Tuesday, 29 April 2008

nihaorr1 attack explained

I went and introduced myself to the guys at Secerno again at InfoSec last week, and whilst I have no professional affiliation with them, I'm always interested in exciting technology which does something new. Steve Moyle, CTO, is a friendly guy who oozes enthusiasm, just as Paul Galwas was when I met him last year. I just got a mail from Steve to tell me about a recent attack, and I thought it was so well explained I offered to reproduce it here. Steve agreed, so here goes:

"The nihaorr1 attack trashed web facing databases all over the planet last week. It was based on an automated SQL Injection attack (Secerno stops these). Previous attacks like this were targeted and individual. It was only a matter of time before someone sinister worked out how to automate it. We were working with a victim not long after the outbreak.

In this attack, they were not stealing data. However, for the affected web sites it would be difficult for anyone claiming PCI compliance that they had their data under control. The attack can easily be rewritten to take integer values (e.g. credit card numbers) from one field (say) and copy them to a text field, and then expose them on web pages ...

Basically, the attack worked as follows:

Step 1: potentially vulnerable sites identified automatically (probably by a Google query)

Step 2: SQL Injection part 1. SQL injection at a site to ask the database for every field it has that contains text

Step 3: SQL Injection part 2. Update every text item in the database with the original item plus a link that will download a trojan to the web browser

Now what happens is that when a web site serves up a page, the text it serves up is called up from its database -- but every piece of text now has a malicious link under it. When clicked on, the link serves up a virus that infects the viewer of the web page.

Note that the original victim -- the web site -- has become the attacker. Whilst the new victim is the website visitor who trusts the site.

This attack will be adapted and will cause real chaos."

Thanks Steve for the entertaining story and explanation of how this attack is working. And, as the Romans say, caveat emptor internettus.
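The mechanics Steve describes, as an added example that is not Secerno's or Steve's code: a Python/SQLite sketch of the string-concatenation bug that lets the injection in, the parameterised lookup that closes it, and a post-outbreak scan over every text column for the script tags the attack leaves behind. The table names, sample rows and the attacker.invalid host are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample data: a tiny "web site" database with two tables. One
# comment row is pre-seeded with the kind of markup the attack leaves behind
# (placeholder host, not a real indicator).
SAMPLE_ARTICLES = [
    (1, "First post", "Welcome to the site.", 10),
    (2, "Second post", "More text served straight from the database.", 3),
]
SAMPLE_COMMENTS = [
    (1, "alice", "Nice post!"),
    (2, "bob", 'Agreed.<script src="http://attacker.invalid/1.js"></script>'),
]

# Markup that should never appear inside stored text fields on a site that
# renders them straight into pages: a script or iframe tag.
INJECTED_MARKUP = re.compile(r"<\s*(script|iframe)\b", re.IGNORECASE)


def build_sample_db():
    """Create the constructed in-memory database used by the functions below."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT, views INTEGER)"
    )
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?, ?)", SAMPLE_ARTICLES)
    conn.executemany("INSERT INTO comments VALUES (?, ?, ?)", SAMPLE_COMMENTS)
    conn.commit()
    return conn


def lookup_article_vulnerable(conn, article_id):
    """The precondition for steps 2 and 3: the request parameter is pasted into
    the SQL text, so whatever the visitor sends becomes part of the statement."""
    sql = "SELECT id, title FROM articles WHERE id = " + str(article_id)
    return conn.execute(sql).fetchall()


def lookup_article_safe(conn, article_id):
    """Same lookup with a bound parameter: the value is data, never SQL."""
    return conn.execute(
        "SELECT id, title FROM articles WHERE id = ?", (article_id,)
    ).fetchall()


def text_columns(conn):
    """Enumerate every text-typed column. The attack enumerates these to know
    where to write; a defender enumerates them to know where to look."""
    cols = []
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY rowid"
    ).fetchall()
    for (table,) in tables:
        for _cid, name, ctype, _notnull, _dflt, _pk in conn.execute(
            f"PRAGMA table_info('{table}')"
        ):
            if (ctype or "").upper().startswith(("TEXT", "VARCHAR", "CHAR", "CLOB")):
                cols.append((table, name))
    return cols


def find_injected_markup(conn):
    """Scan all text columns for script/iframe tags. Returns (table, column, rowid)
    for every hit: the rows to review and clean after an outbreak like this one."""
    hits = []
    for table, col in text_columns(conn):
        rows = conn.execute(f'SELECT rowid, "{col}" FROM "{table}"').fetchall()
        for rowid, value in rows:
            if isinstance(value, str) and INJECTED_MARKUP.search(value):
                hits.append((table, col, rowid))
    return hits


if __name__ == "__main__":
    db = build_sample_db()
    print("vulnerable, id=1:", lookup_article_vulnerable(db, "1"))
    print("vulnerable, id='1 OR 1=1':", lookup_article_vulnerable(db, "1 OR 1=1"))
    print("safe, id='1 OR 1=1':", lookup_article_safe(db, "1 OR 1=1"))
    print("rows carrying injected markup:", find_injected_markup(db))
```

The scan is the cheap first check after a mass-injection outbreak; it tells you which rows were touched, which the web logs alone will not.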

The road ahead

With user security, CIA (or AAA as it becomes) is fully integrated. This is an area of security which has been around since computers were first invented, to some degree. It is the most mature of the 3 areas I have picked out in my series of posts so far. [Although please note, these are only picked out for sake of ease, in reality there are overlaps.] Network security is less integrated, although in my career I have watched as point solutions in the network have become more fully integrated. Network devices at least all talk the same language to each other now, TCP/IP as a standard form of communication has kind of settled in.

With data we are not quite so fortunate, C, I and A are not integrated, although large storage companies are trying. There are a few of these though, so they all have their own standards.

In my original piece I said that integrity was the future of data security, and indeed, it will be an important part of every piece of storage eventually, when everyone realises its importance - but that's not a great starting position. I don't think it will be a point solution that becomes part of a data security standard. Integrity will always be an option, along with encryption and compression as the whole data centric security space merges and evolves.

This will happen separately from hardware as well as being built in to it. But will the standards emerge from the hardware, or something distinct and separate from the hardware that the information resides on?

Data-centric security has to be able to move with the data. Anything that the large storage companies try to apply directly into hardware will be difficult to use at best, more likely ignored. We've already seen a big pull and push between Sun, IBM, etc. in trying to standardise key management. If they can't even agree on that, where keys are already in reasonably standard formats, what chance do they have on agreeing on compression, encryption and integrity standards? It is more likely they will pick up and use existing popular methods over time as happened in the network.

I don't want this to become too much of an advert, but I spoke recently about PKWare, because I am interested in them, and will be visiting them this week. I'm going to talk with them about their products in more detail, but they sound very close to my heart, and as close to the reality of reaching my data security nirvana that I've actually seen. What's more, it makes sense.

I've heard some very interesting things about them recently: their new SecureZIP line and PartnerLink are both areas I identified as massive opportunities for growth whilst at my previous job. I actually asked our engineers about designing a product almost identical to PartnerLink, but it was too much for our small team. We didn't have the resources to develop the ideas, but now I find those ideas already exist.

Ask anyone (as I did at InfoSec) whether they've heard of PKWare and they will often look blank, until you say "have you ever used PKZIP?", which of course everyone has at some point, if they've used a computer for anything other than emails. I'll be asking some more searching questions this week and reporting back in due course.

Monday, 28 April 2008

Nearly there...

I've just finished writing my final post in the series of 'data nirvana' posts - you can read it here tomorrow - and taken a quick look back through the other blogs I enjoy to find Rich talking about data classification being dead. I have to agree. I started writing about this last year and even ranted at someone else about not understanding it properly (which I won't dig up again).

Data classification is the real data nirvana of course, but it really can't be achieved satisfactorily. To echo Mr. Mogull for a moment, a network is a dynamic thing, it's constantly being updated with information, which can change its status from Top Secret to Private, or Public to Classified in a stroke. Tags just don't cut it. A company I spoke to at length last year proposes a data classification solution. They haven't pushed it as such yet because the market isn't there. A few tyre kickers have had a go, not because they want to classify their data, but because they want to find it. That's a totally different matter. De-duplication is a very good idea, and simple, and sellable. Data classification is a great idea, but complex and completely un-sellable to anyone except me and Rich. [If you manage to invent it, please drop us a line.]

The only way you could manage to classify a system is to close it: make it read-only, or take it off-line as Rich also talks about. That kind of makes technology about as useful as your local library, though, and sends us crashing back into the 20th century just as everyone is getting used to the 21st. Something I find much more interesting is the idea of controlling information from a central hub, with policies in place around it - information sharing. It's more of a 'real world' example of how people are likely to use data security.

It reduces the need for classification as you only have to choose policies around the data you are making available outside your network. I also talked about this last year, as Microsoft released their SISA idea with about 10 other companies involved. This is clearly a good idea, but with so many technologies involved, bound for disaster. I don't know if anyone got anywhere close to deploying this, but I rather think not.

So Information Sharing is my new proxy-nirvana, or pseudo-nirvana, that is, the thing that will sell and be used, and is actually practical and possible. And guess what, I just happen to have written something about it in my post tomorrow... read on.

It's not in the network

Everyone's bored of network security aren't they? I certainly haven't thought much about it recently. There are a few reasonable sized companies out there doing very well from network devices, by which I mean devices which control the network traffic in some way, not just sit on the network, analysing this or that, controlling something or providing a secure store for something else.

Back in the year dot of the internet, Cisco made it big from connecting everyone together. At the same time Microsoft made it easy to use a computer, and the internet boom started to have some knock on effects. Suddenly hundreds, thousands and eventually millions of people were connected to each other with little more than an open pipe to each other which could be stopped, stolen or even hijacked.

Corporations understood the need for computer communication between them, it's almost a given these days that you need a computer in business to survive, but security was nowhere near top of their minds.

So a few scary years later, antivirus and then firewall products started to appear. This gave Mr. Corporation a feeling of safety, the bad guys were outside the network, the network was self-cleaning, and the good guys were inside, just like in a normal, physical-world company. The amount of headline space given to firewalls and AV around the beginning of the 90s is, in my humble opinion, the main reason why security is now so difficult to teach and sell. Up until fairly recently, you mentioned IT security to a CEO and he would answer 'we have a firewall already'.

After firewalls came IDS then IPS/IDP, to stop live nasties getting in, undetected by AV, largely because they weren't viruses, or were zero-day attacks, the AV as yet unaware of their signature. Then came VPNs, proxies, reverse proxies, SSL termination points, load balancers, link controllers, etc. To analyse every product would take another 3 weeks, and would not add to this post.

The market was flooded with all manner of devices in the mid to late 90s, and the messaging was hard to follow. This market evolved relatively slowly (compared to the internet boom) and only in recent times have we been able to pick the parts which make sense to use in the network, drop those that don't and turn them into what we are now calling UTM - Unified Threat Management.

UTM is a much better solution to network security issues, but it doesn't cover everything. You still need to have separate user security for example. User security is also still evolving into identity management and identity based access management. Security will never be perfect, so this process will always continue in ever decreasing forward steps. Certainly for now, I'm done with network security. Data security is much more interesting, and that's where I'll continue tomorrow.

Sunday, 27 April 2008

Continuing the search for data nirvana

It's a while since I wrote about data integrity (actually, I wrote about it a couple of days ago, but not in detail). I will assume that everyone is familiar with the CIA triad before reading on. [If not, please look it up.]

Last year I wrote a couple of pieces which talked about the security of transactions, addressing the user, the network and the data. It was part of a presentation I used in Barcelona to persuade some VCs to invest in Kinamik, who I was then with. I certainly thought it was along the right lines then, and I still think it's relevant, although I need to update the ideas.

Here's a copy of the table I referred to as my Transaction Security table:

Access Controls
Wireless, Load balancers
Firewalls, IPS, etc.
Anti-Virus, Change Control Mechanisms, Digital Signatures
Access Controls
Digital Signatures

Most people involved in using IT of any kind will be familiar with authentication, entering usernames and passwords. Most of us do this many times a day in fact. We need to do this to prove we are who we say we are, to prove our integrity. We then need to be authorised to continue our journey in the network, allowing us into the areas we are permitted to view and use. The confidentiality of the network and data is at stake if authorisation is not in place. The network and data therefore need access controls, to stop unauthorised access and permit authorised access: this is availability.

I've spent a little time and space explaining this because it's not always obvious. Even if we work in a network environment, we don't often see user security, it is built in to applications, operating systems and devices. It is an integral part of being in the network, just as our identities are an integral part of us. User security needs to be like this, or we wouldn't want to use the technology.

OK, maybe this is too simple. I'll let you look at the network security parts for yourselves for the moment. The network is how we travel to the data, as users, so the concepts of C, I and A here are largely intuitive, much as we picture things on a network diagram. Tomorrow I'm going to continue with the network, then wrap up with the search for data nirvana so temptingly promised by the title.

How do you solve a problem like EMEA?

If you were at InfoSec this week you will have noticed a few of the larger stands. For me, seeing companies like Juniper and F5 filling the show floor is comforting in some ways, but in others it indicates where there is work to be done.

If I were the CEO of a tech company looking at the successes of these guys I might think: "The way to tackle EMEA is to put in an office near London, staff it with sales guys and flood the market." Indeed, that is a tried and tested method, but not very successful. I mention these 2 companies specifically because I was lucky enough to work with them both when working in pre-sales at Equip Technology, their UK distributor a couple of years back.

Juniper of course built their success on their NetScreen firewall, and the reason for that success was its simplicity of administration. It sold in lorry-loads and was easily supported by the channel. I know probably 15-20 engineers who are qualified to support Juniper products, and as the company has grown, so has their product arsenal, their training capabilities, and their worth. I think they have a great model for the channel, which was the result of a lot of hard work, but not inconsiderable luck. They hit the market at the right time, and the product was simple enough to keep going locally.

F5 built their success on the fabulous BigIP and the family of products that can reside on one, the LTM, GTM, ATM, Link Controller and probably loads of others by now. When I left the channel they had just bought 4 new companies to fill their portfolio. I was a big fan, simply because they made the GUIs easy for administrators to understand and explain to others. The boxes usually worked and there were few things not possible with the help of iRules and iControls. Success here was down to the need to monitor and re-use infrastructure internally without messing too much with the front end. A bit more complex than the firewall, but easy to explain and justify the costs, this was a sales success more than a technical success, but sales success forces the technical side to keep up. As can be seen from the Juniper example above, the guys who put the work in are now very valuable engineers.

The sales for these pieces of kit were much fewer than with Juniper, but often much much larger. The last deal I was involved in for F5 kit was quoted at over £350k, for a number of devices. The margin on a deal like that is not inconsiderable, when you weigh up the fact that distributors are typically looking for 40% when they take on a new vendor.

So where does that leave everyone else? What about very technical products, or products where sales cycles are long and boxes aren't just shifted along like these guys have managed to achieve? If you've done the sales job in the US, the market doesn't automatically pick up on it over here. In fact, the whole sales job has to be done again, regardless of early adopters and good press. Relying on the channel is still possible, but without regular sales the salesmen soon get frustrated, and the technical guys forget what they have learned. For very technical products, encryption being my experience, this creates a problem which has to be managed very closely. Sales and technical people representing the vendor have to be available to go onsite on a weekly basis, just to keep the product in the minds of those pushing it out there.

This is hard to achieve from San Francisco, so very often an RSM is hired in the UK. They are of course given targets, usually unrealistic ones. They do not have technical skills, so an SE is hired, of variable quality. These 2 have to sell direct AND sell through the channel, 2 very different jobs which can spread them both too thinly, even if they are in constant communication. It is also very stressful, and involves a huge amount of travel, whether you feel like it or not, and whether it gains you anything or not. Selling direct for these long cycles is nerve-racking and a thankless task, especially when it fails. However, if you hire someone to just cover the channel, what are they going to do for the other 3 days a week you are employing them?

At SecurEMEA we are helping technical companies address this gap cheaply and efficiently. Communication is key to our survival and success. Once we have helped develop a successful channel to market for a technology, we then aim to help build that company until it can stand on its own in the region. Maybe then you'll see a few more highly technical vendors on stands at InfoSec in the coming years.

Friday, 25 April 2008

I'm limited, it's official

As of today I am now operational as a Limited Company in the UK. Robert Newby & Associates (RNA) now has a bank account and a registered trading number. So that means you can hire me as a consultant, and my associates of course.

SecurEMEA is still growing, and thanks to Rich Mogull's little podcast with me at RSA, I've been inundated with requests for help. It soon became clear to me talking to people about this that this is not going to be a quick process however, and rightly so. By the very nature of what I am offering to clients in the UK, there is a lot of checking, double checking and hesitation to move forwards.

SecurEMEA is being set up to help bring companies into the UK, to address the channel here, and then growth into the wider European market. I'm going to stick my neck out here and say that the majority of US IT security vendors (successful or otherwise) do not know the UK channel to market very well. There are many who haven't even tried, but there are also a brave few who have. Out of these brave few, there are a smaller percentage still who have succeeded.

One company I heard of recently, and who will always remain nameless in my presence, spent 2 years and $3 million pushing a team of 15 people into the UK, thinking they had a great product, and indeed they did. After 2 years, they realised that sales were flatlining, and had to set about chopping the staff back down. This cost more $$$, and took time they didn't have. Then the process of building the company here had to start again. Owch.

Many companies do it cheaply now. I was fortunate to work for Vormetric over here 4 years ago, there was 1 RSM, and me with my spanners. Later a UK sales guy joined and sales dived, so the UK operation became too expensive to maintain at that time. They are going to have a much better year this year, mark my words. Ingrian did the same, 1 RSM, me with a spanner set, and a UK sales guy. They were luckier, and managed to be acquired, but not for a huge hill of beans, and no-one made much out of it. SafeNet will probably not do much with the technology this year in my opinion.

All of this costs money, and as can be seen, is not guaranteed to be successful. An RSM costs $100-150k a year, an SE $100-150k a year, and extra sales guys, the same again. IF they make a sale, then they pay for themselves, but not the offices, infrastructure, etc. And you can't guarantee you're getting good sales guys. And you can't manage them effectively from 5000 miles away. So, this is still cheap is it?

SecurEMEA is based on the premise that I've done it before, and know what mistakes not to make again. I know what sales guys to work with, and who to avoid like the plague (you know who you are!) I know which distributors work well with tricky technologies, and which resellers are more than box shifters. Initially I am planning to do this fairly intensely with a couple of companies only, but in time I would like this to be THE place that people come to break into the UK market.

So, you can see that the people who will be most aware of the benefit that SecurEMEA can bring will be companies who have already tried and been burnt to some degree. Those who haven't tried might be persuaded that they can do without, and indeed, it is possible, especially with products that have a very long sales cycle.

If you can't afford to wait that long, or spend that much cash however, why not drop me a line?

Wednesday, 23 April 2008

Captain's Blog, Supplemental - PCI is dead, long live PCI!

I've been writing here over the last couple of days about RSA and InfoSec, and how the PCI messaging in particular has been much better at InfoSec, largely due to the fact that there was less of it. I was asked over lunch why I thought this was. I have to say thanks to Eleanor for asking me some of the more intelligent security questions I've heard in a while. Maybe a journalist's inquisitive nature, but it certainly got me thinking. Consider the following:
  • Last year at InfoSec, the PCI marketing was completely irresponsible and embarrassing - 'We solve PCI', 'Solving PCI in 60 days', type of thing...
  • It was like that at RSA in San Francisco this year, but NOT at InfoSec.
  • The US market is traditionally more advanced, certainly in terms of technical sales, than the UK/EMEA.
I wrote an article on this very topic for CW 6 months ago. We can see that technology advances very quickly in the US, and local people buy local goods. Even in bi-coastal offices there is only a 3 hour difference in timezones. Therefore, if an end user has a support issue, the vendor can be onto it immediately, or within 3 hours maximum, SLAs can be adhered to, support cases can run in a short time period, people can communicate easily.

In the UK, 8 hours away from Silicon Valley, the customer is not as well supported. This is why the channel exists as it does in the UK, tiers of support, protecting the vendor from waking up to a slew of angry British emails - we can be vicious in writing you know.

So if the UK tried to pitch PCI last year and the US is still trying this year, what's happening? Surely the UK market hasn't overtaken the US market?

Actually, I think it's better to think of it in terms of what's NOT happening. Vendors are finally realising that offering to solve PCI isn't going to get them anywhere in the UK. No vendor will address everything in PCI. PCI is there to help, not to prescribe technology. I once had a customer snort at me in a meeting when I said that some people found PCI quite vague and difficult to get to grips with in a technical environment. He said he found it very specific, actually.

I don't just make things up to entertain people, but this guy was from management, all of the guys I'd dealt with previously were techies. PCI is a great management tool, it gives an excellent set of rules and a fairly good hint at what will happen if they are broken. The techie then has to go out and choose the products that complete the management's requirements though, so when faced with a bunch of marketing that all says the same incorrect and confusing things, the techie runs away.

Just as UK end users are reticent to spend money on unproven, unsupported products from a remote origin, they are reticent to accept that anything will solve all their problems. We have a much more cautious approach to security, much more to lose if we make a poor decision, so the product has to be tried and tested... or local.

Great, so there's only one problem left, what about the flurry of activity in the US at RSA around PCI? Quite simply, it's a different market. There are many more small products, everyone grasping for their diminishing piece of the security pie. This is where the products originate, many of them on the doorstep of the Moscone Center, 80% of these products will never see the light of the UK market. Each of these has to say it does a million things, solve PCI, make the beds, prepare breakfast and call you a cab home. That's why actually the sensible thing to do there is to shut up, stand up and let the product do the talking (I mentioned at the time, PKWare were the ONLY product I saw do this). Sadly, few actually have a good enough product or well known enough brand to do that. Maybe Microsoft could, Google could, but does anyone REALLY think these two names are security giants?

This argument is already much simplified and this post too long. I urge contributions to this debate as I'm still floundering for ideas and want to get some fresh thoughts. But PCI as a marketing tool, I'm pleased to say, is dying a death over here. Maybe now PCI as actual compliance can have some air? That's a whole other set of posts.

Infosec 2008 - Day 2

It's been a hot and sweaty day again, and I've just about lost my voice from talking, so retreated back to the hotel early before my internet access is cut off. At £15 a day, I'll probably wait until I get home tomorrow to finish off my postings. So, no shock news there then, London is still a rip-off.

I don't think I'm going to get much more mileage out of being here to be honest. The show is better this year than it was last year, more interesting, more focused somehow. Less marketing rubbish about PCI, more facts. It's like people are respecting the fact that most CIOs/CISOs know what they are looking for here, and it's not a shiny marketing bastard in a suit. Like RSA was.

Still, I put on my shiniest suit (courtesy of British Airways - thanks Willie, I'm a big fan of your money) and trudged out to the show in the pouring rain this morning. Being 9am, the hall was nice and cool, and everyone remarked on how nice it felt not to be melting like yesterday. "Oho, you wait until 2pm", I said. Behold and lo, it is now 3pm and the rest of the shiny suited brigade are sweating away in the conference centre whilst I cool off in my hotel room.

So what of today? I met up with my old boss and MD of Kinamik, Christophe Primault and went to see Bruce Schneier's talk about Security Theatre. It was all very clear and well thought out, but I couldn't help spend my time thinking "I could do that". I guess we're not so dissimilar, except that I am a foot taller, 100 pounds heavier, 10 years younger and 10x stupider. For those of you trying to work out my height, weight, age and IQ - 31, 210, 130, 110 - the numbers are approximate, the order randomised, and the units I am not telling.

A quick meeting with another old boss, Colin T from Vormetric, then off for the highlight of my day, lunch with the editorial team from InfoSecurity Magazine, Eleanor and Helena. These fine young ladies were on the same flight as me to San Francisco last week, and ended up in the same hotel in Shannon overnight. I joined them for breakfast and, well, the rest is history that you can follow in blog form here. We talked BA, InfoSec and near-death experiences. I feel a kindred spirit with them to know we could have met a hot and grazed end together. I have offered to write some unbiased, level-headed, insightful articles for the magazine, so hopefully I'll be able to find some on Google if they take me up on it.

Since then, it's all been hand shaking and telling people about my new venture. Hence why I've lost my voice... must go and wash my hands.

Tuesday, 22 April 2008

Infosec 2008 - Day 1 PM

InfoSec, in my opinion, is better than RSA was. In complete contrast to last year, there is very little PCI talk, there's barely a mention of DLP, and everyone seems to have their own product for doing their own thing. There are even fewer nurses' uniforms here than last year (but still more than none). Sadly, nothing really jumps out at me and grabs me (not even a nurse).

Some things that have pleased me then:
1. Meeting up with Colin Tankard, my ex-boss at Vormetric, who is still selling Coreguard across Europe. I think their time is coming at last in the UK. Unstructured data encryption is hot here right now since the government lost so many records, repeatedly at the beginning of the year. It was all 'junior' employees at fault obviously.

2. Meeting Iain Kerr from Protegrity at lunch. Iain seems to have worked for every successful tech company in the world in the last 30 years. A Scotsman living in Florida, with a hybrid accent that sounds like, well, a chilled out Scotsman. He also ran his first marathon at the age of 50, and plays golf off a handicap of 7 (up from 1). He's been brought in to head up their technology drive into the UK, and is certainly more than capable.

3. I also had lunch with a journalist Iain Thompson from VNUNet, the Managing Editor, no less. Journalists are always a source of consensus of information, so it pleased me to hear that his impressions so far were similar to mine (see above). One thing I had not heard however was the stance which Microsoft has been taking where 'everyone should share and peace and love' were Iain's words (more or less) - aiming for shared standards that is, but then in a Microsoft world, of course that's what they want.
Fight the power!

Infosec 2008 - Day 1 AM

As always, Olympia is like a greenhouse in the middle of April, so I've dashed back to the hotel for some fresh air (inside the hotel obviously, London is outside). Whilst I'm here, I thought I'd get some stuff down so I don't have to ramble too much later.

I came in this morning and made a bee-line for the PKWare stand to see how they were setup. They have many sales people staffing the stand, and to be honest I'd be rather superfluous standing there as well. I'm still talking about them around the showfloor though as that's a much more satisfactory way of covering the show and picking up leads.

A quick stop to chat with Bobby Conway from NuBridges, put a face to the name and find out what they're up to. They were an Ingrian partner until early last year, but there were some problems there which I still don't know the truth behind and have no opinion on (yeah, right!). Suffice to say, they have a great i-series product, which we used to default to until the partnership disappeared. I hope they will talk to SafeNet again after the acquisition, as it would be a strong place for them to focus and could get far better coverage that way, for both parties.

As I passed back via the Secerno area, I stopped by to say hi to Steve Moyle, the CTO, who looked blankly at me when I said my name, and then smiled broadly and sat me down at the table to talk. I'm still impressed with these guys, they have taken a complex product that I thought did something great and turned it into something a lot simpler that seems to do just one thing well. At this stage I'm not sure if they haven't over-simplified it, but that may be just the thing to break into this market space right now.

The basic premise is that they will look dynamically for SQL injection type of activity, rather than using signatures or static files like a web-app firewall. I like this because it is more application focused and closer to the data. They also have a much more comprehensible GUI now, which is a relief, and good reporting, which is a necessity.

Back to the show for some lunch, then a quick poke around at some of the bigger boys this afternoon I think.

Monday, 21 April 2008

Warming up for InfoSec

It's that time of year again and I'm up in London for the annual InfoSec show, which I expect to be pretty much the same as RSA, only much more English. I'm up here pimping the new business and talking to every encryption vendor under the sun about how to sell stuff over here.

I was also really excited to be approached by the CTO of Secerno last week, who I have talked about at length in these posts previously. I'm looking forward to meeting him and having a full debriefing. I actually had one last year, but I have to admit to being faintly confused by it at that time. Now I understand what it's needed FOR, I should have a much better chance.

I'm expecting an awful lot of 'we solve PCI' drivel, plenty of virtual this and consolidated that. But also lots of Jericho Forum, data centric security and all the stuff I like actually being there at last. I may well just go and gatecrash the JF party and take a look at Mark Curphey's keynote. Mark very kindly invited me to lunch before Christmas, and I had to stand him up at the last minute, we never did catch up. Perhaps I can buy him a donut to make up for it?

Thursday, 17 April 2008

Data security pop quiz

If you are a regular reader of this blog, or indeed someone who reads to the end of this sentence, you will know by now that I am a keen student of encryption. I hesitate to say expert, because I am nothing of the sort. I am the equivalent of the commentator at a Kasparov v Karpov chess match, or maybe even just one of the audience. Still, I enjoy encryption, data integrity, data security and all that gubbins immensely.

It is with great regret then that I have to announce that most people aren't using it for the right thing. I have to defer to Fred Cohen slightly on this one, as I have done many times in the past, but just think for a moment why you encrypt things. If you are a CISSP or other security professional, go back to basics, look at your C, your I and your A. Now tell me why we encrypt. Is it:
a) because it stops our data being viewed by people who we don't want to see it?
b) because it stops our data leaking outside our organisation?
c) to protect from the DBA?
d) because it keeps data secret?
e) none of the above.
If you answered a, you are probably a customer of one of the encryption vendors, who have sold you a policy engine, key management system and encryption bundle, all under the auspices of PCI - and there is an argument to say that this is A Good Thing.

If you answered b, you need to go back to school, this is Availability, not Confidentiality, you need DLP. c? Well, no, as I wrote earlier in the week, this doesn't happen. I still don't know of one encryption product which can successfully protect against the DBA, separation of duties maybe, making it harder to attack the data for sure, but complete protection, no-one can do.

d - correct, have a sweetie, this is the security 101 answer. But in reality, even this is wrong. I plump for e, because at the end of the day, encryption is only as strong as the latest algorithm, which is only as strong as the latest supercomputer, which is ever stronger according to Moore's Law.

So, is encryption useless? Not at all. There is a lot to be said for deterrent measures, for making things next to impossible in substitution for impossible. Along with data integrity, encryption provides a powerful tool for electronic data transfer between two points where trust is a requirement but not guaranteed. Where availability of data is a concern then encryption is a must too, otherwise the data loses its value quickly.

Chris Hoff describes information as 'data with a value', which is so smart I even wish I'd said it. Widespread availability of that data can reduce its value quickly, in simple terms: if everyone else knew what I know, I wouldn't be able to charge for it. Integrity of data adds no value unless we are certain of origin. The origin can be questioned far less if the data is encrypted: if I sign a piece of cleartext information, because it can still be read, it can be intercepted, changed, re-signed and re-sent. If this was encrypted, it cannot be read, changing it changes the signature, which then cannot be accepted at the end point, so the original message must be re-sent.

So maybe data isn't the be all and end all that many vendors pretend it is, certainly not in PCI anyway, but without it, your data isn't valuable information. Hence why you have 'data breaches' not information breaches I guess, once it's breached, it's already too late.

Tuesday, 15 April 2008

Crunch time

I don't imagine that this was all down to me. I emailed both of these guys to complain last week, so maybe the stress of dealing with me got too much for them and they quit, but more likely they are just bad at their jobs and were asked to leave. OK, I'll stop kicking them whilst they're down now.

I never wanted anyone to lose their jobs, I just wanted Britain and its Airways to look less crap. Maybe it will now. Maybe not.

I also hear that 40,000 city jobs are going to be lost in the near future due to the "fall out from the US credit crunch". I guess our recession is on the way. I still haven't arranged my re-mortgage on the house, a surveyor came round to value it yesterday whilst all our carpets were still up and the floors still damp. I may be looking at negative equity and living in a shoebox for the next 5 years.

It seems the only way I'm going to make any money at all is claiming it back from BA.

Friday, 11 April 2008

Why you need DLP and DAM

I've wanted to write this post for ages, but it wasn't really appropriate whilst working for an encryption and key management company. I wrote earlier about the need for DAM - something which Rich Mogull talks about a great deal and extremely well. But whereas Rich tends to look at it from every possible angle, and how to decide which one to pick, I have one very specific point to make, and have a good idea what I like already based on the people I've spoken to in the industry.

If you've encrypted your databases already, don't get complacent, you still aren't safe. Yes, you are compliant, but if you were worried about your DBA being nasty enough to steal data in the first place, encryption alone hasn't done anything he can't get around. Even if the whole thing is set up properly, consider for a moment how your encryption solution works:

Does it rely on views and triggers, or does it encrypt the underlying files? If the latter, it was never securing anything other than the files, and the DBMS could be full of holes (they often are). The data is still in the clear once the database is running, and the DBA has no harder time fiddling things than if the database was unencrypted.

If the former, think what's happening here:

When you encrypt a column in a database, you are encrypting the underlying table, removing the plaintext data, and putting in a view of the underlying table. Depending on the applied policy, this either gives you cleartext data out, or an encrypted reply/default message/chosen error.

Now, consider the fact that you are protecting against the DBA. That DBA has access to all the tables, views and triggers in his database, even if he can't access the encrypted data. What happens if the DBA writes into the views a simple few lines of code such that when a legitimate user of cleartext data accesses it, it writes that data to a file? The DBA then not only has the original data, but he has it in a separate location to the 'sensitive' data, in an unprotected file which he can then walk off with.

There are only 2 ways to protect against this:

1. DLP - anyone want to choose one after the dazzling array you've seen this week? I certainly don't. It would be a toss-up between Vontu or Vericept I think, but I'd need a PoC.

2. DAM - The stuff out there is of variable quality. Products like Guardium and Imperva have their place, but the killer app for me in this space still has to be Secerno. Much cleverer and better produced. I'm still waiting for this to hit the big time having picked it out at InfoSec last year. I think we'll be seeing a lot more of these guys.

I just hope Oracle/Microsoft/Google/Symantec doesn't buy them first.
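As an added illustration of the view and trigger risk described above, and of the kind of catalog monitoring a DAM product does, here is example code that is not from this post or from any vendor: it hashes every view and trigger definition as a baseline, then flags drift, new objects touching a protected column, or references to file/OS routines. SQLite stands in for the real DBMS, and the table, view and column names (cards_enc, cards, pan_enc, shadow) are constructed.

```python
import hashlib
import re
import sqlite3

# Constructed schema: cards_enc holds the ciphertext column (pan_enc) that an
# encryption product would protect, and cards is the view applications read.
# All names are hypothetical.
SCHEMA = """
CREATE TABLE cards_enc (id INTEGER PRIMARY KEY, pan_enc TEXT, holder TEXT);
CREATE VIEW cards AS SELECT id, pan_enc AS pan, holder FROM cards_enc;
"""

# Columns whose ciphertext (or the view over it) must not gain new consumers.
PROTECTED_COLUMNS = {"pan_enc"}

# File or OS access routines that have no business inside a view or trigger
# over protected data; an illustrative watch-list, not an exhaustive one.
FILE_OR_OS_PATTERNS = re.compile(
    r"\b(UTL_FILE|xp_cmdshell|OPENROWSET|INTO\s+OUTFILE)\b", re.IGNORECASE)


def catalog(conn):
    """Return {name: (type, ddl)} for every view and trigger in the catalog."""
    rows = conn.execute(
        "SELECT type, name, sql FROM sqlite_master "
        "WHERE type IN ('view', 'trigger') AND sql IS NOT NULL")
    return {name: (typ, sql) for typ, name, sql in rows}


def baseline(conn):
    """Hash each definition so later drift can be detected without storing DDL."""
    return {name: hashlib.sha256(sql.encode()).hexdigest()
            for name, (_, sql) in catalog(conn).items()}


def audit(conn, base):
    """Compare the live catalog with the baseline; return a list of findings."""
    findings = []
    current = catalog(conn)
    for name, (typ, sql) in current.items():
        digest = hashlib.sha256(sql.encode()).hexdigest()
        touches = any(col in sql for col in PROTECTED_COLUMNS)
        if name not in base:
            note = "new " + typ
            if touches:
                note += " touching protected column"
            findings.append((name, note))
        elif digest != base[name]:
            findings.append((name, typ + " definition changed"))
        if FILE_OR_OS_PATTERNS.search(sql):
            findings.append((name, "references file/OS routine"))
    for name in base.keys() - current.keys():
        findings.append((name, "dropped"))
    return findings


def demo():
    """Baseline a clean schema, then apply a privileged change and audit it."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    base = baseline(conn)
    clean = audit(conn, base)  # nothing should be reported yet
    # Simulated change by an account with DDL rights: the view is rewritten
    # and a trigger appears that copies the protected column elsewhere,
    # which is the scenario the post describes.
    conn.executescript("""
    CREATE TABLE shadow (id INTEGER, pan_enc TEXT);
    DROP VIEW cards;
    CREATE VIEW cards AS SELECT id, pan_enc AS pan, holder, 1 AS v FROM cards_enc;
    CREATE TRIGGER copy_pan AFTER INSERT ON cards_enc
    BEGIN INSERT INTO shadow (id, pan_enc) VALUES (NEW.id, NEW.pan_enc); END;
    """)
    return clean, audit(conn, base)


if __name__ == "__main__":
    before, after = demo()
    print("findings before change:", before)
    for name, note in after:
        print(f"{name}: {note}")
```

In a real deployment the baseline would be stored outside the database and the audit run from an account the DBA does not control, otherwise the monitor is only as trustworthy as the person it watches.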

Do one job, and do it well (Mr. Walsh)

I know I said I wasn't going to refer to my luggage again, but I have to report a bit of a coup. I just had a call from the BA Executive Office, apparently Willie Walsh Himself 'was aware' of my email (not the one I posted here the other day, but another, more reasonable one). They are going to cover my expenses up to £800 - which will cover the $1100 suit I had to buy, and the various toiletries, plus today I get to pick out a nice pair of shoes to go with it. My wife is going to Nieman Marcus and Saks.

On top of this, we're getting an upgrade to Club Class on the way back, but it wasn't without a huge amount of complaint and emailing everyone under the sun. I'm flying home tomorrow and my luggage still isn't here. I've had a pretty appalling experience all in all and I'm certainly not going to be mollified by a few freebies, which cost BA next to nothing. I think they are scared that I will go to the newspapers, the BBC, and the courts. They'd be right.

So you want to hear about some security? I've been unimpressed. Apparently McAfee spent over $300k on a party on Tuesday night. This will just be for tax reasons I'm sure, but you can be sure as hell no-one will buy any antivirus because of it. Google had some coloured boxes out on stands. Why? Google, you are not a security company, please don't even try. I was pleased to note that there was always more staff than visitors on the stand. Microsoft, IBM, not sure what their messages were this year, although I'm glad to see more of a recognition of data security at last.

The small guys on the side booths, I don't know what they were there for. A hundred different products doing... the same thing. A couple of honourable mentions then for:
RedSeal, who I think have a nice product, which does a necessary job. Don't add any more features guys, and you have a great little earner. Do one job, and do it well, the security software mantra, one which Willie could learn from perhaps.

PKWare, who has something more than they are shouting about, completely the opposite of everyone else at the show, and very refreshing. They also don't have slicked back marketing monkeys in shiny suits.

Protegrity, I think they'll do well now SafeNet have swallowed up Ingrian. SafeNet probably won't get their messaging straight for a few months, giving Protegrity a clear run at the SME market where they can build their reputation.

Vericept, nice little start-up with great people. I'm a big fan, and will be talking about these guys more in future.

Secerno, I still like this lot. They're British and Paul Galwas, their PM in the UK, is a very nice guy who I can happily spend time yammering away about data security with. DAM is clearly the way ahead, especially if you've just spent a wad on encrypting your databases. Sorry, they're still not secure.

There are a few more, but none really stands out from the crowd. I won't be so mean as to mention the ones I really don't like, but there are some out there which are pure marketing and vapourware. I was in competition with one when I worked out in Spain - data integrity product, you do the research - they have nothing, no product, just a load of cash from some particularly dodgy lawsuits. I can't say more publicly for fear of another one.

I saw their CEO at the show, slicked back hair and a shiny suit.

Thursday, 10 April 2008

Final dissertation for RSA 2008

No more RSA for me, my last security 'appointment' of the week just finished, dinner with Mike Dahn and Walt Conway at Sam's, just down the road from my hotel. And with friends like these, of course the conversation turned to PCI (after the mandatory bitch about my luggage of course, which still isn't here).

I thought I'd been alone in my utter confusion at most of the products on display at RSA this year. Some of them seemed OK, most of them were pretty rubbish to be honest, and all of them purported to be DLP/PCI/GRC or part of a risk management solution. Right. Like Rich said in his blog earlier, there was hardly a theme.

The problem seems to be that security got sexy, the guys in sandals became guys in suits, then girls in nurses uniforms. I have nothing against this, but it proves that where there were once ideas, there is now marketing in force. Once the marketeers get involved, everyone has to fight for the same dollars, which become cents, slices of a finite pie.

In a way I'm glad there was no theme. It means that I was right about the market not going anywhere. Maybe security will have a chance to catch up with the marketing now, and then the compliance will get nicely rounded too, and everyone will stop complaining about it. I doubt it though.

Some of the bigger crimes of the conference that we discussed tonight:
The vendor who talked about 'encrypting the PIN' to Walt, who when corrected, ('er, that's PAN'), threw a strop and refused to talk any more.

The vendor who Mike asked about their POS protection who replied that what they were selling was more of an e-commerce solution, like TJX. Mike pointed out that TJX was POS, to which she replied, 'oh yeah, that sort of thing.'

The literally hundreds of vendors sitting there trying to make one little box do 50 different things, just to get a sniff of a customer, purporting to solve PCI in one fell swoop. THIS CAN'T BE DONE.

And finally, there was some good stuff too:

I've heard rumour that there was a log solution vendor saying that they just addressed logs.

I also hear tales of the vendor who only purported to address PCI requirement 1, and nothing else.

I saw products which only addressed one problem, not even a compliance issue, didn't talk about GRC or DLP or TJX or PCI, and did it well. These are the ones you will see at next year's conference.

I was particularly impressed with PKWare, who I will be representing at InfoSec in a couple of weeks. I love their technology, just because it's simple, it cuts through the marketing bullshit and does what people need, much like their products always have. It's also cheaper and easier to install than anything else I've ever used, and when it comes to encryption, there's not much I haven't used.

So, some of RSA was disappointing, but to be expected. There are still some genuine treasures to be found out there, and the future for them is bright.

Being vindictive

During the biggest security conference of the year, my blog has somewhat given way to the less interesting story of lost luggage, as that is what has occupied my time more than anything security orientated. I'm more than a little annoyed at that myself, and next week I will be making this known to BA in no uncertain terms. Yesterday I emailed Willie Walsh himself, and the director of operations for T5, and the marketing director for BA as a whole. Today I have emailed a friend on the BBC Ten O'Clock News team, the editorial desk of the Times newspaper, and the Sun just for balance and coverage. Who knows if this is still newsworthy, but I'm not letting them get away with this.

One person I must mention in particular is Chris Elliott of Elliott.org - the travel troubleshooter. I found him purely by chance through Google whilst searching for Willie Walsh's email address - it's the one I printed in my spoof email yesterday, by chance. I hope no bots go screen scraping it from my blog and send him spam, as that would be awful, but so be it. I emailed Chris on the off-chance he could help me as well, and he's been a star. He has already helped a number of people claim against BA, and said that if I'm having problems with them, he has 'a few tricks up his sleeve' to help out.

I can't wait. Thanks Chris, you've given me a new reason to be happy today and perhaps now I can get on with my work.

I promise you, no more stories about luggage, unless I get on the telly.

Something to shout about

I have mixed feelings about this week. In a way, it has been the most terrifying and frustrating of my life so far. My luggage is still somewhere between Heathrow and San Francisco, which means it could be in International Waters for all I know. At this stage if I think about it any more I will probably hit something. My flight home is in a little over 48 hours (with any luck), and I'm really not looking forward to it.

On the plus side I have met some really great people this week, the guys from Protegrity were an unexpected pleasure, Vericept are everything a start-up should be in my eyes, the bloggers were fun and interesting. I'm excited about some work I have lined up in the near future having spoken to some of the PKWare guys over here this week. I've had some incredible conversations, and found a lot of interest in my new venture - SecurEMEA.

Several people have asked my opinion on data security, and in an interesting new twist, which I would only expect to get out here, how we can go about educating the world on a much larger scale about data-centric security. Kevin Rowney said "I want to re-write the book". To which I replied "I think you'll literally have to write that book then."

It's sad, but true, just talking about these things doesn't get you anywhere, you need to write, and write well, talk and talk well, spread the word and become an evangelist. But unless you're really good at it, Rich Mogull, Bruce Schneier, or one of those incorporated types who gets to do this type of thing on a wage, you won't necessarily get any thanks for it.

When Gordon Rapkin asked me "what job do you want to do?" over lunch the other day, I very deliberately said that I was taking time out to think about this right now. Hence the contracting. I don't want to go headlong into any job right now where I might think better of it in 2 months time and want to get out. What I'd like to do of course is be an international playboy with a private jet (and my own baggage handlers), but I don't think my wife would allow it.

I would really enjoy being a paid analyst and evangelist, taking pre-sales to another level. I caught Erich (Baumgartner) from Ingrian as I was entering the Moscone today, and as we parted company he asked if he could run some technology ideas past me. I said I'd be pleased, because I would, I enjoy it immensely. Now if only I can find a way of getting paid to do it...

Wednesday, 9 April 2008

Post script for the week

When we stopped in Ireland on Sunday, I managed to get down to breakfast very early before the buses left for the airport. My wife hates breakfast, so I went solo and friendless. I wandered, bleary-eyed into the bar area and took various fried fare to a free seat at the end of a table.

There were 2 tired-yet-presentable girls, sorry, ladies, at the table, and I asked if I could sit. They said I could and we struck up the most basic of conversations, centering on what we were missing in San Francisco already. It turns out that these ladies were none other than the editor and marketing person from Infosecurity Magazine. I was so bleary at the time that I can't actually remember what I said, but it was of no consequence. I thought about this chance meeting later on the plane and realised I'd probably missed an opportunity, but I'm not sure I would appreciate being solicited over breakfast, and decided on balance I'd made the better choice not to talk too much.

I popped by the Infosecurity Magazine stand yesterday to catch up with these ladies, see if they'd had their luggage yet and ask if I could write something for them - now I'd thought it through and we'd all had some sleep. Nothing to do with the fact that they're pretty young ladies of course. Sadly the two I'd met weren't there, but their helper on the stand said they'd be back at 2pm. I wasn't however. No, I was out doing rounds of the show again, looking for Anton Chuvakin (also very beautiful - you've seen the picture on his blog?) who said we should try and hook up, but I decided he probably wasn't looking as hard for me and headed back to the hotel to write more abusive emails to British Airways.

To: Willie.Walsh@BA.com
From: Me

Dear Willie,

You are a fat, hopeless git and your airline is a disgrace. Why won't you resign and let someone less incompetent screw things up for a bit?


Rob Newby

P.S. Where's my f***ing luggage, you moron?

Today, again whilst scouting for Anton, I stumbled across the Infosecurity stand, this time, Eleanor (Dallaway, the aforementioned editor) was there, and I managed to talk coherently for at least 5 minutes before having to run off for my free lunch with Gordon and Paul. I hope she will still get in touch in time to meet up at Infosec, especially now I've said such nice things.

I also hope Willie will drop me a line to explain where my f***ing luggage is, but I'm not holding my breath, now I've been so publicly rude.

No such thing as a free lunch?

Today was another long day as I woke up to take a call from the CTO of PKWare. He missed it because of trouble with aeroplanes, of course, I should have predicted that. Lunch with Protegrity's CEO, Gordon Rapkin, and VP of Marketing, Paul Giardina - having been in competition with these guys for the last few months it made for some very interesting conversation. Of course I sold them all the trade secrets I could remember and in return got a free lunch.

I made a lazy amble round a few of the other stalls. Then I remembered why I don't do that at shows. The experienced show-goer knows that if you slow down, you're going to get badgered. Jetlag failed me and I ambled right into an ESET demo of their heuristic antivirus. This is like giving the Pope a dissertation on Islam - he probably knows it already and despite having a deep respect for it, won't touch it with a bargepole. Still, I got a free t-shirt, and my luggage still hasn't arrived.

This actually lightened my mood, so I did another recce, free Radware t-shirt with an amusing slogan, excellent. My wardrobe bolstered, I made my way over to Proofpoint and had a chat with some very sympathetic people. Another t-shirt. I hope this doesn't spoil my claim to British Airways.

Highlights of the day were to come however. Dressed in a smart new t-shirt and crappy old jeans, I made my way over to the Vormetric reception at the Yerba Buena opposite the Moscone Center. I was amazed to find that the girl on the desk remembered me, Krystal Kiser was a young university graduate when I first met her, and I have to admit I was quite taken with her as a young SE myself. I never thought she'd remember me of course. So, feeling quite the man, I went into the bar and talked to a few old friends. Mike Fleck, now director of Engineering, still leaves me in stitches every time we speak. Sadly I can't repeat what he said to make me laugh here or I'd be thrown off the internet.

Then, of course, came THE event of the day, the conference, and the year. The blogger's meet. What can I say. You were all probably there anyway. I was the tall guy in my traveling clothes. I saw Bruce Schneier taking all the food, and Hoff taking all the drinks. Finally hooked up with Anton Chuvakin, met Mike Rothman, Rich Mogull, Chris Hoff, Alan Shimel, all the great names in security blogging. Jet lag prevented me from taking the podcast stand as I would have just burbled into the microphone and embarrassed everyone. I still enjoyed it, another chance to tell everyone that I don't know where my luggage is.

Oh, and I got another t-shirt.

Tuesday, 8 April 2008

Ah, some security at last

Wow, today's been a long one... 7am I arrived at Hotel Nikko on Ellis and Mason and got in the lift with someone else who seemed to know where they were going. I ended up on the 25th floor where a large Vericept sign introduced me to the breakfast briefing with Rich Mogull. Having spoken to Rich many times on the phone and spent years reading his work, I was surprised to find I had spent our first couple of minutes in each other's exclusive company in complete silence - he had been my lift companion just moments earlier.

Rich gave a great talk about data breaches in the US and the UK, for which I was extremely grateful - not many people here are concerned about both markets, but it's important to know what's going on. Rich even let me pitch in a little about the state of the UK government's recent data problems, and also on a funny story about Jeremy Clarkson putting his details online for everyone to hack. [Full story here]

After the talk, Rich used his first podcast of the week to talk to little old me about the UK market, and my latest project, setting up an EMEA product management company - SecurEMEA.

A couple of meetings later and it was time to hit the show. I have rarely been so confused by messaging and constant banter. I walked around the show in a bit of a daze, being collared often by various friends old and new. I'm sure I know more people in San Francisco than I do in London these days.

Another couple of meetings with the guys at PKWare and Sam from AlertLogic and I was ready to hit the road. One more sweep of the show to make sure I hadn't missed anyone and I bumped into a couple of guys I'd shared my near death experience on the plane with.

4pm saw me hooking up with a couple of guys from Vormetric. No trade secrets to be shared, just catching up with old friends, and making a new one. Despite plying me with Starbucks coffee, I was flagging badly, so agreed to pop in for their drinks party tomorrow night at the B bar in Yerba Buena and made my way to my room.

Just as I was sitting back to enjoy some peace and quiet my wife came in and announced that her friend Leah, on her way to Australia and here keeping her company for the next few days, had had $100 stolen from her in the very same Starbucks earlier in the day. She turned up at the hotel a few moments later, so I bought her a drink and offered dinner. I'd hate anyone to go away with the impression that San Francisco is that sort of place, I love it and I feel so safe here normally. I guess you get bad people everywhere.

I'll be talking more about SecurEMEA in the very near future, after I have some initial conversations out of the way at RSA, but the basic premise is out there on the website, and I am available for immediate consultation. Catch up with me this week if you're at RSA, it could be a while until I'm coaxed back onto an aeroplane...

Monday, 7 April 2008

Fighting the system

I finally got off BA287 24 hours late and stopped shaking with fear just about the same time I started shaking with rage at the BA representative on the ground here in SFO. Having nearly killed us, lost our luggage, sent us on a tour of County Clare (which incidentally is extremely beautiful, but not San Francisco), put us up in a freezing hotel, then delayed us some more, they offered us $50 to replace our missing luggage.

I'm pretty much speechless at that, I don't need to write anything scathing or cutting, you're obviously as outraged as I was. And 300 other people. I will repeat again how crap Terminal 5 is, just in case anyone's out there still looking for a way to shut it down. The fact that they can't service a plane properly to the point where 300+ people are in danger of being made into pancakes in Shannon should really be enough to call the whole thing to a close. Willie Walsh, get your marching papers mate. The buck stops with you, you nearly killed 300 people. That's genocide. In the words of Alan Sugar, you're fired. Or you bloody well should be at least. What a shower.

In the midst of all of this, I have to register my appreciation of pretty much every Irish person I met on my journey, their emergency hospitality was fantastic and their sense of humour put a smile back on my face. The air crew on my flight, Eleanor and Lesley in particular, were great, and no doubt as terrified as us, as tired as us, and yet still worked another 10 hour day for us. Since I've arrived, every American has not only helped out where possible, but also apologised for my inconvenience (go figure that). No, it's the British (Airways) who are the bastards, as usual.

Now my disgust is registered in print and any 'real' journos looking for a piece to pick at can search for it on my keywords, I must turn my attention to something else which worries me, and my dear old Mum, who sent me a link to this story, with the comment at the end: "Maybe the editor is trying to put some of the bloggers off in the interest of keeping control of the news?"

She taught me everything I know. And you wonder why I'm so cynical.

Saturday, 5 April 2008

Just when you thought it was safe to go back in the airport...

Well... I'm still alive, just, to be able to tell you that Terminal 5 at Heathrow is NOT working properly, and neither are BA's planes. (BA, in this context, is British Airways not Mr. Baracus from the A-Team, he most definitely ain't gettin' in no plane, and now I know why.)

After a relatively smooth entry to the airport, we waved goodbye to our luggage for the last time and set off to the departure gates. I sat looking for potential terrorists, completely overlooking the fact that the guys in the blue uniforms were the ones who I had to fear most from.

13:50 we were all aboard and ready for take off. Except that someone wasn't. Apparently last week a passenger on the no-fly list had managed to board the plane and they had to remove ALL the bags before putting them all back on, bar one. They had to do this again today.

16:50 after 3 hours on the tarmac we were finally ready to go.

18:45 ohholyshitImgoingtodie. Except the news people reported it thus.

Let me report it more accurately - pilot interrupted my film to say "Senior member of cabin crew to flight deck IMMEDIATELY". Immediate gut wrench. Then another announcement of "There's a problem with the hydraulics", followed by "we're going to ditch some fuel to get down to the correct landing weight, nothing to worry about". My wife didn't tell me until we landed, but apparently they only do that if they're worried about the plane ditching early and exploding. Great stuff.

Well, we were apparently chased down the runway by 5 fire engines when we landed, and there was a round of applause for the captain. The only good thing to come out of this experience was that I spied Chris Boyd (Paperghost) a few seats back on the way back from the (inevitable) toilet stop once we'd landed. We chatted for a while and apparently Chris has some cracking photos, so you should stop by there for the video diary.

As they let us off the plane to retrieve our luggage and get a hotel for the night, 2 things happened. They lost our luggage and couldn't find a hotel for the night. As far as I know, my luggage is either in a) Terminal 5, Heathrow, b) San Francisco, c) Milan/Warsaw/Singapore or d) jettisoned over the Atlantic with 20 tons of kerosene.

We've ended up in the South Court Hotel in Limerick, which is lovely, but it's now 1am and I have to be up at 7. I hope I'll make it to San Francisco tomorrow. God how I pray.

Thursday, 3 April 2008

End of the line

Today marks my first day of glorious unemployment, it's a beautiful sunny day here and I'm prepping for RSA by checking that Terminal 5 is working properly and printing out various tickets. It's the end of Ingrian too as everything finally hands over to SafeNet. So I'm free... and right now I'm just going to enjoy it. I woke up at 11am today having stayed up until 3am this morning, just because I could, marvelous. I've decided to take Mike's advice and have a little time off to recuperate - the last year has been tough mentally and emotionally, and I still don't have any replacement carpets.

My friend Betty, Marketing Director of Ingrian (not sure of her new title at SafeNet) put some interesting remarks in the comments of my last post, asking about current trends in the market, maybe curious as to my next step, I hesitate to say 'hers'...

Betty asks some interesting questions about the next big thing, will it be enterprise search, location based services, video or solar/green energy; virtualization, social media or SaaS? These are all great questions and I'm sure they all have a bright future, but for me they mostly represent fashions rather than futures. That is, I'm sure they will all make some people in the valley a load of cash, but I'd rather look at stuff I'm interested in and make money where possible, not look at where the money is and be interested where possible. That's a pretty soulless existence and if I wanted that, I'd be a salesman.

The closest I can get to predicting the future in any of these is to say that Software as a Service will be used increasingly in the security field, it's already happening, and I would expect to see security combining with enterprise search and social media type technologies to give us some form of data classification relatively soon. I talked about this a lot last year and I'm really interested to see how this pans out. It will be something I am specifically looking for at RSA.

To be clear, I don't think there's a market for this yet, but anyone doing research into it now will be in the right place when the market arrives. I'll blog some more on this (as I have done in the past), but I think I'll wait until I've seen some more and enjoy the sun in the meantime, for tomorrow I must wrestle with Terminal 5...

Tuesday, 1 April 2008

Who you gonna call?

I have many options. In fact I have rather too many. Without giving any names I have been contacted by:
  • 2 encryption vendors
  • 3 other technology vendors
  • a reseller
  • a distributor
  • plus a friend who wants to set up a business with me, and some others who want to help out with temporary contracts.
It's far too much to make any sense of, hence my posts earlier in the week.

Apart from the work suggestions and ideas, I was astounded by the sheer number of people who have reached out to support me. Amongst the blogging community alone I've had a number of people go out of their way for me:

Brian Honan was first (as usual - same time zone helps) with suggestions of a couple of books I should read and the usual shoulder to cry on. (I've bought the books, Brian, they come tomorrow).

Andy Willingham described his recent, similar exercise and gave me confidence that I was on the right track.

shrdlu, as ever, let me pour my heart out and rant and rave in her general direction. [Now I think I've offended her by saying bad things about the US economy which sounded like I was being mean to her parents. I didn't mean it shrdlu! Please come back!]

Emily Bristow from NetConsulting over in Wales is becoming a firm friend who I find great to bounce ideas off. Maybe I'll have to head over to Tiger Bay sometime.

Walt, wing man, mentor, old chum, you are wise beyond your years and I look forward to catching up again next week.

Last, but by no means least, Uncle "Security" Mike Rothman. Mike spent half an hour of his precious time on the phone to me this afternoon (GMT, morning EST), helping me step through every option I have, and telling me basically not to get too wound up.

Great advice. I think I'm just going to chill out for a while. Thanks everyone!