The article in the Business Insider ‘Why Mobile-First Teens Are A Big Threat To Facebook’ highlights the weakness of the Facebook business model and this in turn points to the complete lack of ANY structured alternative on the Facebook strategic roadmap. This is not however the first time this decline has been reported, ‘New drop in number of UK users’ user fickle attitudes go back to this report in June 2011.

As I have stated before with its hyped IPO Facebook achieved a valuation that allows it to effectively buy a business model. The recent Facebook Home on Android attempt at re-inventing itself as a Mobile device ‘Skin’ seems to have flopped ‘Facebook Home flops, gets terrible reviews’ so where will they throw their next wad of shareholder cash?

However the latest reports do have greater substance, and the failing of the Facebook Home initiative supports this. The analysis reflects maturing use patterns on the internet and the simple nature that Information and collaborative resources are becoming very fragmented in the nature of how users consume them. No single resource satisfies, with the resource platforms recognising this and the need to interact through cross-posting and ‘mash-ups’. This is after all the strength of Cloud Computing and the new Application Programming Interface (API) orientated service environment that is being built out. All of which waters down the traction any single site or vendor is able to have on their audience, placing greater emphasis on DEPTH versus BREADTH of service delivery capability. It is the vendors demonstrating greater domain expertise in DEPTH that are the ones that will retain their niche user base, and those vendors that provide flexible well documented and user friendly API’s to allow third parties to integrate their unique offering instead of trying to compete.

If Facebook had any imagination, instead of copying other ideas and or closing its environment to cross-posting by trying to be all things to all users, it should open up to the new API world. BUT this is where its poor privacy record and attitude to data makes it a dinosaur, and one that will constrain how any API data sharing will benefit the platform. So until Facebook matures its data usage, retention and privacy attitude it is likely to continue to miss out on the next wave of Internet innovation.

That having been said for better or worse the Internet has not heard the last of this Data Privacy predator.

Following a recent Cloud Computing event I found myself increasingly alarmed by the prevalence of red herrings being thrown around by vendors with respect to how their solutions and or products solved Cloud security issues when in fact they did little more than try to address them individually at best.

The reality is that DATA must be exposed to the software we use to orchestrate it, be that photo’s in Photoshop, a Document in Microsoft Office Word or a record in a database or a record spread across multiple databases. That is where the issue lies in the exposure of Data. The challenge is how we protect that which is of true value. No longer the network boundary, but protecting the DATA, wherever it goes, however it is being accessed, regardless of its form factor. Not how a software solution can provide a secure environment in which to process data, albeit an important factor, it is not a solution in itself.

Bring on the day when data in its raw form is encrypted and the owner can manage that encryption with convenience and ease whilst ensuring complete control over whom they elect to share any part of that data set with. Imagine being able to share data and attach an expiry date, or revoke data usage at will (regulatory retention aside) instead of having to go through lengthy protracted third party information disclosure requests, which even then are often questionable in their accuracy.

What is appealing about this concept is the reality that it places the control of data back into the hands of the individual. The individual or corporation can then dictate whom, when and for how long they share their data. It opens up possibilities like levying a micro payment charge in cases where that data sharing has a commercial value transfer to any benefiting third party. Assuming a trusted platform that can orchestrate this according to a set of user defined sharing rules (policies), such micro payments would soon add up to reasonable sums of money when considering the current spread of personal data. Sadly we are currently a long way from that Holy Grail. It would certainly sober up the Internet Corporatocracy (Facebook, Twitter, Google and their ilk) of this world who have been building personal value by gorging themselves dining at the Internet table of free data. Their addiction to the concept of free data will I suspect see little support from that quarter for such a solution.

Data security software solutions and products largely address a single issue and do not materially protect the critical payload in transit, rest and during its consumption. The payload being none other than data and the information that is ‘data’.

Erosion of privacy through data seepage into the public domain out with owner’s control or intent is an issue of paramount importance and at a corporate and enterprise scale the exposure and risk grows exponentially. On a private individual level that is often of singular concern, attitudes towards privacy of data influenced largely through the Social Media behavioural contagion, massaged by the Internet’s Corporatocracy, who work hard at breaking down the principles of privacy for self-interest. At some point the Social Media lemmings of the world will wake up to find themselves victims of ‘The Emperor’s New Clothes’, loss of privacy and control of one’s personal data is a sorrowful state of affairs many will have to come to terms with. Reminds me of the immortal words ‘For fools rush in where angels fear to tread’ from the poem ‘An essay on criticism’ by Alexander Pope, or for the more contemporary and more poignantly named song ‘Jokerman’ by Bob Dylan.

I digress, Social Media aside, the simple acts of transmitting and collaborating on information present the largest risk surface area(s) for data compromise. Surfaces that are being built out faster than ever before with the boom in personal / portable compute devices (PCD’s) be that a smartphone, tablet, laptop or the next gadget that gets christened off a keyboard with a stuck ‘i’ key!

For every collaborative event requires a transmission of data, and such events are infrequently constrained within Local Area Network (LAN) but at some point transit a public fixed or wireless network (Internet) exposing or depositing data en-route as well as compute devices out with any structured realm of control. Increasingly the securing of the communication conduit is addressed using HTTPS (Hypertext Transfer Protocol Secure), an encrypted transmission that secures data in transit. But that is only part of the exchange process, and one that has had its security reliability tested and questioned, with early iterations of its underlying protocol having been hacked, ref; Infoworld Article ‘HTTPS has been hacked’. So far we have secured the trickiest part of the information exchange to compromise, the transmission, leaving the easiest, the PC and or Server, available and ready to be compromise. An email attachment click away and data on any unsuspecting PCD regularly falls victim to malware.

This gives a false impression of security, rarely are the end points to a data exchange, the PC, Servers or PCD’s similarly encrypted. But it is not JUST end points is it. Every device en-route between exchanging parties holds the data be it for milliseconds or in some cases longer. A veritable pass the parcel where, Data is cached and stored in a myriad of places, where the parcel is little more than a colander raining data and the information life blood of companies and individuals into the public domain.

A recent study released by Team Cymru reveals that hackers misappropriate more than 1TB of data daily from corporate networks alone. If they can do that from corporate systems what hope is there for the Silver Surfers (60+ generation), one of the fastest growing use bases on the internet today. This is not an isolated issue either. With a global population of Zombie computers in the millions the bad guys capacity to leverage compute power with malicious intent outnumbers the good guys. Moving briefly off theme a bit, the escalation of this power was clearly demonstrated recently with the 300GB Distributed Denial of Service (DoS) attack on Spamhaus ‘When spammers go to war: Behind the Spamhaus DDoS’. This was a x6 increase on the previously largest recorded DoS attack of 50GB. At this scale of escalation attacks are having a collateral impact affect beyond the targeted systems. Subject for a future article I would hazard.

Back on theme, we have all heard of ‘Data Security’, but as a term its use is more often not a full truth. As with the data in transit example above, data security is subjective when it needs to be objective. The security that vendors address today is addressing an environmental state that the data is not persisting in, or not persistent in for long. Securing the protocol’s that we communicate data through, or the servers, datacentres, PCD’s that we store data on or the software applications with which we orchestrate our data, is not true ‘DATA’ security. Access to any of these environments, whether authorised or not, means data can readily be harvested, and believe me it is and most of you will not even know it is happening off your own computers.

I feel like shouting in frustration sometimes – it’s in the name ‘DATA’ security, so secure the DATA itself, as I have blogged before ‘Data Security – It’s in the Name!‘ OK good that you secure the other servers, datacentres, PCD’s or software application assets but what about the DATA! I am not proposing we stop securing servers, datacentres, PCD’s and software application, but their security is addressing THEIR security profile and the DATA security is largely by association only. As we currently deal with security at the server, datacentre, PCD and software application level we create security silo’s that require gatekeeping. Thus the cracks start to appear and data fall’s through or the hacker sneaks in, every other which way the data is exposed to higher risk and the prospect if not likelihood of compromise.

Now throw into the mix the structural nature of Cloud Computing architectures and its fastest growing method of interfacing systems with the use of Web/Cloud services. A Web or Cloud service being little more than a traditional API (Application Programming Interface) exposed to a public network. Designed to link disparate systems to deliver richer and often more real time functionality at scale and with collaborative resources unattainable until now to single organisations. Web/Cloud Services live for data exchange and data retention follows hard on the heals of those exchanges between API exposed entities. API’s = more joins and cracks, not to mention interactions to be audited and jurisdictions that will be challenging to reach into to audit and truly validate Service Level and or compliance. This is no scare tactic, I work with programmers every day, and these are some of the smartest guys around, but they are human, and ‘humanum est errare’ (it is human to err).

With an Industry average of “about 15 – 50 errors per 1,000 lines of delivered code” Quote Steve McDonnell from his book ‘Code Complete’ (2nd Edition. Redmond, Microsoft Press, 2004. 960 pages. ISBN), there is an inevitable high risk in API’s, they are just code after all. Yes errors can be ironed out, but the effort is often not commercially viable. For example only after using extensive format development methods, peer reviews, and statistical testing did the space-shuttle project achieved a level of 0 defects in a random sample of 500,000 lines of code. The ‘Cleanroom Development’ technique pioneered by Harlan Miles achieves consistent rates as low as 3 errors per 1,000 lines of code (Cobb and Mills 1990), so there are no easy options. All said and done commercial realities turn this into a real concern, the cost of this diligence means API’s will not all be tested to such robustly high quality levels as the space shuttle which means there are errors, and where there are errors there will be means to an end for hackers:

• Insecure API Implementations Threaten Cloud
• Web Services Single Sign-On Contains Big Flaws
• Microsoft Research “All these flaws allow the attacker to sign in as the victim to her accounts on the websites using SSO services even without knowing the victim’s password,”

But what if the data itself was of no use once the hackers got hold of it? Do you think they would bother spending long ours gaining access to it if they found it worthless?

What I am getting at is the act of encrypting the DATA itself, the raw data packets, only then are we starting to address the nub of the issue – making the data secure. Encryption (to encipher) and Cryptography (hidden, secret) is a powerful resource. I like the core message in these terms because they point to the essence of what we must achieve with our data to make it truly secure to turn it into something of ‘no value or importance to anyone else’ = cipher to encipher / encrypt our data. Whilst that may sound simple I and the rest of the security community are under no pretence of the challenge this would represent to manage.

Encryption is no small undertaking, by its nature it is very unforgiving to the forgetful or unstructured amongst us which is why all but the very large Enterprises can afford data encryption systems. It is no wonder Enterprise Digital Rights Management (E-DRM) has become a familiar term transposed onto the more generic Information Rights Management (IRM). At a private level it is almost non-existent, for even if you understand the principles of Public Key Infrastructure (PKI) and can wield the tools of Pretty Good Privacy (PGP) to manage you data in an encrypted way you will find yourself limited in terms of who you can interact with as this is far from user-friendly or mainstream.

Do not be misled, poor adoption of PKI, PGP and their ilk are not an early adopter issue, it is a fundamental structure issue. These mechanism are complex to get to work optimally, and in a sub-optimum deployment they are compromised so its worth is questionable and in a corporate world ‘it works some of the time’ does not win much in budget debates. At an individual level it is simply the complexity of management and exchange of encryption keys and their associated Certificates validating key ownership that renders it unusable.

The best we have at present for securing our data files is through forms of IRM / E-DRM, but this has until recently been out of reach of not just the Small and Medium Size Business (SMB / SME’s) but even large Corporates. OK there are proprietary application level encryption and password locking features, but they lack the truly ‘in-line’ capacity as a real time solution and after all the internet is full of solutions that can break these within seconds just head over to the likes of:

• Passware
• Elcomsoft

Not all is lost though. Most of us have come up against the power of IRM in the form of Digital Rights Management (DRM) with online music purchase, finding that if we try to share a music file bought through one of the online stores we cannot. Why? Because the data is secured and has been locked for use to a single user account. Reflect, the data itself is secured this is the DATA protected, OK the software you use to play the media has to know how to read the data. The data compliance with a standard supported by the software that allows the software to interpret how to authorise the user to use the data, but again I point out this is the DATA that is secured, secured by encryption that refers a user (be it individual or software) to comply with a policy set by the data owner.

Welcome to the future of corporate and personal data, where software (any software) conforms to a standard whereby data is encrypted and software has to comply with that standard to use that data. Just as your Windows Media Player or iTunes software does today through their respective online stores which act as a validation and authorisation proxy for the music industry who are the ultimate rights owners of the tunes you play. In such a new world of data, you could perceivably leave you data anywhere and it would be secure. Why? Because it is encrypted, available to those authorised by the data owner. In such a utopia hackers would gain little from stealing data, and Google would not be able to scan your documents and emails so readily!

IRM as stated above has been the exclusive realm of large Enterprises with the deep pockets to invest in the necessary infrastructure and process discipline mandatory to ensure such an environment works seamlessly and critically data encryption keys are not lost! Until now….

May I introduce or re-introduce you to Microsoft Office 365, Microsoft’s Software as a Service platform for business of all sizes, affordable even for individuals. Microsoft Office 365, delivers Enterprise grade email, collaboration, conferencing and productivity software amongst other benefits. It reset’s the bar in terms of empowering organisations and even individuals and most poignantly stands alone in its security capabilities with its Information Protection and Control (IPC) in the form of Windows Azure Rights Management Service:

• Windows Azure AD Rights Management whitepaper
• Microsoft Exchange Online with AD RMS whitepaper
• Office 365 Virtual Labs for IT Pros
• Windows Azure AD Rights Management Administration Tools and Utilities

Microsoft Office 365 forges a Grand Canyon of a chasm between it and the following herd of online Saas business productivity service vendors when it comes to its compliance credentials and security capabilities, and at a price point that is challenging for any serious functionality and data conscious business executive to not consider very, very seriously. Microsoft Office 365 scales from 1 to 50,000 user environments OUT OF THE BOX! Now NO organisation has an excuse for inappropriate document or email disclosure. It allows ANY organisation to Rights Manage their documents and emails, applying Enterprise class encryption helping to ensure they are only visible to those that have been given explicit rights. This protects organisations in the following common risk scenarios:

• Laptop theft.
• Portable media loss.
• Dismissed employee data retention.
• Inadvertent CC’ing of emails or sending to the wrong recipient
• Email interception.
• Internet vendor document/data scanning.
• ….. amongst others

Not 100% full proof by any means but 100% better than about 95% of the ‘Data’ security being implemented by organisations today. Be assured that just because you believe you have not been compromised does not mean you have not. In fact I would challenge an organisation, IF you have any Intellectual Property worthy of being stolen KNOW that you are either compromised and you don’t know it or adversaries are going after it, if you don’t believe me I fear your falling foul of the old ‘Struthio camelus’ syndrome of head in the sand!

The elephant in the room then becomes how to validate the identity of those access in the data, how do you prove that you are who you are and not an impersonator or a middle man ‘borrowing’ someone access code(s). Single factor Username + Password authentication mechanism are too weak for true identity security, multi-factor authentication (something you know and something you have) is a step in the right direction but many multi-factor authentication approaches remain vulnerable, and thus the goalposts move …. that’s a subject for another day.

Conclusion
So whether you believed me at the start of this article or not here it is, for little more than the cost each year most organisations spend on toilet paper and tea bags (Ok and coffee) per employee they can enjoy Enterprise grade document and email security amongst a bucket load of other powerful features with Microsoft Office 365, no excuses.

——————–

Toilet Paper & Tea Bags Analysis

Thanks to Discovery Channel and MySupermarket.com:

• Average usage per employee/yr = 30,000 sheets/year or 134 rolls/year (@ 150 sheets per roll).
• Average price of 50p/roll

Total £67/year per individual on toilet rolls + Tea breaks at £300 per employee per year – Epiphany research 2012 quoted on ‘The Workplace Savings and benefits’ website.

Free in most cases means ‘Freemium‘ = a limited service offering designed as a ‘Hook’ to get users to consume a service or product. The ‘Free’ service or product offering just enough features and or resources to make it useful for users. The ultimate goal of course being to get subscribers to the ‘Free’ versions to upgrade to a premium or professional paid-for version of the product or service that gives more functionality and or resources.

For new Cloud Start-ups and ISV’s looking to create market this sounds like a great way of attracting a user base and the techie business start-ups flock to this model with little real awareness of the poor returns this can offer. The challenge lies in the conversion rate of subscribers from ‘Freemium’ to ‘Premium’ paid-for usage. The conversion rate is not encouraging. Compare high user volume applications with low and you get to see the hard facts:

• 560 million user base – Skype = 8%
• 300 thousand user base – Ning 5%
• Pandora, Dropbox and Evernote conversion rates are in the range 0.5% to 4%.

What is clear is there is these are not impressive and no ‘Average’ can be used as a rule of thumb, it largely relates to the value proposition for the users and that is the quandary for ISV’s looking at this model.

A full understanding of the Freemium dilemma for ISV’s going online is well laid out in the article by Kim Joar Bekkelund ‘Understanding User Acquisition in Freemium’ Kim interviewed 10 companies that use Freemium and provides an insightful analysis of the success of this model.

To achieve even the ‘Freemium’ subscription rate from which you hope to convert users there are some clear rules that are appearing to maximise this potential. Some top tips that are not rocket science but aim to lower the bar of entry to get users to sign-up and convert:

1. Remove as much ‘Threat’ and friction as possible:
   1. DO NOT demand a Credit Card or other payment method upfront for a Freemium or Trial. This will immediately reduce your sign-up rate to a trickle. Handing over payment details is the biggest decision for the users, so make sure you get them right to the wire first.
   2. Do use a third party authentication channel such as Microsoft Account (Former Live ID) or LinkedIn, Twitter etc This reduces time to sign-up and through association makes the process less threatening. Great for doing user marketing research as you will get more perspective from these login resources which often expose more information about users across other systems helping you to build up your customer knowledge.
   3. Automatically sign-users up to receipt of customer support and training as part of the quid pro quo for the ‘Freemium’ offering.
   4. Have a clear Privacy Policy statement that make sit clear what you do with users supplied data.
   5. IF you solution stores data in The Cloud, state clearly where and the nature of the security of that storage. Is it encrypted (ideally).
   6. If your service application stores data, have a European data location option. This is not expensive in the new Cloud world and will be a green light for offerings into a Professional user base who will be more data compliance aware.
   7. Provide a Contact form on the website for users. You don’t have to respond, its good to, but it is critical you provide a means of connection.
2. Conversion MUST DO’s:
   1. Get to know your market so you can communicate to users and gain mindshare.
   2. Follow-up by reaching out to your new subscribers within a week of sign-up. If users do not engage the resource in this timescale they are unlikely to, so stimulate action.
   3. Use training tips and videos to encourage user adoption of the ‘Freemium’, a great method of increasing the traction of your offering and to dangle Premium features.
   4. Use your ‘Freemium’ audience as voluntary testers of BETA ‘Premium’ features. Remember Google apps etc for years had BETA stamped all over them.
   5. Use support as a channel into ‘Premium’ if you have a business audience. According to David Skok, business users want professional customer support and are willing to pay for it, consumer users are less likely to pay for support.
   6. Make it easy and simple for users to get to ‘Premium’, some tricks include:
      1. In app free 30 days activation of premium features. Can be re-activated again IF user signs up to BETA test for example.
      2. Delay payment prompts till the last moment. I repeat, handing over payment details is the biggest decision for the users, so make sure you get them right to the wire first.
      3. Provide 7 days free email support. Be proactive if they call on it, you can charge for this afterwards so make it appealing. As existing Freemium users they are unlikely to need it but it’s a comfort factor that plays to the Professionals more than consumers.
3. Evolve and adapt:
   1. LISTEN to your users, let them show you the way forward and drive features. Just because you think you know what they want does not mean it’s right!
   2. Use surveys to reach out to users. Many users like to provide feedback and feel they can influence a toolset they are adopting.
   3. Adapt your Freemium offering to maximise adoption. Existing users will see this as a bonus (they either retain functionality or gain), new users may need this to get them on the Freemium conveyor belt and or into Premium.
   4. Do be a good data citizen. Secure your user data online PROPERLY, and don’t sell contact details. If you get compromised or found out you have just killed your credibility.
   5. PARTNER – The new world of Cloud Computing allows you to extend functionality quickly and cost effectively. API’s (Application Programming Interfaces) allow you to tie in niche features from third parties quickly and in so doing add value and give yourself a Premium revenue option. Yes you will have to share revenue with the partner but then you do not have the development costs but hopefully will get the marriage value incremental gain with your offering.

This is by no means exhaustive in detail or exclusive. Make sure you manage a detailed conversion pipeline, a finger on the pulse of your cost of conversion will save you from any unpleasant surprises and keep you firmly rooted in the realms of reality.

Good luck!

Wonderful, reminds me of the great new real time service world we are now living in where updates come automatically and services are iteratively improved. So goes the story. But for the fact that the Nokia update this week forgot the rules and left me amongst many other Nokia an HTC users stranded and frustrated.

What appears to have happened is Nokia has ‘flipped a bit’ in their software that now restricts the application to providing directional guidance to users default region ONLY. The UK in my case. Somewhat useless as I am sitting in the US. The worst of it was at the weekend the application got me up to Stevens Pass, WA, for some wonderful skiing, only for the update at lunch to then deny me directional guidance to get home! Not that I would mind being stranded on the hill, there was some great snow to carve up, but I was due to be in Seattle the next day for meetings with none other than their Phone buddy Microsoft. If this was a conscious feature addition or rectification of a bug that should have had this locked down in the first place is largely irrelevant. Nokia were aware of what they were doing and the impact was crystal clear to even the most closeted of product development managers.

This would not have been so bad IF they had declared this in the update log, but they did not, I tend to check the update logs before hitting update as some app vendors have done manipulative things in the past. Nokia did not provide any notice, furthermore they provide NO means for me to purchase or extend my applications regional support, or any guidance as to how I could remedy the situation. Just a cold and hostile message that left me stranded.

This has without doubt been poorly implemented and I fear Nokia will hide behind the line that the software is technically classed as BETA = user beware. The lesson for Nokia is in this day and age a company of its calibre should be aware of the new attitude that BETA or not users should be respected and such dramatic feature changes communicated or fear the worst, brand trust and confidence damage, so easily incurred, so hard to regain. It is a very delicate balance dealing with real time, something I would not have expected Nokia to have got wrong having had more time in this type of service game than many. But a lesson none the less to ALL companies, that if Nokia can get it so wrong we all need to tread carefully.

The outcome is, I have now been driven (excuse the pun) by Nokia’s poor handling of this functionality injection into finding a replacement and at a commercial cost (£79 in my case) that will not see me reverting back to the Nokia application. Cost was never the issue, as such they have not only lost a user they have lost a customer and revenue to boot. Furthermore it has breached a delicate trust that means I am no longer have confidence this Nokia service has my best interests in mind and will not be venturing into the Nokia service or device ownership space in a hurry again.

Nokia has some damage limitation and trust re-building to do. At the moment I see little to suggest they even care. We can but hope.

The challenge that faces all Nations and individuals alike is the increased impact of Cyber Thread. This is fundamentally what the European Commission is attempting to address for the whole of the European Union (EU) by encompassing an eye watering range of disciplines and jurisdictions from law enforcement, defence, the digital agenda, security, and foreign policy. On the face of it the format fits the EU objectives of greater integration and harmony, but under the surface it has all the hall marks of an exercise in herding cats. The rubber will not really hit the road till we see the action plans, and the monitoring process to qualify results, that are going to be fundamental to exercising and delivering on this ambitious strategy. This latter point being the Achilles heal of the exercise in tight economic times when the EU budget has to reflect the austerity measures of its members with NO exceptions.

Most worryingly cost of delivery is in the timescales this whole process is going to take to implement. In the meantime Cyber Crime becomes more creative maturing as fast as, if not faster, than the creative innovation engine that drives the digital landscape, itself moving at a faster and faster rate of evolution.

In summary the politicians and unelected cohorts of bureaucrats will forever be playing catch up. The fear is that in their haste they will be riding rough shod over some of our core democratic rights. As the Dutch Member of the European Parliament, Sophie in ‘t Veld was quoted saying “The lines are being blurred and we need to safeguard the fundamental rights we expect in a democracy and not cede disproportionate powers to law enforcement”.

The rolling up of all these powers does have a very dark side. One that is open to abuse. The danger here is that once in place the temptation / convenience can become too compelling for any elected governing entity to leverage, and the European Commission has inadequately addressed historical challenges to its own Trust and Credibility record across too many areas to be endowed with this level of centralised power.

This exercise the EU is going through is communicating a need for a new approach. Instead of a Big Brother flavour about it, an approach that can reflect the nature of the changing environs that are being addressed. The problem is it is easier said than done to teach an old dog new tricks, especially when we are talking about what goes on largely behind the closed doors from behind which unelected bureaucrats influence our elected politicians and launch sallies of conditions on our lives.

Actions speak louder than words and one thing the new digital economy is good at is making things happen, and happen FAST.

Estonia and their implementation of X-Road and individual digital certificate usage demonstrates where there is a will there is a way, and leveraging the technology (not having to reinvent anything) can be an effective remedy. It is encouraging to see that Thomas Hendrik Ilves, the President of Estonia, has been elected as Chairman for the European Cloud Partnership governance Steering Board. But more needs to be done faster.

As I wrote just before Christmas ‘Data Security – It’s in the Name!’ We should perhaps be taking a fresh perspective on the problem. Protecting the DATA itself and less worrying about the actual environments that data exists in (networks/cables, computers/serves/PC’s, smart devices, datacenters/offices etc). Why? It’s actually about managing the risk of the loss of DATA availability, and this is an EDUCATIONAL issue more than a regulatory and legislative requirement. Risk management is an acceptance that there will be failures, and that is REAL WORLD.

Take for example:

1. The internet – It was designed to withstand nuclear impact! It is largely self-healing and can route around network failures or even whole geographical regional blackouts. If so much of the Internet goes down that it ceases to function then no EU strategy is going to help. Furthermore Cyber Terrorists are unlikely to see much gain in the digital equivalent of triggering an extinction event by killing the Internet!
2. Datacentres – Deigned for failure, or perhaps you should be re-evaluating your datacentre provider
3. Computers – These are commodities today and with the exception of a few specialist systems, disposable with affordable options for data resilience through external backup storage media or cloud computing empowering even the most economically distressed with scalable backup. Or for the more paranoid both!
4. Smart Devices – It’s in the name. If they are doing their job they should be replicating core data and configuration settings to resilient external storage options which will allow a new device to be provisioned conveniently.
5. Data – Use of Information Rights management (similar or that used by the music Industry) encrypts data objects such as a digital document (Microsoft Office files) so they can only be read by those the creator has intended the document to be shared with. Theft of these files then becomes futile, remove the attraction, the threat is expunged. The same principles apply to an automated function of databases and exported record sets.
6. Digital Certificates – A means for individuals to identify themselves consistently so that access to Data can be reliably managed and TRUSTED.

The demands of society are actually on mandatory digital education and should be taught like learning how to tie up your shoe laces. To cover the following areas amongst others:

• Backup (and restore).
• Encryption.
• Digital Certificates.

At the moment society is learning by osmosis and Urban Myth. Times have changed, so must needs, and the EU Cybersecurity plan may have a place at a National response level but quite possibly there are more practical and immediate means of addressing needs further down the social hierarchy that will not have the cost burden on Small Medium Enterprises (SME’s) that the current strategy would impose.

Remove the ease with which data can be breached and the requirement for security and data breach notification regimes start to look somewhat dated controls.

Despite the lack of clarity around the Windows RT v. Windows 8 versions, Windows RT has established a solid user base. It delivers to the mobile demands of users in key areas of a stylish aesthetic design and critically excellent battery life. More on that discussion in my earlier blogs:

• Windows 8 RT – iPad Killer?
• Windows RT – The new Windows OS

Microsoft’s decision to release an OS build for the ARM CPU was largely driven by the capability this architecture gave the design teams to forge a svelte cutting edge design. Systems on a Chip reduced the bulk and cooling demands as well as increased the battery efficiency allowing for thin devices.

With the announcements by both Intel and AMD that they have their own x86 ‘Systems on a Chip’ CPU’s in the pipeline raises the question that has started entering debate as to the future of Windows RT. Couple this with the new Atom class CPU’s that are now driving fully fledged Windows 8 OS’s and narrowing the gap in critical areas of compactness and battery life.

If the hardware continuous evolve allowing a fully-fledged Windows 8 OS to be delivered on tablet devices without compromising battery and design then what does the future hold for Windows RT? The reality is very little. After all who would invest in a Windows RT device over a fully-fledged Windows 8 device? It is an election into a closed ecosystem with a derisory ecosystem of desktop applications and despite a 4 fold increase in Windows New UI applications they represent a poor compete against Android and iOS libraries of apps.

The decision maker in this saga is the application ecosystem and third party product and vendor attachment. iPad has enjoyed a momentum that appears to demonstrate that OS grade functionality is not a critical factor in the Tablet class as long as app and vendor add on product are compelling. That was in an environment that lacked such fully-fledged OS power, Android being no better than iOS. With Windows RT the started to change, but for the lack of application ecosystem. Now with Windows 8 appearing on iPad tablet design class devices there is going to be some interesting times ahead as the full momentum of the Windows application ecosystem and Partner 650,000+ commercial developer organisations get up to speed. Throw in the next generation of Office 365 due out soon and things get even more interesting.

Back to the debate on Windows RT’s future, there are many permutations but to consolidate these under a few common headline options we are left with:

1. Status-Quo

No change, however it lacks real viable evidence that it is not going to just wither on the vine. OEM’s have not only cancelled RT initiatives they are largely cold on the whole project and driving their hardware architectures to a full Windows 8 which is clearly their agenda further eroding the current device class RT is pitched at fast. There is a price and battery advantage that RT offers as a differentiator but that is modest, and for everyone I have spoken to Windows RT is not worth it.

1. Trim

Reduce the OS to the Windows New UI side of its personality, allowing it to live on lighter and cheaper hardware. As Windows 8 drives a new fully featured OS class of tablet, it will not supplant the cheaper, more compact, lighter and battery efficient Android and iOS class of device which we have become used to as consumption devices. RT has a future in the iOS and Android ‘Consumption device’ class. To do so it needs to drop its split personality (desktop side) and deliver just the new Widows UI. This would allow RT to be stripped back as an OS which could allow it to be delivered on reduced capacity device design’s that would slash cost and battery usage. This still does not identify what will stimulate the redressing of the small application ecosystem, as this is just another low end user volume platform competing against two well established platforms in iOS and Android.

1. Kill

Discontinue the ARM experiment in light of the point made above over hardware evolution supporting full Windows 8. This is the current consolidated view IF it continues in its current form and lacklustre redressing of blatant short fallings such as no offline SkyDrive storage which makes a mockery of the device as a mobile platform when you think you need to be always network attached!

1. Free

One thing is clear something has to happen to allow RT to compete in a class of devices that will not see it being thumped by its big brother Windows 8 as Atom Tablet architectures are already seeing happen. This will probably come over as a heretical idea and likely to be more than out of bounds for Microsoft culture to adapt to BUT there is a real and viable case for releasing Windows RT as an Open Source community effort.

Amongst many viable reasons:

• Removes license costs from production placing it toe to toe with Android and giving OEM’s a choice they currently do not have. It’s Android or nothing in that class of device.
• Make a friend with the OEM’s.
• Opening up the closed RT architecture would immediately get the attention of the largest programmer audience in the world.
• Put a cat amongst the pigeons with the regulators who have always enjoyed having a snipe at Microsoft.
• Microsoft has an established Trusting audience and loyal user base.
• Windows 8 UI familiarity on the Desktop will drive adoption.
• Free platform does not mean NO revenue. This has the potential of driving explosive growth in applications that will stimulate significant reviews through the Microsoft store.
• Community goodwill.
• Takes the fight to Google on territory it arrogantly believes it owns.

There would be significant challenges, headline ones including:

• Microsoft cultural readiness.
• It is unclear how much opening up the RT code would reveal cross platform x86 insights that Microsoft would rather were not.
• It will eat away at the bottom end of the Windows 8 market, BUT this is just the user tier that is adopting Android and iOS devices accepting the restrictions as they do not need power features and functions.

Most of the challenges could be dealt with either in the Open License Agreement and or limitations placed on opening up certain parts of the OS code, whilst providing them ‘black boxed’.

Looking at the bigger picture, services and application store revenues are increasingly becoming the new revenue generators. Would ‘giving away’ a lightweight OS iteration on a constrained hardware architecture really impact bottom line? I challenge that the ecosystem revenues would out weight that furthermore the momentum it would build behind the new generation of Windows OS’s in this class would be an accelerator into taking chunks out of the competitions market share for Microsoft.

It is just this type of bold and decisive action that would shake up this class of devices and place Microsoft very much into the tier of innovators again.

Casual discussions with some of Microsoft OEM hardware partners has seen this received with significant interest. Maybe a lunch with them all in the same room could forge a friendly meeting with the power that be at Microsoft?

For additional background there are a range of posts online addressing specific details of the exploits and vulnerabilities:

• US Government Recommends users Disable JAVA
• What you need to know about the JAVA Exploits
• Despite Oracle patches JAVA still compromised
• JAVA fails to restrict access to privileged code

This is not just another extremely dextrous hacker trick that would be limited in its impact. It is a fundamental failure by Oracle the new owners of JAVA to address fundamental security flaws in JAVA that have led to widespread exploitation.

The worst part of this is Oracle have failed the JAVA community by skirting around the reality of the situation, Quote Java security expert Adam Gowdiak, ‘the update from Oracle leaves unfixed several critical security flaws’.

Because of the severity of this issue and the poor job Oracle has done, it is critical awareness amongst users is proactively promoted with the recommendation that appropriate action is taken to protect themselves and their companies.

The advice is to Uninstall JAVA if you don’t have a need for JAVA, and if you are unsure that you need it uninstall it to be safe. If in the future users find it is needed, then at least the latest version can be downloaded and easily installed and hopefully by then the problems resolved so the version of JAVA will be secure.

You can uninstall JAVA from the Windows Control Panel ‘Programs and Features’ (Vista, Windows 7 and 8) or the ‘Add / Remove Programs’ in Windows XP.

If JAVA is perceived to be needed for some reason, firstly check if there is an alternative method of accessing the content. If not and JAVA has to be installed then the advice is to make sure you are running the latest version which can be easily downloaded from JAVA.com this does not guarantee security, in fact the current version IS NOT SECURE.

The understanding is therefore even after updating to the latest version, you and your company are still exposed. To mitigate this disable JAVA web browser support when it is not explicitly required, only enabling it for sites you explicitly trust, then immediately disable Java support again once you are finished. To disable web browser support for Java on a Windows PC do this:

1. Start – Control Panel – Open the Java icon
2. Click on the security panel and uncheck the box for “enable Java content in the browser.”
3. This will disable Java in your web browsers. You can manually re-enable it if you need it on a specific site.

Once Oracle addresses the current security holes in JAVA, it should be safe to re-enable Java support IF you require JAVA. That having been said it would be advisable for organisations to consider alternative technologies to JAVA that are better supported and in today’s modern multi-device world offer greater flexibility.

Perhaps this will see some sanity come back into decisions by the likes of HP, Dell and Cisco to continue building client management interfaces in JAVA.

The bizarre thing is that despite the obvious, the prevalence of IT security systems protect the ‘Environment Boundary’ in which data resides or is transmitted, whilst understandable form a certain perspective, it is somewhat medieval in its approach to the core ‘Data Security’ problems facing organisations and individuals today.

It is all good and well using SSL (Secure Socket Layers ) to ensure your communications (data exchanges in transit) are secure. BUT a waste of time if the communicating entities do not apply similar levels of security when the data is stored (data at rest). Even the most inept hacker knows that the easiest point to attack in any data exchange is the client (workstation, notebook, mobile device). The server end of the chain is likely to be more secure environment (not necessarily) than the end users. Hence the prevalence of end user vectored attacks, email being the weakest and most convenient conduit to perpetrate a hack. Once a Hacker can get some malware on a user’s PC they can just about do what they want with it, and that includes all the data unless the documents and or data is encrypted.

Thus we get to the headline of the article. DATA SECURITY. If all data adopted the same protective measures as the entertainment industry tries to do with their music and movies then less of our private lives would become public, and organised crime feeding off corporate systems selling inside secrets or blackmail would be poorer overnight. Organisations should be securing their CONTENT as well as their IT environments. Currently most organisations actually do ‘Environment Security‘ NOT ‘Data Security’.

Information Rights Management (IRM) has been around for decades in various guises.. ISV’s (Independent Software Vendors) are largely ignoring a HUGE market opportunity to tap this capability. Some understand it and build their business on this core feature, but most ignore it and defer security to the IT department’s ability to secure a whole environment. IRM has never been easier today to implement, without even needing to deploy a service it is possible to tap Windows Azure AD Rights Management and have this capability on tap. For organisations using the Microsoft Office 365 Online Software as a Service (SaaS) suite it is possible to enable this with ease:

• Set up Information Rights Management (IRM) in SharePoint
• Enabling IRM Services with Exchange Online

Microsoft Office 365 with Windows Azure AD Rights Management enabled represents one of the most secure and feature complete collaboration environments available on the market today. I would challenge some enterprises to prove a more secure data environment, and this is available to the smallest of organisations for less than £15/mth per user. This default functionality in Microsoft Office 365 is just a baseline, for the more security conscious this can be enhanced exponentially with third party products.

IRM is not full proof, nothing can stop someone re-typing a document or photographing a screen. BUT it represents a significant convenience barrier to those perpetrating corporate espionage and removes any ‘accidental’ disclosures.

I suspect though there will be a few more fruitful Christmas seasons for the corporate espionage crime syndicates to roam deserted corporate systems before the penny drops.

For many the reasoning is practical. You have your own Domain and you believe this requires you to pay for an email service that supports this. For others it is simply evolutionary, you have had an email and website packaged service many years with Vendor ‘X’ and have never evaluated your options so you are still paying for something you don’t need to.

For many of you in this scenario you may also find the interfaces for mobile connectivity and browser access are retro, as for website management solution (if at all), some websites are still limited to FTP (File Transfer Protocol) management access to a bare directory on the vendors servers, forcing you into the hands of a commercial agency to get any half decent site built and maintained at more cost.

The solution is simple:

1. For eMail = Outlook.com
2. For WebSite = Windows Azure Websites (See a follow-on blog for details on this)

If you want to see why and fancy a punt at other options such as ‘Google’ apart for the privacy issues that you may not be aware of with Google’s terms and Conditions, have a look at a straight Outlook.com v. GMail Feature Comparison which tells you why Outlook.com is the

If you are still not convince, just one feature should make it for you in this new mobile world we live in and that is Exchange ActiveSync (EAS)

For those who like a 3^rd party opinion then head over to:

• ‘10 Outlook.com Features That Makes It A Gmail Killer’
• ‘Outlook.com adds new features; some of which make transition from Gmail easier!’

The following is a summary guide as to how to set-up your eMail and domain on Outlook.com, a separate Blog will cover the Free Website feature in Windows Azure and the rich content management options this can include.

A PDF version of this Guide is available for download – ‘Outlook.com Admin Configuration Guide‘ (PDF 428kb):

Outlook.com Configuration & Admin Overview Guide

Step 1.

First off you need a ‘Microsoft Account’, formerly known as Live ID/Hotmail ID/ Passport amongst others. If you already have one then that’s easy, just jump straight to the Outlook.com Webmail Login  and voila, you are now running ‘Outlook.com’. If as an existing Microsoft Account holder you get the old Hotmail interface, it is simple to click on the ‘Options’ then ‘Upgrade to Outlook.com’ link and that is you upgraded, per the image below:

That’s you set-up with free Outlook.com email on your Microsoft Account. This is not yet active on your own domain or domains. To get your email on your own domains working you need to continue to Step 2.

It is advisable to be ready to move ALL our email accounts to Outlook.com BEFORE you commence Step 2. This should include being clear who controls your domain(s) DNS settings. If in doubt contact your hosting provider AFTER reading through the rest of this guide so you are clear on what is involved.

Step2.

Configure your domain and get access to Multiple User accounts on your own domain FOR FREE.

1. Head over to the ‘Windows Live Admin Center‘ at http://domains.live.com
2. Click on the ‘Get Started’ link’ Assuming you’re already logged in!

   

3. Enter your domain name. Don’t get confused by the ‘www’ prefix, it is perhaps not the most intuitive way of simply requesting a domain name! Then Click ‘Continue‘
4. Next you will have to go through a formality, check the setting s are correct and assuming your OK with the Terms & Conditions click ‘ I Accept’

   

5. The next screen is a little overwhelming for the non-techies. If you have access to your domain’s DNS or DNS management page then I assume you know what yru doing, if not you will be emailing a copy of this page to your Domains Registrar or Hosting provider who controls your domains DNS.

   In summary this page update your DNS records so that email etc will start getting pointed to your new Outlook.com profile.

   DO NOT initiate this till you’re ready for email to STOP arriving at your old email service, and you are ready to set-up all your email accounts on Outlook.com.
   

   You can pre-configure this and leave it as is, note the ‘Prove Ownership’ box highlighted in Blue. Until you have either made the changes or instructed someone else to and this box is replaced with a ‘Your Service is Active’ statement your email routing is unaltered.

   

6. Assuming were good to go with Outlook.com and you have made the changes noted above in DNS instead of the yellow ‘Prove Ownership’ box, you should now see an ‘Your Service is Active’ message box as illustrated below:

Now you can configure a variety of features from the left hand Admin menu:

Custom Addresses – This allows you to create additional Domain URL prefix’s for your mail domain ie:’mail.yourdomain.com‘ :

User / Members Accounts – user mailbox’s (Up to 500!!)

Open Membership – Great commercial angle to allow you to share your Domain with subscribers to a service or your website:

Co-Branding – Allow you to brand your email experience, ideal if you are using Open membership features:

Domain Reports – All important management tool to monitor activity on your email usage, a summary list of available reports below:

You should not be set-up with your Outlook.com service. You can add additional domains to this all managed by your principle Microsoft Account, or any other Microsoft Account you may wish to designate.

Other features you may wish to explore will include the Microsoft Live SkyDrive and Office Web application linkage that you get for collaboration with Outlook.com, you can access this from the Outlook.com mail interface at http://mail.live.com, top left click the down arrow next to the Outlook banner, see image below:

This will open up a link menu to other rich interface features and SkyDrive for document sharing and Office Web Apps integration:

This guide is designed for users who are not yet running Windows 8, and whilst it can be followed if you are running Windows 8 IF you have Windows 8 Enterprise then a much simpler option is to use the ‘Windows To Go Creator Wizard’ (accessible from the Windows 8 Enterprise Control Panel or search) which automates:

• USB Device provisioning process,
• Windows 8 Instalment (you still need to have the Windows 8 Enterprise install media for this)
• Bitlocker enablement options that can activate Bitlocker automatically during the Windows To Go creation process.

As you are creating a portable instance of your Windows 8 Operating System which is likely to contain private data we strongly recommend you activate the built in bitlocker drive encryption technology.

The process below does not allow you to enable Bitlocker during creation, it requires you to enabled bitlocker drive encryption AFTER creating your ‘Windows To Go Drive’ from within the Windows To Go workspace.

You can download a PDF version of this guide for ease of reference from here: Windows To Go Creation Guide (220 KB PDF)

This process requires Windows 8 Enterprise install media and does not work with other versions.

For a Windows To Go Feature Overview and more information please visit the Microsoft TechNet site.

Preparation Phase:

Step 1. Get the imagex.exe from the Windows Automated Installation Kit (AIK):

1. Download the Windows Automated Installation Kit (AIK) for Windows 7 (1.7GB) http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=5753
2. Download WinRAR, then uncompress the AIK ISO file that you downloaded, browse and extract the Neutral.cab file.
3. Uncompressed the Neutral.cab with WinRAR, and extract the file name F1_imagex.
4. Rename the file F1_imagex to imagex.exe.

Step 2. Get the install.wim Windows 8 Enterprise Install File:

1. Download or get your copy of Windows 8 Enterprise
2. If you have this is ISO format (if you downloaded from MSDN for example) use WinRAR to uncompress the Windows 8 Enterprise ISO file.
3. Browse the uncompressed Windows 8 Enterprise files going to the \sources\ folder, extract the install.wim file that it should be in there.

Copy both the imagex.exe and the install.wim files to a separate directory.

USB To Go Creation Phase:

Step 1. Configure your USB drive:

1. Open a Command Prompt (in Administrator Mode)
2. Run the following Commands allow each to finish before proceeding to the next:
   1. DISKPART
   2. LIST DISK (Note down the Disk number of your USB Device, ie: Disk 1 in my example below)
      

      
      

   3. SELECT DISK 1 (Replace 1 with the number of your USB Device from the step before)
      
   4. CLEAN
      
   5. CREATE PARTITION PRIMARY
      
   6. SELECT PARTITION 1
      
   7. ACTIVE
      
   8. FORMAT FS=NTFS QUICK (Format process may take few seconds, longer if you opt to do a full format by leaving off the ‘QUICK’ option)
      
   9. ASSIGN
      
   10. EXIT
       

Step 2. Install Windows 8 Enterprise onto the USB:

1. Open a Command Prompt (in Administrator Mode)
2. Browse to the folder that has the Imagex.exe and now the install.wim
3. Run the following command: imagex.exe /apply install.wim 1 D:\
   (Replace D with your USB drive letter)
4. This write process will take a bit of time, progress is displayed.
5. Once the write process has completed configure the boot record in the Windows To Go USB drive. Type the following command: bcdboot.exe D:\windows /s D: /f ALL
   (Replace D with your USB drive letter)

Volia!

Now you should be able to boot to your external Windows 8 Enterprise USB To Go device and complete your installation. Some helpful hints on how to configure the traditional desktop Start Button etc available at Windows 8 Desktop Prioritisation Guide