Data Protection In The Cloud: The Facade Of Vendor Trust Is Crumbling

Many non-US organizations operate under privacy regulations that require that customer data remain within their countries or jurisdictions. In response, US cloud providers build data centers and host their applications inside countries that they're selling their solutions to.

However, all this is nothing but theater. These requirements are far more useful as a local jobs program rather than as an effective privacy practice. I've warned about this before: Any US vendor is going to be handing over data under a US subpoena, and most certainly under a National Security Letter. It doesn't matter if it resides in a data center on US soil, in the EU, or even in outer space.

So it's refreshing to see a vendor openly admit this, as Microsoft has.

Maybe now that we're all starting to be honest with each other this issue will gain some traction, and vendors will begin to incorporate some real data protection measures into our cloud environments, such as encrypting the data in such a way where only customers - not the cloud providers - have the keys. I suspect we'll start to see such requirements begin to show up in a lot of RFPs.
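What "only the customer has the keys" looks like in practice is client-side envelope encryption: every object gets its own data encryption key (DEK), the DEK is wrapped under a key encryption key (KEK) that never leaves the customer, and the provider stores only ciphertext plus the wrapped DEK. The following Go program is an added illustration written for this page, not code from any vendor or from the original post; the envelope layout, the use of the object identifier as GCM additional data, and the in-memory KEK (in a real deployment it would sit in a customer-controlled HSM or key store) are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is everything the cloud provider stores for one object. It carries
// no key the provider can use: the DEK is present only wrapped under the
// customer-held KEK.
type Envelope struct {
	ObjectID   string // bound as AAD so ciphertext can't be moved between objects
	WrapNonce  []byte
	WrappedDEK []byte // DEK || GCM tag, encrypted under the KEK
	DataNonce  []byte
	Ciphertext []byte // plaintext || GCM tag, encrypted under the DEK
}

// NewKEK generates a 256-bit customer key. Assumption for this example: it is
// generated and held on the customer side and is never uploaded anywhere.
func NewKEK() ([]byte, error) {
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		return nil, err
	}
	return kek, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith encrypts with AES-256-GCM under a fresh random 96-bit nonce.
func sealWith(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func openWith(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Seal runs on the customer side before upload: a fresh DEK per object, the
// data under the DEK, the DEK under the KEK. Only the Envelope leaves the client.
func Seal(kek []byte, objectID string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	aad := []byte(objectID)
	dataNonce, ct, err := sealWith(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := sealWith(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &Envelope{objectID, wrapNonce, wrapped, dataNonce, ct}, nil
}

// Open runs on the customer side after download. Without the KEK (the provider,
// or whoever serves legal process on the provider) unwrapping fails, so there
// is no plaintext to hand over.
func Open(kek []byte, env *Envelope) ([]byte, error) {
	aad := []byte(env.ObjectID)
	dek, err := openWith(kek, env.WrapNonce, env.WrappedDEK, aad)
	if err != nil {
		return nil, errors.New("cannot unwrap DEK: wrong KEK, or envelope/object ID tampered")
	}
	pt, err := openWith(dek, env.DataNonce, env.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("cannot decrypt object: ciphertext tampered")
	}
	return pt, nil
}

func main() {
	kek, _ := NewKEK()
	// Constructed sample record, not real customer data.
	env, _ := Seal(kek, "tenant-42/customers.csv", []byte("alice,EU,2011-06-30"))
	fmt.Printf("provider holds %d ciphertext bytes and a %d-byte wrapped DEK, no KEK\n",
		len(env.Ciphertext), len(env.WrappedDEK))
	if pt, err := Open(kek, env); err == nil {
		fmt.Printf("customer decrypts: %q\n", pt)
	}
	other, _ := NewKEK()
	if _, err := Open(other, env); err != nil {
		fmt.Println("provider-side attempt without the KEK:", err)
	}
}
```

Two design points worth noting: binding the object ID as GCM additional data means a provider (or an attacker with provider access) cannot serve one tenant's ciphertext under another object's name without the customer noticing, and using a fresh DEK per object keeps the number of messages encrypted under any single key small; the KEK still wraps many DEKs with random nonces, so with 96-bit nonces the usual AES-GCM bound of well under 2^32 wraps per KEK applies before the KEK should be rotated.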

Forget About Security's Impact On Business -- What About Business' Impact On Security?

These days, it’s not just modern-day Willie Suttons behind cyberattacks. While financial motivations still drive the mindset of most hackers, we’re seeing a renaissance of high-profile attacks perpetrated for political and ideological purposes. Hacktivism isn’t new, but combined with the rising likelihood of success and the greater damage from successful attacks, we should expect to see it more often.

What it means:

Just as security decisions have a business impact, we are now seeing business decisions have a security impact. Some organizations will always be a target: governments, banks, and, as we’ve recently seen, international bodies like the IMF. But other organizations step into the line of fire: Anonymous attacked PayPal, MasterCard, and others because of their actions against WikiLeaks and Assange, while Sony’s legal actions against George Hotz (for jailbreaking the PS3) led to the spate of LulzSec attacks against it.

Read more

What The New White House Cybersecurity Proposal Means For The IT Security Industry, Businesses, And Consumers

The White House released a proposal for cybersecurity legislation today. The fact sheet can be found here. This is a proposal for legislation – a framework for a bill. What final bill emerges and gets voted on, and ultimately becomes law (if anything does), is yet to be determined. I have only read through the fact sheet, so here is my preliminary analysis.

Noteworthy elements:

1. This goes beyond CIP (critical infrastructure protection).
The proposal focuses primarily on critical infrastructure protection. But it also extends to the area of data breaches in general – which can hit organizations in any industry sector. Related to that, it also addresses consumer protections regarding data breaches. This added focus on consumer protection really has nothing to do directly with CIP. But the cybersecurity proposal is probably Obama’s best chance to get something like this through. However, I put the chances of these consumer protections surviving the legislative journey at less than 50%.

2. DHS is taking a lead role in security information sharing.

According to the fact sheet:

“Organizations that suffer a cyber intrusion often ask the Federal Government for assistance with fixing the damage and for advice on building better defenses…[This proposal] provides [organizations sharing information with the DHS] with immunity when sharing cybersecurity information with DHS. At the same time, the proposal mandates robust privacy oversight to ensure that the voluntarily shared information does not impinge on individual privacy and civil liberties.”

Read more

The Reemergence Of Endpoint Protection

I found the RSA Conference completely exhausting, but also intellectually invigorating. (Shameless plug: you can see me speaking on an RSA Keynote panel about the future of authentication here.) I came away with a much clearer picture of the trends shaping the future evolution of our market.

The first one I want to talk about is the reemergence of the endpoint as a key element of security architecture.

As our IT environments have evolved, we’ve moved a lot of our security controls into the network and into applications. While these technologies and services will remain relevant and investment in them will continue to increase, I predict a radical swing back to the endpoint as a focus for security.

I see this driven by four major market trends:

  • Virtualization. With virtualization, security functions that existed on the network (firewall, IPS, WAF, etc.) are moving on the host, integrating through APIs like vShield to capture inter-VM traffic. Moreover, it makes no sense to copy the model we have today of procuring a different function from different vendors and putting multiple agents onto servers. Instead, we will inexorably, and quickly, follow what happened at the desktop: vendors will consolidate functions into single-agent "suites" with unified management and reporting.

Read more

Novell Acquired By Attachmate

News hit today that Novell will be acquired by Attachmate, which in turn is owned by an investment group led by Francisco Partners, Golden Gate Capital and Thoma Bravo.

My colleague, Chris Voce, has posted about what this means to Infrastructure & Operations professionals.

Here are my observations regarding the impact on and implications for the vendor community:

  1. This is a deal focused on systems management. It's a deal for what Novell gives Attachmate in the systems management space by way of market share (led by ZENworks), portfolio-expanding technology (BSM, CMDB, etc.), and tech innovation (virtualization and cloud).
     
  2. This puts SUSE on the auction block. Most of Novell is staying as a separate brand alongside NetIQ and Attachmate. SUSE is also becoming another brand. Given that there are so many ways to divvy up Novell (e.g., merging Novell's systems and security management with NetIQ), SUSE is conspicuous as its own brand. It's certainly not core to Attachmate, and this brings up all sorts of speculation as to whether they plan on selling off SUSE (or will be made an offer too good to pass up). There are the obvious acquirers worth speculating about: IBM and HP. Other candidates include Oracle, EMC, Cisco, or Dell: anyone with an appliance business moving up the stack, or in Oracle’s case a platform business expanding to sell appliances, could potentially turn SUSE into a key asset. SAP is another contender. Any acquisition of SUSE could, in turn, put Red Hat into play.
     
Read more

Why Cloud Radically Changes The Face Of The Security Market

When does a shift create new market? When you have to develop new products, sell them to different people than before who serve different roles, have a different value proposition for your solutions, and they’re sold with different pricing and profitability models – well, that in my view is a different market.

Cloud represents such a disruption for security. And it’s going to be a $1.5 billion market by 2015. I discuss the nature of this trend and its implications in my latest report, “Security And The Cloud”.

Most of the discussion about cloud and security solutions has been about security SaaS: the delivery model for security shifting from on-premise to cloud-based. That’s missing the forest for the trees. Look at how the rest of IT (which is about 30 times the size of the security market) is moving to the cloud. What does that mean in terms of how we secure these systems, applications, and data? The report details how the security market will change to address this challenge and what we’re seeing of that today.

Vendors have finally started to come to market with solutions, though as you’ll see from the report, we’re still at the early stages with far more to go. And developing solutions for cloud environments requires a lot more than scaling up and supporting multi-tenancy. But heightened pressure by cloud customers and prospects is fueling the rapid evolution of solutions. How rapid and radical an evolution? By 2015, security will shift from being the #1 inhibitor of cloud to one of the top enablers and drivers of cloud services adoption.

Read more

National Security Or Security Chauvinism?

My colleague Heidi Shey brought this article to my attention. It talks about how China mandates that government and core industry sectors (banks, transportation, etc. -- what we would refer to as "Critical Infrastructure" sectors) buy certain IT products only from Chinese companies. The attorney quoted in the article says that "Right now, it seems to only affect the companies that are in the information security sector," but the journalist wasn't able to substantiate or refute this. There could indeed be a national security rationale behind this -- however misguided. Of course, this isn't the first time we've seen interests of national security come into direct conflict with interests of corporate security: see RIM's troubles with the BlackBerry in Saudi Arabia, the UAE, and India; or ask a US-based service provider selling to overseas companies about those customers' concerns over whether their data would be exposed to USA PATRIOT Act disclosure. Some vendors I've spoken to speculate (off the record) that this could all be designed to give the Chinese government access to these systems by having the Chinese vendors install back doors. Others think this is simply a matter of funneling business to Chinese companies.

Whatever the reason, I'd be interested to hear from you about whether this is really happening or not. Do you sell security, or other IT infrastructure, products in China? Are you seeing this come up as an issue with Chinese companies in certain industry sectors? Are you seeing anything similar in other countries?

More About Intel-McAfee

Questions keep pouring in about this deal, so I'll attempt to answer the most common ones here. Practically every analysis I've seen calls this a "head-scratcher", and so they slam the deal simply because they don't understand it.

Read more

Don't Underestimate Intel And McAfee

Intel and McAfee, the odd couple of technology? At first blush, Intel is not a "best fit" acquirer like HP or IBM, which have major software businesses, existing security solutions, and related capabilities such as systems management. And Intel is not a services company either. So it's straightforward to spot the potential problems that need to be addressed.

But a longer-term perspective indicates that these two companies are on to something fundamental and could create a force to be reckoned with within the tech industry. We believe embedded, or integrated, security is the future. The acquisition is ahead of the market and will thus accelerate this evolution. Standalone security products, and the companies that create them, are on borrowed time. We will see security embedded into hardware, in mobile devices, M2M devices, smart computing devices (e.g., smart grid meters), laptops, and just about everything else. Embedding security at the chip level is not a new concept either. Companies like Renesas and ARM already do this. Cisco has also been embedding security into the network, while Microsoft has embedded it into the platform. In systems, we see embedded security in Internet service provider (ISP) devices most prevalently today.

Read more