
Showing posts from 2011

InfoSec End of Year Review - 2011 into 2012

The end of the year is coming - the goose is getting fat, the gritters are ready (some maybe even with salt...) and the supermarket 2-for-1 offers on mince pies are overwhelming.  As such, I thought it would be a good time to reflect on what have been the main interest areas of 2011 from an information security perspective and what might become of 2012 - the 'new' threats or the possible realisation of the old ones - all before we lose ourselves in the midst of Christmas parties, over-eating and the warmth of a log fire.

Everyone is Aiming for the Sky (or at least the clouds) - Now beyond the hype point of deployment, many organisations are dipping their corporate toes into outsourced on-line provisioning of infrastructure, applications and services.  This emphasis on outsourced components will lead to many questions surrounding data privacy in multi-tenanted environments, supplier auditing, 'Chinese wall' considerations and SLA management.  Any organisations considering …

Securing Information - An Ideology not a Tool

Keeping stuff secure - it's a funny old business.  I've been fortunate to work at several different ends of that process.  Firstly within industry, working alongside business-as-usual processes and policies; then at vendors making tools to help automate security processes; and then on implementation at companies of various sizes requiring business and technical consulting.

At all stages, the main focus was technology.  Configuring a piece of technology so it was more secure: password management, ACL management, encryption standards, service disabling, policy lock downs and so on.

Whilst working at numerous vendors, the main focus was on selling an idea that a tool could automate many of the manual tasks associated with keeping data secure - access certification processes, creating roles to manage ACL, creating audit reports and so on.

One of the big areas missing was that of focusing on the human involvement in the security process. Whilst undoubtedly tooling has a huge part to …

The Best Firewall? People

A firewall.  An aggressive connotation. A wall, made of bricks and cement, literally on fire.  As far as protection goes, that is pretty good.  Firewalls in a computing and network sense have been around a while, gaining popularity in the late 1980s when inter-networked computers and later the full-blown internet came to the fore.

The main crux of the firewall is to prevent network traffic from reaching a destination based on a set of rules.  Pretty simple.  One side of the firewall is a trusted 'safe' area (normally known as the private network) and the other side of the firewall will be untrusted, or the public network.  Keeping the two separate makes sense and allows for greater control over network traffic and its data.  So firewalls are generally placed at the outermost part of the private network, often with a demilitarized zone (DMZ) in between, which acts like a no-man's land where both public and private traffic can enter.

As security has gained focus over…

Emerging Threats

I was at a recent Information Systems Audit and Control Association event which discussed the future of threats to the individual and the enterprise, including concerns such as cyber attacks, advanced phishing, data governance and more.

Whilst working at Oracle as an EMEA consultant, I worked with many large organisations (> 30k employees) within the financial services and telecoms industries, focusing on their approach to identity management - working out who has access to what and why.  This is still a fundamental approach to basic information security management, but now we are seeing information being accessed in a variety of different ways, which in turn creates opportunities for information and data attacks in new and sophisticated ways.

Mobile - The increased use of mobile and hand-held devices, whilst it increases the ability for remote working, also increases the risks to the individual, from the likes of rogue apps, identity threats and viruses.  Whilst many major app store…

Facey and The Social Graph

Sounds like a good film doesn't it?  Well, last week, Mark Zuckerberg et al, announced the next phase of Facebook development and focus at their F8 conference.

Whilst his stage presence still leaves a lot to be desired, the rich vein of social networking foresight and feature list is as thought-leading as ever.  Whilst Facebook can claim its 750m (or whatever the number is this week) signed-up users, those users have generally been focused on social interactions.  The show and tell of life.  Updates, sharing pictures, engaging with lost contacts, far-flung family and the like.  You know how you use Facebook.

Over time those interactions tried to branch into different categories.  Bands and businesses created pages.  Groups evolved.  Apps became pandemic.  Facebook contains a lot of folks and this attracts advertisers, attention seekers and information distributors.

However, the concept of the social graph is taking those interactions into the next level.  The idea being that …

Simple Design for Happier Users

How many buttons does Google have?  Yes, exactly (2 is the answer if you can't be bothered checking).  OK, so there are a few hyperlinks to click as well, but as far as buttons associated with a form are concerned there are just two.  How many on Twitter?  Once logged in there aren't any!  How simple can it get?

One of the many things the product design team at Scholabo have to manage is how to control the amount of information each of the end users will be exposed to.  For those who don't know Scholabo, it's an online communication and content distribution site acting as a conduit between schools and parents.  The parents being the consumers of information and the teachers and schools being the producers.

One of the key aims was always to make the decision making part for the end user as small as possible.  By that, I simply mean taking the Convention-over-Configuration approach to how a user actually uses the system.  For 80% of the end user use cases, we aimed to im…

The DNA of Search

The internet.  It's a big old place.  Full of stuff.  Files, stories, movies, music, pictures, news, reviews.  You name it, the internet has a virtual online version of it.  But how do you find what you want?  Via a search engine of course.

The search engine of choice is generally seen to be Google.  Obviously there are local variations to this, with Baidu in China for example and other more specialised engines such as ChaCha which focuses more on human analysis of the results instead of pure computational searching.   However, to generally get the most out of the internet you need to search, index and categorise what you want to view.

The basic idea behind a search engine is firstly for it to create an index of available web pages.  This index is created by automated robots or spiders, that crawl as many existing public web pages as possible, checking links and identifying the contents of the HTML pages to allow searches to be performed.

A user would then enter a list of keywords…

Has The Big Dog Had Its Day?

The end of the megalithic software vendor?


Who Are The Big Dogs?
When you think of the big dog, game-changing software companies you think of Microsoft (PCs), Apple (cool-factor), Oracle or IBM (enterprise), Google (search and now mobile) and I guess if you stretch it a little Cisco (yes I know they are primarily network hardware, but that hardware needs an OS) too.  There are a few others, but you get the idea.  Most of these big dog software vendors are indeed just big dogs, and occupy many positions in the NASDAQ's top 10 for market capitalisation.


But Has the Big Dog Had Its Day?
Is there a point where organisations like these either become too 'large' or simply become less relevant?  15 years ago Windows was seen as the only way for desktop operating systems, certainly within the enterprise, being bundled on the latest HP and Dell hardware without question.  Today, it doesn't take long to find the latest netbook running Ubuntu or another Linux dist…

Pizza, Music & Beer - How To Build a Rockstar Team

Building any new team takes considerable effort, thought and direction.  Building a core startup team, capable of work far outreaching the number and talent of the people involved, is the holy grail, but not impossible.


Create and publicise an end goal - To get the best out of any team requires direction.  That direction comes from identifying an end goal.  What is the team really there for?  Not the small every day tasks and job description values, but what is the underlying value that the team gives above and beyond anything else they have to do to achieve that?  Those goals are generally far reaching and ambitious but still succinct and easy to understand and benchmark.  "It doesn't matter what it takes, but our website must always be up" etc.

Identify the path ahead - The path ahead will be rocky.  But it needs identifying for at least the next 6 - 12 months.  The finer points of that journey will (and hopefully should) change.  That's the flexibility of working i…

Agile Programming and Agile Selling

In web tech, everyone is keen on Agile development.  If it's not agile (or a variant delivering similar results) most folks aren't interested.  The main themes behind Agile development tend to focus on speed, change, transparency and increased satisfaction.  These themes, in reality, can and perhaps should be applied to most areas of customer-facing business.

Everyone wants something yesterday.  Most people want improvements or changes to existing processes, standards or services.  Most people want to know what's going on - and that is especially so when things go wrong.  So that means most people want transparency too.

One of the themes regarding agile design is that of feedback.  Good quality end user feedback is like the holy grail.  I don't mean good as in they like your stuff, I mean good as in it's quick, reliable and appropriate and can accelerate the development process with regards to identifying bugs, incorrect features or processes.

Selling should be the sam…

What's All The Google Plus Fuss?

Unless you've had your netbook / laptop / iPad / iPhone / Android / desktop PC (do they really still exist?) switched off in the last week or so, you would have noticed many people tweeting and blogging about Google's new social networking project.  Google+ (or Google Plus, as there isn't a consistency afaik) is the so-called death eater of Facebook, the overnight disease of Twitter and, for the recently Microsoft-acquired Skype, who knows?  If the hype is to be believed, of course.

With features that arguably take the best out of the most popular of the existing social networking platforms, it's easy to see why so much hype and attention has been placed upon it.  With any product though, there are benefits to be realised from having the first-mover-advantage.  In the case of Google+, you can just argue they've let other players iron out the market before they've come along with a more succinct approach.  If it wasn't for the Wright brothers we wouldn't …

House on the Cloud?

I work in IT.  I know a few things about computers.  So when someone mentions the word 'cloud' I generally know what they're talking about.  And I generally glaze over when they start talking about 'the future', or 'amazon', or say they're working on a 'cloud infrastructure'.  So what?  Big deal.  Will it improve the business or end user experience?

In the short term probably not.  Most organizations will have a cloud project of some sort.  Even if that project is to simply find out what the cloud project should be.  That's fair enough.
The technology, process, security and personnel of cloud are *relatively* new in comparison to stuff like client-server computing or thin-client infrastructures.  However, the more subtle uses of cloud-like services have started to appear in my home.  And that I am all for.

Take television for example.  Last year I upgraded my satellite kit to include a disk-based recording system.  So now I can record and watch…

Do Obscure Tools Make Better Products?

If all mechanics used the same set of tools, took the same approach and offered the same service they'd all cost the same and be highly competitive.  This is true for any homogeneous service or product offering.  Salt is salt no matter where you buy it from, so competition is based on price, as salt from one supplier is deemed to be substitutable with salt from another supplier.  The opposite approach to that is making your product or service offering highly differentiated, thus creating brand or product loyalty.  Here, competition can't be based on price, as no other offering in the market place is a true replica of your own, so substitution can't occur.  Non-price competition allows you to leverage an increased price and gain greater competitive advantage.


Not all products or offerings are suitable for differentiation, as a lot depends on the market place and the existing conditions.  However, one way to become differentiated is to alter what tools and processes you use to…

Is the Internet Too Big?

Well, to be honest I'm not sure what 'too big' actually means.  I guess firstly you would need to define what the internet is, define a metric, create a yardstick, compare the two, analyze the outcome, create some reasoning for your argument and so on....but that really isn't that interesting.  My thought was really around how do we, as simple human beings, consume, use and manage all the data thrown at us from the internet?  And really, is there too much data out there?

Think of the wave of truly internet-ready sites that have become as common as sliced bread, the car and TV.  I'm thinking Google, Wikipedia, Facebook and more recently Twitter.  There are probably others that most people could not live without, but most people on the planet are likely to have heard of at least one of those 4, even if they've never used them or indeed owned a computer.  They have become part of our working and personal lives.  We alter our patterns and habits around them, arrange socia…