Cisco unveils CCaaS tool

New cloud consumption tool aimed at midmarket customers


Cisco has unwrapped its new Cloud Consumption-as-a-Service (CCaaS) tool and made it available to its entire channel partner base either to resell or build into an existing managed service portfolio.

The CCaaS software tool, which is a follow-on to Cisco’s existing Cloud Consumption Assessment and Cloud Consumption Optimization models, aims to help solution providers and customers gain visibility into outside services used by an organization, Cisco said.

Most importantly to partners, the tool offers up an avenue for solution providers to serve as trusted advisors to many companies that don’t have an existing cloud strategy and/or don’t understand how to assess their cloud spend, according to Robert Dimicco, Cisco cloud consumption global leader.

“We’ve been working in this space for three-and-a-half to four years now [and] companies were telling us they needed to understand how much they were spending [on public cloud services] and other infrastructure-as-a-service capabilities,” Dimicco told Channelnomics. “They wanted to know how those services were being used in their organizations.”

At the same time, Cisco’s channel partners were signaling their interest to move beyond working with the customers on private cloud deployments, Dimicco said.

“We asked what services…to put in the [cloud services] portfolio to resell,” he said.

“There was absolutely a need for professional services here and an imperative for it to have as its foundation a software tool that looks at network traffic and the individual cloud services used. And, it had to be significantly valuable, above a basic traffic analysis tool.”

Cisco’s initial cloud consumption offerings were framed as professional services tailored to large enterprises, Dimicco added, pointing out that with the new tool, the vendor is scaling to the needs of mid-market and small businesses, delivered exclusively through the channel.

The networking vendor is positioning the CCaaS tool as a data-driven method to manage Shadow IT – or the unauthorized use of public clouds from within an organization. Cisco said its own data shows that the number of cloud services used by an organization is nearly 14 times the number customers themselves believe occurs, growing 112 percent last year and some 67 percent in the past six months.

Dimicco, who shepherded construction of the CCaaS tool, said the service helps customers not only to discover cloud services used across a customer’s organization, but also to monitor usage, mitigate risks, compare public cloud providers, lower costs and eliminate duplicated services. Further, the CCaaS software includes data security tools, cloud service anomaly analysis, trigger-based changes and cloud provider profiles, and it identifies redundant services, he said.

All Cisco partners are eligible to sell the CCaaS tool and no special certification is required, he added, but he suspects the most likely Cisco partners to engage with the CCaaS tool will be those who have been in the cloud space for a while and have account managers and engineers “comfortable in cloud discussions” and who can leverage a cloud consumption model with their customers.

“Some of our more traditional partners involved in network and datacenter infrastructure also are looking at this to extend their capabilities to public cloud advising,” Dimicco pointed out.

“Mid-size organizations and small enterprises want their partners involved, whereas larger companies want a mixture of partners and [internal staff]. The smaller organizations aren’t equipped to compare public cloud providers or to know the best practices. But partners can.”

Password Manager Proves Security Risk

Google has uncovered a major bug in a security software tool that could expose user passwords to hackers. It’s the second time in a matter of weeks that Google’s found problems with security software.

On this occasion the problem is with the antivirus package from Trend Micro, specifically a Password Manager feature. This allows users to store passwords securely with a master security code; at the touch of a button, users can then have the program automatically fill in passwords and logins on websites.

According to Google’s Tavis Ormandy, the feature is installed by default with Trend Micro’s antivirus software and starts automatically when Windows starts.

Tool Used Outdated Connection

Ormandy says the problem lies with the way the Password Manager interacts with the Chrome browser and its underlying system Chromium – specifically, the way that the sandbox feature works. The tool was originally set up to work with version 41 of Chromium when that version was available last year.

The latest edition of Chromium is version 49, which now utilizes Chrome’s sandbox features much differently than in the past. In short, the old version of Trend Micro’s Password Manager does not comply with security features of the new sandbox, which means that certain programming code of the Password Manager is able to overstep parts of the system memory and is thus susceptible to exploit.

As a simple analogy, the vulnerability acted like a hole in a wall, which then allowed hackers to remotely access the computer. Ormandy demonstrated the flaw by remotely forcing a computer to open the Windows calculator, but said it would have been just as simple to access the list of stored usernames and passwords in the Password Manager itself.

Trend Micro Patch a Must Install

Trend Micro quickly acknowledged the bug and thanked Google for its vigilance. It has now issued a patch for the vulnerability, which users should install immediately. Of course, keeping security software updated is good practice and helps to ensure that the system has the latest signature database of known threats.

Two weeks ago, Ormandy uncovered a serious problem with a Chrome browser extension created by another security firm, AVG. In that case, AVG had deliberately crafted the extension to bypass Google’s own security measures. The matter is so severe that Google may blacklist AVG entirely from Chrome.

What’s Your Opinion?

Do you use Trend Micro’s password manager software? Do you worry about security on such tools? Do you think it’s safer to use a password manager that’s a standalone product from a dedicated company rather than an add-on tool in an antivirus package?

22 Free Security Tools To Safeguard Your Enterprise

Enterprises have been battling security breaches for decades, but now the intrusions are multiplying at tremendous rates, putting enterprise digital information at great risk. Opportunist attackers seek to exploit vulnerabilities in enterprise security policies and systems to achieve their malevolent goals.

Experts believe most breaches can be prevented if enterprises make information security a high priority by installing and implementing powerful security tools. They must take protective measures to keep information from being stolen or damaged, including detecting when information has been damaged, identifying the cause of the damage, and recovering the lost or damaged information. Fortunately, there are a number of robust tools available to protect enterprises from substantial breaches.

Every IT environment needs a strong security strategy. That strategy can include tools for specific applications or situations, but fortunately they don’t have to cost a lot. The easily available and free tools discussed on the following pages can help diagnose and monitor threats, prevent intrusions, secure passwords, ensure security compliance, and much more. Additionally, when enterprise cloud computing and BYOD policies open the door to security threats, these tools protect against breaches and exploitation, allowing businesses to reap the full advantages of cloud computing without risking the security of the enterprise.

There’s no need for your business to be at risk. Check out the free security tools described here — in domains spanning cloud, network, data, wireless LAN, identity and access management, and endpoint security — to strengthen and supplement your enterprise security.

Will FFIEC Revamp Cyber Assessment Tool?

Agency Solicits Comments; Critics Urge Changes

In response to banking institutions’ requests for clarification of the Cybersecurity Assessment Tool, the Federal Financial Institutions Examination Council is taking a preliminary step that could lead to refinements.

The FFIEC recently reopened its comment period for the tool, which was issued in July. It’s accepting comments through Jan. 15, according to a notice in the Federal Register from the Office of the Comptroller of the Currency, the lead agency for the FFIEC.

The OCC has not yet confirmed whether new comments could lead to refinement of the tool. But critics of the tool claim it doesn’t meet banking institutions’ cybersecurity needs and are hopeful it will be refined soon.

“As an industry, what we want is a version 2.0 of the assessment tool,” says Jeremy Dalpiaz, assistant vice president of cybersecurity and data security policy for the Independent Community Bankers of America.

“From the ICBA’s standpoint, we all agree that cybersecurity is a focus for all financial institutions. But I think the tool needs improvement,” he says. “One thing our bankers have asked for is that when they account for risk, there is no way, using the tool, to account for mitigating controls. You get to a binary ‘yes’ or ‘no’, and we think this is short-changing the compensating controls that institutions have already put in place.”

In September, the Financial Services Sector Coordinating Council, whose members include large and midsize U.S. banking institutions, stock exchanges and card networks, as well as banking associations, including the ICBA, sent a letter to the FFIEC requesting that it re-evaluate its tool. Dalpiaz believes that letter was the catalyst for FFIEC’s new window for comments.

The FSSCC wants the FFIEC to clarify how it uses the tool during IT examinations. Although the FFIEC originally marketed the tool as a voluntary cyber-risk assessment aid, banking institutions report that regulatory examiners are using the tool as part of their IT examination process, Dalpiaz says.

“If they are using it in an exam, then it’s a de facto regulation,” Dalpiaz says. “As a result, we’ve now seen a few states that have come out and said the tool is mandatory. So we want the FFIEC to clarify all of this. And we want to see version 2.0 sooner rather than later.”

New York, Texas, Massachusetts and Maine have either specifically mandated use of the Cybersecurity Assessment Tool for compliance with state regulatory guidance or have said that a mandate is on the way, Dalpiaz says.

Beth Dugan, the OCC’s deputy comptroller for operational risk, tells Information Security Media Group that the tool is currently being used as part of the examination process, but only as a means of evaluating its efficacy.

“The OCC has started to use the tool as part of our examinations of our national banks and federal savings associations,” Dugan notes. “The OCC will leverage the results of examinations using the assessment tool to better measure the risk and assess the preparedness of individual institutions, categories of institutions and the national banking system overall. By analyzing the data gathered during examinations, we will improve our identification of broader trends in cybersecurity preparedness and common control gaps. This information will be used to inform the OCC’s supervisory strategies and any future supervisory guidance on cybersecurity.”

Cyber Assessment Revisions Expected

Dalpiaz says the FFIEC has been receptive to industry concerns. In the fall, the FFIEC met with representatives from the FSSCC and member institutions to review concerns noted in the Sept. 21 letter. He says he expects a similar meeting to occur after the Jan. 15 window for additional comments closes.

“We want to work with the FFIEC to continue refining this tool to make it more useful for everyone involved,” Dalpiaz says.

In its letter, the FSSCC asks that the FFIEC:

  • Clarify and preserve the voluntary nature of the assessment tool;
  • Refrain from using the current version of the tool as part of any formal examination processes;
  • Collaborate with banking associations and institutions for the next 12 to 18 months to develop version 2.0 of the tool, using a process similar to the approach used to develop the National Institute of Standards and Technology Cybersecurity Framework;
  • Ensure that version 2.0 more closely aligns with recommendations noted in the NIST Cybersecurity Framework;
  • Ensure that the tool has more objective measures for its assessment of cybersecurity maturity; and
  • Outline ways the tool can enable effective boardroom engagement.

Mike Wyffels, chief technology officer of QCR Holdings, a $2 billion company that owns four banking institutions, says the tool feels more like a “checkbox” exercise than an interactive assessment tool. And, like Dalpiaz, he says the tool includes too many black-and-white questions that leave no room for alternative responses.

“Some questions are difficult to answer because you may do some things for a particular question but not others,” Wyffels says. “You have to weigh your response to either a ‘yes’ or a ‘no.’ Those types of questions require more follow-up and explanation for internal and external audiences to understand the scope with which you do or don’t do certain things.”

Instead, Wyffels suggests the tool should focus on an institution’s cybersecurity maturity and provide guidance about cybersecurity controls that could be implemented based on the institution’s overall risk posture. “It would be very interesting to be able to compare an FI’s [financial institution’s] results to an aggregate benchmark of FIs of similar size and services, to determine gaps that could be evaluated as well,” he says.

Conflicts with NIST Framework

Some banking leaders are concerned that certain recommendations in the tool conflict with the National Institute of Standards and Technology’s cybersecurity framework, which was released in February 2014.

“The NIST cybersecurity framework came out about a year and a half ago, and CISOs had to explain to their boards how it was to be used and what it meant,” Dalpiaz says. “Now we have this Cybersecurity Assessment Tool from the FFIEC, and while it is mapped to NIST, it is not based on NIST, and this has to be explained to the board.”

In December, Chris Feeney, president of BITS, the technology policy division of the Financial Services Roundtable, highlighted concerns about the Cybersecurity Assessment Tool’s perceived conflicts with the NIST framework.

In a recent interview, Gartner analyst Avivah Litan expressed similar concerns, noting that the tool acts more like a list of requirements than an interactive feature that could help institutions truly assess their current cyber-risk posture.

“In principle, it all started out very well and good,” Litan says. “But we have been getting lots of calls from our clients about how the process itself doesn’t seem to live up to the spirit of the guidance and the regulation. … What we are witnessing is phase one of this new tool, and hopefully phase two will allow more judgment, more context, and will be accompanied with outgoing and proactive education. There should be working groups and conferences, and I’m not seeing any of that yet.”

In the meantime, Dalpiaz says banking institutions, with the help of the Financial Services Information Sharing and Analysis Center and the FSSCC, have developed their own tool to help assess cybersecurity maturity. The tool, a downloadable file available on the FSSCC website, was designed to help fill the gaps left by the FFIEC’s tool, he adds.

Mobile Developers Follow Mandated Security Protocols

Fifty-seven percent of mobile developers worldwide follow government-mandated security protocols, an Evans Data survey said.

While software development and security do not always go hand in hand, mobile developers tend to follow security protocols as a necessity, a recent study finds.

Security has long been a top issue for mobile development, but an Evans Data survey of mobile developers worldwide shows that 56.7 percent are following security protocols mandated by their governments.

This is especially true in North America, where 67 percent use protocols that the federal government has specified for authentication and digital signatures. Use in Asia was only slightly less while only a third in Europe, the Middle East and Africa (the EMEA region) follow government guidelines.

The most common potential security issues that developers have encountered in the last year are authentication without using HTTPS, and weak server side controls—both cited by 43 percent of the developers polled. In the United States, the Office of Management and Budget (OMB) guidelines advocate use of HTTPS for authentication, but those guidelines do not necessarily apply to non-government sites. For enterprise developers, data leakage and network-level security issues compete with data tampering in transit as issues.

“Security is critical today in all forms of software development, but there are more vulnerabilities when it comes to mobile,” Janel Garvin, Evans Data CEO, said in a statement. “Encryption during transport over the network is one of the issues peculiar to mobility that is particularly of concern to developers, but so is encryption for data at rest on the device. As mobile devices become the de facto standard for the client, these issues have become more pressing.”

The Evans Data survey focuses on a wide range of topics related to mobile development, including the use of APIs; monetization; development for Android, iOS and Windows Phone; carriers; mobility in the corporate enterprise; design practices; wearables; and the Internet of things and cloud in mobile development. The study was conducted worldwide with professional software developers active in development for mobile devices and provides a margin of error of 4 percent.

An Evans Data survey from November showed that the quality, expense and risk of discontinuation are major factors in developers’ adoption of various cloud offerings. Thirty-eight percent said the “risk of using subscription tools or PaaS [platform as a service] that becomes discontinued” is the biggest barrier to using a particular vendor’s cloud tools and PaaS offerings for development.

In a related issue, 48 percent of the cloud developers said that development tools are the top expense of cloud offerings once money and ramp-up time are both considered. In addition, respondents said that “quality of tools” is the one thing that should be most improved in vendors’ PaaS offerings.

“For the developer, the tools that he has access to for work in the cloud are of paramount importance,” Garvin said in a statement. “Providing high-quality tools and SDKs are a crucial part of a PaaS, but all the offerings have to be of good quality and vendors need to provide some kind of guarantee that the work involved in ramping up to use a new tool won’t be lost later by the vendor discontinuing that tool and pulling it off their PaaS.”