<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[Security & Risk Management]]></title>
    <link>http://securityratty.com/feed/4f1d9428f096cb042fdefe60b5164ba3</link>
    <description></description>
    <pubDate>Thu, 24 Apr 2008 11:24:10 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[A Culture of Compliance]]></title>
      <link>http://securityratty.com/article/6117c5f2f3744f6336d6a64b32ac58f3</link>
      <guid>http://securityratty.com/article/6117c5f2f3744f6336d6a64b32ac58f3</guid>
      <description><![CDATA[For those of you that aren't familiar with it, Ethisphere is generally a great source for interesting news about corporate ethics violations, insider trading, bribery, fraud, and other embarrassing...]]></description>
      <content:encoded><![CDATA[<p>For those of you that aren’t familiar with it, <a href="http://ethisphere.com/">Ethisphere </a>is generally a great source for interesting news about corporate ethics violations, insider trading, bribery, fraud, and other embarrassing news stories. <a href="http://ethisphere.com/man-earns-nearly-47-million-for-not-firing-employees/">This recent article</a> has a much more pleasant ending than most, with a former general manager of a waste collection company earning nearly $47 million for obeying the law. After repeatedly refusing to fire three of his employees over the age of 60 despite ongoing pressure from his superiors, he was wrongfully terminated, according to the jury. Partly responsible for the large settlement were actions taken by his employers after he was terminated, including tampering with memos related to his performance review. The good-guy-comes-out-on-top stories are always nice to see. But <a href="http://www.irs.gov/compliance/article/0,,id=180171,00.html">while it may work for the IRS </a>(which reminds me, I have this colleague...) and the occasional waste collection company, most organizations can’t rely on the promise of riches to entice staff to behave appropriately and report wrongdoing. This quarter I will be writing a report on how compliance professionals work to create a culture of compliance and responsibility in their organizations. I have seen very interesting videos, training programs, and other awareness campaigns to drive the message home, and there are certainly examples of reward and punishment, but I’d like to hear from you as well... any good examples of how your company distributes or enforces policies, or maybe stories of a colleague who was singled out and embarrassed for not following the rules?</p>]]></content:encoded>
      <pubDate>Fri, 18 Jul 2008 10:12:01 +0000</pubDate>
      <category domain="http://securityratty.com/tag/compliance">compliance</category>
      <category domain="http://securityratty.com/tag/news stories">news stories</category>
      <category domain="http://securityratty.com/tag/news">news</category>
      <category domain="http://securityratty.com/tag/stories">stories</category>
      <category domain="http://securityratty.com/tag/compliance professionals">compliance professionals</category>
      <category domain="http://securityratty.com/tag/waste collection company">waste collection company</category>
      <category domain="http://securityratty.com/tag/recent article">recent article</category>
      <category domain="http://securityratty.com/tag/message home">message home</category>
      <category domain="http://securityratty.com/tag/examples">examples</category>
      <source url="http://blogs.forrester.com/srm/2008/07/a-culture-of-co.html">A Culture of Compliance</source>
    </item>
    <item>
      <title><![CDATA[Wireless as Fashion]]></title>
      <link>http://securityratty.com/article/d8fae85309ceead82498875148309760</link>
      <guid>http://securityratty.com/article/d8fae85309ceead82498875148309760</guid>
      <description><![CDATA[As a security guy, I've spent a lot of time thinking about the security ramifications of wireless connectivity. Wireless has evolved from a single protocol, 802.11b, to a veritable alphabet soup...]]></description>
      <content:encoded><![CDATA[<p>As a security guy, I’ve spent a lot of time thinking about the security ramifications of wireless connectivity.&nbsp; Wireless has evolved from a single protocol, 802.11b, to a veritable alphabet soup loosely defined as &quot;Mobility.&quot;&nbsp; We now have 11a/b/g and maybe n, Bluetooth, RFID, CDMA, Wi-Max, and a bunch of other stuff that all provides wireless access, often without even a thought of security.&nbsp; As people scramble to have the latest, coolest, most connected devices in the company, they are tossing security right out the window. </p>

<p>I once was working on a project to install a robust wireless network for a company.&nbsp; I asked the guy I was working with why they were doing it. This company had a general attitude of paranoia where security was concerned, so the drive to fast-track an expensive wireless network seemed out of place.&nbsp; It turns out, this company’s president had been playing golf with the president of another company.&nbsp; The president of the other company started bragging about his company’s new wireless network and how he could take his laptop anywhere in the building and get on the network.&nbsp; Embarrassed, the president came back to work and immediately told his IT staff to install a WLAN so that he would never again suffer such indignation.&nbsp; Halfway through the project, cooler heads pointed out to the president that since his company focused on critical infrastructure, the security risks of wireless were too great for them to bear.&nbsp; &nbsp;</p>

<p>This new push for mobility has created a hierarchy within companies.&nbsp; The important people get the coolest phones and PDAs.&nbsp; I once discovered a disturbing trend during a policy review related to mobile devices:&nbsp; when a new phone or PDA came out, a rash of dropped, damaged, and broken phones were turned into the person in charge of handing out mobile devices.&nbsp; Many &quot;accidentally&quot; fell into the toilet.&nbsp; Real money was being lost here, as employees jockeyed for status brought by the flashiest new phones.&nbsp; Yes, <a href="http://radar.oreilly.com/archives/2008/06/phone-in-the-toilet.html">this</a> does really happen. I guess I shouldn’t have been shocked by <a href="http://gizmodo.com/5021615/sony-ericsson-c702-toilet-test-is-gross-yet-intriguing">this</a>.&nbsp; The mobile phone folks figured it out long ago…</p>

<p><object height="344" width="425"><param value="http://www.youtube.com/v/5dlE6loF6Uo&amp;hl=en" name="movie" /><param value="transparent" name="wmode" /><embed height="344" width="425" wmode="transparent" type="application/x-shockwave-flash" src="http://www.youtube.com/v/5dlE6loF6Uo&amp;hl=en"></embed></object></p>]]></content:encoded>
      <pubDate>Mon, 14 Jul 2008 12:53:19 +0000</pubDate>
      <category domain="http://securityratty.com/tag/expensive wireless network">expensive wireless network</category>
      <category domain="http://securityratty.com/tag/wireless network">wireless network</category>
      <category domain="http://securityratty.com/tag/robust wireless network">robust wireless network</category>
      <category domain="http://securityratty.com/tag/wireless">wireless</category>
      <category domain="http://securityratty.com/tag/network">network</category>
      <category domain="http://securityratty.com/tag/wireless connectivity">wireless connectivity</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/wireless access">wireless access</category>
      <category domain="http://securityratty.com/tag/security guy">security guy</category>
      <source url="http://blogs.forrester.com/srm/2008/07/wireless-as-fas.html">Wireless as Fashion</source>
    </item>
    <item>
      <title><![CDATA[Power Outages Are A Major Risk That Most Companies Overlook]]></title>
      <link>http://securityratty.com/article/b24235544fb02ac0b71dbf39b267d95f</link>
      <guid>http://securityratty.com/article/b24235544fb02ac0b71dbf39b267d95f</guid>
      <description><![CDATA[TechCrunchIT reported today that a Rackspace data center went down for several hours during the evening due to a power grid failure. Because Rackspace is a managed service provider (MSP), the downtime...]]></description>
      <content:encoded><![CDATA[<p><img border="0" title="Stephanie Balaouras" alt="Stephanie Balaouras" src="http://www.forrester.com/role_based/images/author/imported/forresterDotCom/Analyst_Photos/Silhouette/Color/Stephanie-Balaouras.gif" style="margin: 0px 5px 5px 0px; float: left;" /></p>
<p><a href="http://www.techcrunchit.com/2008/07/10/rackspace-downtime-a-reminder-that-all-are-vulnerable/">TechCrunchIT</a> reported today that a <a href="http://www.rackspace.com/">Rackspace</a> data center went down for several hours during the evening due to a power grid failure. Because Rackspace is a managed service provider (MSP), the downtime affected several businesses hosted in the data center.</p>

<p>When companies think of disaster recovery and downtime, they typically think of catastrophic events such as hurricanes, tornadoes, and earthquakes. What companies don't realize is that the most common cause of downtime is power failures. In a <a href="http://www.forrester.com/Research/Document/0,7211,42949,00.html">joint study by Forrester Research and The Disaster Recovery Journal of 250 disaster recovery decision-makers and influencers, 42% of respondents indicated that a power failure was the cause of their most significant disaster declaration or major business disruption.</a> </p>

<p>To prevent power failures, businesses must ensure that they have multiple diverse connections to the power grid as well as install backup power generators and uninterruptible power supplies (UPS) at the data center. But it's not enough to have these preventative measures in place; businesses must test the ability to switch over to backup power at least twice a year. And if your business has a recovery data center, it's best if the recovery data center is on a different power grid and is also equipped with backup power generation.</p>

<p>But despite all these measures, failures might still happen. In the case of the Rackspace power failure, the company successfully failed over to its backup power generators, but some of its chillers did not start up correctly.</p>

<p>In North America, the risk of power failures is likely to remain high for the foreseeable future. According to a 2007 <a href="ftp://ftp.nerc.com/pub/sys/all_updl/docs/pubs/LTRA2007.pdf">report by the North American Electric Reliability Corporation (NERC), long-term capacity margins are still inadequate and significant investment in transmission is still required.</a></p>

<p>So businesses must not only invest in preventative measures such as backup power generators, they must think about where they locate their data centers. <a href="http://www.forrester.com/Research/Document/0,7211,44875,00.html">You must avoid areas that have clearly identified congestion issues and focus on areas that have access to cheap and abundant power.</a> And, don't take it for granted that your service provider has effectively managed the risk of power failures.</p>]]></content:encoded>
      <pubDate>Thu, 10 Jul 2008 13:31:34 +0000</pubDate>
      <category domain="http://securityratty.com/tag/prevent power failures">prevent power failures</category>
      <category domain="http://securityratty.com/tag/failures">failures</category>
      <category domain="http://securityratty.com/tag/data center">data center</category>
      <category domain="http://securityratty.com/tag/recovery data center">recovery data center</category>
      <category domain="http://securityratty.com/tag/backup power">backup power</category>
      <category domain="http://securityratty.com/tag/backup power generators">backup power generators</category>
      <category domain="http://securityratty.com/tag/power failures">power failures</category>
      <category domain="http://securityratty.com/tag/power failure">power failure</category>
      <category domain="http://securityratty.com/tag/rackspace power failure">rackspace power failure</category>
      <source url="http://blogs.forrester.com/srm/2008/07/power-outages-a.html">Power Outages Are A Major Risk That Most Companies Overlook</source>
    </item>
    <item>
      <title><![CDATA[Lessons learned from the massive SQL injection attacks against legacy Microsoft ASP apps ]]></title>
      <link>http://securityratty.com/article/ae1a12c2fbda777fdffc9aeff980c0bc</link>
      <guid>http://securityratty.com/article/ae1a12c2fbda777fdffc9aeff980c0bc</guid>
      <description><![CDATA[I am sure many of you are aware of the recent massive-scale SQL injection attacks targeting Microsoft ASP applications running on IIS. The latest report has the number of attacked sites at 500,000....]]></description>
      <content:encoded><![CDATA[<p><img border="0" src="http://www.forrester.com/role_based/images/author/imported/forresterDotCom/Analyst_Photos/Silhouette/Color/Chenxi-Wang.gif" alt="Chenxi Wang" title="Chenxi Wang" style="margin: 0px 5px 5px 0px; float: left;" /></p>

<p>I am sure many of you are aware of the recent massive-scale SQL injection attacks targeting Microsoft ASP applications running on IIS. The latest report has the number of attacked sites at 500,000. The press makes it sound like there is a new vulnerability in IIS or ASP. This could not be further from the truth. The reality is that the attacks are targeting Web applications where user input validation is not done (this is one of the fundamental security programming techniques). When a Web application does not validate its form input, it is opening itself up to code injection attacks, including SQL injection. Today, the security industry is doing a decent job of communicating the importance of input validation. But you'll still find many legacy Web applications that have these flaws. And this is exactly what happened here: the attackers (well, they are organized) are using Google to find old ASP pages that take user input, and are systematically going after these pages to perform SQL injection attacks. </p>

<p>If you have legacy Web applications, the best thing you can do is use HP's Scrawlr, a lightweight Web crawling and SQL injection detection tool, to detect your vulnerabilities. You can download Scrawlr here: </p>

<p><span style="color: #003366;"><a href="https://download.spidynamics.com/products/scrawlr/">https://download.spidynamics.com/products/scrawlr/</a></span>. </p>

<p>We'll be back with another edition of how important application security is to business today. Stay tuned.</p>]]></content:encoded>
      <pubDate>Tue, 08 Jul 2008 10:32:33 +0000</pubDate>
      <category domain="http://securityratty.com/tag/asp">asp</category>
      <category domain="http://securityratty.com/tag/attacks">attacks</category>
      <category domain="http://securityratty.com/tag/web applications">web applications</category>
      <category domain="http://securityratty.com/tag/legacy web applications">legacy web applications</category>
      <category domain="http://securityratty.com/tag/input validation">input validation</category>
      <category domain="http://securityratty.com/tag/user input validation">user input validation</category>
      <category domain="http://securityratty.com/tag/microsoft asp applications">microsoft asp applications</category>
      <category domain="http://securityratty.com/tag/user input">user input</category>
      <category domain="http://securityratty.com/tag/code injection attacks">code injection attacks</category>
      <source url="http://blogs.forrester.com/srm/2008/07/lessons-learned.html">Lessons learned from the massive SQL injection attacks against legacy Microsoft ASP apps </source>
    </item>
    <item>
      <title><![CDATA[IT-GRC: Who is and who is not]]></title>
      <link>http://securityratty.com/article/334f22d39f2b4f5ea64a4009ab96a4b7</link>
      <guid>http://securityratty.com/article/334f22d39f2b4f5ea64a4009ab96a4b7</guid>
      <description><![CDATA[A message for IT-GRC vendors: I am constantly bombarded by vendors touting &quot;I have an IT-GRC solution for you to look at!&quot; Since I cover the IT-GRC space, I naturally am interested. In many cases, my...]]></description>
      <content:encoded><![CDATA[<p>A message for IT-GRC vendors:&nbsp; I am constantly bombarded by vendors touting &quot;I have an IT-GRC solution for you to look at!&quot;&nbsp; Since I cover the IT-GRC space, I naturally am interested. In many cases, my interest quickly turns to disdain after the vendor product demo.&nbsp; Why?</p>

<p>Simply, most IT-GRC &quot;vendors&quot; are not IT-GRC vendors. An IT-GRC vendor, by our definition, automates the governance, risk, and compliance lifecycles to provide seamless integration and data sharing.&nbsp; Most of the IT-GRC &quot;vendors&quot; I get briefed on automate IT controls, not IT-GRC lifecycles. For example, Brabeion automates policy management (a governance process), the testing of IT controls (a compliance process), and the assessment of IT risks (a risk process). Brabeion, therefore, is an IT-GRC vendor. Sun Microsystems' identity and access management product automates access controls and NetIQ's SIEM product automates event monitoring controls.&nbsp; Neither of these companies is an IT-GRC vendor or has an IT-GRC product.</p>

<p>So before marketing a product as an IT-GRC solution please make sure it actually is an IT-GRC solution and not a control automation solution.&nbsp; This will go a long way to reducing the &quot;noise&quot; around the IT-GRC market space.</p>]]></content:encoded>
      <pubDate>Mon, 30 Jun 2008 12:30:11 +0000</pubDate>
      <category domain="http://securityratty.com/tag/it-grc">it-grc</category>
      <category domain="http://securityratty.com/tag/it-grc vendors">it-grc vendors</category>
      <category domain="http://securityratty.com/tag/it-grc space">it-grc space</category>
      <category domain="http://securityratty.com/tag/it-grc market space">it-grc market space</category>
      <category domain="http://securityratty.com/tag/it-grc vendor">it-grc vendor</category>
      <category domain="http://securityratty.com/tag/it-grc solution">it-grc solution</category>
      <category domain="http://securityratty.com/tag/vendors">vendors</category>
      <category domain="http://securityratty.com/tag/vendor product demo">vendor product demo</category>
      <category domain="http://securityratty.com/tag/product">product</category>
      <source url="http://blogs.forrester.com/srm/2008/06/it-grc-who-is-a.html">IT-GRC: Who is and who is not</source>
    </item>
    <item>
      <title><![CDATA[Cisco's Path In Entitlement Management]]></title>
      <link>http://securityratty.com/article/69d58048921734eeef4975b4be8bf3fb</link>
      <guid>http://securityratty.com/article/69d58048921734eeef4975b4be8bf3fb</guid>
      <description><![CDATA[While waiting for the pan-out of the Cisco System's acquisition of Securent, I can't help but wonder how Cisco is going to develop the Securent technology in its future products. Will the Securent...]]></description>
      <content:encoded><![CDATA[<p><img title="Andras Cser" alt="Andras Cser" src="http://www.forrester.com/role_based/images/author/imported/forresterDotCom/Analyst_Photos/Silhouette/Color/Andras-Cser.gif" border="0" style="FLOAT: left; MARGIN: 0px 5px 5px 0px" /></p>

<p>While waiting for the pan-out of Cisco Systems' acquisition of Securent, I can't help but wonder how Cisco is going to develop the Securent technology in its future products. Will the Securent policy engine (PDP) be used 1) as a main point for policy management and enforcement for network equipment, OR 2) will they continue using the product along the 'Securent-intended' path: enforcing fine-grained application-level policies by integrating policy enforcement points into applications, OR 3) managing fine-grained authorizations on the network layer (without the need to open up applications), similarly to BayShore Networks, Autonomic Networks, and Rohati Systems? Without a comprehensive identity and access management (IAM) offering, Cisco will probably be best fit to do 1) and 3) described above. This seems most consistent with Cisco's background and culture.</p>]]></content:encoded>
      <pubDate>Fri, 13 Jun 2008 07:43:37 +0000</pubDate>
      <category domain="http://securityratty.com/tag/cisco">cisco</category>
      <category domain="http://securityratty.com/tag/securent">securent</category>
      <category domain="http://securityratty.com/tag/securent technology">securent technology</category>
      <category domain="http://securityratty.com/tag/cisco system">cisco system</category>
      <category domain="http://securityratty.com/tag/securent policy engine">securent policy engine</category>
      <category domain="http://securityratty.com/tag/policy enforcement">policy enforcement</category>
      <category domain="http://securityratty.com/tag/enforcement">enforcement</category>
      <category domain="http://securityratty.com/tag/application level policies">application level policies</category>
      <category domain="http://securityratty.com/tag/rohati systems">rohati systems</category>
      <source url="http://blogs.forrester.com/srm/2008/06/ciscos-path-in.html">Cisco's Path In Entitlement Management</source>
    </item>
    <item>
      <title><![CDATA[EIC 2008: Takeaways from Europe's biggest identity event]]></title>
      <link>http://securityratty.com/article/f0c9e9b51234be82cd6931f69a06573e</link>
      <guid>http://securityratty.com/article/f0c9e9b51234be82cd6931f69a06573e</guid>
      <description><![CDATA[Several weeks on and I'm still digesting the massive amount of information and insight from the second European identity conference in Munich, organized by Kuppinger Cole. Five days chock-full of...]]></description>
      <content:encoded><![CDATA[<p><img border="0" title="Bill Nagel" alt="Bill Nagel" src="http://www.forrester.com/role_based/images/author/imported/forresterDotCom/Analyst_Photos/Silhouette/Color/Bill-Nagel.gif" style="margin: 0px 5px 5px 0px; float: left;" /></p>

<p>Several weeks on and I'm still digesting the massive amount of information and insight from the second <a href="http://www.id-conf.com/events/eic2008/agenda">European identity conference</a> in Munich, organized by Kuppinger Cole. Five days chock-full of content (7 am to 7 pm every day!), 50 exhibitors, 130 speakers, four workshop tracks, five theme tracks, and 25 best-practice sessions. Hundreds of delegates showed up from all over, even though <a href="http://blogs.forrester.com/srm/2008/04/infosec-2008-se.html">Infosecurity 2008 was raging</a> in London the same week. EIC 2008 was a superbly run event, with the seemingly inexhaustible Martin Kuppinger at the center of the storm.</p>

<p>It's difficult to sum up the content: Internet-scale identity, identity-driven security, federation, single sign-on (SSO), provisioning, context-based authentication, mobile and user-centric identity, SOA, entitlement management, and information risk management all commanded their own tracks. But some unifying themes emerged, chief among them that well-planned and -implemented identity and access management (IAM) is increasingly a must-have if we want to have effective information security, information risk management, and even GRC in today's and tomorrow's enterprises. 2008 may not be the tipping point for IAM, but we're getting close. A few highlights:</p>

<ul><li>It seemed that every third presentation contained the words &quot;Société Générale&quot; or &quot;<a href="http://en.wikipedia.org/wiki/Kerviel">Jérôme Kerviel</a>&quot;. Nothing like an(other) egregious breach of policy, procedure, and trust to concentrate the mind! Suddenly everyone is rediscovering the <a href="http://en.wikipedia.org/wiki/Barings_Bank">Barings debacle</a> of a decade ago and recalling the name &quot;Nick Leeson&quot; — and realizing that, while we have made great technological strides in the past decade, all too often the people and process elements get short shrift. (If the control framework breaks down, it matters little what tech was used to enact it...). So while there was plenty of forward-looking technology-centric discussion, the thread of policy and process ran through every conversation — there was even an entire track session devoted to avoiding internal fraud via rogue trading and the changing threat landscape. </li>

<li>A lot of the <a href="http://identity20.com/">Identity 2.0</a> discussion was still quite fuzzy. There was little agreement on what <a href="http://www.forrester.com/Research/Document/0,7211,43632,00.html">mobile identity</a> really means and how companies offering consumer services can provide it to customers, and what the role of mobile operators (who at the moment look like the weak link in the security chain) might ultimately be. User-centric identity is a great idea, but needs to be implemented in a way that gives users meaningful control over their identities and associated credentials in a way that doesn't also shift all of the liability for financial fraud (identity abuse) from institutions to individuals. This has significant implications for things like mobile commerce. </li>

<li>There was a great <a href="http://www.forrester.com/Research/Document/0,7211,43123,00.html">physical/logical convergence</a> case study from <a href="http://www.covcollege.ac.uk/">City College Coventry</a> (UK), which is providing converged smart-card credentials to more than 10,000 students and staff. The card will function as an ID badge across the College, parking pass, building pass, cashless payment card, library card, etc. It will also be required to use any computer, printer, or photocopier connected to the College's network, and will allow lecturers secure access to classroom resources. The College does have the luxury of setting up this system in the context of moving to brand-new facilities, but it shows that if the IT and physical security folks can agree to pull in the same direction, convergence is a wholly attainable goal. </li>

<li>Results of an enterprise IAM study were presented; one of the most troubling findings was that half of the respondents reported that their biggest obstacle to implementing IAM was that the business was just not ready for it. User management is often in place, but downstream functions like auditing and monitoring are still far from mature in a holistic IAM context. Firms also report big gaps between expected and actual benefits from implementing IAM. That last bit is one reason we advise not trying to do it all at once; rather, break a planned IAM implementation into manageable project chunks, focusing on one set of short-term, tangible, demonstrable benefits at a time.</li></ul>

<p>One panelist put it best: Technology maturity and integration are all well and good, but we need workflow integration and organizational maturity. The need to implement IAM provides an opportunity to share information, define new policies and processes, and streamline existing ones. The CEO and CIO/CSO/CISO need to sit at the same table, commit to eliminating organizational silos, and devise a cooperative approach.</p>]]></content:encoded>
      <pubDate>Fri, 13 Jun 2008 04:19:15 +0000</pubDate>
      <category domain="http://securityratty.com/tag/identity">identity</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/information risk management">information risk management</category>
      <category domain="http://securityratty.com/tag/user-centric identity">user-centric identity</category>
      <category domain="http://securityratty.com/tag/iam">iam</category>
      <category domain="http://securityratty.com/tag/iam implementation">iam implementation</category>
      <category domain="http://securityratty.com/tag/effective information security">effective information security</category>
      <category domain="http://securityratty.com/tag/implement iam">implement iam</category>
      <category domain="http://securityratty.com/tag/holistic iam context">holistic iam context</category>
      <source url="http://blogs.forrester.com/srm/2008/06/eic-2008-takeaw.html">EIC 2008: Takeaways from Europe's biggest identity event</source>
    </item>
    <item>
      <title><![CDATA[Can Moodys solve your third party assessment problem?]]></title>
      <link>http://securityratty.com/article/7e6b67ff0436ef607531dfb5fd3b619f</link>
      <guid>http://securityratty.com/article/7e6b67ff0436ef607531dfb5fd3b619f</guid>
      <description><![CDATA[Moodys recently launched their Vendor Information Risk (VIR) ratings service. The main objective of this service is to reduce the overall burden of conducting risk assessments for organizations, as...]]></description>
      <content:encoded><![CDATA[<p><img title="Khalid Kark" alt="Khalid Kark" src="http://www.forrester.com/role_based/images/author/imported/forresterDotCom/Analyst_Photos/Silhouette/Color/Kark_Khalid.gif" border="0" style="FLOAT: left; MARGIN: 0px 5px 5px 0px" /></p>

<p>Moody’s recently launched their Vendor Information Risk (VIR) ratings service. The main objective of this service is to reduce the overall burden of conducting risk assessments for organizations, as well as their service providers. The whole idea being that if Moody’s can do a risk assessment on behalf of multiple subscribers, it can make the assessment process a lot more efficient.&nbsp; The service provider will not have to go through multiple assessments and the subscribers will share the cost, and therefore have a much lower price point. </p>

<p>Many CISOs I talk to are sick of performing third party risk assessments; it takes up valuable time, is expensive, and most importantly, pulls resources away from doing actual security work within the company. On the other hand service providers are also having a hard time keeping up with these assessments. A compliance manager at a large service provider estimated that they responded to over 300 audit requests in 2007, and that number would be around 400 in 2008. Thus, a service like this could potentially save millions of dollars for service providers and subscribers. </p>

<p>Industry efforts, such as the BITS framework, have so far focused on providing methodologies but haven’t really addressed the issue of building a platform to ensure consistency across assessments. It was refreshing to see this service from Moody’s that endeavors to take the burden off of your shoulders. </p>

<p>If this service delivers on its promise and is able to gain traction, it has the potential to move others in the industry to follow its approach. Although I think this is a great idea, here are some things to keep in mind as you evaluate this service for your organization.&nbsp; &nbsp; </p>

<ul><li>It can reduce the time, resources, and cost, if enough people use this service. There is no question that it would be much cheaper, less resource intensive, and a lot quicker to go through a Moody’s report as opposed to doing the assessment yourself. The trick would be to convince your service provider to go through an extensive assessment (Moody’s estimates two to three weeks) and spend a substantial amount of money (Moody’s primary business model estimates US$ 23K for the initial rating and US$ 10K/year monitoring; volume purchase agreements are also available) for an assessment that may not be accepted by many other organizations. So the real value for a service provider would be to have multiple companies subscribing to the VIR service. </li>

<li>Ongoing monitoring reduces time-consuming remediation follow-ups. I think this is a very valuable part of the service if Moody’s gets it right. They will rely on a quarterly questionnaire and publicly available sources to identify changes in a service provider’s environment. Thus, it may be a bit of a challenge to get a clear risk picture if the service provider isn’t honest in providing all the necessary information or if the information isn’t public. Having said that, it is still better than the current situation, where there is no monitoring at all, just an annual audit. Quarterly follow-ups by Moody’s on previously identified deficiencies will also ensure that the service provider stays on its toes. </li>

<li>Consultant expertise and consistency in scoring will improve over time. Having done a lot of assessments myself, I know that you get better and more consistent as you go through the assessment process repeatedly. Although the current consultant skill set seems pretty good and appropriate checks are in place to check for consistency, it is only natural that different consultants will assess differently. Security assessments may be a very different beast compared to the financial assessments that Moody’s is used to doing, primarily because there is a decent amount of subjectivity in these assessments. </li></ul>

<p>Lastly, the pricing structure may also influence the decision making for subscribers as well as service providers. I personally think that the current pricing structure is pretty reasonable for the current market conditions. Let’s hope Moody’s is able to nail this one. What do you think about this service? Does it address your pain points? Are you skeptical? I’d love to hear your thoughts on this. </p>]]></content:encoded>
      <pubDate>Wed, 28 May 2008 08:36:33 +0000</pubDate>
      <category domain="http://securityratty.com/tag/service provider environment">service provider environment</category>
      <category domain="http://securityratty.com/tag/service">service</category>
      <category domain="http://securityratty.com/tag/ratings service">ratings service</category>
      <category domain="http://securityratty.com/tag/vir service">vir service</category>
      <category domain="http://securityratty.com/tag/service providers">service providers</category>
      <category domain="http://securityratty.com/tag/service provider">service provider</category>
      <category domain="http://securityratty.com/tag/assessment">assessment</category>
      <category domain="http://securityratty.com/tag/service provider stays">service provider stays</category>
      <category domain="http://securityratty.com/tag/moodys">moodys</category>
      <source url="http://blogs.forrester.com/srm/2008/05/can-moodys-solv.html">Can Moodys solve your third party assessment problem?</source>
    </item>
    <item>
      <title><![CDATA[InfoSec 2008: Key takeaways from Europe's biggest security event]]></title>
      <link>http://securityratty.com/article/1ccf3498f578a24943cc6223e053be26</link>
      <guid>http://securityratty.com/article/1ccf3498f578a24943cc6223e053be26</guid>
      <description><![CDATA[Infosecurity Europe is the continent's premier dedicated information security event. InfoSec, held the 22nd-24th of April at London's Grand Hall, Olympia, saw some 300 security vendors exhibiting and...]]></description>
      <content:encoded><![CDATA[<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman">Infosecurity Europe is the continent's premier dedicated information security event. InfoSec, held the 22nd-24th of April at London's Grand Hall, Olympia, saw some 300 security vendors exhibiting and more than 12,500 security folks visiting. Next year it will be held at the bigger Earls Court. Last year had fewer attendees, but the benefit of a clear key topic: data security. </span></p>


<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman">So, what was the buzz about this time around? Well, for starters there was no single topic that stood out, but instead InfoSec 2008 was a complex smorgasbord of all past and present security and risk management themes. Certainly, deperimeterization, endpoint protection, data-driven security, and compliance strategies were very visible, but at the same time many network security solutions and antivirus stuff were pushed heavily. Some of the traditional security heavyweights were, you guessed it, widely visible and audible and included the likes of McAfee, Sophos, Kaspersky, Juniper Networks, etc.</span></p>

<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman">Many of the attendees and vendor representatives I talked to seemed to echo the notion that the dynamics of the market are changing. As security managers are overwhelmed by complexity and the daily grind of updating, patching, and fixing holes, many tend to retreat to something of a &quot;wait and see&quot; mode. Yet people are beginning to acknowledge that technology-driven, perimeter-based security is largely a thing of the past and either gets operationalized or outsourced. Most people in the industry are beginning to see the early contours of a new security and risk paradigm. Visionary folks see this promised land of information security and risk management being in the green valley of business-driven risk management, where data, identity, policy, and compliance are the crucial cities (elements). </span></p>


<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman">Which of these cities (elements) will be the biggest and most important depends almost entirely on where you are coming from as a vendor and what your primary differentiator is in the marketplace (nothing new here...). Sure, we will see more unified solutions and suites that contain most established security features. Sure, we will have small start-ups addressing the latest threats and more tricky challenges, and then we will see the vendor Darwinism that we are accustomed to. </span></p>


<p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><span face="Times New Roman">But for security professionals a key challenge lies in understanding that there is a paradigm shift happening outside of the technology/vendor realm, which will require out-of-the-box thinking for many of us. There are a few steps you can take to prepare yourself, though. First, take a crash course in business speak (as opposed to the tech talk we are all accustomed to). Second, get your corporate ducks in a row by forming alliances and partnerships with other departments (e.g. legal, HR, key business lines) that you haven't worked with on a regular basis before. Third, articulate the business benefits of addressing new security challenges (and go easy on the scare tactics here). Finally, introduce technology not as the be-all and end-all but rather as the linking layer between people and processes, which are what matter most in any organization. If you then learn how to demonstrate that a new data security product or a fresh start on identity management is going to help your company add to the bottom line, then you are on the right track to the nirvana of security and risk management. </span></p>]]></content:encoded>
      <pubDate>Wed, 30 Apr 2008 04:43:01 +0000</pubDate>
      <category domain="http://securityratty.com/tag/data security">data security</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/data security product">data security product</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/information security event">information security event</category>
      <category domain="http://securityratty.com/tag/security professionals">security professionals</category>
      <category domain="http://securityratty.com/tag/security managers">security managers</category>
      <category domain="http://securityratty.com/tag/security folks">security folks</category>
      <source url="http://blogs.forrester.com/srm/2008/04/infosec-2008-se.html">InfoSec 2008: Key takeaways from Europe's biggest security event</source>
    </item>
    <item>
      <title><![CDATA[Hitachi acquires M-Tech Information Technology]]></title>
      <link>http://securityratty.com/article/e0ecb25fbfdfd98f49c2658fcbca2971</link>
      <guid>http://securityratty.com/article/e0ecb25fbfdfd98f49c2658fcbca2971</guid>
      <description><![CDATA[The number of pure-play vendors in user account provisioning decreased on April 7, 2008 when Hitachi announced that it acquired M-Tech Information Technology, and changed the name to Hitachi ID....]]></description>
      <content:encoded><![CDATA[<p>The number of pure-play vendors in user account provisioning decreased on April 7, 2008 when Hitachi announced that it had acquired M-Tech Information Technology and changed the name to Hitachi ID. Although Hitachi has been lacking an identity and access management (IAM) pedigree, this move can prove important for the following reasons: <br />1) Using IAM for provisioning of physical resources and hardware resources.<br />2) Extending enterprise role definitions to previously uncharted verticals and cultures.<br />3) Evangelizing user account provisioning and IAM in Japan and other APAC regions.<br />4) Hitachi becoming a major player in Japanese SOX (JSOX) implementation.</p>

<p>Needless to say, the above will hinge on Hitachi's ability to retain and grow the existing customer base of M-Tech IT in North America and Europe, and also on Hitachi's ability to compete against EMC's selling of Courion and RSA products. How Hitachi will create an access and adaptive access management (Web and desktop) portfolio to complement its identity management and provisioning portfolio also remains to be seen.</p>]]></content:encoded>
      <pubDate>Thu, 24 Apr 2008 11:24:10 +0000</pubDate>
      <category domain="http://securityratty.com/tag/hitachi">hitachi</category>
      <category domain="http://securityratty.com/tag/access management">access management</category>
      <category domain="http://securityratty.com/tag/access">access</category>
      <category domain="http://securityratty.com/tag/m-tech">m-tech</category>
      <category domain="http://securityratty.com/tag/m-tech information technology">m-tech information technology</category>
      <category domain="http://securityratty.com/tag/adaptive access management">adaptive access management</category>
      <category domain="http://securityratty.com/tag/user account">user account</category>
      <category domain="http://securityratty.com/tag/enterprise role definitions">enterprise role definitions</category>
      <category domain="http://securityratty.com/tag/iam">iam</category>
      <source url="http://blogs.forrester.com/srm/2008/04/hitachi-acquire.html">Hitachi acquires M-Tech Information Technology</source>
    </item>
  </channel>
</rss>
