Friday, July 10, 2009
Enhancing DLP
What exactly is DLP? The general consensus is that DLP technologies worth their salt should include some form of content awareness. Was recently at the Gartner Security Summit and Eric Ouellet made a strong case for it - if you get a chance to see the presentation, it is very well worth it and provides a great overview.
Also, just read a good article in CSO Magazine by Bill Brenner on technologies that can extend the value of DLP. Am glad that folks are seeing the value of encryption within a data leakage context and am encouraged by the comment by William Pfeifer about the requirement to protect the data at all times and not just at rest. This, I believe, is the right information-centric approach.
One point I think Bill might have missed is the value of Identity technologies (IAM) to enhance DLP as well. I strongly believe that the combination of IAM + content-aware DLP + persistent encryption can solve (from a technology perspective) many of the challenges we face. This gives control over roles, the content itself as well as completing the action of protecting the data by enforcing specific access control triggers within the data itself.
Aha - true "discover once, protect forever" :)
Posted by Manu Namboodiri at 9:45 AM
Labels: data leakage, information-centric
Monday, July 6, 2009
The SharePoint security conundrum
Sometimes going to security conferences can be not as useful. However, I just got back from the Gartner Security Summit - some very interesting presentations and conversations. I like the in-depth analysis that they do - and this time I was intrigued by the SharePoint security presentation by Neil MacDonald.
A few points I learnt:
- SharePoint is the fastest growing product in Microsoft's history! Taking over and replacing many file shares and other collaboration products.
- Security is a big concern due to the rapid growth - especially when collaborating with external parties.
- Data is usually not encrypted within SharePoint - makes it hard to search and index.
Will be interesting to see how this shakes out - I am excited about the information-centric security approach that SharePoint will force organizations and vendors to adopt!
Posted by Manu Namboodiri at 12:51 PM
Labels: classification, information-centric
Wednesday, June 10, 2009
The T-Mobile Breach - getting personal
Now they are getting personal! Being a T-Mobile customer has brought this scary world of breaches and identity theft home to me - with the news that T-Mobile confidential and customer data had been breached.
Being in the security industry and seeing a lot of breaches, one tends to get a bit overwhelmed - both with the scale and costs involved. And after a while one gets a bit numb as well. However, when it hits you personally, like it does for me now, it feels a bit different. I am frantically checking each of my credit card statements for erroneous charges, my bank statement to see if any worrisome withdrawals have gotten through etc. I am worried about my SSN being compromised and identities of my family stolen. Not a fun place to be...
While this may turn out to be a hoax, as some suggested (I selfishly do hope it is), the sinking feeling it gave me when I read the news is real. And such a breach is not, by any means, far-fetched.
Posted by Manu Namboodiri at 10:59 AM
Labels: data breaches, Data Privacy
Sunday, May 10, 2009
EU requiring guarantee of software security?
In one word - wow. Looks like software companies might be held liable for the security of their software if the EU gets its way. According to the article:
"Software companies could be held responsible for the security and efficacy of their products, if a new European Commission consumer protection proposal becomes law.
Commissioners Viviane Reding and Meglena Kuneva have proposed that EU consumer protections for physical products be extended to software. The suggested change in the law is part of an EU action agenda put forward by the commissioners after identifying gaps in EU consumer protection rules."
I like this, since BitArmor itself has announced a No-Breach Guarantee. It is a good idea to make sure software vendors have a bigger stake in making their software more secure.
However, I am not sure I like the stick approach. There could be multiple ramifications to this. Will all software have the capability to do this and be secure? Will vendors become more risk-averse and thus not innovate? How will the varying nature of environments that software works in enable such a law to be enforced?
I think it might be better to provide incentives for better security, i.e. ensure that government contracts have a preference for software with such guarantees - rather than a blanket law that forces it.
Posted by Manu Namboodiri at 3:22 PM
Labels: guarantee
Tuesday, April 7, 2009
Security and learning from nature
Nature is interesting in how it deals with threats. I think we can learn a lot from it (while I am just as sure I will be reaching while I construct some of the analogies below!).
One point that always sticks in my mind is how the "bad stuff" in terms of germs, viruses, bacteria etc. are all around us, right next to us. Compare this with how an organization likes to look at security:
- Try to ensure the whole environment is secure (i.e. free of bacteria etc.)
- Try and restrict movement of assets (i.e. restrict sharing of data)
However, the lesson is: let's not try and fix the environment - we will never be successful. Let's try and ensure the asset (in this case the data or information) is truly protected. This information-centric approach is the better and more logical way forward - as nature points out to us!
Posted by Manu Namboodiri at 11:35 AM
Labels: information-centric
Monday, March 30, 2009
Devolution, job responsibilities and data-centric security
Seems like the data/information-centric approach to data protection is gathering more steam. Interesting article in CSO Magazine by Forrester analyst Andrew Jaquith talks about giving up control to gain control - using a data-centric security approach. Very interesting.
It talks about forgoing an infrastructure control perspective in favor of being more data-centric and giving up responsibility to those who use the data.
Here is a short excerpt:
"Instead of beating your head against the wall, devolve responsibility to the business, keeping controls closest to the people who use the data. IT security should be primarily responsible only for deploying data protection technologies that require minimal or no customization."
Another excerpt I agree with:
"Confronted with these three challenges, some nervous CIOs and CSOs choose to throw the proverbial kitchen sink at the problem: DLP, encryption-everywhere, enterprise key management, NAC, and employee education. However, this approach will fail because at its roots, the problem of data security stems from four sources: digital information was meant to move; information classification isn't ingrained into work processes; technical solutions aren't standardized; and accountable parties are too far from the controls."
The main one being (highlight above is my emphasis) - data is meant to move, distribute and gain in value! You cannot stop data from moving and be a friend of the business!
Posted by Manu Namboodiri at 3:06 PM
Labels: data-centric, information-centric
The Chinese Cyber very, very, very, targeted attack
Incredible news about the cyber attack launched from China - and its taking over systems worldwide.
What is amazing about this is the large number of countries attacked - 103 with the small number of actual computers affected - 1200! Just about 10 systems a country - now that's a targeted attack! And to top it off, apparently over 30% were "high-value" systems and those within embassies of many countries.
It is remarkable that something this targeted can be achieved using one malware - unless it is the secondary phase after another one was spread wide, segmented the market and finally targeted those that are important.
Without taking away from the seriousness and criminality of it, the marketer in me is impressed - and shocked.
Posted by Manu Namboodiri at 9:38 AM
Labels: data leakage