Ok, so NASA failed an audit. Don’t we all? I think it is important to understand the government’s cloud computing adoption timeline before passing judgment on NASA for failing to meet its cloud computing requirements. And, as someone who has read NASA’s risk management program (and the 600 pages of supporting documentation), I can say that this wasn’t a failure of risk management policy or procedure effectiveness. Clearly, this was a failure of third-party risk management’s monitoring and review of cloud services.
The Cloud Is Nebulous
Back in 2009, NASA pioneered cloud technology with a shipping container-based public cloud technology project named Nebula -- after the stellar cloud formation. (I love nerd humor, don’t you?)
Photo Source: NASA
During 2009, NASA, to determine if current cloud provider service offerings had matured enough to support the Nebula environment, did a study. The study proved that commercial cloud services had, in fact, become cheaper and more reliable than Nebula. NASA, as a result of the study, moved more than 140 applications to the public sector cloud environment.
In October of 2010, Congress had committee hearings on cybersecurity and the risk associated with cloud adoption. But remember, NASA had already moved its noncritical data (like www.nasa.gov or the daily video feeds from the international space station, that are edited together and packaged as content for the NASA website) to the public cloud in 2009. Before anyone ever considered the rules for such an adoption of these services.
with Brownlee Thomas, Ph.D., Henning Dransfeld, Ph.D., Bryan Wang, Clement Teo, Fred Giron, Michele Pelino, Ed Ferrara, Chris Sherman, Jennifer Belissent, Ph.D.
Orange Business Services (Orange) recently hosted its annual analyst event in Paris. Our main observations are:
Orange accelerates programmes to get through tough market conditions. Orange’s’ vision in 2013 is essentially the same as the one communicated last year. However, new CEO Thierry Bonhomme is accelerating cost saving and cloud initiatives in light of tough global market conditions. The core portfolio was presented as connectivity, cloud services, communication-enable applications, as well as new workspace (i.e., mobile management and communication apps).
Orange proves its capability in network-based services and business continuity. Key assets are its global IP network and its network-based communications services capabilities. In this space, Orange remains a global leader. These assets form the basis for Orange taking on the role of orchestrator for network and comms services, capabilities that have (literally) weathered the storm, proving its strength in business continuity.
With apologies to the late great President Ronald Reagan, "trust but verify" is outmoded advice when it comes to computer network security. So, why do so many information security professionals still think trusted and untrusted networks zones are still best practice? Most think that people are trusted or untrusted. The problem with that thinking is you never know who can or cannot be trusted. Remember wikileaks? It was an inside job.
The solution: Zero Trust - Verify Then Trust
Meet John Kindervag, Forrester Principal Analyst and a leading expert in network and information security. He says that firms must take a Zero Trust approach to network security that means "verify then trust". In this episode of Forrester TechnoPolitics, John describes the what, why, and how of the Zero Trust approach to network and information security.
Podcast: Zero Trust - Your Only Hope For A Secure Network (8 mins)
I’m very excited to kick off survey development for upcoming Forrester Forrsights surveys that will feature security content. Continuing on from previous years will be the Forrsights Security Survey. This is an annual survey of IT security decision-makers from North American and European SMBs and enterprises. New for 2013 is a Workforce Survey that will provide the (also North American and European) employee perspective when it comes to security and devices in use within their workplace.
These surveys will be fielded April through May, and the results will make their way into published research this summer. Survey development starts now, and I would love to hear what you think about the proposed topics. What are some areas where you’d like to see us gather more data?
Come again? You mean to tell me that Eve Maler, one of Forrester's experts on emerging identity and security solutions, has never changed her Amazon password? Yep. She aptly points out that "Amazon has no password rules." While passwords aren't dead, she says, firms that rely only on passwords for identity management are vulnerable to serious breaches. Most firms have "terrible hygiene" when it comes to identity management.
In this episode of TechnoPolitics, Eve Maler discuss how firms like Amazon and Paypal use a "constellation" of risk-based authentication techniques and technologies to protect customers' identity. The courage to make tough calls — that's Eve.
Podcast Listening Options — The Future Of Identity Management
More and more data is stored online by both consumers and businesses. The convenience of using services such as Dropbox, Box, Google Drive, Microsoft Live Skydrive, and SugarSync is indisputable. But, is it safe? All of the services certainly require a user password to access folders, and some of the services even encrypt the stored files. Dropbox reassures customers, "Other Dropbox users can't see your private files in Dropbox unless you deliberately invite them or put them in your Public folder."
The security measures employed by these file-synching and sharing services are all well and good, but they can be instantly, innocently neutered by a distracted programmer. Goodbye privacy. All your personal files, customer lists, business plans, and top-secret product designs become available for all the world to see. How can this happen even though these services are sophisticated authetication and encryption technologies? The answer: a careless bug introduced in the code.
Below is some Java code I wrote for a fictitious file-sharing service called CloudCabinet to demonstrate how this can happen. Imagine a distracted programmer texting her girlfriend on her iPhone while cutting and pasting Java code. Even non-Java programmers should be able to find the error in the code below.
Think you developed a secure mobile app? Think again. Many mobile app developers have a naive notion of app security that leads them into believing their apps are secure when they are not. Some developers authenticate users and encrypt passwords and think that they’re all set, but there could still be security holes so wide you could sail a ship through them. The results of releasing an insecure app can include financial loss, reputation tarnish, lawsuits, and Twitter shame.
When designing your mobile apps and mobile backend services, be sure to consider the six security properties of confidentiality, integrity, availability, authentication, authorization, and nonrepudiation (see Figure below). Simply considering how each security property applies to your app won't make it more secure. You will need to perform threat modeling on your design and find solutions to secure your app based on your specific technology and use cases. Don't forget that the mobile backend services must be secure too.
There is growing evidence of a harmonic convergence of Infrastructure and Operations (I&O) with Security and it is hardly an accident. We often view them as separate worlds, but it’s obvious that they have more in common than they have differences. I live in the I&O team here at Forrester, but I get pulled into many discussions that would be classified as “security” topics. Examples include compliance analysis of configuration data and process discipline to prevent mistakes. Similarly, our Security analysts get pulled into process discussions and other topics that encroach into Operations territory. This is as it should be.
Some examples of where common DNA between I&O and Security can benefit you and your organization are:
Gain economic benefit by cross-pollinating skills, tools, and organizational entities
Improve service quality AND security with the same actions and strategies
Learn where the two SHOULD remain separate
Combine operational NOC and security SOC monitoring into a unified command center
Develop a plan and the economic and political justifications for intelligent combinations