Matthew Sekol

"The basic tool for the manipulation of reality is the manipulation of words."

Category: Security

Why Microsoft Should Really Buy Blackberry

In all honesty, this is a hard sell. I’ve been supporting Blackberry in various capacities since they were little pager devices (collective Aww…). I’ve reveled in their downfall though, ultimately believing that ActiveSync was a much better solution than the old BES servers. Regardless, Blackberry is in its final throes, right? Well, maybe. Rumors about Microsoft purchasing them abound. The Motley Fool wrote 3 Reasons Why Microsoft Should Buy Blackberry, but I think they are widely missing the mark. At least I hope so.

Why the Fool is Wrong
Reason 1: Keyboard phones target business users
Had I been drinking when I read this, my monitor would’ve been splattered with water. iPhones, which are keyboardless, have a massive hold on the Enterprise. As Baby Boomers retire and Millennials come in, only Gen X-ers, like myself, might want keyboards on our phones. Frankly, I don’t know anyone who would. This argument seems counter-intuitive to Microsoft’s mobile first mantra and the capabilities you get with their Enterprise Mobility Suite (EMS) solution.

Microsoft believes the user is mobile. Long gone are the days of having 2 devices (work and personal) for the same person. Side note – if you have 2 devices, I’m sad for you, stop being paranoid already! What Microsoft is really driving is a consumer and business experience across one device with Enterprise level protection and segregation with EMS.

The last point here is around porting Blackberry’s key features and apps into Microsoft’s app store. Microsoft could do this, but why bother? Clearly, Android and Apple have the largest market share. Blackberry itself seems to have given up its own app store and can borrow from Android and Amazon.

Reason 2: Windows Phone Distribution Channels are In Place
Blackberry had a great distribution channel for years! They aren’t having a problem getting their phones out there; the issue is that no one wants them! Would Microsoft purchase Blackberry, convert their phones off Blackberry OS to Windows OS and then distribute? Possibly. Seriously though, I’m sure Blackberry knows how to distribute phones; they just don’t seem to be able to sell any.

Microsoft’s purchase of Nokia was at a turning point for Nokia. They had dropped out of the world’s top 5 phone manufacturers, but had started turning things around with the Lumia line. With Nokia’s integration taking a long time, would Microsoft bother rescuing a failing Blackberry to do the same? Man, I hope not.

Reason 3: BlackBerry Messenger could be a signature app
With the leak of Microsoft Flow and the rebranding of Lync to Skype for Business, and the consumer Skype, Microsoft is already sporting 3 chat platforms (arguably 2, but I listed 3, so there you go). Skype does support chat still and, in the Enterprise, Skype for Business underpins all Office collaboration. Would Microsoft buy Blackberry just for Blackberry Messenger? No. Would Microsoft integrate Blackberry Messenger into Windows 10? No. Would Microsoft integrate the features from Blackberry Messenger into Skype, Skype for Business, and possibly Outlook? This one I could believe.

What’s Matt’s Take on This?
I’m glad you asked. Admittedly, there could be some hardware benefits in Reason 2, but there’s something else that caught my eye recently. Amid the layoffs, Blackberry is ensuring Blackberry Messenger and their Enterprise Security Solutions remain intact. This protects Blackberry’s most valuable asset – their IP. Imagine if Microsoft integrated Blackberry’s IP into their existing EMS solution and Office 365. They could potentially shift the Enterprise market back to them.

I’ve long believed any player has an opportunity to recapture share in the mobile phone market because of the refresh cycle of the devices. I’m hopeful that Continuum, Windows 10, and their recently released application development toolsets will help them grow their app store and recapture market. Layering Blackberry’s security and encryption IP could make for a powerful play in the Enterprise.

Microsoft does have a problem though if this is their purchase strategy. Blackberry is larger than their IP at the moment and hard decisions will have to be made. The offer from Microsoft shouldn’t be large enough to cover everything Blackberry is doing currently, but rather where they are heading – a niche mobile security player. If this happens, Microsoft will get the true value of Blackberry.

Identity Theft – Through the Glass, Darkly

I read a lot, or at least I try to. My favorite author is Philip K. Dick. While a lot of Dick’s books deal with multiple levels of identity (and put them through the blender), I think even he would be hard pressed to imagine the world we’ve built around our identities and how freely we and others pass them around.

Dick wrote “A Scanner Darkly,” which is a fantastic novel, and one of Dick’s most insightful about identities. The story centers around a drug addict who is also the police agent that unknowingly is spying on himself. He looks at himself through a glass, darkly (i.e. a mirror). This dual self-identity without knowledge of ‘the other’ is almost as complicated as what happens every day when we sign in online.

When we’re hacked, we feel personally violated at the electronic breach of something that isn’t us. Sometimes when we’re hacked, it’s only one account out of a multitude. Regardless, that piece of us, that identity for that account, has been compromised.

There’s something more sinister going on besides this identity crisis though. Your identities are being extended and stretched out of your control.

You Don’t Own Your Online Identity
Anthem was hacked. I still have received no notice that my account was hacked, but my son did. He is 5 years old and was a customer through me. I’m not sure how only he was hacked, but he has 2 years identity theft protection, so ‘Woohoo,’ I guess.

When I mentioned this to someone else, they said that they had received a notice as well. Surprised, I asked which of their employers had Anthem. He said he never had Anthem as his insurance, but somehow he was in their systems and his data was compromised.

Anthem is a fantastic example of how you are not in control of your identity. Even if you think that you are careful with multiple levels of authentication or a minimum amount of online presence, it doesn’t matter. There are always back room deals for your identity and data. While it might not be usernames and passwords, it is you, in your digital form, being traded back and forth.

The thing that scares me most about the Anthem hack is not the hack itself. Instead, it is the fact that Anthem had non-customer data! How revealing a thing that is about our identities in this modern age.

What happened in the Anthem hack was that other non-customers in the independent Blue Cross and Blue Shield (BCBS) insurers that may have been serviced by Anthem at some point in the past were also hacked. I had no idea that if I was in an area covered by another BCBS company, my data could be shared with another provider. Yikes!

When you signed up with your company’s health insurance or direct deposit, you gave critical and vital information to another party (your company) and yet another party (the health care provider or payroll company) without a second thought. Who wants to prolong the onboarding process after all? But, now we’ve learned our identities are passed around to facilitate bureaucracy.

Why aren’t we more concerned about this?

Surely, my son was not at fault here, nor was my friend. In order to get essential services and get paid, I have to provide this information and to service me, companies need to share data.

Where does this leave us?
Well, people absolutely HATE government oversight, but at this point I’m not sure what else would do. Maybe an option would be a technology standard around social securities and/or identities – someone get to it!

Anthem and the BCBS network need to be held accountable. Not so much that they were hacked, but because they don’t have a better process. Both are, frankly, easily fixed with good IT solutions.

Online identity is a strange thing. Your electronic presence is something that you not only need to take care of, but something that is completely out of your control. For some reason, everyone is focused on the former and not the latter. The scariest thing to me is how my identity is being traded around without my knowledge.

“For now we see through a glass, darkly.”
1 Corinthians 13:12

At the risk of being possibly the only LinkedIn article with a Bible passage – When we look at our online identities, are we and those we’ve entrusted seeing them clearly or through the monitor, darkly?

Let’s Fix It: The Gap Between IT Budgets and IT Security


Are there any excuses anymore for not dedicating a serious effort towards your company’s IT Security?

There are some common and not so common things you might be thinking about for IT Security. Budgets and framing the conversation might be your biggest hurdle.

Here are 3 examples of how budget hacking can lead to…well, actual hacking, and something you can do about it.

The Basics – Economic Downturn
In the past decade, the economy has tanked. Enterprises were looking for ways to cut costs. DR, security and other proactive services were cut. These were the easiest targets because of the perceived low benefit.

Security Risk: The dedicated IT Security job has been cut and responsibilities scattered to folks wearing other IT hats. To compound the problem, other IT staff has been cut as well.

How to Communicate the Risk: This one is difficult to address because of the scope, and it takes the longest to ramp up. You may not even understand all of IT’s exposure. Don’t get too bogged down on the big picture!

Start reading security blogs and watch for similar companies in your industry that have been hacked and common ways hackers enter your network. Build your conversation with similar high risk systems that you may have and any low hanging fruit that can be addressed. This will at least get you some attention and put the company on the right path.

If your conversation is well received, you may want to recommend an engagement to identify risks. When you get the results, go beyond the technical and translate the risks into something the business can understand.

No one in the business will understand that you aren’t running an Intrusion Detection or Network Behavior Analysis system, but they will understand if that credit card system running under Gary’s desk could easily be stolen from your office.

The Not so Obvious – The Custom Written Application
For large Enterprises a decade or more ago, custom written applications were the cloud of the day. By hiring a small team of these computer geniuses, you could get exactly what you needed. I remember those guys, where did they go?

Security Risk: A critical database with customer information is still on SQL 2000. Despite the critical data stored here, the developers left years ago, but the application works too well to give it up. No group has stepped up to take ownership because no one wants the head count or developer budget to hit their numbers.

Side note – when planning cloud applications, define an application lifecycle so this doesn’t happen!

How to Communicate the Risk: In terms of critical and outdated applications, there are 2 risks.

1. The data is stolen because it is outdated and easily hacked – frame this conversation in terms of the data type and exposure risk to the media. Talk to your marketing team. They could lead you to other conversations with business units that could lead you to a real financial impact to the risk.

2. The application is taken offline and can’t be rebuilt because it is outdated – This is a bonus one! Find the business partners using the application. These folks should be able to provide potential business losses, etc. Depending on the exposure of the offline application, marketing could help you here as well.

Since we’re talking about not hiring security professionals, but developers instead, you should steer the conversation to the business units. Discuss the secondary benefit of adding functionality to these applications. You may find a business unit is aware of this risk and might take the headcount on if needed, or at least fund a quick project to get it done.

The One Thing Missing – Identity Management
Matt Zanderigo laid out a great framework to get companies thinking about how they can look at IT Security. If there was one thing I could add, it is that an Identity Management solution with a tight termination policy and consolidation of directory access supplements everything he’s laid out.

Security Risk: Your company has 4 directories, all with critical access to critical applications. There are 4 teams of people that are responsible for terminating access. One team has staff out of the office and terminations are just sitting there.

Ho boy, in this scenario, you are relying on so many disparate teams to terminate account access that you better hope VPN is first on your list and that you aren’t using cloud services!

How to Communicate the Risk: Review your termination SLAs, compare them against active accounts from HR, and provide a report of stale accounts to your management chain. Write up ways this risk is mitigated now (physical access controls, tighter VPN controls, etc.), but point to where the holes still exist.

You may not need a full blown Identity Management solution, but a project to build out a better account lifecycle management process could do wonders.
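
The stale account report described above can start as a simple reconciliation script. This is an added example, not something from the original post: the HR feed, the directory names, the CSV columns and the 24-hour SLA are all assumptions, and the sample data is constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data: an HR termination feed and account exports from
# three hypothetical directories, joined on employee ID.
HR_TERMINATIONS = "employee_id,terminated_at\n1001,2015-03-02T17:00\n1002,2015-03-09T17:00\n"
DIRECTORY_EXPORTS = {
    "corp-ad": "employee_id,account,enabled\n1001,jdoe,true\n1002,asmith,false\n1003,bkhan,true\n",
    "vpn": "employee_id,account,enabled\n1001,jdoe-vpn,true\n1002,asmith-vpn,true\n",
    "erp-ldap": "employee_id,account,enabled\n1001,JDOE,false\n",
}
SLA = timedelta(hours=24)  # assumed termination SLA


def stale_accounts(hr_csv, exports, as_of, sla=SLA):
    """List accounts still enabled for employees HR has already terminated."""
    terminated = {
        row["employee_id"]: datetime.fromisoformat(row["terminated_at"])
        for row in csv.DictReader(io.StringIO(hr_csv))
    }
    findings = []
    for directory, text in exports.items():
        for row in csv.DictReader(io.StringIO(text)):
            left = terminated.get(row["employee_id"])
            if left is None or left > as_of:
                continue  # still employed as of the report time
            if row["enabled"].strip().lower() != "true":
                continue  # this directory's team already removed access
            age = as_of - left
            findings.append({
                "directory": directory,
                "account": row["account"],
                "hours_open": age.total_seconds() / 3600,
                "sla_breached": age > sla,
            })
    return sorted(findings, key=lambda f: f["hours_open"], reverse=True)


def breaches_by_directory(findings):
    """Count SLA breaches per directory, i.e. per team owning terminations."""
    return Counter(f["directory"] for f in findings if f["sla_breached"])


if __name__ == "__main__":
    report = stale_accounts(HR_TERMINATIONS, DIRECTORY_EXPORTS, datetime(2015, 3, 10, 9, 0))
    for f in report:
        flag = "BREACH" if f["sla_breached"] else "within SLA"
        print(f'{f["directory"]:9} {f["account"]:11} {f["hours_open"]:6.1f}h  {flag}')
    print(dict(breaches_by_directory(report)))
```

The per-directory breach count is the number to put in front of management, since it shows which team's terminations are sitting unprocessed.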

Mind the Gap!
Budgets have different ways to hurt your IT Security efforts. As the economy turns around, it is time to start looking at ramping up your IT Security again. Quantifying the risk and translating it into a risk the business can understand is IT’s responsibility. In all these scenarios, a little investment and re-thinking your discussions can go a long way!

© 2017 Matthew Sekol
