RSA Conference Europe 2012 Keynotes; day one part one

The first two keynotes were from RSA and were both very interesting with a LOT of valid points;

Keynote 1 – Art Coviello, Executive Chairman RSA.  Titled ‘Intelligence-driven security: The new model’

The vast majority of security spend is still for edge security and edge focussed monitoring, which is failing in this open world where attacks and breaches are to be expected.

Currently many people think that the security risks are overhyped, but is this true?  Organisations don’t like to reveal that they have been breached, so how many breaches go unreported?  The Verizon survey has also revealed that the majority of breaches go undetected for a long time, if they are ever caught.  So how many organisations have been breached without even knowing it?  This was referred to as ‘the PR gap’: the tip of the iceberg is what is known, but the massive unknown part of the iceberg under the water is the reality.

We must gain a better understanding of the situation.  How mature and sophisticated is your organisation’s security?

Proposed four levels of cyber security:

  1. Control – these likely have already been hacked and just don’t know it!
  2. Compliance – likely heavily regulated, but focus on compliance and tick boxes rather than strong governance leading to compliance.  Often caused by management and budgetary pressures.
  3. IT risk – good understanding of IT risk, only slightly behind 4, but more tactical and IT focused than strategically aligned with the business.
  4. Business risk – This is where you should aspire to be, security fully aligned and working with the business, leveraging technology and processes in line with business strategy.

How do we get there? – Understand the issues;

–          Budget – pressures, how to best use it, how to justify it and highlight benefits and business cases

–          Security Talent – ensure your team is as good as it can be; are they passionate and engaged, and do they understand your industry?  The right team will drive security benefits and change, not just sit back, tick boxes or point further up the chain for reasons they are not acting.

–          PR Gap – explained above

–          Privacy Regulations – understand the regulatory environment your business is operating in.

Keynote 2 – Tom Heiser – President RSA – Intelligence Driven security.

–          Reconsider – our risks.  Move to a risk based approach to security. Understand regulatory challenges to this approach

–          Rethink – detection strategies; deploy continuous monitoring.

–          Harden Authentication and tighten access controls

–          Educate.. Educate.. Educate.. – Users, staff, regulators, media, auditors.  Obviously your business will focus on your staff and users, but the security industry also needs to get better at the wider piece.  Consider cyber security education around risks and phishing etc.  This point resonated with me as I come from an environment where we had various security awareness strategies from awareness weeks to educational phishing emails, and I have proposed this approach to my current employer.

Inevitability of compromise – does not equate to accepting loss – new tactics and tools.  Moore’s law can apply to criminals as much as to processors: criminals have more and more tools, and last year’s military grade attack is this year’s scripted attack tool in the wild.  The example given was that Stuxnet-derived attacks have been found in the wild and used against banking customers.

Improved monitoring and understanding will reduce ‘dwell time’ – how long the criminals can reside on your network.  If we assume breaches will occur (and they will), then minimising this dwell time is key to minimising risk.

This does require new tools.  Consider how we re-distribute budget spend.  Reduce spend on lower value services and premium priced tools such as AV and perimeter security.  Re-allocate spend to more advanced security solutions.

How do we access security knowledge?  How do we share information?  How do we ensure we protect privacy while we do this?  Currently nation states and criminals have much, much better intelligence and information sharing processes than legitimate governments and organisations.

We need standardised ways to share information, ideally at machine speed – ‘standardised share act’.  This must be understood and driven from board level down; we as a security industry need to ensure we educate the board in business terms around policy and business risk.  How much does your board currently know about your organisation’s security stance and the risks you currently face?

We also need to be mindful of managing compliance and risk.  Just focusing on compliance does not necessarily reduce risk.  Remember the criminals can read the same compliance requirements you are meeting, so they know exactly what you are doing if you do not have a risk management / security program in addition to just meeting regulatory and compliance requirements.  This can be a challenge given the volume of compliance projects and budgetary constraints in many organisations, but needs to be considered.

We need a more proactive stance that focusses on intelligence, understanding, and education from user to board level.

Keynote ended with some comments on new RSA products and tools.

I really liked both of these talks, and think we really need to consider the points raised.

K

RSA Conference Europe 2012 – first impressions

As we sit down for the conference introduction and first keynote speeches I thought I’d share my first impressions of the conference.

This is certainly a much slicker and more professionally run event than the Service Technology Symposium I recently attended.  Given the size of both the organisers (RSA / EMC) and the exhibitors (Microsoft, Symantec, Qualys etc.) this is, I suspect, to be expected.  The only blight on the event for me so far was my mistake of buying a ridiculously overpriced Costa coffee (£4.40 for a regular latte, anyone?) when I could have grabbed a free one outside of the keynote room!  So the first lesson of the day is never use a Costa that is in a hotel.. and they don’t even give you points on your Costa card..

Onto more interesting matters, there are a lot of great keynotes and presentations lined up over the next 3 days, with keynotes from heavyweights such as Bruce Schneier and Jimmy Wales, presentations covering everything from secure agile development to in-depth research into recent hacks, book signings and even a hacktivist movie on Wednesday evening.

In a similar manner to my last conference I’ll provide overviews of the days along with more in depth details of some of the better / more interesting talks.  Look out for several upcoming posts on the themes of the conference!

K

Service Technology Symposium 2012 – Talks update 2

Your security guy knows nothing

This talk focused on the changes to security / security mindsets required by the move to cloud hosted or hybrid architectures.  The title was mainly as an attention grabber, but the talk overall was interesting and made some good points around what is changing, but also the many concerns that are still basically the same.

Security 1.0

–          Fat guy with keys; IT focused; “You can’t do that”; Does not understand software development.

Security 2.0

–          Processes and gates; Tools and people; Good for Building; Not as good for acquiring / mashing

Traditional security wants certainty –

–          Where is the data? – in transit, at rest, and in use.

–          Who is the user?

–          Where are our threats?

What happens to data on the hard drives of commodity nodes when the node crashes or the container is shipped back to the manufacturer from the CSP?  (data at rest etc.).  The new world is more about flexible controls and policies than some of the traditional, absolute certainties.

Security guys want to manage and understand change;

–          Change control process

–          Risk Management

–          Alerts when things change that affect the risk profile

Whole lifecycle – security considered from requirements onwards, not tacked onto the end of the process.  This for me is a key point for all security functions and all businesses.  If you want security to be ingrained in the business, effective, and seen as an enabler of doing things right rather than a blocker at the end, it must always be incorporated into the whole lifecycle.

Doing it right – Business – Development – Security – working together.

Business;

–          Render the Implicit Explicit

  • Assets
  • Entitlements
  • Goals
  • Controls
  • Assumptions

Development;

–          Include security in design

  • Even in acquisition
  • Even in mash ups

–          Include security in requirements / use cases

–          Identify technical risks

–          Map technical risks to business risks (quantify in money where possible)

–          Trace test cases

  • Not just to features
  • But also to risks (non functional requirements!)

Security;

–          Provide fodder (think differently, black hat / hacker thinking)

–          Provide alternative reasoning

–          Provide black hat mentality

–          Learn to say “yes”

–          Provide solutions, not limitations!

Goal – Risk management

Identify how the business is affected;

–          Reputation

–          Revenue

–          Compliance

–          Agility

What can techies bring to the table?

–          Estimates of technical impact

–          Plausible scenarios

–          Black Hat thinking

Compliance – does not equal – Security!

–          Ticking boxes – does not equal – Security!

So the key takeaway points from this are that, regardless of the changes to what is being deployed –

– Work together

– Involve security early

– Security must get better at saying ‘yes, here’s how to do it securely’ rather than ‘no’

No PDF of this presentation is currently available.

————————

Moving applications to the cloud

This was another Gartner presentation that covered some thoughts and considerations when looking at moving existing applications / services to the cloud.

Questions;

–          What are our options?

–          Can we port as is, or do we have to tune for the cloud (how much work involved?)

–          Which applications / functions do we move to the cloud?

Choices;

–          Which vendor?

–          IaaS, PaaS, SaaS…?

–          How – rehost – refactor – revise – rebuild – replace – which one?

  • Rehost or replace most common, quickest and likely cheapest / easiest

You need to have a structured approach to cloud migrations, likely incorporating the following 3 stages;

–          Identify candidate apps and data

  • Application and data-portfolio management
  • Apps and data rationalisation
  • Legacy modernisation

–          Assess suitability

  • Based on cloud strategy goals
  • Define an assessment framework
    • Risk, business case, constraints, principles

–          Select migration option

  • rehost – refactor – revise – rebuild – replace

This should all be in the context of;

–          What is the organisation’s cloud adoption strategy?

–          What is the application worth? What does it cost?

–          Do we need to modernise the application? How much are we willing to spend?

In order to make decisions around what to move to the cloud and how to move it, you should define both your migration goals and priorities, which should include areas such as;

–          Gain Agility

  • Rapid time to market
  • Deliver new capabilities
  • Support new channels (e.g. Mobile)

–          Manage costs

  • Preserve capital
  • Avoid operational expenses
  • Leverage existing investments

–          Manage resources

  • Free up data centre space
  • Support scalability
  • Gain operational efficiencies

Some examples of what we mean by rehost / refactor / revise / rebuild / replace;

Rehost – Migrating application – rehost on IaaS

Refactor – onto PaaS – make changes to work with the PaaS platform and leverage PaaS platform features

Revise – onto IaaS or PaaS – at least make more cloud aware for IaaS, make more cloud and platform aware for PaaS

Rebuild – Rebuild on PaaS – start from scratch to create new, optimised application.

Note – some of these (rebuild definitely, refactor sometimes) will require data to be migrated to a new format.

Replace – with SaaS – easy in terms of code; data migration, business processes and applications will change (large resistance from users is possible).

The presentation ended with the following recommendations;

–          Define a cloud migration strategy

–          Establish goals and priorities

–          Identify candidates based on portfolio management

–          Develop assessment framework

–          Select migration options using a structured decision approach

–          Be cognizant of technical debt (time to market more important than quality / elegant code!)

  • Do organisations ever plan to pay back ‘technical debt’?  Technical debt here refers to corner cutting / substandard development that is initially accepted to meet cost / time constraints.

A pdf of this presentation can be downloaded from here;

http://www.servicetechsymposium.com/dl/presentations/moving_applications_to_the_cloud-migration_options.pdf

Overall another good presentation with very sensible recommendations covering areas to consider when planning to migrate applications and services to the cloud.

K

News and upcoming events

There are quite a few interesting, and for me exciting, things coming up over the next couple of months so I wanted to provide a brief update around these and some upcoming posts I’ll be making;

1.  I’ll be speaking at the CSA summit at RSA Europe!  This is a cloud security event on the afternoon of Monday 8th October, just prior to the main conference.  I’ll be giving a presentation about SecaaS (Security as a Service) and the SecaaS working / research group covering research we have done, the previous and recent publications and where we plan to go next.  The talk may be recorded, if it is I will post a link to it here, and I’ll also be uploading my slides.  The list of speakers and more information about the event can be found here;

https://cloudsecurityalliance.org/events/csa-summit-at-rsa-europe-2012/#_speakers

2.  I’m attending the Service Technology Symposium in London on the 24th-25th September; this is an annual event covering various aspects of Cloud, SOA (Service Orientated Architecture) and Service Technologies.  Examples of the conference tracks include;

– Cloud architecture and patterns

– Enterprise Cloud architecture

– Service Engineering

– Governance frameworks

– REST and web services

I’ll likely be following various portions of the tracks relating to cloud architecture, patterns and governance.  Expect various posts relating what is discussed.

3.  I am attending the RSA Conference Europe in London from the 9th through the 11th October.  This year’s conference heading is ‘The Great Cipher; Mightier than the Sword’.  The premise of this is that sharing knowledge and learning at events such as this is the key to staying ahead of the bad guys.  Looks to be loads of great talks from people like Bruce Schneier et al; again look out for various posts on what I learn and what is discussed during this conference.

4.  Security as a Service Implementation Guidance v1.0 is about to be published.  10 documents covering each of the 10 categories of service we identified last year are going to be published any day now.  This has been a pretty large undertaking, bringing a disparate group of predominantly volunteer contributors together across the 10 different subject areas to produce a (relatively) coherent whole!  Although this is just v1.0 and will likely receive various updates, it is a great step forward for anyone wanting to implement or just better understand Security as a Service.  I’ll provide an update post when these are officially out of the door and available for public download.

And of course my Masters and the next steps of the SecaaS research group will also be continuing.

Lots coming up; keep checking back!

K

2012 Update

I had meant to update on how my plans for the year were going around June / July, so this is a little late, but I have been pretty busy getting the upcoming Cloud Security Alliance (CSA) – Security as a Service (SecaaS) guidance documents ready.  These are due for publication at the start of September – watch this space..  It has also taken longer than expected to finalise my Masters project choice, but I think I’ve got there with that one, finally!

In January I listed some goals for the year here;

Some 2012 projects / plans

So where am I with the year’s goals?

1. Choose a project and complete my Masters.  Project finally chosen and extended project proposal handed in.  My proposed project title is;

‘Increasing authentication factors to improve distributed systems security and privacy’

The plan is to cover the current state of distributed systems authentication and to assess how this could be improved by adding further ‘factors’ to the required authentication.  In this instance factors refer to things like ‘something you know’ such as passwords, ‘something you have’ such as a number generating token, and ‘something you are’ such as your fingerprint.  I have completed a project plan outlining how I’ll use the time between now and the hand in date in January 2013, and I’ll keep you posted with progress.

2. Lead / co-chair the CSA SecaaS working group.  While it has been challenging to find the time and keep everyone involved working in the same direction, we are almost ready to release the next piece of work from this research group.  The next publication will be in the form of 10 implementation guidance documents covering the 10 SecaaS categories we defined last year.  These will be released on the CSA web site around the end of August, I’ll post a link once they are available.  This has certainly been a learning experience regarding managing the output of a very very diverse set of international volunteers!

3. Become more familiar with the Xen hypervisor.  I have had limited success with this one, increasing my familiarity with virtualisation and cloud generally, and reading up on Xen.  However I have not had a chance to set up a test environment running the open source Xen hypervisor to get properly acquainted with it.  I’ll be looking to rectify this during October, at which time I’ll provide a run down of my thoughts of this hypervisor’s features and how easy it is to install and configure.

4. Brush up my scripting and secure coding.  Scripting opportunities have been limited this year, and I have not had the time to create side projects outside of the office due to CSA and Masters related work.  On secure coding, I have reviewed both some code and some development practices against OWASP recommendations and the Microsoft secure development lifecycle (SDLC), so have made some progress in this area and will follow with an update in a future post.

Overall, not as much progress in some areas as I had hoped, but I am reasonably happy with the CSA SecaaS and Masters progress, while also holding my own in full time employment.

As mentioned, keep an eye out for the upcoming publication of the SecaaS implementation guidance!

K

Further Cloud planning and BYOD reading

I have recently read a few interesting and useful papers relating to some of my previous posts that may also be of interest to some of the readers of this blog.  Feel free to let me know your thoughts!  Incidentally, the first three papers below all originate from IBM; this is purely coincidental and I have no affiliation with IBM.

The first paper is titled ‘Defining a framework for cloud adoption’.  Please read previous posts if you need an overview of the benefits of cloud computing.  This paper introduces IBM’s cloud adoption framework, which is free for any organisation wishing to have a standardised reference to frame their discussions and planning around moving to the cloud.  This can be found here (free registration may be required);

http://research.itpro.co.uk/?option=com_categoryreport&task=viewabstract&pathway=no&title=20268&frmurl=http%3a%2f%2fforms.madisonlogic.com%2fForm.aspx%3fpub%3d220%26pgr%3d493%26frm%3d759%26autodn%3d1%26src%3d8644%26ctg%3d18%26ast%3d20268%26crv%3d0%26cmp%3d5941%26yld%3d0%26clk%3d5778290107730889220%26embed%3d1

The second paper worth reviewing is also around helping your company adopt cloud based services; this one is titled ‘A logical approach to cloud adoption in your company’.  This paper seeks to aid the discussions around when and how to consider moving to the cloud and covers the fact that there isn’t actually ‘a cloud’, but multiple clouds and variations on the theme; these were covered in my previous post introducing the cloud.  This one can be found here (free registration may be required);

http://research.itpro.co.uk/?option=com_categoryreport&task=viewabstract&pathway=no&title=20770&frmurl=http%3a%2f%2fforms.madisonlogic.com%2fForm.aspx%3fpub%3d220%26pgr%3d493%26frm%3d759%26autodn%3d1%26src%3d8644%26ctg%3d1%26ast%3d20770%26crv%3d0%26cmp%3d6145%26yld%3d0%26clk%3d5778290107730954757%26embed%3d1

The third paper from IBM is titled ‘Building a successful roadmap to the cloud’.  This is a great companion to the above papers, as once you have the conversation started and people are on board with the benefits of utilising some cloud services the next step is to build the plan / roadmap for moving to and adopting these services.  This paper can be found here (free registration may be required);

http://research.itpro.co.uk/?option=com_categoryreport&task=viewabstract&pathway=no&title=20767&frmurl=http%3a%2f%2fforms.madisonlogic.com%2fForm.aspx%3fpub%3d220%26pgr%3d493%26frm%3d759%26autodn%3d1%26src%3d8644%26ctg%3d1%26ast%3d20767%26crv%3d0%26cmp%3d6145%26yld%3d0%26clk%3d5778290107731020294%26embed%3d1

All three of the above papers are definitely worth reading if your company is considering adopting cloud services, or if you want some ideas and terminology to get the conversation and planning started.

The final paper I’ll suggest you read is a balanced review of BYOD (Bring Your Own Device) that covers many of the pros and cons of this current trend.  I have briefly covered BYOD and what it is before; this paper will aid you in further understanding what BYOD is, what the potential pitfalls are, and if BYOD may fit into your business at all.  This one is from PC Pro, not IBM, just for a bit of a change, and can be found here (free registration may be required);

http://www.itpro.co.uk/641935/byod-friend-or-foe?utm_campaign=itpro_newsletter&utm_medium=email&utm_source=newsletter

Happy reading, I’ll be back soon with an update on my years progress so far.

K

Handling perimeter expansion and disintegration

One of the most common themes over the last few years in IT security discussions has been the de-perimeterisation of the corporate network.  The term was originally coined by the Jericho Forum and refers to the greying of the split between the internal trusted network and the wider world.

This is briefly described here;

http://en.wikipedia.org/wiki/De-perimeterisation

Traditionally there has been strict demarcation, maintained by devices such as firewalls, between the untrusted outside world, the semi trusted DMZs (De-Militarised Zones), and the trusted internal network.  As more and more business functions require interactions between internal users and external customers, suppliers, remote users, home workers and other third parties, these strict zones of demarcation have become considerably more porous.

This has led to some people proposing the removal of this network boundary concept and for the securing of data and systems to be achieved with encryption, host and network based IPS (Intrusion Prevention Systems), AV etc., with the view that data and systems can be kept secure while facilitating easier and more efficient business with customers, partners and other third parties.  Taken to its extreme, this is the paradigm of the ‘perimeterless’ network.

If you are faced with dealing with this ever more porous network perimeter while still maintaining the security of the systems you are responsible for, or you just want to read more about security and the issues raised by the muddying of internal and external network boundaries, Sophos have produced a simple and easy to read guide in their Naked Security blog titled;

Practical IT: handling perimeter expansion and disintegration

This can be found here;

http://nakedsecurity.sophos.com/2012/07/13/perimeter-security-expansion-disintegration/

Have a read, and let me know what you think.  If there is any interest I’ll write a more in depth post on the topic.

K