by Orlando Scott-Cowley
Last month Israeli security forces imposed their right to examine your email at their border crossings; the initial panic was calmed by a clarification from the Israeli Attorney-General stating the specific circumstances for the search. Previously, in 2009, the United States imposed a right to search your electronic devices, and keep them for further examination, at border crossings too—without any suspicions of wrongdoing. Are these signs that our local data is no longer private when we travel?
State-sponsored search of your devices and data has now become the latest privacy worry for international travellers; we’ve always been worried about malicious attempts to gain access to our data, or having our laptops stolen from airport security screening points, but now the case for travelling completely clean is made.
Many technology travellers I talk to have always maintained a set of clean equipment, which is only used on trips outside their native country. Before and after every trip their laptop, smartphone, and tablet get factory wiped and restored from a known good image. This is especially important when returning from a trip to ensure the platforms remain clean – those devices are also replaced more frequently than home devices, and are occasionally stripped to check for “extra hardware”.
Maybe; but more sensible than paranoid, as we’re in the days of state-sponsored hacking such as Flame, Stuxnet and Duqu.
If you’re wondering how you manage to work in such a sterile environment – have a think about how the cloud supports your remote working now. Keeping your data on your local hard drive isn’t the necessity it once was; it seems quite antiquated to me.
Cloud services that allow you to store your data online mean you’re only ever a click away from that data, and given the ubiquity of Internet access these days, that’s never a problem. Of course data stored in the Cloud isn’t beyond the reach of a search warrant or subpoena, but at least it’s not local on your device being carried through a border crossing.
Email inboxes should remain empty until you’re safely through a border crossing, and on a known and trusted network. Once you’ve downloaded your recent email remember to remove the account and wipe the device before you leave the country too; there’s no sense taking the precaution for inbound border crossing and forgetting about the outbound.
The same applies to file data: leave your files in the cloud and only access them when it’s safe. Don’t store anything locally unless you can securely wipe the hard drive after use.
From an enterprise IT perspective, CISOs and CIOs should educate their users on how to handle such incidents, and of course draw up a policy for international travellers. It does occur to me that your IT department can help, by disabling your access to ‘their’ services on your devices until you give them the go-ahead once safely at your destination. Deleting your stored passwords on devices would also prevent access to data not stored locally.
For travellers the Cloud should now be as essential as your flight socks and money belt. As someone before me once said – “Don’t leave home without it”.
by Orlando Scott-Cowley
This weekend Evernote became the latest cloud vendor to have its systems breached; user data including passwords has been compromised. In case this is news to you, a quick recap – Evernote assured us that passwords were correctly hashed and salted, unlike LinkedIn, who neglected to salt their passwords. Evernote didn’t tell us whether or not the salts were compromised too. The attack “follows a similar pattern” to others, so we can assume some sort of long-term APT-style compromise.
There are a couple of interesting observations one can make as a result of this last hack.
The usual amount of your-data-in-the-cloud-is-not-secure media hysteria has been dished out; no doubt some Evernote users will be busy deleting their notes as a result, even though their contents are probably as interesting as the ingredients list on a bottle of water. Being an Evernote user (yes, I have reset my password) I can’t help but think this isn’t about data in the cloud, or about the cloud at all; this is more about a target. Evernote was the target in this instance; before them it has been LinkedIn, Facebook, Yahoo, RSA Security, New York Times, Iranian nuclear centrifuges, the list goes on. Once the target has been identified, this sort of “coordinated attempt to access secure areas” is likely to succeed regardless of the data’s location. The data could be anywhere: in the cloud, a server on your LAN, one of your users’ laptops (Facebook), a mobile device, a filing cabinet (remember those) or even data left on someone’s desk – the attackers will use whatever means they need to compromise that data.
Secondly, if there is weak security protecting that data, again the location is unimportant. Putting the data in the cloud on a dedicated platform means, as in Evernote’s case, the breach can be monitored and contained by people whose job it is to do that. There is very little one can do to contain the old school espionage attack that reads secure material from your desk or even from your rubbish bin.
Evernote did the right thing and alerted its users to the hack, emailing them to advise password resets. They did slip up slightly though, by providing a link in the same email that also suggests users should “Never click on ‘reset password’ requests in emails — instead go directly to the service”. But to be fair, this is the first time Evernote has had to deal with this threat.
What this sequence of events really means is that 2013 could be the year that cloud service providers will rebalance their priorities, so that preparedness for attacks will be as important as getting the latest app version out the door, and also that we as consumers realise the importance of our data regardless of where we leave it.
by Orlando Scott-Cowley
Too many Enterprise SaaS and Cloud vendors focus their efforts on marketing and spinning a good story to attract new customers, rather than spending time or money looking after those customers once they have signed on. Once the ink is dry on the contract, ongoing service and support seems to be an afterthought.
According to newly released global research from The Enterprise Strategy Group (ESG), Enterprises value SaaS applications, particularly for email-management, but customers are facing significant service and support challenges plus a lack of ongoing aftercare from their SaaS vendors.
The “SaaS with a Face” report, which asked 248 global companies currently using SaaS-based e-mail management about their usage and service satisfaction, indicates the problem is so bad that of non-Mimecast SaaS customers 22% are looking for a new SaaS email management vendor.
Given some of the largest and most aggressively marketed vendors in the Cloud email management space are publicly listed companies, it’s quite clear their drive to attract new customers is part of a shareholder-pleasing business plan. Ongoing aftercare and customer satisfaction seem not to be a concern to them.
If these vendors want to grow, they need to wise up about their customers’ expectations. Service and support is a vital addition to an Enterprise SaaS product offering; simply delivering a fancy Web 2.0 interface, or expecting your customers to fend for themselves on support forums, is not enough. The ESG SaaS with a Face report identified that 66% of customers cited vendor support as an important vendor selection criterion; only 34% noted that they had actually achieved improved service and support compared to traditional software vendors. It would seem that well-known cloud vendors are letting their customers down.
The effects of bad service and support by SaaS email management vendors are wide and have a significant impact on their customers. When asked what service and support challenges customers faced with their SaaS email management vendor, the list of problems indicates a severe lack of aftercare; for example, 27% of non-Mimecast customers were not able to find the right person to solve their problem. A further 15% reported inexperienced support staff, while missed SLAs and long support wait times were reported by 18% and 17% respectively. Worryingly, 12% of non-Mimecast customers cited that some problems were never resolved.
For a true Enterprise SaaS vendor, offering industry-leading service and support is an essential part of the relationship we have with our customers. Unlike other SaaS and Cloud email management vendors who build their solutions by cobbling together a collection of acquired or OEM’d products, Mimecast’s infrastructure is purpose-built by our own team. This means we are not tied to 3rd parties for customer service and, importantly, can support our own customers to the high standards they expect.
This personal level of involvement by all our service, support, development and customer-facing teams means the Mimecast difference, or our “SaaS with a face”, really shows; our customers rate our award-winning customer support highly and, as a result, report satisfaction well above the industry average – 85% of Mimecast customers have no plans to move to a different vendor.
To read the complete ESG SaaS with a face report, click here. We also hope you like our infographic, embedded in this post, which reflects the findings of the report.
by Peter Bauer
Today it was confirmed that leading global private equity firm, Insight Venture Partners, has invested $62m in Mimecast. This will catapult us to even greater endeavors over the coming years as we build on our efforts and progress of the past nine. It’s a validation of the vision we had back in 2003, where we sought to consolidate the patchwork of fragmented LAN-based email infrastructure into a single cloud-based platform. We called it Unified Email Management (UEM), and today we’ve got more than 6,000 customers and 1.6m users on our service, processing, protecting and storing several petabytes of their most valuable business data.
However, my colleagues would probably agree that, now that ‘the cloud’ is going mainstream, some of the really interesting work and opportunities start here. First of all, more and more companies are buying into our UEM proposition. We compete strongly in multiple different markets here: email security, email archiving, email continuity and DR, DLP, eDiscovery, to name a few; and while we sell some of these things separately, our customer delight tends to come from the discovery that all of these things can be managed centrally through a single admin console, as all of Mimecast’s applications are built on a common platform.
Furthermore, some 50% of corporate email users are still on Exchange 2003 and Exchange 2007, many of them increasingly throttled by the ‘point’ applications they have added to their network over the last five years or more. We are still 100% committed to helping these people as they think about their migration path to Exchange 2010 and 2013.
New frontiers are emerging too. While some people like to mutter about the impending death of email at the expense of social media and enterprise collaboration tools, we unashamedly fight in the opposing corner. Email is the ONLY global standard for asynchronous communication in business. It’s the global standard but, perhaps, not the gold standard. It has some issues.
So we’re taking up the challenge of trying to take email, the one tool we all know how to use, and make it better at supporting the collaboration scenarios we all face so often nowadays.
We’ve worked hard on solving some of the big email infrastructure problems like security, storage and information management, and now we’re looking at the end user problems too. It’s here that the frustration with email is boiling over.
We think we can make email even better. We already offer an incredibly rich experience for users of Microsoft Outlook, integrating security settings that the user can configure on a ‘per-email’ basis before pressing send, and real time archive search. And we extend this user experience to the full range of smart-phones and iPads, and of course the web.
But while tools and devices, and apps, have a reassuringly contemporary feel to them from an IT perspective, it’s what we do with the data in the archive that really will make the difference.
Our industry appears to be obsessed with long-term data storage. Words like ‘vault’ conjure images of dusty archives of information locked away behind ten inch steel doors. Even the word ‘archive’ sounds too passive – too much like a whisper-quiet library; books gathering dust.
We see a world where the business – HR people, IT people, end users from all departments – dip in and out of the archive every day, using clever apps, or suites of apps, that enable them to collaborate on projects, visualize complex relationships in the metadata chains, search and browse documents from file stores, email archives or Sharepoint on an iPad …
We’re currently calling this the Interactive Archive, and it underpins an idea we’ve been working on for some time called Information Banking. In a few years’ time, there will be a handful of companies with whom businesses of all sizes entrust their corporate data. We’re betting that they will do it because it’s safer with us, but also because they can do more – an awful lot more – with that data once we’ve got it in our Interactive Archive.
So that’s the next leg of the journey we’re mapping out for ourselves and our new investment partners, Insight. It’s going to be an exciting ride.
by Orlando Scott-Cowley
This is the second post in the mini-series that I’m planning, to coincide with the Games taking place in London this summer. In my previous post I suggested the arrival of the Olympic Games in London will probably cause businesses to rethink how best to service their users, especially if a greater number of users than usual are working remotely.
This summer London’s businesses will have to face a set of untested scenarios as more of the workforce are driven to work outside of their normal patterns. Remote working in particular will be high on everyone’s agenda as the advice from Boris to Londoners is to get ahead of the games. Previously I suggested the Cloud as a solution to support you and your remote users, especially for highly demanded services like email; so here are ten ways the Cloud can help take the weight during the Games.
- Ubiquity of access: The Cloud, by definition, is available from pretty much anywhere you can get an Internet connection, but unlike your own remote access platforms it is built for access, and lots of it. Your users can access Cloud-enabled services from any device and any Internet connection; they’re not limited to a single VPN service or gateway.
- Scalability of access: Your own remote access service was something I covered in the last blog post, in that the in-house systems you’ve got were probably only designed for a small percentage of your users. The Cloud services your business can use are completely different – those services were built with the ubiquity of access (above) in mind, so won’t act as the remote access bottleneck like your on-premise solution.
- Make remote working easy: I often watch remote workers on trains and in cafés trying to access their corporate systems. Usually there is a VPN client required, a token of some sort, multiple interfaces and portals to negotiate, some even send a text or make a phone call. Most of the time all of these people want to do is simply hit send/receive in Outlook. I’m not being disparaging about access control or security policies, but very often the security applied is far too restrictive and as a result leads to point four below.
- Keep users in house: We already know from research that if you demand that your users jump through too many hoops to access your on-premise resources remotely, they will default to their own web-based platforms simply because they are easier to use. Using a cloud platform for business that offers the required level of security and accessibility means you can keep your users on the reservation, which is vital for corporate governance.
- Support mobile platforms & BYOD: There are limited ways your on-premise infrastructure can support users on the hoof, i.e. those who have a few minutes to kill and might have a smartphone or tablet to hand. Of course email is accessible on most devices, but normally a maximum of 30 days – not hugely useful if your users want to refer back to older messages. Deploying a Cloud platform that also supports users’ mobile platforms will give them the ability to be more productive for longer. If you don’t issue those devices but support a BYOD policy, then you really do need a platform that supports ubiquity of access like the Cloud.
- Keep corporate governance going: As I mentioned in point four, your users may be jumping out to other webmail services just to get their job done. For any IT Managers this will mean a governance nightmare, as the corporate perimeter no longer applies. Email in particular is susceptible to this problem, but using a cloud-based email management solution that is easy to access from anywhere, on any platform will mean your users are still under your control and your policies and governance will still be applied. Centrally.
- Deliver reliable and available services to users: As I mentioned in my last post, the Games are going to test your infrastructure to its limits. Most IT admins I know aren’t looking forward to finding out where that limit is, and wish they had thought about this sooner. Most reputable Cloud vendors will give you 100% availability; wouldn’t it be more comforting if that were an SLA you could pass on to your own business?
- Re-deploy your IT team more meaningfully: I doubt your highly trained IT team want to be waiting by the phone this summer. Some companies I know are letting all their staff work from home except their IT team in case something does go wrong; but wouldn’t it be more productive to let them work on those projects they’ve been putting off for years because of the constant firefighting? All of the points above indicate how your IT team are working to keep systems up and running, but also how the Cloud can take the weight of on-premise applications and augment them, freeing up the time of your IT team.
- Future-proof your environment: This will be the core topic of an upcoming blog post, but in short I’d suggest that changes you make to your environment now in preparation for the Games (if you’re not too late) will be like your own Olympic Stadium; you’ll enjoy the immediate benefit of the Cloud now, as well as finding a way of on-ramping the Cloud into your network for the future.
- Be prepared!: Need I say more? We used to talk about the cloud as an SME tool, but today enterprise-class businesses are using the cloud to augment their creaky on-premise services; the writing is on the wall, I think.