Ok, so NASA failed an audit. Don’t we all? I think it is important to understand the government’s cloud computing adoption timeline before passing judgment on NASA for failing to meet its cloud computing requirements. And, as someone who has read NASA’s risk management program (and the 600 pages of supporting documentation), I can say that this wasn’t a failure of risk management policy or procedure effectiveness. Clearly, this was a failure of third-party risk management’s monitoring and review of cloud services.
The Cloud Is Nebulous
Back in 2009, NASA pioneered cloud technology with a shipping container-based public cloud technology project named Nebula -- after the stellar cloud formation. (I love nerd humor, don’t you?)
Photo Source: NASA
During 2009, NASA conducted a study to determine whether commercial cloud provider offerings had matured enough to support the Nebula environment. The study showed that commercial cloud services had, in fact, become cheaper and more reliable than Nebula, and as a result NASA moved more than 140 applications to the public cloud environment.
In October of 2010, Congress held committee hearings on cybersecurity and the risk associated with cloud adoption. But remember, NASA had already moved its noncritical data (like www.nasa.gov, or the daily video feeds from the International Space Station that are edited together and packaged as content for the NASA website) to the public cloud in 2009, before anyone had considered the rules for adopting such services.
Before joining Forrester, I ran my own consulting firm. No matter how ridiculous the problem or how complicated the solution, when a client would ask if I could help, I would say yes. Some people might say I was helpful, but I was in an overconfidence trap. There was always this voice in the back of my mind that would say, “How hard could it be?” Think of the havoc that kind of trap can wreak on a risk management program. If any part of the risk program is qualitative, and you are an overconfident person, your risk assessments will be skewed. If you are in an overconfidence trap, force yourself to estimate the extremes and imagine the scenarios in which those extremes can happen. This will help you recognize when you are being overconfident and allow you to find the happy medium.
Have you ever padded the budget of a project “just to be safe”? I hate to tell you this, but you are in the prudence trap. By padding the project budget, you are anticipating an unknown. Many other managers in your company may be using the same “strategy.” But the next time you do a project like this, you will pad the budget again, because the inherent uncertainty is still there. The easiest way to keep your risk management program out of the prudence trap is to never adjust your risk assessments to be “on the safe side.” There is nothing safe about using a psychological trap to predict risk.
There are many ways to skin a cat. The same can be said of innovation. When I mention innovation in conversation, people generally think about a process of making a product bigger, faster, better, or stronger. However, product improvement is just one type of innovation. Innovation can target the process around creating a product, resulting in lower costs, such as the "lean manufacturing" innovations from the automobile company Toyota. Innovation can target improvements in the design of marketing materials, creating a more emotionally appealing advertising campaign and resulting in higher revenue. Marketing innovation has been used by numerous firms over the years to reinvigorate their concepts and their company. Samsung designed its Bordeaux television line after being inspired by a wine glass, and it has been at the top of the television market ever since. Innovation can even mean cultural innovation, in which the culture of the company changes to come in line with a newly updated corporate vision, increasing employee loyalty, retention, and overall happiness. Innovation has many faces.
Allow me to introduce myself. I am Renee Murphy, and I am a new Senior Analyst here at Forrester Research. Prior to joining Forrester, I was both an internal and an external auditor. My experience includes network and data center engineering and management, operations process development and implementation, and creating auditable technology environments in many different industries with diverse client needs.
I often say that trust is not a control, luck is not a strategy, and if you can’t have fun in Albuquerque, you aren’t a fun person. (That last one isn't really useful unless you are in Albuquerque and having a bad time.) I joined Forrester to use my audit powers for good and not evil, and I plan to assist you with your audit issues, control frameworks, regulatory requirements, risk management, and security, and with building stronger relationships between you and your auditors.
With my extensive regulatory knowledge and technical process expertise, my goal is to give Forrester clients a unique view of your regulatory and best practice programs to ensure that you take advantage of the efficiencies that strong audit and control frameworks can provide. I will also help you navigate the security and risk ramifications of existing and upcoming regulatory requirements.
I am proud and very excited to be part of the Forrester family and I look forward to working closely with our clients to help them achieve their GRC goals.
Today we saw the announcement of the Samsung smartwatch, Galaxy Gear.
I am certain that this new smartwatch form factor will fill a niche: initially augmenting the input and output of a (Samsung, at first) mobile phone or device, and then, with further miniaturization, taking over more and more of the functionality of the smartphone.
Beyond the cool factor, there are immense and also immediate security benefits to be gained from a smartwatch:
You can use the smartwatch as an "invisible" token. If the watch is on your wrist, an application running on the smartphone, mobile device, or even a PC will sense the proximity of the smartwatch and thus authenticate you and let you in. Without the smartwatch nearby, you won't be able to (easily) log into the mobile application. This is very similar to Entrust's mobile phone token paired over Bluetooth with a PC, except now the smartphone is the PC and the token is the smartwatch. Further, it's a lot harder to steal your watch than it is to steal your mobile phone. The watch can also use motion, gait, etc. as extra factors for authentication beyond just "being there." Putting a fingerprint reader on a smartwatch may also be an easy way to authenticate users.
Voiceprint authentication to the watch and through the watch. This is where voice control and voiceprint authentication will come of age. Since the smartwatch lacks any usable input interface other than voice control, using your voiceprint to authenticate 1) to the smartwatch and its applications and 2) through the smartwatch to the smartphone or mobile device will be the easiest option. We expect that this use case will give a whole new boost to the voiceprint biometrics market.
In Forrester's 16-criteria evaluation of comprehensive identity and access management (IAM) suites, we identified the nine most significant vendors in the category — Aveksa, CA Technologies, Courion, Dell, IBM, NetIQ, Oracle, Ping Identity, and SecureAuth — and researched, analyzed, and scored them. This report details our findings about how well each vendor fulfills our criteria and where they stand in relation to each other to help security and risk (S&R) professionals select the right partner for their enterprise, business-to-business, and consumer-facing IAM deployments. Get the document at http://www.forrester.com/The+Forrester+Wave+Identity+And+Access+Management+Suites+Q3+2013/fulltext/-/E-RES99281
All of the fighting has resulted in multiple casualties. BlackBerry couldn't keep up the pace and was eventually chopped off at the knees. Microsoft has yet to gain enough developer volume to be a real threat and will eventually reinvent itself as a new company under new leadership. Third-party app stores are distributed and nimble but really amount to nothing more than splinter groups using guerrilla tactics against the major nation states. They just can't compete in the long term.
In the United States, Google Play and Apple iTunes have become the two superpowers in the mobile app war. With exceptional mobile application uptake, these two players have come to dominate the consumer mobile space. Phones don't sell phones... applications sell phones, and these two players have won.