Wednesday, December 9, 2009

New Cisco report on state of security

Cisco has just released their annual state of security report - the Cisco Annual Security Report. It mentions the normal stuff that you hear - more malware, 40% more spam in 2010, more banking trojans etc. Scary stuff, no doubt. Read more about it here.

But the stuff that worries me is what is missing (or not highlighted) in the report - i.e. data security in the enterprise. While I, being also a consumer, appreciate the issues pointed out here, the data breached from enterprises also causes significant pain.

Trojans, malware, viruses will always be around and I think we have to expect this going forward. How do we ensure that these get relegated to just annoyances and not become a security threat? This is where an information-centric approach works best - once the data is protected, only the right user opening up the document with the right application can decrypt it. The malware thus cannot access protected data since it does not have the right permissions. This might reduce the impact of much of today's malware - at least for enterprise data.

For transactional consumer data (i.e. credit card information submitted during a web session etc), we have to think of other but similar techniques...

Thursday, October 8, 2009

Hannaford case reversal

Some interesting developments for those who have been following the rulings in the Hannaford breach case - the judge had ruled that since cardholders were not affected economically because credit cards were stolen (banks will cover any losses to cardholders), they don't have a civil case against Hannaford.

However, the judge recently reversed himself and asked the Maine Supreme Court whether the "inconvenience" that the cardholders went through should be compensated... Interesting fork, and one that could have a strong impact on retailers if the Maine Supreme Court indeed thinks so...

The bottom line is whether retailers should take more care of data entrusted to them - while the judge had a very narrow view of "loss" to the consumer, the defense believes that they have a shot in making cardholder rights heard...

Should be interesting to see the developments..

Monday, October 5, 2009

One million dollars!

As a reward, that is... Express Scripts has reportedly put up $1M to anyone who can provide information leading to the arrest of those responsible. Apparently the thieves wanted to get the most from the stolen data - sell it to the highest bidder or extort Express Scripts to keep it safe!

Looks like extortion is the new black - from talk show hosts to stolen data! It will be interesting to see where this takes the industry. But my question is - is this extortion because the criminals do not have a market demand for the stolen data? If it has a ready market, why bother with extortion?

Thursday, October 1, 2009

Josh Corman at IANS

Just attended an interesting keynote by Josh Corman at the IANS event in Boston this morning. Very thought-provoking stuff - he also has an article about it in CIO magazine.

Being a good marketer, Josh trimmed down the 8 secrets to 7 (but wait!, one was free and he counted from zero, so we are back to 8 :)). I had previously discussed one of his takes in this blog.

The interesting part about listening to the discussion live, is Josh's emphasis on risk. He believes that we as security professionals have been so caught up with managing around compliance mandates, we have not stepped back to think about what risk we are mitigating.

Excellent point - especially when it relates to projects on hand. Would you do disk encryption based on the knowledge that 31% of all breach incidents are the result of lost and stolen laptops? Of course you would. However, would you rethink your decision if you also know that these lost laptops account for only 9% of all data lost? Hmmm does FDE only reduce risk by 9%?

That begs the question, what else reduces risk by a larger percentage? Interesting topic and subject for another post....

Tuesday, September 29, 2009

Virtualization and PCI standard - can we do better?

The wheels are turning for another version of the PCI standard. And this time virtualization security is a big focus in the development of the standard. Commendable, I say. Virtualization will become a bigger deal (more than it is today) and almost all organizations will have some form of virtual environment set up.

However, are we prone to repeat the same mistakes? We still seem to be stuck in the legacy world of protecting infrastructure - security professionals have no time to look beyond the normal, staple, security diet of anti-malware, IDS/IPS, firewalls etc, to where the more active threats are.

How do we bring the security world (as well as the business world) forward to rethink how to enable secure business? I have strong opinions on this - I believe an information-centric security approach is vital and imperative in virtualized environments. In fact, I can go so far as to say that this is the only logical and enforceable method, that enables virtualization to be all-it-can-be - so that business can be all it can be!

Let not PCI be a reflection of the past threats - let it become what we need now and prepare us for the future. This is the only way it can stay relevant and useful.

Friday, September 18, 2009

Gartner - Pay now or pay (a lot) later!

Read a few weeks ago a very interesting (and perhaps one of the few) analyst reports that analyze the costs of fixing a breach as compared to prevention. Check it out here...

The basic premise of Gartner analyst, John Girard, is that the costs of prevention are insignificant compared to the costs of cleanup - less than 2%! How can management of any organization look at this and say that "let's cross our collective fingers" and hope for the best?

Data protection, if done correctly, does not have to be expensive. I just read this article based on a survey that said most organizations in MA feel that the costs of data security are hurting firms. While I agree there is an investment to be made, the costs of cleanup are far higher. In fact a recent Ponemon report showed that over 60% of organizations have had breaches in the last 12 months - what this means is any organization has a 60+% chance of a breach!

Any organization should at least start protecting its most vulnerable assets - data in vulnerable locations. Be it on mobile devices such as laptops, USB devices or on file shares.

These costs are minimal compared to the costs of payment later...

Tuesday, September 15, 2009

SB-20: A California refresh!

The updated California breach law, SB-20, is finally on the Governator's table. It has been a while coming and is most interesting since it finesses the grand-daddy of all breach laws, SB-1386. For more information, check out Ariel Silverstone's blog. There is a very good analysis of the new law.

I like the use of the word "unencrypted" in the new law - it implies that even if data was encrypted but the keys were lying around, you can't claim immunity :) Contrast this language with something like "plain" or "open"...

I think this is a good step forward, especially around the notification, use of plain language etc. I would have liked it to be more focused on remedies and "get-out-of-jail" by using encryption (the MA law is one such).

Friday, September 11, 2009

My black-market value? 32 bucks

Interesting tool that Symantec has unveiled - an online risk calculator that figures out how much your identity could be auctioned off for! Apparently I am cheap and can be had for $32.29 - no idea how they got the accuracy down to 29 cents!

Without going into the merits of the calculator (and the random number generator behind it :)), I think it is an interesting thought. While a criminal might not be targeting you specifically, breaching and then auctioning off thousands of such records can make someone some pretty good coin.

It is also likely that the guys who breach have their specialty - getting the records. It is up to the buyer now to steal the actual cash from the accounts or credit cards that have been turned over! Specialization and job segmentation at its best!!

Saturday, September 5, 2009

Virtualization security compliance guidelines - quite off base!

I don't know if it is a challenge with today's compliance rules or how folks perceive virtualization security, but the recent guidelines published by VMware and RSA seem to have missed the mark. I don't want to add the word "completely", but I do think they are quite off base.

Not to say they don't have some good things in there, like platform hardening, network segmentation, change management, admin access control etc. But this is something one would be doing for non-virtual environments as well - not much different here, just common sense.

A reason for missing the mark is the non-focus on virtualization itself. Virtual environments are different. I think they need some fundamental rethinking of security, including a focus on statelessness, shorter session lifetimes and a true focus on data.

What fills me with a sense of incompleteness from these guidelines is the total non-focus on data! C'mon what are we trying to protect here? It's the data!! And nary a single mention?

Thursday, September 3, 2009

WhoHooo! BitArmor recognized in the latest Magic Quadrant!

Apologies for getting a bit excited - BitArmor is named in the 2009 Gartner Magic Quadrant for Mobile Data Protection! The full report can be read from the Gartner website. Our release about this recognition can be read from our website.

In this blog, I usually talk about my thoughts on the industry, the evolution of security etc., and I don't blog much about our product and the company. However, this I do think is a good excuse to do so :) It is good to be recognized by leading security analysts such as John Girard and Eric Ouellet!

The report highlights our unique information-centric security approach to protecting data. It also talks about our No-Breach Guarantee. And one phrase I like is "far advanced" - as a way to describe our technology. Nice!

Being information-centric in our approach to data protection makes us a bit different from the other vendors in the document - most of them protect mobile devices. Because of our Smart Tag technology, BitArmor is able to protect the data itself at all times - thus the protected data can move to a laptop, USB device, via email as attachments or via FTP. It can also move from a file share to a data center server to a backup tape and still remain protected. From this perspective, we are truly fulfilling the real "Mobile Data Protection". I think the naming of this Magic Quadrant report is a bit ahead of its times!

However, as it stands now, most people associate data protection with "mobile devices" - i.e. protecting the devices that the data rests on (laptops, USBs, phones etc). And possibly for good reason - there were no good enough or usable enough technologies that could truly protect the data itself and that too persistently. Until now, of course!

I do think the Mobile Data Protection Magic quadrant will evolve more towards a data or information-centric approach in the coming years. Looking forward to our footprint trending, nay jumping, up and to the right!

Wednesday, September 2, 2009

Another case for information-centric security

The more I read about how criminals are breaching the perimeter and getting access to sensitive data in an organization, the more I am convinced an information-centric approach is the only way to go.

Case in point is the recent article from Information Week - 5 Security Lessons from Real World Breaches. Fun stuff!! Here is a short excerpt from one attack the article describes - the conclusion..

"...The attackers used the compromised server as their home base. They deployed tools and scanners and spent several months meticulously mapping the network without being detected. Once they found the systems that contained the data that they were looking for, they simply copied the information, put it into a Zip file, and moved it out."

Emphasis above is mine - basically they compromised a server and then copied data out. Data-at-rest protection being perceived as the end-all is making me frustrated. If this data were protected using an information-centric approach - i.e. protect the data and keep it protected at all times (at rest and in motion) - this would have been much harder. All the criminals would have gotten is encrypted data.

I am also looking at the 5 guidelines/conclusions from the report and, besides a short mention of layered security and isolation, there is not much emphasis on data protection. I think the authors are missing the point. You can never have enough perimeter security - IDS/IPS and anti-malware work only to a certain extent.

You need to recognize that data is the critical asset, not the network or the server. Protect the data, damn it!!

New HIPAA breach laws taking effect

More rules and more rules... The HHS has issued final guidelines on breach notification requirements for organizations under the HIPAA law. They take effect Sept 23rd... Just in time for the G20 summit?

Maybe not. However, the reality is that organizations are having to now deal with a bevy of such requirements and the bigger problem is not in complying with basic standards, but ensuring the lowest common denominator (or in this case the strictest rules) are being met...

Saturday, August 29, 2009

Encrypted is not a boolean variable


Let's face it, encryption is a new thing, and you have to keep things simple so people can understand it.

But it frustrates me that most of the talk about encryption technology, law, policy, compliance, etc is always in terms of "encrypted" vs "unencrypted". Yeah, all your data should be encrypted. But that's the beginning of the discussion, not the end. Encryption is easy. Protecting data is hard.

Once you use strong encryption to protect your data, you have real security. That sounds great, but the flipside is that your company's security policy is probably a pile of paper in a drawer that no one reads or updates, and does not correspond to reality. How do you organize your data, backup your data, share your data, manage your data ... frankly, how do you USE your data in an encrypted world? Encryption is coming. You need to think about it now. Do your homework. If you don't, you'll be paying for your lack of preparation for years.

-Tim

BTW this blog post is encrypted with no less than three proprietary encryption algorithms (ROT-13^2, XOR-0x00, and CAESAR-26, among others) and therefore cannot be read by anyone. "encrypted == true" !

Friday, August 28, 2009

Bernanke hit by ID breach

Did the thief think he could cash into the billions that the Fed chief oversees :) Or maybe he was looking for a bailout himself!

Will this put some fire under the administration to think seriously about national laws for breach? Always seems to happen when something hits close to home and personally...

Interesting news, nonetheless...

Monday, August 24, 2009

Dirty secrets and the non-existent perimeter

The perimeter is dead - long live the perimeter (the new perimeter, that is). Which obviously is the data.

I am also intrigued by an article by Joshua Corman from IBM, in CIO magazine, that discusses this. Check out Dirty Secret #3. "There is no perimeter". I love it. Mostly because it is true. And for some small selfish reasons as well... :)

Here is what he says - very eloquently, I might add..

"We need to define what the perimeter is," he said. "The endpoint is the perimeter, the user is the perimeter. It's more likely that the business process is the perimeter, or the information itself is the perimeter, too. If you design your security controls with no base assumption of a perimeter, when you have one you are more secure. The mistake we tend to make is, if we put the controls at the perimeter, then we will be fine. For many threats, we couldn't be more wrong."

The bold emphasis above is mine - and not from Joshua. But I do it to illustrate my point (which I put forth in a recent blog on the benefits of an information-centric security approach as well). Security professionals need to move beyond the perimeter and the thinking that has dominated for the past 30-40 years, and recognize the world is different now.

For heaven's sake, the internet that allows for rapid dissemination of data and collaboration is already a teenager! Why do we still protect this environment with stuff built for the 70's?

Sunday, August 23, 2009

Benefits of information-centric security

For a while I have been meaning to write a short article on what I think information-centric security is - so here goes.

Organizations have focused on securing sensitive data by protecting the infrastructure that hosts the data. This could be implemented by hosting the servers inside a data center, using firewalls and similar perimeter protection techniques to prevent external attackers, encrypting whole drives or encrypting networks. I think of these as protecting data by proxy - i.e. protect the network to protect the data, protect the perimeter to protect the data, protect the device to protect the data.

Information-centric security is the concept of focusing the protection on the data itself as opposed to the device – protection that stays with the data while at rest and while in motion. Access controls and other policies are embedded in data and follow it wherever it goes - thus enforcing these policies at the data level, regardless of where the data is.

This approach has several advantages:

  • Continuous protection: Data always remains protected since it does not get decrypted as it moves - this has performance benefits as well as security benefits
  • Device independence: Data can be protected regardless of the devices it rests on or travels between. For example, if data moves to a USB device or to a backup tape, it still remains protected. No need to deploy a USB protection solution or a backup tape solution separately.
  • Enabling secure collaboration: Since the data remains persistently protected, you can share it better - the proper access controls of who can access the data remain with the data itself! Therefore data can be self-defending. No need to provide access to networks, file shares etc. to share data.
  • Lower costs and complexity: all this comes down to much lower costs and complexity - no need to have multiple device- or network-centric products protecting data, and that too by proxy...
I think the world is moving to such a method of protecting data - the old ways are untenable in today's world of exploding data and the requirements to share and collaborate.
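As an added illustration of policy that travels with the data (my own example for this post, not BitArmor's product code): a Go object whose embedded access policy is bound to the ciphertext through AES-GCM's additional authenticated data, with the content key sealed once per allowed principal. The principal keys, their derivation and the policy encoding are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ProtectedObject is a constructed container for the idea in the post: the ciphertext
// carries its own policy plus the content key sealed per listed principal.
type ProtectedObject struct {
	Policy      []string          // principals allowed to open the data
	Payload     []byte            // AES-GCM nonce||ciphertext of the data
	WrappedKeys map[string][]byte // per principal: nonce||sealed content key
}

// policyAAD binds the policy to every seal as additional authenticated data,
// so editing the policy afterwards breaks the tag instead of widening access.
func policyAAD(policy []string) []byte {
	return []byte(fmt.Sprintf("policy:%q", policy))
}

// principalKey stands in for a per-user key that a real deployment would get
// from an identity provider or a token (hypothetical derivation, example only).
func principalKey(name, secret string) []byte {
	sum := sha256.Sum256([]byte(name + ":" + secret))
	return sum[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce||ciphertext under a fresh random nonce.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any change to sealed or aad fails authentication.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("sealed blob too short")
}

// Protect encrypts plaintext once under a random content key and seals that key for each principal in policy.
func Protect(plaintext []byte, policy []string, keys map[string][]byte) (*ProtectedObject, error) {
	contentKey := make([]byte, 32)
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	aad := policyAAD(policy)
	payload, err := sealGCM(contentKey, plaintext, aad)
	if err != nil {
		return nil, err
	}
	obj := &ProtectedObject{Policy: policy, Payload: payload, WrappedKeys: map[string][]byte{}}
	for _, p := range policy {
		pk, ok := keys[p]
		if !ok {
			return nil, fmt.Errorf("no key for principal %q", p)
		}
		if obj.WrappedKeys[p], err = sealGCM(pk, contentKey, aad); err != nil {
			return nil, err
		}
	}
	return obj, nil
}

// Open recovers the plaintext for principal; an unlisted principal has no wrapped key
// (nil fails the length check), and a wrong key or a tampered policy fails the GCM tag.
func Open(obj *ProtectedObject, principal string, key []byte) ([]byte, error) {
	aad := policyAAD(obj.Policy)
	contentKey, err := openGCM(key, obj.WrappedKeys[principal], aad)
	if err != nil {
		return nil, fmt.Errorf("%q is not authorized by the embedded policy", principal)
	}
	return openGCM(contentKey, obj.Payload, aad)
}
```

Copying the bytes of a ProtectedObject to a USB stick, a mail attachment or a backup changes nothing about who can open it; the check is carried by the object itself.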


Tuesday, August 18, 2009

The same TJX hacker?

How many more breaches were perpetrated by Albert Gonzalez? According to new charges, he is saddled with TJX (from before) and now with Heartland as well as Hannaford! The guy has been busy, no doubt.

What was it that made these breaches similar? And what did we not learn from the first ones that we let Albert and gang do it again and again? Obviously there are many theories - but my view is, at the end of the day, infrastructure protection can get you only so far.

We need an information-centric approach to protection where the focus is not on the pathways, perimeters and devices, but on the data itself. Imagine if this were the case in the above breaches, where data was stripped from networks or from servers. If that data were protected at rest and in flight, it would not have mattered if the data were copied outside the company - it is protected! It remains encrypted!

Better, more logical and more effective security. But seems like folks are still in the rush of "protect the infrastructure"...

Thursday, July 30, 2009

Persistent, information-centric protection, PCI and the Network Solutions breach

The more news I see regarding various breaches, the more I am convinced of the superiority of persistent and information-centric security. For example, take the latest breach at Network Solutions - a PCI compliant organization. Over half a million cards stolen.

Comments galore:
Here is what they say "The company determined that the unauthorized code may have been used by cybercriminals to capture transaction data, including customer names, addresses, and credit card numbers, and transfer it to servers outside of the company...."

Now look at the statements below from industry experts:

"...many enterprises are behind in security protection efforts such as anti-virus updates due to shrinking IT budgets, which results in unpatched vulnerabilities that are easily exploited"

Seems like anti-virus and unpatched systems are the main culprit - long live infrastructure protection!

"...the incident illustrates the risks of cloud computing."
A broad general statement - not clear what the implication is :)

The point:
My point is that the industry is so wrapped around protecting the infrastructure - i.e. protecting data by proxy - that they forget what it is they are really trying to protect. With an information-centric security solution, the credit card data would be protected persistently. Even if the data were to be "..transferred over to servers outside the company..", it would still remain encrypted, thus making it much harder for criminal organizations to obtain any value from the data.

The last and best line of defense is the data - this is how layered security should be.

Friday, July 24, 2009

Where does a £3M fine hurt?

Not sure, but we will know. Regulatory bodies are becoming increasingly tough on lax organizations for not protecting sensitive data - HSBC was recently fined £3M for not adequately protecting customer records.

The interesting part to notice is the fine was applied even though no customer had an unfortunate incident after the breach - I presume like a lost identity, stolen money from their bank etc.

And even more interesting was that HSBC got a 30% discount for cooperating :). Good boy!

Thursday, July 23, 2009

It's the Vision Thing, Stupid!

Let's face it: "It's the software, stupid!" gets almost a million hits on Google.

And I don't want to belittle software. Software is important. Software is what processes your data, and unfortunately, software is horribly badly designed and rushed to market long before it is ready. Your data is at risk? Blame software. It's easy, and you can be 99% sure you are right. Those are pretty good odds.

But think about where you were when "ILOVEYOU" hit. When I wrote "JustBeFriends", we assumed that Microsoft would blame the victim, as they had every previous time. Instead, Microsoft changed direction and started caring about security. Bad news for me, good news for Microsoft.

This is a blog post. It will not answer all your questions. But it will make the following points:

(1) virtualization is important,
(2) your data is what matters,
(3) the world is changing,
(4) there are no time machines or magic wands.

We now return you to your regularly scheduled blog.

-Tim

Wednesday, July 22, 2009

Virtualization security - presentation at the OpenGroup Security Conference

Just presented on virtualization security and some of my thoughts on how an information-centric security approach will be absolutely essential - this is at the OpenGroup Security Conference in Toronto. I am putting up the slides I presented in this post.

This is my first attempt at sharing slides via Slideshare - let's see how it works:

The new Missouri breach law

Looks like we have state number 45 - Missouri passed a new breach law recently and will be applicable by the end of August. Nothing earth shattering in the new law - follows pretty much the standard ones.

The interesting part is they decided not to go the Nevada and Massachusetts way and look at prescribing a solution - i.e. encryption. Does this mean there is less perceived value in what the MA law does? Or are legislators unwilling to go the extra step to enforce protection for fear of pushback?

Monday, July 20, 2009

The UCSD and Kaiser breaches

Have not talked much about any specific breach in a while, but this one caught my eye. Apparently the hotline for a hospital that had a breach was swamped with folks trying to understand what happened and whether they were at risk. UCSD had a breach of about 30,000 records, when an external attacker was able to pry through the defenses.

I was beginning to get concerned that folks were not in the least (concerned that is)! Apparently they still do care when their personal information gets out there - but, as is the case all the time, it has to get personal. In fact they were concerned enough to swamp the hospital with calls!

Which brings me to the benefits of small amounts of money, spent judiciously on the right security programs. Even if the cost of losing 30K records was a minimum of $30 per record (including the costs of notification, credit monitoring, legal fees etc.), it's still nearly a whopping million dollars! A lot of moolah, to be sure...

Which brings me to the Kaiser breach - the judge saw it prudent to smack the hospital on its wrists with a fine of $187K. Not a large fine in the context of a hospital, but something to say it is serious about preventing lax management of records.

Wednesday, July 15, 2009

New Ponemon report - little change

It is interesting to note that the more things change, the more they remain the same! The new Ponemon report is out and the numbers are interesting (but no shocking new revelations). Check out the article from Dark Reading.

  • 74% of organizations had a breach in the last 12 months (the PGP release says 85%)
  • 22% had five or more breaches (and they did not have any encryption)
  • Compliance is a big driver (64% say this is why they do what they do)
One interesting nugget is the idea that encryption is becoming more strategic and folks are moving away from point solutions. I am not sure how people view the difference between point solutions and a suite of solutions :) (the latter is just a bunch of point products slapped together into an interface).

I strongly believe that this device-centric approach will not get us out of this funk. Every year we have more breaches, even though adoption of encryption is getting better. Why? Poor strategies, poor management of encryption and multiple device centric solutions not really doing the job.

The only way to truly protect data is with an information-centric security approach - and not focus on multiple devices, apps, file shares and now mobile devices as seen in this article.

Tuesday, July 14, 2009

The Soprano breach

I guess this is the trend we have been seeing - breaches and hacking are not for brownie points and bragging rights. Real, solid criminal enterprises are behind it, as seen by this story about the mafia being busted for hacking into Lexis Nexis databases.

Staggering, the amount of money out there from breaches - else why would enterprises leave the opportunity costs and gross margins of other endeavors (drugs, etc) and flock to this? Or maybe it is the "white-collar"ness of the crime? And maybe less violence?

Friday, July 10, 2009

Enhancing DLP

What exactly is DLP? The general consensus is that DLP technologies worth their salt should include some form of content awareness. Was recently at the Gartner Security Summit and Eric Ouellet made a strong case for it - if you get a chance to see the presentation, it is very well worth it and provides a great overview.

Also, just read a good article in CSO Magazine by Bill Brenner on technologies that can extend the value of DLP. Am glad that folks are seeing the value of encryption within a data leakage context and am encouraged by the comment by William Pfeifer about the requirement to protect the data at all times and not just at rest. This, I believe, is the right information-centric approach.

One point I think Bill might have missed is the value of Identity technologies (IAM) to enhance DLP as well. I strongly believe that the combination of IAM + content-aware DLP + persistent encryption can solve (from a technology perspective) many of the challenges we face. This gives control over roles and the content itself, as well as completing the action of protecting the data by enforcing specific access control triggers within the data itself.

Aha - true "discover once, protect forever" :)

Monday, July 6, 2009

The Sharepoint security conundrum

Sometimes going to security conferences can be not as useful. However, I just got back from the Gartner Security Summit - some very interesting presentations and conversations. I like the in-depth analysis that they do - and this time I was intrigued by the Sharepoint security presentation by Neil MacDonald.

A few points I learnt:

  • Sharepoint is the fastest growing product in Microsoft's history! Taking over and replacing many file shares and other collaboration products.
  • Security is a big concern due to the rapid growth - especially when collaborating with external parties.
  • Data is usually not encrypted within Sharepoint - makes it hard to search and index.
Sharepoint is an example of an information-centric approach in an organization - and I think most optimal for a similar information-centric approach to data security. You cannot protect the data by protecting the boxes, encrypting hard drives etc. The protection policies should be with the data and/or enforced by authentication and the right authorization within Sharepoint.

Will be interesting to see how this shakes out - I am excited about the information-centric security approach that Sharepoint will force organizations and vendors to adopt!

Wednesday, June 10, 2009

The T-Mobile Breach - getting personal

Now they are getting personal! Being a T-Mobile customer has brought this scary world of breaches and identity theft home to me - with the news that T-Mobile confidential and customer data had been breached.

Being in the security industry and seeing a lot of breaches, one tends to get a bit overwhelmed - both with the scale and costs involved. And after a while one gets a bit numb as well. However, when it hits you personally, like it does for me now, it feels a bit different. I am frantically checking each of my credit card statements for erroneous charges, my bank statement to see if any worrisome withdrawals have gotten through etc. I am worried about my SSN being compromised and identities of my family stolen. Not a fun place to be...

While this may turn out to be a hoax as some suggested (I selfishly do hope it is), the sinking feeling it gave me when I read the news is real. And such a breach is not, by any means, far-fetched.

Sunday, May 10, 2009

EU requiring guarantee of software security?

In one word - wow. Looks like software companies might be held liable for the security of their software if the EU gets its way. According to the article:

"Software companies could be held responsible for the security and efficacy of their products, if a new European Commission consumer protection proposal becomes law.

Commissioners Viviane Reding and Meglena Kuneva have proposed that EU consumer protections for physical products be extended to software. The suggested change in the law is part of an EU action agenda put forward by the commissioners after identifying gaps in EU consumer protection rules."

I like this, since BitArmor itself has announced a No-Breach Guarantee. It is a good idea to make sure software vendors have a bigger stake in making their software more secure.

However, I am not sure I like the stick approach. There could be multiple ramifications to this. Will all software have the capability to do this and be secure? Will vendors become more risk-averse and thus not innovate? How will the varying nature of environments that software works in enable such a law to be enforced?

I think it might be better to provide incentives for better security, i.e. ensure that government contracts have a preference for software with such guarantees - rather than a blanket law that forces it.


Tuesday, April 7, 2009

Security and learning from nature

Nature is interesting in how it deals with threats. I think we can learn a lot from it (while I am just as sure I will be reaching while I construct some of the analogies below!).

One point that always sticks in my mind is how the "bad stuff" - germs, viruses, bacteria etc. - is all around us, right next to us. Compare this with how an organization likes to look at security:

  • Try to ensure the whole environment is secure (i.e free of bacteria etc)
  • Try and restrict movement of assets (i.e. restrict sharing of data)
I think this approach is a fool's errand. We can never be rid of malware or the threats around us. The key will be to learn from nature and see how it deals with such threats. It does not try to ensure everything is pristine; it just ensures the critical asset is secure. The air we breathe, the water we drink etc. may never be pristine, but our body can deal with it since it has antibodies for most of the bad stuff out there (true, we also need to make sure we don't breathe in the Ebola virus).

However, the lesson is: let's not try to fix the environment - we will never succeed. Let's try to ensure the asset (in this case the data or information) is truly protected. This information-centric approach is the better and more logical way forward - as nature points out to us!

Monday, March 30, 2009

Devolution, job responsibilities and data-centric security

Seems like the data/information-centric approach to data protection is gathering more steam. Interesting article in CSO Magazine by Forrester analyst Andrew Jaquith talks about giving up control to gain control - using a data-centric security approach. Very interesting.

It talks about forgoing an infrastructure-control perspective in favour of a data-centric one, and devolving responsibility to the people who actually use the data.

Here is a short excerpt:

"Instead of beating your head against the wall, devolve responsibility to the business, keeping controls closest to the people who use the data. IT security should be primarily responsible only for deploying data protection technologies that require minimal or no customization."

Another excerpt I agree with :

"Confronted with these three challenges, some nervous CIOs and CSOs choose to throw the proverbial kitchen sink at the problem: DLP, encryption-everywhere, enterprise key management, NAC, and employee education. However, this approach will fail because at its roots, the problem of data security stems from four sources: digital information was meant to move; information classification isn't ingrained into work processes; technical solutions aren't standardized; and accountable parties are too far from the controls."

The main one for me is the first: data is meant to move, be distributed and gain in value! You cannot stop data from moving and still be a friend of the business!

The Chinese Cyber very, very, very, targeted attack

Incredible news about the cyber attack launched from China - and its takeover of systems worldwide.

What is amazing about this is the large number of countries attacked - 103 with the small number of actual computers affected - 1200! Just about 10 systems a country - now that's a targeted attack! And to top it off, apparently over 30% were "high-value" systems and those within embassies of many countries.

It is remarkable that something this targeted can be achieved using a single piece of malware - unless it is the secondary phase after an earlier one was spread wide, segmented the "market" and finally zeroed in on those that matter.

Without taking away from the seriousness and criminality of it, the marketer in me is impressed - and shocked.

Wednesday, March 18, 2009

Heartland and Visa - a big case of CYA?

The latest salvo in the Heartland saga is Visa's decision to delist both Heartland and RBS WorldPay from the PCI DSS compliance list. According to a harsh assessment by Avivah Litan, Gartner analyst: "It's all legal maneuvering by Visa," Litan said. "This is PCI enforcement as usual: They're making the rules up as they go."

Ouch. These are interesting developments, and they raise some questions:

  • Is complying with PCI not enough anymore?
  • Was Heartland really compliant?
  • Or did the auditors not do a good job when they looked at Heartland?
  • Do compensating controls not do the job?
  • Is the PCI standard too vague and open to interpretation?
  • Or is Visa just ensuring it does not get caught in the legal storm brewing around the breach?

Questions, questions...

I hope that this drives the industry forward in creating better standards, better auditors and better solutions that can address the increased threats we face daily - all we can do is look for the silver lining in this debacle...

Thursday, March 5, 2009

Fraud affecting the huddled masses

Could not believe the recent Gartner analysis that says 7.5% of Americans have been hit by financial fraud - a good chunk of it due to breaches, phishing etc. That is about 22M people, assuming a population of 300M. That's a lot!

From the article:

"Gartner says financial losses are highest in the case of new-account, credit card and brokerage fraud, with the average cost per incident totaling $1097, $929 and $900, respectively."

The amount of money lost is staggering - if we assume a more conservative number of $500 lost for 22M Americans who have been defrauded - that's a total loss of $11B in 2008!

But wait, there's more -

"Victims of brokerage, credit card and debit card account fraud find it easiest to recover their losses, receiving an average of 100%, 86% and 77% of the funds stolen, respectively."

These defrauded customers get their money back - and the banks have to pay for these losses! (Well, they recover it from customers through increased fees and interest.)

I guess the point I am making is - the losses are real, the pain is real. We need to work to reduce these losses and fraud.

Monday, February 23, 2009

The ex-employee threat

We all suspected it, and some might have done it as well. According to the latest Ponemon survey, nearly 60% of terminated employees take some sensitive company data with them. But the most troubling finding is that ex-employees are often still able to access company data after they have been let go!

I would think the majority of these cases can be prevented with good, simple baseline security. Some, of course, will need more sophisticated tools such as DLP that can track documents based on content. The hardest part will be stopping a malicious user from taking a small set of extremely sensitive documents - for example by photographing the document on his PC screen! If there are a lot of documents, such manual exfiltration becomes impractical for the employee.

At the end of the day, one has to trust employees and be able to track documents and prosecute. If one or two high-profile cases end up in court, deterrence will become a good security policy!
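The most basic of those baseline controls is making sure access actually ends when employment does. The following Python script is added here as an illustration; it is not from the Ponemon survey or from any product. It reconciles a constructed HR termination feed against a constructed directory export and a few constructed file-server audit lines, and flags ex-employees whose accounts are still enabled, who logged in after leaving, or who show file activity after leaving. The three record formats and the one-day grace period are assumptions.

```python
"""Offboarding reconciliation: flag ex-employees whose accounts are still
enabled or who still show activity after their HR termination date.

Illustrative example with constructed data; not from the Ponemon survey or
any product. The three feed formats and the one-day grace period are
assumptions."""
from datetime import date, datetime, timedelta

# Constructed HR feed: user -> last day of employment (None = still employed).
HR_RECORDS = {
    "alice": None,
    "bob": date(2009, 2, 6),
    "carol": date(2009, 2, 13),
    "dave": date(2009, 1, 30),
}

# Constructed directory export: user -> (account enabled?, last interactive login).
DIRECTORY = {
    "alice": (True, datetime(2009, 2, 20, 9, 5)),
    "bob": (True, datetime(2009, 2, 18, 22, 41)),    # never disabled
    "carol": (False, datetime(2009, 2, 12, 17, 2)),  # disabled on time
    "dave": (True, datetime(2009, 1, 28, 11, 0)),    # enabled but idle
}

# Constructed file-server audit lines: "<ISO timestamp> <user> <action> <path>".
AUDIT_LOG = """\
2009-02-18T22:41:07 bob OPEN /finance/q4-forecast.xlsx
2009-02-18T22:43:19 bob COPY /finance/q4-forecast.xlsx
2009-02-19T08:12:00 alice OPEN /hr/handbook.pdf
2009-02-12T16:58:31 carol OPEN /sales/pipeline.xlsx
"""


def parse_audit(text):
    """Yield (timestamp, user, action, path) from the audit text, skipping blanks."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split(maxsplit=3)
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), user, action, path


def reconcile(hr, directory, audit_text, grace_days=1):
    """Return {ex-employee: [issues]} for every leaver with residual access.

    Issues: "enabled" if the directory account is still active, "login" if the
    last login is after the cutoff, and one entry per audit event after the
    cutoff. The cutoff is the termination date plus a grace period, since
    same-day deprovisioning is normal."""
    findings = {}
    events = list(parse_audit(audit_text))
    for user, left_on in hr.items():
        if left_on is None:
            continue
        cutoff = datetime.combine(left_on, datetime.min.time()) + timedelta(days=grace_days)
        issues = []
        enabled, last_login = directory.get(user, (False, None))
        if enabled:
            issues.append("enabled")
        if last_login is not None and last_login >= cutoff:
            issues.append("login")
        for ts, who, action, path in events:
            if who == user and ts >= cutoff:
                issues.append(f"{action} {path} at {ts.isoformat()}")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in reconcile(HR_RECORDS, DIRECTORY, AUDIT_LOG).items():
        print(user, "->", "; ".join(issues))
```

On the constructed data this reports bob (still enabled, logged in and copied a finance spreadsheet twelve days after leaving) and dave (enabled but idle). Run nightly against real HR, directory and audit exports, the "enabled" finding is the one to fix first; the audit-event findings are the ones that warrant an incident.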

Tuesday, February 10, 2009

Breaches: The collective yawn

Are the breach laws not effective at all? Is the public not concerned, or not paying any attention? Not sure what we should expect - outrage, public demonstrations, letters to senators? But as the recent article from NetworkWorld points out, folks don't seem to care much...

Possibly organizations pick up on this apathy, and combined with the multitude of complex regulations and data protection solutions, the result is that folks do not know how to address these issues. The challenges may seem too much.

I think the right way to approach the problem is to take a risk-based approach - what is the most vulnerable area, and how do we protect that? Start with something small, since inaction does not help at all. For many organizations worried about losing assets outside the organization, protect the mobile data - that which goes outside the organization. This would mean laptops and USB devices to start with, and go from there.

Obviously if the threat is internal negligence, maybe look at DLP solutions that can, based on policy, protect sensitive data from leaking outside the enterprise.

The main point is: start on the path. Don't wait to develop a comprehensive plan that takes a year to study and set up - look for quick hits and gains. As you deploy you will be able to develop the right plan for the enterprise.

Thursday, February 5, 2009

Breaches - up, up and away!

The news around breaches seems exactly like that of the current economy - gloom and doom all around. The latest in the fusillade is the analysis from Jon Oltsik of ESG. Looks like the number of breaches every year has been increasing - and this year it seems worse. With everything that is happening (Heartland, the VA settling, the recent Ponemon report, the McAfee trillion dollar news), this new research is in expected territory.

However, one interesting nugget from Jon - 61% of small organizations had a breach in the last 12 months while 49% of large ones succumbed in the same timeframe. One would have expected the difference to be much higher. Larger organizations have far more resources and security technologies in place to prevent such breaches than smaller organizations do. There could be many reasons for the smallish gap - large companies are bigger targets, have more employees, have stringent disclosure requirements, have more data, etc. All valid reasons...

While this might be true, my hypothesis is that current security measures are also not working in large organizations. Breaches do not just happen in one area (say laptops), but wherever data goes. And multiple, device-centric approaches to data protection do not mitigate breaches as much as folks would like to think.

One needs a better and more logical approach to data-protection. I firmly believe the information-centric approach is the way to go - protect data once, keep it protected wherever it goes - on any device and for any application.

Wednesday, February 4, 2009

BNY Mellon settles after breach

One more organization is now settling after a breach affected over 600 thousand customers. Apparently BNY Mellon will pay for 3 years of credit monitoring (initial 2 years and now an additional 12 months). At a very conservative estimate of say $10 for each person for three years, this comes to $6M - at $50 it is about $30M.

Amazing that folks don't take protecting data more seriously, as opposed to making the three credit agencies wealthy!

Tuesday, February 3, 2009

Heartland and end to end encryption

Interesting to note that Robert Carr, CEO of Heartland, is now calling for end-to-end encryption. In his words...

"I believe the development and deployment of end-to-end encryption will provide us the ability to implement increasing levels of security protection as they become needed"

How this encryption will be implemented is another story - do we go with one product to protect data at rest (not one, but one for each device!), another for networks, etc.? I think this is a bad move - each time you move sensitive data from one device or network to another, you go through a decrypt/encrypt cycle, and guess what happens when you decrypt? The data sits in the clear on that device, where anything running there can read it.

I think only a data or information-centric approach to data protection can truly give you this end to end protection for data. Protect your data once, the protection remains with the data wherever it goes - is this not what you really want?

Monday, February 2, 2009

Cost of a breach - redux

More fun news about the cost of breaches. While everything in this economy is on a firesale, it seems the cost of breaches continues to escalate. First McAfee came out with a study saying that the costs to fight and repair data breaches last year were about one trillion dollars! From the report:

McAfee made the projection based on responses to a survey of more than 800 chief information officers in the U.S., United Kingdom, Germany, Japan, China, India, Brazil, and Dubai.

The respondents estimated that they lost data worth a total of $4.6 billion and spent about $600 million cleaning up after breaches, McAfee said.

I think the numbers are very high - I calculated about $14B/year by taking the number of records breached since 2005 (~250M according to attrition.org) and multiplying by the average cost per breached record (~$200 according to Ponemon). But this seems like a larger survey sample size - so I may be wrong.

Hot on the heels of the McAfee survey is the new report from Ponemon - costs are going up, average cost of a breach is $6.6M, and similar interesting numbers..

The bottom line to all this - I think - costs are high and it is better to protect your data than to deal with the breaches and lost business that comes with it.

Friday, January 30, 2009

Fines and lawsuits - data breaches and the bottomline

I am not sure if the costs of data breaches are considered "soft costs", or whether prevention is just not sexy enough - but the recent $20M settlement by the VA and the news about the lawsuit filed against Heartland seem to set an interesting precedent.

Will this shake up the companies and have them start thinking that prevention is significantly less expensive than the headache and costs of settling stuff, post-breach?

Time will tell...

Sunday, January 25, 2009

I disagree with Bruce Schneier - but ask for his help!

Some more interesting feedback on our guarantee, the most recent of which is from Bruce - I love his blog and read it quite often. In this one he tackles the BitArmor guarantee head on :) I respect his opinion on a lot of things, but in this case I think he may have been a bit off the mark.

In the litigious society we live in, putting yourself out there and standing behind your product is not a simple task. It takes some serious product capability to even think about offering something like this - as an executive, one would have to be completely irresponsible to expose BitArmor this way if that were not the case. Ergo, Bruce, please give us a little credit - this is not just a PR stunt.

There obviously is a PR element to this, but without product capability to back it up, no company can do this. It would have been nice of you to have at least acknowledged that possibility and asked insurance companies to step up, instead of “pooh-poohing” the whole thing.

What we do as security companies is reduce risk - what an insurance company does is transfer risk or normalize it across a large set of customers. Big difference there. I bet if insurance companies feel security products work, they would be able to better quantify the liability and offer affordable premiums! It takes the foundation of good security for insurance to work - buying and selling liability will be easier if this foundation is strong.

And to your point below:

“So if BitArmor fails and someone steals your data, and then you get ridiculed in the press, sued, and lose your customers to competitors -- BitArmor will refund the purchase price.”

Here is the rub – this process is not exclusive to BitArmor protected data! If you lose your data, protected by any security product (or not protected at all), you will still be ridiculed, sued and lose your customers! We are not claiming that our product is unbreakable – what we are saying is we are willing to shoulder some responsibility for its failure to do the task it was bought for, i.e. protect data.

And we think we can do a better job than any product out there - hence our confidence in putting forth a guarantee. If we can make this better and more workable for the industry, we welcome a conversation with Mr Schneier and ask for his help.

We have, we believe, the right product for this. Help us take the security industry forward.

Wednesday, January 21, 2009

One hundred million! A breach of staggering proportions

This is unbelievable - and sounds almost like Dr Evil asking for ransom before threatening to blow up something. In spite of all the PCI regulations and best practices to protect data both at rest and in flight, about 100 million records were breached at payment processor Heartland. I'd be interested to know if Heartland was indeed PCI compliant.

The challenge, I think, is that lots of folks think about compensating controls to get around actually protecting the data. And surprisingly, in spite of the TJX breach that happened across the wire, most folks think that just encrypting their laptops is enough! And the Heartland case has proven otherwise - one also needs to protect data in flight!

How many such network pathways can one protect? How many are there to protect? This is why the information-centric approach makes sense. Protect the data itself - don't worry about the pathways as much. Ensure that the data is persistently and continuously protected at all times - this gives you both device independence and network independence.

And breaches, massive or small, can be cost effectively avoided.
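To make the pathway point concrete (this post, and the February 3 post above on Heartland's call for end-to-end encryption and the decrypt/encrypt cycle at every hop), here is an added Python example. It is not BitArmor's code and has nothing to do with the specifics of the Heartland case. It models a constructed path from a laptop through a file server and a mail gateway to a recipient, with the file server compromised. With hop-by-hop link encryption every hop decrypts and re-encrypts, so the compromised hop sees the record in the clear; with the record encrypted once under a key only the owner and recipient hold, the same hop sees only ciphertext, and any modification in transit is caught by the authentication tag. The cipher is a standard-library HMAC-SHA256 counter-mode construction with encrypt-then-MAC, used only so the example runs anywhere; in a real deployment you would use a vetted AEAD such as AES-GCM. The hop names, keys and the card-like record are all constructed.

```python
"""Hop-by-hop link encryption versus end-to-end (information-centric)
protection of a record crossing several devices.

Illustrative example, not BitArmor code. The cipher is an HMAC-SHA256
counter-mode keystream with an encrypt-then-MAC tag, built from the
standard library only so the example runs offline; deploy a vetted AEAD
such as AES-GCM instead. The path and the sample record are constructed."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN, BLOCK = 16, 32, 32


def _subkey(master, label):
    """Derive independent encryption and authentication keys from one master key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream_xor(enc_key, nonce, data):
    """XOR data with HMAC(enc_key, nonce || block offset) blocks (toy CTR mode)."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(d ^ k for d, k in zip(data[i:i + BLOCK], ks))
    return bytes(out)


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    body = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key, blob):
    """Check the tag before touching the ciphertext; raise ValueError on tampering."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext modified or wrong key")
    return _keystream_xor(_subkey(key, b"enc"), nonce, body)


class Hop:
    """A device or network segment on the path. A compromised hop records
    every byte string it handles, which is what malware on it would see."""

    def __init__(self, name, compromised=False):
        self.name, self.compromised, self.captured = name, compromised, []

    def observe(self, data):
        if self.compromised:
            self.captured.append(data)


def send_hop_by_hop(record, hops, link_keys):
    """Encrypt per link: each hop holds the key for its inbound link, so it
    decrypts the record in order to re-encrypt it for the next link.
    link_keys has one entry per hop plus one for the final link."""
    data = record
    for hop, key in zip(hops, link_keys):
        data = decrypt(key, encrypt(key, data))  # the link is encrypted ...
        hop.observe(data)                        # ... but the hop sees plaintext
    return decrypt(link_keys[-1], encrypt(link_keys[-1], data))


def send_end_to_end(record, hops, data_key):
    """Encrypt once under a key only the owner and recipient hold; the hops
    forward opaque ciphertext and never need the key."""
    blob = encrypt(data_key, record)
    for hop in hops:
        hop.observe(blob)
    return decrypt(data_key, blob)


def leaked(hops, record):
    """True if any compromised hop captured the record itself."""
    return any(record in hop.captured for hop in hops)


def tamper_detected(key, plaintext):
    """Flip one ciphertext bit and confirm decryption refuses the blob."""
    blob = bytearray(encrypt(key, plaintext))
    blob[NONCE_LEN] ^= 0x01
    try:
        decrypt(key, bytes(blob))
        return False
    except ValueError:
        return True


def demo():
    """Run both delivery modes over a path whose file server is compromised.
    Returns (hbh delivered ok, hbh leaked, e2e delivered ok, e2e leaked)."""
    record = b"4111111111111111|12/11|SMITH JOHN"  # constructed card-like record
    hops = [Hop("laptop"), Hop("file-server", compromised=True), Hop("mail-gateway")]
    link_keys = [os.urandom(32) for _ in range(len(hops) + 1)]
    hbh_ok = send_hop_by_hop(record, hops, link_keys) == record
    hbh_leak = leaked(hops, record)
    for hop in hops:
        hop.captured.clear()
    e2e_ok = send_end_to_end(record, hops, os.urandom(32)) == record
    e2e_leak = leaked(hops, record)
    return hbh_ok, hbh_leak, e2e_ok, e2e_leak


if __name__ == "__main__":
    print(demo())  # (True, True, True, False)
```

Both modes deliver the record intact, but only the hop-by-hop path hands it to the compromised file server in the clear. The design point is where the key lives: a link key necessarily lives on both ends of the link, so every device on the path is a decryption point, while a data key bound to the record lives only with the owner and the intended recipient.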

Friday, January 16, 2009

Warranty versus a no-breach guarantee.

Not surprisingly, we got some questions on our recently announced No-Breach Guarantee. One specifically I would like to address today is the notion of a software warranty versus the No-Breach Guarantee. Are they not the same?

Well, we think not. Most software warranties are for 30-60 days and basically say the vendor is not responsible for anything. The application will have errors, bugs and might not install or perform as indicated :) Check out this interesting eWeek article titled "Software Warranty Woes" on the subject.

A few excerpts from the article:

"GM couldn't sell a car using the [current] software model," in which the buyer assumes the risk of making sure the product works reliably, says Scott, whose company is a large SAP and Electronic Data Systems customer.

Software vendors typically provide a 90-day limited warranty that promises the application will conform to published specifications. The supplier usually adds that the software may have errors and notes there are no guarantees that an installation will be successful.

That's not good enough, Scott says.

And some more..

I read with interest the comment on CNet by Phil Dunkelberger, CEO of PGP, on our guarantee. I am not sure if Mr. Dunkelberger has read his own EULA - PGP has a very limited 60 day software warranty - terms used are "PGP Corp will, at its own expense and as its sole obligation and your exclusive remedy for any breach of this warranty,... " etc etc..

Not the same, I would contend.

We don't claim to have the perfect answer, but we do think the BitArmor guarantee better reflects what the customer is purchasing data protection software for - to prevent data breaches! And we stand by our capability and responsibility to provide that protection.

Thursday, January 15, 2009

Introducing a no data-breach guarantee

Usually we do not talk much about our product or company in this blog. However, today might be an exception :)

This is an exciting day for us at BitArmor - we are announcing a guarantee against data breaches for organizations looking to protect sensitive data and avoid the massive expense of a data breach. We feel proud in being the first vendor to do so!

The concept is simple - we believe we have superior Smart Tag technology that can protect data persistently, using an information-centric approach. The data remains protected at rest and in flight and is device independent, which gives us the ability to protect data on multiple devices, especially the ones that are most vulnerable: laptops (where we use disk encryption in addition to our persistent file encryption), USB devices and email attachments, among others.

This gives us the confidence (well, we also derived a lot of it from government agencies and crime labs beating up on our software!) to make this bold statement and back our product with a money-back guarantee in case a publicly announced breach is the result of someone breaching BitArmor controls.

While we understand that a breach may cost the company more than our promise, we want organizations to know we have skin in the game to ensure that their data is protected. In some sense, we also shoulder some of the responsibility :)

Tuesday, January 13, 2009

Financial firms - poor security or valuable data?

Since the recent PricewaterhouseCoopers report came out, there has been a lot of discussion on why financial firms are coming up short on data security.

While I think there is some truth to the story - for example, it is staggering to think that organizations do not have incident response processes or defined methods to address a data breach - I am not convinced that financial firms are behind anyone in terms of approaching data security.

For one, they have the most valuable data in the world and are targeted more often than any other vertical, save the government. In spite of being such a huge target, they do not seem to have a massive share of the breaches - according to the new report from the ITRC in San Diego. In fact, this is the statement from that report: "The financial, banking and credit industries have remained the most proactive groups in terms of data protection over all three years."

And from my experience as a vendor working with many financial firms, almost all of them have good processes, encryption and data security products deployed and some of the most security savvy employees. I would love to know more about the types of financial institutions that did not perform well. Are they the small regional banks or are they larger ones that might have huge amounts of data?

Hmmm.. So I am a bit skeptical about parts of the report... I think, while there might be some truth to it, that as custodians of such valuable data, banks are overall quite responsible in terms of data security.

Friday, January 9, 2009

Thats what we need - 2 terabyte memory cards!

This seems more like a giant leap by mankind - rather than the more predictable Moore's law. Seems like new SD card standards could bring about memory cards that have a 2TB capacity!

Imagine all the credit cards and personnel records that can be saved on one of those - imagine the fun we will be having in a few years when the entire SSN list of over 300M Americans is found on one of them! Even though I am an optimist, it is hard not to see bigger (literally) breaches ahead - unless we get our act together. Time to make these cards more secure - can we get some security standards into the new SDXC standard as well?

Of myths and security

Very interesting set of articles by Erik Larkin over the last few days about the enduring myths of security - check them out here. He talks about hacking for fun and brownie points, malware, etc. Fun stuff..

I think one enduring myth beyond what Erik has touched upon is "doing the same thing and hoping for a different result". Einstein said it with more color! I think many organizations are using the same old techniques for preventing losses or breaches with the hope they will produce better results - this might be wishful thinking. The game is far ahead and we have to develop new techniques and change our approach a bit.

Being an information-centric security cheerleader, I think this is one of the changes we as an industry have to move forward with. Thinking that the old, device-centric approach will work every time, since that feels like comfort food, might turn out to be not true...

Thursday, January 8, 2009

30 years jail time for 90M records!

Looks like the chickens have finally come home to roost - apparently the mastermind behind the TJX hack, Maksym Yastremskiy, has been sentenced to serve 30 years for his acts. By a Turkish court, no less!

I always believed that deterrent is crucial in preventing such acts - organizations obviously should protect their data, but if you know that you could get jugged for 30 years, that ought to put a damper in your enthusiasm to sell some stolen records :)

I like the sentence term as well - however, it works out to only about one year for every three million records stolen! I would recommend one year for every 100,000 records, and then move it down with a sort of volume discount :)

In any case, nice going Turkey..

Wednesday, January 7, 2009

Devolution and data-centric security

Forrester has been covering the data-centric security space for a while - Paul Stamp has had some good articles and now Andy Jaquith has a new report out as well - "Data-Centric Security Requires Devolution, Not A Revolution". The bottom line is to not think of this approach as revolutionary. While I agree with Andy to a certain degree, I would characterize this approach as being more the "logical" way to really protect data. You don't need to devolve to do this, just approach it logically :)

There are no complete solutions out there yet that fully deliver on the promise of data or information-centric security - and as with all technology, there will always be work to be done! Therefore, one will be working with some sort of hybrid solution for a while. There will still be areas where protecting the device or the network makes sense - these tools are widely available and have become mature. The mistake, however, is to assume that they are sufficient.

Andy has blogged about his report. He mentions that all data needs to be secure - no doubt. But we have to start thinking beyond those data elements at rest and think of data as a flowing medium - protect it everywhere. In this case, the only logical way appears to me to be the information-centric approach.

Tuesday, January 6, 2009

Two data breaches a day!

And to think that the numbers might be even higher! According to the Identity Theft Resource Center in San Diego, some 656 breaches were reported in 2008, up almost 50% from the previous year. This is almost two breaches a day - and according to the article in the Washington Post, many breaches do not even get reported. So this could be even higher!

I wonder if folks are getting blasé about these breaches. To borrow an often-used Indian saying, "Chalta hai!" - meaning "it's okay, it happens" etc. :)

Hopefully the companies (and their customers) that have been affected don't have this sense of chalta-hai and pull up their collective socks to fix their data protection issues...