The Other Challenge is Security

by Willy Leichter
Director, Product & Solutions Marketing

Earlier this week, Michael Osterman wrote a provocative article for, arguing that “given that it is replacing largely local/on-premises capabilities that today offer reasonably snappy performance, cloud services will have to compete on performance as well as their other benefits.”

I agree with his position. With all the current noise around cloud services, there are fundamental challenges that need to be addressed before there is widespread adoption by enterprises. Performance is definitely one challenge, but I think for many organizations, security will be just as daunting.

The conventional cloud model derives incredible efficiencies and cost savings by abstracting and sharing resources—from storage and platforms to applications. One assumption is that multi-tenancy is a must, and a good thing. While this may bring the vendor’s costs down, it also leads to serious concerns that are preventing most security-conscious organizations from jumping into the cloud.

Let’s say I’m bound by HIPAA, PCI, or other compliance requirements—I need to know where my data is going, where it’s stored, and ensure that only the appropriate people have access. The security SLAs from many cloud providers essentially say, “trust us, we’ll be very careful…” But that simply doesn’t cut it when the regulators come calling.

This leads to the interesting concept of private clouds. Instead of focusing on multi-tenancy, private clouds ensure the segregation and integrity of customer-specific applications, while still providing many of the other benefits of cloud computing—off-loading network infrastructure, faster deployment, more elastic scaling, and lower up-front costs.

Fundamentally, I agree that the march toward cloud computing is inevitable, but it will need to move beyond a one-size-fits-all model before it makes a dent in the enterprise IT world.

Axway CEO Christophe Fabre Looks Back On Connections ’09 and Ahead to 2010

Insight from Axway CEO Christophe Fabre.

The Definition of Interactions is Going to Broaden

Joe Fisher, vice president of product and solution marketing, reviews Connections ’09.

Turn a Regulation Into a Competitive Advantage

Paul Fowler discusses how the right technology can transform compliance demands into opportunities to add value.

Moving Toward the Self-Service Model

Daryl Eicher and Connections ’09 attendees discuss the advantages of providing a self-service model to your customers.

The Prosumer Will Dictate Every Piece of Technology That Will Run in the Enterprise

Gartner’s L. Frank Kenney speaks with Melissa Dress.

Axway CEO Christophe Fabre Talks About Day 1 of Axway Connections ’09

A Different Kind of Immunization

by Ruby Raley
Director, Healthcare Solutions

Have you heard about ARRA and the HITECH Act?

A little background. The HITECH Act is a 400-page piece of legislation and part of the American Recovery and Reinvestment Act (ARRA), and its purpose is to provide grants, incentives and penalties to improve the healthcare infrastructure within doctors’ offices, hospitals, and state and federal agencies.

The government hopes to foster the adoption of e-medical records and e-health records (eMR and eHR) with this act, and they plan to pay doctors and hospitals a certain amount for the next three to five years to foster that adoption. Then, after that period, the government will impose penalties or reduced Medicare payments if doctors and hospitals don’t have the technology necessary to comply.

So what does this mean to doctors and hospitals?

Imagine a hospital with subcontractor doctors. All their anesthesiologists are in a group practice, and, in fact, a number of specialists are in group practices. The hospital also has doctors that work directly for them as employees and don’t work outside the hospital. It has relationships with labs and other satellite clinics. It has relationships with family providers all around town. It has relationships with certain payers, like insurance companies.

How is this hospital going to actually accommodate all of these providers who now get to decide which vendor they’re going to select for eMR and eHR? How is this hospital going to satisfy HIPAA privacy protection requirements? After all, the government enhanced the requirements for HIPAA privacy protection because they felt that if people didn’t believe that their data–their personal private data–was safe, they wouldn’t support doctors sharing it with others through an electronic system.

This sentiment is easy to understand. If you went to a doctor, gave your social security number, disclosed the fact that your family has a history of cancer, and then realized that that information was going to become public information, that that information could stop you from getting future medical coverage or that that information could be used to steal your identity, you would be outraged.

The government got this. They decided that they had to put more pressure on HIPAA, which ushered in new rules.

The new rules demand that data must be encrypted whenever it’s moving, and that data at rest must be encrypted or destroyed.

Which brings us to where we’re at today.

To accommodate these new rules, doctors and hospitals need the right tools to protect patient data, to safely move data from one vendor of eMR to another vendor of eHR, and to enable themselves to work with and submit data to any of the state-supported portals (i.e., Health Information Exchanges). Doctors and hospitals must solve interoperability, privacy, compliance, and protection problems, have their infrastructure assessed, and determine what they need to satisfy these new demands.

Anything short of that will, very soon, put doctors and hospitals at risk of the aforementioned imposed penalties or reduced Medicare payments, and what was once a non-issue for medical practitioners will become an extraordinarily critical issue. As an industry well acquainted with the importance of immunization, healthcare should understand that the sting of a data privacy vaccination is necessary to prevent serious harm in eHR exchange in the years ahead.


What Are Business Interactions?

Insight from Axway CTO Dave Bennett.

Non-Delivery Report Spam Should Be Non-Event Spam

by J. Kirk
Sr. Product Solutions Manager

A recent study shows that there has been a rise in spam attacks designed to look like non-delivery report (NDR) messages.

Let’s say you send an e-mail to a non-existent address. What happens? It bounces back and you get an e-mail that says the message isn’t deliverable. It’s a common event and we’ve all experienced it. And spammers know this. So sometimes, spammers will use your e-mail as the reply-to in their spam campaigns, and you’ll receive a bunch of non-delivery responses sent back from all the non-existent addresses the spammer sent e-mails to.

But in these new cases, something different is happening. It looks like spammers are using the non-delivery report messages as something to dupe the recipient, via spam, into clicking on the e-mail because the recipient thought they sent a message that wasn’t deliverable. This clever tactic has become one of the most widely used methods for beating much of the anti-spam technology on the market, and it’s revealing countless addresses as worthwhile targets for spammers.

One way to protect against NDR spam is by utilizing Bounce Address Tag Validation (BATV), an industry-based standard that helps you determine whether the bounce address specified in a returned e-mail message is valid (i.e., whether the bounced e-mail actually originated at the e-mail address mentioned inside it). It serves as the first line of defense—an absolute solution—against NDRs and backscatter.

Still, another way to ensure that this type of NDR-charading spam doesn’t bother you is by demanding DomainKeys Identified Mail (DKIM) in your e-mail security solution.

DKIM attaches address validation tags to outbound e-mails. By simply tagging outbound messages, you’re guaranteeing that you’re not going to run into this NDR problem, as any NDR e-mails you find in your inbox will have this tag. Quite simply, you can be absolutely certain they’re legitimate!

Plus, DKIM eliminates the uncertainty created by NDR spam. You can tell your users that all NDR reports should be taken seriously, that all NDR reports actually refer to genuinely non-existent addresses that they can delete from their database. Everyone’s trust in these valuable reports can be restored.

Finally, in addition to BATV and DKIM, it’s a good idea to make sure that your anti-spam capabilities feature a strong inbound IP-reputation solution, so that even if something is disguised as an NDR, it will be dropped before it hits the network anyway, based solely on its IP address.

By ensuring that these measures are in place, you can rest assured that you’ll be neither victimized by NDR spam nor uncertain about the legitimacy of the valuable NDR reports that do end up in your inbox.
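The bounce-address check that BATV performs can be sketched as follows. This is an added example, not code from the original post or from any Axway product. It assumes the `prvs=` tag layout (key digit, three-digit expiry day, six hex digits of HMAC-SHA1); the key, the seven-day lifetime, the lowercasing and the function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key table, indexed by the single-digit key number K.
KEYS = {0: b"constructed-demo-secret"}
LIFETIME_DAYS = 7  # assumed validity window for a tagged bounce address


def _mac(key_num, ddd, address):
    # First 24 bits (6 hex digits) of HMAC-SHA1 over K, DDD and the address.
    msg = f"{key_num}{ddd:03d}{address.lower()}".encode()
    return hmac.new(KEYS[key_num], msg, hashlib.sha1).hexdigest()[:6]


def sign_sender(address, today, key_num=0):
    """Tag an outbound envelope sender; `today` is days since 1970-01-01."""
    ddd = (today + LIFETIME_DAYS) % 1000
    local, domain = address.rsplit("@", 1)
    tag = f"{key_num}{ddd:03d}{_mac(key_num, ddd, address)}"
    return f"prvs={tag}={local}@{domain}"


def check_bounce_rcpt(rcpt, today):
    """Return the original address if the bounce recipient has a valid tag."""
    local, _, domain = rcpt.rpartition("@")
    if not local.lower().startswith("prvs="):
        return None  # untagged: we never sent mail with this envelope sender
    tag, sep, orig_local = local[5:].partition("=")
    digits = tag[:4]
    if not sep or len(tag) != 10 or not (digits.isascii() and digits.isdigit()):
        return None  # malformed tag
    key_num, ddd, mac = int(tag[0]), int(tag[1:4]), tag[4:].lower()
    if key_num not in KEYS:
        return None
    address = f"{orig_local}@{domain}"
    expected = _mac(key_num, ddd, address)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None  # forged or altered tag
    # The expiry day is stored modulo 1000, so compare modulo 1000 too.
    if (ddd - today) % 1000 > LIFETIME_DAYS:
        return None  # tag has expired
    return address
```

A receiving gateway would apply `check_bounce_rcpt` only to messages with an empty envelope sender (bounces), and reject those whose recipient fails the check.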
