On the theory that sometimes the best defense is a good offense, Microsoft struck out at the U.S. Department of Justice and U.S. Attorney General Loretta Lynch with a lawsuit on Thursday.
The suit tacitly acknowledges one of the most powerful objections to using cloud services, in which a megavendor like Microsoft stores much of the most vital data for millions of customers in, virtually, one place. While centralizing that data under one vendor's control brings powerful cost efficiencies and delivers enterprise-class features for small customers and even home users, it also becomes an extremely attractive target for criminal hackers, spies and government investigators.
The specific parts of that objection that Microsoft is tackling with its lawsuit Thursday are two investigative practices of the U.S. government. One is investigators demanding customers' data directly from cloud providers like Microsoft, rather than from the customers' themselves. The second practice is obtaining secrecy orders under the Electronic Communications Privacy Act (ECPA) that bars Microsoft from telling customers, often indefinitely, about the seizures.
"Microsoft brings this case because its customers have a right to know when the government obtains a warrant to read their emails, and because Microsoft has a right to tell them," reads the opening line of the 17-page complaint for declaratory judgment filed in the U.S. District Court, Western District of Washington at Seattle.
In the court filing, Microsoft argues that the twin practices are unconstitutional, violating both customers' Fourth Amendment protections against unreasonable searches because they don't know the searches occur, and Microsoft's First Amendment right to tell customers what has happened.
To document the scope of the problem, Microsoft noted in the filing that between September 2014 and March 2016, it received 5,624 federal demands for customer information or data, nearly half were accompanied by secrecy orders, and 1,752 of those secrecy orders contained no time limit.
Referring to a pre-cloud era when individuals and businesses stored their data first in file cabinets and later in PCs and on-premises servers, Microsoft's lawsuit contends that those individuals knew they were under investigation because they could watch authorities parading through their offices and leaving with their files or hardware.
"The government, however, has exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations. As individuals and business have moved their most sensitive information to the cloud, the government has increasingly adopted the tactic of obtaining the private digital documents of cloud customers not from the customers themselves, but through legal process directed at online cloud providers like Microsoft," the complaint states.
Partners got a taste of Microsoft's increased focus on protecting data from the government in July when Brad Smith, now president and chief legal officer of Microsoft, spoke for the first time at the Microsoft Worldwide Partner Conference.
In its complaint, Microsoft doesn't directly argue that current U.S. government policies threaten its cloud business model or make note of the international mood of distrust surrounding U.S.-based multinational companies.
However, one argument in the filing hints strongly at how much Microsoft perceives itself as being in a defensive crouch:
"These twin developments -- the increase in government demands for online data and the simultaneous increase in secrecy -- have combined to undermine confidence in the privacy of the cloud and have impaired Microsoft's right to be transparent with its customers, a right guaranteed by the First Amendment."
Posted by Scott Bekker on April 14, 20160 comments
Bring your own device (BYOD) usage is widespread, popular with companies and users, and largely mysterious when it comes to security, according to a new survey of 800 security professionals worldwide.
Conducted by Crowd Research Partners within the Information Security Community on LinkedIn, the survey was sponsored by Bitglass, Blancco Technology Group, Check Point Software Technologies, Skycure, SnoopWall and Tenable Network Security.
Respondents were overwhelmingly permitting BYOD in their organizations. BYOD was available to all employees at 40 percent of the companies and select employees at 32 percent of the companies. In addition, some organizations were enabling BYOD for contractors (23 percent), partners (16 percent), customers (14 percent) and suppliers (9 percent).
Top reasons for allowing BYOD included carrots for both managers and employees, such as improved employee mobility (61 percent), greater employee satisfaction (56 percent), increased employee productivity (55 percent) and reduced cost (47 percent). The most commonly allowed app by far for BYOD was e-mail/calendar/contacts at 84 percent. The second most popular app was document access/editing at 45 percent, followed by access to SharePoint or company intranet, video conferencing and file sharing/synchronization.
The top obstacle to BYOD adoption was also a usual suspect; 39 percent of respondents cited security concerns.
Drilling into that question, Crowd Research Partners found substantial support for a laundry list of specific security concerns. The biggest concern is the logical worry about mobile devices, which by nature travel beyond the company's front door -- data leakage/loss. Seventy-two percent of respondents selected that concern. Other high-ranking concerns, in descending order, included unauthorized access to company data and systems, users download unsafe apps or content, malware, lost or stolen devices, vulnerability exploits, and inability to control endpoint security.
Despite the explosion of BYOD usage and concerns over its use, the survey's authors expressed surprise at finding mobile security budgets aren't going up across the board. Only 30 percent of respondents said their mobile security budget would increase over the next 12 months.
Based on the phrasing of the question and answers to some of the other questions, though, it's possible that mobile security issues are being addressed through other IT spending line items. For example, 35 percent reported that additional IT resources were needed in the past 12 months to manage mobile security and 27 percent reported increased helpdesk workloads. In another question, 33 percent said integration between mobile security solutions and existing security platforms was critical, suggesting that mobile security concerns might be addressed within general security budgets.
Perhaps most telling was how little respondents admitted they really knew about what was happening with their users' devices when it came to security incidents. Asked if any of their BYO or corporate-owned devices downloaded malware in the past, 35 percent answered "Not Sure." That "Not Sure" was also the most popular answer (48 percent) to a question about whether any of their BYO or corporate-owned devices connected to a malicious Wi-Fi network in the past. And 37 percent weren't sure if mobile devices had been involved in security breaches in their organization.
Organizations are, of course, trying to bring those mysteries and security holes under control with various methods, according to the survey. Risk control methods include password protection (63 percent), followed by remote wipe (49 percent) and device encryption (43 percent). The most common tool in use is mobile device management at 43 percent. Some of the other solutions, in descending order, include endpoint security tools, network access control, enterprise mobility management, mobile application management, configuration controls, and mobile threat defense and management.
Posted by Scott Bekker on March 30, 20160 comments
When support for Microsoft SQL Server 2005 expires on April 12, Microsoft partners will have more choices than ever as far as Microsoft-approved migration paths for their customers. Many of those choices would seem very strange to those partners' 2005 or 2006 selves, who moved those customers onto SQL Server 2005 in the first place.
The first option is an old-fashioned approach -- upgrading customers to SQL Server 2014 or getting them ready for SQL Server 2016 when it is generally available later this year. Also familiar from the old Microsoft playbook is a parallel campaign to attract Oracle customers to the SQL Server platform.
Different, more timely and more interesting approaches available this time, or in the near future, are shifting customers' SQL workloads into the Azure cloud and, most notably, allowing them to run SQL Server on Linux.
Al Hilwa, an IDC analysts covering software development, contends no one should be surprised by now to see Microsoft separate SQL Server from its Windows Server dependency. SQL Server support for Linux is expected in mid-2017.
"At this point of the game we should understand that Microsoft means business as a multi-platform and open source player and begin to be less surprised by these 'hell freezing over' announcements," Hilwa said in an e-mail sent to reporters about the SQL-on-Linux move earlier this month.
"Azure is a full-service cloud that is intended to compete at the highest level of the market and competing on Linux is a must, not a choice. That Microsoft products like SQL Server have to come to Linux over time is also a business must," Hilwa said.
Beneath the headline-level surprises, such as SQL on Linux, are more significant changes in what Microsoft is asking its partners to do.
In the old days, it was enough for partners to handle the forklift upgrade project. Customers on an old version of SQL Server? Great, get trained on the differences in the next few versions and the vagaries of the migration process, and move them over. Project done.
More recently, Microsoft is showing a lot less love for partners who do that kind of straightforward work -- be it SQL upgrades, Exchange upgrades, SharePoint upgrades or Windows Server upgrades. Partly that's because Microsoft has made such big investments in its cloud infrastructure. Mostly it's because fewer customers seem to want that infrastructure on-premises, and they're getting more comfortable every day with moving vanilla infrastructure into the cloud.
There's still training and a need for partners to do the straightforward on-premise-to-on-premise SQL upgrade, as evidenced by one of the opportunities highlighted this week in a blog post by Phil Sorgen, corporate vice president of the Microsoft Worldwide Partner Group.
But look carefully at Sorgen's statement about where he's hoping partners will head.
"Beyond any single launch or feature release, we want to make sure you're ready to support your customers with a long-term data strategy, helping them become modern, data-driven businesses. In the past, making sense of data was a task reserved for experts and dedicated data scientists. With our new data platform and analytics capabilities, it's easier than ever to crunch the numbers and turn data into actionable intelligence," Sorgen said.
That's consistent with the "tackle Big Data projects" mantra Microsoft has been repeating to partners over the last few years. Microsoft senior executives have been trying to get partners to move up the value stack into helping customers with business intelligence, data analytics and machine learning projects to wring value out of the ever-expanding piles of business data they've been collecting.
What Microsoft wants now are partners who understand how to move workloads and customers to Azure or hybrid cloud deployments. They want partners who not only understand the technology but also understand their customers' businesses at a deep level.
The favored Microsoft partner of the near future is the one who can show a customer how to use Big Data to achieve business insights in their vertical, not just the one who can get the SQL Server database up and running.
Sorgen noted that Microsoft's latest tools, like Power BI, make it easier than ever to crunch the numbers. That's undoubtedly true, but that doesn't mean it will be easy for partners to make a business of it. The skillset required to handle a SQL Server upgrade is very different from the one that can help a customer leverage data for business insights. It used to be that partners could succeed by just understanding the technology of SQL Server. Now business expertise is becoming table stakes, as well.
Posted by Scott Bekker on March 24, 20160 comments
For our next print issue, we're working on a story about Microsoft partners and the Internet of Things. Are you already making money in IoT? Or do you have an idea where there's a pretty good Microsoft partner opportunity in IoT? Let's talk. E-mail me at [email protected].
Posted by Scott Bekker on March 24, 20160 comments
Microsoft's statements about its philosophy around the data held in its cloud matter.
As one of the two or three largest hyperscale cloud operators in the world, and one that is always angling to store more of its customers' data in Azure and its other services, Microsoft has an outsized influence on global perceptions of the cloud and on how closely technology companies and governments should work together.
For partners trying to sell their business customers on moving data to the cloud, those statements are important as a resource to present to concerned customers and as a key piece of evidence to weigh as partners evaluate whether the cloud is the right solution for a particular customer.
In a Monday blog post attributed to the Cyber Trust Blog Staff, Microsoft published an important list of its six "Trusted Cloud principles." Below are Microsoft's verbatim principles, with my comments following each:
You own your data, not us. When you use a Microsoft cloud service, you keep the ability to take your data with you when you terminate an agreement. When a subscription expires or you terminate your contract, Microsoft follows a 90-day retention policy and strict standards for overwriting storage before reuse.
The 90-day policy is key here for two reasons. One, it's important to understand that data is irretrievable, by policy at least, after 90 days. The other is that a constant standard makes for a de facto statute of limitations on government requests for data. If this works as advertised, government agencies can't go fishing through Microsoft data stores for evidence on old cases.
Your data is not used for marketing. Our enterprise business model is not based on exploiting customer data. We do not use your data for purposes such as advertising that are unrelated to providing the cloud service.
I read this as a dig at Google.
We don't use standing access. We've engineered our cloud services so that the majority of operations are fully automated. Only a small set of activities require human involvement; access to your data by Microsoft personnel is granted only when necessary for support or operations, then revoked when no longer needed.
This could reduce, but won't eliminate, concerns about rogue administrators inside Microsoft accessing customer data. At least the attention to the issue suggests vigilance on Microsoft's part, which may extend to steps like checking employees' backgrounds and monitoring access logs.
You can choose your datacenter location. Depending on which Microsoft cloud services you have, you may have flexibility in choosing where your data physically resides. Your data may be replicated for redundancy within the geographic area, but not transmitted outside it.
The intended audience for many of these policies, especially this one, are companies based in countries other than the United States, where concerns about U.S. government access to the data of a U.S.-based company run very high.
We protect data from government surveillance. Over several years, we've expanded encryption across all our services and reinforced legal protections for customer data. And we've enhanced transparency so that you can be assured that Microsoft does not build "back doors" into our products and services, nor do we provide any government with direct or unfettered access to customer data.
Microsoft's backbone about fighting government requests seems to be getting stiffer with each passing month.
Law enforcement requests must go through you. Microsoft will not disclose your data to a third party except as you direct or as required by law. We'll attempt to redirect third parties to request customer data directly from the data owner.
This is an important principle. However, the "required by law" caveat is big enough to drive a truck through. As long as governments require Microsoft to provide them the data, Microsoft will have to comply and is sometimes prevented by law from reporting that fact to the data owner. This is what makes using third-party encryption tools, in which the customer controls the keys, especially important for certain types of data and customers.
Microsoft is setting strong privacy and customer control principles here for customers of its cloud. The list is a slight evolution of what Microsoft has been saying publicly over the last few months. In all, the principles lay significant groundwork for the future of the cloud. How strictly Microsoft can adhere to these principles depends on legislation, court orders and executive orders in thousands of jurisdictions, but at least we know what Microsoft says it will try to do.
Posted by Scott Bekker on March 21, 20160 comments
Google is doubling its bug bounty for Google Chromebook.
Once controversial, bounty programs reward security researchers for reporting the vulnerabilities they find to the vendor rather than publishing the flaws publicly, exploiting the vulnerabilities themselves or selling them on the black market.
Google has been offering bounties since 2010, and currently calls its overall program the Google Security Reward Program. In total, the program has paid out more than $6 million since 2010, and Google disbursed $2 million last year.
However, the sub-program targeted at Google Chromebook, the Chrome Reward Program, hasn't turned up much yet in its top category, so Google is ratcheting that bounty up from $50,000 to $100,000.
"Last year we introduced a $50,000 reward for the persistent compromise of a Chromebook in guest mode. Since we introduced the $50,000 reward, we haven't had a successful submission. That said, great research deserves great awards, so we're putting up a standing six-figure sum, available all year round with no quotas and no maximum reward pool," Google said in a blog post credited to "Chrome Defender" Nathan Parker and "Hacker Philanthropist" Tim Willis.
Google Chromebook has relatively low market share, which historically has lulled vendors into a false sense of confidence about the security of the product. Like app developers who ignore Windows Phone to chase the much bigger addressable markets of the Apple App Store and Google Play, black-hat and white-hat security researchers have traditionally invested most of their time in the dominant Windows desktop OS platform.
With Chromebooks accounting for just 2.8 percent of all PCs shipped worldwide through the first three-quarters of 2015, according to IDC, Google could be enjoying that security-through-obscurity cloak.
That share is way up from Google's 2014 mark of 1.9 percent of all PCs shipped, and Google is starting to take over a vital vertical sector in the U.S. market -- K-12 education. According to a December report by Futuresource Consulting, Google Chromebooks, with their low prices, manageability and perceived security, accounted for 51 percent market share in that education market. That's a similar route to the one Apple used to achieve much wider relevance in the PC market.
Google is smart to use a small part of its cash hoard to give security researchers a much stronger incentive to really kick the tires on Google Chromebook just in case it breaks out to a much wider market share. Better to deal with major flaws when the market share is relatively tiny than to discover them later when millions or tens of millions of users are at risk.
Posted by Scott Bekker on March 16, 20160 comments
Tiffani Bova, an influential channel analyst who had the ear of senior Microsoft channel executives, has left Gartner for a newly created evangelism position at Salesforce.com.
Bova's sessions have been a staple of the Microsoft Worldwide Partner Conference (WPC) for years, and she was a regularly featured speaker at more intimate Microsoft partner gatherings. Microsoft was only one of her many clients, and she presented at dozens of other companies' partner gatherings.
She spent 10 years at Gartner, where she was a vice president, distinguished analyst and research fellow. She joined Gartner from a senior channel role at Gateway.
Her title at Salesforce.com is Global, Customer Growth and Innovation Evangelist. In a Q&A blog announcing Bova's hiring, she said, "Salesforce offered me a great opportunity to evangelize sales and innovation to the market and their customers -- and it was something I just couldn't pass up. When you're in the fourth or fifth chapter of your career, it's important to make sure you're going somewhere for all the right reasons. I wanted to go to an organization that is making a difference from both a business standpoint and, more importantly, from a social standpoint."
Bova said part of her new role will involve working closely with the Salesforce Partner and Alliance organization.
Posted by Scott Bekker on March 08, 20160 comments
Channel entrepreneur and Workspace-as-a-Service expert Michael Fraser is looking for beta partners for a new cloud workspace platform.
The startup is called Infinite Ops Inc., based in Mountlake Terrace, Wash., a suburb of Seattle.
The Infinite Ops Console Cloud is designed to simplify the process for partners and IT departments to deliver virtual workspaces powered by virtual machine-based servers in the Microsoft Azure, Google Compute Engine and Amazon Web Services public clouds. The platform includes an API for integrating with other cloud providers, and the company is working directly on a VMware integration with vSphere and vCloud.
"Infinite Ops was founded to provide IT service providers a very simple platform to add the whole stack around cloud workspaces to their business. I look at the cloud workspace as the main focal point of where service providers are going with their customers," Fraser said in an interview with RCP.
Fraser's design goal is to turn deployment of virtual workspaces for one user to thousands of users into a three-step wizard-based process that takes less than an hour.
The console supports mobile and desktop browsers, includes dashboards for monitoring multiple cloud deployments and will have an app store in a later version, Fraser said. A selection of cloud deployment templates allows for quick deployment for both Microsoft Remote Desktop Services and Teradici PCoIP protocol.
General availability is scheduled for the beginning of April, Fraser said, but interested partners can sign up for early access on the Infinite Ops homepage. He said the platform is geared for the service provider channel with multi-tenancy built into the product.
"Ideal partners are IT service providers, MSPs and CSPs who have clients they are already bringing to the cloud and who are looking to get to market with a platform that can simplify and speed up their ability to get workspaces in the cloud with no cloud engineering or development required," Fraser said.
Posted by Scott Bekker on March 07, 20160 comments
Opening what could be a new market opportunity for managed service providers, LogicNow recently acquired iScan Online Inc.
For now, LogicNow is primarily positioning the acquisition as a play for its IT professional customers. While many technologies perform automated vulnerability scanning, what's interesting about the iScan approach is that it focuses on quantifying the dollar value of at-risk data.
As an example, the tool hunts for personally identifiable information, such as Social Security numbers, driver's license numbers and credit card numbers within data-at-rest stores on servers and workstations.
Assigning a monetary risk to having such data exposed would make it far easier to build a business case to senior management for securing that data. Even though such monetary values must be arbitrary, an estimate that's based in real-world breaches would at least provide a legitimate starting point for setting appropriate priorities around properly securing the data. "Our mission is to help customers understand their risk to a data breach," explained former iScan CEO Carl Banzhof in the acquisition announcement.
Banzhof joins LogicNow as vice president of engineering, and will be part of the effort to build a new LogicNow product called MAX Risk Intelligence around the iScan product. For now, LogicNow customers who visit the MAX Risk Intelligence page are directed to download the existing iScan product.
LogicNow plans to integrate the forthcoming MAX Risk Intelligence product with its RMM tool -- MAX Remote Management.
It's easy to imagine how a product originally designed to help security officers protect their own corporate data and present budget requirements effectively to C-level executives would present a strong opportunity for MSPs to do security assessments with their clients and build slick business cases for new security-related projects.
Posted by Scott Bekker on March 03, 20160 comments
Microsoft's massive licensing partner, SHI International Corp., has acquired the professional services piece of a much smaller Microsoft partner this week to bolster SHI's post-sales services capabilities, especially around Office 365 and other Microsoft cloud products.
The deal for the 18-person professional services division of Winston-Salem, N.C. area-based Eastridge closed on Monday and was announced midweek. The amount that the global technology provider paid for Eastridge wasn't disclosed.
Travis Hargett, Eastridge's co-founder and president, joins SHI as managing director of services sales, reporting to Hal Jagger, SHI's vice president and general manager of corporate sales. The corporate division in SHI covers SMB and midsize customers.
Eastridge had been part of the SHI Elite Partner Program, performing deployment work and other projects for SHI customers that had bought Microsoft licensing for Office 365, Azure, SharePoint, SharePoint Online and Dynamics CRM.
"We were definitely familiar with them. It was really a good match because they were really able to add in their services alongside our expertise on the program side," said Ed McNamara, director of communications and marketing at SHI, in an interview.
The acquisition comes as Microsoft is pushing its partners to increase customer usage, or consumption, of Office 365 and other cloud product licenses.
McNamara said SHI's revenues around Microsoft products increased in 2015 by 12 percent. "Microsoft is our No. 1 partner, and we're their largest channel partner," he said. With that kind of growth, he added, "there was really a sense that we needed reinforcements."
Eastridge was one of a few partners in the SHI partner program providing services around Microsoft cloud products, McNamara said. The SHI partner program covers many other types of partners, such as those doing asset reclamation, and other geographies.
It's not immediately clear if adding 18 employees in North Carolina to a $6 billion company will provide the type of capacity that SHI will need to support its growth in Microsoft cloud services, or if SHI will need to continue to work with other partners.
"This was a fast and efficient way for us to increase our capacity in post-sales support," McNamara said. "Eastridge is going to be able to help us [deliver] on behalf of the customer more quickly."
Posted by Scott Bekker on February 25, 20160 comments
Managed service providers serving small-business customers got a new backup and disaster recovery appliance option this month through a partnership between Buffalo Americas and StorageCraft Technology Corp.
The TeraStation StorageCraft Recovery Center 25 is a new joint offering aimed at end-user companies with about 25 employees.
StorageCraft and Buffalo have partnered at a technology level previously to make sure that StorageCraft's business continuity software worked with Buffalo's network attached storage devices. A jointly marketed appliance is a first for the two companies, though. The companies say their collaboration transforms a general-purpose NAS into a disaster recovery device.
The 11-1/4-inch by 7-1/4-inch by 8-1/4-inch appliance weighs just under 17 pounds and sports 12TB of storage on four SATA 3.0 internal hard drives. The processor is an Intel Core i3 3.3GHz Dual-Core and the machine runs on 8GB of DDR3 RAM.
While it's a small device for small businesses, StorageCraft CTO Scott Barnes says the appliance will have a lot of flexibility for various use cases.
"If a small business wants local recovery only, great. If they want to replicate between two offices, no problem. If they want full cloud-base recovery, easily done," Barnes said in a statement. Out-of-the-box replication and recovery options include local-only, site-to-site and site-to-IT solution providers' colocation/datacenter with replication from any of those options to public cloud or to StorageCraft Cloud Services.
Bill Rhodes, director of channel sales at Buffalo Americas, positioned the appliance as an opportunity for Buffalo TeraStation resellers to generate service revenues and for StorageCraft software resellers to go to market with a more competitively priced configuration than they could build themselves.
Because of the small-business focus of the appliance, Buffalo is working exclusively through D&H Distributing. Estimated retail price for the appliance is $3,500.
Software in the package includes StorageCraft ShadowProtect SPX, StorageCraft ImageManager, StorageCraft Recovery Environment, Oracle VirtualBox and Windows Storage Server 2012 R2. Some software licenses must be purchased separately.
Posted by Scott Bekker on February 25, 20160 comments
For the upcoming March issue of RCP, we tried to fill an entire iPhone screen with solid Microsoft business and productivity apps and found more than enough. (The same exercise probably would have worked with an Android phone and Google Play.)
Since putting Word, Excel and PowerPoint onto competitive stores, Microsoft has continued to load those stores with useful apps. To name a few, we found Outlook, Yammer, Skype for Business, Sway, Delver, Power BI, OneNote, Office 365 Admin, OME Viewer, Comp Portal, Dynamics CRM and Groups, among others.
For a future RCP and RCPmag.com article, we have some questions for you:
- Which of Microsoft's apps for iOS and Android are key for you?
- How are you using these free add-on apps in your partner business to mobile-enable solutions, ignite user adoption and, to use one of Microsoft's verbs, delight your customers?
- Conversely, are there any Microsoft apps that aren't living up to their billing or their promise?
- Are there third-party apps that you use instead because they outperform Microsoft in its own wheelhouse?
- Are there key features that any of these apps need to add before they really become first-rate?
- Is there an app that you wish Microsoft would make?
E-mail me and share the knowledge.
Posted by Scott Bekker on February 22, 20160 comments