Wednesday, February 23, 2011

Security and Cloud Computing

Two of the big take-aways from the RSA Conference last week:

1) Cloud computing (in all its forms) presents substantial new challenges to an organization's data security and risk management plans.  A speaker in one of the sessions made an interesting point (sorry, I don't have the speaker's name in my notes): organizationally, we've been through a similar sea change before, when PCs invaded businesses roughly 25 years ago and the data that had been carefully kept in a centralized computing infrastructure spread out onto personally-managed, unsecured personal computers.  Just as it was "easy" for employees to bring personal computers into an organization, it is now "easy" for employees to sign up for cloud computing services and start storing protected information outside the organization's control.

We need better ways for organizations to know where in the cloud their information resides, who is putting the data into the cloud, and who is accessing the data, and to manage the risk of that information.

2) Cloud computing offers very handy new ways to deliver security functionality to customers.  Web application firewalls, data loss prevention, email anti-virus and anti-spam, and other technologies provided as cloud services offer convenient new capabilities for customers, and new market opportunities for providers.

As a result, I think that delivering security functionality as cloud services will help make it easier to provide security for mobile devices, particularly laptops at this point.  I hope we can drive smart phones and tablets towards better security through cloud offerings as well.

Monday, February 21, 2011

Back from RSA 2011 Conference

I'm back from the RSA 2011 Conference.  What an incredible opportunity to meet and speak with others in the industry and find out what is happening across the entire spectrum of security needs, policy, and products.  Near term, I'm planning to read more of the information published by the Cloud Security Alliance and become more familiar with the state of security in cloud computing.

Personally, it was very interesting to hear luminaries including Whitfield Diffie, Bruce Schneier, Ron Rivest, Adi Shamir, Len Adleman, and Dickie George talk about the foundations of cryptography and how their work has enabled modern computing and information security, especially cloud computing.  Great stuff.

Friday, February 11, 2011

WikiLeaks and Business Data

With all the buzz around the exposure of significant amounts of confidential data on the WikiLeaks web site the past few months, attention has been rising on the role of Data Loss Prevention (DLP) to help protect information.

Especially for small and medium businesses, the focus is on giving employees access to everything they need to get work done.  Access security is baked into operating systems and networks with things like accounts, groups, and firewalls, but the facts for small and medium businesses are: 1) employees have to be generalists, so most employees have access to most everything, 2) access management and monitoring get little, if any, attention, and 3) the emphasis is on getting the job done, but most employees have no idea of the exposures they are causing by using common tools (e.g., email) to transfer confidential information.

With all these limitations working against good protection of information, it's even more important for small to medium businesses to implement Data Loss Prevention systems.  DLP can help train employees to use better practices for protecting information by responding to well-intentioned but dangerous activities with "sorry, this was blocked" responses, and DLP can help prevent malicious exposures too.  All this can help avoid a "WikiLeaks" moment that can really harm a business.

Thursday, February 10, 2011

Java Security

When Java was new, one of the language's touted features was its safety as it ran programs in its virtual machine in a "sandbox" to thwart malicious code.  It's a useful idea to run security-related code under a trusted monitor, and it's an approach that Adobe is adopting for its applications that have been the target of attacks lately.

However good the sandbox approach is, Java has had quite a few exploitable vulnerabilities.  Brian Krebs has uncovered exploit packs available in the criminal underground that target Java.  For these exploit packs to be useful to attackers, there needs to be a large-enough installed base so that the exploits will be effective.  Java's ubiquity and number of vulnerabilities, as well as a lack of automatically-installed updates (and don't get me started about the updater always wanting to install a browser toolbar!), mean there is a wide base of computers on the Internet that can be successfully attacked.

There was a surprising denial-of-service vulnerability brought to light this week in Java involving parsing a particular set of floating-point numbers from string data (or even compiling one of these numbers in a Java program).  Today, Oracle has widely publicized the patch for the problem.  I hope this particular event brings the issue of keeping Java up-to-date to the fore so we can reduce the number of computers vulnerable to the "bad guys".

Wednesday, February 9, 2011

RSA 2011 Conference

I'm heading to the RSA 2011 Conference next week.  I'm planning to hit it hard with lots of sessions, meetings, and fun to learn more about protecting data, especially in cloud and mobile environments with emphasis towards small and medium enterprises that can really make great use of cloud and mobile offerings.

See you there!

Tuesday, February 8, 2011

Cloud Computing

The term "cloud computing" has meanings so wide-ranging that it is difficult to pin down.  It can mean Infrastructure as a Service (IaaS), like Amazon's cloud (public cloud) or a rack of VMware servers in a company's data center (private cloud).  It can mean Software as a Service (SaaS), like the Google Mail and Google Docs services.  Then there are Platform as a Service (PaaS) offerings, such as the easy-to-build website offerings from GoDaddy or Network Solutions.

Many of these offerings involve storing data or moving data outside of the protected domain of a company's internal network.  Even for data kept in an internal private cloud, security and compliance issues can be complicated by storage and transfer of data between systems that used to be physically separated and more "visible" to analysis by firewalls, intrusion detection (IDS/IPS) systems, and data loss prevention (DLP) systems.

I have worked with a number of companies deploying security solutions into private clouds, and am planning to teach my students about management and security issues in cloud computing this semester.  I am also researching putting security systems, such as DLP systems, into public clouds to provide Software as a Service offerings for easier accessibility and scalability.  As with the range of definitions for cloud computing offerings, the range of security issues involved in cloud computing can be overwhelming.

As I attend the RSA Conference 2011 next week, I plan to dig deeper into security, compliance, and legal issues in cloud computing.  It will be great to compare notes with others who are concentrating full-time on these cloud computing issues, and I plan to bring back lots of technical and operational guidance for both my students and the people I work with.

Monday, February 7, 2011

Firesheep

There's an extension for the Firefox web browser called Firesheep.  For those who install it, it allows passive capture of cookies for web sites.  Why is it a big deal?

For anyone who uses an unencrypted WiFi network, it means a "bad guy" with Firesheep can easily steal their web site cookies and use them to access private web sites.  If you ever use an unencrypted WiFi network, such as at a coffee shop, airport, or anywhere else, your Facebook, Google Mail, or other personal web accounts could be compromised.

Solutions?

1. Only use WiFi networks encrypted with WPA or WPA2.  Usually, this involves using a WPA-PSK or WPA2-PSK password.
2. If you use an unencrypted WiFi network, only use SSL (Secure Sockets Layer) security.  Some web sites don't provide SSL-enabled access, though.
3. Use a VPN (such as through your corporate network) when working from a WiFi network.
4. Only use a wired network.
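
For site operators, the same exposure can be checked from the server side. The following is an added example, not part of the original post: it reads the Set-Cookie headers a site returns and lists the cookies that can still travel over plain HTTP, where a passive listener on an open WiFi network could capture them. The hostnames, cookie names, and values are constructed sample data.

```python
# Added example: which cookies could a passive listener on open WiFi see?
# All hostnames, cookie names and values below are constructed samples.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, attribute dict)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def exposed_cookies(responses):
    """Return sorted names of cookies that can travel over plain HTTP.

    A cookie is exposed when it was set on an http:// response, or set on
    an https:// response without the Secure attribute (the browser will
    then also attach it to later http:// requests for that host).
    """
    exposed = set()
    for url, set_cookie_headers in responses:
        over_tls = url.lower().startswith("https://")
        for header in set_cookie_headers:
            name, attrs = parse_set_cookie(header)
            if not over_tls or "secure" not in attrs:
                exposed.add(name)
    return sorted(exposed)


# Constructed sample: (URL that was requested, Set-Cookie header values)
SAMPLE = [
    ("https://mail.example.com/login", ["SID=abc123; Path=/; Secure; HttpOnly"]),
    ("https://social.example.com/login", ["session=def456; Path=/; HttpOnly"]),
    ("http://news.example.com/", ["prefs=dark; Path=/", "auth=ghi789; Path=/"]),
]

if __name__ == "__main__":
    for name in exposed_cookies(SAMPLE):
        print("visible to a passive listener:", name)
```

A login cookie that shows up in this list is protected by SSL only while the user stays on https:// pages; marking it Secure keeps the browser from sending it over an unencrypted connection at all.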

Friday, February 4, 2011

Intro

Welcome to Info Loss.  I'm Guy Helmer, CTO of Palisade Systems and lecturer at Iowa State University in the College of Business.

My professional focus is on keeping data and systems safe.  Over the past two decades I have researched and engineered information systems that get work done while keeping information secure.  I'm teaching students about software development and network systems at ISU using these same principles, and I'm building systems to help small and medium businesses protect their data.

I'll use this blog to discuss topics, big and small, relating to data protection as the world of computing and networks continues to grow and evolve.