Webinar: Cloud SerenityCloud

Cheryl Barto ShoultsMay 22, 2012, 09:05 am

• Tweet

• 0

The Serenity Prayer:
Grant me Serenity to accept the things I cannot change
Courage to change the things I can
And Wisdom to know the difference.

 In Josh Corman and David Etue’s presentation at RSA, they unwittingly coined the phrase “Cloud Serenity.” An offhand comment about relinquishing control of certain security factors when moving into virtual and cloud environments spawned an in-depth evaluation of just what can be controlled in the cloud, what can’t, and what security administrators should do about it. What they found is that there are some real limitations presented by cloud computing on our ability to implement and manage controls. To be able to trust the cloud(s), IT security professionals have to understand the differences between what they can control and what they can’t.

Join Josh and David on Thursday, May 24^th at 1pm ET as they explore these questions, and also begin to turn the conversation toward how we can position IT to harness the cloud itself to exercise greater control.

Register Now! Cloud Serenity: Controlling What We Can and Accepting What We Cannot.

This webinar is one of a series of cloud computing webcasts by Akamai. Find more on Brighttalk.com.

Joshua Corman is Director of Security Intelligence for Akamai Technologies. Corman has more than a decade of security experience, most recently serving as Research Director for The 451 Group. His research cuts across sectors to the core challenges of the industry, and drives adaptive strategies amidst changing landscapes. He is a candid and highly coveted speaker and has spoken at leading industry events such as RSA, Interop, ISACA, SANS, DEFCON, and ShmooCon – and was recognized by NetworkWorld as a top Influencer of IT for 2009. As a staunch advocate for CISOs, he serves as a Ponemon Institute Fellow, as an IANS Faculty, and co-founded www.ruggedsoftware.org. He received a bachelor’s degree in philosophy, Phi Beta Kappa, summa cum laude, from the University of New Hampshire.

David Etue brings experience including security program leadership, management consulting, product management, and technical implementation. David is the vice president of corporate development strategy at SafeNet, where he is responsible for SafeNet’s strategic decisions regarding product and solution partnerships, as well as mergers and acquisitions.  He was previously the cyber security practice lead at management consultancy PRTM, VP of Products & Markets at Fidelis Security Systems, led General Electric’s global computer security program, and held various positions in technology strategy, operations and product management. He is a Certified Information Privacy Professional, a graduate of GE’s Information Management Leadership Program, and a certified Six Sigma Green Belt.

Go back to The Art of Data Protection blog homepage.

Mobile Identity for the Post-PC Age Authentication, Mobility

Doron CohenMay 22, 2012, 09:05 am

• Tweet

• 0

Smartphones are now passing PCs in shipments, and if we take tablets out of the equation, PC shipments experience decline. This is yet another indication of that the momentum that has been building over last few years. Users are consuming more and more services using their mobile devices rather than a PC as a primary computing device. In fact, it highlights that:

• More and more users do not even have a “primary” device – they interchangeably use their phone, tablet and their traditional PC, whether a laptop or a desktop
• Tablets are becoming a multi-user device that is shared especially between family members, and in certain cases, in the workplace, much like  “personal computers” have been shared

In short, we have a new endpoint – the mobile endpoint – and it is changing the way we experience computing.

It’s also changing the way we secure our computing devices. There are mobile operating systems and devices being always-on , they create new vulnerabilities and attack vectors. And as we rely more and more on cloud/network services, we expect all information to be available at all times, regardless of which device we’re using. So we store our passwords and credentials on our mobile for seamless access. In fact, we store it on more than one but rather several devices – how can we be sure our credentials are not compromised and used by someone else?  How do we manage/rotate and sync these credentials across the different services & devices?

These issues may bother us on our personal life (such as the odd case of reselling refurbished tablets without clearing user data), but when  you add to the mix the consumerization of IT , and how personally owned devices are changing the way people work and do their job, the enterprise IT manager suddenly has a vested interest in your personal devices. These issues are critical for businesses and organizations. Enterprise IT departments need visibility and management of user and network credentials, no matter which endpoint device employees are using.

There is clearly a need for better protection and management of credentials for the mobile and post-PC era.  Some of the most important areas for improvement are:

1. Devices need a truly secure credential store so that their credentials cannot leak.
2. We need to reduce the amount of passwords being used, and look for schemes that utilize claims-based identity.
3. Current device authentication isn’t intuitive for users. We need less intrusive and more secure a way to leverage the mobile form factor for better authentication schemes – using contextual information, or biometric and behavioral  information to establish our identity.

What do you think?  Where is the future in mobile identity?

This is the first post in a series on mobility & authentication. Stay tuned for more posts in the coming weeks.

Back to The Art of Data Protection blog homepage.

Saying No to Mobile Devices Is Only a Temporary Security SolutionAuthentication, Crypto

Cheryl Barto ShoultsMay 21, 2012, 11:58 am

• Tweet

• 0

By Andrew Younger, CISSP, SafeNet

At the Cards & Payments 2012 Conference last month, it seemed that every second person was talking about some sort of mobile financial app. And, thinking from an information security perspective, I have to say, it seriously concerned me.

We know that cyber criminals are just biding their time before they unleash the sort of advanced attacks on smartphones and tablets that have netted them serious cash through the theft of money and intellectual property from breaching desktop computers and laptops.

I think it marks a turning point in our love affair with mobile technology. As people first rushed to embrace mobile devices, they were blissfully unaware of the potholes along the way. Now we can see that there are potholes to avoid, the focus needs to shift to how to patch them up.

Given the astronomic adoption rates for new mobile devices, not to mention the generally woeful state of their endpoint security, the time has come to start planning for how we cope with the losses that will inevitably come, and how we mitigate our risks to contain them.

It’s a similar problem that IT Security faces with cloud computing. While there is no ignoring the fact that security concerns exist, there are real dangers in IT Security stopping projects from going ahead. And one of those dangers could be your own job security.

Coming back to the security of mobile devices, they, like cloud computing, are such a difficult issue for IT Security because they cannot be easily secured using the traditional security paradigm of perimeter defence.

With cloud computing, data is subject to additional risks as it travels and resides outside the defined network boundary. With mobile devices, data is placed at risk both from insecure devices operating within the network boundary – AKA Bring Your Own Device – and tunnelling into the network from outside.

What’s the answer? It would be naive to suggest that organisations could immediately stop relying on perimeter defences and adopt the cryptographic paradigm of encryption and multi-factor authentication for all their data.

The reality in the current era is that we need both. We need to maintain traditional perimeter security because it mitigates many existing risks for a relatively low cost. And we also need to invest in new cryptographic solutions to protect our most valuable and vulnerable data and to mitigate the risks of emerging and advanced threats.

In his last blog post, my colleague Vince Lee talked about the importance of building a flexible, scaleable and sustainable encryption key management infrastructure.

The same is true for authentication infrastructure. Security challenges like BYOD and securing mobile apps provide a strong business case for new and stronger authentication solutions. With a credential management solution for personal mobile devices, for example, organisations can ensure that only authorised devices have access to corporate networks and other resources.

But it’s not sustainable to create new islands of authentication in addition to existing solutions for on-premise network access and remote access via VPN, Citrix, OWA and Web-based portals, not to mention access to cloud-based applications.

More practical is to build economies of scale around cryptographic solutions by investing in a comprehensive solution that handles multiple security applications. For authentication solutions, that means one server that handles all of the above. With the simplified management, greater flexibility and lower cost of ownership of a single authentication server, each new security application becomes easier and more cost-effective than the one before.

Because like it or not, saying no to mobile devices – whether they be mobile phones, tablets or whatever’s next – is only a temporary solution at best.

“Big Data” ExplainedUncategorized

Russel DietzMay 17, 2012, 10:05 am

• Tweet

• 0

I hate this term. People are throwing around “Big Data” the way they threw around “cloud” three years ago, without actually knowing what it is or how to manage and secure it.

Basically, relational databases were designed to deal with small transactional elements. But now we have lots of data with large file sizes (video, audio, docs) that is aggregated from lots of different sources. The big questions people have are, “How do I manage it?” and “How do I search it?”

Databases put information into an ITS system. But these large files and new formats say “you have to relate to me no matter what I look like.” So not only do we have these large, non-conforming files, but we also have to store information about the data with the large files so that we can manage video elements as easily as we manage everything else.

In essence, Big Data is to Relational databases and file systems as cloud is to virtualization. A few years ago, virtualization was paper thin. Now we add the ability to use public and hybrid clouds, and suddenly there’s depth to the concept. Big data is doing the same thing for traditional data bases. As we add these enormous files and new file formats, there’s a purpose for data management and file systems.

I did a lot of work on the Wikipedia entry about Big Data. You can read more of my ideas and other relevant articles there.

Back to The Art of Data Protection blog homepage.

We Remember...Corporate Culture

Cheryl Barto ShoultsOctober 26, 2010, 03:23 pm

• Tweet

• 1

   Elena Maggiore 

Receptionist, Chicago, IL USA

Elena Maggiore was the beloved receptionist, and overall office “ mother,” for SafeNet’s Chicago office. Since 2003, Elena had been taking care of the Aladdin employees – coordinating  employee outings, events, charity drives, global meetings and everything else a busy office could need. Born July 24, 1946 in Chicago, she died Sept. 19, 2010 at Highland Park Hospital.

In 2009, Elena was diagnosed with breast cancer. She underwent a mastectomy and was told she would make a full recovery. After just a few weeks, she was back in the office, smiling and greeting everyone as if nothing ever happened.  “Elena brought joy to not only those that worked out of the Chicago office, but any visitor or vendor that stopped in,” said Gordon French. “Elena always checked in with me to ask how everything was going and make sure I was eating right.  I miss the positive energy and special attitude that Elena projected.”

But in the spring of 2010, Elena began to feel unwell. Further testing revealed that the cancer had progressed further than they imagined and the removal of the infected breast had not eradicated all the cancer: it had moved into her liver. Almost immediately, Elena began a rigorous chemotherapy regimen that left her weak and tired.

Elena’s co-workers remember her fondly.  “Elena was the first face you’d see in the Arlington Heights office as you walked in the front door,” said Nancy Ragont. “She’d always have a smile and a kind word and she’s always make people immediately feel at ease.  She really liked taking care of people, always making sure you were comfortable and that you had whatever you needed.”

“Elena was always so considerate and thinking of others,” said Mark Felix. “She made everyone feel comfortable and welcome at work and treated everyone with respect. She was a great family person and made us all feel part of "her family".  

Even through the trauma of chemotherapy, Elena continued to come to work as much as possible,  cheering on the rest of us and running the office with her warm smile. When she lost her hair, she wore her wig with pride, making everyone laugh with her story of getting it fitted and choosing the color. In support of her new bald head, Niles Leisti, a technical support specialist in Arlington Heights, shaved his head too. It was just one month later that she experienced severe side effects from the chemotherapy and was hospitalized. Her body was simply not strong enough to fight the cancer and treatment a second time, and she died peacefully on Sunday, September 19. To the end, she was surrounded by her family, just as she always wanted.

“She made everyone around her feel loved, appreciated, and like they belonged,” remembers co-worker Theresa Damato. “She created for us in the office a family atmosphere that will always be there as long as we are – a tribute to her and her amazing gift for bringing people together.  Her beautiful spirit will always be with us.”

“What can I say about our Elena – there  are so many things she did to make everyone happy,” said Manuela (Manny) Delgado. “Elena knew the right things to say or do to make things all better.  Elena, you will always be in my heart and will never be forgotten!”

Goals for 2011: Kathryn SampsonCorporate Culture

Maureen KolbJanuary 21, 2011, 10:00 am

• Tweet

• 1

I would like to continue to develop the positive habits I started in 2010 including:

1) Reach my goal weight on the Weight Watchers program-only 17 pounds more to go!
2) Stay credit card free.
3) Learn knew skills in knitting-actually make a sweater or pair of socks.
4) Develop a consistent exercise routine.

Kathryn Sampson
SafeNet –  Columbia, MD office 

At Last: New Guidelines for Online Banking AuthenticaitonAuthentication, Compliance

Motty AlonJuly 1, 2011, 06:46 am

• Tweet

• 1

You can call it symbolic, but the first bars of Etta James’ “At Last” started to play on the radio when I ran into the FFIEC announcement on their long awaited update to the Internet Banking Authentication Guidelines. At last — a fresh look at info-security guidelines, regulations, and best practices in the wake of all of the recent attacks and breaches.

In its “Supplement to Authentication in an Internet Banking Environment” the FFIEC addressed two important issues. First the idea that not all customers were created equal and that different customers are banking differently, have different risk profiles, and thus need different risk mitigation tools.

The second interesting idea is the understanding that a good security strategy should be based on multi-layered approach. So if hackers manage to find vulnerabilities in one of the authentication methods there are, in most cases, other methods that will continue to authenticate or protect customers.

On the less positive side, the FFIEC guidelines do not provide any good risk mitigation options to Man-in- the-Browser (MitB) attacks. MitB is best fought with Out-of-Band transaction security solutions, but FFIEC revised regulations do not mention this at all.

Moreover it seems that the updated regulation does not offer real detailed guidelines, but rather talks about concepts in general. I guess that bankers and their CISOs that are looking for definitive direction on how to comply with the regulation, are not going to get a good answer.

It also seems that the new FFIEC document targets the market and threat landscape of 2 – 3 years ago and has not caught up to the environment in 2011.

I would recommend the FFIEC focus on building guidelines that focus on how company’s respond to evolving threats instead of trying to solve yesterday’s problems. And company’s should focus on looking for security and authentication solutions that can not only ensure compliance with guidelines like these, but also evolve and react to today’s complex and evolving threat environment. Learn more.

Roy Walker Plays Catchphrase at Infosec 2012Corporate News, Featured

Cheryl Barto ShoultsApril 24, 2012, 12:16 pm

• Tweet

• 1

This year, the SafeNet UK team decided to do something more fun for the Infosecurity Europe conference. So they brought in Roy Walker, legendary host of the popular UK game show “Catchphrase.” All this week, Roy will be hosting infosec-themed games of Catchphrase at the SafeNet booth, D81. Stop by to see the legend in person!

3 Steps to More Reliable PKI DeploymentsCompliance, Crypto, How To

Cheryl Barto ShoultsDecember 27, 2011, 10:05 am

• Tweet

• 0

SafeNet’s Experts Offer Guidelines to Re-establishing Trust in PKI

For all the infrastructure advantages and business benefits of PKI, the number of 2011 security breaches clearly indicate that the way in which PKI is implemented may not be as inherently secure as most organizations have mistakenly assumed. What hasn’t been clearly understood is that the private key system used by PKI to encrypt and decrypt messages creates a single and significant point of vulnerability. A recent flurry of breaches involving certificate authorities have exposed this weakness, and have shaken the very foundation of trust that organizations have in PKI.

In order to help enterprises build greater integrity and reliability into their PKI deployments, eliminate unwanted exposure and close security gaps, SafeNet’s cryptographic experts advise the following actions:

1. Know your options for securing keys, weigh the risks, and choose wisely. All recent breaches have had a common theme –private keys and certificates were protected in software, and were left vulnerable. Software-based security has many benefits – it’s portable and offers great flexibility. Software can be copied easily and live in multiple locations at the same time, making the very benefits of software the areas of greatest security risk. A hardware-based security module (HSM) creates the trust anchor that locks the private keys and only allows access to vital information from an authorized source. Similarly, hardware based tokens and cards lock the certificates and avoid software-based certificate risks.

2. Don’t assume that because you are working with a certificate authority your infrastructure is secure. If you rely on the certificate authority to authenticate, authorize, and secure application services, understand that the certificate itself is the vital piece within PKI. If the certificate private key is compromised, the entire PKI environment is compromised. Utilize layers of secure cryptography and select hardware-based options when securing your critical processing PKI end points.

3. Plan for the next generation of critical applications. It is critical to establish a trust anchor for the protection and issuance of keys and certificates within these vital applications, ensuring that keys cannot be stolen, and the operations/transactions performed by those keys are auditable.

“PKI is many beneficial things, but standalone security isn’t one of them,” said Mark Yakabuski, vice president, product management for SafeNet. “It is important to realize the certificate identity itself is the vital piece within PKI – if the certificate identity is compromised, the PKI environment is compromised. The good news is that critical certificate identities can be secured with the proper hardware-based security mechanisms.”

Cryptocard + SafeNet: Providing Global Cloud, Mobile & Authentication-As-A-Service Cloud

Cheryl Barto ShoultsMarch 29, 2012, 02:00 pm

• Tweet

• 0

By SafeNet’s Chris Holland, VP of Cloud Services and Cryptocard’s Jason Hart, VP of Cloud Solutions

Individually, Cryptocard and SafeNet are both well-respected authentication solution providers. Together, they provide organizations around the globe with unparalleled options in technology and consumption models.

Cryptocard is identified by Gartner as a Visionary player in the authentication market, primarily for its authentication service and its unique capabilities oriented towards Service Providers.  That same report (2012 Magic Quadrant for User Authentication) identified SafeNet as the market Leader in terms of both execution and vision. Bringing these two organizations together strengthens both companies.  It gives Cryptocard a global reach, and gives SafeNet proven cloud technology, and for both companies at a rate faster than either could have achieved independently.

With the breadth of the SafeNet portfolio and global footprint, combined with the Multi-Tier, Multi-Tenant Authentication-as-a-Service offering from Cryptocard, together we can now serve many segments of the market with on premise, cloud, mobile and certificate-based authentication options.

The need for strong authentication either for compliance reasons or common sense business practices is represented by demand and growth for an authentication-as-a-service delivery model (predicted by Gartner to be 70% of the authentication market by 2017).  Being able to deliver secure solutions more effectively to smaller organizations through services and service provider-oriented solutions helps more organizations achieve compliance more effectively – as well as helping smaller organizations realize the benefits of securing their intellectual property and critical IT assets.

As compliance mandates reach more broadly across organizations of all sizes, broad and flexible solutions like those delivered by SafeNet + Cryptocard are essential in helping small, medium and large business effectively and easily implement solutions.  All of these organizations can benefit from instant provisioning, utility-based costing  and the convenience, ease of use, and simplicity of the “as a service” platform.

As we integrate and leverage these two strong and successful technologies, we expect to be able to deliver even greater value to the market the benefits of innovation and through enhancing the convenience and access options to customers.

About the authors:

Chris Holland, VP of Software Rights Management, is responsible for enhancing the value the company brings to customers thorough new product developments. He oversees product development and marketing. Chris joined SafeNet in March 2004, after the acquisition of Rainbow Technologies.

 Jason Hart now serves as SafeNet’s VP of Cloud Solutions. He served as Cryptocard’s Managing Director of EMEA since the March 2006 merger of Cryptocard and WhiteHat Consulting Ltd. With a background in ethical hacking Jason brings a unique perspective to the Cryptocard/ SafeNet organization.

Coming Full Circle: White House Re-sets Cybersecurity PrioritiesAuthentication, Crypto, Cybersecurity, Data Breach, Government

Chris EnseyApril 4, 2012, 10:05 am

• Tweet

• 0

Information week recently compiled a few sound bytes from cybersecurity coordinator Howard Schmidt, who has “set an agency-wide goal for agencies to implement priorities to help protect federal IT systems against cyberattack.”

Many have criticized the White House cybersecurity leadership for being slow to ignite positive change in the security posture of the federal government. But lets face it, there are over 1,300 distinct organizations across the three branches of the federal government. This challenge will not be solved over night, nor in a single term of office. This is a multifaceted, budget constrained and red tape laden ecosystem of old and new mindsets and technology. Impacting cultural change will take very distinct mandates with aggressive timelines.

On the surface, it sounds like we are in a very similar place we were nearly four years ago. Reactionary. Focused on fighting battles at the perimeter. Loosing ground to an agile and well-funded adversary.

The article dives slightly deeper into the priorities, stating that by 2014 nearly all of federal organizations would achieve utilization in the following areas:

1.) Consolidating External Connections – a.k.a. Trusted Internet Connection or OMB Memorandum M-08-05 originally issued in 2007. Reducing the attack surface from 4300+ connections down to less than one hundred will enable programs like Einstein (NCSP) to achieve operational relevance.

Anyone in the industry will tell you this is a good idea. The question is: Can you cost effectively monitor the entire federal governments network traffic and identify even a minority of the attacks?

2.) Continuous Monitoring – Overall improvement in situational awareness moving away from static compliance review to dynamic or even real time assessment of controls and operations. Last September, OMB released a memo mandating the use of CyberScope for both manual and automated FISMA reporting.

This is a good start! Through the use of CyberScope, OBM can at least cut the paper pushing. Automation will prepare agencies to exchange information but it is presently limited in scope (no pun intended). At the heart of CyberScope is the Security Content Automation Protocol (SCAP) which is focused on configuration management in primarily windows environments. Hopefully future versions of SCAP will expand to include network devices, storage and other cyber intelligence related data (for example: Malware focused “MAEC” and attack data focused “Cyber Observables” or “CybOX”).

3.) Improved use of Strong Authentication, Digital Signing and Encryption – Implemented properly, these initiatives can dramatically reduce the attack surface. Comprehensive adoption of certificate based authentication, in conjunction with expanded use of digital signing and data encryption establishes a strong security foundation.

This foundation will improve the federal governments ability to guard mission critical and private citizen data while contributing to situational awareness. Correlating access logs, metrics from enterprise key management systems and audit trails from data encryption tools can provide a unique view of user and service level behaviors. This “data centric” monitoring approach could empower analysts to improve security controls, identify insider threat and capture exploits targeting weak applications without the limitations and overhead of processing terabytes of network packet capture.

Imagine the work involved in rolling out just one of these efforts across a single agency, let alone thirteen hundred. The federal agencies, Howard Schmidt and the White House have their work cut out for them. With the budget constraints and limited resources at their disposal staying on target will be critical. Making the 2014 goal is optimistic. The next few years will be interesting to watch. Just keep on target… distinct mandates and aggressive timelines.

Back to The Art of Data Protection blog homepage.

Welcome Steve Messick, Senior Vice President of Worldwide SalesCorporate News

Cheryl Barto ShoultsOctober 7, 2011, 01:05 pm

• Tweet

• 0

“Failure is not an option.”
Gene Kranz, NASA Flight Director, Apollo 13

Steve Messick wants the SafeNet sales team to be perceived as the best sales organization in the industry. As SafeNet’s new SVP Worldwide Sales, he’s uniquely positioned to ensure we reach that goal. “We have a great starting point,” said Steve. “We’re well respected, have good people who work very hard, and we have the right goal in mind. The great thing about taking over the sales organization from Phil [Saunders] is that he provided a really strong foundation.”

Phil stepped into the newly created Chief Revenue Officer position last month, creating an opening for Steve to lead the SafeNet sales organization. Steve has more than 15 years of experience in security, and more than 30 in high tech, and he was drawn to SafeNet because of the importance of our products, as well as the quality of our people. “Everyone I met in the interviews, and since then, has a passion for being successful with customers,” said Steve.

Customers are the heart of Steve’s plans and goals for the SafeNet sales team. He loves when he can see customers achieving success because of something he’s been involved in. Steve wants to make sure that SafeNet is more than just a bunch of products – he wants SafeNet to be a partner, set customers up for success, and be relevant in their businesses. Of course, in our ever-changing industry, that’s easier said than done. “As the industry changes, so do our customers’ needs,” Steve explained. “It’s our job to make sure we’re still aligned.”

Second only to helping customers achieve success is helping SafeNet employees reach their goals. “There is nothing better than seeing someone – whether they’re a sales rep, an SE, or administrative staff – achieve their goals in whatever way they define success,” said Steve. “I want our sales team to exceed plans, to make more money, and achieve their personal goals. Sometimes reaching personal milestones is just as important as achieving corporate goals and I want to help them do that.”

When he’s not working, Steve spends his time with his wife and three boys, ages 23, 20 and 16, who are all very athletic. As a family, they enjoy playing and watching everything from baseball and basketball, to golf or wakeboarding.

Read the press release welcoming Steve to SafeNet.