There is truth to the meme, “data is the new oil.” Data is the lifeblood of today's digital businesses, and for economic and even political gain, highly skilled cybercriminals are determined to steal it. Meanwhile, customers around the globe have become highly sensitive to how organizations track, use, and store their personal data, and it's very difficult for security pros to stay one step ahead of changing privacy laws and demands. Plus, as data volumes explode, it's becoming a herculean task to protect sensitive data and prevent privacy infringements (today we talk in petabytes, not terabytes).
Every day, vendors introduce a new product that claims to be the silver bullet to data security challenges. Consider that DLP remains one of the most popular search terms by security pros on Forrester.com. In the case of data security, there is no silver bullet. There is no way to solve the problem without a process framework that outlines how you go about discovering, classifying, analyzing, and then ultimately defending data. Forrester has created a framework to help security pros protect data – we call it the Data Security And Control Framework. If you take a framework approach, you will:
I spent a jam-packed day with security software and services provider AVG last week, checking out their 2013 product line-up for free antivirus and paid premium products, and participating in roundtable discussions with press, analysts, and AVG executives about consumer security, mobile, privacy and policy. Here are my reactions to what AVG is doing:
LIKE: Consumer data (yes, I’m biased here, being the data nerd). AVG has lots of it and it’s all free. This is awesome because it’s a great resource not just for the industry but for other parties to use in education and awareness program design. They’ve done studies across 11 countries for their Digital Diaries studies, surveying parents and kids of different age brackets from 0 to 17 to understand online behaviors and attitudes. Here’s a data nugget that caught my attention: by the time they are two years old, 81% of children have some kind of digital footprint (online photographs, personal data, email and/or social networking accounts). 81%!
Traditional antivirus techniques have been fighting a losing battle for years. Popular hacker exploit kits pounce on new vulnerabilities quickly while advanced tools such as polymorphic viruses propagate their malicious intents. As a result, signature databases (known as “blacklists”) have ballooned in size, causing strain on a company’s infrastructure and endpoint performance. Combined with the fact that antivirus vendors miss a significant number of the unknown or zero-day threats, many security professionals are left questioning their antivirus-centric approach to endpoint protection. As the number of malware samples rise, this traditional "Whack-A-Mole" blacklist strategy of signature-based antivirus protection is simply unscalable.
I reported that the managed security services market is growing in our recent Forrester Wave™ covering North American managed security service providers. Trustwave just issued a press release that announced 148% sales growth. This is a significant number in anyone’s book. It does point to the increased growth we are seeing as more and more firms consider and adopt managed services to handle some or all of their security requirements.
Last month, Ed and I spent a couple days in Paris with Orange's management team for their annual analyst event. Overall I was impressed with Orange’s innovation in business service offerings as well as their extensive global reach. Many of the large telecoms (Verizon, AT&T, Sprint, etc.) have had to and very much want to expand their business offerings. The telecoms clearly see platform-as-a-service as the natural extension of their core telecom business. Just selling bandwidth is no longer sufficient for these companies, which is in fact now a commodity business. Orange is no exception. This evolution in the telecom business model has been successful due to the industry’s ability to:
Offer endpoint and network security optimization solutions coherent with their existing bandwidth business. With their unique vantage point over the network, the telecoms are ideally placed to deliver “clean pipe” Internet service by stopping outside network threats before they reach their customers’ endpoints. For instance, Orange’s DDoS protection service can leverage their large global footprint and control over the infrastructure to gather intelligence and exercise defensive measures farther up the stack than most of their non-telecom competitors.
Last week I had the opportunity to attend the 15th annual Black Hat security conference in Las Vegas. I have attended DEFCON in the past, but never Black Hat. The conference has grown significantly each year, and judging by the size of the expo floor, the vendors understand its significance. I enjoyed the conference and had great conversations with practitioners and vendors alike. Here are some observations from two of the sessions that I attended:
Steve Jobs by Walter Isaacson is a very readable and honest portrayal of one of the most influential personalities in the computer industry from 1980 to the present. Often caustic, abrupt, and driven, Steve Jobs was a man of extreme brilliance who could intuitively understand what makes a great product. His marketing and design shrewdness were without peer. Jobs had his share of failures and more than his share of successes. Apple II, Macintosh, iMac, iPod, iPhone, and all iPad reflect Jobs' ability to orchestrate human capital to create truly innovative products.
A subtext of the book, and not directly called out, however, is Jobs' awareness of the value of intellectual property and the need to secure this. Jobs shows concern for the security of Apple’s intellectual property and goes to great lengths to ensure that security. For example, he imposed strong controls on the design area where the Apple design team works:
“The design studio where Jony Ive reigns, on the ground floor of Two Infinite Loop on the Apple campus, is shielded by tinted windows and a heavy clad, locked door. Just inside is a glass-booth reception desk where two assistants guard access. Even high-level Apple employees are not allowed in without special permission.”
--Isaacson, Walter, Steve Jobs, p. 345, Simon & Schuster, Inc. Kindle Edition.
However, the contribution Jobs makes to information security is an indirect one. This contribution is the recognition that the true value of Apple’s products is in the design. It is not in the physical assets themselves. The idea and its associated intellectual property is the true tangible asset.
We regularly get inquiries from companies that feel the need to restructure their access controls to support extended enterprise user populations: firms have to support employees, contractors, business partners, customers and keep them contained to be able to access resources (applications, data, etc.) that they have a business need to access. Technology and protocols are catching up here: companies (and vendors too!) are moving to finally support SAML, OAuth and OpenID Connect in bulk.
The real question, however, is not just access control, but it's also identity administration and attestation. How do you extend your internal provisioning of entitlements to your employees to your business partners or customers? What is the lifecycle of a data asset or piece of intellectual property in the broader ecosystem of identities? OAuth, Claims-based authorization or SAML attribute value injection will provide the infrastructure for enforcing policy decisions, but how do you extend your identity and access governance to the extended enterprise?
We see companies being interested and starting to build on the following to solve these challenges:
1.) Don't solve the problem but ingest a much richer context in your access control solutions (risk based authentication used for internal workforce user access, context variables being passed on to federated Relying Parties to understand that you're at a coffeehouse in a rogue country vs. you're logging in from your normal office and open up the general ledger with read/write access only if you're in your office).
2.) Providing increased delegated administration and attestation services from the cloud so business partners can also participate in these processes. This has been around for some time and will gain more popularity as firms need to remain compliant in the era of the extended enterprise.
Chris and I recently published a report describing how to build risk and compliance principles into your company’s corporate culture. As we worked to finalize, edit, and publish the report, a flurry of new corporate scandals emerged, all related to this topic.
Here are just a few of them:
Wal-Mart executives accused of trying to hush up bribery cases in Mexico (article here).
A whistleblower accuses Infosys of engaging in a systematic practice of visa fraud (article here).
A former Goldman Sachs employee writes an op-ed for the New York Times blasting the company’s ethics (article here).
JP Morgan suffers a $2 billion trading loss due to “poorly monitored” trades (article here).