Category Archives: Enterprise Security

Why the Public Cloud Shuns Security

Did I just use a tactic to get you to click on this? Maybe. It sure is a punchy headline. I bet it stirs up some emotion on both sides of the transaction: cloud providers who are tired of working with auditors, and security professionals who are tired of explaining to business analysts why regulated data can't live inside a public cloud. I spoke at the North Texas Cloud Security Alliance chapter last Friday, and I had a great question from the back of the room. Paraphrasing: if security is a requirement for certain use cases, why do public cloud providers sell services without security controls? Man, that is a question I wish more people would ask. There are two ...


Big Data vs Social Engineering

Some of the discussions we are having over here are brain-wrinklers! I was speaking with some colleagues yesterday about the security implications of big data. Typically I would group them into two separate areas: (1) using big data as an enabler for predictive security analytics (i.e., deriving security information powered by analytics across big data), and (2) securing the output of big data analytics on the business side (and possibly in infosec too). After talking about some of the uses of Greenplum Chorus, it occurred to me that there is a third area that needs to be addressed: the security problem of using independent but diverse big data sets to arrive at the same conclusion (especially when that conclusion could be part of ...


Sir, Put Down the Loaded Weapon

Sensitive information is sometimes like a loaded weapon someone might randomly stumble upon in a park. For those who have some kind of training with weapons, you can probably think of a dozen things you would and wouldn't do in this situation. But what if you had never seen this kind of weapon before? Would it become a paperweight on your desk? Maybe a doorstop? Or, in an extreme case, earrings? Maybe you see peers treating these weapons the same way, and all of a sudden it becomes acceptable. Until one goes off. Then everyone flips their lid and it's utter chaos. Questions like "How did this happen?" and "Why isn't the government protecting us?" start to pop ...


What's Your Maturity?

No, I'm not asking how old you are or if you still laugh at fart jokes, but how mature is your security program? Traditional security isn't working anymore, and its relevance erodes as the business moves ahead without it. If you've heard me speak about information security maturity lately, you may have heard me compare our industry and function to Maslow's Hierarchy of Needs. For those of you who may need a refresher, here are the basics (minus a few to stop some search engine hits). In order for a human to realize his full potential, he must have specific needs met. Those are: Physiological (food, water, sleep, movement toward stability); Safety (security of body, employment, resources, morality, family, health, ...


There Are No BYOD Absolutes (You're Doing It Wrong)

Check out this post by VPN Haus that tackles the cost-savings aspect of BYOD. They argue that BYOD can be expensive and isn't always a cost-savings initiative. There are a few issues with this article that I'd like to address, starting with the cost issue. BYOD isn't just about saving money; it's also about making employees happy. I have not met a knowledge worker who looks forward to getting their new clunky Dell or Lenovo laptop, especially if they travel. Empowering workers to bring their own device allows for cost savings in a number of areas, including having them handle their own basic break/fix support. In my case, I don't call IT ...


Reducing the Risk of Passwords

On Wednesday we discussed passwords and their contribution to the people security problem. At the end of the post, I asked what we could change to take weak passwords out of the equation. If having passwords is a requirement for doing business, what could we add to the mix to reduce the risk of using them? Strong authentication: obviously, adding an additional factor of authentication can go a long way toward improving the risk scores associated with data access. Positives include a significant number of solutions, with a few leading their respective packs. Disadvantages can include the cost to deploy and manage, as well as poor integration with every technology you may use. Risk-based authentication: keep ...


Passwords and the People Security Problem

We can only blame people for so long. After all, we traditionally secure access to the critical resources on our network, whether that is customer information, price lists, salary information, or the secret recipe for our best-selling product, by requiring users to log on with a username and a password. Usernames allow us to grant authorizations and track activity, and passwords authenticate the username, theoretically providing assurance that the owner is the person using the credential. Over the years, humans have demonstrated their poor ability to create and use strong passwords. We try to teach them about strong passwords, give them examples, and set policies to require strong passwords, and yet we still get users with passwords like P@ssword. Our ...


Top Five PCI DSS Mistakes that Lead to a Breach

RSA Conference is over, but that just means that all of those side conversations and meetings we had will start to make their way into blog posts! One that is a biggie for me is the top five mistakes that merchants make that lead to a compromise. I often get questions from small merchants asking for the top three to five things they should do to make sure they do not suffer a breach, specifically after they are overwhelmed by SAQ D. While there is no substitute for complying fully with PCI DSS, there are a few common themes in breaches that businesses should address to avoid one. Keep in mind that while this applies to all setups, the ones getting hit ...


GRC in the NextGen Data Center

The new data center is service oriented and less focused on physical assets, relying instead on virtualized and utility computing that may or may not be on-premises. This makes GRC a bit more challenging: the governance piece slips out of the direct control of the IT organization, while compliance requirements grow in number and in the sheer amount of evidence required to demonstrate your compliance. In order to have a healthy GRC function in your IT environment, you must have an IT GRC platform that can: define IT policies and controls based on external and internal requirements; manage policy content; map policies to technical and process controls; evaluate IT risk; and automate auditing and regulatory reporting. Keeping in mind that ...


Trusting Identities in the Cloud

While next-gen IT and cloud infrastructure continue to grow in relevance and adoption, there are still some serious issues that have yet to be universally solved. One of those issues is the assertion of continuous trust in identities as they move around the cloud. RSA and Zscaler announced today a collaboration to deliver trusted access for cloud computing by jointly developing a cloud-based solution to provide that identity assertion. It will integrate risk-based authentication and identity federation from RSA's Cloud Trust Authority and RSA's Adaptive Authentication with the inline web security capabilities of Zscaler's Cloud Security service. Want more information? Stop by the RSA booth in the Expo hall! ...
