RSA Conference is THE information security event of the year. As part of my coverage of this year's conference I did a series of podcasts with some cloud/hosting providers who are exhibiting in the Alert Logic Partner Pavilion. This is the third in the series and is with Urvish Vashi, VP of marketing at Alert Logic.
I have known Urvish for over 10 years, since our time together at Interliant. Urvish was the force behind the Partner Pavilion for Alert Logic this year. Having 5 of the leading hosting/cloud providers exhibiting at the world's largest security conference may at first blush seem a stretch. After all, are these cloud providers security providers? Yes they are!
Urvish's point is that with partners like Alert Logic, these cloud providers are providing a wide range of best-in-breed cloud security services.
This is just a short 15 minute or so interview, but Urvish gives us some great insights. Check out what he has to say and be sure to visit the Alert Logic Partner Pavilion on the show floor at RSA!
RSA Conference is THE information security event of the year. As part of my coverage of this year's conference I did a series of podcasts with some cloud/hosting providers who are exhibiting in the Alert Logic Partner Pavilion. This is the second in the series with Chris Patterson of Navisite.
My friends at Alert Logic have 5 of the largest cloud and hosting providers in the world exhibiting with them this year. I thought it was worthwhile to explore why these cloud/hosting providers were exhibiting at the largest security conference in the world.
I caught up with Chris Patterson, VP of Product Management at Navisite. Chris is one of the driving forces behind the Navi cloud. He also has some great insight into the state of cloud security and what market drivers are influencing the direction of future innovation.
Chris shares some great insight into Navisite's offerings including not just cloud, but security, managed desktop and the state of the market.
RSA Conference is THE information security event of the year. Kicking off my coverage of RSA this year is a series of podcasts I did with cloud/hosting providers who are exhibiting this year in the partner pavilion of Alert Logic.
My friends at Alert Logic have 5 of the largest hosting/cloud providers in the world exhibiting with them. I was curious why these cloud and hosting providers wanted to exhibit at a security conference.
The first provider I spoke with was Sunguard, specifically Sunguard Availability Services. I spoke with Cara Camping, Product Manager, Managed Security Services for Sunguard AS. Cara talks about Sunguard's approach to security in depth, why they partner with Alert Logic and what they expect from exhibiting at RSA Conference.
Below are two slides that Cara references in our discussion:
You can feel the pace rising to a crescendo, you sense it coming. But don’t look now, RSA is just next week. The last two months have been pretty much a blur in getting ready for the big conference. As usual I should have done 12 things I didn’t, but the dozens of things I have done are going to have to be enough.
I am happy to be chairing two panels during RSA week this year. The first is on Monday, the 25th (also my 23rd wedding anniversary) at the annual and well-attended Americas Growth Capital Conference, over at the Westin. The panel I am chairing is at 11:30 a.m.
The topic is Cloud Security Services: The Evolution Continues
Here is the abstract:
With the initial gold rush to the cloud it seemed that every security vendor was pushing a cloud security service. Every security company had to have their “story on the cloud” for customers, analysts and investors. But over the months and years we have seen a steady evolution of cloud security services beyond those early “everything but the kitchen sink” strategies.
More than just putting data and analysis off premises, today’s cloud security services are truly leveraging the unique features of the cloud like elasticity, massive scale and instant on provisioning.
Just because you can do it in the cloud doesn’t mean the cloud is the best place to do it. As we move beyond the explosion of cloud security services, which types of security services are best suited to the cloud? Which cloud security services will have markets large enough to create substantial business opportunity? Which cloud security services are so disruptive that they will eliminate or replace non-cloud based security services?
Evolution can be a cruel master, only the strong survive. The losers fall into the trash heap of history. Our panel will tell you who the winners will be in cloud security services.
I am joined on the panel by:
Matthew Prince, Co-Founder, Chief Executive Officer, CloudFlare
Dave Dewalt, Chief Executive Officer, Chairman, FireEye, Chairman, Mandiant
Jay Chaudhry, Founder, Chief Executive Officer, Zscaler
Then on Wednesday I am chairing a great panel at RSA at 9:20 am in room 304 on IPv6 Vulnerability Management: From Theory to Reality. The agenda:
Join the leading lights of the vulnerability management industry as they carry forward their discussion on the challenges of managing vulnerabilities and network security in an IPv6 network. Where last year the discussion was theoretical, this year's panel will focus on actual case studies of standing IPv6 networks in govt., retail, large enterprise and the cloud.
Besides that I will of course be at the Security Bloggers Meet up and Security Blogger Awards on Wednesday. Otherwise I will be in and out of meetings and sessions, at parties at night and usually at the W bar before heading in for the night. If you see me, be sure to say hi.
I have written recently about two friends of mine from the security industry, Carl Banzhof and Billy Austin and a company they started called iScan Online. Carl and Billy first told me what they were thinking about last spring or so. Over the next months they kept me in the loop as they continued to develop. Over the summer they showed me early versions of a new kind of security scanner they had developed. They started offering free scans in the fall and today they officially launched iScan Online.
I have been very impressed with what Carl and Billy are doing. So impressed in fact that I have been helping them with the launch activities and consulting with them over the last few weeks. I really like what they are doing and the space they play in. Utilizing the cloud for a SaaS based security scanner, they actually do internal scanning on any device, anytime, anywhere. The internal scan is done on the endpoint itself, so no hardware or virtual appliance necessary, no complicated software. Fast and accurate, it is a great security tool for a BYOD world. They call it Opportunistic Scanning.
The company has written a white paper that I really like and even helped with, that explains what they do. It talks about the dark matter of your network. What is the dark matter of your network? Well like the dark matter of our universe, it makes up a large percentage of the mass of your network. These dark devices access your network, but are largely invisible to your current vulnerability management solutions. They are not always on, are not in your office regularly and are not static desktops, servers or infrastructure. Nevertheless they represent a significant risk to your security. Using iScan Online you can gain visibility to this dark matter. You can download the white paper (without the usual “give me your contact info”) right now from the web site here.
The scans are quick and easy, delivered via a web browser plug-in, command line or API. They work on PCs and Macs, with mobile apps coming very soon. The scans themselves are done on the endpoints so thousands of scans can be done at once. iScan Online can run traditional vulnerability scans, compliance scans (PCI, HIPAA) and data scans (PAN, PII). You get instant reports per device and there is a cloud based portal for organization wide reporting that is pretty sophisticated. You can get a free scan right now so you can see for yourself what it does and how it works. Go check it out.
Carl and Billy have a lot of experience in this area. Both guys worked at Citadel Security, makers of the Hercules Patch management solution. Carl was the CTO there. Billy went on to be the CSO at SAINT, a vulnerability management company. After the sale of Citadel to McAfee, Carl was a VP over there continuing to work on endpoint security. Both Carl and Billy are really passionate about what they are doing. iScan Online has already attracted seed investment from a strategic investor and will be expanding in the near future with more capabilities, as well as sales and marketing activities.
I really do like what they have done and how they are doing it. I think this represents a “next gen” approach to vulnerability management, just when we need one. BYOD, mobile and remote workers and offices have left a gap in our vulnerability management coverage, and iScan Online’s opportunistic scanning is a great solution to fill that gap. I am looking forward to seeing how the market responds and am happy to be helping them.
Also many thanks to Mike Rothman of Securosis for allowing iScan Online to put a quote from the Securosis Evolution of Vulnerability Management research in the release. What Mike wrote is dead on to the issues that iScan Online solves.
This is a reprint of an article which I wrote on my Network World Blog yesterday.
As part of a series of interviews I did looking back at 2012 and ahead at 2013 and beyond, I had a chance to sit down with Ed Abrams, IBM's VP of marketing and strategy for SMB. Ed and I spoke about what IBM’s 2012 Tech Trends Report shows. Our full conversation (about 18 minutes long) is available to listen to below.
For me there were several highlights in my conversation with Ed and the trends shown in the report. Perhaps the biggest was the finding that, at least for the midmarket and SMB space, security is no longer a significant deterrent in moving to the cloud. For almost as long as we have heard about the cloud, we have heard that security is the single biggest factor that is preventing companies from moving to the cloud. The “cloud bogeyman”, as I have called it, to me was always more FUD than truth. The fact is most cloud providers have better security than many organizations, especially midmarket and SMBs, can afford to implement themselves. The fact that security is no longer a significant barrier is welcome news. I am not sure if it is because people realized that security in the cloud is not that bad or if people just don’t care though. In any event I was glad to hear of these findings from Abrams.
Another trend that IBM found was that midmarket and SMBs are planning on moving mission critical applications to the cloud this year. Several reports last year showed that while many organizations were experimenting with the cloud, for the most part they were doing development projects in the cloud, but were not migrating mission critical functions and applications to the cloud. Abrams says that the IBM research shows this is changing. Companies are now moving more and more of their entire IT functionality to the cloud. This includes their mission critical functions. Ed says that we are going to see this trend accelerate.
I asked Abrams how midmarket and SMBs would master the skills and resources necessary to accomplish this. Abrams gave me a one word answer, MSPs. IBM believes that managed service providers will be the key to moving to the web. Many organizations are never going to internally have the resources to manage their IT in the cloud or on premises. It is an MSP future according to Abrams and IBM. As such IBM is investing heavily in both their own MSP business, as well as IBM business partners who offer MSP services.
I asked Abrams if the cloud would really save money for organizations using it. Ed said that IBM’s research showed that utilizing the cloud could save organizations from 25% to 30% or more. I have heard from others that utilizing the cloud and MSPs would actually not necessarily be any cheaper than doing it yourself, on premises. Ed was very clear that IBM’s research showed exactly the opposite.
Finally Abrams mentioned that by moving to the cloud, Big Data analytics will have a huge impact on the SMB and midmarket in 2013 and beyond. Abrams says that IBM’s Big Data analytics, as well as their cloud portfolio leverage open source technologies throughout. Harnessing big data to give companies greater insight into their business will of course be valuable. I just don’t know if it will really come to the midmarket quite yet.
Ed Abrams has more to say about IBM’s research and what it means for the midmarket. Have a listen to our conversation to hear more and download the trends report for yourself.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.
We have heard so much about the cloud for so long now that it is really percolating in the mid-market. Peeling away the hype the truth is that the mid-market has not yet fully embraced the cloud. They are not alone either. Even in the enterprise what is being placed in the cloud is not mission critical. It is mostly developer environments and experiments.
I don’t believe security concerns are the biggest inhibitor to seeing mid-market and others utilizing the cloud more fully. I think it is more of a case of testing the waters before jumping in. The biggest problem I think is one of what exactly should go in the cloud. For a mid-market company being bombarded with a bevy of cloud based services and offerings, how do they know what makes sense to put in the cloud and what doesn’t? Put another way, just because you can do it in the cloud, should you?
As part of my CISO Group consulting duties I have spoken to many CEOs and CIOs of mid-market companies. Like CEOs and CIOs everywhere, they are always looking for ways to do things better, faster and cheaper. They recognize the cloud may have the promise to deliver better, faster, cheaper. They just don’t know what and how to put there.
One midsize company I have dealt with is subject to the PCI DSS regulations. They would like to shrink their IT footprint. The edict from the executive team was to “move everything to the cloud”. Now the CTO, CIO and IT department started trying to make that happen.
As might be expected the developers had no problem setting up some public cloud instances as a dev environment. They went to their hosting company and set up a private cloud to begin to store some data. But they still had to worry about email, desktop productivity applications, on site network connectivity and of course security. They were very reluctant to move custom applications they used and developed to the cloud.
Faced with the fact that moving stuff to the cloud did not absolve them of obligations, the executive team realized that the cloud was not going to provide everything they had hoped for. Finding PCI compliant cloud solutions was also a daunting task.
At the end of the day the team there learned that though they could, if they really wanted to, move a lot of their IT infrastructure to the cloud, the cost, complexity and potential savings were not necessarily worth it. Securing their data in the cloud was possible, but it was no cheaper and not necessarily easier either.
So when thinking about moving to the cloud, the question may be not if, but what.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.
Recently online file sharing vendor Dropbox announced that it was doubling the amount of space it offers to its paying customers. The reason they said they were doing this is that people are using more storage now. Others say it was to remain competitive in the face of competition from Microsoft, Google, Apple and others.
No matter the reason, having cloud based storage and file sharing is a great benefit for many people in companies and as consumers. You can store your files in the cloud and access them anytime, anywhere from a wide variety of devices. You can share them with designated friends and associates and some services even allow version control.
But if it is so good, why have companies like IBM banned their employees from using it? The answer is simple, security. Many companies who initially embraced the whole BYOD and cloud app concept are now realizing that there is a price to be paid for the ease of use.
Once you have employees with the ability to move and store files in and out of your network, you lose control over who can access them and where they go. The fact is most employees were using their own Dropbox accounts with no control whatsoever from IBM.
If IBM had no control over these accounts, how can you as an SMB have any control? The answer is you probably can’t. The Dropbox case is an example of how BYOD (bring your own device) can impact your business. While giving employees freedom to use their own devices anywhere and anytime can be productive, it also introduces a whole new set of complications into the picture.
Managing these devices and services like Dropbox on your network is one consideration. Are you prepared to do so? Without a well thought out policy, having all of these devices on your network could become a disaster.
Also, remember these devices and their users don’t have to be physically on your premises to access your network and assets. The flip side of BYOD is access from anywhere, anytime. Are you prepared to manage that?
I think you can quickly see some of the problems that led to a company like IBM saying that Dropbox, as well as Siri and other BYOD tools are not allowed on their network. If IBM couldn’t put the policies, process and technologies in place to do this right, how can you?
So what are you doing regarding BYOD? It does make life easier in many cases, but there is a price to be paid. Have you thought it through? I am interested to hear your thoughts on this. Are Dropbox and similar BYOD apps OK for your SMB?
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.
Now that I have had a few days home from the RSA Conference to digest what I saw and heard, I am more convinced than ever that we are on the cusp of a sea change in IT. This profound rethinking of the way we use information technology is going to mean a huge change in the way the mid-market does business. It will also have a huge impact in designing a successful security strategy in mid-market organizations.
The change we are seeing in IT is the move away from on premises servers on the LAN storing databases and data that are accessed by applications running on desktop and laptop clients. Instead we will access apps via app servers located in the cloud. The data will reside in the cloud as well. Our clients will be a variety of mobile-enabled devices ranging from smartphones to tablets/pads and other lightweight devices. They won’t need giant hard drives, as the apps and data won’t live on them.
This promises to turn the traditional IT equation on its head. You are probably already seeing this dynamic in action with Bring Your Own Device (BYOD) having an impact in your organization, as well as web apps being accessed from all over your network. We won’t have to invest in expensive hardware which needs to be upgraded every two to three years. Even desktop and laptop machines will not be as in demand. It may be that employees bring their own access device of choice into the workplace and you have to deal with it.
This is also a game changer for the information security of your mid-market organization. The standard layered security model has resulted in security being deployed in lines. At the perimeter we have built a castle and moat system. We have invested millions of dollars in this perimeter defense where firewalls, IDS/IPS, gateway A/V and spam filters reside. Perhaps the greatest culmination of that entire perimeter defense is the UTM (Unified Threat Manager). Moving inward from the perimeter we have invested in identity and network access & monitoring, server or host based defenses and finally endpoint security.
All of this adds up to lots of security technologies operating often in their own silos. Finally, some of the larger enterprises have invested lots of dollars and time into SIEMs to pull all of this information together into one comprehensive view.
With the change coming to IT, our security model is going to change. Throwing all of the money and iron at the perimeter is going to be a waste. Building a castle locks us in, when our organizations want to get out. With everything we need “out there” we need a lighter, quicker but still secure perimeter. Next Gen Firewalls (NGFW) with their application and identity access control are a great option for these new perimeter defenses.
Identity and device access control is being built into the fabric of our network with smarter and more secure switches. Network monitoring solutions have also taken it up a notch, but overall can our networks just be flatter? If all of the “good stuff” is out there, what zones and areas do we need to establish in here? Maybe just who can get out there and when?
For server security, that will be a joint venture between your organization and your cloud/hosting provider. The service provider will be expected to provide host based security on the server whether it is physical or virtual.
Finally we come to the endpoint. There are some who say that many of our endpoint security anti-malware products are actually pretty useless today. While I realize there are many attack vectors that go right through our endpoint security, I am not ready to write them off just yet. In fact I think we need endpoint security products that go on our Macs, on our smartphones, on our tablets and everything else we use.
Would I like to see them be better and more effective? You bet I would. But just because they could be better, I don’t subscribe to the “they are useless” theory either.
This is of course just a general overview of what we might see. At each level if we drill in there will be more and more changes and adjustments. At the end of the day we will need to rethink each of our security strategies and see if they are still effective in this new IT architecture.
So how about you? How do you think this change in IT is going to change your security strategy?
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.
With all of the rush around RSA week last week, I didn’t get a chance to post on the “State of Cloud Security” report published by my friends at Alert Logic last week. I think this first installment of what promises to be a semi-annual report sheds some real light on the differences between on premises and cloud security environments and also advances the notion that despite the FUD, the cloud may in fact be safer for certain kinds of applications.
The report itself is an analysis of over 2.2B security events that were monitored by Alert Logic’s security team across over 1500 customers. With that volume of data you can really see trends and patterns develop. Also, because the data was split between hosted, cloud and on premises environments, it gives you a well-rounded view of what is being seen in the way of attacks out there. BTW, you can download the report here.
Here are the important takeaways I would like to focus on:
• When compared to traditional in-house managed IT environments, service provider environments show lower occurrence rates for every class of incident examined.
• Service provider customers experienced lower threat diversity (i.e., the number of unique incident classes experienced by a customer) than on-premise customers.
• On-premise environments were twelve times more likely than service provider environments to have common configuration issues, opening the door to compromise.
• While conventional wisdom suggests a higher rate of Web application attacks in the service provider environment, Alert Logic found a higher frequency of these incidents in on-premise environments.
So what does it mean? First of all, there is a real difference in the kinds of attacks and events we see in the cloud versus on premises. Anyone who is still saying that cloud security is no different than on premises cloud security, to paraphrase President Obama, “doesn’t know what they are talking about”.
Secondly, the cloud does appear to be safer. They see fewer kinds of attacks, fewer attacks overall and on the whole cloud/hosted environments have fewer configuration issues.
A third thing that is borne out in the data is something that I think intuitively we know. The bigger and more complex your environment, the more risk you have.
The report is chock full of other great information. It is free and you really should go download it. Also stay tuned for future versions of the report in the months and years ahead. Nice work by the Alert Logic team!