Back around 2005, DLP was the buzz term du jour within the information security industry. DLP was designed to find sensitive data and make sure that this data wasn't accidentally or maliciously misused. The most common DLP implementation was as a network gateway for filtering Layer 7 content. When a DLP device spotted credit card numbers in an outbound e-mail, it simply blocked the transmission, thus preventing a data breach.
Back then, DLP was the proverbial low-hanging fruit for security protection so lots of firms were ready to buy. This prompted VCs to fund companies like PortAuthority, Reconnex, Tablus, Vericept and Vontu to compete in this burgeoning space.
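To make the "spot a card number and block the mail" behaviour concrete, here is an added example of the Layer 7 content check a gateway of that era performed. It is not code from the original post or from any DLP vendor; the sample messages are constructed, and the regex-plus-Luhn rule is an assumption about how such a filter is typically built. The point it shows beyond the paragraph is why a bare regex is not enough: phone numbers and order IDs look like card numbers, so the filter validates the Luhn mod-10 checksum before blocking.

```python
"""Toy DLP content filter: block outbound mail carrying payment card numbers.

Added example, not from the original post. The messages below are
constructed sample inputs; the regex + Luhn check stands in for the
Layer 7 content inspection a DLP gateway runs on outbound e-mail.
"""
import re
from typing import Dict, List

# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes,
# not embedded inside a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return normalised card numbers in text that also pass the Luhn check.

    The regex alone matches phone numbers, order IDs and tracking numbers;
    requiring a valid checksum removes most of that noise.
    """
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only BIN and last four so the alert itself does not leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def dlp_decision(message: Dict[str, str]) -> Dict[str, object]:
    """Block a message if its body carries at least one valid card number."""
    found = find_card_numbers(message["body"])
    return {
        "to": message["to"],
        "action": "block" if found else "allow",
        "matches": [mask(d) for d in found],
    }


# Constructed sample messages (no real data). 4111111111111111 and
# 5500000000000004 are the well-known test PANs; 4111111111111112 fails Luhn.
MESSAGES = [
    {"to": "partner@example.net",
     "body": "Card on file: 4111 1111 1111 1111, exp 12/12"},
    {"to": "bob@example.org",
     "body": "Call me at 617-555-0100 re order 1234567890123"},
    {"to": "eve@example.com",
     "body": "pan=5500-0000-0000-0004 typo=4111111111111112"},
]


def run(messages=MESSAGES) -> List[Dict[str, object]]:
    """Apply the filter to every message and return the decisions."""
    return [dlp_decision(m) for m in messages]


if __name__ == "__main__":
    for decision in run():
        print(decision)
```

The second message is the interesting one: a 13-digit order number slips past the regex but fails the checksum, so the mail is allowed rather than generating a false positive. Real gateways layer further context on top of this (keyword proximity, document fingerprints, sender/recipient policy), but the checksum gate is the first thing that separates a usable DLP rule from a noisy one.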
Fast forward to 2010 and DLP has a bit of an identity crisis. Why? DLP was once a tactical point tool for blocking content on the network. Now however, DLP has evolved into:
With these features, DLP is slowly morphing from a security policy enforcement point to a more holistic technology for data governance. In other words, this is an enterprise domain (i.e., consulting, distributed architecture, central command-and-control, etc.), not a tactical security domain. As such, the term DLP minimizes the technology value and no longer accurately describes what the technology does.
I know Gartner is often the default analyst firm for naming IT technologies but since nothing new is coming out of Stamford, let the people decide. I am partial to the term Enterprise Data Governance (EDG) myself–anyone have another suggestion?
Tags: Data loss prevention, DLP, EMC, McAfee, PortAuthority, Reconnex, Symantec, Tablus, Vericept, Vontu, Websense
Have you heard of the Technology CEO Council? Neither had I until recently. The council is made up of a strange mix of tech CEOs from organizations including Applied Materials, , , IBM, Intel, Micron, and Motorola. Why this group and not Adobe, Cisco, HP, Juniper Networks, Microsoft, Oracle, and Symantec? Beats me.
Anyway, the group published a paper in early October called, “One Trillion Reasons: How Commercial Best Practices to Maximize Productivity Can Save Taxpayer Money and Enhance Government Services.” The paper stresses the need to reduce federal spending and suggests some IT initiatives in support of this objective. The initiatives include:
The paper is available at www.techceocouncil.org.
I agree with the spirit of this paper as there are plenty of ways to use IT costs savings to reduce overall federal spending. That said, the paper is pretty weak and self-serving. Specifically:
The CEOs also need to remember that their own internal IT organizations are far different than those in the federal government. When EMC executives mandate a massive VMware project, all of IT jumps into formation. It doesn’t work that way in the public sector.
There were certainly some good points in the paper, but overall it is really a marketing piece put out by a lobbying organization. In my humble opinion, there is some irony in this paper and organization–while the Technology CEO Council puts out a paper about how the federal government can save money on IT, companies like Dell, EMC, IBM, and Intel are happily wasting dough on a half-baked lobbying/PR organization. Funny world.
Tags: Applied Materials, CIA, Cloud Computing, data center consolidation, Dell, DHS, DISA, EMC, Federal Enterprise Architecture, FedRAMP, FISMA, IBM, Intel, Clinger-Cohen Act, Micron, Motorola, NASA, Technology CEO Council, Vivek Kundra
The international horse show wasn’t the only event in Washington DC this week; I participated in the Virtualization, Cloud, and Green Computing event in our nation’s capital. One of the guest speakers was Ira “Gus” Hunt, CTO at the CIA. If you haven’t seen Gus speak, you are missing something. He is very strong on the technical side and extremely energetic and entertaining.
Gus focused on cloud computing activities at the CIA (I’ll blog about this soon), but I was intrigued by one of his slide bullets that referred to something he called the “encrypted enterprise.” From the CIA’s perspective, all data is sensitive whether it resides on an enterprise disk system, lives in a database column, crosses an Ethernet switch, or gets backed up on a USB drive. Because of this, Hunt wants to create an “encrypted enterprise” where data is encrypted at all layers of the technology stack.
The CIA is ahead here, but ESG hears a similar goal from lots of other highly regulated firms. When will this happen? Unfortunately, it may take a few years to weave this together as there are several hurdles to overcome including:
A lot of the technical limitations are being worked on at this point, so the biggest impediment may be based upon people and not technology. We simply don’t have a lot of experience here, so we need to proceed with research, thought, and caution. To get to Gus Hunt’s vision of the “encrypted enterprise,” we need things like reference architectures, best practices, and maturity models as soon as possible. Look for service providers like CSC, HP, IBM, and SAIC to offer “encrypted enterprise” services within the next 24 months.
Tags: CIA, CSC, EFS, EMC, Emulex, Encrypted enterprise, Gus Hunt, HP, IBM, KMIP, Microsoft, Oracle, PGP, RSA, SAIC, Symantec
My colleague Mark Bowker and I are at a Virtualization, Cloud Computing, and Green IT conference in Washington DC this week. In one of the panels we hosted, an IT executive from a cabinet-level agency mentioned that the agency was qualifying Microsoft Hyper-V even though it already has an enterprise license in place with VMware. When asked why the agency was doing this, he responded, “we are a Windows shop and have a great relationship with Microsoft. VMware has been great but we simply believe that the world is moving to heterogeneous virtualization platforms and we want to be ready for this.”
This IT executive is not alone. In a recent ESG Research study, 55% of the organizations surveyed say that their primary virtualization solution is VMware (VMware Server, ESX, ESXi, etc.). This relationship with VMware doesn't preclude them from using other hypervisors, however. In fact, 34% of survey respondents are using two virtualization solutions and 36% are using three or more. This was a survey of 463 North American-based IT professionals working at organizations with more than 500 employees.
My take-aways are as follows:
Yeah, I know, everyone would like one standard IT solution to meet all their needs. It hasn’t happened in the past and it won’t happen with virtualization either. The sooner that IT professionals and the industry recognize this the better.
Tags: Cisco, Citrix, EMC, Hyper-V, Microsoft, server virtualization, VMware
If you attended VMworld in late August, you know that virtualization security was featured extensively. Ditto for VMworld Europe where VMware CEO Paul Maritz included a few security slides in his keynote presentation. Maritz and VMware get it–virtualization security has been somewhat neglected until recently. If server virtualization is truly to become next-generation cloud infrastructure, security must be integrated throughout the technology.
VMware vShield and partner products are a great start toward bridging this virtualization security gap. Unfortunately, security technology is only part of the problem. ESG recently surveyed 463 large mid-market (i.e., 500-1000 employees) and enterprise (i.e., more than 1000 employees) organizations in North America, to gauge how they were using server virtualization technology. The goal was to understand current use, future plans, successes, and challenges. It turns out that security problems are pretty persistent. For example:
In aggregate, there is a people problem (i.e., security skills), an organizational problem (i.e., project management/cooperation), and a process problem (i.e., no best practices). Yes, these issues do ease over time but it is clear to me that they never go away. At some point, highly-regulated organizations are likely to slow down server virtualization projects to address these security gaps. When this happens, server virtualization/cloud vendors will see sales slow to a crawl.
VMware is a technology company so it is doing what comes naturally–addressing security holes with new products and industry relationships. Nevertheless, VMware needs additional help from standards bodies, IT and security professional organizations, and professional services firms. The ESG research clearly illustrates that server virtualization is a paradigm-shifting technology that changes IT organizations and processes. The real revolutionary potential of server virtualization won't be realized until IT organization and process changes become as pervasive as hypervisors.
Tags: Cisco, cyber security, EMC, ESG Research, IT security, Paul Maritz, RSA Security, Trend Micro, VMware, vShield
If you watched any football games yesterday, you are well aware of the fact that October is National Breast Cancer Awareness Month. Kudos to the NFL for bringing national attention to this deadly disease and donating money to find a cure.
You are probably unaware, however, that October is also National Cybersecurity Awareness Month.
Over the course of the last year, we’ve witnessed visible cyber attacks on Google in January. We’ve seen the activation of the U.S. Cyber Command at Ft. Meade. At my last count, there were ten different bills in Congress related to cybersecurity, including, “The Protecting Cyberspace as a National Asset Act,” a comprehensive piece of legislation coming out of the Senate’s Homeland Security and Government Affairs Committee. Former “cyber czar” Richard Clarke published a new book titled, “Cyberwar.” Finally, we’ve recently witnessed the Stuxnet worm, a cyber weapon attacking the Iranian nuclear infrastructure.
I am providing this brief history to highlight a problem–if you aren’t a Washington cybersecurity insider, you would never know it is National Cybersecurity Awareness Month. Ironic? Yes, but also sad.
Now, I know it is early in the month and there is lots of further activity planned. I am also aware of the fantastic work driven by the National Cyber Security Alliance, an industry group spearheading the National Cybersecurity Awareness Month (www.staysafeonline.org). President Obama will step up and talk about cybersecurity and the indefatigable Howard Schmidt will be as vocal and visible as possible throughout October.
These folks deserve a lot of credit, but somehow the IT and security industries continue to offer lip-service support for National Cybersecurity Awareness Month through their Federal offices alone. I did a quick website scan of leading IT and security companies this morning: only RSA Security mentioned National Cybersecurity Awareness Month on its website (Note: The acting NCSA President works at EMC/RSA).
My point here is that National Cybersecurity Awareness Month isn’t making enough people aware of cybersecurity vulnerabilities, education, or government initiatives. Why? It doesn’t appear to me like the industry really cares. Oh sure, there is a bit of token money to appease their clients in Washington, but where is the national spotlight? Beats me.
I was on this soap box last year and will continue to be until I’m proven wrong. I probably have 20 meetings scheduled with security industry insiders in October and I’ll ask each and every one of them if they know what month it is. My guess is that they will say National Breast Cancer Awareness Month.
Tags: EMC, Google, Howard Schmidt, National Cybersecurity Awareness Month, NCSA, President Obama, Richard Clarke, RSA, Stuxnet Worm, U.S. Cyber Command
An industry friend just sent me a story from the Wall Street Journal proclaiming that security management leader ArcSight will be acquired within the next week. The story goes on to say that the likely buyers include Oracle, HP, , IBM, and CA.
Hmm. First of all, anyone familiar with ArcSight was sure this was coming. The company is a leader in a growing market segment, has a great Federal business, and is one of few real enterprise players. It is interesting to me that the Wall Street Journal is spreading rumors but that’s another story.
Let me weigh in by handicapping the field:
Given the Intel deal, McAfee is likely out of the running. I’ve heard through the grapevine that McAfee made several attempts at ArcSight but the price tag was just too big. Symantec, like IBM and CA, has also developed security management products that haven’t taken off in the market. If Enrique Salem is up for another big acquisition, ArcSight would be a great fit.
Finally, wherever ArcSight ends up, there are plenty of other innovative security management companies that may quickly follow. Feisty Q1 Labs would be a natural for Juniper. Brainy Nitro Security could be a fit for Cisco or CA. LogRhythm could be a good addition for HP, Check Point, Websense, etc.
ArcSight deserves what it gets, as it really guided the security management market. Its fate will greatly influence the enterprise security market moving forward.
Tags: ArcSight, CA, EMC, HP, IBM, Juniper Networks, LogRhythm, McAfee, Nitro Security, Oracle, Q1 Labs, Symantec, Wall Street Journal, WSJ
While it may seem like cybersecurity issues have taken a back seat in Washington, there is actually a lot of work happening on Capitol Hill. Senate majority leader Harry Reid (D, NV), is pushing all Senate committees with any type of cybersecurity or industry oversight to get on their legislative horses and address the existing mess.
To that end, Senator Joseph Lieberman (I, CT) is working with colleagues Susan Collins (R, ME) and Thomas Carper (D, DE) on a fairly comprehensive cybersecurity bill called the Protecting Cyberspace as a National Asset Act. The bill seeks to revamp the paper-centric Federal Information Security Management Act (FISMA) of 2002, centralize cybersecurity management in DHS, and establish a more proactive public/private partnership for cybersecurity risk management.
The essence of the bill is certainly welcome. We need to address cybersecurity issues ASAP like President Obama promised he would do more than a year ago. Unfortunately, the Lieberman bill has a few significant flaws, in my opinion. One major problem is with the bill’s link to federal procurement. The Lieberman bill seeks to legislate security in federal IT spending by “creating a system that requires acquisition officers in the federal government to have the knowledge that they need about the vulnerabilities in products.” This in itself is a good idea but:
I don’t claim to be an expert on the Lieberman bill but it seems to me that we are falling into the old Washington scapegoat mentality of looking for a villain (i.e., the IT industry). Don’t get me wrong, lots of vendors should be called to task for unacceptable security practices but these provisions seem overly simple or impossible to enforce to me.
While the Feds figure out the next act in the cybersecurity play, it is really up to the IT industry to step up and establish its own security best practices and self-certification methodology. Strong examples already exist from vendors like , HP, IBM, and Oracle. While some folks will certainly flame me for saying so, Microsoft’s SDL is also a model for the rest of the industry.
Legislators are caught between a rock and a hard place. They have to do something but these are uncharted and highly technical waters. This being the case, the IT industry has to do a better job of stepping in and demonstrating leadership. If this doesn’t happen, the U.S. IT industry will face difficult, costly, and confusing legislation that could impact financial results for years to come.
Tags: Cybersecurity, EMC, FISMA, HP, IBM, Microsoft, Oracle, Senator Joseph Lieberman
Yesterday, I hosted a panel at the Cloud Computing summit focused on cloud security for the federal government. The panel was made up of some smart folks: Alex Hart from VMware, Bob Wambach from , and one of the primary authors of the Cloud Security Alliance guidelines, Chris Hoff from Cisco.
While these folks offered great contributions, most questions were focused on the fourth member of the panel, Peter Mell from NIST, the chair of the Federal Cloud Computing Advisory Council. Why? Let’s just say that Mell may be the single individual most focused on cloud security in the world. He has been tasked with defining cloud computing standards for the entire federal government–a big responsibility since President Obama and Federal CIO Vivek Kundra continue to trumpet the benefits of cloud computing and push federal agencies to adopt pilot projects.
Mell’s work will soon come to fruition when the feds introduce the Federal Risk and Authorization Management Pilot program (FedRAMP). FedRAMP has two primary goals:
Since FedRAMP is still a work in progress, the audience made up of federal IT people had a lot of questions about all of the fine points. Thus Mell was in the hot seat for most of the time.
Peter Mell deserves a lot of credit. Federal agencies have often acted independently with regard to IT, so Mell and his team are herding cats.
If FedRAMP works, cloud service providers can deliver to a single set of standards. This will encourage innovation and bolster competition. On the agency side, FedRAMP could pave the way for a wave of cloud computing consumption over the next few years. What happens if FedRAMP fails? The federal government becomes difficult to service, so most cloud service providers treat it as a market niche. If that happens, the federal government could lose its cloud computing leadership and momentum very, very quickly.
Tags: Cisco Systems, EMC, FedRAMP, NIST, Peter Mell, President Obama, Vivek Kundra, VMware
It's pouring in San Francisco, but ironically, the RSA Conference is already pointed toward clouds–in this case, cloud computing security.
There were two announcements yesterday around securing private clouds. New initiative king Cisco announced its “Secure Borderless Network Architecture,” which is actually pretty interesting. Cisco wants to unite applications and mobile devices through an “always-on” VPN. In other words, Cisco software will enforce security policies for mobile devices regarding which applications they can use and when–without user intervention. Pretty cool, but you would need a whole bunch of new Cisco stuff to make this happen.
On another front, industry big-wigs EMC, Intel, and VMware are pushing for a “hardware root of trust” for cloud computing. The goal here is to create technology that lets cloud providers share system state, event, and configuration data with customers in real time. In this way, customers can integrate cloud security with their own security operations processes and management. This is extremely important for regulatory compliance. (Note: Another reason why EMC/RSA bought Archer Technologies).
These interesting announcements probably presage a 2010 RSA Conference trend: "all cloud all of the time." Since ESG Research indicates that only 12% of midsized (i.e., 100 to 999 employees) and enterprise (i.e., more than 1,000 employees) organizations will prioritize cloud spending in 2010, all of this cloud yackety yack may be a bit over the top.
Two other announcements worth noting here:
See you at the show!
Tags: Cisco Systems, Cloud Computing, Cloud Computing Alliance, EMC, F5 Networks, Federal Government, Infoblox, Intel, VMware