Last month, Ed and I spent a couple days in Paris with Orange's management team for their annual analyst event. Overall I was impressed with Orange’s innovation in business service offerings as well as their extensive global reach. Many of the large telecoms (Verizon, AT&T, Sprint, etc.) have had to and very much want to expand their business offerings. The telecoms clearly see platform-as-a-service as the natural extension of their core telecom business. Just selling bandwidth is no longer sufficient for these companies, which is in fact now a commodity business. Orange is no exception. This evolution in the telecom business model has been successful due to the industry’s ability to:
Offer endpoint and network security optimization solutions coherent with their existing bandwidth business. With their unique vantage point over the network, the telecoms are ideally placed to deliver “clean pipe” Internet service by stopping outside network threats before they reach their customers’ endpoints. For instance, Orange’s DDoS protection service can leverage their large global footprint and control over the infrastructure to gather intelligence and exercise defensive measures farther up the stack than most of their non-telecom competitors.
Last week I had the opportunity to attend the 15th annual Black Hat security conference in Las Vegas. I have attended DEFCON in the past, but never Black Hat. The conference has grown significantly each year, and judging by the size of the expo floor, the vendors understand its significance. I enjoyed the conference and had great conversations with practitioners and vendors alike. Here are some observations from two of the sessions that I attended:
Steve Jobs by Walter Isaacson is a very readable and honest portrayal of one of the most influential personalities in the computer industry from 1980 to the present. Often caustic, abrupt, and driven, Steve Jobs was a man of extreme brilliance who could intuitively understand what makes a great product. His marketing and design shrewdness were without peer. Jobs had his share of failures and more than his share of successes. Apple II, Macintosh, iMac, iPod, iPhone, and all iPad reflect Jobs' ability to orchestrate human capital to create truly innovative products.
A subtext of the book, and not directly called out, however, is Jobs' awareness of the value of intellectual property and the need to secure this. Jobs shows concern for the security of Apple’s intellectual property and goes to great lengths to ensure that security. For example, he imposed strong controls on the design area where the Apple design team works:
“The design studio where Jony Ive reigns, on the ground floor of Two Infinite Loop on the Apple campus, is shielded by tinted windows and a heavy clad, locked door. Just inside is a glass-booth reception desk where two assistants guard access. Even high-level Apple employees are not allowed in without special permission.”
--Isaacson, Walter, Steve Jobs, p. 345, Simon & Schuster, Inc. Kindle Edition.
However, the contribution Jobs makes to information security is an indirect one. This contribution is the recognition that the true value of Apple’s products is in the design. It is not in the physical assets themselves. The idea and its associated intellectual property is the true tangible asset.
We regularly get inquiries from companies that feel the need to restructure their access controls to support extended enterprise user populations: firms have to support employees, contractors, business partners, customers and keep them contained to be able to access resources (applications, data, etc.) that they have a business need to access. Technology and protocols are catching up here: companies (and vendors too!) are moving to finally support SAML, OAuth and OpenID Connect in bulk.
The real question, however, is not just access control, but it's also identity administration and attestation. How do you extend your internal provisioning of entitlements to your employees to your business partners or customers? What is the lifecycle of a data asset or piece of intellectual property in the broader ecosystem of identities? OAuth, Claims-based authorization or SAML attribute value injection will provide the infrastructure for enforcing policy decisions, but how do you extend your identity and access governance to the extended enterprise?
We see companies being interested and starting to build on the following to solve these challenges:
1.) Don't solve the problem but ingest a much richer context in your access control solutions (risk based authentication used for internal workforce user access, context variables being passed on to federated Relying Parties to understand that you're at a coffeehouse in a rogue country vs. you're logging in from your normal office and open up the general ledger with read/write access only if you're in your office).
2.) Providing increased delegated administration and attestation services from the cloud so business partners can also participate in these processes. This has been around for some time and will gain more popularity as firms need to remain compliant in the era of the extended enterprise.
Chris and I recently published a report describing how to build risk and compliance principles into your company’s corporate culture. As we worked to finalize, edit, and publish the report, a flurry of new corporate scandals emerged, all related to this topic.
Here are just a few of them:
Wal-Mart executives accused of trying to hush up bribery cases in Mexico (article here).
A whistleblower accuses Infosys of engaging in a systematic practice of visa fraud (article here).
A former Goldman Sachs employee writes an op-ed for the New York Times blasting the company’s ethics (article here).
JP Morgan suffers a $2 billion trading loss due to “poorly monitored” trades (article here).
On Wednesday, American footwear company Skechers agreed to pay the US Federal Trade Commission $40 million. This settlement resulted from a series of commercials that deceived consumers claiming that the Shape-Ups shoe line would “help people lose weight, and strengthen and tone their buttocks, legs and abdominal muscles.” Professional celebrity Kim Kardashian appeared in a 2011 Super Bowl commercial personally endorsing the health benefits of these shoes.
This settlement was part of an ongoing FTC campaign to “stop overhyped advertising claims.” A similar effort would serve the information security community well. For example, one particular claim that causes me frequent grief is: “solution X detects and prevents advanced persistent threats.” It is hard, dare I say impossible, to work in information security and not have heard similar assertions. I have heard it twice this week already, and these claims make my brain hurt.
Our next installment of "Hackers vs. Executives" is just weeks away. Join us at the Forrester Security Forum and sit in on one of the most popular sessions of the event each year. We have a great panel lined up for you. In the Hackers corner, we have Chase Cunningham of Neustar and Brian Gorenc of HP Tippingpoint DVLabs. In his hacking demo, Chase will use social engineering, packaged exploit delivery, and credential harvesting to show you how open source data can create avenues for hackers to attack users and ultimately compromise your network. In his hacking demo, Brian will provide an in-depth look at what it takes to analyze a vulnerability and the steps required to weaponize it. Centering on a vulnerability in a Microsoft application, the demo will show you how an attacker can quickly move from proof-of-concept to remote code execution.
In the Executive corner, we have Richard Bejtlich of Mandiant and Steve Martino of Cisco Systems. Richard and Steve will discuss what these types of attacks mean to Security & Risk professionals, including how your organization can prepare and respond to them. John Kindervag and I will moderate the panel. There will be great discussion and you will have the opportunity to ask questions of all of our panelists. It will be a fantastic session; one you won't want to miss. Please join us in Las Vegas on May 25th from 11:05 to 12:40. Take a look at the Security Forum website for more details. John and I hope to see you there.
Last week saw news that yet another top GRC software vendor has been acquired, following in the footsteps of Paisley, Archer, OpenPages, among others. BWise has always been an impressive vendor in the GRC space, so first off I think congratulations are in order for both parties.
That said, if you didn’t foresee NASDAQ getting into the GRC software space coming, don’t beat yourself up… after seeing the large technology vendors and content providers enter the space over the past 3 years, this wasn’t an obvious move. But looking a little deeper, NASDAQ’s move makes sense for a couple reasons:
- NASDAQ’s target market cares about GRC. NASDAQ lists its target roles as marketing/corporate communications, board and corporate secretary, investor relations, and corporate finance. All of these roles have a vested interest in better controls, stronger risk management practices, and improved corporate governance.
- BWise has always focused on the “G” of GRC. More than any other of the top GRC software vendors, BWise targeted governance professionals with capabilities such as entity management.
- There are immediate integration possibilities. Among NASDAQ’s corporate solutions are products for board management, whistleblower reporting, and XBRL filing. BWise has a host of capabilities (issue management, process management, policy management, reporting, etc.) that could quickly add value to implementations of those products.
But, as always with a deal like this, both parties will have to show the market how they will address some key questions:
Even though it is not specific to security, this idea came to me while attending Dell’s Annual Analyst Conference (DAAC) in Austin, Texas two weeks ago. One of the hot topics discussed at the conference is the issue of bring your own device (BYOD). Dell recognizes this is a major trend and is looking for ways to remain true to its business-to-business DNA but still offer a competitive end-point solution with strong management and security capabilities. This is a problem for companies like Dell because a significant amount of revenue comes from corporate and not consumer sales, but BYOD is a consumer sale.
Not all is lost, however. As corporations move away from purchasing blocks of PCs for their employees, they will still have the capability to influence their employees to purchase certain equipment. The value for the employer is that they can still have some visibility to the types of equipment employees will use. The employee wins because they have assurances that the equipment they purchase has been vetted with some level of assurance that there is compliance with company systems.
What this means is that organizations will need to treat their former business customers as channel partners. I can envision scenarios where device makers provide their former customer marketing funds and special incentive funds (SPIFs) to encourage employees to buy their equipment. They will also be willing to offer the end user customer/employee a volume discount for employees for purchasing specific equipment. All of the major cell phone providers provide this type of program. PC makers, but also other types of device makers, need to start looking at their former customers as channel partners.