Cloud Security: Plenty of Worry to Go Around

Along with the security trends from 2012 you’d expect to see (mobility of data, access from anywhere, malware attacks on new platforms, Web as the leading malware distribution medium), Gerhard Eschelbeck, the CTO of Sophos, points to cloud security as a key IT concern.

In its Security Threat Report 2013, Sophos acknowledges how attacks followed the hundreds of millions of users participating in social networks -- moving beyond Facebook to attack mature platforms such as Twitter and up-and-comers such as Pinterest (where an account takeover in September drew special notice). The report is available free for download here; no registration is required.

What struck me, however, was mention of risks posed by cloud services. As services such as Dropbox gain ground, “companies have also begun investing more heavily in private clouds built with virtualization technology. This move raises more questions about what cloud users can and should do to keep the organization secure and compliant.” The article includes a set of 3 suggestions for protecting your data in the cloud.

Concern about cloud security isn’t new, but I found most interesting a report sponsored by Symplified written by Forrester Research and released in mid-November. The study was conducted in July, and although six months may seem like an eternity in IT time, the information is just as relevant today as it was “back then.”

“Access Management for the Extended Enterprise: A Timely Challenge” discusses at some length IT’s use of (and concern about) security in the cloud. IT would prefer security be someone else’s responsibility. For example, 23 percent of 703 U.S. enterprise IT security managers said they would prefer security to be embedded into the cloud vendor’s solution, and 20 percent would prefer solutions from a third-party security vendor as an on-premises solution.

Like the Sophos study, Forrester says the “BYOD phenomenon” is problematic when IT opens access “to people who are using unmanaged networks and devices.”

It was also interesting to note that IT doesn’t like to put sensitive data in the cloud, but they’re doing it anyway. “Business functions involving high-risk data of all types -- such as intellectual property, financial data, and even regulated healthcare data -- are participating at relatively high levels in the SaaS app marketplace.” The share of enterprises either using or planning to expand their use of cloud for such data ranges between 29 and 34 percent (depending on type of data and industry).

A recent report from Symantec, 2012 State of Information Report: Digital Information Index, found that “combined with smartphones, tablets, and laptops, 46 percent of business information is being stored outside the firewall.” For U.S. enterprises, the figure is just 32 percent; for India it is 83 percent; for China, Indonesia, and Singapore, the figure is 60 percent. The report is most useful for its breakdown of cloud use by 31 countries or geographic regions; it examines smartphone and tablet storage, smartphone and tablet access to corporate data, and percent of businesses using the cloud to store information (combining public, private, and hybrid deployments). The report is available here at no cost; no registration is required.

I see trouble ahead from some of the Forrester findings. For example, 38 percent expressed “a little concern” that “my existing IAM structure is incompatible with the cloud IAM solution,” and nearly a third (32 percent) were similarly a bit concerned that “my attestation and access request processes won’t fit with the cloud IAM solution.”

Forrester concludes: “The data collected shows that IT managers are living with a gap between cloud usage and corresponding cloud security.”

-- James E. Powell
Editorial Director, ESJ


Users Don’t Perceive IT as a Business Partner

In a new survey of 200 IT professionals conducted by Serena Software, an orchestrated IT solutions provider, it’s clear that what’s missing from IT service management is service. IT has no one to blame but itself.

How serious is the problem? Very serious. “The survey shows the majority of those polled (92 percent) agreed business groups do not perceive IT as a true partner and in some cases report that IT actually impedes their success.”

If ever it was clear that IT is not properly focused (or its staff is misaligned), it’s in the survey, which found that when asked to identify the source of the problem, the development and operations groups are pointing fingers at each other. “Three quarters cited operations as a roadblock to agile development, and 72 percent cite development as not supporting the goals of operations. The research shows a clear divide between Development and Operations, helping to explain the aspirational popularity of DevOps this past year.”

A press release from Serena quotes Amita Abraham, Group Product Marketing Manager at Serena Software and the report’s author: “There is massive interest in DevOps within enterprises today, as there should be. What our survey revealed, however, is the distance that IT organizations need to evolve to realize the promise of DevOps. This data was telling in that we were able to learn about today’s key ITSM issues, in particular, the need to improve Service Transition, the ITIL set of processes that cover the juncture of Development and Operations.”

What juncture? It sounds more like a complete disconnect. The report lists as its first key finding: “Business-IT and Dev-Ops distrust abounds.” Now there’s an understatement.

Among the survey’s findings:

  • ITSM practices are inconsistent or manual; they’re too slow for an online, agile enterprise. Seventy percent rate their release management processes as “poor.”

  • Disconnected processes are making it difficult for development and operations to “collaborate and rapidly fulfill business requests.” Nearly three in four respondents (72 percent) say that “operational change and release management, which are central to the Service Transition prescribed by ITILv3, were the most disconnected.”

  • Visibility of planned changes is limited because of “rudimentary communication practices” such as e-mail, spreadsheets, and word of mouth. The survey found that 60 percent claimed to have “little to no visibility into planned changes.”

  • Status updates are inaccurate thanks to poor reporting. A measly six percent said they share release calendars across development and operations. Are you kidding me?

The full report, IT Service Management Trends 2012: The State of the Dev-Ops Union, including recommendations for streamlining the development and operations team, is available here (no registration is required).

-- James E. Powell
Editorial Director, ESJ


Mobile App Use High but Satisfaction Low

Quickbase, an enterprise cloud database offering from Intuit, released the results of a survey of 448 "information workers" from companies with at least 100 employees about their use of cloud applications.

Forty percent of respondents say they use a mobile device for work; most of these were mid-level managers. On average, respondents say they use five mobile business apps to manage their day-to-day business tasks; 58 percent of their mobile apps come from their company’s IT department, another 37 percent were purchased or downloaded from an app store. However, a third of these users said the apps don't adequately meet their needs.

What they want is a way to build their own mobile apps; over half (53 percent) "said they would build an app if they could do so easily."  Over 40 percent said such a homegrown app would be used primarily for management and collaboration functions.  What's getting in their way?  Well, the first reason is obvious -- their inability to write code.  Another impediment: the lack of IT approval.

(Full disclosure: A few years ago we experimented with Quickbase for the first time; in less than 10 minutes I had built a custom database application running in the cloud to track ESJ articles.  As a former enterprise applications programmer and novice database developer, I was mightily impressed with the ease of development, its flexibility, and its speed of execution.  We continue to use the application we developed to this day.)

-- James E. Powell
Editorial Director, ESJ


Study Shows Increasing Reliance on Business E-Mail

We used to call them information workers. New research from Mimecast suggests that a more apt name would be inbox workers -- users “who spend the majority of their time on e-mail and shun social media at work.”

The survey asked 2,500 information workers in the U.S., U.K., and South Africa about their “average” employee’s attitudes about (and frustration with) e-mail. According to Mimecast, an information worker will use e-mail for four hours per day on average. That doesn’t mean they’re happy with e-mail -- only a quarter of them report high levels of satisfaction with their e-mail functionality. One third say they “expect e-mail and social media to converge in the next five years.”

Increasingly, e-mail isn’t just for communication -- it’s being used as a file store, search engine, and a collaboration platform. Apparently, I’m not alone -- 86 percent of e-mail users claim to rely on e-mail “as a search tool to find documents or information from within their inbox or archive.” Of course, that’s not what e-mail systems are designed to do (which explains why Copernic Desktop Search is running on my desktop), and why users report that searches take an average of two minutes to return results.

In spite of its lack of speed, 49 percent of users say e-mail is “reducing the need for other file storage systems.”

I’m often told that enterprises are using social media for internal and external communications. In fact, in a previous Mimecast survey, one-third of IT “decision makers” thought that “the use of social collaboration tools had reduced employees’ reliance on corporate e-mail.” When you ask actual e-mail users, you get a different picture. This survey pointed out that “Inbox Workers use social media, but it is primarily for personal use. The rise of social media has had little impact on their reliance upon work e-mail.” E-mail is still preferred for exchanging documentation, setting up meetings, and requesting information by 88 percent of respondents.

This dependency on e-mail may be leading to bad corporate habits. Mimecast says their survey showed that “39 percent of information workers regularly send and receive workplace e-mail outside of working hours, 25 percent of e-mail users admit that they have sent e-mails late in the evening purely to ‘show commitment’.” That’s just the tip of the behavior iceberg: three-quarters of those surveyed admit to having sent e-mails they have later regretted (just three quarters?). Your storage administrator probably won’t be surprised with another finding: 40 percent deleted e-mails they shouldn’t have (and presumably wanted them back).

We’re inundated with e-mail, but we seem to want even more. Almost half (45 percent) say it’s “useful to be copied on e-mails internally, with 35 percent saying that they find Cc e-mail a really useful way of staying on top of external communications.” Only a fifth think people overuse the “carbon copy” feature at their enterprise. That explains, I think, why only 14 percent of all e-mail received is considered “business critical.”

Here’s the part I really envy: “on average, e-mail users receive 32 e-mails a day, containing 4.5 megabytes of data in total.” Just 32? If only I were so lucky.

Mimecast supplies cloud-based e-mail archiving, continuity, and security solutions for Microsoft Exchange, Hosted Exchange, and Office 365. You can read more from their report here (registration is required for access).

-- James E. Powell
Editorial Director, ESJ


Enterprises Lax on Rogue Cloud Usage; Data Protection Top Cloud Issue

Sure, we all know that cloud security is an important part of IT’s job, but how do actual cloud practices match up with IT’s stated policies? According to new research released today, the answer is not very well -- at least not for the enterprises with such policies. What’s worse, almost one in five enterprises doesn’t even have a clear security policy or standard when it comes to use of the cloud by employees or departments, even though most allow such use, including access to corporate data from cloud apps.

The research, conducted last month on cloud utilization, security, and policies, surveyed workers in almost 500 enterprises of all sizes; it was commissioned by Symform, a cloud backup service provider. Eighteen percent of respondents work in enterprises; one-third (34 percent) come from small and midsize enterprises.

According to Symform, concerns over data growth are diverting attention from cloud adoption. “Coupled with BYOD and the consumerization of IT, the survey reveals that many businesses are slow to acknowledge cloud adoption within their organization and, as a result, determine the proper IT security and policies to govern this cloud usage.” The study points out that of the 39 percent of respondents who said they are not currently using cloud, almost two thirds (65 percent) said their companies allow employees or teams to use cloud services, and 35 percent said their companies allow employees to store company data in cloud apps.

In a prepared statement, Margaret Dawson, Symform’s vice president of product management, highlights how control of the cloud is slipping away from IT. “This research validates how cloud applications and services are being purchased and managed increasingly by non-IT departments, and illustrates the need for IT to re-claim control from a policy and governance standpoint while still enabling the business to benefit from the cloud’s agility and cost-effectiveness.” She also explained: “I always advise IT leaders to be the centralized source of all IT policy, vendor criteria, compliance management and the definition of ‘trust’ for their organizations. Cloud usage is inevitable but loss of control is not.”

Concern over cloud security seems to be declining. The Symform survey found that half (50 percent) of respondents believe that “even sensitive data can be secured in the cloud” with the exception of credit card data -- 70 percent said they wouldn’t store credit card data there. In fact, security is seen as a benefit of their cloud use: almost half said cloud services “allow them to spend less time managing data protection and on IT security overall.” Among those not using the cloud, security is seen as a bonus: “over 50 percent believe that better data protection would be the top benefit gained by moving services to the cloud.”

IT managers still worry about controlling access to the cloud. Also of concern: auditing and tracking, securing data (in motion and at rest), vulnerability management, and maintaining strong security SLAs.

The full survey results are available here (very short registration required).

-- James E. Powell
Editorial Director, ESJ


Learn SQL Server 2012's Analytic Functions

SQL Server 2012 introduced several new analytic functions.  We've published an excerpt from Murach's SQL Server 2012 for Developers by Bryan Syverson and Joel Murach that provides the syntax and example usage of these functions.

Read the excerpt here.


Enterprises Understand Automation’s Benefits but Many Tasks Still Manual

Redwood Software released results this week from a survey of corporate “decision-makers” at 300 firms in the U.S. and UK that shows that nearly every enterprise (99 percent) spends “considerable personnel time doing repetitive manual tasks.” Nearly three-quarters of them (74 percent) spend “over a quarter of their time doing so.” That’s a lot of time wasted.

The researchers at Vanson Bourne found that “all organizations claim to automate processes to some degree, but this is largely limited to certain tasks and functions within organizations.” Top of the automation list: billing (at 16 percent) and human resources/payroll (at 15 percent). (One caveat: the survey only asked about a limited number of application categories.)

On average, only 44 percent of respondents said their enterprise automates their IT and business processes; about half do it on-premise, a quarter use the cloud.

Survey participants understand the benefits. Respondents thought the biggest benefit would come from automating IT processes and business intelligence and reporting.

Nearly four in five (79 percent) that have automated processes at their enterprise acknowledge that automation has delivered time savings. More than two thirds (69 percent) claim that automation improved their business productivity, though I’m surprised the number wasn’t higher. Nearly as many (61 percent) agree that automation regularly provides cost savings. These aren’t theoretical or expected benefits -- these are the benefits they’re enjoying now.

Given that the benefits are clear, why aren’t enterprises automating more tasks?

At the top of their list (at 64 percent): “Not being able to integrate legacy applications with new applications.” Next in line: it’s tough to use automation to manage complex processes (63 percent). Just over half (52 percent) chalk it up to “not having the right knowledge.”

Tijl Vuyk, CEO at Redwood Software, says that all of these issues can be solved by a process automation solution. He should know -- such solutions are Redwood’s specialty. In a prepared release, he noted, “It seems that businesses have just cherry-picked the ‘easy’ automation targets across a range of processes rather than tackling them from A-Z, despite seeing the value in doing so -- it’s a contradiction in terms.”

Though half of respondents use the cloud for private data storage, only a quarter of all respondents (25 percent) run business process automation in the cloud. Those who don’t say it’s because they lack resources (23 percent) or are worried about the perceived risk of doing so (20 percent).

A graphic summarizing the survey’s results is available at no cost here (no registration required).

-- James E. Powell
Editorial Director, ESJ


Two New Tools Tackle Downtime Dilemmas

Tracking down possible external causes of downtime is always tough. Compuware Corporation is trying to make it a bit easier.

This week the company announced a new, free, online performance analytics solution that it says “raises the intelligence of software-as-a-service (SaaS) application performance management (APM).” The service -- Outage Analyzer -- displays in real time a map of outages and service degradation of third-party Web services applications around the world, detailing the scope of the problem, its duration, and an explanation of the probable cause of the outage. A separate view shows how the outage has spread or contracted over time, so you can, in essence, replay the problem’s history.

In a preview of the service last week, Jeff Loeb, VP of global marketing for Compuware, told me that the service helps enterprises explore what could be causing product slowdowns or outages. According to a company release, the service uses “big data technologies and a proprietary anomaly detection engine” to correlate over eight billion bits of information every day. This data comes from Compuware’s Gomez Performance Monitoring Network, which includes over 150,000 global test locations.

Tracing an application’s performance can be tough. Compuware says research shows that “the typical Web site has more than 10 separate hosts contributing to a single transaction, many of which come from third-party cloud services such as social media, ecommerce platforms, Web analytics, ad servers, and content delivery networks.”

Users can view just the most recent outages, look for problems by severity, search for a specific IP address or a range of IP addresses (so IT can find service problems that may impact their enterprise), and set up alerts via RSS feeds or Twitter.

Calculating Downtime Costs

Prolexic, a firm that specializes in protecting enterprises from distributed denial of service (DDoS) attacks, has released a DDoS downtime cost calculator, available here.

The calculator factors in several DDoS attack variables that can directly impact revenue. By completing a questionnaire about technologies, experience, and cost savings, Prolexic offers tips and advice to help you develop your strategy. Users can use the tool to view a detailed risk assessment and calculate the downtime costs associated with such an attack. The tool lets you play “what-if” scenarios by adjusting the formula’s variables.

In a prepared statement, Prolexic president Stuart Scholly noted, “Prolexic developed this calculator so businesses can evaluate their unique DDoS risk and downtime cost based on hard numbers, not guesswork. We know from previous years that DDoS attacks ramp up during the critical holiday sales period, so this calculator will help businesses make more informed decisions about DDoS protection in the coming weeks.”