Monday, 30 June 2008

A worthy cause...

Now I'm sure all of you high earning security types already give substantial sums of money to charity each year in any case, but this cause is one close to my heart. My father died of cancer 7 years ago at the tragically young age of 54. I miss him every day, and this is one small thing I can do to help other people avoid the kind of upset that we went through.

My friend Tanya is hoping to raise just £100 to help Cancer Research UK fund further research into cancer treatments. I'd like to see her reach 10 times that... not least because she has no idea that I'm writing this.

Go on, make her day, make mine, confuse her completely by having complete strangers donating to her site. Maybe one day I'll let her into the secret...

Wednesday, 25 June 2008

What's up with HMRC?

Her Majesty's Revenue and Customs has been in the news again today. The data leaks that have led to their recent ridiculing in the national press are not all due to 'junior ministers', but, as suspected, 'systemic failure'. I'm not going to write any more on this yet, it's just too obvious for words, and they should have done it better a long time before this.
So, what do you do when your systems fail? Bring in an expert of course. So who's getting the top job at HMRC next? The name Mike Clasper may not mean much to you, it didn't to me, but the name BAA certainly will, especially if you've been reading these pages recently.
Mr. Clasper is the ex-CEO of BAA, before the Ferrovial takeover which seems to have brought it to its knees. It seems that he's good at making things run well then, and then selling them off and watching them collapse from a distance. Here's hoping he can get the data security big right at least. I would hope for £150k a week, 3 days a week, he could at least get someone to look at it for him. I'll do it for 2/3rds of that. :)
Good luck to Mike C. then, he's got an uphill battle, but he certainly knows how to make the best of a bad situation. Let's just hope he never leaves.

European PCI: bad state or bad reporting?

A scary looking headline in The Register this morning informed me that PCI DSS is further behind in Europe than we had previously thought. I read the first paragraph open-mouthed (lips only moving very slightly):
Nine in ten (88 per cent) European firms have failed to achieve compliance with a credit card industry standard for processing ecommerce transactions.
then came across the killer line:
A poll of 65 merchants across Europe by NetIQ
Oh dear. Sorry, but I've complained about this sort of thing before. I'd like to stop writing now, but I have some heavy sarcasm to dish out.

Come on NetIQ, 88% of 65 merchants ACROSS EUROPE, equates to far less than 1% of all the merchants in Europe. After citing 65 as a total, the rest of your statistics cease to make any sense at all:
Worse, the majority (54 per cent) have no timetable for getting up to speed. Only 17 per cent of respondents reckoned that they would be compliant within six to twelve months.
Hmm, so 35 weren't interested, 30 were, but 11 were compliant, or on their way already. I don't really get where the statistical significance over several thousand merchants is between 11 and 35, but let's also look at who you were asking.

I presume these are all NetIQ customers, or people driven to the NetIQ website by promises of not having to do any work that morning, whilst being able to stare at a screen, and therefore look as though they were working, whilst not actually doing anything at all.

Something which again made my blood freeze as I read it however:
Seven out of 10 of those quizzed by NetIQ reckoned that the penalties for non-compliance would only occasionally be levied, while 23 per cent said that fines would "almost never" be issued. Many of the merchants are more worried about dishonest workers than external hackers or business partners.
That's an awful lot of ignorance, even in such a small sample. Wake up guys, this just isn't true. That's 45 merchants out there in Europe who are sitting ducks for a fine after June 30. I presume and hope that these are relatively small merchants, in which case they MAY have a short period of time before the hackers or auditors catch up with them - I am prepared to admit that the spotlight will be on the Tier 1 merchants in the first instance. However, its a bit like relying on everyone else being fatter to avoid heart disease, i.e. stupid.

However, so far, all I can conclude from this survey is that NetIQ customers are ignorant, which isn't a great advert for them.

Tuesday, 24 June 2008

Don't look up

One thing I shouldn't really do is sit here working on my laptop whilst my wife watches Angel on the Sci-Fi channel. In today's episode (I'm afraid I don't know the episodes by name, or who said it, but...) one of Angel's chums quipped:
"Let's face it, unless there's a website called '', we're out of luck."
Well, if you had a laptop available in the same situation, you'd check, wouldn't you? Guess what? Yup.

No, I don't know who Darla is, or anything else about Angel, but the Internet is way funnier than real life in any case. Back to checking my emails...

Where are all the UK startups?

Many years ago now, I was discouraged from applying to Cambridge by a very short, bitter tutor (who had been to Cambridge) because he said my predicted grades of A, A, B, B were not strong enough. He even said I shouldn't even apply, because it would look bad on my UCAS form to the other universities. Yes, I know how stupid that looks now.

Well, I never applied, so never got a chance to prove him wrong. Little did I know they probably would have been happy to accept - I later got on to a Physics course at Bath University where other attendees were accepted with just 2 E grades, they were that desperate for intake, and that was considered one of the top non-Oxbridge courses in the country at the time. Still, I can't change history, and Mr. Sampson is still short, and a poor teacher. I have never trusted anyone in authority since, never let anyone question my intelligence and I cannot abide the short. So I guess I learnt some valuable life lessons.

All of which roundabout rambling brings me to the subject of the fabulous technical parks set up by these bastions of British learning. Cambridge in particular has thrown up many security start-up companies. Indeed, the area around Cambridge is often referred to as "Silicon Fen" (being in the area known as 'the Fens'). There are apparently over 1000 technology companies there with several billion pounds worth of investment. Most people will have heard of nCipher in particular, now a little past their prime, but at one point valued at hundreds of millions of pounds on the FTSE. I could name half a dozen bright little Security ideas that have come out of the area in recent times, some whom I have had contact with, others not. Of course, not all of these go on to greatness. The investors play a numbers game here just as they do in Silicon Valley.

Outside of those hallowed walls, there seems to be a scattering of other good UK-based technology startups around at the moment too, right across the country. I'm encouraged, because it's an area I know quite well, I know the processes and the pitfalls, the people to work with and those to avoid like the plague. I just want to hear more about them at the moment as I'm pretty sure we're about to see a lot more growth in this sector over here.

If you've got a security startup and think it's worth talking about, get in touch, I'd be interested to see what's new and what's working.

Monday, 23 June 2008

Data Integrity is important, now official!

I'm a big fan of the Jericho Forum, it was set up by a bunch of visionary Brits for a start, they have never listened to criticisms from the cynics, and kept their stance broadly the same since inception. Many of the cynics have now come around to their way of thinking, "actually, it was only getting rid of firewalls I objected to, de-perimeterisation is a good idea"-type responses abound. And that's from the clever ones.

I first met Andrew Yeomans from JF about 5 years ago, with a considerably flatter stomach and more hair (me that is, Andrew hasn't aged a day). I was extremely flattered to get a comment from him on a recent post, and a subsequent email to say that he regularly reads these posts. I'd better write something sensible then.

My attention has today been brought to the comments of another Jericho director, founder and all round security Titan, David Lacey. I've never met David, but you can't really move far in the UK Security arena without hearing the name, especially not in data-security. I was beaming from ear to ear then, when I heard this.

What's that? Data integrity will be the next threat? So, I'm NOT mad? Maybe just a little early to the game when I said it last year? Once again, a prediction came true, and far earlier than I thought. I'm hoping this is going to build from here. Obviously no-one is going to listen to my little voice, but with DL saying it, I think some people may start to sit up and pay attention.

Of course, I hope he will take a look at my old chums at Kinamik, he already has some pretty big fans there out in Barcelona. And if he's reading, David, if you fancy a quick break in Spain, I know some people who would happily put you up!

Sunday, 22 June 2008

Is there a future in PKI?

PKI is something which often strikes fear into the hearts of IT managers and administrators. It can be complex, fiddly to administer, and slightly ethereal at times. The expense of a PKI is often difficult to justify over a large enterprise, especially when it can't be guaranteed that identities will be trusted outside their own domain.

Speaking to a friend this weekend, he told me to take a look at Certipath - an interesting company with a great pedigree. From their website:

In late 2003, ARINC, Exostar, and SITA began discussions on how to jointly operate a PKI Bridge to meet the needs of suppliers to the U.S. DoD and UK MoD. Both the Air Transport Association (ATA) and Transglobal Secure Collaboration Program (TSCP) had simultaneously been working on specifications that called for such a trust broker. The need of the A&D industry to interoperate with the U.S. DoD was the initial requirement, with a secondary need of being able to exchange PKI-enabled data with other suppliers in a trusted manner. The global aspects of addressing the European Union, Canada and AsiaPac/Australia drove the need to have a consortium of companies with competencies in security and communications.

CertiPath LLC was formed to provide this service in June 2005, and went ‘live’ in May 2006. The service is now operational with Boeing, Lockheed Martin, BAE Systems, Raytheon, Northrop Grumman, EADS, and the U.S. governments’ Federal Bridge Certificate Authority (FBCA). For more information please visit

Now, if this had been set up commercially, I wouldn't expect it to succeed, but the fact that this already services most of the important defence companies in the world, I think that people are going to want to pick up on it. I would certainly expect the UK and US governments to pick up on it more than just in their defence departments, and extend it to the rest of their concerns.

What I particularly like about this is the way that it links into data security with federated identity. Soon, all of the junior ministers (because it's always junior ministers) will be able to leave their laptops on trains, in taxis and in the local park with complete impunity.

Thursday, 19 June 2008

DLP moves slowly into data security...

Today it seems to be big news that DLP deployments should include encryption. I'm amazed that it's taken this long for something purporting to be data centric security to have this included as a standard feature, but it's about time!

This report includes soundbites from an RSA marketing guy, which is all fine, they are the people to go to for encryption information after all, but I wonder how much of this will come back to bite them, or rather the hand that feeds them. I'm sure over time EMC will work out a clever strategy for commoditising their storage again, but data-centric security can only see storage getting cheaper and cheaper - the protection being in the data, not the hardware around it, or the applications it runs through. Centera and Celerra arrays are massively over engineered blocks of expense, but they sell at the moment because there are few well known alternatives.

What these big beasts don't do is allow you to move your data with any sort of security still attached. This is their big fault. Encrypted information with a master key available to decrypt at the endpoints for scanning purposes, or to make a decision on encrypting information as it is sent out - now that's more like it...

... and exactly what I was talking about yesterday. The trick is to get this all working without getting tied into one vendor, using a standard of some sort. Perhaps the ZIP standard would work? It is already installed in 25,000 corporate users, and those are just PKZIP and SecureZIP customers, not the free download users, or everyone on WinZIP, for whom half of the security is available, despite the lack of control.

I'm surprised DLP vendors have taken this long to come up with encryption, and I'm surprised they aren't already looking at compression and integrity on top of this. It would have been smarter to do this before now.

Orchestria revisited

I'm used to seeing US businesses struggle in the UK market, I've helped a few now to recover after false starts, or to launch successfully in the first place. I'm currently working with PKWare on a long term contract which I'm really very pleased about. I count myself extremely lucky that much of what I have blogged about as being necessary security over a number of months and years, actually exists as a set of products.

I've commented an awful lot about the dynamics that make this possible over here, the fact that a market has to be built up from scratch, reputation not doing much for a company which is big in the States when it comes to these shores, how the American style of business differs from the slightly more staid version we have over here, etc.

Something I hadn't come across before is the reverse of this process, a company launching over here and trying to break the US. I covered Orchestria a few weeks back, talking about how they seemed to appear from nowhere in the DLP space, and yet kept hearing good things about them. I found it surprising then that I got a slightly different story from some friends the other side of the pond.

I have thoroughly researched Orchestria, spoken at length with their English CTO, Pete Malcolm, and gone into numerous demonstrations of their technology, proofs of their customer base, and have even, surprisingly, been shown a very impressive set of accounts. At this point an NDA prevents me from saying anything more. Needless to say, some of the negative comments that were made after my story last week now look pretty much like sour grapes.

I fear that Orchestria are suffering the reverse of what many small US tech companies experience when trying to enter the EMEA market. I fear that sales and marketing teams in the US are maybe not set up for this type of technology without having it on their doorstep, or a specialist from the industry on their team. I fear that only a handful of people in the country may understand this fully. I fear that analysts in the US have been in touch with the wrong people in the organisation - because this stuff is pretty damn good. I also fear that properly marketing it is going to be a mountain to climb, but whoever takes it on is going to do very well out of it.

I would urge anyone who is looking at DLP to look at Orchestria. If you are in the UK, it's a no brainer, local support, local development, etc. If you are in the US, don't believe the poor marketing and doomsayers from the rest of the industry. If you are in Orchestria, get a good marketing team out there, and beef up the support you already have out there. I think we could see them coming out near the top of the pile in the DLP wars. However, this isn't just what Orchestria does - and here's the only 'issue' that I could find with them - the technology is way more than DLP. You could use a couple of Orchestria devices and some SecureZIP in your entire environment and dispense with 50% of your hardware... if you don't believe me, try it out.

This is in fact the reason that this reasonably large company (and expanding monthly) seemed to appear out of nowhere and hit the DLP market. They had a product in a different sector (compliance) which happened to cover DLP very well, and they decided to market it as such. Good idea, poor execution, to get into a security market you need people who know that market inside out, whether they are in the US, the UK, Norway or Timbuktu. This is unfortunate though, because it has given a good piece of technology a slightly false start in an industry where they could be a shining light.

I haven't been this excited by a product since, well PKWare actually, but before that, Njini with their data classification / de-duplication software (another British company, yeah!). What I'd really like to do is put them all together and make a demo. What makes me feel good about all of this is that this is how I predicted the future of security just a year ago. I just didn't expect it to come so fast.

Tuesday, 17 June 2008

Happy Birthday to me

Wednesday marks one of the big binary milestones of life for me.

Yes, tomorrow I turn 100000.

I don't feel a day over 10101.

But enough of this computer-related geekery. On with the celebrations.

Saturday, 14 June 2008

Compliance abuse

Vendors talk about PCI so much that the reality gets skewed, walking around RSA or InfoSec this year, you could have been forgiven for thinking that PCI was a problem that could be fixed with software. Certainly some software may be able to help with a couple of point of PCI, but there are a couple of issues I have with this vendor approach.

Firstly, presenting PCI as a problem, along with other FUD. FUD is so 90s, so Chicken Little. Security has got stuck in a rut in the 00s because we've spent so long saying the sky's going to fall in. When it didn't, no-one believed us any more, and had to try and make up their own minds. Now the people who stand out are the ones who say the opposite - who say that they can actually aid your business, help it to make money. In fact, that's always been a way to make money from software, it's just that using compliance as part of FUD has detracted from the overall value of both security and compliance.

Used properly, compliance will make your business run smoothly, without you having to recruit too many specialists. Security will help you achieve that, but here's the second problem. Whereas I have been firmly on the vendor side of the fence for many years now, I can't repeat enough that security isn't all about software. Without decent policies and education security software is near useless.

My friends over at the SPSP (Society of Payment Security Professionals) have recently developed the CPISM (Certified Payment-Card Industry Security Manager). It strikes me that this is something long overdue. Developed by Mike Dahn and Heather Mark, two of the biggest names in PCI that I can think of, and with Walt Conway on the advisory board, it's sure to be comprehensive and more importantly, relevant and useful.

I can't wait until RSA next year when all the newly qualified CPISMs start asking the questions that Walt and Mike did this year. I'm going to suggest to Mike that he makes this part of the course!

Tuesday, 10 June 2008

Another blog contest

I'm busy writing a presentation about data security, no surprises there, when I decide to check my mails and see the old Google alert for "Rob Newby" (don't tell me you don't do it too). Imagining it to be about the other Rob Newby, Tory councillor for Topsham in Exeter, who often does the rounds, I almost ignored it. However, it was for me this time (imagine how pissed off other Rob must be about all his IT security alerts!).

As well as my fellow Euro-Securo Kai, writing about the new Black Hat Bloggers Network, there was one from the Computer Weekly magazine. Apparently I have been nominated in a blog competition. I wonder if that was down to Kai too, or if they were just thin on the ground and needed to fluff it up a bit?

In fact I think it's probably because I've written a couple of articles for them recently and they probably like me because I do it as a hobby, not for work. Something I have noticed though - it specifically says "Help us to identify the best IT blogs in the UK in the IT Security category." Then it lists Bruce Schneier, Richard Bejtlich and Anton Chuvakin! Much as I respect and love them all, especially Anton, who I met at RSA recently, they're not from the UK, nor do I suppose they want to be.

Besides, they're all better at security AND writing, so it's really not fair.

Tuesday, 3 June 2008

BAA tackles security... BAA style.

*** this story has been altered due to Rich pointing out that I was flogging the wrong dead horse, sorry British Airways, you are of course infallible...***

You may already know that BAA are a pretty useless bunch. If you've read my recent exploits in San Francisco, you'll know that they can't get luggage to the same destination as their passengers.

It comes as no surprise then that they will throw someone off a plane for wearing a Transformers t-shirt. I say "it comes and no surprise", but it's the same sort of "comes as no surprise" as finding yourself under arrest for shopping because the police saw you in a shop, and realised you were prone to shoplifting.

Come on BAA, you're already a laughing stock. You look like complete idiots already, don't let's make it any worse. Oh, too late.

Sunday, 1 June 2008

The next move

Often, when I read other people's blogs, I look at the companies they are working for and think "well, they would say that, wouldn't they?" Richard Stiennon was very vocal whilst at Fortinet about all things firewall and network, at a time when I was coming down heavily on the other side of the fence. Chris Hoff, when at Crossbeam, talked a lot about UTM. Both of these guys are at the top of their game however, so their arguments also seemed reasoned and seasoned, and when they both moved to new jobs, their opinions remained broadly the same. Indeed Stiennon is now at a new startup with a similar message, and Hoff still refers to Crossbeam with reverence.

I fully admit that I have made mistakes in choosing various parts of my career path so far, hence why I took the last 2 months off and took advice from Rich Mogull, Mike Rothman and as many others who would listen to my limey whingeing. The general message I got was "take your time, listen to what comes your way, and act only when you think you've got something worth doing". In the meantime I was still in constant contact with the security community, vendors and colleagues. Jobs are not as thin on the ground as I had expected in the current downturn, possibly because of the heightened awareness, particularly in data security created by the mistakes our government have made over here recently.

It is therefore with great pride that I am able to report my latest move. I've just signed up Robert Newby and Associates (i.e. me) with PKWare for 12 months. I talked about some time ago when they first aroused my interest. I am going to be helping them make a big noise in the UK and EMEA. My reason for choosing this company...? Because I could. I'm genuinely excited about the software, the product direction and the easy story it tells. It aligns with everything I've ever thought about data security, and from the conversations I've had with the CTO and product managers, all I am likely to think about it in the coming months.

So what do you know of PKWare? The normal reaction to the name is "PKWhat?", so I say "you know PKZip?", which of course everyone does. "That's them." The history is interesting, and something I will write more on another time, but their future is what concerns me for now. PK are no longer just about zip, but security too, SecureZIP is just that, a secure zip product, encryption and compression in one. PartnerLink is again, just that, linking a company to their partners by encrypting, compressing and applying policies to data at source. I wrote about PartnerLink before, saying that it was something I'd wanted to get written when I was a product manager. I'm quite glad I didn't now, as this is better than I could have managed with my resources.

The products are good because they are simple ideas, effectively executed. Being a fully private company with no VC borrowing, there are no odd decisions passed down from people not involved in the business, so no nasty surprises or sell outs when the market is at its lowest point of appeal. Being a small company with an excellent pedigree, I can talk to the CTO as easily as I can the sales guy working on my accounts. This communication is evident throughout the company, most obviously to me by the quality of the software. At last, someone who QAs to their own deadlines, not the VCs'. So, I'm excited, I've found a breath of fresh air in an industry which looks like it's slightly lost its way of late.

So, look forward to lots more data security posts again now I'm back working amongst customers with real data security needs. And to those of you who have picked this up because you have a Google alert for "PKWare" - hi, good to be working with you.