Data

Meet the Cloud Pioneers… and a Note about Security Limiting Cloud Adoption

Meet the Pioneers, the group of enterprises leading the way with Cloud adoption. They are distinguished from their colleagues, Cloud Planners and Cloud Stragglers in many ways.  In this post, we’ll keep it to security.  As the figure below show, when Cloud Pioneers prepare for Cloud deployment, tops on the list is upgrading security and implementing encryption.

Source: WaveLength Market Analytics/Winn, Five Key Themes on Enterprise Cloud Computing

For this reason, Pioneers are less concerned with security, as opposed to Stragglers, where security truly limits their adoption.  As you can see from the table below (click it for a larger view) that combines all the concerns we asked about, it is easily apparent.  The highest ranking for a security concern, which is “Reduced control/visibility for security” is 8th for Pioneers, tying with “Technology not yet proven.”  This is because Pioneer’s upgrade security prior to their Cloud deployment.  Because of these projects, for Pioneers, all security concerns rank in the bottom half of the list.   For Stragglers, it’s a different story.  Of their concerns, all security concerns we asked about rank in the top half.  After costs, lack of trusted third parties to help them, and the perception that it’s an unproven technology, security concerns are the real barrier for this group.  It all suggests the opportunity for security vendors to develop the market by easing  the fears of the mainstream market.

 

 

Source: WaveLength/Winn Five Key Themes in Enterprise Cloud Computing

 

 

Data

Hard Drives Can Pose Risks to Sustainability

By Sarah Sorensen

Extending the use of computing devices is critical if we are to create more sustainable consumption. We can divert waste from landfill and reduce the energy it takes to extract materials and build new devices, if we can lengthen the life of the devices we already have or find new ways to use its components.

I think most of us try to recycle our devices and are happy to pass along those that have outgrown our needs. But what if its reuse poses a risk to you?  Hard drives can pose such a risk and, as such, often have their lives and usefulness cut short.

What do you do with your hard drive, which often houses all of your intellectual property and sensitive information, when you are done with it? How do you make sure your information isn’t found and used by someone else? Just deleting the information off of it doesn’t mean it’s gone, it is not too difficult to get the data back. (Something I am often thankful for when I delete a file by accident, but which opens up a huge risk when you really want to get rid of the information.) Even when your hard disk is corrupted or physically damaged, all is not lost.  just do a quick search on hard disk recovery and you will find a whole host of sites and solutions that can help  recover information.

It’s no wonder that organizations that can afford them have “disk drive chippers” that completely destroy a hard drive once it is no longer needed, so that no data can be recovered from it. Others go a more conventional route and use what a colleague of mine calls “Fred Flinstone” or “Young Dr. Frankenstein” techniques – you get the picture.

But wouldn’t it be more sustainable if we could extend the life of that device? What if there was a reliable way to permanently erase the data on it without having to shred the device?  Just because the model is no longer of use to you, it is very likely it would suit the needs of someone else. We could divert that device from landfill for a little while longer. Then, because we have a way to erase the data, we could explore recycling and reusing the components to further reduce waste.

This is something that has been done with cell phones and copiers; they often receive an extended life in the hands of those who find an older model perfectly suitable. (I know I have donated my cell phone in the past; you can check outhttp://charityguide.org/volunteer/fifteen/cell-phone-recycling.htm to find organizations in your area who have needs.) But is this safe to do now?

In the past, phones were only used for voice calls – the data potentially exposed consisted of your phone book. Remove your SIM card and you could be fairly sure that future users would not find anything personal left on your phone.  Today’s smart phones have the computing power of many desktops; they are being used to conduct our business and personal lives. Ever search the Web? Take a photo? Check your bank account? Pay a bill? Read your email? Download a file? Think of all the data that is potentially on your smart phone stored on the hard drive that now sits on that phone… how do you make sure that it is gone when you are done with the phone? Does this mean we are back to destroying the device? Again, it would be great to know that we can reliably erase the data, so the device can be used by someone else.

Same thing with photocopiers; over the past five to seven years, most copiers are networked to a variety of computing devices and each have a hard drive that records all the information that is copied, printed, faxed or scanned. Since most organizations don’t want to spend the capital to buy a copier they lease it from a provider (which also enables them to offloading the repairs and maintenance). When the lease is up, the copier provider will come, delete the data, and send it off to another customer. But we have already mentioned that simply deleting data doesn’t mean it is gone. So these copiers can provide a wealth of information to those who know to look for it. (Check out http://www.identitytheft.com/article/are_photocopiers_a_risk this site to get some tips on how to protect yourself when using a copier). Again, this doesn’t make it a sustainable solution.

So what can you do? As an organization, you

  • Need to first put in place a proactive data leak prevention program; because only after you are sure you can identify all the potential risks, can you put the processes or technologies in place to mitigate them.
  • Consider using a disk management program that adheres to any of the eradication standards used by many international governments and military (such as DoD 5220.22, Gutmann method, Schneier Standard, AFSSI 50220, NAVSO P5239-26, VSItR, AR 380-19, GOST P50739-95, Crypto-secure Random Data.
  • Ensure you can securely delete data from hard drives, including “locked” or “in-use files.”
  • This requires overcoming some operating system limitations that exist to ensure continual operation – which is what you want when you are using the system, but not so great when you want to get rid of the data.
  • So, make sure you are able to delete all the different file systems from all the different operating systems you have on the device.
  • You also want to make sure that you can eliminate “zombie-data” stored in the recycle bin or in the blank space of the hard drive.

For individuals:

  • You can download software that enables you to erase hard drives, such as Active@KillDisk or LSoft Technologies. They write over the data, because deleting and reformatting the drive doesn’t actually delete it.
  • Note, data that has been written over only one or two times can be recovered; however, it takes expensive equipment to do. So unless you are expecting a super sleuth or crime lab to want to read your data, you are probably safe.
  • If in fact you are worried about professionals taking the time to get at your data (you probably have bigger problems than I can imagine!), experts recommend rewriting the data seven times to make sure it is unrecoverable.
  • Make sure you pay attention to those files that are “locked” or “in-use” and “zombie data”- you don’t want to leave them on the drive.
  • Something to think about is the ability to remotely initiate and manage an erasure, so that if your phone or computer is lost, you can delete the data as soon as it connects to the network.
  • Some operating systems have a “kill pill” feature that allows you to remotely erase and lock it, make sure it’s enabled.

Once the hard drive no longer poses a risk, it can be reused. The goal is to promote a more sustainable way to use technology, so we can reduce our impact and drive change on a global scale.

Data

Reflections on RSA – Security is Really a Control and Data Management Problem

By Sarah Sorensen March 4, 2010
http://broadcast.oreilly.com/2010/03/advanced-persistent-threats-ar.html

This week, I spent some time at RSA, an event where security vendors and professionals connect. As I have mentioned in past blogs, security is paramount to the sustainability of the network. If we are to leverage the network as a powerful tool for change, we need to be able to trust that the information and resources on it are secure.
As recent headlines have demonstrated, attacks on the network are ever-present; 2009 saw malware and social networking attacks surge (spam carrying malware was averaging 3 billion each day by the end of the year) and increasingly sophisticated mobile attacks emerge. Just as in the physical world, there are individuals motivated by greed, power and personal gain (the riseand co-opting of the Zeus attacks, which originally targeted financial institutions, is just one example – to date it has infected about 74,000 PCs, and that’s just one attack), and there are those who are looking to achieve political or ideological ends.
But, as the show floor and conference discusssions demonstrated, there are a lot of technologies out there designed to help organizations combat and mitigate against all these attacks. There are literally thousands of companies, focused on everything from user and data authentication to spyware and cloud security. So why is it that even though there is an answer or feature out there for almost every threat or need, organizations are still struggling to protect the network? I think it’s because security is more of a control and data management problem than a feature-set issue.
I heard Palo Alto Networks talk about controlling exactly what should and should not be allowed on the network, based on the user and their role, the application and exactly what they are trying to do. This approach makes sense because with a focus on control, you can eliminate a lot of the risks right off the bat. You can restrict peer to peer traffic and file sharing applications that can be used by attackers to gain access to the network (through malware/trojans) and all its resources. The key is to have this level of control over every aspect of your network, from the edge to the core and within the hosts themselves, and then, for what is allowed, look for threats and mitigate attacks within that “allowed” traffic.
This gets us to the data management problem; a typical network’s security infrastructure contains multiple different devices, each with different management consoles, each producing a lot of logs that can contain thousands of pieces of information. Linking all this data and making sense of it all requires a lot of manpower and expertise. Oh, and don’t forget that physical security measures, which can also provide clues and contain indicators of risks, are kept almost entirely separate from the network security activities (typically they are run by two different groups with very little connection, though I did see a company that was trying bridge that gap).
I think it is telling that it took Google and a host of other companies targeted by attackers originitating in China MONTHS to figure out exactly what happened (in fact, I believe the investigation is still going on now). So, under the cover of the data deluge that network administrators are under from all these different security devices, attackers can infiltrate a network and operate undetected.
All of the calls to better manage business information and increase the value derived from insights and analysis of that information (take a look at last week’s Economist’s special report) need to be applied to network security. Organizations need a singular, meaningful view into the network that helps them identify in real-time what is going on and any threats to that network. To date, I haven’t seen big advances on this front, sure there are the large, generic platforms offered by the likes of HP and IBM and security-specific management platforms from folks such as ArcSight. I would love to hear from you if you have seen promise in this area. Right now, I think we need more innovation; we need truly comprehensive visibility and the ability to easily and actively control and manage of the network. The security and ultimate sustainability of the network as a platform for change is reliant on it.