Friday 29 May 2009

Security Coronation — White-lists from the White House?

Barack Obama has announced that he will personally appoint a “cyber czar” to lead the creation of a cyber security office in the White House. This is not the first time we have seen President Obama’s commitment to technology. One of his first announcements on taking office was the appointment of a Chief Technology Officer.

This is further public acknowledgment that those at the very top are taking threats to both public and private sector networks very seriously. It is long overdue for governments to step in and provide the real investment and leadership required to control the threats from cyber criminals and their attacks.

The question remains – what power will the newly anointed White House King of Cyberspace be granted along with their crown? It would be good to see them adopt a positive white listing philosophy.

On a different note, Secerno have been named one of the Top Ten Tech Companies to Watch.

Friday 22 May 2009

Cloud Computing Expo

Yesterday I was an invited speaker at the Cloud Expo Europe 2009. I spoke about “Securing Virtualized Database Assets” highlighting many items covered in an earlier post. It was interesting to be part of a forum that is substantially different from the Information Security forum – no big vendors like McAfee or Symantec. IBM were at the Cloud Expo and Bob Sutor gave a strong keynote. A few of the exhibitors were organizations providing hosting, whilst others were Linux distribution companies (e.g. RedHat and Ubuntu).

The security of a cloud computing environment requires the same care and attention as other platforms. As BT's Bruce Schneier says, cloud computing is like existing outsourcing arrangements which require an element of "trust". Cloud computing also provides opportunities for security vendors. It allows them to make use of utility computing plus shared intelligence to provide higher-quality protection in a shorter time window. This approach of putting security in the cloud is what Trend Micro CEO, Eva Chen, spoke about on our panel session at RSA last month. The collective intelligence plus the accessible compute power provided in a cloud environment can be deployed for non-realtime security functions like email scanning.

There is still much to be sorted out for how data access in the cloud can be performed in a uniform and secure manner. Those organizations that are hosting virtualized databases in the cloud must ensure they are adequately protected.

Monday 18 May 2009

Child Protection and Data Protection

The UK government has switched on a centralized database of information about at-risk children whilst fears remain that the data itself could be at-risk.

Have they ensured that the data is cared for in the same way that they wish the individual children themselves are cared for?

The motivation for centralizing the data is strong. Many organizations and individuals hold separate facts about at-risk children. However, the inability to prevent the poor treatment of children is often reported to be the result of protection agencies not having all the accumulated facts in one place.

So, am I saying a centralized database is a good thing? Well, not entirely. Concentrating the data in one place makes it a powerful tool for good and for detecting inappropriate interactions with vulnerable children, but it is now also a single target for those disturbed individuals who commit such crimes.

Just like at-risk children, highly sensitive databases need to be closely monitored for inappropriate access and activity. Systems and processes need to be established to ensure that only authorized individuals can access the appropriate data and only in ways that are appropriate.
Children deserve to be cared for appropriately. So too do databases.

Friday 15 May 2009

Lessons from endpoint security: Gartner’s Magic Quadrant

What can we learn from Gartner’s report on “Magic Quadrant for Endpoint Protection Platforms”? The unsurprising bad news is that “Traditional blacklist antivirus capability is insufficient” as “standard signature engines are rapidly losing effectiveness”.
Equally unsurprising is that Gartner recommend proactive management, white-listing and processes to constantly drive down the vulnerability surface of systems.

First, let me congratulate the leaders in the End Point Protection (EPP) space who have been placed in the “MQ” – McAfee, Sophos, Symantec, and Trend Micro. EPP is a challenging area with a very dynamic threat landscape.

We know that signatures don’t work – particularly in environments where the items you are protecting are unique in their operating context. Take databases for example. One customer’s Oracle system does something completely different to the next customer’s deployment of the same Oracle database platform. This diversity means that any pre-defined signatures will fit nobody accurately and will be effectively useless. (I won’t even bother to rant on about how using the wrong signature language only makes the task impossible.)

Building up accurate white-lists, as recommended by Gartner, is a challenge. These must correctly categorize and suit each database and the way data is used from it. However, with third-generation engine technology and intelligent deployment it is possible to control and actively secure all database interactions to protect data. This is what we do at Secerno.

Thursday 7 May 2009

Trust and ‘Rock Stars’: Reflections on security gigs

It is now a full week after the close of the InfoSecurity 2009 show, which followed the RSA 2009 conference. Secerno was in attendance at both of these events and I was busy giving presentations, panel appearances, analyst meetings and press interviews.
My observations from these events are:
  • Public awareness of IT Security Issues continues to grow and this is powering the underlying confidence that seems to be around in the IT Security Industry.
  • Messages relating to compliance and data governance adorned many stands as a sign of where customers have budgets. Let’s hope that in years to come the messages are about security life-cycle technologies to improve the quality and run-time safety of our software-based infrastructure.
  • Cloud computing is a hot topic. Some commentators view it as something presenting new opportunities/challenges whilst others are simply “bored” with it already (see below).

I was in the intimate audience at BT’s stand (offering a range of security products and tools) when their Chief Security Technology Officer Bruce Schneier gave his presentation. He was commenting on cloud and, having said on a panel at RSA that he was “bored” with it, he could not see what the distinction was between cloud and existing outsourcing models. His view was that it all comes down to “trust”. There is the challenge of how one establishes trust, what levels of due diligence firms already do with their outsourcers, and how to go about this in the cloud environment.

Bruce drew analogies between service provision and contract law, and suggested that the future of (data) security revolved around a legal framework. I challenged him on “Legislation being the answer” and he replied that it was a necessary piece, but not the whole answer. In his view, the security risk for an organization is controlled via a magical “graphic equalizer” with many “sliders” to adjust. The organization needs to fiddle with the sliders to produce a profile that they are comfortable with.

After his presentation, BT were giving out copies of Bruce’s new book Schneier on Security, and the audience diligently lined up to have their copy signed. The dust jacket of his book has on the front “The closest the security industry has to a Rock Star”. Now there is a rock-star whose voice we should trust.