Tuesday, March 22, 2011

RSA hack demonstrates need for proactive security and multi-layer protection

The recent news that RSA Security suffered a security attack and breach that resulted in the theft of sensitive and confidential Intellectual Property relating to SecurID should be a cause of concern for many.

The good thing is that RSA Security had aggressive security measures in place that detected the attack and allowed it to take proactive steps to limit the scope of the attack and to quickly identify what had been accessed and stolen.

The downside is that the source code to the technology behind a good proportion of multi-factor authentication solutions is now most likely available for inspection to aid the creation of cracks or subversions. We can only hope that the information was limited in scope, and that RSA has been thorough in developing the code in a Secure Development Lifecycle approach that will limit the attack surface and potential vulnerabilities.

The event once again raises the issue of how to tackle security, and in particular the protection of the core information assets of a company. We've written on this in the past, particularly on the need to protect data across the company, and not just on devices such as laptops, tablets or smart phones. There is a prevailing mindset that because servers are located within a secure environment such as an access-controlled data centre, the data on them is also secure and access can be controlled by security policy such as Access Control Lists.

The reality is that this only works for employees, and particularly those employees who follow policy. Protecting data on servers needs more than this, and encrypting the data is a proven method for doing this. If crackers do gain access to the bits and bytes, making sense of them is rather more difficult. Coming back to the RSA attack, it is somewhat ironic that a company that started out as the leader in encryption has itself fallen foul of this: the stolen data can potentially be exploited because it was unencrypted.
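The point about encrypting data at rest, as an added example that is not part of the original post: the stored blob is sealed with AES-256-GCM under a key that lives elsewhere (the example assumes a hypothetical key source such as a key-management service; here `newKey` just draws random bytes), so someone who copies the file off the server gets no recognisable fields, and a modified or wrongly-keyed blob is rejected outright rather than decrypting to garbage. The record contents are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record standing in for a file on a "secure" server.
var sampleRecord = []byte("project=alpha;owner=engineering;body=internal design notes")

// newKey returns a fresh 32-byte AES-256 key. In a real deployment the key
// would come from a key-management service or HSM (assumed here), never from
// the same disk as the data it protects.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// encryptAtRest seals plaintext with AES-256-GCM. The random nonce is
// prepended to the ciphertext so a single blob can be written to storage.
func encryptAtRest(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptAtRest reverses encryptAtRest. GCM's authentication tag means a
// wrong key or a modified blob fails verification instead of yielding junk.
func decryptAtRest(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob too short to contain a nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// leaksPlaintext reports whether any field of the sample record appears
// verbatim in the stored bytes, i.e. what someone who simply copies the
// file off the server can read without the key.
func leaksPlaintext(stored []byte) bool {
	for _, field := range bytes.Split(sampleRecord, []byte(";")) {
		if bytes.Contains(stored, field) {
			return true
		}
	}
	return false
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	blob, err := encryptAtRest(key, sampleRecord)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext copy leaks fields: %v\n", leaksPlaintext(sampleRecord))
	fmt.Printf("encrypted blob leaks fields:  %v\n", leaksPlaintext(blob))

	// Flip one ciphertext byte: decryption must be refused, not return corrupted data.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = decryptAtRest(key, tampered)
	fmt.Printf("tampered blob rejected:       %v\n", err != nil)
}
```

The design choice worth noting is that the key is never stored beside the data: an ACL controls who may open the file, but the key controls who can make sense of it, which is exactly the gap the paragraph above describes.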

Friday, March 18, 2011

Getting to grips with software licencing

Building a solid platform for licence management

Andrew Buss, Service Director, Freeform Dynamics

We are told time and again that software licencing and management is a major headache. The situation remains a problem, and far from improving it is often getting progressively more difficult to manage. IT is becoming more embedded within the business, with more use of IT for business processes and communications.

Things are changing more quickly too. Virtualisation is now well established and accepted and there is a small but growing movement to dynamic IT infrastructure such as resource pooling or internal private cloud.

On the client side, desktop and application virtualisation are adding another layer of complexity. This is all putting pressure on companies to comply with licencing terms, but contrary to many other areas of IT management this area for many remains a ‘black art’.

When it comes to licencing, there are three main areas to consider. The first is the basis on which licencing takes place, whether it is by server, socket, core on the physical side, or per seat, concurrent or subscription on the user side, never mind any limits to enterprise or site licenses. This would also take into account things like support and maintenance.

The second aspect is the terms and conditions that govern the use of the software. This affects aspects such as the term of usage, resale potential, the flexibility of deployment for allocation or reallocation, and the ability to ramp up or down as demands dictate. It can also determine how independently different software licences ‘pools’ can be negotiated, whether as a single block or as independent groups.

The third, and the focus of the discussion in this article, deals with the real foundation of licence practice: management. This covers what has been purchased, what is actually in use or duplicated, what comes under support, how everything is audited or verified and whether licencing meets the requirements of the business.

It would seem obvious that in this day and age something as fundamental as the building blocks of IT infrastructure would be moving towards commoditisation. This has been steadily happening in terms of industry-standard servers and to some degree also the networking. But when it comes to software, problems abound.

Software procurement may seem less about buying and managing IT and more about qualifying as a lawyer. Things are made even more complex because every vendor seems to have a different take on how to do things. The end result is that licencing for end-to-end service delivery that takes in operating systems, databases, middleware and applications is a massive challenge and far more difficult than it needs to, or should, be.

Given the complex constraints that many IT buyers and managers work to, it is little wonder that licence management is frequently cited as a major issue. This is not helped by the fact that in a recent survey we ran, IT asset management and software licence management tools were cited as the tools that IT managers were most unhappy with. When it comes to licence management, there is a lot of manual work going on trying to keep on top of things with very little formal policy. With IT operations staff often overstretched, having up to date records is difficult to achieve and things fall through the cracks.

The end result is that many companies take a conservative approach to licencing in order to achieve compliance with licencing terms. Rather than buying from a position of strength with solid information on actual usage, they instead compensate for uncertainty by buying more licences than necessary to cover all possible use cases rather than what is needed. Gaps in knowledge also mean that shelfware (software no longer in active use) keeps being renewed and support costs remain higher than necessary. Others may just run what is needed and wait for an assessment to bring things into line, potentially putting themselves at risk of fines or damages for non-compliance.

So what can be done to improve the situation? Given the costs of licencing overall, simplifying and rationalising the approach can pay big rewards. Getting started is often the hardest thing when there is little structure in place. The potential rewards are high, so it is a good strategy to dedicate some resource to it.

The best path for many will be to try out or purchase discovery tools to get a feel for the licencing situation, and then choose the best plan of action. This may involve further investment in training and tools.

It may even lead to bringing in some of the increasing number of licencing specialists to do an audit. They can help to establish a baseline and advise on ways to manage, optimise and negotiate licences. Longer term, if the benefits are good enough, it may justify dedicating resource to optimising licencing and putting in place a management infrastructure, keeping in mind the difficulties associated with the current generation of tools.

In its own way, the difficulty of managing software licencing is a wake-up call for the industry at large: for how much longer can this ‘last-century’ approach to licencing persist? Vendors are making it much harder than necessary for companies to buy and implement software. Predictability, commonality and transparency are needed to build a management practice that works reasonably practically. In most cases it could be argued that all of this is lacking. For all those vendors talking about the journey to the cloud, it’s time to put your money where your mouth is.

Originally published on Computer Weekly

Tuesday, March 15, 2011

Desktop virtualisation: Myths jar with realities

Vendors have been pushing desktop virtualisation hard over the course of the past year. So to give IT professionals a better picture of what’s really going on in this field, Freeform Dynamics recently published a report looking at the overall state of desktop virtualisation adoption and how far expectations measure up to the experiences of those who have already undertaken projects.

Over recent months, each of the major approaches to desktop virtualisation has continued to mature, especially in terms of reliability and usability. The same cannot be said for the overall level of understanding among organisations of the options available and their suitability for deployment to support various user requirements.

Desktop virtualisation is not a point solution or indeed a single architectural approach. That fact has not been well communicated by vendors and their channel partners to the IT community. It is fair to say that organisations have a poor grasp of the possible approaches and their suitability.

But while the overall levels of understanding remain low, it is interesting that the views of IT managers with practical experience of the technology are strikingly different in some important areas from those who have yet to deploy any virtualised desktops to end users.

Overestimating associated challenges

The research highlights that in the absence of practical experience, IT professionals tend to underestimate the relevance and value of desktop virtualisation while often overestimating the associated challenges.

In particular, those who have never deployed systems are more likely to discount it as an option for demanding users, even though experienced adopters have often made use of desktop virtualisation in those same scenarios. This finding complements another that suggests organisations yet to undertake projects consistently find it more challenging to make acceptable business cases than those who have already begun to use the technology.

Obstacles to desktop virtualisation

That finding may sound obvious, but a deeper look shows that among the inexperienced, the perception is that desktop virtualisation involves significant investment in upfront infrastructure systems, especially servers, storage and networking. The perception is also that the deliverable benefits may be difficult to value in monetary terms. Together, these obstacles can make it difficult to move forward at all with any degree of confidence.

Conversely, organisations that have started to deploy desktop virtualisation have faced these challenges head on, many by seeking to extend the debate. Factors to consider include the impact of enabling modern working practices, such as hotdesking, efficient home and remote working, perhaps coupled with the ability to provide secure access to corporate systems for mobile users.

These factors can have a significant monetary impact when translated into direct savings on real estate and travel, as well as an increased contribution through the associated boosting of end-user productivity. Because these benefits typically surface over extended periods, they can pose challenges when capital budgets are tight.

With so many options available, organisations considering desktop virtualisation, perhaps as part of projects to roll out new desktop and laptop hardware along with Windows 7, have considerable upfront work to undertake beyond that normally associated with desktop refresh projects.

Varying requirements for desktop service

Chief among this work is establishing which types of user exist in the business and how their requirements for desktop service vary. This requirement in turn necessitates having an accurate knowledge of their use of applications and business services, as well as an in-depth understanding of how and where users work and need to access systems.

Only with this core information can managers identify appropriate desktop virtualisation approaches for each class of user. Attempts to roll out inappropriate systems to any group of users could well endanger, or at least significantly delay, the widespread adoption of desktop virtualisation.

Bad news travels fast and discussion of poor initial experiences will spread like wildfire, making further rollouts problematic.

Desktop virtualisation holds great promise, but it adds complexity to the ongoing management of systems and makes it more challenging to ensure that each user group gets appropriate systems. Effort expended here will pay dividends in the short and long terms for the whole business.