In a Cloud world, does backup still matter?

If your business is in the Cloud, don’t let ignorance be bliss. You may regret it!

I recently worked with a client, a law firm, on their Business Continuity plan. A Business Continuity plan is simply a document that spells out how a business will respond to different kinds of business interruptions including systems failures or catastrophic events.

Like many businesses, they’ve been working to migrate many of their systems to the Cloud. As I reviewed the different failure scenarios (ie, fire/natural disaster, hardware failures in the office, Office 365 becoming unavailable, Cloud app becoming unavailable, etc.) we realized that unlike the in-house systems where we have multiple backups, online back up and failover, we really had no way of recovering if the Cloud solutions became unavailable or lost their data. The only option was to wait for the service to become available again and hope to recover the data.

 

A Cloud Provider Perspective: Trust us, our availability and retention systems are enough!

Several years ago I sat in a seminar put on by Microsoft for its Partners designed to educate and promote their evolving Cloud solutions including Office 365. One of the Partner participants asked “how are we supposed to backup the client data in Office 365.” The Microsoft representative seemed totally puzzled and annoyed. He simply said the systems will be available and offered an additional MS solution to enable mailbox archiving for an additional cost. For Microsoft Partners, this was a shocking perspective since MS has been promoting backup best practices through their certification programs for years.

This kind of laissez faire response about backup is typical among Cloud providers. The Cloud is supposed to be simple, secure and easy, like turning on the switch from a utility. It turns out that backing up your data offline from a Cloud solution is difficult and is often an unbudgeted cost. So these questions are often swept under the rug by the providers and ignored by the subscribers.

 

Availability and retention, how does it differ from Backup?

Most Cloud solutions rely on availability and retention solutions to protect your data. This means they have sophisticated systems and redundant infrastructure so that if their system suffers a failure, their systems will remain available. They also keep multiple versions, changes and deletions for a certain amount of days. But it’s important to remember that availability and retention are not a backup strategy.

A backup strategy employs unique copies of data in disparate systems, physically separated from production systems. They employ good retention policies that can keep copies of data for at least several months, a year or possibly longer. A good backup strategy also takes into account recovery of data to production or backup system and how long that recovery will take (Time to Recovery).

 

So how secure is my data on the Cloud? The truth is cloudy

I looked at the Service Level Agreement (SLAs) and Master Service Agreements (MSAs) of several of the big Cloud providers to see what they actually do to protect your data.

Salesforce – Salesforce’s seems to be one of the most limited I’ve seen on the market. Their MSA says they will “…use commercially reasonable efforts to make the online Services available 24 hours a day, 7 days a week, except for:… (List of exceptions)” There is no statement ensuring backup of data or change retention. They also clearly spell out that the most they can be liable for under any circumstance is 12 months of services paid. If they lost all of your Salesforce data or couldn’t recover your account for 1-2 weeks, is that enough for you to stay in business?

Microsoft Office 365MS’s SLA is a bit more confusing as they provide a financially guaranteed uptime formula for compensation called Service Credits. Service Credits “…are your sole and exclusive remedy for any performance or availability issues…” The financially guaranteed uptime guarantees makes no guarantees of data integrity specifically but they do spell out all the efforts they make to protect your data. Like Salesforce, they also make no claims of backups.  They do indicate they replicate data between 2 or more geographically disparate data centers and make other specific efforts to prevent data loss. If MS lost some or all your data or couldn’t recover your account for 1-2 weeks, would receiving the financial benefits described in the Service Credits be enough for you to stay in business?

G Suite/Google – Google provides their Terms of Service as well as a SLA, but provides very little detail in terms of data protections or guarantees. They do offer an additional document on security here, which outlines some of their technologies and systems to protect customer data. The TOS and SLA specifically address “down time,” the period for which their service are unavailable.  They offer similar language as Microsoft and offer Service Credits as a customer’s “…exclusive remedy for any failure by Google to meet the G Suite SLA.” If critical GoogleDocs become corrupt or unavailable for an extended period of time, how resilient would your business be?

 

What is the risk, is Google/Salesforce/MS likely to lose my data or go offline for an extended period of time?

The short answer is no, it is unlikely and the risk is low that any of these large Cloud solutions providers will lose your data or will remain offline for an extended period of time.

These providers are heavily invested in the protections of your data and the availability of their systems. For their own credibility and future of their business, there is a heavy burden to make sure their systems meet the expectations and needs of their users. One major loss of data or extended down time could significantly hurt their credibility and possibly put them out of business. It may be the case that some of the smaller and niche Cloud providers represent a higher risk though, as they likely don’t have the same systems and resources that MS, Google and Salesforce do.

But hope and ignorance are not a plan and there is always some risk. These Cloud businesses work on large scales, so the loss of 100 Google Docs, while important to you, is likely not going to rock the Google ship! Getting resolution to 1 or 2 missing or corrupt Google Docs is not going to get a fast and personalized response even if they are critical to your $1M contract.

 

Betting on the Cloud is like going on a cruise

When I think about the question of risk with Cloud services, I always think of going on a cruise. Cruise ships are sophisticated giants, like floating cities, that roam the World’s oceans. They rarely have problems and have so much girth and sophistication that they can manage most challenges (Weather, systems failure, medical emergencies, food, etc.) But when things do go wrong, the outcomes can be disastrous. You do not want to be stuck on a cruise ship during a major storm, system failure, Norovirus outbreak, etc. And we still do keep lifeboats on board for a reason.

 

What should I do, I love what the Cloud does for me and my business

No one is arguing for not using Cloud solutions. In fact, leaving Cloud solutions out of your businesses technology arsenal will limit your competitiveness. But business owners and managers must treat Cloud solutions as a critical business relationships rather than the as a “utility” as is promoted by the Cloud industry.

To make sure your business is strong, you must make sure these relationships are strong. Business owners and managers should do the following:

  1. Evaluate what Cloud solutions are in use and what functions they play within your operations
  2. Determine risks to your business should Cloud service or data become unavailable
  3. Evaluate existing contracts and determine what can be changed or enhanced to limit risk
  4. Implement backup and recovery solutions to mitigate identified risks
  5. Evaluate business continuity and cyber insurance to ensure your risks are properly covered
  6. Review Cloud relationships regularly to make sure your plans are still adequate for identified risks and newly identified risks

Ultimately, managing a Cloud solution is no different than what we’ve been doing for years to manage internal in-house infrastructure. Going to the Cloud has not eliminated the risks of technology failure, it has only shifted the operational burden. The risks still need to be identified and managed.

 

The challenge of Digital Identification in a Cloud world, Password Managers Emerge

At time when the news headlines are filled with a parade of data breaches (DNC, Yahoo, etc.), the Password Manager has emerged as an effective tool to solve the problem of Digital Identification.  Digital Identification is the way you prove who you are to all your Cloud based online accounts.

The Password Manager is a online system combined with software tools that allows users to create long, complicated password strings that are unique to each online system. This prevents passwords from being guessed and prevents compromised passwords from being used to access other sites if one system has been hacked.

The challenge for online service providers is to secure their systems and accounts but allow users easy and convenient access.  Without a Password Manager, long, complicated and unique passwords are not something that people can easily use.

Without a Password Manager, username and passwords are ineffective because:

  1. People choose passwords they can remember, which are simple for criminals to figure out.
    • Brute Force techniques allow criminals to guess thousands and millions of common combinations (Ex. Password1, Sex123, etc.) from dictionaries and lists of already discovered passwords from previous data breaches.
    • Old fashioned PI work is surprisingly successful using social media and public records to formulate possibilities including children’s initials, birth dates, mailing addresses, pets names, hobbies, etc.
    • Phishing techniques like was used in the DNC hack trick users into sharing their passwords through fake websites and email solicitations.
  2. Long, random, secure passwords are difficult for humans to remember and as a result are not used or are stored insecurely.
    • Often, passwords are kept on sticky notes under keyboards, in note pads and in insecure online address books in Google or Outlook.
    • Users find creative ways to compromise complex password requirements by making minor modifications, writing  them down but leaving out some characters, etc.
  3. The same passwords are often shared across different systems.
    • Long complex password that change frequently are hard to remember, so users use the same or similar passwords across many systems
    • Hackers know passwords are shared across multiple systems so they try and access other online systems once a password is discovered and verified.

The Password Manager evolves

The original password managers were not useful because they were inconvenient.  They presented too much of a challenge to setup, organize and access.  Also, securing all your passwords and private information with a single password seemed like having all your eggs in one basket.  If that system and password was compromised, so was everything else!

Modern password managers have solved most of these challenges.  They are now the hub of your digital identity.  Products like 1Password, LastPass and Dashlane provide simple solutions to protect your passwords and provide convenient access from all your devices and online.

You are in control

  • With the help of these tools, long, random, unique and complex password are created for your online accounts.  The Password Manager software makes logging in and accessing your online accounts simple without having to remember these passwords.
  • There is no need for 3rd party solutions like certificate authorities to issue and manage your credentials.  No one else can grant access to your online accounts and you don’t have to use permanent physical characteristics like your fingerprints, DNA, etc. to identify yourself.
  • No one but you can see your passwords and account info. None of these online solutions store your passwords in a form that is accessible to anyone other than yourself. They do this by employing high levels of encryption within their systems and they encrypt your passwords with your own master password, which they don’t have.

Isn’t this risky, putting all your eggs still in one basket?

Many people still get stuck on the single master password and the concern with having all your eggs in one basket.  It’s a legitimate concern but these systems have checks in place to limit this risk.

  • Before you can attempt to un-encrypt your database with the master password, you must first authorize your devices and demonstrate control of the email account associated with your account.
  • Attempts to access your account are logged and reported to you so you’ll know quickly if someone else is trying to access your account.
  • 2FA/Multifactor Authentication can additionally be added onto your account.
  • The Master Password is never stored in their system, so if they become compromised hackers still should not have access to your information.

Emergency access

One feature that I find particularly compelling is “Emergency Access.”  When someone becomes ill or passes away unexpectedly, there is a panic among family, friends and sometimes within businesses to try ensure access to online accounts and protected files.

My wife and I have many online accounts related to finances, insurance, mortgages, photo sharing, etc.  One day I realized I had no idea what passwords my wife was using for many of these accounts as they change often and have so many different requirements.  With the Emergency Access feature, I can setup emergency access to her passwords after a 2 day waiting period.

Why shouldn’t we just use alternatives to passwords?

Biometric or genetic authentication: Science fiction has often extolled the benefits of genetic or biometric authentication including retinal scanners, fingerprint readers, voice recognition or DNA scanning.  The problem with these technologies are twofold:

  1. They can be fooled:  If a would be hacker learns a target’s fingerprint, retinal pattern or DNA unique identifiers, systems can be devised to represent these unique patterns in a way that can fool an automated system.  There are currently many examples online of fingerprint readers being fooled.
  2. Once a biometric or genetic marker has been compromised, users cannot “reset” them, they are hard coded into our bodies.  So if one’s identity was stolen and it was tied to a unique DNA identifier, the individual is now unable to easily reclaim his identity.

Digital Certificates: For a time there was a lot of discussion about how Digital Certificates from certificate authorities could replace passwords.  These certificate systems are currently widely used for securing websites, securing corporate and the government systems, and to sign software code.  They use a private and public key model to encrypt and identify authorized users and systems.

However, Digital Certificate systems have failed to become broadly used because of two major challenges:

  1. There is no one to trust with all this power!
    • Over the past few years there have been several high profile compromises of certificate authorities including Comodo, Symantec, and others.
    • Certificate authorities hold the master keys, allowing a single point of failure.  This allows malicious actors who successfully compromise one of these systems to access unauthorized systems or issue illegitimate certificates.  This allows the publishing of fake bank, google, or other systems where users are tricked into providing information through fake systems.
  2. Public and private key certificate systems have proved to be too complicated and inconvenient for most average users.
    • Users have to be able to understand the private and public key model, which is often beyond the interest and abilities of most users.
    • Personal certificates are not very convenient.
      • I can load my Private Key on my computer so that when I go to my banking site I can easily log in, but what do I do when i’m at my parents house?
      • I can load my Private Key on a USB Smart Card but that opens up many other challenges and security risks including plugging in USB drives to other people’s computers.

2FA or Multi Factor Authentication: 2FA (Two form Factor Authentication) or Multi Factor Authentication is the technique of using 2 or more methods to uniquely identify a user.  This usually includes some form of password combined with a text message, phone call or possession of physical hardware Token (USB device, Phone App or computer app that generates random numbers, etc.).

  1. 2FA or Multi Factor Authentication doesn’t get rid of passwords but makes them much harder to compromise.
    • Even if a hacker knows a user’s password, they cannot gain access to a system without the second or third authenticator.
  2. 2FA and Multi Factor Authentication methods are becoming broadly and freely available with many online systems including Apple, Facebook, Google, Yahoo, Microsoft, etc.
    •  The problem with these solutions are that they make access a lot less convenient. This is especially true if you’ve misplaced your smartphone or are not working on your own computer or if you’re sharing access to a system (usually can’t list multiple cell phone numbers).
    • Additionally they don’t eliminate the password, they just make it more secure.

A good option now for greater security

The convenience of the Cloud’s always on, always available nature means that these systems are always available to enterprising criminals all over the world.  Long gone are the days when systems are safely behind physical walls and firewalls requiring special software and/or physical access.  There is a significant need now for greater security across all these systems and the Password Manager is one of our best options.

 

Best Bluetooth speakers for home and office with some business inspiration to boot!

This subject may seem like a fluff topic but I have to tell you about these speakers and the company behind them.  They’ve got me pumped because they are great speakers, lots of fun to use, have great business applications and even offer a great business lesson.

The Product

The products I’m talking about and love are the Oontz Angle 3 and Oontz Angle 3XL.  They are inexpensive ($30-$110) Bluetooth speakers with truly incredible sound given their size and cost.  They have a built-in mic for use with phones and computers as a sound source and are super easy to setup and pair with your devices (phones, computers, etc.).

As you can imagine, they are a great way to bring music wherever you are but they also offer impressive portable speakers for business presentations and can be used as a portable speakerphone for ad hoc conferences when paired with your smartphone.  So these are great to place in conference rooms or with traveling executives and sales staff.

One unique feature of the Oontz Angle 3XL (the larger unit) is that if you buy two of them, you can set them up to offer true stereo sound with each one carrying a separate stereo channel.  I have not tested this as the single units have proved to be more than sufficient for my needs.

The history

I used to be a bit of an audiophile when I was younger and was really into a company called Cambridge Soundworks, based in my home town of Newton MA.  I visited their factory store, dreamed of their speakers and even tried to get a summer job there.

Cambridge Soundworks has gone through enormous changes over the years.  At one time they had a national chain of retail stores and huge online direct distribution.  But with anyone familiar with the consumer electronics and Hi Fi industry, everything changed with the iPod and digital music and people lost interest in component music and high fidelity sound systems.  And so the likes of Lechmere, Tweeter, Circuit City and many others went out of business in the late 2000s.

Cambridge Soundworks was no exception and was struggling in the late 90s but had a niche with products that worked directly with computers and the new portable music players like the iPod, known as SoundWorks.  They had comparatively good sound next to the competition.  In 1998 Creative Labs, a computer components and portable electronic manufacturer, acquired Cambridge Soundworks.  As best I can tell, Creative Labs cannibalized Cambridge Soundworks for their technologies and distribution and ended up closing all their retail locations. Their products dwindled, there was no innovation and their brand suffered.  As a loyal and committed customer, it was very sad to see this downfall.

In 2011, SoundWorks, Inc. was formed and purchased the remaining assets of Cambridge Soundworks from Creative Labs Inc.  They relaunched the business based on a new product called Oontz, a portable Bluetooth speaker system.  Frankly I was dismayed.  As someone who was into sound quality this was the last straw! Bluetooth was notoriously bad at carrying high fidelity sound and the speakers were so small that I couldn’t imagine anything worthwhile coming out of them.

Fast forward to 2016 and I’m a HUGE fan!  I think the Oontz products are incredible.  Yes, they still don’t offer truly high fidelity sound, but they do provide an exceptional solution for a convenient, connected speaker and mic system with good sound. And they have achieved this with a product that is simple to use and has better sound than the competition at a lower cost.

My takeaway

As a business owner I can become overwhelmed with the necessity and constant pressure to innovate and evolve to stay relevant. It is easy to get stuck in the nostalgia and wishful thinking of what used to work or how things used to be.  All you have to do is think of behemoths like Polaroid and BlackBerry to know what the risks are.  But when I think of Cambridge Soundworks, I’m inspired and amazed at the vision and guts it takes to truly innovate and evolve a business.

I’m inspired by Cambridge Soundworks because they were not held back by their own old products and past successes.  They were forward looking, understood their unique value proposition of good simple sound products at a lower cost, and created great brand new products that people want.

The result is a business reborn and great speakers I can call the Best Bluetooth speakers for home and office.

To Slack or not to Slack?

As many already know, the cloud based messaging tool Slack burst onto the market in the summer of 2013 and has become one of the hottest business messaging platforms around.  Honestly I was slow to pick up on its relevance and what differentiated it from other solutions.  I remember reading about it, looking into it and thinking I just didn’t have time for another gimmicky or niche solution which could expose me and my clients to security risks.

I’ve seen many new technologies come and go over the years and some of them stick around but don’t have the adoption or credibility to be a real business solution.  This has been the greatest challenge to Slack, because in order for it to become a solution that people can use, they have to prove that it is a safe, secure and reliable place to put businesses communications and files.

Brilliantly, Slack has used the same playbook as DropBox.  They managed to get their product into teams and businesses through the IT back door by offering free services that anyone can setup, offering simple, well written software and web apps.  And they have been so overwhelmingly successful at promoting their product that they have real credibility now.

Our Experiment

In our office we’ve been using Skype for Business for the last 4+ years and found it to be a great solution for keeping track of people’s Presence and reducing Inbox bloat.  So when we switched a couple months ago to Slack on a trial basis, I was very skeptical and didn’t want to give up what we already had.

In Skype for Business, Presence allows users to post their availability and what they are up to, like an electronic bulletin board.  This makes looking for help and answers much quicker than sending out multiple emails, calls, checking calendars, etc.

Skype for Business has also been great at reducing the Inbox bloat associated with the multiple interoffice emails, which tend to crowed out important emails.  And Skype for Business keeps your conversations available and searchable in your mailbox for review and documentation.

The Verdict

So after getting everyone connected on Slack and running it in place of Skype for Business for several weeks, we decided to stay on Slack.  In the end Slack offered several benefits that users felt better served our needs.

Pros:

  1. The Slack software and web interface are simpler and more usable.  They are easy to understand and follow and get the information we need.  Slack provides great software for smart phones, Macs and PCs.  In Skype for Business, the software is slow to load and connect.  On the Mac users are still limited to an old Lync client, which is very limited and buggy.
  2. Conversations among multiple users (Channels in Slack parlance) remain persistent, which is enormously helpful.  This allows messages to be posted and users to review and contribute to them at another time.  They can also see the history of the conversation to give them context and allow them to catch up.  In Skype for Business, conversations are immediate, meaning you can’t send a message for someone to receive and respond to later.  If you do message someone who’s busy or offline, they may (not reliably) get an email with the “missed conversation.”  Once someone disengages a chat session, the session is over and a new conversation must be established without the chat history.
  3. Notifications and continuity between devices is very smooth and reliable.  Slack always seems to know where to notify you (Computer, phone, web, etc.) and is very good at reliably reflecting which messages are new and unread regardless of where you check.  Also, being able to manage notifications based on topic (Channel), direct messages or specific words is helpful in limiting unnecessary distraction.
  4. Extensibility is a very strong and a unique feature of Slack.  It allows integration and extension of the Slack systems to many third party solutions and plugins.  I haven’t used many of these yet but they are widely used with many 3rd party add-ins.
  5. Slack offers persistent file storage.  Unlike Skype for Business, which transfers files from one system to another when they are shared, Slack actually stores them.  This has some collaborative benefits but also introduces new security considerations. We have not been using the file sharing capabilities as we’ve implemented Slack with a very specific purpose and strict usage guidelines.  We don’t allow client data, sensitive information or files stored in the Slack systems.

Drawbacks

Using Slack does have some drawbacks.

  1. Its support for Presence is very limited.  It really only has a “Do not disturb” mode and a light indicator to show if a person is online.  You cannot easily reflect location, current task or to indicate if you’re in the office but busy in a meeting.  This has also been reflected in the feedback I’ve gotten from users that Skype for Business seems more immediate.
  2. The user interface can become very muddled with what I call “Channel Creep” or “Channel Sprawl.”  Having too many Channels and overlapping Channels can get very confusing.  Ultimately someone needs to be in charge and maintain some level of order in an organization.
  3. Slack can also be another monthly cost.  In the Cloud age, businesses are saving on capital expenses but are being drained by the growing list of monthly subscriptions critical to their daily operations. It is true that the free offering may be sufficient for many users, but the free offering is limited and may not always be available.
  4. Slack possesses some security and data portability challenges.  The lack of data portability means you cannot easily take your data elsewhere if for example you decide you don’t want to use Slack anymore.  You can export your data for compliance and archiving, but the exported data is mostly unusable outside the Slack system.
  5. Security is also a consideration as Slack creates a new attack vector exposing communications and documents stored outside primary communications and storage systems like Google for Work, Office 365, DropBox, Box, Egnyte, etc. It constitutes yet another system, set of user accounts, passwords and copies of duplicate files for businesses to try and manage.  In 2015, Slack suffered a major security compromise exposing all their user profiles including passwords to hackers.

Alternatives

There are alternatives to Slack with similar communication models including HipChat and Fleep.  Both products have received much less media coverage then Slack but offer very compelling alternative solutions.  Not to be outdone, Microsoft is planning on introducing Skype Teams, which reportedly will have much of the same capabilities as Slack.

Conclusion

All in all, Slack is a great messaging technology that many businesses should consider using.  It offers a unique approach to messaging with significant advantages over older communication platforms like email, IM and voice.

The Cloud requires a new kind of intelligence, “Cloud Smarts”

Growing up as kids we could easily differentiate between school smarts and street smarts.  School smarts were the skills needed to excel in the classroom and school institution and street smarts were the “intuitive” skills that some had to survive on the “streets” and negotiate challenges, strangers, bullies and other potential threats.  These different kinds of smarts came to different kids with different levels of ease and were learned and taught in school and the home.

But in today’s Cloud enabled world driven by Big Data, there is a new set of skills and understandings that almost all of us are unaware of.  I would like to term these skills and understandings as “Cloud Smarts.” As a society, it’s increasingly critical that we cultivate an awareness of Cloud Smarts and its impact on our daily lives.  Without this awareness our democracy, economy and even our own free will are at stake!

The Cloud and Big Data Explained

The Cloud allows data and systems for many users to be maintained centrally.  This has a lot of benefits including huge operational and development efficiencies and improved access through web-based systems.  It also allows the data from a huge sampling to be analyzed, giving insights and making sense of data that would otherwise be inaccessible and seem random.  Big Data is the ability to analyze and make sense of these huge seemingly unrelated data sets.

Here are a few good examples of the positive impact of the Cloud and Big Data.

Example 1:

A large restaurant Point of Sale (POS) Cloud solution is able to see across thousands of its subscriber restaurants and develop insights using Big Data tools that can identify likely fraud patterns by analyzing retail, inventory and transaction information.  They share these findings as a benefit to its subscribers and alert them when likely fraud is taking place in their operation.

Example 2:

A large Antivirus company uses its millions of software agents across its installed base to inventory file signatures of all the files its software scans.  With this information, Big Data tools can help identify maliciously modified files and files that don’t belong on systems.  This helps the Antivirus company to identify threats that have not yet been discovered and improve the accuracy of detection of known threats.

Example 3:

A large Cloud provider of file and email services is able to see logon and access patterns of users across a large user set and geography and is able to use Big Data tools to identify likely hacking attempts by a sophisticated global actor. With this information they are able to notify the affected users and put in place counter measures to limit user exposure.

Anonymity and therefore privacy are lost forever

Cloud systems and Big Data are wonderful when they help solve problems that are becoming increasingly complex in a connected world.  However, with this incredible insight into huge amounts of data and patterns, anonymity becomes a thing of the past.

It doesn’t matter how many laws the EU puts into place “protecting” privacy or how well the medical industry protects your medical records through HIPAA compliance practices, people’s online behaviors generate unique patterns that, through the use of Big Data along with publicly available data sources, can uniquely identify them.  If you don’t believe me, check out this article.

Your Internet behaviors are being collected from many sources including your ISP (through sold DNS traffic), your Cloud service providers and Ad tracking systems (like the SilverPush system linked above). They are being carefully curated and stored by companies you’ve never heard of before called Data Brokers.  Data Brokers are happy to sell any of this information to whomever is willing to pay for it and allow the information to be used for whatever purposes the buyer would like.

With the loss of anonymity and personal privacy, the Cloud and Big Data can lead to some scary outcomes.  Here’s a few examples of the Cloud and Big Data gone wrong.

Example 1:

A large sales organization uses several online Cloud services to help facilitate their sales team.  The team can “share” materials with prospective consumers by sending presentation materials and links to online resources about their services and products.  Because the prospect is logged into Google online services (Chrome web browser) and also their FaceBook account, the Sales person can pull lots of personal profile information about the prospect without them being aware.  This is permissible through the Google and Facebook terms of use.  Also, the tool used to share the product materials allows the sales person to see what pages the recipient spends most time on, what info is skipped, etc. all without the prospect knowing it. The sales person is now armed with a trove of personal information without the prospect having any idea that the scenario is lopsided and the prospect’s chances of making an informed and fair decision are significantly impaired.

Example 2:

Large stock traders already use High-Frequency trading to connect directly into the electronic stock markets using fiber optic lines and high-speed computers to make hundreds and thousands of trades in fractions of seconds.   They use algorithms to anticipate even very minor changes in stocks and the market and make many buys and sells as a stock goes up or down.  These small changes can mean big money if you’re able to sell thousands of stocks in a fraction of a second.  Many people already find the High-Fequency trading unfair to the average joe trader.  But now imagine if High-Frequency trading firms were able to combine this capability with seemingly inside knowledge only available to them through the use of huge data sets and Big Data tools?  They might be able to correlate information from Data Brokers, Internet traffic behaviors, trending on FaceBook, trending on Twitter, trending on Google, weather feeds and other data sources to anticipate specific movements in the market.  They may even be able to track the likely geographical movement and purchasing behaviors of key executives to help determine certain outcomes.

Example 3:

It is possible that local and national elections are being impacted by well financed special interest groups using Data Brokers and other online data sources to create highly customized and individualized advertisements that would directly speak to individuals’ specific situations and concerns in order to influence their thinking and voting?  This advertising is unfair and manipulative because the viewer has no idea that the message is individualized and is based on inside knowledge of them.  These advertisements may not even look like Ads and may direct them to seemingly reputable resources and reporting with a specific political bent or misinformation.  It is very difficult to regulate these types of efforts and the use of Big Data and the availability of information in the Cloud makes these efforts relatively simple and scalable to roll out.

We must develop a good sense of “Cloud Smarts”

I’m constantly asking my friends, colleges, clients and family if they care if Google (The Cloud) knows so much about their behaviors: Searches, documents, photos, movements around the globe, phone calls, friends, etc.  And resoundingly they all say for the most part, No they don’t care!  They like the information, convenience and free services they get and are willing to give up “some info” to get them.

So what do we do to protect ourselves and make sure we continue to benefit from the Cloud and Big Data while not giving up the freedoms that make our society great?

Ultimately Laws will need to evolve to catch up with the technology to adequately protect citizens.  But until then, individually we have to cultivate an awareness of what data is out there, how easily it is collected, who has it (anyone who wants it) and how it can be used to impact our behaviors and our fortunes.  This trend is only accelerating as more systems and solutions move to the Cloud and more of our daily lives are conducted online.

We can also demand transparency and clarity from our Cloud providers.  One company who is setting the bar for this level of transparency is Microsoft with Office 365.  They clearly spell out how data is stored, protected and used and provide tools for customer auditing.

Cloud Smarts starts with a healthy sense of feeling vulnerable, a good defensive posture and being mindful of what data you knowingly put online (Ex. Google, Facebook, “free” services, Ad links, etc.). We can no longer browse the Internet believing we’re in control, because mostly we’re not.  We have to understand that Ads, links, sales people and other “strangers” likely have more information about us than we realize.

Brian Krebs is a well known reporter and blogger on computer and Internet security.  His blog posts and writings on security breaches and the general sense of online insecurity are eye opening and have helped me stay informed and understand the full scope of the issues.  He has several posts about ways to protect yourself online including setting up a Credit Freeze and Tools for a Safer PC.   There was also a very interesting article about Data Brokers on NPR worth reading.

Staying informed, aware and skeptical are the foundation of the new Cloud Smarts we should all start practicing.  Perhaps if we’re lucky the kids in school will learn about this, give it a better name and help teach us about the new reality.

Where does the traditional phone fit in with the modern business – VoIP and Internet Based Phones Solutions

VoIP  (Voice over Internet Protocol) has been in use since the early 2000s by both businesses and consumers.  However, if anyone remembers the early days of Vonage at home, you probably remember the horrible call quality issues.  Today the technology has improved and the needed bandwidth is now readily available.  VoIP is now the new standard for business and home phone systems.

VoIP basically means the phones are connected and calls are being carried over network equipment using Internet based protocols instead of the traditional low voltage copper lines in use since their invention by Alexander Graham Bell.

VoIP systems offer many benefits over traditional phone lines and phone systems including:

  • Simplified self administration, usually web based
  • Enhanced functionality including voicemail to text by email, call recording and internet based voicemail management
  • Simple and powerful automated attendant systems for flexible and professional call routing
  • Simple and powerful presence and call routing including find me follow me functionality, so calls can easily be routed to cell phones, home phones, office phones or wherever you are
  • Simplified unified system for offices and remote staff because all that is needed is good Internet connectivity
  • Built-in phone conferencing

 

VoIP solutions come in two main flavors, On Premise and Cloud Hosted.

The On Premise solutions have four main benefits:

  1. They can include integration with on premise CRM applications and other on premise software.  This is great for customer service departments and other call heavy departments.
  2. Lower cost for some organizations that have a requirement for a large number of handsets but few actual users.  This might include labs, manufacturing facilities, kitchen operations, etc.  Hosted solutions will charge monthly for handsets even if they’re not being used while on premise solutions only charge for the lines being used for inbound and outbound calls.
  3. Greater control and visibility into security as systems are maintained in-house and access to systems is limited.  This mitigates some exposure to threats like eavesdropping, call hijacking and long distance fraud, among other threats.
  4. Generally greater reliability and call quality due to the frequent use of dedicated switched circuits and the elimination of variables from network and Internet bandwidth limits.

Cloud Hosted solutions offer the following benefits:

  1. Very low up-front costs
    • Handsets and possibly some networking equipment are the only needed equipment
    • Dedicated Internet connectivity may also need to be purchased
  2. Very low maintenance costs as those costs are built into the monthly recurring subscription fees
  3. Unparalleled flexibility and scalability allowing phones to be setup at multiple locations, can be easily moved and can be easily expanded or contracted to accommodate changing workforce and business
  4. Lower Long Distance charges as many VoIP solutions offer fixed and inclusive National and International LD solutions

 

VoIP pitfalls and common mistakes

There are some significant pitfalls with using VoIP solutions, and often the sales people for these systems are not familiar with all the networking and technical challenges that should be considered, so it is really important to include your IT staff or consulting firm in these decisions.

Choosing the wrong VoIP solution or improper implementation can lead to lots of frustration, can impact call quality and wreak havoc on business data networks.  Some of these mistakes include:

  • Using the same data network that is used for your computer equipment
    • In this setup users “uplink” their machines through the VoIP phones.  This may be OK for some simple networks but it effectively puts a network switch in front of every computer.  This can have a significant impact on network performance and may impact the performance of some high throughput applications.
    • Using phones with slower ports than the existing networking equipment on your network.  Many phones are sold with 10/100Mbps ports while many offices are running 1000Mbps networks.  Newer networks are even going to 10Gig speeds.   By uplinking to these phones, the networks are effectively slowed down by a factor of 10 or more.  The phones with slower ports are less expensive and easier to sell for sales people who are not familiar with these limits.
  • Not provisioning proper Internet connectivity or traffic segmentation and prioritization
    • This can lead to dropped calls and call quality issues, especially when bandwidth becomes challenged by large computer downloads and online applications.
    • Simultaneous loss of multiple critical business data systems including phones and Internet when there is a reliance on a single Internet provider.
  • Purchasing too much networking equipment that overlaps with existing data infrastructure
    • Sometimes VoIP providers try to replace existing networking switches and firewalls, which may not meet the needs of the data systems, but are sold to accommodate the needs of VoIP systems.  This can lead to all sorts of network and security challenges.

 

Do you really need phones anymore?!

Before making any changes or replacing your current phone system, many businesses should really ask themselves do they even need phones anymore and if so how many?  It used to be that every desk and person needed a phone with voicemail, but now that paradigm has shifted.  Many startup companies don’t get phones for much of their staff unless they are direct client facing.  I’ve seen whole offices of programmers with no phones.

With so many modes of communications including email, chat, IM, voice services like Skype and Google Voice, Slack, Yammer, etc. in addition to users’ mobile phones, desk phones have become superfluous for many. In fact, I have users complaining about having to have an office phone as it is just another voicemail they have to manage. Similarly many people are seeing their home LAN lines as unnecessary.

 

Alternative Internet based phone solutions

Many businesses should consider using a Virtual Phone System rather than a full-fledged VoIP or on-premise phone system.  Virtual Phone Systems include some elements of a VoIP solution but do not actually include handsets.

These solutions allow businesses to have a phone number, automated attendant and call routing but lets them take advantage of the diverse phone solutions their staff already have in place including mobile phones, traditional LAN lines, etc.  This is great for a distributed work force or sales team and offices that have low call volumes.  These types of solutions can also be effectively combined with VoIP and On Premise systems to meet the needs of many businesses.  Some of these Virtual Phone Systems include Grasshopper, VirtualPBX  and OneBox.

 

Great VoIP solutions for office and home for people who don’t “need” a LAN line

The move is on in homes across US to drop their home LAN lines.  People don’t see the need for the expense and functionality is redundant with their mobile phones.  Even small home based businesses are simply using mobile phones and other solutions like a Virtual Phone System.  But there are still good reasons to have a primary phone line and there are some really good inexpensive solutions to meet this need.

Some of the compelling reason to still have a “LAN” line are:

  • Phone number tied to a location:  Sometimes you need to call a location rather than a person and the LAN line is always in the same place.  So if calling the house or the office, you may not care who picks up but that someone does.
  • Safety: Having a fixed phone to ensure communications in the event of an emergency can be very important.  Mobile phones wander and are tied to users but kids and staff may need to place calls to safety personnel when mobile phones are not available and don’t reflect a traceable address for 911 operators.
  • Call quality: Good VoIP phones is still offer better call quality then mobile phones, especially within some buildings or areas where coverage may not be good.

Ooma is one of my favorites choices for VoIP solutions for home or small office.  They offer “Free” and Premium solutions that meet most user’s needs at a very compelling price.  The “Free” offering requires an up-font $100 purchase and monthly $4/month “Taxes and Fee” for their basic service plus International LD and other service charges. Their Premium services is only an additional $10/month, but this may not be necessary for many users.

In a world of so many communications options, the traditional phone has still managed to stay relevant.  But with the Internet as its backbone, the phone has morphed into a much more flexible and capable tool with many different deployment options, which businesses and individuals should be keen to take advantage of.

Encryption, a double edged sword for businesses and home users trying to stay safe on the Internet

People may think of encryption as a technology that protects users’ privacy and security. And it’s true, encryption can be a powerful tool to protect ones privacy and secure sensitive information.  However, the current trend toward encrypting everything has created a significant challenge for businesses and users trying to stay safe from hackers and malware.

Encryption is the process of scrambling data so that only the intended users can access it. There are many forms of encryption.  Some encryption technologies protect data in transit such as TLS/HTTPS, which protects the information passed back and forth to websites and through email.  Other forms of encryption are used to protect data at rest on hard drives, iPhones, and cloud storage.

What does this mean for me, my business or my family?

It’s great to know that my credit card number is safe as I buy products online or conduct online banking.  But this same technology is also helping the bad guys to hide their malware and their efforts to steal our money, resources and secrets. The expensive technologies we’ve put in place including gateway firewalls, web filters, email scanning, Antivirus, etc. has been rendered increasingly ineffective now that more and more traffic is protected by the cloak of encryption. The content can only be viewed once it is executed and unpacked on your machine or your network, and by then it too late!

Imagine my 9 year old son, at home, going to YouTube.com to search for videos for fast cars and Hot Rods.  I do limit his access to sites by category, but YouTube.com is considered a legitimate and safe site.  YouTube.com is run entirely over HTTPS, encrypting all traffic from my home computer to the YouTube.com servers.  Once he’s connected, the Next Generation Layer 7 Firewall I have installed at home (perhaps overkill for home but this is my line of work) can’t see anything going back and forth between my son’s input and the results that YouTube gives him because its all encrypted.  His search terms and the results are blind to the filtering I put in place. So when that video of Hot Rods shows up, which was not at all what he was expecting, me and my wife are put in the unenviable position of answering our very inquisitive son why someone might make that video!

The same is true with other legitimate sites.  Almost 50% of websites online are WordPress sites.  These sites, if not maintained, are highly susceptible to compromise. I’ve seen many examples of sites becoming compromised and distributing malware to unsuspecting visitors.  That Youth Hockey site forum or Spa website you frequent may be the source of your next computer virus!  If the site is being run over HTTPS, that traffic is not being filtered by the web filters, firewalls or Antivirus you have in place, letting the malware into your network and your computer unobstructed.

Even this silly Blog is encrypted over HTTPS.  I could be infecting your machine right now! Encryption is being used heavily throughout the hacker world to evade detection and for distributing their malware..

Why is everything being encrypted and how did we arrive at this point?

When Edward Snowden released his Wikileaks documents in June 2013, aside from the specific details and revelations, its greatest impact was that they shattered one of the basic operating principles of the Internet, there is privacy in numbers. It was always understood that the sheer volume of transactions and data on the Internet made the Internet relatively private for most of us.

Why would anyone care about a personal email to my grandma about my plans to meet her on New Year’s Eve?  This email is one of trillions and the subject is seemingly irrelevant to anyone else but Grandma. The amount of time, money and effort for some organization to find, catalog, store and correlate this one email was thought to be improbable if not impossible. It’s like walking through Times Square on New Year’s Eve picking my nose.  Who would notice or care?

But we learned how the U.S. Government had put systems in place to do just that, record huge amounts of data from all communications systems and the Internet, cataloging the information and making this data usable through artificial intelligence, analytics, pattern matching and targeted searches.  Content and data streams from large companies such as Google and Microsoft had also been intercepted and fed into these systems.

Learning of this made individuals, Google and other institutions mad.  People’s privacy and confidence had been breached!  But really, how does this affect me and my email to Grandma?

Our trust and privacy was violated!

Google, Microsoft and other large companies immediately began implementing greater encryption across all their systems.  In 2014, Google made news by modifying their search algorithm to make the results of encrypted sites appear higher in search results and by publishing statistics about ISPs and websites who did and did not encrypt their web and email traffic.  So now this silly blog site is encrypted because I want to be found on Google! Along with this trend, the technology progressed and the processing overhead of encrypting traffic and decryption no longer posed significant overhead for providers.

Now all your search requests to Google, increasing numbers of websites, emails and more are encrypted, making access to this information by the prying eyes of the government and other unwanted and dangerous actors much harder if not impossible to access.  There are even moves to encrypt more traffic on the internet including DNS and other communications.

But are we safer and is our information more secure?

Unfortunately we’re not any safer today. According to Symantec’s latest Threat Report, there were almost double the number of Zero-Day threats discovered in 2015 then in 2014, a record 9 mega data breaches in 2015, over 50% increase in Spear-Phishing campaigns targeted at employees and the list of troubling statistics goes on.  The unintended consequence of ubiquitous encryption has only made the detection and discovery of malware and hackers efforts even harder.

It may be true that the U.S. Government no longer has ready access to your data, but now the tools and solution we have to protect ourselves have been compromised by the use of encryption.  Our personal data has become the domain of private corporations such as Google, who have built walls around their systems with encryption with little oversight and transparency.  Hackers can now more easily and stealthily steal our information and avoid detection with the help of encryption.

Instead of the U.S. Government knowing about my email to my grandma and my plans to meet her in Times Square on New Year’s Eve, Google, their affiliated advertising partners and also anyone else who sees the geographical coordinates published by my photo on Instagram and Facebook know exactly what I’m up to.  Also, because the hackers have successfully installed a quiet keylogger on my machine that was downloaded from the secure Youth Hockey site, they have successfully co-opted my good credit rating and opened 5 credit cards in my name and have left me with $50k in loans. They also managed to rob my house while they knew I was out of town.

What’s a person to do?  I like the privacy encryption provides but I don’t want to be a victim.

I’m not saying encryption is bad or we should stop using it.  However, it does pose a particular challenge to people and businesses alike trying to stay safe on the Internet and protect their information.  There are some technological solutions available to help mitigate these risks including HTTPS inspection solutions, and software and hardware pattern matching solutions.  They are worth consideration for many businesses but they’re expensive and hard to implement effectively.

Also, Antivirus companies are releasing new products and technologies that are starting to address these challenges through sophisticated behavior analysis, so staying up-to-date and implementing their new solutions is important.  There are also some notable startups that are taking different approaches to identifying and fighting malware including Cylance and Barkley.

Keeping computers up-to-date with all their software including OS (Windows, Linux and Mac) and all third party software (Java, flash, browsers, plugins, Microsoft Office, etc.) is also critical in protecting yourself. There are lots of solutions for businesses to deploy updates and patches across a network.  Home users or small offices can use a free tool called Secunia PSI.

The most effective and important thing anyone can do to stay safe is follow Safe Internet Behaviors.  Companies should be testing and training their users by sending out malicious like emails and phone calls to try and trick them into giving out information or access that they shouldn’t. There are now many solutions like PhishingBox that can provide these services.