORDS

I had a real “ah here” moment a few months ago. I was given access to a corporate system for an organisation that will remain nameless. The system in question gave me access to the corporate e-mail & SharePoint systems as well as some key competitor & market trend analysis. What was the password? Wecome1. Come on people, we can do better than that!

A few simple hints and tips are:

  • Use long, complex passwords. Use multiple cases (i.e. capital & small letters), numbers & symbols / special characters.
  • Don’t use words that can be found in a dictionary. There are password cracking tools freely available on the internet which can crack passwords using what’s known as a “brute force” attack.
  • Don’t use your e-mail address, network id or personal information such as your National Insurance number or date of birth.
  • Don’t use common passwords such as “password” (and yes, people still do this) or “welcome”.
  • Don’t use sequential passwords such as 1 2 3 4 or QWERTY. No, just no!
  • Try using part of a saying to make a complex password easy to remember. One example we all know is Money Makes The World Go Round – so how do we make a secure password? Abbreviate, mix the cases up, substitute letters with characters and add in some numbers – suddenly you have a password that’s much harder to guess, for example 20mMtw9R*15.
  • You could also consider using a password manager. Password managers are software applications that securely store all your passwords so you only have to remember one password. The stored passwords are encrypted, so you have to create one strong master password that will give you access to the rest of your saved passwords. There are lots of password managers available online; RoboForm, Dashlane and PasswordBox are some examples that have been recommended by CNET, InfoWorld and PC Mag.
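As an added example (not part of the original post), here is a small Python checker that applies the rules in the list above: it rejects short passwords, passwords without mixed case, numbers and symbols, dictionary and well-known words, keyboard and counting sequences, and anything containing the user’s own details. The word lists and the 10-character minimum are assumptions, not figures from the post.

```python
import re
import string

# Constructed word lists for illustration only; a real deployment would load a
# full dictionary and a breached-password corpus instead of these few entries.
DICTIONARY_WORDS = {"welcome", "money", "world", "summer", "dragon", "monkey", "round"}
COMMON_PASSWORDS = {"password", "welcome", "letmein", "admin", "123456", "qwerty"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def _normalise(text: str) -> str:
    """Lower-case and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _has_sequential_run(candidate: str, run: int = 4) -> bool:
    """True if any window of `run` characters is a straight ascending or
    descending run (1234, abcd, dcba) or a keyboard-row fragment (qwer, asdf)."""
    low = candidate.lower()
    for i in range(len(low) - run + 1):
        window = low[i:i + run]
        codes = [ord(c) for c in window]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
        if any(window in row or window in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def check_password(candidate: str, personal_info=(), min_length: int = 10) -> list:
    """Return the rules from the tips above that `candidate` breaks.

    An empty list means the password passes every rule. `personal_info` holds
    strings such as an e-mail address, network id or date of birth that must
    not appear in the password. The 10-character minimum is an assumption.
    """
    failures = []
    low = candidate.lower()
    alpha_only = re.sub(r"[^a-z]", "", low)
    normalised = _normalise(candidate)

    # "Use long, complex passwords"
    if len(candidate) < min_length:
        failures.append(f"length: fewer than {min_length} characters")

    # "Use multiple cases, numbers & symbols"
    has_lower = any(c.islower() for c in candidate)
    has_upper = any(c.isupper() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    has_symbol = any(c in string.punctuation for c in candidate)
    if not (has_lower and has_upper and has_digit and has_symbol):
        failures.append("complexity: needs lower case, upper case, digits and symbols")

    # "Don't use words that can be found in a dictionary"
    if any(len(w) >= 4 and w in alpha_only for w in DICTIONARY_WORDS):
        failures.append("dictionary: contains a dictionary word")

    # "Don't use common passwords such as 'password' or 'welcome'"
    if low in COMMON_PASSWORDS or alpha_only in COMMON_PASSWORDS:
        failures.append("common: matches a well-known password")

    # "Don't use sequential passwords such as 1 2 3 4 or QWERTY"
    if _has_sequential_run(candidate):
        failures.append("sequential: contains a keyboard or counting sequence")

    # "Don't use your e-mail address, network id or personal information"
    for item in personal_info:
        tokens = {_normalise(item)} | set(re.split(r"[^a-z0-9]+", item.lower()))
        if any(len(t) >= 4 and t in normalised for t in tokens):
            failures.append(f"personal: contains part of '{item}'")
            break

    return failures
```

The saying-based example from the list, 20mMtw9R*15, passes every rule, while Welcome1 fails four of them.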

So there you have it. It’s a jungle out there, so stay safe people! One last thought though: it’s not all doom and gloom. Check out Vodafone Ireland’s latest TV ad if you’re an anxious Vodafone UK or Talk Talk customer in need of cheering up. Guaranteed to make you smile, promise.

That’s all folks.


ITSM Industry News Roundup – Incl JP Morgan Chase Hack

No time to read all the interesting news and info floating around social media and appearing in your inbox? Read our round-up of what we’ve found interesting this week.

  • Why You Should Drop Staff Who Are Not Cloud Savvy – Cliff Saran explains why CIOs need to lose traditional staff not ready to move to the cloud. Read more here
  • Understanding Services – It’s Not Really Magic – Ryan Ogilvie talks the magic of service. Read more here
  • This is Why the Enormous JP Morgan Chase Hack is so Scary – Chris Gayomali at Fast Company asks if banks are still our safest institutions. Read more here
  • I Tried Living on One Browser Tab and Almost Died – Remember last week’s People Who Jump From Screen to Screen Have Less Gray Matter post? Well, here’s what happened to John Ness when he tried working in only one browser tab.
  • The Interface from Dev to Ops isn’t Going Away; it’s Rotating – Donnie Berkholz talks about how the shift changes the roles of developers and operations teams. Read more here (via @mselheimer)
  • The Unpatchable Malware That Infects USBs is Now on the Loose – Stakes are raised for USB makers after undetectable malware code is released on Github. Read more here
  • Big Data for Small Business – Why it Matters! – Bernard Marr explains why you don’t have to be big for big data to apply. Read more here (via LinkedIn)

Got some interesting news to share – say hello via @gobbymidget 


ITSM Industry Roundup

Fetching you the news!

No time to read all the interesting info floating around social media and appearing in your inbox? Read our round-up of what we’ve found interesting this week.

  1. Firms failing on security basics, says Websense – Businesses still failing on the basic requirements for information security such as visibility of their data assets, says security firm Websense. Read more here
  2. ITIL Exam Figures Dropping – ITIL Exam figures for the first half of show a considerable loss compared to 2013. Read more here
  3. Cherwell release major new version – Oooh, shiny! Check out version 5 here
  4. People Who Jump From Screen To Screen Have Less Gray Matter In One Brain Region, Study Finds – As if we needed any more reason not to multi-task! Read more here
  5. Get More from Difficult People by Shaping Your Requests as Questions – Who doesn’t have to deal with someone on at least a semi-regular basis who lives to be just plain awkward? Read more on how to deal with it here
  6. You’re building what?! More bad CIO decisions – Not focused on the areas where technology will have the greatest impact? Then you’re doing it wrong. Read more here
  7. Employees waste 54 minutes per day as IT systems keep businesses in the slow lane – read more here (Via @knowledgebird)
  8. BMC sues ServiceNow – things are getting nasty between the two ITSM industry giants, read more here.
  9. Around 35% of Australian workers complain they are hindered at work by issues with legacy IT systems. Would be interesting to see the numbers in the UK. Read more here

Got some interesting news to share – say hello via @gobbymidget 


How to manage third-party service, support and security

U.S. retailer Target saw one of the largest thefts of credit card data in recent history

Productivity expert David Allen once stated that his approach, “Getting Things Done,” was based on the simple premise that you can’t do everything. In IT, we face this problem every day. Whether it is due to lack of domain specific expertise or simply not enough resources to handle all of our IT services, there are many reasons why we might look to third parties to help support our requirements.

Third party access can come in various guises – from full IT support and service operations, to specialist knowledge that is required on an irregular basis. The majority of this support is delivered remotely over the internet, making third-party outsourcers an even more cost-effective solution.

A research report by Ovum last year highlighted how many third parties have access to company IT networks. While 12% of organisations ran everything themselves, the majority of companies (56.3%) surveyed across Western Europe had granted access to between one and four suppliers, while 28.3% had between five and 29 suppliers. One company admitted that it had more than one hundred organisations with permission to access their networks.

Why does this matter? 

One word: Security.

Third party access is only going to grow, as more devices become internet-enabled and more specialist knowledge is required to keep them running. However, third party access is also one of the areas where control and management is often overlooked. There are plenty of options out there for remote access to networks, but the security and management of those tools is not as mature. Too often, access is binary and broad. The third-party either has access to the entire network, or it doesn’t.

This is a significant security risk, as witnessed by the attack on U.S. retailer Target last year, one of the largest thefts of credit card data in recent history. Poor third party access management opened the door for hackers to access the entire Target network via the vendor responsible for managing the firm’s air conditioning services. Once in, the attackers were able to use a variety of tricks to navigate from that section of the network and to the credit card database servers.

The current press attention around remote access security should drive better industry practices, but there are further proactive steps that service desks can take now to protect themselves.

Steps to take

For companies running their own service desks, security around third party access should be part of the overall request management process. When internal customers ask for new services or need help that a third party will provide, consider the management of the session as part of the request process.

This includes being able to control access. Why should a third party have access to everything on the network when they are being asked to fix a specific problem? Locking down access – either to a specific section of the network, or only allowing the third party to reach certain devices or applications – is one option that service desks can look at in more detail. Service desks should also capture a full audit trail of every action a third-party technician takes while on their network, and set up alerts for any suspicious activity, such as a vendor logging in in the middle of the night.
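An added example, not from the original article, of the audit-and-alert step above: a Python check that reads constructed access-log lines for third-party accounts and raises an alert when a vendor account reaches a host outside its agreed scope or logs in outside its agreed hours. The log format, account names, host names and time windows are all assumptions chosen to illustrate the article’s scenario.

```python
import re
from datetime import datetime, time

# Constructed vendor access policy: which third-party accounts may reach which
# hosts, and during which local hours. Hypothetical names, not from any real site.
VENDOR_POLICY = {
    "hvac-vendor": {"hosts": {"bms-ctrl-01", "bms-ctrl-02"},
                    "hours": (time(7, 0), time(19, 0))},
    "erp-support": {"hosts": {"erp-app-01"},
                    "hours": (time(8, 0), time(20, 0))},
}

# Assumed log line layout: ISO timestamp, then key=value pairs.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) action=(?P<action>\S+)$"
)

# Constructed sample audit trail; the third and fourth lines are the ones a
# service desk would want to hear about.
SAMPLE_LOG = """\
2015-06-02T09:15:00 user=hvac-vendor host=bms-ctrl-01 action=login
2015-06-02T09:40:00 user=hvac-vendor host=bms-ctrl-01 action=config-change
2015-06-02T03:12:00 user=hvac-vendor host=bms-ctrl-02 action=login
2015-06-02T03:20:00 user=hvac-vendor host=pos-db-01 action=login
2015-06-02T14:05:00 user=erp-support host=erp-app-01 action=login
2015-06-02T14:10:00 user=jdoe host=file-srv-01 action=login
""".splitlines()


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "host": m["host"], "action": m["action"]}


def audit(lines) -> list:
    """Return one alert dict per event that breaks the vendor's agreed scope or hours.

    Internal accounts (not in VENDOR_POLICY) are ignored by this check; lines
    that cannot be parsed are reported so a gap in the audit trail is visible.
    """
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            alerts.append({"raw": line.strip(), "reasons": ["unparseable log line"]})
            continue
        policy = VENDOR_POLICY.get(event["user"])
        if policy is None:
            continue
        reasons = []
        if event["host"] not in policy["hosts"]:
            reasons.append("out-of-scope host")
        start, end = policy["hours"]
        if not (start <= event["ts"].time() < end):
            reasons.append("outside agreed hours")
        if reasons:
            alerts.append({"ts": event["ts"].isoformat(), "user": event["user"],
                           "host": event["host"], "action": event["action"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print(alert)
```

Run against the sample trail it flags the 03:12 login as out of hours and the 03:20 login to pos-db-01 as both out of hours and outside the vendor's permitted hosts; every other line stays quiet.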

For third-party service providers, keeping their customers’ networks secure should be top of mind. Just as the doctor’s Hippocratic oath states, “Do No Harm”, so too should third-party providers reduce security risks to their customers around remote access. Implementing secure remote access tools and best practices will help service providers set themselves apart from competitors and improve customer loyalty.

Ultimately, third party access has to be secure, auditable and controlled. At the same time, the requirement for more flexibility in how services are delivered will make remote access by third parties even more common than it is today. Within the overall service delivery strategy, keeping this third party access under control is a key management task to consider.


Eight Principles for Transforming Cybersecurity

Enterprises today not only have to defend their assets – they must hunt.

This article was contributed by Robert Stroud, Vice President at CA Technologies.

Just five short years ago, cybercrime represented just 1% of all economic crime (source: PricewaterhouseCoopers, Global State of Information Security Survey, 2011). By 2011, that number jumped to 23%, and we can continue to expect those numbers to climb.

The numbers aren’t the only thing increasing – so too are the complexity and persistence of these crimes. According to an ISACA survey of more than 1,000 security professionals, more than 9 in 10 respondents believe advanced persistent threats (APTs) represent a credible threat to national security or economic stability. Among the enterprises that have experienced an APT attack, one in three were unable to determine the source (source: ISACA, Advanced Persistent Threat Awareness Study Results, 2014, publishing in April).

There is no question that cybercriminals are more sophisticated than ever before. Enterprises today not only have to defend their assets – they must hunt. Detection and response, rather than prevention, are becoming the focus. But with a growing skills gap, still-lean budgets and constantly evolving threats, where can enterprises start?

Eight principles

In its Transforming Cybersecurity Using COBIT 5, global association ISACA recommends starting with these eight principles:

  1. Know the potential impact of cybercrime and warfare. Make sure you are aware of the potential damage a cyber attack can cause and the wide-ranging impact it may have. The organization must decide the risk level it can tolerate in order to ensure the appropriate level of cybersecurity governance.
  2. Understand end users, their cultural values and their behavior patterns. As the ISACA guide notes, “Business impact and business risk relating to cybersecurity arrangements are strongly influenced by organizational and individual culture.” The culture – and the resulting end-user behavior and patterns – should be accounted for in the enterprise’s strategic, tactical and operational security measures.
  3. Clearly state the business case for cybersecurity and the risk appetite of the enterprise. The business case outlining expected value and tolerable risk will drive the overall cybersecurity strategy. As a result, the business case must have depth and definition. Among its contents, it must include cost-benefit considerations and the organization’s culture and values pertaining to cybersecurity.
  4. Establish cybersecurity governance. There is no need to reinvent the wheel here. Adopting and customizing a governance framework such as COBIT will give you the tried, tested and proven governance guidance you need. By effectively governing cybersecurity, an organization provides a clear sense of direction and boundaries.
  5. Manage cybersecurity using principles and enablers. The principles and enablers found in COBIT 5 will help your organization ensure end-to-end governance that meets stakeholder needs, covers the enterprise end to end and provides a holistic approach, among other benefits. The processes, controls, activities and key performance indicators associated with each enabler will provide the enterprise with a comprehensive picture of cybersecurity.
  6. Know the cybersecurity assurance universe and objectives. Cybersecurity covers multiple areas and aspects within information security. To provide adequate assurance over cybersecurity, the cybersecurity universe must be well defined, and the assurance objectives must be clear and manageable.
  7. Provide reasonable assurance over cybersecurity. This principle requires all three lines of defense within an enterprise to be defined and managed. This includes monitoring, internal reviews, audits and, as needed, investigative and forensic analysis.
  8. Establish and evolve systemic cybersecurity. Cyber attacks target the weakest link in the system. As a result, cybersecurity must be looked at as a system of interdependent elements and the links between them. To optimize cybersecurity, the enterprise must have complete understanding of this dynamic system and must be fully aware that security governance, management and assurance cannot be viewed in isolation.

Using COBIT

While no company can be 100% secure, regardless of the controls and security measures it has in place, companies that use good practices such as COBIT are off to a good start. COBIT treats cybersecurity systemically. It helps ensure that an organization has end-to-end policies and processes in place, which helps them recover more quickly and effectively after a breach.

Using COBIT 5, enterprises approach cybersecurity as a business process that is aligned with the enterprise’s governance, risk management and compliance arrangements. They divide it into four phases: prepare, investigate, remediate/respond and transform. The “transform” phase is especially key, as it ensures that the post-incident analysis leads to key insights and improvements that are put into practice. By using COBIT 5 to transform cybersecurity in your enterprise, you can help ensure that cybersecurity is transformed systemically.

Consider this sobering statistic from the ISACA APT survey: one in five enterprises have experienced an APT attack. That number is only going to grow. Take advantage of the excellent guidance out there and make sure your enterprise is following these eight principles, so that you are ready to prepare for, detect and respond to a cybersecurity attack.


Security after Snowden – what do I need to do?

The implications of the revelations of ex-NSA employee Edward Snowden have been much discussed, and many people who were not previously concerned with cyber-security are now wondering what they should be doing. This is a good thing – but the danger has not changed, only the perception of it. Most of the ideas outlined here were well known, at least in broad terms, before this, but those who argued for them were considered paranoid.

If you’ve been asked to put a presentation together, maybe because your Board is suddenly wanting to know what can be done, then this, I hope, will be just the article for you. It is intended to be a quick, high-level guide to exactly that. The solution is not all, or even mainly, technical; the solution is actually a matter of sound service governance, as I’ll describe. So, what to do?

First: don’t panic! There is not very much that can be done in the short term. Rushing about trying to fix firewalls is likely to make things worse; a worthwhile solution must be thought out properly.

Secondly: do you need to do anything at all? Maybe not. It is only worth spending money to address a risk if the risk is credible and, if it happens, will have a large impact. If the worst happened and your most important competitor and all your customers and suppliers were to see all your corporate information, in detail, would your business suffer? For a good many businesses, the answer is ‘no, not really, not much’. If that is the genuine answer, then there is no need to waste money on expensive security measures. Many companies, on the other hand, would go out of business quite quickly in this situation – for them, it is essential, for good governance, to be certain that a proper cyber-security policy is in place, and then put into action.

What is the threat? Exactly the scenario outlined above. If somebody can access your information through a secret trapdoor in your firewalls, your applications, or your operating systems, then, in principle, anybody can.

Governance and Cyber-Security

The biggest risk to security isn’t technical at all. Anybody in your organisation can, if disgruntled, take what they’re allowed to have access to and share it with your competitor, the regulators or a foreign government. This is always the biggest risk.

How do you mitigate this one? Staff Satisfaction. If you have good governance, so that, as an organisation, you have fair policies, you are a good corporate citizen, so you help your community and you look after your staff by treating them fairly, giving them opportunities for advancement and training them, then you will have satisfied staff who will be loyal to you and won’t wish to let you down by revealing your corporate secrets to competitors.

So the first firewall you need to build is a wall of trust between your organisation and your staff – the same applies to suppliers and customers, you need to make sure that they also are part of your circle of trust so they don’t reveal things that could damage the organisation.

It helps too, because good governance ensures that the organisation is behaving ethically, so there are no skeletons in the cupboard waiting to be revealed by whistle-blowers.

Beyond that, you can make sure that your infrastructure is safe from cyber-criminals, spies (both genuine spies and industrial spies), hackers and so forth. This is not as easy as it seems, so it is worth considering technical solutions to cyber-security in a bit more detail.

Firewalls

The most obvious danger highlighted by Snowden’s revelations was how vulnerable organisations are to closed source solutions. In the past the simple-minded solution many people saw to security was to put everything behind a firewall. This has three problems:

  1. The firewall can be breached through any trap doors in its firmware and this breach will be undetectable
  2. Even if the firewall isn’t breached, closed-source operating systems can communicate back to the ‘mother ship’ through the firewall through their trap doors
  3. Even if your closed operating systems and closed firewalls are not letting anybody in, your closed applications can be.

On that last point, if you’re running Microsoft Office products on your computer, have a look at the activity monitor. Even if you’ve not used Word, say, for many hours, you’ll see it has clocked up lots of activity. What is it doing? It’s connecting back to Microsoft to check that your licence is OK – that’s it, you’re paying for it to do this several times a day, on your CPU. If Microsoft wanted it to send other information back, would you have any way of knowing?

Can you trust any closed-source firewalls, operating systems or applications? Snowden has shown that you can’t. It makes sense for anybody wanting to spy to put their bugs (in the sense of listening devices) as close to you as they can – and putting secret trapdoors into these devices simply makes sense (to a spy).

Why is open source any different?

It is still possible to put trapdoors into open source software. The difference is that you can get somebody to check the software and cut out anything in it that you don’t need, or that looks suspicious – and you can get open source software to log what it is doing honestly. Closed source software can put what it wants into a log; if it leaves out certain things it doesn’t want you to see it is doing, you can’t even know that they are missing.

If you look on the market, you will find that there are no open source firewalls, at least not hardware boxes. There is an open source operating system, though, Linux (let’s hope that in future there will be more, and better ones), open source word processing and spreadsheet software and other open source applications.

To reduce the risk, where possible, remove proprietary closed-source devices and replace them with open source ones. It would be expensive overkill to throw out everything proprietary at once. Rather, produce a service portfolio and concentrate on the services that are most important to the organisation and replace them with open source solutions first.

If you have a firewall made in China, and a firewall made in the US, you could try putting one firewall inside the other – that way you’re banking on the Chinese firewall blocking the US secret trapdoor and vice versa. Even if this worked, though, you still have the problem with operating system and application trapdoors.

A better solution is to shut down your firewalls. That seems a bit extreme, but if you have physical boxes as firewalls, you can’t do anything about the firmware they are running, so don’t use them. Make a Linux box your firewall with a software firewall. It might be a bit slower, but it will be safer.

What can be done in the long term?

If you have closed source solutions, see if your supplier can give you, or sell you, the source code. Then you can check that for trapdoors and remove anything you think suspicious or unnecessary.

Invest in open source development. There is no reason why an ‘open source’ router or firewall can’t be developed, where the hardware and firmware are all revealed and can be tested to see they have no trapdoors. This takes money, so organisations interested in long-term solutions need to invest in such efforts.

If you are going to have firewalls, make sure that they are governed properly. Do you actually know what the rules are on your firewalls at the moment? Probably not. Usually the rules are written in ‘techie-speak’ and only a few experts know what they are. This is bad governance. Invest in rule-based firewalls where the rules can be set by the policy you have for each service in a way that is understandable to non-technical people.
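To make the service-level rules argument concrete, here is an added example (not the author's, nor any product's code) in which each business service's firewall policy is written in business terms, compiled into nftables rules for a Linux software firewall, and rendered in plain English so a non-technical owner can audit it; the service names, networks, ports, owners and the `svc_fw` table name are constructed assumptions.

```python
"""Service-level firewall policy -> nftables rules, plus an audit rendering.
Added example; all service names, networks, ports and owners are constructed."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class ServicePolicy:
    name: str            # business service this rule exists for
    allowed_from: list   # CIDR networks permitted to reach the service
    ports: list          # TCP ports the service listens on
    owner: str           # business owner who signs off on the policy


def validate(policy: ServicePolicy) -> None:
    """Reject malformed networks or ports before they become live rules."""
    for net in policy.allowed_from:
        ip_network(net)  # raises ValueError on a bad CIDR
    for port in policy.ports:
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"{policy.name}: port {port} out of range")


def is_valid(policy: ServicePolicy) -> bool:
    try:
        validate(policy)
        return True
    except ValueError:
        return False


def compile_rules(policies: list) -> list:
    """Emit an nftables input chain: deny by default, one accept per service/source."""
    rules = [
        "table inet svc_fw { chain input {",
        "  type filter hook input priority 0; policy drop;",
        "  ct state established,related accept",
        "  iif lo accept",
    ]
    for pol in policies:
        validate(pol)
        ports = ", ".join(str(p) for p in pol.ports)
        for net in pol.allowed_from:
            fam = "ip6" if ip_network(net).version == 6 else "ip"
            rules.append(f'  {fam} saddr {net} tcp dport {{ {ports} }} accept comment "{pol.name}"')
    rules.append("} }")
    return rules


def explain(policies: list) -> list:
    """Same policy, in terms a service owner can read and sign off on."""
    return [
        f"{p.name} (owner: {p.owner}): reachable from {', '.join(p.allowed_from)} "
        f"on TCP {', '.join(map(str, p.ports))}; all other inbound traffic is dropped."
        for p in policies
    ]


if __name__ == "__main__":
    sample = [ServicePolicy("Payroll", ["10.20.0.0/16"], [443], "Finance"),
              ServicePolicy("Web shop", ["0.0.0.0/0", "::/0"], [80, 443], "Sales")]
    print("\n".join(compile_rules(sample)))
    print("\n".join(explain(sample)))
```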

If you do invest in open source development, the most promising area for fast, easily configured and effective cyber-security is using the same machines that are currently being used for bitcoin mining. They are getting cheaper all the time and are very, very fast. They are seen to be difficult to programme though, and, again, only experts know what they are doing.

There is a solution, though, which is to invest in open source development in Ada for these boxes (FPGAs, or field-programmable gate arrays, to give the jargon). Ada is a language invented by the US DoD to be reliable. It is very fast, and it is proven to be faster to write and faster to execute than assembler. It is possible to produce secure routers and firewalls with no trapdoors that can be configured at the service level (so the rules are understandable in business terms) using Ada – but a number of companies need to put up the investment capital to achieve this.

What can I do about it now?

Here is a short checklist of actions that should lead towards a more secure organisation. Not every organisation will need to do all of them, and not all will need to start with them at once, but this is the basis:

Short Term:

  • Audit your staff satisfaction.
  • Audit your customer satisfaction.
  • Audit your business and technical infrastructure.
  • Identify the greatest risks from weaknesses in the above.
  • Produce a plan to address these.

Medium & Long Term:

  • Fund a programme to govern services.
  • Establish a service portfolio to enable the board to understand which business services deliver most value, what they cost, what risks they are exposed to and how to mitigate those risks.
  • Use this portfolio to prioritise the requirements for the organisation into a corporate requirements register.
  • Design a set of solutions to address these requirements.
  • Build business cases for these solutions.
  • Execute the plans from the most appropriate business cases.

Conclusion

Security has never been a truly technical matter. The best security in the world can be circumvented in a few seconds by a whistle-blower. The correct response is not to panic, but to put in place a set of well thought-out policies and then, through well-designed procedures and processes, make sure that these policies are complied with. It takes time and money, but it is the only route to reaching a tolerable level of security. If you use a modern governance framework, such as that proposed by the King III commission, it will ensure that you act to be a good corporate citizen – which will reduce the risk of whistle-blowers by achieving satisfied staff, customers and suppliers.

It is worthwhile establishing service governance as the organisation’s main governance tool because it enables and improves all business processes, delivering value to stakeholders by ensuring, along with many other things, a proper balance between risk and investment in cyber-security. Decisions to invest in an aspect of security should be based on the appropriate requirements of each particular service and its stakeholders.

Much needs to be done to develop the secure infrastructure that can be used to implement the cyber-security policy. In an ideal world, companies exposed to the risk would invest collaboratively in producing components for secure infrastructure.

Why not suggest to your board, as part of good corporate citizenship (an important part of governance) investing in a secure open source project?

Enterprise Mobility Management: Concepts in Endpoint Management

The following article has been contributed by Roberto Casetta, Vice President EMEA, at FrontRange.

Empowering a mobile workforce is essential in any modern enterprise to meet business goals and remain competitive.  Mobility increases end user productivity, agility and job satisfaction, resulting in improved business performance.  Although workforce mobility is most often associated with the adoption of portable devices (i.e. smartphones and tablets), the topic is actually more applicable to the portability of IT services.  The core goal of mobility is to enable users to access business resources – including applications, data and other services (such as email, messaging and databases) – from any device at any location at any time.

Ironically, most end users have already embraced mobility concepts and incorporated them into their regular work experience.  In fact, according to research by industry analyst firm Enterprise Management Associates (EMA), roughly 58% of mobile device users and 29% of laptop users actually purchased the devices themselves and brought them into their workplace.

No longer content with being chained to an office environment, workers are demanding unprecedented mobile access to business IT resources.  In many cases, IT managers have been caught unprepared to support the influx of new requirements for supporting mobility. Introducing enterprise mobility is therefore primarily a challenge for IT operations to accept changes to its processes that will foster improved workforce productivity.

However, introducing process changes to support mobility is not a trivial matter. IT administrators are already exceptionally busy meeting existing server and desktop support requirements and service level agreements, while meeting security and compliance objectives.  Typically, IT administrators spend the bulk of their time on reactionary “firefighting,” often requiring an inordinate amount of out-of-hours support.  This leaves little time to implement new procedures for extending support to an additional set of mobile devices and operating systems.

Further resistance to supporting enterprise mobility comes from the fact that IT administrators are used to having complete control of the endpoints they support and are often reluctant to allow end users the freedom to select and use devices without restrictions.

To be effective in supporting workforce mobility, IT administrators must focus on the secure delivery of services, rather than maintaining control over the endpoints.  Devices also still need to be managed, but just to ensure they are optimally configured to perform business tasks, rather than fully governed by IT operations. This can be a difficult concept for IT administrators to accept as they must let end users take some or all responsibility for their own devices.

Enterprise mobility management processes shift the role of IT administrators to focus primarily on the secure and reliable delivery of business IT resources in order to empower end users with the flexibility to perform business tasks on any device with which they will be most effective.

Transitioning IT Operations to Support Workforce Mobility

In order for IT administrators to successfully enable enterprise mobility, management processes must be adopted that effectively reduce administrative efforts and costs while enabling broad but secure end user access to business IT resources.  Methods for achieving this can be logically segmented into three key areas.

Consolidate Management Processes and Resources

All user devices used to perform business tasks – including smartphones, tablets, laptops and desktops – should be monitored and managed from a single unified console. Begin by discovering configuration and status details on all devices and recording them in a consolidated asset data repository. This enables a holistic view across the support stack to facilitate rapid identification of issues and provides administrators with the strategic information necessary to make informed decisions on optimal configurations and proactive improvements.

Business applications, data, and services should also be consolidated onto enterprise servers (rather than distributed on endpoints) and then delivered to remote devices as a service. This creates a single point of management for business resources, greatly simplifying tasks such as patching, updating, and configuring. By shifting the primary management focus towards securing and delivering IT resources (rather than physical devices) administrators are able to address business-facing challenges while reducing support efforts. Additionally, delivering business resources as services allows end users to provision them on any device they wish.

Isolate Business Resources from Users’ Personal Resources

To ensure users have the freedom to employ their devices (whether employee or business-owned) in any capacity they choose, only the business resources that are served to the endpoints should be subject to enterprise restrictions.  To enable this, business resources must be isolated from personal applications and data.  The most common processes for achieving this include ‘containerisation’, virtualisation, and application wrapping.  Regardless of which method is employed, the ability to move between business and personal resources should be simple and intuitive to the end users to ensure they remain productive.  In this way IT administrators can enforce business requirements on the isolated resources without impacting or diminishing the users’ ability to perform personal tasks on the devices.

Enable End User Self-Service

End users should have the ability to provision their own devices with little or no interaction with IT operations.  This can be accomplished with a consolidated application delivery system, such as a mobile AppStore, that provides a “one stop shopping” experience for accessing all business applications, including static applications, virtual applications, and web applications.  Similarly, data can be stored and distributed via a secure share or other centralised and commonly accessed repository.  All provisioning procedures should include approval and authentication processes to ensure resources are only accessed by authorised personnel.

In Summary

At the core of enterprise mobility management is the need to enable a secure, user-focused delivery of IT resources and services. However, this cannot be effectively implemented unless it also includes processes for minimising administrative efforts. By not trying to “drink the ocean” in supporting everything installed on every device employed by every user, and instead focusing on the secure delivery of business IT resources as a service, administrator time is used more efficiently – the number of user requests is greatly reduced, management complexities are minimised, and the need for out-of-hours support becomes a rare event. In reducing requirements, administrators are freed up to implement new and enhanced business-facing IT services and transform the delivery of endpoint management services into being proactive, rather than reactive.

This article was contributed by Roberto Casetta, Vice President EMEA, at FrontRange.

The BYOD battle… and the ITSM war

Pat Bolger is chief evangelist at Hornbill Service Management.

Bolger writes in this guest post for the ITSM Review to underline the big picture that exists across the BYOD landscape and how this use case model has affected and continues to impact the IT service manager’s current set of challenges.

BYOD is an increasingly inevitable feature of the business landscape and its reach is only set to grow. In this current scenario IT departments are under growing pressure to support devices which fall outside of their traditional remit; whilst this presents a challenge, the alternative is a serious impact on the productivity and bottom line of an organisation.

Better the BYOD you know

It shouldn’t be a shock that people prefer using the smartphones, tablets and mobile devices that they know and are familiar with at work. What is surprising is the number of businesses that are failing to deal with BYOD.

Corporate IT departments that do not support the movement risk becoming divorced from both the needs of the business and the expectations of users.

An unwillingness to get to grips with BYOD not only reduces the effectiveness of the IT department; it is also costing UK enterprise (as a whole) dearly. Hornbill recently sponsored an independent study of 1500 UK office workers.

Those surveyed estimated that being able to use their personal device in the workplace would save them two hours a month. When this figure is applied nationally it shows a staggering total of £2 billion in lost productivity across the UK; a stark example for those businesses who are not embracing BYOD.

Taking the Law Into Their Own Hands

“The consensus among the corporate workforce itself summarises the situation best:  53% of office workers said IT departments are failing to keep pace with business needs. Because of this failure, some 40% of employees are taking matters into their own hands and using their personal devices without the permission of the IT department, an issue that will only worsen without intervention.”

The results were even more pronounced amongst workers in the 16-34 years old category; with 49% of 16-24 year olds and 48% of 25-34 year olds saying they would use their devices regardless of IT’s knowledge. The longer businesses fight their employees by failing to offer support, the greater the likelihood they will lose out on potential productivity benefits and further expose themselves to other risks around data security and governance, especially as younger generations enter the workplace.

Who Runs What?

The research also had interesting implications for ITSM teams trying to decide when exactly a device becomes their responsibility. A total of 38% of respondents think the IT department should be supporting any personal device, regardless of how much it is used for work purposes. Whilst this is unfeasible for many ITSM teams, it emphasises that personal devices have become so intrinsically linked with both the work and personal lives of UK workers that many do not draw a line between work or pleasure use.

“Setting employees’ expectations by introducing concise and clear policies around the use of personal devices will help ensure the IT department is not over-stretching itself.”

Patrick Bolger, Hornbill Service Management

Despite this apparent insistence from employees that IT departments should be on hand for any device, one of the most thought-provoking findings concerns who workers turn to with a problem. A whopping 82% said they would ask a colleague for help with simple IT questions or problems, rather than going directly to the IT department. This willingness to use peer-to-peer (P2P) or community knowledge can work in the favour of the IT department; fostering this kind of activity, offering self-service tools and hosting discussion forums, means IT departments can save a significant amount of time in dealing with ‘utility’ or ‘fire-fighting’ issues.

Ultimately, reticence in getting behind BYOD is damaging both the reputation and effectiveness of IT departments; businesses need to start looking at BYOD as something which can actually be of benefit, rather than just an operational and technical headache. In short, BYOD must be a movement which supports the ITSM team, rather than holding it back. The consumerisation of IT may not yet be complete, but IT departments can still reap the benefits of a much needed upgrade.