Security and Risk Management Strategies Blog

Blogger: Eric Maiwald

It is Catalyst time again – it seems like just the other day we were holding Catalyst North America in San Diego. This week Burton Group is hosting Catalyst Europe in Prague. The security service does not have a track on the first day of the conference so I attended the Planning for Pervasive Mobility track (I also had a talk to give in this track so it made a lot of sense for me to be there!).

It seems that mobility is important for enterprises and employees and wireless technology is improving to help us be more mobile. Paul Debeasi (Burton Group Senior Analyst in the Network and Telecom Service) talked about 802.11n and how it is good enough to be used as an Ethernet replacement. You can see what he wrote about 802.11n in the NTS blog. Dan McCarriar from Carnegie Mellon University talked about their deployment of 802.11n so it is not just a standard that will generate products sometime in the future.

As enterprises begin to include more wireless networks instead of wired Ethernet, there will be additional security concerns that will need to be addressed. This could be everything from an increased use of VPN technology to the deployment of wireless intrusion detection (WIPS) to detect rogue access points and track down sources of wireless interference. Increased use of WLANs may also spur the use of network admission control (NAC) as we have seen more use of 802.1X on wireless than on wired networks.

Another change that we will need to pay attention to is the increased use of employee-owned devices on these networks. Employees (and students in the case of CMU) are increasingly interested in using their own devices (including smartphones) for work. It may not matter what controls we decide to put on endpoints if the enterprise does not own the endpoint. The ramifications of mobility do not end with security – applications will need to change to be more useful on the employee devices. Applications may also need to change to keep sensitive information off of the end point.

Lots of changes are coming and security folks will need to be able to advice enterprises about working in the new environments. 

Blogger: Trent Henry

Burton Group’s Catalyst Europe conference is just around the corner. With financial services industry failures at the top of everyone’s mind, now’s a great time to revisit how risk management shortcomings have tremendous impact on organizations of every kind. In a reprise of his insightful Catalyst North America talk, Nick Leeson will once again detail how inadequate controls (and foolish actions on his part) brought about the fall of Barings Bank. In addition, security conversations at Catalyst will include:

- How large enterprises are grappling with governance, risk, and compliance (and why “GRC” is actually a four-letter word)
- What large, distributed organizations are doing to create effective “security embassies”
- The role of metrics in managing protection and communicating with Management
- How information-centric security will unfold over the next five years

Blogger: Ramon Krikken

Many different conference tracks, many different perspectives on 'security' and how to best implement it. I spent most of my time in the Service-Oriented Architecture (SOA) track, looking for little nuggets of wisdom to help with my upcoming SOA security overview, and I certainly did find some. There were - luckily - no huge upsets, but there were certainly lots of questions on how to to implement controls in a service-oriented environment. What was once only the question of what Web Services standards to use, has now evolved to discussions on everything from high-level architecture to the minutiae of security token translations.

One of the discussions in SOA security revolves around the location of controls. In general the architecture is best served if most controls, such as authentication and authorization, are externalized from the application code. It creates a separation of concerns, and usually makes management and auditing more straightforward. So some of the different infrastructure components, like web services modules and the XML gateways, support access control, encryption, and data validation features. Some vendors would like us to believe that pushing all this functionality into their well-packaged, standards-based solution is going to solve the 'security problem,' but does it?

It all works out well as long as we can - in the true spirit of service orientation - view the service as a black box, but that isn't necessarily possible from a security perspective. Certain functionality, like the compute-intensive XML schema validation, is an ideal candidate for infrastructure security, and so is service-to-service authentication. User authorization is all over the map depending on its granularity and requirements for data-awareness. With encryption it also depends on whether we're talking data transport or storage. Service-enabling legacy applications also throws us a curve-ball because of, amongst things, the need for identity and access token mapping that take us into the darkness of the black-box service.

In other words, both applying controls in service orientation, and applying service-oriented principles to security, aren't necessarily as straightforward as some may want us to believe. Security professionals probably already had a feeling this would be the case; we're a bunch of skeptics, after all. But if it's the case that enterprise architecture is far ahead of security architecture in SOA planning or implementation, then there may be some misunderstanding in the organization on how to secure the infrastructure and services. At the surface, and in the common case, the decision to put controls at the infrastructure level seems simple. The devil, it appears, is very much in the details that are invisible to us in some of the higher-level architectural discussions.

Fortunately, all is not lost. We may have thought that 'the SOA train has left the station, and security is not on board,' but it now appears - at least from Burton Group's research - that the train isn't necessarily all too far down the tracks yet. We need to work with the architects to create a security strategy that matures along with the other aspects of SOA implementation, work with the development team to overcome the challenges of building security into the SDLC, and most of all, work with ourselves to make sure we're able to apply consistent principles of information assurance no matter what the next best thing in SOA technology is. There is time to get things right, and the best time to start is now. 

Blogger: Randall Gamby

Across the different security technology presentations given this week at Catalyst, one common theme has been the important role of policy. As people hear about new and better technologies and how they can be integrated into their existing infrastructures, they should take the time to examine their policies to make sure they keep up with the solutions being considered.  Questions to ask:

• When did we review our policies last?
• Do we have not enough or too many?
• Will they still be valid?
• Are there other influencers on them?

But while changes will most likely be needed for many current policies, a question that often isn’t asked is, “Are they enforceable?”  As enterprises create policies based upon what users “should do,” can the security team validate that they “did do” what was asked?  For example, a common policy is, “All sensitive data at rest must be encrypted.”  So this means you must encrypt your Active Directory, your e-mail storage, every production database, yes? That's probably not happening.  So if the enterprise has no way to implement the policy, then it ultimately is not a valid policy and needs to either be modified or the enterprise needs money, resources and time to conform to the policy. 

The social effect on the user population also needs to be considered.  Essentially, the enterprise is teaching users that they don’t have to conform to this policy, so maybe they don’t have to be conformant to others on the books.  Not a good lesson to teach them.

So as the Catalyst attendees go back with “dreams of technology sugar plums dancing in their heads” don’t forget that good governance with valid processes should be skipping around the edge.

Blogger: Trent Henry

The life of an Analyst can be dangerously cloistered. I know many (non-Burton) colleagues whose time is spent almost exclusively at vendor conferences and in briefings with product teams. Although a certain amount of vendor interaction is important--otherwise we can't help clients understand what technologies/solutions are more promising than others--it's easy to get lost. Specifically, it can cause an Analyst to lose his or her way in understanding the day-to-day problems of typical enterprises.

This week at Catalyst is a boon in understanding real problems. With 1700 attendees, most of whom represent the Global 2000, every day brings a dozen conversations that paint a picture of real IT issues--no ivory tower here.

Some interesting questions and issues that have arisen in the security
arena:

• In order to comply with HSPD12, we want to move our PKI to a service provider. How will that transition affect our users and applications?
• The audit team wants more log collection. Should I turn the dials and levers on my existing product or buy something new?
• In the world of a care provider, many network-connected devices are certified by regulatory bodies and can't be patched or otherwise changed. How should those be protected?
• My CISO wants me to explain the benefits of ISO 27002 to the Board: Where should I start?

...and the list goes on.

The key is that emerging technologies can be interesting, but Analysts and vendors alike need to carefully listen to customer challenges.

Blogger: Eric Maiwald

This morning at Catalyst Nick Leeson, of Barings Bank fame, spoke as part of the GRC track. It was interesting to learn what happened back in 1995 as Barings Bank failed. While Nick’s story was interesting, I think there are insights that we can pull out of what he said:

• Technology might be useful in bringing risky activities to the attention of managers but the managers must understand what they are looking at and why the activity is risky
• People who perform oversight activities must understand the activity they are monitoring – in this case, Nick Leeson became his own overseer as his managers didn’t understand what he was doing

In the end, Nick Leeson’s activities led to the failure of the bank and a visit to jail in Singapore. Would proper oversight have prevented this? Well, according to Nick, the signs of imminent danger existed if anyone had bothered to look.