Is the Cloud Always Cheaper?

Office 365 and Exchange Online are good offerings – they provide useful functionality, a growing feature set, pretty decent uptime, and they’re relatively inexpensive. Microsoft, in this third major iteration of cloud services, has done a good job at offering a comprehensive set of applications and services. (We use Exchange Online internally and are quite pleased with it.)

From Microsoft’s perspective, the primary reason to move their customers to the cloud is to make more money. In 2015, Microsoft told Wall Street financial analysts that moving its customers from a “buy” model to a “rent” model will generate anywhere from 20 percent to 80 percent more revenue for the company. As evidence of how right Microsoft was, the company’s Office 365 revenue for the fourth quarter of 2017 is now greater than its revenue generated from traditional licensing models.

From a customer perspective, one of the key reasons for migrating to Office 365 is to reduce the cost of ownership for email, applications and other functionality. Our cost modeling has demonstrated that this actually is the case.

So, Microsoft makes more money from the cloud, but its customers spend less when migrating to the cloud. On the surface, that doesn’t seem to make much sense until you realize that the cost savings for customers are coming primarily from the labor that you no longer have to pay to manage an on-premises system, and from the stuff you no longer have to buy to maintain it, especially when considering hardware and software refresh cycles.

But what if you’re a small organization that wasn’t spending much on labor because you have an easy-to-manage email server, for example, and your hardware requirements to run it are not significant? Let’s go through an example comparing Exchange Online Plan 1 with Alt-N Technologies’ MDaemon Messaging Server for a three-year period for a 50-user organization:

Exchange Online Plan 1

  • $4.00 per user per month
  • $7,200 for 50 users for three years

MDaemon Messaging Server (with priority support)

  • $2,433.04 initial cost, or $1.35 per user per month for three years

MDaemon Messaging Server (with priority support, Outlook Connector and ActiveSync)

  • $4,678.43 initial cost, or $2.60 per user per month for three years

So, the on-premises platform will save a 50-seat organization anywhere from $2,522 to $4,767 over a three-year period. If we assume that an on-premises email system like MDaemon could be managed by an IT tech making $35,839 per year (the national average for that position according to Glassdoor), that means the tech could work anywhere from 4.1 to 7.7 hours per month on the MDaemon infrastructure to bring its cost up to that of Exchange Online Plan 1, although it’s unlikely that much of a time investment would be required. Of course, I have not factored in the cost of the hardware necessary to implement an on-premises email system, but most organizations already have that hardware on-hand already.

The point here is not to abandon consideration for Exchange Online or other cloud platforms, since they offer a number of important benefits and there are good reasons to go that route. But for organizations that need to get the most bang for their buck, they will be well served to consider using on-premises solutions, especially if their hardware and software refresh cycles are longer than three to four years. That’s especially true for things like desktop productivity platforms like Word, Excel and PowerPoint, where the average refresh cycle is quite long (one survey found that Office 2010 remained the most popular version of Office in use five-and-a-half years after its release.)

Automatic Monitoring of Key Systems

One of the problems that IT often has with business systems — especially those on which users or customers are dependent for real-time or near real-time interactions or transactions, such as email or eCommerce systems — is that users are often the “canary in the coal mine” in determining when a problem has occurred. For example, IT will often learn about an email downtime only when there’s a spike in traffic to the corporate help desk, or calls to a help line will be the trigger that notifies IT that a customer-facing system has gone down or is providing unacceptable performance.

dinCloud has introduced an interesting offering called “James“, what they’re touting as a virtual robot designed to monitor systems on a 24×7 basis. James is designed to monitor a wide variety of systems, such as eCommerce platforms, corporate email, databases and a variety of other systems that support business processes and workflows. The basic goal of James is to monitor systems continually for events like outages, system errors or performance that drops below a predetermined threshold, and then alert IT about the problem so that the issue can be rectified as quickly as possible. The example below, from dinCloud’s web site, is a basic example of how James works.


Although James can be used in any environment, it seems especially well-suited to smaller organizations that may not have the technical expertise or other resources needed to monitor key systems on a continual basis. dinCloud offers a turnkey approach for customers, helping them determine what to test and providing services around configuration and deployment of the system. James also supports a real-time dashboard that enables decision makers to keep an eye on system performance and receive alerts when problems are discovered.

While I’m not crazy about the name “James” as it applies to this offering (perhaps something like “Virtual System Monitoring Robot” might be more descriptive), I really do like what dinCloud is doing here. Downtime and poor system performance are the bane of online systems because even small glitches can create major problems. For example, an older study found that about 40 percent of US consumers will give up on a mobile shopping site that won’t load in just three seconds, and a 2016 study found that the cost of unplanned downtime for a large organization will cost an average of nearly $8,900 per minute. Our own research finds that email outages of even just 10 minutes can create problems.

In an era of ransomware, DDoS attacks, hacking and other threats that can create significant levels of downtime in addition to the more traditional causes like server crashes or application faults, system monitoring should be high on every IT manager’s priority list.

Open Questions About the GDPR

The European Union’s General Data Protection Regulation (GDPR) will take effect on May 25, 2018. In short, the GDPR will provide data subjects (i.e., anyone who resides in the EU) with new and enhanced rights over the way in which their personal data is collected, processed and transferred by data controllers and processors (i.e., anyone who possesses or manages data on EU residents). The GDPR demands significant data protection safeguards to be implemented by organizations, regardless of their size or their geographic location. You can read the full text of the GDPR here, as well as our recently published white paper and survey report on the subject here and here.

The goal of the GDPR is quite clear: to protect the privacy rights of EU residents and to ensure that they have a right to be forgotten by any organization that possesses data about them. However, there are some situations in which legal jurisdictions and whose rights should prevail are not yet clear. For example:

  • US organizations have an obligation to apply a legal hold on relevant data if they have a reasonable expectation that a legal action may be forthcoming. But what happens if some of the data that a company is obligated to hold includes data on an EU resident that has asked for that data to be expunged?
  • Broker-dealers and others under the jurisdiction of FINRA must retain various types of communications, such as communications between registered representatives and their clients. What if a client of that representative ends the relationship, but immediately wants his or her data to be deleted?
  • Manufacturers routinely keep customer information in support of warranties that they offer on their products. If a customer in the EU asks that all of their data be forgotten, does that relieve the manufacturer from their obligations to honor the warranty?
  • Will governments be permitted to retain data on visitors from the EU, such as the data provided on the embarkation forms that visitors are obligated to complete upon entry to a country, if those visitors ask that the data be deleted?

As with any new regulation there are always unanswered questions, unique situations that had not been contemplated when the regulation was written, and various unintended consequences — the GDPR is no different in that respect. What is different are the consequences of getting things wrong, which can include fines as high as €20 million ($23.7 million), or four percent of an organization’s annual revenue, whichever is higher. For a company with $1 billion in annual revenue, that would be a $40 million fine!

Will the EU impose such large fines shortly after the May 25, 2018 implementation of the GDPR? That’s an open question, but given the EU’s aggressive stance toward companies like Google and Facebook, my guess is that they will seek a test case to let everyone know that they mean business.

Do You Manage Social Media Well?

Some actual social media posts:

  • “….we need to hold this f%#@er and all his racist supporters accountable.”
  • “Threatened with a $200k lawsuit from idiot client who misrepresented the scope of their project and took longer than originally planned.”
  • “What a stupid client, how can he be an engineer for so many years!”
  • “I have 2 moods. 1) I love working let’s get moneyyyy 2) I never want to work again I want to kill every customer.”

Given that somebody’s employees have already posted these comments, what would you do if it was your employee that did so?

  1. Nothing.
  2. Accept the fact that employees can do what they want on their own time, regardless of the consequences for your company?
  3. Communicate with your employees about the importance of considering what they post on social media before they do so.
  4. Remind employees about the importance of following your company’s social media policy that specifically addresses identifying their employer on their personal social media pages.

Any company can choose a, b or c, but many companies can’t opt for option d because they don’t have a social media policy – or at least one that is sufficiently thorough or detailed that would address a situation like these.

Even with the best tools in place to monitor and review social media, this issue has implications beyond just those that are focused on technology and policies. Should employees be allowed to tweet anything they want while in your employ? Should employers have the right to restrict employee activities on social media after-hours? Should courts or regulators have the right to access employees’ social media posts?

We will be writing a white paper shortly on the importance of managing social media well – not only from the perspective of providing robust security capabilities so that social media can’t act as a conduit for malware, phishing or other threats – but also from the perspective of establishing good social media policies, monitoring what people are saying via social media when using the corporate network, and archiving business content in social media posts.

How to Deal With the Travel Ban on Laptops and Tablets

On March 21st, the Department of Homeland Security (DHS) announced that any personal electronics larger than a smartphone cannot be carried in the passenger cabin on US-bound flights originating from Jordan, Qatar, Kuwait, Morocco, United Arab Emirates, Saudi Arabia, and Turkey. The airlines affected, all based in the Middle East, have 96 hours to implement the appropriate changes to ensure that non-compliant electronic devices are carried only in checked, not carry-on, luggage. The UK followed suit, implementing essentially the same policy for flights to the UK originating from Egypt, Jordan, Lebanon, Tunisia, Turkey and Saudi Arabia.

The reasons for the new policy by the US and British governments were not made entirely clear, but the US raid on Al-Qaeda forces in Yemen in January of this year apparently yielded intelligence about the terrorist organization’s development of “battery bombs” that could be large enough to destroy a commercial aircraft. Also cited were the destruction of a Russian A321 over the Sinai Peninsula in October 2015, and a bomb blast aboard a Somali A321 shortly after it left Mogadishu in February 2016, either or both of which may have been the target of battery bombs or similar devices.

While the ban on personal electronics in carry-on luggage affects only direct flights to the US and the UK from the countries noted above, it’s possible that the ban may be extended to other countries and maybe even to domestic flights in the US, UK and elsewhere.

If you rely on your laptop and/or tablet when traveling, what would you do if the ban suddenly applied to your next trip, as it already has for thousands of travelers? Here are some options:

  • The obvious (and worst) option is to travel with your laptop and tablet in checked luggage. While the rate of lost luggage, at least in the US, is relatively low at 3.09 bags per 1,000 passengers, a dramatic increase in number of laptops and tablets flying in checked luggage might motivate some baggage handlers to help themselves to the suddenly more valuable cargo. Even in the absence of theft, there is a significant risk that rough handling of luggage could damage the devices.
  • Another option is to work only from your smartphone. That will work for things like checking email and making presentations, but for writing, creating presentations or working with spreadsheets, that’s not a viable option.
  • A better option is to use a Windows to Go drive that will allow you to plug this USB device into any Windows-based computer or a Mac and use the computer only as a host. These bootable devices can be imaged with corporate applications and data, they store data only on the USB device leaving nothing on the host, and some are hardware-encrypted, providing a highly secure platform for storing data. Using a Windows to Go drive, a traveler could take with them an outdated Windows 7 or Windows 8 laptop that wouldn’t cause much angst if it was stolen, or they could borrow someone’s laptop at their destination.

There are a number of vendors that offer Windows to Go devices, including Kingston, Spyrus, Kanguru and Super*Talent. These devices offer a robust experience that is more or less indistinguishable from a native PC experience, they’re fairly inexpensive, and they are not likely to be the subject of a ban of the type discussed above. If you must have access to a laptop or tablet when traveling, Windows to Go drives should be an option you should evaluate sooner rather than later.


Microsoft vs. Google vs. IBM

While there are a large number of cloud-based communication and collaboration solutions available, the “Big Three” in cloud-based communication and collaboration today are Microsoft Office 365, Google G Suite and IBM Connections Cloud (which includes a very good email solution called IBM Verse). I won’t go into what you get with each offering, but you can check out the various components, features and capabilities at the following links for Office 365, G Suite and Connections Cloud.

All of these offerings include robust email, instant messaging, document collaboration, file sharing and other tools, as well as lots of storage. All of these solutions are reasonably priced, although Microsoft’s high end plans are significantly more expensive than the other two (but they also include more capabilities). Microsoft’s solutions require the least disruption to the way that most information workers work, since the vast majority already use the Office suite of Word, Excel and PowerPoint; and Office 365, from a desktop productivity standpoint, is nothing more than a switch from purchasing a perpetual license for these applications to renting them in perpetuity.

From a long-term perspective, however, particularly for enterprise customers, IBM’s solution should be the subject of most decision makers’ serious consideration because of Watson Workspace. Watson, the “computer” that trounced Ken Jennings and Brad Rutter on Jeopardy back in 2011, uses cognitive capabilities to analyze social interactions among information workers. Watson is currently being used for cancer research, tax analysis and other data-intensive applications, but Watson Workspace is specifically focused on using these cognitive capabilities in the workplace. The goal of Watson Workspace is to help workers manage information overload, present the right data at the right time, and otherwise streamline work processes with the goal of making people more efficient. Microsoft and Google have analytics and other capabilities that are focused on similar aims, but neither of these vendors have capabilities that compares to Watson at this point. In short, Watson has the potential to revolutionize the way that people work with one another.

The problem for IBM, however, is two-fold:

  • First, IBM is generally more bureaucratic than either of their key competitors and has a more difficult time moving products from the conceptual stage into stuff that people can actually deploy.
  • Second, Microsoft and Google make it easy to buy Office 365 and G Suite, respectively. IBM does not.

As a test of the latter point, I had one of our researchers run a test to see how long it would take to set up an account in Office 365, G Suite and IBM Verse. She started on a weekday afternoon and found that it took six minutes to complete setting up an Office 365 account, four minutes to set up an account in G Suite — and 31 minutes to set up an account in Verse.

Now admittedly, IBM is not really focused on the single user market to nearly the same extent as Microsoft and Google. But the difficulty and length of time associated with setting up an account are indicative of IBM’s need to make its account acquisition process a bit easier and more transparent. This one-off market can result in the deployment of perhaps a few million seats, a market that just about any communications and collaboration vendor should pursue for its own sake, but also for the potential impact it could have on making these tools more familiar in the enterprise space.

In short, IBM’s communication and collaboration solutions are the best of the Big Three, but also the most difficult to acquire.

Is BlackBerry Dead in the Water?

A blog post from yesterday asks the question, “Would you say that BlackBerry is pretty much dead in the water at this point or is there hope left for the struggling Canadian company?”

The question is a good one. In the first quarter of 2009, BlackBerry had  55.3 percent of the US smartphone market and 20.1 percent of the global smartphone OS market; as of the last quarter of 2016, BlackBerry’s share of global smartphone sales had fallen to 0.048 percent. The company’s revenues fell from a peak of $19.91 billion in FY2011 to $2.16 billion in FY2016. It’s operating income and net income have been in negative territory since FY2013. It’s stock price went from $138.87 on April 30, 2008 to $7.45 as of today. In September of last year, BlackBerry stopped making its own phones.

So, yes, a case can be made that BlackBerry is “dead in the water” or very nearly so.

However, I believe that 2017 and 2018 will see a modest resurgence of the company, albeit not to levels that we saw before the iPhone and Android devices began eating BlackBerrys for lunch. Here’s why:

  • BlackBerry isn’t really a smartphone company anymore, but is transforming itself into a software and cyber security company. If they’re successful in doing so, that will turn their 30-something margins into 70-something margins. The company’s financial results are at least hinting that margins are going in the right direction.
  • BlackBerry still has a very good security architecture for mobile devices, one that many decision makers should (and, I believe, will) seriously consider as mobile devices increasingly access sensitive corporate applications and data repositories. BlackBerry’s DTEK technology offers robust user control over privacy and that’s going to be important for many enterprise decision makers.
  • While BlackBerry’s market share in the US and many other markets is really, really poor, the company is still doing reasonably well in places like Indonesia and in some key verticals, such as financial services. For example, a major US bank is standardized on BlackBerry mobile technology, as is HSBC, among others.
  • BlackBerry is increasingly focused on markets that are quite far afield from its traditional phone business. For example, BlackBerry Radar is the company’s first IoT application and is designed for asset tracking, currently in use by a major Canadian trucking firm. BlackBerry QNX, a real-time operating system focused on the embedded systems market, is currently used in 60 million cars worldwide (and replaced Microsoft Sync at Ford). BlackBerry has some interesting and innovative solutions focused on addressing enterprise BYOD/C/A concerns.

The bottom line is that BlackBerry is nowhere near out of the woods, but is definitely showing signs of life. John Chen has done a good job at starting to turn the company around, there is promise in several of BlackBerry’s key markets, and the company has a decent base of working capital. I have some confidence that in a couple of years BlackBerry will see something of a resurgence.

The (Sometimes Dangerous) Power of Perception

I had a conversation with someone this morning that suggested I join a customer advisory board. He recommended it, in part, over a board of directors because, as he put it, the latter takes more in-person time and “it’s difficult to get to other places from Seattle. For example, it would be difficult to get to a place like Omaha.”

This individual’s perception about getting to and from Seattle was right — perhaps 15 to 20 years ago — but that’s no longer the case. For example, I fly Alaska Airlines for most of my business travel and to about 98 percent of the places I travel in the US, Alaska has a direct flight. Plus, in the 26+ years I have been flying Alaska, I have had only three connecting flights — twice to Orlando and once coming back from Las Vegas. That’s three flights out of my too-numerous-to-count flights on Alaska in more than 26 years!

The perception of Seattle as a distant outpost is shared by many, particularly NFL commentators who will periodically tell viewers about the difficulty encountered by teams coming “all the way out” to Seattle. But looking at actual data reveals that for the Jets or Giants to visit the Seahawks they would fly 146 fewer miles than if they were visiting the 49ers. If the Patriots visited the Seahawks, they’d fly 115 fewer miles than if they visited the Rams.

So, perception is often wrong and it has consequences. Much more seriously than the misperception of Seattle as out somewhere past Siberia is the perception by many that the cloud is less secure than on-premises solutions. For example, you can read about the “insecurity” of the cloud, or decision makers’ perception of its insecurity, here, here, here, here and here. However, an examination of the biggest and most damaging breaches of highly sensitive or confidential data over the past several years reveals that the vast majority of these were exfiltrations of data from on-premises systems, not those in the cloud. Even as far back as 2012 the Alert Logic Fall 2012 State of Cloud Security Report noted that users of service provider solutions experienced less than half the number of security incidents than users of on-premises systems. More recently, Infor concluded that, “Cloud vendors typically offer a much higher level of data center and virtual system security than most organizations can or will build out on their own.”

While on-premises solutions can be highly secure, data stored in the cloud is generally. more so. Cloud providers enjoy economies of scale in rolling out security capabilities that most organizations with on-premises systems cannot achieve. The cost of security for cloud providers is generally much lower on a per-customer basis than it is for those that manage security in-house, allowing cloud providers to do more on a dollar-for-dollar basis. Cloud providers suffer from insider threats much less often than do their on-premises counterparts. And, the very existence of cloud providers is much more dependent on maintaining the security of their customers’ data than it is for companies that maintain their own systems on-premises, giving cloud providers the stronger incentive to get security right.

Within the next few weeks we will be publishing a white paper focused on cloud security in which we will be exploring the key issues that decision makers should understand as they consider security in the cloud vs. on-premises.

And, Alaska offers a daily non-stop to and from Omaha.

The Impact of the GDPR on Your Business

We have just published a white paper on the General Data Protection Regulation (GDPR), the European Union (EU)’s new data protection regulation, released in May 2016 and with an implementation date of May 25, 2018. Every organization that collects or process personal data on EU residents must comply with the new regulation, regardless of where they are located, or they will face significant financial penalties (up to four percent of their annual revenue) and reputational damage.

Complying with the GDPR requires any organization with personal data on EU residents to implement both organizational and technology measures to remain in compliance. Organizational measures include appointing a Data Protection Officer, developing policies and training on handling personal and sensitive personal data, and an approach for executing a Data Protection Impact Assessment (DPIA). Technological measures for protecting data include capabilities like data classification, data loss prevention, encryption, managing consent more explicitly, data transfer limitations, and technologies that enable data subjects to exercise their rights to access, rectify, and erase personal data held by data controllers.

It is important to note that the GDPR is focused on the protection of personal data, not just its privacy. Complying with the protection mandate requires a higher degree of proactive and far-reaching effort on the behalf of organizations that control or process personal data.

The survey we conducted for this white paper among mid-sized and large organizations that will be subject to the GDPR found that the majority (58 percent) are not sufficiently familiar with the wide scope of the regulation and the penalties it includes. Only 10 percent believe their organizations are “completely ready” to comply with the requirements of the GDPR. That’s a serious problem, since the penalty for failure to comply with the GDPR could cost a large organization many millions or tens of millions of dollars.

You can download our just published white paper here.

What Happens to Your Data When Employees Leave Your Company?

When employees leave a company, whether voluntarily or involuntarily, it is quite common for them to take sensitive and confidential data with them. This paper examines this problem in detail and provides solutions for employers to mitigate the risks. For example:

  • A survey published by Biscom in late 2015 found that 87 percent of employees who leave a job take with them data that they created in that job, and 28 percent take data that others had created. Among the majority who took company data with them, 88 percent took corporate presentations and/or strategy documents, 31 percent took customer lists, and 25 percent took intellectual property.
  • A survey of 1,000 employees in the United States and Europe found that one in five had uploaded sensitive and confidential corporate data to an external cloud service specifically for the purpose of sharing it with others.

As just one example of data theft by departing employees, in September 2016 the US Office of the Comptroller of the Currency (OCC) detected the November 2015 theft of more than 10,000 records by a retiring employee that may have exposed personal information about OCC employees.

Here are some of the important takeaways from a white paper we recently published on this topic:

  • Employee turnover is a fact of life: the typical organization in the United States, for example, can expect that 24 percent of its employees will leave each year, although some companies in the Fortune 500 experience much higher turnover[i].
  • Employees who leave their employers, regardless of the reason for their departure, often take with them sensitive and confidential information, such as intellectual property or trade secrets, that belongs solely to their employer.
  • The theft of this information can damage a company in a variety of ways, including putting them at risk of a regulatory violation, forcing them to take legal action against former employees, harming their competitive position, and negatively impacting their revenue.
  • To reduce the risk of employees taking information with them when they leave, employers should establish detailed and thorough policies and procedures focused on ensuring visibility into employee practices, limiting employee access to data, requiring encryption of sensitive data, managing devices properly, ensuring that data is backed up and archived properly, requiring the use of enterprise apps (since these apps and any associated offline content can be remotely wiped, even on personally managed devices), and ensuring that IT has access to all corporate data to which it should have access (some confidential data, such as HR data, should not be available to IT in all cases.)

To support these policies and procedures, organizations should evaluate and deploy various technology solutions. Technologies that should be considered, but not all of which need to be deployed, include content archiving, backup and recovery, file sharing and collaboration, encryption, mobile device management, employee activity monitoring, data loss prevention, logging and reporting, virtual desktops and other solutions that will minimize the possibility of employees misappropriating corporate data upon their departure.

You can download the white paper here.