Thursday, December 20, 2007

YADSB (Yet Another Data Security Bill)..

Looks like the lawmakers are gettting serious (maybe they always were) about data breach legislation. Rep. William Clay has just introduced a new bill , H.R. 4791, to address some of these issues. This follows previously failed starts, in June, with a similar proposal from Rep. Tom Davis.

We conducted a consumer survey of approximately 400 consumers during the Black Friday post-Thanksgiving shopping season and found that many favored a single federal law compared to the myriad of state laws on the issue. Makes sense...

Have not looked at the full details of the proposed bill, but am looking forward to finding out more. Let me know if you have thoughts on this specific bill...

Tuesday, December 18, 2007

Data-centric security: How far do you de-perimeter your perimeter?

Ever since the Jericho Forum coined the term, we have seen some interesting jousting over “deperimeterization” (I personally need a cup of coffee before I attempt to pronounce that!). While the idea intrigues me, I see historical evidence against short-term deperimeterization for most organizations. Consider the Itanium vs. Opteron battle as a prime example. While the purist might say the battle is not over yet, the initial rounds by far were won by the hybrid 62/32 bit Opteron chip. The futuristic Itanium would have required significant changes in software to take advantage of the capabilities and is still trying to gain a footing.

Current investments ensure that the incumbent is favored - and by the same logic, a hybrid model for the next generation investment. And this means, a combination of perimeter security with further hardening of the current “soft” core.

From BitArmor’s perspective, we are looking at this discussion in the context of protecting the data itself regardless of where it resides (which could be the ultimate in deperimeterization), and not devices or end-points per se. I am having an increasing number of conversations with customers and industry experts about data-centric security. While I don’t think the tide is completely shifting away from end-point security, such as firewalls, full disk encryption or port control, more people are recognizing that device or perimeter-focused solutions are no longer fully adequate for their purposes. They must be paired with secondary (and tertiary, etc.) defenses.

But, if you lock things down to the point where people can’t do business, that obviously defeats the purpose; business rules and processes must enter into the equation as well, allowing people to collaborate, share documents…in short, to do business. And this is where data-centric security has already begun playing a more important role.

Therefore, while I think that security investments will migrate from hard perimeter defenses to more data-centric models of protection, it will not be immediate nor, by any means, complete. There will be more balance, stemming from a “defense-in-depth” philosophy. Multiple, smaller perimeters for authentication, encryption, access control etc., will continue to gain traction, even to the granularity of individual files.

I am almost tempted to say “multiperimeterization,” but one tongue twister for that space, is one too many!

Monday, December 17, 2007

Record fine of over $2.5M for UK insurer

The FSA (Financial Services Authority) in the UK has fined Norwich Union a record $2.5M (or 1.26M GBP) for incompetence. Seems like criminals pretended to be customers and cashed in on policies worth GBP 3.3M.

$2.5M - thats a large sum for a fine. The previous high was Nationwide Building Society for GBP 980K, earlier this year. Seems like the regulators are getting tough on companies who are incompetent. And this seems to showcase a trend in increasing levels of fines.

Monday, December 10, 2007

The crystal (now with no lead!) ball of security predictions..

Seems like everyone is predicting what the future will bring for security... I read with interest what Schneier has to say, looking out ten years (wonder why 10 is such a magic number?). Lots to get worried about. But of all the predictions, the one I got concerned about is abstraction of core skills - "..people getting by with just knowledge of Powerpoint" (must admit I do my fair share of ppt!).

I think better awareness and knowledge is the best antidote against threats and it is scary to think that we are losing our focus on core technology and assuming that some other "smart" person is on the lookout. The rest of the predictions may or may not come true, but I think we will find ways to overcome them. Some reactively and some proactively.

I also read Rich Mogull's framework for predictions - I see this to be similar for all IT investments, not just for security.
1. Hard dollar investments since I am losing money or can' make money
2. Somewhat hard dollars since my customer is losing money or I may lose money.
3. Soft dollars - some costs may be avoided and I might be able to make more money.

Thursday, December 6, 2007

Got PCI? Another aspect of data security and PCI, I did not know

Brian Kilcourse, managing partner from RSR Research shared some interesting research data with us at the recent conference. Turns out the best-in-class retailers are lagging behind in PCI compliance. Hmmm… we agree that this does not make sense, and there were many conjectures as to why this is the case. A few of the reasons put forth - they know how difficult the process is and are taking their time; they don’t care about fines (the fines don’t make a dent), it is too complex for the leaders etc.


My theory is this – retailers who are best in class, have to be operationally best-in-class as well. They must have the best logistics, high-end analysis capabilities for a streamlined operation that lowers their costs (retail is a thin-margin game). As part of this, they already have built up best practices on how to handle data well and dont see PCI as providing immediate benefits.

I suspect they all have looked at their environments from a PCI perspective. Some have concluded they meet many of the requirements and thus are not under imminent risk. Others may have decided they need to do some fundamental improvements and need the time to design and plan.

The common thread is this – these organizations are disciplined and don’t look at PCI just as a check-box. This approach is definitely the better one – make sure you have the right processes instead of just checks in the right PCI boxes.