Could a “platform company” disrupt your industry? Odds are it already has.

If your company is not a platform company, or actively in the process of becoming one, your livelihood is at risk. What do I mean by “platform company”?

A platform company is a company that creates value by facilitating exchanges and transactions between two or more interdependent groups, usually consumers and producers. Contrast that with a traditional company that operates on a linear model that creates value in the form of goods or services and then sells them to someone downstream in their supply chain.

Uber and Lyft are platform companies; Yellow Cab is not. The same contrast holds for Airbnb and VRBO versus Wyndham Hotel Group or Marriott International, and even for eBay versus Sotheby’s or Christie’s.

A platform company DOES NOT rely on inventory, manufactured goods, and products, etc.

Uber doesn’t own any cars, Airbnb doesn’t own any hotel rooms, and eBay doesn’t own any warehouses full of art and artifacts.

A platform company DOES rely on two paradigms of Digital Transformation: the transaction and the platform.

The transaction is the scalable and repeatable process that creates and consumes value between producers and consumers. The platform is what enables consumers and producers to find each other and what enforces the standards and rules for those same transactions. Platforms don’t cut out the middleman; they digitize the middleman and take a cut of every transaction. They enable consumers to communicate directly with providers, and that is what drives their value and their market share.

It doesn’t matter if you’re selling services, products, or content, or providing a platform to allow developers to build software, or hosting a Massively Multiplayer Online (MMO) game: once you realize what part(s) of your industry can be a platform, digital transformation becomes a matter of execution. Your company’s survival may not be assured, but it will certainly have a better chance than if it continues delivering on the linear business model.

When you’re ready to disrupt your industry and breathe new life into your business let us know. We can help.

From Cloud Reluctant to Cloud Secure

To say that cloud computing is hot is old news. A majority of organizations have either migrated or are considering migrating their core computational and storage workloads to the public cloud. Gartner predicted that the cloud market would grow by 17.5% in 2019 and exponentially over the following 3 years.

Some have yet to migrate or are thinking about migrating but are hesitant to make the decision. Their major concern lies in the fear of the “unknown” and a perception that the Cloud is generally not secure. Let’s address these concerns by discussing three key points in an order that will help shape your decision:

  1. Cloud Responsibility
  2. Cloud Breaches
  3. Cloud Adoption provides Resilience

Cloud Responsibility

Since AWS has been the leader in the industry, let’s take a moment to understand their Shared Model in regards to cloud security. The AWS Shared Model outlines the roles and responsibilities in a way that is easy to follow and implement. While AWS is responsible for “Security of the Cloud,” such as protecting the infrastructure, it is the customer’s job to make sure that “Security in the Cloud” is achieved by managing data, classifying assets, and applying appropriate rules and permissions for configurations of the application layer and the software-defined network topology. AWS’s infrastructure security measures simplify your life – removing the “undifferentiated heavy lifting” aspects of security, which is common for everyone and shouldn’t be part of your company’s “secret sauce.” This doesn’t, however, absolve you from your responsibility for thinking through, configuring, and implementing core security practices appropriate for your implementations.

Cloud Breaches

Let’s look at some of the high-profile cloud breaches that have occurred as of late. The recent Orvibo breach, where passwords and password reset information for home security systems were left out in the open, comes to mind. Because of the interoperability of the cloud, with one switch you can leave a great deal of your infrastructure open to the public. A 3rd party vendor working for Verizon committed a configuration blunder on an AWS S3 bucket, which exposed names, addresses, account details, and PINs of millions of US-based Verizon customers.

But was this really a cloud shortcoming? No, it was a result of a weak 3rd party program. Other cases at Target, Home Depot and Apple iCloud also received a lot of media scrutiny. However, most of these breaches were a result of human error and/or weakness in the process, not shortcomings in the cloud. For example, in the case of Target and Home Depot, hackers were only able to get ahold of personal information by bypassing the cloud infrastructure via third-party vendors. The data in the cloud was simply still too secure. In a nutshell, we need to understand that security issues outside the cloud (like with third-party vendors) are similar to those within the cloud and include well-known challenges like 3rd Party Risk, Data Governance, etc.

Cloud Adoption Provides Resilience

Cloud adoption is one of the most significant technological shifts that your organization will face, but there must be a reason why a majority of the most innovative companies are going down that path. They treat this choice not as an option, but a mandate. Minimum Viable Cloud (MVC) is a great starting point for your first production cloud as it treats the whole platform as a piece of software. Most of the big CSPs (Cloud Service Providers) provide this utility through automation programming.

Hence, the new mantra for quick and scalable adoption is “infrastructure is deployed as code”. It means to provision and manage IT infrastructure through the use of source code rather than through standard operating procedures and manual processes. What’s the benefit of that? Well, with the ever-improving toolset you are now able to manage configurations more quickly and deploy infrastructure components efficiently, consistently, and in a repeatable fashion. This approach helps architect, build, and operate large-scale systems that are resilient in nature, even while taking advantage of scalability, flexibility and increased agility.

Companies like Netflix have pioneered this approach; they release thousands of lines of code a day. Though you may not be ready for that pace, plan for change and for how to learn from errors and failure. The cloud helps facilitate this, but developing good processes to enable these methods is paramount. A dedicated cloud security program keeps these early implementations from descending into chaos.

An Effective Cloud Security Program

Instead of relying purely on conventional security methods, cloud security programs need to be developed so that they cater to (a) Business needs for cloud adoption, (b) Shared-responsibility models, and (c) Compliance requirements. A Cloud Security Operating Model can achieve this while demonstrating a way to optimize the organizational and current security processes for cloud adoption, and while helping them work together to secure the benefits of the cloud. These models typically include elements like:

A) Cloud Security Strategy

  • Why do we need a new Cloud Security Program?
  • What are the Key Goals?
  • Understanding Cloud Ecosystems & the Regulatory Landscape

B) Cloud Security Governance

  • Strategic Alignment
  • Key Stakeholders Identification
  • Resource Allocation
  • Metrics

C) Key Services and Processes

  • Cloud Risk Management
  • Cloud Controls Management
  • Data Governance
  • Training and Cloud Awareness

An Effective Cloud Security Program

Fears about cloud adoption arise from a lack of education and understanding in the user environment, not from the shortcomings in cloud services. Instead, cloud adoption can help you focus and direct your investments and resourcing efforts more on the application layer, which needs the proper knowledge and set up for the desired maximum level of security. With the Cloud providing more agility, elasticity, and reliability for your services, your security capabilities can now be more innovative and adaptable to change, giving you more resilience in the long-term. Feel free to contact us to learn more about how our cybersecurity experts can assist in easing your migration to the cloud by designing a comprehensive cloud security program.

Responding to COVID-19: A Client Success Story

Starting in January, companies around the world were faced with a mysterious disease that quickly morphed into the COVID-19 pandemic. This research report highlights some thoughtful, timely, creative, and well-executed steps that one of our healthcare clients has taken that we believe will be helpful in guiding your own ongoing response:

Customers

It goes without saying that your customers are the most vital part of your business. Here are some ideas about how they can be creatively engaged in these uncertain times:

– Communicate across new channels

– Collaborate with new partners

– Call and reach out

– Think outside the box when it comes to approaching and engaging new entities

– Go big when possible: Facing long waits for outsourced COVID-19 test results, our client leveraged existing capabilities to build and staff its own state-of-the-art lab capable of performing 10,000 tests a day

– Built and deployed a “Volunteer Portal” to help coordinate projects and organizations needing volunteers with individuals with the needed skills and availability.

– Made tools available that allowed for a COVID-19 “self-assessment”

– Implemented a chat feature to provide for and enhance e-visits.

Staff

The company’s staff were the front-line of response and adaptation, and innovation with them was critical.

– The organization helped socialize how many unplanned expenses there would be. It may be too late during a crisis, but preparing for such an eventuality is what Governance and Risk Management is about

– Proactive hiring: While putting new hiring on pause may be the first reaction, understand that this is also the time to find talent for that hard to fill post, or for the business opportunities that are going to arise after the worst is over

– Care for the current employees. Our client launched two new programs consisting of:

Technical

Securing your IT is now more critical than ever. Even without the rise in risks due to COVID-19-related hacking attempts, now is the time to ensure your system reliability and security. Here are some points to consider:

– Should you consider a Change Freeze? Stopping all non-critical development allows you to focus on mission-critical items and push out less important changes to a future date

  • Define what a Change Freeze implies
  • What is the approval/ denial process and ownership structure?
  • What is exempt?
  • Develop a new timeline

– Conversely, can resources that have been made idle due to change freezes, the shutdown of non-critical functions, etc. be tasked with addressing technical debt and refactoring activities that may be impractical while systems are running at or near capacity?

– Start monitoring types of attacks (phishing, malware, imposters, for example)

– If possible, obtain the business continuity plans of your vendor partners to find ways to work together and ensure the security and stability of your supply chain.

– Keep your environments stable: Are you prepared for the extra bandwidth and security required for staff working from home?

– Plan for quick lifting of the change freeze to prevent future business impacts

– Proactively test applications and infrastructure to ensure they can handle the surge that will be happening when businesses, members, clients, and others start coming back online.

– Review and modify applications and workflows to improve efficiency and delivery in the new “work from home” paradigm.

Your employees are also dealing with a new work-from-home paradigm. Some key considerations for the new work and employee-employer relationship:

  • Validate and vet the set of tools to be used, when to be used, how to be used; and anticipate the volume. Host training sessions around tools.
  • Clarify tools to be used and to be avoided.
  • Ensure that data in transit is protected and encrypted when necessary using encryption-in-transit tools (e.g. VPNs, SSL, HTTPS, etc.)
  • Don’t forget the impact to speed and connectivity issues for communications now that ISPs are being stretched due to additional traffic (should you consider easing timeout or retry restrictions?)
  • Put in changes to maintain the security and integrity of the network, all while ensuring the stability of the environment. For example, our client:
    • Added firewall blocking to block selected sites (AV, Games, etc)
    • Increased security classification policies to segment devices
    • Identified managed vs unmanaged devices to understand who is coming online remotely
    • Enabled GlobalProtect split tunneling for Office 365 network traffic, in order to offload traffic from corporate networks
    • Made network engineering upgrades that allow for Teams video to be carried separately on the network, while preserving bandwidth for critical business needs

– Increase capacity in various areas for the remote workforce:

  • Increase reserve capacity for critical applications and infrastructure
  • Enhance email infrastructure for secure file transfer in mail transport agents for capacity
  • Revisit and simplify access process and access for remote user onboarding requests
  • Closely monitor VPN utilization
