Blogs@Intel

Where do secure, private and compliant APIs come from?

Fri, 24 May 2013 21:04:18 +0000

It’s apps that always get the glory don’t they? After reflecting on my talk at the Health Refactored conference in Mountain View last week, I saw a lot of focus on the consumer and client side of the healthcare API equation, but almost nothing on how to build up a scalable, compliant and secure governance layer for API traffic that might contain sensitive PHI or PII information.

There were quite a lot of great talks, and one of my favorites was Rachel Kalmar’s talk on Towards an Open Data Ecosystem. One of the points she made was with regards to the semantics of health care data, especially in relation to the new category of smart devices such as the fitbit as well as related fitness apps such as RunKeeper.

She made an important point on health care data/fitness interoperability – how does one measure a “step”, and how would such “steps” be interoperable among different service providers? This question is difficult because each company will have their own definition making this type of interoperability problem elusive, and because each of these companies eventually want to survive, they will need some sort of business plan, which likely amounts to “monetizing” this stored data, ensuring that it remains locked-up in silos. I tweeted to her that we have JSON and XML but this only helps with structure, not semantics. Can standards help here? Maybe. It seems like one of those big “lets get together and definite an ontology” projects.

From an API perspective, each of these companies are collecting data from these devices and storing it using RESTful API calls. There are two important but related points here:

1. Who owns the data?
2. What sort of privacy and compliance protections are required for fitness/health data?

Point 1 is controversial, and I would argue that defining such ownership is a difficult non-technical question. When is data my own property? As an avid user of RunKeeper it seems logical that the record of my runs, time elapsed, elevation gain, average pace, best pace and frequency are all my data. After all, I generated it! Seems obvious, no?

One opposing point comes from 17th century philosopher John Locke. Given a state where the world has a large set of common resources, he asks a strikingly similar question about property. When is something that I obtain for free my property?

The example he uses is an acorn and apples found under a tree used for nourishment. Precisely when does the apple become my property?

He writes.. “I asked then, when did they begin to be his? When he digest? Or when he eat? Or when he boiled? Or when he brought them home? Or when he picked them up? And it is plain, if the first gather made them not his, nothing else could.” For Locke the distinction is whether or not labor was mixed with the resource.

If we apply this logic to a free app such as RunKeeper, it’s not like I can reach inside my body and pull out a USB drive containing my running data. The good folks at RunKeeper have mixed considerable labor in terms of building the app, running the infrastructure to host the API that receives the data from the phone and tracking the results. RunKeeper provides the labor, and the customer captures this value at no monetary cost. Sure, it was my body that did the run, but under this logic, it’s RunKeepers data, because they are the ones that put the work into it. I just got a free app, similar to Locke’s example of picking up an apple under the tree.

As for API building blocks, Intel’s Expressway can help protect PII, PHI, and PCI data in API calls as data is received or queried, helping it address #2. The trouble here, however, is that it’s not entirely clear what sort of protections a service provider must provide. Even if data is de-identified, examples such as the “Massachusetts Attack” demonstrate that even “de-identified” data can be combined with other data sources to re-identify the data. Does that mean we shouldn’t mitigate such attacks with tools like Expressway? I think we absolutely have to.

Blake

The post Where do secure, private and compliant APIs come from? appeared first on Application Security.

Cloud Service Brokerage: Enabling MBaaS for the Enterprise

Fri, 24 May 2013 17:00:00 +0000

API Evangelist Kin Lane has just released a new paper that provides an overview of the Backend as a Service space. Kin’s research does a great job covering the breadth of tools and services that get lumped in under the BaaS/MBaaS category. In the paper, he takes a closer look at what constitutes an MBaaS offering, and which vendors provide solutions. To me one of the key takeaways in the paper (and from other reading about MBaaS) is that these services are all about agility, and about commoditizing APIs. Just as OAuth eliminates the need to roll your own authentication mechanism, incorporating MBaaS services into your applications can allow you to focus on creating new features rather reinventing the wheel in other areas such as location or notification services. This ties in nicely with the other work Kin has been doing, tracking Cloud Service Brokerage in the API domain.

Enterprise IT Concerns

Most MBaaS services aim to reduce the barriers to application development. They’re intended to be easy to use, which includes being easy to adopt. Some are “freemium”, while others use success-based pricing. As a result, developers don’t need to execute purchase orders in order to start using them – they just sign up through a portal, click “agree” on some terms and conditions they probably never read, and maybe provide a credit card number. This is similar to what happened when Amazon and other providers started offering cloud infrastructure — IT initially lost visibility into what was being hosted outside of the corporate data center because it was easier to go around IT than to use IT to engage with these services.

As I said in my last post, APIs will be the next wave of consumerization. What I mean by this is that just as employees have gravitated towards the devices and cloud services that make them most productive, developers will do the same with APIs. This will happen whether IT wants it to or not – their choice is to lead, follow, or get out of the way. (The fourth option, blocking access to non-approved APIs is not likely to be successful, given the ever-increasing number of public APIs).

IT as a Cloud Service Brokerage

Rather than putting our heads in the sand or trying to fight the adoption of these APIs, there is an opportunity for IT to play a leadership role within the enterprise by establishing itself as a cloud service brokerage. Just as IT shops are extending their service catalogs with SaaS and IaaS offerings, they should consider adding APIs that provide a core set of capabilities. Done right, this adds value for enterprise developers by reducing cost and complexity.

First, consider the spectrum of public APIs – 9185 according to ProgrammableWeb as of this writing (but that will be outdated by the time you are reading this). Even if we constrain this to MBaaS providers, Kin Lane’s paper covers dozens of those and there may be even more minor players out there. By analyzing the landscape of MBaaS providers and framing their solutions in terms that the business can understand, an IT shop can remove a lot of duplication of effort among the developer communities that it supports. IT can also work with their dev community to look at competing offerings and assess which one has best pricing and functionality. Just as IT has helped their line-of-business customers standardize on enterprise software suites and cloud providers, the next opportunity will be to align APIs to improve interoperability across apps within the enterprise.

As more enterprise developers adopt MBaaS services for their apps, IT can also help to drive down costs by taking advantage of economies of scale. Most API providers offer volume pricing — heavy users are charged less per API call than lighter users, except for the very bottom tier of developers who are just kicking the tires. While any organization can reuse a single API key to pool their usage, an API management layer can provide finer-level detail and billing support. An enterprise could, for example, assign internally-generated API keys to each developer registering to use an MBaaS API, rolling all of those up into the corporate API key before forwarding to the MBaaS provider. This indirection provides visibility into how heavily each app is using the API, which could be factored into a charge-back model for the API’s consumption. The benefit to the develop is that they have visibility into all of the APIs they’re consuming from a single IT-provided dashboard rather than having to look at a different portal for each API provider they’re using.

The API management layer also gives the enterprise’s information security office better insight into how these APIs are being used, and what data is being transferred. Sensitive data can better be protected by enabling tokenization, data loss protection, or other policies on the API from within the enterprise regardless of what the MBaaS provider offers on their side.

Finally, as more competition emerges in the MBaaS landscape, IT can utilize competing offerings to provide a failover service for API calls (I covered this in a bit more detail in my previous post). An API management layer allows IT to mediate between two APIs providing the same functionality. If the preferred provider is down, it can be mediated so that it is interoperable with the second provider’s interface, and the response can be reformatted so it conforms to what the app is expecting. This increases app resiliency without any additional app code being added by the developer – this benefit is amplified as more of the enterprise’s apps adopt the same core set of APIs.

Summary

Make no mistake: enterprise developers will be incorporating MBaaS and other external APIs into their apps. Many are doing so already. This can be a good thing, as it allows them to focus on providing new, business-specific functionality rather than getting bogged down in implementation of basic functions. This improves time to results and adds value to the enterprise.

IT’s opportunity is to engage with their internal dev community early on and do what IT excels at: procurement, provisioning, security/compliance analysis, and integration. By adding MBaaS APIs to an internal service catalog, IT can demonstrate that it understands the landscape and has been proactive in onboarding the APIs that the enterprise needs. By incorporating these external APIs into their API management layer, IT can also employ second sourcing and economies of scale to drive down cost while increasing app resiliency and reliability.

Additional Resources

As I noted above, Kin Lane’s Overview of the BaaS Space is a good place to start. Our Mobile Middleware Buyers Guide goes into more depth about the API management layer as it relates to mobile app dev scenarios. We also have a Webinar with Gartner about IT’s role as a Cloud Service Brokerage.

The post Cloud Service Brokerage: Enabling MBaaS for the Enterprise appeared first on Application Security.

Behind the scenes: Users first inside Intel IT

Wed, 22 May 2013 13:01:01 +0000

Managing the Changing IT Landscape: User-Centered Computing

In my recent blog, “It’s time to put users first” I wrote about user-centered computing, a strategy for embracing consumerization that puts users first. Much like user-centered design seeks to optimize a product around the needs of customers, a user-centered approach to IT involves learning from research and user engagement. And for Intel IT, user-centered computing works very well.

Intel IT worked proactively with employees using an inclusive strategy based on three core principles:

Inviting
- Deploying early adopter programs to help guide IT strategies
- Having employees participate in proof-of-concept studies, pilot programs, research, and surveys

Listening
- Conducting user segmentation research to target IT solutions and services to specific employee groups, optimize PC refresh rates, and improve technical support
- Using a human-factors-engineering group to learn how people use and interact with technology to optimize workflows

Informing
- Sharing a variety of approaches on technical implementation and IT services to help guide employees on Bring Your Own PC (BYO-PC)
- Educating employees on pros and cons as well as use cases, IT services, and the security capabilities of a variety of devices, helping to smooth adoption

To learn more about how Intel IT applies these principles, check out this IT whitepaper that I coauthored with my Intel IT colleagues Lisa Spelman, Director of Employee Computing Platforms, and Julie Rovegno, Manager of IT Products and Services. You can also listen to Lisa’s Inside IT podcast.

Does your IT organization practice user-centered computing? How do you make it work?

Chris
@chris_p_intel
#UserCenteredComputing #Consumerization #IntelIT

http://www.intel.com/itcenter

Big Data, IoT, API …….Newer technologies protected by older security.

Sat, 18 May 2013 14:32:54 +0000

Now-a-days every single CIO, CTO, or business executive that I speak to is captivated by these three new technologies: Big Data, API management and IoTs (Internet of Things). Every single organizational executive that I speak with confirms that they either have current projects that are actively using these technologies, or they are in the planning stages and are about to embark on the mission soon.

Though the underlying need and purpose served are unique to each of these technologies, they all have one thing common. They all necessitate newer security models and security tools to serve any organization well. I will explain that in a bit, but let us see what is the value added by these technologies to any organization:

IoT – is specific data collection points that employ sensors placed anywhere and everywhere. Most often times the information collected by these devices are sensitive data and contain specific identifiable targeted data. IoT allows organizations to analyze behaviors and patterns as needed but also poses an interesting problem. Gone is TB (Terabytes) of data; now we are talking about PB (petabytes) of data which continue to grow exponentially. IoTs use M2M communication, which are a newer channel and create a newer set of threat vectors.

Big Data – - store massive amounts of data (some of these data are from the aforementioned IoTs) and having the necessary software and infrastructure that allow you to access them faster which promises to cost you a fraction of what it is costs today, further enabling you to capture as many data points as possible.

API – interface, enabler and interconnector between systems by providing a uniform and portable interface (whether it is to the big data or the platform that enables big data).

While each of technologies at first glance appears to be serving different constituencies within an Enterprise, there is an undeniable interconnectedness that exists. The IoT collects data from everywhere. Hence, it is pouring tons of data that need to be not only stored somewhere, but also analyzed properly so that the dots can be connected, to ultimately form meaningful patterns that people can make use of.

[In the graphic above assume all communications to the central neural system is via APIs.]

With the evolution of these technologies, there is a very raw, basic, and yet incontrovertible need being expressed. Every business yearns to be better than its competitors in catering to the needs of its consumers. I mean the “consumer” in a loose sense here – be that an individual or for that matter, an organization that is consuming your offerings. Ipso facto, this means you need to capture as much information as you possibly can about the target consumer behavior, so that it can be analyzed, protected, stored, shared selectively, and most importantly, so that it can serve your consumer better (or perhaps to be used when strategically monetizing an area of your business).

None of these technologies is in a trial phase any more. If anything, the social media explosion provided ample evidence that these technologies are being used quite effectively already (real life POCs). Of late, all of these technologies have been gaining adoption in the sacred technology worlds, such as the healthcare and financial sectors. However, when you employ these technologies with your production applications, you need an enterprise grade security that is built from the ground up to provide a necessary level of protection.

In the social world, the model had always been, “build [it] first and secure later based on the need” (or never in some cases). With healthcare, federal and financial sectors, that model is no longer tenable. You need to secure data at any cost, question anybody who wants access, and be hyper-vigilant without compromise.

What is particularly troublesome is that these organizations seem to be of the thought that they can extend existing security measures to protect all of these newer technologies. While your SSL, Identity systems and other existing controls can serve as the baseline for these technologies, you need a newer set of security controls and tools in place. Your security model needs to make the necessary accommodations, instead of trying to force fit everything to make the older set of tools to fit. That would be like trying to fit a square peg in a round hole. I have seen customers trying to bend RACF to fit the newer SOA, API, Big data paradigm. While it can be done, it would end up costing you more, will be very inflexible, and defeats the fundamental purpose of security. Don’t get me wrong — everything has a place in this universe.

Remember I wrote recently about the disappearing perimeter defenses and moving lines of thin defense. This is due to shared data centers, cloud adoption, multiple shared tenants, deeper integration and wider exposure to multiple partners, etc. Regardless of the scenario, you need to protect your own data and be accountable for it. Cyber attackers are very sophisticated and are funded by organizations (or even countries), which means they need to get to the proverbial data goldmine. Without adequate protection, this can prove to be that goldmine. The thing that scares me the most is the underlying threat to all of the above technologies when you try to fit them into the older security model. Most of the above technologies, from what I have observed, are either under protected or unprotected. While it is great for organizations to maximize monetization and satisfaction of a consumer and have a competitive edge over others, that shouldn’t come at the cost of security or by increasing their risk. Especially when it comes to security, Murphy’s Law is always right; it is not a question of if a security loophole will be exploited; it is a question of when.

You not only need to identify the users, authenticate them, and authorize them but also make sure they are allowed access during that time window that they are requesting the info (throw in a location based and device based identification on top).

In addition, you also need to worry about protecting the big data store itself, including strong encryption of storage, transmission, and in process data.

But then, most important of all, you need to mitigate the threat vectors that are created by these new technologies. I will write in the next few articles about how you can protect all of these areas with minimal effort while keeping your TCO very low. I will also talk about specific usecases and usage models that will make sense.

Blake recently wrote a great blog on “touchless” Big Data security. I urge you to check it out here. Demo version is here.

The post Big Data, IoT, API …….Newer technologies protected by older security. appeared first on Application Security.

Ask Ivy

Thu, 16 May 2013 20:38:10 +0000

Hey. What’s up. Yeah, so, I took last year off from blogging here. But there are a lot of things to share about what we’re doing in Human Resources for employees, so I’m back. This is also a good time to give Sejal a shout-out for coordinating these blogs – she does an awesome job!

Okay, the newest thing we’ve launched is a “virtual HR agent”. What’s that, you ask? You know when you shop online, whether it’s for new gadgets or it’s for a plane ticket to go somewhere or maybe it’s just for odds and ends, some websites have a virtual agent that will answer FAQs for you and guide you through the process. Our new virtual HR agent, we named her Ivy, is set up to do the same thing, but for our employees at Intel (so this is an internal tool.) If employees have questions about their pay, stock, benefits, or other HR programs, they simply bring Ivy up on the intranet and type in a question. Ivy uses a combination of natural language processing, artificial intelligence and optimized search to find the answer to the question. Also, magic. Okay, well, it’s like magic to me, so… As of today, Ivy has 4,331 possible responses. How do I know that number so exactly? I led the team that wrote all the responses. You can bet we’re excited for the launch after all that work!

From our research, we’re the first company to implement a virtual agent like this for their employees. Ivy’s no chatbot and she’s not backed by a human “behind the curtain”. She’s all software. We’ve got lots of metrics in place to monitor her performance and our employees can give a star rating to each interaction. Using the performance data and star ratings, we can tune Ivy to make her even better. Beyond that, what’s weird is that she learns. Seriously. Her artificial intelligence gets better as employees ask her questions. Amazing. Oh, and no surprise, she runs on Intel-powered servers. You saw that coming, didn’t you?

So, we started 2013 off with a big project launch that will improve the employee experience here at Intel. And I’m back on the blog. Is it going to be a great year? You bet it is!

The post Ask Ivy appeared first on Jobs@Intel Blog.

Be Your Own Broker: An Enterprise Perspective using API Management

Wed, 15 May 2013 20:07:43 +0000

Kin Lane has started tracking what he calls API Brokers over at API Evangelist. This quote illustrates the promise of API brokerage:

I envision other new API brokers emerging, in niche areas like images, video or messaging. Imagine if you could use Twilio, Tropo or other SMS API provider, but use through a broker who will give you the best availability and costs based upon various needs. This type of API aggregation is not meant for providing users with access to multiple cloud silos via APIs, it is more about brokering API resources and establishing a marketplace.

This really resonated with me, as it is similar to something we’ve been talking about for a while: IT as a Cloud Service Brokerage, which is an emerging specialization of API management. As SaaS, Consumerization, and the general bring-your-own trends continue to accelerate, IT shops are looking to bundle new functionality into their applications while ensuring that they still deliver the expected levels of service. Consumerization/BYO has expanded from handheld devices and ultrabooks to include cloud services like Dropbox, Evernote, and Google Docs. APIs will be the next wave in consumerization. As is the case with many cloud services, APIs with equivalent functionality can be available from multiple sources, but the longevity of the providers (or, as is often the political reality, the contract with the providers) may be uncertain. In addition to the services Kin mentions,

Translation / localization services — remember when Google temporarily pulled the plug on the Translate API? Fortunately they changed their mind, but what if they hadn’t?
Location / Mapping services
Push notifications
… One could spend weeks browsing ProgrammableWeb or Kin’s own list of building blocks and uncover dozens of domains with two or more functionally-equivalent providers

What is an IT shop to do, then, when incorporating cutting-edge functionality into applications when the only providers are fledgling startups (or even hobbies within multi-billion dollar corporations)? It seems like a few options exist:

Bet on the current leader when the app is being developed; rip & replace if conditions change
Code multiple providers’ APIs into the app, embedding some prioritization and fall-back logic
Use an aggregator

Clearly the aggregation layer (whether embedded in the app or as a cloud service) offers more agility and resilience than hard-coding. The additional indirection provides protection against service outages – whether they are due to an operational issue with an API provider, an infrastructure issue with their cloud service provider, or an untimely end-of-life for the service. However, given that this domain is just emerging, most of the aggregators are likely early-stage startups themselves. Their availability and longevity may not be any better than the APIs they are proxying — in fact, it may be less.

An enterprise IT shop has another option here: acting as its own Cloud Service Brokerage. An API gateway is already acting as a proxy between clients and APIs. By adding some additional logic to the API management workflow, the gateway can offer a fallback path to a different provider. By placing the API management & brokerage layer inside the enterprise cloud (whether public, private, or virtual private), the brokered APIs will have the same availability as the rest of the enterprise infrastructure. The gateway already has remediation capabilities built in — JSON or XML fields can be renamed and reordered, omitted, or populated with default values. An enterprise could even define its own API structure that is then redirected in the format expected by the services it is brokering. If necessary, this logic can be combined with format-preserving encryption or tokenization to ensure that sensitive corporate data isn’t transmitted to a third party.

This on-prem brokerage approach is not without tradeoffs, however. First, an API management solution is not likely to be as dynamic as a specialized brokerage service. This means that market forces are less likely to be factored into the runtime routing decision. While contracts and other external forces can be incorporated at configuration time and reviewed on a regular basis, the multi-provider API management policy is most likely going to be implemented as a favored provider with fallback providers utilized for availability, not cost (on the other hand, a brokerage service’s profit margin may offset much of cost savings due to market efficiency). Also, by using a brokerage (whether internal or external), there may be functional tradeoffs: the application may be restricted to the greatest common denominator of all available APIs to allow for aggregation and avoid vendor lock-in. I find these tradeoffs to be fairly standard in Enterprise IT, however, and are widely accepted as part of the cost of providing a stable, predictable IT environment.

I’ll revisit this topic again in the context of Mobile Backend as a Service (MBaaS), but in the interim I’ll leave off with a webinar featuring Gartner on IT’s role as a Cloud Service Brokerage.

The post Be Your Own Broker: An Enterprise Perspective using API Management appeared first on Application Security.

Our New PC Delivery Process Cuts Employee Downtime

Wed, 15 May 2013 19:49:16 +0000

Getting a new PC used to take valuable time out of the workday. But as part of our focus on a user-centered model of delivering IT services, Intel IT recently optimized our PC delivery process, resulting in improved employee productivity, a better employee experience, and reduced operational costs. These process improvements allow our employees to return to work more quickly, reducing their downtime from an average of 4.5 hours to 1 hour, a 77-percent reduction. Read the paper "New PC Delivery Process Cuts Employee Downtime" to learn about the changes we made.

Hadoop Security: Internal or External? Why not both!

Wed, 15 May 2013 01:15:55 +0000

I saw a conversation today on Twitter that asked why we don’t just embed proper security into Hadoop instead of suggesting the API gateway approach to Hadoop security that my colleague Blake proposed. The same could be asked about any number of applications and services, but the bottom line is that we believe that a two-pronged approach is best.

Internally, we have dramatically improved Hadoop’s security capabilities via Project Rhino. This enables best security practices like encryption at rest, which cannot be implemented anywhere else. We are also working to standardize the authorization framework and implement token based authentication with single sign-on. These are all core capabilities that absolutely need to be added to Hadoop’s code base.

The gateway approach addresses something else – the API layer. While I agree that any application should protect against common attacks, consider this in the bigger picture. First, consider the number of different features that may be required by Hadoop adopters: tokenization, data field encryption, integration with Active Directory, mapping to OAuth for mobile applications, etc. It would take a staggering number of man-hours to implement all of these features within Hadoop. Now consider the number of enterprise applications that expose APIs — consider the investment required to duplicate those features within each of these application suites. Finally, consider the job of the poor sysadmin who has to selectively enable these features consistently across everything in their domain, along with the one who gets to come along behind him and audit for compliance. Add to that the probability (or lack thereof) that all of these vendors implemented the features with common configuration processes…

Our façade proxy abstracts much of this functionality to an external system with an easy-to-use graphical interface. Implementation and inspection of common security policies can be managed across all APIs within the enterprise. More complex, custom workflows can be created and reused as well. Finally, the gateway complements the Project Rhino work which provides a solid security foundation that can then be extended (in a standard fashion) by the gateway.

Part of the objection/confusion is shown here:

@alexis_gil my problem with it is standard – adding a totally new layer in between with completely new protocol doesn’t help adoption

— Alex Gorbachev (@alexgorbachev) May 14, 2013

I want to clarify that we are talking about standard protocols – in fact, the gateway pattern is really putting a secure front on the already standardized APIs found in Hadoop such as WebHDFS and Stargate. These APIs aren’t new protocols, but the façade pattern helps with separation of concerns and lets the data scientists worry about data and the security folks worry about security.

The post Hadoop Security: Internal or External? Why not both! appeared first on Application Security.

Our Next Webinar: Five Practical Steps to Building an Enterprise Class API Program

Tue, 14 May 2013 21:09:57 +0000

Join us Wednesday, May 22 at 10:00a Pacific / 1:00p Eastern for our next webinar with Capital One and Mashery:

APIs are a hot topic in all sectors of IT – they have gone from being niche solutions provided by big players like Amazon and Google, to being almost as ubiquitous as corporate websites. Ad hoc API development & evangelism without a formal program can leave real revenue on the table, can unintentionally leak sensitive data, and can tarnish the corporate brand with the development community. Today, developers and partners expect to be engaged with first class API programs, while businesses expect real insights to know which APIs are profitable and which APIs to bring to market next.

In this webinar, Intel & Mashery outline the baseline enterprise pillars for constructing a first class API program. Learn from CapitalOne how they strategized to build an API program grounded in core business objectives. All attendees will receive a new Mobile API Buyers Guide that presents how to optimize APIs for mobile apps.

About the Speakers

Joshua Greenough personifies the intersection of a team athletics mentality and technology passion. He is currently the Senior Director of Innovation at Capital One, where he manages the product & engineer teams for the San Francisco Innovation Lab. His mission is to build, promote and launch innovative partners on Capital One’s groundbreaking API Platform.

Devon Biondi, Vice President of Strategy Services at Mashery, works closely with Mashery customers advising them in all stages of their API lifecycle from program conception to platform launch. Prior to Mashery she was the Chief of Staff at TIBCO Software where she worked as a strategic advisor to the CEO in all aspects of the company from acquisitions, restructures, new product development, large-scale customer retention and events.

Andy Thurai is Chief Architect and Group CTO of Application Security and Identity Products with Intel, where he is responsible for architecting SOA, Cloud, Mobile, Big Data, Governance, Security, and Identity solutions for their major corporate customers. In his role, he is responsible for helping Intel/McAfee field sales, technical teams and customer executives. His interests and expertise include Cloud, SOA, identity management, security, governance, and SaaS.

The post Our Next Webinar: Five Practical Steps to Building an Enterprise Class API Program appeared first on Application Security.

Enterprises Security Choices and Tradeoffs for BYOD

Mon, 13 May 2013 19:34:26 +0000

Bring Your Own Devices (BYOD) continues to gain momentum as users bring devices into work environments by the droves. Enterprises must make tricky security decisions to balance the tradeoffs of costs, user productivity, and security.

BYOD is effecting organizations both large and small. In our highly connected world, workers bring in familiar and favored smartphones, tablets, and other compute devices into work and expect to leverage them for convenience and to improve productivity. It can have a great positive effect on the business but also raises security concerns. Management can’t hide from taking a position, establishing boundaries, and understanding the tradeoffs.

In today’s responsible corporate environment, enterprises realize the danger of uncontrolled devices on their network and accessing business data. It introduces chaos to security and IT manageability, driving up risks and expenses. Organizations want to enable productivity of employees but must maintain a level of acceptable risks and keep costs flat, or at the very least justifiable. It is a tough balancing act between risks, costs, and user productivity.

Management has a number of high level choices, each with pro/cons and other tradeoffs. Before committing to a particular path, leaders must understand these options in order to select the best direction to set for their organization:

1. No personal devices allowed. Forbid personal smartphones, tablets, and non-managed computers from accessing work systems, networks, and data.
Pro: This stratagem manages security risks and keeps costs relatively flat. It has been the traditional solution.
Con: Not practical for 99.9% of the world. It’s like trying to hold back a tidal wave with a paper cup. Workers, starting with the tech savvy, will bring in devices and connect them, soon to be followed by the rest of the staff. Most likely they and the less technical community has already been doing this for some time. It starts with email forwarding, access to work calendars, meeting logistics, file sharing, instant messaging, etc. Implementing such a policy ignores the opportunity for significant worker productivity gains and stifles flexibility which is so desired by everyone. When employees have convenient access to such data, they are more effective, efficient, and happy.

2. Company provides mobile devices. Providing corporate managed devices in lieu of employees’ personal devices, allows vetting of systems before they access work networks and data.
Pro: Security standards, selective deployment, and the ability to enforce controls, allows the organization to manage risks and costs.
Con: Upfront expenses are high, user happiness tends to be low, and manageability costs slowly creeps up over time. The out-of-pocket equipment and service costs can be very expensive. To control costs, most organizations will not provide everyone a company device. So there emerges a “have” and “have-not’s” class system which spawns resentment. Those who are provided devices must manage their personal devices in addition to the company provided ones. If you have ever been forced to carry two phones, you know how much of a pain this becomes.

Even in a perfect environment with happy users, a different problem emerges. The comingling of personal and private data on employer managed devices. This can be a nightmare, fraught with legal and ethical pitfalls.

Each class, brand, and even model must be configured and secured. IT departments must support users trying to access services and data. The more types of devices, the more complex and expensive the support becomes. One of the keys to managing support costs is scalability. So, it is normal for an organization to settle on one or two to start. Which will not make everyone happy as people have their own preferences. Demand can grow to expand the list of supported configurations, especially as new options become available in the marketplace. Expanded support is great for users, but a nightmare for IT as it increases the legacy support of older configurations which are still in use. Over time the cost to support will steadily increase and the cost of refreshing old and damaged devices will be ever present.

From a productivity perspective, users get an initial boost from the latest equipment and software, but will soon see a degradation as the organization cannot keep up with the latest features coming to market.

3. BYOD of Any Device. All devices welcome with open arms! Users are able to bring in, connect, and use their favorite devices. Security controls are usually network based or via containerization technology on the device itself.
Pro: Initial hardware costs are very low for the organization, as the user absorbs initial out-of-pocket costs for the device. Productivity remains high, as users will continually install latest applications and refresh to current hardware as they see fit.
Con: Expensive to manage and secure. Costs skyrocket to provide and maintain security controls and connectivity support over a wide swath of different devices and applications. Security solutions, many with a high per-seat cost, is required. Not all devices are created or configured equally, adding to the cost and frustration of IT and security departments. The expenses continue to increase and never plateau as users follow the non-stop march of evolving technology, applications, and shiny devices

Challenges with co-mingling of users private data with enterprise oversight can still persist depending upon controls and access configurations

4. BYOD of Certain Devices. The middle ground, allowing users to front the initial costs and enterprises can focus on security and management of a much smaller subset of devices. Network, cloud, and device containerization technology provide security.
Pro: Low initial costs as users purchase the devices. It is a flexible model where the optimal balance of cost, productivity, and security can be adjusted as needed.
Con: Still costly, as the enterprise must invest in security solutions for allowed devices, but policy will limit the number of configurations and therefore help keep costs and risks more manageable. As new devices are supported costs will rise due to legacy support and other complexities. Security is managed based upon the vetting and controls mandated for approved configurations.

Productivity varies based upon the breadth and timeliness of support for new technologies. Satisfaction and productivity also follow this curve. The more devices and applications supported in a timely manner, the happier and more productive the users, but the costs skyrocket accordingly.

Sadly, the pesky problem of data comingling is still present.

There is no universal winning choice. It really depends on the organization, risk appetite, budget, worker productivity needs, and the sway of the most vocal users. A very small number of organizations can disallow all personal devices, mostly government types. Only companies willing to spend a tremendous amount of money on hardware or those which already have a strong caste systems to support a limited distribution will be interested in providing workers with such devices in addition to primary work PC’s. Organizations which have little need for confidentiality, integrity, and availability aspects of security might be able to live with openly connecting any BYOD their users may bring into the office. Although a significant number of organizations may try to dabble in this area before realizing the rapidly growing support costs and security issues before changing to a different strategy. In the end, I believe the majority of organizations will choose to embrace the last option of supporting only certain BYOD devices. They will select a mix of devices, software, and controls which satisfy a broad community while keeping costs and risks predictable. This is no small feat as these solutions are not yet mature.

Every organization must find their own path. They must consider the options and tradeoffs of costs, productivity, and risk. No perfect solution exists, but with forethought, collaboration with users, and solid execution, a manageable solution might be within grasp.

A Mother’s Day letter to a new Intel mom

Mon, 13 May 2013 01:04:44 +0000

Note from the editor: Here’s yet another beautiful blog post shared on our intranet from one Intel employee to another. Regardless of if you have kids or not, I think we can all agree that being a parent is the toughest, yet most rewarding, job in the world. Throw in being a first-time parent and having an already challenging career, and you’ll get a feel for what life is like for many working parents. Jan, manager of the Internal Employee Communications team, wrote a heart-felt letter to one of her employees who just recently gave birth to her first child, sharing her first-hand experience of being a mother (of three) and successful Intel employee. In honor of Mother’s Day, we’d like to share the letter with you and wish all of the mothers out there a very Happy Mother’s Day!

Dear Krista:

True story. In 1993, I applied for a job at Intel. (Yes, I know you were about 12 then.) One of the people who interviewed me was an engineer. At some point, she asked me if I had children. Probably not an OK question, in retrospect, but I answered it.

She then explained to me that Intel was an intense, rigorous and demanding culture that was a much better fit for childless professionals like her and her husband, also an Intel engineer. It was not, she strongly suggested, the right place for a woman with two young children. Like me.

I took the hint, and the job at the other company.

Later, when I had another child, I figured I’d kissed any possible Intel future goodbye. If two kids were a disadvantage, surely three were a deal breaker.

Yet 20 years later, here I am, badge around my neck, accomplished AR tamer, seasoned slayer of acronyms. While Intel has indeed proven to be a demanding place to work these last seven years, it’s also, to my enormous relief, a generous and supportive environment where working mothers can thrive.

It’s been a place where I regained my financial footing after a divorce; a place where I’ve been privileged to know and work with people like you. A place where my detours as a stay-at-home mom and part-time employee haven’t kept me from a career path that has exceeded my expectations.

In just a couple of weeks, your maternity leave is going to be over. Instead of spending weekdays with your beautiful baby girl, you’ll spend them with co-workers (who, while less entrancing, have arguably better language skills). And even though you know she’ll be in good hands, I’d bet you’re dreading the transition from full-time mom to working mom. I know I did.

It won’t be easy. It’s not easy working at Intel, and it’s not easy raising a child. In both roles, we aim high and sometimes we stumble. We second guess ourselves something terrible. We are never quite caught up. We worry —oh boy, do we worry. Being a working parent means having good days when it feels like you have the best of both worlds, and bad days when it does not.

But it helps, a lot, that the Intel village you’re returning to is better equipped and more dedicated than ever to help you manage both your thrilling new role as a mom and the job you’re so good at. And your manager (moi) and your team are standing by to help in any way we can.

Your first Mother’s Day as a mom is this weekend; it’ll be my 25^th (my firstborn even arrived on Mother’s Day). As I marvel—a little wistfully, a little been-there-done-THAT—at the adventure ahead of you, I can’t help but reflect on some stuff I’ve learned, mostly the hard way.

Get over being Supermom. Fast. There aren’t bonus points—this isn’t that kind of a game. Ask for help when you’re overwhelmed, time when you’re short, a favor when you need it.
Don’t wait for permission. Do what you need to do, and don’t apologize.
Once you’ve survived a long flight with a screaming child, screaming stakeholders are a piece of cake.
Email is eternal. Childhood is not. Seize the spontaneous moment with your child.
Stay playful. If you turn into a stressball, everyone around you will be miserable too. During the rough patches, take a deep breath, exhale, and remind yourself that this too will pass. Shake it off, smile, laugh if you can. Then book a massage.
Set boundaries. You will teach your child that no means no. This applies to managers and colleagues as well.
You set the tone. If your daughter sees that you like your work, she will too. If you believe your work is simply time away from her, she’ll believe that too.
Later, when she’s older, tell her about your challenges at work, and your wins. Let her feel, and share in, your pride. She’ll be proud too.
There will be days when it will be impossible to be both the outstanding employee and the outstanding parent you want to be. It is. On those days, accept that good enough really is good enough.
Take notes. When you’re immersed in parenting, you think you’ll never forget the daily routines, the frustrations and pleasures of every stage and age. You will.
In your work life there will be tough periods and difficult co-workers. In your family life these are called “adolescence” and “teenagers.” You will survive both.
Dinner. I never really solved this one. I am a fan of crockpots, however.
You can be anyone’s employee. Only you can be your someone’s mom. Prioritize accordingly.

OK, one last story. One day when my daughter was about four years old, she was playing with some plastic animals. She marched them along the back of the couch where I was sitting. “You never know when pandas are going to come into your world,” she informed me.

How right she was.

Happy Mother’s Day, my friend. And welcome back—we’ve missed you!

Jan

Happy Mother’s Day to all moms! If you’ve got a tip for Krista or other new moms, please share it in comments below.

The post A Mother’s Day letter to a new Intel mom appeared first on Jobs@Intel Blog.

Health 2.0 and API Management

Fri, 10 May 2013 20:53:15 +0000

I just wanted to send a short note that I will be talking about API Management strategy & health care data at the Health Refactored conference next week in Mountain View. I’m hoping to learn a lot of and also share Intel’s approach to API management. We’ll have a booth there so please stop by after the talk!

Blake

The post Health 2.0 and API Management appeared first on Application Security.

Maximizing IT Value by Using High-End Server Processors

Thu, 09 May 2013 19:31:34 +0000

Intel IT has standardized on Intel® Xeon® processors with a core frequency of 2.6 gigahertz (GHz) for two-socket servers to offer maximum IT value for design computing and enterprise server virtualization. Our analysis demonstrates that higher-end processors significantly enhance server performance throughput for a minimal increase in total cost of ownership (TCO). Our analysis demonstrated to Intel IT management and purchasing groups that software acquisition and licensing costs—which represent 3x to 6x the cost of the hardware platform—are the largest drivers of overall TCO for servers deployed at Intel. We concluded that standardizing on high-end processors is a cost-effective way for Intel IT to maximize server return on investment (ROI). You can find more information around our analysis in this recently released white paper Maximizing IT Value by Using High-End Server Processors.

Inside IT: Cloud Aware Applications "Code-a-Thon"

Thu, 09 May 2013 19:13:21 +0000

Earlier this year, Intel IT started conducting a series of Cloud Aware “Code-a-Thon’s”. These were created in response to a skills gap around applications that were being written in a traditional way and ones that needed to be developed to take advantage of the cloud. This event is an inventive way to bring application developers together, introduce them to concepts of programming applications for the cloud and think in new ways. The intent is to have developers experiment with the cloud and be immersed for an entire day. In this podcast we talk to Cathy Spence, an Enterprise Architect in Intel IT. Spence tells us how the Code-a-Thon came about and what it takes to create an app for cloud. We’ll also hear from participants in a recently held Code-a-Thon at Intel’s Santa Clara headquarters.

Why healthcare should be a team sport

Wed, 08 May 2013 12:52:09 +0000

Managing the Changing IT Landscape: Technology in Healthcare

The role of technology in healthcare today is undeniable. What’s really interesting, though, is that we still have a long, long way to go.

I wanted to share this powerful TED Talk featuring Intel Fellow and GM Eric Dishman. In his talk, Health Care Should Be a Team Sport, Dishman shares his story and his views on how our healthcare system must evolve.

In college, Dishman was diagnosed with a rare kidney disease and given only a few years to live. For 25 years, though, he was wrongly diagnosed. It took a genomic test and a coworker he had never met to save his life by donating her kidney. And he quickly learned to be a proactive participant in his own care.

In Dishman’s view, the future of personal care must be at home, which should be our default model. He proposes that today’s technologies—such as high-performance computing, big data, and mobile—make this possible, based on three pillars:

Care Anywhere – We invented hospitals and clinics in the 1780’s … it’s time for a change. The notion of traveling to brick-and-mortar healthcare facilities is dated. It’s also an expensive, risky model that is not sustainable.
Care Networking – We must move beyond isolated specialists treating “parts” to multi-disciplinary teams treating the person. “Uncoordinated care today is expensive at best, and is deadly at worst,” he says (and knows, from his own experience).
Care Customization – High-performance computing, analytics, and big data will help us build predictive models for each of us, as individual patients.

I’ll dig a little deeper in an upcoming blog to explore some of the mobile and social technologies that can enable this change. In the meantime, listen in to Eric’s story and proposal for healthcare transformation.

And check out what Intel is doing to enable better healthcare at the Intel in Healthcare page.

Chris
@chris_p_intel
#Consumerization #Healthcare #Innovation

http://www.intel.com/itcenter

NIST Developing New National Cyber Security Framework

Tue, 07 May 2013 23:53:54 +0000

Last February, President Obama issued Executive Order 13549: Improving Critical Infrastructure Cybersecurity. Its intent is to drive new levels of security into the critical infrastructure of the U.S., systems like dams, the power grid, transportation systems, etc. Many stakeholders, both public and private, had input into shaping the EO and its directives. It is controversial, but like it or not, it has created a lot of activity that could impact any business that uses the internet. For a good overview of the EO, see New rules for cybersecurity? Obama's executive order explained. You can read the EO itself here; the EO itself is only a few pages long.

In part, the EO charges the National Institute of Standards and Technology (NIST) with developing a national Cybersecurity Framework. The Framework will consist of standards, guidelines, and best practices to promote the protection of private information and information systems supporting U.S. critical infrastructure operations, while protecting business confidentiality, individual privacy and civil liberties. Adherence to the Framework will be voluntary—although there is deep skepticism by some that it will always remain so.

To kick off their efforts, in March NIST issued a public Request for Information (RFI) to industry, government agencies, standards-setting organizations, public-private partnerships, and other stakeholders, seeking information on how respondents currently manage cybersecurity risks within their organizations. Thankfully, NIST does not seem to be trying to re-create the wheel, instead they are cataloguing what’s already in use as the basis for the Framework.

I had the privilege of working on Intel’s response to the RFI, and spent six hectic weeks working with an incredibly talented team to formulate Intel’s corporate response to the huge RFI. At the same time, as an Intel representative to the Information Technology Sector Coordinating Committee (IT-SCC), a large public-private partnership, I also worked on their industry-based response with an equally talented group of industry peers. The experience has given me a lot of insight into how the Framework may develop, and along with many others I will be continuing to work with NIST throughout 2013 to build it.

The RFI consisted of 33 questions centered on three major areas: managing cybersecurity, current standards and guidelines already in use, and specific security practices. Some typical questions were, “How do organizations define and assess risk generally and cybersecurity risk specifically?” and, “Do organizations have a formal escalation process to address cybersecurity risks that suddenly increase in severity?” I was pleased to see privacy concerns were explicitly considered in several questions, such as, “What risks to privacy and civil liberties do commenters perceive in the application of these security practices?”

For the Intel response, we wanted to provide as much information as possible on what we know about cyber risk management, while of course also protecting Intel’s proprietary information. Depending on the topic, different experts were assigned to answer a question, then review their answers with a broader group of experts to ensure accuracy. Each answer also had to accurately reflect Intel’s key messages: Ever-changing cybersecurity risks call for flexible and nimble risk-management based solutions; international alignment and harmonization is essential; the Framework must comprehend global privacy and civil rights practices; it must be technology neutral and not proscriptive; and that cybersecurity is a shared responsibility, but industry should lead in developing cybersecurity standards and best practices.

Since most of us were fitting this work in with our regular jobs, it created quite a schedule crunch, but we completed the response by the aggressive deadline, April 8. You can read the Intel response in three parts: 1, 2, and 3. The IT-SCC response, which addresses broader IT industry concerns, can be found here.

The next NIST workshop will be held at Carnegie Mellon University in late May. At that workshop, contributors from all 18 critical U.S. infrastructure industries will see NIST’s first rough draft of what they gleaned from all the responses and what the Framework might look like. Should be an interesting discussion, to say the least. I am attending the workshop and will describe how it went in a future blog.

All Eyes on HTML5

Fri, 03 May 2013 18:11:57 +0000

Visionmobile released a new info-graphic earlier this week that puts some spotlight back on HTML5. While HTML5 is in third place compared to Android and iOS for development and deployment platforms, the most interesting aspect of the survey is the “App Monetisation” panel.

I think the data here confirms what we intuitively already know – if you release your app on more platforms, all things being equal, you will have higher average monthly revenue. This is simply because you can expose your product to a larger unit demand. In other words, the ultimate app is the one that can quickly, easily and cheaply be consumed by users in across all of the walled gardens.

In the case of the survey, the smallest percentage of developers expose their app on 6 platforms but also capture significantly more revenue per month – nearly $5000. If we flip the discussion around and talk about costs, while it is clear that more platforms equals more revenue, the cost drivers here are going to be significantly higher unless you employ some sort of cross platform toolset, and HTML5/JavaScript seems to fit this bill quite nicely.

What about Enterprises apps? We think that the combination of HTML5 for Enterprise app development coupled with an API gateway forms the basis of a reference architecture for low cost, cross-platform app development but if we tie in this new data from Visionmobile, it seems that independent developers may also have a lot to gain from HTML5/Javascript tools when it comes to putting money into their own pocket. If you missed the webinar on this subject, be sure to check it out here.

Blake

The post All Eyes on HTML5 appeared first on Application Security.

Turning Big Data into Big Answers

Wed, 01 May 2013 18:40:53 +0000

Talk live with an Intel IT Center expert: Sure, Big Data is a big deal. But with new sources and growing volumes of data flooding in daily, how do you turn all of that data into meaningful insights that give your business a competitive advantage? In this live interactive webinar, Intel IT experts Ajay Chandramouly and Ron Kasabian will distill what the Intel Big Data Solutions Group has learned about maximizing the value of big data analytics and the cloud. Bryce Olson, Business Strategist at Intel Corporation, will moderate the interactive discussion.

Based on three years of planning and hands-on experience, they will provide practical steps for guiding your Big Data and Cloud initiatives. The discussion will include:

How Intel is optimizing Apache Hadoop deployments
How Intel is using Big Data to bring new products to market faster
How predictive analytics are saving millions across the company

Join this live forum, ask questions, and learn how to turn Big Data into hugely beneficial information your company can act on. Live May 15th at 9am PDT. Register Here

API Management for Healthcare

Wed, 01 May 2013 16:44:35 +0000

It’s springtime and there is a buzz in the air. The API Management market place is heating up. Businesses are seeing the value in exposing data. In the world of Healthcare IT, the drive to accelerate electronic health record adoption collides with the API trend. What market sector could benefit more from the cost control and revenue generating benefits of API Management than Healthcare? Exposing healthcare data is the key to driving innovation, reducing costs and generating new revenue streams. Intel Expressway API Manager (EAM) can make it happen.

Innovate

Meaningful Use is pushing for more exposure of clinical data. If public health records can be made accessible, healthcare can be modernized. But data must be protected from hackers and made available only to authorized users. Intel’s API Management solution can secure services, provide threat defense, IaaS cloud scalability, authentication/authorization, data translation and high performance for RESTful APIs access. Intel is working with public health providers to expose patient data. Intel Expressway Service Gateway brokers the user registration process a third party identity provider (IdP). OAuth tokens ensure that communication with the IdP is authorized. The IdP generates SAML assertions for NYeC to use to secure subsequent transactions containing patient information. NYeC’s drive to expose the data is an exciting process to see in motion.

Reduce Cost

EAM provides the data conversion needed to transform legacy web services to RESTful services. Data transformation features enable XML to JSON and with Informatica’s potent data transformation services embedded in Expressway, HL7 V2 can be converted to mobile ready formats. Once the services are made available, the cost savings can be even greater. APIs enable self-service and fast to market application development. In the US, healthcare costs make up the largest component of the National budget and the numbers are still growing. API Management for healthcare services can be a factor in controlling spending in this sector.

http://www.usgovernmentspending.com/health_care_budget_2010_1.html

Generate Revenue

Removing patient specific data from the clinical information adds another layer of security. Deidentification can be achieved as part of the API Management process by encrypting the Personally Identifiable Information (PII). EAM provides powerful format preserving PII tools provided that will hide the PII from public view. With anonymous healthcare data, the possibilities for innovation expand. Consider Aetna’s CarePass Developer Portal (powered by Mashery). Healthcare APIs are available from Walgreens allowing mobile access to prescription refills, NutritionIx and Food Care are exposing nutrition data to power health and diet applications and Good Rx lists web services that help you find the lowest price for a pharmaceutical. Imagine how the provider of these healthcare APIs can take advantage of the developer community to create applications that will drive new revenue. The New York Times, Flixter and Netflix have shown what a good API strategy can do for growing business. The same revenue models can be applied to HIE. APIs allow for easy partnering EHRs with insurance providers, Physician groups with pharmacies, Patient portals with health clubs, HIE’s with labs and more. Follow the HIE standards, securely expose the data and, as they say in API terms, Mash ‘em up!

Healthcare data exposed as APIs makes businesses sense for the healthcare industry. The innovation that results from increased exposure of patient and clinical analysis data will generate new revenues beyond the short term bonuses from meaningful use incentives. The changes that can come from simplifying healthcare for mobility can feed more data into decision support and can make API Management a big factor in improving patient outcomes. Join us at Health:Refactored in Mountain View, May 13-14, and see Intel Expressway API Manager in action with a case study from Blue Cross Blue Shield Association.

Resources

Read the Intel Expressway API Manager data sheet

The post API Management for Healthcare appeared first on Application Security.

It’s time to put users first

Wed, 01 May 2013 13:00:50 +0000

Managing the Changing IT Landscape: User-Centered Computing

Are you ready to let users determine what IT services you deliver? Like it or not, they’re already using their own devices, not to mention the cloud-based services they want. Wouldn't it be easier to include them right from the start?

I've been writing a lot on the importance of finding the right tool for the job. At the heart of that idea is user-centered computing—an inclusive approach to managing consumerization that puts all users’ needs first.

When I worked for Intel IT, we put this to action by moving away from the one-size-fits-all model to a customized approach that emphasizes the right fit and design for the job. We did this by:

Conducting segmentation studies to understand job roles and how people work
Inviting employees to participate in pilot studies and early adopter programs to improve and stabilize IT solutions before full deployment
Conducting surveys that help:
- Measure customer satisfaction with existing IT products and services
- Identify the services that are most important to employees
- Solicit input on gaps and unfulfilled needs in our service portfolio
Providing greater choice and flexibility by offering more options for primary computing devices
Establishing and supporting Bring Your Own Device (BYOD) and BYO-PC programs

This approach may seem radical, and it does involve changing the culture of IT. However, this change is necessary to fulfill the mission of IT: creating and delivering greater business value.

Chris
@chris_p_intel
#UserCenteredComputing #Consumerization

IT Center

Cloud-Aware Tokenization: Helping to Build PCI-Compliant Applications in the Cloud

Tue, 30 Apr 2013 19:08:30 +0000

Last year the Open Data Center Alliance published an excellent whitepaper that defined the concept of “cloud-aware” applications. The ODCA paper sets forth the following recommendations:

Everything is a Service
Use RESTful APIs
Separate Compute and Persistence
Design for Failure
Architect for Resilience
Operationalize Everything
Security at Every Layer

I will likely revisit these concepts in future posts, but in this post I want to highlight how our multi-datacenter tokenization function can help to build PCI-compliant applications that are cloud-aware, hitting points 4, 5, and 7 above. This is because we designed our tokenization broker as a cloud-aware application with built-in intelligence to work across disparate networks and datacenters while maintaining a low cost proxy implementation model.

What is Tokenization?

For the uninitiated, tokenization is the process that removes personally-identifiable information (PII) or any PAN (primary account number) from a record, replacing it with an encrypted, randomized, or hashed object (or “token”) that represents the PII. The token-to-PII mapping is stored in a separate, highly-secured database, which has the added benefit of simplifying the audit process for the custodian of the data. The token itself is meaningless, requiring a detokenization function to extract the original, cleartext data.

A token is therefore only usable in limited contexts, compartmentalizing risk if it is compromised. In layman’s terms, if someone steals my credit card number they can use it to make purchases anywhere until the card is canceled, but if they get the token that represents my credit card then the data is useless. Tokenization is a best practice used to protect credit card numbers, social security numbers, and even names and addresses (for example in Personal Health Records). It provides added security at the data layer, ensuring that customer data remains secure even if a transaction database is compromised. Tokenization also has unique applications for PCI compliance. Aside from security, tokenized credit card numbers enjoy reduced PCI scope in most cases, driving down business costs.

Why Multi-DC?

There are many reasons for an application to span data centers. The most common reasons are to improve availability and performance (I touched on elastic scaling of APIs in an earlier blog). Also, multiple datacenters are often an outgrowth of business expansion as traditional organizations grow into new business models utilizing public, private or hybrid clouds.

To improve availability, many applications are deployed to different availability zones within a region. This allows multiple instances of an application (or API) to run in parallel, with the ability to route around failures all the way up to the data center level (design for failure; architect for resilience). Performance can be improved by adding additional regions (for example, east coast and west coast) to reduce latency between the user and the application.

There may also be business process drivers for multiple data centers. Consider, for example, a retailer with a both online and brick-and-mortar businesses. These two channels may be run from different data centers, headquartered in different cities. However, customer satisfaction depends on being able to buy an item online and return or exchange it in store, and may even support in-store purchases being returned via the online channel. This requires transaction information to be visible to both channels. While this could be handled by calling out to the other channel’s API, the best customer experience will be delivered by recognizing a customer as a single entity across both channels, regardless of where that customer originated. To do this, the retailer may have a single customer database that spans its brick & mortar and online data centers.

Multi-DC Tokenization

Since tokens uniquely identify data, it is critical that there is a one-to-one mapping between the tokens and the data they represent. This effectively requires all participating data centers to agree upon roles for the tokenization process. This would seem to be at odds with the eventual consistency model I described earlier in this post. However, the importance of avoiding collisions or duplications in the tokenization process dictates that this state be shared and carefully coordinated across all sites with adequate performance and resiliency in the face of datacenter downtime.

Our approach relies on a combination of PAN partitioning and a distributed secure vault.

When a new request comes in, we route the request to the appropriate data center based on the PAN range. The authoritative DC computes the token, returns it (via API), and stores the result in our distributed secure vault. Subsequent references of the token can then be performed at any data center, once the secure vault synchronizes state, which happens nearly instantly (modulo network latency). On the off chance that the application attempts a read-after-write (i.e. detokenization request a few milliseconds after the tokenization request), it is possible that the secure vault will not yet be in sync – anticipating that, we will retry a failed request at the authoritative DC for the token.

By managing this shared token state independently of the application, the developer can treat the tokenization process as a black box. Data can be tokenized from nearly any source over any protocol and PAN data is extracted using common regular expressions or XPath at the application level. No SDKs or application changes are needed. The persistence state is effectively decoupled from compute, and the application’s business logic can be written as if it were a stateless app. This reduces overhead that goes along with planning and testing for collisions, race conditions, and other corner cases, allowing the developer to spend more time focusing on their core business logic.

Summary

Multi-DC tokenization is a good use of the facade proxy pattern for API security. Like our touchless Hadoop security, it allows an application to be secured without being modified. APIs run in the cloud (for that matter, APIs run the cloud) — and thus they need to be cloud-aware. Building all of that support into each application requires significant effort. The proxy façade pattern allows developers to focus on their core business – the differentiating features – rather than investing time creating and maintaining non-differentiating capabilities. With Expressway Token Broker’s cloud-aware tokenization, we manage your distributed token state so you don’t have to.

Resources

The post Cloud-Aware Tokenization: Helping to Build PCI-Compliant Applications in the Cloud appeared first on Application Security.

Intel Employees: A Special Tribute to a Special Teammate

Thu, 25 Apr 2013 20:43:15 +0000

Note from the editor: You hear from me quite a bit, whether it’s through a blog post or as a response to a comment or an introduction to a guest blogger, but you don’t hear from two of my teammates who work tirelessly behind this blog and the Jobs at Intel website to ensure that you have a great experience. My teammates, Teresa and Christine, are the magicians behind the curtain—you don’t see them but they do A LOT of the work to keep the sites running. Today’s guest blogger is Teresa, the Web Product snad Services Manager for Intel’s Talent Enabling Solutions team aka she’s the magic behind our online employer presence. There are lots of different stages to your career: joining a company, getting new managers, transferring to a different group, growing in your role, being promoted, taking a lateral move, and leaving. People leave for different reasons, in this case, it’s one that we’re jealous of—retirement in Florida to pursue a different life adventure. Teresa has written a special post for Christine as she retires from Intel and starts her next life adventure. From all of us bloggers, contributors, viewers, and users—congratulations Christine! All the best with the new endeavor!

At Intel we have a term—‘Great Place to Work’ (GPTW). It’s also one of our values. Each year we get a new badge calendar and on the flip side are listed the Intel values. GPTW lists bullets like Win and Have Fun and Work as a Team with Respect and Trust. I’ve worked for Intel 20 years now – I’m an ol’timer. I’m also kind of a sap, because when introducing myself in meetings or at conferences I also add “…and I’ve loved every minute!”—and though I created this blog, this is my first time contributing to it. I wanted to write a love letter of sorts but first I need to give a bit of background.

I’ve learned a lot about Intel and its culture over the years. At first I remember feeling like a fish out of water. There are so many brilliant and talented people that at first I was intimated. But it was because of those brilliant and talented people that I was pushed into the deep water. I raised my hand to work on a new project and my management team said, ‘go for it’ and off I went. My project was that new “internet-web-thingy” and how would our Staffing team get on this “World Wide Web”. We wanted to market Intel jobs to the public in the new and exciting way. We had no idea what we were doing. I had no idea what I was doing. We put together a one pager that was really only a graphic – I pressed the ENTER key and off we went. It was 1994 – eons ago in the Internet age. I was hooked! Our site grew into our global corporate Jobs at Intel site. We’ve added bells and whistles; tried all the fads and marketing tricks. Some worked – some tanked. I’ve worked on this site for most of my Intel career as developer, architect, and designer. I feel very maternal really. My goal has always been to show the world what it’s like to work at Intel and to grow a rewarding career – just like I’ve been able to do.

Along the way I’ve worked with several talented Content Editors/Managers. These are the people that write all the words that express to our visitors what Intel is really all about. At times I’ve worked with teams of people; at other times just one person. We partner with subject matter experts (SME) all over the globe who provide content. We also work with our college, business, HR and diversity teams assisting in getting their marketing campaigns, content and jobs out to the world. Social media and mobile are new areas for us and we are learning everyday what works and what doesn’t. Content comes from every country we hire in and it is the job of the Content Editor to make it all come together and to make sure it sounds good. It’s a tough job – challenging, stressful, but extremely rewarding as well.

Now here’s my love letter…

For the past seven years I’ve worked with Christine. She came to the job with a lot of questions, much stress and a dose of trepidation. She didn’t know if she could do the job and she worried it was too large for just one editor. I showed her around the house – where all the rooms were, where to find the life vest. I promised her that I would have her back and talk her down from the ledge if needed. I loved the job and I needed a strong editor to partner with who loved the work as well. I wanted her to succeed in every way. And succeed she did. Christine held her nose and jumped in the deep end with me. She managed a global stakeholder team, designed a work request process, juggled dozens of content projects and began the task of making the Jobs at Intel website world-class. Every word on our website was written or edited by Christine. I do the pretty pictures but content is king! She takes the messages we want to convey, along with the SMEs content and writes it in the Intel voice so that our visitors can get a feel for what it may be like to work for Intel. Every word.

On Friday, Christine is retiring from Intel. She found a beautiful stretch of beach and she and her husband will be planting their future in the sand. I’m losing my partner. My emotions are so extremely mixed. I’m so happy for her – so excited that she is finding her dreams coming true. But I’m also so sad because she has made my work life so much fun. Bouncing our creative energy around and then watching it come to life on the webpage has been so rewarding. It’s been like a marriage. We have trust, we communicate, and we voice our opinions – go a bit mad at times but always come up with a solution. And we laugh. Christine is the kind of person that has 20 windows opened at the same time; she’s conversing with two people on IM while talking on the phone. (Her desktop looks like my real hubby’s garage [sorry sweetie, but it’s true]). At first I thought “Geez, how can you get anything done?” But this is how Christine works. Her brain is a file cabinet, and she can easily move from file to file. It’s amazing really. She can find any file going back years. Amazing.

She is also so creative. What I like the most is she makes me better. She pushes me to find solutions, find a way to express what our customers need in new and exciting ways. She reminds me to breathe when the days are full and the schedule dates are looming. She is the Ying to my Yang, my Opus, my Thelma, my Snoopy – she’s jelly and I’m the peanut butter. I do love her and will remember my years working with her as the best (so far).

We don’t always give thanks. We forget to recognize. Even at Intel, thank you is not always stated because the work speaks for us. But I wanted a way to say “Thank you” that would really convey my gratitude. Oh sure there’s going to be a party, laughs will be had, margaritas will be drunk, and hugs will be exchanged. We will toast and we will laugh. (I’ll cry later.)Her friends will gather and we will send her off well. But this is my way of sharing my gratitude and recognition in a way that would be truly unique—and what better way than to do it through a project that we both worked on together and one that would share her legacy for the world to see!

On behalf of Intel, I want to say Thank You Christine! I have had so much fun working with you. Thank you for the respect and the trust. Thanks for thinking of our visitors first and trying always to provide the best possible experience. Thank you for your skill, your partnership and for your passion for the job. It was so appreciated. I wish you and Jeff the greatest happiness as you journey onward. Our “marriage” may be over, but our friendship is lifelong.

YOU are the reason Intel is a Great Place to Work!

You’ve heard it before, but here’s the proof. People truly are Intel’s greatest asset and the reason why many of us come into work everyday.

The post Intel Employees: A Special Tribute to a Special Teammate appeared first on Jobs@Intel Blog.

Moving The Desktop PC Forward: Part 1

Wed, 24 Apr 2013 18:09:24 +0000

The Desktop PC has been the workhorse of the computer industry ever since the personal computer was first invented. It offers the highest performance and greatest configuration flexibility of any PC form factor (which is why it remains popular with the enthusiast community), but when compared with many of the sleek new devices available today it often falls short on style. The typical tower desktop PC, with a tangle of wires running out the back, has been relegated to the office cubicle or back room of the house – kept out of view of polite company. For those of us who like the configurability of the tower desktop PC it’s time that we look for ways to move the platform forward into the realm of stylish technologies that people expect today.

The good news is that many PC makers are actively working on solutions to this problem. One exciting development is the increased number of All-In-One (AIO) PCs available today (the Apple iMac* or HP Touchsmart* being two popular examples). These AIO PCs bring a sense of style that ends the desktop PC’s exile to the den and makes it a welcome addition to any area of the home or office. If you don’t need the mobility of a notebook then these AIO PCs can give you a large screen, solid performance, and the added security of a stationary PC – all in a sleek package.

But what if you still want the power and flexibility that comes from the traditional tower desktop PC? Are you forever relegated to the fashion-challenged corners of the PC world? I believe that there are some lessons we can learn from the PC enthusiast community that can bring modern style to the tower PC without sacrificing its core strengths.

PC Enthusiasts spend a great deal of effort designing and building their dream system, and they like to show off the end result. Unlike a poorly designed do-it-yourself PC where a tangle of wires connects the components inside, the PC Enthusiast community has become very adept at cable management. They combine groups of cables together – sometimes with an outer sheathing layer – and route them in such a way that they don’t spoil the aesthetics of the system interior. This technique is routinely used to solve cable issues inside of the case, but could easily be applied to the problem that exists outside a typical desktop PC.

To get your creative ideas flowing, here’s an example of how this could work. A basic configuration for a tower desktop PC would require a number of wires running between the tower base and the monitor. The exact number of wires depends on the connections being used. Here are two examples for consideration:

Starting with the basic principles of cable management, the first step to taming these configurations is to combine the multiple wires into a single cable – thereby eliminating the typical rat’s nest of wires. After combining the wires using commonly available wrapping materials, our examples then become:

Since the monitor I/O connections are located on the back side, this cable can be constructed so that the point where the cable divides into individual connectors is well hidden, and only a single cable appears to run to the monitor. Congratulations! You’ve just eliminated the mess of wires that we all just assumed was part of owning a desktop PC.

Ultrabook™ gets down to business

Wed, 24 Apr 2013 13:01:14 +0000

_Managing the Changing IT Landscape: Ultrabooks for Business

If you’ve been reading my blogs, you know that finding the right tool for the job is an ongoing theme. And it deserves the attention ... in a consumerized IT world, there are simply more choices for business computing users. And while users want to choose, they expect the business to provide and support the technology needed to get work done. It is IT’s role, in partnership with users, to find the right balance between security, form factor, and performance.

Today’s users want thinner, lighter, more responsive, touch-enabled PCs. Yet for the past year, Ultrabook™ devices—a new category of ultra-mobile PCs—have not met many of the requirements for business-class computing, leaving IT with few options.

Finally, great design that’s ready to work

The Intel® Core™ vPro™ processor-based Ultrabook device delivers on all counts. It provides embedded security that protects your data, devices, and access while keeping threats out. And it’s sleek and portable, at less than an inch thick, but with a hardened chassis and stronger hinges so it can withstand the rigors of business travel. It’s also ready when you are, with a quick tap to the touch screen to get started.

In response to the requests of our own employees, Intel IT has begun the transition from traditional notebooks to Ultrabook devices. Listen to the Intel IT Ultrabook podcast to learn more, and check out the latest options in Ultrabooks for business.

Chris
@chris_p_intel
#Consumerization #ultrabook #4biz #ultrabook4biz

intel.com/itcenter

Inside IT: Evaluating McAfee Deep Defender

Sat, 20 Apr 2013 04:27:10 +0000

The evolution of threats to the security of the enterprise has driven innovation in how that enterprise defends itself. New tools need to be developed to meet today’s threat landscape. McAfee has introduced such a tool, Deep Defender. It’s designed to detect kernel-based attacks that other traditional software security solutions would miss. In this podcast we talk with Intel IT Security Specialist Greg Bassett and Project Manager Stephanie Mahvi as they discuss the pilot study the company conducted to evaluate McAfee Deep Defender for the enterprise.

From ESBs to API Portals: an Evolutionary Journey Part 4

Thu, 18 Apr 2013 20:50:22 +0000

The continuing transformation of the IT industry around the externalization of service components constitutes an exercise in abstraction. The transformation assumes that any IT application can be recursively decomposed into constituent services. An application that has been re-architected or engineered this way is known as a composite application.

As with any abstraction exercise, the devil is in the details. When a particular capability is to be replaced with a service, just as good is not sufficient to trigger change; it needs to be much better to make the change justifiable from a business perspective, anywhere from 3X to 10X to overcome the change hysteresis or the incumbent alternative stays.

One challenge is that in many cases there is no tradition in the organization of measuring service components. For instance if a replacement service is said to be more energy efficient and it comes with the metrics to prove it, these numbers are not useful if the contracting organization does not keep energy consumption statistics at the level of granularity of the service offering: if the available historical data is at the power distribution unit (PDU) level measuring consumption at the rack or even row level, this information is of little use if the unit of delivery for a service is a virtual machine (VM) and the provider furnishes energy data on a per VM basis.

The semantic gap between VM power and PDU power could be in principle bridged by aggregating VM power into rack power. However doing so would require significant research and would difficult to do without industry consensus because the actual numbers would be dependent on the measurement method.

One of the most obvious metrics for a service is pricing. For instance one could use the total cost of ownership (TCO) of a storage appliance to derive a cost per byte over the lifetime of the appliance. This number can be compared with the cost of a cloud storage service offering. The cost of the service may be accrued on a monthly basis, where the cost of the appliance comes in a big chunk of petabytes over the 3 to 5-year lifetime of the appliance. This suggests that there are more dimensions in the process of making a decision between doing nothing or breaking up the application into service components and start factoring out these components, SOA style or externalizing the components through cloud service providers. What are these dimensions? Let’s explore a few.

Performance and Quality of Service

Assuming that a prospective service alternative passes the cost test the IT organization will look at performance. It will be of little consolation if a service offering saves money if the quality of service (QoS) deteriorates to the point that complains pile up. The expectation is that service offerings tend to be remote and hence result in higher latency due to distance and lower bandwidth due to network limitations. A cloud bursting solution may be implemented via a VPN link to remote resources offered by a service provider. This link is a potential weakness, inducing a “tromboning” or barbell effect with two large resources connected through a relatively thin tether, resulting in large latencies between entities connected across the tether.

Performance deserves a careful consideration because performance behaviors tend to be highly discontinuous. For instance, if a service offering doubles storage latency, this may trigger transaction timeouts. Because of the transaction retries, the actual latencies experienced by the end users served by the IT organization may not just double, but increase by an order of magnitude. On the other hand, a global company replacing a centralized database location with storage from a provider may actually end up with improved QoS if the provider caches and mirrors the data in the appropriate locations.

Another dimension of performance is scalability. In the industry cloud computing is economically feasible because of specialization: the assumption is that one entity able to fulfill a specific function on behalf of a community of service customers more efficiently than each customer separately through resource pooling and specialized expertise. Therefore the service provider can deliver the function at a lower cost than the in-sourced alternative enough and still make a profit to stay in business. The size of the pooled resources needs to be larger than the largest request expected from any of the customers; otherwise there will be cases where the provider will not be able to honor a request.

Security

Security is a first order concern on par with performance and cost. It relates to preserving the privacy and integrity of the data and governance, risk and compliance (GRC) practices. Security is often cited as a roadblock to cloud adoption in the industry. An approach to addressing this conundrum is to look at the problem as a continuum, not as a black or white issue and to look at capabilities available today. Different application deployment models have different levels of security associated with them. A classification of infrastructure deployment from the most to least secure could be as follows:

1) Corporate assets deployed in corporate infrastructure

2) Private cloud on corporate premises

3) Provider hosted private clouds

4) Public clouds

One solution to improve cloud security outcomes while minimizing cost is to define different types of data and institute a policy for the deployment of the data. One example would be to have company secrets under #1, corporate e-mail stores under #2, CRM data under #3 and product brochures under #4.

IT and Business Process Standardization

This is a big one. One of the purposes of an ESB is to ensure there are commonly enterprise-wide procedures (“patterns” in SOA speak) for functions such as pub-sub and event notification. For a single enterprise a single, company-wide proprietary ESB implementation, either cobbled up in-house or from a single vendor is a workable solution. Extending this notion across multiple companies and providers is much harder. Arguably cloud computing is still an
emerging discipline with the standards to enable these capabilities not yet in place.

Even the simpler problem of moving a workload from one hypervisor environment is currently a nontrivial undertaking. The author had the privilege of serving as an architect for a proof of concept exercise sponsored by T-Systems. The goal of the exercise was to demonstrate the ability of moving virtual machines across hypervisor environments using publicly available conversion tools. This was a straight implementation of the VM Interoperability Usage Model as defined by the Open Data Center Alliance. We used four of the most well-known hypervisor environments. We found roadblocks across
most conversion paths. Moving VMs to public cloud providers posed additional challenges because of the degree of para-virtualization or customization in public vendors’ hypervisor environments.

Metaservices

In addition to the intrinsic functional capabilities implemented by servicelets, composite applications need a number of ancillary capabilities: service customers need to find them. A service registry would allow service provider to publish their offerings and users to discover, assess and bind the
service offerings to their applications.

Another metaservice is data encryption and transformation: data needs to be striped, replicated, compressed, encrypted and replicated to meet target quality criteria. On the business side reliable, non-repudiable mechanisms for billing and cost settlement that work across composite applications. For some customers the ability to do audit trails or even cloud forensics is a must have feature. Unfortunately the state of the art leaves much to be desired, as panelists declared at a recent RSA Conference.

Epilog

In the next installment we’ll take a look at how Intel® Expressway API Manager and Intel® Expressway Service Gateway offer brokerage, discovery and security services as a present day embodiment of an ESB. In so doing API management addresses some of the challenges for the implementation and deployment of composite applications mentioned above, not just for a single enterprise, but for whole ecosystems comprising both developers and end user communities.

The post From ESBs to API Portals: an Evolutionary Journey Part 4 appeared first on Application Security.

Intel vPro Technology: Built to fly business class

Wed, 17 Apr 2013 12:59:00 +0000

Managing the Changing IT Landscape: Business-Class Technology

I recently blogged about how I define business-class technology and what separates it from the pack. It’s no longer a luxury, but a necessity (unlike that upgrade from coach … definitely a “nice to have”).

IT professionals need to protect sensitive data while giving users the mobile tools they need to innovate and collaborate. Intel vPro technology has the chops as business-class technology that delivers this balance: It’s designed to strengthen security and increase productivity across your business.

An inside look: How Intel saves time, money

Intel IT has been using Intel vPro-based processors as the Intel corporate standard, and they recently revealed four specific use cases. The bottom line? With powerful remote management capabilities, they’ve cut costs and reduced downtime, resulting in greater productivity across the business—even though IT is present at only about one-third of Intel’s physical sites.

Consider this:

We’ve reduced the time to resolve password resets by 80 percent.
On average, we’re saving remote employees more than $100 (U.S. dollars) on shipping and more than 10 hours of employee downtime with Keyboard-Video-Mouse (KVM) Remote Control and ISO mounts.

Are you using Intel vPro technology in your business? If so, what benefits have you realized from this technology?

Chris
@chris_p_intel
#Consumerization #BusinessClass

Betwixt and Between – Service Gateway for Enterprise Mobile Applications

Tue, 16 Apr 2013 14:46:47 +0000

Over the next several posts, I will explore some of the core patterns for Service Gateways that provide access to Enterprise Mobile Applications that need to leverage enterprise apps and data. Before I go there – a word about risk. Mobile security is a hot topic. Is Android less secure than iOS? What about rooted devices? How should enterprise deal with BYOD? How do mobile dev teams write secure code for mobile platforms? And the list goes on and on, there are plenty of important questions to ask.

Amidst all these gnarly big and small questions on technical security for enterprise mobile applications. its vital to remain focused on risk. And where is the risk for enterprise mobile applications? On the apps, identity, and data housed on the numerous mobile devices? Sure. There’s risk on individual mobile apps and devices, but the lion’s share of data, functionality and identity is on the server side, and that’s where the lion’s share of the risk is too.

Boundary crossings are a key focus area for security architects. The Enterprise Service Gateway defines the boundary between “external” systems and “internal” systems (note – I am not sold that this is a valid distinction in many instances but its commonly used and holds up for the purposes of this pattern). The transition between external and internal confronts the security architect with a number of design choices. We can divide the message exchanges into two sets

1. Mobile device -> Gateway: asynchronous Web service calls via REST

2. Service Gateway -> Enterprise backend app servers: synchronous and asynchronous calls via REST, JMS, SOAP, and more

The inbound calls to the Service Gateway usually follow a simple message exchange pattern (albeit its asynchronous which is something new to many enterprises but we’ll save that for another day), whereas the Gateway -> Enterprise message exchange patterns can run the gamut. In effect, the external services simplify the experience for the user and the internal services- well they just go where the data is.

The implications here shed light on the core utility of the gateway. The gateway is the location to implement three sets of security policies.

1. External security policy: for the Mobile device -> Service Gateway message exchanges

2. Internal security policy: for the Service Gateway -> Enterprise backend message exchanges

3. External <-> Internal mapper security policy: to facilitate the right security and identity services for each boundary transition

Security is about reducing vulnerabilities (access control services) and coping with threats (hardening, defensive services). Service Gateways play a key role in each.

In the case of access control and identity services, the identity protocols and tokens that are used by the mobile device are usually validated and terminated at the gateway. The gateway then maps the relevant user identity, such as username and attributes, and instantiates a second protocol to communicate with the enterprise backend.

In the case of defensive services, enterprise applications are not hardened for external access, after all that’s why there is a DMZ. Inbound calls, messages, and data must be inspected for malicious code targeting the enterprise. In effect the Service Gateway is what enables the internal services to be consumed externally.

To make sure mobile security is effective, from a big picture, strategic perspective its important to keep in mind the vital role of the gateway in managing risk on both the mobile device and the enterprise backend. To execute tactically its important to divide the Gateway’s role in to how it works for each separate policy zone, and how it maps between the zones. So many projects, start out assuming that mobile is just another front end to hook up to existing middle tiers – it isn’t. To get an idea on some key differences, I highly recommend this Mobile Middleware White Paper as a solid read for more on the subject. In the next post we’ll look at some policy options for each zone.

The post Betwixt and Between – Service Gateway for Enterprise Mobile Applications appeared first on Application Security.

Join me at the Intel IT Center Experts Tour in Folsom CA on June 13th 2013

Fri, 12 Apr 2013 18:40:32 +0000

Fellow security professionals, come join me at the Intel IT Center Experts tour in Folsom CA, June 13th 2013. I will be one of the many speakers discussing challenges and experiences gained by Intel's IT organization. This is an opportunity to ask questions and share insights.

Complete Tour Listing Link

Direct Registration Link for the Folsom 06/13/2013 session

https://secure1.regsvc.com/registration/index.aspx?TYPE=t&ID=4&LC=&LC=intel&PIN=&REF=&dbGUID=29D3CA22-240C-4BFF-80F3-4619CCFC83B0&

Folsom Event Details:

June 13th 2013 8:00 AM - 2:00 PM
Intel Corporation
1900 Prairie City Road Building FM-7
Folsom, CA 95630

Folsom Tour Event Topics:

The Future of Enterprise IT – Enabling New Uses, Trends and Technologies
     Presented by one of Intel IT’s Client Technology Evangelists
     IT organizations must define and drive the right balance between their
     employees’ expectations and their companies' business objectives, and then
     look for opportunities to implement solutions that address tomorrow's
     needs as well as today's challenges. What are the new disruptive
     technologies or mobility trends that IT needs to prepare for? How does
     security need to change to meet the needs of the new IT world? How are
     generational culture changes impacting the IT organization's response to
     IT consumerization? And finally what are the skill sets your IT shop
     should be focusing on moving forward? Models like BYOD and COPE are addressed
     as well as infrastructure impacts.

Intel IT Cloud Journey and Overview
     Presented by one of Intel IT’s Cloud Enterprise Architects
     Cloud technologies are moving at a rapid pace. Enterprises are wrestling
     with private vs. public vs. hybrid cloud solutions. The need for high
     levels of customizability, flexibility, and agility will drive many
     enterprises to the public cloud. The foundation for this vision will be
     defined by an open approach that delivers best of breed technologies +
     flexibility + choice from data center to client. This session will cover
     the cutting edge cloud progress that Intel has made internally within our
     own IT organization as well as what to expect in 2013.

Cybersecurity Briefing: Trends, Solutions and Opportunities
     Presented by one of Intel’s Enterprise Technologists
     Inadequate security remains the number-one concern about cloud computing.
     Find out what Intel is doing now to manage information security and risk,
     learn the rationale behind Intel’s 2011 acquisition of McAfee Inc., and
     discover the new opportunities this collaboration brings your company.

Deploying Microsoft Windows* 8 in the Enterprise
Presented by one of Intel IT’s Business Client Product Line Managers

Culture’s impact on Innovation

Thu, 11 Apr 2013 22:32:24 +0000

In my initial overview, I stated that I felt that there were 3 items necessary for innovation. The first, the resources, I covered in my first entry. This one is geared towards the second which is the Culture to support innovation.

THE CULTURE

It is easy for many organizations to say that they support innovation. They discuss how they are going about it and how they are providing some resources towards the effort. But when you pull back the surface, you find that they are not really supporting it. Their reward systems that do not support innovation just stifle it. They have review systems designed to ensure only completed projects and programs are recognized and they only reward success. Lastly, they only look at today's results and not towards the future. The talk says "go innovate," but the walk clearly supports only taking risks that will ensure success.

By only supporting the incremental improvements within the organization, we take no risks. This will force teams to think about small next steps and will in turn hamper our organizations ability to drive innovative thinking. This keeps us away from the art of the possible. Here at Intel, we use possibility thinking in order to keep the innovation going. Possibility thinking is starting with a clear definition of where you want to be and then spending time trying to figure out what has to happen to make it true. Not focusing on the next single improvement, but rather the whole picture first. This frees us from the constraints of the current system and processes and allows for a more open field of possible routes to get to a solution. I like to think of it as the difference between a great sprint hurdler and a fair one...A great one focuses on the finish line and the hurdles are where they know them to be; a fair one only focuses on the next hurdle.

This helps set the mindset, but does not always lead to success. In order to drive towards innovative thinking, failure has to be an option. Understanding that the lessons that you learn from failure leads to success is the key to any learning organization. When you are a child, you do lots of things you should not, but through learning the hard way, you find the paths that work. Within companies, we need to do the same. If every project was exactly the same, every issue was exactly the same, all the same people were involved and no human error possible, then maybe we could follow exactly the same method to get to the same result. But in my experience, that is seldom the true. Budgets are different, new people come onto the projects, new businesses are being driven, new capabilities are desired, and these force us into coming up with new capabilities and solutions. Also, in my experience, any successful project or innovation is made up of lots of failure to achieve the results. Support of these failures is critical to their ultimate success. Innovation happens more frequently.

Support of failure does not mean that you need to build out a new reward system that provides monetary compensation for each failure Congratulations Bob that is your third failure this week, here is your bonus!" It means that you recognize it, don't spend time looking for who is at fault and penalize everyone, but focus on what was learned from the failure and how to overcome it. How can you avoid it in the future and strive for better results? This is one reason that small companies or newer companies can innovate faster in many cases. They do not have the time to search for all the guilty parties and punish them in their reviews, they have to continuously evolve and deliver quickly, which forces them to adapt and learn from these mistakes. They are also very focused on the goal and not always married to the path to deliver. This frees them from the constraints and allows for more dynamic approaches.

The third, and hardest part of innovation culture is to simply stop things. When innovations are not panning out, delivering the results expected, or driving to the capability you thought, you need to stop the work and simply move on. This is much harder for people and organizations to do as any innovation begins with a passionate individual or group that truly invests in the direction. Stopping this is a bit like stopping an aircraft carrier in that it takes time and much directed energy to stop. While very difficult, it is a critical step in managing those critical resources you have directed towards innovation.

Here in Intel IT, we build stage gates to manage our ability to stop things. We look at innovation in four steps:

1. Basic Research - Where we are scanning technologies, futurists, research companies and some universities for leading-edge thought on what we might want to work on next. (10% of our time in IT Labs, with no expectation of yield)

2. Proof of technology - Where we bring in capability and test our hypothesis on whether this will work to help us solve problems (30% of our time, with an expectation of about 50% yield)

3. Proof of concepts - This is where we know what we would like to solve based on the capabilities we discovered in the proof of technologies, and we assign goals to the business case and test in live situations (30% of our time, with an expectation of about 60-70% yield)

4. Pilot/transfer - This is where we work with our services delivery groups to do the final proof and production implementation of the capability (30% of our time, with about a 90% yield)

Our process is completely supported by our reward system and our culture to ensure that we focus on our big business problems and deliver solutions to help move us faster. We also are lucky that here at Intel, innovation is in our DNA. We keep in mind some wise words of one of our original founders, Robert Noyce.

Don't be encumbered by the past, go off and do something wonderful! - Robert Noyce

In my next entry, I will discuss the problems and how you need to think in order to guide any innovation process.

Information Security – it’s not only about the technical controls!

Thu, 11 Apr 2013 20:49:41 +0000

Security means many different things in different contexts. With Information Security, it should be about protection of an asset from a known threat. But many times there are biases to security solutions based on controls that are predetermined. The most important questions that should be asked before the how part is defined for a security solution are;

Why is there a need to establish security? It’s an important premise that you determine the value of information to your organization and to your adversaries.
Secondly, who are you protecting this information from? If one is to protect something, one has to identify what the threats are, so as to take appropriate steps to mitigate them.
Thirdly, protection or prevention is one aspect of security controls. Considere detective and corrective mitigating controls addition to preventative mechanisms that could fail.

Because of biases in specialty areas, there could be a tendency to emphasize specific technical controls in defining a security solution. This leaves a great deal of ambiguity and more fuel for fear, uncertainty, and doubt that plagues the field of protecting computer information systems. And as Matthew Rosenquist described in one of his blog posts last year when asked for one word to describe the biggest challenge in information security these days, he used the word ambiguity. While many security researchers are trying to find the latest security flaw, other security professionals are trying to determine how the next security tools provide better technical protection capabilities. But it’s important to realize that information security is not only about the technical solution, it should be a business decision first.

Information Security is not only about technical threats and so technical security controls should not be the first consideration for protection. Technology is often among several other countermeasures used to implement a security solution after defining what it is that needs protecting and from whom it needs protection. This is where administrative controls should be considered first so that the definition of what needs to protect can be defined through procedural controls. Some industries have policies, standards and guidelines that must be followed based on the type (classification) of information, but risk should be evaluated based on threats in context of the environment for which the information made available through processes, transferred, stored, or destroyed. A defense-in-depth strategy should be considered during the earliest stages of the development lifecycle but oftentimes there are changes to the environment that are made well after the deployment of a system or software solution that can introduce risk from new threats or greater exposure to existing ones. Before administrative controls are defined, a risk assessment should be completed to analyze the threats for which any system is vulnerable to.

The real value of a risk assessment is that some systems may process information that is not under industry regulations for protection but still have value to an organization. In many cases an organization will focus on risk from audit failures and apply most of the security dollars to mitigate risks defined by audit report because information classification levels require regulatory protection such as Sarbanes-Oxley Act (SOX), PCI Data Security Standard (DSS), or Health Insurance Portability and Accounting Act (HIPAA) just to name a few. But information of value does not only fall under classifications that have industry standards for protection levels. The risk assessment is a way to have dialog amongst the team and is helpful to communicate with management across the board for all information protection requirements becuase ultimately it is a business decision to implement security controls. Additionally, security controls can be protective but detective and corrective security controls should always be a consideration for a Defense-In-Depth security strategy. One strategy that is taking a more reasonable approach to increasing the level of information assurance is the focus on the threat rather than the vulnerability through the use of a Threat Agent Risk Assessment methodology developed by Intel. This approach places emphasis on what is reasonably possible from a threat perspective in order to address the most likely events.

From Collecting Coffee Beans to Advising the Government

Thu, 11 Apr 2013 14:38:31 +0000

Note from the editor: Every Intel employee has a story behind their career path and how they got to where they are. Today we bring you Carlos’s story which is not only about his Intel career, but how he went from collecting coffee beans in Costa Rica to advising the Costa Rican government.

It is noon on Friday and we just finished one of four sessions to train seven people from Ministry of Economy, Trade and Industry from the Costa Rican Government, aka MEIC. I feel a sense of pride and happiness, because this Intel volunteer activity (just one part of a larger project that a team has been working on for over a year) will not only benefit a community, it will benefit a whole country, my country.

The training included basic tools and knowledge in Project Management. By holding this training with this government team, they’ll be able to use what they learned to improve Business Process Management as a strategy, allowing my country to reduce its bureaucracy, be more competitive worldwide and make it more attractive for foreign investment.

But how did I get to this point of influence? That is a story that starts back in my hometown, Naranjo in the province of Alajuela, when I was a teenager.

When I was 12 years old, I was in my third year of high school and during a class break I asked myself,”What do I want to do with my life from this date to the future?” I set a few goals for myself at that point, the four most relevant for my professional development were: to get a technical degree as Electrician, the second to get a bachelor degree on electronics, the third one to work on a company that would allow me to grow professionally and the last one to live in another country with different culture and different language with my family, working there and being successful on that experience. I said, “If I can complete all of them (four professional and four personal goals) by the time I’m 60 years old, I’d consider myself a successful person.”

The first step: register in a technical high school to get the title of Electricity Technician. To do that, I had to leave the comfort zone of living under my parents´ protection. I had to move and live in another city.

The next two steps came together: working and save money to pay for part of the tuition fees to study Electronics Engineering at Technical Institute from Costa Rica (ITCR). This, in my opinion, is the best public university for the career in engineering I wanted to pursue and I was right–it opened many doors for me.

As an engineer, I was able to achieve another goal: to fly on an airplane and visitdifferent countries. As a child, this idea seemed impossible because I came from a poor family. My mother worked as a seamstress at home to help earning extra money to raise three boys, my two brothers and me. My father worked at a local gas station but his earnings were not enough for our family. That is why my brothers and I decided to work at a coffee plantation during our vacations around the sunny seasons, collecting ripe coffee beans to earn money to pay for our books, notebooks, uniforms and all the materials we’d need and use during the school year. All of that taught us the value of honest work, saving money and defining priorities for life.

I achieved my last goal when I started working at Intel in 2004. More than just visiting, I wanted to live in another country, immerse myself in a different culture with a foreign language and to do this with my family and while being successful during that experience. This goal was accomplished in two steps. The first one allowed my family and me to live in Santa Clara, California for little longer than than 6 months. And what an amazing experience it was! My children went to public schools there and learned the basics and fundamentals of the English language. However this was just preparation for what I considered was the true achievement of my goal. Three months after returning from California, my manager asked me to move to Israel for a year with my family.

I still remember my kids’ faces when we arrived at the airport in Israel. Everything everywhere was written in Hebrew and we did not know even know how to say “hello” in Hebrew! If that was hard, just imagine the experience going to the supermarket and trying to buy groceries!

However with time, we learned. We were able to visit many places. We learned bits of Hebrew and were able to make basic requests at stores, pharmacies, etc. We even crossed the border during our time in Israel and went to Jordan to visit Petra, one of the new Seven Wonders of the World. My kids attended the unique English school available in Israel, but to do that I had to drive 160 Km a day to go to Intel´s site in Haifa from our house located close to Tel Aviv in a placed called Kfar Shmariahu. The technical knowledge I picked up during my time in Israel made me grow to a point where I could participate in several Intel conferences, allowing me to visit other continents and countries and earning significant awards at those conferences as well.

When we returned back from those assignments, I was just 33 years old and I had accomplished all my major goals. Wow. So there I was leaving my comfort zone, I sat to rethink my life, again.

That’s when, using the scholarship that Intel gave me, I was able pursue a master’s degree in Project Management from a private university. After getting my master’s degree, I joined the team in charge of understanding how to implement Business Process Management (BPM) in my department at the time, Quality and Reliability. Soon after, I took the leadership of that team and led my own managers and department to get BPM certification following a Project Management structure. Last year I moved to Technical Training Department, where I made significant changes in the courses we offer technician’s at Intel’s Costa Rica factory to empower them to increase their knowledge in different technical areas. In tandem, I started working as a professor a few years ago, teaching Project Management at the same university I got my Master’s degree.

Using the set of skills I developed from Project Management, Business Process Management, teaching experience and my desire to grow, I joined the volunteer team working with MEIC. Now I lead one of the sub teams, the one that teaches how by using PM and BPM, we can make a better country. That’s how I’ve gotten to where I am today—only time will tell what growth and opportunities the future will bring.

The post From Collecting Coffee Beans to Advising the Government appeared first on Jobs@Intel Blog.

Ten things to know about business-class technology

Wed, 10 Apr 2013 13:00:36 +0000

Managing the Changing IT Landscape: Business-Class Technology

In a recent blog post, I proposed the idea that business-class technology is not a luxury. When it comes to protecting sensitive company information and IP, as well as customer data, it’s critical to have the right technology in place.

But what makes technology business-class? In my mind, these are the top 10 features and capabilities that address the needs of both users and IT.

Durability – Can handle daily wear and tear over a PC refresh cycle of three to four years; reinforced hardware (screen, chassis)
High performance – Can manage multitasking and simultaneous app use
Scalability –Ability to support new operating systems and apps during life cycle
Security technologies – Protection for users and IT in a dynamic threat landscape
Management tools – Ability for IT to manage all devices (tablets, phones, notebooks, desktops, etc.) regardless of operational state or location
Identity protection – Ability to protect users online and safeguard corporate network access
Data protection – Powerful encryption technologies to guard sensitive business data
Antitheft capabilities – Ability to lock or wipe a device that is lost or stolen
Appeal for users – Ease of use with an intuitive interface, a lightweight form factor, long battery life, and a sleek design
Interoperability –Standards-based systems with Ethernet, USB, solid-state drives (SSDs), and strong Wi-Fi

What capabilities does your organization look for in business-class technology? Is anything missing from this list?

Chris
@chris_p_intel
#Consumerization #BusinessClass

Complexity Management with Tokenization

Mon, 08 Apr 2013 23:21:09 +0000

Tokenization is a major trend in application and data security and Gateways are an ideal location to deploy tokenization services. Tokenization replaces sensitive data with benign data. The classic example here is PCI DSS, and the business value of tokenization is summed up here:

Now I am no graphic designer, but let me take advantage of the Chinese saying that “1,001 words is worth more than a picture.” As much as I like the graphic above it does not tell the whole story. The 2/3 of the graphic starting from the left is “PCI Scope”, the 1/3 on the right is outside PCI scope. In my experience the value of tokenization and gateways is that its more like 10-20% of the system is isolated down to in scope for PCI and the remaining 80-90% is “out of PCI scope” – *this* is the value of tokenization – it abstracts away a ton of complexity. As we discussed in the last post, complexity is the main enemy for security people. Tokenization services are a good way to not eliminate but massively reduce the sprawl of sensitive data and in doing so reduces the burden of complexity across the system because the rest of the system isn’t dragged into scope.

The reality is that most of the system does not need to access sensitive data such as payment information, it only needs to be able to reference authorization codes and the like. There are so many ways to mess up code that simply removing the sensitive data in as many places as possible is frequently the single most effective security mechanism. To quote Ken Thompson, “when in doubt use brute force.” What’s simpler – A) exhaustive audits, quarterly vulnerability assessments, section 10 level audit logging, and the full compliance check box olympics across your whole systems or B) brute force – isolate sensitive data, audit that island and expose only tokens and authorization codes to the rest? Its not even close.

The counterargument to the above is that a gateway introduces a new layer in the system and so its another middleboxen for the app server to talk to, another system on the critical path. Fair enough, but its there for a reason same as the app server is in the middle tier. The appserver is in the middle tier so that business logic and rules are centralized and reused. This is the same rationale for tokenization on a gateway – centralize the token generation and verification. Do you want all your developers writing code for generating and verifying tokens? Not bloody likely.

Tokenization is a major trend in security because it allows systems to reduce the sprawl of sensitive data and the attendant vulnerability and audit issues. Gateways are the ideal way to deploy tokenization because

1) the internal core operations of token generation and verification are too important to be left to individual developers. They are generic enough that they can be reused.

2) the external interfaces to the tokenization servicess- generate token and verify a token – are very simple

This is a mix that solves important security problem in a simple way and in a way that scales. Frankly there are not too many times in security architecture where this is the case and that makes tokenization on gateways is a design pattern for the long haul.

The post Complexity Management with Tokenization appeared first on Application Security.

HTML5 and API Gateways

Mon, 08 Apr 2013 21:24:13 +0000

So, here are some questions that have been on my mind lately:

How can Enterprises reduce cost drivers for mobile enablement?
Can APIs and HTML5 provide the basis for a long term mobile strategy?
Can Enterprises avoid lock-in with mobile walled gardens? Should they? Why?
What would the architecture look like?

If you are interested in exploring some of these topics,please join me and my colleagues later this week for a webinar at SC World Congress eSymposium. Hope to see you there!

Blake

The post HTML5 and API Gateways appeared first on Application Security.

Security Does Not Need to be Complex to be Effective

Mon, 08 Apr 2013 18:12:39 +0000

Even a 10 year old little girl can prove this fact:

A 10-year-old girl thwarted an abduction attempt after asking a stranger for a code word that he did not know.

A man approached a 10 year old girl outside a public school and attempted to lure the girl into his vehicle. The man told the girl her parents had sent him to pick her up. But the girl and her parents had setup a shared secret code-word for anyone authorized to pick her up from school.

The girl asked for the code word but the suspect got it wrong. She told him it was incorrect and he drove away.

I applaud the parents for a job well done in implementing a simple and effective security solution and to the little girl who deftly executed to it, likely without the need of understanding the grim impacts of failure.

In the security and technology industry, we can learn volumes from this encounter. First, a security savvy person is far more effective than a stack of technical security controls. Second, complexity does not guarantee effectiveness. In fact, simplicity can be more cost efficient and easier to implement. An elegant solution, is one which is accepted, applied, and delivers the preferred result.

As security professionals, we have an opportunity to meet these requirements to deliver an optimal solution through a marriage of inherent human and technical considerations. We must not forget, computer security is a combination of both. The very best solutions enhance the user’s ability to be secure without being cumbersome. Pure elegance.

Mobile Middleware for the Enterprise: API Security Considerations

Thu, 04 Apr 2013 21:58:47 +0000

A few weeks ago I blogged about different Mobile Middleware usage models for enterprise. Continuing that thread, this post will drill down into API security considerations for enterprise mobile apps.

Mobile applications are typically intended for use outside of the corporate network. This requires the enterprise to expose APIs and web services to the Internet, where previously they were made inaccessible by the corporate firewall. While it is a good practice to protect even inward-facing services, the likelihood of a malicious attack is orders of magnitude higher for external-facing APIs.

Even if these services were previously exposed through a web portal, additional security must be considered. Most modern web portals adopt some variation on the classic three-tier architecture, in which only the presentation tier is exposed to the Internet. On the other hand, many web services place business logic at the endpoint, exposing the server. Furthermore, the API server will have access to a database, so a compromised server can lead more directly to data loss.

Classic 3-tier web hosting architecture

A services gateway allows the enterprise to minimize the attack surface for the mobilization program. Rather than having to protect one or more servers for each external-facing API, the proxy model results in a single server or cluster responding to external traffic. The actual web services can then be further restricted, only allowing connections to the gateway and to internal systems inside the DMZ or corporate intranet.

Mobile-optimized two-tier hosting model

A variation on this model, illustrated by the figure below, uses a pair of gateways to securely expose internal APIs while eliminating the need for a duplicate instance of the API deployed to the DMZ. This involves deploying one gateway inside the DMZ and a second gateway inside a secure enclave. Inbound traffic is permitted to access the first instance, while the second instance only accepts traffic from the first. It should be noted that this is only feasible with gateways that can be deployed on-premise due to the need to securely host one gateway inside the secure enclave.

Dual-gateway security for Intranet-hosted services

Use of a security gateway also makes it easier to implement and enforce consistent security policies for all APIs. Instead of adding custom code to each API or tuning each server individually, a consistent set of checks can be performed at the gateway layer. For example, an enterprise can define a package of checks that includes SQL injection scanning, overflow scanning, and cross-site scripting prevention.

For more on the security and other benefits of the gateway facade, download API Patterns for Cloud and Mobile from CITO Research’s Chief Analyst, Dan Wood (foreword by John Musser of ProgrammableWeb).

The post Mobile Middleware for the Enterprise: API Security Considerations appeared first on Application Security.

Inside IT: Balancing Security and User Experience

Wed, 03 Apr 2013 23:03:59 +0000

Intel has implemented a new granular trust model to improve security throughout the enterprise. It’s designed to support key initiatives like IT consumerization and cloud computing. At the same time Intel wants to keep the user experience as seamless as possible. In this podcast we hear from Toby Kohlenberg, Intel IT Senior Information Security Technologist. He gives us an outline of the first version of the new security model, talks about the advantages of dynamic trust calculation, and discusses the challenges of balancing a complex security infrastructure while ensuring a great user

App stores a harbinger of touch in the enterprise? Yep.

Wed, 03 Apr 2013 13:02:51 +0000

Managing the Changing IT Landscape: Touch-Enabled PCs in the Enterprise

A couple of weeks ago, I posted a blog on the emergence of enterprise app stores as a way for IT to gain better control. Today, I want to go one step further: I believe that enterprise app stores mark the beginning of touch-enabled PCs at work.

For consumers, app stores have become the de facto standard for delivering productivity tools, games, and content. As smart phones and other mobile devices become a part of everyday business, CIOs are realizing the power of app stores in the enterprise—both to achieve greater control and to deliver applications optimized for work streams.

Touch is next out of the gates

IT isn’t paring down these apps for mobile devices; on the contrary, it’s optimizing them for touch-based interfaces. And there’s no need for compromise. By building an app strategy that focuses on touch with the Windows* 8 operating system on an Intel®-based device, organizations can get the enterprise-grade solution they need while users get the devices and experiences they love.

Just the other day, I was dialing a colleague using my laptop’s softphone and thinking how much easier it would be to simply touch the numbers on-screen like I’m able to do on my phone. It’s a faster, smoother, and more natural interaction.

Where do you stand on touch-enabled PCs in the enterprise? Which business apps would you want to be touch-enabled first?

Chris
@chris_p_intel
#Consumerization #touchPCs #enterpriseappstore

Can You Put the Eternity Clock Back Together? Doctor Who in the Intel AppUp® center

Tue, 02 Apr 2013 21:42:40 +0000

Are you a Doctor Who fan? Of course you are because you have access to the Internet! If you’ve not jumped on the Doctor Who bandwagon, here’s the deal: Doctor Who is about a guy (The Doctor) who is one part time traveler, one part alien. He travels in his TARDIS, which on the surface looks like a ‘60s-era British police box, but it’s actually a time machine. He’s got some companions that travel with him as they try to save the world, and fix what’s bad. It aired for about 30 years, then went off the air for a few very dark years, and now it’s back and has taken over the web with memes and TARDIS sightings.

We are diehard Doctor Who fans in the Intel AppUp® center and so of course, we had to add two Doctor Who apps: Doctor Who: City of the Daleks and Doctor Who: The Eternity Clock. But we’re not stopping there. Oh no! We really, really want AppUp users to help the doctor and his companion River Song save the universe and time itself so we’re having a discount on The Eternity Clock for the whole month. This awesome app is 60% off! That’s right, for a limited time, you can unravel the mystery of the eternal clock for just $3.99.

Players are equipped with the Doctor’s sonic screwdriver, River’s blaster and other Whovian gadgets while traveling through four time periods and alien locations. But it’s not all wine and roses; players will also face monsters, including Silurians, Cybermen, Daleks and the Silence. Those who destroy foes and solve puzzles will succeed in saving themselves and the rest of civilization.

Okay, that’s a lot of Doctor Who, but I know the Doctor’s fans can’t get enough. To celebrate the 50^th anniversary of Doctor Who, play Clock Quest—prizes include an Ultrabook™ and 100 copies of The Eternity Clock. All you have to do is play Clock Quest to be entered for your chance to win. Go now!

You don’t need to be a Doctor Who devotee to save the world with The Eternity Clock game. But you do need to act quickly to take advantage of the awesome deal on this app and to play Clock Quest for a chance to win an Ultrabook. Get to it!

Visit Intel Android at Droidcon 2013 Berlin on April 8th -10th, 2013 – Win one of two smartphones

Tue, 02 Apr 2013 17:12:18 +0000

1. How to Enter

Scan the NFC tags around the booth (Easter Eggs) and you will receive a URL. Go to URL and answer 4 questions. Hand in your business card with the 4 digit code you receive after ticking the answers and you will enter the raffle Tuesday, April 9^th at 16.30h and Wednesday, April 10^th at 16.15h. The winner will randomly be chosen at the specified times. The winner needs to be present to win (no delegate).

2. Prizes

There are two Orange smartphones with Intel inside available. Each smartphone has a value of €300,--. These prizes are only available to those who download the NFC code within the specified time period: Monday April 8^th to Wednesday April 10th. Winners will be chosen at random. Prizes are not transferable and cash alternatives will not be available. No transport to or accommodation at the event is provided as part of this contest, winners need to make their own arrangements.

3. Criteria of Winning Submission

The contest will be open to application developers, software engineers and others involved in the design and creation of software in a professional or personal capacity in EMEA. Entrants must be aged 18 years or over or must obtain the consent of their parents or legal guardian. Entrants must not be employed by Intel Corporation US, its affiliates and subsidiaries or must not be related to their families, or persons directly involved in the administration of this Prize Draw. Anyone connected to the contest, including but not limited to Intel employees, is ineligible for entry. The contest is open to residents of the EMEA countries. All national and local laws and regulations apply. The contest is governed by the laws applicable in ‘Germany.

4. Selection of the Winners

Winners will be chosen at random from the pool of those who entered their contact details for the prize draws, Tuesday April 9^th at 4.30h pm and Wednesday April 10^th at 4.15h pm.

5. List of Winners

Entrants to this contest accept that Intel GmbH (“Intel”) may name the winners of the prizes in public.

6. Delivery of the Prizes to the Prize Winners

The Prize will be delivered on the day of the prize draw.

Legal Documents

Intel Android at Droidcon Berlin NFC Draw Contest Rules

These rules (including the Intel Privacy Policy and the Terms of Use) govern the Orange smartphone raffle chance-based contest (the “contest”) and set out the terms and conditions between Intel Corporation and its affiliates (“Intel” or “us/we”) and each participant (“participant” or “you”).

You are eligible to participate in the contest if you are 18 and older.
No purchase necessary. Purchase does not increase your chance of winning. Void wherever prohibited.
You must speak, read and understand English and you must be aged 18 years or over or you must obtain the consent of your parents or legal guardian before you participate in the contest. If you register for the contest or if you accept any contest prizes, you accept these rules. Employees of Intel Corporation, its affiliates, subsidiaries, advertising and promotion agencies, and the immediate families of each may not enter. This limitation is void where prohibited.
The contest is open to residents of the EMEA countries only. All national and local laws and regulations of the resident’s country of residence apply.
We may refuse your entry for any good reason.
Apart from prizes offered as part of the contest, no monetary compensation will be paid for any of your contest entries.
Intel is not responsible for contest entries not received due to lost, failed, delayed or interrupted connections or miscommunications, or other electronic malfunctions. Intel is not responsible for incorrect or inaccurate entry information, whether caused by you or any other persons or by any of the equipment or programming associated with or utilized in the contest.
You may be required to sign and return releases of liability, declarations of eligibility, and where lawful, publicity consent agreements, within five (5) days of acknowledged notification. If minors are allowed to enter and a prize is won by a minor, all required documentation must be signed by the parent/legal guardian. If a selected potential winner cannot be contacted, is ineligible (under these rules or due to a failure to comply with any of the other applicable policies, licenses, rules, and terms of service, fails to claim a prize, or fails to timely return the completed and executed releases/agreements as required), prize may be forfeited and an alternate potential winner may, at Intel’s discretion, be selected. Physical prizes awarded for the winning entries will be given to participants at the date of the notification at the event.
Prizes are personal to the participant submitting the winning entry and cannot normally be transferred. All prizes are subject to availability and they may change at any time and Intel may award substitute prizes of equal or greater value. A cash alternative is not available. Odds of winning depend on the total number of eligible entries received.
The winner accepts responsibility for all federal, state and local taxes and fees in connection with the prizes. The winner shall be solely responsible to obtain all permissions and authorizations to collect and receive the prize in accordance with the laws of the participant’s country of residence. This contest is void where prohibited or restricted by law, and subject to applicable federal, state provincial and local laws. If the winner is a resident of a country in Latin America, cash prizes will be replaced by goods and/or services of equal value in Intel’s sole discretion.
Entry to the contest is restricted to one entry per person.
Acceptance of the prize will constitute permission to use winner’s name and/or likeness for promotional purposes without further compensation except where prohibited by law.
Intel does not provide any warranty on the prizes. To the fullest extent allowable by law, Intel specifically disclaims any representations or warranties, express or implied, regarding the prizes, including any implied warranty of merchantability or fitness for a particular purpose and implied warranties arising from course of dealing or course of performance.
We may, on notifying you, immediately suspend or terminate your rights, if you breach these rules or if we reasonably believe that you have submitted an entry in violation of these rules.
Intel reserves the right, in its sole discretion, to suspend or cancel the contest at any time for any reason.
You can withdraw your entry at any time by notifying us. If your entry is withdrawn your rights to win a prize in this contest are lost.
These rules apply to your entry unless we provide any items to you under more specific terms, in which case those more specific terms will apply to the relevant items. We may make changes to these rules at any time without notice to you. The most current version of the rules can be reviewed on the Intel® SN website (www.intel.com/software). Accepting prizes will constitute acceptance of the revised rules.
Our only responsibilities with respect to the contest are set out in these rules. These rules prevail in the event of any conflict or inconsistency with any other communications, including advertising or promotional materials.
For any feedback or questions regarding the contest or the prizes you can contact Intel by sending an email to Beatrice.fraedrich@intel.com
If Intel improperly denies you any prizes, Intel's entire liability and your sole and exclusive remedy will be limited to a distribution of the equivalent amount of prizes as set forth above. By participating in the contest, you waive any and all rights to bring any claim or action related to such matters in any forum beyond one (1) year after the first occurrence of the kind of act, event, condition or omission upon which the claim or action is based.
If for any reason this contest is not capable of running as planned due to infection by computer virus, bugs, tampering, unauthorized intervention, fraud, technical failures, or any other causes beyond the control of Intel which corrupt or affect the administration, security, fairness, integrity, or proper conduct of this contest, Intel reserves the right at its sole discretion, to disqualify any individual who tampers with the entry or voting process, and to cancel, terminate, modify or suspend the contest.
Intel assumes no responsibility for any error, omission, interruption, deletion, defect, delay in operation or transmission, communications line failure, theft or destruction or unauthorized access to, or alteration of entries. Intel is not responsible for any problems or technical malfunction of any telephone network or telephone lines, computer online systems, servers, or providers, computer equipment, software, failure of any e-mail or entry to be received by Intel on account of technical problems, human error or traffic congestion on the internet or at any web site, or any combination thereof, including any injury or damage to participant's or any other person's computer relating to or resulting from participation in this contest or downloading any materials in this contest.
The promoter of this contest is Intel. The contest is administered by: Intel GmbH, Dornacher Strasse 1, 85622 Feldkirchen, +49 89 9914 3368, beatrice.fraedrich@intel.com

Intel is a trademark of Intel Corporation in the U.S. and other countries.

*Other names and brands may be claimed as the property of others.

Android Event Blog

Icon Image:

Event

Work/Life/School—It’s All Possible at Intel

Tue, 02 Apr 2013 14:06:46 +0000

I’ve been to 22 different Intel campuses in 6 different countries in my 14 years at Intel. One thing is consistent – Intel employees’ spirit of wanting to always do better. Always wanting to BE better. It’s in our DNA. That’s one of the things that makes people love it here at Intel, or prompts them to move on if one is not so inclined – and that’s okay.

Recently, one of our manufacturing groups formed a partnership with the University of Arizona to establish a pretty amazing distance learning opportunity. Employees in Intel’s Fab/Sort Manufacturing group will be able to earn their Bachelor degree in Materials Science and Engineering, while still working at Intel.

Representatives from Intel and the University of Arizona celebrated the kick-off event at Intel’s Ocotillo site

It’s very difficult to go to school and work at the same time. Believe me, I know. What’s really great about this program is that Intel will support it from a work/life standpoint. That means employees’ managers will help them balance the requirements of a busy job with the demands of their educational program. Tuition assistance will also be available to eligible employees. It’s a clear commitment to learning and will be huge to those who participate.

One of the Intel sites I visited was our fabrication site (also called a “fab”) in Rio Rancho, New Mexico. I was lucky enough to get a tour of the fab. Got to put on the bunny suit and everything. I was blown away by the extent and complexity of the engineering. After touring the fab and seeing the incredible technology there, how could you not want to learn more?

This new program facilitates that and eliminates the need for our employees to quit for a few years in order to start and/or finish school. Good thinking, guys. I like your DNA.

The post Work/Life/School—It’s All Possible at Intel appeared first on Jobs@Intel Blog.

OpenCL Developers Kit 2013 Now Available with support for OpenCL 1.2 and future 4th Gen Intel® Core™ Processor

Tue, 02 Apr 2013 13:07:09 +0000

If you’re working on a cutting-edge visual computing application, download the new release the Intel® Software Development Kit (SDK) for OpenCL Applications 2013 to realize efficiency, performance and power savings. The new SDK includes certified OpenCL 1.2 support on 3rd and future 4th generation Intel® Core™ processors running Microsoft Windows* 7 and 8 operating systems.

A new graphics driver lets you utilize the compute resources simultaneously of both the Intel® CPU and I
ntel HD Graphics. By taking advantage of the general purpose programing of OpenCL coupled with the hardware acceleration capability of Intel HD Graphics, your application can get better performance and improved battery life on Intel Core platforms like Ultrabook™ and other low-power devices as well as high-end notebooks and All-In-One PCs. The SDK is ideal for content creation applications like video editing, music creation, and photo editing. You can now download a free copy of Intel SDK for OpenCL Applications 2013 here.

What are the key new features of the Intel® SDK for OpenCL Applications 2013?

The new Intel SDK for OpenCL Applications 2013 brings improvements and new features both in the OpenCL driver and the development tools.

What New Features are Supported by the OpenCL Driver?

OpenCL* 1.2 Support: Across both 3rd and future 4th generation Intel Core Processors and across both CPU and Intel® HD Graphics
Performance Improvements: For both CPU and Intel HD Graphics.
Windows 8* Operating System Support: Windows 7 support continues
Enhanced Interoperability with Media and Graphics APIs

Sharing memory objects with Microsoft* DirectX* 11
Tightly integration with OpenGL* with new support for depth images and sharing of multi-sampled textures.
Standard based memory object sharing with Microsoft* DirectX* 9 for media surfaces.
Interoperability with Intel Media SDK 2013 and Intel Perceptual Computing SDK 2013

What’s New in OpenCL Development Tools?

Integration with Microsoft Visual Studio* 2012
New standalone Kernel Builder (included in the SDK package) with:

Dynamic performance analysis of OpenCL kernels
Full support for both Intel HD Graphics and CPUs.
Support for new OpenCL 1.2* features like compile and link of OpenCL programs.

Enhanced Integration with Profiling Tools, Amplified Coverage of the Intel HD Graphics

Intel® HD Graphics OpenCL profiling support with Intel Graphics Performance Analyzers 2013 R1
Enhanced profiling support with Intel® VTune™ Amplifier XE 2013 Update 4 or higher

OpenCL Kernel Source Code Hotspots Analysis on the CPU
Preview feature: Intel® HD Graphics OpenCL profiling

Kernel Builder - standalone utility to create, analyze, and build OpenCL kernels

Download the SDK for free at intel.com/software/opencl

Don’t forget to follow us on Twitter at @IntelOpenCL

Regards,

Arnon Peleg, Intel® SDK for OpenCL Product Management

OpenCL Application

openCL

OpenCL SDK

Icon Image:

News

The Intel Xeon Phi coprocessor: What is it and why should I care? Part 2: Getting even more parallelism

Mon, 01 Apr 2013 23:00:14 +0000

TITLE: “The Intel Xeon Phi coprocessor: What is it and why should I care?”

PART 2: “Getting even more parallelism”

In part 1, we talked about how it was possible to squeeze all those 60+ cores onto one slab of silicon. Even so, 60+ Intel® Pentiums® processors do not get you all the way to the actual performance of an Intel Xeon Phi coprocessor. You need to be able to magnify the computational advantage of those 60+ cores even further, and given the design of the Intel MIC architecture, that means even more parallelism. The designers found two different ways of magnifying the capability of each of those Intel® Pentium® generation cores. The first was by increasing the number of hardware threads that can execute per core. Do you recall a claim that we only use a quarter of the capability of our brain? The same can be said of a computer core. It has a whole host of capability there, but much of it lies unused. For example, if you are doing an add instruction, what is the multiplication circuitry doing, playing Pinochle?

That circuitry is just sitting there idle, taking up room and energy but doing little else. So why not use it? Intel® did just that by enabling cores to execute multiple instructions simultaneously, assuming that they did not need the same circuitry at the same time. Modern IA cores do this today by allowing two hardware threads to execute simultaneously. Given the special purpose environment of the Intel Xeon Phi coprocessor, the designers knew they could get away with four simultaneous threads. Now remember, four simultaneous instructions is the maximum per core. The actual number of HW threads you can get away with will vary. For the well-optimized application, it is roughly three.

Even given four threads executing per core, it was still not enough given the generational difference between the modern big core and the Intel® Pentium® generation. The Intel MIC Architecture still needed more parallelism.

First let me give you some background. SIMD is Single Instruction, Multiple Data. This describes one of four possible computer architectures as defined by Flynn in 1966. The conventional computers we are all familiar with are SISD, or Single Instruction, Single Data. SISD means that the computer can execute only one instruction on one piece of data at one time. SIMD is where you have that one instruction operating on multiple pieces of data simultaneously. Here is a simple way to visualize this. Say we have eight pairs of numbers to add. A SISD computer, i.e. a conventional computer, will perform eight adds, one right after another. In contrast, a SIMD computer will lay both sets of eight data items in a row, and execute that same instruction simultaneously, i.e. in parallel, on each pair. Thus you have a Single Instruction operating simultaneously on Multiple Data.

Most modern processors since the Intel® Pentium® generation have had this SIMD capability. For example, the Intel® Pentium® processor with its MMX™ SIMD technology could add two floating point numbers, or 64-bits, simultaneously. So in our above example, the Intel® Pentium® processors could theoretically add those eight FP (floating point) values in four instructions by taking two at a time. Life, and the computer industry, have not been idle since the Intel® Pentium® MMX™ days and have constantly expanded upon the original MMX™ SIMD technology. Intel® AVX, the latest generation, has a 256-bit (eight FP values) SIMD engine compared to the Intel® Pentium® processor’s 64-bit (two FP values) SIMD engine.

This is how the Intel MIC Architecture gets the scaling it needs. It combines a large number (i.e. many) of Intel® Pentium® generation cores (60+), enhances those cores with the ability to run four threads per core, and adds to that a whopping 512-bit (16 FP value) SIMD engine. Putting it all together, you have the capability to do greater than 60*4*16 = 3840 instructions, simultaneously. Unfortunately, this does not translate to 3840 simultaneous FP operations since only one of those four threads can use the SIMD engine at a time.

Next: PART 3: “Splitting Hares and Tortoises too”

Intel Xeon Phi Coprocessor

Intel Xeon Phi

Xeon Phi

KNC

Knights Corner

MIC

Taylor Kidd

Many Core

manycore

Icon Image:

Technical Article

The Evolution of Game Development: Everything Old is New Again (and vice versa)

Mon, 01 Apr 2013 22:48:15 +0000

According to a recent survey of game developers, the industry is seeing a slow but steady shift away from console development towards PC and mobile games:

“Thirteen percent of respondents called themselves current PS3 developers, and just 12.4 percent planned their next game for the PS3. The Xbox 360 only does slightly better: 13.2 percent for now, and 14 percent for the future. (Eleven percent of the devs polled said they're making games for the next-generation PlayStation 4 and the "Xbox 720," or whatever Microsoft ends up calling the 360's successor.)

And don't even think about Nintendo's Wii or dedicated handheld game devices. Just 4.6 percent of developers are actively making a Wii game, although 6.4 percent say they'll do so in the future. A mere 4.2 percent are working PlayStation Vita games, with about 5 percent saying they have future plans. Barely 2.8 percent say they're developing future games for the Nintendo DS.” - ReadWriteWeb

The survey went on to say that 48% of developers are developing current games for this platform, and 49% are planning their next games for the PC. Tablets and smartphones are grabbing most developers’ time and interest, with 58% and 56% (respectively) interested in developing games for these platforms.

The rise of the PC in game development

Console sales are falling. According to one industry analyst, sales of video game consoles, accessories, and software fell in 2012 by 28%. The top-selling game in 2012 was for PCs, which boosted year over year sales by 230%:

"Historically the PC game market has taken a lead in commercial innovation compared to the console sector," said Piers Harding-Rolls, senior principal analyst and head of games for IHS Screen Digest. "This innovation has extended to business model -- the introduction of subscriptions and micro-transactions -- and across digital business." – “Is PC Gaming Making a Comeback?” – CNN Tech

Over $20 billion in sales were made in 2012 for PC games alone, and this number is estimated to go even higher in 2013 even though mobile and social gaming are the most popular that they have ever been. Yearly growth of the PC game market according to a report released from gaming industry watchdog PC Gaming Alliance was 8%, with more than a billion PC gamers estimated around the world:

“The PC Gaming industry showed strong overall growth of 8% in 2012, partly as a result of the Chinese market gaining traction in the $20 billion global market with record revenues of $6.8 billion,” said DFC analyst David Cole. “In spite of media focus on mobile games and struggling social network games, there are now over 1 billion PC gamers worldwide and that number will continue to grow as more PCs connect online.” - PC Gaming Alliance

Perhaps the strongest advantage that PCs have over consoles in the realm of game development is simply the fact that many people already own a PC, and there’s no need to go out and purchase an expensive system that could be relatively obsolete in a year. PCs are easily upgraded and can be somewhat easily fixed (if you know what you’re doing, of course).

Factors that influence the move away from consoles

Why are developers moving away from consoles and towards PC and mobile game development? According to some studios, money is definitely something that is influencing this move:

“Mobile platforms are much more open than a console, and don’t have the restrictions of a working with a publisher. Console game development comes with a much bigger price: big title console game studios maintain budgets around $80 - $100 million, while most small to mid-size mobile gaming studios have budget closer to $200,000 - $400,000.

However, mobile game development budgets are growing because of the final contributing factor: earnings potential. Supercell reports earnings around $1 million per day for its games, and Gungho’s Puzzles and Dragons game is bringing in around $2 million daily. The monetization potential on mobile is much higher, and coupled with a lower development cost, there’s a huge opportunity to earn significant revenue.” – “Game over? Video game and console sales take a head shot”, LA Biz Journals

While money is certainly something that needs to be factored in, there are other issues that come into play. According to a presentation given by Valve Software on cross-platform game development, common issues include:

Developer efficiency
Certification failure
User experience
Programming issues

The presentation is quite long and is meant as a higher level look at cross-platform development; however, the basic takeaway is this: “If it runs well on console, it’s easy to make it run well on PC.” That’s really the $64,000 question though – how many games run well enough on consoles to make the transition to PC easy; or if not easy, at least justifiable?

Different games run on different platforms, operating systems, device models, different screen adaptations, aspect ratios, even different versions of the same platform. Developing games for all the different platforms out there is (to say the least) a time-consuming process. Developers have to optimize game projects for each device, taking the time to test everything so there aren’t problems down the road. While it’s certainly fantastic that we have a wide variety of devices available to us as consumers, for developers, making games that will function on the majority of the devices on the market is becoming an increasingly more difficult task.

Retro gaming is making a comeback

Don’t count out the console just yet, though. There’s definitely a strong audience for new releases of retro games on both new and classic consoles, as well as the PC and mobile devices. In addition, emulators on the PC, Wii, and smartphones can make retro games function just as well as their more recent counterparts. This isn’t necessarily something that pays well (or even at all); it’s more of a hobby for dedicated developers who are looking to revitalize a fond memory from their younger days:

“When we first started to talk about developing a game for the Mega Drive we had no intentions of turning it into a hit. When the group of developers and designers first gathered after talking on forums about retro games, we simply took the idea seriously and began to work. It felt like being twelve years old and the boss of the arcade game room….. All of our team members have jobs that have little to do with games,” says Roel van Mastbergen of Dutch indie studio Senile Team, which released Rush Rush Rally Racing for the Dreamcast to celebrate its tenth anniversary in 2009. “Game development is just something we love to do in our spare time - if we have any.” – “Meet the Gamers Keeping Retro Consoles Alive”

How many of us have old Gameboys, SEGAs, even an Atari (now that’s a blast from the past!) systems kicking around collecting dust? These systems aren’t as fancy as their current counterparts, but for sheer nostalgia they can’t be beat.

Where will game developers go next?

From consoles to PC to mobile, there are a lot of choices out there for game developers. Problems are inherent on whichever platform they choose, and it’s going to be intriguing to see where the industry continues to head. As a developer, what do you think of the move away from console development? What do you think is the current state of game development and where is the industry headed next? Please share your comments.

game development

gdc

Game Developers

Icon Image:

Technical Article

Ultimate Coder 2, Week 6 :: Glossal Input Schema

Mon, 01 Apr 2013 22:24:48 +0000

We’re fresh back from GDC and wow…what a great conference! We had so much fun meeting the other contestants, making fun of Lee, and showing off Stargate Gunship to hordes of Stargate fans. Any day you can make a fanboi literally squeak in delight – that’s a good day.

But one of the real high points of the conference was a real-world field test of a technology we’ve been tinkering with for the last several weeks:
Tongue Tracking.

I know that might come as a surprise but consider the following:

The tongue is easily identifiable as a landmark with sharp edges and a definite ‘point.’
For the typical user, the tongue is a highly agile appendage with far-greater accuracy and lower latency than landmarks like the nose or chin.
The tongue moves independently of other landmarks like the eyes or head.

In short, the tongue provides unique advantages in the perceptual environment and could provide an entirely untapped resource for full-facial input modalities.

To give credit where it’s due, we really must cite the decades long and pioneering work of Dr. G. Simmons who says of his own work, “You can't go through life and leave things the way they are. We can all make a difference, and if I die today, I know I made a difference." (Read more at: http://www.brainyquote.com/quotes/authors/g/gene_simmons.html#6H0IHxJPUkSGvFRh.99)

Mr. Simmons has been an advocate of glossal and lingual efficacy since the early 70s but technology has been a limiting factor in his work. Tools like the perceptual camera offer a real opportunity to see this as a genuine path for further exploration. In our case, we created a special gesture, the SDS, which is used to activate the tongue-tracking feature. As you’ll see in the video, once activated the glossal translation is easily mapped to, in our case, the motion of the camera within the scene.

We hope this work can be a stepping-stone to greater use of alternate input methods and look forward to possible future collaboration with Dr. Simmons and other in this exciting field.

Stargate Gunship Gene Simmons Perceptual Mode at GDC

Icon Image:

Contest

Technical Article

Ultimate Coder Challenge: Sixense Studios – Week 6

Mon, 01 Apr 2013 17:47:08 +0000

Hey everyone, chip from Sixense reporting in once again. Wow, I am beat. Two days after GDC and my feet are still throbbing. I slept most of Saturday away and now here I am wide awake on on Sunday night with a messed-up sleep schedule. This seems like as good a time as any to write our blog post. At least by writing it now, I can sleep in a bit longer tomorrow.

GDC

Although GDC week was busy and exhausting, we had a fantastic show. It was great to meet so many of our fellow contestants in person. There are some great projects coming out of this contest and it’s inspiring to see them all first-hand. Great job everyone!

On the GDC show floor, we were running Puppet In Motion on the Yoga at 60fps and we could have two people interacting with the puppets at once. We were also able to use the recording feature, which was a fun surprise for unsuspecting users. :) Here’s one of the videos we recorded on the show floor:

PuppetInMotion-GDC2013

Scope

In the two weeks since our last post, we have been honing in on delivering a solid core experience. Even though we had parts of the online multiplayer working, we decided that it was too ambitious for the scope of the contest. Instead we focused on solidifying the movie capture/export process, since being able to share the stories you create is fundamental to what we are trying to do. We also (foolishly) upgraded our Unity installations, which resulted in lots of errors and editor crashes. We rolled back to the version we had started the project with (4.01), but ended up losing about a day in productivity.

Puppet and Set Interaction

We finally got one of our pigs rigged and brought into the game. It was pretty easy to hook the model up to our puppet controller. This time around, we had a puppet animating within 4-5 minutes after importing it! Danny learned quite a bit about Unity and physics collisions due to all the work he did for the Oculus Rift + Razer Hydra VR demo we put together for GDC. He was able to get our puppets colliding with the world and constrained to a “box” around the camera so that they wouldn’t fly off-screen. This “fix” will be an iterative process because there are times when we will want the puppets to move off-screen. Ragdoll is another great feature we were able to revive. This makes the puppets a little more dynamic and adds some life to the otherwise stiff puppets. Personally, the floppy ears are my favorite.

Art and Performance

In the art department, Dan has been busy populating the scene and wow it is looking great! Of course, we then needed to aggressively optimize it for the Lenova and the application's debut at GDC. We had issues with alpha cards being used for plants and far tree assets maxing our fillrate so we’ve been swapping these out for higher poly cutout versions; trading texture expense for poly count. In the end we had the Lenova ultrabook running at 60fps and 30fps or more while recording.

Polish

GDC left us with a lot of user feedback that we’re now incorporating into Puppet In Motion. There’s not much time left in this contest, so we’ll be working hard to ensure we deliver the best experience we can. If you were at GDC, we hope you had fun with our demos.

Lastly, It was great to meet everyone in person at the Intel Coder Challenge dinner at GDC!

ultimate coder

ultimate coder challenge

ultrabook

Icon Image:

Contest

Infrared5 Ultimate Coder Week Six: GDC, Mouth Detection Setbacks, Foot Tracking and Optimizations Galore

Mon, 01 Apr 2013 16:22:46 +0000

For week six Chris and Aaron made the trek out to San Fransisco to the annual Game Developers Conference (GDC) where they showed the latest version of our game Kiwi Catapult Revenge. The feedback we got was amazing! People were blown away at the head tracking performance that we’ve achieved, and everyone absolutely loved our unique art style. While the controls were a little difficult for some, that allowed us to gain some much needed insight into how to best fine tune the face tracking and the smartphone accelerometer inputs to make a truly killer experience. There’s nothing like live playtesting on your product!

Not only did we get a chance for the GDC audience to experience our game, we also got to meet some of the judges and the other Ultimate Coder competitors. There was an incredible amount of mutual respect and collaboration among the teams. The ideas were flowing on how to help improve each and every project in the competition. Chris gave some tips on video streaming protocols to Lee so that he will be able to stream over the internet with some decent quality (using compressed JPEGs would have only wasted valuable time). The guys from Sixense looked into Brass Monkey and how they can leverage that in their future games, and we gave some feedback to the Code Monkeys on how to knock out the background using the depth camera to prevent extra noise that messes with the controls they are implementing. Yes, this is a competition, but the overall feeling was one of wanting to see every team produce their very best.

The judges also had their fair share of positive feedback and enthusiasm. The quality of the projects obviously had impressed them, to the point that Nicole was quoted saying “I don’t know how we are going to decide”. We certainly don’t envy their difficult choice, but we don’t plan on making it any easier for them either. All the teams are taking it further and want to add even more amazing features to their applications before the April 12th deadline.

The staff in the Intel booth were super accommodating, and the exposure we got by being there was invaluable to our business. This is a perfect example of a win-win situation. Intel is getting some incredible demos of their new technology, and the teams are getting exposure and credibility by being in a top technology company’s booth. Not only that, but developers now get to see this technology in action, and can more easily discover more ways to leverage the code and techniques we’ve pioneered. Thank you Intel for being innovative and taking a chance on doing these very unique and experimental contests!

While Aaron and Chris were having a great time at GDC the rest of the team was cranking away. Steff ran into some walls with mouth detection for the breathing fire controls, but John, Rebecca and Elena were able to add more polish to the characters, environment and game play.

John added on a really compelling new feature - playing the game with your feet! We switched the detection algorithm so that it tracks your feet instead of your face. We call it Foot Tracking. It works surprisingly well, and the controls are way easier this way.

Steff worked on optimizing the face tracking algorithms and came up with some interesting techniques to get the job done.

This week’s tech tip and code snippet came to us during integration. We were working hard to combine the head tracking with the Unity game on the Ultrabook, and ZANG we had it working! But, there was a problem. It was slow. It was so slow it was almost unplayable. It was so slow that it definitely wasn’t “fun.” We had about 5 hours until Chris was supposed to go to the airport and we knew that the head tracking algorithms and the camera stream were slowing us down. Did we panic? (Don’t Panic!) No. And you shouldn’t either when faced with any input that is crushing the performance of your application. We simply found a clever way to lower the sampling rate but still have smooth output between frames.

The first step was to reduce the number of times we do a head tracking calculation per second. Our initial (optimistic) attempts were to update in realtime on every frame in Unity. Some computers could handle it, but most could not. Our Lenovo Yoga really bogged down with this. So, we introduced a framesToSkip constant and started sampling on every other frame. Then we hit a smoothing wall. Since the head controls affect every single pixel in the game window (by changing the camera projection matrix based on the head position), we needed to be smoothing the head position on every frame regardless of how often we updated the position from the camera data. Our solution was to sample the data at whatever frame rate we needed to preserve performance, save the head position at that instant as a target, and ease the current position to the new position on every single frame. That way, your sampling rate is down, but you’re still smoothing on every frame and the user feels like the game is reacting to their every movement in a non-jarring way. (For those wondering what smoothing algorithm we selected: Exponential Smoothing handles any bumps in the data between frames.) Code is below.

using UnityEngine;
using System.Collections;
using System;
using System.Runtime.InteropServices;

public class IntelPerCompController : MonoBehaviour 
{
 private Vector3 facePosition = new Vector3(0.0f, 0.0f, 0.5f);
 private Vector3 targetFacePosition = new Vector3(0.0f, 0.0f, 0.5f);
 private FaceTrackerWrapper faceTracker;
 private bool faceTrackingIsWorking = false;
 // storage for the number of frames we have to play until we need to get an update from
 // the camera (on head position)
 private uint cntToNextUpdate = 0;
 // the number of frames to skip to reduce the sampling rate to the camera
 private const uint framesToSkip = 2;
 private bool showOpenCVWindow = false;
 private bool gotUpdateFromCamera = false;

 public Vector3 fireDirection;

 void Start() 
 {
 Debug.Log("IntelPerCompController :: Start");
 fireDirection = new Vector3(0, 0, 1);
 faceTracker = new FaceTrackerWrapper();
 // location of the haar cascade file for openCV to load in the DLL
 string haarPath = @"./Assets/haarcascade_frontalface_alt.xml";
 int a = faceTracker.InitTracking(haarPath);
 // save if we initialized successfully
 faceTrackingIsWorking = (a == 0);
 // output result to log
 Debug.Log("faceTrackingIsWorking = " + faceTrackingIsWorking);
 }


 void OnDestroy()
    {
 //Debug.Log("OnDestroy");
 // shut down the camera
 //faceTracker.EndTracking();
    }


 void Update()
 {
 if (faceTrackingIsWorking)
 {
 gotUpdateFromCamera = false;
 // check if we're due to update the head position from the camera data
 if (cntToNextUpdate == framesToSkip)
 {
 // always check if we have successfully advanced frames
 gotUpdateFromCamera = faceTracker.AdvanceFrame();
 //Debug.Log("gotNewFrame = " + gotNewFrame);

 if (gotUpdateFromCamera)
 {
 // get the values for the new face position
 float newX = faceTracker.GetFaceX();
 float newY = faceTracker.GetFaceY();
 float newZ = faceTracker.GetFaceZ();
 Vector3 newPos = new Vector3(newX, newY, newZ);
 // save the new value in facepos for the projection calc and to smooth on the next frame
 targetFacePosition.x = newPos.x;
 targetFacePosition.y = newPos.y;
 targetFacePosition.z = newPos.z;
 //Debug.Log("facePosition = " + facePosition);

 // reset the count to the next camera update
 cntToNextUpdate = 0;
 }
 }
 else
 {
 // count until we need to make a new update
 cntToNextUpdate++;
 }
 // smooth on every frame toward the last target position from the camera
 facePosition = DataSmoothingUtil.ExponentialSmoothing3(targetFacePosition, facePosition, 0.18f);
 }
 // check if the user is holding down the left cntrl key
 if (Input.GetKey(KeyCode.LeftControl))
 {
 // if w, toggle the results window
 if (Input.GetKeyDown(KeyCode.W))
 {
 showOpenCVWindow = !showOpenCVWindow;
 faceTracker.ShowResultsWindow(showOpenCVWindow);
 }
 // if q, quit the app
 if (Input.GetKeyDown(KeyCode.Q))
 {
 Application.Quit();
 }
 }
 }


 void LateUpdate() 
 {
 // still update every frame to show the last smoothed result
 if (faceTrackingIsWorking)
 {
 float n = Camera.main.nearClipPlane;
 float f = Camera.main.farClipPlane;

 // all below in real world space
 // screen's bottom left corner 
 Vector3 pa = new Vector3(-0.145f, -0.135f, 0.02f);
 // screen's bottom right corner
 Vector3 pb = new Vector3(0.145f, -0.135f, 0.02f);
 // screen's top left corner
 Vector3 pc = new Vector3(-0.145f, 0.1f, 0.0f);
 // face position 
 Vector3 pe = new Vector3(-facePosition.x, -facePosition.y, facePosition.z);
 //Debug.Log("pe: " + pe);

 Camera.main.projectionMatrix = generalizedPerspectiveProjection(pa, pb, pc, pe, n, f);

 // calculate the direction that things should fire (so it feels like it is coming from your head)
 Vector3 p = Camera.main.ViewportToWorldPoint(new Vector3(0.5F, 0.5F, 10.0F));
 //q.SetFromToRotation(p, Camera.main.transform.position);
 // store the fireDirection as a normalized vector (for fun!! or possible smoothing later if needed)
 p = p - Camera.main.transform.position;
 fireDirection = p.normalized;
 Quaternion q = new Quaternion();
 q.SetLookRotation(fireDirection);
 PlayerController.Instance.CurrentHeadRotation = q;
 }
 }


 Matrix4x4 generalizedPerspectiveProjection(Vector3 pa, Vector3 pb, Vector3 pc, Vector3 pe, float n, float f) 
 {
 // Compute an orthonormal basis for the screen.
 Vector3 vr = pb - pa;
 vr.Normalize();
 Vector3 vu = pc - pa;
 vu.Normalize();
 Vector3 vn = Vector3.Cross(vr, vu);
 vn.Normalize();

 // Compute the screen corner vectors.
 Vector3 va = pa - pe;
 Vector3 vb = pb - pe;
 Vector3 vc = pc - pe;

 // Find the distance from the eye to screen plane.
 float d = -Vector3.Dot(va, vn);

 // Find the extent of the perpendicular projection.
 float m = n / d;
 float l = Vector3.Dot(vr, va) * m;
 float r = Vector3.Dot(vr, vb) * m;
 float b = Vector3.Dot(vu, va) * m;
 float t = Vector3.Dot(vu, vc) * m;

 // projection matrix 
 Matrix4x4 p = Matrix4x4.identity;
 p[0,0] = 2.0f * n / (r - l);
 p[0,1] = 0.0f;
 p[0,2] = (r + l)/(r - l);
 p[0,3] = 0.0f;

 p[1,0] = 0.0f;
 p[1,1] = 2.0f * n / (t - b);
 p[1,2] = (t + b) / (t - b);
 p[1,3] = 0.0f;

 p[2,0] = 0.0f;
 p[2,1] = 0.0f;
 p[2,2] = (f + n) / (n - f);
 p[2,3] = 2.0f * f * n / (n - f);

 p[3,0] = 0.0f;
 p[3,1] = 0.0f;
 p[3,2] = -1.0f;
 p[3,3] = 0.0f;

 // rotation matrix;
 Matrix4x4 rm = Matrix4x4.identity;
 rm[0,0] = vr.x;
 rm[0,1] = vr.y;
 rm[0,2] = vr.z;
 rm[0,3] = 0.0f;

 rm[1,0] = vu.x;
 rm[1,1] = vu.y;
 rm[1,2] = vu.z;
 rm[1,3] = 0.0f;

 rm[2,0] = vn.x;
 rm[2,1] = vn.y;
 rm[2,2] = vn.z;
 rm[2,3] = 0.0f;

 rm[3,0] = 0.0f;
 rm[3,1] = 0.0f;
 rm[3,2] = 0.0f;
 rm[3,3] = 1.0f;

 // translation matrix;
 Matrix4x4 tm = Matrix4x4.identity;
 tm[0,0] = 1.0f;
 tm[0,1] = 0.0f;
 tm[0,2] = 0.0f;
 tm[0,3] = -pe.x;

 tm[1,0] = 0.0f;
 tm[1,1] = 1.0f;
 tm[1,2] = 0.0f;
 tm[1,3] = -pe.y;

 tm[2,0] = 0.0f;
 tm[2,1] = 0.0f;
 tm[2,2] = 1.0f;
 tm[2,3] = -pe.z;

 tm[3,0] = 0.0f;
 tm[3,1] = 0.0f;
 tm[3,2] = 0.0f;
 tm[3,3] = 1.0f;

 return p * rm * tm;
    }
}

Feeling good about the result, we went after mouth open/closed detection with a vengeance! We thought we could deviate from our original plan of using AAM and POSIT, and lock onto the mouth using a mouth specific Haarcascade on the region of interest containing the face. The mouth Haarcascade does a great job finding and locking onto the mouth if the user is smiling - which is not so good for our purposes. We are still battling with getting a good lock on the mouth using a method that combines depth data with RGB, but we have seen why AAM exists for feature tracking. It’s not just something you can cobble together and have confidence that it will work well enough to act as an input for game controls.

Overall, this week was a step forward even with part of the team away. We’ve got some interesting and fun new features that we want to add as well. We will be sure to save that surprise for next week. Until then, please let us know if you have any questions and/or comments. May the best team win!

Intel Ultimate Coder Challenge II

ultimate coder

Perceptual Computing

Icon Image:

Contest

Technical Article

Ultimate Coder Challenge II : Lee Going Perceptual : Week Six

Sun, 31 Mar 2013 09:03:36 +0000

Live From The USA

I write my penultimate blog of the Ultimate Coder Challenge II from the comfort and isolation of my GDC hotel room, where I spent the Saturday coding away on my Perceptucam app.

To recap, my app attempts to create a virtual teleconferencing call between two users, tapping into the Gesture Camera to re-create the user as a 3D avatar in a virtual boardroom. This experience is augmented with a touch based sketch pad, which the called user can view and contribute towards.

UCCII Video Blog Six - Whispered Report

I can report that the GDC event was amazing, and it was really great to meet the other challenge contestants in person. A fantastically talented bunch of guys and gals you could ever hope to meet and I look forward to meeting again at the next developer hang-out.

The App So Far

I have just finished my coding for the night, and I have some observations and progress to report for the current state of the app and where it will be going in the next seven days. At GDC I was able to demonstrate the app to visitors at the Intel booth and discovered a few truths that will change my final deliverable.

VOIP and Network Data Syncing

After much trial and error, it seems the reason the sound lagged behind the visuals was that the sound buffer takes time to fill it's buffers (at both ends), before actually playing the audio. It actually stores up a section of what you say before sending and playing back for the person you are communicating with. This differs from the visual stuff which plays back instantly.

The solution is to buffer the visual information and then play it back in perfect sync with the sound when it finally arrives. This means the app will consume a sizable chunk of memory to store depth and color information and it also means that time stamping will be needed to sync the two types of media. Only then will the app deliver a predictable conferencing experience.

Voice Recognition In A Crowded Room

One of the most striking failures of the technology at GDC was the voice recognition system, which struggled to detect the words spoken among the noise of a GDC hall. It may be true that most calls will be held in a quiet office but equally it could be made in an airport or call center department.

UCCII Video Blog Six - Live At GDC

As you can hear, the background noise at GDC was quite meaty. The lesson here is that the Perceptual SDK needs to include effective noise cancellation technology, and that the voice system should have a non-voice system to control the app as well. Fortunately my app provides touch buttons as the primary input method, and voice control as a secondary feature, so I dodged a bullet there!

Gesture Ambiguity

The number of times I swiped across the Ultrabook to clear the screen of the current drawing numbered in the thousands. Alas the percentage of successful detection's was about 75%. Enough to demonstrate technology, but not enough for an end user who will accept nothing less than 100%. The only perceptual input that performed at 100% was my head tracker which passively got on with the task of controlling the view of the virtual conference room.

In discussions with other developers, it was clear that gestures will be under intense scrutiny from end users when incorporated into apps. Unless it provides something a button or touch cannot do, or provides an improved facility, it will be consigned to the novelty bin. It was also mutually agreed that gestures should be supported by a visual indicator to maintain a constant understanding between the computer and the user. Fail to provide this and your user could be waving their hands about to no avail with growing frustration.

With my remaining days, aside from the essential polishing work, I hope to experiment more with fool proof gestures, perhaps using camera-to-user calibration and visual feedback as a way to achieve the holy grail of 100% predictability.

Making Contact

My final 'missing piece' of the app is the 'Contact List' screen which will allow new contacts to be created and used to make connections between registered users.

At the moment the app only communicates between known local IP addresses which is good enough to test the technology at good network speeds but not for a call to another part of the world.

GDC Developer Tips

TIP 1 : Apparently, you are not restricted to 30fps when obtaining the color and depth stream data from the camera. You can use the SetProfile command to change the maximum fps allowed during the streaming activity. For those who want to use the depth data for high speed fluid input, this should definitely be checked out!

TIP 2 : Be aware that you might be getting choppy audio capture from the Gesture camera when you have both color and depth streams running at high resolution top speed. Running any sound capture on the cameras recording device while it streams the visual information produces an intermittent choppy output. Might be a driver issue, or a USB bandwidth issue. Worth knowing, especially if you are using this data for voice recognition.

Signing Off

I think the value of attending GDC with my app was invaluable. It allowed me to conduct a field test of what might become a commercial app, and quickly highlighted the areas that need work. It is work worth doing too, the general feeling from everyone in the Perceptual Computing space was that the potential was huge. All we need is a few pioneers to develop methods of interaction that transcends keyboard, mouse and touch. It will be these developers that ultimately claim the Perceptual Computing prize and produce apps that literally blow the mind.

ultimatecoder

ultimate coder

Perceptual Computing

Icon Image:

Contest

Primeira Reunião com Desenvolvedores em 2013

Sun, 31 Mar 2013 04:04:33 +0000

No dia 26 de março aconteceu nossa primeira reunião de 2013 com um grupo de desenvolvedores e líderes de comunidade no The Hub em São Paulo. Num clima bem descontraído, conversamos sobre comunidades e ferramentas de Software da Intel, ajudando a esclarecer nossos objetivos como Intel Software no Brasil.

Ainda em 2013, nosso papel é posicionar a Intel como referência e parceira de Software para a comunidade brasileira. A partir desse ano estamos com as portas ainda mais abertas para nos aproximarmos dos desenvolvedores, dentro desse contexto nossa primeira reunião em 2013 rendeu várias boas ideias que se alinham com nossos projetos.

A conversa girou em torno de como podemos montar uma via de mão dupla para apoiar todas as comunidades que desenvolvem Software para plataforma Intel, o que siginifica hoje praticamente todas as comunidades, uma vez que temos produtos baseados na arquitetura x86 desde dispositivos móveis, passando por notebooks, ultrabooks e até servidores, englobando até programação para alto desempenho. Nesse contexto, nossas comunidades visam apoiar diretamente, apenas para citar alguns, desenvolvedores .NET, Java, C/C++, HTML5 dentro da maioria dos Sistemas Operacionais disponíveis.

Alguns pontos discutidos vão nos ajudar a conversar melhor com os desenvolvedores, agradecemos muito os participantes e chegamos a alguns pontos interessantes:

Preferência por Canais de Comunicação:

Facebook: ~90%
Twitter: ~90%
Mailgroup: 60~70%
Google Plus: 10%
Linkedin: 0%

Benefícios mais interessantes para os desenvolvedores:

Empréstimos de HW com tecnologia que não foi lançada no mercado: ~90%
Treinamentos técnicos: ~90%
Uso do auditório da Intel para eventos de comunidade: ~50%
Apoio através de coffe break para eventos da comunidade: ~ 50%
Uso dos canais da Intel Software para ganhar visibilidade: ~70%

Dentro dos vários pontos discutidos, vamos ajudar vocês a ganhar mais reputação pela excelência técnica, engajamento para difundir conhecimento e vontade de se divertir com o que muitos considerariam apenas trabalho. Usem e abusem de nosso espaço para blogar, escrever artigos e usar nossos canais de divulgação.

Muito em breve vamos divulgar a nossa agenda de participação em eventos e treinamentos para que todos possam aproveitar e se aprofundar em tecnologias que vão melhorar muito a qualidade do Software feito no Brasil e trazer diferenciais que podem fazer suas aplicações virarem referência não apenas nacionais, mas também para divulgação de tecnologia ao redor do mundo.

Apesar de não ter sido o foco principal de nossa discussão, mutos tiveram interesse nos benefícios da parceria da Intel Software com empresas de desenvolvimento, por isso deixo o link abaixo que pode orientar melhor sobre o que é a parceria e seus benefícios:

http://software.intel.com/pt-br/grow-business-reports

Quem estiver interessado em se reunir com a Intel para ter uma conversa aos mesmos moldes desse bate-papo com desenvolvedores, mas onde o assunto principal seja empreendedorismo e como a Intel pode apoiar sua empresa, deixe seu comentário pedindo para organizarmos a conversa, assim nosso Gerente de Marketing - Juliano Alves - poderá organizar e liderar a conversa com todos.