Tuesday, May 27, 2008

The Blackberry keys

Lots of news over the past few days on the back-and-forth between the Indian government and RIM. And apparently the latest is a retraction - last week RIM had apparently said it would make the crypto keys available.

Apparently, the reason is that RIM itself does not have the keys - therefore they cannot hand them over. The company says, "The BlackBerry security architecture for enterprise customers is purposefully designed to exclude the capability for Research in Motion (RIM) or any third party to read encrypted information under any circumstances."

If this is true, I wonder if any government has these keys...

Thursday, May 8, 2008

Jeez - State department laptops missing...

This is bad news - folks with some of the most sensitive information seem to be willy-nilly with their laptops. How can we expect plain old corporate folks to take protection seriously?

And this snippet takes the cake: "...about 400 missing laptops belonging to the Anti-Terrorism Assistance Program ..."

I wonder how many of these were targeted and stolen... If so, is a cold boot attack more likely against these types of assets?

Wednesday, May 7, 2008

To believe or not - new research from Ponemon

New research from Ponemon on consumer behaviour post-breach - apparently over 31% of those surveyed terminated ties with an organization that had a breach.

Not sure I fully believe it when consumers say such stuff (I do not mean the Ponemon research itself :)) - I think consumers say what they think is the right thing to say. I think folks are still lukewarm when it comes to identities getting stolen and card numbers being breached. There is not yet enough pain directly resulting from this.

However, I do hope this is true - high time we took such breach information more seriously.

Tuesday, May 6, 2008

More on functional encryption and two-level keys

Following up on my previous post on functional encryption. Just read another interesting article on the subject.

The gist of it is in using policy as a way of granting access and reducing the reliance on a "trusted server". From the article:

"In a functional encryption system, keys are personalized and only one is needed for a person to gain access to all the data that should be available to them. In addition to simplifying the key process, this idea allows users—with proper access rights—to search encrypted volumes for specific information."

The key used here is a personal key which contains attributes of a person, which are used to unlock the document... Seems intriguing, but I am not sure how multiple people (or even groups such as HR) can be given access to a document based on such keys... Would like to understand this a bit more...
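As an added illustration (not from the original post or the article it cites), the access logic of an attribute-based scheme can be modelled as a policy tree over attributes: each person holds one key carrying their attributes, each document is encrypted under a policy, and a group such as HR gets access simply by the policy naming the dept=HR attribute rather than any individual. The people, attribute names and documents below are constructed, and the code models only the access decision, not the underlying pairing-based cryptography or its collusion resistance.

```python
from typing import Dict, FrozenSet, Set, Tuple

# A ciphertext policy is a tree of gates over attribute strings (constructed format):
#   ("attr", "dept=HR")                   leaf: the key must carry this attribute
#   ("and", p1, p2, ...) / ("or", ...)    boolean gates over sub-policies
#   ("threshold", k, p1, p2, ...)         any k of the sub-policies must hold
Policy = Tuple

def satisfies(policy: Policy, attributes: FrozenSet[str]) -> bool:
    """True if a key carrying `attributes` satisfies the policy a document is encrypted under."""
    gate = policy[0]
    if gate == "attr":
        return policy[1] in attributes
    if gate == "and":
        return all(satisfies(p, attributes) for p in policy[1:])
    if gate == "or":
        return any(satisfies(p, attributes) for p in policy[1:])
    if gate == "threshold":
        k = policy[1]
        return sum(satisfies(p, attributes) for p in policy[2:]) >= k
    raise ValueError(f"unknown gate: {gate!r}")

# Constructed sample keys: one key per person, issued once by the key authority.
KEYS: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"dept=HR", "role=manager", "region=EU"}),
    "bob":   frozenset({"dept=HR", "role=analyst", "region=US"}),
    "carol": frozenset({"dept=Engineering", "role=manager", "region=EU"}),
}

# Constructed sample documents, each labelled with the policy it was encrypted under.
# No policy names a person: the handbook is readable by the whole HR group via dept=HR.
DOCUMENTS: Dict[str, Policy] = {
    "salary_review.xlsx": ("and", ("attr", "dept=HR"), ("attr", "role=manager")),
    "hr_handbook.pdf": ("attr", "dept=HR"),
    "eu_incident.log": ("and", ("attr", "region=EU"),
                        ("or", ("attr", "role=manager"), ("attr", "dept=Security"))),
    "board_pack.pdf": ("threshold", 2, ("attr", "role=manager"),
                       ("attr", "dept=HR"), ("attr", "dept=Finance")),
}

def readable_by(person: str) -> Set[str]:
    """Documents that one person's single key unlocks."""
    return {doc for doc, pol in DOCUMENTS.items() if satisfies(pol, KEYS[person])}

def readers_of(doc: str) -> Set[str]:
    """Everyone whose key satisfies a document's policy, without the document listing them."""
    return {p for p, attrs in KEYS.items() if satisfies(DOCUMENTS[doc], attrs)}
```

In a real scheme the key authority binds a person's attributes together cryptographically, so two keys cannot be pooled (here, bob's dept=HR plus carol's role=manager) to satisfy a policy neither holder meets alone; this model does not enforce that.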

Monday, May 5, 2008

Dirty secret #2 - the perimeter is dead!

Just came across an interesting article in Network World on the dirty secrets of security vendors. While I agree with some and disagree with a few, it was #2 that caught my eye.

The author, Joshua Corman, claims, "There is no perimeter". Paraphrasing him -

Vendors say that the network perimeter must be defended, but most data that is actually lost doesn’t go through the firewall. Half of all breaches are the result of either lost laptops or lost thumb drives or other removable media. Businesses need to tighten up their business processes at least as much as they need to tighten up network perimeters, he says. “If you still believe in perimeters, you may as well believe in Santa Claus,” he says.

Not sure I believe in Santa Claus, but that's not the reason I agree with Mr Corman. I do believe that a data-centric or information-centric approach to security is the right one. Protecting devices, ports, networks, perimeters might become a thing of the past. Security vendors will evolve towards offering protection at the data level.

When? Now that's a completely separate discussion, though some are further along in reaching this goal than others...

Thursday, May 1, 2008

The insider threat - jobs at risk!

Looks like Her Majesty's Revenue & Customs does not take employees peeking at sensitive data lightly - they have disciplined around 600 employees.

Lots of questions come up - intentional breach, stupid mistakes, etc. If the data were protected with the right policies and access controls, would this have been prevented?

My Dad always said, when I left stuff on my car seat, "Don't tempt folks. Even if they are not thieves, the sight of something valuable can turn people". I started believing this after my car was broken into and it turned out to be a neighbor kid.

I firmly believe that taking temptation away (in this case not having access to data you should not) is a great strategy. Insider threats are more troubling, since this is targeted at the most sensitive and valuable data - while the outsider threat depends a lot on luck to get to this.