A fresh post in a long while ..
So, after writing for clients and my research being all-consuming this past year, I am re-focusing time in my day to share observations and thoughts. Why? Quite simply, I learn more when I write, share, and get feedback than when living in an echo chamber. How will this benefit the world/you? Simple: you will share in the knowledge I gain from sweat and toil and learn through the same iteration cycle as I do. I also will begin focusing my posts on my dedicated portal for such topics and (attempt) to limit my writings here to on-topic. I hope you will continue to join me on the new(er) site and the other media platforms.
Also, I am trying to aim for a high-iteration format instead of the long form of old. Meaning, shorter (I hope) posts that are succinct on ideas without the typical pre/post writings that are common in most write-ups. My ask: please share, challenge, and seek to understand my perspective, as I will do for you.
Onward then …
Today is RSA day, and two themes are evident and of most importance based on several large client discussions, analyst discussions, and a few researchers I had the privilege of speaking with today:
- Communicating the WHY is of paramount importance today (WHY are we spending security budgets on X assets? WHY are our practices for managing enablement between development, operations, and security out of sync? Etc.)
- Passive Resistance (my phrase, but after a day of hearing about NSA, RSA, and crypto architects disowning responsibility for operational deployment and for “enabling” privacy and security, this is where I landed) is the idea of persons and organizations being asked to respond to these threats in a manner that impinges on their capabilities. There are many problems with this stated position, but I shall leave that for another day and your own pondering.
Businesses must address #1 and be extremely cautious with #2, and #2 will be a heavy discussion during my RSA session on Thursday for all that are present. If you are unable to attend, I will as usual post my work and research in note form online. Looking forward to learning and expanding my thinking with you.
Posted in Compliance
Tagged 2014, analysis, bank and technology, best practice, cio, ciso, Compliance, rsa, rsa conference, rsac, rsaconference
Below are my notes and takeaways from the first day of RSA London. The day started off with plenty of cinematics and a nature-themed opening session by the heads of RSA. The location is fantastic – the conference hotel is very close to good trains in London and there are plenty of things around. While the hotel is a bit of a maze, I am told it is a fair trade-off from prior years.
Arthur Coviello opened the conference and gave a great deal of specifics regarding the industry. He actually gave a fantastic introduction to my session materials, and that certainly helped the delivery of my own session. (Speaking of my session – I will be composing my session into a paper and posting it online to gather opinion and input).
- 15 billion devices communicating – according to John Ganz, “The Embedded Internet: Methodology and Findings”
- By 2011, 75% of the US workforce will be mobile (BNET)
- Facebook will exceed 300M users by end of 2009.
- More information has been created in this decade than “all time”?!
- All content is created digitally at inception or within 3 months.
- Physical control of IT assets is loosening
- Growth and adoption of IT Cloud services will reach 35 billion Euros, capturing 25% of ALL IT spending
- Today “high value” is in taming the complexities of information and this is the challenge of IT organizations.
- The challenge of the security industry is to enable these ubiquitous technologies and enable them in a boundaryless IT environment.
Hugh Thompson of People Security:
Hugh gave a great session that was both animated and well structured. His presentation reflected a past project where I created algorithms and technology to conduct social cyber forensics using similar mechanisms. He gave a good number of points regarding Data Gateways, and I hope that his presentation will be available to help disseminate the definitions and risks.
He highlighted (the somewhat obvious fact) that people are indiscriminately posting data online through social sites. There will be a fallout from the information posted online. There should be some kind of education for people on “what to post” online.
A takeaway from the Meetup dialogs was that if the social norm is to post all this information, then the minority is to not. Therefore, is it right to educate the masses or to secure them on their behalf? Interesting implications for security authentication and authorization systems as a result.
Guy Bunker’s session:
Highlighted the Jericho Forum 2009 Cube and provided very interesting and impactful questions that every organization should know about – need to see if I can find a copy of that slide.
In an internal infrastructure situation, if the system-to-system controls fail it is generally OK: an audit deficiency or a weekend is in order to rectify the error. If such errors or security failures occur at the Cloud Administrator, the exposure has an impact – the severity depends upon the breach, the information, and the audience.
“Compliance is the dark side” … hmmm
- Moving to the cloud does not remove the duty of complying with regulations
- Moving to short-term contracts with Cloud providers (i.e., spinning up an environment for XYZ project over a measured time frame) introduces requirements to demonstrate that these environments are appropriately secure and compliant. How do the onboarding, management, measurement, and offboarding processes occur in these environments?
- A point of caution (especially within the EU) is the exporting of data to these providers: do they maintain possession in properly approved regions and systems?
- Data Migration:
- Moving data back and forth between internal and external clouds can be difficult
- Moving the data when the systems are proprietary requires API and conversion efforts
- Restoration of data from backups based on prior/old applications creates a challenge when the system has been wholly updated and older versions are no longer supported (think JP Morgan being required to provide restored email backups from systems they internally managed that are no longer available from the vendor)
- Questions to Ask Part 1 and Part 2 are a nice breakdown of sanity checks when using cloud providers by Guy Bunker
- A trend in new threats is people taking entire Virtual Machine images, not just data. This captures not only the information but, more importantly, the HOW and the MEANS of delivering the exact same service.
The end of the evening included the vendor booths, which were significantly smaller than at the April conference, but better due to the quieter and more productive conversations I had and observed. The Blogger Meetup was also on Tuesday, and it was great. Plenty of very smart individuals, and the conversations were all geek, security, compliance, and extensions of sessions conducted during the day. I actually hope that other such evening events will come together to take advantage of the presence of so many experts in their fields.
Day 1 was certainly a success. The tremendous focus on Cloud, Social Media Risks, Identity Fraud, and audit was rich and worthwhile. A personal takeaway I have is how applicable my hands-on work around securing auditable Cloud environments is for businesses.
Other sources for information:
More to come…
James DeLuccia IV
Posted in Compliance
Tagged 2009, audit, best practices, botnet, cloud practices, Compliance, europe, forensics, it compliance and controls, IT Controls, london, recap, rsa, rsaconference, Security