Travel: Off to Scotland, UK and France Until 11/21

November 16th, 2007

I’ll be off today to Scotland, the UK and ultimately France for almost a week. 

There’s a really interesting conference taking place at our center in St. Paul de Vence (France) regarding the Consumerization of IT. 

You’ll recall that this is one of the topics covered in my "Embracing Disruptive Innovation" deck.

In fact, that’s what I’m going to be speaking about; the ramifications and implications that the consumerization of IT is having on enterprise security.

Back the night before Turkey Day so that the missus isn’t too wound up! 😉

Have a great Thanksgiving, everyone.

/Hoff


BeanSec! Wednesday, November 21st – 6PM to ?

November 16th, 2007

This month’s BeanSec! will be even more informal than usual given its proximity to Turkey Day.  We didn’t want to cancel or move it, so those of you who want to show up are welcome to do so.

It will likely be a light turn-out.

Please be aware that I will not be there and, as such, food and drinks will not be paid for as they usually are.


Yo!  BeanSec! is once again upon us.  Wednesday, November 21st, 2007.

BeanSec! is an informal meetup of information security professionals, researchers and academics in the Greater Boston area that meets the third Wednesday of each month.

I say again, BeanSec! is hosted the third Wednesday of every month.  Add it to your calendar.

Come get your grub on.  Lots of good people show up.  Really.

Unlike other meetings, you will not be expected to pay dues, “join up”, present a zero-day exploit, or defend your dissertation to attend.  Map to the Enormous Room in Cambridge.

Enormous Room: 567 Mass Ave, Cambridge 02139.  Look for the Elephant on the left door next to the Central Kitchen entrance.  Come upstairs.  We sit on the left hand side…

Don’t worry about being "late" because most people just show up when they can.  6:30 is a good time to aim for.  We’ll try and save you a seat.  There is a parking garage across the street and 1 block down, or you can try the streets (or take the T).

In case you’re wondering, we’re getting about 30-40 people on average per BeanSec!  Weld, 0Day and I have been at this for just over a year and without actually *doing* anything, it’s turned out swell.

We’ve had some really interesting people of note attend lately (I’m not going to tell you who…you’ll just have to come and find out.)  At around 9:00pm or so, the DJ shows up…as do the rather nice looking people from the Cambridge area, so if that’s your scene, you can geek out first and then get your thang on.

The food selection is basically high-end finger-food appetizers and the drinks are really good; an attentive staff and eclectic clientèle make the joint fun for people watching.  I’ll generally annoy you into participating somehow, even if it’s just fetching napkins. 😉

See you there.

/Hoff


Hypervisors Are Becoming a Commodity…Virtualization Is a Feature?

November 14th, 2007

A couple of weeks ago I penned a blog entry titled "The Battle for the HyperVisor Heats Up" in which I highlighted an announcement from Phoenix Technologies detailing their entry into the virtualization space with their BIOS-enabled VMM/Hypervisor offering called HyperCore.

This drew immediate parallels (no pun intended) to VMware and Xen’s plans to embed virtualization capabilities into hardware.

The marketing continues this week with interesting announcements from Microsoft, Oracle and VMware:

  1. VMware offers VMware Server 2 as a free virtualization product to do battle against…
  2. Oracle offering "Oracle VM" for free (with paid support if you like), which claims to be 3 times as efficient as VMware — based on Xen.
  3. Microsoft officially re-badged its server virtualization technology as Hyper-V (nee Veridian), detailing both a stand-alone Hyper-V Server as well as technology integrated into W2K8 Server.

It seems that everyone and their mother is introducing a virtualization platform and the underpinning of commonality between basic functionality demonstrates how the underlying virtualization enabler — the VMM/Hypervisor — is becoming a commodity.

We are sure to see fatter, thinner, faster, "more secure" or more open Hypervisors, but this will be an area with less and less differentiation.  Table stakes.  Everything’s becoming virtualized, so a VMM/Hypervisor will be the underlying "OS" enabling that transformation.

To illustrate the commoditization trend as well as a rather fractured landscape of strategies, one need only look at the diversity in existing and emerging VMM/Hypervisor solutions.   Virtualization strategies are beginning to revolve around a set of distinct approaches where virtualization is:

  1. Provided for and/or enhanced in hardware (Intel, AMD, Phoenix)
  2. A function of the operating system (Linux, Unix, Microsoft)
  3. Delivered by means of an enabling software layer (nee platform) that is deployed across your entire infrastructure (VMware, Oracle)
  4. Integrated into the larger Data Center "Fabric" or Data Center OS (Cisco)
  5. Transformed into a Grid/Utility Computing model for service delivery

The challenge for a customer is making the decision on whom to invest in now.  Given the fact that there is not a widely-adopted common format for VM standardization, the choice today of a virtualization vendor (or vendors) could profoundly affect one’s business in the future, since we’re talking about a fundamental shift in how your "centers of data" manifest.

What is so very interesting is that if we accept virtualization as a feature, defined as an abstracted platform isolating software from hardware, then the next major shift is the extensibility, manageability and flexibility of the solution offering, as well as how partnerships knit together between the "platform" providers and the purveyors of toolsets.

It’s clear that VMware’s lead in the virtualization market is right in line with how I described the need for differentiation and extensibility, both internally and via partnerships.

VMotion is a classic example; it’s clearly an internally-generated killer app that the other players do not currently have, and it really speaks to being able to integrate virtualization as a "feature" into the combined fabric of the data center.  Binding networking, storage and computing together is critical.  VMware has a slew of partnerships (and potential acquisitions) that enable even greater utility from their products.

Cisco has already invested in VMware and a recent demo I got of Cisco’s VFrame solution shows they are serious about being able to design, provision, deploy, secure and manage virtualized infrastructure up and down the stack, including servers, networking, storage, business process and logic.

In the next 12 months or so, you’ll be able to buy a Dell or HP server using Intel or AMD virtualization-enabled chipsets pre-loaded with multiple VMM/Hypervisors in either flash or BIOS.  How you manage, integrate and secure it with the rest of your infrastructure — well, that’s the fun part, isn’t it?

I’ll bet we’ll see more and more "free" commoditized virtualization platforms with the wallet ding coming from the support and licenses to enable third party feature integration and toolsets.

/Hoff

One Man’s Threats Are Another Man’s Opportunities (Embracing Disruptive Technology)

November 12th, 2007

Last week, Jim Rapoza from the ZD Enterprise’s Emerging Technology blog wrote an article that caught my eye titled "Emerging Security Threats."

I popped on over to get what I suspected would be my weekly fill of Botnets gone wild and other malware-laden horror stories, only to be surprised to find that the top emerging security threats were actually many of the same strategic technologies that CIOs reported to Gartner as those "…with the potential for significant impact on the enterprise in the next three years."  Go figure.

Jim summarized the intent of his post thusly:

Emerging technologies can bring a whole host of benefits, often improving productivity, changing the way businesses interact and enhancing the lives of people all over the world.

And whenever a new technology comes out and gets a lot of hype, there is a lot of enthusiasm about the many benefits and new capabilities that this technology provides.

But, also without fail, there is one key thing that almost no one ever talks about. What is this hidden factor? It’s security.

Over the years I’ve gone to lots of conferences and seminars dedicated to emerging technologies, from Web 2.0 to virtualization to virtual worlds. And the one thing that pretty much never gets covered (or even mentioned) in these conferences is security.

Of course, this is understandable. New technologies are just introducing themselves to the world. It’s sort of like a first date. When you go on a first date, you probably don’t start out talking about all of your illnesses and insecurities. The same goes for emerging technologies. Their creators just want to promote their good points.

But for users of these technologies, ignoring the potential security threats that these emerging technologies introduce can lead to big problems, including data theft, system compromises and the spread of malware.

I think that Jim’s analogies are basically good ones; security has historically been an afterthought.  But in the context of my last couple of posts, drawing attention to the disruptive effect these technologies have and to their generally under-capitalized security investment in the manner he does in effect sensationalizes an already flammable scenario.

The reality-based analog that is suitable for contrast here is the old cliché: "guns don’t kill people…people kill people."  As corny and over-played as that is, technology doesn’t cause threats to materialize magically; the poor implementation of the technology does.

Rather than work to rationally discuss security in context and consider these disruptive technological innovations as opportunities to leverage, they are ultimately painted here as evil.  This is exactly the sort of "security is a speed bump" persona we need to shed!

Check out the purported horror show of "emerging threats" below and compare them to Gartner’s Top 10 Strategic Technologies for 2008-2011 to the right.  These technologies possess "factors that denote significant impact include a high potential for disruption to IT or the business, the need for a major dollar investment, or the risk of being late to adopt."

  1. Ajax
  2. Google Apps
  3. Mobile Devices & Applications
  4. RFID
  5. Rich Internet Applications
  6. RSS
  7. Social Networks
  8. Virtual Worlds
  9. Virtualization
  10. VoIP

How many of either of the Top-Ten lists above are you dealing with today?

Check out the slideshow.  Lovely artwork, but abrasive and vague at best.  Rather than paint a balanced portrait of pros and cons as his introduction alludes to or suggest how these technologies can be deployed securely, we instead get soundbites like this:

VOIP – VOIP systems have greatly broadened the telecom options for businesses, not only freeing them from traditional phones but making it possible to easily tie voice into other enterprise applications. But VOIP systems can be easily tapped by anyone and have become an attractive target for hackers.

The reality is that any new technology has the potential to allow "bad stuff to happen."  I think we all know that already.  What would be really useful is a way of managing this process.  I think there’s a better way of communicating without relying on fear.

/Hoff


Security and Disruptive Innovation Part II: Examples of Disruptive Innovation/Technology in the Security Space

November 12th, 2007

Continuing on from my last post titled Security and Disruptive Innovation Part I: The Setup, we’re going to take the general examples of innovative technological industry disruptors in slide 3 and highlight some security-specific examples to bring the point a little closer to home.

In this case, we’re going to reflect upon security practices, movements and methodologies and how disruptors, market pressures and technology are impacting what we do and how.  The point of this is to discuss a framework of how to embrace and manage the process of evaluating emerging technologies and disruption and manage to it proactively.

13. Examples of Disruptive Innovation in Security

As we demonstrated previously in slide 3, the impact that disruptors in the right-hand column caused against those who enjoyed market dominance in the left-hand column was profound.  In many cases, the incumbents never saw it coming.

Some of these shifts were incremental and some were radically game-changing.  Some took quite a while to catch on, while others benefited from the viral "sneezers" (as Seth Godin is fond of saying.)

Here we see a list on the left featuring established thought leadership, generally observed practices and methodologies and what some might describe as the status quo within the security industry.

The corresponding list on the right represents emerging disruptive innovation and technology.  Most of you should be familiar with these issues.  To some, they are merely background noise — glacially eroding the landscape while the day-to-day priorities are dispatched —  while to others they represent pressing business concerns and abrasive friction, threatening the manner in which security programs are executed and competing for attention at every turn.

Let’s take a look at each of these samples in more detail; the slides are just talking points, so I’ll add color in the accompanying text.  This will be split into a couple of posts.

14. The Outsourcing of Security

In my experience, outsourcing in general provokes a visceral response no matter which side of the fence one may choose to sit on.  Pro or con, outsourcing of services is a matter of course in today’s world.

Whether the motivation is taking cost out of the business, focusing on competencies, the transference of risk or improving operational efficiency, if you haven’t felt some impact from the outsourcing movement already, you surely will at some point shortly.

If one starts poking around the notion of outsourcing "security" functions to resources outside of an InfoSec shop’s internal corps, it’s often bound to generate sparks.

In general, my observations have been that InfoSec staffers become incredibly defensive about the feasibility and perception of security when discussing outsourcing elements of a security program.  Many of these arguments are instinctual and not business-driven but are autonomic and reflexive.  It’s really hard to let go of the fact that the value we purport to provide the business is, in many cases, becoming a feature set of a larger operational machine.

In many cases I have personally witnessed, the arguments against outsourcing security are supported with knee-jerk comments citing "possible exposure," "unacceptable risk," or "regulatory issues" but rarely have any hard data (read: quantifiable metrics) to back them up.  Neither hope nor FUD is a very good strategy.

The reality is that in many cases, mature operational functions represent excellent opportunities for outsourcing.  Many of these have capital and operating expenses that can be reduced or altogether eliminated and allow for the "security" team to focus on more important things.

Common examples of outsourced low-hanging fruit security functions today include:

  • Managed firewall
  • Managed Intrusion Detection/Prevention
  • Anti-Spam
  • Vulnerability Assessment/Management
  • Secure Messaging

Combined with operational models such as Software as a Service (SaaS) which we’re going to talk about shortly, we’re even seeing examples of outsourced application and code analysis, complete application outsourcing, etc.

Obviously this all comes down to the type of business you’re in and the risk associated with letting some other party operationalize elements of your business processes, but it’s happening in a big way and will continue to do so.

I’ve personally witnessed an example of Fortune 500 companies dissolving their entire operational administrative and security teams and selling their data center hard assets to a management services company.  This company then leases back the management of the IT and Security operations as a service, allowing the security team to act as architects and focus on more pressing, relevant business issues instead of firefighting.  They become much more strategic and integrated with the business.

The disruptive argument for outsourcing revolves around the issue of spending time and money paying legions of administrators and security folk to perform tasks which are oftentimes not critical, do not add business value, and can be obtained elsewhere at competent (or perhaps higher) levels of quality, faster and cheaper.

How would you take the cost savings/avoidance benefits of outsourcing and describe how you might invest it elsewhere in your security spend to demonstrate better alignment to the business?

15. The Consumerization of IT

A good number of security professionals are also masterful consumers and collectors of toys of one kind or another.  As aficionados of all things tech, you’ll often find even the most conservative security wonks lining up to buy the latest kit with the newest features on release day.

Rationalizing why we might need to upgrade to a phone with video playback, camera, massive storage, WiFi, web browsing and open APIs is easy: flexibility, agility, efficiency, connectivity…it lets one do what one wants/needs/likes to do faster, better, easier, and cheaper, right?  At least that’s what we tell our wives 😉

In what can only be described as a case of clinical schizophrenia, the same iPhone-toting CISO might also be the first to rail against the introduction of these new technologies within the enterprise despite the exact claims and justifications being made by the business.

New technology is often introduced into the organization and championed under the same banners of enhanced efficiency, agility or customer experience, and these initiatives are often critical elements that a business invests in so as to secure a competitive business advantage against the competition.

Strangely, the business value for the adoption of many of these consumer-based technologies entering the enterprise (even if it’s merely "good will") is often times ignored and cast aside in the name of "security" with the overriding inflexibility chalked up to "implied" risk, undisclosed (invisible?) vulnerabilities and simply bad "juju" — all grouped under the iron-clad containment of the almighty "security policy."

Now, there are also many very reasonable reasons to suggest that allowing employees to use consumer technologies within the enterprise is a difficult concept: support, confidentiality, privacy, regulatory requirements.  There are valid issues to be dealt with, and it is really important that the business is aware of the impact of its decision to allow this sort of technology to be used.

There are two dirty little secrets that must be accounted for when discussing the consumerization of IT within the enterprise and your business constituents:

  1. It’s not Security’s place, birthright, charter or problem to be the judge, jury and executioner as to what is allowed or not allowed.  It *is* Security’s job to advise the business and allow them to make a (gasp!) business decision on the matter.
  2. They’re doing it anyway and will continue to do so.

If a technology or innovation allows an employee who actually contributes to the bottom line to do his/her job better, more efficiently and at lower cost, and helps drive revenue that contributes to your budget (read: paycheck), why is this a bad thing!?

If you’re doing your job, the business will take your advice seriously and will make a decision based on fact.  They may decide that despite your advice, the technology or innovation is compelling enough to outweigh the potential risk.  Other times they might not.

Either way, you’ve done your job. 

Remember when WiFi first appeared?  Most enterprises and their IT and Security teams vehemently attempted to prevent its use by policy citing the lack of business need and security concerns.  There were certainly security issues that needed to be solved, but today WiFi has emerged as a disruptive technology that is indispensable as a tool.  If you have remote employees, you are first-row-center observers as to how WiFi as a disruptive innovation has changed the landscape.

Many companies have these enormous virtualized and distributed workforces.   To facilitate such a decentralized model, these companies are beginning to embrace a program that my company calls the "Digital Allowance." 

Digital Allowance provides an annual stipend to employees to allow them to go out and purchase technology that they will use to do their jobs.  They can use their home computers, their iPhones, etc. to do their jobs if it meets pertinent and reasonable requirements.

It is the job of the IT and Security teams to provide a safe and reasonably secure computing environment to allow employees to do their jobs without putting the company in harm’s way.

This sort of program is taking off as companies realize that consumer, pro-sumer and enterprise technologies are colliding at a velocity of change that makes it difficult to distinguish between them, and the business benefits outweigh the downside.  In fact, my company has a business consulting practice that teaches other companies how to put these programs in place.

Most security professionals curl up in a fetal position (as I first did, admittedly) when considering this sort of program.  How are you dealing with the consumerization of IT within your company?

Up Next: Part III – The Examples Continue…


Security and Disruptive Innovation Part I: The Setup

November 8th, 2007

As a follow-on to my post on security and innovation here, I’m going to do a series based upon my keynote from ISD titled "Why Security Should Embrace Disruptive Technology" with a brief narrative of each slide’s talking points.

The setup for the talk was summarized nicely:

IT departments have spent the last 10+ years enabling users by delivering revolutionary technology and delegating ownership and control of intellectual property and information in order to promote agility, innovation and competitive advantage on behalf of the business. Meanwhile IT Security has traditionally focused on reining in the limits of this technology in a belated compliance-driven game of tug-of-war to apply control over the same sets of infrastructure, intellectual property and data that is utilized freely by the business.

Christofer Hoff, chief architect for Security Innovation at Unisys and former Security 7 winner, will highlight several areas of emerging and disruptive technologies and practices that should be embraced, addressed, and integrated into the security portfolios and strategic dashboards of all forward looking, business-aligned risk managers. Many of these topics are contentious when discussing their impact on security:

  • Outsourcing of Security
  • Consumerization of IT
  • Software as a Service (SaaS)
  • Virtualization
  • De-perimeterization
  • Information Centricity
  • Next Generation Distributed Data Centers

Hoff will discuss what you ought to already have thought about and how to map these examples to predict what is coming next and explore this classical illustration of the cyclical patterns of how history, evolving business requirements, technology and culture repeatedly intersect on a never-ending continuum and how this convergence ought to be analyzed as part of the strategic security program of any company.

I will be highlighting each of the seven examples above as a series on how we should embrace disruptive innovation and integrate it into our strategic planning process so we can manage it as opposed to the other way around.  First the setup of the presentation:

1. What is Innovation?

Innovation can simply be defined as people implementing new ideas to creatively solve problems and add value.

How you choose to define "value" really depends upon your goal and how you choose to measure the impact on the business you serve.

Within the context of this discussion, there is certainly technical innovation in the security field: how to make security "better," "faster," or "cheaper."  Rather than focus on the latest piece of kit, however, I’m interested in exploring how disruptive technologies and innovative drivers from the intersection of business, culture, and economics can profoundly impact how, what, why and when you do what you do.

We are going to discuss how Security can and should embrace disruptive technology and innovation in a formulaic and process-oriented way with the lovely side effect of becoming more innovative in the process.

2. What is Disruptive Technology/Innovation?

Clayton Christensen coined this term and is known for his series of work in this realm.  He is perhaps best known for his books: The Innovator’s Solution and The Innovator’s Dilemma.

Christensen defined disruptive technology/innovation as "a technology, product or service that ultimately overturns the dominant market leader, technology or product."

This sort of event can happen quickly or gradually and can be evolutionary or revolutionary in execution.  In many cases, the technology itself is not the disruptive catalyst; rather, the strategy, business model or marketing/messaging creates the disruptive impact.  It can also be radical or evolutionary in nature.

3. Examples of Disruptive Technology

Here are some examples from a general technology perspective that highlight disruptive technologies/innovation.

Mainframe computing was disrupted by mini computers and ultimately client-server desktop computing.  Long distance telephony has been broadly impacted by Internet telephony such as Skype and Vonage.  Apple’s iTunes has dramatically impacted the way music is purchased and enjoyed.  The list goes on.

The key takeaway here is that the dominant technologies and industries on the left oftentimes didn’t see the forces on the right coming, and when they did, it was already too late.  What’s really important is that we find a framework and a process by which we can understand how disruptive technology/innovation emerges.  This will allow us to try and tame the impact and harness disruption positively by managing it and our response to it.

4. Technology Evolution: The Theory of Punctuated Equilibrium

I’m a really visual person, so I like to model things by analogies that spark non-linear connections for me to reinforce a point.  When I was searching for an analogy that described the evolution of technology and innovation, it became clear to me that this process was not linear at all.

Bob Warfield over at the SmoothSpan blog gave me this idea for an evolution analogy called the Theory of Punctuated Equilibrium that describes how development and evolution of reproducing species actually happens in big bursts followed by periods of little change rather than constant, gradual transformation.

This is really important because innovation happens in spurts and is then absorbed and assimilated, but forecasting the timing of these events is really important.

5. Mobius Strips and the Cyclic Security Continuum (aka the Hamster Wheel of Pain)

If we look at innovation within the Information Security space as an example, we see evidence of this punctuated equilibrium distributed across what appears to be a never ending continuum.  Some might suggest that it’s like a never-ending Mobius strip.

Security innovation (mostly in technology) has manifested itself over time by offering a diverse set of solutions for a particular problem which ultimately settles down over time with solution conformity and functional democratization.  A classic example is NAC or DLP; lots of vendors spool up in a frenzy and ultimately thin down when the problem becomes defined and solution diversity thins.

Warfield described this as a classic damped oscillation where big swings in thinking ultimately settle down until everything looks and sounds the same…until the next "big thing" occurs.

What is problematic, however, is when we have overlays of timing curves of technology, economics, business requirements and culture.  Take for example the (cyclic) evolution of compute models: we started with the mainframe, which was displaced by minis, desktops and mobile endpoints.  This changed the models of computing and how data was produced, consumed, stored and managed.

Interestingly, as data has become more and more distributed, we’re now trending back to centralizing the computing experience with big honking centralized virtualized servers, storage and desktops.  The applications and protocols remain somewhere in between…

So while one set of oscillations is damping, another is peaking.  It’s no wonder we find it difficult to arrive at a static model in a dynamic instance.

6. Using Projections/Studies/Surveys to Gain Clarified Guidance

Trying to visualize this intersection of curves can be very taxing, so I like to use industry projections/surveys/studies to help clear the fog.  Some folks love these things, others hate them.  We all use them for budget, however 😉

I like the thematic consistency of Gartner’s presentations, so I’m going to use several of their example snippets to highlight a more business-focused logical presentation of how impending business requirements will drive innovation and disruptive technology right to your doorstep.

As security practitioners we can use this information to stay ahead of the curve and not get caught flat-footed when disruptive innovation shows up, because we’ll be prepared for it.

7. What CIOs see as the Top 10 Strategic Technologies for 2008-2011

Gartner defines a strategic technology as "…one with the potential for significant impact on the enterprise in the next three years. Factors that denote significant impact include a high potential for disruption to IT or the business, the need for a major dollar investment, or the risk of being late to adopt."

Check out this list of technologies that your CIO has said are the technology categories that will provide significant impact to their enterprise.  How many of them can you identify as being addressed in alignment to the business as part of your security strategy for the next three years?

Of the roughly 50 security professionals queried by me thus far, most can only honestly answer that they are doing their best to get in front of at most 1 to 2 of them…rot roh.

8. What those same CIOs see as their Top 10 Priorities for 2007

If we drill down a level and investigate what business-focused priorities CIOs have for 2007, the lump in most security managers’ throats becomes bigger.

Of these top ten business priorities, almost all of those same 50 CISOs I polled had real difficulty in demonstrating how their efforts were in alignment to these priorities, except as a menial "insurance purchase" acting as a grudge-based cost of business.

It becomes readily apparent to most that being a cost of business does not put one in the light of being strategic.  In fact, the bottom line impact caused by the never-ending profit draining by security is often in direct competition with some of these initiatives.  Security contributing to revenue growth, customer retention, controlling operating costs?

Whoops…

9. And here’s how those CIOs are investing their Technology Dollars in 2007…

So now the story gets even more interesting.  If we take the Top 10 Strategic Technologies and hold them up against the Top 10 CIO Priorities, what we should see is a business-focused alignment of how one supports the other.

This is exactly what we get when we take a look at the investments in technology that CIOs are making in 2007.

By the way, last year, "Security" was number one.  Now it’s number six.  I bet that next year, it may not even make the top ten.

This means that security is being classified as being less and less strategically important and is being seen as a feature being included in these other purchase/cost centers.  That means that unless you start thinking differently about how and what you do, you run the risk of becoming obsolete from a stand-alone budget perspective.

That lump in your throat’s getting pretty big now, huh?

10.  How Do I Start to Think About What/How My Security Investment Maps to the Business?  Cajun Food, Of Course!

This is my patented demonstration of how I classify my security investments into a taxonomy that is based upon Cajun food recipes.

It’s referred to as "Hoff’s Jambalaya Model" by those who have been victimized by its demonstration.  Mock it if you must, but it recently helped secure $21MM in late-stage VC funding…

Almost all savory Cajun dishes are made up of three classes of ingredients which I call: Foundational, Commodities and Distinguished.

Foundational ingredients are mature, high-quality and time-tested items that are used as the base for a dish.  You can’t make a recipe without using them, and your choice of ingredients, preparation and cooking precision matter very much.

Commodity ingredients are needed because without them, a dish would be bland.  However, the source of these ingredients is less of a concern given the diversity of choice and availability.  Furthermore, salt is salt — sure, you could use Fleur de Sel or Morton’s Kosher, but there’s not a lot of difference here.  One supplier could vanish and you’d have an alternative without much thought.

Distinguished ingredients are really what set a dish off.  If you’ve got a fantastic foundation combined with the requisite seasoning of commodity spices, adding a specific distinguished ingredient to the mix will complete the effort.  Andouille sausage, Crawfish, Alligator, Tasso or (if you’re from the South) Squirrel are excellent examples.  Some of these ingredients are hard to find and for certain dishes, very specific ingredients are needed for that big bang.

Bear with me now…

11. So What the Hell Does Jambalaya Have to Do with Security Technology?

Our recipes for deploying security technology are just like making a pot of Jambalaya, of course!

Today when we think about how we organize our spending and our deployment methodologies for security solutions, we’re actually following a recipe…even if it’s not conscious.

I’m going to use two large, intersecting markets to demonstrate this.  Let’s overlay the service provider/mobile operator/telco market and its security needs with those of the common commercial enterprise.

As with the Cajun recipe example, the go-to foundational ingredients that we base our efforts around are the mature, end-to-end, time-tested firewall and intrusion detection/prevention suites.  These ingredients have benefited from decades of evolution and are stable, mature and well-understood.  Quality is important, as is the source.

In either market space, short of scaling requirements, the SP/MSSP/MO/Telco and Enterprise markets both utilize common approaches and choices to satisfy their requirements.

Both markets also have many overlapping sets of requirements and solution choices for the commodity ingredients.  In this case, separated only by scale and performance, there’s little difference in the AV, Anti-Spam, or URL filtering functionality offered by the many vendors in the pool who supply these functions.  Vendor A could go out of business tomorrow and, for the most part, Vendor B’s product could be substituted with the same functionality without much fuss.

Now, when we look at distinguished "ingredients," this is where we witness a bit of a divergence.  In the SP/MSSP/MO/Telco space, they have very specific requirements for solutions that are unique beyond just scale and performance.  Session Border Controllers and DDoS tools are an example.  In the enterprise, XML gateways and web application firewalls are key.  The point here is that these solutions are quite unique and are often the source of innovation and disruption.

Properly classifying your solutions into these categories allows one to demonstrate an investment strategy in line with the value it brings.  Some of these solutions start off being distinguished and can either become commoditized quickly or ultimately make their way as features into the more stable and mature foundational ingredient class.

Keep this model handy…

12.  Mapping the Solution Classes (Ingredients) to a Technology/Innovation Curve: The Hype Cycle!

So, remember the Theory of Punctuated Equilibrium and its damped oscillation visual?  Check out Gartner’s Hype Cycle…it’s basically the same waveform.

I use the Hype Cycle slightly differently than Gartner does.  The G-Men use it to demonstrate how technology can appear and transform in terms of visibility and maturity over time.  Technology can appear almost anywhere along this curve; some are born commoditized and/or never make it.  Some take a long time to become recognized as a mature technology for adoption.

Ultimately, you’d like to see a new set of innovative or disruptive solutions/technologies appear on the left, get an uptake, mellow out over time and ultimately transform from diversity to conformity.  You can use the cute little names for the blips and bunkers if you like, but keep this motion across the curve top of mind.

Now, I map the classifications of Foundational, Commodities and Distinguished across this curve and, lo and behold, what we see is that most of the examples I gave (and that you can come up with) can be classified and qualified along it.  This allows a security manager/CISO to take technology hype cycle overlays and map them to an easily demonstrated/visualized class of solutions and investment strategies that can also speak to their lifecycle.

The things you really need to keep an eye on from an emerging innovation/disruption perspective are those distinguished solutions over on the left, climbing the "Technology Trigger" and aiming for the "Peak of Inflated Expectations" prior to sliding down to the "Trough of Disillusionment."  I think Gartner missed a perfect opportunity by not including the "Chasm of Eternal Despair" 😉

We’re going to talk more about this later, but you can essentially take your portfolio of technology solutions, map it against the business drivers/technologies prioritized by your CIO, and see how you measure up.  When you need to talk budget, you can easily demonstrate how you’re keeping a pulse on the dynamics of the industry, managing innovation, and how that translates to your spend and depreciation cycles.

You shore up your investment in Foundational components, manage the Commodities over time (they should get cheaper) and, as the business sees fit, put money into incubating emerging technologies and innovation.

Up Next…Some Really Interesting Examples of Disruptive Technology/Innovation and how they impact Security…

Categories: Disruptive Innovation Tags:

Understanding & Selecting a DLP Solution…Fantastic Advice But Wholesale Misery in 10,000 Words or More…

November 6th, 2007 9 comments

If you haven’t been following Rich Mogull’s amazing writeup on how to "Understand and Select a DLP Data Leakage Prevention Solution," you’re missing one of the best combinations of market study, product dissection and consumer advice available on the topic, from The Man who covered the space at Gartner.

Here’s a link to the latest episode (part 7!) that you can use to work backwards from.

This is not a knock on the enormous amount of work Rich has done to educate us all; in fact, it’s probably one of the reasons he chose to write this magnum opus.  This stuff is complicated, which explains why we’re still having trouble solving this problem…

If it takes 7 large blog posts and over 10,000 words to enable someone to make a reasonably educated decision on how to consider approaching the purchase of one of these solutions, there are two possible reasons for this:

  1. Rich is just a detail-oriented, anal-retentive ex-analyst who does a fantastic job of laying out everything you could ever want to know about this topic given his innate knowledge of the space, or
  2. It’s a pie that ain’t quite baked.

I think the answer is "C – All of the above," and it’s absolutely no wonder why this market feature has a cast of vendors who are shopping themselves to the highest bidder faster than you can say "TablusPortAuthorityOakelyOnigmaProvillaVontu."

Yesterday we saw the leader in this space (Vontu) finally submit to the giant Yellow Sausage Machine.

The sales cycle and adoption attach rate for this sort of product must be excruciating if one must be subjected to the equivalent of the Old Testament just to understand the definition and scope of the solution…as a consumer, I know I have a pain that needs amelioration in this category, but which one of these ointments is going to stop the itching?

I dig one of the first paragraphs in Part I, which is probably the first clue we’re going to hit a slippery slope:

The first problem in understanding DLP is figuring out what we’re actually talking about. The following names are all being used to describe the same market:

  • Data Loss Prevention/Protection
  • Data Leak Prevention/Protection
  • Information Loss Prevention/Protection
  • Information Leak Prevention/Protection
  • Extrusion Prevention
  • Content Monitoring and Filtering
  • Content Monitoring and Protection

And I’m sure I’m missing a few. DLP seems the most common term, and while I consider its life limited, I’ll generally use it for these posts for simplicity. You can read more about how I think of this progression of solutions here.

So you’ve got that goin’ for ya… 😉

In the overall evolution of the solution landscape, I think that this iteration of the DLP/ILP/EP/CMF/CMP (!) solution sets raises the visibility of the need to make decisions on content in context and to focus on information centricity (data-centric "security" for the technologists) instead of the continued deployment of packet-filtering 5-tuple network colanders and host-based agent bloatscapes being foisted upon us.

More on the topic of Information Centricity and its relevance to Information Survivability soon.  I spent a fair amount of time talking about this as a source of disruptive innovation/technology during my keynote at the Information Security Decisions conference yesterday.

Great conversations were had afterwards with some *way* smart people on the topic, and I’m really excited to share them once I can digest the data and write it down.

/Hoff

(Image Credit: Stephen Montgomery)

Travel: Off to Chicago for the Information Security Decisions Conference

November 4th, 2007 No comments

Let’s hope the Windy City isn’t as windy as Beantown is thanks to that hurricane from the Caribbean.  I’m digging the car out from under what leaves haven’t already fallen.  The forecast for Chicago showed <gasp!> snow on Tuesday.

I’ll be in Chicago Sunday-Monday, speaking at the TechTarget Information Security Decisions conference.

Ping me: hoff [at] packetfilter.com or +1.978.631.0302

/Hoff

Categories: Travel Tags:

Reprise: On-Demand SaaS Vendors Able to Secure Assets Better than Customers?

November 1st, 2007 5 comments

Back in August I wrote a post debating against the notion that SaaS vendors were apparently, by definition, "…able to secure assets better than customers."

My position on the "quality" levels of security from SaaS vendors was reasonably straightforward.  I’ll summarize it here:

Not one to appear unclear on where I stand, I maintain that SaaS can bring utility, efficiency, cost effectiveness, enhanced capabilities and improved service levels to a corporation depending upon who, what, why, how, where and when the service is deployed.  Sometimes it can bring a higher level of security to an organization, but so can an armed squadron of pissed off Oompa Loompas — it’s all a matter of perspective.

So just to be clear, I believe in SaaS.  I encourage its use if it makes good business sense.  I don’t, however, agree that you will automagically be *more* secure.  You may be just *as* secure, but it should be more cost-effective to deploy and manage.  There may very well be cases (I can even think of some) where one could be more or even less secure, but I’m not into generalizations.

This is all a matter of context; what sort of data is stored, what value does it hold, who can access it and what assessment of risk has been performed to determine the impact to the company should it fall into the wrong hands? 

Many times the "security" of the SaaS service comes right down to basic security practices such as access control.  For example, I’ve seen multiple times that SF.com login accounts of salesfolk who went to competitors were left enabled after separation, potentially exposing the forecast, pipeline, customer service records and customer details of the entire customer base.  That’s not the SaaS vendor’s fault, but it is a potential issue systemic to the model.
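The orphaned-account problem above is cheap to detect if you reconcile HR separation records against the SaaS vendor’s user export on a schedule.  The following is an added example, not code from the post or from any SaaS vendor; it works on constructed, embedded sample records (the `SaasAccount` and `Separation` types and the `example.com` addresses are assumptions, not a real vendor export format) and flags active accounts whose owner has separated, with a higher severity where the account was used after the separation date.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class SaasAccount:
    """One row of a (hypothetical) SaaS user export."""
    email: str
    active: bool
    last_login: Optional[date]


@dataclass(frozen=True)
class Separation:
    """One row of a (hypothetical) HR separation feed."""
    email: str
    separated_on: date


def find_orphaned_accounts(accounts: List[SaasAccount],
                           separations: List[Separation],
                           as_of: date,
                           grace_days: int = 1) -> List[dict]:
    """Return still-active accounts whose owner separated more than
    grace_days ago.  E-mail matching is case-insensitive because HR and
    SaaS systems rarely agree on capitalisation."""
    sep_by_email = {s.email.lower(): s for s in separations}
    findings = []
    for acct in accounts:
        sep = sep_by_email.get(acct.email.lower())
        if sep is None or not acct.active:
            continue  # no separation on record, or already disabled
        deadline = sep.separated_on + timedelta(days=grace_days)
        if as_of <= deadline:
            continue  # still inside the deprovisioning window
        # A login after separation is evidence of access, not just exposure.
        used_after = (acct.last_login is not None
                      and acct.last_login > sep.separated_on)
        findings.append({
            "email": acct.email,
            "separated_on": sep.separated_on.isoformat(),
            "days_overdue": (as_of - deadline).days,
            "severity": "high" if used_after else "medium",
        })
    return findings


def run_example() -> List[dict]:
    """Constructed sample data: two orphans, one clean, one disabled, one
    still inside the grace window."""
    accounts = [
        SaasAccount("alice@example.com", True, date(2007, 10, 30)),   # orphan, used after
        SaasAccount("bob@example.com", False, date(2007, 8, 20)),     # already disabled
        SaasAccount("carol@example.com", True, date(2007, 10, 31)),   # still employed
        SaasAccount("dave@example.com", True, date(2007, 10, 1)),     # within grace window
        SaasAccount("erin@example.com", True, None),                  # orphan, never used
    ]
    separations = [
        Separation("alice@example.com", date(2007, 10, 15)),
        Separation("bob@example.com", date(2007, 9, 1)),
        Separation("dave@example.com", date(2007, 10, 31)),
        Separation("Erin@Example.com", date(2007, 10, 1)),
    ]
    return find_orphaned_accounts(accounts, separations, as_of=date(2007, 11, 1))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['severity'].upper():6} {f['email']} separated {f['separated_on']}, "
              f"{f['days_overdue']} days overdue")
```

Wire the real exports into `find_orphaned_accounts` and run it daily; the "high" findings (a login after the separation date) are the ones that need an access review of what that account touched, not just a disable.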

As the adoption of SaaS increases driven by compliance, outsourcing, or efficiencies of a leveraged business model, we’re going to have to pay more attention to what it means to have our data spread out beyond those supposedly impenetrable perimeter boundaries we’ve spent all that time and money on.

Again, that means more than reviewing a SAS-70 or taking the vendor’s word that they are secure.  It means making sure your policies extend and are applicable "outside the castle."  It means potentially engaging a third party to test the assertions the company makes about their posture.

Two great examples are recent debacles from SaaS vendors Salesforce.com and Monster.com.  Brian Krebs from the Washington Post recently did a great job illustrating the issues that a breach at a SaaS vendor causes; there’s a "secondary market" for breach data, and once the information is loose, the lost trust can mean lost business:

A database of e-mail addresses and other contact information stolen from business software provider Salesforce.com is being used in an ongoing series of targeted e-mail attacks against customers of several Salesforce.com business clients, including SunTrust and Automatic Data Processing Inc. (ADP), one of the nation’s largest payroll and tax services providers.

In August, job search giant Monster.com‘s resume database was breached by hackers, exposing confidential data on 1.3 million job seekers. The attackers then used the contact information from that database to send users targeted e-mails that appeared to come from Monster.com. Recipients were directed to click on a link in the message, which tried to install malicious software through Web browser security vulnerabilities.

Salesforce.com and Monster.com provide valuable SaaS functions to corporations globally, and these incidents illustrate the fragile mantle of trust upon which we tread.  There exists a tenuous balance when outsourcing applications and information processing/storage to a third party.

Some folks argue that any information entrusted to a third-party business partner or vendor (email addresses included) is "private," while others might suggest that if you’ve decided to outsource this function beyond the realm of your ability to protect it, any information outside the castle should be considered public and dealing with its exposure should be something you’re prepared for.

This comes down to maintaining a posture of what I call Information Centricity and an appropriate level of information classification, paired with an assessment of risk that assumes something ‘bad’ happens to it.

As a free piece of advice to SaaS vendors and customers alike, comments like this are not a good way of handling the press regarding a breach:

Salesforce.com’s Bruce Francis, the company’s vice president of corporate strategy, declined to say whether any customer-specific data was stolen, and refused to answer direct questions about the alleged incident, saying that doing so would not be in the best interests of its customers. He did, however, stress several times that "phishing is a fact of life for any company that does business on the Internet these days."

/Hoff

Update:  Bill Brenner just did a nice write-up on this same topic and was kind enough to reference/quote me and the RS Blog.  You can read his piece here.  I also got some interesting feedback from Bob Warfield over at the SmoothSpan blog (a fantastic SaaS reference) which I will ask if I can reprint.

Categories: Software as a Service (SaaS) Tags:

Too Much Risk Management? Not Possible

October 30th, 2007 6 comments

I’ll give Rothman the props/ping for highlighting an interesting post from Sammy Migues at the Cigital "Justice League" blog.

Sammy’s post is titled "The Risk of Too Much Risk Management." 

Short of the title and what I feel is a wholly inappropriate use of the "meaning" of risk management as the hook for the story, the underlying message is sound: security for security’s sake is an obstructionist roadblock to business; the deployment of layer after layer of security controls as a knee-jerk reaction to threats and vulnerabilities is a bad thing.

I totally get that and I totally agree.  The problem I have with Sammy’s post is that he’s doing the absolute worst thing possible: improperly defining what he describes as "risk management" and its meaning to the business, and suggesting that a technology-centric application of rapid-fire, reflexive information security is the same as risk management.

It’s basically making excuses for people practicing "information security" and calling it "risk management."

They are NOT the same thing. 

By associating the two he’s burying the value of the message and marginalizing the impact and value that true risk management can have within an organization. 

To wit, let’s take a look at how he describes what risk management means:

Let’s put a stake in the ground on what risk management means. I’m not referring to how it’s defined so much as what it actually means to business. Risk management means there is a thought process that includes ensuring the right people with adequate skills are given useful information and actually decide whether to do this or that to more effectively achieve security goals. Something like, “The available data indicate that path A at price B mitigates problems C, D, and E, but causes problem F, while path Z at price Y, mitigates problems C, E, and X, but causes problem W. What’s your decision?”

I’m very puzzled by this description because what’s stated above is not "…what [risk management] actually means to the business."  The first part, which describes ensuring that the right people are given access to the right data at the right time, is really the output of a well-oiled business resilience operation (information survivability/assurance) which factors risk assessment and business impact into the decision fabric.

However, the "business" doesn’t "…actually decide whether to do this or that to more effectively achieve security goals"; they decide based on whether they can achieve their business goals.  Security is the stuff that gets added on, usually after the decision has been made.

Some people have good gut instincts, shoot from the hip, and end up with decisions that only occasionally burst into flames. For my risk appetite, that’s too little risk management. Others wait for every possible scrap of data, agonize over the possibilities, and end up with decisions that only occasionally aren’t completely overcome by events. That’s too much risk management.

Again, neither of those cases describes "good" risk management.  The example paints a picture of "luck, decent guesswork and perhaps a SWAG at risk assessment" and "irrational and inflexible analysis paralysis due to the lack of a solid framework for risk assessment," respectively.

The impact of too little risk management is usually too few security controls and, therefore, too much unpredicted expense in a variety of areas: incident response, litigation, and recovery, to name a few. These are often the result of public things that can have lasting effects on brand. This is easy to understand.

The impact of too much risk management is usually too many security controls and, therefore, too much predicted expense in a variety of areas: hardware, software, tools, people, processes, and so on. These are all internal things that can seriously impair agility, efficiency, and overhead, and this is usually much harder to understand.

This isn’t a game of measures from the perspective of "too little" or "too much."  Risk management isn’t a scaled weighting of how many controls are appropriate by unit volume of measure.  Within this context, risk management describes investing EXACTLY enough — no more and no less — in the controls required to meet the operational, business and security requirements of the organization.

The next paragraph is actually the meat of the topic — albeit with the continued abuse of the term risk management.  Substitute "Information Security" for "Risk Management" and he describes the very set of problems I’ve been talking about in my "Information Security is Dead" posts:

Let me clarify that I’m being a little fast and loose with “too much risk management” above. In my experience, the problem is almost never too much “risk management,” it’s almost always too much security fabric resulting from a fixation on or over-thinking of each and every security issue, whether applicable or not, combined with a natural tendency to equate activity with progress. As a consultant, I’ve heard some form of the following dialog hundreds of times: “What are we doing about the security problem I’ve heard about?” followed by a confident “We have people choosing A as we speak.” More security controls, especially generic plug-n-play things, does not automatically mean less risk, but it sure is highly demonstrable activity (to managers, to auditors, to examiners).

The last paragraph basically endorses the practices of most information security programs today, inasmuch as it describes what most compliance-driven InfoSec managers already know: "good enough is good enough":

All in all, too few security controls is probably the greater of the two evils. On the other hand, it’s probably the easiest to remedy. Even if you do no risk management at all, if you have the money to purchase and correctly install most of the major security technologies out there, the shotgun approach will in fact reduce security risk. You’ll never know if you’ve done enough or if you’ve overspent, but you’ll have a story to tell to the masses. On the other hand, a thoughtful security approach based on sound risk management will give you a story to tell to savvy customers and increasingly well-educated auditors and examiners.

If the shotgun approach gives the appearance of "reducing risk," why do anything else?  Sammy certainly did not make the case as to why evolving toward managing risk is paramount, valuable and necessary, and worse yet, risk management is left ill-defined.

If you had limited resources, limited budget, limited time and limited enthusiasm, given the options above, which would you pick?  Exactly.

Risk management is hard work.  Risk management requires a focus, mission, and operational role change.  That sort of thing has to be endorsed by the organization as a whole.  It means that in many cases what you do today is not what you’d do if you transformed your role into managing risk.

Managing risk is a business function.  Your role ought to be advisory in nature.  It can even be operational once the business decision has been made on how best, and how much, to invest in any controls needed to manage risk to an appropriate level.

Rothman summarized this well in his post: "The point I want to make is that all risk management (and security for that matter) need to be based on the NEEDS OF THE BUSINESS. If your business is culturally risk-taking, entrepreneurial and nimble, then you are probably going to be on the less side of the risk management continuum. The converse also applies. Just remember to map your security strategy to the characteristics of your business, not the other way around."

Today, Information Security has positioned itself as judge, jury and executioner while sitting, like a red-headed stepchild, outside of the risk management process.  The problem is, it’s not really Information Security’s problem to "solve," but we nevertheless bear the weight of the crucifix we nail ourselves to.

Time to get off the cross…someone else needs the wood.

/Hoff

Update: Of course the moment I hit "Send" on this, my Google Reader alerted me that Alex Hutton had already responded in kind.  He, of course, does it better and more succinctly 😉

Categories: Risk Management Tags: