HITRUST partners with AWS and Microsoft to clarify shared responsibility in cloud security


Praharsha Anand

13 Jan, 2021

The Health Information Trust Alliance (HITRUST) has announced the release of its new Shared Responsibility Matrix program to help cloud vendors better communicate their security and privacy assurances.

Developed in collaboration with Amazon Web Services (AWS) and Microsoft Azure, HITRUST’s Shared Responsibility Matrices clearly define security and privacy responsibilities between cloud service providers and their customers, streamlining processes for risk management programs.

Furthermore, the HITRUST Shared Responsibility Matrix for AWS and the HITRUST Shared Responsibility for Microsoft Azure align perfectly with each cloud service provider’s unique solution offering.

“Leading cloud service providers have long supported shared responsibility models, whereby the provider assumes some security responsibility for hosting applications and systems, while the organization deploying its solutions in the cloud assumes partial or shared responsibility for others,” said HITRUST. 

“The challenge, however, is that many shared responsibility models are loosely defined and vary based on the solution. For businesses deploying solutions in the cloud, this ambiguity creates an added layer of complexity related to achieving broader risk management objectives.”

HITRUST’s new shared responsibility model for cloud security is a part of HITRUST’s Shared Responsibility and Inheritance Program, which was introduced in 2018 to address the many misunderstandings, risks, and complexities organizations face when engaging with their cloud service providers.

“HITRUST launched this Program with the goal of providing greater clarity regarding the ownership and operation of security controls between organizations and their cloud service providers,” said Becky Swain, director of standards and shared responsibility program lead, HITRUST.

Swain continued, “The introduction of the Shared Responsibility Matrix is another HITRUST resource that underscores our ongoing commitment to simplifying and enhancing offerings to address our customers’ most pressing risk management challenges.”

Lastly, HITRUST announced its information risk management platform MyCSF can now inherit controls from AWS and Microsoft Azure. According to the company, the ability to automatically inherit controls helps save time, money, and resources as organizations pursue their risk management and compliance objectives.

Email is killing productivity, new research finds


Sabina Weston

13 Jan, 2021

Poor email processes are killing productivity, with a quarter of UK-based employees spending nearly one working day each week managing their inboxes.

That’s according to research by Mail Manager, which surveyed 500 business leaders and decision-makers in the UK. It found that one in four respondents spent at least one hour a day going through their inbox, which amounts to almost one full working day spent on managing emails.

This is despite email being the most-often used form of communication. 90% of respondents indicated that they use email to communicate with their clients, while Skype and WhatsApp, by comparison, were used by 55% of those surveyed. Just 15% of those surveyed said that Slack was their go-to communication platform. 

Jacob Wardrop, commercial director at Mail Manager, described email as the “letter of today”. 

“While tools like Slack and WhatsApp are great for informal correspondence and chat, email remains the core correspondence method for formal communication. Before the digital era, companies would send formal correspondence as letters, which would be physically stored. Now, email is the tool for formal correspondence, but the need for filing and securely storing this communication remains, even though it’s digital,” he said.

The additional time spent on sorting emails has a negative impact on employees emotions and work. More than half (55%) of respondents said that they were frustrated by not being able to find specific documents in their inbox, which left them feeling as if they were wasting time (63%), being less productive (48%), and losing track of project information (52%).

In some cases, poor email management led to missed customer and client opportunities, an experience shared by 45% of those surveyed.

The findings come after last year Slack added a feature to send messages beyond the walls of a company and connect organisations into shared channels. 

Aside from productivity gains, Slack’s CISO Larkin Ryder also pointed out safety benefits of switching to the messaging tool.

«Email is an open front door to security threats to an organisation – $12 billion in losses are caused by business email scams, and 90% of data breaches are from phishing. If you want a more secure collaboration solution for your organisation, the first thing you can do is take your employees out of email and into Slack,” he said.

IBM buys Salesforce consultancy firm 7Summits


Carly Page

12 Jan, 2021

IBM has announced plans to acquire 7Summits, a consultancy firm that specialises in projects based on software as a service (SaaS) applications from Salesforce.

IBM said the deal, the financial terms of which have not yet been disclosed, «is part of a broader IBM investment strategy in services and ecosystem partnerships to enable our clients’ digital transformations through hybrid cloud and artificial intelligence (AI).»

Milwaukee-based 7Summits was founded in 2009 and designs and develops digital experiences with Salesforce solutions in order to help business improve customer relationship management (CRM), sales, and cost reduction.

The company, which has 66 employees across Milwaukee, Indianapolis, Austin and San Francisco, will join IBM’s Global Business Services’ Salesforce division, which IBM says is facing “rising client demand”. This is no doubt as a result of the global COVID-19 pandemic, which has seen organisations accelerate digital transformation projects in order to facilitate mass remote working.

«7Summits is part of a broader IBM investment strategy in services and ecosystem partnerships to enable our clients’ digital transformations through hybrid cloud and AI,» said Mark Foster, Senior Vice President, IBM Services.

«Salesforce plays a critical role in transforming customer, employee and partner lifecycle processes into intelligent workflows that deliver accelerated business outcomes.»

IBM added that, following the deal, its Global Business Services arm will significantly expand hiring, training and certifications to support key growth areas for Salesforce, including Tableau, Mulesoft, and Vlocity, while continuing to build out new Salesforce specific offerings that leverage IBM complementary capabilities and deep industry expertise.

Tyler Prince, executive vice president of Worldwide Alliances and Channels at Salesforce, commented: «Our partner ecosystem is a driving force of our growth, and the addition of 7Summits to IBM’s fast-growing Salesforce business will provide even more value for our customers’ digital transformations.

«The combination of both companies’ Salesforce consulting and design capabilities will help businesses in any industry keep pace with rapidly changing customer expectations, helping them thrive in an increasingly digital world.»

Red Hat acquires Kubernetes security firm StackRox


Rene Millman

11 Jan, 2021

Red Hat has announced it’ll acquire container and Kubernetes-native security provider StackRox in a bid to boost the security of its OpenShift Kubernetes platform. 

StackRox offers native security solutions to Kubernetes containers by directly deploying components for enforcement and deep data collection into the Kubernetes cluster infrastructure. The StackRox policy engine includes hundreds of built-in controls to enforce security best practices; industry standards, such as CIS Benchmarks and NIST; configuration management of containers and Kubernetes; and runtime security. 

Red Hat said the purchase would help it focus on securing cloud-native workloads by expanding and refining Kubernetes’ native controls and shifting security left into the container build and CI/CD phase. This will help provide a cohesive solution for enhanced security up and down the entire IT stack and throughout the lifecycle.

«Securing Kubernetes workloads and infrastructure cannot be done in a piecemeal manner; security must be an integrated part of every deployment, not an afterthought,» said Red Hat CEO Paul Cormier. 

«Red Hat adds StackRox’s Kubernetes-native capabilities to OpenShift’s layered security approach, furthering our mission to bring product-ready open innovation to every organization across the open hybrid cloud across IT footprints.»

Red Hat said it plans to open source StackRox’s technology post-acquisition. It’ll also continue to support the KubeLinter community and new communities as Red Hat works to open source StackRox’s offerings.

In addition to Red Hat OpenShift, StackRox will continue supporting multiple Kubernetes platforms, including Amazon Elastic Kubernetes Service (EKS), Microsoft Azure Kubernetes Service (AKS), and Google Kubernetes Engine (GKE).

In a company blog post announcing the acquisition, StackRox CEO Kamal Shah said his company made a strategic decision to focus exclusively on Kubernetes and pivoted its entire product to be Kubernetes-native.

“Over two and a half years ago, we made a strategic decision to focus exclusively on Kubernetes and pivoted our entire product to be Kubernetes-native. While this seems obvious today; it wasn’t so then. Fast forward to 2020 and Kubernetes has emerged as the de facto operating system for cloud-native applications and hybrid cloud environments,” Shah said.

IBM appoints Martin Schroeter as CEO of infrastructure spin-off


Bobby Hellard

8 Jan, 2021

IBM has appointed its former chief financial officer, Martin Schroeter, as the boss of its newly separated infrastructure business.

Schroeter will be initially tasked with oversing the formation of the ‘NewCo’ unit, following the company’s decision to spin off its managed infrastructure services business in October.

Following the appointment of Arvind Krishna, and 2019’s Red Hat acquisition, IBM will now focus its attention on the cloud market, with its new business, which has still yet to be named, focusing on the management and modernisation of global IT infrastructure.

«Martin is a world-class leader and is uniquely qualified to drive the long-term success of the new, independent company,» said Krishna. «Martin has the strategic vision and business judgement to realise NewCo’s enormous potential as the global leader in managed infrastructure services. He is an inspiring, results-driven executive and the right CEO to lead NewCo through the spin-off process and beyond.»

IBM have a history of promoting executives from within. Like Krishna, and his predecessor Ginni Rometty, the role of CEO has often gone to company veterans that have held a number of positions over a period of decades.

Schroeter, who joined in 1992, is returning to the company having left in June 2020. Before his departure, he held a number of executive roles in sales and marketing, most notably CFO of the company.

Dell’s new monitors feature a dedicated Microsoft Teams button


Carly Page

6 Jan, 2021

Dell has launched a new lineup of monitors that puts Microsoft Teams at the forefront as the company looks to capitalise on businesses’ continued reliance on video conferencing.

With the Dell 24, 27, and 34 Video Conferencing Monitors, the company claims it has created the “world’s first video conferencing monitors certified for Microsoft Teams».

This comes after Microsoft started certifying displays, webcams, and headsets last year in a bid to ensure a range of devices could be offered to both consumers and business that required no additional configuration to interact with Microsoft Teams and Skype for Business.

The monitors’ dedicated Microsoft Teams button will let users quickly launch the app to make and receive video calls, while the onboard 5MP infrared camera, noise-cancelling microphone and dual 5-watt integrated speakers promise to deliver high-quality video calls.

The Dell 24, 37, and 34 Video Conferencing Monitors, with the numbers reflecting the size of each monitor in inches, will launch in the US on 16 February, priced at $519.99, £719.99 and $1,149.99. UK availability details have not yet been announced.

Dell has also updated its business laptop lineup ahead of next week’s all-digital CES conference. The new Dell Latitude 9420 and 9520 add Intel’s 11th Gen vPro chips, optional 5G support, and a new automated webcam shutter to physically shut off the camera when not in use.

The «SafeShutter», which Dell claims is an «industry-first», can open and close automatically when the webcam is in use, but the laptops also feature dedicated “mute” keys to manually disable the microphone or camera as needed.

The 14-inch Dell Latitude 9420 will be available this month, while availability details for the 15.6-inch Latitude 9520 have not yet been announced.

Dell has also unveiled the Latitude 7520 with a 15-inch 4K UHD display and an optional full high-definition camera, and has updated its Latitude 5000 series and Precision 3560 PCs with new bioplastic designs that the company claims will help it to achieve its moonshot goal to have half of its products’ content be made of recycled materials by 2030.

Microsoft will soon offer 99.99% uptime for Azure Active Directory


Praharsha Anand

6 Jan, 2021

Starting April 1, Microsoft plans to update its service level agreement (SLA) for Azure AD user authentication to 99.99%. Hitting this four-nine uptime will be an improvement over the current 99.9% SLA.

A multi-tenant identity management service, Azure AD processes tens of billions of authentications per day. To deliver on its ‘99.99% uptime’ promise, Microsoft aims to drop service credit for administrative features and include only vital user authentication and federation features under Azure AD’s new SLA. 

Any period of time when users can’t log in to the service, access applications on the Access Panel and reset passwords, accounts to service downtime. Furthermore, organisations can avail service credits if Azure AD’s uptime drops below the SLA. For instance, Microsoft offers a full-service credit when uptime falls below 95% per month.

Microsoft attributed the enhanced SLA to its ongoing program of resilience investment to improve reliability in all areas of its identity services. 

To increase the reliability of its Azure AD, Microsoft centralised architecture to scope and isolated the impact of failures to a minimum number of users; included a backup authentication service that transparently and automatically handles authentications for participating workloads; integrated Azure infrastructure authentication with regional authentication endpoints; and provided instant enforcement of policy changes with continuous access evaluation (CAE) protocol for critical Microsoft 365 services. 

“In conversations with our customers, we learned that the most critical promise of our service is ensuring that every user can sign in to the apps and services they need without interruption,’’ said Nadim Abdo, vice president of engineering at Microsoft.

“To deliver on this promise, we are updating the definition of Azure AD SLA availability to include only user authentication and federation (and removing administrative features). This focus on critical user authentication scenarios aligns our engineering investments with the vital functions that must stay healthy for customers’ businesses to run.”

Updated Emotet toolkit ends 2020 as most dangerous malware


Bobby Hellard

7 Jan, 2021

The Emotet Trojan was used to target over 100,000 users per day over December, placing it at the top of a list of the most dangerous malware threats facing businesses today.

That’s according to a new global index from security research firm Check Point, which revealed the malware has impacted 7% of organisations around the world during the last month of 2020, closely followed by banking trojan Trickbot and information-stealing virus Formbook, both impacting 4% of global companies.

All three viruses made a return to the index for December, although the sudden uptake of Emotet should be a cause for concern among businesses, Check Point has warned. It was originally developed as a banking malware, sneaking onto a target’s computer to steal sensitive information, but it has since evolved into one of the most costly and destructive malware variants available, according to Maya Horowitz, director of threat intelligence and research products at Check Point.

«It’s imperative that organisations are aware of the threat Emotet poses and that they have robust security systems in place to prevent a significant breach of their data,» said Horowitz.

Emotet was at the top of the Global Threat Index in September and October, and is best known as being a tool for opening access to infected computers for further ransomware operations. It is also thought to have been used by the criminal group known as Ryuk, said to be responsible for a number of attacks on healthcare facilities throughout the autumn.

Researchers believe that a brief lull in activity during November was the moment the Emotet malware was updated with new payloads and improved detection capabilities. The Check Point team believes the malware is now far more dangerous as a result.

The same is true for Hiddad, an Android malware variant which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the operating system.

The most exploited vulnerability of the month was the MVPower DVR Remote Code Execution flaw, which affected 42% of organisations around the world during the month.

Amazon banned from using AWS logo in China


Bobby Hellard

6 Jan, 2021

Amazon Web Services can no longer use the abbreviation ‘AWS’ as a logo in China after a Beijing court ruled in favour of a local software company.  

ActionSoft Science & Technology Development (AWS in China) have the rights to the trademark, according to a court verdict published 30 December, The Wall Street Journal reports. 

The verdict, made in May last year but only released in December, has decreed that Amazon can no longer use the term ‘AWS’ or any similar logos in China. The tech giant has also been ordered to pay compensation of 76.5 million Yuan (£812.5 million) to ActionSoft. 

Amazon still had ‘AWS’ on its Chinese cloud services website as of Tuesday, according to the WSJ. However, a disclaimer at the bottom of the page notes that ‘AWS’ is used as an abbreviation and «is not displayed herein as a trademark».

In a statement, Amazon said it invented cloud services and made them popular around the world under the AWS name long before «any other company».

«Amazon was the first to use the AWS logo in China to sell cloud services by many years,» a spokesperson for the company said. «We strongly disagree with the court’s ruling and have appealed the case to the Supreme People’s Court.»

However, this is disputed by the court ruling which cites China’s official trademark database. It states that ActionSoft registered ‘AWS’ for cloud computing services in 2004, while Amazon only did so in China in 2012. 

Despite being the biggest cloud provider in the world, Amazon is only the fifth largest in China, far behind the likes of Alibaba and Tencent, with a market share of only 7.2%.

Trademark disputes between US and Chinese companies are quite common; Apple settled an iPad dispute in 2012 that allowed it to continue selling the tablet in China, while Facebook, Starbucks and even basketball legend Michael Jordan have battled with Chinese firms over naming rights.