Tuesday 29 September 2009

Thanks and goodbye

As I will be leaving AppGate soon to join the Swedish Post and Telecom Agency (from January 1) as Director General, it is time to end this blog. I would like to thank everyone for this time!

Tuesday 15 September 2009

Thin clients...now on Mobile phones

I have worked with mobile users and applications for several years. I have seen the transition from "oh I am so happy to have emails on my phone" to something that is part of the organisation's IT access architecture. The problem has been (and still is) that it is almost impossible to create applications that work with all mobile operating systems...or phones. I spoke to some friends in the industry yesterday and the answer seems to be simple...use the web browser in the phone and connect to the Intranet through a VPN. Simple, secure and cost effective. Now that the mobile networks are so good it is not necessary to carry the data around. Why create solutions that are unnecessary? I even have customers who run terminal servers from their mobile phones.

Monday 14 September 2009

Black list versus white list

As long as I have been active in the IT industry the methodology for internal security has been blacklisting: you can reach almost everything, but we will close down access to certain resources. That was probably OK "in the old days" when there was a limited amount of information accessible. I therefore think whitelisting is much easier to use: block everything and give access only to the information that is needed for the given task. Much easier, much more secure...and probably more cost-effective.

Maybe you already know...

I have been appointed by the Swedish Government to be the new Director-General of the Swedish Post and Telecom Agency. I am sorry to leave my friends at AppGate but happy to get new ones at PTS. I will start my new job in January 2010; until then I will continue to blog. For more information about PTS, please visit www.pts.se

Tuesday 8 September 2009

Time they are a changing

I read something interesting today: sales of ADSL are losing momentum due to increased usage of mobile data access. It sounds fairly obvious when I think about it, mobile is easier, more flexible and therefore in a way more user friendly. But the change is also interesting from other perspectives because it has other implications than just the obvious. The fact that people now can be connected everywhere will create new business models, the need for new security architectures and more connected "devices". I remember when I (several years ago) tried to buy a "connected refrigerator" (not the best of ideas...) but now we will see a fast adoption of new things connected to the Internet. (Please do not tell my wife but I will buy a TV with Internet access soon..). My next car will probably be connected etc etc. We have talked about this for a long time but the difference is that now it is really happening. Maybe we are now "Back to the Future". What I do not know is who will produce those services; companies like Skype and Spotify have taught me to be humble. Ten years ago the industry was filled with fun ideas (not all of them very good) based on new technologies. I think that we will see a lot of that innovation "pulse" again.

Monday 7 September 2009

Security and energy consumption

For good reasons there is a lot of talk about the IT industry's need for energy and all the measures that can be taken to limit that need. I spoke to a customer this morning that we did some work with a while ago, where we replaced several security point products (a mobile VPN system, several internal firewalls, an SSL VPN and an old IPsec-based VPN), and he told me that one of the effects he has now seen is lower usage of electricity due to fewer servers and point products. At the same time they started to virtualise the infrastructure so the effect was double (they run our server in a virtualised form "on top" of the applications).

I have not thought about this effect before but it makes me happy that increased security can sometimes lower energy consumption. So my tip of the day is to look into the usage of power when you design your next architecture.

Wednesday 2 September 2009

Reality versus hype

I read a study today about customers' willingness to adopt "the cloud". In the study only 8% were ready to make the move. The others had concerns about security, integrity and costs. I think this proves that the IT industry has matured; people now understand that they need to analyse the consequences of implementing new technologies. I think this is good..I am tired of all the hypes that vendors have sold to their customers over the years...with the result that a lot of money and energy has been lost on immature or useless products.

Tuesday 25 August 2009

The first thing to check for any manager...

Yesterday I was invited to attend an internal discussion with one of our customers. The customer's main business is in finance and they did something that I think more companies should do: they did a war game. They tried to find any potential breach they could have from any type of source, internal or external. I was invited to help them with questions to ask themselves. They did a good and thorough job so I ended up with only one question: is anyone responsible for all access systems? I think that in any security environment there should be a 2-hand principle. As an example: one person handles the access system, another person should handle the LDAP. We ended up doing a map of who was responsible for which system. A couple of minutes ago I got an email from my customer in which they told me that they added the principle to their security plan and they have already changed some access rules internally.

Thursday 20 August 2009

A very intelligent article by someone else then me....

I get happy when other people express what I am trying to say (in a much better way than me..). AppGate has a new partner in South Africa: Condyn. They recently wrote an article about security that I think is great...so here are some quotes:

Most investigations concerning computer crimes show that 60% to 80% of all security breaches are performed by insiders. These statistics highlight the fact that the most common method of protecting a corporate network and computers – the “ring wall” – is ineffective as it is assumed that attacks will come from the outside.

“This type of firewall-centric solution was designed many years ago and is slowly becoming obsolete,” explains Jorina van Rensburg, CEO of Condyn.

“Protection has been moved closer to the assets, such as application servers as well as workstations and laptops. So, how do you transform this traditional view into a more modern and effective architecture?” she asks.

According to Van Rensburg, the first step forward is simply observing the fact that the larger a network becomes, the more insecure it will be. This means that security can be improved by partitioning the corporate network.

Traffic between domains should be strictly controlled and potential problems logged. This immediately puts a limit on the maximum amount of damage a security problem can cause, and increases the possibilities to both detect and deal with potential problems.

The next step is to fully move away from the “ring wall” architecture. “If the servers can be protected against all unauthorised traffic, then operating systems, network protocols and applications cannot be attacked.”

Step three involves improving client security. Clients need to be correctly configured, configurations must be reviewed and all software patched to make sure they do not contain any publicly known vulnerabilities. The security system should also be able to do a “client-check” before access to sensitive resources is granted. This check could guarantee, for example, that the client has anti-virus software installed, a good personal device firewall is in use, that no file sharing software is present, or any other rules the application system owner would like to enforce before access to that application is granted.

I am really looking forward to working with this company; they know what they are talking about.

Wednesday 19 August 2009

Why are not all patches applied?

One of the reasons for security breaches is that security patches have not been applied. The message from the vendor often seems to be: yes, we screwed up, but now there is a patch so it is not our problem anymore. They seem to expect everybody to jump on any new patch and install it in an instant...this does not seem to be the case. Are people stupid or lazy (or both)? I do not think so; I think it is a question of time and resources. Any given company or organisation runs several applications and pieces of hardware at the same time. Just knowing that there is a new patch out there can sometimes be a problem. Another problem is to find out if the patch will have any implications for the rest of the infrastructure.
This is especially true when it comes to the network and security infrastructure, where many point products interact with each other (many times in strange ways...). As always there is no simple solution but I have over the years recommended a short list of things to do...
1. Make sure that you use UTM products instead of point products...that is an easy one.
2. Limit people's access to applications (when things go wrong the problem is isolated).
3. Make a list of the most dangerous applications and systems you have and grade them.
4. Check how different point products interact with each other.
5. Make a due diligence plan..and do due diligence often..

With this you have hopefully created time....use it to patch.

Friday 14 August 2009

What will you do if the Swine flu hits your organisation?

The latest UK Government figures suggest a worst case of up to one in eight employees forced to take time off work due to swine flu. On 28th July, the British Chambers of Commerce (BCC) advised businesses to consider offering staff the option of home working to maintain continuity during the swine flu epidemic. The organisation warned that companies could be hit by intense periods of staff absence if projected figures for infections are realised.
Remote access is simple in theory but hard to achieve on a mass scale...here are some things that need to be considered:
1. Who should be able to access, and what should they be able to access? It is never a good idea to open the whole network for access.
2. How should they be able to access? Letting everybody use their private PCs for access could be a security challenge. How do you know if the PC is infected or not? Maybe a USB client with terminal access would be the best and most cost-effective solution.
3. How do the users authenticate themselves? I have seen many times that intruders use a crisis in an organisation to exploit networks..simply because no-one cares about IT security during (as an example) a bomb threat. I strongly recommend 2-factor authentication.
I guess what I am trying to say is: plan ahead. The cost of trying to solve the problem during a crisis will always be higher than fixing the problem beforehand. A small investment now can save tons of money later.

Wednesday 12 August 2009

How to survive vacation?

I do not know about you but being away from the office could be quite stressful for me..I need to be in the loop. Luckily enough I have an understanding wife and I work in a company that makes remote working possible. This year I added to the technical infrastructure in my boat by installing a wireless router that I connected to my 3G data card. That made it possible for both me and my wife to "work" and use Internet...even on a remote island (and mostly in the rain..). I now had the same access as if I was in the office.
I had one technical problem this summer...when I learned that mobile phones do not swim very well. Skype helped me to overcome that burden until I could buy a new phone.
Sitting in my boat I realised that all this has created a new level of freedom; just a couple of years ago this would have been impossible or very expensive. Now it is easy and actually quite cheap. My wife in the end had a slightly different view..she told me that I have now gone from working full time to working all the time.

Monday 10 August 2009

I am back from vacation....

I have not posted anything in a while...mostly because I have been away from my desk and in my boat...and partly because this summer has been different from most other summers in terms of business. We have never been more active than we are right now at AppGate. I think this is proof that customers are looking for security solutions that are built around another concept than the old "firewall inside-outside" model. Anyway, I am happy....

Monday 22 June 2009

An argument for keeping control of your data.

http://www.cio.com/article/494553/T_Mobile_Confirms_Stolen_Data_is_Genuine

As I have stated many times before: before you outsource any data or parts of your infrastructure...make a security assessment. Think about the go-to-jail factor.

(Thanks Malcom for the link)

Wednesday 17 June 2009

This is pure marketing...but I am proud of it

Following rigorous testing over the past year, AppGate’s solution has been chosen to ensure police officers on the beat can securely access essential information held on the central network at police headquarters via their mobile phones. AppGate’s technology will now make it possible for the police force to change how they work to be more productive and efficient.

Stockholm 17 June 2009 - It has been a tough knot for the Police to solve, how to make confidential information available for officers working on the street while ensuring the information remains secured. Previously, officers had to return to the station each time they needed to retrieve information, despite the fact that it would be more effective and efficient if they were able to access it while at the scene of the crime.
A key requirement has been to find a solution that uses the highest possible level of security while at the same time providing the best possible availability, and the new solution from AppGate achieves that making it possible to retrieve highly classified information over a mobile phone. The solution will be available to police all over Sweden and 10 000 police officers will use the system at first with the possibility to scale it up to incorporate more users later.

The AppGate system makes it possible to integrate all types of access: Mobile, PC/Mac, PDA, in one single solution without having to accept reduced security or functionality. The users will get exactly the access they need when they need it – no more and no less. One set of users might be restricted to downloading e-mail and synchronizing their calendars on their mobile phones, while others who are running the required AV software on their mobile devices might have access to SAP and the CRM system as well.

As always AppGate security servers build on existing proven functionality such as:
Application Layer Firewall
Mobile & Fixed VPN
Granular & Role based Access
End-point Security Control

Monday 15 June 2009

I am so tired of hidden agendas from vendors

I read an article with someone called Mark Hennessy from IBM today. In the article he claimed that in the future the IT department of most companies would disappear because everybody would use "the cloud" for all types of applications. He is entitled to his view of course and I also think that a lot of companies will jump on this new outsourcing trend. What makes me irritated is that again a salesperson hides behind his title...to sell a product. This is not uncommon in the IT industry..anti-virus companies send out reports that show that there are more viruses than ever...router vendors "foresee" increased usage of the Internet (so operators need to buy new and faster routers). Do they actually think that most people do not see through their marketing effort and take their advice for what it is...pure selling?
On the subject of cloud computing I think that companies that have IT as an integrated part of their business strategy will never outsource all parts of their application infrastructure.

Tuesday 9 June 2009

Who is responsible if the shit hits the fan?

I am often invited by companies to act as a bridge between the IT department and higher management. That is not always easy..management seems to think that IT people like new toys to play with...and IT people seem to think that management does not understand the importance of IT. A way of getting around the discussion is to play the responsibility game. I start by asking what the worst thing that could happen would be. Usually that is that the company does something that hurts a third party...and then gets sued for it. I did this when I talked to a CEO about cloud computing...and I really enjoyed it when he realised that he could never delegate the responsibility just because he outsourced his applications. That CEO is now very much involved in all discussions regarding outsourcing and cloud computing. I call it the go-to-jail factor.

Monday 8 June 2009

More about Mobility

I spend a lot of time with customers who want to increase the usage of mobile phones but have concerns about security and costs. There is no single answer that would fit everyone but over time I have formulated a list of questions to ask.
1. Will you use the mobile phone to access more than just email? Intranet, business applications and other applications are on the wish list of most users today. Will that increase the return on your investment?
2. What is the lowest level of authentication you will accept for access to information? Passwords? 2-factor authentication? Does your mobile solution support the authentication system that you already use?
3. What are the security effects on your infrastructure? How many ports do you need to open in your firewall etc etc?
4. Can you accept that your traffic goes through a third-party gateway (like the Blackberry solution)?
5. How do you manage and support the mobile phone? Can a phone be updated remotely?
6. Can you verify the identity of the actual phone before it is connected to the network?
7. Should information be stored on the phone or centrally?
8. Does the phone have encryption pre-installed or do you need to add that?
There is one more thing I usually tell everybody that wants to listen...make a difference between what you NEED to do...and what is fun to do. I have seen the costs of many mobile projects explode due to the FUN factor. Make a list of features that you need rather than options vendors try to sell you. One of the features many talk about is reporting on the users' use of the phone..expensive reports are created for something that you get from your operator for free.

Tuesday 2 June 2009

How boring is IT-Security?

I had some friends over for dinner a couple of weeks ago and for some odd reason we started to talk about my blog. The verdict was that it had to be good...as they did not understand a word of anything I wrote. I have to admit I was a little bit surprised because I like to think that I write about things that people should understand...as it concerns everybody. My wife gave me the simple (but fairly cruel) answer...IT security as a dinner discussion is very, very boring for 99.999% of the world's population. It is such a boring subject that next time I bring it up..she will send me to bed without dessert. So why is IT security such a boring subject? I am not boring; my friends in the industry are not boring (at least we do not think so). I do not have the answer but maybe security is boring because we do not think it is that important. We actually believe that the threat is unreal and that the makers of software do a decent job of protecting us. Therefore we who work in the industry are troublesome whistleblowers who try to make a dollar by scaring honest people into buying stuff they do not need. I wish it were true. I am open to any suggestion on how to make IT security more interesting for people outside the industry..at least that would make my dinner parties more interesting.

Monday 18 May 2009

Are humans the biggest security problem?

I read a story today about a person who got his mobile phone infected with a virus when he received an MMS that happened to contain hidden software. The journalist who wrote the story talked to a representative from Microsoft who said that end-users are the biggest security problem. I do not debate that users have to take some responsibility for ensuring their safety but I still think that we in the industry cause more problems than most users. It is strange that in an area where so many people (and companies) depend on communication so little is done to fix the underlying problem of security. Many applications are badly designed, badly written and full of holes. Access systems are seldom used or badly implemented. In any other industry consumer groups would be shouting at (and suing) suppliers that lie as much as the IT industry does. So humans are never the "problem"; let us start to think about their needs instead.

Friday 15 May 2009

More about the architecture

I have to admit I am a little bit lazy now.. I copy this text from an internal AppGate paper....but I do this to show that it is not that complicated to build a more secure and cheaper architecture for security. The basis of the solution is that a user should never see any resources on the network before he or she is properly checked and identified...to use a new-world expression...the firewall is a part of the access system.
1. The user finds a machine and connects to an AppGate Security Server.
2. The user is authenticated; ideally, the user should only have to log in once to the system ('single sign-on'), which is possible for many services.
3. The AppGate Security Server checks the availability of possible services (authorisation) for the user. Availability may depend on many different parameters, for example the authentication method being used and the user's physical location.
4. The system provides the user with information about service availability and the user selects a role depending on what he/she wants to do (this step can be optional and all access could be completely transparent for some users).
5. The AppGate Server allows authorised users access to the requested services while blocking all access for unauthorised users. This makes internal services completely invisible to all unauthorised users regardless of who they are and their physical location.
6. Traffic is normally encrypted to provide message integrity and/or confidentiality over the networks. This step actually makes it possible to use both internal networks and the Internet for transport and makes the borderline between them less important.
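The steps above, together with the whitelisting principle from the "Black list versus white list" post and the posture-based access in the police press text (only phones running the required AV get the business applications), as a small default-deny policy engine. This is an added illustration written for this page, not AppGate's code and not part of the original paper; the roles, service names, locations and posture checks are constructed for the example, and the real product will organise its policy differently.

```python
"""Default-deny access broker (added example; policy data is constructed).

Each Rule whitelists one service for a set of roles and states the minimum
authentication strength, the locations and the endpoint posture it demands
(steps 2-5 above). A service that no rule grants is neither listed nor reachable.
"""
from dataclasses import dataclass

AUTH_STRENGTH = {"password": 1, "two_factor": 2}
ANY_LOCATION = frozenset({"office", "remote"})


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset          # roles the directory assigns to the user
    auth_method: str          # "password" or "two_factor"
    location: str             # "office" or "remote"
    posture: frozenset        # endpoint checks that passed, e.g. {"av", "firewall"}


@dataclass(frozen=True)
class Rule:
    service: str
    roles: frozenset
    min_auth: str = "password"
    locations: frozenset = ANY_LOCATION
    posture: frozenset = frozenset()   # checks the client must have passed


# Hypothetical policy: services not listed here do not exist as far as users can tell.
POLICY = [
    Rule("email", frozenset({"staff", "sales"})),
    Rule("calendar", frozenset({"staff", "sales"})),
    Rule("intranet", frozenset({"staff", "sales"}), min_auth="two_factor"),
    Rule("sap", frozenset({"sales"}), min_auth="two_factor",
         posture=frozenset({"av", "firewall"})),
    Rule("crm", frozenset({"sales"}), min_auth="two_factor",
         posture=frozenset({"av", "firewall"})),
    Rule("ldap-admin", frozenset({"ldap-admins"}), min_auth="two_factor",
         locations=frozenset({"office"})),
]


def rule_permits(rule: Rule, s: Session) -> bool:
    """All four conditions must hold; an unknown auth method or missing check fails closed."""
    return (bool(rule.roles & s.roles)
            and AUTH_STRENGTH.get(s.auth_method, 0) >= AUTH_STRENGTH[rule.min_auth]
            and s.location in rule.locations
            and rule.posture <= s.posture)


def visible_services(s: Session, policy=POLICY) -> list:
    """Steps 3-4: the only services the user is told about."""
    return sorted({r.service for r in policy if rule_permits(r, s)})


def authorise(s: Session, service: str, policy=POLICY) -> tuple:
    """Step 5: default deny. Unknown services and unmet rules both yield (False, reason)."""
    rules = [r for r in policy if r.service == service]
    if not rules:
        return False, "no rule for service: denied by default"
    if any(rule_permits(r, s) for r in rules):
        return True, "allowed by rule"
    return False, "no rule for service is satisfied by this session"


def blacklist_allows(service: str, blocked: frozenset) -> bool:
    """The older model, for contrast: anything not explicitly blocked is reachable."""
    return service not in blocked


if __name__ == "__main__":
    sales = Session("erik", frozenset({"sales"}), "two_factor", "remote",
                    frozenset({"av", "firewall"}))
    print(visible_services(sales))          # ['calendar', 'crm', 'email', 'intranet', 'sap']
    weak = Session("erik", frozenset({"sales"}), "password", "remote", frozenset())
    print(visible_services(weak))           # ['calendar', 'email']
    print(authorise(weak, "sap"), authorise(sales, "payroll"))
    print(blacklist_allows("payroll", frozenset({"torrent"})))   # True: the forgotten service leaks
```

The same user gets a different service list with password-only authentication than with two factors, and a service nobody wrote a rule for ("payroll") is denied without anyone having to remember to block it; the last line shows why the blacklist model fails for exactly that case.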

Thursday 14 May 2009

An alternative architecture for security

I got an email from a reader of my blog. He wanted to have more information about "non-firewall based" security. This is my answer:
Chris,
Thank you for your email and your comments. It is not a question of replacing the firewall...more a question of making the firewall a part of the architecture rather than the centre of the architecture. Firewalls have traditionally been used to build a supposedly secure wall around the network. However, users on the inside need access to outside resources and many trusted users found on the outside need access to internal resources. In addition, more granular internal security is needed since the corporate LAN is normally not secure enough and does not give enough protection to all resources. The traditional firewall-centric view that treats everything on the outside as malicious and everything on the inside as benign is no longer as useful as it used to be.
A new architecture where each device is capable of protecting itself is needed. To implement this, protection mechanisms must be moved away from the perimeter and placed much closer to the servers where applications execute and the data is located. All end systems used for access should have personal firewalls and software that protect them from other network threats. In a world where every system, each server and all clients, is able to protect itself and only admit authorised users to access data, the role of the firewall is diminished. In this world the networks are only used to transport data and the boundary between the internal network and the Internet will become much simpler.
It is possible to create centrally defined policies that govern how all computers that connect to the network should behave. With this model it is easy to offer secure access to all types of services, and since all users are treated equally regardless of location, it is now equally easy to offer access for internal users as it is for business partners, home workers and mobile users.
Firewalls can still be present but will in the long run be transformed into systems for data collection for example for intrusion detection (IDS) and intrusion prevention systems (IPS). This new architecture can be compared with modern cities; we no longer build a ring wall around the city and now protection has moved from protection at the perimeter to protection at the source, i.e. to buildings, shops and stores where the assets are located. The streets are just transport paths just like the network will be, and simply having access to the network does not mean that all services are available or even visible to the user.
Regards
Goran

Wednesday 13 May 2009

I have blogged about this before...but it is important

Yesterday when I visited a customer I was reminded of something that I wrote about last year under "who can you trust?". The question is simple: can you trust your IT department to always do what you want them to do (yesterday I heard the expression: no creativity..just hard work)? The IT department has an enormous power within any given organisation and their failures have a direct impact on whether you can do your job or not. On the other hand, when things run smoothly nobody thanks them…
I often say that people have too much access to information...and that is certainly true for people at IT departments. They are often by definition power users and can access more information (and do more stuff) than anyone else in the organisation. It is essential for management to make sure that the rules and regulations regarding access are applied also to the IT department. I usually recommend the two-hand principle for anything that has vital implications...an example of this is that one person handles the LDAP system...and another person handles the access system.
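One way to actually check the two-hand principle rather than just write it into the security plan is to resolve who holds administrative rights on each system and look for overlaps. The trap in practice is nested group membership: nobody is directly in both admin groups, but an operations group is a member of each. This is an added example written for this page, not code from the post or from AppGate; the directory data, group names and system names are constructed.

```python
"""Two-hand (separation of duties) check over nested group membership.

Added example with constructed directory data; group and system names are
hypothetical. Membership lists may contain groups as well as user accounts.
"""

# Who is a member of which group; a member that is itself a key is a nested group.
GROUP_MEMBERS = {
    "ldap-admins": ["alice", "it-ops"],
    "accessgw-admins": ["bob", "it-ops"],
    "it-ops": ["carol"],
    "helpdesk": ["dave"],
}
# Which group carries administrative rights on which system.
ADMIN_GROUPS = {"ldap": "ldap-admins", "access-gateway": "accessgw-admins"}
# Pairs of systems that must not share an administrator.
CONFLICTS = [("ldap", "access-gateway")]


def expand_members(group, members=GROUP_MEMBERS, seen=None):
    """Resolve nested groups to the set of user accounts; tolerates membership cycles."""
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    users = set()
    for m in members.get(group, []):
        if m in members:
            users |= expand_members(m, members, seen)
        else:
            users.add(m)
    return users


def admins_of(system, admin_groups=ADMIN_GROUPS, members=GROUP_MEMBERS):
    """Effective administrators of a system after group expansion."""
    return expand_members(admin_groups[system], members)


def two_hand_violations(conflicts=CONFLICTS, admin_groups=ADMIN_GROUPS, members=GROUP_MEMBERS):
    """Accounts that administer both systems of a conflicting pair."""
    found = {}
    for a, b in conflicts:
        both = admins_of(a, admin_groups, members) & admins_of(b, admin_groups, members)
        if both:
            found[(a, b)] = sorted(both)
    return found


if __name__ == "__main__":
    print(two_hand_violations())   # {('ldap', 'access-gateway'): ['carol']}
```

Neither alice nor bob violates the rule; carol does, only because "it-ops" is nested under both admin groups. A review that only reads the direct members of each admin group would miss her.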

Monday 11 May 2009

Split tunneling

Most corporate networks today are reasonably well protected at the perimeter, so attackers are increasingly targeting the end point devices instead. This makes the task of protecting those devices just as important as protecting the servers. One key step when it comes to protecting information is to establish separate security domains and avoid handling information of different sensitivity at the same time. For example, you should not proofread the upcoming quarterly report whilst browsing eBay. Doing this turns your computer into a gateway between protected information and the unprotected Internet, an ideal starting point for information theft and other attacks. This is often referred to as the "split-tunnelling problem". A simple solution is to ensure that there is a personal firewall on the PC with an automatic rule set: when a user connects to a secure domain, all other, unsecured traffic is blocked. The word automatic is important, as users are too important to be hassled with security issues.
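Whether a client is split-tunnelling can be read off its routing table, because the kernel picks a route by longest prefix match (and, on equal prefix length, by metric). A VPN that pushes 0.0.0.0/1 and 128.0.0.0/1 wins over the LAN's default route; one that only pushes the corporate prefixes leaves the rest of the Internet on the local interface. The check below, an added example written for this page and not code from the post or from any VPN product, runs a few probe destinations through a parsed `ip route` listing and reports which ones would leave the machine outside the tunnel. The two route listings, the interface names, the addresses and the probe set are all constructed.

```python
"""Split-tunnel check from a Linux client's routing table (added example).

The `ip -4 route` output below is constructed, not captured. 203.0.113.10 plays
the VPN server, tun0 the tunnel, wlan0 the physical interface.
"""
import ipaddress

FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev wlan0
"""
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev wlan0
"""
# Constructed probes: a public host, a corporate host, a LAN neighbour, the VPN server.
PROBES = ["8.8.8.8", "10.1.2.3", "192.168.1.7", "203.0.113.10"]


def parse_routes(text):
    """Return [(network, device, metric)] from `ip route` lines; 'default' is 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append((ipaddress.ip_network(dst, strict=False), dev, metric))
    return routes


def egress_interface(routes, dst):
    """Route selection as the kernel does it: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev, metric in routes:
        if addr not in net:
            continue
        key = (net.prefixlen, -metric)
        if best is None or key > best[0]:
            best = (key, dev)
    return best[1] if best else None


def split_tunnel_leaks(route_text, tunnel_dev, vpn_server, probes=PROBES):
    """Probe destinations that would leave the host outside the tunnel.

    The VPN server itself must be reached over the physical interface, so it is
    not a leak. Anything else that egresses on another interface, the local LAN
    included, is traffic the automatic firewall rule described above should drop.
    """
    routes = parse_routes(route_text)
    server = ipaddress.ip_address(vpn_server)
    return [(p, egress_interface(routes, p)) for p in probes
            if ipaddress.ip_address(p) != server
            and egress_interface(routes, p) != tunnel_dev]


if __name__ == "__main__":
    print(split_tunnel_leaks(FULL_TUNNEL, "tun0", "203.0.113.10"))
    # [('192.168.1.7', 'wlan0')]   only the LAN, which routing alone cannot remove
    print(split_tunnel_leaks(SPLIT_TUNNEL, "tun0", "203.0.113.10"))
    # [('8.8.8.8', 'wlan0'), ('192.168.1.7', 'wlan0')]   the Internet is reachable beside the tunnel
```

Even the full-tunnel table still reaches the LAN over wlan0, because the connected route for 192.168.1.0/24 is more specific than the /1 routes; that is exactly the gap the automatic rule set has to close. The host firewall equivalent is an outbound default-drop policy that permits only loopback, the tunnel interface, and the VPN server's address and port on the physical interface, installed when the tunnel comes up and removed when it goes down. The metric tie-break also covers clients that install a second, lower-metric default route instead of the two /1 routes; the check does not model policy routing with fwmarks or multiple tables, so for such clients `ip rule` must be read as well.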

Friday 8 May 2009

Securing SAP

SAP/ERP systems can provide considerable benefits for medium and large organisations but they can also introduce significant risk to the security of critical data and resources.
But what surprises me is that this risk is frequently not acknowledged or managed effectively when SAP/ERP systems are deployed.
Central to ERP is the commitment of all business function resources and information to a central ‘resource planning’ platform. Centralising information is essential for sharing data across the organisation but, should any malicious user gain access, the threat to the business is much greater.
What is surprising is that information security is not a central consideration as part of a standard SAP/ERP deployment. Instead, it tends to be treated as an afterthought. The result is that network security is inflexible or ineffective, leaving corporate data and assets vulnerable to attack. Holes in the network perimeter via ‘backdoor’ access routes are not closed off, internal security risks are overlooked, usernames and passwords are passed unencrypted. Where attempts are made to provide security, users face inflexible procedures that make SAP applications difficult to use and the user less productive.
The costs to business as a result of unauthorised access to corporate information are well documented and include not only direct costs but also a drop in share price and loss of customer loyalty. For organisations implementing and running SAP/ERP, information security should be recognised as a strategic issue.
By managing user access needs for the SAP/ERP system as a whole, including at the deployment stage, the relevant security issues can be fully addressed whilst also helping users make full use of the ERP environment. “Unified Access” is an information security model that aligns very closely with the SAP/ERP model, allowing security and user access policies for the whole system to be managed through a centralised access control platform.

(Thanks Malcom for the info)

Wednesday 6 May 2009

The difference in helping users or forcing them

Many security systems are built to force people to behave in a certain way. The user-friendliness of security systems is seldom discussed. A very simple example: users often need to behave differently depending on where they are or which device they are using. They need to use different authentication systems, different access applications (that look and behave differently) and sometimes even the target applications look different depending on whether they are on the outside or the inside. Add to this that we expect them to take security decisions and avoid security issues (as written in the latest security policy document, which can be found in the second drawer under the coffee machine on the second floor).
Does anyone wonder why users see security as an obstacle? When we design our security infrastructure we need to address the issues of the users and respect their wishes. The plan should be for optimal security...for the users and the organisation. Well-implemented security solutions can and should help the users to do their job in an efficient way. Always try to make it as simple as possible for the users to access data and take away as many obstacles as possible (usually caused by many point products and inefficient security policies).

Tuesday 5 May 2009

Mastering the Internet

I read today about the rumours that the U.K. Government plans (under a programme called Mastering the Internet) to increase monitoring of Internet usage. I do not know if the rumours are true but they help us to sell security solutions. I spoke to a customer today who has bought a VPN solution from a U.K. operator. His conclusion is that he cannot continue with that service anymore as he sees that operators will have to store his secret information in the future. According to him this is the same for all third-party security providers that also operate a network (he also mentioned a Canadian mobile phone provider..). He will now build and operate his own solution..and make sure that all traffic is always encrypted. During the discussion he also realised that he uses so-called MPLS lines from the same operator to connect branch offices...so most of his internal traffic is unencrypted as well...and is possible to monitor.
I wonder how the operators will deal with this. I think that they have been very silent. Maybe they are afraid to lose customers.

Thursday 30 April 2009

The unsecure end point

I have said it before and I will say it again: many times the end point is the biggest security challenge. Why? Because it is very hard to know everything (or check anything) that runs on PCs that users treat as something personal. Users want to download stuff and store stuff on their PCs..and sometimes the PCs do not even belong to the company or the organisation. Users access corporate data using a cafe PC or their home PC. Will this trend change? Not likely, as the difference between our working life and our private life becomes more and more diluted. We live a part of our life in cyberspace and companies need to accept that company infrastructure (and security policies) needs to support that.
There are a couple of simple tricks to avoid the worst problems (apart from good antivirus systems and updated applications):
1. Make sure that split tunnelling is prevented.
2. Use 2-factor authentication.
3. Give users access on a need-to-know basis..to limit the damage if security is breached.
4. If the PC is really unknown...give the users a USB stick with a separate OS on it to use when they connect.
Now you probably ask where NAC fits into this model? It does, but do not rely on it as the only thing you need..and next time you buy an access system...make sure that end point security is a part of the product.

Wednesday 29 April 2009

Compliance, compliance..compliance

I had a discussion with an analyst yesterday about virtual security. His conclusion was that it was "early days" and few people actually talked about the security risks in the virtual world. When I asked him what security issues were on managers' minds today he replied..compliance.
My reflection is that the compliance discussion is the first time that security specialists have been able to build a bridge to managers where there seems to be an understanding from both parties. Maybe this is even the first time security vendors have figured out a way of marketing security products in such a way that management can understand. Compliance is often about common sense, but sense, in order to be common, has to be communicated in the right way.
Now I just hope that we vendors will not destroy the discussion by marketing products with slogans such as "buy me and we will solve all your compliance issues...all the time..." That will erode the message fast. Vendors should learn from the experience of the discussion about SOX.

Tuesday 28 April 2009

Does Government have a role in IT-Security?

Sometimes when I listen to politicians I get the feeling that they are looking for the perfect legislation that will fix all IT-Security issues in the world...which leaves us with many frustrated politicians...as there is no easy fix. The simple fact is that the Internet is a big jigsaw puzzle and the beauty (and the cause of many problems) is that no-one "owns" the Internet. The Internet proves the existence of an "invisible hand" where many forces co-exist, each with its own purpose, to create something as fantastic as this gigantic electronic network. As in any part of life, some forces are good...some are stupid and some are evil. Funnily enough, politicians often do not realise that they have legislation in place already...there are laws against stealing...untruthful marketing and so on.
But I still think that our governments around the world have a job to do..make sure that they protect citizen data. Governments store an incredible amount of data about every citizen and they should protect our data with their lives (or at least with their jobs). Why is this different from the enterprise world? Because I can choose to do or not to do business with a company, but I cannot stop paying my taxes...(at least I have not tried).
One more thing: after they have done the job right they should share with the rest of the world how they secured our data, so others can learn from what they have done. The government is a big buyer and has more resources than most companies...and as it is our money they spend...let us make sure that we can learn from their mistakes.
Now we just have to convince them about this as well.

Friday 24 April 2009

Big Brother...or Big Mother

Sometimes I wonder when people will realise how easy it is to monitor activities on the Internet. Today I read a study about monitoring employees' e-mails. In the study most companies actually had some kind of surveillance: checking e-mails, checking where users surfed etc etc. I do not think that this comes as any surprise to anyone within the community, but every time a story like this "breaks" it seems to come as a surprise to many people. The truth is that monitoring can be done on many levels: the company you work for, the operator, the OS provider, the application provider, the search engine company, the government, to name some of them...and these are only the so called good guys..you can also add the bad guys.
In the end everybody needs to take some responsibility for their own level of security (and please do not think that you are too small or too uninteresting to be threatened), but from an organisational standpoint the monitoring possibilities create risks. The first thing to ask is whom to trust, internally or externally. Do you trust your operator, your users, your application provider etc etc? Then you have to ask yourself with WHAT do you trust your partners? Are you, as an example, willing to hand over customer-privileged information to an external cloud company? You are being watched, but there are ways to avoid unnecessary risks. Make sure that you know what you do.

Thursday 23 April 2009

More thoughts about virtualisation

At my already mentioned meeting yesterday we discussed virtualisation. If you have been reading my blog for a while you probably know that I am slightly cautious when it comes to new technologies such as virtualisation. Everybody seems to jump on new technologies without thinking about security issues...and I want everybody to think before they jump.

Here is some simple advice to minimise security risks:
1. Install a firewall to protect the server.
2. Give users only granular access. This minimises the users' access.
3. Do not virtualise applications that are really sensitive. Why? Because if another application running under the same hypervisor is insecure, that insecurity can be used to compromise the hypervisor...and then the sensitive application is unprotected.

There is money to be saved with virtualisation, just make sure to do it without compromising the security.
What I really want to say is....think first

Wednesday 22 April 2009

Thanks to an unknown person!

Today I am in Germany visiting one of my favourite customers (they know their security from inside and out..that is one of the reasons I like them). During my meeting I realised that I had lost my wallet. We did spend a fair amount of time looking for it but it was nowhere to be found. In the end we gave up and headed out of the parking area in our rented car. I was on the phone trying to call my bank etc etc when Anders (our support manager), who was doing the driving, heard a bump from the roof and in the mirror caught a glimpse of my flying wallet (or actually MY FLYING MONEY). One minute later I was running around on the motorway chasing flying money and credit cards. I think I found most of them…
I probably lost the wallet getting out of the car and a friendly person found it and placed it on the car roof.
So thank you, whoever you are, and thanks dear customer for a very interesting meeting today, and please say thanks to your receptionist for her support (she was right...it was in the car..sort of)

Tuesday 21 April 2009

New technologies create new opportunities

Sorry for just copying the press release but I think this is very interesting.

Jericho Forum Challenge winner AppGate makes information security accessible to everyone for free

AppGate’s security server, designed to provide security in an open-network environment, is now available as a free virtualized server

Stockholm, 21 April 2009 – AppGate Network Security, a leader in network access control and information security, has launched the AppGate Free Edition (AFE), a free-to-use version of the AppGate security server and part of the recently launched V9.0 family, which will be demonstrated at this year’s InfoSecurity Europe. The AFE is a fully functional, virtualized version of the AppGate security server that can run on almost any virtual platform, for example VMware. AppGate takes a different approach to information security, as advocated by Jericho Forum, and the AppGate solution is designed to address the challenges of securing data and applications in an open, Internet-driven world. With the AFE, every organisation now has access to this technology.

Organisations are dependent more than ever on use of the Internet, for flexible working for employees, collaboration with partners, and taking advantage of services in “the cloud”. While there are potentially huge benefits, there are also considerable risks. Jericho Forum, the high level independent user group that is leading the way in analysing the security issues and raising awareness, called for a new approach to information security moving away from border-centric mechanisms to enable the secure flow of data over the Internet. The AppGate solution embodies much of this thinking, moving security as close as possible to the source.

“AppGate was a worthy winner of the Jericho Forum challenge four years ago and continues to follow many of the Jericho Forum design principles, championing the cause of open source” said Ian Dobson, Director of the Jericho Forum.

“AppGate has developed a real solution to the challenge of securing IT architecture in today’s open-collaboration environment, and it runs on OpenSolaris, a UNIX-based operating system.” In AppGate's solution, the central firewall is replaced by a set of distributed firewalls that are installed on all clients and servers. These firewalls are centrally controlled and configured dynamically to allow or deny traffic on the network. Making AppGate’s security server available on the OpenSolaris operating system is consistent with its corporate rollout strategy, and AppGate regards it as the next phase of evolution in the IT security market.

“At AppGate we have always been a great supporter of the principles of open source”, says Tomas Olovsson CTO of AppGate. “MindTerm, one of our products has been available as source code and free of charge for personal and limited commercial use for many years. By launching the AppGate Free Edition we are following the same principle, giving people the unique opportunity to freely test and use the functionality of the AppGate solution even in smaller commercial environments.”

AppGate will be demonstrating the V9.0 security server at InfoSecurity Europe on stand R70 between April 28th and April 30th. AppGate won the first Jericho Forum Challenge in 2005 with a paper entitled “Balancing the Equation; Enterprises moving to the de-perimeterised world need to adopt a ‘core’ mentality based on controlled access to systems”.

As always AppGate security servers build on existing proven functionality such as:

Application Layer Firewall
Mobile & Fixed VPN
Granular & Role based Access
End-point Security Control

Monday 20 April 2009

How to cope with Twitter and Facebook from a security perspective

I have touched upon this subject before but it is worth mentioning again. As an employer you need to figure out a way to live with the likes of Facebook and Twitter. There are three alternatives; first: do nothing and create a potential security threat, second: make sure that no-one can access those during working hours and live with the fact that valuable employees will leave your organisation, or third: deal with the problem using security tools. I believe that as an employer you need to accept the fact that your employees will live a part of their life in cyberspace, and I actually do not think that that behaviour is a bad thing. The difference between "private" and "work" is now more blurred than ever. See your team’s activities on Facebook and Twitter as new marketing channels. They can be excellent tools to create loyalty to your company.
From a security standpoint this is the company version of "split tunnelling": at the same time as a user is connected to a secure internal network, the user is also connected to the outside, to an application that can be rated as unsecure. Today there are many ways to deal with this problem; last week we installed a solution that connected the user not directly to the web but through a terminal server, at the same time as they were connected to internal applications. I think that in the future we will also see more virtual instances on the PC.

Friday 17 April 2009

Pirate Bay is now Pirate Jail

I guess that everybody knows by now...Pirate Bay is now Pirate Jail (thanks Fredrik for the tip), as the founders of Pirate Bay were today sentenced to one year in prison.

Think architecture-not products

Most security products are by tradition point products targeted to solve one or (if you are lucky) two problems at a time. I have a history in networking, and every time we did anything we talked about the implications from an architecture perspective. The main purpose was to make sure that the traffic in the network was running as efficiently as possible (with as much up-time as possible).
In the security space we often seem to lack this knowledge. We gladly add new products into the network without thinking about whether they co-exist with other parts of the infrastructure. We add new mobile solutions that do not work with the authentication system, we add access systems that do not work with the LDAP system, we install BIG firewalls and leave the network open, we build a DMZ and then we let PCs connect behind the DMZ at the same time (split tunnelling...) etc etc.
So learn from the networking people and think from an architecture point of view; I bet there is money to be saved from this approach.
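Split tunnelling comes up three times on this page: as tip 1 in "The unsecure end point", as the "company version" in the Twitter and Facebook post, and as the PC-behind-the-DMZ remark above. The following is an added example, not code from this blog or from AppGate, of how a defender can check a Linux client for it: it parses `ip route show` output and uses longest-prefix lookup to find destinations that would leave the machine outside the tunnel. The interface name tun0, the gateway address 203.0.113.10 and both route tables are constructed sample values.

```python
"""Audit a Linux client's routing table for split tunnelling.

Added illustration, not code from the original blog post or from AppGate.
It parses the text output of `ip route show` (sample tables constructed
below), then checks by longest-prefix lookup, the rule the kernel applies,
whether any destination outside an explicit allow-list would be sent
around the VPN tunnel interface instead of through it.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable

# "<dst|default> [via <gateway>] dev <interface> ..." at the start of a route line.
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)")


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network  # 0.0.0.0/0 for the "default" route
    dev: str                    # outgoing interface
    via: str | None = None      # next-hop gateway, None for on-link routes


def parse_routes(text: str) -> list[Route]:
    """Parse `ip route show` output; lines that are not IPv4 prefix routes are skipped."""
    routes: list[Route] = []
    for raw in text.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if not m:
            continue  # e.g. "unreachable 10.0.0.0/8" has no "dev" field
        dst = "0.0.0.0/0" if m.group("dst") == "default" else m.group("dst")
        try:
            net = ipaddress.IPv4Network(dst, strict=False)
        except ValueError:
            continue  # e.g. "broadcast 192.168.1.255 dev eth0" from the local table
        routes.append(Route(net, m.group("dev"), m.group("via")))
    return routes


def lookup(routes: Iterable[Route], addr: ipaddress.IPv4Address) -> Route | None:
    """Longest-prefix match: the most specific route containing addr wins."""
    best: Route | None = None
    for r in routes:
        if addr in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
            best = r
    return best


def split_tunnel_findings(routes: list[Route], tunnel_dev: str, vpn_server: str,
                          allowed_outside: Iterable[str] = ()) -> list[str]:
    """Describe traffic that would bypass tunnel_dev; an empty list means a full tunnel.

    vpn_server is the gateway's public address: a host route to it over the
    physical interface is required for any tunnel to exist, so it is allowed.
    allowed_outside lists prefixes that may legitimately stay off the tunnel,
    typically only the link subnet needed to reach the physical gateway.
    """
    allowed = [ipaddress.IPv4Network(f"{vpn_server}/32")]
    allowed += [ipaddress.IPv4Network(n, strict=False) for n in allowed_outside]
    # Probe one address in each half of the IPv4 space plus both ends of every
    # prefix, so a full tunnel built from 0.0.0.0/1 + 128.0.0.0/1 passes while
    # a table that only overrides one half is caught.
    probes = {ipaddress.IPv4Address("1.1.1.1"), ipaddress.IPv4Address("198.51.100.1")}
    for r in routes:
        probes.add(r.dst.network_address)
        probes.add(r.dst.broadcast_address)
    findings: list[str] = []
    for ip in sorted(probes):
        r = lookup(routes, ip)
        if r is None:
            findings.append(f"{ip}: no route at all")
        elif r.dev != tunnel_dev and not any(ip in n for n in allowed):
            findings.append(f"{ip}: routed via {r.dev} ({r.dst}), bypassing {tunnel_dev}")
    return findings


# Constructed sample: full tunnel. The VPN gateway 203.0.113.10 is reached over
# eth0, the link subnet stays on eth0, everything else goes through tun0.
FULL_TUNNEL = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
203.0.113.10 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

# Constructed sample: split tunnel. Only the corporate 10.0.0.0/8 goes through
# tun0; the default route, and so all Internet traffic, stays on eth0.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev eth0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""


def audit(route_text: str, tunnel_dev: str = "tun0", vpn_server: str = "203.0.113.10",
          allowed_outside: Iterable[str] = ("192.168.1.0/24",)) -> list[str]:
    """Convenience wrapper: parse a route table and return its findings."""
    return split_tunnel_findings(parse_routes(route_text), tunnel_dev, vpn_server, allowed_outside)


if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        findings = audit(table)
        print(f"{name}: {'OK' if not findings else 'SPLIT TUNNELLING DETECTED'}")
        for line in findings:
            print("  -", line)
```

On a real client, feed it the output of `ip route show` and the tunnel interface and gateway your VPN client actually uses; anything it lists is traffic the blog's tip 1 says should not exist.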

Thursday 16 April 2009

Will better applications save the world?

First of all, I hope that you enjoyed your Easter...I did and therefore I have been away from my blog...

I have been involved in a discussion about how much better the world would be if all programmers could make applications more secure from the start. Apparently this would save an awful amount of money and would make all security products unnecessary. In a way I think that the notion is fairly insulting to all programmers in the world; of course there are rotten eggs in the community, but I think that most want to do a good job.

I claim that even if all applications were perfect (from a security point of view..) we would still need security applications, as the biggest problem in security is the access problem. Who, when, how etc etc should get access to information. In general it is too easy to access information.
I do not believe that it is possible for all applications to have granular access control, encrypted transmission etc. I agree that applications (and especially operating systems) could be more secure, but believing that this is the “silver bullet” to make the world more secure is fairly naïve.

Thursday 2 April 2009

Another day...another rumour

I was really expecting something interesting to happen on the first of April related to the virus that was expected to explode. I have searched for info but I have not seen any...so I have a question: are we now so good at handling viruses that we dealt with the problem...or did vendors use this threat to save their first quarter numbers?

Tuesday 31 March 2009

More about clouds...it is an interesting topic

There is one thing about cloud computing that has to be said: you have to compare your existing security level with the cloud alternative. I have seen many examples of companies that have been over-confident about their security. For companies that do not have enough competence or resources, cloud computing can actually increase the security level. Be realistic even if it hurts.
A big problem that many organisations are facing is that of compliance with various regulations. Being compliant can imply a load of new IT projects, and bringing your in-house system into compliance can be costly.
Instead, Compliance as a Service may be offered, where the service provider takes care of every requirement around the application. And the fundamental security functions such as separation, access control, authorisation, end point security etc, may now be seen as selling factors.

Monday 30 March 2009

GhostNet In The Machine

Sometimes interesting articles about security disappear due to other more important news stories, so I want to highlight this one:
http://www.forbes.com/2009/03/29/ghostnet-computer-security-internet-technology-ghostnet.html

The first time I read the story I thought it was a good plot for a Hollywood movie, but it turned out to be a real-life example of the insecurities in our world. When I grew up there was a saying in Sweden that came out of the Second World War: a spy lays a puzzle. It meant that a spy would collect little pieces of information from different sources, the same way that this computer network worked. Viewed separately the information was not very valuable, but accumulated it was indeed very valuable. The government has a responsibility in this to help private companies and organisations to defend "their piece of the puzzle". I think that governments around the world at least have to make sure that information security is a part of the public debate and to provide best practices and help with information. The problem is now too big and the “evil forces” too powerful. Government has a great tradition of helping consumers through international co-operation and regulations. Now is the time to do the same in information security.

Friday 27 March 2009

It is in the cloud

Andrew Yeomans from the Jericho Forum is a very smart person. I have had the opportunity to meet him a couple of times and he has impressed me every time. He is also the reason why AppGate (the company I co-founded) is a proud member of the Jericho Forum. I read an article today where he asked some very good questions about cloud computing.

Here is a short summary:
When you repatriate data from a cloud provider, taking it back into your own internal systems, how can you be sure that no trace of that data resides on their own systems? What leaks might exist between the cloud service back into our own infrastructure? Does the provider adhere to the same physical, logical and personnel controls that are applied to our own internal systems? What will happen if the provider goes bust?

These are all important things to consider before you jump into the cloud! If you do not have the answer….you should not take the dive.

Wednesday 25 March 2009

You pay too much for your insecurity

I am the first to admit that it is hard to calculate ROI on security investments, but that should not prevent us from making sure that we get as much security as possible out of every invested dollar.
The first thing to realise is that every investment consists of two parts, the initial investment and the running cost...and that the running cost is usually much higher than expected. Why? Because in most calculations the small factor "time spent" is left out.
Think about it for a second: if you have many different specialised products installed they all have to be maintained, patched, connected etc etc, but I guess that most of the products probably did not cost that much, so the investment cost was low.
Why do I talk about this subject now? Because now is the perfect time to look over the real cost of running our security infrastructure...because we all need to save costs now.
I thought about this today when I got a new customer (take this as a tip rather than pure marketing) and he pressured me to let him pay over an extended time period as the cost saving became visible. (I have some explaining to do to my sales person now....) In the end I thought it was a good deal for both of us…he did not have to pay that much money up front..and I got a new customer.
The customer replaced his old mobile email system and his SSL VPN, and re-built his DMZ.

Thursday 19 March 2009

What is sufficient security?

I had a conversation with a partner yesterday about which level of security is sufficient. The first question is of course how to define a security level. I often hear people say things like "we accept having a sufficient level of security rather than a high level of security". Then they often add "we are not a bank and we do not need that kind of security". Every time I hear this I take a deep breath because I know I have a long discussion ahead of me. The sad thing is that most people who talk about sufficient security do not have a clue how to define security whatsoever.
I claim that in its simplest form security is digital: either you have it or you do not. On the other hand, any given environment is a complex beast, so from an architectural point of view total security is hard to achieve. So there is a need to compromise between the need for protection and what is possible. The only way to achieve a "sufficient security level" is to investigate which information is the most vital for the company...and manage the access to that information. If the information is less sensitive then more access can be granted (less security). If you do not do this you do not have a clue whether your security level is sufficient (or insufficient).
Conclusion: It is not about which security system you buy, it is about what you want to protect and from whom.

Wednesday 18 March 2009

More about cloud computing

Yesterday we had a board seminar about strategy. We do that every year to discuss what we believe will be the biggest market trends during the coming year and how we as a company should react to them. One of the things we discussed was of course cloud computing and the security implications of this "new" trend. It was an interesting discussion, as it turned out that the biggest security concern was not really technical. The biggest concern was trust. How do we know if we can trust the supplier? Do they have the right infrastructure, can we trust their staff, how stable are they from a financial perspective, what will the level of support be, etc etc? The one "can we trust their staff" was highlighted many times in our discussion.
I think that the discussion summarised a trend that I have seen elsewhere: customers in general are more critical of new hypes and now have the knowledge to ask the right questions. When large companies sign outsourcing contracts they almost do a due diligence of the suppliers. Maybe everybody should do the same when the application is business critical.

Friday 13 March 2009

Again: the internal security threat

I have been actively involved in the IT-security market for almost 15 years and during this time the issue of the internal security threat has been brought up many, many times. I recently read a story in DarkReading (http://www.darkreading.com/insiderthreat/security/vulnerabilities/showArticle.jhtml?articleID=215801195&cid=nl_DR_WEEKLY_T) about insider threats. A question comes to my mind: why is this still an issue? The answer is actually simple: the technology that builds today’s security architecture does not do the job. Most solutions are built around the notion of the existence of an inside and an outside. Please repeat after me...there is no difference between the inside and the outside anymore. Security solutions have to be built according to a model where users only have access to information “on a need to know basis” REGARDLESS of where they happen to be for the moment (and according to how secure the device is etc etc). Today’s IT environment is far too complex and users too mobile for an inside/outside model.

Thursday 12 March 2009

The one problem at a time problem...

My wife tells me that as a man I have problems focusing on more than one thing at a time. The IT industry consists mostly of men (unfortunately) and (if my wife is right) that explains why we seem to concentrate on one security issue at a time...and then we solve one security problem at a time with a point product. When I grew up and bought my first stereo I learned that there was no need to buy the best speakers in the world if I could not afford to buy the best receiver. The quality of the output would never be better than the most inferior part of the system. The same applies to security systems; why have the best firewall in the world if you do not have an authentication system, what is the use of an authentication system if you do not have an access management system, what is the use of having all that and then you open ports in the firewall for uncontrolled access to email on mobile phones etc etc? The sad truth is that if there is a hole in your defence, an attacker will find it and exploit it..it is only a question of time.

Conclusion: Do not solve security problems "one problem at a time"; to be secure you need to have a holistic view of the problems and make sure that the need for security is balanced with the TOTAL cost and the needs of the operations. Otherwise you will end up with a good fence but a lousy door.

Tuesday 10 March 2009

Security: what are we looking for?

I got a question from a reader of my blog. He wanted me to define the different aspects of security in layman's terms. Here is a definition I often use, where I divide security into three components: Integrity, Availability and Secrecy. (Others sometimes use other words to describe the same thing.)
Availability: I define this as the system's ability to give service to authorised users. The information users need should be available when the users have the need. For companies that are dependent on the Internet as a source of income, availability is a major concern.
Secrecy: The system's ability to provide access to information or services only to identified and approved users on a need to know basis.
Integrity: The system's ability to maintain the "correctness" of the information. How do you know whether the information has been tampered with?
Different organisations will value these factors differently and therefore it is hard to compare security solutions between different organisations. Added to that, different organisations have different threat levels to live with.
There are more factors that can be taken into account but I think that these are the most important ones.

Wednesday 4 March 2009

Who can you trust?

I am supposed to give a speech in a couple of days about how to recognise who you cannot trust...these will be the highlights.
There is a difference between trusting people in ordinary life and trusting people from a security system standpoint. Why? Because on the Internet you will never know the people who try to access your system. If the systems are accessible to the people you know (and trust) they are open for everyone else as well...and can you really trust everybody you know...and do you really know them?
Think about it for a while: even if you trust everyone who works for you, you have to build a security system that protects you from the people that you do not know. If you do this properly you will end up with a system that also protects you from actions by people that you thought you could trust.
Conclusion: Forget the discussion about who; you have to treat everybody equally.

Monday 2 March 2009

How to know what to protect...and from whom?

The most common way is to start an investigation (often with the help of external consultants) and then classify the information according to some kind of policy.
I would propose an alternative (slightly drastic) strategy: close down access and then ask the question: who needs this information to be able to perform their job? In general people have access to too much information, and by asking this simple question a pattern of which information is vital emerges quickly. (Only the ones who need it will be angry and call…)
This way we treat all information as "secret" and we differentiate based on the user, which is much easier. I can give you an example from real life: a company I worked with a while back (a consultancy company) started to lose people to a competitor. It turned out that a hired resource in the reception copied the whole internal phone register and the calendar (where it was possible to see where a consultant spent his or her time, which customers they visited etc etc) and gave it all to her boyfriend...a headhunter. This was of course not legal, but I doubt anyone will go to jail for it. Did the receptionist need to see where a consultant spent their time through the internal calendar system?..of course not.
Conclusion..lock everything down..and give access on a need to know basis only.

Friday 27 February 2009

Confirmed...Cloud computing is still just a hype...

I read an article yesterday regarding a study in Sweden. The study was about companies' intentions to start using so called cloud computing. The definition of cloud was set to resemble buying applications as a service. I still wonder what the difference is, from a business perspective, between outsourcing, ASP and the cloud...but I guess I am un-educated in this matter.
The study showed that most companies were not interested in entering this market until (and this makes me really happy..) they could feel confident about security and reliability.
Maybe we now start to see the shift that I have been waiting for where security is treated as a part of the business process inside a company instead of a technical issue that has to be fixed at the end. I will celebrate tonight....

Thursday 26 February 2009

Will Nokia enter the PC market?

Nokia's CEO has revealed that they are at least considering that option. This is proof that the difference between the "mobile world" and the "PC world" gets more and more blurred. A practical aspect of this is that security applications need to be developed independent of the platform. I see this as an end for all the mobile specialist applications such as simple push technologies. Why not use a proper and secure VPN for access from mobile phones instead of inventing something that only solves the "mobile problem"? We need to treat access from mobile phones the same way as we treat all access...and there is no better way to do that than to use a proper VPN with 2-factor authentication, encrypted and compressed traffic, NAC and granular access. Why invent another “silo” instead of building on technologies that already work?

Wednesday 25 February 2009

Invitation to an important event!

AppGate has a close relationship with Sun; among other things we use OpenSolaris as the OS when we deliver our solutions. We also work closely together developing solutions for different industries, and now you can join a webinar to learn more about what we have done together.

Join us for a live web event to see how government agencies are protecting data regardless of device

Security for a Mobile Workforce
Register Now
http://www.government-webevents.com/

* * *
The world is changing and so is how we work. Technology has provided great opportunities to take traditional desk jobs into the field to be more efficient and effective. The challenge lies in how to develop a secure, unified approach to managing an IT infrastructure with so many access points.

Today's Government agencies need to provide secure communication between different regions. Information of all government agencies, civilian, intelligence and defense, must be absolutely protected. But implementing it may be harder than it seems.

Join industry leaders from The 451 Group, Sun Microsystems, and AppGate Network Security for this informative web event and you will learn:

* The driving factors behind a growing mobile workforce in government

* The benefits - and pitfalls - of solutions on the market today

* Successful methods of protecting government services from unauthorized access, regardless of device

Live web event
March 12 at 8:00 am PT
REGISTER TODAY:
http://www.government-webevents.com/

Monday 23 February 2009

Security is a balance between cost, value of information and the threat level.

Another thought from the conference last week: why do we always see security as a technical problem? At least we always talk about it from a technical perspective and we want to solve everything with more products. I believe that before you even consider what equipment to buy there are three important things to consider:
1. A proper security policy.
Without a security policy no one knows what to protect and from whom. If there is a breach in security no one will know how to react or how to repair the damage. Policies and procedures go hand in hand.
2. Balance between cost and benefits
An important aspect of security is that the cost of the security solutions must be proportional to the threats and to what you want to protect. The best way to achieve this is to investigate which assets you have and which threats you can foresee. The next step is to do a threat analysis covering what happens if there is a security breach. Based on this analysis it is possible to grade the different threats and choose the protection that is needed from what is sound from a financial standpoint. The goal is to find a balance between the costs for security (money, flexibility etc) and the value of the information. The higher the value of the information and the higher the threat level, the higher the investment needed. The equation works the other way around as well; high value but low threat level…lower cost.
Do not forget the users in this process; in the end they need to be able to work with the systems.

3. If 1 and 2 are fixed, security can lead to increased revenue and lower costs.
If you have control over more things, more things will be possible to achieve. More users can get mobile access, partners and customers can get access to internal information etc etc. Good security implemented in the right way can be a way to compete with other companies.
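As an added illustration of step 2 (not from the original post), here is how the grading and the cost/benefit balance can be carried through on constructed sample figures in Python. The asset values, yearly rates, exposure factors and control costs are assumptions made up for the example; the point is the method, which ranks threats by expected yearly loss and keeps only the controls that remove more loss than they cost.

```python
"""Threat grading and cost/benefit control selection.

Added example, not from the original post. The assets, threats and
controls below are constructed sample figures, not real data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float          # assumed loss if fully compromised (currency units)


@dataclass(frozen=True)
class Threat:
    asset: str            # Asset.name this threat applies to
    name: str
    annual_rate: float    # assumed expected occurrences per year
    exposure: float       # assumed fraction of the asset value lost per occurrence


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float    # money plus an estimate of lost flexibility
    reduces: Dict[str, float]   # threat name -> fraction of expected loss removed


def annual_loss(asset: Asset, threat: Threat) -> float:
    """Annualised loss expectancy: value x exposure factor x yearly rate."""
    if not 0.0 <= threat.exposure <= 1.0:
        raise ValueError(f"exposure must be in [0, 1]: {threat}")
    return asset.value * threat.exposure * threat.annual_rate


def grade_threats(assets: List[Asset], threats: List[Threat]) -> List[Tuple[str, float]]:
    """Rank threats by expected yearly loss, highest first."""
    by_name = {a.name: a for a in assets}
    graded = [(t.name, annual_loss(by_name[t.asset], t)) for t in threats]
    return sorted(graded, key=lambda row: row[1], reverse=True)


def select_controls(assets: List[Asset], threats: List[Threat],
                    controls: List[Control]) -> List[Tuple[str, float]]:
    """Keep only controls that remove more expected loss than they cost.

    Each control is judged on its own; overlapping controls are not
    netted against each other (a simplifying assumption). Returns
    (control name, yearly net benefit), best first.
    """
    loss = dict(grade_threats(assets, threats))
    chosen = []
    for c in controls:
        removed = sum(loss.get(t, 0.0) * frac for t, frac in c.reduces.items())
        if removed > c.annual_cost:
            chosen.append((c.name, round(removed - c.annual_cost, 2)))
    return sorted(chosen, key=lambda row: row[1], reverse=True)


# Constructed sample data: a high-value asset and a low-value one.
ASSETS = [Asset("customer database", 2_000_000), Asset("public website", 50_000)]
THREATS = [
    Threat("customer database", "insider data theft", annual_rate=0.2, exposure=0.5),
    Threat("customer database", "ransomware", annual_rate=0.1, exposure=0.8),
    Threat("public website", "defacement", annual_rate=2.0, exposure=0.1),
]
CONTROLS = [
    Control("per-user access control with 2-factor auth", 40_000,
            {"insider data theft": 0.6, "ransomware": 0.3}),
    Control("web application firewall", 25_000, {"defacement": 0.9}),
]

if __name__ == "__main__":
    for name, ale in grade_threats(ASSETS, THREATS):
        print(f"{ale:>12,.0f}  {name}")
    print("worth buying:", select_controls(ASSETS, THREATS, CONTROLS))
```

With these figures the access control pays for itself several times over, while the firewall for the low-value website costs more per year than the defacements it would prevent: the "high value, high threat, invest more; low value, spend less" rule from the post, made explicit.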

Thursday 19 February 2009

I attended a security conference in Brussels today

As always some of the most interesting topics were discussed at the lunch break and as a result I came away with some interesting thoughts. The first one made me feel slightly old...
Thought 1: The change in technology has changed the concept of privacy. I can actually relate to this as my teenage daughter and I have very different views on privacy. We had a discussion in our family about having a family "web page" and I strongly opposed that. I do not want to share everything I do with my family with people I do not know. Then came Facebook..which is my daughter's lifeline to her friends, where she shares pictures and thoughts about everything...and chats away with her friends in a way that I would never do. My daughter has adjusted her sense of privacy to the change in technology much better than I have done. For us in the security business this change of view will change how we develop products and how we build processes for security. Today many companies and organisations solve the issue by simply prohibiting people from using Facebook at work. I wonder if the younger generation will accept that or will they take their talent and their skills to a company that makes it possible for them to live their "cyber life" the way they are used to?
Thought 2: During the conference someone claimed that in a study amongst the 100 biggest organisations in Europe 80% of data breaches were due to so-called super-users. Examples of super-users were CEOs and other managers. Talk about leading by example... If this is true (and I have no reason to expect that it is not) we that work with security have failed...We need to get the message across that security breaches cost money and that companies can go down the drain if the XXX hits the fan. We need to stop talking about security in technical terms and start talking in a way that makes goodwill-sensitive number crunchers understand what we talk about.

Monday 16 February 2009

For us this is a fun day...

It has taken longer than expected (what does not...?) but today we at AppGate finally launched the public beta of AppGate Free Edition. AFE is what it says..a free version of the AppGate Security Server; I think it is the first time anyone has launched such a comprehensive security solution for free.

Have a look at it (or even better; try it out), let me know what you think!

Wednesday 11 February 2009

Cybercrime criminals get more advanced

According to an article from the BBC (http://news.bbc.co.uk/2/hi/technology/7797280.stm) cybercriminals seem to have avoided the layoffs during the financial crisis. Instead they increased their activities during 2008..to the surprise of no-one. Now everybody in the industry will tell everybody that wants to listen how their (the security vendors') product will chase away all the bad guys and solve all your problems. That is not often the case, by the way.
First things first....the problem is real for everyone. Unprotected data will be stolen, money will disappear from your bank account and your credit card will be used by others. I met a potential customer a while back that had its source code stolen and was now being blackmailed. The thieves said that if the company would not pay they would post the source code on the Internet.
BUT the solution is not to go and buy a new point security solution; instead (and this is starting to be a theme in this blog)...validate what to protect...and who should be able to access what...and then use solutions that support your business. I bet that companies that use this model will end up with a very different security architecture than the one that is based on today's firewall..."we trust people on the inside...but no-one on the outside" model.

Tuesday 10 February 2009

Mobile security is a big concern for everyone

I read a report today by Telenor that talked about organizations' concerns about mobile security...or to put it the other way around...the lack of mobile security and how it prohibits implementations of true mobility.
I know that I am biased in this matter as we at AppGate sell a system that treats all access in an equal way regardless of the device..but it also happens to be what I believe in.
The basic problem is the same: who is the user (always use strong 2-factor authentication), what should he or she access, how secure is the device etc etc? It is not about emails on mobile phones anymore; now we can access the Intranet, business applications etc etc as well.
Funny enough, when people talk about mobile security they talk about encryption of mobile phones or remote wipe (both things now come as standard in most Nokia business phones) instead of talking about the access problem. Many companies have not realized that they can use proper VPNs to connect to the phone instead of simple push technologies.
So my simple conclusion…make a business decision about who should be able to access what information…and then buy a system that handles all access….on mobile phones…PC…Mac…Linux…..on all types of networks…on the inside….or the outside….

Monday 9 February 2009

Can you trust your friendly security vendor?

I had an interesting discussion earlier today with a customer about which security problems exist in real life...and which ones security vendors invent in order to sell more security solutions. His argument was based around all the "reports" about virus attacks on mobile phones. From time to time there are reports that NOW everybody needs antivirus software on mobile phones because NOW there will be a lot of viruses that will attack your mobile phone. He claimed that NOW has been going on for the last three years and we are still waiting for it to happen.
In a way I guess he is right; this happens in all industries. In my hometown Stockholm a couple of years ago there was a company that removed graffiti from trains...as it turned out they hired some local "artists" that painted trains in the evenings to make sure that they had business continuity.
I agree that some security issues are really not that important for all customers, but in order to avoid problems companies and organisations need to start from the right angle... and that is not to figure out which security system to buy as the first order of business. The simple answer is to find out which information should be protected and balance the cost of protecting it against the business needs. Then it is possible to discuss how to protect the information and from whom. The last thing to do is to go and buy a security solution.
So if you are a manager and your security people want to buy a new security solution...ask for a threat/business analysis or, even better, make it together with them. This way it will probably be easier for everybody.

Sunday 8 February 2009

IT security during the financial recession

A sad fact when a company has to ask people to leave is that many times important information goes out the door at the same time. It is only natural that people that lose their jobs get frustrated and many times angry and blame everything on the company. When they leave, they leave in anger and take customer lists, software and other "secret" information with them. To ask someone to leave is often hard and it is even worse to be on the other side. The situation does not create an environment for dialogue but it is still important to inform employees about the rules for stealing data and assets from the company.
It is essential to have routines for access for ex-employees and procedures to follow, as many companies have several different systems for access. Make sure that there is someone who is responsible for discontinuing access rather than having separate departments handling it. Make a register of all the different types of access (SSL-VPN, internal systems, mobile access, IPsec...etc etc..and next time buy a system that handles all types of access..).
I often get the question if I do not trust people and my answer is that I do. I just want to be able to present to my customers different alternatives so they can make the decisions. After all, they are the ones who know their employees best. Most companies I work with really hate to be in a situation where they have to ask people to leave and they try to do their best, but the financial crisis gives them no choice. I know that most people understand this but there are rotten eggs out there and unfortunately we need to make sure that they do not do any damage.
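An added example (not from the original post) of the reconciliation that such a register makes possible: the HR leavers list is checked against the account export from every access system, and a second check finds enabled accounts that nobody in the register owns, which is the access nobody will remember to revoke. All persons, systems, account names and dates are constructed sample data.

```python
"""Reconciling HR leavers against every access system.

Added example, not code from the original post. The register, the
system exports and the dates are constructed sample data.
"""
from datetime import date
from typing import Dict, List, Tuple

# Register of access: person -> {system: account name in that system}.
# Account names differ per system, which is exactly why a register is needed.
REGISTER: Dict[str, Dict[str, str]] = {
    "alice": {"ssl-vpn": "alice", "crm": "alice"},
    "bob": {"ssl-vpn": "bob", "ipsec-gw": "bsmith",
            "mobile-access": "bob.smith@example.com"},
    "carol": {"ssl-vpn": "carol", "crm": "carol"},
}

# Exports from each access system: system -> {account: enabled?}
SYSTEM_ACCOUNTS: Dict[str, Dict[str, bool]] = {
    "ssl-vpn": {"alice": True, "bob": True, "carol": False},
    "ipsec-gw": {"alice": True, "bsmith": True},
    "mobile-access": {"bob.smith@example.com": True},
    "crm": {"alice": True, "carol": True, "svc-report": True},
}

# HR feed: person -> last working day
TERMINATED: Dict[str, date] = {"bob": date(2009, 1, 30), "carol": date(2009, 2, 3)}


def find_orphans(terminated: Dict[str, date], register: Dict[str, Dict[str, str]],
                 system_accounts: Dict[str, Dict[str, bool]],
                 today: date) -> List[Tuple[str, str, str, int]]:
    """Accounts still enabled for people HR says have left.

    Returns (person, system, account, days since leaving), sorted so the
    report is stable from run to run.
    """
    findings = []
    for person, left_on in terminated.items():
        for system, account in register.get(person, {}).items():
            if system_accounts.get(system, {}).get(account, False):
                findings.append((person, system, account, (today - left_on).days))
    return sorted(findings)


def unregistered_accounts(register: Dict[str, Dict[str, str]],
                          system_accounts: Dict[str, Dict[str, bool]]) -> List[Tuple[str, str]]:
    """Enabled accounts that no person in the register owns.

    Nobody will revoke these at offboarding, so each needs an owner or removal.
    """
    owned = {(system, account) for accounts in register.values()
             for system, account in accounts.items()}
    return sorted((system, account)
                  for system, accounts in system_accounts.items()
                  for account, enabled in accounts.items()
                  if enabled and (system, account) not in owned)


if __name__ == "__main__":
    today = date(2009, 2, 8)
    for person, system, account, days in find_orphans(TERMINATED, REGISTER,
                                                      SYSTEM_ACCOUNTS, today):
        print(f"REVOKE  {system}:{account}  ({person} left {days} days ago)")
    for system, account in unregistered_accounts(REGISTER, SYSTEM_ACCOUNTS):
        print(f"UNOWNED {system}:{account}")
```

Run as a scheduled job with real exports, the first list is the revocation work queue for the one person made responsible, and the second list is the measure of how complete the register actually is.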

Monday 2 February 2009

What is the most important aspect of security?

I had a conversation earlier today about what really is the most important aspect of security. Is it to protect the PC from viruses, to encrypt all communication or to encrypt all hard drives? From listening to the marketing messages from different vendors it is hard to know. I would say that they are all important but the most important thing is access control. It is essential to know who has the right to access what and under what circumstances; without that there is no security. In general people have too much access, which is strange; even highly trusted employees do not usually get keys to the safe.
Here are things that you should always be able to determine before someone is granted access:

* Who the user is (strong authentication)?
* What device is used and how secure is it?
* Which access should the user have?
* Where is the user (on the inside or the outside)?

Everything is linked and a weak point will be breached, but with strong control of access many things can be avoided.
One more thing: this has the effect that all applications have to be secured and locked individually. There needs to be a lock on the door, so to speak.

AppGate and jetlag

One of my friends (who is one of the best security experts I know) has his own blog where he has written a good story about his sleeping problems...and AppGate.

http://blogs.sun.com/gravax/entry/jet_lag_and_appgate

Friday 30 January 2009

Certifications...trick or treat?

AppGate has customers in 22 countries and a customer base that includes almost all types of customers, from defence to car manufacturers. The difference in security knowledge between the customers is sometimes really scary. I can understand why; to keep up with the "latest and greatest" in security is not an easy task. One thing that often strikes me is that people who know security often ask for certifications and people who have limited knowledge seldom ask for them. In my opinion it should be the other way around....Certifications are good if you do not have the time, money or knowledge to test a security product.
When it comes to cars, they are thoroughly tested before they can be delivered to customers; certifications are the closest thing we have in IT security.

I am aware of the criticism against certifications, such as that they slow down the development process..sometimes I think that is not a bad idea. The industry is expert at shipping untested and insecure solutions...and then spending years sending out security fixes.

Wednesday 28 January 2009

Where to put the defence in a company with no borders

In my previous blog I discussed the problem that companies no longer have a clear border to the world. I think that our CTO at AppGate, Tomas Olovsson, summarizes the problem very well in only one sentence. He says, " There are people on the inside that cannot be trusted and people on the outside that should".
How do you solve this fundamental problem? The answer is to move the security in two directions (from the perimeter...usually the company firewall): closer to the users and closer to the applications. The device should be secured and checked for access, and a firewall should be placed close to the applications (the access system and the firewall should be part of the same system).
All traffic between the user and the application should always be encrypted and all access should be granted on an individual basis.
Users should only be able to access information they need...and nothing else. The interesting thing is that now the difference between the outside and the inside disappears. This also increases the possibility to enforce access policies such as: which users should be able to access information on which platform? Where should the user be located? What time of day? etc etc. From a legal standpoint this makes it possible to conform to laws and regulations such as SOX.
This sounds easy but one of the problems of today is that most vendors do not like this architecture, as it would sell fewer boxes....
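As an added example, not code from the original post or from AppGate, the following Python turns the four questions from the 2 February post (who, which device, which access, where) and the policy conditions above (platform, location, time of day) into a default-deny, per-request decision that returns the reason for every denial. Roles, resource names, the posture flag and the sample policy are assumptions made for the illustration.

```python
"""Per-request access decision over the factors discussed in the post.

Added example, not code from the original post or from AppGate. Rule
fields, role names and the sample policy are assumptions made for the
illustration; nothing here is drawn from a real product.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

ALL_PLATFORMS = frozenset({"windows", "mac", "linux", "phone"})
ANYWHERE = frozenset({"inside", "outside"})


@dataclass(frozen=True)
class Request:
    user: str
    roles: FrozenSet[str]
    auth_factors: int        # 1 = password only, 2 = password plus token
    device_managed: bool     # device was checked by the access system
    platform: str
    location: str            # "inside" or "outside" the office network
    hour: int                # local hour, 0-23


@dataclass(frozen=True)
class Rule:
    resource: str
    roles: FrozenSet[str]
    min_factors: int = 2
    managed_only: bool = True
    platforms: FrozenSet[str] = ALL_PLATFORMS
    locations: FrozenSet[str] = ANYWHERE
    hours: Tuple[int, int] = (0, 24)   # half-open [start, end)


# Constructed sample policy. The same checks apply inside and outside the
# network; a rule may narrow the location but being inside grants nothing.
POLICY: List[Rule] = [
    Rule("erp", frozenset({"finance"})),
    Rule("crm", frozenset({"sales", "contractor"}), hours=(7, 20)),
    Rule("admin-console", frozenset({"sysadmin"}),
         platforms=frozenset({"linux"}), locations=frozenset({"inside"})),
]


def evaluate(req: Request, resource: str, policy: List[Rule]) -> Tuple[bool, List[str]]:
    """Default deny: access needs a rule for the resource and one of the user's
    roles, and every condition of that rule must hold. Returns the decision
    and the reasons, so a denial can be logged and explained."""
    candidates = [r for r in policy if r.resource == resource and r.roles & req.roles]
    if not candidates:
        return False, [f"no rule grants {sorted(req.roles)} access to {resource}"]
    reasons: List[str] = []
    for rule in candidates:
        failed = []
        if req.auth_factors < rule.min_factors:
            failed.append(f"needs {rule.min_factors}-factor authentication")
        if rule.managed_only and not req.device_managed:
            failed.append("device not checked by the access system")
        if req.platform not in rule.platforms:
            failed.append(f"platform {req.platform} not allowed")
        if req.location not in rule.locations:
            failed.append(f"not allowed from {req.location}")
        start, end = rule.hours
        if not start <= req.hour < end:
            failed.append(f"outside allowed hours {start:02d}-{end:02d}")
        if not failed:
            return True, [f"granted by rule for {sorted(rule.roles)}"]
        reasons.extend(failed)
    return False, reasons


if __name__ == "__main__":
    anna = Request("anna", frozenset({"finance"}), 2, True, "phone", "outside", 10)
    print(evaluate(anna, "erp", POLICY))            # allowed from outside on a phone
    print(evaluate(anna, "admin-console", POLICY))  # denied: no rule for her role
```

Note that the finance user on a phone outside the office is allowed, while the same user on an unmanaged device inside the office is not: the decision is made on the user, the device and the circumstances, not on which side of the firewall the packet arrived from.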

Tuesday 27 January 2009

Where is the perimeter?

Life was much simpler a couple of years ago when you went to work in the morning, home in the evening and the words "remote access" were non-existent. I can still remember (yes...I am that old) when the company I worked for got access to the Internet for the first time. We did not even think about the perimeter because we installed a firewall at what we thought was the edge. But what is the situation today? We cannot see an organisation as an island anymore; everyone is a part of a gigantic ecosystem with a never-ending, increasing demand for fast access. We work closer with our customers and partners, our staff is more mobile and there are more devices that are connected to the Internet. The difference between "private" and "corporate" devices is also blurred. We answer private e-mails and surf on the Internet on our company PC; we want to read company emails on our private PC at home etc etc. Add the smartphone into the equation and things start to be really complicated.
So now back to the original question: where is the perimeter of the company? The answer is simple; the edge is at the user, so the perimeter is at the mobile phone, the home user or the external consultant who accesses the network from wherever they are. The funny thing is that most companies treat the firewall as the edge, the same security model as we used when we installed the Internet 20 years ago.
We need to implement a new architecture for security that takes into account that the world has changed, despite what the big firewall vendors tell us.

Monday 26 January 2009

Firefox now has more users than Explorer!

A couple of weeks ago we launched our new web forum at AppGate (http://forum.appgate.com/) and I recently had a look at the web statistics. Firefox now leads with 45% against 39% Explorer users. Now I have to admit that AppGate is not the most visited web site in the world but we have some fairly interesting visitors (and customers..). One of the reasons why people visit our web site is Mindterm, one of the world's most used Java SSH clients, which we give away for free for non-commercial use. You can find Mindterm users everywhere but one important user group is students..and according to our web stats they now favour other operating systems than Windows. We see this trend also among our ordinary customers, from almost 100% Windows to a much more blended environment (Mac, Linux etc), which also includes mobile phones. There are probably lots of reasons for this trend but one of my customers gave me an interesting insight into the future. They reasoned that if they want to attract the new generation to come and work for them they need to have an IT infrastructure that suits the needs of the "next generation". That meant that handing over an "old PC" would not be sufficient in the future and talented people would go somewhere else.

From a security standpoint this is of course interesting as many security products are platform or OS dependent, and having even more point products will increase costs and decrease security. I think the future will be interesting…

Friday 23 January 2009

A typical example of the financial downturn

I have been away for a while so I have not been able to update my blog. One of my travels included a trip to Germany where I needed to rent a car to be able to get to my customer. Usually I always go for the cheapest car but this time (despite the fact that I had pre-booked one) there were no cheap cars available. The poor girl at the rental firm excused herself by telling me that she had never been out of "cheap" cars before. Instead she offered me (for the same price of course) an MB S 350 L...a car that makes the Hummer look shy. It also had some practical consequences...such as: it took me almost 50 km to figure out how to start the radio. The car was also equipped with necessities such as a fan in the seat, a radar that prevented me from running into the car in front at night, and night vision. The fan was really fun; every time I went into a right-hand corner the right side of my seat was blown up (and vice versa) to prevent me from falling out of the chair. The downside was of course the amount of petrol it used (you need your own oil company to run it) and it took two parking spaces.

What does this have to do with IT security then...not much, but two things come to my mind: products get more and more functionality (fewer point products..) and what would happen if a car like that got hacked?

Tuesday 13 January 2009

Who is responsible part 3?

I guess that you have read about the hacker that got a 30-year sentence for hacking TJX Maxx. That has got to be the longest sentence ever for a hacker. But there is an aspect of that story that is often forgotten. The company got busted as well, owning up to potential liabilities of $118 million. It would have been cheaper for them to invest in some knowledge and systems for proper IT security. The U.S. government is also looking to change the system so they can fine a company for this kind of bad behaviour. In a way this is good news for all struggling IT managers out there trying to find time and space with their managers to talk about IT security issues..and as I always say…it is always the management of the company that is responsible.
http://www.networkworld.com/news/2009/010809-tjx-maxx-hacker-banged-up.html

Thursday 8 January 2009

Increased control..is that really useful?

After the last financial meltdown (in the beginning of 2000 and the years after) many countries including the U.S. sharpened the regulations for companies and financial organizations. We usually call those regulations "SOX" or in Europe "Euro-SOX". In simple terms this is done by controlling who does what, giving individual access instead of general access and having a clear "chain of command". There should always be someone who is responsible. (I know I oversimplify the whole thing now..)
When these regulations came, the common belief was that they would prevent companies from overstating their assets or lying about their revenue, in the end protecting shareholders and others that had a stake in the company.
I do not think that I would anger anyone by claiming that it did not prevent the worst financial crisis ever….
Maybe the regulations added to the problem by giving a false sense of security. Everybody has been compliant with regulations but no one has used common sense.
My conclusion is simple: there is no safe "system" without common sense. To be able to be sensible you need to be trained and have the knowledge of how to handle crises. This is the responsibility of the management. This goes for IT-related crises as well; they cannot be handed over to the IT people for no-one else to worry about.
I wonder if all the consultancies that have sold SOX training now will start to sell “common sense” training instead. That could be fun to listen to.

Wednesday 7 January 2009

Today I am frustrated...

I have spent the day helping a customer to write a new security policy. In that policy there was a section about how new security functions should be security cleared before they were released. The thinking behind this was to shorten the time for testing and implementation.
Other parts of the policy included a definition of what needed protection and why, who should have access to the information and under which circumstances. In this company everything related to their customers is regarded as extra sensitive. This comes as no surprise as this is a company in the service sector and their relationship with their customers is the only real asset they have. They would lose a lot of business if their customers' secrets were revealed.
Now the reason for my frustration…during the meeting the CFO of the company came into the meeting, all fired up. He had attended a seminar about “cloud computing” and now he had seen the light. Out with the old…bring in the new….
It was fairly easy to see that this "brand new" idea was not really in line with their security policy. I would call it stupid to outsource this information, but then I do not trust anyone…and WHY do we always jump on the latest ideas…without thinking about the security implications? Now they have an internal battle with the CFO, who thinks that security people do not understand the reality of business…and security people who think the CFO is a moron.
My tip of the day….always ask outsourcing companies for SLAs and their security policies.