Today, Check Point Software Technologies, one of the old guard in the world of information security, announced they are purchasing Nokia's security appliance business. This is welcome, if late, news to Check Point's customers who use Nokia hardware. For many years, Nokia was the de facto hardware platform for deploying Check Point firewall software. Check Point/Nokia shops have been struggling for months to decide how to respond to Nokia's announcement that they would rid themselves of this troublesome (think non-cell-phone) business. For customers with sometimes hundreds of Nokia appliances, the fear of potentially unsupported hardware and the fear of a big firewall replacement project were equally disturbing.
This new agreement spawns a couple of interesting questions:
As the day drew to a close on December 16, 2008, Microsoft issued an advance out-of-band security advisory, #961051, with an emergency patch to follow the next day.
The vulnerability behind this advisory is a critical remote-code-execution vulnerability within Internet Explorer (IE). All currently supported versions of IE are affected. The vulnerability is related to an invalid pointer used in the data binding element within IE’s code base. This vulnerability allows remote execution of arbitrary code. If a vulnerable browser visits a malicious Web site, this Web site can instruct the browser to execute arbitrary code with the same privileges as the user.
In my coverage of business continuity and disaster recovery, I talk to both IT infrastructure and operations professionals and IT security professionals, and I've found that the term "data protection" means something different to each. This comes as no surprise, and I think for a long time it didn't really matter, because IT operations and security professionals operated in independent silos. But as silos break down and "data protection" is a shared responsibility across the organization, it's important to be specific and to understand who is responsible for what.
Keep an eye out in the next week for Forrester’s GRC Trends 2009 report, which will take a look at how a decidedly rocky end of 2008 will impact those responsible for various aspects of corporate governance, risk management, compliance, audit, and finance... as well as the product and service firms that serve them.
One trend that we call out in the report is the impending consolidation of the GRC technology landscape, which is a top-of-mind issue for many leading vendors in the space.
On December 4, 2008, RSA and Microsoft jointly announced the imminent release of a collaboration that integrates RSA's Data Loss Prevention (DLP) product into Microsoft’s enterprise offerings. Initially, this means an integration between RSA's DLP 6.5 and Microsoft’s Active Directory Rights Management Server (AD RMS). The DLP product identifies and classifies sensitive information and RMS automates policy enforcement based on a company's existing AD structure. The integration is admittedly relatively basic to start, but in the long term the two companies expect DLP to be tightly woven into the fabric of Microsoft's enterprise products — identity-enabled data protection sitting deep within a company's Microsoft infrastructure.
What it means: All things considered, this is good news for every CISO. Microsoft has the broadest technology base by far; teaming up with a true security front-runner like RSA mitigates the fact that Microsoft has also had arguably the largest selection of security challenges in the past. The partnership addresses today's prime security challenge: By and large, firms tell us that the need to protect sensitive information from leaking to people and places inside and outside the corporate perimeter is the single biggest obstacle they face.