We’re calling this part II - and it’s being advertised as:

“How to conduct a risk analysis and produce a high impact deliverable to senior management.”

With topics:

• The life-cycle of a quantitative risk analysis
• Key control opportunities against targeted attacks
• Getting senior management to understand the risk posed to the business

I got to do the Q&A backchannel on the last presentation, and there were great questions asked.  I think this presentation will be even more exciting, as it’ll cover both analyst and management considerations.

If you’re a regular reader of the blog, I don’t think you’ll have to have attended the last one for this one to be worth your while.

REPEAT PERFORMANCES OF THE FIRST WEBEX ARE AVAILABLE

We’ve had a some folks who attended the original WebEx ask us to do a “private” performance for just their  infosec group and/or other members of their organization (like audit and ERM).

We’ve been given the OK to do these provided that there are a minimum of 5 attendees.  Leave me a comment to this post if you’re interested (be sure to include your email in the submission - it won’t be made public but we’ll need it to contact you to set this up), or just email me:  alexh -shift2- riskmanagementinsight:dot:com.

And if you missed it the first time, the playback of the first preso is here, and the slides are here.

First of all, I’d like to point out a major difference between the Gartner conference and the big Cisco Live user conference going on down here at the same time. Keynotes start at 8am at the Gartner show – and before that is breakfast, networking, etc. etc. John Chambers’ keynote over at Cisco Live starts at 10am. 8am versus 10am. I knew there was a reason I should have been a network engineer…

But here’s something they don’t have at Cisco Live – VP & Distinguished Analyst Thomas Bittman talking about Cloud Computing and the Future of Infrastructure.

(Picture credit: WATBlog)

Point: The idea is that it’s complex to create computing power so we should centralize it among a few providers (Google, Amazon, ebay) to gain economies of scale. Ability to drive down price by centralizing and getting to scale is just too compelling. In this scenario, computing is a commodity; IT is a commodity. Remember Nick Carr’s controversial book, “Does IT Matter”?

Gartner Counterpoint: IT is not a commodity because of constant innovation. So it’s not about a big investment in old/stagnating technology but more about developing and investing in agility. There will be not a few cloud computing providers but thousands.

A quick definition of Cloud Computing by Gartner: a style of computing where massively scalable IT-enabled capabilities are delivered as a service to external customers using Internet technologies.

Cloud Computing Drivers:

• connections are becoming pervasive (anywhere, anytime)
• response time expectations are shrinking
• relationships are online and short-lived

Tom Bittman shared a view of the evolution of the data center – from “Silos to Clouds”. Prior to about 2002, data centers were sprawled siloed organizations focused on component management. Over time, hardware cost went down, flexibility is up spurred by technologies like virtualization and creating fluid pools of capacity that can be moved around intelligently. What we are moving towards is automated, services-oriented environment in data centers that are focused on enabling agility. Ecco Cloud Computing!

Gartner predictions:

• By 2012, 80% of the Fortune 100 will be paying for some cloud computing services, and
• 30% will be paying for cloud computing infrastructure services.

ShareThis

Tim Greene makes the point again in his column that NAC is a great tool to help with PCI compliance. He is right on. Here at StillSecure we have several customers who are using NAC to help with PCI.  My issue is Tim highlights some recent spin fed to him from the "used car salesman of NAC". They claim to have a "PCI kit" that will help with 8 out of 12 PCI requirments.  A kit sounds like something you put on your car to help with gas mileage or something and for all I know is just more snake oil.  They claim to have an "unnamed customer" who is already using it.  Who could that be, LVHH again?  Or maybe they found a Cisco or Juniper customer that they say uses them for NAC now too.  The BNBB advises to take anything they say or write with a grain of salt.  Remember Caveat Emptor!

Last week in response to Richard Stiennon's glowing write up, I questioned what it is exactly that Rohati does. Well someone from Rohati must have seen it and I was contacted by the Rohati team and offered a peek and a deep explanation of exactly what Rohati does.  So today I had a chance to speak with Shane Buckley, CEO, Prashant Ghandi VP of product management and strategy and Steven Wastie, VP of marketing.  I was impressed that such a triumvirate of power players from the Rohati team took the time to speak to me.  But I guess after I wrote what I did, it was followed up by JJ writing her article on it and than Rothman piling on with his own two cents. 

Give the Rohati team credit for recognizing the power of blogs to influence the influencer and reaching out to stem the tide.  It just goes to show you how far blogging has come. But enough about the power of blogs, lets talk about Rohati.

The best way for me to describe Rohati is that it is layer 7 ACLs to control access to applications.  Where we already have security at the perimeter and at the edge, Rohati is about controlling access at the server/application.  The diagram on the left (click on it to get a bigger version), is a good illustration of how Rohati works. By integrating with LDAPs Rohati can assign you an access policy to any application.  Based upon that Rohati gives a very fine grain level of access control at the application layer.  It acts as a proxy to the app server for both regular and encrypted traffic.  Because the ACLs are on the Rohati box itself, there really is not any integration with switches per say and so no integration worries.

The only problem is that the Rohati box has to be able to handle the traffic flow.  Hence the box is a big honker.  The cheap one is about 20k list I believe and the industrial size version is 80k. This product is aimed squarely at the data center space and is sold through channels.

Will Rohati succeed.  Yes, I think it will.  I think they have taken a unique approach to a security issue that will continue to grow in years to come.  Application access is an area that I think is still up and coming.  In a period of nothing is ever new in security, the Rohati team seems to have found something that has not been done before in a packaged dedicated way like this.  If nothing else, with all of the ex-Cisco folks there, Cisco will eat its young and buy the technology back in.

We will watch Rohati's progress in the months to come.  At the very least, it seems they are blog savvy enough to navigate the waters of social media.  Maybe they will start their own blog soon.

Last week in response to Richard Stiennon's glowing write up, I questioned what it is exactly that Rohati does. Well someone from Rohati must have seen it and I was contacted by the Rohati team and offered a peek and a deep explanation of exactly what Rohati does.  So today I had a chance to speak with Shane Buckley, CEO, Prashant Ghandi VP of product management and strategy and Steven Wastie, VP of marketing.  I was impressed that such a triumvirate of power players from the Rohati team took the time to speak to me.  But I guess after I wrote what I did, it was followed up by JJ writing her article on it and than Rothman piling on with his own two cents. 

Give the Rohati team credit for recognizing the power of blogs to influence the influencer and reaching out to stem the tide.  It just goes to show you how far blogging has come. But enough about the power of blogs, lets talk about Rohati.

The best way for me to describe Rohati is that it is layer 7 ACLs to control access to applications.  Where we already have security at the perimeter and at the edge, Rohati is about controlling access at the server/application.  The diagram on the left (click on it to get a bigger version), is a good illustration of how Rohati works. By integrating with LDAPs Rohati can assign you an access policy to any application.  Based upon that Rohati gives a very fine grain level of access control at the application layer.  It acts as a proxy to the app server for both regular and encrypted traffic.  Because the ACLs are on the Rohati box itself, there really is not any integration with switches per say and so no integration worries.

The only problem is that the Rohati box has to be able to handle the traffic flow.  Hence the box is a big honker.  The cheap one is about 20k list I believe and the industrial size version is 80k. This product is aimed squarely at the data center space and is sold through channels.

Will Rohati succeed.  Yes, I think it will.  I think they have taken a unique approach to a security issue that will continue to grow in years to come.  Application access is an area that I think is still up and coming.  In a period of nothing is ever new in security, the Rohati team seems to have found something that has not been done before in a packaged dedicated way like this.  If nothing else, with all of the ex-Cisco folks there, if nothing else Cisco will eat its young and buy the technology back in.

We will watch Rohati's progress in the months to come.  At the very least, it seems they are blog savvy enough to navigate the waters of social media.  Maybe they will start their own blog soon.