Posts Tagged ‘security’

Business Lesson: Choose Your Partners Wisely

Tuesday, June 29th, 2010

Photo courtesy of DRB62 on Flickr

My wife & I began subscribing to the MetroWest Daily News back in 2002. At the time they published in the afternoons, so it was the paper I read when I’d get home from work in the evening. When we moved from Framingham to Westborough back in 2008, we opted to keep subscribing to the MetroWest even though it’s a Framingham-centric paper and there are probably better candidates for local news. As everyone knows, I’m a craft beer geek and always look forward to Norman Miller’s Beer Nut columns on Wednesdays. If you’re reading this and wondering why we subscribe to a physical newspaper in the Internet age, well, I’m not going to convince you why it’s worth it. Suffice it to say we like the routine of knowing there’s morning news in our driveway, and we also enjoy supporting quality reporting by paying that subscription fee. Of course, the subscription fee also funds the delivery of the paper. Which leads me to my story…

We enjoyed reliable delivery service for most of the 8 years we subscribed. Then, a couple months ago, our regular delivery person was replaced. It’s still unclear to me whether it was just a new person from the existing delivery service or an entirely new delivery service. Apparently the MetroWest Daily News farms the delivery part out to a 3rd party, which I’m sure is much cheaper for them in the long run.  We knew the carrier had changed on that first morning when our newspaper wasn’t there (we later discovered it in our neighbor’s driveway). The next day we didn’t get any paper at all and it wasn’t in our neighbor’s driveway either. In the days that followed we had some days where we got the paper, some where we got the wrong paper, and some with no paper at all. I grew accustomed to calling the MetroWest’s Circulation Dept to report the problem. Within a couple of weeks I had their phone menu options memorized because I had dialed in so frequently (side note- why does one option say “to have your paper REdelivered, press..”? How can a paper be redelivered if it wasn’t delivered in the first place??). It was not going well.

After several days of issues a MetroWest manager called the house to apologize. He gave us his direct dial line to call if we had further issues, and he even called on some days to check and make sure we got the paper. This was the GOOD side of dealing with the problem. Unfortunately there was a BAD side too. The delivery service itself called our house a couple of times. They were rude, abrupt, and apparently suspicious of our motives. On one call they implied that we were inventing the issues (did I miss the announcement that one can use accumulated newspaper credits toward their kids’ college savings plans?). On another day when the service had already “redelivered” the paper because they’d missed the morning delivery, a 2nd driver showed up to give us a 2nd copy. When I politely explained that we’d already gotten the paper, the driver commanded in an annoyed voice “just keep it because I don’t want to have to come back out here.”

I’m guessing we had at least ten days of newspaper delivery issues over the course of 6-8 weeks. We’re not high-maintenance people, but our patience was wearing thin. Eventually we decided “1 more strike and they’re out”. That final strike happened last week when I went outside and found no MetroWest Daily News. I was tired of calling their circulation desk at least once a week, and I didn’t understand why our service went from excellent to miserable so quickly. I made the final call to the subscription desk to cancel. When the woman I spoke with politely asked why, I made things very clear: “I love your newspaper, your staff has been great to deal with, but your delivery service has been awful lately.” She immediately saw my list of calls and was very sympathetic. A manager is supposed to call us at some point, no doubt to regain our business. At this point I don’t see that happening.

Here’s what I learned from this whole saga:

  1. Don’t take excellent service for granted. We always sent tips to our old carrier, but I would have sent more had I realized how much aggravation his reliability saved me.
  2. If you outsource any aspect of your business to partners, choose wisely. Partners share as much responsibility for representing your business as your employees do. Chances are your clients/customers won’t make the distinction between a full-time employee and a partner when something goes wrong. More often than not, your business will pay for your partners’ mistakes. If you don’t believe me, just ask the MetroWest Daily News.
  3. If you or your company resells or performs a service on behalf of another entity, you should strive to represent them in the best possible light. This will help to differentiate you from other partners. If you end up making a poor impression, you risk costing them money. Go the extra mile and you’ll be recognized and appreciated.

At CoreBlox we’ve been fortunate to be part of some productive strategic partnerships. I think a big part of that success comes from taking the lessons we learn as individual consumers and applying them to our business. This experience with my local newspaper has reminded me that when it comes to partnerships, there’s no substitute for reliability and professionalism.

– Newspaper photo courtesy of DRB62 on Flickr

– Handshake photo courtesy of aroberts on Flickr

RSA Conference 2010 (a.k.a. Information Security Heaven)

Tuesday, February 9th, 2010

If you’re in the market for a security conference over the next couple of months, look no further than the big one that’s happening in San Francisco! On March 1-5 the granddaddy of all enterprise security conferences will be taking place at the Moscone Center when RSA Conference comes to town. Todd & I had the chance to visit the Moscone Center a few years back for salesforce.com’s DreamForce event, and it was a gorgeous venue. The speaker list for this year’s event looks impressive:

– Scott Charney, Corporate Vice President for Trustworthy Computing, Microsoft Corp.

– Art Coviello, Executive Vice President of EMC Corp. and President of RSA, The Security Division of EMC

– Enrique Salem, President and CEO, Symantec Corp.

– Dave Hansen, Corporate Senior Vice President and General Manager, Security Business Unit, CA Inc.

– Al Zollar, General Manager, IBM Tivoli Software

– David DeWalt, President and CEO, McAfee Inc.

– Phil Dunkelberger, President and CEO, PGP Corp.

– Philippe Courtot, Chairman and CEO, Qualys Inc.

– Herbert (Hugh) Thompson, Ph.D., Chief Security Strategist, People Security and Program Committee Chair, RSA Conference 2010

– James Bidzos, Executive Chairman, VeriSign Inc.

How’s that for a list of heavy hitters? :-)

The CoreBlox team is excited to follow the conference and hear what the future holds for some of the key technologies we service such as SiteMinder, Radiant Logic VDS, and CA Identity Manager. These gatherings are a great way to break free of the day-to-day and engage with your peers in a social setting. For more information, check out the RSA Conference 2010 registration form.

Photo courtesy of adactio on Flickr.

Enterprise Microblogging Security

Tuesday, October 14th, 2008

Last week I read an article that was co-written by one of the most knowledgeable social media experts I follow on Twitter, Aaron Strout of Mzinga, and Joe Cascio of JoeCascio.net. The article is titled “Is the Enterprise Ready for Microblogging Tools Like Twitter?” It was full of useful information that any organization would want to consider before using a tool like Yammer or Present.ly, but the pieces that caught my eye were listed under the Key Considerations section:

“Single Sign-On (SSO): A growing problem in the social media world right now is identity proliferation. With some notable exceptions that accept OpenID, most sites still require you to create yet another account in their system (or identity domain). In most enterprises, a fair amount of effort has already been expended on establishing single sign-on through the intranets’ LDAP registry. It would be highly desirable to leverage this capability to enroll employees in the microblogging system. So, an enterprise microblogging solution must have flexibility in adapting to existing ID and sign-on registries.”

Then further down:

“Security: This will probably be of paramount concern at least initially in most businesses. Most corporations are very aware of keeping internal communications safe from prying outside eyes. An enterprise microblogging solution must provide for fine-grained authorization and trustworthy security of communications. Management, through the IT department will want to be able to restrict who can see certain posts.”

Some would say that the beauty of Twitter is its lack of walls. Granted you can globally secure your updates so that only those you approve may see them or leverage the DM feature to send private messages, but for the most part communication is done in the clear for all the Twitter community to see. But when discussions turn to private topics like corporate strategy and departmental policies, the need for enterprise microblogging to be secure becomes paramount. In other words, you don’t want that jab about a competitor’s product to become public because the person who made it was foolish enough to set their password = “password”.

So how secure are these new microblogging tools? A quick check of Yammer’s API Documentation shows the following:

“Authentication is done using HTTP Basic Authentication. The username is the full email address of the user, and the password is the same used to authenticate to the yammer.com web interface.”

It’s the same with Present.ly’s API Documentation:

“Just as with the Twitter API, the Present.ly API can be accessed via HTTP Basic authentication. The primary difference is that there is no data accessible without authentication in the Present.ly API, since the data is all private.”

For those who aren’t familiar with Basic Authentication, Wikipedia points out its main weakness:

“Although the scheme is easily implemented, it relies on the assumption that the connection between the client and server computers is secure and can be trusted. Specifically, the credentials are passed as plaintext and could be intercepted easily. The scheme also provides no protection for the information passed back from the server.”
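The weakness in that quote, shown as an added example (not code from Yammer, Present.ly or the original post): a Basic `Authorization` header is only Base64-encoded, so anything that sees the request recovers the password, and a simple audit can flag requests that carry it without TLS. The host name, account and password below are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit


def decode_basic(header_value):
    """Recover (username, password) from an Authorization header value, or None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = raw.partition(":")  # user-id may not contain ':'
    return (user, password) if sep else None


def audit_requests(requests):
    """Return a finding for each request carrying Basic credentials without TLS."""
    findings = []
    for url, headers in requests:
        auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
        creds = decode_basic(auth) if auth else None
        if creds and urlsplit(url).scheme.lower() != "https":
            # Report the account only; never copy the password into findings.
            findings.append({"url": url, "user": creds[0],
                             "reason": "Basic credentials sent without TLS"})
    return findings


# Constructed sample data: hypothetical host, account and password.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"alice@example.com:s3cret-pass").decode()
SAMPLE_REQUESTS = [
    ("http://api.microblog.example/messages.xml", {"Authorization": SAMPLE_HEADER}),
    ("https://api.microblog.example/messages.xml", {"authorization": SAMPLE_HEADER}),
    ("http://api.microblog.example/status", {}),
]

if __name__ == "__main__":
    print(decode_basic(SAMPLE_HEADER))
    for finding in audit_requests(SAMPLE_REQUESTS):
        print(finding)
```

TLS protects the header only in transit; the API still receives the same password the user types into the web interface, which is the exposure an SSO integration is meant to remove.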

This entry is not intended to knock Yammer or Present.ly for their API security protocols. I’m sure when their founders set out to deliver their solutions, security was barely a blip on their radars. But this is a security hole that Yammer & Present.ly’s customers will need to address if they want to provide secure microblogging environments for their employees.

If you’re part of an organization that needs help implementing SSO to a microblogging solution, or if you have any other security needs related to microblogging, we’d love to hear from you! CoreBlox has broad experience creating quick and effective solutions to these types of issues, and chances are we could help you figure this out. Drop us a line at info@coreblox.com, or feel free to contact me directly on Twitter.

For those folks who work in the Identity & Access Management space or just have a general interest in this area- what are your thoughts on the security challenges that these microblogging solutions pose? Anything you see that makes their situations unique relative to other applications that are covered by enterprise security?