Tuesday 31 March 2009

More about clouds...it is an interesting topic

There is one thing about cloud computing that has to be said: you have to compare your existing security level with the cloud alternative. I have seen many examples of companies that have been over-confident about their security. For companies that do not have enough competence or resources, cloud computing can actually increase the security level. Be realistic even if it hurts.
A big problem that many organizations are facing is that of compliance with various regulations. Being compliant can imply a load of new IT projects, and bringing your in-house systems into compliance can be costly.
Instead, Compliance as a Service may be offered, where the service provider takes care of every requirement around the application. And the fundamental security functions such as separation, access control, authorization, end point security etc. may now be seen as selling factors.

Monday 30 March 2009

GhostNet In The Machine

Sometimes interesting articles about security disappear due to other, more important news stories, so I want to highlight this one:
http://www.forbes.com/2009/03/29/ghostnet-computer-security-internet-technology-ghostnet.html

The first time I read the story I thought it was a good plot for a Hollywood movie, but it turned out to be a real-life example of the insecurities in our world. When I grew up there was a saying in Sweden that came out of the Second World War: a spy lays a puzzle. It meant that a spy would collect little pieces of information from different sources, the same way that this computer network worked. Viewed separately the information was not very valuable, but accumulated it was indeed very valuable. The government has a responsibility in this to help private companies and organisations to defend "their piece of the puzzle". I think that governments around the world at least have to make sure that information security is a part of the public debate and to provide best practices and help with information. The problem is now too big and "evil forces" too powerful. Governments have a great tradition of helping consumers through international co-operation and regulations. Now is the time to do the same in information security.

Friday 27 March 2009

It is in the cloud

Andrew Yeomans from the Jericho Forum is a very smart person. I have had the opportunity to meet him a couple of times and he has impressed me every time. He is also the reason why AppGate (the company I co-founded) is a proud member of the Jericho Forum. I read an article today where he asked some very good questions about cloud computing.

Here is a short summary:
When you repatriate data from a cloud provider, taking it back into your own internal systems, how can you be sure that no trace of that data resides on their own systems? What leaks might exist between the cloud service back into our own infrastructure? Does the provider adhere to the same physical, logical and personnel controls that are applied to our own internal systems? What will happen if the provider goes bust?

These are all important things to consider before you jump into the cloud! If you do not have the answers...you should not take the dive.

Wednesday 25 March 2009

You pay too much for your insecurity

I am the first to admit that it is hard to calculate ROI on security investments, but that should not prevent us from making sure that we get as much security as possible out of every invested dollar.
The first thing to realise is that every investment consists of two parts, the initial investment and the running cost...and that the running cost is usually much higher than expected. Why? Because in most calculations the small factor "time spent" is left out.
Think about it for a second: if you have many different specialised products installed, they all have to be maintained, patched, connected etc. etc., but I guess that most of the products probably did not cost that much, so the investment cost was low.
Why do I talk about this subject now? Because now is the perfect time to look over the real cost of running our security infrastructure...because we all need to save costs now.
I thought about this today when I got a new customer (take this as a tip rather than pure marketing) and he pressured me to let him pay over an extended time period as the cost saving became visible. (I have some explaining to do to my sales person now....) In the end I thought it was a good deal for both of us...he did not have to pay that much money up front...and I got a new customer.
The customer replaced his old mobile email system and his SSL VPN, and rebuilt his DMZ.

Thursday 19 March 2009

What is sufficient security?

I had a conversation with a partner yesterday about which level of security is sufficient. The first question is of course how to define a security level. I often hear people say things like "we accept having a sufficient level of security rather than a high level of security". Then they often add "we are not a bank and we do not need that kind of security". Every time I hear this I take a deep breath because I know I have a long discussion ahead of me. The sad thing is that most people that talk about sufficient security do not have a clue how to define security whatsoever.
I claim that in the simplest form security is digital, either you have it or you do not. On the other hand, any given environment is a complex beast, so from an architectural point of view total security is hard to achieve. So there is a need to compromise between the need for protection and what is possible. The only way to achieve a "sufficient security level" is to investigate which information is the most vital for the company...and manage the access to that information. If the information is less sensitive, then more access can be granted (less security). If you do not do this you do not have a clue if your security level is sufficient (or insufficient).
Conclusion: It is not about which security system you buy, it is about what you want to protect and from whom.

Wednesday 18 March 2009

More about cloud computing

Yesterday we had a board seminar about strategy. We do that every year to discuss what we believe will be the biggest market trends during the coming year and how we as a company should react to them. One of the things we discussed was of course cloud computing and the security implications of this "new" trend. It was an interesting discussion, as it turned out that the biggest security concern was not really technical. The biggest concern was trust. How do we know if we can trust the supplier? Do they have the right infrastructure, can we trust their staff, how stable are they from a financial perspective, what will the level of support be etc. etc.? The question "can we trust their staff" was highlighted many times in our discussion.
I think that the discussion summarised a trend that I have seen elsewhere: customers in general are more critical of new hypes and now have the knowledge to ask the right questions. When large companies do outsourcing contracts they almost do a due diligence of the suppliers. Maybe everybody should do the same when the application is business critical.

Friday 13 March 2009

Again: the internal security threat

I have been actively involved in the IT-security market for almost 15 years and during this time the issue of the internal security threat has been brought up many, many times. I recently read a story in DarkReading (http://www.darkreading.com/insiderthreat/security/vulnerabilities/showArticle.jhtml?articleID=215801195&cid=nl_DR_WEEKLY_T) about insider threats. A question comes to my mind: why is this still an issue? The answer is actually simple; the technology that builds today's security architecture does not do the job. Most solutions are built around the notion of the existence of an inside and an outside. Please repeat after me...there is no difference between the inside and the outside anymore. Security solutions have to be built according to a model where users only have access to information "on a need to know basis" REGARDLESS of where they happen to be for the moment (and according to how secure the device is etc. etc.). Today's IT environment is far too complex and users too mobile for an inside/outside model.

Thursday 12 March 2009

The one problem at a time problem...

My wife tells me that as a man I have problems focusing on more than one thing at a time. The IT industry consists mostly of men (unfortunately) and (if my wife is right) that explains why we seem to concentrate on one security issue at a time...and then we solve one security problem at a time with a point product. When I grew up and bought my first stereo I learned that there was no need to buy the best speakers in the world if I could not afford to buy the best receiver. The quality of the output would never be better than the most inferior part of the system. The same applies to security systems: why have the best firewall in the world if you do not have an authentication system, what is the use of an authentication system if you do not have an access management system, what is the use of having all that and then you open ports in the firewall for uncontrolled access to email on mobile phones etc. etc.? The sad truth is that if there is a hole in your defence, an attacker will find it and exploit it...it is only a question of time.

Conclusion: Do not solve security problems "one problem at a time". To be secure you need to have a holistic view of the problems and make sure that the need for security is balanced with the TOTAL cost and the needs of the operations. Otherwise you will end up with a good fence but a lousy door.

Tuesday 10 March 2009

Security: what are we looking for?

I got a question from a reader of my blog. He wanted me to define the different aspects of security in layman's terms. Here is a definition I often use, where I divide security into three components: Integrity, Availability and Secrecy. (Others sometimes use other words to describe the same thing.)
Availability: I define this as the system's ability to give service to authorised users. The information users need should be available when they need it. For companies that are dependent on the Internet as a source of income, availability is a major concern.
Secrecy: The system's ability to provide access to information or services only to identified and approved users on a need to know basis.
Integrity: The system's ability to maintain the "correctness" of the information. How do you know that the information has not been tampered with?
Different organisations will value these factors differently and therefore it is hard to compare security solutions between different organisations. Added to that, different organisations have different threat levels to live with.
There are more factors that can be taken into account but I think that these are the most important ones.

Wednesday 4 March 2009

Who can you trust?

I am supposed to give a speech in a couple of days about how to recognise who you cannot trust...this will be the highlights.
There is a difference between trusting people in ordinary life and trusting people from a security system standpoint. Why? Because on the Internet you will never know the people that try to access your system. If the systems are accessible to the people you know (and trust) they are open to everyone else as well...and can you really trust everybody you know...and do you really know them?
Think about it for a while: even if you trust everyone that works for you, you have to build a security system that protects you from the people that you do not know. If you do this properly you will end up with a system that also protects you from actions by people that you thought you could trust.
Conclusion: Forget about the discussion about who, you have to treat everybody equally.

Monday 2 March 2009

How to know what to protect...and from whom?

The most common way is to start an investigation (often with the help of external consultants) and then classify the information according to some kind of policy.
I would propose an alternative (slightly drastic) strategy: close down access and then ask the question: who needs this information to be able to perform their job? In general people have access to too much information, and by asking this simple question a pattern of which information is vital emerges quickly. (Only the ones who need it will be angry and call...)
This way we treat all information as "secret" and we differentiate based on the user, which is much easier. I can give you an example from real life: a company I worked with a while back (a consultancy company) started to lose people to a competitor. It turned out that a hired resource at the reception copied the whole internal phone register and the calendar (where it was possible to see where a consultant spent his or her time, which customers they visited etc. etc.) and gave it all to her boyfriend...a headhunter. This was of course not legal, but I doubt anyone will go to jail for it. Did the receptionist need to see where a consultant spent their time through the internal calendar system? Of course not.
Conclusion...lock everything down...and give access on a need to know basis only.
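The strategy described in this post, as an added example that is not from the original post: every resource is closed by default, grants are given per role, and each refusal is counted so that the "angry callers" show up as a pattern for a human to review rather than as automatic grants. The role and resource names (consultant, sales, reception, contractor, customer_calendar, phone_register) and the sample requests are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class NeedToKnowPolicy:
    """Deny by default: a role reads nothing until granted; every refusal is counted."""
    grants: dict = field(default_factory=dict)         # role -> set of resources
    denials: Counter = field(default_factory=Counter)  # (role, resource) -> refusals

    def grant(self, role: str, resource: str) -> None:
        self.grants.setdefault(role, set()).add(resource)

    def is_allowed(self, role: str, resource: str) -> bool:
        """Unknown roles and unlisted resources are refused, and the refusal logged."""
        allowed = resource in self.grants.get(role, set())
        if not allowed:
            self.denials[(role, resource)] += 1
        return allowed

    def review_candidates(self, threshold: int = 2) -> list:
        """Pairs refused repeatedly: the 'angry callers' a human should review.
        A single refusal is treated as noise, not as evidence of a job need."""
        return sorted(pair for pair, n in self.denials.items() if n >= threshold)


def build_example_policy() -> NeedToKnowPolicy:
    """Hypothetical grants for the consultancy in the post: consultants and sales
    need the customer calendar; the reception desk needs only the phone register."""
    policy = NeedToKnowPolicy()
    policy.grant("consultant", "customer_calendar")
    policy.grant("consultant", "phone_register")
    policy.grant("sales", "customer_calendar")
    policy.grant("reception", "phone_register")
    return policy


# Constructed sample requests, not real data.
SAMPLE_REQUESTS = [
    ("consultant", "customer_calendar"),
    ("reception", "phone_register"),
    ("reception", "customer_calendar"),   # not needed at the desk: refused
    ("reception", "customer_calendar"),
    ("sales", "phone_register"),          # refused once: probably noise
    ("contractor", "customer_calendar"),  # role never granted anything
]


def simulate(policy: NeedToKnowPolicy, requests) -> list:
    """Replay requests against the policy; returns (role, resource, allowed) tuples."""
    return [(role, res, policy.is_allowed(role, res)) for role, res in requests]
```

Running simulate() over SAMPLE_REQUESTS refuses four of the six requests; review_candidates() then surfaces only the repeated reception/calendar refusals, which is exactly the question the post says to ask a human: does that job really need that information?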