ITworld: A get-up-to-speed guide on hyper-converged infrastructure

The market for hyper-converged systems is quickly evolving. Traditional storage infrastructure vendors remain the largest installed base, but software-defined and hyper-converged storage providers represent the fastest growing market segment, with some of the latter vendors rapidly increasing their market share.

ITworld: A get-up-to-speed guide on VDI

Virtual desktop infrastructure, better known as VDI, is undergoing a new life. A few years ago, it was plagued by lackluster user experiences and cost overruns. Now, thanks to an injection of new technology and better implementations, there’s a lot to like. Faster, cheaper technology has made it an interesting option for companies seeking a way to support flexible, work-from-anywhere environments.

How does this transformation happen? This get-up-to-speed guide posted on ITworld explores how VDI can help organizations navigate shifts in business and user needs.

ITworld: A get-up-to-speed guide on moving legacy apps to the cloud

Making a case for moving legacy apps to the cloud is becoming easier, with the biggest driver being the ability to shift costs from capital to operating expenses, which can save money. Also, renting capacity rather than owning servers and network infrastructure allows more flexibility in how computing resources are provisioned, enabling workloads to be matched to demand. Quick provisioning is key: New servers can be brought up in the cloud in just minutes, not only making it easier to improve availability but also enabling more flexible disaster recovery mechanisms.

This get-up-to-speed guide explores the key approaches to migrating legacy apps to the cloud, and the value each can bring to your business. You can download my guide here.

CIO: Five ways to save money on your cloud costs

Keeping track of your monthly cloud computing bills isn’t easy. While it is great that cloud providers usually charge you for the resources you consume, the various elements of your bill are very complex and made up of dozens of different factors, such as CPU core, storage units, RAM size and data transfers. Fortunately, there are a number of online services (see chart below) that can help you save money by using a series of clever choices. In this article for CIO (email reg. req.), I will look at five questions that you can ask to try to reduce your monthly cloud computing bill.

Service | Cloud providers (number or names) | Expertise | Free or paid?
Cloudability | AWS | Cost monitoring | Paid
Cloudorado Cloud Hosting Comparison | 27 | CPU benchmarks | Free (paid by participating vendors)
Cloudyn | AWS, Azure, Google | Costing trends | Both
CloudHarmony CloudSquare | 101 | Uptime status | Free
CloudSpectator | Varies | Custom analytics | Both; paid reports are $400 each
CloudHealth Technologies | AWS, Google | Costing, performance and security analytics | Paid services start at $250/mo
Datapipe Analytics | AWS, Azure | Management tools | Paid services start at $3500/mo
RightScale PlanForCloud | 6 | Deployment scenarios | Both; paid services start at $6000/mo

Network World: 7 encrypted email services to hide your messages

Whether you think Ed Snowden is a patriot or a traitor or somewhere in between, it certainly has been an interesting couple of years in the secure email business. It is a continued series of ironies, starting with the fact that Snowden had trouble convincing his chosen scribes to make use of encrypted email technology itself to transmit his documents. As I wrote about earlier this year, since Snowden’s revelations, more people have been motivated to employ encryption than ever before.

Ironically, it seems that the type of encryption that you use can make you a target of the spy agencies, who can scoop up your transmissions and figure out your origins. As Bruce Schneier said in a post last year, “There’s nothing that screams ‘hack me’ more than using specially designed al Qaeda encryption software.”

That is a scary thought. But I don’t want to debate this here; instead I wanted to take a closer look at both new and older email encryption technologies and how much they actually protect your communications.

I took this two-year mark of Snowden’s unintended flight to Russia to write this review of seven different products for Network World. They include Hushmail, ProtonMail, Datamotion SecureMail, HP’s Voltage SecureMail, Tutanota, Virtru and AppRiver. Using one of them will certainly be better than not using any encryption, even if it raises your profile with certain three-lettered agencies. Tutanota’s Outlook plug-in is pictured above.

You can read my full review here.

Network security worst practices

I recently came across a company with amazingly poor security practices. Over the course of time, the company was so lax about tracking its laptops that many were either lost or stolen with sensitive customer data, of course kept unencrypted on the laptops’ hard drives. For many months, the company had no Internet firewall. It didn’t track any network egress traffic and didn’t routinely examine any of its network log files to see what was actually going on across its infrastructure. Routine software updates were ignored, many of which had security implications. And the final coup de grace: it never kept any records of who had administrative access to various critical resources.

None of these things are hard to do. All can be done with technology that was common at least ten years ago, and in some cases is 20 years old. All require some diligence, staying on top of things, and having the personnel who are responsible for these tasks actually doing them on a routine basis. So what happened? You probably won’t be surprised when I tell you that all of these activities were common IT practice at several US government agencies. We aren’t even talking about government contractors (which also fall down on the security job). These are full-time employees, and at agencies that should know better, such as the SEC or NRC. People that handle sensitive stuff.

As an aside, both agencies are among the top places to work for midsized agencies. The SEC actually has two IT specialist job openings (at least for now) that pay quite well. Sounds like a pretty cushy position to me, since you probably spend your time playing computer games or surfing the web.

And I haven’t even gotten to the latest revelations about Chinese hacking into the database of people who have applied for security clearances, which has been happening over the last year. This gives new meaning to being “red flagged.” Quite literally, and one with five yellow stars on it too.

My story gets worse. I should mention that many users were found with that old bugaboo, using “password” as their access passwords. Really? This is more than embarrassing.

And all jokes aside about going with the lowest bidder or cost overruns on $500 toilet seats. These agencies don’t have to buy anything much to cover the basics.

If a private industry CIO had this sort of security record, they would never work in IT ever again, unless to become a motivational speaker and tell people what not to do. Instead, because they are the Feds, we just shake our heads and wonder what is going on, and somehow give them a free pass to mess something else up again. It really boils my blood.

I recently had a friend of mine ask me to serve as a reference for his security clearance renewal interviews. So chances are my name is in the hands of the Chinese somewhere. It was an interesting moment for me: when I met the investigator, he showed me his credentials, and I joked with him that I wouldn’t know if they were legit or not, I didn’t even know the name of the agency that he was supposed to be working for. As my friend explained, they aren’t looking for youthful indiscretions (not that I knew him when he was younger) but things that he hasn’t revealed on his application that can somehow be used to compromise him. Too bad the network administrators already blew it for him and millions of other Americans that are serving their country.

Okay, we lived through Healthcare.gov and all that mess. We made it through some pretty massive screw-ups where our 57 different intelligence agencies couldn’t even share basic threat information, or where innocent people with names that are similar to the bad guys are flagged by the TSA. This takes government tech to a new low.

When we can’t have basic, simple IT security practice that just involves people doing their jobs, that gets my goat. This is not a technology problem, it is a leadership and people problem.

SearchSecurity: The moving target defense and polymorphic protection

We all know what polymorphic malware is: the ability of malware to adapt to current conditions and try to evade security software to do its dirty business on a target computer. This type of malware can easily evade signature-based scanners and other standard means of detection since it is always changing the nature of its attack vectors whenever it executes. But what if we could harness this same behavior and use this defensively, so that we could do good instead of harm?

The idea is for the target computer to appear to be changing, so a piece of malware can’t easily infect it. That seems like a very sophisticated notion and it is gaining traction.

Indeed, polymorphism is just a new way of describing what many academic security researchers have long been calling a “moving target defense,” something that has been under study for quite some time. An Association for Computing Machinery (ACM) conference last November in Arizona covered many ways of implementing such a defense, such as with game theory and other advanced algorithms. Another academic paper goes into lots of implementation detail here.

These research projects have moved into the next stage with a new series of security products from vendors such as JumpSoft, Morphisec, Shape Security (now part of F5) and CyActive, among others. Each of these vendors’ products is still very early, but you can get an idea of what they are trying to do and how quickly this area is evolving.

Certainly, defending Internet-based assets has gotten more complex. Dudu Mimran has blogged about the growing digital gap because “security tools did not evolve at the same pace as IT infrastructure…. Polymorphic defense aims to undermine this prior knowledge foundation and to make attacks much more difficult to craft.” This is because many attackers rely on knowledge about particular operating systems, devices or applications, and then target their weaknesses with their exploits. Making systems harder to identify makes them harder to attack and thus improves online security. Mimran is the CTO for Morphisec, which plans on announcing its first product at the time of the RSA show in April.

Shape Security calls its ShapeShifter product “the first botwall”; it is designed as an appliance to protect the user interface to your web servers. As they explain on their website, “The use of polymorphism lets you preserve the functionality of code while transforming how it is expressed. In this example, a simplified login form has certain attributes replaced with random strings. The resulting code breaks malware, bots, or other attacks programmed to submit that form, but renders identically to the original.” By using this polymorphic defense, you can block DDoS, man-in-the-browser, and account takeover attacks. The appliance is installed behind the load balancer and, with a few simple firewall rules to direct traffic to it, can be up and running.

One way many websites have been protected in the past is by putting in place rate, volume and IP address limitations to prevent a large series of automated login attempts. Malware actors get around these limits by using a large database of stolen login credentials that are injected using a large-scale distributed botnet running on a huge number of IP addresses. Another popular past method is to use CAPTCHAs to protect logins; this is falling out of fashion as a number of automated or large-scale manual methods have been developed to defeat them.

Shape’s appliance dynamically changes the underlying code of the protected website each time a page is viewed to defeat the types of scripts used in these kinds of login exploits.
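An added sketch of the attribute-randomization idea in the quote above, not Shape Security's code: each page view gets fresh random field names, and the server keeps the mapping back to the real ones. The function names, the in-memory store, the /login action and the 300-second lifetime are assumptions made for this illustration.

```python
import html
import secrets
import time

CANONICAL_FIELDS = ("username", "password")  # names the application expects
FORM_TTL_SECONDS = 300                       # assumed lifetime of a rendered form


def render_login_form(store, now=None):
    """Return (form_id, html) with fresh random field names for this page view."""
    now = time.time() if now is None else now
    form_id = secrets.token_urlsafe(16)
    # Map each random per-view alias back to the canonical field name.
    aliases = {"f_" + secrets.token_hex(8): name for name in CANONICAL_FIELDS}
    store[form_id] = {"aliases": aliases, "expires": now + FORM_TTL_SECONDS}
    inputs = "\n".join(
        '  <input name="%s" type="%s">'
        % (html.escape(alias), "password" if name == "password" else "text")
        for alias, name in aliases.items()
    )
    page = (
        '<form method="post" action="/login">\n'
        '  <input type="hidden" name="form_id" value="%s">\n%s\n</form>'
        % (html.escape(form_id), inputs)
    )
    return form_id, page


def decode_submission(store, posted, now=None):
    """Translate a POST back to canonical names, or return None to reject it."""
    now = time.time() if now is None else now
    # pop() makes each rendered form single-use, so a captured POST cannot be replayed.
    entry = store.pop(posted.get("form_id", ""), None)
    if entry is None or now > entry["expires"]:
        return None
    expected = set(entry["aliases"]) | {"form_id"}
    # A script with hard-coded "username"/"password" sends names this view never issued.
    if set(posted) != expected:
        return None
    return {entry["aliases"][k]: v for k, v in posted.items() if k != "form_id"}
```

This covers only the field renaming described in the quote; the appliance is described as changing more of the page's underlying code than that.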

“The ‘poly’ part is the cool factor of this approach in that changes to the architecture can be made continuously and on-the-fly, making the guesswork higher by magnitudes. With polymorphism in place, attackers cannot build effective repurposable attacks against the protected area,” says Mimran on his blog. He suggests that all polymorphic defenses share the following four attributes:

  • First, you start with some sort of trusted source that controls the dynamic changes to the host.
  • Next, you build a solution that isn’t easily identified with the typical attack patterns which makes them much more resilient.
  • You integrate the internal code changes in such a way that these changes aren’t readily apparent to external users or software programs.
  • On top of this, you harden your code to make reverse engineering and propagation very difficult.

CyActive uses bio-inspired algorithms as training data for a smart detector that can identify and stop future malware variants. Earlier this month PayPal acquired their technology, showing just how serious this market segment is getting.

JumpSoft claimed to protect all layer 7 applications with their code.

Whether these polymorphic defenses will prove vulnerable to even more sophisticated exploits isn’t yet clear. But at least turnabout is fair play, and the bad guys are finally getting a taste of their own evil-tasting medicine.

SearchSecurity.com: Postcards from the New Network Edge

With distributed workforces and mobile technologies, the network perimeter has evolved beyond the physical limits of most corporate campuses. The days when the perimeter was an actual boundary are a fond memory. Back then, firewalls did a decent job of protecting the network from outside threats, and intrusion prevention tools protected against insiders. But over time, the bad guys have gotten better: Spear phishing has made it easier to infiltrate malware, and poor password controls have made it easier to exfiltrate data. This means that the insiders are getting harder to detect, and IT assets are getting more distributed and harder to defend.

You can read my story in SearchSecurity here about four strategies for defending the new network edge. Or watch my video slideshow where I cover some additional points.

ITWorld: These organizations will train, mentor and help you find your next job for free

Tech is back in demand and at a height not seen since the dot-com bubble burst at the beginning of the millennium. The IT sector has about half a million unfilled job openings across the country, accounting for about 12% of all open positions. I talk about several organizations around the country that can help fill these positions, by helping to train, mentor and place tech talent. These include LaunchCode in St. Louis (where I am doing some consulting), Code Oregon which is a partnership between Worksystems and Treehouse, one of the nation’s leading online interactive education platforms. There is also Code Louisville in Kentucky and Grand Circus in Detroit.

You can read my post in ITWorld today here.

CDW StateTech Magazine: Review of Citrix XenMobile

Citrix has long offered mobile device management software in cloud and on-premises versions. The latest version, XenMobile 10, offers some welcome enhancements to the user experience and security. In my review for CDW’s State Tech Magazine, I walk through some of the notable features. Citrix sells three different software bundles under its XenMobile brand: XenMobile MDM, XenMobile App and XenMobile Enterprise editions. There are differences that you should be aware of.