Showing posts with label information-centric. Show all posts

Tuesday, January 12, 2010

BitArmor acquired by Trustwave!

Exciting news for us: we are pleased to announce the acquisition of BitArmor by Trustwave! The press release is here.

Quick FYI - Trustwave is a leader in delivering compliance and security solutions for thousands of large and small customers across the globe. They have a great story about PCI as well. Great to be part of an awesome company!

We believe this is an absolutely perfect fit between our vision of information-centric security, our Smart Tag technology and how Trustwave sees the world of security and compliance.

Will post more in a few days. Lots to do, so gotta run!

Wednesday, December 9, 2009

New Cisco report on state of security

Cisco has just released its annual state of security report - the Cisco Annual Security Report. It mentions the usual things you hear - more malware, 40% more spam in 2010, more banking trojans, etc. Scary stuff, no doubt. Read more about it here.

But what worries me is what is missing (or not highlighted) in the report - namely data security in the enterprise. While I, as a consumer myself, appreciate the issues the report points out, data breached from enterprises also causes significant pain.

Trojans, malware and viruses will always be around, and I think we have to expect this going forward. How do we ensure that they get relegated to mere annoyances and do not become a security threat? This is where an information-centric approach works best - once the data is protected, only the right user opening the document with the right application can decrypt it. The malware thus cannot access protected data since it does not have the right permissions. This might reduce the impact of much of today's malware - at least for enterprise data.

For transactional consumer data (e.g. credit card information submitted during a web session), we have to think of other, but similar, techniques...

Saturday, September 5, 2009

Virtualization security compliance guidelines - quite off base!

I don't know if it is a challenge with today's compliance rules or with how folks perceive virtualization security, but the recent guidelines published by VMware and RSA seem to have missed the mark. I don't want to add the word "completely", but I do think they are quite off base.

Not to say they don't have some good things in there, like platform hardening, network segmentation, change management, admin access control, etc. But these are things one would be doing for non-virtual environments as well - not much different here, just common sense.

One reason they miss the mark is the lack of focus on virtualization itself. Virtual environments are different. I think they need some fundamental rethinking of security, including a focus on statelessness, shorter session lifetimes and a true focus on data.

What fills me with a sense of incompleteness from these guidelines is the total lack of focus on data! C'mon, what are we trying to protect here? It's the data!! And nary a single mention?

Thursday, September 3, 2009

WhoHooo! BitArmor recognized in the latest Magic Quadrant!

Apologies for getting a bit excited - BitArmor is named in the 2009 Gartner Magic Quadrant for Mobile Data Protection! The full report can be read on the Gartner website. Our release about this recognition can be read on our website.

In this blog, I usually talk about my thoughts on the industry, the evolution of security, etc., and I don't blog much about our product and the company. However, I do think this is a good excuse to do so :) It is good to be recognized by leading security analysts such as John Girard and Eric Ouellet!

The report highlights our unique information-centric security approach to protecting data. It also talks about our No-Breach Guarantee. And one phrase I like is "far advanced" - as a way to describe our technology. Nice!

Being information-centric in our approach to data protection makes us a bit different from the other vendors in the document - most of them protect mobile devices. Because of our Smart Tag technology, BitArmor is able to protect the data itself at all times - so protected data can move to a laptop or USB device, travel as an email attachment or over FTP, move from a file share to a data center server to a backup tape, and still remain protected. From this perspective, we are truly fulfilling the real "Mobile Data Protection". I think the naming of this Magic Quadrant report is a bit ahead of its time!

However, as it stands now, most people associate data protection with "mobile devices" - i.e. protecting the devices that the data rests on (laptops, USB drives, phones, etc.). And possibly for good reason - there were no good enough or usable enough technologies that could truly protect the data itself, and do so persistently. Until now, of course!

I do think the Mobile Data Protection Magic Quadrant will evolve more towards a data or information-centric approach in the coming years. Looking forward to our footprint trending, nay jumping, up and to the right!

Wednesday, September 2, 2009

Another case for information-centric security

The more I read about how criminals are breaching the perimeter and getting access to sensitive data in an organization, the more I am convinced an information-centric approach is the only way to go.

Case in point is the recent article from Information Week - 5 Security Lessons from Real World Breaches. Fun stuff!! Here is a short excerpt from one attack the article describes - the conclusion:

"...The attackers used the compromised server as their home base. They deployed tools and scanners and spent several months meticulously mapping the network without being detected. Once they found the systems that contained the data that they were looking for, they simply copied the information, put it into a Zip file, and moved it out."

Emphasis above is mine - basically they compromised a server and then copied data out. The perception of data-at-rest protection as the be-all and end-all frustrates me. If this data had been protected using an information-centric approach - i.e. protect the data and keep it protected at all times (at rest and in motion) - this would have been much harder. All the criminals would have gotten is encrypted data.

I am also looking at the 5 guidelines/conclusions from the report, and besides a short mention of layered security and isolation, there is not much emphasis on data protection. I think the authors are missing the point. Perimeter security is never enough on its own - IDS/IPS and anti-malware work only to a certain extent.

You need to recognize that data is the critical asset, not the network or the server. Protect the data, damn it!!

Monday, August 24, 2009

Dirty secrets and the non-existent perimeter

The perimeter is dead - long live the perimeter (the new perimeter, that is). Which obviously is the data.

I am also intrigued by an article by Joshua Corman from IBM, in CIO magazine, that discusses this. Check out Dirty Secret #3: "There is no perimeter". I love it. Mostly because it is true. And for some small selfish reasons as well... :)

Here is what he says - very eloquently, I might add:

"We need to define what the perimeter is," he said. "The endpoint is the perimeter, the user is the perimeter. It's more likely that the business process is the perimeter, or the information itself is the perimeter, too. If you design your security controls with no base assumption of a perimeter, when you have one you are more secure. The mistake we tend to make is, if we put the controls at the perimeter, then we will be fine. For many threats, we couldn't be more wrong."

The bold emphasis above is mine - and not from Joshua. But I do it to illustrate my point (which I also put forth in a recent blog on the benefits of an information-centric security approach). Security professionals need to move beyond the perimeter thinking that has dominated for the past 30-40 years and recognize that the world is different now.

For heaven's sake, the internet that allows for rapid dissemination of data and collaboration is already a teenager! Why do we still protect this environment with stuff built for the '70s?

Sunday, August 23, 2009

Benefits of information-centric security

For a while I have been meaning to write a short article on what I think information-centric security is - so here goes.

Organizations have focused on securing sensitive data by protecting the infrastructure that hosts the data. This could be implemented by hosting the servers inside a data center, using firewalls and similar perimeter protection techniques to keep out external attackers, encrypting whole drives or encrypting networks. I think of these as protecting data by proxy - i.e. protect the network to protect the data, protect the perimeter to protect the data, protect the device to protect the data.

Information-centric security is the concept of focusing the protection on the data itself as opposed to the device - protection that stays with the data while at rest and while in motion. Access controls and other policies are embedded in the data and follow it wherever it goes - thus enforcing these policies at the data level, regardless of where the data is.

This approach has several advantages:

  • Continuous protection: Data always remains protected since it does not get decrypted as it moves - this has performance benefits as well as security benefits.
  • Device independence: Data can be protected regardless of the devices it rests on or travels between. For example, if data moves to a USB device or to a backup tape, it still remains protected. No need to deploy a USB protection solution or a backup tape solution separately.
  • Enabling secure collaboration: Since the data remains persistently protected, you can share it better - the access controls governing who can access the data remain with the data itself! Therefore data can be self-defending. No need to provide access to networks, file shares, etc. to share data.
  • Lower costs and complexity: All this comes down to much lower costs and complexity - no need to have multiple device- or network-centric products protecting data, and that only by proxy.
I think the world is moving to such a method of protecting data - the old ways are untenable in today's world of exploding data and the requirements to share and collaborate.
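To make the "protection travels with the data" idea above concrete (and the earlier point that only the right user opening the data with the right application can decrypt it), here is a small Python model. It is an illustration added for this page, not BitArmor's Smart Tag implementation or format: the key authority, the `{"users": [...], "apps": [...]}` policy schema, and the HMAC-SHA256 counter-mode cipher are all assumptions made so the example runs with the standard library only.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, List, Tuple

# Constructed illustration for this page: a data "envelope" whose access
# policy is bound to the ciphertext and evaluated wherever the bytes end up.
# Not BitArmor's Smart Tag format; the key authority, policy schema and the
# HMAC-based cipher are assumptions made for the demonstration.


def _prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts; serves as KDF, MAC and keystream source."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


def _ctr_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode XOR using the PRF as keystream (stand-in for an AEAD such as AES-GCM)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = _prf(enc_key, b"ctr", nonce, (i // 32).to_bytes(4, "big"))
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class KeyAuthority:
    """Holds the master secret and releases plaintext only after checking the
    policy that travels inside the envelope against the requesting principal."""

    def __init__(self, master_key: bytes) -> None:
        self._master = master_key

    def _object_keys(self, object_id: str) -> Tuple[bytes, bytes]:
        # Per-object keys derived from the master; nothing is per-device or per-path.
        obj = _prf(self._master, b"object", object_id.encode())
        return _prf(obj, b"enc"), _prf(obj, b"mac")

    def seal(self, plaintext: bytes, policy: Dict[str, List[str]]) -> bytes:
        """Encrypt once; the policy header is authenticated together with the ciphertext."""
        object_id = os.urandom(16).hex()
        header = json.dumps({"object_id": object_id, "policy": policy}, sort_keys=True)
        enc_key, mac_key = self._object_keys(object_id)
        nonce = os.urandom(16)
        ct = _ctr_xor(enc_key, nonce, plaintext)
        tag = _prf(mac_key, header.encode(), nonce, ct)
        return json.dumps({"header": header, "nonce": nonce.hex(),
                           "ct": ct.hex(), "tag": tag.hex()}).encode()

    def open(self, envelope: bytes, user: str, app: str) -> bytes:
        """Decrypt only if the envelope is intact and (user, app) is listed in its policy."""
        env = json.loads(envelope)
        header = env["header"]
        nonce, ct, tag = (bytes.fromhex(env[k]) for k in ("nonce", "ct", "tag"))
        meta = json.loads(header)
        enc_key, mac_key = self._object_keys(meta["object_id"])
        # Integrity first: a rewritten policy fails here before it is ever consulted.
        if not hmac.compare_digest(tag, _prf(mac_key, header.encode(), nonce, ct)):
            raise ValueError("envelope or its policy has been tampered with")
        pol = meta["policy"]
        if user not in pol["users"] or app not in pol["apps"]:
            raise PermissionError(f"{user}/{app} is not permitted by the data's own policy")
        return _ctr_xor(enc_key, nonce, ct)


def rewrite_policy(envelope: bytes, extra_user: str) -> bytes:
    """Simulate someone who edits the embedded access list without knowing the keys."""
    env = json.loads(envelope)
    meta = json.loads(env["header"])
    meta["policy"]["users"].append(extra_user)
    env["header"] = json.dumps(meta, sort_keys=True)
    return json.dumps(env).encode()


def attempt(ka: KeyAuthority, envelope: bytes, user: str, app: str) -> str:
    """Summarise an access attempt as 'ok', 'denied' or 'tampered'."""
    try:
        ka.open(envelope, user, app)
        return "ok"
    except PermissionError:
        return "denied"
    except ValueError:
        return "tampered"


if __name__ == "__main__":
    ka = KeyAuthority(os.urandom(32))
    record = b"4111-XXXX-XXXX-1111,alice@example.org"  # constructed sample record
    env = ka.seal(record, {"users": ["alice"], "apps": ["finance-app"]})
    copied = bytes(env)  # the same bytes on a USB stick, a backup tape or a remote server
    print(attempt(ka, copied, "alice", "finance-app"))    # ok
    print(attempt(ka, copied, "alice", "unknown.exe"))    # denied: right user, wrong application
    print(attempt(ka, copied, "mallory", "finance-app"))  # denied
    print(attempt(ka, rewrite_policy(copied, "mallory"), "mallory", "finance-app"))  # tampered
```

Wherever the envelope is copied, it stays the same inert bytes; the only route to plaintext is the key authority, which first verifies the tag (so the embedded policy cannot simply be edited to add a new user) and then evaluates the policy naming both the user and the application. A production design would replace the HMAC counter-mode construction with an AEAD such as AES-GCM, passing the policy header as associated data; the construction here only keeps the example dependency-free.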


Tuesday, August 18, 2009

The same TJX hacker?

How many more breaches were perpetrated by Albert Gonzalez? According to new charges, he is saddled with TJX (from before) and now with Heartland as well as Hannaford! The guy has been busy, no doubt.

What was it that made these breaches similar? And what did we not learn from the first ones that we let Albert and gang do it again and again? Obviously there are many theories - but my view is, at the end of the day, infrastructure protection can get you only so far.

We need an information-centric approach to protection where the focus is not on the pathways, perimeters and devices, but on the data itself. Imagine if this had been the case in the above breaches, where data was pulled off networks or servers. If that data had been protected at rest and in flight, it would not have mattered that the data was copied outside the company - it is protected! It remains encrypted!

Better, more logical and more effective security. But it seems folks are still in the rush of "protect the infrastructure"...

Thursday, July 30, 2009

Persistent, information-centric protection, PCI and the Network Solutions breach

The more news I see regarding various breaches, the more I am convinced of the superiority of persistent and information-centric security. For example, take the latest breach at Network Solutions - a PCI compliant organization. Over half a million cards stolen.

Comments galore:
Here is what the company says: "The company determined that the unauthorized code may have been used by cybercriminals to capture transaction data, including customer names, addresses, and credit card numbers, and transfer it to servers outside of the company...."

Now look at the statements below from industry experts:

"...many enterprises are behind in security protection efforts such as anti-virus updates due to shrinking IT budgets, which results in unpatched vulnerabilities that are easily exploited"

Seems like anti-virus and unpatched systems are the main culprit - long live infrastructure protection!

"...the incident illustrates the risks of cloud computing."
A broad general statement - not clear what the implication is :)

The point:
My point is that the industry is so wrapped up in protecting the infrastructure - i.e. protecting data by proxy - that they forget what it is they are really trying to protect. With an information-centric security solution, the credit card data would be protected persistently. Even if the data were to be "..transferred over to servers outside the company..", it would still remain encrypted, making it much harder for criminal organizations to obtain any value from the data.

The last and best line of defense is the data - this is how layered security should be.

Wednesday, July 22, 2009

Virtualization security - presentation at the OpenGroup Security Conference

Just presented on virtualization security and some of my thoughts on how an information-centric security approach will be absolutely essential - this was at the OpenGroup Security Conference in Toronto. I am putting up the slides I presented in this post.

This is my first attempt at sharing slides via Slideshare - let's see how it works:

Wednesday, July 15, 2009

New Ponemon report - little change

It is interesting to note that the more things change, the more they remain the same! The new Ponemon report is out and the numbers are interesting (but no shocking new revelations). Check out the article from Dark Reading.

  • 74% of organizations had a breach in the last 12 months (the PGP release says 85%)
  • 22% had five or more breaches (and they did not have any encryption)
  • Compliance is a big driver (64% say this is why they do what they do)
One interesting nugget is the idea that encryption is becoming more strategic and folks are moving away from point solutions. I am not sure how people view the difference between point solutions and a suite of solutions :) (the latter is just a bunch of point products slapped together into an interface).

I strongly believe that this device-centric approach will not get us out of this funk. Every year we have more breaches, even though adoption of encryption is getting better. Why? Poor strategies, poor management of encryption and multiple device centric solutions not really doing the job.

The only way to truly protect data is with an information-centric security approach - and not focus on multiple devices, apps, file shares and now mobile devices as seen in this article.

Friday, July 10, 2009

Enhancing DLP

What exactly is DLP? The general consensus is that DLP technologies worth their salt should include some form of content awareness. I was recently at the Gartner Security Summit, and Eric Ouellet made a strong case for it - if you get a chance to see the presentation, it is well worth it and provides a great overview.

Also, I just read a good article in CSO Magazine by Bill Brenner on technologies that can extend the value of DLP. I am glad that folks are seeing the value of encryption within a data leakage context, and I am encouraged by the comment by William Pfeifer about the requirement to protect the data at all times and not just at rest. This, I believe, is the right information-centric approach.

One point I think Bill might have missed is the value of identity technologies (IAM) to enhance DLP as well. I strongly believe that the combination of IAM + content-aware DLP + persistent encryption can solve (from a technology perspective) many of the challenges we face. This gives control over roles and over the content itself, and completes the action of protecting the data by enforcing specific access control triggers within the data itself.

Aha - true "discover once, protect forever" :)

Monday, July 6, 2009

The SharePoint security conundrum

Sometimes going to security conferences is not that useful. However, I just got back from the Gartner Security Summit - some very interesting presentations and conversations. I like the in-depth analysis that they do - and this time I was intrigued by the SharePoint security presentation by Neil MacDonald.

A few points I learnt:

  • SharePoint is the fastest growing product in Microsoft's history! It is taking over and replacing many file shares and other collaboration products.
  • Security is a big concern due to the rapid growth - especially when collaborating with external parties.
  • Data is usually not encrypted within SharePoint, since encryption makes it hard to search and index.
SharePoint is an example of an information-centric approach in an organization - and I think it is the most natural place for a similarly information-centric approach to data security. You cannot protect the data by protecting the boxes, encrypting hard drives, etc. The protection policies should be with the data and/or enforced by authentication and the right authorization within SharePoint.

Will be interesting to see how this shakes out - I am excited about the information-centric security approach that SharePoint will force organizations and vendors to adopt!

Tuesday, April 7, 2009

Security and learning from nature

Nature is interesting in how it deals with threats. I think we can learn a lot from it (while I am just as sure I will be reaching while I construct some of the analogies below!).

One point that always sticks in my mind is how the "bad stuff" in terms of germs, viruses, bacteria, etc. is all around us, right next to us. Compare this with how an organization likes to look at security:

  • Try to ensure the whole environment is secure (i.e. free of bacteria, etc.)
  • Try to restrict movement of assets (i.e. restrict sharing of data)
I think this approach is a fool's errand. We can never be rid or free of the malware or threats around us. The key will be to learn from nature and see how it deals with such threats. It does not try to ensure everything is pristine. It just ensures the critical asset is secure. The air we breathe, the water we drink, etc. might never be pristine. But our body can deal with it since it has the antibodies for most of the bad stuff out there (true, we also need to ensure we don't breathe in the Ebola virus).

However, the lesson is: let's not try to fix the environment - we will never be successful. Let's try to ensure the asset (in this case the data or information) is truly protected. This information-centric approach is the better and more logical way forward - as nature points out to us!

Monday, March 30, 2009

Devolution, job responsibilities and data-centric security

Seems like the data/information-centric approach to data protection is gathering more steam. Interesting article in CSO Magazine by Forrester analyst Andrew Jaquith talks about giving up control to gain control - using a data-centric security approach. Very interesting.

It talks about forgoing an infrastructure-control perspective in favour of a more data-centric one, and devolving responsibility to those who use the data.

Here is a short excerpt:

"Instead of beating your head against the wall, devolve responsibility to the business, keeping controls closest to the people who use the data. IT security should be primarily responsible only for deploying data protection technologies that require minimal or no customization."

Another excerpt I agree with:

"Confronted with these three challenges, some nervous CIOs and CSOs choose to throw the proverbial kitchen sink at the problem: DLP, encryption-everywhere, enterprise key management, NAC, and employee education. However, this approach will fail because at its roots, the problem of data security stems from four sources: digital information was meant to move; information classification isn't ingrained into work processes; technical solutions aren't standardized; and accountable parties are too far from the controls."

The main one being (the highlight above is my emphasis) - data is meant to move, distribute and gain in value! You cannot stop data from moving and still be a friend of the business!

Thursday, February 5, 2009

Breaches - up, up and away!

The news around breaches seems exactly like that of the current economy - gloom and doom all around. The latest in the fusillade is the analysis from Jon Oltsik from ESG. Looks like the number of breaches every year has been increasing - and this year it seems worse. With all the stuff happening (Heartland, the VA settling, the recent Ponemon report, the McAfee trillion dollar news), this new research is on expected territory.

However, one interesting nugget from Jon - 61% of small organizations had a breach in the last 12 months while 49% of large ones succumbed in the same timeframe. One would have expected the difference to be much higher. Larger organizations have far more resources and security technologies in place to prevent such breaches than smaller organizations do. There could be many reasons for the smallish gap - large companies are bigger targets, have more employees, have stringent disclosure requirements, have more data, etc. All valid reasons...

While this might be true, my hypothesis is that current security measures are also not working in large organizations. Breaches do not just happen in one area (say laptops), but wherever data goes. And multiple, device-centric approaches to data protection do not mitigate breaches as much as folks would like to think.

One needs a better and more logical approach to data-protection. I firmly believe the information-centric approach is the way to go - protect data once, keep it protected wherever it goes - on any device and for any application.

Tuesday, February 3, 2009

Heartland and end to end encryption

Interesting to note that Robert Carr, CEO of Heartland, is now calling for end-to-end encryption. In his words...

"I believe the development and deployment of end-to-end encryption will provide us the ability to implement increasing levels of security protection as they become needed"

How this encryption will be implemented is another story - do we go with one product to protect data at rest (not one, but one for each device!), one for networks, etc.? I think this is a bad move - each time you move sensitive data from one device/network to another, you go through a decrypt/encrypt cycle - and guess what happens when you decrypt?

I think only a data or information-centric approach to data protection can truly give you this end-to-end protection for data. Protect your data once, and the protection remains with the data wherever it goes - is this not what you really want?

Wednesday, January 21, 2009

One hundred million! A breach of staggering proportions

This is unbelievable - and sounds almost like Dr Evil asking for ransom before threatening to blow up something. In spite of all the PCI regulations and best practices to protect data both at rest and in flight, about 100 million records were breached at payment processor Heartland. I'd be interested to know if Heartland was indeed PCI compliant.

The challenge, I think, is that lots of folks think about compensating controls to get around actually protecting the data. And surprisingly, in spite of the TJX breach that happened across the wire, most folks think that just encrypting their laptops is enough! And the Heartland case has proven otherwise - one also needs to protect data in flight!

How many such network pathways can one protect? How many are there to protect? This is why the information-centric approach makes sense. Protect the data itself - don't worry about the pathways as much. Ensure that the data is persistently and continuously protected at all times - this will ensure device independence and network independence.

And breaches, massive or small, can be cost effectively avoided.

Thursday, January 15, 2009

Introducing a no data-breach guarantee

Usually we do not talk much about our product or company in this blog. However, today might be an exception :)

This is an exciting day for us at BitArmor - we are announcing a guarantee against data breaches for organizations looking to protect sensitive data and avoid the massive expense of a data breach. We feel proud in being the first vendor to do so!

The concept is simple - we believe we have superior Smart Tag technology that can protect data persistently, using an information-centric approach. The data remains protected at rest and in flight and is device independent - therefore giving us the ability to protect data on multiple devices, especially the ones that are most vulnerable, i.e. laptops (we use disk encryption here in addition to our persistent file encryption), USB devices and email attachments, among others.

This gives us the confidence (well, we also derived a lot of it from government agencies and crime labs beating up on our software!) to make this bold statement and back our product with a money-back guarantee in case a publicly announced breach is the result of someone breaching BitArmor controls.

While we understand that a breach may cost the company more than our promise, we want organizations to know we have skin in the game to ensure that their data is protected. In some sense, we also shoulder some of the responsibility :)

Friday, January 9, 2009

Of myths and security

Very interesting set of articles by Erik Larkin over the last few days about the enduring myths of security - check them out here. He talks about hacking for fun and brownie points, malware, etc. Fun stuff..

I think one enduring myth beyond what Erik has touched upon is "doing the same thing and hoping for a different result". Einstein said it with more color! I think many organizations are using the same old techniques for preventing losses or breaches in the hope they will produce better results - this might be wishful thinking. The game has moved far ahead, and we have to develop new techniques and change our approach a bit.

Being an information-centric security cheerleader, I think this is one of the changes we as an industry have to move forward with. Thinking that the old, device-centric approach will work every time, because it feels like comfort food, might turn out not to be true...