9 Hot Technologies That Can Blow Up In Your Face

Treat this list as a security blanket, not a wet blanket. You must aggressively explore emerging technologies such as virtualization, enterprise search, and smartphones. The following problems are no excuse to stick with the status quo. Just be prepared--then charge ahead.

Smartphones' Growing Risks

Nobody ever got fired for choosing BlackBerry.

It's a reassuring idea that rings hollow. You may not get fired for the "safe" smartphone choice, but one device can't cater to every professional's needs, so expect the complaints to multiply. Even if you play it safe, here are three smartphone gotchas, and tips on avoiding them:

1. Product cycles move at consumer electronics speed. "I've seen plenty of examples of companies getting halfway through a deployment, and then finding that the product is no longer available," says Bruce Friedman, CEO of Movero Technology, which provides mobile device management services. High-end mobile phones and smartphones come and go, so companies used to three- to-five-year tech refresh cycles find themselves constantly behind when it comes to testing, procuring, and deploying new devices. The answer is simple but not easy: Find ways to compress product approval and testing, such as making sure new applications and upgrades don't harm the phone, operating system, and network connectivity. Plan for a six- to 12-month product cycle--and hop on the treadmill.2. Application creep. The power of smartphones lies in their ability to run multiple applications, and certain employees will see that as an invitation to load their own. Ban unapproved apps all you want, but human nature says business users will snag them anyway. The better answer: a security protocol (such as Platform Security on the Symbian OS or Windows Mobile's Application Security) that assigns applications a "level of trust" and lets only preapproved ones access the operating system.

3. The taxicab factor. Smartphones are lost, stolen, and damaged even more than laptops. Plan to make real-time repairs, erase critical data, and replace devices. This is where a "managed mobility services" company such as Movero or Mformation can be worth the fees: If deploying significant numbers of devices, they almost always end up saving you money.

--Richard Martin

Virtualization Threats Ahead

If organizations keep expanding server virtualization without taking into account what makes virtual machines different from physical ones, they'll open new doors for intruders into the data center. We can't identify the precise nature of the threats, because they haven't yet materialized. But anyone who takes comfort in that fact hasn't been paying attention to information security the past couple of years.The hypervisor software from VMware and open source XenSource represents a new layer of privileged software in the data center, similar to operating systems, with full access to other software resources. But it hasn't been vetted with the years of testing and review that operating systems have. Gartner estimates that 60% of virtual machines will be less secure than their physical counterparts through 2009. And if there's a security hole, access to a virtualized server's hypervisor gives an intruder access to all virtual machines under the hypervisor.

Many organizations secure virtual servers the same way they do physical servers. Only a few specialized tools have emerged to monitor and protect VMware's ESX hypervisor, such as Reflex Security's VSA and Blue Lane Technologies' VirtualShield. Security tools for Xen are more rudimentary.

VMware notes that banks and the military use ESX Server, proof that it's a secure platform. But the operation of a hypervisor is different from that of an operating system on a physical server. It can be picked up and moved by VMware's VMotion tool and initiated on another physical server, leaving its former security environment behind, says Allwyn Sequeira, a senior VP at Blue Lane. "Before virtualization, firewalls, routers, and servers assumed a relatively static framework existed for security," Sequeira says. It's common for security policy to be focused on a given TCP/IP address. When VMotion moves the virtual machine to a new server and new TCP/IP address, the two sets of policies should remain in sync, but they often don't, he says.

It also can be difficult to track all virtual machines and keep them in view. One Blue Lane customer overlooked a virtual machine until it popped up on inspection as having been initiated about six months earlier. If an intruder stumbles across such a VM, it's higher risk because no administrator is tracking what it's doing, he says.System management vendors such as BMC, CA, and Hewlett-Packard are building in more capabilities for virtual machine management. But it's still too easy for one to slip out of sight.

--Charles BabcockSearch Reveals Too Much--Or Little

Enterprise search sounds perfect: Raise the productivity of employees by letting them find files and documents without endlessly digging through FTP sites and weird file names. That is, until people start finding things they shouldn't. Search can turn into a security and compliance nightmare.

Stouffer Egan, U.S. CEO of search vendor Autonomy, recounts how a defense contractor had "separate" networks for secret and top secret information, but employees on the secret network still could search and find things on the top secret network. Oops.

The standard must be that if you can't access something otherwise on the network, you shouldn't be able to find it as a search option. Wells Fargo is experimenting with blogs for execs to converse with customers and employees, and it even runs its own virtual world. Yet the company put limits on enterprise search, restricting employees' ability to search across data repositories, because of the complexity of authorizations. Wells Fargo spends about 80% of its application development and deployment time on security steps such as authorization and authentication.Even if classes of information and specific applications are password protected, that doesn't mean they're classified correctly. One company discovered its search system could get at sensitive payroll information in a rarely accessed part of its file system, says Forrester Research analyst Matt Brown. So-called "security by obscurity" is an accident waiting to happen.

A final risk is that employees abandon search tools if there's not enough material indexed to make them valuable or if search terms need to be too precise. An InformationWeek survey of 250 business tech pros finds that integrated search is implemented but little used in about one quarter of companies.

--J. Nicholas Hoover

Lost In NAC-ronyms

The latest red-hot security acronym--NAC--has different meanings to different vendors. Despite what they may tell you, no one delivers it all, and security can get crimped in the confusion.Stay with us on the jargon here. Network admission control is Cisco's baby, and it's all about controlling which devices connect to your network: Are they clean of viruses? Are security settings up to date? If not, quarantine. Network access control (or in Microsoft's parlance, network access protection) addresses what devices can do once they're on the network--checking the PC's or printer's profile against a directory server or access control server for privileges. No vendors offer both network access control and network admission control, and cooperation among vendors is just starting.

So saying that you're going to implement a complete network admission and access control system is like saying that you're getting a unicorn for your kid's next birthday party. This mythological IT creature isn't likely to come out of hiding until Cisco, Microsoft, the Trusted Computing Group, and, more recently, a workgroup of the Internet Engineering Task Force agree on standards to greatly simplify NAC implementation.

Help is on the way, for those willing to wait. Cisco, McAfee, Microsoft, and Symantec all are building end-point risk management into upcoming products, though they won't be ready for at least a year, says Forrester Research analyst Robert Whiteley.

NAC as a concept is the right one to embrace--using anti-malware, access control, and identity and configuration management tools in unison to head off rogue devices trying to connect to the network or take action inside it. But today that takes data from a series of servers, making it complex. Don't kid yourself into thinking that the idea of NAC is anywhere near a single product today.

--Larry GreenemeierNot So Unified YetUnified communications is a bit of a muddle, still taking shape as different technologies come together. It means putting the right communication tool where it's needed in a business process, whether embedding click-to-call in applications; combining voice, e-mail, and presence technologies; or letting employees switch discussions from an instant message to a videoconference. Yet you can't implement a unified communications system out of the box from a single vendor, so companies had better be ready for a lot of integration and on-the-job learning.

You might have an IP PBX from Nortel, unified messaging from IBM, LAN equipment from Cisco, and business apps from Oracle, and draw on all of them in a unified communications project. But there's not much experience integrating all those products for real-time communication. A Microsoft-Nortel alliance, for example, is just starting to turn out jointly developed unified communications products, and the full vision goes four years into the future. Meantime, Microsoft has stepped up its interoperability with other vendors' products, including those from Cisco, Avaya, and Siemens.

Companies must identify a business process that will benefit from unified communications; choosing the vendor comes second. "You can paint yourself into a box" by picking a vendor that can't meet your business need, says Don Van Doren, president of Vanguard Communications, which helps companies plan for unified communications. Companies also shouldn't assume they must completely convert to Internet Protocol to deploy unified communications. "For some applications and business problems, unified communications can work well with legacy systems," Van Doren says.

Ultrasonic Precisions, a supplier of industrial equipment, saw big productivity gains from integrating Web conferencing, videoconferencing, and Outlook e-mail and contacts into one system based on Microsoft software and Cisco gear, says CIO Steven Fishman. Still, the deployment required many trials and intense work with the vendors. And it took compromises: Fishman decided to steer clear of integrating any non-Microsoft applications, since they didn't function well with SharePoint, Exchange 2007, and Microsoft Dynamics GP10.

--Elena MalykhinaSOA = Clean Up Your Act

A service-oriented architecture is supposed to make your technology infrastructure more flexible and faster moving. But creating Web services without adequate governance can get out of control and actually bog things down.

For the first dozen Web services, you're probably OK doing things as you always have--minimum tracking of performance, helter-skelter changes by different developers to a Web service in production, and little use of automated monitoring tools, says Burton Group analyst Anne Thomas Manes. After that, however, "you should be thinking about proper governance of the entire life cycle," she says.

That means making sure a newly created service is summarized in a registry and stored in a repository. Change management should be applied through a central system, and different versions of a service either shouldn't be allowed or should be carefully documented. The service needs to be tested so that it meets the requirements of many other processes. If it's to be reused, it must work with many systems, not just those favored by its initial developers. How much it's being used, and in what circumstances, should be monitored and points of performance degradation spotted and addressed.

BearingPoint consultant Pete McEvoy reached a similar conclusion in his recent report on SOA in the financial services industry, "Seven Years Of SOA: So What?" An IT professional on the service-creation team "must behave like a product manager," writes McEvoy, because someone needs to assume responsibility if a service needs to be upgraded. "Few organizations have thought through these and other operations issues," he writes.The intent is to create a flexible architecture, optimized for application reuse, through loosely coupled, sharply defined services, says Ron Schmelzer, an analyst with ZapThink. "People think SOA and Web services are the same thing," he says. "Web services are just a change in the way you access things--SOA is a change in the way you do things."

--Charles BabcockBeware BI For The Masses

As business intelligence moves beyond the desks of analysts and financial specialists, beware "worst practices" in delivering BI to the masses.

If you let users generate reports from scratch using raw data, they can be misleading, with different teams coming to different conclusions. The initial report building is best left to specialists. But companies must offer a "curriculum" for those who want to learn more and dive deeper, says Jonathan Wu, senior principal with Hewlett-Packard's information management practice. Otherwise, "you're not fostering power users."

Business unit managers should spend time with BI analysts, in-house or contracted, to help in deciding which metrics and indicators to provide staffers. They also need to agree on data definitions and naming standards. Wu worked with a company doing a CRM-related reporting system where "customer" for the accounting team meant someone getting billed, while in marketing it also meant a potential customer.Those being equipped for BI will expect certain tools--like dashboards--so IT teams must document what's going into their project. "It's almost more important to tell people what they're not going to get," Wu says.

Most companies don't treat BI as a critical app in disaster recovery planning, even though workers rely on these tools for critical decision-making. Wu has seen server failures sideline BI apps for weeks.

IT teams also must be prepared for waves of requests to change the types of data and reports. Until employees start using a BI system, they won't know all the things they want to do with it. "If they're not asking, they're probably not using it," Wu says. And there's no bigger blowup than a pricey project sitting unused.

--Mary Hayes Weier and Chris Murphy

SaaS's ShortfallsSure, you can deploy software-as-a-service applications quickly. They can even save your company money and your IT organization headaches. But do they fit funny?

Limits to customization have been the rap against SaaS apps almost from the beginning. Unlike many on-premises apps, you can't modify the code.

On the other hand, a big advantage of SaaS apps is that vendors such as Salesforce.com add incremental functionality regularly that's immediately available to users, says Eric Berridge, co-founder of Bluewolf, a services firm that specializes in supporting SaaS. With on-premises software, new functionality often comes bundled in big releases that customers sometimes skip.

Because new functionality is added so frequently in SaaS offerings, customers must be nimble. That may mean having to adapt processes to fit new functions, putting the onus on users instead of the IT department. For managers, though, it means staying on top of changes and communicating them to users so they're willing and able to adapt, says Berridge.

Too much change isn't good. If new functionality means you need to modify your processes or the app itself more than 20%, you might be better off with in-house software, he says.Another drawback to SaaS: Business users, not techies, often sign the deals, and they can be clueless about what to look for in terms of security and privacy, particularly as security standards for SaaS are still emerging, says Forrester Research analyst Liz Herbert. No major security holes have been found in SaaS offerings, "but it is a paranoia," she says. Berridge says security problems with SaaS are more often a matter of how the software is accessed internally: "You don't necessarily want your New York sales reps to see sales data from reps in New Jersey." Unless rules are set, he says, "everyone can see everything."

Also, companies must keep regulations like HIPAA and Sarbanes-Oxley in mind when moving to SaaS. They need copies of their data on-site, Berridge says, in case regulatory problems arise. That means remembering to set up data replication schedules with their SaaS vendors.

For data integration, there are third-party packages (including Bluewolf's) that can ease connections between Saas software and on-premises software like SAP and Oracle. But when data exchange speed is of the essence, like financial trading, those links can become troublesome, says Berridge.

--Marianne Kolbasuk McGeeJavaScript Jitters

Web 2.0 speaks the dynamic language of JavaScript, allowing interactions between a Web application and an individual user through Ajax programming. But JavaScript and Ajax also are opening up rich new possibilities for Web site intruders.One year ago, the Yamanner worm briefly exploited a JavaScript vulnerability in Yahoo Mail to spread itself around the Internet, forwarding e-mail addresses from address books to spammers. MySpace, which lets users upload content using JavaScript, has had several instances where malicious code planted cross-site scripting in a MySpace account that transfers itself to visitors' computers. One planted the message "Sammy is my hero" on thousands of MySpace pages.

For assessing future risks, consider Jikto, a cross-site scripting engine that Billy Hoffman, lead researcher at security firm SPI Dynamics, demonstrated at the ShmoozCon hacker conference on March 24.

JavaScript has a built-in security model, called the "same origin," that lets it access content or perform operations on the site from which it originates, but not on other sites. Jikto can be used to sidestep this protection by sending Web site contents to a proxy site, such as Google Translate, which translates site content from one language to another. A malicious Jikto user can direct the contents of a site to be displayed on Google Translate, conduct a vulnerability scan there, and see the results. Jikto can use Google Translate or other proxy sites with otherwise useful functions to retrieve pages at site after site, scanning them for vulnerabilities and overcoming the JavaScript security model.

JavaScripts can be changed frequently or even directed to change themselves, so conventional virus scans usually can't detect them. The Yahoo Mail case involved a JavaScript function to upload pictures, but it could be used for malicious purposes because Yahoo's code didn't check that the file was actually a picture. Many such back doors are open across the Web.

Since publicizing the risks of Jikto, Hoffman has received e-mails from miscreants to the effect of "Hey, you're ruining our fun." Get ready. These people have a different idea of fun than you do.--Charles Babcock