Friday 30 January 2009

Certifications...trick or treat?

AppGate has customers in 22 countries and a customer base that includes almost all types of customers, from defence to car manufacturers. The difference in security knowledge between the customers is sometimes really scary. I can understand why; keeping up with the "latest and greatest" in security is not an easy task. One thing that often strikes me is that people who know security often ask for certifications, and people who have limited knowledge seldom ask for them. In my opinion it should be the other way around....Certifications are good if you do not have the time, money or knowledge to test a security product yourself.
Cars are thoroughly tested before they can be delivered to customers; certifications are the closest thing we have to that in IT security.

I am aware of the criticism against certifications, such as that they slow down the development process..sometimes I think that is not a bad idea. The industry is expert at shipping untested and insecure solutions...and then spends years sending out security fixes.

Wednesday 28 January 2009

Where to put the defence in a company with no borders

In my previous blog I discussed the problem that companies no longer have a clear border to the world. I think that our CTO at AppGate, Tomas Olovsson, summarizes the problem very well in only one sentence. He says, "There are people on the inside that cannot be trusted and people on the outside that should".
How do you solve this fundamental problem? The answer is to move the security in two directions from the perimeter (usually the company firewall): closer to the users and closer to the applications. The device should be secured and checked before access is granted, and a firewall should be placed close to the applications (the access system and the firewall should be part of the same system).
All traffic between the user and the application should always be encrypted, and all access should be granted on an individual basis.
Users should only be able to access the information they need...and nothing else. The interesting thing is that the difference between the outside and the inside has now disappeared. This also makes it possible to enforce access policies such as: which users may access information from which platform, from where, and at what time of day? From a legal standpoint this makes it possible to conform to laws and regulations such as SOX.
This sounds easy, but one of the problems today is that most vendors do not like this architecture, as it would sell fewer boxes....
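To make the architecture above concrete, here is an added illustration (not AppGate's code) of a deny-by-default access evaluator that checks the device posture, requires encryption, and grants each user access to one application at a time under platform, location and time-of-day conditions; the rules, users and application names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import time

# Constructed sample: one rule grants one user one application, subject to
# context conditions. Anything not explicitly granted is denied.
@dataclass(frozen=True)
class Rule:
    user: str
    application: str
    platforms: frozenset = frozenset()   # empty = any platform
    locations: frozenset = frozenset()   # empty = any location
    window: tuple = (time(0, 0), time(23, 59))  # allowed time of day

@dataclass(frozen=True)
class Request:
    user: str
    application: str
    platform: str
    location: str
    at: time
    device_checked: bool   # device posture check passed at the user's edge
    encrypted: bool        # user-to-application channel is encrypted

def evaluate(rules, req):
    """Return (allowed, reason). Allowed only if some rule fully matches."""
    if not req.device_checked:
        return False, "device failed posture check"
    if not req.encrypted:
        return False, "unencrypted channel refused"
    reason = "no rule grants this user access to this application"
    for r in rules:
        if r.user != req.user or r.application != req.application:
            continue
        if r.platforms and req.platform not in r.platforms:
            reason = f"platform {req.platform} not permitted for {r.application}"
        elif r.locations and req.location not in r.locations:
            reason = f"location {req.location} not permitted for {r.application}"
        elif not (r.window[0] <= req.at <= r.window[1]):
            reason = "outside permitted time window"
        else:
            return True, f"rule matched for {r.user} -> {r.application}"
    return False, reason

# Constructed policy: individual grants per application, nothing general.
POLICY = [
    Rule("alice", "crm", frozenset({"managed-win", "managed-mac"}),
         frozenset({"office", "home"}), (time(7, 0), time(19, 0))),
    Rule("alice", "payroll", frozenset({"managed-win"}), frozenset({"office"})),
    Rule("bob", "crm"),
]
```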

Tuesday 27 January 2009

Where is the perimeter?

Life was much simpler a couple of years ago, when you went to work in the morning, home in the evening, and the term remote access was non-existent. I can still remember (yes...I am that old) when the company I worked for got access to the Internet for the first time. We did not even think about the perimeter, because we installed a firewall at what we thought was the edge. But what is the situation today? We cannot see an organisation as an island anymore; everyone is part of a gigantic ecosystem with a never-ending, increasing demand for fast access. We work closer with our customers and partners, our staff is more mobile, and there are more devices that are connected to the Internet. The difference between "private" and "corporate" devices is also blurred. We answer private e-mails and surf the Internet on our company PC; we want to read company e-mails on our private PC at home, etc. Add the smartphone into the equation and things start to get really complicated.
So now back to the original question: where is the perimeter of the company? The answer is simple; the edge is at the user, so the perimeter is at the mobile phone, the home user or the external consultant who accesses the network from wherever they are. The funny thing is that most companies treat the firewall as the edge, the same security model we used when we installed the Internet 20 years ago.
We need to implement a new architecture for security that takes into account that the world has changed, despite what the big firewall vendors tell us.

Monday 26 January 2009

Firefox now has more users than Explorer!

A couple of weeks ago we launched our new web forum at AppGate (http://forum.appgate.com/) and I recently had a look at the web statistics. Firefox now leads with 45% against 39% Explorer users. Now I have to admit that AppGate is not the most visited web site in the world, but we have some fairly interesting visitors (and customers..). One of the reasons people visit our web site is MindTerm, one of the world's most used Java SSH clients, which we give away for free for non-commercial use. You can find MindTerm users everywhere, but one important user group is students..and according to our web stats they now favour operating systems other than Windows. We see this trend also among our ordinary customers, from almost 100% Windows to a much more blended environment (Mac, Linux etc), which also includes mobile phones. There are probably lots of reasons for this trend, but one of my customers gave me an interesting insight into the future. They reasoned that if they want to attract the new generation to come and work for them, they need an IT infrastructure that suits the needs of the “next generation”. That meant that handing over an "old PC" would not be sufficient in the future, and talented people would go somewhere else.

From a security standpoint this is of course interesting, as many security products are platform or OS dependent, and having even more point products will increase costs and decrease security. I think the future will be interesting…

Friday 23 January 2009

A typical example of the financial downturn

I have been away for a while, so I have not been able to update my blog. One of my travels included a trip to Germany, where I needed to rent a car to get to my customer. Usually I go for the cheapest car, but this time (despite the fact that I had pre-booked one) there were no cheap cars available. The poor girl at the rental firm apologised by telling me that she had never run out of "cheap" cars before. Instead she offered me (for the same price, of course) an MB S 350 L...a car that makes the Hummer look shy. It also had some practical consequences, such as: it took me almost 50 km to figure out how to start the radio. The car was also equipped with necessities such as a fan in the seat, a radar that prevented me from running into the car in front at night, and night vision. The fan was really fun: every time I went into a right-hand corner the right side of my seat was blown up (and vice versa) to prevent me from falling out of the chair. The downside was of course the amount of petrol it used (you need to own an oil company to run it) and it took two parking spaces.

What does this have to do with IT security then...not much, but two things come to my mind: products get more and more functionality (fewer point products..) and what would happen if a car like that got hacked?

Tuesday 13 January 2009

Who is responsible part 3?

I guess that you have read about the hacker who got a 30-year sentence for hacking TJX Maxx. That has to be the longest sentence ever for a hacker. But there is an aspect of that story that is often forgotten. The company got busted as well, owning up to potential liabilities of $118 million. It would have been cheaper for them to invest in some knowledge and systems for proper IT security. The U.S. government is also looking to change the system so they can fine a company for this kind of bad behaviour. In a way this is good news for all the struggling IT managers out there trying to find time and space with their managers to talk about IT security issues..and as I always say…it is always the management of the company that is responsible.
http://www.networkworld.com/news/2009/010809-tjx-maxx-hacker-banged-up.html

Thursday 8 January 2009

Increased control..is that really useful?

After the last financial meltdown (in the beginning of 2000 and the years after) many countries, including the U.S., sharpened the regulations for companies and financial organizations. We usually call those regulations “SOX” or, in Europe, “Euro-SOX”. In simple terms this is done by controlling who does what, giving individual access instead of general access, and having a clear “chain of command”. There should always be someone who is responsible. (I know I oversimplify the whole thing now..)
When these regulations came, the common belief was that they would prevent companies from overstating their assets or lying about their revenue, in the end protecting shareholders and others who had a stake in the company.
I do not think that I would anger anyone by claiming that it did not prevent the worst financial crisis ever….
Maybe the regulations added to the problem by giving a false sense of security. Everybody has been compliant with regulations, but no one has used common sense.
My conclusion is simple: there are no safe “systems” without common sense. To be able to be sensible you need to be trained and have the knowledge to handle crises. This is the responsibility of the management. This goes for IT-related crises as well; they cannot be handed over to the IT people for no one else to worry about.
I wonder if all the consultancies that have sold SOX training will now start to sell “common sense” training instead. That could be fun to listen to.

Wednesday 7 January 2009

Today I am frustrated...

I have spent the day helping a customer write a new security policy. In that policy there was a section about how new security functions should be security cleared before they were released. The thinking behind this was to shorten the time for testing and implementation.
Other parts of the policy included a definition of what needed protection and why, who should have access to the information, and under which circumstances. In this company everything related to their customers is regarded as extra sensitive. This comes as no surprise, as this is a company in the service sector and their relationship with their customers is the only real asset they have. They would lose a lot of business if their customers' secrets were revealed.
Now the reason for my frustration…during the meeting the CFO of the company came in, all fired up. He had attended a seminar about “cloud computing” and now he had seen the light. Out with the old…bring in the new….
It was fairly easy to see that this “brand new” idea was not really in line with their security policy. I would call it stupid to outsource this information, but on the other hand I do not trust anyone…and WHY do we always jump on the latest ideas…without thinking about the security implications? Now they have an internal battle, with a CFO who thinks that security people do not understand the reality of business…and security people who think the CFO is a moron.
My tip of the day….always ask outsourcing companies for their SLAs and their security policies.