Contributing analysts to this blog: Stephanie Balaouras, Ed Ferrara, Rick Holland, Eve Maler, Chris McClean, Heidi Shey, Chenxi Wang. Photo credit: SC magazine.
Walking on the RSA 2013 show floor, it was a chaotic, noisy, and energetic place, pulsing with excitement. The industry has reasons to celebrate; the security space is white hot, with more VC money pouring into the space than ever before; Obama’s recent executive order placed cybersecurity front and center. RSA this year was bigger, louder, and more bullish than ever, with more than 360 vendors exhibiting, 24,000 attendees, and 394 talk sessions.
The week heading to the conference was interesting to say the least; with Java 0-days wreaking havoc on the Internet and the Mandiant report taking every major newspaper headline, RSA could not have had a better set-up.
After the dust (and the smoke) settled, we, the Forrester security team, came away with these impressions and takeaways:
On Tuesday, President Obama issued a Cybersecurity Executive Order, which outlined policies to defend against cyber attacks and espionage on US companies and government agencies. The EO came nearly a year after the proposed and much-hated Cyber Intelligence Sharing and Protection Act (CISPA) got stalled in the Senate. The privacy community sees the CISPA as a great threat to Internet privacy. Many of them are encouraged by this executive order, which stayed away from suggesting changes to privacy laws and regulations.
The salient points of the EO are as follows:
The president acknowledged formally that information warfare, at the level of nation states, is ongoing and is a clear and present danger.
The government will build a “Cybersecurity framework” with the private sector to share information on cyber attacks and threats, with the goal to reduce Cyber risk to critical infrastructure.
The Cybersecurity framework will expand existing government programs to bring more private sector subject-matter experts into Federal service on a temporary basis.
Unlike the CISPA, the EO does not carry languages that will change or direct impact privacy laws and regulations.
The EO puts forth specific timelines on the publication of the Cybersecurity framework as well as an assessment report on its implication to privacy.
Last week I flew to Puerto Rico to attend Kaspersky’s industry analyst summit (IAS). This is the second year that Kapersky held a global analyst summit. The event is co-located with their security analyst summit (SAS), which is turning into a mini black hat event with attendance from many premier security researchers in the industry. Unfortunately, I only had time for IAS this year.
Kaspersky is an interesting company. In the last 10 years, they came out of nowhere, built a global brand, established their founder Eugene Kaspersky as a cybercrime-fighting celebrity in popular media (see the Vanity Fair and Wired articles on Kaspersky, and the Formula One sponsorship), and at the same time, grew a tremendous business.
As Kaspersky’s CMO, Alex Erofeev, got on stage talking about how the Kaspersky brand, in many parts of the world, is now the third most well-known AV brand behind Symantec and McAfee. I did a bit of Googling. Look what the Google trends graph below shows (search volume from 2004 to 2013) -- not only the global search volume for “Kaspersky” has increased over the years, it has surpassed “Symantec” and “McAfee”! This is no small achievement for a company that, until two years ago, had no formal B2B marketing function.
Mobile security and operations continues to be one of the hottest topics for organizations across industries. Mobility holds the promise of fostering new innovations, reaching new audiences and, most importantly, creating never-before-seen user experiences and business opportunities. For example, productivity gains brought on by “anytime”, “anywhere”, “any device” access are already revolutionalizing customer service, collaboration, and supply chain management, and many other aspects of business processes.
But delivering what mobile promises in a secure and safe way is a difficult proposition today. The mobile technology ecosystem is changing a million miles a minute: many technologies are still maturing, which led to a fragmented and semi-technology market. As a result, Security & Risk (S&R) and Infrastructure & Operations (I&O) professionals struggle to enforce consistent IT security and operations policies in this new environment where mobile devices have become the norm and customers and employees alike have come to expect certain business functions delivered over the mobile channel, regardless of the risk.
The Mobile Security & Operations Playbook contains content designed specifically for IT security and operations professionals to address these challenges. The playbook covers four key strategy aspects: 1) Discover: articulate the value of mobile security and operations in business terms; 2) Plan: set the strategy for mobile security operations; 3) Act: execute the strategy; and 4) Optimize: measure and optimize mobile security operations. To see a high level overview of the playbook, download the executive overview report.
Data privacy laws are the champions of citizens' rights in the digital age. However, multi-national organizations often find these laws challenging to navigate given the complex framework of global legal requirements. To help our clients address these challenges, Forrester developed a research and planning tool called the Data Privacy Heat Map (try the demo version here). Leveraging in-depth analyses on the privacy legislation of 54 countries around the world, this product is aimed at helping our clients better strategize their own global privacy and data protection approaches.
Using the tool, one can quickly determine how various countries stack up against each another in terms of their data privacy standards. Each country has been rated across seven key criteria, covering the breadth of law, EU adequacy, data transfer limitations, government surveillance activities, etc. Leveraging this data, our clients will be able to establish their own data privacy “high watermarks”, ensuring compliance in all locales in which their organization operates. One such application is in the use of cloud computing. Since the cloud is borderless, jurisdictional-based privacy laws are often a mismatch when applied to clouds. When considering outsourcing to a cloud service, companies should consult Forrester’s Privacy Heat Map to determine, for example, whether their data will be at risk of residing in a country with questionable governance surveillance practices.
This report was inspired by a number of customer inquiries that I had recently on mobile password policies. It struck me that few IT organizations actually understood the fundamental rationale behind password policies - length and complexity of passwords, number of password retries, and password lifetime. This is perhaps because we take user passwords, one of the most basic security controls, for granted, and hence don't think about it too deeply. Because it is such a prevalent security control, and because many organizations don't have much beyond user passwords, it is high time we understand why we set a particular password policy and whether that works for our particular risk profile.
So I set out to write this report - trying to describe the theoretical underpinnings of password properties. For example, if you require that your mobile users use a 6-digit PIN to access their mobile phones, do you know how many PIN fail-retries you should permit but still achieve NIST level one authentication? What about a 6-character alphanumeric password?
Today the rumor mill is churning with chatters that the current CEO Leo Apotheker will resign after the bell. The new person tipped to step in is the former eBay CEO, tech heavyweight Meg Whitman.
HP desperately needs an inspiring leader; Meg may just be the person to fill that role. In recent years, HP has been taking on confusing identities - is HP a consumer hardware company, or is HP a IT services company like IBM, or is HP an enterprise software company? HP cannot be all things to all people, it must decide which course of action to take to boost their shareholder value and prevent their 30,000 employees from defecting to Google, Facebook, and the tech newcomers. HP was once that tech newcomer that everyone aspired to work for. Is Meg the person to bring back the old glory? What do you think?
The security group at Forrester has been handling a steady stream of client inquiries regarding EU data privacy laws, from both EU and North America clients. While there are many good legal sources out there, we thought it'd be a good idea to compile a list of common Q&A questions about EU privacy laws into a report, to serve as a definitive information source for Forrester clients.
The report, titled: “Q&A: EU Privacy Regulations,” is now live on Forrester's website. It is not our intention, by writing this report, to give legal advice. Rather, we envisioned this report to be a repository of the most important information regarding EU privacy laws, updated every 18 months or so. The report has a wealth of information, including links to actual information sources – be that EU's data protection directive web site or interesting studies/analysis done by external parties. For example, one noteworthy study on US Safe Harbor is by Chris Connelly from Galexia consulting. He looked at 2,170 US companies that claimed to be Safe Harbor compliant. Out of these, 940 do not provide information on how to enforce individuals' rights; 388 were not even registered with the US Department of Commerce.
The report also contained information on Model Clauses and Binding Corporate Rules, for which we are beginning to see increased interest. We also discussed new and pending privacy laws in the report, including the EU “cookies” directive and EU's view on geo-location privacy.
Innovations in mobile technologies are making the mobile Internet increasingly ubiquitous and powerful. Consumers are drawn to the mobile Internet because it can be highly contextual and leverages information such as geo-location, presence, and user-specific information to deliver a rich and intensely personal experience.
As my colleague Julie Ask pointed out in her new report eBusiness: The Future Of Mobile Is User Context, companies that produce consumer products/services will increasingly take user context into account to produce convenient products with relevancy and immediacy for consumers. Already location-aware applications are becoming more and more ubiquitous; our movements as individuals are invariably documented somewhere.
Our phone is packed with sensors that can gather more contextual information about its surroundings than anything we’ve seen before. Sensors such as GPS, accelerometers, gyroscopes, NFC, and high resolution cameras are now commonplace in smartphones. Emerging sensor technologies like barometer, microbolometers, and chemical sensors will provide even richer user context information.
Soon your phone will not only know where you are, but what you are doing, how fast you are moving — and if Apple gets their way, the rate your heart beats!
It was revealed yesterday that iPhones/iPads (with iOS 4.0 or later) have been logging the location information of the device and storing that in a hidden file on the phone or the iPad.
This discovery, presented by researchers Alasdair Allan and Pete Warden, at the O’Reilly Where 2.0 conference this week, has sent shock waves through the high tech community. “What? This file contains my whereabouts for the past year? WTF?” was most people’s first reaction when the news broke.
Many iPhone/iPad apps have access to the geolocation of the device, but most only access it at a given point of time and do not attempt to log or create a history file of this information. The discovery that such logs exist begs the question why Apple was logging this data and whether it has any intention of utilizing the information.
I can imagine a number of reasons why Apple would want to collect this data and how they might use it. Device tracking, for instance, is a popular parental control feature that users want. Think your teenager lied to you about his/her whereabouts yesterday? No problem, just log into MobileMe and verify the location tracking information. Similarly, a credit-protection app can be instructed to report the phone’s general location at the time of a suspicious credit card transaction— if the card is used in England and the credit card owner’s phone is in Alabama, hmm… something could be amiss here.