Archive for the ‘Risk Management’ Category
Security Vendors Show Innovation at RSA
In the second part of our earlier eSecurity Planet coverage of the announcements at RSA, here’s a link to our coverage of the smaller vendors:
On Wednesday, we mentioned that Cloud Computing security is the front-and-center focus of RSA 2010 and we took a look at the announcements from some of the biggest players. In this part of our RSA coverage, we’re bringing you announcements from some of the other innovative vendors.
First up, the company that won the “Innovation Sandbox” award, beating out 10 other finalists, is Altor Networks for their VF3.0 virtual firewall.[1] The VF3.0 virtual firewall brings traditional security services – such as policy enforcement, intrusion detection, and high-performance stateful inspection – to the virtual world and the cloud. It’s an interesting product and the tie-in to virtualization is top-of-mind for attendees; however, let’s not forget that the Innovation Sandbox focuses on entrepreneurial ventures, so post-acquisition players that are also developing and shipping firewalling solutions in the virtualization space (e.g. Third Brigade, recently acquired by Trend Micro) are de facto out of the running.
Pros and cons of SaaS-based messaging security
Jennifer Kavur cites Diana in her ComputerWorld Canada article, Pros and cons of SaaS-based messaging security.
“My top piece of advice is to understand why you want to outsource this kind of solution and then what you need as you outsource it,” said Diana Kelley, partner at Amherst, N.H.-based IT security consultancy SecurityCurve.
Speaking at a recent seminar hosted in Markham, Ont., sponsored by security vendor Symantec Corp., Kelley outlined key points companies should keep in mind prior to signing a contract for SaaS-based messaging security and hygiene.
Any size organization, from businesses with one employee to Fortune 100 companies, can get value out of the SaaS model, she said. “The bottom line is, companies don’t want all of this stuff coming to their mail server,” said Kelley.
Do Geotagging and Presence Put Your Enterprise at Risk?
The National Weather Service (NWS) recently started a project that invites the Twitterverse to submit weather reports. The reports can be manually tagged with the Tweeter’s location, or automatically tagged using Twitter’s geotagging functionality. For anyone who’s watched a local weather reporter explain that today will be cloudy with a remote chance of rain, and then looked out the window at an active downpour, the promise of more accurate location-based weather reporting is appealing. And on the surface, what possible harm could come from letting the world know you’re in Old Orchard Beach, ME right now and the weather is perfect? Thinking beyond weather, though, consider an Executive retreat at a Twitter-friendly enterprise. Auto-geotagged Tweets could instantly update others on the precise location and current travel conditions for employees as they journey to the meeting. Add presence awareness to geotagging, and you can identify not only when one of your in-flight colleagues is back on the ground, but also if they’ve landed safely at their target destination or were unexpectedly re-routed to another airport.
Geo-location and presence have a myriad of positive uses for individuals and enterprises. But, as with many things, there is another side to consider: privacy and risk. Specifically, what are the misuse cases for presence and geotagging?
For the rest of my article, please click here to visit eSecurity Planet.
Before Making the Leap, Check Cloud Security – and Check Your Own
This month in E-Commerce Times, I focus on the true pitfalls (and the false ones) of cloud security:
Just because using a cloud service means your important enterprise data will reside on an off-premise site does not make the system inherently less secure than keeping it in-house. Before making the jump to the cloud, though, some research should be done in terms of security — both the service provider’s and your own.
If you’d like to read the rest of this article, please click here.
2010 Security Spending Priorities
Marcia Savage has a nice round-up on spending for 2010 in the latest issue of Information Security Magazine.
After the extensive cutbacks at the end of 2008, enterprises seem to be feeling a little more comfortable about overall budgets, says Diana Kelley, founder and partner at Amherst, N.H.-based consulting firm SecurityCurve. However, security spending will likely be slower to pick up than other spending.
“If people are feeling a little more comfortable, they’ll want to see what happens with profit and the bottom line before they start allocating big huge chunks back into security,” she says, noting that security is traditionally seen as a cost center rather than a profit center.
Improve Morale, Improve Security
Ed’s January article for eCommerce Times/TechNewsWorld:
Times of high workplace stress can often cause employees to be less productive. When morale takes a dip, IT security is put at higher risk, as some workers may become indifferent to whether they’re doing their jobs properly. IT managers should look at workplace morale as one more factor affecting a company’s overall security risk situation.
Karen Hobert on SaaS e-Mail Risk
Karen Hobert, our colleague at Collaborative Strategy Guild, just published a White Paper on Mitigating Risk and Finding Opportunity in Software as a Service (SaaS) E-mail for Small and Medium Businesses.
Software as a Service (SaaS) e-mail offerings provide some operational productivity benefits at lower prices, although it is not a silver bullet, and should not be considered a compromise to existing solutions. SaaS e-mail service bundles can provide capabilities not previously available with existing e-mail solutions especially with operational aspects of managing an e-mail infrastructure. Although total cost of ownership (TCO) is a leading driver for choosing SaaS e-mail, customers should approach SaaS e-mail options based on how the solution will improve the e-mail experience and increase user and operational productivity as well as mitigate risks.
Log Management for Business Process Efficiency
Linda Tucci’s got a piece on “leveraging log management for IT and business process efficiency,” up over at SearchCIO. Linda spoke with me as part of her research for the article.
“Companies were telling me, ‘I put this in for compliance, but look at all the amazing things I can do,’” Kelley said. “Once these folks do the work for compliance — have all the sensors and collectors in place — they are realizing that, essentially, SIEM is like shining a spotlight on areas of the network and on business process.”
Back to Basics: 5 Things IT Could Do Better in 2010
2009 was a hard year economically for a lot of companies and their employees. So we’ve been thinking about ways to spend budget dollars wisely in 2010: not just on new projects, but on enhancing efficacy with existing technologies. In Ed’s November piece for TechNewsWorld he takes a look at some of the IT security “basics” and how we might fine-tune and improve on them in the coming year.
It’s around this time of year that we often see lists of the top new security and IT threats on the horizon. That sort of information has its place — everyone should be aware of trends in their profession. Just don’t let tomorrow’s scare have undue influence over budgeting decisions. Fundamentals are still just as important as ever.
Red Flag Deadline Extended
If you haven’t heard – the FTC moved the Red Flag fraud deadline out to June 1, 2010. Good news if you’re an entity that needs to comply, because the last deadline (November 1, 2009) has already passed.
Bill Brenner has an article on InfoWorld about the extensions. And Ed is quoted in it:
Ed Moyle, founding partner at SecurityCurve, former VP of information security at Merrill Lynch:
Truthfully, in the field, a lot of the folks I’ve come across are pretty much where they need to be from a regulatory standpoint (i.e. they’ve hit the bar required by the regulation). But just hitting that bar doesn’t mean a company is all the way there in terms of protecting customers from identity theft.
My recommendation to folks that think they have everything in hand on this is two-fold: First, make sure all the i’s are dotted and t’s crossed before the deadline to make sure they’re compliant with the reg. (i.e., make sure that they have the defined identity theft processes and that their staff are trained on what to do if someone calls in to report identity theft). Second, while the iron’s hot, look to see if there’s something that they can do to address identity theft proactively; for example, maybe they can change the business processes to reduce the likelihood of identity theft? This isn’t always possible, but why not use compliance with the law as an opportunity to go over and above?