Amazon hopes to halt Microsoft’s work on Pentagon JEDI contract


Nicole Kobie

14 Jan, 2020

Microsoft is set to start work on a controversial $10 billion cloud contract with the US military on 11 February, but not if Amazon has its way.

Last year, the Pentagon awarded the $10 billion contract for the Joint Enterprise Defence Infrastructure (JEDI) to Microsoft, tasking it with replacing ageing computers with a cloud network.

By the time the contract was awarded, Amazon Web Services (AWS) was the only other supplier in the race for the work and seen as a front runner by some, saying at the time it was “surprised” to lose the deal. Reports in a book suggested that may well have happened because President Donald Trump told the Pentagon leadership to “screw Amazon” as part of a spat with the company’s CEO Jeff Bezos. Weeks later, Amazon said it would appeal the decision in court.

As part of the ongoing dispute, Amazon filed a court document yesterday revealing it will seek a preliminary injunction that will “prevent the issuance of substantive task orders under the contract”, the filing says.

The three parties — the US government, Amazon and Microsoft — have already agreed on an expedited schedule for the court to consider the preliminary injunction, because the cloud system is considered important to national security, according to a report in Federal News Network. Amazon will file the formal request for an injunction by 24 January, with the other parties given a week to respond; the court should rule by 11 February, when work is supposed to begin.

One objection could simply be that Amazon has filed the injunction request too late to stop work, raising questions of why the company didn’t make the request sooner in the case, which started at the end of November.

“The United States and Microsoft note that, in agreeing to the above schedule for briefing of AWS’s intended motion for temporary restraining order and/or preliminary injunction, they expressly reserve their right to object to the timeliness of AWS’s proposed motion,” the filing notes.

The filing also shows the US government “does not intend to file an answer to AWS’s complaint”. That’s reportedly common in bid protest cases, and means the government won’t give much detail about why it handed the contract to Microsoft.

The Department of Defense has rejected Amazon’s claims and the reports that Trump pressured staff to choose Microsoft over Amazon, and said the contract decision was made without bias or external influence.

Bundesliga goes all-in on AWS, cites ML and AI expertise for archiving as key

Yet another sporting franchise is signing up with Amazon Web Services (AWS) to utilise its artificial intelligence (AI) and machine learning (ML) capabilities. The Bundesliga, Germany’s top flight football league, has announced it is going all-in on AWS to beef up its statistical acumen as well as improve the fan experience.

Among the technologies in AWS’ arsenal being used by the Bundesliga are image and video analysis tool Rekognition, as well as SageMaker, to build, train and deploy ML models. The league will use another ML service, Personalize, to ‘create real-time and individualised recommendations’ and ‘offer fans personalised game footage, marketing promotions, and search results based on their favourite teams, players, or matches.’

One aspect which Rekognition will be used for is particularly interesting – and relates to similar usage by another sporting client. The Bundesliga will build a cloud-based media archive which will automatically tag frames from more than 150,000 hours of video with metadata, such as games, players and venue, meaning a much easier search process.

This will, presumably, create other opportunities for the league: in June, NASCAR moved to AWS with the aim of launching new content from its archive called ‘This Moment in NASCAR History’, helped by the added metadata.

“We are extremely excited to be working alongside AWS to develop the next generation of football viewing experience,” said Christian Seifert, CEO of Bundesliga in a statement. “Innovation means challenging the status quo. Working closely with AWS, as one of the most innovative technology companies in the world, significantly enhances the investment we’ve made in innovation over the past two decades, all of which contributes to us being able to deliver a world-class football experience for our fans.”

Alongside NASCAR, AWS has announced deals with Major League Baseball and Formula 1 over the past 18 months. The latter has particularly become a flagship customer, with technical director Ross Brawn taking to the stage at re:Invent 2018 to discuss the ‘F1 Insights Powered By AWS’ launch, including exploring telemetry data and high performance computing (HPC) environments.


Google testing biometric support for Autofill service


Keumars Afifi-Sabet

13 Jan, 2020

Google is toying with adding biometric support to its Autofill service on Android devices, deployed by users to automatically populate online forms and apps with personal and sensitive information.

Android code that hasn’t yet been enabled suggests Google’s built-in service could, in a future update, introduce an additional security layer involving fingerprint scanning or facial recognition, according to XDA Developers.

The additional step would be handled through the ‘BiometricPromptAPI’, and would aim to resolve a security concern that has riddled Google’s auto-fill feature for years.

Autofill allows Android users to automatically populate forms and apps with information like passwords, addresses and credit card details, that’s synced with their Google account.

With Google’s Android 8 Oreo operating system, the inclusion of an Autofill API opened up support to third-party password managers like LastPass and Dashlane.

Using the equivalent of Autofill with these apps, however, generally requires users to pass an additional layer of security, like a quick fingerprint scan, to verify their identity.

Unlike these third-party apps, however, Google’s own feature has never demanded any additional form of authentication.

Attackers, therefore, could in theory gain access to a wealth of sensitive information – including financial data – just by bypassing the passcodes that users set to control access to their devices.

According to an APK teardown, biometric support options would be enabled within the Autofill settings portion of the Android settings menu, under ‘autofill security’. 

Users could then separately toggle biometric support on or off for payment information and credentials like usernames and passwords.

Biometric security is increasingly being seen as a reliable and secure alternative to traditional passwords and passcodes. The use of password managers, too, is often recommended by security experts as a means of improving cyber hygiene.

Microsoft, for instance, is a company that’s been highly vocal about the need to shift away from conventional passwords and for users to instead embrace biometrics as an alternative. Its chief information security officer Bret Arsenault has in the past called for online passwords to be eliminated entirely.

Embracing biometric support completely, however, presents its own security challenges, as the Biostar 2 data breach showed, with the nature of the biometric data taken far more permanent than usernames and passwords, which are stolen in most other breaches.

GCHQ warns against Windows 7 for email, banking


Nicole Kobie

13 Jan, 2020

Windows 7 should not be used for sensitive tasks, such as banking or email, after the decade-old software hits end of life tomorrow, the British government’s security service has warned.

The National Cyber Security Centre (NCSC), the public-facing arm of GCHQ, issued the warning ahead of Microsoft ending extended support for the ten-year-old operating system on 14 January, meaning Windows 7 will no longer get any security updates and that flaws will go unpatched and be left open for hackers. Businesses will still be able to pay to get security updates for the next three years.

“The NCSC would encourage people to upgrade devices currently running Windows 7, allowing them to continue receiving software updates which help protect their devices,” an NCSC spokesperson told The Telegraph.

“We would urge those using the software after the deadline to replace unsupported devices as soon as possible, to move sensitive data to a supported device and not to use them for tasks like accessing bank and other sensitive accounts,” the spokesperson added. “They should also consider accessing email from a different device.”

The NCSC noted that criminals started targeting Windows XP immediately after extended support ended in 2015, though Microsoft has issued a handful of emergency patches for serious vulnerabilities despite officially ending support.

As of the end of 2019, Windows 7 was still used on 27% of desktops and laptops globally, according to Net Applications’ Market Share, while 55% were on the most recent version, Windows 10. Indeed, a tiny slice, just over 2%, remain on Windows XP.

That includes consumer devices around the world, but Kaspersky warned last year that as many as half of small businesses still use older operating systems, such as Windows 7, despite the significant security risk. That’s partially down to cost and dependence on apps unsupported on newer systems, but also down to habit, the security firm said. This is despite a number of high-profile attacks such as WannaCry, which targeted Windows 7 machines.

For those who prefer to plan ahead, Microsoft has already announced that it will end support for Windows 10 in 2025.

What will drive 2020 in cloud governance? In a hybrid world, a solid strategy is key

Now that we are a few weeks into 2020, we should consider what lies ahead in the ever-evolving world of cloud governance. What seems certain is that when it comes to IT governance there is still the same need to balance the benefits of agility and speed which come from decentralisation, against key business risks be they security and/or cost management.

In fact, what is meant by cloud governance really depends on where you sit within an organisation. Microsoft has produced some interesting content on these different perspectives, which they have boiled down into “five disciplines.” 

From my perspective, I think mostly around cost management and cost optimisation. Obviously, if you sit within a security related function within a company or are a vendor of security tools, cloud governance means something quite different. The other factor impacting perspective is where you stand on the so-called ‘cloud journey’. If you are still working on migrating your first workloads to the cloud you will have a completely different outlook than if you have been in the cloud for the last 10 years and built your entire business model from the ground up in the public cloud.

So, now that we are in 2020, what does this all mean? The cloud world is full of predictions, but one often cited that caught my eye is that in 2020, 83% of enterprise workloads will be in the cloud with approximately half of these being in the public cloud (AWS, Azure and GCP for example).

The growth in public cloud over the last decade has been enormous and with it a management task that has moved beyond a scale that humans can manage. Automation has been part of the cloud since its inception, but the move to automated governance has begun and without a doubt will continue to accelerate in the coming years.

This ranges from automated cloud guardrails, which prevent the misconfigurations that enable malicious attackers to penetrate what were considered well-protected systems, to automated cloud cost control, which schedules resources to be available when required (and off when not) or adjusts them to the right size to meet the needs of the workload. It’s also not just the infrastructure layer that’s going to get automated, as new tools emerge including application resource management, which enables the entire application stack to be automated using software.

In reality, most of what is termed ‘automation’ in the world of cloud governance in 2020 is really just recommendations, which are then manually implemented. These often still require sophisticated workflows, approval processes and signoffs from operations and business owners. Few organisations have moved to fully automated governance actions where, in essence, the machines are being used to manage machines.

Just as with the move towards autonomous vehicles, where driver augmentation via adaptive cruise control, lane-centering et al is now considered almost standard on new cars, at least some level of automation in governance is becoming a standard requirement. Being delivered a list of hundreds of recommendations in the last decade was considered a vast improvement on the status quo. In the next decade, these recommendations will likely increasingly become invisible as infrastructure optimisation is managed in an ongoing and continuous manner and will require little or no human input.

The range of governance tasks to be automated is also likely to grow. I can already observe the way cost management is increasingly being automated and our own customers are getting comfortable with more ‘set it and forget it’ automation processes based on policies they define. Teams anxious about cloud security are turning to a growing market of automation tools that cover monitoring, compliance, and threat management and remediate these issues in real-time.

There is certainly a lot of headroom when it comes to automating governance. It makes me wonder where we will be by 2030.


Google Cloud goes ice cold with general availability of Archive storage class

Google Cloud has announced the general availability of Archive, its coldest storage offering focused on long-term data retention.

Cold storage, unlike its antithetical hot cousin – see Wasabi as an example of the latter – is for workloads which are accessed less than once a year and have been stored, usually, for many years. It is pitched by the hyperscalers as a replacement for tape backups; when Amazon Web Services (AWS) launched Glacier Deep Archive at 2018’s re:Invent, CEO Andy Jassy told the audience they would ‘have to be out of their mind’ to manage their own tape moving forward.

Google’s Archive, meanwhile, aims to differ from Amazon’s version in a couple of ways. When this publication reported in March on updates to Coldline, Google’s ever-so-slightly-warmer storage class, it noted ‘high availability and low latency as its calling card.’ Google aims for no delay on data retrieval – ‘millisecond latency’, as the company puts it – compared with AWS which offers restoration any time between one minute and 12 hours.

Archive is priced at $0.0012 per GB per month, or $1.23 per terabyte per month. This is above AWS and Azure, who are priced the same at $0.00099 per GB per month and $1 per TB per month. This is partly down to the longer remit for an early deletion charge – Google has it at 365 days compared with 180 days for AWS and Azure. It is worth noting that this is a basic guide, with caveats between the providers for workloads and usage.

Google Cloud Archive was first announced last April, with the promise at the time of ‘later this year’ only slightly out. “Having flexible storage options allows you to optimise your total cost of ownership while meeting your business needs,” wrote Geoffrey Noer, Google Cloud storage product manager in a blog announcing general availability. “At Google Cloud, we think that you should have a range of straightforward storage options that allow you to more securely and reliably access your data when and where you need it, without performance bottlenecks or delays to your users.”

You can compare cold storage offerings by visiting Google's page, AWS', and Microsoft's.


Teams unveils Walkie Talkie and off-shift access controls in frontline workers push


Keumars Afifi-Sabet

10 Jan, 2020

Microsoft has unveiled a set of new features for its flagship Teams platform to appeal to what the company calls “firstline workers” in industries like medicine, retail and manufacturing.

Over the course of 2020, the major Slack rival will introduce a suite of tools, including features like an in-app walkie-talkie, shared device sign-out and off-shift access controls for IT administrators.

The news marks the company’s second major push around ramping up functionality for frontline-workers, hinting that Microsoft is aggressively trying to fill what it sees as a gap in the market.

Microsoft had previously revealed simple sign-in for Microsoft 365 and Teams at its Ignite conference in November. The previously announced SMS sign-in tool would allow frontline workers to log onto Teams using an SMS authentication code obtained by entering their phone number.

Companies in the retail industry, in particular, with high staff turnover, could be the main beneficiaries from this feature, as well as from new tools like off-shift access controls and shared device sign-out.

“Companies at the forefront of digital transformation recognize how critical it is to enable all of their people with the right technology and tools,” said Microsoft’s corporate vice president of modern workplace verticals Emma Williams.

“That’s why, in industries like retail, hospitality, and manufacturing, there’s a movement underway to digitally empower the Firstline Workforce – the more than two billion people worldwide who work in service- or task-oriented roles.

“Giving Firstline Workers the tools they need requires companies to address unique user experience, security and compliance, and IT management.”

Allowing workers to sign in using SMS, for instance, would allow IT departments to avoid the need to set up fully-fledged user accounts for individuals who may not stay in the job for very long.

One of the most eye-catching new features, the walkie-talkie tool, is aimed at supplanting the need to buy additional equipment like radios, with workers able to conduct voice conversations over Wi-Fi and mobile data.

Microsoft sees this walkie-talkie feature as a means to help companies ditch “analog devices with unsecure networks”, with workers no longer having to worry about crosstalk or eavesdropping from third-parties.

Principal analyst for digital workplace at CCS Insight, Angela Ashenden, said frontline workers have become a growing area of focus for Microsoft, with this segment of the workforce historically unserved with any apps or tools.

“We’ve seen Microsoft target this group already with its collaboration solution Teams,” she said. “And with its mixed reality applications as part of Dynamics 365, and we’re now starting to see these two worlds coming together as the company focuses on key verticals like retail.”

“Today’s announcements of a new push-to-talk, walkie talkie feature in Teams will be hugely valuable for retail businesses, and SMS sign-in helps address the challenge of the high-turnover storefront workforce who aren’t always given an email address to use to sign in with (this is a feature we’ve also seen Workplace by Facebook rollout).”

The use of off-shift access controls, similarly, gives IT admins the capacity to limit worker access to the app on personal devices outside of working hours. This would ensure employees are not working longer hours than they’re supposed to and helps employers comply with employment regulations.

While these features don’t have fixed release dates, Microsoft has penned broad estimates that range from later this quarter, to over the course of the first half of the year. All capabilities are expected to have been released by midway through 2020 or earlier.

Warner Bros turns to AI to greenlight movies


Bobby Hellard

9 Jan, 2020

Warner Bros will trial a machine-learning platform to help predict how movies will perform at the box office. 

The iconic film studio said it will use Cinelytic’s AI and cloud-based project management system to inform its decisions around talent valuations and release strategies.

Cinelytic is a Hollywood-based business that applies machine-learning models to licensed performance data from the box office, home rentals and even pirated downloads, which it cross-references with information about genres, seasonal release dates and even actors. 

The company claims it can predict the economic value of a film and potentially the total revenues it will have over its lifetime. The deal is only a trial at the moment and will only involve the international side of the studio. 

“Warner Bros is excited to employ Cinelytic’s cutting-edge system,” said Tonis Kiis, Senior VP for international pictures at Warner Bros. “In our industry, we make tough decisions every day that affect what – and how – we produce and deliver films to theatres around the world, and the more precise our data is, the better we will be able to engage our audiences.”

Cinelytic’s platform is a subscription-based interface that works like a questionnaire, similar to an online insurance form. Users can enter information about their projects, such as budget, who is in it, who is directing, and when and where it’s being released, and the machine learning algorithms match that against its dataset.

The company’s CEO Tobias Queisser spoke to IT Pro last year and used the movie Hellboy as an example. Before its release, Queisser’s team ran the film’s information through the platform and its estimated box office takings were $23.3 million – less than half of its $50 million budget. 

It earned $21.8 million and the reason appeared to be the timing of its release. The film came out in a comic book-heavy spring schedule between DC’s Shazam and Marvel’s Avengers: Endgame.

Mozilla fixes Firefox zero-day being actively exploited


Keumars Afifi-Sabet

9 Jan, 2020

Mozilla has patched a critical flaw in its Firefox browser that’s being actively exploited by criminals in targeted attacks.

The critical vulnerability, branded CVE-2019-17026, allows an attacker to seize control of an affected computer through a mechanism that leads to ‘type confusion’, according to an advisory released by Mozilla. 

The company confirmed that the critical flaw, which has now been patched, affects users running version 72.0.1 of Firefox and version 68.4.1 of Firefox ESR. The developer added that it’s “aware of targeted attacks in the wild abusing this flaw”. 

The severity of the flaw is such that the US Cyber Security and Infrastructure Agency has issued a separate warning urging Firefox users to apply the necessary updates.

The attack works by causing ‘type confusion’, which is a potentially critical error that can lead to data being read from or written to locations of memory normally out of bounds. When triggered, this can lead to an exploitable crash because of issues caused when the browser attempts to manipulate JavaScript objects.

It’s the second time within seven months that Firefox has sustained a critical zero-day vulnerability being actively exploited in the wild.

A previous flaw, discovered in June 2019, gave attackers the tools to execute arbitrary code on flawed machines and in some cases take over users’ devices remotely.

The latest emergency fix follows a round of 11 CVE-rated bug fixes Mozilla has issued, five of which were rated ‘high’ and four rated ‘medium’. Among these highly-rated issues were memory safety bugs in Firefox 72, another type confusion issue, and a memory corruption flaw.

The second major security scare within a matter of months is a blow to a developer trying to forge a fresh identity for Firefox as a privacy-centric web browser. Mozilla has teased and rolled out a suite of changes to how Firefox functions in the last year, including tools like a virtual private network (VPN).

In September last year, Mozilla also instigated a change in Firefox that would block known third-party tracking cookies and cryptocurrency mining by default as part of its Enhanced Tracking Protection (ETP).

Insight Partners snaps up Veeam for $5bn


Bobby Hellard

9 Jan, 2020

Data management firm Veeam has been acquired by software investors Insight Partners in a deal worth approximately $5 billion.

The change will see the Swiss firm become a US company, with an American leadership team taking the helm.

Veeam offers backup solutions for cloud data management. According to the latest IDC Software Tracker, it’s the number one market share leader in EMEA and number four in the world, behind Dell, Veritas and IBM.

The deal will be completed by the end of the first quarter of 2020 and will enable Veeam to expand its hybrid cloud platform.

“Veeam’s strong growth, coupled with high customer retention, unparalleled data management solutions and the opportunities to expand services into new markets, make it one of the most exciting software companies in the world today,” said Mike Triplett, Insight Partners managing director.

“We are committed to supporting Veeam’s next phase of leadership and growth in the United States, continued market-share leadership position in EMEA and continued global expansion,” Triplett said. 

As part of the deal, former chief of staff to the VP of the United States, Nick Ayers will join Insight Partners managing director Mike Triplett and Veeam CEO, William H. Largent on the board. Co-Founders Andrei Baronov and Ratmir Timashev will step down. Additionally, Insight Partners managing directors Ryan Hinkle and Ross Devor will each serve on the Board once the acquisition has been completed.

“With the acquisition, we are excited that our current US workforce of more than 1,200 will be expanded and strengthened to acquire and support more customers,” said Largent. “Veeam has one of the highest calibre global workforces of any technology company, and we believe this acquisition will allow us to scale our team and technology at an unrivalled pace.”