Enterprise IT Watch Blog

February 16, 2011  3:01 PM

Meet Rivest, Shamir and Adleman: The men behind RSA

Michael Morisy Michael Morisy Profile: Michael Morisy

As Michael Mimoso reported earlier, cryptography and security pioneers Ron Rivest, Adi Shamir and Len Adleman were honored at the 2011 RSA conference with the Lifetime Achievement Award. While it might be a bit of an obvious choice – RSA is named after them and all – the tribute video beforehand was excellent as both a primer on the cryptography and history that underlies modern security practices. It’s not embeddable, but you can pop over to RSA’s conference page to watch the presentation, which runs about 10 minutes and is completely worth it.

It was a great, sentimental crypto-geek moment … until it was shattered by a weird pop montage touting the conference’s take on Alice, Bob and Eve with a weird mashup of Madonna and Journey (I think). When will people learn to leave well enough alone? In the meantime, go watch the video.

Michael Morisy is the editorial director for ITKnowledgeExchange. He can be followed on Twitter or you can reach him at Michael@ITKnowledgeExchange.com.

February 16, 2011  1:33 PM

Salesforce Head of Platform Research says to change your cloud tune

Melanie Yarbrough Profile: MelanieYarbrough

It’s a common belief these days: Everything is heading to the cloud. With words such as “migration” dictating much of the conversation surrounding cloud, it’s safe to infer that many people view the cloud as an approaching technology rather than one that’s already here.

Peter Coffee, head of platform research for Salesforce.com, disagrees with this feet-dragging mentality. “The cloud is certainly available to everyone,” said Coffee. First of all,  he said “migrate” is an inhibiting word when approaching the cloud. Coffee suggests looking for applications you wish you had but haven’t been able to create. Do you have a business process that’s organized primarily in spreadsheets and email? Consider building an application that can automate that process and deploy it in the cloud.

Continued »

February 15, 2011  4:37 PM

The sneaky vulnerability that beat Coca-Cola’s HDD encryption and leaked the secret recipe

Michael Morisy Michael Morisy Profile: Michael Morisy

Yesterday I wrote about how Lenovo, talking up its new Full-Drive Encryption (FDE) tools, bragged that the technology was used to secure Coca-Cola’s famously guarded secret recipe. Well, that security measure (if accurate) was recently trumped by a 125-year-old vulnerability and an unlikely Black Hat: Ira Glass and NPR’s This American Life, which stumbled upon a 1979 stock photo which, the program’s reporters believe, was actually a photo of the original handwritten recipe.

It’s not the first time the alleged recipe has been released (Wikipedia currently lists a host of candidates), but the release highlights a theme I heard again and again this morning from the wonkier side of RSA: Technology is an incredibly small part of any true security solution. Adi Shamir, the “S” in RSA, made a point of saying that even the bleeding edge in security, and particularly cryptography, can do very little to nothing to stop WikiLeaks-style attacks or even Stuxnet attacks.

The end result is this: Enterprises (and governments) must constantly evaluate the total security scenario and always consider their assets compromised, just like the the NSA does, while evaluating ways to minimize harm.

Michael Morisy is the editorial director for ITKnowledgeExchange. He can be followed on Twitter or you can reach him at Michael@ITKnowledgeExchange.com.

February 15, 2011  3:52 PM

RSA Conference takes to the sky

Melanie Yarbrough Profile: MelanieYarbrough

Whether you’re in San Francisco at RSA 2011 or you’re in the middle of nowhere scouring the Web for updates and insights, we’ve got the A-list of Twitter stars that are on the ground at RSA right now. Click, follow, and keep up. If you’re there, why not send them a message – the worst that can happen is you get even more swag!

@atwalls: Gartner analyst who specializes in infosec practices, enterprise governance, security program management, and more.

@rcheyne: This self-described “hacker of the old-school variety” is also CEO of Safelight Security, a security training company.

@Simply_Security: David Lingenfelter, Information Security Officer at Fiberlink Communications, is sending out highlights and reactions to the goings on in San Fran.

@merrittmaxim: Works in Identity & Access Management at CA Technologies. He’s giving frequent updates on his reactions to what’s happening at RSA.

@JDeLuccia: James DeLuccia works in risk management and IT security. Check out more in-depth coverage of the conference at his blog.

@jhaggett: This “lover of all things mobile” is at RSA. Whether he’s interacting with other members of the conference or observing a session, Jamie Haggett’s tweets are just as entertaining as they are informative.

@themeworks: Chief Technologist at Palm Tree Technology UK and Mastlabs USA, is tweeting out questions for his fellow RSA-goers and IT enthusiasts alike.

@Reflex_mike: UPDATE! How did we miss Mike Wronski? He’s VP of Product Management at Reflex Systems, and he’s been tweeting the heck out of RSA the past week.

@morisy & @ITKE: Editor Michael Morisy is on the scene in San Francisco. Check out his in-depth coverage at the Enterprise IT Watch blog.

And of course, for official updates on the conference, check out @RSAConference and hashtag #RSAC for more general, up-to-date information. Did we miss anyone? Send me an email at Melanie@ITKnowledgeExchange.com or leave it in the comments section.

Melanie Yarbrough is the assistant community editor at ITKnowledgeExchange.com. Follow her on Twitter or send her an email at Melanie@ITKnowledgeExchange.com.

February 15, 2011  1:50 PM

Oracle Database Firewall: A Babel Fish for SQL Sleazeballs

Michael Morisy Michael Morisy Profile: Michael Morisy

Oracle Database Firewall made its public debut here at RSA yesterday, and for a cool $5,000 per processor the software parses incoming SQL statements, picks out risky ones and translates them into something a bit more mundane, adding a new layer of defense against SQL while minimizing the disruption to non-malicious users. It also means a minimal amount of reconfiguration on the part of the database admins: Just drop the firewall in, theoretically, and you’re (theoretically) protected, as one Oracle honcho explains:

“Evolving threats to databases require enterprises to look at new security solutions,” said Vipin Samar, vice president of Database Security, Oracle. “Oracle Database Firewall offers organizations a first line of defense that can stop internal and external attacks from reaching databases. Easy to deploy and manage, Oracle Database Firewall helps reduce the costs and complexity of securing data across the enterprise without requiring any changes to existing applications and databases.”

Read the full press release here.

Michael Morisy is the editorial director for ITKnowledgeExchange. He can be followed on Twitter or you can reach him at Michael@ITKnowledgeExchange.com.

February 15, 2011  11:20 AM

Backupify.com backs up the cloud in the cloud

Guest Author Profile: Guest Author

Once your data is secured in the cloud, where do you secure your backups? Today’s guest post comes from David Strom, and he discusses his experience with one option for backing up the information in your cloud in another cloud.

One of the problems of using online services such as WordPress blogs, Facebook and Twitter is that you can’t easily save the information that you accumulate in the cloud. If you have a WordPress blog, you need to run a regular backup that saves your blog content into an XML file, for example. Now a service from Backupify.com can help. Using Amazon’s Web services and cloud-based storage, they provide backup agents to more than a dozen services, including Google’s Docs, Blogger and Gmail, Zoho, Delicious, Hotmail and Basecamp, YouTube, Tumblr, and general RSS feeds.

Setup for the most part is fairly simple: You have to provide your authentication information, which in some cases is stored in an encrypted place by Backupify. Then the service goes to work on a weekly or daily basis to do the backups, moving your data from its original repository (such as your Blogger blog) to your account on Backupify. You can have the service notify you via email when a successful backup is complete, along with other conditions too. Also, you can download what is stored in your archives using a Web browser. A sample backup history report is shown below.
Continued »

February 14, 2011  2:59 PM

At RSA, Cloud security as hazy as the weather

Michael Morisy Michael Morisy Profile: Michael Morisy

I’m heading to RSA this afternoon, and the weather is already looking cloudy, even before the onslaught of announcements about cloud security this, that, and the other thing. Check out some of the headlines coming from San Francisco:

But securing cloud services is the issue that’s likely to be top of mind. Mogull said conference attendees will see a lot of hype from security vendors. Many vendors are merely using the cloud as a service model for their security technology. Others have simply virtualized their appliances to make the technology deployable in hosted virtual environments. Mogull said attendees should look for specifics from vendors.
Security experts and vendors need to stop talking superficially about the cloud and start speaking more specifically about the aspects of the cloud they are referring to, said Joshua Corman, research director of enterprise security at The 451 Group, a New York-based analyst firm.
Conference attendees should ask vendors whether their product is “in, for or from the cloud,” Corman said. “People are calling everything cloud, and when everything is cloud, nothing is,” Corman said.
So if a latest product line update is full of enough buzz to fill a beehive and leaves your head spinning, fear not: You’re not alone.
Michael Morisy is the editorial director for ITKnowledgeExchange. He can be followed on Twitter or you can reach him at Michael@ITKnowledgeExchange.com.

February 14, 2011  9:54 AM

Lenovo and WinMagic offer up new Full-Disk Encryption (FDE) management options

Michael Morisy Michael Morisy Profile: Michael Morisy

As the Trusted Computing Group‘s Opal security standard advances, giving enterprises more choices for mixed-vendor Full-Disk Encryption (FDE), Lenovo and WinMagic have teamed up to offer new Full-Disk Encryption administration software that supports managing both hardware-  and software-based FDE options. Publicly debuting the partnership and software at the 2011 RSA Conference in San Francisco,  Lenovo hopes the flexibility will help jump start wider adoption, particularly as Opal-ready drives drop in price to just $10 more than non-Opal devices.

“Adoption [of hardware-based encryption] has been slow,” admitted Clain Anderson, a director of Software Business at Lenovo. “I thought, being Mr. Security, that the big interest would be in fewer vulnerabilities and stronger security, but the hottest topic is gaining 6 to 10% performance just for switching.” Those performance gains come from switching to on-drive encryption which takes the work load off the CPU.

Anderson said that Lenovo has embraced the Opal standard, particularly as enterprises have indicated being uncomfortable signing on to any single vendor’s encryption solution. Now that they have assurances that the drives they buy from one vendor will work with solutions from another, they are beginning to come around to the benefits of hardware-based encryption.

“It’s the regulated industries – medical, pharmaceutical, banking, and anyone with significant intellectual property,” he said. “Coca-Cola has their secret formula on here.”

Michael Morisy is the editorial director for ITKnowledgeExchange. He can be followed on Twitter or you can reach him at Michael@ITKnowledgeExchange.com.

February 10, 2011  2:14 PM

Cloud Security Books and Recommended Reading

Melanie Yarbrough Profile: MelanieYarbrough

As Abraham Lincoln once said, “A capacity and taste for reading gives access to whatever has already been discovered by others.” In the realm of cloud computing security, there is no more valuable information than the hard-earned lessons of those that have come and adopted before you. Don’t make the same mistakes that have crippled others’ applications and data. Read up on the subject with these widely-reviewed and strongly-recommended titles on the subject:

  • Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance: For anyone who is considering deploying to the cloud – whether on the investor side or practitioner side – this book seeks to explain the risks of moving data to the cloud as well as the ways to secure against them. A collaborative project among Tim Mather, Subra Kumaraswamy, and Shahed Latif, Cloud Security & Privacy explores the security measures relevant to the cloud including security-as-a-service.
  • Cloud Security: A Comprehensive Guide to Secure Cloud Computing: Written by senior information systems security consultant Ronald L. Krutz and Chief Security Advisor for Gotham Technology Group, LLC, Russell Dean Vines, this book is a breakdown of the most difficult areas of cloud security. Pick this up if you’re looking for a “guide to helping you find your way through a maze of security minefields.” These days, who isn’t?
  • Cloud Computing: Implementation, Management, and Security: From a co-founder of Hypersecurity and and the Senior Director and Chief Security Officer at the Cisco Collaborative Software Group, Cloud Computing is a great overview of the technology, providing definitions, repercussions, as well as pros and cons. Get the history leading up to cloud computing and finish up with profiles of successful cloud computing vendors.
  • Web Application Obfuscation: One of the misconceptions about deploying existing applications in the cloud is that security will increase upon deployment. The truth? A faulty application outside the cloud will be just as – if not more – faulty in the cloud. Web Application Obfuscation explores, from an attacker’s perspective, traditional infrastructures and security measures to illustrate common vulnerabilities inherent in many security systems.
  • Hacking: The Next Generation: There are many new ways for hackers to reach into your networks, and Hacking seeks to inform users about new hacks as well as attacks aimed specifically at social networking sites, wireless networks and cloud infrastructures.

And one to look forward to…

  • Securing the Cloud: Written by a senior associate at Booz Allen Hamilton, Securing the Cloud presents the cloud in the context of existing security frameworks. Whether it’s the roadblocks standing in front of your deployment in the cloud or the adjustments necessary before and after cloud adoption, your concerns and considerations are covered in J.R. Winkler’s forthcoming book from Syngress.

Is an essential security read missing from our list? Let me know in the comments section or send me an email at Melanie@ITKnowledgeExchange.com!

Melanie Yarbrough is the assistant community editor at ITKnowledgeExchange.com. Follow her on Twitter or send her an email at Melanie@ITKnowledgeExchange.com.

February 10, 2011  12:01 PM

At RSA 2011, Hacktivism is (again) a corporate threat

Michael Morisy Michael Morisy Profile: Michael Morisy

Prepping for RSA, my days this week have been jam-packed with pre-briefings. Most of the announcements I’ve come across have been rather ho-hum: Product line updates, new partnerships, sales goals completed (Got something more exciting? Drop me a line). But one thing that has come up again and again is a more widespread awareness of the dangers of politically or ideologically-motivated attackers, or “hacktivists.” Much of the interest is, of course, stemming from WikiLeaks‘ Cablegate release as well as the planned bank disclosures. But the halo affect has hit far beyond the central players involved: PayPal suffered disruptions, as did a security firm that helped root out the identities of Anonymous attackers.

Several analysts I’ve talked to have said that this awareness is going all the way up to the C-level, and that it brings some real measurable impacts in how attacks are carried out:

  • For one, the attacks are not typically planned in the back channels that financially-driven attacks are, but often out in the open, in forums and Facebook.
  • All press is bad press: One security-minded firm stated that companies are complaining that any mention in the major media is driving attacks.
  • While the tools are often the same (DDoS attacks, data leakage), the participants are a different class, operating from both the inside and the outside in ways that opt more towards disruption and high-profile publicity rather than sustained effort.
In some ways, this is hacking come full circle: For years, security professionals have been discussing that the threat had moved from “fame seeking” attackers to more organized, professional attackers seeking financial profit. The organized crime has not diminished, but we are seeing a resurgence in the former class, particularly at the low-end “script kiddy” level with tools like the Low Orbit Ion Cannon making it easy and, in some circles, “cool” to mindlessly help bring down servers and networks.
Look for a lot of announcements specifically dealing with these threats next week at RSA, particularly if the solutions can also ably handle the more traditional attackers as well.
Michael Morisy is the editorial director for ITKnowledgeExchange. He can be followed on Twitter or you can reach him at Michael@ITKnowledgeExchange.com.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: