As the second law of thermodynamics tells us, all things trend toward chaos and this is no less true with a virtual environment. Sprawl can have a real security impact, and it takes discipline and planning to control sprawl — discipline and planning that won’t occur without someone from the security team actively monitoring the problem and formulating strategies for how to address the issue.

VVirtualization has been one of the most rapidly and widely adopted technologies in recent memory. It’s huge, and it’s here to stay.

And as security professionals know, setting up a virtual environment securely isn’t easy. Significant effort goes into tasks like evaluating off-premise service providers, ensuring regulatory compliance, and standing up technical controls like monitoring and encryption. But in the excitement to stand up the new environment and get security to an acceptable “target state,” organizations sometimes don’t address security hygiene long-term. In other words, security is in high gear while the environment spins up, but it doesn’t lay the groundwork for what happens once things are chugging along.

Read the rest of Ed’s article over at E-Commerce Times.

[Excerpted from "Security Via HIPAA Compliance," a new report By Diana Kelley and Ed Moyle, posted on Dark Reading's Compliance Tech Center.]

Healthcare compliance requirements can be a driver to improve your organization’s overall security. Here’s how:

If your security organization is in the healthcare space, you inevitably are wrestling with the Healthcare Information Portability and Accountability Act (HIPAA). HIPAA compliance is one of the biggest challenges healthcare IT organizations face — but it also could be an opportunity to advance your security agenda.

For security professionals to leverage compliance investment and activities for broader benefit, they must understand what’s driving current compliance investment.

First, it bears saying that the standards outlined in the HIPAA Security Rule are designed to address broad swaths of industry—from small clinics and physician offices to the largest institutional care providers and insurance companies. Because of this, the high-level security control objectives outlined in the Security Rule (standards) as well as the supporting controls are extremely broad and lacking in technical specificity.

How can security organizations make use of compliance activities?

Check out the rest of the excerpt at Dark Reading or download the entire report at the DR Compliance Tech Center.

Ed’s October article for TechNewsWorld takes a look at why it’s so hard for companies to determine the true cost of security initiatives and controls.

Organizations love false economies. It may not be an entirely conscious act on their part, but it’s certainly the truth: Hang around any organization long enough and you’ll find at least one instance where it tries to save on doing A but winds up spending more on doing B in the process.

Consider, for example, expense policies that require employees to stay one or more extra nights when traveling. Because airfare is lower when weekend travel is involved, organizations might be tempted to ask employees to do this to keep air costs down; however, very seldom do recouped airfare dollars come even close to combined dollars lost in extra hotel stays, extra meal expenses, lost productivity and reduced employee morale. The combination of hard and soft costs far outweighs possible savings in the area of airfare.

For the rest of Ed’s article, please click here.

In his monthly Opinion piece, Ed discusses why BYOB requires a fresh look at AUPs:

The use of personal devices for corporate tasks is on the rise, and too many IT departments haven’t fully addressed the information security ramifications of the trend. To tackle the situation, you’ll need to first get a handle on what your current policies are as they relate to management intent as well as what policies you’re already enforcing technically.

It’s a myth that ostriches bury their heads when they spot danger. It sounds plausible, but in reality, they’re just like us: In the face of imminent danger, they either run or attack (“fight or flight”).

This makes sense when you stop to think about it. After all, one thing that seems almost painfully obvious is that ignoring signs of danger isn’t an effective defense strategy. In a high-stakes situation (like being a prey animal on the Serengeti), ignorance isn’t an evolutionarily productive strategy. Successful ostriches are more likely to live by taking evasive action; less-successful ostriches are more likely to ignore danger and perish.

For the rest of Ed’s article, please click here.

TechTarget just published my analysis on the PCI Tokenization Guidelines:

For years, security experts have touted the value of credit card tokenization for limiting PCI scope. The National Retail Federation (NRF) listed tokenization in its January 2009 “Key PCI Best Practices” document, and Gartner Inc. analysts John Pescatore and Avivah Litan explained how tokenization can be used to reduce PCI scope in their August 2009 research note, “Using Tokenization to Reduce PCI Compliance Requirements.”

Now, following the long-awaited release of its PCI Tokenization Guidelines in August 2011, the PCI Security Standards Council (SSC) has made it official: tokenization can reduce scope for PCI audits. Organizations that were waiting for the council’s opinion can now forge ahead with implementations, knowing that credit card tokenization is approved for use in a PCI DSS-compliant cardholder data environment (CDE). That in itself will be welcome news to many merchants.

To read the rest of my analysis, please click here.

Ed’s column in TechNewsWorld this month takes a look at “Big Data” -

Over the past few decades, most IT shops have followed a somewhat similar trajectory: Starting from a centralized model (i.e., the mainframe days), computing resources, much like the cosmological Big Bang, have exploded outwards to become ever-more-distributed and decentralized. This makes sense given market dynamics. Computing platforms evolve quickly, so monolithic computing platforms that require heavy up-front investment are less efficient from a depreciation standpoint (i.e., from a MIPS per dollar per year point of view) than numerous, incremental investments in lower-powered devices.

So it’s natural that processing would decentralize. And in fact, there have been numerous technologies invented over the years to support exactly this paradigm.

By virtue of ever-more decentralized processing, it logically follows that storage would be (in general) decentralized as well. In fact, storage becomes a balancing act. Data is placed in such a way as to be centralized enough to be manageable, while still being distributed enough to be efficiently used by consumers of that data. That’s the paradigm of recent history. But this paradigm is changing — changing in a way that impacts how we manage IT overall from a security perspective. And that change is “big data.”

To read the rest of the article please click here.

In his July article for TechNews World, Ed discusses ways to make an organization more resistant to social engineering:

Let’s face it: Social engineering — attacking an organization through deception by “tricking” internal users into sharing inappropriate levels of access — isn’t a topic that comes up very much in most IT shops. This isn’t because social engineering is ineffective or because organizations aren’t susceptible to it.

To the contrary: Although direct, quantifiable evidence about social engineering is difficult to come by, what statistics we do have (for example, the 90+ percent success rate at Defcon 18′s Social Engineering “Capture the Flag” contest) suggest that success rates for social engineering attacks are disproportionately high relative to attacks against technological components within our infrastructures.

To keep reading the article, please click over to TechNews World here.

SearchSecurity just posted my 45 minute webinar: IT Patch Management Best Practices: Overcoming the Challenges.

With targeted attacks and zero-day vulnerabilities shrinking the window of time between vulnerability disclosure and exploit availability, it’s becoming more incumbent on security managers to understand the assets in their IT environment and the patch levels of those machines.

In this presentation on vulnerability management and IT patch management best practices, application security expert Diana Kelley explains how to improve your asset discovery processes, determine the patch level of the machines in your environment, and improve testing and deployment processes to keep pace with patch and vulnerability management.

In this presentation, Kelley discusses:

• Patching and remediation as a component of the vulnerability management lifecycle.
• Implementing a vulnerability management program including scanning and prioritization.
• Remediation:When and what to patch:

• Testing
• Deployment
• Validation
• Remediation alternatives
• Keys to successful configuration and patch management lifecycle

No registration required! So if you’ve got some time and are interested in patch management please give a listen here.

The second part of my two part guest blogger post for the Tufin blog is up:

Think about how much your organization spends annually on firewall hardware, software licenses, and management. Now think about watching all that money washing down the drain because a single poorly implemented rule circumvented all of the other firewall-based protections. Sounds a little alarming, but if you’re a firewall administrator, you know how real that possibility is.

In a previous post we took a look at “shadow rules” and why investing in automated tools that help eliminate them can be a solid business, not to mention security investment. But eliminating redundant, outdated and ineffective rules is only part of the problem. For many firewall administrators, the bigger challenge is handling the day-to-day requests for firewall rule changes without introducing vulnerabilities or exposure points.

Firewalls aren’t static sentries that are set up once and run without change for years.

To read the full post please visit the Tufin blog here.