<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-3428659345510666362</id><updated>2011-11-02T13:09:26.350-04:00</updated><title type='text'>SHLOMI'S PARKING SPOT</title><subtitle type='html'>A place for thoughts about technology &amp;amp; life</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://shlomidinoor.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://shlomidinoor.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Shlomi Dinoor</name><uri>http://www.blogger.com/profile/15810123660024115550</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://1.bp.blogspot.com/_GlfI8n8nses/S1YknccjJyI/AAAAAAAAACs/y1J1jH6sk1I/S220/SD.PNG'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>25</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-3428659345510666362.post-1279599756717844046</id><published>2011-08-15T13:45:00.002-04:00</published><updated>2011-08-15T13:45:49.942-04:00</updated><title type='text'>We fix Stupid!</title><content type='html'>&lt;div class="MsoNormal"&gt;Recently I had a chance to meet with a couple of very different and promising companies. One is a classic enterprise information security company going after the holy grail of risk management. The other is a small startup attempting to be the good cop of consumer privacy. Both are very successful.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Allegedly there is no connection between the two, right? While some tend to bundle privacy and security together (as well as compliance), there is a clear distinction between the two, not to mention the very different target markets (enterprise vs. 
consumer).&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;So why do I bundle the two?&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Let’s take the enterprise risk management perspective first:&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;When observing some of the recent data breaches (e.g. the RSA incident), there is an interesting pattern. As we know, hackers target the weakest links in their quest for the prize. Occasionally these links are infrastructure vulnerabilities, but in many cases it is the ultimate weak link – the human factor.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;It should not surprise anyone that it is much easier to enter a building through its main door (especially when you have the keys) than through a small, semi-closed side window on the 5&lt;sup&gt;th&lt;/sup&gt; floor. Since organizations will always give employees access to their enterprise resources (so they can do their work), all that is left for the hackers is to get the keys and use the main door. Why bother trying to hack enterprise-protected resources directly?&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Without getting into lengthy explanations, what the bad guys do is create a “hit” list of employees with the right profile. Then they collect information about the selected targets, mostly from publicly available resources (such as the Wild Wild Web). Once enough information is collected, a targeted campaign is launched. In many ways this campaign is very similar to consumer phishing. 
During this process (a.k.a. spear phishing) users end up enabling the attacker to collect more information (which is not publicly available) and eventually to get the access they need.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Bottom line – an employee’s vulnerable consumer profile enables an attack on enterprise resources.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Now for the consumer privacy point of view:&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Simply put, the objective of privacy tools is to control the amount of private information that is publicly available and, by doing so, to reduce the consumer’s attack surface.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Do I need to explain the linkage between these two companies/domains?&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;By protecting consumer-employees’ privacy, enterprises reduce their risk of being attacked.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;A few things to keep in mind:&lt;/div&gt;&lt;div class="MsoListParagraphCxSpFirst" style="margin-left: .25in; text-indent: -.25in;"&gt;1.&amp;nbsp;&amp;nbsp; “All or nothing” solutions are never a good idea – they are simply not practical. Security solutions that attempt to solve “everything” traditionally fail (DLP is a good example). 
Instead of applying protective controls to all employees, we should apply the right controls only to the employees identified as “high risk” (relative to a defined threshold).&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: .25in; text-indent: -.25in;"&gt;2.&amp;nbsp;&amp;nbsp; How do we define “high risk”? The risk is the &lt;b&gt;enterprise’s&lt;/b&gt; risk, not the employee’s. It should be defined based on a combination of the employee’s enterprise profile (e.g. the systems he can access and his access level) and his online consumer profile vulnerability score (i.e. how exposed he is).&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: .25in; text-indent: -.25in;"&gt;3.&amp;nbsp;&amp;nbsp; By no means am I promoting “big brother” type solutions. 
Enterprises should not collect, manage, or care about employees’ private information, only their online vulnerability score (the likelihood of being attacked).&lt;/div&gt;&lt;div class="MsoListParagraphCxSpLast" style="margin-left: .25in; text-indent: -.25in;"&gt;4.&amp;nbsp;&amp;nbsp; Coming up with an online profile vulnerability score should be done by leveraging techniques similar to those of consumer privacy tools, or by emulating the hackers’ information collection process.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;And maybe someday some company will address this aspect of the human factor and will be able to use the great tagline: “we fix stupid!”&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://shlomidinoor.blogspot.com/feeds/1279599756717844046/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://shlomidinoor.blogspot.com/2011/08/we-fix-stupid.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/1279599756717844046'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/1279599756717844046'/><link rel='alternate' type='text/html' href='http://shlomidinoor.blogspot.com/2011/08/we-fix-stupid.html' title='We fix Stupid!'/><author><name>Shlomi 
Dinoor</name><uri>http://www.blogger.com/profile/15810123660024115550</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://1.bp.blogspot.com/_GlfI8n8nses/S1YknccjJyI/AAAAAAAAACs/y1J1jH6sk1I/S220/SD.PNG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3428659345510666362.post-1583429369264472838</id><published>2011-05-27T11:21:00.000-04:00</published><updated>2011-05-27T11:21:24.956-04:00</updated><title type='text'>Drop(the ball)box?</title><content type='html'>&lt;span style="font-family: Calibri;"&gt;Dropbox is a great tool; I use it all the time. It is very simple, user friendly and perfect for what I need. Its sweet spot in my opinion (and my main usage pattern) is collaboration on or sharing of a small number of documents (not digital media, but documents that change over time).&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Dropbox got some bad publicity recently regarding the security state of its service.&lt;/span&gt;&lt;/div&gt;&lt;span style="font-family: Calibri;"&gt;For those who are not familiar, a quick summary of the two main points:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: Calibri;"&gt;1.&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;A relatively easy way to impersonate other users – simply put, Dropbox identifies the user on a device using a file stored locally in the same location on all Dropbox installations. 
All Bob has to do to impersonate Paul is copy over Paul’s identification file, and he has access to all of Paul’s files.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: Calibri;"&gt;2.&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;span lang="EN"&gt;&lt;span style="font-family: Calibri;"&gt;Dropbox possesses the encryption keys for all users’ data – very common with tools that provide web access to users’ files (or other content-related services). The big issue was less about the possession of the keys and more about the fact that their privacy policy (and marketing messages) had misled people into believing that Dropbox does not have a copy of the key or the ability to decrypt users’ data.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;While bullet #1 is an ugly security glitch, it is simple to fix and I trust the Dropbox team to take care of it.&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Bullet #2 reminds me of the main reason I buy insurance. It is not so much about the actual insurance policy and much more about the trust factor. I just want to know I can trust the insurance agent to take care of my business if something goes wrong. If for some reason that trust is broken, I will replace the insurance agent/company regardless of the price. Incidents will always happen; everyone makes mistakes. It is about bouncing back from an incident, about the reaction after dropping the ball. 
That’s what breaks or strengthens the trust.&lt;/span&gt;&lt;/div&gt;&lt;span style="font-family: Calibri;"&gt;Dropbox messed up; it does not really matter what they think, it is all about perception. So if I were Dropbox, I would be less concerned about proving who is right or “fixing a problem” and more about bouncing back gracefully.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Having said that, consumers have proven time and again that they don’t really care about security, they don’t even care about privacy…&lt;/span&gt;&lt;/div&gt;&lt;span style="font-family: Calibri;"&gt;Thinking that people are going to ditch Dropbox because of the recent security issues is not realistic; it will simply not happen. Do you remember how many people banned Facebook during the “who owns my photos on Facebook” campaign just a couple of years ago? (hint – several hundred or thousand, while during the same period of time millions of new users joined…).&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;People care about serviceability, productivity, and the coolness factor. Less about privacy or security.&lt;/span&gt;&lt;/div&gt;&lt;span style="font-family: Calibri;"&gt;The notion of personal/private information is long gone from the consumer world. Somehow (social media or even plain old email) your data moves to, or is duplicated in, the cloud/web. Once in the cloud there is no going back, and it is no longer in your control (try to really delete stuff from Facebook). 
Dropbox-type tools simply extend the cloud/web further into your desktop: while your content is syncing between devices it is also synced to the “mighty cloud”, and once in the cloud… &lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;As for enterprise usage – this is a totally different story. &lt;/span&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;The consumer employees (&lt;/span&gt;&lt;a href="http://shlomidinoor.blogspot.com/2010/01/we-are-all-consumer-employees.html"&gt;&lt;span style="color: blue; font-family: Calibri;"&gt;http://shlomidinoor.blogspot.com/2010/01/we-are-all-consumer-employees.html&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family: Calibri;"&gt;) continue to build internal pressure to adopt consumer-like tools to simplify and streamline their work. The new generation of file syncing/collaboration tools such as Dropbox is a good example of the phenomenon. While great tools, they lack the controls enterprise IT/IS expect. My friends at CloudLock (formerly Aprigo) identified a similar opportunity with Google Apps and provide a control layer on top of Google’s platform. In a similar fashion vendors will continue identifying other tools originally built for consumers (by “consumer” vendors) and provide the enterprise control layer. 
Dropbox is a good example.&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Bottom line:&lt;/span&gt;&lt;/div&gt;&lt;span style="font-family: Calibri;"&gt;As consumers we should keep on using these great tools that improve our productivity.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: Calibri;"&gt;As enterprises we should look for and work with vendors that will provide the much needed control layer (while maintaining a seamless user experience for the consumer-employee).&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: Calibri;"&gt;As vendors, consider it an opportunity!&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3428659345510666362-1583429369264472838?l=shlomidinoor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://shlomidinoor.blogspot.com/feeds/1583429369264472838/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://shlomidinoor.blogspot.com/2011/05/dropthe-ballbox.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/1583429369264472838'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/1583429369264472838'/><link rel='alternate' type='text/html' href='http://shlomidinoor.blogspot.com/2011/05/dropthe-ballbox.html' title='Drop(the ball)box?'/><author><name>Shlomi Dinoor</name><uri>http://www.blogger.com/profile/15810123660024115550</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' 
src='http://1.bp.blogspot.com/_GlfI8n8nses/S1YknccjJyI/AAAAAAAAACs/y1J1jH6sk1I/S220/SD.PNG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3428659345510666362.post-720158076417593182</id><published>2011-03-22T14:28:00.000-04:00</published><updated>2011-03-22T14:28:32.542-04:00</updated><title type='text'>Focus is Golden!</title><content type='html'>&lt;span style="font-family: Calibri;"&gt;On many occasions I’ve been asked a very basic question: what is information security?&lt;span style="font-family: Times New Roman;"&gt;  &lt;/span&gt;My two-word answer is: Risk Management.&lt;br /&gt;&lt;span style="font-family: Times New Roman;"&gt;  &lt;/span&gt;&lt;br /&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;Any other answer that might imply we can achieve 100% security would simply lead me to the conclusion that we should just give up now, go home, and find a different occupation… &lt;/div&gt;&lt;span style="font-family: Times New Roman;"&gt;  &lt;/span&gt;There is no 100% security; it is too expensive, too complex, too agonizing, takes too long, and is too dynamic. It is all about risk management: define your risk threshold and make sure you have the right controls to meet your goal.&lt;br /&gt;&lt;span style="font-family: Times New Roman;"&gt;  &lt;/span&gt;&lt;br /&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;Last week I presented at a CISO event discussing the same topic (i.e. 
security and risk management), and I thought it might be a good opportunity to share my take on the topic.&lt;/div&gt;&lt;span style="font-family: Times New Roman;"&gt;  &lt;/span&gt;&lt;br /&gt;One of the fundamental debates we have in the security community is whether to take the “All or Nothing”/”let’s boil the ocean” approach, OR focus on contained problems we can actually solve…&lt;br /&gt;&lt;span style="font-family: Times New Roman;"&gt;  &lt;/span&gt;Large vendors tend to promote the first approach with their deep stacks (and services organizations), while pure players/smaller vendors tend to focus on their core competency.&lt;br /&gt;&lt;span style="font-family: Times New Roman;"&gt;  &lt;/span&gt;&lt;br /&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;As I believe security=risk management, it will not come as a shocker to anyone that I vote for focusing on the highest risk first (i.e. a contained problem).&lt;/div&gt;&lt;span style="font-family: Times New Roman;"&gt;  &lt;/span&gt;&lt;br /&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;Kind of trivial, but where/how should we begin?&lt;/div&gt;&lt;span style="font-family: Times New Roman;"&gt;  &lt;/span&gt;Everyone seems to have their quadrant, so here is Shlomi’s quadrant. 
It provides a good high level view where we should (and should not) invest, that is if you are out to solve the security challenge.&lt;br /&gt;&lt;/span&gt;&lt;div style="text-align: center;"&gt;&lt;a href="https://lh6.googleusercontent.com/-5X1AdoxYV-I/TYjHanyXtCI/AAAAAAAAAEo/eCn4-cDSqAM/s1600/Quadrant.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="214" src="https://lh6.googleusercontent.com/-5X1AdoxYV-I/TYjHanyXtCI/AAAAAAAAAEo/eCn4-cDSqAM/s320/Quadrant.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-family: Calibri;"&gt;While “All or Nothing” calls for similar controls for all types of operations, the reality is real damage comes from operations associated with the 4&lt;sup&gt;&lt;span style="font-size: x-small;"&gt;th&lt;/span&gt;&lt;/sup&gt; quadrant (powerful actor + powerful target). The advanced audience can add the context of the operation as a 3&lt;sup&gt;&lt;span style="font-size: x-small;"&gt;rd&lt;/span&gt;&lt;/sup&gt; dimension, for the sake of simplicity I left it out.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;span style="font-family: Times New Roman;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;Ok, so powerful actor + powerful target is the way to go, but how can we better evaluate the cost, time, agony and success of using the described two methods with relation to the risk addressed (i.e. 
coverage of your risk)?&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;Since I’m in a “graphy” mood today, let’s observe the following:&lt;/div&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt; text-align: center;"&gt;&lt;a href="https://lh3.googleusercontent.com/-UhBU3OpYIac/TYjhvPIu7nI/AAAAAAAAAFI/XXaRsBPuu58/s1600/Approaches+side+by+side.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="https://lh3.googleusercontent.com/-UhBU3OpYIac/TYjhvPIu7nI/AAAAAAAAAFI/XXaRsBPuu58/s1600/Approaches+side+by+side.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="font-family: Times New Roman;"&gt;  &lt;/span&gt;The “All or Nothing” approach to security calls for controls across the board, which is very expensive, takes very long to implement, is extremely painful and has questionable success rates. It is somewhat linear with regard to the risk we actually address. Take any of the big security projects (e.g. 
DLP or IM), after all the investment you end up with partial coverage at best.&lt;/span&gt;&lt;/div&gt;&lt;span style="font-family: Calibri;"&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;span style="font-family: Times New Roman;"&gt;  &lt;/span&gt;The “high risk first” approach focuses on the 4&lt;sup&gt;&lt;span style="font-size: x-small;"&gt;th&lt;/span&gt;&lt;/sup&gt; quadrant, with no resources spent on low risk activities, achieving a sharp upward slope of risk coverage up front.&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;span style="font-family: Times New Roman;"&gt;  &lt;/span&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;span style="font-family: Times New Roman;"&gt;  &lt;/span&gt;&lt;span style="font-family: &amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 11pt; line-height: 115%; mso-ansi-language: EN-US; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Arial; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"&gt;Now comes the interesting part ($$$) – when placing both on the same graph:&lt;/span&gt;&lt;/div&gt;&lt;/span&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://lh5.googleusercontent.com/-wd-1bc3XVm8/TYjisqZqiFI/AAAAAAAAAFM/in2S719AQY8/s1600/Threshold+side+by+side.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="https://lh5.googleusercontent.com/-wd-1bc3XVm8/TYjisqZqiFI/AAAAAAAAAFM/in2S719AQY8/s1600/Threshold+side+by+side.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span 
style="font-family: Times New Roman;"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;Using the “all or nothing” approach to achieve a given risk threshold (left side) will be more expensive, take longer, be more painful, and be more likely to fail. Conversely, for a given budget/time frame/pain/likelihood to fail (right side) it will provide coverage for a lower addressable risk. &lt;/span&gt;&lt;/div&gt;&lt;span style="font-family: Calibri;"&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Times New Roman;"&gt;  &lt;/span&gt;&lt;span style="font-family: &amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 11pt; line-height: 115%; mso-ansi-language: EN-US; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Arial; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"&gt;Which approach to choose? Your decision…&lt;/span&gt; &lt;/div&gt;&lt;/span&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt; &lt;span style="font-family: Times New Roman;"&gt;  &lt;/span&gt;But the existing security controls address this mumbo-jumbo, right? 
Not exactly… &lt;/span&gt;&lt;/div&gt;&lt;span style="font-family: Calibri;"&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Times New Roman;"&gt;  &lt;/span&gt;The top 3 reasons why most security stacks/controls are missing the point are:&amp;nbsp;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Times New Roman;"&gt;  &lt;/span&gt;&lt;span style="mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;"&gt;&lt;span style="mso-list: Ignore;"&gt;1.&lt;span style="font-size-adjust: none; font-stretch: normal; font: 7pt/normal &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span dir="LTR"&gt;&lt;/span&gt;Focus on known identities and personal accounts rather than high risk (privileged) accounts. &lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Times New Roman;"&gt;  &lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;Personal accounts/known users = limited access = low risk &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-bidi-language: HE;"&gt;&lt;span style="mso-bidi-language: HE;"&gt;Privileged accounts and users = limitless access = high risk&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Times New Roman;"&gt;  &lt;/span&gt;&lt;span style="mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;"&gt;&lt;span style="mso-list: Ignore;"&gt;2.&lt;span style="font-size-adjust: none; font-stretch: normal; font: 7pt/normal &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span dir="LTR"&gt;&lt;/span&gt;TMI (&lt;span 
style="mso-bidi-language: HE;"&gt;Too Much Information)&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Times New Roman;"&gt;  &lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-bidi-language: HE;"&gt;&lt;span style="mso-bidi-language: HE;"&gt;Collecting all events (of high or low risk) is a waste of time. It takes too long to make sense out of it, and slows down production systems… I just want to see the important information&lt;/span&gt;&lt;/span&gt;&lt;span style="mso-bidi-language: HE;"&gt;.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Times New Roman;"&gt;  &lt;/span&gt;&lt;span style="mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;"&gt;&lt;span style="mso-list: Ignore;"&gt;3.&lt;span style="font-size-adjust: none; font-stretch: normal; font: 7pt/normal &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span dir="LTR"&gt;&lt;/span&gt;One trick pony&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt; text-align: left;"&gt;&lt;span style="font-family: Times New Roman;"&gt;  &lt;/span&gt;&lt;span style="font-family: &amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 11pt; line-height: 115%; mso-ansi-language: EN-US; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Arial; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"&gt;Most solutions address verticals – data, events, access, identity, sessions &lt;/span&gt;&lt;span style="font-family: &amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 11pt; line-height: 115%; mso-ansi-language: EN-US; mso-ascii-theme-font: 
minor-latin; mso-bidi-font-family: Arial; mso-bidi-language: HE; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"&gt;(of high or low risk), rather than a horizontal (i.e. high risk across the elements)&lt;/span&gt;&lt;/div&gt;&lt;span style="font-family: &amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 11pt; line-height: 115%; mso-ansi-language: EN-US; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Arial; mso-bidi-language: HE; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt; text-align: center;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;a href="https://lh6.googleusercontent.com/-iIKL8WOz0Tk/TYjlZHE9XAI/AAAAAAAAAFQ/1YN9omCyCJo/s1600/Vertical+-+Horizontal.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="https://lh6.googleusercontent.com/-iIKL8WOz0Tk/TYjlZHE9XAI/AAAAAAAAAFQ/1YN9omCyCJo/s1600/Vertical+-+Horizontal.png" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;span style="font-family: Calibri;"&gt;&lt;/span&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;So when you are out there looking for ways to address your security risk think of tools that manage to carve out the high risk stuff, take a holistic (horizontal) view AND do not impact performance of your existing environment/personnel. 
&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3428659345510666362-720158076417593182?l=shlomidinoor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://shlomidinoor.blogspot.com/feeds/720158076417593182/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://shlomidinoor.blogspot.com/2011/03/focus-is-golden.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/720158076417593182'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/720158076417593182'/><link rel='alternate' type='text/html' href='http://shlomidinoor.blogspot.com/2011/03/focus-is-golden.html' title='Focus is Golden!'/><author><name>Shlomi Dinoor</name><uri>http://www.blogger.com/profile/15810123660024115550</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://1.bp.blogspot.com/_GlfI8n8nses/S1YknccjJyI/AAAAAAAAACs/y1J1jH6sk1I/S220/SD.PNG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='https://lh6.googleusercontent.com/-5X1AdoxYV-I/TYjHanyXtCI/AAAAAAAAAEo/eCn4-cDSqAM/s72-c/Quadrant.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3428659345510666362.post-3517697550460323123</id><published>2011-02-08T17:06:00.000-05:00</published><updated>2011-02-08T17:06:17.628-05:00</updated><title type='text'>Cloudouflage</title><content type='html'>Have you ever wondered why some flavors of cloud computing (SaaS) are so successful while others (IPaaS = Infrastructure or Platform as a Service) are less (yet)? 
And what is cloudouflage?&lt;br /&gt;&lt;br /&gt;Whenever possible I advocate simplicity, so I’ll try to take the simple approach (a.k.a. naïve) to address these questions. Let’s see if I can limit myself to no more than 2 bullets a section. &lt;br /&gt;&lt;br /&gt;It is very clear that adoption of SaaS is exploding, regardless of what numbers you are using (ballpark of $8 Bbbbbilion last year). While I could go through a lengthy and intelligent description of all the reasons (including financials, agility, etc.), I want to focus on two which I find interesting:&lt;br /&gt;&lt;br /&gt;1. It is just another website, no different from Gmail&lt;br /&gt;The usage model is very clear and simple. I open my browser, go to this website, and consume a service. Consumerization plays a big part here. Since the emergence of the web, consumer technologies are leading the way, while enterprise is a delayed copycat at best. Consumers are simply looking to consume a service; for everything they need there is an app for that. Similarly, when consumer employees (&lt;a href="http://shlomidinoor.blogspot.com/2010/01/we-are-all-consumer-employees.html"&gt;http://shlomidinoor.blogspot.com/2010/01/we-are-all-consumer-employees.html&lt;/a&gt;) need, e.g., a CRM service, there is a cloud for that. &lt;br /&gt;&lt;br /&gt;2. No IT involvement&lt;br /&gt;In many cases no IT is required, neither for setup nor for maintenance. If something does not work you call customer support. Great for SMBs (with no internal IT expertise), and very convenient for the Business in larger organizations, which believes no IT means no extra processes, no security policies, no regulations…&lt;br /&gt;&lt;br /&gt;Looking at IPaaS we don’t see the same crazy adoption; numbers suggest it is $1B at best (a nice number, but relative to its potential not as impressive).&lt;br /&gt;&lt;br /&gt;Notice: I’m bundling IaaS and PaaS together as I believe they will ultimately converge. 
We already see the IaaS vendors adding “platform” services and vice versa for PaaS vendors.&lt;br /&gt;&lt;br /&gt;IPaaS is very different from SaaS:&lt;br /&gt;&lt;br /&gt;1. Not really a packaged service but an infrastructure &lt;br /&gt;Regardless of the “aaS” suffix, IaaS provides “virtual machines/storage/…”; from a business perspective, what can I do with it? It is a starting point, not the end game; now something needs to be deployed, optimized, maintained, etc. Where is the SaaS magic (i.e. I open my browser and the service is there)?&lt;br /&gt;&lt;br /&gt;2. IT involvement is inevitable &lt;br /&gt;As the SaaS magic is nowhere to be found in the IPaaS reality, real work is required for setting up the virtual infrastructure. IT assistance is required (sorry Mr. Biz – no shortcuts for you…). &lt;br /&gt;&lt;br /&gt;A simplistic representation where IaaS + PaaS converge into IPaaS, Biz uses SaaS directly (blue), and IPaaS through IT (green): &lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/_GlfI8n8nses/TVG7Pa0UDaI/AAAAAAAAAEk/B2MDkXqw0Tw/s1600/SaaS-IPaaS+model+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" h5="true" height="200" src="http://4.bp.blogspot.com/_GlfI8n8nses/TVG7Pa0UDaI/AAAAAAAAAEk/B2MDkXqw0Tw/s320/SaaS-IPaaS+model+2.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;So what should happen in order to drive IPaaS adoption?&lt;br /&gt;&lt;br /&gt;1. The peace pipe will finally be used&lt;br /&gt;I will not attempt to elaborate beyond the many blogs, tweets, articles, presentations, etc. on this topic. Eventually IPaaS vendors and IT/IS will agree on a common ground regarding control, transparency, security, regulations and such. As with any peace agreement both sides will have to compromise (yeah – BOTH sides).&lt;br /&gt;&lt;br /&gt;2. 
&lt;strong&gt;Cloudouflage&lt;/strong&gt; &lt;br /&gt;There is still a lot of money being paid for IPaaS solutions, meaning organizations are using it for something. It does not come as a big surprise that the main use cases for IaaS today are dev &amp;amp; test, cloud burst, and high performance computing. They fit perfectly with IaaS characteristics. Yet, most of the setup/maintenance/support efforts are done ad hoc/manually/internally. &lt;br /&gt;How can we leverage these use cases to exponentially increase the IPaaS usage?&lt;br /&gt;That’s where cloudouflage comes into play. Wrapping IaaS with a relatively “thin” service layer will create an illusion (cloud-camouflage) for customers that they are consuming a packaged service rather than infrastructure (reminder - that’s what they want). Imagine a vendor providing a service to create and manage a catalog for demo environments. The management, configuration and meta data is the “thin” service layer, however whenever starting a demo environment, virtual machines are being created and built on top of the underlying IaaS solution. Same goes for dev &amp;amp; test. &lt;br /&gt;&lt;br /&gt;Bottom line: while for anything consumers need there’s an app for that, the day will come where for every service organizations will need there will be a cloud for that. 
The time for Service as a Service has come!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3428659345510666362-3517697550460323123?l=shlomidinoor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://shlomidinoor.blogspot.com/feeds/3517697550460323123/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://shlomidinoor.blogspot.com/2011/02/cloudouflage.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/3517697550460323123'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/3517697550460323123'/><link rel='alternate' type='text/html' href='http://shlomidinoor.blogspot.com/2011/02/cloudouflage.html' title='Cloudouflage'/><author><name>Shlomi Dinoor</name><uri>http://www.blogger.com/profile/15810123660024115550</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://1.bp.blogspot.com/_GlfI8n8nses/S1YknccjJyI/AAAAAAAAACs/y1J1jH6sk1I/S220/SD.PNG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_GlfI8n8nses/TVG7Pa0UDaI/AAAAAAAAAEk/B2MDkXqw0Tw/s72-c/SaaS-IPaaS+model+2.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3428659345510666362.post-7394582390750861327</id><published>2010-12-06T11:02:00.000-05:00</published><updated>2010-12-06T11:02:38.413-05:00</updated><title type='text'>Neuroprivilogy is the Holy Grail</title><content type='html'>Is your Neuroprivilogy vulnerable?&lt;br /&gt;The answer is most probably yes, you simply have no clue what Neuroprivilogy is (yet)…&lt;br /&gt;&lt;br /&gt;The first step with any discussion is defining a fancy term to describe the 
phenomenon. That’s where Neuroprivilogy came about.&lt;br /&gt;As the name suggests, Neuroprivilogy is constructed from the words neural (network) and privileged (access), and can be defined as the science of privileged access points’ networks. Using the neural network metaphor, an organization’s infrastructure is not flat but a network of systems (neuron=system). The connections between systems are access points, similar to synapses (for neurons). Some of these access points are extremely powerful (i.e. privileged) while others are not. Regardless, access points should be accessed only by authorized sources.&lt;br /&gt;&lt;br /&gt;This privileged access points’ network is vulnerable, as you’ll find out by observing the &lt;strong&gt;7 fallacies of Neuroprivilogy vulnerability&lt;/strong&gt;:&lt;br /&gt;&lt;br /&gt;1. &lt;strong&gt;These access points have limited permissions&lt;/strong&gt;&lt;br /&gt;Systems almost always use proxy accounts to interact with other systems (e.g. application to database). Now let’s be honest – when was the last time we used any type of mechanism to restrict systems’ access based on anything (e.g. propagate end user permissions to the app-database interaction)? In most cases we simply grant privileged access rights to systems. Hey, it is much easier to use the most permissive access rights required as the common (permission) denominator…&lt;br /&gt;&lt;br /&gt;2. &lt;strong&gt;Given the associated high risk I&amp;nbsp;probably already have controls in place&lt;/strong&gt;&lt;br /&gt;Does anything from the following list sound familiar? Hardcoded passwords, clear text passwords in scripts, default passwords never changed, “if we touch it everything will break”… The irony is that personal accounts for real users have very limited access rights yet are subject to stricter controls (even simple ones such as mandating frequent password changes).&lt;br /&gt;&lt;br /&gt;3. 
&lt;strong&gt;But I have all those security systems so I must be covered, right?&lt;/strong&gt;&lt;br /&gt;This topic calls for a separate blog post altogether; however, I’ll point out the fundamental principle of most systems handling users and accounts (such as IAM, SIEM, GRC, etc.) - the prerequisite to all operations is identification of users. They are great tools for personal accounts correlated to known users, and not really for privileged access points used by non-carbon-based entities. The solution is very simple – use adequate tools!&lt;br /&gt;&lt;br /&gt;4. &lt;strong&gt;Privileged access point vulnerability is strictly for insiders&lt;/strong&gt;&lt;br /&gt;Picture yourself as the bad guy: which of the following would you target? Personal accounts with limited capabilities protected by some controls, OR privileged access points with limitless access protected by no control? The notion of an internal access point is long gone, especially with the borderless infrastructure trend (did I say cloud?).&lt;br /&gt;&lt;br /&gt;5. &lt;strong&gt;Adding new systems (including security) should not impact my security posture&lt;/strong&gt;&lt;br /&gt;That’s where it gets interesting. Most systems interact with others, whether infrastructure (such as a database or user store) or services. Whenever adding a system to your environment you immediately add administrative accounts to the service, and interaction points (access points) to other systems. As already mentioned, most of these powerful access points are poorly maintained, causing a local vulnerability (of the new system) as well as a global vulnerability (the new system serves as a hopping point to other network nodes). Regardless, your overall security posture goes down.&lt;br /&gt;&lt;br /&gt;6. &lt;strong&gt;I have many more accounts for real users than access points for systems&lt;/strong&gt;&lt;br /&gt;Though this fallacy might sound right, the reality is actually very different. 
It is not about how many systems you have but the inter-communication between them. Based on the enterprise customers I’ve talked with, the complexity of the network and the magnitude of this challenge will surprise many.&lt;br /&gt;&lt;br /&gt;7. &lt;strong&gt;This vulnerability is isolated to my traditional systems&lt;/strong&gt;&lt;br /&gt;Some of the more interesting attacks/breaches from the past year present an interesting yet unexpected trend. The target is no longer confined to the traditional server, application, or database. Bad guys attacked source code configuration management systems (Aurora attacks), point of sale devices, PLCs (Stuxnet), ATMs, videoconferencing systems (Cisco), etc. The extent of this phenomenon is actually very surprising. I even heard the other day that pacemakers have privileged accounts (for remote management). Now this is what I call a life and death type of vulnerability!&lt;br /&gt;&lt;br /&gt;When observing these fallacies alongside the characteristics of APT attacks, you realize the Neuroprivilogy vulnerability is the Holy Grail for APT attackers. It perfectly fits the APT characteristics - not about quick/easy wins, but rather very patient, methodical and persistent attacks targeting a well-defined (big) “prize”. You work the privileged access points’ network until finding the way in and winning the “big prize” (limitless access to the required/targeted parts of the infrastructure).&lt;br /&gt;&lt;br /&gt;The dummy version of comparing traditional to APT attacks is: traditional = a quick and easy win, APT = keep your eyes on the prize.&lt;br /&gt;&lt;br /&gt;Now going back to my opening question – is your Neuroprivilogy vulnerable? 
(No need to answer, just a rhetorical question)&lt;br /&gt;&lt;br /&gt;BTW – an interesting TED talk about neural networks and how they actually define us: &lt;a href="http://www.ted.com/talks/sebastian_seung.html"&gt;http://www.ted.com/talks/sebastian_seung.html&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://shlomidinoor.blogspot.com/feeds/7394582390750861327/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://shlomidinoor.blogspot.com/2010/12/neuroprivilogy-is-holy-grail.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/7394582390750861327'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/7394582390750861327'/><link rel='alternate' type='text/html' href='http://shlomidinoor.blogspot.com/2010/12/neuroprivilogy-is-holy-grail.html' title='Neuroprivilogy is the Holy Grail'/><author><name>Shlomi Dinoor</name><uri>http://www.blogger.com/profile/15810123660024115550</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://1.bp.blogspot.com/_GlfI8n8nses/S1YknccjJyI/AAAAAAAAACs/y1J1jH6sk1I/S220/SD.PNG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3428659345510666362.post-1984478061690502874</id><published>2010-11-22T14:21:00.000-05:00</published><updated>2010-11-22T14:21:31.237-05:00</updated><title type='text'>v1.0 is always more successful when bundled with two sunny days at Orlando</title><content type='html'>Nothing like sunny Orlando in the middle of a Boston November, therefore you can imagine my excitement about 
participating in the first Cloud Security Alliance Conference this week.&lt;br /&gt;So what did we have there (other than ~90 degrees)?&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Interesting mix of participants (customers, vendors, thought leaders, consultants, federal)&lt;/li&gt;&lt;li&gt;Lots of cloud and security related sessions&lt;/li&gt;&lt;li&gt;Securing privileged users (insider threat) and privileged access points (API management) are top concerns&lt;/li&gt;&lt;li&gt;Sitting in a panel discussion about securing applications and data in the cloud&lt;/li&gt;&lt;li&gt;Booth at the expo center (chance to both pitch and have interesting discussions with participants) &lt;/li&gt;&lt;li&gt;AND one big debate about security and the cloud&lt;/li&gt;&lt;/ul&gt;(Basically all the ingredients for two days well spent)&lt;br /&gt;&lt;br /&gt;While I can go into lengthy descriptions of sessions and other discussions, I prefer focusing on what I perceived as the biggest debate at the conference. Which of the following is right?&lt;br /&gt;&lt;br /&gt;The cloud is new and therefore requires all applications and security solutions to be re-written&lt;br /&gt;&lt;div style="text-align: center;"&gt;OR&lt;/div&gt;&lt;div style="text-align: left;"&gt;Just more of the same, been around for a while, let’s move our apps and secure them using current controls&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;Surprisingly (or not) most influencers seem to believe things need to be re-written.&lt;/div&gt;Not surprisingly (or …) I have a different take on that. But first a couple of clarifications:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;I’m tired of this binary approach to the cloud some people present – “either everything goes to the cloud (1) or nothing (0)”. 
Think hybrid, we are going to have mixed environments for as long as you can currently plan.&lt;/li&gt;&lt;li&gt;Tired++ of this ongoing FUD competition (though I have to admit occasionally I participate). RELAX, don’t panic, we are going to be OK. The cloud is a great thing and the decision whether to adopt it is a business decision (based on its many virtues). And yes, it has vulnerabilities and issues which need to be highlighted and addressed (start by focusing on operations accountability and transparency).&lt;/li&gt;&lt;/ol&gt;Now that it is off my chest I can finally address the cloud-security debate. As in most cases, the answer is somewhere in the middle. The cloud represents new concepts, technologies and delivery mechanisms. Given the extent of the change (and opportunities) some areas are definitely going through a revolution and require re-thinking/re-architecting or, as some of my colleagues put it, re-writing. However, when looking at public IaaS there are quite a few challenges that are only going through an evolution and can be addressed with existing tools and expertise (only some adjustments required). I thought my friend Gilad (founder+CEO @ Porticor) presented it nicely during his session.&lt;br /&gt;Now it is true that every several years products get re-written anyway, therefore the shift to the cloud might be a good opportunity.&lt;br /&gt;&lt;br /&gt;My recommendation (my personal crystal ball):&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;If you are in the services business – identify evolution areas and follow them.&lt;/li&gt;&lt;li&gt;A vendor? The revolution domains are where you should be looking for opportunities.&lt;/li&gt;&lt;/ul&gt;When all is said and done, looking at Friday’s financial news: Salesforce’s Q3 results exceeded expectations and their stock is on fire! 
Makes you wonder whether customers really care or whether we are simply over-hyping it all…</content><link rel='replies' type='application/atom+xml' href='http://shlomidinoor.blogspot.com/feeds/1984478061690502874/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://shlomidinoor.blogspot.com/2010/11/v10-is-always-more-successful-when.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/1984478061690502874'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/1984478061690502874'/><link rel='alternate' type='text/html' href='http://shlomidinoor.blogspot.com/2010/11/v10-is-always-more-successful-when.html' title='v1.0 is always more successful when bundled with two sunny days at Orlando'/><author><name>Shlomi Dinoor</name><uri>http://www.blogger.com/profile/15810123660024115550</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://1.bp.blogspot.com/_GlfI8n8nses/S1YknccjJyI/AAAAAAAAACs/y1J1jH6sk1I/S220/SD.PNG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3428659345510666362.post-1590674550596221505</id><published>2010-09-30T10:37:00.002-04:00</published><updated>2010-09-30T10:39:01.149-04:00</updated><title type='text'>Anything you can do I can do better</title><content type='html'>During the past several years it has become a hobby of many to bash Identity Management vendors, solutions, deployments, you name it. 
It is too expensive, it takes forever to deploy, eventually it provides limited coverage, it is not business aware, it is too complex, did I mention the price? As an Identity Management veteran I can admit that, despite the major consolidation the market experienced and its multibillion $$$ size, some of it (probably most of it) is kind of right…&lt;br /&gt;&lt;br /&gt;Why is it any different from the natural evolution of other domains?&lt;br /&gt;&lt;br /&gt;Sometimes you encounter a special phenomenon where: &lt;br /&gt;&lt;br /&gt;1. The problem is well understood by everyone&lt;br /&gt;&lt;br /&gt;2. It is a major problem&lt;br /&gt;&lt;br /&gt;3. Every organization experiences it&lt;br /&gt;&lt;br /&gt;4. And they are willing to pay to resolve it (thus the market is defined as a multibillion $$$ market) &lt;br /&gt;&lt;br /&gt;5. There are plenty of solutions out there&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;BUT NO EXPONENTIAL GROWTH&lt;/strong&gt; &lt;strong&gt;for any of the vendors&lt;/strong&gt;; wouldn’t you expect at least one to break away?&lt;br /&gt;&lt;br /&gt;So why does it happen? Sometimes because the existing products’ coverage is limited, in other cases because they are too complex or too expensive (basically most of the reasons previously described).&lt;br /&gt;&lt;br /&gt;Those familiar with the domain know that despite the white noise (of existing vendors) the market is anxiously awaiting someone to actually “do it better”, “be greater”, “sing louder”, “go higher”…&lt;br /&gt;&lt;br /&gt;This month I participated in a couple of events – VMWorld 2010 and Arcsight Protect 2010. While representing Cyber-Ark and discussing our PIM (Privileged Identity Management) technologies I had a chance to listen to what the hosting vendors had to say. &lt;br /&gt;&lt;br /&gt;I’m happy to report that there are two new players stepping into the Identity Management space claiming to do it better. 
Meet VMWare (provisioning, self service and SSO) and Arcsight (IdentityView).&lt;br /&gt;&lt;br /&gt;It is true both vendors are very cautious with their announcements (Arcsight – we only do monitoring; VMWare – it is only for synchronous provisioning and we only manage our systems), come on…&lt;br /&gt;&lt;br /&gt;What do you think, if VMWare customers ask to “simply integrate with a ticketing system for approvals” would they provide it? Or “can you open the platform for plug-ins to control other systems”?&lt;br /&gt;&lt;br /&gt;How about Arcsight customers requesting to be able to take some remediation actions (such as disabling a suspicious account) directly from their control panel?&lt;br /&gt;&lt;br /&gt;I don’t know about you, but I think these guys are here to stay.&lt;br /&gt;&lt;br /&gt;Another market that experiences a similar phenomenon is information protection (DLP and/or ERM and/or EIP …). The extent of this challenge is huge (i.e. a major, major problem for all organizations) and the current products are struggling to solve this hairy problem. However, products are simply too complex and limited, and fail to pick up. If I had to predict I would say waves of innovation are expected, and only a different take will manage to lift this domain to the next level. 
&lt;br /&gt;&lt;br /&gt;So if you are out there considering starting an information security start-up, definitely look at this space; there’s alllllllllooooooooottttt to be done and it requires a fresh approach.</content><link rel='replies' type='application/atom+xml' href='http://shlomidinoor.blogspot.com/feeds/1590674550596221505/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://shlomidinoor.blogspot.com/2010/09/anything-you-can-do-i-can-do-better.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/1590674550596221505'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/1590674550596221505'/><link rel='alternate' type='text/html' href='http://shlomidinoor.blogspot.com/2010/09/anything-you-can-do-i-can-do-better.html' title='Anything you can do I can do better'/><author><name>Shlomi Dinoor</name><uri>http://www.blogger.com/profile/15810123660024115550</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://1.bp.blogspot.com/_GlfI8n8nses/S1YknccjJyI/AAAAAAAAACs/y1J1jH6sk1I/S220/SD.PNG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3428659345510666362.post-7052057330030160592</id><published>2010-08-05T15:12:00.008-04:00</published><updated>2010-08-05T22:49:51.304-04:00</updated><title type='text'>A Flat to Let – the Challenge of Selecting Neighbors</title><content type='html'>This week I would like to begin with a fable, based on an Eastern European folk tale translated into several other languages. Bear with me as I’m positive you’ll get (and like?) 
the metaphor!&lt;br /&gt;&lt;br /&gt;"At the edge of a valley so quiet and pretty, stands a five-story building far away from the city,"&lt;br /&gt;&lt;br /&gt;It begins, and describes the animal tenants on each floor: a fat hen, a cuckoo, a pampered black cat, a voracious squirrel. The fifth floor used to be inhabited by Mr. Mouse, but he disappears, and the neighbors put up a sign: "A Flat to Let." The flat is shown to many animals. Each follows the same cycle of sing-song questions and exclamations. But each visitor objects to one of the other animals, and rejects the flat.&lt;br /&gt;&lt;br /&gt;&lt;div align="center"&gt;&lt;img border="0" bx="true" src="http://2.bp.blogspot.com/_GlfI8n8nses/TFsK1OuQESI/AAAAAAAAAEM/B9Oh9jN1oes/s320/A+flat+to+Let.jpg" /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;“Do you like the rooms?&lt;/div&gt;&amp;nbsp;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;They are nice. &lt;br /&gt;&lt;br /&gt;Do you like the kitchen?&lt;br /&gt;&amp;nbsp;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;It is nice.&lt;br /&gt;&lt;br /&gt;Do you like the hallway?&lt;br /&gt;&amp;nbsp;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;It is nice.&lt;br /&gt;&lt;br /&gt;Then dwell with us, Rabbit.&lt;br /&gt;&amp;nbsp;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;No, I won’t!&lt;br /&gt;&lt;br /&gt;Why?&lt;br /&gt;&lt;strong&gt;I don’t like the neighbors&lt;/strong&gt;. How can I, a mother of twenty bunnies, dwell together with a cuckoo, which deserts her children? Her children grow up in weird nests. All of them deserted, all of them neglected. What would my children learn from them?&lt;br /&gt;&lt;br /&gt;The cuckoo bird was hurt. 
And the rabbit went on her way.”&lt;br /&gt;&lt;br /&gt;Finding the right neighbors is tough; you don’t want to end up with someone who will mow the lawn too early in the morning, drag his trash bins too late in the evening, or have loud parties every other day. But how can you control it?&lt;br /&gt;&lt;br /&gt;Representing Cyber-Ark, I participated in the Burton Catalyst 2010 conference last week. During the virtualization and cloud tracks, the topic of inhibitors to public clouds was discussed. As expected, security is still the #1 concern, where &lt;strong&gt;multi-tenancy&lt;/strong&gt; is a big part of it.&lt;br /&gt;&lt;br /&gt;Translating it to “fable language” - organizations are very concerned about their neighbors (with whom they share infrastructure), and want to take part in the neighbor selection process. Everyone is using the example of Coke, claiming they will never agree to share infrastructure with Pepsi. Frankly, I believe they should be more concerned if Johnnie Hacker were their neighbor, but that’s just me…&lt;br /&gt;&lt;br /&gt;Some history - once upon a time infrastructure was private, no neighbors at all. Parents only had to deal with room allocations to family members (I want a bigger one, a better view, close to the kitchen, isolated, etc.).&lt;br /&gt;&lt;br /&gt;Fast forward, then there was the Cloud, where infrastructure has become a shared resource for all citizens of the world, with no ability for tenants to impact the neighbor selection process.&lt;br /&gt;&lt;br /&gt;As potential tenants grew concerned with automatic allocation of neighbors, cloud vendors quickly responded by offering a dedicated infrastructure option. This is obviously more expensive, to the point that the risk vs. benefit ratio is not as appealing anymore. 
Organizations preferred building private clouds, gaining partial capabilities of the “cloud movement” while compromising on others.&lt;br /&gt;&lt;br /&gt;I believe we will witness the evolution of new cloud computing models/offerings in addition to public and dedicated, addressing the neighbors challenge.&lt;br /&gt;&lt;br /&gt;A few potential directions which come to mind:&lt;br /&gt;&lt;br /&gt;1. Co-location based on reputation - think about your car insurance policy: coverage as well as cost depends on your reputation (previous claims, driving record, etc.). Credit score is another reputation mechanism with direct impact on the services you receive. An organization’s reputation (such as controls in place, attack record, load) will be used to determine its co-location. Companies with a good reputation will be granted better service, lower cost and above all – reputable neighbors!&lt;br /&gt;&lt;br /&gt;2. Cloud communities – in the physical world we see communities forming around joint interests or trust. Similarly, “cloud communities” with shared interests (such as regulations) or trust (community members trust each other) will be created. They will run their systems on shared infrastructure dedicated to the community. I foresee an eco-system of brokerage services helping to form these communities, and negotiating terms with cloud service providers on behalf of the community.&lt;br /&gt;&lt;br /&gt;3. The Cloud Randomizer – this started as a joke, but think about it. The cloud’s underlying technology is mainly virtualization; virtualization enables moving environments around with no downtime. How about frequently moving an organization’s systems around in a randomized way, reducing the likelihood of attacks (at least planned ones)?&lt;br /&gt;&lt;br /&gt;What do you think? Am I dreaming? 
Should I stick to folk tales?</content><link rel='replies' type='application/atom+xml' href='http://shlomidinoor.blogspot.com/feeds/7052057330030160592/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://shlomidinoor.blogspot.com/2010/08/flat-to-let-art-of-selecting-neighbors.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/7052057330030160592'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/7052057330030160592'/><link rel='alternate' type='text/html' href='http://shlomidinoor.blogspot.com/2010/08/flat-to-let-art-of-selecting-neighbors.html' title='A Flat to Let – the Challenge of Selecting Neighbors'/><author><name>Shlomi Dinoor</name><uri>http://www.blogger.com/profile/15810123660024115550</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://1.bp.blogspot.com/_GlfI8n8nses/S1YknccjJyI/AAAAAAAAACs/y1J1jH6sk1I/S220/SD.PNG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_GlfI8n8nses/TFsK1OuQESI/AAAAAAAAAEM/B9Oh9jN1oes/s72-c/A+flat+to+Let.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3428659345510666362.post-5367290769811591216</id><published>2010-07-23T14:30:00.000-04:00</published><updated>2010-07-23T14:30:58.497-04:00</updated><title type='text'>Hard-coded default passwords? The Ostrich for the rescue!</title><content type='html'>Some days I feel the world will be a much easier place to live in if we simply adopt the ostrich approach. 
If something looks slightly challenging, let’s just stick our head in the ground for a while and the problem will simply go away.&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/_GlfI8n8nses/TEnfpjZTzaI/AAAAAAAAAEE/zwz_aTVhdxg/s1600/ostrich+head+in+sand+sign.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="190" hw="true" src="http://1.bp.blogspot.com/_GlfI8n8nses/TEnfpjZTzaI/AAAAAAAAAEE/zwz_aTVhdxg/s200/ostrich+head+in+sand+sign.gif" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Those of you who enjoy tracking threats, attacks, malware and the like have probably heard about the Stuxnet worm by now. For the rest of you, it is malware targeting Windows environments running Siemens software used by industrial companies. Once on a system, it uses Siemens default passwords to connect to the database and collect information.&lt;br /&gt;&lt;br /&gt;Does not sound like a big deal. Nobody is using default passwords these days, and even if they foolishly did, just change the password and have a good night’s sleep, right?&lt;br /&gt;&lt;br /&gt;ahmmm… unfortunately, if that were the case I would have had to look for a different topic for my post…&lt;br /&gt;&lt;br /&gt;Those of you who follow my blog know by now that I’m not really a security radical, but rather moderate and open minded when it comes to the way security specialists grasp the world. But I can tell you that this incident is mind boggling even for me.&lt;br /&gt;&lt;br /&gt;Sin #1: using hard-coded passwords – happens from time to time, irresponsible behavior, slap on the wrist.&lt;br /&gt;&lt;br /&gt;Sin #2: sin #1’s hard-coded passwords are the default ones and are the same for all customers – doh!&lt;br /&gt;&lt;br /&gt;Sin #3: these passwords cannot be changed (per Siemens) or the systems will stop working – what were these guys thinking? 
It is even worse than creating a system with no authentication mechanism at all, zip, open to the public, web 2.0 like... You communicate a FALSE sense of security that there are controls in place to secure usage of the system (i.e. authentication), yet the passwords are known to the public and cannot be changed?!&lt;br /&gt;&lt;br /&gt;Top it with Siemens’ response (reportedly advising customers not to change their default passwords, arguing it “may impact plant operations.”), leaving customers out there in the cold having to choose between bad and worse…&lt;br /&gt;&lt;br /&gt;There are many articles describing this incident, an example: http://tiny.cc/osg8q&lt;br /&gt;&lt;br /&gt;I’m positive Siemens will snap out of their current state of mind and resolve it, but the unfortunate part is the fact that this phenomenon and state of mind is not limited to Siemens. Some still use hard-coded passwords, some still use default passwords and some don’t change passwords.&lt;br /&gt;&lt;br /&gt;It is time to GET BACK TO THE BASICS!&lt;br /&gt;&lt;br /&gt;1. Authentication between systems should be externalized and governed by processes/tools that can rotate and secure credentials.&lt;br /&gt;&lt;br /&gt;2. Default passwords might be good for the initial bootstrap/setup procedure; however, they should be changed and should definitely be unique per customer.&lt;br /&gt;&lt;br /&gt;3. There are tools designed to address the whole privileged accounts challenge, regardless of whether the account is used by humans or non-carbon-based entities (such as applications, services, or devices).&lt;br /&gt;&lt;br /&gt;Unlike the common belief that the vulnerability of internal, powerful credentials is a target for internal threats only, the reality is that privileged accounts are a gem for external attackers. 
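&lt;br /&gt;&lt;br /&gt;The three “back to basics” items above, together with the hard-coded/clear-text/default-password list from fallacy #2 of the Neuroprivilogy post, as an added audit example (not the post’s or Cyber-Ark’s code): it walks a constructed inventory of system-to-system credentials, flags each of the three sins, and shows the externalize-and-rotate fix. System names, passwords, dates and the 90-day rotation policy are constructed assumptions.&lt;br /&gt;&lt;br /&gt;

```python
"""Audit the credentials behind system-to-system access points.

Added example, not the post's or Cyber-Ark's code. A constructed inventory of
connections (application -> database, etc.) is checked for the problems the
post calls out: passwords hard-coded in config files or scripts, vendor default
passwords shared across installations, and credentials never (or not recently)
rotated. All names, passwords and dates below are constructed placeholders.
"""
import secrets
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed placeholder list of vendor-default passwords. A real audit would
# load a maintained list; none of these is a specific vendor's actual default.
KNOWN_DEFAULTS = {"admin", "password", "changeme", "default", "vendor-default"}

# Assumed rotation policy: anything older than this is flagged as stale.
MAX_CREDENTIAL_AGE = timedelta(days=90)


@dataclass(frozen=True)
class SystemCredential:
    source: str                   # system holding the credential (e.g. the app)
    target: str                   # system it authenticates to (e.g. the database)
    password: Optional[str]       # None: the app fetches it from a vault at runtime
    stored_in: str                # "config_file", "script" or "vault"
    last_rotated: Optional[date]  # None: never rotated since installation


def audit_credential(cred: SystemCredential, today: date) -> List[str]:
    """Return the list of findings for one access point (empty means clean)."""
    findings = []
    # Sin #1: the secret lives inside the application's own files.
    if cred.stored_in in ("config_file", "script") and cred.password is not None:
        findings.append("hard-coded: password embedded in %s" % cred.stored_in)
    # Sin #2: the secret is a vendor default, so it is the same for every customer.
    if cred.password is not None and cred.password.lower() in KNOWN_DEFAULTS:
        findings.append("vendor default: shared across installations")
    # Sin #3 and basics #1: nobody can, or does, rotate it.
    if cred.last_rotated is None:
        findings.append("never rotated since install")
    elif today - cred.last_rotated > MAX_CREDENTIAL_AGE:
        age = (today - cred.last_rotated).days
        findings.append("stale: last rotated %d days ago" % age)
    return findings


def audit_network(creds: List[SystemCredential],
                  today: date) -> Dict[Tuple[str, str], List[str]]:
    """Map every problematic (source, target) access point to its findings."""
    report = {}
    for cred in creds:
        findings = audit_credential(cred, today)
        if findings:
            report[(cred.source, cred.target)] = findings
    return report


def externalize_and_rotate(cred: SystemCredential,
                           vault: Dict[Tuple[str, str], str],
                           today: date) -> SystemCredential:
    """Hardened form: a fresh random secret goes into the vault; the app keeps none."""
    vault[(cred.source, cred.target)] = secrets.token_urlsafe(24)
    return SystemCredential(cred.source, cred.target, None, "vault", today)


# Constructed sample inventory; the audit date is the post's publication date.
TODAY = date(2010, 7, 23)
SAMPLE_CREDENTIALS = [
    SystemCredential("plant-hmi", "plant-db", "vendor-default", "config_file", None),
    SystemCredential("batch-job", "erp-db", "s3cret-2009", "script", date(2009, 1, 15)),
    SystemCredential("web-app", "user-store", None, "vault", date(2010, 7, 1)),
]

if __name__ == "__main__":
    for hop, findings in audit_network(SAMPLE_CREDENTIALS, TODAY).items():
        print("%s -> %s: %s" % (hop[0], hop[1], "; ".join(findings)))
    vault = {}
    fixed = externalize_and_rotate(SAMPLE_CREDENTIALS[0], vault, TODAY)
    print("after remediation:", audit_credential(fixed, TODAY))  # []
```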
More frequently than you imagine, external attacks target these powerful accounts, as hijacking them makes external hackers’ life/job much easier.&lt;br /&gt;&lt;br /&gt;Next week is Burton Group’s Catalyst week, stay tuned for my take-aways/insights from the conference and sunny San Diego!</content><link rel='replies' type='application/atom+xml' href='http://shlomidinoor.blogspot.com/feeds/5367290769811591216/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://shlomidinoor.blogspot.com/2010/07/hard-coded-default-passwords-ostrich.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/5367290769811591216'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/5367290769811591216'/><link rel='alternate' type='text/html' href='http://shlomidinoor.blogspot.com/2010/07/hard-coded-default-passwords-ostrich.html' title='Hard-coded default passwords? 
The Ostrich for the rescue!'/><author><name>Shlomi Dinoor</name><uri>http://www.blogger.com/profile/15810123660024115550</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://1.bp.blogspot.com/_GlfI8n8nses/S1YknccjJyI/AAAAAAAAACs/y1J1jH6sk1I/S220/SD.PNG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_GlfI8n8nses/TEnfpjZTzaI/AAAAAAAAAEE/zwz_aTVhdxg/s72-c/ostrich+head+in+sand+sign.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3428659345510666362.post-6344367410285271987</id><published>2010-07-20T09:35:00.001-04:00</published><updated>2010-07-20T09:36:06.386-04:00</updated><title type='text'>The Jerry Maguire take on Security</title><content type='html'>I have a strong feeling this post is going to be my Jerry Maguire’s “Mission Statement”…&lt;br /&gt;&lt;br /&gt;A couple of comments for those who have not seen the movie:&lt;br /&gt;1. Keep reading as watching the movie is not a prerequisite&lt;br /&gt;2. You should probably consider watching it, it has some funny quotes&lt;br /&gt;&lt;br /&gt;A recap - Jerry Maguire is a 1996 film starring Tom Cruise about a sports agent who has a moral epiphany and is fired for expressing it, who then decides to put his new philosophy to the test as an independent with the only athlete who stays with him (Wikiquote.org - http://tiny.cc/sqj8p).&lt;br /&gt;&lt;br /&gt;My case is obviously different: it is not so much an epiphany but rather some thoughts/insights, and the whole firing part??? &lt;br /&gt;&lt;br /&gt;Despite the many changes the security community experienced, one thing seemed to stick with us throughout the years (especially as compliance has been bolted on to security) – FEAR. 
&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;If we’ll scare them they will come!&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Fear as a way of thinking about the challenges, fear as a design criterion, fear as a way to prioritize features, fear as a driver for pricing, and certainly fear as a selling tactic.&lt;br /&gt;&lt;br /&gt;It is kind of a negative way of thinking, don’t you think?&lt;br /&gt;&lt;br /&gt;Recently I participated in the Enterprise 2.0 conference. Surprisingly, these guys approach issues differently, on the verge of a Woodstock atmosphere. It is all about collaboration, opening up the organization, loosening controls, doing good for everyone (rainbows and violin background music…). Almost too much positive thinking for me…&lt;br /&gt;&lt;br /&gt;In the audience I could notice quite a few CIOs, most of whom participate in our (security) conferences as well. It is simply mind boggling what is going through their minds when they hear both the enterprise 2.0 and the security pitches. The contradiction is simply amazing. &lt;br /&gt;&lt;br /&gt;So who has it right?&lt;br /&gt;Are we right and they are naïve, or do they have it right and we are simply afraid?&lt;br /&gt;&lt;br /&gt;As with most things, I believe the truth is somewhere in between.&lt;br /&gt;&lt;br /&gt;You would rightfully say organizations spend their security budgets addressing threats. And Rod Tidwell’s immortal motto is probably correct (from the movie of course): “Show me the money!” Security vendors should continue addressing these threats and fears. Hey, this is our thing and we should keep on doing it.&lt;br /&gt;&lt;br /&gt;However, I still believe there is a place for positive thinking in our domain (security). The infrastructure play and the information our security systems are exposed to can be leveraged for positive spins. 
Topics such as increased awareness, productivity and reduced cost can all be addressed.&lt;br /&gt;&lt;br /&gt;Just a few simple examples (I’m keeping the really interesting ones for internal usage…):&lt;br /&gt;1. While monitoring usage of applications the system can recommend (potentially even automate) adding the more popular apps under the SSO umbrella.&lt;br /&gt;2. As we monitor behavioral patterns for fraud detection we can contribute to optimizing web applications, increasing productivity and reducing cost.&lt;br /&gt;3. During access control to unstructured data we can identify usage frequency and suggest lower cost storage for rarely used documents or “cache” more frequently used data.&lt;br /&gt;4. And even a small frustrating thing such as a laptop’s startup time can be improved: as application usage is monitored, we can identify rarely used apps/services and remove them from the startup sequence.&lt;br /&gt;&lt;br /&gt;Can you imagine positive thinking becoming a differentiator in the security domain?&lt;br /&gt;Do you believe customers will actually be willing to spend their security $$$ on positive things?</content><link rel='replies' type='application/atom+xml' href='http://shlomidinoor.blogspot.com/feeds/6344367410285271987/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://shlomidinoor.blogspot.com/2010/07/jerry-maguire-take-on-security.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/6344367410285271987'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/6344367410285271987'/><link rel='alternate' type='text/html' 
href='http://shlomidinoor.blogspot.com/2010/07/jerry-maguire-take-on-security.html' title='The Jerry Maguire take on Security'/><author><name>Shlomi Dinoor</name><uri>http://www.blogger.com/profile/15810123660024115550</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://1.bp.blogspot.com/_GlfI8n8nses/S1YknccjJyI/AAAAAAAAACs/y1J1jH6sk1I/S220/SD.PNG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3428659345510666362.post-9024855150659571674</id><published>2010-06-25T10:23:00.000-04:00</published><updated>2010-06-25T10:23:08.382-04:00</updated><title type='text'>Gold Rush – The return of the King</title><content type='html'>&lt;div class="MsoNormal"&gt;5:45pm – just as I was planning to head out to the Apple store I get the following alert:&lt;/div&gt;&lt;div class="MsoNormal"&gt;SEVERE THUNDERSTORMS PRODUCE DAMAGING WINDS AND LARGE HAIL... AS WELL AS DEADLY LIGHTNING AND TORRENTIAL RAIN. GET TO SAFE SHELTER NOW... INSIDE A STURDY BUILDING OR IN A VEHICLE. DO NOT SEEK SHELTER UNDER TREES. IF YOU CAN HEAR THUNDER... YOU ARE CLOSE ENOUGH TO BE STRUCK BY LIGHTNING. DRIVERS SHOULD BE ALERT FOR PONDING OF WATER AND AVOID FLOODED ROADS.&lt;/div&gt;&lt;div class="MsoNormal"&gt;A SEVERE THUNDERSTORM WATCH REMAINS IN EFFECT UNTIL 800 PM EDT THURSDAY EVENING FOR NORTHERN CONNECTICUT AND MASSACHUSETTS AND SOUTHERN NEW HAMPSHIRE AND CENTRAL RHODE ISLAND.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;You got to be kidding me!&lt;/div&gt;&lt;div class="MsoNormal"&gt;If you really think a deadly thunderstorm will hold me back from getting the prize, then think again.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;6:10pm – got to the store (still alive), only 5 people in line (all with pre-orders or tickets). 
This obviously proves that you get better treatment if you are invited to the party…&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;7:00pm – returning home as a winner, I’m probably looking at a romantic evening where each one of us is busy updating his new iPhone…&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Not sure what the big excitement is all about – after all it is just a phone (and an iPod and an email device and an app platform, probably the coolest gadget around…)&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;I have finally figured out the name “iPhone 4”, looks like you have to wait 4 hours to get an iPhone…&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://shlomidinoor.blogspot.com/feeds/9024855150659571674/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://shlomidinoor.blogspot.com/2010/06/gold-rush-return-of-king.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/9024855150659571674'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/9024855150659571674'/><link rel='alternate' type='text/html' href='http://shlomidinoor.blogspot.com/2010/06/gold-rush-return-of-king.html' title='Gold Rush – The return of the King'/><author><name>Shlomi Dinoor</name><uri>http://www.blogger.com/profile/15810123660024115550</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' 
src='http://1.bp.blogspot.com/_GlfI8n8nses/S1YknccjJyI/AAAAAAAAACs/y1J1jH6sk1I/S220/SD.PNG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3428659345510666362.post-450555580050569163</id><published>2010-06-24T11:45:00.001-04:00</published><updated>2010-06-24T11:47:19.755-04:00</updated><title type='text'>Gold Rush</title><content type='html'>&lt;div class="MsoNormal"&gt;I have finally decided to walk the walk and make the commitment. Despite the nasty mother in law (AT&amp;amp;T) I’m getting an iPhone 4.&lt;/div&gt;&lt;div class="MsoNormal"&gt;For the first time in my life I’m going to actually wake up early, stand in line and on the premiere be one of the lucky ones (as well as an additional 1M people) to have the new majestic device! &lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;So this is how it went (so far):&lt;/div&gt;&lt;div class="MsoNormal"&gt;5:40am – woke up (going to get the iPhone 4 today, YEAH!) &lt;/div&gt;&lt;div class="MsoNormal"&gt;5:55am – reports on the internet: already long lines (still optimistic)&lt;/div&gt;&lt;div class="MsoNormal"&gt;6:15am – the Dinoor team is out on the road (cautiously optimistic)&lt;/div&gt;&lt;div class="MsoNormal"&gt;6:20am – Dunkin Donuts, and we are ready for the action (carbs are always good for the spirit)&lt;/div&gt;&lt;div class="MsoNormal"&gt;6:25am – the parking lot is half full, at 6:25 in the morning!? (Um, Oh...right)&lt;/div&gt;&lt;div class="MsoNormal"&gt;6:30am – finally standing in line, practically at the mall’s entrance with probably 200-300 people in front of us (it is going to be a long day)&lt;/div&gt;&lt;div class="MsoNormal"&gt;7:01am – we are moving! Actually the other line (pre-order) is moving (shall I cut my losses here and now, i.e. 
leave?)&lt;/div&gt;&lt;div class="MsoNormal"&gt;7:30am – made 10 feet of progress and rumor has it the pre-order line is getting in first (50:1 ratio between the lines)&lt;/div&gt;&lt;div class="MsoNormal"&gt;8:45am – nothing (let’s pack our things and leave, such a loser…)&lt;/div&gt;&lt;div class="MsoNormal"&gt;9:00am – there is a God up there, I have made it! I’m the proud owner of a … ticket assuring me an iPhone (the line is still long, but who cares?)&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/_GlfI8n8nses/TCN9cDRVsqI/AAAAAAAAADs/RHyD713pwS8/s1600/Tickets.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/_GlfI8n8nses/TCN9cDRVsqI/AAAAAAAAADs/RHyD713pwS8/s320/Tickets.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;9:15am – leaving the scene as a winner, I’ll be back later on tonight to pick it up&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Stay tuned for more on how the saga ends!&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://shlomidinoor.blogspot.com/feeds/450555580050569163/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://shlomidinoor.blogspot.com/2010/06/gold-rush.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/450555580050569163'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/3428659345510666362/posts/default/450555580050569163'/><link rel='alternate' type='text/html' href='http://shlomidinoor.blogspot.com/2010/06/gold-rush.html' title='Gold Rush'/><author><name>Shlomi Dinoor</name><uri>http://www.blogger.com/profile/15810123660024115550</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://1.bp.blogspot.com/_GlfI8n8nses/S1YknccjJyI/AAAAAAAAACs/y1J1jH6sk1I/S220/SD.PNG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_GlfI8n8nses/TCN9cDRVsqI/AAAAAAAAADs/RHyD713pwS8/s72-c/Tickets.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3428659345510666362.post-8957356893692316618</id><published>2010-06-21T14:27:00.002-04:00</published><updated>2010-06-22T07:48:51.725-04:00</updated><title type='text'>Worth Repeating</title><content type='html'>I find myself quite often quoting expressions I hear at different places. Surprisingly people seem to enjoy it and even (God forbid) use it at later times...&lt;br /&gt;&lt;br /&gt;As an entertaining exercise, I’m going to post these valuable quotes from time to time at the “Worth Repeating” section on the right (keep scrolling down).&lt;br /&gt;&lt;br /&gt;To kick it off I’m going to start with a few I’ve heard recently:&lt;br /&gt;&lt;br /&gt;1. “Security is like life insurance, you only win when you lose” Dr. Rainer Janßen, Munich Re CIO, EIC 2010, Munich May 2010&lt;br /&gt;&lt;br /&gt;2. “The cloud is cloudy, not transparent” someone at EIC 2010, Munich May 2010. While discussing Cloud and security concerns&lt;br /&gt;&lt;br /&gt;3. “The bits move faster than people, make sure to bring the people with you” Sanjay Mirchandani, (EMC CIO), EMC World, Boston May 2010. While discussing the journey to the cloud.&lt;br /&gt;&lt;br /&gt;4. 
“The technology market is definitely accelerating - it took IBM 40 years to become the evil, Microsoft 25, Google 10, Facebook 5 and Twitter 2.5” JP Rangaswami, Enterprise 2.0 conference, Boston June 2010&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Enjoy!</content><link rel='replies' type='application/atom+xml' href='http://shlomidinoor.blogspot.com/feeds/8957356893692316618/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://shlomidinoor.blogspot.com/2010/06/worth-repeating.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/8957356893692316618'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/8957356893692316618'/><link rel='alternate' type='text/html' href='http://shlomidinoor.blogspot.com/2010/06/worth-repeating.html' title='Worth Repeating'/><author><name>Shlomi Dinoor</name><uri>http://www.blogger.com/profile/15810123660024115550</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://1.bp.blogspot.com/_GlfI8n8nses/S1YknccjJyI/AAAAAAAAACs/y1J1jH6sk1I/S220/SD.PNG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3428659345510666362.post-193338609309308286</id><published>2010-06-17T09:54:00.000-04:00</published><updated>2010-06-17T09:54:04.132-04:00</updated><title type='text'>ShaaS</title><content type='html'>Regardless of what people might say, the recent couple of years were great for the technology industry. 
We (technologists) exhausted the 3 and 4 letter acronyms, and at some point, just when we thought 5 letters are the new 3 letters, a miracle happened. &lt;br /&gt;&lt;br /&gt;The CLOUD was created, enabling us to cloud-wash everything by simply adding “aaS” as a suffix. This allowed us to start all over again with the 1-2 letter game. &lt;br /&gt;&lt;br /&gt;As you can see I’m no different than the rest. So what is ShaaS (used in the title) all about? Is it simply &lt;strong&gt;Sh&lt;/strong&gt;lomi &lt;strong&gt;a&lt;/strong&gt;s &lt;strong&gt;a&lt;/strong&gt; &lt;strong&gt;S&lt;/strong&gt;ervice? Better guess again…&lt;br /&gt;&lt;br /&gt;It is actually &lt;strong&gt;Sh&lt;/strong&gt;aring &lt;strong&gt;a&lt;/strong&gt;s &lt;strong&gt;a&lt;/strong&gt; &lt;strong&gt;S&lt;/strong&gt;ervice. A lot was said and written about collaboration and sharing of data, but despite the chatter, solutions have not addressed some of the key challenges.&lt;br /&gt;&lt;br /&gt;I’ll focus just on one of these challenges - modern collaboration and data sharing are dynamic by nature and cannot be controlled by static policies/controls. &lt;br /&gt;&lt;br /&gt;Let’s follow a use case (as an example) – sharing a document with a group of people. The team can access the file, download it, read it, etc. But what happens two weeks from now when something has changed and I want to stop sharing the file with some members of the team? Using existing information protection techniques (such as DLP or DRM) will not allow me to do it, as the file is already in the possession of these people. Even if it was wrapped by some type of shell (in the case of DRM), it is based on a static, outdated policy. &lt;br /&gt;&lt;br /&gt;It is true the Enterprise 2.0 guys say (rightfully) that organizations should design for loss of control (including over data) as web 2.0 penetrates the enterprise. However, while organizations promote sharing/collaboration they should protect their sensitive data. 
&lt;br /&gt;&lt;br /&gt;Another interesting phenomenon is the different approach to data by enterprises and consumers. While the enterprise default is “secure first, then ask questions”, for consumers it is all about sharing (security? privacy? No one cares!). It looks like consumers treat data as almost nonexistent unless it is shared.&lt;br /&gt;&lt;br /&gt;It will be interesting to see a TTS (“Time To Share”) graph over time (i.e. time from the actual event to when it is shared). I’m willing to bet TTS has dramatically gone down and is currently very low.&lt;br /&gt;&lt;br /&gt;Evolution:&lt;br /&gt;1. In the past one would take photos of an event, download them to the computer, upload them to a favorite social networking tool and share them with a selected audience.&lt;br /&gt;2. Then it seems all devices introduced direct social networking posting capabilities.&lt;br /&gt;3. Next, using telepathy capabilities, thoughts will be automatically posted.&lt;br /&gt;4. And finally, the ultimate sharing tool – the Twitter generator. Based on my interests and real events, it will automagically generate tweets in real time (on my behalf). I will be perceived as extremely smart, how cool is that? &lt;br /&gt;&lt;br /&gt;The reality is probably somewhere in the middle: sharing of data is fundamental for the business, yet it should be controlled to protect the business. 
Information protection systems should be morphed with data sharing tools, taking the dynamic nature of sharing into consideration.&lt;br /&gt;&lt;br /&gt;While I leave you with this, I’ll go back to thinking how to make Shlomi as a Service a viable business…</content><link rel='replies' type='application/atom+xml' href='http://shlomidinoor.blogspot.com/feeds/193338609309308286/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://shlomidinoor.blogspot.com/2010/06/shaas.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/193338609309308286'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/193338609309308286'/><link rel='alternate' type='text/html' href='http://shlomidinoor.blogspot.com/2010/06/shaas.html' title='ShaaS'/><author><name>Shlomi Dinoor</name><uri>http://www.blogger.com/profile/15810123660024115550</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://1.bp.blogspot.com/_GlfI8n8nses/S1YknccjJyI/AAAAAAAAACs/y1J1jH6sk1I/S220/SD.PNG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3428659345510666362.post-6316056678644467782</id><published>2010-05-17T16:31:00.000-04:00</published><updated>2010-05-17T16:31:40.022-04:00</updated><title type='text'>The Shlomi Cloud!</title><content type='html'>Facebook owns my photos, Google owns my emails/documents/contacts, LinkedIn owns my network, Delicious owns my favorites, and even my real URLs are not in my possession (but held by the Tiny URLs of the world)…&lt;br /&gt;&lt;br /&gt;Did I totally lose it?&lt;br /&gt;&lt;br 
/&gt;I recently read about a new startup offering us to manage all our social networking sites from one place. Finally you can move pictures from Picasa to Facebook and then to Google docs, all from a single location. Kind of nice, right? While it is probably very useful (haven’t tried it yet), I say - not another aggregator please!&lt;br /&gt;&lt;br /&gt;Instead I want to use a hub and spoke model and have my own Shlomi cloud (clouds are exceptionally trendy these days) where I own/control/manage/store eeevvvverything. &lt;br /&gt;&lt;br /&gt;I can define my network (tree/forest of relationships) in one place and carry it (or a subset of it) with me to different social network sites (today to Facebook or LinkedIn, and tomorrow to the next big thing). &lt;br /&gt;&lt;br /&gt;I can store all my photos, documents, etc. and delete them whenever I want, knowing no zombie copies are floating in the WWW wilderness.&lt;br /&gt;&lt;br /&gt;I can create my personas and manage them, deciding which persona to present and when.&lt;br /&gt;&lt;br /&gt;And all the great social networking sites can focus on the services they provide while referencing my identity from the Shlomi Cloud.&lt;br /&gt;&lt;br /&gt;What do you think? 
Is it time to start the MyPersonalCloud.org movement, where everyone can create, own and control his own piece of identity?</content><link rel='replies' type='application/atom+xml' href='http://shlomidinoor.blogspot.com/feeds/6316056678644467782/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://shlomidinoor.blogspot.com/2010/05/shlomi-cloud.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/6316056678644467782'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/6316056678644467782'/><link rel='alternate' type='text/html' href='http://shlomidinoor.blogspot.com/2010/05/shlomi-cloud.html' title='The Shlomi Cloud!'/><author><name>Shlomi Dinoor</name><uri>http://www.blogger.com/profile/15810123660024115550</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://1.bp.blogspot.com/_GlfI8n8nses/S1YknccjJyI/AAAAAAAAACs/y1J1jH6sk1I/S220/SD.PNG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3428659345510666362.post-7727712451678649774</id><published>2010-04-01T17:27:00.001-04:00</published><updated>2010-04-01T17:29:39.574-04:00</updated><title type='text'>The Global Brainstorming Event of the Year</title><content type='html'>Writing about April Fools’ Day scams is kind of corny, right?&lt;br /&gt;&lt;br /&gt;I’m in the business of ideas and innovation, so let me ask you a question and try to answer it from my perspective:&lt;br /&gt;What do you call a once-a-year event, where great minds think outside the box with no boundaries or limitations, and publicly 
introduce theoretical innovative ideas that even sound reasonable in some cases (with no patents, NDAs, IP restrictions, etc.)?&lt;br /&gt;&lt;br /&gt;Now you might call it April Fools’ Day, but for me it is the Global Brainstorming Event of the Year (GBEY). &lt;br /&gt;So welcome to GBEY 2010!&lt;br /&gt;&lt;br /&gt;Here are some of this year’s pranks. Try making some sense out of them: &lt;br /&gt;1. Topeka is Google (really), now &lt;a href="http://www.google.com/"&gt;Google is Topeka&lt;/a&gt; &lt;br /&gt;2. &lt;a href="http://www.starbucks.com/blog/10113/starbucks-listens-to-customer-request-for-more-sizes.aspx"&gt;Starbucks introducing ridiculous new sizes&lt;/a&gt;&lt;br /&gt;3. &lt;a href="http://bit.ly/98YVDA"&gt;No Coffee for you!&lt;/a&gt; While Starbucks introduces new cup sizes, the FDA bans coffee, causing the same Starbucks to move outside of the US.&lt;br /&gt;4. &lt;a href="http://www.youtube.com/watch?v=3I24bSteJpw&amp;amp;feature=player_embedded"&gt;Introducing Google Translate for Animals&lt;/a&gt;&lt;br /&gt;5. &lt;a href="http://blog.hubspot.com/blog/tabid/6307/bid/5812/New-HugSpot-Dating-Software-Helps-Singles-Find-Love-Online.aspx"&gt;HugSpot by HubSpot?&lt;/a&gt; New HugSpot Dating Software Helps Singles Find Love Online.&lt;br /&gt;6. &lt;a href="http://www.socialtext.com/blog/2010/04/socialtext-releases-chatroulette.html"&gt;Chatroulette for the Enterprise&lt;/a&gt;, Randomized Productivity Management, i.e. RPM (who comes up with these acronyms!?).&lt;br /&gt;7. Gartner publishes &lt;a href="http://blogs.gartner.com/brian_prentice/2010/04/01/microsoft-decides-to-open-source-windows-operating-system/"&gt;Microsoft Decides To Open Source Windows&lt;/a&gt; Operating System.&lt;br /&gt;8. New mobile search option, &lt;a href="http://googlemobile.blogspot.com/2010/04/our-newest-mobile-search-feature-where.html"&gt;Where am I?&lt;/a&gt; Who am I? Why am I?&lt;br /&gt;9. 
&lt;a href="http://youtube-global.blogspot.com/2010/03/textp-saves-youtube-bandwidth-money.html"&gt;New resolution used by YouTube&lt;/a&gt; (TEXTp) saves YouTube bandwidth and money.&lt;br /&gt;10. &lt;a href="http://www.insideredbox.com/redbox-to-speed-up-dvd-return-process-save-jobs/"&gt;Redbox to Speed Up DVD Return Process&lt;/a&gt; by adding a return butler (i.e. real person) next to each kiosk).&lt;br /&gt;11. iHOB, a new iPhone application that &lt;a href="http://blog.tamar.com/2010/04/tamar-announce-the-ihob-latest-innovation-in-iphone-app-technology/"&gt;turns your phone into a mini-stove&lt;/a&gt; (great stuff!). It provides a 15 ring system to heat up in mere seconds to be warm enough to heat a can of baked beans or soup in 15 minutes and once turned off will cool down in 15 seconds.&lt;br /&gt;12. A must have accessory for the iPad fans, an &lt;a href="http://www.ugo.com/the-goods/icade-the-april-fools-joke-with-a-bright-future"&gt;arcade cabinet for iPad&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And the list goes on and on and on…&lt;br /&gt;&lt;br /&gt;If you observe GBEY 2010 scams from my point of view, you might realize that with the right spin some of these crazy ideas can actually be quite good…&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3428659345510666362-7727712451678649774?l=shlomidinoor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://shlomidinoor.blogspot.com/feeds/7727712451678649774/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://shlomidinoor.blogspot.com/2010/04/global-brainstorming-event-of-year.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/7727712451678649774'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/3428659345510666362/posts/default/7727712451678649774'/><link rel='alternate' type='text/html' href='http://shlomidinoor.blogspot.com/2010/04/global-brainstorming-event-of-year.html' title='The Global Brainstorming Event of the Year'/><author><name>Shlomi Dinoor</name><uri>http://www.blogger.com/profile/15810123660024115550</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://1.bp.blogspot.com/_GlfI8n8nses/S1YknccjJyI/AAAAAAAAACs/y1J1jH6sk1I/S220/SD.PNG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3428659345510666362.post-6495693935658228008</id><published>2010-03-23T11:24:00.000-04:00</published><updated>2010-03-23T11:24:12.571-04:00</updated><title type='text'>TSA plays Russian roulette, yet again…</title><content type='html'>A quick disclaimer: I have nothing against TSA, despite the fact I’ve missed a flight in the past due to long lines at the security check… They are a symptom of a greater problem rather than the problem itself.&lt;br /&gt;&lt;br /&gt;Now that we’ve put it aside let’s observe TSA’s mission statement (&lt;a href="http://www.tsa.gov/who_we_are/mission.shtm"&gt;http://www.tsa.gov/who_we_are/mission.shtm&lt;/a&gt;):&lt;br /&gt;“The Transportation Security Administration protects the Nation's transportation systems to ensure freedom of movement for people and commerce” &lt;br /&gt;&lt;br /&gt;And vision statement:&lt;br /&gt;“The Transportation Security Administration will continuously set the standard for excellence in transportation security through its people, processes, and technology.”&lt;br /&gt;&lt;br /&gt;Sounds like TSA are heavy duty on security, right?&lt;br /&gt;&lt;br /&gt;Well, I will not discuss transportation security (though debatable by some); however history tells us a slightly different story when it comes to information security…&lt;br /&gt;&lt;br /&gt;Looking at the past 4 
years:&lt;br /&gt;&lt;br /&gt;2007 (&lt;a href="http://bit.ly/aoChfI"&gt;http://bit.ly/aoChfI&lt;/a&gt;) – An external hard drive containing data from approximately 100,000 archived employment records went missing from a controlled area at TSA.&lt;br /&gt;&lt;br /&gt;2009 (&lt;a href="http://bit.ly/5REHBu"&gt;http://bit.ly/5REHBu&lt;/a&gt;) – TSA accidentally posted a document containing highly sensitive information on its airport screening procedures on a government website.&lt;br /&gt;&lt;br /&gt;2010 (&lt;a href="http://bit.ly/dc2Nbu"&gt;http://bit.ly/dc2Nbu&lt;/a&gt;) – Poor security protocols led to a fired TSA worker sabotaging TSA’s databases containing information tied to the war on terror and other law enforcement activities. &lt;br /&gt;&lt;br /&gt;While some might argue this is an unfortunate collection of unrelated incidents, I would seriously doubt it. With no intent of being harsh with TSA, this comedy of errors is an indication of how security is perceived at TSA. &lt;br /&gt;&lt;br /&gt;Starting point:&lt;br /&gt;It will never happen to us! (Therefore no real controls, procedures or C-level directives are necessary)&lt;br /&gt;&lt;br /&gt;Post incident #1:&lt;br /&gt;Oops, it did happen. Ok, it will never happen to us AGAIN! (Must be a random statistical glitch, our current strategy is proving itself!)&lt;br /&gt;&lt;br /&gt;Post incident #2:&lt;br /&gt;Not again, no way! (Hmmm, at least we placed on each page of the manual the following: NO PART OF THIS RECORD MAY BE DISCLOSED TO PERSONS WITHOUT A 'NEED TO KNOW.')&lt;br /&gt;&lt;br /&gt;Post incident #3:&lt;br /&gt;Doh! Let’s bring in a data breach response services company to clean out the mess (&lt;a href="http://bit.ly/c0loLq"&gt;http://bit.ly/c0loLq&lt;/a&gt;). (Addressing the collateral damage is probably going to solve the problem!)&lt;br /&gt;&lt;br /&gt;Most of these types of incidents can be addressed today with existing controls. 
These are not operator errors, but a depressing example of the overall organizational/C-level failure to enact security policies (many of which are seemingly common procedures) that secure data and protect sensitive assets.&lt;br /&gt;&lt;br /&gt;If C-level execs don’t get it they can simply view it as an insurance policy (ensuring bad things don’t happen). People get an insurance policy not because they plan to use it on a daily basis, but mainly because if something happens it can be substantial.&lt;br /&gt;&lt;br /&gt;Another way to look at the statistics is that organizations play a game of Russian roulette, assuming it will not happen to them (there is only one bullet and five empty chambers). &lt;br /&gt;&lt;br /&gt;In the case of TSA - it looks like the cylinder is practically full…&lt;br /&gt;&lt;br /&gt;Today I was riding with the four horsemen of the apocalypse, so I’ll finish with a positive tone:&lt;br /&gt;Spring is here, happy (belated) equinox (&lt;a href="http://bit.ly/2qHKU1"&gt;http://bit.ly/2qHKU1&lt;/a&gt;)!</content><link rel='replies' type='application/atom+xml' href='http://shlomidinoor.blogspot.com/feeds/6495693935658228008/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://shlomidinoor.blogspot.com/2010/03/tsa-plays-russian-roulette-yet-again.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/6495693935658228008'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/6495693935658228008'/><link rel='alternate' type='text/html' href='http://shlomidinoor.blogspot.com/2010/03/tsa-plays-russian-roulette-yet-again.html' title='TSA plays 
Russian roulette, yet again…'/><author><name>Shlomi Dinoor</name><uri>http://www.blogger.com/profile/15810123660024115550</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://1.bp.blogspot.com/_GlfI8n8nses/S1YknccjJyI/AAAAAAAAACs/y1J1jH6sk1I/S220/SD.PNG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3428659345510666362.post-6892523522743544155</id><published>2010-03-12T16:15:00.001-05:00</published><updated>2010-03-12T16:17:27.181-05:00</updated><title type='text'>Brain dump</title><content type='html'>Last week I participated in the RSA conference representing Cyber-Ark. It turned out to be a pretty busy week (your sympathy is appreciated). &lt;br /&gt;&lt;br /&gt;This week, as a slightly different exercise, we will switch roles (let’s call it an un-blog post). Instead of me describing my insights, I will provide some raw data from the conference in the form of a brain dump. If any of this makes any sense to you please comment or ping me with your insights.&lt;br /&gt;&lt;br /&gt;As with any brain dump - no order, priority or importance, just a partial list of raw numbers/”facts”:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Server virtualization penetration in the enterprise is estimated at 25%&lt;/li&gt;&lt;li&gt;6% of ID theft comes from password guessing&lt;/li&gt;&lt;li&gt;IT spends 2/3 of its budget on maintenance&lt;/li&gt;&lt;li&gt;CIO survey – for 51% security is the greatest concern surrounding cloud computing adoption&lt;/li&gt;&lt;li&gt;Information growth - 60% per year&lt;/li&gt;&lt;li&gt;1B mobile devices will be accessing the internet by the end of the year&lt;/li&gt;&lt;li&gt;Survey of 2,100 companies (CIO, IT, CSO, etc.):&lt;ul&gt;&lt;li&gt;Over the last 12 months 75% experienced a cyber attack&lt;/li&gt;&lt;li&gt;100% experienced cyber loss in 2009&lt;/li&gt;&lt;li&gt;Top 3 stolen “items”:&lt;ol&gt;&lt;li&gt;Theft of IP&lt;/li&gt;&lt;li&gt;Financial/credit card data&lt;/li&gt;&lt;li&gt;Customer PII&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;li&gt;During 2008 – 1.6M signatures (like the previous 17 years combined)&lt;/li&gt;&lt;li&gt;During 2009 – 2.9M signatures&lt;/li&gt;&lt;li&gt;Customers said that of their entire data only 1% matters&lt;/li&gt;&lt;li&gt;40% of employees’ private machines access work resources&lt;/li&gt;&lt;li&gt;10% of private machines are the primary working machine&lt;/li&gt;&lt;li&gt;Some organizations promote personal devices for work (subsidize)&lt;/li&gt;&lt;li&gt;Per Gartner – organizations can save 9-40% on equipment cost&lt;/li&gt;&lt;li&gt;Data breach - average loss per record is $204&lt;/li&gt;&lt;li&gt;Data breach - average loss per incident is $6.75M&lt;/li&gt;&lt;li&gt;70% of physicians are afraid to place customer data in the cloud&lt;/li&gt;&lt;li&gt;56% of the malware written today is designed to steal data&lt;/li&gt;&lt;li&gt;42% of data breaches involve a 3rd party (service provider, consultant, etc.)&lt;/li&gt;&lt;li&gt;Since 2008 there are more mobile devices accessing the internet than “fixed” devices&lt;/li&gt;&lt;li&gt;By the end of 2011 
there will be 5B users out of 6.8B people in the world… &lt;/li&gt;&lt;li&gt;Projected data traffic increased 2009-2014 is by 3900%&lt;/li&gt;&lt;li&gt;Videos will be 66% of mobile traffic by 2013&lt;/li&gt;&lt;li&gt;Organization leveraging Amazon cloud services usually have one super admin account to purchase and manage their infrastructure:&lt;/li&gt;&lt;/ul&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; - It is a shared account&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; - It is a standard Amazon account and can be used to purchase books or anything else…&lt;br /&gt;&lt;br /&gt;&lt;div&gt;As an epilogue to get your CPU working a quote by Marc Benioff:&lt;/div&gt;&lt;em&gt;“Why isn’t all enterprise software like Facebook?” It was the next iteration of the question he asked in 1999 (that spawned salesforce.com), “Why isn’t all enterprise software like Amazon.com.”&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3428659345510666362-6892523522743544155?l=shlomidinoor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://shlomidinoor.blogspot.com/feeds/6892523522743544155/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://shlomidinoor.blogspot.com/2010/03/brain-dump.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/6892523522743544155'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/6892523522743544155'/><link rel='alternate' type='text/html' href='http://shlomidinoor.blogspot.com/2010/03/brain-dump.html' title='Brain dump'/><author><name>Shlomi 
Dinoor</name><uri>http://www.blogger.com/profile/15810123660024115550</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://1.bp.blogspot.com/_GlfI8n8nses/S1YknccjJyI/AAAAAAAAACs/y1J1jH6sk1I/S220/SD.PNG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3428659345510666362.post-4279943300711527020</id><published>2010-02-26T21:22:00.002-05:00</published><updated>2010-03-31T13:35:28.671-04:00</updated><title type='text'>No Internet or Laptop for you!</title><content type='html'>A couple of weeks ago I blabbered about a &lt;a href="http://shlomidinoor.blogspot.com/2010/02/world-with-no-it-resources-should.html"&gt;world with no IT resources&lt;/a&gt;. Since then I have had a chance to discuss it with friends, especially the end device ownership part, and thought it is interesting enough to share with others.&lt;br /&gt;&lt;br /&gt;During the 15th century the feudal system was very common in Europe. The lucky ones played the role of lords and “life was good”; for the rest (vassals) the story was slightly different…&lt;br /&gt;Let’s look at the employee-employer relationship back then. A common “compensation” package a vassal could expect would include a very small component of “salary” and a relatively large component of benefits consisting of food, clothing, housing, security, and possibly heritage rights. In return the lords practically “owned” them.&lt;br /&gt;Therefore the equation was: you (the vassal) will work your butt off for me (the lord), and in return I’ll give you everything you need to barely live plus some change.&lt;br /&gt;&lt;br /&gt;Through the years the salary portion gradually grew while the benefit component went down.&lt;br /&gt;&lt;br /&gt;Looking at today’s common compensation package, it includes a large component of salary and a relatively small component of benefits. Food, clothing, housing, security, heritage rights? Are you kidding me? &lt;br /&gt;&lt;br /&gt;This trend continues and will affect the “end device ownership” dilemma previously discussed. &lt;br /&gt;&lt;br /&gt;Companies already take it for granted that consumer employees will have internet access at home, so they are capable of continuing to work (if needed). Now who pays for the internet, electricity, etc.?&lt;br /&gt;End devices are next in line (cell phone, laptop, tablet, etc.). Surprisingly, we have an unusual case of common interest. Most consumer employees will be happy using their own device for both home and work activities. We already see today some companies funding the purchase of personal devices for work. &lt;br /&gt;Just as you are expected to show up to work dressed, employers will mandate end devices capable of doing your work. The good news is that as most/all of the computing will happen in backend systems (virtual desktop solutions), the requirements for your device are going to be pretty basic. &lt;br /&gt;&lt;br /&gt;If we look at the futuristic equation (right around the corner), the employer (i.e. the lords) will give you (the consumer employee) a salary only, and in return you’ll be responsible for everything needed to do your work (and obviously for the work itself).&lt;br /&gt;&lt;br /&gt;Next week is RSA conference week, therefore no post for you (but many sessions, meetings and dinners for me).&lt;br /&gt;See you in a couple of weeks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3428659345510666362-4279943300711527020?l=shlomidinoor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://shlomidinoor.blogspot.com/feeds/4279943300711527020/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://shlomidinoor.blogspot.com/2010/02/no-internet-or-laptop-for-you.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/4279943300711527020'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/4279943300711527020'/><link rel='alternate' type='text/html' href='http://shlomidinoor.blogspot.com/2010/02/no-internet-or-laptop-for-you.html' title='No Internet or Laptop for you!'/><author><name>Shlomi Dinoor</name><uri>http://www.blogger.com/profile/15810123660024115550</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://1.bp.blogspot.com/_GlfI8n8nses/S1YknccjJyI/AAAAAAAAACs/y1J1jH6sk1I/S220/SD.PNG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3428659345510666362.post-8531687688711862435</id><published>2010-02-17T14:09:00.002-05:00</published><updated>2010-02-17T14:12:32.041-05:00</updated><title type='text'>There is an App (war) for that</title><content type='html'>Once upon a time, many, many years ago, Apple lost the OS (Operating System) battle (at 
least the first round). Some believe the main reason was Microsoft’s smart platform play. The Redmond giant bet on building an open OS, not open source but rather a set of robust, easy to use, well documented, supported APIs. They figured out early in the game the simple ‘law of nature’ – ease of creating applications causes more applications to be created, which adds value to the underlying platform (OS), resulting in more money for the OS vendor (which is … Microsoft of course).&lt;br /&gt;&lt;br /&gt;&amp;lt; Side comment - today, in the era of Cloud Computing, Microsoft is betting again on the platform, through their Azure offering.&amp;gt;&lt;br /&gt;&lt;br /&gt;Fast forward to early 2008 (if I got it right), Apple launched the AppStore (less than a year after launching the iPhone). Well, it seems Steve Jobs had done his homework. He created an ‘open’ platform (iPhone OS) and invested in/promoted the AppStore concept (more than 150k apps and counting). &lt;br /&gt;&lt;br /&gt;Apple in the role of Microsoft? Doh!&lt;br /&gt;&lt;br /&gt;A different school of thought claims that what Microsoft did to the Mac, Google is now doing to the iPhone/AppStore. Apple still has a one HW-one SW strategy; as far as they’re concerned apps can only run on their HW. Google is making friends with many HW vendors and their Android OS/apps can run on a slew of devices. While Google only has to focus on the SW, Apple needs to be best on both fronts (HW &amp;amp; SW) in order to continue dominating the market.&lt;br /&gt;&lt;br /&gt;Though I am a history fan, why do I open with a history lesson?&lt;br /&gt;&lt;br /&gt;News from early this week: ‘Biggest mobile operators join forces on app store project’. It was all over the media (e.g. &lt;a href="http://tiny.cc/ktgxp"&gt;http://tiny.cc/ktgxp&lt;/a&gt;). Should we assume the battle over apps has just begun? &lt;br /&gt;&lt;br /&gt;Of course not! This battle is as old as operating systems. Mostly it has been the OS owners fighting for position (Microsoft, Apple, Google, etc.), however occasionally others get greedy (given the size of the turf). It is easier to make money selling services/apps in the mobile space, mainly because users are used to paying extra for extra. PC consumers expect everything to be provided as a service (over the internet) and for free. When was the last time you paid for services/apps?&lt;br /&gt;&lt;br /&gt;While these 24 carriers claim their motivation is pure - ‘developers will be able to go to one place to get their applications distributed instead of having to go through multiple application approval processes’ (yeah right…), it is clear they are after a piece of the action. Apple’s AppStore and Google's Android Market are being challenged by mobile network operators (per the article).&lt;br /&gt;&lt;br /&gt;Apple’s AppStore, Google's Android Market and the recent initiative (by mobile network operators) are all about consumer apps, but what about the enterprise?&lt;br /&gt;&lt;br /&gt;If I’m an enterprise that bought into Apple’s vision and is seeking to provide customized (business) apps for my staff, how do I achieve it? How can I enable the iPhone in a similar fashion to laptops? I just want to have my own app catalogue (similar to my software catalogue solution).&lt;br /&gt;&lt;br /&gt;Is it time for a ‘private app store’ for the enterprise, unlike the ‘public app stores’ previously discussed? &lt;br /&gt;&lt;br /&gt;Well, the first signs are here: ‘Google to open app store for business software’ (&lt;a href="http://tiny.cc/W5Hwc"&gt;http://tiny.cc/W5Hwc&lt;/a&gt;). Sounds like the right direction, doesn’t it? Despite the promising title it is actually not really what I was looking for. It is mainly a marketplace for business applications focusing (as a first step) on Google Apps (rather than Android Market).&lt;br /&gt;&lt;br /&gt;As for enterprise app store solutions, the Apples/Googles of the world will probably approach it as an extension of their consumer solutions. This will leave the door wide open for security vendors to address questions such as access control, application governance, etc.&lt;br /&gt;&lt;br /&gt;So do we have an App (store) for that?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3428659345510666362-8531687688711862435?l=shlomidinoor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://shlomidinoor.blogspot.com/feeds/8531687688711862435/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://shlomidinoor.blogspot.com/2010/02/there-is-app-war-for-that.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/8531687688711862435'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/8531687688711862435'/><link rel='alternate' type='text/html' href='http://shlomidinoor.blogspot.com/2010/02/there-is-app-war-for-that.html' title='There is an App (war) for that'/><author><name>Shlomi Dinoor</name><uri>http://www.blogger.com/profile/15810123660024115550</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://1.bp.blogspot.com/_GlfI8n8nses/S1YknccjJyI/AAAAAAAAACs/y1J1jH6sk1I/S220/SD.PNG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3428659345510666362.post-2054275791410067530</id><published>2010-02-09T09:33:00.002-05:00</published><updated>2010-03-31T13:38:39.931-04:00</updated><title type='text'>A world with no 
IT Resources – Should Admins get nervous?</title><content type='html'>The reality of organizations’ IT resources (starting with SMBs) as we know it is about to change dramatically. The Cloud movement, along with the new “Consumer employee” phenomenon (&lt;a href="http://shlomidinoor.blogspot.com/2010/01/we-are-all-consumer-employees.html"&gt;employee by day, consumer at night&lt;/a&gt;), drives organizations to reduce ownership of IT resources. Eventually they will be IT-resource free.&lt;br /&gt;&lt;br /&gt;How is it going to work (most of the technology is already available)? &lt;br /&gt;&lt;br /&gt;1. Server infrastructure&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; The entire server infrastructure will run in the cloud (pick your favorite vendor)&lt;br /&gt;&lt;br /&gt;2. Employees’ workspace&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Desktop virtualization will run on the cloud server infrastructure &lt;br /&gt;&lt;br /&gt;3. Applications&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; SaaS where possible, else application virtualization on top of the cloud server infrastructure&lt;br /&gt;&lt;br /&gt;4. Desktop/Laptop/endpoint device&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; That’s where things become interesting. Since your workspace is virtualized, all that is needed is a device with basic capabilities to connect (e.g. a browser). Now if the “consumer employee” prefers using his own cool/customized/private/latest/greatest device anyway, why should the organization buy an extra one? Instead, every several years (e.g. 3Y) the organization will grant each employee an allowance (e.g. $3k) to purchase a personal device (desktop, laptop, netbook, tablet, etc.). While I think the real revolution is going to happen around device ownership, I will leave this topic to my next post (stay tuned).&lt;br /&gt;&lt;br /&gt;Information protection is going to become key in the described setup. As data will reside elsewhere (in the cloud or on personal devices), controlling who can access it, who has accessed it and where it is are going to be critical capabilities for future security solutions. Think about asset management and even identity management in this hybrid world…&lt;br /&gt;&lt;br /&gt;I’m no prophet by any means, but the day is coming and we had better accept (even embrace, God forbid) the changing landscape and start preparing. &lt;br /&gt;&lt;br /&gt;Now regarding my opening question (should IT personnel become nervous in this world with no IT resources) - of course not! Their current role will change/expand: rather than spending most of their time deep in the infrastructure (such as AD configuration/administration), they will be instrumental in this virtual/cloudy infrastructure. Vendor selection and ongoing benchmarking will occupy a greater portion of their time.&lt;br /&gt;&lt;br /&gt;Are you convinced by now? I must be missing something and would be happy to hear your take.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3428659345510666362-2054275791410067530?l=shlomidinoor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://shlomidinoor.blogspot.com/feeds/2054275791410067530/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://shlomidinoor.blogspot.com/2010/02/world-with-no-it-resources-should.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/2054275791410067530'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/2054275791410067530'/><link rel='alternate' type='text/html' href='http://shlomidinoor.blogspot.com/2010/02/world-with-no-it-resources-should.html' title='A world with no IT Resources – Should Admins get 
nervous?'/><author><name>Shlomi Dinoor</name><uri>http://www.blogger.com/profile/15810123660024115550</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://1.bp.blogspot.com/_GlfI8n8nses/S1YknccjJyI/AAAAAAAAACs/y1J1jH6sk1I/S220/SD.PNG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3428659345510666362.post-422785907557949682</id><published>2010-02-02T11:39:00.000-05:00</published><updated>2010-02-02T11:39:16.464-05:00</updated><title type='text'>If you have the same problem for a long time, maybe it is a fact not a problem…</title><content type='html'>Recently the topic of weak passwords (= hacking made easy) has reared its ugly head once again.&lt;br /&gt;You are probably mumbling now – please don’t let it be yet another password related post; we already know our passwords are weak, hackers can (and will) share our identity and we are all going to die…&lt;br /&gt;&lt;br /&gt;Unfortunately I could not resist.&lt;br /&gt;&lt;br /&gt;&lt;div align="center"&gt;&lt;a href="http://4.bp.blogspot.com/_GlfI8n8nses/S2hU9I9VflI/AAAAAAAAADU/nKI1w6brZ_8/s1600-h/dilbert-password.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="138" kt="true" src="http://4.bp.blogspot.com/_GlfI8n8nses/S2hU9I9VflI/AAAAAAAAADU/nKI1w6brZ_8/s400/dilbert-password.gif" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;As long as users are responsible for creating their own passwords, it will not matter how high the security walls are built. Let’s face it - we all want the ultimate user experience: just let me use the service without the entire authentication mumbo jumbo. When it comes to passwords, most of us create simple passwords, don’t change them at all, and use similar passwords for all our accounts (where possible). And BTW – since forgetting passwords is a hassle we tend to conveniently write them on a piece of paper or simply save them in a file on our computer (the sophisticated among us might even “hide it” by not placing it on the desktop).&lt;br /&gt;&lt;br /&gt;Through the years many vendors have attempted to tackle this issue, introducing a slew of solutions - secret questions, images, graphics, second passwords, and the list goes on and on. These are all just sophisticated passwords (password 1.0, password 2.0 or password 3.0), still subject to the user’s will/motivation.&lt;br /&gt;&lt;br /&gt;Security experts in the audience will explain that regardless of password strength or rotation frequency, hackers will manage to break them. Terms such as session hijacking or Man-in-the-middle will be used to further scare us. I must admit it is all true, however with so many identities out there you simply need to be slightly better than your neighbors to postpone destiny (like the well known joke about two friends, a jungle, a hungry lion and a pair of running shoes). In addition, a large customer recently confessed that changing passwords every 90 days addressed a very large portion of their identity problems. Today I read that Twitter asks users to reset passwords after a possible phishing attack (http://tinyurl.com/yhmn9y8).&lt;br /&gt;&lt;br /&gt;So why do we consistently write about it for years and years? Is it because there is no solution to the problem? Because it keeps changing on us? Because the solutions provided by vendors are not valid anymore?&lt;br /&gt;Well, as I have already stated, the root cause of this problem is us, the (lazy) users. Once this parameter changes the problem will simply go away (flying angels playing harps, rainbow in the background).&lt;br /&gt;&lt;br /&gt;A quick recap: &lt;br /&gt;Problem – weak passwords = hacking made easy&lt;br /&gt;Root cause – us, the (lazy) users&lt;br /&gt;Solution – replace us, the (lazy) users&lt;br /&gt;Problem solved, moving on!&lt;br /&gt;&lt;br /&gt;How can we replace us, the (lazy) users, in a process intended to authenticate us (the …)?&lt;br /&gt;While there are many solutions out there strengthening user authentication (e.g. out of band), I’ll mention two ways to better manage authentication: &lt;br /&gt;1. Software replaces users – software manages the entire authentication process, including password generation (a non-lazy program will ensure password strength), maintenance (frequent changes) and seamless login. Implemented right, this will address the challenges previously described and improve security while reducing the hassle. &lt;br /&gt;2. Behavioral characteristics – base authentication on the user’s behavioral characteristics/patterns, rather than parameters subject to his will. Answer the question “who he is” (I’m not referring to physical aspects such as fingerprints) rather than “what he knows”.&lt;br /&gt;&lt;br /&gt;Consumers are mainly concerned with their own identity. For the enterprise the problem is a hairy one. Organizations measure everything through the “risk lens” (and they should), therefore not all identities are born equal. While most identities are associated with “real” employees, some, such as shared administrative accounts, are not tied to any particular “real” identity. The paradox is that while the number of these accounts is relatively small, the risk associated with their capabilities is huge.&lt;br /&gt;Recently we’ve heard of a financial services company whose poor password management controls for shared administrative accounts resulted in a data breach affecting 1.2 million of their customers. The realization of this challenge contributed greatly to the spike in PIM (Privileged Identity Management).&lt;br /&gt;&lt;br /&gt;My recommendation for organizations is: “worry when you should worry, don’t worry when you should not worry”. Brilliant, isn’t it? A more professional way to put it would be: your security controls should be proportional to the risk. While providing better password management capabilities and controls for the entire organization has value, you lose focus on your priorities. Focus means better controls, in a timely manner, for the high risk accounts.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3428659345510666362-422785907557949682?l=shlomidinoor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://shlomidinoor.blogspot.com/feeds/422785907557949682/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://shlomidinoor.blogspot.com/2010/02/if-you-have-same-problem-for-long-time.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/422785907557949682'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/422785907557949682'/><link rel='alternate' type='text/html' href='http://shlomidinoor.blogspot.com/2010/02/if-you-have-same-problem-for-long-time.html' title='If you have the same problem for a long time, maybe it is a fact not a problem…'/><author><name>Shlomi Dinoor</name><uri>http://www.blogger.com/profile/15810123660024115550</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://1.bp.blogspot.com/_GlfI8n8nses/S1YknccjJyI/AAAAAAAAACs/y1J1jH6sk1I/S220/SD.PNG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://4.bp.blogspot.com/_GlfI8n8nses/S2hU9I9VflI/AAAAAAAAADU/nKI1w6brZ_8/s72-c/dilbert-password.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3428659345510666362.post-8433642506873305639</id><published>2010-01-26T09:58:00.001-05:00</published><updated>2010-01-26T10:01:15.060-05:00</updated><title type='text'>Please stay alive while we upgrade the software</title><content type='html'>An unbelievable, yet true story:&lt;br /&gt;&lt;br /&gt;A family member was going through a severe medical situation requiring a daily life saving treatment. Treatment took place at the hospital using an expensive medical device. After two weeks of therapy he was asked to skip the next couple of days of treatment. Sounds a bit strange given that it was a life saving procedure, doesn’t it? Confused, he inquired about the nature of his doctor’s request and was told that the device would be down for two days due to a &lt;strong&gt;software upgrade&lt;/strong&gt; (of the equipment).&lt;br /&gt;&lt;br /&gt;Can you believe it? Critical (life saving) medical infrastructure is down for days due to a software upgrade!? It must be a bad joke…&lt;br /&gt;&lt;br /&gt;This story is an indication of the criticality of software applications in our lives. Recently there was a big discussion about the impact of a cyber terror attack knocking down the internet. Without getting into a lengthy debate, I feel we are past the turning point. Software has become a critical part of our lives, especially with regard to some commercial/enterprise applications. Based on the story above it can even be a life saving medicine.&lt;br /&gt;&lt;br /&gt;Despite the importance of software, in many cases the overall quality of the package is lacking. We have all heard the stories about vendor lock-in and the challenges some customers have with upgrading commercial software (as well as enterprise software). It always looks like install and upgrade are an afterthought rather than a core capability (a similar phenomenon exists with security and even management capabilities). Occasionally the approach is &lt;em&gt;“once it is up and running - you will get all this great functionality…”&lt;/em&gt; This phenomenon is much more common with large software vendors with stronger leverage (i.e. bargaining power) over their customer base.&lt;br /&gt;&lt;br /&gt;So how can we align quality with criticality to improve this situation?&lt;br /&gt;&lt;br /&gt;A major benefit SaaS vendors bring to the market has to do with their state of mind as companies. Despite the common perception of SaaS companies as software companies, they are not. SaaS companies are actually SERVICES companies, which happen to develop/market/sell a product. Their state of mind is that of a services organization. A CEO of such a company recently told me: &lt;em&gt;“if the service we provide is not good enough, we can (and will) be fired every day”&lt;/em&gt;. This refreshing perception of the role of software applications (and software providers) keeps these companies close to (and dependent on) their customers and might be the panacea for the quality (or lack thereof) delivered. I believe it might even have a positive impact on more traditional software vendors.&lt;br /&gt;&lt;br /&gt;So if you are a software vendor, keep in mind the “services state of mind”. But most importantly – stay healthy!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3428659345510666362-8433642506873305639?l=shlomidinoor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://shlomidinoor.blogspot.com/feeds/8433642506873305639/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://shlomidinoor.blogspot.com/2010/01/please-stay-alive-while-we-upgrade.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/8433642506873305639'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/8433642506873305639'/><link rel='alternate' type='text/html' href='http://shlomidinoor.blogspot.com/2010/01/please-stay-alive-while-we-upgrade.html' title='Please stay alive while we upgrade the software'/><author><name>Shlomi Dinoor</name><uri>http://www.blogger.com/profile/15810123660024115550</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://1.bp.blogspot.com/_GlfI8n8nses/S1YknccjJyI/AAAAAAAAACs/y1J1jH6sk1I/S220/SD.PNG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3428659345510666362.post-883306778035299193</id><published>2010-01-19T17:33:00.004-05:00</published><updated>2010-01-22T17:43:13.138-05:00</updated><title type='text'>We are all Consumer Employees</title><content type='html'>Like many others I anxiously await Apple’s latest iPad/iSlate/iTablet/i(“Apple’s new Tablet which is going to change our lives and blow away the competition”), one more week to the announcement (most likely).&lt;br /&gt;&lt;br /&gt;A quick disclaimer - I love Apple technologies. My household members are proud owners of several iPods, an iMac and a MacBook. 
If it was not for AT&amp;T I would have an iPhone... I have even invested in Apple’s stock.&lt;br /&gt;&lt;br /&gt;Unlike the iPhone revolution, this time the competition is not planning to be caught off guard, playing to the hands of Apple. Thinking they understand Apple direction, everyone (Google/HTC, Sony, Microsoft, Dell, HP, Nokia, Motorola, ASUS, etc.) is rushing to release a tablet message to the market followed by what seem at times pre-mature products. Eventually Apple will release their hyped device taking the market by storm…&lt;br /&gt;&lt;br /&gt;Though a gadget freak, I wonder, what does the new tablet era have to do with the title of this post?&lt;br /&gt;Well, there is an interesting phenomenon we are experiencing. Enterprise infrastructure has opened up to support remote access of employees (travel, home, remote office, etc.). In addition, mobile devices have become more powerful and many of us are getting these devices for their personal use. &lt;br /&gt;Now is the time to introduce a term I’ll be using quite often I believe in my posts - “consumer employee.” In this era the line between employees and consumers is very blurry as most of us are employees at day and consumers at night. We are going to continue purchasing (and thinking) as consumers while demanding open connection to our work environment, as employees.   &lt;br /&gt;You don’t need to be genius to connect the dots. If you (a consumer employee) had a personal fancy/cool yet powerful device (e.g. iPhone) wouldn’t you want to use it to access your work environment (e.g. email)? &lt;br /&gt;This plays nicely to Apple’s brilliant strategy. They found the secret sauce to eventually master the enterprise mobile world. Instead of battling head to head from day one with the enterprise SW/HW vendors they came up with a different approach. &lt;br /&gt;Apple’s strategy is very simple:&lt;br /&gt;1. Create a cool device with a relatively small number of really great features (e.g. 
iPhone)&lt;br /&gt;2. Sell this device to consumers and dominate (not in number but in hype) the market&lt;br /&gt;3. Add the necessary capabilities (again small number of features) for enterprise use (e.g. Exchange integration)&lt;br /&gt;4. Leverage the satisfied/hyped customer base to create a reverse pressure from inside the enterprise (i.e. “we want to use these devices to connect to our working environment”)&lt;br /&gt;5. IT/Security will try to push back but eventually will have to compromise and support these devices&lt;br /&gt;&lt;br /&gt;The consumer employee phenomenon is not limited to mobile devices, they also want to use social networks and other “always connected” consumer mediums during the day time when they act as employees. These new challenges are not limited to security and have to be addressed. By the way many of the IT guys responsible to watch the milk are by themselves geeky consumers (and I mean it as a positive virtue).&lt;br /&gt;&lt;br /&gt;Am I missing something? Are you convinced by now? 
I’ll be happy to hear your take.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3428659345510666362-883306778035299193?l=shlomidinoor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://shlomidinoor.blogspot.com/feeds/883306778035299193/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://shlomidinoor.blogspot.com/2010/01/we-are-all-consumer-employees.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/883306778035299193'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/883306778035299193'/><link rel='alternate' type='text/html' href='http://shlomidinoor.blogspot.com/2010/01/we-are-all-consumer-employees.html' title='We are all Consumer Employees'/><author><name>Shlomi Dinoor</name><uri>http://www.blogger.com/profile/15810123660024115550</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://1.bp.blogspot.com/_GlfI8n8nses/S1YknccjJyI/AAAAAAAAACs/y1J1jH6sk1I/S220/SD.PNG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3428659345510666362.post-9163438712712475276</id><published>2010-01-19T16:27:00.002-05:00</published><updated>2010-01-20T14:01:43.699-05:00</updated><title type='text'>Taking the plunge</title><content type='html'>I have finally decided to take the plunge and write my own blog, where I can blabber about everything, especially technology and how it impacts life. 
Since my day job revolves around information security (and has for quite some time), as a bonus I will from time to time provide my security takeaways.&lt;br /&gt;I plan to enjoy the ride, and hopefully you will as well.&lt;br /&gt;&lt;br /&gt;Without delay – let the games begin!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3428659345510666362-9163438712712475276?l=shlomidinoor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://shlomidinoor.blogspot.com/feeds/9163438712712475276/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://shlomidinoor.blogspot.com/2010/01/taking-plunge.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/9163438712712475276'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3428659345510666362/posts/default/9163438712712475276'/><link rel='alternate' type='text/html' href='http://shlomidinoor.blogspot.com/2010/01/taking-plunge.html' title='Taking the plunge'/><author><name>Shlomi Dinoor</name><uri>http://www.blogger.com/profile/15810123660024115550</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://1.bp.blogspot.com/_GlfI8n8nses/S1YknccjJyI/AAAAAAAAACs/y1J1jH6sk1I/S220/SD.PNG'/></author><thr:total>1</thr:total></entry></feed>
