Sunday, 29 April 2007

A Spanjaard in the Works

Over on PCI Answers I've been talking about Henk Jan Spanjaard at Decru today. I met him at InfoSec last week, and he was a genuinely nice, friendly guy. I've never met a Dutchman I didn't like, must be something in the air :) I asked him why he hadn't tried to poach me from Vormetric and he said "because I didn't know where you were!" Which is at least diplomatic.

Then, whilst searching for a quote about European disclosure I also came across this little gem from HJS:

"Bedrijven moeten zich afvragen hoeveel zin firewalls hebben als de opgeslagen data niet beveiligd is. Ze doen de deuren op slot, maar laten de ramen open. Op deze manier lopen bedrijven onnodige risico’s op het gebied van security", zegt Henk Jan Spanjaard van Decru.

I don't speak Dutch, I just love the way it sounds. Loosely translated this means: "Companies must wonder how much intelligence firewalls have themselves as stored data is not protected. They lock the doors, but leave the windows open. This way companies are in danger of unnecessary risks", says Henk Jan Spanjaard from Decru.

This is exactly my point about firewalls, neatly explained in a few lines. I think I'm going to start saying it in Dutch.

Maybe I'll make more sense?

Saturday, 28 April 2007

Playing $oftball

Slightly off message today, but after yesterday I deserve a break and it's the weekend...

There's been a lot in the press around my home town of Winchester, UK, about Paul Allen of Micro$oft's intention to buy local football (that's soccer to you American types) club Southampton F.C. The story broke yesterday morning in the Daily Echo - a complete rag of a newspaper - so I wouldn't be in the slightest bit surprised to find out that someone at the Echo has a number of shares in SFC and is just pissed off that they're doing so badly again this season. The share price jumped 30% yesterday on the back of this "exclusive".

There are various reports from Allen's camp to the effect of "what?", "Southampton, where's that then?", etc. but apparently Southampton have confirmed that there is an offer on the table. Well, if it's in the Guardian it must be true (er...). Considering Paul Allen's track record with sports teams, it would seem that his match with Southampton is a good one . I haven't been to watch an SFC match since my season ticket ran out in 2001, but I can't say I've felt like I've missed anything. Mind you, I feel pretty much the same about Microsoft.

Football is becoming duller and duller the more money is pumped into it, when Abramovich bought Chelsea it just became scary. Glazier buying Man. U made it laughable, Madejski at Reading, Gay-whatever-vich buying Portsmouth didn't register, more Russian blood money dissecting our national game and pride.

All it ever seems to achieve is more young men on coke-fueled Saturday night rampages in their 20s having to apologise to the press/their families/partners/friends, getting fat, then burning out in their 30s to become whisky soaked middle-aged sad cases with little of their earnt fortune remaining.

Still, I'm not bitter or anything.

Friday, 27 April 2007

A Brief History of the Future.

Joshua led the Israelites 7 times around the ancient city of Jericho until the walls came down. Joshua was a man after my own heart. I would gladly walk 7 times around every firewall in the world if it would make them crumble to dust. Once again however, I digress.

The aim of the Jericho Forum is to promote business by taking away the hard outer layers of perimeter security that are ubiquitous these days. Some people can't see this ever happening, and like the people who believed so strongly that the world was flat, they resort to name calling and snorting to prove their point (sorry this is such an old article, but it's still the 5th entry on Google when searching for "Jericho Forum", number 3 being a discussion board for the TV Series Jericho. Doh!)

Deperimeterisation is a very long word, but it makes such a lot of sense if you spell it right. I'm beginning to see it happen already. I talked previously about AppGate and Secerno; these are both a step towards creating better security at the app and db levels. I've seen some fabulous security this week, firewalls are being incorporated into UTM devices fairly universally now, and this is a great way to get rid of them altogether.

Once UTMs have replaced all the firewalls we will be left with proper devices at the perimeter which filter out all the crap and leave you with something clean to go through your network. However, why then would we leave them at the perimeter? Network devices are only ever applications working inside a box. Why not make this security travel with each transaction, or at least build it into your apps, make it data-centric rather than network-centric...

UTM is the first step, AppGate have seen this already, Hoff over at Crossbeam also knows this, and is cashing in. F5, who I am a great fan of, have been breaking into the same space for a while, as have Juniper, Bluecoat, etc, etc.

Computers are becoming powerful enough to be basically a network in a box, but still want to connect to each other. It's becoming like the internet in the early seventies again, just a collection of connected points without concentrated private networks. Albeit there are a hell of a lot more of them, but the principle is the same.

In this scenario, the perimeter is dispersed or non-existent, so there's no way of telling where it is to protect it, and this is how it should be security should have as few variables as possible to ensure ubiquity and uniformity. This makes business easier, and now we have open standards for communicating, this is possible to do securely, unlike the 70s.

We still have to educate the users: security will one day boil down to best practices and learning how to be safe as the technology becomes reasonably standard across the board. We will see more platforms, frameworks for building security on like UNP, more standards, SOA, webservices, XML, until there are no longer any huge advances to be made or huge margins to be gained. This is long after the Semantic Web of course and way into the future.

The new billionaires will be the inventors of the next "next big thing", which will leave us all kicking ourselves that we hadn't thought of it of course, and the world will change again.

(Better than Hawking any day.)

Thursday, 26 April 2007

And on the last day...

...he rested and saw that it was good. Yep, OK, I enjoyed it. InfoSec was a roaring success for me in fact, and I had people actually come up and tell me they'd read my blog. Even some quite clever people. Igor Drokov over at Security x.0 stopped to talk to me for quite a while and I felt humbled in the presence of such a large brain. Those Cambridge guys are pretty amazing.

I also met with every other vendor under the sun, pressed some flesh with the distis and resellers, saw some great new technologies, looked at some girls in short skirts and talked a hell of a lot. What more could a man ask for?

Well, I'll tell you what. I came home to find a newly delivered mail from my newest American buddy, Mike, over at PCI Compliance Demystified, from a geezer in the US wanting to write an article on PCI. So I've given him some stats and expect to see my name up in lights soon. I'll let you know where it appears, as it seems I have quite the fanbase now.

I expect to see that decrease now I've said that of course.

Wednesday, 25 April 2007

On the Second Day...

...I could barely get out of bed. It was only the thought of seeing all my chums again that willed me in today. Good God my back aches. I remember standing up at these things in days gone by and not needing to sit down every time someone came to talk to me. Mind you, all this was fields then... I digress.

So I went to see Secerno today, and their stuff really does seem to be as awesome as I thought, didn't get around to Centrify, but spent a good 40 minutes at the AppGate stand. This stuff is seriously good by the looks of things. A mature "deperimeterisation" technology they call it. I'm not 100% convinced of this yet, but they are heading in the right direction better than anyone else I've seen. Maybe I will expand on this at a later date. Depends if they want to partner or not I suppose... :) The power of blog.

In other news today: I had an email from my old friend Owen at QinetiQ (which is still a bloody silly name), and he actually had a bit of a rant. He agreed with all things blog, said that I was looking at the right technology at InfoSec, etc. but pointed out that I was wrong about firewalls and that some of them (the layer 7 application kind) are OK. Gah, rubbish! Firewalls are satan's (network) device and should be banned. Deperimeterisation is the way forwards, data-centric security will rule the earth as the Semantic Web takes it's hold over mankind, and I will be your natural leader. OK, this might not happen for another 20 years, but I'm certain that it will one day. They laughed at Einstein you know.

That is to say: my blog = my rules. :p

Tuesday, 24 April 2007

On the First Day of Infosec... back aches and I'm losing my voice, and yet I feel strangely satisfied.

So, where's the big buzz this year? Strangely enough, it felt like it was all around. The first day is always quieter than the others, but this one seemed to be humming along very nicely. I walked around the whole show and saw some great things, Secerno and Centrify I will be examining more closely tomorrow. I caught up with some old friends, Ingrian, the Equip/Horizon crowd, F5, Bluecoat; made some new friends, Decru, Protegrity, SafeNet, and will hopefully catch up with Hoff at some point as I noticed he was absent from the Crossbeam stall today...

The real interest from the crowd seems to be split, on one side there is a lot of interest in application security, on the other hand the really big spenders are coming over to talk about compliance, and we couldn't be better placed.

So, if you've got deep pockets and want a data integrity PoC, come over to G130 and look at the fabulous Kinamik stand. I'm the tall one with the stripy tie and glasses invariably on my head.

I must also put in a quick hello to Mairtin (yes, that is spelt correctly, I checked) O'Sullivan from an unpronouncable place near Dublin, who came to see me especially to talk about PCI and told me he had read this blog. That's got to be worth a mention...

Monday, 23 April 2007

The 4-year Itch

InfoSec tomorrow, and I have to admit to a slight feeling of excitement. Maybe it's because I haven't been to one for a couple of years, maybe it's because I'm on one of the bigger stands this year, or maybe it's because I've got a lot of talking to do.

I'm fascinated to hear what all the buzz will be about this year, because as far as I'm concerned, the security industry in the UK has got a bit lost recently. When I was in distribution there was little interest in any of the really important security breakthroughs, but the load balancers and SEM/SIEMs were flying off the shelves. NAC was also just getting popular. Anyone in the US reading this will be scratching their heads now - I will repeat one of my many moans here - the UK is consistently around 4 years behind the US in terms of security, more in some areas.

I worked in encryption, with Ingrian for a few years, and for Vormetric for a year in the UK. There was a limited market for it, hence my move to distribution. There I again worked with Ingrian, and am delighted to report some uptake at last, but not without work. In the US, both of these companies are doing great things, and deservedly so. Vormetric in particular is an astoundingly good piece of technology which deserves to be much more widely used than it is. Maybe in 4 years time we will see a large take up in the UK?

Curiously enough some things seem to be working in parallel. There is a big buzz around UTM, but I don't think anyone really understands it, they just see it as a way to cut costs. And there's the rub. The difference in the 2 markets is that in the US they will install "belt and braces" security before the horse bolts bceause they will get sued if they don't and because they can. In the UK, we wait until it's well and truly broken, if we can't fix it for free, we try to do it on the cheap. And what's the average lifecycle of a piece of technology before it is superceded or needs a complete upgrade...? Around 4 years.

Friday, 20 April 2007

Guerilla security

I've been doing the rounds again and saw a great quote from Alex ( on Michael Smith's blog: "Interestingly enough, the goal of security awareness is the same as war - to change the values of the culture. How about that?"
Michael has just produced what he calls a CISO's book of death too.

It seems to me that they have stumbled across something here which all CSO/CISOs will recognise. Getting anyone to listen to anything to do with security is a fight, and you often need to be sneaky and subtle to get your objectives achieved. I've been talking on PCI Compliance Demystified to a guy (Andrew) who, like me, lives in Spain, but works offshore in Gibraltar for a gaming company. To cut a long story short, he's having issues getting the PCI program off the ground and is starting to use "tactics". Some of the things he's done are great, and similar to things recommended by Mike Rothman in "The Pragmatic CSO", some of them are a bit sneakier. These are the ones I particularly like.

Anyone else have any interesting stories about how they managed to get a security issue recognised or a program successfully implemented against the odds? Let's hear it, there's a prize for the most inventive and original if it's true.
And if you can get to Barcelona to pick it up.

Tuesday, 17 April 2007

How much does security suffer for sales?

The simplest example of WORM (write once, read many) storage is a CD or DVD. Once written, that data cannot change, we can only read from it as many times as we like, or destroy it. Great. I trust that data. Until the very second it leaves my sight that is. Once someone else has it they can copy it where they like, reproduce it, change it and put it back on a similar storage medium.

Also, taking a step back, was this data originally in a database file? Was the database secure? How do you know? Did the data get written by an application? Was that secure? Did the application have good user controls? Access controls? Secure transmission? I suddenly don't trust that data at all.

More complex WORM drives are available, and some storage companies are using software to create unique tape and drive identifiers. These are great sales pitches, but are still just point solutions. What extra security do they provide, other than a warm fuzzy feeling that compliance is being addressed? I can't answer that, please let me know if you can. COMPLIANCE != SECURITY.

Security NEEDS to stack up, if you have a storage solution, you need to secure EVERYTHING above it, and the storage into which you are depositing needs to be secured BY everything above it, otherwise it is weakened by it.

I spoke with a Bay Area product manager for a very large storage vendor a couple of weeks back. I told him about some integrity software and he said "Well, I'll talk to a couple of people, but I don't think we'll be interested." Long story short: they weren't. Long story explained: the storage company sells more storage if it is WORM storage. Using integrity software they could re-use that storage and that would stop sales. Ugh. So much for security then. Oh, and the "security software" solutions for WORM, yes, they can be uninstalled. D'oh!

This same storage company has bought a security company, like many of them seem to be doing now. I'm sad for the state of security, I hope someone will prove me wrong, I really do.

Monday, 16 April 2007

Tune in, turn on, drop out...

I had a few minutes spare this afternoon and as ever, decided to read a few other people's blogs. I started to notice a lot of people blogging about a mysterious Heidi, Geek Girl Detective. Expecting to be directed to someone else's blog, I clicked and was surprised to see a cartoon style story, and just decided to give it a go.

3 hours later finally finished looking at a great story. I've never spent that long on one website before. If the author (mysteriously anonymous still) doesn't make a career as an author, she could certainly make a killing from advertisers.

However, that may be one reason I spent 3 hours on there without breaking stride. No annoying adverts flashing in my face explaining how I can enlarge my penis and get my hair back.

I don't need any of that now, I have something better to do, and it's free. Have a read.

Saturday, 14 April 2007

Another great idea (which wasn't mine)

I've just posted on PCI Compliance Demystified about compliance being a business issue and realised that I owe a lot of what I'm saying to Mike Rothman. I bought The Pragmatic CSO last week and it arrived astoundingly quickly to be with me yesterday morning. I have been devouring it ever since, and sending Mike irritating "I would have done this" emails (well, he did ask). To his credit, Mike has taken everything without sending a "piss off smart-arse" reply.

Without turning this into a book review or hero-worship, everything in the book is spot on. These are the things which you wish you had known when you started your ascent up the security ladder, not just when you reach CSO. These are the things everyone selling to and communicating with a CSO should know about their job too.

Every classic mistake is illustrated in the book, and more importantly, the way to avoid or get out of the consequences. For those of us that have made them, this would seem obvious, but then considering this in a "lights on" moment I realised that it is not obvious or I wouldn't have made the same mistakes in the first place, not everyone has been through this, nor will they need to now.

So, could I have written the same book? Maybe, not as well as Mike though.
Did I think of writing it? No, no I bloody didn't.

Friday, 13 April 2007

Ye Olde InfoSecce

I wrote an article for the InfoSec show programme this year, and no, it didn't get printed. Apart from the fact that I write gibberish, I wondered what kind of thing I should be writing to get published. I can't say I was impressed, or surprised. Not to belittle the efforts of those who did get printed, they are very smart people with very high profile jobs, but it's just not new and exciting anymore. I remember the days when SafeNet didn't have to offer £25,000 "incentives" to visit their stand, there were no dancing girls on the booths, just engineers in grey suits. Well, some things aren't so bad I suppose.

Reading through my show programme I have a strange sense of deja vu. Everything I'm reading today, I've read before somewhere. Possibly it was the same show programme last year, possibly it was the contributors own websites, but more likely I think it was amongst my brethren in the SBN. Except for one important factor, what I'm reading now seems like yesterday's news.

There are columns on Web 2.0 "The New Internet bring New Security challenges", I swear we did that 6 months ago. I've been blogging about Web 3.0 for a week now. "UTMs or point solutions", that's just a Hoff v. Shimmy debate isn't it? "The rise of the data breach" made me laugh, I'm sure I've been telling people this for AT LEAST 4 years - since I worked for Vormetric.

Maybe it's because I'm blessed to have worked with Americans, so get to see the trends coming before they hit our shores, maybe it's because I read stuff, maybe it's because I've worked in the channel for many years. Whatever the case, I'm kicking myself for writing an article about data integrity for a market which is still getting to grips with PGP encryption.

Still, at least I get to see my buddies in the UK again. And the dancing girls.

Saturday, 7 April 2007

Web 3.0 research

Since I put up my post about Web 3.0 yesterday I have had more hits on that page than any other in my blog history, apart from the ones explicitly about data security. This is not only amazing due to the lack of content, but hilarious because I was saying that I don't know what it is...

It appears that there are people out there searching through blogs looking for the meaning of the web. How the web imitates life. So, it seems to me that if I put out a definitive definition (as all definitions should be) and labeled it up properly, within a couple of weeks, whatever I said would be right just by sheer force of numbers.

Right, here goes... only kidding. This is what I've pulled together over the past few weeks, my understanding as it currently is. I welcome criticism and comments.

A brief history:

Web 1.0 is the web as most of us have grown up with it. HTML pages served up to us with little interaction, maybe the odd form to fill in which populates a back-end database, safely (we hope) situated deep in the belly of, or

Neither Web 1.0 nor Web 2.0 has a hard boundary, however, the concepts surrounding the idea are fundamentally different. Whereas 1.0 treated the web as a communication medium and the providers of content control the data, the core values of 2.0 are using the web as a platform and users controling their own data/content.

If Web 2.0 is basically using existing web technology and becoming more interactive, Web 3.0 has to be making that interaction more data-centric. Data-centric as opposed to user-centric, and data-centric as opposed to file-centric. I'm in heaven. I prayed for this day to come. But it hasn't yet of course.

The Semantic Web (TSW) is often talked about in hushed tones at present, as though no-one really dares say it too loud in case it doesn't actually happen. It's another one of Tim Berners-Lee's brainstorms, so it's got to be good, but it does depend on completely different styles of usage of the web, and that's going to take some programming. The basic premise of TSW is that URLs are used as database fields, the web is just one giant database (Web 3.0) and we can shove whatever applications on top of it that we like (Web 2.0), and secure our "databases" as we wish (phew, jobs for us still).

Taking this to its logical conclusion therefore, Web 4.0 will be when users become largely irrelevant and it becomes an entity which survives on its own, humans essentially becoming its servants, feeding in an endless supply of data, or parasites living at its outer reaches living off scraps. Very 1984.

How the web imitates life.

Friday, 6 April 2007

Who's coming to InfoSec?

Just a quick one...

Chris Hoff reminded me earlier that InfoSec is nearly upon us over here in Europe. He is coming to look me up on my rickety, Sellotape and staples, SafeNet sub-vendor stand (G130).

If anyone else, old friends or new, out there is coming to InfoSec on April 24th-26th, drop me a line so we can hook up. I don't know about you, but I find these things drag without something to do...

Releasing the Web

There's a lot of talk about at the moment about Web 3.0.

Hang on! I've only just really started to understand what Web 2.0 is (and I use the word "understand" in its loosest terms). I challenge anyone to put down what it means in a sentence which actually makes sense. And what happened to the minor releases? Anyone stuck on Web and unable to upgrade directly due to database incompatibilities?

At a recent awards conference attended by a number of VCs, a colleague of mine spent a day walking the halls and listening out for buzzwords, then very smartly tweaked his presentation at the last minute. At presentation time, an otherwise fascinating talk with several slides courtesy of one "Rob Newby" (a respected security professional), had the following words and phrases liberally dropped in: "The Semantic Web", "Web 3.0", "data-centric"

The slavering crowd went wild for this young entrepreneur's use of words, and he was approached after the meeting by no less than 3 VCs professing an interest in the product. I'm delighted of course, the Semantic Web I just about "get" for now, and my love of data-centrism is by now reknowned, but I've looked everywhere I can for a definitive explanation of Web 3.0, and there isn't one.

In my experience most software becomes mature round about the 4th major release. 4.0 releases are usually trumpeted as the big step forwards (although I usually wait for 4.1). By that time most of the really crazy bugs are wheedled out, customers have given valuable feedback and hopefully you (and by 'you' I mean 'I') are left with a saleable piece of software that actually represents value for money in some regard.

I think I'll wait for Web 4.0, that'll be really good.

Monday, 2 April 2007

Here comes Cobia...

An email arrived in my inbox overnight (I'm over in the UK at present) from Mitchell Ashley over at StillSecure. "I’m launching the UNP product, called Cobia, tomorrow and I wanted to give you an early heads up."

Oh, it's as simple as that is it? You know, I'm a product manager, the Director of Product Management in fact (the capital letters make all the difference), and I could never be that cool on release day. Either Mitchell is secretly crapping himself and hasn't slept all night, or he really is a cool customer who knows he's got a good thing going with Cobia.

For those of you who haven't read the various postings on UNP over the last month or so, where the hell have you been? Even those that dislike UNP still like the ideas behind it, (and the debate seems to be a little bit confused between argument and agreement in places as a result). I'm pretty certain it's where the market is heading and where a significant improvement in the industry as a whole can be made.

Even so, Mitchell, you might sound just a little bit worried...