Enterprise IT Watch Blog

October 13, 2010  8:23 AM

A flaw in the cloud is still a flaw: How do your SaaS apps stand up?

Kevin Beaver Profile: Kevin Beaver

Call me a cynic, but I’m still skeptical when it comes to these SaaS “solutions” that are nothing more than a traditional Web application with a pretty front-end. You see, with traditional systems come traditional vulnerabilities – namely Web application vulnerabilities like cross-site scripting, SQL injection, cross-site request forgery and so on. These can be big, big problems that create risks for your business. You can’t overlook them and assume that all’s well just because your cloud provider says so.

The question is: How do you know that your cloud providers’ applications are truly secure? All it takes is some input validation weaknesses, some poor login mechanism controls, or a missing patch such as the Microsoft ASP.NET padding oracle exploit. I’ve seen all three in Web applications I’ve been testing this week. So, how do your vendors’ applications stand up? You’ll never know unless you ask. Even then, you’ll likely hear, “Our applications run in a state-of-the-art SAS 70 Type II-certified data center.” Big deal. (More on that in a different post.) I’m talking about true in-depth vulnerability scanning and manual analysis – both are required on a consistent and periodic basis, period.

Security is one of the ongoing concerns surrounding the cloud and SaaS. Read up on what you need to consider before adopting SaaS in the cloud:

Find unexpected vulnerabilities to ensure cloud compliance

Cloud computing and application security: Issues and risks

What you should know about cloud backup security

Data security concerns with online backup

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.

October 11, 2010  8:21 AM

Cloudy about cloud terminology? We can help.

Melanie Yarbrough Profile: MelanieYarbrough

According to a 2009 study done by IBM of over 1,000 IT decision makers regarding perceptions of cloud computing, there is a significant inconsistency of terms associated with both internal and external clouds. How do we expect to have productive conversation if we’re all speaking different languages? Let us help.

October 7, 2010  8:52 AM

The S/M/L of Software-as-a-Service Adoption: Which companies embrace the cloud?

Michael Morisy Profile: Michael Morisy

Enterprise software-as-a-service seems to be garnering much of the press these days, but which companies are actually ditching the traditional out-of-the-box for, shall we say, out of the box thinking? Like with almost all things cloud, the numbers get fuzzy very quickly, but I like the sound of two recent reports.

Two interesting surveys have shed some light on the question of actual Software-as-a-Service adoption in various-sized companies, as NASDAQ News’ Steve Monfort reports:

Techaisle, an IT market research firm, reports that companies begin to use cloud computing services when they expand beyond 20 employees. As companies grow to 250-plus employees, they become more likely to move IT operations in-house – and if they continue to grow past 500 workers, they turn once again to the cloud.

Monfort also notes a Novell study that indicated 77% of 2,500-person companies are using “some form of cloud computing today,” mostly to complement rather than replace existing IT infrastructure. Both studies jibe with what I’ve seen anecdotally: The smallest companies are often relying as much as they can on SaaS, whether it’s free products like Google Docs or low-cost SaaS options like QuickBooks Online. And the big companies almost cannot avoid it, with the sales force demanding, well, Salesforce.

It’s the medium-sized companies, however, that are being the most cautious: They’re too big with too-specific needs for the “trimmed down” offerings available to the low-end, but not able to afford enough customization and cloud redundancy on the high-end to make it worth their while.

As mentioned, the data itself can be a bit cloudy. See a recent CompTIA study which found mid-sized businesses being the largest “cloud” adopters. Sure, cloud can cover a lot of things beyond SaaS, but perhaps the most important lesson from all this is that the right cloud strategy isn’t what your peers are doing, it’s what’s right for your company.

Michael Morisy is the editorial director for ITKnowledgeExchange. He can be followed on Twitter or you can reach him at Michael@ITKnowledgeExchange.com.

October 4, 2010  6:00 AM

James Urquhart helps us find the Cloud’s silver lining

Melanie Yarbrough Profile: MelanieYarbrough

The perennial search for innovation serves as the greatest threat to traditional IT: Has the cloud – with its nebulous definition (pun not intended but appreciated) – simply become the face to blame?

James Urquhart, Market Strategist for Cloud Computing and Data Center Virtualization at Cisco, was recently traveling in Australia. What struck him the most, he said, was how they were equating cloud computing with outsourcing. “They’re not the same thing,” he assured me. “Though they do have a loose relationship with one another. They have the same concerns: service levels, security, liability, legal concerns and all that. They’re still there.”

So, what can cloud computing offer the enterprise?

October 1, 2010  6:21 AM

Trust No One: Info Security’s Biggest Weakness

Kevin Beaver Profile: Kevin Beaver

I came across an intriguing article in a 2009 issue of Fortune magazine about how businesswoman Dina Wein Reis duped high-profile executives, ultimately costing their corporations millions of dollars. In the final paragraph the author states:

Don deKieffer, the lawyer who pursued Wein Reis for years, says that companies will always be susceptible to such schemes as long as executives are so trusting. “In almost every case you had people inside the company not paying attention to the good of the entire enterprise,” says deKieffer. “There are bad people out there — wolves who will eat you unless you pay attention.”

If this doesn’t summarize the very essence of the problem we have with information security today, I don’t know what does. It’s really nothing new. Just look at the infamous hackers from our time – many of them preyed upon this very weakness. Very enlightening insight into the executive psyche. I’ve always believed that as long as people are involved with IT, we’ll always have information security problems.

For further reading, check out these pieces I’ve written on the subject of people and information security.

September 30, 2010  3:12 PM

Loosen the reins: Telecommuting in 2010

Kevin Beaver Profile: Kevin Beaver

I’ve been commuting into downtown Atlanta a good bit recently and I’m about done…not with my projects but with the traffic, and even more so, the nasty air. It seems I can’t catch a break from the diesel trucks sputtering their filth, smokers with their cigarettes hanging out their windows, and old junker cars burning oil (I guess a lot of people missed “cash for clunkers”). Having a family member who suffered from lung cancer, I’m extra sensitive to this stuff.

All the traffic and filth in the air reminded me of telecommuting. Where the heck are all the telecommuters? It seems like everyone who has a job is driving into work. Why!!?? It’s 2010, for crying out loud!

I think it’s crazy not to let people work from home as long as the security issues that come along with it (i.e. unsecured home computers, unsecured wireless network usage, weak passwords, and unencrypted laptops/mobile devices) are addressed. Telecommuting helps morale. It helps productivity. You can’t tell me no one is goofing off at the office anyway. I see people doing that all the time. Furthermore, research has shown that when you’re interrupted it takes 20 minutes to get back into the groove of what you were doing. Interruptions occur in the workplace about every 20 minutes; does that mean no one is really getting anything done?

I’ve been ranting about telecommuting for a while, and unfortunately there’s a huge double standard. It’s okay for management to do it but not for regular employees. I have a good friend who has been subjected to this at multiple companies. Does management not trust its employees enough to let them work from home at least a few days a week? Why? If you ask me, this is an HR problem – managers not hiring the right people – more than anything else.

It’s time to step into the 21st century and use some of these technologies we’ve paid so much to put in place. Make telecommuting work for your business and be done with it. It’s not only a matter of thinking things through to do it right – it’s also a matter of choice.

September 29, 2010  6:01 AM

Policies for the sake of policies

Kevin Beaver Profile: Kevin Beaver

Security policies are those “talk is cheap” enablers of compliance and risk management. The problem is they’re often poorly written, disjointed, inaccurate and so on – often creating the very risks they’re supposed to mitigate.

Everyone treats policies differently, so your needs and mileage will no doubt vary. For what it’s worth, I wrote an article for SearchEnterpriseDesktop.com regarding Windows desktop security policies. If you need to create your own policies or revamp your existing ones, I included a security policy template that can be tweaked to suit your business needs.

Keep in mind that you don’t want to create policies just for the sake of having policies. This practice can end up creating more problems than it solves. You need to understand where your business is at risk and then shape your policies around those risks. Once you understand where the focus is needed, you can go about building out your policy documents into something that truly enables information security in your business.

For further reading including common oversights and mistakes, check out my security policy articles, podcasts and webcasts.

September 28, 2010  6:00 AM

Would you like some snake oil with that network assessment?

Kevin Beaver Profile: Kevin Beaver

There are many IT services firms – including some run by friends and colleagues of mine – that perform something called “network assessments.” The purpose of these assessments, which are usually aimed at SMBs, is to determine the overall health of your network and computing environment, supposedly including security.

First, let me be clear that these are legitimate services to see where your network stands. That’s fine and dandy – a useful service indeed. The problem is that these network assessments are being pushed/sold under the guise of security assessments that, at least on paper, would compete with more in-depth security vulnerability assessments. But they’re not the same.

I saw recent descriptions of such services that claim to “check the security environment of your network” and “help ensure your sensitive data remains protected.” In discussions with my friends and colleagues, none of them have ever claimed to be security experts, yet they still offer these services. I don’t believe “in-depth security assessments” are their intent, but what exactly are such companies purporting to do? Many are just visual inspections or basic questionnaires and may incorporate rudimentary security scanning tools such as Microsoft Baseline Security Analyzer.

My point is: Be careful. Just because a network engineer “checks” your systems, recommends some software updates or network design changes, and ultimately installs a few new security products in your environment, don’t assume that you’ve had a proper information security assessment or that your information is truly secure. Your best bet is to determine what you want and then ask specific questions to help ensure you’re getting the deliverable you really need before you start the project.

Here are some information security assessment articles, screencasts, podcasts, and webcasts you can peruse to help you fine-tune your requirements the next time this comes up.

September 28, 2010  5:09 AM

Is a new Obama mandate putting IT security at risk?

Melanie Yarbrough Profile: MelanieYarbrough

We’re not here to discuss politics, but one of the big stories today is the Obama administration’s development of plans to require that backdoors be placed on Internet-based communication services, allowing for compliance to federal wiretap orders.

The bill, slated for 2011, would require communication service providers to have the capability to intercept and decrypt messages. The proposal extends the Communications Assistance for Law Enforcement Act (CALEA), which requires telecom providers to provide interception capabilities for law enforcement, into the realm of the Internet. In the New York Times article on the bill, the FBI’s Valerie Caproni said:

We’re not talking expanding authority. We’re talking about preserving our ability to execute our existing authority in order to protect the public safety and national security.

But does “public safety and national security” come at the cost of personal and enterprise security? Extending interception capabilities to the Internet could prove disastrous if not executed correctly. Computer science professor at Columbia University Steven Bellovin thinks “it’s a disaster waiting to happen. If they start building in all these back doors, they will be exploited.” Just like in 2005, he cites, when “hackers [took] advantage of a legally mandated wiretap function to spy on top officials’ phones, including the prime minister’s.”

On the flipside, there may be side-effects to adding to the already overwhelming honey-do lists of enterprise IT. Former Sun Microsystems engineer Susan Landau worries that the mandate would hinder the progress of small startups. Engineers would be dedicated to incorporating wiretapping capabilities rather than innovation and product release dates.

Federal response to the privacy community’s uproar is hardly comforting: Service providers would be the sole carriers of the decryption capabilities, for which the agency would need a court order to utilize. Ira Winkler, president of the Internet Security Advisors Group told Computerworld that his main concern isn’t the “government’s ability to intercept communications for legitimate law enforcement purposes, the real concern should be over continued compromise of personal data online.”

Melanie Yarbrough is the assistant community editor at ITKnowledgeExchange.com. Follow her on Twitter or send her an email at Melanie@ITKnowledgeExchange.com.

September 27, 2010  6:15 AM

Two simple but essential steps for all laptop owners

Kevin Beaver Profile: Kevin Beaver

Not too long ago I experienced the equivalent of a disaster for larger businesses: My laptop computer died. I’m a technical guy and so I was able to limp along with some workarounds at first. I had an old laptop that I could use for most things, but it wasn’t pretty.

Little did I know that in the process of recovering, I was going to be consumed with other unrelated computer problems. All in all, I lost three full days of work troubleshooting and getting things rebuilt back to normal. I got behind on articles I needed to write. I neglected my blogs. I missed out on some consulting work, and I even missed a book deadline.

But it could’ve been much worse. Through thick and thicker, I saved my rear end by doing two things:

1) Warranty it up: When I purchased my laptop, I paid $295 for an on-site warranty. This not only got me next-day service, but it also kept me from having to spend a couple thousand dollars on a new laptop. I had to have my processor and system board replaced – arguably the best $250 I’ve ever spent. This also kept me from having to send my computer off loaded with sensitive information, something I simply can’t do in my line of work.

2) Back it up: I had a backup; it’s something I do religiously every day. It’d be hypocritical of me, an information security consultant, to not have one, right?

Imagine how much time I would’ve lost had I not done these two things.

So do yourself a BIG, BIG favor and back up your laptop. Do it now. Most laptop users I see in my work are required to do their own backups and guess what? Very few people are backing up their laptops. Use Windows Backup, purchase TrueImage, or just manually copy your data to an external drive (make sure you get everything though!). Just do something.

In the future, spend the extra money for the on-site warranty; pay extra for the drop/spill coverage too. If you’re like me, you will need it (I’ve needed this coverage three times with Dell, IBM, and HP), and you’ll kick yourself for not having it when that day comes down the road.

Even if you work for someone else who’s calling the shots on this stuff, ask for it or buy it yourself. It’s money well invested.

Here’s to planning ahead!