
Showing posts from January, 2013

Identity Management: Data or Security?

I was having a discussion this week with a colleague about identity management transformation projects, and how organisations get from the all-too-common quagmire of complexity, low re-usability and low project success to something resembling an effective identity and access management (IAM) environment.  Most projects start off with a detailed analysis phase, outlining the current 'as-is' state, before identifying the 'to-be' (or not to be) framework.  The difference is wrapped up in a gap analysis package, with work streams that help to implement fixes to the identified gaps.  Simple, right?

IAM Complexity

IAM is renowned for being complex, costly and effort-consuming from a project implementation perspective.  Why?  The biggest difference from, for example, large IT transformation projects (think enterprise desktop refreshes, operating system roll-outs, network changes and so on) is that IAM tends to have stakeholders from many different parts of the business.  …

Sony ICO Fine: Damage Was Already Done

This week tech and games giant Sony was hit with a nifty £250k fine from the UK's Information Commissioner's Office (ICO).  This was in response to Sony being hacked back in April 2011, in an incident which exposed millions of customer records, including credit card details, for users of the PlayStation Network (PSN).  The ICO stated that Sony, as a data controller, had failed to act in accordance with the Data Protection Act, which requires it to protect personal information to certain standards.

The incident itself proved to be a logistical and PR nightmare, costing Sony an estimated $171m in lost revenue, legal and clean-up costs.  Whilst the ICO's fine is insignificant next to the actual cost of the damage done nearly two years ago, it acts as a timely reminder that every significant data breach by a data controller will be investigated, any irregularity identified, and appropriate accountability applied.

The ICO has the ability to fine organisations up to half a million poun…

Security Analytics: Hype or Huge?

"Big Data" has been around for a while, and many organisations are forging ahead with Hadoop deployments or looking at NoSQL database models such as the open-source MongoDB, to allow for the processing of vast logistical, marketing or consumer-led data sources.  Infosec is no stranger to a big-data approach to data gathering and analytics.  SIEM (security information and event management) solutions have long been focused on centralising vast amounts of application and network device log data in order to provide a fast repository against which known signatures can be applied.
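To make the "centralise, then apply known signatures" idea concrete, here is a small Python script added to this page (it is not code from the original post, nor from any SIEM vendor). It normalises log lines from two different sources (sshd-style auth messages and a key=value firewall line) into one event schema, stores them centrally, and runs a single correlation signature over the store: a burst of failed SSH logins from one source address followed by a successful login from the same address. The sample log lines, hostnames, addresses, thresholds and rule names are all constructed for the example.

```python
"""
Toy SIEM: normalise heterogeneous log lines into one schema, then run a
'known signature' (correlation rule) over the central event store.
Added example; all log lines below are constructed, not real captures.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input from two log sources (sshd and a firewall).
SAMPLE_LOGS = [
    "Jan 14 09:12:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2",
    "Jan 14 09:12:03 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51124 ssh2",
    "Jan 14 09:12:07 web01 sshd[2231]: Failed password for root from 203.0.113.5 port 51130 ssh2",
    "Jan 14 09:12:09 web01 sshd[2231]: Failed password for root from 203.0.113.5 port 51131 ssh2",
    "Jan 14 09:12:15 web01 sshd[2231]: Accepted password for root from 203.0.113.5 port 51140 ssh2",
    "Jan 14 09:12:20 fw01 kernel: action=deny src=198.51.100.9 dst=10.0.0.4 dport=22",
    "Jan 14 09:30:00 web01 sshd[2300]: Failed password for alice from 192.0.2.10 port 40000 ssh2",
]

# Source-specific parsers.  A real SIEM ships hundreds of these; the point
# is that everything downstream sees only the normalised schema.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)
KV_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<kv>.*)$")


def parse_ts(text, year=2013):
    """Syslog timestamps carry no year; the year is an assumption here."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def normalise(line):
    """Map one raw line to the common schema, or None if no parser matches."""
    m = SSHD_RE.match(line)
    if m:
        action = "auth_fail" if m["outcome"] == "Failed" else "auth_success"
        return {"ts": parse_ts(m["ts"]), "host": m["host"], "src": m["src"],
                "user": m["user"], "action": action}
    m = KV_RE.match(line)
    if m:
        kv = dict(pair.split("=", 1) for pair in m["kv"].split())
        return {"ts": parse_ts(m["ts"]), "host": m["host"], "src": kv.get("src"),
                "user": None, "action": "fw_" + kv.get("action", "unknown")}
    return None


def build_store(lines):
    """The 'central repository': every parseable line, in one schema."""
    return [ev for ev in (normalise(l) for l in lines) if ev is not None]


def detect_bruteforce(events, threshold=4, window=timedelta(seconds=60)):
    """Signature: >= threshold auth failures from one src within the window,
    then a success from that same src.  Returns a list of alert dicts."""
    alerts = []
    fails = defaultdict(list)   # src -> timestamps of recent failures
    flagged = set()             # sources already alerted on
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["action"] == "auth_fail":
            # sliding window: keep only failures inside the window
            fails[src] = [t for t in fails[src] if ev["ts"] - t <= window]
            fails[src].append(ev["ts"])
            if len(fails[src]) >= threshold and src not in flagged:
                alerts.append({"rule": "ssh_bruteforce", "src": src,
                               "count": len(fails[src]), "ts": ev["ts"]})
                flagged.add(src)
        elif ev["action"] == "auth_success" and src in flagged:
            alerts.append({"rule": "ssh_bruteforce_success", "src": src,
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts


def run_example():
    return detect_bruteforce(build_store(SAMPLE_LOGS))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The single lonely failure from 192.0.2.10 and the firewall deny never trip the rule; only the four-in-eight-seconds burst from 203.0.113.5 does, and the subsequent "Accepted password for root" from that address is escalated to a second, higher-severity alert. That escalation is exactly what the normalised schema buys: the rule never needs to know what sshd's log format looks like.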

Big & Fast

The SIEM vendor product differentiation approach has often been focused on capacity and speed.  Nitro (McAfee's SIEM product) prides itself on its supremely fast Ada-written database.  HP's ArcSight product is all about device and platform integration and scalability.  The use of SIEM is symptomatic of the use of IT in general - the focus on automation of existing problems, via integrati…

Protection Without Detection

I read an article this week by the guys at Securosis that referred to a study on anti-virus testing.  I'm not going to comment on the contents of the article, but I loved the title of the blog, which I've subtly used for inspiration here.  The concept of protection without detection.  Just think about that for a second.  It's a mightily powerful place to be.  It's also a position we generally see applied to the 'real world' too.  Not that information security isn't the real world, of course.

You take prescribed medicine or wash your hands with antibacterial gel without knowing the names, consequences or impact of the bacteria you have killed.  You lock your luggage with a combination lock and are not aware, at the other end of the flight, who has attempted to touch, open or get into your bag.  Your salary gets paid into the bank every month, at which point the bank can invest that cash, lend it to other people and so on.  You aren't really concerned…