With the growing use of globally distributed computing services and resources, and huge amounts of data being moved regularly from one country to another, there is a great deal of concern among data owners over the risk that their data and the hardware that stores and moves it could be implicated in a violation of international…
For some time now, we’ve been writing about how traditional methods of identifying stranded IT assets fall far short, because utilization-based metrics do not accurately reflect the value an IT asset returns to the business. Enterprises are living with substantial drag on their IT operations budgets because of unused or underused servers and server software.
Through some of the work that I do for my Clients, I’ve helped to identify and reduce Shadow IT as part of better aligning IT delivery with strategic business goals. It has been something of a mantra that Shadow IT is a bad thing and must be eliminated. Over the past couple of years, though, I’ve increasingly found myself second-guessing that mantra.
While governance and security are even more important now than in times past, the characteristics of IT services have changed around us. Take end user devices for example.
I was having a drink with an old friend of mine, who is a very prominent and globally sought after risk management professional, and we got around to talking about Disaster Recovery Planning Software. I asked him, “have you ever found one of those that you like?” His response was not positive.
Quite often, I am called by a potential Client needing help with DR planning, and who is at the make/break point of a relationship with a DR planning tool vendor. The conversation often goes something like this:
This morning I was reading a short piece by Gary Beach, Publisher Emeritus of CIO Magazine, in which he asks if he’s “certifiably nuts” for encouraging broad-based, state-administered technology certification programs. The short answer from me: no, not really. I would, though, like to support the spirit of Gary’s call with my own encouragement.
Undoubtedly you’ve heard by now that Intel has a bid on the table to buy McAfee (for $7.7B). We’ve written before about the collaboration that’s been going on between the two companies for almost two years now, which we suspect is a leveraging of features at both ends of the stack to improve security of data processing devices. Indeed the two companies share a vision of combined secure hardware and software to protect the full spectrum of Internet connected devices.
So what does this mean for us chickens? Well, there’s quite a variety of opinion in the industry so far. The official company line(s) are of course that this will lead to technology that improves security for network connected devices of all types (something we certainly can benefit from), and of course that there is a great opportunity for more sales of security software if every new CPU is seen as an opportunity for that. However, there is a good bit of open endedness around this. We’ll at least give you our opinions.
As someone with a strong operational ethic, one of my pet peeves is the colo site that resembles a monthly self-storage facility. I’m referring here to allowing (or tolerating) tenants storing boxes, material, and debris in their cages.
A colocation facility that has cardboard and other such material in customer cages shows very poorly. That is, new customers touring the site as a potential future data center will not be impressed by the apparent state of operational controls when trash is visible in cages.
More importantly though, storage of cardboard and packaging material on the IT floor is a security risk. This material is likely the most flammable of any present in the environment, and fire is an availability and safety exposure.
In my classes at the university, I sometimes give students a project to create a malware pet shop or malware zoo. The purpose is to make the students more aware of the “biodiversity” that really exists out there in the malware world. We also often talk about the increasing use of malware and other network-based attacks by governments against other governments or industries within a country. Then of course there is the extension of that in the form of cyber terrorism.
Over the past few weeks there has been a lot of press for the Stuxnet (Trojan) worm. What is interesting to share with you about this malware du jour is that rather than targeting personal information or productivity on a person’s PC, this critter is designed specifically to target control systems commonly used in manufacturing plants and other industrial facilities including critical public utility infrastructure.
Stuxnet exploits a previously undisclosed vulnerability in Windows to access management software for Siemens SCADA (Supervisory Control and Data Acquisition) systems that are commonly found in manufacturing, industrial, and utility systems. These types of systems are typically not connected to the Internet, but the malware travels by USB device (e.g., a thumb drive). Once the malware discovers the Siemens application software, it copies project files to an external web site. Other actions are not yet reported, but it’s clear that with access to key control systems, serious disruption could be accomplished even beyond theft of manufacturing process information. Stuxnet has the ability to upload code to programmable logic controllers (PLCs) in SCADA systems. The PLCs determine how industrial systems operate.
In my IS Security class at the university, I was recently moderating a discussion thread where my students posted their opinions on Internet content filtering. The question was a simple one, “Some schools and libraries use Internet content filters to prohibit users from accessing undesirable Web sites. These filters are designed to protect individuals, yet some claim it is a violation of their freedom. What are your opinions about Internet content filters? Do they provide protection for users or are they a hindrance?”
The class is composed of a collection of Generation X and a few Boomers. The opinions collected were very consistent and surprising, at least to me.
Through several posts on this blog, we discussed the many aspects of confusion around the term “Cloud Computing.” After attending this year’s Cloud Expo in New York City and seeing the same three-layer stack (IaaS, PaaS, SaaS) slide in fully half of the presentations, I have to conclude that confusion still exists in the minds of the IT community trying to come to terms with the ongoing commotion over “Cloud.” In this writer’s humble opinion, there is very little new food for thought that’s emerged from the Cloud conversation over the past year.* The proliferation of genuine commercially available cloud services, and the proliferation of conferences and articles on cloud computing, seemingly have not improved the understanding of those who are confused about what is and what isn’t cloud computing. In this article, we will touch upon those old misunderstandings and some of the new ones.