bTrade’s services team routinely deals with a wide array of issues in connection with each deployment of its managed file transfer software solutions. One such issue, which affects organizations of all sizes, concerns how to structure all the hardware and software assets.
The discussion usually focuses on whether to deploy on-premise (“on-prem”) or move some or all of the IT infrastructure to “the cloud.” The principal difference between the two is how each is deployed. Cloud-based software is hosted on the vendor’s servers or a third party, whereas on-prem software is installed locally on an organization’s own computers and servers.
bTrade’s managed file transfer offerings are available for both on-prem and cloud deployments. In fact, some bTrade customers have deployed a “hybrid” system that utilizes both on-prem and cloud. For purposes of this post, MFT Nation will explore recent articles which touch upon two critical points to consider when deciding between on-prem and cloud, or some combination thereof.
When the push to the cloud began, the main reasons for moving were efficiency and cost savings. Many articles like this one continue to trumpet the virtues of cloud in terms of cost savings and efficiency. The author of the subject article pushes potential cost savings in a pitch of “pay less and get more.” The author also touts the efficiency of cloud solutions he claims can be “put to work with relative ease.” We need to temper the enthusiasm of the author, at least a bit, with a few IT realities.
The decision of whether and to what extent to move to the cloud is not done with “relative ease.” It is a complex task with many variables. And it is made all the more complicated by the overwhelming number of options, such as hybrid and multi-cloud approaches, which can blur the line between the cloud and on-prem deployment options.
As the number of cloud deployments has increased, so too have the related costs. Expect costs to continue increasing as the big boys—Amazon, Microsoft and Google, and to a lesser extent, Rackspace—dominate the market and limit competition. As a result, a cottage industry has developed with products/services designed to cut cloud costs. For example, one company touts its products’ ability to cut cloud costs “by up to 65% in a matter of minutes.” This confirms that cloud costs are increasing if a vendor is able to eliminate 65% of waste, and accomplish the task “in a matter of minutes.”
As for the promise of increased efficiencies, you should know that resources will still be needed to manage your cloud or multi-cloud infrastructure, including tracking/controlling cloud costs, gaining visibility and control of multi-cloud infrastructure, and eliminating wasted spend by right-sizing resources and terminating idle resources. And you may feel the need to invest a portion of your IT spend in products/services related to managing your cloud infrastructure.
An article caught our eye because it claims “the future of cybersecurity is in the cloud.” Really? In our experience, customers choose on-prem systems when cybersecurity is the paramount concern. Security considerations are always vital, but some industry sectors will not trust others with important data, such as the banking/financial services industry. Also, some IT pros, regardless of industry sector, have the same type of adverse reaction when it comes to trusting cloud vendors to safeguard crucial data.
The article’s author recognizes that there are “many opponents” of cloud security. He claims to be ex-FBI and says the FBI “feared the Internet so much that agency computers functioned solely on an isolated intranet connected via hard cables.” The author also concedes that “not all cloud services are equal in their dedication to security,” and he lists specific security problems with cloud services that have led to data breaches, such as “poor configuration,” lack of “strong authentication, encryption (both in transit and at rest) and audit logging,” “[f]ailure to isolate a user’s data from other tenants in a cloud environment together with privacy controls that are not robust enough to control access,” and “[f]ailure to maintain and patch to ensure that known flaws are not exploited in the cloud service.”
So why, you might ask, is the author nonetheless pushing the cloud as the “future of cybersecurity”? It should be noted that the author works for some type of cloud company, so we can assume he is biased in favor of the cloud. But basically, he believes “[t]he cloud can leverage big data and instant analytics over a large swath of end users to instantly address known threats and predict threats that seek to overwhelm security.” The article lacks any specifics about how this unidentified, nebulous super cloud will be able to accomplish the task of “predictive security.” And in any event, after all we’ve heard lately about the “Deep State” and how Facebook and other social media platforms are using (or misusing) customer data, we question whether anyone is excited about relying on some type of super cloud system to protect confidential data.
If you want to speak with bTrade’s data security experts about deployment models, please contact us at email@example.com. If you want to keep updated on developments in the world of secure file transfer and data security, follow us on Twitter, LinkedIn, and our blog MFT Nation.
This is a clever, well-written piece proffering six common sense steps to maintain good cyber hygiene: https://ubm.io/2KsxcMW. Of course you can find the same type of, but more detailed cyber hygiene advice from free government sources, like this one: https://lnkd.in/gF3U5Wa. Here’s another good government source for cyber hygiene as it relates to small businesses: https://bit.ly/1Mimb9p.
It’s been widely reported that the legal industry has been a slow adopter of cybersecurity measures. This article by Law.com is further proof of how primitive the industry is when it comes to cybersecurity: https://bit.ly/2HYBm0E. The article merely lists and then discusses in a superficial manner certain “basic cybersecurity measures” (which is the phrase used in the article) like antivirus and the need for encryption.
Instead of creating lists of “basic” cybersecurity measures, Law.com should point all legals to informative sources like @usnistgov and its Cybersecurity Framework: https://bit.ly/2ePWDZM, or @FTC and its small businesses resources: https://bit.ly/2Hv3zsv. And instead of spouting superficial cybersecurity tips like using encryption to protect data, Law.com should provide legals with useful information about a comprehensive, “managed” file transfer software that can address many cybersecurity needs: https://bit.ly/2b6amgC.
I enjoyed reading an article which addresses the recent cries to regulate Facebook in order to better protect users’ privacy. The author, Richard Jones of Dechert LLP, urges caution based on parallels between the “current kerfuffle over Facebook and privacy” and “the Dodd-Frank mess” that followed the Great Recession.
Jones says the Dodd-Frank regulatory scheme consisted of “faux solutions, air freshener wafting over the midden heap of a deeply damaged banking and capital formation sector.” The “faux solutions” were made in haste because of cries for regulation based on a “narrative that banks and bankers were bad and needed to be beaten regularly, made to disgorge billions of dollars for alleged bad conduct (and thereby damaging capital while at the same time we were trying to increase it) and needed to henceforth conform to an exhaustive and elaborate skein of rules and regulations that, in some chalkboard exercise we were assured, would make banking safer and perhaps even end the business cycle.”
Dodd-Frank didn’t make banking safer, but Jones observed that it did enrich the “legions of staff, lawyers and accountants” needed to navigate the maze of the regulations. Jones argues that the “Dodd-Frank regulatory torrent was ill-advised then and I am certain that the current cri de coeur for regulating the internet without further delay is ill-advised today.”
The crux of Jones’ argument for not regulating Facebook rests in the phrase, “Act in haste, repent at leisure.” Jones claims this phrase “is not just a hoary old dodge, but a fundamental truth.” Jones counsels everyone to pause and ponder a fundamental, common sense question: “What exactly does everyone mean by regulating the internet?” He then presents cogent, common sense points for exercising caution before hastily drafting a broad regulatory scheme, which he summarizes as follows: “Someone said we become insane collectively and regain our sanity one by one. Seems right. The internet is too important. Connectivity is too important. We can’t afford to embrace insanity and then wait for regrets.”
Please read Jones’ piece and let us know if you agree or disagree.
U.S. and UK cybersecurity authorities have issued a warning of another campaign by Russian state-sponsored hackers to target network infrastructure. Targets of the alleged Russian attacks are infrastructure devices at all levels, including routers, switches, firewalls, network intrusion detection systems and other devices supporting network operations. Once they gain access, hackers masquerade as privileged users and are able to modify the devices so they can copy or redirect traffic to Russian infrastructure.
It appears the Russian intrusions into US/UK networks were relatively easy to accomplish, and fairly hard to detect. Why? Because many networks have weak security: legacy, unencrypted protocols and service ports intended only for administrative use are left reachable.
Obviously, software updates and patches should be applied as soon as they’re available. Infrastructure equipment that can’t be updated should be replaced with equipment for which updates are available and which will be supported for a reasonable lifetime.
The US/UK cybersecurity agencies included a list of tips for potential attack targets, which means nearly any organization with a network:
- Don’t allow unencrypted management protocols, such as Telnet, to enter your organization from the internet. If SSH, HTTPS or TLS encryption is not possible, use a VPN.
- Do not allow internet access to the management interface of any network device. You should allow access from inside the network only from a white-listed device.
- Disable unencrypted protocols such as Telnet or SNMP v1 or v2. Retire legacy devices that cannot be configured with SNMP v3.
- Immediately change default passwords and enforce a strong password policy.
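The four tips above can be checked mechanically against a device configuration before it is pushed. The following is an added example, not code from the advisory or from bTrade: a small Python auditor run over constructed Cisco IOS-style configuration text. The hostnames, addresses, community strings and passwords in the two sample configs are made up, and the `audit` function, its `(tip, detail)` findings format and the 12-character length threshold are assumptions of this example.

```python
"""Audit a network-device configuration for the four hardening tips:
(1) no unencrypted management transports, (2) management interface
reachable only from white-listed sources, (3) no SNMP v1/v2c,
(4) no default or weak passwords.  Constructed example; Cisco IOS-style
syntax is used only as an illustration."""

# Constructed sample: a weak configuration exhibiting all four problems.
WEAK_CONFIG = """\
hostname edge-rtr-1
username admin password cisco
snmp-server community public RO
snmp-server community private RW
interface GigabitEthernet0/0
 description UPLINK-TO-INTERNET
 ip address 198.51.100.2 255.255.255.252
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed sample: the same device after applying the tips
# (SSH only, inbound access-class from a white-listed host, SNMPv3, hashed secret).
HARDENED_CONFIG = """\
hostname edge-rtr-1
username admin secret ChangeMe-Str0ng!Passphrase
no snmp-server community public
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha AuthPass123! priv aes 128 PrivPass123!
access-list 10 permit 10.0.0.5
interface GigabitEthernet0/0
 description UPLINK-TO-INTERNET
 ip address 198.51.100.2 255.255.255.252
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
"""

# Well-known factory/default credentials (illustrative list for this example).
DEFAULT_PASSWORDS = {"cisco", "admin", "password", "default"}
MIN_PASSWORD_LEN = 12  # assumed policy threshold for this example


def parse_blocks(config):
    """Split the config into (header, [indented child lines]) blocks.

    Top-level lines become headers with an empty child list, so every
    check can iterate over the same structure."""
    blocks = []
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def audit(config):
    """Return a list of (tip_number, detail) findings; an empty list is clean."""
    findings = []
    for header, children in parse_blocks(config):
        if header.startswith("line vty"):
            # Tip 1: Telnet (or 'all') on the management lines means cleartext admin.
            for child in children:
                if child.startswith("transport input"):
                    allowed = set(child.split()[2:])
                    if allowed & {"telnet", "all"}:
                        findings.append((1, f"{header}: '{child}' permits unencrypted Telnet"))
            # Tip 2: without an inbound access-class any source may reach the CLI.
            if not any(c.startswith("access-class") and c.split()[-1] == "in" for c in children):
                findings.append((2, f"{header}: no inbound access-class limiting management sources"))
        elif header.startswith("snmp-server community"):
            # Tip 3: a community string is SNMP v1/v2c; SNMPv3 uses groups/users instead.
            findings.append((3, f"'{header}': SNMP v1/v2c community string; migrate to SNMPv3"))
        elif header.startswith(("username", "enable")):
            # Tip 4: 'password' keeps a plaintext/reversible value; check it is not a default.
            parts = header.split()
            if "password" in parts:
                candidate = parts[-1]
                if candidate.lower() in DEFAULT_PASSWORDS:
                    findings.append((4, f"'{header}': well-known default password"))
                elif len(candidate) < MIN_PASSWORD_LEN:
                    findings.append((4, f"'{header}': password shorter than {MIN_PASSWORD_LEN} characters"))
    return findings


def failed_tips(config):
    """Sorted list of the tip numbers a configuration violates."""
    return sorted({tip for tip, _ in audit(config)})


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: tips failed {failed_tips(cfg)}")
        for tip, detail in audit(cfg):
            print(f"  [tip {tip}] {detail}")
```

Run as a script it prints the findings for both samples; in a deployment pipeline the same `audit` call can gate a config push, and the `(tip, detail)` pairs map directly back to the four advisory items so a reviewer sees which guidance each finding violates.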
The National Institute of Standards and Technology (NIST) released Version 1.1 of its widely known Cybersecurity Framework, which incorporates changes based on 2 years of public feedback: https://lnkd.in/gBi3sG3. The Cybersecurity Framework compiles effective cybersecurity standards, guidelines, and practices into one framework. The new version of the Cybersecurity Framework includes updates on authentication and identity; self-assessing cybersecurity risk; managing cybersecurity within the supply chain; and vulnerability disclosure.
When an organization does infosec planning, one decision involves whether to run software on-premise, in the cloud, or in a hybrid model. At a recent round-table discussion involving infosec pros from financial services organizations, a variety of opinions were proffered regarding the different deployment models, which is consistent with what we hear from bTrade customers.
For example, an infosec pro from ABN AMRO Bank said a public cloud is “a no-go” for him because he cannot “control it” and does not “know who has access to the data,” which is what we often hear from large organizations in the bTrade community. Another infosec pro from AXA uses a hybrid deployment because a public cloud works best for certain situations, like “processing data quickly for real-time services,” but they “constantly check what kind of data can be stored in the cloud, even after it is anonymized.”
If you want to learn about deployment models for bTrade software solutions, please contact us at firstname.lastname@example.org. If you want to keep updated on developments in the world of secure file transfer and data security, follow us on Twitter, Facebook, LinkedIn, Google+, and our blog MFT Nation.
Another good tip about ransomware–an insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them–from @FBI: Create/test a solid business continuity plan in the event of an attack. According to @FBI, nothing will completely protect your organization from a ransomware attack, so contingency and remediation planning is crucial to business recovery and continuity, and these plans should be tested regularly.