Data management – the elephant in the room?

Having been involved in information security for over a decade, I have often talked about data management – long before my least favourite acronym (DLP) was used. As any good Information Assurance/Governance/Security professional will know, it is the data that we are most interested in protecting and making available (to the right people!) – not systems. Yet some organisations are still thinking in terms of protecting infrastructure and therefore approaching matters outside in, as opposed to inside out (i.e. starting at the data).

For those that are thinking from the data out, many are wrestling with masses of data that they have accumulated over the years – unstructured data scattered everywhere, archives creaking, more and more money thrown at storage… in and amongst which they are then trying to figure out how, and whether, to address cloud, consumerisation, and security in the mix.

I continue to be amazed at how many companies will happily throw significant money at storage (the myth of “storage is cheap” amuses me no end) yet put themselves at risk through cutting back on basic common sense security measures – without having a considered approach to data management.

This isn’t just about pushing users to shared drives – which will become less relevant as cloud services continue their march into the enterprise. This is about taking a proactive approach to classification right from the outset, in order to then decide how the data needs to be handled, by whom, where it should live, and for how long.

I’ve mentioned already how this is imperative if organisations are to be able to embrace cloud, although there is a further consideration here. If we look at the size of an average email, it was approximately 18k back in the early days of the Internet. Depending on who you speak to, that average email is approximately 250-300k today – and that is before counting the number of times an email with a document attached can bounce to and fro, in and out of an organisation. 10 years later, an average of 50 emails a day, with many multiple copies of the same document – plus additional revisions – means that up to 80% of storage could be duplication (certainly based on projects I have seen recently).

Cutting this down and getting it under management has several benefits: firstly, significantly reduced operational costs; secondly, security becomes rather easier to implement; thirdly, the costs of ediscovery are significantly reduced.
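The duplication figure above is the kind of thing worth measuring before buying more storage. The following is an added example, not code from the original post: it groups files by SHA-256 content hash and reports how many bytes are redundant copies. The file set is constructed to mimic one attachment forwarded around an organisation; the function names are my own.

```python
import hashlib
from collections import defaultdict

# Constructed sample (path -> content). Several paths hold byte-identical copies of
# the same document, as happens when one attachment is forwarded around by email.
SAMPLE_FILES = {
    "inbox/alice/proposal_v1.docx": b"Proposal v1 " * 200,
    "inbox/bob/proposal_v1.docx": b"Proposal v1 " * 200,
    "sent/alice/FW proposal_v1.docx": b"Proposal v1 " * 200,
    "inbox/carol/proposal_v2.docx": b"Proposal v2 " * 210,
    "inbox/dave/proposal_v2.docx": b"Proposal v2 " * 210,
    "shared/budget.xlsx": b"Budget 2011 " * 50,
}


def content_hash(data: bytes) -> str:
    """Content address for a file: identical bytes give an identical digest."""
    return hashlib.sha256(data).hexdigest()


def duplicate_report(files):
    """Group files by content hash.

    Returns (total_bytes, duplicate_bytes, groups) where groups maps a digest to the
    list of paths holding that content, for digests seen more than once.
    """
    groups = defaultdict(list)
    sizes = {}
    for path, data in files.items():
        digest = content_hash(data)
        groups[digest].append(path)
        sizes[digest] = len(data)
    total = sum(len(data) for data in files.values())
    # Every copy beyond the first of a given content is redundant storage.
    duplicate = sum(sizes[d] * (len(paths) - 1) for d, paths in groups.items())
    dup_groups = {d: paths for d, paths in groups.items() if len(paths) > 1}
    return total, duplicate, dup_groups


def duplication_ratio(files) -> float:
    """Fraction of stored bytes that are exact duplicates of another file."""
    total, duplicate, _ = duplicate_report(files)
    return duplicate / total if total else 0.0


if __name__ == "__main__":
    total, duplicate, groups = duplicate_report(SAMPLE_FILES)
    print(f"{total} bytes stored, {duplicate} bytes redundant "
          f"({duplication_ratio(SAMPLE_FILES):.0%})")
    for digest, paths in groups.items():
        print(digest[:12], "->", ", ".join(paths))
```

Hashing only finds byte-identical copies; the "additional revisions" the post mentions would need content-defined chunking or document fingerprinting to be caught, so a figure from this script is a floor on the duplication, not the whole story.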

Where the third point is concerned, the real risks around data management are yet to be felt. I have come across organisations whose email retention policy is 2 years – or who even allow their users to decide on deletion. There is a real risk of organisations entering or being pulled into litigation, only to see a case fail – or worse, be fined – for missing information. Even putting aside these extreme scenarios, it cannot be sensible to pay counsel to trawl through a mass of data when potentially they need only be concerned with the 20% that matters.

Consumerisation and Cloud – Information Security’s perfect storm?

Put a load of IT professionals in a room, ask what their definition of Consumerisation is, grab your popcorn, then sit back and enjoy the debate. After all, if a bunch of IT experts can’t agree between themselves – how can CIOs and businesses begin to wrestle the problem? I’ll stick my hat in the ring here and state that (IMHO) consumerisation isn’t simply bring your own device/computer (BYOD/BYOC), but also encompasses (generally online) services and arguably software.

Next, ask them what their definition of cloud is – more popcorn.  Those of us who’ve been around a little while will remember an acronym – namely ASP (Application Service Provider), which was perhaps the predecessor of cloud.  But wait a second – was ASP actually what we now know as SaaS?  Or is SaaS a subset of cloud? Wikipedia, NIST, and other sites seem to agree on a broad definition; that cloud computing is a method of accessing computing resources (systems, storage, applications) on demand – generally via the internet.  But this also has highlighted the need for a completely different approach and thinking – especially when considering Information Management & Security.

Certain bodies have been promoting this alternative thinking for some time – most notably the Jericho Forum. The risk however, is that many organisations may well jump headlong into cloud – seeing it as the current panacea for their IT challenges. There is an additional danger that organisations and their IT professionals build infrastructure and access methodologies that are an extension of the current approaches – i.e. generally an “outside-in” approach. By this, I mean the traditional method of approaching the problem from a perspective of “keeping the bad guys out”.

Perhaps a better starting point is to assume that you can/will be compromised, so in effect your business information is potentially open to all. Start at the data and begin to think about what information is unimportant, important, confidential, and “secret sauce”. Then work outwards – i.e. who needs to access it. Focus your time and money on securing the information that really needs securing – keeping in mind that users could use any device and be anywhere.

One of the biggest barriers to leveraging cloud services is due to concerns around security.  To address this, many vendors are offering services that incorporate strong encryption of data – meaning you can leverage economies of scale, yet know that your business information is meaningless to anyone that doesn’t hold the keys.  This might be a step too far for an initial foray – and the “secret sauce” may never see cloud –  although some organisations are readily using cloud computing having identified the information they need to protect and the information and applications they are less concerned about.  One notable example of this is AutoTrader, with a very clear cloud strategy led by Tim Jones.  You can see one of Tim’s presentations here

One thing is certain; the rising tide of tablet sales – together with more and more cloud services – means that organisations need to adapt and change. Of course you could try and resist this advance, but then a guy called King Canute thought he could push back the sea…

Facebook, Websense and the emperor’s new clothes

So the tech newswires, blogs, and Facebook itself are alive with the horror that is the current “virus” going around – hijacking users’ news feeds and filling them with scenes of gore, porn, and other such. You can’t help but wonder how different it is to some of the stuff users actively want to share themselves, but hey ho…

Anyhow, I came upon this about 2 days ago and pondered the situation – then remembered a proud announcement from a security vendor back in September at a security seminar in London. This was followed up with some news announcements in a whole host of places including the BBC, the vendor’s community blog, and also offered to end user organisations to protect their web reputation under the brand Defensio.

Straight away, you then have to ask yourself – why wasn’t it protected by their wonderful service?  In true SNAFU style, both Facebook and the vendor (ok, I’ll name them – Websense!) had been very quiet on this matter.  Maybe they are considering their response?  Maybe they are still looking into the root cause?  Either way, when Sophos seems to announce what is going on before them – with some suggestions that their software had alerted users to the problem – it isn’t too good.

But wait you say, don’t bash the poor vendor. In fact, it’s not Facebook’s fault either – surely? In information security, we are always banging on about how the biggest risk is users. Surely, if they are stupid enough to click on these links, then they are the ones responsible – not the service provider and/or the security partner?

Well actually, you could argue that they both are. Facebook’s entire business is built around social networking, having users share information, interests, then using that to specifically target marketing to them and ultimately “sell stuff”. Furthermore, when your security partner makes statements such as “In this way, we are helping Facebook continue their proactive fight to keep malicious links off of their platform and allow safe use for all of its members.” then they can’t be absolved of blame – especially when the majority of the press is referring to a “link spam” issue.

As is often the case with these things, there was some awareness of this kind of issue – as reiterated by Zscaler in a recent blog post. If they were making this kind of thing public back in May then you have to ask why this wasn’t taken account of recently. Irrespective, now that Anonymous do not appear to be the culprits (according to Bitdefender – or at least, so say The Register) then the full force of the law and Facebook’s wrath may be directed elsewhere.

In the meantime, you’re not wearing anything Emperor Facebook!

Loose lips sink ships

I’ve not blogged for a while – been too busy – but had to fire a little mini-blog up after today’s event.  In keeping with the “change the names to protect the innocent, not so, and downright stupid” theme (and you can choose which category it is) I’ll not name and shame.

So, this morning I was sitting in the reception of a mid-sized business in the North awaiting a personal appointment. As I sat awaiting my meeting, I couldn’t help but hear 2 IT Sales Professionals discuss their recent job offers, their dislike for certain peers within a large networking company, make disparaging remarks about some competitors from the opposite side of the Pennines, and openly discuss the product they were looking to punt onto the company.

Perhaps this is relatively normal and harmless if it was quiet mutterings, but I could certainly hear it – as could the receptionist – loud and clear. In fact, I’m astounded that people would do anything other than choose their  conversation carefully ahead of going into a customer meeting. What was most amusing about this is the fact that I know the IT Director of said company quite well.

My meeting was a short one and as I re-entered reception to leave, said 2 “professionals” were still in reception – literally just being met by the IT Director. Their greeting was interrupted by a “Hello Paul”; they went red, followed by a “We must catch up sometime – drop me a call”, and he wandered off, with 2 very sheepish looking guys shuffling behind him.

My point? No matter where you are, be very careful what you are saying. The random person in reception, opposite you on the train, in Starbucks could be anyone – even a good friend of the IT Director you’re trying to court!

For the fitness types

So, if you’ve succumbed to things Apple and own an iPhone, you’ll be familiar with apps. One I have been recommending for colleagues, customers and friends who run is a superb app called Runkeeper. Usually it costs about £3, but they are offering it for free on the app store – read more.

On its own, this app blows away any need for the Garmin Forerunner GPS watches; however, if you need heart rate information then help is finally here. Just launched is the Wahoo Fitness add-on, which consists of a small widget that plugs into the bottom of your iPhone and also a chest band with the heart rate device on it. It’s not cheap and has to be ordered from the States, although a bit of research suggests you can use any ANT compatible heart monitor, so you might be able to just order the widget.

An early case for state sponsored sterilisation?…

Dug this old chestnut out after a conversation earlier in the day.  It is allegedly a true story from the WordPerfect Helpline, which was transcribed from a recording monitoring the Customer Care Department. (Apparently the guy was fired)

Actual dialog of a former WordPerfect Customer Support employee.  (Now I  know why they record these phone conversations!)

Operator:  “Ridge Hall, computer assistance; may I help you?”
Caller:  “Yes, well, I’m having trouble with WordPerfect.”
Operator:  “What sort of trouble?”
Caller:  “Well, I was just typing along, and all of a sudden the words went away.”
Operator: “Went away?”
Caller:  “They disappeared.”
Operator:  “Hmm.  So what does your screen look like now?”
Caller: “Nothing.”
Operator:  “Nothing?”
Caller:  “It’s blank; it won’t accept anything when I type.”
Operator: “Are you still in WordPerfect, or did you get out?”
Caller:  “How do I tell?”
Operator:  “Can you see the ‘C: prompt’ on the screen?”
Caller:  “What’s a sea-prompt?”
Operator:  “Never mind, can you move your cursor around the screen?”
Caller:  “There isn’t any cursor; I told you, it won’t accept anything I type.”
Operator:  “Does your monitor have a power indicator?”
Caller: “What’s a monitor?”
Operator:  “It’s the thing with the screen on it that looks like a TV. Does it have a little light that tells you when it’s on?”
Caller:  “I don’t know.”
Operator: “Well, then look on the back of the monitor and find where the power cord goes into it. Can you see that?”
Caller:  “Yes, I think so.”
Operator:  “Great. Follow the cord to the plug, and tell me if it’s plugged into the wall.”
Caller:  “Yes, it is.”
Operator:  “When you were behind the monitor, did you notice that there were two cables plugged into the back of it, not just one?”
Caller: “No.”
Operator: “Well, there are. I need you to look back there again and find the other cable.”
Caller:  “Okay, here it is.”
Operator:  “Follow it for me, and tell me if it’s plugged securely into the back of your computer.”
Caller:  “I can’t reach.”
Operator: “OK. Well, can you see if it is?”
Caller:  “No.”
Operator: “Even if you maybe put your knee on something and lean way over?”
Caller:  “Well, it’s not because I don’t have the right angle—it’s because it’s dark.”
Operator:  “Dark?”
Caller:  “Yes—the office light is off, and the only light I have is coming in from the window.”
Operator:  “Well, turn on the office light then.”
Caller:  “I can’t.”
Operator:  “No?  Why not?”
Caller:  “Because there’s a power failure.”
Operator: “A power… A power failure? Aha. Okay, we’ve got it licked now. Do you still have the boxes and manuals and packing stuff that your computer came in?”
Caller:  “Well, yes, I keep them in the closet.”
Operator: “Good. Go get them, and unplug your system and pack it up just like it was when you got it. Then take it back to the store you bought it from.”
Caller:  “Really? Is it that bad?”
Operator:  “Yes, I’m afraid it is.”
Caller:  “Well, all right then, I suppose. What do I tell them?”
Operator:  “Tell them you’re too stupid to own a computer!”

Tip for helping enforce strong password policy

Here is a little tip that you can share with your respective user communities when trying to enforce a good password policy – i.e. complex and changing every 30 days.

In my experience, a change to a tighter password policy results in kick-back and often an increase in calls to helpdesk for password resets, etc. One simple tip you might want to share could help both meet your requirements and enable users to remember their password more easily.

First off, suggest that they think of their favourite song, book, film, etc. and choose the first two words from a favourite quote/lyric. Then substitute the vowels o, a, e, i with 0, 4, 3, 1. Then capitalise the first or last letter of one of the words. Finally, separate the two words with a symbol such as +, -, *, /, or =.

So, using the first two words of Bob Marley’s “Three Little Birds” (i.e. “Don’t worry”) would give: d0nt+w0rrY

Now, given that the password policy is change every 30 days, all the user has to remember is to change one of the symbols, so after one month d0nt+w0rrY becomes d0nt-w0rrY and so on.

All the user has to get used to is this philosophy; they then only need to remember a single character change, and they could even rotate this to overcome the requirement not to re-use the same password within 3 changes. The 2 main words that are personal to them are (arguably) easier to remember, so hopefully this can tick the opposing challenges of strict password policy and obstructive/clueless users.
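The recipe above, written out as code so the steps and the monthly rotation are unambiguous, together with a checker for the policy it is meant to satisfy. This is an added example, not code from the post; the function names and the policy parameters (minimum 8 characters, all four character classes, no reuse within the last 3 changes) are my assumptions. One practitioner's note on the design: vowel-to-digit substitution and a trailing capital are fixed, well-known transformations, so the check below treats complexity as a policy gate rather than a measure of strength; what the scheme actually relies on is the user's choice of phrase.

```python
import re

# Added example: the post's password recipe plus a policy check.
# Policy parameters below are assumptions, not values from the post.
VOWEL_MAP = str.maketrans({"o": "0", "a": "4", "e": "3", "i": "1"})
SEPARATORS = "+-*/="  # the symbols the post suggests, in rotation order


def _capitalise(word: str, where: str) -> str:
    """Upper-case the first or last letter of word, skipping substituted digits."""
    letters = [i for i, ch in enumerate(word) if ch.isalpha()]
    if not letters:
        raise ValueError("no letter left to capitalise in " + word)
    i = letters[-1] if where == "last" else letters[0]
    return word[:i] + word[i].upper() + word[i + 1:]


def make_password(quote: str, separator: str = "+", capitalise: str = "last") -> str:
    """Apply the recipe: first two words, vowel substitution, one capital, a separator.

    The capital goes on the second word; the post allows either word.
    """
    words = [re.sub(r"[^a-z]", "", w.lower()) for w in quote.split()][:2]
    if len(words) != 2 or not all(words):
        raise ValueError("quote must supply two words")
    if separator not in SEPARATORS:
        raise ValueError("separator must be one of " + SEPARATORS)
    words = [w.translate(VOWEL_MAP) for w in words]
    words[1] = _capitalise(words[1], capitalise)
    return separator.join(words)


def rotate_separator(password: str) -> str:
    """Monthly change: swap the separator for the next one in SEPARATORS."""
    for i, sep in enumerate(SEPARATORS):
        if sep in password:
            nxt = SEPARATORS[(i + 1) % len(SEPARATORS)]
            return password.replace(sep, nxt, 1)
    raise ValueError("no known separator in password")


def meets_policy(password: str, history, min_len: int = 8, reuse_window: int = 3) -> bool:
    """Complexity gate plus a no-reuse check against the most recent changes.

    history is ordered oldest first; only its last reuse_window entries count.
    """
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if len(password) < min_len or not all(classes):
        return False
    return password not in list(history)[-reuse_window:]


if __name__ == "__main__":
    pw = make_password("Don't worry about a thing")
    for month in range(1, 4):
        print(f"month {month}: {pw}  policy ok: {meets_policy(pw, [])}")
        pw = rotate_separator(pw)
```

With five separators the rotation has a cycle of five, which is longer than a three-change reuse window, so a user following the scheme never trips the reuse rule.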

iPad one week in…

So, the shiny new toy had arrived whilst I was on holiday and with the “we tried to deliver card” burning in my palm, I was knocking on the door of the UPS first thing Saturday morning to make sure I had it for the Bank Holiday.

I have to say first off that from the outset I thought iPad was a genius idea. Overpriced maybe (should be about £250-300 IMHO), but nonetheless a good idea. Why? So you can sofa surf quickly and easily; switch on, launch Safari, go. Sure, there’s the thorny issue of Flash (or lack of), but this aside it has to beat faffing with a laptop clunking through Windows startup. My better half had reservations, but these were soon nailed (like within 5 minutes of use – more on that later).

As with iPhone and other things Apple, first impressions were that it is very, very slick. The touchscreen is second to none, it’s easy to handle and type – even when slouching on the sofa (am using it to write this entry), and battery life is excellent. I’d only had my hands on it for 5 minutes when the rest of the household were queuing to use it. 2 hours later and I was able to have a proper play.

All of your iPhone apps can be synced with it and you can then manually choose if you don’t want or need them to be on the iPad (e.g. TomTom). The apps that can run on both appear centred on the screen and you can 2x zoom to fill it – not perfect, but good enough. The “proper” iPad apps are very good indeed. One of the other key reasons for wanting it was to try newspaper subscriptions and it is very neat for that. I have The Times (hurry up with the Sunday Times app please!) and you simply pull down the content each day and then browse offline at leisure. I hear the criticisms about proper ebook readers being better, but for me the app is perfect.

One of the big talking points in the IT world currently is around whether or not they could be used as a business tool. Pages is pretty good as a Word alternative and whilst I still wait for the Juniper Pulse client for SSL VPN, simply hitting our server through a standard web browser was a good experience. I reckon if Juniper and the other vendors nail this, we will truly see some movement towards “consumerisation” because it beats the hell out of humping a laptop around! It could also stop concerns about DLP for remote devices too if done properly. We’ll see…

Pretty much everyone I know who has played with it likes it and as for the better half – well, she has conceded. Facebook, Rightmove, Auto Trader, and many more apps are being hit heavily on the sofa.

In summary, it’s a little pricey at the current RRP, although if they were to drop it I reckon that Apple may just have killed the netbook market and could start to seep into the corporate arena. Why so? Because like everything else Apple – it just works.

“We’re not a bank”

Here’s a little comment that I must come across every single week in my day-to-day endeavours, which always raises a little smile (if only to myself). Presumably it’s a justification for not investing in good Information Assurance, for not having the courage to give the business a real wake-up call, or perhaps an inadvertent admission of the person’s lack of understanding of the risk the business carries. Irrespective, it is clearly misguided and perhaps people really need to think about it a little more. If nothing else, it is probably a poor metaphor given the current climate…

This perhaps suggests that banks and businesses in the finance sector need to have better security than others. Really? Let’s just think about this for a minute. If my bank has my financial details compromised, what is the worst that can happen? A real inconvenience short-term, they sort out the mess, I get my money back – sooner or later. Now let’s apply this thought to say, a local council. If my personal details are compromised, I’d be rather more concerned because councils have much more “interesting” information. Like details of my mad uncle who runs around the local green swinging his trousers round his head shouting at the top of his voice – or like details of my delinquent 16 year old, who is under social services for sniffing glue outside the local shops. Clearly I have neither of these (or at least my kids aren’t that old yet!), however the point remains the same – there is (depending on your point of view) far more valuable information out there than the ability to siphon off a few pounds from someone’s bank account/credit card.

Taking this into the corporate arena, how many companies take the time to vet and check how robust their trading partners are in terms of Information Assurance?  Take the legal sector as an example – they will hold a wealth of information on companies (M&A information, tax avoidance, etc.).  Ask any Head of IT in Legal (off the record!) if they truly have adequate policies, procedures, and controls and I am certain that very few would agree that they have the buy-in from partners to mitigate risk to “acceptable” levels.  I’m not going to pick on poor Legal CIOs though – after all, they generally have a plethora of mini-MDs (aka equity partners) to appease (or at least help maintain their bonuses!)

Extending the consideration to other sectors, the one with the worst under-investment is (IMHO) the manufacturing industry.  A recent visit to a specialist manufacturer highlighted the fact that despite the cries of “We’re not a bank” (along with “Why would anyone target us?”), manufacturing industries are also a high-risk sector.

During the course of conversation, I was told how they had been approached by the security services because there was very strong evidence that they were being targeted by China. Far from being a “WMD” type gaffe, this was a real and genuine threat – later proven when they found that a recent hire in America was in fact a Chinese sleeper cell, who had been tracked by the CIA and found in possession of highly sensitive documents from his previous employer – despite being American born! This type of threat has been subsequently confirmed by an Information Security vendor that has extensive data on threats originating from China.

So, the next time you are in a meeting with one of my peers (or hopefully me! 😉 ), just pause before uttering those immortal words “we’re not a bank” and think what the true value of your organisation’s data might be. After all, you generally get the money back from a bank – whereas once the Intellectual Property has leaked, it’s out there.

Now, time to tell my uncle to put his trousers back on…

We say CIA, they want AIC

Whenever there is a discussion around Information Security, the acronym CIA often pops up. For the uninitiated, this refers to Confidentiality, Integrity and Availability – the holy triad as some might say. Pondering ways of trying to promote information security (as opposed to IT security) to organisations, it struck me that we are perhaps talking a different language – or coming at it from the wrong direction.

Noble a cause as Information Security is, the reality is that a business wants the Information to be available first and foremost, then that it is correct, and finally that it stays within the business.  Some might argue this to be incorrect, but based on 8 years of selling this stuff I can tell you that InfoSec considerations are pushed right to the back of the priority list when times are hard or there is a pressing requirement to fix the core business systems.

So what’s my point?  Simple really.  If we want to increase our chances of success when introducing initiatives to a business, we need to position from an AIC perspective – not a CIA.  Whether it’s whizzy new gigabit UTMs, clever data control solutions, or meeting compliance, I believe we’ll all have more success if we approach it more from an availability perspective as opposed to leading from a confidentiality one.