Archive for the Category ◊ IT Security ◊

Why PaaS Is The Future
Thursday, April 18th, 2013 | Author:

The vast majority of Web applications will eventually run on platform-as-a-service, or PaaS. The shift will be slower than to infrastructure-as-a-service (IaaS) because finding the perfect PaaS fit will take effort, and there’s significant loss of control over hardware and software. Many IT departments will resist. But it will happen, so to help you evaluate options and plan a migration strategy, we sent out a questionnaire with more than 70 factors to consider to major PaaS providers. You can download a full set of responses at our InformationWeek PaaS comparison site.

The PaaS value proposition is simple: Bring your code, and we’ll handle everything else for you — Internet connectivity, power, hardware, operating system, software, monitoring, backup, restore, failover, scaling and more. IT can focus on writing code to solve business problems and leave the mechanics of infrastructure and operations to the vendor. In theory, you get a best-practices deployment, including security and business continuity, at a lower cost and better quality versus having your own staff do the work.

Category: IT Security

Google has filed a rare petition to challenge an ultra-secret national security letter issued by the government to obtain private data about one or more of its users.

The extraordinary petition, which was filed under seal in the U.S. District Court of Northern California on March 29, comes just days after a U.S. District Judge in California ruled in a case brought by an unnamed company and the Electronic Frontier Foundation that so-called NSLs that come with a gag order on the recipient are an unconstitutional impingement on free speech.

On March 14, U.S. District Judge Susan Illston ordered the government to stop issuing NSLs and to cease enforcing the gag provision in cases where they have already been issued. Illston, however, stayed her order for 90 days to give the government a chance to appeal her ruling to the Ninth Circuit Court of Appeals.

Category: IT Security

Despite the pervasiveness of law enforcement surveillance of digital communication, the FBI still has a difficult time monitoring Gmail, Google Voice, and Dropbox in real time. But that may change soon, because the bureau says it has made gaining more powers to wiretap all forms of Internet conversation and cloud storage a “top priority” this year.

Last week, during a talk for the American Bar Association in Washington, D.C., FBI general counsel Andrew Weissmann discussed some of the pressing surveillance and national security issues facing the bureau. He gave a few updates on the FBI’s efforts to address what it calls the “going dark” problem—how the rise in popularity of email and social networks has stifled its ability to monitor communications as they are being transmitted. It’s no secret that under the Electronic Communications Privacy Act, the feds can easily obtain archive copies of emails. When it comes to spying on emails or Gchat in real time, however, it’s a different story.

That’s because a 1994 surveillance law called the Communications Assistance for Law Enforcement Act only allows the government to force Internet providers and phone companies to install surveillance equipment within their networks. But it doesn’t cover email, cloud services, or online chat providers like Skype. Weissmann said that the FBI wants the power to mandate real-time surveillance of everything from Dropbox and online games (“the chat feature in Scrabble”) to Gmail and Google Voice. “Those communications are being used for criminal conversations,” he said.

Category: IT Security

In federal information technology circles, it’s become a truism that agencies spend way too much time and effort doing paperwork in pursuit of cybersecurity, and not nearly enough time watching over systems and implementing best practices to make sure those systems are better secured than they were the day before.

A new report offers a roadmap that purports to offer ways to measure cybersecurity outcomes rather than just processes, while recognizing that no two agencies have the exact same risk profile.

The report, released Tuesday by Safegov.org, in coordination with the National Academy of Public Administration, does not include a call for new legislation. Instead, it proposes agencies revamp their approach to compliance with the existing Federal Information Security Management Act. Rather than periodically auditing whether an agency’s systems meet the standards enumerated in FISMA at a static moment in time, agencies and their inspectors general should keep running scorecards of “cyber risk indicators” based on continual IG assessments of a federal organization’s cyber vulnerabilities, the authors concluded.

Category: IT Security
Healthcare Security Improving But Still Needs Treatment
Thursday, March 28th, 2013 | Author:

As we come to the close of the first quarter, data breach numbers show a favorable trend in healthcare as the number of breach incidents and breached records at these organizations is decreasing relative to the same period last year. Security experts say that the early numbers could point to increasing pressure by federal regulators who are adding more teeth to HIPAA enforcement and consequently driving meaningful changes within the healthcare vertical. Nevertheless, 2013 so far has seen more than a few healthcare organizations suffer from embarrassing data security lapses, and it’s clear there’s still work to be done, experts say.

“In the US, federal regulators are very focused on healthcare in terms of their rulemaking and enforcement efforts under HIPAA,” says Andy Green, technical content specialist for Varonis, who explains that practitioners he talks to are acutely aware of the pressure. “With recent changes to HIPAA, the penalties have become more severe–with a maximum of up to $1.5 million in annual fines.”

He points to recent settlements against Massachusetts Eye and Ear Infirmary and the Alaska Department of Health and Human Services as visible examples of how regulators are cracking down.

Category: IT Security
South Korea data-wipe malware spread by patching system
Wednesday, March 27th, 2013 | Author:

South Korea’s data wiping malware that knocked out PCs at TV stations and banks earlier this week may have been introduced through compromised corporate patching systems.

Several South Korean financial institutions – Shinhan Bank, Nonghyup Bank and Jeju Bank – and TV broadcaster networks were impacted by a destructive virus (since identified as DarkSeoul by Sophos and Jokra Trojan by Symantec), which wiped the hard drives of infected PCs, preventing them from booting up upon restart.

Initially it was thought that the malware spread through local telco LG U+ and may have come from a single Chinese IP address. The Korea Communications Commission said it was mistaken when it identified an internet address in China as the source of the mega-hack, The New York Times reports. The IP address involved actually belonged to NongHyup Bank, one of the main victims of the assault.

Category: IT Security
Cybersecurity Bubble Bursting for U.S. Contractors
Wednesday, March 06th, 2013 | Author:

SAN FRANCISCO — Conventional wisdom is that cybersecurity is one of the few growth opportunities for defense contractors. Nary an earnings call passes without key industry players repeatedly touting their future dominance of cyber, and the ability for the market to make up for other areas set to decline.

But quietly over the past few months, several companies have been showing some of their cybersecurity staff the door, sources said, part of a growing recognition by the industry that while cyber is growing, it will never reach the scale of aircraft or ship programs.

“It’s the myth and reality of cyber,” said Roger Cressey, senior vice president at Booz Allen Hamilton. “The myth is that it’s the fastest growing capability around, that there is tremendous pent-up demand and it is a river of milk and honey for everyone, when the reality is that it’s not that. There are pockets of need, but there’s also a requirement for specialized skills and capabilities.”

Category: IT Security
More companies reporting cybersecurity incidents
Wednesday, March 06th, 2013 | Author:

At least 19 financial institutions have disclosed to investors in recent weeks that their computers were targets of malicious cyberassaults last year, a sign of growing openness among corporations about the breadth of cybersecurity incidents plaguing the private sector.

In their annual financial reports to the Securities and Exchange Commission, major banks such as Bank of America, Citi, Wells Fargo and JPMorgan Chase, along with smaller institutions, have reported that their systems were hit with computer disruptions or intrusions.

Category: IT Security
And the Java 0-days just keep on coming
Wednesday, March 06th, 2013 | Author:

The bad guys certainly seem to be picking on Oracle in the last month or two. The folks over at FireEye have posted some info about another 0-day affecting Java that is being exploited in the wild. This one hits even the latest versions of Java, 6u41 and 7u15. From the writeup it seems the exploit is currently not always successful, but when it is, it drops a remote access trojan on the system and connects back to an HTTP command and control server. I haven’t had a chance to actually look at the malware yet, so go read the FireEye writeup for the indicators of compromise to look for in your network. Simultaneously, Adam Gowdiak has also informed Oracle of 2 different exploitable vulnerabilities (though at least one of his only affects 7u15, not 6u41), though those exploits are apparently not being used in the wild at the moment. In the meantime, all our previous advice still applies. If you don’t need Java, don’t install it/remove it. If you do need it, only enable it when you need it and/or run it inside another sandbox (SandboxIE, a sacrificial VM).

Category: IT Security

Cyberspies linked to China’s military targeted nearly two dozen US natural gas pipeline operators over a recent six-month period, stealing information that could be used to sabotage US gas pipelines, according to a restricted US government report and a source familiar with the government investigation.

From December 2011 through June 2012, cyberspies targeted 23 gas pipeline companies with e-mails crafted to deceive key personnel into clicking on malicious links or file attachments that let the attackers slip into company networks, says the Department of Homeland Security (DHS) report.

The report does not mention China, but the digital signatures of the attacks have been identified by independent cybersecurity researchers as belonging to a particular espionage group recently linked to China’s military.

Category: IT Security