The Vangelis NewsRoom » Cloud Computing

Huawei boosts profits by 33% despite US cyber-espionage allegations

Bretos Margetis — Wed, 23 Jan 2013 18:18:59 +0000

Huawei has revealed details about its 2012 fiscal year, announcing that it boosted its net profits by 33 per cent last year. Despite US security concerns over its products, the Chinese company raked in 15.4 billion yuan (£1.6 billion) in earnings in 2012, largely due to impressive smartphone sales and products tied to cloud computing.

The company also announced that it saw revenues of 220.2 billion yuan (£22 billion) in 2012 – an eight per cent jump from the previous year.

At a press conference, Huawei’s chief financial officer Cathy Meng also said the company, which is currently privately held, is keeping “an open mind” about going public in the future. Meng also pointed to an estimated 13 per cent growth in 2013.

“Cloud computing is a huge sector in the next five years. In the telecom industry, we are expecting a 5 percent increase in capital investments. Smartphone penetration is still way too low and there is a lot of room for growth. So these three areas will create a lot of opportunities for us,” Meng said.

Huawei is second only to Ericsson in the sale of telecom equipment and has also made strides in the enterprise business. It has also improved its standing in the smartphone market, where it is now the world’s sixth-largest vendor. At CES earlier this month, Huawei announced the launch of two new high-end handsets – the Ascend D2 and the Ascend Mate - suggesting that it is gunning for a larger share of the global smartphone market.

“Huawei has a better long-term outlook (than ZTE) because it has telecom equipment, enterprise and handsets business,” said Jessie Yu, a Frost & Sullivan analyst, told Reuters before the results announcement.

“Its handsets are doing quite well and it has maintained its telecom equipment share. There is also some pickup in its enterprise business, so overall, its revenue channels are wider than ZTE,” Yu added.

Meng pointed to growth in Europe, Africa and Asia, though it has had setbacks in North America, where the US has accused the company of facilitating cyber-espionage on behalf of the Chinese government - a charge the company vehemently denies. She insisted that the contention with the US government would not hamper its growth in other parts of the world.

by Rawiya Kameir,

Warning sounded over complicated cloud standards

Bretos Margetis — Sat, 08 Dec 2012 21:15:49 +0000

The cloud industry might have bemoaned the lack of agreed standards in the market but one of those players instrumental in helping define the direction could go in has warned that coming up with the wrong solution could cause more problems than it would solve.

The APM Group, the Cloud Industry Forum’s certification partner, has reacted with caution to the start of EU backed moves to introduce standards into a market that has suffered because some customers have avoided getting involved with a technology that lacks standards.

The European Commission revealed its cloud strategy with the European Telecommunications Standards Institute starting to work with other stakeholders to work out standards around interoperability and security.

“There is no denying that the advancement of pan-European cloud standards would be a positive development – not least because our American counterparts have been so adept at regulating their own industry. Standards will be key to arriving at a common framework for cloud services, encouraging end user confidence, removing any uncertainty that surrounds the industry, and building a solid base upon which innovation can thrive. But to achieve this it’s vital that the standards that are eventually arrived at are carefully considered and appropriate,” said Richard Pharro, CEO of APM Group.

“The EU will face a number of crossroads as it attempts to trace a standards roadmap for Europe. Success of the European cloud project depends upon the coordination of all 27-member states but given that cloud, by nature, is essentially stateless, this may prove challenging. Ultimately the implementation of any agreed standard would be down to interpretation. Will we have one set of standards, but 27 different interpretations?” he added.

Simon Quicke

Warning sounded over complicated cloud standards

Bretos Margetis — Sat, 08 Dec 2012 20:02:34 +0000

Cloud security: what is the right approach?

Bretos Margetis — Sat, 08 Dec 2012 18:00:07 +0000

Having been surrounded by hype and enthusiastic promises of improved business performance; “cloud” technology has had a tough time establishing itself as a creditable part of the IT landscape. After a period of uncertainly, cloud has now moved beyond this stage and there is clear evidence, case studies and testimonials that prove the technology has improved IT infrastructure. Industry heavyweights, Gartner included, agree cloud is here to stay.

The wide array of applications for cloud has, however, led to a something fragmented landscape. Everything, from simple data storage to scalable environments for developers deploying test applications, has been impacted by cloud technology. The downside is the fragmented landscape lacks established standards across the industry, and for cloud the most notable issue is security.

Security requirements in the cloud vary greatly from those of on-site infrastructure. Businesses looking to deploy in the cloud or replace existing infrastructure with something that promises to be faster, better, cheaper, or anything else in-between, must take a holistic approach to cloud security.

Control in the cloud

Security requirements will vary for any business. Even the smallest of players will have sensitive data, such as personnel files and financial details, on file that needs to be kept secure. The larger players have more complex compliance issues to think about. Payment Card Industry Data Security Standards (PCI DSS), Sarbanes Oxley and HIPAA are all potential pain points for larger businesses looking at cloud technology.

Responsibly for keeping data safe and secured in the cloud is also not clear cut. The Information Commissioner’s Office (ICO) recently published guidelines that, although not specifically related to cloud security, offer some precedent. A 24 page document attributes the responsibility for data, and data loss, to the business that created it even “after passing it [data] to the cloud network provider”.

It’s only a short leap to assume a business that is responsible for data loss is also accountable for security and regulatory requirements. Data loss could even fall under the umbrella of security, so any cloud provided selected by a business must prove itself a trustworthily partner and supplier.

In this regard, cloud security is not mutually exclusive from the data security practices businesses should have in place today. Protecting access to certain sensitive data and limiting what can be shared to outside infrastructure, such as through virtual desktops, USB storage keys and so on is a staple of IT security. Cloud security should not sit apart from this, but rather be an extension of what is already taking place, albeit a well-considered extension.

Holistic Approach

A ‘holistic approach’ to cloud security is a sensible course of action for businesses looking to shift some elements of their IT infrastructure to the cloud. This simply means taking the time to fully assess the security requirements of business data heading to the cloud, and ensuring a cloud service provider is capable of meeting these. This may sound obvious, but the importance of security means the issues should be elevated more thoughtfully and thoroughly than an item on a list to tick off.

The CIO or CSO should take ultimately responsibly for deciding which data can be transferred to the cloud, but the decision should be informed by every part of the business. This will ensure the businesses can account for any and all regulatory requirements, keep the right level of control over their data, and gain the benefits of using cloud technology.

by Chris Jenkins, line of business manager, security solutions for IT Solutions provider Dimension Data

Hacked journalist reminds us security is people plus process

Bretos Margetis — Wed, 14 Nov 2012 12:16:44 +0000

When Wired journalist Mat Honan realised his Twitter, Amazon and iCloud accounts had been hacked, he initially thought someone had brute-forced his seven-character, alphanumeric password.

That’s not impossible — GPU computing in the cloud makes cracking passwords much easier. If you care about an account, your password needs at least 12 characters. That can be two or more common words together rather than a single Brobdingnagian word.

But what allowed a hacker who just wanted a cool Twitter handle to get so much access to Honan’s accounts were failures in the security processes at both Amazon and Apple, and good old human error. Forget zero-day vulnerabilities and buffer overruns and heap-spraying attacks. If you forget that security has to be a combination of people, process and technology, then someone is going to get hacked.

Technology as secure as the Enigma machine isn’t enough if people and processes are insecure

I’m not quite sure why Amazon ever allowed customers to add a credit-card number to their account over the phone — some oddity of the US banking system, because it’s easier than typing it in on a phone screen? But allowing someone to add a security credential to their account and then use it almost immediately is clearly a bad idea.

It’s something that many credit-card and banking-fraud systems look for, actually. You could force a waiting period between entering and using a new credential, or insist on out-of-band confirmation — such as the emails you get when you set up new accounts with many websites — or you could stop someone adding a new security credential without confirming an existing security credential.

The problem here is that Amazon was conflating a service — adding a new way to pay — with a security check — using a credit card number to reset an account. It amounted to a process failure it’s since fixed, compounded by Apple using just the last four digits of a credit card for a password reset. Presumably, Apple employees weren’t asking for the other security features such as the expiry date and security code because they weren’t being used for a purchase, and there’s some dispute as to whether that was official policy or not. If it was, that’s a process failure. If not, it’s people failure.

Security experts sometimes joke that two-factor authentication stands for, “Something you’ve lost and something you’ve forgotten” — a physical object that you can prove is in your possession as well as a password you can memorise. In this case it was, “Something you can find out and then pretend to remember”.

But we do forget passwords and lose or break physical items such as keycards and tokens. Having a live human being as the last resort for regaining access to your account is a good thing, but you have to make it an annoying process for legitimate users to avoid making it to easier for hackers to get around.

Social engineering means getting someone to break the rules. Having good rules and training people to understand why they’re important is the best protection.

My bank gets some of that right and some of it wrong. For example, I have to type in a code it texts to my phone to set up a new standing order. That’s good two-factor authentication. But I recently lost access to my business bank account because the banking site told me I’d changed computers, which I hadn’t, or IP address, which I hadn’t either.

What I had done was swap back to the Windows 7 image I took before installing Windows 8 CP so I could upgrade to Windows 8 RP, deleting or replacing whatever cookie the bank had used last to identify my computer — often this is a randomly-generated number. I was confronted by a set of security questions that should have unlocked my account. But my account was set up before those security questions were added to the system and my answers didn’t work.

When I phoned the bank, the security procedure involved asking me a lot of other questions. Not just my name, address, date of birth and company name, but when I opened the account, who else could operate it, full security details from the account credit card plus details of the balance and recent transactions that you wouldn’t know unless you’d already hacked me.

That’s a good process and lot more secure than security questions you can find the answer to on Facebook. One US bank warns you to pick answers that no-one else can give and then asks for the name of your first boyfriend or girlfriend. At least one other person on the planet knows that even if you haven’t told the world on a social network.

I couldn’t answer all the questions straightaway. We stayed on the phone for half an hour running through alternative but equally secure questions before I’d proved my identity enough for the bank to reset the security-question prompt. That’s people applying the process well. No, they didn’t reset my password. They just let me set up new security questions but answering them didn’t get me into my account. I still needed both my password and passcode to log in.

All this is a crutch for dealing with the broken system of passwords that’s going to keep letting us down. A much better idea would be to use something harder to copy, find online, crack and lose.

It’s not perfect, but using the trusted-platform model (TPM) that’s in many modern PCs would be a good start. Windows 8 PCs will have TPMs in far more systems. Firmware TPMs are built into Windows RT tablets and SoC devices running Windows 8 and even consumer PCs will start to include them because Windows 8 uses the TPM to help guard against rootkits that mess with the operating system directly.

You can use a TPM as a virtual smartcard in Windows 8, so you could tie important accounts to the hardware of your PC — which wouldn’t change if you upgraded your OS or logged in from a different network.

Lose, break or replace your PC? The recovery system can use a mobile phone for secondary authentication — something you’re less likely to lose control of than an email address — and fall back to a call centre, with well-trained people following a good security process.

Source: Mary Branscombe ZDNet

BYOD: a simple guide for small businesses

Bretos Margetis — Tue, 13 Nov 2012 17:11:21 +0000

It’s now usual to let workers bring their own device to work – despite CIOs’ concerns. This guide looks at ways of mitigating the risk

There are plenty of advantages that BYOD can bring to your business, with cost savings and flexible working being perhaps the most notable, but the big downside is all too often introducing insecurity into the workplace.

When Osterman Research surveyed more than 100 SMB IT security providers earlier this year on behalf of Trend Micro, it confirmed that the Bring Your Own Device (BYOD) trend of employees using their own smartphones, tablets and laptops at work is on the up amongst SMBs. Android device usage gained the largest year on year increase, up 7.1 percent, but iPhone and iPad usage is also increasing.

Trend Micro noted at the time that the typical SMB employee uses a whole raft of BYOD endpoint devices, and these need to be properly secured if the business is to be protected from exposure to malware and other threats. Which begs the question, just how does the average SMB go about translating security concern into real world policy in the face of this BYOD flood?

Say what?
Although you might think that’s it’s not feasible to restrict your employees to only using a particular flavour of the Android OS on a specific hardware platform, and such an extreme is unlikely to be workable, that’s not actually the case.

What you can do is recommend devices which you are able to support from the data security perspective, such as iPhones and iPads running iOS version ‘x’ or later and hardware running Android version whatever. If you say what you can support, by implication it means you can also state that anything else is not supported and therefore must not be used to access or store corporate data.

It’s all but impossible to police such a policy and prevent such apps from being installed and used

The same ‘say what’ approach is much harder to extend to software and services if employees want to use their own devices. Some SMBs will attempt to go down the policy road of banning Twitter and Facebook apps, third party email clients or VPNs for example, on the basis that these apps may have security vulnerabilities which could impact upon corporate data.

The fact of the matter is that it’s all but impossible to police such a policy and prevent such apps from being installed and used. It’s also a fact, unfortunately, that the bad guys do see consumer grade apps as being a route to stealing business data.

Any BYOD security policy is, therefore, better directed at bridging the security time gap. This can be best thought of as being the time between malware being released and protection against it being deployed. Policy should wrap with technology here, and the SMB should look to implementing as near as posssible, a real time approach to security pattern/signature updates. The cloudcan help, with an increasing number of threat intelligence and pattern updating products being available now that both save on endpoint resources and remediate newly launched threats quickly.

Your policy has to be something of a balancing act between the fact that the devices it applies to are not company property, but at the same time are being used to access company data. This inevitably is going to involve compromise, much of it from the employee side of the fence.

So while research would tend to suggest that few users have passwords or even simple lockscreens in place on their consumer devices, your policy should insist upon password access controls.

It’s all too easy to forget that a BYOD policy shouldn’t just cover data security, it should also embrace general usage. Your Acceptable Use Policy (AUP) and your BYOD policy should be joined at the hip, ensuring that unacceptable activities are not enabled courtesy of an employee using a smartphone instead of the desktop or company laptop. Just because they own the device in question, as long as they are using a VPN tunnel to your network then the same AUP requirements should apply in all cases and at all times.

This may seem straightforward, but the question of monitoring and enforcement may not be and legal advice is always recommended before considering using any such monitoring tools available to you.

End of life
Another thing that often gets forgotten when talking BYOD is what happens when that employee in question is no longer an employee? Obviously you wouldn’t want them to still be able to access your company data, but you cannot just confiscate their iPhone when they leave.

So your policy should cover the enforced removal of company data, security tokens etc. If you decide to take the ‘exit wipe’ route whereby each device is securely wiped and returned to factory status when an employee leaves, then you had better also consider how you back up their personal data so that can be reinstalled after the company stuff has been wiped.

And talking of wiping of a device, the small matter of data storage should be included in your BYOD policy. Data segregation is the accepted norm, with a distinct system in place to ensure that business data is stored separately from personal data. Not forgetting that data should also be encrypted, of course. There should also be systems in place for automated backing up of this data, external to the device itself of course with the cloud being the obvious answer, and an agreed method of dealing with data in the event of device theft or loss. The usual method being that remote wipe…

One size doesn’t fit all
Once you have a policy in place, it should not be considered a fire and forget solution to BYOD security. Your policy needs to be audited regularly in order to ensure that any new loopholes are uncovered and patched quickly. An out-of-date policy which has not kept up with the latest advances in both portable platforms and services as well as the threats that face them is in some ways worse than having no policy at all; a false sense of security leaves the potential data breach door wide open.

The main thing to take away from this primer is that, while the points covered are a good baseline to start from and provide food for thought, there is no such thing as a one-size-fits-all BYOD policy. The details are going to vary according to the size and nature of your business, whether it has a dedicated IT department or not, what budget you have to devote to BYOD security and so on.

The second thing to take away is that policy isn’t the be all and end all of BYOD security, it’s just a part in the overall puzzle. Ensure that you have user education programmes and technological solutions in place to complete the picture.

by Davey Winder

Gartner: ‘Personal cloud will replace personal computer’

Bretos Margetis — Wed, 14 Mar 2012 16:48:10 +0000

The analysts’ latest report claims cloud computing will remove the need for corporate PCs from users’ digital lives

The PC has long been the essential tool of corporate employees, keeping all the secrets – and spreadsheets – of a business across a network of machines.

However, analyst firm Gartner believes these days are coming to an end and the cloud will remove the need for a PC per employee.

Instead, by using cloud computing, workers will be able to use their day to day devices – such as smartphones, tablets and laptops – to access all of their corporate info and not have to return to their desk and individual machine.

“Major trends in client computing have shifted the market away from a focus on personal computers to a broader device perspective that includes smartphones, tablets and other consumer devices,” said Steve Kleynhans, research vice president at Gartner.

“Emerging cloud services will become the glue that connects the web of devices that users choose to access during the different aspects of their daily life.”

Although this could save a company big bucks and give it a more flexible workforce, Kleynhans warned it would need a whole new approach to application delivery from enterprise IT departments.

“When the way that applications are designed, delivered and consumed by users changes, it has a dramatic impact on all other aspects of the market,” read his report.

“These changes will have a profound impact on how applications are written and managed in corporate environments.”

There are benefits to this though, with more opportunities for cross-platform applications and enabling apps to be used in many more ways than just as one corporate tool.

One of the key trends influencing this change is the “self-service cloud,” according to Gartner.

By giving an employee a more scalable and flexible environment, it gives them more individual tools to tailor their workload. Making their own choices about applications and having more opportunities encourages stronger innovation and, in turn, increases productivity.

“The combination of these megatrends, coupled with advances in new enabling technologies, is ushering in the era of the personal cloud,” said Kleynhans.

“In this new world, the specifics of devices will become less important for the organisation to worry about.”

Although the PC would still have its role, he concluded it would no longer be the ‘primary hub’ for users.

“The personal cloud will take on that role,” said Kleynhans. “Access to the cloud and the content stored or shared in the cloud will be managed and secured, rather than solely focusing on the device itself.”

Cloud computing set to be major driver for British economy

Bretos Margetis — Wed, 14 Mar 2012 16:47:06 +0000

The deputy director of the government’s digital service has said cloud will be a major driver for the UK economy over next few years

Cloud computing will be one of main drivers for the UK economy over the next few years, according to the head of the UK government’s project to rationalise its web presence.

In a keynote speech given at the Digital London conference in East London, Tom Loosemore, deputy director of the UK Government Digital Service said that ”everything that is a digital service is done in the cloud. It is easier and cheaper for start ups,” he said.

The UK government was at the forefront of driving growth in the new digital economy, according to Loosemore. He said the government’s new web portal gov.uk had used the cloud and new business models to drive innovative web services.

“World class digital skills are at the heart of government. We need to build the government’s web presence the way Google builds Google and Amazon builds Amazon.,” said Loosemore

But he stressed that in order to build up the economy and make London a digital hub, companies had to concentrate on four things. Loosemore said companies needed to be ”digital by default” and have a focus on users, putting their needs first. “We need to be agile and we need to be open.”

The former digital strategy adviser to media watchdog Ofcom said companies should be “using digital to make services work for users whether they are online, offline, mobile or assisted”.

In addition, Loosemore said the current education system should be overhauled so that the UK could create room for a new generation of digital talent. “Our challenge is teaching children how to program and not just how to use applications”.

But he also warned that the focus on technology in the country should not be limited to a small area of east London. ”The smartest people are beyond the boundaries of Hoxton and we need to adapt ourselves.”

Forrester: specialised apps will deal cloud a killer blow

Bretos Margetis — Wed, 14 Mar 2012 16:43:10 +0000

Forrester analyst warns cloud could be marginalised by interconnected apps and smart devices

Cloud computing could end up as a passing fad with more and more smart devices communicating via apps, according to a leading analyst.

Speaking at a session of the Digital London summit in east London, Brian Hopkins, principal analyst at research company Forrester said apps running on smart devices ”are the future and the cloud is dead.”

“The cloud is about powering the data centre. But powerful devices are out on the periphery,” said Hopkins. “The emerging architecture is where apps and devices talk to each other and have very little interaction with the cloud.”

Hopkins also said that there is a rising number of technology-savvy employees using business services that weren’t necessarily sanctioned by their IT departments.

“They are downloading apps on their phones in order to do businesses for the companies they work in.”

He said that these empowered employees interacting socially on their mobile devices will generate a lot of data. He predicted that there will be around one billion smart devices by 2016 and Facebook and Google would be the main companies to exploit this generated data the most.

He warned that this amount of data was going to create a big problem. He pointed to a survey that Forrester carried out that found that 62 per cent of companies had up to nine petabytes of data to manage and this amount of data was set to grow by around 40 per cent annually worldwide. “Data is growing faster than the ability of companies to use it.”

He said that in order to process this amount of data, compromises would have to be made.

“Big data solutions may trade off consistency and integrity for speed and flexibility,” said Hopkins.

SugarSync Finalises $15 Million Series D Round

Bretos Margetis — Thu, 01 Mar 2012 17:31:04 +0000

Cloud based syncing service provider SugarSync has announced that the company has managed to raise an impressive $15 million series D round.

SugarSync further stated that the fund would be used in order to expand its team as well as beef up its existing datacentre infrastructure, which will help the company immensely in implementing its plans to emerge as a key global provider of syncing services.

The series D investment round was captained by SugarSync’s new investor Coral Group, with other existing investors including Sigma Partners, Draper Fisher Jurvetson, Hercules and Hatteras Venture Partner.

Following the completion of this latest round, the total funding raised by the company has touched the $50 million milestone figure. SugarSync also boasted that its services will be made available to as many as 100 million new customers with the assistance of these partners throughout the year.

“We see a massive opportunity in the Cloud services market as the proliferation of mobile devices continues. SugarSync has the most robust and complete Cloud solution for accessing, syncing and sharing files across all devices — regardless of platform,” Yuval Almog, Founder and Senior Managing Director of Coral Group