<?xml version='1.0' encoding='UTF-8'?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/" xmlns:blogger="http://schemas.google.com/blogger/2008" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" version="2.0"><channel><atom:id>tag:blogger.com,1999:blog-4391522908329730957</atom:id><lastBuildDate>Fri, 30 Aug 2024 00:11:09 +0000</lastBuildDate><category>data breaches</category><category>information-centric</category><category>Securing data</category><category>data leakage</category><category>data-centric</category><category>PCI</category><category>data breach law</category><category>encryption</category><category>surveys</category><category>Fines</category><category>Data Privacy</category><category>FDE</category><category>cold boot</category><category>virtualization security</category><category>key management</category><category>patient records</category><category>classification</category><category>defense-in-depth</category><category>guarantee</category><category>insider threat</category><category>conference</category><category>virtualization</category><title>Data-Centric Protection and Management</title><description>Thoughts and ideas from the folks at BitArmor as we build innovative, data/information-centric, security solutions.</description><link>http://bitarmor.blogspot.com/</link><managingEditor>noreply@blogger.com (Manu Namboodiri)</managingEditor><generator>Blogger</generator><openSearch:totalResults>122</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4391522908329730957.post-3112962381826029328</guid><pubDate>Tue, 12 Jan 2010 16:54:00 +0000</pubDate><atom:updated>2010-01-12T12:52:07.311-05:00</atom:updated><category 
domain="http://www.blogger.com/atom/ns#">information-centric</category><category domain="http://www.blogger.com/atom/ns#">PCI</category><title>BitArmor acquired by Trustwave!</title><description>Exciting news for us and pleased to announce the acquisition of BitArmor by Trustwave! The press release is &lt;a href=&quot;https://www.trustwave.com/pressReleases.php?n=011210&quot;&gt;here..&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Quick FYI - Trustwave is a leader in delivering compliance and security solutions for thousands of large and small customers across the globe. They have a great story about PCI as well. Great to be part of an awesome company!&lt;br /&gt;&lt;br /&gt;We believe this is an absolutely perfect fit with our vision of information-centric security, our Smart Tag technology and how Trustwave sees the world of security and compliance.&lt;br /&gt;&lt;br /&gt;Will post more in a few days.. Lots to do so gotta run!</description><link>http://bitarmor.blogspot.com/2010/01/bitarmor-acquired-by-trustwave.html</link><author>noreply@blogger.com (Manu Namboodiri)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4391522908329730957.post-8916357552220419494</guid><pubDate>Wed, 09 Dec 2009 17:02:00 +0000</pubDate><atom:updated>2009-12-09T12:15:03.460-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">information-centric</category><category domain="http://www.blogger.com/atom/ns#">Securing data</category><title>New Cisco report on state of security</title><description>Cisco has just released their annual state of security report - the Cisco Annual Security Report. It mentions the normal stuff that you hear - more malware, 40% more spam in 2010, more banking trojans etc. Scary stuff, no doubt. 
Read more about it&lt;a href=&quot;http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=222001129&quot;&gt; here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;But the stuff that worries me is what is missing (or not highlighted) in the report - i.e. data security in the enterprise. While I, being also a consumer, appreciate the issues pointed out here, the data breached from enterprises also causes significant pain.&lt;br /&gt;&lt;br /&gt;Trojans, malware, viruses will always be around and I think we have to expect this going forward. How do we ensure that these get relegated to just annoyances and not become a security threat? This is where an information-centric approach works best - once the data is protected, only the right user opening up the document with the right application can decrypt it. The malware thus cannot access protected data since it does not have the right permissions.  This might reduce the impact of much of today&#39;s malware - at least for enterprise data.&lt;br /&gt;&lt;br /&gt;For transactional consumer data (i.e. 
credit card information submitted during a web session etc), we have to think of other but similar techniques...</description><link>http://bitarmor.blogspot.com/2009/12/new-cisco-report-on-state-of-security.html</link><author>noreply@blogger.com (Manu Namboodiri)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4391522908329730957.post-7199897925841680893</guid><pubDate>Thu, 08 Oct 2009 11:53:00 +0000</pubDate><atom:updated>2009-10-08T07:59:12.409-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">data breach law</category><category domain="http://www.blogger.com/atom/ns#">Fines</category><title>Hannaford case reversal</title><description>Some interesting developments for those who have been following the rulings in the Hannaford breach case - the judge had ruled that since cardholders were not affected economically because credit cards were stolen (banks will cover any losses to cardholders), they don&#39;t have a civil case against Hannaford.&lt;br /&gt;&lt;br /&gt;However, the judge &lt;a href=&quot;http://www.storefrontbacktalk.com/securityfraud/judge-in-hannaford-data-breach-case-reverses-himself-might-cut-through-retailers-liability-shield/&quot;&gt;recently reversed himself&lt;/a&gt; and asked the Maine Supreme Court whether the &quot;inconvenience&quot; that the cardholders went through should be compensated... 
Interesting fork and one that could have a strong impact on the retailers if the Maine Supreme Court indeed thinks so..&lt;br /&gt;&lt;br /&gt;The bottom line is whether retailers should take more care of data entrusted to them - while the judge had a very narrow view of &quot;loss&quot; to the consumer, the defense believes that they have a shot in making cardholder rights heard...&lt;br /&gt;&lt;br /&gt;Should be interesting to see the developments..</description><link>http://bitarmor.blogspot.com/2009/10/hannaford-case-reversal.html</link><author>noreply@blogger.com (Manu Namboodiri)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4391522908329730957.post-4690178010915864795</guid><pubDate>Mon, 05 Oct 2009 12:07:00 +0000</pubDate><atom:updated>2009-10-05T08:12:26.988-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">data breaches</category><title>One million dollars!</title><description>As a reward, that is... Express Scripts has reportedly put up $1M to anyone who can provide information leading to the arrest of those responsible. Apparently the thieves wanted to get the most from the stolen data -&lt;a href=&quot;http://online.wsj.com/article/BT-CO-20090930-717098.html&quot;&gt; sell it to the highest bidder&lt;/a&gt; or extort Express Scripts to keep it safe!&lt;br /&gt;&lt;br /&gt;Looks like extortion is the new black - from talk show hosts to stolen data! Be interesting to see where this takes the industry. But my question is - is this extortion because the criminals do not have a market demand for the stolen data? 
If it has a ready market, why bother with extortion?</description><link>http://bitarmor.blogspot.com/2009/10/one-million-dollars.html</link><author>noreply@blogger.com (Manu Namboodiri)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4391522908329730957.post-4604311887353956024</guid><pubDate>Thu, 01 Oct 2009 14:16:00 +0000</pubDate><atom:updated>2009-10-01T10:35:00.726-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">data breaches</category><category domain="http://www.blogger.com/atom/ns#">FDE</category><title>Josh Corman at IANS</title><description>Just attended an interesting keynote by Josh Corman at the IANS event in Boston this morning. Very thought-provoking stuff - he also has an article about it in&lt;a href=&quot;http://www.cio.com/article/499829/8_Dirty_Secrets_of_the_IT_Security_Industry&quot;&gt; CIO magazine&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Being a good marketer, Josh trimmed down the 8 secrets to 7 (but wait! one was free and he counted from zero, so we are back to 8 :)). I had previously discussed one of his takes in &lt;a href=&quot;http://blog.bitarmor.com/2009/08/dirty-secrets-and-non-existent.html&quot;&gt;this blog&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The interesting part about listening to the discussion live is Josh&#39;s emphasis on risk. He believes that we as security professionals have been so caught up with managing around compliance mandates that we have not stepped back to think about what risk we are mitigating.&lt;br /&gt;&lt;br /&gt;Excellent point - especially when it relates to projects on hand. Would you do disk encryption based on the knowledge that 31% of all breach incidents are the result of lost and stolen laptops? Of course you would. However, would you rethink your decision if you also know that these lost laptops account for only 9% of all data lost? 
Hmmm, does FDE only reduce risk by 9%?&lt;br /&gt;&lt;br /&gt;That begs the question, what else reduces risk by a larger percentage? Interesting topic and subject for another post....</description><link>http://bitarmor.blogspot.com/2009/10/josh-corman-at-ians.html</link><author>noreply@blogger.com (Manu Namboodiri)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4391522908329730957.post-4935988540129002120</guid><pubDate>Tue, 29 Sep 2009 15:12:00 +0000</pubDate><atom:updated>2009-09-29T11:22:43.566-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">PCI</category><category domain="http://www.blogger.com/atom/ns#">virtualization security</category><title>Virtualization and PCI standard - can we do better?</title><description>The wheels are turning for another version of the PCI standard. And this time &lt;a href=&quot;http://www.bankinfosecurity.com/articles.php?art_id=1815&quot;&gt;virtualization security is a big focus&lt;/a&gt; in the development of the standard. Commendable, I say. Virtualization will become a bigger deal (more than it is today) and almost all organizations will have some form of virtual environment set up.&lt;br /&gt;&lt;br /&gt;However, are we prone to repeat the same mistakes? We still seem to be stuck in the legacy world of protecting infrastructure - security professionals have no time to look beyond the normal, staple security diet of anti-malware, IDS/IPS, firewalls etc, to where the more active threats are.&lt;br /&gt;&lt;br /&gt;How do we bring the security world (as well as the business world) forward to rethink how to enable secure business? 
I have strong opinions on this - I believe an &lt;a href=&quot;http://blog.bitarmor.com/search/label/information-centric&quot;&gt;information-centric security &lt;/a&gt;approach is vital and imperative in &lt;a href=&quot;http://blog.bitarmor.com/2009/07/virtualization-security-presntation-at.html&quot;&gt;virtualized environments&lt;/a&gt;. In fact, I can go so far as to say that this is the only logical and enforceable method, that enables virtualization to be all-it-can-be - so that business can be all it can be!&lt;br /&gt;&lt;br /&gt;Let not PCI be a reflection of the past threats - let it become what we need now and prepare us for the future. This is the only way it can stay relevant and useful.</description><link>http://bitarmor.blogspot.com/2009/09/virtualization-and-pci-standard.html</link><author>noreply@blogger.com (Manu Namboodiri)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4391522908329730957.post-8687335151386910347</guid><pubDate>Fri, 18 Sep 2009 14:15:00 +0000</pubDate><atom:updated>2009-09-18T13:07:33.496-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">data breaches</category><category domain="http://www.blogger.com/atom/ns#">Fines</category><category domain="http://www.blogger.com/atom/ns#">surveys</category><title>Gartner - Pay now or pay (a lot) later!</title><description>Read a few weeks ago a very interesting (and perhaps one of the few) analyst reports that analyze the costs of a fixing a breach as compared to prevention. Check it out &lt;a href=&quot;http://www.gartner.com/DisplayDocument?ref=g_search&amp;amp;id=1151212&quot;&gt;here&lt;/a&gt;..&lt;br /&gt;&lt;br /&gt;The basic premise of Gartner analyst, John Girard, is that the costs of prevention are insignificant compared to the costs of cleanup - less than 2%! 
How can management of any organization look at this and say that &quot;let&#39;s cross our collective fingers&quot; and hope for the best?&lt;br /&gt;&lt;br /&gt;Data protection, if done correctly, does not have to be expensive. I just read &lt;a href=&quot;http://www.mxlogic.com/securitynews/identity-theft/data-security-compliance-costs-plague-firms883.cfm&quot;&gt;this article&lt;/a&gt; based on a survey that said most organizations in MA feel that the costs of data security are hurting firms. While I agree there is an investment to be made, the costs of cleanup are far higher. In fact a recent &lt;a href=&quot;http://www.ponemon.org&quot;&gt;Ponemon report&lt;/a&gt; showed that over 60% of organizations have had breaches in the last 12 months - what this means is any organization has a 60+% chance of a breach!&lt;br /&gt;&lt;br /&gt;Any organization should at least start protecting its most vulnerable assets - data in vulnerable locations. Be it on mobile devices such as laptops, USB devices or on file shares.&lt;br /&gt;&lt;br /&gt;These costs are minimal compared to the costs of payment later...</description><link>http://bitarmor.blogspot.com/2009/09/gartner-pay-now-or-pay-lot-later.html</link><author>noreply@blogger.com (Manu Namboodiri)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4391522908329730957.post-3524854940671006378</guid><pubDate>Tue, 15 Sep 2009 15:15:00 +0000</pubDate><atom:updated>2009-09-15T12:16:01.136-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">data breach law</category><title>SB-20: A California refresh!</title><description>The updated California breach law, SB-20, is finally on the Governator&#39;s table. It has been a while coming and is most interesting since it finesses the grand-daddy of all breach laws, SB-1386. 
For more information, check out &lt;a href=&quot;http://arielsilverstone.com/privacy/california-breach-notification-law-sb-20/&quot;&gt;Ariel Silverstone&#39;s blog&lt;/a&gt;. There is a very good analysis of the new law.&lt;br /&gt;&lt;br /&gt;I like the use of the word &quot;unencrypted&quot; in the new law - it implies that even if data was encrypted but the keys were lying around, you can&#39;t claim immunity :) Contrast this language with something like &quot;plain&quot; or &quot;open&quot;...&lt;br /&gt;&lt;br /&gt;I think this is a good step forward, especially around the notification, use of plain language etc. I would have liked it to be more focused on remedies and &quot;get-out-of-jail&quot; by using encryption (the MA law is one such).</description><link>http://bitarmor.blogspot.com/2009/09/sb-20-california-refresh.html</link><author>noreply@blogger.com (Manu Namboodiri)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4391522908329730957.post-28438738133845427</guid><pubDate>Fri, 11 Sep 2009 16:56:00 +0000</pubDate><atom:updated>2009-09-11T13:04:19.910-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">data breaches</category><title>My black-market value?  32 bucks</title><description>Interesting tool that Symantec has unveiled - an online risk calculator that figures out how much &lt;a href=&quot;http://www.everyclickmatters.com/victim/assessment-tool.html&quot;&gt;your identity could be auctioned&lt;/a&gt; off for! Apparently I am cheap and can be had for $32.29 - no idea how they got the accuracy down to 29 cents!&lt;br /&gt;&lt;br /&gt;Without going into the merits of the calculator (and the random number generator behind it :)), I think it is an interesting thought. 
While a criminal might not be targeting you specifically, breaching and then auctioning off thousands of such records can make someone some pretty good coin.&lt;br /&gt;&lt;br /&gt;It is also likely that the guys who breach have their specialty - getting the records. It is up to the buyer now to steal the actual cash from the accounts or credit cards that have been turned over! Specialization and job segmentation at its best!!</description><link>http://bitarmor.blogspot.com/2009/09/my-black-market-value-32-bucks.html</link><author>noreply@blogger.com (Manu Namboodiri)</author><thr:total>1</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4391522908329730957.post-1439865329036814592</guid><pubDate>Sat, 05 Sep 2009 12:02:00 +0000</pubDate><atom:updated>2009-09-05T08:37:08.706-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">information-centric</category><category domain="http://www.blogger.com/atom/ns#">virtualization security</category><title>Virtualization security compliance guidelines - quite off base!</title><description>I don&#39;t know if it is a challenge with today&#39;s compliance rules or how folks perceive virtualization security, but the recent guidelines &lt;a href=&quot;http://darkreading.com/security/management/showArticle.jhtml;jsessionid=MXBSUEWKF31ZNQE1GHPSKH4ATMY32JVN?articleID=219501096&quot;&gt;published by VMware and RSA&lt;/a&gt; seem to have missed the mark. I don&#39;t want to add the word &quot;completely&quot;, but I do think they are quite off base.&lt;br /&gt;&lt;br /&gt;Not to say they don&#39;t have some good things in there, like platform hardening, network segmentation, change management, admin access control etc.. But this is something one would be doing for non-virtual environments as well - not much different here, just common sense.&lt;br /&gt;&lt;br /&gt;A reason for missing the mark is the non-focus on virtualization itself. Virtual environments are different. 
I think they need some &lt;a href=&quot;http://blog.bitarmor.com/search/label/virtualization%20security&quot;&gt;fundamental rethinking of security&lt;/a&gt;, including focus on statelessness, shorter session-lifetimes and a true focus on data.&lt;br /&gt;&lt;br /&gt;What fills me with a sense of incompleteness from these guidelines is the total non-focus on data! C&#39;mon what are we trying to protect here? It&#39;s the data!! And nary a single mention?</description><link>http://bitarmor.blogspot.com/2009/09/virtualization-security-compliance.html</link><author>noreply@blogger.com (Manu Namboodiri)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4391522908329730957.post-7533428719342582467</guid><pubDate>Thu, 03 Sep 2009 12:20:00 +0000</pubDate><atom:updated>2009-09-03T08:52:39.279-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">encryption</category><category domain="http://www.blogger.com/atom/ns#">FDE</category><category domain="http://www.blogger.com/atom/ns#">information-centric</category><title>WhoHooo! BitArmor recognized in the latest Magic Quadrant!</title><description>Apologize for getting a bit excited - BitArmor is named in the 2009 Gartner Magic Quadrant for Mobile Data Protection! The full report can be read from the &lt;span style=&quot;text-decoration: underline;&quot;&gt;&lt;/span&gt;&lt;a href=&quot;http://www.gartner.com/mq/index.jsp?qid=169804&quot;&gt;Gartner website. &lt;/a&gt;Our release about this recognition can be read from our &lt;a href=&quot;http://www.bitarmor.com/&quot;&gt;website&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;In this blog, I usually talk about my thoughts on the industry, evolution of security etc and I don&#39;t blog much about our product and the company. 
However, I do think this is a good excuse to do so :) It is good to be recognized by leading security analysts such as John Girard and Eric Ouellet!&lt;br /&gt;&lt;br /&gt;The report highlights our &lt;a href=&quot;http://blog.bitarmor.com/2009/08/benefits-of-information-centric.html&quot;&gt;unique information-centric security approach&lt;/a&gt; to protecting data. It also talks about our &lt;a href=&quot;http://www.bitarmor.com/guarantee&quot;&gt;No-Breach Guarantee&lt;/a&gt;. And one phrase I like is &quot;far advanced&quot; - as a way to describe our technology. Nice!&lt;br /&gt;&lt;br /&gt;Being information-centric in our approach to data protection makes us a bit different from the other vendors in the document - most of them protect mobile devices. Because of our Smart Tag technology, BitArmor is able to &lt;span style=&quot;font-weight: bold;&quot;&gt;protect the data itself&lt;/span&gt; at all times - thus the protected data can move to a laptop, USB device, via email as attachments or via FTP. It can also move from a file share to a data center server to a backup tape and still remain protected. From this perspective, we are truly fulfilling the real &quot;Mobile Data Protection&quot;. I think the naming of this Magic Quadrant report is a bit ahead of its time!&lt;br /&gt;&lt;br /&gt;However, as it stands now, most people associate data protection with &quot;mobile devices&quot; - i.e. protecting the devices that the data rests on (laptops, USBs, phones etc). And possibly for good reason - there were no good enough or usable enough technologies that could truly protect the data itself, and that too persistently. Until now, of course!&lt;br /&gt;&lt;br /&gt;I do think the Mobile Data Protection Magic Quadrant will evolve more towards a data or information-centric approach in the coming years. 
Looking forward to our footprint trending, nay jumping, up and to the right!</description><link>http://bitarmor.blogspot.com/2009/09/whohooo-bitarmor-recognized-in-latest.html</link><author>noreply@blogger.com (Manu Namboodiri)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4391522908329730957.post-810138695106615408</guid><pubDate>Wed, 02 Sep 2009 16:29:00 +0000</pubDate><atom:updated>2009-09-02T12:42:02.243-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">information-centric</category><title>Another case for information-centric security</title><description>The more I read about how criminals are breaching the perimeter and getting access to sensitive data in an organization, the more I am convinced an information-centric approach is the only way to go.&lt;br /&gt;&lt;br /&gt;Case in point is the recent article from Information Week - &lt;a href=&quot;http://www.informationweek.com/news/security/attacks/showArticle.jhtml;jsessionid=J2ID5014C5D2FQE1GHOSKH4ATMY32JVN?articleID=219500335&quot;&gt;5 Security Lessons from Real World Breaches&lt;/a&gt;. Fun stuff!! Here is a short excerpt from one attack the article describes - the conclusion..&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-style: italic; color: rgb(255, 102, 0);&quot;&gt;&quot;...The attackers used the compromised server as their home base. They deployed tools and scanners and spent several months meticulously mapping the network without being detected. Once they found the systems that contained &lt;span style=&quot;font-weight: bold;&quot;&gt;the data that they were looking for, they simply copied the information, put it into a Zip file, and moved it out&lt;/span&gt;.&quot;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Emphasis above is mine - they basically compromised a server and then copied data out. The perception of data-at-rest protection as the end-all is making me frustrated. 
If this data were protected using an &lt;a href=&quot;http://blog.bitarmor.com/2009/08/benefits-of-information-centric.html&quot;&gt;information-centric approach&lt;/a&gt; - i.e. protect the data and keep it protected at all times (at rest and in motion), this would have been much harder. All the criminals would have gotten is encrypted data.&lt;br /&gt;&lt;br /&gt;I am also looking at the 5 guidelines/conclusions from the report and besides a short mention of layered security and isolation, there is not much emphasis on data protection. I think the authors are missing the point. You can &lt;a href=&quot;http://blog.bitarmor.com/2009/08/dirty-secrets-and-non-existent.html&quot;&gt;never have enough perimeter security&lt;/a&gt; - IDS/IPS and anti-malware work only to a certain extent.&lt;br /&gt;&lt;br /&gt;You need to recognize that data is the critical asset, not the network or the server. Protect the data, damn it!!</description><link>http://bitarmor.blogspot.com/2009/09/another-case-for-information-centric.html</link><author>noreply@blogger.com (Manu Namboodiri)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4391522908329730957.post-2624297993598891232</guid><pubDate>Wed, 02 Sep 2009 15:53:00 +0000</pubDate><atom:updated>2009-09-02T11:57:57.390-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">data breach law</category><category domain="http://www.blogger.com/atom/ns#">patient records</category><title>New HIPAA breach laws taking effect</title><description>More rules and more rules... The HHS has issued final guidelines on breach notification requirements for &lt;a href=&quot;http://compliance.thompson.com/human-resources/20090901/hipaa-breach-notice-rules-take-effect-sept-23&quot;&gt;organizations under the HIPAA law&lt;/a&gt;. They take effect Sept 23rd... Just in time for the G20 summit?&lt;br /&gt;&lt;br /&gt;Maybe not. 
However, the reality is that organizations are having to now deal with a bevy of such requirements and the bigger problem is not in complying with basic standards, but ensuring the lowest common denominator (or in this case the strictest rules) are being met...</description><link>http://bitarmor.blogspot.com/2009/09/new-hipaa-breach-laws-taking-effect.html</link><author>noreply@blogger.com (Manu Namboodiri)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4391522908329730957.post-9149082342981878310</guid><pubDate>Sun, 30 Aug 2009 01:19:00 +0000</pubDate><atom:updated>2009-08-29T21:37:01.095-04:00</atom:updated><title>Encrypted is not a boolean variable</title><description>&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Let&#39;s face it, encryption is a new thing, and you have to &lt;/div&gt;&lt;div&gt;keep things simple so people can understand it.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;But it frustrates me that most of the talk about &lt;/div&gt;&lt;div&gt;encryption technology, law, policy, compliance, etc is &lt;/div&gt;&lt;div&gt;always in terms of &quot;encrypted&quot; vs &quot;unencrypted&quot;.  Yeah, &lt;/div&gt;&lt;div&gt;all your data should be encrypted.  But that&#39;s the beginning &lt;/div&gt;&lt;div&gt;of the discussion, not the end.  Encryption is easy. &lt;/div&gt;&lt;div&gt;Protecting data is hard.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Once you use strong encryption to protect your data, you &lt;/div&gt;&lt;div&gt;have real security.  That sounds great, but the flipside is &lt;/div&gt;&lt;div&gt;that your company&#39;s security policy is probably a pile of &lt;/div&gt;&lt;div&gt;paper in a drawer that no one reads or updates, and does &lt;/div&gt;&lt;div&gt;not correspond to reality.  
How do you organize your data, &lt;/div&gt;&lt;div&gt;backup your data, share your data, manage your data ...&lt;/div&gt;&lt;div&gt;frankly, how do you USE your data in an encrypted &lt;/div&gt;&lt;div&gt;world?  Encryption is coming.  You need to think about it &lt;/div&gt;&lt;div&gt;now.  Do your homework.  If you don&#39;t, you&#39;ll be paying for &lt;/div&gt;&lt;div&gt;your lack of preparation for years.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;-Tim&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;BTW this blog post is encrypted with no less than three &lt;/div&gt;&lt;div&gt;proprietary encryption algorithms (ROT-13^2, &lt;/div&gt;&lt;div&gt;XOR-0x00, and CAESAR-26, among others) and therefore &lt;/div&gt;&lt;div&gt;cannot be read by anyone.  &quot;encrypted == true&quot; !&lt;/div&gt;</description><link>http://bitarmor.blogspot.com/2009/08/encrypted-is-not-boolean-variable.html</link><author>noreply@blogger.com (Tim Hollebeek)</author><thr:total>1</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4391522908329730957.post-3771622741742617055</guid><pubDate>Fri, 28 Aug 2009 15:06:00 +0000</pubDate><atom:updated>2009-08-28T11:09:55.031-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">data breaches</category><category domain="http://www.blogger.com/atom/ns#">Data Privacy</category><title>Bernanke hit by ID breach</title><description>Did the thief think he could cash into the billions that the Fed chief oversees :) Or maybe he was looking for a bailout himself!&lt;br /&gt;&lt;br /&gt;Will this put some fire under the administration to think seriously about national laws for breach? 
Always seems to happen when something hits close to home and personally...&lt;br /&gt;&lt;br /&gt;Interesting &lt;a href=&quot;http://www.durangoherald.com/sections/News/2009/08/28/Fed_chief__hit_by_ID_theft/&quot;&gt;news&lt;/a&gt;, nonetheless...</description><link>http://bitarmor.blogspot.com/2009/08/bernanke-hit-by-id-breach.html</link><author>noreply@blogger.com (Manu Namboodiri)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4391522908329730957.post-4585507001653507051</guid><pubDate>Mon, 24 Aug 2009 15:27:00 +0000</pubDate><atom:updated>2009-08-24T16:04:07.872-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">information-centric</category><title>Dirty secrets and the non-existent perimeter</title><description>The perimeter is dead - long live the perimeter (the new perimeter, that is). Which obviously is the data.&lt;br /&gt;&lt;br /&gt;I am also intrigued by &lt;a href=&quot;http://www.cio.com/article/499829/8_Dirty_Secrets_of_the_IT_Security_Industry&quot;&gt;an article by Joshua Corman from IBM&lt;/a&gt;, in CIO magazine, that discusses this. Check out Dirty Secret #3: &quot;There is no perimeter&quot;. I love it. Mostly because it is true. And for some small selfish reasons as well... :)&lt;br /&gt;&lt;br /&gt;Here is what he says - very eloquently, I might add..&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-style: italic; color: rgb(255, 102, 0);&quot;&gt;&quot;We need to define what the perimeter is,&quot; he said. &quot;The endpoint is the perimeter, the user is the perimeter. It&#39;s more likely that the business process is the perimeter, or the &lt;span style=&quot;font-weight: bold;&quot;&gt;information itself is the perimeter&lt;/span&gt;, too. If you design your security controls with no base assumption of a perimeter, when you have one you are more secure. The mistake we tend to make is, if we put the controls at the perimeter, then we will be fine. 
For many threats, we couldn&#39;t be more wrong.&quot;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The bold emphasis above is mine - and not from Joshua. But I do it to illustrate my point (which I put forth in a &lt;a href=&quot;http://blog.bitarmor.com/2009/08/benefits-of-information-centric.html&quot;&gt;recent blog on the benefits of an information-centric security approach&lt;/a&gt; as well). Security professionals need to move beyond the perimeter thinking that has dominated for the past 30-40 years and recognize the world is different now.&lt;br /&gt;&lt;br /&gt;For heaven&#39;s sake, the internet that allows for rapid dissemination of data and collaboration is already a teenager! Why do we still protect this environment with stuff built for the 70&#39;s?</description><link>http://bitarmor.blogspot.com/2009/08/dirty-secrets-and-non-existent.html</link><author>noreply@blogger.com (Manu Namboodiri)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4391522908329730957.post-8705166826938779553</guid><pubDate>Sun, 23 Aug 2009 17:46:00 +0000</pubDate><atom:updated>2009-08-23T14:03:09.618-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">information-centric</category><title>Benefits of information-centric security</title><description>For a while I have been meaning to write a short article on what I think information-centric security is - so here goes.&lt;br /&gt;&lt;p class=&quot;MsoNormal&quot;&gt;Organizations have focused on securing sensitive data by protecting the infrastructure that hosts the data. This could be implemented by hosting the servers inside a data center, using firewalls and similar perimeter protection techniques to prevent external attackers, encrypting whole drives or encrypting networks. I think of these as protecting data by proxy - i.e. 
protect the network &lt;span style=&quot;font-weight: bold; font-style: italic;&quot;&gt;to protect the data&lt;/span&gt;, protect the perimeter &lt;span style=&quot;font-weight: bold; font-style: italic;&quot;&gt;to protect the data&lt;/span&gt;, protect the device &lt;span style=&quot;font-weight: bold; font-style: italic;&quot;&gt;to protect the data&lt;/span&gt;.&lt;br /&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot;&gt;Information-centric security is the concept of focusing the protection &lt;span style=&quot;font-weight: bold; font-style: italic;&quot;&gt;on the data itself&lt;/span&gt; as opposed to the device – protection that stays with the data while at rest and while in motion. Access controls and other policies are embedded in the data and follow it wherever it goes - thus enforcing these policies at the data level, regardless of where the data is.&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot;&gt;This approach has several advantages:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;Continuous protection:&lt;/span&gt; Data always remains protected since it does not get decrypted as it moves - this has performance benefits as well as security benefits&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;Device independence&lt;/span&gt;: Data can be protected regardless of the devices it rests on or travels between. For example, if data moves to a USB device or to a backup tape, it still remains protected. No need to deploy a USB protection solution or a backup tape solution separately.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;Enabling secure collaboration&lt;/span&gt;: Since the data remains persistently protected, you can share it better - the proper access controls of who can access the data remain with the data itself! Therefore data can be self-defending. 
No need to provide access to networks, file shares etc. to share data.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;Lower costs and complexity&lt;/span&gt;: all this comes down to much lower costs and complexity - no need to have multiple device- or network-centric products protecting data, and that too by proxy.&lt;/li&gt;&lt;/ul&gt;I think the world is moving to such a method of protecting data - the old ways are untenable in today&#39;s world of exploding data and the requirements to share and collaborate.&lt;br /&gt;&lt;p class=&quot;MsoNormal&quot;&gt;&lt;br /&gt;&lt;/p&gt;</description><link>http://bitarmor.blogspot.com/2009/08/benefits-of-information-centric.html</link><author>noreply@blogger.com (Manu Namboodiri)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4391522908329730957.post-2361788305030958425</guid><pubDate>Tue, 18 Aug 2009 17:19:00 +0000</pubDate><atom:updated>2009-08-18T13:32:03.519-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">data breaches</category><category domain="http://www.blogger.com/atom/ns#">information-centric</category><title>The same TJX hacker?</title><description>How many more breaches were perpetrated by Albert Gonzalez? According to new charges, he is saddled with TJX (from before) and &lt;a href=&quot;http://www.wired.com/threatlevel/2009/08/tjx-hacker-charged-with-heartland&quot;&gt;now with Heartland as well as Hannaford&lt;/a&gt;! The guy has been busy, no doubt.&lt;br /&gt;&lt;br /&gt;What was it that made these breaches similar? And what did we not learn from the first ones that we let Albert and gang do it again and again? Obviously there are many theories - but my view is, at the end of the day, infrastructure protection can get you only so far.&lt;br /&gt;&lt;br /&gt;We need an information-centric approach to protection where the focus is not on the pathways, perimeters and devices, but on the data itself. 
Imagine if this were the case in the above breaches, where data was stripped from networks or from servers. If that data were protected at rest and in flight, it would not have mattered if the data were copied outside the company - it is protected! It remains encrypted!&lt;br /&gt;&lt;br /&gt;Better, more logical and more effective security. But it seems like folks are still in the rush of &quot;protect the infrastructure&quot;...</description><link>http://bitarmor.blogspot.com/2009/08/same-tjx-hacker.html</link><author>noreply@blogger.com (Manu Namboodiri)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4391522908329730957.post-1292877476829768415</guid><pubDate>Thu, 30 Jul 2009 13:39:00 +0000</pubDate><atom:updated>2009-07-30T09:55:19.968-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">data breaches</category><category domain="http://www.blogger.com/atom/ns#">information-centric</category><title>Persistent, information-centric protection, PCI and the Network Solutions breach</title><description>The more news I see regarding various breaches, the more I am convinced of the superiority of persistent and information-centric security. For example, take the &lt;a href=&quot;http://www.scmagazineus.com/Network-Solutions-was-PCI-compliant-before-breach/article/140642/&quot;&gt;latest breach&lt;/a&gt; at Network Solutions - a PCI compliant organization. 
Over half a million cards stolen.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;Comments galore:&lt;/span&gt;&lt;br /&gt;Here is what they say: &lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;&quot;The company determined that the unauthorized code may have been used by cybercriminals to capture transaction data, including customer names, addresses, and credit card numbers, and transfer it to servers outside of the company....&lt;/span&gt;&quot;&lt;br /&gt;&lt;br /&gt;Now look at the statements below from industry experts:&lt;br /&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;&lt;br /&gt;&quot;...many enterprises are behind in security protection efforts such as anti-virus updates due to shrinking IT budgets, which results in unpatched vulnerabilities that are easily exploited&quot;&lt;/span&gt;&lt;br /&gt;Seems like anti-virus and unpatched systems are the main culprit - long live infrastructure protection!&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;color: rgb(255, 102, 0);&quot;&gt;&quot;...the incident illustrates the risks of cloud computing.&quot;&lt;/span&gt;&lt;br /&gt;A broad general statement - not clear what the implication is :)&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;The point:&lt;/span&gt;&lt;br /&gt;My point is that the industry is so wrapped around protecting the infrastructure - i.e. protecting data by proxy - that they forget what it is they are really trying to protect. With an information-centric security solution, the credit card data would be protected persistently. 
Even if the data were to be &quot;..transferred over to servers outside the company..&quot;, it would still remain encrypted thus making it much harder for criminal organizations to obtain any value from the data.&lt;br /&gt;&lt;br /&gt;The last and best line of defense is the data - this is how layered security should be.</description><link>http://bitarmor.blogspot.com/2009/07/persistent-information-centric.html</link><author>noreply@blogger.com (Manu Namboodiri)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4391522908329730957.post-1303133021918385616</guid><pubDate>Fri, 24 Jul 2009 14:54:00 +0000</pubDate><atom:updated>2009-07-24T11:00:53.607-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">data breaches</category><category domain="http://www.blogger.com/atom/ns#">Fines</category><title>Where does a £3M fine hurt?</title><description>Not sure, but we will know. Regulatory bodies are becoming increasingly tough on lax organizations for not protecting sensitive data - HSBC was &lt;a href=&quot;http://news.bbc.co.uk/2/hi/business/8162787.stm&quot;&gt;recently fined &lt;/a&gt;&lt;b&gt;&lt;a href=&quot;http://news.bbc.co.uk/2/hi/business/8162787.stm&quot;&gt;£3M&lt;/a&gt; &lt;/b&gt;for not adequately protecting customer records.&lt;br /&gt;&lt;br /&gt;The interesting part to notice is the fine was applied even though no customer had an unfortunate incident after the breach - I presume like a lost identity, stolen money from their bank etc.&lt;br /&gt;&lt;br /&gt;And even more interesting was that HSBC got a 30% discount for cooperating :). Good boy! 
&lt;b&gt;&lt;br /&gt;&lt;/b&gt;</description><link>http://bitarmor.blogspot.com/2009/07/where-does-3m-fine-hurt.html</link><author>noreply@blogger.com (Manu Namboodiri)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4391522908329730957.post-744762861645381780</guid><pubDate>Fri, 24 Jul 2009 02:17:00 +0000</pubDate><atom:updated>2009-07-24T15:35:39.345-04:00</atom:updated><title>It&#39;s the Vision Thing, Stupid!</title><description>&lt;div&gt;Let&#39;s face it: &quot;It&#39;s the software, stupid!&quot; gets almost a million hits &lt;/div&gt;&lt;div&gt;on Google.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;And I don&#39;t want to belittle software.  Software is important. &lt;/div&gt;&lt;div&gt;Software is what processes your data, and unfortunately, software &lt;/div&gt;&lt;div&gt;is horribly badly designed and rushed to market long before it is &lt;/div&gt;&lt;div&gt;ready.  Your data is at risk?  Blame software.  It&#39;s easy, and you &lt;/div&gt;&lt;div&gt;can be 99% sure you are right.  Those are pretty good odds.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;But think about where you were when &quot;ILOVEYOU&quot; hit.  When &lt;/div&gt;&lt;div&gt;I wrote &quot;JustBeFriends&quot;, we assumed that Microsoft would blame &lt;/div&gt;&lt;div&gt;the victim, as they had every previous time. Instead, Microsoft &lt;/div&gt;&lt;div&gt;changed direction and started caring about security.  Bad news for &lt;/div&gt;&lt;div&gt;me, good news for Microsoft.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This is a blog post.  It will not answer all your questions.  
But it &lt;/div&gt;&lt;div&gt;will make the following points:&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;(1) virtualization is important,&lt;/div&gt;&lt;div&gt;(2) your data is what matters,&lt;/div&gt;&lt;div&gt;(3) the world is changing,&lt;/div&gt;&lt;div&gt;(4) there are no time machines or magic wands.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;We now return you to your regularly scheduled blog.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;-Tim&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;</description><link>http://bitarmor.blogspot.com/2009/07/its-vision-thing-stupid.html</link><author>noreply@blogger.com (Tim Hollebeek)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4391522908329730957.post-1095746758623793228</guid><pubDate>Wed, 22 Jul 2009 15:50:00 +0000</pubDate><atom:updated>2009-07-22T11:54:46.946-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">information-centric</category><category domain="http://www.blogger.com/atom/ns#">virtualization security</category><title>Virtualization security - presentation at the OpenGroup Security Conference</title><description>Just presented on virtualization security and some of my thoughts on how an information-centric security approach will be absolutely essential - this is at the &lt;a href=&quot;http://www.opengroup.org/toronto2009/&quot;&gt;OpenGroup Security Conference&lt;/a&gt; in Toronto. 
I am putting up the slides I presented in this post.&lt;br /&gt;&lt;br /&gt;This is my first attempt at sharing slides via Slideshare - lets see how it works:&lt;br /&gt;&lt;div style=&quot;width: 425px; text-align: left;&quot; id=&quot;__ss_1754084&quot;&gt;&lt;a style=&quot;margin: 12px 0pt 3px; font-family: Helvetica,Arial,Sans-serif; font-style: normal; font-variant: normal; font-weight: normal; font-size: 14px; line-height: normal; font-size-adjust: none; font-stretch: normal; display: block; text-decoration: underline;&quot; href=&quot;http://www.slideshare.net/mnamboodiri/open-group-virtualization-security-final&quot; title=&quot;Open Group Virtualization Security Final&quot;&gt;Open Group Virtualization Security Final&lt;/a&gt;&lt;object style=&quot;margin: 0px;&quot; width=&quot;425&quot; height=&quot;355&quot;&gt;&lt;param name=&quot;movie&quot; value=&quot;http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=opengroupvirtualizationsecurityfinal-090722104411-phpapp02&amp;amp;stripped_title=open-group-virtualization-security-final&quot;&gt;&lt;param name=&quot;allowFullScreen&quot; value=&quot;true&quot;&gt;&lt;param name=&quot;allowScriptAccess&quot; value=&quot;always&quot;&gt;&lt;embed src=&quot;http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=opengroupvirtualizationsecurityfinal-090722104411-phpapp02&amp;amp;stripped_title=open-group-virtualization-security-final&quot; type=&quot;application/x-shockwave-flash&quot; allowscriptaccess=&quot;always&quot; allowfullscreen=&quot;true&quot; width=&quot;425&quot; height=&quot;355&quot;&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div style=&quot;font-size: 11px; font-family: tahoma,arial; height: 26px; padding-top: 2px;&quot;&gt;View more &lt;a style=&quot;text-decoration: underline;&quot; href=&quot;http://www.slideshare.net/&quot;&gt;presentations&lt;/a&gt; from &lt;a style=&quot;text-decoration: underline;&quot; 
href=&quot;http://www.slideshare.net/mnamboodiri&quot;&gt;mnamboodiri&lt;/a&gt;.&lt;/div&gt;&lt;/div&gt;</description><link>http://bitarmor.blogspot.com/2009/07/virtualization-security-presntation-at.html</link><author>noreply@blogger.com (Manu Namboodiri)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4391522908329730957.post-4616567538199468283</guid><pubDate>Wed, 22 Jul 2009 15:23:00 +0000</pubDate><atom:updated>2009-07-22T11:28:26.700-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">data breach law</category><title>The new Missouri breach law</title><description>Looks like we have state number 45 - Missouri passed a new &lt;a href=&quot;http://www.digestiblelaw.com/datasecurity/blogQ.aspx?entry=6064&amp;amp;id=34&quot;&gt;breach law&lt;/a&gt; recently and it will be applicable by the end of August. Nothing earth shattering in the new law - it follows pretty much the standard ones.&lt;br /&gt;&lt;br /&gt;The interesting part is they decided not to go the Nevada and Massachusetts way and look at prescribing a solution - i.e. encryption.  Does this mean there is less perceived value in what the MA law is? Or are legislators unwilling to go the extra step to enforce protection for fear of pushback?</description><link>http://bitarmor.blogspot.com/2009/07/new-missouri-breach-law.html</link><author>noreply@blogger.com (Manu Namboodiri)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4391522908329730957.post-716634229179576190</guid><pubDate>Mon, 20 Jul 2009 14:13:00 +0000</pubDate><atom:updated>2009-07-20T10:27:18.893-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">data breaches</category><category domain="http://www.blogger.com/atom/ns#">patient records</category><title>The UCSD and Kaiser breaches</title><description>Have not talked much about any specific breach in a while, but this one caught my eye. 
Apparently the &lt;a href=&quot;http://www3.signonsandiego.com/stories/2009/jul/17/1m17hacker221630-hotline-ucsd-patients-swamped/?technology&amp;amp;zIndex=133482&quot;&gt;hotline for a hospital that had a breach was swamped&lt;/a&gt; with folks trying to understand what happened and whether they were at risk. UCSD had a breach of about 30,000 records, when an external attacker was able to pry through the defenses.&lt;br /&gt;&lt;br /&gt;I was beginning to get concerned that folks were not in the least (concerned, that is)! Apparently they still do care when their personal information gets out there - but, as is the case all the time, it has to get personal. In fact they were concerned enough to swamp the hospital with calls!&lt;br /&gt;&lt;br /&gt;Which brings me to the benefits of small amounts of money, spent judiciously on the right security programs. Even if the cost of losing 30K records was a minimal $30 per record (including the costs of notification, credit monitoring, legal fees etc.), it&#39;s still nearly a whopping million dollars! A lot of moolah to be sure..&lt;br /&gt;&lt;br /&gt;Which brings me to &lt;a href=&quot;http://latimesblogs.latimes.com/lanow/2009/07/kaiser-fine.html&quot;&gt;the Kaiser breach&lt;/a&gt; - the judge saw it prudent to smack the hospital on its wrists with a fine of $187K. 
Not a large fine in the context of a hospital, but something to say it is serious about preventing lax management of records.</description><link>http://bitarmor.blogspot.com/2009/07/ucsd-breach.html</link><author>noreply@blogger.com (Manu Namboodiri)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4391522908329730957.post-2286807578169430687</guid><pubDate>Wed, 15 Jul 2009 14:59:00 +0000</pubDate><atom:updated>2009-07-15T12:25:16.487-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">data breaches</category><category domain="http://www.blogger.com/atom/ns#">information-centric</category><category domain="http://www.blogger.com/atom/ns#">surveys</category><title>New Ponemon report - little change</title><description>It is interesting to note that the more things change, the more they remain the same! The new &lt;a href=&quot;http://www.ponemon.org/&quot;&gt;Ponemon&lt;/a&gt; report is out and the numbers are interesting (but no shocking new revelations). Check out the article from &lt;a href=&quot;http://www.darkreading.com/database_security/security/encryption/showArticle.jhtml?articleID=218500434&quot;&gt;Dark Reading&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;74% of organizations had a breach in the last 12 months (the &lt;a href=&quot;http://news.prnewswire.com/DisplayReleaseContent.aspx?ACCT=104&amp;amp;STORY=/www/story/07-13-2009/0005058636&amp;amp;EDATE=&quot;&gt;PGP release&lt;/a&gt; says 85%)&lt;/li&gt;&lt;li&gt;22% had five or more breaches (and they did not have any encryption)&lt;/li&gt;&lt;li&gt;Compliance is a big driver (64% say this is why they do what they do)&lt;/li&gt;&lt;/ul&gt;One interesting nugget is the idea that encryption is becoming more strategic and folks are moving away from point solutions. 
I am not sure how people view the difference between point solutions and a suite of solutions :) (the latter is just a bunch of point products slapped together into an interface).&lt;br /&gt;&lt;br /&gt;I strongly believe that this device-centric approach will not get us out of this funk. Every year we have more breaches, even though adoption of encryption is getting better. Why? Poor strategies, poor management of encryption and multiple device-centric solutions not really doing the job.&lt;br /&gt;&lt;br /&gt;The only way to truly protect data is with an information-centric security approach - and not to focus on multiple devices, apps, file shares and now mobile devices as seen in &lt;a href=&quot;http://www.darkreading.com/database_security/security/encryption/showArticle.jhtml?articleID=218500434&quot;&gt;this article&lt;/a&gt;.</description><link>http://bitarmor.blogspot.com/2009/07/new-ponemon-report-little-change.html</link><author>noreply@blogger.com (Manu Namboodiri)</author><thr:total>0</thr:total></item></channel></rss>