Capgemini recently released a report, “The Deciding Factor: Big Data & Decision making,” which states that:

“nine out of ten business leaders believe data is now the fourth factor of production, as fundamental to business as land, labor and capital.”

Furthermore,

“Two-thirds of executives consider their organizations are ‘data-driven’, reporting that data collection and analysis underpins their firm’s business strategy and day-to-day decision-making.”

According to Gartner Inc.,

“Business executives and IT managers are increasingly referring to information as one of their organization’s most critical and strategic corporate assets. Certainly there is a sharp rise in enterprises leveraging information as a performance fuel, competitive weaponry and a relationship adhesive.”

This all begs the question, “If this data is so important to enterprises, what are they doing to really secure it?”

CNET reported today on a congressional committee wants to know whether Huawei, a telecommunications powerhouse is a national security threat.

Huawei is much larger than I realized:

Huawei is the second largest telecommunications equipment maker in the world, behind only Sweden’s Ericsson. It generated $32 billion in revenue last year, selling its networking technology to such global giants as Vodafone, Bell Canada and Telekom Malaysia, though only smaller U.S. carriers Leap and Clearwire use the company’s gear. Huawei’s heft has allowed it to pour resources into adjacent markets, such as mobile handset development and data center technology that’s already paying off with new customers and billions more in revenue. …

And Huawei is a patent machine, with about 50,000 patents filed worldwide. Though accused years ago of pilfering the innovations of Cisco and others, Huawei gets credit these days for breakthroughs in complex technologies such as radio access networking that lets mobile carriers support multiple communications standards on a single network. It also pioneered the dongles that consumers slip into laptops to wirelessly connect to the Web.

Because of their size, power and national origin, some are very worried:

The broader concern, though, is of a dangerous marriage of Huawei’s capability — it wants to build a massive swath of the telecommunications network, from routers and switches to the phones consumers use — with the Chinese government’s motive and intent. A report last year from the Office of the National Counterintelligence Executive found that the Chinese are the “world’s most active and persistent perpetrators of economic espionage.” The committee wants to thwart the possibility Chinese cyberattacks in the United States over Huawei’s technology before the company, which has only a modest U.S. presence, grows into a powerhouse here. …

Hawks in the federal government remain unconvinced that his company is merely a financial success story. They worry that Huawei, whose technology provides infrastructure to communications networks, is a tool of the Chinese government, potentially enabling it to snoop on critical corporate and government data through digital backdoors that Huawei has the ability to install.

I don’t know the answers here, but this is certainly food for thought.

One of the high-value benefits of an integrated Identity and Access Management platform is the ability to leverage a unified corporate directory as the primary authentication source for database access.

On July 11, 2012 at 08:00 am PDT, Oracle will host a webcast showing how Enterprise User Security (EUS) can be used to externalize and centrally manage database users in a directory server. The webcast will briefly introduce EUS, followed by a detailed discussion about the various directory options that are supported, including integration with Microsoft Active Directory. We’ll conclude with how to avoid common pitfalls deploying EUS with directory services.

Discussion topics will include:

• Understanding EUS basics
• Understanding EUS and directory integration options
• Avoiding common EUS deployment mistakes

Make sure to register and mark this date on your calendar! – Click here to register.

April 15th marked the 100th anniverasary of the sinking of the RMS Titanic – by any measure a catastrophe of epic proportions. As we think about lessons collectively learned from this event, may I suggest a nugget worth remembering that has little to do with sinking ships, but a lot to do with the enterprise we serve today?

According to a recent ABC article:

… the Titanic was fully compliant with all marine laws. The British Board of Trade required all vessels above 10,000 tonnes to carry sixteen lifeboats. The White Star Line ensured that the Titanic exceeded the requirements by four boats.

But we all know that twenty lifeboats were not nearly enough for this ship.  The article continues:

But the ship was 46,328 tonnes. The Board of Trade hadn’t updated its regulations for nearly 20 years. … The lifeboat regulations were written for a different era and enforced unthinkingly.

“Enforced unthinkingly.”  Therein lies our little lesson.

In discipline of information security, we may be tempted to think that “compliant” means secure.  But we must not accept that at face value.  We must really understand what regulations mean and how they apply to our enterprises.  PCI DSS or HIPAA compliance may go part way, but do they really go far enough to protect our vital information that is the lifeblood of our businesses?

Let’s make sure we have adequate “lifeboats” and not rely completely on those who write regulations to protect our businesses.

Recently, Jack Crail and I gave a joint presentation at the SecurePhoenix event sponsored by (ICS)2, the folks who oversee the CISSP certification.

Our presentation was based on a whitepaper entitled “The Business Justification for Data Security,” published by Securosis, which outlined a five step process for evaluating data security investments, mapping the potential investment to business needs and building a business justification case.

More to come as I explore some of these topics …

Technorati Tags: Information Security, Business Justification

This should be an timely and relevant webcast for those of us involved with information security: “Key Fraud and Security Considerations for Confidence in the Cloud.” It will be held Tuesday, January 17, 2012 at 10 a.m. PST.

This executive panel webcast will explore how leading IT organizations are moving to the cloud with confidence. The following items will be addressed:

• Maintain control of your data across multiple on-premise and cloud environments
• Evaluate cloud providers to meet your specific requirements for security and risk management
• Apply authentication and identity management solutions and expertise from the online banking industry for improved protection and fraud mitigation

The Oracle outward-facing website is a virtual cornucopia of valuable information.  Unfortunately, I often just stumble onto valuable gems of knowledge instead of discovering them in an organized fashion.  Today was such a case.  Quite by accident, I found an excellent overview of Information Security issues in “Information Security, A Conceptual Architectural Approach.”  It provides, in an easy-reading 25 pages, a good overview of information security principles and approaches to addressing them.

This document referenced a larger treatise, the Oracle Reference Architecture – Security, which dives more deeply into information security issues and solutions.  In about 130 pages, this reference architecture document provides an excellent treatment of the basic principles of information security and recommended approaches to mitigate security risk.  The introduction aptly states:

Information is the lifeblood of every organization. If this Information is compromised there can be a wide range of consequences ranging from damage to a company’s reputation through to financial penalties such as regulatory fines and cost of remediation. …

Information Security is a strategic approach that should be based on a solid, holistic framework encompassing all of an organization’s Information Security requirements, not just those of individual projects. …

By taking this approach to Information Security, organizations can ensure that the components of their Information security architecture address all business critical Information and are driven by the requirements of the business.

The document is organized as follows:

1. Introduction to Information Security
2. Security Concepts and Capabilities
3. Common Security Standards
4. Conceptual Architecture View
5. Logical View
6. Product Mapping View
7. Deployment View
8. Summary

This afternoon, I received word that Veriphyr, a provider of SaaS Identity and Access Intelligence services, announced the results of new survey on Protected Health Information (PHI) privacy breaches. According to the report,

More than 70 percent of the organizations in the study have suffered one or more breaches of PHI within the last 12 months. …

Insiders were responsible for the majority of breaches, with 35 percent snooping into medical records of fellow employees and 27 percent accessing records of friends and relatives.

Some interesting statistics:

Top breaches in the past 12 months by type:

• Snooping into medical records of fellow employees (35%)
• Snooping into records of friends and relatives (27%)
• Loss /theft of physical records (25%)
• Loss/theft of equipment holding PHI (20%)

When a breach occurred, it was detected in:

• One to three days (30%)
• One week (12%)
• Two to four weeks (17%)

Once a breach was detected, it was resolved in:

• One to three days (16%)
• One week (18%)
• Two to Four weeks (25%)

79% of respondents were “somewhat concerned” or “very concerned” that their existing controls do not enable timely detection of breaches of PHI

52% stated they did not have adequate tools for monitoring inappropriate access to PHI

The report’s conclusion was not surprising:

Respondents who indicated strong satisfaction with their monitoring tools also tended to report fewer breaches of PHI and faster resolution times. The reverse is also true: respondents who indicated dissatisfaction with their monitoring tools tended to report more breaches and longer resolution times.

If you are going to invest in security to keep the bad guys out, please take the sage Pearls Before Swine advice and “Change the Top Secret Security Code” to something a bit less obvious than “Password.”

Last week, I reported that the US Department of Defense had released a highly-anticipated document, entitled, “Department of Defense Strategy for Operating in Cyberspace.”  Here is a bit of an overview of the document.

The high degree of the Department of Defence’s dependence on cyberspace is abundantly evident:

Along with the rest of the U. S. government, the Department of Defense (DoD) depends on cyberspace to function. It is difficult to overstate this reliance; DoD operates over 15,000 networks and seven million computing devices across hundreds of installations in dozens of countries around the globe. DoD uses cyberspace to enable its military, intelligence, and business operations, including the movement of personnel and material and the command and control of the full spectrum of military operations.

In speaking of the risks the DoD faces in this area, the report states:

Potential U. S. adversaries may seek to exploit, disrupt, deny, and degrade the networks and systems that DoD depends on for its operations. DoD is particularly concerned with three areas of potential adversarial activity: theft or exploitation of data; disruption or denial of access or service that affects the availability of networks, information, or network-enabled resources; and destructive action including corruption, manipulation, or direct activity that threatens to destroy or degrade networks or connected systems.

In response to these concerns, the DoD has outlined five strategic initiatives:

• Strategic Initiative 1: Treat cyberspace as an operational domain to organize, train, and equip so that DoD can take full advantage of cyberspace’s potential
• Strategic Initiative 2: Employ new defense operating concepts to protect DoD networks and systems
• Strategic Initiative 3: Partner with other U. S. government departments and agencies and the private sector to enable a whole-of-government cybersecurity strategy
• Strategic Initiative 4: Build robust relationships with U. S. allies and international partners to strengthen collective cybersecurity
• Strategic Initiative 5: Leverage the nation’s ingenuity through an exceptional cyber workforce and rapid technological innovation