VPNs and Work From Home: Security under scrutiny in times of COVID-19

A VPN secures communication between company servers and employees’ devices, but end-user devices remain exposed if they are not secured well enough. Other compensating measures also need to be in place.

Courtesy of The Cyber Security Hub™ (TCSH), I would like to point to an article that TCSH linked to, which says that Work From Home (WFH) over a VPN is not 100% secure and that other risks exist in that activity. This article I wrote is for those who believe that a VPN is all you need for secure WFH. I extract selectively from the mentioned article only what I believe is critical, so that non-expert readers can grasp the essence.

Conclusions:

1) So, BYOD (Bring Your Own Device) is a high risk. At least, it has to be approved by the company the employee works for. The device MUST be secure enough against penetration, so I would strongly recommend: (i) remove admin rights from this device (to the extent possible) and (ii) anti-virus and firewall on it are a must (although recently I have learnt that such ammunition is not enough against a skilled hacker).

2) The IT infrastructure generally supports, in normal times (not these times of pandemic crisis), around 30% of users working remotely. During COVID-19, if all users go remote, then ”Houston, we have a problem!”. I mean, no organisation has so far envisaged that such a huge majority of its staff would work from home. Therefore, buying additional equipment to support the increased demand from users working over VPN takes time (months). Configuring and integrating such new equipment into the existing infrastructure also requires time.

3) I will end with this recommendation (excerpt from the article), which I fully agree with:

So, stay safe not only from the COVID-19 virus, but also avoid getting viruses (in electronic form) or other electronic malware from hackers.

For this purpose, employees need a secure device (as I have mentioned above, i.e. admin rights removed and anti-virus and firewall software installed) and instructions on how to counter phishing attacks (for these I hope you have already introduced regular simulations, as I recommended previously in this article on LinkedIn), so that when employees work from home and are not supervised, or have no quick support link with the IT department, they will hopefully be able to apply that knowledge at home.


Ransomware mitigation with backups. It might work well for small or medium companies that cannot afford huge budgets for securing their systems

Provided that certain conditions are met

In a previous page I wrote about the balance that always has to be reached between costs and risks, including cyberattacks. So, I have expressed the opinion that there is no point in spending too much on some fancy security tool that covers a risk which, if it occurred, would cost the company far less than the tool itself.

This is the case with small companies, and some medium-sized ones. Eventually, deleting everything and starting from scratch, taking data from paper and inputting it into the company’s system, be it an ERP or another system, might be less costly than securing that system by investing a disproportionate budget.

However, if you have good backups in place, you don’t need to start from scratch, only from the last backup, provided that several pre-conditions are met in respect of those backups.

Courtesy of Boardish – IT and Cyber That Speaks The Board’s Language, the twenty-second video below explains what happens in a ransomware attack (he he he – very funny! – but when real life hits it’s not funny anymore).

Backups will mitigate ransomware attacks elegantly provided that:

  • you have backups defined according to your risk appetite, and your organisation will have to delete all current live data from the production environment (in order to also remove the malware from your systems, because you don’t have the decryption key and might not want to pay the ransom)
    • the frequency of backups is to be defined according to how far back in time you are prepared to repeat the latest data entries into your systems (while remaining within the risk parameters defined in your strategy and being virtually unaffected), so as to be up to date and have the latest customer transaction data available in your systems. This procedure assumes taking data from paper (contracts, written customer applications, customer orders in written form). Restoring data from emails is a separate activity, and I presume in this article that you have the email server hosted in the cloud (having the email server on premises without a backup in the cloud loses the opportunity to take customer data from emails, so with no backup at all the data will not be recovered if the ransomware spreads to the email server as well)
    • the time needed to input the data again since the last backup (so as to be up to date) does not take longer than allowed (at least you have defined in advance a task force that is available on request to do such data entries, and have procedures in place on how to do it)
    • the time needed to reset your systems, or to reinstall all systems from the kits, is not too long and it is feasible to do it within the pre-defined time frame
    • last, but not least: testing the backups regularly will avoid surprises, namely when everything is recovered from backups but the systems do not work … or recovering from the backups is a messy process (so exercising the recovery procedures regularly is essential)
  • a second condition is to have backups decoupled from your live systems (unless you have a real-time backup technology, in which case you have to have a third backup that is done manually, decoupled from the live environment, namely on tapes or other independent systems that stay off-line all the time, like a safe storage of data if you like). Yep, you got it: having the backup systems coupled (connected) on-line with your live systems (in order to do the backups automatically at predefined frequencies) has the downside that the backup systems might also be infected with the malware.

You know something? The above-mentioned pre-conditions are in line with good practices and security standards, only they are applied to a greater or lesser extent by the IT departments of various enterprises. Real life is different from standards; I just hope you already have those actions implemented in real life. If not, and you are a small or medium-sized company that supports its business operations significantly with the aid of some ERP or IT system, but cannot afford a big budget for securing your company against cyberattacks like ransomware, you might need to consider implementing the recommendations I mentioned above.
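The pre-conditions above can be turned into a readiness check you run before trusting backups as your ransomware mitigation. The script below is an added example, not from the post or from any vendor: it models backup age against the RPO you derived from your risk appetite, a copy decoupled from the live systems, a restore drill whose recovered files match the manifest, and a recovery time (reinstall plus re-entry of data since the backup) inside the agreed window. All figures, file names and data sets are constructed.

```python
"""Ransomware recovery readiness check (added example, not from the post).
Checks the pre-conditions above: backup age within the RPO you defined
from your risk appetite, a copy decoupled from the live systems, a restore
drill whose recovered files match the manifest, and a recovery time
(reinstall + re-entry of data since the backup) inside the agreed window.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class BackupSet:
    name: str
    taken_at: datetime
    offline_copy: bool            # on tape / detached disk, unreachable from live systems
    manifest: dict[str, str]      # file name -> SHA-256 recorded when the backup was made
    restored: dict[str, bytes] = field(default_factory=dict)  # files read back in a drill


@dataclass
class RecoveryPlan:
    rpo: timedelta                    # how far back you accept to re-enter data from paper
    max_downtime: timedelta           # pre-defined time frame to be back in business
    reinstall_time: timedelta         # reset / reinstall all systems from the kits
    business_records_per_hour: float  # records created per hour that would be re-entered
    entry_records_per_hour: float     # records one task-force member re-enters per hour
    task_force: int                   # people available on request for re-entry


def restore_drill_passes(backup: BackupSet) -> bool:
    """Every manifest file came back from the drill with the expected hash."""
    return all(name in backup.restored and sha256_hex(backup.restored[name]) == digest
               for name, digest in backup.manifest.items())


def recovery_time(plan: RecoveryPlan, backup_age: timedelta) -> timedelta:
    """Reinstall time plus re-entry of everything created since the backup."""
    lost = backup_age.total_seconds() / 3600 * plan.business_records_per_hour
    return plan.reinstall_time + timedelta(hours=lost / (plan.entry_records_per_hour * plan.task_force))


def assess(backup: BackupSet, plan: RecoveryPlan, now: datetime) -> list[str]:
    """Unmet pre-conditions; an empty list means the backups can carry you."""
    findings, age = [], now - backup.taken_at
    if age > plan.rpo:
        findings.append(f"{backup.name}: age {age} exceeds RPO {plan.rpo}")
    if not backup.offline_copy:
        findings.append(f"{backup.name}: no copy decoupled from the live environment")
    if not restore_drill_passes(backup):
        findings.append(f"{backup.name}: restore drill failed (missing or altered files)")
    if (rt := recovery_time(plan, age)) > plan.max_downtime:
        findings.append(f"{backup.name}: recovery time {rt} exceeds {plan.max_downtime}")
    return findings


# Constructed sample: a small ERP data set, a nightly tape and an on-line NAS copy.
FILES = {"erp.db": b"orders:1001,1002,1003", "contracts.csv": b"id,customer\n1,ACME\n"}
MANIFEST = {n: sha256_hex(d) for n, d in FILES.items()}
PLAN = RecoveryPlan(rpo=timedelta(hours=24), max_downtime=timedelta(hours=48),
                    reinstall_time=timedelta(hours=8), business_records_per_hour=20,
                    entry_records_per_hour=30, task_force=4)
NOW = datetime(2020, 3, 20, 9, 0)
GOOD = BackupSet("tape-2020-03-19", datetime(2020, 3, 19, 22, 0), True, MANIFEST, dict(FILES))
# Three days old, still connected to production, and erp.db came back truncated.
BAD = BackupSet("nas-2020-03-17", datetime(2020, 3, 17, 22, 0), False, MANIFEST,
                {"erp.db": b"orders:1001", "contracts.csv": FILES["contracts.csv"]})

if __name__ == "__main__":
    for b in (GOOD, BAD):
        print(b.name, assess(b, PLAN, NOW) or ["all pre-conditions met"])
```

Running it reports the tape backup as meeting every pre-condition and lists three failures for the on-line NAS copy; the recovery-time check is where your task-force size and reinstall estimate show whether the agreed time frame is realistic.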

In this context I would say you are probably free from the consequences of a potential ransomware attack that penetrates your organisation despite all security controls being in place.

In this happy-end situation you don’t have to pay the ransom.

However, this does not mean that security controls and protective actions against cyberattacks are to be completely ignored, because ransomware is only one type of attack, and there are plenty of others out there ready to catch you unprepared (if there is some data at stake).

Nevertheless, as the time needed to recover your business is the most important and critical / vital criterion for any organisation, I would say that mitigation by backups as explained in this article (provided the conditions listed above are met) might work satisfactorily and will allow you to be quickly back in business.

Note: another assumption I made in this post is that the decision to pay the ransom (or not) also takes into consideration the sensitivity of the data. When I mentioned cost and risk, I presumed that all the costs of the risk materialising, for example fines from authorities (e.g. for data protection) for sensitive data leaking outside the company (because securing the company’s operations was not enough), or reputational damage such as losing an important customer (or several), have been quantified, and that the decision was taken not to pay the ransom.

API (Application Programming Interface), SOA (Service Oriented Architecture) and Microservices

What is meant by these terms?

From a definition of a service perspective:

In software development, a “service-centric” software application means writing code that gets exposed (typically over a network) via one of many interfaces.

These interfaces are the endpoints to business functionalities and regardless of the architectural pattern (SOA, Microservices), services tend to share the following attributes:

  • are self-contained
  • are “black boxes” to users of the service
  • model a set of activities with specific inputs and outputs

Why SOA?

Reduced complexity: when a lot of records are needed to serve a particular business or data requirement, making multiple requests might mean implementing processes or use-cases more complex than they need to be.

Reduced risk: the classical (monolithic) development to serve data requirements might expose too much of the underlying data model.

Bottom line: SOA packages up functionality into endpoints, typically accessible at the enterprise level, that are: easy for the business to access, reusable, and usable as building blocks for future applications.

APIs and relation to SOA

SOA is more of a B2B business solutions layer: when a business needs to pass data back and forth between different types of media, APIs are built, and business rules are built around them.

SOA is an architectural methodology. It is a way of specifying separation of responsibility from a business oriented point of view into independent services, which communicate by a common API (often but not necessarily by publishing events to a bus).

In recent years, a culture shift has been taking place in businesses and organizations, especially in the public sector. Thus, there have been recent drivers to open up access to data services, often through public APIs which are available online.

API definition: a source code-based specification intended to be used as an interface by software components to communicate with each other.

Differences:

API = any way of communicating exposed by a software component.

SOA = a set of enterprise architectural design principles to solve scalability issues by splitting responsibility into services.

Microservices (architecture) – MSA

At a very high level, microservices are an alternative way of architecting applications that offers a better way to decouple components within an application boundary.

Maybe if microservices were rebranded as microcomponents it’d be easier to understand.

In an application that implements microservices, the application boundaries or interfaces are no different from those of a traditional monolithic application; the key difference is what happens behind the application boundary.

Behind the service boundary, collections of independent microservices run in their own processes, all with their own individual set of APIs or web service endpoints that get exposed through the application boundary.

For complete decoupling, isolation, and independence, each microservice can use its own data model, aligned with the domain objects being passed through it, which helps improve stability and maintenance.

Microservice architecture is focused on multiple, independent, self-contained application-level services that are lightweight and have their own unique data model.

For CIOs / CTOs to make informed decisions, in what follows I will present the main attributes of each.

Sources:

https://www.devteam.space/blog/microservices-vs-soa-and-api-comparison/

https://stackoverflow.com/questions/9496271/what-is-the-difference-between-an-api-and-soa

My research above would not have been complete without trying to find some API Management providers in Romania.

A reliable source I believe is Gartner (Magic Quadrant). Gartner report: https://www.gartner.com/en/documents/3970166/magic-quadrant-for-full-life-cycle-api-management (excerpt below).

I found 5 leaders (who have the ability to execute and are also visionaries) and took all of them (in the order in which they appear in the Gartner document) into my research, to see if any Romanian customer can get API services in Romania from them. I think it is important to have a local distributor or partner (for reasons relating to easier troubleshooting, local / on-premises customisation, etc.)

Google Apigee: I did not find a partner in Romania for Apigee (see this – no “Romania” in the results of that search, and this – a provider also taken from the search results, but which has nothing in Romania, although it is present in other countries in the region around Romania)

Software AG: no partner found in Romania (they coordinate from Poland) – see this

Mulesoft: it seems they have a partner, but I did not see a specific focus on API (at least from the main page displaying this partner’s services I could not retrieve details). Thus, see this – pointing to Softvision, but on the Mulesoft site the “Partner’s site” link points to this website, where one can find no link or details about API services.

IBM: yes, they have IBM Romania and the specific page for API Management is https://www.ibm.com/ro-en/cloud/api-connect

Axway: yes, they have a Romanian partner (EasyDO) and the specific page is https://www.easydo247.com/products-axway

Final conclusions: I saw that banks in Romania have already contracted some API Management services (for example, the no. 2 bank in Romania, BCR, has something from Axway as per the link mentioned in the previous paragraph – see at the bottom, where I also found BNP Paribas as their client).

I could imagine that IBM would also have offered their API Connect product to Romanian companies, but I did not find specific Romanian clients using API Connect on their website. Maybe they keep that list confidential.

I know that for banks and fintechs the PSD2 directive (in force since December 2019) requires banks to expose their data through APIs to fintechs as consumers of that data.

Anyway, if you run a Romanian company that has a complex IT architecture and want to go for digitisation in 2020, with the flexibility to create new products in order to satisfy customer needs, you might want to consider gradually building new products on a services-based architecture, i.e. SOA, microservices. Therefore, implementing some APIs (if you have not done that already) and managing them is the way.

In pursuing the above-mentioned endeavour, if I am required to express an opinion, I would recommend going with one of the leaders from the Gartner Magic Quadrant.

Recently I have attended: Transform your organization through RPA (Robotic Process Automation)

What is RPA

“RPA” refers to a set of modular software programs (or “bots”) that complete structured, repeatable, and logic-based tasks by mimicking the actions taken by existing human staff.

Why would an organisation need that?

[Image: course certificate, “Transform your organization through RPA (Robotic Process Automation)”. See the full certificate at the end of this post.]

There are many advantages, but personally I see also a few Cons.

Transforming an organisation through a software development undertaking, within waterfall (or even Agile) projects, takes far too long, given the current external environment in which everything is moving very fast. Digitisation, disruption, all happen at an incredible speed. RPA is not a classic software development project, but something that can be delivered much faster. It sits between operational work and a full software solution delivered within a classical project meant to automate processes.

The developed bots are capable of interacting with and integrating disparate enterprise applications, databases, and files, limiting the business need to develop custom, application-specific integrations.

How it works

A set of scheduled bots is capable of running on multiple servers within a company’s environment simultaneously, with minimal impact on resource and network capacity.

Practically, if an organisation has many (repetitive) operations supported by different systems (there is no integrated ERP for all activities, for example) and uses one software for invoicing, another for managing suppliers, and so on, RPA is worth considering.

Cons: I see at least one disadvantage, namely security. A risk assessment is needed anyway, followed by actions to mitigate those risks. For example, as the bots within an RPA solution may use powerful user accounts in various systems or applications, access to those accounts needs to be properly protected from unauthorised staff.

A company of Romanian origin that delivers RPA solutions as its core business is UiPath. They are the first Romanian unicorn (a company valued at more than 1 billion USD).

RPA solutions can be created to run on various operating systems. UiPath has its RPA solutions designed for Windows.

Please find below a top 10 of companies that offer RPA services:

https://www.em360tech.com/ai_enterprise/tech-features-featuredtech-news/top-10-rpa-companies/

And also my certificate:

Smart speaker sales worldwide – new records

Global smart speaker sales grew 45% year-on-year in Q4 2019

Do you want to set timers or reminders, do Internet searches or check your calendar using your voice? Combined with additional software and devices, smart speakers are used to control home functions by voice, such as locking doors or turning the lights on / off. Or to shop online by voice.

While 55.7 million smart speakers were sold in a single quarter (a record), the volume for the whole of 2019 amounts to 147 million.

Examples are plenty; let’s take one: Amazon Echo. Smart speakers let you control Amazon’s virtual assistant, Alexa, by voice. Others customize the lighting for specific movies, TV shows and parties, or for news and weather forecasts.

Amazon and Google led in 2019 in both North America and Europe, where they accounted for more than three-quarters of all smart speaker sales, but the Chinese brands Baidu, Alibaba and Xiaomi made up the rest of the top five brands globally and continue to dominate the domestic China market between them.

Below is a table showing the market shares of smart speakers in the last quarter of 2019.

Since the introduction of the Amazon Echo in 2014, the popularity of smart speakers has taken off, with products like Google Home and Apple HomePod gaining momentum in recent years.

Source: https://www.strategyanalytics.com/access-services/devices/connected-home/smart-speakers-and-screens/market-data/report-detail/global-smart-speaker-vendor-os-shipment-and-installed-base-market-share-by-region-q4-2019

Walmart has an experimental service that is going to be shut down

Jet black (the idea is very interesting) started in 2018

“We’ve learned a lot through Jet black, including how customers respond to the ability of ordering by text as well as the type of items they purchase through texting,” said Scott Eckert, Senior Vice President.

As a learning experience for Walmart it seems all good.

Personally I appreciate the courage to run such an experiment, but Walmart can afford to do it anyway.

What did go wrong?

It seems a Jetblack customer spent an average of $1,500 per month, but the costs for Walmart amounted to $15,000 per year per member, as of last summer. Also, JB overlapped with Walmart’s own home delivery options, including its successful Walmart Grocery service, which could deliver the fresh food Jet black could not.

Around 300 JB employees are going to be laid off soon.

Source: https://techcrunch.com/2020/02/13/walmart-shuts-down-its-experimental-personal-shopping-service-jet-black/

MC (MasterCard) in China?

Approval obtained from People’s Bank of China (PBoC) to begin formal preparation to set up a bank card clearing institution in China

MC is not the first US credit institution to request approval from the PBoC. Amex (American Express) had also submitted its file in 2018. PayPal is targeting GoPay (PP is willing to pay for a 70% stake in GoPay).

Mastercard, together with NetsUnion (the two companies having set up a joint venture last year, NetsUnion being a clearing house for online payments whose stakeholders include the PBoC), refiled its application this year as a joint venture called Mastercard NUCC Information Technology (Beijing) Co., Ltd. That application has now been approved.

According to the source below, it seems that the approval of MC (as well as of Amex, through its joint venture with Amex’s Chinese partner LianLian Group) is part of the U.S.–China trade deal, which required Beijing to accept and review payment firms’ applications in a timely manner, which hadn’t happened before.

Source: https://techcrunch.com/2020/02/11/mastercard-given-approval-to-prepare-for-entry-into-chinas-payments-market/

Anyway, they have competitors in the Chinese market. China had 8.2 billion bank cards in circulation by the end of September 2019, 90% of them debit cards. For example, local actors like WeChat Pay will fight to avoid losing market share.

Yet mobile payments in China are expected to grow 21.8% from 2017 to $96.73 trillion by 2023, and the total number of active mobile payment customers is expected to reach 956 million by 2023, up from 562 million in 2017.

It will be interesting to watch these developments: either China joins a western style of payment, or US companies will not succeed there. We will see.

Mobile apps for meditation

Those apps recorded $195M in 2019 – an increase of over 50% compared to the previous year

Apparently, this evolution originates from millennials’ lifestyles: such persons choose to marry later in life and delay having children, and because of that, it seems they allow themselves more time to remain self-focused, compared with their parents’ generation.

Also, internet access has been more of an advantage for millennials compared to previous generations: they have easier access to information and therefore become better informed about wellness and self-care.

Calm and Headspace (two mobile apps) registered (final figures not available though) $92 million and $56 million respectively in 2019. Also, they had 24 million new users in 2019 (Calm) and 13 million (Headspace).

Source: https://techcrunch.com/2020/01/30/top-10-meditation-apps-pulled-in-195m-in-2019-up-52-from-2018/

In the coming years I think millennials will increasingly determine market evolutions based on their interests, in one direction or another. It will be interesting to watch these trends!

Identifying patterns in Big Data and building statistical models is manual work – to be somewhat automated by AI tools such as Pecan

Who would need this AI tool?

A business analyst needs some business intelligence applications or tools (for example http://www.sas.com) and employs some methods to build a statistical model for the data he/she is analysing. But what if, instead of the laborious work of building a statistical model (even though SAS or other classical tools allow for this), a machine learning tool could help the statistician during this process and finally make his/her life easier?

A statistical model, if proven correct, will eventually anticipate consumer behaviour. This means a lot of opportunities for cross-selling, inventory prediction (prepared according to the model – see seasonality, for example, which the statistical model takes into consideration in its prediction) and a bunch of other good things that can be anticipated.

Using business intelligence and analytics tools, a statistician digs into data when building such a model. Someone said the other day that a company will build, over a pre-defined period of time, 5 to 7 statistical models, out of which one will eventually work.

Pecan is for those who want to bring the power of machine learning to their data analysis, but lack the skills to do it.

The Pecan AI tool includes a series of templates designed to answer common business questions, divided into two main categories. The first is customer questions and the second is business operations questions, i.e. related to things like risk.

There is also a third possibility: build your own template, but apparently this defeats the purpose (simplicity), because Pecan CEO Zohar Bronfman says that building your own is really for more advanced users.

The innovation started from the problem that much of the work involved in building machine learning models is about getting data into a form that a machine learning algorithm can consume.

“The innovative thing about Pecan is that we do all of the data preparation and data, engineering and data processing, and [complete the] various technical steps [for you],” Bronfman explained.

Total raised by the startup so far: $15 million. The platform has been under development since 2016, and Pecan has been working with beta customers for the last 18 months.

I like how AI is supposed to help humans and make their lives easier. This tool could be an example of such good “cooperation”.

Source: https://techcrunch.com/2020/01/28/pecan-ai-launches-with-11m-series-a-to-automate-machine-learning/