Tag Archives: security

Private Cloud: Benefits but Not a Free Lunch

Through ongoing discussions with IT managers and providers, Saugatuck has identified the increasing popularity of Private Clouds, particularly among large enterprise IT organizations. In a recently published Strategic Perspective, Saugatuck offers guidance to any enterprise IT organization considering a Private Cloud, including assessments of the areas in which Private Clouds differ from plain infrastructure virtualization.

Saugatuck characterizes two basic factors that make Private Cloud attractive to typical enterprise IT organizations:

Cloud Security is People!

What is Happening?

The recent leak of roughly 7 million Dropbox credentials (which Dropbox attributed to passwords stolen from unrelated third-party services and reused on Dropbox) has raised the inevitable blog posts and questions regarding Cloud security. It’s another round of the same questions: “Can the Cloud be secured?” and “Will advances in security technology protect our data?”

Saugatuck’s take, with apologies to the classic science fiction film “Soylent Green,” is this: “Cloud security is people!”

Technologically, Cloud-based resources remain more secure than most enterprise data centers; but the widespread, boundary-free use of Cloud-provided IT and business resources increases the likelihood of human error precisely because it removes traditional boundaries in IT and business. Initiatives such as Cisco’s Intercloud, and similar Cloud aggregation and integration efforts by HP, IBM, Microsoft and others, extend the range and scope not only of Clouds and everything linked to them, but of the number and kinds of people using, managing, and connecting through them.

When more resources are used by more entities, some of them unknown, more of them outside any centralized or fixed environment, and many of them used in new and untested ways, the risk of security failures rises sharply because human involvement rises. Technology won’t save us when the people using and managing it fail to use and manage it correctly.

Security’s Big Picture?

Security has gone through several major shifts since its inception: from mainframe and host-based access controls, to network access controls, to patching and endpoint protection, to application pen-testing and vulnerability management delivered through the Cloud.

All of this is about to change as security’s big picture makes its mainstream entry. Although under way for almost a decade among leading-edge firms, it is about to go mainstream over the next 18 months, and after that security will never be the same. Suppliers are charging into the market with security big-data collection and categorization, with security analytics, and with security scorecard and presentation offerings, all delivered as products and services. Some of these suppliers have no idea their buyers are taking them down the path to security’s big picture, while others see the vision and have funded multi-year efforts to deliver on the promise.

Is Consistency Killing Your Security Profile?

There are enough security standards to cover the earth many times over, and yet we are no more secure today than we were before the security checklists developed over the past few decades.

We deploy the same PCs, laptops and servers throughout the enterprise. We encourage our employees to use the same mobile phones. We make sure our routers and switches work identically throughout the network. We make sure our security controls operate the same everywhere.

Hackers depend on our consistency and on our inattention to the human element. They know we are obsessively focused on consistency throughout IT operations, they depend on our exclusive focus on technology controls and procedures, and they know that our employees are easy bait for lures that seem irresistible. They also know that they can learn anything they like about our systems and controls, because we emphasize form over substance: we continually reference our standards and policies, and then publish them to the world through our websites, handing our adversaries the material they need for more effective reconnaissance and intelligence gathering. We pride ourselves on passing audits year in and year out, ignoring the fact that audits are not security.

5 Questions Every CISO Should Ask About Digital Business

For decades of business IT, we’ve managed to shunt customers aside and ignore their desires by building moats around the markets, products and services that we offer. These defensive tactics have included tariffs, trade barriers, legislative perquisites achieved through lobbying, the modern version of monopolism called oligopoly, and the outright agglomeration of markets through mergers and acquisitions with front-of-the-house shingles that display a veneer of choice.

But customers today know better, and now customer trust is king in the new world of Digital Business. In this new world there are no secrets, no hidden ownership tricks, and no other fact than that the customer chooses you, instead of you defining and segmenting your customers.

Futebol and IT: Brazilian Repercussions from the World Cup, NSA, and the Olympics

Brazil has a strong IT sector, though the country has been mired in lackluster growth for the past several years after its earlier sprint. There is a lot of development beneath the surface, however, and among the strongest influencers is an attempt to put on two top international events, the World Cup and the Olympics, within two years. Few other nations have attempted this. It is extraordinarily expensive and demanding, with demands from FIFA (the World Cup governing body) and the Olympic Committee for a wide range of new infrastructure and conditions, all of which have created a need for new technology, as well as waves of protests over costs and security arrangements.

IT has been an important part of event preparation, with high-tech security centers being established in major urban locations throughout the country, and media and communications facilities being expanded to accommodate viewers, visitors, and fans. The preparations have also highlighted Brazilian technology, while drawing even greater attention to the protests, construction failures, and missed deadlines.

Security: The Fault Lies not in Our Clouds, But in Ourselves

As we roll into Friday the 13th, we see that Cloud security is a hot topic again this week. A review of news feeds, blog posts, Twitter feeds and more reveals a plethora of publications and posts generating FUD regarding Cloud security.

The net feeling across all of these is that Cloud is big and scary. The negative quotes cited all seem to be from IT “security experts” and providers of IT security. Hmmm.

The most-cited security breaches include the December 2013 Target breach (not Cloud; a failure to develop and manage adequate security within Target), various laptop and memory-stick thefts going back to the 1990s (obviously not Cloud; failures of security management and practice), and the October 2013 MongoHQ breach, through which social media app provider Buffer was attacked.

Insanity is Using the Same IT Security Approaches Over and Over Again

We keep deploying and maintaining antivirus on our endpoints, expecting it to protect the enterprise. Instead, our adversaries use rootkits and backdoor implants that are largely invisible to it, and which let them own the PCs and revisit them at will. We assume we are protected, and yet we have a nagging doubt because we don’t know what we don’t know. Still we keep spending a lot of money on antivirus and other security tools built on the same premise of a mechanical security perimeter. The compulsion to do so comes from regulation, from industry practice, and because, well, that’s just the way we’ve always done it.

This problem is not unique to antivirus. Almost all of the security perimeters we rely on are now outdated and simply bypassed by our adversaries. Why? Our adversaries have access to the same systems and tools we do, and to a wide variety of exploits through online auction sites and underground sharing sites. It doesn’t take much to test a new exploit, and even less to deploy it without being caught. Once deployed, exploits find ready targets across the millions and billions of devices in the handful of technology monocultures we use around the world. Today’s exploits simply walk through or around our security perimeters, and our adversaries thumb their noses at us.

Solving the Security Wormhole Challenge of the API economy

The API economy is doing quite well, but its expansion awaits a breakthrough security invention that will enable the use of APIs and the economy to unleash data currently behind corporate firewalls. As it exists today, the API economy is fixated on freemium business models where consumers find “freely” available information they can put to use in their daily lives. Whether the purpose of acquiring the data is to make travel reservations, purchase something, or simply search for something, the current complexion of the freemium API economy is just the start of business model reinventions that are yet to come, where entire industries will be remade and then made over again.

The big business blockbuster gains of the past 40 years might have been propelled forward by technology innovation, but all have been led by changes in business models. This will be the same in the API economy. Changes in business models will drive the need for technology innovation, which will drive further change in business models.

API Security

Information security today is binary: data is either free or it is not. Either it is commonly available on the Internet through a wide variety of APIs, or it sits behind many layers of security controls that prevent access to it. This security wormhole, between data that is free and data that is not, is going to be traversed as businesses seek competitive advantage over one another in the API economy.

Verizon’s Data Breach Report: Is Cloud the Data Security Solution?

What is Happening?

Verizon’s annual Data Breach Investigations Report is out, and Saugatuck’s analysis of its information, gathered from 50 contributing organizations cataloguing more than 63,000 security incidents across 95 countries, is this: despite investing billions in hardware, software, and services, we have learned little to nothing about managing data and system security effectively.

Two things stand out in our review of the report:

  1. The number and scope of data breaches bears little resemblance to the related hype and resultant market perceptions; and,
  2. The vast majority of data breaches (and losses) are still, quite simply, preventable by improving and adhering to consistent management practices. Acquiring and implementing security technology does not effectively prevent data loss.

First, let’s look at perceptions and realities regarding frequency of system breaches and resulting losses of data. The pie slices in Figure 1 use Verizon’s published data to illustrate the relative numbers of reported data breach incidents by firms in 21 industry categories, alongside the relative percentages of actual losses reported by the same firms.

Figure 1: Analyzing Verizon’s Data Breach Data


Source: Saugatuck Technology Inc., from Verizon data published April 2014