Wednesday, June 27, 2012
Microsoft's Surface is sure to have an impact for organizations looking to empower mobile workers with Windows applications. The BYOD revolution will challenge every security team - especially those wishing to exert control. You can read my quotes on the BYOD trend here.
Friday, June 22, 2012
Fortinet briefed me earlier this week on the worldwide BYOD survey they conducted. BYOD is getting a lot of airtime this year and I have honestly been a fan of BYOD for decades if you consider a home PC with a dial-up modem to be a computing device sharing personal and professional uses. I’m not even sure the trend should be called Bring Your Own Application. Sure, the virtualization people love that, but it does not capture the spirit of being able to access applications from anywhere, whenever it is most convenient. There is no question that mobile devices – phones and tablets – are driving the trend along with the easy availability of cloud-based applications. But for now let me stick with BYOD. Anyway, Fortinet does a lot of really good security things in high performance devices. The BYOD trend truly amplifies the need for next generation application security in the network which aligns with Fortinet’s business. It certainly makes sense – you cannot expect a personal device to have all of the security protections that an IT-controlled PC would have. Organizations should be looking at next-gen capability to help free the workforce. The survey of 3872 people between the ages of 20 and 29 was pretty interesting. I loved the fact that 66% of respondents selected “I am ultimately responsible” when questioned about the security of their personal device used for business. That is a healthy response and, correlating with questions about data and application security, encourages me that new approaches to security that maintain user freedoms will be well received. I also liked how Fortinet articulates how personal and business lives remain largely separated (40% chose this first) with social networking applications, but drops as the applications become more focused (email at 23%). My least favorite question was “Of the following what do you think are the greatest risks TO YOUR ORGANISATION if you use your own devices in work, or for work?” The leading response at 46% was “Potential for greater time-wasting on personal activities during work hours”. To me, this is not the job of security, cannot be a compelling purchase criteria for security, and the thought of positioning security as cracking down on users scares me. I was surprised that only 42% chose “Potential for greater exposure to IT threats and the theft/loss of confidential data” – I expected that to be number one. A thought provoking survey by Fortinet – always a good thing!
Tuesday, June 19, 2012
From Day One I felt that NAC was terribly positioned as a "lock out bad guys" technology. To me it has always been an "automate endpoint protection" technology that would appeal to all size companies. Back in the day this was the excitement I felt when talking with Mitchell from StillSecure, Stacy from InfoExpress, and the Arvin/Irene/Rohit triumvirate at Perfigo. Unfortunately, somewhere along the way the NAC vendors all started tilting at the absolutely wrong windmills. I am pleased to say that NAC is now doing much better, and is sorting itself out - I would peg the segment at about $300M in 2012 revenues. One of those vendors that figured it out is ForeScout that has been doing quite well thanks to unique technology, focus on security automation, inclusion of mobile devices, and enthusiastic customer references. You can read a bit of what I think about ForeScout here!
Thursday, June 14, 2012
Sometimes threads just come together at opportune times. Earlier this week my friend Liz was asking me how many followers I had for my Security Vibes blog. My answer was that I didn’t know - I don’t check because my work tends to get around to the right people just fine. A day later I receive this nice email from John at Hirsch Identive (reprinted below without permission, but I don’t think he’ll mind :^). It refers to a video I shot for TechTarget’s security university a few months ago where I mention that NAC is a much better control technology than blocking technology with some interesting events coalescing around IF-MAP. I know I need to be better at tracing where my stuff appears and publishing links. I’ll get started on that Monday!
Eric: I just viewed a video clip at inxpo.com in which you discuss the current state of NAC. I perked up when you brought up the TCG IF-MAP standard as one of the more promising means of deploying effective NAC solutions. Hirsch Identive is possibly the only physical security member of TCG, and we have implemented IF-MAP as part of our offering. We publish our events (persons swiping cards at doors, etc) to an IF-MAP server, making a person’s presence as a piece of IF-MAP metadata. Compliant systems and devices can then subscribe to those events. The first use case we have identified is NAC, and both Juniper Networks and Enterasys NAC solutions can subscribe to our events and add physical presence a policy in granting access to network resources. We see this as a real-world example of the long-awaited “convergence” of physical and network security. We have learned that when it comes to convergence, technology providers are sometimes ahead of customers, and are always looking for ways to reach out beyond our usual physical security customer base for feedback on these kinds of concepts. I recognize that you must be very busy, but since you seem to be finely attuned to the topic, I was hoping to get your thoughts on the feasibility in the real world. If you have a few minutes, I would appreciate your thoughts. I have provided a link to a whitepaper that covers the topic from a physec point of view. http://hirsch-identive.com/sites/default/files/resources/IFMAP%20White%20Paper%20OCT2011.pdf Thanks so much for your time and regards,
Wednesday, June 6, 2012
Tufin has chosen IPv6 day to announce the availability of the latest release the Tufin Security Suite. The key feature of the R12-3 release is support for IPv6 addresses, and the ability to manage firewall rule sets with both IPv4 and IPv6 access control specifications. It turns out that this is a big deal - it will take years for IT to evolve to IPv6 so it is critical that IT start with security tools that can handle the long IPv6 hex addresses as well as the standard IPv4 addresses. Good job by Tufin in taking the leadership position. You can read more of what I think about this here.