Tuesday, September 29, 2009

Virtualization and PCI standard - can we do better?

The wheels are turning for another version of the PCI standard. And this time virtualization security is a big focus in the development of the standard. Commendable, I say. Virtualization will become a bigger deal (more than it is today) and almost all organizations will have some form of virtual environment set up.

However, are we prone to repeat the same mistakes? We still seem to be stuck in the legacy world of protecting infrastructure - security professionals have no time to look beyond the normal, staple security diet of anti-malware, IDS/IPS, firewalls, etc., to where the more active threats are.

How do we bring the security world (as well as the business world) forward to rethink how to enable secure business? I have strong opinions on this - I believe an information-centric security approach is vital and imperative in virtualized environments. In fact, I can go so far as to say that this is the only logical and enforceable method, that enables virtualization to be all-it-can-be - so that business can be all it can be!

Let not PCI be a reflection of the past threats - let it become what we need now and prepare us for the future. This is the only way it can stay relevant and useful.

Friday, September 18, 2009

Gartner - Pay now or pay (a lot) later!

Read a few weeks ago a very interesting (and perhaps one of the few) analyst reports that analyze the costs of fixing a breach as compared to prevention. Check it out here.

The basic premise of Gartner analyst John Girard is that the costs of prevention are insignificant compared to the costs of cleanup - less than 2%! How can management of any organization look at this and say "let's cross our collective fingers" and hope for the best?

Data protection, if done correctly, does not have to be expensive. I just read this article based on a survey that said most organizations in MA feel that the costs of data security are hurting firms. While I agree there is an investment to be made, the costs of cleanup are far higher. In fact a recent Ponemon report showed that over 60% of organizations have had breaches in the last 12 months - what this means is any organization has a 60+% chance of a breach!

Any organization should at least start protecting its most vulnerable assets - data in vulnerable locations, be it on mobile devices such as laptops or USB devices, or on file shares.

These costs are minimal compared to the costs of payment later...

Tuesday, September 15, 2009

SB-20: A California refresh!

The updated California breach law, SB-20, is finally on the Governator's table. It has been a while coming and is most interesting since it finesses the grand-daddy of all breach laws, SB-1386. For more information, check out Ariel Silverstone's blog. There is a very good analysis of the new law.

I like the use of the word "unencrypted" in the new law - it implies that even if data was encrypted but the keys were lying around, you can't claim immunity :) Contrast this language with something like "plain" or "open"...

I think this is a good step forward, especially around the notification, use of plain language etc. I would have liked it to be more focused on remedies and "get-out-of-jail" by using encryption (the MA law is one such).

Friday, September 11, 2009

My black-market value? 32 bucks

Interesting tool that Symantec has unveiled - an online risk calculator that figures out how much your identity could be auctioned off for! Apparently I am cheap and can be had for $32.29 - no idea how they got the accuracy down to 29 cents!

Without going into the merits of the calculator (and the random number generator behind it :)), I think it is an interesting thought. While a criminal might not be targeting you specifically, breaching and then auctioning off thousands of such records can make someone some pretty good coin.

It is also likely that the guys who breach have their specialty - getting the records. It is up to the buyer now to steal the actual cash from the accounts or credit cards that have been turned over! Specialization and job segmentation at its best!!

Saturday, September 5, 2009

Virtualization security compliance guidelines - quite off base!

I don't know if it is a challenge with today's compliance rules or how folks perceive virtualization security, but the recent guidelines published by VMware and RSA seem to have missed the mark. I don't want to add the word "completely", but I do think they are quite off base.

Not to say they don't have some good things in there, like platform hardening, network segmentation, change management, admin access control, etc. But this is something one would be doing for non-virtual environments as well - not much different here, just common sense.

A reason for missing the mark is the non-focus on virtualization itself. Virtual environments are different. I think they need some fundamental rethinking of security, including a focus on statelessness, shorter session lifetimes and a true focus on data.

What fills me with a sense of incompleteness from these guidelines is the total non-focus on data! C'mon what are we trying to protect here? It's the data!! And nary a single mention?

Thursday, September 3, 2009

WhoHooo! BitArmor recognized in the latest Magic Quadrant!

Apologies for getting a bit excited - BitArmor is named in the 2009 Gartner Magic Quadrant for Mobile Data Protection! The full report can be read from the Gartner website. Our release about this recognition can be read from our website.

In this blog, I usually talk about my thoughts on the industry, the evolution of security, etc., and I don't blog much about our product and the company. However, this I do think is a good excuse to do so :) It is good to be recognized by leading security analysts such as John Girard and Eric Ouellet!

The report highlights our unique information-centric security approach to protecting data. It also talks about our No-Breach Guarantee. And one phrase I like is "far advanced" - as a way to describe our technology. Nice!

Being information-centric in our approach to data protection makes us a bit different from the other vendors in the document - most of them protect mobile devices. Because of our Smart Tag technology, BitArmor is able to protect the data itself at all times - thus the protected data can move to a laptop, to a USB device, via email as an attachment or via FTP. It can also move from a file share to a data center server to a backup tape and still remain protected. From this perspective, we are truly fulfilling the real "Mobile Data Protection". I think the naming of this Magic Quadrant report is a bit ahead of its time!

However, as it stands now, most people associate data protection with "mobile devices" - i.e. protecting the devices that the data rests on (laptops, USBs, phones, etc.). And possibly for good reason - there were no good enough or usable enough technologies that could truly protect the data itself, and that too persistently. Until now, of course!

I do think the Mobile Data Protection Magic Quadrant will evolve more towards a data or information-centric approach in the coming years. Looking forward to our footprint trending, nay jumping, up and to the right!

Wednesday, September 2, 2009

Another case for information-centric security

The more I read about how criminals are breaching the perimeter and getting access to sensitive data in an organization, the more I am convinced an information-centric approach is the only way to go.

Case in point is the recent article from Information Week - 5 Security Lessons from Real World Breaches. Fun stuff!! Here is a short excerpt from one attack the article describes - the conclusion:

"...The attackers used the compromised server as their home base. They deployed tools and scanners and spent several months meticulously mapping the network without being detected. Once they found the systems that contained the data that they were looking for, they simply copied the information, put it into a Zip file, and moved it out."

Emphasis above is mine - basically they compromised a server and then copied data out. This perception of data-at-rest protection as the end-all is making me frustrated. If this data were protected using an information-centric approach - i.e. protect the data and keep it protected at all times (at rest and in motion) - this would have been much harder. All the criminals would have gotten is encrypted data.

I am also looking at the 5 guidelines/conclusions from the report and, besides a short mention of layered security and isolation, there is not much emphasis on data protection. I think the authors are missing the point. You can never have enough perimeter security - IDS/IPS and anti-malware work only to a certain extent.

You need to recognize that data is the critical asset, not the network or the server. Protect the data, damn it!!

New HIPAA breach laws taking effect

More rules and more rules... The HHS has issued final guidelines on breach notification requirements for organizations under the HIPAA law. They take effect Sept 23rd... Just in time for the G20 summit?

Maybe not. However, the reality is that organizations are now having to deal with a bevy of such requirements, and the bigger problem is not in complying with basic standards, but in ensuring the lowest common denominator (or in this case the strictest rules) is being met...