Tag Archives: security

The Privacy Con
What is Happening?

Online privacy is an ongoing concern for consumers, businesses, governments, and academia. But there is wide disagreement about its importance to consumers, the costs to businesses, and need for regulation. Academia asserts a lack of transparency amongst data collectors, while businesses say consumers approve of their actions.

Last week, Saugatuck’s Ron Exler participated in the Federal Trade Commission’s (FTC) first privacy conference, PrivacyCon, in Washington, D.C. More than 500 participants from computer science, behavioral science, law, economics, and politics attended, with sessions covering five key areas of IT privacy and security:

  1. The Current State of Online Privacy
  2. Consumers’ Privacy Expectations
  3. Big Data and Algorithms
  4. Economics of Privacy & Security
  5. Security and Usability

The net takeaway? Privacy is a con game whose effects are widely misunderstood.

Will 2016 Bring a Framework for Encryption Warrants?

The unfettered use of modern cryptography is coming under pressure from governments around the world that wish to: 1) limit its uses, 2) require “backdoors” that give them access to the data it protects, and 3) compel technical assistance from telecommunication and Internet operators to obtain access to encrypted data.

The current pressure for restrictions and super-access privileges is coming from governments in China, France, the U.K. and the U.S. The move by these governments to gain access to encrypted data follows the terrorist attacks in Paris and San Bernardino by ISIS terrorists and sympathizers who use smartphones, tablets, computers, the Internet, Wi-Fi, Tor, and VPN services to recruit, plot and carry out attacks around the world.

  • In France, the government extended a State of Emergency that expands house arrests, restricts freedom of association, maintains warrantless searches, expands search powers to cover electronic devices, and enables the French government to block websites and social networks.
  • In the UK, bulk data collection powers are being expanded, including the ability to link devices and their usage to IP addresses. A new bill being considered in Parliament will force Internet service providers to keep records of every website their customers visit for 12 months, for subsequent access by law enforcement.
  • In China, a new law mandates telecommunication and Internet service providers to provide technical methods, assistance and support for decrypting data and other counterterrorism efforts of the government.
  • In the US, a proposed Senate intelligence committee bill will require companies to decrypt data upon government request.


Data Insanity Will Slow the IoT

The promise of the IoT is improved service interactions between businesses and their customers, and between governments and their citizens. Realizing that promise relies on collecting, managing, and analyzing data. But the IoT generates data streams in unprecedented volumes, frequency, and variety. These data streams can choke the networks, applications, and target systems. The data lands in data management systems that in many cases are unable to process it adequately.

With existing systems often unable to support IoT demands, enterprises assume they must add new infrastructure. IoT deployments do require infrastructure expansion: new devices and applications are the norm. But it is the IoT data streams, not the device count, that define the scale.

Just because we can collect data from connected objects frequently, should we? It is no secret that most IoT data is underused, misused, or simply unused. Misused data means added deployment cost and project time. Adequate and appropriate data planning is critical to an attractive ROI on an IoT deployment.

Instead of assuming the need to collect as much data as possible and filter it later, more attention should go into planning the data lifecycle. Users, developers, and providers of IoT-related offerings need to consider the potential costs of careless data collection. Planning questions should start with the application requirements.

Poor Interoperability Will Slow the IoT

At least half of the expected real economic value of the IoT will come from interoperability – connecting devices to each other and external systems. But interoperability in the IoT is costly and complex. Standards efforts are nascent and confusing. The pace of innovations is outrunning the ability to connect the devices.

Plus, the IoT is perhaps the most hyped technology trend of the last decade. Its promise touches almost every aspect of human existence. From smart factories to smart cities, connected devices are changing the way enterprises and governments operate and provide services. But something stands in the way of the IoT reaching its full potential: reality. The reality is a web of poorly connected sensors feeding data streams in unprecedented volumes and variety into systems that are unable to process them adequately.

While it is easy to blame the providers, success in IoT interoperability goes beyond the IT Master Brands working together. The age-old position that competitive advantage comes from proprietary technologies is passé. Instead, the winners will be providers who flexibly support the enterprise transactions their business constituents require. And successful enterprises will engage those providers and tackle interoperability head-on to address business requirements. Collaborative pilot projects are cropping up to show how the IoT can address specific applications.

IBM’s Bernie Meyerson Set to Keynote 2015 Cloud Business Summit NYC

We’re pleased to announce that Bernie Meyerson, VP and Chief Innovation Officer at IBM, will deliver the opening keynote at Saugatuck Technology’s upcoming 2015 Cloud Business Summit, taking place on November 4th at the Yale Club of NYC.

In a presentation entitled “Information Technology: A Tectonic Shift,” Meyerson will explore what’s next after Moore’s Law – as the advent of new forms of parallelism become a leading framework defining IT over the planning horizon.

Since the invention of the first solid-state computers, IT has enjoyed consistent, predictable advances in performance that were quite easy to assimilate – the number of transistors on a chip would double approximately every two years. Fortunately for the IT industry, increasing circuit density yielded increasing performance while reducing costs ranging from device manufacturing to electrical power consumption. Such performance increases were easy to exploit . . . and addictive. Unfortunately, as circuit features have now approached the dimensions of only a few atoms, the end of increasing circuit density is near. In essence, Moore’s Law has been repealed. Meanwhile, technology advances such as predictive analytics, big data, and mobility (among others) have only continued to drive the need for IT capacity at an accelerating pace.

The consequence is that designers of IT application and infrastructure architectures will have to turn in a new, more challenging direction. As Meyerson will share, one likely scenario is Continue reading IBM’s Bernie Meyerson Set to Keynote 2015 Cloud Business Summit NYC

Making Threat Intelligence, Intelligent

The old joke about military intelligence is that the term is an oxymoron. The joke came about not because people serving in the military were unintelligent, but because many who served witnessed orders that appeared unintelligent yet had to be followed. Given that many military orders originate in policy set by politicians, the joke might land differently had the phrase been “politician intelligence.”

In fact, military intelligence is a discipline with a very long history: it collects a great deal of data and information, analyzes it, and provides guidance to commanders who need to make decisions. That places it close to the reality in which the average enterprise finds itself today: at war with smart cyber-attackers hired by competitors and criminal gangs, battling well-equipped and superbly trained State actors with very different motives, and facing an onslaught of hacktivists and terrorists.

Current cyber threat intelligence services are in their infancy. Some of the Cloud-based services deliver raw data masquerading as intelligence, while others deliver data that has been evaluated and analyzed by human intelligence analysts.

How the Security Game of Whack-a-mole Changes

Vulnerability management is the area of security that can best be compared with playing whack-a-mole, a game in which rubber mole heads pop up at random from the holes in which they are hiding. Your job is to whack the head of each mole with a rubber mallet, forcing it back into the hole from which it came. You score points for each mole you force back into a hole, and the more points you score in the allotted time the higher your total score.

In the game of vulnerability management, you hit the moles by applying patches and configuration changes to IT assets to eliminate or minimize the attack surfaces available to hackers. The problem is that hacker-moles operate silently: you don’t know which ones are there or which holes they are operating in, unless you are constantly searching all the holes to determine whether a hacker-mole has enough space to get into and through them.

Determining where the holes are that will attract the moles is the job of vulnerability scanners, most of which are now operated as Cloud service subscriptions. And it’s not working. The reason it’s not working has little to do with the scanning services and almost everything to do with the lack of the other tools and services you need to run up your score by smashing the moles faster. Having information about where the moles are, how many there are, where they are lurking and what their cycle-times are would make you far more effective in the face of the onslaught of hacker-moles attacking the enterprise network.
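The missing pieces the paragraph above describes (where the holes are, how long each has been open, and which ones are past their deadline) are a data-correlation problem, not a scanning problem. The following is an added example, not code from the original post or from any Saugatuck product: it joins constructed scanner findings with a hypothetical asset-exposure inventory and SLA table, ranks the open findings, reports SLA breaches, and measures remediation cycle time. All finding ids, hostnames, scores, SLAs and dates are made up for the example, and the finding ids are not real CVE identifiers.

```python
"""Vulnerability remediation tracking: exposure-weighted risk, cycle time, SLA breaches.

Added example. Asset names, finding ids, scores, SLAs and dates are constructed
and hypothetical; the finding ids are not real CVE identifiers.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    finding_id: str               # hypothetical scanner finding id
    asset: str                    # host the scanner reported it on
    severity: float               # CVSS-style base score, 0.0 - 10.0
    first_seen: date              # first scan that reported the finding
    fixed: Optional[date] = None  # first scan that no longer reported it


# Hypothetical asset inventory: 1.0 = internet-facing, lower = internal only.
ASSET_EXPOSURE: Dict[str, float] = {"web-01": 1.0, "jump-01": 0.7, "db-01": 0.3}

# Hypothetical remediation SLA in days per severity bucket.
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def severity_bucket(score: float) -> str:
    """Map a CVSS-style score onto the SLA buckets above."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def days_open(f: Finding, today: date) -> int:
    """Cycle time so far: days from first sighting until fixed (or until today)."""
    return ((f.fixed or today) - f.first_seen).days


def risk_score(f: Finding, today: date) -> float:
    """severity x exposure x overdue factor.

    The overdue factor grows linearly with the fraction of the SLA already used,
    so an old high on a semi-exposed host can outrank a fresh critical on an
    internal one. Unknown assets are treated as fully exposed (worst case).
    """
    exposure = ASSET_EXPOSURE.get(f.asset, 1.0)
    sla = SLA_DAYS[severity_bucket(f.severity)]
    return f.severity * exposure * (1.0 + days_open(f, today) / sla)


def patch_queue(findings: List[Finding], today: date) -> List[str]:
    """Open findings, highest risk first."""
    open_findings = [f for f in findings if f.fixed is None]
    ranked = sorted(open_findings, key=lambda f: risk_score(f, today), reverse=True)
    return [f.finding_id for f in ranked]


def sla_breaches(findings: List[Finding], today: date) -> List[str]:
    """Open findings that have already exceeded their SLA, in input order."""
    return [
        f.finding_id
        for f in findings
        if f.fixed is None and days_open(f, today) > SLA_DAYS[severity_bucket(f.severity)]
    ]


def mean_cycle_time(findings: List[Finding]) -> Optional[float]:
    """Average days from first sighting to fix over closed findings (None if none closed)."""
    closed = [days_open(f, f.fixed) for f in findings if f.fixed is not None]
    return sum(closed) / len(closed) if closed else None


# Constructed scan history.
TODAY = date(2015, 10, 1)
SAMPLE: List[Finding] = [
    Finding("F-1", "web-01", 9.8, date(2015, 9, 20)),
    Finding("F-2", "db-01", 9.8, date(2015, 9, 20)),
    Finding("F-3", "jump-01", 7.5, date(2015, 6, 1)),
    Finding("F-4", "web-01", 5.0, date(2015, 9, 1), fixed=date(2015, 9, 15)),
    Finding("F-5", "db-01", 4.0, date(2015, 8, 1), fixed=date(2015, 9, 10)),
    Finding("F-6", "web-01", 9.1, date(2015, 9, 28)),
]

if __name__ == "__main__":
    print("patch queue :", patch_queue(SAMPLE, TODAY))
    print("SLA breaches:", sla_breaches(SAMPLE, TODAY))
    print("mean cycle  :", mean_cycle_time(SAMPLE), "days")
```

On the sample data the four-month-old high on the semi-exposed jump host ranks above the eleven-day-old critical on the web server, which is the point: severity alone, which is all a scanner gives you, does not tell you which mole to hit first.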

Dangers Lurking in the Shadows of IT

In light of high-profile security breaches – some possibly sponsored or performed by governments – enterprise IT assets seem more exposed than ever before. And every IT manager is excruciatingly aware that their fundamental mission is to ensure the security of the data, applications, and infrastructure under their purview. However, even as they develop plans for evolving their infrastructure to include Cloud alternatives, IT organizations are becoming increasingly aware of the extent of Cloud-based solutions already in use by the business units they support. This Shadow IT consists of ad hoc Cloud-based solutions implemented or adopted with little or no involvement of the IT organization.

As a result of that awareness, security is under increasing scrutiny across all industry segments. Saugatuck projects that security will become a major focus – on a par with the adoption of Cloud offerings – by mid-2016. In a recently published Strategic Perspective, Saugatuck identifies the factors that increase the security exposures posed by Shadow IT:

  • Abuse of privileges on approved Cloud applications;
  • Access of Cloud applications by former employees;
  • Cloud app security that fails to comply with internal or industry requirements;
  • Lack of monitoring and control of documents shared through Cloud collaboration tools; and
  • Lack of audit trail of changes to user authorizations, configuration settings, etc.

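Three of the exposures in the list above (unsanctioned apps, access by former employees, and unmonitored document sharing) can be surfaced from data most organizations already have: the web proxy log, an HR offboarding list, and a cloud-app domain catalog of the kind a CASB or proxy category feed provides. The following is an added example, not code from the original post or from any Saugatuck product; the log format, users, hostnames, app catalog and byte threshold are all constructed for the example.

```python
"""Shadow IT triage from proxy logs: unsanctioned cloud apps, former-employee
access and large outbound transfers.

Added example. The log format, users, hostnames, app catalog and thresholds are
constructed; a real deployment would feed it the proxy's own export and a CASB
or proxy-category domain list.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed proxy export: timestamp, user, destination host, bytes sent by the client.
PROXY_LOG = """\
2015-09-14T08:02:11Z alice api.crm.example 51230
2015-09-14T08:05:40Z bob files.share-app.example 2093114
2015-09-14T08:07:02Z carol www.news.example 8821
2015-09-14T08:09:55Z dave files.share-app.example 45120
2015-09-14T08:15:19Z alice docs.notes-app.example 19220
2015-09-14T09:01:03Z erin api.crm.example 301
"""

# Hypothetical cloud-app catalog (destination host -> app), as a CASB feed would supply.
CLOUD_APP_DOMAINS: Dict[str, str] = {
    "api.crm.example": "CRM-SaaS",
    "files.share-app.example": "FileShare-SaaS",
    "docs.notes-app.example": "Notes-SaaS",
}
SANCTIONED_APPS = {"CRM-SaaS"}    # apps IT has approved and monitors
FORMER_EMPLOYEES = {"erin"}       # from the HR offboarding list; account should be disabled
UPLOAD_ALERT_BYTES = 1_000_000    # outbound volume to an unsanctioned app worth a look

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<bytes_out>\d+)$")


def parse_log(text: str) -> List[dict]:
    """Parse the constructed log format; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["bytes_out"] = int(entry["bytes_out"])
            entries.append(entry)
    return entries


def shadow_it_report(entries: List[dict]) -> dict:
    """Correlate proxy entries with the app catalog, the sanctioned list and HR data."""
    unsanctioned: Dict[str, set] = defaultdict(set)
    former: List[Tuple[str, str]] = []
    large: List[Tuple[str, str, int]] = []
    for e in entries:
        app = CLOUD_APP_DOMAINS.get(e["host"])
        if app is None:
            continue  # not a known cloud app: out of scope for this report
        if app not in SANCTIONED_APPS:
            unsanctioned[app].add(e["user"])
            if e["bytes_out"] >= UPLOAD_ALERT_BYTES:
                large.append((e["user"], app, e["bytes_out"]))
        if e["user"] in FORMER_EMPLOYEES:
            # Access to a sanctioned app still counts: the account should be gone.
            former.append((e["user"], app))
    return {
        "unsanctioned": {app: sorted(users) for app, users in sorted(unsanctioned.items())},
        "former_employee_access": former,
        "large_transfers": large,
    }


if __name__ == "__main__":
    for key, value in shadow_it_report(parse_log(PROXY_LOG)).items():
        print(f"{key}: {value}")
```

The former-employee check deliberately runs against sanctioned apps too: an ex-employee reaching the approved CRM is an identity lifecycle failure, not a Shadow IT finding, but it is the same log and the same join that exposes it.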

Gorillas in Our Midst: Mobile App Security Issues

From a security perspective, mobile apps are much more than they seem. They may appear to be harmless and benevolent creatures, yet their potential for security issues resembles something more like King Kong. Mobile apps can wreak havoc with security because they are easily introduced, easily developed, and easily deployed. Their usefulness leads to complacency. Yet they increasingly gain access to critical information and important corporate applications through APIs in the cloud. Mobile apps also have access to a wide variety of personal data, such as location information, social information, contacts, photos and videos, and anything else a user may care to contribute to social streams. If this weren’t enough cause for concern, they often embed credentials, passwords, and other information that would be critical for gaining access to corporate data directly, or through social engineering techniques.

Figure: Attack Vectors for Mobile Apps

Source: Saugatuck Technology

Despite these issues and the value of what they hold, mobile apps are notoriously insecure. Relatively little attention has been paid to them because of their recent introduction and because their development coincides with broader changes in software development practice. Apps create security concerns going well beyond what has previously been considered for their desktop cousins. They may be vulnerable at every stage from development to deployment and, afterwards, maintenance and security updates. On top of this, there are special concerns particular to mobile devices.

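The embedded credentials the section warns about ship inside the app package, where anyone who downloads the app can read them. A first-pass check that a practitioner can run over an unpacked bundle is a scan of the string resources for sensitive resource names, Basic-auth headers and high-entropy values. The following is an added example, not code from the original post or from any Saugatuck product; the strings.xml fragment and every name and value in it are invented for the example, and the three rules are a starting point rather than a complete secret-scanning product.

```python
"""Scanning an app's packaged string resources for embedded secrets.

Added example. The resource file below is constructed (names and values are
invented); the rules are a first pass, not a full secret-scanning product.
"""
import base64
import binascii
import math
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed Android-style strings.xml fragment; every value is made up.
SAMPLE_STRINGS_XML = """\
<string name="app_name">FieldSales</string>
<string name="api_base">https://api.example/v1</string>
<string name="api_key">k9F2xQ7LwPz3RbT8vN1mYcH4</string>
<string name="support_email">help@example</string>
<string name="db_password">Summer2015!</string>
<string name="auth_header">Basic YWRtaW46U3VtbWVyMjAxNSE=</string>
<string name="analytics_id">Q8w3ZtR2pLx9Kc7Ym4Nv1Hb6</string>
"""

STRING_RE = re.compile(r'<string name="(?P<name>[^"]+)">(?P<value>[^<]*)</string>')
SENSITIVE_NAME_RE = re.compile(r"(password|passwd|pwd|secret|api_?key|token|auth)", re.IGNORECASE)
BASIC_AUTH_RE = re.compile(r"^Basic\s+(?P<b64>[A-Za-z0-9+/=]+)$")
ENTROPY_MIN_LEN = 20
ENTROPY_THRESHOLD = 4.0  # bits per character; URLs and prose sit well below this


@dataclass(frozen=True)
class SecretFinding:
    line: int
    rule: str
    name: str
    redacted_value: str  # never carry the full secret into a report


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def basic_auth_user(value: str) -> Optional[str]:
    """Username from a Basic header value, or None if it is not one (password side is dropped)."""
    m = BASIC_AUTH_RE.match(value)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group("b64"), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    return decoded.split(":", 1)[0]


def redact(value: str) -> str:
    return value[:3] + "***"


def scan_strings(text: str) -> List[SecretFinding]:
    """Apply the rules in priority order; each resource line yields at most one finding."""
    findings: List[SecretFinding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = STRING_RE.search(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value").strip()
        if not value:
            continue
        user = basic_auth_user(value)
        if user is not None:
            findings.append(SecretFinding(lineno, "basic_auth", name, f"user={user}"))
        elif SENSITIVE_NAME_RE.search(name):
            findings.append(SecretFinding(lineno, "sensitive_name", name, redact(value)))
        elif len(value) >= ENTROPY_MIN_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            findings.append(SecretFinding(lineno, "high_entropy", name, redact(value)))
    return findings


if __name__ == "__main__":
    for f in scan_strings(SAMPLE_STRINGS_XML):
        print(f"line {f.line}: {f.rule:15s} {f.name} = {f.redacted_value}")
```

The entropy threshold is the tuning knob: the API base URL in the sample is 22 characters but scores about 3.75 bits per character and is ignored, while the two 24-character random-looking values score about 4.58 and are caught even when their resource names say nothing about their purpose.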

Cloud Security Services – On the Move

Is the security profile of your organization partly cloudy with a chance of meatballs? Is the security budget not expanding fast enough to cover required projects, or simply never enough? Can you easily explain the difference between managed security services, subscription security services, and Cloud infrastructure security, including VM monitoring services and virtual machine and hypervisor notification agents?

It may be time to look beyond onsite security programs and controls. Security subscription services, managed security services, identity services, and Cloud infrastructure and data center services may be just the fixes for never enough money, staff turnover, and the need to deliver more in less time.

Saugatuck recently published a five-page Strategic Perspective entitled The Rise of Cloud Security Services (1562STR, 17Apr2015 – see link at bottom of this blog post if you are a premium subscriber to Saugatuck’s CRS research service) that analyzes available Cloud security service alternatives across five key dimensions (see Figure 1). The piece identifies some of the leading vendors delivering Cloud security services in each of the five categories, explains what the different services are best suited for and why, and provides insight into the multiple forms Cloud security takes.

Figure 1: Cloud Security Services

Source: Saugatuck Technology, 2015

It seems that all security products and services are being labeled “Cloud security” these days, and that every vendor in the business of delivering security is now a Cloud security vendor. There’s good reason why vendors are toeing the “Cloud” line as organizations transition from legacy systems and application workloads to virtualized Cloud data centers: the Cloud, and the transition to it, is where the money is.