Enterprise IT Watch Blog


February 8, 2011  3:12 PM

Blue Coat jumps on as-a-service bandwagon with web security

Melanie Yarbrough Profile: MelanieYarbrough

Guest blogger David Strom pointed out that many concerns surrounding cloud security can be traced to applications that were faulty long before being deployed in the cloud. Blue Coat’s new web security as a service is one way to keep track of the applications you’re currently deploying in the cloud. Following the model of cloud service itself, the service is pay-as-you-go and based on a subscription system that allows a certain level of customization depending on your company’s needs. The biggest selling point? Your ability to manage and deploy the service from anywhere in the world.

February 8, 2011  7:00 AM

Maybe the cloud is more secure

Guest Author Profile: Guest Author

Is all the cloud concern justified? Today’s guest post comes from David Strom, and he argues that while it isn’t the cloud that’s insecure, it might be your own cloud implementation and basic IT policies that are at fault.

With cloud security, sometimes perception trumps reality. Interestingly, a May 2010 report by Derek Brink of the Aberdeen Group shows that users of cloud-based Web security tools fared better than their on-premises equivalents, with fewer malware incidents.

Perhaps all the fuss is more about insecure Web applications than the cloud itself. Many of the top Web security exploits – like cross-site scripting and SQL injection – are things that have been around almost since the early days when Web servers were invented, and for some reason still vex many corporate installations. Going to the cloud doesn’t change that: If you have an insecure Web app, it will be just as insecure in the cloud or on a server in your data center.


February 7, 2011  11:25 PM

Cloud security standards commissioned from the NIST by America’s CIO

Melanie Yarbrough Profile: MelanieYarbrough

In an effort to increase government adoption of cloud computing, America’s CIO Vivek Kundra commissioned the National Institute of Standards and Technology (NIST) to create the Guidelines on Security and Privacy in Public Cloud Computing. If the guidelines provide even a working definition of cloud computing and how to secure it, it would appear to be a success. From the report:

Cloud computing can and does mean different things to different people. The common characteristics most share are on-demand scalability of highly available and reliable pooled computing resources, secure access to metered services from nearly anywhere, and dislocation of data from inside to outside the organization. While aspects of these characteristics have been realized to a certain extent, cloud computing remains a work in progress. This publication provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment.

But the standards aren’t just for the government’s benefit. If your company is considering cloud computing, take some notes on how to secure your own data in someone else’s data center.


February 3, 2011  3:38 PM

IT Security: Oversharing in the Forums?

Melanie Yarbrough Profile: MelanieYarbrough

Member Batye recently reviewed Stealing the Network: The Complete Series Collector’s Edition for our Bookworm Blog. It’s a collection of fictional stories that takes a look at the possibilities available to hackers with some time and bad intentions. While the collection is meant to be an aid to ethical hackers and security professionals looking to be proactive, it brings up a moral dilemma. How can you ever ensure that the knowledge you’re passing on will be used for good rather than evil?

A question was recently posted in the IT Forums regarding embedding executable files into a JPEG, a common tactic for spreading malware to unsuspecting end users. The community responded with mixed feelings toward the intentions of the asker. Who draws the line between helping out your fellow IT professionals and providing ill intent with the recipe for possible harm?

The simple answer is that no one draws that line except for you. IT Knowledge Exchange doesn’t expect you to provide any information you feel uncomfortable disclosing, and that goes for answering deceivingly innocuous questions. Member Chippy088 shares his own philosophy on the dilemma:

[It's] not a good idea to help everyone without thinking about their reason for the question first.

Have there been circumstances in your tech career that have made you uncertain about passing on your own knowledge? What are some nuggets of advice you’d want to pass on to those who are new to IT Knowledge Exchange or IT in general?

Melanie Yarbrough is the assistant community editor at ITKnowledgeExchange.com. Follow her on Twitter or send her an email at Melanie@ITKnowledgeExchange.com.


February 2, 2011  3:59 PM

Ex-Salesforce.com exec simplifies cloud security with Okta

Melanie Yarbrough Profile: MelanieYarbrough

Despite the progress SaaS has made in the enterprise, security concerns remain a hindrance to the growth of the market. Enter former Salesforce.com executive Todd McKinnon, now CEO of Okta, with a lofty goal: to accelerate enterprise adoption of cloud and web-based apps.

All the ROI in the world doesn’t mean a thing if your mission-critical apps are a floating security risk. As McKinnon told Newsfactor.com, “Okta is the only enterprise-class, on-demand service purpose built to help customers secure and manage their entire cloud-services network and the people who need access to it, with no professional services required.”


February 1, 2011  9:22 AM

Securing your cloud the Facebook way

Michael Morisy

While cloud computing isn’t necessarily moving IT security into uncharted waters, it is highlighting some old vulnerabilities that many organizations just never got around to patching up, from shoddy encryption practices to poor user habits that were allowed to persist. Leading the way, in both stumbles and recoveries, might be Facebook, whose recent security struggles are probably more closely watched than any other company’s.

Phishing for fame and friends

Today, most attacks on corporate infrastructure are driven by monetary gain: Long gone are the days where embarrassing defacements dumped a company’s dirty laundry and embarrassing taunts onto its domain. Instead, the criminals are largely organized, stealthily going in and making off with the valuable digital loot without being noticed until it’s far too late. Facebook still sees its share of these types of criminals. However, its high-profile nature, and mixed track record on privacy, has made it a favored target for the type of attacker who still likes to put on a show. Nicolas Sarkozy’s account was recently hacked, posting a message stating the president would not seek office again (he has made no official statement on his plans). Facebook founder Mark Zuckerberg then had his fan page hacked, pleading for the company to become a ‘social business.’


February 1, 2011  7:26 AM

Veracode offers free Cross-site scripting (XSS) check tool

Melanie Yarbrough

Application security company Veracode is demonstrating to developers how easy it is to test for and identify vulnerabilities in their applications by granting free access to one of its services. Veracode’s offerings include automated binary analysis in the cloud, and as of today developers can register to upload one application to the cloud and test it for cross-site scripting (XSS) vulnerabilities at no cost. XSS, a common attack in which malicious script is injected into a link or page and then runs in the victim’s browser when the user clicks the link, is a veteran problem in application development and has been responsible for major security breaches.

Veracode hopes to demonstrate how avoidable XSS vulnerabilities are while highlighting its application security testing offerings, boasting its ability to serve both SMBs and large organizations. Most development oversights are minor but can have major repercussions, which is why Veracode is doing its part to aid in the “long road to eliminating XSS.” In a recent blog post, Veracode application security researcher Chris Eng likens fixing XSS vulnerabilities to squashing ants, but a simple fix doesn’t mean the problem isn’t serious:

At Veracode, we see thousands — sometimes tens of thousands — of XSS vulnerabilities a week. Many are of the previously described trivial variety that can be fixed with a single line of code. Some of our customers upload a new build the following day; others never do. Motivation is clearly a factor. Think about the XSS vulnerabilities that hit highly visible websites such as Facebook, Twitter, MySpace, and others. Sometimes those companies push XSS fixes to production in a matter of hours! Are their developers really that much better? Of course not. The difference is how seriously the business takes it. When they believe it’s important, you can bet it gets fixed.

In a climate that’s teeming with new security threats every hour, a company’s security priority list can be the difference between a close call and a major setback. Proactivity is key. There’s no such thing as a free lunch, but when a company is offering free security testing, it makes reprioritizing not only appealing but affordable. What does your company have at the top of its security priority list this year? Do you anticipate taking application security testing in the cloud for a spin? Let us know in the comments or send me an email at Melanie@ITKnowledgeExchange.com.
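The “single line of code” fix Chris Eng refers to is usually output encoding. The snippet below is an added illustration, not Veracode’s code or anything from the post: a reflected search page rendered once without escaping and once with it, so the reader can see what that one line changes. The page template and the probe string are constructed for the example.

```python
# Added example (not from the original post or from Veracode): a reflected
# XSS bug beside its one-line fix, HTML-escaping untrusted input before it
# is interpolated into a page. PAGE and SAMPLE_INPUT are constructed here.
import html

PAGE = "<html><body><h1>Search results for: {query}</h1></body></html>"


def render_vulnerable(query: str) -> str:
    """Reflects the query string into the page unchanged (the classic bug)."""
    return PAGE.format(query=query)


def render_fixed(query: str) -> str:
    """Same page with the one-line fix: escape before interpolating.

    quote=True also escapes quotes, which matters when the value lands
    inside an HTML attribute rather than element text.
    """
    return PAGE.format(query=html.escape(query, quote=True))


def contains_live_script(page: str) -> bool:
    """Crude illustrative check: does the output contain a literal <script tag?"""
    return "<script" in page.lower()


# Constructed probe string: harmless as text, a problem only if rendered raw.
SAMPLE_INPUT = '<script>probe()</script>'

if __name__ == "__main__":
    print("vulnerable:", contains_live_script(render_vulnerable(SAMPLE_INPUT)))  # True
    print("fixed:     ", contains_live_script(render_fixed(SAMPLE_INPUT)))       # False
```

Encoding has to match the output context (element text here); a value placed inside a script block or a URL needs a different encoder, which is why automated scanners still find these after a “quick” fix.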

Melanie Yarbrough is the assistant community editor at ITKnowledgeExchange.com. Follow her on Twitter or send her an email at Melanie@ITKnowledgeExchange.com.


January 27, 2011  4:26 PM

Desktop Virtualization Round Up

Melanie Yarbrough

It’s been a pretty busy month around IT Knowledge Exchange, and we’ve learned a lot about desktop virtualization. We’ve compiled some of the highlights to serve as your go-to list for some of the top considerations from planning to deployment.

Blogging About Virtual Desktops

One Stop Shop: Desktop Virtualization Experts

Twitter is bursting at the seams with virtual desktop experts and enthusiasts. Take advantage of your chance to interact and ask questions. If you’re still stumped, head over to IT Answers, and be sure to tag your question “desktop virtualization.”

Not a fan of Twitter? Don’t worry, we’ve got an impressive list of virtual desktop blogs for you, too.

IT Answers

We’ve always got some good discussions happening in the forums. Here are some of the top discussions and questions from desktop virtualization month:

Multimedia Fun

Brian Madden, Gabe Knuth, and SearchVirtualDesktop.com editor Bridget Botelho sit down and discuss their hopes and predictions for desktop virtualization in 2011.

VDI is no small undertaking, so be sure to avoid some of the common VDI deployment problems.

Melanie Yarbrough is the assistant community editor at ITKnowledgeExchange.com. Follow her on Twitter or send her an email at Melanie@ITKnowledgeExchange.com.


January 26, 2011  1:03 PM

Amazon Simple Email Service unleashed on bulk messaging

Michael Morisy

Amazon’s cloud empire floated a little higher yesterday with the announcement that the web giant is adding bulk messaging to its cloud services. From the announcement:

We’re excited to announce the beta release of Amazon Simple Email Service (Amazon SES), a highly scalable and cost-effective bulk and transactional email-sending service for businesses and developers. Amazon SES eliminates the complexity and expense of building an in-house email solution or licensing, installing, and operating a third-party email service. The service integrates with other AWS services, making it easy to send emails from applications being hosted on services such as Amazon EC2. With Amazon SES there is no long-term commitment, minimum spend or negotiation required – businesses can utilize a free usage tier, and after that, enjoy low fees for the number of emails sent plus data transfer.

The horizontal play isn’t particularly surprising. While Amazon has supported e-mail sending from EC2 instances, the results aren’t always pretty: the dynamic IP addresses, for example, often get Amazon-hosted e-mail flagged as spam. A dedicated service will help push past these problems, particularly for businesses where e-mail is an important tool but not necessarily the prime competitive advantage, leaving one less thing for your average IT department to puzzle through.

Michael Morisy is the editorial director for ITKnowledgeExchange. He can be followed on Twitter or you can reach him at Michael@ITKnowledgeExchange.com.


January 26, 2011  10:59 AM

With VERDE, IBM offers virtualization to the little guy

Melanie Yarbrough

Who says the big guys never make room for the little guys? Whoever they are, IBM is making them think again with its latest offering suited for small- to medium-sized businesses: IBM Virtual Desktop for Smart Business. Using the Virtual Enterprise Remote Desktop Environment (VERDE) software from Virtual Bridges, IBM’s offering provides connection to Windows or Linux desktops for numerous devices. Enterprises have several options with Virtual Desktop for Smart Business: Windows XP or Windows 7 operating system, Linux (Ubuntu, Red Hat, Novell), and deploying on existing infrastructure or through an IBM reseller host.

The requirement for devices to access the desktop? If your device can connect to the server via a browser, you’re in. VDI, IT’s latest buzz acronym, appears to be stumping enterprises big and small. Aimed at companies with 100 to 1,000 end users, IBM’s virtual desktop offering provides VDI without the complexities SMBs can’t afford to navigate, for $150 per user, per year. The service is available through IBM’s approximately 100 resellers and integrators around the world.

Not quite as simple as Kaviza’s VDI-in-a-box offering, IBM’s virtual desktop requires configuration, design, and installation. The VDI package runs on IBM System X server running Suse Linux and VERDE, altogether with the capacity for up to 200 desktops on a server.

The offering is exciting for the desktop virtualization market for a couple reasons.

