Black Hat Roundup: Keeping Tabs on the Ones That Got Away

B. Ostergaard


Summary Bullets:

  • With the annual Black Hat event in Las Vegas, the global Internet community celebrates its felons.
  • Like physical combat, Internet security requires a good understanding of enemy black hat strategies.

Last week saw Las Vegas hosting the 15th annual Black Hat event. From its inception in 1997, Black Hat has grown from a single annual conference in Las Vegas (still the main event with the highest stakes) to a global conference series with annual events in Abu Dhabi, Barcelona, Las Vegas and Washington, DC. From its nefarious roots, it spouts uncomfortable truths about the insecurities we face every day as global net workers. It’s difficult to find any other industry where crime and passion are so closely aligned and where ‘respect’ and ‘respectable’ are terms so far apart. Cyber-warfare for profit and power lacks any basic ‘Geneva Convention’ that could specify global rules of conduct and the means to prosecute felons.

Hunting for Big Data in Cloud Services: Customers Need a Better Security Standards Map

B. Ostergaard


Summary Bullets:

  • The lack of cloud security standards and the expanding range of cloud providers complicate RFPs.
  • The Current Analysis Cloud Security Study shows IT SPs ahead of carriers and the U.S. ahead of Europe.

The decision to migrate to the cloud is complicated by the expanding number and variety of cloud service providers (typically carriers, IT SPs, vendors, or dedicated cloud SPs), each with its own legacy of strengths and weaknesses, coupled with a dearth of specific cloud security standards to put into a request for proposal (RFP). Apart from PCI DSS in the retail sector and FedRAMP for the delivery of cloud services to the U.S. government, the security standards that apply to cloud services relate to general business process quality (ISO9000), data center management processes (ISO27001-5), auditing (SSAE 16), and a slew of more vertical, industry-specific requirements around the handling of sensitive personal data. Corporate customers are still relying on best-practice guidelines from standards bodies such as NIST in the U.S. and ENISA in Europe, as well as on user/industry forums such as the Cloud Security Alliance with its Cloud Matrix tool. Still, what does the cloud security playing field look like from the service provider side? How can providers assess their service offerings against amorphous customer requirements, and against the other providers in the market?

Stop GIGO Data with Better Information Management

B. Ostergaard


Summary Bullets:

  • The looming GIGO data storm
  • Information management capabilities are more important than cheap storage capacity

Ease of storage expansion and lower storage costs per TB, combined with the drive to be more security ‘compliant’, threaten to create a perfect data storm. Present conditions seem to encourage regulators and government agencies to insist that public sector institutions as well as corporations collect and retain even more data that is not required for operational purposes, but might be needed in future, might be needed for public safety, or might aid future issue handling. Corporate governance, risk and compliance (GRC) policies are going in the same direction. The bottom line is: added operational costs. Privacy issues aside, from a cost-benefit perspective two facts spring out: first, some 98% of what is stored is never viewed again, and second, information management is way behind the curve. To put it bluntly: garbage in, garbage out (GIGO) is a growing problem because duplication, inconsistencies and randomness, as well as systemic errors, lead to massive waste. Policy decisions based on such data risk being flawed and misleading, unlike those based on well-informed analysis of timely and reliable data. Clearly, it’s easier to just add more data to storage than to actually create an information management policy and capability that gives some assurance that the data used for decision-making is valid to some defined degree.
