Security 365 – Toilet Paper & Tea bags!


OK, the title got you this far, so what have toilet paper and tea bags got to do with security? There is a genuine point to it, so please read on…

Following a recent Cloud Computing event I found myself increasingly alarmed by the prevalence of red herrings being thrown around by vendors about how their solutions and/or products solved Cloud security issues, when in fact they did little more than address individual issues, at best.

The reality is that DATA must be exposed to the software we use to orchestrate it, be that photos in Photoshop, a document in Microsoft Office Word, a record in a database or a record spread across multiple databases. That is where the issue lies: in the exposure of data. The challenge is how we protect that which is of true value: no longer the network boundary, but the DATA itself, wherever it goes, however it is accessed, regardless of its form factor. How a software solution provides a secure environment in which to process data is an important factor, but it is not a solution in itself.

Bring on the day when data in its raw form is encrypted and the owner can manage that encryption with convenience and ease whilst ensuring complete control over whom they elect to share any part of that data set with. Imagine being able to share data and attach an expiry date, or revoke data usage at will (regulatory retention aside) instead of having to go through lengthy protracted third party information disclosure requests, which even then are often questionable in their accuracy.

What is appealing about this concept is that it places control of data back into the hands of the individual. The individual or corporation can then dictate with whom, when and for how long they share their data. It opens up possibilities such as levying a micro payment charge where that data sharing transfers commercial value to a benefiting third party. Assuming a trusted platform that can orchestrate this according to a set of user defined sharing rules (policies), such micro payments would soon add up to reasonable sums of money given the current spread of personal data. Sadly we are currently a long way from that Holy Grail. It would certainly sober up the Internet Corporatocracy (Facebook, Twitter, Google and their ilk) of this world, who have been building personal value by gorging themselves at the Internet table of free data. Given their addiction to the concept of free data, I suspect such a solution would see little support from that quarter.

Data security software solutions and products largely address a single issue and do not materially protect the critical payload in transit, at rest and during its consumption. That payload is none other than the data itself, and the information that data represents.

Erosion of privacy through data seepage into the public domain, outside the owner’s control or intent, is an issue of paramount importance, and at corporate and enterprise scale the exposure and risk grow exponentially. At the level of the private individual the concern is often singular, with attitudes towards data privacy shaped largely by the Social Media behavioural contagion, massaged by the Internet Corporatocracy, who work hard at breaking down the principles of privacy out of self-interest. At some point the Social Media lemmings of the world will wake up to find themselves victims of ‘The Emperor’s New Clothes’; loss of privacy and control of one’s personal data is a sorrowful state of affairs many will have to come to terms with. It reminds me of the immortal words ‘For fools rush in where angels fear to tread’ from the poem ‘An Essay on Criticism’ by Alexander Pope, or, for the more contemporary, the more poignantly named song ‘Jokerman’ by Bob Dylan.

I digress. Social Media aside, the simple acts of transmitting and collaborating on information present the largest risk surface for data compromise, a surface that is being built out faster than ever before with the boom in personal / portable compute devices (PCDs), be that a smartphone, tablet, laptop or the next gadget that gets christened on a keyboard with a stuck ‘i’ key!

Every collaborative event requires a transmission of data, and such events are rarely confined to a Local Area Network (LAN); at some point they transit a public fixed or wireless network (the Internet), exposing or depositing data en route on compute devices outside any structured realm of control. Increasingly the communication conduit is secured using HTTPS (Hypertext Transfer Protocol Secure), an encrypted transmission that secures data in transit. But that is only part of the exchange process, and one whose security reliability has been tested and questioned, early iterations of its underlying protocol having been hacked (ref: Infoworld article ‘HTTPS has been hacked’). So far we have secured the trickiest part of the information exchange to compromise, the transmission, leaving the easiest, the PC and/or server, available and ready to be compromised. An email attachment click away, data on any unsuspecting PCD regularly falls victim to malware.

This gives a false impression of security; rarely are the end points of a data exchange, the PCs, servers or PCDs, similarly encrypted. But it is not JUST the end points, is it? Every device en route between the exchanging parties holds the data, be it for milliseconds or in some cases longer. A veritable game of pass the parcel, in which data is cached and stored in a myriad of places and the parcel is little more than a colander, raining data, the information life blood of companies and individuals, into the public domain.

A recent study released by Team Cymru reveals that hackers misappropriate more than 1TB of data daily from corporate networks alone. If they can do that from corporate systems, what hope is there for the Silver Surfers (the 60+ generation), one of the fastest growing user bases on the Internet today? This is not an isolated issue either. With a global population of zombie computers in the millions, the bad guys’ capacity to leverage compute power with malicious intent outnumbers the good guys’. Moving briefly off theme, the escalation of this power was clearly demonstrated recently with the 300GB Distributed Denial of Service (DDoS) attack on Spamhaus (‘When spammers go to war: Behind the Spamhaus DDoS’). This was a x6 increase on the previously largest recorded DDoS attack of 50GB. At this scale of escalation, attacks have a collateral impact beyond the targeted systems. A subject for a future article, I would hazard.

Back on theme: we have all heard of ‘Data Security’, but as a term it is more often than not less than the full truth. As with the data in transit example above, data security is subjective when it needs to be objective. The security that vendors address today addresses an environmental state that the data does not persist in, or does not persist in for long. Securing the protocols through which we communicate data, or the servers, datacentres and PCDs on which we store data, or the software applications with which we orchestrate our data, is not true ‘DATA’ security. Access to any of these environments, whether authorised or not, means data can readily be harvested, and believe me, it is being harvested, and most of you will not even know it is happening on your own computers.

I feel like shouting in frustration sometimes: it’s in the name, ‘DATA’ security, so secure the DATA itself, as I have blogged before in ‘Data Security – It’s in the Name!’. OK, it is good that you secure the other assets, the servers, datacentres, PCDs and software applications, but what about the DATA! I am not proposing we stop securing servers, datacentres, PCDs and software applications, but their security addresses THEIR security profile; the DATA security is largely by association only. As we currently deal with security at the server, datacentre, PCD and software application level we create security silos that require gatekeeping. Thus the cracks start to appear and data falls through, or the hacker sneaks in; in every other way the data is exposed to higher risk and the prospect, if not likelihood, of compromise.

Now throw into the mix the structural nature of Cloud Computing architectures and its fastest growing method of interfacing systems, Web/Cloud services. A Web or Cloud service is little more than a traditional API (Application Programming Interface) exposed to a public network, designed to link disparate systems to deliver richer and often more real time functionality at scale, with collaborative resources unattainable until now by single organisations. Web/Cloud Services live for data exchange, and data retention follows hard on the heels of those exchanges between API exposed entities. APIs = more joins and cracks, not to mention interactions to be audited and jurisdictions that will be challenging to reach into in order to audit and truly validate Service Level and/or compliance. This is no scare tactic; I work with programmers every day, and these are some of the smartest guys around, but they are human, and ‘humanum est errare’ (it is human to err).

With an industry average of “about 15 – 50 errors per 1,000 lines of delivered code” (quoting Steve McConnell from his book ‘Code Complete’, 2nd Edition. Redmond, Microsoft Press, 2004. 960 pages. ISBN), there is an inevitably high risk in APIs; they are just code after all. Yes, errors can be ironed out, but the effort is often not commercially viable. For example, only after using extensive formal development methods, peer reviews and statistical testing did the space-shuttle project achieve a level of 0 defects in a random sample of 500,000 lines of code. The ‘Cleanroom Development’ technique pioneered by Harlan Mills achieves consistent rates as low as 3 errors per 1,000 lines of code (Cobb and Mills 1990), so there are no easy options. All said and done, commercial realities turn this into a real concern: the cost of this diligence means APIs will not all be tested to such robustly high quality levels as the space shuttle, which means there are errors, and where there are errors there will be a means to an end for hackers.

But what if the data itself was of no use once the hackers got hold of it? Do you think they would bother spending long hours gaining access to it if they found it worthless?

What I am getting at is encrypting the DATA itself, the raw data packets; only then do we start to address the nub of the issue: making the data secure. Encryption (to encipher) and cryptography (hidden, secret) are powerful resources. I like the core message in these terms because they point to the essence of what we must achieve with our data to make it truly secure: turn it into something of ‘no value or importance to anyone else’, i.e. a cipher; encipher / encrypt our data. Whilst that may sound simple, I and the rest of the security community are under no illusion about the challenge this would represent to manage.

Encryption is no small undertaking; by its nature it is very unforgiving to the forgetful or unstructured amongst us, which is why only the very large Enterprises can afford data encryption systems. It is no wonder Enterprise Digital Rights Management (E-DRM) has become a familiar term, transposed onto the more generic Information Rights Management (IRM). At a private level it is almost non-existent, for even if you understand the principles of Public Key Infrastructure (PKI) and can wield the tools of Pretty Good Privacy (PGP) to manage your data in an encrypted way, you will find yourself limited in terms of who you can interact with, as this is far from user-friendly or mainstream.

Do not be misled: poor adoption of PKI, PGP and their ilk is not an early adopter issue, it is a fundamental structural issue. These mechanisms are complex to get working optimally, and in a sub-optimal deployment they are compromised, so their worth is questionable, and in the corporate world ‘it works some of the time’ does not win much in budget debates. At the individual level it is simply the complexity of managing and exchanging encryption keys and their associated certificates validating key ownership that renders it unusable.

The best we have at present for securing our data files is through forms of IRM / E-DRM, but this has until recently been out of reach of not just Small and Medium Sized Businesses (SMBs / SMEs) but even large Corporates. OK, there are proprietary application level encryption and password locking features, but they lack the truly ‘in-line’ capacity of a real time solution, and after all the Internet is full of solutions that can break these within seconds; just head over to the likes of:

Not all is lost though. Most of us have come up against the power of IRM in the form of Digital Rights Management (DRM) with online music purchases, finding that if we try to share a music file bought through one of the online stores we cannot. Why? Because the data is secured and has been locked for use to a single user account. Reflect on that: the data itself is secured; this is the DATA protected. OK, the software you use to play the media has to know how to read the data: the data complies with a standard supported by the software, which allows the software to interpret how to authorise the user to use the data. But again I point out that it is the DATA that is secured, secured by encryption that requires a user (be it an individual or software) to comply with a policy set by the data owner.

Welcome to the future of corporate and personal data, where software (any software) conforms to a standard whereby data is encrypted and software has to comply with that standard to use that data, just as your Windows Media Player or iTunes software does today through their respective online stores, which act as a validation and authorisation proxy for the music industry, the ultimate rights owners of the tunes you play. In such a new world of data you could conceivably leave your data anywhere and it would be secure. Why? Because it is encrypted, available only to those authorised by the data owner. In such a utopia hackers would gain little from stealing data, and Google would not be able to scan your documents and emails so readily!
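As an added example (not code from the original post, nor from Windows Azure Rights Management or any music store), here is the owner-set-policy model described above in working form: the document itself is encrypted, a hypothetical authorisation proxy releases the key only when the owner’s policy for that user and action permits it, and, as the earlier paragraph on sharing wished for, a share can carry an expiry date and be revoked at will, so a copy lifted from a stolen laptop is unreadable. The HMAC-SHA256 counter-mode cipher, the `RightsService` class and all user names and sample content are constructed for illustration; a real deployment would use AES-GCM and authenticated key exchange.

```python
import hashlib
import hmac
import os
import struct


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (illustrative stand-in for AES)."""
    blocks = [hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_content(content_key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC; the blob is worthless to anyone without the content key."""
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(content_key, nonce, len(plaintext))))
    tag = hmac.new(content_key, nonce + body, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "body": body.hex(), "tag": tag.hex()}


def decrypt_content(content_key: bytes, blob: dict) -> bytes:
    nonce, body, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "body", "tag"))
    expected = hmac.new(content_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time check before decrypting
        raise ValueError("wrong key or tampered content")
    return bytes(c ^ k for c, k in zip(body, _keystream(content_key, nonce, len(body))))


class RightsService:
    """Hypothetical owner-controlled authorisation proxy (the role the online music stores
    play in the post): holds content keys and sharing rules, so the blob can live anywhere."""

    def __init__(self):
        self._keys = {}        # doc_id -> content key
        self._policies = {}    # doc_id -> {user: {"perms": set, "expires": int | None}}
        self._revoked = set()  # (doc_id, user) pairs the owner has revoked

    def protect(self, doc_id: str, plaintext: bytes, policy: dict) -> dict:
        """Owner encrypts a document and registers who may use it, how, and until when."""
        self._keys[doc_id] = key = os.urandom(32)
        self._policies[doc_id] = {u: {"perms": set(r["perms"]), "expires": r.get("expires")}
                                  for u, r in policy.items()}
        blob = encrypt_content(key, plaintext)
        blob["doc_id"] = doc_id
        return blob

    def revoke(self, doc_id: str, user: str) -> None:
        self._revoked.add((doc_id, user))  # owner withdraws a share at will

    def request_licence(self, doc_id: str, user: str, now: int) -> tuple:
        """Release the content key only if the owner's policy allows this user right now."""
        rule = self._policies.get(doc_id, {}).get(user)
        if rule is None:
            raise PermissionError(f"{user} was never granted access to {doc_id}")
        if (doc_id, user) in self._revoked:
            raise PermissionError(f"{user}'s access to {doc_id} was revoked by the owner")
        if rule["expires"] is not None and now >= rule["expires"]:
            raise PermissionError(f"{user}'s access to {doc_id} has expired")
        return self._keys[doc_id], frozenset(rule["perms"])


def open_document(service: RightsService, blob: dict, user: str, action: str, now: int) -> bytes:
    """A compliant client: obtain a licence, check the requested action, then decrypt."""
    key, perms = service.request_licence(blob["doc_id"], user, now)
    if action not in perms:
        raise PermissionError(f"{user} may not {action} {blob['doc_id']} (allowed: {sorted(perms)})")
    return decrypt_content(key, blob)


def demo() -> dict:
    """Run the sharing scenarios from the post; returns an outcome per scenario."""
    service = RightsService()
    doc = b"Q3 board pack (constructed sample content, not a real document)"
    blob = service.protect("board-pack", doc, {
        "alice@example.test": {"perms": ["view", "edit"]},          # open-ended share
        "bob@example.test": {"perms": ["view"], "expires": 2_000},  # share with an expiry
    })
    attempts = [  # (scenario, user, action, time of request)
        ("alice_view", "alice@example.test", "view", 1_000),
        ("bob_view_before_expiry", "bob@example.test", "view", 1_000),
        ("bob_edit_denied", "bob@example.test", "edit", 1_000),
        ("bob_after_expiry", "bob@example.test", "view", 2_500),
        ("stranger_denied", "mallory@example.test", "view", 1_000),
        ("alice_after_revoke", "alice@example.test", "view", 1_000),
    ]
    results = {}
    for name, user, action, now in attempts:
        if name == "alice_after_revoke":
            service.revoke("board-pack", "alice@example.test")  # owner changes their mind
        try:
            results[name] = "opened" if open_document(service, blob, user, action, now) == doc else "corrupt"
        except PermissionError as exc:
            results[name] = str(exc)
    try:  # a copy lifted from a stolen laptop is unreadable without a licence
        decrypt_content(os.urandom(32), blob)
        results["stolen_copy"] = "readable"
    except ValueError:
        results["stolen_copy"] = "unreadable"
    return results
```

Calling `demo()` returns one outcome per scenario: the two permitted reads open, the edit, the expired share, the stranger and the revoked share are each refused with the reason, and the stolen copy cannot be decrypted.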

IRM, as stated above, has been the exclusive realm of large Enterprises with the deep pockets to invest in the necessary infrastructure and the process discipline mandatory to ensure such an environment works seamlessly and, critically, that data encryption keys are not lost! Until now…

May I introduce, or re-introduce, you to Microsoft Office 365, Microsoft’s Software as a Service platform for businesses of all sizes, affordable even for individuals. Microsoft Office 365 delivers Enterprise grade email, collaboration, conferencing and productivity software, amongst other benefits. It resets the bar in terms of empowering organisations and even individuals and, most poignantly, stands alone in its security capabilities with its Information Protection and Control (IPC) in the form of Windows Azure Rights Management Service:

Microsoft Office 365 forges a Grand Canyon of a chasm between itself and the following herd of online SaaS business productivity service vendors when it comes to its compliance credentials and security capabilities, and at a price point that makes it hard for any serious functionality and data conscious business executive not to consider it very, very seriously. Microsoft Office 365 scales from 1 to 50,000 user environments OUT OF THE BOX! Now NO organisation has an excuse for inappropriate document or email disclosure. It allows ANY organisation to Rights Manage their documents and emails, applying Enterprise class encryption to help ensure they are only visible to those who have been given explicit rights. This protects organisations in the following common risk scenarios:

  • Laptop theft.
  • Portable media loss.
  • Dismissed employee data retention.
  • Inadvertent CC’ing of emails or sending to the wrong recipient.
  • Email interception.
  • Internet vendor document/data scanning.
  • … amongst others.

Not 100% foolproof by any means, but 100% better than about 95% of the ‘Data’ security being implemented by organisations today. Be assured that just because you believe you have not been compromised does not mean you have not. In fact I would challenge any organisation: IF you have any Intellectual Property worthy of being stolen, KNOW that you are either compromised and don’t know it, or adversaries are going after it; if you don’t believe me I fear you are falling foul of the old ‘Struthio camelus’ syndrome of head in the sand!

The elephant in the room then becomes how to validate the identity of those accessing the data: how do you prove that you are who you say you are and not an impersonator or a middle man ‘borrowing’ someone’s access code(s)? Single factor username + password authentication mechanisms are too weak for true identity security; multi-factor authentication (something you know and something you have) is a step in the right direction, but many multi-factor authentication approaches remain vulnerable, and thus the goalposts move… that’s a subject for another day.

Conclusion
So whether you believed me at the start of this article or not, here it is: for little more than the cost most organisations spend each year per employee on toilet paper and tea bags (OK, and coffee) they can enjoy Enterprise grade document and email security, amongst a bucket load of other powerful features, with Microsoft Office 365. No excuses.

——————–

Toilet Paper & Tea Bags Analysis

Thanks to Discovery Channel and MySupermarket.com:

  • Average usage per employee/yr = 30,000 sheets/year or 134 rolls/year (@ 150 sheets per roll).
  • Average price of 50p/roll

Total £67/year per individual on toilet rolls + tea breaks at £300 per employee per year (Epiphany research 2012, quoted on ‘The Workplace Savings and Benefits’ website).

Data Security – It’s in the Name!


I have just come out of my last meeting before Christmas, in which security has been at the forefront (again) of both business and IT principals’ minds, and tongues…

The bizarre thing is that, despite the obvious, the prevalence of IT security systems protects the ‘Environment Boundary’ in which data resides or is transmitted; whilst understandable from a certain perspective, this is somewhat medieval in its approach to the core ‘Data Security’ problems facing organisations and individuals today.

It is all well and good using SSL (Secure Sockets Layer) to ensure your communications (data exchanges in transit) are secure, BUT it is a waste of time if the communicating entities do not apply similar levels of security when the data is stored (data at rest). Even the most inept hacker knows that the easiest point to attack in any data exchange is the client (workstation, notebook, mobile device). The server end of the chain is likely to be a more secure environment (though not necessarily) than the end user’s. Hence the prevalence of end-user vectored attacks, email being the weakest and most convenient conduit through which to perpetrate a hack. Once a hacker can get some malware onto a user’s PC they can do just about what they want with it, and that includes all the data, unless the documents and/or data are encrypted.

Thus we get to the headline of the article: DATA SECURITY. If all data adopted the same protective measures as the entertainment industry tries to apply to its music and movies, then less of our private lives would become public, and the organised crime feeding off corporate systems by selling inside secrets or blackmail would be poorer overnight. Organisations should be securing their CONTENT as well as their IT environments. Currently most organisations actually do ‘Environment Security’, NOT ‘Data Security’.

Information Rights Management (IRM) has been around for decades in various guises. ISVs (Independent Software Vendors) are largely ignoring a HUGE market opportunity to tap this capability. Some understand it and build their business on this core feature, but most ignore it and defer security to the IT department’s ability to secure a whole environment. IRM has never been easier to implement than it is today: without even needing to deploy a service it is possible to tap Windows Azure AD Rights Management and have this capability on tap. For organisations using the Microsoft Office 365 Online Software as a Service (SaaS) suite it is possible to enable this with ease:

Microsoft Office 365 with Windows Azure AD Rights Management enabled represents one of the most secure and feature complete collaboration environments available on the market today. I would challenge some enterprises to prove a more secure data environment, and this is available to the smallest of organisations for less than £15/mth per user. This default functionality in Microsoft Office 365 is just a baseline; for the more security conscious it can be enhanced exponentially with third party products.

IRM is not foolproof; nothing can stop someone re-typing a document or photographing a screen. BUT it represents a significant convenience barrier to those perpetrating corporate espionage and removes any ‘accidental’ disclosures.

I suspect though there will be a few more fruitful Christmas seasons for the corporate espionage crime syndicates to roam deserted corporate systems before the penny drops.

Windows 8, Microsoft Account & Skype – A Tsunami of support in the making!


With the launch of Windows 8 Microsoft has laid out its house for increased adoption of what is now known as the ‘Microsoft Account’, formerly known as Live ID/Hotmail ID/ Passport amongst others.

Like many, I have always been fastidious about keeping my business and private online existence separate. As such, dual Microsoft Accounts have been the name of the game for as long as I can remember. This has a practical side apart from the privacy dimension: in this modern age most individuals will move between employers at least once, if not multiple times, so committing to a single corporate profile would be building in headaches at each transition. Furthermore, I know many organisations recommend the practice, for compliance amongst other reasons, and insist employees create separate corporate related identities to which corporate online assets or benefits may then be associated. This allows the organisation to maintain ultimate control over its assets and provides a clear demarcation line for employees when they engage in social media amongst other online activities.

As for managing multiple Microsoft Accounts (Live ID/Passport etc.), as far as I can see the whole Microsoft Account situation has been a challenge for Microsoft. Merging all the disparate backend resources is no mean task: Hotmail, Passport, Partner IDs, Windows Azure, and that is before you get to their new family of online services, Office 365, CRM Online and latterly Skype.

The Microsoft Account ‘attach’ feature, available in the account management section of your Microsoft Account user profile, used to allow you to attach two or more Live IDs and simplify logins etc. Unfortunately it appears not to be working and has been broken for weeks (“There’s a temporary problem with the service. Please try again. If you continue to get this message, try again later”). This is regrettable at such a critical time, with the launch of Windows 8 encouraging users to adopt a Microsoft Account as their principal login. Users cannot enjoy the convenience of this ‘attach’ feature.

Users are now having to confront a change in behaviour, from traditionally using multiple accounts with flexibility across services to selecting a single one, as services are becoming inflexible and demanding connection to a single account. Logically I feel users are better off consolidating on a private Microsoft Account rather than a corporate one. The latter could of course change if they moved jobs and present the associated headaches, not to mention the risk of snooping, as many corporate systems are open to monitoring for compliance amongst other legitimate administrative reasons. But then having to work across two separate accounts makes the whole Bring Your Own Device (BYOD) proposition somewhat awkward, as you start confronting the risk of confusing private and business data when accounts get ‘Connected’ either through Active Directory or Microsoft Online services (including Skype).

The biggest concern with the Microsoft Account in general is the distinct absence of any end user management. Users lack the ability to control their own account associations, to ‘Disconnect’, or to elect at a granular level how to assign data sharing rights.

This is illustrated in stark terms by the less than congenial way Skype has decided to encourage (or, on Windows 8 RT, force) users to adopt a Microsoft Account as their Skype login. In my recent experience with this I feel there is the potential of a three way cock up building into a tsunami of support headaches for Microsoft as Windows 8 RT, Skype and the Microsoft Account converge.

My experience follows the receipt of a nice shiny new Microsoft Surface running Windows 8 RT. I tested this with both my corporate and private accounts to see how it worked, as part of a natural techie’s curiosity, before settling on running my private Microsoft Account as this device is for personal use.

That is when things went from great (see my Windows 8 RT blog, ‘The iPad Killer’) to grotesque (read on), when I attempted to configure Skype on my personal Microsoft Account having tested it on my corporate one.

Grotesque in that someone has not thought this through, or at least not got their priorities in the right order, summed up by the following:

  • At the time of writing, Windows 8 and Windows 8 RT are detected on the Skype site, which makes it VERY hard for you to get the traditional Skype desktop app by forcing users to the new Windows 8 App store. As such, users are in ignorance going to be installing the Windows Modern UI App version. (You can get the original desktop version with some laborious workarounds, i.e. log in to the Skype website from a Windows 7 machine!)
  • Users of Windows 8 are encouraged to use their Microsoft Account as their principal login so that they can get all the benefits of replication across devices etc. Internal AD accounts can now also be ‘Connected’ to a Microsoft Account to extend this to corporate accounts.
  • The Windows Modern UI App version of Skype prompts users to ‘Connect’ their Microsoft Account if it detects that a user is using their Microsoft Account on their Windows 8 device, and to use this from now on as the principal form of login to Skype.

All very innocent until you realise:

  • The Skype Microsoft Account attach is one way and CANNOT currently be reversed. I spent an hour on support with Skype trying to address this issue, then had to repeat the exercise three times over a week, and am still awaiting resolution.
  • The setting that should allow you to ‘Manage settings for all the apps and accounts you’ve connected’ in your Microsoft Account profile is devoid of any Skype option. So clearly the word ALL in this statement has some hidden Microsoft meaning; ALL non-Microsoft, it would seem.
  • IF you have inadvertently Connected the wrong Microsoft Account and you are the proud owner of a new Windows 8 RT device, then you cannot use Skype:
    • Because it will not let you log in using your original Skype account login OR Connect using another Microsoft Account. It wants the one you connected.
    • Because Windows 8 RT does not support traditional desktop apps you cannot revert to the desktop version, so again Skype has successfully alienated users.

Skype’s suggested fixes are absurd:

  1. Create a new Skype account and connect it to the other Microsoft Account! (What and lose all my contacts, credits, Skype in and Out number etc)
  2. Create a second user account with the Connected Microsoft Account on the Windows 8 RT device and use that when you want to use Skype. (Oh nice one and what happens when people want to call me?)

Absolutely ludicrous!

So currently I have a nice new Microsoft Surface and cannot use Skype on it. Someone at Skype/Microsoft should be reviewing critical path practices and asking WHY enable a connected account BEFORE building in a disconnect. IT history is FULL of similar situations where end user practices insist on such roll-back or flexibility. As a result the support desk at Skype is going to get heated, and from my experience they are poorly trained to address this, so a second faux pas for not getting the help desk up to speed first. The individual I got did not understand the difference and constraints between Windows 8 RT and Windows 8, or he would not have suggested using the desktop application!

The saga is ongoing, and it appears I am not alone: http://community.skype.com/t5/Windows-8/Windows-8-Disconnecting-a-Microsoft-Account-and-a-Skype-account/m-p/1149344#M31 & http://community.skype.com/t5/Windows-8/Windows-8-Disconnecting-a-Microsoft-Account-and-a-Skype-account/m-p/1167114#M783

MESSAGE TO SKYPE - Release an interim patch version of the Windows 8 app that enables ‘Skype Account’ login as an option alongside the ‘Microsoft Account’ option whilst you sort out the sorry mess and enable end user ‘Microsoft Account’ connection management.

As and when this is resolved I will do an update.


UPDATE:

The Skype online support process referred to above DOES WORK. My advice is that if you do not get a confirmation email soon after the online support session you should repeat the exercise. It took me 3 attempts, so do persist. They will manually disconnect a Microsoft Account, but this is hit and miss in terms of speed of response and far from convenient. Re-associating a Microsoft Account will again commit you to a one way trip that will demand the manual support process should you wish to change it again.

Windows 8 Tablet ‘Surface’ – Rumbles in the Partner Ecosystem Jungle


The Microsoft Partner Ecosystem is the envy of the IT industry, and an example to any business trying to build a channel to market. It is unique as a marketing and customer facing engine and a force for good, fostering business development and growth, especially across the Small and Medium Enterprise sector. Here in the UK, for example, these partners employ over 500,000 people and contribute approximately 40% of IT GDP. No other vendor in history, I would challenge, has fostered such goodwill, contributed such economic wealth generation and supported a clear divide between its own marketing and that of its partners.

The Chinese Wall that has always existed to avoid conflicts of interest with its partners, by which senior Microsoft Execs from Steve Ballmer down, and Bill Gates before him, stood firm that they would never compete head to head with their partners, is now showing signs of wear and tear in a few places.

The maturity of this unique relationship is demonstrated by the establishment over the last decade and a half of the ‘International Association of Microsoft Channel Partners’, an independent business collective of Microsoft Partners. An association of more than 5,000 SMEs globally, it protects the independent interests of Microsoft Partners within the Microsoft Ecosystem. It has been instrumental, for example, at policy level and in other global forums in addressing the realities of many of the Microsoft anti-trust cases, which in fact do more harm to the independent Partners than to Microsoft. This last point is something that Google and its ilk should pay attention to if they wish to make friends in the industry.

Cloud computing has been the first challenge to the unique Microsoft Partner relationship: the thin end of a wedge that has just received another tap to widen the crack with yesterday’s announcement by Microsoft unveiling the Surface Windows 8 tablets.

Microsoft weathered the storm over its foray into direct market competition with partners with its Cloud offerings (Microsoft Office 365 and Windows Azure). It was, and still remains, a tightrope act as they continue to stumble up the steep learning curve of how to maintain Partner engagement around these offerings and avoid breaching the delicate covenant that exists.

What now with the Windows Surface Tablet? I thought Microsoft Surface was a table-based multi-touch system, but now I see it is a line of tablet ultra-portables? Magic is clearly happening, as the former Surface experience has been on a diet!

Once again Microsoft have outdone themselves in the naming stakes and made a complete meal of this. They have managed to build Windows + Surface + Windows 8 + Tablet into one communiqué, which will add to the confusion in the consumer’s mind as to what is going on here.

· Windows = Desktop OS and OS platform.

· Microsoft Surface = Table-based multi-touch system and OS platform. (Now apparently a line of tablet ultra-portables)

· Windows 8 = Next generation Windows and OS platform.

· Tablet = iPad generation device NOT associated with desktop functionality.

In my blog only last week, ‘Windows RT – The new Windows OS’, I flagged up Microsoft’s predisposition to naming faux pas, only for them to champion the act by coming out with this great mash-up!

Far from consolidating and maximising the leverage of a brand, this risks confusion in consumers’ minds and could do more damage than good to the desired adoption curve. Does the Microsoft marketing machine have the light-footed ability to reach into current mind-sets and align them? Time will tell.

The biggest issue here, though, must be the blatant challenge to their traditional hardware OEM (original equipment manufacturer) Partner channel. Details are thin on the ground, but I dare say Microsoft will be leveraging their ability to make margin from OS licensing on their own hardware, a margin play their partners will not enjoy. Or will Microsoft pay itself the license fee for the Windows 8 software which it imposes on its partners? I doubt it, and this could end a unique relationship in the industry as Microsoft OEM Partners’ investments in the Tablet space come up against the mother of all competition!

It is early days and I truly hope to be eating humble pie on this subject, but be assured the imminent ‘Microsoft World Wide Partner Conference’ is going to be hot with debate on this and the continuing Cloud issue.

Microsoft Office 365 – Public Folder Crisis!


So you have seen the light and are enjoying the spread of joined-up Enterprise systems that for many SMEs (Small and Medium Enterprises) were, until Microsoft Office 365 arrived, a pipe dream, not just in cost terms but in configuration and management.

For those without any legacy Microsoft Exchange deployments this is a no-brainer. BUT for those with historic on-premises Microsoft Exchange servers there will be the challenge of what to do with:

  • Public Folders.
  • Shared Mailboxes.

Microsoft Office 365 does not provide Public Folders, and the traditional way of managing shared mailboxes would mean paying for additional licenses.

Of course a desirable route would have been to leverage email-enabled Microsoft SharePoint Document Libraries, supported in on-premises SharePoint and a fantastic solution to the silos of data languishing in Public Folders on Exchange. But in their infinite wisdom Microsoft have not enabled that feature in Office 365! Instead they have offered a half-way house solution in what they call the ‘Shared Mailbox’.

The SharePoint solution is not completely unavailable; for a more graceful integration, though, it will entail third party licenses for Outlook plugins that connect to SharePoint as if it were a Public Folder resource. These third party plugins tend to come with a per-user cost. Some options that you may wish to look at, which offer FREE but limited functionality, are:

Or if you have budget then something like Colligo Email Manager is probably amongst the best for email.

If you are looking for migration tools from Exchange, SharePoint, file shares or even Google then MetaVis Technologies ‘Tools for Office 365’ is a must. It is also a great offline archiving tool for Office 365 and, for the uber-paranoid, provides Office 365 backup functionality for SharePoint; yes, it can even inject an Office 365 SharePoint site into a local on-premises SharePoint, now that is a first!

For most, however, the shift to the Shared Mailbox option in Office 365 will do the job. At least until Microsoft opens SharePoint up with email-enabled Document Libraries and/or lists!

The Shared Mailbox feature on the face of it appears to be just like any traditional shared mailbox. The goodwill gesture by Microsoft is that they do not incur an additional Office 365 user license. That does, however, come with a catch, one that no doubt exists to prevent these from being abused.

A shared mailbox is a mailbox that multiple users can open to read and send e-mail messages, allowing groups of users to view and send e-mail from a common mailbox. Shared mailboxes also allow users to share a common calendar, so they can schedule and view vacation time or work shifts.

The gotchas are:

The cat is now out of the bag and there is a nice, albeit simple, GUI (Graphical User Interface) tool available to help the self-serving Office 365 SME. Fire up a browser and point it at the ‘Shared Mailboxes with GUI-based Tool’ wiki and get going: http://community.office365.com/en-us/w/exchange/1712.aspx

For those frustrated by the 5GB mailbox size limit, you can always use a fully licensed user mailbox in the traditional fashion. I suggest, however, that you consider the following lessons learnt from ‘bloated’ shared mailboxes in Office 365. Large shared mailboxes have significant drawbacks when you move to the Cloud and no longer have Local Area Network grade speeds to mask the overhead. Perhaps that is why they have been constrained. Issues include:

  • Set-up sees an escalation in support calls as users’ Outlook ‘appears’ to lock up and desktop network activity grinds to a halt while local copies of the Shared Mailboxes are replicated to ALL users who have been granted access.
  • Set-up can be especially challenging for mobile users on low bandwidth connections.
  • Mobile users risk heavy overhead on data tariffs as they are synchronising multiple mailboxes.
  • Significant changes to shared mailbox data and folder structures cause the same fall-out, as noted above, across all users.
  • The security exposure grows with the number of users holding local copies of the mailbox: every cached copy on a laptop or phone is another place the shared data can be lost or read.
  • The corporate network edge can become congested, requiring some form of packet filtering or traffic shaping to prioritise traffic.

You get the drift: network impact and user experience issues sum it up. So if you do have LARGE shared mailboxes, try to keep them to smaller user groups.
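As an added example (not from the original post, and not the code of the GUI tool linked above), here is the same shared-mailbox set-up done from Exchange Online PowerShell, which also covers the ‘bloated mailbox’ lessons just listed. The mailbox address, delegate accounts and admin sign-in are assumptions, and the connection cmdlet is from the current ExchangeOnlineManagement module rather than the remote PowerShell session of the Office 365 of the day. The part worth noting is -AutoMapping:$false: it stops Outlook from silently adding the shared mailbox to every delegate’s profile and caching it in their local OST, which is exactly the replication and bandwidth hit described above.

```powershell
# Added example, not from the original post: create and delegate an Office 365
# shared mailbox with Exchange Online PowerShell. Mailbox address, delegate
# accounts and admin sign-in below are assumptions.

# Connect (current ExchangeOnlineManagement module; assumed to be installed).
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$Shared    = 'support@contoso.example'                          # assumed
$Delegates = @('alice@contoso.example', 'bob@contoso.example')   # assumed

# 1. Create the shared mailbox. -Shared means it consumes no user license and is
#    created with sign-in disabled; nobody should ever log on to it directly.
New-Mailbox -Shared -Name 'Support' -DisplayName 'Support' -Alias 'support' `
    -PrimarySmtpAddress $Shared | Out-Null

foreach ($User in $Delegates) {
    # 2. Full Access lets the delegate open the mailbox and its calendar.
    #    -AutoMapping:$false stops Outlook from automatically adding the shared
    #    mailbox to every delegate's profile and caching it in their OST, which is
    #    the replication / bandwidth problem described in the post. Delegates add
    #    it by hand, or use it through Outlook Web App, only when they need it.
    Add-MailboxPermission -Identity $Shared -User $User -AccessRights FullAccess `
        -InheritanceType All -AutoMapping:$false | Out-Null

    # 3. Send As, so replies leave as support@ rather than from the delegate.
    Add-RecipientPermission -Identity $Shared -Trustee $User -AccessRights SendAs `
        -Confirm:$false | Out-Null
}

# 4. Verify the delegation. Review this list whenever someone leaves the team:
#    FullAccess on a shared mailbox is a standing grant, not a one-off.
Get-MailboxPermission -Identity $Shared |
    Where-Object { $_.User -notlike 'NT AUTHORITY\*' -and $_.AccessRights -contains 'FullAccess' } |
    Select-Object User, AccessRights

Get-RecipientPermission -Identity $Shared |
    Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
    Select-Object Trustee, AccessRights

# 5. Watch the size before it becomes the 'bloated' mailbox described above.
Get-MailboxStatistics -Identity $Shared |
    Select-Object DisplayName, ItemCount, TotalItemSize

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once per shared mailbox from an admin workstation; steps 4 and 5 are the ones to put on a recurring schedule, since a shared mailbox accumulates both delegates and data long after anyone remembers creating it.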

Guide – Advanced eMail Routing in Microsoft Office 365


For many organisations the use of additional email handling services for compliance (metadata cleansing or advanced archiving) or simply cosmetics (adding email stationery) is a requirement. This How-To provides a quick heads-up and signposts resources that I hope will answer many of your questions.

Also available as a PDF download at – ‘NRG Advanced eMail routing with Microsoft Office365 Guide’

For many SME (Small Medium Enterprise) and even large enterprise customers, the need for a new set of skills to integrate with Office 365 can be a barrier to realising the benefits of this platform. In many scenarios we are dealing with technology professionals who have deep expertise with, or attachment to, on-premises computing, for whom this can be a blocker.

In fact Office 365, like the majority of Microsoft products, is highly interoperable, despite what some sectors of the technical community may believe. The following focuses on how to enable advanced email flow scenarios in Microsoft Office 365.

Microsoft Office 365 uses Microsoft Forefront Online Protection for Exchange (FOPE), providing you with the ability to implement several advanced email flow scenarios. These scenarios can be extended with the use of Microsoft Windows Azure, but that is beyond the scope of this Guide. Some Microsoft resources that expand on these scenarios can be found at:

· Overview of Complex Mail Flow Scenarios in FOPE

· Outbound Smart Host Scenario for FOPE Connectors

· Configure Messaging with a Regulated Partner and Forced TLS in FOPE

· FOPE 11.1 New Features
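As an added example (not from this guide and not from Microsoft’s FOPE documentation), here are two of the scenarios the resources above describe, the regulated partner with forced TLS and the outbound smart host, expressed as connector configuration. FOPE has since been retired in favour of Exchange Online Protection (EOP), so the cmdlets below are EOP’s New-OutboundConnector and New-InboundConnector rather than anything in the FOPE portal; the partner domain, gateway host name and admin sign-in are assumptions.

```powershell
# Added example, not from the guide or from Microsoft's FOPE documentation.
# FOPE has been retired in favour of Exchange Online Protection (EOP); these are
# the EOP connector cmdlets for two of the scenarios the guide links to.
# Partner domain, gateway host name and admin sign-in are assumptions.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# --- Scenario: regulated partner with forced TLS in both directions -----------
$PartnerDomain = 'partner.example'   # assumed

# Outbound: mail to the partner must go over TLS, and the partner's certificate
# must be issued for the partner domain (DomainValidation). If TLS cannot be
# negotiated the message is deferred rather than falling back to clear text.
New-OutboundConnector -Name "To $PartnerDomain (forced TLS)" `
    -ConnectorType Partner `
    -RecipientDomains $PartnerDomain `
    -UseMXRecord $true `
    -TlsSettings DomainValidation `
    -TlsDomain "*.$PartnerDomain"

# Inbound: mail claiming to be from the partner is accepted only over TLS with a
# certificate for the partner's domain; anything else using that sender domain
# is rejected (RestrictDomainsToCertificate).
New-InboundConnector -Name "From $PartnerDomain (forced TLS)" `
    -ConnectorType Partner `
    -SenderDomains $PartnerDomain `
    -RequireTls $true `
    -TlsSenderCertificateName "*.$PartnerDomain" `
    -RestrictDomainsToCertificate $true

# --- Scenario: outbound smart host -------------------------------------------
# Route all outbound mail via an external gateway (archiving, stationery, DLP)
# instead of delivering straight to the recipient's MX. The gateway must, on
# its side, accept relay only from Microsoft's published outbound IP ranges,
# otherwise it becomes an open relay for anyone who finds it.
New-OutboundConnector -Name 'Smart host: relay.mailgateway.example' `
    -ConnectorType Partner `
    -RecipientDomains '*' `
    -UseMXRecord $false `
    -SmartHosts 'relay.mailgateway.example' `
    -TlsSettings EncryptionOnly

# Review what is now in force. With both outbound connectors present, the more
# specific recipient-domain match (partner.example) takes precedence over '*'.
Get-OutboundConnector |
    Select-Object Name, ConnectorType, RecipientDomains, SmartHosts, TlsSettings, TlsDomain, Enabled
Get-InboundConnector |
    Select-Object Name, ConnectorType, SenderDomains, RequireTls, TlsSenderCertificateName, Enabled

Disconnect-ExchangeOnline -Confirm:$false
```

The forced-TLS pair is the security-relevant part: without the inbound connector’s RequireTls and certificate restriction, anyone on the Internet can submit mail that claims to be from the partner domain, and without DomainValidation on the outbound side a misconfigured or spoofed MX could negotiate TLS with any certificate at all.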

To use FOPE fully, the caveat is that you have to be subscribed to the Microsoft Office 365 for enterprises, Live@edu, or former Business Productivity Online Suite (BPOS) dedicated cloud hosting versions of Microsoft Office 365.

Remember we are now in the world of Cloud Software as a Service (SaaS) and subscription based consumption. As with other Cloud managed-service models, Microsoft Office 365 has a tiered structure that provides increasing functionality at different price points.

The FOPE functionality likewise varies depending on the Office 365 subscription. This is unlikely to be an issue for the class of customer looking for advanced email integration, as they are likely to be on the Enterprise Plan levels, but please start here to check that you are subscribed at the right level:

· ‘Feature Set Comparison for FOPE Deployments’

Assuming you are at the right level, or would like to check that you can do what you want before upgrading to the right Office 365 subscription level, I would suggest looking at the FOPE user guide at:

· ‘Using FOPE Connectors to Configure Advanced Email Flow Scenarios’

And last but not least, assuming all the above is in order and you now want to actually access FOPE for your Office 365 subscription, head over to the FOPE administration URL at:

· FOPE Administration Portal

If you have not yet set up a user account on FOPE, don’t panic: there is a link from your Office 365 Outlook Web Access account (assuming you have administrative rights for your Office 365 subscription), or go through the Office 365 Admin Portal by following these simple steps:

Step 1 – Login

Login to your Office 365 Admin Portal at https://login.microsoftonline.com/ with an account which has administrative rights.

[Screenshot 1 – Sign-In]

Step 2. Exchange Management

Under the Admin Overview link on the left you will be presented in the main window with links to manage the Office 365 server systems. Click on the ‘Manage’ link under the Exchange option.

[Screenshot 2 – Admin Portal]

Step 3. Manage Organisation

Make sure you are managing your organisation and not yourself individually. In Exchange Management, at the top left of the screen, mouse over the ‘Manage My Organisation’ menu item and you will get a pop-out with menu options; select ‘My Organisation’:

[Screenshot 3 – My Org]

Step 4. Mail Control

Once you have confirmed you are managing your organisation select ‘Mail Control’ from the left hand menu.

[Screenshot 4 – Mail Control]

Step 5. FOPE Access

Once you are in the ‘Mail Control’ section you will see on the right ‘Additional Security Settings’ and a box with a text link in it, ‘Configure IP safelisting, perimeter message tracing and email policies’, something like the image below:

[Screenshot 5 – FOPE]

Step 6. FOPE Portal

Clicking on the link as directed above will take you into the FOPE administrative portal, where you have all the glory of the FOPE reporting and administrative tools.

Please review the FOPE help if you are not familiar with this environment BEFORE you start making changes.

NB:

Remember you are on a subscription service now and new features and updates come online on a regular basis; please ensure you keep up to date so that new features do not impact any external services you may be linking into.

Microsoft Office365 – Sharing at its heart


Sharing in Microsoft Office 365 is not restricted to users registered in your Office 365 tenant. Through Microsoft SharePoint Online it is possible to invite external users into your collaborative workspaces and extend your teams securely. Most importantly, this can be done at NO extra charge, at least for the first 50 external users.

Microsoft provides by default with Office 365 SharePoint 50 external user licenses. More can be purchased if this limit is hit.

The challenge most organisations have had with this feature is the lack of clarity around what these external users must do to be able to be invited. For some customers it has been a frustrating experience, as Microsoft’s multiple online account systems and its talent for naming conventions help to muddy the water.

Microsoft has, amongst other logins which it is in the process of unifying (but is not there yet):

  • Microsoft Live ID (formerly Microsoft Passport) – Allows you to register using your own domain.
  • Hotmail – You must use a ‘Hotmail’ domain email.
  • Microsoft Online Services ID – This is what you get when you become an Office365 user.

All of these provide external users with a user account that an Office 365 admin can use to invite them into an Office 365 SharePoint collaboration environment. The first two listed will establish a Microsoft Live ID account on www.live.com whether you want it or not.

Established Office 365 users can be invited very easily into other companies’ Office 365 SharePoint collaborations using their ‘Microsoft Online Services ID’ (Office 365 login).

The process starts when an Office365 user with the correct administrative rights invites you as a ‘Shared User’ through Office 365 SharePoint.

This action will trigger an invitation email to the email address used in the invitation, containing an invitation link.

The link WILL NOT WORK, unless the invited user has a Windows Live ID or an Office365 account.

The following process outlines how a user would go about creating a Windows Live ID using their own email (not a Hotmail account).

Why not use a Hotmail account?

I would strongly recommend that organisations inviting external users insist Shared Users use their ‘corporate’ email accounts, NOT an existing Hotmail account, despite the convenience this may appear to have. This provides two levels of security:

  • If the employee leaves the company you have engaged, they lose access to that email account, and that act gives you a degree of user control.
  • A corporate account is unlikely to be shared with family members or left open on home PCs, which could see uninvited eyes finding their way into what should be controlled environments.

One final benefit of using a corporate email address is the ability to do Lync federation. This is beyond the remit of this blog, but in summary companies can federate Instant Messaging and enjoy the benefits of presence awareness with external parties.

So how to guide your prospective Shared Users in the art of setting up an account they can use:

  • Setting up a Windows Live ID if you do not already have one.
  • Accessing the SharePoint Online resource thereafter.

The following has been drafted so you can easily cut and paste it into a Word document and use it yourself to guide your prospects.

User Guide:

1. Do you have an existing Windows Live ID?

There are some circumstances in which you will already have a Windows Live ID, for example if your organisation is an existing Microsoft Office 365 customer and you are using Microsoft Office 365.

If you already have a Windows Live ID with your corporate email address then you do not need to create a new one. You can jump straight to 3. ‘Accessing Office365 SharePoint’.

2. Creating a Windows Live ID using your corporate e-mail address

a) Navigate to www.passport.com (see image below)


NB: Use the URL above; other Hotmail or Windows Live account creation links do not provide the flexibility to use your own email address.

b) Select ‘Sign Up’ in the left hand menu which will take you to the following screen.


c) Make sure that ‘Yes, use my e-mail address’ is selected and click Continue.

d) You will then be presented with a form that must be completed. Enter your corporate e-mail address, a memorable password, a security question with its answer, and the verification words. (see image below)


e) You will then be presented with a ‘Review and sign the Agreements’ page. To accept, simply re-enter your desired e-mail address and click the ‘I Accept’ button.


f) You will then be directed to a default Windows Live Home Page.


No further action is required here, you can at your leisure investigate the features and functionality that this offers, but it has no further bearing on the Office365 purpose for this account. The creation of the Windows Live ID account is what is important.

3. Accessing Office365 SharePoint

a) Open the invitation to collaborate e-mail, which should have arrived in your corporate email Inbox. It should look similar to the image below. Click on the button labelled ‘Accept your invitation!’ and you will be automatically directed to the collaboration site you have been invited to.


b) Before you can access the collaboration site you will be presented with the web page shown in the image below. This will be the same login you get each time you visit this resource. Either of the two options should work, but for consistency we direct clients to click on ‘Microsoft Online Services ID’.

NB: Existing Microsoft Office 365 users may not see a login prompt, as they are likely to already be logged in with their corporate email to their own corporate Microsoft Office 365 environment. Microsoft conveniently does the authentication in the background, recognising the user.


c) You will be directed to a log-in page where you should enter the e-mail address you used when creating your Windows Live ID and the password you chose when setting it up (image also below).


d) After you have entered your Credentials to this page you are ready to begin collaborating.

e) Please bookmark the link for ease of future reference.

I hope the above proves useful. If, as I am sure it will, the process evolves as Microsoft consolidates its own systems, please feel free to contact me to get this page updated if I have not done so already.
