Vulnerability management is the area of security that can best be compared with playing whack-a-mole, a game in which rubber mole heads pop up at random from the holes in which they are hiding. Your job is to whack the head of each mole with a rubber mallet, forcing it back into the hole it came from. You score points for each mole you force back into a hole, and the more points you score in the allotted time of play, the higher your total score.
In the game of vulnerability management, you hit the heads of the moles by applying patches and configuration changes to IT assets to eliminate or minimize the attack surface available to attackers. The problem is that hacker-moles operate silently: you don't know which ones are there or which holes they are working from, unless of course you are constantly searching all the holes to determine which ones are wide enough for a hacker-mole to get into and through.
Determining where the holes are that will attract the moles is the job of vulnerability scanners, most of which are now operated as Cloud service subscriptions. And it is not working. The reason it is not working has little to do with the scanning services and almost everything to do with the lack of the other tools and services you need to run your score up by smashing the moles faster. Having information about where the moles are, how many there are, where they are lurking and what their cycle-times are would make you invincible in the face of the onslaught of hacker-moles attacking the enterprise network. Continue reading How the Security Game of Whack-a-mole Changes →
In light of high-profile security breaches, some possibly sponsored or performed by governments, enterprise IT assets seem more exposed than ever before. And every IT manager is excruciatingly aware that their fundamental mission is to ensure the security of the data, applications, and infrastructure under their purview. However, even as they develop plans for evolving their infrastructure to include Cloud alternatives, IT organizations are becoming increasingly aware of the extent of Cloud-based solutions already in use by the business organizations they support. This Shadow IT consists of ad hoc Cloud-based solutions implemented or adopted with little or no involvement of the IT organization.
As a result of that awareness, security is under increasing scrutiny across all industry segments. Saugatuck projects that security will continue to grow as a focus, on a par with the focus on adoption of Cloud offerings, by mid-2016. In a recently published Strategic Perspective, Saugatuck identifies the following as factors that increase the security exposure posed by Shadow IT:
Abuse of privileges on approved Cloud applications;
Access of Cloud applications by former employees;
Cloud app security that fails to comply with internal or industry requirements;
Lack of monitoring and control of documents shared through Cloud collaboration tools; and
Lack of audit trail of changes to user authorizations, configuration settings, etc.
From a security perspective, mobile apps are much more than they seem. They may appear as harmless and benevolent creatures, yet their potential for security issues resembles something more like King Kong. Mobile apps can wreak havoc with security because they are easily introduced, easily developed, and easily deployed. Their usefulness leads to complacency. Yet they increasingly gain access to critical information and important corporate applications through APIs in the cloud. Mobile apps also have access to a wide variety of personal data, such as location information, social information, contacts, photos and videos, and anything else a user may care to contribute to social streams. If this weren't enough cause for concern, they contain access codes, passwords, and other information that would be critical for gaining access to corporate data directly, or through social engineering techniques.
Despite these issues and the value of what they hold, mobile apps are notoriously insecure. Relatively little attention has been paid to them, due to their relatively recent introduction and the fact that their development coincides with general changes in software development. Apps create security concerns going well beyond what has previously been considered for their desktop cousins. They may be vulnerable in every phase from development to deployment and, afterwards, maintenance and security updates. On top of this, there are special concerns particular to mobile devices.
Is the security profile of your organization partly cloudy with a chance of meatballs? Is the security budget not expanding fast enough to cover required projects, or simply never enough? Can you easily explain the difference between managed security services, subscription security services, and Cloud infrastructure security, including VM monitoring services and virtual machine and hypervisor notification agents?
It may be time to climb out of the Cloud and look at alternatives to onsite security programs and controls. Security subscription services, managed security services, Identity services, Cloud infrastructure and data center services may be just the fix for never-enough budgets, staff turnover, and the need to deliver more in less time.
Saugatuck recently published a five-page Strategic Perspective entitled The Rise of Cloud Security Services (1562STR, 17Apr2015 – see link at bottom of this blog post, for premium subscribers to Saugatuck's CRS research service) that analyzes available Cloud security service alternatives across five key dimensions (see Figure 1). The piece identifies some of the leading vendors delivering Cloud security services in each of the five categories, explains what the different services are best suited for and why, and provides insight into the many guises of Cloud security.
Figure 1: Cloud Security Services
Source: Saugatuck Technology, 2015
It seems that all security products and services are being labeled as "Cloud security" these days, and that every vendor in the business of delivering security is now a Cloud security vendor. There's good reason why vendors are toeing the "Cloud" line as organizations transition from legacy systems and application workloads to virtualized Cloud data centers: the Cloud, and the transition to it, is where the money is. Continue reading Cloud Security Services – On the Move →
What’s stopping the largest percentage of enterprise leaders, including Finance executives, from trusting even some of their systems and data to Cloud providers?
December’s Saugatuck survey on Cloud and Finance, which has provided fodder for a terrific series of strategic reports, Strategic Perspectives, blog posts, and other insights published for and used by Saugatuck’s clients, included hundreds of open-ended responses regarding current and expected Finance IT systems and infrastructures. And while an encouraging plurality of survey participants indicated that they are moving, typically judiciously, toward using more and more Cloud for Finance, more than 20 percent of those writing in responses still expressed security-related concerns as their primary reasons for not even considering Cloud-based Finance systems.
The ones that stood out included the following:
“Every time our financial managers look at ‘the cloud,’ they only see that the information is outside our firewall and therefore perusable by anyone and everyone. Only completely public information will ever be stored off-site or outside of our company’s direct control.” – Controller, Healthcare, Upper-midsize company
“We are concerned about cloud security and competitors being able to access cloud information.” – Finance Director, Business / Professional Services, Midsize
“We have a fear of using the cloud based on possible hacking and fraud capabilities. Until it’s a proven technology we will keep everything in-house.” – VP Finance, Financial Services, Large
“Organizationally, we are evaluating the movement towards cloud-based computing, and are aware of the potential cost savings, but are tempered by the continuing risk of breaches.” – Director of IT, Healthcare, Upper-midsize company
First, let me vent in a blunt manner, then I’ll get to the more reasoned content.
In the old days, in each village, access to personally identifiable information was in your face: it occurred when the other villagers looked into your eyes. The days of the village and up-close eye contact have been replaced by vast amounts of digital data representing identity. The modern digital equivalent of identity information is stored in repositories in digital networks throughout the world. Continue reading The Business of Digital Identity →
Strap yourself into your seat for the big data security analytics show, for it’s coming to a town near you. Carnival barkers from every walk of life will want you to come into their tents to see the latest and greatest show on earth: the big data security analytics show.
You will want to understand why using evolution charts, Venn diagrams, Pareto charts, and Pivot tables can or will help. You’ll want to see what association rules, clustering, decision trees, and forecasting can do for you. And you will want to understand the difference between analysis and knowledge, as it’s applied to security.
You will also want to make the distinction between whether you have to hire a data scientist or not and whether this will solve your immediate problems. You will also want to consider which approaches you could take that will produce the most value in the short, medium, and long term for your company and career.
To be useful, security analytics must take the large volume of data that can be collected and take three actions with the data, as follows:
Reduce voluminous data and identify the pattern that matters,
Use the information to enable a timely and appropriate in-situ response, and,
Use the data to make adjustments – after the fact.
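The three actions above, worked through as an added example (not code from the original post) over a handful of constructed sshd log lines: reduce the raw lines to per-source failure counts and a Pareto ranking, decide an in-situ response against a threshold, and then adjust that threshold after the fact once an analyst has confirmed which source was actually malicious. The log lines, IP addresses, threshold and margin are all assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample log lines (not real data); all fall inside one short window.
SAMPLE_LOG = """\
Mar  3 10:00:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51112 ssh2
Mar  3 10:00:02 bastion sshd[2202]: Failed password for invalid user oracle from 203.0.113.9 port 51113 ssh2
Mar  3 10:00:02 bastion sshd[2203]: Failed password for root from 203.0.113.9 port 51114 ssh2
Mar  3 10:00:03 bastion sshd[2204]: Failed password for invalid user test from 203.0.113.9 port 51115 ssh2
Mar  3 10:00:03 bastion sshd[2205]: Failed password for root from 203.0.113.9 port 51116 ssh2
Mar  3 10:00:04 bastion sshd[2206]: Failed password for invalid user guest from 203.0.113.9 port 51117 ssh2
Mar  3 10:00:05 bastion sshd[2207]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2
Mar  3 10:00:07 bastion sshd[2208]: Failed password for jsmith from 198.51.100.4 port 40023 ssh2
Mar  3 10:00:08 bastion sshd[2209]: Failed password for jsmith from 198.51.100.4 port 40024 ssh2
Mar  3 10:00:09 bastion sshd[2210]: Accepted password for jsmith from 198.51.100.4 port 40025 ssh2
Mar  3 10:00:09 bastion sshd[2211]: Failed password for invalid user pi from 192.0.2.77 port 33001 ssh2
"""

# Matches both "Failed password for root from ..." and "... for invalid user admin from ...".
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def reduce_failures(log_text):
    """Action 1: reduce raw lines to a count of failed logins per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def pareto(counts):
    """Rank sources by failure count with the cumulative share of all failures,
    the 'which few sources account for most of the noise' view."""
    total = sum(counts.values())
    running = 0
    rows = []
    for ip, n in counts.most_common():
        running += n
        rows.append((ip, n, round(running / total, 3)))
    return rows


def respond(counts, threshold):
    """Action 2: in-situ response, a block decision for every source at or over threshold."""
    return [{"action": "block", "ip": ip, "failures": n}
            for ip, n in counts.most_common() if n >= threshold]


def adjust_threshold(counts, confirmed_malicious, margin=2):
    """Action 3: after-the-fact tuning. The new threshold sits just above the busiest
    source that an analyst did NOT confirm as malicious, so legitimate typo bursts
    (jsmith above) stay below it while the next brute-force attempt trips it."""
    benign_max = max((n for ip, n in counts.items() if ip not in confirmed_malicious),
                     default=0)
    return benign_max + margin


def run(log_text=SAMPLE_LOG, threshold=5):
    """Run all three actions; the analyst confirmation step is simulated by
    accepting every blocked source as truly malicious (an assumption)."""
    counts = reduce_failures(log_text)
    actions = respond(counts, threshold)
    confirmed = {a["ip"] for a in actions}
    return {"counts": counts, "pareto": pareto(counts), "actions": actions,
            "new_threshold": adjust_threshold(counts, confirmed)}


if __name__ == "__main__":
    result = run()
    for ip, n, share in result["pareto"]:
        print(f"{ip:15} failures={n:2} cumulative share={share}")
    print("actions:", result["actions"])
    print("tuned threshold for next window:", result["new_threshold"])
```

The data reduction is the part that scales: a Counter keyed by source is a tiny fraction of the raw log volume, yet it is all the response step needs. The tuning step is where "knowledge" rather than "analysis" enters, because the new threshold depends on an analyst's verdict, not on the counts alone.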
Mocana began as a technology provider of embedded systems security in 2004. Over the years Mocana has broadened its scope and identified two potential markets to address: one, the need to protect mobile devices and, two, to protect apps and the data on them. Mocana launched its Mobile Application Protection platform in 2011 with support for Android apps, and added iOS app support in 2012.
In 2012 Mocana raised $25 million in Series D funding, bringing total investment to $47 million, to expand its opportunity around its Mobile App Protection software. Trident Capital led the round, joined by existing investors Intel Capital, Shasta Ventures, Southern Cross Venture Partners and Symantec.
Mocana’s nearly two-year partnership with SAP, launched in May 2013, has taken a back seat to SAP’s single-minded focus on promoting its HANA platform. However, over the past twenty months, Mocana Atlas has emerged as a leading platform for delivering secure, high-productivity mobile integration with SAP solutions.
Mocana recently commissioned a research study designed to validate its economic benefit, and now stakes a claim to user productivity improvements that lead to faster application time to market and the resulting cost savings.
Privacy, or the lack of it, is a fact of life on the Internet today. With big banks, healthcare, and insurance companies being infiltrated, and national governments getting into the act amid rumors of proxies and direct involvement, the stakes and consequences involving identity data are becoming higher. Whether the raw data of identity is harvested by mobile telecommunication operators, big Internet search and online advertising companies, large online ecommerce houses, shadowy browser fingerprinting, or by stealth by government agencies and cyber-criminals, identity is big business, valued in excess of hundreds of billions annually, and will likely remain this way.
With almost 7.3 billion people on the earth today, only about 33 bits of information (log2 of 7.3 billion is roughly 32.8) are required to uniquely identify a single person living on the earth. It does not take much to reach 33 bits: the information can be assembled from small pieces of data about people, each of which rules out some fraction of the population. If you assemble and add enough small bits of information to someone's bit-profile, you quickly approach the 33 bits that narrow 7.3 billion candidates down to one person. And although browser fingerprinting and geo-location cannot uniquely identify a person by themselves, when they are surreptitiously mated to an email address, a Facebook account, a Google+ account, etc., the combination makes it possible to uniquely identify almost anyone. Continue reading The Business Impact of Privacy and Identity →
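Putting numbers on the "33 bits" argument, as an added example that is not from the original post: each attribute contributes log2 of the number of equally likely values it can take, and the contributions of independent attributes add. The bucket counts below, the 7.3 billion world and 320 million US population figures, and the uniformity and independence assumptions are all approximations chosen for illustration; real attribute distributions are skewed and correlated, so real contributions are somewhat smaller.

```python
import math

WORLD_POPULATION = 7.3e9   # the post's figure
US_POPULATION = 3.2e8      # assumption: rough mid-2010s figure


def bits_to_identify(population):
    """Bits needed to single out one person from `population`: log2 of the head count."""
    return math.log2(population)


def surprisal_bits(distinct_values):
    """Bits an attribute contributes if it is uniformly spread over `distinct_values`
    buckets (uniformity is an assumption; skewed real-world values give fewer bits)."""
    return math.log2(distinct_values)


def accumulate(attributes):
    """Sum the bits of independent attributes (independence is also an assumption;
    correlated attributes add less than their sum)."""
    return sum(surprisal_bits(n) for n in attributes.values())


def candidates_remaining(population, bits):
    """Expected number of people still matching a profile carrying `bits` of information."""
    return population / 2 ** bits


def is_unique(population, bits):
    """True when the profile narrows the population to at most one person."""
    return candidates_remaining(population, bits) <= 1


# Constructed profile of three mundane attributes; the bucket counts are assumptions.
PROFILE = {
    "us_zip_code": 42_000,    # roughly this many ZIP codes
    "birth_date": 80 * 365,   # birth dates spread over roughly 80 years
    "sex": 2,
}

if __name__ == "__main__":
    need = bits_to_identify(WORLD_POPULATION)
    have = accumulate(PROFILE)
    print(f"bits to single out one of {WORLD_POPULATION:.1e} people: {need:.2f}")
    print(f"bits in ZIP + birth date + sex (uniform assumption): {have:.2f}")
    print(f"candidates left worldwide: {candidates_remaining(WORLD_POPULATION, have):.1f}")
    print(f"unique within the US population? {is_unique(US_POPULATION, have)}")
```

Under these assumptions the three mundane attributes alone carry about 31 bits, enough to single out a US resident but leaving a few candidates worldwide. That gap is exactly what the post describes: a browser fingerprint, a geolocation or a linked account supplies the last couple of bits, and none of those sources needs to be unique on its own.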
Adoption of Cloud-based solutions is expanding across enterprises and across business departments within enterprises. Saugatuck's on-going surveys and discussions with IT executives indicate that significant expansion of Cloud usage will continue over the next two years. However, as experience grows, IT management teams are learning the "realities" of Cloud IT. In a recently published Strategic Perspective, Saugatuck reviews four reality areas discussed by an expert panel and an audience of IT executives at Saugatuck's recent Cloud Business Summit (CBS2014) conference in New York City. The four reality areas are characterized by the following questions posed to initiate the panel discussions: Continue reading Cloud Realities Revealed →