Enterprise Strategy Group | Getting to the bigger truth.™

Posts Tagged ‘Google’

Apple and Google Make the Department of Defense Jump Through Hoops for Mobile Device Security

Thursday, December 9th, 2010

Despite the unseasonably cold weather, I participated in a mobile security event yesterday at the historic Willard hotel in Washington DC. I set the stage and presented a bunch of ESG Research data on mobile device use, security, and management. Other organizations presenting included the Defense Information Systems Agency (DISA), the (NRC), the US Patent and Trademark Office, and Juniper Networks.

It turns out that DISA is doing some very interesting things around mobile computing. For example, members of the US military can access an information portal called Defense Knowledge Online from their mobile phones. DISA also talked about a program called Go Mobile meant to provide numerous communications, training, and collaboration applications to mobile soldiers.

Since we are talking about the US Department of Defense, mobile device security is a critical requirement for this program so Go Mobile includes user authentication, secure data storage and transfer, secure device management, etc.

Initially Go Mobile was built for Blackberry devices but DISA is now adding support for Apple iPhones and Android phones because of high demand from users. Unfortunately, adding iPhone and Android support is more difficult than DISA anticipated. Why? Because both Apple and Google refuse to give DISA access to their security APIs so DISA had to do a series of workarounds to meet its security requirements. For example, DISA had to add an external Bluetooth device to provide secure personal networking capabilities because Apple wouldn’t provide API access to its iPhone security stack.

Hold the phone here! Apple and Google aren’t willing to provide additional technical support to the United States Department of Defense? Nope. One person I spoke with from DOD said that Apple flat out refused to play ball, telling DOD to “talk to our integrators and carriers.”

I understand that Apple and Google want to control their technology. If Citi or GE asked for API access, perhaps it would make technical sense to refuse but we are talking about the Department of Defense here.

Apple and Google have a market advantage and they know it — Androids and iPhones are so popular that Apple and Google can thumb their noses at DOD. In most cases, DOD would exercise cyber supply chain security best practice and refuse to purchase insecure Androids or iPhones at all. The fact that DOD is going the extra mile and developing workarounds demonstrates that it is willing to do the right thing for American troops in spite of this lack of industry cooperation.

It seems to me that Apple and Google are making self-centered bad decisions here that won’t play well with the American public. Clearly, Apple and Google should re-think these myopic and selfish policies. Providing API access to DOD is the patriotic and moral thing to do, especially since DOD is opening the door to lots of sales opportunities for both companies.

Cloud Computing? We Still Haven’t Mastered Server Virtualization!

Tuesday, October 19th, 2010

According to ESG Research, only 7% of large mid-market (i.e., 500-1000 employees) and enterprise (i.e., 1,000 employees or more) organizations are not using server virtualization technology and have no plans to do so. Alternatively, 61% are using server virtualization technology extensively in test/development AND production environments.

Okay, so server virtualization technology is everywhere, but how are large organizations using it? Many technology vendors would have you believe that enterprises are using server virtualization as the on-ramp to cloud computing. The industry crows about server virtualization’s use for IT automation and self-service, as VMs are rapidly provisioned, dynamically re-configured, and moved constantly from physical server to physical server for load balancing and resource optimization.

It’s a great vision, it just isn’t happening today. Most organizations use server virtualization for web applications and file and print services but far fewer have taken on transaction-oriented applications or databases. Many firms still struggle with performance issues when trying to align physical networks, storage devices, and servers with virtualization technology. As for VM mobility (i.e., vMotion), only 30% of the organizations surveyed by ESG use VM mobility on a regular basis. Why eschew VM mobility? It turns out that 24% of organizations say they have no need to use VM mobility functionality at this time.

The ESG data does suggest that server virtualization represents a paradigm shift driving huge changes in IT organizations, processes, and technologies, but these transitions will take time to work their way out. Many enterprises will get to a state of more dynamic data center transformation–around 2013 or so.

Take my word for it, the IT rhetoric around server virtualization is visionary hype rather than actual reality. I’ve got tons of data to back this up. There are more average Joe IT shops out there than whiz-bang organizations like , , and Microsoft and there always will be.

Microsoft’s Mobile Phone Opportunity

Wednesday, October 13th, 2010

Microsoft and partners announced a series of new mobile phones yesterday. The new phones are based upon Windows 7 which replaces the more antiquated Windows Mobile OS.

This announcement places Microsoft in an unfamiliar spot, the “hot seat.” Everyone is pressing Microsoft on how its Windows 7 phones will compete with iPhone and Google Android. When Microsoft CEO Steve Ballmer visited NBC’s “Today” show, host Matt Lauer mentioned the iPhone several times. Ballmer continually re-directed him back to the product.

One overused IT cliche is to declare that a company or product is “dead.” I’m sure that many pundits are saying this about Microsoft, trumpeting that Windows Phones are simply too little too late. I disagree for several reasons. Yes, Apple and have become the sexy consumer phones, but Microsoft still has a huge enterprise installed base. According to a recent ESG Research survey, 62% of enterprises already offer formal support for Microsoft mobile phones. Only Blackberry enjoys a higher support status. Combined with its Windows prowess, Microsoft has an opportunity to:

  1. Continue to tweak mobile applications. The fact is that we are just learning what type of applications, functionality, and usability people need for mobile devices. Microsoft has the ability to modify franchise applications like Office, Outlook, and Sharepoint to work best on Windows Mobile. If Microsoft can make this difference meaningful, business users will follow. Microsoft can also point its army of external developers at Windows phones to develop enterprise-focused applications. Finally, Microsoft can use Hyper-V to virtualize PCs on mobile devices better than anyone else.
  2. Use client licensing as a hook. Microsoft often gets enterprise customers to buy lots of applications with pricing bundles. If mobile applications come as part of its Enterprise Client Access License (ECAL), it has an immediate leg up on others.
  3. Focus on management, security, and compliance. Mobile devices can increase risk, endpoint management costs, and regulatory compliance complexity. According to ESG Research, 74% of enterprise organizations believe that mobile devices make complying with industry or government data security and/or privacy regulations more challenging. Microsoft can help bridge this gap by positioning Windows Phones along with existing Windows administration, operations, and security tools.

Microsoft shouldn’t try to compete with consumer-focused iPhone or Android. Rather it should combine some sexy consumer features with rock-solid business functionality. Apple and Google have momentum, Blackberry is vulnerable. If Microsoft establishes this position as “good enough” for consumers but superior for the enterprise, it wins where it counts–with software revenue.

October is National Cybersecurity Awareness Month (Who Knew!)

Monday, October 4th, 2010

If you watched any football games yesterday, you are well aware of the fact that October is National Breast Cancer Awareness Month. Kudos to the NFL for bringing national attention to this deadly disease and donating money to find a cure.

You are probably unaware, however, that October is also National Cybersecurity Awareness Month.

Over the course of the last year, we’ve witnessed visible cyber attacks on Google in January. We’ve seen the activation of the U.S. Cyber Command at Ft. Meade. At my last count, there were ten different bills in Congress related to cybersecurity, including, “The Protecting Cyberspace as a National Asset Act,” a comprehensive piece of legislation coming out of the Senate’s Homeland Security and Government Affairs Committee. Former “cyber czar” Richard Clarke published a new book titled, “Cyberwar.” Finally, we’ve recently witnessed the Stuxnet worm, a cyber weapon attacking the Iranian nuclear infrastructure.

I am providing this brief history to highlight a problem–if you aren’t a Washington cybersecurity insider, you would never know it is National Cybersecurity Awareness Month. Ironic? Yes, but also sad.

Now, I know it is early in the month and there is lots of further activity planned. I am also aware of the fantastic work driven by the National Cyber Security Alliance, an industry group spearheading the National Cybersecurity Awareness Month (www.staysafeonline.org). President Obama will step up and talk about cybersecurity and the indefatigable Howard Schmidt will be as vocal and visible as possible throughout October.

These folks deserve a lot of credit, but somehow the IT and security industries continue to offer lip service support for National Cybersecurity Awareness Month through their Federal offices alone. I did a quick website scan of leading IT and security companies this morning: only RSA Security mentioned National Cybersecurity Awareness Month on its website (Note: The acting NCSA President works at EMC/RSA).

My point here is that National Cybersecurity Awareness Month isn’t making enough people aware of cybersecurity vulnerabilities, education, or government initiatives. Why? It doesn’t appear to me like the industry really cares. Oh sure, there is a bit of token money to appease their clients in Washington, but where is the national spotlight? Beats me.

I was on this soap box last year and will continue to be until I’m proven wrong. I probably have 20 meetings scheduled with security industry insiders in October and I’ll ask each and every one of them if they know what month it is. My guess is that they will say National Breast Cancer Awareness Month.

Blackberry, Windows still own the enterprise but . . .

Friday, August 6th, 2010

Consumer buzz tends to center on two mobile phones: Apple iPhone and Android. As far as the enterprise is concerned however, these two phones remain down the list.

ESG Research conducted a survey of 174 IT professionals from enterprise organizations (i.e., greater than 1,000 employees) and asked them which mobile device platforms their organizations support. Here is what they said:

| Phone | Support today | Will support in the future |
|---|---|---|
| Blackberry | 74% | 11% |
| Windows Mobile | 62% | 9% |
| iPhone | 43% | 18% |
| Palm WebOS | 24% | 17% |
| Google Android | 8% | 16% |
| Symbian | 7% | 14% |

A few facts about the survey. First, it was conducted at the very end of 2009 so it doesn’t capture recent momentum or the impact of new products like iPad and iPhone 4. Additionally, this data comes from IT professionals in North America only.

My read of this data is as follows:

  1. Blackberry retains a strong position. Yes, other data indicates a migration trend away from Blackberry and phone swaps are much more common than corporate PC to Mac swap outs. Nevertheless, Blackberry infrastructure is embedded in the enterprise so new “cool” products could become the corporate choice.
  2. Microsoft is teetering. Windows Mobile has a big installed base but most enterprises are looking closely at other phones. Microsoft has tried to link Windows Mobile to Office, Outlook, and Exchange but users want the pizazz of iPhones, Palms, and Androids. Can Microsoft catch up or will it produce the mobile device equivalent of Zune when the market wants iPods?
  3. Don’t count out HP. Palm was on a downward spiral with consumers but it seems to be holding its own in the enterprise. Now that it is owned by enterprise-savvy HP, it could really impact this space.
  4. Google remains in the distance. Google support is thin but many organizations will include Android support in the future. Nevertheless, it has a lot of work to do if it is going to push others aside and gain share in the enterprise market.

Unlike consumers, enterprises want more than just cool devices — application development, device management, security, and integration into the existing infrastructure are all important considerations. Vendors need to find the right combination of consumer cool and corporate requirements support if they want to defend their position or gain share in the enterprise.

Enterprises Are Embracing Mobile Devices

Wednesday, August 4th, 2010

The latest iPhone commercials feature video calls and multiple couples sharing intimate moments. When describing , wireless carrier talks about, “the apps you crave.” Microsoft’s latest pitch is that Windows Mobile phones fold neatly into social networking.

There are a few common themes here. Each vendor is targeting consumers with whiz-bang functionality and lots of applications. Video capabilities are highlighted in all cases.

Given this focus, you would think that mobile devices = consumer devices but this is not the case. Enterprises are also running to and jumping on the mobile device bandwagon in a big way.

ESG Research surveyed 174 IT professionals about their organizations’ adoption and use of mobile devices. Here are a few data points that illustrate growing mobile device usage in the enterprise.

Question 1. What are your organization’s spending plans for mobile devices and mobile device support?

37% spending will increase significantly
45% spending will increase moderately
14% spending will stay flat
3% spending will decrease
1% don’t know

Question 2. How important are mobile devices to your organization’s business processes and productivity?

38% critical
48% important
11% somewhat important
1% not important today but will be important in the future
1% not important today or in the future
1% don’t know

Question 3. Does your organization develop, or plan to develop, specific applications for mobile devices?

28% already develop applications for mobile devices
34% plan to develop applications for mobile devices
26% no plans at this time but interested in developing apps.
11% no plans or interest in developing apps.
1% don’t know

In summary, enterprises are spending more on mobile devices and device support, they believe these devices are “critical” or “important” for the business, and most already develop mobile device applications or plan to do so.

Sounds to me like every IT vendor in the endpoint (PC, laptop, mobile device), network, security, management, and application markets should have a mobile device strategy. Those that either haven’t developed or articulated their strategies are way behind.

Cyber Stowaways

Wednesday, April 21st, 2010

Here is another must read New York Times article providing more details about the cyber attack at :

Apparently the bad guys became cyber stowaways — unwelcome and undetected network occupants. Once network access was secured, the cyber stowaways fished around until they found the source code to Google’s password system that controls access by millions of users to Google services. While Google has since added new layers of security, it is still possible that the attackers inserted a Trojan Horse/back door in the password system or studied the code to discover other software vulnerabilities.

Google has some of the smartest software engineers in the world so it is likely that they can stay one step ahead of the bad guys, but the lessons of the Google breach should send up a red flag elsewhere for several reasons:

  1. The actual incursion occurred well before the actual attack making the attackers cyber stowaways as described above. This was also true elsewhere (Heartland, TJX, etc.). The scary thing is that if Google can’t detect and remediate an attack, what hope do more pedestrian organizations have?
  2. Once inside, the bad guys have carte blanche to poke around and find anything of value. In fact, the longer a cyber stowaway remains undetected, the more value each incursion reaps. Did cyber criminals penetrate Google to steal the Gaia (i.e., password management) software or did they stumble upon it as they scanned the network? I can’t answer that question but I know the results are pretty bad either way.
  3. This event makes you wonder what other source code has been stolen by cyber stowaways. Heck, some of these attacks may still be underway. Imagine the impact if cyber criminals stole the password system at Bank of America. Yikes!

The bad guys are extremely good at what they do and in many cases, we are several steps behind. There could be cyber stowaways on lots of major commercial, government, and military networks just sitting there, biding their time, and waiting for the right opportunity or target. I hope this realization is now emanating in corporate boardrooms, Congress, DHS, DOD, and NSA.

Will Google Tip the Scale Toward OpenID?

Tuesday, March 16th, 2010

Last week, Google announced that it will support OpenID as a Single Sign-On (SSO) and identity standard in its Apps Marketplace.

For the most part, this announcement flew under the radar of most people but it may be far more significant than a simple technology integration play for several reasons:

  1. OpenID is an industry standard with good but not great support. With Google’s muscle, OpenID may be more widely embraced by other cloud and SaaS providers.
  2. OpenID has other user benefits besides SSO. With OpenID, a user can choose which personal information to share. This can help users protect private data.
  3. OpenID can provide SSO for the Internet. Google could become an identity broker or leave it to others like PingIdentity to do so. As a result, I can log-on once, go to secure sites, and rely on my identity broker to log me in. This eases log-on for users, eliminates the need to manage and secure multiple passwords, and bolsters security.

There are other standard and open source identity efforts like Project Higgins (backed by IBM and Novell) and Microsoft’s recently announced U-Prove technology. Now that Google is on board with OpenID, I hope we can start to merge these efforts and get the most out of each.

Internet identity is broken right now and we need a solution. Kudos to Google for recognizing this and supporting OpenID, an industry standard, rather than sending users down yet another proprietary path.

The Ominous Warnings from the Google China Incident

Friday, January 15th, 2010

Caught between a rock and a hard place, Google did something few companies are brave enough to do — it went public about a data breach. This is especially noble as the company is really betting on cloud computing and SaaS for future growth.

While Google applications were not breached, Google (and all cloud providers) took a PR hit with this incident. That said, Google did a good job of reassuring the public about its security.

Clearly Google has its own business reasons for outing China with regard to its cybersecurity attacks. Nevertheless, there are a few bigger and more ominous warnings contained here:

  1. Sophisticated adversaries can trump strong security. Google is no TJX–it really knows what it is doing when it comes to securing its networks, servers, and applications. In spite of this expertise, however, its assets were still penetrated. The bad guys are really good at what they do, folks. If this doesn’t illustrate this fact, nothing will.
  2. Beware of industrial espionage. The breach at Google may have compromised dissident emails but I have no doubt that foreign and possibly state sponsored adversaries are poking at our networks as I write this. American and European tech companies whose business is based upon Intellectual Property (IP) should be especially worried. Sort of gives cybersecurity a whole new level of business value.
  3. The cyber supply chain may be next. The majority of our technology is now produced off-shore, primarily in Asia. How can we be sure that these components haven’t been compromised already? With the exception of the DOD, NSA, and a few other global government agencies, we are just coming to terms with this risk.

Google has a lot of chutzpah but it is really fighting a battle for the good of Google. It is up to the rest of us to recognize that we are under attack and protect ourselves accordingly.

Public Sector Opportunity for Cisco, EMC, and VMware

Wednesday, November 4th, 2009

Yesterday, Cisco, EMC, and VMware unveiled the next iteration of their partnership. Together, the three will offer common support, professional services (through their joint venture, Alpine), and an integrated server, networking, and storage hardware offering called Vblocks. The companies will also work together on service and support.

During the announcement, all three participants highlighted the fact that Vblocks were really targeted at “private clouds.” In other words, a sort of turnkey cloud infrastructure to be consumed by a single organization.

Hmm. So some Fortune 500 company is going to buy a single hardware and hypervisor stack from these guys and replace all kinds of other servers, storage, networking, management tools, etc? Perhaps, but this seems like a stretch to me as this simply isn’t the way IT consumes products. That said, I believe that Cisco, EMC, and VMware could be very successful with Vblocks and its other new initiatives in the broad public sector space because:

* The Federal government is ga-ga over cloud computing. Since early this year, we’ve seen the feds allocate money for cloud initiatives, propose that GSA offer cloud services, and task NIST with developing cloud standards. Federal CIO Vivek Kundra can’t speak often enough about cloud computing’s potential. Sensing an emerging trend, many federal integrators like Lockheed-Martin, SAIC, and Unisys are building their own clouds believing that Federal agencies will soon buy capacity and services. Cisco, EMC, and VMware should be all over every cloud effort inside the beltway.

* Governments are modernizing IT. Federal, state, and local governments are actively consolidating data centers, replacing legacy systems, and adopting virtualization technology as a foundation. Case-in-point, the Commonwealth of MA released its “IT Strategy for the Commonwealth 2009-2011” plan in 2008. The plan calls for the Commonwealth to create “a robust, agile enterprise IT architecture, shared services and applications, and common, effective management practices.” As part of this, MA will consolidate down to 2 data centers; one of these will be a brand new facility in Holyoke. Seems to me that a massive and somewhat green-field opportunity is a perfect target for Vblocks.

* Governments are already onboard. Kundra already selected Google Apps for Washington DC at his previous job and just last week the City of Los Angeles decided to abandon its own email system in favor of Gmail. These aren’t pure play government cloud computing efforts but they do represent a growing trend. It is likely that more and more service providers will develop specific SaaS applications for the public sector and they will need servers, networks, storage, and virtualization when they do.

The common theme here is that net-new infrastructure presents the biggest short term opportunity for Cisco, EMC, and VMware and that a lot of this activity is occurring in the public sector. This trend will only accelerate as more stimulus dollars flow to IT projects and/or some type of healthcare reform legislation gets passed.

Cisco, EMC, and VMware are leading enterprise companies but so are competitors like HP and IBM. What’s more, technology migration is always ugly. Yes, these three must enter these knife fights together but a public-sector push may be more fruitful while the private sector sorts out this whole nebulous cloud thing over time.

© 2011 Enterprise Strategy Group, Milford, MA 01757