The other day I found myself in conversation with a couple of senior execs from a large and well-known security vendor.  During the discussion, they made the point that oftentimes a security health check or investigation means presenting bad news.  The CISO is not always going to be overjoyed by what you have to report, so you need to present your conclusions direct to the decision maker.

So, this was the challenge – how are you going to get the CEO’s attention and a commitment to action, all in just 15 minutes?  Clearly, there’s no use talking about operational security – that’s the CISO’s patch.  So, I mused, frame the discussion in terms of Governance, Risk and Compliance (GRC).  Most organisations of any size are now quite adept at security compliance.  Faced with a plethora of legislation, regulation and contract schedules and armed with a bewildering array of control frameworks and certification schemes, IT security teams spend most of their time looking backwards at what already happened.  Beyond that, the Business grants authority to the CISO and his team to implement sufficient controls to enforce the corporate IT security policy.  Governance is about monitoring how that decision-making process is working.  Finally, the real objective looking forward should be to deploy adequate security to meet the business risk.  That ought to be something the CEO cares about.

OK, so now we have a context, but what are the big issues in security for the business?  I came up with a Top 3 (you may well disagree):

1. Consumerisation:  Like it or not, staff are going to use their own devices (smart phones, tablets, home computers) in the course of their work.  Of course, these devices are outside the control of the IT department, so how do you enforce security policies?  What happens if the device is lost?  Can you do a remote wipe (which will include the owner’s data as well as the company data)?  This loss of control of physical assets and their configuration provides a toehold in the network for an attacker.
2. Advanced Persistent Threats:  The business may find itself under attack from an APT, armed with a wide range of skills and resources and focused on a long-term (months or even years) objective.  Even if the IT Security team detects ATP activity, this may only be a fleeting glimpse of what’s actually happening The business may well have no idea why it is being targetted.  All the while, the APT will be syphoning off vast amounts of data, maybe sensitive business information, maybe intellectual property, but also maybe personal information belonging to the business’s clients or employees.
3. Cloud Services:  I wrote in a previously post about the threats to security governance posed by cloud services.  In many organisations, business units are adopting cloud services without the advice and support of their IT security specialists.  The resulting agreements often provide little or no oversight as to how the provider will assure the security of critical or sensitive data and can place the business’ legal and/or regulatory compliance status in jeopardy.

All of these conspire to present a real and growing threat to the personal and sensitive information, stored by virtually every organisation these days. But, how to persuade the CEO that these threats are real?   The challenge is to come up with a set of “world-class” questions – they don’t require an answer at the time, rather they should make our CEO reflect on what matters to the long-term health of the business.  By coincidence, fellow IBMer Marc van Zadelhoff recently described his set of questions for the CISO in a blog post for the IBM Institute of Advanced Security.  His candidate questions are rather more technical than what I had in mind, but that really reflects the dilemma of how to engage with the Business at a senior level.  So, I thought about it for a while and this is what I came up with:

1. Where is your data stored right now?  Can you account for every copy?  If you’ve entrusted data to a 3rd party, are you sure you can get it back if you end the service?  Are you sure they’ll delete it when you tell them?
2. Can you be sure that your sensitive data isn’t being exfiltrated  by an attacker?  If it was happening, would you know?
3. If the worst were to happen and you become the target for a large-scale, highly public data breach, do you have a credible, tested crisis plan for dealing with it?  Can you withstand the reputational damage while you execute your plan?

So, that’s my list, all related to the need to protect critical and sensitive data.  How would your CEO answer?

Something we can all do to help.  Publish the banner on your website or your blog or retweet the post.  Let people know, so they can turn out to help with getting things back to normal.

For me, this picture sums up the violence of the whole thing.  This morning’s television news showed footage of a 150 year old family run furniture store ablaze.  Why?  What did that achieve?

But, as bad as things get, people act with kindness and show their appreciation to the police..

#riotcleanup pictures on PicFog riotcleanup pictures

Check out this site for more pictures of the clean up operation around London.

Now something else we can all do to help.  Look at the pictures from the Met Police.  If you know any of these clowns, tell the police.  They need to be stopped before someone gets seriously hurt.

The Times 13 May 2011

It’s been a pretty hectic time for me work-wise recently – you may have noticed from the tumbleweed blowing through this blog in recent weeks!  But, after a concerted push to get some deliverables out, I finally found myself working from home today, with a little less pressure than normal.  So, I decided to set myself up for the day with an early morning trip to my favourite coffee shop, for a cappuccino (skinny, of course!) and a chance to read the newspaper in peace.

So it was that I found myself reading in the Times about a minor spat between two Members of Parliament.  In a nutshell, a senior (male) MP challenged a young woman he encountered in a restricted area, on the basis that “”Well, I thought you looked too young to be an MP”.  He challenged her to produce her pass, which she did.  Awkward.  Now, I don’t intend to defend the MP’s possibly boorish manner (after all, it seems he has form when it comes to acerbic remarks).  Equally, it seems at least possible that the younger (newly elected) MP might have been less than cooperative, when challenged.  So all in all, a storm in a tea-cup, but it reminded me of a serious point.

Must we wear photo passes?

Regular readers will know that I work for IBM where, in common with all technology based organisations and many large organisations of all types, it’s mandatory for all staff to have a pass to gain access to and move around the company sites.  These access passes form a key component of physical access control systems and even, in more advanced deployments, provide strong authentication for access to computer systems.  They also generally display a photo of the owner and their name.  The idea is that the most basic element of physical security is for those in a restricted area to be aware of who should be present and who shouldn’t.

In modern organisations, staff often visit their “home” office only infrequently.  Equally, the number of staff in any one location is often very large.  As I wrote in a previous post,  Dunbar’s Number suggests that we have difficulty keeping track of a circle of acquaintances numbering more than (say) 150.  This is, in large part, the reason behind photographic ID.  I’m sure IBM is not alone in insisting that these badges are worn in plain sight by all staff at all times.

They also help in avoiding embarrassing situations like the newspaper story, with which I opened.  ”Tailgating” is frowned upon at card operated doors and clearly visible photo ID makes it easier for security staff to detect.  It’s everyone’s responsibility – and should be drummed into new staff through security awareness training –  to be aware of who is in the area and to confirm their right to be there.  We also have to be prepared to challenge anyone not displaying the correct pass, though hopefully showing a little more tact than the Tory MP.

Over the last 20 years or so, I’ve had a hand in the design and delivery of a wide variety of systems for handling Protectively Marked or otherwise sensitive data, from both the vendor side and the customer side.   In every case, it was easier to prove the required level of assurance to the Accreditor, when the solution was built on certified products.

However, the certification schemes available – principally the internationally supported Common Criteria (ISO 15408 – originally ITSEC in the UK) and the UK’s CESG Assisted Product Scheme (CAPS) for crypto products – are aimed mainly at the higher Impact Levels.  As a consequence, certification is a lengthy and expensive process for the vendor.  This commitment of cost and time must inevitably be passed on to the purchaser.  For systems handling data up to Impact Level 3 (or Protectively Marked as Restricted), the level of both functionality and assurance offered by CC or CAPS products is more than is needed and the cost often prohibitive.

Such systems form the bulk of deployments in the UK’s Public Sector and Critical National Infrastructure, so what has long been needed is a catalogue of commercial security products, approved for use at the lower Impact Levels.  The progress from the Claims Test Mark Scheme, piloted by CSIA and the Cabinet Office from 2004 to this new scheme is well documented in the Excelgate blog.  For me though, the most attractive attributes of the CPA scheme include:

• CPA products are approved for use up to IL3 (CTM products may be used up to IL2);
• The criteria for approval recognise that threat levels differ even at the same Impact Level and provide for a Foundation and Augmented level of approval for each product.  This allows a product to be awarded Foundation level approval (relatively) quickly, while evaluation continues for Augmented level.
• The process will accept evidence generated for other certification schemes, greatly reducing both the time and the cost to vendors of the approval process.  Hopefully this will be reflected in a much wider range of security enabling products being submitted for approval.
• A wide range of security characteristics have been defined against which products can be tested.  The scheme has established 3 tiers of priority for initial product testing, ensuring that the most commonly required security mitigations are served first.

What Next?

Details of the transition from the CCTM scheme to CPA were published by CESG in February 2011.  Acceptance of new products for CCTM evaluation will end in December 2011, with no product certificates remaining in force after December 2012.  The CPA scheme goes live this month (April 2011) and of course, it remains to be seen how it works in practice.  In my opinion, it will stand or fall by how well it succeeds in reducing the time and cost burden on vendors seeking approval.  Success in that will ensure a wider range of solutions with security adequate to meet the business risk will be available to public sector customers, removing the need to over engineer their solutions in order to achieve accreditation.  When that happens, everyone wins, not least the UK tax payer.

How many times have you agreed to a meeting  (or conference call or webex) and then, when you got back online, found that it clashes with another commitment?  No?  Well, it’s happened to me often enough that I decided I need to do something about it.

Up until the time (nearly 2 years ago now) when I stepped out of the corporate world and into independent consulting, I was happy to manage my work commitments through Outlook and Exchange server, conveniently relayed to me wherever I was through Blackberry.

When I set up Identigrate UK, the Outlook calendar on my home desktop PC became the heart of my time management strategy.   Judicious use of categories allowed me to distinguish between business and domestic commitments, while allowing MrsV1951 to act as unpaid diary manager in my absence.  Fine for starters, but as I figured out how to run a consulting operation, so I needed to add some sophistication.

Step 1 – Add a laptop

The ability to work at a client site makes a decent laptop an essential item of kit for any consultant.  The problem is, how to maintain a single coherent diary across both desktop and laptop, with the ability to make changes to either.  The answer proved to be very simple and – like a lot of things these days – came from Google.  I already had a Google account and, though I didn’t (and still don’t) make much use of Gmail, I am a big fan of Google Reader.  It was a simple matter to add Google Calendar and to install and configure the free calendar sync application on each of the two machines.

I have both machines set to sync once per hour, so on average their Outlook Calendars are up to date within 30 minutes.

Step 2 – Sync to iPhone

My next acquisition – and destined to become a vital part of my travelling toolkit – was my iPhone.  Now, I could send and receive emails on the road, in much the same way as I used to do with Blackberry.  Initially, I chose to sync the iPhone calendar to my Outlook calendar when I connected to iTunes.  Of course, this meant remembering to do this before setting out on each trip.  I needed to do better than that.  Once again, the answer lay with Google Calendar.  The iPhone can be configured to sync to Google Calendar, by adding it as a new Microsoft Exchange account.  If the iPhone is configured for Push delivery, then it will sync whenever you start the calendar app.

So, now, I have calendars on the desktop, laptop and iPhone.  I can add, delete or modify entries on any one of those devices and within a short time (say 30 minutes), it’s propagated to the other two devices.

Step 3 – Lotus Notes

In May 2010, I joined IBM Global Business Services and found myself with yet another laptop and yet another calendar to include in my synchronisation scheme.  This time however, I had to find a way of dealing with Lotus Notes.  The solution came in the form of CompanionLink,the only paid-for commercial product in my strategy.  CompanionLink is actually a very versatile tool, which can sync events, contacts and to do lists between a wide range of applications and mobile devices.  The version I used, CompanionLink Express limits you to one from each category to sync.  Once installed, it runs in the system tray on the laptop and connects to sync (you choose either one-way or two-way) according to a pre-defined schedule.

This brings our running total to 3 PCs/laptops and one iPhone all synchronised through a single Google Calendar, still with a latency of around 30 minutes to propagate a new entry to all the devices.

Step 4 - Add travel destinations

I’m a long-time user of LinkedIn and in the past, have occasionally used the built-in TripIt application for travel planning.  It occurred to me that, whether I use TripIt (on LinkedIn or through its website) to plan the details of a trip or not, it might be a useful way of just recording my whereabouts geographically.

TripIt supports iCal as a mechanism for keeping a calendar up to date with travel plans.  This facility is available for all the components of my sync strategy, with the exception of Lotus Notes, where I would need to upgrade to v8.5 to get iCal support.  However, there’s a small catch in this plan.  Subscribing a device (with Outlook, Notes, Google Calendar or iPhone) to an iCal feed actually creates a separate calendar on that device.  Google Calendar and iPhone will happily display all calendars simultaneously on a single display, but Outlook only allows you to view two separate calendar panes side by side.

Notwithstanding the small problems over display, the effect is that I can quickly and easily publish my whereabouts in advance and show them as an all day event on the calendar.  I can do this from within LinkedIn, via the TripIt website or using the TripIt widget in the Lotus Notes sidebar.

Step 5 – Publishing a schedule online

So, now I have a (more or less) single consistent view of my diary across all the devices I use and that view will update everywhere as soon as I make a change.  The last challenge then is to make that information available to others.  Of course, I could just give access to my Google Calendar, but that contains a lot of detail about my activities, both business and personal.  The solution came from fellow IBMer Emily O’Byrne.  I noticed that Emily points people to Tungle.me to view her schedule.  Tungle.me publishes your availability in real-time to interested parties and allows them to schedule a meeting or call with you at a time when you’re free.  Tungle does this by syncing with your existing calendar and works for people inside and outside your organisation.  It can sync simultaneously with multiple calendars and you have control over how much detail to share.

So, you can check out my schedule on tungle.me, which uses Google Calendar to show times when I’m available and uses TripIt to show where I am on any day when I’m travelling.

Try it Yourself

Back in the 1980s, as PCs were becoming available for the first time, the Managing Director of a major British computer company was asked if he’d be using one of his company’s new PCs.  He replied that if his life ever became so complicated that he needed a computer to manage his time, he’d change his lifestyle.  Now though, for many of us, it’s hard to imagine not using PCs, laptops, smart phones and the web to plan our activities and track down those that we deal with.

I’m not saying what I’ve described is the only way to get a single synchronised view, nor even necessarily the best way.  But, I am saying it works for me.  Try it out yourself and let me know how you get on.  If you find a neater way of doing things, I’d really like to hear!

Identity 2.0

Identity 2.0 or digital identity has long promised to solve these problems in a world where a user can potentially have one online identity, with a pre-certified proof which is submitted when required for authentication.  This model is represented by Microsoft’s Cardspace and the open source Higgins project, but has been slow to gain momentum.  However, in recent years, a number of the larger IAM vendors, starting with CA Technologies, have added support for these technologies to their Web Access Management products.

Multiple Identities Online

Of course, being able to use a single identity and set of credentials for all your online activities is a real “good news/bad news” story.  The convenience of managing a single set of credentials comes at a price:  it’s quite conceivable that your visits to different websites could be aggregated and correlated, to build a far more comprehensive (and revealing) picture of your online activity than you might feel comfortable with.  It’s also true to say that not all web sites we visit (and register for) justify the same level of strength in authenticating our identity.  For example:

• Online Banking: There’s so much at stake if your banking credentials become compromised that it’s obvious to all but the hard of thinking that those credentials should never be used elsewhere.  In a previous post, I described how my bank allows me to be warned if I try to re-use internet banking credentials on another site, by providing me with a free copy of Trusteer Rapport.  This protection can be easily extended to other high risk sites.
• Social Media: As I’ve described on these pages before, I use a wide range of social media applications (in the widest sense of the term) to maintain my contact list, collect and collate information and publicise this blog.  Each site requires a separate set of credentials, but increasingly I’m offered the chance to sign in to one application using the credentials from another (very often, either Twitter or Facebook).  This makes use of the Open Authentication (OAuth) protocol.  OAuth allows the user to authenticate with their chosen service to generate a token.  The token can then be used to allow another application to access resources for a given period of time.  So, for example, when configuring Tweetdeck, I authenticate in turn to Twitter, Facebook, LinkedIn and Google Buzz and authorise Tweetdeck to use the OAuth tokens to retrieve data from those applications until I revoke that access.

Single Sign On
This still leaves a wide range on different sites that require a login.  I use a wide range of Cloud Services, including Drop Box (of which, more in a moment), Windows Live Mesh, Mind Meister (for collaborating on mind maps), MobileNoter (for sharing and synchronising Microsoft OneNote) and of course, Google Docs.  These (or at least the data I entrust to them) are important enough to me to warrant good quality credentials and together they make a good case for Single Sign On.  With more than 10 years’ experience in Identity Management projects, I’ve always viewed SSO as primarily a user productivity tool, with some incidental security benefits.  However, I came across a story on Mashable, describing tools for managing web passwords and quickly realised that I could:

• Store all my credentials in a single location;
• Secure them with a single strong password, which never leaves my machine;
• Synchronise that credential store across multiple computers by locating the credential store on Drop Box;
• Use the same, synchronised solution on my iPhone.

So, armed with these requirements and the Mashable product reviews, I eventually settled on 1Password.  As well as a management app, which sits in the system tray, 1Password installs a plug-in for all the modern browsers (I’m using it with IE and Firefox) which detects when you’re completing a registration or login form and prompts you to save the credentials.  Next time you visit the site, just press the 1Password button to login.  Incidentally, the Mashable article mentions that 1Password is primarily a Mac product, with a Windows version in beta.  The Windows version is now in fact available as a paid-for GA product.

Summing Up

So, in conclusion, it’s possible to figure out a strategy to at least simplify sign on and credential management to a wide range of web sites and applications, each with differing needs for strength and protection.  By and large, the tools to do this a available for free and even the commercial components I chose are available for a very modest fee.  All in all, the benefits far outweigh the modest outlay of time and cash.

The Blog-Health-o-Meter™ reads Fresher than ever.

Crunchy numbers

A Boeing 747-400 passenger jet can hold 416 passengers. This blog was viewed about 3,000 times in 2010. That’s about 7 full 747s.

In 2010, there were 23 new posts, growing the total archive of this blog to 37 posts. There were 75 pictures uploaded, taking up a total of 9mb. That’s about 1 pictures per week.

The busiest day of the year was April 7th with 32 views. The most popular post that day was OneNote in the Cloud.

Where did they come from?

The top referring sites in 2010 were 74.125.155.132, mobilenoter.com, ifreestores.com, iheartonenote.com, and stumbleupon.com.

Some visitors came searching, mostly for onenote iphone, iam governance, one note iphone, motorola5200, and mobilenoter.

Attractions in 2010

These are the posts and pages that got the most views in 2010.

OneNote in the Cloud September 2009
12 comments

OneNote, iPhone and Wi-Fi January 2010
8 comments

Send Back Pictures to OneNote January 2010

1st Impressions – IBM and IAM Governance August 2009
1 comment

OneNote to go … September 2009
2 comments

I know it won’t be easy, but it might be fun and it will be inspiring.  Therefore I’m promising to make use of The DailyPost, and the community of other bloggers with similar goals, to keep me going, including asking for help when I need it and encouraging others when I can.

If you already read my blog, I hope you’ll encourage me with comments and likes, and good will along the way.

Wishing you a peaceful and prosperous New Year,

Tom Mellor

This time last year, we were cruising the Caribbean, on our way to the Panama Canal.

This year, looking out the window of V1951 Towers, I can see the Christmas lights in the trees reflecting on the snow.It’s been another frenetic and eventful year, with business making an unexpected but thus far fruitful change of direction.

We’re taking just a short break over the holiday period and we’ll be back in the office (and back on WordPress) from Wednesday December 29th, but in the meantime, we’d like to wish all our friends and colleagues

Best Wishes for the Holidays

and a

Happy and Prosperous New Year

We look forward to chatting with you again in 2011.

Kind Regards,

Tom and Hilary

A few weeks back the BCS Information Systems Security Group held their AGM at IBM Bedfont and a number of IBMers including myself presented during the course of the day.  My topic was “Maintaining Security Governance in the Cloud”.

Follow @Vintage1951@Vintage1951
Tom Mellor

Maintaining Security Governance in the Cloud. Presentation to the BCS ISSG http://bit.ly/dBA9vB

November 1, 2010 11:33 pm via TweetDeckReplyRetweetFavorite

My central theme was that cloud computing offers the prospect of delivering IT capacity that dynamically flexes to meet changing business requirements.However, this flexibility and cost-effectiveness comes at a price.There is a substantial risk that sensitive information will leak out of the business, and the lack of transparency of the provider’s security processes make it essential that the business’s security governance processes are adapted to reflect these new risks.

Burton Group (recently acquired by Gartner, Inc.), Cloud Computing Security in the Enterprise, Dan Blum, July 15, 2009

So, faced with a new set of risks and preparing to trade control over IT systems (and their security) for the benefits of the SPI model of cloud services, never has it been so vital for the business to take good advice from  security Subject Matter Experts on the increased governance processes needed to protect the business data and (more importantly) its reputation.   Studies and surveys regularly report that 75% or more of businesses view security as the biggest single inhibitor to moving their IT operations into the Cloud.  This suggests that those businesses understand – at least intuitively – that traditional controls are built on physical access to the technology stack and that Cloud deployment models mean that control is passed to the Cloud Provider.  Nevertheless, a recent study conducted by Ponemon Institute for Symantec (“Flying Blind in the Cloud.  The State of Information Governance“) suggests that businesses are prepared to enter into contracts with Cloud Service Providers, without engaging their IT security team to advise them:

• 65% select a CSP based on market reputation (word of mouth) while only 18% utilise their in-house security team to carry out an assessment
• 80% admit that their in-house security team is rarely or never involved in the selection of s CSP
• 49% are not confident that their organisation knows all the cloud services that are deployed.

In fact, businesses need to enlist the specialist knowledge of their security SMEs to help with the selection of a CSP and the negotiation of contracts.  The Cloud Security Alliance suggests in “Security Guidance for Critical Areas of Focus in  Cloud Computing V2.1″ that,  together, they need to: