The Writing is on ‘The Wall’

April 26, 2013 Leave a comment


As I wrote back in 2011 ‘A fickle prospect – Business dependent on the Social Flocking collective’ and then again in July 2012 ‘Facebook and the ‘The Emperor’s New Clothes’  it looks like Facebook is nothing unique and is reproducing a user analysis declining trend of past failed social media sites.

The article in the Business Insider Why Mobile-First Teens Are A Big Threat To Facebook’ highlights the weakness of the Facebook business model and this in turn points to the complete lack of ANY structured alternative on the Facebook strategic roadmap. This is not however the first time this decline has been reported, New drop in number of UK users’ user fickle attitudes go back to this report in June 2011.

As I have stated before with its hyped IPO Facebook achieved a valuation that allows it to effectively buy a business model. The recent Facebook Home on Android attempt at re-inventing itself as a Mobile device ‘Skin’ seems to have flopped Facebook Home flops, gets terrible reviews’ so where will they throw their next wad of shareholder cash?

However the latest reports do have greater substance, and the failing of the Facebook Home initiative supports this. The analysis reflects maturing use patterns on the internet and the simple nature that Information and collaborative resources are becoming very fragmented in the nature of how users consume them. No single resource satisfies, with the resource platforms recognising this and the need to interact through cross-posting and ‘mash-ups’. This is after all the strength of Cloud Computing and the new Application Programming Interface (API) orientated service environment that is being built out. All of which waters down the traction any single site or vendor is able to have on their audience, placing greater emphasis on DEPTH versus BREADTH of service delivery capability. It is the vendors demonstrating greater domain expertise in DEPTH that are the ones that will retain their niche user base, and those vendors that provide flexible well documented and user friendly API’s to allow third parties to integrate their unique offering instead of trying to compete.

If Facebook had any imagination, instead of copying other ideas and or closing its environment to cross-posting by trying to be all things to all users, it should open up to the new API world. BUT this is where its poor privacy record and attitude to data makes it a dinosaur, and one that will constrain how any API data sharing will benefit the platform. So until Facebook matures its data usage, retention and privacy attitude it is likely to continue to miss out on the next wave of Internet innovation.

That having been said for better or worse the Internet has not heard the last of this Data Privacy predator.

Filed under Cloud Computing, Computers and Internet, Legal, Privacy, Security

Security 365 – Toilet Paper & Tea bags!

April 19, 2013 1 Comment


OK the title got you this far, so what has Toilet Paper and Tea bags got to do with Security? There is a genuine point to it, please read on …..

Following a recent Cloud Computing event I found myself increasingly alarmed by the prevalence of red herrings being thrown around by vendors with respect to how their solutions and or products solved Cloud security issues when in fact they did little more than try to address them individually at best.

The reality is that DATA must be exposed to the software we use to orchestrate it, be that photo’s in Photoshop, a Document in Microsoft Office Word or a record in a database or a record spread across multiple databases. That is where the issue lies in the exposure of Data. The challenge is how we protect that which is of true value. No longer the network boundary, but protecting the DATA, wherever it goes, however it is being accessed, regardless of its form factor. Not how a software solution can provide a secure environment in which to process data, albeit an important factor, it is not a solution in itself.

Bring on the day when data in its raw form is encrypted and the owner can manage that encryption with convenience and ease whilst ensuring complete control over whom they elect to share any part of that data set with. Imagine being able to share data and attach an expiry date, or revoke data usage at will (regulatory retention aside) instead of having to go through lengthy protracted third party information disclosure requests, which even then are often questionable in their accuracy.

What is appealing about this concept is the reality that it places the control of data back into the hands of the individual. The individual or corporation can then dictate whom, when and for how long they share their data. It opens up possibilities like levying a micro payment charge in cases where that data sharing has a commercial value transfer to any benefiting third party. Assuming a trusted platform that can orchestrate this according to a set of user defined sharing rules (policies), such micro payments would soon add up to reasonable sums of money when considering the current spread of personal data. Sadly we are currently a long way from that Holy Grail. It would certainly sober up the Internet Corporatocracy (Facebook, Twitter, Google and their ilk) of this world who have been building personal value by gorging themselves dining at the Internet table of free data. Their addiction to the concept of free data will I suspect see little support from that quarter for such a solution.

Data security software solutions and products largely address a single issue and do not materially protect the critical payload in transit, rest and during its consumption. The payload being none other than data and the information that is ‘data’.

Erosion of privacy through data seepage into the public domain out with owner’s control or intent is an issue of paramount importance and at a corporate and enterprise scale the exposure and risk grows exponentially. On a private individual level that is often of singular concern, attitudes towards privacy of data influenced largely through the Social Media behavioural contagion, massaged by the Internet’s Corporatocracy, who work hard at breaking down the principles of privacy for self-interest. At some point the Social Media lemmings of the world will wake up to find themselves victims of ‘The Emperor’s New Clothes’, loss of privacy and control of one’s personal data is a sorrowful state of affairs many will have to come to terms with. Reminds me of the immortal words ‘For fools rush in where angels fear to tread’ from the poem ‘An essay on criticism’ by Alexander Pope, or for the more contemporary and more poignantly named song ‘Jokerman’ by Bob Dylan.

I digress, Social Media aside, the simple acts of transmitting and collaborating on information present the largest risk surface area(s) for data compromise. Surfaces that are being built out faster than ever before with the boom in personal / portable compute devices (PCD’s) be that a smartphone, tablet, laptop or the next gadget that gets christened off a keyboard with a stuck ‘i’ key!

For every collaborative event requires a transmission of data, and such events are infrequently constrained within Local Area Network (LAN) but at some point transit a public fixed or wireless network (Internet) exposing or depositing data en-route as well as compute devices out with any structured realm of control. Increasingly the securing of the communication conduit is addressed using HTTPS (Hypertext Transfer Protocol Secure), an encrypted transmission that secures data in transit. But that is only part of the exchange process, and one that has had its security reliability tested and questioned, with early iterations of its underlying protocol having been hacked, ref; Infoworld Article ‘HTTPS has been hacked’. So far we have secured the trickiest part of the information exchange to compromise, the transmission, leaving the easiest, the PC and or Server, available and ready to be compromise. An email attachment click away and data on any unsuspecting PCD regularly falls victim to malware.

This gives a false impression of security, rarely are the end points to a data exchange, the PC, Servers or PCD’s similarly encrypted. But it is not JUST end points is it. Every device en-route between exchanging parties holds the data be it for milliseconds or in some cases longer. A veritable pass the parcel where, Data is cached and stored in a myriad of places, where the parcel is little more than a colander raining data and the information life blood of companies and individuals into the public domain.

A recent study released by Team Cymru reveals that hackers misappropriate more than 1TB of data daily from corporate networks alone. If they can do that from corporate systems what hope is there for the Silver Surfers (60+ generation), one of the fastest growing use bases on the internet today. This is not an isolated issue either. With a global population of Zombie computers in the millions the bad guys capacity to leverage compute power with malicious intent outnumbers the good guys. Moving briefly off theme a bit, the escalation of this power was clearly demonstrated recently with the 300GB Distributed Denial of Service (DoS) attack on Spamhaus ‘When spammers go to war: Behind the Spamhaus DDoS’. This was a x6 increase on the previously largest recorded DoS attack of 50GB. At this scale of escalation attacks are having a collateral impact affect beyond the targeted systems. Subject for a future article I would hazard.

Back on theme, we have all heard of ‘Data Security’, but as a term its use is more often not a full truth. As with the data in transit example above, data security is subjective when it needs to be objective. The security that vendors address today is addressing an environmental state that the data is not persisting in, or not persistent in for long. Securing the protocol’s that we communicate data through, or the servers, datacentres, PCD’s that we store data on or the software applications with which we orchestrate our data, is not true ‘DATA’ security. Access to any of these environments, whether authorised or not, means data can readily be harvested, and believe me it is and most of you will not even know it is happening off your own computers.

I feel like shouting in frustration sometimes – it’s in the name ‘DATA’ security, so secure the DATA itself, as I have blogged before ‘Data Security – It’s in the Name!‘ OK good that you secure the other servers, datacentres, PCD’s or software application assets but what about the DATA! I am not proposing we stop securing servers, datacentres, PCD’s and software application, but their security is addressing THEIR security profile and the DATA security is largely by association only. As we currently deal with security at the server, datacentre, PCD and software application level we create security silo’s that require gatekeeping. Thus the cracks start to appear and data fall’s through or the hacker sneaks in, every other which way the data is exposed to higher risk and the prospect if not likelihood of compromise.

Now throw into the mix the structural nature of Cloud Computing architectures and its fastest growing method of interfacing systems with the use of Web/Cloud services. A Web or Cloud service being little more than a traditional API (Application Programming Interface) exposed to a public network. Designed to link disparate systems to deliver richer and often more real time functionality at scale and with collaborative resources unattainable until now to single organisations. Web/Cloud Services live for data exchange and data retention follows hard on the heals of those exchanges between API exposed entities. API’s = more joins and cracks, not to mention interactions to be audited and jurisdictions that will be challenging to reach into to audit and truly validate Service Level and or compliance. This is no scare tactic, I work with programmers every day, and these are some of the smartest guys around, but they are human, and ‘humanum est errare’ (it is human to err).

With an Industry average of “about 15 – 50 errors per 1,000 lines of delivered code” Quote Steve McDonnell from his book ‘Code Complete’ (2nd Edition. Redmond, Microsoft Press, 2004. 960 pages. ISBN), there is an inevitable high risk in API’s, they are just code after all. Yes errors can be ironed out, but the effort is often not commercially viable. For example only after using extensive format development methods, peer reviews, and statistical testing did the space-shuttle project achieved a level of 0 defects in a random sample of 500,000 lines of code. The ‘Cleanroom Development’ technique pioneered by Harlan Miles achieves consistent rates as low as 3 errors per 1,000 lines of code (Cobb and Mills 1990), so there are no easy options. All said and done commercial realities turn this into a real concern, the cost of this diligence means API’s will not all be tested to such robustly high quality levels as the space shuttle which means there are errors, and where there are errors there will be means to an end for hackers:

But what if the data itself was of no use once the hackers got hold of it? Do you think they would bother spending long ours gaining access to it if they found it worthless?

What I am getting at is the act of encrypting the DATA itself, the raw data packets, only then are we starting to address the nub of the issue – making the data secure. Encryption (to encipher) and Cryptography (hidden, secret) is a powerful resource. I like the core message in these terms because they point to the essence of what we must achieve with our data to make it truly secure to turn it into something of ‘no value or importance to anyone else’ = cipher to encipher / encrypt our data. Whilst that may sound simple I and the rest of the security community are under no pretence of the challenge this would represent to manage.

Encryption is no small undertaking, by its nature it is very unforgiving to the forgetful or unstructured amongst us which is why all but the very large Enterprises can afford data encryption systems. It is no wonder Enterprise Digital Rights Management (E-DRM) has become a familiar term transposed onto the more generic Information Rights Management (IRM). At a private level it is almost non-existent, for even if you understand the principles of Public Key Infrastructure (PKI) and can wield the tools of Pretty Good Privacy (PGP) to manage you data in an encrypted way you will find yourself limited in terms of who you can interact with as this is far from user-friendly or mainstream.

Do not be misled, poor adoption of PKI, PGP and their ilk are not an early adopter issue, it is a fundamental structure issue. These mechanism are complex to get to work optimally, and in a sub-optimum deployment they are compromised so its worth is questionable and in a corporate world ‘it works some of the time’ does not win much in budget debates. At an individual level it is simply the complexity of management and exchange of encryption keys and their associated Certificates validating key ownership that renders it unusable.

The best we have at present for securing our data files is through forms of IRM / E-DRM, but this has until recently been out of reach of not just the Small and Medium Size Business (SMB / SME’s) but even large Corporates. OK there are proprietary application level encryption and password locking features, but they lack the truly ‘in-line’ capacity as a real time solution and after all the internet is full of solutions that can break these within seconds just head over to the likes of:

Not all is lost though. Most of us have come up against the power of IRM in the form of Digital Rights Management (DRM) with online music purchase, finding that if we try to share a music file bought through one of the online stores we cannot. Why? Because the data is secured and has been locked for use to a single user account. Reflect, the data itself is secured this is the DATA protected, OK the software you use to play the media has to know how to read the data. The data compliance with a standard supported by the software that allows the software to interpret how to authorise the user to use the data, but again I point out this is the DATA that is secured, secured by encryption that refers a user (be it individual or software) to comply with a policy set by the data owner.

Welcome to the future of corporate and personal data, where software (any software) conforms to a standard whereby data is encrypted and software has to comply with that standard to use that data. Just as your Windows Media Player or iTunes software does today through their respective online stores which act as a validation and authorisation proxy for the music industry who are the ultimate rights owners of the tunes you play. In such a new world of data, you could perceivably leave you data anywhere and it would be secure. Why? Because it is encrypted, available to those authorised by the data owner. In such a utopia hackers would gain little from stealing data, and Google would not be able to scan your documents and emails so readily!

IRM as stated above has been the exclusive realm of large Enterprises with the deep pockets to invest in the necessary infrastructure and process discipline mandatory to ensure such an environment works seamlessly and critically data encryption keys are not lost! Until now….

May I introduce or re-introduce you to Microsoft Office 365, Microsoft’s Software as a Service platform for business of all sizes, affordable even for individuals. Microsoft Office 365, delivers Enterprise grade email, collaboration, conferencing and productivity software amongst other benefits. It reset’s the bar in terms of empowering organisations and even individuals and most poignantly stands alone in its security capabilities with its Information Protection and Control (IPC) in the form of Windows Azure Rights Management Service:

Microsoft Office 365 forges a Grand Canyon of a chasm between it and the following herd of online Saas business productivity service vendors when it comes to its compliance credentials and security capabilities, and at a price point that is challenging for any serious functionality and data conscious business executive to not consider very, very seriously. Microsoft Office 365 scales from 1 to 50,000 user environments OUT OF THE BOX! Now NO organisation has an excuse for inappropriate document or email disclosure. It allows ANY organisation to Rights Manage their documents and emails, applying Enterprise class encryption helping to ensure they are only visible to those that have been given explicit rights. This protects organisations in the following common risk scenarios:

  • Laptop theft.
  • Portable media loss.
  • Dismissed employee data retention.
  • Inadvertent CC’ing of emails or sending to the wrong recipient
  • Email interception.
  • Internet vendor document/data scanning.
  • ….. amongst others

Not 100% full proof by any means but 100% better than about 95% of the ‘Data’ security being implemented by organisations today. Be assured that just because you believe you have not been compromised does not mean you have not. In fact I would challenge an organisation, IF you have any Intellectual Property worthy of being stolen KNOW that you are either compromised and you don’t know it or adversaries are going after it, if you don’t believe me I fear your falling foul of the old ‘Struthio camelus’ syndrome of head in the sand!

The elephant in the room then becomes how to validate the identity of those access in the data, how do you prove that you are who you are and not an impersonator or a middle man ‘borrowing’ someone access code(s). Single factor Username + Password authentication mechanism are too weak for true identity security, multi-factor authentication (something you know and something you have) is a step in the right direction but many multi-factor authentication approaches remain vulnerable, and thus the goalposts move …. that’s a subject for another day.

Conclusion
So whether you believed me at the start of this article or not here it is, for little more than the cost each year most organisations spend on toilet paper and tea bags (Ok and coffee) per employee they can enjoy Enterprise grade document and email security amongst a bucket load of other powerful features with Microsoft Office 365, no excuses.

——————–

Toilet Paper & Tea Bags Analysis

Thanks to Discovery Channel and MySupermarket.com:

  • Average usage per employee/yr = 30,000 sheets/year or 134 rolls/year (@ 150 sheets per roll).
  • Average price of 50p/roll

Total £67/year per individual on toilet rolls + Tea breaks at £300 per employee per year – Epiphany research 2012 quoted on ‘The Workplace Savings and benefits’ website.

Filed under Cloud Computing, Computers and Internet, Home Computing, Legal, Office 365 and Azure, Privacy, Security

EU Cyber Strategy – A Risk of Overkill!

February 11, 2013 Leave a comment


Last Thursday the European Commission of the European Union (EU) released their much leaked and awaited Cybersecurity plan to protect open internet and online freedom and opportunity – ‘Cyber Security strategy and Proposal for a Directive’

The challenge that faces all Nations and individuals alike is the increased impact of Cyber Thread. This is fundamentally what the European Commission is attempting to address for the whole of the European Union (EU) by encompassing an eye watering range of disciplines and jurisdictions from law enforcement, defence, the digital agenda, security, and foreign policy. On the face of it the format fits the EU objectives of greater integration and harmony, but under the surface it has all the hall marks of an exercise in herding cats. The rubber will not really hit the road till we see the action plans, and the monitoring process to qualify results, that are going to be fundamental to exercising and delivering on this ambitious strategy. This latter point being the Achilles heal of the exercise in tight economic times when the EU budget has to reflect the austerity measures of its members with NO exceptions.

Most worryingly cost of delivery is in the timescales this whole process is going to take to implement. In the meantime Cyber Crime becomes more creative maturing as fast as, if not faster, than the creative innovation engine that drives the digital landscape, itself moving at a faster and faster rate of evolution.

In summary the politicians and unelected cohorts of bureaucrats will forever be playing catch up. The fear is that in their haste they will be riding rough shod over some of our core democratic rights. As the Dutch Member of the European Parliament, Sophie in ‘t Veld was quoted saying “The lines are being blurred and we need to safeguard the fundamental rights we expect in a democracy and not cede disproportionate powers to law enforcement”.

The rolling up of all these powers does have a very dark side. One that is open to abuse. The danger here is that once in place the temptation / convenience can become too compelling for any elected governing entity to leverage, and the European Commission has inadequately addressed historical challenges to its own Trust and Credibility record across too many areas to be endowed with this level of centralised power.

This exercise the EU is going through is communicating a need for a new approach. Instead of a Big Brother flavour about it, an approach that can reflect the nature of the changing environs that are being addressed. The problem is it is easier said than done to teach an old dog new tricks, especially when we are talking about what goes on largely behind the closed doors from behind which unelected bureaucrats influence our elected politicians and launch sallies of conditions on our lives.

Actions speak louder than words and one thing the new digital economy is good at is making things happen, and happen FAST.

Estonia and their implementation of X-Road and individual digital certificate usage demonstrates where there is a will there is a way, and leveraging the technology (not having to reinvent anything) can be an effective remedy. It is encouraging to see that Thomas Hendrik Ilves, the President of Estonia, has been elected as Chairman for the European Cloud Partnership governance Steering Board. But more needs to be done faster.

As I wrote just before Christmas ‘Data Security – It’s in the Name!’ We should perhaps be taking a fresh perspective on the problem. Protecting the DATA itself and less worrying about the actual environments that data exists in (networks/cables, computers/serves/PC’s, smart devices, datacenters/offices etc). Why? It’s actually about managing the risk of the loss of DATA availability, and this is an EDUCATIONAL issue more than a regulatory and legislative requirement. Risk management is an acceptance that there will be failures, and that is REAL WORLD.

Take for example:

  1. The internet – It was designed to withstand nuclear impact! It is largely self-healing and can route around network failures or even whole geographical regional blackouts. If so much of the Internet goes down that it ceases to function then no EU strategy is going to help. Furthermore Cyber Terrorists are unlikely to see much gain in the digital equivalent of triggering an extinction event by killing the Internet!
  2. Datacentres – Deigned for failure, or perhaps you should be re-evaluating your datacentre provider ;-)
  3. Computers – These are commodities today and with the exception of a few specialist systems, disposable with affordable options for data resilience through external backup storage media or cloud computing empowering even the most economically distressed with scalable backup. Or for the more paranoid both!
  4. Smart Devices – It’s in the name. If they are doing their job they should be replicating core data and configuration settings to resilient external storage options which will allow a new device to be provisioned conveniently.
  5. Data – Use of Information Rights management (similar or that used by the music Industry) encrypts data objects such as a digital document (Microsoft Office files) so they can only be read by those the creator has intended the document to be shared with. Theft of these files then becomes futile, remove the attraction, the threat is expunged. The same principles apply to an automated function of databases and exported record sets.
  6. Digital Certificates – A means for individuals to identify themselves consistently so that access to Data can be reliably managed and TRUSTED.

The demands of society are actually on mandatory digital education and should be taught like learning how to tie up your shoe laces. To cover the following areas amongst others:

  • Backup (and restore).
  • Encryption.
  • Digital Certificates.

At the moment society is learning by osmosis and Urban Myth. Times have changed, so must needs, and the EU Cybersecurity plan may have a place at a National response level but quite possibly there are more practical and immediate means of addressing needs further down the social hierarchy that will not have the cost burden on Small Medium Enterprises (SME’s) that the current strategy would impose.

Remove the ease with which data can be breached and the requirement for security and data breach notification regimes start to look somewhat dated controls.

Filed under Cloud Computing, Computers and Internet, Legal, Privacy, Security, Small Medium Enterprise (SME)

Data Security – It’s in the Name!

December 20, 2012 2 Comments


I have just come out of my last meeting before Christmas in which security has been forefront (again) on both business and IT principles minds, and tongues…

The bizarre thing is that despite the obvious, the prevalence of IT security systems protect the ‘Environment Boundary’ in which data resides or is transmitted, whilst understandable form a certain perspective, it is somewhat medieval in its approach to the core ‘Data Security’ problems facing organisations and individuals today.

It is all good and well using SSL (Secure Socket Layers ) to ensure your communications (data exchanges in transit) are secure. BUT a waste of time if the communicating entities do not apply similar levels of security when the data is stored (data at rest). Even the most inept hacker knows that the easiest point to attack in any data exchange is the client (workstation, notebook, mobile device). The server end of the chain is likely to be more secure environment (not necessarily) than the end users. Hence the prevalence of end user vectored attacks, email being the weakest and most convenient conduit to perpetrate a hack. Once a Hacker can get some malware on a user’s PC they can just about do what they want with it, and that includes all the data unless the documents and or data is encrypted.

Thus we get to the headline of the article. DATA SECURITY. If all data adopted the same protective measures as the entertainment industry tries to do with their music and movies then less of our private lives would become public, and organised crime feeding off corporate systems selling inside secrets or blackmail would be poorer overnight. Organisations should be securing their CONTENT as well as their IT environments. Currently most organisations actually do ‘Environment Security‘ NOT ‘Data Security’.

Information Rights Management (IRM) has been around for decades in various guises.. ISV’s (Independent Software Vendors) are largely ignoring a HUGE market opportunity to tap this capability. Some understand it and build their business on this core feature, but most ignore it and defer security to the IT department’s ability to secure a whole environment. IRM has never been easier today to implement, without even needing to deploy a service it is possible to tap Windows Azure AD Rights Management and have this capability on tap. For organisations using the Microsoft Office 365 Online Software as a Service (SaaS) suite it is possible to enable this with ease:

Microsoft Office 365 with Windows Azure AD Rights Management enabled represents one of the most secure and feature complete collaboration environments available on the market today. I would challenge some enterprises to prove a more secure data environment, and this is available to the smallest of organisations for less than £15/mth per user. This default functionality in Microsoft Office 365 is just a baseline, for the more security conscious this can be enhanced exponentially with third party products.

IRM is not full proof, nothing can stop someone re-typing a document or photographing a screen. BUT it represents a significant convenience barrier to those perpetrating corporate espionage and removes any ‘accidental’ disclosures.

I suspect though there will be a few more fruitful Christmas seasons for the corporate espionage crime syndicates to roam deserted corporate systems before the penny drops.

Filed under Cloud Computing, Computers and Internet, Home Computing, Legal, Mobile, Office 365 and Azure, Privacy, Security, Small Medium Enterprise (SME)

Social Media Corporatocracy – Self-Regulate or Be Damned

November 17, 2012 Leave a comment


My earlier Blog on the subject ‘Social Media – Accountability’ made for some heated debate in a post event drinks session championed by a defensive cadre of the twitterati advocating the freedom of speech argument. An old chestnut I empathise with, but see it as a worn out defence. My view being it is time the Social Media Corporatocracy confronted their responsibilities and got their house in order. Addressing a need to become more accountable for the content they syndicate from their membership or put in place mechanism’s that prevent the kind of free-for-all we have recently witnessed to the detriment of innocent parties.

That appeared un-satisfactory to the twitterati, I came away somewhat disturbed by their underlying attitude, that of a ‘brave new frontier’, somehow exempt from societies rules on defamation, slander, denigration amongst other poignant terms. I do not believe it has, and on a broader canvas of the Internet this is a dangerous attitude that strikes at the heart of the Internet’s credibility as a platform for democracy and in the battle against ‘Big Government’ to coin a phrase championed by Ron Paul in his ‘Farewell to Congress’ speech in which he champions the Internet in this very context.

Back to the point ….

The issue I believe is the engagement process by which social media sites attract membership and the mechanisms put in place by those site operators. It is time that the Social Media Corporatocracy applied a Moral Compass to their actions if they wish to avoid litigation and formal regulation which means they need to better self-regulate.

I would suggest more robust self-regulation as a minimum reasonable demand by the litigants who have recently fallen victim of the invidious public social media feeds, as part of any settlement. Such self-regulation could include:

  1. Social Media owners who wish to have an uncontrolled (no mediation or content validation delay) public information feed accept and take FULL responsibility and are FULLY accountable for that which they publish.
  2. Making their environments EXCLUSIVE MEMEBERS ONLY, with a clear set of warnings that content is unregulated, un-validated and not mediated, and as such individuals consume at their own risk.
  3. The option of a Public information feed service as an Opt-In for members. By so Opting-In members accept FULL responsibility and are FULLY accountable for that which they publish.
  4. It would be mandatory that any individuals wishing to Opt-In to public and unprotected Social Media information services have their identities validated BEFORE they are permitted to publish to an unprotected live feed. Validation through a current Credit Card would suffice, with public feed rights withdrawn in the event of the Card Expiring and non- renewal.

The above suggested self-regulation measures are by no means exhaustive in detail but aim to provide a flavour of what would help address the current waves of Social Media abuse.

A by-product of this type of self-regulation is the containment of the ‘anonymous’ voices. The proposition is that the ‘anonymous’ can still persist BUT they are contained behind the membership closed doors of their elected Social Media forum.

I have no doubt that this would be contested very strongly by the social media corporatocracy after all they feed on this kind of perverse publicity, which in turn pumps there hugely overinflated and in many cases economic gravity defying valuations.

The reality is the Social Media Corporatocracy must start to demonstrate a responsibility to protect the innocent from rogue users, they have little more than a fig leaf in their own defence at the moment. …..  The Emperor’s New Clothes.

Filed under Cloud Computing, Computers and Internet, Legal, Privacy, Security

A 2nd Hand Software Market Challenge for ISV’s

July 16, 2012 Leave a comment


On 3 July 2012, the Court of Justice of the European Union (CJEU) ruled in UsedSoft v. Oracle that irrespective of the terms stated in any licensing agreement, software bought with a perpetual right of use that acquiring third party could re-sell the license 2nd hand without any recourse to the software vendor. This is irrespective of the fact that the software may have been downloaded or supplied as a boxed physical media set purchasers of software may resell copies of their downloads provided that they render the original download unusable.

There is a good summary online by Edwards Wildman

What this means for the software industry is that there is now legitimate scope, for a second-hand software industry to emerge. Legitimate in so far as there is now a basis of judicial precedent. Although it is unlikely this will be the last word on the matter and broader challenges will help to clarify this.

This ruling however does not apply to any software purchased under a subscription, rental or lease agreement.

Irrespective of any potential reversal of this ruling this should be taken as a wake up call by the Independent Software Vendor (ISV) community that it is time to stop ignoring the inevitable. This is a precursor event building on the wider shift that has been rumbling under the surface of traditional software production, delivery and pricing models influenced by Cloud computing and the new generation of subscription licensing models that underpin a new way of delivering and servicing software to shifting expectations of consumers and enterprises alike.

A precursor event because it will not be defining in itself. It heralds the prospect of a very different software future. Whilst it may not be the floodgates opening it confirms that change is inevitable at a deepening institutional level across ISV’s. Change that will challenge not just pricing and licensing models but the way software is developed, delivered and maintained at the core of organisations operations and culture. As the perpetual fixed incensing model get’s subsumed by the new agile subscription orientated licensing models it will demand a new type of business cultural and agility that many big ISV’s will struggle with. I can point to the short horizon strategic myopia that Cisco is demonstrating and HP’s doldrums’ to highlight two household names, which will be the tip of the iceberg.

Some points that jump out at me:

  1. An important undertow is the judgment seems to reflect common practice across both consumer and commercial entities that vendors have turned a blind eye to notably reselling and make copying of software media (albeit the latter for internal use). Many have and do re-sell licenses, furthermore vendors in part are inadvertently underwriting this. In cases where these licenses are of significance, the 2nd hand owner contacts vendors to review support and or upgrades. Vendors see the loss of a sale as ‘cost of sale’ for persisting or regenerating support/maintenance/upgrade revenue from a new customer. Often these are customers who would not have made the leap to such a product outside a 2nd hand market, but once on the ramp they represent fish in the net.
  2. This hints at acknowledging a shift change which has started to be driven by the new wave of Cloud based licensing models, largely led by subscription formulas. This I believe across many broader horizontal markets will be inevitable, the niche specialised industries less so, at least for now.
  3. As Cloud enables the cheaper development, delivery support and maintenance of software the niche markets will slowly feel the pressure of attack from ‘Born in the Cloud’ start-ups who will see opportunity in the big margins and price tag’s that specialised software areas attract. For now there is plenty of easier low hanging fruit.
  4. For Vendors in specialised areas they need to move, now and create roadmap at a strategic level. If they are not able to have flexible discussions with customers then they will be heading towards the off-ramp, flexibility in the future will be lower initial costs of purchase but a readiness to commit to slow burn subscription value use payment models. There are many permutations in between; there is no one size fits all in this new generation.

So what is the answer?

Reflecting on one of the industry’s largest and software vendors, Microsoft, who has undoubtedly the broadest range of software it is possible to see how ISV’s can adopt some best practices learnt at Microsoft’s expense. This reflection could deliver short term ‘Quick Fix’ adaptation to address any immediate exposures with minimal impact on product development but cannot replace an inevitable need to start now to plan product roadmap for the medium and long-term sustainability.

A Software Assurance ‘Quick Fix

For some years now Microsoft has included a new dimension to their traditional Software Enterprise Agreements (EA) and Volume Licensing called Software Assurance (SA). The thinking behind SA being to give users the ability to spread payments over multiple years, while offering inclusive upgrades to newer versions during that time period. Many additional benefits were also bundled in to sweeten the price premium of SA, these vary depending on the type of EA and product licensed but include:

  • Deployment Planning days.
  • Training
  • Employee home use rights
  • Enhanced telephone support
  • Technical resource access normally chargeable such desktop support and virtualisation tools.

Historically SA has been criticised for the lack of included updates during a contractual period, but in latter years the move to a faster release cycle has started to demonstrate much stringer value in this and Microsoft has reported acceleration in the SA adoption over the more traditional fixed EA.

An interesting survey supporting this value was produced by IDC ‘The Business Value of Microsoft Software Assurance for Volume Licensing’

My idea of a short term ‘Quick Fix’ here is where a form of Software Assurance (not strictly the Microsoft Model of today) is adopted and the licensee’s principle value point in the agreement is the SA benefits rather than the perpetual license right. This could side step the CJEU ruling with minimal impact on Enterprise customers as the updates and benefits are subscription based. The perpetual license right being the baseline license that was acquired when the agreement commences NOT the upgraded. As such should there come a point when the licensee moves off that software platform the value of the license they hold to sell is negligible having been eroded by the age of the agreement.

Medium &Long Term Sustainability

As SA demands a regular flow of value to the licensee the ISV must adapt and optimise their development and deployment cycles and ultimately their support and maintenance to a subscription, real time anytime model.

Examples of such models are already in existence. I spoke last week at Microsoft’s Partner Conference on the subject (Making Money with Microsoft Cloud, the Real-World How-To) and had accompanying me on the stage to communicate first-hand the benefits Peter Senescu CEO of Metavis Technologies. MetavisTech have the definitive value proposition for todays Cloud world. A solution that is delivered maintained and supported across the Internet from the Cloud, with bug fix refreshes every weekend. Their solution is by no means simple, it is an Enterprise grade migration and management platform for Microsoft SharePoint and demonstrates the agility that is possible with correctly optimally architected product to deliver seamlessly in the cloud.

Returning to the case in point Oracles problem is the way they price and license their products. This drives an asset sweating behaviour in their customers who max out the utilisation of licenses. This means as competing products level the playing field and customers Oracle upgrade horizons becomes imminent there is an increasing shift to alternative more cost effective and value driven solutions from SAP and Microsoft Dynamics. The perception being that to upgrade Oracle the pain can be as much as a shift to a more cost effective platform. At which point they will liquidate and recover whatever value they can from the Oracle asset by selling it on. In essence Oracles licensing model allows itself to be swapped out.

On the other hand deliver more core productivity stack based software such as Microsoft Office and or desktop or server OS is harder to get rid of, these vendor offerings have less exposure in their core market.

There will need to be a reflection as to how this judgment stand’s up to a wider market response and inevitable challenge. Will the market accept the changing state of software and make a licensing shift or push back and drive some review of the ruling that will see some degree of reversal? I would bet on the former rather than the latter.

For now if you are an ISV don’t stand still, for the agile this type of threat is a receding legacy issue as product is moved to a Cloud based, real time subscription modus operandi. For the laggards who are sticking firm to traditional proprietary models this is another unwelcomed challenge to bottom line margin.

As for the rest of us, we will be watching this space….

Filed under Cloud Computing, Legal

ACTA – Legislating for Anarchy

February 8, 2012 Leave a comment


The debate on Internet freedom of speech and data regulation rumbles on to its next chapter. No sooner have the US attempts to weasel control over the Internet been quashed than the spotlight swings across the pond onto Europe.

Up comes ACTA (Anti-Counterfeiting Trade Agreement). Or should I say, ACTA’s long gestation in closed sessions, has come up against strong opposition in Europe which is hoped will derail what is a pernicious piece of Trade Negotiation. The European Parliament may be the last hope to reign in ACTA (Anti-Counterfeiting Trade Agreement).

Anti-Counterfeiting, sounds all good stuff and something the good guys of the Net would likely support. But for the fact that this has been an initiative conducted behind closed doors, and by a group of parties that gives a frighteningly distorted representation of all the parties who should have a voice in such discussions. Driven largely by commercial interests, both directly in open voiced support as well as through the shady world of high stakes lobbying.

ACTA can be synthesised into a simple sentence – The empowerment of corporate interests to police Internet content and impose penalties that extend to the restriction of an individual’s freedom if a large intellectual property-based organizations feels their business has been harmed.

This is not confined to the EU, ACTA is planned for adoption across the US, EU and other countries including Australia, Canada, Japan, Morocco, New Zealand, Singapore and South Korea, as a precursor to global roll-out. Furthermore this has been on a slow burn now for almost 4 years!

I am not going to relay the details of the agreement; you can read a good potted history and the salient elements on the venerable Wikipedia at http://en.wikipedia.org/wiki/Anti-Counterfeiting_Trade_Agreement

The impact this will have extends beyond just the freedom of speech the Internet has become a bastion for, but the more practical economics’ that the Internet is stimulating and risks supressing innovation as well as imposing an onerous overhead on an already distressed Small Medium Enterprise community. The ability for SME’s to manage their online activities will become a minefield, for many this could mean cutting off liberal use of a rich information resource, at a cost to their full potential.

Whilst we all recognise that the digital network realm is challenging the traditional laws on Copyright, Intellectual Property and Trademark protection, the ACTA approach is counterproductive as a practical solution. It is regressive in its thinking, instead of encouraging these large intellectual property-based organizations to adapt and innovate in the face of these challenges to the betterment of their own shareholders as well as the global user community at large, the agreement is taking a silo approach. Trying to build walls on crumbling foundations of a state of being that the world is moving on from.

The Internet ‘gift economy’ has already suffered extensive compromises to the good faith and trust of a global audience without the help of regulators. (See my earlier blog on Digital Enslavement ) As the freely given time and resources of users that fostered the term ‘gift economy’ is being harvested by large corporates such as Google, Facebook, Twitter and Flickr amongst others, far from the egalitarian impact potential hoped for. It has instead inadvertently accelerated the concentration of wealth in the hands of large intellectual property-based organizations. Organisations that are now with their Billion Dollar war chests hooked deep into policy makers and clawing for greater control.

We need to support the converse; it would be more beneficial to global economic regeneration to relax the rules that give large intellectual property-based organizations such power. To cut away at the Intellectual Property ‘thickets’ that restrict innovation and tie up creativity. For Magic happens here……….

Filed under Legal, Security, Small Medium Enterprise (SME)

Internet Giants show their true colours – Brazen at best

January 26, 2012 Leave a comment


The EU has hardly heard the echo’s fade from its announcement to redress the imbalance of data harvesting and controls enjoyed by the likes of Google, Facebook et al to the cries from these self-same organization.

Organizations that only yesterday were crying foul, that it is not necessary, then demonstrate arrogantly to us precisely WHY these changes to the law are so overdue:

1. Facebook risk their members privacy by forcing user profile changes that will expose millions of users previously private data and life events when they switch on their Timeline.

2. Google collapse all their data across all their divisions into a single resource.

For Facebook this is par for the course. It has always put its own interests and the use of its member’s data first before the wishes of their users. This action is a blatant challenge to regulatory authority in the face of the new EU regulation proposal that state users will have a ‘right to be forgotten’. Such a basic right challenges and strikes at the heart of the Facebook business model, placing the rights firmly back into the hands of the individual where they belong.

For Google it rips away the pretences of fair play in their handling of the huge volumes of personal data as they give unilateral access to it across all its divisions. Flying in the face of best practice they demonstrate a crass arrogance, this is not just the merging of one or two associated lines of business but 70 different service streams. The pretence that this has been done in the best interests of users would be laughable if not so serious and assault on users trust. The truth is it will add value to Google and their marketing/advertising engine and blend users data without recourse.

As I said only yesterday in my blog ‘New EU Data Laws’ commending the EU announcement for its bold step in which I champion the regulators to withstand the prospective onslaught to their authority and ultimate credibility that is coming from Commercial interest and to see these proposals into legislation. Law’s that will need teeth to tame the feral business models and cash cows like Google and Facebook.

Filed under Cloud Computing, Computers and Internet, Legal, Security

New EU Data Laws – Free Lunch over for Google and Facebook et al

January 25, 2012 2 Comments


What you need to know – http://www.zdnet.com/blog/london/european-draft-data-law-announced-what-you-need-to-know/2609

The European Commission has put forward suggestions for changes to EU data laws, championing the privacy of European citizens. http://www.bbc.co.uk/news/technology-16721546 

Other articles are less objective as the depressionists come out in force crying down the new plans by the EU with scare tactics that they will cost business Billions. Running like a pack with showboating lawyers getting their 15 seconds of fame in the media columns frightening all and sundry with spurious legal scenarios.

My Blog back in November 2010, ‘Digital Enslavement’, touched on the impact on individuals that this regulation is going to redress. Better late than never it should stimulate a much needed maturing of the pernicious business models that have taken advantage of a ‘Wild West’ Internet frontier and innocence of individual participants.

As with any new frontier, the days of free for all are coming to an end I commend the EU for taking a first tentative step and a brave lead in making the beneficiaries of individual’s data truly accountable.

This legislation is an Internet and community maturity test as well as a much needed correction in the power balance of who controls individual’s data. If successful it will herald a new way of working, where individuals have the potential of full control and anonymity when disclosing their data and Corporatocracy will have to change their attitudes to cherish the granting of access to individuals data rather than the converse. My Blog Last October ‘A New age of data ownership’ takes one view on how this can be readily implemented using technology that has been in place for years, this is not rocket science and well within the capabilities of operators, individuals and legislators to realise today.

My word to our legislators is HOLD FIRM, you are on the right road. it is going to be a long road to member state ratification, possibly not till 2014 or 2015, during which you will need to hold fast to your principles to avoid having the core tenants of this legislation eroded by pressure from commercial interests.

The reality is the regulation blows away Billions of Pounds worth of cost and simplifies the regulatory landscape, albeit putting the burden on the Corporates who have been building their business models on the premise of free data at almost zero cost. Now they need to dip into their cash piles that they squander so readily, and become accountable and responsible at last.

The immediate reaction we are seeing is more than the conventional resistance to change. We must maintain a candid guard in the face of the messaging pouring out from Big Corp press machines who are having a field day protecting their sponsors, Google and Facebook leading the pack. Why? Simple they wish to continue the data feeding frenzy that has fed their balance sheets and business models without check for too long.

With Facebook due to IPO shortly this could not come at a worst time. For the populous who have in blind trust allowed their data to be consumed and mined by such entities with little regard for the owners privacy or reward, it has come possibly just too late for yet another entity to cash in on individuals data.

We have a long way to go yet, but I for one am optimistic there is a positive change in the air.

Filed under Cloud Computing, Computers and Internet, Legal, Security

Power to all my Friends – A New age of data ownership

October 17, 2011 2 Comments


Once again sitting around a dinner table immersed in the conversational euphoria of many great online experiences shared amongst friends the threads of a more invidious undertow weave a sobering reality. The horror stories of data that has been compromised, band details exposed, Facebook images that went public without permission, disconcertingly targeted advertising appearing on webpages and even phone calls from unknown vendor call centres offering unwanted services.

As a technologist and security specialist I frustrate at the cavalier attitude that many organisations take to individuals data. From ecommerce entities that do not comply with basic PCI-DSS (Payment card Industry Standards and Data Security Standards) to social media and search sites that return questionable value to the individual when balanced against the against the risk the retention and data mining of that data will have.

Technologies exist and practices are already well developed that can empower users to enjoy the Internet and third party services AND keep control over their identities and data.

There are many permutations and tools out there to achieve this, but let me take one blend by way of illustration which is by no means exhaustive in detail but will demonstrate that there is a better way. A way that I predict, in not to dissimilar form, will one day become prevalent, be it once legislators finally say ENOUGH in the face of public outrage and force the initiative, or as I would prefer to think the industry would lead by best practice and self-regulate by adoption. Call me a cynic but I regret that the former rather than the latter is likely the case based on current attitudes of the Google and Facebook’s of this world.

The concept I would suggest would go something like this:

a) Principle establish = individual’s data is owned by the Individual.

b) Principle established = title/ownership of individuals data can never be perpetually transferred to a third party; it can only be grated for a ‘term’.

c) Principle established = On the expiry of a ‘term’ grant of any data by an individual that data will expire automatically and be ERASED.

d) Principle established = data can only be used by the entity it is granted to.

e) Principle established = data can only be used for the purpose it is granted.

f) Adoption of an authentication standard that is well established across multiple platforms and can integrate with multiple vendor solutions.

g) Adoption of an authentication model that allows fractional disclosures of data that can be controlled by the data owner wither anonymously or identifying the individual.

h) Adoption of an orchestration system that can ensure users data is held

i) Websites should have a mandatory rating that categories content to allow better protection of the innocent and to lend some degree of legitimacy.

· Claims based authentication meets the authentication ideals noted above, it is already built into many operating systems, from Windows to Mac and Linux.

· The principles suggested are no more than what individuals already assume when they disclose data.

· Document records management and retention systems already automate the archiving and expiry of data in corporate systems.

· Compliance practices and Trustmark programs already exist to ensure data management is of the highest standards.

· Regulatory penalties exist for non-compliance, but are poorly implemented and policed.

· Many well established and accepted rating systems exist. These can be aligned to websites and automated so browsers respect a user’s elected or policy enforced filters.

Finally I would support a special measure to protect our children. Our children should be allowed to safely explore the online realm without laying down a virtual shadow that can come back and haunt them into their future. As in the physical world children need to understand boundaries and develop their own identities safely, they do this by pushing back and sometime through over exuberant expression. Recruitment agencies are already delving into social network sites and profiling individuals with historic discretions that would otherwise have been forgotten as the expressions of an adolescent.

All we need is a will, the way is already paved, let’s take the journey willingly as the alternative is a force march.

Filed under Cloud Computing, Computers and Internet, Home Computing, Legal, Security

Older posts

Follow

Get every new post delivered to your Inbox.

Join 181 other followers