Blending Cloud IAM Delivery Flavors: Convergence Of In-House And IAM Suite Offerings

Andras Cser

Today we see two basic flavors of cloud IAM. One archetype is the model offered by Covisint, VMware Horizon, Symplified, Okta, OneLogin, etc.: these vendors provide relatively tight integration, but less capable identity services based on their respective firm's own intellectual property. Because of the above, these offerings clearly have a short implementation time. The other camp of vendors believes in providing hosted services of "legacy" IAM products: CA Technologies coming out with CloudMinder, Lighthouse adding their own IP to IBM TIM/TAM, Simeio Solutions blending OpenAM and Oracle's identity stack with their own secret sauce, and Verizon Business using NetIQ's IDM stack as a basis for their hosted offering solution.

Read more

How To Survive And Thrive At #SXSW If You’re Not From Texas

John Kindervag

I’ll be in Austin, TX this weekend to participate in South-by-Southwest Interactive. My panel “Big Data Smackdown on Cybersecurity” will be held Sunday, March 11 from 12:30PM - 1:30PM at the Austin Hilton Downtown. Hope to see you there.

Now, I wasn’t born in Texas, but I got here as soon as I could. I’ve lived in Dallas, TX for 30 years so I consider myself an adopted native-Texan. I’ll be at South-by-Southwest Interactive this weekend, so I thought I’d share some tips for all my current and future friends. For those of you from out-of-state – known as furriners – I hope you’ll find this advice helpful.

You’re coming to a foreign country.

Read more

An Unexpected RSA Encounter

Rick Holland

Last Friday, after a long week of RSA conference events and meetings, I eagerly looked forward to slipping on my headphones and enjoying the relative silence of my flight back to Dallas. As I approached my seat, I saw I was sitting next to a United States Air Force (USAF) officer. I looked at his rank and saw two stars on his uniform, making him a major general. I had a sudden sense of nostalgia and I instinctively wanted to salute him. I resisted the urge, introduced myself, and thanked him for his service.

Over the next two hours I had the most unexpected and fascinating conversation of my RSA week. It turned out that my fellow traveler is the commanding officer of the Air Force Research Laboratory (AFRL). According to the website, the AFRL is “the Air Force’s only organization wholly dedicated to leading the discovery, development, and integration of war fighting technologies for our air, space, and cyberspace forces.” We discussed a variety of open source topics, including electromagnetic pulse weapons, cyberweapons, Stuxnet, unmanned aerial vehicles, USAF renewable energy initiatives, as well as national policy.

Read more

Lies, Damn Lies, Security Metrics, And Baseball

John Kindervag

The legendary British Prime Minister Benjamin Disraeli is said to have noted that “There are lies, damn lies, and statistics.” Much of the technology world is focused on statistics and metrics. You’ve often heard it said, “If I can’t measure it, it doesn’t exist.” Known as the McNamara fallacy — named after the business tycoon turned Vietnam-era Secretary of Defense — this famous idea failed miserably as a strategy. While it sounds good to the CEO’s ears, there is a corollary bubbling up below him that implicitly states that “If my boss wants to measure something that doesn’t exist, then I’ll invent it!”

Read more

WikiLeaks And Stratfor Make The Case For More Data Encryption

John Kindervag

Yesterday, WikiLeaks released emails taken in the highly-publicized Stratfor data breach. While many of the emails are innocuous, such as accusations regarding a stolen lunch from the company refrigerator; others are potentially highly embarrassing to both Stratfor and their corporate clients. The emails reveal some messy corporate spycraft that is usually seen in the movies and rarely is illumined in real life. For example, one email suggests that Stratfor is working on behalf of Coca-Cola to uncover information to determine if PETA was planning on disrupting the 2010 Vancouver Olympic Games.

While Stratfor’s response suggests that some of the emails may have been tampered with, this is not the point. As the soon-to-be infamous “Lunch Theft” email shows, that might be merely what the email calls Fred's rule # 2: “Admit nothing, deny everything and make counter-accusations.”

Read more

Force Multipliers - What Security & Risk Professionals Can Learn From Special Forces

Rick Holland

Last week I read an article on wired.com’s Danger Room blog about the elite US military Special Forces command, JSOC.  The units within the Joint Special Operations Command (Delta Force and Seal Team 6) are responsible for the most clandestine and sensitive US military operations, including the Bin Laden raid into Pakistan last year. JSOC is very similar to elite Special Forces (SF) units across the globe including: the Russian Spetnaz, British SAS, French Naval Commandos, and the Israeli Shayetet 13.  These SF units are capable of addressing asymmetric threats that traditional military units aren’t prepared to handle.

In the article, Spencer Ackerman interviews Marc Ambinder, one of the authors of The Command about JSOC. The article piqued my interest and I just finished reading the eBook. Like almost everything I do, I considered the information security implications as I read it.  Today’s infosec threat landscape is dominated by unconventional threats that are difficult to address. How can we leverage the techniques utilized by SF to deal with the cyber threats we face today?  I realize that we have an international audience, and my point isn’t to focus on US policy, but rather to take a deeper look at the unique capabilities of SF units and what lessons we can apply in our roles as S&R professionals.

Read more

Categories:

MSSP Valuation - Information For Selecting An MSSP

Edward Ferrara

I attended two really great presentations at MSPWorld yesterday. This is a very interesting conference, sponsored by the MSPAlliance[i] and co-hosted with IT-Expo but focused on managed service providers. Both dealt with the issue of MSP (MSSP) valuation. Many of the attendees are SMB (MSP/MSSP) business owners and this was a hot topic.

So what is an MSSP worth and if someone wanted to buy a business like this how much should they pay?  This is an important question for Forrester’s IT clients because the rules of valuation can help IT clients evaluate potential partners.  Financial stability and the intermediate and long-term plans of the MSSP should factor into the decision of selecting an MSSP.  In any negotiation it’s also always good to know what the other side is thinking.  Here’s the list:

1.     Recurring Revenue – What is the firm’s recurring revenue profile? What are the sources of revenue and how much of this revenue comes from long-term (multi-year) contracts?

2.     Service Agreements – What is the nature of the service-level agreements the firm has in place with other clients?  Do they address risk management and risk sharing? How much liability is the MSSP willing to accept for regulatory compliance and information breaches?

3.     Service Revenues – What percentage of the MSSP’s revenue comes from what types of business?

Read more

New Research: Develop Effective Security Metics - Published this Month

Edward Ferrara

This month I published a new report on information security metrics, best practices as well as a maturity model to measure your maturity in the reporting process.  This report outlines the future look of Forrester's solution for security and risk (S&R) professionals looking to build a high-performance security program and organization. We designed this report to help S&R pros develop and report the appropriate security metrics for their security organization. Security metrics are a key initiative for chief information security officers (CISOs) today, but many struggle with picking the right metrics. Some CISOs use a broad-brush approach, using operational metrics to demonstrate security. The problem with this approach is that most people don't understand what the metrics are saying, and they don't understand how these metrics make their lives easier or harder. Good metrics are easy-to-understand, incite actions, and change behavior by providing a clear idea of why the audience cares. When CISOs present metrics, they must be able to clarify "What it means" and "What's in it for me?" Use this paper as a set of guidelines to develop a well-formed security metrics strategy and to drive behavior change and improve performance.

Take a look at these links:

Planning For Failure, Personal Edition -- Strategies To Protect Yourself In 2012

Rick Holland

This week I did a webcast, Planning for Failure, which makes the assumption that if you haven't been breached, it is inevitable, and you must be able to quickly detect and respond to incidents.  An effective response can be the difference between your organization's recovery and future success or irreparable damage.  While I was working on the slides for the webcast, I started to reflect back on the 2011 security breaches that personally impacted me.   Three breaches immediately came to mind:

  1. Texas Teacher Retirement System -  My personal data was stored unencrypted on a public server
  2. Epsilon - Email compromise that resulted in increased phishing attempts
  3. STRATFOR - My personal information, credit card and password hash were stolen
Read more

Virtualization Security, Better Late Than Never

Rick Holland

I am excited to announce my latest research, The CISO's Guide To Virtualization Security. This is the first report in a new series focusing on securing virtual environments.  The reduced costs and flexibility of virtualization have led to widespread adoption of the technology.  Despite this adoption, security and risk professionals haven't given their virtual environments the attention that is required.  Our research interviews revealed several themes:

  • Business as usual is the status quo. IT departments rely upon traditional security solutions (end point and network security) to secure their virtual environments.  Depending on the network architecture, virtualization can create blind spots in your network leaving you blind to intra-virtual-machine (VM) communication. 
  • Many security pros aren't aware of the virtualization aware solutions available on the market. One CISO we spoke with wasn't aware that his organization's current antivirus vendor offered a virtualization aware solution.  This isn't necessarily surprising; many of the virtualization aware security solutions are relatively new to the market.  Virtualization aware solutions afford us the ability to have potentially greater visibility into workloads than we might have in our traditional physical environment.
  • Many security pros have a general discomfort with virtualization. Security pros, especially CISOs and other security leaders who have risen up the technical ranks, aren't as confident in their virtualization knowledge as they would like to be. This is particularly the case when we compare virtualization with more mature security areas, such as network security.
Read more