<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Cutter Blog &#187; Security+Privacy</title>
	<atom:link href="http://blog.cutter.com/category/securityprivacy/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.cutter.com</link>
	<description>The Cutter Consortium Blog</description>
	<lastBuildDate>Tue, 08 May 2012 17:04:56 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Surviving a Cyberattack: From Phishing to Cyberwar</title>
		<link>http://blog.cutter.com/2011/02/17/surviving-a-cyberattack-from-phishing-to-cyberwar/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=surviving-a-cyberattack-from-phishing-to-cyberwar</link>
		<comments>http://blog.cutter.com/2011/02/17/surviving-a-cyberattack-from-phishing-to-cyberwar/#comments</comments>
		<pubDate>Thu, 17 Feb 2011 23:19:38 +0000</pubDate>
		<dc:creator>Christine Generali</dc:creator>
				<category><![CDATA[Government+Public Sector]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Security+Privacy]]></category>
		<category><![CDATA[call-for-papers]]></category>
		<category><![CDATA[information-security]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blog.37broad2.com/?p=2010</guid>
		<description><![CDATA[Some argue that a cyber-Armageddon &#8212; or a &#8220;digital Pearl Harbor&#8221; &#8212; may be just around the corner, while others counter that while cybersecurity needs to be taken seriously, the overall cyberthreat and its consequences are vastly overblown and are merely a convenient excuse to sell over-priced security software and consulting. The May 2011 Cutter ...]]></description>
			<content:encoded><![CDATA[<p>Some argue that a cyber-Armageddon &#8212; or a &#8220;digital Pearl Harbor&#8221; &#8212; may be just around the corner, while others counter that while cybersecurity needs to be taken seriously, the overall cyberthreat and its consequences are vastly overblown and are merely a convenient excuse to sell over-priced security software and consulting. </p>
<p>The May 2011 <em>Cutter IT Journal</em> will try to separate the wheat from the chaff as pertains to security threats from current and potential cyberweapons. Proposals of interest are due 2 March 2011. To respond, please visit<br />
<a href="http://www.cutter.com/content-and-analysis/journals-and-reports/cutter-it-journal/callforpapers02.html">http://www.cutter.com/content-and-analysis/journals-and-reports/cutter-it-journal/callforpapers02.html</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.cutter.com/2011/02/17/surviving-a-cyberattack-from-phishing-to-cyberwar/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The &#8216;Wild West&#8217; of Cyberspace will Get Worse Before it Gets Better</title>
		<link>http://blog.cutter.com/2010/12/16/the-wild-west-of-cyberspace-will-get-worse-before-it-gets-better/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-wild-west-of-cyberspace-will-get-worse-before-it-gets-better</link>
		<comments>http://blog.cutter.com/2010/12/16/the-wild-west-of-cyberspace-will-get-worse-before-it-gets-better/#comments</comments>
		<pubDate>Thu, 16 Dec 2010 15:29:52 +0000</pubDate>
		<dc:creator>Mike Rosen</dc:creator>
				<category><![CDATA[Business Technology Trends]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Security+Privacy]]></category>
		<category><![CDATA[2011 predictions]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[information-security]]></category>
		<category><![CDATA[wikileaks]]></category>

		<guid isPermaLink="false">http://blog.37broad2.com/?p=1557</guid>
		<description><![CDATA[Security and the law have not caught up with technology and the outlaws. But most people seem to be ignoring the risks in favor of the opportunities and I don’t see that changing in 2011. A high profile incident is bound to happen, probably sooner rather than later. The headlines this year have been full ...]]></description>
			<content:encoded><![CDATA[<p>Security and the law have not caught up with technology and the outlaws. But most people seem to be ignoring the risks in favor of the opportunities and I don’t see that changing in 2011. A high profile incident is bound to happen, probably sooner rather than later.</p>
<p>The headlines this year have been full of security issues facing the internet. First, there was the Zeus Trojan Horse which has stolen millions of dollars from small businesses and individuals. Zeus steals your credentials from your computer, and then uses them to make numerous small transfers from your bank account (under the $10,000 limit for reporting) until it has been emptied out. Since your computer was at fault, banks don’t feel liable for the theft. Zeus is a toolkit that has sold tens of thousands of copies on the Internet black market. Not wanting to be left out, SpyEye is a competing toolkit that not only steals your credentials, but kills Zeus in the process if it detects it. These ‘crimeware’ kits are purportedly developed and sold by organized crime. Oh, and by the way, they are virtually undetectable by most antivirus software.</p>
<p>But it’s not just the crooks that are out there. The Stuxnet virus hit the news this summer after being discovered as having attacked Iran’s Bushehr and Natanz nuclear facilities. Although the Pentagon can neither confirm nor deny knowledge of the virus, the incredible sophistication of the virus points to a few, highly skilled intelligence communities. It was reported just this week that Stuxnet is still wreaking havoc and Iran still hasn’t gotten it under control.</p>
<p>Then of course there is WikiLeaks. First with documents related to the war in Afghanistan, then a few months later, hundreds of thousands of diplomatic communications. The government agencies in charge say it will take years to properly secure their networks. But, when certain organizations went to shut down WikiLeaks operations (such as Amazon, PayPal, Mastercard, etc.) all hell broke loose. Members of the group Operation Payback initiated Denial of Service (DDoS) attacks on those sites. In addition, up to 3000 people downloaded programs from different websites that allowed them to contribute to the DDoS attacks against numerous free speech foes including Joe Lieberman and Sarah Palin (ironically for speaking their minds).</p>
<p>It’s the Wild West in Cyberspace. Be careful out there.</p>
<p><em>[Editor's Note: This post is part of the annual "<a href="http://blog.cutter.com/tag/2011-predictions/">Cutter Predicts ...</a>" series, compiled at the <a href="http://www.cutter.com/predictions/2011.html">Cutter Consortium</a> website.]</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.cutter.com/2010/12/16/the-wild-west-of-cyberspace-will-get-worse-before-it-gets-better/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Business Technology Strategies for the Road Forward</title>
		<link>http://blog.cutter.com/2010/10/20/business-technology-strategies-for-the-road-forward/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=business-technology-strategies-for-the-road-forward</link>
		<comments>http://blog.cutter.com/2010/10/20/business-technology-strategies-for-the-road-forward/#comments</comments>
		<pubDate>Wed, 20 Oct 2010 18:41:18 +0000</pubDate>
		<dc:creator>Anne Mullaney</dc:creator>
				<category><![CDATA[Agile Project Management]]></category>
		<category><![CDATA[Business-IT Strategies]]></category>
		<category><![CDATA[Conferences+Events]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Security+Privacy]]></category>
		<category><![CDATA[agile-management]]></category>
		<category><![CDATA[Andy Fried]]></category>
		<category><![CDATA[cloud-computing]]></category>
		<category><![CDATA[Jim Highsmith]]></category>
		<category><![CDATA[Lou-Mazzucchelli]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[Rob-Austin]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Summit]]></category>

		<guid isPermaLink="false">http://blog.37broad2.com/?p=1230</guid>
		<description><![CDATA[Here at Cutter HQ, as we fondly call it, we’re in full Summit mode: printing badges, packing boxes, tweaking the final menus – getting all the behind-the-scenes stuff done. But that’s certainly not the exciting stuff! What is exciting is the program. As always (this is the 14th Summit we’ve held here in the Boston ...]]></description>
			<content:encoded><![CDATA[<p>Here at Cutter HQ, as we fondly call it, we’re in full <a title="Cutter Consortium Summit 2010" href="http://www.cutter.com/summit/2010.html">Summit</a> mode: printing badges, packing boxes, tweaking the final menus – getting all the behind-the-scenes stuff done. But that’s certainly not the exciting stuff! What is exciting is the program.</p>
<p>As always (this is the 14<sup>th</sup> Summit we’ve held here in the Boston area), there’s nothing theoretical about the program or sessions. It’s all about creating and discovering business-technology strategies that pave the way for success. And since there are no vendor sponsors, there are no pitches, subtle or otherwise, about silver bullet-type solutions.</p>
<p>Here’s a peek at Monday’s sessions:</p>
<p>We’re addressing cloud computing. <a href="http://blog.cutter.com/author/loumazzucchelli/">Lou Mazzucchelli</a>’s tackling this topic. If you’ve ever heard him speak before, you know that Lou (1) is incredibly experienced and knowledgeable, (2) hones in on the “ah-ha” moments, (3) is not at all afraid of being the contrarian, and (4) is very funny. So I’m certain when he takes the podium to talk about the security, privacy and risk issues surrounding cloud computing, he’ll point out some risks you’ve not yet thought about. The panel debate that follows is sure to be both eye-opening and loud!</p>
<p>Since it’s the Halloween season, we thought it would be appropriate to have <a href="http://www.cutter.com/summit/2010.html#14">Andy Fried </a>scare your pants off. Andy’s a former uniformed police officer, computer programmer, security analyst, and Senior Special Agent with the US Department of the Treasury who now works as a security researcher for a nonprofit organization involved in identifying organized criminal enterprises responsible for fraudulent schemes, DoS attacks, malware propagation, and large-scale botnets. Suffice it to say, he’s seen it all. And during lunch, he’s going to tell you about it. I wouldn’t be surprised to see some Summiteers rush to their laptops to change passwords, security settings, etc. during the short break after Andy’s talk!</p>
<p>In the afternoon, <a href="http://www.cutter.com/summit/2010.html#3">Jim Highsmith</a> will reveal the results of his year-long study of the roles and practices of Agile leaders. He’s been looking at how activities like performance measurement; facilitating self-organizing teams; facilitating an empowered, collaborative workplace; etc. are incorporated into those agile organizations that are able to weather business turbulence. The panelists who will debate and answer questions from the audience after Jim’s keynotes have all dealt with the challenges of making agile really work. I expect this panel, too, to be enlightening.</p>
<p>Rob Austin returns to the Summit this year, but not as a keynoter or a panelist. Instead he’ll be the <a href="http://www.cutter.com/summit/2010.html#7">conference moderator</a>. He views every single topic through a variety of lenses: technology, business, and innovation. He’s sure to pull out threads of conversation that make you think twice, and ask the really hard questions of both the speakers and the audience members. He’s well-versed in the Harvard Business School case study method and will be bringing that hard-hitting style to each of the sessions of this fall’s Summit.</p>
<p>I’ll post an overview of the Tuesday and Wednesday sessions later.</p>
<p>For those of you reading this post who will be joining us on Monday, I look forward to seeing you there! (If you haven’t registered but want to, <a title="Register for Summit 2010" href="https://cutter.com/cgi-bin/summit/store.cgi?action=link&amp;sku=SUM-REG-2010">you still can</a>.) If you won’t be at the conference, we’ll post some highlights here throughout the week and we’ll be tweeting (@cuttertweets) throughout the week.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.cutter.com/2010/10/20/business-technology-strategies-for-the-road-forward/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A New Kind of Software Attack, A Whole New Ballgame</title>
		<link>http://blog.cutter.com/2010/09/24/a-new-kind-of-software-attack-a-whole-new-ballgame/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=a-new-kind-of-software-attack-a-whole-new-ballgame</link>
		<comments>http://blog.cutter.com/2010/09/24/a-new-kind-of-software-attack-a-whole-new-ballgame/#comments</comments>
		<pubDate>Fri, 24 Sep 2010 17:46:53 +0000</pubDate>
		<dc:creator>Ken Orr</dc:creator>
				<category><![CDATA[Enterprise Architecture]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security+Privacy]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[predictions]]></category>
		<category><![CDATA[smart grid]]></category>
		<category><![CDATA[stuxnet]]></category>

		<guid isPermaLink="false">http://blog.37broad2.com/?p=1180</guid>
		<description><![CDATA[Early this year, fellow Cutter Consultants Mitch Ummel, Mike Rosen, and I wrote an Executive Report on the Smart Grid. In that report, we talked about all the potential that the Smart Grid offers, how it would be designed, and also about the serious problems that such an ambitious undertaking faces &#8212; especially problems related ...]]></description>
			<content:encoded><![CDATA[<p>Early this year, fellow Cutter Consultants <a href="http://www.cutter.com/meet-our-experts/ummelm.html">Mitch Ummel</a>, <a href="http://www.cutter.com/meet-our-experts/rosenm.html">Mike Rosen</a>, and I wrote an Executive Report on the <a href="http://www.cutter.com/architecture/fulltext/reports/2010/02/index.html">Smart Grid</a>. In that report, we talked about all the potential that the Smart Grid offers, how it would be designed, and also about the serious problems that such an ambitious undertaking faces &#8212; especially problems related to reliability and security. We expressed fears that since the next generation of Smart Grid electrical utilities is based on current standards taken from the Internet and the current generation of operating systems, it would be subject to serious attacks by more and more sophisticated hackers which, in turn, could seriously jeopardize the reliability and security of our most critical infrastructure. Boy, were we on the mark.</p>
<p>The ink was hardly dry before we realized that we were more prescient than we could have possibly imagined. Indeed, while we were writing our report, security experts around the world were already documenting a new kind of Internet malware, the Stuxnet virus. In July and August, many of the top security labs around the world began reporting on a new, very sophisticated virus whose objective, like many viruses, was not immediately apparent. Just this week, however, two respected security experts gave us the answer: Stuxnet was in fact an Internet bomb.</p>
<p>The cyber worm, called Stuxnet, has been the object of intense study since its detection in June. As more has become known about it, alarm about its capabilities and purpose have grown. Some top cyber security experts now say Stuxnet&#8217;s arrival heralds something blindingly new: a cyber weapon created to cross from the digital realm to the physical world &#8212; to destroy something (Mark Clayton, <a href="http://www.csmonitor.com/USA/2010/0921/Stuxnet-malware-is-weapon-out-to-destroy-Iran-s-Bushehr-nuclear-plant">The Christian Science Monitor</a>, 22 September 2010).</p>
<p>Stuxnet is now the subject of serious debate around the world. Many experts believe the virus was developed by a very sophisticated, very serious group of top-notch software security experts probably financed and controlled by a nation state with an equally serious intent. The target of this worm, it appears, was a single facility; most likely the Iranian nuclear facility at Bushehr, and it was focused directly at a bit of technology core to the electrical utility industry &#8212; SCADA software from the German giant Siemens.</p>
<p>So here we are a decade ahead of our time, with a serious cyberattack that sounds a whole lot like a 1980s sci-fi thriller &#8212; but it isn&#8217;t, and it ought to get the top minds in all of the software industry focused. What should the next generation of the Internet, our basic operating systems, and our most critical infrastructures look like? And how do we get there before something &#8212; like some major piece of electrical infrastructure &#8212; literally blows up in our faces?</p>
<p>Finally, a bit of good news. I noticed as I was finishing this piece that the US military’s cyberwarfare operations is &#8220;advocating the creation of a separate, secure computer network to protect civilian government agencies and critical industries like the nation’s power grid against attacks mounted over the Internet&#8221; (Thom Shanker, <a href="http://www.nytimes.com/2010/09/24/us/24cyber.html">Cyberwar Chief Calls for Secure Computer Network</a>, New York Times, 24 September 2010).</p>
<p>This last bit is truly good news, and perhaps someone with some real purpose and deep pockets is working on the problem, because without a really secure operating system and networks, the SmartGrid is going to look pretty dumb. </p>
<blockquote><p> Editor&#8217;s Note: This is an advance copy of next week&#8217;s Enterprise Architecture <i>Advisor</i>, which we are posting now due to the timeliness of Ken&#8217;s commentary.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://blog.cutter.com/2010/09/24/a-new-kind-of-software-attack-a-whole-new-ballgame/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Developments Address Cloud Security and Regulatory Compliance</title>
		<link>http://blog.cutter.com/2010/09/15/new-developments-address-cloud-security-and-regulatory-compliance/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=new-developments-address-cloud-security-and-regulatory-compliance</link>
		<comments>http://blog.cutter.com/2010/09/15/new-developments-address-cloud-security-and-regulatory-compliance/#comments</comments>
		<pubDate>Wed, 15 Sep 2010 17:34:01 +0000</pubDate>
		<dc:creator>Curt Hall</dc:creator>
				<category><![CDATA[Business Intelligence]]></category>
		<category><![CDATA[Business Technology Trends]]></category>
		<category><![CDATA[Business-IT Strategies]]></category>
		<category><![CDATA[Security+Privacy]]></category>
		<category><![CDATA[cloud-computing]]></category>
		<category><![CDATA[shared+services]]></category>

		<guid isPermaLink="false">http://blog.37broad2.com/?p=1160</guid>
		<description><![CDATA[Security and data privacy/regulatory considerations are two of the biggest bottlenecks standing in the way of more organizations adopting cloud computing. Simply put, many organizations have serious misgivings about using cloud computing &#8212; in particular, software as a service (SaaS) offerings &#8212; due to regulatory requirements prohibiting them from using the cloud for storing sensitive ...]]></description>
			<content:encoded><![CDATA[<p>Security and data privacy/regulatory considerations are two of the biggest bottlenecks standing in the way of more organizations adopting cloud computing. Simply put, many organizations have serious misgivings about using cloud computing &#8212; in particular, software as a service (SaaS) offerings &#8212; due to regulatory requirements prohibiting them from using the cloud for storing sensitive data, or due to concerns about the privacy and security of data residing in the cloud.</p>
<p>Organizations have also gone to considerable lengths to put the systems and processes in place that enable them to enforce consistent access control policies for their enterprise applications. Thus, it is quite understandable that many organizations remain leery of the security capabilities for ensuring secure end-user access and control to cloud-based applications and services.</p>
<p>While cloud providers and other proponents frequently say that these issues are overblown &#8212; arguing that many cloud-based applications and services are much more secure than many organizations&#8217; own internal, on-premise applications and networks &#8212; the fact of the matter is that hardly a week goes by that some company or government agency doesn&#8217;t announce that it has suffered a data breach or some other form of unauthorized system access or tampering. Consequently, it&#8217;s only natural that these fears linger &#8212; fears that continue to make some organizations hesitate to make a greater commitment to the cloud.</p>
<p>But there have been a number of recent developments that indicate that the industry is striving to address these issues. And we are now seeing real progress in the application of encryption and other security techniques to address these challenges.</p>
<h4>Data Security, Regulatory/Compliance Developments</h4>
<p>One of the more innovative examples of this trend is Navajo Systems. Navajo offers a SaaS application data security appliance designed to address the limitations and concerns of using cloud applications with sensitive corporate data. The appliance, called &#8220;Virtual Private SaaS&#8221; (VPS), installs on an organization&#8217;s LAN/WAN. It&#8217;s also available as a cloud service for licensing. Either way, VPS allows organizations to encrypt sensitive SaaS application data before it is moved to the SaaS provider. Moreover, all sensitive corporate data remains encrypted while residing on the SaaS provider&#8217;s servers. In addition, all encryption keys remain in the possession of the end-user organization. When the data is returned to the end-user organization from the SaaS provider, the process is reversed.</p>
<p>VPS works transparently, meaning that application functionality is unaffected by the data encryption process (e.g., sort and search functions continue to operate as expected) and end users remain unaware that it is taking place.</p>
<p>The advent of cloud data security offerings such as VPS is important because they should help ease organizations&#8217; fears about adopting cloud computing for the simple fact that encryption makes the data unreadable when in transit to, or stored on, an SaaS provider&#8217;s servers. In effect, database theft and identity theft become, for all intents and purposes, negligible, because the sensitive data remains undecipherable when in transmission or in storage outside the end-user organization&#8217;s firewall. Regulatory compliance is also made more practical, which is especially important when it comes to the need to ensure the safety of medical, financial, and other sensitive customer information.</p>
<h4>Bulletproofing Cloud End-User Access/Security</h4>
<p>Organizations are also running into difficulties when it comes to providing secure end-user access to SaaS and other cloud applications. This becomes especially apparent when I talk with people whose organizations are using multiple SaaS offerings or cloud-based applications that need to work with on-premise enterprise applications (and most do). Simply put, knowing exactly who has access to SaaS applications and being able to easily activate and deactivate user accounts via a centralized management system are essential for organizations that need to manage large numbers of users of cloud-based applications and services.</p>
<p>A good example of the kinds of developments we are seeing in regard to cloud application access and security is provided by Symplified, which offers an integration-as-a-service platform for integrating enterprise security policies and administration with cloud applications and data. Symplified&#8217;s SinglePoint platform allows end-user organizations to centralize the management of user accounts for multiple cloud applications by extending and enforcing their existing security policies to the cloud. In other words, Symplified did not try to reinvent the wheel when it comes to end-user access and security for cloud-based applications. Rather, its platform is designed to work in conjunction with common enterprise provisioning systems (e.g., Oracle, CA, Quest, Identropy, Sun). I also like SinglePoint because organizations can implement it as an on-premise appliance, or it can be delivered from the cloud as a secure proxy.</p>
<p>SinglePoint functions by integrating with enterprise user directories to automate the creation, provisioning, modification, and deprovisioning of accounts that enable employees to access SaaS applications and data. (It integrates with existing identity and access control infrastructures, including Microsoft Active Directory and Salesforce.com, etc.). In effect, by bringing SaaS applications under the control of enterprise and cloud-based user-provisioning and -management systems, it automates the complex workflows that occur when users and their access privileges are added or removed from directories. It can also facilitate compliance audits.</p>
<h4>Conclusion</h4>
<p>Organizations naturally remain concerned when it comes to ensuring the security of their data residing in cloud-based applications and services. It is no less reasonable to expect organizations to want to be able to apply the same rigorous access controls across their cloud-based applications and services as the ones that they have gone to great pains to implement for their on-premise, enterprise applications. The vendors and cloud providers recognize that in order to realize greater adoption of cloud computing and services they must address these concerns. We are now seeing new developments in these areas and, as trends suggest, they are moving very fast. To be sure, there is still room for improvements (particularly in the way of standards for ensuring and safeguarding data residing on cloud systems, a topic to be addressed some other time). However, when it comes to ensuring security and regulatory compliance in the cloud, I believe that progress has definitely been made, and that the cloud is no longer quite the &#8220;Wild West&#8221; it was just a few years ago.</p>
<p>Finally, I’d like to get your opinion on developments pertaining to cloud security and compliance. What issues has your organization encountered or does it expect to encounter? And what new tools and procedures do you think are needed?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.cutter.com/2010/09/15/new-developments-address-cloud-security-and-regulatory-compliance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Even more predictions</title>
		<link>http://blog.cutter.com/2010/01/05/even-more-predictions/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=even-more-predictions</link>
		<comments>http://blog.cutter.com/2010/01/05/even-more-predictions/#comments</comments>
		<pubDate>Tue, 05 Jan 2010 20:31:42 +0000</pubDate>
		<dc:creator>Anne Mullaney</dc:creator>
				<category><![CDATA[Agile Project Management]]></category>
		<category><![CDATA[Business Intelligence]]></category>
		<category><![CDATA[Business Technology Trends]]></category>
		<category><![CDATA[Business-IT Strategies]]></category>
		<category><![CDATA[Collaboration+Teams]]></category>
		<category><![CDATA[IT Management]]></category>
		<category><![CDATA[Security+Privacy]]></category>
		<category><![CDATA[Vendor Relationships]]></category>
		<category><![CDATA[2010 predictions]]></category>
		<category><![CDATA[4G]]></category>
		<category><![CDATA[agile]]></category>
		<category><![CDATA[business process]]></category>
		<category><![CDATA[collaboration]]></category>
		<category><![CDATA[failures]]></category>
		<category><![CDATA[information-security]]></category>
		<category><![CDATA[knowledge-management]]></category>
		<category><![CDATA[mobile computing]]></category>
		<category><![CDATA[netbook]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://blog.37broad2.com/?p=495</guid>
		<description><![CDATA[Over the last week we’ve received predictions from more Cutter Senior Consultants. Here’s a preview of the latest additions: Rebecca Herold: Bigger privacy breaches than any that have occurred so far on social media sites will occur as a result of no information security or privacy pre-planning at many to most of these organizations. James Odell: ...]]></description>
			<content:encoded><![CDATA[<p>Over the last week we’ve received <a href="http://www.cutter.com/predictions.html">predictions </a>from more Cutter Senior Consultants. Here’s a preview of the latest additions:</p>
<ul>
<li>Rebecca Herold: Bigger privacy breaches than any that have occurred so far on social media sites will occur as a result of no information security or privacy pre-planning at many to most of these organizations.</li>
<li>James Odell: systems will no longer primarily be top down. Instead, as individuals, small groups, and organizations interact around the world, technology must support approaches that are more side-by-side.</li>
<li>Rob Austin: 2010 will be the year in which mobile devices become the client device of choice in many enterprises.</li>
<li>Jim Highsmith: A small, but significant, number of organizations will “get it” when it comes to agility, and they will begin to appoint Chief Agility Officers (CAO).</li>
<li>Karl Wiig: Increasingly, organizations and academia worldwide will increase their focus on intellectual capital and its role in making societies, organizations and people more competent for better performance.</li>
<li>David Spann: The next financial crisis will be the growing amount of personal credit accruing in the U.S. and the hope that consumer spending will buy us out of the current crisis.</li>
<li>David Coleman: We will see a steep retrenchment in the collaboration tools environment, with a few large vendors such as Microsoft and IBM/Lotus as the dominant enterprise players.</li>
<li>Ken Orr: The netbook + 4G wireless network will create an explosive new marketplace.</li>
<li>Mark Levison: There will be some big public agile adoption failures this year.</li>
<li>Alexandre Rodrigues: 2010 will be marked by unique developments and changes in the way in which organizations make use of technology to support their business processes.</li>
<li>Bart Perkins: IT’s stature as a business enabler will rise dramatically.</li>
</ul>
<p>You can <a href="http://www.cutter.com/predictions.html">read more than just the headlines</a> of these predictions (and the insight of other Cutter Senior Consultants) at the <a href="http://www.cutter.com">Cutter</a> site. Let us know &#8230; do you agree? Disagree? Have any advice about how to prepare for what’s ahead?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.cutter.com/2010/01/05/even-more-predictions/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>More Predictions</title>
		<link>http://blog.cutter.com/2009/12/24/more-predictions/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=more-predictions</link>
		<comments>http://blog.cutter.com/2009/12/24/more-predictions/#comments</comments>
		<pubDate>Thu, 24 Dec 2009 18:22:23 +0000</pubDate>
		<dc:creator>Anne Mullaney</dc:creator>
				<category><![CDATA[Agile Project Management]]></category>
		<category><![CDATA[Business Technology Trends]]></category>
		<category><![CDATA[Business-IT Strategies]]></category>
		<category><![CDATA[Enterprise Architecture]]></category>
		<category><![CDATA[Innovation]]></category>
		<category><![CDATA[IT Management]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Security+Privacy]]></category>
		<category><![CDATA[2010 predictions]]></category>
		<category><![CDATA[agile software development]]></category>
		<category><![CDATA[Business Intelligence]]></category>
		<category><![CDATA[CIOs]]></category>
		<category><![CDATA[cloud-computing]]></category>
		<category><![CDATA[green-IT]]></category>
		<category><![CDATA[information-security]]></category>
		<category><![CDATA[organizational-design]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blog.37broad2.com/?p=487</guid>
		<description><![CDATA[The crystal ball gazing continues. Here are more excerpts from Cutter Senior Consultants&#8217; predictions for 2010 and beyond. Dave Rooney: Agile Software Development will follow the same pattern as two other game-changing trends — Relational Database Management Systems and Object-Oriented Programming over the upcoming decade. Claude Baudoin: Expect contractors and consultants to be in demand, ...</p><p class='read-more'><a class='read-more button-c' href='http://blog.cutter.com/2009/12/24/more-predictions/'>    Read more</a>]]></description>
			<content:encoded><![CDATA[<p>The crystal ball gazing continues. Here are more excerpts from <a href="http://www.cutter.com/predictions.html">Cutter Senior Consultants&#8217; predictions for 2010</a> and beyond.</p>
<ul>
<li>Dave Rooney: Agile Software Development will follow the same pattern as two other game-changing trends — Relational Database Management Systems and Object-Oriented Programming over the upcoming decade.</li>
<li>Claude Baudoin: Expect contractors and consultants to be in demand, and many of them will be ex-employees who, having found their past employer’s loyalty in short supply, will now be more interested in being their own boss than in rejoining as an employee.</li>
<li>Ken Collier: Although Agile adoptions will proliferate, we will see an increase in Agile project failures due to misunderstanding, misapplication, and misguided attempts to follow an “agile recipe”.</li>
<li>Mike Rosen: Continued “cyber events” will temper the rush to the Cloud.</li>
<li>Jeff Kaplan: The consumerization of IT by end-users and availability of a widening array of cloud-oriented services that can meet the needs of business units will drive CIOs and IT organizations to reassess their roles, responsibilities, skills and operating structures.</li>
<li>Bhuvan Unhelkar: Over the next 4 years, it will be a necessity for organizations to measure and monitor carbon emissions.</li>
</ul>
<p>Many of Cutter&#8217;s experts have made more than one prediction, but I&#8217;ve only highlighted one each here (and <a href="http://blog.cutter.com/2009/12/23/cutter-experts-predict-trends-for-2010-and-beyond/">here</a>). You can <a href="http://www.cutter.com/predictions.html">check out the others</a>, and the reasoning behind them all at the Cutter site. What are your reactions to these predictions?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.cutter.com/2009/12/24/more-predictions/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Cutter Experts Predict Trends for 2010 and Beyond</title>
		<link>http://blog.cutter.com/2009/12/23/cutter-experts-predict-trends-for-2010-and-beyond/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=cutter-experts-predict-trends-for-2010-and-beyond</link>
		<comments>http://blog.cutter.com/2009/12/23/cutter-experts-predict-trends-for-2010-and-beyond/#comments</comments>
		<pubDate>Wed, 23 Dec 2009 19:41:57 +0000</pubDate>
		<dc:creator>Anne Mullaney</dc:creator>
				<category><![CDATA[Agile Project Management]]></category>
		<category><![CDATA[Business Intelligence]]></category>
		<category><![CDATA[Business Technology Trends]]></category>
		<category><![CDATA[Business-IT Strategies]]></category>
		<category><![CDATA[Collaboration+Teams]]></category>
		<category><![CDATA[Enterprise Architecture]]></category>
		<category><![CDATA[IT Management]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Security+Privacy]]></category>
		<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[2010 predictions]]></category>
		<category><![CDATA[agile]]></category>
		<category><![CDATA[BI]]></category>
		<category><![CDATA[CIO]]></category>
		<category><![CDATA[data-warehousing]]></category>
		<category><![CDATA[EA]]></category>
		<category><![CDATA[lean]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[SOA]]></category>
		<category><![CDATA[social+networking]]></category>
		<category><![CDATA[Web-2.0]]></category>

		<guid isPermaLink="false">http://blog.37broad2.com/?p=477</guid>
		<description><![CDATA[With the new year upon us, we asked Cutter&#8217;s Senior Consultants and Fellows for their business technology predictions. Their perspectives — as always — are quite thoughtful, thought-provoking, and varied. Projections cover the changing role of the CIO, what will happen in enterprise architecture, the increasing adoption of agile, the explosion of cloud computing, the ...</p><p class='read-more'><a class='read-more button-c' href='http://blog.cutter.com/2009/12/23/cutter-experts-predict-trends-for-2010-and-beyond/'>    Read more</a>]]></description>
			<content:encoded><![CDATA[<p>With the new year upon us, we asked Cutter&#8217;s Senior Consultants and Fellows for their business technology predictions. Their perspectives — as always — are quite thoughtful, thought-provoking, and varied. Projections cover the changing role of the CIO, what will happen in enterprise architecture, the increasing adoption of agile, the explosion of cloud computing, the impact of green initiatives, and more.</p>
<p>We&#8217;re posting <a title="Predictions for 2010" href="http://www.cutter.com/predictions.html">all the predictions</a> on the Cutter website as they come in. Here are some excerpts:</p>
<ul>
<li>Israel Gat: I expect 2010 to be the first year of a prolonged golden age.</li>
<li>San Murugesan: In 2010 and beyond, we will see growing interest and major developments in cloud computing, green IT, and mobile systems and applications.</li>
<li>Steve Andriole: By 2015, operational technology requirements have merged with business requirements and vice versa.</li>
<li>Vince Kellen: Social network analytics will grow. Understanding how networks of people consume or deliver value is both a powerful and a simple concept.</li>
<li>Scott Ambler: 2010 will see agile at scale take off in a visible way.</li>
<li>Curt Hall: Adoption of on-demand/cloud-based BI and data warehousing will experience steady growth in 2010.</li>
<li>Mike Sisco: IT will be called on more to help reduce costs and improve company productivity.</li>
<li>Pierfranco Ferronato: The concept of a central, model-based repository will emerge.</li>
<li>E.M. Bennatan: We are nowhere near the end of this extraordinary surge in technological advancement. In fact &#8230; the pace will only increase.</li>
<li>Sanjiv Augustine: Agile engineering practices will gain traction as teams and organizations that have implemented Scrum work on increasing code quality.</li>
<li>Gil Broza: Agile adoption will increase considerably, while the certification of newcomers will drop sharply in price and scale.</li>
<li>James Robertson: If a piece of technology is to succeed, it has to be, above all, convenient.</li>
<li>Masa K. Maeda: Agile-lean will become the new mainstream approach to project management and software development.</li>
<li>Arun Majumdar: Auditing of security from multiple levels, human to electronic, will become a major new growth area, especially in cloud computing and trusted infrastructure protection.</li>
<li>Jens Coldewey: In the next five years I expect a radical change in both the attitude and the reputation of programmers.</li>
<li>Carl Pritchard: Windows 7 will encounter its first serious breaches in 2010, leading to the inevitable questions about its long-term viability.</li>
<li>Scott Stribrny: The U.S. software industry, in 2010, will have an eroding share of the global software market&#8217;s value because of lack of the right talent within the American workforce.</li>
<li>William Ulrich: Organizations will realize that relying on business processes as sole input into SOA is unrealistic.</li>
</ul>
<p>We&#8217;ll keep updating this blog and the Cutter site as more predictions arrive. Do you agree with what these experts think will happen? Disagree? What do you predict?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.cutter.com/2009/12/23/cutter-experts-predict-trends-for-2010-and-beyond/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>A little bit about Cutter&#8217;s Summit 2009 program</title>
		<link>http://blog.cutter.com/2009/02/03/a-little-bit-about-cutter%e2%80%99s-summit-2009-program/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=a-little-bit-about-cutter%25e2%2580%2599s-summit-2009-program</link>
		<comments>http://blog.cutter.com/2009/02/03/a-little-bit-about-cutter%e2%80%99s-summit-2009-program/#comments</comments>
		<pubDate>Tue, 03 Feb 2009 18:33:06 +0000</pubDate>
		<dc:creator>Anne Mullaney</dc:creator>
				<category><![CDATA[Agile Project Management]]></category>
		<category><![CDATA[Business-IT Strategies]]></category>
		<category><![CDATA[Conferences+Events]]></category>
		<category><![CDATA[Enterprise Architecture]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security+Privacy]]></category>
		<category><![CDATA[Cutter-Consortium]]></category>
		<category><![CDATA[Summit]]></category>

		<guid isPermaLink="false">http://blog.37broad2.com/2009/02/03/a-little-bit-about-cutter%e2%80%99s-summit-2009-program/</guid>
		<description><![CDATA[Since we started putting out the word on Cutter&#8217;s annual Summit before the program was 100% final, I&#8217;ve received several emails asking about what else is on tap. We&#8217;ve got a packed program already, and we&#8217;re still squeezing more in! Again this year, there&#8217;s nothing &#8220;theoretical&#8221; about any of the sessions at the Summit. Every ...</p><p class='read-more'><a class='read-more button-c' href='http://blog.cutter.com/2009/02/03/a-little-bit-about-cutter%e2%80%99s-summit-2009-program/'>    Read more</a>]]></description>
			<content:encoded><![CDATA[<p>Since we started putting out the word on Cutter&#8217;s annual <a title="Cutter Consortium Summit 2009" href="http://www.cutter.com/summit/2009.html">Summit</a> before the program was 100% final, I&#8217;ve received several emails asking about what else is on tap. We&#8217;ve got a packed program already, and we&#8217;re still squeezing more in! Again this year, there&#8217;s nothing &#8220;theoretical&#8221; about any of the sessions at the Summit. Every keynote, case study, seminar and roundtable discussion is focused on the reality of dealing with the front-burner issues right now (with right now meaning May 4-6).</p>
<p>Here are just a few of the highlights:<br />
Steve Andriole&#8217;s keynote, <a title="Andriole Summit keynote" href="http://www.cutter.com/summit/2009/monday.html#andrioles">The 5 Essential Habits of Appropriately Paranoid Business Technology Strategists</a> is sure to raise some eyebrows. Maybe even tempers. If you&#8217;ve read any of the reports/articles Steve&#8217;s written for Cutter, or seen him in live action before, you know he pulls no punches. The awesome thing about Steve is that he just calls it like he sees it; sometimes he offends, but he always inspires.</p>
<p>Mark Seiden is another person who leaves you with your jaw hanging open. He&#8217;ll be keynoting about the <a title="Seiden Summit keynote" href="http://www.cutter.com/summit/2009/monday.html#seidenm">latest security breaches</a> and what your organization can do to prevent hacks. (And also what you can do to prevent having your PII and/or bank balance stolen.) Mark is a secret-agent-of-sorts in the internet security biz. The stories he tells will no doubt keep you up at night. His are the tales you&#8217;ll find yourself repeating to your friends.</p>
<p>Cutter&#8217;s been a leader in the Agile movement since its inception. We&#8217;re amazed and really pleased at how entrenched it has become. So what&#8217;s next? Now it&#8217;s time for Agile to move onward and upward &#8212; the <a title="Highsmith Summit keynote" href="http://www.cutter.com/summit/2009/wednesday.html#highsmithj">Agile Enterprise</a>. On Wednesday at the Summit, Jim Highsmith will give a 3-hour seminar on just how to scale agile up to larger and distributed projects. Jim&#8217;s into some pretty intense sports. He&#8217;s an avid mountain climber, skier, and cyclist. The perspective he&#8217;s gained from these sports, along with an incredible resume filled with stories of guiding successful agile transformations, colors his vision and gives him a unique take on agility.</p>
<p>We&#8217;ve also got a full-day of <a title="EA Summit seminars" href="http://www.cutter.com/summit/2009/wednesday.html#rosenm">Enterprise Architecture sessions</a> planned. Mike Rosen and John Tibbetts tackle collaboration, from an EA perspective. Jeroen van Tyn follows that with a session on operational business patterns. Ken Orr is up next with a case study. He&#8217;s just wrapped up a business architecture project for a large organization, and will talk about what went right and what went wrong &#8212; the proverbial lessons learned &#8212; so you can adopt the best practices and skip the duds. The afternoon will wrap up by bringing all four contestants back on stage for a panel/Q&amp;A session.</p>
<p>There is, of course, lots more to the program. (<a title="Summit 2009 Program" href="http://www.cutter.com/summit/2009/wednesday.html#rosenm">Details</a>.) And then there&#8217;s the downtime &#8212; plenty of time for getting to know all the participants, speakers and Cutter Senior Consultants. In the meantime, if you have questions or comments for the speakers, feel free to ask them in the comments of this post, and we&#8217;ll answer them here, too.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.cutter.com/2009/02/03/a-little-bit-about-cutter%e2%80%99s-summit-2009-program/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Are You Doing For Data Privacy Day On January 28?</title>
		<link>http://blog.cutter.com/2009/01/25/what-are-you-doing-for-data-privacy-day-on-january-28/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=what-are-you-doing-for-data-privacy-day-on-january-28</link>
		<comments>http://blog.cutter.com/2009/01/25/what-are-you-doing-for-data-privacy-day-on-january-28/#comments</comments>
		<pubDate>Mon, 26 Jan 2009 02:38:54 +0000</pubDate>
		<dc:creator>Rebecca Herold</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Security+Privacy]]></category>
		<category><![CDATA[awareness-and-training]]></category>
		<category><![CDATA[data-privacy-day]]></category>
		<category><![CDATA[information-security]]></category>
		<category><![CDATA[IT-compliance]]></category>
		<category><![CDATA[IT-training]]></category>
		<category><![CDATA[policies-and-procedures]]></category>
		<category><![CDATA[privacy-training]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[security-training]]></category>

		<guid isPermaLink="false">http://blog.37broad2.com/2009/01/25/what-are-you-doing-for-data-privacy-day-on-january-28/</guid>
		<description><![CDATA[Did you KNOW that January 28 was international Data Privacy Day? I bet most of you did not. Too bad. The way to help improve privacy practices within organizations is to raise awareness of privacy issues. I recently blogged about Data Privacy Day here and here. Are you planning to do something for Data Privacy Day? If ...</p><p class='read-more'><a class='read-more button-c' href='http://blog.cutter.com/2009/01/25/what-are-you-doing-for-data-privacy-day-on-january-28/'>    Read more</a>]]></description>
			<content:encoded><![CDATA[<p>Did you <strong><em>KNOW</em></strong> that January 28 was international Data Privacy Day? I bet most of you did not. Too bad. The way to help improve privacy practices within organizations is to raise awareness of privacy issues.</p>
<p>I recently blogged about Data Privacy Day <a href="http://www.realtime-itcompliance.com/privacy_and_compliance/2009/01/business_info_fact_of_the_day_5.htm">here</a> and <a href="http://www.realtime-itcompliance.com/privacy_and_compliance/2009/01/more_ideas_for_data_privacy_da.htm">here</a>.</p>
<p>Are you planning to do something for Data Privacy Day? If so, please let us know! I love to hear what folks do to observe such days, and to help raise awareness of information security and privacy issues.</p>
<p>Or, if you are not planning to do something, why? Too late of notice? You don&#8217;t see the point of doing anything? You think it is dumb? You think&#8230;???? Let us know!</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.cutter.com/2009/01/25/what-are-you-doing-for-data-privacy-day-on-january-28/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
	</channel>
</rss>

