Dear Intel, Here’s Why Selling Intel Security Would be a Huge Mistake

Summary Bullets:
• A rumored sale of its security business would be a major mistake for Intel.

• Intel Security has strong legacy products, promising new ones, winning leadership and strategy, and presents synergistic opportunities key to Intel’s future.

I’m not sure what surprised me more: Sunday’s Financial Times report that Intel was exploring a sale of its security division, or that industry observers and partners alike seem to be either indifferent or actually in favor of such a dramatic move.

Current Analysis believes a sale of Intel Security or its assets would be a mistake, for a variety of reasons. Here’s a brief look at the value Intel Security provides its parent:


Google’s New “Android for Work” Program Actually Puts BYOD to Work

Brad Shimmin


Summary Bullets:

  • Google has at last launched its Android for Work program, prioritizing Android devices within the workplace through the separation of personal and professional data profiles.
  • But don’t look for Google to secure this data on its own; instead customers can look to partners AirWatch, MobileIron, SAP, Soti, MaaS360, Citrix, and others for full bore data security in the workplace.

Forget the Apple iOS and Google Android user wars. It doesn’t matter which one wins a user’s heart. In the enterprise, any enterprise willing to embrace the BYOD mindset, such questions just don’t matter. What’s important is the ability to make manageable and secure whatever crazy device users decide to bring into the workplace. But that’s never been an easy proposition.

Marking HTTP Sites as Insecure: The Emperor’s New Clothes Indeed!

Mike Fratto


Summary Bullets:

  • Users don’t have a way for readily knowing when a site should be protected using SSL/TLS or not, and Google engineers are proposing yet another indicator.
  • A better use of their time would be in working with existing standards efforts – or starting a new one – that let site owners indicate when a site should be protected.

Google is using its size in the web arena to effect changes in how users view the relative “security” of websites. I put security in scare quotes because that word has a dubious meaning at best and more likely doesn’t mean what the company intends. The short story is that Google wants a way to indicate to end users that a page which is not properly protected using TLS – the current, improved version of SSL – is not secure.

The Pendulum’s Swing Back to Privacy is Just Getting Started

Paula Musich


Summary Bullets:

  • The growing use of encryption, especially in smartphones, gives privacy controls back to end users, much to law enforcement’s chagrin.
  • The backlash against government snooping is just getting started, and it will only get louder with time and a potential defining event that will spur widespread calls for reform.

The government met last month with Apple executives to talk about the new encryption technology used in Apple iOS 8 and now Google’s Android Lollipop release that can block government access to information on smartphones, even if law enforcement has a court order. iOS 8 encrypts all data on the device and passcode-protects it. Data can’t be accessed without the passcode, which Apple does not have access to. The Justice Department, FBI, NSA and others are demanding access; the industry is saying customers demand their privacy. Who’s right? The widely used WhatsApp chat service also just significantly upgraded its encryption. I think the government over-reached (especially with the NSA’s Prism program) and failed to understand the gathering backlash created by the Snowden leaks, and the high tech industry, including Apple, is seeing a negative impact on business as a result of lost customer trust.

Notes from the Front Line: CISOs Share their Problems and Prescriptions

Paula Musich


Summary Bullets:

  • The NSA leaks have created new opportunities for non U.S.-based cloud providers.
  • Developing people and political skills among IT security pros is equally as important as developing technical skills, but it is often overlooked.

I had the good fortune to attend the CISO Forum in London this week and, as usual, it offered a lively discussion of critical security concerns faced by enterprises, governments and non-profits. Topics covered long-running themes such as how to define, measure and manage risk; how to communicate the value of and need for information security to the C-Suite and board; how getting the basics right is difficult for most organizations; the security skills shortage; the need to provide agile security and more.

PII in the Sky – A Cloudy Outlook

Hugh Ujhazy


Summary Bullets:

  • Asian governments are evolving their approach to managing PII data through legislative frameworks.
  • Data privacy rules are converging across the region, but the onus for protection still rests squarely with the enterprise.

A fully realized cloud infrastructure promises server, storage and applications (along with all their data) floating in a glorious OpEx soup. Managed from afar, provisioned in minutes, flexible and scalable – there is little to dislike. However, for enterprises operating in multiple jurisdictions in Asia, data protection remains a key issue in planning deployments of cloud solutions.

Heartbleed Bug Shows Industry is Under-investing in Software Integrity

Paula Musich


Summary Bullets:

  • The disclosure of the devastating Heartbleed bug – two years in the wild – illustrates how much the technology industry under-invests in software integrity.
  • Bug bounty programs spur greater participation in vulnerability research, and those who benefit most directly from open source software should contribute to an open source bug bounty program.

Unless you’ve taken a holiday from the connected world, you probably know by now about the Heartbleed bug. And if you’re a CSO or CISO, you’ve most likely seen plenty of suggestions on how to respond to the threat posed by this extremely risky and widespread vulnerability. Although the effort to address the problem is not quite as Herculean, it struck me that the response to the Heartbleed bug needs to be nearly as widespread as the effort to fix the date problem at the turn of the 21st century. Estimates that I saw about how widespread OpenSSL use is suggest that as much as 66% of all the websites across the globe use OpenSSL, and some reports suggested that the technology is embedded in a wide variety of network infrastructure devices, including routers, WLAN controllers, firewalls and more. But while enterprises had plenty of advance notice to address the date problem leading up to the year 2000, web site operators and technology vendors need to move with the utmost urgency to patch this flaw and clean up the mess created by this “catastrophic” vulnerability. It shouldn’t be a surprise that the coding error happened, and I don’t think that its existence is necessarily a condemnation of the way that open source vetting works.

Something for Everyone at Interop Las Vegas 2014

Mike Fratto


Summary Bullets:

  • The upcoming Interop event in Las Vegas will offer lots of sessions and workshops from fellow IT professionals and experts to attend and get current on your interests.
  • Take part in the social gathering to meet old friends and make new ones. Personal networking is as important as anything in your career.

Interop is next week and I am looking forward to catching up with old friends, peers, and colleagues and making new acquaintances. Still, the draw for me is meeting with vendors and attending a few of the presentations over the course of the event. The content this year is very solid and there’s something for everyone.


Customer Authentication and Fraud Detection: The Contact Center’s Looming Challenges

Ken Landoline


Summary Bullets:

  • The costs of compromised security in the customer care environment are high to both the enterprise and the customer, and the occurrences of security breaches continue to grow briskly.
  • Although not widely used technologies today, the combination of voice biometrics and predictive analytics has great potential to enhance fraud deterrence.

The methods of customer identification and verification used in contact centers today take too much time and are a major source of customer irritation. Agents’ questions inquiring about personal identification numbers (PINs) or asking pre-arranged security questions, such as “What is your father’s middle name?”, have outgrown their usefulness and are often easily circumvented by fraudsters seeking illegal access to customer accounts and private corporate information. High on the list of technologies destined to replace these traditional techniques are voice biometrics coupled with sophisticated predictive analytics.

VMware Has a Security Attention Deficit Disorder

Paula Musich


Summary Bullets:

  • VMware continues to shift its virtualization security priorities around, this time with a focus on the new Service Composer in the NSX virtual networking platform.
  • Despite the lack of focus on VMware’s part, third-party security providers continue to make progress with existing products, building up greater maturity and expanding their installed bases.

VMware’s attempts to deliver a cohesive set of security services for its dominant server virtualization technology in partnership with leading security providers appear to be a bit of a shell game. Just when you thought the gold security coin was under one shell, you discover that you missed the last move and now it is under another. In this case, VMware had been working to create a set of higher-level APIs developed in conjunction with leading security partners that would be easier to work with than the former VMsafe APIs and reflect the requirements of a broader set of security functions—not just anti-virus signature scanning. But that was before VMware acquired software-defined networking startup Nicira for over $1 billion around the time of VMworld 2012. Fast forward to VMworld 2013 and voila! No progress report on the security APIs, no expansion of the partners writing to those APIs, no case studies demonstrating real-world deployments of security products using those APIs to deliver better security for VMware hosted applications. Instead what you find is that VMware has shifted its attention (and resources) to trying to establish a virtual networking platform that it hopes will do for networking what the virtual machine did for computing.