Windows Server 2016 changes prompt a new look at management – TechTarget

Microsoft wants more IT pros to get on board with its Azure platform and knows the fastest way to do that is through automation. The company took a subtle approach to engender a cloud mindset through various Windows Server 2016 changes -- but it might not be as flexible in the near future.

Microsoft encourages IT admins to develop policies and Desired State Configurations that manage servers as a collective. But it hasn't forgotten the legions of admins who spend their days -- and nights -- in the depths of the Microsoft Management Console. These IT workers are hands-on with each individual server. They perform manual configuration changes constantly and largely ignore anything with the suffix -aaS.

With a few Windows Server 2016 changes to the server management model, Microsoft nudged administrators to look up from their individual servers and consider the infrastructure as a whole, not unlike a cloud provider.

In IT, there is a concerted effort to stop the micromanagement of individual servers. This trend is popularized by the pets vs. cattle analogy that contrasts how we care for our cats and dogs to the way commercial farmers manage a herd.

The new approach is to build identical servers and handle them as a collection. This approach is business-critical for web-scale companies that manage thousands of servers. They would face skyrocketing operations costs if they stuck with the old 1:100 admin-to-server ratio. If one server malfunctions, remove and replace it with another. Problem solved.

But for certain legacy shops, this approach to server management gets no traction. A midsize company might have a dozen servers, each with unique applications and possibly distinct OSes. When a server fails, a business crisis follows. The recovery process typically involves various backup media, coffee and swearing. Swap out the server? That's not an option.

Why bother building out a cattle infrastructure if server and application deployments are few and far between? And what if the staff skill sets align more closely with the features in Windows Server 2008 R2 than Windows Server 2016?

A threshold is implied here -- but not defined. The real question is: How big does an IT infrastructure need to be before a move from pets to cattle is a reasonable course of action? Do you go by the number of servers, applications or administrators -- or data centers? Is it a combination of these factors?

Between these two extremes, Microsoft positioned its Windows Server 2016 changes. The company must tread carefully to keep two sets of customers happy: the DevOps devotees with their cattle and the traditional server admins with their pets. Both groups represent much to Microsoft's future, despite what you might hear from the CALMS crowd.

Windows Server 2016 is a bridge to facilitate the transition from the traditional way to manage Windows servers to an automated model. Consider what you see when you first log in to a Windows Server 2016 system: the Server Manager dashboard. Here, the administrator decides to either use Server Manager and move one step closer to managing cattle -- or stick with the reliable Computer Management tool and keep shopping at the pet store.

Server Manager quickly and easily creates groups of servers based on a role or an application. With this tool, admins manage servers more efficiently and do not need to change connections. It's a shame this tool's functionality isn't more obvious; many server admins don't realize Server Manager makes it almost effortless to control multiple remote servers.

Windows Server 2016 is a single platform with multiple management points intended to seduce administrators away from the Computer Management console in favor of the sleeker Server Manager.

It's impossible to talk about Windows Server 2016 changes without a look at PowerShell. Some describe it as a gateway drug that leads to a hardcore automation addiction and, eventually, the cloud.

Where Microsoft once gently encouraged admins to use PowerShell, it now strong-arms them toward management via the command-line interface (CLI). Admins who don't pay close attention and click through the Windows Server 2016 installation options will find themselves staring at the blinking cursor of a PowerShell console instead of a desktop.

Microsoft's message is clear: PowerShell is the preferred method to manage Windows Server 2016. The GUI is a consolation prize for admins who continue to scoff at scripting.

An overview of the more cloud-friendly features in Windows Server 2016

Here we are, with two sets of enthusiasts who aspire to apply their brand of management to the Windows world. There's no reaching across the aisle here. Ideologies are entrenched, and very few admins show any willingness to switch sides. The PowerShell crowd wants an OS designed around Windows Remote Management that doesn't need interactive control. The old-school admin crowd wants Windows Server 2003 R2 but with a newer look.

Microsoft is smart to cater to both crowds with its Windows Server 2016 changes. DevOps and related methodologies are not evolutions of traditional server management -- they are an attempt to manage cloud-native applications at scale in a smart and efficient manner. Both techniques can coexist, and an OS vendor would be foolish to force an all-in-one approach.

Given the major shift in Microsoft's strategy since Satya Nadella's arrival and the breakneck pace at which Azure chases enterprise cloud customers, I expect future Windows Server releases to further blur the line between on premises and cloud and to make that pets vs. cattle decision for its users. We'll see PowerShell become the default method to manage servers, and administrators who currently jump through hoops to load the server GUI will finally cave to the CLI.

Oppo and Vivo plan to move cloud storage to India, following India’s new directives on data security – Firstpost

Chinese smartphone brands Oppo and Vivo are planning to move their cloud service locations to India.

According to a report by The Economic Times, a senior executive said that Oppo and Vivo use cloud services and data server providers such as Amazon, and are now asking those providers to relocate these clouds to Indian territory.

However, neither of the leading cloud providers, Amazon and Azure Cloud, commented on whether the Chinese smartphone makers are asking them to move their remote data storage locations to India.

According to ET, the Chinese brands are inclined to comply with the government rules before striking deals with app developers, which have been kept on hold. However, both Chinese companies declined to comment.

According to previous reports, the Chinese brands Xiaomi, Oppo, Vivo, and Gionee collectively account for half of India's $10 billion market. The recent developments in the Doklam standoff have raised concerns over a possible cyberattack from these corners.

Recently, at Coolpad's launch, CEO James Du said, "I believe that there won't be any major conflict and businesses would not be influenced."

However, the Ministry of Electronics and Information Technology has sent notices to 21 smartphone makers, including Chinese ones, asking them to share the steps they are taking to ensure data security in mobile phone devices.

The companies have been asked to reply to notices by 28 August.

New Bitcoin.com Charts: The Bitcoin Ecosystem at a Glance – Bitcoin News (press release)

At Bitcoin.com we're very passionate about the decentralized economy and everything tethered to the evolving Bitcoin ecosystem. In order to provide more Bitcoin resources, we've just added a new chart and data analysis section to our web portal called charts.Bitcoin.com. The charts section is aimed at giving both veterans and new enthusiasts a glance at the Bitcoin network's various movements and economic achievements.

The bitcoin environment is quite vast, and many people and organizations like to study the data that's tied to this innovative ecosystem. Charts like these show a graphical representation of the various facets involved with Bitcoin. The most popular types of analytical data people like to research include price, circulating supply, mining data and much more.

Now our visitors can drop by charts.Bitcoin.com to check out a myriad of charts that cover the broad constellation of Bitcoin data. The new section covers market statistics, block details, activity & usage, mining data, economic measurements, and an advanced section with more technical particulars. Our chart section was designed by our senior developer, Clark Moody, an early bitcoin enthusiast and programmer who built the first real-time exchange data site for the bitcoin ecosystem.

For instance, market statistics has charts that show Bitcoin price, market capitalization, the current money supply, and chain value density. If a user toggles a certain chart, they can change certain aspects like the time period setting, changing the value scale to linear or logarithmic, a night & day setting and much more. At charts.Bitcoin.com there's also an economic section that shows a variety of data collected measuring Bitcoin's economic health. In this section, visitors can collect data on BTC's inflation rates, Metcalfe's Law, and the velocity of money.

People who are more interested in things like mining, the network's hashrate, and blocks can find charts for these subjects as well. Charts in these sections show a graphical representation of block sizes, times between blocks, block height, and blockchain size. Further, for mining data users can get information on the current hashrate and growth, difficulty, transaction fees, and miner revenue. Users interested in Bitcoin activity can check out the amount of daily transactions, fee percentages, UTXO averages and total transaction count.

At Bitcoin.com we're excited to launch our new charts portal so bitcoiners can catch a glimpse at Bitcoin achievements and network status from a different viewpoint. In addition to the vast collection of information, visitors can get a direct link to the chart, a markdown Reddit link, embedding code, and the ability to download a CSV file. Individuals who love charts and graphs that show the current status of the Bitcoin network and its economy will surely enjoy visiting charts.Bitcoin.com.

OpenBazaar Developers May Introduce Altcoin Support in the Near Future – The Merkle

OpenBazaar is certainly at the top of many people's lists of cryptocurrency-based marketplaces. The OpenBazaar protocol is appealing to a lot of people since it allows anyone in the world to buy or sell any good or service in exchange for Bitcoin. The possibilities are endless. One downside, though, is that OpenBazaar only supports Bitcoin right now. That situation will change very soon, by the looks of things.

Ever since the OpenBazaar platform was released, cryptocurrency users have been incredibly excited about what the protocol had to offer. Being able to buy or sell any product or service in exchange for Bitcoin has a lot of value to a lot of users around the world. With most merchants hesitating to fully adopt Bitcoin payments, different solutions are needed. OpenBazaar certainly checks a lot of the right boxes and it has a ton of functionality.

During the initial stages of OpenBazaar, there were some issues that needed to be addressed. For one, there was no convenient way to search for goods and services. Later on, the DuoSearch tool was introduced to alleviate this issue, and it has received a lot of praise over the past few months. OpenBazaar's developers have been working on integrating their own search feature as well, which has made the whole project more convenient for users.

There has also been a growing demand for altcoin support on OpenBazaar. Considering how this platform is designed to act as a decentralized protocol for marketplace purposes, there should not be a limit on the range of coins users can utilize to make or receive payments. Integrating altcoins into OpenBazaar is not necessarily all that easy, but the developers are working hard at it. It is a bit unclear which coins are on their radar right now, but Bitcoin Cash is one of the proposed solutions for the time being.

It would be quite interesting to see OpenBazaar embrace many altcoins. There has never been any indication the developers would not look beyond Bitcoin when it came to dealing with payments. This makes a lot of sense, as Bitcoin is not the perfect currency some people would like to think it is. However, given the uncertainty regarding which altcoins will be integrated into the platform moving forward, it is not impossible someone would fork this source code to include specific currency support in the future.

Indeed, that is one of the main selling points of OpenBazaar. Although the project's source code can be downloaded from GitHub with relative ease, there is nothing preventing other developers from making their own versions of the software. When it comes to integrating support for alternative currencies, this can be an option well worth exploring. Any forked versions of OpenBazaar may eventually have features ported to the main development branch over time, depending on how successful the implementation is.

It is good to see the OpenBazaar team acknowledge their project could benefit from integrating support for various other cryptocurrencies. Although the main focus will always be Bitcoin, there are plenty of other currencies that could be valuable additions to this protocol in the future. There is no plan to drop Bitcoin support altogether, but the developers do not seem satisfied with the way things stand right now. That is not entirely surprising, but it could have major consequences for this decentralized marketplace project.

Person tests Amazon’s "unlimited" cloud storage by uploading 1.8 petabytes of porn – Boing Boing

A fellow who goes by the handle beaston02 wanted to see how unlimited Amazon's "unlimited" cloud storage plan was, so he uploaded 293 years' worth (2 million gigabytes or 2 petabytes) of PornHub videos to his account.

From Motherboard:

Beaston02 told me he stopped recording streams simply because his interest in it waned. "I know plenty of people have labeled me some huge pervert or someone with a huge porn addiction, but that's really not me at all," he said. "I have more of a problem with collecting or hoarding data than I do with porn." He said he used the exercise to learn Python, SQL databases, and how to handle that much data. "The project ran its course, I got the knowledge I was hoping to get, and I just had no interest in it anymore."

While he's no longer running the scripts that collected the porn, he made them available on Github. Another Redditor, -Archivist, took up the cause with the "Petabyte Porn Project," recruiting other hoarders to help continue recording live public cam sessions all day every day. -Archivist told me in a Reddit message that this represents "upwards of 12 terabytes per day." Those helping hoard are close to two petabytes now, stored on Amazon's cloud and mirrored on Google Drive. Amazon did not respond to Motherboard's request for comment.

Amazon canceled its unlimited storage offering in June.

Hedvig Advances Private, Hybrid and Multi-cloud Storage with New Integrations, Security, and All-flash Capabilities – insideBIGDATA

Hedvig, the company modernizing storage and accelerating enterprise adoption of private and hybrid clouds, announced the availability of the Hedvig Distributed Storage Platform version 3.0, a new release of its software-defined storage (SDS) platform. Innovations in 3.0 include end-to-end integrations, advanced security capabilities and enhancements to its comprehensive suite of caching technologies. These 3.0 capabilities enable customers to store and protect virtualized, containerized, and backup workloads from a single platform.

"We've seen a sea change in customer requirements since we released the Hedvig Distributed Storage Platform two years ago. Enterprises require a platform that significantly simplifies their IT infrastructure and operations," said Avinash Lakshman, CEO and founder of Hedvig. "As more mainstream enterprises adopt software-defined storage, they seek technology that plugs into their existing architecture, natively protects against growing cybersecurity and compliance mandates, and future-proofs their infrastructure with innovations in flash technology."

As more businesses adopt software-defined storage and multi-cloud infrastructure, the flexibility to accommodate primary and secondary data in a single platform becomes critical. New certifications, plugins, encryption, auditing, multitenancy, and flash-caching capabilities found in Hedvig Distributed Storage Platform 3.0 offer organizations an elastic storage system that runs on-premises, in the public cloud, or both.

New CloudScale Plugins simplify integration of SDS into existing infrastructure and operations

Hedvig adds to its existing Docker and OpenStack CloudScale Plugins with new and improved plugins for Veritas, VMware, and Red Hat. CloudScale Plugins provide pretested, validated options to ensure SDS is easier to use and operate. Hedvig's CloudScale Plugins now include:

New security features including Encrypt360 reduce the risk of hacking and ransomware

Enterprise cyber and malware attacks are on the rise, resulting in a growing need for enhanced security and encryption built directly into storage infrastructure. Hedvig Encrypt360 delivers a native, in-software approach to protecting data throughout its entire lifecycle, encrypting data that's in-use, in-flight, and at-rest. Based on Hedvig's unique distributed systems architecture, data encryption starts at the host level and carries all the way through the backend, distributed cluster nodes. Encrypt360 supports a variety of key management systems, including AWS, and enables customers to select a 256-bit AES encryption policy on a per-volume basis. Also new to the 3.0 release are advanced auditing and multitenancy access control mechanisms that, combined with Encrypt360, ensure customers can securely meet IT compliance and regulations while adopting hybrid and multi-cloud architectures.

FlashFabric improvements lower the cost and complexity of adopting an all-flash data center

The Hedvig FlashFabric is a comprehensive suite of flash caching technologies that optimize performance in Hedvig clusters. In 3.0, Hedvig adds improvements to the platform's all-flash caching, including more advanced auto-tiering and read cache capabilities. Customers architecting all-flash data centers or those interested in adding all-flash resources in public clouds can easily take advantage of NVMe, 3D XPoint and other flash innovations without having to add complex, proprietary hardware. Simply add new commodity servers or public cloud instances configured with the latest flash technologies and Hedvig will automatically consume the resources and optimize performance based on application needs.

Cloud Computing | HHS.gov

Introduction

With the proliferation and widespread adoption of cloud computing solutions, HIPAA covered entities and business associates are questioning whether and how they can take advantage of cloud computing while complying with regulations protecting the privacy and security of electronic protected health information (ePHI). This guidance assists such entities, including cloud services providers (CSPs), in understanding their HIPAA obligations.

Cloud computing takes many forms. This guidance focuses on cloud resources offered by a CSP that is an entity legally separate from the covered entity or business associate considering the use of its services. CSPs generally offer online access to shared computing resources with varying levels of functionality depending on the user's requirements, ranging from mere data storage to complete software solutions (e.g., an electronic medical record system), platforms to simplify the ability of application developers to create new products, and entire computing infrastructure for software programmers to deploy and test programs. Common cloud services are on-demand internet access to computing (e.g., networks, servers, storage, applications) services. We encourage covered entities and business associates seeking information about types of cloud computing services and technical arrangement options to consult a resource offered by the National Institute of Standards and Technology; SP 800-145, The NIST Definition of Cloud Computing.[1]

The HIPAA Privacy, Security, and Breach Notification Rules (the HIPAA Rules) establish important protections for individually identifiable health information (called protected health information or PHI when created, received, maintained, or transmitted by a HIPAA covered entity or business associate), including limitations on uses and disclosures of such information, safeguards against inappropriate uses and disclosures, and individuals' rights with respect to their health information. Covered entities and business associates must comply with the applicable provisions of the HIPAA Rules. A covered entity is a health plan, a health care clearinghouse, or a health care provider who conducts certain billing and payment related transactions electronically. A business associate is an entity or person, other than a member of the workforce of a covered entity, that performs functions or activities on behalf of, or provides certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting PHI. A business associate also is any subcontractor that creates, receives, maintains, or transmits PHI on behalf of another business associate.

When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA. Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate. This is true even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data. Lacking an encryption key does not exempt a CSP from business associate status and obligations under the HIPAA Rules. As a result, the covered entity (or business associate) and the CSP must enter into a HIPAA-compliant business associate agreement (BAA), and the CSP is both contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.

This guidance presents key questions and answers to assist HIPAA regulated CSPs and their customers in understanding their responsibilities under the HIPAA Rules when they create, receive, maintain or transmit ePHI using cloud products and services.

Yes, provided the covered entity or business associate enters into a HIPAA-compliant business associate contract or agreement (BAA) with the CSP that will be creating, receiving, maintaining, or transmitting electronic protected health information (ePHI) on its behalf, and otherwise complies with the HIPAA Rules. Among other things, the BAA establishes the permitted and required uses and disclosures of ePHI by the business associate performing activities or services for the covered entity or business associate, based on the relationship between the parties and the activities or services being performed by the business associate. The BAA also contractually requires the business associate to appropriately safeguard the ePHI, including implementing the requirements of the Security Rule. OCR has created guidance on the elements of BAAs.[2]

A covered entity (or business associate) that engages a CSP should understand the cloud computing environment or solution offered by a particular CSP so that the covered entity (or business associate) can appropriately conduct its own risk analysis and establish risk management policies, as well as enter into appropriate BAAs. See 45 CFR 164.308(a)(1)(ii)(A); 164.308(a)(1)(ii)(B); and 164.502. Both covered entities and business associates must conduct risk analyses to identify and assess potential threats and vulnerabilities to the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit. For example, while a covered entity or business associate may use cloud-based services of any configuration (public, hybrid, private, etc.),[3] provided it enters into a BAA with the CSP, the type of cloud configuration to be used may affect the risk analysis and risk management plans of all parties and the resultant provisions of the BAA.

In addition, a Service Level Agreement (SLA)[4] is commonly used to address more specific business expectations between the CSP and its customer, which also may be relevant to HIPAA compliance. For example, SLAs can include provisions that address such HIPAA concerns as:

If a covered entity or business associate enters into an SLA with a CSP, it should ensure that the terms of the SLA are consistent with the BAA and the HIPAA Rules. For example, the covered entity or business associate should ensure that the terms of the SLA and BAA with the CSP do not prevent the entity from accessing its ePHI in violation of 45 CFR 164.308(b)(3), 164.502(e)(2), and 164.504(e)(1).[6]

In addition to its contractual obligations, the CSP, as a business associate, has regulatory obligations and is directly liable under the HIPAA Rules if it makes uses and disclosures of PHI that are not authorized by its contract, required by law, or permitted by the Privacy Rule. A CSP, as a business associate, also is directly liable if it fails to safeguard ePHI in accordance with the Security Rule, or fails to notify the covered entity or business associate of the discovery of a breach of unsecured PHI in compliance with the Breach Notification Rule.

For more information about the Security Rule, see OCR and ONC tools for small entities[7] and OCR guidance on SR compliance.[8]

Yes, because the CSP receives and maintains (e.g., to process and/or store) electronic protected health information (ePHI) for a covered entity or another business associate. Lacking an encryption key for the encrypted data it receives and maintains does not exempt a CSP from business associate status and associated obligations under the HIPAA Rules. An entity that maintains ePHI on behalf of a covered entity (or another business associate) is a business associate, even if the entity cannot actually view the ePHI.[9] Thus, a CSP that maintains encrypted ePHI on behalf of a covered entity (or another business associate) is a business associate, even if it does not hold a decryption key[10] and therefore cannot view the information. For convenience purposes this guidance uses the term "no-view services" to describe the situation in which the CSP maintains encrypted ePHI on behalf of a covered entity (or another business associate) without having access to the decryption key.

While encryption protects ePHI by significantly reducing the risk of the information being viewed by unauthorized persons, such protections alone cannot adequately safeguard the confidentiality, integrity, and availability of ePHI as required by the Security Rule. Encryption does not maintain the integrity and availability of the ePHI, such as ensuring that the information is not corrupted by malware, or ensuring through contingency planning that the data remains available to authorized persons even during emergency or disaster situations. Further, encryption does not address other safeguards that are also important to maintaining confidentiality, such as administrative safeguards to analyze risks to the ePHI or physical safeguards for systems and servers that may house the ePHI.

As a business associate, a CSP providing no-view services is not exempt from any otherwise applicable requirements of the HIPAA Rules. However, the requirements of the Rules are flexible and scalable to take into account the no-view nature of the services provided by the CSP.

All CSPs that are business associates must comply with the applicable standards and implementation specifications of the Security Rule with respect to ePHI. However, in cases where a CSP is providing only no-view services to a covered entity (or business associate) customer, certain Security Rule requirements that apply to the ePHI maintained by the CSP may be satisfied for both parties through the actions of one of the parties. In particular, where only the customer controls who is able to view the ePHI maintained by the CSP, certain access controls, such as authentication or unique user identification, may be the responsibility of the customer, while others, such as encryption, may be the responsibility of the CSP business associate. Which access controls are to be implemented by the customer and which are to be implemented by the CSP may depend on the respective security risk management plans of the parties as well as the terms of the BAA. For example, if a customer implements its own reasonable and appropriate user authentication controls and agrees that the CSP providing no-view services need not implement additional procedures to authenticate (verify the identity of) a person or entity seeking access to ePHI, these Security Rule access control responsibilities would be met for both parties by the action of the customer.

However, as a business associate, the CSP is still responsible under the Security Rule for implementing other reasonable and appropriate controls to limit access to information systems that maintain customer ePHI. For example, even when the parties have agreed that the customer is responsible for authenticating access to ePHI, the CSP may still be required to implement appropriate internal controls to assure only authorized access to the administrative tools that manage the resources (e.g., storage, memory, network interfaces, CPUs) critical to the operation of its information systems. For example, a CSP that is a business associate needs to consider and address, as part of its risk analysis and risk management process, the risks of a malicious actor having unauthorized access to its system's administrative tools, which could impact system operations and impact the confidentiality, integrity and availability of the customers' ePHI. CSPs should also consider the risks of using unpatched or obsolete administrative tools. The CSP and the customer should each confirm in writing, in either the BAA or other documents, how each party will address the Security Rule requirements.

Note that where the contractual agreements between a CSP and customer provide that the customer will control and implement certain security features of the cloud service consistent with the Security Rule, and the customer fails to do so, OCR will consider this factor as important and relevant during any investigation into compliance of either the customer or the CSP. A CSP is not responsible for the compliance failures that are attributable solely to the actions or inactions of the customer, as determined by the facts and circumstances of the particular case.

A business associate may only use and disclose PHI as permitted by its BAA and the Privacy Rule, or as otherwise required by law. While a CSP that provides only no-view services to a covered entity or business associate customer may not control who views the ePHI, the CSP still must ensure that it itself only uses and discloses the encrypted information as permitted by its BAA and the Privacy Rule, or as otherwise required by law. This includes, for example, ensuring the CSP does not impermissibly use the ePHI by blocking or terminating access by the customer to the ePHI.[11]

Further, a BAA must include provisions that require the business associate to, among other things, make available PHI as necessary for the covered entity to meet its obligations to provide individuals with their rights to access, amend, and receive an accounting of certain disclosures of PHI in compliance with 45 CFR 164.504(e)(2)(ii)(E)-(G). The BAA between a no-view CSP and a covered entity or business associate customer should describe in what manner the no-view CSP will meet these obligations; for example, a CSP may agree in the BAA that it will make the ePHI available to the customer for the purpose of incorporating amendments to ePHI requested by the individual, but only the customer will make those amendments.

As a business associate, a CSP that offers only no-view services to a covered entity or business associate still must comply with the HIPAA breach notification requirements that apply to business associates. In particular, a business associate is responsible for notifying the covered entity (or the business associate with which it has contracted) of breaches of unsecured PHI. See 45 CFR 164.410. Unsecured PHI is PHI that has not been destroyed or is not encrypted at the levels specified in HHS Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.[12] If the ePHI that has been breached is encrypted consistent with the HIPAA standards set forth in 45 CFR 164.402(2) and the HHS Guidance,[13] the incident falls within the breach safe harbor and the CSP business associate is not required to report the incident to its customer. However, if the ePHI is encrypted, but not at a level that meets the HIPAA standards, or the decryption key was also breached, then the incident must be reported to its customer as a breach, unless one of the exceptions to the definition of breach applies. See 45 CFR 164.402. See also 45 CFR 164.410 for more information about breach notification obligations for business associates.

Generally, no. CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining (e.g., to process and/or store) electronic protected health information (ePHI) meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key.

As explained in previous guidance,[14] the conduit exception is limited to transmission-only services for PHI (whether in electronic or paper form), including any temporary storage of PHI incident to such transmission. Any access to PHI by a conduit is only transient in nature. In contrast, a CSP that maintains ePHI for the purpose of storing it will qualify as a business associate, and not a conduit, even if the CSP does not actually view the information, because the entity has more persistent access to the ePHI.

Further, where a CSP provides transmission services for a covered entity or business associate customer, in addition to maintaining ePHI for purposes of processing and/or storing the information, the CSP is still a business associate with respect to such transmission of ePHI. The conduit exception applies where the only services provided to a covered entity or business associate customer are for transmission of ePHI that do not involve any storage of the information other than on a temporary basis incident to the transmission service.

OCR does not endorse, certify, or recommend specific technology or products.

If a covered entity (or business associate) uses a CSP to maintain (e.g., to process or store) electronic protected health information (ePHI) without entering into a BAA with the CSP, the covered entity (or business associate) is in violation of the HIPAA Rules. 45 CFR 164.308(b)(1) and 164.502(e). OCR has entered into a resolution agreement and corrective action plan with a covered entity that OCR determined stored ePHI of over 3,000 individuals on a cloud-based server without entering into a BAA with the CSP.[15]

Further, a CSP that meets the definition of a business associate, that is, a CSP that creates, receives, maintains, or transmits PHI on behalf of a covered entity or another business associate, must comply with all applicable provisions of the HIPAA Rules, regardless of whether it has executed a BAA with the entity using its services. See 78 Fed. Reg. 5565, 5598 (January 25, 2013). OCR recognizes that there may, however, be circumstances where a CSP may not have actual or constructive knowledge that a covered entity or another business associate is using its services to create, receive, maintain, or transmit ePHI. The HIPAA Rules provide an affirmative defense in cases where a CSP takes action to correct any non-compliance within 30 days (or such additional period as OCR may determine appropriate based on the nature and extent of the non-compliance) of the time that it knew or should have known of the violation (e.g., at the point the CSP knows or should have known that a covered entity or business associate customer is maintaining ePHI in its cloud). 45 CFR 160.410. This affirmative defense does not, however, apply in cases where the CSP was not aware of the violation due to its own willful neglect.

If a CSP becomes aware that it is maintaining ePHI, it must come into compliance with the HIPAA Rules, or securely return the ePHI to the customer or, if agreed to by the customer, securely destroy the ePHI. Once the CSP securely returns or destroys the ePHI (subject to arrangement with the customer), it is no longer a business associate. We recommend CSPs document these actions.

While a CSP maintains ePHI, the HIPAA Rules prohibit the CSP from using or disclosing the data in a manner that is inconsistent with the Rules.

Yes. The Security Rule at 45 CFR 164.308(a)(6)(ii) requires business associates to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the business associate; and document security incidents and their outcomes. In addition, the Security Rule at 45 CFR 164.314(a)(2)(i)(C) provides that a business associate agreement must require the business associate to report, to the covered entity or business associate whose electronic protected health information (ePHI) it maintains, any security incidents of which it becomes aware. A security incident under 45 CFR 164.304 means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. Thus, a business associate CSP must implement policies and procedures to address and document security incidents, and must report security incidents to its covered entity or business associate customer.

The Security Rule, however, is flexible and does not prescribe the level of detail, frequency, or format of reports of security incidents, which may be worked out between the parties to the business associate agreement (BAA). For example, the BAA may prescribe differing levels of detail, frequency, and formatting of reports based on the nature of the security incidents, e.g., based on the level of threat or exploitation of vulnerabilities, and the risk to the ePHI they pose. The BAA could also specify appropriate responses to certain incidents and whether identifying patterns of attempted security incidents is reasonable and appropriate.

Note, though, that the Breach Notification Rule specifies the content, timing, and other requirements for a business associate to report incidents that rise to the level of a breach of unsecured PHI to the covered entity (or business associate) on whose behalf the business associate is maintaining the PHI. See 45 CFR 164.410. The BAA may specify more stringent (e.g., more timely) requirements for reporting than those required by the Breach Notification Rule (so long as they still also meet the Rule's requirements) but may not otherwise override the Rule's requirements for notification of breaches of unsecured PHI.

For more information on this topic, see the FAQ about reporting security incidents (although directed to plan sponsors and group health plans, the guidance is also relevant to business associates),[16] as well as OCR breach notification guidance.[17]

Yes. Health care providers, other covered entities, and business associates may use mobile devices to access electronic protected health information (ePHI) in a cloud as long as appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of the ePHI on the mobile device and in the cloud, and appropriate BAAs are in place with any third party service providers for the device and/or the cloud that will have access to the ePHI. The HIPAA Rules do not endorse or require specific types of technology, but rather establish the standards for how covered entities and business associates may use or disclose ePHI through certain technology while protecting the security of the ePHI by requiring analysis of the risks to the ePHI posed by such technology and implementation of reasonable and appropriate administrative, technical, and physical safeguards to address such risks. OCR and ONC have issued guidance on the use of mobile devices and tips for securing ePHI on mobile devices.[18]

No, the HIPAA Rules generally do not require a business associate to maintain electronic protected health information (ePHI) beyond the time it provides services to a covered entity or business associate. The Privacy Rule provides that a business associate agreement (BAA) must require a business associate to return or destroy all PHI at the termination of the BAA where feasible. 45 CFR 164.504(e)(2)(J).

If such return or destruction is not feasible, the BAA must extend the privacy and security protections of the BAA to the ePHI and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. For example, return or destruction would be considered infeasible if other law requires the business associate CSP to retain ePHI for a period of time beyond the termination of the business associate contract.[19]

Yes, provided the covered entity (or business associate) enters into a business associate agreement (BAA) with the CSP and otherwise complies with the applicable requirements of the HIPAA Rules. However, while the HIPAA Rules do not include requirements specific to protection of electronic protected health information (ePHI) processed or stored by a CSP or any other business associate outside of the United States, OCR notes that the risks to such ePHI may vary greatly depending on its geographic location. In particular, outsourcing storage or other services for ePHI overseas may increase the risks and vulnerabilities to the information or present special considerations with respect to enforceability of privacy and security protections over the data. Covered entities (and business associates, including the CSP) should take these risks into account when conducting the risk analysis and risk management required by the Security Rule. See 45 CFR 164.308(a)(1)(ii)(A) and (a)(1)(ii)(B). For example, if ePHI is maintained in a country where there are documented increased attempts at hacking or other malware attacks, such risks should be considered, and entities must implement reasonable and appropriate technical safeguards to address such threats.

No. The HIPAA Rules require covered entity and business associate customers to obtain satisfactory assurances in the form of a business associate agreement (BAA) with the CSP that the CSP will, among other things, appropriately safeguard the protected health information (PHI) that it creates, receives, maintains or transmits for the covered entity or business associate in accordance with the HIPAA Rules. The CSP is also directly liable for failing to safeguard electronic PHI in accordance with the Security Rule[20] and for impermissible uses or disclosures of the PHI.[21] The HIPAA Rules do not expressly require that a CSP provide documentation of its security practices to, or otherwise allow a customer to audit, its security practices. However, customers may require from a CSP (through the BAA, service level agreement, or other documentation) additional assurances of protections for the PHI, such as documentation of safeguards or audits, based on their own risk analysis and risk management or other compliance activities.

No. A CSP is not a business associate if it receives and maintains (e.g., to process and/or store) only information de-identified following the processes required by the Privacy Rule. The Privacy Rule does not restrict the use or disclosure of de-identified information, nor does the Security Rule require that safeguards be applied to de-identified information, as the information is not considered protected health information. See the OCR guidance on de-identification for more information.[22]

[1] See http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf

[3] As adapted from NIST Special Publication 800-144, vi:

A Public cloud is open for use by the general public and may be owned, managed, and operated by any organization. Examples are the message storage services offered by major email providers, photo-sharing sites, and certain EMR providers. Many large organizations use Private clouds that exclusively serve their business functions. A Community cloud serves exclusively a specific community of users from organizations that have shared concerns. A Hybrid cloud is a combination of any of the above, bound together by standardized or proprietary technology that enables data and application portability.

[9] 78 Fed. Reg. 5,566, 5,572 (January 25, 2013).

[10] A key used to encrypt and decrypt data, also called a cryptographic key, is "[a] parameter used in conjunction with a cryptographic algorithm that determines its operation in such a way that an entity with knowledge of the key can reproduce or reverse the operation, while an entity without knowledge of the key cannot." See NIST SP 800-57 Part 1 Revision 4, Recommendation for Key Management, Part 1: General (January 2016). Available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf

[19] 67 Fed. Reg. 53181, 53254 (August 14, 2002).

[20] See Section 13401 of the HITECH Act.

[21] See 45 CFR 164.502(a)(3).

More:
Cloud Computing | HHS.gov


Oppo, Vivo plan to move cloud storage to India – Economic Times

NEW DELHI: Chinese smartphone makers Oppo and Vivo plan to move their cloud service locations to India, while an up and coming brand from the Asian country has called off talks with developers of apps to be pre-loaded on its devices after the Indian government asked handset companies to share their customer data security protocols.

According to senior industry executives, some domestic device vendors are also seeking clarity from pre-loaded app developers about security features to protect user data after the IT ministry recently ordered almost 30 smartphone makers, mostly Chinese, to share their information security protocols by August 28.

"Oppo and Vivo have their cloud outside India, which is usually outsourced to enterprise cloud service and data server providers like Amazon. They are now asking them to change the location of these clouds to Indian territory," said a senior executive, asking not to be identified.

Amazon Web Services and Microsoft Azure are the leading cloud and server providers and both have a presence in India. The companies did not respond to queries about whether Chinese, multinational or Indian handset makers had discussed shifting of their remote data-storage locations.

Vivo and Oppo, which are No. 3 and No. 4 in India by market share, declined to comment.

A relatively new Chinese entrant, which has soared up the handset market ranks, has halted talks with app developers after getting the government order. Its CEO said that while the company's servers and cloud storage were local, it wants to ensure compliance with any upcoming government rules before entering into agreements with app developers. Pre-loading apps on a device would give the handset maker additional revenue, he added.

A leading Indian handset brand with servers in the country has asked developers of apps that were being pre-bundled on some of its devices to share their user information protection protocols.

"We have asked them internally, so we can tell the government," a senior executive of the company said, asking not to be identified.

Cyber security experts said that moving cloud services to India would only be the first step that companies would have to take considering that the governments long-term view is to keep data of mobile phone users within the country.

"If companies are moving their cloud-based data to India, it's fine as that is the first level where data is stored and it can be easily accomplished. But the more important aspect to address is whether data would leave India at any point for processing, analytics, etc.," said Amit Jaju, partner, cyber forensics and data analytics, at EY. "The regulations need to be clearer in defining this."

Moving cloud locations would take one to two weeks and the cost would not be very high.

"However, if to move the cloud to India a brand has to change its service provider from one which doesn't have an India-ready model to one which has, that transition can become effort- and cost-oriented," said Atul Gupta, partner of IT advisory at KPMG India. EY's Jaju said large mobile companies, including Chinese handset makers, will increasingly have to keep their data storage locations within the countries where they operate as rules to protect user privacy globally, including India, become stronger.

In the European Union, the General Data Protection Regulation, which takes effect in May 2018, allows fines of up to 20 million euros or 4% of a data controller's worldwide annual turnover, whichever is higher, for violations including security breaches, and restricts transfers of EU users' personal data to countries outside the Union.

India has directed 30 handset makers including Apple, Samsung, Micromax, Xiaomi and Lenovo to share the procedures and processes they use to ensure the security of mobile phones sold in the country by August 28.

"We comply with all regulations of the Indian government," a Samsung spokesperson said. Indian companies including Micromax have made similar statements.


Quantum Computing Is Coming at Us Fast, So Here’s Everything You Need to Know – ScienceAlert

In early July, Google announced that it will expand its commercially available cloud computing services to include quantum computing. A similar service has been available from IBM since May. These aren't services most regular people will have a lot of reason to use yet.

But making quantum computers more accessible will help government, academic and corporate research groups around the world continue their study of the capabilities of quantum computing.

Understanding how these systems work requires exploring a different area of physics than most people are familiar with.

From everyday experience we are familiar with what physicists call "classical mechanics," which governs most of the world we can see with our own eyes, such as what happens when a car hits a building, what path a ball takes when it's thrown and why it's hard to drag a cooler across a sandy beach.

Quantum mechanics, however, describes the subatomic realm: the behaviour of protons, electrons and photons. The laws of quantum mechanics are very different from those of classical mechanics and can lead to some unexpected and counterintuitive results, such as the idea that an object can have negative mass.

Physicists around the world in government, academic and corporate research groups continue to explore real-world deployments of technologies based on quantum mechanics. And computer scientists, including me, are looking to understand how these technologies can be used to advance computing and cryptography.

A brief introduction to quantum physics

In our regular lives, we are used to things existing in a well-defined state: A light bulb is either on or off, for example.

But in the quantum world, objects can exist in a what is called a superposition of states: A hypothetical atomic-level light bulb could simultaneously be both on and off. This strange feature has important ramifications for computing.

The smallest unit of information in classical mechanics, and therefore in classical computers, is the bit, which can hold a value of either 0 or 1, but never both at the same time. As a result, each bit can hold just one piece of information.

Such bits, which can be represented as electrical impulses, changes in magnetic fields, or even a physical on-off switch, form the basis for all calculation, storage and communication in today's computers and information networks.

Qubits, or quantum bits, are the quantum equivalent of classical bits.

One fundamental difference is that, due to superposition, a qubit can be in a combination of 0 and 1 at the same time. Physical realisations of qubits are typically microscopic: for example, the spin of an electron or the polarisation of a photon.

Computing with qubits

Another difference is that classical bits can be operated on independently of each other: Flipping a bit in one location has no effect on bits in other locations. Qubits, however, can be set up using a quantum-mechanical property called entanglement so that they are dependent on each other even when they are far apart.

This means that operations performed on one qubit by a quantum computer can affect multiple other qubits simultaneously. This property, akin to, but not the same as, parallel processing, can make quantum computation much faster than in classical systems for certain problems.

Large-scale quantum computers, that is, quantum computers with hundreds of qubits, do not yet exist, and are challenging to build because they require operations and measurements to be done on an atomic scale.

IBM's quantum computer, for example, currently has 16 qubits, and Google is promising a 49-qubit quantum computer, which would be an astounding advance, by the end of the year.

(In contrast, laptops currently have multiple gigabytes of RAM, with a gigabyte being eight billion classical bits.)

A powerful tool

Notwithstanding the difficulty of building working quantum computers, theorists continue to explore their potential. In 1994, Peter Shor showed that quantum computers could quickly solve the complicated math problems that underlie all commonly used public-key cryptography systems, like the ones that provide secure connections for web browsers.

A large-scale quantum computer would completely compromise the security of the internet as we know it. Cryptographers are actively exploring new public-key approaches that would be "quantum-resistant", at least as far as they currently know.
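To make concrete what "quickly solve the complicated math problems" means, here is an added example (written for this page, not part of the article) of the classical half of Shor's algorithm in Python. Factoring N is reduced to finding the order r of a random a modulo N; the quantum computer's only job is that order-finding step, for which the brute-force find_order below stands in. Its running time grows with r, which is exponential in the bit length of N, and that gap is exactly why RSA is safe against classical machines and not against a large quantum one. The function names, the seed, and the moduli 15 and 3233 (53 × 61) are choices made for this illustration.

```python
from math import gcd
import random


def find_order(a: int, n: int) -> int:
    """Return the smallest r > 0 with a**r % n == 1, by brute force.

    Order finding is the only step of Shor's algorithm that needs a quantum
    computer (there it is done with the quantum Fourier transform). This
    classical loop takes time proportional to r, which is exponential in the
    bit length of n, and stands in for the quantum subroutine.
    Requires gcd(a, n) == 1, otherwise no such r exists.
    """
    if gcd(a, n) != 1:
        raise ValueError("a and n must be coprime")
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, seed: int = 1, attempts: int = 100):
    """Split an odd composite n (not a prime power) into two non-trivial factors
    using the classical post-processing of Shor's algorithm.

    Returns a sorted (p, q) pair with p * q == n, or None if every attempt
    fails (for example because n is prime).
    """
    rng = random.Random(seed)  # seeded so the example is reproducible
    if n % 2 == 0:
        return (2, n // 2)
    for _ in range(attempts):
        a = rng.randrange(2, n)
        g = gcd(a, n)
        if g > 1:
            # Lucky guess: a already shares a factor with n.
            return tuple(sorted((g, n // g)))
        r = find_order(a, n)
        if r % 2:
            continue  # need an even order to take a square root of 1
        y = pow(a, r // 2, n)  # y*y == 1 (mod n) and y != 1 because r is minimal
        if y == n - 1:
            continue  # y == -1 (mod n) only yields the trivial factorisation
        p = gcd(y - 1, n)  # y != +-1 guarantees this gcd is non-trivial
        if 1 < p < n:
            return tuple(sorted((p, n // p)))
    return None


if __name__ == "__main__":
    print(find_order(7, 15))   # 4
    print(shor_factor(15))     # (3, 5)
    print(shor_factor(3233))   # (53, 61), the textbook toy RSA modulus
```

Everything here except find_order runs in polynomial time on an ordinary computer; a real implementation keeps this post-processing unchanged and replaces only the order-finding loop with the quantum routine.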

Interestingly, the laws of quantum mechanics can also be used to design cryptosystems that are, in some senses, more secure than their classical analogs. For example, quantum key distribution allows two parties to share a secret no eavesdropper can recover using either classical or quantum computers.

Those systems and others based on quantum computers may become useful in the future, either widely or in more niche applications. But a key challenge is getting them working in the real world, and over large distances.
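As an added illustration of the key-distribution idea in the two paragraphs above (example code written for this page, not from the article), the following Python simulates the BB84 protocol between Alice and Bob with an optional intercept-and-resend eavesdropper. Qubits are modelled by the single rule the exchange relies on: measuring a photon in the basis it was prepared in returns the encoded bit, while measuring in the other basis returns a random bit and destroys the original. Without Eve the sifted keys agree exactly; with Eve roughly a quarter of the sifted bits disagree, which is how the parties detect her. The function name, seed and run length are choices for this illustration.

```python
import random


def bb84(n_qubits: int, eavesdrop: bool, seed: int = 7):
    """Simulate one BB84 run and return (alice_key, bob_key, qber).

    The model is classical: a bit prepared in one basis and measured in the
    same basis is read back correctly; measured in the other basis it gives a
    uniformly random bit and the original value is lost.
    """
    rng = random.Random(seed)  # seeded so the run is reproducible

    def measure(bit, prep_basis, meas_basis):
        return bit if prep_basis == meas_basis else rng.randrange(2)

    # Alice: random bits, each encoded in a random basis (0 rectilinear, 1 diagonal).
    alice_bits = [rng.randrange(2) for _ in range(n_qubits)]
    alice_bases = [rng.randrange(2) for _ in range(n_qubits)]

    sent_bits, sent_bases = alice_bits, alice_bases
    if eavesdrop:
        # Eve intercepts every photon, measures it in a guessed basis and
        # re-sends a fresh photon carrying her result in that basis.
        eve_bases = [rng.randrange(2) for _ in range(n_qubits)]
        eve_bits = [measure(b, pb, eb)
                    for b, pb, eb in zip(alice_bits, alice_bases, eve_bases)]
        sent_bits, sent_bases = eve_bits, eve_bases

    # Bob: measures each incoming photon in his own random basis.
    bob_bases = [rng.randrange(2) for _ in range(n_qubits)]
    bob_bits = [measure(b, sb, bb)
                for b, sb, bb in zip(sent_bits, sent_bases, bob_bases)]

    # Sifting over the public channel: bases are announced (never the bits) and
    # only positions where Alice and Bob chose the same basis are kept.
    keep = [i for i in range(n_qubits) if alice_bases[i] == bob_bases[i]]
    alice_key = [alice_bits[i] for i in keep]
    bob_key = [bob_bits[i] for i in keep]

    # Error estimate. A real run sacrifices a random subset for comparison;
    # here the whole sifted key is compared to make Eve's footprint visible.
    errors = sum(a != b for a, b in zip(alice_key, bob_key))
    qber = errors / len(keep) if keep else 0.0
    return alice_key, bob_key, qber


if __name__ == "__main__":
    for eve in (False, True):
        a_key, b_key, qber = bb84(2000, eavesdrop=eve)
        print(f"eavesdropper={eve}: sifted {len(a_key)} bits, error rate {qber:.3f}")
```

Eve's problem is that half the time she guesses the wrong basis, and on those photons the value Bob receives is decoupled from Alice's bit, so even after sifting a quarter of the key disagrees. Alice and Bob abort on an error rate that high instead of using the key.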

Jonathan Katz, Director, Maryland Cybersecurity Center; Professor of Computer Science, University of Maryland.

This article was originally published by The Conversation. Read the original article.


Leak of >1700 valid passwords could make the IoT mess much worse – Ars Technica

Security researchers have unearthed a sprawling list of login credentials that allows anyone on the Internet to take over home routers and more than 1,700 "Internet of things" devices and make them part of a destructive botnet.

The list of telnet-accessible devices, posted on Pastebin, was first published in June, but it has been updated several times since then. It contains user names and passwords for 8,233 unique IP addresses, 2,174 of which were still running open telnet servers as of Friday morning, said Victor Gevers, chairman of the GDI Foundation, a Netherlands-based nonprofit that works to improve Internet security. Of those active telnet services, 1,774 remain accessible using the leaked credentials, Gevers said. In a testament to the poor state of IoT security, the 8,233 hosts use just 144 unique username-password pairs.

It is likely that criminals have been using the list for months as a means to infect large numbers of devices with malware that turns them into powerful denial-of-service platforms. Still, for most of its existence, the list remained largely unnoticed, with only some 700 views. That quickly changed Thursday with this Twitter post. By Friday afternoon, there were more than 13,300 views.

"There's not much new about devices standing out there with default or weak credentials," Troy Hunt, a security researcher and maintainer of the Have I Been Pwned breach notification service, told Ars. "However, a list such as we're seeing on Pastebin makes a known bad situation much worse as it trivializes the effort involved in other people connecting to them. A man and his dog can now grab a readily available list and start owning those IPs."

Last year, several botnets came to light that drastically increased the potency of DDoS botnets, which use thousands of computers or other Internet-connected devices all over the world to bombard a single target with more junk traffic than it can process. Security site KrebsOnSecurity, for instance, was taken down for days by attacks that delivered a then-staggering 620 gigabits per second of network traffic. Around the same time, a French Web host reported sustaining onslaughts of 1.1 terabits per second.

The botnets that made these once-unthinkable attacks possible carried names such as Mirai and Bashlite (spelled Bashlight in some reports). Unlike more traditional botnets that infected Windows computers, the new generation targeted routers, security cameras, and other Internet-connected devices. According to OVH, the France-based Web host, the 1.1-terabit-per-second barrage was delivered by roughly 145,000 devices. Based on that figure, the 2,174 currently available devices in the list that came to light Thursday are capable of only a small fraction of that firepower. Still, that's enough to bring plenty of smaller sites down almost instantly.

Some of the credentials included in the list suggest that some of the devices have already been conscripted into botnets. The username-password combination mother:fucker, for instance, is used by some IoT botnets once they infect a device. Even if a device is currently infected by such a botnet, it's often possible for a rival botnet operator to seize control of it by causing it to restart, since most of the malware can't survive a reboot. The ready availability of addresses means a single device could be taken over by multiple groups.

Overall, the list included more than 33,000 records, presumably because it had been updated over time from multiple Internet scans without redundant entries being removed. Some IPs in the list showed more than one username-password pair, either because that device had more than one account or because the device had been infected by malware on subsequent scans.
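As an added example (written for this page, not from Ars or the GDI Foundation), the Python below shows the kind of deduplication behind the figures quoted above: counting unique hosts and unique username:password pairs after collapsing repeated scan entries, listing hosts that expose more than one credential, and flagging the mother:fucker pair the article identifies as a botnet marker. The dump format (ip:port user:password, one record per line) and the sample lines are constructed for this illustration using documentation address ranges; the real Pastebin list is not reproduced.

```python
from collections import Counter, defaultdict
import re

# Constructed sample in the assumed shape of a leaked telnet credential dump.
SAMPLE_DUMP = """\
203.0.113.10:23 admin:admin
203.0.113.10:23 root:root
203.0.113.11:23 admin:admin
198.51.100.7:23 root:vizxv
198.51.100.7:2323 root:vizxv
192.0.2.44:23 support:support
192.0.2.45:23 admin:1234
192.0.2.45:23 admin:admin
198.51.100.8:23 root:xc3511
192.0.2.46:23 mother:fucker
this line is junk and must be skipped
"""

# Credential pairs the article says botnet malware sets after infecting a device.
BOTNET_MARKERS = {("mother", "fucker")}

LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<user>[^:\s]+):(?P<pw>\S*)$"
)


def parse_dump(text: str):
    """Return (ip, port, user, password) tuples, skipping lines that do not match."""
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            records.append((m["ip"], int(m["port"]), m["user"], m["pw"]))
    return records


def summarize(records, top: int = 5):
    """Collapse repeated scan entries per host and report the dump's statistics."""
    creds_by_ip = defaultdict(set)
    for ip, _port, user, pw in records:
        creds_by_ip[ip].add((user, pw))  # same pair seen on two ports counts once

    # Each host contributes each of its distinct pairs once, so a pair's count
    # is the number of hosts it opens.
    pair_counts = Counter(pair for pairs in creds_by_ip.values() for pair in pairs)
    password_counts = Counter(pw for (_user, pw) in pair_counts.elements())

    return {
        "unique_ips": len(creds_by_ip),
        "unique_pairs": len(pair_counts),
        "top_pairs": pair_counts.most_common(top),
        "top_passwords": password_counts.most_common(top),
        "multi_credential_ips": sorted(
            ip for ip, pairs in creds_by_ip.items() if len(pairs) > 1
        ),
        "suspected_infected": sorted(
            ip for ip, pairs in creds_by_ip.items() if pairs & BOTNET_MARKERS
        ),
    }


if __name__ == "__main__":
    stats = summarize(parse_dump(SAMPLE_DUMP))
    for key, value in stats.items():
        print(f"{key}: {value}")
```

The per-host set is what turns a 33,000-record dump into counts of hosts and pairs that can be compared across scans; the two extra lists are the ones a responder wants first, since a host with several working logins is probably already shared between operators and a host carrying a botnet marker pair has already been taken.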

The list was posted by someone who has previously published a host of valid log-in credentials and botnet source code that has proven useful to security professionals, Ankit Anubhav, a researcher with NewSky Security, told Ars. While some of the exposed passwords had been changed, even those remained weak enough to be deduced using brute forcing, a technique that repeatedly submits the most commonly used usernames and passwords into telnet-accessible devices in hopes of guessing the right combination. The vast majority of the 144 unique pairs, however, were factory-default credentials. The top 10 passwords, as tallied by Anubhav, were:

Of those, all but one, GMB182, were factory default passwords. GMB182 has often been used in the past by botnet malware.

Meanwhile, Gevers said the top five username-password combinations were:

People who use routers, cameras, and other IoT devices are reminded that remote access should be enabled only when there is good reason, and then only after changing default credentials to use a unique, randomly generated password, ideally of 12 or more characters, or assuming the device doesn't allow that, one as long as possible. Even when remote access is disabled, people should always ensure the default password is replaced with a strong one.

Gevers said he and other GDI Foundation volunteers are in the process of contacting as many currently affected host owners as possible in an attempt to lock down the vulnerable devices. Given the IoT's deserved reputation for poor default security and the lackadaisical approach many users have for securing their devices, there almost certainly are tens of thousands of other vulnerable devices that can be easily detected doing a simple Internet scan.
