Messaging News - The Technology of Email and Instant Messaging

Some Musings on the Facebook IPO

Michael Osterman — Thu, 24 May 2012 17:17:11 +0000

Since everyone else seems to be weighing in on Facebook’s IPO and the subsequent surprise in its valuation in the days following, I thought I might pass along a few thoughts on what I think this might mean:

Learning from the past is important: Before the dot-com bubble burst a little over a decade ago, the inclusion of “Internet” or “Web” in a startup’s business plan was about all that was needed to get investors to throw cash their way. After the bubble deflated rather rapidly, investors and business managers re-learned the basic principle that business fundamentals and realistic market assessments are more important than hype. Then along came social media and most of the lessons learned were lost, and are now being relearned since last Friday’s Facebook IPO. Admittedly, Mr. Zuckerberg was a teenager when the dot-com bubble popped, but many of his older advisors who lived through it should have been paying more attention.
Real-world thinking and math are important: One of the fundamental problems that the Facebook IPO surfaced is that many investors considered the social media business as fundamentally different than other types of businesses. It’s not. For example, would you buy a restaurant if it was priced at $115 per customer—and if its average customer spent $4.84 per year? Probably not, but many Facebook investors were willing to do just that—up until a few days ago anyway.
Social media is still important: A knee-jerk reaction by some might be to discount the importance of social media in the workplace, for advertising, or for commerce in general. After all, if the biggest, most popular and most pervasive social media company can’t generate sufficient interest in its IPO, some might surmise that the category isn’t as important as they were led to believe. However, it is important to remember that social media is perhaps the most important development in communications and collaboration for the past decade. In the workplace, it offers enormous potential on a variety of fronts, including real-time analytics to improve business processes and decision making, the ability to establish deeper connections with those inside and outside a company, the ability to enable informal interaction and insight gathering in a way that other tools cannot—and we’re just scratching the surface.
Reputation and likability are important: A recent survey found that Facebook is the most hated social media company in the United States, while Google is among the best-liked companies. Facebook’s IPO has seriously disappointed, while Google’s stock price has increased nearly six times since its IPO. I think there’s a connection here.
Beware of popularity without impact: Facebook is extraordinarily popular, used by 900 million people around the world and the numbers continue to grow. However, users spend relatively little money with Facebook as a result of their interaction with it. The lessons here are (a.) that popularity doesn’t necessarily lead to impact, (b.) impact doesn’t necessarily need popularity, and (c.) build your brand (and your life) so that if you disappeared tomorrow you would be missed.
Nothing has really changed: Although Facebook’s IPO has been a debacle in a way that relatively few could have guessed just a few days ago, nothing fundamentally has changed. Facebook is still used by 900 million people and counting, you can still “like” the breakfast or vacation or video that one of your friends just posted, and the money that some people lost investing in Facebook last week is still there, just in different pockets.

Is There A Place for Social Networking in Modern Healthcare Delivery?

Stephanie Jordan — Wed, 23 May 2012 18:35:14 +0000

I recently reviewed two reports that opined on the role that social networking should (and shouldn’t) play for healthcare providers, which gives food for thought to any professional.

The first report, Cooperation, Communication, Coordination: Three Pillars of Collaborative Teamwork from IDC Health Insights (April 2012), reviews the “transformation of the healthcare delivery model.”

Of the “four Cs” of effective teamwork, social networking is listed as a key area for healthcare providers, noting that the medium is useful in “health and wellness, disease management, clinical trial recruitment, maintenance of personal health records, treatment, hospital and physician selection, and other important aspects of healthcare delivery.”

The authors, Jan Duffy and Silvia Piai, note that in particular staff shortages, cost constraints and service demands have increased the need for more efficient and effective communications. This led the IDC research team to predict that mobile technology, providing access to data on the go, and social networking among providers to be an essential ingredient to the evolving healthcare delivery model.

Where it appears social networking does not belong is between patient and provider. In a Sophos blog this week, Lisa Vaas reports on how hospital administrators, concerned about the lack of professionalism and data leakage, are recommending healthcare providers do not set up relationships with patients in social networking sites (in particular she lists Facebook and Twitter).

This cautionary approach is echoed by policy guidelines that the American Medical Association drafted this year titled Professionalism in the Use of Social Media. The policy is well thought out and while it does not recommend complete abstinence from social networking, it does offer cautions of how to best use the medium and maintain professionalism. Noting the need for appropriate boundaries, ethics, the need to monitor, and if need be, to have unprofessional content posted by colleagues taken down, these guidelines would be useful to anyone who is in a business-to-client, or to-customer relationship. It is worthy of a read, if only to remind us of our own need to protect our online reputations.

Vaas also points to a study (PDF), published last August by QuantiaMD, an online community for physicians, that upon surveying over 4,000 clinicians concluded that over 65% of physicians are using social media for professional purposes.

I suspect that number will grow rapidly over the next few years. Last summer, the Pew Internet & American Life Project conducted a study called, Social Networking Sites and Our Lives. The report was authored by Keith Hampton and revealed that more people are using social networking sites. Hampton says “the figure is now 47% of the entire adult population, compared with 26% that was measured in our similar 2008 survey. Among other things, this means the average age of adult social networking site users has shifted from 33 in 2008 to 38 in 2010. Over half of all adult social networking site users are now over the age of 35.”

As with many trends, the bleed over from personal life to professional life will mean that social networking will continue to rise in the professional realm as people become more and more comfortable with the medium.

Social networking may be a road to enhanced patient care, but it may not be a primary element in patient-provider communications.

The Road to Secure Collaboration

Stephanie Jordan — Wed, 23 May 2012 04:38:20 +0000

Email dominates business communications despite being little more than a one-to-one/one-to-many “push” technology that hasn’t kept pace with the modern business world, doesn’t facilitate true interactive, many-to-many collaboration, and suffers from a range of size and security restrictions due to its underlying SMTP-based infrastructure. For instance, stakeholders can only exchange marked-up digital documents--which require consolidation and redistribution for verification--rather than share and develop one copy of a digital document. And in 2012, that simply won’t suffice.

When the very first email was sent in 1971, few imagined that in a relatively short period of time email would become the business communication tool of a generation. Initially, email remained in the hands of those with ARPANET access, Unix Newsgroup access, or access to mainframes like BITNET.

But when PCs were connected to LANs in the early 1980s, a revolution began. Server-based email systems replaced paper and voice systems for closed-network communication, which in turn demanded the advent of email gateways that would allow disparate networks to talk to each other.

These gateways initiated a second wave of email technology--security software to protect users and enterprises from malicious content, such as SPAM, which can severely affect resources, and malware and viruses, which can wreak havoc on IT infrastructures. Soon, IT departments began to implement user policies, apply policy-based filtering, and utilize data-leakage-management controls. The importance of protecting and controlling information flowing in and out of enterprises was clearer than ever.

Today, the need for tools that facilitate true interactive, many-to-many collaboration within and among enterprises has led to the rise of a “simple collaboration” paradigm that features cloud-based, easy-to-use, quick-to-deploy, self-provisioned services. These services empower users to share files completely outside the enterprise’s control, and are nimble--in a way IT currently is not--at providing and provisioning the tools users need and prefer.

At the enterprise level, this is unacceptable and dangerous, and most organizations are beginning to realize that they risk serious exposure from malicious content and data leakage due to this new lack of enterprise control over data sharing. How, they wonder, can they avoid becoming the next headline on MSNBC?

Well, for starters, they have to extend the goal of simple collaboration to include secure collaboration--that is, the ability to seamlessly control the flow and protect the integrity of critical business information without reducing employee productivity. And the good news is that it’s not that hard, because the security fundamentals of a modern enterprise email gateway are also the fundamentals that ensure secure collaboration:

Integration with the corporate enterprise directory, such as AD or LDAP, for authentication and authorization control
Integration with corporate-controlled policy engines for policy enforcement and data loss prevention (DLP)
Use of corporate storage and encryption technologies
Use of corporate antivirus and malware scanning for protection from malicious content
Use of enterprise-quality multi-tenancy for secure department and group separation

At the same time, enterprises must meet user demand not just for secure collaboration tools, but also easy-to-use collaboration tools that help them get their jobs done efficiently. So, for instance, enterprise users want to be able to move easily between email--the collaboration tool of today--and collaborative spaces--the collaboration tool of tomorrow. They need to be able to send large attachments from an interface they are familiar with (e-mail) with the confidence that they will arrive safely at the right collaboration space. And then they must be able to send those documents securely back into the email channel from that collaboration space.

And unlike commercial cloud offerings, all of this collaborative activity must remain under the enterprise’s control.

Whether they choose on-premise, private cloud, or public cloud hosting services, enterprise IT departments must be able to deploy solutions and integrate them with the aforementioned controls, directories, policy and DLP engines, and storage-and-encryption/key-management technologies. These extensible solutions must integrate with the enterprise’s existing business and operational solutions and drive the business--the very reason data is being exchanged and collaboration is occurring in the first place.

This second wave of collaboration technology--secure enterprise collaboration--will leverage the tactics born out of the second wave of email technology, when IT departments applied policy filtering and security controls to protect against threats such as SPAM and data leakage.

At last, business users will finally have the easy-to-use, secure collaboration tools they want, and the enterprise will have the peace-of-mind they need.

About Mark Schertler
Mark Schertler currently serves as the Chief Security Architect for Axway where his responsibilities include leading the security and privacy efforts for Axway’s SAAS offerings, the integration of Secure Application Development Life Cycle (SDL) practice into Axway’s worldwide engineering processes, and leading the engineering business unit.

What Really Is the "D" in BYOD?

Michael Osterman — Wed, 09 May 2012 18:59:49 +0000

The Bring Your Own Device (BYOD) trend is consuming lots of digital ink on blogs, IT managers are wrestling with the problems created by it, and a growing number of vendors are addressing the issue with innovative new solutions. But when we talk about the “Device” in BYOD, what do we really mean? I contend that BYOD should really be BYODA: Bring Your Own Devices and Applications (remember, you saw it here first!).

The problems with BYOD in a device-only context are several:

IT must spend more of its already scarce time to manage employee-owned devices like iPhones, iPads, Android smartphones, Android tablets, etc., in addition to the devices they supply to employees. This consumes an increasing amount of staff time in IT departments that are already resource- and budget constrained.
More strategically, employee-owned devices that access corporate applications, download email, store attachments and the like are mini-repositories of sensitive and confidential information that can create a variety of compliance problems. For example, a lost device that cannot be remotely wiped (not all companies have yet implemented this capability) can create enormous data breach notification problems, not to mention the potential exposure of intellectual property.
Even for devices that are not lost, imagine going through an e-discovery, regulatory audit or similar exercise in which you have to identify, search and extract data from potentially thousands of devices that are spread around the globe.
When employees leave your company, you have to ensure that a) sensitive or confidential corporate data has been returned to the company along with the device itself and b) that copies are not stored in repositories outside of IT’s control.

How are these problems any different for an organization when users download Dropbox, share company files via Hotmail to get around file-size limits in the corporate email system, or post information to Twitter or Facebook? Fundamentally, the problems are the same for devices as they are for applications: IT must spend time managing/blocking/creating policies about these applications if they want to exercise any sort of control over the content stored or sent using them, they face compliance issues when data is stored in personal cloud repositories, they face the same kinds of search and extraction problems when going through e-discovery or regulatory audits, and they have no assurance that corporate content is not still somewhere in the cloud after an employee leaves.

In short, the BYOD problem is not really a device-focused issue, it’s part of a larger governance issue that encompasses both devices and potentially thousands of different (mostly cloud) applications.

Can You Allow BYOD and Still Secure Business Data?

Stephanie Jordan — Wed, 02 May 2012 02:16:23 +0000

By nature SMBs need the flexibility and productivity that personal devices now offer. But is the company at risk with the fast adoption of “consumer” BYOD practices? There was a time when cool gadgets and slick computers were only found in business environments and the selection was the domain of IT. But today, as smartphones get smarter and smarter and connectivity is available anywhere, more devices are coming into the workplace not from IT, but from users directly. For small- and medium-sized companies, this is especially true. Gartner is predicting that end-users will be responsible for 50 percent of business IT procurement decisions. From what I hear, it seems like the percentage will likely be higher. BYOD (bring your own device) is now common in all sizes of organizations. Should specific policies be in place to address this ongoing practice?

A recent informal survey of 500 IT professionals, conducted by Mimecast, a provider of email archiving, continuity, and security for Microsoft Exchange and Office 365, found 74 percent of the respondents emphasized that the biggest BYOD challenge was managing information security.

“Employee support for consumerization of IT is in full swing, whether business leaders are ready to admit it or not,” believes Orlando Scott-Cowley, senior product marketing manager of Mimecast.

Here are some recommendations from Mimecast for managing BYOD:

Provide comprehensive support—Employees will work around corporate IT infrastructure in order to be productive and find ways to leverage their personal devices, regardless of if they’re supported by the business or not. Supporting as many computing platforms as possible will ensure employees are accessing and sharing business data within a secure environment approved by the organization.
Focus on data—Seventy-one percent of those surveyed identified their role as a data custodian or someone responsible for locating content and establishing context that is aligned with associated business rules. An organization’s mobile strategy therefore needs to not only enable IT professionals to effectively manage the volume of data, but also provide the solutions that allow employees to securely access and leverage data as a business asset.
Enable productivity—Identify the business applications employees rely on—such as the organization’s email or social collaboration tools—and provide mobile and tablet support for these applications to ensure employees can remain productive.

For any size business it is a worthwhile exercise to discover what employees are using within the network and what might be happening outside the network that is work related. If you are in a business that has compliance regulations to adhere to or have proprietary information to protect, BYOD can jeopardize the company through data leakage. Holding educational sessions with employees about malware, data leakage, and what might be against company policy on devices is an important piece of any policy.

What Devices Are Most Popular?

The IT professionals that participated in the Mimecast survey named the specific personal devices they currently own, with Apple and Android devices leading the pack. Although over half (56.3 percent) of the respondents indicated they were working on a Windows PC, 87.3 percent own a device running off the Apple operating system, with 44.5 percent owning an iPhone and 42.8 percent owning an iPad. Android mobile and tablet ownership followed, with 51.3 percent ownership, and Windows and Blackberry devices followed, with 26 percent and 19.2 percent ownership, respectively.

The smartphone market is, quite simply, on fire. IDC recently reported the worldwide smartphone market grew 42.5 percent year-over-year in 1Q12. But contrary to the survey respondents, it wasn’t Google’s Android or Apple’s iPhone in the top spot, it was Samsung.

“The race between Apple and Samsung remained tight during the quarter, even as both companies posted growth in key areas,” said Ramon Llamas, senior research analyst with IDC’s Mobile Phone Technology and Trends program. “Apple launched its popular iPhone 4S in additional key markets, most notably in China, and Samsung experienced continued success from its Galaxy Note smartphone/tablet and other Galaxy smartphones. With other companies in the midst of major strategic transitions, the contest between Apple and Samsung will bear close observation as hotly-anticipated new models are launched.”

Set Up A Policy

With the number of smartphone and tablets flying off the shelves, there will only be more and more of them appearing in the workplace. There are a number of templates available that offer sample BYOD policy options. At the minimum, a BYOD policy should cover user responsibility, establishing security settings, use of passwords, information classification, camera use, email security requirements and the outlining of unauthorized activity.

As with any policy, employees understanding of the policy is key, along with a policy enforcement plan.

Proofpoint IPO Has Good Debut Amid Tech Stock Rollercoaster

Stephanie Jordan — Tue, 01 May 2012 04:41:21 +0000

This month Proofpoint Inc, one of the original security-as-a-service providers, took the plunge and launched its IPO, trading on the NASDAQ Global Market. Gary Steele, CEO, had the honor of ringing the Opening Bell on April 20 to commemorate the event.

IPOs in the anti-spam space are less common than acquisitions. In the past eight years of movement in “big name” security vendors I’m not sure I can think of one that went public. Brightmail was bought by Symantec. FrontBridge was swallowed by Microsoft. CypherTrust went to Secure Computing, which went to McAfee (as did MX Logic). IronPort was acquired by Cisco. Postini was taken by Google.

After 10 years in the market, Proofpoint’s IPO had a solid start selling 6.3 million shares at $13. The open market price was $16.85, up nearly 30 percent. The company is trading on NASDAQ as PFPT.

Proofpoint’s timing proved pretty good, as the NASDAQ had its best day of 2012 last week, following a bumpy period. One of the most popular tech stocks, Apple, hit a three year high last week, however this week that stock started off with a 3.15 percent drop by close; bringing NASDAQ down with it.

In contrast, Proofpoint stock is holding with a close today at $13.10.

The high tech stock most people are awaiting, of course, is Facebook. The plans for launching the IPO was expected in a few weeks, but rumors are flying of delays. Some are reporting that Facebook’s IPO, when it does happen, may be the largest Silicon Valley IPO ever.

Measuring Social Media Success

Stephanie Jordan — Tue, 01 May 2012 04:31:28 +0000

While social media as a messaging medium has become a mainstay, e-marketers are still learning how best to incorporate this latest channel into marketing practices and to define what success looks like. The E-tailing Group offered a synopsis of its recent Annual Merchant Survey in its whitepaper Metrics Therapy—Details, Dashboards and Diligence authored by E-tailing Group President Lauren Freedman and sponsored by Baynote. The section on social media success was of particular interest.

The survey included responses of 147 merchants and how they are thinking of metrics today and how those metrics are used to drive business decisions. The no-brainer metric is the number of Facebook fans or Twitter followers. But according to the findings, retailers are looking for ways to measure social beyond engagement. There are other metrics being used like click-through rates to retail site from social media, growth rate year-over-year for pre-determined KPIs, number of YouTube views, sales from social networks, improved SEO, PR and media exposure, and video sharing rates.

“Interactivity seemed to be of greater interest for retailers to clarify how wide a net was being cast in the social stratosphere,” writes Freedman. “This moved beyond the number of fans to the levels of conversation and how much they were promoted and shared. Interest in growing social as a communication tool means monitoring the conversations and jumping in to bolster activity.”

Another merchant advocated not counting the number of fans, but rather count the number of comments on posts, returning views and overall time spent using the social media channel.

Freedman also notes that, “More sophisticated players are attempting to track the cost to acquire a new fan and understand where and when they convert in order to put necessary social resources in place.” Another metric to consider: tracking who is signing up for emails from social locations and tracking subsequent engagement with the company.

Additional areas Freedman says to pay attention to:

Referral sources (blogs, Facebook, Twitter)
Where traffic is derived from
General onsite sharing tools (share, like)

When considering what is successful with e-marketing today, it is not just about transactions anymore. Interactions with the company and building relationships is the real value social media can bring, at a relatively low cost. This is true for B2C markets, but also holds true for B2B.

SSL Wildcard and Multi-Domain Certificates

Ben Gross — Mon, 30 Apr 2012 18:22:17 +0000

For better and more recently often for worse, SSL certificates provide the security for the data in transit for many modern protocols, most commonly the web. Every time you see a URL that starts with https rather than http, you are using SSL. Typically, SSL certificates are designated for only a single host such as www.example.com or shoppingcart.example.com. However, most modern businesses may have many hosts that run services that they wish to security with SSL and these hosts and services may have different security requirements and different public visibility. Certificate authorities offer multiple types of SSL certificates to match different requirements, in particular there are several kinds of certificates that can support security multiple hosts with a single certificate. These include types known as multi-domain certificates, Subject Alternative Name (SAN) certificates, Unified Communications Certificates (UCC), and wildcard certificates. Since example.com is considered a separate host from www.example.com--this is one of the most common situations--most certificate authorities will provide you with a certificate that will work for both www.example.com and example.com for the price of a single certificate.

The second name on the SSL certificate, such as example.com, is an important technicality that unfortunately needs some additional explanation. It is accomplished with Subject Alternative Name or subjectAltName (SAN) extension that appeared in X.509 version 3 PKI specification that defines much of what we think of as SSL. For the purposes of this article, think of the SAN as a field on the SSL certificate. The alternative names may be other hosts other domains or a hostname wildcard. All modern browsers support SAN fields, however older Symbian OS 9.1 and earlier and Palm Treo devices do not. In practice, supporting multiple domains on a single certificate is difficult, although support for multiple domains offers a great advantage for web servers that run virtual hosts, so that a single server may support multiple secure domains using a single IP address. The Server Name Indication (SNI) extension is one solution to this problem, however support is not universal, as it will not work with older operating systems such as Windows XP.

Unified Communications Certificates (UCC) are SAN certificates that are typically intended for use on Microsoft Exchange Server 2007 or 2010 installations that need multiple hostnames such as mail.example.com, owa.example.com, smtp.example.com, and autodiscover.example.com. In addition, UCC certificates can include NetBIOS names for configurations with older clients. UCC certificates can also be used with Microsoft Lync installations.

Another type of multi-domain certificates is known as a wildcard certificate, which allows a single certificate to secure an arbitrary number of hosts in a single subdomain such as *.example.com that could include www.example.com, mail.example.com, calendar.example.com, portal.example.com, and so forth. In addition, some certificate authorities will provide the option to include hosts via Subject Alternative Names on the certificate that can also secure example.com as well as other hosts that may need to be used with older mobile devices such as those running Windows Mobile 5. Some certificate authorities may restrict the number of different servers that are allowable for use with a single wildcard certificate via a license agreement even if it is technically possible to use the certificate on an unlimited number of machines. If this aspect is a consideration, you will want to check your license agreement carefully.

Most certificate authorities offer a wildcard certificate products. Not all certificate types are available as wildcards. For example, one of the certificate authority industry associations, the CA/Browser Forum says that the domain name field "“must contain one or more host domain name(s) owned or controlled by the Subject and to be associated with Subject’s publicly accessible server. Such server may be owned and operated by the Subject or another entity (e.g., a hosting service). Wildcard certificates are not allowed for EV SSL Certificates.”

Pros and Cons of Wildcard Certificates

I commonly read arguments against wildcard certificates that I think are a bit specious. For example, I regularly heard that wildcard certificates are more expensive. This is true in the sense that they cost more than a single certificate, but if you have many hosts you wish to secure, such as many development server machines, the cost can be quite competitive. I recently purchased, a RapidSSL wildcard certificate for $150, while the least expensive UCC certificate I found was about $300.

I also frequently hear the argument that wildcard certificates are less secure. The argument follows that if one machine has a compromised SSL private key then all machines with that certificate would also be compromised. This is true, but mostly a red herring. If a typical web server is compromised so badly that someone can extract the private keys from the SSL certificates, then you likely have far greater problems and should probably reissue your certificates in any case. The extra work is minimal compared to the overall remediation problem. Some vendors such as DigiCert will issue unique variants of a single wildcard SSL certificate to reduce the damage from any one key leaking. This said, wildcard certificates are frequently used in a manner that is insecure and any certificate that is used on more than one machine should be treated with additional caution.

Wildcard certificates are best used when it is desirable to secure a large number of independent services and the cost of purchasing certificates would be prohibitive otherwise. As I mentioned earlier, support for SNI is still not as widespread as one would hope, so you will likely need one IP address or port per server unless you are certain that your user base is modern enough to support SNI. One additional note of caution, wildcard certificates can be finicky with Microsoft Exchange, especially versions older than 2010 and it is not currently possible to use a wildcard certificate with Microsoft Lync.

I have written about SSL certificates a number of other times including: Purchasing SSL Certificates, No Frills SSL Certificates Are Inexpensive and Useful, Smartphone Anti-Phishing Protection Leaves Much to Be Desired, SSL Is Critical Infrastructure at Risk

Will Infected Macs Dampen Apple's Stock?

Stephanie Jordan — Fri, 27 Apr 2012 05:08:07 +0000

April’s reappearance of a Flashback variant—the most recent being Flashback.C, which masqueraded as an update to Adobe Flash Player and discovered last fall—is too recent to have any impact on this week’s Apple earnings reports and stock reaction, but one wonders if this crack in the oft-cited “more secure platform” that Apple has enjoyed will change in the future.

This week, Apple stock climbed back above $600 a share after suffering two weeks of losses. The gain coincided with Apple’s fiscal 2012-second quarter (ending March 31) earnings announcement, which states quarterly revenue of $39.2 billion and quarterly net profit of $11.6 billion.

The stock decline of two weeks ago happened at the same time as the news of the current Trojan became publicized. Infected Macs are projected to be in the neighborhood of 650,000 but there seems to be trouble detecting and confirming the accuracy of that number. Dubbed “the most successful botnet attack ever on the Mac OS X platform,” it is estimated that half of the infected machines are in the U.S.

According to its earnings announcement, Apple realized an 88 percent iPhone unit growth, as compared to last year in the same period. Apple iPads continue to soar in popularity with 11.8 million sold during the quarter, representing a 151 percent unit increase over the year-ago quarter. A more modest growth was seen with 4 million Macs sold during the quarter, a 7 percent unit increase over the year-ago quarter.

As for the virus, notes F-Secure in a blog earlier this month: “If you haven’t already disabled your Java client, please do so before this thing really becomes an outbreak.” The company posted instructions on how to disable Java.

For its part, Apple did publish a security update for Java in about 24 hours upon discovery, which some report was “too long.”

Is Wall Street worried about such things as viruses on Macs? Appears not, when compared to the phenomenal growth of iPhones. One enthusiastic analyst, Brian White of Topeka Capital Markets, upon review of the financial results this week put a price target “from $1,001 to $1,011” on the stock. White is quoted as saying: “We believe the negative vibes that have held back the stock over the past couple of weeks will now be replaced with the fear of missing the next leg up in the stock price.”

Google Takes on Competitors, Privacy Issues, Makes Google Drive Core Service

Stephanie Jordan — Fri, 27 Apr 2012 04:54:06 +0000

The long awaited Google Drive made its debut this week amid a flow of commentary both pro and con for the product. In theory the product is late to the cloud party with rivals such as Dropbox, Microsoft’s SkyDrive, Apple’s iCloud among others firmly underway. Cloud-anything has been hot for some time now, and many Google users have eagerly awaited the ability to sync files between smartphone, tablet and computer.

Google’s motives for the product, believes some, go way beyond a cool product feature set. Mark Little, principal analyst at Ovum, for one, says “With Google Drive, Google has recognized the potential of shared cloud storage as a consumer hub or open platform that can be central to developing third-party apps such as video editing, sending faxes, and creating websites, with potential for a far greater range of applications from its busy community of third-party developers.”

Little thinks the platform potential of Google Drive is of strategic importance, leveraging “Google’s developer strengths and competitive pricing (50% cheaper than Apple’s iCloud in some cases) to drive penetration of its cloud offering via both consumer and enterprise channels.”

As with many of the cloud offerings, security and privacy are of concern to IT administrators tasked with maintaining compliance and content care. Earlier this year, Google announced a controversial consolidating of its privacy policies from more than 60 down to one main privacy policy. The policy took effect March 1, even as it was being contested by users, privacy advocates and countries (most notably France, which has very strict privacy requirements.)

Privacy advocates are trying to nail down just what Google can do with the content once users upload their content to Google Drive. The new privacy policy is making what Google does across its offerings and what is shared a bit muddy. There has been much talk about sensitive data and whether or not it should be uploaded to Google Drive at all.

Privacy is not a new problem for Google. Recently the FTC has undertaken an investigation into Google’s bypass of the default privacy settings of Apple’s Safari browser for Google users. (The company contends that the change in default settings for Safari browsers were necessary to allow the “+1” button connected to its Google+ social network to work with Apple’s browser.) This current FTC investigation is happening just after Google was fined $25,000 for “allegedly blocking” a federal privacy investigation into a 2010 privacy breach.

Though Google is late to the cloud storage party, there is a twist to the offering. Observes Little, “Google Drive is a major challenge to Apple’s iCloud and others whose propositions are selling cloud storage as a useful ancillary to using its applications. The Google Drive proposition is the other way around, offering cloud storage as a core service from which users can access an ecosystem of highly useful applications.”

Google Drive will be even more powerful once the Apple iOS mobile operating system version becomes available, especially given Apple’s earnings release this week that showed ever-increasing demands for the products with 35.1 million iPhones and 11.8 million iPads sold during the company’s fiscal 2012 second quarter.

Controversial CISPA Passes House Despite White House Threat to Veto

Stephanie Jordan — Fri, 27 Apr 2012 04:42:20 +0000

Despite advocacy efforts to amend parts of CISPA—H.R.3523 Cyber Intelligence Sharing and Protection Act of 2011 (PDF)—the cybersecurity legislation passed the House of Representatives today by a vote of 248 to 168.

Groups believing the bill poses threats to privacy include The Constitution Project, American Civil Liberties Union, Electronic Frontier Foundation, Fight for the Future, Free Press, Reporters Without Borders, Sunlight Foundation, TechFreedom, and The Center for Democracy & Technology (CDT).

Since late last year when the bill was introduced, CDT has raised concerns that the bill, which would authorize Internet service providers and other companies to share customer communications and other personally identifiable information with governmental agencies, had flaws that needed to be addressed. According to CDT, the flaws include a too broad, almost unlimited definition of the information that can be shared with government agencies, superseding all other privacy laws. Also of concern is a likely expansion of the government’s role in the monitoring of private communications and a likely shift in control of government cybersecurity efforts from civilian agencies to the military. CDT also points out that once information is shared with the government, it wouldn’t have to be used for cybersecurity, but could instead be used for other purposes. CDT Senior Counsel Greg Nojeim outlined concerns in a December blog, just after the bill was introduced.

Last week, CDT, among others opposing CISPA as currently written, were pushing for a separate cybersecurity bill, H.R. 3674 - the PRECISE Act, sponsored by Rep. Dan Lungren (R-CA), that has information sharing language that many feel offers a better alternative to CISPA, and better balances cybersecurity, industry, and civil liberties concerns.

“We need cybersecurity legislation, not surveillance legislation,” stated CDT President Leslie Harris.

CISPA was fast-tracked, with final amendments to the bill due on Tuesday. The White House issued a veto threat yesterday, saying the bill did not have sufficient civilian oversight and privacy protections. Supporters, however, believe the bill is needed to safeguard against a major cyberattack.

CDT issued the following statement, today, upon the news that the bill is moving onto the Senate: “We worked very hard in cooperation with the Intelligence Committee to develop amendments to narrow some of the bill’s definitions and to limit its scope. We are very pleased that those amendments were adopted, leaving the bill better for privacy and civil liberties than it was going into the process. However, we are also disappointed that House leadership chose to block amendments on two core issues we had long identified—the flow of information from the private sector directly to NSA and the use of that information for national security purposes unrelated to cybersecurity.”

CDT and others are vowing to continue to oppose the legislation without recommended amendments.

The Real Importance of Google Drive

Michael Osterman — Wed, 25 Apr 2012 22:12:41 +0000

Google has finally announced Drive, its storage and synchronization solution that—at least on one level—is designed to compete with Dropbox, Microsoft SkyDrive, YouSendIt Dropbox, Trend Micro SafeSync, SugarSync, GoodSync, Syncplicity and other file-synchronization tools. On an overly simplistic level, file synchronization is a superset of online backup, often focused on individual users, because of its addition of automatic synchronization features—and it’s one of the hottest areas of growth in the storage space right now. Secure file transfer—another growing area of interest and investment—is a related market, but somewhat different because of its emphasis on the transfer of content as opposed to its storage.

Drive now creates a new front in the ongoing, multi-front battle between Google and Microsoft in the context of communications (Gmail vs. Exchange Online), online productivity applications (Apps vs. Office Web Apps), search (Search vs. Bing), real-time communications (Talk vs. Lync), etc. However, Drive may represent the biggest headache for Microsoft in a couple of ways. First, by integrating so tightly with Gmail and Google Docs, Drive creates even more of an ecosystem in the cloud, allowing organizations to create and store everything online. Drive does not represent a dramatic shift toward making it easier to migrate to the cloud, but is another—albeit important—push in that direction. To underscore this, Google is making cloud storage very inexpensive and focusing on both individuals and corporate customers. For example, Drive offers 16 terabytes of storage for $800 per month, or five cents per gigabyte per month. This is dramatically lower than Amazon’s S3 pricing of 11 centers per gigabyte per month at that storage level—even at 5,000 terabytes of storage per month, Amazon’s pricing is 5.5 cents per month.

Second, and perhaps more important, the growing ecosystem of cloud capabilities offered by Google and even Microsoft itself, as well as the addition of very inexpensive storage in Drive, will be yet one more thing that deemphasizes the importance of the OS in the minds of many corporate decision makers. As has been discussed by many others, the rise of the browser’s importance is more or less coincident with the fall of the OS’ relevance. That’s not to say that the choice of operating system is not an important one, but justifying an expensive migration from Windows 7 to Windows 8 (or even Lion to Mountain Lion) will become more difficult in an age where applications and communications tools are accessed increasingly using a cloud model.

What Drive represents, then, is much more important than just another Dropbox competitor, but rather another arrow in the Google quiver directed against Microsoft. Microsoft has already taken some preemptive steps as a result, lowering the price of Office 365 last month and increasing the amount of free storage on SkyDrive just this week.

Peer-to-Peer Storage Where You Are the Cloud

Michael Osterman — Thu, 19 Apr 2012 09:01:09 +0000

I had dinner last night with people from Symform (about whom I blogged late last year) and some of their prospects. Symform is a Seattle-based company that has applied what is, in essence, the Skype model to data storage in an attempt to dramatically drive down the cost of cloud-based storage. Rather than build out a traditional data center, Symform customers provide all of their storage themselves on a quid pro quo basis. Here’s how the system works:

Content is uploaded to the cloud from your environment and segmented into 64-megabyte chunks that are protected using 256-bit AES encryption.
Each of these 64-megabyte chunks is then divided into one-megabyte segments.
For each group of 64 one-megabyte segments, 32 one-megabyte parity fragments are added using a RAID 96 algorithm.
These 96 one-megabyte fragments are then distributed randomly across the base of Symform customers worldwide (although most are currently in Europe and North America, with a handful throughout the rest of the world).

When a Symform user downloads content from the cloud, it is gathered from these disparate sources and assembled into the content that has been requested. The 32 parity segments for each block of 64 one-megabyte segments add 50% to the overall storage load, but makes the system highly redundant when local storage is corrupted, customers’ storage systems are turned off or otherwise unavailable, etc. Any 64 of the 96 blocks of data are all that is needed to restore each segment of data.

One of the key advantages of the Symform approach is its extremely low cost: the first 200 gigabytes of storage is offered at no charge, while unlimited storage costs $3.50 per user per month. The only “string attached” is that customers provide as much storage locally as they receive, since their local storage is essentially part of someone else’s cloud. However, Symform also offers an option for those who do not want to contribute local storage.

In addition to offering cloud-based storage at low cost, Symform has also developed interesting solutions to some of the problems associated with cloud storage. For example, their “Turbo Seeding” technology allows IT solution providers to upload customer data to the cloud more securely than when drives filled with customer data are shipped to the cloud provider for the initial data upload. Their “Hot Standby” copies data to the cloud and to another local or remote device for instant access in the event the primary data storage is destroyed or otherwise taken off-line, thereby speeding data restoration.

Another advantage of the Symform approach is its extremely high level of security. Because the data uploaded to the distributed cloud of storage providers is essentially shredded into bits of data, they are useless to anyone who might intercept and decrypt them. Practically speaking, this renders various national requirements to store data only in certain geographies moot—whether all regulators around the world will be enlightened enough to accept this might be another matter.

Symform’s approach is clearly innovative and provides a unique and distributed cloud experience as opposed to one based on remote data centers. They are definitely worth a look.

How Seriously Do You Take Data Breaches?

Michael Osterman — Tue, 10 Apr 2012 21:51:43 +0000

Press reports of data breaches are all too common these days, with some breaches exposing millions of records to at least potential exposure to criminals and others. These breaches can be caused by any number of issues, ranging from lost or stolen laptops or smartphones, misplaced backup tapes or USB sticks, direct hacker attacks, installation of keystroke loggers resulting from malware infiltration, advanced persistent threats, malicious loss of data from disgruntled or departing employees, social media exploits, malvertising, etc. Any IT or business manager will agree that data breaches are a serious issue, but how real do they believe the threat to be? For example:

Are tools like Dropbox used in your organization without solutions in place to protect against the loss of data from them?
Is every company-supplied laptop, smartphone and USB stick encrypted so that, if lost, corporate data won’t be lost along with them?
Are your users accessing your corporate network and data assets with their own iPads, smartphones, laptops and home computers without solutions in place to manage their use?
Are DLP solutions in place to prevent unencrypted Protected Health Information, credit card numbers or other sensitive information from being sent through the corporate email system?
Are your users employing their personal Webmail accounts when the corporate email account won’t let them send very large files?
Can files sent outside of your organization be time-limited so that they disappear after a set period?
Can personally-owned smartphones and tablets that contain corporate information be remotely wiped in the event they are lost?
Are you archiving your electronic business records so that this content is not inadvertently purged?

These are just a few of the questions your IT and business decision makers need to be asking and the issues for which funding should be a priority if the answers are not satisfactory. Data breaches can be extraordinarily expensive given that privacy notification laws are becoming the norm, not to mention the cost of losing the sensitive data itself.

Solving a problem begins with taking it seriously.

Don't Ask Too Much; Don't Post Too Much

Michael Osterman — Thu, 05 Apr 2012 00:33:29 +0000

There are numerous stories in the press about companies who demand to see the Facebook profiles of job applicants or current employees. In some cases, employees have been denied employment, suspended or fired for refusing to provide this access.

The argument offered by employers for demanding this access is that it provides them with more information about prospective or current employees, much like a credit check or background check would provide. And, from a purely factual standpoint, employers who hold to this position are right: examining a Facebook profile will provide more information about someone than not examining that profile.

But are employers wise to demand access to your Facebook profile? In my opinion, absolutely not.

There is an interesting open letter—albeit a fictional one—that offers a resignation from a director of software development. This resignation was in response to his company’s new policy of requiring prospective employees to allow the company to look over their shoulder when accessing Facebook, or preferably to give the employer their Facebook login information.

In one interview after implementing the new policy, a prospective new hire—after providing her Facebook login credentials—promptly declared that she was a lesbian and was prepared to file suit if a heterosexual “less qualified in any way” was hired instead of her. She went on to explain that even if she was hired she might demand to see the employment contracts of all other employees to determine if she was being paid less than her male or heterosexual counterparts.

A few interviews later, another applicant declared—again after providing his Facebook credentials—that his partner was expecting a child and he would be exercising his right of taking six months of leave as allowed by law in Ontario. He went on to ask, “you would never refuse to hire someone because they plan to exercise their legal right to parental leave, would you?”

This director resigned because he was no longer able to hire whom he wished. By knowing too much about prospective employees, his hiring decisions could immediately be suspect even if his motives were completely above reproach.

Here are two lessons I think we can draw:

Employers are better off not asking for prospective or current employees’ Facebook credentials because knowing too much can make their hiring decisions much more complicated and litigious than they have to be.
Don’t overshare or post content that you don’t want to come back to haunt you. Does the entire Facebook world really need to know your drinking habits, your every idle thought, or every opinion you hold? For example, as I write this I’m looking at the public Facebook profile for someone who looks like a teenager and has posted information about a body part that I might consider inappropriate if I were an employer. Another profile uses profanity in the “Activities and Interests” section. Yet another profile is of a 20-something woman whose clothing in her profile picture might not fully cover my MacBook Air.

FTC Calls Upon Companies to Adopt "Do Not Track"

Stephanie Jordan — Sun, 01 Apr 2012 03:37:05 +0000

This week the Federal Trade Commission published what some call a landmark report, which offers best practices for businesses to protect the privacy of consumers. The commission’s “Protecting Consumer Privacy in an Era of Rapid Change” (pdf) report encourages companies to give consumers greater control over the collection and use of personal data before legislation requires them to do it.

“If companies adopt our final recommendations for best practices—and many of them already have—they will be able to innovate and deliver creative new services that consumers can enjoy without sacrificing their privacy,” said Jon Leibowitz, Chairman of the FTC in a statement. “We are confident that consumers will have an easy to use and effective Do Not Track option by the end of the year because companies are moving forward expeditiously to make it happen and because lawmakers will want to enact legislation if they don’t.”

Online privacy is a huge topic of late. Last month the White House unveiled its “Consumer Privacy Bill of Rights,” a set of guidelines intended to give consumers more control over their personal information.

While both of these efforts are considered “guidelines” and “best practices”, most believe that ultimately legislation will be forthcoming. At the time of the Administration’s February announcement, Center for Democracy & Technology (CDT) President Leslie Harris said: “We believe legislation will likely be necessary to achieve these protections, we support the White Paper’s call for the development of consensus rules on emerging privacy issues to be worked out by industry, civil society, and regulators.”

Even while the FTC is encouraging companies to adopt voluntarily, at the same time it is recommending legislation this week stating in the report that Congress should consider enacting general privacy legislation, data security and breach notification legislation, and data broker legislation.

Upon the reports release, CDT Director of Consumer Privacy Justin Brookman commented: “The FTC has delivered an important reminder that Do Not Track standards must address the collection of behavioral data as well as its use. Moreover, the FTC rightfully refocuses attention on the heightened privacy concerns presented when ISPs, operating systems, and browsers have broad access to consumers’ online activities.”

According to the FTC report, focus areas of consumer privacy protections include five main action items:

Do-Not-Track—The Commission commends the progress made in this area: browser vendors have developed tools to allow consumers to limit data collection about them, the Digital Advertising Alliance has developed its own icon-based system and also committed to honor the browser tools, and the World Wide Web Consortium standards-setting body is developing standards. “The Commission will work with these groups to complete implementation of an easy-to-use, persistent, and effective Do Not Track system,” the report says.

Mobile—The FTC urges companies offering mobile services to work toward improved privacy protections, including disclosures. To that end, it will host a workshop on May 30, 2012 to address how mobile privacy disclosures can be short, effective, and accessible to consumers on small screens.

Data Brokers—The Commission calls on data brokers to make their operations more transparent by creating a centralized website to identify themselves, and to disclose how they collect and use consumer data. In addition, the website should detail the choices that data brokers provide consumers about their own information.

Large Platform Providers—The report cited heightened privacy concerns about the extent to which platforms, such as Internet Service Providers, operating systems, browsers and social media companies, seek to comprehensively track consumers’ online activities. The FTC will host a public workshop in the second half of 2012 to explore issues related to comprehensive tracking.

Promoting Enforceable Self-Regulatory Codes—The FTC will work with the Department of Commerce and stakeholders to develop industry-specific codes of conduct. To the extent that strong privacy codes are developed, when companies adhere to these codes, the FTC will take that into account in its law enforcement efforts. If companies do not honor the codes they sign up for, they could be subject to FTC enforcement actions.

While some organizations have been open to adopting the suggested practices, the FTC feels that many companies need to adopt its privacy framework now, before anticipated legislation makes it a requirement.

Popular Web Sites Found to Host Malicious Content

Stephanie Jordan — Sun, 01 Apr 2012 02:31:50 +0000

Just because a Web site has been around a while and has enjoyed a solid reputation, it cannot be assumed that the site is safe to surf. A case in point: it was recently found that 58 of the Web sites ranked among Alexa’s most popular sites have served up drive-by download exploits in the month of February.

Though the sites might be consumer oriented, as we all know with the “always on” world that we live in, what is viewed at home using mobile or laptop devices can easily be brought into the workplace network. And of course there’s also employees using company resources, on company time, to do some personal Web browsing. So here is one more case to share with employees as part of awareness training.

This conversation started during RSA conference last month with an interesting discussion with Paul Judge, chief research officer and head of Barracuda Labs. Judge shared with me some early findings that are expected to publish on April 2. The folks at Barracuda Labs have intentionally been mimicking typical Web browsing behavior to review the most popular Web sites as listed by Alexa Internet, Inc, which offers information about Web sites including top sites, Internet traffic stats and the like.

At this point, thanks to user education programs, many users are aware of certain site types to avoid. But infections in today’s Web are not so easily avoided, because cyber bad guys are infiltrating sites that are otherwise trustworthy. This is not necessarily new, as legitimate sites have been targeted and taken hostage over the last few years. But it seems that the practice of infecting “good” sites may be growing. Judge notes that of the Alexa sites the Labs found hosting malicious content, nearly half (43 percent) of the infected sites were hosted here in the U.S.

From the investigation that Barracuda Labs conducted, it also appears that while the malicious content is not served up each day, it is served in an almost continuous on-going fashion. For a quick glimpse of which sites were found to host, and other interesting details, take a look at Barracuda Labs’ research infographic.

Checklist for Evaluating Enterprise Backup Products

Ben Gross — Fri, 30 Mar 2012 19:05:17 +0000

I recently evaluated a number of enterprise backup products and services. Once I started the process, it quickly became obvious I needed a systematic checklist of items in order compare the different offerings. Given that World Backup Day is March 31, the topic is timely. The requirements for the project may not match your own, but I hope that it will be a good starting point. Please let me know if you have questions of your own that you would add.

Requirements:

Cross platform (Windows, Mac OS X, Linux)
Supports both server and workstation clients
Supports backup of individual directories (as opposed to just whole disk)
Supports backup of open files (aside from Exchange, SQL Server, and Quick Books)
Supports encryption of data in transit
Supports encryption of data stored on remote server
Supports Exchange 2007 and Exchange 2010
Supports brick or granular restore for Exchange

Business questions:

What are the licensing costs for client or server software?
What is the cost for maintenance on licenses?
What is the cost per machine and/or per gigabyte per month for hosted server storage?
What Service Level Agreement (SLA) is offered?
Where are the data centers located?
How many times are the backups replicated in how many different physical locations?
What are the certifications are the service and data center in compliance with?

Reseller questions:

Do they offer reseller accounts? What are the requirements?
Is it possible to private label / white label, or co-brand the service?
Who is responsible for support for the clients of resellers?
Who is responsible for billing for the clients of resellers?

Supported platforms, file systems, and network protocols:

What platforms and file systems are natively supported for both workstation and server clients?
What native agents are available on each platform?
What platforms are supported non-natively via file system or network drive copies?
Do users on workstation clients need to be logged in for the backup to run?

Backup management:

Does each machine require a separate account or can multiple machines be backed up under the same account?
Is there support for directory services integration (i.e. LDAP or Active Directory)?
What functionality for reporting, monitoring, and alerting is available?

Backup details:

Is there support for continuous backups in addition to timed intervals or scheduled backups?
Is there support for backing up individual files or directories instead of a whole disk?
Is there support for backing up to network drives?
Is there support for backup up to locally attached drives?
Is there support for backing up open files (aside from Exchange, SQL Server, and Quick Books)?
Is Volume Snapshot Service (VSS) / Shadow Copy used to backup open files?
Is data encrypted in transit?
Is data encrypted on the remote server?
Is there support for private encryption keys?
Is there support for bandwidth limiting or traffic shaping?
Is there a way to seed the initial backup by shipping in a hard disk?

Application specific backup details:

Is there support for backing up Microsoft Exchange? How is this accomplished?
Is there support for granular / brick level / message level recovery for Microsoft Exchange?
Is there support for archiving Microsoft Exchange?
Is there support for backing up Microsoft SQL server?
Is there support for backing up Microsoft SharePoint server?
Is there support for backing up Intuit Quick Books?
Is there support for backing up VMWare virtual machines?

Restoring data:

Is there support for accessing backups via a web interface?
Is there support for end users to restore their own data?
Is there support for performing bare metal restores?
Is there support for shipping a hard disk of restored data for disaster recovery?
What other restoration options are available?

Archiving data:

What are the options for granular policies for archiving and retention?
Is there support for storing versions of a file?
How long can an archived version of a file that has been deleted be recovered?

Another (and Perhaps the Most Compelling) Reason to Archive

Michael Osterman — Thu, 29 Mar 2012 09:56:25 +0000

I have been banging the email archiving drum for many years, urging organizations of all sizes and across all industries to archive their email. Just as individuals archive their tax and other important records, business records should be archived for as long as necessary. However, many organizations are still resistant to archiving for reasons that range from a perception of excessive TCO for archiving technology to a desire not to retain “smoking guns” that might portray a company in a negative light during a legal action.

In most cases, the adoption of email archiving is driven by a need to address e-discovery, legal hold or regulatory compliance—much of it driven by specific regulators’ demands or an impending lawsuit—and less by IT’s desire to let users access their own archived content on a self-service basis. However, Dr. Nathaniel Borenstein, the chief scientist at Mimecast, is touting the real time use of archived email in a novel way: as a means of improving decision making when composing new emails.

Borenstein cites an example of typing an email and having real time information from the corporate archive pop up alongside the email based on a real time, semantic analysis of the content. Used in this way, an archive could inform email senders of relevant information, such as others’ communications with the recipient of the email, the recipient organization’s sales history, or its customer service history. As but one example, a salesperson who is composing an email to a key client could be presented with information as they type about a problem that the client is experiencing—information that might change the wording or tone of the email.

Using an email archive in combination with semantic analysis could provide enormous benefits, including faster and better informed decision making, fewer compliance problems, better customer service, and more accurate communications with clients, business partners and others. Of course, it would require a number of things that most organizations don’t have right now, including the archival of content in at least near real time and retention of content that today would probably be discarded. The latter point, for example, could result in significantly greater storage requirements and would require lots of computing horsepower so that relevant information could be identified and presented in real time.

More difficult, however, might be justifying these types of capabilities to senior management. For example, archiving to reduce the cost of e-discovery or to comply with regulatory obligations is a relatively easy sell given that the penalties for not doing so can be significant and a compelling ROI can be made. However, enabling real-time archiving to help users send better informed emails – while extremely valuable—offers “soft” benefits that are much more difficult to justify. That said, this evolution of archiving is among the more novel and interesting that we have heard about and one that I look forward to seeing in action.

Study Reviews TCO of Public vs. Private Cloud Messaging and Collaboration Deployments

Stephanie Jordan — Thu, 29 Mar 2012 03:49:11 +0000

As we have said for some time now, not all “clouds” are created equal. An interesting report was released today from Azaleos Corporation, a provider of managed email, collaboration and unified communications and Osterman Research that studied the TCO of public cloud vs. private cloud when it comes to deployments of messaging and collaboration systems.

The study looked at the total cost of ownership (TCO) when implementing enterprise configurations of the Microsoft Unified Communications stack of applications—Exchange, SharePoint and Lync—on premises, using a public cloud, such as Office 365, and using a private cloud model where “servers and software are all dedicated per customer and located in a secure third party data center, but the infrastructure is managed remotely by a service provider for a fee per user per month.”

The interesting approach of evaluating cloud vs. cloud led research analyst Michael Osterman to find “the private cloud model of delivering and managing enterprise grade services using the Microsoft stack is less expensive than the public cloud because of two primary factors. First, the base price for public cloud provider services is higher than the fully amortized price of the hardware. Next, when deploying an enterprise scale system, some of the additional features like adding voice functions to Lync or extra bandwidth in an Exchange environment are much more expensive in the public cloud than in a private cloud scenario.”

While prudently acknowledging that “developing cost models for offerings as complex as those discussed in this white paper requires some level of interpretation and judgment” and that “some readers may disagree with aspects of the cost model we have developed,” the general finding held the private cloud TCO was cheaper by 26% once enterprise grade capabilities were factored in. The public vs. private comparisons did take into account the recently announced price reductions of Office 365.

One key myth that Osterman points out is that the cloud is not just for smaller organizations. Writes Osterman, “Contrary to the beliefs of many decision makers, the cloud is not just for small organizations. Although Microsoft says that 90%+ of Office 365 deployments are with companies under 50 seats, and even though only about 5% of the total market today is using the cloud for Exchange, our findings clearly demonstrate that cloud-based offerings – whether public or private—are less expensive than on-premise solutions even in large organization deployments.”

Of course the primary myth the paper tackles is that public clouds are cheaper than private. “While there’s a general perception within the IT industry that public cloud services are always the cheapest alternatives, this study pokes a number of holes in that argument,” observes Scott Gode, vice president of product management and marketing for Azaleos. “Osterman Research’s findings clearly demonstrate that for medium to large sized organizations the public cloud is still not ready to compete with private cloud alternatives in terms of cost of ownership. When you factor in the added functionality and security benefits, the advantages provided by private cloud deployments of Exchange, SharePoint and Lync are very compelling.”

The paper, “Cloud vs. Cloud: Comparing the TCO of Office 365 and Private Clouds” was made available today and can be downloaded through Azaleos. It’s a thought-provoking read.