Friday 27 February 2009

Confirmed...Cloud computing is still just a hype...

I read an article yesterday regarding a study in Sweden. The study was about companies' intentions to start using so-called cloud computing. The definition of cloud was set to resemble buying applications as a service. I still wonder, from a business perspective, what the difference is between outsourcing, ASP and the cloud...but I guess I am uneducated in this matter.
The study showed that most companies were not interested in entering this market until (and this makes me really happy...) they could feel confident about security and reliability.
Maybe we now start to see the shift that I have been waiting for where security is treated as a part of the business process inside a company instead of a technical issue that has to be fixed at the end. I will celebrate tonight....

Thursday 26 February 2009

Will Nokia enter the PC market?

Nokia's CEO has revealed that they are at least considering that option. This is proof that the difference between the "mobile world" and the "PC world" gets more and more blurred. A practical aspect of this is that security applications need to be developed independently of the platform. I see this as an end for all the mobile specialist applications such as simple push technologies. Why not use a proper and secure VPN for access from mobile phones instead of inventing something that only solves the "mobile problem"? We need to treat access from mobile phones the same way as we treat all access...and there is no better way to do that than to use a proper VPN with 2-factor authentication, encrypted and compressed traffic, NAC and granular access. Why invent another "silo" instead of building on technologies that already work?

Wednesday 25 February 2009

Invitation to an important event!

AppGate has a close relationship with SUN; among other things, we use OpenSolaris as the OS when we deliver our solutions. We also work closely together developing solutions for different industries, and now you can join a webinar to learn more about what we have done together.

Join us for a live web event to see how government agencies
are protecting data regardless of device

Security for a Mobile Workforce
Register Now
http://www.government-webevents.com/

* * *
The world is changing and so is how we work. Technology has
provided great opportunities to take traditional desk jobs
into the field to be more efficient and effective. The
challenge lies in how to develop a secure, unified approach
to managing an IT infrastructure with so many access points.

Today's Government agencies need to provide secure communication
between different regions. Information of all government
agencies, civilian, intelligence and defense, must be absolutely
protected. But implementing it may be harder than it seems.

Join industry leaders from The 451 Group, Sun Microsystems,
and AppGate Network Security for this informative web event
and you will learn:

* The driving factors behind a growing mobile workforce in
government

* The benefits - and pitfalls - of solutions on the market
today

* Successful methods of protecting government services from
unauthorized access, regardless of device

Live web event
March 12 at 8:00 am PT
REGISTER TODAY:
http://www.government-webevents.com/

Monday 23 February 2009

Security is a balance between cost, value of information and the threat level.

Another thought from the conference last week; why do we always see security as a technical problem? At least we always talk about it from a technical perspective and we want to solve everything with more products. I believe that before you even consider what equipment to buy there are three important things to consider:
1. A proper security policy.
Without a security policy no one knows what to protect and from whom. If there is a breach in security no one will know how to react or how to repair the damage. Policies and procedures go hand in hand.
2. Balance between cost and benefits
An important aspect of security is that the cost of the security solutions must be proportional to the threats and to what you want to protect. The best way to achieve this is to investigate which assets you have and which threats you can foresee. The next step is to do a threat analysis covering what happens if there is a security breach. Based on this analysis it is possible to grade different threats and choose the protection that is needed based on what is sound from a financial standpoint. The goal is to find a balance between the costs for security (money, flexibility etc.) and the value of the information. The higher the value of the information and the higher the threat level, the higher the investment needed. The equation works the other way around as well; high value but low threat level…lower cost.
Do not forget the users in this process; in the end they need to be able to work with the systems.

3. If 1 and 2 are fixed, security can lead to increased revenue and lower costs.
If you have control over more things, more things will be possible to achieve. More users can get mobile access, partners and customers can get access to internal information etc. Good security implemented in the right way can be a way to compete with other companies.

Thursday 19 February 2009

I attended a security conference in Brussels today

As always, some of the most interesting topics were discussed at the lunch break and as a result I came away with some interesting thoughts. The first one made me feel slightly old...
Thought 1: The change in technology has changed the concept of privacy. I can actually relate to this, as my teenage daughter and I have very different views on privacy. We had a discussion in our family about having a family "web page" and I strongly opposed that. I do not want to share everything I do with my family with people I do not know. Then came Facebook...which is my daughter's lifeline to her friends, where she shares pictures and thoughts about everything...and chats away with her friends in a way that I would never do. My daughter has adjusted her sense of privacy according to the change in technology much better than I have. For us in the security business this change of view will change how we develop products and how we build processes for security. Today many companies and organisations solve the issue by simply prohibiting people from using Facebook at work. I wonder if the younger generation will accept that, or will they take their talent and their skills to a company that makes it possible for them to live their "cyber life" the way they are used to?
Thought 2: During the conference someone claimed that in a study amongst the 100 biggest organisations in Europe, 80% of data breaches were due to so-called super-users. Examples of super-users were CEOs and other managers. Talk about leading by example... If this is true (and I have no reason to expect that it is not) we who work with security have failed... We need to get the message across that security breaches cost money and that companies can go down the drain if the XXX hits the fan. We need to stop talking about security in technical terms and start talking in a way that makes good-will sensitive number crunchers understand what we talk about.

Monday 16 February 2009

For us this is a fun day...

It has taken longer than expected (what does not...?) but today we at AppGate finally launched the public beta of AppGate Free Edition. AFE is what it says...a free version of AppGate Security Server. I think it is the first time anyone has launched such a comprehensive solution for security for free.

Have a look at it (or even better; try it out), let me know what you think!

Wednesday 11 February 2009

Cybercrime criminals get more advanced

According to an article from BBC (http://news.bbc.co.uk/2/hi/technology/7797280.stm) cybercriminals seem to avoid the layoffs due to the financial crisis. Instead they have increased their activities during 2008...to the surprise of no one. Now everybody in the industry will tell everybody that wants to listen how their (the security vendors') product will chase away all the bad guys and solve all your problems. That is not often the case, by the way.
First things first...the problem is real for everyone. Unprotected data will be stolen, money will disappear from your bank account and your credit card will be used by others. I met a potential customer a while back that had its source code stolen and was now being blackmailed. The thieves said that if the company would not pay they would post the source code on the Internet.
BUT the solution is not to go and buy a new point security solution; instead (which starts to be a theme in this blog)...validate what to protect...and who should be able to access what...and then use solutions that support your business. I bet that companies that use this model will end up with a very different security architecture than the one that is based on today's firewall model: we trust people on the inside...but no one on the outside.

Tuesday 10 February 2009

Mobile security is a big concern for everyone

I read a report today by Telenor that talked about organizations' concerns about Mobile Security...or to put it the other way around...the lack of Mobile Security and how it prohibits implementations of true mobility.
I know that I am biased in this matter as we at AppGate sell a system that treats all access in an equal way regardless of the device..but it also happens to be what I believe in.
The basic problem is the same: who the user is (always use strong 2-factor authentication), what should he or she access, how secure is the device etc etc? It is not about emails on mobile phones anymore; now we can access Intranet, business applications etc etc as well.
Funnily enough, when people talk about mobile security they talk about encryption of mobile phones or remote wipe (both now come as standard in most Nokia business phones) instead of talking about the access problem. Many companies have not realized that they can use proper VPNs to connect to the phone instead of simple push technologies.
So my simple conclusion…make a business decision about who should be able to access what information…and then buy a system that handles all access…on mobile phones…PC…Mac…Linux…on all types of networks…on the inside…or the outside…

Monday 9 February 2009

Can you trust your friendly security vendor?

I had an interesting discussion earlier today with a customer about which security problems exist in real life...and the ones that security vendors invent in order to sell more security solutions. His argument was based around all the "reports" about virus attacks on mobile phones. From time to time there are reports that NOW everybody needs antivirus software on mobile phones because NOW there will be a lot of viruses that will attack your mobile phone. He claimed that NOW has been going on for the last three years and we are still waiting for it to happen.
In a way I guess he is right; this happens in all industries. In my hometown Stockholm a couple of years ago, there was a company that removed graffiti from trains...as it turned out they hired some local "artists" that painted trains in the evenings to make sure that they had business continuity.
I agree that some security issues are really not that important for all customers, but in order to avoid problems companies and organisations need to start from the right angle...and that is not to figure out which security system to buy as the first order of business. The simple answer is to find out which information should be protected and balance the cost of protecting it with the business needs. Then it is possible to discuss how to protect the information and from whom. The last thing to do is to go and buy a security solution.
So if you are a manager and your security people want to buy a new security solution...ask for a threat/business analysis or, even better, do it together with them. This way it will probably be easier for everybody.

Sunday 8 February 2009

IT security during the financial recession

A sad fact when a company has to ask people to leave is that many times important information goes out the door at the same time. It is only natural that people who lose their jobs get frustrated, and many times angry, and blame everything on the company. When they leave, they leave in anger and take customer lists, software and other "secret" information with them. To ask someone to leave is often hard and it is even worse to be on the other side. The situation does not create an environment for dialogue but it is still important to inform employees about the rules regarding theft of data and assets from the company.
It is essential to have routines for access for ex-employees and procedures to follow, as many companies have several different systems for access. Make sure that there is someone who is responsible for discontinuing access rather than having separate departments handling it. Make a register of all different types of access (SSL-VPN, internal systems, mobile access, IPSEC etc....and next time buy a system that handles all types of access).
I often get the question if I do not trust people, and my answer is that I do. I just want to be able to present to my customers different alternatives so they can make the decisions. After all, they are the ones who know their employees the best. Most companies I work with really hate to be in a situation where they have to ask people to leave and they try to do their best, but the financial crisis gives them no choice. I know that most people understand this, but there are rotten eggs out there and unfortunately we need to make sure that they do not do any damage.

Monday 2 February 2009

What is the most important aspect of security?

I had a conversation earlier today about what really is the most important aspect of security. Is it to protect the PC from viruses, to encrypt all communication or to encrypt all hard drives? From listening to the marketing messages from different vendors it is hard to know. I would say that they are all important but the most important thing is access control. It is essential to know who has the right to access what under what circumstances; without that there is no security. In general people have too much access, which is strange; even highly trusted employees do not usually get keys to the safe.
Here are things that you always should be able to determine before someone is granted access:

* Who the user is (strong authentication)?
* What device is used and how secure is it?
* Which access should the user have?
* Where is the user (on the inside or the outside)?

Everything is linked and a weak point will be breached, but with a strong control of access many things can be avoided.
One more thing: this has the effect that all applications have to be secured and locked individually. There needs to be a lock on the door, so to speak.
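
The four questions above can be written down as a per-application, default-deny check. The following is an added example, not part of the original post and not AppGate's code; the rule fields, user names and application names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    auth_factors: int    # how many distinct authentication factors were verified
    device_secure: bool  # outcome of a device check (assumed to be done elsewhere)
    on_inside: bool      # True when the user connects from the internal network
    application: str


@dataclass(frozen=True)
class Rule:
    application: str
    users: frozenset
    min_factors: int = 2            # strong authentication by default
    require_secure_device: bool = True
    allow_outside: bool = False     # outside access must be granted explicitly


# Constructed sample policy: one lock per application.
POLICY = [
    Rule("intranet", frozenset({"alice", "bob"}), allow_outside=True),
    Rule("payroll", frozenset({"alice"})),
]


def decide(req, policy=POLICY):
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    rule = next((r for r in policy if r.application == req.application), None)
    if rule is None:
        return False, "no rule for application"
    if req.user not in rule.users:
        return False, "user not entitled"
    if req.auth_factors < rule.min_factors:
        return False, "authentication too weak"
    if rule.require_secure_device and not req.device_secure:
        return False, "device not secure"
    if not req.on_inside and not rule.allow_outside:
        return False, "not allowed from outside"
    return True, "granted"
```

Being on the inside only satisfies the location question; the user, authentication and device checks still apply to every request.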

AppGate and jetlag

One of my friends (who is one of the best security experts I know) has his own blog where he has written a good story about his sleeping problems...and AppGate.

http://blogs.sun.com/gravax/entry/jet_lag_and_appgate