Deconstructing the spectrum

On the far right of the spectrum is a merchant that accepts cardholder data for payment of goods or services.  In addition to directly receiving the data into their own Web-based payment application that they have developed in-house, they also store the data in a database.   Every function is managed by the organization, and nothing is outsourced.  The merchant on the far left-hand side of the spectrum also has a merchant ID that defines them as a merchant and allows them to accept payment cards as payment for goods or services.  This company, however, has elected  not to accept any payment cards, and therefore this merchant never stores, transmits, or processes any cardholder data within its environment.

Since both companies are merchants, the operating regulations of the card brands (Visa, MasterCard, etc.) mandate that both companies comply with the PCI DSS.  Understanding this, the question then becomes, what requirements apply?

Illustrating levels of compliance

The company on the far right-hand side of the spectrum will need to comply with all 12 high-level requirements, as well as all 250+ sub-requirements because they directly store, transmit, and process cardholder data within their systems.  Additionally, they develop their own payment applications in-house.  By contrast the company on the far left of the spectrum still has to comply with the PCI DSS, but there are no requirements that would apply to this specific merchant since they do not store, transmit, or process cardholder data.  The PCI DSS is clear when it says: “The PCI DSS requirements only apply if a company stores, transmits, and/or processes cardholder data.”  By not handling data, the company has reduced their compliance burden by 100 percent while still complying with the card brand rules and remaining in compliance with the standard.

Clearly the company on the far left side of the spectrum exists in theory alone.  Companies will have a  need to handle cardholder data at some level. The point is to demonstrate the concept of the compliance spectrum.  By minimizing how cardholder data is handled, companies can reduce the number of PCI requirements that apply to their environment and reduce the cost and complexity of their PCI DSS project.

If you have specific questions on PCI compliance, leave them in comments and I will be happy to answer them. If this post has helped you better understand PCI compliance, please share it with others using the social links below.

According to a recent study conducted by international business school INSEAD, organizations who are supported by strong business enablers and resources, and who have well-developed digital platforms in place, stand the best chance of getting the most benefit from investments in new technologies.

Conversely, organizations who are saddled with weaker business resources risk seeing virtually no return on their technology investments.

1. Have you ever entered any of your personal information (e.g., credit card, social security number, etc.) on a company’s or individual’s website?
2. If you have, did you wonder whether the website you were using was “safe”?
3. Have you ever wondered if there was a way to know if a particular website you have been using is “safe”?
4. How many re-issued credit cards have you personally received from your bank where you were notified that your card was possibly breached based on an “undisclosed source?”

To find the answers to these questions, go to www.ssllabs.com. You can test a URL/website that you either have used or will be using to see what kind of security rating they receive. Simply enter a URL, then click submit, and receive a free, detailed security assessment of that particular website.

The first URL/website I entered when I first learned of this free on-line service was my banking institution (e.g., www.<enteryourbankurlhere>.com). Then, I tested the ecommerce websites I most frequently use.

I’m fortunate in that my banking institution received an “A” on its scan. Unfortunately, not all websites I use fared this well.

For the websites that did not fare so well, I had to consider my options. I could call the company to tell them their website is receiving a negative security rating and I’m a concerned customer, use the site in the future for informational purposes only and do not provide sensitive information, or avoid the site altogether until the website improves its rating.

So if you were wondering about the fifth question, here it is:

5. Will you go to this website to check the security rating of a website before you enter sensitive data into it?

Provide – and use – information responsibly

I would urge you to keep in mind that not only do merchants, service providers, payment processors, and others have a responsibility to protect the data that you entrust to them, but you also have a responsibility to be careful with whom and how you provide your sensitive information.

It is important to note this information is not to be used for hacking purposes, as you will see by the terms and conditions on this SSLLabs website. I would be remiss if I did not mention that if we can freely run a URL through this feature to learn whether a website is secure so that we can protect our data, a hacker could just as easily access this information for their nefarious purposes.

One of many things the Internet has done for us is it has given more power to the people to obtain information about our companies.

Here are a few important questions to consider from a business perspective; let us know your thoughts in the comments below.

• What does the result of this SSL test reveal about your organization?
• If a nefarious person out to obtain your company’s information used this link to test your URL, could this data be used to breach your company’s network?
• Will you go see what this website says about your company before your customers or nefarious individuals run this report? If so, will you take action to protect your organization?

For example, if you were to say that health is a top value, but you spend minimal time on this – exercising only one hour out of 168 hours in a week — you would want to reevaluate exercise as something that is less important to you.  In my humble opinion, no value is a “bad value” — a value may be different than mine, but that doesn’t make it bad, just different.  Awareness of your values is important to staying aligned with your vision of the life you intend and leader you aspire to be.

Understanding your infrastructure vision

The same can be said about your company’s infrastructure.  Whether it is in-house, managed, or cloud based, none of these are “bad” infrastructure architects, they are just different.  However, the vision you have for your company and your infrastructure plans need to be aligned.  If they do not match up, inefficiencies will build, making the IT plans the wrong ones for the company.

Below is a table with four values to consider for your company and the typical corresponding infrastructure.  Which value ranks the highest?  Is your company infrastructure aligned with the overall vision?  If not, mapping a path to align the company vision with the infrastructure may be needed.

Ultimately, visions for your company should branch to the values that fulfill this.  Tactical functions and resources need to project from these values in order to realize the organizational vision.  Similarly, if health is important to you, spending the time to walk 10,000 steps in a day and skip the fast food line to cook a nutritious meal should replace time spent on activities that are not associated to a core value.

Does your current infrastructure align with your company vision?  What changes do you need to make so the vision, values, and tactical functions align?

Are you sure? If you do have them, are the safeguards up to date? Are they monitored and audited regularly? Is your staff compliant with the regulations and rules you have in place? Are your Business Associates compliant?

If you answered “no” or “I think so” to even one of the above questions, you could be putting your patient data at risk of a breach and your patients at risk of identity theft. And you’re not alone. In the past two years, 94% of healthcare organizations had at least one data breach, and 45% said they had more than five significant data breaches.

According to the final rule, you have until Sept. 23 to make sure your HIPAA house is in order. Per the rule, any impermissible use or disclosure of patient data is considered a data breach unless an official risk assessment concludes otherwise. It also extends requirements of the HIPAA privacy and security rules to organizations’ business associates, which are any people or companies that use or disclose protected health information on behalf of, or provide services to, a covered entity. This puts your organization on the spot – potentially with a HIPAA audit – to verify your business associates meet the requirements.

The right cloud partner can help you meet the HIPAA Sept 23^rd deadline

Often in-house IT professionals lack the resources to manage all of the security projects necessary to keep protected health information (PHI), including medical images, safe. Working with a cloud services provider to manage the bulk of the back-end security can be a cost-effective solution. However, while a cloud services provider can help shoulder some of the load, it is absolutely critical to choose the right cloud partner. PHI can actually be more secure in the healthcare cloud than on your local server if you work with a cloud provider that:

• Meets technology and procedure best-practices in support of HIPAA and HITECH requirements
• Agrees to a contract that specifies best-practice security and privacy policies, breach notification/support processes and data protection even upon termination of contract
• Demonstrates that its technologies and procedures are consistently updated, monitored and audited by a third-party
• Provides solutions to give your staff reliable and highly secure remote and mobile access that meets industry and regulatory requirements

Here’s an overview of the administrative, technical, and physical safeguards a full-service cloud services provider should be able to provide you with, in support of HIPAA and HITECH compliance:

Risk analysis and roadmap

A HIPAA Security Rule risk assessment and roadmap showing what you need to improve and how to help achieve compliance.

Physical security

Security policies that restrict physical access to the cloud services provider data center to authorized personnel; redundant back-up storage for PHI to support business and clinical continuity.

Administrative security

Proof that authorized administrators of your data are current with security training, including HIPAA security training; auditing tools for you to monitor the cloud environment as desired.

Technical security

Multiple layers of security technology, from network and firewall security to data encryption; mobile security features such as authentication/authorization, encryption and data “sanitation” to wipe data from stolen or missing devices.

You’re still the boss

Regardless of how much a cloud provider can support HIPAA and HITECH compliance on the back-end, it is still your organization’s responsibility to drive the bus. Do the risk assessment. Get familiar with the HIPAA and HITECH requirements. Know your business associates inside and out, and only work with those who can prove they have best-practice policies in place. The risk to your organization — both financial and professional — and to your patients is too great otherwise.

What steps have you taken to help ensure your healthcare organization is HIPAA and HITECH compliant? What is your biggest challenge?

As I drove back to the office with a clean bill of health, I thought about how a holistic approach could also solve some of the aches and pains felt by enterprise businesses today. One of these pain-points lies inside the data center where infrastructure, network, and applications all meet. System health monitoring is typically divided between these three groups.  But problems arise because each group has its own tools to monitor performance and none of these groups has final responsibility over end-user performance. The lack of accountability results in a loss of productivity for the enterprise business when systems are down or not functioning optimally.

I spoke to Joe McKinney from ADCom Solutions who has been working with IT professionals for over three decades.  He explained that many companies struggle with aligning resources to manage and troubleshoot across multiple IT silos.  When a problem occurs, a “pizza party” with the various teams is needed to solve it. While the meal is delicious, it pulls IT staff away from strategic CIO technology initiatives that are needed to keep the business competitive and relevant. McKinney’s firm suggests that clients should take a more holistic approach. Managed Application Performance (MAP) is a new way to quickly isolate and mitigate the problems in the data center and vastly abbreviate the time it takes to fix them.

Here are three ways this approach could benefit your business:

1. Isolating the fault domain more quickly

By closely monitoring the entire system, small problems in any part of the IT stack are given proper attention.  A minor error in the network may not be reason for alarm, but when it is in conjunction with another alarm in the application, it poses a major impact to users. Holistic monitoring will quickly identify and fix the problem by alerting the right team. Before a bad IP routing address or line of code can cause a huge headache, Managed Application Performance brings the problem to its rightful owner to fix it in an orderly fashion By taking a holistic approach, Managed Application Performance allows companies to get the most out of the tools they have invested in even in this day and age of constrained resources.

2. More meaningful reporting

Most tool sets have vast reporting capabilities. But lack of resources and trained expertise prevents the data from making it to the executive’s desks.  The problem is further complicated by the fact that no one tool set exists to show the overall health readings. There have been ‘manager of manager’ systems on the market for years such as HP OpenView and IBM Tivoli, but they do not poll the user experience in an end-to-end manner and require trained staff to implement and operate. A managed holistic approach to monitoring does two things. It provides a regular and meaningful dashboard of the end-user experience and it provides correlative information to predict and proactively fix impending performance problems.  Legacy reporting metrics include system availability and uptime.  While these are intrinsically significant, an available system isn’t always usable by the end-user or customer.  Managed Application Performance creates of more meaningful metrics around whether an internal user can do their work or whether customers can purchase products on the ebusiness site.

3. Transforming the business

Kesha McDade, technical service director for AT&T in Richardson, Texas told me that she has seen a lot of interest in Managed Application Performance, especially from customers who are deploying transformational technologies such as new ERP, UC or VoIP systems. This is because customers lack a single point of contact that manages and troubleshoots across all the different silos.  Consider the following: when moving from a TDM to a VoIP platform the voice will now ride on the data backbone and call patterns will change from distributed PBX model to a much more centralized call-controller environment.  These two variables can be tricky, and there is only one shot to make a conversion like this work. Having end-to-end monitoring tools and reports is in high-demand when a business is transforming these mission critical applications.

Lack of resources and fragmented monitoring tool sets are common problems today for over-stretched IT departments. How is your company coping in this environment? Have you considered or implemented a holistic Managed Application Performance service to get the most from your investment in performance tools?

A rose by any other name

What is an application, really? To misquote Shakespeare “that which we call an application, by any other name would still process input.” In other words, all applications are made up of processes that take input from a user and produce output or results. Traditionally PCs or laptops ran these applications, but what if an application runs remotely on a server with access via a browser? Is it still an application? Many “apps” on a mobile device merely access the web version of an application, prompting heated discussions. Is it still an app if it’s nothing more than a web browser accessing a website? The easiest way to decide is to ask the same question we did above.

What’s an app, Doc?

An application is merely one or more processes that take input and spits out results. Where the application runs doesn’t change this definition, though it may add an adjective or two to the description. We might call them “remote apps” or “client/server apps” to properly describe where it lives. But if it takes input and produces output it must be an application.

On your desktop, you click an application and it opens a window. The OS handles this request as a way to provide input into the application. The same is true on a mobile device, but on these devices the application could also be a window produced by a web browser masquerading as traditional app. Aside from lost connectivity or reduced functionality due to the mobile device, running your apps in the cloud has many advantages, the least of which is data security and redundancy. Quibbling over the window into the service is like arguing that the drive through doesn’t qualify as eating at the restaurant.

The more things change

All we’ve done is move the kitchen further back from the drive-thru window. Food is still prepared and packaged the way it always was, but the way you order becomes enhanced. The window can live on your home PC or your mobile tablet, but the food and consumption is still just as real regardless of how you received it.

The damage and resulting distrust come from the early attempts at cloud services. They spoke of the cloud as if it were something more (or less) than it was. The marketing made it seem almost magical when in fact it was simple evolution of a service model. As the capabilities of these platforms grow, we’ll see more complex Software as a Service (SaaS) solutions offered to solve every business need. And SaaS seems to be hitting the spot for many companies as the adoption rate climbs.

Bon appetit!

Now the cloud is the kitchen and the drive-thru window is the device. Basically, the same product or service is still being delivered. The real “art” is in how the application improves or enhances the process.

Has the cloud has improved the delivery of applications in your company? What are some of the obstacles you have encountered? How have they been overcome?

Why am I giving you  all of this horrible imagery about my house that I am now probably paying more for than it is worth and what does my pink house have to do with your network? Well, I’ll tell you.

Consider the outdated network

I bought this house because the good outweighed the bad. You did the same with your voice and data network. In addition, through business changes, you may have consolidated with other companies or locations that don’t work so perfectly with what you have. In other words -the equivalent of a pink kitchen.  It may work but you have a vision for something better.

So what do you do?

If you are lucky, you have a big budget and will just go ahead and tear everything out and remodel your network to make it look like the network equivalent of the kitchen of your dreams, complete with stainless steel appliances and granite countertops.

But if your budget is not so big, there are too many variables to make infrastructure changes all at once.  You have to consider what your company wants and needs, what your clients demand, and the technology changes that we are seeing in communications. It’s a little overwhelming.

Upgrade a little at a time

If your voice network has a pink kitchen, that cosmetic change could mean adding an easy value-add service to your business such as IP Toll Free that enhances what you are using, but you don’t have to make significant changes to incorporate it. Or add VPN to your data network and allow business to take place practically anywhere you want. In other words, make a change that works with what you have and takes you into the future.

Next thing was to eradicate the pink floor. This was a little more expensive so I had to save for it and really think about it. I mean, you don’t want to replace pink with equally soon to be outdated – green, or you will be resigned to constantly making changes.

Once you pick your protocol and platform, think of your core network as the foundation of the rest of your communications. The tricky part is to invest in something that is going to last. I had to look at the trends, just like you do with your network.  If you are still using PBX and PRI trunks for voice, you might want to take a good look at SIP trunking. It is a great foundation in that it is easier to manage your service, you can get more bandwidth and functionality, and like a good foundation, it is the platform for many other applications such as unified communications and a fully integrated network.  Same goes for data. If you haven’t already done so, a move to MPLS or Ethernet will take you well into the future.

Go for impact

When you make changes to your network, try to focus on where you can make the most impact and how that can be an investment and not just a change. Every time you touch your network, it should be to improve it and not just maintain it.

When you are upgrading, it isn’t always like for like. With the changes in technology, you want to look at how traffic is flowing through your whole network.  Look for where potential bottlenecks are in your servers and when you expand, keep disaster recovery in mind so that you can care for both things at once.  Also, if you can consolidate traffic, that will help as well.

Finally, after years of patiently making upgrades to my pink kitchen, the pink is gone. I wasn’t visionary or even methodical in updating the kitchen; yet slowly, I was able to transform it into a modern, efficient space with nice countertops and a normal stainless steel sink.

Are you slowly upgrading your existing network? What changes have worked out well? What advice would you give others who are gradually “remodeling” to incorporate the latest technologies and trends?

Hepplemann spoke of the third industrial revolution as the digitization of products. The digitization of products means a product takes on a full digital existence before it’s ever built. Ruh discussed how the industrial industries, such as aviation, locomotives, and gas turbines are moving from analog to digital businesses. Over the next decade, Huff claims the Internet will create shifts in the industrial business that are on par with the transformations we’ve seen in other industries. He says machines will become intelligent, machines will get connected, and software will be available to analyze the information.

Rise of smart products

Hepplemann predicted the continuing rise of smart products. In smart products, the product is more about the software rather than hardware. The software can be upgraded after the product is produced. For example, in your car there are between 50 and 100 computer chips that run software every time you start your car. If your car doesn’t work, there is a 50-50 chance it is due to a problem with the software controlling the engine, suspension, ABS, or entertainment. Cars are now upgradable.

Integrating sensor data, cloud computing, analytics

According to GE’s Huff, integrating new technologies, such as sensor data, with cloud computing and analytics could help industries deliver new efficiencies with existing processes. For example, the airline industry spends $200 billion a year in fuel. Developing a new aircraft engine takes years, but having the ability to tune the engine and give the pilot insight into how to operate the engine can create huge savings. Even a 1% change would equate to $2B a year in savings. In every industry, GE sees that there are five to twenty key levers, such as fuel efficiency, and that if the industry could experience a 1 to 5 percent change it would equal tens of billions of dollars in savings.

Huff notes there are great opportunities, but there are also challenges. One sensor on a GE gas turbine generates 500 gigabytes of data per day and there are 20 sensors on each turbine. GE has 12,000 turbines globally, and its challenge is how to collect and manage this volume of data. GE would also like to perform real-time analysis on the data to decide if a piece of equipment is reaching a critical failure point, such as a blade breaking.

A time of change

We are at a time of unprecedented change in technology. Each layer of the infrastructure stack is being transformed. Increasingly, there is difference between a product and a service in the digital age. Many items that would have been considered products are now sold as services. Salesforce.com and mobile devices are excellent examples of this. A mobile device without connectivity and without applications is largely useless. However, when connectivity and applications are used with mobile devices, the device transforms into a product of services.

Software upgradable products, machine-to-machine communications, and insightful analytics will be the underpinnings of any successful business going forward.

How will you use machine-to-machine communications within your business? Please leave a comment here or connect with me on Twitter at @MaribelLopez.

Maribel Lopez is the CEO and mobile market strategist for Lopez Research, a market research and strategy consulting firm that specializes in communications technologies with a heavy emphasis on the disruptive nature of mobile technologies. AT&T has sponsored this blog post.

On the heels of the OpenStack Summit in Portland, Oregon, and recent announcements from Microsoft, now is a good time to address the “state-of-the-state” of enterprise hybrid clouds. Due in large part to burgeoning industry alliances (e.g., OpenStack) and maturing cloud platform technologies (e.g., Microsoft Cloud OS), six technologies have emerged in the enterprise hybrid cloud market that deserve attention:

1. OpenStack
2. VMware vCloud
3. CloudStack
4. Eucalyptus
5. Microsoft Cloud OS
6. Google Cloud Platform

This diagram shows relationships between the leading cloud platforms and public cloud service providers:

Click here for Microsoft Azure IaaS                                        Click here for Google Compute Engine 

Once a customer selects a cloud platform, a private cloud can be deployed behind the enterprise’s firewall or by a service provider via an offsite, hosted service then a public cloud service provider can be selected that supports that particular cloud platform. For example, if OpenStack is the cloud platform of choice, a customer can choose among public cloud service providers like AT&T, Dell, HP, or Rackspace.

5 observations and predictions

So what’s next for the hybrid cloud? After following this developing market with great interest, I’d like to offer several observations and predictions about the industry:

1) OpenStack is the mindshare leader in the open source / open standards hybrid cloud space. Here’s why:

• Momentum - Contributors include major industry players like Ericsson, IBM, HP, Dell, Red Hat, Nebula, Cloudscaling, Piston Cloud, Ubuntu, AT&T, Nimbula (Oracle), SoftLayer, SUSE, Cisco, and VMware. As a result, there are many OpenStack solutions to choose from already
• Wide Adoption – Rackspace, which distributes and is a founding member of OpenStack, has moved aggressively into hybrid cloud, with customers like HubSpot , and partners like Persistent Systems.
• Growth – OpenStack has over 900 job postings
• Vision – OpenStack has made interoperability, or “no vendor lock-in,” an essential feature.
• Its recent announcement of a global cloud network is proof. Plus, Cloudscaling is offering an OpenStack cloud that can burst into Amazon or Google public clouds
• Prediction - OpenNebula, the open source cloud platform founded in Europe, joins the OpenStack Foundation. OpenStack strengthens its European presence. See Cloud Watch for more information.

2) VMware strengthens its vCloud message and markets its own public cloud to expand its proprietary, hybrid cloud solution — leveraging thousands of ESX customers.

3) CloudStack grows and seeks more public cloud partners, in addition to Terremark.

• Prediction – CloudStack establishes a closer, more strategic relationship with AWS to compete more effectively in hybrid clouds.

4) Eucalyptus merges with AWS.

• Prediction – In support of its new $600 million, ten-year CIA contract, AWS purchases Eucalyptus to expand aggressively into enterprise hybrid cloud solutions.

5) Microsoft Cloud OS /Azure IaaS, founded on Windows Server and Windows Azure, is successful.

We’d like to hear from you. Will OpenStack maintain its impressive momentum? Do you believe that CloudStack will make an alliance with AWS? How will Google fare in the enterprise hybrid cloud space? What does this mean for your business? We look forward to your comments.