Cisco warns UC users of limited support for Windows 7

Cisco (NASDAQ: CSCO) is warning customers of its unified communications products that support for Windows 7 won't be forthcoming until the product's 8.0 release scheduled for the first quarter of 2010. About a dozen more UC products will not support Windows 7 until version 8.5, in the third quarter of 2010 and at that time, only the 32-bit version of Windows 7 will be supported. Only three Cisco UC products among a list of about 50 published by Cisco Subnet blogger Brad Reese specifically promised 64-bit support, and this only through the use of a 32-bit emulator. These products are the Cisco UC Integration for Microsoft Office Communicator, Cisco IP Communicator and Cisco Unified Personal Communicator. One CCIE, who asked not to be identified, is frustrated with the delay. The Communicator products are the client-side multimedia applications used with Cisco Unified Communications. He tells Network World that Cisco became a Windows supplier when it developed desktop UC applications such as the Unified Attendant Console, one of the applications that is not yet slated to support 64-bit Windows 7. The spotty roadmap for 64-bit support makes it difficult to see Cisco's UC as a good fit for companies wanting to upgrade to Windows 7, he says.

However another expressed frustration. One reader posted a comment on Reese's blog that said it is possible to run UC products on Windows 7 right now. This anonymous reader wrote, "I realize many of the Cisco UC products will probably work on Win 7 32-bit. Microsoft 64-bit OS has been available since Win XP although 64-bit processors have only been available for the masses for a few years. I'm concerned about the Cisco UC applications working on Win 7 64-bit. However, most desktop and notebook computers purchased in the last 2-3 years included 64-bit processors.

They provide many applications for the standard desktop computer. Cisco is now a desktop software application vendor. They have a responsibility to support the most current corporate desktop OS!" Microsoft released Windows 7 to manufacturing on July 22, 2009. At that point developers of Windows applications had access to the final code included in Windows 7. It was released to the general public on October 22. According to Microsoft's Windows 7 Compatibility Center, four Cisco desktop Windows applications have been certified as compatible with Windows 7. These are the Cisco VPN client version 5, the Cisco EAP-FAST Module, the Cisco LEAP Module and the Cisco PEAP Module. The Cisco AnyConnect 2.4 SSL VPN client actually does support both 32-bit and 64-bit versions of Windows 7. The Cisco VPN client 5.0.6 supports only the 32-bit version, according to Microsoft's compatibility information. These modules are methods to securely transmit authentication credentials and are used with a VPN. Cisco Subnet blogger Jamey Heary asserts that Cisco is the first major VPN vendor to support Windows 7 (as well as Mac OS X 10.6 clients). Cisco's VPN support for Windows 7 covers both its IPsec client and SSL VPN client software.


DC player Jim Payne joins Telcordia

Veteran federal government marketer Jim Payne is joining Telcordia Technologies in a bid to raise the visibility and win contracts for this New Jersey-based network research shop. Payne is credited with building up Qwest's government services division earlier this decade, winning key contracts with the Department of Energy and the Department of Defense. Payne is well-known around the Beltway, having led Sprint's successful FTS 2000 and FTS 2001 efforts in the 1990s to provide telecom services to federal agencies.

In 2005, Payne joined Bechtel, where he led the construction company's federal network division until now. Originally named Bellcore, Telcordia provided research and standards support to the seven Regional Bell Operating Companies. Payne faces a steep challenge in raising the profile of Telcordia, a 25-year-old research and development company that was founded when AT&T was split up. The company's name was changed to Telcordia after it was purchased by federal contractor SAIC in 1997. SAIC sold the company to two private equity firms - Providence Equity Partners and Warburg Pincus - in 2004. Telcordia created many aspects of today's telecommunications system - including toll-free calling, Caller ID and e-mail attachments - but the firm hasn't been able to leverage these innovations to become a household name. "Only the most sophisticated communications engineers and network engineers really have a good understanding of what Telcordia has to offer," says Ray Bjorklund, senior vice president with FedSources, a McLean, Va. market research firm. "Taking that in-depth talent that Telcordia has and putting it in a less Ivory Tower world – that would be a play for them in the federal market." Payne plans to tout Telcordia's expertise in network architecture, standards and cybersecurity to federal agencies. "There needs to be an independent broker in the [federal market] that's not trying to sell a box, that's not trying to sell a circuit, that says this is the network design you should migrate to," Payne says. "The federal government must have a central vision across the DOD and the intelligence space." Payne intends to pursue contracts with the Department of Homeland Security, the Defense Department and the intelligence community. He'll work from Telcordia's office in Arlington, Va. "We have a very good base of business here," Payne says.
"We need to expand tremendously our visibility…and proximity is everything." Bjorklund says Telcordia's key competitors in the federal market will be MITRE. "Now that there is legislation that directs the government to be far more cautious about allowing companies to skirt organizational conflicts of interest issues in defining a system and building it, a lot of large systems integrators are a little concerned that they've got exposure in these areas," Bjorklund says. "Telcordia, who is not a systems integrator, might gain some more wins out of this if they can figure out how to market themselves as really smart people who can solve complex problems." He's interested in providing strategic network engineering services to the Defense Information Systems Agency and the new U.S. Cyber Command. "It's time for Telcordia to raise its awareness," Payne says. "People don't realize…that there's this separate, independent organization that does the standards and the software that makes the U.S. telecommunications system work." Payne's official title is Senior Vice President/General Manager for National Security and Cyber Infrastructure in Telcordia's Advanced Technology Solutions arm.

Wipro, other Indian outsourcers expand in the US

Wipro, India's third largest outsourcer, is expanding its development center in Atlanta from 350 to 1,000 staff, reflecting a growing trend for Indian outsourcers to expand and hire locally in the U.S. market. India's largest outsourcer Tata Consultancy Services (TCS) said earlier this month that it was expanding its business alliance with The Dow Chemical Company, including setting up a services facility near the site of Dow's global headquarters in Midland, Michigan. The company said that 80 percent of its current 350 employees were hired locally, and includes recent graduates from reputable academic institutions in Atlanta, experienced professionals and retired army personnel. TCS also announced that it was expanding a software services delivery center in the Cincinnati suburb of Milford, Ohio.

Indian outsourcing companies are expanding both in India, and in the U.S., their key market, in anticipation of a pick up in business. Infosys BPO, the business process outsourcing subsidiary of outsourcer Infosys Technologies also said this month that it would acquire McCamish Systems, a BPO company in Atlanta focused on the insurance and financial services market. Employing staff in the U.S. is expected to go over well with the local community and politicians because of resentment in the U.S. about companies moving jobs to India and other countries, analysts said. Political considerations are evidently a factor for Indian outsourcers to expand in the U.S., said Siddharth Pai, a partner at outsourcing consultancy firm Technology Partners International (TPI) in Houston. U.S. Senators Bernie Sanders, an Independent from Vermont, and Chuck Grassley, an Iowa Republican, last week introduced legislation, called the Employ America Act that would prohibit firms that lay off 50 or more workers from hiring guest workers. U.S. companies do not also want to be seen sending jobs abroad, he added.

Certain types of work even in BPO, such as development of technology platforms for services delivery, and analytical work, require proximity to customers, he added. But there are also strong business considerations that require Indian companies to set up operations in the U.S., according to Pai. Indian outsourcers have to start looking like global players, Pai said. Japanese car makers, for example, manufacture all over the world, because some customers would like to buy locally produced goods, he added.

Gartner on cloud security: 'Our nightmare scenario is here now'

At the Gartner Symposium IT/Expo this week, thousands of IT managers packed into sessions on the topic of virtualization of enterprise computers, along with the prospect of adopting public cloud-based services or building private ones. Gartner analysts, including David Cearley and Gene Phifer, trotted out user case studies involving FedEx, Presidio Health, Johnson Diversey and others extolling the public or private cloud, while in a separate session Michael Lock, head of enterprise sales at Google, found himself looking like a budding rock star in front of a huge audience of high-tech execs eager to hear about Google Apps. Some say the revolution is underway, and security managers are caught in the middle, losing their earlier controls. With new ways of conducting enterprise computing and application development shaking up established IT practices, the darker mood about it all was mainly heard from Gartner's security analysts, recognizing the revolution underway is ripping away the security controls of today. "Our nightmare scenario is here now," said Gartner analyst John Pescatore.

In addition, corporate employees are now using handheld smartphones the company didn't even issue and spending substantial time on networks not owned by the enterprise. Botnet-driven cybercrime is clearly accelerating as online predators involved in "cybercrime as a service" plunder corporate and consumer data for financial gain. Now comes cloud computing as service offerings and "obviously attacks will come after this," Pescatore said. With the cloud taking shape nebulously as many types of public, private and hybrid services, an important technology to turn to will likely be encryption services. "In the next few years, you'll see encryption services out there," Pescatore said. In many instances, the fact is the "IT organization is being driven to have less control over software and hardware." The implication of this, Pescatore said, is they can sit and dream of something pleasant, like the return of the mainframe, or they will have to make a shift to using or developing "security as a service" to adapt to new threat scenarios in both public cloud computing and virtualization of their IT infrastructure. Gartner analyst Neil MacDonald also minced no words in describing the implications for security in the virtualization and cloud-computing revolution. "We're at a critical point," MacDonald said.

With virtualization, the key concept of "locking down a physical device" is disappearing in favor of virtual machine-oriented security, such as virtual security appliances as software instead of physical appliances, he said. Adoption of consumer technologies and the transformation of the technical infrastructure in the enterprise means that there's "frustration of the business units with us," MacDonald said. In addition, the enabling of quick deployment of virtualized applications and databases to facilitate business partnerships will need to be done, though "security becomes very difficult in this environment." Cloud computing and virtualization "break one of the foundational principles of security architecture: Us and them," MacDonald said. Antivirus must be buttressed with whitelisting to control application use, and the newer software-based virtual appliances for security have to be examined for use in a virtual-machine environment. Known technologies such as signature-based antivirus are now insufficient, increasingly useless and he added, way overpriced. About the physical security appliances out on the market today, MacDonald said "these boxes are expensive," and he disparaged Cisco, Juniper and TippingPoint as "not having much going on now because they like to sell boxes." When it comes to cloud computing services, the security professional is being pressured to "get out of the way" and figure out something that's "secure enough," said MacDonald, though the impulse will be to say no to the cloud.

But there are going to be "trade-offs" as new cloud service offerings, and the stance the security professional should take is to clearly explain the risks to the business owners of the data and make sure they accept it, not push it back onto the security and IT department. "They get all the accolades and you take all the risk, who wants that job?" he pointed out. Though the public cloud "makes sense for less-sensitive data," there are limits, such as "PCI stuff, no way," MacDonald said, referring to the data falling under the Payment Card Industry security requirements. Speaking on a panel at the Gartner conference, a number of CIOs acknowledged their prime concerns are about security in cloud computing. Sometimes there are some unexpected risks. June Hartley, CIO at the National Business Center of the U.S. Department of the Interior, said security requirements known as FISMA that the U.S. government uses for security compliance will likely be changed to meet the new world of private and public cloud computing. Casey Coleman, CIO at the General Services Administration and co-chair of what's known as the Federal Cloud Council, agreed, but both indicated there was no apparent barrier to that. Sal Allavarpu, senior director, product marketing at Citrix Systems, a player in the virtualization market which has created virtual appliance versions of its Access Gateway, Branch Repeater and NetScaler security, network and application control appliances, says there are new security issues that arise in virtualization and cloud computing.

Without sharing detail, he said he knows of a recent occurrence in a cloud-computing arrangement where law enforcement going after someone seized the data for the entire physical server even though the suspect had data on just one virtual machine on that server. For one thing, it's not advised to run applications with different levels of trust controls on virtual machines located on the same physical server, he says. "It's best to keep them separate, virtual machines with the same trust controls on the same physical server," he said, noting auditors prefer this. This caused a lot of consternation among other companies whose data happened to be on that same physical server in separate virtual machines. Mark Hurd, chairman and CEO at HP, who gave the keynote at Gartner yesterday, evoked a knowing chuckle from the audience when he said he has visited with many CEOs and frankly, they didn't like the term "cloud" because they would prefer to think they're operating in "clear skies." But without tipping his hand, he hinted that HP could be active in this arena itself with cloud-oriented services over time, probably the more private cloud varieties. He noted that virtualization and cloud computing is new to law enforcement in some instances and this kind of issue is still being hammered out.

Profile of an IT forensics professional

A snapshot look at the IT forensics profession from the perspective of Rob Lee, an IT forensics expert at Mandiant. He is a graduate of the U.S. Air Force Academy and a founding member of the USAF's Information Warfare Squadron, the first U.S. military operational unit focused on information operations. Name: Rob Lee Title: Director and IT forensics expert at Mandiant, a Washington-based information security software and services firm Related work: Curriculum lead for digital forensics training at the SANS Institute. 30-second résumé: Before joining Mandiant, Lee served as the technical lead for a vulnerability discovery and exploit development team that worked for a variety of law enforcement, government and intelligence agencies. Skills boost: To stay current, Lee does hands-on work in the field and is an avid reader of and contributor to information security journals and blogs.

He also recommends specializing in a particular area of computer forensics. "If you're choosing forensics, be a specialist in firewalls or hacking or mobile devices," Lee says. "Mobile devices alone are extremely complex and constantly changing. "If you're just beginning, classes are the way to go," he advises. "After that, you can continue to learn online. A passion to learn and to continue learning - rather than a formal computer science degree or security certification - is the top requirement for an IT forensics expert, says Lee, who also teaches SANS certification classes. The best thing you can do once you attain a certain level [of expertise] is give of yourself back to the community. Always do research and publish it." Choose something you don't think anyone else has [expertise in] and research that.

HITECH Act: What you need to know about new data-breach guidelines

Healthcare providers and others handling sensitive patient data are now finding the stakes raised if they suffer a data breach because of a new law known as the "Health Information Technology for Economic and Clinical Health Act," or HITECH Act. Depending on whether a data breach arises from a simple mistake or willful theft, fines will range in tiers from as low as $100 per violation for a slip-up regarding unencrypted data to $1.5 million or more for knowingly and willfully violating the data-breach rules, say those familiar with the HITECH Act. "Under the HHS rule, you have to figure out if you had a data breach," says Rebecca Fayed, an attorney at law firm Sonnenschein, Nath & Rosenthal's healthcare group division in Washington, D.C. But the new rules, which cover both electronic and paper formats, are far from simple. The HITECH Act, devised by Congress primarily to address electronic medical records, is being noted for its impact in adding a tough data-breach notification requirement to the long list of long-existing Health Information Portability and Accountability Act (HIPAA) security and privacy rules. Passed by Congress in February, the HITECH Act is now coming into enforcement by the U.S. Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC), which each have been given a role to play under the law, potentially levying punishments and fines on organizations that stumble in protecting personal health information. Like HIPAA, the HITECH Act covers healthcare providers, insurers, clearinghouses and also business associates handling personal information about patient health, as well as other protected information, including name, Social Security number, address and insurance account numbers.

If the data breach "is only five people, HHS doesn't want you calling them," though you will have to inform the individuals impacted. Fayed says there's often the misperception that the HITECH Act will require public disclosure of any data breach of unencrypted personal health information (PHI) but the fine print actually says the data breach has to have impacted at least 500 people in one state. "Then you have to notify the media," she says. And it appears there's no need to report an employee unintentionally accessing a record by mistake in the course of doing his job. The HHS guidelines set forth two basic ways to secure that data, "encryption" for electronic data and "destruction" applied as a means to destroy electronic data or paper. A lot of the talk about HITECH is centering on encryption because the breach notification only applies to "unsecured PHI," Fayed says. When it comes to encryption and stored data security, guidelines from the National Institute of Standards and Technology are referenced, including NIST's FIPS 140-2 for certification of encryption products.

So, the bottom line is the HHS-issued guidelines, now an interim final rule that went into effect Sept. 23 (though it won't be enforced until February 2010 by the office of civil rights at HHS), is a game-changer. Though encryption isn't mandatory under HITECH Act, just by bringing encryption technology into the discussion of a data breach the federal government is raising the bar about what's implied about best practices, Fayed notes. Wes Rishel, vice president and distinguished analyst at Gartner, calls the HITECH Act ground-breaking. "This is the first time there's been a federal regulation for data breach," Rishel says. Although there are now far fewer known instances of data breaches involving PHI than credit cards, for example, it doesn't mean that these cases don't happen, many say. It changes the balance in terms of security and puts an emphasis unknown before on encryption because a data breach of encrypted data is not going to have to be reported. Fraud involving stolen patient healthcare data, primarily Medicare/Medicaid identity theft for making money off submitting fraudulent claims, is not uncommon, Fayed says. "The reason you haven't heard about these is because people haven't had to report these yet," she says.

But encryption use to protect stored data is not typical today among HIPAA-regulated organizations and they are going to be struggling to encrypt and decrypt effectively among business partners. "Encryption can create a big mess, too." The HITECH Act has more healthcare providers crafting encryption strategies. "They should be deploying encryption," says Forrester analyst Noel Yuhanna.

IPv6 and VoIP – Friend or foe?

Whether enterprise users are ready or not, it appears that implementation of IPv6 is in the not-too-distant future. At the same time, it's also a given that VoIP is firmly entrenched as the current – no longer even the "next" - generation of voice networks. Enhanced addressing is needed, especially as everything from your PC to your toothbrush (so your dentist can immediately know whether you're really brushing after every meal) becomes IP-enabled.

So this leaves us wondering what the impact will be when these two inevitable trends merge. Voice packets tend to be quite small. Not that many years ago, we were quite concerned about VoIP due to the bandwidth overhead. In fact, for the low-bit-rate codecs that tend to be used with VoIP, a typical packet size is on the order of 20 to 40 bytes. (These small packets are necessary in order to avoid too much latency.) And the overhead simply due to IPv4 and UDP about equals the payload size, with at least 20 bytes (octets) for IPv4 plus at least 8 octets for UDP. Now IPv6 is coming, and at least doubling the header size. On the plus side, IPv6 offers some much-needed additional control.

We can see two sides to this situation. Overall, VoIP should perform "better" when it's VoIPv6. At the same time, the additional overhead is a concern. Thanks to our colleagues Gary Kessler and Gary Audin for their contributions to the ideas above. Have we finally reached the point that we can make the same assumption of "free unlimited bandwidth" for WAN communications that we've made for years concerning LAN communications? And we look forward to continuing this conversation with you and our team of analysts at Webtorials.