Posted by: f5dotcom | November 19, 2009

Virtualization is Real

I remember back in the day when Virtual meant ‘almost,’ ‘simulated’ or ‘in essence,’ as in, ‘I’m virtually there.’  Today, as it has made its way into computer terminology, it can mean actual or real things that are done over computers.  Virtualization has been the main enabler of Cloud Computing and has become an important tool for IT.  I recently attended the 2009 Cloud Computing and Virtualization Conference & Expo in Silicon Valley and wanted to share some of my observations.  The show has certainly grown from last year but is still a nice small(er) conference with a lot of opportunity for good conversations.  Cloud ‘solutions’ seemed to dominate the talks even though there is still a lot of confusion about the Cloud, with a good portion of participants appearing to be in the investigative/learning stage.  Many of the attendees were still just trying to understand the whole ‘cloud’ terminology and I felt like one of the most informed – which means there is still plenty of opportunity to educate folks.  Security was a big topic, as you can imagine, but this year it seemed like the presentations were focused on solving those fears instead of just listing them as inhibitors.

One of the sessions I enjoyed was ‘Cloud Security – It’s Nothing New; It Changes Everything!’ (pdf) from Glenn Brunette, a Distinguished Engineer and Chief Security Architect at Sun Microsystems.  He first reviewed the hallmarks of information security: CIA, the Guiding Principles, Managing Risk and so forth, and indicated that the Cloud doesn’t change any of that – there’s no difference in what drives security or in the concepts; it’s the implementation that is different.  So if the overall Security Services are the same, and if the traits are the same – what’s missing?  According to Glenn, the thing that Cloud Computing Security demands is: CONTEXT.

He reviewed some of the challenges facing Cloud Security:

Speed – the agility to quickly configure services.  Security is usually the last part of the architecture, but how do you secure services and enforce policy on them when units are getting spun up/down at a rapid pace?  It’s an opportunity to re-think.  One thing Sun (and others) are starting to do is bake security best practices right into the image before sending it to the cloud.  Why make the customer deal with securing the underlying system when the provider can build the needed security right into the image?  Pre-integration and assembly allow the customer to still deploy quickly, but securely.

Scale – Today security administrators deal with tens, hundreds, even thousands of servers, but what happens when potentially tens of thousands of VMs get spun up and they are not the same as they were an hour ago?  Security assessments like Tripwire, while they work, inject load – and what if those servers are only up for 30 minutes?  How can you be sure that what was up and offering content was secure?  One idea he offered was to have servers live for only 30 minutes, then drop and replace them.  If someone did compromise the unit, they’d only have a few moments to do anything and then it’s wiped.  You keep the logs but just replace the instance.  Or, use an Open Source equivalent every other time you load, so crooks can’t get a good feel for the baseline system.
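The question above – how do you know that what was up and serving was secure when instances live for minutes – is really an audit over lifecycle events. The following is an added example (mine, not code from the talk or from Sun) that reconciles constructed launch/assessment/serve/terminate events: it reports which instances were serving at a given moment, flags any that served before an assessment passed, and flags any that outlived the allowed window. The event format and field names are assumptions made for the example, not any provider’s real log format.

```python
"""Audit short-lived instances against a 'assessed before serving' rule.

Added example, not from the original post. Parses a constructed event log
and answers: which instances were serving at time T, did each one pass an
assessment *before* it served, and did any exceed the allowed lifetime.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed sample log (assumed format): <iso-time> <instance-id> <event> [k=v ...]
SAMPLE_EVENTS = """\
2009-11-19T08:00:00 i-0a1 launch image=hardened-base-v3
2009-11-19T08:00:40 i-0a1 assessment result=pass
2009-11-19T08:01:00 i-0a1 serve
2009-11-19T08:02:00 i-0b2 launch image=hardened-base-v3
2009-11-19T08:02:30 i-0b2 serve
2009-11-19T08:03:10 i-0b2 assessment result=pass
2009-11-19T08:05:00 i-0c3 launch image=hardened-base-v3
2009-11-19T08:05:30 i-0c3 assessment result=fail
2009-11-19T08:06:00 i-0c3 serve
2009-11-19T08:29:00 i-0a1 terminate
2009-11-19T08:30:00 i-0b2 terminate
"""

MAX_LIFETIME = timedelta(minutes=30)  # the 30-minute rotation idea from the talk


@dataclass
class Instance:
    instance_id: str
    image: str = ""
    launched: Optional[datetime] = None
    terminated: Optional[datetime] = None
    first_served: Optional[datetime] = None
    assessed: Optional[datetime] = None
    assessment_result: Optional[str] = None


def parse_events(text: str) -> Dict[str, Instance]:
    """Fold the event stream into one record per instance."""
    instances: Dict[str, Instance] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        ts = datetime.fromisoformat(parts[0])
        iid, event = parts[1], parts[2]
        detail = dict(p.split("=", 1) for p in parts[3:])
        inst = instances.setdefault(iid, Instance(iid))
        if event == "launch":
            inst.launched = ts
            inst.image = detail.get("image", "")
        elif event == "assessment":
            inst.assessed = ts
            inst.assessment_result = detail.get("result")
        elif event == "serve" and inst.first_served is None:
            inst.first_served = ts
        elif event == "terminate":
            inst.terminated = ts
    return instances


def serving_at(instances: Dict[str, Instance], when: datetime) -> Set[str]:
    """Which instances were offering content at the given moment."""
    return {
        iid for iid, inst in instances.items()
        if inst.first_served is not None and inst.first_served <= when
        and (inst.terminated is None or when < inst.terminated)
    }


def audit(instances: Dict[str, Instance], now: datetime,
          max_lifetime: timedelta = MAX_LIFETIME) -> Dict[str, List[str]]:
    """Return findings per instance; an empty dict means everything checked out."""
    findings: Dict[str, List[str]] = {}
    for iid, inst in sorted(instances.items()):
        problems = []
        if inst.first_served is not None:
            # Serving before the assessment finished is as bad as no assessment.
            if inst.assessed is None or inst.assessed > inst.first_served:
                problems.append("served traffic before any assessment")
            if inst.assessment_result == "fail":
                problems.append("served traffic despite failed assessment")
        end = inst.terminated or now
        if inst.launched is not None and end - inst.launched > max_lifetime:
            state = "terminated" if inst.terminated else "still running"
            problems.append(f"lifetime exceeded {max_lifetime} ({state})")
        if problems:
            findings[iid] = problems
    return findings


if __name__ == "__main__":
    fleet = parse_events(SAMPLE_EVENTS)
    print("serving at 08:10:", sorted(serving_at(fleet, datetime(2009, 11, 19, 8, 10))))
    for iid, problems in audit(fleet, datetime(2009, 11, 19, 9, 0)).items():
        print(iid, "->", "; ".join(problems))
```

Because the log is retained after the instance is gone, the audit can be run long after the 30-minute window closed; that is the point of keeping the logs while replacing the instance.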

Accessibility – anyone with a credit card can now deploy cloud services.  Maybe someone feels IT is too slow in deploying a particular service and decides to do it themselves.  They now have substantial resources available and not a lot of knowledge of current policies.  How can you be sure that the policies are enforced across the board on all deployments?

Transparency – Customers need a comfort level to know how the data is kept safe, how keys are managed, and how they can contain a problem in the cloud – essentially understanding the provider’s standards and processes.  There are more IT elements, more change events, more data and less control – that’s the fear.  The cloud makes these challenges more visible.

Consistency & Integrity – knowing the exact configuration of any machine at any time.

Key Management – this is a huge problem with providers.  Doing a backup to the cloud (while keeping the keys close) is OK, but if you intend to use that data then the keys also need to be stored in the cloud.  Being able to do a fast recovery can also require keys out there.  Additional legal verbiage is what typically covers key management today.

Accountability – Service Level Agreements.  SLAs are not so strong on the provider end and customers often need to negotiate this area.

Compliance – auditors.

There are changing architectural strategies in the cloud. Tight Integration becomes Dynamic Assembly; Inspections become Telemetry of Objects; Repair & Recover turns to Recognize & Restart; and Log Scraping becomes Analytics. You just need to change some of the old habits. Opportunities exist for standardization but in the meantime, get to a manageable set of things that need to be done and build upon the automation. Glenn closed with his Cloud Security Rules:

  • Embrace Security Systematically
  • Design for High Survivability (fight thru)
  • Compartmentalize failure (nodes going down)
  • Minimize Trust Boundaries (how far does the data go)

Good advice.

ps


Posted by: f5dotcom | November 13, 2009

You’ve Taken That Out of Context

Hello and Welcome to the new hit Game Show: You’ve Taken that Out of Context!  Hilarity ensues in this action-packed half-hour when contestants try to deliver the appropriate resources to end users depending on several factors and circumstances.  So let’s get right to it: Our first contestant is Danny, an IT Director from Boston, and he’s getting his first request…..OK, user is coming from a home computer, without a certificate, from a broadband connection and is a partner – what are you going to give them, Danny?  Wow, Excellent!  You’ve provided a simple web application, delivered through a reverse proxy, so he can enter his time & materials expense report.  Great decision, Danny!  Our next contestant hails from Chicago and runs a data center for a large manufacturer, please welcome Greg.  Whoop, here comes Greg’s request…..User is a trusted employee in sales needing to enter customer info, using an IT-issued laptop with specific reg-keys and updates but working from a wireless network.  How are you going to handle it, Greg?  Nice move!  Offering them not only their specific order entry application that’s optimized but also giving them a connection to Exchange so they can download their email to stay current.  Sweet – keeping users productive while on the road – great work.  And our last contestant comes from Texas where he’s the Network Engineer for a distribution company – round of applause for Tom!  Alright Tom, let’s see your request.  It’s coming fast: user is a vendor who needs to see inventory levels.  They are coming from their corporate LAN on an IT-issued computer and do have a certificate for certain applications.  Whatcha gonna do, Tom?  A full Layer 3 network-connected tunnel?  Well, let’s see.  They get connected, they are navigating to their favorite app, so far so good, and logging in, cool.  Wait, what’s this – the user has initiated a sniffer and found some financial docs.  Oh no!  He’s downloading the latest financial statements that aren’t public!  That spreadsheet has much of our sensitive data but it’s too late, they are long gone along with your data.  Sorry Tom, a little too generous with that, but you do get a copy of our home game where players act out partial scenes and you have to guess the context!  Thanks for playing.

User Centric or Context-Aware Computing is finally starting to gain some traction, partially driven by cloud computing.  User Centric or Contextual Based networking is simply Adaptive Access: using intelligence to dynamically change the security applied to a specific access request based on the context of that request, the resources being accessed and the policy applied between the two.  The goal is to provide a unified method of applying security and delivering applications regardless of the actual security in effect, the network or the device being used to request access.  It’s access security based on user, device, location and integrity, both at the time of the request and for the duration of access.  It provides intelligence, adaptability and auditability for every user, every time.  Context is the environment or conditions surrounding an event, and it informs us about that event.  With that information, we may perceive something differently, which might change our view and maybe our decisions.  It’s about seeing the bigger picture and making better decisions by comparing the information we have about the request with the requirements of the application and the policies in place, to deliver the proper access.  Gartner calls this the ‘Digital Me.’

Gartner predicts that by 2012, there will be more than 7.3 billion networked devices worldwide and 298 million subscribers of location-based services.  This is more than just delivering secure applications; it’s also about delivering the right resources to the right user at the right time.  More than ever, users are dispersed all over the globe, arriving from a multitude of devices and networks while requesting access and information from your systems.  You need to offer the proper access to that user in a quick, secure and efficient manner with the proper controls.  You need to make the right decisions based on that moment of information as we move from Identity-based (user/password with some customization) to Contextual (Identity plus a whole lot more) delivery models.  You need to ensure that no one is coming in, or taking anything out, without context.
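To make the adaptive access idea concrete, here is an added example (my own, not code from the post or from any F5 product) of a small first-match policy engine: a request’s context (role, device, network, certificate, endpoint integrity) is evaluated against ordered rules, nothing matching falls through to deny, and a live session is re-evaluated when its context changes, which is what “the duration of access” means in practice. The three game-show contestants above are encoded as the sample requests; the attribute names, rule names, access modes and resource names are assumptions made for the example.

```python
"""Contextual (adaptive) access decisions. Added example, not from the post.

Rules are ordered; the first whose predicate matches the request context
wins; no match means deny. Sessions are re-evaluated against fresh context
so that a change in endpoint integrity mid-session ends the session.
"""
from dataclasses import dataclass, replace
from typing import Callable, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Context:
    """Everything known about one access request at decision time (assumed fields)."""
    user: str
    role: str           # "employee", "partner" or "vendor"
    device: str         # "managed" (IT issued) or "personal"
    network: str        # "corporate_lan", "wireless" or "home_broadband"
    has_cert: bool      # client certificate presented
    integrity_ok: bool  # endpoint checks (patches, no rogue tools) passed


@dataclass(frozen=True)
class Decision:
    mode: str                    # "deny", "reverse_proxy", "app_tunnel" or "l3_tunnel"
    resources: FrozenSet[str]    # what may be reached in that mode ("*" = everything)
    rule: str                    # rule that produced the decision, for the audit trail


DENY = Decision("deny", frozenset(), "default_deny")

# (rule name, predicate over the context, access mode, resources). First match wins.
RULES: List[Tuple[str, Callable[[Context], bool], str, Set[str]]] = [
    ("quarantine_failed_integrity",
     lambda c: not c.integrity_ok, "deny", set()),
    ("employee_on_lan_managed",
     lambda c: c.role == "employee" and c.device == "managed"
     and c.network == "corporate_lan", "l3_tunnel", {"*"}),
    ("employee_remote_managed",          # Greg's sales rep on wireless
     lambda c: c.role == "employee" and c.device == "managed",
     "app_tunnel", {"order_entry", "exchange"}),
    ("partner_unmanaged_web_only",       # Danny's partner on a home PC
     lambda c: c.role == "partner" and c.device == "personal",
     "reverse_proxy", {"expense_report"}),
    ("vendor_inventory_with_cert",       # Tom's vendor: one web app, never an L3 tunnel
     lambda c: c.role == "vendor" and c.has_cert,
     "reverse_proxy", {"inventory"}),
]


def decide(ctx: Context) -> Decision:
    for name, pred, mode, resources in RULES:
        if pred(ctx):
            return Decision(mode, frozenset(resources), name)
    return DENY


@dataclass
class Session:
    ctx: Context
    decision: Decision
    active: bool = True
    reason: str = ""


def open_session(ctx: Context) -> Session:
    d = decide(ctx)
    return Session(ctx, d, active=(d.mode != "deny"), reason=d.rule)


def reevaluate(session: Session, new_ctx: Context) -> Session:
    """Context is checked for the duration of access, not only at login.

    Any change in mode or resource set ends the session; the user must
    re-request under the new context rather than keep the old grant."""
    new = decide(new_ctx)
    if new.mode != session.decision.mode or new.resources != session.decision.resources:
        session.active = False
        session.reason = f"revoked: {new.rule}"
    session.ctx = new_ctx
    return session


if __name__ == "__main__":
    # Tom's scenario replayed with context enforced during the session.
    tom = open_session(Context("vendor-1", "vendor", "managed", "corporate_lan", True, True))
    print(tom.decision)
    tom = reevaluate(tom, replace(tom.ctx, integrity_ok=False))  # sniffer detected
    print("active:", tom.active, "-", tom.reason)
```

The ordering matters: the integrity rule sits first so that a failed endpoint check denies regardless of how trusted the role or network looks, and the vendor rule grants only the inventory application through a reverse proxy, so the full-tunnel outcome from Tom’s round cannot be produced by any context.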

ps


Posted by: f5dotcom | November 6, 2009

IPv6 and the End of the World

There have always been a certain number of conspiracy theories when security-type events happen, or in instances where there is secrecy.  There are those who don’t buy the ‘reported’ reason a security event (like a breach) occurred, those who claim to have inside information, or just those who see a story and draw their own conclusions.  The following is my take (Satire Alert) on Transmission Control Protocol/Internet Protocol v6 and the end of the world as we know it.  That can affect our security, right?!?

Recently there have been more than the usual number of articles about IPv6 and the need to deploy it soon since the v4 blocks are almost gone. Yes we’ve been hearing this for years (RFC2460 was defined in December 1998) but now the hype may be over as indicated in this article. There are many security enhancements in v6 nicely covered here but that’s not where I’m going.

In my first blog post on DevCentral, aptly titled First Post, I introduced psilva’s prophecies.  I’ve been in the Internet industry since ’94 and, while not a ‘know it all,’ I have seen my share of changes and have seen a bunch of ‘ideas’ over time come true.  For instance, I had always thought that the Internet would eventually become our entertainment delivery method and, some 14 years later, that’s the case.  That’s not that wild, as I’m sure many of you figured it was only a matter of time once we started to see streaming video and broadband to the home.  In that First Post, I offered my prediction of how our nomenclature might change over the next 50-100 years: already we no longer give our full name/address for contacting/correspondence as we’ve done in the past – we just give email.  The idea was that over time, our current first/last naming convention might dissolve to where we are known as users@domains or a single string of characters.  Twitter is enforcing that with their @namingconventions.

IPv6, at 128 bits (v4 is 32-bit), gives us the ability to assign an IP address to just about anything – heck, all the portable mobile devices we carry each need one, and consumer appliances like TVs, refrigerators, thermostats, DVRs, garage door openers, coffee machines and just about any electronic item could potentially have an IP address.  Schedule your toaster via a Web GUI to perfectly brown your bagel when you get home.  You can already control your lights and alarm systems over the internet.  In addition, each one of us, worldwide, would be able to have our own personal IP address that would follow us anywhere.  Hold on, I’m getting a call through my earring but first must authenticate with the chip in my earlobe.  That same chip, after checking my print and pulse, would open the garage, unlock the doors, disable the home alarm, turn on the heat and start the microwave for a nice hot meal as soon as I enter.  I could chip my child (like the dog) to be able to GPS their behind if they are not at the movies as indicated.  Not so farfetched.  That doesn’t sound so sinister, psilva, how can that be the beginning of the end?

OK, now the fun begins.  While not a Nostradamus follower (although the History/Discovery Channels have covered him often), he does have something to say about numbers.  You might remember he got a lot of press and was the subject of spam after 9/11 due to this quatrain, which his followers say indicates that he predicted that disaster.  Conspiracy?  He was very much into numbers and also indicated that when we are all identified as numbers, that will be a sign of the impending doom.  We do have a numbering system in the States called a Social Security Number, which is our Gov’t identity and very much linked to our own security.  With IPv6, now the entire world can be identified by number, and thus fulfills psilva’s prophecy #2.  The timing is right also.  2012 is getting a lot of play as the end of time.  Both the Mayans and Nostradamus feel that 2012 is the end of days and Hollywood has taken notice.  Now this does slightly negate my 1st prophecy since I’m giving our name change around 50 years, but 2012 does sound about right for a full IPv6 transformation, so it does fit nicely with the doomsayers – if you’re into conspiracies.

ps

Posted by: f5dotcom | October 28, 2009

Social Media – Friend or Foe

Social networks are now part of our society, for better or worse.  They have allowed us to both connect with current friends and find pals from the past; they offer businesses another outlet for marketing and sales; they allow us to collaborate, discuss and converse on any topic imaginable.  And due to their popularity, they also give thieves and other, sometimes criminal, types an inroad to deliver malware, steal identities, spam, stalk, and do many other nasty things to expose personal and corporate information.  Since so many people are on a single platform, where trust is somewhat inherent, it’s much easier to get someone to click a link than it is to technically hack their system.  There has been so much written about this topic, and in the spirit of sharing, I thought I’d offer just a few interesting stats, stories and suggestions from the various pundits on the topic:

Tweet Breach: 140 Characters of Sheer Destruction: This article tells the tale of a seemingly innocent tweet that turned into a nightmare.  He also defines the term – tweet•breach.

NFL restricts Twitter use: This is just one instance of how professional sports is dealing with social media and the instantaneous updates.  We’ve already seen a few players get into some trouble over their tweeting.

Statistics Show Social Media Is Bigger Than You Think: This is a fascinating list of statistics pertaining to Social Media, including this gem – Years to Reach 50 million Users: Radio (38 Years), TV (13 Years), Internet (4 Years), iPod (3 Years)…Facebook added 100 million users in less than 9 months…iPhone applications hit 1 billion in 9 months.  Many of the comments are just as engaging.

Top 8 Social Media Security Threats: A listing and description of many of the most recent Social Media focused attacks.

Social Networks Increase Risks to Online Privacy: His own personal account of falling for a scam.

Are social networking sites good for our society?: Very detailed article with plenty of stats and stories including the ever popular Franklin T-Chart with Pros/Cons of Social Networking.

Identity theft is too easy and can even be automated says IT security expert: From RSA Europe, this article describes a co-worker’s challenge to steal her identity and the steps the ‘friendly-perpetrator’ took to do just that.

Breach 2.0: some best practices for protecting company info and employee data.

Developing Social Media Policies for Business: Another with stories, stats and considerations when developing a Social Media policy.

And with that, I’ll let you get back to mingling on Twitter, Facebook, MySpace, YouTube, Digg, Technorati, and all the others.  Incidentally, you can follow F5 Networks tweets at http://twitter.com/f5networks (@f5networks) and mine is @psilvas.

ps

Posted by: f5dotcom | October 21, 2009

Will you Comply or just Check the Box?

Some of both, apparently.  A recent Ponemon Institute PCI-DSS Compliance survey revealed that 71% of companies actually admitted that data security is not a top priority, and 55% say they are only protecting credit card data and not other sensitive information like bank account info, social security numbers and driver’s license data.  Additional statistics show that a minuscule 28% of smaller companies (501-1000 employees) are PCI-DSS compliant and around 70% of large companies (>75,000 employees) say they meet the Regulations.  The one that jumps out for me is the small merchant stat.  I understand that cost is a large factor for smaller companies to be PCI compliant, but just imagine how many companies and industries fall into the 501-1000 employee category.  And that doesn’t count all the even smaller ‘Family Owned’ restaurants, auto repair shops or any other service where you say, ‘I like them because they are local or family owned.’  Unfortunately, those friendly establishments might not be a BFF with your sensitive data.  I’m not saying to avoid your favorite Chinese take-out, but also be aware that the numbers are against you.

There are a couple of interesting PCI developments coming over the next year.  As I mentioned in Regulation Roundup back in February, the PCI deadline for unattended, Point-of-Sale PIN entry devices is July 10, 2010.  These are those standalone ‘Pay for your parking’ machines, gas station terminals, ticket kiosks, vending machines and any other terminal where a PIN might be entered.  First, July 1, 2009, was the deadline for Triple-DES to be mandated for all debit transaction processing.  And next July, all fuel pumps (and like terminals) will need to have an encrypted PIN entry pad, be able to encrypt the PIN itself and process using TDES.  I imagine there will be another mad dash next spring for merchants to get in compliance.

The other PCI piece: come summer 2010, PCI will be making some regulatory changes to update the PCI standards, including 3rd party audits (Level II), tokens, end-to-end encryption and potentially Virtualization Security.  Some of these changes should help in protecting our data.

And if you think skirting regulations might be a money saver, take a look at this article where the FTC has recently fined ChoicePoint for not adhering to the agreement made in 2006 for the huge 2005 data breach.  They just got whacked with another $275,000 for removing a database security monitoring tool.

As I finish up the 18th entry of 26 Short Topics, I’ve noticed Regulatory Compliance, especially PCI, comes up frequently.  Maybe it’s the constant surveys, startling numbers, never-ending breaches and media reports, or maybe it’s that PCI-DSS, while not perfect, affects almost all of us and it’s like we’re in it together.  You might not know, get along with or like your neighbor, but if you shop at the same store and they are breached, suddenly you’re both in the same boat – ‘Hey, that happened to me too!’  It’s one of those things that we all should care about.

ps

UPDATE – Added 10.22.09:  ChoicePoint would like to clarify the characterization of the FTC situation and I’m happy to include this for accuracy:

“Your piece titled “Will you Comply or Just Check the Box” touches on recent ChoicePoint/FTC news and the company would like to request a clarification.

1.      In regards to your report that a “fine” was levied by the FTC
a.      While the Commission has authority to seek a civil penalty, http://ftc.gov/ogc/brfovrvw.shtm it expressly did not do so in this case, as the language of the Order and the amount of monetary relief indicate.  The Supplemental Stipulated Order itself in Part I provides for “monetary relief…to be used for equitable relief, including, but not limited to consumer redress and any attendant expenses….”  The FTC incorrectly characterized the monetary payment as a “penalty” in its initial press release and has since revised its press release to correct this point.  The payment was made pursuant to the court’s equitable authority to address compliance with its orders.  The payment is not punitive in nature and neither the Order nor the FTC press release (as modified) characterizes the payment as a fine or a penalty.

Thank you so much for your time and attention. We would very much appreciate your correction of the record.

- Not a problem, thanks for the update and appreciate the clarification.  ps

Posted by: f5dotcom | October 15, 2009

Don’t say a Word

………………………………………………….….oh, you’re waiting for me?  This will probably be a short post since there are not that many security terms that begin with the 17th letter of our alphabet.  However, keeping Quiet is a common theme in security.  As mentioned numerous times, locking passwords, logins, and other sensitive information in your mouth vault keeps them from leaking to others.  Social Engineering has always been about compromising that vault.  Recently there was a post by Roger Thompson, AVG’s Chief Research Officer, which actually suggested that you Write Down your passwords, especially complex, hard-to-remember passwords.  While this practice has been frowned upon for many years – as in the ever popular Post-its stuck to laptops – there is some sense in creating (and writing down) difficult passwords that are extremely hard to guess.  Just put that paper in a safe location.  Our own Alan Murphy offered some advice about passwords just a few months ago.

Keeping Quiet is also what most companies do when they discover a breach, at least initially.  A survey from the 2008 RSA conference showed that 89% of security incidents go unreported.  More often it’s the insider breaches that stay under the covers.  Some of that could be due to the breach simply being undetected, but many companies don’t want the public exposure of a breach.  Laws have changed some of that, and huge breaches, like the Heartland incident, must be reported so people can protect themselves.  Even the Heartland incident wasn’t detected for a couple of months, and when it was, it didn’t get reported for yet another month.  Granted, sometimes law enforcement does ask victims not to say anything so evidence can be gathered and so as not to tip off the crooks.  In any event, keeping quiet about a breach happens more often than you think, and it’s often due to the fear of a damaged reputation.  Of course there is an opposing view on the damage factor by Larry Walsh, where he talks about the multitude of brands who have suffered major breaches and how consumers have either forgotten or forgiven.

While silence can be golden and rests are written into music for effect, when it comes to Data Breaches not saying a word can put your business in jeopardy and in the cross-hairs of the law.

ps

Posted by: f5dotcom | October 8, 2009

This time, it’s Personal

Nearly 80% of companies reported an increase in the number of employees wanting to bring their own devices into the workplace in the last 6-12 months according to ‘The Device Dilemma,’ a report by Vanson Bourne and Good Technology. In addition, two thirds of IT Managers have been under more pressure to increase compatibility with people’s personal handsets in the workplace with 82% saying the most requested device is the iPhone.

Personal devices pose a difficult challenge to IT departments and it’s not just iPhones/personal cell phones; mp3/music players, portable video/game consoles, personal laptops and just about anything with an internet connection or USB hookup can pose a risk.  The age of social networks, streaming video, tele-work lifestyle and the basic computing power of mobile devices have made them constant companions in our daily lives since they do more than just make calls.  We have grown personally attached to these mini-computers (even customizing them) and don’t want to carry around 3 different mobile devices.  Employees now want to use their own devices for work related tasks.

It can be a Catch-22: IT might save a little money by not having to procure new corporate hardware but could spend significant time dealing with all the variants and security risks unauthorized personal devices pose.  With all the different models, manufacturers, operating systems and capacities, configuring and securing each device is not an easy task.  Even if IT is able to apply a policy to individual devices, there still is no real guarantee that each device will support/enforce it.  Management and control of those is a huge concern.  The report also noted, ‘IT Managers don’t want to prevent people from using their own devices; almost half (44%) said they would let people choose if they were assured of security and configuration.  Even then, 74% of IT Directors think that employees will still use their own devices even if IT doesn’t support it, and more than 25% have experienced a security breach due to an employee using an unauthorized device.’

Work Styles have changed also.  Employees are now more dispersed: Different time/different location, Same time/different location, Same time/same location or working alone.  While this model has enabled employees to work from anywhere, the need for collaboration has become critical especially with a global enterprise.  What can you do?  Don’t panic, as indicated in this article by Kim Boatman (hope I Linkedin the correct journalist) called Personal Tech Checklist for the Workplace.  She has a checklist of steps IT can take when dealing with personal tech issues:

Establish or re-evaluate usage policies. Many businesses wrote Internet usage policies a decade or so ago and haven’t revisited them.

Evaluate how you expect employees to use – or not use – social networking. After all, there can be a business benefit to your employees’ presence on Facebook or Twitter.

Inventory employees and equipment. Keep track of the level of access granted to each employee.

Understand the security implications of your policy. For instance, says Storms, allowing employees to install proprietary information on their personal devices is a high-risk proposition, while permitting access to social networking sites at work is less risky.

Educate users. It’s not enough simply to establish plain-language guidelines. If you want employee buy-in, explain why certain actions are limited and what the consequences could be.

Involve IT. It makes good sense to vet policies and practices through the people that keep your systems going.

Give yourself wiggle room. Create that clear usage policy, explain it, and publicize it. But give yourself leeway.

ps


Posted by: f5dotcom | October 6, 2009

F5’s BIG-IP system with Oracle Access Manager

Honestly, this was not timed, and I actually had a different topic to discuss for #15 of 26 Short Topics, but this cool news came out today.  F5 and Oracle have announced plans to unify access management for web applications.  The press release can be found here.  The solution will combine F5’s BIG-IP system with Oracle Access Manager to enhance single sign-on (SSO) capabilities and simplify access control.

The Authentication Alternatives Today

Code in the Application

  • Costly, difficult to change 
  • Not repeatable
  • Decentralized
  • Less secure

Agents on servers

  • Difficult to administer
  • Interoperability
  • Decentralized
  • Less Secure

Specialized Access Proxies

  • Don’t scale as well
  • Often inferior reliability
  • More boxes for network operations

A Better Alternative: BIG-IP and OAM

  • The solution is to replace the OAM Proxy with BIG-IP.
  • Gain superior scalability and high availability
  • Benefit from F5’s Unified Application Delivery Services

Benefits of Oracle OAM & F5 BIG-IP Integration

  • Reduced TCO, dramatically lower deployment risk and streamlined operational efficiency
  • Integration with OAM Single Sign-On (SSO) for superior end-user experience and enhanced user productivity
  • Unified point of enforcement to simplify auditing and control changes in configuring application access settings

Unifying application delivery and web access management. 

Availability in 1H2010 – More to come soon!

ps

Posted by: f5dotcom | October 1, 2009

Can my PAN ride the LAN out the WAN?

In 2005, a Preventsys (now McAfee) and Qualys survey found that 52% of companies rely on a ‘Moat & Castle’ approach to Network Security but also admitted, at the time, that once the perimeter is penetrated, they are at risk.  I haven’t been able to find a more recent statistic but I’m still betting that once a network is breached, it’s at risk.  Networks are evolving, expanding and exploding with more data than ever before, which means they also need to be smarter about who and what they allow on.  They have become Application Delivery Networks and soon, truly Identity Aware.  At the same time, many Enterprise networks are making interconnections with other Corporate networks, enabling Federation or trust between the two to create an extended network.

The good news/bad news about this is that, according to Verizon Business’ 2009 Data Breach Investigations Report (pdf), 32% of the data breaches implicated a business partner.  The good news is that breaches linked to business partners fell for the first time in years (-7%), but it was still 3rd on the list (behind External Sources and Multiple Parties).  They conclude that the decline in that particular area wasn’t due to any additional security focus (in fact, the majority was due to lax security practices at the connection level from the third party) but to a change in what criminals were going after.  In 2008, the Food/Beverage industry had a high percentage (70%) of breaches attributed to partners, and in 2009 the bad guys decided to go after higher payouts – like financial institutions.  Only (with a grain of salt) 1,509,000 records were compromised by partners compared to 266,788,000 by external sources, based on the report.  Usually it was the third-party systems that were compromised, and the attacker used the trusted connection to make inroads to the target.  Since it’s coming from a ‘trusted’ authorized connection, these are difficult to detect and stop.

Exchanging information is critical to this extended ecosystem and some level of trust is inherent.  But you can’t necessarily expect that your security policies will be consistently enforced on a separate network.  It’s important to look at these deployments, consider your visibility/accountability for those partner connections and create policies that enable, benefit and secure both ends.

ps

Source : The 2009 Data Breach Investigations Report by Verizon Business

Posted by: f5dotcom | September 25, 2009

Our H1N1 Preparedness Plan

On a couple of occasions, I have offered advice on how to deal with disasters, and just yesterday I wrote about Mitigating risks.  Today, I’m deviating slightly from 26 Short – make this #13.5 – to share some of F5’s Emergency Preparedness plans for the possible resurgence of H1N1.  While we often try to give interesting tips, ideas and suggestions to help you, and since many of you might be going through the same exercise, I thought I’d share how we are preparing ourselves.  Per usual, this is not to fan the fears already in the media but to offer calming assurance that there is no reason to panic.

F5’s main objectives for Emergency Preparedness for Employees are to provide a safe and healthy working environment and to ensure business continuity.  All of us received an email outlining our policies along with a link to an internal portal page dedicated to Emergency Preparedness.  It contains several governmental and informational resources pertaining to H1N1 along with Emergency Hotline Phone Numbers and a short video from HR so we all can clearly understand this particular flu strain and what to do if we contract it.  Each region around the world has a page specific to their needs.  We have also put together a cross-functional pandemic planning team that has identified critical business activities, resources and responsibilities to support a pandemic mission, along with taking precautions within our own facilities – like simply providing hand sanitizers among other supplies.

Following tips offered by the Centers for Disease Control, if any of us do get symptoms, one of the primary actions we can take as employees is stay home since the virus appears to be easily transmitted from person to person.  This is to protect all employees.  The great thing is that there are also Work from Home instructions on how to connect remotely using our own FirePass SSL VPN.  We’re already prepared for any increase in needed capacity and have policies in place to check any connecting device, even un-trusted home computers, to ensure internal security compliance.

It’s a comfort to me knowing that my employer is ready for H1N1 and any other emergency that suddenly appears and hopefully a comfort to you knowing that F5 is prepared to still support you even if you experience a crisis.

ps

Additional note added after posting:
One thing I forgot to mention about Work at Home strategies – Do keep in mind that with the additional workforce potentially using home broadband for work, there might be some capacity constraints on carriers in certain areas of the country.  There might also be some Acceleration solutions, like a WAN Optimization or Web Acceleration that can help with bandwidth reduction.
