Blog posts by Paul Fisher
There is more to the cloud than AWS, Azure, IBM and Google according to OVHCloud - the new name for OVH as it celebrates its 20th anniversary. While the big four have carved up the public cloud between them, the French cloud specialist believes that business needs are changing, which gives them an opportunity in the enterprise market it is now targeting. In short, OVHCloud believes there is a small, but discernible shift back to the private cloud - for security and compliance imperatives.
That does not mean that OVHCloud is abandoning the public cloud to the Americans. At October’s OVHCloud Summit in Paris, CEO Michel Paulin spoke forcefully of the need for Europe (for that, read France) to compete in this space. “We believe we can take on the US and Chinese hegemony. Europe has all the talents needed to build a digital channel that can rival all the other continents.” he said.
OVHCloud needs to shift focus and mature
The company is growing, with 2,200 employees and revenue estimated at around $500m. For comparison, AWS posted revenue of $9bn for its third quarter in 2019 – spot the difference. OVHCloud is doubling down on the Security as a Service (SaaS) market with 100 SaaS products announced for a new dedicated marketplace. The company says the focus will be on collaboration and productivity tools, web presence and cloud communication. On the security front, OVHCloud is promising the following soon: Managed Private Registry, Public Cloud Object Storage Encryption and K8s private network.
If OVHCloud is to take even a chunk of the Big Four’s market, it needs to shift focus and mature. It believes it can by moving from what it terms the “startup world” of digital native companies into the traditional enterprise sector (without neglecting its cloud native customers). Gained customers so far include insurance, aviation, big IT services and some finance and retail customers. OVHCloud believes the enterprise market is lagging its traditional customers in digital innovation and transformation.
Security reasons and better data oversight bring customers back to private clouds
Crucially, the company thinks that enterprise customers are coming back to private clouds for security reasons and better oversight of data in the age of big compliance. At the same time, it predicts that the future of cloud should remain open and multi-cloud, something I and others would agree with.
In terms of business strategy, OVHCloud is moving from a product approach to a solution approach along with the shift towards enterprise customers – this makes sense. OVHCloud makes much of its ability to build its own servers and cooling systems, and sees this as a USP, claiming the industry’s lowest TCO for energy usage. Such an advantage depends on scale, however, and in an open multi-cloud, multi-vendor market, the cost savings may make little difference to enterprise customers. But the green message may play well in today’s climate conscious market for some buyers in the startup crowd and potentially in the more digital parts of larger enterprises.
For more insight into the enterprise cloud market please read our reports or contact one of our analysts.
Much is written about the growth of AI in the enterprise and how, as part of digital transformation, it will enable companies to create value and innovate faster. At the same time, cybersecurity researchers are increasingly looking to AI to enhance security solutions to better protect organizations against attackers and malware. What is overlooked is the same determination by criminals to use AI to assist them in their efforts to undermine organizations through persistent malware attacks.
The success of most malware directed at organizations depends on an opportunistic model; sent out by bots in the hope that it infects as many organizations as possible and then executes its payload. In business terms, while relatively cheap, it represents a poor return on investment and is easier for conventional anti-malware solutions to block. On the other hand, malware that is targeted and guided by human controllers at a command and control point (2C) may well result in a bigger payoff if it manages to penetrate privileged accounts, but it is expensive and time consuming for criminal gangs to operate.
Imagine if automated malware attacks were to benefit from embedded algorithms that have learned how to navigate to where they can do the most damage; this would deliver scale and greater profitability to the criminal gangs. Organizations are facing malware that learns how to hide and perform non-suspicious actions while silently exfiltrating critical data without human control.
AI powered malware will change tactics once inside an organization. It could, for example, automatically switch to lateral movement if it finds its path blocked. The malware could also sit undetected and learn from regular data flows what is normal, and emulate this pattern accordingly. It could learn which devices the infected machines communicate with, its ports and protocols, and the user accounts which access it. All done without the current need for communication back to 2C servers – thus further protecting the malware from discovery.
It is access to user accounts that should worry organizations – particularly privileged accounts. Digital transformation has led to an increase in the number of privileged accounts in companies and attackers are targeting those directly. The use of intelligent agents will make it easier for them to discover privileged accounts such as those accessed via a corporate endpoint. At the same time, malware will learn the best times and situations in which to upload stolen data to 2C servers by blending into legitimate high bandwidth operations such as such as videoconferencing or legitimate file uploads. This may not be happening yet but all of this is feasible given the technical resources that state sponsored cyber attackers and cash rich criminal gangs have access to.
To prove what’s possible IBM research scientists created a proof-of-concept AI-powered malware called Deep Locker. The malware contained hidden code to generate keys which could unlock malicious payloads if certain conditions were met. It was demonstrated at a Las Vegas technology conference last year, using a genuine webcam application with embedded code to deploy ransomware when the right person looked at the laptop webcam. The code was encrypted to conceal its payload and to prevent reverse engineering for traditional anti-malware applications.
IBM also said in its presentation that current defences are obsolete and new defences are needed. This may not be true. AI is not yet magic. As in the corporate world, much AI assisted software, benefits from the learning capabilities of its algorithms which automate the tasks that humans have previously held. In the criminal ecosystem this includes directing malware towards privilege accounts. Therefore, it makes sense that if Privileged Access Management (PAM) does a good job of defecting human led attempts to hijack accounts then it should do the same when confronted with the same techniques orchestrated by algorithms. Already the best PAM solutions are smart enough to monitor M2M communications and DevOps that need access to resources on the fly.
But we must not stop there. Future IAM and Pam solutions must be able to detect hijacked accounts or erroneous data flows in real time and shut them down so that even AI cannot do its work. Despite the sophistication that AI will bring to malware, its target will remain the same in many attacks: business critical data that is accessed by privileged account users, which will include third parties and machines. It is one more way in which Identity – of people, data and machines - is taking centre stage in securing the digital organizations of the future. For more on KuppingerCole’s research into Identity and the digital enterprise please see our most recent reports.
Car buyers gathering at the Frankfurt Motor Show last month will have witnessed the usual glitz as car makers went into overdrive launching new models, including of course many new electric vehicles reflecting big change in the industry. Behind the glamour of the show, the world’s biggest car makers are heavily investing in new technologies to remain competitive, including Artificial Intelligence (AI) and Machine Learning. While perfecting algorithms for self-driving cars is a longer-term goal and grabs the headlines, much is being done with AI to improve the design, manufacture and marketing of cars.
In an industry characterized by high costs and low margins, car makers (OEMs) are turning to AI to improve efficiencies, improve quality control and understand their markets and buyers better. Five years ago, Volkswagen opened its Data:Lab in Munich. It is now the company’s main research base for AI with around 80 IT specialists, data scientists, programmers, physicists, and mathematicians researching and developing applications in machine learning and AI. Volkswagen goes as far to say that AI will fundamentally change the company’s value chain as it will now begin, not end, with the production of the vehicle.
An area of focus is applying AI to market research and marketing to pre-empt changes in demand and consumer choice outside of OEMs traditional 7-year model cycle. Any manufacturer that can be ahead of the curve in marketing will have a significant advantage. Volkswagen is using AI to create precise market forecasts containing a multitude of variables including economic development, household income, customer preferences, model availability and price.
With this kind of insight, it is possible that the company could configure model choice (specs, optional extras, engine sizes etc) and order production to meet buyer preferences on a smaller regional or even hyper local level. For example, a Golf special edition that appeals to specific buyers in London or an Amarok truck configured for the needs of farmers in the Rhineland.
Volkswagen’s German rivals are also scaling investment in AI technologies and are keen to be seen doing so with positive statements on their websites, and active recruitment drives to get the best developer talent. All three of Germany’s OEMs are aware that they need to be technological leaders in IT as much as engineering as cars become more connected and software driven.
At its factory in Stuttgart, Daimler has created a knowledge base that stores all the existing vehicle designs at the company which any new engineer can tap into. More than this, the algorithm has been trained to suggest that a new engineer contacts a more experienced colleague for human advice in certain circumstances. A good example, of how AI can be trained to interact with human workers.
At the final inspection area at BMW’s Dingolfing plant, an AI application compares the vehicle order data with a live image of the model designation of the newly produced car. If the live image and order data don’t correspond, for example if a designation is missing, the final inspection team receives a notification. This frees up human employees to work elsewhere. Algorithms are also being taught to tell the difference between a hairline crack in sheet metal and simple dust particles, something that is beyond the scope of human eyesight. Meanwhile in paint shops, AI and analytics applications offer the potential to detect sources of error at much earlier stages of the process. If no dust attaches to the car body before painting in the first place, none needs be polished off later.
While these examples of AI applications may lack the sci-fi appeal of self-driving cars, they are presently more important to the future survival of the car industry, not just in Germany but across the globe. AI is being used effectively to meet the three fundamental challenges of the industry’s survival: improved quality, cost and waste reduction, and customer demands.
If you liked this text, feel free to browse our Artificial Intelligence focus area for more related content.
A visit to HP Labs offices in central Bristol, about 120 miles west of London, was a chance to catch up with the hardware part of the former Hewlett Packard conglomerate, which split in two four years ago. The split also meant that there are now two HP Labs, one for the HP business and the other for Hewlett Packard Enterprise.
To perhaps position itself as a serious B2B vendor we were told that HP is an “endpoint infrastructure company”, which kind of works, but its US, Chinese and Taiwanese competition could conceivably claim the same.
To counter this, HP is tapping into the shared legacy of the research and development focus that the original Mr. Hewlett and Mr. Packard founded in that famous garage in Palo Alto – hence the trip to HP Labs. A single floor of an office block in Bristol lacks some of the wow factor of the more campus feel of the old joined-up and bigger HP Labs but, on the other hand, the ideas that came out of those Labs did not always see practical application.
The focus then was on HP’s security credentials for innovations that have found their way into products. In a series of demonstrations of its Sure Suite technologies, HP made a case for why its line of laptops and PCs are better equipped to withstand attacks on the endpoint.
Sure Start protects the BIOS from attack each time the PC or laptop is booted on a network or standalone and automatically validates the integrity of the BIOS code. Once the PC is operational, runtime intrusion detection monitors memory. In the case of an attack, the PC can self-heal using an isolated “golden copy” of the BIOS. The live demo on the day showed a laptop that had been locked by ransomware being brought back to operable life. Sure Recover is a tool squarely aimed at the SMB market allowing end users to recover their operating system even after it has been wiped out by an attack, without recourse to IT. It uses HP’s chip-based Endpoint Security Controller (ESC) to image the latest OS using a wired network connection.
A new announcement on the day was HP Sure Admin which extends the automation of secure endpoint management into the corporate domain and builds on the user-friendly technologies of Sure Start and Sure Recover, to reduce the threat of attacks on the surface created by remote management tools. Traditionally, BIOS updates on endpoint PCs have been administered through passwords which are at risk of theft or intervention. Sure Admin uses public/private key encryption to authorise remote BIOS changes. For local access, Sure Admin runs as an app on a smartphone accessed by a private key, which then generates a onetime PIN for an admin to access an endpoint that needs maintenance or recovery. Also demonstrated was HP Sure Sense which uses AI to recognise unknown malware to mitigate zero-day attacks, with a less than 20 millisecond detection rate claimed by HP.
Any kind of demo must be viewed objectively, and these technologies will only prove their mettle in the wild. The other issue is how well any of these endpoints so equipped would embed into an existing corporate environment. Sure Admin needs a serious examination of how it can be integrated into the wider enterprise IT, access management and security portfolio.
This is not to disparage the progress HP has made, and my feeling at the end of the day was that HP is using its Labs for real-world security applications. But they are currently more efficient iterations of existing technologies rather than great leaps forward. However, endpoint protection is essential for business environments that are more open, extended and connected than before. HP’s recent acquisition of endpoint security start-up Bromium will no doubt impact on HP’s future plans to improve on these technologies further.
Artificial intelligence (AI) and machine learning tools are already disrupting other professions. Journalists are concerned automation being used to produce basic news and weather reports. Retail staff, financial workers and some healthcare staff are also in danger, according to US public policy research organization, Brookings.
However, it may come as a surprise to learn that Brookings also reports that lawyers have a 38% chance of being replaced by AI services soon. AI is already being used to conduct paralegal work: due diligence, basic research and billing services. A growing number of AI based law platforms are available to assist in contract work, case research and other time-consuming but important back office legal functions. These platforms include LawGeex, RAVN and IBM Watson based ROSS Intelligence.
While these may threaten lower end legal positions, it would free up lawyers to spend more time analyzing results, thinking, and advising their clients with deeper research to hand. Jobs may well be added as law firms seek to hire AI specialists to develop in house applications.
What about adding AI into the criminal justice system, however? This is where the picture becomes more complicated and raises ethical questions. There are those who advocate AI to select potential jurors. They argue that AI could gather data about jurors, including accident history, whether they have served before and the verdict of those trials, and perhaps more controversially, a juror’s political affiliations. AI could also be used to analyze facial reactions and body language indicating how a potential juror feels about an issue, demonstrating a positive or negative bias. Proponents of AI in jury selection say it could optimize this process, facilitating greater fairness.
Others are worried that rushing into such usage could might have the opposite effect. Song Richardson, Dean of the University of California-Irvine School of Law, says that people often view AI and algorithms as being objective without considering the origins of the data being used in the machine-learning process. “Biased data is going to lead to biased AI. When training people for the legal profession, we need to help future lawyers and judges understand how AI works and its implications in our field.” she told Forbes magazine.
A good example would be Autonomous vehicles. Where does the legal blame lie for an accident? The driver, the car company, the software vendor or another third party? These are questions that are best answered by human legal experts who can understand the impact of IA and IoT on our changing society.
Perhaps a good way to illustrate the difference between human thinking and AI is that it usually wins in the game of Go because, while it plays according to formal Go rules, it does so in a way no human would ever choose.
If AI oversaw justice it might very well “play by the rules” also but this would may involve a strict interpretation of the law in every case, with no room for the nuances and consideration that experienced human lawyers and judges possess. Our jails may fill up very quickly!
Assessing guilt or innocence, cause and motive in criminal cases needs empathy and instinct as well as experience – something that only humans can provide. At the same time, it is not unknown for skilled lawyers to get an acquittal for guilty parties due to their own charisma, theatrics and the resources available to them. Greater involvement of AI could potentially lead to a more fact based and logical criminal justice system, but it’s unlikely robots will take the place of prosecution or defence lawyers in a court room. But at some point, AI may well be used in court, but its reasoning would still have to be weighted and checked against a tool like IBM Watson OpenScale to check the validity of its results.
For the foreseeable future, AI in the legal environment is best to enhance research, and even then, we should not trust it blindly, but understand what happens and whether results are valid and, as far as possible, how they are achieved.
The wider ethical debate around AI in law should not prevent us from using it right now in those areas that it will being immediate benefit and open new legal services and applications. Today, AI could benefit those seeking legal help. Time saving AI based research tools will drive down the cost of legal services making it accessible to those on lower incomes. It is not hard to envisage AI driven cloud based legal services that provide advice to consumers without any human involvement, either from startups or as add-ons to traditional legal firms.
For now, the impact of AI on the legal profession is undeniably positive if it reduces costs and frees up lawyers to do more thinking and communicating with clients. And with further development it may soon play a more high-level role in legal environments in tandem with its human law experts.
It’s not been a good couple of weeks for Apple. The company that likes to brand itself as superior to rivals in its approach to security has been found wanting. Early in August it was forced to admit that contractors had been listening in to conversations on its Siri network. It has now temporarily stopped the practice, claiming that only “snippets” of conversations were captured to improve data.
At the end of last week, a much more serious security and privacy threat was made public. Google researchers revealed that hackers have put monitoring implants into iPhones for years, affecting thousands of users per week. The hacking operation, which started in 2017, used several web sites to deliver malware onto iPhones. Users did not have to interact with the site: just visiting was enough. From there, criminals were able to siphon passwords and chat histories from WhatsApp, iMessage and Telegram – bypassing the encryption designed to protect the integrity of these messaging apps. According to the researchers, attackers used five different exploits across 14 pieces of malware.
This is undoubtedly a major incident. It strongly undermines Apple’s reputation for securing users’ devices and the (personal) data residing on these. In an age where all tech companies are facing criticisms for misuse of customer data it comes as a body blow to Apple’s security management expertise; something it has consistently portrayed itself as superior.
What is worse is the revelation that Apple was made aware of the flaw in the iPhone in February this year. Apple did release a patch for the flaw, but why did it not make a much more urgent public announcement back In February to warn all iPhone users to update iOS software urgently? This is Apple’s real failure: trying to make everyone believe it has the best security controls but not delivering. It’s not the first time that Apple’s culture of secrecy has undermined security as a previous blog by Martin Kuppinger illustrates.
Not surprisingly, others were making hay at Apples expense on social media last week. “This is a huge find by Google’s team,” said Alex Stamos, Facebook’s former security chief and now a researcher at Stanford University, while Marcus Hutchins, a security researcher who helped stop the WannaCry attack in 2017 wrote, “Maybe I’m missing something, but it feels like Apple should have found this themselves.”
Apple did not fail to patch but it failed to act swiftly and adequately communicate the flaw, and now it finds itself on the backfoot. Was all this the result of hubris or carelessness? Either way it’s not a good look as it gears up to launch the iPhone 11 and promote its new credit card as a secure alternative to conventional bank cards. As ever the best advice for users of iPhones or any device is to ensure you always have the most up to date operating system installed by making a regular check.
Reports of a data breach against Mastercard began surfacing in Germany early last week with Sueddeutsche Zeitung (in German) one of the first news outlets to report on the loss. As is often the case in major corporate breaches, the company was slow to react officially. On Monday it said only that it was aware of an “issue”. The next day the company had someone to blame: a third-party provider it said had lost data which included usernames, addresses and email addresses, but no credit card details.
By Wednesday however this statement was proved incorrect when persons unknown uploaded an Excel file with full credit card numbers to the Internet, without CVV or expiration numbers. However, a credit card number with names and addresses is still a highly valued and dangerous item on the dark web. It took until the end of the week before Mastercard admitted that 90,000 customers had been affected and reported the incident to the German Data Protection Authority (DPA). Mastercard confirmed a third party running its German rewards program Priceless Specials had been attacked.
The company said that the breach had no connection to Mastercard’s payment transaction network, and it was “taking every possible step to investigate and resolve the issue,” including informing and supporting cardholders. The company shut down the German Specials website.
There are two lessons from this breach. It took Mastercard five days to fully admit it had been attacked. Not only does this potentially contravene GDPR which requires 72 hours, but more importantly left its customers without any information and unsure of their exposure. This suggests a failure or absence of incident response management policies and processes at Mastercard, which should be put into action at first sign of a potential breach. It cannot be emphasised enough that companies must scrupulously prepare for disaster and incidents, including PR and executive response strategies to avoid telling conflicting stories.
Secondly, the fact that the breach occurred at a service provider proves once again that oversight and due diligence are essential when confidential data is at stake. GDPR quite clearly states that the data controller remains responsible for a breach from a third-party provider. And this case is a perfect example of how Mastercard may be judged to have failed in this regard when the DPA investigates.
After the recent Capital One breach, some commentators have suggested that cloud security is fundamentally flawed. Like many organizations today, Capital One uses Amazon Web Services (AWS) to store data, and it was this that was targeted and successfully stolen.
In the case of Capital One it was process, not technology, that failed. The company failed on three points to secure its data properly using the extended tool sets that AWS provides. It relied only on the default encryption settings in AWS, suggesting a lack of product knowledge or complacency in security teams. The Access Control policies had not been properly configured and allowed anonymous access from the web. Finally, the breach was not discovered until four months after it happened because Capital One had not turned on the real-time monitoring capabilities in AWS. This last point would put the company in a tricky position if any of the data belonged to EU citizens – in this case it looks like only US citizens were affected.
The lesson from the incident isn’t that cloud security is not up to the job. Certainly, putting data in the cloud without protection is foolish but modern cloud platforms such as AWS and Azure, for example, have advanced configuration controls to defend robustly against breach attempts. The cloud is here to stay; the digital transformation essential to modern business depends on it. To suggest we curtail its usage because of security concerns is avoiding our responsibility and ability to secure it with the tools at our disposal.
To learn how KuppingerCole Analysts can assist you establish a compliant and secure cloud strategy please download our Advisory Services brochure.
A new strain of Sodinokibi ransomware is being used against companies in the United States and Europe. Already notable for a steep increase in ransoms demanded ($500,000 on average), the malware can now activate itself, bypassing the need for services users to click a phishing link for example. In addition, the Financial Times reports that criminals are targeting Managed Service Providers (MSPs) to find backdoors into their client’s data, as well as attacking companies directly. “They are getting into an administration system, finding lists of client privileged credentials and then installing Sodinokibi on all the clients’ systems,” the report warns.
Ransomware has proven to be highly effective for cyber criminals, as many companies have no alternative but to pay up after they have been locked out of their own systems. This is particularly true of smaller companies who often have no cyber insurance to cover their losses. Criminal hackers have also become more ruthless – sometimes refusing to unlock systems even after the ransom has been paid.
But the sophistication of this new strain of Sodinokibi and the inflated ransom demands tells us that the criminal developers and distributors have raised the bar. The ransomware does not need to find vulnerabilities, as it gains “legitimate” access to data through stolen credentials. Left unchecked, Sodinokibi threatens to be as damaging as its notorious predecessor, Petya.
Even Managed Security Service Providers (MSSPs) are not immune. According to reports, one such MSSP was attacked through an unpatched version of the Webroot Management Console, enabling attackers to spread the ransomware to all its clients. Webroot responded by sending out a warning email to all its customers, saying it had logged out everyone and activated mandatory two-factor authentication.
Webroot’s warning email after one of its MSSP customers was attacked by Sodinikobi
Notwithstanding the fact that any MSSP clients should expect them to take robust and regular proactive security steps as part of an SLA, it shows that diligent use of IAM and authentication controls can do much to prevent ransomware from doing its worse. But it is privileged accounts that are the true nectar for cyber criminals as these unlock so many doors to critical data and services. Which is why PAM (Privileged Account Management) is essential in today’s complex, hybrid organizations and if this responsibility is outsourced to MSP or MSSPs it is doubly important. (For more on PAM please see our recent Leadership Compass and Whitepaper research documents).
The success of any ransomware, which is not a complex piece of code in itself, depends on the lack of preparedness by organizations, and a lack of due diligence on patching systems to prevent it reaching its intended targets. In the case of Sodinikobi, it’s new ability to execute unaided makes this more important than ever.
When too many users have access to critical data and systems, it makes life much easier for ransomware. A properly configured and up to date PAM platform, either on premises or at an MSP will do much to stop this and prevent the situation found at many organizations where Privileged Account and Admins often have too much access. Best practice for today’s enterprise environments is to set credentials for single tasks and be strictly time limited - and setting two-factor authentication as default for privileged accounts. This would stop ransomware from spreading too far into an organization. Another nice concept for MSPs and MSSPs is fully automated administration of client services with well tested runbooks, and no personalized access to the systems at all.
Of course, a management platform should be patched to stop any form of ransomware reaching those credentials in the first place - patches for Sodinikobo are widely available – but as we have seen organizations cannot rely on that to happen. Given what happened with the WebRoot platform there is a strong argument for organizations to host IAM on premises, at least for privileged account management so that they have control over patch management. A robust IAM and PAM solution will prevent “access creep” by ensuring the consistent application of rules and policies across an organization. After all, hackers can’t demand a ransom if they can’t get access to your critical systems.
Get access to the whole body of KC PLUS research including Leadership Compass documents for only €800 a year
Register now for KuppingerCole Select and get your free 30-day access to a great selection of KuppingerCole research materials and to live trainings.
AI for the Future of your Business: Effective, Safe, Secure & Ethical Everything we admire, love, need to survive, and that brings us further in creating a better future with a human face is and will be a result of intelligence. Synthesizing and amplifying our human intelligence have therefore the potential of leading us into a new era of prosperity like we have not seen before, if we succeed keeping AI Safe, Secure and Ethical. Since the very beginning of industrialization, and even before, we have been striving at structuring our work in a way that it becomes accessible for [...]