Wednesday, 30 May 2007

Exciting compliance shakes up security

Is it just me or is everyone talking about compliance all of a sudden? Wow, what a thrill.

I've seen more articles about ISO17799/27001 in the last week than in any other week in the history of the standard. It's been in existence for about as long as I've been in IT Security in one form or another, as BS7799, when I was a slip of a lad, setting off on my career path back in the UK, to its current spread of numerical dyslexia from ISO17799 through to 27008. But that's not important right now. I'll blog on it later once everyone else has bored you to death with it. Ready yet?

I've also seen a lot of stuff being written about data security. I suppose I asked for it. I've wanted proper data-centric security for a while, and now people are really beginning to think about it, the crackpots are coming out of the woodwork. I ask you for one thing, in the vain hope you might be a crackpot with a conscience (and hey, if you're reading this, you just might be): please, please, please, think about what you are writing before you bombard us with rubbish ("Hypocrite!" I hear you cry). However, I've been around the block on this particular topic, and I'm not going to back down on "matters of opinion". OK, personal gripe over, let's get back to the topic in hand.

A lot of people have commented on Chris Hoff's "Network security is dead" post this week. Some say "Yay", others "Nay". I am a Yay-sayer. Not because I support Microsoft, UTM, or even Chris himself - although he seems to be a nice chap and he's always questioning the big security "names" instead of taking their wisdom as gospel, which I think needs a lot more encouraging. I say "yay" for my own data-centric reasons, and because I think UTM might just be a way towards it without offending my sensitive security nature too much.

So, compliance and data security, the death of the network, where could this possibly be leading?

I think security really needs a shake-up. It's in a bit of a rut, like we're scared of getting it wrong, or moving forwards. No-one seems to know where convergence is going, because it could just stay like it is or everything could end up in huge mainframes which we attach to with terminals...

No-one trusts data security or user-security, and everyone HATES network security. Actually, I should qualify that, I don't hate network security, I think it's a necessary evil - a place where research about other types of security is done. Network security in itself doesn't really exist you see. If you can think of a device in which it does, it's pointless (ahem, firewalls). The network isn't actually where the security is taking place, it's always on a device, which is essentially a host of some sort anyway, which requires linking to something, with users, ending up at data, etc, etc. Then it gets built into the most useful device, or a UTM box. Where will the UTM boxes end up? Probably one at the perimeter, and one at the data. One for users, one for, er, data. Yawn. It's all got a bit dull really, this discussion of convergence and UTM, NAC, blah, blah, blah. Just buy a couple of Crossbeam boxes and futureproof yourself, get on with your life.

So where was the big encryption explosion I was waiting for? Never happened, why? Because confidentiality isn't the whole story of security, and in fact isn't much of a story at all. Availability has been massive over the years of course, but why not integrity? Well, no-one understands it properly, that's why.

I think we're about to see a big shift here as the repercussions slowly dawn on the market however. And that's why I'm doing what I do. Selling integrity to people is hard. If they haven't experienced a loss of integrity they don't understand how damaging it is. We have to rely on compliance, and internal compliance at that. "External" compliance STILL isn't properly secure. I'd like to see some proper leaps forward in security, with some proper international compliance driving it, across every industry: something simple that we can all comply with.

Maybe that's why everyone's talking about ISO27001 all of a sudden?

Sunday, 27 May 2007

Google takes a shot at security.

So Google are entering the world of online security... and how do we feel about this?

1. Every time Google get involved in something, it improves. Search engines, advertising, maps, etc.

2. Google has a huge amount of money.

I have mixed feelings. Google will undoubtedly revolutionise the way malware can spread, stop it in its tracks, warn businesses before it gets to their networks, release patches in real-time, etc. There is also an argument that Google allows phishing, and needs to be fixed before it starts playing policeman. This is largely a moot point in an organisation this size, but it would be good for show. OK, so from a pure security standpoint, it should be A Good Thing.

Google will also undoubtedly sink money into other areas of security, and huge amounts of it. This is something which could ruin it for me. I enjoy working in startups. I enjoy working in Europe. I enjoy having a unique view of the security market, and access to businesses on both sides of the pond. Google could severely dilute this for me. So from a personal standpoint, this might be A Bad Thing.

On the other hand, Google will need to consider the future too, it's what they're good at. Security is converging and changing, and the web itself is becoming semantic. The next few years will see a shift towards data-centric operations, and they may well need to look at the things we are doing.

You know where to find me!

I need help!

I've never tried this before, so I don't know how or if it will work. Very simply, I've got so much work on at the moment that I need someone to give me a hand. You might have noticed that I've been blogging less of late. I just haven't had the time or energy in the evenings.

We've got a load of projects on at Kinamik at the moment, and I'm being torn between drumming up business and keeping the day-to-day PM stuff running. It mainly looks after itself because the technical team are superb, but there's a load of new input that's needed which I just don't have the time for.

We've put ads out in the usual places asking for someone, but so far the response has turned up no-one useful. So briefly speaking, what am I looking for?

1. You need to live in or be able to commute to Barcelona daily, as that's where the job is. We had 2 people from Canada apply last week...
2. You need to be interested in IT, security, and new technology.
3. You need to be prepared to do research and analysis of established products for me, and create some product related marketing material.

Preferably you will have some business skills and know a little about PKI too, it would help.
Oh, and you must speak English, otherwise we're going to have trouble communicating... and essentially that's what this job is all about.

It will be a fun role, which will lead to a high profile in the industry and is potentially very rewarding. We're going places, and anyone who joins now will be coming with us. We will do an initial 3 month contract, so it can suit someone studying for an MBA or suchlike, and then if you're what we want, we'll ask you to stay or come back after studies finish. Essentially, we're very flexible, and an enthusiastic personality is more important than a list of qualifications.

If you're interested, or know someone that you think might be able to fill this, please drop me a line and I'll call you. You can either answer this post, or if you are more cunning and manage to find my work address, reach me there.

Thanks, normal service will resume shortly. As soon as I find someone to take the load off.

Friday, 25 May 2007

Blog 'til I die

It's been a while since I posted regularly because I've been traveling a lot recently, I was also in hiding. Jon Robinson asked me to write some more stuff about frameworks and security models. I should have kept my bloody mouth shut. :)

I will write more on Bell-LaPadula, Biba and Clark-Wilson over the weekend if I get time (the in-laws are approaching as I write, so I may not). It can be quite dry and to tell the truth not the most enjoyable part of IT security, unless your name is Bell, LaPadula, Biba, Clark or Wilson.

Read Jon's blog. Not only is he clever and well informed in security, he uses a lot of economic theory which makes his blog really interesting, he's like his own little analyst community. I was going to set up a data-centric security blog (and indeed I did, but don't use it), like we do with PCI Answers, and invite a few people to contribute, but no-one told me how much time blogging takes up.

I'm sure the clock said 20:00, not 0:00 just 5 minutes back...

I'm sure my wife was here a moment ago...

When I die, there will be 2 things written on my tombstone: "Publish post" and "Save now".

I want the truth

OK, so this isn't going to be a very serious post.

I posted a couple of weeks ago using what is probably my favourite film quote, that of Strother Martin's "Captain" in Cool Hand Luke after he's (Luke = Steve McQueen Paul Newman [thanks Alex]) tried to escape and been caught. Solely because it had the line "failure to communicate" in it. And that's a big deal in security.

So, I started thinking about other security related film quotes (I have way too much time on my hands). I could only think of one off the top of my head:

In A Few Good Men, Colonel Jessop takes a military stance to security and undoes all the hard work of the Jericho Forum:

"You can't handle the truth! Son, we live in a world that has walls, and those walls have to be guarded by men with guns." - Jack Nicholson

OK, it's not very good, but I invite you to do better.

But then I was reminded of a classic, and for lovers of boring internet porn by over-privileged valley girls, from Casablanca:

"We'll always have Paris." :)

Have a good weekend.

Wednesday, 23 May 2007

Security Challenge

I saw an interesting poll on the ISC2 website earlier today, asking: "What is your company's biggest challenge in regard to information security?"

"Insufficient funding" came in third, lack of education second, and our all time number one biggest challenge of all time, "lack of management buy-in".

None of it particularly surprises me. I sent this over to my friend Andrew in Gibraltar to see what he made of it. He's a Security Officer with a distinct lack of management buy-in. He ventured forth the opinion:

"I wonder how much of the inability to secure sufficient funding and management buy-in is due to the approach of the security professionals themselves?

This suggests that the ability to improve Information Security is well within the grasp of the average company but they are just not dealing with it."

Another comment on PCI Answers from my old mate Tom Grubb from my Vormetric days (now at Polivec) made me realise that we're really only just beginning the real education of security. In fact we haven't even finished getting it right yet. I use a simple table in many of my presentations on data integrity to show the state of the industry, I won't reproduce it here, simply because I don't have a copy on my home PC, but the fact that I introduce data integrity as the cutting edge of security and where security is right now, shows you that we aren't in a mature industry yet.

I said to Tom that he has a big job of education to come, in fact I've been educating for nearly ten years now and still learning loads at the same time. When that stops, companies will be able to address compliance much more easily, from a reasonably static baseline, as Tom desires. At which point most of the fun stuff (weirdo geek solutions that no-one in their right minds would try to sell) surrounding security will have disappeared and I'll have to move into the mobile market or something equally hideous.

Until then, I'm happy where I am. Read into that what you will.

Thursday, 17 May 2007

Data-centric security is here!

I told you this day would come! But before I do the victory dance I still have to explain a little about compliance and where I am.

I've been at Complitech today, over at ExCel in London. A small-ish event, reminds me of InfoSec about 400 years ago when it was really about ideas rather than nurses in short skirts. Not that there's anything wrong with marketing, especially not in skirts, but this feels like a return to proper security, people who actually know what they're talking about, talking about it.

Note that I say security. Compliance isn't just doing network scans and getting expensive consultants to tick a box. Compliance tells us the best ways to do things. It's there to protect customers and end-users, which essentially protects the business. Guess what? That's security.

Everyone there today understood my technology, and that's NEVER happened at a trade show before. Still I had some 'interesting' conversations however. A guy who shall remain nameless (mainly because I can't remember his name) started talking to me about what he did: "I'm in security software", he said, "so I just came here to see what all the fuss was about." O...K... said my brain. "Security isn't the same business as compliance." I made my excuses and left. It's sad that some people in "security" as they call it, don't understand what they are doing.

A guy I spoke to earlier in the week, Phil Maynard, had a different view. A man with incredible credentials in storage and the connections to prove it. He never once pretended to be in security, and yet understands it with more clarity than anyone I spoke to today. We had a meeting booked for what I think we both expected to be half an hour or so whilst we swapped notes, but an hour and a half later I was still talking to him as he gently ushered me out of his office so he could attend a meeting.

Storage companies like the ones Phil used to work for have been buying up security companies left, right and centre of late. EMC now owns RSA (which owns Network Intelligence). NetApp own Decru (who never return my emails :( ), IBM owns ISS, amongst others. So storage people like Phil find themselves in a world of security, and security people like me find ourselves in a world of storage. It is all very strange to us both, and to have someone knowledgeable who can tell you what you need to know is frankly a relief. I hope this is the beginning of a long and fruitful relationship.

Phil told me that the solution he was pushing - data classification - was sold on an ROI argument, saving companies from duplicated data, and in the process, tidying up their filesystem. This can save up to 30% in a typical company, and hence the ROI. However, this has a limited lifetime, "de-duping" as it is called in the industry has almost had its day and the big players are moving in on their turf. Phil is pragmatic and his company still small enough to be nimble and out-manoeuvre the big guys however. Hence their move towards compliance once de-duping is yesterday's news. Phil's company will build engines on their current offering to encrypt, compress, add integrity, etc. to the data.

You know what this sounds like? Proper DATA-CENTRIC SECURITY. I'm in heaven.

I am less interested in explaining to people the many equations around compliance and security. Besides, I'm busy, I have a dance to do.

Friday, 11 May 2007

Let's get physical

Of course data security isn't just about protecting data when it is in storage, or even when it is in transit on the network. It's about the dreaded DRM, rights management, or who is allowed to use the data, for what.

The real problem we have with data is that once it's at an endpoint, a screen or a printer for example, it is almost impossible to control or secure. Once the data can be seen, it can be photographed, copied, memorised even. What controls do we have then?

When that endpoint is a USB storage device, the threats are even more difficult to control: it is up to the user to decide whether to encrypt the information, copy it, give it out, etc.

Well, there are policies, physical controls, monitoring. Everything you have on your network, you can have in the physical world, only better, and easier to manage. Security isn't just about the network. How many times do I have to tell you!

But this is still something which makes people give up on data security before they have begun. They see data as inherently weak once out of the network, so they hide their heads in the sand, and secure what they see. The network. This is a bad way of thinking, not only does it lead to weak data security, it leads to an over emphasis on network security. It's like buying yourself an armour plated car, but not getting insurance.

The way I like to look at it is to think of the network as your house, and the data as your children. OK, spend a wad on your house to put the kids in to start with, and make sure it's got doors and windows, but don't let your kids play on a building site, make sure they are properly protected wherever they go.

Someone over on PCI Compliance Demystified pointed me in the direction of this piece of writing last week. It is still as relevant today as it was when written 10 years ago.

Consider these 2 pieces of information for a moment if you will, and then look at the state of security today. Do you see a model of data-centric security surrounding availability and integrity of information, with confidentiality applied where necessary? Or do you see a ton of devices cluttering up every server room, all clamouring to be the safest because they claim some sort of extra secrecy for your network?

As Fred Cohen rightly asserts: "I believe that anyone who thinks that information security is primarily about privacy probably just doesn't know very much about information security."

As I rightly assert: "Anyone who thinks information security is about networks rather than data, doesn't know what the word 'information' means."

Wednesday, 9 May 2007

Network security is dead, long live network security!

I'm a firm believer in providence, things come to you as you need them, not as you want them. And today as I have been gearing up to finish my recent triptych on data-centric security, an email landed in my inbox about a cool little startup back in Blighty.

They are looking at something very exciting, data classification. Oh dear, I don't hear the rave whistles and cheers. OK, maybe it's only exciting to me, but the last time I was this excited about a technology I rented out my house, pleaded with my wife and moved to Barcelona.
I'm not going to name names here, because that isn't the point, there are actually plenty of companies doing data-classification already, and finding them is a Google away. The point is that data-classification is something very necessary for security to move forwards, and people are doing it better all the time.

The military have recognised the importance of data-centric security for many years, with their use of the Biba model for integrity (read up/write down) and Bell-LaPadula model for confidentiality (read down/write up). [Note for security buffs, they also use Clark-Wilson for integrity which hinges on well-formed transactions - constrained data transformations leading from one consistent system state to another. This also requires application classification, but then what is an application if it's not just a bunch of data?].

Without proper data classification you cannot enforce any of these models, we need to be aware of the classification level of the user and the data to enforce read and write permissions. This doesn't tend to happen in organisations because ordinary users and administrators aren't as disciplined in their use of the network as military ones, plus there is a higher turnover. Corporate accounts are therefore managed with the same level of security as George from accounts' holiday pictures and MP3s.
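To make the two label-based models above concrete, here is an added example (not code from the original post or from any military system): a toy reference monitor that evaluates a request against Bell-LaPadula and Biba on one shared linear lattice. The levels, subjects, objects and their labels are all constructed. It also shows the point made in the paragraph above about classification coming first: an object that was never labelled cannot be placed in either lattice, so the monitor denies it by default rather than guessing.

```python
"""Toy reference monitor combining Bell-LaPadula (confidentiality) and Biba
(integrity) decisions over one linear label lattice.  Added example: the
levels, subjects and objects below are constructed and belong to no real
system."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Tuple


class Level(IntEnum):
    """Linear lattice used for both orderings (higher = more sensitive / more trusted)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level   # Bell-LaPadula label: how sensitive a thing the subject may see
    integrity: Level   # Biba label: how much the subject's output is trusted


@dataclass(frozen=True)
class DataObject:
    name: str
    classification: Optional[Level]  # None models data that was never classified
    integrity: Optional[Level]


def blp_allows(subj: Subject, obj: DataObject, op: str) -> bool:
    """Bell-LaPadula, 'read down / write up': the simple security property
    forbids reading above your clearance, the *-property forbids writing below it."""
    if op == "read":
        return subj.clearance >= obj.classification
    return subj.clearance <= obj.classification


def biba_allows(subj: Subject, obj: DataObject, op: str) -> bool:
    """Biba, 'read up / write down': a subject may not read less trusted data
    (simple integrity) and may not write to more trusted data (integrity *-property)."""
    if op == "read":
        return subj.integrity <= obj.integrity
    return subj.integrity >= obj.integrity


def decide(subj: Subject, obj: DataObject, op: str) -> Tuple[bool, str]:
    """Combine both models; an access must pass each one.  Unlabelled data
    cannot be placed in either lattice, so it is denied by default, which is
    the concrete reason classification has to come before enforcement."""
    if op not in ("read", "write"):
        return False, f"unknown operation {op!r}"
    if obj.classification is None or obj.integrity is None:
        return False, f"{obj.name} is unclassified: default deny"
    if not blp_allows(subj, obj, op):
        return False, (f"BLP denies {subj.name} {op} {obj.name} "
                       f"(clearance {subj.clearance.name} vs {obj.classification.name})")
    if not biba_allows(subj, obj, op):
        return False, (f"Biba denies {subj.name} {op} {obj.name} "
                       f"(integrity {subj.integrity.name} vs {obj.integrity.name})")
    return True, f"{subj.name} may {op} {obj.name}"


# Constructed sample labels (hypothetical subjects and files).
ANALYST = Subject("analyst", clearance=Level.SECRET, integrity=Level.INTERNAL)
INTERN = Subject("intern", clearance=Level.INTERNAL, integrity=Level.PUBLIC)
PAYROLL = DataObject("payroll.xls", Level.CONFIDENTIAL, Level.CONFIDENTIAL)
WEB_FORM = DataObject("web-form-input", Level.PUBLIC, Level.PUBLIC)
HOLIDAY_PICS = DataObject("george-holiday.jpg", None, None)

REQUESTS = [
    (ANALYST, PAYROLL, "read"),      # allowed: read down (BLP) and read up (Biba)
    (ANALYST, PAYROLL, "write"),     # BLP *-property: SECRET may not write CONFIDENTIAL
    (ANALYST, WEB_FORM, "read"),     # Biba: a trusted subject may not read untrusted input
    (INTERN, PAYROLL, "write"),      # BLP allows the write up, Biba forbids it
    (INTERN, WEB_FORM, "read"),      # allowed by both
    (INTERN, HOLIDAY_PICS, "read"),  # unclassified: denied until someone labels it
]

if __name__ == "__main__":
    for subj, obj, op in REQUESTS:
        ok, why = decide(subj, obj, op)
        print("ALLOW" if ok else "DENY ", why)
```

The interesting rows are the ones where the two models disagree: BLP is happy for the intern to write into payroll (write up), and Biba is happy for the analyst to read the web form (read up), yet each request is refused by the other model. Whichever framework enforces this at the OS level, it can only do so if every object already carries both labels.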

So, once we have all the data classified, our users properly defined on the network, and the network working for us to match the two together (as per previous posts), our security should be much simplified. The users can have multi-factor authentication with IAM to address their self-administrative needs, the network can lose all of its unnecessary devices and we can just let it apply access to data if it is allowed by policy. I know of at least one framework (actually I can think of 3 off the top of my head, and there must be more) that will apply this security at the OS level or lower. The data will look after itself, and the network can be used for what it was intended for, carrying data.

This is still only the beginning, but it's happening at last. I've waited for it for years, but now I can see it coming. When it starts it will avalanche as people begin to realise the savings they can make and the all round improvements they can apply to their infrastructures. If you want to slim down your network, speed up communications and still have weapons grade security, come to the data side.

Taking the печенье

More on my current thread later, first today I wanted to talk news & politics. This story on the Register surprised me today. Headteacher Alexander Posonov, in the village of Sepych, in the outer reaches of the Ural Mountains, in Russia has been fined $195 for Microsoft software piracy. He bought some PCs with knock off software already installed.

So why is this a surprise to me? Well, the fine came not from Microsoft, but a regional court, the case having already been thrown out by a district court. Before you go thinking that this is a reasonably lenient fine, $195 was half a month's salary for this poor man.

Apparently the motives behind this are to do with Russia trying to join the WTO and is some thoughtless attempt at strengthening a trade accord with the US. Even Vladimir Putin has said it is "ridiculous", so there is an official somewhere in the Urals with яичко on his face.
Rather than chase after the undoubtedly corrupt vendor, they chased the purchaser, which not only qualifies them for a bad cop award, but surely disqualifies them from entering any "fair trade" agreement with the US? Maybe fair trade isn't what they're both after however. I digress.

Microsoft themselves have "distanced" themselves from the investigation, and I can't say I blame them, and while this might seem like a magnanimous gesture, there is more to it than just an insane lack of justice at work.

When Microsoft officially released its software in China, they decided not to go after the pirates, because they knew what a huge economic power China were about to become. What could be more attractive than building an economy on Windows, then milking the new rich?

Russia is one of the largest economies in the world. It has the fourth largest fishing industry, so Google tells me, and is of course the largest producer of energy worldwide, most of which now belongs to Boris Yeltsin's old mates.

The flip side of this P&L examination comes in this story in the Inquirer, which says that Russian schools are now so terrified of getting caught and bankrupted for using Microsoft products which they didn't know were knocked off, they are using Linux instead. I tried to stifle my laughter, because I'm in a busy office and there's work going on. If I were the Russian official I'd be hiding in the stationery cupboard - that's more than $195 he just lost the district. Now he has Putin AND Microsoft after him.

So what's next? Will said official mysteriously disappear in the night and peace return to Sepych? Will Microsoft lean on the district court to get it turned over, will they refund the poor headteacher his half month's salary? Will we see Putin stick his oar in and get everyone back on Windows so the trade agreement goes ahead without a hitch? Will anyone make an example of this miscarriage of justice and get the real culprits so all of this mess can be sorted out? None of the above? You've got to start asking questions about how Russia/Microsoft/US trade agreements work sooner or later. I should probably stop before I get a knock on the door.

I'll be in the stationery cupboard.

P.S. "печенье" means "biscuit", "яичко" means "egg" - why, what did you think?

Tuesday, 8 May 2007

Theory of everything

My opinion changes as often as my pants, possibly more so. As a result I am no closer to the holy grail of complete and simple security than I am to consistently clean underwear.

I posted yesterday on IAM, and my opinion rests where it lay then. IAM seems to be more about easing administration of users, or rather handing them back the control they use when entering a network. This is a good thing, and should be encouraged, but it doesn't help me in my quest for data-centric security as much as I'd hoped. I think IAM is trying to do too much. I'm not sure it has a place in access control. Access control should be addressed where the users meet the data, but is there a place for this in IAM? Maybe, but only if there is a link to the data as well. Otherwise the layers should be kept separate and open for communication.

But for now I move on to network security. Network security is such a minefield. There are so many devices, so many business problems that need fixing, and as many solutions as there are issues. Not every device on a network is necessary in my opinion. In fact I will go further and say that none of the devices on a network are necessary if proper data access controls are applied. These obviously have to be rigorous if this model is to work, and that's why we've got so many devices.

Think about any device on your network, a firewall, proxy, load balancer, database encryptor, HSM, etc. and ask yourself why it's there, no really, WHY is it there? Firewalls, to stop people accessing your network. Yes, but WHY? Because there's sensitive data there. Proxies, to control connections out to the internet. Yes, but WHY? To stop things being brought back in which might corrupt the data (or the users I suppose!). Encryption? To protect the data. HSMs, to protect the keys (which are data in themselves) which... protect the data.

It strikes me that all the network needs is a good access control framework. Maybe this is why NAC is so popular at present. However, I'm not so sure NAC is doing what we require of it, or rather it is trying to do too much. NAC does not need to control users, merely know them. NAC does not need to touch data, merely give a yes or no answer.

Data centric security is not just thinking about the data. It is about addressing security in the right place. User security needs to be addressed by the users as far as possible. Access controls should be addressed at the point where the users meet the data, i.e. the network, but in a meaningful way. Data security needs to be addressed as close to the data as is possible, i.e. at the data itself.

Stick with me here. I'll continue tomorrow.

Monday, 7 May 2007

The big IAM

I haven't had a data centric security post for a while as I've been very much business focused in my day job recently. By night however, I've still been scouring the internet for morsels of security information by any means feasible, just short of selling my mother.

My last trick was to publish something that someone else said in Dutch, thereby snagging the interest of a Security giant and Afrikaans speaker from South Africa, Karel Rode. Karel is the Security Strategist at CA and a board member of Internet Security Group Africa (ISGAfrica). Therefore I listened and absorbed all he had to say with great interest.

Karel wrote to me about IdM/IAM and how important it was in my continuing quest for data security. I wasn't totally convinced at first, saying that I thought 2 and 3-factor authentication was probably enough given proper access controls. Karel kept on resolutely and kept on explaining that IAM was necessary. Then I remembered, I used to work for a company who wrote their own access controls around the data, he works for a company which puts their access controls around the user, there's bound to be some conflict, even if there's valid arguments on both sides. So who's right?

My argument is that the data should control who accesses it, rather than the user controlling what they access. It's a simplistic view of a much more complex set of ideas, but it will do for now. Centralising security around the data makes a lot of sense to me, data is hard to control, it moves around, gets broken up, becomes dispersed, gets appended, replicated and deleted. Users tend to stay as discrete packages and we can normally define them fairly easily in the context of our network.

However, before I get too excited, Karel wasn't disagreeing with this notion, in fact he made it very clear that he agreed. He just advised that I think harder about the user security. There are very good arguments why you should look into IAM.

1. IAM seems to be good at addressing compliance issues from a user perspective.

2. With IAM, users can self-service a request for access to more or new services through forms.
a) System owners are automatically informed through workflow routing.
b) Password resets are in the hands of the users with IAM.

3. IAM is not SSO, widespread use of SSO is a myth. Many companies will not allow pervasive SSO if the perceived risks in some instances are too high.

I will comment further on these points tomorrow, from a data-centric perspective. Thanks to Karel for opening my eyes a little further.

Sunday, 6 May 2007

"What we have here is... failure to communicate..."

"...Some men you just can't reach, so you get what we had here last night, which is the way he wants it. Well, he gets it, and I don't like it any more than you men. " - Strother Martin, Cool Hand Luke.

There's a lot in the news today about the vulnerabilities which TJX left in their network to allow their recent breach to take place. They were apparently using WEP to secure their stockroom wireless, which had access to the central user database. This goes beyond careless, and it's therefore unsurprising to hear that it could cost TJX in excess of $1bn. What is worth taking a look at is exactly how that is being calculated however. I'm not going to steal Alex's thunder on this one, including the possible costs of securing ($100million), as he's done a great job.

What I'm interested in considering is the business case which TJX could have presented to avoid this. A company with a $13bn turnover surely has some security people SOMEWHERE, probably different ones now, but this wasn't new news. TJX had been vulnerable for around 4 years, and had been warned previously that they were vulnerable, so somewhere something has gone wrong.

From previous discussions I've had here and on PCI Answers, it is clear that security is not well understood by many people running a business. Of course now anyone with any doubts can just cite TJX, but what could TJX have done?

First let's examine the facts again, they used WEP encryption, with no MAC filtering and broadcast SSIDs. This is like closing your front door, leaving the key under the mat, with a note on the door saying "The key's under the mat". Turning off SSID broadcasting, putting in MAC filtering and using WPA is a 10 minute job, basically free of charge. It doesn't cost $100million and certainly not $1bn.
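As an added example (not code from the original post, and nothing to do with TJX's real equipment), here is a small audit script that checks an access-point configuration for the three things the paragraph above lists: WEP instead of WPA, a broadcast SSID and no MAC filtering. Both configurations are constructed, written in hostapd's key=value syntax; the passphrase is a placeholder. It goes slightly beyond the post in preferring WPA2 with CCMP over the original WPA, and it ranks the findings: the cipher is the control that actually protects the traffic, so it is reported at high severity, while the hidden SSID and MAC allow-list are the cheap extras the post describes and are reported at low severity.

```python
"""Audit a wireless access-point configuration against the three fixes the
post names: replace WEP, stop broadcasting the SSID, filter by MAC address.
Added example; both configs below are constructed in hostapd's key=value
syntax and are not TJX's or anyone else's real settings."""
from typing import Dict, List, Tuple

# Constructed: roughly the state the post describes (WEP, SSID broadcast, no MAC ACL).
WEAK_CONFIG = """
interface=wlan0
ssid=STOCKROOM
hw_mode=g
channel=6
wep_default_key=0
wep_key0=0123456789        # 40-bit WEP key
ignore_broadcast_ssid=0
macaddr_acl=0
"""

# Constructed: the same AP after the fixes, using WPA2/CCMP rather than WPA1.
HARDENED_CONFIG = """
interface=wlan0
ssid=STOCKROOM
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE   # placeholder value
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept.mac
"""

Finding = Tuple[str, str]  # (severity, message)


def parse_config(text: str) -> Dict[str, str]:
    """Parse key=value lines; '#' starts a comment, blank lines are skipped."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg: Dict[str, str]) -> List[Finding]:
    """Return findings ordered high -> low.  The cipher suite is the control
    that protects the traffic; the hidden SSID and MAC allow-list are cheap
    extras, so they are reported at low severity."""
    findings: List[Finding] = []
    wpa = cfg.get("wpa", "0")                      # hostapd default: no WPA
    uses_wep = any(k.startswith("wep_key") for k in cfg)
    if wpa == "0":
        if uses_wep:
            findings.append(("high", "WEP in use: broken cipher, migrate to wpa=2 with CCMP"))
        else:
            findings.append(("high", "open network: no link-layer encryption at all"))
    else:
        pairwise = cfg.get("wpa_pairwise", "") + cfg.get("rsn_pairwise", "")
        if wpa == "1" or "TKIP" in pairwise:
            findings.append(("medium", "WPA1/TKIP enabled: prefer wpa=2 with rsn_pairwise=CCMP"))
        passphrase = cfg.get("wpa_passphrase", "")
        if "PSK" in cfg.get("wpa_key_mgmt", "") and len(passphrase) < 20:
            findings.append(("medium", "short WPA passphrase: use 20+ random characters"))
    if cfg.get("ignore_broadcast_ssid", "0") == "0":
        findings.append(("low", "SSID is broadcast: set ignore_broadcast_ssid=1"))
    if cfg.get("macaddr_acl", "0") != "1":
        findings.append(("low", "no MAC allow-list: set macaddr_acl=1 and accept_mac_file"))
    return findings


def audit_text(text: str) -> List[Finding]:
    """Convenience wrapper: parse then audit a config file's contents."""
    return audit(parse_config(text))


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_text(text) or 'no findings'}")
```

Run against a real hostapd.conf by passing the file's contents to `audit_text`. The weak configuration produces one high and two low findings; the hardened one produces none, which is the "10 minute job" in the paragraph above expressed as a check you can re-run whenever the configuration changes.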

I'm sure there were other holes, they were not PCI compliant after all, but this is the thing that got them and the issue which is in the news today.

So, assuming that there were security and technical people aware of these securing methods, and they are the most basic ones I can think of in wireless security, the issue really lies somewhere else. TJX is a vast company, covering many countries, and the evidence is that only this one area was hit. That sounds lucky. The issue seems to come down to one of communication, pure and simple. This is so often the case in security breaches and one rarely discussed.

As I said, business people are rarely in tune with security, they are focused on profit, and security does not equal profit (unless you are a vendor). A vital part of security is communicating ideas, making sure people know about password strengths, recommended practices, etc. It may well be that someone at TJX had already rung alarm bells, but unless that person has a voice, it can be ignored. It's time for businesses to put more emphasis on security, and the only way we are going to have those voices listened to is by enforcing regulations.

PCI is a good start, along with SB1386 disclosure rulings, ISO17799 guidelines, etc. but until we have international laws instructing businesses in how to communicate and not giving get-out clauses (PCI has compensating measures), these events will continue to occur.

Thursday, 3 May 2007

Me, me, me.

I'm feeling pretty smug today, not for the obvious reasons (tall, good looking, own teeth, etc.) but for a couple of pieces of feedback I've had. One from Mike Rothman here and the article I referred to here finally got printed here in its original form, and again here! Must have been a slow news day.

First of all, I thought Mike had forgotten about me, and I was feeling a little disappointed because I am genuinely in awe of "The Pragmatic CSO". I've never had such a strong feeling of "I wish I'd thought of that" before. Now he's got back to me AND said that I've got some good ideas, I'm kind of excited, especially considering he must be an extremely busy man.

Second, I thought the old InfoSec articles got chucked out with the stand flair at the end of the show, so I was really surprised when the Business Development director at Kinamik told me I was in print.

I checked with the palace, and apparently my knighthood is in the post.

Tuesday, 1 May 2007

Pooling knowledge

I have a question for the community at large: has anyone ever produced an IT Security timeline in the US, showing us when major advances in security were made, i.e. firewalls, IDS, IPS, UTM, AV, encryption, etc?

I think this could be not only very interesting, but also helpful in analysis of the market in Europe moving forwards. All I'd have to do is look at what happened 4 years ago in the US and I'd become a visionary in Europe.

It's a serious question however, does such a timeline exist? Let me know if you find one.