Sunday, 25 September 2022

Changes in the workplace

It seems that there was always an undercurrent of unhappiness among employees at so many companies. Those feelings of unhappiness were masked because people needed the money that they earned in order to pay their bills etc. Sometimes, it was more convenient to work for a company that was just down the road than move somewhere else that involved a longer commute etc. And some people just turned up at their day job because it helped fund their other life as a performing musician, or as a karate instructor, or whatever. And, mixed in with all these disaffected people were people who were quite happy in their work, and even people who really enjoyed it.

In early 2020, with lockdown and fear of catching Covid, many people started to re-evaluate their life and lifestyle. Many people asked themselves these questions: On a scale of 1 to 10, where 1 is very depressed and 10 is ecstatically happy, where am I? Let’s the suppose that the answer was a ‘7’, then they probably carried on as they were. If the answer was a ‘5’, they might then ask themselves what would have to be different for me to become a ‘6’. This is what led to so many people moving house and the Great Resignation (aka the Big Quit).

Beginning in early 2021, the Great Resignation is an ongoing economic trend in which employees have voluntarily resigned from their jobs en masse, Apart from job dissatisfaction, other suggested reasons given for so many people leaving the work force are wage stagnation with the cost of living rising, safety concerns of the Covid pandemic, and people wanting to work for companies with better remote-working policies.

In July, a McKinsey study found that 40% of workers globally plan to leave their jobs in the next three to six months. Looking at people who left their jobs between April 2020 and April 2022, the report found that 17% did not return to the workforce, 48% moved to a different industry, and 35% took a new job in the same industry. That means 65% of leavers moved out of the industry they were in previously. And that’s a lot of vacancies to fill.

The inaugural Tech Work Report from A.Team and MassChallenge found that 44% of tech founders and execs say that a significant number of their top performers have exited due to the Great Resignation. 67% agree that the traditional recruitment process is broken and needs an overhaul. 62% say it takes 4 months or more on average to hire top product and engineering talent. 80% say they’re willing to hire someone without a college degree for any role.

The report goes on to say that 73% of tech companies now have integrated teams of freelancers and full-time employees. 71% agree that bringing on freelancers or independent workers gives their business greater agility during times of economic uncertainty, and 70% say that remote work has made them more likely to bring on freelancers. 62% believe shifting to a more flexible work model during the pandemic has increased employee productivity, but 37% say they intend to work from the office more over the next year.

That’s great news for freelancers, who are increasingly attractive to tech founders and execs in times of economic uncertainty. 42% of respondents said freelancers or independent workers make up over one-quarter of their total workforce.

71% of tech founders and execs claim that economic uncertainty has made them more likely to bring on freelancers or independent workers. The same number also believes that doing so gives their business greater agility.

There are some people who really enjoy working at home (no commute, now worries about parking, etc) and there are those who really enjoy office work (getting out of the house, interacting with different people, etc). The report found that 62% of tech founders and execs surveyed think shifting to a more flexible work model during the pandemic has increased employee productivity. Only 13% disagree with that statement.

The figures do seem to indicate that there’s something fundamentally wrong with a lot of organizations that so many people are jumping ship as soon as they get the opportunity (or as soon as they find themselves with the financial stability to do so). It can’t be that all of them aren’t very good at their job or that they are workshy. It must be something about the working environment – the ethos of the company – that is not as good as it could be.

Flexible working is something people seem to value. The ability to leave the office for dental or doctor’s appointment, or to be present when your 8-year-old is playing in a concert at school, or it’s Sports Day. People seem to work harder when they are trusted to get a job done and not micro-managed.

Self-determination theory identifies three innate needs that, if satisfied, allow optimal function and growth for an individual. Satisfying these needs will keep employees happy and less likely to leave the company. The needs are:

  • Autonomy – when a person is autonomously motivated, their performance, wellness, and engagement is heightened rather than if a person is told what to do.
  •  Competence – giving people unexpected positive feedback on a task increases their intrinsic motivation to do it, because positive feedback fulfills a person's need for competence.
  • Relatedness – we’re social creatures who enjoy positive interactions with others.

If people aren’t getting these needs fulfilled at work, then they are likely to leave.

For mainframe-using sites, the question they have to answer is whether they are losing mainframe staff. If they are, it seems that freelancers and independent staff might be the answer. It might also be the right time to look at the company ethos and see whether the needs of the individuals who are employed are being met.

Sunday, 18 September 2022

The problem with shadow IT

Shadow IT has been a problem for many years. Simply put, it’s where users find applications that work for them, and they use those applications without informing the IT team. Why is that a problem? The answer is that IT has the experience and it’s an important part of IT’s job function to check the security of every IT device, database, and application. The attack surface available to hackers is big enough as it is without additional surfaces becoming available that are unknown to the IT team.

The problem in many organizations is the frequency that the IT team says the word ‘no’. The second problem is silos – people working in disconnected teams. And, sometimes, members of those non-IT teams don’t understand the importance of security and compliance, and go ahead with their own ideas. For them, the important thing is to get their work done quickly and easily. If the IT team won’t help them do that, or can’t seem to do it quickly enough, those workers will implement their own IT strategy – whatever that might be.

I can remember, many years ago, one member of staff had his email auto-forwarding to his Gmail account. That way, he decided, he could check his email in the evening and when he was out on the road. A simple solution – and before the days of Microsoft 365, and everyone working from home (or anywhere else). What he didn’t realize was that quite a few of his emails were company confidential and the security on his Gmail account wasn’t as good as his work security.

Nowadays, with so much of mainframe working being from the cloud, members of staff can use other cloud-based SaaS (Software-as-a-Service) applications on their laptops at home in order to produce the end results that they need. Again, the IT team has no idea what those non-standard applications are and what sort of security exposure comes with those convenient apps.

Other examples of shadow IT include teams within an organization buying and installing software that they think will make their working life easier. In addition, employees may decide to make unauthorized changes to their laptops, workstations, servers, or cloud instances. These endpoints are often targeted by hackers.

SaaS applications aren’t the only shadow IT issue faced by the IT team. There is also an issue with smart Internet of Things (IoT) devices. These might be Bluetooth speakers, coloured light bulbs, or even coffee makers, and these can all be connected to the corporate network. Why are they a problem? They’re a problem because they could be exposing information. Because the security on IoT devices is quite often very basic, it makes them a prime target for hackers to access, and from there, these bad actors can access the corporate network and everything on it. Hackers often corrupt backups to prevent recovery, encrypt vital data, and send ransom messages to every corporate screen and printer they can access.

These IoT devices may also be connected to the cloud. The issue facing IT security staff is whether the data sent over the Internet from IoT devices is encrypted or not. Obviously, if not, then it could be read by hackers, and the device could be controlled from the cloud. The hackers would be able to see, and use, single sign-on tokens, session tokens, and authentication tokens.

Another related issue that companies are starting to face is shadow data. As organizations start to migrate some applications and some data from their mainframes to the cloud, there are a number of lift-and-shift projects going on. In fact, some proof-of-concept test migrations may have taken place two or more years ago. Certainly, many will be happening nowadays. The issue that organizations face is that quite often there are zombie databases and zombie data sitting in the cloud. This is data that was originally migrated, tested, and left, while the main migration took place, and the new live database or files were installed and went active. Because everyone is busy, and because there was more work to be done, the final tidying up and deletion of these shadow (or zombie) databases never took place.

That test database won’t have the standard security policies associated with it, which makes it an easier target for hackers. And that database may well have personally identifiable data in it such as names, addresses, credit card numbers, etc.

What can IT teams do about it? Firstly, in the same way that all staff should be doing security training to recognize spam emails etc, they should also be educated in the importance of using only secure applications for their work.

Secondly, IT needs to break down the barriers between different silos within the organization. Different departments or teams need to feel that IT is there to help them. There is a very good reason why IT often has to say ‘no’ to people’s ideas. People need to recognize the implications of them using shadow IT and the risk to corporate security that goes with it.

Thirdly, IT needs to work with these departments to see how secure IT can be used to speed up or shorten workflows to make the end users’ lives easier. This is an important two-way conversation so that IT understands what employees need, and employees understand the security implications of what they do. Members of staff also need to get IoT devices checked by IT before they are installed.

Fourthly, IT should ensure security policies are being applied to all data in the cloud – making even forgotten about databases secure from hackers.

Fifthly, management needs to recognize the importance of IT and ensure there are enough personnel available for IT to support the other members of staff.

Lastly, if they haven’t already, IT should migrate the company to a zero-trust way of working.

Sunday, 11 September 2022

The threat of quantum computing

Plenty of organizations are working on quantum computers. IBM is, Google is, and so are many others. The reason is that quantum computing is fast – a whole quantum leap faster than today’s technology. And that would seem like a good thing – remember how slow laptops and modems were 20 years or so ago. However, the fact that they can do sums quickly means that they could be used to break the encryption on data. And that is a cause for concern.

Rather than using 0s and 1s, quantum computers work at the quantum level (hence their name!), ie at the atomic or subatomic level, and information can be encoded in more than one place. And that’s what makes them so fast.

Like everything, quantum computers can be used for good things and for bad. The worry is that large organizations and nation states will use the speed of a quantum computer to break the algorithms used to encode data and then be able to access the previously-encoded information. That could be more than just messages being exchanged, it could be blockchain technologies, including bitcoin. And that means they would have access to your bank details, your health records, everything about you!

Here's an example of how secure we think we are at the moment. It seems it took 300,000 people four years to break a 64-bit key in 2002. 128-bit key encryption would take them trillions of years to find a matching key. Currently the industry standard is 256-bit encryption. Lamont Wood, writing in Computerworld estimated that a quantum computer could exhaust the possibilities of a 128-bit AES key in about six months.

The issue, of course, is that currently, there isn’t a quantum computer with enough power to actually break that kind of encryption. But before you breath too big a sigh of relief, remember that progress is being made all the time. Some of the cleverest people are working on developing quantum computing. So, it really is only a matter of time. And, as Dirty Harry said, “You’ve got to ask yourself one question: ‘Do I feel lucky?’ Well do ya, punk?”. The question to ask is how long will it be before there is a quantum computer big enough and powerful enough to break the toughest encryption? Will you have retired and moved out of the business by then? Or will all your corporate information and your personal information be in the hands of hackers?

Adding to your worries is a report that Google and the KTH Royal Institute of Technology in Sweden have found “a more efficient way for quantum computers to perform the code-breaking calculations, reducing the resources they require by orders of magnitude”. It seems that a 20 million-qubit computer could now break a 2048-bit number in just 8 hours.

Let’s just take a look at the types of encryption that are currently in use. Symmetric encryption uses the same key to encrypt and decrypt the data. Asymmetric encryption (public key) uses two mathematically-linked keys. The one given to the public is used to encrypt the data. It can then be sent over a network. The second key is private and used to decode the message. Both are used over the Internet.

The Advanced Encryption Standard (AES) was published in 2001 by the National Institute of Standards and Technology. It's used for symmetric key encryption. In involves the encryption key being sent to the recipient first before they can decrypt any messages, which itself can be a risk.

RSA (named for inventors Ron Rivest, Adi Shamir, and Len Adleman) encryption is probably the most common public key encryption standard used. It's hard to break because the two keys are based on large numbers (primes) being multiplied together.

Elliptic curve (EC) algorithms can also be used. These are based on the maths used to describe curves.

AES, RSA, and EC could all potentially be hacked by quantum computers in the near future.

So, what can we do about protecting our mainframe data? The z16 supports the Crypto Express8S adapter, which is designed to deliver quantum-safe APIs, letting enterprises start developing quantum-safe cryptography along with classical cryptography and to modernize existing applications and build new applications.

IBM has added the four National Institute of Standards and Technology (NIST) algorithms that were chosen in August to create a post-quantum cryptography (PQC) standard built on encryption algorithms that can protect against future quantum processor-based attacks.

The NIST algorithms are designed for two of the main tasks for which public-key cryptography is typically used: public key encapsulation, which is used for public-key encryption and key establishment; and digital signatures, which are used for identity authentication and non-repudiation.

The algorithms used are: CRYSTALS-Kyber for the key encapsulation mechanism (KEM) for public-key encryption and key-establishment; CRYSTALS-Dilithium, which is the primary algorithm in the signature category; FALCON; and SPHINCS+. CRYSTALS-Kyber and CRYSTALS-Dilithium form the basis of its key encapsulation and digital signature capabilities.

It's good to know that mainframes are keeping data safe from quantum computing attacks by malicious third-parties for as long as possible. I just wonder how other platforms are getting on securing against a quantum-computing attack?