Friday, April 10, 2020

Prioritizing Security When Selecting A Video Conferencing Solution...

Originally posted at the EMA blog site. You can find it here.

Before the recent COVID-19 pandemic, most companies looked at unified communications and collaboration (UC&C) solutions as a “nice to have” technology, often used by sales and marketing teams as part of their process and certainly not a critical part of the business infrastructure. With Work From Home (WFH) becoming the mandated norm, businesses have come to look at their UC&C solution as a mission-critical tool, allowing managers and leaders to communicate with their employees, and allowing employees to try to conduct some semblance of normal business.

All things being equal, businesses would do well to use or augment their existing infrastructure for video conferencing. Those licenses have likely been purchased, and it makes sense to continue to use products that people are already trained to use.

But things are not equal.

In the weeks since the pandemic spread and the various states mandated stay-at-home orders, there have been plenty of news reports demonstrating that not all UC&C solutions are created the same. That isn’t to say that some of the solutions are “bad”, but I believe it is fair to say that some have differing priorities when it comes to what is most important in their software lifecycle.

For businesses and enterprises looking for a unified communications and collaboration solution, security should be the foundation upon which enterprise and productivity applications are built. For complete transparency – these are the criteria I have personally used in my previous IT and security roles before becoming a security researcher.

Functionality / Features

This may be the most obviously important factor, but it is also the “table stakes” criterion. The solution needs to be able to connect and host video conferences, without failures, latency, and delays (this was a significant problem for many, if not most, of the providers immediately after the WFH and virtual classes began). Call recording, screen share and recorded chat are all necessary, as are presenter controls and dial-in options. From there, the sky is the limit, though virtual lobbies, third party integrations (with Outlook and video systems) and virtual whiteboards are differentiators.

Usability / Interface

A good video conferencing solution must be easy to use on pretty much any device. The interface should be intuitive, and a client should be available for any / every platform. Most of the solutions will claim they can be used on every kind of device through their web portal. This is likely true, but most solutions require a client to take advantage of all of the solution features, and there may be security concerns with a web-based or web-only solution.


There are generally two types of pricing: free and licensed cost. The licensed solutions run the gamut in pricing, based on number of meeting participants, geographic scope (paying for international dial-in numbers), length of meetings and number of enterprise users. Many of the licensed solutions offer a free or trial version, with limited functions, participants, meeting length and very little in the way of support.


Last on this list is the security of the UC&C solution. Security is the foremost consideration in choosing a UC&C solution, after moving past the standard feature checklist (which the top solutions nearly all have in common).

Finding a UC&C solution that protects your employees and enterprise is the best way to narrow down the list:

- Secured Out of the Box: Many of the UC&C solutions on the market concentrate on the user experience and interface at the expense of security. And when they “discover” security as a priority, it comes from bolt on fixes and patches, requiring updates and procedural changes. Look for a solution that has a track record as a security leader in the industry, with a platform of millions of secured installs and a commitment to focus on security first.

- Support is Critical: Many of the UC&C solutions provide little in the way of support, and the free solutions generally provide none. An enterprise-ready UC&C solution should have proven and dedicated support, able to respond to requests. Given how mission critical UC&C solutions have become, examine the company’s ability to respond to vulnerabilities and the time it takes to resolve its security gaps.

- Addressing Data Privacy: How is the data transmitted and communicated within a session stored, maintained, and used? Are the chats kept private? Is the information encrypted when stored? Is the session encrypted? Can anyone just “boom” an open session? As information technology professionals, we are all aware of the necessity of maintaining data security and data privacy, and many enterprises have engaged in data privacy projects and campaigns before the pandemic outbreak. Enterprises cannot abandon their data privacy efforts because of the pandemic, and must ensure that their UC&C solution is aligned to their data privacy goals.

- Newer is NOT Better: There are plenty of UC&C solutions on the market today, but some are literally in their infancy as far as install base and working out the bugs, while several have been the leaders in the industry – in some cases before there WAS an industry. Those solutions that have an established track record of success and stability are always worth considering when making an investment in mission-critical infrastructure. Plus, it gives comfort to management and executives knowing that they are selecting a proven solution.

Never has there been a time when a Unified Communications and Collaboration solution has been so critical to the success of the enterprise. Understandably, there is an immediate need to select and deploy this type of solution to meet the business need and for companies to keep their doors open during this crisis. But IT and security managers would do well to choose their UC&C solution carefully, focusing on the security that the solution provides instead of the shiny bells and whistles.

Friday, March 13, 2020

Righting a Wrong: IBM is a Leader in the Cloud...

Year after year, the various media outlets release their report on the cloud: who does this or that, security breaches here and there (and who is/is not to blame), and the quasi-regular report of cloud services market share. And every year, there is some controversy as to who has the largest share of what. It is pretty obvious—based on whatever metric that one may use—that AWS is the market share leader in overall cloud services consumption. Great for them: it has democratized the cloud and cloud technologies, bringing an affordable, basic cloud solution to everyone. Second is Microsoft, with their Azure offering. They are doing some interesting things with their cloud solution and continue to gain market share (usually from AWS) with innovation and capabilities.

Despite what some may want you to believe, the cloud is not a “two offerings only” show. There are plenty of other vendors doing extremely interesting things with their cloud offerings. IBM was recently featured in an article from Bloomberg news discussing their place in the market, and I wanted to offer an alternative to some of the views discussed in that article.

First, the concept of market share based on sales reporting is outdated. Arguably, the way some analyst firms determine market share is based on an antiquated calculation of compute cycles purchased (or something equivalent), while excluding anything that may also contribute to the overall cloud solution. It was likely generated at a time when AWS was nearly the only player in the market, and AWS did not (and still does not) provide significant consulting services or integration services, making the number of compute cycles a relevant measure. Again, there is little doubt that AWS leads this market, but excluding the multitude of other offerings and services that IBM delivers to their cloud customers from the market share figure is wrong and arbitrarily dismisses the value of their cloud offering.

Second, there is even some dispute over the numbers included within the article. At the beginning of the article, the author claims that Google reported $9 billion in sales, while IBM reported $21 billion. But (much) later in the article, the author claims that only about half (I’ll use $10 billion for round numbers) of IBM’s reported cloud income comes from cloud sales, while Google’s $9 billion in revenues also includes their other, non-core cloud offerings (such as Gmail and Google Docs). So no matter how you parse the math, it appears that the traditional IBM cloud offering DOES outpace Google (IBM’s $10 billion > Google’s $9 billion), something that should have been mentioned right at the very beginning of the article.

Lastly, and likely the most important, is the IBM cloud offering itself. While I’m not trying to become part of the marketing team at Big Blue, their cloud solution vastly differs from those of Amazon, Microsoft, and Google. While AWS, Azure, and GCP provide cloud to the masses via point-and-click setup and deployment, they also have devised a barebones solution that allows pretty much anyone from any vertical of any size to get up and running on their cloud. The end configuration and compliance and everything else after the initial setup is the purview of the client or their third-party support. While this model may work for some, IBM has taken on the complete cloud solution: scoping, setup, implementation, migration, and maintenance. If the customer needs additional services related to their cloud, IBM is the full-stack solution that provides those services. Highly regulated environments (such as healthcare, financial services, etc.) have turned to IBM specifically because of this level of service and support.

The analyst community is often asked about “who is best” and “how does this impact our business.” Personally, I have advocated for the security benefits of ALL cloud solutions for years, as the cloud solutions provide better, more comprehensive security than most on-premises environments could ever hope to provide. It is also why it is important to understand that all of the cloud providers mentioned here give outstanding value to their customers. But I also believe that we need to compare apples to apples when looking at some of the claims in the market, and to revise our models to reflect how companies are actually consuming cloud services. The conclusions found in the Bloomberg article about IBM’s share of the cloud market are misleading, and readers would do well to get a perspective of the whole picture when making their cloud provider decisions.

Wednesday, May 8, 2019

How to Delete the Web Tracking Google is Keeping...

From an article located here. Take a quick moment and follow the instructions.

Google has begun rolling out a feature that allows you to configure how long it can save data from all of the Google services you use, like maps, search and everything you do online.

Until now, you had to manually delete this data or turn it off entirely. Deleting it means Google doesn’t always have enough information about you to make recommendations on what it thinks you’ll like, or where you might want to go.

Now, you can tell Google to automatically delete personal information after three months or 18 months. Here’s how you can do that.

Visit and log in if you haven’t already.
Choose “Data & Personalization” on the left-side panel.
Select the arrow next to “Web & App Activity.”
Choose “Manage Activity.”
Select “Choose to delete automatically.”
Select either 18 months or three months.

It isn't perfect, but it is better than nothing.  Pass this along to your friends and family.

Monday, January 28, 2019

Happy Data Privacy Day...

This blog was originally posted at the Cloud Native Digest. You can find it here.

It’s Data Privacy Day or, if you are part of the EU, Data Protection Day.

Data privacy and data protection have been top of mind for information security professionals for a number of years now. While the United States is paying greater attention to privacy legislation (California and several other states have various bills in process), the European Union has led the conversation with the General Data Protection Regulation (GDPR), enacted in May 2018.

Last week, the EU (specifically France) issued the first fines associated with a GDPR violation. While the tech company is going to appeal the finding, it is only the start of what will be many fines from EU nations in 2019 for GDPR infractions. Technology professionals will be watching the news to understand how these findings affect their enterprises, and possible steps that they will need to take to remediate violations proactively.

This might go without saying, but it is vitally important — personally and professionally — to make every effort to follow data protection best practices. Still, today is as good a day as any to remember that there are numerous tools and solutions available to help you do so.

That’s certainly true in the cloud. Never in the history of technology have companies paid more attention and spent more on resources to protect data.

The biggest companies in the public cloud space spend BILLIONS of dollars per year improving security controls and compliance standards. The environments that they provide serve as some of the most scrutinized and protected environments ever to exist — far more than the average company can possibly hope to achieve on its own. Companies moving to these sorts of environments not only stand to gain massive savings in costs and resources, but they also end up with an environment that is better, more secure, and easier to manage.

So, to observe the day, take a moment and try to understand what data you have available in digital form. Then, try to determine how that data is protected. You might be shocked at what you find.

Monday, November 5, 2018

Why Do I Write...

Recently, I was presented with a question: Why Do I Write? As a writer, I thought I would share my response.

Words offer the means to meaning, 

and for those who will listen, 
the enunciation of truth. 

- V, V For Vendetta

Everyone writes for the same reason – to communicate a thought, feeling or idea. It can be as simple as a text message, as complicated as a technical whitepaper or as elegant as Shakespearean verse. Yet all are used to communicate. Why do I write? At the most basic level, I write to communicate, and because I generally have things to say.
  • Writing is hard: Using the written word to express an idea is a difficult task. There is an aptitude for it, and it takes a certain amount of skill to convey an idea or emotion. I have never underestimated the skill of writing – it certainly does not come easy to most, and has not always come easy to me. You can always tell the skill level of a writer – how engaging it is, how it includes the reader, how it expresses the idea. None of these things are easy, but the best writers seem to have a way of producing words so that they flow onto the paper, and equally flow to the mind of the reader. 
  • Writing is challenging: Using words to express an emotion or to deliver a message is a challenge. It is a particular challenge that I enjoy, as it can be a powerful method of self-expression. Finding the right tone, finding the right words, narrowing your audience, and crafting a dialogue between the writer and the audience is as difficult as it is rewarding. I think we can all remember a time when we read something – maybe as simple as an article in the news – that was particularly moving or pertinent. Those that can accept the challenge of using words to communicate have a power that no one can take from them.
  • Writing is powerful: So many in the world do not have a voice. It is not because they do not have ideas, or have opinions to share. But they do not have a way to communicate those ideas in a way that is meaningful. I write because it is an outlet for me to express my thoughts and ideas, and – even occasionally – my emotions. I personally enjoy public speaking as well, but it is difficult to find an audience that is constantly available. Whereas writing is always – always available, always refreshing, always influencing. It becomes part of the record, regardless of how insignificant it may seem. Writing allows me to create a historical legacy.
I am privileged to have a profession where writing is an integrated part of the role. I spend hours every week sharing my thoughts about the latest in technical innovations, using words to describe the qualities or value of a particular technical solution. I get to shape my messages to specific audiences. And I know that my writing has an impact – literally tens of thousands of people read my written words every month.

Simply, I write because it is an extension of my abilities, my intellect and my soul.