The congress was held Sept 19-22 at the Orange Country Convention Center in Orlando. This was (ISC)²’s first annual Security Congress, hopefully not the last! It was co-located with the ASIS International’s 57^th annual seminar and exhibits, a move that recognizes the convergence of physical and information security.

After attending this congress, I realized how big the physical security world is. To give you the numbers, there were 280 attendees from (ISC)² versus 20,000 from ASIS, and enough exhibitors for this crowd to visit: 700.

There were 3 hour-long educational sessions per day, with about 25 topics to choose from for each session.

What were they talking about?

The 3 topics that was heard and discussed and debated on in almost every session (among the 10 or so (ISC)² sessions that I attended) were:

1. Cloud Security
2. Mobile Device Security
3. Social Media

The trend and the focus for the information security industry in the next couple of years will be on addressing the above 3 topics with policies, regulations, products, and services. Below I’ll expand a little bit on why each area is attractive, and what are the security risks. 

1. Cloud Security

Why cloud? - Flexibility and scalability, cost savings, availability and disaster recovery

Threats? - Data loss/leakage, abuse of cloud, account/service hijacking, shared technology

What to do? - Like any other technology, cloud has risks associated with its benefits. All the classic principals of information security should be applied to it, having it in mind from the design/architecture phase. Have an incident response plan. Consider private/community/public/hybrid cloud options. 

2. Mobile Device Security

Why mobile devices? - Business rewards (response time, availability, flexibility), employee experience (ubiquitous mobile devices, employee owned), executive adoption

Threats? - Data loss/leakage, employee privacy concerns, compromise of corporate network from mobile device

What to do? - Look into device ownership (= liability) issues, have a corporate and a personal mobile device use policy, provide training to go along with that policy, harden mobile devices 

3. Social Media

Why social media? - It’s ubiquitous and unavoidable, it is the basis for Web 2.0, it has great potential to be used as a marketing and customer communication tool for the enterprise

Threats? - Faster spread of malware through the ‘trust’ factor, phishing attacks, worms, shortened URL’s, Evil Twin attack, session hijacking, identity theft, all leading to information leak and corporate liability issues

What to do? - Social media use policy (AUP), education and awareness, use of content filtering and DLP products to control traffic to and from social media sites

Some interesting notes:

• Security is not about security, it’s about risk management
• What is the perimeter of your network? It’s the end user!
• A smartphone on your network should not be treated ANY differently from any other computer on your network
• 1 out of 5 tweets names a product brand
• Facebook mobile users are 50% more active than other users of the site
• Sources of social media risk include: clients, employees, vendors, competitors, activists, and cyber criminals

Some interesting links:

• Cloud Security Alliance
• British Computer Society - Five Ways to Stay Safe with Social Networks
• Mobile Active Defense
• Trend Micro 2Q 2011 Threat Roundup

Some interesting speakers:

• Jeb Bush, Former Governor of Florida
• Vicente Fox, former president of Mexico
• Burt Rutan, designer of SpaceShipOne
• Janet Napolitano, US DHS Secretary
• Winn Schwartau, celebrity and power thinker on security/privacy/infowar/cyber-terrorism
• Charlie Blanchard, Manager of Security & Privacy Services, Deloitte & Touche LLP
• Simon Hunt, VP and CTO, Endpoint Security, McAfee
• Shayne Bates, Director Security Cloud Strategy, Microsoft Global Security
• James Hewitt, Director of Security Governance, CGI Federal

Vahid A.

I’ve been asked numerous times over the past few months on whether or not clients should be using the cloud.  The original “cloud” providers were web hosting organizations.  These providers provided redundant internet paths, redundant hardware, networking infrastructure, power, cooling and all the bells and whistles now touted by some of the larger cloud vendors.  They simply “rented” space on their physical hardware for a low monthly price.  Many customers chose to host their web content on external providers assuming that a dedicated provider would be able to patch and maintain a web server much more efficiently than their own staff.  While true, much of the web content hosted 10 years ago was static content, contained really no sensitive data and was accessed by relatively few individuals.

Fast forward to 2011 and the explosion of on demand services, hardware, virtual-desktops, hosted Microsoft Sharepoint & Exchange, hosted apps like SalesForce give organizations a choice between in-house or in-the-cloud.  These dynamic applications rely upon a tremendous amount of information being stored and hence the security concern.  We all understand that security is a trade-off between risk and cost.  The more money you spend on security should buy us additional security, but at a certain point the risk / reward just doesn’t make sense.  We should take the same approach to the cloud.  Many clients today are conducting SoS (Statements of Sensitivity) on applications.  Depending on the level of risk an organization is willing to undertake with specific applications may make them perfect candidates for the cloud.  For example, an e-commerce site with a limited number of products and a hosted payment page may be a perfect candidate to try out the cloud.  By completing a statement of sensitivity it may become clear that there isn’t a tremendous amount of risk or exposed data.  Why not use this as your cloud trial?

In 2010 Tiffany Bova from Gartner hosted a session and described the cloud as simply a different method of service delivery – perhaps we should think of the cloud as we did with virtualization six or seven years ago, start with some light weight, low resource intensive applications that aren’t mission critical to get comfortable with the cloud infrastructure.  Who knows?  You just might like it – just don’t wait 3 days to call it back.

Eugene N.

This post deals primarily with the concept of 'public cloud'. If you have questions or comments regarding this subject, or would like to talk to someone regarding the distinction between public, private, and hybrid cloud, please leave a comment or contact us via our contact page.

Today, there is a growing trend worldwide amongst private and public organizations to move towards having an open non-private data ideology. Reason being there is a growing need to facilitate access to non-private data for citizens and employees. This is as a result of the Information Age and its predominance in today’s society. The issue this raises is what kind of impact would routine publishing of non-private data have on an organization’s infrastructure? It is evident that cloud computing can be a clever and cost effective means to achieve this end.

Organizations have begun to create what is referred to as an “open data catalogue” hosted in the cloud as this was the most time efficient manner to make non-private data easily accessible to those individuals this information was meant for. This also allowed for minimal infrastructure changes, flexibility, convenience and at a low cost. It has proven to be a great way for organizations to be transparent to their employees and drive interest from the public. It has also been fundamental in fostering a feeling of empowerment to employees as they feel more involved in the shaping of the organization they are a part of.

Moving forward organizations are looking to develop a process for establishing standard operations for the addition and maintenance of data sets in the catalogue in order to create an open data infrastructure.  It is imperative that employees and citizens have a good understanding of the benefits and value in making this type of information available. Transparency is key to building and fostering trust. It will help to generate employee interest in being more involved and excited about where they work resulting in strengthened unity. Unity within any organization is of paramount importance to its long run health and viability.

Chris Medina

Do you have an open date catalogue project on your radar? What are the challenges and obstacles you foresee in the future?

Recently, I took a few minutes using the Wayback Machine to look at how our website has evolved over the past decade. It was a very interesting exercise because it revealed a few things about our corporate culture and emphasized some dramatic shifts in the way we develop and use websites today.

A few things to consider when looking at the pictures (above):

Read the rest of this post »