<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="wordpress/2.3.1" -->
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>

<channel>
	<title>Jiri's Notepad</title>
	<link>http://jludvik.net</link>
	<description>A place to observe the world</description>
	<pubDate>Sat, 19 Jul 2008 14:41:01 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.3.1</generator>
	<language>en</language>
			<item>
		<title>Enterprise social software and its adoption</title>
		<link>http://jludvik.net/2008/07/19/enterprise-social-software-and-its-adoption/</link>
		<comments>http://jludvik.net/2008/07/19/enterprise-social-software-and-its-adoption/#comments</comments>
		<pubDate>Sat, 19 Jul 2008 14:41:01 +0000</pubDate>
		<dc:creator>Jiri</dc:creator>
		
		<category><![CDATA[Collaboration]]></category>

		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://jludvik.net/2008/07/19/enterprise-social-software-and-its-adoption/</guid>
		<description><![CDATA[One of the subjects I am really into is social software and its use for business purposes. Last August, I wished &#8220;to hear a bit more about how other companies that pioneered the use of social software [&#8230;] to see how are the things going&#8221;. Going through my backlog of bookmarks, I came across a few [...]]]></description>
			<content:encoded><![CDATA[<p>One of the subjects I am really into is social software and its use for business purposes. Last August, I <a href="http://jludvik.net/2007/08/31/social-software-in-knowledge-intense-organisations/">wished</a> &#8220;to hear a bit more about how other companies that pioneered the use of social software [&#8230;] to see how are the things going&#8221;. Going through my backlog of bookmarks, I came across a few articles on the self-same subject.</p>
<p>Firstly, Tom Davenport <a href="http://discussionleader.hbsp.com/davenport/2008/06/is_intellipedia_the_answer_to.html">reports</a> that a year after &#8216;going live&#8217;, Intellipedia, one of the most interesting and wide-reaching corporate social software projects, has been used by around 10% of staff. Is this little or much? Viewed against the total number of employees it is probably not enough; from another angle it is a great success, given the notorious difficulty of making the cultural changes needed to increase knowledge sharing.</p>
<p>Incidentally, Andrew McAfee who was at the same conference as Tom Davenport, asked panelists in a discussion about blockers in the implementation of collaboration tools. What he found out is worth noting:</p>
<blockquote><p>I didn’t hear any of you point the finger at the managers in your organizations. Were you just being polite, or are they really not getting in the way of Enterprise 2.0? The new social software platforms are a bureaucrat’s worst nightmare because they remove his ability to filter information, or control its flow. I’d expect, then, that each of you would have some examples of managers overtly or covertly trying to stop the spread and use of these tools. Are you telling me this hasn’t happened?&#8230; That is in fact what they were telling me, and I didn’t get the impression that they were just being diplomatic.</p></blockquote>
<p>Based on this, I am guessing that most of these middle managers see the software as pretty irrelevant. Social and collaborative software has the potential to disrupt the established order, and the early adopters may well have changed the way they work, but 10% is probably not enough to create a tipping point without some major top-down changes in corporate culture. Having said that, there is still bound to be lots of space for some fantastic point innovations.</p>
]]></content:encoded>
			<wfw:commentRss>http://jludvik.net/2008/07/19/enterprise-social-software-and-its-adoption/feed/</wfw:commentRss>
		</item>
		<item>
		<title>What I was doing in May &#038; June</title>
		<link>http://jludvik.net/2008/07/06/what-i-was-doing-in-may-june/</link>
		<comments>http://jludvik.net/2008/07/06/what-i-was-doing-in-may-june/#comments</comments>
		<pubDate>Sun, 06 Jul 2008 21:48:05 +0000</pubDate>
		<dc:creator>Jiri</dc:creator>
		
		<category><![CDATA[Architecture]]></category>

		<category><![CDATA[People]]></category>

		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://jludvik.net/2008/07/06/what-i-was-doing-in-may-june/</guid>
		<description><![CDATA[I don&#8217;t want to be falling back on that old excuse&#8230; that I have been too busy at work&#8230; even if that is partially true.

I finished a major paper and got it published on my employer&#8217;s website. It&#8217;s somewhat similar to some of the content of the Architecture and Delivery categories on this weblog, but [...]]]></description>
			<content:encoded><![CDATA[<p>I don&#8217;t want to be falling back on that old excuse&#8230; that I have been too busy at work&#8230; even if that is partially true.</p>
<ul>
<li>I finished a major <a href="http://www.capgemini.com/resources/thought_leadership/it_architecture_in_large_scale_programs/">paper and got it published</a> on my employer&#8217;s website. It&#8217;s somewhat similar to some of the content of the Architecture and Delivery categories on this weblog, but it is more focused and there is some previously unpublished content. I am very pleased about that because it finally materialised the huge amount of effort I put into this.</li>
<li>Secondly, I took an NLP Master Practitioner Course. <a href="http://anlp.org/index.asp?CatName=What%20is%20NLP&amp;CatID=32">NLP</a> gives a strong grounding in many <a href="http://jludvik.net/2007/12/29/architects-soft-skills/">interpersonal skills</a> that I have found very useful in the day-to-day business context. The training itself was great fun, but it required rather lengthy home study before the course started.</li>
</ul>
<p>Anyway, now that the tide of work that had to be done before my French colleagues leave on their <a href="http://timescorrespondents.typepad.com/charles_bremner/2006/07/were_all_going_.html">grandes vacances</a> is starting to subside and all other activities are pretty much done, I hope to post a bit more.</p>
]]></content:encoded>
			<wfw:commentRss>http://jludvik.net/2008/07/06/what-i-was-doing-in-may-june/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Infosec 08: 2020 Vision – Security in the Future</title>
		<link>http://jludvik.net/2008/04/24/infosec-08-2020-vision-%e2%80%93-security-in-the-future/</link>
		<comments>http://jludvik.net/2008/04/24/infosec-08-2020-vision-%e2%80%93-security-in-the-future/#comments</comments>
		<pubDate>Thu, 24 Apr 2008 20:16:09 +0000</pubDate>
		<dc:creator>Jiri</dc:creator>
		
		<category><![CDATA[Security]]></category>

		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://jludvik.net/2008/04/24/infosec-08-2020-vision-%e2%80%93-security-in-the-future/</guid>
		<description><![CDATA[This was a panel with several different perspectives on where the world is going to be in 10 years' time.
Introduction
Chris Potter, PWC
If we were to look 10 years out, what would be different? Because security incidents are a byproduct of changes in the business and technology environment, we need to look at the changes in [...]]]></description>
			<content:encoded><![CDATA[<p>This was a panel with several different perspectives on where the world is going to be in 10 years' time.</p>
<p><strong>Introduction</strong><br />
Chris Potter, PWC</p>
<p>If we were to look 10 years out, what would be different? Because security incidents are a byproduct of changes in the business and technology environment, we need to look at the changes in the broader environment:</p>
<ul>
<li> Increasing staff turnover</li>
<li> Outsourcing and offshoring</li>
<li> Increasing bandwidth and the death of distance</li>
<li> Network boundaries expanding and becoming wireless</li>
<li> Mobile telephony, convergence and digital TV</li>
<li> Techno-savvy younger generation</li>
</ul>
<p>It is impossible to guess the future, but we still need to have a vision of where the world is heading.</p>
<p><strong>Trusted Computing – Benefits &amp; Challenges<br />
</strong> Shane Balfe, Royal Holloway, University of London</p>
<p>Why can&#8217;t you trust your computer? Malware is getting more sophisticated and operates on an industrial scale. Once infected, the platform is no longer under your control and cannot be trusted. What is trust? The expectation that a device will behave in an intended manner.</p>
<p>Trusted Computing = <a href="http://en.wikipedia.org/wiki/Trusted_Platform_Module" target="_blank">trusted platform modules</a> plus</p>
<ul>
<li> Integrity measurement &amp; storage,</li>
<li> Attestation (checking of the state of the device),</li>
<li> Protected storage (binding data to a unique platform in a cryptographic manner)</li>
<li> Software isolation (compartmentalisation of memory – security process running completely separate from other processes)</li>
</ul>
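<p>[Note JL: the three mechanisms above are easier to see in code than in a bullet list. The following is an added, self-contained toy model, not code from the talk and not TPM code: a single SHA-256 register stands in for a PCR, an HMAC stands in for the signature an attestation key would produce, and the boot components, keys and the &#8220;disk-encryption-key&#8221; secret are all constructed for the example. It shows measurement (extend into the register), attestation (a quote over a verifier nonce and the register, checked against a known-good value), and protected storage (data sealed to the expected register value that fails to unseal on a platform with a modified bootloader, and a replayed quote that fails freshness).]</p>

```python
import hashlib
import hmac
import os

PCR_SIZE = 32  # one SHA-256-sized register stands in for a TPM PCR


def pcr_extend(pcr, measurement):
    """PCR extend: new = H(old || measurement). Order-dependent and one-way, so a
    component cannot be 'un-measured' or reordered without changing the result."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot_chain(components):
    """Integrity measurement: hash each (name, code) in boot order into the register.
    Returns (final PCR value, event log); the log is what a verifier replays."""
    pcr = b"\x00" * PCR_SIZE
    log = []
    for name, code in components:
        m = hashlib.sha256(code).digest()
        pcr = pcr_extend(pcr, m)
        log.append((name, m.hex()))
    return pcr, log


def replay_log(log):
    """Verifier side: recompute the PCR from the event log alone."""
    pcr = b"\x00" * PCR_SIZE
    for _name, m_hex in log:
        pcr = pcr_extend(pcr, bytes.fromhex(m_hex))
    return pcr


def quote(attestation_key, verifier_nonce, pcr):
    """Attestation: the platform authenticates (verifier nonce || PCR). An HMAC
    stands in for the signature a real attestation key would produce."""
    return hmac.new(attestation_key, b"quote" + verifier_nonce + pcr, hashlib.sha256).digest()


def verify_quote(attestation_key, verifier_nonce, pcr, q, golden_pcr):
    """The quote must be authentic and fresh, AND the PCR must equal the known-good
    value: a genuine quote over a bad measurement is still a failed attestation."""
    expected = hmac.new(attestation_key, b"quote" + verifier_nonce + pcr, hashlib.sha256).digest()
    return hmac.compare_digest(expected, q) and hmac.compare_digest(pcr, golden_pcr)


def _keystream(key, nonce, length):
    """SHA-256 in counter mode; used only to keep this example dependency-free."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def seal(platform_key, pcr, secret):
    """Protected storage: wrap `secret` under a key derived from the platform key
    and the expected PCR value, encrypt-then-MAC."""
    k = hmac.new(platform_key, b"seal" + pcr, hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(k, nonce, len(secret))))
    tag = hmac.new(k, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(platform_key, pcr, blob):
    """Returns the secret only when the current PCR equals the one sealed against;
    any other PCR derives a different key, the tag check fails and None is returned."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    k = hmac.new(platform_key, b"seal" + pcr, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(k, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(k, nonce, len(ct))))


# Constructed sample data: a known-good boot chain and the same chain with a
# modified bootloader. Keys are fixed here; a TPM would hold them.
GOOD_CHAIN = [("firmware", b"fw-1.0"), ("bootloader", b"bl-2.3"), ("kernel", b"krn-5.0")]
TAMPERED_CHAIN = [("firmware", b"fw-1.0"), ("bootloader", b"bl-2.3-rootkit"), ("kernel", b"krn-5.0")]
PLATFORM_KEY = hashlib.sha256(b"example platform root key").digest()
ATTEST_KEY = hashlib.sha256(b"example attestation key").digest()


def demo():
    golden_pcr, log = measure_boot_chain(GOOD_CHAIN)
    assert replay_log(log) == golden_pcr  # the verifier can rebuild the value from the log
    blob = seal(PLATFORM_KEY, golden_pcr, b"disk-encryption-key")
    bad_pcr, _ = measure_boot_chain(TAMPERED_CHAIN)
    nonce = os.urandom(16)
    return {
        "good_unseal": unseal(PLATFORM_KEY, golden_pcr, blob),
        "bad_unseal": unseal(PLATFORM_KEY, bad_pcr, blob),
        "good_attest": verify_quote(ATTEST_KEY, nonce, golden_pcr,
                                    quote(ATTEST_KEY, nonce, golden_pcr), golden_pcr),
        "bad_attest": verify_quote(ATTEST_KEY, nonce, bad_pcr,
                                   quote(ATTEST_KEY, nonce, bad_pcr), golden_pcr),
        # a recorded good quote replayed against a fresh verifier nonce must not pass
        "replayed_attest": verify_quote(ATTEST_KEY, os.urandom(16), golden_pcr,
                                        quote(ATTEST_KEY, nonce, golden_pcr), golden_pcr),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

<p>The point the model makes is the one the panel made about attestation: the verifier needs a known-good value to compare against (the &#8220;global PKI&#8221; problem below is about trusting the attestation key that signs the quote), and sealing only protects data if the measurement covers every component that could tamper with it.</p>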
<p>Key Challenges</p>
<ul>
<li> Usable security [Note JL: this is IMHO one of the fundamental points]</li>
<li> Global PKI required to enable the concept</li>
</ul>
<p><strong>Mobile Computing<br />
</strong> Howard Schmidt</p>
<p>Today we are facing issues that are conceptually similar to those we had ten years ago. It&#8217;s only that computers and communications are much more widespread. What will the internet look like in ten years&#8217; time?</p>
<p>In ten years time&#8230;</p>
<p>There will be 2bn devices, which translates to 10 IP addresses for every person on the Internet. Mobile devices will be more powerful than desktop computers and they will all be connected to everything else. You will go shopping and, after buying what you wanted, you will just walk out and the goods will get charged to the mobile. Then you put your shopping in the fridge, which will automatically update the inventory. When the food goes off and you throw it away, your bin will check what you bought and threw away and adjust your future shopping plans. It will also notify your financial system to make appropriate changes to your financial plans. You will have a calendaring system connecting all family members and friends, your work, hobbies and television shows. Medical devices will be connected, monitoring bodily functions and the external environment, alerting your GP when necessary and recommending the right nutrition. It will work globally, regardless of your city, country or airport. It will be more user friendly. A global, federated identity management (see global PKI above) will enable this type of functionality.</p>
<p>We will own our data. We will be able to sign up to a loyalty programme, but also unsubscribe. We will be able to provide data temporarily to the parties that need it (e.g. for a credit check) with a specified expiry period after which the data will self-destruct.</p>
<p>Technology will evolve to support this new ultra mobile world. There will be a variety of mobile protocols including a number of new ones. We will need to understand their security impacts. There will be a new generation of software. We should try to avoid inherent vulnerabilities. The weakest link will be something unexpected, e.g. power management or environmental impact.</p>
<p><strong>Generation Z and Enterprise Data Protection<br />
</strong> Nigel Stanley, Bloor Research</p>
<p>People are always the weakest link and we are entering into the Golden Age of computer crime.</p>
<p>Demographics are changing: Generation Y is entering the workplace with a very different set of expectations. Web 2.0 is the way they work. We (security professionals) need to understand them – their culture, language, expectations; currently we don&#8217;t.</p>
<p>In ten years we can expect:</p>
<ul>
<li> Growth of virtual worlds leading to illicit real world activities (e.g. drug dealing and money laundering) overflowing into virtual realities and vice versa (people being killed for stealing a sword of destruction in VR)</li>
<li>E-crime will professionalise and grow into professionally run organisations with marketing, sales, technicians.  Nation states will sponsor information warfare. Quite possibly, the traditional bank robbery will come to an end. Why bother robbing banks?</li>
</ul>
<p>To deal with it, security will have to be baked in, yet there will always be room for small innovative companies. But people problems and desires and motivations will remain the same.</p>
]]></content:encoded>
			<wfw:commentRss>http://jludvik.net/2008/04/24/infosec-08-2020-vision-%e2%80%93-security-in-the-future/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Infosec 08: Laptop on a keychain</title>
		<link>http://jludvik.net/2008/04/24/infosec-08-laptop-on-a-keychain/</link>
		<comments>http://jludvik.net/2008/04/24/infosec-08-laptop-on-a-keychain/#comments</comments>
		<pubDate>Thu, 24 Apr 2008 19:27:18 +0000</pubDate>
		<dc:creator>Jiri</dc:creator>
		
		<category><![CDATA[Security]]></category>

		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://jludvik.net/2008/04/24/infosec-08-laptop-on-a-keychain/</guid>
		<description><![CDATA[Tom Rowan, Magirus, 24th April
This was a technical vendor presentation showing a rather tactical, but at the same time rather cool use of technology. [Note JL: At the moment, people need to have far too many laptops. In the future, people are likely to start using their own laptops and corporate software will move to [...]]]></description>
			<content:encoded><![CDATA[<p>Tom Rowan, Magirus, 24th April</p>
<p>This was a technical vendor presentation showing a rather tactical, but at the same time rather cool use of technology. [Note JL: At the moment, people need to have far too many laptops. In the future, people are likely to start using their own laptops and corporate software will <a target="_blank" href="http://www.capgemini.com/ctoblog/2007/04/does_the_desktop_matter_anymor.php">move to the cloud</a>. But in the short term, this is not entirely possible as many corporate services still live on the desktop and their web-ification is too expensive to do at once.]</p>
<p>The problem of too many laptops is worst for mobile transient workers such as contractors and consultants. The solution presented by Tom is quite cool - an OS build with VMware Player, time activated, running off an encrypted USB memory stick. One of the innovative uses of virtualisation, which is what I have been looking for for a while.</p>
<p><strong>Overall rating: 3/5 </strong>(good technical presentation, a tad too detailed)</p>
]]></content:encoded>
			<wfw:commentRss>http://jludvik.net/2008/04/24/infosec-08-laptop-on-a-keychain/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Infosec 08: Enigma</title>
		<link>http://jludvik.net/2008/04/24/infosec-08-enigma/</link>
		<comments>http://jludvik.net/2008/04/24/infosec-08-enigma/#comments</comments>
		<pubDate>Thu, 24 Apr 2008 19:16:16 +0000</pubDate>
		<dc:creator>Jiri</dc:creator>
		
		<category><![CDATA[Security]]></category>

		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://jludvik.net/2008/04/24/infosec-08-enigma/</guid>
		<description><![CDATA[I want one of these  at home:

And I certainly should visit Bletchley Park, which is something I have been planning since coming to the UK.
]]></description>
			<content:encoded><![CDATA[<p>I want one of <a href="http://en.wikipedia.org/wiki/Enigma_machine" target="_blank">these</a>  at home:</p>
<p><img src="http://jludvik.net/wp-content/uploads/enigma2.jpg" alt="Enigma" /></p>
<p>And I certainly should visit <a href="http://en.wikipedia.org/wiki/Bletchley_Park" target="_blank">Bletchley Park</a>, which is something I have been planning since coming to the UK.</p>
]]></content:encoded>
			<wfw:commentRss>http://jludvik.net/2008/04/24/infosec-08-enigma/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Infosec 08: Mobile Banking and Identity Theft</title>
		<link>http://jludvik.net/2008/04/24/infosec-08-mobile-banking-and-identity-theft/</link>
		<comments>http://jludvik.net/2008/04/24/infosec-08-mobile-banking-and-identity-theft/#comments</comments>
		<pubDate>Thu, 24 Apr 2008 18:55:03 +0000</pubDate>
		<dc:creator>Jiri</dc:creator>
		
		<category><![CDATA[Security]]></category>

		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://jludvik.net/2008/04/24/infosec-08-mobile-banking-and-identity-theft/</guid>
		<description><![CDATA[Patrick Bedwell, Arcot Systems, 24th April
A good overview of mobile banking

Evolution of mobile banking
The first mobile banking solutions arrived at the end of the 80s and the technology then evolved in three waves. First was basic mobile banking providing basic services such as account inquiry, activity alerts, finding a cash machine. Then came a second, mobile payments [...]]]></description>
			<content:encoded><![CDATA[<p>Patrick Bedwell, Arcot Systems, 24th April</p>
<p>A good overview of mobile banking<br />
<strong><br />
Evolution of mobile banking</strong><br />
The first mobile banking solutions arrived at the end of the 80s and the technology then evolved in three waves. First was basic mobile banking providing basic services such as account inquiry, activity alerts, finding a cash machine. Then came a second, mobile payments wave, with technology allowing initiation of payments at the PoS and in virtual worlds and P2P payments via SMS. We are at the beginning? of a third, mobile marketing, wave enabling two-way, interactive functionality during transactions, alerts, loyalty programmes, location-specific offers and electronic coupons.</p>
<p><strong>Current mobile banking technologies</strong><br />
There are broadly three classes of technologies, each with its own benefits and disadvantages:</p>
<ul>
<li> SMS – familiar to the target user demographics, low cost of entry, but no guaranteed delivery, no end-to-end encryption, data stored on the device. Exposes users to a range of threats including fraudulent SMS messages, spam and spoofing;</li>
<li> Browser – common, familiar, SSL encryption, low cost requiring only an extension of the existing internet banking system. Has problems with upgrades; small screens &amp; keyboards affect usability; vulnerable to phishing, malware, squatting, man-in-the-middle and browser vulnerabilities;</li>
<li> Thick-client apps – secure, dedicated to a single purpose, allow branding and upgrades, resistant to phishing, support multi-factor authentication, lower cost, increased stickiness &amp; better for marketing; challenging if they need to be installed by customers (uptake &amp; helpdesk impacts); still susceptible to malware and inherent vulnerabilities; hundreds of phone models to support; some banks too tied to a provider / devices.</li>
</ul>
<p><strong>Future<br />
</strong>Limited consolidation of technologies. Higher-risk transactions will require more secure access. Services and adoption will vary widely across countries and services. Criminals will follow the money. Regulators will follow the criminals. Our handsets will never be the same after the iPhone.</p>
<p><strong>Overall rating: 4/5</strong> (A solid technology session delivered by a vendor which was not just a thinly disguised sales pitch)</p>
]]></content:encoded>
			<wfw:commentRss>http://jludvik.net/2008/04/24/infosec-08-mobile-banking-and-identity-theft/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Infosec 08: What is more important? Compliance, security or operability?</title>
		<link>http://jludvik.net/2008/04/24/infosec-08-what-is-more-important-compliance-security-or-operability/</link>
		<comments>http://jludvik.net/2008/04/24/infosec-08-what-is-more-important-compliance-security-or-operability/#comments</comments>
		<pubDate>Thu, 24 Apr 2008 17:38:40 +0000</pubDate>
		<dc:creator>Jiri</dc:creator>
		
		<category><![CDATA[Architecture]]></category>

		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://jludvik.net/2008/04/24/infosec-08-what-is-more-important-compliance-security-or-operability/</guid>
		<description><![CDATA[Panelists: Jon Collins (Freeform Dynamics), Adrian Seccombe (CISO/Enterprise Architect, Eli Lilly), Geoff Harris (ISSA-UK Chairman), Abdellah Cherkaoui (CISO Sodexho)
24th April
Jon Collins
We need to enable the business to do what it needs to do. We also need to have some stick to keep things under control. At the same time too much security/control can be bad [...]]]></description>
			<content:encoded><![CDATA[<p>Panelists: Jon Collins (Freeform Dynamics), Adrian Seccombe (CISO/Enterprise Architect, Eli Lilly), Geoff Harris (ISSA-UK Chairman), Abdellah Cherkaoui (CISO Sodexho)</p>
<p>24th April</p>
<p><strong>Jon Collins<br />
</strong>We need to enable the business to do what it needs to do. We also need to have some stick to keep things under control. At the same time too much security/control can be bad, lowering end-user productivity. It can also be self-defeating, leading employees to circumvent security mechanisms that are too cumbersome.</p>
<p><strong>Geoff Harris<br />
</strong>Geoff provided some definitions:</p>
<ul>
<li> Operability=functionality+availability+performance+ease of use</li>
<li> Security=confidentiality+integrity+availability</li>
<li> Compliance=his interpretation is that it sets and enforces a minimum level of security (e.g. PCI DSS, COBIT, SOX, MPS, etc).</li>
</ul>
<p>The biggest tradeoff is between operability and security. It cannot be said which one is more important as this tradeoff depends on the risk appetite of different organisations.</p>
<p><strong>Adrian Seccombe<br />
</strong>The question about the relative importance needs to be re-stated as a question about achieving the business value of information. To get an infinitely secure system you should switch it off and bury in a concrete undersea bunker, but this won&#8217;t provide any business value. The right question is therefore “How can we put our information asset at appropriate risk to achieve the maximum value”.</p>
<p>The answer to this will differ from system to system and organisation to organisation. The appropriate level of risk needs to be negotiated with business asset owners. For these negotiations to be successful, they need to be done in the context of enterprise architecture and delivery processes. Such processes integrate security with the enterprise-wide architecture discipline and processes (Adrian&#8217;s role is CISO and Senior Enterprise Architect).</p>
<p>The big challenge today in balancing these three aspects is to respond to the fundamental transformation of companies from tightly knit, internally integrated companies into flexible network organisations. Eli Lilly, which is an example of this, is transforming from a fully integrated pharmaceutical company to a company dependent on flexible collaboration, time-bound use of external partners and outsourcing. This is not easy and requires lots of balancing. There is no magic wand for this, but integrated processes are more useful than checklists.</p>
<p>There is another aspect we need to cope with and that is the fact that most of our enterprise data is moving outside the company – into the cloud, onto the internet. Competencies that drive value out of our business are also moving outside. We all need to figure out how to secure the cloud and how to manage cloud providers, preferably before we move our assets out there. This is still 3-5 years away but it is clear now that to do this successfully will require new thinking, new approaches and new products.</p>
<p>Jericho provides probably the best overview of the new capabilities that we need:</p>
<ul>
<li> Onboard and offboard people (all types, employees, contractors, partners)</li>
<li> Manage risks across collaborative frames</li>
<li> Manage information assets in the cloud, processes to manage assets outside direct control</li>
<li> Manage devices and services in the cloud: identify the asset, determine the user, and determine how trustworthy it is</li>
<li> Onboard and offboard enterprises, support them during the period of collaboration, and then offboard them whilst maintaining security</li>
</ul>
<p>Question from the audience: How does this fit with IT Service Management and BCP standards?<br />
Answer: IT Service Management is a key discipline allowing management of cloud service suppliers. Ability to comply with ITIL, Cobit etc will be critical for the suppliers.</p>
<p><strong>Abdellah Cherkaoui<br />
</strong>Abdellah focused on the compliance angle. The challenge for Sodexho, as one of the first European companies that had to comply with SOX, was how to cascade compliance requirements down to subsidiaries, partners etc. The cost of compliance was very important. At a certain price point the non-US based business needs to ask if the cost of compliance is worth it. Another problem – incompatible international laws.</p>
<p><strong>Adrian Seccombe:</strong> As an American company, Eli Lilly did not have the option to de-list from SOX and so the approach they took was to achieve compliance at the lowest cost point. The key for that was to select the right auditors. (Many auditors were doing more than law required to get a repeat business).</p>
<p><strong>Jon Collins:</strong> How to provide services out of the cloud? How to determine whom to trust and with what?</p>
<p><strong>Adrian Seccombe:</strong> To do this, Eli Lilly decided to do an information classification exercise using the traffic light colours: white – public, green – company+collaborators, amber – sensitive, red – named people and certified systems only. E.g. the canteen menu on the intranet is public, IPR on a drug is sensitive, the fire alarm system is red. This information can be used to decide which services can be sourced from the cloud.</p>
<p><strong>Jon Collins:</strong> We are at the point of making this change but we have not achieved it yet. We are mostly consciously competent in getting into relationships across organisations, but consciously incompetent at developing technology to support them.</p>
<p><strong>Overall rating: 4.5/5 </strong>(First half was fantastic and overshadowed the second half, which got a bit rambling and tedious, but overall probably the best session at the conference)</p>
]]></content:encoded>
			<wfw:commentRss>http://jludvik.net/2008/04/24/infosec-08-what-is-more-important-compliance-security-or-operability/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Infosec 08: Let’s Look Back</title>
		<link>http://jludvik.net/2008/04/24/infosec-08-let%e2%80%99s-look-back/</link>
		<comments>http://jludvik.net/2008/04/24/infosec-08-let%e2%80%99s-look-back/#comments</comments>
		<pubDate>Thu, 24 Apr 2008 08:10:49 +0000</pubDate>
		<dc:creator>Jiri</dc:creator>
		
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://jludvik.net/2008/04/24/infosec-08-let%e2%80%99s-look-back/</guid>
		<description><![CDATA[Fred Piper, 23rd April
Another enjoyable retrospective from one of the key people who were at the birth of UK security education. But my laptop ran out of power and I could not take notes, so only two points, each presenting an interesting paradox, remained in my head.
The first was that every project has a range of [...]]]></description>
			<content:encoded><![CDATA[<p>Fred Piper, 23rd April</p>
<p>Another enjoyable retrospective from one of the key people who were at the birth of UK security education. But my laptop ran out of power and I could not take notes, so only two points, each presenting an interesting paradox, remained in my head.</p>
<p>The first was that every project has a range of consequences which are either intentional or unintentional, and which have a various degree of desirability.  Because desirability is subjective, things like surveillance will always draw disagreeing views.</p>
<p>The second point related to cryptography. Cryptosystems were originally designed with the view that the interceptor is the bad guy, but in the last decade that got reversed. Today cryptography is used to protect the information of good guys from the bad guys, but equally the bad guys (e.g. organised crime) are using it to protect themselves against the good guys. Who is good and who is bad is to an extent in the eye of the beholder. This not only leads to endless discussions (mostly about feelings and models, in Schneier&#8217;s words) but also means that crypto solutions can never perfectly reconcile these two perspectives.</p>
<p><strong>Overall rating: 3.5/5</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://jludvik.net/2008/04/24/infosec-08-let%e2%80%99s-look-back/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Infosec 08: Fireside chat with Howard Schmidt</title>
		<link>http://jludvik.net/2008/04/24/infosec-08-fireside-chat-with-howard-schmidt/</link>
		<comments>http://jludvik.net/2008/04/24/infosec-08-fireside-chat-with-howard-schmidt/#comments</comments>
		<pubDate>Thu, 24 Apr 2008 07:57:26 +0000</pubDate>
		<dc:creator>Jiri</dc:creator>
		
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://jludvik.net/2008/04/24/infosec-08-fireside-chat-with-howard-schmidt/</guid>
		<description><![CDATA[23rd April
This was a retrospective, free-wheeling, conversation with Howard Schmidt, who has been involved in IT security-related public policy circles for the last 20 years. Even though there was nothing new per-se, it is always a good fun listening to stories of people who were personally present at the important points in the history. An [...]]]></description>
			<content:encoded><![CDATA[<p>23rd April</p>
<p>This was a retrospective, free-wheeling conversation with Howard Schmidt, who has been involved in IT security-related public policy circles for the last 20 years. Even though there was nothing new per se, it is always good fun listening to stories of people who were personally present at the important points in history. An interesting point was that he thinks that in terms of organising the protection of critical infrastructure, Europe is about 3 years behind the US.</p>
<p><strong>Overall rating: 4/5</strong> (Very enjoyable even if mostly covered public policy and law enforcements)</p>
]]></content:encoded>
			<wfw:commentRss>http://jludvik.net/2008/04/24/infosec-08-fireside-chat-with-howard-schmidt/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Infosec 08: How to secure a wide range of mobile devices</title>
		<link>http://jludvik.net/2008/04/24/how-to-secure-a-wide-range-of-mobile-devices/</link>
		<comments>http://jludvik.net/2008/04/24/how-to-secure-a-wide-range-of-mobile-devices/#comments</comments>
		<pubDate>Thu, 24 Apr 2008 07:32:25 +0000</pubDate>
		<dc:creator>Jiri</dc:creator>
		
		<category><![CDATA[Security]]></category>

		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://jludvik.net/2008/04/24/how-to-secure-a-wide-range-of-mobile-devices/</guid>
		<description><![CDATA[&#8230; by someone from Microsoft, 23rd April
This was a dedicated product-oriented Microsoft presentation. I thought I would attend, just because mobility is becoming such a big deal. The session was pretty close to what was promised in the invite:
How on earth can you manage the security of the ever growing range of mobile devices in [...]]]></description>
			<content:encoded><![CDATA[<p>&#8230; by someone from Microsoft, 23rd April</p>
<p>This was a dedicated product-oriented Microsoft presentation. I thought I would attend, just because mobility is becoming such a big deal. The session was pretty close to what was promised in the invite:</p>
<blockquote><p>How on earth can you manage the security of the ever growing range of mobile devices in your enterprise? Even if you standardise on a small number of devices it’s often difficult/impossible to manage them while they are out on the road. Microsoft® System Center Mobile Device Manager makes it easy to solve these complex problems.</p></blockquote>
<p>We are getting increasingly mobile. An informal survey MS did showed that probably 40-50% of knowledge workers are mobile (travelling often or working away from their desk).</p>
<p>Most companies don&#8217;t have a mobile strategy, which often results in sub-optimal and non-scalable solutions the next time your CEO asks for a Blackberry. A technical mobility strategy is needed to respond to demands like this. But mobility is also a big HR subject – the lack of an appropriate policy for mobile working is the main thing that prevents businesses from getting more benefit from their use of mobile devices.</p>
<p>One of the key technical requirements for a mobile solution is the ability to scale up. Deployment often starts with a 100-user pilot but quickly spreads to thousands.</p>
<p>We are now talking about Microsoft CE as a mobile OS platform, which can now be better managed and is more secure. Windows Mobile 5 &amp; 6 now have EAL2? [note JL, which just shows how insecure mobiles are].</p>
<p>The main features come with System Centre Mobile Manager, whose new version came out in April. It gives you a lot of goodies:</p>
<p><strong>Management<br />
</strong></p>
<ul>
<li>Configuration of hardware and software based on AD / GPOs</li>
<li>Provisioning &amp; enrollment. User can buy the device in the high street, via enrollment it can be remotely configured to become the enterprise device.</li>
<li>Mobile deployment of applications over the air</li>
<li>Inventory reporting</li>
</ul>
<p>[Note JL: Mobile Manager seems to give you management capabilities similar to those currently used to manage a standard desktop]</p>
<p><strong> Security<br />
</strong></p>
<ul>
<li> Hardware driver lock-down – can switch off camera, lock down bluetooth, capability to delete the information on the device remotely</li>
<li> Can control access to applications, who can install what, access to internet</li>
<li> File encryption for the memory card and the built-in storage</li>
<li> Mobile VPN - Tailored specifically to work over GSM/GPRS infrastructure to get around the problems of moving between base stations. Can be used to provide access to web based business apps</li>
</ul>
<p><strong>Overall rating: 3/5</strong> (A decent technical presentation, good content, too much focused on product features rather than solutions)</p>
]]></content:encoded>
			<wfw:commentRss>http://jludvik.net/2008/04/24/how-to-secure-a-wide-range-of-mobile-devices/feed/</wfw:commentRss>
		</item>
	</channel>
</rss>
