Will the user define security policies in the future?
I think, I blogged about this event already earlier: Years ago I was meeting a customer and was talking about the future of IT. I was telling the audience (about 10 people including the Security Officer) that there is a good chance that IT will not define a set of hardware anymore but that the user will buy their own and use it for business. Additionally, different people have different ...
Get off XP or Risk your Business?
One of the highest hit rates I ever had on my blog was on a post I wrote right before Conficker broke out. I called it Playing Russian Roulette with your Network. The background was that we had released an out-of-band security update and our customers came back and asked us whether they really needed to deploy it – this situation then led to Conficker.
About 12 months from today, Windows XP will ...
Security in 2013 – the way forward?
Typically, January is the month in which we are asked to make predictions on the trends for the new year. I do not like this, as I am an engineer and not a fortune teller. But there are things we know and things we definitely need to drive this year. I would actually put it into the context of the typical hygiene of any IT environment.
Let's try to understand, where we stand ...
The Directory in the Cloud?
It seems that it is an eternity ago – and it is. Pretty much three years ago, Doug Cavit and I published a paper called Cloud Computing Security Considerations. Even though it is three years old, the paper is still worth reading as the content still applies. What we basically said was that if you look at the Cloud, there are five areas of consideration:
Compliance and Risk Management: Organizations shifting ...
When I talk with customers about the Cloud, we always talk about a few key themes:
- Identity: I am convinced that you need to be able to federate your identity from your on-premises solutions to the cloud. You will want to control the process of decommissioning an identity and make sure that if you have to lay somebody off, this person has no access to the data anymore – especially in the Public Cloud, as this part of your infrastructure can be accessed from anywhere.
- Transparency: If you move to the public Cloud, you will want to have a certain level of transparency about how the software your business runs on is built and operated.
- Data Classification: A lot of customers raise concerns about having their data leave their premises, especially if it leaves the country. However, for a lot of the data in your environment you most probably do not really care, as the data is not sensitive at all. Then there is data ("the keys to the bomb") that you will never ever move to the public Cloud.
Especially the last point typically leads to a hybrid approach, as you want to leverage the public Cloud for the non-sensitive part of your data and keep the sensitive data in a private Cloud.
Our French team just published a paper which you will want to leverage when you are in such a situation: Enabling Hybrid Cloud Today with Microsoft Technologies. To quote the abstract:
With the ambient credo to "do more with less, with better agility and time to market", IT inevitably becomes a service provider for its enterprise and needs to run like a business. The undertaking also requires a step further in the way IT delivers its services to its customers: internal businesses and beyond. IT indeed has to deliver the services in an industrialized way for greater speed and lower cost. This requires increasing their overall core infrastructure operational maturity in two main areas.
The first one aims at improving the management of their own on-premises IT landscape and traditional services by evolving towards a private cloud, i.e. an optimized and more automated way to provision and operate (a catalog of) services for businesses. The second one consists in enhancing their service offerings by utilizing off-premises public cloud augmentations (for acceptable cases of use) as (lower-cost) add-ons to existing services in the catalog.
The combination and interaction of these two cloud paradigms results in the emergence of the hybrid cloud which meets the demands and the expectations of the business. Hybrid cloud spans the two above implementations. A service request can be instantiated in either implementation, or moved from one to another, or can horizontally grow between the two implementations (cloud bursting for instance).
This paper discusses how Microsoft can help your organization achieve a successful hybrid cloud strategy and presents the enabling technologies for on-premises, cross-premises, and off-premises implementation of (parts of) the services. Several typical patterns and common scenarios are illustrated throughout this paper.
So, download and leverage it!
Often, when I talk to customers, product certification is one of the key themes they want to address. In particular, they want to know about our commitment to Common Criteria and whether our products are certified. Typically we certify an operating system at Common Criteria EAL 4+ – the highest level which seems achievable for multi-purpose . . . → Read More: Is there a future for Product Certifications?
Well, some tablets could be but what about the productivity apps?
I just read a post on slashdot:
During a recent trip to an eye doctor, I noticed that she was still using Windows XP. After I suggested that she might need to upgrade soon, she said she couldn’t because she couldn’t afford the $10,000 fee involved with the specialty medical software that has been upgraded . . . → Read More: Some Windows XP Users Can’t Afford To Upgrade
We could even talk about two-factor authentication in my opinion. The idea is that whenever you log on from an untrusted PC, you will be asked to use a second factor (or step). In my case, which I show below, I use the Authenticator app on my phone, which is similar to an RSA SecurID token.
How . . . → Read More: Microsoft Account: Enable Two-Step Verification
Over the course of the next 12 months, you will definitely hear us turning up the volume on Windows XP end of life. However, I really hope that you have started your migration, if you have not already migrated by now.
Trustworthy Computing just looked at the end of support through the lens of the . . . → Read More: The Countdown Begins: Support for Windows XP Ends on April 8, 2014
This is a fairly scary view of the world... Freie Universität Freiburg mapped the Internet-accessible SCADA systems. Have a look for yourself: https://www.scadacs.org/projects.html
Related articles:
- Worldwide Map of Internet Connected SCADA Systems (cyberarms.wordpress.com)
- The SCADA security challenge (net-security.org)
- SCADA's frighteningly exposed underbelly (blogs.techworld.com)
- Thousands of Finnish SCADA systems vulnerable to attack (asherwolf.net)
. . . → Read More: Internet Accessible SCADA Systems
As you might know, solving CAPTCHAs is not really a difficult task for the underground economy. Initially, they wrote code to do it – but then learned that it is easier to outsource the puzzle solving to cheap labor. For a few dollars you can have a CAPTCHA farm solve 1000 CAPTCHAs for you. Fairly . . . → Read More: The Future of CAPTCHAs?