There has been much debate recently about the value of email when compared to Instant Messengers and Social Media. I’m not going to reinvigorate that debate here, but the whole passionate brouhaha has got me thinking about what it means to actually have an email address and how important that short string of text has become.

Two words spring immediately to mind when I think about what is actually in an email address; those words describe a process that has quite a profound effect on you as a user of Internet services. Those words are:

           “Password reset”

Your email address, whether given to you by your employer, your ISP (remember CompuServe?), or chosen by your own fair hand seeks to identify you. In many cases an email address is your name, or part thereof, and is generally recognizable unless you’ve taken steps to make it less so.

I have an incomplete thought about this identity; we take this identity for granted, we assume that this identity is true, and we generally don’t question the legitimacy of an email address or the identity of the supposed sender. This of course is exploited fantastically well by malicious senders who are attempting to dupe us out of our financial information or login credentials. As a former penetration tester I can tell you that I’ve always had 100% success with email-based attacks sent from addresses that ‘claim’ to be from someone they’re not, especially if the sender demonstrates a little knowledge of the recipient or subject at hand.

But, and here’s the paradox; we understand social engineering and phishing very well, yet we still treat an email address as an identity don’t we?

Often this identity is all you need to carry out that password reset; gain control of an email address or account and you have instant access to a mind-boggling array of personal accounts and information. Often the ‘forgotten password’ link simply asks you for your address; sometimes you may be prompted for more information – ‘mother’s maiden name,’ ‘place of birth,’ ‘month of birth’ etc – social media anyone? Some sites even ask you for ludicrous validators like “your preferred internet password.”

I expect that just supplying an email address to a website to request a password reset is a shortcut on that website’s part; they could do more but probably don’t want to overcomplicate things for you. This is a fantastically naive expectation of identity on a simple string of text. I suppose the expectation is that the recipient hasn’t had their email account compromised, but no website I’ve ever used has asked that question.

Culturally an email address now makes up a significant part of your identity; in some cases it is 100% you. I suspect without the casual and formal asynchronous subject centric communications currently known as email (to coin a phrase of our CTO) you will find you lose a little of your identity, even if you can no longer reset your <insert website of choice here> password.


CISSP, CCSK
Mimecast, North America.


This week Mimecast has been at the Gartner Data Center Conference 2011, in Las Vegas, with a packed agenda full of insightful discussions and presentations. As expected the Cloud was a strong trend throughout the week, but I couldn’t help but notice that another trend has emerged since the last summit; that of Big Data, a topic this blog has written about many times before.

One particularly compelling presentation by Gartner Research VPs, Merv Adrian and Sheila Childs delved into Big Data. The packed session was standing room only, so this is obviously a hot topic for people looking for insight to help them solve their own unique problems.

Adrian and Childs identified a shortcoming in the way business and technology leaders talk about big data, in that the emphasis is often placed on volume. They rightly pointed out that

“The most difficult information management issues emerge from the simultaneous and persistent interaction of extreme volume, variety of data formats, velocity of record creation and variable latencies, and the complexity of individual data types within formats.”

As we’re concentrating on volume of data, we’re often forgetting about the velocity, variety and complexity of the data too.

Adrian and Childs went on to quantify velocity, which is when I started relating it to email data and Exchange Stores.

Velocity involves streams of data, structured record creation and availability for access and delivery. Velocity means both how fast data is being produced, and how fast the data must be processed to meet demand.

The most important factor when it comes to thinking about Big Data in relation to Microsoft Exchange Server, in my opinion, is velocity. Of course most Exchange databases won’t have the sort of big data that most data center managers have to worry about, but to those of us who manage Exchange Servers, I’ll bet the data therein is one of the largest repositories of data in your environment. To coin a phrase of our Chief Scientist, you have essentially got a Nano-Google’s worth of data; it’s important to you, but nothing that hasn’t been dealt with before. But try telling that to the Exchange administrator when they’re planning to migrate the stores from one version of Exchange to another.

So what is the Velocity of your Exchange Server? If Velocity is the stream of data, record creation and availability for access and delivery, I’m sure there must be a quadratic equation that will actually give us a figure for this. But I was thinking more about it in terms of every day reality, especially if that reality means an upgrade or migration.

The unique big data complexity that exists within each Exchange environment is compounded by the velocity of the email environment that surrounds it. The data will continue to grow at a rate that can only be determined by a number of local factors; corporate culture, use of email, access to email, integration of email into other systems. Again, I’m sure there is a quantitative way to work out what this velocity is.

When you’re thinking of doing something with your nano-Google Exchange store I would suggest that getting a grip on the velocity of Exchange is the first step. I doubt very much that you can do anything to throttle this velocity, not without upsetting your users at least. So I’m drawn to the phrase “Just Enough on Site” which is one we use at Mimecast, to describe an Exchange environment that has been given the benefit of Cloud Augmentation to take the Big Data load off said server, before, during and after a tricky migration.

I would argue that the amount of ‘online’ data needed in an Exchange Server is pretty minimal, probably about a month or two. The rest doesn’t need to be offline, but keeping it near-line is way more productive. Remember velocity is also about how fast the data must be processed to meet demand. Surely putting the less accessed and older data near-line in the cloud means your Exchange can concentrate on the on-line velocity of the real time data?

 

 

 

 


The Rise of the Client/Cloud Paradigm and the Age of the Cloud App.

Gartner has just published its predictions for ‘2012 and beyond’ and, as usual, there’s plenty of good content.  The overall focus is on IT relinquishing the traditional notion of ‘control’ as the big macro trends of consumerization of technology and cloud take hold.  Nothing particularly earth shattering there, but Gartner goes on to dig beneath the surface and look at how these things might manifest themselves over the next year or two, and this is where it gets interesting.

Matt Cain’s section on Social Software and Collaboration points to the move away from the ‘traditional desktop client’, prompted by the proliferation of mobile devices and a ‘richer mix of email clients and access mechanisms.’  All good so far.  But he then goes on to suggest that we’ll see a big shift in favour of browser-based access to email, with HTML 5 acting as the catalyst in closing the functionality gap between browser email and desktop clients like Outlook.

And this is where I take slight issue, although of course making predictions is a mug’s game at the best of times.  In my view, the idea that most people will consume their Exchange email via OWA is wrong. The more probable outcome is a client/cloud model – where the device you use (notebook, tablet, mobile) defines the client and the client simply interacts with the cloud service.

Even Gmail now has clients for iOS as opposed to stubbornly insisting that users use their HTML5 rendering. Taking this further, most Gmail users have pointed out that they see no need for an app or for using the HTML5 because they can simply set up their Gmail account on the iOS native email app and that gives them the best experience.

Facebook also realised this and eventually produced dedicated client/cloud apps for both iPhone and iPad after insisting – for years – that HTML5 was good enough.  The fact is, HTML5 is there as a catch-all for client app gaps, but it’s not the panacea we might have thought it would be.

Instead, the panacea is a consistent user experience – but not in the way people tend to think. The consistency of UX is device-dependent, not application specific. People want an iPhone email app to work in the way that works best on an iPhone, same with WP7 and Android. UI mechanics, look and feel, application switching, local settings and so on need to work the way apps for that particular device work;  otherwise it’s an annoyance.

Mobile notebook users running Windows will, I suspect, continue to use Outlook above OWA because it’s a Windows app with a rich experience and works the way Windows works. This leaves “bolted to the desktop” users with little to do in terms of remote access. They’ll use Outlook at work, and won’t use OWA at home or elsewhere – simply because they would have been given a notebook if they needed remote access anyway. So I see limited OWA use cases.

It’s all about client/cloud.

The rise of the app and the sophistication of touch UI means that you can’t dumb down the experience to a one size fits all anymore. Unfortunately, this also doesn’t mean that you don’t have to build HTML5 “clients” for end users – you’ll simply have to do all of the above, which is no mean feat for a service provider.  But the fact is, this approach makes perfect sense to the end user – and the end user is king in our future and just about everyone else’s.

Gartner’s Top Predictions for IT Organizations and Users, 2012 and Beyond: Control Slips Away, November 23rd


Co-founder and CTO
Mimecast


Mimecast recently commissioned Loudhouse, an independent research consultancy, to take a look at the Exchange Migration situation. The research tells us that there is a mass migration of Microsoft Exchange Servers going on right now. At Mimecast we call this ‘The Great Email Migration’ and some interesting facts and figures have been discovered.

Underneath the headline research figures there is a lot going on that struck me as interesting if not perplexing and clearly frustrating; I’m often talking to CIOs and IT Managers about their email infrastructure and recently their plans to migrate to the next version of Microsoft Exchange Server; I’m always assuming they’re planning to upgrade and migrate to Exchange 2010 or Office 365, but I’m hearing more and more choosing to stay a version behind on Exchange 2007, but not for want of trying.

Microsoft, and in fact Mimecast, are desperate to get you all off the old versions of Exchange, away from those Exchange 2000 or 2003 boxes that are still out there, but for so many the upgrade path stops at Exchange 2007. I began to wonder why this is, and after a quick unofficial straw poll I found a pattern emerging.

Firstly I noticed that upgrade plans for Exchange have been in the pipeline for quite a long time. Many people tell me they were planning to upgrade from 2000/2003 versions of Exchange to 2007 pretty much as soon as they heard about the new release. But given the scale of the upgrade the project took them longer to budget and plan for; most blame their own internal and overly complex procurement process, whereby a non-technical procurement employee vetoes or delays the project for trivial reasons.

Secondly, I’ve heard quite a few mentions of a “patch-and-pray” mentality to upgrades. Let me be clear, there is only so long this kind of support process lasts before your Exchange Admin is facing a late night and lost weekend due to some sort of failure, and that’s the last thing we want. At some point the CIO has to admit the business and the users have outgrown their email environment and it’s time to look elsewhere; but this overly cautious approach, akin to the “if it ain’t broke don’t fix it” method, means you’ll never be close to the latest version. Fear of change, hesitation and caution are the enemy of new technology.

All of this frustrating behavior adds up to significant delays; delays that leave your IT project plans looking like the airport departures board during a heavy snow storm. You know you’ll get there in the end, but the wait is agonizing and you would do almost anything just to “get on with it.”

A permanent cycle of delays means your Exchange environment could always be stuck a version behind. Given that Microsoft plan to release a new version of Exchange every three years, I’m always concerned when I hear of project life-cycles that are even longer; how can you possibly take longer to deploy the platform than it took the vendor to write the software in the first place? Don’t answer that, I already know how: project scope, evaluation, planning, more planning, more evaluation, procurement, re-scoping, procurement, deployment planning, re-scoping, procurement, and so on. Initial project evaluation to final deployment for Exchange 2007 could have taken so long that Microsoft have released Exchange 2010 in the meantime. And so the cycle continues.

Breaking the upgrade cycle is something I’ve written about before; now is the time. Seriously, Exchange 2010 is worth the effort, especially if you’re still floundering about with old versions like 2000 and 2003.

 

 


Doug Cavit, the Chief Security Strategist at Microsoft recently did a great video on Cloud Trust at 10,000 feet.

It boiled down to- Can you trust it and how does Microsoft do Cloud Security? Which raises the obvious question: How does Mimecast compare?

Doug is a really interesting guy- he was the CIO of McAfee for 8 years- protecting them from threats – an important job if you consider what happened to RSA. When he joined Microsoft he worked on the OneCare product team as Microsoft started to become more of a service provider in the security space, so he’s definitely one of those people that’s been on both sides of the table.

In the video he’s answering one of the questions we get asked most: How can I trust my data is going to be safe in the Cloud? And it’s a question we take more seriously than anything else.

The fundamental difference in Cloud vs On-Premise is control.

When your data is on your own equipment, you have ultimate visibility and control over the policies and processes that operate on that data, which means you can be the ultimate arbiter as to how it’s treated. With the Cloud, you aren’t. So how do you deal with that?

With Cloud, you need to trade control for transparency.

That’s the only sustainable way to cede control over something so important- your business data, and in our case, your primary communication method, email.

So we take transparency extremely seriously here at Mimecast, to the point where we have a whole team of people here dedicated to transparency- helping our customers receive the insight and information from us.

What makes a provider transparent and therefore trustworthy?

Policies are the jumping off point- ensuring these meet your requirements as a customer. Policies are fine, but how do you make sure they are followed into procedures? This has consistently been one of the hardest things for Cloud companies to prove because in an emerging sector like Cloud, standards always lag behind the technology. So we’ve had to forge best practices and procedures through collaboration with organisations like the Cloud Security Alliance, which is helping ISO update the Cloud security controls for ISO 27001. But we’re getting there, and hopefully soon we’ll have the most comprehensive ISO 27001 implementation of any Cloud provider to date.

What about reliability?

This is where the rubber meets the road. To take a phrase from the financial services industry- “Past performance is no guarantee of future results” couldn’t be further from the truth- what has the service provider delivered to date? Are they open about it? What’s their SLA to back it up? And we like to put our money where our mouth is too, with an industry leading 100% uptime SLA.

Thinking more broadly about putting your data in the Cloud- one of the most important things to think about is the actual data- how much risk does it represent? It sounds like a ridiculous question, but classifying the data is such an important part of GRC: you don’t need to protect your marketing brochures the same way you protect your trade secrets. Doug has a great quote from the video “I can’t protect something if I don’t know what it is”.

Thinking about the lifecycle of the data and your relationship with the Cloud provider is critically important-  I talk about Birth, Marriage and Divorce in my presentations. It’s easy to think about the birth and marriage when going to Cloud, but vital to think about divorce, in case you need to get it out at the end. It’s a tough question for structured data, like accounting or ERP but significantly easier for unstructured data like emails. Our customers can download their data at any time.

One thing he doesn’t mention is data sovereignty… where your data is physically located, which is becoming more and more important because of legislative requirements and judicial concerns, like the Patriot Act. Having your data located in the right jurisdiction is critical.

So like Microsoft we take a two step approach to security.

  1. We reduce vulnerabilities as much as we possibly can in software
  2. And recognising that issues will happen- when they do, the key is how you deal with them. Triage, Identify, Learn and Integrate that learning into processes. We’ve been doing that for 9 years- that’s a lot of experience built into our processes.

To top that off you can always reach a human being at Mimecast. Someone to help you resolve your issues and escalating them appropriately. I love that. When I got locked out of my Google Apps account the other day- it took a few days for them to respond to my email…

Having a deeper understanding of Cloud security will enable you to use the Cloud provider to do what they do well – abstracting your IT department away from the complexity of running the service.

So can you trust the Cloud? I think so. Like Doug says, just know what you’re trying to accomplish and make sure the vendor offers you the right amount of transparency.


Cloud Strategist
Mimecast


Looking at Exchange 2010?

In the Loudhouse research- “The Great Email Migration” commissioned by us at Mimecast- 57% of IT managers said they were upgrading to Exchange 2010 because of new features.

What are some of those features?

What’s been a real focus for Exchange 2010 is to directly enable the email user to do more, and to do it more easily.

Free/busy is a great example of where Exchange 2010 is a great improvement.

Free/busy is a well known feature to users worldwide, however in older versions of Exchange it’s nearly impossible to see the free/busy status of another user in another organization. Exchange 2007 enabled cross-forest free/busy lookup to another Exchange organization if the pre-requisites were in place. But it was still just free/busy.

Exchange 2010 builds significantly on that, by allowing organizations to federate with each other, and exchange free/busy information with detail, controlled by the administrators.

Assuming that partner companies in different forests and different networks need to see each other, Microsoft will broker and vouch for the authenticity of the relationship via a hosted service, and then enable each company to dial up or down the detail visible to the OTHER company’s recipients.

Free/busy is akin to the availability feature of Lync or OCS when it comes to making the decision to make a call or not. Seeing another company’s free/busy massively empowers users to work faster and more efficiently.

Another big step forward is MailTips with Exchange 2010 Outlook Web App and Outlook 2010.

MailTips enables the person emailing to see the Out of Office of the recipients before they send the mail. This eliminates that frustrating workflow associated with sending a mail again after thinking it was dealt with.

Managing availability between organisations and MailTips are just two of the many new productivity features available in Exchange 2010 which truly reclaim minutes in the information worker’s day. Help your people be more effective with Exchange 2010.

Migration on the other hand, isn’t always easy… so we’ve produced a series of webinars and how to guides to help you migrate in the Migration Readiness Kit (registration required).


Messaging Architect
NB Consult


Last week Mimecast announced the results of their Great Email Migration research, conducted by Loudhouse Research.  Loudhouse surveyed 500 IT decision makers in the US, UK and South Africa and asked them about their email migration plans.

According to the report, “The potential loss of data is at the top of the list with more than half (52%) of the companies mentioning this.”

Companies are right to be concerned at the possibility of data loss. Infrastructure which is in flux leaves companies vulnerable to data loss, due to bad process, unmanaged configuration change and/or bad discipline. How can companies possibly hope to mitigate these kinds of risk?

It is an old axiom that failing to plan is tantamount to planning to fail. In this context, planning should be a formal activity of every migration project, with a formal and on-going deliverable known as the migration plan.

Migration plans are only as good as the effort put into them and the accuracy of the scope which they are fed by. Accurate quantification of source environments, labs which approximate live environments, and a sample of representative user data are all prerequisites to ensuring a migration plan has the best possible chance of succeeding.  In fairness, most of us don’t migrate for a living, so it’s not unreasonable to expect not knowing where to start. Here we will offer two suggestions:

Follow the military approach to planning by starting with the end goal in mind, and working backwards through every objective until the base understanding of the requirement is defined, without knowing how to solve every objective or process requirement. The end goal must be a clearly defined business or technical requirement.

Follow up by adding process planning for each stage, known or unknown, and add technology choices last, so that technology becomes the enabler to the process, and not the other way around.

Migrations are epitomised by environments in flux. Flux is risky and is mitigated by process, planning and management. Migration planning, as an on-going exercise as well as a living document, is a foundation stone in the on-going exercise of mitigating on-going risk.


Messaging Architect
NB Consult

Microsoft Exchange 2010 is here, Exchange 2013 will be along at the end of next year and Exchange 2003 is out of mainstream support, so it’s fair to say The Great Email Migration has begun.

At Mimecast, we are always talking to CIOs and IT Managers about ways in which we can make their email management easier, and the conversation more often than not involves plans for migration. So, we commissioned Loudhouse, an independent research consultancy, to conduct a survey into email system upgrade plans. The results are being published today.

The rush to upgrade

With so many new features and enhancements being added to each new version of Microsoft Exchange it’s no surprise that three quarters of respondents told us they were planning to upgrade in the next two years; 57% even said within the next 12 months. Most are migrating to Exchange 2010 on premise, but 21% are headed for the hosted option and 13% for Microsoft’s Cloud-based Office 365.  As you read this, there’s a 1 in 10 chance that you have no plans to migrate at all, perhaps having recently completed a move to Exchange 2007.  Maybe you want to see what  Exchange 2013 (version 15) will bring? We’ve written on this blog before about Exchange 2003 and a reluctance to upgrade, but now the time is right.

The benefits are clear


In April 2010, Mimecast released a report entitled “Keeping the Enterprise Agile and Mobile” in which we examined the growing pressure to keep BlackBerry services up and running at all times.

At the time, we thought the results were pretty interesting and events over the past few days have played them out pretty well.

Our report found that the expectations of BlackBerry users are extremely high – 66% of respondents claimed that as much as one hour of downtime per month is not acceptable and a further 22% saying NO downtime is acceptable at all! I can only imagine how these users feel about the last three days’ worth of interruptions…

With the reported impact on support desks and the board level fall out that BlackBerry outages seem to cause, we were, at the time, surprised by the high percentages of organizations that had no provisions for high availability (41%) in place at all. A further 59% said they couldn’t provide continuity for their users and 61% don’t have an internal BlackBerry availability SLA.

So with these numbers, the corporate world breathed a collective sigh of relief when RIM announced that the outages that they have been having are only affecting their BIS and BBM users… Well, they sighed until their corporate users started complaining about service unavailability.


Enterprise Consultant
Mimecast