The Pendulum’s Swing Back to Privacy is Just Getting Started

Paula Musich
Paula Musich

Summary Bullets:

  • The growing use of encryption, especially in smartphones, gives privacy controls back to end users, much to law enforcement’s chagrin.
  • The backlash against government snooping is just getting started, and it will only get louder with time and a potential defining event that will spur widespread calls for reform.

The government met last month with Apple executives to talk about the new encryption technology used in Apple IOS 8 and now Google’s Android Lollipop release that can block government access to information on smartphones, even if law enforcement has a court order. IOS 8 encrypts all data on the device and passcode protects it. Data can’t be accessed without the passcode, which Apple does not have access to. The Justice Department, FBI, NSA and others are demanding access; the industry is saying customers demand their privacy. Who’s right? The widely used WhatsApp chat service also just significantly upgraded its encryption. I think the government over-reached (especially with the NSA’s Prism program) and failed to understand the gathering backlash created by the Snowden leaks, and the high tech industry, including Apple, is seeing a negative impact on business as a result of lost customer trust. Continue reading “The Pendulum’s Swing Back to Privacy is Just Getting Started”

Notes from the Front Line: CISOs Share their Problems and Prescriptions

Paula Musich
Paula Musich

Summary Bullets:

  • The NSA leaks have created new opportunities for non U.S.-based cloud providers.
  • Developing people and political skills among IT security pros is equally as important as developing technical skills, but it is often overlooked.

I had the good fortune to attend the CISO Forum in London this week and as usual it offered a lively discussion of critical security concerns faced by enterprises, governments and non-profits. Topics covered long running themes such as how to define, measure and manage risk; how to communicate the value of and need for information security to the C-Suite and board; how getting the basics right is difficult for most organizations; the security skills shortage; the need to provide agile security and more. Continue reading “Notes from the Front Line: CISOs Share their Problems and Prescriptions”

PII in the Sky – A Cloudy Outlook

Hugh Ujhazy
Hugh Ujhazy

Summary Bullets:

  • Asian governments are evolving their approach to managing PII data through legislative frameworks.
  • Data privacy rules are converging across the region, but the onus for protection still rests squarely with the enterprise.

A fully realized cloud infrastructure promises server, storage and applications (along with all their data) floating in a glorious OpEx soup. Managed from afar, provisioned in minutes, flexible and scalable – there is little to dislike. However, for enterprises operating in multiple jurisdictions in Asia, data protection remains a key issue in planning deployments of cloud solutions. Continue reading “PII in the Sky – A Cloudy Outlook”

Heartbleed Bug Shows Industry is Under-investing in Software Integrity

Paula Musich
Paula Musich

Summary Bullets:

  • The disclosure of the devastating Heartbleed bug – two years in the wild – illustrates how much the technology industry under-invests in software integrity.
  • Bug bounty programs spur greater participation in vulnerability research, and those who benefit most directly from open source software should contribute to an open source bug bounty program.

Unless you’ve taken a holiday from the connected world, you probably know by now about the Heartbleed bug. And if you’re a CSO or CISO, you’ve most likely seen plenty of suggestions on how to respond to the threat posed by this extremely risky and widespread vulnerability. Although the effort to address the problem is not quite as Herculean, it struck me that the response to the Heartbleed bug needs to be nearly as widespread as the effort to fix the date problem at the turn of the 21st century. Estimates that I saw about how widespread OpenSSL use is suggest that as much as 66% of all the websites across the globe use OpenSSL, and some reports suggested that the technology is embedded in a wide variety of network infrastructure devices, including routers, WLAN controllers, firewalls and more. But while enterprises had plenty of advance notice to address the date problem leading up to the year 2000, web site operators and technology vendors need to move with the utmost urgency to patch this flaw and clean up the mess created by this “catastrophic” vulnerability. It shouldn’t be a surprise that the coding error happened, and I don’t think that its existence is necessarily a condemnation of the way that open source vetting works. Continue reading “Heartbleed Bug Shows Industry is Under-investing in Software Integrity”

Something for Everyone at Interop Las Vegas 2014

Mike Fratto
Mike Fratto

Summary Bullets:

  • The upcoming Interop event in Las Vegas will offer lots of sessions and workshops from fellow IT professionals and experts to attend and get current on your interests.
  • Take part in the social gathering to meet old friends and make new ones. Personal networking is as important as anything in your career.

Interop is next week and I am looking forward to catching up with old friends, peers, and colleagues and making new acquaintances. Still, the draw for me is meeting with vendors and attending a few of the presentations over the course of the event. The content this year is very solid and there’s something for everyone.

Continue reading “Something for Everyone at Interop Las Vegas 2014”

Customer Authentication and Fraud Detection: The Contact Center’s Looming Challenges

Ken Landoline
Ken Landoline

Summary Bullets:

  • The costs of compromised security in the customer care environment are high to both the enterprise and the customer, and the occurrences of security breaches continue to grow briskly.
  • Although not widely used technologies today, the combination of voice biometrics and predictive analytics has great potential to enhance fraud deterrence.

The methods of customer identification and verification used in contact centers today take too much time and are a major source of customer irritation. Agents’ questions inquiring about personal identification numbers (PINs) or asking pre-arranged security questions, such as “What is your father’s middle name?”, have outgrown their usefulness and are often easily circumvented by fraudsters seeking illegal access to customer accounts and private corporate information. High on the list of technologies destined to replace these traditional techniques are voice biometrics coupled with sophisticated predictive analytics. Continue reading “Customer Authentication and Fraud Detection: The Contact Center’s Looming Challenges”

VMware Has a Security Attention Deficit Disorder

Paula Musich
Paula Musich

Summary Bullets:                

  • VMware continues to shift its virtualization security priorities around, this time with a focus on the new Service Composer in the NSX virtual networking platform.
  • Despite the lack of focus on VMware’s part, third-party security providers continue to make progress with existing products, building up greater maturity and expanding their installed bases.

VMware’s attempts to deliver a cohesive set of security services for its dominant server virtualization technology in partnership with leading security providers appears to be a bit of a shell game.  Just when you thought the gold security coin was under one shell, you discover that you missed the last move and now it is under another.  In this case, VMware had been working to create a set of higher level APIs developed in conjunction with leading security partners that would be easier to work with than the former VMsafe APIs and reflect the requirements of a broader set of security functions—not just anti-virus signature scanning.  But that was before VMware acquired software-defined networking startup Nicera for over $1 billion around the time of VMworld 2012.  Fast forward to VMworld 2013 and voila!  No progress report on the security APIs, no expansion of the partners writing to those APIs, no case studies demonstrating real world deployments of security products using those APIs to deliver better security for VMware hosted applications.  Instead what you find is that VMware has shifted its attention (and resources) to trying to establish a virtual networking platform that it hopes will do for networking what the virtual machine did for computing. Continue reading “VMware Has a Security Attention Deficit Disorder”

Is the Gmail Privacy Flap Just a Big Misunderstanding?

itcblog-marcusSummary Bullets:

  • Google has come under fire recently from a consumer organization which pointed to a company filing to claim Gmail users can have “no expectation of privacy”, given the company’s email processing function described in the public document. With Gmail in use by thousands of enterprises, business owners may be concerned about a potential breach in trust.
  • As it happens, the claims reveal no new information about any processes used by Google to manage its popular email service. Unfortunately, the press loves a story that makes Google out as “Big Brother” or worse, especially given the NSA surveillance revelations of recent months. Users should continue to trust Google as much or as little as they did prior to this press storm.

What Happened?

Google is in court over privacy concerns, fighting a class-action lawsuit that accuses it of breaking wiretap laws when it scans emails in order to target advertisements to Gmail users. It claims Google “unlawfully opens up, reads, and acquires the content of people’s private email messages”. In a bid to dismiss the suit, filed in May, Google explained that in the delivery of its service, messages could not be hidden from the company, seeing as it needs to process and display them for users. An unfortunate wording in its filing implies users shouldn’t expect “objective confidentiality”, but the company was trying to be transparent about the reality of electronic communication, the messages transmitted by which are by definition exposed to the software and machines running the system. Continue reading “Is the Gmail Privacy Flap Just a Big Misunderstanding?”

Wired Authenticated Access is a Chicken and Egg Problem, and It’s Scrambled Up

Mike Fratto
Mike Fratto

Summary Bullets:

  • Strong wired authentication and access control is available using 802.1X, which is needlessly complex in wired networks and 802.1ae which is not widely available.
  • Lack of customer demand doesn’t give equipment vendors any inducement to simplify 802.1X wired functions or add 802.1ae to network equipment. You can change that.

Ever wonder why 802.1X and 802.11i is so well supported in wireless LANs—even consumer grade access points—yet is complex and fragile in wired ports? It’s not the technology or differences in the capability of wireless compared to wired equipment. The reason is customer demand. You. The average enterprise user hasn’t demanded the same level of functionality in the wired network as they did in the wireless. Continue reading “Wired Authenticated Access is a Chicken and Egg Problem, and It’s Scrambled Up”

Are M2M Communications Secure?

Kathryn Weldon
Kathryn Weldon

Summary Bullets:

  • If M2M grows the way the ecosystem hopes it will, there will be millions and even billions of end points sending continuous (as well as more sporadic) data across wired and wireless networks, including proprietary and mission-critical pieces of information about customers and businesses
  • What are operators, systems integrators, and security software and services specialists doing about this? Why doesn’t security seem to be discussed as openly as other M2M requirements?

When holding briefings with operators involved in M2M, security and privacy issues come up occasionally. Generally mobile operators offer APNs, which means that an M2M device is connected to the customer’s private IP network or cloud rather than directly to the carrier’s wireless network or the public internet. This provides a level of built-in network security but doesn’t deal with breaches that come through a corrupted end-point.  Nor does it always prevent unwarranted or malicious access to data behind the firewall. Adding encryption to sensors or other low-end M2M endpoints let alone putting it in a chipset or module may be overly expensive, as is adding end to end encryption to the entire data flow in between the “machine” and wherever the collected data is being sent. SIM cards within embedded modules generally have some level of built-in authentication, but how about application security, device OS security, or the kind of proactive security practiced routinely for remote laptops and mobile devices such as frequently updated anti-virus/spam/denial of service software, intelligent threat detection, and all-purpose managed security services?  Continue reading “Are M2M Communications Secure?”