11 May 2012
The end of April was a busy time for IT security analysts. April 24 to 26 was Infosecurity Europe (InfoSec) at Earl’s Court, the biggest such trade show in Europe, and the following week was the Eskenzi PR annual IT Security Analysts Conference and CISO Forum (a gathering of chief information security officers, vendors and analysts), earlier than usual this year to avoid the Olympics.
Quocirca chaired two events on the opening day of InfoSec. The first was titled “The Rising Role of The CISO” with interesting contributions from Yell’s Phil Cracknell and Network Rail’s Peter Gibbons and plenty of searching questions from the audience, which numbered in the hundreds. The consensus was that the role of CISO is rising in importance but, with the exception of technology companies, not currently to a board-level role or a board-level report. Quocirca gave an interview to InfoSec TV straight after the session which can be viewed here. The second session in the Technical Theatre, entitled “Modern-day NAC: a tale of two users experiences from testing to deployment”, was sponsored by ForeScout. NAC is short for “network access control”.
The session included contributions from Steve Orman of the Sussex NHS and Tony Whelton of Wellington College, who both recounted how NAC (in their case ForeScout’s CounterACT product) was helping them to cope with the increasing use of personal devices on private networks, a particular issue in their respective sectors, health and education.
As well as walking the show floor, Quocirca had scheduled meetings with a number of vendors including:
· Industry stalwart Symantec, full of excitement about its O3 web single sign on (SSO) initiative (watch this space for more)
· Blue Coat, which has recently reverted to private ownership in a $1bn+ deal and is now re-emphasising its network acceleration as well as its security credentials
· Trustwave, which recounted how its recent acquisition of M86 had rounded out its product portfolio with content security technology
· Barracuda, another vendor that has acquired its way from being a point provider of email security appliances to a broader portfolio including web security, network firewalls, web application firewalls (WAF) and backup/archive
· Cyber Ark, a leader in the privileged user management (PUM) space, which has just attracted around $40M new funding from Goldman Sachs
· Lieberman Software, another player in PUM that is aiming to increase awareness in Europe
· Valid EDGE, which has a technology for ensuring there are no memory or process leaks between virtual machines running on the same hypervisor that it is now positioning for safe parallel malware analysis
The organisers say it was the “Best Ever” InfoSec and that the success “reaffirms it is Europe’s No 1 Information Security Event”. Quocirca hopes all the vendors see a return on their investment to participate.
However, the greatest value for Quocirca comes from meeting the security practitioners and hearing their stories of applied info security; thanks to all who gave their time in the sessions chaired by Quocirca.
A report on the IT Security Analysts Conference and CISO Forum will follow.
Bob Tarzey, Analyst and Director, Quocirca
As predicted and wished for by many, work is becoming something done, rather than a place to go. The once solid delineation of the workplace is breaking down and the impermeable barriers are becoming porous. A number of technologies are driving this – mobile, cloud, social – and ultimately the pervasive nature of lower cost, high speed and open networks is behind it.
This brings predictable challenges around security, management and control, which have been exacerbated by the increasing desire for consumer technologies to be used for work activities. At one time the tools of ICT – fixed or mobile phone, desktop or laptop – were corporate standard issue, now many employees want choice, personal preference and BYOD – bring your own device.
Beyond the clear technical issues that many are already attempting to address, organisations need to deal with the changes required in their cultural and management style, and this is somewhat harder and often overlooked. While the dreams of future work embodied in terms such as mobile, remote home and flexible working have been in common use for a couple of decades, the reality is being slowed by certain aspects of human nature.
These can be found in any workplace. Employees will refer to an absent colleague as ‘working from home’ (often drawing the inverted commas in the air), they will say how hard it is to get hold of so-and-so while they’re on the road, or they might wander round cubicles looking to see who’s in to deal with an emerging crisis. Tele-working for some has the air of ‘tele-shirking’ for others.
Managers and management culture generally don’t help. Many organisations claim flexible and mobile working strategies, but in reality they have desks allocated to individual employees (who fight over location during office desk reorgs and mark their territory with personal objects) that are overseen by a glass-walled manager’s office at the far end. This is not a new way of working, but the old with better décor.
The problems are visibility and responsibility. Some employees, especially when times are threatening, feel they need to be seen – hence the ‘presentee-ism’ prevalent in many work places; others just want to know they can get hold of a colleague when they need to – for help, support or simply to offload – or to know they are pulling their weight. Managers like to know where their direct reports are and what they’re up to.
Fortunately technology provides a number of ways to restore visibility (and some cultural cohesion) to remote, flexible and mobile or distributed teams of co-workers. These have been available for some time, but Quocirca research often shows that adoption has thus far been slow. While mobile working was for the relatively few independent ‘road warriors’ this was acceptable, but distributed teams need communications and collaborative support at several levels to visibly demonstrate they are involved and committed.
Companies could go the whole hog and implement unified communications, social business tools and video conferencing or some blend of them, but there’s a simple first step – get the mobile phones onto the same footing as desktop phones. This means that the mobile phones of remote workers are seen just like their deskbound colleagues as extensions of the PBX; calls can be simply transferred and everyone can pick up their responsibility on a hunt group. Rather than lone wolves and road warriors everyone can be seen to be on the same team.
It doesn’t matter whether this is delivered by on-premise equipment or a hosted service, although for many smaller organisations, or those for whom a PBX upgrade is not in the short-term plans, a cloud based service might make most sense. As for players in this space, there are plenty to choose from, including mobile operators (Vodafone’s One Net, AT&T’s Office@Hand), telecoms and PBX hardware vendors (Avaya, Aastra, Alcatel-Lucent) and specialist communications providers (Gradwell, Calyx, Sangoma, Gintel).
The key questions to ask service providers are similar to those for other cloud applications around service assurance, reliability, scalability and security, but for mobile integration there are other issues to consider too. It is important to understand costs, especially when calls are being re-routed, and if there are any limitations or additional costs when roaming.
This may only be a first step on a much more sophisticated and involved route towards unified communications, a collaborative workplace and desktop video conferencing, but these require an even greater evolution in working practices and the business culture, which will rarely happen overnight.
The functions of the switchboard – from simple call divert, waiting, transfer and pickup to more sophisticated features – are well used and understood and therefore easily adopted. It is a far simpler task to extend this to mobile phones – whether employer-provided or employee-owned – to provide more cultural structure and team cohesion to distributed individuals.
By all means unify your communications, but unify your people first.
Rob Bamforth, Principal Analyst, Communication, Collaboration and Convergence, Quocirca
18 Apr 2012
As the financial climate cooled, Quocirca came across more and more organisations that sang the same song – do more with less, and batten down the hatches of expenditure to ride out the crisis.
Part of the response back from IT on this was to keep assets for longer than they normally would; “sweating” them to try and gain more value from them before assigning them to the great scrapheap in the sky.
However, older assets can have multiple problems. They may lack the raw power to meet the needs of the business’ workload requirements. There may be more failures at the equipment level and a lack of spares with which to replace the failed parts. Energy usage may be many times more than modern equipment.
Yet, the cost of forklift upgrading hardware is still perceived as being too high – and then there is the cost of equipment disposal to take into account as well. Securely disposing of IT equipment can be a complex task.
Most pieces of IT equipment – from servers and storage systems, through networking routers and edge of network appliances to individual end points, as well as printers and multi-function devices – will have some form of data storage built in. This may be via nicely accessible disk drives, may be in reasonably easily identifiable flash storage cards, or could be hidden within the systems as flash or on-chip memory stores. Ensuring that all the data stored on different types of devices is securely disposed of can be a task that seems overwhelming and so puts off replacement. Even when a device has reached a complete end of life, many organisations do a bad job of ensuring that what is thrown out (or disposed of via the waste electronic and electrical equipment (WEEE) directive) is truly done in a secure manner.
To the rescue comes IT lifecycle management, or ITLM. Although this has been talked about in the past, the main thrust has just been on managing the lifecycle of IT equipment from acquisition through to end of life on a provide and disposal basis. Now, however, there is a different way of looking at ITLM, taking into account that IT equipment has a curve of inherent value that can be used to an organisation’s benefit.
For example, for the sake of argument, assume that a piece of IT equipment costs £10,000 brand new. The organisation may write the piece of equipment off over 4 years, using a straight line model. Therefore, after 12 months, it will have a book value of £7,500, after two years, £5,000 and so on down to zero after 5 years.
But this does not reflect the real actual value of the equipment. Taking it out of the box, putting it back in the box and selling it on as second hand would probably lower the “inherent value” to, say, £7,000. As the equipment ages, the inherent value will then drop away in a curve similar to many other goods, such as a car. In the early days, it is likely to see a relatively fast drop in inherent value which then begins to level out over time. However, the introduction of new models of the equipment may introduce step changes in the value of the equipment as buyers stop looking to buy this equipment, instead looking to the new model.
As can be seen, this more realistic inherent value model is completely at odds with the book value model.
Now look at this in relation to trying to sweat assets. The longer you hold an asset, the less its value will be – both at the book and inherent levels. By being able to intelligently identify the moment at which the inherent value and the incremental business value of new equipment cross over, the costs of maintaining an optimised business IT platform are lowered to the best possible point.
A good ITLM partner should be able to identify this sweet spot for your organisation. Not only this, but they should also be able to optimise the inherent value through helping to identify the best options for disposal – this may be to hold them for further use, or it could be to directly repurpose the item for resale, or to strip down for parts. The partner should also be able to offer a range of services for secure data disposal – from over-writing through to maceration of disk drives to the point where data restoration is impossible. Even where this is carried out, the cost of such secure disposal should be able to be offset somewhat through the scrap value of macerated disk drives – each contains a fair amount of precious and rare earth metals that have considerable value in the market.
A full and proper ITLM approach allows a business to manage its total IT platform to provide the best platform for the business’ use. It is not about sweating assets, but it is about ensuring that the right equipment is in the right place at the right time – and at the right cost.
Quocirca has a free report that provides a model for organisations to adopt when looking at applying ITLM for their business. The report can be downloaded free of charge here.
Clive Longbottom, Service Director, Business Process Analysis, Quocirca
Most IT users will have suffered the frustration of losing work because their access device (PC, tablet, smartphone etc.) fails and has not been backed up, or indeed they may have deleted a file accidentally. This is inconvenient for the individual and those associated with the project they are working on. If they are lucky, a deleted file may have been on a file server and if this is the case a friendly system administrator may be able to recover it for them; more than 60% of file servers are backed up daily (although, worryingly, 38% of users may have to rely on recovered files that are a week or more old!)
File servers and user access devices are not the only devices that need backing up. Important information for the functioning of IT is stored on a wide range of other devices, especially those used for networking and security. Firewalls have complex rules programmed into them; content filtering devices have policies about what users can and cannot do with content. Load balancers are programmed to handle network traffic under pressure and decide what should be prioritised and how workloads can be distributed.
Just like servers and end user devices these devices can also fail and need replacing. Furthermore, system administrators make mistakes and may wrongly reconfigure a device or delete some settings and want to return it to an earlier configuration. This can only be done if the device has been previously backed-up.
In around 50% of organisations such devices are not even backed up on a weekly basis, and less than 30% do so daily. When there is a problem with one of these devices it may take hours to get them functioning again if they have to be rebuilt using out of date settings or, in the worst case, from scratch.
This need not be the case. The backup of such devices can be automated. Because all organisations will use devices from a range of network and security vendors, rather than having a specific backup tool for each one, a generic tool that addresses devices from a wide range of vendors via a single interface should be considered.
To see the full research behind this and get a free copy of Quocirca’s report – “Conquering the sys-admin challenge” – click here.
Bob Tarzey, Analyst and Director, Quocirca
Quocirca has written extensively about privileged user management over the years, including two research reports, Conquering the sys-admin challenge in 2011 and Privileged user management – it’s time to take control in 2009. One of the dangers highlighted in both reports is that if privileged user accounts are compromised the results can be far more serious than when the same happens with the accounts of “normal” unprivileged users. Several vendors specialise in the management of privilege and sys-admin rights including CA, Cyber-Ark, Centrify, Lieberman Software, Quest Software, Thycotic and UK-based Osirium, which sponsored Quocirca’s most recent report.
It is odd then that many businesses leave “normal” users with full admin rights in one area; their Windows desktops. IT departments are prone to do this because it makes life easy, as it means they do not get constant user account control (UAC) requests to their helpdesks (to install Active-X components etc.) However, Windows desktops with full admin rights are a gift to malware writers. Once compromised it is far easier to recruit such PCs to botnets, install key-loggers or use them as a springboard to deeper penetration of an organisation’s infrastructure. The default position should be that no desktop runs with full admin rights and that such rights should only be granted for limited periods of time and to enable certain tasks.
This has led to the emergence of a second group of privilege management vendors whose main focus is to get the problem of Windows desktop admin under control. They enable automated granting of admin rights based on predefined policies, which can apply to applications as well as users. This helps minimise the number of UAC requests, as when a user needs to install or update a commonly used application their privilege level can be temporarily elevated. Most of the vendors above do not address these specific issues and are therefore partnering in this area. Quocirca has been speaking to two of these vendors recently.
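Before any privilege management tool is deployed, the first step a defender needs is a measure of how many accounts currently hold full admin rights on the desktop estate. The script below is an added example, not code from Quocirca or from any of the vendors named in this post; it enumerates the local Administrators group on one or more Windows machines and reports every member that is not on an approved list. It assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember), WinRM enabled for remote hosts, and the approved-list entries CORP\Desktop-Admins and the built-in local Administrator account, which are constructed placeholders for this illustration.

```powershell
# Added example: audit local Administrators group membership across Windows desktops
# and flag members that policy does not expect to be there.
# Assumes: Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module) and,
# for remote hosts, WinRM enabled. The approved list below is constructed for illustration.

function Get-UnexpectedLocalAdmins {
    param(
        # Accounts/groups that are allowed to be local admins (constructed placeholders).
        [string[]]$Approved = @(
            "$env:COMPUTERNAME\Administrator",   # the built-in local account
            'CORP\Desktop-Admins'                # hypothetical AD group for the real admins
        )
    )
    # Get-LocalGroupMember returns users and groups, local or domain, with the
    # name in DOMAIN\name form, so a simple -notcontains check against the list works.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        if ($Approved -notcontains $_.Name) {
            [pscustomobject]@{
                Computer   = $env:COMPUTERNAME
                Member     = $_.Name
                ObjectType = $_.ObjectClass       # User or Group
                Source     = $_.PrincipalSource   # Local, ActiveDirectory, AzureAD, ...
            }
        }
    }
}

function Invoke-LocalAdminAudit {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string[]]$Approved = @("$env:COMPUTERNAME\Administrator", 'CORP\Desktop-Admins')
    )
    foreach ($computer in $ComputerName) {
        if ($computer -eq $env:COMPUTERNAME) {
            Get-UnexpectedLocalAdmins -Approved $Approved
        } else {
            # Ship the function body to the remote host; the approved list travels as an argument.
            Invoke-Command -ComputerName $computer `
                           -ScriptBlock ${function:Get-UnexpectedLocalAdmins} `
                           -ArgumentList (,$Approved)
        }
    }
}

# Usage: audit this machine (or pass -ComputerName with a list read from AD) and
# summarise by member so the most widespread grants stand out. Every line in this
# output is a standing admin right that a policy-based elevation tool should replace.
$findings = Invoke-LocalAdminAudit
$findings | Format-Table Computer, Member, ObjectType, Source -AutoSize
$findings | Group-Object Member | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

The output is only the discovery half of the job: the remediation the post argues for is to move those accounts to standard user rights and elevate per task and per application under a predefined policy, rather than to remove individual members by hand. Running the audit on a schedule and diffing the results also catches rights that creep back in after a helpdesk "quick fix".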
First is Avecto, a UK-based vendor that is doing half its business in North America. Its product is called Privilege Guard and it has a partnership with Cyber-Ark. Its focus to date has largely been selling direct to large enterprises where it links in with Active Directory and its Group Policy engine. However, it can also now link in with McAfee’s ePolicy Orchestrator (ePO), creating a partnership which Avecto sees as key to building a multi-tenancy on-demand version of Privilege Guard that will open up the SMB market, where practices regarding management of Windows privilege tend to be at their worst.
Second is Viewfinity, an Israeli vendor, which has just opened its first European office in Amsterdam. It already does 60% of its business via an on-demand platform; the other 40% being on-premise installs at large enterprises. It has partnerships with Lieberman Software and CA, and is integrated with Microsoft System Center Configuration Manager (SCCM) and, of course, Active Directory. Viewfinity has just released V4 of its product. It also has a free “Local Admin Discovery” tool, which allows you to find out for free just how widespread the allocation of admin rights is across your Windows desktop estate. The approach is a bit like those free malware detection tools that tell you of all the gremlins that are present on your PC but will not let you delete them until you cough up a fee (although Viewfinity should actually work!)
Regardless of the vendor selected (a third player is BeyondTrust), that may well be a price worth paying. At this level most malware is opportunist; it will seek out the most vulnerable and easiest to exploit PCs. Once malware has found its way on to a PC, finding full admin rights is a gift; an open invite to take full advantage of opportunities for data theft or deeper penetration into the infrastructure of the organisation that owns the device and thought it could trust it on its network.
As Quocirca research over the years has shown, there is much poor practice in businesses of all sizes when it comes to the management of privilege and sys-admin rights. Just as was stated in 2009 with regard to the management of core IT infrastructure, when it comes to user desktops, it is time to take control.
Bob Tarzey, Analyst and Director, Quocirca
About The big picture blog
Business and IT insights from research and analyst firm Quocirca