What's Holding Back Next Generation Backup and Recovery?

I talk with many IT professionals who are dismayed at how little backup and recovery has changed in the last ten years. Most IT organizations still run traditional weekly fulls and daily incremental backups; they still struggle to meet backup windows, to improve recovery capabilities, to improve backup and restore success rates, and to keep up with data growth. Sure, there have been some improvements: the shift to disk as the primary target for backup did improve backup and recovery performance, but it hasn't fundamentally changed backup operations or addressed the most basic backup challenges. Why hasn't disk dragged backup out of the dark ages? Well, disk alone can't address some of the underlying causes. Unfortunately, many IT organizations:

Chrome OS is coming, and it is impressive

Today, Google made its first public announcements about Chrome OS, a Linux-derived operating system that it positions as secure and easy to use. I listened in on the Web cast today, and had some initial impressions.
Overall, I am impressed. Google had the luxury to design an OS using a clean sheet of paper, and as a result produced an OS that has some very interesting security properties:

Cloud Security Front And Center

Cloud computing is the latest trend that has the industry abuzz. Everywhere you go, there are cloud services for every functionality imaginable. Many believe that cloud computing can deliver massive business and operational efficiencies. There is even a movement at the national level: Vivek Kundra, the country’s recently named federal CIO, is being tasked to push the adoption of cloud-based services across the federal IT landscape.

Cloud computing differs from traditional outsourcing because in the latter model it is still very much standalone computing: either you take your server and put it in someone else's data center, or you have an MSP managing your devices. In many cases, you know exactly where your data/host is and what resources, if any, you share with others. Cloud computing decouples data from infrastructure and obscures low-level operational details, such as where your data is and how it's replicated. Multitenancy, while rarely used in traditional IT outsourcing, is almost a given in cloud computing services. These differences give rise to a unique set of security and privacy issues that not only impact users' risk management practices, but have also stimulated a fresh evaluation of legal issues in areas such as compliance, auditing, and eDiscovery.

I’ve had many conversations recently with IT security and compliance professionals about cloud security, and the universal concern seems to be that there is a lack of visibility and standards across cloud providers. Users of cloud services are therefore left to fend for themselves, especially in terms of understanding and addressing security risks associated with outsourcing to the cloud.

The Madoff Scandal Widens to Include IT

The SEC announced on Friday that it is charging two computer programmers for their alleged participation in the Ponzi scheme for which Bernard Madoff pleaded guilty and headed off to jail last March.

In its complaint, the SEC alleges that, “Madoff and his lieutenant Frank DiPascali, Jr., routinely asked (Jerome) O'Hara and (George) Perez for their help in creating records that, among other things, combined actual positions and activity from... market-making and proprietary trading businesses with the fictional balances maintained in investor accounts.”

The SEC further alleges that O’Hara and Perez tried to cover their tracks by deleting hundreds of files, withdrew hundreds of thousands of dollars from their investments through the company, told Madoff they wanted to stop helping him, and then accepted larger salaries and substantial bonuses for their promise to keep quiet.

It will be interesting to watch this case unfold. I was hoping it would get into issues of whether the IT professionals were considered just uninvolved support staff or key participants in the scheme. Considering the evidence the SEC claims to have, I don't think we'll hear those arguments in this case, but keep an eye out for how the defense comes together. Fraud prevention is a growing area of concern for government, health care, insurance, financial services, and other industries... which means we could be seeing more cases questioning the responsibility of IT to identify and/or prevent such issues.

Measuring Disaster Recovery Maturity

Each year for the past three years I've analyzed and written on the state of enterprise disaster recovery preparedness. I've seen a definite improvement in overall DR preparedness during these past three years. Most enterprises do have some kind of recovery data center; enterprises often use an internal or colocated recovery data center to support advanced DR solutions such as replication and more "active-active" data center configurations; and finally, the distance between data centers is increasing. As much as things have improved, there is still a lot more room for improvement, not just in advanced technology adoption but also in DR process management. I typically find that very few enterprises are both technically sophisticated and good at managing DR as an ongoing process.

When it comes to DR planning and process management, there are a number of standards, including the British Standard for IT Service Continuity Management (BS 25777), other country standards, and even industry-specific standards. British Standards have a history of evolving into ISO standards, and there has already been widespread acceptance of BS 25777 as well as BS 25999 (the business continuity version). No matter which standard you follow, I don't think you can go drastically wrong. DR planning best practices have been well defined for years, and there is a lot of commonality in these standards. They will all recommend:

The iPhone “Worm” Presents No Risk to Most Users

Andrew Jaquith

Much breathless prose has been written about the Ikee malware circulating amongst iPhone owners. Described as the first iPhone worm, Ikee does something fairly funny: it replaces the user’s lock screen with a picture of Rick Astley, of 1980s “Never Gonna Give You Up” fame. In other words, it RickRolls your phone. According to the author, the worm circulates by scanning the phone’s local IP address range for other iPhones running the SSH daemon, and if it finds any, attempts to log in using the default root password. It then copies a JPEG file of the sainted Mssr Astley to the location where the picture is stored.

NAC Market Overview: Landscape Stabilizes And Musters More Features

I just wrapped up the NAC Market Overview and it’s now live. This is the first Forrester NAC market overview and builds on the work I did for the original NAC Wave last year. I must say that the market overview is far less strenuous and we know it delivers almost as much value. It’s fair to say that I enjoyed this research piece, but I still need to gear up for refreshing the Wave next year. Until then, we can share a lot of good stuff about this market overview and I welcome your thoughts on it.

Writing this market overview was a great learning experience. And it’s even better when you can have meaningful conversations around the research. For example, I saw that someone started a discussion about the NAC solutions on LinkedIn’s “Network Security - IPS and NAC” forum. And very timely that someone referenced this market overview in the discussion — good to see readers benefit from these reports.

MIT's attack on EC2 an academic exercise

Chenxi Wang

Virtual infrastructure has become the backbone of cloud computing, particularly in the area of infrastructure-as-a-service. This is why the latest attack on EC2 demonstrated by MIT researchers garnered a fair amount of attention in the press.

This is an attack against virtual computing resources, not necessarily against EC2 per se. In fact, this attack can potentially work against any virtual infrastructure, private cloud included.

Does this mean that there is a security vulnerability within EC2? Yes.

Should you be concerned? Not really.

This is an example of a "side-channel" attack. For this attack to be feasible, certain conditions must be true a priori. These conditions include that the attacker has knowledge of when the victim virtual machines would be launched. Some of these conditions, though not entirely impossible, are on the impractical side. While the author concedes that it is possible that an espionage attack with high-valued stakes may very well undertake such a method, it is hardly a concern for run-of-the-mill computing tasks running in EC2.

Your New Client Security Analyst

Andrew Jaquith

After seven years, my colleague Natalie Lambert is leaving Forrester. In the year that I have been at Forrester, she has been a good team-mate, sounding board for ideas, gleeful mischief-maker, and collaborator on shared research topics. I will miss her insights and energy, and I wish her the best as she begins her next adventure.
