VentiSys – Security Tech Trailblazers Winners

Tech Trailblazer Winner

Tuesday 18th December 2012, Sligo, Ireland – VentiSys Technology Ltd announced today that it has won the global tech trailblazer award in the security category for its product Oudles Vault. The Tech Trailblazers is a new concept in awards, designed explicitly for smaller businesses and start ups that are less than five years old and at C-series funding or below. The awards have low barriers to entry and prizes that not only recognize startup innovation, but also proactively help startups grow their business with exclusive coaching, mentoring and development as well as an estimated prize fund in excess of $1 million. The awards seek to recognise true innovators in enterprise technology and other areas.

The Product

VentiSys’ product Oudles Vault, helps organisations protect their data at a time when new trends and cultural shifts are occurring in enterprises of all sizes. Specifically Oudles Vault protects business data amid the shift to “bring your own device”, which opens up a Pandora’s box of security issues. The category finalists were selected by a distinguished panel of industry specialist international judges, a public vote process was then employed to get wider industry feedback.

The Awards

Joe Morrissey, CEO of VentiSys Technology Ltd, is delighted with the win. “This is super validation of the VentiSys’ team efforts – not only have we received a thumbs up from the industry peer judges, but the wider industry voted strongly for our value proposition, we put our customers needs at the core of everything we do – it’s so nice that our efforts are recognised globally.”

Rose Ross, founder of the Tech Trailblazers awards, commented, “Our goal in our first year was to create a truly global award for enterprise tech startups with prizes that would actually help them grow their businesses. The Tech Trailblazers has proved itself as the enterprise tech world’s independent award dedicated to discovering the hottest new enterprise tech innovations from around the world.”

“The awards have proved that technological innovation is not just for the so-called “major players.” Exciting new technologies are being developed all over the world by fledgling companies that need only the recognition and resources to succeed. We look forward to watching our 2012 winners flourish, and welcoming even more entrants to the 2013 awards.”

Award Sponsors include, Amoo Venture capital advisory, The data chain, The next Silicon Valley, Outsource, TiE Silicon Valley, beSuccess, SNIA, Startup America, Wazoku, The Cloud Security Alliance, Launchpad Europe, The Green Grid, ExecEvent, my News Desk, Prezi, MIT / Stanford Venture Labs, Realwire, VM Ware, and Listed.

The categories and winners can be viewed here.

About VentiSys Technology ltd

Founded in 2007 by Joe Morrissey and Jon Guymer and headquartered in Sligo, Ireland the VentiSys team consistently listens to the market and it’s customers, building and honing software and security solutions to meet and exceed their needs.

PRESS RELEASE

For Immediate Release

Monday 16 April 2012

Oudles Vault secures success in Silicon Valley

Sligo company VentiSys Technology shortlisted for prestigious CODiE Awards

Monday 16 April 2012, Sligo, Ireland – VentiSys Technology Ltd announced

today that it has been shortlisted as one of three finalists for the 27th

annual CODiE Awards on May 10th 2012, San Francisco, in the Best

International Data Protection Solution business software category for their

product Oudles Vault, www.oudlesvault.com. The prestigious CODiE

Awards are organised by the Washington DC based Software &

Information Industry Association, a leading international trade association

for the software and digital content industry. VentiSys Technology, based

in Sligo, Ireland, is an innovative high potential start up client of

Enterprise Ireland.

Oudles Vault, the company’s flagship product, helps organisations protect

their data at a time when new trends and cultural shifts are occurring in

enterprises of all sizes, an example being the emerging “Bring Your Own

Device” shift, where enterprises struggle to control data security

across heterogeneous devices.

Joe Morrissey, CEO of VentiSys Technology Ltd, is extremely encouraged

by the nomination and said: ‘Oudles Vault provides a new, effective

alternative to the problem of maintaining control and compliance of data,

as well as maintaining business continuity for CIO’s and CISO’s – the

problem it addresses predominately is the awkward position a company

faces when it loses a device with sensitive data on board.

‘Having Oudles Vault peer reviewed as one of the top three data

protection solutions internationally, validates the effort of the VentiSys

team and the company’s philosophy of excellence in market requirement

analysis, intuitive user interface design and software development. One of

the greatest honours in any industry is gaining the recognition of one’s

industry peers and being selected as a top three category finalist. So

when we learned we were shortlisted with peer companies such as Google

Apps, Red Hat, Adobe, SAP, Dow Jones, Fortify and Bloomberg – it really

re-confirmed our work and naturally, it is a huge honour’, he said.

Greg Treston, Enterprise Ireland Head of High Potential Start Ups and

Scaling said: ‘This is a significant development for VentiSys and we

congratulate them on their success. This is an ambitious and exciting

company and an example of an innovative Irish company that is winning

customers with the quality of their product and service. We look forward

to working closely with VentiSys as they grow their business’.

The overall category winners will be announced on Thursday, May 10, at

the prestigious CODiE Awards Presentations held in conjunction with the

SIIA’s annual All About the Cloud conference, in San Francisco, California.

The category finalist products were extensively reviewed by executives

with deep industry expertise who acted as judges. All nominated products

were reviewed through live demonstrations, trial access and

supplementary documentation.

ENDS

For further information contact:

www.oudlesvault.com

VentiSys Technology Communications contact: contact@ventisys.com

Oudles Vault product team communications contact:

contact@oudlesvault.com

VentiSys Technology Press contact: +353 (0)1 443 4272

Background Information

Project details:

Joe Morrissey, CEO of VentiSys Technology Ltd, outlined the project: ‘First

generation technologies such as Full Disk Encryption have some

shortcomings as it is impossible to determine the status of the now stolen

(problem) device. Additionally, the mandatory reporting of data breach or

machine loss is now, under the data protection acts, law, in the EU and

many US states (European Communities [Electronic communications

networks and services] Privacy and electronic communications)

Regulations 2011.

The Irish Offices of the data protection commissioner summarises this law

as requiring:

“Compulsory notification of individuals concerned , and the Office

of the Data Protection Commissioner in the case of data

breaches.”

This is law for companies of all sizes, additionally it holds company

directors personally culpable should they fail to comply. Whenever a

machine is lost or stolen, the first questions asked by a Data

Protection investigating official are:

1 – Was the stolen machine encrypted?

2 – Can you prove it?

3 – Was it decrypted or encrypted at the time of loss or theft?

4 – Was the decryption key written somewhere on the machine?

The Solution? – Oudles Vault

For company directors, a product that proves that a data breach did not

occur is invaluable – and this is what Oudles Vault does – simply and

conclusively. But it even goes a step further, Oudles Vault is fundamentally

different, offering secure backup by design. Files are continuously backed

up while the machine is safely with its authorised user, so we can wipe the

machine regardless of web connectivity after loss. The machine may be

lost, failed or stolen, but the data is always readily recoverable. All backed

up data is encrypted to strong industry standards before being

transmitted. Then, it is stored in SAS 70 Type II , PCI compliant, HIPAA

and ISO 27001 compliant data centres. No one except the client

organisation can decrypt the backed-up data, not even Oudles Vault staff.

Your data remains always in your control.

About the CODiE Awards

The CODiE Awards, originally called the Excellence in Software Awards,

were established in 1986 by the Software Publishers Association (SPA),

now SIIA, so pioneers of the then-nascent software industry could

evaluate and honour each other’s work. Since then, the CODiE Awards has

carried out the same purpose – to showcase the software and information

industry’s finest products and services and to honour excellence in

corporate achievement. Previous winners include Apple, Microsoft, IBM,

Electronic Arts, Citrix, Cisco, Symantec and Salesforce.

The “best international data protection solution” recognises the best

application or service that adheres to compliance, privacy and security

regulations across international borders. This award includes services

dealing with sensitive personal, government or business data; identity

systems; behavioural targeting; analytics; defence, healthcare and other

verticals.

About VentiSys Technology Ltd:

VentiSys Technology Ltd was founded

by Joe Morrissey and Jon Guymer in 2007 to provide, manage and deploy

innovative cloud based technology solutions to business process problems.

Oudles Vault is the companies flagship product. The company is Head

Quartered in Sligo Ireland, with offices in Canary Wharf, London.

We were delighted to be recently announced as a winner in the National  SFA (Small Firms Association)  ”Emerging New Companies award for 2011″ at Trinity College Dublin this month (March 2011).

This is a fantastic endorsement of our efforts and hard work required to develop the www.oudlesvault.com Software as a Service, from a working concept to a commercial offering, and it is a fitting recognition of the VentiSys Technology team’s diligence and commitment to that goal.

After a fabulous awards ceremony, we all enjoyed a fantastic dinner and networking event, where we caught up with old friends – made new friends, and afterwards enjoyed a “long” night in Dublin City – let’s just say, a good time was had by all.

Pictured above (centre) is Jon Guymer of VentiSys Technology Ltd, collecting the national award on behalf of the VentiSys team. Jon is pictured with Mr Ian Martin (left) Chairman of the SFA, and Mr Michael Kelly of the Irish City and county Enterprise Boards, (sponsors of the Award).

We are delighted to announce that we have been short listed as a finalist in the Best Emerging New Companies category. the information below is taken from the SFA website.

The following companies have been shortlisted as the finalists for the SFA National Small Business Awards 2011. The overall winner from each category will be announced at a Gala event on the 3rd of March 2011 and will be presented with an Award by the Patron of the awards, An Taoiseach, Brian Cowen, TD.

Manufacturing: up to 50 employees), sponsored by Chartered Accountants Ireland:

Shortlist of the finalists 2011:

BMS Ireland, Limerick

Broadway Bagels, Waterford

Euroflex Teo, Donegal

Label Craft, , Dublin

Megazyme International Ireland, Wicklow

Skyway Safe Access Equipment, Meath

• • Services: (up to 50 employees), sponsored by Eircom:

    Shortlist of the finalists 2011: Eolas International Research, Cork

    Espion, Dublin

    H2 Compliance Limited, Dublin

    O’Connell Group, Cork

    Sea Cargo Services, Cork

    Zarion Limited, Dublin

Outstanding Small Business: (up to five employees), sponsored by AIB:

Shortlist of the finalists 2011:

ALS Labelling Solutions, Dublin

Ann McGee Consulting, Dublin

EuroEvents, Dublin

Good Food Ireland, Wexford

Clevamama, Dublin

Wexgen, Wexford

Innovator of the Year: (up to 50 employees), sponsored by Enterprise Ireland:

Shortlist of the finalists 2011:

BMS Ireland, Limerick

Euroflex Teo, Donegal

Megazyme International Ireland, Wicklow

Easydry, Louth

Multihog, Louth

Tower Aqua Products, Cork

Environmental Sustainability: (up to 50 employees), sponsored by Sustainable Energy Ireland:

Shortlist of the finalists 2011:

Clane Building Works, Kildare

Croke Park Stadium, Dublin

Daintree Paper, Dublin

Drawinginc, Dublin

McNally Joinery, Dublin

Ryan’s Cleaning Event Specialists, Tipperary

In addition, 5 of the best recently established companies have been selected to be profiled:

Best Emerging New Business: (up to 50 employees and under 2 years in business), sponsored by the County and City Enterprise Boards: Shortlist of the finalists 2011:

VentiSys Technology, Sligo

Irish Ambulance Training Institute, Galway

Mc Evoy Family Foods, Tipperary

Sonru, Wexford

Clever Box Club, Dublin

The awards will be presented by Awards Patron, An Taoiseach, Brian Cowen, TD, to all category winners and the Overall Winner at a Gala Event on March 3rd 2011.

No doubt in some quarters, the headline of this short post will be greeted with shock, surprise,  and a probable and almost audible “tut tutting” from the administrators of patents, that so many invest in heavily to obtain. Please don’t get me wrong –  I’m not saying this applies in all cases, they do serve a purpose – however this is one in which I think they fail enormously, please- stay with me and see our viewpoint.

The reason I raise this observation, in a granted “self serving manner”, is that it recently dawned on us in VentiSys, that the trophy we were chasing was in fact – possibly the most poisoned chalice, we could set our goals against. This rant (for want of a better word) –  is the conclusion we have distilled down to presently.

So no apologies – you have been warned – this is somewhat self serving  - in that we’d like to share our experience thus far, and that it may get a response that could jolt us out of our current thinking? Or get some other takes on it, possibly people with comments in relation to the dilemma, we find ourselves in.

Our perspective.

To appreciate where we are coming from on this, requires readers to understand we provide information security tools / software and service, to businesses. We have a “novel” new, “non obvious” “useful” and exciting “technical effect” that secures information on data endpoints (Laptops and PC’s).

The words novel, new,  non obvious, useful, and technical effect could be put beside tick boxes on a patent attorneys initial review, and as the line above shows – he would get ticks in all the boxes, Woohoo? – well, not quite.

The damn thing is – if we file even a long term patent application it would be kept secret for 18 months, after which – low and behold, and without warning, –  it is published for all and sundry to read, study and fully grasp.

Now – I don’t know about you – but if you had devised a new, novel, non obvious and useful lock for protecting your house – would you give the thief a drawing of the lock, so he could fabricate a key? No, bloody right you wouldn’t – nor would I.

The thing is when filing a patent for our “security system” that’s exactly what we would be required to do. It’s a bit like giving a hacker directions to the Map Store (Patent Office), and giving him the map reference (Patent filing reference) and expecting him after studying this – not to be tempted to have a go breaking into our house.

Not going to happen folks, now is it?

So, how can this be the case?

Off course, there is a very good reason  - The patent system is there since it’s first iteration in 500BC, when a guy from Greece / now southern Italy sought to increase refinements of luxury. Basically any profit’s arising from the sale of silk toilet paper etc, went to the inventor for a period of 1 year, where they went after that- who knows, but that is beside the point.

A Florentine architect was the next benefactor, devising a barge with a hoist on it – he upped the duration to 3 years. Then King Henry in 1449 granted a patent to a coloured glass maker introducing the technology to England, and prevent even those knowing how to directly copy the techniques and material usage from doing so for the duration of the patent.

And it evolved from this, to what we have today, a conduit for the spread of knowledge- but the guarding of the interest and rights of those who filed first- the same thing effectively as what was knocking around medieval England under Henry. A hacker, on the other hand doesn’t give a hoot for this history, the system design, the rights, or interest’s of anyone- he / she only wants  to understand it’s design, so as to craft a key that fits the lock.

What I’m saying is that the hacker does not profit from emulating-  he profits from theft, or simply enjoy’s grinding keys to look at what’s held inside the Vault, maybe even only leaving a “Joe woz ere – nice system”.

If the sum total of the technical effect, achieves a greater system, but that technical effect is negated because of disclosure- what’s the damn point?

Our Choice?

If we had a choice (and thankfully we do) between keeping secret (how our lock works) knowing the hacker could never look at it / or dismantle it / reverse engineer it- V’s having disclosed the design in order to prove it delivers it’s technical effect- you have no doubt probably guessed that we would not give a damn about a piece of paper that says we protected it, but were dumb enough to tell the world how it worked and where to get the details.   Oh, by the way here is the cited reference numbers you will need.

Angel investors, and venture capitalists love patents don’t they?

So how does this affect company valuations then- Patents are considered the strong arm to guard against one of Mr Porters five forces,  namely the threat of competitive entry. But they don’t really apply here, or do they? Mr Porter in his unquestionable wisdom correctly suggested that we set off on our voyage in the race to secure our  chalice,  but, when we had it in our grasp, overflowing- we didn’t like the scent of the wine- it was corked!

This is becoming a huge increasing headache across jurisdictions, it is dis-jointed with the result that companies operating in different jurisdiction’s have different compliance parameters to grapple with, the perception of workload and costs are ever increasing as governance tries to adapt and adjust to the rapid pace of technology.

History dictated that Europe get it’s act together long ago -

In order to understand the differing perspectives on either side of the atlantic,  it has to be viewed in the context of things that happened in the past arising from the miss use of data (remember nothing is more powerful than intelligence, and intelligence at grass roots level is information).

World War II

Since the fall of Facism Europe has arguably been ahead on this,  Europeans are acutely familiar with the dangers associated with uncontrolled use of personal information from their experiences under world war 2 era fascist governments and post-War communist regimes, and are highly suspicious and fearful of unchecked use of personal information. World War II and the post-War period was a time in Europe that disclosure of race or ethnicity led to secret denunciations and seizures that sent friends and neighbors to work camps and concentration camps. Europe has experienced atrocities directly related to privacy and the release of personal information inconceivable to most Americans. In the age of computers, Europeans’ guardedness of secret government files has translated into a distrust of corporate databases, and governments in Europe took decided steps to protect personal information from abuses in the years following WW2.

The U.S.A Slant

The United States prefers what is called a ‘sectoral’ approach to data protection legislation, relying on a combination of legislation, regulation, and self-regulation, rather than overarching governmental regulations. Former U.S. President Clinton and former Vice President Al Gore explicitly recommended in their “Framework for Global Electronic Commerce” that the private sector should lead, and companies should implement self-regulation in reaction to issues brought on by Internet technology. To date, the US has no single, overarching privacy law comparable to the EU Directive. Privacy legislation in the United States tends to be adopted on an “as needed” basis, with legislation arising when certain sectors and circumstances require (e.g., the fair credit reporting, and the recently passed (March 1st, 2010) Massachusetts data security law ). Therefore, while certain sectors may already satisfy the EU Directive, at least in part, most do not. The reasoning behind this approach probably has as much to do with American laissez-faire economics as with different social perspectives. The First amendment of the constitution guarantees the right to free speech. While free speech is an explicit right guaranteed by the Constitution, privacy is an implicit right guaranteed by the Constitution as interpreted by the United states supreme court.

This brings us nicely to the New Massachsetts data security law.

Extract taken from INFORMATION WEEK http://www.informationweek.com/news/security/government/showArticle.jhtml?articleID=224400426&queryText=massachusetts%20cmr

The new Massachusetts data security law, 201 CMR 17.00, is a prime example of the increasingly aggressive role states are taking to protect their citizens. More than 40 states have data breach notification laws already on the books–a trend that started with California’s SB 1386 but certainly didn’t end there. Much like those other laws, Massachusetts’ has impact beyond the state’s borders and could spur similar legislation in other states./p>

Federal action is also a distinct possibility.

If you hold personal information on a Massachusetts resident, you were on the hook as of March 1. The question for security groups is, How do we comply with the myriad state-mandated data security laws without putting an undue burden on the business? And comply you must, because CMR 17.00 raises the stakes in terms of potential penalties. The law will be enforced, quite literally, in the breach, and companies can potentially be fined $5,000 per violation and per record lost. One stolen laptop loaded with a database containing the names and Social Security numbers of 200 Massachusetts residents puts you in the hole for a cool million.

The Massachusetts law isn’t remarkable in its overall requirements, but it is special in two areas. First, it requires businesses to attest that they have a working data security program in place to protect any personally identifiable information (PII) they’ve collected from state residents. Companies must maintain a comprehensive written information security program (WISP) that includes “technical, administrative, and physical safeguards” to protect PII. Covered businesses range from neighborhood dry cleaners to Fortune 100 companies, but the law stipulates that the program be appropriate to the size and resources of the business.

The Massachusetts law also stands out by mandating encryption of data in motion and at rest, including on laptops and other portable devices like smartphones, USB drives, and MP3 players. That’s going to be a sticking point for many shops; our InformationWeek Analytics State of Encryption survey found we’re still moving in fits and starts despite the momentum that compliance frameworks like PCI have generated. While 86% of the 499 business technology professionals responding to that poll employ some encryption, 31% of those respondents say it’s just enough to meet regulatory requirements. Only 14% characterize their encryption as pervasive, and just 38% say they encrypt mobile devices.

That puts a majority of respondents on a collision course with CMR 17.00.

Other directives cover, in fairly general terms, most of the areas you’d expect: secure authentication and access controls; firewalls; up-to-date patching and endpoint anti-malware protection; and user training in the technologies, policies, and proper handling of PII. In addition, an individual or a team must be named the official data security coordinator. This person is charged with the plan’s initial implementation, training of those involved, as well as with ongoing testing and evaluation of the WISP to ensure it evolves as business realities change. The coordinator also must assess third-party service providers’ ability to comply.

With any compliance mandate, IT’s goal should be to implement a program that doesn’t impose onerous changes to the way business is done. But the fact is, some business processes may need to be adjusted to meet compliance requirements. End-user training is a critical, and often overlooked, component as well. These are the people on the front lines, they need simple to use advanced tools that can pro-actively mediate access to data, and pursue compromised devices to ensure the integrity of the data resident on them.  This is where VentiSys Technology comes in.

We can see from above that this act is similar to the message that the UK’s ICO, and Ireland’s DPC have been voicing with respect to PII, namely you need a system to ensure the data you collect is safe, the data collected is warranted for the purpose of use, that it is not stored or used for purposes other than which it was intended and so on. So it seems there is a conflict across the pond, (for the record – we are resident in the European side) but the US nationally is been told to self regulate, be proactive and reactive by the highest powers in the land –  contrasted against a state level, for Massachusetts (for now) business and residents are being governed and fined for non compliance of state law, Who is calling the shots – and how could anyone be compliant, will website’s have to filter out Massachusetts (for now)and deny service provision, and do we really think they will ? Surely a more pragmatic approach is required?

Confidentiality

Defined in ISO-17799 as “ensuring that information is accessible only to those authorized to have access” and is one of the pillars of information security.  Confidentiality is one of the design goals for many cryptosystems, made possible in practice by the techniques of modern cryptology.

Integrity

Data integrity is data that has a complete or whole structure. All characteristics of the data including business rules, rules for how pieces of data relate, dates, definitions and lineage must be correct for data to be complete.

Availability

Simply put, availability is the proportion of time a system is in a functioning condition, or with respect to data – the data providing systems ability to deliver the correct data to the correct person within the bounds of the correct policies.

Well that’s all very well, but how can I use these as digital tools?

The systems that provide “Digital information systems” can be further dissected into the following components, the hardware (physical devices like desktops, laptops etc), the software – that acts as the conduit for information and interfaces with us the humans,  and the communications with a view to identifying and applying standards and policies, as mechanisms of protection and prevention. Essentially, procedures or policies are implemented to tell people (administrators, users and operators)how to use products to ensure information security within the organizations.

In short every information system that has integrity, should have

1 – The right hardware,  up to date, and well maintained.

2 – The right software, with easy to use automated advanced techniques.

3 – The right policies,  to guide practices.

Computer security could focus on ensuring the availability and correct operation of a digital information system, without concern for the information stored or processed by the computer – this is an unbalanced approach.

Governments, Corporations, Financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research, and financial status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks VPN, or otherwise to other computers.

Should confidential information about a business’ customers or finances or new product line, or sales pipeline, forecasts etc. fall into the hands of a competitor, such a breach of security could lead to lost business, law suits or even bankruptcy of the business. Protecting confidential information is a business requirement, and in many cases also an ethical and legal requirement.  This business “know how” as it is collectively is one of the most valuable assets a company has – and we discuss it in greater detail in our “data and it’s associated value” category.

For the individual, information security has a significant effect on privacy, which is viewed very differently in different cultures. This is collectively known as custodial data and is support by the data protection acts, and policed by the data protection commissioner’s, or information commissioner’s.

Our aim on this blog is to address all three areas

1 – Hardware – we can suggest suitable equipment, or advise on updates to legacy systems you already may have

2 – The right software, with easy to use automated advanced techniques. We will discuss the most advanced methods, and document how our solution is a better offering than current industry standard offerings.

3 – Policy – Every enterprise will have it’s own requirements, and whilst we cannot input directly, we can assist and advise.

The study centered on 305 in depth surveys with IT decision makers, and found that secrets form roughly 66% of the firms “information portfolio” – proprietary knowledge and secrets are usually considered twice the value of custodial data. As a result these “secrets” are clearly identified as real money making, lucrative targets for malicious theft. We’ve said it before and we’ll say it again – A $400 laptop is not worth $400.

Billy Hawkes – The Irish Data Protection Commisioner

To quote Billy Hawkes The Irish Data Protection commissioner (DPC) “the extent of the damage a laptop theft can create is limitless – no longer can the value of  the laptop be based on hardware costs, the cost of a stolen laptop could be a whole lot more.”

Where’s the action?

Given that trading in corporate secrets was found to be bigger and more lucrative than ever, companies strive to maintain competitive advantage by increasing their IP, and securing the IP already in their domain. This is broadly in line with what was found in the Forrester research, namely that 80% of security budgets are spent on 2 priorities.

Priority 1 – Compliance.

Priority 2  - Securing sensitive information.

A twist to the tale!

Here’s an interesting twist, whilst secrets comprise 62% of the overall information portfolio value, compliance comprises just 38% of the portfolio “value” – this suggests that compliance consumes the greater proportion of sanctioned budgets when looked at from the “value” perspective.

Isn’t it ironic – don’t ya think?

The irony is that whilst firms focus on preventing accidents, and data “spills” malicious theft is where the action and the money is. Data security incidents related to accidental losses and mistakes are unfortunately common, but by comparison with malicious theft cause little quantifiable direct damage, (prior to the DPC or ICO hearing about it, after which fines are commonplace, sometimes huge), but still CIO’s value lost know how from malicious theft even greater.

Respective value

The study found that the more valuable a firms information is – the more incidents or malicious theft attempts it will have. The portfolio value of the information managed by the top quartile of enterprises was twenty (20) times higher than the bottom quartile.

These high value enterprises had four times as many security incidents as low value firms – High value firms are not sufficiently protecting data from theft and abuse by third parties, having six times the amount of security incidents due to outside parties than low value firms. Maliciously identified as a target, and maliciously executed on through laptop or PC / Media theft.

Alarm Bells Please

The single most alarming fact that fell out of the Forrester Study was that of the 305 CISO’s (Chief information security officers) surveyed, none can quantify or say that they know – how effective their security controls actually are. Regardless of information, asset value, spending, or the number of incidents observed – nearly every company rated their controls to be equally effective – despite the number and costs varying widely.

It was found that even enterprises with a high number of incidents are still likely to imagine their programs are “very effective”

So –  How much does this all boil down to in money terms?

This post tries to draw comparisons between two types of data 1 – Corporate secret data, and 2 – Custodial data held by a corporation distinct to support it’s business processes.

For Secret data, only the corporations can assign a euro or dollar value to it, and again this is unfortunately often only done after it has been lost , but it is clear it is a growing lucrative target for theft and trading.

For Custodial data, also a growing lucrative target especially in respect of identity theft, it is policed on behalf of the subject matters interest by the DPC in Eire, the ICO in the UK, and agencies under and including the supreme court in the U.S (a bit different that side of the pond) but to put a $ value on it’s potential impact. – The most expensive data breech event in the study cost a company almost $31 million to resolve, the least expensive breech was $750,000.

Punchline?

Forrester concludes that most enterprises do not actually know whether their data security programs work or not. A frightening proposition in todays competitive, and policed landscape.

I’m not going to dissect and re-assemble what is already a good piece of journalism, so to state categorically this has not fallen from my pen but is the work of John Kennedy – the original article should be here.

Nice job John………..

Data Protection Commissioner Billy Hawkes has hit out at the reluctance of Irish public sector bodies to deal with data protection issues. Over 900 breaches in the private and public sector were investigated and breaches were up 50pc year –on-year.

Once again, Hawkes’ report focuses on the responsibility of private and public sector organisations to treat the personal information of their customers and clients with respect.

During 2009 the Office of the Data Protection Commissioner opened for investigation 914 complaints. This slight decrease on the figure for 2008 (1031) can be accounted in some respects for the almost halving over the last two years in complaints about unsolicited direct marketing text messages, phone calls, fax messages and emails.

The Data Protection Commissioner said this is attributable in part to a series of prosecutions against a number of companies operating in the premium rate text messaging sector.

Successful prosecutions in 2009 included four companies operating in the premium rate text messaging sector, a restaurant and a gym. In all cases it was for repeat offences.

The Commissioner considers that the message from his Office should now be clear – entities that continue to commit offences in relation to electronic marketing face prosecution.

The Commissioner also reports on efforts to minimise the number and impact of personal data security breaches and, when such breaches occur, to encourage organisations to voluntarily report the incidents to his Office.

Some 119 data security breach incidents were reported to the Office in 2009, a 47% increase on the number of reports received in the previous 12 months (there were 81 reports in 2008).

The Commissioner reports on high profile data security breach incidents that occurred in 2009 involving Bord Gáis Éireann and the Health Service Executive.

The Commissioner highlighted his concerns about the current inability of his Office to investigate the sending of unsolicited text messages, emails or the making of unsolicited phone calls by candidates for election or political parties.

He also outlined the outcome of an enagement with the Garda Siochana on its automatic number plate system. The Report also outlines views conveyed by the Commissioner on the DNA Bill, the Communications (Retention of Data) Bill and a Spent Convictions Bill.

The report also details discussions with Google in relation to Google Streetview in Ireland.

The Commissioner’s report also includes case studies of a number of specific investigations including:

·        Quinn Insurance seeking excessive Penalty Point information from individuals seeking motor insurance quotes

·        A paternity test result sent to the wrong address

·        The use of postcards to communicate with customers regarding overdue accounts

·        An employer covertly surveilling an employee

·        Prosecution of Jackie Skelly Fitness for unsolicited marketing text messages

·        Prosecution of Brasserie Sixty6 for the sending of unsolicited direct marketing text messages

·        Disclosure of personal information by an airline due to inappropriate security measures

·        Four legal enforcement notices issued two of which were to Iarnród Éireann

·        Both Bord Gáis and HSE were called out has having inappropriate security measures on laptop computers

·        Complaints about unsolicited text messages in the run-up to the local elections last year could not be investigated due to an exemption for politicians

·        The number of requests about drivers made to Motor tax offices is increasing

Security firm Esoion’s technical director Colm Murphy said that as today’s workforce becomes more mobile technologies such as VPNs, wireless and the ubiquitous laptop have for many, replaced the traditional desk bound computing environment.

“As laptops, blackberries and other mobile devices become defacto, data no longer just resides on secured servers located at corporate headquarters. Although this shift has advantages for companies and their employees in terms of productivity and flexibility, it presents a host of challenges as to how the data outside the four walls of the office can be adequately safeguarded.

“Whereas previously security threats came in the form of hackers targeting the server rooms of companies, now every laptop could potentially contain confidential customer and/or corporate data that is critical to a company’s operations.

The extent of the damage a laptop theft can create is limitless – no longer can the value of the laptop be based on the hardware cost, the cost of a stolen laptop could be a whole lot more.

“Beyond the Bord Gais and HSE examples, the records of over 171,000 Irish blood donors were on the a laptop that went missing New York in February 2008 and in November 2007 two British Revenue and Customs CDs containing the personal details of 25 million Britons were reported missing and to date have not been found.

“As today’s world calls for people to have access to data regardless of where they physically are, laptops and mobile devices will become more and more prevalent, not just as the means of doing business, but as a target for data thieves,” Murphy said.

Problem Statement “I want to let Glassfish handle access and authentication for my web app but I want it to tie in with the user the credentials I already have in my database“.

Configuring a security realm in Glassfish v3 to tie in with your pre-existing MySQL database for user credentials is actually easier than you might think.

So here goes…

Step 1 – Create a connection pool and JNDI source

Make sure that the current MySQL JDBC connector jar file is in the following directory:-

$GLASSFISH_HOME/glassfish/domains/YOURDOMAIN/lib/ext

Restart your app server then fire up the admin console and from the navigation tree on the left click:-

JDBC -> Connection_Pools -> New

Give your connection pool a name and fill in the rest of the fields as shown below, click next.

Add new connection pool

The datasource classname should have populated to

com.mysql.jdbc.jdbc2.optional.MysqlDataSource

Next we need to fill in a few fields in the ‘additional properties’ section:-

• user – (your database user name)
• password – (the password for your database user)
• databaseName – (your database name)
• portNumber – (usually 3306)
• serverName – (e.g. localhost)
• URL – jdbc:mysql://localhost:3306/your_DB_name_here

Save these settings and then click ‘ping’ to test everything is ok:-

The message you should see

From the navigation tree on the left click:-

JDBC -> JDBC_Resources -> New

Give the Resource a name and select your connection pool from the previous step then go ahead and hit the save button.

New JDBC Resource

Step 2 – Create a new security realm

Ok, so before we  point Glassfish to our database, we’ll need to have the following information from your database available:-

1. The name of the table in which your user’s username and password are stored.
2. The column names where the username and password are stored.
3. The name of the table where the users are assigned to user groups.
4. The column name in this table which stores the user group name.

Here’s an example:-

Users Table – user_details

Groups Table – user_groups

So, to create a new Realm; from the navigation tree, click:-

Security -> Realms -> New

Give your realm a name.

Select com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm in the ‘Class Name’ field.

Enter the ‘JAAS Context’ as jdbcRealm.

In the ‘JNDI’ field, enter the name of your JDBC Resource from the previous step.

Fill in the table and column fields with your database info you have ready from the above step.

If your passwords are stored as MD5 hashes, enter MD5 in the ‘Digest Algorithm’ field.

The database username and password is already set in the connection pool so no need to duplicate here.

You can leave the rest of the fields blank.

New Security Realm

That’s it s far as Glassfish is concerned! easy huh?

Next we’ll take a quick look at how to implement basic authentication in a web app.

Step 3 – Set up your web app to use this security method

If you’re not familiar Java EE security using realms, users, groups and roles here is a good tutorial to get you started.

Ok, so we’re gonna use some example user credentials, groups and roles to implement security in our web app.

Users can belong to:-

Admin-Group or Regular-Group (these are mapped to users in the group table in your database).

First we’ll map some security roles to our groups; this is done in our sun-web.xml config file in the WEB-INF folder of our web application.

For convenience sake, we’ll create one role for each group with the same name as the group.

So, Admin-Group will have the role Admin-Group assigned to it (and the same goes for Regular-Group).

Go ahead and paste this into your sun-web.xml file:-

<security-role-mapping>
<role-name>Regular-Group</role-name>
<group-name>Regular-Group </group-name>
</security-role-mapping>
<security-role-mapping>
<role-name> Admin-Group</role-name>
<group-name>Admin-Group </group-name>
</security-role-mapping>

Next we’ll set a security constraint in our web.xml file (also in the WEB-INF folder of our web application).

You have to give the constraint a name, set the url pattern and state which roles are allowed to access this secure area.

As you can see we are securing the whole web app by supplying  ’/*’ as the url pattern.

Add this snippet to your web.xml file:-

     <security-constraint>
        <display-name>SecurePlace</display-name>
        <web-resource-collection>
         <web-resource-name>Secure Place</web-resource-name>
         <description>Description here</description>
          <url-pattern>/* </url-pattern>
    </web-resource-collection>
       <auth-constraint>
         <description>descrition here</description>
         <role-name>Regular-Group</role-name>
         <role-name>Admin-Group</role-name>
        </auth-constraint>
    </security-constraint>

We also need to tell the web app to actually implement security by forcing the users to login (this is also done in the web.xml file).

For this example we are using basic authentication, so we set the auth-method to ‘BASIC’.

Then we specify the jdbcRealm we created earlier for the realm-name.

Then we add all of the roles we want to be able to log in.

Add this snippet to your web.xml file:-

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>myRealm</realm-name>
    </login-config>
    <security-role>
       <role-name>Regular-Group</role-name>
    </security-role>
   <security-role>
        <role-name>Admin-Group</role-name>
    </security-role>

And that’s it! If you test your web application in a browser, you should get prompted for a username and password to continue.