
Exploring the science and magic of Identity and Access Management
Wednesday, August 17, 2022

Who is Securing Big Data?

Information Security
Author: Mark Dixon
Tuesday, August 28, 2012
5:25 pm

Capgemini recently released a report, “The Deciding Factor: Big Data & Decision making,” which states that:

“nine out of ten business leaders believe data is now the fourth factor of production, as fundamental to business as land, labor and capital.”


“Two-thirds of executives consider their organizations are ‘data-driven’, reporting that data collection and analysis underpins their firm’s business strategy and day-to-day decision-making.”

According to Gartner Inc.,

“Business executives and IT managers are increasingly referring to information as one of their organization’s most critical and strategic corporate assets. Certainly there is a sharp rise in enterprises leveraging information as a performance fuel, competitive weaponry and a relationship adhesive.”

This all begs the question, “If this data is so important to enterprises, what are they doing to really secure it?”


Article: Inside Huawei, the Chinese tech giant that’s rattling nerves in DC

Information Security
Author: Mark Dixon
Tuesday, August 28, 2012
6:59 am

A Pegasus constructed entirely out of Huawei Ascend smartphones sat on the grounds of Mobile World Congress in Barcelona, Spain, just one of the many ways the company made its presence felt.

CNET reported today that a congressional committee wants to know whether Huawei, a telecommunications powerhouse, is a national security threat.

Huawei is much larger than I realized:

Huawei is the second largest telecommunications equipment maker in the world, behind only Sweden’s Ericsson. It generated $32 billion in revenue last year, selling its networking technology to such global giants as Vodafone, Bell Canada and Telekom Malaysia, though only smaller U.S. carriers Leap and Clearwire use the company’s gear. Huawei’s heft has allowed it to pour resources into adjacent markets, such as mobile handset development and data center technology that’s already paying off with new customers and billions more in revenue. …

And Huawei is a patent machine, with about 50,000 patents filed worldwide. Though accused years ago of pilfering the innovations of Cisco and others, Huawei gets credit these days for breakthroughs in complex technologies such as radio access networking that lets mobile carriers support multiple communications standards on a single network. It also pioneered the dongles that consumers slip into laptops to wirelessly connect to the Web.

Because of its size, power and national origin, some are very worried:

The broader concern, though, is of a dangerous marriage of Huawei’s capability — it wants to build a massive swath of the telecommunications network, from routers and switches to the phones consumers use — with the Chinese government’s motive and intent. A report last year from the Office of the National Counterintelligence Executive found that the Chinese are the “world’s most active and persistent perpetrators of economic espionage.” The committee wants to thwart the possibility of Chinese cyberattacks in the United States over Huawei’s technology before the company, which has only a modest U.S. presence, grows into a powerhouse here. …

Hawks in the federal government remain unconvinced that his company is merely a financial success story. They worry that Huawei, whose technology provides infrastructure to communications networks, is a tool of the Chinese government, potentially enabling it to snoop on critical corporate and government data through digital backdoors that Huawei has the ability to install.

I don’t know the answers here, but this is certainly food for thought.


Titanic Catastrophe: Compliant Doesn’t Mean Secure

Information Security
Author: Mark Dixon
Friday, April 27, 2012
9:33 am

April 15th marked the 100th anniversary of the sinking of the RMS Titanic – by any measure a catastrophe of epic proportions. As we think about lessons collectively learned from this event, may I suggest a nugget worth remembering that has little to do with sinking ships, but a lot to do with the enterprises we serve today?

According to a recent ABC article:

… the Titanic was fully compliant with all marine laws. The British Board of Trade required all vessels above 10,000 tonnes to carry sixteen lifeboats. The White Star Line ensured that the Titanic exceeded the requirements by four boats.

But we all know that twenty lifeboats were not nearly enough for this ship.  The article continues:

But the ship was 46,328 tonnes. The Board of Trade hadn’t updated its regulations for nearly 20 years. … The lifeboat regulations were written for a different era and enforced unthinkingly.

“Enforced unthinkingly.”  Therein lies our little lesson.

In the discipline of information security, we may be tempted to think that “compliant” means secure. But we must not accept that at face value. We must really understand what regulations mean and how they apply to our enterprises. PCI DSS or HIPAA compliance may go part way, but does it really go far enough to protect the vital information that is the lifeblood of our businesses?

Let’s make sure we have adequate “lifeboats” and not rely completely on those who write regulations to protect our businesses.



The Business Justification for Data Security

Information Security
Author: Mark Dixon
Wednesday, March 7, 2012
12:23 pm

Recently, Jack Crail and I gave a joint presentation at the SecurePhoenix event sponsored by (ISC)², the folks who oversee the CISSP certification.


Our presentation was based on a whitepaper entitled “The Business Justification for Data Security,” published by Securosis, which outlined a five-step process for evaluating data security investments, mapping the potential investment to business needs and building a business justification case.

More to come as I explore some of these topics …


Fraud and Security in the Cloud

Identity, Information Security
Author: Mark Dixon
Wednesday, December 28, 2011
9:52 am

This should be a timely and relevant webcast for those of us involved with information security: “Key Fraud and Security Considerations for Confidence in the Cloud.” It will be held Tuesday, January 17, 2012 at 10 a.m. PST.

This executive panel webcast will explore how leading IT organizations are moving to the cloud with confidence. The following items will be addressed:

  • Maintain control of your data across multiple on-premise and cloud environments
  • Evaluate cloud providers to meet your specific requirements for security and risk management
  • Apply authentication and identity management solutions and expertise from the online banking industry for improved protection and fraud mitigation

You can register for the webcast here.

Source Doc: Oracle Reference Architecture – Security

Enterprise Architecture, Identity, Information Security
Author: Mark Dixon
Tuesday, December 20, 2011
10:10 am

The Oracle outward-facing website is a virtual cornucopia of valuable information.  Unfortunately, I often just stumble onto valuable gems of knowledge instead of discovering them in an organized fashion.  Today was such a case.  Quite by accident, I found an excellent overview of Information Security issues in “Information Security, A Conceptual Architectural Approach.”  It provides, in an easy-reading 25 pages, a good overview of information security principles and approaches to addressing them.

This document referenced a larger treatise, the Oracle Reference Architecture – Security, which dives more deeply into information security issues and solutions.  In about 130 pages, this reference architecture document provides an excellent treatment of the basic principles of information security and recommended approaches to mitigate security risk.  The introduction aptly states:

Information is the lifeblood of every organization. If this Information is compromised there can be a wide range of consequences ranging from damage to a company’s reputation through to financial penalties such as regulatory fines and cost of remediation. …

Information Security is a strategic approach that should be based on a solid, holistic framework encompassing all of an organization’s Information Security requirements, not just those of individual projects. …

By taking this approach to Information Security, organizations can ensure that the components of their Information security architecture address all business critical Information and are driven by the requirements of the business.

The document is organized as follows:

  1. Introduction to Information Security
  2. Security Concepts and Capabilities
  3. Common Security Standards
  4. Conceptual Architecture View
  5. Logical View
  6. Product Mapping View
  7. Deployment View
  8. Summary

I hope you will find this to be a useful reference.

Veriphyr Study: Protected Health Information (PHI) Privacy Breaches

Identity, Information Security
Author: Mark Dixon
Friday, September 2, 2011
5:51 pm

This afternoon, I received word that Veriphyr, a provider of SaaS Identity and Access Intelligence services, announced the results of a new survey on Protected Health Information (PHI) privacy breaches. According to the report,

More than 70 percent of the organizations in the study have suffered one or more breaches of PHI within the last 12 months. …

Insiders were responsible for the majority of breaches, with 35 percent snooping into medical records of fellow employees and 27 percent accessing records of friends and relatives.

Some interesting statistics:

Top breaches in the past 12 months by type:

  • Snooping into medical records of fellow employees (35%)
  • Snooping into records of friends and relatives (27%)
  • Loss/theft of physical records (25%)
  • Loss/theft of equipment holding PHI (20%)

When a breach occurred, it was detected in:

  • One to three days (30%)
  • One week (12%)
  • Two to four weeks (17%)

Once a breach was detected, it was resolved in:

  • One to three days (16%)
  • One week (18%)
  • Two to four weeks (25%)

79% of respondents were “somewhat concerned” or “very concerned” that their existing controls do not enable timely detection of breaches of PHI.

52% stated they did not have adequate tools for monitoring inappropriate access to PHI.

The report’s conclusion was not surprising:

Respondents who indicated strong satisfaction with their monitoring tools also tended to report fewer breaches of PHI and faster resolution times. The reverse is also true: respondents who indicated dissatisfaction with their monitoring tools tended to report more breaches and longer resolution times.

The morals of this story?

  • Cautiously trust, but verify the internal folks. They are the biggest breach threat.
  • Do you want to tackle and solve your privacy breach problems? Good tools really do help.



Pearls of Password Wisdom

Information Security
Author: Mark Dixon
Tuesday, August 23, 2011
4:51 pm

If you are going to invest in security to keep the bad guys out, please take the sage Pearls Before Swine advice and “Change the Top Secret Security Code” to something a bit less obvious than “Password.”


Source Doc: Department of Defense Strategy for Operating in Cyberspace

Information Security, Source Doc
Author: Mark Dixon
Tuesday, July 19, 2011
9:34 am

Last week, I reported that the US Department of Defense had released a highly-anticipated document, entitled, “Department of Defense Strategy for Operating in Cyberspace.”  Here is a bit of an overview of the document.

The high degree of the Department of Defense’s dependence on cyberspace is abundantly evident:

Along with the rest of the U.S. government, the Department of Defense (DoD) depends on cyberspace to function. It is difficult to overstate this reliance; DoD operates over 15,000 networks and seven million computing devices across hundreds of installations in dozens of countries around the globe. DoD uses cyberspace to enable its military, intelligence, and business operations, including the movement of personnel and material and the command and control of the full spectrum of military operations.

In speaking of the risks the DoD faces in this area, the report states:

Potential U.S. adversaries may seek to exploit, disrupt, deny, and degrade the networks and systems that DoD depends on for its operations. DoD is particularly concerned with three areas of potential adversarial activity: theft or exploitation of data; disruption or denial of access or service that affects the availability of networks, information, or network-enabled resources; and destructive action including corruption, manipulation, or direct activity that threatens to destroy or degrade networks or connected systems.

In response to these concerns, the DoD has outlined five strategic initiatives:

  • Strategic Initiative 1: Treat cyberspace as an operational domain to organize, train, and equip so that DoD can take full advantage of cyberspace’s potential
  • Strategic Initiative 2: Employ new defense operating concepts to protect DoD networks and systems
  • Strategic Initiative 3: Partner with other U.S. government departments and agencies and the private sector to enable a whole-of-government cybersecurity strategy
  • Strategic Initiative 4: Build robust relationships with U.S. allies and international partners to strengthen collective cybersecurity
  • Strategic Initiative 5: Leverage the nation’s ingenuity through an exceptional cyber workforce and rapid technological innovation

The report concludes:

The Department’s five strategic initiatives offer a roadmap for DoD to operate effectively in cyberspace, defend national interests, and achieve national security objectives. Each initiative is distinct, yet necessarily connected with the other four. Across the strategy, activities undertaken in one initiative will contribute to DoD’s strategic thinking and lead to new approaches in the others.

By pursuing the activities in this strategy, DoD will capitalize on the opportunities afforded to the Department by cyberspace; defend DoD networks and systems against intrusions and malicious activity; support efforts to strengthen cybersecurity for interagency, international, and critical industry partners; and develop robust cyberspace capabilities and partnerships. This strategy will guide the Department’s defense of U.S. interests in cyberspace so that the United States and its allies and partners may continue to benefit from the innovations of the information age.

The work the DoD does will inevitably impact the private sector as well. We can only hope that the efforts the DoD exerts will not subjugate the Internet to military rule.


Source Doc: PCI DSS Virtualization Guidelines

Identity, Information Security, Source Doc
Author: Mark Dixon
Wednesday, June 15, 2011
1:41 pm

On June 14th, the PCI Security Standards Council announced publication of the PCI DSS Virtualization Guidelines Information Supplement, which “provides guidance to those in the payment chain on the use of virtualization technology in cardholder data environments in accordance with PCI DSS.”

The introductory section in this document outlines four principles associated with the use of virtualization in cardholder data environments:

  1. If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies.
  2. Virtualization technology introduces new risks that may not be relevant to other technologies, and that must be assessed when adopting virtualization in cardholder data environments.
  3. Implementations of virtual technologies can vary greatly, and entities will need to perform a thorough discovery to identify and document the unique characteristics of their particular virtualized implementation, including all interactions with payment transaction processes and payment card data.
  4. There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements. Specific controls and procedures will vary for each environment, according to how virtualization is used and implemented.

After giving an overview of virtualization, the report sets forth a detailed review of risks inherent in a virtualized environment and specific recommendations about how to deal with those risks.

The document’s appendix describes in detail how each of the 12 broad PCI security controls that are mandated for logical environments need to be applied in a virtual setting.

I have long thought the PCI DSS specification to be a good example of how an industry regulates itself.  The Virtualization Guidelines document shows once again how the payments industry is in step with recent trends in Information Technology.

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.