We’ve converged and consumerised, now it’s time to co-ordinate

21 Dec 2011

Three recent trends in communications technologies – network convergence,
social media and consumerisation – have on the surface appeared to be about
simplification, but they have actually made life more complicated for some.

Convergence takes all of the silos of proprietary telecoms functions –
voice and data, fixed and mobile – and blends them together around a single
common set of universal open protocols borne out of the IT industry and the
internet. All services are becoming combined and unified.

It sounds simple in principle, but all these proprietary technologies
existed for a reason – commercial control – so the reality is that many
vested interests need to be dragged sometimes kicking and screaming into
line. The fallout has been the emergence of dominant vendors like Apple,
Google and Amazon from the IT world and some casualties in the telecoms
industry, perhaps most notably Nortel, but also the significant weakening
of giants like Motorola and Nokia.

While the economies of scale achieved through the unification and
convergence on common standards are evident in the massive boosts in
performance and reductions in the cost of sending data anywhere on the
planet, it is not without other challenges.

Converged networks can struggle to deliver differentiated and predictable
performance for services that need it. While common protocols mean that all
traffic looks the same, different needs mean it should not all be treated
the same. Network neutrality is a worthy aspiration for equality of access
to technology, but it is not adequate for the deterministic transport of
packets of data.

What of social media? It democratizes the provision and supply of content.
Anyone, anywhere can be a citizen journalist, organise an uprising or share
pictures of funny looking cats with an army of friends, followers or
like-minded ‘individuals’. The opinions and wisdom of the crowd have never
been more accessible, but the signal-to-noise ratio has dramatically
worsened. Finding relevant, accurate and accredited information is getting
harder even for those organizations with the power to search ‘big data’,
let alone for individuals.

As for consumerisation (in particular the use of mobile devices) this means
that the same tools are available and usable for business or personal
activities – the work/life division is completely blurred. Many individuals
find this liberating, but those tasked with managing services, costs and
security in organizations consider it a nightmare.

Many of the historical barriers – between work and home life, between
network services, between friends – might have seemed arbitrary and often
opaque, but they provided some control and resistance to anarchy. Without
some elements of structure and separation, systems become error prone,
difficult to test properly, impossible to identify root causes – in short,
unreliable and insecure.

Many will suggest this is not a problem; this ‘hyperconnectivity’ (a term
once promoted by the now absent Nortel) is the natural evolution of
technology and its total adoption is vital for employing the digital
generation. This smacks of an abdication of responsibility by those who
suggest a ‘do nothing’ approach.

There are others who will argue, like King Canute, that these changes
should be stopped, the clock turned back, the genie squeezed back into the
bottle. They ban social media in the office, ignore the appearance of
tablets and impose departmental firewalls to keep telecoms, office
facilities and IT functions apart. This is not a realistic approach for
businesses either.

Effective solutions need to emerge not for imposing total control, but for
applying co-ordination – herding cats – keeping data safe, not behind
firewalls, but in ‘bubbles’ and protecting business processes in virtual
pathways. This co-ordination has to be built not around the vested interests
of suppliers, but about the needs of end users – business, social and
personal processes.

The barriers of old have crumbled and been torn down, but without some
shape and definition the revolutions that led to their destruction will
lead only to inefficiency and insecurity. Business processes no longer need
top down re-engineering, they need to be rebuilt from the bottom up from
their constituent tasks, virtualized and properly co-ordinated. Otherwise
these communication trends may not have created democracy, but anarchy.

Rob Bamforth, Principal Analyst, Communication, Collaboration and
Convergence, Quocirca

The secure disposal of old IT equipment

14 Dec 2011


Network and security devices age just like any other IT equipment. As the IT industry moves toward 100 gigabit/second Ethernet and 100 megabit/second broadband connections, many existing devices will no longer cope with traffic volumes. The need to replace routers, firewalls, load-balancers, content filtering devices etc. is an ongoing process.
 
Some devices may be reusable by smaller organisations and have a second-hand value; others may just be fit for the dump; when the latter is the case they must be disposed of in line with environmental regulations such as the UK Environment Agency’s waste electrical and electronic equipment (WEEE) directive.
 
Either way, such devices will end up in the hands of third parties, and their eventual destination will not be guaranteed. These devices have all sorts of confidential data and settings stored on them, such as user details and network access settings. In the wrong hands these could be used to gain access to private networks, and in any case the leaking of such data may constitute a data privacy breach. It is therefore necessary to ensure all such data is securely deleted before devices are disposed of.
 
It varies by industry, but a recent Quocirca research report shows that around 40% of all organisations said they were not confident all such data was safely removed prior to device disposal. Quocirca suspects that even those who claim to have done so have not actually shredded data but just “deleted” it, and a determined hacker may still be able to retrieve it. Only audited disk shredding or secure reformatting tools, carried out by screened staff, can ensure such devices are completely safe to dispose of.
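The “audited” part of disk shredding is what separates a wipe from a claim of one. The following script is an added example, not code from the Quocirca post: it assumes the wipe tool filled the whole medium with a single byte value (0x00 by default), scans an image or block device for anything else, reports the first offset where residual data survives, and produces a hashed record for the disposal log. The residual image, asset tag and operator id are constructed placeholders.

```python
"""Check that a retired device's storage was actually overwritten.

Added example, not from the Quocirca post. It assumes the wipe tool filled
the whole medium with one byte value (0x00 by default) and scans an image or
block device for anything else, returning the first offset of residual data
and a hash of what was scanned for the disposal audit record. The residual
image below is constructed.
"""
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed: a config fragment of the kind a router or firewall retains,
# left behind at offset 4096 by an incomplete wipe.
RESIDUAL_FRAGMENT = b"hostname edge-fw-01\nsnmp-server community <redacted> RO\n"
SAMPLE_RESIDUAL_IMAGE = bytes(4096) + RESIDUAL_FRAGMENT + bytes(4096)


def verify_wipe(source, fill=0x00, chunk=1 << 20):
    """Scan bytes or a readable binary stream; report residual (non-fill) bytes.

    Pass an open block device (open('/dev/sdX', 'rb')) or image file for real use.
    """
    stream = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    digest = hashlib.sha256()
    scanned = residual = 0
    first_offset = None
    while True:
        buf = stream.read(chunk)
        if not buf:
            break
        digest.update(buf)
        dirty = len(buf) - buf.count(fill)  # bytes.count accepts an int byte value
        if dirty:
            residual += dirty
            if first_offset is None:
                first_offset = scanned + next(i for i, b in enumerate(buf) if b != fill)
        scanned += len(buf)
    return {
        "bytes_scanned": scanned,
        "residual_bytes": residual,
        "first_residual_offset": first_offset,
        "sha256": digest.hexdigest(),
    }


def wipe_passed(report):
    """A wipe passes only if something was scanned and nothing but fill bytes remain."""
    return report["bytes_scanned"] > 0 and report["residual_bytes"] == 0


def audit_record(report, asset_tag, operator):
    """Build the JSON entry for the disposal log (asset_tag and operator are placeholders)."""
    return json.dumps(
        {
            "asset": asset_tag,
            "verified_by": operator,
            "checked_at": datetime.now(timezone.utc).isoformat(),
            "passed": wipe_passed(report),
            **report,
        },
        sort_keys=True,
    )


if __name__ == "__main__":
    # Stand-alone run over the constructed image: fails at offset 4096.
    print(audit_record(verify_wipe(SAMPLE_RESIDUAL_IMAGE, chunk=1024), "ASSET-0000", "operator-id"))
```

The hash in the record is of the scanned contents, so two independent scans of the same medium (or a re-check by a second screened staff member) produce the same value, which is what an auditor can compare against.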
 
To see the full research behind this and get a free copy of Quocirca’s report – “Conquering the sys-admin challenge” – click here.
 

Bob Tarzey, Analyst and Director, Quocirca
 

A critical software problem for banks

02 Dec 2011

New Quocirca research – sponsored by on-demand software code security specialist Veracode – underlines a problem faced by financial services organisations when it comes to security and compliance; they track around twice as many critical software applications as other organisations.
 
This is not just an issue when it comes to ensuring that all the code of all their commercially acquired and in-house developed software is secure (as a new Quocirca report to be published in early 2012 will discuss); it is also an issue when it comes to monitoring and restricting access to all those applications.
 
There is more for banks to worry about than their own employees. A previous Quocirca research report ("The Distributed Business Index", sponsored by network acceleration vendor Riverbed) showed that banks are more likely than other organisations to make their applications accessible to outsiders, namely contractors, partners, suppliers and customers.
 
Providing access to so many applications for such a broad range of users is of course a big security headache. However, it is also a compliance issue. The financial services industry is heavily regulated, with national, EU and global watchdogs keeping an eye on them. Compliance often means proving who has been doing what; some are specific about this. For example, PCI DSS v2.0 Requirement 8 states that organisations that handle payment card data should “assign a unique ID to each person with computer access” and “ensure that each individual is uniquely accountable for his or her actions”.
 
Achieving this requires a way to centrally manage identities and associate a single identity with all a user’s actions, whatever the systems and applications they are accessing. How these issues affect financial services organisations is the subject of a webinar Quocirca is speaking at on Dec 7th in conjunction with Centrify (an identity management specialist).
 
To find out more and register for the webinar, click here.
 
Bob Tarzey, Analyst and Director, Quocirca

Mind your Ps and Qs when using social media for business

21 Nov 2011

The global reach of the internet and access to billions of potential customers via their desks, laps and pockets through an abundance of communications methods from social media to email on a myriad of devices is a fine thing. The fundamental question remains, is the right person actually listening to the right message at the right time and in the right place to be able to make the right response?

The Martini-esque mantra coined by Sun Microsystems in the 1990s – anyone, anytime, anywhere on anything – was great for touting the need for a universal infrastructure. But that is just the open network plumbing that connects everything together and without some intelligence layered above it, all the universal network can do is raise the level of noise.

For first movers this is not necessarily a problem. Those quick-witted organizations who get in early to a new domain can often exploit it sufficiently before it gets too crowded and the dynamics change. Then when well-structured heavyweights get involved, consolidation kicks in, dominant players emerge making it harder and harder for new entrants to get a toehold. Witness the high street and Tesco, e-commerce and Amazon, social networking and Facebook, tablets and Apple.

Sometimes in the technology world it is slow-moving incumbents that take over, but often it is the fleet of foot, who were not necessarily first to market, but are first to volume. Market momentum, like Newtonian momentum, is about velocity – speed and direction – as well as size or mass.

So what about the majority of ‘wannabe’ suppliers who then become followers, can they ever hope to get their message out?

Sure any supplier can make a marketing push to set up Facebook pages, tweet on Twitter, have downloadable mobile apps and pay for search engine optimization on the web, but for all their digital SHOUTING, are they actually taking time to listen to their prospects and customers?

One way to get ahead in the game, even of those who currently dominate, is to use all the information available and listen carefully to user requirements, build relevant market intelligence and so outsmart the incumbents. Just as good salespeople pay more attention to listening and understanding rather than simply speaking, so good marketing, even in a highly connected digital age, depends on good listening. This is the key to businesses engaging in the current social networking boom – how much information can be collected, analysed and understood, rather than how much can be pumped out.

Unlike traditional channels that are more oriented to public one-way communications with perhaps only a ‘call to action’ response, today’s highest profile digital channels – social media, video, mobile – are personal and bi-directional or virally shared. They are also highly treasured and far more sensitive to abuse.

The negative reactions seen with the explosion of spam in email pale in comparison to the feelings stoked up by misuse of these highly personal contact points. Even a service provider’s attempts at change can be viewed by the digital society as negative – e.g. Facebook’s continual tinkering with privacy settings – and so much so that they can cause significant and rapid uprising among highly connected and vocal users.

Businesses need to tread carefully and keep within the evolving online etiquette and mores as they develop their social media strategies. Most importantly they should remember the ‘two ears and one mouth’ sales mantra to listen carefully, build understanding and then reflect that back into the marketplace. Social networking brings many opportunities for businesses to build relationships with their customers and prospects, but these will need care and attention to avoid being seen as intrusive. For a more detailed exploration of the business use of social media, download Quocirca’s free report, “Community, Connection, Conversation or Channel

Rob Bamforth, Principal Analyst, Communication, Collaboration and Convergence, Quocirca

Auditors want to know about individuals, not groups

16 Nov 2011

It is pretty obvious that in order to audit the use of IT resources and applications, you need to know who is doing what. This is especially true when it comes to system administrators (sys-admins), who are operating with increased levels of privilege.

Certain regulations and standards make strong statements on the subject. One of the controls in the IT service management standard (ITSM) ISO 27001 states that “the allocation and use of privileges shall be restricted and controlled”. The Payment Card Industry Data Security Standard (PCI-DSS) recommends “auditing all privileged user activity”.

Neither of these requirements can be met if it is not possible to identify individual privileged users and link them to the actions they have carried out. This means that either a privileged user must always act under an assigned personal identity or must be individually assigned privileged access rights for a given set of resources for a limited period of time, using tools that will provide a clear audit trail.

Many organisations cannot achieve this due to poor privileged user management practices, especially in the use of group access accounts. Recent Quocirca research shows that more than 50% of organisations do not stop the use of such accounts. This means that when a particular action is carried out under privilege, it could be any one of a range of users who know the group access details that were active at the time.

Things get worse. The passwords for such accounts are rarely changed: informing all the potential users is too arduous, and the passwords used are often chosen to be easy to remember and so are also easier to guess and hack. Ex-employees and/or contractors will also retain the details of these shared privileged user access accounts, which they could still use if they were motivated to do so.
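Both this post and the PCI DSS Requirement 8 point in the banking post above come down to the same test: can every privileged action be tied to one named person? The script below is an added example, not from either Quocirca post. It reads syslog-style sshd and sudo lines (the sample log is constructed), treats any event performed by a shared or group account as unattributable, and counts how much of the privileged activity an auditor could actually pin on an individual. The shared-account list is an assumption standing in for an organisation’s own inventory of group accounts.

```python
"""Attribute privileged actions in Unix auth logs to individual people.

Added example, not from the Quocirca posts. Parses sshd 'Accepted' and sudo
command lines in syslog format (the sample below is constructed) and reports
every privileged event that cannot be tied to a named person, i.e. anything
done by a shared or group account such as root or a generic 'admin' login.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed policy input: accounts known to be shared among several people.
SHARED_ACCOUNTS = frozenset({"root", "admin", "dbadmin"})

# Constructed sample: one named user, two shared-account logins, two sudo runs.
SAMPLE_LOG = """\
Nov 16 09:01:12 host1 sshd[2101]: Accepted publickey for alice from 10.0.0.5 port 5222 ssh2
Nov 16 09:02:40 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd bob
Nov 16 09:10:03 host1 sshd[2188]: Accepted password for root from 10.0.0.9 port 4431 ssh2
Nov 16 09:11:15 host1 sshd[2190]: Accepted password for admin from 10.0.0.12 port 4488 ssh2
Nov 16 09:12:00 host1 sudo:    admin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/service nginx restart
"""

TS = r"(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) "
SSH_ACCEPT = re.compile(TS + r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")
SUDO_CMD = re.compile(TS + r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")


@dataclass
class Event:
    ts: str
    host: str
    actor: str         # account that authenticated or invoked sudo
    privileged: bool   # does the event use or confer elevated rights?
    detail: str


def parse_line(line: str, shared=SHARED_ACCOUNTS) -> Optional[Event]:
    """Turn one log line into an Event; unrelated lines yield None."""
    m = SSH_ACCEPT.match(line)
    if m:
        user = m["user"]
        # A login to a shared account is itself a privileged event by policy.
        return Event(m["ts"], m["host"], user, user in shared,
                     f"ssh login via {m['method']} from {m['src']}")
    m = SUDO_CMD.match(line)
    if m:
        return Event(m["ts"], m["host"], m["user"], True,
                     f"sudo to {m['target']}: {m['cmd']}")
    return None


def attributable(event: Event, shared=SHARED_ACCOUNTS) -> bool:
    """An action is attributable when the invoking account belongs to one person."""
    return event.actor not in shared


def audit(lines: Iterable[str], shared=SHARED_ACCOUNTS) -> dict:
    """Summarise how much privileged activity can be tied to a named individual."""
    events = [e for e in (parse_line(l, shared) for l in lines) if e]
    privileged = [e for e in events if e.privileged]
    findings = [
        f"{e.ts} {e.host}: '{e.actor}' is a shared account, cannot attribute: {e.detail}"
        for e in privileged if not attributable(e, shared)
    ]
    return {
        "events": len(events),
        "privileged": len(privileged),
        "attributable": sum(attributable(e, shared) for e in privileged),
        "unattributable": len(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG.splitlines())
    print(f"{report['attributable']} of {report['privileged']} privileged events attributable")
    for line in report["findings"]:
        print(" -", line)
```

On the sample, alice’s sudo run is attributable because the invoking account is hers even though the target is root; the direct root login, the login to the shared ‘admin’ account and the sudo run from that account are not, which is exactly the gap the ISO 27001 and PCI-DSS controls quoted above are asking organisations to close.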

A new Quocirca research report, entitled Conquering the sys-admin challenge (November 2011), looks at current practices around sys-admin, privileged user management and auditing, and is available for free here.

Bob Tarzey, analyst and director, Quocirca