Navigating the cloud: SMEs and cloud services

nielharper

Cloud-Computing-cap
More and more small businesses are migrating to the cloud and reaping significant benefits like never before. With cloud services, small businesses no longer need to install physical infrastructure like e-mail servers and storage systems, or purchase software applications with exorbitant annual license fees. The “on-demand” availability of cloud solutions means seamless and simple collaboration with customers, business partners, and staff members using nothing more than a web browser. Cloud services also provide entrepreneurs and home-based businesses with access to advanced technology without the requirement to hire a full-time IT specialist.

But what exactly is this “cloud”?

Cloud computing is an overarching term which encompasses a number of different categories. Software-as-a-Service (SaaS) is where a particular application or service is provided to a business or individual as a subscription. Google Drive, QuickBooks Online Plus, and BaseCamp are all popular examples of SaaS.

Using Platform-as-a-Service (PaaS), businesses are provided with a platform on which they can build, install, and maintain customized apps, databases and integrated business unit services. Widely used PaaS include Windows Azure, SharePoint Online, and Google App Engine.

Infrastructure-as-a-Service (IaaS) allows businesses to outsource infrastructure in the form of virtual resources. Components include servers, storage, networking and more. IaaS providers include Rackspace, HP Converged Infrastructure, and Amazon Web Services.

Most small businesses generally don’t need much more than SaaS to meet their operational needs. SaaS provides them with the capabilities to deliver a myriad of IT services that would otherwise be expensive and resource intensive to administer as localized, on-site solutions.

It must however be emphasized that cloud services bring with them a number of security, stability, and data control issues. That is why it is critically important that small businesses stay informed and strictly require that cloud providers furnish them with detailed business continuity plans and security controls to remediate outages and protect sensitive data.

What to do when your cloud brings the rain?

There are a plethora of reasons why cloud computing is popular. It gives small businesses the technology that enables them to be lean, agile, and competitive. But as is quite evident, trusting your information assets to a single entity whose equipment is stored in a centralized location, means that you’re extremely vulnerable to whatever outages, security compromises, or natural disasters that they are exposed to.

So what are small business owners to do? Here are some recommendations that can allow you to better manage the risks associated with cloud providers.

Fine Tune Your SLA: Service level agreements (SLA) should codify the exact parameters and minimum levels of service required by the business, as well as compensation when those service levels are not met. It should assert the ownership of the business’ data stored on the cloud platform, and outline all rights to retaining ownership. It should include the infrastructure and security standards to be adhered to, along with a right to audit for compliance. It should also specify the cost and rights around continuing/discontinuing use of the cloud service.

Keep Critical Data Local: Decide which business processes require maximum uptime, and keep them on-site. Avoiding the cloud totally for specific mission-critical applications, small businesses can minimize data unavailability as well as security and privacy issues. Most definitely some businesses have regulatory requirements to meet, and this ought to be a key consideration when deciding not to ship your data offshore.

Two-Factor Authentication: More and more providers are offering two-factor authentication (2FA) as a means of securing access to cloud services. Two-factor authentication adds a second layer of authentication to user logon credentials. When you have to enter only your username and one password, that’s considered as single-factor authentication. 2FA mandates that users have 2 out of 3 types of credentials before access to cloud resources are granted.

Deploy A Hybrid Configuration: Maintaining a hybrid implementation of cloud and local services is a best practice approach for protecting company data. Replication or archiving solutions often deliver a service with both a local appliance at the customer’s premises and cloud storage too. This type of on-premise-to-cloud replication strategy ensures that you have local copies of the data you transmit to the cloud. Actively seek out cloud providers that can configure this kind of scenario.

Availability, integrity and confidentiality issues will always exist when using IT systems. And when a business employs cloud-based computing, these challenges are even more pronounced. Be extremely meticulous when searching for cloud providers, and question them about their security controls and disaster recovery options. Even though you outsource the processing of your business data; there’s no reason why you should lose control.

Network Operators and the Profiteering Games They Play

nielharper

net-neutrality

[This is my personal commentary on a situation in the Caribbean where Digicel Group, a mobile operator, is blocking VOIP services such as Viber, Nimbuzz, etc. and asking these companies to basically pay for Digicel’s network upgrades]

The Internet, as with any other disruptive technology, has necessitated a change in the business models of service providers. However, in many cases, there is serious resistance from network operators to adapt to this new reality. These companies make millions (and in many cases billions) of dollars in profits a year, but are insisting that content providers and OTT services providers foot the bill for network upgrades.

Based on CAPEX trends in the telecoms industry from 1996 through 2012, capital expenditures have pretty much remained the same from year to year. So why all of the sudden have ISPs and mobile broadband operators put so much time and energy into ‘forcing’ content providers to pay in addition to their own increased costs of supplying more robust Internet content, any increase in network upgrade costs of the ISPs as well?

The reason is because the usage-based model of service billing is no longer relevant or sustainable. The Internet has killed it… DEAD!!! Service providers cannot bill a customer $0.45 a minute for ILD when VOIP providers are charging $0.02. They cannot charge for the usage of mobile broadband in megabyte increments; market forces and hyper-competition have pushed service providers toward unlimited data packages. They cannot milk consumers with outlandish roaming charges when individuals can jump on the free Wi-Fi in airports or at Starbucks and make those calls for free via Viber or Skype (or even better, simply use 4G networks to make those calls for free).

The Digicel Group posted $2.78 billion in revenues for the year ended March 31, 2013 with core profits of $1.2 billion (http://tinyurl.com/pa4fy6l). Is all this money supposed to go to shareholders and the likes of CEO O’Brien who cashed in a dividend of $650 million (http://tinyurl.com/q84cajd)? Why isn’t a percentage of this profit reinvested into network upgrades to meet market demands? To now ask OTT service providers to fund upgrades is not only unreasonable at face value, but also entirely inconsistent with published financial reports indicating that returns on investments are excellent, and are expected to improve even further, driving additional growth in bottom line profits.

And to expect regulators to be complicit in their forcing of costs on companies like Viber, Nimbuzz, etc. or in raising prices on consumers is to present a false choice. Increasing demands for bandwidth is a fact of the industry. Innovating to meet those demands are what network operators are in business to do.

The Narcissistic Entrepreneur

nielharper

Narcissism

My blog posts are generally about the challenges and opportunities of the Internet, and its impact on society. But there is a trend I have been witnessing that has necessitated a brief divergence from my tunneled musings. I am going to refer to the aforementioned trend as “narcissistic entrepreneurship”, and it is characterized by inflated egos, superiority complexes, and a certain intolerance / indignation for anyone who is not “working for himself or herself”.

First of all, let me state that none of us ever truly work for ourselves. We work for our employers, customers, shareholders, investors, employees, families and most of all for the state (have to pay those taxes folks!!!). Trade and commerce are symbiotic in nature, and the complex interweaving of dependencies is often forgotten (or ignored) by most.

Secondly, entrepreneurship is a compendium. There are several types of entrepreneurs; all of which must be understood and appreciated for what they are worth. Now let’s take a look at some of the different types:

1. The Octo-Boss
These are the brave and adventurous souls (or so they think of themselves) who have started a small enterprise and take on numerous roles — strategic, tactical and operations — to keep the company afloat. They market the business, manage the books, answer the phones, meet with potential investors, serve the customers, and anything else that is required to be successful. Work-life balance maybe an issue, but who cares. They are their own boss. Right?

2. The Obstinate Artist
These individuals are generally ‘anti-system’ and committed to freely living their passions. Albeit, many of them are starving or not making enough money to eke out a comfortable existence. Still, they are the ‘free spirits’ among us — the painters, musicians, budding fashion designers, etc. — who enjoy being untethered and have made a statement by rebelling against the man and his wage labor oppression. Fight the power! Umm, I guess.

3. The Freelancer
This person runs their life as if they are actually working for a company. They are so highly skilled and effective that they only work on a contractual or project basis, They maintain flexible working hours or work remotely, negotiate excellent remuneration and a litany of perks, and pretty much still enjoy all the benefits of being an employee (without actually being one). Some of them even secure such large contracts that they can outsource the work to others. All power to them.

4. The Simplistic Frugal
He/she has a simple business model. They have found one thing that they’re very good at and committed to (e.g. Selling coconuts, snow cones, fruits, nuts, grilled fish, etc.). They generally have mastered their supply chain, or have very little overheads, and profit margins are substantial. They are not extravagant by any means, save most of their money, and have made some very shrewd investments. Over an extended period, they have build significant wealth, but one would not know from seeing them. Be careful who you judge.

Some of you maybe wondering what is the point I am trying to make. It is simple. There are many entrepreneurs who think their path is so much more righteous than the road travelled by those in the money-for-labor system. But every entrepreneur is not a success, and every success is not an entrepreneur. For those beating themselves up because they haven’t started their own company, think about where you fit on the compendium. Landing on the cover of Entrepreneur or Fortune is not the only route. Every single one of us has the ability to create something. And we all can succeed if we find our niche and perfect our craft. One love and best of success!

Cyber Threats and Security in the Caribbean 2014 Update

nielharper

Lock background

[Exert from a recent interview I did with ICT Pulse on the state of cybersecurity in the Caribbean]

ICT Pulse: Niel, give us a quick recap of what were the most prevalent incidents in Barbados and/or in the region in 2013?
Niel Harper: In 2013, Barbados was subjected to attacks from a number of different threat vectors. Several government agencies, financial institutions and private businesses were the focus of targeted website compromises. Some of the techniques used were distributed denial-of-service (DDoS), cross-site scripting (XSS), and SQL injection attacks. There was also a sophisticated ATM skimming campaign that was perpetrated by Eastern Europeans whereby several commercial banks were targeted. I would like to emphasize that these are the known issues. I am pretty certain that the occurrences and complexity of the attacks were much higher, but as there is no legal requirement to report breaches, we will simply never know.

ICTP: Although we are still early in 2014, how is the threat landscape changing? Are there any particular areas of concerns that you have for Caribbean organisations this year?
NH: The Caribbean will be facing the same evolving threat landscape as the rest of the world. For one, as more companies and individuals in the region move their information to the cloud, we should expect to see more focused attacks on corporate and personal data stored on cloud services. Secondly, we will witness greater adoption of advanced persistent threat (APT) techniques to be used in the distribution of traditional malware. There will be growth in the amount of Android and iOS malware, and the burgeoning use of mobile apps for enterprise applications coupled with increased social media usage will broaden the overall attack surface. Given that Windows XP is still widely deployed across enterprises and on personal computers, the platform will become a huge target for attackers as Microsoft ends support activities. And finally, spam is evolving to a point where it is being employed more and more for malware payloads.

ICTP: At the CARICOM level, there appears to be a growing awareness of cybercrime and calls by leaders that something be done. In your opinion, have there been any improvements in the cyber security-associated resources or support structures in Barbados, and/or perhaps regionally? What might still be missing?
NH: The Government of Barbados has signed a MOU with the ITU to setup a Computer Incident Response Team (CIRT) within the framework of the ITU-IMPACT initiative on strengthening cybersecurity. I believe that this step is a signal of intent by government to improve cyber response capabilities in the country. However, my concern is that the accompanying cybersecurity legislation and the necessary capacity building for personnel is not being addressed in as robust a manner as it needs to be. Jamaica has expanded the capabilities of the Communication Forensic and Cybercrime Unit (CFCU) of the Jamaica Constabulary Force, and has also taken steps to establish a national computer security incident response team (CSIRT). A National Cybersecurity Task Force was also established in 2012. However, what have been missing in Jamaica are large-scale cybersecurity awareness programs to educate key at-risk groups. The Caribbean Telecommunications Union (CTU) has also been doing its part to combat cybercrime region-wide, but there are still a plethora of challenges in numerous countries in terms of adequate resources and funding for cyber security response. Moreover, there is little to no coordination among the cybersecurity entities in place across the CARICOM footprint. This prevents the region as a whole from jointly benefitting from crucial activities such as threat information sharing, critical infrastructure protection, active defense and incident preparedness.

ICTP: Are you observing any real evidence of a greater willingness among organisations to take cyber/network security more seriously? How is that awareness (or lack thereof) being manifested?
NH: I think there are generally two types of organizations across the CARICOM region: 1) Organizations that by the very nature of their business and the operational and regulatory requirements they are subject to, are compelled to take cybersecurity serious and invest heavily in a strong control framework to effectively mitigate the risks they are confronted with; and 2) Firms or institutions whose management simply does not recognise or understand the high risks which they are faced with as it pertains to cyber attacks and online crime. So what you now have is a situation where there are a handful of companies with very strong cybersecurity capabilities (mostly financial institutions), and a large amount with weak controls as it relates to cyber resilience. All in all, many Caribbean organizations are still facing serious financial constraints, and budgetary planning cycles regularly do not include large expenditures on things like IT security. Monies are spent on more seemingly important corporate interests, although this will likely change as cyber-risks increasingly pose threats to human, social and economic well being and stability.

ICTP: Are there any key areas businesses should be investing their network security/IT dollars this year?
NH: Businesses need to invest their money in personnel with specialized knowledge and expertise in implementing technical solutions, enhancing operational practices and developing effective cybersecurity-related policies. Governments as well as corporations also need to invest in awareness-raising programs around cybersecurity. And more dollars also have to be spent on research, monitoring, reporting, and coordination of responses to cybersecurity incidents.

The full article and interview can be found at: http://tinyurl.com/mlssfll

Should We Fear the Era of Ubiquitous Computing?

nielharper

Eye Looking Over Person On Computer

More and more, technology is becoming an integral part of our lives. In a not so distant future, there will be a major convergence of entire industries in the fields of media, consumer electronics, telecommunications, and information technology. But the approaching wave of the technological revolution will affect us more directly, in all aspects of our lives – it is becoming apparent that our future will be characterized by the appearance of computing devices everywhere and anywhere. This concept is known as ubiquitous computing. Ubiquitous computing encompasses a wide range of existing technological platforms and emerging research topics, including distributed systems, ad hoc sensor networks, mobile computing, location-based services, context-aware computing, wireless networks, machine-to-machine (M2M) communication, artificial intelligence, and human-computer interaction.

Case in point, the functionality in smart mobile devices is constantly expanding into previously unthinkable dimensions. Wi-Fi positioning systems (WPS) and GPS can deliver location services as exact as 10 meters in an outdoor setting. Short-range radio interfaces (Bluetooth, ZigBee, Z-Wave, IrDA, etc.) are creating personal area networks (PANs) that better facilitate intrapersonal communication. Mobile phones can now be employed as personal base stations or “access points” that connect a universe of “smart devices”. As it relates to the unbanked or under-banked, technologies such as Near Field Communication (NFC) and Unstructured Supplementary Service Data (USSD) are allowing more individuals and entrepreneurs to participate in the ever-burgeoning mobile economy. From the perspective of e-health and remote patient monitoring, mobile watches (essentially wearable computers) are able to capture a user’s health data and, if necessary, transmit vital statistics back to a medical center via telemetry. In this regard, new qualities and functions are developing due to the proximity to the body that a normal mobile phone could not previously achieve.

Former IBM Chairman Lou Gerstner conceptualized a “post-PC era” where he foresaw, “…a billion people interacting with a million e-businesses through a trillion interconnected intelligent devices.” Smartphones with high-speed data connections, geo-location positioning, and voice recognition capabilities that contextually interact with their environment are the first indicators of this type of ubiquitous virtual network of technical devices and day-to-day objects. Such developments are only now being realized due to rapid advances in technology. For example, semiconductor technology has progressed to a point where complex functions have been miniaturized; so as to obtain drastically reduced form factors — weight, size and energy consumption. The field of “Body Area Networks” has broken new ground whereby the human body can be employed as a transmission channel for low voltage electromagnetic signals. Touch, gesture and other tactile interfaces can initiate individualized communications, and be deployed for user authentication, personalized device configuration, or billing of products and services.

While determining concrete applications for such technologies is a difficult task, the potential for objects to communicate with each other, use available Internet services, and access large online data stores, is simply mind-blowing. The field of ubiquitous computing, and its array of technologies, is creating linkages between the mundane world and everyday objects, between products and services and capital assets, and between e-commerce platforms and supply chain management systems. They are effectually removing human beings as intermediaries between the real and the virtual world. As a result, new business models are emerging that are providing incremental benefits to manufacturers, suppliers, and customers. More importantly, we are seeing the ultimate creation of a plethora of new services such as the persistent personalization or customization of products throughout their entire life cycle.

Despite the obvious social and economic value of ubiquitous computing, particular attention needs to be focused on the issues of security and privacy. The promise of ubiquitous computers is accompanied by a broadening of the traditional Internet problem of “online history” (i.e. the collection of online user activity into big data sets) to include an even more extensive “offline history”. As such, whereas the online surveillance of individuals has been restricted to Internet usage, there will now be no clear delineation between “online” and “offline” data collection in a world of pervasive smart objects. Without a doubt, this will make the resulting data much more valuable. But who will be deriving value from this data (or more so profiting)? Whereas previously a limited profile of an individual could be “built” through data analytics, a much more comprehensive view of this person and his/her daily activities can be obtained in the ubiquitous reality. The question is: Do we really want others to have this much insight into our lives?

In his lecture, “The Ethicist’s and the Lawyer’s New Clothes: The Law and Ethics of Smart Clothes,” Glenn Cohen asserts that the ubiquity of computers threatens to “disrupt the place of refuge.” He warned that even when we switch off our mobile phones, given the prevalence of smart devices, “we squeeze out the space for living a life.” He concludes, “Lots of people have things they want to do and try but wouldn’t if everything was archived.” Should we expect the government and the rule of law to protect us in the ubiquitous world? In the post-Snowden era, we would be foolish to harbor such false expectations. Taking into consideration that most online surveillance activities are undetectable, the odds of anyone securing a legal claim against corporations or governments are slim to none.

In an ideal world, having business responsible for baking robust privacy controls into their products seems to be an optimal solution. But this means that we have to be able to trust the companies (a tall order in my estimation). Most recently, the technical community, in the form of the Internet Engineering Task Force (IETF), has renewed its commitment to building greater security into Internet protocols such as HTTPS and through the use of Transport Layer Sockets (TLS) and Perfect Forward Secrecy (PFS). However, there are significant limitations in the use of technology-only fixes to enhance privacy and security on the Internet (and ubiquitous computing will be no exception). Operational practices, laws, and other similar factors also matter to a large extent. And at the end of the day, no degree of communication security helps you if you do not trust the party you are communicating with or the infrastructure and devices you are using. With all that has happened over the last 24 months in terms of pervasive online surveillance, should we be fearful of what the ubiquitous era holds for us? I wouldn’t necessarily say that I’m afraid, but neither am I brimming with unbridled confidence.

Mind you, I am not by any means a pessimist. There is no doubt that ubiquitous computing will provide vast opportunities for improvement in the realms of our political, commercial, and personal existence. However, the multitude of concerns around governance, standards, integration, interoperability, security, and privacy will necessitate an effective multi-stakeholder approach. The demand will be for unprecedented collaboration among the technical community, academia, business, and government. My fear is that the concerns of the end user will be largely ignored amidst the jostling for position by the others players.

The Age of the Unregulated Algorithm

nielharper

images.jpeg

There can be no doubt that the use of big data analytics holds great promise as it relates to delivering numerous social and economic benefits. From the perspective of science and research, the introduction of new techniques and methodologies based on big data analytics represent a potential quantum leap for how discoveries are realized across scientific fields of endeavor. Case in point, some will argue that scientific modeling is an outdated practice given the uncanny amounts of data available to researchers.

Supercomputers can easily mix, mash and detect complex patterns and relationships that were previously impossible to conceptualize. The delivery of public services is another area where big data applications can yield massive benefits in terms of economic development. If the public sector could sufficiently exploit available datasets (and sadly enough they aren’t doing so presently), they can: 1) enhance transparency in the public sector; 2) deliver more efficient, innovative and customized public services; and 3) facilitate more expedient policy creation and decision making processes.

Still, with these benefits and more to be obtained, a number of critical questions still remain: What are the risks to foundational values arising from big data analytics? What are the potential impacts of big data analytics on fairness and coherence? Are the necessary levels of knowledge and competence available within society to adopt big data analytics? Are current policy frameworks suited to the use of big data analytics in an era in which data is open, re-used, and re-combined in order to bring significant benefits?

As the debate rages on about how do we best take advantage of the gazillion bytes of data that exist, what is clear is that the industry has to reach a point of self-regulation or it will continue to be regulated by those who don’t understand what they’re doing (and society will be disadvantaged significantly more than it will be able to accrue the benefits of big data).

Cue the personal data economy! This shift in direction is about addressing the core issue of privacy through promoting greater awareness around the use of personal data as a resource. Presently, our data is primarily a transaction tool characterized by user identification and consumer purchasing habits. This model empowers (and emboldens) corporations and governments. Even worse, the fears and anxieties around privacy obscure the greater opportunities for improving the lives of individuals.

This new paradigm — the personal data economy — will be driven by more educated end users. The individual will be more powerful because he/she understands data ownership, and how they can optimally share their data but with greater control over different aspects of their anonymity. The result will be that the major features shaping the commercial environment will be “value-creation”, “transparency” and “openness”.

Nokia Corporation: Planning the next bounceback

nielharper

For a firm that has gone from pulp to televisions to handsets to telecoms equipment, maps, anything seems possible. I believe that the sale of the handset manufacturing division to Microsoft was good, smart business. With its ‘new’ venture, Nokia Solutions & Networks (NSN), the company is focusing on an industry that allows for steady, modest growth and is less volatile from the perspective of fickle customers and quickly changing market demands. Even though competing with the likes of Ericsson, ZTE, Huawei and Alcatel-Lucent is quite the tall order, I believe that Nokia will not be punching out of its weight class. And with the deals that the company has secured in recent times, I predict that all will be well with the Finnish giant. Moreover, I also proffer that Nokia will possibly acquire one of its competitors in the not so distant future. Reinvention is the name of the game, and the Finnish “company that can” has done this quite often in its history. http://tinyurl.com/ntjz7gk

Regulators See Value in Bitcoin and Other Digital Currencies

nielharper

Alternative currencies are nothing new (see Liberty Reserve, Berkshares and Ithaca Hours), and are an excellent way to break the inflationary and economically debilitating effects of fiat money. All that is really needed is buy-in and acceptance from a community that’s large enough, and commitment from other networked systems to allow for trading and exchange (the necessity of a government oversight and control framework is debatable). However, given the amount of pressure and negative attention that Bitcoins have received from regulators, central banks and other naysayers around the world — and the pervasiveness of the fiat money system (in terms of the controlling interests), this development concerns me tremendously. Something just isn’t right here!

http://tinyurl.com/n8prkch

How Somebody Forced the World’s Internet Traffic Through Belarus and Iceland

nielharper

The security and resiliency of the Internet is an important topic, and a key area where groups like the IETF, IEEE and W3C are undertaking significant works to ensure that critical Internet infrastructure is protected from large scale cyber attacks. This being said, the risks of a compromise have not been mitigated to tolerable enough levels, and as this article demonstrates, can be somewhat difficult to defend against. Truly disconcerting!

http://tinyurl.com/ny25ej4

The Real Privacy Problem

nielharper

As more and more corporations and governments collect and analyze ever increasing amounts of data about our lives and our activities, it’s appealing to react by creating more privacy-related legislation or arrangements that pay individuals for use of their personal data sets. Instead, this article by Evgeny Morozov (the author of The Net Delusion: The Dark Side of Internet Freedom) suggests that what is needed is a civic-minded response, because democracy is at risk.

http://tinyurl.com/kszqg4k