Friday, April 10, 2020

Prioritizing Security When Selecting A Video Conferencing Solution...

Originally posted at the EMA blog site. You can find it here.

Before the recent CoVID -19 pandemic, most companies have looked at unified communications and collaborations (UC&C) solutions as a “nice to have” technology, often used by sales and marketing teams as part of their process and certainly not a critical part of the business infrastructure. With Work From Home (WFH) becoming the mandated norm, businesses have come to look at their UC&C solution as a mission critical tool, allowing managers and leaders to communicate with their employees, and allowing employees to try to conduct some semblance of normal business.

All things being equal, businesses would do well to use or augment their existing infrastructure for video conferencing. Those licenses have likely been purchased, and it makes sense to continue to use products that people are already trained to use.

But things are not equal.

In the past weeks since the pandemic has spread, and the various states have mandated stay at home orders, there have been plenty of news reports demonstrating that not all of the UC&C solutions are created the same. Which isn’t to say that some of the solutions are “bad”, but I believe it is fair to say that some have differing priorities when it comes to what is most important in their software lifecycle.

For businesses and enterprises looking for a unified communications and collaboration solution, security should be the starting point in which enterprise and productivity applications are built upon.  For complete transparency – these are the criteria I have personally used in my previous IT and security roles before becoming a security researcher.

Functionality / Features

This may be the most obviously important factor, but it is also the “table stakes” criteria. The solution needs to be able to connect and host video conferences, without failures, latency, and delays (this was a significant problem for many, if not most, of the providers immediately after the WFH and virtual classes began). Call recording, screen share and recorded chat are all necessary, as are presenter controls and dial-in options. From there, the sky is the limit, though virtual lobbies, third party integrations (with Outlook and video systems) and virtual whiteboards are differentiators.

Usability / Interface

A good video conferencing solution must be easy to use on pretty much any device. The interface should be intuitive, and a client should be available for any / every platform. Most of the solutions will claim they can be used on every kind of device through their web portal. This is likely true, but most solutions require a client to take advantage of all of the solution features, and there may be security concerns with a web-based or web-only solution.

Cost

There are generally two types of pricing: free and licensed cost. The licensed solutions run the gambit in pricing, based on number of meeting participants, geographic scope (paying for international dial-in numbers), length of meetings and number of enterprise users. Many of the licensed solutions offer a free or trial, with limited functions, participants, meeting length and very little in the way of support. 

Security

Last on this list is the security of the UC&C solution. Security is the foremost consideration in choosing a UC&C solution, after moving past the standard feature checklist (in which the top solutions nearly all have in common).

Finding a UC&C solution that protects your employees and enterprise is the best way to narrow down the list:

- Secured Out of the Box: Many of the UC&C solutions on the market concentrate on the user experience and interface at the expense of security. And when they “discover” security as a priority, it comes from bolt on fixes and patches, requiring updates and procedural changes. Look for a solution that has a track record as a security leader in the industry, with a platform of millions of secured installs and a commitment to focus on security first.

- Support is Critical: Many of the UC&C solutions provide little in the way of support, and the free solutions generally providing none.  An enterprise ready UC&C solution should have proven and dedicated support, able to respond to requests. When considering the mission critical nature that the UC&C solutions have become, examine the company’s ability to respond to vulnerabilities and response times to resolve their security gaps. 

- Addressing Data Privacy: How is the data transmitted and communicated within a session stored, maintained, and used? Are the chats kept private? Is the information encrypted when stored? Is the session encrypted? Can anyone just “boom” an open session? As information technology professionals, we are all aware of the necessity of maintaining data security and data privacy, and many enterprises have engaged in data privacy projects and campaigns before the pandemic outbreak. Enterprises cannot abandon their data privacy efforts because of the pandemic, and must ensure that their UC&C solution is aligned to their data privacy goals.

- Newer is NOT Better: There are plenty of UC&C solutions on the market today, but some are literally in their infancy as far as install base and working out the bugs, while several have been the leaders in the industry – in some cases before there WAS an industry. Those solution that have an established track record of success and stability are always worth considering when making an investment in mission critical infrastructure. Plus, it gives comfort to management and executives knowing that they are selecting a proven solution.

Never has there been a time when a Unified Communications and Collaboration solution has been so critical to the success of the enterprise. Understandably, there is an immediate need to select and deploy this type of solution to meet the business need and for companies to keep their doors open during this crisis. But IT and security managers would do well to choose their UC&C solution carefully, focusing on the security that the solution provides instead of the shiny bells and whistles.

Friday, March 13, 2020

Righting a Wrong: IBM is a Leader in the Cloud...

Year after year, the various media outlets release their report on the cloud: who does this or that, security breaches here and there (and who is/is not to blame), and the quasi-regular report of cloud services market share. And every year, there is some controversy as to who has the largest share of what. It is pretty obvious—based on whatever metric that one may use—that AWS is the market share leader in overall cloud services consumption. Great for them: it has democratized the cloud and cloud technologies, bringing an affordable, basic cloud solution to everyone. Second is Microsoft, with their Azure offering. They are doing some interesting things with their cloud solution and continue to gain market share (usually from AWS) with innovation and capabilities.

Despite what some may want you to believe, the cloud is not a “two offerings only” show. There are plenty of other vendors doing extremely interesting things with their cloud offerings. IBM was recently featured in an article from Bloomberg news discussing their place in the market, and I wanted to offer an alternative to some of the views discussed in that article.

First, the concept of market share based on sales reporting is outdated. Arguably, the way some analysts firms determine market share is based on an antiquated calculation of compute cycles purchased (or something equivalent), while excluding anything that may also contribute to the overall cloud solution. It was likely generated at a time when AWS was nearly the only player in the market, and AWS did not (and still does not) provide significant consulting services or integration services, making the number of compute cycles a relevant measure. Again, there is little doubt that AWS leads this market, but excluding the multitude of other offerings and services that IBM delivers to their cloud customers from the market share figure is wrong and arbitrarily dismisses the value of their cloud offering.

Second, there is even some dispute over the numbers included within the article. At the beginning of the article, the author claims that Google reported $9 billion in sales, while IBM reported $21 billion. But (much) later in the article, the author claims that only about half (I’ll use $10 billion for round numbers) of IBM reported that cloud income comes from cloud sales, while Google’s $9 billion in revenues also include their other, non-core cloud offerings (such as Gmail and Google Docs). So no matter how you parse the math, it appears that the traditional IBM cloud offering DOES outpace Google (IBM’s $10 billion > Google’s $9 billion), something that should have been mentioned right at the very beginning of the article.

Lastly, and likely the most important, is the IBM cloud offering itself. While I’m not trying to become part of the marketing team at Big Blue, their cloud solution vastly differs from Amazon, Microsoft, and Google. While AWS, Azure, and GCP provide cloud to the masses via point-and-click setup and deployment, they also have devised a barebones solution that allows pretty much anyone from any vertical of any size to get up and running on their cloud. The end configuration and compliance and everything else after the initial setup is the purview of the client or their third-party support. While this model may work for some, IBM has taken the complete cloud solution: scoping, setup, implementation, migration, and maintenance. If the customer needs additional services related to their cloud, IBM is the full-stack solution that provides those services. Highly regulated environments (such as healthcare, financial services, etc.) have turned to IBM specifically because of this level of service and support.

The analyst community is often asked about “who is best” and “how does this impact our business.” Personally, I have advocated for the security benefits of ALL cloud solutions for years, as the cloud solutions provide better, more comprehensive security than most on-premises environments could ever hope to provide. It is also why it is important to understand that all of the cloud providers mentioned here give outstanding value to their customers. But I also believe that we need to compare apples to apples when looking at some of the claims in the market, and to revise our models to reflect how companies are actually consuming cloud services. The conclusions found in the Bloomberg article about IBM’s share of the cloud market are misleading, and readers would do well to get a perspective of the whole picture when making their cloud provider decisions.