Enterprise IT Watch Blog


October 7, 2010  8:52 AM

The S/M/L of Software-as-a-Service Adoption: Which companies embrace the cloud?

Michael Morisy

Enterprise software-as-a-service seems to be garnering much of the press these days, but which companies are actually ditching the traditional out-of-the-box for, shall we say, out of the box thinking? Like with almost all things cloud, the numbers get fuzzy very quickly, but I like the sound of two recent reports.

Two interesting surveys have shed some light on actual Software-as-a-Service adoption in companies of various sizes, as NASDAQ News’ Steve Monfort reports:

Techaisle, an IT market research firm, reports that companies begin to use cloud computing services when they expand beyond 20 employees. As companies grow to 250-plus employees, they become more likely to move IT operations in-house – and if they continue to grow past 500 workers, they turn once again to the cloud. 

Monfort also notes a Novell study that indicated 77% of 2,500-person companies are using “some form of cloud computing today,” mostly to complement rather than replace existing IT infrastructure. Both studies jibe with what I’ve seen anecdotally: The smallest companies are often relying as much as they can on SaaS, whether it’s free products like Google Docs or low-cost SaaS options like QuickBooks Online. And the big companies almost cannot avoid it, with the sales force demanding, well, Salesforce.

It’s the medium-sized companies, however, that are being the most cautious: They’re too big with too-specific needs for the “trimmed down” offerings available to the low-end, but not able to afford enough customization and cloud redundancy on the high-end to make it worth their while.

As mentioned, the data itself can be a bit cloudy. See a recent CompTIA study which found mid-sized businesses being the largest “cloud” adopters. Sure, cloud can cover a lot of things beyond SaaS, but perhaps the most important lesson from all this is that the right cloud strategy isn’t what your peers are doing, it’s what’s right for your company.

Michael Morisy is the editorial director for ITKnowledgeExchange. He can be followed on Twitter or you can reach him at Michael@ITKnowledgeExchange.com.

October 4, 2010  6:00 AM

James Urquhart helps us find the Cloud’s silver lining

Melanie Yarbrough

The perennial search for innovation serves as the greatest threat to traditional IT: Has the cloud – with its nebulous definition (pun not intended but appreciated) – simply become the face to blame?

James Urquhart, Market Strategist for Cloud Computing and Data Center Virtualization at Cisco, was recently traveling in Australia. What struck him the most, he said, was how they were equating cloud computing with outsourcing. “They’re not the same thing,” he assured me. “Though they do have a loose relationship with one another. They have the same concerns: service levels, security, liability, legal concerns and all that. They’re still there.”

So, what can cloud computing offer the enterprise?


October 1, 2010  6:21 AM

Trust No One: Info Security’s Biggest Weakness

Kevin Beaver

I came across an intriguing article in a 2009 issue of Fortune magazine about how businesswoman Dina Wein Reis duped high-profile executives, ultimately costing their corporations millions of dollars. In the final paragraph the author states:

Don deKieffer, the lawyer who pursued Wein Reis for years, says that companies will always be susceptible to such schemes as long as executives are so trusting. “In almost every case you had people inside the company not paying attention to the good of the entire enterprise,” says deKieffer. “There are bad people out there — wolves who will eat you unless you pay attention.”

If this doesn’t summarize the very essence of the problem we have with information security today, I don’t know what does. It’s really nothing new. Just look at the infamous hackers from our time – many of them preyed upon this very weakness. Very enlightening insight into the executive psyche. I’ve always believed that as long as people are involved with IT, we’ll always have information security problems.

For further reading, check out these pieces I’ve written on the subject of people and information security.

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.


September 30, 2010  3:12 PM

Loosen the reins: Telecommuting in 2010

Kevin Beaver

I’ve been commuting into downtown Atlanta a good bit recently and I’m about done…not with my projects but with the traffic, and even more so, the nasty air. It seems I can’t catch a break from the diesel trucks sputtering their filth, smokers with their cigarettes hanging out their windows, and old junker cars burning oil (I guess a lot of people missed “cash for clunkers”). Having a family member who suffered from lung cancer, I’m extra sensitive to this stuff.

All the traffic and filth in the air reminded me of telecommuting. Where the heck are all the telecommuters? It seems like everyone who has a job is driving into work. Why!!?? It’s 2010, for crying out loud!

I think it’s crazy not to let people work from home as long as the security issues that come along with it (i.e. unsecured home computers, unsecured wireless network usage, weak passwords, and unencrypted laptops/mobile devices) are addressed. Telecommuting helps morale. It helps productivity. You can’t tell me no one is goofing off at the office anyway. I see people doing that all the time. Furthermore, research has shown that when you’re interrupted it takes 20 minutes to get back into the groove of what you were doing. Interruptions occur in the workplace about every 20 minutes; does that mean no one is really getting anything done?

I’ve been ranting about telecommuting for a while, and unfortunately there’s a huge double standard. It’s okay for management to do it but not for regular employees. I have a good friend who has been subjected to this at multiple companies. Does management not trust its employees enough to let them work from home at least a few days a week? Why? If you ask me, this is an HR problem – managers not hiring the right people – more than anything else.

It’s time to step into the 21st century and use some of these technologies we’ve paid so much to put in place. Make telecommuting work for your business and be done with it. It’s not only a matter of thinking things through to do it right – it’s also a matter of choice.

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.


September 29, 2010  6:01 AM

Policies for the sake of policies

Kevin Beaver

Security policies are those “talk is cheap” enablers of compliance and risk management. The problem is they’re often poorly written, disjointed, inaccurate and so on – often creating the very risks they’re supposed to mitigate.

Everyone treats policies differently, so your needs and mileage will no doubt vary. For what it’s worth, I wrote an article for SearchEnterpriseDesktop.com regarding Windows desktop security policies. If you need to create your own policies or revamp your existing ones, I included a security policy template which can be tweaked to suit your business needs.

Keep in mind that you don’t want to create policies just for the sake of having policies. This practice can end up creating more problems than it solves. You need to understand where your business is at risk and then shape your policies around those risks. Once you understand where the focus is needed, you can go about building out your policy documents into something that truly enables information security in your business.

For further reading including common oversights and mistakes, check out my security policy articles, podcasts and webcasts.

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.


September 28, 2010  6:00 AM

Would you like some snake oil with that network assessment?

Kevin Beaver

There are many IT services firms – including some run by friends and colleagues of mine – that perform something called “network assessments.” The purpose of these assessments, which are usually aimed at SMBs, is to determine the overall health of your network and computing environment, supposedly including security.

First, let me be clear that these are legitimate services to see where your network stands. That’s fine and dandy – a useful service indeed. The problem is that these network assessments are being pushed/sold under the guise of security assessments that, at least on paper, would compete with more in-depth security vulnerability assessments. But they’re not the same.

I saw recent descriptions of such services that claim to “check the security environment of your network” and “help ensure your sensitive data remains protected.” In discussions with my friends and colleagues, none of them have ever claimed to be security experts, yet they still offer these services. I don’t believe “in-depth security assessments” are their intent, but what exactly are such companies purporting to do? Many are just visual inspections or basic questionnaires and may incorporate rudimentary security scanning tools such as Microsoft Baseline Security Analyzer.

My point is: Be careful. Just because a network engineer “checks” your systems, recommends some software updates or network design changes, and ultimately installs a few new security products in your environment, don’t assume that you’ve had a proper information security assessment or that your information is truly secure. Your best bet is to determine what you want and then ask specific questions to help ensure you’re getting the deliverable you really need before you start the project.

Here are some information security assessment articles, screencasts, podcasts, and webcasts you can peruse to help you fine-tune your requirements the next time this comes up.

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.


September 28, 2010  5:09 AM

Is a new Obama mandate putting IT security at risk?

Melanie Yarbrough

We’re not here to discuss politics, but one of the big stories today is the Obama administration’s development of plans to require that backdoors be placed in Internet-based communication services, allowing compliance with federal wiretap orders.

The bill, slated for 2011, would require communication service providers to have the capability to intercept and decrypt messages. The proposal extends the Communications Assistance for Law Enforcement Act (CALEA), which requires telecom providers to provide interception capabilities for law enforcement, into the realm of the Internet. In the New York Times article on the bill, the FBI’s Valerie Caproni said:

We’re not talking expanding authority. We’re talking about preserving our ability to execute our existing authority in order to protect the public safety and national security.

But does “public safety and national security” come at the cost of personal and enterprise security? Extending interception capabilities to the Internet could prove disastrous if not executed correctly. Steven Bellovin, a computer science professor at Columbia University, thinks “it’s a disaster waiting to happen. If they start building in all these back doors, they will be exploited.” He cites 2005, when “hackers [took] advantage of a legally mandated wiretap function to spy on top officials’ phones, including the prime minister’s.”

On the flip side, there may be side effects from adding to the already overwhelming honey-do lists of enterprise IT. Former Sun Microsystems engineer Susan Landau worries that the mandate would hinder the progress of small startups: Engineers would be dedicated to incorporating wiretapping capabilities rather than to innovation and product release dates.

Federal response to the privacy community’s uproar is hardly comforting: Service providers would be the sole carriers of the decryption capabilities, which the agency would need a court order to utilize. Ira Winkler, president of the Internet Security Advisors Group, told Computerworld that his main concern isn’t the “government’s ability to intercept communications for legitimate law enforcement purposes, the real concern should be over continued compromise of personal data online.”

Melanie Yarbrough is the assistant community editor at ITKnowledgeExchange.com. Follow her on Twitter or send her an email at Melanie@ITKnowledgeExchange.com.


September 27, 2010  6:15 AM

Two simple but essential steps for all laptop owners

Kevin Beaver

Not too long ago I experienced the equivalent of a disaster for larger businesses: My laptop computer died. I’m a technical guy and so I was able to limp along with some workarounds at first. I had an old laptop that I could use for most things, but it wasn’t pretty.

Little did I know that in the process of recovering, I was going to be consumed with other unrelated computer problems. All in all, I lost three full days of work troubleshooting and getting things rebuilt back to normal. I got behind on articles I needed to write. I neglected my blogs. I missed out on some consulting work, and I even missed a book deadline.

But it could’ve been much worse. Through thick and thicker, I saved my rear end by doing two things:

1) Warranty it up: When I purchased my laptop, I paid $295 for an on-site warranty. This not only got me next-day service, but it also kept me from having to spend a couple thousand dollars on a new laptop. I had to have my processor and system board replaced – arguably the best $250 I’ve ever spent. This also kept me from having to send my computer off loaded with sensitive information, something I simply can’t do in my line of work.

2) Back it up: I had a backup; it’s something I do religiously every day. It’d be hypocritical of me, an information security consultant, to not have one, right?

Imagine how much time I would’ve lost had I not done these two things.

So do yourself a BIG, BIG favor and back up your laptop. Do it now. Most laptop users I see in my work are required to do their own backups and guess what? Very few people are backing up their laptops. Use Windows Backup, purchase TrueImage, or just manually copy your data to an external drive (make sure you get everything though!). Just do something.

In the future, spend the extra money for the on-site warranty; pay extra for the drop/spill coverage too. If you’re like me, you will need it (I’ve needed this coverage three times with Dell, IBM, and HP), and you’ll kick yourself for not having it when that day comes down the road.

Even if you work for someone else who’s calling the shots on this stuff, ask for it or buy it yourself. It’s money well invested.

Here’s to planning ahead!

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.


September 24, 2010  6:58 AM

Security, huh! What is it good for?

Kevin Beaver

Not too long ago an ad for a mortgage company on my local radio station said something that caught my ear. The owner of the company was talking about identity theft and the need to be careful with the sensitive information you hand over to people, especially when it comes to getting a mortgage. He said, “You’ve got to differentiate between a mortgage company and a mortgage professional or your information is at risk.”

I’ve always said that information security can be a competitive differentiator, and this business is capitalizing on it. Good for them!! It’s about time some business owners step up to the plate with enough confidence in their information security that they can use it to their advantage. Of course, talk is cheap, so who knows the reality of what they’re advertising. At least their thinking is on the right track.

On a related note, some companies in the financial sector tout their “fraud and identity theft insurance” – something I’m not too keen on since it can be used as a crutch to cover up otherwise poor information security practices. But if your business has gone past the checklist audits and is performing in-depth security assessments of your network, your Web applications, and your IT operations on a periodic and consistent basis, then providing such insurance as an option certainly won’t hurt. Yet another competitive differentiator that’s ultimately good for all of us.

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.


September 23, 2010  2:21 PM

ISSA International Conference Recap: More of the same

Kevin Beaver

The 2010 ISSA International show was just here in my hometown of Atlanta. With the experienced speakers – many of whom work for highly-visible companies and government agencies – I was expecting some new ideas and solutions around security. The quality of the speakers was good; the problem was with the messages that I heard (at least in the keynotes). It was the same old stuff we’ve been hearing since the beginning of “Internet security” as we know it. “You need to have policies,” “You need to train your people,” “You can’t rely on vendor products completely,” “You need to take a risk-based approach,” “The cloud is our great savior” – blah, blah, blah. Looking around, I could tell that others in the audience were tiring of the same old messages as well.

Is this the way information security is going to be from here on out? I’m not so sure that preaching the same old stuff is viable long-term. Maybe I’m just being impatient; perhaps there is no good solution. Maybe we’re just going to have to keep doing what we’re doing and trust that it’ll eventually sink in. Time will tell.

Although it’s a never-ending and frustrating cycle, it’s good for job security, so I guess I shouldn’t complain.

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.

