Security concerns influence organizational enthusiasm for adopting cloud technologies, says Launchpad Europe

Launchpad Europe IT Security Index 2009 reveals that security plays an important role in whether organizations will choose to adopt cloud technologies

Key findings:

● Half of respondents (49.5%) said their organizations were not using or planning to use any cloud technologies within the next 12 months

● "Security concerns" was the primary reason why organizations were not using the cloud (50%), followed by budgetary restraints (21.4%)

● Respondents' top priority when considering vendor of cloud services was "security of the cloud infrastructure," with the top vote of 37.9%.

by Michael Smith (Veshengro) from material via Omarketing Limited

London, UK – November 2009 – A survey by global business accelerator Launchpad Europe today revealed that security is the biggest reason why many organisations (49.5% of those surveyed) are not using or planning to use any cloud technologies within the next 12 months. Of the respondents who said their organisations were not planning to use cloud technologies within the next 12 months, 50% cited "security concerns" as the primary reason why. "Budgetary restraints" was the second-biggest reason for avoiding the cloud, with 21.4% of respondents claiming tight budgets precluded them from migrating to cloud-based services. Less than five percent claimed there was a lack of available cloud technology to meet their particular needs.

The Launchpad Europe IT Security Index 2009 covered the year's most pressing IT security issues, including data leakage, cloud security and the role of the trusted IT advisor. Respondents included 105 IT security experts from a range of industries worldwide.

The results suggest that security eclipses most other criteria when organizations are considering cloud services vendors. Respondents' top priority when considering cloud vendors was "security of the cloud infrastructure," with the top vote of 37.9%. Cloud infrastructure security was considered more important than due diligence and track record of the service provider (18.4%); security procedures in place to protect data center (12.6%); ease of exporting data from one vendor's service to a new service (including any hidden export fees) (11.7%); and legal terms when it came to ownership of data (6.8%).

"While cloud computing remains high on the corporate agenda, organisations' concerns about cloud security will not go away overnight," said Mike Burkitt, technical director of Launchpad Europe. "Before businesses will feel comfortable transitioning to cloud-based services, they first need to be convinced that the business benefits of the cloud outweigh the security risks - and that goes for both service providers and the cloud infrastructure itself."

"For organisations with in-house technical capabilities and a good financial situation, the answer to their security fears may lie in the private cloud," said Launchpad's Burkitt. "Developing your own cloud-based system gives you choice, power and flexibility. Many companies, including IBM, Novell, Unisys and others, have already begun reaping the financial, business and security benefits of tailoring their own private cloud environments."

Full results of the Launchpad Europe IT Security Index 2009 will be published in December.

The Launchpad Europe IT Security Index 2009 is intended to help understand how IT security professionals and their organizations approach and view current IT security challenges and opportunities.

There are four sections in the survey: security in the cloud, data leakage, managed services, and IT in the recession and the role of the trusted adviser.

The breakdown of respondents per geographic region was as follows:

UK - 29.9%

Mainland Europe - 12.6%

North America - 39.1%

South America - 1.1%

Middle East - 5.7%

Far East - 4.6%

Australasia – 6.9%

Full results of the research gathered in September, October and November 2009 will be published in December on the Launchpad Europe IT Security practice blog at: http://countdown2infosecurity.com/

Launchpad Europe is a global reaching company specialising in providing internationally focused organisations with a presence throughout Europe and beyond. Our service ranges from individual sales representation to building an entire, fully functional business entity.

Launchpad provides and supports the full range of:

● sales and marketing activities

● direct and indirect third party channel representation

● distribution

● technical backup and support services

● legal and financial advice

● HR functionality

However, and I assume that the survey, which will have been working with tick boxes, may not have covered aspects other than security, another reason for the lack of uptake of the “cloud” is the fact that many services have a clause in the EULA which lays claim to copyright of all materials stored with them online.

Now, as far as I am concerned, the copyright of material that I write and produce is mine and I am hardly going to share it with whichever online service provider and the same feelings, I am sure, are also shared by businesses that are concerned as to the “cloud”.

If I were a company I would not want to use the “cloud” for storage when the provider might be able, legally even, because I have signed the EULA (maybe, as many people do without reading all the small print) with the clause that they, due to me using their service, have a claim to a shared copyright of all of my materials, and the right, to use the material or the contents as and how and where they see fit for their own purposes. Methinks not.

This concern may outrank even the concerns about security of the cloud itself.

© 2009

<>

With UK Climate Research Unit hacked, experts say it is a great reason for secure collaborative working

61 million reasons for secure collaborative working as major UK Climate Research Unit is hacked

by Michael Smith (Veshengro)

21st November 2009 - Reports are coming in that one of the UK's major Climate Research Unit (CRU) computer systems has been hacked and, says Cyber-Ark, the secure collaborative data sharing specialist, this is a classic case study for the reason why secure collaborative working systems exist.

"Details on this breaking story are still sketchy, but from what we know, around 61 megabytes of sensitive data were downloaded from the University of East Anglia's CRU servers and published on an anonymous FTP server in Russia," said Mark Fullbrook, Cyber-Ark's UK and Ireland director.

"It appears that the data stolen includes more than 1,000 emails and 70-odd documents that are highly contentious as regards the issue of global warming - something that various groups have alleged the governments of the world have kept a lid on for years," he added.

According to Fullbrook, it remains to be seen how explosive the data that has been stolen is, but unconfirmed reports suggest that the information is potentially embarrassing to several of the leading academics in the field of climate research in the UK and US.

What's interesting about the story, Fullbrook went on to say, is that the FTP link (http://ftp.tomcity.ru/incoming/free/FOI2009.zip) is on a Russian server that the data thief has chosen carefully – apparently for fear that the data might be taken down, when the server owners realize the political dynamite it contains.

However, by lunchtime of Saturday, November 21, 2009 the link comes up with “Object not found” and servers such as Tiscali immediately redirect to their search page.

Regardless of what happens in the aftermath of the data breach, Fullbrook said it is a textbook case of why secure collaborative systems like Cyber-Ark's Inter-Business Vault exist. The big question, the Cyber-Ark director noted, is why the University's CRU hadn't installed some form of security on the potentially explosive data held on its servers.

And, he explained, with references to the US government's apparently negative stance on climate warming - which former vice president Al Gore has been trying to publicise for years - the data leak could cause severe ructions on Capitol Hill.

"Once the political fall-out from this data breach incident has settled, questions will undoubtedly be asked by those in charge about why better IT security systems weren't installed on the University CRU's servers," he said.

"I find it astonishing that politically sensitive data like this wasn't kept under highly encrypted protection. This data leak has the potential to add weight to the climate change cause, as well as acting as a case study on the need for secure collaborative data working," he added.

For more on the University of East Anglia CRU data leak fiasco: http://preview.tinyurl.com/yhdua5w

© 2009

<>

Security & Secrecy

by Michael Smith (Veshengro)

Two of information security's best known experts, John Colley and Howard Schmidt, said during the RSA Europe Conference in London that cloud computing could provide government with the chance to make significant improvements to protecting data.

However, Colley added that it would help if the government's information security specialist, CESG - the information assurance arm of GCHQ - got involved with the work.

It is only a few years since GCHQ's offices in Cheltenham were actually added to Ordnance Survey's maps. Prior to that they acted as if they did not exist. Much in the same way as the government kept denying for so long that MI5 and especially MI6 even existed.

But government infosecurity is now a vital part of the work of the GCHQ, with CESG certifying products and services as fit for state sector use. It now even has online maps to help you find its offices.

However, CESG remains linked to the secretive world of surveillance. Among infosecurity experts, the UK government has a decent reputation for protecting its most sensitive information, its secrets.

The problem is, though, that the British government has a terrible reputation for protecting its citizens' data, along with its surveillance state approach to harvesting it.

Having said that, however, Germany is beginning to lead the field in Europe in the data mining from its citizens and we can but hope that that is not a sign of things to come.

It would appear though as if Germany, on the other hand, seems to be better in protecting people's data and does not seem to be losing all that many CDs and USB sticks with sensitive unencrypted data on it as do British government agencies.

I mean, come on, for the lack of a £30 AES 256 hardware encrypted drive – and some of them are still cheaper nowadays – an entire intelligence network got compromised because some idiot left a flash drive on a railway station in Colombia.

When a secret agent and its agency are that stupid then what hope is there and while the country is over secret and also thinks it has to have all that information on its citizens those protected with safeguarding that information – not that they should data mine such information from the public in the first place – could not be trusted with monopoly money.

Government information security has to continue to improve if public trust in state sector data handling is ever to recover. Maybe it is time for CESG to leave Cheltenham and GCHQ, and seek a higher profile for its important work.

GCHQ has never been very good in securing its secrets either and I well remember the fiasco some years back when they sold surplus PCs – we are talking before the Internet – with the hard drives – then in the region of 40MB – yes there was a time when we thought that was more than we would ever need – not wiped and very sensitive data on them. Not much has changed, eh?

© 2009

<>

Storage Expo Evolves in 2010 into 360°IT

by Michael Smith (Veshengro)

During Storage Expo 2009 Reed Exhibitions announced that Storage Expo, in recognition of the current and future needs of its stakeholders, is evolving into a new show called 360°IT.

360°IT, which will be incorporating Storage Expo, is supposed to be a new kind of event dedicated to the IT community and professionals working to deliver next generation IT Infrastructure.

Extensive research with the Storage Expo vendors, IT professionals and end-users has shown that the time is now right for the event to evolve to meet the needs of agile organizations working collaboratively to add significant value to their stakeholders.

360°IT will address the needs of IT professionals responsible for the management and development of a flexible, secure and dynamic IT infrastructure. 360°IT – The IT Infrastructure Event takes place at Earls Court 1 on 22nd - 23rd September 2010 www.360itevent.com.

“The content of Storage Expo has expanded over the years to incorporate cloud, virtualization, information management and infrastructure,” says Natalie Booth, Event Director of Storage Expo, “and the event now needs to reflect these changes. 360°IT will facilitate vendor and end user collaboration to create the IT infrastructure necessary to achieve key business objectives - improving service, reducing cost and managing risk whilst gaining competitive advantage and growth.”

“Today’s IT infrastructures can no longer be considered in terms of technology silos, for two reasons: first, that a number of innovations like virtualisation and cloud run across infrastructure layers such as storage, server infrastructure and so on, and second that the dependencies between the layers themselves make it impossible to consider any one technology area by itself. For this reason, I welcome and strongly support Reed Exhibitions' efforts to define an event which meets the real needs of IT decision makers today,” said Jon Collins, CEO and Managing Director of Freeform Dynamics.

“In the storage market over the last few years, we have seen major vendors acquiring and collaborating with companies in the information management, ECM, IT security, business continuity, risk management and most recently, virtualisation and cloud fields,” Booth continued.

“We also recognize that the roles of IT professionals are changing and a 360° vision of the IT infrastructure and IT department is needed, combined with the ability to support the growth requirements of a business,” she said.

Reed Exhibitions presents 360°IT, an all encompassing IT event that will provide IT professionals with the opportunity to see the full spectrum of technology and education under one roof.

Offering a 360° experience, end users will be able to see, hear and experience first hand current and innovative technologies, strategies and solutions and how they interface with a business’s IT infrastructure.

360°IT will offer the entire IT department, from the Network Manager to the CIO, the opportunity to gain crucial knowledge and advice on the latest products, solutions and trends to drive a business forward.

The event will also provide IT professionals with the forum to debate, network and interact with renowned industry specialists and their peers in dedicated educational areas on the hottest topics, to suit all levels of specialism and expertise, to gain crucial, business critical information.

With high level strategic content, product demonstrations and technical workshops, 360° IT will provide an essential road map of current and emerging technologies to deliver end to end solutions.

Building on Reed Exhibitions' reputation of launching and successfully running events worldwide – Reed Exhibitions presents 360° IT – The IT Infrastructure Event.

For further information, please visit www.360itevent.com.

One can but say that it remains to be seen as to whether this really is a good move or whether it is yet another case of a show changing for change's sake or because of the fact that the interest in the show, as it stands, has waned somewhat. I guess we will have to wait and see how this new event shapes up.

On the other hand having, basically, all IT events under one roof combined into one show will save the organizers money but also, I should think, the employers of all those IT professionals that are attending such events as it is but one show.

© 2009

<>

Yahoo jobs website hack

Imperva warns on Yahoo jobs web site hack

16th November 2009 (Eskenzi PR) - Imperva, the data security specialist, has reported to Yahoo! a potential SQL injection flaw - known as a Blind SQLi problem - on the Yahoo jobs site.

"This is a flaw that could mean that the personal information of large numbers of people is compromised," Amichai Shulman, Imperva's chief technology officer said.

"Data like this can be extremely useful as far as identity thieves are concerned. This is exactly the sort of data that is traded on so-called carder forums (http://amazingforums.com/forum1/DAGAME/forum.html)," he added.

According to Shulman, although illegal data exchanges are shut down on a regular basis, the scale of the Internet means that as one closes, another opens elsewhere on the Net.

It's a very difficult situation for the law enforcement authorities, as while identity theft data can be harvested on the Internet from site hacks caused by SQL injection, the forums will act as an auction/exchange for that data, he explained. Shulman is saying that some hackers are selling the fish – that is, the stolen data itself – while others provide the fishing poles – the exploits that can be used to extract the information.

"This is why it's important to warn about potential SQL injection-hacked problems like this. If the potential problem is allowed to continue for any length of time, then the risk of a hacker attack rises as a result," he said.

"SQL injection is a major thorn in the side for the Web site hosting community. It can be tackled with careful research and high levels of security. Unfortunately, some site operators overlook this simple fact at high risk," he added.

Yahoo was contacted and has deployed a fix to resolve the problem.

For more on Imperva: http://www.imperva.com

<>

Kingston Digital Releases New Multifunctional Flash Card Reader

Media Reader Makes Digital Data Transfer Easy

London, UK - October 2009 - Kingston Digital, Inc., the Flash memory affiliate of Kingston Technology Company, Inc., the independent world leader in memory products, today announced the release of the Kingston MobileLiteG2 card reader. The Kingston MobileLiteG2 is the second generation of the popular MobileLite Flash card reader, which allows easy data transfer between Flash memory cards and PC or Mac. Supported card formats include SD, SDHC, microSD, microSDHC, *Memory Stick® PRO Duo™, *Memory Stick® PRO-HG Duo™ and *Memory Stick® Micro™ (*M2).

“The Kingston MobileLiteG2 is a small, portable reader that makes managing content quick and convenient between a device like a mobile phone, digital camera or MP3 player, and a host device with a USB connection such as a PC,” said Kirsty Miller, Product Marketing Manager – Consumer, Kingston Technology Europe. “For consumers and business users, the compact size and simple plug-and-play ability makes it an essential part of one’s mobile gear.”

The Kingston MobileLiteG2 has retractable covers on each side to protect the USB connector and the Flash memory cards from damage. It ships with a lanyard and short USB extension cable to make it easier to use with harder-to-reach USB slots. When in use, the MobileLiteG2 appears as two drive letters (e.g. E:\, F:\). Data transfer between cards or host device is as simple as drag and drop.

The Kingston MobileLiteG2 ships as a stand-alone reader and is also available as a bundle with a 4GB or 8GB Class 4 SDHC card. The Kingston MobileLiteG2 is backed by a two-year warranty while Kingston® cards carry a lifetime warranty. For more information, visit www.kingston.com/europe

MobileLiteG2 Features and Specifications:

  • Compliant: with the USB 2.0 specification, SD 2.00, SDHC 4.1 standard, new *MS PRO-HG Duo™ standard

  • Versatile: multi-functional USB card reader supports SD/SDHC, microSD/SDHC, *MSPD™, *MS PRO-HG Duo™ and *M2

  • Portable: easily fits into your pocket

  • Easy: plug and play into any USB 2.0 or 1.1 port

  • Dimensions: 2.45" x 1.16" x 0.646" (62.15mm x 29.40mm x 16.40mm)

  • Weight: 18.90g

  • Operating Temperature: -40°F to 140°F (-40°C to 60°C)

  • Storage Temperature: -4°F to 158°F (-20°C to 70°C)

  • Guaranteed: two-year warranty

* MSPD (Memory Stick® Pro Duo™), M2, MS PRO-HG Duo™ and Memory Stick® Micro™ are trademarks and/or registered trademarks of Sony Corporation. Kingston is not affiliated with Sony Corporation. Other names and brands may be claimed as the property of others.

Compatibility Table

Kingston MobileLiteG2

Part Number | Capacity and Features | MSRP
FCR-MLG2 | MobileLiteG2 Flash Card Reader | £4.54
FCR-MLG2+SD4/4GB | MobileLiteG2 + 4GB Class 4 SDHC | £11.76
FCR-MLG2+SD4/8GB | MobileLiteG2 + 8GB Class 4 SDHC | £18.78

Check out Kingston’s new consumer website full of news, competitions and tips & tricks: www.rememberkingston.com

About Kingston Digital, Inc.

Kingston Digital, Inc. (“KDI”) is the Flash memory affiliate of Kingston Technology Company, Inc., the world’s largest independent manufacturer of memory products. Established in 2008, KDI is headquartered in Fountain Valley, California, USA.

SSD vs HDD

The future of storage?

by Michael Smith (Veshengro)

This is indeed the question. From many points and aspects SSD, that is to say solid state drives, do look to be the way forward as this is also a more environmentally friendly way and can reduce the carbon and environmental footprint but...

...and here it comes...

(1) SSD compared to the old HDD technology is much more expensive though this may – or may not – be balanced out by the reduction in running costs in the long run.

(2) Safety and reliability of SSDs and their chip technology are still something that I, for one, am much concerned about. Having managed to crash more than one SSD USB device by now I personally still am somewhat dubious about SSDs in the long term reliability context for storage in the long run.

Claims are made by makers as to guarantees of a minimum of ten years but that may be OK if you do not write and rewrite and such to the drive but just use it for writing data to it once and then just leaving it sitting there.

Having used USB drives, which too are SSD chips, as basically external hard drives and crashing them while working on them as HDDs has me still concerned as to their reliability.

For that same reason, I guess, I am a hoarder of USB thumb drives.

I am though quite prepared to have someone prove to me a greater reliability of SSDs.

Having said before as well SSDs are also still rather expensive as regards to bucks per byte, or megabyte in this case, and chip prices too seem to be on the up in the late autumn of 2009 that I am not seeing the prices of good SSDs coming down soon.

The main advantage of the SSD over the conventional mechanical magnetic hard drive is the fact that the former requires far less energy to run it and as there are no moving parts SSDs are better for the rugged environment where knocks, dust, etc., could adversely affect the conventional HDDs and cause them to have permanent failure.

The SSDs that I crashed were also permanent failures and no data could be retrieved from them nor could they be reformatted and so far no one has been able to give me explanations as to why and how this happened and the possible cause of it. All I can think of is that the drives, the chips, must have been inferior ones. My caution, however, does remain.

© 2009

<>

AES256 secure USB disk U256 from Netac/Weast – Product Review

Review by Michael Smith (Veshengro)

The new AES256 Encryption USB disk U256 from Netac/Weast is claimed by the makers to be the securest removable data storage solution on the market.

Netac/Weast say that this device has already attracted attention from MOD, Met Police, down to ordinary customers who might be only concerned with their sensitive photos and personal files. They were, apparently, genuinely impressed by the most powerful feature of destroying the data after password error time expired.

The specs and main features of U256 disk according to the manufacturers are as follows:

  • AES256 bit encryption built-in, which means that the data inside is protected by world's highest security standard AES256 bit encryption with the only access by user's pre-set password.
  • The error times of password can be pre-set from 1 to 255 times, after which the data inside will be automatically destroyed without any trace.
  • The disk idle time protection can be pre-set from 0 to 120 minutes, after which the disk will be password locked.
  • The U256 disk has 2 zones, one secure and the other non-secure, with their capacities totally self-definable, or just merge into one single secure zone.
  • The U256 disk can encrypt and decrypt any files in your computer, with AES256 bit encryption technology.
  • The U256 disk can completely shred any files in the disk, which can not be recovered by any means.
  • The U256 disk's security function is supported in both admin and non-admin mode.
  • The device is encased in a slim, stylish and solid metal case, works at USB2.0 high speed with up to 30Mb/s (read) and 20Mb/s (write) and supports USB, ZIP and USB HDD BIOS booting.
  • On the case there is a write-protection switch and LED light indication.
  • It is fitted with a patented Ultra-stable (U-SAFE) technology by Netac to prevent data transfer corruption.

Right, so much for the information from the makers.

The device is very much like the Kingston Data Traveler Vault in that it has 2 drives, one non-secure and one secure and, in the same way, as with the DT Vault the encryption engine needs to be launched by the user.

While I have, so far, not encountered any problems in using the device, the initial set up was problematic as the instructions provided by Netac, the manufacturers, were more than confusing.

Once I realized – due to the fact of being an experienced IT user – that, for instance there was no need to format the drive, as talked about in the instructions, things were OK until the launch of the encryption engine. This took and still takes well over 60 seconds for the interface to open that prompts for the password.

Opening the device then to set my own password also was far from easy for nowhere in the instructions is that mentioned, e.g. the factory pre-set password which, in fact, is blank. The user just clicks on enter and the drive then opens. It is then ready to have one's own password set.

Now that that has been achieved, however, the U256 (sounds a little like a German U-Boat, I know) drive works well, considering though that it takes over a minute to bring up the password prompt interface in order for the secure drive then, after entering the password, to open in about 10 to 15 seconds.

The latter time is fine and more than acceptable, I should think, but, as far as I am concerned, the time for the launching of the password interface in order to be able to open the secure drive is way too long a delay.

On the other hand, the price that I was quoted by the representative of the company at Storage Expo 2009, where I received the review sample, for the 2GB version of 15 Pounds Sterling is in that bracket that one could be happy enough, I guess, to accept that delay that I mentioned above.

If the price is correct then this is a dual-drive that comes at a very reasonable price and the one or other hiccup could be overlooked. The instruction manual, on the other hand, needs serious re-translating as a few things – and I am rather gentle here in what I am saying – have been completely wrongly interpreted and some is outright Chinglish.

It is said that the drive also, aside from Windows 98/98SE/2000/XP/Vista & Windows 7, works on Mac OS 9x/X and Linux 2.4x kernel. However, the AES256 encryption does only work with the Windows operating systems.

Maybe one day we will actually get an AES256 secured device that will work on Linux seeing that many governments and agencies are migrating to Linux OS. We can but wish and hope, I guess.

© 2009

<>

Win7 vulnerability to viruses highlights modern code auditing problems

November 2009 (Eskenzi PR) - A blog report from Sophos that Windows 7, the newly-released Microsoft operating system, is vulnerable to 80 per cent of viruses comes as no surprise, says Fortify, the application vulnerability specialist.

"Chester Wisniewski's observations that, on a clean machine, Win7 became infected with eight out of the ten viruses tested sounds bad, but, in our opinion, this is indicative of the sheer volume of code that goes into operating systems today," said Richard Kirk, Fortify's European director.

"When you factor in the issue that there are often more than a million lines of code in a typical Windows application, you begin to understand the scale of the problem for software developers," he added.

According to Kirk, the only piece of good news to come out of the Win7 vulnerability reports is that two of the eight pieces of malware loaded in the tests did not run correctly under the new operating system.

And, he went on to say, since there are a range of free-to-use anti-malware applications - as well as a plethora of low-cost pay-for IT security suites available - the problem is not a major one for most Win7 users.

When you realise that most new machines come bundled with some form of IT security software, it's not such a big deal, Mr Kirk explained.

"The volume of code-auditing and checking that is required for a modern operating system and its applications software is a big deal, however, and one that companies using customised or in-house-developed applications should be aware of," he said.

"This is one of the reasons our company was founded and, as our growing base of clients have discovered, addressing security issues throughout the software development process can save a lot of grief further down the line," he added.

For more on the Win7 virus vulnerabilities: http://preview.tinyurl.com/yzxvzd3

For more on Fortify: http://www.fortify.com

<>