Tag Archives: security policy

The China/Google thing, accountants and other miscreants

Aha! Can’t believe I managed to avoid the unbelievable hype flood that swept across the interwebs in the last month. And to think that the last post (long overdue, I know… had REALLY good reasons for not being able to post anything) was somewhat oracleish in predicting that this would be the focus of this year.

Just to set the stage right – we are at a point where I just saw a USA Today “Money” section front page article on how Google’s engagement with the NSA post the breach will affect the security vendor market, and a few VCs were also quoted to the fact that we will be seeing IPOs this year that will ride this trend.

Overhyped – definitely. Real – just as it’s overhyped. You must be asking then what to do? If the hype is too much, then there must not be so much behind these scary global cyberwar threats! Not exactly – the threat exists, and countries do deal with making sure they have an edge over everyone else (see how I didn’t use adversaries… hint, hint 😉 ), but at the same time this has been happening for years now.

The news here is somewhat lukewarm when compared to the hype. The news is that it is becoming common knowledge that companies tend to miserably fail when keeping their own intellectual and informational assets under wraps. The news is that even the “do no evil” Google(tm) have their own share of problem using old(tm) (or should I say pathetically insecure?) software inside the Googleplex.

But let’s dig a little deeper past the hype – have anyone heard of the fourty-something other “big” companies that were affected? have anyone heard of the thousands of companies that deal with data of sensitive nature (whether they know it or not) that also have a big job ahead of them dodging the flak from their local government trying to make sure the exposure is somewhat lessened? Probably not.

I’ve have the questionable pleasure of assisting some of these entities – which have anywhere between loose and close ties to local and federal government (either providing data at will, or being relied on for compiling national threat level information at varying level of the threat modeling). Without getting into any specific details I can truly say that I was simply disappointed. A lot of good people trying to do good things, but ev

entually (as always) a big fat failure due to some sideline error brings the whole security architecture down. Things as easy as applying service packs, eliminating use of old un-pached software (IE6 – are you still here? I think I to

ld you to get out and never come back again!) and just plain good-ole’ malpractice.

Without sounding too dreary (I’m sure the horrible weekend east-coast weather is doing that to me) we still have our work cut out for us. As long as people (non-security-industry ones) are ignorant regarding the implications of their actions in an all-connected world (nice evasion of “cyberworld”!), holes will be cut open in any modern security design – no matter how well it was thought to be, or how much money was thrown into it. With almost zero-cost, we managed to implement an “idiot-proof” system that would just stop these things from happening for one of the companies…

What can you do? remember how we were taught to plan for the worst – count people in that too. Your people. They may be the smartest guys in accounting, or marketing, or production, but in terms of information assurance they can be your worst enemy (no offense guys, but it’s just like that…).

Clouds, and the winds that blows them away…

You must have seen this coming – I was holding off from discussing cloud security for quite some time for a few good reasons, but now it’s time to take a look at where are we (or more correctly – are we there yet?).

First things first – the main reason for abstaining from the cloud security discussion was simply the lack of definition (and existence) of clouds… True – Amazon has provided the infrastructure to the first layers of building cloud solutions, but full-on “process-as-a-service” has yet to emerge from the different offerings that call themselves cloud. There has been enough ink (bits?) spilled over what really is  cloud computing and what it isn’t (you can check out Craig’s presentation, and Hoff’s view on things).

And now to my 2c on the subject at hand, I have been involved with a few cloud security companies in the past months and being able to lend a hand at the strategic level, I was exposed to several aspects of where are we now with cloud computing, where are the gaps that security firms will need to pitch in and provide basic protections, and a whole lot of marketing fuzz that needed to be thrown off in order to realize what’s out there.

To begin with, we had to sift through the marketing mambo-jumbo to get to the point – seems like the more expensive your marketing budget is, the farther away you get from reality in your message – too bad (and that’s coming from someone who turned a lot of technical material into marketing…). Hence the first point – blowing enough smoke to make everyone tear does not constitute for creating a cloud.

Point two – now that we to the bottom of the offering (and I’m not going to name names…), one usually realizes that it has either been out there for quite a while and has been wrapped in clouds to sell it better, or that someone has made some basic adaptations to an existing offering (see roaming users, VPN, scanning services) to cloudify it. Whatever is left that did not fit into the previous schemes is worth a second (or is it third by now) look.

Point three – what’s the market for your cloud offering? The last hurdle that all these new cloud companies face is choosing (or defining) a direction. Do you see yourself providing a solution for the end users? for businesses? for the cloud infrastructure providers? for providers of services/software/processes on the cloud? If you get an answer in the lines of “we basically provide a solution for all of them” – run! As each of the mentioned markets have different needs, and different views on their place in the cloud, you better get a solid answer for this. I strongly suggest reading the “Cloud Architecture” section written by Chris Hoff which is part of the Cloud Security Alliance’s “Guidance for Critical Areas of Focus” starting at page 15 in order to get an idea on the latter.

Now with most of the fluff away, and the offering at hand we can actually focus on whether it makes sense (business-wise), and where does security fit in. By no means this is going to be a guide for securing the cloud, but always remember the architectural model – from hypervisor, all the way through multi-tenanting, data abstraction and sharing, inter and outer process communication, and off to simple abuses of the cloud in the form of DDoS, Botnet tools, etc…

Hope this made some sense – if not I can only suggest reading some more material on it, and to play around with the current offerings from Amazon, Azure (MS), and Ubuntu (Canonical).

Drawing the line – securing an organization while thinking of users…

My latest post on the Israeli Insurance Association (http://www.igudbit.org.il/Index.asp?ArticleID=1235&CategoryID=98 [HEBREW]) discusses the challanges of managing risk in a complex organizational environment where you have to take into account end-users meddling with data.

In Israel, insurance agencies are not yet at the stage where they provide full access to insured parties online to their insurance and policy information, but should be getting ready to do so. Some of the considerations and implications of creating the infrastructure for such access is discussed in the article in light of the risk management requirements set forth by regulation for such organizations. Financial institutions have been facing the same issues for years now since online banking have become a standard so it’s a great opportunity to reexamine what policies are applicable and what technologies can be used to enforce them in a very similar environment.