Research

Data security remains elusive. You can think of it as something of a holy grail. We’ve been espousing the idea of data-centric security for years, focusing on protecting the data, so you can worry less about securing devices, networks, and associated infrastructure. As with most big ideas, it seemed like a good idea at the time. In practice, data-centric security has been underwhelming — it gradually became clear that having security policy and protection travel along with the data, as it spreads to every SaaS service you know about (and a bunch you don’t), was just too much to count on. What we’ve been doing hasn’t worked. Not at scale anyway. We need to take a step back and stop trying to solve yesterday’s problem. Protecting data by encrypting it, masking it, tokenizing it, or wrapping a heavy usage policy around it wasn’t the answer, for various reasons. In this Data Security in the SaaS Age paper, we rethink both the expectations and potential solutions to protect the data stored in SaaS applications. Our research is licensed by companies that put a premium on educating their communities on important shifts in technology, and how security must evolve accordingly. We’re pleased that AppOmni licensed this report. Our research is done using our Totally Transparent research methodology. This allows us to do impactful research while protecting our integrity. You can download the paper (PDF). Share:

Selecting DLP technology can still be very confusing, as various aspects of DLP have appeared in a variety of other product categories as value-add features, blurring the lines between purpose-built DLP solutions and traditional security controls, including next-generation firewalls and email security gateways. Meanwhile purpose-built DLP tools continue to evolve – expanding coverage, features, and capabilities to address advanced and innovative means of exfiltrating data. Even today it can be difficult to understand the value of the various tools, and which products best suit which environments – further complicated by the variety of deployment models. You can go with a full-suite solution that covers your network, storage infrastructure, and endpoints – or focus on a single ‘channel’. You might already have content analysis and policy enforcement directly embedded into your firewall, web gateway, email security service, CASB, or other tools. So the question is no longer simply, “Do I need DLP and which product should I buy?” but, “What kind of DLP will work best for my needs, and how can I figure that out?” This paper provides background on DLP to help you understand the technology, know what to look for in a product or service, and find the best match for your organization. We would like to thank Digital Guardian for pushing us to update our Understanding and Selecting DLP content. Time moves forward quickly, and things change in technology even faster, so we need to revisit our basic research every couple years. As always, our research is performed using our Totally Transparent research methodology. This enables us to publish research that matters, while being able to both pay the bills and sleep at night. You can download the paper (PDF). No Related Posts Share:

Securing_Hadoop_Final_V2.pdfBig data systems have become very popular because they offer a low-cost way to analyze enormous sets of rapidly changing data. But Hadoop, with its incredibly open and vibrant ecosystem, has enabled firms to completely tailor clusters to their business needs. This combination has made Hadoop the most popular big data framework in use today. And as adoption has ramped up, IT and security teams have found themselves tasked with getting a handle on data – and Hadoop cluster – security. We released first our first security recommendations in 2012, just before the release of YARN. Since then the Hadoop security landscape has changed radically. Today a comprehensive set of technologies is available. This research paper delves into the fundamental security controls for Hadoop including encryption, isolation, and access controls/identity management. We start by examining the types of problems most firms need to address, matching them against available security tools. From there we branch out into two major areas of concern: high-level architectural considerations and tactical operational options, exploring decision process you need to go through to determine which problems you need to address. We close with a strategic framework for deploying tactical controls into a cohesive security strategy, with key recommendations for keeping Hadoop infrastructure and data secure. As with all our research papers, we welcome feedback and community participation. If you have comments or you want to see additions, please email us at info at Securosis dot com, or post a comment on this blog. This way we can foster an open dialog with the community. Finally, we would like to thank the companies which have licensed this research and helped us make it available to you free: Hortonworks and Vormetric. Download the research here: Securing_Hadoop_Final_V2.pdf. Share:

October 2015 is the deadline for merchants to adopt EMV-compliant credit card terminals, in exchange for a liability waiver for fraudulent card present transactions. Explaining the EMV shift and payment security is difficult – there is a great deal of confusion about what the shift means, what security it really delivers, and whether it actually offers real benefits for merchants. Part of the problem is that the card brands have chosen to focus all their marketing on a single oversimplified value statement: the liability shift for card present transactions through non-EMV-compliant terminals. But digging into the specifications and working through the rollout process reveals a much larger change underway, with much broader ramifications. Unfortunately the press has failed to realize these implications, so the conversation has focused on liability, and lost sight of what else is going on. We produced this research paper to explain the additional changes underlying the EMV shift, its full impact on merchant security and operations, and where the shift will take the payment ecosystem. The real story is both simpler and more interesting than its coverage to date. Download here Ultimately every paper we write at Securosis has the same core goal: to help security practitioners get their jobs done. It’s what we do. This paper is mostly for those at merchant sites struggling with the rollout and issues it creates. At the end of the paper we offer recommendations for practitioners of EMV and mobile payment; including whether they should adopt EMV terminals and practical considerations to protect themselves from new attack vectors if they do. As always, if you have questions or additional material to add, feel free to post a comment. EMV and the Changing Payment Landscape: download here. Share:

Today we see encryption growing at an accelerating rate in data centers, for a confluence of reasons. A trite way to summarize them is “compliance, cloud, and covert affairs”. Organizations need to keep auditors off their backs; keep control over data in the cloud; and stop the flood of data breaches, state-sponsored espionage, and government snooping (even by their own governments). Thanks to increasing demand we have a growing range of options, as vendors and even free and Open Source tools address this opportunity. We have never had more choice, but with choice comes complexity – and outside your friendly local sales representative, guidance can be hard to come by. For example, given a single application collecting an account number from each customer, you could encrypt it in any of several different places: the application, the database, or storage – or use tokenization instead. The data is encrypted (or substituted), but each place you might encrypt raises different concerns. What threats are you protecting against? What is the performance overhead? How are keys managed? Does it all meet compliance requirements? This paper cuts through the confusion to help you pick the best encryption options for your projects. In case you couldn’t guess from the title, our focus is on encrypting in the data center: applications, servers, databases, and storage. Heck, we will even cover cloud computing (IaaS: Infrastructure as a Service), although we covered it in depth in another paper. We will also cover tokenization and discuss its relationship with encryption. We would like to thank Vormetric for licensing this paper, which enables us to release it for free. As always, the content is completely independent and was created in a series of blog posts (and posted on GitHub) for public comment. Download the full paper. Share:

We have been writing extensively about the disruption currently hitting security, driven by cloud computing and mobility. Our Inflection: The Future of Security research directly addresses the lack of visibility caused by these macro trends. At the same time great automation and orchestration promise to enable security to scale to the cloud, in terms of both scale and speed. Meanwhile each day’s breach du jour in the mass media keeps security topics at the forefront, highlighting the importance of protecting critical information. These trends mean organizations have no choice but to encrypt more traffic on their networks. Encrypting the network prevents adversaries from sniffing traffic to steal credentials and ensures data moving outside the organization is protected from man-in-the-middle attacks. So we expect to see a much greater percentage of both internal and external network traffic to be encrypted over the next 2-3 years. Our Security and Privacy on the Encrypted Network paper tackles setting security policies to ensure that data doesn’t leak out over encrypted tunnels, and that employees adhere to corporate acceptable use policies, by decrypting traffic as needed. It also addresses key use cases and strategies for decrypting network traffic, including security monitoring and forensics, to ensure you can properly alert on security events and investigate incidents. We included guidance on how to handle human resources and compliance issues because increasing fraction of network traffic is encrypted. We would like to thank Blue Coat for licensing the content in this paper. Without our licensees you’d be paying Big Research big money to get a fraction of the stuff we publish, free. Download: Security and Privacy on the Encrypted Network (PDF) Share:

It’s all about the data. You want to make data useful by making it available to users and applications which can leverage it into actionable information. You share data between applications, partners, and analytics systems to derive the greatest business intelligence value possible. But what do you do when you cannot guarantee the security of those systems? How can you protect information regardless of where it moves? One approach is called Data Centric Security, and it is designed to protect data instead of infrastructure. Here is an except from our paper: This is what Data Centric Security (DCS) does: focus security controls on data rather than servers or supporting infrastructure. This approach secures data wherever it moves. The challenge is to implement security controls that do not render it inert. Put another way, you want to derive value from data without leaving it exposed. Sure, we could encrypt everything, but you generally cannot analyze encrypted data. Nor can you expect to securely distribute key management and decryption capabilities everywhere data moves. But you can enable data to be protected everywhere without exposing sensitive information. This research delves into what Data Centric Security is, the challenges it addresses, and the technologies used to support customer use cases. We hope you find this research useful, and see DCS as an alternative to traditional infrastructure security. We would like to thank Intel Services for licensing this research and supporting our Securosis Totally Transparent Research process. Download Trends In Data Centric Security (PDF). Share:

One of the fastest growing cloud services is Cloud File Storage and Collaboration, also known as Enterprise Sync and Share. These tools allow organizations to centralize and manage unstructured data in entirely new ways. They also promise massive security benefits, including centralized control over unstructured data, with a full audit log of all user and device activity. But not all services are created equal – inherent and optional security features vary very widely. Transitioning to these new services also requires a strong understanding of both the platform’s security capabilities and how best to leverage them to reduce your organization’s risk. This paper guides security professionals through the new landscape of cloud file storage services. We cover the basic features, the core security capabilities, and then emerging advanced security options. The Security Pro’s Guide to Cloud File Storage and Collaboration (PDF) Share: