Preparing Your Storage Environment for Tomorrow’s Opportunities

Businesses today can’t exist without data. They feed on it, breathe it, and those that understand how to most effectively harness it, achieve competitive advantage. Not only will those companies see returns today but tomorrow as well since they will be well-poised to seize future data storage opportunities and better leverage their data to make decisions and glean insight.

As you know, companies and consumers alike are producing data at a rate never seen before and this continues to increase. Those companies looking to the future know that they will need to support a data set vastly larger than the one they support today and at faster speeds. However, this is only part of the future storage landscape.

Setting

Looking towards the future in any industry can be difficult because so many things will change, but change is expected, often cumulative, consisting of a series of many small changes that overall shift the business and technology landscape forward. In this way, they are somewhat predictable even if we do not know the exact specifics of how those changes will take place.

It is true that organizations will have much more data in the future, but this huge amount of data will be spread among a variety of different providers including cloud services, local storage, peripheral devices, and datacenters. Employees will interface with their data not only via computers, browsers and apps, but through wearable technology and possibly augmented and virtual reality. Users will not be the only ones creating the data of the future. As sensors continue to decrease in cost, the Internet of Things (IoT) will become more prolific and see many new use cases.

In fact, IDC expects the “digital universe” of global data to double in size every two years between now and 2020, when it will reach 44 zettabytes.[1]

These changes will produce new storage opportunities for organizations.

Opportunities

The main opportunities for storage and IT will be in protecting data’s competitive advantage and achieving new insights and capabilities from integrating systems, while supporting larger data volumes and faster access to data.

Self-protecting data

Data today provides significant value to organizations. Without it, many companies would not be able to exist. The value of data will only increase and as that data is used in more and more places, securing it in the absence of traditional organizational security controls will be of prime importance because the secure data will allow companies to maintain their competitive advantage. Companies will do this by allowing data to be self-protecting. Data will need to be able to move freely but still enforce organizational security policies.

New insights and capabilities from system integration

Creation and consumption of data by users and things will take place on many devices, peripherals and connected things, managed by their own systems. Such systems will most likely be a diverse collection of companies and technologies. Those companies that can effectively integrate the data from these sources will be able to gain new intelligence and it will set the stage for data management opportunities.

One data management opportunity for future storage systems will be to reduce rework. Data created on one device can be shared with other devices, so that users do not need to recreate the data. This will be especially important for teams working on the same project. Organizations will be able to take this a step further and integrate data from different teams together, so components from one project or initiative are automatically correlated with others. This will increase agility and key business metrics such as time to market, closed sales or customer response time. Furthermore, the insights and uses of different systems will allow for users to utilize the data they create in multiple ways, enhancing data utility and maximizing the data’s organizational value.

Those companies skilled in data management will also be better equipped to protect data against loss. Data creation and change events can be tracked across systems so that they are effectively synchronized and archived.

Larger data volumes, faster speed

Companies and storage partners will need to effectively architect a solution that meets current and planned capacity and performance needs without introducing bottlenecks down the road. Disk has been our bottleneck for so many years that we are conditioned to focus on it, sometimes to the exclusion of other factors.

As flash storage approaches new heights in speed at lower price points, utilizing more open standards, bottlenecks will crop up in other parts of the storage network such as switches, Host Bus Adapters (HBAs), and virtual fabrics. Future ready solutions need to take this into consideration and allow for increased bandwidth, expandability and flexibility in the storage network and various interconnects such as WAN or cloud services.

Case in point – Wunderlich Securities Inc. implemented a flash-storage solution, and chief information officer Aaron Goodwin reports “We’ve got a lot of headroom for growth, plus more peace of mind.”

Future Ready Strategy

How effectively companies can utilize their current and future data will depend upon the ability of companies and their storage solutions to tag and categorize data, evaluate and integrate data platforms, build system organizational intelligence and empower end users.

Define policies for tagging and categorizing data now

Most data now are like a patient in the ICU without ID. Doctors don’t know who the person is, including their medical history which limits treatment options. Tagged data, like the patent with ID, has a history and it can tell that history to the applications that work with it. Some patients refuse care and some data will refuse to be accessed while others may be accessed with some restrictions.

Establish methods for evaluating and integrating data platforms

Data that exists in silos can only benefit applications and users operating within those platforms. Future ready companies will need to allow for secure integration between these diverse platforms. However, they will need to ensure that data leaving is protected and that incoming data is screened. The organizational data silos of today are like fresh water cisterns. Those can be combined together into a much larger collection, but introduce saltwater and the entire repository is unusable. Similarly, garbage data in a system will result in poor decision making, and new data created based on this data will be similarly flawed. This is particularly important for companies employing machine learning and artificial intelligence based business intelligence systems.

Build organizational intelligence and awareness into systems

From a security perspective, future ready storage solutions act more like a parent at a playground rather than an executive secretary. Whereas the secretary keeps the executive sealed off from the world, the parent lets their child experience the playground under the parent’s watchful eye. Those that believed the secretary would protect the executive’s schedule were proved wrong again and again as attackers pushed their way past the secretary or worked around her. The parent, while not infallible, is ever-ready to intervene. He or she is intelligent enough to make decisions in a changing environment with many simultaneous interactions and they can take appropriate action such as negotiating with other parents or communicating and coordinating with more powerful entities such as law enforcement when the need arises. Data, like that child, will need to interact with many systems under an intelligent, flexible guardian.

Empower end users

Lastly, users of tomorrow’s systems will need to be aware of how their creation and use of data impacts the organization. It is not enough to have effective data integration and security controls if users incorrectly categorize data, disclose it to unauthorized persons, or feel so restricted that they do not utilize the systems. Users must be empowered so that the technology and data allows them to work more effectively. Such users will embrace the technology and bring the most value to the organization. They will also find their careers more enjoyable when they do not need to compete with the technology. Technology should be a tool, not a restriction, a pencil rather than handcuffs. Are your storage systems ready for the future? It is coming faster than you think so prepare yourself for tomorrow’s opportunities.

Continue reading

A breach is found. Now whom do I tell?

In 2014, the Identity Theft Resource Center (ITRC) tracked 783 data security breaches with 85,611,528 confirmed records exposed. This year appears even more dismal. The ITRC Data Breach Reports1 for July 7, 2015, captured 411 data incidents with 117,678,050 confirmed records at risk. Because data breaches are a common occurrence in today’s information security threat landscape, it’s going to become de rigueur for companies to pump up security preparedness within their incident response plan.

“The plan cannot simply be static and gather dust; it requires upkeep. The incident response plan should change as requirements and environments change.”

— Edwin Covert, Norse Dark Matters

Bev Robb and Eric Vanderburg, two information security influencers, discuss which protocols companies should consider when a breach occurs.

Bev Robb

Robb: Attempts to contact a breached company (if the breach is unknown to them) often has no direct point of contact for reporting it. For example: Many times the Darkweb will discover vulnerabilities, exploit/extract the data and share or sell the stolen data before anyone outside of the Darkweb is aware that a breach has occurred. Aside from having a good incident response plan, I believe that there should also be a point of contact for reporting the breach directly to the company and it should be easy to find and openly accessible from the company website.

Eric Vanderburg

Vanderburg: You bring up a good point, and it is quite relevant considering that more than 69 percent of breaches are discovered by outsiders.2 I wonder how often a breach is discovered but not reported due to there being no easily discernible way to contact the organization. When organizations are discovering breaches within weeks or months of the breach3 rather than days, it is imperative that they make use of such a system to allow for breaches to be quickly reported. Of course, I don’t want to imply that organizations should not rely on others to notify them of their own breaches and not perform their own due diligence in breach detection.

So, with that said, the questions I see are who or which group should be the contact within an organization, how that person or entity can be contacted, and how reported breaches should be handled and investigated.

Robb: I think that before we look at who should be delegated as the breach contact within a company, we need to address the incident response plan. How many companies are actually proactively educating IT staff and their employees about breach response workflows? Is the incident response plan just hanging out and gathering dust or is the company conducting regular discussions, scenarios, and incident response drills? I believe that once we establish a solid foundation for a comprehensive incident response plan  the incident response plan should include a communications function within the plan indicating points of contact within the organization, as well as the contacts that will be handling external responses.

Vanderburg: The aforementioned elements should be integrated into the incident response plan and should be part of incident planning discussions. For example, the roles and responsibilities section would contain an incident reporting person and the validation section would describe how a reported incident is validated and whether it will be classified as an incident resulting in the enaction of further elements of the plan. As you mentioned, training should include identifying the contact person. I have led awareness training sessions and often I will ask the group members, “Whom do you contact to report an incident?” I sometimes get a variety of amusing responses but after I point out the person or group they should contact and then we walk through indicators of an incident and each person’s responsibility in protecting against data breaches.

Robb: Should the company have its incident response plan “in-house” or retain the services of a breach resolution partner?

Vanderburg: The incident response plan is an organizational document much like other policies and procedures so it should ultimately go through review from senior management and reside within the organization. However, it can be quite helpful to bring in experts in developing the plan so that best practices are implemented. Also, an organization may not have the necessary response resources available to them in-house so it is best to identify a third party that is willing and able to perform those activities and to document this in the plan. In such cases, the incident response plan or subsections of it would also reside with the third-party incident responder.

Robb: After visiting 10 random company websites from the Alexa top 100, there was no direct point of contact for reporting a data breach at any of these companies. Where should this be implemented in the incident response plan?

Vanderburg: Typically a generic email account such as breachreport@company.com would be forwarded on to one or more people mentioned in the roles and responsibilities section of the incident response plan. If there are multiple people who receive the message, the roles and responsibilities section should specify who would take the ticket. For example, there may be a rotation where someone is responsible each week or it could be based on which shift a person works. In other cases, there is a primary contact and a secondary or “deputy” contact when the primary is unavailable.

Lastly, metrics should be tracked on response time for breach reports to foster continuous improvement and the actions should be audited to ensure consistency.

—————————–

There is little doubt that a well-considered, up-to-date and frequently tested incident response plan is a critical part and parcel of any company’s incident security program. It is also recommended that companies revisit their website navigation design and implement a data breach “point of contact” in the primary navigation area.

Resources: 

Breach Defense Playbook: Incident Response Readiness (Part 1)

Breach Defense Playbook: Incident Response Readiness (Part 2)

Dell SecureWorks: Incident Response Plan: 3 Most Important Elements

How To Build a Data Breach Response Plan: 5 Great Resources

Tips for Starting a Security Incident Response Program

Veracode: 5 Best Practices in Data Breach Incident Response

Footnotes

1IDT911.”ITRC Data Breach Reports.” ITRC 2015. Web. 7, July 2015. http://www.idtheftcenter.org/images/breach/DataBreachReports_2015.pdf
2Heberlein, T (2015, May 29) What Percent of Breaches By Outsiders Are Not Detected By Organizations? [Web log post]. Retrieved July 8, 2015, from http://www.toddheberlein.com/blog/2015/5/29/what-percent-of-breaches-by-outsiders-are-not-detected-by-organizations
3Drinkwater, D (2014, April 14) Data Breach Discovery Takes Weeks or Months [Web log post]. Retrieved July 8, 2015, from http://www.scmagazineuk.com/data-breach-discovery-takes-weeks-or-months/article/343638/

Continue reading

An elegy for privacy

In childhood I dreamed of a world quite grand
Where my name and face were far from mystery
A life far removed from one boring and bland
Popular, famous, in fact, pure fantasy

How could I know that my dream would become real
My name and identity are known far and wide
Governments, stores, and thieves don’t need to steal
I’ve given it freely, when asked, I provide

Now everything is different, complex, distorted
Reportedly the data on me is vast
All that I do is electronically recorded
Much of it collected to chronicle my past

I’m lacking in answers but mired in questions
How do you know data collectors will be honest?
If they’re not tracking me, explain ad suggestions
Is this the future that technology promised?

Oh give me the life that was simple and understood
When I was myself as no other could be
Alas it is gone and lamenting is no good
All that I want is a little privacy

The case for consistency in security

Security spending could be compared to the stock market. It increases and decreases depending on intangibles such as how “at-risk” the organization feels rather than on objective measures such as the number of cyberattacks, vulnerabilities or data breaches.

An organization may put technical controls in place, educate employees and establish new policies immediately following a breach, but over time the technology becomes outdated and no longer protects the organization as it should. Memory of the breach fades, causing exceptions to be made to the firm’s policies and leading to forgetfulness in employee adherence to best-practice procedures. Eventually, another incident causes the organization to spend money again, and the cycle starts all over.

This situation is detrimental to companies in two ways. First, it results in periods when the organization is quite vulnerable. Also, in the end, more money is spent on security than would have been required if security spending were consistent from quarter to quarter. In fact, effective IT security solutions contribute to business success and profitability. Let’s explore this by looking at major areas where security dollars go; technology, governance, and training.

Technology

Technology such as firewalls, Intrusion Detection Systems (IDS), antivirus software, authentication systems or auditing and alerting systems, is essential to protecting organizational information assets but technology is quickly outdated. More sophisticated attacks or better equipment on the part of the attackers necessitates increased investment by organizations to protect themselves.

Consistent spending keeps technology up to date so that it continues to address current risks. It is also much easier to make incremental improvements to address new risks rather than design a completely new solution. Those who maintain security systems have a better understanding of how the product protects against threats and how it can be modified if necessary.

Governance

Governance includes the policies that spell out the organization’s approach to information security such as how users will be authenticated, how data is classified, roles and responsibilities and sanctions for those who do not follow policies. Procedures document how specific tasks are performed to accomplish what is set forth in the policies. When security spending is consistent, policies are updated so that they are in line with business objectives. When inconsistent, policies may conflict with business objectives and the policies are either ignored or business objectives are not met.

Similarly, consistent security spending allows for procedures to be updated as technology and forms of attack change. When spending is irregular, procedures may be followed but won’t adequately protect the organization or informal undocumented procedures may occur — which affects operational effectiveness. Lastly, policies are enforced when security spending is systematic, leading to regular patterns of behavior and a culture that sustains security rather than obstructing it.

Training

Training is also more effective with consistent security spending because it keeps security awareness top of mind. Otherwise, employees will need to be completely retrained on information security because much of the information is forgotten.

So how is security spending addressed in your organization? Is it consistent and proactive or inconsistent and reactive?

Continue reading

Star Trek Biofilters and Terahertz ray technology

The biofilters from Star Trek may some day become reality.  The Star Trek biofilter is a device that scans for harmful biological substances and it was primarily used as part of the transporter system.  This technology that seemed so fantastical might soon be seen in airports, hospitals, postal offices, and ports.  The technology is called a terahertz scanner.  Terahertz ray technology is being researched as a way to identify bioterrorism agents in amounts as small as parts per billion.  Terahertz scanners operate on a different area of the spectrum from x-rays so scans from them would not be harmful to people.  These scanners, if perfected, could be installed to check packages for harmful agents or to check people entering and leaving secure areas to determine if they are carrying a harmful agent.  The scanners work in real time so there is no need to wait for an interpretation of a scan.  People could walk through an area normally and only be stopped if there was a concern with the terahertz findings. 

See this article in the New Jersey times for more details. 

Virtualization for Competitive Advantage | Cleveland State University

I will be joining Pei-Ying Lin at Cleveland State University today to present on Virtualization for Competitive Advantage.  Virtualization can easily transform your IT infrastructure, making your business more agile and give you better ROI on your IT equipment.  You can view the presentation below.

Interviewing Tips from Microsoft

In a 2008 blog entry by Steve Clayton at Microsoft, he mentions the five things he looks for in candidates when hiring.  This information is useful for both job candidates and those looking for qualified people.  Here are his five tips:
  1. Hire for diversity, not consistency – I wanted people in my team as diverse as I could. Having twenty brilliant but unmanageable tech wizards in the team don’t work. Balancing out the wizards with the delivery guys worked out well.
  2. Hire Delivery Guys (and girls) – I don’t mean postal workers. I mean make sure you have folks who simply deliver – again and again, on time and with minimum fuss. When the chips are down, they come to the fore, and your wizards take a back seat. As a side note, figure out what makes these people happy and reward them well. They’re gold.
  3. Hire Wizards – in my experience everyone great team has one (or more) who are just brilliant minds. They’re the creative ideas people who differentiate you from the average team. They’re often a nightmare to manage, but they’re worth it. How do you know a wizard? They’re curious
  4. Hire Curious People – by this I mean people who have a natural curiosity. Stephen’s mentions this in his interview with Bill Taylor, and it struck a chord with me. These are the people who ask questions. Constantly. They may not ask questions out loud, but they will question things and often go away and explore to find the answer for themselves. They may never need the information or us it – but one day they may. Trust me this is a very valuable skill. These people become information hubs, and you hear their names again and again in the company as they’re “go to” people. I learnt some of this from my Granddad…but that’s a story for another day.
  5. Hire Passionate Readers – this doesn’t mean hire people who read Mills and Boon. It’s similar to curious people but worth calling out separately. A friend (who is a wizard and curious) taught me this interview question when I joined Microsoft. Ask someone what magazine they regularly read. Let’s say they answer with WIRED. Then ask them how many back issues they have in their loft. It’s not a deal breaker question, but my guess is if you’re reading this you know what I mean. People who are passionate about stuff read about it. A LOT. Okay so they may read online now, and this question may be dated but try it anyway. They may say “ah I just auctioned off my 8-year collection of National Geographic on eBay.” That’s a hire.

For interviewing help go to http://interviewexcellence.org