Wednesday, 9 May 2007

Network security is dead, long live network security!

I'm a firm believer in providence: things come to you as you need them, not as you want them. And today, as I have been gearing up to finish my recent triptych on data-centric security, an email landed in my inbox about a cool little startup back in Blighty.

They are looking at something very exciting, data classification. Oh dear, I don't hear the rave whistles and cheers. OK, maybe it's only exciting to me, but the last time I was this excited about a technology I rented out my house, pleaded with my wife and moved to Barcelona.
I'm not going to name names here, because that isn't the point; there are actually plenty of companies doing data classification already, and finding them is a Google away. The point is that data classification is something very necessary for security to move forwards, and people are doing it better all the time.

The military have recognised the importance of data-centric security for many years, with their use of the Biba model for integrity (read up/write down) and the Bell-LaPadula model for confidentiality (read down/write up). [Note for security buffs: they also use Clark-Wilson for integrity, which hinges on well-formed transactions - constrained data transformations leading from one consistent system state to another. This also requires application classification, but then what is an application if it's not just a bunch of data?]

Without proper data classification you cannot enforce any of these models: we need to know the classification level of both the user and the data to enforce read and write permissions. This doesn't tend to happen in organisations because ordinary users and administrators aren't as disciplined in their use of the network as military ones, and there is a higher turnover. Corporate accounts are therefore managed with the same level of security as George from accounts' holiday pictures and MP3s.
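As an added illustration (not code from the original post), here is a small reference monitor that enforces the two rules quoted above over a constructed four-level lattice, and fails closed when either the user or the data carries no label, which is exactly the situation the paragraph describes. Level names, user and data labels are assumptions for the example.

```python
from enum import IntEnum
from typing import NamedTuple, Optional


class Level(IntEnum):
    """Classification / integrity levels, ordered low to high (constructed)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


class Labels(NamedTuple):
    """A subject or object carries one confidentiality and one integrity label;
    None means 'never classified'."""
    confidentiality: Optional[Level]
    integrity: Optional[Level]


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula (confidentiality): read down, write up.
    Simple-security property: no read up.  *-property: no write down."""
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject <= obj
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba (integrity): read up, write down.
    Simple-integrity property: no read down.  Integrity *-property: no write up."""
    if op == "read":
        return subject <= obj
    if op == "write":
        return subject >= obj
    raise ValueError(f"unknown operation {op!r}")


def mediate(user: Labels, data: Labels, op: str) -> bool:
    """Grant only if BOTH models allow it; unlabelled user or data is denied."""
    if None in user or None in data:
        return False
    return (blp_allows(user.confidentiality, data.confidentiality, op)
            and biba_allows(user.integrity, data.integrity, op))


# Constructed sample labels.
PAYROLL = Labels(Level.CONFIDENTIAL, Level.SECRET)      # sensitive, high integrity
PAYROLL_APP = Labels(Level.CONFIDENTIAL, Level.SECRET)  # the trusted process
GEORGE = Labels(Level.INTERNAL, Level.INTERNAL)         # ordinary user
AUDITOR = Labels(Level.SECRET, Level.PUBLIC)            # cleared to read, low integrity
UNTAGGED = Labels(None, None)                           # data nobody classified
```

Run `mediate(AUDITOR, PAYROLL, "read")` and `mediate(AUDITOR, PAYROLL, "write")` to see the auditor allowed to read but refused to write, and `mediate(GEORGE, UNTAGGED, "read")` to see unclassified data denied to everyone.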

So, once we have all the data classified, our users properly defined on the network, and the network working for us to match the two together (as per previous posts), our security should be much simplified. The users can have multi-factor authentication with IAM to address their self-administrative needs, the network can lose all of its unnecessary devices and we can just let it apply access to data if it is allowed by policy. I know of at least one framework (actually I can think of 3 off the top of my head, and there must be more) that will apply this security at the OS level or lower. The data will look after itself, and the network can be used for what it was intended for, carrying data.

This is still only the beginning, but it's happening at last. I've waited for it for years, but now I can see it coming. When it starts it will avalanche as people begin to realise the savings they can make and the all-round improvements they can apply to their infrastructures. If you want to slim down your network, speed up communications and still have weapons-grade security, come to the data side.

Taking the печенье

More on my current thread later; first today I wanted to talk news & politics. This story on the Register surprised me today. Headteacher Alexander Posonov, in the village of Sepych in the outer reaches of Russia's Ural Mountains, has been fined $195 for Microsoft software piracy. He bought some PCs with knock-off software already installed.

So why is this a surprise to me? Well, the fine came not from Microsoft, but a regional court, the case having already been thrown out by a district court. Before you go thinking that this is a reasonably lenient fine, $195 was half a month's salary for this poor man.

Apparently the motives behind this have to do with Russia trying to join the WTO, and it is some thoughtless attempt at strengthening a trade accord with the US. Even Vladimir Putin has said it is "ridiculous", so there is an official somewhere in the Urals with яичко on his face.
Rather than chase after the undoubtedly corrupt vendor, they chased the purchaser, which not only qualifies them for a bad cop award, but surely disqualifies them from entering any "fair trade" agreement with the US? Maybe fair trade isn't what they're both after, however. I digress.

Microsoft themselves have "distanced" themselves from the investigation, and I can't say I blame them. While this might seem like a magnanimous gesture, there is more to it than just an insane lack of justice at work.

When Microsoft officially released its software in China, they decided not to go after the pirates, because they knew what a huge economic power China were about to become. What could be more attractive than building an economy on Windows, then milking the new rich?

Russia is one of the largest economies in the world. It has the fourth largest fishing industry, so Google tells me, and is of course the largest producer of energy worldwide, most of which now belongs to Boris Yeltsin's old mates.

The flip side of this P&L examination comes in this story in the Inquirer, which says that Russian schools are now so terrified of getting caught and bankrupted for using Microsoft products which they didn't know were knocked off that they are using Linux instead. I tried to stifle my laughter, because I'm in a busy office and there's work going on. If I were the Russian official I'd be hiding in the stationery cupboard - that's more than $195 he just lost the district. Now he has Putin AND Microsoft after him.

So what's next? Will said official mysteriously disappear in the night and peace return to Sepych? Will Microsoft lean on the district court to get it turned over, will they refund the poor headteacher his half month's salary? Will we see Putin stick his oar in and get everyone back on Windows so the trade agreement goes ahead without a hitch? Will anyone make an example of this miscarriage of justice and get the real culprits so all of this mess can be sorted out? None of the above? You've got to start asking questions about how Russia/Microsoft/US trade agreements work sooner or later. I should probably stop before I get a knock on the door.

I'll be in the stationery cupboard.

P.S. "печенье" means "biscuit", "яичко" means "egg" - why, what did you think?

Tuesday, 8 May 2007

Theory of everything

My opinion changes as often as my pants, possibly more so. As a result I am no closer to the holy grail of complete and simple security than I am to consistently clean underwear.

I posted yesterday on IAM, and my opinion rests where it lay then. IAM seems to be more about easing administration of users, or rather handing them back the control they use when entering a network. This is a good thing, and should be encouraged, but it doesn't help me in my quest for data-centric security as much as I'd hoped. I think IAM is trying to do too much. I'm not sure it has a place in access control. Access control should be addressed where the users meet the data, but is there a place for this in IAM? Maybe, but only if there is a link to the data as well. Otherwise the layers should be kept separate and open for communication.

But for now I move on to network security. Network security is such a minefield. There are so many devices, so many business problems that need fixing, and as many solutions as there are issues. Not every device on a network is necessary in my opinion. In fact I will go further and say that none of the devices on a network are necessary if proper data access controls are applied. These obviously have to be rigorous if this model is to work, and that's why we've got so many devices.

Think about any device on your network, a firewall, proxy, load balancer, database encryptor, HSM, etc. and ask yourself why it's there, no really, WHY is it there? Firewalls, to stop people accessing your network. Yes, but WHY? Because there's sensitive data there. Proxies, to control connections out to the internet. Yes, but WHY? To stop things being brought back in which might corrupt the data (or the users I suppose!). Encryption? To protect the data. HSMs, to protect the keys (which are data in themselves) which... protect the data.

It strikes me that all the network needs is a good access control framework. Maybe this is why NAC is so popular at present. However, I'm not so sure NAC is doing what we require of it, or rather it is trying to do too much. NAC does not need to control users, merely know them. NAC does not need to touch data, merely give a yes or no answer.

Data-centric security is not just thinking about the data. It is about addressing security in the right place. User security needs to be addressed by the users as far as possible. Access controls should be addressed at the point where the users meet the data, i.e. the network, but in a meaningful way. Data security needs to be addressed as close to the data as possible, i.e. at the data itself.

Stick with me here. I'll continue tomorrow.

Monday, 7 May 2007

The big IAM

I haven't had a data centric security post for a while as I've been very much business focused in my day job recently. By night however, I've still been scouring the internet for morsels of security information by any means feasible, just short of selling my mother.

My last trick was to publish something that someone else said in Dutch, thereby snagging the interest of a Security giant and Afrikaans speaker from South Africa, Karel Rode. Karel is the Security Strategist at CA and a board member of Internet Security Group Africa (ISGAfrica). Therefore I listened and absorbed all he had to say with great interest.

Karel wrote to me about IdM/IAM and how important it was in my continuing quest for data security. I wasn't totally convinced at first, saying that I thought 2- and 3-factor authentication was probably enough given proper access controls. Karel kept on resolutely and kept on explaining that IAM was necessary. Then I remembered: I used to work for a company who wrote their own access controls around the data, and he works for a company which puts their access controls around the user, so there's bound to be some conflict, even if there are valid arguments on both sides. So who's right?

My argument is that the data should control who accesses it, rather than the user controlling what they access. It's a simplistic view of a much more complex set of ideas, but it will do for now. Centralising security around the data makes a lot of sense to me: data is hard to control; it moves around, gets broken up, becomes dispersed, gets appended, replicated and deleted. Users tend to stay as discrete packages, and we can normally define them fairly easily in the context of our network.

However, before I get too excited, Karel wasn't disagreeing with this notion, in fact he made it very clear that he agreed. He just advised that I think harder about the user security. There are very good arguments why you should look into IAM.

1. IAM seems to be good at addressing compliance issues from a user perspective.

2. With IAM, users can self-service a request for access to more or new services through forms.
a) System owners are automatically informed through workflow routing.
b) Password resets are in the hands of the users with IAM.

3. IAM is not SSO, widespread use of SSO is a myth. Many companies will not allow pervasive SSO if the perceived risks in some instances are too high.

I will comment further on these points tomorrow, from a data-centric perspective. Thanks to Karel for opening my eyes a little further.

Sunday, 6 May 2007

"What we have here is... failure to communicate..."

"...Some men you just can't reach, so you get what we had here last night, which is the way he wants it. Well, he gets it, and I don't like it any more than you men. " - Strother Martin, Cool Hand Luke.

There's a lot in the news today about the vulnerabilities which TJX left in their network to allow their recent breach to take place. They were apparently using WEP to secure their stockroom wireless, which had access to the central user database. This goes beyond careless, and it's therefore unsurprising to hear that it could cost TJX in excess of $1bn. What is worth taking a look at is exactly how that is being calculated however. I'm not going to steal Alex's thunder on this one, including the possible costs of securing ($100million), as he's done a great job.

What I'm interested in considering is the business case which TJX could have presented to avoid this. A company with a $13bn turnover surely has some security people SOMEWHERE, probably different ones now, but this wasn't new news. TJX had been vulnerable for around 4 years, and had been warned previously that they were vulnerable, so somewhere something has gone wrong.

From previous discussions I've had here and on PCI Answers, it is clear that security is not well understood by many people running a business. Of course now anyone with any doubts can just cite TJX, but what could TJX have done?

First let's examine the facts again: they used WEP encryption, with no MAC filtering and broadcast SSIDs. This is like closing your front door, leaving the key under the mat, with a note on the door saying "The key's under the mat". Turning off SSID broadcasting, putting in MAC filtering and using WPA is a 10-minute job, basically free of charge. It doesn't cost $100 million and certainly not $1bn.
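To make the "10 minute job" concrete, here is an added example (not from the original post, and not TJX's real configuration) that audits a hostapd-style access point config for the three controls listed above. The two config fragments are constructed stand-ins for a stockroom AP before and after the fix; the key names are standard hostapd options.

```python
# Constructed: what the stockroom AP looked like according to the post.
WEAK_CONFIG = """
interface=wlan0
ssid=STOCKROOM
ignore_broadcast_ssid=0     # SSID broadcast on
macaddr_acl=0               # no MAC allow-list
wep_default_key=0           # WEP: static RC4 key, broken
wep_key0=0123456789
"""

# Constructed: the same AP after the fix described above.
HARDENED_CONFIG = """
interface=wlan0
ssid=STOCKROOM
ignore_broadcast_ssid=1     # hide the SSID from beacons
macaddr_acl=1               # only stations in accept_mac_file may associate
accept_mac_file=/etc/hostapd/hostapd.accept
wpa=2                       # WPA2 (RSN) rather than WEP
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP           # AES-CCMP, not TKIP
wpa_passphrase=REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE
"""


def parse_config(text):
    """Parse key=value lines, ignoring blank lines and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means all three controls are present."""
    findings = []
    if any(k.startswith("wep_key") for k in cfg) or cfg.get("wpa", "0") == "0":
        findings.append("encryption: WEP or none; set wpa=2 with rsn_pairwise=CCMP")
    elif "CCMP" not in cfg.get("rsn_pairwise", ""):
        findings.append("encryption: WPA without CCMP; set rsn_pairwise=CCMP")
    if cfg.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("ssid: broadcast enabled; set ignore_broadcast_ssid=1")
    if cfg.get("macaddr_acl", "0") != "1":
        findings.append("mac: no allow-list; set macaddr_acl=1 and accept_mac_file")
    return findings
```

Of the three controls, the cipher is the one that actually keeps traffic confidential; a hidden SSID and a MAC allow-list only raise the bar slightly, so the audit treats the encryption finding as the one that must never appear.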

I'm sure there were other holes, they were not PCI compliant after all, but this is the thing that got them and the issue which is in the news today.

So, assuming that there were security and technical people aware of these securing methods, and they are the most basic ones I can think of in wireless security, the issue really lies somewhere else. TJX is a vast company, covering many countries, and the evidence is that only this one area was hit. That sounds lucky. The issue seems to come down to one of communication, pure and simple. This is so often the case in security breaches and one rarely discussed.

As I said, business people are rarely in tune with security, they are focused on profit, and security does not equal profit (unless you are a vendor). A vital part of security is communicating ideas, making sure people know about password strengths, recommended practices, etc. It may well be that someone at TJX had already rung alarm bells, but unless that person has a voice, it can be ignored. It's time for businesses to put more emphasis on security, and the only way we are going to have those voices listened to is by enforcing regulations.

PCI is a good start, along with SB1386 disclosure rulings, ISO17799 guidelines, etc., but until we have international laws instructing businesses in how to communicate and not giving get-out clauses (PCI has compensating measures), these events will continue to occur.

Thursday, 3 May 2007

Me, me, me.

I'm feeling pretty smug today, not for the obvious reasons (tall, good looking, own teeth, etc.) but for a couple of pieces of feedback I've had. One from Mike Rothman here and the article I referred to here finally got printed here in its original form, and again here! Must have been a slow news day.

First of all, I thought Mike had forgotten about me, and I was feeling a little disappointed because I am genuinely in awe of "The Pragmatic CSO". I've never had such a strong feeling of "I wish I'd thought of that" before. Now he's got back to me AND said that I've got some good ideas, I'm kind of excited, especially considering he must be an extremely busy man.

Second, I thought the old InfoSec articles got chucked out with the stand flair at the end of the show, so I was really surprised when the Business Development director at Kinamik told me I was in print.

I checked with the palace, and apparently my knighthood is in the post.

Tuesday, 1 May 2007

Pooling knowledge

I have a question for the community at large: has anyone ever produced an IT Security timeline in the US, showing us when major advances in security were made, i.e. firewalls, IDS, IPS, UTM, AV, encryption, etc?

I think this could be not only very interesting, but also helpful in analysis of the market in Europe moving forwards. All I'd have to do is look at what happened 4 years ago in the US and I'd become a visionary in Europe.

It's a serious question however, does such a timeline exist? Let me know if you find one.
