Cambridge Display Technology is a UK-founded company that is leading the development of display technology based on polymer organic light emitting diodes. Their technology is used in mobile devices, screens and lighting. The company employs hundreds of scientists, engineers, and supporting staff around the world.
The company needed a high performance desktop virtualisation solution that would make supporting a distributed workforce easier. Constraints were space, power, CAPEX and a lack of availability of shared storage. End users were running a mixture of office automation and scientific applications.
A 64-bit Operating System was required in order to support the 6GB RAM desktops demanded by end users. Each hypervisor node was to support between 40 and 80 of those users. The only way to achieve the user density required while meeting the constraints was to use dedicated Virtualisation Appliances. The platform chosen provided an integrated IOPS sink, continuous performance and health monitoring, and a redundant N+1 configuration. The solution was designed to support expansion, including applications that require virtualised GPU capability.
Where once only basic "office" desktops could be supported in any number, and the hardware (in particular shared storage) required to do so was prohibitively expensive, it is now possible to support far more specialised classes of user and application. Furthermore, such users can be supported at high densities without the necessity of expensive shared storage, thanks to the in-built IOPS sink and performance management features of Virtualisation Appliances.
Friday, December 30, 2011
Thursday, December 29, 2011
360is End Of Year Message, 2011
2011 was another year of growth for 360is and for many of those with whom we work. Our base of Financial Services clients has seen a rebound since the darker days of 2009, and we have continued to expand into Scientific and Research Intensive sectors with several new projects and clients in Cambridge. As a result of this, we were pleased to welcome another Cambridge-based senior consultant to the practice. We continued to execute Virtualisation, Security, and Performance-related engagements for our clients, and maintained our focus on short-term (less than 3 months), fixed-price projects, with a vendor-independent, client-focused approach.
Inside 360is in 2011
- Security work consisted mainly of Security Assessments, Penetration Tests, and Post Incident work, but grew to include Application Security Assessments, with significant new clients in the online gaming sector. We have also seen an increase in Distributed Denial Of Service (DDoS) mitigation projects. More companies with an online business model established themselves as brands, and therefore attracted the attention of extortionists, activists, and attention-seekers.
- Virtualisation made up almost 50% of projects; however, the emphasis shifted from first-time production roll-out to 2nd or 3rd stage "3-5 years on" projects. We recently doubled the density of an already-virtualised estate of 500+ VMs as part of a hardware refresh cycle. Service Provider Virtual Desktop Infrastructure (VDI) projects also grew in 2011. 360is worked in partnership with clients' Architecture and DevOps staff to deliver industry-leading high-density, high-margin VDI to tens of thousands of users.
- Performance-related projects were driven by a combination of CAPEX freezes and business growth, and were concentrated around storage systems. Due to continued difficult economic conditions in the UK, and recent shortages in hard drives, we expect this trend to continue into Q1/Q2 2012. In the last 18 months, data volumes have increased dramatically in Media (HD and 3D), Geo Sciences (ultra-wideband sensors), and Life Science (faster, cheaper, sequencing). These trends drive up data volumes and the demand for performance, as the bottlenecks move downstream.
360is Outlook For 2012
The outlook for 360is in 2012 is good. Industry trends favour our long experience, technical capability, and vendor-neutral approach to problem solving.
- There will be fewer new infrastructure projects in 2012 (semiconductor sales were essentially flat in 2011). Supply chain disruption caused by floods in Thailand will provide even greater incentives to extend the life of existing platforms through careful optimisation and tuning. Although hard drive prices are stabilising, availability remains poor unless you take spindles as part of a large purchase from a major vendor. 360is can help you grow in spite of these difficulties; engage us to execute the following projects:
- Storage Consolidation/Re-Tasking
- Storage Performance Tuning
- Storage Tiering
- Rising energy costs and the practicalities of power distribution will continue to constrain some projects and have a significant impact on hosting and colocation costs. A recent study by 360is revealed that those renewing 3-year contracts for data-centre space typically saw a 40%-50% increase in annual charges, with colocation customers under pressure to migrate to higher-margin, higher-price fully managed hosting contracts. If you virtualised some years ago, 360is consultants can help you find an encore: we can further streamline your operations and deliver greater VM densities and lower OPEX costs through the use of new methods and technologies.
- High Density, Low Power Virtualisation Appliances
- Data Centre selection and evaluation
- Cloud or hosting provider selection and evaluation
- Recent wide-scale civil unrest across UK cities brought Disaster Recovery and Contingency Planning into focus in 2011. Further disturbances are set to occur as a variety of protest and pressure groups plan disruptions in 2012. Whether it be city-wide riots or attacks against individual organisations, it is now more important than ever to make sure you have a solid, rehearsed Disaster Recovery or Business Continuity plan. 360is consultants have executed many successful projects in the areas of DR/BC.
- Secure hosting/colocation outside London
- In-house Disaster Recovery Infrastructure
- Replication and High Availability or Fault Tolerant Systems
- Denial Of Service Mitigation
If your team is challenged to deliver any of these projects, 360is can help you do so, on time and on budget, in a way that is tailored to your organisation's individual circumstances. We look forward to working with you in 2012.
Wednesday, August 24, 2011
360is Completes Migration to New Data Centre
360is have recently completed a data centre migration from our primary location (shared with the Manchester University Supercomputer) into a new facility nearby. We continue to maintain a presence at both sites, which have layer-2 adjacency. The motivation for the move?
Power costs.
UK consumers are seeing domestic bills increase this year by 18% for gas and 10% for electricity. The UK electricity price broadly tracks natural gas futures, so we can expect further rises in the months and years to come. Since 2004, electricity prices have doubled from below 3.0p/kWh to 6.0p/kWh. At that rate they will be between 8p and 9p per kWh by 2013, an increase of 40% from today.
UK Energy Prices, Gas and Electricity, 2004 to 2011, Source: BuyEnergyOnline
Since many companies sign 3-year contracts with their provider, increases of 30-40% in the power-portion of their data centre costs are common upon contract renewal. Although the long term trend for network bandwidth prices is down, the reduction is nowhere near enough to offset the power cost increase, particularly since most companies have modest bandwidth requirements.
Besides contracting with a new data centre, 360is have also deployed energy-efficient virtualisation appliances to reduce overall power consumption. These systems provide large VM carrying capacity (up to 384GB RAM in a 1U unit) in a tiny power envelope (between 120 and 300 Watts depending on utilisation), and they can carry hundreds of VMs.
By re-contracting at a new site, and replacing commodity systems from HP and Dell with dedicated virtualisation appliances, we have been able to mitigate the hike in power costs.
If you have received a shock when presented with a new data centre, hosting, or colocation contract then speak to one of our consultants. Together we can formulate a long term strategy to better insulate you from increasing power costs.
Tuesday, August 16, 2011
360is Welcomes New Consultant
We'd like to welcome another new consultant to 360is. Miles is an ex-UUNET consultant who worked with the 360is founders in the 1990s, where he specialised in secure Internet gateway deployments and UNIX/Solaris hosting. At UUNET he managed the secure Internet gateway infrastructure for BP/Amoco at 7 international sites. Back then, Miles drew the short straw and did all the on-site work in Bogota.
Miles has many years' experience in the ISP and data centre world as consultant and engineer, and more recently has been operating a VMware estate for a UK-based display technology company. He is based in Cambridge.
Welcome Miles!
Friday, August 12, 2011
360is at DSEi 2011
Three Sixty will be present at the 2011 Defence & Security Equipment International, held at the ExCeL Centre, East London, between City Airport and Canary Wharf. Between the 14th and 16th September we shall join with our clients and partners in the exhibition hall, briefings, and break-out sessions.
Just as in 2009, the 2011 conference will be attended by a range of military, intelligence, government, and private organisations. There will be 25,000 delegates and over 1,200 exhibitors. Of the many streams and seminars to attend, we recommend that our clients and partners check the following briefing:
Intellect Cyber Security Briefing
Briefing Room Two
15th Sep 2011
14:00 - 16:00
Agenda:
- The threat landscape
- The impact on the Defence industry
- How SMEs can protect themselves and the supply chain
- Virtual Task Force (industry response to cyber threats)
- Reactions to the UK Government's Cyber Security Strategy
Tuesday, August 02, 2011
XenServer & The City, London LinkedIn Group
There is now a LinkedIn group for those end users running or evaluating Citrix XenServer in the City Of London.
New members will need to be approved before being able to post (to keep the SPAM out), but otherwise the group is open to members. Feel free to invite your colleagues and contacts. Discussions can only be read by other members of the group. This group is operated for the benefit of end users; sorry, vendors/resellers.
Running IT operations in one of the world's largest financial centres puts extreme pressure on infrastructure managers:
- Data center space is in short supply, driving up prices and driving out colocation to make way for fully managed hosting customers. Hosting offers higher margins and reduced churn rates to service providers, but does not suit everyone.
- Power demand continues to outstrip supply as it has done for years, although there is some hope this will improve after 2012. Lack of power in London has been a recurring problem!
- Cooling. Due to the Urban Heat Island effect, central London can be up to 10 degrees warmer than the surrounding area. This places further strain on cooling plant and equipment. We have just entered what is traditionally the warmest month.
These factors have driven city sysadmins to ever more dense virtualisation and higher levels of utilisation. However, maintaining mission critical systems under such conditions is a challenge.
The XenServer City Of London Group activities outside LinkedIn will likely include occasional informal get-togethers (yes, that means drinks), briefing sessions, peer talks, and perhaps even collaborative projects. The group will also provide leverage for pushing bug fixes and feature requests back into Citrix Engineering through our longstanding relationship with the development teams.
As with any user forum, you get out what you put in.
In other words "ask not what this group can do for you, but what you can do for this group".
Monday, August 01, 2011
Maximising VM Density
Maximising Virtual Machine Density is one of the few topics that is of interest to both engineers and business managers alike. With recent announcements from VMware, even Procurement and Finance Directors have reason to show an interest in this subject.
Being able to run a very large number of Virtual Machines on a very small number of physical hardware platforms (servers, switches, storage, racks) requires a high degree of technical skill and great operational discipline. Not every IT team has both in the right measures.
For business managers, VM density may be directly linked to profitability (hosting, cloud, or something-as-a-service providers). For other kinds of company, VM density may be just another marginal competitive advantage among many, rather than an outright ace.
One thing we can be sure of, for companies using our favorite metric (IT Head Count to Free Cash Flow), increasing VM density can be a primary ratchet for achieving operational efficiency. It is the essence of "doing more with less", and can link IT performance to business outcomes.
360is consultants regularly work with our clients to maximise their VM density, either as part of a performance tuning exercise or a new-build data center project. We were recently invited to present on the subject of maximising VM density at the Citrix XenServer UK User Group's regular meeting in Cambridge. We covered:
- Hardware Selection, down to the component level
- Hypervisor Configuration (we limited things to XenServer)
- Performance Monitoring
- Operational Practices
Delegates from some of the UK's largest companies were present, along with a mixture of hosting service providers, government, and educational establishments. We were pleased to see a few familiar faces from our own client list.
For those of you who could not make the event, you may obtain the slides in PDF form here. If you had not previously registered for the event then you will have to enter your Email address in order to access them.
If you would like to speak to one of our consultants about increasing VM density in your data center, or you would like to register for the next event, then please get in touch.
--- Update 25-07-2011 18:20:21
The application shown on the slides displaying performance and capacity planning information is the Virtual Estate Manager, which is part of VMC's high density virtualisation appliances.
Measuring IT Performance & Spending
Industry analysts never seem to tire of debating the factors that drive IT spending; it may be their favourite subject. In our experience, IT spending is driven primarily by 4 factors:
- Your choice of products and technologies
- Your business processes
- How your organisation is structured
- The way in which you interface with customers
It is for this reason that measuring the IT department's performance through a set of ratios and comparables has become the industry analysts' second most popular topic after debating spending drivers.
So how should we measure the performance of IT in 2011?
We already know that about 70% of all IT budgets are contractually committed to software or hardware maintenance, telecommunications, and managing what is already running. After taking out another 15-20% for migration/end-of-life projects, this leaves about 10% for innovation. With such a large part of the budget locked out from the effects of short-term management changes, it does not make sense to use the IT budget figure itself as part of a performance metric. Instead we can use something better...
At 360is each of our consultants has over 15 years' experience helping our clients make product and technology decisions. As vendor-neutral advisors we can help you get the maximum value from your IT budget through fixed-price engagements and periodic intervention in your mission-critical projects. We are able to assist in budget justification and vendor negotiations, and act in the sole interest of our client. If you have a project that would benefit from our contribution then please get in touch.
Monday, February 07, 2011
Welcome To 2011, Year Of The Rabbit
This year our normal New Year message to clients and partners comes exactly one month late. Another way to look at it (with the Chinese New Year starting February 3rd) is that we are bang on time.
一个好年头 (Another Good Year)
2010 was another year of growth for 360is, with more clients in new sectors and a formalised datacenter performance practice. We deepened our profile in Private Equity with more virtualization projects (VMware and XenServer), and in mainstream Investment Banking with more VDI (VMware View and XenDesktop) assignments. Our Security practice continued with steady growth, and included new business from UK-based online gaming and "dotcom" sectors. 360is now counts among its clients several of the UK's fastest growing and "best to work for" companies. While the UK Economy may have disappointed in December (particularly retail), through 2010 we saw our Financial Services, Mining/Metals, and Hi-tech Manufacturing clients rebound.
年更强 (Stronger In 2011)
The outlook for Q1 2011 is better than many thought. For the services sector at least, it looks like the December 2010 disappointment really was snow related, or was everyone at home with flu? This year promises more investment activity, increasing demand for raw materials (China again), and growing orders for our UK Hi-tech manufacturers.
We expect the trends of 2009-2010 to continue for 360is:
- Increasing average project size
- Steady rate of new client acquisition
- Increasing number of projects per client
- Steady geographical focus on UK, South East
- Increasing client diversity beyond historic finance/telecoms base
- Steady ratio of bookings to billings to backlog, no credit risk
- Conservative recruitment strategy focused on "talent" not "resource"
科技是一个礼物 (The Gift Of Technology)
What technological gifts did 2010 bring our clients, and how can we best use them to increase their prosperity in 2011?
Multi-Core Systems
Multi-core systems have been around since at least 2005. One fact of which you may not be aware is that x86-64 CPU manufacturers have long since given up on making CPU cores go faster. Faster cores require more exotic materials, more expensive cooling apparatus, more complex micro-architectures with only marginal performance gains, and present all sorts of problems with manufacturing yield. That last point frightens shareholders to death. Instead, today, Intel and AMD devote most of their efforts to making more cores per square millimeter of silicon. More cores means more processing capability. Problem solved, right? Not really.
While increasing the number of cores (made possible as transistors get smaller) does increase theoretical performance, in practice this must be balanced with the right amount of memory bandwidth and core-to-core interconnect design. Even then, our problems have only just begun. The fact is that most software does not take great advantage of multiple cores; more serious still, most programmers lack parallel programming skills. Finally, there are many classes of computational problem which are serial in nature, and are never going to gain much from running on a multi-core CPU.
Won't Microsoft/Oracle/IBM/VMware sort all this out for me? Not really.
While technologies like virtualization (whole-system or zone-based) allow you to run many workloads on a single CPU (keeping many cores occupied at once), they do nothing to speed up the execution of any one task or thread of activity. In order to speed up your IT from the end user's perspective you may have to resort to more carefully considered system performance tuning, and that may require a deeper understanding of systems hardware and application software than your staff possess. The really big gains in performance can't be had by simply adding a product here and a patch there.
360is consultants have extensive experience in squeezing the maximum performance out of an infrastructure. Using a toolkit of repeatable intellectual property we are often able to increase performance even for serial, single threaded processing through our formal methods approach. Find out more about our performance practice.
Non x86-64 Servers And Other Novel Hardware
If, like most of our clients, you are in the UK, then IBM Power CPUs calculate your insurance premiums, Oracle SPARC processors compute your taxes, and Intel Itanium processors keep your commuter train running on time (mostly). If you are out of work, then it's an IBM z10 CPU that you have to thank for paying your benefits. While Intel or AMD x86-64 systems dominate in the front office, the back office is more mixed, and with good reason. No, these particular systems do not run Windows or Linux.
This year x86-64 front-office systems will be joined by new servers based upon ARM, Loongson, Atom, and SPARC-T3 CPUs. So the next time you visit your hosted/colocated systems in a shared datacenter, keep an eye out for them. If you want to know how these systems might provide a competitive advantage to your business, get in touch. 360is has a record of working with novel hardware platforms that increase the profitability of our clients.
The Inevitable Spread Of Productivity Services
Technology vendors continue to channel hundreds of millions of pounds a year from their marketing budgets into rebranding products and services "for the cloud". At 360is we call this "cloudwashing"; it is much like the "greenwashing" that the same vendors underwent a few years ago. However, through the fog of cloudwashing there is value and real adoption happening in the world of cloud services. At 360is we are users of cloud-based productivity tools like Evernote, Dropbox, ManyEyes, and Google Chrome (as a tool to access other Google services). These productivity services offer an inbuilt ability to work anywhere, on any device, over any network. Whether or not they conform to your security policy, your users will soon be using services like these. If they make life easier then they will spread in the same way that instant messaging spread a decade ago.
360is can help you select and standardise upon productivity tools and provide secure remote access to your confidential information.
VDI - Virtual Desktops - Desktop As A Service
Virtual Desktop deployments continue to grow in number as both large and small clients display increasing acceptance of this method of desktop delivery to end users. The primary drivers for VDI deployment remain:
- Avoidance of desktop hardware refresh
- Ease of migration to Windows 7 from XP
- Stronger Disaster Recovery/Business Continuity
- Ability to manage/maintain more desktops with fewer/static IT staff
360is have executed a number of virtual desktop projects using all the major vendor products for large and small organisations in the public and private sector, using a variety of endpoints including thin clients, tablets, and mobile devices. Find out how.
If you would like to discuss any of what you have read about with one of our consultants then we would be happy to meet with you at your offices or at our London or Wokingham sites. Simply get in touch.
All that remains is for us to say Happy New Year and finally "gung hay fat choy" (*)
(*)"may you become prosperous"
WikiLeak's Lessons For UK Information Security Professionals
“A government is the only known vessel that leaks from the top” - James Reston, Journalist
Rarely does a story with a strong Information Security thread garner quite so much attention in the mainstream press. However, when the leaking of secret state information is combined with pent-up public interest in subject matter like current and future adventures in the Middle East, climate change, the banking crisis, and international relations, demand meets supply and column inches result.
The WikiLeaks publication of US State Department cables in November/December 2010 was featured in the recent Q4 2010 issue of Executive Intelligence, the 360is Quarterly for UK CSOs/CIOs and IT Security Directors:
"On November 28th, the whistle-blower web site WikiLeaks began disclosing the first 220 of 251,287 US State Department cables dating from 1966 to 2010. These cables ranged from SECRET//NOFORN to UNCLASSIFIED in their protective marking, and contained many unguarded, frank, and often critical comments from US diplomats on a range of subjects."
Putting to one side the virtues or vices of making this particular information public, what lessons can we learn from it as Information Security professionals? What actions should we propose to our directors while the subject of information security is fresh in the mind of the main board? What tactical, practical advice can we put into action in light of what this WikiLeaks episode has taught us?
Information Security problems of this type are a subject that many find difficult to discuss. For the most part we are talking about the actions of insiders: employees, contractors, or close members of your supply chain. Managers find the broad subject of insiders harder to broach than that of the threat from external attack. However, most of the practical advice we have for our clients is around process rather than people, and can be implemented without alienating staff or making them feel spied upon.
(1) Recognise Where You Are Vulnerable
As with external Information Security threats, the key to improving your internal Information Security posture is to first recognise where you are vulnerable. Understanding your current vulnerability to leaks should be a part of formal Information Risk Management. Make a start by writing down answers to the following questions:
(5) The Human Element, A Matter Of Staff Maturity And Common Sense
Don't give low-level or casual staff a high level of security clearance; this includes staff working in IT. Of course, in order for the phrase "low or high level" to have any meaning at all, you first need to have implemented something from (4).
Regardless of employee seniority or access, some staff may still feel compelled to leak. What then?
Consider establishing an internal ethics board where staff can take their concerns and have them heard. However, your best chance of preventing information leaks comes during the initial staff recruiting and vetting process. Do you vet staff who regularly handle highly sensitive or client confidential information?
Rarely does a story with a strong Information Security thread garner quite so much attention in the mainstream press. However, when the leaking of secret state information is combined with pent-up public interest in subject matter like current and future adventures in the middle east, climate change, the banking crisis, and international relations, demand meets supply and column inches result.
The WikiLeaks publication of US State Department cables in November/December 2010 was featured in the recent Q4 2010 issue of Executive Intelligence, the 360is Quarterly for UK CSOs/CIOs and IT Security Directors:
"On November 28th, the whistle-blower web site WikiLeaks began disclosing the first 220 of 251,287 US State Department cables dating from 1966 to 2010. These cables ranged from SECRET//NOFORN to UNCLASSIFIED in their protective marking, and contained many unguarded, frank, and often critical comments from US diplomats on a range of subjects."
Putting to one side the virtues or vices of making this particular information public, what lessons can we learn from it as Information Security professionals? What actions should we propose to our directors while the subject of information security is fresh in the mind of the main board? What tactical, practical advice can we put into action in light of what this WikiLeaks episode has taught us?
Information Security problems of this type are a subject that many find difficult to discuss. For the most part we are talking about the actions of insiders: employees, contractors, or close members of your supply chain. Managers find the broad subject of insiders harder to broach than that of the threat from external attack. However, most of the practical advice we have for our clients is around process rather than people, and can be implemented without alienating staff or making them feel spied upon.
(1) Recognise Where You Are Vulnerable
As with external Information Security threats, the key to improving your internal Information Security posture is to first recognise where you are vulnerable. Understanding your current vulnerability to leaks should be a part of formal Information Risk Management. Make a start by writing down answers to the following questions:
- Where is confidential information kept in your organisation?
- In how many different places can it currently be found?
- Are multiple copies routinely created of confidential information?
- How many different access methods are there to this information?
- What size community of users have access to it?
- What controls are there over who can access what, where, and when?
Armed with answers to these questions and the rest of this article, you may begin a process of prioritisation, focusing on where your most leak-worthy data is kept. Target areas where the greatest quantity of the most confidential information is held, made available to the largest user community, with the minimum of controls.
The full details of how the US State Department leak came to pass have yet to be released and may never be fully disclosed. However, given the current speculation that a relatively low-level, young Private of a few years' service had access to all this material, and did not arouse suspicion when extracting it, the US State Department would score very low on any Information Security scorecard one can imagine.
(2) Know If You Are A Target
Some organisations attract leaks because they are repositories for particular confidential information, or because the information they hold is highly newsworthy; others find themselves subject to leaks because their employees sometimes struggle with difficult and conflicting concerns about the nature of their work. While your newsworthiness may fluctuate over time, certain sectors tend to experience a perennial popularity with leakers. If you are in the energy, pharmaceutical, government, or banking sectors, you should consider yourself a prime candidate for leakers at this time. Companies engaged in arms manufacture or doing any kind of business in troubled parts of the world are likewise a target. Are you an aggregation point for sensitive information from several of the sources above? If you operate a law or consultancy firm, or other business where you are entrusted with sensitive information from clients in these industries or geographies, then you will be a target for leaks.
As both a prominent government office and an aggregation point for all types of sensitive information from diplomats around the world, the US State Department is one of the more likely targets for leakers.
(3) Diligence And Statutory Obligations (Compliance)
As a minimum, you as the designated Information Security officer should ensure your organisation's awareness of, and adherence to, the minimum standards for compliance. As CSO (or equivalent; most UK firms do not have a CSO), failure to do so will eventually end up being a problem that lands at your office door. Confidentiality and privacy are key tenets of several pieces of compliance legislation designed to protect the information of individuals, particularly where you may be required to hold personally identifiable information. However, you may have obligations even if you do not handle this kind of information. Of particular relevance to UK companies are the Data Protection Act, the UK Corporate Governance Code, the Freedom Of Information Act, and for many, PCI. All of these have Information Security connotations, although some are more oblique than others.
Although the US State Department may not be subject to the same compliance legislation as your organisation, they failed to honour even basic obligations (be they explicit or assumed) in keeping sensitive information confidential.
(4) Segment Your Data
Do you currently segment your sensitive information, or do you maintain a single monolithic store for all confidential material? If a potential leaker were to gain access to that store, what is the scope of disclosure that you might suffer? By segmenting your sensitive data you have a better chance of limiting the scope of a leak.
- Segment by status: active client versus inactive/former clients.
- Segment by "security level" of the information: secret, confidential, unclassified.
- Segment by time: don't keep files for completed projects with the currently open client files.
- Segment by user/group: litigation versus patent, analysts versus sales, buy-side versus sell-side.
Segmenting your sensitive information sounds complicated, but it can be as simple as not keeping project files older than 3 months in the same place as current files, along with a process for individuals to obtain access to the archive with the proper authorisation and oversight. Increasingly, Email is used as a long-term information store. Setting aside the huge problems created by doing that, secure Email archiving and retrieval products can facilitate the same segmentation of Email that you would have with traditional file stores.
Enforcing the most basic file-folder security on drive shares (by user, by group), or more complex access control lists (if supported by your storage) can dramatically reduce your vulnerability to a State-Department-sized leak.
Finally, do you individually encrypt the most sensitive documents or indeed any documents in your organisation? Encryption of individual documents, or individual client folders is another way of limiting widespread uncontrolled disclosure of confidential information. It is not difficult to imagine a regime of individual passwords for individual projects, clients, or business units.
It is unknown whether or not there was any real segmentation where the US State Department cables were stored. It does not seem likely. Either that or there was a requirement for segmentation and this requirement was routinely ignored. One can find no other reason why cables ranging over 30 years and 6 security levels from hundreds of sources were so readily available to 1 junior staff member.
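The prioritisation advice in (1) (most confidential material, largest user community, fewest controls first) and the segmentation checks in (4) can be turned into a simple audit over an inventory of your file stores. The following is an added illustration, not 360is's own tooling or method: the `Store` fields, the sensitivity weights, the 90-day staleness threshold and the inventory itself are all constructed assumptions for the example.

```python
"""Rank file stores by leak exposure and flag segmentation problems (illustrative audit)."""
from dataclasses import dataclass, field
from datetime import date

# Assumed numeric weight per protective marking; higher means more damaging if leaked.
SENSITIVITY = {"unclassified": 1, "confidential": 3, "secret": 5}


@dataclass
class Store:
    name: str
    classifications: set          # protective markings of material held in this one place
    documents: int                # quantity of confidential material held there
    principals: int               # size of the user community with read access
    acl_restricted: bool          # per-user/group access control rather than "Everyone"
    encrypted: bool               # documents or client folders individually encrypted
    oldest_project: date          # start of the oldest project still kept in this store
    client_status: set = field(default_factory=lambda: {"active"})
    is_archive: bool = False      # archives are expected to hold old projects


def exposure_score(store: Store) -> float:
    """Section (1) prioritisation: sensitivity x quantity x community, divided by controls.
    Control weights (ACL and encryption worth 2 each) are an assumption for illustration."""
    sensitivity = max(SENSITIVITY[c] for c in store.classifications)
    controls = 1 + (2 if store.acl_restricted else 0) + (2 if store.encrypted else 0)
    return sensitivity * store.documents * store.principals / controls


def segmentation_findings(store: Store, today: date, max_age_days: int = 90) -> list:
    """Section (4) checks: mixed security levels, mixed client status, stale projects
    kept alongside current files, and sensitive material without access control."""
    findings = []
    if len(store.classifications) > 1:
        findings.append("mixed security levels in one store")
    if len(store.client_status) > 1:
        findings.append("active and former clients in one store")
    if not store.is_archive and (today - store.oldest_project).days > max_age_days:
        findings.append("project older than %d days kept with current files" % max_age_days)
    if not store.acl_restricted and store.classifications != {"unclassified"}:
        findings.append("sensitive material without per-user/group access control")
    return findings


def prioritise(stores, today: date):
    """Return (name, score, findings) tuples, most exposed store first."""
    ranked = sorted(stores, key=exposure_score, reverse=True)
    return [(s.name, exposure_score(s), segmentation_findings(s, today)) for s in ranked]


# Constructed inventory (not real data): one monolithic share versus two segmented stores.
TODAY = date(2010, 12, 15)
INVENTORY = [
    Store("all-clients-share", {"unclassified", "confidential", "secret"}, 250_000, 1_000_000,
          acl_restricted=False, encrypted=False, oldest_project=date(1980, 1, 1),
          client_status={"active", "former"}),
    Store("litigation-current", {"confidential"}, 2_000, 25,
          acl_restricted=True, encrypted=True, oldest_project=date(2010, 11, 1)),
    Store("archive-2009", {"confidential"}, 8_000, 5,
          acl_restricted=True, encrypted=True, oldest_project=date(2009, 6, 1),
          client_status={"former"}, is_archive=True),
]

if __name__ == "__main__":
    for name, score, findings in prioritise(INVENTORY, TODAY):
        print(f"{name:20s} exposure={score:.0f} findings={findings or 'none'}")
```

The monolithic share tops the ranking by many orders of magnitude and collects every finding, while the two segmented stores score low and pass clean; that gap is the point of the prioritisation exercise, and the thresholds are yours to tune.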
(5) The Human Element, A Matter Of Staff Maturity And Common Sense
Don't give low-level or casual staff a high level of security clearance; this includes staff working in IT. Of course, in order for the phrase "low or high level" to have any meaning at all, you first need to have implemented something from (4).
Regardless of employee seniority or access, some staff may still feel compelled to leak. What then?
Consider establishing an internal ethics board where staff can take their concerns and have them heard. However, your best chance of preventing information leaks comes during the initial staff recruiting and vetting process. Do you vet staff who regularly handle highly sensitive or client confidential information?
Having worked for many city institutions, 360is consultants are able to recommend the services of a suitable staff vetting agency. Instruction is also available for your fellow directors and senior company officers on the correct way to invoke UK Legal Professional Privilege, and general handling practices for the most sensitive communications.
Some of our clients have a regular rotation of staff, preventing any one person getting too comfortable (and possibly carefree) with sensitive information. In some cases this is an option, but for most firms it does not fit their operational model.
If the current speculation is to be believed, a relatively low-level, young Private of only a few years' service had access to the leaked material. In addition to this, it is also speculated that over a million other individuals had access to some or all of the information. This would suggest that either the information should not have been marked secret/confidential at all, or that there has been a failure to consider the human element in its handling. Even the most optimistic Information Security professional will find it hard to believe that any "secret" shared with a million individuals will remain secret for very long.
(6) Handling A Leak
Sooner or later your confidential information will escape either accidentally or with help from an external hacker or an insider with access. Once this happens, it is the way in which your organisation handles the leak that partly determines total cost to your organisation in terms of reputation and revenue loss.
At what point do you inform your clients if there are potential implications for them? Who will handle enquiries from the press? What assurances will you offer partners, suppliers, and customers/clients that information concerning your business dealings will be better protected in future? How can you "get ahead of the story" and start taking control of the incident?
- Put a plan in place now
- Rehearse that plan periodically
- Use external professional crisis management if you lack relevant experience in-house
- Understand any legal obligations to clients, partners, and the regulator
- Ensure the right personnel are press/media trained
360is consultants recommend bringing in a professional response team who have handled these types of situations before. Most managers are not trained in dealing with the media and can quickly find themselves in an awkward position without proper preparation. 360is are able to assist such a team in formulating technical answers to some of the questions that will need to be supplied both to post-incident internal investigators and journalists.
We will leave an assessment of the State Department's handling of this episode to the reader, but suggest you consider these questions:
- Have they managed to "get ahead of the story" or are they still reacting to it?
- Do their partners feel reassured that this is any less likely to happen in future?
- Have their actions, post-incident, served to increase, decrease, or had no effect on public perception of Information Security within their organisation?
More From 360is Executive Intelligence
This briefing on preventing leaks and the WikiLeaks episode of December 2010 is referenced in "Executive Intelligence", the quarterly security briefing provided by 360is to our current and former clients. Executive Intelligence is now available to all UK Information Security Professionals in our network. Find out how to subscribe to our UK quarterly security newsletter.
The full text of this article is available in PDF form via the Resources section of our web site here.