Data Security

Is Your Virtual Machine Invisible To the Security Eye?

Virtualization has become a key ingredient in the IT recipe of most companies today. Data centers and enterprises are increasingly turning to some form of virtualization to meet their requirements of scale and operational efficiency.

Desktop or client virtualization lets a company or user segregate physical machines from the desktop ecosystem, and it allows access to the resultant virtualized desktop even from a remote location. Using a virtualized desktop, the user’s business is not limited by geographical boundaries. Any device equipped to operate in a virtualized infrastructure can give the user access to all his data and applications, regardless of location.

Although this approach has advantages like remote access, flexibility of operations, and minimal downtime, concern is increasing regarding the security software for a virtualized infrastructure.

A hosted virtual desktop system is not automatically immune from viruses simply because its original (“real”) system has protection. The VDI, or virtual desktop infrastructure, faces a mammoth task in being “detected” by security tools like malware protection and anti-virus software. To put it simply, such software tools have not been programmed to seek, locate, and protect VMs (virtual machines). The software protection is programmed to vie for resources only at the network, storage, and CPU levels. In a virtualized system, a single physical server can support several desktops at one time. So, when the software is vying for “attention,” it can put huge pressure on the machine.

Performance and operations can thus become lethargic. As Brian Madden of SearchVirtualDesktop.com says, desktop virtualization is more difficult than server virtualization because the user needs to have the same flexibility that a physical machine would provide him. Desktop virtualization also cannot be done with half measures and cannot have restrictions on the types of devices that can support them or even on the amount of work that can be done offline.

The security risks can be exacerbated if the network is improperly managed. Consider a scenario in which a VDI system goes through a previously scheduled scan. By placing an extra load on the CPU, such a scan can slow down the entire network. A client in need of swift operations at that time may be tempted to remove the security systems from their VDI ecosystem. Such a disastrous move will leave that client’s desktops vulnerable to all kinds of attacks.

A company also needs to be wise to the different options available for protecting its VDIs. Depending on whether it is operating at the enterprise level or smaller-size-business level, the company can choose virtual-machine-based security software or agent-based desktop virtualization security software.

A pertinent question is where exactly the security software would run in a virtualized network. For instance, would it run on the primary operating system, the guest operating system, or some combination of both? Each of the three solutions has a downside.

A company can resort to one simple way of addressing this concern. As Richard Sheng, regional director for Trend Micro’s Asia Pacific business, states, “treat your VDI desktop on the same platform as you would your physical laptop.” This means that the same security measures and steps, like data backup and management, need to apply to the virtualized desktop, too.

Trend Micro offers wide-ranging desktop virtualization protection technology. The company’s latest product is Trend Micro OfficeScan 10.5, which is a “virtual desktop aware” package. This software can also work in association with a virtual desktop infrastructure put into place by Citrix or VMware. It offers management of up to 20,000 physical and virtual desktop endpoints from one console.

As the company’s product marketing manager, Joerg Schneider-Simon, states, with the VDI-aware anti-virus package, a company can even “double the number of desktop hosts with no lowering of performance.”

Companies like VMware and Citrix are working on security software for virtualized networks as well. Citrix has been working with McAfee on the latter’s MOVE-AV, which is an anti-virus package built specifically for virtualized surroundings. VMware is confident that the future belongs more to the virtualized desktop than to the virtualized server, and the company states that a virtualized desktop is even more secure than the conventional personal computer.

Verizon’s Cloudy Health-Care Information System

In 2009, the United States Federal Government passed the so-called American Recovery and Reinvestment Act, which allocates $787 billion to various programs ostensibly designed to reinvigorate a flagging economy. Part of this legislation includes a mandate for conversion of all Americans’ health records to an electronic format, in part for easier accessibility. With its new Health Information Exchange service, Verizon has stepped forward as a candidate for some of the Federal largesse associated with the health records mandate. The new Verizon service will use cloud-based storage and will allow access to patient medical records by way of a secure portal on the Web. The system will also standardize the formatting of those records, thereby eliminating the difficulties associated with the numerous different formats used by various health-care providers in different locations and even different facilities.

An eWeek.com article (“Verizon Brings Electronic Medical Records to the Cloud”) cites Verizon’s Gerard Grundler, the company’s managing principal of Health Information Exchange Services, as claiming that the new service will “translate data from 14 to 18 major health care standards.” To do this, the system uses Oracle’s Healthcare Transaction Base, which is a platform designed to support healthcare information exchanges by simplifying integration and operation of a range of health-care applications. In this way, Verizon’s system aims to eliminate some of the administrative burden associated with electronic medical records: converting the information into a format that is compatible with a given health-care provider’s system or that is otherwise easily accessible and readable. This and similar electronic medical record systems are touted as being a boon to health-care providers owing to their ability to give those providers fast, centralized access to patient records. Presumably, this greater access to such information can greatly aid the patient and health-care provider in making informed decisions about the patient’s medical care.

A critical component of Verizon’s Health Information Exchange service is the cloud. According to Network Computing (“Verizon To Put Medical Records In The Cloud”), Grundler also states that health-care providers can store their medical records in the cloud and then access them in Verizon’s standard format (mentioned above). For providers concerned about centralized storage in Verizon data centers, the records can also be stored on the provider’s premises. This option allows the provider to assure patients that the data never “leaves” the provider’s location (although, presumably, it can still be accessed from anywhere even though it is stored in a particular location).

Verizon’s new medical record storage and access service brings two salient points into view. First, it raises the perennial question of how secure the cloud is, and second, it raises concerns about the motivation for the recent push for a universal electronic medical records scheme.

In light of the virtually sacred nature of the doctor-patient relationship (especially with regard to the patient’s privacy), Verizon’s reliance on the cloud to store and access patients’ medical records may leave many wondering whether such an approach is truly wise. The security of cloud-based data storage is by no means established; many companies are extremely reluctant to trust the cloud with their sensitive information and mission-critical applications. Governments at various levels also have doubts about the propriety of using the cloud. To be sure, a cloud-based approach offers health-care providers numerous advantages, including reduced capital expenditures for administration of records, as well as easy access to those records. Nevertheless, with the jury still being out with regard to the security of the cloud, patients and providers may be quite hesitant to adopt the system.

The second point that Verizon’s cloud-based system raises is the nature and purpose of the government’s push for electronic medical records. Given, for instance, some of the gross privacy violations associated with Federal legislation such as the PATRIOT Act, observers would be remiss to discount the possibility that the government’s desire for a centralized health information exchange is largely about gaining easier access to patients’ private information. Even if it is not directly receiving any Federal funds, Verizon is seeking to capitalize on the Federal mandate for electronic medical records; this mandate penalizes providers that don’t make the transition by reducing their Medicare reimbursements. Thus, Verizon, for its part, is simply taking advantage of a market whose growth is fueled by Federal funds.

The broader issue of privacy remains, however. Electronic medical records will always be in the crosshairs of malicious hackers, if for no other reason than to cause mischief. The questionable security status of the cloud is a significant cause for concern. But what about violation of privacy for “official” purposes, which may be equally malicious? Health-care providers and patients must ask themselves two questions when it comes to electronic medical records generally and Verizon’s Health Information Exchange service specifically: do they trust the cloud, and do they trust the government?

Contact the author at jclark@datacenterjournal.com.

If A Product Hasn’t Got The Right Certification Can It Be Trusted?

Let’s pretend that it’s time to elect a world leader. Here are some revealing facts about the three candidates. Candidate A associates with crooked politicians and consults with astrologists; he has had two mistresses, chain-smokes, and drinks 8 to 10 martinis a day. Candidate B was kicked out of office twice, sleeps until noon, used opium in college, and drinks a quart of whiskey every evening. Finally, Candidate C is a decorated war hero and a vegetarian who doesn’t smoke, only drinks an occasional beer, and has never had ANY extramarital affairs. Who gets your vote? Would it surprise you to discover that Candidate A is Franklin D. Roosevelt, Candidate B is Winston Churchill, and Candidate C is Adolf Hitler? All very interesting, but what has this got to do with FIPS, encryption, or security generally? It proves the point that you shouldn’t judge a book by its cover.

Nasty Network configuration mistakes: How to avoid them and how to recover

Ongoing changes to network and security device configuration are unavoidable and necessary for business. But they are also risky. They can have unexpected consequences - from service interruptions to performance degradation and even downtime.

How can you reduce the risk associated with configuration changes?
Here is a 3-tier strategy:

1. Reduce the likelihood of configuration errors:

  • Monitor and review changes
  • Establish change procedures and processes
  • Establish a test plan for all changes

2. Detect problems as early as possible:

  • Monitor the environment
  • Listen to your users

3. Ensure that you can make a fast recovery if something goes wrong:

  • Maintain accessible, actionable audit information
  • Establish standard recovery procedures

Finally, implementing solutions that can automate error-prone, repetitive tasks and can maintain vigilance 24 hours a day goes a long way toward preventing, and recovering from, human configuration errors.

An Insight on Driving Customer Loyalty With the Right IT!

The first example of a loyalty scheme in action, thought to date back to the 1930s, is Green Shield stamps from the Co-Op. Today, although fewer than five years ago, there's a plethora of loyalty schemes in operation, from the Air Miles program launched in 1981 to Tesco's Clubcard in 1995, Boots Advantage Card in 1997, and Nectar in 2002, to name a few. Tesco, however, is often cited as exceptional for its ability to mine the data it captures to gain valuable insight into its customers and their shopping patterns, and to market to them with pertinent offers that keep them coming back for more. Capturing data from every sale is the basic principle for introducing a loyalty scheme in the first instance, but are 'points' enough to ensure the scheme works?

What's In Your Wallet?

The biggest barrier to loyalty cards is customer apathy to carrying them in their purses or wallets - after all, there are only so many that can physically fit, so the first hurdle is to ensure your card is one of them.

One option is a single card for complementary outlets, such as the Nectar card scheme. Although it is popular from a consumer point of view, since there is only one card to remember, it is run by an external organization which may not be as flexible as your own scheme when it comes to data mining or offering incentives that keep customers loyal.


Another option is an electronic card that stores multiple schemes, something which Microsoft is currently developing. At present the technology is in its early stages and so is relatively untested, fairly expensive, and when balanced with the lack of branding opportunity may not justify the investment. However, if this technology were to develop and be flexible enough to let consumers choose which retailers they want to add to the card, it may prove to be a popular, and therefore clever, approach.

There is technology available that could allow you to add a consumer's existing card to your scheme - even their gym card. This makes it easier for the consumer as you're asking them to remember and use a card they've already got and removes the expense to your organization for producing the cards in the first place.

There's an App for That

However, there is new technology that could sound a death knell for cards as we currently know them, so that the concept of having something in your wallet disappears completely. Using mobile phone technology, users download an app, often free of charge, which acts as a substitute for the loyalty card. Tesco is one retailer adopting this technology and launched its service in February as an option for its Clubcard loyalty scheme. Users type their Clubcard details into their device, and it creates a barcode which can be scanned at the checkout. As this technology develops, vouchers could eventually be sent straight to the phone to be used in-store.

As fast as phone technology is developing, so are other emerging technologies that could potentially have a major impact on loyalty schemes. Biometrics is one such area and includes, but isn't limited to, fingerprint scanning and facial recognition. Although the processing is fairly slow currently, it won't be forever, and could provide phenomenal benefits if merged with loyalty schemes. When used at the till, it could identify customers and automatically match them to the loyalty scheme without the need for an authentication method thereby capturing every transaction to the CRM.

What Do Points Make

Often criticised is the amount that has to be spent to generate points in the first place. However, if customers were rewarded simply for walking into an outlet, or browsing a particular merchandise display, either by swiping their loyalty card, scanning their iPhone, using contactless technology, or utilising biometrics, points could be earned without the customer spending a penny. If this were then linked to offers sent automatically to their mobile device, with incentives to purchase the item they have rejected and walked away from, it could increase impromptu purchases. Alternatively, if retailers were able to identify someone who is making their 1,000th purchase in real time, they could reward them there and then at the till with a surprise discount or even their basket free. This would be an effective mechanism for the outlet, which then doesn't have the expense of producing and delivering vouchers. For the customer it would potentially be more memorable, they don't have the inconvenience of bringing a coupon to claim the reward, and it makes an instant impact on those customers present at the time.

Other Influences

Another potential avenue for loyalty schemes is to monitor and nurture net-promoters by rewarding their online endorsement. The growing virtual community, facilitated by social network sites, is often discussing brands and sharing product reviews. By rewarding those that positively promote your services or products, you could encourage repeat positive endorsement. Another consideration is the benefit of targeting those with a negative perception to try and win their support, a practice Carphone Warehouse is building a reputation for. However, marketers must still behave ethically in this virtual arena and adhere to the fair marketing guidelines, especially in relation to activities involving children.

The final piece of the loyalty puzzle is rewards that are relevant, or that money can't buy, and that appeal to your members. One example is O2, which has cleverly tied its sponsorship of the O2 Arenas to rewarding its mobile phone customers, who are offered priority tickets for events and live gigs.

The statistics speak for themselves as consumers vote with their wallets, refusing to fill them with bits of plastic that don't deliver real rewards. Technology is available not only to get you over the first hurdle and capture the data, but then to leverage it to keep your customers close to you and your tills. Get the mechanics of your loyalty scheme right, and maybe it will be you that Tesco turns to when it's next thinking of overhauling its loyalty scheme.

About the Author: Simon Helliwell, Retail Consultant, Clarity Commerce

www.claritycommerce.com


An Introduction to Virtualization Security

Virtualization platforms are software. All software has flaws. Therefore, virtualization platforms have flaws. Simple logic, right? The major virtualization platform vendors, VMware, Xen (now Citrix), and Microsoft, have all had several vulnerabilities over the last few years. However, the major components of a virtualization infrastructure and the IT strategy related to deployment and maintenance of virtualization technologies can be planned and secured fairly well. The following sections will explore the major areas of concern for security professionals.

I. Hypervisor security
The hypervisor is a piece of software in many cases, unless it is integrated directly with the host platform (see the next section). The major virtualization vendors release patches for their products like any other software providers, and the key to mitigating the risk of hypervisor vulnerabilities is a sound patch management process. Examples of sound patch management practices include maintaining the latest service packs for both guests and hosts, removing any unnecessary applications that have a history of vulnerabilities, and applying the latest security rollup patches if and when they are supplied by the virtualization software vendor.
