Often the mere thought of BYOD can make an enterprise security officer nervous. How nervous? Data breach kind of nervous. Before we join the chorus of security officers and auditors crying out for the ubiquitous deployment of forced mobile management conditional network access, and more, let’s have a closer look at BYOD and Exchange.

Mobile device access to Exchange is not new. Exchange mobile protocols are designed to be secure out of the box, yet many of us have lived through the frustration of educating a customer about the self-signed certificates used to bootstrap an Exchange deployment. In fact, Exchange 2007 is known for being the version of Exchange that caused vast slews of ITPro’s to learn about various types of certificates, and the order of the names appearing on them. Point in case, Exchange mobile protocols are secured by design.

Moving on from the protocol stack and onto the physical access method. We’re not going to spend a lot of time on this point, except to point out, that BYOD tend to use wireless access methods of varying degrees of security. If this layer of physical security is breached, then the attacker is still required to break the encrypted protocol tunnel between the device and Exchange. This is no different to monitoring traffic on a physical Ethernet switch, the result is still encrypted garbage.

Our next point of examination is storage. If the BYOD device is a laptop, the data store tends to be the offline cache file created by Outlook, i.e the OST file. This file is encrypted and useless without the user authenticating onto the device using the correct mail profile. Other devices, including tablets and mobile phones implementing the Active Sync protocol implement similar storage mechanisms, secured by the user authenticating onto the device such as a Pin Lock and then the email account in question.

Exchange 2010 Features a number of remote management tools, including the ability to wipe devices remotely, however remote wipe is just the tip of the management iceberg.

Active sync management policies and the built-in management features allow an organization to structure mobile security granularly, such that different users receive different security policies.

Mobile device management tools augment the security which we’ve discussed so far, by adding a layer of auditability, remote management, tracking and wiping amongst other features, which can help mitigate the risk of data loss, if the device is lost or stolen and the users passwords (device and Exchange) are known.

I’d like to argue that BYOD is often no less secure than the average corporate laptop, due to the security features built into Exchange  and the devices themselves. Exchange is designed to be implemented securely, and features mobile management features in the platform. While those features may not be enough to fill every compliance or security requirement under the sun, they are a massive part of ensuring that BYOD security fears, may be overrated.

And it’s becoming an increasingly important decision as Cloud becomes the “default” choice for many businesses, they need to understand where their data is and how safe it is.

Yes, Cloud Computing is still in its relative infancy, but it’s growing up fast.  To hear a highly respected and influential Gartner analyst saying that he rarely recommends anything but SaaS solutions to companies looking to change their email security service shows that the die is well and truly cast.  It’s a similar picture in the archiving space.  SaaS vendors are growing far faster than their on-premise counterparts, although SaaS still accounts for a small share of the overall market.  And of course, with Microsoft’s strategic priority to transfer the on premise dominance of Exchange into the cloud (with Office 365), it’s fairly clear that at some point in the future, all these technologies will be delivered to customers from the cloud.

It’s a matter of when, not if.

What’s surprising however, there seems to be a two stream approach to Cloud adoption, the haves and the have not’s- those who have Cloud and those who don’t. Yet.

On the one hand, especially in the SMB and midmarket, cloud vendors are now dealing with a far more enlightened customer base.  Many CIOs are now on their second or third cycle of purchasing cloud services.  They have wised up to vendors who over-promise, or hide behind bogus SLAs, and they will have rejected out of hand any service that doesn’t do what it says on the tin.  Their next decision could potentially be based on a specific business or technical need, but more likely, it will be based not simply on the service but on the vendor’s approach to delivering that service.  In other words, it will be based largely on the vendor itself.

The second stream is convincing the have not’s to adopt, often larger enterprises that their data is safe in the cloud. This is a slower burning challenge, because these businesses often have massive legacy investments in on premise IT resources, both in terms of tin and human capital.  That makes a move to cloud technology not only a technological change in mindset but a cultural shift as well.  But it doesn’t matter how big the organization is, the pressure on IT departments to reduce costs while delivering more value is the same.  And most if not all roads lead to the cloud.

But IT departments needn’t fear- Jevons Paradox predicts that more IT will be required for the future, not less- it’s just going to be different to what they’re doing today. But that’s technology for you. When was the last time IT staff used their Windows 3.1 skills?

The danger here is that CIOs of large enterprises tend to ‘trust’ the biggest, most established technology brands with the deepest marketing pockets, best placed to “Cloudwash” their dated technologies. I use the term ‘danger’ because, when it comes to cloud, money can’t buy you trust.  The big brands have whole shoals of fish to fry and are usually more interested in wooing consumers than they are safeguarding the interests of customers and their data.  For smaller, pure play cloud vendors like Mimecast, this is ALL we do.  And that means we can’t slip up.  So we have to earn trust the hard way, and the only way.  And that’s by building a history of excellence in delivering Cloud Services.

For those CIOs who’ve already made the leap of faith and are committed to a cloud strategy, we’re now hearing – anecdotally at least – that customer service and support has jumped up the purchasing priority list alongside cost.  That is largely because customer support has been the single biggest pain point for consumers of cloud service over the last two years.  Why?  Because it is, arguably, the most underinvested business function in the cloud industry.

But of course, the economics of SaaS and cloud only work if you retain those customers for long periods.  At Mimecast we retain over 98% of our customers. It goes without saying that the product has to work.  But perhaps the key variable is our ability to look after our customers.  To put it politely, the cloud industry has a patchy record in providing customer service.

To some extent, then, in the SMB and mid-market space, there will be a period of ‘natural selection’, where the new breed of cloud savvy IT purchasers weed out the suppliers whose service doesn’t match the promise, for whatever reason — unreliable product, unrealistic SLA, non-existent support, dodgy security protocols, or fudged solutions built on OEM arrangements or poorly integrated acquisitions.  The cloud vendors who are playing the long game and investing properly where it matters will rise to the top through this process, and others will fall by the wayside.  (In fact we’re already seeing this happening in the early part of 2012.)

For first time purchasers and larger enterprises, though, we still have to help them with their trust issues, and we won’t achieve that by focusing on customer service excellence.  Instead, we have to put our weight behind meaningful industry initiatives that can turn ‘trust’ from an intangible to a tangible purchasing criterion.  One example of this is Cloud Security Alliance’s Security Trust and Assurance Registry, or STAR, which is addressing the need for Enterprises moving applications and data to the cloud, or consuming a provider’s services, to understand cloud provider security. Another is an organisations willingness to adhere to security standards such as ISO 27001. But providers remain hesitant to give up proprietary information, or expose themselves to exploitation.  In fact, to date, only Mimecast, Microsoft and Solutionary have agreed to publish their STAR controls.

Transparency is clearly going to be a major factor in the success of cloud technology, particularly as a means of building confidence amongst enterprise CIOs that their data is safe and secure in the cloud.  But while we will continue to embrace standards initiatives such as STAR and ISO27001 that make trust a tangible factor, our growth in the mid-market will most likely come from good old fashioned values, such as delivering strong after-sales support, and from sharing stellar recommendations from existing customers.

STAR launched in the fourth quarter of last year and its aim is to be a public repository of providers’ security controls. Providers who are STAR members can fill out either the CSA’s Consensus Assessments Initiative Questionnaire or the Cloud Controls Matrix framework questionnaire, both built according to the ISO 27001 standard, and ultimately agree to have that data published online and publicly accessible. 

Image CC Flickr- Lyncis

Outlook Web App isn’t available. If the problem continues, please contact your helpdesk

While appropriate, this isn’t the most descriptive error message in the world.

In order to demonstrate this scenario I build a lab with two Exchange Servers, both deployed on domain controllers in different AD sites. In this scenario, OWA is published to the internet in Site 1, however the user in question is trying to login to his mailbox, which is hosted in Site 2. Site 1 is internet facing and Site 2 is not. Both sites are running Exchange 2010.

Let’s look at what’s happening “under the hood”:

• After a user has authenticated to an internet facing CAS server, the CAS server attempts to locate the location and version of the users mailbox.
• If the user is local, the mailbox is rendered.
• If the user is NOT local, then use the AD Routing information supplied by the “Microsoft Exchange Active Directory Topology” service to locate a CAS server in the site hosting the user’s mailbox. If an external URL is configured on the CAS server in the second site, then silently redirect to the URL (available in SP2) or redirect the user to the link supplied. If the external URL is NOT specified, and an internal URL exists, AND the authentication method on the virtual directory is set to windows integrated, THEN proxy the request.

In the Exchange Management GUI, you should see the following, first the empty External URL

Second, the authentication method is set to windows integrated:

However we’re still receiving an error.

Looking at the Active Directory event logs on the Domain Controllers in both sites, we may notice a number of Active Directory errors, including Inter Site Topology Generator errors. These are the clue that we need.

When we open the Active Directory Sites and Services administration tool, we would notice that the IP SITE LINK between the two sites is missing or misconfigured. Without valid site links, Exchange cannot proxy between sites and OWA fails.

Re-creating the site link, and waiting for replication and cache timeouts to take effect, (or restarting the “Microsoft Exchange Active Directory Topology” service) and OWA stops replying with an error message and renders the users mailbox.

Let’s recap quickly; our three areas for OWA site to site proxy failures are:

• Incorrect URL’s
• Incorrect authentication
• Incorrect site link definitions

The last one can be a bit tricky since it’s often unexpected, and most of us take for granted that AD is either designed and implemented correctly or at least is healthy.

April 26th is World Intellectual Property Day.

This is a day of recognition that was started in 2001 by the World Intellectual Property Organization.

Do we need a day to remind us how important Intellectual Property (IP) is?

Personally I think we do.

Sure we know about the value that we get from patenting our big ideas, from documenting and enforcing our workflows that give us the competitive edge we need. We know about the big ideas, the things that are easy to differentiate, the processes that clearly are our own and stand us apart from our competitors.

But is this knowing about our IP or is this simply protecting our key assets?

Let’s take a look at another day that is celebrated in many countries around the world, Mother’s Day.

Mother’s Day is a very old traditional holiday that celebrates motherhood and honours mothers. Rather than letting these two essential and everyday parts of our society languish in anonymity, we choose to bring them to the fore to recognise and cherish what mothers do for us, what motherhood means to us. Let’s face it, humanity has always had mothers and motherhood and will certainly continue without a day celebrating them. Mother’s Day is simply a way for us all to tell mothers everywhere that we recognise that while they are a common occurrence, motherhood is by no means a mundane part of our society.

So too with IP Day.

We keep secrets from one another and we brand our information as confidential. Every day we see ownership and confidentiality disclaimers. Our emails profess that all information belongs to our employers and those we receive belong to the sender’s employers. We have IP and privacy woven into the very fabric of our business society. Like mothers, IP is a core part of everyone’s lives – only we don’t generally choose to acknowledge anything but the biggest and brightest ideas.

The biggest single issue with IP is that most companies don’t actually know what knowledge they are sitting on.

Take email for example- it is a phenomenal source of knowledge. So much business communication use email, whose conversations provide a rich contextual background to any single piece of data it contains. Who sent it, what was said, what versions went where, when- the real context.

But the problem is that email is stored and archived in places where data goes to die. Ok, maybe not to die, but archives conjure up images of old musty shelving in the basement that is only ever accessed when there is some or other legal dispute that requires old information to be collected and brought back into the light. This is also true of vaults, places to lock information away, places that ensure no-one gets any value from your data for all time.

This is one of the big problems we’re working to solve at Mimecast. Giving us your email is going to make it more useful, not less in the future.

Imagine if a little bit of awareness enlightened your staff and let them know that everything they do adds a little to the wealth of your company. Imagine if they recognized how valuable information actually is. Imagine the potential you would unlock if you could mine and analyse the data you have been storing for all these years.

So celebrate World IP Day in style, let your people know that while you may not have the analytics tools to automatically derive value from your unstructured data, you value the information they produce for you and would love to hear from them how best to surface more value. Information is there to be used, not stored in some dusty basement only to be called for in emergencies.

After all, you don’t only bring your mother out once a year do you? She is there every day adding value to the lives of those around her.  Treat your information like you would your mother, let it thrive and add value to your life every day.

What began as a quiet Tuesday evening in the Mimecast gym turned into a veritable ruckus this week as none other than Peter Bauer, Mimecast CEO, made an appearance to share some fighting tips with our CRN Fight Night contender, David ‘The Doctor’ Rodger. And it wasn’t just physical training tips: mind, body and soul were top of the agenda as Peter sought to ensure that Dave is top of his game in every possible way.

That evening of knowledge transfer was the catalyst for all sorts of activity kicking off around the office as people started turning their attention to this fantastic event. The Doctor’s public Mimecast gym sessions have worked the office up into fever pitch, with his muscles and sweat causing hysteria in certain corners.

After the crowds had died down, however, I was thrilled to be able to grab a moment with the two ‘men of the moment’ at Mimecast: the student and the teacher.

Humbled by the experience Dave, who is looking to overcome Jack Bulmer of Centerprise in May, was keen to praise his mentor: “To have a man of this professional quality in the gym with me gives me motivation in so many different ways. He can also pack a decent punch!”

“I think David found our training session together a tough but valuable lesson,” commented Mimecast CEO, Peter Bauer. “I have a lot of useful experience to share in building a fighting fit, winning team and, as David will find out, the bulging muscles are the easy part; it’s the mental strength that counts.”

In the next few weeks I will be shadowing The Doctor in training as he builds both mind and body so be sure to read on for exclusive photos and interviews with the man himself as he strives for corporate glory.

Here are the highlights, as we learnt a great deal about MIME from Nathaniel’s answers.

philcorfan ‏ @philcorfan

Right, here’s my #MIME20 question for @drmime… Can you explain, in 140 characters(!), why MIME was so important?

Nathaniel Borenstein ‏ @drmime

#MIME20 MIME provides a standard & simple way to identify & share any kind of data across platforms.

Nathaniel Borenstein ‏ @drmime

#MIME20 Without MIME, we’d have, in effect, hundreds of separate Internets, mostly vendor-specific.

Steven Ambrose ‏ @ambio

@ambio: @drmime Do you see any newer or more secure protocols?

Nathaniel Borenstein ‏ @drmime

#MIME20 Newer protocols, absolutely. But MIME as a data format is much easier for new protocols to adopt than replace

philcorfan ‏ @philcorfan

#MIME20 @drmime You say you made mistakes in developing MIME, with the benefit of hindsight, what would you have done differently?

Nathaniel Borenstein ‏ @drmime

#MIME20 @philcorfan We botched anticipation of future changes to MIME, but as no major changes were ever needed it’s merely embarrassing.

Nathaniel Borenstein ‏ @drmime

#MIME20 @philcorfan We also didn’t make Content-Disposition clear enough to keep vendors from screwing it up.

Nathaniel Borenstein ‏ @drmime

#MIME20 @philcorfan Those are my two biggest regrets, so I guess it could be a lot worse. However, the error anticipating future…

Nathaniel Borenstein ‏ @drmime

#MIME20 @philcorfan …changes results in 19 wasted bytes in every MIME object. I estimate it wastes 7 petabytes/year in global bandwidth.

1.  Where you work matters. I devoted roughly 2 years of my life to defining MIME. Not that many employers would tolerate that, but I was a researcher at Bellcore, with a broad mandate to promote more bandwidth use in the future. Other companies support standards work, but few to the extent that Bellcore supported me. It would have been hard to create MIME while working for most technology companies.

2.  Address a real need. Most people didn’t know it yet, but the world really needed an interoperable, open standard for multimedia data; almost everything on today’s Internet reflects this reality. I realized it early because I had built a multimedia email system at Carnegie Mellon, and Steve Jobs had followed up with something similar at NeXT, but the two systems couldn’t exchange multimedia data with each other. I knew that some day I wanted to get pictures of my grandchildren by email, but I didn’t want my kids and I to have to use the same email software.

3.  Address another real need. Any standard will face barriers to adoption, at least from the inertia of the installed base; meeting two major needs can increase the number of people who care, and hence the pressure for adoption. In the case of MIME, multimedia junkies like me were able to make common cause with the deep desire of people around the world to send email in languages other than English. These problems could have been solved separately, but a standard that solved both surely hastened adoption, perhaps even making the difference between success and failure.

4.  Connect the dots and share the credit. Some successful teams self-assemble, but behind most successful teams is a visionary who figured out what parts needed to be brought together. In the case of MIME, the visionary was the late Einar Stefferud, who introduced me to Ned Freed and suggested that we collaborate on the work that became MIME.

Sharing the credit is remarkably useful in leading argumentative technology gurus to consensus. At the end of the MIME standard, there’s a long list of acknowledgements of people who helped draft the standard. I found that adding someone to this list made them less argumentative. There’s no downside to sharing credit generously.

5.  Keep your goals modest, realistic, and limited. I know, extending email to include all human languages and all media types doesn’t sound like a limited goal, but the truth is that we achieved those goals via a very limited mechanism. We avoided trying to settle as many battles as we could, preferring instead to create a framework for the debate to continue. Thus, MIME doesn’t declare  JPEG a better image format than GIF, or PDF superior to HTML and DOC; we just made it possible to unambiguously define labels for these types, such as image/gif and image/jpeg. (The wisdom of this approach is clearest when you consider applying it to the natural language problem: had we tried to specify that everyone should always speak English, or Chinese, we would never have found consensus.)

6.  Acknowledge that your vision is limited. Standards designers tend to overspecify; MIME was designed in the aftermath of X.400, a proposed email standard that failed in large part due to its complexity. Rather than try to imagine every future use of MIME, we created an initial set of media types, and a registry for defining new ones. The result is that the number of media types has grown from under 20 in the original standard to over 1,300 today.

7.  Worry about branding and marketing. This is the lesson I find hardest to convey to technically-oriented people, who tend to dismiss anything non-technical as fluff. The fact is, technologies are adopted (or not) by people, who are subject to a wide range of influences. Good publicity and catchy names really matter.

In fact, the best advice I’ve gotten in my entire career came from Dave Crocker, the author of the original Internet email standards, who convinced me to come up with a clever name or acronym. I laughed, but he was insistent, so after 15 minutes I came up with “Multipurpose Internet Mail Extensions” — MIME which, because it is much catchier than, say, RFC 1341, is often used conversationally.

Essentially, because people have heard the name MIME and perhaps have a vague idea what it is, I have instant credibility with total strangers.

8.  Give it away. If you want to see a standard adopted, it helps to produce a solid implementation and release it as open source software. I built a software package called metamail, a standalone MIME implementation for UNIX that could be plugged into any mail reader, and released it to the world when the MIME spec was stable. Combine real need and free software, and things happen fast. Within a few days, I received patches that made it work on DOS, while Macintosh, Amiga, and others were not far behind. Again, credit is due Bellcore, for supporting building such software only to give it away.

There are other lessons, I’m sure, but most relate to technical details and are unlikely to be of wider value. So now, perhaps, I can stop writing about MIME for another ten or twenty years and see what it looks like then.

Photo CC via Len Radin, Dave Gray & Þorgerður Olafsdottir on Flickr

The invention of Multipurpose Internet Mail Extensions (MIME) was a critical moment in the history of email. It transformed email from the simple text-only messaging system first demonstrated in 1965, to the extra-ordinarily successful communication and collaboration tool that we all know and love today.

Thanks to the development of the MIME standard, email has become quite possibly the most important business tool of our time – check out the infographic below for the full story.

Also available on Flickr.

Cries of fear and panic could be heard echoing from the Centerprise offices today as the news filtered out of Mimecast HQ that Dave ‘The Doctor’ Rodger had been hand-picked to represent Mimecast at the CRN Fight Night 2012.

Rodger never, at any point, looked as if he doubted his own ability and always knew he would be the man carrying the hopes and dreams of an entire company on his broad, muscular shoulders.

Come the 24^th May, ‘The Doctor’ will be surely planning a slick, efficient operation ending in destruction rather than restoration; inflicting, rather than relieving, pain.

His patient? Jack Bulmer of respected IT provider, Centerprise. Obviously the underdog – and clearly fearing the match as we are told he has removed his picture from LinkedIn – Bulmer will need to bring his A game if he is to topple the mighty Rodger.

Having spent the day with the man of the moment, I was able to get an insight into the next few months and the journey he will now embark on which will culminate with him standing victorious under the bright lights. As well as his daily gym sessions, he will have an intensive session with CRN and double sessions with Urban Kings in a bid to make quick work of Bulmer.

Ever the gentleman outside the ring, Rodger was keen to compliment his fellow Mimecasters who lost out on the number one role. “Trevor and Rich both worked really hard and spurred me on to get where I am now. The better man definitely won but I have plenty of respect for them,” said Rodger. “I am looking forward to getting my head down in training and working hard. And I’m really looking forward to the event and bringing the title home for Mimecast.”

And what an event it is billed to be. As well as the headline Bulmer v Rodger match, there are eight thrilling undercard bouts to be settled. This year also sees the introduction of female contestants, so any budding female fighters out there can start thinking about CRN Fight Night 2013!

So now the hard work really starts – Rodger has Bulmer in his sights and he must stick relentlessly to his regime. In just under 12 weeks, he will go where no Mimecaster has gone before: into the ring to shed blood, sweat and tears in the pursuit of victory.

Let the drama begin.

Before MIME, you couldn’t attach or embed anything to an email- no pictures, word documents, files or anything.

MIME enabled people to send and receive attachments via email, and an estimated 1 trillion MIME attachments are still exchanged every day!

I didn’t know until this week that the very first attachment was an image and audio clip of Nathaniel with his fellow Telephone Chords barbershop quartet members singing a short jingle about MIME written to the tune of “Let Me Call You Sweetheart”.

To mark the anniversary (and demonstrate his continued love of all popular communications channels!), Nathaniel is hosting a twitter interview – twinterview – to answer any burning questions you may have about MIME, innovation, the evolution and future of email, email’s position in an increasingly social world, how to turn an idea into a world standard… and even barbershop quartets!

Nathaniel will be taking part in the twinterview for a full hour from his own Twitter account @drmime, and is taking all queries so get thinking! All questions should feature the hashtag #MIME20 to ensure Nathaniel sees them. His responses will also include the tag so you can watch the whole interview unravel.

Date: 7^th March 2012

Time: 3pm GMT

Hashtag: #MIME20