Wednesday, April 23, 2008

Functional Cryptography the future?

Interesting concept this new research from UCLA called functional cryptography. Apparently the key is a function of people's "attributes" and not having the specific key itself - as far as I can understand. I would guess that defining these attributes might be tough... Seems like they are addressing key management, authentication and aspects of sharing keys without going for a full-blown PKI infrastructure...

Be interesting to find out more about this area.

However, one aspect of this did strike me as synergistic to my views of data centric/information centric security - the attributes and keys are held within the data itself and reside with the data...

Tuesday, April 22, 2008

The insider threat - Lending Tree

We spend so much time and processes protecting against the unknown external threat - it is time we also took the insider threat more seriously. Case in point - the recent news from Lending Tree about insiders giving out passwords to external entities.

Not that the above could have been easily circumvented by technology, but good process and education of employees would have helped. When trusted employees start sharing passwords, things become very dicey.

More process, threats of termination - interesting times ahead...

Monday, April 21, 2008

Errors in Quantum Cryptography?

Interesting research from Sweden - apparently researchers were able to unexpectedly find a flaw in quantum cryptography, the holy grail of 100%, bullet-proof encryption!

The researcher quotes - "We didn't expect to find a flaw". Makes one wonder if there is any technology that can claim it.

I think there are no foolproof solutions, only fools (maybe too strong a word, but the rhyming was too good to pass up!) who believe so...

Friday, April 18, 2008

Risks, cost of an attack versus price of encryption

Very interesting article by Charlie Martin in Computerworld exploring how expensive (or rather cheap) encryption really is compared to potential losses due to data loss...

Not sure he calculated the costs and probability of the cold boot attack quite right - I think the fact that over 40% of folks do not shut down their laptops while travelling makes this a higher probability. (This number came from a short survey we did in Pittsburgh with around 200 respondents - will provide more details in a forthcoming blog). Now consider the fact that people think this can be done - this changes behaviour of thieves, methinks.

However, the general idea that Charlie has is spot on - the peace of mind, staying away from the headlines, the lowering of probability is what securing data is all about....

Tuesday, April 15, 2008

RSA and Information-centric security

Been a while since my last post - vacation and the RSA conference went by fast! I had a great time at the RSA conference, we had a great booth in the Microsoft partner pavilion and talked to a whole lot of people.

One of the most satisfying parts of the conference for me was its focus on information-centric security. Check out John Thompson, CEO of Symantec, as he expounds on this during the opening keynote. Very cool! This aligns a lot with what I also think is the future of security. We cannot have device-centric or perimeter-focused security for much longer - data has to be protected at its fundamental level...

More soon as soon as I catch up with my email.. :)