With apologies to the late great President Ronald Reagan, "trust but verify" is outmoded advice when it comes to computer network security. So, why do so many information security professionals still think trusted and untrusted network zones are best practice? Most think that people are trusted or untrusted. The problem with that thinking is you never know who can or cannot be trusted. Remember WikiLeaks? It was an inside job.
The solution: Zero Trust - Verify Then Trust
Meet John Kindervag, Forrester Principal Analyst and a leading expert in network and information security. He says that firms must take a Zero Trust approach to network security, which means "verify then trust". In this episode of Forrester TechnoPolitics, John describes the what, why, and how of the Zero Trust approach to network and information security.
Podcast: Zero Trust - Your Only Hope For A Secure Network (8 mins)
I’m very excited to kick off survey development for upcoming Forrester Forrsights surveys that will feature security content. Continuing on from previous years will be the Forrsights Security Survey. This is an annual survey of IT security decision-makers from North American and European SMBs and enterprises. New for 2013 is a Workforce Survey that will provide the (also North American and European) employee perspective when it comes to security and devices in use within their workplace.
These surveys will be fielded April through May, and the results will make their way into published research this summer. Survey development starts now, and I would love to hear what you think about the proposed topics. What are some areas where you’d like to see us gather more data?
Come again? You mean to tell me that Eve Maler, one of Forrester's experts on emerging identity and security solutions, has never changed her Amazon password? Yep. She aptly points out that "Amazon has no password rules." While passwords aren't dead, she says, firms that rely only on passwords for identity management are vulnerable to serious breaches. Most firms have "terrible hygiene" when it comes to identity management.
In this episode of TechnoPolitics, Eve Maler discusses how firms like Amazon and PayPal use a "constellation" of risk-based authentication techniques and technologies to protect customers' identity. The courage to make tough calls — that's Eve.
Podcast Listening Options — The Future Of Identity Management
More and more data is stored online by both consumers and businesses. The convenience of using services such as Dropbox, Box, Google Drive, Microsoft Live Skydrive, and SugarSync is indisputable. But, is it safe? All of the services certainly require a user password to access folders, and some of the services even encrypt the stored files. Dropbox reassures customers, "Other Dropbox users can't see your private files in Dropbox unless you deliberately invite them or put them in your Public folder."
The security measures employed by these file-synching and sharing services are all well and good, but they can be instantly, innocently neutered by a distracted programmer. Goodbye privacy. All your personal files, customer lists, business plans, and top-secret product designs become available for all the world to see. How can this happen even though these services use sophisticated authentication and encryption technologies? The answer: a careless bug introduced in the code.
Below is some Java code I wrote for a fictitious file-sharing service called CloudCabinet to demonstrate how this can happen. Imagine a distracted programmer texting her girlfriend on her iPhone while cutting and pasting Java code. Even non-Java programmers should be able to find the error in the code below.
Think you developed a secure mobile app? Think again. Many mobile app developers have a naive notion of app security that leads them into believing their apps are secure when they are not. Some developers authenticate users and encrypt passwords and think that they’re all set, but there could still be security holes so wide you could sail a ship through them. The results of releasing an insecure app can include financial loss, reputation tarnish, lawsuits, and Twitter shame.
When designing your mobile apps and mobile backend services, be sure to consider the six security properties of confidentiality, integrity, availability, authentication, authorization, and nonrepudiation (see Figure below). Simply considering how each security property applies to your app won't make it more secure. You will need to perform threat modeling on your design and find solutions to secure your app based on your specific technology and use cases. Don't forget that the mobile backend services must be secure too.
Huawei hosted about 160 industry and financial analysts at its ninth annual analyst summit in Shenzhen, China in April 2012. The event showed us that Huawei’s carrier network activities are becoming increasingly software-focused. Huawei is building up its network software and professional services capabilities. This drive is reflected in its SoftCom solution, driven by the cloud computing delivery model in the network space. Huawei is well aware of the role software will play for future distributed and virtualized network infrastructure and network-centric solutions, where the data center is effectively becoming the phone switch for ICT solutions. In fact, Huawei goes as far as to say that hardware will be fairly commoditized and that differentiation will be based on software. Huawei is a member of more than 130 industry standard-defining bodies; as such, it influences the development of industry standards. Huawei maintains its own silicon chip fabrication capabilities (HiSilicon), which help deliver opex reductions and greater energy efficiency as part of its networking solutions for wired and wireless (WiFi, WiMAX, and LTE) environments. Huawei has been designing and assembling servers for a decade and offers blade and rack configurations designed to support cloud and virtualization environments. Huawei’s security solutions, greatly enhanced by Huawei buying the remaining 49% stake in its Huawei Symantec joint venture recently, include firewall, VPNs, intrusion detection, application gateways, and unified threat management. Huawei also works with other leading ICT vendors to deliver solutions according to customer requirements. Huawei’s GalaX Cloud operating system delivers large scale virtualization capability for compute and storage resources in a cloud deployment. Huawei assists carriers and enterprise customers with design implementation and operation of deployments through its SmartCare Services solution, which monitors and ensures the
There is growing evidence of a harmonic convergence of Infrastructure and Operations (I&O) with Security, and it is hardly an accident. We often view them as separate worlds, but it’s obvious that they have more in common than they have differences. I live in the I&O team here at Forrester, but I get pulled into many discussions that would be classified as “security” topics. Examples include compliance analysis of configuration data and process discipline to prevent mistakes. Similarly, our Security analysts get pulled into process discussions and other topics that encroach into Operations territory. This is as it should be.
Some examples of where common DNA between I&O and Security can benefit you and your organization are:
Gain economic benefit by cross-pollinating skills, tools, and organizational entities
Improve service quality AND security with the same actions and strategies
Learn where the two SHOULD remain separate
Combine operational NOC and security SOC monitoring into a unified command center
Develop a plan and the economic and political justifications for intelligent combinations
It has been a few years since Forrester delved deeply into the issues surrounding consumer privacy, and in that time, an awful lot has changed:
Facebook Connect, Google ID, Yahoo Identity, and Sign In With Twitter have emerged as a whole new way of being recognized across a myriad of websites across the Net. As little as a decade ago, most adults online couldn’t have imagined the convenience of single sign-on.
At the same time, data capture methods have not only proliferated, they’ve become exceptionally sophisticated. Tactics like Flash-based cookies and deep packet sniffing surreptitiously collect behavioral data about online consumers, while loyalty and membership cards provide more insight into consumers’ purchasing habits at the line item level than ever before.
All that extra data is hard to protect without big changes to governance policies and technology stacks, and when data breaches happen, they're public and ugly.
Finally, legislators have forged ahead with regulations to protect consumer data. Europe's answer is the Data Protection Directive – a regulatory framework that governs the capture, management and use of consumer data, while in the US, congressional leaders, egged on by consumer advocacy groups, are introducing bills designed to limit data capture and to provide remediation in cases of data and security breach.
Well, maybe everybody is saying “cloud” these days, but my first impression of Microsoft Windows Server 8 (not the final name) is that Microsoft has been listening very closely to what customers want from an OS that can support both public and private enterprise cloud implementations. And most importantly, the things that they have built into WS8 for “clouds” also look like they make life easier for plain old enterprise IT.
Microsoft appears to have focused its efforts on several key themes, all of which benefit legacy IT architectures as well as emerging clouds:
Management, migration and recovery of VMs in a multi-system domain – Major improvements in Hyper-V and management capabilities mean that I&O groups can easily build multi-system clusters of WS8 servers, and easily migrate VMs across system boundaries. Multiple systems can be clustered with Fibre Channel, making it easier to implement high-performance clusters.
Multi-tenancy – A host of features, primarily around management and role-based delegation that make it easier and more secure to implement multi-tenant VM clouds.
Recovery and resiliency – Microsoft claims that they can failover VMs from one machine to another in 25 seconds, a very impressive number indeed. While vendor performance claims are always like EPA mileage – you are guaranteed never to exceed this number – this is an impressive claim and a major capability, with major implications for HA architecture in any data center.