Last week, Facebook announced the launch of Portal, a voice-activated smart home camera device. Considering the recent data breach the company suffered, the tech press response to Portal ranged from bafflement to incredulity.

In response, Facebook senior exec Andrew Bosworth insisted< all processing was done locally on the device – so no information was uploaded to the cloud, or stored on Facebook servers. But is this sensible policy or scaremongering?

This article will argue it is a bit of both; going through various data breaches and scandals, privacy fears around the cloud, and how using tools like VPNs – albeit with a degree of caution– add an extra layer of security to the cloud computing equation.

Cloud data breaches and scandals

Data breaches are common occurrences in today’s information-driven world. Although a lot of these breaches involved server-hosted companies, cloud-hosted companies have had their fair share as well.

Facebook’s data breach is the latest in this lineup. It happened in September of this year when Facebook’s engineers noticed a sudden spike in the site’s user activity.

This led them to scramble for a solution until they concluded that their site had in fact been compromised. Recent reports state that the hackers may have had unrestricted access to over 50 million records.

Earlier this year, Data firm LocalBox was in the news for its controversial building of detailed profiles by scraping publicly-accessible social media data of millions of individuals which left 48 million people’s records on an exposed server.

Last year, conservative data firm Deep Root Analytics exposed 198 million voter records.

In the same year, Kromtech Security Center discovered that healthcare services company Patient Home Monitoring had left 150,000 patient records unsecured. These records included PDF files and sensitive medical data.

With all of these data breaches and scandals, it’s no wonder why many businesses have doubts about the cloud’s security. But these fears are actually ungrounded.

Why?

Most privacy fears around the cloud don’t actually involve the cloud

Privacy and security in the cloud are the primary concerns for many executives and IT managers. Such concerns are understandable given that you’re pretty much entrusting your data to someone else.

Fanning the flames of these concerns are the various data breaches involving the cloud. But what a lot of people don’t realize is that most breaches don’t involve a lack of security in the cloud provider itself.

In fact, a recent Cloud Security Report by Cybersecurity Insiders shows that three out of the four biggest cloud security threats don’t actually involve the cloud service itself.

The four biggest cloud security threats being:

• Misconfiguration of the cloud platform
• Unauthorized access through misuse of employee credentials and improper access controls
• Insecure interfaces/APIs
• Hijacking of accounts, services, or traffic

Human error is actually the cause for most of the recent cloud data breaches including the ones involving World Wrestling Entertainment and Verizon.

Misconfiguration happens when professionals used to the local infrastructure attempt to recreate their local solutions in the cloud without taking into account the intricacies of the cloud provider’s particular features.

Unauthorized access through misuse of employee credentials and improper access controls is, again, not attributable to the cloud provider itself but instead to a client’s employee(s).

The problem with this is that they’re difficult to detect and investigate. This threat can be caused either by an employee intentionally stealing and using someone else’s credentials or by obtaining them by mistake.

Hijacking is a process in which an attacker steals an individual or organization’s cloud account, usually an email account or other credentials. This is a common tactic in schemes involving identity theft where the attacker conducts malicious or unauthorized activity by using the stolen account information.

Hijacking was what caused the whole Apple iCloud debacle. This is why Apple, along with implementing other security features, suggested that users strengthen their passwords.

This all means that while the cloud may suffer a lot of data breaches, the truth is most of these breaches are caused by external factors and not factors inherent in the cloud itself.

Tools to improve cloud security

So you’ve learned that, by itself, the cloud is secure for the most part. That said, in a data-driven economy, organizations will stand to benefit from utilizing certain tools to maintain an adequate level of security for workloads in the cloud.

In fact, the Cybersecurity report showed that 54% of respondents saw network encryption to be an effective way to protect data in the cloud. Perhaps the easiest tool for network encryption is the humble VPN.

The best VPNs protect your cloud data by utilizing military-grade AES 256-bit encryption. This is the same encryption standard used by Apple, Microsoft, and even the U.S. military. Add to that the fact that a VPN masks your IP address and you’ve got a tool that not only secures your data but also prevents it being traced back to you.

Now, there has been recent news about major security flaws found in the top VPN providers but they’ve since been fixed. That said, the same security flaw may still be present in some VPNs so some caution is still required when looking for the right VPN for your organization.

If you’d like to compare the best VPNs available on the market today, check out my reviews for the best VPN services.

SAP has claimed it is the ‘fastest growing cloud company at scale’ in enterprise software applications after breaking the €5 billion barrier for quarterly cloud and software revenues.

The figure of €5.01bn (£4.4bn) represents an increase of 7.5% on this time last year, and an increase of 1.3% on the previous quarter. Total revenues for the company were at €6.02bn, meaning cloud and software was at 83% of all earnings for the quarter.

Speaking to analysts following the announcement, SAP CEO Bill McDermott said the company was in the position it needed to be. “With 41% cloud revenue growth in Q3, SAP has the fastest cloud growth of any peer at scale in the enterprise applications software industry,” said McDermott.

“Three years ago we said that cloud revenue would overtake license revenue in 2018. Today the fast adoption of our cloud solutions and business networks has accelerated this positive development,” McDermott added. “The resilience of our license business remains ever steady even as we grow the cloud beyond expectations.

“Cloud has a higher lifetime value, drive[s] faster consumption of innovation and has higher predictability going forward. We planned for this transition – we guided for it and we are delivering it.”

This publication duly reported SAP’s prediction that cloud profits would exceed software license revenues by 2018 back in January 2015 – and it appears to be on track for that side. That said, it is never fully clear cut to tell; apart from Amazon, which puts AWS revenues in a clear segment, virtually every other primary vendor obfuscates its figures to some degree. Microsoft, for instance, reveals a percentage point increase for Azure but hides its overall numbers in two buckets. For SAP, describing those revenues as ‘cloud and software’ makes sense in this context.

SAP raised its 2018 outlook for the third time this year – but despite this, profits were slightly down, with operating profit declining 6%, from €1.3bn to €1.2bn.

Chief financial officer Luka Mucic reiterated that cloud was ‘where the long-term value was’ and that SAP’s ‘intelligent enterprise strategy’ was ‘resonating broadly and propelling strong adoption of [their] suite in the cloud.’ Responding to an analyst question around license performance and support revenue, Mucic added that “the market needs to expect a gentle decline in growth rates of support revenues.”

You can read SAP’s full financial results here.

Picture credit: SAP

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

In today’s always-on world, customer expectations have changed. Competitive differentiation is delivered through rapid software innovations, the ability to respond to issues quickly and by releasing high-quality code with minimal interruptions. DevOps isn’t some far off goal; it’s methodologies and practices are a response to this demand. The demand to go faster. The demand for more uptime. The demand to innovate. In this keynote, we will cover the Nutanix Developer Stack. Built from the foundation of software-defined infrastructure, Nutanix has rapidly expanded into full application lifecycle management across any infrastructure or cloud .Join us as we delve into how the Nutanix Developer Stack makes it easy to build hybrid cloud applications by weaving DBaaS, micro segmentation, event driven lifecycle operations, and both financial and cloud governance together into a single unified stack.

read more

Clare Hopping

Clare Hopping

Clare Hopping

Crosscode Panoptics Automated Enterprise Architecture Software.

Application Discovery and Dependency Mapping. Automatically generate a powerful enterprise-wide map of your organization’s IT assets down to the code level.

Enterprise Impact Assessment. Automatically analyze the impact, to every asset in the enterprise down to the code level.

Automated IT Governance Software. Create rules and alerts based on code level insights, including security issues, to automate governance.

Enterprise Audit Trail. Auditors can independently identify all changes made to the environment.

read more

Will Stapley

British Airways (380,000 leaked user accounts), MyHeritage (92 million), Equifax (143 million). Just three examples of recent – and massive – data breaches. Even combined, they represent a small proportion of the billions of accounts hacked over the past few years. A timely reminder that, no matter how careful you are with your passwords, you can’t always rely on companies being as diligent.

What you can do, however, is make your password as difficult to crack as possible, so if you are the victim of a careless company your password won’t instantly give itself up.

Despite the advent of new biometric techniques (such as fingerprint, iris and face recognition), the majority of us still tend to use passwords to verify our identity online. And if you create your own passwords using similar terms (maiden names, pets, football teams, etc) rather than randomly generate them, as soon as one password has been stolen the rest become much easier to crack.

In this feature, we look at the methods hackers use to pilfer your passwords and how you can protect yourself against them. We’ll also explain how you can find out whether any of your passwords or other personal information has been leaked in a major data breach. Sad to say, but the chances are surprisingly high.

How are passwords stolen?

Most of us have been there. Struggling to remember one of our passwords, but bashing in those we use most in the hope of striking lucky. Then we see the dreaded message ‘Too many incorrect logins – account locked’. The silver lining, you might think, to this frustrating cloud is that someone trying to hack your password would suffer a similar fate.

A locked-out message might be infuriating for you, but it’s no problem for hackers

Sadly, this isn’t how the world works. Most passwords are cracked by hackers working offline, having already ‘acquired’ a database of user accounts. They will then use various methods to crack the accounts’ passwords. The only time they’ll ever try to log into your account is when they’ve already got your password. So while a limit on login attempts helps prevent people casually trying to access your accounts, it’s useless if your account details have been leaked.

How passwords are ‘hashed’

The good news is that even hackers who have access to a database of account details can’t see the actual passwords as plain text. Any reputable website won’t ever store your password. Instead, they use an algorithm to convert it into a unique, fixed-length block of data, known as a hash.

For example, using one very popular cryptographic algorithm – SHA256, which was developed by the US National Security Agency – the much-used password ‘P@SSWOrd‘ generates a 64-character hash starting ‘BO3DDF3C…’.

This particular password will always create this unique hash, meaning a website can compare it to the hash of the password you enter when you log in – if the two match, you’re allowed in. You can see how it works by generating SHA256 hashes on the Password Generator website. Notice that when you alter a single character, the hash changes completely.

Securing passwords with a pinch of salt

Hashing lets websites store your passwords securely because it’s impossible to reverse-engineer them, but hackers can still use any number of techniques to work out your password. How easy this is depends on how complex your password is and the methods used by the website to generate its hash.

Password Generator uses the SHA256 algorithm to make unique 64-character hashes

To make it harder for hackers to use rainbow tables (databases of leaked passwords) to work out a password from its hash, most websites generate a series of random characters and add them to your password before creating the hash – a process known as ‘salting’.

Using a salt of aE92@3′ (most are far more complex than this), our earlier password of P@ssword‘ becomes ‘aE92@3P@assword‘. Because this generates a completely different hash, it’s highly unlikely it will exist in a rainbow table and will, therefore, be much harder to crack. To increase security, the website will use a different salt for each user.

How to check if your passwords have been stolen

When your passwords (or any other personal information) have been leaked, they normally end up being added to huge databases on the dark web. Trying to locate these to find out whether you’ve been a victim not only takes ages, but is also risky because they’re typically listed on criminal websites. Thankfully, there are safe websites you can use instead.

Have I Been Pwned? (HIBP) was created in 2013 by Australian security expert Troy Hunt. It’s home to a database of over five billion hacked (or ‘pwned’) email accounts from the many leaks that have occurred over the years. You can also search its database using Mozilla’s Firefox Monitor tool, launched last month.

Hacked Emails (run by US-Spanish security firm 4IQ) and BreachAlarm (run by Australian firm Avalanche), are two popular alternatives. All three sites scan for new data leaks by monitoring sites on the dark web and websites such as Pastebin, where hackers post leaked account details. This data is then combined into a single, searchable database.

The sites use similar methods to check whether an email address was part of a data breach – simply type it into the box on the home page then press Enter. While HIBP and BreachAlarm show instant results, Hacked Emails sends a link to the email address you entered, restricting you to running password scans only on addresses you can access.

According to HIBP, our email is linked with two breaches that leaked our password and more

We tested the sites using the same email address – an old Gmail account we no longer use. Both HIBP and Hacked Emails reported that it was part of the Adobe (2013) and Dropbox (2012) breaches – though the former went further by specifying the type of information that was leaked. HIBP also said the address was made available through the Onliner spambot in 2017. Both also listed several ‘unverified’ leaks from unknown sources.

In contrast, BreachAlarm simply said our email address has been leaked “at least 2 times”, with the latest being August 2016. This was disappointingly vague, but it’s still worth trying BreachAlarm because it uses different databases of leaked emails. Between all three sites, you’ll probably find out whether your email account has been hacked.

Run searches for your password

As well as email addresses, HIBP lets you check whether your password has been leaked. Head here or click the Passwords menu from the main HIBP site, then type your password.

We’ve no doubt that HIBP can be trusted, but searching your current password isn’t without risk. Although unlikely, hackers might be able to steal it if they attack HIBP and install keylogger malware.

We, therefore, recommend against using a current password. Instead, try running searches for your old passwords, or simply use it to find out how common certain passwords are. For instance, ‘654321’ has been leaked nearly one million times, while ‘P@ssw0rd’ nearly 50,000 times.

If you do check a current password and find it’s been leaked, there’s no way of telling whether it belonged to you or someone else (the simpler the password, the more it would have been used by other people). Regardless, you should still change it immediately. If the password has been seen online even just once, it will be included in rainbow tables, making it easier to crack.

What to do if your data has been leaked

If your details have been leaked, check the date of the latest breach. If you’ve yet to change your password on the attacked site, do so immediately. Hackers are aware people often just add an extra character when changing their password, so make sure it’s completely different (don’t change ‘Ilovepasta’ to ‘Ilovepasta1’). And if you’ve reused the stolen password on other sites, change them there as well.

If you get the all-clear from these sites, it doesn’t mean your personal details have never been leaked. Lots of smaller data breaches go unreported, while some companies simply aren’t aware they’ve been attacked.

The best way to protect yourself is to use strong passwords and, ideally, a password manager. Also consider signing up to HIBP’s monitoring service, which will email you if your details appear in a new leak. Click ‘Notify me’ at the top of the website, then enter the email address you want to monitor.

Two pieces of research have hit CloudTech’s inbox which show that if you have the right DevOps skills you can go just about anywhere – and name your price with it.

According to a new report issued by O’Reilly Media, the global median pay for DevOps professionals is currently at $90,000 a year.

The report was based on the responses of more than 1,300 IT professionals, and noted that the headline figure is down from $100,000 the year before. Yet this is nothing to be perturbed about: the lowering of the average is down to a greater number of respondents as well as a wider geographic dispersion to traditionally lower-income areas.

One area which definitely needs improvement, however, is around gender imbalance, with only 6% of respondents identifying themselves as female. Their salaries are $6,000 lower on average than their male counterparts to boot.

Salaries can be based on how much time is spent coding rather than spent in meetings. Those who code more earn less. According to survey respondents, those who code only between one to three hours per week bring home on average $94,000, while others who spent at least 20 hours a week at the coalface earn on average $82,000. Naturally, greater responsibility means more time away from the desk, the report notes, while organisations with a lot of coders would also have entry-level employees and interns whose salaries would lower the median value.

It will not come as a major surprise either to note how seniority holds sway. Those with less than five years’ industry experience can expect to earn $58,000, while those with more than 20 years earn $123,000 on average.

It’s worth noting at this point that it’s technically impossible to have 20 years’ experience in DevOps, given the term only came into usage around a decade ago. Any consultant who notes they were talking a good DevOps game in the 1990s, therefore, should be treated with suspicion. Yet if they discuss precursors such as agile software development, then you’re on a much surer footing.

In terms of programming languages, two thirds (66%) of respondent said they used Bash, with 63% using Python and 42% JavaScript. Comparing this with salary, average pay for Python professionals surveyed is $86,300. Some languages perform even better – PHP and Go offer median salaries of $90,000 and $102,000 respectively – but with far fewer professionals regularly using them.

Meanwhile, new data released by cloud service provider Akamai has shown that demand for DevOps skills has risen by more than two thirds across the past two years. Looking at the disparity between coding and management from the O’Reilly research, the Akamai study noted how whether the job role is for DevOps managers, senior staff or engineers, demand has grown significantly for all.

The Akamai study also focused on salary; salaries are on average 24% above the median of similar processes and methodologies, such as agile and scrum and test automation.

“Ensuring that businesses have the right talent is key to the success of DevOps, and when hiring and retaining this talent organisations need to ensure they have the best tools available,” said Ian Florey, Akamai solutions engineering manager. “From cloud platforms which allow automated product updates, to real-time monitoring which helps understand customer habits, DevOps experts expect to have the essential tools to make the most of their skill set.”

Read more: Putting the ‘ops’ back in DevOps: Keeping relevant and providing value for IT

DevOps is the new normal for rapidly delivering high quality software and, with software as the new face of business, speed and quality can determine success. However, integrating DevOps into your organisation can take some getting used to.

Despite initial challenges, the end result has a huge upside. Once DevOps is embraced and established, continuous testing and continuous release will enable you to confidently provide more up-to-date and reliable software to your customers. And that’s good for your business.

If you’re not part of the solution…

For both dev and ops, successfully implementing DevOps requires everyone to make some changes that aren’t always easy or comfortable.

What does this mean for development? Dev has to be willing to work with Ops early in the software development process and accept it is no longer the beginning and end of the creative process. While this might initially feel like intrusion, there is a plus side. DevOps enables development to get ideas to production more quickly and securely, while maintaining quality, which is critical for enterprises with a brand reputation to uphold. Further, they can understand the production life and impact of their code from the comfortable position of pre-production, reducing hair-on-fire moments for everyone.

What does implementing DevOps mean for IT ops? IT ops must be willing to create a partnership with development and testing to successfully integrate DevOps. It must accept it is no longer the end game, the command and control center of the app’s production life. On the plus side for IT ops this will enable continuous testing and release and it will eliminate the ongoing competition between itself and the lines of business that can lead to “do it yourself” or shadow IT, destabilising IT operations and defeating the promise of DevOps.

How can IT ops stay relevant?

IT can lead in breaking down the silos between development, testing and operations, creating a partnership in which the customer is everyone’s focus. To achieve continuous delivery and continuous testing, IT can work with development and testing to create standardized procedures and consistent test environments, letting everyone be a part of the solution.

IT can also take the lead in becoming knowledgeable about new tools and technologies that can simplify and enhance the work of all functions involved in the software delivery process.

Development tools include device simulators and IoT virtualisers to simulate devices and create the necessary environment in minutes and at significantly lower cost. They can create APIs better and faster with easy to use API point and click tools. Tools are available to simplify the often-complex processes of building microservice apps and using containers. Most importantly, development can build security directly into their dev and test cycles, creating more secure software and avoiding the need to make changes after release. Not only is it more difficult and time-consuming to correct security glitches after release but, when customers are the ones to discover the security glitch, it is detrimental to your business and brand.

Testing can use tools that run open-source tests against their app at scale and, by using analytics that provide behavior insights, can find out what the experience with their app is really like for customers.

IT ops will find that new tools and technologies are not just for everyone else. New technologies can improve and speed up the delivery of IT ops – automation for testing and deployment and cloud environments for provisioning – giving IT ops more time for strategic work.

Automation is uniquely positioned to assist IT ops. For configuration consistency and release normalisation, automation provides the speed and stability that ensures quality IT operations.

Cloud computing can create the environments that would cost a fortune and take forever to create in-house. IT infrastructure tools today can work across hybrid environments to provide the same level of insight and control as with an in-house infrastructure. Cloud computing can also help you rapidly scale up when acquisition or a sudden business boost, like a promotional sale, requires it.

In addition, IT ops tools are now available that have advanced analytics, such as AI and machine learning, built into them to better predict and remediate issues. For example, if an app’s performance is not up to par your monitoring tool will let you know but the tool with embedded analytics will let you know why. These learnings can be fed back to the development and test teams for faster remediation.

DevOps is proving its value for IT

The 2018 State of DevOps Report, by DORA (DevOps Research and Assessment), shows that the use of DevOps continues to increase across industries and continues to improve software delivery performance regardless of industry. The report benchmarks high, medium and low performing DevOps teams based on how they are developing, delivering and operating software and have identified striking differences between teams.

In the area of throughput, the highest performing teams deployed code 46 times more frequently and made changes to the code (from commit to deploy) 2,555 times faster. In the area of stability, the highest performing teams had seven times lower change failure rates and recovered from incidents 2,604 times faster.

Looking at these metrics from a customer’s standpoint, high performance teams deployed code on demand and took less than one hour to implement changes, compared to code deployments of one per week and lead time for changes of one per month or more for low performance teams. Similarly, high performance teams took less than one hour to restore service compared to between one week and one month for low performance teams. It’s not surprising that for the fifth year in a row, the report finds that software delivery performance is tightly tied to organisational performance.

In addition, high performance teams do much less manual work, having automated significant amounts of their configuration management, testing, deployments and change approval processes. The result is significantly more time for new, innovative work.

DevOps is a win/win

DevOps is an essential component of successful, transformed organizations and a win for both development and IT Ops. The benefits for IT teams, in particular, are proving to be significant as the 2018 State of DevOps Report shows.

IT ops teams needn’t “protect” their command and control function. By shifting left, earlier into the process of bringing software to market, you can take a leadership role in software delivery and better support your business in satisfying customer requirements. Embracing new technologies and tools such as automation, cloud provisioning and embedded, predictive analytics can simplify the job of rapidly deploying reliable, secure software, making you and your team a more valued partner and contributor to your business’ success.

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.