Securosis

Research

Help Me Pick My Next Paper Topic

Hey folks, Just a quick note that I am trying to decide between a few different topics for my next paper. If you have a moment, I could use your opinion. Which will take no more than 5-15 seconds when you click this link. The options are: BYOD Security Fundamentals Defending Cloud Data – Encrypting for Dropbox, Box.net, and Friends Defending Data in Cloud Infrastructures – IaaS Encryption and Data Security Defending Enterprise Data on Mobile Devices Other (please specify) I threw it out on Twitter and IaaS encryption took an early lead, which is interesting because I expected it to be BYOD. Thus I decided to double up and push it out through the blog. Thanks. Share:

Share:
Read Post

Happy Out of Cycle IE Patch Monday

Microsoft to release emergency Internet Explorer patch on Monday The vulnerability, which is present in IE 6, 7 and 8, is a memory corruption issue. It can be exploited by an attacker via a drive-by download, a term for loading a website with attack code that delivers malware to a victim’s computer if the person merely visits the website. Microsoft released a quick fix for the issue earlier this month, but did not have a more permanent patch ready when it released its monthly batch of patches last Tuesday. The company will occasionally release an emergency patch if the software vulnerability is considered a high risk. So if Mondays weren’t bad enough, have fun applying this out of cycle patch because Microsoft couldn’t get it done in time for the regular patch cycle. Of course you need to be running an older version of IE for this to be an issue, so there’s that. Share:

Share:
Read Post

Let’s Get Physical—Road Rules Edition

It’s a new year, so let’s get physical and personal. I wondered what people do about physical security specifically – how do you protect your laptop while on business travel? Hotels, airports, cars, etc. We have all seen that “road rules” can be pretty different, so what precautions do you take to ensure your laptop and devices return home safely? Do you always carry your laptop? Carry a lock? Have ways to hide it? It seems like there are no real 100% answers or ‘best’ practices – just least-bad practices, and answers I hear are an interesting mix of personal and technology options. I asked a number of folks and here is what they said. (please comment on your own “least bad” approach) “I usually carry my laptop. But have left it in an in-room safe and locked in my bag. I don’t leave anything out and visible.” Hotels: “On rare occasions that I leave it in my room, i leave the Do Not Disturb sign up. Disinformation FTW. I think the real answer is try to travel with tablets and not laptops if possible” “I try to avoid traveling with a laptop anymore, although I still need it for conferences usually.” “I use the do not disturb trick, and I never use the hotel safe since that’s the first place they’ll look. I bury my laptop in my clothes bag when I leave it. With an 11-inch MacBook Air, that’s easy. But the truth is it is disposable for me. I’d be out the money, but being well encrypted I don’t worry about data loss. And everything is synced anyway.” I have only been able to do this for the past few years thanks to Dropbox and a few other things. (This one is from our very own Rich Mogull). “I rarely travel with a laptop, and keep a short lock on iOS devices.” On TSA: “I don’t care about TSA – nothing to hide. But I do shut down if I’m someplace where I worry about cold boot (China).” What are your road rules? Share:

Share:
Read Post

Bolting on Security—at Scale

GigaOm offers a fascinating glimpse into Netflix’s EC2 architecture: Netflix shows off how it does Hadoop in the cloud: “Hadoop is more than a platform on which data scientists and business analysts can do their work. Aside from their 500-plus-nod[sic] cluster of Elastic MapReduce instances, there’s another equally sized cluster for extract-transform-load (ETL) workloads – essentially, taking data from other sources and making it easy to analyze within Hadoop. Netflix also deploys various “development” clusters as needed, presumably for ad hoc experimental jobs.” The big data users I have spoken with about data security agreed that data masking at that scale is infeasible. Given the rate of data insertion (also called ‘velocity’), masking sensitive data before loading it into a cluster would require “an entire ETL cluster to front the Hadoop cluster”. But apparently it’s doable, and Netflix did just that – fronted its analytics cluster with a data transformation cluster, all within EC2. 500 nodes massaging data for another 500 nodes. While the ETL cluster is not used for masking, note that it is about the same size as the analysis cluster. It’s this one-to-one mapping that I often worry about with security. Ask yourself, “Do we need another whole cluster for masking?” No? Then what about NoSQL activity monitoring? What about IAM, application monitoring, and any other security tasks. Do you start to see the problem with bolting on security? Logging and auditing are embeddable – most everything else is not. When the Cloud Security Alliance advised reinvestment of some savings back into security, I don’t think this is quite what they had in mind. Share:

Share:
Read Post

Mobile Identity—WTF?

Identity management on mobile devices: How do we do it? I have been taking a lot of calls on mobile identity issues and solutions over the last three months, and I am just as confused now as when I started looking into this subject. And I think the vendors I have spoken with are reaching, in their assessments of the right course of action and where the market is heading. If you want to implement identity on a mobile device, what do you do? Option 1, Crawl: Use a mobile browser and capture user names and passwords just like we do on the desktop. But mobile browsers kinda suck. People don’t want to use them and they suffer many of the same security problems we have had for a decade (see OWASP Top 10). Option 2, Toddle: Augment with OAuth tokens. Is OAuth 2.0 even a standard? But what about the security issues of encryption, digital signatures, and bi-directional verification of trust? Option 3, Walk: Adopt the ‘App’ model, and create an IAM app, which handles all the complicated identity stuff on your behalf. How does that app cooperate with other apps? How do we deal with personal and corporate personas? How do we deal with knowing the user is who they are supposed to be, and not a random person who found your phone? Option 4, Run: Use special features of the mobile platform, such as voice recognition on phones, or cameras for facial recognition? Will that work when I am on the subway or in Starbucks? Does Joe User want that – enough to pay for it – or will they look at such things as privacy violations? These are the options I am hearing about. And none of them seem to be fully thought out. And once we get past Toddle, who’s the buyer? Seeking wisdom, I scaled the mountain to discuss the topic with Securosis’s IAM guru, Gunnar Peterson. What I got was: “Mobile Identity? Ooohhh – it’s early days and it’s an unholy mess”. Yes, that pretty much summed it up. Gunnar agreed that this is the current progression, and that Identity definitely gets ‘stronger’ with each progressive step outlined, but it also gets much more complicated. Do you think I am over-reacting? Did I miss anything that concerns you? This is a topic we will dive into over the coming weeks, so I would like to hear from the community. Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.