RCP Update


Microsoft Expanding IUR for Cloud Partners

More internal use rights (IURs) are now available to certain categories of Microsoft partners to allow them to broaden their experience with the new Office 365 E5 suite and to better enable them to create customer demos for Dynamics CRM Online.

Gavriella Schuster, general manager of Microsoft Worldwide Partner Programs, unveiled the new benefits this week in a blog post that also discussed the availability of the new Windows and Devices competency.

Microsoft released the E5 SKU of Office 365 in December and previously only made its IURs available to partners with the Gold Cloud Productivity competency. Some of the features exclusive to the enterprise-focused E5 suite include analytics for business intelligence and e-discovery, secure attachments and URLs, access control, cloud PBX and PSTN conferencing.

Under the new IUR scheme for E5, 100 IURs are available to Gold Cloud Productivity and Gold Communication competency partners. Partners at the silver level for either competency now get 25 IURs.

At the same time, Microsoft is making changes on the Dynamics CRM side to give partners more flexibility to create demo environments for customers.

"We hear from many CRM Online partners that you're building complex demo environments to showcase the value of the solution, and a renewable, 12-month demo environment would help you make full use of what you've built," Schuster wrote in the blog. "So, we're extending demo tenants for CRM and Cloud CRM competency partners: All CRM and Cloud CRM competency partners now receive up to 10 instances of Office 365 E3 and Microsoft Dynamics CRM Online Professional through the Microsoft Partner Download portal."

The changes are among a number of tweaks that Schuster has announced over the last few weeks as Microsoft readies changes to the Microsoft Partner Network for its next fiscal year, which starts July 1.

Posted by Scott Bekker on April 27, 2016 at 11:51 AM


SkyKick Deepens Exec Bench with Microsoft Vets

SkyKick added three senior leaders with Microsoft experience to its executive team as the company acts to bolster its marketing and accelerate its global expansion.

Seattle-based SkyKick, which provides tools for migrating and backing up Office 365 and managing Software as a Service (SaaS) accounts from multiple vendors, announced on Monday the hiring of Chike Farrell as vice president of marketing; Kathryn Saducas as general manager of Western Europe, the Middle East and Africa; and Anthony Philips as general manager of business development EMEA.

"We're really investing all up and down the stack with partners with technology and with people. We're trying to put all the resources and assets in place to help partners build successful cloud practices," said SkyKick Co-CEO Todd Schwartz in a telephone interview about the moves.

The three new hires deepen SkyKick's senior leadership team to 10 executives and support an effort to expand the business, especially internationally. While SkyKick has around 5,000 partners in 125 countries, about 60 percent of the company's revenues currently come from the United States, said Co-CEO Evan Richman.

L to R: New SkyKick executives Chike Farrell, Anthony Philips and Kathryn Saducas.

The marketing role is a new one for SkyKick, Schwartz said. "We actually have built SkyKick without a head of marketing. Bringing on Chike as VP of marketing really drives more engagement and education to grow our global partner base," Schwartz said. "This gives us the ability to give them more information, more content, more education and engagement. It's not around sell, sell, sell. It's about helping more partners engage with our technology and engage with our platform."

Farrell's B2B and B2C marketing experience includes Fortune 500 company marketing roles and a stint as co-founder and CEO of Caribbean Ideas Ltd., a digital and inbound marketing agency. Previously he had product management and advertising roles in the Online Services Group at Microsoft.

Saducas comes to SkyKick after a decade of channel-focused roles at Microsoft, including the launch of Office 365 in Australia, Surface commercial channel development in APAC, and cloud channel development in Latin America. She is based in SkyKick's Amsterdam office.

Philips, a lawyer who spent about 14 years at Microsoft in global business development, marketing, media strategy and other roles, will focus on telcos, hosters and large resellers in EMEA for SkyKick.

Posted by Scott Bekker on April 25, 2016 at 10:11 AM


Carbonite Updates Partner Program for EVault Era

Three months after closing the North American portion of its EVault acquisition, Carbonite this week began rolling out a new partner program to accommodate its broader product portfolio.

Carbonite announced the $14 million cash acquisition of the EVault assets from Seagate Technology in December. Founded in 1997, EVault had been part of Seagate since 2007. The North American portion of the acquisition closed in mid-January, although the European Union part of the deal stretched further into the year.

While EVault offered an SMB spin on business continuity and disaster recovery, its products take Carbonite higher up into the midmarket than it had been able to reach before.

The EVault products added as part of the acquisition included EVault Cloud Backup and Recovery, a software-only solution for server backup; the EVault Backup and Recovery Appliance; and EVault Cloud Resiliency Services, which provides Disaster Recovery as a Service (DRaaS) for failover in the cloud.

"With this acquisition, Carbonite is taking a big step forward in meeting the data protection and business continuity needs of the entire SMB market from home offices to medium-sized businesses," said Mohamad Ali, president and CEO of Carbonite, when the EVault acquisition was announced. "EVault's proven technology, which includes a line of highly scalable appliances and advanced disaster recovery as a service (DRaaS) capabilities, enables us to round out our portfolio and immediately provide the features and functionality larger businesses require to support their complex environments."

A product pyramid graphic in a slide deck that Carbonite provided to RCP about the new program (see above) shows EVault products dominating in the top four tiers -- from a 25-99-employee small business tier to a 1,000-plus-employee enterprise tier. Carbonite Server Backup is the product of choice for very small businesses (10-24 employees) and small office/home office (1-9 employees). Carbonite Pro and the Advanced Pro Bundle overlap some of those lower tiers. The Carbonite Personal line is mostly for consumers.

Along with the product segmentation, Carbonite is rolling out a number of other changes to its partner program, including revamped margins, more generous deal registration rewards and new roles within its channel team.

Posted by Scott Bekker on April 20, 2016 at 2:37 PM


MSP Platform Vendors Race To Integrate

Three major providers of managed service provider-focused platforms revealed substantial expansions or integrations of their platforms in the last week, highlighting the arms race among top-tier vendors to provide a one-stop toolset for an MSP's business.

Autotask on Monday announced the unification of its professional services automation (PSA) and remote monitoring and management (RMM) tools. Newly dubbed the Autotask PSA and Endpoint Management platform, the unification is supposed to make technicians at MSP companies more efficient by eliminating the need for them to toggle between systems, while also leading to new insights as they see previously disparate information in the same user interface.

"We believe services and devices are the foundation of any IT practice, and belong together in a single product experience," said Patrick Burns, vice president of product management for Autotask, in a statement. "We are delivering the ability to perform work via a single interface, and providing business stakeholders with unified analytics to better understand the relationship between service delivery and computing environments leading to more informed, strategic decisions about the business."

On the same day, SolarWinds N-able announced a more thorough job of pulling a recently acquired technology into its MSP portfolio. Last October, SolarWinds N-able released remote control access and support product MSP Anywhere, based on the acquisition of BeAnywhere. Initially, MSP Anywhere was a paid product for secure remote support of Windows PCs, Macs and iOS and Android devices.

This week, SolarWinds N-able integrated the functionality into its flagship N-central RMM platform. Called MSP Connect, the remote support and access feature is now a free component of the newly released 10.2 version of N-central.

In the most old-school of the recent batch of integrations, ConnectWise late last week announced a partnership with CentreStack, which offers a multitenant file sync and share product that competes with offerings such as Dropbox and Box. ConnectWise helped drive the RMM-PSA integration push with its investment in RMM provider LabTech in 2010, and also acquired the ScreenConnect remote control platform last year. The CentreStack integration is initially with LabTech, but ConnectWise intends to integrate it with its PSA platform soon.

Posted by Scott Bekker on April 20, 2016 at 11:52 AM


Microsoft Waives Fee for New Windows Competency

Microsoft on Monday launched a new Windows and Devices Competency, designed to highlight Microsoft partners with expertise in Windows 10 and mobility, with a fee waiver for partners who sign up for the silver level in the next two months.

The competency becomes the 29th competency in the Microsoft Partner Network (MPN). However, Microsoft announced plans last week to retire a dozen competencies over the next 18 months, including a Devices and Deployment competency that the Windows and Devices competency partially replaces.

"We had introduced the Devices and Deployment competency back with Windows Vista," said Gavriella Schuster, general manager of Microsoft Worldwide Partner Programs, in an interview. "The new Windows and Devices competency is based on Windows 10 and a lot of the new devices in the market. We want to shift partners out of this kind of amorphous Devices and Deployment competency, which also included Office and other things, and shift them into the Windows and Devices competency so customers understand that these are the partners that can help with Windows 10 and mobility."

The new competency was originally announced at the Microsoft Worldwide Partner Conference (WPC) in July 2015.

Some benefits of the new program include 50 additional product licenses for partners' internal use at the silver competency level and 100 additional licenses at the gold level.

Microsoft currently has four skills assessment path options -- system builder, deployment partners, Internet of Things (IoT) device builders, and application builders. Microsoft plans to release details later for a Certified IP path and a performance path for partners who are already selling Windows 10 devices.

Microsoft is also offering a short-term waiver for the silver competency fee. "To help you invest in your future, this silver competency fee is no-cost (through June 30, 2016)," Microsoft's Web page for the new competency reads. The gold competency will cost $4,730 for U.S. partners.

Posted by Scott Bekker on April 18, 2016 at 2:20 PM


Office 365 Sales Put Microsoft in Close 2nd in Enterprise SaaS

Microsoft is breathing down Salesforce.com's neck in the enterprise Software as a Service (SaaS) market, according to a new research report.

Synergy Research Group, which specializes in quarterly tracking and segmentation of IT and cloud markets, on Monday released a report showing Microsoft barely behind market leader Salesforce.com in the competitive enterprise SaaS market.

In an e-mail interview, John Dinsdale, Synergy's chief analyst and research director, said that while Salesforce.com is primarily a CRM play in SaaS, it was Office 365 that made the difference for Microsoft in 2015.

"Microsoft got really serious about migrating its huge Office customer base to a subscription-based model. Dynamics CRM Online is growing for sure, but it's Office 365 which is driving the SaaS market share gains," Dinsdale said.

Synergy did not release specific figures to the media, but an accompanying market share graphic (see below) shows Salesforce.com with just under 15 percent of enterprise SaaS revenues and Microsoft just a few percentage points behind.

"To give you a sense of where the two leaders have come from in terms of relative market position, in 2013 Salesforce enterprise SaaS revenues were over 2.5x those of Microsoft. In terms of current run rate, they are pretty much on a par with each other," Dinsdale said.

If current trends continue, Microsoft should overtake Salesforce.com in 2016. Microsoft had 70 percent year-over-year growth in 2015, compared to Salesforce.com's 21 percent, according to Synergy, which does not include home sales of Office 365 in its estimates.

Adobe is the next biggest enterprise SaaS revenue player, at just under 10 percent share, while SAP, at just over 5 percent, is fourth but growing the fastest with 73 percent annual growth. Rounding out the top 10 by market share are ADP, Google, IBM, Intuit, Oracle and Workday.

The enterprise SaaS market grew 40 percent overall in 2015, and Synergy forecasts that the market will triple in size over the next five years. Dinsdale said that although SaaS is a more mature market than other cloud categories, such as Infrastructure as a Service (IaaS) and Platform as a Service (PaaS), it is still "early days in terms of market adoption" for SaaS.

Posted by Scott Bekker on April 18, 2016 at 1:22 PM


On the Offensive: Microsoft Sues U.S. Government over Secrecy Orders

On the theory that sometimes the best defense is a good offense, Microsoft struck out at the U.S. Department of Justice and U.S. Attorney General Loretta Lynch with a lawsuit on Thursday.

The suit tacitly acknowledges one of the most powerful objections to using cloud services, in which a megavendor like Microsoft stores much of the most vital data for millions of customers in, virtually, one place. While centralizing that data under one vendor's control brings powerful cost efficiencies and delivers enterprise-class features for small customers and even home users, it also becomes an extremely attractive target for criminal hackers, spies and government investigators.

The specific parts of that objection that Microsoft is tackling with its lawsuit Thursday are two investigative practices of the U.S. government. One is investigators demanding customers' data directly from cloud providers like Microsoft, rather than from the customers themselves. The second practice is obtaining secrecy orders under the Electronic Communications Privacy Act (ECPA) that bar Microsoft from telling customers, often indefinitely, about the seizures.

"Microsoft brings this case because its customers have a right to know when the government obtains a warrant to read their emails, and because Microsoft has a right to tell them," reads the opening line of the 17-page complaint for declaratory judgment filed in the U.S. District Court, Western District of Washington at Seattle.

In the court filing, Microsoft argues that the twin practices are unconstitutional, violating both customers' Fourth Amendment protections against unreasonable searches because they don't know the searches occur, and Microsoft's First Amendment right to tell customers what has happened.

To document the scope of the problem, Microsoft noted in the filing that between September 2014 and March 2016 it received 5,624 federal demands for customer information or data, that nearly half were accompanied by secrecy orders, and that 1,752 of those secrecy orders contained no time limit.

Referring to a pre-cloud era when individuals and businesses stored their data first in file cabinets and later in PCs and on-premises servers, Microsoft's lawsuit contends that those individuals knew they were under investigation because they could watch authorities parading through their offices and leaving with their files or hardware.

"The government, however, has exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations. As individuals and business have moved their most sensitive information to the cloud, the government has increasingly adopted the tactic of obtaining the private digital documents of cloud customers not from the customers themselves, but through legal process directed at online cloud providers like Microsoft," the complaint states.

Partners got a taste of Microsoft's increased focus on protecting data from the government in July when Brad Smith, now president and chief legal officer of Microsoft, spoke for the first time at the Microsoft Worldwide Partner Conference.

In its complaint, Microsoft doesn't directly argue that current U.S. government policies threaten its cloud business model or make note of the international mood of distrust surrounding U.S.-based multinational companies.

However, one argument in the filing hints strongly at how much Microsoft perceives itself as being in a defensive crouch:

"These twin developments -- the increase in government demands for online data and the simultaneous increase in secrecy -- have combined to undermine confidence in the privacy of the cloud and have impaired Microsoft's right to be transparent with its customers, a right guaranteed by the First Amendment."

Posted by Scott Bekker on April 14, 2016 at 12:52 PM


Study: BYOD Usage Widespread but Security Is a Question Mark

Bring your own device (BYOD) usage is widespread, popular with companies and users, and largely mysterious when it comes to security, according to a new survey of 800 security professionals worldwide.

Conducted by Crowd Research Partners within the Information Security Community on LinkedIn, the survey was sponsored by Bitglass, Blancco Technology Group, Check Point Software Technologies, Skycure, SnoopWall and Tenable Network Security.

Respondents were overwhelmingly permitting BYOD in their organizations. BYOD was available to all employees at 40 percent of the companies and select employees at 32 percent of the companies. In addition, some organizations were enabling BYOD for contractors (23 percent), partners (16 percent), customers (14 percent) and suppliers (9 percent).

Top reasons for allowing BYOD included carrots for both managers and employees, such as improved employee mobility (61 percent), greater employee satisfaction (56 percent), increased employee productivity (55 percent) and reduced cost (47 percent). The most commonly allowed app by far for BYOD was e-mail/calendar/contacts at 84 percent. The second most popular app was document access/editing at 45 percent, followed by access to SharePoint or company intranet, video conferencing and file sharing/synchronization.

The top obstacle to BYOD adoption was also a usual suspect; 39 percent of respondents cited security concerns.

Drilling into that question, Crowd Research Partners found substantial support for a laundry list of specific security concerns. The biggest concern is the logical worry about mobile devices, which by nature travel beyond the company's front door -- data leakage/loss. Seventy-two percent of respondents selected that concern. Other high-ranking concerns, in descending order, included unauthorized access to company data and systems, users download unsafe apps or content, malware, lost or stolen devices, vulnerability exploits, and inability to control endpoint security.

Despite the explosion of BYOD usage and concerns over its use, the survey's authors expressed surprise at finding mobile security budgets aren't going up across the board. Only 30 percent of respondents said their mobile security budget would increase over the next 12 months.

Based on the phrasing of the question and answers to some of the other questions, though, it's possible that mobile security issues are being addressed through other IT spending line items. For example, 35 percent reported that additional IT resources were needed in the past 12 months to manage mobile security and 27 percent reported increased helpdesk workloads. In another question, 33 percent said integration between mobile security solutions and existing security platforms was critical, suggesting that mobile security concerns might be addressed within general security budgets.

Perhaps most telling was how little respondents admitted they really knew about what was happening with their users' devices when it came to security incidents. Asked if any of their BYO or corporate-owned devices downloaded malware in the past, 35 percent answered "Not Sure." That "Not Sure" was also the most popular answer (48 percent) to a question about whether any of their BYO or corporate-owned devices connected to a malicious Wi-Fi network in the past. And 37 percent weren't sure if mobile devices had been involved in security breaches in their organization.

Organizations are, of course, trying to bring those mysteries and security holes under control with various methods, according to the survey. Risk control methods include password protection (63 percent), followed by remote wipe (49 percent) and device encryption (43 percent). The most common tool in use is mobile device management at 43 percent. Some of the other solutions, in descending order, include endpoint security tools, network access control, enterprise mobility management, mobile application management, configuration controls, and mobile threat defense and management.

Posted by Scott Bekker on March 30, 2016 at 9:13 AM


Your Turn: What Are You Doing with IoT?

For our next print issue, we're working on a story about Microsoft partners and the Internet of Things. Are you already making money in IoT? Or do you have an idea where there's a pretty good Microsoft partner opportunity in IoT? Let's talk. E-mail me at sbekker@rcpmag.com.

Posted by Scott Bekker on March 24, 2016 at 10:30 AM


Dizzying Array of Landing Places for SQL Server 2005 Customers

When support for Microsoft SQL Server 2005 expires on April 12, Microsoft partners will have more choices than ever as far as Microsoft-approved migration paths for their customers. Many of those choices would seem very strange to those partners' 2005 or 2006 selves, who moved those customers onto SQL Server 2005 in the first place.

The first option is an old-fashioned approach -- upgrading customers to SQL Server 2014 or getting them ready for SQL Server 2016 when it is generally available later this year. Also familiar from the old Microsoft playbook is a parallel campaign to attract Oracle customers to the SQL Server platform.

Different, more timely and more interesting approaches available this time, or in the near future, are shifting customers' SQL workloads into the Azure cloud and, most notably, allowing them to run SQL Server on Linux.

Al Hilwa, an IDC analyst covering software development, contends no one should be surprised by now to see Microsoft separate SQL Server from its Windows Server dependency. SQL Server support for Linux is expected in mid-2017.

"At this point of the game we should understand that Microsoft means business as a multi-platform and open source player and begin to be less surprised by these 'hell freezing over' announcements," Hilwa said in an e-mail sent to reporters about the SQL-on-Linux move earlier this month.

"Azure is a full-service cloud that is intended to compete at the highest level of the market and competing on Linux is a must, not a choice. That Microsoft products like SQL Server have to come to Linux over time is also a business must," Hilwa said.

Beneath the headline-level surprises, such as SQL on Linux, are more significant changes in what Microsoft is asking its partners to do.

In the old days, it was enough for partners to handle the forklift upgrade project. Customers on an old version of SQL Server? Great, get trained on the differences in the next few versions and the vagaries of the migration process, and move them over. Project done.

More recently, Microsoft is showing a lot less love for partners who do that kind of straightforward work -- be it SQL upgrades, Exchange upgrades, SharePoint upgrades or Windows Server upgrades. Partly that's because Microsoft has made such big investments in its cloud infrastructure. Mostly it's because fewer customers seem to want that infrastructure on-premises, and they're getting more comfortable every day with moving vanilla infrastructure into the cloud.

There's still training and a need for partners to do the straightforward on-premise-to-on-premise SQL upgrade, as evidenced by one of the opportunities highlighted this week in a blog post by Phil Sorgen, corporate vice president of the Microsoft Worldwide Partner Group.

But look carefully at Sorgen's statement about where he's hoping partners will head.

"Beyond any single launch or feature release, we want to make sure you're ready to support your customers with a long-term data strategy, helping them become modern, data-driven businesses. In the past, making sense of data was a task reserved for experts and dedicated data scientists. With our new data platform and analytics capabilities, it's easier than ever to crunch the numbers and turn data into actionable intelligence," Sorgen said.

That's consistent with the "tackle Big Data projects" mantra Microsoft has been repeating to partners over the last few years. Microsoft senior executives have been trying to get partners to move up the value stack into helping customers with business intelligence, data analytics and machine learning projects to wring value out of the ever-expanding piles of business data they've been collecting.

What Microsoft wants now are partners who understand how to move workloads and customers to Azure or hybrid cloud deployments. They want partners who not only understand the technology but also understand their customers' businesses at a deep level.

The favored Microsoft partner of the near future is the one who can show a customer how to use Big Data to achieve business insights in their vertical, not just the one who can get the SQL Server database up and running.

Sorgen noted that Microsoft's latest tools, like Power BI, make it easier than ever to crunch the numbers. That's undoubtedly true, but that doesn't mean it will be easy for partners to make a business of it. The skillset required to handle a SQL Server upgrade is very different from the one that can help a customer leverage data for business insights. It used to be that partners could succeed by just understanding the technology of SQL Server. Now business expertise is becoming table stakes, as well.

Posted by Scott Bekker on March 24, 2016 at 12:20 PM


Annotating Microsoft's Trusted Cloud Principles

Microsoft's statements about its philosophy around the data held in its cloud matter.

As one of the two or three largest hyperscale cloud operators in the world, and one that is always angling to store more of its customers' data in Azure and its other services, Microsoft has an outsized influence on global perceptions of the cloud and on how closely technology companies and governments should work together.

For partners trying to sell their business customers on moving data to the cloud, those statements are important as a resource to present to concerned customers and as a key piece of evidence to weigh as partners evaluate whether the cloud is the right solution for a particular customer.

In a Monday blog post attributed to the Cyber Trust Blog Staff, Microsoft published an important list of its six "Trusted Cloud principles." Below are Microsoft's verbatim principles, with my comments following each:

You own your data, not us. When you use a Microsoft cloud service, you keep the ability to take your data with you when you terminate an agreement. When a subscription expires or you terminate your contract, Microsoft follows a 90-day retention policy and strict standards for overwriting storage before reuse.

The 90-day policy is key here for two reasons. One, it's important to understand that data is irretrievable, by policy at least, after 90 days. The other is that a constant standard makes for a de facto statute of limitations on government requests for data. If this works as advertised, government agencies can't go fishing through Microsoft data stores for evidence on old cases.

Your data is not used for marketing. Our enterprise business model is not based on exploiting customer data. We do not use your data for purposes such as advertising that are unrelated to providing the cloud service.

I read this as a dig at Google.

We don't use standing access. We've engineered our cloud services so that the majority of operations are fully automated. Only a small set of activities require human involvement; access to your data by Microsoft personnel is granted only when necessary for support or operations, then revoked when no longer needed.

This could reduce, but won't eliminate, concerns about rogue administrators inside Microsoft accessing customer data. At least the attention to the issue suggests vigilance on Microsoft's part, which may extend to steps like checking employees' backgrounds and monitoring access logs.

You can choose your datacenter location. Depending on which Microsoft cloud services you have, you may have flexibility in choosing where your data physically resides. Your data may be replicated for redundancy within the geographic area, but not transmitted outside it.

The intended audience for many of these policies, especially this one, is companies based in countries other than the United States, where concerns about U.S. government access to the data of a U.S.-based company run very high.

We protect data from government surveillance. Over several years, we've expanded encryption across all our services and reinforced legal protections for customer data. And we've enhanced transparency so that you can be assured that Microsoft does not build "back doors" into our products and services, nor do we provide any government with direct or unfettered access to customer data.

Microsoft's backbone about fighting government requests seems to be getting stiffer with each passing month.

Law enforcement requests must go through you. Microsoft will not disclose your data to a third party except as you direct or as required by law. We'll attempt to redirect third parties to request customer data directly from the data owner.

This is an important principle. However, the "required by law" caveat is big enough to drive a truck through. As long as governments require Microsoft to provide them the data, Microsoft will have to comply and is sometimes prevented by law from reporting that fact to the data owner. This is what makes using third-party encryption tools, in which the customer controls the keys, especially important for certain types of data and customers.

Microsoft is setting strong privacy and customer control principles here for customers of its cloud. The list is a slight evolution of what Microsoft has been saying publicly over the last few months. In all, the principles lay significant groundwork for the future of the cloud. How strictly Microsoft can adhere to these principles depends on legislation, court orders and executive orders in thousands of jurisdictions, but at least we know what Microsoft says it will try to do.

Posted by Scott Bekker on March 21, 2016 at 12:55 PM


Google Doubles Bug Bounty on Chromebook

Google is doubling its bug bounty for Google Chromebook.

Once controversial, bounty programs reward security researchers for reporting the vulnerabilities they find to the vendor rather than publishing the flaws publicly, exploiting the vulnerabilities themselves or selling them on the black market.

Google has been offering bounties since 2010, and currently calls its overall program the Google Security Reward Program. In total, the program has paid out more than $6 million since 2010, and Google disbursed $2 million last year.

However, the sub-program targeted at Google Chromebook, the Chrome Reward Program, hasn't turned up much yet in its top category, so Google is ratcheting that bounty up from $50,000 to $100,000.

"Last year we introduced a $50,000 reward for the persistent compromise of a Chromebook in guest mode. Since we introduced the $50,000 reward, we haven't had a successful submission. That said, great research deserves great awards, so we're putting up a standing six-figure sum, available all year round with no quotas and no maximum reward pool," Google said in a blog post credited to "Chrome Defender" Nathan Parker and "Hacker Philanthropist" Tim Willis.

Google Chromebook has relatively low market share, which historically has lulled vendors into a false sense of confidence about the security of the product. Like app developers who ignore Windows Phone to chase the much bigger addressable markets of the Apple App Store and Google Play, black-hat and white-hat security researchers have traditionally invested most of their time in the dominant Windows desktop OS platform.

With Chromebooks accounting for just 2.8 percent of all PCs shipped worldwide through the first three quarters of 2015, according to IDC, Google could be enjoying that security-through-obscurity cloak.

That share is way up from Google's 2014 mark of 1.9 percent of all PCs shipped, and Google is starting to take over a vital vertical sector in the U.S. market -- K-12 education. According to a December report by Futuresource Consulting, Google Chromebooks, with their low prices, manageability and perceived security, accounted for 51 percent market share in that education market. That's a similar route to the one Apple used to achieve much wider relevance in the PC market.

Google is smart to use a small part of its cash hoard to give security researchers a much stronger incentive to really kick the tires on Google Chromebook just in case it breaks out to a much wider market share. Better to deal with major flaws when the market share is relatively tiny than to discover them later when millions or tens of millions of users are at risk.

Posted by Scott Bekker on March 16, 2016 at 1:14 PM