May 14, 2015

Quentin Clark: SAP CTO. Technical helmsman. Runner.
"I think, as an industry, we're really only at the beginning of understanding how the cloud will dramatically change how businesses exist going forward," Clark said. Cloud technology has transformed the technology industry in two ways, Clark said. The first is in the delivery model. A lot of the early success of the cloud has to do with this model -- just think about how software, infrastructure, backend, and databases are delivered "as a service" now. It doesn't alter the foundational capability of the company, he said, but it does change how the company spends its energy and maintains its tools, which is still important. The second shift comes from the things cloud computing has uniquely created and how they are altering the products and industries around them.

Cybersecurity Education Receives a Makeover
In part, experts say, it is society’s fault as people’s increasing desire and dependence on technology make it easier for criminals to hack their way toward profitable endeavors. “We certainly are in an area right now that has seen explosive growth with the Internet, but more importantly, we have, quite frankly, put our lives and our economy and our ways of interacting with business and friends and colleagues and everything into this digital world,” says Rob Roy, federal chief technology officer with HP Enterprise Security Products. “Sensitive information, intellectual property, financial information—that’s all in this brave new world that we’re living in, and it becomes extremely attractive to the three primary groups or individuals who want to use it for bad purposes.”

New Revenue Recognition Rules Require Software
There is a natural relation between principles-based accounting standards and software. In addition to ensuring consistency in treatment and facilitating governance and control, software also is capable of automating the process of presenting a company’s results from multiple perspectives in a consistent fashion. This is important because many companies will find that their statutory books alone will not provide the right numbers to manage their business. Although public company managements will want to see how their numbers look to Wall Street, they may find that these figures are inconsistent with business practices required to achieve sustainable long-term objectives. Software can systematize the simultaneous translation of events into increasingly divergent financial and management accounting contexts.

Are you the wrong type of “engaged” leader?
After all, when leaders consistently connect with their team members in a positive way, they create an environment of open communication. This connectivity has positive business results as well: the DDI survey indicated that “plugged in” leaders had three times less turnover and 83% led their teams to exceed their productivity goals. Yet there’s an irony at play. Consider for a moment two possible meanings of the word “engaged.” One is: to be thoroughly involved, as in, “the employees were highly engaged in the customer service rollout.” Then there is “busy or otherwise occupied.” In order to have the first type of engagement with your team, as a leader it’s necessary to forgo the second. Leadership places many demands on you; are you sending “I’m too busy” signals without knowing it?

The cybersecurity talent war you don't hear about
Finding the right Internet security guru can be as much a challenge as keeping your corporate data safe. Up to now, the hiring process for highly-skilled software engineers has often been haphazard, with some companies putting candidates through as many as 10 interviews, sometimes led by people without the skills to judge a candidate's talents. ... "We recruit global security researchers," said Kaplan. Like HackerRank, Synack tests candidates for the specific skills customers are seeking and does a thorough vetting, including face-to-face interviews. A test might consist of finding known vulnerabilities in a mock mobile-banking application. "This lets us determine if they are as good as they say," said Kaplan. "We weed out over 80 percent of candidates."

Fujitsu pushes wearable IoT tags that detect falls, heat stress
“These sensors stand out for the many business apps such as medicine or security that are easily incorporated through our cloud solutions,” said Tatsuhiro Ohira, a general manager in Fujitsu’s Ubiquitous Business Strategy Unit. As an extension of a company’s awareness of its staff, the tags could raise privacy concerns. Fujitsu said the wristbands could also be used to estimate whether the wearer is taking breaks, or to help manage workers’ health. The sensors are to be rolled out beginning in December but the cost has not been determined yet, Ohira said. Ubiquitousware has also been implemented in the latest version of Fujitsu’s head-mounted display for workers. The device has a 0.4-inch display in front of one eye for looking at assembly manuals, as well as a camera, microphones and sensors such as an accelerometer to detect falls.

Venom vulnerability bares its fangs: Protect your data center with these patches
According to Petr Matousek at Red Hat, "This flaw arises because of an unrestricted indexed write access to the fixed size FIFO memory buffer that FDC emulation layer uses to store commands and their parameters." Some commands in QEMU's virtual FDC fail to reset the index in a timely manner, or even at all -- in which case, further writes made to the FDC can become out-of-bounds. As the attacker has full control over the stored values and nearly full control of the write length, this can be exploited to allow arbitrary commands to be executed from inside the host virtualization process. Of particular importance, this vulnerability is independent of both the host and guest operating systems. Linux guests would require root access to interact with the FDC, and thereby exploit the vulnerability.
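The defect described above is a fixed-size command FIFO whose write index is not bounds-checked and, on some command paths, never reset. The following C snippet is an added illustration of the two defensive properties a fix needs (reject a write once the index reaches the buffer size, and reset the index on every command-completion path); it is constructed for this page and is not QEMU's code. The struct, the 10-byte buffer size and the function names are assumptions chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the constructed command FIFO (illustrative size, not QEMU's). */
#define FDC_FIFO_SIZE 10

typedef struct {
    uint8_t fifo[FDC_FIFO_SIZE];
    size_t  index;   /* next write position; must stay below FDC_FIFO_SIZE */
} fdc_state;

void fdc_init(fdc_state *s) { memset(s, 0, sizeof *s); }

/* Bounded write: refuses the byte instead of writing past the buffer.
   Returns 0 on success, -1 when the FIFO is already full. */
int fdc_fifo_write(fdc_state *s, uint8_t value) {
    if (s->index >= FDC_FIFO_SIZE) {
        return -1;
    }
    s->fifo[s->index++] = value;
    return 0;
}

/* Every command path, including ones that finish early, must call this so the
   index is reset before the next command's bytes arrive. */
void fdc_command_done(fdc_state *s) {
    s->index = 0;
}

/* Feed a command stream of `len` bytes; returns how many writes were refused. */
size_t fdc_feed(fdc_state *s, const uint8_t *bytes, size_t len) {
    size_t rejected = 0;
    for (size_t i = 0; i < len; i++) {
        if (fdc_fifo_write(s, bytes[i]) != 0) {
            rejected++;
        }
    }
    return rejected;
}

/* Scenario 1 (constructed input): 12 bytes sent at a 10-byte FIFO.
   With the bounds check, exactly 2 bytes are refused and nothing is overwritten. */
size_t fdc_demo_overlong_command(void) {
    fdc_state s;
    fdc_init(&s);
    uint8_t cmd[12];
    memset(cmd, 0xAA, sizeof cmd);
    return fdc_feed(&s, cmd, sizeof cmd);
}

/* Scenario 2 (constructed input): fill the FIFO exactly, confirm it refuses one
   more byte, then complete the command and confirm capacity is restored.
   Returns 1 when both properties hold, 0 otherwise. */
int fdc_demo_reset_restores_capacity(void) {
    fdc_state s;
    fdc_init(&s);
    uint8_t cmd[FDC_FIFO_SIZE];
    memset(cmd, 0x55, sizeof cmd);
    fdc_feed(&s, cmd, sizeof cmd);              /* index == FDC_FIFO_SIZE */
    if (fdc_fifo_write(&s, 0x01) != -1) {       /* full: must refuse */
        return 0;
    }
    fdc_command_done(&s);                       /* the reset the page says some paths skip */
    return fdc_fifo_write(&s, 0x01) == 0 && s.index == 1;
}

int main(void) {
    printf("refused writes on overlong command: %zu\n", fdc_demo_overlong_command());
    printf("reset restores capacity: %d\n", fdc_demo_reset_restores_capacity());
    return 0;
}
```

The check in fdc_fifo_write is what makes the write length controllable without consequence: extra bytes are dropped rather than landing past the buffer. fdc_command_done models the second half of the fix, since a bounds check alone would leave the FIFO stuck at "full" whenever a command path forgot to reset the index.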

Surprise: More Cloud Benefits Are Emerging
Significant organizational efficiencies start when a company goes from managing different technology architectures (Wintel, Linux, RISC-based Unix, disk storage, tape storage, etc.) to simply managing the cloud. Though the streamlining of architecture management may not be significant during initial adoption, it becomes more noticeable as larger portions of the IT infrastructure have migrated. The further an enterprise moves toward a full cloud migration, the more benefits it will reap from managing an increasingly simplified and homogenized environment. Some of the earliest adopters of public IaaS, particularly those in industries not subject to heavy security and regulatory requirements, are seeing significant reductions in staffing, not all of which were obvious when they were writing that first cloud business case.

CIO interview: Hans-Petter Aanby, Scandinavian Airlines
All our infrastructure is new, including a new datacentre in Aarhus run by Danish communications provider TDC.” Not everything can be handled by external service providers though. “It is difficult to outsource the technical expertise required for airline-specific systems such as Amadeus – for reservations – and flight operations systems," says Aanby. "It makes sense for us to retain that technical expertise in-house.” He says SAS’s membership of the industry network Star Alliance adds challenges when changing systems. “Although being part of Star Alliance is an important strategic move for the company, it adds to the complexity within IT. To change one of the shared products, we must discuss specifications with 26 other airlines."

Applying the Irari Rules to a risk-based security program
The Irari Rules are intended to give someone with minimal technical competence — as is the case with most people in the media — the ability to ask, “Does this attack really meet the criteria of a ‘sophisticated’ attack? Was this an unpreventable attack, or the sign of an unsophisticated security program?” And though the Irari Rules don’t specifically take risk into account, a security professional looking at them should evaluate which of the countermeasures implied by the rules are really too difficult or too expensive to implement. Keeping anti-malware signatures up to date? Having a good password policy? Having proper network segmentation? When looked at that way, we would argue, most of the implied countermeasures should be mandatory.

Quote for the day:

“Successful leaders see the opportunities in every difficulty rather than the difficulty in every opportunity.” -- Reed Markham