Information Technology News.

HP and SAP discussing Hana in-memory computing solution


March 12, 2013

Hewlett-Packard and SAP are currently talking about the possibility of introducing an as-a-service edition of SAP's Hana in-memory computing solution to the enterprise segment.

Anita Paul, senior director of HP's industry transformation consulting practice for Asia Pacific and Japan, says she will shortly meet part of SAP's development team to discuss creating the new service.

For its part, Amazon Web Services recently started offering Hana-as-a-service in its usual elastic mode of operation. SAP can also boast several hardware partners for the platform, with IBM, Cisco, Fujitsu and HP, among others, all capable of cooking up a server with the correct technical specifications.

And of course, HP entering the market with managed Hana-as-a-service will be a good endorsement of the platform, and also a sign of a much tighter HP/SAP relationship.

Adding Hana-as-a-service will, Paul said, satisfy HP clients in two different ways. The first will come from meeting enterprise customers' desire to run the system, as Paul said many want HP to provide the platform.

The second is a desire for XaaS from HP's consulting services, a trend Paul said she embraces wholeheartedly because the nature of XaaS offers better value for customers.

That it can also mean better profit margins for HP, which hosts such systems in its own data centres and may also have the chance to provide hardware through an internal transaction (hardware sells to consulting), is another welcome by-product of such deals in today's IT industry.

Paul said that this kind of engagement can also be good for sysadmins and architects, as in her experience customers who walk the XaaS path are happy to outsource some operations, but not design.

And skilled personnel therefore stay on HP's payroll even as the servers they once tended go to a better place.

Sysadmins' lives may be a little complicated when customers decide they prefer on-premises operations, although Paul said the deals HP strikes under those circumstances often make it very clear that there is some equipment on-site that IT staff are forbidden from touching at risk of violating service level agreements and driving up costs.

In other IT and security news

The GroundWork Group, an open-source IT monitoring software company, has clashed with a security consultancy over the seriousness of a security hole in its technology.

GroundWork's technology provides a platform for IT operations management, network monitoring, system control, application authentication and cloud delivery services that is used by enterprise customers including Hitachi Data Systems, the Royal Bank of Canada, NATO, National Australia Bank, Siemens and Tivo, among many others.

Security staff at SEC Consult last week published an advisory warning of "multiple critical security vulnerabilities" in the GroundWork Monitor Enterprise platform.

The security consultancy said that many of the holes involve authentication problems and claimed that they are so serious that customers ought to avoid using the technology completely until the multiple security bugs are patched.

The Austrian security firm also published a separate bulletin warning of other "high risk" security flaws. In response, GroundWork said that its users were looking for "ease of use" rather than "maximum security". It didn't release a patch and told its users that tightening up settings was optional.

GroundWork uses the JBoss Portal’s Single Sign-On technology to restrict access to GroundWork components and improve many of their own security capabilities. Most GroundWork customers have expressed a preference for ease of use rather than maximum security, and the default settings reflect those wishes.

Those are suggestions and not mandatory for a GroundWork Monitor installation. Johannes Greil, the security researcher at SEC Consult who discovered the flaws in GroundWork's software, strongly disagreed with this assessment.

"The identified security vulnerabilities have nothing to do with 'maximum security' but rather conforming to web application security standards and guidelines such as OWASP Top 10," he said.

"Furthermore, GroundWork isn't going to repair the security vulnerabilities within the source code, but will only add an authentication layer and implement some changes in authorization roles through an optional technical bulletin," Greil added in an email.

We put Greil's allegations to GroundWork last week but have yet to hear back. Greil added that he is also frustrated by GroundWork's lack of urgency about issues first reported to it two months ago.

"The very slow response and insufficient measures by GroundWork are not a responsible way to react for a vendor who supplies software for government agencies and large data centers," he said.

"An attacker who is easily able to take over this monitoring software is, for example, able to gain access to plaintext passwords of the monitored systems and spread the attack within the internal network," Greil claimed.

"In order to mitigate this security risk, the vulnerabilities have to be fixed within the source code. In secure environments, such as operating data centers where this software is for instance used, it is highly undesirable to use insecure applications. Furthermore, we advise against using this software in the current state of security," he added.

"We have identified multiple different critical vulnerabilities with different impacts. The most severe security issues are that an unauthenticated attacker is able to elevate his privileges (admin access), execute arbitrary operating system commands, take over the whole monitoring system and gain access to sensitive configuration files with clear text passwords of the monitored systems," he added.

"An attacker is therefore easily able to spread the attack within the internal network," Greil added. SEC Consult's previous research includes the discovery of undocumented backdoors in data centre equipment from Barracuda Networks. We will keep you posted on this important development as well as others as they happen.

Source: HP & SAP.


       © IT Direction. All rights reserved.