Tag Archives: information security

Questions for the Upcoming 2013 Security Priorities Tweet Jam – Dec. 11

By Patty Donovan, The Open Group

Last week, we announced our upcoming tweet jam on Tuesday, December 11 at 9:00 a.m. PT/12:00 p.m. ET/5:00 p.m. GMT, which will examine the topic of IT security and what is in store for 2013.

Please join us next Tuesday, December 11! The discussion will be moderated by Elinor Mills (@elinormills), former CNET security reporter, and we welcome Open Group members and interested participants from all backgrounds to join the session. Our panel of experts will include:

The discussion will be guided by these seven questions:

  1. What’s the biggest lesson learned by the security industry in 2012? #ogChat
  2. How will organizations tackle #BYOD security in 2013? Are standards needed to secure employee-owned devices? #ogChat
  3. In #BYOD era, will organizations be more focused on securing the network, the device, or the data? #ogChat
  4. What impact will using 3rd party #BigData have on corporate security practices? #ogChat
  5. What will global supply chain security look like in 2013? How involved should governments be? #ogChat
  6. What are the biggest unsolved issues in cloud computing security? #ogChat
  7. What should be the top security priorities for organizations in 2013? #ogChat

To access the discussion, please follow the #ogChat hashtag during the allotted discussion time. Other hashtags we recommend you use during the event include:

  • Information Security: #InfoSec
  • Security: #security
  • BYOD: #BYOD
  • Big Data: #BigData
  • Privacy: #privacy
  • Mobile: #mobile
  • Supply Chain: #supplychain

For more information about the tweet jam topic (security), guidelines and general background information on the event, please visit our previous blog post: http://blog.opengroup.org/2012/11/26/2013-security-priorities-tweet-jam/

If you have any questions prior to the event or would like to join as a participant, please direct them to Rod McLeod (rmcleod at bateman-group dot com), or leave a comment below. We anticipate a lively chat and hope you will be able to join us!

Patricia Donovan is Vice President, Membership & Events, at The Open Group and a member of its executive management team. In this role she is involved in determining the company’s strategic direction and policy as well as the overall management of that business area. Patricia joined The Open Group in 1988 and has played a key role in the organization’s evolution, development and growth since then. She also oversees the company’s marketing, conferences and member meetings. She is based in the U.S.


Filed under Tweet Jam

The Open Group Newport Beach Conference – Early Bird Registration Ends January 4

By The Open Group Conference Team

The Open Group is busy gearing up for the Newport Beach Conference. Taking place January 28-31, 2013, the conference theme is “Big Data – The Transformation We Need to Embrace Today” and will bring together leading minds in technology to discuss the challenges and solutions facing Enterprise Architecture around the growth of Big Data. Register today!

Information is power, and we stand at a time when 90% of the data in the world today was generated in the last two years alone. Despite the sheer enormity of the task, off-the-shelf hardware, open source frameworks and the processing capacity of the Cloud mean that Big Data processing is within the cost-effective grasp of the average business. Organizations can now initiate Big Data projects without significant investment in IT infrastructure.

In addition to tutorial sessions on TOGAF® and ArchiMate®, the conference offers roughly 60 sessions on a variety of topics including:

  • The ways that Cloud Computing is transforming the possibilities for collecting, storing, and processing big data.
  • How to contend with Big Data in your Enterprise?
  • How does Big Data enable your Business Architecture?
  • What does the Big Data revolution mean for the Enterprise Architect?
  • Real-time analysis of Big Data in the Cloud.
  • Security challenges in the world of outsourced data.
  • What is an architectural view of Security for the Cloud?

Plenary speakers include:

  • Christian Verstraete, Chief Technologist – Cloud Strategy, HP
  • Mary Ann Mezzapelle, Strategist – Security Services, HP
  • Michael Cavaretta, Ph.D, Technical Leader, Predictive Analytics / Data Mining Research and Advanced Engineering, Ford Motor Company
  • Adrian Lane, Analyst and Chief Technical Officer, Securosis
  • David Potter, Chief Technical Officer, Promise Innovation Oy
  • Ron Schuldt, Senior Partner, UDEF-IT, LLC

A full conference agenda is available here. Tracks include:

  • Architecting Big Data
  • Big Data and Cloud Security
  • Data Architecture and Big Data
  • Business Architecture
  • Distributed Services Architecture
  • EA and Disruptive Technologies
  • Architecting the Cloud
  • Cloud Computing for Business

Early Bird Registration

Early Bird registration for The Open Group Conference in Newport Beach ends January 4. Register now and save! For more information or to register: http://www.opengroup.org/event/open-group-newport-beach-2013/reg

Upcoming Conference Submission Deadlines

In addition to the Early Bird registration deadline to attend the Newport Beach conference, there are upcoming deadlines for speaker proposal submissions to Open Group conferences in Sydney, Philadelphia and London. To submit a proposal to speak, click here.

Venue                       Industry Focus                     Submission Deadline
Sydney (April 15-17)        Finance, Defense, Mining           January 18, 2013
Philadelphia (July 15-17)   Healthcare, Finance, Defense       April 5, 2013
London (October 21-23)      Finance, Government, Healthcare    July 8, 2013

We expect space on the agendas of these events to be at a premium, so it is important for proposals to be submitted as early as possible. Proposals received after the deadline dates will still be considered, if space is available; if not, they may be carried over to a future conference. Priority will be given to proposals received by the deadline dates and to proposals that include an end-user organization, at least as a co-presenter.


Filed under Conference

Data Protection Today and What’s Needed Tomorrow

By Ian Dobson and Jim Hietala, The Open Group

Technology today allows thieves to copy sensitive data while leaving the original in place, thus avoiding detection. One needn’t look far in today’s headlines to understand why protection of data is critical going forward. As this recent article from Bloomberg points out, penetrations of corporate IT systems with the aim of extracting sensitive information, IP and other corporate data are rampant. Despite the existence of data breach and data privacy laws in the U.S., EU and elsewhere, this issue is still not well publicized. The article cites specific intrusions at large consumer products companies, the EU itself, law firms and a nuclear power plant.

Published in October 2012, the Jericho Forum® Data Protection white paper reviews the state of data protection today and where it should be heading to meet tomorrow’s business needs. The Open Group’s Jericho Forum contends that future data protection solutions must aim to provide stronger, more flexible protection mechanisms around the data itself.

The white paper argues that some of the current issues with data protection are:

  • It is too global and remote to be effective
  • Protection is neither granular nor interoperable enough
  • It’s not integrated with Centralized Authorization Services
  • Weak security services are relied on for enforcement

Refreshingly, it explains not only why, but also how. The white paper reviews the key issues surrounding data protection today; describes properties that data protection mechanisms should include to meet current and future requirements; considers why current technologies don’t deliver what is required; and proposes a set of data protection principles to guide the design of effective solutions.

It goes on to describe how data protection has evolved to where it is today, and outlines a series of target stages for progressively moving the industry forward to deliver the stronger, more flexible protection solutions that business managers are already demanding their IT systems managers provide. Businesses require these solutions to ensure that appropriate data protection levels are wrapped around the rapidly increasing volumes of confidential information shared with their business partners, suppliers, customers and outworkers/contractors on a daily basis.

Having mapped out an evolutionary path for what we need to achieve to move data protection forward in the direction our industry needs, we’re now planning optimum approaches for how to achieve each successive stage of protection. The Jericho Forum welcomes folks who want to join us in this important journey.


Ian Dobson is the director of the Security Forum and the Jericho Forum for The Open Group, coordinating and facilitating the members to achieve their goals in our challenging information security world.  In the Security Forum, his focus is on supporting development of open standards and guides on security architectures and management of risk and security, while in the Jericho Forum he works with members to anticipate the requirements for the security solutions we will need in future.

Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.


Filed under Cybersecurity

#ogChat Summary – The Future of BYOD

By Patty Donovan, The Open Group

With over 400 tweets flying back and forth, last week’s BYOD Tweet Jam (#ogChat) saw a fast-paced, lively discussion on the future of the bring your own device (BYOD) trend and its implications in the enterprise. In case you missed the conversation, here’s a recap of last week’s #ogChat!

There were a total of 29 participants including:

Here is a high-level snapshot of the #ogChat:

Q1 What are the quantifiable benefits of BYOD? What are the major risks of #BYOD, and do these risks outweigh the benefits? #ogChat

Participants generally agreed that the main risk of BYOD is data security and benefits include cost and convenience.

  • @MobileGalen Data policy is core because that’s where the real value is in business. Affects access and intrusion/hacking of course secondarily #ogChat
  • @technodad Q1 #BYOD transcends time/space boundaries – necessary for a global business. #ogChat
  • @AWildCSO Q1 Risks: Risk to integrity and availability of corporate IT systems – malware into enterprise from employee owned devices #ogChat

Q2 What are the current security issues with #BYOD, and how should organizations go about securing those devices? #ogChat

The most prominent issue discussed was who owns the responsibility for security. Participants couldn’t agree on whether responsibility falls on the user or the organization.

  • @AWildCSO Q2: Main issue is the confidentiality of data. Not a new issue, has been around a while, especially since the advent of networking. #ogChat
  • @cebess .@MobileGalen Right — it’s about the data not the device. #ogChat
  • @AppsTechNews Q2 Not knowing who’s responsible? Recent ITIC/KnowBe4 survey: 37% say corporation responsible for #BYOD security; 39% say end user #ogChat
  • @802dotchris @MobileGalen there’s definitely a “golden ratio” of functionality to security and controls @IDGTechTalk #ogChat
  • @MobileGalen #ogChat Be careful about looking for mobile mgmt tools as your fix. Most are about disablement not enablement. Start w enable, then protect.

Q3 How can an organization manage corporate data on employee owned devices, while not interfering with data owned by an employee? #ogChat

Most participants agreed that securing corporate data is a priority but were stumped when it came to maintaining personal data privacy. Some suggested that organizations will have no choice but to interfere with personal data, but all agreed that no matter what the policy, it needs to be clearly communicated to employees.

  • @802dotchris @jim_hietala in our research, we’re seeing more companies demand app-by-app wipe or other selective methods as MDM table stakes #ogChat
  • @AppsTechNews Q3 Manage the device, manage & control apps running on it, and manage data within those apps – best #BYOD solutions address all 3 #ogChat
  • @JonMoger @theopengroup #security #ogChat #BYOD is a catalyst for a bigger trend driven by cultural shift that affects HR, legal, finance, LOB.
  • @bobegan I am a big believer in people, and I think most employees feel that they own a piece of corporate policy #ogChat
  • @mobilityofficer @theopengroup Q3: Sometimes you have no choice but to interfere with private data but you must communicate that to employees #ogChat

Q4 How does #BYOD contribute to the creation or use of #BigData in the enterprise? What role does #BYOD play in #BigData strategy? #ogChat

Participants exchanged opinions on the relationship between BYOD and Big Data, leaving much room for future discussion.

  • @technodad Q4 #bigdata created by mobile, geotagged, realtime apps is gold dust for business analytics & marketing. Smart orgs will embrace it. #ogChat
  • @cebess .@technodad Context is king. The device in the field has quite a bit of contextual info. #ogChat
  • @bobegan @cebess Right, a mobile strategy, including BYOD is really about information supply chain management. Must include many audiences #ogChat

Q5 What best practices can orgs implement to provide #BYOD flexibility and also maintain control and governance over corporate data? #ogChat

When discussing best practices, it became clear that no matter what, organizations must educate employees and be consistent with business priorities. Furthermore, if data is precious, treat it that way.

  • @AWildCSO Q5: Establish policies and processes for the classification, ownership and custodianship of information assets. #ogChat
  • @MobileGalen #ogChat: The more precious your info, the less avail it should be, BYOD or not. Use containered apps for sensitive, local access for secret
  • @JonMoger @theopengroup #BYOD #ogChat 1. Get the right team to own 2. Educate mgmt on risks & opps 3. Set business priorities 4. Define policies

Q6 How will organizations embrace or reject #BYOD moving forward? Will they have a choice or will employees dictate use? #ogChat

While understanding the security risks, most participants embraced BYOD as a big trend that will eventually become the standard moving forward.

A big thank you to all the participants who made this such a great discussion!


Filed under Tweet Jam

Optimizing ISO/IEC 27001 Using O-ISM3

By Jim Hietala, The Open Group and Vicente Aceituno, Sistemas Informáticos Abiertos

The Open Group has just published a guide titled “Optimizing ISO/IEC 27001 using O-ISM3” that will be of interest to organizations using ISO27001/27002 as their Information Security Management System (ISMS).

By way of background, The Open Group published our Open Information Security Management Maturity Model, O-ISM3, last year. O-ISM3 brings continuous improvement to information security management, and it provides a framework for security decision-making that is top-down in nature, where security controls, security objectives and spending decisions are driven by (and aligned with) business objectives.

We have for some time now heard from information security managers that they would like a resource aimed at showing how the O-ISM3 standard could be used to manage information security alongside ISO27001/27002. This new guide provides specific guidance on this topic.

We view this as an important resource, for the following reasons:

  • O-ISM3 complements ISO27001/2 by adding the “how” dimension to information security management
  • O-ISM3 uses a process-oriented approach, defining inputs and outputs, and allowing for evaluation by process-specific metrics
  • O-ISM3 provides a framework for continuous improvement of information security processes

This resource:

  • Maps O-ISM3 and ISO27001 security objectives
  • Maps ISO27001/27002 controls and documents to O-ISM3 security processes, documents, and outputs
  • Provides a critical linkage between the controls-based approach found in ISO27001 and the process-based approach found in O-ISM3

If you have interest in information security management, we encourage you to have a look at Optimizing ISO/IEC 27001 using O-ISM3. The guide may be downloaded (at no cost, minimal registration required) here.


Vicente Aceituno, CISA, has 20 years experience in the field of IT and Information Security. During his career in Spain and the UK, he has worked for companies like Coopers & Lybrand, BBC News, Everis, and SIA Group. He is the main author of the Information Security Management Method ISM3, author of the information security book “Seguridad de la Información,” Director of the ISM3 Consortium (www.ism3.com) and President of the Spanish chapter of the ISSA.


Filed under Cybersecurity, Information security, Security Architecture

Challenges to Building a Global Identity Ecosystem

By Jim Hietala and Ian Dobson, The Open Group

In our five identity videos from the Jericho Forum, a forum of The Open Group:

  • Video #1 explained the “Identity First Principles” – about people (or any entity) having a core identity and how we all operate with a number of personas.
  • Video #2 “Operating with Personas” explained how we use a digital core identifier to create digital personas –as many as we like – to mirror the way we use personas in our daily lives.
  • Video #3 described how “Trust and Privacy interact to provide a trusted privacy-enhanced identity ecosystem.”
  • Video #4 “Entities and Entitlement” explained why identity is not just about people – we must include all entities that we want to identify in our digital world, and how “entitlement” rules control access to resources.

In this fifth video – Building a Global Identity Ecosystem – we highlight what we need to change and develop to build a viable identity ecosystem.

The Internet is global, so any identity ecosystem similarly must be capable of being adopted and implemented globally.

This means that establishing a trust ecosystem is essential to widespread adoption of an identity ecosystem. To achieve this, an identity ecosystem must demonstrate that its architecture is robust enough to scale to the many billions of entities involved: not only the people all over the world who will want to assert their identities and attributes, but also the identities they will want for all their other types of entities.

It also means that we need to develop an open implementation reference model, so that anyone in the world can develop and implement interoperable identity ecosystem identifiers, personas, and supporting services.

In addition, the trust ecosystem for asserting identities and attributes must be robust, to allow entities to make assertions that relying parties can be confident to consume and therefore use to make risk-based decisions. Agile roots of trust are vital if the identity ecosystem is to have the necessary levels of trust in entities, personas and attributes.

Key to trust in this whole identity ecosystem is being able to immutably (enduringly and changelessly) link an entity to a digital Core Identifier, so that we can be certain that only the person (or other type of entity) holding that Core Identifier is the person (or other type of entity) it was created from, and that no one and nothing can impersonate it. This immutable binding must be created in a form that guarantees the binding and includes the interfaces necessary to connect with the digital world. It should also be easy and cost-effective for all to use.

Of course, the cryptography and standards that this identity ecosystem depends on must be fully open, peer-reviewed and accepted, and freely available, so that all governments and interested parties can assure themselves, just as they can with AES encryption today, that it’s truly open and there are no barriers to implementation. The technologies needed around cryptography, one-way trusts, and zero-knowledge proofs, all exist today, and some of these are already implemented. They need to be gathered into a standard that will support the required model.
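As an added illustration of the core-identifier-and-personas model described above (this is not the Jericho Forum’s reference model and not code from The Open Group), the following Python sketch shows one way a single core identity can spawn a separate persona for each relying party, such that the relying parties cannot link the personas to each other, while each relying party can still verify assertions from the persona it enrolled. Everything in it is an assumption made for the example: the core identity is a 32-byte secret held only by its owner; personas are derived with HKDF (RFC 5869) keyed by the relying party’s name; and the assertion tag is an HMAC standing in for the digital signature a real ecosystem would use, so that the example runs with only the Python standard library.

```python
"""Persona derivation from a core identity: an illustrative construction.

Added example for this page, NOT the Jericho Forum's reference model.
Assumptions (all constructed for illustration):
  * a core identity is a 32-byte secret that never leaves its holder;
  * one persona per relying party is derived with HKDF (RFC 5869), so two
    relying parties see unrelated identifiers and cannot link them;
  * a persona authenticates its assertions with an HMAC tag, used here as a
    stand-in for a digital signature because only the standard library is
    used. A real ecosystem would hand the relying party a public key at
    enrolment, never the persona secret.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF extract-then-expand (RFC 5869) using HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class Persona:
    """A per-relying-party identifier plus the key that proves control of it."""

    def __init__(self, persona_id: str, key: bytes, audience: str):
        self.persona_id, self._key, self.audience = persona_id, key, audience

    def assert_attributes(self, attributes: dict) -> dict:
        """Produce an attribute assertion bound to this persona and its audience."""
        body = {"persona_id": self.persona_id, "audience": self.audience,
                "attributes": attributes}
        payload = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}


class RelyingParty:
    """Consumes assertions; knows personas only by their pairwise identifier."""

    def __init__(self, name: str):
        self.name = name
        self._keys: Dict[str, bytes] = {}

    def register(self, persona_id: str, key: bytes) -> None:
        self._keys[persona_id] = key

    def verify(self, assertion: dict) -> bool:
        body = assertion.get("body", {})
        key = self._keys.get(body.get("persona_id", ""))
        if key is None or body.get("audience") != self.name:
            return False  # unknown persona, or an assertion meant for another party
        payload = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, assertion.get("tag", ""))


class CoreIdentity:
    """Holder-side core identity; the secret is the one thing never shared."""

    def __init__(self, core_secret: Optional[bytes] = None):
        self._secret = core_secret if core_secret is not None else secrets.token_bytes(32)

    def persona_for(self, relying_party: str) -> Persona:
        # Distinct HKDF info per relying party => distinct, unlinkable persona keys.
        key = hkdf_sha256(self._secret, b"persona-v1", relying_party.encode(), 32)
        persona_id = hmac.new(key, b"persona-id", hashlib.sha256).hexdigest()[:32]
        return Persona(persona_id, key, relying_party)

    def enrol(self, rp: RelyingParty) -> Persona:
        persona = self.persona_for(rp.name)
        rp.register(persona.persona_id, persona._key)  # a public key, in practice
        return persona


def demo() -> Dict[str, bool]:
    """Run the persona lifecycle once and report which properties held."""
    alice = CoreIdentity()
    bank, shop = RelyingParty("bank.example"), RelyingParty("shop.example")
    p_bank, p_shop = alice.enrol(bank), alice.enrol(shop)
    assertion = p_bank.assert_attributes({"over_18": True})
    tampered = {"body": dict(assertion["body"], attributes={"over_18": True, "role": "admin"}),
                "tag": assertion["tag"]}
    return {
        "personas_unlinkable": p_bank.persona_id != p_shop.persona_id,
        "persona_rederivable": alice.persona_for("bank.example").persona_id == p_bank.persona_id,
        "accepted_by_audience": bank.verify(assertion),
        "rejected_by_other_party": not shop.verify(assertion),
        "tamper_detected": not bank.verify(tampered),
    }


if __name__ == "__main__":
    for prop, held in demo().items():
        print(f"{prop}: {held}")
```

Run the file to see the five properties that demo() checks. The point of the HKDF step is that the core secret is never revealed: a compromised relying party learns only its own persona key, and the bank’s and shop’s identifiers are unrelated strings, so neither party can correlate the two personas without the holder’s cooperation. The audience check in verify() is what stops an assertion issued for one relying party from being replayed at another.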

Adoption of an identity ecosystem requires a major mindset change in the thinking of relying parties – to receive, accept and use trusted identities and attributes from the identity ecosystem, rather than creating, collecting and verifying all this information for themselves. Being able to consume trusted identities and attributes will bring significant added value to relying parties, because the information will be up-to-date and from authoritative sources, all at significantly lower cost.

Now that you have followed these five Identity Key Concepts videos, we encourage you to use our Identity, Entitlement and Access (IdEA) commandments as the test to evaluate the effectiveness of all identity solutions, existing and proposed. The Open Group is also hosting an hour-long webinar on Thursday, August 16 that will preview all five videos, followed by an expert Q&A.


Filed under Identity Management, Uncategorized

Summer in the Capitol – Looking Back at The Open Group Conference in Washington, D.C.

By Jim Hietala, The Open Group

This past week in Washington D.C., The Open Group held our Q3 conference. The theme for the event was “Cybersecurity – Defend Critical Assets and Secure the Global Supply Chain,” and the conference featured a number of thought-provoking speakers and presentations.

Cybersecurity is at a critical juncture, and conference speakers highlighted the threat and attack reality and described industry efforts to move forward in important areas. The conference also featured a new capability, as several of the events were Livestreamed to the Internet.

For those who did not make the event, here’s a summary of a few of the key presentations, as well as what The Open Group is doing in these areas.

Joel Brenner, attorney with Cooley, was our first keynote. Joel’s presentation was titled “Turning Us Inside-Out: Crime and Economic Espionage on our Networks.” The talk mirrored his recent book, “America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare,” and Joel talked about current threats to critical infrastructure, attack trends and challenges in securing information. Joel’s presentation was a wakeup call to the very real issues of IP theft and identity theft. Beyond describing the threat and attack landscape, Joel discussed some of the management challenges related to ownership of the problem, namely that the different stakeholders in addressing cybersecurity in companies, including legal, technical, management and HR, all tend to think that this is someone else’s problem. Joel stated the need for policy spanning the entire organization to fully address the problem.

Kristin Baldwin, principal deputy, systems engineering, Office of the Assistant Secretary of Defense, Research and Engineering, described the U.S. Department of Defense (DoD) trusted defense systems strategy and challenges, including requirements to secure their multi-tiered supply chain. She also talked about how the acquisition landscape has changed over the past few years. In addition, for all programs the DoD now requires the creation of a program protection plan, which is the single focal point for security activities on the program. Kristin’s takeaways included needing a holistic approach to security, focusing attention on the threat, and avoiding risk exposure from gaps and seams. DoD’s Trusted Defense Systems Strategy provides an overarching framework for trusted systems. Stakeholder integration with acquisition, intelligence, engineering, industry and research communities is key to success. Systems engineering brings these stakeholders, risk trades, policy and design decisions together. Kristin also stressed the importance of informing leadership early and providing programs with risk-based options.

Dr. Ron Ross of NIST described a perfect storm: the proliferation of information systems and networks, combined with an increasingly sophisticated threat, is producing a growing number of penetrations of public- and private-sector information systems, with consequences for both security and privacy. He proposed an integrated project team approach to information security. Dr. Ross also provided an overview of the changes coming in NIST SP 800-53, Revision 4, which is presently available in draft form. He advocated a dual protection strategy: traditional controls at the network perimeter, which assume attackers are outside organizational networks, combined with agile defenses that assume attackers are already inside the perimeter. The objective of agile defenses is to enable operation while under attack and to minimize response times to ongoing attacks. This approach mirrors thinking from the Jericho Forum and others on de-perimeterization and is very welcome.

The Open Group Trusted Technology Forum provided a panel discussion on supply chain security issues and the approach that the forum is taking towards addressing issues relating to taint and counterfeit in products. The panel included Andras Szakal of IBM, Edna Conway of Cisco and Dan Reddy of EMC, as well as Dave Lounsbury, CTO of The Open Group. OTTF continues to make great progress in the area of supply chain security, having published a snapshot of the Open Trusted Technology Provider Framework, working to create a conformance program, and in working to harmonize with other standards activities.

Dave Hornford, partner at Conexiam and chair of The Open Group Architecture Forum, provided a thought provoking presentation titled, “Secure Business Architecture, or just Security Architecture?” Dave’s talk described the problems in approaches that are purely focused on securing against threats and brought forth the idea that focusing on secure business architecture was a better methodology for ensuring that stakeholders had visibility into risks and benefits.

Geoff Besko, CEO of Seccuris and co-leader of the security integration project for the next version of TOGAF®, delivered a presentation that looked at risk from both a positive and a negative view. He observed that senior management frequently see risk as something to embrace, taking risks with an eye on business gains in revenue, market share or profitability, while security practitioners tend to focus on risk as something to be mitigated. Finding common ground is key here.

Katie Lewin, who is responsible for the GSA FedRAMP program, provided an overview of the program, and how it is helping raise the bar for federal agency use of secure Cloud Computing.

The conference also featured a workshop on security automation, which featured presentations on a number of standards efforts in this area, including on SCAP, O-ACEML from The Open Group, MILE, NEA, AVOS and SACM. One conclusion from the workshop was that there’s presently a gap and a need for a higher level security automation architecture encompassing the many lower level protocols and standards that exist in the security automation area.

In addition to the public conference, a number of forums of The Open Group met in working sessions to advance their work in the Capitol. These included:

All in all, the conference clarified the magnitude of the cybersecurity threat, and the importance of initiatives from The Open Group and elsewhere to make progress on real solutions.

Join us at our next conference in Barcelona on October 22-25!


Filed under Conference, Cybersecurity, Enterprise Architecture, Information security, OTTF, Security Architecture, Supply chain risk, TOGAF®

Overlapping Criminal and State Threats Pose Growing Cyber Security Threat to Global Internet Commerce, Says Open Group Speaker

By Dana Gardner, Interarbor Solutions

This special BriefingsDirect thought leadership interview comes in conjunction with The Open Group Conference this January in San Francisco.

The conference will focus on how IT and enterprise architecture support enterprise transformation. Speakers in conference events will also explore the latest in service oriented architecture (SOA), cloud computing, and security.

We’re here now with one of the main speakers, Joseph Menn, Cyber Security Correspondent for the Financial Times and author of Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet.

Joe has covered security since 1999, first for the Los Angeles Times and now for the Financial Times. Fatal System Error is his third book; he also wrote All the Rave: The Rise and Fall of Shawn Fanning’s Napster.

As a lead-in to his Open Group presentation, entitled “What You’re Up Against: Mobsters, Nation-States, and Blurry Lines,” Joe explores the current cyber-crime landscape, the underground cyber-gang movement, and the motives behind governments collaborating with organized crime in cyberspace. The interview is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions. The full podcast can be found here.

Here are some excerpts:

Gardner: Have we entered a new period where just balancing risks and costs isn’t a sufficient bulwark against burgeoning cyber crime?

Menn: Maybe you can make your enterprise a little trickier to get into than the other guy’s enterprise, but crime pays very, very well, and in the big picture, their ecosystem is better than ours. They do capitalism better than we do. They specialize to a great extent. They reinvest in R&D.

On our end, on the good guys’ side, it’s hard if you’re a chief information security officer (CISO) or a chief security officer (CSO) to convince the top brass to pay more. You don’t really know what’s working and what isn’t. You don’t know if you’ve really been had by something that we call advanced persistent threat (APT). Even the top security minds in the country can’t be sure whether they’ve been had or not. So it’s hard to know what to spend on.

More efficient

The other side doesn’t have that problem. They’re getting more efficient in the same way that they used to lead technical innovation. They’re leading economic innovation. The freemium model is best evidenced by crimeware kits like ZeuS, where you can get versions that are pretty effective and will help you steal a bunch of money for free. Then if you like that, you have the add-on to pay extra for — the latest and greatest that are sure to get through the antivirus systems.

Gardner: When you say “they,” who you are really talking about?

Menn: They, the bad guys? It’s largely Eastern European organized crime. In some countries, they can be caught. In other countries they can’t be caught, and there really isn’t any point in trying.

It’s a geopolitical issue, which is something that is not widely understood, because in general, officials don’t talk about it. Working on my book, and in reporting for the newspapers, I’ve met really good cyber investigators for the Secret Service and the FBI, but I’ve yet to meet one that thinks he’s going to get promoted for calling a press conference and announcing that they can’t catch anyone.

So the State Department, meanwhile, keeps hoping that the other side is going to turn a new leaf, but they’ve been hoping that for 10 or more years, and it hasn’t happened. So it’s incumbent upon the rest of us to call a spade a spade here.

What’s really going on is that Russian intelligence and, depending on who is in office at a given time, Ukrainian authorities, are knowingly protecting some of the worst and most effective cyber criminals on the planet.

Gardner: And what would be their motivation?

Menn: As a starting point, the level of garden-variety corruption over there is absolutely mind-blowing. More than 50 percent of Russian citizens responding to the survey say that they had paid a bribe to somebody in the past 12 months. But it’s gone well beyond that.

The same resources, human and technical, that are used to rob us blind are also being used in what is fairly called cyber war. The same criminal networks that are after our bank accounts were, for example, used in denial-of-service (DOS) attacks on Georgia and Estonian websites belonging to government, major media, and Estonia banks.

It’s the same guy, and it’s a “look-the-other-way” thing. You can do whatever crime you want, and when we call upon you to serve Mother Russia, you will do so. And that has accelerated. Just in the past couple of weeks, with the disputed elections in Russia, you’ve seen mass DOS attacks against opposition websites, mainstream media websites, and live journals. It’s a pretty handy tool to have at your disposal. I provide all the evidence that would be needed to convince the reasonable people in my book.

Gardner: In your book you use the terms “bringing down the Internet.” Is this all really a threat to the integrity of the Internet?

Menn: Well, integrity is the key word there. No, I don’t think anybody is about to stop us all from the privilege of watching skateboarding dogs on YouTube. What I mean by that is the higher trust in the Internet in the way it’s come to be used, not the way it was designed, but the way it is used now for online banking, ecommerce, and for increasingly storing corporate — and heaven help us, government secrets — in the cloud. That is in very, very great trouble.

Not a prayer

I don’t think that now you can even trust transactions not to be monitored and pilfered. The latest, greatest versions of ZeuS get past multi-factor authentication and are not detected by any antivirus that’s out there. So consumers don’t have a prayer, in the words of Art Coviello, CEO of RSA, and corporations aren’t doing much better.

So the way the Internet is being used now is in very, very grave trouble and not reliable. That’s what I mean by it. If they turned all the botnets in the world on a given target, that target is gone. For multiple root servers and DNS, they could do some serious damage. I don’t know if they could stop the whole thing, but you’re right, they don’t want to kill the golden goose. I don’t see a motivation for that.

Gardner: If we look at organized crime in historical context, we found that there is a lot of innovation over the decades. Is that playing out on the Internet as well?

Menn: Sure. The mob does well in any place where there is a market for something, and there isn’t an effective regulatory framework that sustains it – prohibition back in the day, prostitution, gambling, and that sort of thing.

… The Russian and Ukrainian gangs went to extortion as an early model, and ironically, some of the first websites that they extorted with the threat were the offshore gambling firms. They were cash rich, they had pretty weak infrastructure, and they were wary about going to the FBI. They started by attacking those sites in 2003-04 and then they moved on to more garden-variety companies. Some of them paid off and some said, “This is going to look a little awkward in our SEC filings” and they didn’t pay off.

Once the cyber gang got big enough, sooner or later, they also wanted the protection of traditional organized crime, because those people had better connections inside the intelligence agencies and the police force and could get them protection. That’s the way it worked. It was sort of an organic alliance, rather than “Let’s develop this promising area.”

… That is what happens. Initially it was garden-variety payoffs and protection. Then, around 2007, with the attack on Estonia, these guys started proving their worth to the Kremlin, and others saw that with the attacks that ran through their system.

This has continued to evolve very rapidly. Now the DOS attacks are routinely used as the tool for political repression all around the world – Vietnam, Iran and everywhere you’ll see critics that are silenced from DOS attacks. In most cases, it’s not the spy agencies or whoever themselves, but it’s their contract agents. They just go to their friends in the similar gangs and say, “Hey do this.” What’s interesting is that they are both in this gray area now, both Russia and China, which we haven’t talked about as much.

In China, hacking really started out as an expression of patriotism. Some of the biggest attacks, Code Red being one of them, were against targets in countries that were perceived to have slighted China or had run into some sort of territorial flap with China, and, lo and behold, they got hacked.

In the past several years, with this sort of patriotic hacking, the anti-defense establishment hacking in the West that we are reading a lot about finally, those same guys have gone off and decided to enrich themselves as well. There were actually disputes in some of the major Chinese hacking groups. Some people said it was unethical to just go after money, and some of these early groups split over that.

In Russia, it went the other way. It started out with just a bunch of greedy criminals, and then they said, “Hey — we can do even better and be protected. You have better protection if you do some hacking for the motherland.” In China, it’s the other way. They started out hacking for the motherland, and then added, “Hey — we can get rich while serving our country.”

So they’re both sort of in the same place, and unfortunately it makes it pretty close to impossible for law enforcement in [the U.S.] to do anything about it, because it gets into political protection. What you really need is White House-level dealing with this stuff. If President Obama is going to talk to his opposite numbers about Chinese currency, Russian support of something we don’t like, or oil policy, this has got to be right up there too — or nothing is going to happen at all.

Gardner: What about the pure capitalism side, stealing intellectual property (IP) and taking over products in markets with the aid of these nefarious means? How big a deal is this now for enterprises and commercial organizations?

Menn: It is much, much worse than anybody realizes. The U.S. counterintelligence a few weeks ago finally put out a report saying that Russia and China are deliberately stealing our IP, the IP of our companies. That’s an open secret. It’s been happening for years. You’re right. The man in the street doesn’t realize this, because companies aren’t used to fessing up. Therefore, there is little outrage and little pressure for retaliation or diplomatic engagement on these issues.

I’m cautiously optimistic that that is going to change a little bit. This year the Securities and Exchange Commission (SEC) gave very detailed guidance about when you have to disclose when you’ve been hacked. If there is a material impact to your company, you have to disclose it here and there, even if it’s unknown.

Gardner: So the old adage of shining light on this probably is in the best interest of everyone. Is the message then keeping this quiet isn’t necessarily the right way to go?

Menn: Not only is it not the right way to go, but it’s safer to come out of the woods and fess up now. The stigma is almost gone. If you really blow the PR like Sony, then you’re going to suffer some, but I haven’t heard a lot of people say, “Boy, Google is run by a bunch of stupid idiots. They got hacked by the Chinese.”

It’s the definition of an asymmetrical fight here. There is no company that’s going to stand up against the might of the Chinese military, and nobody is going to fault them for getting nailed. Where we should fault them is for covering it up.

I think you should give the American people some credit. They realize that you’re not the bad guy, if you get nailed. As I said, nobody thinks that Google has a bunch of stupid engineers. It is somewhere between extremely difficult to impossible to ward off against “zero-days” and the dedicated teams working on social engineering, because the TCP/IP is fundamentally broken and it ain’t your fault.

[These threats] are an existential threat not only to your company, but to our country and to our way of life. It is that bad. One of the problems is that in the U.S., executives tend to think a quarter or two ahead. If your source code gets stolen, your blueprints get taken, nobody might know that for a few years, and heck, by then you’re retired.

With the new SEC guidelines and some national plans in the U.K. and in the U.S., that’s not going to cut it anymore. Executives will be held accountable. This is some pretty drastic stuff. The things that you should be thinking about, if you’re in an IT-based business, include figuring out the absolutely critical crown jewel one, two, or three percent of your stuff, and keeping it off network machines.

Short-term price

Gardner: So we have to think differently, don’t we?

Menn: Basically, regular companies have to start thinking like banks, and banks have to start thinking like intelligence agencies. Everybody has to level up here.

Gardner: What do the intelligence agencies have to start thinking about?

Menn: The discussions that are going on now obviously include greatly increased monitoring, pushing responsibility for seeing suspicious stuff down to private enterprise, and obviously greater information sharing between private enterprise and government officials.

But, there’s some pretty outlandish stuff that’s getting kicked around, including looking the other way if you, as a company, sniff something out in another country and decide to take retaliatory action on your own. There’s some pretty sea-change stuff that’s going on.

Gardner: So that would be playing offense as well as defense?

Menn: In the Defense Authorization Act that just passed, for the first time, Congress officially blesses offensive cyber-warfare, which is something we’ve already been doing, just quietly.

We’re entering some pretty new areas here, and one of the things that’s going on is that the cyber warfare stuff, which is happening, is basically run by intelligence folks, rather than by a bunch of lawyers worrying about collateral damage and the like, and there’s almost no oversight because intelligence agencies in general get low oversight.

Gardner: Just quickly looking to the future, we have some major trends. We have an increased movement toward mobility, cloud, big data, social. How do these big shifts in IT impact this cyber security issue?

Menn: Well, there are some that are clearly dangerous, and there are some things that are a mixed bag. Certainly, the inroads of social networking into the workplace are bad from a security point of view. Perhaps worse is the consumerization of IT, the bring-your-own-device trend, which isn’t going to go away. That’s bad, although there are obviously mitigating things you can do.

The cloud itself is a mixed bag. Certainly, in theory, it could be made more secure than what you have on premise. If you’re turning it over to the very best of the very best, they can do a lot more things than you can in terms of protecting it, particularly if you’re a smaller business.

If you look to the large-scale banks and people with health records and that sort of thing that really have to be ultra-secure, they’re not going to do this yet, because the procedures are not really set up to their specs yet. That may likely come in the future. But, cloud security, in my opinion, is not there yet. So that’s a mixed blessing.

Radical steps

You need to think strategically about this, and that includes some pretty radical steps. There are those who say there are two types of companies out there — those that have been hacked and those that don’t know that they’ve been hacked.

Everybody needs to take a look at this stuff beyond their immediate corporate needs and think about where we’re heading as a society. And to the extent that people are already expert in the stuff or can become expert in this stuff, they need to share that knowledge, and that will often mean, saying “Yes, we got hacked” publicly, but it also means educating those around them about the severity of the threat.

One of the reasons I wrote my book, and spent years doing it, is not because I felt that I could tell every senior executive what they needed to do. I wanted to educate a broader audience, because there are some pretty smart people, even in Washington, who have known about this for years and have been unable to do anything about it. We haven’t really passed anything that’s substantial in terms of legislation.

As a matter of political philosophy, I feel that if enough people on the street realize what’s going on, then quite often leaders will get in front of them and at least attempt to do the right thing. Senior executives should be thinking about educating their customers, their peers, the general public, and Washington to make sure that the stuff that passes isn’t as bad as it might otherwise be.

************

If you are interested in attending The Open Group’s upcoming conference, please register here: http://www3.opengroup.org/event/open-group-conference-san-francisco/registration

Dana Gardner is president and principal analyst at Interarbor Solutions, an enterprise IT analysis, market research, and consulting firm. Gardner, a leading identifier of software and cloud productivity trends and new IT business growth opportunities, honed his skills and refined his insights as an industry analyst, pundit, and news editor covering the emerging software development and enterprise infrastructure arenas for the last 18 years.

Filed under Cloud, Cybersecurity, Information security, Security Architecture

The Open Group Announces New Information Security Management Standard: O-ISM3

By Jim Hietala, The Open Group

The Open Group yesterday announced the approval of a new standard in information security, O-ISM3. This standard, which derives its name from The Open Group Information Security Management Maturity Model, aims to help information security managers and practitioners to more effectively manage information security. Information security management is one of two focus areas for The Open Group Security Forum (security architecture being the other).

The development of the O-ISM3 standard has been in process in the Security Forum for the past 18 months. Like all Open Group standards, O-ISM3 was developed through an open, consensus-based process. The O-ISM3 standard leverages work previously done by the ISM3 consortium to produce the ISM3 version 2.3 document.

O-ISM3 brings some fresh thinking to information security management. O-ISM3:

  • Provides a framework to align security objectives and security targets to overall business objectives
  • Delivers a much-needed continuous improvement approach to the management of information security
  • Expresses security outcomes in positive terms

O-ISM3 can be implemented as a top-down methodology to manage an entire information security program, or it can be deployed more tactically, starting with just a few information security processes. As such, it can deliver value to information security organizations of varying sizes, maturity levels, and in different industries.

The O-ISM3 standard is available free on The Open Group website (registration required), and on Kindle. The standard provides an approach which is complementary to ISO 27001/2, as well as to ITIL and COBIT.

The Open Group is conducting a series of webcasts on the O-ISM3 standard in April and May. Details and registration may be found here.

Many thanks to the many members of The Open Group who worked hard over the past 18 months to make O-ISM3 a reality. Many had a hand in developing O-ISM3 in the Security Forum, and I thank them all; however, I would be remiss if I did not recognize the leadership of workgroup chair Vicente Aceituno, who brought this work to The Open Group, and who has continued to work tirelessly to make O-ISM3 an important standard for information security.

The working group will in the coming months be developing maturity levels for O-ISM3, and exploring certification programs. If you have interest in O-ISM3 and these future developments, please contact us at ogsecurity-interest@opengroup.org and we will help you get involved.

Jim Hietala: An IT security industry veteran, Jim is Vice President of Security at The Open Group, where he is responsible for security programs and standards activities. He holds the CISSP and GSEC certifications. Jim is based in the U.S.

Filed under Information security, Standards

Looking back at Day One in Chennai: The Open Group India Conference

By Raghuraman Krishnamurthy, Cognizant Technology Solutions

The Open Group India Conference in Chennai Monday was well-attended with a lot of interesting topics covering EA and Cloud. The choice of topics and the order of presentation ensured continued interest throughout the day; distinguished speakers across the industry shared their views. The morning session featured speakers covering topics like Global Architecture Trends, EA as a Platform for Connected Governments, Federated Cloud Computing, Information Security, and How Cloud is Transforming Business. There were two tracks post-lunch: one for Cloud and one for EA.

There were two panel discussions. I attended the panel discussion about ‘Should CIOs Manage the Enterprise Architecture Initiative?’. The panelists debated about the pros and cons. One sentiment that emerged was that much depends on the type of organization, the maturity level of the organization and the personality of the CIO. The lively debate touched topics such as permeation of IT across the divisions of enterprise: how IT is no longer an enabler but the critical component for conducting business itself. Thought-provoking discussions ensued on how the role of CIO is continuously changing from managing IT to contributing to business strategy. The moderator threw out an interesting dimension that no longer is the CIO the Chief Information Officer, but increasingly Chief Innovation Officer. This resonated well with the audience and the panelists.

I am glad that my talk on ‘Reorienting EA’ found a great deal of resonance in some of the earlier presentations. The need to cultivate Symphonic thinking and the ability to see connections was one of the main points of the presentation. The focus was on the pharmaceutical sector and how the flat world trends are influencing the EA. I am enriched by this experience on two counts: By sharing my thoughts with the distinguished audience I have gained deeper appreciation of my topic; and by listening to the great presentations.

The Open Group India Conference is underway this week; it will next travel to Hyderabad (March 9) and Pune (March 11). Join us for best practices and case studies in the areas of Enterprise Architecture, Security, Cloud and Certification, presented by preeminent thought leaders in the industry.

Raghuraman Krishnamurthy works as a Principal Architect at Cognizant Technology Solutions and is based in India. He can be reached at Raghuraman.krishnamurthy2@cognizant.com.

Filed under Cloud/SOA, Enterprise Architecture

PODCAST: Impact of Security Issues on Doing Business in 2011 And Beyond

By Dana Gardner, Interarbor Solutions

Listen to this recorded podcast here: BriefingsDirect-The Open Group Conference Cyber Security Panel

The following is the transcript of a sponsored podcast panel discussion on how enterprises need to change their thinking to face cyber threats, from The Open Group Conference, San Diego 2011.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we present a sponsored podcast discussion in conjunction with The Open Group Conference, held in San Diego in the week of February 7, 2011. We’ve assembled a panel to examine the business risk around cyber security threats.

Looking back over the past few years, it seems like threats are only getting worse. We’ve had the Stuxnet worm, the WikiLeaks affair, China-originating attacks against Google and others, and the recent Egypt Internet blackout. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

But, are cyber security dangers, in fact, getting much worse or rather perceptions that are at odds with what is really important in terms of security? In any event, how can businesses best protect themselves from the next round of risks, especially as Cloud, mobile, and social media activities increase? How can architecting for security become effective and pervasive? We’ll pose these and other serious questions to our panel to deeply examine the cyber business risks and ways to head them off.

Please join me now in welcoming our panel, we’re here with Jim Hietala, the Vice President of Security at The Open Group. Welcome back, Jim.

Jim Hietala: Hi, Dana. Good to be with you.

Gardner: And, we’re here with Mary Ann Mezzapelle, Chief Technologist in the CTO’s Office at HP. Welcome.

Mary Ann Mezzapelle: Thank you, Dana.

Gardner: We’re also here with Jim Stikeleather, Chief Innovation Officer at Dell Services. Welcome, Jim.

Jim Stikeleather: Thank you, Dana. Glad to be here.

Gardner: As I mentioned, there have been a lot of things in the news about security. I’m wondering, what are the real risks that are worth being worried about? What should you be staying up late at night thinking about, Jim?

Stikeleather: Pretty much everything, at this time. One of the things that you’re seeing is a combination of factors. When people are talking about the break-ins, you’re seeing more people actually having discussions of what’s happened and what’s not happening. You’re seeing a new variety of the types of break-ins, the type of exposures that people are experiencing. You’re also seeing more organization and sophistication on the part of the people who are actually breaking in.

The other piece of the puzzle has been that legal and regulatory bodies step in and say, “You are now responsible for it.” Therefore, people are paying a lot more attention to it. So, it’s a combination of all these factors that are keeping people up right now.

Gardner: Is it correct, Mary Ann, to say that it’s not just a risk for certain applications or certain aspects of technology, but it’s really a business-level risk?

Key component

Mezzapelle: That’s one of the key components that we like to emphasize. It’s about empowering the business, and each business is going to be different.

If you’re talking about a Department of Defense (DoD) military implementation, that’s going to be different than a manufacturing concern. So it’s important that you balance the risk, the cost, and the usability to make sure it empowers the business.

Gardner: How about complexity, Jim Hietala? Is that sort of an underlying current here? We now think about the myriad mobile devices, moving applications to a new tier, native apps for different platforms, more social interactions that are encouraging collaboration. This is good, but just creates more things for IT and security people to be aware of. So how about complexity? Is that really part of our main issue?

Hietala: It’s a big part of the challenge, with changes like you have mentioned on the client side, with mobile devices gaining more power, more ability to access information and store information, and cloud. On the other side, we’ve got a lot more complexity in the IT environment, and much bigger challenges for the folks who are tasked for securing things.

Gardner: Just to get a sense of how bad things are, Jim Stikeleather, on a scale of 1 to 10 — with 1 being you’re safe and sound and you can sleep well, and 10 being all the walls of your business are crumbling and you’re losing everything — where are we?

Stikeleather: Basically, it depends on who you are and where you are in the process. A major issue in cyber security right now is that we’ve never been able to construct an intelligent return on investment (ROI) for cyber security.

There are two parts to that. One, we’ve never been truly able to gauge how big the risk really is. So, for one person it maybe a 2, and most people it’s probably a 5 or a 6. Some people may be sitting there at a 10. But, you need to be able to gauge the magnitude of the risk. And, we never have done a good job of saying what exactly the exposure is or if the actual event took place. It’s the calculation of those two that tell you how much you should be able to invest in order to protect yourself.

So, I’m not really sure it’s a sense of exposure the people have, as people don’t have a sense of risk management — where am I in this continuum and how much should I invest actually to protect myself from that?

We’re starting to see a little bit of a sea change, because starting with HIPAA-HITECH in 2009, for the first time, regulatory bodies and legislatures have put criminal penalties on companies who have exposures and break-ins associated with them.

So we’re no longer talking about ROI. We’re starting to talk about risk of incarceration, and that changes the game a little bit. You’re beginning to see more and more companies do more in the security space — for example, having a Sarbanes-Oxley event notification to take place.

The answer to the question is that it really depends, and you almost can’t tell, as you look at each individual situation.

Gardner: Mary Ann, it seems like assessment then becomes super-important. In order to assess your situation, you can start to then plan for how to ameliorate it and/or create a strategy to improve, and particularly be ready for the unknown unknowns that are perhaps coming down the pike. When it comes to assessment, what would you recommend for your clients?

Comprehensive view

Mezzapelle: First of all we need to make sure that they have a comprehensive view. In some cases, it might be a portfolio approach, which is unique to most people in a security area. Some of my enterprise customers have more than 150 different security products that they’re trying to integrate.

Their issue is around complexity, integration, and just knowing their environment — what levels they are at, what they are protecting and not, and how does that tie to the business? Are you protecting the most important asset? Is it your intellectual property (IP)? Is it your secret sauce recipe? Is it your financial data? Is it your transactions being available 24/7?

And, to Jim’s point, that makes a difference depending on what organization you’re in. It takes some discipline to go back to that InfoSec framework and make sure that you have that foundation in place, to make sure you’re putting your investments in the right way.

Stikeleather: One other piece of it is requiring an increased amount of business knowledge on the part of the IT group and the security group to be able to make the assessment of where is my IP, which is my most valuable data, and what do I put the emphasis on.

One of the things that people get confused about is, depending upon which analyst report you read, most data is lost by insiders, most data is lost from external hacking, or most data is lost through email. It really depends. Most IP is lost through email and social media activities. Most data, based upon a recent Verizon study, is being lost by external break-ins.

We’ve kind of always had the one-size-fits-all mindset about security. When you move from just “I’m doing security” to “I’m doing risk mitigation and risk management,” then you have to start doing portfolio and investment analysis in making those kinds of trade-offs.

That’s one of the reasons we have so much complexity in the environment, because every time something happens, we go out, we buy any tool to protect against that one thing, as opposed to trying to say, “Here are my staggered differences and here’s how I’m going to protect what is important to me and accept the fact nothing is perfect and some things I’m going to lose.”

Gardner: Perhaps a part of having an assessment of where you are is to look at how things have changed, Jim Hietala, thinking about where we were three or four years ago, what is fundamentally different about how people are approaching security and/or the threats that they are facing from just a few years ago?

Hietala: One of the big things that’s changed that I’ve observed is, if you go back a number of years, the sorts of cyber threats that were out there were curious teenagers and things like that. Today, you’ve got profit-motivated individuals who have perpetrated distributed denial of service attacks to extort money. Now, they’ve gotten more sophisticated and are dropping Trojan horses on CFOs’ machines and trying to exfiltrate passwords and log-ins to the bank accounts.

We had a case that popped up in our newspaper in Colorado, where a mortgage company, a title company, lost a million dollars’ worth of mortgage money, loans that were in the process of funding. All of a sudden, five homeowners are faced with paying two mortgages, because there was no insurance against that.

When you read through the details of what happened, it was clearly a Trojan horse that had been put on this company’s system. Somebody was able to walk off with a million dollars’ worth of these people’s money.

State-sponsored acts

So you’ve got profit-motivated individuals on the one side, and you’ve also got some things happening from another part of the world that look like they’re state-sponsored, grabbing corporate IP and defense industry and government sites. So, the motivation of the attackers has fundamentally changed and the threat really seems pretty pervasive at this point.

Gardner: Pervasive threat. Is that how you see it, Jim Stikeleather?

Stikeleather: I agree. The threat is pervasive. The only secure computer in the world right now is the one that’s turned off in a closet, and that’s the nature of it. You have to make decisions about what you’re putting on and where you’re putting it on. It’s a big concern that if we don’t get better with security, we run the risk of people losing trust in the Internet and trust in the web.

When that happens, we’re going to see some really significant global economic concerns. If you think about our economy, it’s structured around the way the Internet operates today. If people lose trust in the transactions that are flying across it, then we’re all going to be in a pretty bad world of hurt.

Gardner: All right, well I am duly scared. Let’s think about what we can start doing about this. How should organizations rethink security? And is that perhaps the way to do this, Mary Ann? If you say, “Things have changed. I have to change, not only in how we do things tactically, but really at that high level strategic level,” how do you rethink security properly now?

Mezzapelle: It comes back to one of the bottom lines about empowering the business. Jim talked about having that balance. It means that not only do the IT people need to know more about the business, but the business needs to start taking ownership for the security of their own assets, because they are the ones that are going to have to bear the loss, whether it’s data, financial, or whatever.

They need to really understand what that means, but we as IT professionals need to be able to explain what that means, because it’s not common sense. We need to connect the dots and we need to have metrics. We need to look at it from an overall threat point of view, and it will be different based on what your company is about.

You need to have your own threat model, who you think the major actors would be and how you prioritize your money, because it’s an unending bucket that you can pour money into. You need to prioritize.

Gardner: How would this align with your other technology and business innovation activities? If you’re perhaps transforming your business, if you’re taking more of a focus at the process level, if you’re engaged with enterprise architecture and business architecture, is security a sideline, is it central, does it come first? How do you organize what’s already fairly complex in security with these other larger initiatives?

Mezzapelle: The way that we’ve done that is we’ve had a multi-pronged approach. We communicate with and educate the software developers, so that they start taking ownership for security in their software products, and we make sure that that gets integrated into every part of the portfolio.

The other part is to have that reference architecture, so that there are common services that are available to the other services as they are being delivered, and so that we can, if not control it, at least manage it from a central place.

You were asking about how to pay for it. It’s like Transformation 101. Most organizations spend about 80 percent of their spend on operations. And so they really need to look at their operational spend and reduce that cost to be able to fund the innovation part.

Getting benchmarks

It may not be in security. You may not be spending enough in security. There are several organizations that will give you some kind of benchmark about what other organizations in your particular industry are spending, whether it’s 2 percent on the low end for manufacturing up to 10-12 percent for financial institutions.

That can give you a guideline as to where you should start trying to move to. Sometimes, if you can use automation within your other IT service environment, for example, that might free up the cost to fuel that innovation.

Stikeleather: Mary Ann makes a really good point. The starting point is really architecture. We’re actually at a tipping point in the security space, and it comes from what’s taking place in the legal and regulatory environments, with more and more laws being applied to privacy, IP, jurisdictional data location, and a whole series of things that the regulators and the lawyers are putting on us.

One of the things I ask people, when we talk to them, is what is the one application everybody in the world, every company in the world has outsourced. They think about it for a minute, and they all go payroll. Nobody does their own payroll any more. Even the largest companies don’t do their own payroll. It’s not because it’s difficult to run payroll. It’s because you can’t afford all of the lawyers and accountants necessary to keep up with all of the jurisdictional rules and regulations for every place that you operate in.

Data itself is beginning to fall under those types of constraints. In a lot of cases, it’s medical data. For example, Massachusetts just passed a major privacy law. PCI is being extended to anybody who takes credit cards.

The security issue is now also a data governance and compliance issue as well. So, because all these adjacencies are coming together, it’s a good opportunity to sit down and architect with a risk management framework. How am I going to deal with all of this information?

Plus you have additional funding capabilities now, because with compliance violations you can actually identify what the ROI is for avoiding that. The real key to me is people stepping back and saying, “What is my business architecture? What is my risk profile associated with it? What’s the value associated with that information? Now, engineer my systems to follow that.”

Mezzapelle: You need to be careful that you don’t equate compliance with security. There are a lot of organizations that are good at compliance checking, but that doesn’t mean that they are really protecting against their most vulnerable areas, or what might be the largest threat. That’s just a letter of caution — you need to make sure that you are protecting the right assets.

Gardner: It’s a cliché, but people, process, and technology are also very important here. It seems to me that governance would be an overriding feature of bringing those into some alignment.

Jim Hietala, how should organizations approach these issues with a governance mindset? That is to say, following procedures, enforcing those procedures, looking at and reviewing them, and then putting into place the means by which security becomes in fact part-and-parcel of doing business?

Risk management

Hietala: I guess I’d go back to the risk management issue. That’s something that I think organizations frequently miss. There tends to be a lot of tactical security spending based upon the latest widget, the latest perceived threat — buy something, implement it, and solve the problem.

Taking a step back from that and really understanding what the risks are to your business, and what the impacts of bad things happening really are, is doing a proper risk analysis. Risk assessment is what ought to drive decision-making around security. That’s a fundamental thing that gets lost a lot in organizations that are trying to grapple with the security problems.

Gardner: Jim Stikeleather, any thoughts about governance as an important aspect to this?

Stikeleather: Governance is a critical aspect. The other piece of it is education. There’s an interesting fiction in both law and finance. The fiction of the reasonable, rational, prudent man. If you’ve done everything a reasonable, rational and prudent person has done, then you are not culpable for whatever the event was.

I don’t think we’ve done a good job of educating our users, the business, and even some of the technologists on what the threats are, and what are reasonable, rational, and prudent things to do. One of my favorite things is the companies that make you change your password every month, and you can’t repeat a password for 16 or 24 times. The end result is that you get this little thing stuck on the notebook telling them exactly what the password is.

So, it’s governance, but it’s also education on top of governance. We teach our kids not to cross the street in the middle of the road and don’t talk to strangers. Well, we haven’t quite created that same thing for cyberspace. Governance plus education may even be more important than the technological solutions.

Gardner: One sort of push-back on that is that the rate of change is so rapid and the nature of the risks can be so dynamic, how does one educate? How you keep up with that?

Stikeleather: I don’t think that it’s necessary. The technical details of the risks are changing rapidly, but the nature of the risks themselves, the higher level of the taxonomy, is not changing all that much.

If you just introduce safe practices so to speak, then you’re protected up until someone comes up with a totally new way of doing things, and there really hasn’t been a lot of that. Everything has been about knowing that you don’t put certain data on the system, or if you do, this data is always encrypted. At the deep technical details, yes, things change rapidly. At the level with which a person would exercise caution, I don’t think any of that has changed in the last ten years.

Gardner: We’ve now entered into the realm of behaviors and it strikes me also that it’s quite important and across the board. There are behaviors at different levels of the organization. Some of them can be good for ameliorating risk and others would be very bad and prolonged. How do you incentivize people? How do you get them to change their behavior when it comes to security, Mary Ann?

Mezzapelle: The key is to make it personalized to them or their job, and part of that is the education as Jim talked about. You also show them how it becomes a part of their job.

Experts don’t know

I have a little bit different view: it is so complex that even security professionals don’t always know what the reasonable right thing to do is. So, I think it’s very unreasonable for us to expect that of our business users, or consumers, or, as I like to say, my mom. I use her as a use case quite a lot of times: what would she do, how would she react, and would she recognize when she clicked on, “Yes, I want to download that antivirus program,” which just happened to be a virus program.

Part of it is the awareness so that you keep it in front of them, but you also have to make it a part of their job, so they can see that it’s a part of the culture. I also think it’s a responsibility of the leadership to not just talk about security, but make it evident in their planning, in their discussions, and in their viewpoints, so that it’s not just something that they talk about but ignore operationally.

Gardner: One other area I want to touch on is the notion of cloud computing, doing more outsourced services, finding a variety of different models that extend beyond your enterprise facilities and resources.

There’s quite a bit of back and forth about, is cloud better for security or worse for security? Can I impose more of these automation and behavioral benefits if I have a cloud provider or a single throat to choke, or is this something that opens up? I’ve got a sneaking suspicion I am going to hear “It depends” here, Jim Stikeleather, but I am going to go with you anyway. Cloud: I can’t live with it, can’t live without it. How does it work?

Stikeleather: You’re right, it depends. I can argue both sides of the equation. On one side, I’ve argued that cloud can be much more secure. If you think about it, and I will pick on Google, Google can expend a lot more on security than any other company in the world, probably more than the federal government will spend on security. The amount of investment does not necessarily tie to a quality of investment, but one would hope that they will have a more secure environment than a regular company will have.

On the flip side, there are more tantalizing targets. Therefore they’re going to draw more sophisticated attacks. I’ve also argued that you have a statistical probability of break-in. If somebody is trying to break into Google, and you’re on Google running Google Apps or something like that, the probability of them getting your specific information is much less than if they attack XYZ enterprise. If they break in there, they are going to get your stuff.

Recently I was meeting with a lot of NASA CIOs and they think that the cloud is actually probably a little bit more secure than what they can do individually. On the other side of the coin it depends on the vendor. I’ve always admired astronauts, because they’re sitting on top of this explosive device built by the lowest-cost provider. I’ve always thought that took more bravery than anybody could think of. So the other piece of that puzzle is how much is the cloud provider actually providing in terms of security.

You have to do your due diligence, like with everything else in the world. I believe, as we move forward, cloud is going to give us an opportunity to reinvent how we do security.

I’ve often argued that a lot of what we are doing in security today is fighting the last war, as opposed to fighting the current war. Cloud is going to introduce some new techniques and new capabilities. You’ll see more systemic approaches, because somebody like Google can’t afford to put in 150 different types of security. They will put in one, more integrated. They will put in, to Mary Ann’s point, the control panels and everything that we haven’t seen before.

So, you’ll see better security there. However, in the interim, a lot of the software-as-a-service (SaaS) providers, and some of the simpler platform-as-a-service (PaaS) providers, haven’t made that kind of investment. You’re probably not as secure in those environments.

Gardner: Mary Ann, do you also see cloud as a catalyst to a better security either from technology process or implementation?

Lowers the barrier

Mezzapelle: For the small and medium size business it offers the opportunity to be more secure, because they don’t necessarily have the maturity of processes and tools to be able to address those kinds of things. So, it lowers that barrier to entry for being secure.

For enterprise customers, cloud solutions need to develop and mature more. They may want to go with a hybrid solution right now, where they have more control and the ability to audit and to have more influence over things in specialized contracts, which are not usually the business model for cloud providers.

I would disagree with Jim in some aspects. Just because there is a large provider on the Internet that’s creating a cloud service, security may not have been the key guiding principle in developing a low-cost or free product. So, size doesn’t always mean secure.

You have to know about it, and that’s where the sophistication of the business user comes in, because cloud is being bought by the business user, not by the IT people. That’s another component that we need to make sure gets incorporated into the thinking.

Stikeleather: I am going to reinforce what Mary Ann said. What’s going on in cloud space is almost a recreation of the late ’70s and early ’80s when PCs came into organizations. It’s the businesspeople that are acquiring the cloud services and again reinforces the concept of governance and education. They need to know what is it that they’re buying.

I absolutely agree with Mary. I didn’t mean to imply size means more security, but I do think that the expectation, especially for small and medium size businesses, is they will get a more secure environment than they can produce for themselves.

Gardner: Jim Hietala, we’re hearing a lot about frameworks, and governance, and automation. Perhaps even labeling individuals with responsibility for security and we are dealing with some changeable dynamics that move to cloud and issues around cyber security in general, threats from all over. What is The Open Group doing? It sounds like a huge opportunity for you to bring some clarity and structure to how this is approached from a professional perspective, as well as a process and framework perspective?

Hietala: It is a big opportunity. There are a number of different groups within The Open Group doing work in various areas. The Jericho Forum is tackling identity issues as it relates to cloud computing. There will be some new work coming out of them over the next few months that lay out some of the tough issues there and present some approaches to those problems.

We also have the Trusted Technology Forum (TTF) and the Trusted Technology Provider Framework (TTPF) that are being announced here at this conference. They’re looking at supply chain issues related to IT hardware and software products at the vendor level. It’s very much an industry-driven initiative and will benefit government buyers, as well as large enterprises, in terms of providing some assurance of products they’re procuring are secure and good commercial products.

Also in the Security Forum, we have a lot of work going on in security architecture and information security management. There are a number of projects that are aimed at practitioners, providing them the guidance they need to do a better job of securing, whether it’s a traditional enterprise IT environment, cloud, and so forth. Our Cloud Computing Work Group is doing work on a cloud security reference architecture. So, there are a number of different security activities going on in The Open Group related to all this.

Gardner: What have you seen in a field in terms of a development of what we could call a security professional? We’ve seen Chief Security Officer, but is there a certification aspect to identifying people as being qualified to step in and take on some of these issues?

Certification programs

Hietala: There are a number of certification programs for security professionals that exist out there. There was legislation, I think last year, that was proposed that was going to put some requirements at the federal level around certification of individuals. But, the industry is fairly well-served by the existing certifications that are out there. You’ve got CISSP, you’ve got a number of certification from SANS and GIAC that get fairly specialized, and there are lots of opportunities today for people to go out and get certifications in improving their expertise in a given topic.

Gardner: My last question will go to you on this same issue of certification. If you’re on the business side and you recognize these risks and you want to bring in the right personnel, what would you look for? Is there a higher level of certification or experience? How do you know when you’ve got a strategic thinker on security, Mary Ann?

Mezzapelle: The background that Jim talked about: CISSP, and CSSLP from (ISC)2; there is also the CISM, or Certified Information Security Manager, which is from an audit point of view. But I don’t think there’s a certification that’s going to tell you that they’re a strategic thinker. I started out as a technologist, but it’s that translation to the business and it’s that strategic planning, but applying it to a particular area and really bringing it back to the fundamentals.

Gardner: Does this become then part of enterprise architecture (EA)?

Mezzapelle: It is a part of EA, and, as Jim talked about, we’ve done some work in The Open Group with the Information Security Management model that extends some other business frameworks like ITIL into the security space to have a little more specificity there.

Gardner: Last word to you, Jim Stikeleather, on this issue of how do you get the right people in the job and is this something that should be part and parcel with the enterprise or business architect?

Stikeleather: I absolutely agree with what Mary Ann said. It’s like a CPA. You can get a CPA and they know certain things, but that doesn’t guarantee that you’ve got a businessperson. That’s where we are with security certifications as well. They give you a comfort level that the fundamental knowledge of the issues and the techniques and stuff are there, but you still need someone who has experience.

At the end of the day it’s the incorporation of everything into EA, because you can’t bolt on security. It just doesn’t work. That’s the situation we’re in now. You have to think in terms of the framework of the information that the company is going to use, how it’s going to use it, the value that’s associated with it, and that’s the definition of EA.

Gardner: Well, great. We have been discussing the business risk around cyber security threats and how to perhaps position yourself to do a better job and anticipate some of the changes in the field. I’d like to thank our panelists. We have been joined by Jim Hietala, Vice President of Security for The Open Group. Thank you, Jim.

Hietala: Thank you, Dana.

Gardner: Mary Ann Mezzapelle, Chief Technologist in the Office of the CTO for HP. Thank you.

Mezzapelle: Thanks, Dana.

Gardner: And lastly, Jim Stikeleather, Chief Innovation Officer at Dell Services. Thank you.

Stikeleather: Thank you, Dana.

Gardner: This is Dana Gardner. You’ve been listening to a sponsored BriefingsDirect podcast in conjunction with The Open Group Conference here in San Diego, the week of February 7th, 2011. I want to thank all for joining and come back next time.

Copyright The Open Group and Interarbor Solutions, LLC, 2005-2011. All rights reserved.

Dana Gardner is the Principal Analyst at Interarbor Solutions, which identifies and interprets the trends in Services-Oriented Architecture (SOA) and enterprise software infrastructure markets. Interarbor Solutions creates in-depth Web content and distributes it via BriefingsDirect blogs, podcasts and video-podcasts to support conversational education about SOA, software infrastructure, Enterprise 2.0, and application development and deployment strategies.

Filed under Cybersecurity

What’s the future of information security?

Today, Jan. 28, is Data Privacy Day around the world. While it’s meant to bring attention to personal privacy, it’s also a good time to think about organizational and global challenges relating to data security.

What is your organization’s primary cybersecurity challenge? Read on to learn about some of The Open Group’s resources for security professionals.

The Open Group has several active working groups and forums dealing with various areas of information security. If your organization is in need of guidance or fresh thinking on information security challenges, we invite you to check out some of these security resources (all of which may be accessed at no charge):

  • The Open Group Jericho Forum®. Many useful guidance documents on topics including the Jericho Commandments (design principles), de-perimeterization, cloud security, secure collaboration, and identity management are available on The Open Group website.
  • Many of the Jericho Forum® members share their thoughts on a blog hosted by Computerworld UK.
  • The Open Group Security Forum: Access a series of documents on the topic of risk management published by the Security Forum over the past couple of years. These include the Risk Management Taxonomy Technical Standard, Requirements for Risk Assessment Methodologies, and the FAIR / ISO 27005 Cookbook. These and other useful publications may be accessed by searching for subject = security on our website’s publications page.

Cybersecurity will be a major topic at The Open Group Conference, San Diego, Feb. 7-11. Join us for plenary sessions on security, security-themed tracks, best practices, case studies and the future of information security, presented by preeminent thought leaders in the industry.

Filed under Cybersecurity, Information security

Underfunding IT security programs

By Jim Hietala, The Open Group

A news story in my local newspaper caught my eye today. State fails “hacker” test was the headline. The state of Colorado (U.S.) hired an outside security assessment firm to perform penetration tests across various state agency IT infrastructure.

The findings from the assessment firm were sadly predictable. The pen testers were able to find their way into many state networks and IT systems, and they found many instances of common security problems, including easily guessable logins and passwords, system default passwords that were never changed, and systems that were never hardened and had unnecessary ports open and services running. The assessment firm was able to access lots of private data and personally identifiable information. The story also had predictable comments from lawmakers expressing indignation at the sorry state of security for Colorado’s IT systems.
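The three finding classes above (guessable passwords, unchanged vendor defaults, and services a host has no business exposing) are all things a system owner can check for before an outside firm does. As an added example that is not part of this post or of the state’s assessment, the Python below runs those checks over a host inventory. The default-credential table, the common-password list, the per-role port allowlist and the inventory itself are all constructed for illustration and would be replaced with an organization’s own data.

```python
"""Hardening audit over a constructed host inventory.

Flags the three finding classes from the Colorado assessment: guessable
passwords, unchanged vendor defaults, and listening services a host's
role does not need. All inventory data, default-credential entries and
port allowlists below are constructed for the example.
"""
import re

# Constructed table of vendor-default (service, username, password) triples.
DEFAULT_CREDENTIALS = {
    ("ssh", "root", "toor"),
    ("mysql", "root", ""),
    ("web-admin", "admin", "admin"),
    ("snmp", "public", "public"),
}

# Constructed list of commonly guessed passwords.
COMMON_PASSWORDS = {"password", "123456", "welcome1", "letmein", "changeme"}

# Ports each role legitimately needs to expose; anything else is "unnecessary".
ROLE_ALLOWED_PORTS = {
    "web": {22, 443},
    "database": {22, 3306},
}


def password_is_weak(username, password):
    """Cheap guessability checks; policy tests only, no wordlist cracking."""
    if not password:
        return True
    if password.lower() in COMMON_PASSWORDS:
        return True
    if password.lower() == username.lower():
        return True
    if len(password) < 12:
        return True
    # Fewer than three character classes (lower, upper, digit, symbol) is guessable.
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return classes < 3


def audit_host(host):
    """Return a list of (host, port, finding) tuples for one inventory entry."""
    findings = []
    allowed = ROLE_ALLOWED_PORTS.get(host["role"], set())
    for svc in host["services"]:
        port, name = svc["port"], svc["service"]
        if port not in allowed:
            findings.append((host["name"], port, f"unnecessary service {name}"))
        for user, pw in svc.get("accounts", []):
            if (name, user, pw) in DEFAULT_CREDENTIALS:
                findings.append((host["name"], port, f"default credential {user}"))
            elif password_is_weak(user, pw):
                findings.append((host["name"], port, f"weak password for {user}"))
    return findings


def audit_inventory(inventory):
    """Run audit_host over every entry and concatenate the findings."""
    findings = []
    for host in inventory:
        findings.extend(audit_host(host))
    return findings


# Constructed inventory: two hosts showing the kinds of problems the assessment reported.
SAMPLE_INVENTORY = [
    {
        "name": "web01", "role": "web",
        "services": [
            {"port": 22, "service": "ssh", "accounts": [("deploy", "Tr0ub4dor&3x!")]},
            {"port": 443, "service": "https"},
            {"port": 8080, "service": "web-admin", "accounts": [("admin", "admin")]},
            {"port": 23, "service": "telnet", "accounts": [("operator", "welcome1")]},
        ],
    },
    {
        "name": "db01", "role": "database",
        "services": [
            {"port": 22, "service": "ssh", "accounts": [("root", "toor")]},
            {"port": 3306, "service": "mysql", "accounts": [("app", "C0rrect-Horse-Battery")]},
            {"port": 161, "service": "snmp", "accounts": [("public", "public")]},
        ],
    },
]

if __name__ == "__main__":
    for host, port, finding in audit_inventory(SAMPLE_INVENTORY):
        print(f"{host}:{port}  {finding}")
```

Against the constructed inventory the audit reports seven findings: the admin console and telnet on web01 and SNMP on db01 as unnecessary services, three unchanged vendor defaults, and one common password. The point of keeping the checks this plain is that none of them needs a $40M program to run; they are the same things the outside pen testers found first.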

The real story, however, was buried in the article. The state agency in Colorado that was tasked with securing state IT systems estimated that the cost of implementing an adequate cybersecurity plan across all state IT systems would be $40M… and the office had a budget of $400K! Is it any wonder they failed their security audit? For every $100 that they need to perform the job adequately, the IT security professionals are getting a whopping $1 to implement their security plans and controls.

With the present economic climate, I’d guess most governmental entities (and probably a lot of businesses as well) are in a similar situation: They don’t have the tax revenues to adequately fund IT security, and therefore can’t effectively protect access to information.

The “reality disconnect” here is that in the U.S., at least 45 of the 50 states have passed something similar to the groundbreaking California data privacy law, SB1386. It calls to mind that old hypocritical saying from parents to children, “Do as we say, not as we do”.

I talk with and work with many security professionals, and I rarely hear one say that things are getting better on the threat side of information security.  Underfunding IT security programs is a recipe for disaster.

Situations like this also point towards the need for better alignment of security controls with business objectives, and increased use of metrics in information security. The Open Group’s Security Forum is working on initiatives in this area… Watch this space for announcements of standards that security practitioners will find useful in driving more effective information security management.

Jim Hietala, an IT security industry veteran, is Vice President of Security at The Open Group, where he is responsible for security programs and standards activities. He holds the CISSP and GSEC certifications. Jim is based in the U.S.

Cybersecurity will be a topic of discussion at The Open Group Conference, San Diego, Feb. 7-11. Join us for best practices, case studies and the future of information security, presented by preeminent thought leaders in the industry.

Filed under Cybersecurity

Security & architecture: Convergence, or never the twain shall meet?

By Jim Hietala, The Open Group

Our Security Forum chairman, Mike Jerbic, introduced a concept to The Open Group several months ago that is worth thinking a little about. Oversimplifying his ideas a bit, the first point is that much of what’s done in architecture is about designing for intention — that is, thinking about the intended function and goals of information systems, and architecting with these in mind. His second related point has been that in information security management, much of what we do tends to be reactive, and tends to be about dealing with the unintended consequences (variance) of poor architectures and poor software development practices. Consider a few examples:

Signature-based antivirus, which relies upon malware being seen in the wild, captured, and having signatures distributed to A/V software around the world to pattern match and stop the specific attack. Highly reactive. The same is true for signature-based IDS/IPS, and for anomaly-based systems as well.

Data Loss (or Leak) Prevention, which for the most part tries to spot sensitive corporate information being exfiltrated from a corporate network. Also very reactive.

Vulnerability management, which is almost entirely reactive. The cycle of “Scan my systems, find vulnerabilities, patch or remediate, and repeat” exists entirely to find the weak spots in our environments. This cycle almost ensures that more variance will be headed our way in the future, as each new patch potentially brings with it uncertainty and variance in the form of new bugs and vulnerabilities.

The fact that each of these security technology categories even exists has everything to do with poor architectural decisions made in years gone by, or inadequate ongoing software development and Q/A practices.
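The reactive cycle in the first example above, as an added illustration that is not from this post and uses no real malware: the Python below applies the two signature forms an A/V or IDS engine relies on, a whole-file hash and a byte pattern, to a constructed sample and to two constructed variants of it. The sample bytes, the signature names and the XOR key are all assumptions made for the example.

```python
"""Signature matching over constructed samples, to show why it is reactive.

Two signature forms that A/V and IDS engines use: a whole-file hash and a
byte pattern. Each catches exactly what it was written from; a one-byte
change defeats the hash, and re-encoding the payload string defeats the
pattern, until the next signature is written. Every sample here is
constructed for the example; nothing is real malware.
"""
import hashlib
import re

# Constructed "known bad" sample: a fake executable header plus a marker string.
HEADER = b"MZ\x90\x00" + b"\x00" * 8
PAYLOAD = b"cmd.exe /c whoami"
KNOWN_SAMPLE = HEADER + PAYLOAD + b"\x00" * 4


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


# Signature database as it looks after KNOWN_SAMPLE was captured and analysed.
HASH_SIGNATURES = {sha256_hex(KNOWN_SAMPLE): "Trojan.Constructed.A"}
PATTERN_SIGNATURES = [(re.compile(rb"cmd\.exe /c whoami"), "Trojan.Constructed.A")]


def scan(blob, hash_db, pattern_db):
    """Return [(signature_kind, name)] for every signature that matches blob."""
    hits = []
    digest = sha256_hex(blob)
    if digest in hash_db:
        hits.append(("hash", hash_db[digest]))
    for pattern, name in pattern_db:
        if pattern.search(blob):
            hits.append(("pattern", name))
    return hits


def add_hash_signature(hash_db, blob, name):
    """What a vendor does once a new variant has been seen in the wild."""
    hash_db[sha256_hex(blob)] = name


def xor_encode(data, key):
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def make_encoded_variant(key):
    """Same sample, with the marker string XOR-encoded under a one-byte key."""
    return HEADER + xor_encode(PAYLOAD, key) + b"\x00" * 4


# Two constructed variants an attacker could produce in seconds.
VARIANT_PADDED = KNOWN_SAMPLE + b"\x00"       # one trailing byte: new hash, same pattern
VARIANT_ENCODED = make_encoded_variant(0x2A)  # re-encoded payload: new hash, no pattern


def demo():
    """Scan the original and both variants against the signatures written for the original."""
    return {
        "known": scan(KNOWN_SAMPLE, HASH_SIGNATURES, PATTERN_SIGNATURES),
        "padded": scan(VARIANT_PADDED, HASH_SIGNATURES, PATTERN_SIGNATURES),
        "encoded": scan(VARIANT_ENCODED, HASH_SIGNATURES, PATTERN_SIGNATURES),
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:8s} {hits or 'no signature matched'}")
    # The next turn of the cycle: the encoded variant is captured, its hash is
    # added, it is now detected, and a variant under a different key evades again.
    db = dict(HASH_SIGNATURES)
    add_hash_signature(db, VARIANT_ENCODED, "Trojan.Constructed.B")
    print("encoded, after update:", scan(VARIANT_ENCODED, db, PATTERN_SIGNATURES))
    print("new key, after update:", scan(make_encoded_variant(0x2B), db, PATTERN_SIGNATURES))
```

Run as a script it shows the original sample matched by both signatures, the padded variant matched only by the byte pattern, and the re-encoded variant matched by nothing; after its hash is added it is detected, and the same payload under a different key evades again. Each signature only ever describes variance that has already been observed, which is the sense in which these controls are reactive rather than intentional.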

Intention versus variance. Architects tend to be good at the former; security professionals have (of necessity) had to be good at managing the consequences of the latter.

Can the disciplines of architecture and information security do a better job of co-existence? What would that look like? Can we get to the point where security is truly “built in” versus “bolted on”?

What do you think?

P.S. The Open Group has numerous initiatives in the area of security architecture. Look for an updated Enterprise Security Architecture publication from us in the next 30 days; plus we have ongoing projects to align TOGAF™ and SABSA, and to develop a Cloud Security Reference Architecture. If there are other areas where you’d like to see guidance developed in the area of security architecture, please contact us.

Jim Hietala, an IT security industry veteran, is Vice President of Security at The Open Group, where he is responsible for security programs and standards activities. He holds the CISSP and GSEC certifications. Jim is based in the U.S.

Filed under Cybersecurity