Ben Rothke: Stepping in Front of the Camera at RSA
Ben Rothke spent a lot of time behind the camera at this year’s RSA documenting the perspectives of the security industry’s tastemakers, but we rather hoped that he’d get in front of the camera at some point and share his thoughts.
Happily for us, the good folks over at InfosecIsland.com managed to catch Ben after his presentation on data destruction and asked him to sum up his thoughts on the topic.
As far as Ben’s concerned, data destruction really isn’t rocket science. With a few simple tools, a willingness to implement best practices, and a healthy relationship with both the vendor and the National Association of Information Destruction, there’s no need to fear the data destruction process and inadvertently leave your company’s data behind for all the world to see.
Federated Passport: Is the future here?
By Vaune M. Carr, Principal Consultant & Security Practice Lead, BT Global Services
The potential for an identity ecosystem, including federated passports, federated IDs and single sign-on capability for Internet sites (be it your bank or your Facebook account), that has been suggested by the White House has spurred quite a bit of debate. But it’s troubling, to me, for a variety of reasons. An identity ecosystem could be not only part identifier but also part profiler, amassing an unsolicited biography of your online banking, healthcare, and any survey data you offer up on the Internet. Who would have access to that profile and to what end?
The government sees this as a facilitating technology that could make it easier for the user (who can’t remember all the passwords he or she has created) as well as for government agencies that would have easy access to a person’s data (and usage profile) in one location. What no one should lose sight of, however, is that pooling data about multiple aspects of an individual’s identity heightens risk. If everything about someone, from Social Security number and bank account numbers to passwords for all online accounts, resides in the same place, a hacked account could be devastating, both personally and financially.
In addition, since this online ID would include information that falls into both private (financial) and public (Social Security) sectors, it raises the question of who is responsible for protecting the information. Should your bank be just as responsible for your Facebook password as your account numbers? Does the government really need to worry about your Twitter ID alongside your passport number? Which of the entities should be relied upon for prevention and detection of unlawful acts and misuse of any of the information being accessed?
Once again, the boundaries between personal, private and public information are becoming blurred.
Monitoring will become increasingly important as stores of information continue to accumulate. But we need to bear in mind that monitoring can only be as good as the latest updates to address new threats. How many organizations are actually making the latest updates to their threat profiles? The fact is, updating a threat profile is not the same as waiting for your latest version of anti-virus. The best updates are coming from organizations dedicated to this particular security function, Managed Security Services. Anything less is subject to “piece of the pie” budget restraints. Which would serve you better for maintaining control over your voting habits — Facebook posts or online banking transactions? You know the answer.
How will you protect your information in a world with changing boundaries? How will you protect your customers’ information? The process requires analytical power and continual monitoring, with dedicated experts looking for the next threat so they can protect you and your organization’s information.
Before the White House moves too far in the direction of an identity ecosystem or federated ID, citizens and entities will need many assurances before extending that level of trust.
Friday, March 18, 2011
Tablet Wars Cause Network Access Control Pain
By Sushila Nair, Product Manager, BT Counterpane
The tablet war is heating up with Google’s announcement of an operating system for the Honeycomb tablet. Meanwhile, Apple is predicted to release a new iPad in April.
The difference in business models is fascinating — Google does not make its own devices, but gives its operating system, Android, to manufacturers for nothing; whereas Apple has complete control over its devices, refusing to allow them to run on anything but its own hardware.
The war between Apple and Google seems destined to be exciting. In its latest survey of the U.S. mobile phone industry, comScore reported that while RIM continued to lead among smartphone platforms with 33.5 percent market share, Android charged past the iPhone to take second place with 26 percent of U.S. smartphone subscribers. Currently, Apple leads in the tablet market war, but with the release of Honeycomb and the absence of Steve Jobs from Apple’s helm, it remains to be seen whether Apple will maintain that lead. Independent of who wins the tablet war, there is no doubt that tablets are here to stay. As a corporate tool or as a consumer device, the tablet needs to be taken seriously.
Organizations that assume that the tablet market is simply a consumer product should think again. Gartner predicts that by 2013, 80 percent of the workforce will be using tablet devices. The portability and low cost of tablet devices, complemented by the improvement of 3G and 4G networks, make these mobile products very attractive to corporations looking to keep workforces connected while cutting costs.
These smart devices also fit well with cloud-style, centralized environments and point to a new type of corporate infrastructure. Couple them with the growing BYOC (bring your own computer) models being run by organizations such as Kraft, Microsoft, Intel and Citrix, to name a few, and what opens up in front of us is a very exciting but difficult-to-secure network.
The advent of smart devices that plug into a corporation’s network will not completely oust desktops, any more than secretaries really vanished with the advent of computers. There is, however, no doubt that a significant proportion of that network will be accessed by untrusted end points. A battle is already being fought between network access control, which enforces a minimum set of controls before end points can access the network, and the implementation of controls so that smart devices can only reach untrusted parts of the network.
We are likely to end up with some kind of blend. For now, the battle has highlighted that flat networks are pretty much dead and that not only does information need to be classified according to risk, but end points need to be classified by risk as well. Corporate data storage on untrusted end points must be very heavily weighed and controlled. There must always be a preference for corporate data to remain on corporate assets, and for that data to be accessed through remote-access-style applications which encrypt and secure the information according to risk.
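As an added illustration, not code from the original post or from BT, here is how the blend described above could be encoded as a small access policy: a NAC-style posture check places each end point in a risk tier and a network segment, and a data classification decides whether the end point may hold a local copy or must reach the data only through a remote-access application. The tiers, segment names, attribute names and policy table are all constructed assumptions for this example.

```python
from dataclasses import dataclass

# End-point trust tiers, lowest to highest, and the segment each lands on
# (constructed for this example; real VLAN names will differ).
TRUST_ORDER = ["untrusted", "restricted", "corporate"]
SEGMENT = {"untrusted": "guest-vlan", "restricted": "byoc-vlan", "corporate": "corp-vlan"}


@dataclass
class Endpoint:
    managed: bool    # enrolled in corporate device management
    encrypted: bool  # storage encryption enabled
    patched: bool    # OS at a supported patch level
    byoc: bool       # personally owned (bring your own computer)


def classify_endpoint(ep: Endpoint) -> str:
    """Posture check that yields a risk tier instead of a plain allow/deny,
    so a failing device is still placed on a segment rather than blocked."""
    if ep.managed and ep.encrypted and ep.patched and not ep.byoc:
        return "corporate"
    if ep.encrypted and ep.patched:
        return "restricted"  # acceptable posture, but not a corporate asset
    return "untrusted"


def place_on_segment(ep: Endpoint) -> str:
    return SEGMENT[classify_endpoint(ep)]


# Data class -> lowest tier that may access it at all, and lowest tier that
# may keep a local copy (None: data must always stay on corporate assets).
DATA_POLICY = {
    "public":       {"min_tier": "untrusted",  "local_tier": "untrusted"},
    "internal":     {"min_tier": "restricted", "local_tier": "corporate"},
    "confidential": {"min_tier": "corporate",  "local_tier": None},
}


def decide_access(ep: Endpoint, data_class: str) -> str:
    """Return 'deny', 'remote-only' (access only through an encrypting
    remote-access application, no local storage) or 'full'."""
    policy = DATA_POLICY[data_class]
    tier = TRUST_ORDER.index(classify_endpoint(ep))
    if tier < TRUST_ORDER.index(policy["min_tier"]):
        return "deny"
    local = policy["local_tier"]
    if local is not None and tier >= TRUST_ORDER.index(local):
        return "full"
    return "remote-only"
```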
The bottom line is that organizations need to bring tablets into their environment in a controlled fashion. If organizations haven’t already started doing so, the time is now to start the process of analyzing and developing policies, procedures and guidelines around smart devices, because by all predictions a tablet is coming to your network soon.