NC1607

NETWORKcomputing
I N F O R M A T I O N A N D C O M M U N I C A T I O N S – N E T W O R K E D www.networkcomputing.co.uk
HYPER CRITICAL
How will hyper-convergence
impact storage infrastructure?
WITH GREAT DATA
COMES...
The risks and opportunities
of The Internet of Things
DARKNESS VISIBLE
Getting to grips with the spectre of dark data
GDPR AND PERSONAL DATA
Preparing for the EU General Data Protection Regulation
JULY/AUGUST 2016 VOL 25 NO 04

You
cannot
keep up
with data
explosion.
Manage data
expansion with SUSE
Enterprise Storage.
SUSE Enterprise Storage, the
leading open source storage
solution, is highly scalable and
resilient, enabling high-end
functionality at a fraction of
the cost.
suse.com/storage
Data

COMMENT
COMMENT
#TECHXIT OR OPPORTUNITY?
BY RAY SMYTH, EDITOR
Well, it happened. On the 23rd of June 2016, the United Kingdom, through a
national referendum, voted to leave the EU. Already the Science and
Research sector has spoken, generally forecasting disaster as EU funding and
personal mobility is threatened.
But what of the IT and technology sector? Organisationally we are already a very
international bunch and of course the Internet is a foundation for this. Vendors supply
goods and services on a global basis and their customers exercise every aspect of
internationalism that is possible. Trade agreements will follow but no one is going to
allow their business or personal life to slip into reverse.
The EU has done some important work and the recent agreement around the
General Data Protection Regulation (GDPR) is featured in this edition of Network
Computing, and we plan substantial coverage up to and beyond its implementation as
it's not going away. Best practice and doing things properly don't need additional
labelling or sponsorship, and while no one says that GDPR is the ultimate tool for the
job in hand, it must surely represent the best starting point that we currently have?
As I suggested in my last introduction, it is important that vendors and IT professionals
start a discussion that will ultimately build your plan: your plan not just for Brexit,
but for the next five challenging years, in order to make sure that you can best serve,
even dare I say, lead, the needs of your business. In this respect, please email me or
Tweet me using #Techxit to share your thoughts and let's get the conversation started.
EDITOR: Ray Smyth
(ray.smyth@btc.co.uk)
REVIEWS:
Dave Mitchell
Ray Smyth
SUB EDITOR: Mark Lyward
(netcomputing@btc.co.uk)
PRODUCTION: Abby Penn
(abby.penn@btc.co.uk)
DESIGN: Ian Collis
(ian.collis@btc.co.uk
SALES:
David Bonner
(david.bonner@btc.co.uk)
Lyle Boenke
(lyle.boenke@btc.co.uk
SUBSCRIPTIONS: Christina Willis
(christina.willis@btc.co.uk)
PUBLISHER: John Jageurs
(john.jageurs@btc.co.uk)
Published by Barrow & Thompkins
Connexion Ltd (BTC)
35 Station Square,
Petts Wood, Kent, BR5 1LZ
Tel: +44 (0)1689 616 000
Fax: +44 (0)1689 82 66 22
SUBSCRIPTIONS:
UK £35/year, £60/two years,
£80/three years;
Europe:
£48/year, £85/two years £127/three years;
ROW:
£62/year, £115/two years, £168/three years;
Subscribers get SPECIAL OFFERS — see subscriptions
advertisement; Single copies of
Network Computing can be bought for £8;
(including postage & packing).
© 2015 Barrow & Thompkins
Connexion Ltd.
All rights reserved.
No part of the magazine may be
reproduced without prior consent, in
writing, from the publisher.
Ray Smyth - Editor, Network Computing.
Ray.Smyth@BTC.CO.UK | https://twitter.com/ItsRay?
GET FUTURE COPIES FREE
BY REGISTERING ONLINE AT
WWW.NETWORKCOMPUTING.CO.UK/REGISTER
WWW.NETWORKCOMPUTING.CO.UK @NCMagAndAwards
JULY/AUGUST 2016 NETWORKcomputing 3

CONTENTS
CONTENTS
J U L Y / A U G U S T 2 0 1 6
EU GDPR.............................10
The EU General Data Protection Regulation
is coming, Brexit or not - but what are its
legislative and security implications for
businesses in the UK? We asked some
leading IT vendors for their thoughts
EDITOR’S COMMENT......................3
Techxit or opportunity
COMPANY NEWS............................6
Market Dynamics: making sense of the market
NETWORK NEWS............................7
Moves, adds and changes
VERSION X......................................8
The latest networking news
INSIDE TRACK..................................23
Getting to know the vendors
ARTICLES
GDPR AND PERSONAL DATA..........10
By James Wickes at Cloudview
RIGOROUS AUDIT............................11
By Roman Foeckl at CoSoSys
THE INTERNET OF THINGS..17
This issue's feature on The Internet of Things
offers some practical guidance for
implementing IoT, warns of the increased
security risk it brings to the network, and
considers what the technology will mean for
businesses and consumers alike
HYPER CRITICAL.....................22
Hyper-convergence is gaining traction.
Sushant Rao, Director of Product and
Solutions Marketing at DataCore considers
its effect on storage infrastructure
BEYOND TODAY’S LIMIT.......20
Network testing and diagnostics needs a
rethink as engineers need greater visibility,
according to Tyson Supasatit, Product
Marketing Manager at ExtraHop
INFOSEC: WHAT NEXT?........30
With the Infosecurity show now behind us
for another year, where should professional
visitors be engaging their minds? Our
Editor, Ray Smyth, offers a view - with the
help of some key vendors
TAMING THE GDPR..........................13
By Brian Chappell at BeyondTrust
THE KNACK OF GDPR READINESS....14
By Paul Donovan at Pulse Secure
PRIVACY BY DESIGN.........................16
By Ross Woodham at Cogeco Peer 1
THE IOT SECURITY CHALLENGE.......17
By Kathy Schneider at Level 3
Communications
WITH GREAT DATA COMES..............18
By Larry Augustin at SugarCRM
AN IOT ECOSYSTEM..........................19
By Ryan Lester at Xively
TAMING DARK DATA..........................24
By Julian Cook at M-Files
ASLEEP AT THE WHEEL........................26
By Homan Haghighi at Alsbridge
IOT SPELLS DANGER...........................34
By Amit Ashbel at Checkmarx
MASTERCLASS
CERTES NETWORKS........................27
Overcoming segmentaton fragmentation
when enabling borderless applications
PRODUCT REVIEW
UNIFIED SECURITY SERVICE.....................15
4 NETWORKcomputing JULY/AUGUST 2016 @NCMagAndAwards
WWW.NETWORKCOMPUTING.CO.UK

NEWS FROM NETVIZURA
NETVIZURA - FREE NETFLOW ANALYZER FOR ACADEMIC INSTITUTIONS
NetVizura was originally developed
in close relation with academic
environments in the area of
research and testing. It was tailored to
support flexible monitoring of large,
complex and high-speed National
Research and Education Networks
(NRENs), which consists of many
universities, faculties and research
institutions, with numbers of smaller
departments
NetVizura NetFlow Analyzer provides
flexible view of traffic statistics in such a
complex network, based on NetFlow data
exported even from a single central point
(core router). By analysing total traffic
from that point, or just a partition of
traffic, i.e. custom traffic of interest,
defined by concept of Traffic Patterns, it
allows full statistics and monitoring of all
subnets (nodes) through IP address
hierarchy. It allows logical view to traffic
structure in the network in addition to
commonly used approach of monitoring
traffic on physical level (per link or router).
Another important demand was the
ability to perform deep forensics, tacking
analysis down to individual user traffic
activity for investigating security incidents.
For that reason NetVizura NetFlow
Analyzer provides a searchable archive of
all collected flow records, while a newly
developed feature provides full statistics
for each end user registered on corporate
Windows domain or VPN server.
These needs and demands in network
monitoring from the academic community
are today common to any professional
network, especially large corporate
networks. For this reason NetVizura
NetFlow Analyzer is used by National
Research and Education Networks
(NRENs), such as Academic Network of
Serbia (AMRES), universities and research
institutions, as well as other commercial
customers as a part of their network
monitoring system. It provides efficient
web based user interface with some of the
most unique features, such as custom
traffic monitoring, end user monitoring
and deep forensics based on long-term
archive of all flow records.
NetVizura wants to give back to the
academic community by offering a full
NetFlow Analyzer license free of charge.
In strengthening the ties with academic
institutions we seek the possibility to
improve both our software and the quality
of academic network services. For those
public funded academic institutions that
wish to get involved, the Free Academic
License Program (FALP) is available. By
entering FALP they receive the full license,
initial start-up support and software
upgrades in order to enhance NetFlow
Analyzer experience. As respected
partners they also receive ongoing
support, however these support tickets will
be handled as secondary priority (after
regular commercial customers).
To apply for the Free Academic License
Program, fill in the form at:
https://www.netvizura.com/products/netfl
ow-analyzer/get-quote/free-academiclicense-program.
ABOUT NETVIZURA
NetVizura provides easy-to-use, flexible
and affordable network monitoring,
forensics and security solutions - NetFlow
Analyzer, EventLog Analyzer, MIB Browser
and DNS Checker. NetVizura is a division
of the company Soneco d.o.o. that
specialises in software, networks and ICT
consulting since 2006. To read more
about the products, customers and
company go to vendor website:
https://www.netvizura.com.
WWW.NETWORKCOMPUTING.CO.UK @NCMagAndAwards
JULY/AUGUST 2016 NETWORKcomputing 5

COMPANYNEWS
MARKET DYNAMICS: MAKING SENSE OF THE MARKET
IN A REGULAR LOOK AT RESULTS AND KEY BUSINESS ANNOUNCEMENTS FOR SUPPLIERS INTO THE
NETWORKING AND IT MARKET, NETWORK COMPUTING SUMMARISES THE EDITORS SELECTIONS
There is a lot happening in the
networking market at the moment, and
frankly anyone who claims to know
how any of it will pan out should order their
throne now. That said, there continues to be
very strong evidence that the security sector
is going through a very welcome and
extremely vital evolution phase.
IT services company Samsung SDS, an
affiliate of Samsung Group, is
accelerating investment in global startups.
They have confirmed investment in
UK based cyber security company
Darktrace and Blocko, a Korean
blockchain platform company.
Commenting, a Samsung SDS
spokesperson said, "Through these
investments, Samsung SDS will be able to
retain leading-edge technology in cyber
security and blockchain. The company
plans to collaborate closely with these
start-ups to drive business growth.
Samsung SDS will increase
competitiveness of its cybersecurity
business and services by promoting sales
of the differentiated cyber threat defence
solution by Darktrace to Korean
companies, as well as work with Blocko to
support commercialisation of emerging
blockchain technology in various sectors
including IoT."
Darktrace is apparently one of the
fastest growing cyber security companies
in the world, and relies on advanced
machine learning technology for detecting
and responding to cyber threats. Samsung
considers differentiated core technology
as very important and invests in global
start-ups in sectors such as AI, analytics,
and IoT to secure disruptive technologies.
It has been said that UK tech businesses
often fail to scale in the way that many US
businesses do. Managed services provider
IT Lab has confirmed that ECI has agreed
to acquire the majority shareholding in
the company. This transaction will support
IT Lab in its goal of becoming the UK's
leading managed service, platform and
business performance services provider,
so there is some hope that this may buck
that trend.
Commenting on the news, Peter
Sweetbaum, CEO of IT Lab said, "We
provide vital IT services to SME and midmarket
companies that are the backbone
of the UK economy …IT Lab is in a very
exciting growth phase with tremendous
potential to expand our capability and
reach [and] partnering with ECI will allow
us to deliver a greater focus on clients."
IDC has recently updated its DDI market
report and identified EfficientIP as the DDI
player with the highest growth rate.
EfficientIP, the youngest company in the
study, achieved a growth rate of 50 per
cent year on year in 2015. The global
DDI market sustained steady growth
during 2015 due to growing market
awareness, DNS security innovations,
renewed vendor energy and the
continuing digital transformation of the
enterprise, adds IDC. David Williamson,
CEO at EfficientIP remarked that "We're
delighted to have been recognised. It
proves our DDI solutions offer what the
market needs."
Talking of the market and inward
investment, a new cloud-enabled
enterprise Wi-Fi brand is coming to the
UK. IgniteNet, already an established and
growing supplier of indoor/outdoor
hardware & cloud services in the US &
Asia, plans to offer cost-effective cloudenabled
networking to the UK market. The
range comprises business-grade indoor
Access Points and outdoor products with
wireless AC starting from just £54, and
includes robust Point-to-Point and Pointto-Multipoint
radio antennas for
connecting buildings up to 1.5kms away.
Cloud managed layer 2 POE and fibre
switches will launch later this year.
What goes around... Southampton
based law firm Moore Blatch have said
that they are advising on the £57 million
sale of Trustmarque Solutions Ltd to
Capita. Trustmarque, a Microsoft LSP and
the provider of software and cloud
technology solutions for both public and
private sector organisations, employs 620
people across five UK locations. This sale
takes place less than two years after
Moore Blatch advised on the purchase of
Trustmarque by the Liberata group. NC
Disclaimer - all information published in this article is based upon fuller submissions provided under general release. Any interested party is urged to verify
any information printed here, prior to using it in any way. Neither Network Computing nor it publishers accepts any responsibility for the accuracy of the
information contained in this article.
6 NETWORKcomputing JULY/AUGUST 2016 @NCMagAndAwards
WWW.NETWORKCOMPUTING.CO.UK

NETWORKNEWS
NETWORK NEWS - MOVES, ADDS AND CHANGES
A REGULAR LOOK AT THE STORIES INVOLVING PEOPLE, COMPANIES AND SOLUTIONS
Is it possible that as Cyber criminals
increase their scope and penetration
they will consider introducing the concept
of Customer Service? Well based on
a report recently released by F-Secure, it
seems so. The report found that three
out of four criminal gangs practising
Ransomware were willing to negotiate
the fee for release.
They evaluated the customer experience
of five current crypto-ransomware
variants, beginning with the initial ransom
screen through to interacting with
the criminals behind them. Apparently
the most professional user interface did
not necessarily offer the best customer
experience and on average a 29 per
cent discount can be negotiated with evidence
that deadlines are not always set
in stone. Because of the need to establish
a degree of 'trust' with the victim
many are ready to offer a certain level of
service in order to realise payment.
There is much regulation influencing
the data residency decision. However,
the Russian Government has recently
passed a law that may compound this
further. It makes Internet and Telecom
user data storage mandatory and now
calls, texts, chats and web browsing
activity will be monitored and stored. The
resulting information can then be
accessed by authorities and some government
agencies without a warrant.
In response, NordVPN has taken a
number of steps to ensure that Russian
Internet user data is encrypted, notlogged
and inaccessible even if their
Russian servers are seized. Those servers
are using advanced security protocols
OpenVPN and IKEv2/IPsec as default
and they operate a strict no log policy
and store no data on any NordVPN
servers. Finally VPN traffic on a server is
encrypted and if a Russian service
provider tracked the data, they would
only see NordVPN servers' IP address
and not the user's.
There are other threats to data; using
the Fidelis Cybersecurity Network solution,
Exatel has found that a web browser
developed by Chinese company,
Maxthon has been collecting sensitive
user data. Apparently, it transmitted endpoint
information such as the OS version,
screen resolution, CPU type/speed
and amount of memory installed, location
of Maxthon executable, status of
adblock (enabled or not, number of ads
blocked) and the homepage URL, which
they say could indicate a reconnaissance
operation.
Justin Harvey, chief security officer at
Fidelis Cybersecurity explains, "By knowing
the exact operating system and
installed applications, as well as browsing
habits, it would be relatively trivial to
send a perfectly crafted spear phishing
attack to a target, or perhaps set up a
watering hole attack on one of their
most frequently visited websites." As a
result, Harvey reminds us that
"Organisations need to note two things.
To be aware of the potentially egregious
data capture happening through
installed applications and leaving their
organisation as well as their endpoints
and secondly, software is frequently
installed on endpoints at home and
work, but that code is often not verified
and may not be doing what it purports to
do. Ultimately, it's only with visibility into
both the network and endpoints that the
Maxthon discovery was made, so it's vital
that enterprises monitor both."
There is more evidence that organisations
are preparing themselves for the
IoT opportunity. Tech Data Corporation
has created a new Internet of Things
(IoT) business practice called Smart IoT
Solutions. It will be led by company veteran
Victor Paradell who is currently VP
IoT Solutions, Europe.
According to Gartner, IoT endpoints
are predicted to grow at a 32 per cent
compound annual growth rate from
2013 through 2020, reaching an
installed base of 21 billion units, with
almost two-thirds of them consumer
applications. With such explosive growth,
solution providers need clarity, education
and an effective route to market. NC
WWW.NETWORKCOMPUTING.CO.UK @NCMagAndAwards
JULY/AUGUST 2016 NETWORKcomputing 7

PRODUCTNEWS
VERSION X
VERSION X
VERSION X
VERSION X
VER
WITH PRODUCT ANNOUNCEMENTS RANGING FROM THE TRIVIAL TO THE BIZARRE, THE EDITOR
DISTILS THE ESSENCE OF THOSE THAT ARE OF INTEREST TO THE NETWORKING COMMUNITY
Claiming that it is the first mobile
zero client solution based on standard
laptops, Toshiba Europe
GmbH has been explaining the purpose
of its Toshiba Mobile Zero Client (TMZC).
Using no operating system or hard drive,
TMZC allows users to access their own
virtual desktop, whether at work or at
home, with no data hosted locally on
either the HDD or solid state drive. All
functionality and data is available
through a cloud-based virtual desktop
infrastructure, eliminating the possibility
of malware being stored on the device
and minimising the risk of data theft if
PCs are lost or stolen. TMZC based computing
leaves no footprint and is highly
compatible with most existing IT infrastructure.
51Degrees has introduced an NGINX
(pronounced enginex) module to allow
customers to integrate its fastest, most
accurate device detection solution into
existing NGINX frameworks. NGINX, an
open source reverse proxy load balancer,
is currently used by more than 40 per
cent of the busiest websites, including
Netflix, Pinterest, and WordPress.com.
This module has been created from customer
demand to provide seamless integration
of its services. NGINX is known
for its high performance, stability, rich
feature set, simple configuration and low
resource consumption.
Commenting, James Rosewell, CEO and
founder of 51Degrees said "We continuously
strive to evolve in line with customer
requests. The NGINX module allows customers
to seamlessly integrate our device
detection solution to improve the user
experience and simplify their networks."
Data centres don't always convey the
image of a safe and pleasant working
environment, and so the introduction of
energy efficient, flexible to install LED
Tubes optimised for aisle containment
infrastructure might help. Minkels, who are
part of the publicly traded company
Legrand, have announced the LED tubes in
two variants. In the first situation the LED
Tubes are on 24/7, but in the second they
are activated by means of a PIR movement
sensor, meaning that they turn off automatically
as the corridor is vacated.
The high luminosity (335 LUX) combined
with energy efficiency means that the LED
Tubes are very useful when applied in the
aisles of free standing corridors or next
generation corridors, especially when
using black coloured racks and corridors.
Staying in the aisle, Dataracks has been
talking about its latest fire detection and
suppression solutions. They are now partnering
with Nobel Fire Systems and
Optex to produce the latest fire safety
solutions. The Optex HSSD dust particles
sensor sets new standards for the early
warning of fires, with exceptional sensitivity
and a built-in fan to provide active
sampling. It can be easily mounted inside
cabinets and racks to ensure rapid detection,
which can potentially avoid a fire
from breaking out in the first place.
Dataracks also supplies Nobel Fire
Systems' Stat-X range of fire suppression
systems, which can also be installed into
virtually any rack. Each compact, selfcontained
aerosol unit offers strategic fire
control to prevent escalation and limits
the damage associated with whole-room
fire suppression.
Jeremy Hartley, Managing Director of
Dataracks, comments, "As an innovationfocused
company we are pleased to offer
these fire safety solutions. Our new
agreements with Optex and Nobel Fire
Systems will ensure that we remain at the
forefront of data centre improvement."
Amazon Web Services (AWS) has
enjoyed legendary success and now it is
available from global interconnection and
data centre company Equinix. The (AWS)
Direct Connect cloud service in Equinix's
Amsterdam International Business
Exchange data centres means that companies
can connect their customer-owned
and managed infrastructure directly to
AWS, establishing a private connection to
the cloud that can reduce costs, increase
performance and deliver a more consistent
network experience. The Equinix
Amsterdam location brings the total number
of Equinix metros offering the Direct
Connect service to eleven, globally.
France-IX, the international Internet
exchange based (unsurprisingly) in France
and offering IPv4 & IPv6 public and private
peering to Internet services
providers, content delivery networks and
8 NETWORKcomputing JULY/AUGUST 2016 @NCMagAndAwards
WWW.NETWORKCOMPUTING.CO.UK

PRODUCTNEWS
SION X
other types of Internet networks, has
announced that Online.net, a French web
hosting provider has joined the growing
number of its peering members to
upgrade to 100Gbps ports. The migration
from four 10Gbps ports to two
100Gbps ports has significantly boosted
capacity at Online and is enabling the
company to deliver increased performance
benefits to its customers. Part of the
Iliad Group, which also owns the operator
Free, Online has been providing hosting
services since 1999 and now hosts
several hundred thousand websites across
three data centres, offering a range of
services including domain names, dedicated
servers and web hosting to Internet
stakeholders of all sizes, worldwide.
Eric Schwartz, EMEA president for
Equinix confirmed that "Our goal is to
help enterprises realise the full benefits of
the cloud, while helping to eliminate concerns
of application latency or cost. By
providing access to AWS via the Direct
Connect service, we are empowering our
customers to achieve improved performance
of cloud-based applications."
Ipswitch is launching the most significant
update to its network monitoring
portfolio in years. WhatsUp Gold 2017
has been designed to alleviate the growing
pressure on IT professionals, allowing
them to visualise and interact with their
network like never before, including the
ability to troubleshoot faster with intuitive
maps, workflows and dashboards, and
monitor their entire environment with one
flexible license. Commenting, Michael
Hack, Senior Vice President of EMEA
Operations said, "WhatsUp Gold 2017
leverages advanced visualisation technology
to intuitively map the user experience
directly to the environment that the IT
team created. The interface will be immediately
familiar, allowing team members
to easily understand irregularities at a
high level and then drill down to detailed
device level information, keeping them in
front of potential issues."
Prague based Avast Software has updated
its flagship product, which can now
deliver new technology to fight threats in
a lightweight, high-speed solution that
uses the cloud to identify and analyse
threats. Avast Antivirus Nitro Update arms
users with security software that is smaller
in size and designed to improve speed,
boot time, download time and system
performance, while providing state-ofthe-art
protection from never-ending
attacks. Along with the Nitro Update
comes security and performance
enhancements to Avast's SafeZone browser,
which isolates browsing sessions and
gives users a much safer and more private
browsing experience than a standard
browser.
Independent research conducted by testing
institution AV-Comparatives found
that PCs run faster with the Avast Antivirus
Nitro Update than with Windows
Defender, which is on by default on
Windows 10 PCs. Avast CEO Vince
Steckler says, "Our priority has always
been to provide users with the best possible
protection by staying on top of new
and emerging threats. With the Nitro
update we are bringing to users a tool
that has minimum system impact and
actually helps PCs perform faster, with the
same strong protection they have grown
to associate with Avast."
With so many other things to think
about, network downtime seems a somewhat
archaic concept, but of course it is
a real issue and to be avoided. Mindful
of this, IDEAL Networks has upgraded its
LanXPLORER Pro network troubleshooter.
Alongside new diagnosis and connectivity
features, technicians using LanXPLORER
Pro can now transfer test data to mobile
devices directly from the work site using
the IDEAL AnyWARE app. The app allows
users to quickly and simply share PDF or
CSV test reports with colleagues or clients
in order to enhance collaboration and
troubleshooting capabilities and help
boost productivity.
The device minimises network downtime
by quickly finding and diagnosing problems
in networks, cabling and Ethernet
devices using copper, fibre and Wi-Fi
interfaces. By connecting directly to a
specific point rather than scanning an
entire network, the device can quickly
verify status and connectivity and then
monitor the total network bandwidth,
analysing the top 10 bandwidth talkers
and listeners to identify devices which
may be impeding overall network performance.
NC
WWW.NETWORKCOMPUTING.CO.UK @NCMagAndAwards
JULY/AUGUST 2016 NETWORKcomputing 9

FEATUREGDPR
GDPR AND
PERSONAL DATA
WITH GDPR INEVITABLE FOR ALL
EU MEMBER STATES, URGENT
ACTION AND MINDFUL
PREPARATION IS AN ESSENTIAL
IMPERATIVE. JAMES WICKES,
CEO AND CO-FOUNDER OF
CLOUDVIEW EXPLAINS
The recently approved General Data
Protection Regulation (GDPR) is
described by legal firm Wright Hassall as
the biggest shake-up of data protection law
for 20 years. It will be directly applicable to
EU member states without further
implementation and serious breaches could
see organisations facing fines from the
Information Commissioner's Office (ICO) of
up to 20 million euros or 4 per cent of
turnover, whichever is higher, for serious
breaches of the Act.
To help clarify its impact we asked Wright
Hassall to comment, and they highlighted two
main points:
Organisations whose core activity consists
of processing special categories of data or
the systematic large scale monitoring of
individuals, must appoint a Data
Protection Officer to monitor and ensure
compliance.
Organisations must ensure an individual's
consent to the processing of their personal
data is 'freely given, specific, informed and
unambiguous' and in most cases, implied
consent will not suffice.
There could be even more at stake, however.
The Culture, Media and Sport Committee's
investigation into cyber security, which was
triggered by the cyber-attack on TalkTalk, was
published in June 2016. It makes two
recommendations with major implications for
those senior executive with legal responsibility
for their organisation's behaviour.
First, it suggests that a portion of CEO
compensation should be linked to effective
cyber-security. It then goes on to say: "We
concur with the ICO that whilst the
implementation of the GDPR will help to focus
attention on data protection, it would be
useful to have a full range of sanctions,
including custodial sentences." So clearly,
executives could face jail as well as fines for
substantial breach of regulations.
The increased fines will apply immediately
after the GDPR is implemented, so it is vital to
begin implementing GDPR compliant policies
and processes as soon as possible. The first
step is to carry out a Privacy Impact Assessment
(PIA) to identify the most effective way to
comply with data protection obligations and to
meet individuals' expectations of privacy: this
includes ensuring that all data is being
gathered for a legitimate purpose and the ICO
has produced a useful guide.
Other factors that should be considered
include secure storage of data along with
safeguards to prohibit interception and
unauthorised access; whether there is a
published information retention policy which is
documented and understood by those
handling data collection; whether data is
deleted when it no longer serves a purpose;
and whether staff know how to respond to
requests from individuals for access to their
personal data.
Finally, organisations need to understand
that personal information is not just written text
but includes photos, video and - a surprise to
many - CCTV recordings. CCTV is often used
to monitor communal areas, manufacturing
sites and warehouses, but if footage enables
individuals to be identified then it is covered
by the GDPR. Adding sound to CCTV is a
further concern, as CCTV surveillance systems
should not normally be used to record
conversations between members of the public
or staff in a working environment. Recording
conversations is highly intrusive and unlikely to
be justified, and this is an example of that
which would be identified by carrying out a
thorough PIA.
One potential solution for GPDR compliance
is to hold information in the cloud, as this
retains data securely off-site and many cloud
systems already have all the required security
and encryption in place. However,
organisations still have to take responsibility
for ensuring that their cloud provider is
compliant with the new regulations, so there is
no possibility of ignoring this responsibility, just
better ways to achieve it. NC
A briefing note, 'Is your use of CCTV
compliant with data protection legislation', is
available from the Wright Hassall website:
www.wrighthassall.co.uk
10 NETWORKcomputing JULY/AUGUST 2016 @NCMagAndAwards
WWW.NETWORKCOMPUTING.CO.UK

FEATUREGDPR
RIGOROUS AUDIT
WHATEVER THE IMPACT OF BREXIT ON EU LEGISLATION, ROMAN
FOECKL, CEO AT COSOSYS EXPLAINS WHY A 'BY THE BOOK'
AUDIT IS THE ESSENTIAL FIRST STEP TO DATA COMPLIANCE
Two years may seem like a long time,
but for EU organisations, particularly
those that deal with data pertaining
to European citizens, it will pass quickly as
they battle to implement the mandated
procedures and tools that will ensure their
compliance with the reformed GDPR.
Actually, given the strict rules and the fact
that very few companies already have
clear guidelines and policies for data
security, especially referring to data in the
cloud, two years may not be enough.
Then, there's the specific character of this
form of regulation such as it being
ambiguous or leaving space for
interpretation: it's not going to be easy.
The highest success rate will be achieved
by organisations that have a systematic
approach based around the three steps of
planning, execution and evaluation and
usefully reinforced by some established
policies. Whatever the case, chances will
be maximised by starting immediately with
an audit.
The reformed EU Data Protection
regulation is like a tribute to individuals'
private data, forcing companies to
increase measures to protect data, to
ensure its integrity and to respect an
individual's right for data deletion. The
audit will establish exactly what data is
collected and processed, and to whom
and where it is transferred, especially if it's
leaving the EU. The importance of the
audit is clear and the entire outcome of
the process of becoming compliant
depends on it.
There are several information audit
management tools that can help with the
audit, but they should always be
accompanied by close supervision of key
decision makers in the company, like CSOs,
HR managers and other departmental
managers that can advise on the business
processes and the information flow.
Data Loss Prevention is also a key tool
that helps the audit process. It offers
detailed reports on data being transferred,
by whom, through what applications or
what removable devices. Research recently
conducted at Infosecurity Europe revealed
that USB devices still represent a big
threat, with 61 per cent of respondents
saying that they are not forced to use
encrypted USB devices and 21 per cent
admitting to the loss of a USB device
containing sensitive data.
So you can see, knowing what data is
being transferred to removable devices, on
online services and applications, and the
associated data, is vital for the audit and a
first step in protecting data and complying
with the revised data protection rules. DLP
is the technology to help with this and
since data controllers are responsible if
data transferred outside of the EU is lost
via a non-EU cloud provider, DLP will be
even more important to detect sensitive data
like personally identifiable information being
transferred to online and cloud applications.
The three essential steps of audit are:
Detect and define what sensitive
information about employees,
customers, and other stakeholders your
organisation stores and processes. This
step is crucial for later steps, when the
actual implementation of the data
security policies will take place.
Check and review your privacy
notices, especially in your direct
marketing activities. Consent has to be
expressed explicitly for any piece of
information collected which should
only be used for the mentioned
purpose; also, data controllers must
be able to prove valid consent.
Extend the audit to the information
security software and hardware your
organisation uses. The audit should
reveal if the systems are updated with
the latest security patches, if they cover
all aspects included in the GDPR, if all
threats vectors are somehow
addressed, etc.
During the audit, all actions and data
should be carefully documented. Next, the
corrective and restrictive measures to
support the new regulations and update
the incident response plan are needed. It
is only at this point that a solid foundation
will be established for the future. NC
WWW.NETWORKCOMPUTING.CO.UK @NCMagAndAwards
JULY/AUGUST 2016 NETWORKcomputing 11

5-6 October 2016, ExCeL London
SIX IT EVENTS UNDER ONE ROOF
CLOUD
EUROPE
CYBER
SECURITY
EUROPE
NETWORKS &
INFRASTRUCTURE
EUROPE
DATA
ANALYTICS
EUROPE
DEVOPS
EUROPE
OPEN
SOURCE
EUROPE
Powering the Digital Enterprise
Securing the Digital Enterprise
Hosting the Digital Enterprise
Insight into the Digital Enterprise
Enabling Continuous Delivery
Future of Collaborative Code
IP EXPO Europe is Europe’s
number ONE Enterprise IT event
for those looking to find out how
the latest IT innovations can
drive their business forward
REGISTER FREE
ipexpoeurope.com

FEATUREGDPR
TAMING THE GDPR
IF YOU HAVE TAKEN THE
APPROPRIATE MEASURES TO
PROTECT YOUR DATA, AND
HAVE CONSIDERED ALL OF
THE RELEVANT LEGISLATION,
THEN YOU HAVE NOTHING
TO FEAR FROM THE EU GDPR,
WRITES BRIAN CHAPPELL,
DIRECTOR OF TECHNICAL
SERVICES FOR BEYONDTRUST
The EU General Data Protection
Regulation (GDPR) extends data
protection law to all companies
processing the data of EU residents,
irrespective of where the data processor is
based. It means these companies have a
simpler task: to comply with only one data
protection approach across the whole of
Europe. The penalties for non-compliance
could be severe with substantial fines based
on annual company turnover.
The regulation has clearly been designed
with social networks and mobile apps at its
core, but the wording of the law means that
it can be applied everywhere. That means
everyone has to take this seriously and, with
less than two years until it comes into force
(even if you aren't an EU member), it's time
to start getting ready for 23rd April 2018.
As always with something new, radical
and mandatory, making an early and
effective start is critical.
Security First: Data protection (DP) by
design and by default is a key tenet of the
new legislation, which means that data
protection safeguards will be baked into
products and services from the very earliest
stages. In fact they should be considered as
first principles. Don't start any new IT
project, software development or service
without having data protection at the front
and centre of the activity. Anything
underway but not yet released should be
reviewed to ensure that DP is covered.
Prevention is better than a cure: My first
piece of practical advice is to address the
preventative actions first when looking at
your DP strategy. Privileged Password
Management should be your first port of
call; make sure that no-one has direct,
unmonitored access to the data stores.
From there, look to Least Privilege as a
best practice to prevent anyone gaining
inadvertent access to sensitive data
through rights granted for an unrelated
requirement. Good least privilege
solutions allow you to know exactly what
the user can do, and don't forget
vulnerabilities. Just as you wouldn't forget
a broken lock on your office building,
don't forget to scan regularly (at least once
a week) and fix those vulnerabilities that
have published exploits.
Detection, mitigation, protection: When
you've got the preventative measures
covered, look to technologies that will help
you to detect, mitigate and protect against
attacks. No preventative solution is 100 per
cent effective, but with effective post
compromise technologies you will get as
close as is possible. Early detection will be
important in avoiding some of the heftier
fines that the GDPR threatens, and the less
data that is exposed and the better your
prevention and detection, the better it is for
everyone. Don't get drawn in by allencompassing
solutions (in anything other
than reporting and dashboards). A
carpenter doesn't carry one tool with all the
attachments they need.
Other Regulations: Use all the
regulatory requirements with security
concerns published, even if they don't
specifically apply to your organisation.
They can often provide good frameworks
to shape your approach and will help you
focus on the gaps.
Be Honest: Review your security honestly.
If you don't have the skills then use external
resources to test your security and engage
your local hacking community to help you
craft better defences and detection. The
only failure in IT security is in thinking that
you've done it.
In essence the GDPR doesn't demand that
you do anything you shouldn't already be
doing. It makes sure that those who haven't
taken necessary precautions, or haven't
been open about being breached, are held
accountable. Having just one DP regulation
for the entire EU, as opposed to the 28
current sets, will undoubtedly be easier to
comply with. The fines are scary, but we
should welcome the simplification. NC
WWW.NETWORKCOMPUTING.CO.UK @NCMagAndAwards
JULY/AUGUST 2016 NETWORKcomputing 13

FEATUREGDPR
THE NAC OF GDPR
READINESS
What role might existing
technology play as the GDPR
unfolds? Paul Donovan of Pulse
Secure considers how NAC can
help to protect corporate data
and help compliance with the
new legislation
There is a distinct lack of official guidance
for organisations who should be
preparing for the GDPR, but with the
potential threat of huge fines organisations
can't wait and must act now. Regardless of
your industry sector, you need to ensure that
your organisation's data is secure, both on
and off-premise. Policies such as BYOD and
remote working can make securing data more
complicated, which has resulted in a
resurgence of interest in Network Access
Control (NAC). No one knows what GDPRcompliance
looks like yet, but securing access
to the network is the first step to securing
access to data, and thus aligning your
organisation with the sentiment of the GDPR.
MARKET FORCES
With new collaborative working practices and
the prevalence of BYOD and remote working,
controlling access to the network has become
increasingly complicated which, in turn,
means that protecting the data both on and
off premise is itself more complicated.
Nowadays, employees expect to be able to
work from home, bring their own devices to
work and even connect other personal
devices to corporate Wi-Fi.
In addition to BYOD, the Internet of Things
(IoT) and cloud applications mean that there
are more endpoints, all with distinct
operating systems and all accessing the
network, than ever before.
As well as being able to connect offpremise,
employees also expect to be able to
connect from a point in the building other
than their allocated desk. For example, if they
are hosting a meeting with partners, they will
expect for themselves and their visitors to
seamlessly connect to the network.
TODAY'S NAC SOLUTIONS
All of these elements present a huge threat
to the security of an organisation's data and
they articulate what's putting NAC back on
the agenda. A 2014 ESG research report on
network security claimed that 40 per cent of
organisations were enforcing NAC
"extensively across the enterprise," and an
additional 44 per cent using NAC to a
lesser degree.
Previously, NAC was overly complicated and
expensive but technological advances make it
a much more attractive proposition today.
NAC solutions now give the IT department
much more control to grant access based on
contextual information (e.g. user ID, role,
device type, security posture, location). This
kind of visibility and control effectively means
that only authorised employees have access
to corporate data depending on their role,
location, and even the time of day.
THE RISE OF DATA BREACHES
A Frost & Sullivan report last year expected
NAC revenues to more than double from
$552.8 million in 2014 to $1.46 billion by
2018 and it suggests the resurgence of
NAC is very much underway. This
expectation could be because the increasing
number of data breaches has put network
access on the boardroom agenda as well as
IT departments.
Recent research from IBM and The
Ponemon Institute claims that the
organisational cost of a data breach has
increased from £2.37 million in 2015 to
£2.53 million in 2016. This is due to a
combination of resources that are deployed
to deal with the breach and the reputational
and customer losses which directly impact on
an organisation's bottom line. With the
impending EU GDPR, this cost could
potentially increase to include a fine based
on global annual turnover.
While the fallout from the GDPR remains
unclear, the ability to prevent devices or
users without the right credentials from
accessing the network, regardless of where
they are, illustrates to the Information
Commisoner's Office (ICO) that an
organisation is taking its data security
seriously. Of course, a breach may still occur
as it's impossible to account for all
eventualities, but having policies, processes
and technologies in place, sponsored by
senior management, will help should the
worst happen. NC
14 NETWORKcomputing JULY/AUGUST 2016 @NCMagAndAwards
WWW.NETWORKCOMPUTING.CO.UK

PRODUCTREVIEW
Unified Security
Service from
CensorNet
PRODUCT REVIEW
PRODUCT
REVIEWPRODUCT RE
Companies depending on web and
cloud applications for their business
operations are going to have to
rethink their security strategies. Despite the
range of solutions available on the market,
few currently offer the level of control required
to keep users and data safe, while still
allowing them to efficiently do their jobs.
The Unified Security Service (USS) from
CensorNet offers a sophisticated approach
providing real-time discovery, analysis and
control for a huge range of web and cloud
applications. USS also provides
comprehensive URL filtering and optional
email protection, all easily managed from a
single cloud portal.
Deployment was simple as CensorNet
agents for Windows and OS X can be
downloaded directly from the portal. Prior to
pushing them to test systems we created agent
profiles that set details such as SSL
interception, a captive portal for BYOD users
and enforced password protection to stop
agents being modified.
For LAN protection the CensorNet USS
Gateway component provides a web proxy
based on Ubuntu 14.04. Delivered as an ISO
file it runs on a physical or virtual server and
for the latter supports hosts such as VMware,
Hyper-V, VirtualBox and XenServer.
We were able to swiftly deploy proxy settings
using methods such as Group Policy, default
gateway or WPAD (web proxy auto-detection).
The SSL Interception feature requires that a
root CA certificate be installed onto each
system. It can be downloaded from the
gateway but installation is automatic when a
windows agent is deployed.
The USS web portal opens with a
customisable dashboard offering a complete
graphical overview of all web and application
activity. We added graphs and charts to show
the top domains and cloud applications being
accessed, along with blocked domains plus
general web browsing activity, and we could
change the views for each one to display
different time periods.
Web and cloud application activity is
monitored and controlled using policies.
These employ the CensorNet rules engine
which uses types, conditions, logic and actions
to determine whether an activity is permitted.
This makes USS highly flexible as policies can
be applied to Active Directory OUs, security
groups and users, devices and groups, device
types such as PCs, smartphones and
wearables, and also time periods. For web
browsing control USS offers over 140
categories to choose from, while the cloud
application list includes 30 classes with
multiple activities within each one.
We tested with a range of cloud applications
including LinkedIn, Facebook, Twitter, Gmail,
Dropbox, OneDrive, Google Drive, Google
Apps plus WebEx and were bowled over by
the level of control available. Look no further
if you want total Facebook control, as USS
can identify 113 different activities such as
joining groups, editing profiles, sharing posts,
unfriending, uploading files or creating pages.
The reports tab provides an incredible amount
of information about web and cloud
application usage as each entry showed us
precisely what our users were doing, along
with links to web sites being accessed. For
Gmail, we could see when users logged in,
who they emailed, if they read or trashed
emails and the action that USS applied to
activities.
MSPs will like USS as its Partners feature
allows them to create customer accounts and
provide various levels of access by defining
roles by account. Message protection also
comes under its remit and the CensorNet
Email Security cloud solution provides antispam,
anti-virus, anti-phishing and content
filtering, which can be managed directly from
the USS web portal.
CensorNet USS impressed us hugely during
testing. It offers a remarkable insight into web
and cloud application usage within the
workplace, is very easy to manage, and its
versatile policies and rules engine deliver the
granular controls that today's cloud-savvy
businesses urgently need. NC
Product: Unified Security Service
Supplier: CensorNet
Web site: www.censornet.com
Phone: +44 (0)845 230 9590
Email: marketing@censornet.com
Price: Per user per year subscription
WWW.NETWORKCOMPUTING.CO.UK @NCMagAndAwards
JULY/AUGUST 2016 NETWORKcomputing 15

FEATUREGDPR
PRIVACY BY DESIGN
ROSS WOODHAM, DIRECTOR
OF LEGAL AFFAIRS AND
PRIVACY AT COGECO PEER 1
EXPLAINS THE IMPORTANCE OF
ADDRESSING PRIVACY AT THE
DESIGN STAGE OF PRODUCTS
AND SERVICES
The General Data Protection Regulation
(GDPR) is a positive development
because its impact will help to lessen
the tremendous damage that can be
inflicted following a major cyber-attack. It
may even help to disarm the vulnerability in
the first place.
Some IT departments may not be keen
though, believing that the GDPR will place an
onerous burden on them. They may also think
that Brexit will let them off the hook. In reality
though, and even with the news of the UK's
exit from the EU, if we wish to continue to be a
close trading partner with the EU then UK
businesses will need to adopt a broadly
similar framework of standards to protect the
data of EU citizens, along with other EU
trading partners such as the US and Canada.
STANDARDISING DATA
REQUIREMENTS
The GDPR marks the beginning of widespread
unification and standardisation of data privacy
requirements both within the EU and arguably
on an extra-territorial basis, at least in respect
of EU citizens' data. Given that data is
growing exponentially with the increasing use
of big data, cloud, mobile and the Internet of
Things applications, the challenges of
managing, securing and processing
information becomes ever more complex.
Within this context and that of the GDPR, a
privacy by design approach to new
applications, platforms and services will help
to focus on data management issues and
benefit from these sensible requirements.
EMBEDDING PROTECTION
The concept of privacy by design is an
approach that bakes privacy processes into
the design specifications of technologies and
other practices. For instance, a central GDPR
requirement is establishing when it is
appropriate to delete personal data - or
equally only retaining information that is
strictly necessary for a well-defined purpose.
Such requirements should be factored into the
design of the technology or system.
The right to be forgotten is also a central
tenet in the GDPR. It allows individuals a
qualified right to request that their data be
erased. Designing a system to enable you to
manage data in this way will be essential to
enabling compliance and avoiding
cumbersome manual processes.
THE FUTURE IS NOW
Given that the lifecycle of new products and
services can span several years, it makes
sense to address privacy at the beginning of
product and service development, rather than
reactively retro-fitting to meet regulation.
Organisations should start planning privacy
requirements now because in 2018 they will
be challenged by these rigorous obligations.
In this way, as new products and services
progressively move online over time,
organisations will already be compliant
when the GDPR takes hold. What's more,
the privacy by design blueprint will already
have been established and put into
practice, making compliance a matter of
routine and a critical operational element
of business as usual.
CLEAR BENEFITS
In the US, there is a growing groundswell of
strong public opinion demanding greater
privacy and reacting to media coverage of
government snooping. Some progressive US
organisations understand that being ahead of
the curve on these issues is good for business
and are already incorporating the concept of
differential privacy into their artificial
intelligence endeavours. Their approach
suggests that they will obscure big data results
in order to mask individual inputs while still
extracting useful information on larger trends.
These instances are real life examples of the
core principle of privacy by design which is at
the heart of the GDPR.
While on this side of the pond advances in
privacy might be being driven initially by
regulation rather than market forces, it is very
likely that those organisations that take an
active and responsible approach to secure
their customer data will be rewarded with
consumer favour, which will of course have
positive implications for both reputation and
revenue. NC
16 NETWORKcomputing JULY/AUGUST 2016 @NCMagAndAwards
WWW.NETWORKCOMPUTING.CO.UK

FEATURETHE INTERNET OF THINGS
THE IOT SECURITY
CHALLENGE
IOT DEPLOYMENT INCREASES
THE POTENTIAL NETWORK
ATTACK SURFACE. KATHY
SCHNEIDER OF LEVEL 3
COMMUNICATIONS SAYS
THAT WE NEED TO ADDRESS
THIS BEFORE ADOPTING IOT
The Internet of Things (IoT) continues to
generate debate and interest amongst
businesses and consumers alike. Frost &
Sullivan estimate that by 2020 there will be 80
billion connected devices worldwide: IoT is set
to transform our lives. However, this
transformation requires careful management in
order to arrive smoothly at our destination,
and security is one of the most pertinent issues
that those entrusted with this transformation
must address.
A few months ago, a non-malicious hack of a
children's toy company proved that extracting
photos and personal information from innocent
consumers was possible. The hacker illustrated
that the company was not secure and in turn
sent all businesses a warning. This case - not
the first of its kind - and related issues continue
to make the news as the global IoT security
challenge evolves and grows.
As more devices become connected, the
access perimeter, essentially the danger zone,
widens. With millions of malware strains and
thousands of new families of viruses identified
each year, the old-fashioned trio of anti-virus
software, a firewall and intrusion detection will
simply not do.
Enterprises tend to focus on Bring Your Own
Device (BYOD) security in relation to mobile
phones and tablets, but they must now also
consider all other connected devices entering
the work domain every day, as they provide
effective doorways to their data. Such devices
include increasingly popular fitness trackers as
well as devices that exist on employee Wi-Fi
networks at home and provide VPN access to
the corporate server. They create security
loopholes that are ripe for exploitation by
malicious actors. According to a recent study
from HP, 6 out of 10 IoT devices had common
cyber-vulnerabilities and 70 per cent did not
encrypt their internet communications.
Security becomes an even bigger concern
when one considers the volume of data
collected by connected devices every day. To
tackle this, a network-based security solution is
required that establishes protection at the
network perimeter. Businesses are then in the
best position to mitigate threats from entering
their network in the first place. Network-based
security will not only simplify things for
businesses, but the ability to manage security
from a single viewpoint will lead them to
financial savings as separate, software-based
solutions will no longer be required. In short,
enterprises will need a simplified, easy-toupdate
ecosystem that provides a holistic view
of their security posture.
To start with, it is essential that organisations
deploying IoT devices conduct rigorous
analyses of built-in and external security
controls for all connected devices and services
currently in use and those planned.
An audit of the following elements is a vital
starting point, in securing any IoT connection:
Communication channels
Use of encryption
Analysis of data collected, stored and
transmitted
Security of the communication endpoint(s)
Given rapid IoT adoption and the broadening
of the cyber-attack surface, organisations must
be increasingly vigilant in conducting
comprehensive risk analysis and implement
proper governance structures. A risk-based
approach is the best way to balance the
challenges of using IoT with its impressive
productivity benefits.
Businesses must ensure that core networks are
robust. Looking beyond security in the current
computing environment, resource-intensive
and internet-connected devices will also need
virtualised servers and reliable cloud storage.
Migration to these systems can incur its own
security issues. However, in employing a
network-based security approach, businesses
should also be able to simplify this process.
The great potential offered by IoT has been
discussed at length, with businesses and
consumers excited for what the future will bring.
However, increased security concerns are valid
and pressing, and no one wants to see their
data compromised. A strong and secure
network is paramount in supporting an effective
and safe IoT environment. NC
WWW.NETWORKCOMPUTING.CO.UK @NCMagAndAwards
JULY/AUGUST 2016 NETWORKcomputing 17

FEATURETHE INTERNET OF THINGS
WITH GREAT
DATA COMES…
THE INTERNET OF THINGS
PROMISES GREAT DATA, BUT IT
ALSO BRINGS SUBSTANTIAL
RESPONSIBILITY. LARRY
AUGUSTIN, CEO OF
SUGARCRM CONSIDERS THE
WAY BUSINESSES UNDERSTAND
AND SERVICE THEIR
CONSUMERS
When Samsung announced that it
would be investing $1.2 billion into
the Internet of Things (IoT), the tech
world sat up and took notice. There has been
a persistent buzz around IoT for years, with
the showcasing of new IoT developments
often the main attraction at the technology
shows I attend, all year round. However,
Samsung's news heralds the start of a
revolution in the way devices interact with
each other and how they generate
meaningful customer data for businesses.
The technology industry is thinking about the
consumer in more detail than ever before, and
it is finding innovative ways to integrate the
daily routine with devices to create an
interconnected world. The potential for
businesses to amass a huge volume of
consumer data is endless. But with great data
comes great responsibility, and businesses
must have robust security measures in place to
avoid costly cybersecurity breaches.
Cloud networks, infrastructure, applications
and data need to be as secure as possible to
make IoT a success. For global enterprises, the
size and complexity of their customer data can
be challenging to manage in the public cloud.
Organisations should have the freedom to
implement the systems and architectures that
best address their needs for security,
compliance, and data integration.
Most cloud solutions are available only in
proprietary, multi-tenant, shared
infrastructure, single cloud configurations.
There's little or no opportunity for companies
to decide where they want their applications
and data to reside. The options are many -
public, and private, within your own country's
borders, on-premise or a hybrid combination
- but often, the only choice is the vendor's
proprietary cloud.
It isn't just consumer data that needs to be
taken care of. The modern working world
means that sensitive business and employee
data now spans an ever-increasing number of
devices. Modern CRM solutions can support
these complex security requirements by
providing a nimble and powerful service
which allows businesses to thrive in a
connected world.
But of course, terabytes of data are only
useful in the business world if you possess a
means to make sense of them. CRM
technology can form an important part of this
sense-making process and its very powerful
when deployed in support of an IoT network.
The IoT offers huge potential for CRM
platforms to build a single view of the
customer and create a frictionless, positive,
customer experience.
We have already begun exploring how to
integrate the IoT into our CRM technology.
We worked with VetAdvisor, the US-based
holistic care provider for military veterans, to
integrate Fitbit bands into its CRM
deployment. This enabled VetAdvisor to track
veterans' progress towards personalised
fitness goals and provide real-time coaching
via SMS messaging.
From geo-location insight to knowing what
time the customer puts the heating on, IoT is
capable of providing microscopic insight into
consumers' lives. But the wealth of data is as
overwhelming as it is exciting. A new channel
means another level of customer expectation:
they want to know that every touchpoint they
have with a company is unified. Businesses
must learn how to incorporate new channels
of data into an already complex web.
As the technology world looks to the future
and the potential that the IoT holds, the need
for businesses to maintain a secure
infrastructure is set to increase, exponentially.
Perhaps the future of IoT is best summed up
by WP Hong, President of Solution Business
Unit at Samsung, who stated in his keynote
address at January's Las Vegas Consumer
Electronics Show, "The age of the Internet of
Things has begun. It will be a success, but
only if we get the fundamentals right:
openness, interoperability and close industry
collaborations." NC
18 NETWORKcomputing JULY/AUGUST 2016 @NCMagAndAwards
WWW.NETWORKCOMPUTING.CO.UK

FEATURETHE INTERNET OF THINGS
AN IOT ECOSYSTEM
RYAN LESTER, DIRECTOR OF IOT STRATEGY AT XIVELY
OFFERS SOME PRACTICAL GUIDANCE FOR
SUCCESSFULLY IMPLEMENTING IOT
The Internet of Things (IoT) is an
attractive proposition for many
businesses. Making devices smart and
connecting them to an ecosystem can
provide large amounts of data that can be
used to better understand customers and
their product use, which can then drive
development and marketing.
Unfortunately it is not as simple as cobbling
devices together into an existing network.
There are a whole range of issues that need
to be considered to ensure that both the
business and its users achieve what they want
from an investment in IoT. In fact, the
complexity and number of considerations
that need to be addressed means that going
it alone can pose high risks and high costs to
any business unfamiliar with the technology.
Worst case, IoT can open up a business to
network vulnerabilities that could result in
loss of data, system functionality, customers
and reputation.
Even with partners in place, those looking to
implement an IoT solution should be aware of
how to proceed in a structured way. Indeed, it
is necessary to ensure they are working hand
in hand with their partners to ensure the best
possible outcome. The following ideas could
help to start in the right place.
SECURITY AND IDENTITY
MANAGEMENT
Security is undoubtedly the biggest issue
facing IoT - or any technology for that
matter. Every device that is network
connected provides a potential entry point
for a cybercriminal. When thinking about
IoT security, businesses should explore these
three elements:
The board. The
physical security of the
device: can it be
tampered with?
The wire. How are
messages secured when
transmitted across the
network?
The cloud. What
authentication and
identification procedures
exist to control those who
have access?
MAINTAINING, UPGRADING
AND GROWING
Any network that is initially successful will
need ongoing work to cope with new
developments in technology, standards and
threats, as well as connections from more
and more devices. Both onboarding of new
devices and network maintenance needs to
be carefully managed around the clock to
minimise user downtime, service interruption
and productivity loss.
DATA MANAGEMENT AND STORAGE
The IoT is causing an explosion in the
amount of data businesses need to store
and manage. It is likely that devices will
transmit data on a regular basis reporting on
a whole range of variables and producing
10s or even 100s of data points each day.
Scale that by the number of devices that
could be connected to the network and it
could easily equate to terabytes of data. This
information needs to be stored securely
whether it's situated on premise or at a
remote location. It must also be collated into
useful data types so that it can be analysed
and leveraged to create business value.
STANDARDS
As the IoT develops, so too will the
standards and certifications that regulate
devices, networks, and so on. These will
help to improve interoperability while
providing reassurance to consumers that
their data is safe. Being aware of these
developments and building them into the
IoT infrastructure are important for longterm
viability.
However, in this new arena there are
likely to be a number of competing
standards, particularly in the short term.
For instance, Google recently opensourced
its Thread protocol, thereby taking
a significant step to win the standards war.
As such, knowing which standards are
likely to succeed is also a significant factor,
perhaps even an advantage.
These are just some of the many
considerations for those looking to
implement an IoT solution. Whether
working alone or with partners, it's
important to get a firm grip on all of them
if you really want to ensure a longstanding
and successful IoT business
advantage. NC
WWW.NETWORKCOMPUTING.CO.UK @NCMagAndAwards
JULY/AUGUST 2016 NETWORKcomputing 19

OPINION
BEYOND TODAY’S LIMIT
NETWORK TESTING AND
DIAGNOSTICS NEEDS A
RETHINK AS ENGINEERS NEED
GREATER VISIBILITY,
ACCORDING TO TYSON
SUPASATIT, PRODUCT
MARKETING MANAGER AT
EXTRAHOP
Network testing and diagnostics is
often thought of as a way to
efficiently get packets from point A
to point B. However, for the network
engineer, it's not just about the delivery of
packets, but efficient interaction between
the network and its applications. After all,
the network can deliver packets very
quickly, only to encounter an overloaded
server that cannot respond. For the user,
there is no difference between network
performance and application performance:
the service is just slow.
A better definition of network testing and
diagnostics should take into account
application behaviour. Efficient remediation
of performance problems requires network
engineers to understand not just how the
network is delivering applications, but how
those applications utilise the network:
Are database backups conveniently
scheduled?
Is a logging script copying the same files
and repeatedly transmitting them over
the network?
Are device DNS settings misconfigured,
leading to waste and noise?
What streaming media is running?
To help answer such questions, network
engineers require application-level detail to
diagnose network saturation and understand
usage. Traditional network testing and
diagnostic tools provide analysis for Layer 2
through Layer 4 but no visibility at Layer 7,
where application detail resides. This
information includes request messages,
response messages, status codes, error
messages, queries, methods, stored
procedures, file names, login failures,
certificates, URLs and more.
Correlation of the information across the
layers allows engineers to characterise the
network's traffic profile and make datadriven
decisions concerning adjustments to
network settings, or if the network
infrastructure requires an upgrade. Without
this application-level visibility, money can be
wasted purchasing new equipment to scale
up to a demand that may not exist.
Correlating network traffic from Layer 2
through Layer 7 is no trivial task, especially
at today's traffic speeds. Reliance on packet
capture tools such as tcpdump to obtain
application-level visibility used to be feasible
when network speeds were measured in
Mbps. This will not work today with
enterprises looking toward 40 Gbps and
100 Gbps services.
Instead of using packet capture to analyse
network traffic at rest, network testing and
diagnosis solutions need to provide a
stream analysis approach that reassembles
packets into full transactions, flows, and
sessions. With this full-stream reassembly,
these solutions will be able to extract the
details that are valuable to network
engineers without having to store the
packets and analyse them retrospectively.
Storing metadata instead of full packets also
provides network teams with visibility into
historical traffic patterns, not just packet rates
and throughput, but what applications those
packets represent. This in turn facilitates
better long-term capacity planning, which
benefits the organisation in terms of costs
and performance.
Stream analysis would also by necessity
require the reconstruction of the TCP
endpoints for every client and receiver.
Analysis of client-server interaction at Layer 4
(TCP) would also reveal behaviours such as
slow starts, receive window throttling, tiny
grams and Nagle delays, which can be
difficult to identify using traditional network
testing and diagnostics tools. Network
engineers need visibility of these metrics when
deciding whether to turn on Nagle's algorithm
or how to adjust the Maximum Transmission
Unit (MTU) sizes on their core services.
For those looking for a better way to carry
out network testing and diagnostics, thinking
about the task more broadly than just
measuring bandwidth and latency is a start.
Instead of just focusing on Layer 2 through
Layer 4, consider the importance of what is
happening at Layer 7 and its association with
the end-user experience.
A more holistic view of network activity will
enable smarter decision making when
optimising performance and planning capacity,
ultimately resulting in better service to IT
customers and the business they support. NC
20 NETWORKcomputing JULY/AUGUST 2016 @NCMagAndAwards
WWW.NETWORKCOMPUTING.CO.UK

OPINION
HYPER CRITICAL
HYPER-CONVERGENCE IS GAINING TRACTION. SUSHANT RAO,
DIRECTOR OF PRODUCT AND SOLUTIONS MARKETING AT
DATACORE CONSIDERS ITS EFFECT ON STORAGE INFRASTRUCTURE
There is a widespread growth of
hyper-convergence taking place and
it has led some vendors to opine
that it is the cure-all that data centres
have been waiting for. But while hyperconvergence
sounds great it has its pros
and cons, and IT professionals need to
understand these if they are to really
utilise its technologies and achieve
optimal results.
First, let's try and establish some
definition of the term hyper-converged.
Typically, hyper-converged technology
takes separate tiers of compute, network
and storage and combines them into a
single tier. The storage is direct-attached
to each node and software pools the
storage of each node into shared
storage. There is a virtualisation layer on
each node so that the applications are
running in VMs. The hyper-converged
software can run in either the hypervisor
or as a VM on top of the hypervisor.
From a hardware perspective it's pretty
simple. From a software perspective, it's
more complicated.
So what about the advantages? With
just 2 or 3 nodes, hyper-convergence
offers higher levels of availability
compared to a small deployment of 2
servers and shared storage, which is
typically low-end and creates multiple
single points of failure. By removing the
low-end storage hardware and leveraging
multiple nodes, hyper-converged can
sustain a failure to one of the nodes but
the applications will be able to recover.
In Remote Office/Branch Office (ROBO)
environments without dedicated IT staff
this is a huge advantage.
Another advantage is the ability to just
add more nodes in order to scale, which
makes sense for VDI. For example, a
company may start with a pilot of 2
hyper-converged nodes for 50 users. If
they want to grow to 100 or 500 users,
they will add 2 or 8 more nodes to
handle the additional users. This makes it
easy for IT.
So far so good - but what about the
disadvantages? The first is performance.
You may think that having data on the
same node as the application will
increase both I/O and application
performance, but this hasn't been proven.
The best benchmark to measure I/O
performance is available from the
Storage Performance Council (SPC). The
major storage vendors have run and
published the benchmarks so that
customers can compare the latency, IOPS
and price of their products, but to date
only one hyper-converged product has
run the SPC benchmark. If you are
expecting to quote major performance
improvement figures by moving to hyperconverged
then you may be disappointed.
Another disadvantage is that hyperconverged
offerings are typically 'walled
gardens', meaning that when companies
want to expand they can only use
equipment from their hyper-converged
vendor. There will be more options if their
hyper-converged product is a software-only
solution, as opposed to appliance based.
Lastly, hyper-converged conflates
storage and compute. This may seem
obvious but it is worth addressing up
front. Is your data growing at the same
rate as your compute? For most
companies the answer will be no. Data is
mostly growing much faster than
compute. When you go hyper-converged,
you are taking a gamble that your data
needs and your compute needs are
roughly in line.
Too many companies that have deployed
hyper-converged realise they need to
grow their storage capacity for additional
data without growing their compute, and
so quickly become stuck. It's much better
to seek a software solution that offers the
ability to scale storage capacity in a
hyper-converged deployment that is
independent of compute and can
leverage your existing storage.
In summary, hyper-converged makes sense
for small environments or VDI. But if you
need proven performance and you want to
integrate with your existing environment, or
you have data growth that outpaces your
compute, then there are better ways to
optimise your infrastructure. NC
22 NETWORKcomputing JULY/AUGUST 2016 @NCMagAndAwards
WWW.NETWORKCOMPUTING.CO.UK

INTERVIEW
INSIDE TRACK
INSIDE
INSIDE TRACK
INSIDE TRACK - GETTING TO KNOW THE
VENDORS…
RAY SMYTH EXPLORED A NEW APPROACH TO AN OLD
PROBLEM DURING A RECENT DISCUSSION WITH TIM
LONSDALE, CEO OF SPEARSEC
INSIDE TRACK
In the fast moving and relatively young IT
security sector it's reasonable to expect
threat vectors to arrive, be remediated
and usurped. When you add to this the
evolution of technologies that prevent,
thwart and remediate the attendant threats,
you can see that things can change fast and
often. This doesn't amount to a flawed
conclusion but it does explain why one
attack vector - Phishing - is all the more
remarkable.
Phishing used to be nothing more than a
convenient term for the theft of information.
But as a security threat vector, Phishing has
evolved, expanding its scope, reach and, to
those actors with malevolent intent, its
usefulness and value.
Tim Lonsdale is the CEO and main
developer of a new to market company,
SpearSec. From the outset of our
conversation Tim presented some interesting
statistics, explaining that while technology
can be considered highly effective at
preventing Phishing attacks, 10 per cent of
attacks succeed. While a 90 per cent
success rate would be considered successful
in many contexts, a Phishing campaign only
needs one successful attack for it to triumph.
Tim explained that Phishing is now
considered a gateway attack vector, and
therefore not an end in itself. With the initial
breach complete, it's not long before the
attacker is moving laterally and assembling
the means to facilitate deeper network
penetration: this all too often leads to the
launch of a Ransomware attack. Such an
attack can totally disable business
operations in an instant, and without some
specialised recovery capability in place the
only option is to pay the ransom. And
remember, this happens because just one
human being clicked on, for example, a
phishing email link.
Focused on those attacks that technology
does not prevent, SpearSec has created a
service that aims to challenge and train
employees in a realistic but totally safe way.
Tim explains, "We decided to build a service
that could engage safely with users while at
the same time expose them to a range of
realistic Phishing attacks, in real-time and
critically, on a continuous basis." This
approach is in sharp contrast to more
formal training. Tim adds, "It is live training
delivered as needed. Clicking a safe link
means that our service can present some
quick, relevant, and highly effective training
so that users can understand what they did
wrong and the alternatives." Clearly, this is
about changing behaviour.
It is commonly accepted that in a
successful cyberattack, regardless of vector,
the success will have been assisted by, if not
caused by, the action of a human being. Tim
says, "Technology alone cannot address
everything - we need to change the culture
and help users to learn and change their
behaviour in a safe, non-threatening
environment."
As well as delivering relevant in the
moment training, the SpearSec service is
building a profile so that a company can
measure its vulnerability to Phishing, its
progress in reducing that risk and activity
trends. In the case that an individual or
group are showing an unacceptably high
level of risk, a more focused and constructive
training response can be crafted.
As you can see this response is targeted at
people not technology and it is clear to see
its potential to drive significant cultural
reform because HR, departmental
managers, suppliers and staff will all
understand the power of working together in
this way. The SpearSec approach enables
people to experience a range of highly
specific Phishing attacks without the risk,
augmented by timely, specific training to
change human behaviour and create the
correct human reflex. The bold claim is that
in this way 100 per cent of Phishing attacks
can be blocked. NC
WWW.NETWORKCOMPUTING.CO.UK @NCMagAndAwards
JULY/AUGUST 2016 NETWORKcomputing 23

OPINION
TAMING DARK DATA
MANAGING DATA IS A
GROWING CHALLENGE AND
THE SPECTRE OF DARK DATA IS
PARTICULARLY TROUBLING.
JULIAN COOK, DIRECTOR OF
UK BUSINESS AT M-FILES
EXPLAINS HOW ECM CAN HELP
With ongoing digital
transformation meaning that
businesses are handling everincreasing
volumes of documents and
information, the issue of dark data is one
that has becoming impossible to ignore. It
poses a threat to compliance and
business efficiency, if left unchecked. To
tackle this problem, businesses need to
develop the ability to identify and
efficiently manage information through all
phases of its lifecycle.
The emergence of dark data has created
a lot of debate amongst industry
practitioners, and it is creating some
significant challenges for organisations.
Many have defined dark data as
information assets that are created and
used only once. While not wrong, it is a
deeper issue than this definition would
imply. Even content that is actively used
for a period of time can turn into dark
data when organisational and project
priorities change, as they do. Active
information that becomes inactive is
typically left where it was last used and
can be easily forgotten. To make matters
worse, employees are resourceful and will
often resort to recreating data when they
can't quickly find their own copy. This
process of duplication and recreation
multiplies the incremental volume of data
that can subsequently become dark.
Without active management, such
information can negatively impact
business productivity. Employees waste
excessive amounts of time searching for
misplaced or lost information and this in
turn reduces the quality of their work, and
it can contribute towards an organisation
not fulfilling its potential. In addition, the
current business climate requires thorough
and accurate record keeping and the
requirement to produce evidence for
quality control, compliance, legal actions,
risk mitigation and many other purposes is
only likely to increase.
In order to address this, businesses need
to develop the ability to identify and
efficiently manage information at all
phases of its lifecycle. Some proactive
businesses are doing this by deploying an
enterprise content management (ECM)
solution.
These solutions can help to simplify the
classification and identification of dark
data as opposed to active information
assets. ECM systems enable content to be
managed in a manner which enables it to
be accessed and synchronised between
various systems and devices, without the
duplication of files. In this way,
information is not tethered to a specific
location and as a result it is freed from
the traditional confines of applications,
platforms, and information silos.
Some information should go dark once it
has served its purpose. With an ECM
solution in place, documents and data
can be archived appropriately based on
selected retention rules. This helps to
simplify future discovery requests while
ensuring that information is stored and
processed based on predetermined
document lifecycle management policies.
The identification of legitimate dark data
also allows it to only remain visible to
authorised individuals. For example, if an
information asset contains sensitive
information about employees or
confidential activity then it can be
protected using access control.
ECM solutions essentially inject more
intelligence into a company's data and
ensure that the right content is in the right
hands, at the right time. In turn this
enables organisations to focus on using
information to drive business growth,
value, and innovation.
In an increasingly digital age, it is
crucial that companies maintain a strong
grip on their data, for efficiency,
productivity as well as for regulatory
compliance. Deploying an enterprise
content management system can be the
answer to the dark data predicament
many companies will increasingly face.
The business benefits and saved time
quickly add up: decision makers can
achieve better results as they are able to
find and use relevant information, and
productivity goes up for employees, since
everyone will spend less time searching
for misplaced information. NC
24 NETWORKcomputing JULY/AUGUST 2016 @NCMagAndAwards
WWW.NETWORKCOMPUTING.CO.UK

OPINION
ASLEEP AT THE WHEEL
WITH A FEW EXCEPTIONS, TELECOMS FIRMS HAVE BEEN
SLOW TO ADDRESS THE IOT BUSINESS OPPORTUNITY, IN
PARTICULAR THE RESULTING DATA ANALYTICS AND
CUSTOMER INSIGHT, ACCORDING TO HOMAN HAGHIGHI,
MANAGING DIRECTOR AT ALSBRIDGE
At a recent investor briefing I
attended, a major global telecoms
firm expounded on its expertise in
the cloud and detailed its plans related to
mobile platforms. Conspicuously absent
though was any reference to the Internet
of Things (IoT), and in particular a vision
for leveraging the significant business
opportunity it presents.
The omission was characteristic of a
general industry malaise. Many carriers
seem to assume that their role in IoT is to
provide the connectivity for the IoT
devices to communicate. The trouble is
that the revenue arising from this
connectivity will quickly erode into a
commodity offering of very little value.
Knowledge, meanwhile, is power and
the real value of IoT lies in mining the
data it generates, especially where
devices are used by consumers. Consider
the Tesla, which gleans data on a driver's
taste in music and places visited; this is of
value to media, holiday, traffic and
insurance companies. Or the smart home
that collects information on everything
from what people cook for dinner to what
they watch on television. Businesses are
seeking, and willing to pay for, access to
the data that can yield detailed insight
into consumer behaviour. From this
insight, they can develop compelling,
bespoke and individualised services. This
will be the battleground of the future as
retailers seek to increase the wallet share
of their consumers.
To compete effectively in the big data
space, telecoms companies need to play a
role at that end-device level of customer
interaction. Consider Vodafone, one of the
few telecoms innovators in the space, and
its data logging devices that can, among
other things, monitor the electricity meter
in a home. Vodafone's utility customers
benefit by monitoring temperature and
usage and eliminating the need to send
meter-readers to customer premises.
Vodafone, meanwhile, gains a critical and
valuable data collection foothold within
the utility's business operations and the
consumer's home.
While the opportunity is immense, so too
are the challenges, especially those of
managing the IoT supply chain: specifically
security, reliability and control. No one
wants their car to be hacked and privacy
issues in the home are a real concern. More
ominously, the growth of smart power grids
expands the potential vulnerability points
from electricity substations to far-reaching
connected power networks, raising fears of
catastrophic, prolonged power outages
resulting from cyber terrorism. Fear of
hacking and breaches are a major obstacle
to the accelerated use of IoT devices.
Telecoms firms can play a leading role in
addressing IoT security challenges. By
virtue of their traditional expertise in
managing communication touchpoints and
overseeing networks, they are well
positioned to identify where breaches might
occur and can take appropriate action.
Another area concerns enhancing
standards to enable seamless
communication across different types of
devices. At present, a smart home's stereo
system typically can't communicate with
the heat sensors or the fire alarm or the
surveillance camera, as all these devices
are made by different manufacturers using
different standards. This lack of
standardisation leads to consumer
confusion as well as reluctance to
commit. Again, the heritage of telecoms
firms in driving communication protocols
and integrating disparate data types can
be brought to bear.
To succeed, simply providing internet
connectivity and deferring to manufacturers
to build the smart devices just won't do.
Telecoms firms must coordinate and
develop and drive standards as well as
being involved in developing the
communication protocols for the IoT
devices. Through that involvement, they
can play a role in defining the standards
that can drive deployment. The alternative
is to lose control and become a commodity
player as opposed to a leader in the
connected world. NC
26 NETWORKcomputing JULY/AUGUST 2016 @NCMagAndAwards
WWW.NETWORKCOMPUTING.CO.UK

MASTERCLASS
The Network Computing Masterclass series…
… GOING BEYOND TECHNOLOGY AND PRODUCT.
THIS MASTERCLASS SERIES IS IN ASSOCIATION WITH CERTES
NETWORKS. IN THIS EDITION THEY EXPLORE THE CHALLENGE OF
OVERCOMING SEGMENTATION FRAGMENTATION WHEN ENABLING
BORDERLESS APPLICATIONS.
Every organisation has sensitive and
confidential data to protect, from
patient data kept by hospitals, to credit
card data stored by retailers: no one can
risk compromise. Worst still, it seems that no
organisation is immune from being the next
data breach victim, and governments that
recognise this are investing heavily to
protect vital services and infrastructure.
Traditional security technologies just aren't
enough anymore. Simply put, the security
perimeter has all but eroded, and all of the
other aspects of network segmentation
focus too heavily on infrastructure, which
impedes day-to-day business. More
importantly, managing these complex
security environments introduces a new
layer of risk. After all, week after week, the
world watches hackers infiltrate government
agencies, corporate retailers and healthcare
providers, proof if it were needed that
traditional data and application security
strategies alone cannot prevent breach.
This is not just presenting security
challenges but segmentation challenges
also, as sensitive data is regularly shared
everywhere and anywhere, especially
beyond the perimeter. One approach in
particular that is failing badly is traditional
segmentation. The outdated segmentation
tool of the firewalled perimeter is entirely
obsolete as hackers exploit gaps and stolen
credentials to bypass it with ease. Siloed,
perimeter-based, infrastructure-dependent,
fragmented segmentation tools are just
complex webs that complicate risk, not
mitigate it.
What is needed is a complete reboot of
segmentation and adoption of a nextgeneration
IT security model that is easy to
manage: one that is fit for the 21st century
borderless digital business.
ENTER CRYPTOGRAPHIC
SEGMENTATION
Cryptographic segmentation establishes
segmentation lines around applications, not
network devices and grants user access
based on business-centric policies. In
essence, it protects application traffic by
taking a business-centric approach to
network segmentation, using strong
cryptography alongside user role-based
access controls. With a software-defined
approach to application security, enterprises
can protect that which really matters:
mission-critical, sensitive data.
With cryptographic segmentation,
networked applications are protected in
virtual application overlays, which are
cryptographically isolated using logical,
policy-driven segmentation controls - and
each virtual segment is only accessible with
a user assigned key. In other words,
employee and partner roles combined with
business policies determine access. This
means that cryptographic segmentation
stops hackers from moving laterally even if
one device, credential or staff member is
compromised.
In this way, cybercriminals will not be able
to move to other networks or applications
because access will not be granted to any
additional virtual segments, limiting
damage by default.
THE LAST LINE OF DEFENCE
Cryptographic segmentation is the last line
of defence in many cases, but in theory it
could have prevented the biggest data
breaches of recent years including Ashley
Madison, the Office of Personnel
Management, JPMorgan Chase and
Anthem. This approach to network
segmentation is essential for frictionless
enterprises that take advantage of, even rely
upon, the cloud, mobile technology and
big data. This is especially so when
considering the number of threats that
businesses face when connecting internal
systems to the public Internet.
A NEW MINDSET
Cryptographic segmentation requires a new
way of thinking. While organisations have
worked hard at creating robust security
strategies, with security experts across the
globe now recommending a containment
policy based on clearly defined
infrastructure segments, it is clearly time to
change. However, those organisations
simply opting to impose segmentation at the
network level are failing to recognise the
true threat landscape; a reliance on network
based controls will add, not mitigate, risk. It
is simply too easy to bypass the controls.
It is only by following a user and
application based cryptographic
segmentation approach that an
organisation can address the heart of this
threat. With the breach firmly contained
within one specific segment, a system wide
disaster is confidently avoided. NC
This is the last in the current series of the
Certes Networks Masterclass.
Any reader comments and questions
relating to this series should be addressed
to Ray.Smyth@BTC.co.uk
WWW.NETWORKCOMPUTING.CO.UK @NCMagAndAwards
JULY/AUGUST 2016 27
NETWORKcomputing

FOCUSINFOSECURITY 2016
INFOSEC: WHAT NEXT?
WITH INFOSECURITY 2016 NOW FIRMLY IN THE PAST, WHERE SHOULD PROFESSIONAL VISITORS BE
ENGAGING THEIR MINDS? OUR EDITOR, RAY SMYTH, OFFERS A VIEW - WITH THE HELP OF SOME
KEY VENDORS
Often there is a lot of media noise before a trade show but what about after? I am
interested in what security professionals will do after this year's Infosec, and so I went
in search of some vendors who might be able to shape the thinking, action and evolution
that a show like Infosec should provoke in anyone creating a defensible security posture.
SIZE DOES NOT MATTER
In ICT security, size definitely does not matter: small organisations need similar protection to
their larger counterparts and there is a credible range of solutions available from the smallest
to the largest vendors. What does matter is accurately understanding exactly what defences
your organisation requires and finding the best way to effectively deliver and manage them.
BUSINESS DRIVEN SECURITY
With an unlimited budget you may be tempted to buy one of everything, just to be sure. Two
things are certain: there would still be vulnerability in your system and you would have wasted
a lot of money. Amit Ashbel works for Checkmarx and describes himself as a Technology
Evangelist. He starts us off by saying that "While it all depends on the services you provide as
a business, a generic information security framework should start by considering how to prevent
security incidents, how to protect your assets in the face of attack and then how to remediate
and minimise breach impact." So a mantra of Prevent, Protect, Detect and Remediate in
your business context sounds compelling doesn't it?
APPLICATIONS BOLTED DOWN
There is it seems to me evidence that organisations are increasingly adopting a more proactive
approach to the security challenge, having realised that a reactive stance won't even close
the door after the horse is bolted, such is the speed and severity of the current threat. Amit
continues, "It all starts by knowing where the sensitive assets you hold are held and the level of
risk they are exposed to." For example a financial organisation delivering online banking has
sensitive assets which include customer data and of course money, so clearly both the web
and mobile access channels should be built and maintained securely. Amit says that, "The
most prominent category concentrating on prevention of attacks is Application Security
(AppSec) which breaks down into multiple categories. For example, SAST (Static Application
Security Testing) and DAST (Dynamic Application Security Testing) are at the core of AppSec
and they should be included in every organisation's security framework."
THE END OF CAT AND MOUSE
Beyond the acknowledgment of a basic framework there is the ever changing risk profile and
this is driven by the ease (perceived and actual) with which the average cybercriminal can
maximise their success rate. The seminar topics at Infosecurity provided an insight with topics
including ransomware, employee education, risk management and vulnerabilities in applications,
devices and the network. But Guy Caspi, CEO at Deep Instinct noticed that, "A common
28 NETWORKcomputing JULY/AUGUST 2016 @NCMagAndAwards
WWW.NETWORKCOMPUTING.CO.UK

FOCUSINFOSECURITY 2016
thread ran throughout the entire event: the constant cat and mouse game of catching up with
the latest malware and zero-day exploits." Sound familiar?
Protecting against the millions of new malware variants launched daily seems like a pointless
and unwinnable way to credible security, but once you realise that most of these malware variants
are tiny mutations of pre-existing malware, perhaps some traction can be made. Guy
says, "Despite this fact, currently available solutions, even the advanced ones which use
dynamic analysis and traditional machine learning, have great difficulty detecting a large portion
of the new malware, especially in real-time."
It is in this context that I am noticing a new breed of solution that augment existing security
elements such as the firewall, AV, IDP etc. Artificial intelligence and machine learning are
terms that are coyly referred and even the marketing professionals seem to be practising caution.
Guy Caspi explains, "Deep learning is an advanced form of artificial intelligence, also
known as deep neural networks. It is the first family of algorithms within machine learning that
do not require manual feature engineering and instead learn by processing and learning from
raw data, similar to how our brain learns. This groundbreaking capability has become available
thanks to major algorithmic improvements and their implementation on graphical processing
units (GPUs), which provide tremendously enhanced computational capabilities."
It seems to me that such an approach focuses heavily on behavioural traits as opposed to
identifying features, such as signature definitions. This seems to make good sense and identifying
elements of behaviour that seem suspicious or aberrant helps to focus rare talent and limited
resources in the right area.
CONNECTED IGNORANCE
Another important driver of security design is determined by business use and related connectivity
trends, so we simply cannot overlook the Internet of Things. Portnox CEO Ofer Amitai
thinks that "IoT security was quite rightly a hot topic for Infosec 2016. Where there is confusion,
there is talk, and there's certainly a lot of confusion regarding IoT: what is it, do I have
IoT devices connected, device authentication and device security."
Provisioning of network devices has become so easy that users can do it for themselves.
Unfortunately this, combined with the potential scale of IoT connections, only escalates the
risk. Remember, a malevolent actor only requires one point of access to build a highly profitable
path to your assets.
It's not necessarily the case that what is required is technically or intellectually challenging,
and in many instances it will be more about awareness and the ability - and especially time -
to respond. IoT devices generally fall into three categories: class 1, dumb devices, class 2,
smart devices and class 3, which are server class devices. Ofer points out that "Not all IoT
devices actually connect to the internet. They may communicate locally inside their own segment
to a local server or with a cloud server and the risks stem from their architecture, so
common security challenges must include device authentication and protection against a
breached IoT device."
And to avoid being too device centric, other risks include securing data in transit and at rest,
and this will vary with device type and function. Ofer explains, "To authenticate IoT devices a
profiling mechanism should be used. This means taking a digital picture of device properties
WWW.NETWORKCOMPUTING.CO.UK @NCMagAndAwards
JULY/AUGUST 2016 NETWORKcomputing 29

FOCUSINFOSECURITY 2016
and confirming that its properties are correct once connected. If it is not as expected you can
alert or block that device. Other methods such as digital certificates are too complicated and
resource demanding for IoT devices."
Without doubt, IoT will bring new security challenges: for example, patching IoT devices.
Ofer concludes that, "…to protect against a breached device, organisations should use VLAN
assignment based on device type to create micro segmentation. This essentially splits where
these IoT devices reside and therefore lowers the risk of a breach or its impact to a specific
segment." One thing is certain - the IoT threat can be easily ignored, and it mustn't be.
POWERED BY PEOPLE
Traditionally trade shows have focused mainly on products and then solutions, but increasingly
I see commentary on and problems pertaining to an emerging skills gap; a skills gap that
might be influenced in some way by the UK Government's Brexit negotiations.
While it is a sweeping generalisation, it seems to me that there is a viable technologybased
solution available to tackle most known threats. Underpinning this is a wealth of
knowledge and skill, but the resulting deficit increasingly looks like a skills shortage.
Montana Williams, who is Senior Manager of Cybersecurity Practices at ISACA as well as a
cyber-evangelist, reflects that, "One of the key points of interest for me at Infosecurity Europe
was the evident gap between the practical security skills required and the skills available to
the majority of IT teams." Something noticed by more than one person was the underlying
theme that the basic difficulty is finding skilled people who are adequately trained in the
evolving theatre of cyber security.
If Brexit in any way affects the right of overseas residents to work in the UK, then the UK will
surely have an unwelcome worsening of this skills shortage. But the underlying cause is likely
to be much more fundamental. Montana notes, "The current skills shortage is not due to a
lack of ambition or desire on the part of individuals. We are seeing a skills shortage due to a
current training and educational system that prioritises the accumulation of knowledge and
skills, rather than the experience and practice of these skills in the real world. This has resulted
in a glut of people with vast theoretical grounding and plenty of initials after their names, but
in reality, very little practical experience in operating, maintaining and defending complex integrated
business systems." Well that's clear, credible, and a source of great concern…
In offering a way forward, Montana summarises that, "There are four solutions that we continually
discussed over the course of the three-day show." They are:
Secondary School Education: teachers must be educated and able to integrate cybersecurity
hands-on tools and theories into their lessons.
External Youth Engagement: this must offer an extra-curricular level of education.
Role Models: we need some heroes to inspire future generations.
Post-Secondary Encouragement: the US schemes such as DHS/NSA Centres of Academic
Excellence programmes develop skills through skills-based training and performancebased
assessment.
As serious as this problem seems to be, it, along with IoT devices can never be used as an
excuse for increased risk or as a defence for a breach. Somehow, each professional will have
to fix their own challenges, and these will be wide and varied.
30 NETWORKcomputing JULY/AUGUST 2016 @NCMagAndAwards
WWW.NETWORKCOMPUTING.CO.UK

FOCUSINFOSECURITY 2016
PHYSICIAN, HEAL THYSELF
So, we got this far without talking about the insider threat. It's something that seems to have been
around since the beginning, and of course it has been, as we are still talking about people: people
with a heavy focus on the user community. Often I hear vendors go out of their way to
explain that that the insider threat is not an implication that users are bad and should not be
trusted, and this is true. Essentially it's a problem because people are human and fallible.
Rui Melo Biscaia, Director of Product Management at Watchful Software comments, "Whether
at Infosecurity or in the wider industry and media, the narrative of data security is still too caught
up in the idea of external threats. While criminal gangs and bedroom hackers create a popular
image for cyber threats, businesses must do more to get their own house in order before looking
outward." Good data management should be at the heart of any security strategy and this
means that you need to know where it is kept. Rui tells me that surprisingly large organisations
are still unable to fully account for where key data is located or who can access it.
With big data firmly on the boardroom replete with its promise of unique business advantage,
there is going to be real pressure on IT professionals to deliver what is needed. According to
Merrill Lynch more than 80 per cent of most organisation's data is unstructured, consisting of elements
like email and user-created text files, and it is here that a data classification solution could
enable organisation to automatically assess their unstructured data and assign a security classification
based on predefined parameters.
Rui explains that "Once the initial classification is complete, all other files are automatically classified
at the point of creation, removing the chance of it being overlooked. Role-Based Access
Controls (RBAC) are then used to ensure that only users who have been assigned access rights to
a particular classification of file can view it, with encryption preventing access by unauthorised
users. Additionally, files can be classified to various customised levels, for example, internal use
only, files that cannot be moved or copied, or top secret files which can only be accessed by
those with the highest clearance."
It all requires a bit of effort and as can be clearly seen, these measures combine to make it difficult
for both malicious insiders and external hackers to access and remove classified information.
Rui concludes by saying, "There needs to be a stronger drive from the security industry to get
organisations to focus on data management best practice, addressing the essentials before
budgeting for advanced external security."
TECHNOLOGY ALONE IS NOT THE ANSWER
Because of the stakes (big money) cybercrime will grow and innovate at a rate that will continue
to outstrip and challenge all organisations and individuals for the foreseeable future.
Changing the locks and closing the windows alone will not be enough. Beyond the skills deficit
referred to earlier, people must become a greater part of our future strength: they are part of
the solution as well as part of the problem. Because of the skills gap a clinically focused and
extremely tactical approach to the use of technology is essential. And if business needs change
then you must make the case for what is needed - even if, on the face it, it seems like money is
being wasted. There are no excuses.
In the final analysis, don't be found wanting in the face of a successful threat. Listen to
your conscience and make the case for what you know can work: you know it's what your
business needs. NC
32 NETWORKcomputing JULY/AUGUST 2016 @NCMagAndAwards
WWW.NETWORKCOMPUTING.CO.UK

PRODUCTREVIEW
Titania PAWS Studio
2.4.4
PRODUCT REVIEW
PRODUCT
REVIEWPRODUCT RE
SMBs that want to show compliance with
data protection regulations will like
Titania's PAWS Studio a lot. Capable of
auditing any Windows or Linux system, it
offers an impressive range of highly detailed
compliance reports and all at a very
affordable price.
With costs as low as £2 per device, it beats
most enterprise solutions hands-down for
value. PAWS Studio doesn't compromise on
features either, as it comes with predefined
policies for all the major compliance
regulations and provides a policy editor,
so you can easily create your own.
The latest version introduces a range of new
features with existing policies for PCI-DSS,
SANS, NSA, NERC and STIG, complimented
with two extra ones for OVAL (Open
Vulnerability and Assessment Language).
These are important, as they give PAWS
Studio new powers to scan for system
vulnerabilities, as well as compliance.
Titania has added a converter tool, so
you can download the latest DISA STIG
compliance files and OVAL vulnerability
repositories, and update PAWS Studio
with them. There's more, as the new
configuration report provides detailed
hardware and software inventory for each
audited system.
The PAWS Studio console also gets a
design refresh, making it even easier to
create and run audits. The first step is to
choose local and remote target systems, and
options are provided to manually add a
device, run a network discovery routine or
scan an IP address range. We could select
single or multiple systems from the list and
apply a set of universal authentication
credentials. The next step is to choose any or
all available reports and leave PAWS Studio
to generate them.
Leaving no footprint, it pushes a Data
Collector to each system, which gathers the
requested information and sends it back to
the host for report creation. You can also
export the Data Collector tool, along with the
required audit policies, run it directly on a
system and import the results back into the
PAWS Studio host.
Along with our Windows 7 host, we ran
audits of the lab's Windows Server 2012 R2
domain controller, plus Exchange 2013 and
SQL Server 2014 hosts. Report generation is
fast, with a combined NSA, PCI-DSS and
OVAL audit on our Exchange 2013 system
taking a mere 12 seconds.
On completion, PAWS Studio displayed the
report for our approval, which can then be
saved in a variety of formats, including HTML
and PDF. The viewer also provides tools to
customise the report where we could change
the title, add our company logo, decide
which files to display and then regenerate it.
The reports are highly detailed and the
information presented is very accessible.
They provide clear descriptions and impact
assessments for each compliance check, so
widening their appeal from technician to
board member. We could see clearly which
compliance checks had failed and the
reports provided sage advice on remedial
action. User access security is always a
critical area and, for our AD controller, we
could view the status of all domain accounts,
password policies etc., and see those that
needed action.
Windows update and patch status are
checked and verified, along with the status of
essential anti-virus software. We found the
system inventories to be very accurate, with
PAWS Studio correctly identifying installed
OSes, CPUs, used and available memory
and hard disk space, installed software and
much more.
SMBs handling sensitive or personal data
can't make light of regulatory compliance, as
it will mean the difference between success
and failure. PAWS Studio is an ideal auditing
solution, as it provides highly detailed and
comprehensible reports covering all the
major compliance policies, and it is
remarkably good value. NC
Product: PAWS Studio 2.4.4
Supplier: Titania Ltd
Telephone: +44 (0)1905 888785
Web site: www.titania.com
Price: From £12 to £2 per device (exc. VAT)
WWW.NETWORKCOMPUTING.CO.UK @NCMagAndAwards
JULY/AUGUST 2016 NETWORKcomputing 33

OPINION
IOT SPELLS DANGER
BY ANY MEASURE IOT IS NEW, BUT COULD A LACK OF EXPERIENCE
COMBINED WITH POOR SOFTWARE DESIGN CREATE THE PERFECT
SECURITY STORM? AMIT ASHBEL, CYBER SECURITY EVANGELIST AT
CHECKMARX, EXPLORES THE ISSUES
The catchy Hive jingle about
controlling your heating at home is a
great example of the benefits that IoT
can offer. Such benefits are arguably the
reason why IoT has been adopted with
such voraciousness by manufacturers and
consumers alike. Unfortunately, this has
also resulted in IoT devices and
applications being released on to the
market largely unsecured (consider the
University of Michigan's recent study into
the vulnerabilities in Samsung's
SmartThings platform). Meanwhile, the
proliferation of BYOD, remote working
and the always-on employee makes these
unsecured applications, even if confined to
the home, a huge risk to the enterprise
network. So why is IoT largely unsecured,
and how can this change?
ONE CHINK IN THE ARMOUR
A regular home today can have an array
of connected products, from heating
controls, to Smart TV, kitchen appliances
and baby monitors. Each connected
device presents an attack surface. In
reality, once inside the home network,
hacking the corporate network becomes a
distinct possibility. Because of the
connected nature of IoT, it only takes a
small vulnerability, such as an unsecured
fridge, to compromise the network.
BOLTED-ON SECURITY
In an environment where IoT products and
updates are released at a furious rate,
developers are measured on how fast they
can produce code, meaning security can
be an afterthought. Too often security is
considered so late that there is only time
to fix either bugs that could impact the
user experience, or vulnerabilities that
impact application security.
In the competitive technology
marketplace, the vendor often chooses to
fix the bug and come back to the
vulnerability later, rather than delay the
release. It is this unsecured root
application code in IoT devices and
applications that presents the risk.
Moreover, many new IoT vendors lack the
painful experience the IT industry has gone
through in the past 20 years. Vendors
building household appliances are
newcomers to cyber security and while
they may employ external development
firms to build in required functionality, the
lack of regulation combined with
inexperience is creating a lack of
awareness concerning security.
THE ONLY LEADERSHIP IN TOWN
One of the main reasons why this
continues to happen is because there are
no regulations or industry standards when
it comes to writing secure code. The
closest thing to leadership is the Open
Web Application Security Project (OWASP)
which publishes a top ten IoT list of
vulnerabilities on an ongoing basis and
provides recommendations on how to
develop IoT applications that are more
difficult to hack. For example, it suggests
that IoT hardware be programmed to insist
on a default password change to a strong
password during setup. But the underlying
application code still needs to be secure.
CHANGING THE SOFTWARE
DEVELOPMENT LIFE CYCLE (SDLC)
The normal process for software
development or the software development
lifecycle (SDLC) has 5 main stages:
design, development (coding), testing,
deployment and maintenance. As already
mentioned, most testing is conducted late
in the cycle, such as pen-testing, which is
a black box testing method. But vendors
who use white box testing methods such
as Static Application Security Testing
(SAST) can build a comprehensive
understanding of the potential risks in the
code early on, putting developers in a
position to start addressing vulnerabilities
in the same way that they address
functional bugs, and transforming an
SDLC into a Secure-SDLC (sSDLC). When
security is at the core of the SDLC,
vendors have a much better chance of
preventing vulnerabilities that hackers can
capitalise on and that, in turn, makes the
network less vulnerable to attack.
From this it's clear that those deploying
IoT need to be aware of the security risks
and ensure that they ask the most probing
questions of all potential partners. NC
34 NETWORKcomputing JULY/AUGUST 2016 @NCMagAndAwards
WWW.NETWORKCOMPUTING.CO.UK

WWW.TITANIA.COM
www.t itania.com