Don’t you wish your IT was hot like me

The IT industry is an odd beast and I think sometimes it forgets its ultimate purpose. What do I mean? Often many of us work in the technology industry because (spoiler alert) we kind of like technology, we love a gadget, we love a bit of innovation and a bit like my magpie friend, we love a shiny bauble!

In itself, that’s not a problem, it’s great to spend time with people who are enthusiastic about their technology, who come up with innovative ways to tackle the ever changing landscape in which we all operate, heck if it wasn’t for innovation we’d all still be driving around like Fred and Barney.

Innovation is of course a marvellous thing and technology providers should indeed be looking to do things better, so that we, the users of technology, can do things more efficiently and effectively, or even do things that previously we couldn’t. Do we still want to be buying rooms of physical underutilised servers? Do we still want to be tied to our desk as the only way of doing our job? Do we still want phones that are tethered to the wall? Do we really want our Internet connectivity to be accompanied by the ever cherished noise of a modem at all of its 14.4k performance… of course we don’t and we can go back further, do we still want kids sweeping chimneys? (fill in your own jokes!).

So if innovation is such a great thing, why my initial complaint about IT forgetting its ultimate purpose? Well I suppose, it’s when the IT industry gets excited about innovation for innovation’s sake. The IT industry and its watchers and commentators (says me.. someone blogging on technology!) get excited about innovation because, well, it’s shiny and new, and we begin to forget that the users and consumers of IT are often not technology enthusiasts, they are people tasked with a job, a job of using IT to deliver services to their users, so that their organisation can do its job.

I’ve had lots of conversations with companies recently about all kinds of things – should we use this, how about that, we’ve been told this new technology is great how can we deploy it, the chief exec is telling me the cloud is the future and we need to use it… and a whole bunch of other things as well.

It’s not just users though, industry watchers (I know, pot and kettle) can be a big part of the problem, which was what prompted the title (well that and my use of tenuous musical links in my blog posts). The industry can get very excited about certain technology and technology providers, telling everyone that whatever the current flavour is, this is absolutely the future and if you’re not on it, you’re lagging behind. What tends to happen of course is that these technologies always tend to be the new boys – well who doesn’t love a new bit of tech eh! – and normally it’s the established big boys that are lagging and failing, be it Microsoft, IBM, HP or any other line of big IT vendors you can think of – these guys are lagging behind, not innovating, have no future… add the doom mongering phrase of your choice!

So is that the reality – are the only people capable of delivering hot technology the new boys, and the giants of the tech industry are too slow and lumbering and set in their ways? Of course they are not. I’m not saying that new guys, or emerging technology and trends, are not capable of delivering hot technology, of course they are, hot and the kind of stuff that can change the game, however that doesn’t mean the big boys can’t.

Look at the changes in Microsoft over the last year, the entire shift of the company in the last 12 months is remarkable, go and check out what they are doing with Azure and see the massive range of service offerings available in a few clicks, look at how AzureStack allows you to take that and deploy it on premise. 12 months ago, Microsoft were going nowhere, the popular press had Apple and Google eating them for breakfast (and at the consumer device end, maybe they are) but as an organisation they have the financial clout and experience to innovate like many others simply can’t. And it’s not just them, things like IBM’s Softlayer repositioning them as a global IaaS provider, or current tech watcher whipping boys NetApp, when you look at what they are doing in flash and cloud integration, these guys are innovating at a massive rate – but they just ain’t sexy!

Well what does all that mean? To all those people I speak to on a weekly basis about their IT decisions, it means the world is very confusing. As a company you know you want your IT to come from a provider who understands your enterprise needs, who has the support and channel infrastructure to help, has a history of delivering services to businesses – but on the other hand, you’re told those guys are offering nothing in innovation and you need the sexy new kid on the block!

How do we square this little circle then? With that in mind I’d like to round off this blog with some ideas about how we can ensure we don’t get lost in the techie hype and the shininess of our technical baubles, but look at the things we should focus on. This comes from a bit of experience in helping people to architect solutions over the last 20 years, so maybe I can save you some time.

In those 20 years, it’s been extremely rare that people need a technology because they are desperate for a new toy. More so today than ever, when all of our technology choices need to deliver a return, it’s important to understand what we want our technology to do. I had this conversation with someone this week, they were confused about how they go about comparing technology choices, not only to what they currently have, but also in terms of how any solution fits in to what they want to achieve as a business. So here are 5 things to consider when buying that new tech bauble!

  1. Understand what you want – what are you trying to achieve with this technology purchase, what problem are you trying to solve?
  2. Don’t waste time on features – it’s way too easy to get lost in the technology bingo nonsense – my product does this, mine does that, mine has a golden doobary (you get the picture) – the question isn’t about what “things” does it do – but whether the technology that is being presented to you fixes your challenge and meets your needs, not necessarily how it does it (not saying at some point you don’t want to pay attention to that, but maybe not the first thing to worry about).
  3. Does the solution provider you’re considering meet your business needs – so if you are an organisation that needs 24×7 country wide coverage for example – can the provider you are looking at give you that?
  4. Does the tech provider have a long term plan? – we very rarely make short term technical decisions – so does the organisation whose technology you are looking at have a long term vision for where their solution is going and how it will work and adapt to your changing needs?
  5. Do you have the skills to support the solution – somebody made a great point to me this week – it’s great putting in sexy new tech, but not if as an organisation you don’t invest in ensuring your team can support the technology long term – so if you are going with new tech, make sure you’re investing in a support solution for the long term.

They are just the first five things that spring to mind, and the first five things I try to advise people to look at when they are considering a technical investment.

To sum up, am I saying all “trendy” technology is bad? Absolutely not, there’s some excellent innovative tech out there across storage, hardware, mobility, cloud services, lots and lots of stuff. But I am saying that the established players, Microsoft, IBM, NetApp, HP for example, have huge investments in research and development and are delivering innovative solutions and technology to the market, but often this gets lost in the glare created by the shininess of someone’s new technology.

If you are buying technology, I fully understand how difficult it is to look at the industry and see past some of, not only the slick marketing and sales presentations that you will undoubtedly get, but also the plethora of opinion that industry “watchers” are throwing your way.

The only thing you can do is understand what the challenge is that you are looking to solve and ask your prospective technology suitors, how are they going to help you do that, but in doing so, we don’t want to hear how rubbish the opposition are, just how you can help us achieve what we want.

Hopefully there is something in here that can help you when you are considering your next technology investment and that investment is indeed hot and helps you achieve what you need.

More data security onions or Data Security is like a great big onion-Part 2

A couple of weeks ago I wrote a post about some security events we’d been running and how, in between the sessions, I’d covered where each solution sat and the problems that we were trying to solve.

A few people suggested that a post about the multiple layers of data security problems we were addressing would be useful. This led to what turned out to be a popular post, with a very tenuous music link, Data security is like a great big onion part one (feel free to have a read), and as we all know, data security is one heck of a big tear inducing onion, with lots of layers, so big in fact that it needed two posts to deal with just the bit we covered during our events.

Since then, we’ve run our final event in the series and now I’ve finally had the chance to write part two of this onionesque data security post.

By way of a quick recap, the event we ran brought together 6 leading data security vendors  to look at the challenges that our day to day usage of our data brings, what those problems are and how we address them.

We were not covering the more “traditional” data security tools (anti-virus, firewall, anti-spam etc.), not because we feel they are any less important, but we had to assume that our attendees, as probably with most readers of this blog, already deal with that problem with well established solutions. The areas we looked at were some of the problems we don’t necessarily consider.

The areas covered fell into these categories;

In part one we dealt with the initial core parts of the challenge: understanding who’s accessing our data, how we ensure compliance in our key systems and how to manage encryption on all of our devices (feel free to check part one out if you need to).

So now let’s move a little further outside of the core and out to our edge devices, as we look at three further challenges.

The Endpoints

One of the most overlooked areas we find in securing data is the plethora of endpoint devices, we often see these devices remain relatively unmanaged and uncontrolled in many environments.. but why!?

Think of the risk, it’s great securing our core data and our line of business applications, however once the data gets out to the endpoints, where that unstructured data spends most of its time, it really is only as secure as the endpoint it sits on and today of course, how many of those endpoints sit within the safety of our network?

Of course the mobility and the range of devices makes it hard to secure them and besides, if we are securing the data in the core, is the endpoint really that big a risk?

Our friends at Lumension were happy to share exactly why it is such a problem;

The main challenge out on the endpoints was not a lack of AV, but rather that organisations believe AV in itself is enough. The challenge of protecting these devices is as multi layered and oniony (sure that is a word!) as anywhere else: the threat comes from unauthorised software, unauthorised devices, lack of patching and of course the inability to look for behaviours outside of what we understand, especially if we are relying on signature based AV or application blocklisting.

“Over 90% of cyber attacks exploit known security flaws for which a remediation is available” – Gartner

Lumension covered some key areas, as they looked at the importance of patching, understanding of behaviour and also some really smart technology around software application control, and anyone who’s used group policy to manage that, knows any smart tech is a big help!

Having full and smart control of our endpoints is hugely important and something that does tend to get overlooked more than it should, but something our attendees really grabbed and took away from the event.

Edge Data

At last we are right out at the extremities of where we put our data, the outer layer of our big juicy onion.

One of the huge changes in IT usage over the last 10 years (at least) has been the massive increase in technology mobility, today we have our data on laptops, tablets, smartphones, heck even watches, and our users have an expectation that we can give them access to data on all of these devices all of the time.

Our guests from Druva shared a really interesting statistic with us;

Recent figures from Gartner and IDC suggested that 28% of corporate data now resides only on endpoint devices.

Gartner and IDC suggested that 28% of corporate data now resides only on endpoint devices

Yep, I did repeat that, read that statement again, 28% of corporate data residing only on endpoint devices. Think about what we’ve done so far with our onion, we’ve controlled our data access in the core, we’ve added compliance to our corporate apps, we’ve encrypted, we’ve controlled the endpoints, all of these really good things, however we’ve got people in our organisations running around with key data, only on their mobile devices, heck it’s a good job those devices never go missing with that data on!

Of course the reality is, this is extremely high risk, we risk permanent data loss, potential for easy breach and a real problem when it comes to compliance – if we want to search all the data we have, then how do we pick that data up when it’s only hidden away on someone’s tablet?

It goes without saying then, that it’s a critical element of our overall strategy that we take care of all of these areas and that we have a strategy that allows us to;

  • Capture and centralise our data
  • Ensure we have strong rules and controls on data at the edge to avoid data loss
  • Make sure we can analyse and discover all of our data out at the edge
  • Do all of this while ensuring it is a simple and unobtrusive process for each of our client devices.

Quite a challenge, but one we really have to take…unless you want to be having face meet palm at high speed!

Pesky Users

The last layer of this challenge (or the first layer if you came to the Manchester event!) was all around the people, yep those pesky kids…I mean users!

That brought up our final speakers NETconsent who posed some very interesting questions around the human factor in information security.

We’ve said all along the issue of data protection is multi layered and, of course, so are the solutions, there isn’t a magic bullet out there that is going to cure it for us with one press of a button. However what is also the case is that without our users understanding why we are securing the data and how to make sure they use our systems and data in a way that keeps it secure, we are probably wasting our time.

I’ve recently done some work with a local organisation about data leak prevention and one of the very first questions we asked was;

What buy in do you have for data security?

Because if you don’t have buy in from the leadership of your organisation, then your data protection strategy is never going anywhere. It’s equally important, however, that not only your leadership buys in but that there is an understanding of why you have a data security strategy across all levels of your business. If you are putting strategies and solutions in place that may appear to users as an inconvenience, regardless of how minor, and everyone across the business doesn’t understand how to adhere to your policies and, maybe even more importantly, why data protection is important at all, you really are fighting a losing battle.

In reality the only way we achieve all of this is a mixture of things: having buy in and having technology to help implement our policies are of course key, however none of this delivery and enforcement can be done without documented policies and user education, which is a huge task, and managing the process and measuring its effectiveness is very difficult for many organisations.

Our partners from NETconsent shared a range of techniques and solutions to ensure that we have a controlled and centralised repository, that our documentation and training are up to date and that we can measure the effectiveness of all of this.

Well none of us want to be saying “my data would have been secure if it wasn’t for those pesky users!”

Sliced and Diced

So there it is, our data security onion sliced and diced, hopefully if you’ve been able to follow this post all the way through, you’ve not shed too many tears!

As I said right back at the beginning, data security is a huge problem, one that’s ever changing. Even the stuff I’ve covered in these two lengthy posts is only looking at a subset of the areas that you should consider, and of course the threat is ever evolving. Even with these things in place, don’t rest on your laurels thinking you have your data secured, you need to keep looking at the ever changing landscape and the threats it contains, to ensure you keep your data secure and safe and that it isn’t wandering out of your organisation and you only find out when it’s too late.

Hope you enjoyed this onion related set of posts and I hope that it’s given you some food for thought (collective groan!) and at least has helped a couple of you to develop some new areas of your data security strategy.