Archive for the ‘Security and Compliance’ category

Gartner recognized SnapLogic as a Visionary in its Data Integration Magic Quadrant

August 7th, 2019

Gartner recognized SnapLogic as a Visionary in its Data Integration Magic Quadrant! This comes on the heels of being recognized as a Leader in three top analyst reports for the best integration platform as a service (iPaaS) solutions – the Gartner Magic Quadrant, Forrester Wave, and G2 Crowd Grid.
We believe these collective recognitions testify to the fact that SnapLogic is unrivaled when it comes to integrating cloud applications and on-premises data in one unified platform.

Gartner commended SnapLogic for:
• Our powerful integration convergence and augmented data integration delivery
• Our easy accessibility to diverse user personas
• Our pricing model simplicity and trial version

Synergy Software Systems is a Middle East partner. This solution speeds up deployment of complex solutions with multiple integrations and significantly improves and simplifies the management and maintenance of integrations.

Whether for EDI to Odette standards for the automotive sector, for streaming high volumes of data, or for ETL processes to bring data from multiple enterprise systems into a data lake, enterprise BI or corporate performance management system, SnapLogic provides a multitude of pre-built “Snap” integrations for a low-code, configuration-based approach to integration.

Synergy Software Systems has provided integrated solutions in the region. The digital revolution is providing new opportunities and challenges. Robotic process automation, predictive analytics, ML/AI, IoT, RFID, cloud services, data lakes, and mobility are now standard components of any solution. However, the digital revolution also requires agility, rapid and robust deployment, and ease of update and maintenance. Integration, ETL, and streaming data from multiple systems at enterprise scale need a new ‘productized’ low-code approach to integration.

SnapLogic is a key tool for successful agile deployment of enterprise integration, corporate performance management, EDI, BI and RPA solutions.

There are already major clients deploying SnapLogic in the UAE.

To learn more, call us on 00971 43365589.

SQL Server 2016SP2 Cumulative Update 8

August 3rd, 2019

The urgent security update earlier this month is not the only patch for SQL Server 2016 in July. Microsoft has released SQL Server 2016 SP2 CU8 (build number: 13.0.5426.0), which fixes issues including:
• Restores of compressed encrypted backups fail
• Data masking doesn’t
• DAX query needs memory 200x larger than the database size
• Peer-to-peer replication fails when your host name isn’t uppercase
• Query Store cleanup can fill the transaction log and cause an outage
• Distributed Availability Groups cause memory dumps when automatic seeding
• AG replication stops working due to internal thread deadlocks
• The deadlock monitor can cause an access violation
• Query a view with a union on a linked server
• Concurrent inserts into a clustered columnstore index can deadlock
• Infinite loop when FileTable is used for a long time without a restart
• SSAS 2016 randomly crashes (maybe not completely random if they fixed it)
• Transparent Data Encryption doesn’t encrypt if it’s restarted mid-encryption

And much more: https://support.microsoft.com/en-us/help/4505830/cumulative-update-8-for-sql-server-2016-sp2

I guess we will get a similar patch for SP1, but by now you should be on a later patch.

Office 365 will retire TLS 1.0 and 1.1 starting June 1st, 2020

July 24th, 2019

To provide best-in-class encryption, and to ensure the service is more secure by default, Microsoft is moving all of its online services to Transport Layer Security (TLS) 1.2+.

Office 365 will be retiring TLS 1.0 and 1.1 starting June 1, 2020. This means that all connections to Office 365 using TLS 1.0 or TLS 1.1 will stop working, so before June 1, 2020, plan to replace clients and devices that rely on TLS 1.0 and 1.1 to connect to Office 365.

The TLS protocol aims primarily to provide privacy and data integrity between two or more communicating computer applications. It is an IETF standard intended to prevent eavesdropping, tampering and message forgery. Transport Layer Security (TLS) and its deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communications security over a computer network, and they are used in applications such as web browsing, email, instant messaging, and voice over IP (VoIP). Websites use TLS to secure all communications between their servers and web browsers. The latest version, TLS 1.3, is an overhaul that strengthens and streamlines the protocol.

The work on TLS 1.3 started in April 2014, and it took four years and 28 drafts before it was approved in March 2018. Version 1.3 makes the handshake faster: with TLS 1.2 the handshake involved several round trips, whereas with 1.3 only one round trip is required, with all the information passed at that time. This has a security benefit, and will also improve performance of secure web applications. In addition to its security improvements, TLS 1.3 eliminated a number of older algorithms that did nothing other than create vulnerabilities, and added a function called “0-RTT resumption” that enables the client and server to remember that they have communicated before and resume that session faster.

The PCI compliance standards require that any site accepting credit card payments uses TLS 1.2 after June 30, 2018. Services such as PayPal, Authorize.net, Stripe, UPS, FedEx, and many others already support TLS 1.2, and have announced that they will eventually refuse TLS 1.0 connections. This means your safest action is to upgrade to TLS 1.2/1.3 sooner rather than later to avoid disruption. Using an older protocol is also likely to be a consideration for GDPR compliance in the event of a breach.
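To find out which clients would actually be cut off by the TLS 1.2 floor, a defender can inspect the protocol versions offered in ClientHello messages captured from the network or a TLS-terminating proxy. The following is an added example, not code from the original post or from Microsoft: it parses a TLS ClientHello (including the TLS 1.3 supported_versions extension) and flags clients that offer nothing newer than TLS 1.1; the sample ClientHello bytes are constructed inline for the demonstration, not captured from real traffic.

```python
"""Classify TLS ClientHello messages by the highest protocol version offered.

Added example for the Office 365 TLS 1.0/1.1 retirement; not code from the
original post. The ClientHello bytes are constructed inline for the demo,
not captured from real traffic.
"""
import struct

SUPPORTED_VERSIONS_EXT = 43   # extension type from RFC 8446 (TLS 1.3 clients)
MINIMUM_ACCEPTED = 0x0303     # TLS 1.2: the floor Office 365 will enforce

VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}


def build_client_hello(legacy_version, supported_versions=None):
    """Construct a minimal ClientHello record (sample input only)."""
    body = struct.pack(">H", legacy_version)
    body += b"\x00" * 32                           # random (zeroed for the sample)
    body += b"\x00"                                # empty session_id
    body += struct.pack(">H", 2) + b"\xc0\x2f"     # one cipher suite
    body += b"\x01\x00"                            # compression methods: null only
    extensions = b""
    if supported_versions:
        ver_list = b"".join(struct.pack(">H", v) for v in supported_versions)
        ext_data = bytes([len(ver_list)]) + ver_list
        extensions = struct.pack(">HH", SUPPORTED_VERSIONS_EXT, len(ext_data)) + ext_data
    body += struct.pack(">H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + struct.pack(">HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return the set of recognised protocol versions a ClientHello offers.

    Pre-1.3 clients only signal client_version; TLS 1.3 clients keep that field
    at 0x0303 and list real versions in supported_versions. Unknown values such
    as GREASE placeholders (RFC 8701) are dropped. Raises ValueError on
    malformed input.
    """
    try:
        return _offered_versions(record)
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def _offered_versions(record):
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 35:          # version + random + session_id length
        raise ValueError("truncated ClientHello")
    offered = {struct.unpack(">H", body[0:2])[0]}
    pos = 2 + 32                                    # skip client_version and random
    pos += 1 + body[pos]                            # session_id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                            # compression_methods
    if pos + 2 <= len(body):                        # extensions block is optional
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_size]
            pos += ext_size
            if ext_type == SUPPORTED_VERSIONS_EXT and data:
                for i in range(1, 1 + data[0], 2):  # data[0] = list length in bytes
                    offered.add(struct.unpack(">H", data[i:i + 2])[0])
    offered = {v for v in offered if v in VERSION_NAMES}
    if not offered:
        raise ValueError("no recognised protocol version offered")
    return offered


def classify(record):
    """Return (highest offered version name, True if it survives the TLS 1.2+ cut-over)."""
    highest = max(parse_client_hello(record))
    return VERSION_NAMES[highest], highest >= MINIMUM_ACCEPTED


if __name__ == "__main__":
    samples = {
        "TLS 1.0-only client": build_client_hello(0x0301),
        "TLS 1.2 client": build_client_hello(0x0303),
        "TLS 1.3 client with GREASE": build_client_hello(0x0303, [0x0a0a, 0x0304, 0x0303]),
    }
    for name, rec in samples.items():
        version, ok = classify(rec)
        print(f"{name}: offers up to {version}; {'OK' if ok else 'will be refused'}")
```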

Windows 7 exploit- critical fix July 2019

July 16th, 2019

Microsoft’s latest servicing stack update (SSU) helps fix a bug in Secure Boot that interferes with Windows’ BitLocker encryption system. The updates are available from the Microsoft Update Catalog or through Windows Server Update Services (WSUS).

Microsoft said it “strongly recommends” that users and admins install this latest SSU before installing the latest cumulative update, which was released along with this month’s Patch Tuesday updates. This month’s updates bring a fix for a Win32k zero-day, marked as CVE-2019-1132, which was part of an attack used by Kremlin-backed hackers. The researcher at ESET, Anton Cherepanov, found the exploit for the flaw, which doesn’t affect Windows 10 or Windows 8 but does impact older versions including Windows 7 SP1, Windows Server 2008 SP2, and Windows Server 2008 R2 SP1. Cherepanov noted that the technique used in the current exploit is “very similar” to one used before 2017 by the advanced hacking group called Sednit, aka Fancy Bear, APT28, STRONTIUM, and Sofacy. Windows 8 and later block a key component of the exploit chain, which is why the flaw only affects the earlier supported Windows versions. He notes that Microsoft back-ported the Windows 8 mitigation to Windows 7 for x64-based systems.

Bugs like this are one reason Windows 7 users should follow Microsoft’s advice to upgrade. Those who still use Windows 7 for 32-bit Systems Service Pack 1 should update to a newer operating system, since extended support for Windows 7 Service Pack 1 ends on January 14, 2020, after which Windows 7 users will no longer receive critical security updates. Vulnerabilities like this one will then stay unpatched forever.

This is not the only fix – the Microsoft patches address 77 security flaws, including 15 rated “critical.”
In May this year, patches were also released for BlueKeep. Its wormable nature (the ability to spread automatically from one vulnerable machine to another) means it could be exploited in an attack on the same global scale as WannaCry, whose worm capabilities were enabled by EternalBlue, the leaked NSA exploit for the SMBv1 file-sharing protocol. The NSA urged admins to patch the flaw and change configurations to prevent potential attacks. Its warning followed research that found that at least one million Windows computers were still vulnerable to BlueKeep. The NSA said it was “likely only a matter of time” before attacks emerged.

Windows 7 updates July 2019

July 16th, 2019

Last week there were Windows Update security and reliability fixes for Windows 7 as part of the normal Patch Tuesday delivery cycle for every version of Windows. Microsoft split its monthly update packages for Windows 7 and Windows 8.1 into two distinct offerings: a monthly rollup of updates and fixes and, for those who want only those patches that are absolutely essential, a Security-only update package. Under Microsoft’s rules, what it calls “Security-only updates” are supposed to include only security updates, not quality fixes or diagnostic tools. However, this month’s Security-only update, “July 9, 2019—KB4507456 (Security-only update),” bundled in the Compatibility Appraiser, KB2952664, which is designed to identify issues that could prevent a Windows 7 PC from updating to Windows 10.

The concern is that these components are being used to prepare either for another round of forced updates or to spy on individual PCs. The word telemetry appears in at least one file, and for some it seems to be a short step from innocuous data collection to spyware. Microsoft appeared to be surreptitiously adding telemetry functionality to most of its solutions. Microsoft has slipped this functionality into a security-only patch without any warning, thus adding the “Compatibility Appraiser” and its scheduled tasks (telemetry) to the update. The package details for KB4507456 say it replaces KB2952664 (among other updates). So this is not a security-only update.

The Appraiser tool was offered via Windows Update, both separately and as part of a monthly rollup update, two years ago; as a result, most of the declining population of Windows 7 PCs already has it installed. Given the headaches users faced over unwanted upgrades back in Windows 10’s first year, why is Microsoft reluctant to talk about security issues except in formal settings like release notes and support bulletins?

This has already been an exhausting week thanks to a pair of Windows 10 zero-day exploits being used in the wild, by Kremlin-backed hackers.

Windows 10 19H2 release

July 16th, 2019

The 19H2 release of Windows 10, which will probably be called the Windows 10 October 2019 Update, will not include a list of new user-facing features. Instead, it will deliver “select performance improvements, enterprise features and quality enhancements.”

This update “will install like a monthly update” on PCs that are running the latest Windows 10 release, version 1903. In other words, it’s what we would call a service pack even if Microsoft no longer does. Devices on any currently supported version of Windows 10 will only need to reboot once to update them to 19H2. The 19H2 release will be fully supported for 30 months. While still an aggressive update schedule for some IT departments, that is a lot easier to live with than six-monthly updates. (The update is the last Windows 10 release before the end of free support for Windows 7 on January 14, 2020.)

For OEM and retail Windows editions, even Windows 10 Home, feature updates are no longer immediately mandatory. The twice-yearly feature updates are offered on PCs that Microsoft’s algorithms deem suitable, but the feature update is offered as an optional update that the PC’s owner has to approve manually. You can ignore that prompt for as long as the current version is supported, or a maximum of 18 months.

For businesses with PCs running Windows 10 Pro, the updates are delivered with the same 18-month support cycle. The difference is that administrators can defer monthly cumulative updates by up to 30 days and can defer feature updates by up to 365 days. On a PC where the Windows 10 Settings app or an applied Group Policy has been used to defer feature updates, the option to update to the next release doesn’t appear at all until the deferral period ends or the current version reaches its end of support. Companies that run Windows 10 Pro should plan for an annual Windows 10 feature update; defer any longer than 12 months and you may hit an end-of-support date and a forced feature update.

Customers running Windows 10 Enterprise and Education get the longest support calendar. The March updates will have an 18-month support cycle for all editions, whereas the September release will get the longer, 30-month support cycle for Enterprise and Education editions. (All Windows 10 Pro releases are supported for 18 months.) Those customers can install version 1903 late in 2019 and plan to install the 19H2 release as a lightweight update when it’s ready. With that “service pack” in place, they can leave those PCs alone for two full years, until the second half of 2021.

To ensure updates don’t happen at the wrong time see this post:

https://www.techrepublic.com/article/how-to-control-updates-in-windows-10/?ftag=CMG-01-10aaa1b

P.S. Dark mode reduces eye strain. macOS got dark mode last year in Mojave. Android also got a dark mode setting last year, and the upcoming Android Q will make it easy to turn on. You can similarly dim the lights in Windows 10: go to Settings, tap Personalization, tap Colors and then, under Choose your default app mode, choose Dark.

GDPR enforcement be aware of what it means to you

July 15th, 2019

http://www.enforcementtracker.com/

The site reports that in Germany there have already been 101 fines made public, worth 484.900 EUR. As well as the high-profile fines recently covered in this blog, there are many other actions reported on this site.

Some examples:

France: SERGIC, a company specialising in real estate development, purchase, sale, rental and property management.
The two key reasons were a lack of basic security measures and excessive data storage. Sensitive user documents uploaded by rental candidates (including ID cards, health cards, tax notices, certificates issued by the family allowance fund, divorce judgments, account statements) were accessible online without any authentication procedure in place.
Although the vulnerability was known to the company since March 2018, it was not finally resolved until September 2018. In addition, the company stored the documentation provided by candidates for longer than necessary. The CNIL took into account the seriousness of the breach (lack of due care in addressing the vulnerability and the fact that the documents revealed very intimate aspects of users’ lives), the size of the company and its financial standing.

Google – The fine was imposed on the basis of complaints from both the Austrian organisation “None Of Your Business” and the French NGO “La Quadrature du Net” concerning the creation of a Google account during the configuration of a mobile phone using the Android operating system. The CNIL imposed a fine of 50 million euros for lack of transparency (Art. 5 GDPR), insufficient information (Art. 13/14 GDPR) and lack of legal basis (Art. 6 GDPR).

UNIONTRAD COMPANY – Complaints were made by several employees of the company who were filmed at their workstation. This was in breach of rules to be observed when installing cameras in the workplace, in particular, that employees should not be filmed continuously and that information about the data processing has to be provided. In the absence of satisfactory measures at the end of the deadline set in the formal notice, the CNIL carried out a second audit in October 2018 which confirmed that the employer was still breaching data protection laws when recording employees with CCTV.

Austria – A fine was imposed against a private person who was using CCTV at his home. The video surveillance covered areas intended for the general use of the residents of the multi-party residential complex: parking lots, sidewalks, courtyard, garden and access areas to the residential complex; and the video surveillance covered garden areas of an adjacent property. The video surveillance subject of the proceedings was therefore not limited to areas which are under the exclusive power of control of the controller. Video surveillance is therefore not proportionate to the purpose and not limited to what is necessary. The video surveillance records the hallway of the house and films residents entering and leaving the surrounding apartments, thereby intervening in their highly personal areas of life without the consent to record their image data.

Romania – WORLD TRADE CENTER BUCHAREST SA – A printed paper list used to check breakfast customers contained personal data of 46 clients who stayed at the WORLD TRADE CENTER BUCHAREST SA hotel and was photographed by people outside the company, which led to the disclosure of the personal data of some clients through online publication. The operator of WORLD TRADE CENTER BUCHAREST SA was sanctioned because it had not taken steps to ensure that data was not disclosed to unauthorized parties.

Hungary – A fine was imposed on an unnamed financial institution for unlawfully rejecting a customer’s request to have his phone number erased after arguing that it was in the company’s legitimate interest to process this data in order to enforce a debt claim against the customer. In its decision, the NAIH emphasised that the customer’s phone number is not necessary for the purpose of debt collection because the creditor can also communicate with the debtor by post. Consequently, keeping the phone number of the debtor was against the principles of data minimisation and purpose limitation. As per the law, the assessed fine was based on 0.025% of the company’s annual net revenue.

Several countries issued fines related to the misuse of data in elections.
Several countries issued fines to companies who did not respond to a request by an employee or customer about data that was held about them.

PwC’s own UK Privacy & Security Enforcement Tracker found that fines in the UK alone over data protection law violations totalled £6.5 million in 2018.

SQL Server 2008 and SQL Server 2008 R2 -OUT OF SUPPORT today

July 13th, 2019

SQL Server 2008 and 2008 R2 both go out of extended support with Microsoft today, 9th July 2019.

Many companies and businesses are still on SQL Server 2008 R2 and below. There can be a number of reasons for this: maybe the applications the databases support require an older version of SQL Server, or maybe the applications are also coming to the end of life, but the end dates do not match up with the data platform end-of-support dates.

Sometimes applications are critical to the business and everything works just fine. The business doesn’t want to disrupt the application or introduce any risk by performing a migration to a new version so why change it?

In this situation your data platform is completely out of support. Out-of-support systems attract hackers. Note the previous articles about fines for loss of privacy data to realise how serious this can be.

So you should be making plans to migrate your legacy SQL Servers off the unsupported versions. If you are still on an old database, it is likely that you are also on an old server and an old version of Windows. That brings additional risk: failed hard disks, other system vulnerabilities (Meltdown, Spectre?), phishing…
Investors and insurers are not likely to be sympathetic in such circumstances.

There are many performance and security benefits of upgrading.

One option is to keep running out-of-support software and accept the associated risk. The main advantage of this approach is there is nothing immediate to do. The longer you run on the platform, the greater the chances of you encountering a security vulnerability or failing a compliance test.
If anything does go wrong you’ll have no support from Microsoft.
Other software vendors’ support contracts may also require that you be on a currently supported database.

Modernising and upgrading is another option.

You can upgrade your on-premises SQL Server or migrate the databases to Azure, either as an IaaS solution where you run the VM in Azure or even the PaaS Azure SQL Database offering.

There are a number of advantages to upgrading your data platform. You’ll be running your database workloads on an in-support data platform, with a long support window. There will likely be new features in the latest version of SQL Server that you can use to add business value to your application – Availability Groups, for example. You will also find that people with skills in the later technology are more readily available in the jobs market.

There will likely be a different licensing model – the licensing model changed between SQL Server 2008 R2 and SQL Server 2012 – so it is possible you will have to pay more for your SQL Server licences.

The third option is instead of doing nothing you pay for a custom support agreement. The main advantage here is you can continue to get security updates and therefore potentially remaining compliant. The main disadvantage of this approach is the cost involved, which is typically 75% of the full license costs of the latest version of SQL Server and Windows Server.

The fourth option is to migrate the workload to Azure. Microsoft allows SQL Server 2008 and SQL Server 2008 R2 VMs running in Azure to receive security updates for free for a further three years. So you can migrate your database server to Azure and continue to get security updates for free until 2022.

The main advantage of this is that you get to keep running the same version of the OS and data platform, and the security updates are free so the cost is minimal. The disadvantage is that you would need to move off premises; if this is not an option for you then you can’t exercise this option, and there will still be work involved in ‘lifting and shifting’ the VM to the cloud.

Whatever you do, when support ends for SQL Server 2008 and SQL Server 2008 R2, have a plan.

GDPR shows its teeth – Marriott and British Airways both to be fined heavily

July 11th, 2019

The U.K. data protection authority said it will serve hotel giant Marriott with a £99 million / $123 million fine under EU GDPR laws for a data breach that exposed personal details of over 339 million guests. The incident concerns a 2014 data breach of hotel company Starwood, which was acquired by Marriott in 2016. The breach, however, wasn’t detected until November 2018.

Information Commissioner Elizabeth Denham said companies collecting personal data have a legal duty to protect it, and that the ICO will not hesitate to take strong action if that doesn’t happen. “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

The latest ICO fine came a day after UK airline British Airways was hit with an even larger penalty of £183 million ($229 million). The BA fine was the biggest ever issued by the ICO, and the first under the EU General Data Protection Regulation (GDPR) laws. The updated regulations, which went into effect last year, state that the ICO can seek a fine of up to 4 percent of a company’s worldwide annual revenue in the prior financial year. This marks a significant increase on the maximum fine of up to £500,000 it could levy under the UK‘s previous data protection guidelines.

The fines for BA and Marriott both represented 1.5% of their respective turnover, and the commission said both companies cooperated fully with their respective investigations.

Meanwhile, Facebook, Google and Apple remain under investigation by the Irish Data Protection Commission, which enforces the GDPR. Google could face a fine of up to $5 billion, and Facebook up to $2.2 billion, based on both companies’ annual revenue in 2018.
Earlier this year, the ICO indicated it would investigate Google over leaking of customer data from its advertising platform. Google has faced scrutiny and fines under the GDPR from France’s regulator, with a $57 million penalty levied in January for “lack of transparency” and valid consent controls for users, among other issues.

Facebook received modest penalties of $644,000 for the Cambridge Analytica scandal, in which users weren’t given proper notice that a survey was being used for political research and advertising. It is currently under investigation for a breach of usernames and passwords on its Facebook and Instagram platforms that could be far more costly.

The European Data Protection Board questioned how well Marriott had vetted and protected data when it acquired Starwood in a $13.6 billion deal that closed in 2016. The decisions used punitive language uncommon in the privacy enforcement arena, particularly in the U.S., where companies are traditionally treated as victims of cybercrime first, rather than perpetrators of data loss. In a statement filed with the Securities and Exchange Commission, Marriott CEO Arne Sorenson said: “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.”

Excel vulnerable

July 1st, 2019

Security researchers uncovered a serious vulnerability in Microsoft Corp.’s Excel that exposes around 120 million users to attack. Mimecast Services Ltd. identified that the vulnerability relates to how Power Query, a feature in Excel that is able to pull data from other sources, can be abused. A hacker is able to use Power Query to dynamically launch a remote Dynamic Data Exchange attack into an Excel spreadsheet to actively control the payload. The vulnerability can be exploited to launch hard-to-detect attacks that combine several attack surfaces, embed malicious content in a separate data source and even load the content into the spreadsheet when it is opened to compromise the user’s machine.

In November 2017 Microsoft published an advisory that included workarounds, including recommending users disable the DDE feature where it is not needed in order to block external data connections. The same advisory did note, however, that users would have to click through a number of security prompts for malicious code to be installed. There is legitimate concern over the vulnerability as the feature is turned on by default. It’s unclear whether organizations are following Microsoft’s earlier advice, and it seems unlikely that many organizations have disabled it.

There are currently no known cases of the vulnerability being exploited in the wild, although that could change now that its details have been published. Microsoft has not published a fix for the vulnerability nor has it indicated that it is working on one, but with 120 million users at risk and now widespread attention, we strongly recommend all Microsoft Excel customers implement the workarounds suggested by Microsoft.

Oman and VAT – Ask Synergy Software Systems to help prepare and update your systems

June 30th, 2019

Oman government representatives have said that the state is looking to implement a 5% VAT regime from 1 September 2019. In 2017, it signed the Gulf Cooperation Council VAT Framework Agreement, which included Saudi Arabia, Qatar, UAE, Bahrain and Kuwait. Local media reports in March 2019 quoted a senior official from Oman’s Ministry of Finance as saying that the date of implementation of VAT in Oman is under review. The official reportedly indicated that the target date had been 1 September 2019 but that this is not confirmed, although the intention clearly remains to implement VAT as early as possible. Businesses should take this as a cue to continue their VAT implementation plans in Oman, or restart and reinvigorate those if the work has been put on hold.

A key lesson from our experience of VAT implementation projects in UAE, KSA and Bahrain, across more than 100 companies is that companies that started their VAT planning and implementation projects early had a smoother transition to VAT, than those that waited for the final publication of the domestic law and regulations. A ‘wait and see’ approach backfired on many businesses in the UAE, KSA and Bahrain where there was minimal time between the release of the law and regulations and the go-live date for adequate training, data preparation and testing, and a shortage of resources in the market to cope with the backlog.

There are practical steps to take now. The first is to form an internal VAT working group of key stakeholders to monitor developments in VAT and ensure that VAT is on the Board agenda and is included in budget discussions. The working group will be best placed to negotiate professional services to support implementation, to train end users, and to define test scenarios, etc.

Next, ensure there is VAT awareness among customers, vendors, and staff. Many in the region have never dealt with VAT, and a solid understanding of the mechanics, scope and terminology of the tax takes time; that understanding is a necessary foundation for the next steps.

Document your transaction flows. VAT is a transaction tax, with each transaction triggering a potential VAT consequence. This will help you to identify software changes, processes to update, training needs, data collection needs, commercial document redesign, financial report redesign, etc.

Review contracts to ensure they are ‘future-proofed’ for the introduction of VAT, for example, to identify whether they include suitable clauses allowing VAT to be charged in addition to contractually agreed prices. The UAE VAT law clearly mandated that communication be sent to all customers within a specific timeline stipulating whether their contracts will be treated as exclusive of tax, failing which customers can dispute the tax being charged in the contract. Therefore, revisiting contractual obligations for both customers and vendors and determining cutover dates, incorporating tax clauses and revising prices and quotations will play a pivotal role in safeguarding the business interests of all parties to a contract.

There will be transactions which are closed before the go-live date, and there will be instances where payment is received post the go-live date or where the supply is scheduled post the go-live date, but where the relevant invoices are paid prior to it. Failure to assess and communicate/agree on the VAT impact between all parties to the transaction on such spillover transactions might increase the cost of such transactions and either of the parties may be out of pocket in such scenarios, and there may be unwelcome friction with trading partners, if not managed.

IT infrastructure will be the ‘backbone’ of the VAT compliance function from issuing VAT compliant invoices to producing the VAT return.

Identify VAT resource requirements, particularly external consultants and auditors. Skilled VAT resources are drawn from a diminishing pool of individuals. Take advantage of the experience gained by service providers implementing in Dubai, KSA and Bahrain. There are many wrinkles, not immediately obvious.

Industry associations can raise common issues and concerns with the Ministry of Finance, particularly in advance of the formal publication of the VAT law.

While you can choose to defer VAT implementation, be ready to demonstrate to your owners/investors/respective boards and shareholders that you have done so only after undertaking an appropriate level of due diligence on the likely preparation of the VAT environment. Some key areas include:

• Upgrades to ERP systems and user acceptance testing
• Reporting
• Timely VAT registration (company by company or at Group level?)
• Timely collection of tax registration numbers for trading partners
• Timely returns, accrual and payment of taxes
• Scoping the need for professional services and selection/references, time for reaching agreement with partners
• Unforeseen penalties
• Cash flow management – how will this change? The delayed inflow on account of receipts from customers; outflow after the discharge of tax liabilities on supplies without consideration/deemed supplies (if any); outflow on account of payment to vendors; and additional outflow due to the payment of taxes (net of input tax recoverable) to tax authorities.
• Tracking changes in law/public clarifications

Some businesses in the UAE and Saudi Arabia faced challenges when ERP systems were not implemented in time to capture VAT on transactions or to generate customised VAT payable or receivable reports. The first quarter of the respective VAT regimes required substantial manual effort to properly account for transactions.

Another hurdle was training staff on the upgraded ERP software as well as on new reporting standards.

A test instance of your financial or ERP system, used for training and requirements scoping, can give you early familiarity with the Dubai or KSA framework – there are unlikely to be major changes in the Oman framework.

If your current system is largely manual, or has significant limitations, then now may be the time to plan for an upgrade, a reimplementation or a new system. The UAE VAT law has a penalty provision whereby every incorrect invoice can trigger an AED 5,000 fine (approx. OMR 500), irrespective of the value of the invoice. Exposure to these fines can be significant in industries where high volumes of transactions are made per day, for example the retail, utilities and banking industries. Compliance depends on a robust system and operational preparedness. The audit trail of the process, and other documents, help to ensure correct and timely filing of the returns as well as avoiding any unwarranted penalties.

Businesses across the globe tend to see a fall in demand where the display prices on products do not include VAT, specifically in the case of products which are price sensitive. The implementation of a new indirect tax law will have an impact on turnover and consumer preferences. Some prices may need to be rounded up or down. You may need to show VAT separately, item by item, on a receipt or invoice – is your software able to do that?

Given that the potential VAT rate in Oman may vary between 5 per cent, exempted, non-taxable and zero-rated, businesses should ascertain the price impact of VAT on imports which are recoverable and non-recoverable, final product pricing and alternative sourcing if imports are expensive, and vice versa.

Electronic health data originating in the UAE – Federal Law No. 2 of 2019 (the Law)

June 26th, 2019

Important changes for anyone who collects, processes or transfers electronic health data originating in the UAE.

Besides a host of new data protection measures and new rules around use of a centralized database managed by the United Arab Emirates (UAE) Ministry of Health, a general prohibition on transferring health data outside the UAE has a significant impact on healthcare service providers and life sciences companies operating locally.

Cloud based health solutions which involve collection, storage and processing of health data, such as wearables and health monitoring apps, may be particularly affected. It is imperative for companies operating in the sector to carefully monitor developments.

On 6 February 2019, the President of the UAE issued Federal Law No. 2 of 2019 (the Law) which regulates the use of information technology and communications (ITC) in the healthcare sector. This Law:
• aims to raise the minimum bar for protection of health data and to introduce certain concepts which are on a par with best international practice in information law;
• supports the legislative trend towards localization of sensitive categories of data;
• paves the way for centralized health data capture and analysis to support public health initiatives conducted by the UAE Ministry of Health.

The Law was published in the Federal Gazette on 14 February 2019 and will come into force three months from publication (May 2019). The implementing regulations, which will provide further details on its application, are to be issued within six months from the date of publication.

The law is the first Federal data/privacy law of its kind in the United Arab Emirates albeit limited to healthcare data.

The law prescribes 31 articles and its application is wide both in terms of geographical spread and industry sectors. The law covers the entire United Arab Emirates (UAE) including its Free Zones and will impact many sectors, including local healthcare regulators in the different Emirates as well as all sectors dealing with healthcare data/information.

The health authorities in each local emirate are empowered to establish the rules, standards and controls for their own electronic data and health information systems, such as the methods of operation, exchange of data and information and their protection, as well as access to and copying of data and information.

The Law applies to all entities operating in the UAE, whether onshore or from one of its free zones (including Dubai Healthcare City), which provide:
• healthcare services;
• health insurance services (including insurance brokers or providers of related administrative services);
• healthcare IT services; or
• any other services, directly or indirectly, related to the healthcare sector, or engaged in activities that involve handling of electronic health data.

1. Regulation of health data

The scope of the Law is broad – it regulates the processing of all electronic health data regardless of its form, including names of patients, information collected during consultation, diagnosis and treatment, alpha-numerical patient identifiers, common procedural technology (CPT) codes, images produced by medical imaging technology, and lab results among other types of data.

2. Prohibition on storage of health data outside of the UAE

The Law formalizes the longtime informal regulatory policy that health data must be processed and stored inside the UAE. Critically, it provides that such data may not be transferred outside of the UAE, except where an exception is issued by the relevant health authority. The Law also prohibits the creation of health data outside of the UAE which relates to health services provided inside the UAE. Accordingly, cloud solutions hosted out of country, outsourcing of IT services to overseas locations, remote IT support from other departments within multi-national Healthcare Service Providers, and remote collection and monitoring of patient information within the UAE (such as heart rate, sleep patterns, or steps walked) from outside the UAE through apps and wearables may be significantly impacted.

The Law envisages certain exceptions to the default data localization requirements. These will be set out in subsequent ministerial resolutions or the implementing regulations.

3. Minimum standards for processing of health data

In addition to reinforcing the duty of Healthcare Service Providers to maintain the confidentiality of health data, the Law introduces a number of concepts similar to overseas data protection frameworks. For example:
• Purpose limitation: Patient information must not be used other than for the purpose of the provision of health services, except with the prior consent of the patient;
• Accuracy: Healthcare Service Providers must ensure that the health data processed is accurate and reliable;
• Security measures: Healthcare Service Providers must put in place measures to protect health data and to prevent its unauthorized processing, damage, alteration, deletion or amendment; and
• Non-disclosure/patient consent: The Law reiterates existing obligations not to disclose patient data to any third party without the prior consent of the patient.

4. Retention period

Health data must be retained for a minimum period of 25 years from the date on which the last procedure on the patient was conducted, or as long as is necessary if longer.

5. Centralized data management system

A new centralized data management system (DMS) will be established and operated by the UAE Ministry of Health to facilitate access to, storage and exchange of health data. Healthcare Service Providers are required to register to access the DMS and identify all members of personnel who are authorized to access it.

6. Website blocking for advertisement or licensing violations

The UAE Ministry of Health is entitled to instruct the relevant local or federal health authorities to block any website, whether inside or outside of the UAE that does not comply with the regulations applicable to healthcare advertising or which provides healthcare information without a license or permission from the UAE Ministry of Health.

The only circumstances in which a patient’s information may be used or disclosed without the patient’s consent are:
• to allow insurance companies and other entities funding the medical services to verify financial entitlement;
• for scientific research (provided that the identity of the patient is not disclosed and applicable scientific research standards and guidelines are complied with);
• for public health preventive and treatment measures, for example in the case of a public health crisis;
• at the request of a competent judicial authority; or
• at the request of the relevant health authority for public health purposes including inspections.

There is a delicate balance to be struck between the potential benefits of this practice and the protection of each individual’s right of privacy. Where to draw the line in this assessment remains a topic of discussion between industry stakeholders and regulators, particularly in light of high profile cases in recent years such as the collaboration between the Royal Free London NHS Trust and Google DeepMind to identify patients at risk of kidney disease, or in the context of using health data for secondary research purposes. In January 2019 the European Data Protection Board issued its opinion on the European Commission’s draft Q&A on the interplay between data protection under the EU General Data Protection Regulation and the clinical trials regulation. We wait for the Law’s implementing regulations to see what position the UAE authorities will take on this sensitive issue.

As well as certain penal sanctions for breach of key requirements, such as the data localization obligations, the Law sets out a number of overarching disciplinary sanctions for breach of its provisions. These sanctions range from warnings to fines of AED 1 million and/or cancelling the breaching company’s permit to use the DMS.

Typically, access to centralised systems – such as the planned healthcare system – is facilitated by open APIs (application programming interfaces) made available to third party suppliers of the IT systems which access the central system. Where those IT systems already exist and are in use (under contracts between healthcare providers and the suppliers), technical changes to the systems will be required.

Some businesses will need to revisit their business procedures to comply with the Law. We recommend that companies affected by the Law:
• keep up to date with the executive regulations setting out further details;
• ensure IT systems are capable of interacting with the central IT system;
• complete the necessary administrative steps to obtain access to the central IT system, such as registration / licensing requirements;
• have technical and organisational processes in place to ensure that all patient data is treated confidentially, kept secure, kept accurate and uncorrupted, not used for other purposes and retained as required;
• do not transfer or store any patient data outside the UAE unless authorised to do so by a resolution issued by the local health authority;
• conduct a data mapping exercise to identify what type of health data is held, where it is processed and with which third parties it is shared;
• where such third parties are based overseas, take steps to cease the transfer of health data to them, or to anonymize / de-identify the health data transferred;
• for any health data which cannot be anonymized / de-identified due to the nature of the processing activities, source alternative third party service providers to conduct the processing of that data within the borders of the UAE;
• review contracts with third party service providers which process personal data and ensure that the contractual obligations for data processing and information security are sufficient to meet the new requirements of the Law;
• consider contracting obligations on service providers to support compliance with the Law, such as annual rights of audit;
• add a step to the existing compliance sign-off process prior to adoption of new operational processes and business lines to ensure that no health data leaves the UAE and that the minimum statutory compliance standards are met.

SQL Server 2008 and SQL Server 2008 R2 – end of life July 9, 2019 – ask Synergy Software Systems

June 23rd, 2019

Microsoft has previously announced that SQL Server 2008 and SQL Server 2008 R2 will reach end of life on July 9, 2019.

This means that in less than a month, Microsoft will no longer release regular security updates for the product.

There are several reasons this is important to you.
• Attacks against software products of all types are common and ongoing. With Microsoft SQL being such a prevalent platform, attacks against it are ubiquitous, and it’s important to keep your database platform up-to-date with the latest Microsoft security patches.
• Many compliance requirements dictate that you must be running currently supported software.
• As Microsoft drops support for a product, many third-party applications may also discontinue support for their products running on those platforms.

So, if you are still running SQL Server 2008/2008 R2, then what are your options?

1. Upgrade to a newer version of SQL Server.
SQL Server 2019 is in preview release as of this writing, so the current production version of SQL Server is 2017. Its end of life will be October 12, 2027.
Evaluate your applications and databases to make sure they are compatible, e.g. Dynamics AX 2012 is not supported beyond SQL Server 2016.

Plan a migration, either on-premises or to the cloud. A move to an Azure SQL Database Managed Instance will not require you to upgrade in the future. By choosing this option, you will also gain access to new features which have appeared in the latest SQL Server versions. However, it only offers a subset of SQL Server features, so you need to be sure it will support your application and usage.

2. Migrate to Azure to receive three more years of Extended Security Updates for SQL Server 2008/2008 R2. If you need to stay on the same SQL code base for a bit longer, Microsoft will allow you to rehost your SQL 2008 environment in Azure and still provide you with security updates for an extended period. There is no extra cost for the extended updates beyond the standard Azure VM rates.

3. Purchase extended support. Microsoft allows customers with an active Enterprise Agreement and Software Assurance subscription to purchase and receive three years of Extended Security Updates for SQL Server 2008/2008 R2. The annual outlay for the updates is 75% of the full license cost.

4. The least desirable option is to stay where you are and pray. If circumstances prevent you from moving forward now, then at minimum you should:
• Recognize and account for the risk;
• Plan and budget for a transition as soon as possible;
• Re-evaluate your security and tighten it as much as possible.

Microsoft provides guidance for handling the end of support of SQL Server 2008/2008 R2 at https://www.microsoft.com/2008-eos.

Of course, Synergy is ready to help you to evaluate and to progress to the next level. 0097143365589

If you are running newer versions of SQL Server, then here are their End-of-Life dates.
• SQL Server 2012 – July 12, 2022
• SQL Server 2014 – July 9, 2024
• SQL Server 2016 – July 14, 2026
• SQL Server 2017 – October 12, 2027
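The first step in every option above is knowing which instances are already out of support and which are next. As an added example (not from the post and not Microsoft tooling), the following Python check classifies an inventory of instances against the end-of-support dates listed above. It assumes each version string is the value returned by SERVERPROPERTY('ProductVersion'); the hostnames and build numbers in the sample inventory are constructed.

```python
from datetime import date

# End-of-support dates as listed in the post (2008 and 2008 R2 share a date).
# Keys are the (major, minor) numbers of SERVERPROPERTY('ProductVersion');
# 10.0 = 2008, 10.50 = 2008 R2, 11.0 = 2012, 12.0 = 2014, 13.0 = 2016, 14.0 = 2017.
EOL_BY_VERSION = {
    (10, 0):  ("SQL Server 2008",    date(2019, 7, 9)),
    (10, 50): ("SQL Server 2008 R2", date(2019, 7, 9)),
    (11, 0):  ("SQL Server 2012",    date(2022, 7, 12)),
    (12, 0):  ("SQL Server 2014",    date(2024, 7, 9)),
    (13, 0):  ("SQL Server 2016",    date(2026, 7, 14)),
    (14, 0):  ("SQL Server 2017",    date(2027, 10, 12)),
}


def parse_product_version(product_version):
    """Return (major, minor) from a ProductVersion string such as '10.50.6000.34'."""
    parts = product_version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:2]):
        raise ValueError(f"unrecognised ProductVersion: {product_version!r}")
    return int(parts[0]), int(parts[1])


def classify_instance(product_version, today, warn_days=365):
    """Classify one instance as 'unsupported', 'expiring', 'supported' or 'unknown'.

    `today` may be a date or an ISO string; versions not in the table (for
    example the 2019 preview) are reported as 'unknown' rather than guessed.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    key = parse_product_version(product_version)
    if key not in EOL_BY_VERSION:
        return {"edition": None, "eol": None, "status": "unknown", "days_left": None}
    edition, eol = EOL_BY_VERSION[key]
    days_left = (eol - today).days
    if days_left < 0:
        status = "unsupported"          # no more security updates
    elif days_left <= warn_days:
        status = "expiring"             # plan the migration now
    else:
        status = "supported"
    return {"edition": edition, "eol": eol, "status": status, "days_left": days_left}


def report(inventory, today, warn_days=365):
    """Classify every (hostname, ProductVersion) pair, worst cases first."""
    order = {"unsupported": 0, "expiring": 1, "unknown": 2, "supported": 3}
    rows = []
    for host, ver in inventory:
        row = classify_instance(ver, today, warn_days)
        row["host"] = host
        rows.append(row)
    rows.sort(key=lambda r: (order[r["status"]], r["host"]))
    return rows


# Constructed inventory: hostnames and build numbers are made up for the example.
SAMPLE_INVENTORY = [
    ("erp-db01", "10.50.6000.34"),
    ("crm-db02", "11.0.7001.0"),
    ("bi-db03",  "14.0.3192.2"),
    ("lab-db04", "15.0.2000.5"),
]

if __name__ == "__main__":
    for r in report(SAMPLE_INVENTORY, "2019-06-23"):
        print(f"{r['host']:10} {r['status']:12} {r['edition'] or '?':20} "
              f"eol={r['eol']} days_left={r['days_left']}")
```

In a real estate the inventory would come from your CMDB or from querying each instance for ProductVersion; the classification logic stays the same.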

UAE and AI

June 20th, 2019

A report commissioned by Microsoft and conducted by EY says the UAE has seen the second highest AI investment over the past decade, more than USD $2.15 billion
• One in five companies in the country consider AI as their top digital priority
• 94% of C-suite leadership consider ‘AI strategy’ as an important topic and 35% of non-managerial staff are actively having AI discussions

New research shows the state of AI within businesses across the UAE is expected to improve dramatically over the next three years, as a growing number of executives look to AI to drive their digital agendas. Already, 18% of businesses in the country consider AI their most important digital priority. (AI Maturity Report in the Middle East and Africa (MEA) – a new study commissioned by Microsoft and conducted by EY.)

The UAE’s progress in elevating the AI agenda is a direct result of leaders across the country recognising that the technology is a key differentiator across all sectors. 94% of companies in the UAE report involvement in AI at executive management level – the highest percentage of any surveyed country in MEA.

“When we examine companies with high AI maturity, it’s clear that the technology is driven directly by the CEOs themselves. This high level of involvement typically results in greater investment in AI, broader adoption and a greater number of successful implementations,” says Sayed Hashish, regional general manager at Microsoft Gulf.

Leadership capability in the UAE is also rated high when compared with other countries in MEA. While 64% of respondents believe they have moderate, little or no AI leadership competency, 24% of executives in the UAE rated themselves as highly competent, with another 46 percent indicating they are either competent or very competent. Most companies still consider themselves to be in the planned phase of AI maturity, meaning AI has not yet been put to active use. On the opposite end of the spectrum, just 8% of businesses perceive themselves as advanced in their application of AI.

It’s not surprising that the UAE is the second highest regional investor in AI over the past ten years, investing $2.15 billion in total. The bulk of this investment went towards social media and Internet of Things (IoT) transactions. This was followed by notable spend across a further eight technologies, including smart mobile, gamification, and machine learning.

Machine learning is ranked as the most useful AI technology, with primary emphasis placed on decision support solutions, then smart robotics and text analysis, where customer interactions are the key focus.

The UAE’s open culture around AI is a highly positive indicator of the health of the technology within the country. 94% of UAE companies have ‘AI Strategy’ as an important topic at C-suite level and a significant 35% of companies say AI discussions are filtering down from top management right the way through to non-managerial levels. As a result, employees in the UAE embrace opportunities to participate in skills training and pilot programmes.

UAE companies are, in general, heavily focused on customer engagement when it comes to AI. The use of chatbots in the marketing space has become common, largely because they enhance the customer experience, ultimately demonstrating obvious value to management. UAE respondents expect AI to deliver greater operational efficiencies, drive down costs and, most importantly, enable them to be more competitive. Companies within the Emirates view prediction (76%) and automation (76%) as the most relevant applications of AI for their businesses.

65% of UAE companies rate themselves as highly to very competent when it comes to drawing on external alliances to strengthen their AI capabilities.

Synergy Software Systems offers Integration as a service, Robotic Process Automation, Machine learning, and Advanced analytics solutions

Databases breaches

June 18th, 2019

Verizon publishes a Data Breach Investigations Report annually; the latest report is the 11th edition, and all are extremely well detailed. Not all data breaches are discovered, and those that are discovered aren’t necessarily reported. The 2018 report covers 53,000 incidents, defined as: A security event that compromises the integrity, confidentiality or availability of an information asset. It also covers 2,216 breaches, which are defined as: An incident that results in the confirmed disclosure — not just potential exposure — of data to an unauthorized party.

These numbers do NOT include breaches involving botnets. The additional 43,000 successful accesses via stolen credentials associated with botnets are handled in a special insights section of the report.

Those are scary numbers.

The Verizon report shows 73% perpetrated by outsiders, 28% involving internal actors, 2% involving partners, 2% featuring multiple parties, 50% carried out by organized criminal groups and 12% involving actors identified as nation-state or state-affiliated. These figures relate to confirmed data breaches, not all security incidents. While 28% involve internal users, the bulk of data breaches were caused by people outside the organization, using malware or social attacks, or exploiting vulnerabilities created by errors.

While the exact internal actors weren’t identified for all of the reported data breaches, analysis was done for 277 data breaches and the breakdown shows: 72 system admins, 62 end users, 62 other, 32 doctors or nurses, 15 developers, 9 managers, 8 executives.

Database administrators may focus on denying developers permissions on production, but developers proved much less likely to be involved in data breaches than system admins … which includes … the DBAs.

You don’t need production system access to cause a data breach. It’s common practice in an enterprise to make copies of production data for use by analysts, developers, product managers, marketing professionals, and others.

Privacy law compliance makes this all the more concerning.