Archive for the ‘Database Security’ Category

Chip’s Blog - BusinessWeek Hit by SQL Injection Attack

September 15th, 2008
Here's another example of SQL Injection on a very popular website. Again - I believe that the SQL I...

Database Security, General

North American Insurance IT Spending In 2008

September 12th, 2008
The insurance industry is contending with a tough market in 2008. Declining premium growth, a bear market, and larger Q1 incurred losses are making insurers more pessimistic this year than last, and that translates into more conservative IT investment plans. Forrester surveyed IT decision-makers at the end of last year and learned that, even in this pessimistic time, there are still solid opportunities for technology vendors when it comes to insurance IT. North American insurers are planning to invest in modernizing the software platforms that run their businesses, and the industry is playing catch-up when it comes to its online and eCommerce channels. The most important business initiatives, and where insurers could use help from their technology vendors, are reducing risk, improving customer experience, and exposing better business decision-making information.

Database Security, General

On Gartner’s Magic Quadrant for Identity Management

September 11th, 2008

You might be interested in having a look at Gartner's Magic Quadrants for Identity Management. In particular, a recent article (15 August 2008) published by Earl Perkins and Perry Carpenter focused on the "Magic Quadrant for User Provisioning":

"User provisioning delivers capabilities to manage users' identities across systems, applications and resources. Driven by compliance (security effectiveness) and security efficiency, the market is maturing, but identity governance and role-based access concerns raise new issues for customers."

On the one hand, this kind of report provides good insights about the current state of the art (in this case about user provisioning). On the other hand, some criticisms have been raised about the overall evaluation of current IdM solutions and their positioning in the "magic quadrant". For example, have a look at this article by Dave Kearns.

--- NOTE:  use this mirror blog if you prefer posting on an external blog site  ---

Database Security, General

Confessions Of A QSA: The Inside Story Of PCI Compliance

September 11th, 2008
PCI (Payment Card Industry) compliance — a requirement for accepting credit card transactions — can be difficult. About 65% of global enterprises are still working on their PCI compliance initiatives. But PCI compliance is an ongoing effort, not a bounded IT security project. Insight into the process and the role of the qualified security assessor (QSA) can make it easier, while implementing standard security best practices upfront will ease the pain when the on-site audit begins.

Database Security, General

Market Overview: Client Security

September 11th, 2008
Security managers are overwhelmed with the number of security tools needed to protect their PCs. While organizations have already deployed established security tools, such as antimalware and personal firewalls, this is not enough to mitigate today's security threats — especially unknown viruses and data leakage. Thankfully, technologies have surfaced to address emerging concerns, but these solutions are not well understood and have security managers wondering how they will manage their PC environment once they add yet another agent to the desktop. Fortunately, the client security market is consolidating quickly, and vendors are adding more tools to their portfolio. The ideal solution for your company will be determined by the group responsible for securing the PC environment; security groups should look to vendors like McAfee and Sophos, while the infrastructure and operations group should look to vendors like Microsoft and Symantec.

Database Security, General

The Forrester Wave(tm): Network Access Control, Q3 2008

September 5th, 2008
In Forrester's 73-criteria evaluation of network access control (NAC) vendors, we found that Microsoft, Cisco Systems, Bradford Networks, and Juniper Networks lead the pack because of their strong enforcement and policy. Microsoft's NAP technology is a relative newcomer, but has become the de facto standard and pushes NAC into its near-ubiquitous Windows Server customer base. Cisco's and Juniper's NAC solutions are anchored by mature, standalone appliances with top marks for manageability and ease of use. Bradford has pushed into the enterprise space with one of the most scalable overlay solutions. Symantec, McAfee, and StillSecure are all close behind with software-based solutions, which we predict will ultimately win as the best NAC architecture. Mirage Networks' unique out-of-band system provides superior deployment flexibility and just edges out Nevis Networks, which operates as a secure inline switch with built-in threat prevention. HP ProCurve Networking rounds out the bunch with an approach that marries appliance with Ethernet switches.

Database Security, General

Part II: Risk Management for Unstructured Data in Enterprises

September 4th, 2008

In a recent post published on the Netweaver Identity Manager Weblog, the author has made a few comments about my post on "Risk Management for Unstructured Data in Enterprises" (well, actually the published URL to my post is apparently broken ...).

Thanks for this input, in particular about three main points that I (tried to) summarise as follows:

1) Meaning of unstructured data (or the fact that unstructured data does not exist by definition ...)

2) Narrowness of perception of approaches and incompleteness of my list of required solutions

3) Availability of comprehensive methodology for implementing enterprise wide risk management

About point 1), this looks pretty much like a philosophical discussion. No doubt that, at the end, we talk about information that has some sort of structure (well, an email has a header, a body with some text and attachments; a document is made of paragraphs or lines of text; ...). However, the (maybe over-hyped) "unstructured data" term is currently used to (a) identify specific types of information and (b) contrast it against classic "structured data" (e.g. information stored in RDBMS repositories, etc.). I think I will stick with this terminology ...

Back to the key point, recent reports (including the Ponemon Institute's survey on "Governance of Unstructured Data" and other market and research reports) indeed highlight that the management of unstructured data in enterprises is a rising concern for enterprises, both in terms of governance and risk management. I think this is what really matters - independently from the terminology.

No doubt that classification of data is an important point, especially if you ever manage to "find" where this "unstructured data" is, within a complex enterprise environment ... I would say that, given the particular nature of "unstructured data", a preliminary "data discovery" phase might be required, indeed followed by a classification and assessment of its value (considering though, that the value of some of this information might also come from aggregations and correlations ...).

About point 2), by no means was my post meant to provide a definitive or comprehensive assessment and answer to the problem of information risk management or, more specifically, of "unstructured" information risk management. It was just a statement of some "desirable" properties and capabilities that I would like to see (and I know it would be of some help to customers ...).

I am well aware of the complexity of the overall (security) "enterprise risk assessment and management" problem, its extent and the fact that, when assessing and managing (security) risks, many factors are involved, including business goals, IT, other assets, people, processes, awareness/education, etc.

(Security) risk assessment and management techniques/methodologies/frameworks and standards/etc. are indeed out there (e.g. ISO 27005/2700x, COBIT, etc.). These "standards" provide guidelines and criteria to be carefully refined, grounded and contextualized in various "operational" realities, along with some good, common sense ...

So, no doubt that a "comprehensive methodology for implementing enterprise wide risk management" already exists, at least from a consulting perspective, but this was not my main point.

My main point was not so focused on these methodologies but rather on the need to better understand and possibly improve the process of exploring, explaining and predicting the consequences and impacts of strategic (policy) choices and decisions in enterprise contexts and environments, in particular when dealing with security matters.

An approach that we are currently exploring is based on modeling and simulation techniques in the security field, coupled with economic theory and social science. Please have a look at the HPL Technical Report on "Identity Analytics" that I mentioned a few times - to see what I mean, in more detail (at least from an "IdM perspective").

Specifically, one of my R&D interests is in "(semi-) automation" tools and solutions in this space that can indeed help and support professional and consulting services in their risk assessment & management activities. This includes providing decision support and "what-if analysis", involving modeling and simulation, providing trade-off analysis, etc.

Given the complexity of this space, I deliberately focused on the aspect of "management of unstructured data" and the IdM perspective, well aware that this is just a part of the overall problem and space.

I hope I clarified this point.

About point 3), no doubt about this, as I mentioned above.

However, the statement that "comprehensive methodology for implementing enterprise wide risk management is done" sounds (at least to me) a little bit abstract ...

It would be of some interest to the readers of this blog if this statement could be elaborated (specifically in the space of IdM and information management) along with providing some recommendations/input/directions (hopefully beyond having to hire a consulting company ...:-)).

Database Security, General

Risk Management for Unstructured Data in Enterprises

September 1st, 2008

In the context of the HP Labs' Security and Identity Analytics project I have been investigating the implications of "unstructured data" (i.e. emails, documents, multimedia files, pages in data sharing sites, messages exchanged with Instant Messaging tools, blog posts, data mash-ups, etc.) within organizations, along with how to explain and predict involved risks and explore the consequences of related security (policy) choices.

Is "unstructured data" really a problem for organizations? If so, where is this problem? Well, the content of unstructured data (and/or an aggregation of it) can be confidential as it might include personal, financial and business-critical information. Because of the nature of unstructured data (and associated, emerging tools to handle and share it), there are many ways this data could leak and/or be misused, ranging from accidental disclosures to aggregations of information posted in public areas.

The threat landscape (including threats to data confidentiality, integrity and availability) is potentially broad as many contextual elements, IT components, processes and behavioral aspects are involved.

Most of the current approaches (that I am aware of) which mitigate some of the involved risks are based on traditional IT security and identity "control points" (such as access control, interception points, complex document lifecycle management tools, etc.), addressing "point problems".

I believe this is not enough. Solutions are required to help organizations (and decision makers) to: (1) fully understand the nature of the problem, based on their specific context and environment; (2) have a picture of their overall risk exposure; (3) make informed decisions on which approaches to follow, explain and predict the consequences and define appropriate policies; (4) explore trade-offs.

So far I have found no comprehensive approach/solution providing these features. Is anybody aware of any?

Database Security, General

Is Green IT Your Emperor With No Clothes?

August 29th, 2008
Awareness for green IT is increasing, driven by corporatewide greening efforts as well as practical IT concerns like running out of space, power, or budget. As a result, IT ops executives are tasked to formulate and enact their green IT strategy. While technology in itself is not "green," enterprise IT does have the opportunity to harvest the environmental and financial benefits of becoming more eco-conscious. But before investing a single dollar into green IT, Forrester recommends that firms set expectations by measuring their green IT baseline — an annual estimate of the energy consumption, carbon dioxide (CO2) emissions, and financial costs of operating IT. Not only will this data offer a practical green IT starting point by exposing your most eco-taxing assets, but without it you cannot accurately quantify and report the benefits of your greening efforts to senior management.

Database Security, General

Case Study: North American Manufacturer Links IT Controls To Business Impacts

August 28th, 2008
A North American manufacturer struggled with meeting an executive mandate for quarterly IT controls testing in a financially responsible manner. Its solution was to categorize IT controls based on business impact and use the categorizations to set IT controls testing scope and frequency. This allowed the manufacturer to increase testing frequency without having to test 100% of the IT controls every quarter.

Database Security, General

Case Study: North American Financial Institution Relies On Self-Assessments

August 28th, 2008
A North American financial institution wanted to collect and store evidence of IT control effectiveness in a way that provided rapid access for review and that protected sensitive information. Its solution linked IT compliance test results with corresponding evidence while encrypting for privacy and hashing for integrity. These efforts reduced the costs associated with testing IT controls by approximately 65%.
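The case study names the two protections (encryption for privacy, hashing for integrity) and the link between evidence and test result, but not how they fit together. The example below is added here and is not the institution's or Forrester's code; it is one way to build such an evidence record, and everything in it (the record layout, the test ID format, the sample evidence text, the AES-GCM choice, the demo key) is an assumption for illustration. The point it makes beyond the summary is that the link to the test result should itself be authenticated: by passing the test ID as additional authenticated data, a record copied from one test cannot be presented as evidence for another without failing verification.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// EvidenceRecord is what is stored alongside an IT control test result
// (hypothetical layout). The evidence body is encrypted for privacy; Digest
// is the SHA-256 of the plaintext, kept for integrity checks and for
// cross-checking against the test-result log; TestID links the evidence to
// the test it supports.
type EvidenceRecord struct {
	TestID     string
	Digest     string // hex-encoded SHA-256 of the plaintext evidence
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealEvidence encrypts evidence with AES-GCM under key. The test ID is bound
// into the record as additional authenticated data, so a record cannot later
// be re-attached to a different test result without failing authentication.
func SealEvidence(key []byte, testID string, evidence []byte) (EvidenceRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return EvidenceRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return EvidenceRecord{}, err
	}
	sum := sha256.Sum256(evidence)
	return EvidenceRecord{
		TestID:     testID,
		Digest:     hex.EncodeToString(sum[:]),
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, evidence, []byte(testID)),
	}, nil
}

// OpenEvidence decrypts a record and verifies both the GCM tag (which covers
// the ciphertext and the test ID) and the stored plaintext digest.
func OpenEvidence(key []byte, rec EvidenceRecord) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.TestID))
	if err != nil {
		return nil, errors.New("evidence rejected: ciphertext modified or linked to the wrong test")
	}
	sum := sha256.Sum256(plaintext)
	if hex.EncodeToString(sum[:]) != rec.Digest {
		return nil, errors.New("evidence rejected: stored digest does not match content")
	}
	return plaintext, nil
}

func main() {
	// Constructed demo key; in a real deployment it would come from a key store.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed evidence for a hypothetical control test ID.
	rec, err := SealEvidence(key, "ITGC-042-2008Q3", []byte("access review export: 12 privileged accounts, 0 exceptions"))
	if err != nil {
		panic(err)
	}
	plaintext, err := OpenEvidence(key, rec)
	fmt.Printf("review ok: %v, evidence: %q\n", err == nil, plaintext)

	// An attempt to reuse the same evidence for a different test is rejected.
	relinked := rec
	relinked.TestID = "ITGC-099-2008Q3"
	_, err = OpenEvidence(key, relinked)
	fmt.Println("relink rejected:", err != nil)
}
```

The separate digest is redundant with the GCM tag for detecting modification of the stored record; its value is that it can be written into the test-result log at collection time, so reviewers can confirm that the evidence store and the results store still agree without handing the decryption key to everyone who reviews results.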

Database Security, General

Sourcing Professionals Must Analyze And Manage Risk Across The Global Supply Chain

August 27th, 2008
The issue of vendor risk has become an increasingly critical topic among sourcing professionals. With that in mind, we wanted to highlight this great report on mitigating supply chain risk — much of which is within sourcing's purview. While it was written several months ago, the growing importance of risk awareness and mitigation make it a must-read today.

Database Security, General

Coming Digital ID World Conference 2008, 8-10 September 2008

August 26th, 2008

The Digital ID World Conference 2008 is going to take place in Anaheim, California on 8-10 September 2008. A complete agenda is available online. Some of the Keynotes include:

  • Identity Assurance: A Backbone for the Identity Marketplace, Peter Alterman, Assistant CIO for E-Authentication and Chair, US Federal PKI Policy Authority, National Institutes of Health; Andrew Nash, Senior Director, Information and Risk Management, PayPal; Frank Villavicencio, Director, Citigroup
  • Making Identity Work End to End, Craig Wittenberg, Architect, Microsoft  
  • State of the Industry, Jamie Lewis, CEO & Research Chair, Burton Group
  • Have I Seen You Before? An Industry Discussion About User-Centric Identity, Kim Cameron, Chief Architect of Identity, Microsoft
  • On VRM and Identity, Doc Searls, Fellow, Berkman Center, Harvard Law School

Database Security, General

Complex Event Processing In A Quant World

August 25th, 2008
Robert Almgren is a co-founder of Quantitative Brokers, a company that is extending the reach of complex event processing (CEP) from its conventional uses in the equity sector into non-equity trading. Before founding this startup, Dr. Almgren was head of quantitative strategies at a major investment bank using CEP to build agency algorithmic trading strategies for equities. Before that, he was a professor of mathematics and computer science at the University of Toronto and a consultant to Citigroup on equity transaction cost measurement. He is currently an adjunct faculty member at New York University, where he teaches time-series analysis for financial applications. In this case study, he discusses CEP and what is needed for its successful deployment. Of particular relevance to application development professionals is that he draws out the need to understand the "event environment" and what this offers before "rushing into code." We present Dr. Almgren's story in his own words.

Database Security, General

New UK TSB Project: Developing the Next Generation of Identity Management Systems

August 21st, 2008

As announced in this article, a new UK government-funded project is going to start in October, aiming at developing the next generation of identity management systems:

"A research project will see a team of experts team up for three years to develop the next generation of identity management systems.

The government-funded project will launch in October and will include academics from Cranfield University, Royal Holloway University of London, Salford University, Consult Hyperion and Sunderland City Council.

The research team will look at topics of privacy and consent for identity management, with the aim of helping people and organisations make well-informed judgements about their choice of online services, how they use them, and what information they give out.

"There is a concern that people aren't really clear about the value of their unique identity," said Debi Ashenden, Cranfield's lead researcher. "Our research will engage people in current debates about privacy and consent issues, find out how they think about their identity and what decisions they make. We hope the discussions will provide invaluable information to help develop new identity management tools."

The funding for the project is part of a £5.5m investment by the Technology Strategy Board (TSB), Engineering and Physical Sciences Research Council (EPSRC), and Economic and Social Research Council (ESRC). Two other identity management related projects will also be funded by the investment.

Andrew Tyrer, the TSB's lead for its network security innovation platform said this research will be key to "ensuring that the hardware and software required will meet public expectations about these important issues"."

Database Security, General

Financial Services Of The Future: Collaborative Competition Will Be The Norm

August 20th, 2008
An increasing number of banks are working on long-term business and IT visions of the future, realigning IT strategies on a continual basis. To help enterprise architects better understand the business and IT environment of the future, Forrester surveyed key vendors in the banking space and interviewed banking executives from five continents to get their take on banking's — and banking IT's — future. The net outcome they expect for their businesses? More fluid organizations, changing core competencies, and more specialization, as well as collaborative competition on regional and global levels.

Database Security, General

An Essential Guide to Identity Management for IT Professionals

August 19th, 2008

Ian Grant has recently published an article on ComputerWeekly.com, called "Identity Management: An Essential Guide for IT Professionals".

It is actually an overview of some IdM initiatives and related aspects (thanks for mentioning my blog when referring to HP's initiatives in the IdM space).

Is anybody aware of an online "Complete and Up-to-Date" Guide to Identity Management and various related initiatives?

Database Security, General

Securing Virtual Server Environments

August 18th, 2008
There are no known vulnerabilities that can seriously compromise a virtual server based on hypervisor technology from Citrix/Xen, Microsoft, or VMware today. As vendors improve the control and visibility of the underlying virtualization layer, however, administrators will gain more confidence that their virtual systems can't be exploited. In the meantime, security professionals should sleep at night, knowing that they can protect their organizations' virtual systems by simply updating their security practices.

Database Security, General

Road Map: How GeSI’s “SMART” Report Broadens The IT Industry’s Green Agenda

August 15th, 2008
The "SMART 2020: Enabling the low carbon economy in the information age" report issued by the Global e-Sustainability Initiative (GeSI) will raise the environmental stakes for strategy professionals at IT suppliers. Vendors looking to respond to their customers' increasing demands for environmentally responsible operations and products need to: 1) clean up their internal operations and report progress transparently; 2) improve the environmental footprint of their hardware, software, and services; and 3) incorporate their technologies into solutions that enable greener business, industrial, and societal activities. The GeSI report highlights the enabling capabilities of IT products and services; IT vendors looking for environmental leadership must add this dimension to their slate of green activities.

Database Security, General

What Are The Hot Roles In IT?

August 14th, 2008
Near-term demand for hot roles in IT will be driven by the need for local and cross-discipline knowledge, changes in technology, greater emphasis on managing risk and the enterprise, and a limited supply of key roles. For example, business architects will be hot due to the growth in enterprise apps such as SAP, new business/IT technologies such as business process management (BPM), and the increased risk of changing business processes. To meet the need for hot roles in their organizations, CIOs need to identify their primary skill gaps; determine which roles they should hire, cultivate, or rent; identify where they can compromise; and develop retention and development strategies for these roles.

Database Security, General

How Green Are You?

August 14th, 2008
With organizations quick to jump on the green bandwagon, consumers are currently overwhelmed with claims of environmental benefits or greater sustainability. However, as superficial claims continue to be exposed, consumers are distrustful of the credibility and honesty of green marketing messages. To overcome this lack of trust and avoid the greenwashing accusations, marketers need to ensure that their green strategies adhere to the seven Es of green marketing: encompassing, evident, earnest, engaging, empowering, enlightening, and evolving.

Database Security, General

Chip’s Blog - New SQL Injection Worm Targeting MSSQL

August 12th, 2008
Another worm is making the rounds. I really don't see much new in this particular variant but it sh...

Database Security, General

Threat Alert: Wireless Is The New Internet

August 12th, 2008
Until the recent indictment of 11 people for hacking into retailers' wireless networks and stealing more than 40 million credit and debit card accounts, the focus of corporate network teams has been to provide wireless connectivity and availability for convenience and productivity. It's now painfully clear, however, that the wireless LAN (WLAN) has become an effective attack vector for cybercriminals. Wireless networks are now a significant point of exposure, and it's imperative that security professionals focus attention there before it's too late. Tactical steps include firewalling the wireless network, segmenting guest access, monitoring the wireless network for attacks, eliminating rogue access points, and adopting strong wireless encryption. More strategically, however, you should treat wireless networks as "the new Internet." It's an attractive attack gateway for hackers and data thieves. Risk assessments and network policy considerations should include specific considerations for wireless networking, and wireless security strategy should be coordinated with broader IT compliance initiatives.
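Two of the tactical steps above, monitoring the wireless network and eliminating rogue access points, reduce to comparing what is on the air against what the network team actually deployed. The example below is added here and is not Forrester's or any vendor's code: it audits a constructed scan listing against an assumed inventory of authorized BSSIDs and corporate SSIDs. The scan format, the inventory, the MAC addresses and SSIDs are all made up for illustration, and treating WPA2 as the "strong encryption" baseline is an assumption of the example rather than a statement from the report. It goes slightly beyond the text by ranking findings: an unknown radio beaconing the corporate SSID (an evil twin, or a rogue AP plugged into the LAN) is treated as more urgent than an open or WEP network, which in turn outranks an unfamiliar neighbour that merely needs to be located.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ScanEntry is one access point observed by a wireless scan.
type ScanEntry struct {
	BSSID    string
	SSID     string
	Security string // OPEN, WEP, WPA or WPA2 in this constructed format
	Channel  int
}

// Finding is one alert raised against an observed access point.
type Finding struct {
	BSSID  string
	Reason string
}

// Constructed scan output in a made-up BSSID|SSID|SECURITY|CHANNEL format;
// it is not the output of any particular tool.
const sampleScan = `00:11:22:33:44:01|CORP-WLAN|WPA2|6
00:11:22:33:44:02|CORP-WLAN|WPA2|11
00:11:22:33:44:03|CORP-GUEST|WPA2|1
00:11:22:33:44:04|CORP-WLAN|WEP|1
DE:AD:BE:EF:00:01|CORP-WLAN|WPA2|6
de:ad:be:ef:00:02|linksys|OPEN|6
de:ad:be:ef:00:03|printer-setup|WPA2|11`

// Assumed inventory: the BSSIDs the network team deployed, and the SSIDs
// the organization owns. Both are hypothetical.
var authorizedBSSIDs = map[string]bool{
	"00:11:22:33:44:01": true,
	"00:11:22:33:44:02": true,
	"00:11:22:33:44:03": true,
	"00:11:22:33:44:04": true,
}

var corporateSSIDs = map[string]bool{"CORP-WLAN": true, "CORP-GUEST": true}

// ParseScan turns the constructed scan text into entries, normalizing BSSIDs
// to lower case so inventory lookups are case-insensitive.
func ParseScan(raw string) ([]ScanEntry, error) {
	var entries []ScanEntry
	for n, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Split(strings.TrimSpace(line), "|")
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: expected 4 fields, got %d", n+1, len(f))
		}
		ch, err := strconv.Atoi(f[3])
		if err != nil {
			return nil, fmt.Errorf("line %d: bad channel %q", n+1, f[3])
		}
		entries = append(entries, ScanEntry{
			BSSID: strings.ToLower(f[0]), SSID: f[1], Security: strings.ToUpper(f[2]), Channel: ch,
		})
	}
	return entries, nil
}

// AuditScan checks every observed AP against the inventory. Known APs are
// checked for weak encryption; unknown ones are classified by severity: a
// corporate SSID from an unknown BSSID first, then open/WEP networks, then
// unfamiliar APs that still need to be located and inventoried.
func AuditScan(entries []ScanEntry, authorized, corporate map[string]bool) []Finding {
	var findings []Finding
	for _, e := range entries {
		if authorized[e.BSSID] {
			if e.Security != "WPA2" {
				findings = append(findings, Finding{e.BSSID, "authorized AP not using WPA2 (" + e.Security + ")"})
			}
			continue
		}
		switch {
		case corporate[e.SSID]:
			findings = append(findings, Finding{e.BSSID, "unknown BSSID advertising corporate SSID " + e.SSID + " (possible evil twin or rogue AP)"})
		case e.Security == "OPEN" || e.Security == "WEP":
			findings = append(findings, Finding{e.BSSID, "unauthorized AP with weak or no encryption (" + e.Security + ")"})
		default:
			findings = append(findings, Finding{e.BSSID, "unknown AP in range; locate and inventory"})
		}
	}
	return findings
}

func main() {
	entries, err := ParseScan(sampleScan)
	if err != nil {
		panic(err)
	}
	for _, f := range AuditScan(entries, authorizedBSSIDs, corporateSSIDs) {
		fmt.Printf("%s  %s\n", f.BSSID, f.Reason)
	}
}
```

Run against the sample, the audit flags the authorized WEP radio, the evil-twin candidate on the corporate SSID, the open "linksys" network and the unfamiliar printer network, and stays silent on the three correctly configured corporate APs. In practice the inventory would be fed from the WLAN controller and the scan from a sensor or the APs themselves, and a BSSID seen on an unexpected channel or at an unexpected site is worth a finding of its own.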

Database Security, General

Teleconference: Improving Business Continuity Management: Case Studies From Organizations That Have Adopted BS 25999

August 11th, 2008

Vendor Snapshot: Illuminate Solutions Breaks Through Traditional BI Barriers

August 8th, 2008
Illuminate Solutions is a young Spain-based analytic database vendor that offers a compelling new approach optimized for complex, dynamic, ad hoc queries. Illuminate's correlation database uses what it calls "value-based storage" to greatly reduce the size of the analytic database and the need for manual data modeling. The vendor's approach enables the analytic database — without manual redesign, tuning, or optimization — to continually deliver fast response to complex, dynamic, ad hoc queries. Expect Illuminate, which recently established its North American headquarters, to gain significant adoption among data warehouse (DW) and business intelligence (BI) users and system integrators, and also to expand its partnerships with complementary software, hardware, and hosting providers.

Database Security, General

Updated Security Alert for CVE-2008-3257 Issued

August 4th, 2008

Firefox and 50 add-ons for Private and Secure Web Surfing

August 2nd, 2008

A recent article by Laura Milligan, called "50 Firefox add-ons to achieve private and secure web surfing", provides a comprehensive list of add-ons for Firefox to achieve various degrees of security and privacy whilst surfing the web:

"Firefox is generally considered a secure web browser, but if you're interested in keeping your activity on certain websites private or giving yourself extra protection against phishing, hackers and viruses, you may want to consider beefing up your Firefox's security in general. Thankfully, there are lots of options available that make achieving privacy and security online as easy as downloading a simple add-on or application that was designed just for Firefox users."

This article classifies these 50 add-ons (and provides links for each of them) into the following categories: Secrecy and Encryption; add-ons that beef up security; cookies; testing your system; passwords; protect your privacy online.

Have you had any direct experience using these add-ons?  Are they up to their promises?

Database Security, General