David Edborg – InFocus Blog | Dell EMC Services
https://infocus.dellemc.com
DELL EMC Global Services Blog, Fri, 20 Apr 2018 15:17:21 +0000

Transforming Security for our Next Generation Systems
https://infocus.dellemc.com/davidedborg/transform-security-cybersecurity-framework/
Tue, 25 Apr 2017 09:00:03 +0000

Cyberattacks on IT assets are reaching new highs. Just when you think you are caught up, another unforeseen attack vector has opened. Look at just about any security architecture – it has been implemented slowly over time in a piecemeal fashion, leaving a mix of old and new technologies and overlapping parts and pieces, with few pieces talking to each other.

CISOs looking across their security architectures can only hope their solutions will withstand the onslaught of a cyber-attack.  A scary proposition indeed.  Recently, a CISO for a large financial services organization shared that his security architecture is composed of over 190 products. Despite this, he still feels vulnerable.

How do you manage 190 security products?  Can you imagine the overlaps and the potential for gaps?

The US National Institute of Standards and Technology published a Cybersecurity Framework, also called the CSF, and just released a draft for the next version.

The Cybersecurity Framework was developed to “enable organizations to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure.” The original CSF was released in 2014 and consolidates security research, international standards, and best practices into a comprehensive protection guide.

At a high-level, the framework has five functions, and under these functions are categories and sub-categories.

I’ll leave it to you to read the full details on the NIST Cybersecurity Framework site, but essentially the five functions boil down to:

Identify—understand your assets, risks, governance, and create a cyber-risk management strategy

Protect—protect the assets, train your people, and keep up on maintenance

Detect—create the processes and implement the technologies to detect cyber mischief, and monitor for anomalies

Respond—develop a cyber-incident response plan and continue to improve

Recover—develop a recovery plan, test it, and continue to improve

The CSF is a great way to organize approaches to cybersecurity, although the lowest levels of the framework, the reference standards and tiers of implementation, are enormously complex. One of the collaborators of the Cybersecurity Framework explained at the February 2017 RSA Conference that the latest CSF pointed to over 120 security controls in these areas. Yikes!!! There’s got to be a better way.

We have made 2017 the year of Security Transformation. Now is the time to prioritize your organization’s cyber-security practices and evolve to combat new threats. We are joining the expertise of RSA, SecureWorks, VMware, and Dell EMC to produce adaptive security products and services to help you lead your security transformation.

We’ll be starting the conversation over the next few months and will be making major announcements related to Security Transformation. We are starting the conversation at Dell EMC World this May 8-11 in Las Vegas. I’ll be leading a session titled, “Learn How to Put Security at the Very Core of Your Organization with Secure Infrastructure”.

It’s an exciting time for us at Dell Technologies and we look forward to the year of Security Transformation. I invite you to join us during this exciting time and look forward to seeing and talking with you at Dell EMC World.

Can the Internet Ever Be Secure?
https://infocus.dellemc.com/davidedborg/can-internet-ever-secure/
Fri, 10 Feb 2017 16:34:47 +0000

By some estimates, over 150 million phishing emails are sent every day.  Think about that number for a moment, that’s 1,736 attempted crimes every second of every day.  And by and large, it’s those phishing emails that get through our cyber defense mechanisms that lead to a substantial portion of cybercrime losses.  What’s worse, cybercrime is the perfect ghost crime with attackers coming and going without a trace, emboldened by anonymity.  How can we solve this? Can the internet ever be secure?

In 2015, Inga Beale, Lloyd’s of London CEO, estimated that cyberattacks globally cost businesses $400 billion a year in damages and business disruption. 

Another report by Cybersecurity Ventures, a US based research firm whose board of advisors includes the likes of John McAfee and Michelle Finneran Dennedy, the VP & Chief Privacy Officer at Cisco, predicts that the potential worldwide cost of cybercrime will exceed $6 trillion by 2021. $6 Trillion?  That’s more than the projected 2016 GDP of Germany and the UK combined. 

So, what is the industry experts’ best response? Spend more money. According to IDC, worldwide IT organizations spent almost $74 billion on security related hardware, software, and services in 2016. This is expected to increase to over $1 trillion over the next four years according to Cybersecurity Ventures.

Will the increased spending change the trajectory of criminal activity?  Hardly; a trillion dollars spent and up to $6 trillion in losses, that’s a losing battle in my book.

The greatest failure in existing cyber defense strategies is that criminals are not being held accountable. In all of 2015, the most recent year that annual statistics are available, the FBI only made 49 Computer Criminal Intrusion Arrests. 

Why the huge disconnect between the damages of the crimes and the number of arrests? The short answer is that in order to arrest someone, you need evidence. And unfortunately, cybercrime today is the perfect ghost crime; criminals usually do not leave behind any useful evidence. In most traditional crimes, by contrast, criminals can be identified through facial recognition, fingerprints, DNA or other evidence.

So why are we completely feckless in collecting cybercrime evidence? This is because the ARPANET project, which created the Internet, designed the underlying communication protocols for openness, leaving them devoid of security. Yes, a US Department of Defense funded electronic communications project produced the early Internet protocols without any security at the protocol layer.

Okay, so what’s the fix?  It’s surprisingly simple, borrowing a technology used by ransomware criminals themselves, Blockchain.  Blockchain protects information we don’t want accessed or tampered with by only verifying data transactions that follow the rules. Redesigning the Internet Protocols with Blockchain technologies will allow us to irrefutably identify the sender.

Irrefutable identity in Internet communications would allow organizations that have been victimized by a cybercrime to provide law enforcement with the cyber-DNA evidence to prosecute the crime.

Certainly, the devil is in the details and it won’t happen overnight; but the cost to create irrefutable Internet communication transactions through the use of Blockchain has certainly got to be cheaper than trillions spent on other solutions.

Putting Ransomware Criminals Out of Business
https://infocus.dellemc.com/davidedborg/putting-ransomware-criminals-business/
Tue, 18 Oct 2016 09:00:46 +0000

The advent of anonymous peer-to-peer networks such as bitcoin has enabled cyber-criminals not only to steal and sell your data, but also to cut out the middleman and get their ill-gotten rewards directly. This can happen with the added benefit of no trail for law enforcement to follow.

Cyber-attacks continue to morph, and now cyber-criminals have the infrastructure available to hold your data for ransom. So rather than steal and sell data, they can now encrypt data and hold it for ransom. Effectively, with ransomware cyber-criminals can get their money quicker and hold up a victim over and over until the attack vector is closed.

A dire situation? It is for those that take no action. As well, it seems like no matter how much you invest in security infrastructure and closing vulnerabilities, it’s a never ending battle. But for most of us, it’s another mole to whack. If we step up and take the profit out, Ransomware attacks can be curtailed.

Okay, how? The answer is in the US National Institute of Standards and Technology (NIST) Cybersecurity Framework.

NIST developed a Cybersecurity Framework to “enable organizations to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure”. The NIST Cybersecurity Framework was released in 2014 and consolidates security research, international standards, and best practices into a comprehensive protection structure.

At a high-level, the framework has five functions, and under the functions are categories and sub-categories.

I’ll leave it to you to read the details on the NIST Cybersecurity site, but essentially the five functions boil down to:

Identify—understand your assets, risks, governance, and create a cyber-risk management strategy

Protect—protect the assets, train your people, and keep up on maintenance

Detect—create the processes and implement the technologies to detect cyber mischief, and monitor for anomalies

Respond—develop a cyber-incident response plan and continue to improve

Recover—develop a recovery plan, test it, and continue to improve

Okay, I took a little bit of literary license and interpretation. In some respects, if you have any kind of a cyber-security program or have security protection mechanisms in place, you are probably already doing the first four functions in some fashion. Maybe not as organized as the framework, or the level of practice, but most organizations have something in place. If not a Cyber Incident Response Center, then perhaps a help desk with a notification and response tree.

What most organizations don’t have is the ability to systematically recover from a destructive cyber-attack (a ransomware, destruction, or wiping event), because we’ve not had to do that in the past. A cyber-criminal used to come in, steal the data, and leave. But when a cyber-criminal encrypts, destroys, or tampers with your data, the malware tool they used is still with you and needs to be removed and eradicated, and the vulnerability fixed.

Dell EMC’s Isolated Recovery Solutions provide you with the ability to recover.

In the Dell EMC Isolated Recovery Solution, copies of your critical data are protected in an isolated vault. Data is periodically copied into the vault over secured local networks, and at the end of the copy-in cycle the isolated recovery environment is segregated from the network. Inside the isolated vault, layers of additional security provide added protection.

In the event of a destructive cyber-attack, isolated copies of your data are available to begin your recovery.

But can’t you simply recover from last night’s backup? Certainly, provided the backup infrastructure was not compromised. In the Sony Pictures attack and several other attacks, backup data was destroyed first. Can you recover from tape? Yes you can recover from tape; after all, tape is the ultimate air gap. But consider how long it takes to recover from tape, and how many generations of tape do you need to go through to find clean data sets? Can’t I recover at a DR site? Recovering from a DR site is possible, but what’s the likelihood that the DR site was also compromised?

Adopting an Isolated Recovery Architecture is the best way to put ransomware attackers out of business. If an attacker doesn’t get a reward, then they will move on to something else.

Consider how the banking industry cut down the rash of bank robberies that periodically pop up. They implement increased controls, surveillance, man-traps, time-controlled locks on safes, dye packs, etc. Unfortunately they couldn’t completely control stupid, but the measures have had the impact of reducing bank thefts. Likewise, we too in IT and IT Security can take the profit out of ransomware and move the cyber criminals on to another endeavor.

While we will probably never get to a state of completely eradicating all vulnerabilities, and we won’t be able to control stupid, with an isolated recovery solution, we can recover and mitigate the impact of an attack.

In my next blog post I’ll go over some strategies on how to recover from a cyber-attack.

[RECORDED WEBINAR – ASIA PACIFIC] Build the Last Line of Defense Against Cyber Attacks
https://infocus.dellemc.com/davidedborg/protect-cyber-attacks-ransomware/
Fri, 05 Aug 2016 19:09:14 +0000

Webinar Name: Build the Last Line of Defense Against Cyber Attacks
Date and Time: View Recording Here >>
Duration: 45 Minutes

The very nature of security attacks and the methodologies to detect and prevent those attacks are shifting equally as fast as businesses are today. Customers must now analyze and protect both traditional and cloud native applications on any infrastructure both on or off-premises. Join us to critically analyze these new paradigms and gain practical advice for enabling and securing the rapidly evolving IT landscape.

What You Will Learn

  • Benefits of an Isolated Recovery Solution – how Isolated Recovery protects your organization from attacks focused on cyber destruction or having data held hostage for the purpose of extortion or blackmail.
  • Key factors in determining which data should be protected using Isolated Recovery. What to look for when deciding on a partner to assist in building your Isolated Recovery Solution. What combination of skills, expertise, and technology will deliver the results you need.
  • Where to begin. See how others are implementing Isolated Recovery Solutions to close the gap and get moving on a protection model appropriate for their business.

[RECORDED WEBINAR] Survive a Modern Cyber-Attack with Isolated Recovery
https://infocus.dellemc.com/davidedborg/survive-cyber-attack-isolated-recovery/
Wed, 27 Jul 2016 09:00:32 +0000

We’ve been talking about Cyber Attacks over the past couple of months, and the feedback from readers is you want a deeper understanding of how these attacks are different and  tangible actions you can take to protect your organization. This webinar is going to take you through a “typical” cyber-attack and discuss how traditional protection approaches fall short.  Finally we will discuss strategies and approaches to leverage Isolated Recovery as a means to address the latest threats and ensure your critical data can withstand a cyber-attack.  Sign up now!

Webinar Name: Survive a Modern Cyber Attack with Isolated Recovery
Date and Time: August 10th at 10am PT/1pm ET
Duration: 60 Minutes

Cyber-attacks are becoming more sophisticated and devastating.  Hackers are not just corrupting your data, but going after your backups or cutting off your data access and holding it for ransom. Are you really protected? Isolated Recovery is the latest protection mechanism to address the latest threats to ensure your critical data can withstand a cyber-attack.

The Real Reason Why Cybercriminals Steal
https://infocus.dellemc.com/davidedborg/real-reason-cybercriminals-steal/
Wed, 15 Jun 2016 09:00:19 +0000

Legend has it that when Willie Sutton, a prolific bandit in the US during the Depression era, was asked by a reporter why he robbed banks, his response was, “Because that’s where the money is.” Mr. Sutton was so good at robbing banks, that one biographer estimated that Mr. Sutton committed over 100 bank robberies and stole over $27 million in today’s dollars.

When I think about how much money Mr. Sutton stole and the number of robberies he committed, I can’t help but think of the similarities to the state of cybercrime today. Data is highly valuable, both to steal, or hold for ransom. As well, Cybercrime is rampant and the data held by IT in many cases is incredibly easy to steal.

Part of the problem lies in how companies value data assets. The other is how we protect those assets. On the valuation side, organizations tend to think in terms of the cost of a breach, loss of business, or the loss of reputation. Cybercriminals on the other hand, value stolen data or data held for ransom in different terms.

A recent study published by Dell SecureWorks pegged the value of various types of business and consumer data. Here are some quick numbers:

  • Banking credentials – 1% to 5% of the account balance
  • Corporate email account credentials – $500
  • 300,000 airline points – $90
  • American Express Card – $30

At the same time, cyber extortionists are demanding $600 to $1800 for encryption keys to unlock data held for ransom.

The value of individual items may sound trivial, but if you put them into the context of data volume, there’s an awful lot of money to be made in cybercrime. Consider a company which employs about 70,000 people. If a hacker got into their provider’s online travel system and stole 70,000 credit cards at $30 a card, the value of the cards to the broker would be around $2.1 million. The purchasers of the 70,000 credit cards could have netted $128 million in fraudulent charges based on an average loss of $1,830 per card according to FBI 2014 statistics.

Understanding the nature of the crime can help us construct appropriate defenses.

IT organizations need to adapt their security approaches to address these emerging threats such as cyber destruction, cyber extortion, or blackmail. In the past we focused on protecting ourselves from the outside world with protection technologies such as firewalls, DMZs, VPNs, and access controls. However, many of today’s new threats are unleashed on the inside: disgruntled employees, malicious Internet sites, phishing, spear phishing, and whaling emails that release malware on the inside of IT’s perimeter defenses.

These emerging threats are rocking many organizations. Cybercriminals seem to stay a step ahead with new malware variants and encrypted viruses, while regulatory agencies are drafting new rules describing how we need to protect and test our protection schemes.

Oh before I forget; the real reason that cybercriminals steal and hold data for ransom, to paraphrase Mr. Sutton, “is because that’s where the money is”.

So how are we going to slow-down cybercrime? With vigilance, better approaches to security, and improved crime fighting techniques, the likes of Willie Sutton, Al Capone, Bonnie and Clyde, John Dillinger, “Pretty Boy” Floyd, and “Baby Face” Nelson, were pretty much put out of business by the end of the late 1930’s. We in IT too have hope that with vigilance, better approaches to cyber security, and improved cybercrime fighting techniques that we will soon be able to put an end to cyber plagues that seem to engulf us.

Securing the Modern Data Center
https://infocus.dellemc.com/davidedborg/securing-modern-data-center/
Tue, 19 Apr 2016 12:00:27 +0000

The nature of cyber-attacks is evolving. Traditional cyber-crime centered on the theft of information and attacks to shut down an organization’s Internet presence. Emerging threats include cyber destruction and cyber extortion or blackmail.

The data that runs our businesses has a lot of value to criminals, particularly data about our customers. A recent study published by Dell SecureWorks pegged the value of banking credentials at 1% to 5% of the account balance, $90 for 300,000 airline points, $30 for an American Express Card, and $500 for credentials to a corporate email account. And cyber extortionists are demanding $600 to $1800 for encryption keys to unlock data held for ransom.

There are basically two primary motivations behind these crimes: criminals that steal information for profit, and hacktivists who seek to shut down Internet sites or destroy data for ideological reasons.

Understanding the nature of the crime can help us construct appropriate defenses.

IT organizations need to adapt their security approach to address these new threats. In the past we focused on protecting ourselves from the outside world with protection technologies such as firewalls, DMZs, VPNs and access controls. However, many of today’s new threats are unleashed on the inside; disgruntled employees, malicious Internet sites, phishing, spear phishing, and whaling emails that release malware inside of IT’s perimeter defenses.

These emerging threats are rocking our organizations. Cyber criminals seem to stay a step ahead with new malware variants and encrypted viruses, while regulatory agencies are drafting new rules on how we need to protect and test our protection schemes.

At EMC World on May 2-5, I will go over the details on these emerging threats and the challenges we face in protecting against them. I invite you to join me on Monday with my colleague Azeem Aleem from RSA for our session titled “Securing the Modern Data Center”. Later on Monday, I will be joined by Nazir Vellani from Ernst & Young for a session titled, “Ernst & Young: Isolated Recovery Solutions” where we will cover the associated regulatory, compliance, testing, and governance for an organization’s data assets.

I’ll also be patrolling the Global Solutions booth and the Core Technologies Division booth (#364). Visit the live data center and meet the experts Stefan Voss (@VossmanVoss) and Alex Almeida (@alxjalmeida) who designed the infrastructure piece of this solution. Please stop by either location to introduce yourself, or ask more detailed questions.

Resiliency and The Case For Hybrid Cloud
https://infocus.dellemc.com/davidedborg/resiliency-and-the-case-for-hybrid-cloud/
Tue, 16 Feb 2016 17:16:39 +0000

It seems that virtually every organization that I talk to these days is moving something to the cloud; whether it’s lightweight marketing applications, customer-facing transaction systems, or full-blown application systems.

The reality is that IT struggles to compete with the economies of scale that the larger cloud service providers offer.

But many have found that while public cloud direct costs are low, the services come with risks that need to be understood. One of the reasons that internal IT services cost so much is that they are built on a foundation of quality and resiliency. When IT services are provided internally it’s a lot easier for line of business owners to exert control and demand nothing but the best. IT has years of experience of developing resilient systems and the services they deliver almost always come with high-availability, disaster recovery, and data protection schemes that can meet organizational compliance standards.

The risk an organization takes with public cloud-based services is the lowering of standards for availability and compliance. If you check out the SLAs of some of the largest service providers it’s hard to find any that can match the resiliency capabilities of internal IT. There are few providers that offer greater than three-9’s of availability. Is that enough for your business?

For certain classes of applications, three-nines of availability and roll-your-own security are acceptable. At the end of the day, you as a purchaser of public cloud services need to assess the risk and whether you are willing to put your business on the line.

The news of unplanned downtime and breaches of cloud service providers in the IT trade and popular media are increasing. Maybe it’s because the risks are becoming more publicized as incidents affect more organizations – every few months we seem to hear of an outage at one of the major cloud providers. And you breathe a sigh of relief and say to yourself, “I’m glad it didn’t happen to me.” But the reality is that as organizations migrate more applications and services to the public clouds, especially business and mission critical apps, the risk exposure increases.

I’m not trying to condemn public cloud services, rather I’m suggesting that you need to help your end-users and business stakeholders understand the risk associated in using external service providers and help them make a business decision about whether the risk is worth the potential savings.

Another adage to consider is one I learned from Jeremy Burton, EMC’s President of Products and Marketing, who asks: “How does a farmer treat a sick cow versus a sick chicken? Well a farmer has a vet come out and treat the cow, but he shoots the chicken.” The truth is that a cow has high value and is worth special care and treatment, whereas a chicken is low in value and can easily be replaced.

Likewise with your applications. If an application has a low data protection or risk compliance profile, it is an ideal candidate for the public cloud. But if your application has a high compliance risk profile, or is mission critical, a hybrid cloud solution may be the best option.

So look at public cloud services not as a threat to your organization, but rather as a way to shed low-value applications to service providers. Moving low-value applications to the external service providers allows you to take the resiliency infrastructure savings and invest them in innovation and your core applications. EMC IT recognized the emerging trend years ago and shed a lot of our non-critical applications to external service providers. We then invested the savings in what we do best – our core business: engineering, quality management, along with customer and professional services.

By understanding the value and requirements of your applications, you too can be enabled to make the best decisions for your organization by adopting a hybrid cloud model. Put low-value – low-risk applications in the public cloud with one of several cloud service providers, and put your high-value – high-risk applications in a private cloud. By aggregating the two, you have created a hybrid cloud. And you will have the ability to leverage the best cost model available.

Did a Lack of Resiliency Cost the Patriots a Super Bowl Trip? https://infocus.dellemc.com/davidedborg/did-a-lack-of-resiliency-cost-the-patriots-a-super-bowl-trip/ Fri, 05 Feb 2016 10:00:09 +0000

This year’s AFC Championship game was one of the most memorable in years. Two of the league’s top teams, with two quarterbacks destined for the Hall of Fame, slugging it out for the privilege to compete in Super Bowl 50. Denver fans were elated with the results of the game, while Patriots fans play a game of what-if.

One of the what-ifs Patriots fans are talking about is a 20-minute outage of their team’s sideline tablets. During the first half of the game, a problem with a network cable took the Patriots’ access to a league-provided Sideline Viewing app offline. The app is used by coaches and players during the game to review an opponent’s offensive and defensive tendencies or to dissect why a problem occurred. While the Patriots lost access, the Broncos were able to maintain their access to the system. So the argument goes, did the Broncos have an unfair advantage during the outage, [yes] and did the advantage cost the Patriots the victory? Certainly that’s a debate that may not have a clear answer, but what we can do is look at the problem and learn from it.

The NFL takes great pride in their preparations for every game.  They spend a lot of time validating the conditions of the field along with all of the logistics that it takes to put on a game.  Radio communications are checked to ensure that there is no interference and that no one else is using the same frequencies.  Sideline trunks are deployed with radios, backup power supplies, and a wired alternative if the coaches’ wireless communications fail.

Unfortunately for the Patriots, a single point of failure, one network cable, failed when it mattered most – in a win-or-go-home situation. While backups for power and voice communications were in place, the new Sideline Viewing System did not have complete redundancy.

Sideline Viewing was rolled out in 2014 as a replacement for an ancient black-and-white photo album system.  In the past, snapshots of formations and plays were relayed over fibre-optic cables to a printer behind each team’s bench.  Runners would assemble the photos in binders and get them to the sideline coaches and players as quickly as possible.

Now, snapshots are relayed wirelessly to tablets on each team’s sideline.  This gets information into the coaches’ hands 30-seconds faster than the old photo album system – roughly the time between plays.  It’s a technology triumph that allows coaches to make quicker adjustments during the game.

We too in IT sometimes get wrapped up in technology triumphs.  The cloud is reducing the cost of IT and big data is helping our organizations make nimble decisions that affect efficiency and profitability.  What hasn’t changed over time is risk.  Everything we do has a risk profile and a cost associated with potential loss.

Many of our IT systems are designed with resiliency to reduce our risk profile.  However, the cost of resiliency is sometimes higher than the risk warrants, or a level of resiliency may seem downright silly.  I mean, do I really need to wear both a belt and suspenders?  Certainly not.  Should the NFL have designed network resiliency into their sideline viewing system?  They probably thought they did, yet the Patriots and their fans could argue they should fix the single-point-of-failure.

We too in IT face similar dilemmas. Should a particular system have redundancy or not? One way of looking at application systems is through the lens of a Business Impact Analysis or BIA. In a BIA, business units apply a monetary value to downtime. Business management in turn can use the valuations to make investment decisions.

While the BIA has fallen out of widespread use, it is still used in the financial and healthcare industries and in some other regulated environments. Two of the problems with the BIA are that it overstates financial loss and fails to consider other factors. On the financial side, the BIA lost credibility because the aggregate loss potential of all the applications often exceeded the revenue of the organization. At the same time, other factors are not considered, such as the impact of a failure on the organization’s brand. It’s hard to make decisions if you can’t trust your numbers.

Replacing the BIA are measurements of maturity aligned to International Organization for Standardization (ISO) standards along with risk assessments.  The notion of a maturity analysis helps an organization to understand process and people strengths and weaknesses.  As well, the risk analysis helps organizations understand the potential impact of that risk and helps develop strategies for risk mitigation.

Do you know your risk profile? Is there a single point of failure lurking somewhere you didn’t know about? It’s often difficult to internally evaluate the maturity of your processes and people, to understand infrastructure single points of failure, and to fully understand your risk and potential mitigation strategies. Engaging someone outside the organization with significant experience and a proven approach is often the better way to go.

While debate will never definitively answer the question, “Did a Lack of Resiliency Cost the Patriots a Trip to the Super Bowl?”, a detailed risk analysis should have identified the loss potential, and the outcome of that analysis may have been a recommendation either to increase the resiliency or to mitigate the risk by simply cutting off the Sideline Viewing System to both teams. Not every weakness in resiliency requires spending money. But having risk mitigation options lets business management decide whether to invest, to mitigate, or to accept the risk. And in the case of the Patriots’ loss of the Sideline Viewing System communications, money may or may not need to be spent. But having a risk mitigation option of cutting communications to both teams, while inconvenient, would have provided fairness to both teams and to their fans.

Who’s Your Data Protection Officer [DPO]? https://infocus.dellemc.com/davidedborg/whos-your-data-protection-officer-dpo/ Wed, 23 Dec 2015 12:00:40 +0000

That’s right, who is your Data Protection Officer or DPO? Under proposed European Union regulations your organization will need to appoint a Data Protection Officer if your company is based in, or does business in, the EU; employs 250 or more persons or has core activities that consist of processing data. For years, the EU has had a DPO in each member state and in most EU institutions. The proposed regulations would extend the DPO position requirement to private organizations.

If you’re like me, an IT practitioner, you think of data protection as protecting your organization’s data assets with backup, offsite replication, security and encryption.  EMC even has a Data Protection and Availability Division that employs thousands of employees dedicated to helping organizations protect data.

But that’s not really what the DPO requirement is about.  In the EU, a Data Protection Officer is concerned about protecting the privacy and handling of personal data.  In IT we think about the organization’s data assets whereas the EU’s General Data Protection Regulations are concerned with the people the information is about.  And the fines for violating the regulations are significant; either 2% of an organization’s annual revenues or €100m for each infraction.

What are the data privacy regulations that you need to be concerned about?

Certainly your organization will need to seek appropriate legal advice; but, in general, the precepts are based on the right to privacy with respect to the processing of personal data, and that institutions shall not restrict or prohibit the free flow of personal data. There are also requirements that organizations that possess personal data obtain permission to transfer data, along with the individual’s right to be forgotten.

In some respects the regulations simply extend the responsibilities of IT’s stewardship of data.  In addition to the data protection processes we employ today, we will need to add additional controls and capabilities.  Over the next few months we will see more information in the media about the upcoming regulations.

How can you get ahead?

Be aware of the impending changes and start to think about the impact on your processes. Think about what you need to do differently, and be prepared to advise your compliance teams on the options and costs to implement. That’s the easy part. Implementation could be disruptive if your controls and security are lax. But if you have been keeping up with best practices and advances in technology you should be okay.

Want to help your organization keep the cost down? Clean up your data; get rid of data you don’t need. If you reduce the overall number of bytes in your house, the cost to protect and comply will be lower. Consider that the vast amount of data most organizations have has not been accessed in over six months.

The Federation Companies, EMC, VMware, Pivotal, Virtustream, and RSA Professional Services can help you comply with the regulations and we can help you clean up and retire old data. Reach out to your EMC Client Solutions Director or Account Team Rep to be directed to the right help.

The proposed Data Protection Regulations should be good news to most IT professionals.  On the one hand it increases awareness of the 2-way stewardship relationship of data; to the people the data is about and to the organization that uses data as an asset.  On the other hand it puts pressure on the organization to take data protection seriously; secure the data and implement appropriate governance controls.  But at the end of the day, it’s all about stewardship of the data, and ultimately about you, the steward of the data.
