Webtorials tag:www.webtorials.com,2009-12-14:/content//7 2012-05-17T08:59:14Z Movable Type Pro 4.32-en Why Cloud Computing Needs a Cloud-Intelligent Network tag:www.webtorials.com,2012:/content//7.1417 2012-05-17T08:53:22Z 2012-05-17T08:59:14Z ZK Research on behalf of Cisco Systems... Webtorials http://www.webtorials.com/mt/mt-cp.cgi?__mode=view&blog_id=7&id=12
  • ZK Research on behalf of Cisco Systems
    • ]]> Cloud computing has been on the horizon of most CIOs for the better part of half a decade. Cloud computing represents the next evolutionary step for computing. Decades ago, the mainframe era kicked off computing. This phase lasted about 20 years, eventually giving way to the client/server era. Organizations began to locate more employees in branch offices, giving rise to Internet computing. Now the industry finds itself in the midst of another transformation -- the shift to cloud computing.

    Download Paper
    ]]>     Telecom Contracts: Dodging the Potholes tag:www.webtorials.com,2012:/content//7.1415 2012-05-16T13:39:25Z 2012-05-16T13:42:20Z A TechNote on Unified CommunicationsGary Audin, Delphi, Inc.... Gary Audin, Delphi, Inc. http://www.webtorials.com/mt/mt-cp.cgi?__mode=view&blog_id=7&id=137
  • A TechNote on Unified Communications
  • Gary Audin, Delphi, Inc.
    • ]]> Have you ever read your telecom contract? Did you understand it? Does it seem fair and balanced? If you answered "no" to any of these questions, you might have unwittingly opened your company up to some big contract problems. Contract terms and conditions for payment and commitments are riddled with potholes for the enterprise. Let the buyer beware, for the agreements are typically biased toward the vendor. Contract Fairness UCTNMay14-ART.jpgContract fairness was one of the major topics presented last week at the Center for Communications Management Information (CCMI) Telecom Negotiation Conference in Washington, D.C. Hank Levine, founding partner in the communications and technology law firm Levine, Blaszak, Block & Boothby, LLP (LB3), revealed a series of "gotchas" that can be mitigated by judicious negotiations with the telecom carrier. Levine's starting point was this equation: Good RFP + Bad Contract = Bad Deal While a good request for proposal (RFP) can spell out what the enterprise wants, said Levine, it in no way guarantees that what is requested is what will be delivered. And, once the price is set, negotiations are not necessarily finished. A carrier will commonly offer short standard contract forms regardless of what the RFP specifies. This is usually very unfavorable to the enterprise. Rather than the verbally agreed-upon terms, the contract will include terms that the enterprise never agreed to or even knew about during the procurement process, Levine warned. The forms will include capitalized terms ("Line" vs. "line," "Termination" vs. "termination," for example) that the vendor defines very differently from the way the enterprise might assume. So the enterprise must learn the vendor definitions, not use its own definitions, to understand the contract. Service Guide Trumps All All vendors use a master agreement structure. At the bottom is the service guide, which can be hundreds of pages long. Above that are the general terms and conditions. At the top are the rates, service-level agreements (SLAs) and other service-specific terms spelled out in attachments, exhibits and schedules. The enterprise negotiator needs to understand that the service guide overrides everything else. For example: If the negotiated portions of the contract are silent on a given issue, then the service guide provisions will apply. If a term or condition is removed from the contract but is in the service guide, the provision removal is not valid. This could apply to contract renewal or even individual circuit terms. Resolving an issue in the master agreement will not end the matter if the vendor's version comes back via an attachment. This could mean that the vendor can use the enterprise's logo, trademarks, trade names and service marks in the vendor's internal and external communications - even against the enterprise's wishes. Ensuring Rate Stability The enterprise enters into a contract for services with the expectation rate stability during the contract term. About 80 percent of purchased services can be stabilized by: Setting out the rates in the contract. Ensuring rate descriptions are NOT defined as "illustrative" or "current." If these terms are used, there is no guarantee of rate stability. Avoiding discounts off the service guide rates. These can be changed without the enterprise's consent and will usually increase over time. In international agreements, ensuring that the vendor cannot move a customer from a low- to high-priced zone or band. Insist on Rate Reviews The contract should have a provision for rate reviews, with clauses that give the vendor an incentive to keep rates competitive and give the enterprise an incentive to set realistic expectations. Read the review clauses carefully, for they can be obtuse and hard to comprehend. In fact, once the complex language is removed, it is more than likely that the enterprise will have a guarantee of nothing. Something to watch out for: sometimes a contract will allow the enterprise to request an increase in commitment in return for a capped temporary rate reduction. However, a very short decision time for the commitment could be difficult for the enterprise to meet, thereby eliminating the cap.
    ]]>     Unified Communications and WAN Performance - A Delicate Balance tag:www.webtorials.com,2002:/content//7.1380 2012-05-15T20:11:03Z 2012-05-11T22:06:56Z Béatrice PIQUER DURANDIpanema Technologies... Steven Taylor http://www.webtorials.com/mt/mt-cp.cgi?__mode=view&blog_id=7&id=10
  • Béatrice PIQUER DURAND
  • Ipanema Technologies
    • ]]> (Sponsor-Contributed Paper)

    Unified communications (UC) offers significant opportunities for enterprises to improve productivity, foster collaboration among employees and increase customer satisfaction. Ultimately, UC can lead to higher profits by delivering more efficient teamwork and a greater competitive advantage. 

    But UC comes with its own distinct challenges.  If these challenges aren't addressed and overcome, the UC project will not yield its anticipated return on investment (ROI). The primary challenges are:
    • UC implementations are a significant investment. If they are to deliver a strong ROI and a suitable user experience, UC performance must be guaranteed. This is challenging because UC among users and resources in geographically dispersed sites rely heavily on the wide-area network (WAN) which is a shared resource, hard to control.
    • UC comprises data, video and voice flows with dynamic, variable traffic patterns that grow or subside based on user demand. This makes capacity planning difficult. If not managed properly, not only UC applications can perform poorly but they are likely to impact the performance of other business-critical applications during peak traffic periods.
    • UC encourages desktop-to-desktop video communication, which can considerably boost productivity. However, video can place enormous strain on inter-branch WAN links that carry this traffic. A single desktop video flow often requires 300Kbps to 500Kbps between branch office sites, for example. Together, many such flows can consume considerable bandwidth. 
    Just adding bandwidth will not solve all the problems and traditional classes of service (CoS) are too static to match such complex traffic situations, thus putting overall business application performance at risk.

    Advanced Application Performance Management Meets these Challenges

    Advanced application performance management systems are able to overcome these challenges. They identify specific traffic types and dynamically adjust network behavior and resources to the exact application traffic demand. This way, bandwidth can "expand and contract" as needed to ensure continued performance of all applications on the network.

    Enterprises deploying UC expect to cut their legacy enterprise voice systems costs in half through the use of conferencing, instant messaging, internal voice, integrated administration, lower long-distance charges and other measures. But they need to ensure that the replacement system works reliably. This is where advanced application performance management becomes necessary. 

    What is the TCO for unified communications?  Recent research about UC deployments from industry-leading UC suppliers like Avaya, Cisco, Microsoft and ShoreTel demonstrated an average total cost of ownership (TCO) of $30 to $40 per user per month, excluding WAN circuit costs and long-distance charges. 

    Looking at this from another perspective, consider a 20-person branch office of a company with 5,000 employees in the professional services industry that is deploying UC. The company has an IT (not just UC) budget aligned to its industry standard: $975/user/month, of which $320/user/month is allocated to applications. 

    So the key is to make sure that this investment in IT is optimized and protected.  Advanced application performance management will:
    1. Guarantee the quality of the UC applications (an investment of $30 to $40/user/month as noted above); 
    2. Protect the performance of the other business-critical applications (ERP, CRM, file sharing, cloud apps, Internet and so forth) against resource-intensive UC (an average investment of $320/user/month as noted above); 
    3. Automate incident prevention, better help desk productivity and IT governance, and delay bandwidth upgrades by a few years, which we estimate to be an average saving of $30/user/month.
    To realize this protection, the typical TCO for an advanced application performance management solution from Ipanema, called the nano|engine, is $3.00 per user per month for the prototypical branch office described above. That cost includes central devices, management operations expenses and unforeseen project incidents.

    The investment of $3.00/user/month saves $30/user/month while protecting services costing more than $300 per month.

    The Bottom Line

    Not deploying advanced application performance management systems in the branch jeopardizes not only the success of UC deployment but also the performance of the other business applications. Unsatisfied users and business managers are likely to complain, lowering UC adoption and forcing IT to upgrade the WAN at a high cost. IT can't be entirely sure of the impact of the WAN upgrade, given that "throwing bandwidth at the problem" isn't sufficient when it comes to delay-sensitive voice and video applications.

    Because it can control WAN network behavior based on application type and do so dynamically, intelligent WAN management is a critical component to successful UC implementations. It helps ensure that UC implementations deliver the benefits they promise by meeting the challenges they present to the corporate network.

    ]]>     Careful: 4G Could Fuel Data Overages tag:www.webtorials.com,2012:/content//7.1411 2012-05-14T18:53:42Z 2012-05-14T20:01:36Z A TechNote on Wireless and MobilityJoanie M. WexlerTechnology Analyst/EditorEditorial Director, TechNotes... Joanie Wexler, Analyst/Editor http://www.webtorials.com/mt/mt-cp.cgi?__mode=view&blog_id=7&id=226
  • A TechNote on Wireless and Mobility
  • Joanie M. Wexler
  • Technology Analyst/Editor
  • Editorial Director, TechNotes
    • ]]> 4G cellular networks build-outs are snowballing. At last week's CTIA Wireless 2012 conference in New Orleans, for example, Federal Communications Commission (FCC) Chairman Julius Genachowski noted that the U.S. is leading the world in 4G deployments with "64% of the world's 4G LTE subscribers." And the U.S. is expected to have coverage across most of the country by late 2013. Sounds great. But what will 4G do to your wireless monthly data expenses? Let's face it: the bigger the pipe, the more content users can consume. And the more they consume, the bigger the bill. Some startling math: A March 2012 blog by online researcher GigaOM about 4G pricing for the iPad noted that at maximum 4G speeds, a 5GB data plan would be drained in around nine minutes. Unfortunately, the days of unlimited data plans are dwindling, with Sprint hanging on as the sole U.S. nationwide carrier still offering unlimited plans. So if users are on a 5GB plan and want to use the mobile network for more than nine minutes, overages are in their future. Employers can just turn on the 4G hose and let their workers drink their fill of mobile bandwidth. Or they can attempt to manage expenses by creating structured policies augmented by real-time usage-tracking tools. Won't BYOD Ease Costs? Thumbnail image for WirelessTN-May14-ART.jpgHold the phone, you might be thinking. With the popular bring-your-own-device (BYOD) model, won't most employers just pay a flat payroll stipend to employees, who will then pick up the rest of the cost? Ojas Rege, vice president of strategy at mobile device management (MDM) company MobileIron, holds this view. He believes that because of BYOD, employers' cost focus has shifted to taming hefty international roaming costs. "As more companies adopt BYOD, the enterprise interest in managing service costs drops dramatically," Rege asserts. MobileIron's mobile expense management component tracks user location and, via policy, either sends alerts to users about their usage levels or limits access to contain costs when users cross borders. International roaming is certainly a big culprit behind mobile bill shock. Still, whatever bandwidth gets consumed for business purposes - global or domestic - is likely impact corporate coffers. For example, that flat monthly stipend an enterprise allows for business usage of personal device might have to increase. Also, despite all the talk about BYOD, there are plenty of companies still running corporate-liable shops. And most that do allow BYOD still support a sub-population of corporate-liable users. So businesses might need to buy bigger data plans for individual corporate-liable users or more generous data pools for them to share. Making a Plan The first step toward containing costs, advises Daniel Rudich, a senior vice president at telecom expense management company Tangoe, is for those responsible for paying corporate cellular bills to strategically classify employees into user groups - perhaps users with similar usage behavior. Then, analyze each group's usage volume to date and from there, decide how (and how much) each group should be reimbursed. "If you haven't been pooling, look at it," says Rudich. Pooling, long available for voice, has recently become available for data plans. The business buys an aggregate amount of minutes or gigabytes per month, and users draw from the pool as they use the network. When the pool is drained, overage charges kick in. "Find out what the optimal pool [plan] is for each group," Rudich advises. "Keep monitoring the pools because usage changes; for example, people change job functions and the applications they use change." Options Differ for Enterprises, SMBs As has been traditionally the case, larger enterprises with volume-buying clout have more options from carriers than small and midsized businesses (SMB). SMB data pooling plans tend to be preset, similar to consumer plans and allow for less customization than those available to big enterprises. So SMBs might have to buy a bigger plan than necessary to avoid paying hefty per-minute or per-KB/MB/GB overage charges. On the other hand, newer expense management cloud services are available for smaller businesses. For its part, Tangoe offers a real-time wireless expense management service that continually calculates where users are in relation to their plan and makes projections based on behavior. Users and administrators can find out, at any time, what percentage of each plan has been used, how many days are left in the billing cycle, and so forth. The expense management service is available for between $3 and $5 per month, Rudich says. There are other companies that offer real-time wireless expense management, too. One is Lyrix, with its Mobiso SaaS called Mobiso; another is eMOBUS, with its Enterprise Mobility Management platform.
    ]]>     BYOD and the Wireless Revolution tag:www.webtorials.com,2012:/content//7.1408 2012-05-14T13:48:47Z 2012-05-14T14:47:43Z Avaya... Webtorials http://www.webtorials.com/mt/mt-cp.cgi?__mode=view&blog_id=7&id=12
  • Avaya
    • ]]> Smartphones. Touch screen tablets. Handheld video conferencing tools. Wireless devices are invading every aspect of enterprise operations, causing IT managers to reexamine their WLAN deployments.

    For IT departments whose networks are ready to support the surge in wireless traffic, the "bring your own device" (BYOD) revolution promises huge gains in productivity, mobility and cost savings, all on devices purchased by the employees.

    But are you ready? Enterprises that are not prepared for the tidal wave of wireless devices massing in the market will not only fail to realize the benefits of the BYOD revolution; their networks will be crippled.

    BYOD doesn't have to mean Bring Your Own Difficulties.

    Download Report
    ]]>     Sound Off! tag:www.webtorials.com,2012:/content//7.1407 2012-05-10T21:42:59Z 2012-05-11T16:58:05Z Welcome to "Sound Opinions"Your chance to hear and to be heard... Joanie Wexler, Analyst/Editor http://www.webtorials.com/mt/mt-cp.cgi?__mode=view&blog_id=7&id=226
  • Welcome to "Sound Opinions"
  • Your chance to hear and to be heard
    • ]]>
    We like to think of this area as a community that fosters the flow and exchange of ideas and expertise among all types of folks in our industry. We only ask that you not use this space to directly solicit business; please make no blatant product pitches or generically self-serving comments, as we will have to filter those out. And feel free to agree or disagree with others; just no profanity, please.

    Enjoy!

    ]]>     Check out Cloud Providers' Business Models tag:www.webtorials.com,2012:/content//7.1404 2012-05-09T21:04:16Z 2012-05-09T21:07:13Z A TechNote on Unified CommunicationsGary Audin, Delphi, Inc.... Gary Audin, Delphi, Inc. http://www.webtorials.com/mt/mt-cp.cgi?__mode=view&blog_id=7&id=137
  • A TechNote on Unified Communications
  • Gary Audin, Delphi, Inc.
    • ]]> There's no single way to deliver cloud communications services, and the specific business model a given provider uses could make that provider more or less appropriate for your particular needs. A 2011 Webtorials survey of cloud communication providers, for example, showed that the provider's business model can have significant implications for the various cloud services important to enterprises such as service-level agreements (SLAs), security, privacy and availability. For example, while most cloud communication providers use the Internet to provide access to their services, a few bundle Multiprotocol Label Switching (MPLS) access into their services. Their users will get better voice quality because MPLS supports a quality-of-service (QoS) level not available over the Internet. Primary Available Models The five business models now in use by cloud service providers are as follows: Vertically integrated provider - This is a holistic cloud service where the provider owns the hardware and software, has the staff that implements and maintains the service and is responsible for all aspects of the service (SLAs, security, privacy and availability) except Internet access. Because the provider writes the software for its service, special features and functions can be custom-designed to meet the enterprise's requirements. Pure cloud service - The converse of the vertically integrated provider, this type of service can be located on cloud-based servers that run provider-owned software licensed from a third-party software vendor. Amazon Elastic Compute Cloud (EC2) platform is an example of an existing cloud-based business service that can be used as an implementation platform. EC2 is a Web service that provides resizable compute capacity in the cloud. Software modifications must be implemented by the third party. SLAs, security, privacy and availability are supported by the cloud platform rather than directly by the service provider. If the cloud platform has a problem, as EC2 did twice in 2011, the service can fail, and the service provider must wait for the cloud platform to return to operation before the service can resume. Alternate pure cloud service - In this model, a communication software vendor's product (for example, call-center software) operates on the cloud provider's platform. The software vendor can customize features and functions for the enterprise, but relies on the cloud platform operator to handle issues with SLAs, security, privacy and availability. Amazon EC2, cited above as an example of pure cloud service, can support this model as well. Third-party implementation - A third party installs licensed communication software in the cloud (e.g., on the EC2 platform) and sells the service directly. Custom feature and function modifications are unlikely to be offered with this model. SLAs, security, privacy and availability issues are the platform provider's problems. Resold services - In this model, the reseller itself owns nothing but simply resells cloud services from one or more wholesale providers. The reseller might use the cloud provider's name when offering the service or might create a private-label service. In either case, the reseller is only passing through a service. Customized features and functions are likely not supported, and the reseller has no control over the service's SLAs, security, privacy and availability. The Fewer Middlemen, the Better The business model a provider chooses can have a huge influence on the SLAs and acceptable use policies (AUPs) an enterprise will encounter. Contracts or service agreements are likely to be biased in the provider's favor if the platform is not part of its own operation but comes from a third party such as EC2. The more direct control and knowledge the provider has of the service (as in the vertically integrated model), the easier it will be for the provider to enforce SLAs and effectively troubleshoot problems. Furthermore, the stability of the service can be in jeopardy if the service provider business model is not successful. What if the cloud provider goes out of business or decides to terminate certain features or functions? What if the service provider fails to pay the cloud platform bill, leaving enterprise information such as voice mails, e-mails, user profiles and dial plans inaccessible? Such scenarios have already occurred with some wholesale as well as retail providers. Just in case, the enterprise should always have a backup plan (possibly an alternative cloud provider) in place.
    ]]>     Best Approaches to Scaling Virtual Machine (VM) Networking Beyond the Data Center tag:www.webtorials.com,2002:/content//7.1324 2012-05-09T12:40:28Z 2012-05-09T16:40:54Z The Data Center LAN Evolution SeriesA Webtorials Thought Leadership DiscussionDr. Jim Metzler, ModeratorFeaturing Arista, Avaya, Brocade, Cisco Systems, Extreme Networks and HP... Jim Metzler, Ashton, Metzler & Associates http://www.webtorials.com/mt/mt-cp.cgi?__mode=view&blog_id=7&id=49
  • The Data Center LAN Evolution Series
  • A Webtorials Thought Leadership Discussion
  • Dr. Jim Metzler, Moderator
  • Featuring Arista, Avaya, Brocade, Cisco Systems, Extreme Networks and HP
    • ]]>
    The panelists were asked to identify the primary challenges that limit the ability of an IT organization to move VMs between data centers.

    ]]>     Which IT Services Do You Keep? Which Move to the Cloud? tag:www.webtorials.com,2012:/content//7.1400 2012-05-08T12:10:49Z 2012-05-08T12:13:30Z Jim Metzler, Ashton, Metzler & Associates http://www.webtorials.com/mt/mt-cp.cgi?__mode=view&blog_id=7&id=49
  • A TechNote on The Next Generation
  • Jim Metzler
  • Distinguished Research Fellow and Co-Founder
  • Webtorials Analyst Division
    • ]]> Cloud service offerings for enterprises are moving beyond basic mainstream packaged software solutions. They now include a broad array of functions traditionally considered the exclusive domain of IT. The availability of so many new services from cloud providers is certain to pose new questions for IT organizations as they decide which services to get from the cloud, which ones to keep in-house and how to plan for changes in that mix. When cloud computing first began to make an impact in the market several years ago, it was most often associated with offerings from software-as-a-service (SaaS) providers such as Salesforce.com or infrastructure-as-a-service (IaaS) providers such as Rackspace. Enterprises would acquire mainstream enterprise applications such as customer relationship management (CRM) or enterprise resource planning (ERP) as a SaaS. Or they'd procure basic compute and storage services in the form of an IaaS. Mainstream enterprise SaaS application services and IaaS compute and storage services continue to grow. But cloud providers have recently begun to also offer an even broader set of cloud networking services - services historically provided by the IT infrastructure group. Kitchen Sink Cloud Services Among some of the latest cloud services are VoIP, unified communications, network and application optimization, security and management. It's almost to the point that any service or solution IT once offered or supported has a cloud counterpart available. The emergence of this new set of solutions poses a new challenge for IT organizations. Not only does IT still have to manage, optimize and secure traditional cloud computing solutions, but it now must also determine which of the traditional IT services it should continue to provide itself and which ones it should procure from a cloud provider. When evaluating these solutions, IT organizations need to determine whether a cloud service offering eliminates, or at least minimizes, the negative aspects of public cloud computing. According to the Webtorials market research report, "Cloud Computing: A Reality Check and Guide to Risk Mitigation", security concerns have been the primary impediment to the adoption of public cloud computing solutions. Hence, evaluating the security of the cloud provider's facilities is a critical component of evaluating the overall solution. The IT organization must determine whether the provider's implementation of a multi-tenant environment compromises security. Can the provider maintain compliance with corporate and regulatory standards while still leveraging the cost benefits of the provider's shared infrastructure and improved operational efficiency? Making the task harder is that there is no widely accepted framework for securing a cloud environment. The IT organization can ask potential providers to reveal the results of third-party security audits they might have undergone and/or to provide references from existing customers who are subject to the same compliance requirements. Also, Gartner, Inc.'s Global IT Council for Cloud Services has defined six rights of cloud service consumers to help providers and their customers create and maintain successful business relationships (see April 9, 2012 TechNote on Unified Communications, "7 Must-Haves in a UC Cloud Contract.") Consider Security, Cost, Agility Just as important as security is whether the solution actually provides the benefits that drive IT organizations to use public cloud computing solutions - lowered costs and reduced time to deploy new functionality. Cost information provided by the provider should enable the IT organization to determine whether the service provides a compelling cost advantage. The provider's agility in deploying new services could depend on the degree to which it has virtualized its data center infrastructure, since a virtual infrastructure is notably easier than a physical infrastructure to initialize, scale and migrate. As IT organizations anticipate and plan for cloud-driven changes, they should evaluate emerging new services in the same way they would evaluate any public cloud networking service. Meanwhile, they should keep in mind that it's not an all-or-nothing choice. For example, though it is highly unlikely that an enterprise IT organization would entrust all of its security requirements to a public cloud service, it might use such a service to gain an additional level of security that enhances its overall defensive security strategy. And while the ongoing adoption of cloud computing continues to fundamentally change IT, we should remember that IT organizations have been "out-tasking" various functions to third parties for decades. The use of cloud services is just one more example of out-tasking, and as such it requires expert vendor-management skills.
    ]]>     What We Can Learn from Google Street View tag:www.webtorials.com,2012:/content//7.1396 2012-05-07T20:35:58Z 2012-05-07T20:38:19Z A TechNote on Wireless and MobilityLisa Phifer, PresidentCore Competence, Inc.... Lisa Phifer, Core Competence http://www.webtorials.com/mt/mt-cp.cgi?__mode=view&blog_id=7&id=25
  • A TechNote on Wireless and Mobility
  • Lisa Phifer, President
  • Core Competence, Inc.
    • ]]> Many wireless LAN planners, administrators and enthusiasts routinely discover nearby networks. In the workplace, discovery is essential to identify interference sources and rogue devices. Outside, "war drivers" often use discovery tools to map available WLANs. In fact, this practice is so common that WiGLE.net, a community-sourced WLAN database, now contains 59 million names and locations. WLAN discovery results can be put to good uses, including trend analysis and client locationing. So why did the Federal Communications Commission (FCC) investigate the Google Street View project for discovering WLANs from 2007 to 2010, which it summarized in a recent report? And what lessons can the Wi-Fi community learn from the FCC's findings? What the Fuss Is About In April, the FCC published a report detailing its investigation into Street View for possible violation of Section 705(a) of the Communications Act of 1934, which pertains to unauthorized publication or use of communication except as authorized by the Wiretap Act. The investigation focused on this provision: No person not being authorized by the sender shall intercept any radio communication and divulge or publish the existence, contents, substance, purport, effect, or meaning of such intercepted communication to any person. No person not being entitled thereto shall receive or assist in receiving any interstate or foreign communication by radio and use such communication (or any information therein contained) for his own benefit or for the benefit of another not entitled thereto. According to the report, Street View did more than record WLAN names and GPS coordinates to create a locationing database. It also collected "payload" data - the content of Internet communications - including e-mail and text messages, passwords, Internet usage history and other personal information. Investigators determined that an unnamed developer had incorporated code that recorded "all wireless frame data, with the exception of the bodies of encrypted 802.11 data frames." Quoting the report: Google engineers decided that the Company should also use the Street View cars for "war driving"... By collecting information about Wi-Fi networks (such as the MAC address, SSID, and strength of signal received from the wireless access point) and associating it with GPS information, companies can develop maps of wireless APs for use in location-based services. To design the Company's program....Engineer Doe developed Wi-Fi data collection software code that, in addition to collecting Wi-Fi network data for Google's location-based services, would collect payload data that Engineer Doe thought might prove useful for other Google services. How Data Was Used Upon analyzing over 200GB of data collected by Street View between 2008 and 2010, investigators concluded that, in some cases, sufficient unencrypted payload data had been gathered "to construct an accurate picture of the communication of an often identifiable user." To avoid further risk of violating privacy laws, Google revised Street View to disable all data frame capture in May 2010, enabling location collection to resume. Ultimately, the FCC assessed a penalty for failure to respond to investigation requests in a timely and complete manner. However, no penalty was assessed for payload data collection. Why? The Wiretap Act provides this exception: It shall not be unlawful under this chapter...for any person...to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public. Google successfully argued that all data Street View had collected was readily accessible to the general public because it came from unencrypted Wi-Fi networks; thus no laws had been violated. Upon review, the FCC opted to forego action, stating: "Although Google also collected and stored encrypted communications sent over unencrypted Wi-Fi networks, the Bureau has found no evidence that Google accessed or did anything with such encrypted communications." Three Lessons First, this case focused on data payload. Beacons, probe responses, and other headers commonly used for WLAN analysis do not seem to have posed concern. Lesson: We can be comfortable recording these frames during WLAN discovery. Second, although the Act allows interception of electronic communication readily accessible to the general public, the investigation was triggered by data payload recording. Lesson: If payload is not necessary, don't record it. Third, WLAN owners can consent to recording their own traffic, but Street View recorded traffic from other WLANs. Furthermore, what was done with that data played a big role. If encrypted data had been cracked, the ruling could have differed. Lesson: If you plan to drill into data, get permission first. Finally, every WLAN professional should understand what data their tools record so that it can be treated appropriately. This just might be the biggest lesson of all.
    ]]>     Mobility/BYOD Security Survey tag:www.webtorials.com,2012:/content//7.1394 2012-05-07T20:08:49Z 2012-05-08T22:32:26Z The SANS Institute on behalf of MobileIron... Webtorials http://www.webtorials.com/mt/mt-cp.cgi?__mode=view&blog_id=7&id=12
  • The SANS Institute on behalf of MobileIron
    • ]]> Mobile devices are more pervasive in businesses today than in previous generations of computing (desktops and laptops). Mobile apps on these devices are used for both personal and business purposes. According to the International Association for the Wireless Telecommunications Industry (CTIA) report released in the fourth quarter of 2011, there were more mobile devices in the United States than people!

    Smart devices have also caught the attention of attackers who are now commonly targeting their rich apps--and their access to even more valuable backend data such as bank accounts, corporate (organizational) intellectual property and personal health information. For this reason, there has been a marked increase in mobile malware.

    To understand and address risk in this growing mobile segment, SANS performed its first annual mobility survey of more than 500 IT professionals. The survey's intent was to determine the type of mobile device usage allowed for enterprise applications and what level of policies and controls enterprises have around this type of usage. To find out the results, download the paper.

    Download Paper
    ]]>     Oh, the Power that Siri Wields tag:www.webtorials.com,2012:/content//7.1393 2012-05-02T11:43:19Z 2012-05-02T11:46:16Z A TechNote on Unified CommunicationsGary Audin, Delphi, Inc.... Gary Audin, Delphi, Inc. http://www.webtorials.com/mt/mt-cp.cgi?__mode=view&blog_id=7&id=137
  • A TechNote on Unified Communications
  • Gary Audin, Delphi, Inc.
    • ]]> The small screens on mobile devices tend to limit long discussions - all that typing! That's why most people have found it easier to use unified communications (UC) features from a PC or laptop than from a smartphone. However, the Apple iPhone 4S's voice-recognition application, Siri (official name: Speech Interpretation and Recognition Interface), presents an opportunity to change that. Using the voice-activated interface, users could overcome their dependence on text and and gain far easier access to UC features and functions. However, Siri has a ways to go before revolutionizing the mobile UC community. There are two big reasons. First, at least at this juncture, Siri has a few reliability flaws. Second, its consumption rate could quickly wreak more havoc with mobile operators' network capacity planning attempts. Adaptable, but Fickle and Chatty Siri is an integral part of Apple's iOS 5 operating system. It uses a natural-language user interface and is intended to serve as a virtual personal assistant to users. As such, it is promoted as adapting to individual user preferences, such as UC features, over time. But from a usability standpoint, Apple user communities have been full of examples of Siri working less well than advertised. In addition, several articles and blogs have shown through humorous dialogs how confusing and confused the Siri interface can be when it doesn't work as expected. As Siri matures, however, this situation will more than likely improve. Alternatively, it might be up to the UC system and cloud vendors to come up with a better voice-activated interface for their own products and services. But the biggest problem for mobile UC could be that Siri considerably increases a mobile device's data consumption. Siri is a bandwidth hog that could, along with Apple's iCloud and other over-the-air synchronization, backup and storage services, clog networks and even impact government spectrum allocation plans. Just How Talkative Is She? A recent blog post at network performance management company AppNeta shared the results of a test, using AppNeta's own PathView Cloud product, of how much bandwidth Siri consumes. For example, the voice command, "Dial 781-555-5555" consumed 38Kbps, while the question, "What is the weather going to be like tomorrow?" used 29.4Kbps. Both consumed far more bandwidth than their text equivalents. Some organizations, such as Arieso, a mobile network management company, estimate that iPhone 4S users consume twice as much data as iPhone 4 users and three times as much as iPhone 3G users, citing Siri as one reason. Not only does Siri use more bandwidth for the equivalent functionality of text; voice activation eases use so that users tend to use more functions on their iPhones and, as a result, generate more traffic. That's good for users, provided the bandwidth is there. But it significantly adds to the wireless load stress on mobile operators' networks. In fact, many of the mobile network operators offering the iPhone have shifted from unlimited data plans to limited plans with data caps to discourage use above and beyond a certain level. It's widely reported that a relatively few heavy-use subscribers - those who continually record high-definition video, download images and download music to play on their phones - are causing most of the network congestion. In addition, the Apple iPhone in general, with its default alerts, backups and pings, is known to generate more traffic than other phones without the user actively doing anything. What Happens Now? There is not much end users can do to deal with this problem except to turn off automatic default pings and alerts or voluntarily restrict their usage. This is an unlikely scenario, especially for the 10 percent of mobile users who reportedly consume the 90 percent of wireless bandwidth. So what is likely to happen? The FCC might have to yet again rethink its wireless spectrum allocation plans. Network providers will try to buy spectrum owned by others. Providers might implement more Wi-Fi locations for access in congested areas such as New York and San Francisco. Usage billing will probably become more prevalent, as will "throttling" of the bandwidth of heavy users - with ever-lower throttling thresholds. Providers might even push for modified applications that reduce the data volumes consumed.
    ]]>     Beware Social-Engineering Attacks, Part 2: Email tag:www.webtorials.com,2012:/content//7.1391 2012-05-01T11:43:26Z 2012-05-01T11:48:58Z A TechNote on Information SecurityDirk Racey, Private Security Investigator/Observer... Dirk Racey, Security Sleuth http://www.webtorials.com/mt/mt-cp.cgi?__mode=view&blog_id=7&id=538
  • A TechNote on Information Security
  • Dirk Racey, Private Security Investigator/Observer
    • ]]> In my last dispatch, I described some of the ways that hackers use social networking try to trick us into helping them violate our own computers and identity. Today, we'll unmask another of their favorite social-engineering tools: your email inbox. Amazingly, decades after we first saw the "Nigerian Email Scam," people still fall for it. Its common incarnations ask that you keep the message confidential and then claim something along the lines of: You've won a windfall in a foreign lottery. A relative you've never heard of has left you a pile of dough. An overseas corporation, government or barrister needs to transfer a fortune into a U.S. account, and if you let them use yours, you'll get a cut. These scams work because of folks' desire to get something for nothing. I receive at least two such messages a week, and when I kill them, it's my small way of defeating the people who spew them from Internet cafés across the globe. Inbox Landmines Still other dangers lurk, but you can dodge 'em: TNSecurity-April-30-ART.jpgDon't trust all messages from relatives, friends or organizations that you'd normally trust. "From" fields are easily spoofed. Today, I heard from "Norton Antivirus" and "PayPal," both of which I use. And though the messages were highly "anonymized," when I traced them, one seemed to come from a building down by the river in lower Chi-town and the other from beautiful downtown Bolton, England (see photo). These emails are especially dangerous if they seem to be from real business partners like eBay, PayPal, Amazon, your banks or even the IRS. But their subject lines can be tip-offs. Be wary if the subject lines are blank, say only "Re:," begin with strange strings like "!*#", or have misspellings, bad grammar or lousy "business English." An example of the latter is this recent alert: "You have $250,000 lodged in Western Union to be transferred to you." If legitimate business contacts want to discuss your accounts, they'll use your account pages on their own sites. And the IRS will send a letter. So if suspicious messages arrive, axe them and then check your own private account pages rather than clicking bogus links in emails from nefarious ne'er-do-wells. Shred everything - including envelopes and printed emails - that shows your name and address, even if it lacks financial data. The reason is simple. Any dumpster-diving crud worth a grain of salt can parlay your name, address and a business partner's name (or logo) into full-fledged identity theft. Social Security Numbers, account numbers, user IDs and passwords are not needed to weasel information out of you or your business contacts. Snitch on the bastards! Many firms have Web pages for reporting emails that claim to come from them. I always do for bogus communiqués from eBay, PayPal, Amazon, the IRS and the FBI. When reporting, provide both the message and its "full tracking header" or "message source." You'll have to fish around a bit to find it. For example, in Lycos mail, select the message, click "More Detail" and then click "Message Source." But in Yahoo email, select the message, click the "More Actions" (gear) icon at the top of the page, and select "View Full Header." You can then copy and paste the header into the form where you report the message. Corporate America Wakes Up Corporate America is also getting tougher. Last January, Google, Facebook, LinkedIn, Bank of America, Comcast and others opened a "Domain-based Message Authentication, Reporting, and Conformance" (DMARC) service that they've been using for months. By signing up, a firm that sends/receives emails or provides email services will help carriers automatically stop spoofed messages and, as a result, will reduce our exposure to them. This is done by including DMARC sender-verification data in valid emails from member organizations and by stopping spoofed emails that do not pass DMARC checks. We should all encourage our business partners to sign up. But until the Web widely embraces tools like DMARC, your most effective weapon against social-engineering email attacks will remain hyper paranoia. Don't be a hacker's puppet. Don't play the patsy. Rather, follow in the footsteps of bumbling but beloved Inspector Jacques Clouseau and "...suspect no one... and everyone."
    ]]>     Wi-Fi 'Voice-Enterprise' Cert: No Longer Stuck On Hold tag:www.webtorials.com,2012:/content//7.1389 2012-04-30T14:52:24Z 2012-04-30T16:35:55Z A TechNote on Wireless and MobilityLisa Phifer, PresidentCore Competence, Inc.... Lisa Phifer, Core Competence http://www.webtorials.com/mt/mt-cp.cgi?__mode=view&blog_id=7&id=25
  • A TechNote on Wireless and Mobility
  • Lisa Phifer, President
  • Core Competence, Inc.
    • ]]> According to a Milestone Group survey, enterprise WLAN expansions are being driven to increase density and support new devices and applications such as smartphones and voice. To date, over 600 phones and 1200 smartphones have been certified by the Wi-Fi Alliance (WFA) for basic Wi-Fi interoperability. However, succeeding at large voice-over-Wi-Fi (Vo-Fi) deployments is still no slam-dunk. Joe Epstein, author of the book Scalable VoIP Mobility: Integration and Deployment and a former chair of the WFA's Voice over Wi-Fi Technical Certification Task Group, believes that standards-based certification is needed to replace older, more custom solutions developed by disparate vendors. "Those proprietary mechanisms definitely work when set up properly, but there is a lot for customers to have to think about and for vendors to do," he says. "The [WFA] Voice-Enterprise certification program will make it easier for everyone to get solutions right the first time." Voice-Enterprise is a long-in-coming WFA test for interoperability among different vendors' Vo-Fi-capable products in large enterprise settings. The Alliance expects to start certifying products this summer. Meeting Enterprise Needs The WFA's 2008 Voice-Personal program was a solid start but did not go far enough to meet enterprise-wide requirements. According to WFA senior marketing manager Tina Hanzlik, Voice-Personal was designed for homes and small offices with a single access point (AP). "Voice-Enterprise looks at larger networks that need fast transitions between APs, admission control and enterprise security," she says. Specifically, Voice-Enterprise builds on the WFA's Wi-Fi Multimedia (WMM), WMM Power Save and WPA2-Enterprise certification programs, adding selected capabilities from IEEE 802.11k, 802.11r and 802.11v to maintain high performance of notoriously delay-sensitive voice sessions. 802.11r enables continuous connectivity by enabling fast, secure, seamless handoffs from one AP to another. 802.11k improves AP discovery to stop client roaming to over-utilized APs with strong signal. Instead, APs detect when clients are moving away and help them make better choices. 802.11v provides clients with topology information, increasing their network awareness in hopes of improving overall WLAN performance. Benefits for All Thumbnail image for WirelessTN-April 30-ART.jpgSuch improvements are essential for voice quality in enterprise WLANs. But Aruba Networks Fellow Partha Narasimhan expects all Wi-Fi clients to benefit. "The ability for infrastructure and clients to exchange RF measurement information improves the quality and timing of roaming decisions. Infrastructure can [now] suggest roaming target APs to associated clients and trigger roams," explains Narasimhan. "Once a roaming decision has been made, Voice-Enterprise [can] quickly transfer security and QoS [quality of service] contexts to the new AP." Dave Stephenson, a senior leader in Cisco's wireless networking business unit, echoed this view. "The new certification will not only improve voice quality and user experience, but also provide the critical, consistent connectivity needed in many industries," he says. Long Time Coming Vendors are already implementing Voice-Enterprise features; the WFA expects to start certifying products early in the third quarter. But why has Voice-Enterprise taken so long to launch? Says Epstein: "Getting voice quality right touches so much of the network - quality of service, security and performance - [that] it's better to take the time needed to get it right." For example, certification tests more than standards. "It measures performance with strict guidelines in a way that voice needs," says Epstein. Like Voice-Personal, Voice-Enterprise will include metrics for latency, jitter, packet loss, plus handoff delay inside and between domains. "A network domain is what you might see in an enterprise, where you have a network composed of similar APs from the same vendor," explains Hanzlik. "We differentiate this from [handoffs] involving APs from different vendors." Reaching the Finish Line While goals might seem straightforward, "Voice-Enterprise [brings] together many standards and the best of several proprietary features. Making everything work well together made this a very complex program to complete," says Hanzlik. Ultimately, success requires both infrastructure devices and client devices. "Initially, we expect certified client devices to include laptops, tablets and handsets; later we expect expansion to other mobile devices," predicts Hanzlik. As for infrastructure, most enterprise WLAN vendors are likely to pursue certification, albeit at their own pace. Cisco was the first to support 802.11r in its Aironet 3600 Series AP in January. And Aruba has played an active role by providing equipment for the program's test bed, which means that any client device presented for certification will get tested against Aruba's gear. According to Hanzlik, certified products will reap broad benefits. "Not only will voice users have a more seamless mobile experience, but enterprises will gain bandwidth management and power save capabilities," she says.
    ]]>     Cloud Computing Concerns in the Public Sector tag:www.webtorials.com,2012:/content//7.1386 2012-04-26T11:50:43Z 2012-04-26T11:54:01Z How Government, Education, and Healthcare Organizations Are Assessing and Overcoming Barriers to Cloud DeploymentsCisco Systems... Webtorials http://www.webtorials.com/mt/mt-cp.cgi?__mode=view&blog_id=7&id=12
  • How Government, Education, and Healthcare Organizations Are Assessing and Overcoming Barriers to Cloud Deployments
  • Cisco Systems
    • ]]> This Cisco paper briefly examines issues that often present barriers to public-sector implementations of cloud services. In particular, it focuses on reliability and resilience, privacy and security, and standards and development. It also discusses how hybrid clouds are helping overcome many objections to cloud deployment and touches on financing models that are making cloud computing more affordable.

    Download Paper
    ]]>