Monday, 22 December 2008

Happy Holidays!

I have to admit that I am happy we now see the end of 2008! It has been an awful year...and a very good year...or as my friends (that used to be in the financial market) would say...the volatility has increased. The awful things is of course almost all related to the financial market but I would also claim that the bad weather during my vacation is as bad. Another summer like that and my wife will demand that we sell our sailing boat...and instead spend our vacations on a beach somewhere. This will lead to me being bored, kids who thinks that nature looks like the Canary Islands (that would probably be O.K for my teenage daughter...I still hope that I can save my other two kids) and even more time spend on airplanes. I cannot stand flying so when I fly I always take a drink, the more I fly the more drinks. I will probably end up drinking too much which will affect my job and this blog...so my carrier will go down the drain. All of this because of one lousy rainy summer!

One more thing before I will leave you alone for Christmas, there is a problem with Christmas gifts that seldom is discussed. After the kids have received all their new toys they turn to me to make them work. Suddenly I am transformed from my more theoretical approach in life to become an engineer, computer expert or assembler. So my Christmas evening will be spend reading manuals and I usually wreck some of the new toys. This year I have a plan; I will try to persuade my kids to get help from their Mother so I can inspect the work when it is done. I hope my plan will work…I will let you know.

Wednesday, 17 December 2008

Virtualisation and security

Virtualisation is not only hard to spell but seems to be the cure for all things that is wrong with any IT-infrastructure. The arguments for virtualisation ranges from everything from saving money to save the planet. As always, security is an issue that is rarely discussed to the surprise of no one.
Now I have to admit the underlying security problem is not really a virtualisation issue, it just becomes clearer when all servers become virtualised. There is a difference of having a hundred different servers in a network or one server that runs a 100 virtualised servers. The first thing that needs to be done is to put an application layer firewall between all users and the applications and then (which is as important as the firewall..) only give granular access to the users. An ordinary firewall will not work as they lack the granularity that is needed. Users should never have access to more information then what they need. With this approach the server is protected from attacks and “browsing” on the server is prohibited..and all access is logged. I also think that it is vital that all communication between the users and the server is encrypted…as I do not trust any network…inside or outside and that the device is checked BEFORE any access is given.

Monday, 15 December 2008

Six days to the end of the world

I have spent time at some interesting conferences this autumn. One of them was in Brussels and was attended from the police, military and other security specialists. It is always interesting to learn from people that are users of the technology that we in the industry provide. Sometimes the problems are very, very different from the ones I encounter in my daily life, such as the discussion I overheard about the best way to dispose 10 000 kilos of drugs that came out of a big bust. It was discussed as a pure logistical problem.
You can say one thing about people in the security space; we are not the most optimistic people in the world. Put a bunch of us in a room and we will provide scenarios that will make the most optimistic person run for cover. In one of the seminars I attended we discussed what would happen if the supply of water, power and food where to be stopped. The conclusion was that it would take six days before the society would break down. I do not know if that is true but it gives a perspective on how vulnerable our modern life is for attacks.

We also discussed how long it would take to bring a company to its knees, the conclusion was that a service company would not last more then two weeks without Internet access.

Then we discussed which companies and organisations that where under the biggest threat for a political attack (terrorism with other words..). We did not really reach a conclusion because when we discussed it everybody seemed to be threatened. Here is a shortened list:
• Anyone in the financial sector
• Meat producers
• International companies with strong brands
• Power and other utilities companies
• IT-Security companies
• Media companies
• Oil companies
• Car industry
• Drug companies
• Defence industry

Friday, 12 December 2008

How many point products does it take to build a secure environment?

The cost for IT-Security is a common topic when I discuss security with business managers. The general feeling seems to be that every year they spend more and more on security without seeing any real improvements. The threat level never seems to change. The obvious positives such as remote access and mobility are often forgotten.
I claim that new functionality does not always have to lead to increased costs. We just need to get out of the habit of using “point-products” for everything we do. My definition of such a products is a solution that solves one particular issue but does not cooperate with any other parts of the environment. A typical example is push emails to mobile phones. As I said many time, buy a VPN product that handles all types of access including mobility. It is then possible to treat all access equal. This saves money and increases security.
Point-products is also very hard to get rid off (they have always worked….you know… and we need to think about the guy in Farawayland that uses it on Thursday’s every second week).
The cost for running disparate products with little integration is often higher then expected. There is a need for more personal, upgrades takes longer time; training and support costs are higher etc etc.
The industry is starting to pick up on this, they supply more products and talk about one-stop-shop….and we customers end up with one supplier…and still have products that cannot be integrated.
Save some money and increase the security, get rid of point products.

Thursday, 11 December 2008

Who can you trust part 2

A while back I was invited to participate in a panel at a security conference. One of the things we discussed was how to treat the fact that human beings are security risks. I have been in many discussions like that before but this one was different. Usually the consensus is that users have to be trained in security so they do not do any mistakes. This in a way puts the blame on the users if anything goes wrong. Now the conclusion was different. Even if the users fail the security systems has to work. I think that this is a break-through in the IT world. In other parts of our life we already see this trend, cars is a good example. Cars gets safer and safer, roads get safer and safer and we have regulations so people at least know how to behave. People makes mistakes and sometimes they even commit crimes, we in the industry need to prevent mistakes to cause security breaches and to prevent crime. We need to have less technology focus and accept that people are people and make life easier for them.

Wednesday, 10 December 2008

Mobile Security..we always do the same mistake

I have spent a good deal of today talking to a frustrated system admin providing arguments of why it is not a good idea to open holes in firewalls because the CEO wants to read e-mails on his mobile phone. (Another good example how hard it can be for the business side and the IT side of a company to communicate.)
Sometimes I wonder why we do the same mistake over and over again. We buy point products to solve point problems. We then end up with an infrastructure which cannot be managed and is costly to run.
My argument is always the same when it comes to mobility: treat it as any other access form, use a proper VPN with 2-factor authentication, NAC and granular access control.

Tuesday, 9 December 2008

This is a good week

I have been recognised as an Most Valued Performer 2008 by Network Products Guide. What can I say...I am proud today as well. Another winner was the CEO of Google.

Monday, 8 December 2008

I am very proud today

Today we learned that AppGate has been awarded the title "Best of Access Management 2008" by SC Magazine. I am very very proud....

http://www.scmagazineus.com/Access-magagement-AppGate-Network-Security/article/121763/

Big Brother or Big Mother

I am born in the sixties and during my whole life I have learned that our government wants to know everything about us to be able control us, something that we usually called Big Brother. I wonder how many people that actually understand how much we do that can be controlled and monitored. Every time you use a mobile phone the operator knows where you are, every time you use a credit card the purchase is registered, every time you access a web page you are registered. Thank God that no one puts all that data together…that would be awful…
Funny enough it looks like we accept monitoring if it is for our own good, we accept CCTV as an example. Now our government (and others) launch more and more services to “help” us, I got an offer this morning for a service whereas I could monitor the whereabouts of my teenage daughter through her mobile phone. These are examples of what I call Big Mother, it is for our own good!
Funny enough we have more and more customers calling us because they want to encrypt all data, internally as well as externally to avoid monitoring.

Friday, 5 December 2008

We will fix the security later

I wonder why fixing security issues usually ends up as one of the last things to fix in any given IT-project. If the same thing was true in the real world, I would be really afraid. Would we accept a first version of a car without breaks, without safety bags etc ? I often been invited to participate in projects where all things is ready….now we just have to fix the security as well. Usually it is then to late to “fix” anything and the cost to make it secure becomes a problem for the whole project…and I end up as the bad guy. The result is often that security has go give away for “time-to-market” or for some other reason that precedes the security aspect. Do not take me wrong, security means nothing if it does not help the business but why not think about security from the beginning instead? That will be cheaper, faster and will produce less grey hair on my head.
Maybe a part of the problem is that we as customer do not expect anything to be secure anymore. We, instead, applauds when a vendor (for the 100:th time) sends out a new more secure version then the one we got 2 weeks ago. We of course know that we will have another even more secure version in 2 weeks time again…and we accept that which in a way is rather strange. I am the first to admit that it is hard to develop secure software but sometimes I feel that the Industry has given up. We accept the car without brakes.

Thursday, 4 December 2008

How a new architecture for security can change the network architecture

I think that most people today agree that the perimeter of a company is hard to define and I visited a customer a while backs that was a perfect example of this. The customer is in retail and has about 300 shops around the U.K. They have up to know treated all the shops as a part of the internal network so they have either connections to them via MPLS or "leased lines". That is of course a very expensive way to do things as it demands multiple firewalls, extra VPN equipment, local networks etc etc plus the cost for the communication.

By re-defining the perimeter it was easy to come up with another concept. ( I am sorry, this now sounds like marketing but bare with me..). They customer will now move the perimeter defence for the retails shops very close to application servers and encrypt all traffic from that point out to the individual device connected to applications. They add a personal firewall to every PC so that the PC only can reach the AppGate Server (sorry marketing...), add two factor authentication, add polices so that a user only can have access to what they need to access. They installed a wireless network in every shop (and here is the thing) bought ordinary Internet access points to the shops. They now have granular access, Nac, all traffic encrypted and total control over the access and they saved a lot of money in the process.

Who can you trust!

I suspect that you have read about the network manager in San Francisco who held the whole city hostage a while back. I think it is a fun example of the old saying “who polices the police that polices the police?”. There are many fun examples when people that should have been trustworthy turned out to be quite the opposite. One of my favourites is when a system administrator had an argument with his manager and decided to send out all email in the mail server to everybody in the company as revenge. And as it turned out, the manager had an affair with his secretary and they used emails to set up meetings.
Another famous example is the English bank clerk who changed the address for some of the banks customer to his home address. He then sent payments to his home and collected the money. He got caught of course….
To quote my head of development: Power corrupts; absolute power corrupts absolutely (but it rocks absolutely too)
The simple conclusion is that no one should have all the power, not even the IT-department. I often see that all people working at the IT-department has access to all systems, not because they need it, but that is they way they always done things.
All systems should be built according to the “2-hands principle”. In addition to that, logs are a very good way to make people behave.

Wednesday, 3 December 2008

Who has the responsibility?

AppGate has many customers in the defence space, and one thing that you can say about those customers, they know a lot about delegation of mandate. They know who is in charge and they know how to give orders (and how to get people to follow them), A soldier has less power then a general but on the other hand a general has more responsibilities.
Take a moment to think about who is responsible for Information Security in your organisation. Is it the IT-department that builds the solution, security department that writes polices or the management who is responsible?
In my way of thinking there is an easy answer to the question: it is always the management. The problem is that they seldom understand that responsibility. Therefore we from the IT side need to build tools for them to understand which decision that has to be made to achieve the right level of security. That is our responsibility. If we do not get the right attention (or funding) it is our fault, not theirs.
Who is not responsible? There is a simple answer to that as well: the users. We cannot expect them to take the right security decisions. That is why we have a door that closes automatically behind people, for once in a while they forget to close the door.

Tuesday, 2 December 2008

Why is information security so boring?

First of all, welcome to my blog! I hope that you will enjoy the things I write about and I look forward to any discussion. This is my first attempt to blog in English and I hope that any Swenglish (English and Swedish) will pass unnoted...
I have to admit that I sometimes lie about what I do for a living. Telling that I work with Information Security often gets people to change the subject of the discussion very fast. (According to my wife Anna it is also a proof that I am not as funny as I think…but that is beside the point). Sometimes it is fun to say that I work with something really exiting such driving a bus or selling shoes, but then again it would be nice if someone actually cared.
I think that we in the industry partly can be blamed for this, every time there is issue…we call for another four-letter abbreviation that no one outside our small circle of experts actually understand, or we just say NO to any proposal that comes up…for security reasons.
I read somewhere that communication only exists if the receiver actually understands what the senders say…and we in the IT Security space do “send” a lot.
In this blog I will try to make security interesting for people outside the IT Security Industry. The ones that really should care, because it is their data we are trying to protect.