Israeli Software

Not so long ago – when a company ( business unit, department or manager) wanted to develop a line of business software application, they would do a system analysis starting with business requirements and then proceed to develop an application and deploy it.

Things have changed.

Packaged software and Web applications that the CEO’s niece can whip together in a week, have replaced structured systems development. There are of course,  good things about not having a design (like not coming down with an advanced case of analysis paralysis) and iterating quickly to a better product, but the downside of not developing software according to a structured systems design methodology is insecure software. So called security development methodologies are band-aids on deep cuts, that cannot replace a serious look at business requirements followed by a structured process of implementation.

There is a fundamental divide, a metaphorical valley of death of  mentality and skill sets between IT and security professionals.  IT is about executing predictable business processes. Security is about reducing the impact of unpredictable events.

IT’s “best practice” security in 2010 is  firewall/IPS/AV.  Faced with unconventional threats  (for example a combination of trusted contractors exploiting defective software applications), IT staffers  tend to seek a vendor-proposed, one-size-fits-all “solution” instead of performing a first principles threat analysis and discovering  that the problem has nothing to do with malware on the network and everything to do with software defects that may kill customers.

Threat modelling is a lot of hard work, hard data collection and hard analysis.  It’s not a sexy, fun to use, feel-good application like Windows Media Player.   Risk analysis  may yield results that are not career enhancing, and as  the threats  get deeper and wider  with  bigger and more complex systems – so the IT security valley of death deepens and gets more untraversable.

There is a joke about systems programmers – they have heard that there are real users out there, actually running applications on their systems – but they know it’s only an urban legend. Like any joke, it has a grain of truth. IT and security are primarily systems and procedures-oriented instead of  customer-safety oriented.

Truly – the essence of security is protecting the people who use a company’s products and services. What utility is there in running 24×7 systems that leak 4 million credit cards or developing embedded medical devices that may kill patients?

Clearly – the challenge of running a profitable company that values customer protection must be shouldered by IT and security teams alike.

Around this common challenge, I  propose that IT and security adopt a common goal and a common language – a language  of customer-centric threat modelling - threats, vulnerabilities, attackers, entry points, assets and security countermeasures.  This may be the best or even only way for IT and security  to traverse the valley of death successfully.

One of the biggest challenges in global multi-center clinical trials (after enrollment of patients) is collaboration between multi-center clinical trial teams: CRAs, investigators, regulatory, marketing, manufacturing, market research, data managers, statisticians and site administrators.

In a complex global environment, pharma do not have control of computer platforms that local sites use – yet there is an expectation that file and information sharing should be easy yet there are three areas where current systems break down:

1. People forget what files had been shared and with whom they have been shared

2. People have difficulty sharing files with colleagues in a way that is accessible to everyone – firewalls, VPNs, enterprise content management, DRM, corporate data security policy, end point security, file size – these are all daunting challenges when all you want to do is share a file with a colleague in Berlin when you are working in a hospital in Washington.

3. Notifications – how do you know when new information has been added or updated? Not having timely notifications on updates can be a big source of frustration resulting in team members pinging other members over and over again with emails.

Over the past 10 years a generation of complex enterprise content management software systems have grown up – they are bloated, expensive, difficult to implement, not available to the entire multi-center team and in many cases written by English speaking software vendors who cannot conceive that there are people in the world who feel more comfortable communicating in their native tongue of French, German, Hebrew or Finnish!

We are developing (currently in beta with a Tier 1 bio-pharma in EMEA)  a Web-based, agile collaboration system with a light-weight, easy to use, simple architecture, that saves time and reduces IT and travel costs – and literally gets everyone on the same page.

The system resolves the 3 breakdowns above while recording all user activities in a detailed audit trail in order to meet internal control and FDA regulatory requirements.

The system also provides significant cost benefits in addition to improving information collaboration:

• Reduces travel costs: Using online events, integrated media and file sharing and discussions, the clinical trial team and investigators can conduct program reviews, education activities and special events.

• Eliminates proprietary IT: No proprietary software or hardware and no IT integration. No extra investments in information technologies, CRM, sales force integration and data mining.

If this interests you – drop me a line!

My colleague, Michel Godet – sent me a link to an article that Mike Rothman recently wrote.

Michel  (rightly) thinks that it supports the approach that we have been pushing in Europe for over a year now, to justify data security technology investments by using Value at Risk calculations.

Mike’s article – building a business case for security is good. I agree with most of what he writes (I would have commented but searchsecurity doesn’t allow commenting on their Ask The Security Expert: Questions & Answers articles.

So – I will use my own blog to post a couple of my comments (I should probably ping Mogull on this too but I lost  his email)

1) I agree that if you can’t get past the first energy barrier of concern with information protection than you are a non-starter for DLP ( or any data security technology for that matter – it must fit the business needs – otherwise it’s like trying to sell a trombone to a violinist.  Total waste of time

However – once you get past the first road block, the business problem for security investment is:

What is your value at risk, what are the right security countermeasures and are they cost-effective.? Not – what are the vendors selling this quarter.

There is no reason in the world why data security should be any different than any other IT investment.

2) I totally disagree that looking only at a network-based DLP product is inherently limiting. Just because a few vendors like Websense and Symantec, have integrated end point and gateway products doesn’t  makes them cost-effective data security countermeasures, ensure success of the project or prevent the next data breach.

Let me submit  two counter-examples:

A) Suppose all your sensitive data is in the cloud – then maybe network DLP is a good fit

B) Suppose all your endpoints are in the cloud – then maybe endpoint DLP is a good fit

C) Suppose all your sensitive data is on notebooks – then maybe encryption is the right countermeasure to data loss.

The answer is that you have to measure stuff – measure your people, process and system vulnerabilities and where your assets are headed. After that you need to estimate your  VaR and only THEN start thinking about the people, process and technology countermeasures

BTW – I’ve been saying this for years

October 28, 2004 –  A guide to buying extrusion prevention products

March 17, 2005 - How to justify Information security spending

Now if only we could find a way to monetize being right.

The new Israeli administration has invited Microsoft to head a government IT steering comittee – the item caused a bit of a ruckus in the Israeli Open Source community a few months ago – although I personally feel that as the world’s largest software vendor – they have a lot to contribute.

Now I think we have reached a new level of Microsoft sycophancy with the Obama administration implementing a Bush decision to standardize IT but in a way that makes practically no sense at all – let’s ban all non IE browsers.  It’s really scary to what lengths the Obama administration will go undo Bush policy.

In keeping with the requirements of the Federal Desktop Core Configuration, all third-party browsers will be removed from customer workstations beginning Tuesday, Aug.18. Internet Explorer is the standard browser and will be maintained. Netscape, Google Chrome and Firefox will be removed.”

It does make sense to standardize on a browser – but why standardize on the most vulnerable browser and operating system?  Why not standardize on Ubuntu and FF 3 on the desktop or standardize on diskless workstations with Citrix or TightVNC?

The full item is here – USDA unit bans browsers other than Internet Explorer

The buzzword du-jour in the current economic crash of 2008 is “Cloud Computing”.

There are several interesting question around cloud computing – why now, how are people building it, what are people doing with it and what about security.

1) Why now?

Back in 2001 after the dot com crash, On-demand / SaaS started picking up. My personal  explanation is that  a) there were a lot of  programmers and entrepeneurs out of work, looking for new things to do and  b) an oversupply of bandwidth and server capacity on the Internet and c) a lot of VCs looking for the next big thing. The sales guys try to pitch an economic reason for on-demand: businesses not having the money to buy large enterprise software systems in a down-market.  Since Salesforce.com is not keeping up with the profitability of year-on-year growth of Oracle Applications and SAP – I don’t buy it. At $50/seat for Salesforce.com – if I have 100 people, it’s $5000/month or $60,000/year which is 10x more than I would pay for a free open source instance of SugarCRM or TigerCRM running on a dedicated server at rackspace.com. If SaaS is not an economically sustainable business model for service providers, it will not sustain  for end user customers either long term.

Read more…

I had heard about this EMC startup but didn’t know much about what they really do. My friend Arik Blum from HP takes the time to send interesting technology updates to his own private distribution list.

Atmos is  COS “cloud optimised storage”, with web services such as SOAP and REST for access. Cloud Optimized Storage(COS) systems are geographically disperse yet managed as a single entity.

Information inside the Atmos repository is stored as objects. Policies can be created to act on those  objects allowing Atmos to apply different functionality and different service levels to different types of users and their data, for example – Replication,DE-duplication, Deletion etc.

Atmos is designed for multi-Petabyte deployments. There are no LUNs. There is no RAID. There are only objects and metadata : Billions of objects globally distributed with policy based information management.

As new data gets written into the Atmos infrastructure it gets synchronously mirrored to N locations (depending on the policy).  The goal for Atmos was to provide a low cost bulk storage system for these emerging markets, like Web 2.0 companies or other industries with lots of user generated content.

• From a hardware perspective, there’s nothing radical here. Drives are all SATA-II 7.2K 1TB capacity.
• Front-end connectivity is all IP based, which presumably includes replication too.

A few open questions are pending regarding ATMOS:

· What resiliency is there to cope with component (i.e a hard disk ) failure?

· What is the real throughput for replication between nodes?

· Where is the metadata stored and how is it kept concurrent?

· Where is the rich metadata going to come from?

· Is 1Gb/s enough to replicate my data to a remote site synchronously?

· Is this all battery backed write cache in case I experience a hardware failure?

· how long will it take to replicate a 1TB drive over IP?

Read more…

Show me a profitable business application-as-a-Service (SaaS) company.

There is a lot of trade talk about the success of Salesforce.com. Here is a company with a $3.2BN market cap as of Oct 26, 2008 currently trading at 24 down from 72, 5 months ago.

In 2007 – SF.com  posted a net income of $480K on revenue of $497M. Compare this to BMC Software,  a software vendor that provides system and service management solutions for the enterprise. BMC has a current market cap of $4.2BN, trading at 23 down from 39, 3 months ago. In 2007 – BMC Software posted $215M net income on $1.5BN in sales.

In plain language – Salesforce.com does not or cannot charge high enough prices for their services to sustain long-term profitability and growth.   At low price points; Free Open Source on inexpensive hosting becomes a highly-competitive alternative, especially for an SME.

Five years ago – the barrier to entry was application functionality but today, Free Open Source line of business applications like Sugar CRM Community edition are mature, full-featured applications with very little, if any, missing features and some unique advantages that Open Source offers.  Salesforce.com imposes a unique IP address/user constraint which can be very annoying. In SugarCRM, if you get User logged out when IP dynamically changed, just change 1 line in config.php

Suppose you need a CRM system (if you’re a large shop, you already have one – like Siebel). We’re a small group of 5 guys – and we were using Salesforce.com with one of our business partners and wanted to use SF.com for our own business. The cost is $325/month or almost $4,000/year for 5 users. You can get 90% of the functionality from Sugar CRM for the cost of a onetime installation (which will take less than an hour of your time or about $150 if you pay someone) and $15/month for the hosting (if you use dreamhost.com, like we do). That’s a net savings of $3,000 / year.  dreamhost give us 700GB – more than SF.com, and the response/time is at least as good.

I know you’re saying that dreamhost.com at $15/month can’t compete with the scalability, reliability and service levels of SF.com. Maybe,  maybe not – but if you want muscle – consider Mosso.

For $100 per month, Mosso will sell you 80 GB of SAN storage, 2000 GB of bandwidth, a control panel to create sites, email accounts, databases, etc. and customer support.

Mosso says it takes radically different approach to Web hosting, using enterprise-level architecture. It deploys each website across clusters of servers, so when a server crashes or a hard drive fails, the other servers in the cluster pick up the slack without downtime. Their promise: for every 1 hour of downtime, they will reimburse you for 1 day off your bill.