The Security Beard<br />
<i>A great source for information security and compliance related news for the IT executive and security technician.</i><br />
<br />
<b>Prioritizing Security When Selecting A Video Conferencing Solution...</b> (2020-04-10)<br />
<i>Originally posted at the EMA blog site. You can find it <a href="http://blog.enterprisemanagement.com/prioritizing-security-when-selecting-a-video-conferencing-solution" target="_blank">here</a>.</i><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBQhRmWlTWD01BmiNYp6MMohoGQup73BTvKDfuw1k8kd1A_xAWoWnWZEgiaavYrqR2dvWzrOL9WUAe3263Mu4QyeNzs5IBFZkRaNEgI6CN3w-hBUzC1Xa3hrScy4f3fYsAzieX_N37h-HG/s1600/SecureVideoConferencing.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="653" data-original-width="960" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBQhRmWlTWD01BmiNYp6MMohoGQup73BTvKDfuw1k8kd1A_xAWoWnWZEgiaavYrqR2dvWzrOL9WUAe3263Mu4QyeNzs5IBFZkRaNEgI6CN3w-hBUzC1Xa3hrScy4f3fYsAzieX_N37h-HG/s320/SecureVideoConferencing.jpg" width="320" /></a></div>
Before the recent COVID-19 pandemic, most companies looked at unified communications and collaboration (UC&C) solutions as a “nice to have” technology, often used by sales and marketing teams as part of their process and certainly not a critical part of the business infrastructure. With Work From Home (WFH) becoming the mandated norm, businesses have come to look at their UC&C solution as a mission critical tool, allowing managers and leaders to communicate with their employees, and allowing employees to conduct some semblance of normal business.<br />
<br />
All things being equal, businesses would do well to use or augment their existing infrastructure for video conferencing. Those licenses have likely been purchased, and it makes sense to continue to use products that people are already trained to use.<br />
<br />
<i>But things are not equal.</i><br />
<br />
In the past weeks since the pandemic has spread, and the various states have mandated stay at home orders, there have been plenty of news reports demonstrating that not all of the UC&C solutions are created the same. Which isn’t to say that some of the solutions are “bad”, but I believe it is fair to say that some have differing priorities when it comes to what is most important in their software lifecycle.<br />
<br />
For businesses and enterprises looking for a unified communications and collaboration solution, security should be the foundation on which enterprise and productivity applications are built. For complete transparency – these are the criteria I have personally used in my previous IT and security roles before becoming a security researcher.<br />
<br />
<b>Functionality / Features</b><br />
<br />
This may be the most obviously important factor, but it is also the “table stakes” criteria. The solution needs to be able to connect and host video conferences, without failures, latency, and delays (this was a significant problem for many, if not most, of the providers immediately after the WFH and virtual classes began). Call recording, screen share and recorded chat are all necessary, as are presenter controls and dial-in options. From there, the sky is the limit, though virtual lobbies, third party integrations (with Outlook and video systems) and virtual whiteboards are differentiators. <br />
<br />
<b>Usability / Interface</b><br />
<br />
A good video conferencing solution must be easy to use on pretty much any device. The interface should be intuitive, and a client should be available for any / every platform. Most of the solutions will claim they can be used on every kind of device through their web portal. This is likely true, but most solutions require a client to take advantage of all of the solution features, and there may be security concerns with a web-based or web-only solution. <br />
<br />
<b>Cost</b><br />
<br />
There are generally two types of pricing: free and licensed. The licensed solutions run the gamut in pricing, based on the number of meeting participants, geographic scope (paying for international dial-in numbers), length of meetings and number of enterprise users. Many of the licensed solutions offer a free tier or trial, with limited functions, participants and meeting length, and very little in the way of support. <br />
<br />
<b>Security</b><br />
<br />
Last on this list is the security of the UC&C solution. Security is the foremost consideration in choosing a UC&C solution, once you move past the standard feature checklist (which the top solutions nearly all have in common). <br />
<br />
Finding a UC&C solution that protects your employees and enterprise is the best way to narrow down the list:<br />
<br />
- <i>Secured Out of the Box</i>: Many of the UC&C solutions on the market concentrate on the user experience and interface at the expense of security. And when they “discover” security as a priority, it comes from bolt on fixes and patches, requiring updates and procedural changes. Look for a solution that has a track record as a security leader in the industry, with a platform of millions of secured installs and a commitment to focus on security first.<br />
<br />
- <i>Support is Critical</i>: Many of the UC&C solutions provide little in the way of support, and the free solutions generally provide none. An enterprise-ready UC&C solution should have proven and dedicated support, able to respond to requests. Given the mission critical nature that UC&C solutions have taken on, examine the company’s ability to respond to vulnerabilities and its response times to resolve security gaps. <br />
<br />
- <i>Addressing Data Privacy</i>: How is the data transmitted and communicated within a session stored, maintained, and used? Are the chats kept private? Is the information encrypted when stored? Is the session encrypted? Can anyone just “bomb” an open session? As information technology professionals, we are all aware of the necessity of maintaining data security and data privacy, and many enterprises had engaged in data privacy projects and campaigns before the pandemic outbreak. Enterprises cannot abandon their data privacy efforts because of the pandemic, and must ensure that their UC&C solution is aligned to their data privacy goals.<br />
<br />
- <i>Newer is NOT Better</i>: There are plenty of UC&C solutions on the market today, but some are literally in their infancy as far as install base and working out the bugs, while several have been the leaders in the industry – in some cases before there WAS an industry. Those solutions that have an established track record of success and stability are always worth considering when making an investment in mission critical infrastructure. Plus, it gives comfort to management and executives knowing that they are selecting a proven solution.<br />
<br />
Never has there been a time when a Unified Communications and Collaboration solution has been so critical to the success of the enterprise. Understandably, there is an immediate need to select and deploy this type of solution to meet the business need and for companies to keep their doors open during this crisis. But IT and security managers would do well to choose their UC&C solution carefully, focusing on the security that the solution provides instead of the shiny bells and whistles.<br />
<br />
<b>Righting a Wrong: IBM is a Leader in the Cloud...</b> (2020-03-13)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDKvsjtTZcQyvll7nlVGWHiGVtkpewMvmZnAgacP2AwMnaRl6IuQIILXGURnBVGPvSj6pdkitzdLdaZHMWgW0PbICzHDRJwrY-v902TPsHpRzDUS4n7qlWWsRSOV971nTwllthv0al_Oju/s1600/Understanding+Cloud+Market+Share+copy.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1068" data-original-width="1600" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDKvsjtTZcQyvll7nlVGWHiGVtkpewMvmZnAgacP2AwMnaRl6IuQIILXGURnBVGPvSj6pdkitzdLdaZHMWgW0PbICzHDRJwrY-v902TPsHpRzDUS4n7qlWWsRSOV971nTwllthv0al_Oju/s320/Understanding+Cloud+Market+Share+copy.jpg" width="320" /></a></div>
Year after year, the various media outlets release their reports on the cloud: who does this or that, security breaches here and there (and who is/is not to blame), and the quasi-regular report of cloud services market share. And every year, there is some controversy as to who has the largest share of what. It is pretty obvious—based on whatever metric one may use—that AWS is the market share leader in overall cloud services consumption. Great for them: it has democratized the cloud and cloud technologies, bringing an affordable, basic cloud solution to everyone. Second is Microsoft, with their Azure offering. They are doing some interesting things with their cloud solution and continue to gain market share (usually from AWS) with innovation and capabilities.<br />
<br />
Despite what some may want you to believe, the cloud is not a “two offerings only” show. There are plenty of other vendors doing extremely interesting things with their cloud offerings. IBM was recently featured in <a href="https://www.bloomberg.com/news/articles/2020-03-10/ibm-says-it-s-no-3-in-cloud-revenue-analysts-stick-to-google" target="_blank">an article from Bloomberg news</a> discussing their place in the market, and I wanted to offer an alternative to some of the views discussed in that article.<br />
<br />
First, the concept of market share based on sales reporting is outdated. Arguably, the way some analyst firms determine market share is based on an antiquated calculation of compute cycles purchased (or something equivalent), while excluding anything else that may also contribute to the overall cloud solution. It was likely devised at a time when AWS was nearly the only player in the market, and AWS did not (and still does not) provide significant consulting or integration services, making the number of compute cycles a relevant measure. Again, there is little doubt that AWS leads this market, but excluding the multitude of other offerings and services that IBM delivers to its cloud customers from the market share figure is wrong and arbitrarily dismisses the value of its cloud offering.<br />
<br />
Second, there is even some dispute over the numbers included within the article. At the beginning of the article, the author claims that Google reported $9 billion in sales, while IBM reported $21 billion. But (much) later in the article, the author claims that only about half (I’ll use $10 billion for round numbers) of IBM’s reported cloud income comes from cloud sales, while Google’s $9 billion in revenues also includes their other, non-core cloud offerings (such as Gmail and Google Docs). So no matter how you parse the math, it appears that the traditional IBM cloud offering DOES outpace Google (IBM’s $10 billion > Google’s $9 billion), something that should have been mentioned right at the very beginning of the article.<br />
<br />
Lastly, and likely most important, is the IBM cloud offering itself. While I’m not trying to become part of the marketing team at Big Blue, their cloud solution vastly differs from Amazon, Microsoft, and Google. While AWS, Azure, and GCP provide cloud to the masses via point-and-click setup and deployment, they have also devised a barebones solution that allows pretty much anyone from any vertical of any size to get up and running on their cloud. The end configuration, compliance and everything else after the initial setup is the purview of the client or their third-party support. While this model may work for some, IBM has taken on the complete cloud solution: scoping, setup, implementation, migration, and maintenance. If the customer needs additional services related to their cloud, IBM is the full-stack solution that provides those services. Highly regulated environments (such as healthcare, financial services, etc.) have turned to IBM specifically because of this level of service and support. <br />
<br />
The analyst community is often asked about “who is best” and “how does this impact our business.” Personally, I have advocated for the security benefits of ALL cloud solutions for years, as the cloud solutions provide better, more comprehensive security than most on-premises environments could ever hope to provide. It is also why it is important to understand that all of the cloud providers mentioned here give outstanding value to their customers. But I also believe that we need to compare apples to apples when looking at some of the claims in the market, and to revise our models to reflect how companies are actually consuming cloud services. The conclusions found in the Bloomberg article about IBM’s share of the cloud market are misleading, and readers would do well to get a perspective of the whole picture when making their cloud provider decisions.<br />
<br />
<b>How to Delete the Web Tracking Google is Keeping...</b> (2019-05-08)<br />
<i>From an article located <a href="https://www.blogger.com/">here</a>. Take a quick moment and follow the instructions.</i><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQ8p4aQ85VzUzoMAcPR5v0xLK0hzbz5BWJ_5qjvCfwJT75eoHpKGA5aDYOWqSpMeOCLR_F8k3TocDe_rxjZP_JStiV-M5Fso8aFZ5ke2dy-nQi2Lwjv3O_ZypglXiwoj_AHhnhAjtHsb-m/s1600/download.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="183" data-original-width="275" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQ8p4aQ85VzUzoMAcPR5v0xLK0hzbz5BWJ_5qjvCfwJT75eoHpKGA5aDYOWqSpMeOCLR_F8k3TocDe_rxjZP_JStiV-M5Fso8aFZ5ke2dy-nQi2Lwjv3O_ZypglXiwoj_AHhnhAjtHsb-m/s320/download.jpg" width="320" /></a><br />
Google has begun rolling out a feature that allows you to configure how long it can save data from all of the Google services you use, like maps, search and everything you do online.<br />
<br />
Until now, you had to manually delete this data or turn it off entirely. Deleting it means Google doesn’t always have enough information about you to make recommendations on what it thinks you’ll like, or where you might want to go.<br />
<br />
Now, you can tell Google to automatically delete personal information after three months or 18 months. Here’s how you can do that.<br />
<br />
<ol>
<li>Visit <a href="http://myaccount.google.com/">myaccount.google.com</a> and log in if you haven’t already.</li>
<li>Choose “Data & Personalization” on the left-side panel.</li>
<li>Select the arrow next to “Web & App Activity.”</li>
<li>Choose “Manage Activity.”</li>
<li>Select “Choose to delete automatically.”</li>
<li>Select either 18 months or three months.</li>
</ol>
<br />
It isn't perfect, but it is better than nothing. Pass this along to your friends and family.<br />
<br />
<b>Happy Data Privacy Day...</b> (2019-01-28)<br />
<em>This blog was originally posted at the Cloud Native Digest. You can find it </em><a href="https://www.cloudnativedigest.com/2019/01/happy-data-privacy-day.html"><em>here</em></a><em>.</em><br />
<br />
It’s Data Privacy Day or, if you are part of the EU, Data Protection Day.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirPfI1H0fl4HsvkphpxcMjVAd6wQm3OEG4Y3h3Hsn61sI2VS4FloPGs8PGP0XtZubdguS1EUWuNw3paPMlk4sUHGge2UB1T3jxyMaoAM71rgdvuryZ1Ri1PX6YoxJ-6J9_hl4JGY5M44Ip/s1600/untitled.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="401" data-original-width="610" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirPfI1H0fl4HsvkphpxcMjVAd6wQm3OEG4Y3h3Hsn61sI2VS4FloPGs8PGP0XtZubdguS1EUWuNw3paPMlk4sUHGge2UB1T3jxyMaoAM71rgdvuryZ1Ri1PX6YoxJ-6J9_hl4JGY5M44Ip/s320/untitled.png" width="320" /></a>Data privacy and data protection have been top of mind for information security professionals for a number of years now. While the United States is paying greater attention to privacy legislation (California and several other states have various bills in process), the European Union has led the conversation with General Data Protection Regulation (GDPR) enacted in May 2018.<br />
<br />
Last week, the EU (specifically France) issued the first fines associated with a GDPR violation. While the tech company is going to appeal the finding, it is only the start of what will be many fines from EU nations in 2019 for GDPR infractions. Technology professionals will be watching the news to understand how these findings affect their enterprises, and possible steps that they will need to take to remediate violations proactively.<br />
<br />
This might go without saying, but it is vitally important — personally and professionally — to make every effort to follow data protection best practices. Still, today is as good a day as any to remember that there are numerous tools and solutions available to help you do so.<br />
<br />
That’s certainly true in the cloud. Never in the history of technology have companies paid more attention and spent more on resources to protect data.<br />
<br />
The biggest companies in the public cloud space spend BILLIONS of dollars per year improving security controls and compliance standards. The environments that they provide serve as some of the most scrutinized and protected environments ever to exist — far more than the average company can possibly hope to achieve on its own. Companies moving to these sorts of environment not only stand to gain massive savings in costs and resources, but they also end up with an environment that is better, more secure, and easier to manage.<br />
<br />
So, to observe the day, take a moment and try to understand what data you have available in digital form. Then, try to determine how that data is protected. You might be shocked at what you find.<br />
<br />
<b>Why Do I Write...</b> (2018-11-05)<br />
<div>
<i><span style="color: #ea9999;">Recently, I was presented with a question: Why Do I Write? As a writer, I thought I would share my response.</span></i></div>
<br />
<div style="text-align: center;">
<i><span style="font-size: large;">Words offer the means to meaning, </span></i></div>
<div style="text-align: center;">
<i><span style="font-size: large;">and for those who will listen, </span></i></div>
<div>
<div style="text-align: center;">
<i><span style="font-size: large;">the enunciation of truth. </span></i></div>
<div>
<div style="text-align: center;">
<i><span style="font-size: large;">- V, V For Vendetta</span></i></div>
<br />
Everyone writes for the same reason – to communicate a thought, feeling or idea. It can be as simple as a text message, as complicated as a technical whitepaper or as elegant as Shakespearean verse. Yet all are used to communicate. Why do I write? At the most basic level, I write to communicate, and because I generally have things to say. <br />
<ul>
<li><b>Writing is hard:</b> Using the written word to express an idea is a difficult task. There is an aptitude for it, and it takes a certain amount of skill to convey an idea or emotion. I have never underestimated the skill of writing – it certainly does not come easy to most, and has not always come easy to me. You can always tell the skill level of a writer – how engaging it is, how it includes the reader, how it expresses the idea. None of these things are easy, but the best writers seem to have a way of producing words so that they flow onto the paper, and equally flow to the mind of the reader. </li>
</ul>
<ul>
<li><b>Writing is challenging:</b> Using words to express an emotion or to deliver a message is a challenge. It is a particular challenge that I enjoy, as it can be a powerful method of self-expression. Finding the right tone, finding the right words, narrowing your audience, and crafting a dialogue between the writer and the audience is as difficult as it is rewarding. I think we can all remember a time when we read something – maybe as simple as an article in the news – that was particularly moving or pertinent. Those that can accept the challenge of using words to communicate have a power that no one can take from them.</li>
</ul>
<ul>
<li><b>Writing is powerful:</b> So many in the world do not have a voice. It is not because they do not have ideas, or have opinions to share. But they do not have a way to communicate those ideas in a way that is meaningful. I write because it is an outlet for me to express my thoughts and ideas, and – even occasionally – my emotions. I personally enjoy public speaking as well, but it is difficult to find an audience that is constantly available. Whereas writing is always – always available, always refreshing, always influencing. It becomes part of the record, regardless of how insignificant it may seem. Writing allows me to create a historical legacy.</li>
</ul>
I am privileged to have a profession where writing is an integrated part of the role. I spend hours every week sharing my thoughts about the latest in technical innovations, using words to describe the qualities or value of a particular technical solution. I get to shape my messages to specific audiences. And I know that my writing has an impact – literally tens of thousands of people read my written words every month. <br />
<br />
Simply, I write because it is an extension of my abilities, my intellect and my soul.</div>
</div>
<b>CyberSecurity Predictions for 2018: Threat Analytic Services On-Demand Has Arrived</b> (2018-01-12)<br />
Happy New Year! <br />
<div>
<br /></div>
<div>
I recently penned a piece for general distribution about cybersecurity predictions for 2018, this one on threat analytics. The folks at Verdict (as well as several other media outlets) picked it up and published it.<br />
<br />
You can find the original post <a href="http://verdict-encrypt.nridigital.com/verdict_encrypt_jan18/cybersecurity_in_2018_39_predictions_for_business">here</a>.<br />
<br /></div>
<div>
<div>
<span style="color: #ea9999; font-size: large;"><b>Move Over Netflix: <br />Threat Analytic Services On-Demand Has Arrived </b></span></div>
<div>
<span style="color: #ea9999; font-size: large;"><b><br /></b></span></div>
<div>
<span style="color: #ea9999;">We are a world at war – and most people don’t even know it. It is not a traditional war with bombers, battleships and bazookas. Rather, it is being fought everyday by cyber soldiers, protecting governments and organisations from state-sponsored hackers and organised crime.</span></div>
<div>
<span style="color: #ea9999;"><br /></span></div>
<div>
<span style="color: #ea9999;">Unfortunately, most private enterprises and organisations do not have the resources to effectively combat coordinated cyberattacks – it isn’t their core business and information security resources are expensive and hard to come by. But the picture isn’t as bleak as it sounds.</span></div>
<div>
<span style="color: #ea9999;"><br /></span></div>
<div>
<span style="color: #ea9999;">2018 will see cybersecurity-related services dramatically increase, especially around threat analytics. In the past, only the largest companies could afford to invest in the procurement, management and maintenance of threat analytics services (TAS), but now they are becoming readily available to customers on demand for whatever purpose needed. Maybe it’s a point-in-time situation, like incident response or strategic advisory to evaluate existing infrastructure, determine regulatory compliance, or confirm the veracity of a particular security architecture.</span></div>
<div>
<span style="color: #ea9999;"><br /></span></div>
<div>
<span style="color: #ea9999;">Cyberattacks will continue to increase. But organisations are no longer defenceless in the fight. TAS are not just for the big boys any more – every size company can take advantage of on-demand specialised services to improve their overall cybersecurity.</span></div>
</div>
<b>Podcast with RackN on Cloud Security...</b> (2017-12-11)<br />
Recently, I created a podcast with the folks at RackN on cloud security, GDPR and a whole list of other cybersecurity-related topics. Rob Hirschfeld and Stephen Spector are part of the leadership at RackN and experts at data center automation. <br />
<br />
From the RackN website:<br />
<br />
<i><span style="color: #ea9999;">RackN allows Enterprises to quickly transform their current physical data centers from basic workflows to cloud-like integrated processes. We turned decades of infrastructure experience into data center provisioning software so simple it only takes 5 minutes to install and provides a progressive path to full autonomy. Our critical insight was to deliver automation in a layered way that allows operations teams to quickly adopt the platform into their current processes and incrementally add autonomous and self-service features.</span></i><br />
You can find the podcast here:<br />
<br />
<a href="https://www.rackn.com/2017/12/11/podcast-chris-steffen-security-cloud-edge-coming-gdpr/?utm_content=social-ka5na&utm_medium=social&utm_source=SocialMedia&utm_campaign=SocialPilot">https://www.rackn.com/2017/12/11/podcast-chris-steffen-security-cloud-edge-coming-gdpr/?utm_content=social-ka5na&utm_medium=social&utm_source=SocialMedia&utm_campaign=SocialPilot</a><br />
<br />
<b>IoT Security: Understanding my Connected Thermostat</b> (2017-11-10)<br />
<span style="color: #ea9999;"><i>Today, I wanted to share a post from a guest author. My friend Jason Garbis (<a href="https://twitter.com/jasongarbis">@jasongarbis</a>) created this piece about IoT and your home thermostat. It is a great read and the research is really interesting! I know many folks that are adopting IoT devices in their homes, and likely will not put in the level of effort that Jason went through to understand their security. Good news in this case - he did it for you!</i></span><br />
<br />
I’m a technical guy, and I like understanding how things work. Because I’m employed at a network security company, I’ve been doing a lot of reading and writing about network security, the (in)security of connected devices, and attacks such as the Mirai botnet.<br />
<br />
Which brings me to my connected home thermostat, a Trane model which uses the Nexia home automation platform. I wanted to understand the network model for this device. I can use the Nexia app on my phone to control the thermostat from anywhere, but how does this work? Does my device have an open connection to a service in the cloud? Or is there (shudder) an inbound connection to it?<br />
<br />
I’ve been able to answer these questions with some research, but this was harder than it should be, and there’s little hope for less-technical people to be able to figure these kinds of things out for their home automation systems.<br />
<br />
So let’s get started!<br />
<br />
One note: For privacy purposes, I have redacted my home IP address throughout this document.<br />
<br />
The thermostat is on my home wireless network, with an IP address assigned to it from my wireless router: 192.168.1.7.<br />
<br />
I performed a quick port scan with two different tools – nmap running on a local machine, and fing running on my phone – and they both showed no open ports on the device. This is a good first result from a security perspective! (Note that I’ve also configured my wireless router to not have any open ports, or to allow any incoming network connections, so even if the thermostat had an open port, it would only have been accessible on the wireless network, and not from the Internet. And yes, UPnP is also disabled on the router!).<br />
<br />
Let’s take a look at the device itself – it’s a Trane XL824, which shows up on the network as a Murata Manufacturing device. This device displays a local weather forecast, and is controllable from a smartphone app.<br />
<br />
It’s clear that the thermostat is making an outbound connection to a server, and obtaining data such as the weather forecast, and commands such as temperature setting changes from the phone app over this connection [note that while some systems might use a peer-to-peer connection over the local wifi, that’s not how this system operates]. In particular, I’m very interested in understanding the command model, and the security around this. How are changes to my thermostat settings performed? What’s the data flow from the phone app to my thermostat?<br />
<br />
My standard-issue home wireless router offers very little in terms of actual network monitoring features. If you dig through the painfully slow admin UI, it does offer a crude security log with a shockingly small capacity of 16KB. This corresponds to only a few seconds of traffic, apparently, before we see:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZsh9D8qwgy30uGcRRO-dkqOkaFTNwaOdHKbL_iCDwU9DayqyyzuRcqt1y-jT-pUaOS9Df_ZK23p6N5fkDGrcWfac_4qZZgkZRWc2WFT7IV663UMqZ0He7VVCIP8U0fomuV9r3rp7Hkyev/s1600/jason+blog.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="44" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZsh9D8qwgy30uGcRRO-dkqOkaFTNwaOdHKbL_iCDwU9DayqyyzuRcqt1y-jT-pUaOS9Df_ZK23p6N5fkDGrcWfac_4qZZgkZRWc2WFT7IV663UMqZ0He7VVCIP8U0fomuV9r3rp7Hkyev/s400/jason+blog.png" width="400" /></a></div>
<br />
Fortuitously, in this brief snippet of log I discovered an outbound connection from the thermostat’s private IP address (192.168.1.7) out to a remote system, at IP address 23.194.182.156 on port 80.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLK9tW4B0BbIN8TMZa58skXDQmtG6a5Krw_SJwUJ-dMHGWmhCyvvJMWUHwVz6U4EsI9V7abiCB9o5BLMoSiKbXzfBHsnsp4rM0n_kVQP0JqxVoM61IfDYlZqIyXIA_RXpcehRm8_KmTy8p/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="85" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLK9tW4B0BbIN8TMZa58skXDQmtG6a5Krw_SJwUJ-dMHGWmhCyvvJMWUHwVz6U4EsI9V7abiCB9o5BLMoSiKbXzfBHsnsp4rM0n_kVQP0JqxVoM61IfDYlZqIyXIA_RXpcehRm8_KmTy8p/s400/2.png" width="400" /></a></div>
<br />
This IP address is operated by Akamai – it’s not surprising that the Nexia folks, with probably hundreds of thousands of thermostats running 24x7, would make use of a CDN to farm out content to nearby nodes. But, I still have a few questions about this.<br />
<br />
Why is it using port 80 rather than 443? A simple port scan shows that the target IP address has both ports 80 and 443 open. Should I be concerned about this traffic being unencrypted?<br />
<br />
Trying this IP address in my browser results in a web server error –<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOYQBuY8D-c_MwNzTOWvKhHvkrYjJzFZN1paPJPfDCuMIO8AZFDDGJ_mi-TxbbHBIUp_807NaXjShEsCQRGSauEdt67hjUFFfO77sg0JR2FctgDvcCwVVFNX63IWac0L2VcQJYmDgfqwOu/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="177" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOYQBuY8D-c_MwNzTOWvKhHvkrYjJzFZN1paPJPfDCuMIO8AZFDDGJ_mi-TxbbHBIUp_807NaXjShEsCQRGSauEdt67hjUFFfO77sg0JR2FctgDvcCwVVFNX63IWac0L2VcQJYmDgfqwOu/s400/3.png" width="400" /></a></div>
<br />
So, let’s try HTTPS:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqrU_TPYgmRZl0_g3ToMfCRbHWpBRkLhVXSjf38doDcVIhI0QoJK4bOMCja9ulcIi3uxl9DyNsYs6UcI6G-9jAJZ1xmVhs67lAhm0j8rYmXKRCL-y-hgzltLa3otei6aAtAsckxaU9dOwX/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqrU_TPYgmRZl0_g3ToMfCRbHWpBRkLhVXSjf38doDcVIhI0QoJK4bOMCja9ulcIi3uxl9DyNsYs6UcI6G-9jAJZ1xmVhs67lAhm0j8rYmXKRCL-y-hgzltLa3otei6aAtAsckxaU9dOwX/s400/4.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTkdrgChNKs6_z8qDrhtkBReGK99t8Z8ouBO8qlfXYcSGUiXKZjZ_NzOhb_sJvHGIT8o_i20rXemSYYT9nBO1aY62_sQjLF4nkhV4D5bkB3G7RCVpMKe-m4nNm1m5fYlUP2FD87iK-vscB/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTkdrgChNKs6_z8qDrhtkBReGK99t8Z8ouBO8qlfXYcSGUiXKZjZ_NzOhb_sJvHGIT8o_i20rXemSYYT9nBO1aY62_sQjLF4nkhV4D5bkB3G7RCVpMKe-m4nNm1m5fYlUP2FD87iK-vscB/s400/5.png" width="386" /></a></div>
<br />
Aha! Look at the domain associated with the certificate. This is a site providing the weather forecast data to the thermostat. Presumably it makes regular outbound calls to the Akamai-hosted CDN site to obtain this data.<br />
<br />
I happened to catch an outbound call to this service in that brief log snippet. I’m guessing that it was preceded by a DNS lookup, which returned this nearby Akamai IP address based on my geolocation. Obtaining weather data over HTTP rather than HTTPS may seem fairly benign, but does introduce a potential vulnerability. A man-in-the-middle or DNS hijacking attack could pretty easily serve up bogus or malformed weather data, and this malformed data could be used to perform an attack and obtain a foothold on the thermostat, for example via a buffer overflow. So I need to give Nexia a small demerit for this. Ideally they’d use HTTPS to preserve the integrity of the data, and also perform a certificate revocation check.<br />
<br />
Back to the task at hand, it’s clear that I need more comprehensive logging of my home network. Despite my wireless router’s limitations, it does support the ability to log to a remote system:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNzoqSuQKJvQQUVMgrpMKo7SvSG3Dha2Z-ozNpjcbTzmESl6Rtx0O9-CiLaELX9i9lvPIR5cKlEXQgn9vtFNi4XSihMv4FuEL24RqRJrLrFjrcsDPEH2k15Cy211oJN9mzbfcVW8MuZDOx/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="265" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNzoqSuQKJvQQUVMgrpMKo7SvSG3Dha2Z-ozNpjcbTzmESl6Rtx0O9-CiLaELX9i9lvPIR5cKlEXQgn9vtFNi4XSihMv4FuEL24RqRJrLrFjrcsDPEH2k15Cy211oJN9mzbfcVW8MuZDOx/s400/6.png" width="400" /></a></div>
I have an old laptop at home on which I’ve installed Linux, so I fired it up and configured it to listen for syslog data coming from the router.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw0spof9mB5kBttDZRLNMM946PDgjWtpF28egs38HtpHVyMxk263eQVXfe0zXSU8npAMhRrmzrfvBtGnU_Sratk1br_K1XsdJO5A-XWJT0D9gd6T2_5TyTPZ15-K-Y0CQvm6Ci5RLTkjiu/s1600/7.png" imageanchor="1"><img border="0" height="10" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw0spof9mB5kBttDZRLNMM946PDgjWtpF28egs38HtpHVyMxk263eQVXfe0zXSU8npAMhRrmzrfvBtGnU_Sratk1br_K1XsdJO5A-XWJT0D9gd6T2_5TyTPZ15-K-Y0CQvm6Ci5RLTkjiu/s400/7.png" width="400" /></a><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEib3aZ5qBxcI2v7_ADSoAf10CmG0Xts89W-J_q81ByNPHD9CRBCa5zz8b7G591EK6IUEjbVcNRmKAweGDnPzuq37DmvEraRE7B1eXR4UEX-MHaI9i7ftYp98RuWIC89xu3g56oX4wE5r-Tk/s1600/8.png" imageanchor="1"><img border="0" height="153" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEib3aZ5qBxcI2v7_ADSoAf10CmG0Xts89W-J_q81ByNPHD9CRBCa5zz8b7G591EK6IUEjbVcNRmKAweGDnPzuq37DmvEraRE7B1eXR4UEX-MHaI9i7ftYp98RuWIC89xu3g56oX4wE5r-Tk/s640/8.png" width="640" /></a><br />
<br />
Ok…lots of data to parse. Let’s filter it a bit…<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJ2HZLEOjWLudg8_TBqkuetwFOhvJNdCK2XPFDUJztahPsHSLze-2fqRhe2i8P9VfyPVgEKmGQhVm8WvSWQsvEKaRfhkCX6dIJ3UZ15IXFtok60abuKV95KKr2-ogkcGw_X2_P0UWIw7Kd/s1600/9.png" imageanchor="1"><img border="0" height="11" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJ2HZLEOjWLudg8_TBqkuetwFOhvJNdCK2XPFDUJztahPsHSLze-2fqRhe2i8P9VfyPVgEKmGQhVm8WvSWQsvEKaRfhkCX6dIJ3UZ15IXFtok60abuKV95KKr2-ogkcGw_X2_P0UWIw7Kd/s320/9.png" width="320" /></a><br />
<br />
And (reformatted for clarity) a basic pattern emerges:<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEr0zhizTvzSnkrF56gTVO7XyANC8Ev4xWo6taBQnGfknPkWCaccwIpa4-BpZ4cKSD_vG5N2L0YZU-F8mPisUOsim2e-CNiISoVR7knbY3L41ouktHvm2T-TZP7SqozVMf0FEpcReCjn2p/s1600/10.png" imageanchor="1"><img border="0" height="284" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEr0zhizTvzSnkrF56gTVO7XyANC8Ev4xWo6taBQnGfknPkWCaccwIpa4-BpZ4cKSD_vG5N2L0YZU-F8mPisUOsim2e-CNiISoVR7knbY3L41ouktHvm2T-TZP7SqozVMf0FEpcReCjn2p/s640/10.png" width="640" /></a><br />
Looks like the thermostat is calling out to the Weather service every 5 minutes. This pattern is quite regular:<br />
<ul>
<li>Generally the outbound connections are going to either 23.194.182.156 or 23.192.142.167. These are both Akamai IP addresses, so I’m guessing that DNS is returning these as part of a load-balanced set.</li>
<li>These calls are all preceded by a DNS call using UDP port 53. The log shows these going first to the router (192.168.1.1), which then sends them along to the external DNS server. </li>
</ul>
But wait – there’s an odd set of outbound connections going to port 443!<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdg0ac7HjG2TssH62ho4PGXd-4T2rWpg52KGhPj65lSb-rkenqpt4I0LUQKFmhlLgmNddylZNfsem2s2f-c415AIw5xfKHiO_fS9L4KPT3pYTWJpY0Ry7Uv4cbaKXbJ9ZxYWqefteIVPiL/s1600/11.png" imageanchor="1"><img border="0" height="88" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdg0ac7HjG2TssH62ho4PGXd-4T2rWpg52KGhPj65lSb-rkenqpt4I0LUQKFmhlLgmNddylZNfsem2s2f-c415AIw5xfKHiO_fS9L4KPT3pYTWJpY0Ry7Uv4cbaKXbJ9ZxYWqefteIVPiL/s640/11.png" width="640" /></a><br />
<br />
These are not only off-cycle from the other connections, they’re also the only ones going out from the thermostat to port 443.<br />
<br />
Based on a reverse DNS lookup, these servers are running in AWS – and map to an EC2 instance and an S3 bucket. These are presumably the control mechanisms for the thermostat.<br />
<br />
Let’s see what these services are: 52.1.236.158 has ports 80 and 443 open, so loading this in a browser leads us to…<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmZUWPrfr9pKNy-SBPyfFJnTc842zwesYmxu6s-5s4FRQ11_5acT8qIXTtfbeIRIthHpmb4__Z35itC8yWYs07pDBDon4G9Aryx_VRxH8Esay4wwkxEycs2MN6sNOx9vB2byiAf3_C6-Bx/s1600/12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="247" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmZUWPrfr9pKNy-SBPyfFJnTc842zwesYmxu6s-5s4FRQ11_5acT8qIXTtfbeIRIthHpmb4__Z35itC8yWYs07pDBDon4G9Aryx_VRxH8Esay4wwkxEycs2MN6sNOx9vB2byiAf3_C6-Bx/s400/12.png" width="400" /></a></div>
<br />
the Nexia site (properly redirecting to HTTPS).<br />
<br />
The other two destinations for port 443 correspond to S3 buckets, which don’t offer a Web interface without authentication, and without permission I’m not going to poke around them in any case.<br />
<br />
Just for kicks, let’s do a DNS lookup on the mynexia.com domain:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN4n3EjMeCT0l9OuQL-48XDU0yAstT9NWTMU4XBgG67ANi9_F5rlLdUHNynlX0iiYpgjO017y-vVh-pvLmznU1VP1fZHUUYKKn8yCqUVhDc7Vjy_FfPkzrJ2c-OE4_d6Gaeu7V5z_VWLcd/s1600/13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="155" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN4n3EjMeCT0l9OuQL-48XDU0yAstT9NWTMU4XBgG67ANi9_F5rlLdUHNynlX0iiYpgjO017y-vVh-pvLmznU1VP1fZHUUYKKn8yCqUVhDc7Vjy_FfPkzrJ2c-OE4_d6Gaeu7V5z_VWLcd/s400/13.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
And there it is, 52.1.236.158. Hosted in AWS and assigned to mynexia.com. This is clearly the connection we’ve been looking for! Let’s think about the system behavior for a moment – I can use the Nexia iPhone app to adjust my thermostat, and these changes take place essentially immediately – within ~5 seconds based on my handful of tests.<br />
<br />
This implies near-real-time communications over an existing network connection, not something that’s polling-based. And because we’ve established that there are no inbound connections to the thermostat, this outbound connection to the Nexia system must be long-lived.<br />
<br />
Let’s take a look at the log files to see what else we can discover. We can see several connections outbound to port 443 on the Nexia server.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFSmgeD_a-DwX0_UzN21qmBUUDFohMCJCCYaC_JYFYHzQxEew_jn2kNtlZ7gbkv83wQ_Z8NZ2D6Qw2SCEQ1WlxG1xIIl7nEUUtYDWUQoJih__hB7-z_gIl1EG2r3k5NR-PR1DNU9rIlqRL/s1600/14.png" imageanchor="1"><img border="0" height="84" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFSmgeD_a-DwX0_UzN21qmBUUDFohMCJCCYaC_JYFYHzQxEew_jn2kNtlZ7gbkv83wQ_Z8NZ2D6Qw2SCEQ1WlxG1xIIl7nEUUtYDWUQoJih__hB7-z_gIl1EG2r3k5NR-PR1DNU9rIlqRL/s640/14.png" width="640" /></a><br />
<br />
And looking at a DNS log I set up – I used BIND and configured my router to use my Linux laptop as its DNS server – we can see the mynexia.com domain resolution request:<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3AMmpbLN-66JaIy7u3DBen0WGD_iEig0KuyxXRSD9JAIALBxyVprr2WFo6IAN7EGTAUsaJNIGBybyZvXoXr71bdhGZiq27mxxBQ_tP3DlkqGWCqnjkxe9_zmX2LMHJiOd9d2GrrEvOTfk/s1600/15.png" imageanchor="1"><img border="0" height="30" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3AMmpbLN-66JaIy7u3DBen0WGD_iEig0KuyxXRSD9JAIALBxyVprr2WFo6IAN7EGTAUsaJNIGBybyZvXoXr71bdhGZiq27mxxBQ_tP3DlkqGWCqnjkxe9_zmX2LMHJiOd9d2GrrEvOTfk/s640/15.png" width="640" /></a><br />
<br />
Some of these connections are only open for a few seconds – for example the one outbound on port 44318 is opened at 15:57:09, and closed at 15:57:12. But the connection on port 50216 – opened at 15:27:41 – remains open for a long period (beyond the horizon of when I turned off the logging server that day).<br />
<br />
This is exactly what we’d expect from the observed behavior! A long-lived outbound connection from the thermostat to the Nexia server, used to communicate commands in near-real-time.<br />
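As an added example (not code from the post), here is a small Python analysis that checks a router firewall log for the three patterns identified above: plaintext HTTP destinations, a fixed-interval poll preceded by a DNS query, and a port 443 connection that never closes within the capture. The log format, dates and source ports are constructed, since the router's screenshots are not reproduced here; the IP addresses are the ones quoted in the post.<br />

```python
"""Check a router firewall log for the patterns discussed above: plaintext
HTTP destinations, a fixed-interval poll preceded by DNS, and a TLS connection
that never closes within the capture.  Added example: the log format, dates
and source ports are constructed; the IP addresses are those quoted in the post."""
import re
import statistics
from datetime import datetime, timedelta

# Constructed sample: thermostat 192.168.1.7 polls the weather CDN on TCP/80
# every five minutes, each poll preceded by a DNS query to the router
# (192.168.1.1); plus one short and one never-closed connection to TCP/443.
SAMPLE_LOG = """\
2019-03-12T15:27:40 OUT UDP 192.168.1.7:41002 -> 192.168.1.1:53 OPEN
2019-03-12T15:27:41 OUT TCP 192.168.1.7:50216 -> 52.1.236.158:443 OPEN
2019-03-12T15:30:00 OUT UDP 192.168.1.7:41003 -> 192.168.1.1:53 OPEN
2019-03-12T15:30:01 OUT TCP 192.168.1.7:44001 -> 23.194.182.156:80 OPEN
2019-03-12T15:30:02 OUT TCP 192.168.1.7:44001 -> 23.194.182.156:80 CLOSE
2019-03-12T15:35:00 OUT UDP 192.168.1.7:41004 -> 192.168.1.1:53 OPEN
2019-03-12T15:35:01 OUT TCP 192.168.1.7:44002 -> 23.192.142.167:80 OPEN
2019-03-12T15:35:02 OUT TCP 192.168.1.7:44002 -> 23.192.142.167:80 CLOSE
2019-03-12T15:40:00 OUT UDP 192.168.1.7:41005 -> 192.168.1.1:53 OPEN
2019-03-12T15:40:01 OUT TCP 192.168.1.7:44003 -> 23.194.182.156:80 OPEN
2019-03-12T15:40:02 OUT TCP 192.168.1.7:44003 -> 23.194.182.156:80 CLOSE
2019-03-12T15:57:09 OUT TCP 192.168.1.7:44318 -> 52.1.236.158:443 OPEN
2019-03-12T15:57:12 OUT TCP 192.168.1.7:44318 -> 52.1.236.158:443 CLOSE
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) OUT (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<state>OPEN|CLOSE)$")


def parse_log(text):
    """Parse the constructed format into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
            events.append(ev)
    return events


def _opens(events, device, dport):
    return [e for e in events
            if e["src"] == device and e["dport"] == dport and e["state"] == "OPEN"]


def plaintext_destinations(events, device):
    """Hosts the device reaches on TCP/80: nothing fetched there is integrity-protected."""
    return sorted({e["dst"] for e in _opens(events, device, 80) if e["proto"] == "TCP"})


def poll_interval_seconds(events, device, dport):
    """Median gap between successive opens to dport; a tight median means a timer-driven poll."""
    times = sorted(e["ts"] for e in _opens(events, device, dport))
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return statistics.median(gaps) if gaps else None


def dns_preceded(events, device, dport, window=timedelta(seconds=5)):
    """True if every open to dport follows a UDP/53 query from the device within `window`."""
    dns_times = [e["ts"] for e in events
                 if e["src"] == device and e["proto"] == "UDP" and e["dport"] == 53]
    return all(any(timedelta(0) <= o["ts"] - t <= window for t in dns_times)
               for o in _opens(events, device, dport))


def connection_lifetimes(events, device, dport):
    """Map (sport, dst) -> seconds open, or None when no CLOSE appears in the capture."""
    opened, lifetimes = {}, {}
    for e in events:
        if e["src"] != device or e["dport"] != dport:
            continue
        key = (e["sport"], e["dst"])
        if e["state"] == "OPEN":
            opened[key], lifetimes[key] = e["ts"], None
        elif key in opened:
            lifetimes[key] = (e["ts"] - opened.pop(key)).total_seconds()
    return lifetimes


def long_lived(events, device, dport):
    """Connections to dport still open at the end of the capture: the persistent channel candidates."""
    return [k for k, v in connection_lifetimes(events, device, dport).items() if v is None]


if __name__ == "__main__":
    ev, dev = parse_log(SAMPLE_LOG), "192.168.1.7"
    print("plaintext HTTP destinations:", plaintext_destinations(ev, dev))
    print("median poll interval (s):   ", poll_interval_seconds(ev, dev, 80))
    print("every poll preceded by DNS: ", dns_preceded(ev, dev, 80))
    print("long-lived 443 connections: ", long_lived(ev, dev, 443))
```

On the sample above this reports the two Akamai hosts as plaintext destinations, a 300-second poll interval with DNS before every poll, and port 50216 as the one connection still open when the capture ends.<br />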
<br />
Is this secure? Let’s assess – it’s using HTTPS for the connection, which is clearly a good foundation. I can’t tell whether it’s doing any certificate validation on the mynexia.com domain. Determining that would require deploying a firewall and performing HTTPS inspection, which is beyond the scope of this article.<br />
<br />
So let’s summarize what we learned here, and assess its security. The thermostat is only making outbound connections, and doesn’t require either an open port or (the horror of) UPnP. It’s making an HTTPS connection to its command & control system, hosted at a recognizable domain. These are all sound security approaches.<br />
<br />
My only criticism is that it’s making an unsecured call to a Weather.com server over HTTP. This is a small but real vulnerability, since it’s subject to an MITM attack that could exploit a buffer overflow of some sort. I’m not terribly worried about upstream attackers at the ISP, but someone could create a rogue wireless access point and capture the outbound calls to the weather forecast server. Or in theory hijack my DNS, redirect the thermostat to a bogus weather forecast server, and deliver malformed data. Again – these are real but unlikely attacks.<br />
<br />
Overall, I’m satisfied with the security of this device. I learned a lot doing this research, and I hope that you’ve found this writeup useful. Let me know what you think – I’m reachable on Twitter <a href="https://twitter.com/jasongarbis">@JasonGarbis </a><br />
<br />
Thanks!<br />
<br />
<br />
<b>Equifax Data Breach... (2017-09-08)</b><br />
<br />
Sorry it has been a while since I last posted. As you can imagine – the world of a cybersecurity guy can be slightly busy at times!<br />
<br />
I did want to take a moment and warn everyone about the Equifax data breach. <br />
<br />
For those that may not have heard yet, the credit repository Equifax suffered a massive data breach, losing 143,000,000 records. The hack began in May, and was finally terminated in late July. <br />
<br />
Equifax notified the public yesterday, but presumably they have been working with the federal law enforcement community and the various states’ attorneys general about the breach (as required by law). I know that their incident response procedure specifically directs that they work with the FBI to determine the source and impact of the breach before notifying the general public – I can only hope that they followed their own procedures.<br />
<br />
I won’t go into specifics about the breach, or the failed procedures on the part of Equifax that allowed this to happen. But I did want to share a few tidbits that are important to the general public, and that may help you get a better understanding of the breach and how the public is affected.<br />
<br />
<br />
<ul>
<li>Equifax has credit information on pretty much every American. They are one of three major credit repositories. In most cases of a data breach, the consumer would have had to do business with the retailer to have been exposed (such as the Home Depot credit card breach, or a records breach at a hospital or school). Not so with Equifax. You may have never heard of Equifax before today, but they have ALL of your information as one of the credit repositories.</li>
<li>There are about 325,000,000 people in the US, and the Equifax breach lost 143,000,000 records. For simplicity’s sake, that means that 1 out of every 2 people had their credit information stolen as part of this breach. That means that it was you OR your spouse. Your Mom OR your Dad. You OR your siblings. You OR your child.</li>
</ul>
<br />
<br />
Point being, <b><u><span style="color: red;">YOU</span></u></b> or someone close to you was certainly affected by this breach. So please spread the word.<br />
<br />
Equifax has posted this report:<br />
<br />
<a href="https://www.equifaxsecurity2017.com/">https://www.equifaxsecurity2017.com/</a><br />
<br />
You can see if you were among those that were breached, and they will give you instructions. Ironically, if you were affected, they will sign you up for credit monitoring, but not until next week (shrug?).<br />
<div style="text-align: center;">
<span style="color: red; font-size: x-large;"><br /></span></div>
<div style="text-align: center;">
<span style="color: red; font-size: x-large;">Please pass this along to </span></div>
<div style="text-align: center;">
<span style="color: red; font-size: x-large;">anyone / everyone you know.</span></div>
<b>Addressing Network Segmentation for PCI 3.2 with the Software-Defined Perimeter (2017-08-28)</b><br />
<div class="MsoNormal">
This blog originally appeared on the Cryptzone blog. You can find it <a href="https://insight.cryptzone.com/secure-access/addressing-network-segmentation-for-pci-3-2-with-the-software-defined-perimeter/">here</a>.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Most companies selling to the public – and certainly all
e-commerce companies – are required to comply with the Payment Card Industry
Data Security Standards (PCI DSS). Basically, all businesses that accept credit
cards as payment must adhere to the PCI standards, and go through a
certification process on an annual basis.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
While the PCI DSS is nothing new, breaches are still
occurring with alarming frequency. And those charged with protecting credit
card information are paying attention, revising the standards for securing
credit card data to combat emerging threats and scenarios.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
In December 2016, the PCI DSS Council released <a href="https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1.pdf">“Guidance for PCI DSS Scoping and Network Segmentation”</a>.
This document was created to clarify how businesses and auditors should assess
their Cardholder Data Environments (CDE). Specifically, it includes guidance as
to what systems and processes should be included as part of a PCI evaluation
and scope:</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
<i>Accurate
PCI DSS scoping involves critically evaluating the CDE and CHD flows, as well
as all connected-to and supporting system components, to determine the
necessary coverage for PCI DSS requirements. Systems with connectivity or
access to or from the CDE are considered “connected to” systems. These systems
have a communication path to one or more system components in the CDE.</i></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The guidance summarizes how environment scoping should be
approached:</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
<i>The following scoping concepts always apply:</i></div>
<ul style="margin-left: .5in;">
<li><i>Systems located within the CDE are in scope, irrespective of their functionality or the reason why they are in the CDE.</i></li>
<li><i>Similarly, systems that connect to a system in the CDE are in scope, irrespective of their functionality or the reason they have connectivity to the CDE.</i></li>
<li><i>In a flat network, all systems are in scope if any single system stores, processes, or transmits account data.</i></li>
</ul>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
One of the primary areas of focus is how critical network
segmentation is to reduce the overall PCI scope, as even machines that are not
directly involved with credit card processes but still able to access
Cardholder Data (CHD) *MUST* also be included as part of the PCI scope:</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
<i>The
intent of segmentation is to prevent out-of-scope systems from being able to
communicate with systems in the CDE or impact the security of the CDE.
Segmentation is typically achieved by technologies and process controls that
enforce separation between the CDE and out-of-scope systems. When properly
implemented, a segmented (out-of-scope) system component could not impact the
security of the CDE, even if an attacker obtained administrative access on that
out-of-scope system.</i></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhglE-BzTn3WgttUdqi_RICAG0J9fzWWNhsid83LG6dJNPUzhWGt7HMCD4JyC2sH4oppx3dWGOwL7dIqhjjUv94hwpGSWigxOxUE4IHn8MuLAhgWFnIgxJRrtTqoYg4STuYgJi1PQhHQW4o/s1600/PCI.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="270" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhglE-BzTn3WgttUdqi_RICAG0J9fzWWNhsid83LG6dJNPUzhWGt7HMCD4JyC2sH4oppx3dWGOwL7dIqhjjUv94hwpGSWigxOxUE4IHn8MuLAhgWFnIgxJRrtTqoYg4STuYgJi1PQhHQW4o/s400/PCI.png" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
As a best practice, and to significantly reduce the scope of
the PCI environment, companies must look to properly segmented networks to
protect their CHD.</div>
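<div class="MsoNormal">
To make the three scoping concepts concrete, here is an added Python example (not from the PCI guidance, the post, or any vendor) that classifies a constructed system inventory once on a flat network and again after a segmentation policy is applied, and then flags out-of-scope systems that can still reach the CDE through an intermediary. All system names and the allowed-connection policy are constructed.</div>

```python
"""Apply the scoping concepts quoted above to a constructed system inventory.

Added example, not from the PCI guidance or the post.  A system is classed as
CDE, "connected-to" (a direct communication path to or from a CDE system) or
out-of-scope; a flat network puts everything in scope, and segmentation
shrinks it.  The inventory and the allowed-connection policy are constructed."""
from collections import deque

SYSTEMS = ["pos-terminal", "payment-gateway", "card-db",
           "file-server", "hr-laptop", "marketing-site"]
CDE = {"pos-terminal", "payment-gateway", "card-db"}   # store/process/transmit account data

# Segmentation policy: which (source, destination) connections the controls allow.
ALLOWED = {
    ("pos-terminal", "payment-gateway"),
    ("payment-gateway", "card-db"),
    ("file-server", "pos-terminal"),      # e.g. inventory updates pushed to the terminal
    ("hr-laptop", "file-server"),
    ("hr-laptop", "marketing-site"),
}


def flat_network(systems):
    """A flat network: every system can reach every other."""
    return {s: set(systems) - {s} for s in systems}


def segment(network, allowed):
    """Keep only the connections the segmentation controls permit."""
    return {s: {d for d in peers if (s, d) in allowed} for s, peers in network.items()}


def pci_scope(network, cde):
    """Classify each system as 'CDE', 'connected-to' or 'out-of-scope'."""
    scope = {}
    for system, peers in network.items():
        if system in cde:
            scope[system] = "CDE"
        elif peers & cde or any(system in network[c] for c in cde):
            scope[system] = "connected-to"     # path to or from the CDE
        else:
            scope[system] = "out-of-scope"
    return scope


def in_scope(network, cde):
    """Sorted list of everything a PCI DSS assessment must cover."""
    return sorted(s for s, cls in pci_scope(network, cde).items() if cls != "out-of-scope")


def path_to_cde(network, start, cde):
    """Shortest multi-hop communication path from `start` into the CDE, or None."""
    parent, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node in cde:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in sorted(network.get(node, ())):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def segmentation_gaps(network, cde):
    """Out-of-scope systems that can still reach the CDE via an intermediary.

    The quoted guidance expects a properly segmented system to be unable to
    impact the CDE even under attacker admin control; a path like this needs
    explaining to the assessor, or the intermediary's controls need tightening."""
    gaps = {}
    for system, cls in pci_scope(network, cde).items():
        if cls == "out-of-scope":
            path = path_to_cde(network, system, cde)
            if path:
                gaps[system] = path
    return gaps


if __name__ == "__main__":
    flat = flat_network(SYSTEMS)
    print("flat network in scope:     ", in_scope(flat, CDE))
    seg = segment(flat, ALLOWED)
    print("segmented network in scope:", in_scope(seg, CDE))
    print("segmentation gaps:         ", segmentation_gaps(seg, CDE))
```

<div class="MsoNormal">
On the flat network all six systems land in scope; after segmentation only the three CDE systems and the file server remain, while the HR laptop is flagged because it still has a two-hop path into the CDE through that file server.</div>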
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><u>AppGate SDP</u></b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
When looking for tools to segment your networks, you can
always look to a myriad of firewall rules and antiquated third-party tools that
might get you to the desired state. But the solution being evaluated and
recommended by PCI QSAs for network segmentation is the Software-Defined
Perimeter (SDP).</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
AppGate SDP is the industry’s best and leading Software-Defined
Perimeter solution. Properly deployed,
AppGate SDP will reduce the scope of PCI DSS and other regulatory audits by
eliminating unnecessary devices, networks and appliances from the audit.
AppGate SDP makes any resources that are not specifically granted access to an
environment invisible to the environment, thus reducing the chance of
additional devices and resources being added to the evaluation.</div>
<div class="MsoNormal">
<br /></div>
<br />
<div class="MsoNormal">
Many companies are evaluating their annual PCI audit results
and looking for ways to remediate outstanding control gaps, especially those
involving the protection of their network access.
AppGate SDP addresses these requirements, as well as many of the other
PCI controls. More information about how AppGate SDP addresses PCI 3.2
requirements can be found in <a href="https://www.cryptzone.com/forms/meeting-pci-dss-controls-using-appgate">this
whitepaper</a>.</div>
<b>Ransomware SUCKS - Here are some things you can do... (2017-05-15)</b><div class="MsoNormal">
By now (unless you are living under a rock) you have heard
about the terrible WanaCry ransomware attacks infecting computers across the
planet. Seemingly, no business type is spared, and the malware isn’t just going
after businesses – lots of individuals are being infected as well.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
So here is a bit of info about the attack, and what
individuals and businesses can do to prevent it:</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #ea9999; font-size: large;">What is it: </span><br />
<br />
Ransomware
is software created by cyber criminals to encrypt the files on your computer,
thus blocking the user from being able to use the computer without paying a fee
(ransom), usually in untraceable Bitcoin or in gift cards such as Amazon and
iTunes.</div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-ftIacMGULJGOuweicbmvdKnRydE9p1j0XPATC98QDHaOn9brc1sR-znCw2b71lSj-3yVhabwkPCh7kkrHbBuKKz7lZ7sxDfAGajKvxLNYdka1-1Lu4g5ZnDc9Ofx3VpihOjmND77MEYT/s1600/WanaCry_Avast.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="297" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-ftIacMGULJGOuweicbmvdKnRydE9p1j0XPATC98QDHaOn9brc1sR-znCw2b71lSj-3yVhabwkPCh7kkrHbBuKKz7lZ7sxDfAGajKvxLNYdka1-1Lu4g5ZnDc9Ofx3VpihOjmND77MEYT/s400/WanaCry_Avast.jpg" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
In this latest iteration of ransomware, the bad guys used an
exploit that was released as part of an information leak from the
NSA, one that attacks a specific communications system on Windows
computers. Microsoft released a patch
for this in March 2017 to address the issue (<a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx">MS17-010</a>,
which can be found <a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx">here</a>),
but those without the patch are very much at risk of getting the malware on
their computers.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #ea9999; font-size: large;">What can individuals do:</span><br />
<br />
Individuals should consider the following
in regards to protecting their computer:</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><u>Windows Update:</u></b> Make certain that your Windows Update is set
to automatically download and install any critical updates. Windows Update is generally located in your
Control Panel, but may be in a different location depending on the version of
Windows that you are running.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><u>Install Anti-virus:</u></b> While certainly not a catch-everything solution,
find a good anti-virus program for your computer. There are lots of options out there – if you
have high speed Internet, there is likely a free download from your Internet
provider as part of your Internet service.
Check their websites for more information about downloading and
installing this free AV software. If you
do not have high speed Internet, there are still free options available. AVG and several other companies offer very
good and fast anti-virus software for your computer. There is really no excuse NOT to have
anti-virus software on your computer any longer, and it can act as a first line
of defense to protect you from the bad guys.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><u>Regular Backups:</u></b> If you become infected, the only way to get
your files back (without paying the ransom) is to restore from a backup of your
files. You can back up your data to the cloud
– lots of very inexpensive services out there that can do this for you. Or you
can do it yourself and back up to an external hard drive – again, very
inexpensive drives are available and easy to use. They can be found pretty much anywhere
(Amazon, Wal-Mart, even Sam’s Club had them on sale this past weekend). Those
pictures that you took over the weekend for Mother’s Day cannot ever be
replaced, so invest some time and effort in a good backup solution.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><u>Be Aware of What You Click:</u></b> Lastly, nothing mentioned above
will protect you from everything the bad guys can throw at you. You should be mindful about the websites you
visit, the emails you open, and the applications you install. If you do not know the source of an email or
application, DO NOT OPEN IT! If you don’t know whether a website is reputable, it is
probably not the best site to visit. Be smart about the things you see and do
on your computer – a little common sense will save you from these kinds of
nasty viruses.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #ea9999; font-size: large;">What IT Pros should do: </span><br />
<br />
In addition to everything listed
above (which I would certainly hope is already happening in your organization),
consider implementing technology that helps segment your networks, making
malware such as WanaCry less invasive.
Cyxtera CISO Leo Taddeo presented the Software-Defined Perimeter as a
viable solution / technology to combat these kinds of threats. You can see his
CNBC interview <a href="http://video.cnbc.com/gallery/?video=3000618624">here</a>:</div>
<div class="MsoNormal">
<br />
<a href="http://video.cnbc.com/gallery/?video=3000618624">http://video.cnbc.com/gallery/?video=3000618624</a><br />
<br /></div>
<div class="MsoNormal">
Firewalls and VPNs are decades-old technology, and the bad
guys create their viruses to take advantage of these antiquated technologies. A software-defined perimeter creates an
individualized network, specific to the resources authorized for a specific user. In addition to dynamic condition checking, it
is designed to confine a user to only the places that they are authorized to go,
thus protecting the majority of your company’s resources.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
You will hear more about solutions to defend your computers
and network in the coming days and weeks from every security / technology pundit
out there (likely me included). Regardless of the solutions that you choose to
augment your security and networks, make certain that it is one that is on the
cutting edge of today’s technology, with a strong vision of how to deal with the
emerging threats of the future.</div>
<b>Star Wars Day - Revisited! (2017-05-04)</b><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_AHpIZDDDLQma2xtzoUsur1O80roiTPX8bpywhYXph3RvtAXf_rL4Q87fv-7w6sCZjqb3Hp4hZa0svvlKlGH-Al9sh7E4exW0v4zINiGo3GrXuz8IjjaktGuqproPerJu8KtPV4zfRyBP/s1600/May4th-250x182.gif" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_AHpIZDDDLQma2xtzoUsur1O80roiTPX8bpywhYXph3RvtAXf_rL4Q87fv-7w6sCZjqb3Hp4hZa0svvlKlGH-Al9sh7E4exW0v4zINiGo3GrXuz8IjjaktGuqproPerJu8KtPV4zfRyBP/s400/May4th-250x182.gif" /></a><i>It just wouldn't be a Star Wars Day without me posting something about it. And I decided to revisit and repost my "Empire Information Security Failures" blog from last year, as it was extremely well received. You can find the original post for this year's blog on the Cryptzone website <a href="https://insight.cryptzone.com/general/happens-empire-fails-information-security/">here</a>.</i><br />
<br />
To celebrate Star Wars Day, I thought I would share a few ways in which Information Security best practices were not adhered to by the Empire, and enabled the Rebels to win.<br />
<br />
To be clear: I do not support the Empire, the Sith Lords nor any other types of scum and villainy. Nor am I trying to portray the Rebel Alliance as a weird, Force wielding, Galactic Hacker consortium or something. But had the Empire not been so lax in their security controls, Emperor Palpatine and his buddies might have been able to bring their “order and peace” to the galaxy.<br />
<b><br /></b>
<b>Social Engineering:</b> Social engineering is an attack that uses human interactions and plays on human weaknesses to break established security procedures.<br />
<br />
Scene: Luke and Han, dressed as Stormtroopers, escorting Chewbacca to the prison block (Star Wars IV: A New Hope).<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrc6MPH_N20mpGab_YzCq8qJ6Gk8fc7Raz2UIhbICNl9cr5tWlpZr6KQshTX49TsI8uKOGacMQzqSJaDwzxwGN_dFGf-ZASowseTD6zLPnHKW0oaneqO27nDpw7Md1ojJZ6nnXu6S9k_1M/s1600/Wookie-and-Stormtroopers-700x312.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="283" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrc6MPH_N20mpGab_YzCq8qJ6Gk8fc7Raz2UIhbICNl9cr5tWlpZr6KQshTX49TsI8uKOGacMQzqSJaDwzxwGN_dFGf-ZASowseTD6zLPnHKW0oaneqO27nDpw7Md1ojJZ6nnXu6S9k_1M/s640/Wookie-and-Stormtroopers-700x312.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i style="font-size: medium;">© Disney / Lucasfilm</i></td></tr>
</tbody></table>
Lots of things going on here. First, no one wants to mess with a Wookie. So others were less likely to get involved when they saw that the Wookie was being escorted by two (only two) Stormtroopers. Luke and Han knew that if they looked like they knew what they were doing, they could walk around in plain sight without being questioned by anyone. Even after arriving at the detention block, the supervising guard did not suspect them as being bad guys, and only questioned them on a matter of paperwork. Sure, everything fell apart at that point — one of the security controls finally kicked in. But Luke, Han and Chewie were able to walk pretty much anywhere they wanted on the Death Star by exploiting social engineering flaws.<br />
<br />
Lesson: People — not just the bad guys — exploit social engineering gaps every day. When was the last time you piggybacked someone into a controlled building? The really bad guys know this as well, using our politeness (holding a door open for someone) against us. It is extremely hard to break those habits, which is why your security guys are constantly reminding you about them. Who knows if the guy you are holding the door for is coming to blow up the building (or the Death Star)?<br />
<br />
<b>Identity and Access Management:</b> Identity and access management is the system used by entities to allow and prohibit access to resources controlled by the entity.<br />
<br />
Scene: Luke, Leia, Han and Chewie on the Shuttle trying to land on Endor (Star Wars VI: Return of the Jedi)<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYMOkKdluR0JdNVSy-Op-JMJMAfGqB-Lp2hXD0HBvWAkxQGwjbFdqkzmvmEnPU_fgtdvVqBTBFYWAbfnx_v5MrKPHVJ1TGmOTwS80fQvQMMDTxGBGa10rgt5hDC4xTYoBfODHvTTGLRSaB/s1600/Stars-Wars-700x525.jpg" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYMOkKdluR0JdNVSy-Op-JMJMAfGqB-Lp2hXD0HBvWAkxQGwjbFdqkzmvmEnPU_fgtdvVqBTBFYWAbfnx_v5MrKPHVJ1TGmOTwS80fQvQMMDTxGBGa10rgt5hDC4xTYoBfODHvTTGLRSaB/s640/Stars-Wars-700x525.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i style="font-size: medium;">© Disney / Lucasfilm</i></td></tr>
</tbody></table>
<br />
<br />
<div style="text-align: center;">
<br /></div>
<br />
The Rebels have stolen (property theft, probably due to lack of physical security controls on the part of the Empire) a small Imperial shuttle and are landing a team on Endor to blow up the shield generator protecting the second Death Star. Apart from using the Imperial shuttle, the Rebels have also stolen a security code that will allow the shuttle to land on the forest moon. There are multiple points at which the code could have been rejected, with the admiral even claiming that it was an older code. Eventually, the Rebels are given clearance and allowed to land.<br />
<br />
Lesson: Identity and Access Management is a difficult topic for most businesses. Larger businesses MUST have a solution for IAM in place, as their employees turn over much more frequently than in smaller companies. And unfortunately, there are always gaps — the employee who was terminated months ago still has an active security badge, because the two systems are not connected, and the administrator of the badge system was not notified (or was on vacation or whatever) that the employee was no longer with the company. All businesses need to have controls in place and audited regularly to make certain that there are as few gaps as possible.<br />
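The "audited regularly" part of that lesson is the piece that catches the disconnected-systems gap, so here is an added example (not code from the original post) of what such an audit looks like: a reconciliation of an HR roster export against a badge-system export that flags every active badge HR does not justify. The records and field names are constructed sample data, not any product's schema.

```python
"""Added example, not code from the original post: a reconciliation check for
the IAM gap described in the lesson, where the HR system and the badge system
are not connected, so a terminated employee keeps an active badge. The records
and field names below are constructed sample data, not any product's schema."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    name: str
    status: str                    # "active" or "terminated"
    terminated_on: Optional[date]  # None while still employed


@dataclass(frozen=True)
class BadgeRecord:
    employee_id: str
    badge_active: bool
    last_used: Optional[date]      # None if the badge was never presented


@dataclass(frozen=True)
class Finding:
    employee_id: str
    reason: str
    days_open: int                 # how long the gap has existed, 0 if unknown


# Constructed sample exports from the two unconnected systems.
HR_ROSTER: List[HrRecord] = [
    HrRecord("E100", "Wedge", "active", None),
    HrRecord("E101", "Biggs", "terminated", date(2017, 1, 15)),
    HrRecord("E102", "Porkins", "terminated", date(2017, 4, 28)),
    HrRecord("E103", "Hobbie", "active", None),
]

BADGE_SYSTEM: List[BadgeRecord] = [
    BadgeRecord("E100", True, date(2017, 5, 3)),
    BadgeRecord("E101", True, date(2017, 3, 2)),    # terminated in January, badge still live
    BadgeRecord("E102", False, date(2017, 4, 27)),  # revoked correctly
    BadgeRecord("E999", True, None),                # active badge, no HR record at all
]

AUDIT_DATE = date(2017, 5, 4)


def reconcile(hr: List[HrRecord], badges: List[BadgeRecord], today: date) -> List[Finding]:
    """Flag every active badge that HR does not justify, oldest gap first."""
    hr_by_id: Dict[str, HrRecord] = {r.employee_id: r for r in hr}
    findings: List[Finding] = []
    for b in badges:
        if not b.badge_active:
            continue   # a revoked badge is not a gap
        rec = hr_by_id.get(b.employee_id)
        if rec is None:
            findings.append(Finding(b.employee_id, "active badge with no HR record", 0))
        elif rec.status == "terminated" and rec.terminated_on is not None:
            reason = "active badge after termination"
            # A use after the termination date turns a stale record into an incident.
            if b.last_used is not None and b.last_used > rec.terminated_on:
                reason += " (badge used after termination)"
            findings.append(Finding(b.employee_id, reason, (today - rec.terminated_on).days))
    return sorted(findings, key=lambda f: f.days_open, reverse=True)


def audit_sample() -> List[Finding]:
    """Run the check over the constructed exports as of AUDIT_DATE."""
    return reconcile(HR_ROSTER, BADGE_SYSTEM, AUDIT_DATE)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.employee_id}: {f.reason} ({f.days_open} days)")
```

Run against real exports, the two findings this produces (a badge still live months after termination, and a badge with no owner in HR at all) are exactly the gaps the lesson describes; the "used after termination" marker is what separates a clean-up item from something that needs an investigation.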
<br />
<b>Data Security:</b> Data Security includes the methods used by an entity to protect all manner of data from those not authorized to use it.<br />
<br />
Scene: Princess Leia and her crew intercept the technical plans to the Death Star (Star Wars IV: A New Hope)<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqPOQn18fXacJhGn2yKJS9NmSAu8UVsW-qTmanEO5Un4JAB41fG1HiH0QNDwfDeasEm1KhBsME4Rb0N3ftpk5tGm-hCmeswqTcXyATuo8GL5l9cda-7bTMm-5mwDKuPJf-upjyn5x_nH2f/s1600/Princess-Leia-and-her-crew-intercept-the-technical-plans-to-the-Death-Star-700x393.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqPOQn18fXacJhGn2yKJS9NmSAu8UVsW-qTmanEO5Un4JAB41fG1HiH0QNDwfDeasEm1KhBsME4Rb0N3ftpk5tGm-hCmeswqTcXyATuo8GL5l9cda-7bTMm-5mwDKuPJf-upjyn5x_nH2f/s640/Princess-Leia-and-her-crew-intercept-the-technical-plans-to-the-Death-Star-700x393.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i style="font-size: medium;">© Disney / Lucasfilm</i></td></tr>
</tbody></table>
<div style="text-align: left;">
The very first scene in the very first movie (yes, the original Star Wars will ALWAYS be the first movie to me) starts with an epic space battle — the Empire is beating up a Rebel blockade runner that happens to be carrying Princess Leia and the technical plans of the first Death Star. The Rebels had intercepted those plans, and the Princess was in the process of delivering those plans back to her home world when she was captured. The Rebels had been a thorn in the side of the Empire to that point, but now they had the data necessary to severely cripple the Emperor’s plans of galactic domination using the Death Star.</div>
<div style="text-align: left;">
<br /></div>
Lesson: The Empire should have done a better job of securing the plans. In Rogue One: A Star Wars Story, we find out that the data was stored in the Imperial library on Scarif. We don’t know if the data drive that Jyn Erso stole was encrypted or not (another tenet of data security), but even if it was encrypted at rest, it was transmitted using an unsecured methodology, allowing the Rebel Alliance to intercept them (and break the encryption, if necessary). Most companies and entities have intellectual property / trade secrets / military secrets that they don’t want others to have. Not only should that data be encrypted and protected, but the networks and devices that send and store the data need to be protected as well.<br />
<br />
Some of these examples are a bit convoluted, and I am sure there are some out there that would like to debate the finer details of exactly what happened in the movie (message me — we can talk specifics (I had to amend some things for brevity’s sake)). But the point is that Star Wars Day is just another opportunity to remind you (and your employees and everyone else) about the importance information security has on so many aspects of our lives. If Star Wars makes that point a little more enjoyable, then I’ve accomplished that goal!<br />
<br />
Enjoy the day, and “May The Fourth” be with you!<br />
<br />
<b>Hybrid Cloud - Yes, You can!</b> (posted 2017-05-01)<br />
<i>I recently posted this blog on the Cryptzone website. You can find the original posting <a href="https://insight.cryptzone.com/general/hybrid-cloud-yes-can/">here</a>.</i><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNMGf4HdNqfs0QJ_A0omBjuw-DR1x3RHDlBmL5dL1PVxvAmvLrEX-84wTjSG7wXYsgNe0c2RCdfYevfFycfnizUpgis6f0LbhxK27kSuN877pnoSVwRtPxgxFP5e0FpP6SXiEWSJcgbYGa/s1600/What-is-the-Buzz-in-the-InfoSec-and-Cloud-Community-250x185.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNMGf4HdNqfs0QJ_A0omBjuw-DR1x3RHDlBmL5dL1PVxvAmvLrEX-84wTjSG7wXYsgNe0c2RCdfYevfFycfnizUpgis6f0LbhxK27kSuN877pnoSVwRtPxgxFP5e0FpP6SXiEWSJcgbYGa/s400/What-is-the-Buzz-in-the-InfoSec-and-Cloud-Community-250x185.png" /></a>I was recently with 7,500 of my closest Amazon AWS friends at the AWS Summit in San Francisco. Generally, when you go to an AWS conference, the talk is ONLY about AWS: the latest features, implementation and design, or optimization of the AWS configuration. And certainly – those conversations were happening. But from my vantage point in the Cryptzone booth, there was another conversation, one that I touched on a bit in my previous <a href="https://insight.cryptzone.com/general/aws-summit-san-francisco-chris-steffen-recap/">recap blog</a>. People at an AWS conference are finally talking about the hybrid cloud.<br />
<br />
The concept of a hybrid cloud is not new – in fact, it has been around long before the term was even coined. But the fact that customers / potential customers are searching for ways to integrate their AWS or public cloud infrastructure with their on premises resources is exciting to me for a number of reasons:<br />
<br />
1. Reality Check: For years, I have been preaching the benefits of a hybrid cloud solution. It never seemed realistic to me that an established company would dump 100% of all of their business workloads on a public cloud. Sure, your company could have been “born in the cloud” and optimized from the start to use only cloud-based resources. Some of those companies exist (and are THRIVING, BTW). But most companies that I have chatted with have adopted the cloud over time, meaning that they are in the process of migrating existing on premises workloads to a cloud infrastructure. I think that is great! Testing the waters in a measured and calculated fashion is often the best and most cost-effective way of taking advantage of cloud resources. Of course, those in the public cloud space would like you to move a little faster, but conducting a thorough evaluation of cloud solutions while maintaining your on premises environment just makes sense.<br />
<br />
2. Manageability: One of the many things that has been a barrier to public cloud adoption is the ability to manage users and resources in the public cloud with the same tools used on premises. Who wants to manage multiple IAM solutions? Also, users that attach to the cloud need to be able to do so without going through a dozen authentication steps. Simply put, IT administrators are hesitant to expose their users to any additional processes or environments that will exponentially increase the IT admin’s workload. Can you blame them? On this front, the great news is that the management solutions for hybrid cloud infrastructures are becoming more mature EVERY DAY! Because of this, those IT admins are not as skeptical about adding another layer of infrastructure to their environments, especially if they can all be managed without any significant changes to how the user would consume that infrastructure.<br />
<br />
3. Scalability: Moving workloads to a public cloud environment has always been about the ability to scale up a workload with very little effort – it is as simple as setting up an AWS account, starting up an instance, and deploying the workload. Easy peasy. Developers have realized this for a while now – creating testing environments for QA, demo and proof of concept for years. It also created a stealth IT problem (something that we will address in a different blog at some point). Traditional IT (and their risk managers, executives, and line of business decision makers) have become more and more comfortable with moving workloads to the cloud, and the ability to expand the technology footprint into this space is very appealing, not only from a time-to-market rationale, but from the enormous cost savings. And the inherent barrier of hybrid cloud integration and management preventing rapid growth has pretty much disappeared.<br />
<br />
As an IT professional, business leader or decision maker, once you cross that hump and gain comfort with having a hybrid cloud architecture for your company, you start to realize the benefits of having that kind of environment (again, the subject of a future blog). AppGate, from Cryptzone, is the perfect tool to bridge your on premises workloads with your AWS or other cloud provider environment(s).<br />
<br />
I challenge you to explore the tools and capabilities that are constantly being invented and revised to help your company embrace the benefits of a hybrid cloud architecture!<br />
<br />
<b>AWS Summit San Francisco...</b> (posted 2017-04-20)<br />
<i>I posted this blog on the Cryptzone website after the AWS Summit. You can find the original posting <a href="https://insight.cryptzone.com/general/aws-summit-san-francisco-chris-steffen-recap/">here</a>.</i><br />
<br />
Another great Amazon conference just wrapped up. The AWS Summit in San Francisco was earlier this week, and 7500 of my closest Amazon friends met at Moscone West to learn about the latest from AWS and their partners.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMLIULahckHcsNWnWtw5LzN0KKfBaecsoOVbJWDP6vLz7v3xgaRH8GveG2CYihjjSyoJb0_S4pscipN48HkcAPCADe3bvtQF4kcxc0fVUldX18hXb1RPmZU2jIjkxd0irRo2BawDLgVQxH/s1600/sad.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMLIULahckHcsNWnWtw5LzN0KKfBaecsoOVbJWDP6vLz7v3xgaRH8GveG2CYihjjSyoJb0_S4pscipN48HkcAPCADe3bvtQF4kcxc0fVUldX18hXb1RPmZU2jIjkxd0irRo2BawDLgVQxH/s320/sad.jpg" width="320" /></a></div>
<br />
Amazon does not traditionally make any major announcements at these Summits (they save those for the re:Invent conference in December), but they did make a couple anyway: a SaaS licensing model (in addition to the other models that they have) and a code writing interface called CodeStar for writing optimized applications on the AWS platform. You can read about these and all of the other announcements <a href="https://aws.amazon.com/blogs/aws/aws-san-francisco-summit-summary-of-launches-and-announcements/">here</a>.<br />
<br />
We had hundreds of people stop by the Cryptzone booth, interested in learning how AppGate can help secure their AWS and hybrid environment(s) and more about the Software-Defined Perimeter (SDP). And learning (for me at least) is always a two way street – I am constantly probing and prodding for the real world concerns that our customers and potential customers might be having. Here are the most common themes that I heard about while visiting with exhibitors and attendees in the expo hall:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnhZ5e6O3wOxtbUrIM7521st5IdwT4Yvn0KQQBxYW3odOhSk4GcW1EBorPer3q5Xv6F-1LZ-JG5y5flrMhza6e1I3T1iwQPFvDHHAW7Jrh4gVGj6aVahZhPq4GDF1eFV3SKkvfTh5fI4Y7/s1600/sdsd.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="292" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnhZ5e6O3wOxtbUrIM7521st5IdwT4Yvn0KQQBxYW3odOhSk4GcW1EBorPer3q5Xv6F-1LZ-JG5y5flrMhza6e1I3T1iwQPFvDHHAW7Jrh4gVGj6aVahZhPq4GDF1eFV3SKkvfTh5fI4Y7/s320/sdsd.jpg" width="320" /></a></div>
<b><br /></b>
<b>ANOTHER Security Product for AWS: </b>Yes, as you might imagine, there were MANY security vendors at the Summit (and at re:Invent), all claiming that you need to buy their product or your AWS environment will perish and be wiped from the Earth. Well, as much as I appreciate the zeal of our competitors in the security space, those attending AWS are a bit more sophisticated than that – they understand that security in AWS may not be perfect, but it is pretty decent for what their requirements are, and that any third party security solution needs to address specific shortcomings that they see in their environments. The sky is not falling, and they are looking for a partner that will make their enterprise more secure and easier to manage.<br />
<br />
<b>Addressing the Hybrid Cloud:</b> It is almost blasphemy to discuss environments that are not AWS while at an AWS Summit. But the fact is that every person I talked to had workloads that were NOT located exclusively in the AWS cloud – every one of them had some kind of hybrid environment. Connecting and managing those separate environments is a challenge, and IT professionals are looking for ways to solve this challenge. Thankfully, AppGate is the solution!<br />
<br />
<b>Compliance is Lurking:</b> While seemingly never front and center at these events, addressing regulatory compliance considerations is always in the back of people’s minds. So many of the security solutions on the market are purchased – at least in part – to address a compliance-related concern. Security professionals often do not have the luxury of purchasing a tool only for compliance reasons. They are very aware however (and are showing greater awareness) of how a particular tool can be used to address compliance regulations while solving their security needs.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmZipo2N5Fb8I_kqB_wQHAc0lrfxF6M7IbRSm4lbLFns_gOPshpGqVUoGqD9i5Cu7vC2FCEnkAKemlIA7O9WYjzMhzIQ1b452ik1CMmJsRBH0fzN2DMlcXMXDlEFFhULqJfCeO-tzULcoS/s1600/ddssd.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="75" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmZipo2N5Fb8I_kqB_wQHAc0lrfxF6M7IbRSm4lbLFns_gOPshpGqVUoGqD9i5Cu7vC2FCEnkAKemlIA7O9WYjzMhzIQ1b452ik1CMmJsRBH0fzN2DMlcXMXDlEFFhULqJfCeO-tzULcoS/s320/ddssd.jpg" width="320" /></a></div>
<br />
As I said – great conference, and I am looking forward to the future AWS Summits / conferences / meetups!<br />
<br />
<b>Beards - Make Faces Great Again...</b> (posted 2017-01-23)<br />
Lately, I've been trying to stay out of the social media world. Too much has been going on, and social media has been a VERY caustic place, regardless of the topic or view. But I promise that I haven't fallen off the earth. You will see more from me as we approach the RSA conference in a couple of weeks, I promise.<br />
<br />
In the meantime, a former colleague and very good friend sent me this sticker. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUW4Bnt7Nvq_jt3KiGMFCllTmPTdCoF_TtJy-95lTN6J7x7xxcndnw0FKOKAkBxYayNHf0xQCuwpQgf2ejim8a3zhyHDl4ycWbd1TZO_qY0RLVjjmZCYX-JPbY-pIW8jO4TN5uSP7kSCIi/s1600/Beards+great+again.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="330" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUW4Bnt7Nvq_jt3KiGMFCllTmPTdCoF_TtJy-95lTN6J7x7xxcndnw0FKOKAkBxYayNHf0xQCuwpQgf2ejim8a3zhyHDl4ycWbd1TZO_qY0RLVjjmZCYX-JPbY-pIW8jO4TN5uSP7kSCIi/s640/Beards+great+again.jpg" width="640" /></a></div>
<br />
<br />
Again, no political message intended. But this site *IS* The Security Beard, right?<br />
<br />
<b>AWS re:Invent - Day 1...</b> (posted 2016-11-29)<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
Greetings from Las Vegas! Today is the official start of the AWS re:Invent 2016 conference, and it is already off to a great start.<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRvrmtH2P7ZQsuM3McqvOfaHk6vtWinKE25avovlfdE7RMIhG0yV3mtmQwqKiViw9AH8gjsEamkkQMNouXWqGpoG9SRePfQ-V3wy99NfUAxXMc9J64Mb2FQxvIH-GpuXf5mkWi2-6kMQia/s1600/AWS+Welcome.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="163" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRvrmtH2P7ZQsuM3McqvOfaHk6vtWinKE25avovlfdE7RMIhG0yV3mtmQwqKiViw9AH8gjsEamkkQMNouXWqGpoG9SRePfQ-V3wy99NfUAxXMc9J64Mb2FQxvIH-GpuXf5mkWi2-6kMQia/s320/AWS+Welcome.jpg" width="320" /></a></div>
<div>
<br />30,000 attendees are expected to gather at the Venetian and Sands Expo center for 3 days of all things AWS cloud.<br /><br /><a href="https://www.cryptzone.com/">Cryptzone</a> has a huge presence at the conference, with over a dozen people attending, including most of the executive team. We are in booth 1918 on the show floor, so stop by and say hello. I will personally be there for quite a bit of the show, or out roaming the floor. If you are looking for me, check there first, and if I am not there, the guys at the booth will be able to find me. </div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh99jcnUQTXDGUGTTC6NkyljpqO7YNbBLmNNzDY-NfOZjq3E-e5BI9JhCz24NLZFU1k6kQvr_-8-E51JpPN81hl3mHvqNTMAM93fRrh9z7Evi3SeO_KHD486MB01JwXTLnIq_TX1qqr2Wgv/s1600/IMG_4553.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh99jcnUQTXDGUGTTC6NkyljpqO7YNbBLmNNzDY-NfOZjq3E-e5BI9JhCz24NLZFU1k6kQvr_-8-E51JpPN81hl3mHvqNTMAM93fRrh9z7Evi3SeO_KHD486MB01JwXTLnIq_TX1qqr2Wgv/s320/IMG_4553.JPG" width="240" /></a></div>
<div>
<br />If you are at the conference, and looking for a solution for pretty much anything that is cloud related, this is the place to be. There are hundreds of exhibitors, representing the best in class that AWS has to offer. <br /><br />This conference is also one of those that brings out the world’s experts at AWS and cloud computing. Some may seem a little scary, but I promise, they are the absolute best at what they do and are here to figure out better ways to help solve your cloud challenges. Don’t be afraid of chatting with them before a session or at one of the meals.<br /><br />I don’t intend on writing a huge blog every day, but I will share some of the things I find particularly interesting as the show continues. You can also follow me on Twitter - <a href="https://twitter.com/cloudsecchris">@CloudSecChris</a> – where I will be giving almost constant updates.<br /><br />Stay tuned!</div>
<br />
<b>Cyber Monday Shopping Security Tips...</b> (posted 2016-11-28)<br />
This blog originally appeared on the Cryptzone blog site. You can find the original <a href="http://insight.cryptzone.com/general/4-cyber-monday-shopping-security-tips/">here</a>.<br />
<div>
<br /></div>
<div>
Cyber Monday will be the largest online shopping day in history according to a <a href="http://www.cmo.com/adobe-digital-insights/articles/2016/10/19/adi-holiday-predictions-report-2016.html">recent Adobe Digital Insights report</a>. Thanksgiving Day will show the fastest growth, reaching $2 billion in online sales (15% YoY growth), Black Friday will reach $3.05 billion (11.3% YoY growth), and Cyber Monday will hit $3.36 billion in online sales (9.4% YoY growth).<br />
<br />
Guess what? The bad guys also know that you want to spend money online, and Cyber Monday is a big day for them as well. While <a href="https://www.cryptzone.com/">Cryptzone</a> is not going to directly protect you from credit card fraud, as a security company, we believe in sharing tips and tricks to make everyone more secure, especially during this holiday season. Here are a few tips to consider before you order the latest video game or electronic device online today or this holiday season:<br />
<div>
<ul>
<li><b>Always choose a reputable site. </b>There are soooooo many great e-commerce sites available to choose from. Chances are that you may have ordered from one before. Stick to sites that you know or have done business with previously. Many “brick and mortar” companies have websites offering great deals as well.</li>
<li><b>If it sounds too good to be true, it probably is.</b> If you decide to travel off the beaten path to find that epic deal, you may not be getting what you want. Worse, you may not get anything at all. Make certain to do a little research about the product and the company that you are buying from before passing along your credit card information.</li>
<li><b>Beware email and text messages.</b> There are lots of scams this time of year from bad guys supposedly coming from reputable retailers asking you to verify or update your personal information. Be very cautious clicking on links that ask you to enter additional information. It is always a good idea to manually go to a website directly, or, better yet, call the retailer, if you need to update your personal information.</li>
<li><b>Use a credit card with fraud protection.</b> Check with your credit card company about their fraud protection policies. Most credit cards have some level of protection associated with them, but it is better to know exactly what those limits are. Also, if possible, use a credit card instead of a debit card to make online purchases. Generally speaking, a credit card will offer you greater protection and security, while your bank’s debit card will impound your funds while they conduct a fraud investigation.</li>
</ul>
</div>
<div>
We hope you have a wonderful holiday season, and remember to be safe and smart with your celebrations and purchases!</div>
</div>
<br />
<b>Geek's Guide to Things to See At AWS re:Invent 2016</b> (posted 2016-11-23)<br />
<i><span style="color: #9fc5e8;">NOTE: I have received ZERO compensation for any of the businesses listed here, nor are they “officially” recommended by anyone else besides myself. Also, I originally wrote a very similar <a href="https://community.hpe.com/t5/Grounded-in-the-Cloud/An-Insider-s-Guide-to-Things-to-Do-in-Vegas-While-at-HPE/ba-p/6861477#.WDMf2bJlCbg">blog</a> for another conference earlier this year. But the recommendations are still very valid, and worth sharing again.</span></i><br /><br />I know that you are likely at AWS re:Invent next week, and it is about time to finalize your conference schedule and decide what to do when you are not at the conference (when you are not visiting the <a href="https://www.cryptzone.com/">Cryptzone</a> booth, of course!). If you are looking for something apart from computers and conferences to do, Vegas has it all. You can always look to the free “What to Do In Las Vegas” magazines for shows and other attractions, but I thought I would recommend a few things off the beaten path and more tailored to the crowd that will be attending the re:Invent conference – things that don’t require taking out a second mortgage or testing your luck with a one-armed bandit.<br /><br /><b>Obligatory Free Stuff: Fountains, Gardens, Water Shows, and Volcanoes. </b><br /><br />The Strip can overwhelm the senses – from lights to smells to sounds. And the casinos have to pull you in somehow, so many offer free shows and attractions that are worth seeing. If you make your way down to the Bellagio, the Dancing Fountains are a Vegas “must see” attraction. 
While you are there, my wonderful wife would have me tell you to pop in and visit the Bellagio Conservatory, which rotates several times a year with the seasons. Next to the Venetian is the Wynn Las Vegas, and behind that man-made mountain of pine trees is actually a pretty cool water show at the Lake of Dreams. Lastly, across the Strip at the Mirage, the Volcano erupts several times every evening, usually on the hour. While not quite Yellowstone, it doesn’t have the sulfur smell that you have to put up with to see the real thing… <br /><br /><b>Get Your Geek On: The Toy Shack and Antiquities</b><br /><a href="http://lasvegastoyshack.com/">http://lasvegastoyshack.com/</a><br /><a href="http://www.antiquitieslv.com/">http://www.antiquitieslv.com/</a><br /><br />If you make your way to Downtown Las Vegas (the Deuce bus picks up right in front of the Venetian, and I think it is $8 for a 24-hour pass), make certain to check out the Toy Shack. They specialize in sci-fi and vintage toys, especially from the 80s. Very cool Star Wars and GI Joe selection. But bring $$$. You will need it. A little closer to the Venetian at the Caesar’s Forum Shops is Antiquities. They have an awesome selection of exclusive memorabilia such as signed movie posters, but also have a good selection of loose action figures in the back of the store.<br /><b><br />Serious Reading: Bauman Rare Books</b><br /><a href="https://www.baumanrarebooks.com/">https://www.baumanrarebooks.com/</a><br /><br />On the second floor of the Palazzo shopping mall is my favorite store / museum in all of Las Vegas: Bauman Rare Books. This is not Barnes and Noble. This is where you come to find that signed first edition or extremely rare copy. They also have one-of-a-kind historical artifacts (I don’t know what else to call them) for sale – they had an original copy of the Declaration of Independence for sale there at one point, and currently have a copy of the Nuremberg Chronicles on display (printed in 1493). 
If you hit it big (and I mean real big) on the tables or slots, you might be able to afford something from this store. But it is free to have a look, and Rebecca Romney (store manager) will be happy to show you around.<br /><b><br />Pinball Wizard: The Pinball Hall of Fame and Museum</b><br /><a href="http://www.pinballmuseum.org/">http://www.pinballmuseum.org/</a><br /><br />I have no idea why this place doesn’t receive more exposure, but the Pinball Hall of Fame (PHoF) is maybe one of the coolest things in Las Vegas. They have over 150 playable pinball games – all in one place! Entrance to the PHoF is free, and all of the proceeds from the game play go to charity. Even if you are not a Pinball Wizard, this place is worth a look. It is a little ways from the conference, but the website has a decent map and bus routes. <br /><br /><b>Old School Vegas: The Neon Museum and Fremont Street Experience</b><br /><a href="http://www.neonmuseum.org/">http://www.neonmuseum.org/</a><br /><br />Make your way back to Downtown Las Vegas in the evening – the table game minimums are much more reasonable and the slots are far looser (if that is your thing). The canopy that hangs over Fremont Street downtown is part of the Fremont Street Experience – a 5-8 minute show that starts on the hour after dark, and synchronizes to really good music. Worth seeing if you never have. While you are down there, a block off of Fremont Street is the Neon Museum. This is the place all the old casino neon signage comes to rest, and it is especially cool at night when it’s all lit up. <br /><br />I hope these suggestions help you journey out on the town. There are sooooo many more things to do in Vegas that I didn’t have space to list - look me up at the Cryptzone booth (Booth #1918) while you are at the conference and we can compare notes! 
<br /><br />See ya there!csteffenhttp://www.blogger.com/profile/18204341510447329666noreply@blogger.com0tag:blogger.com,1999:blog-3388688827196942343.post-68178372349047751482016-11-22T07:48:00.000-07:002016-11-22T07:48:01.123-07:00Geek's Guide to Where to Eat While At AWS re:Invent 2016<i><span style="color: #9fc5e8;">NOTE: I have received ZERO compensation for any of the businesses listed here, nor are they “officially” recommended by anyone else besides myself. Also, I originally wrote a very similar <a href="https://community.hpe.com/t5/Grounded-in-the-Cloud/Discover-LV-2016-Where-to-Eat/ba-p/6861472#.WDMf37JlCbg">blog</a> for another conference earlier this year. But the recommendations are still very valid, and worth sharing again.</span></i><br /><br />AWS re:Invent is next week, and it is about time to finalize your conference schedule and decide what to do when you are not at the conference (when you are not visiting the <a href="https://www.cryptzone.com/">Cryptzone </a>booth, of course!). When you are looking to break away from the conference action for a meal or two, here are a few recommendations that are a little outside of the usual ones that you will read in all of the free “What to Do In Las Vegas” magazines that seem to be everywhere.<br /><b><br />Best Place for a Business Meeting: Delmonico Steakhouse</b><br /><a href="http://emerilsrestaurants.com/delmonico-steakhouse">http://emerilsrestaurants.com/delmonico-steakhouse</a><br /><br />To start, I included Delmonico’s at the Venetian for a few reasons, even though it is on practically EVERY one of the recommendation lists I was mentioning above. First, you will be hard pressed to find a better steak in Vegas, especially at the price. No, they are not the cheapest (nor the most expensive), but they are quite excellent. And the service is very very good. Second, if you are going to re:Invent, Delmonico Steakhouse is located in the same building as the conference (sort of). 
But lastly, and the reason I mention this at all: if you are reading this, and have any plans on eating there while there is a conference going on, you had better make a reservation now. You will not be eating there (or any of the finer restaurants at the Venetian) if you do not plan a little ahead and make a reservation. The link is above. Take the time to enjoy the bone-in ribeye. The lobster bisque makes a great appetizer, and so does Emeril’s gumbo. <br /><br /><b>Best Old School Las Vegas Coffee Shop: Peppermill</b><br /><a href="http://www.peppermilllasvegas.com/">http://www.peppermilllasvegas.com/</a><br /><br />The Peppermill is excellent. It is where the locals go to eat on the Strip, and by locals I mean pretty much anyone who is anyone. It is open 24 hours (like many things in Vegas), and this tends to be where a lot of the performers for all of the shows on the Strip go to get a bite to eat after their performances. Great food. And if you are really daring – order the fruit plate. Take a picture. And if you finish it – ALL OF IT – you are my personal hero.<br /><br /><b>Best Secret Restaurant: Secret Pizza </b><div>
(no url… it’s a secret)<br /><br />Yeah, not so much anymore, as it is sooooo good. Secret Pizza is in the Cosmopolitan Casino and Resort, a few blocks south of the conference. They are known to have some of the all-time best pizza anywhere, so maybe it is worth the visit. To find it, go up to the restaurant floor (third floor). At the left of the Jaleo restaurant, there is a narrow hallway with album covers lining the wall. Go down this hallway to the pizza place. <br /><b><br />Best Spot for Breakfast: Hash House A Go Go</b><br /><a href="http://www.hashhouseagogo.com/">http://www.hashhouseagogo.com/</a><br /><br />I am not really certain how best to describe the Hash House. The food there is incredible, and the quantities are huge. If you are a “breakfast is the most important meal of the day” type of person, this is your place. And while their ingredients are as fresh as they come, this place is not for the “healthy” types. It is always voted as one of the best breakfast spots in pretty much every location where they have a restaurant. <br /><b><br />Best Restaurants for Those on a Budget: White Castle and Denny's at Casino Royale</b><br /><a href="http://www.whitecastlevegas.com/">http://www.whitecastlevegas.com/</a> <br /><a href="http://locations.dennys.com/NV/LAS-VEGAS/200141">http://locations.dennys.com/NV/LAS-VEGAS/200141</a><br /><br />Probably not what you consider gourmet dining by any means, especially when there are so many awesome options in Las Vegas. But there are times that you just want to eat and then get back to the conference (or tables), and the Casino Royale, located right next to the Venetian, actually has some pretty decent low-cost options. White Castle moved there a couple of years ago, and their sliders are of special renown (I personally think their crinkle cut fries are the best). The Denny’s has just been completely remodeled, and also happens to be the most profitable Denny’s in the world. 
Again, maybe not where you want to take a prospective customer, but a person’s gotta eat, right?<br /><br />I hope these have been interesting for you. The next part of this series will be a brief list of things to see and do while at the re:Invent conference. <br /><br />See ya there, and make certain to stop by the Cryptzone booth at the conference – Booth #1918</div>
csteffenhttp://www.blogger.com/profile/18204341510447329666noreply@blogger.com0tag:blogger.com,1999:blog-3388688827196942343.post-30362745547546128242016-11-17T14:07:00.001-07:002016-11-17T15:02:12.741-07:00AWS Data Compliance: 4 Tips for Decreasing Audit Times...<i><span style="color: #9fc5e8;">If you are an IT professional, chances are that you are dealing with audit and compliance pressures. I penned this blog for <a href="https://www.cryptzone.com/">Cryptzone </a>to discuss some simple ways to decrease your audit exposures in your AWS cloud. You can find the original post <a href="http://insight.cryptzone.com/network-security/aws-data-compliance-4-tips-for-decreasing-audit-times/">here.</a></span></i><br />
<br />
When we talk to customers about moving workloads to the cloud, one of the top barriers they inevitably raise is compliance-related activity. They feel they understand the technology, how it works and how it will be implemented, but they still have concerns about how they will deal with audit and regulatory compliance issues. In addition, companies are always looking for ways to decrease the time and complexity of their audits.<br />
<br />
The bad news is that moving workloads into the cloud will nearly always increase the complexity of an audit, and with it the time it takes to conduct one. How complex the audit will be is determined by many factors, some of which the enterprise can control and some that are inherent to auditing in the cloud (under a shared-responsibility model, part of the evidence comes from the provider’s own attestations rather than from systems you operate). The good news is that there are steps a company can take to decrease the complexity of the audit, and hopefully decrease the amount of time auditors spend evaluating your cloud infrastructure.<br />
<br />
Companies considering moving their workloads to the cloud should keep the following audit tips in mind:<br />
<b><br /></b>
<div>
<b>1. Understand The Auditors</b><br />
<br />
Before a company embarks on their workload migration to the cloud, consult the auditors that will be evaluating the cloud environment. Many of the large auditing firms have finally released guidance about how best to implement cloud solutions, and can share the controls that they will be using to evaluate workloads in the cloud. Many times, it is far easier to implement these standards at the very start than to try to retroactively remediate a particular control.</div>
<div>
<b><br /></b>
<b>2. Understand The Regulations</b><br />
<br />
Just as it is important to understand those who will be evaluating the environment, it is also important to understand the specifics of the regulations that govern your company. For example, there may be regulations about where a company’s data can be stored (because of the sensitive nature of the data). Most of the cloud providers (including AWS) let you choose the region in which workloads and data are hosted, but it is important to fully understand how data locality will impact your cloud solution: selecting a region constrains where the primary copy lives, and you still need to verify where backups, replicas, logs and provider support access end up. <a href="https://aws.amazon.com/compliance/">AWS has already evaluated</a> many of the common regulatory standards, and provides guidance on how best to implement a cloud solution within their environment.</div>
<div>
<b><br /></b>
<b>3. Decrease Scope</b><br />
<br />
While most auditors will never suggest that they would prefer to audit less (they are usually paid by the billable hour), they will admit that reducing the number of systems in an audit will generally decrease its cost, time and complexity. Companies should consider how systems are connected and develop an architecture that minimizes the number of systems in audit scope, typically by segmenting the in-scope workloads so that only the systems that can actually reach them are included. <a href="https://www.cryptzone.com/products/appgate/for-aws">AppGate for AWS</a> embraces <a href="https://www.cryptzone.com/pdfs/Case-Studies/SageNet-Case-Study.pdf">this concept</a>. It is a Software-Defined Perimeter solution that delivers highly granular access control, reduces audit scope and provides detailed logging of user access and activities to efficiently feed audit request data needs.</div>
<div>
<b><br /></b>
<b>4. Tools / Logging for the Cloud</b><br />
<br />
Companies should take advantage of tools and capabilities specifically designed for cloud infrastructure to decrease audit complexity. Logs from cloud resources (API activity, configuration changes, authentication events) should be collected by a centralized and easy-to-manage log management tool, and the collected logs should be protected from modification so that they hold up as evidence. <a href="https://www.cryptzone.com/products/appgate">Security tools</a> should have robust logging and event-capturing capabilities. These tools should be able to correlate important events and generate reports for auditors to use as evidence of control compliance.<br />
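To make tip 4 concrete, here is an added example (not from the original post, and not a Cryptzone or AWS tool) that turns a batch of CloudTrail records into the three pieces of evidence auditors most often ask for: root account usage, console logins without MFA, and IAM permission changes. The records are constructed for the example but use CloudTrail’s real field names (eventName, eventSource, userIdentity, additionalEventData.MFAUsed); the set of IAM event names is illustrative, not exhaustive.

```python
"""Turn raw CloudTrail records into the evidence an auditor actually asks for:
IAM changes, console logins without MFA, and any use of the root account.
Stdlib only; the records below are constructed for this example but follow
CloudTrail's real JSON field names."""
import json
from collections import defaultdict

# Constructed sample: one batch of CloudTrail records as delivered to S3.
SAMPLE_BATCH = json.dumps({"Records": [
    {"eventTime": "2016-11-01T14:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2016-11-01T14:05:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2016-11-01T15:10:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2016-11-01T16:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-west-2",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2016-11-01T16:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-west-2",
     "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc"}},
]})

# IAM API calls that change who can do what; illustrative, not exhaustive.
IAM_CHANGE_EVENTS = {
    "CreateUser", "DeleteUser", "CreateAccessKey", "AttachUserPolicy",
    "DetachUserPolicy", "PutUserPolicy", "AttachRolePolicy", "PutRolePolicy",
    "UpdateAssumeRolePolicy", "CreateLoginProfile",
}

def actor(record):
    """Human-readable principal: 'root', an IAM user name, or the ARN."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn", "unknown")

def audit_findings(raw_batch):
    """Group the records into the three evidence buckets an auditor checks."""
    findings = defaultdict(list)
    for rec in json.loads(raw_batch)["Records"]:
        who, when, name = actor(rec), rec["eventTime"], rec["eventName"]
        if who == "root":
            # Any root usage is reportable; the control is "root is not used day to day".
            findings["root_activity"].append((when, name, rec.get("sourceIPAddress")))
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings["console_login_without_mfa"].append((when, who, rec.get("sourceIPAddress")))
        if rec.get("eventSource") == "iam.amazonaws.com" and name in IAM_CHANGE_EVENTS:
            target = rec.get("requestParameters", {})
            findings["iam_changes"].append(
                (when, who, name, target.get("userName") or target.get("roleName"),
                 target.get("policyArn")))
    return dict(findings)

def evidence_report(raw_batch):
    """Plain-text summary suitable for attaching to an audit request."""
    lines = []
    for bucket, items in sorted(audit_findings(raw_batch).items()):
        lines.append(f"{bucket}: {len(items)}")
        for item in items:
            lines.append("  " + " | ".join(str(x) for x in item if x is not None))
    return "\n".join(lines)

if __name__ == "__main__":
    print(evidence_report(SAMPLE_BATCH))
```

Routine read-only activity (the S3 GetObject by an instance role) is deliberately left out of the report; the point of correlation is that the auditor gets the handful of events that map to a control, not the full firehose.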
<br />
While certainly not a complete list, companies that use these suggestions before and after implementing their workloads in the cloud will find that their audit times will significantly decrease, and the brain damage that comes with dealing with compliance regulations will decrease as well.<br />
<br />
For IT professionals, regulatory compliance has become a major facet of the job. But we should not let it intimidate us out of taking advantage of the benefits of moving to the cloud.<br />
<br />
<i>You can find more information about Cryptzone <a href="https://www.cryptzone.com/">here</a>. The Forrester Research whitepaper “Forrester – “No More Chewy Centers: The Zero Trust Model of Information Security” can be found <a href="https://www.cryptzone.com/forms/forrester-no-more-chewy-centers">here</a>. You can also read additional Cryptzone blogs by going <a href="http://insight.cryptzone.com/">here</a>.</i></div>
csteffenhttp://www.blogger.com/profile/18204341510447329666noreply@blogger.com0tag:blogger.com,1999:blog-3388688827196942343.post-33413446619859637982016-11-08T15:20:00.003-07:002016-11-08T15:20:31.910-07:00The Day After...<div style="text-align: center;">
<span style="background-color: white; color: #1d2129; font-family: Helvetica, Arial, sans-serif; font-size: 14px;"><i>I was hoping this day would come. I know it is still early, but - like I said - I'm hopeful!</i></span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEFt7teMPbpPIochz55kiK_MgO3hkbRyU1WWFS7jznTod-XxgKxcmrlc98LLgWrksJe4Qbu8vh5jnTPMdgVlWVtICK7To-4B5glnL6LPFSGpw4tDTpi1hDYDswV03V6IIJb6c85tE0paVE/s1600/110916.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="478" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEFt7teMPbpPIochz55kiK_MgO3hkbRyU1WWFS7jznTod-XxgKxcmrlc98LLgWrksJe4Qbu8vh5jnTPMdgVlWVtICK7To-4B5glnL6LPFSGpw4tDTpi1hDYDswV03V6IIJb6c85tE0paVE/s640/110916.jpg" width="640" /></a></div>
<span style="background-color: white; color: #1d2129; font-family: Helvetica, Arial, sans-serif; font-size: 14px;"></span>csteffenhttp://www.blogger.com/profile/18204341510447329666noreply@blogger.com0tag:blogger.com,1999:blog-3388688827196942343.post-31619348901868257712016-11-03T06:33:00.000-06:002016-11-03T06:33:00.014-06:00Why Cloud Security Expert Christopher Steffen Joined Cryptzone...<i><span style="font-family: inherit;">Apart from the title being slightly self-serving, I wanted to share this first "official" blog that I wrote for my new company Cryptzone. You can see the original post <a href="http://insight.cryptzone.com/secure-access/why-cloud-security-expert-christopher-steffen-joined-cryptzone/">here</a>, and you can learn more about Cryptzone <a href="https://www.cryptzone.com/">here</a>. </span>Enjoy!</i><br /><br />Over the weekend, I <a href="https://medium.com/@csteffen/on-to-the-next-adventure-53a5a45b3c1#.5flh1h1bl">shared</a> how excited I was to join the Cryptzone team as a Technical Director. I wanted to share a few insights into my move, and why I chose Cryptzone as my new home away from home.<br /><br /><b>Technology: </b>There are literally thousands of technology companies out there, and many of them focus on (or at least pay attention to) the issues that I particularly like to advocate: information security and compliance. Cryptzone is a company dedicated to these issues, and takes a unique approach to all of them. <a href="https://www.cryptzone.com/products/appgate">AppGate</a> is the industry leader in the emerging Software Defined Perimeter (SDP) space, providing security solutions with identity centric security controls to the enterprise while protecting resources from internal and external threats. <a href="https://www.cryptzone.com/products/security-sheriff">Security Sheriff</a> is a product that helps enforce compliance and data security policies for many of your compliance controls. 
<a href="https://www.cryptzone.com/products/compliance-sheriff">Compliance Sheriff</a> provides users with a means to monitor online content for potential compliance issues across digital environments – keeping information safe, appropriate and within regulatory guidelines. These products are leaders in their respective spaces, used by private and public sector customers to address security and compliance needs.<br /><br /><b>Innovation:</b> If you follow the information security industry at all, you know that there are dozens of security products to address every potential security concern an enterprise may have. Cryptzone may have been dismissed before as just another vendor in the already crowded security software space. <br /><br />
<div style="text-align: center;">
<i><b>Until you actually look at what they do.</b></i></div>
<br /><br />
The <a href="https://www.cryptzone.com/products/appgate/why-a-software-defined-perimeter">Software-Defined Perimeter paradigm</a> is a radically different approach to network and identity centric security. The entire AppGate concept is different enough – authenticating the user before they have access to ANY resources at all – that it often takes a couple of explanations to get it, even for the most seasoned security or network professional. Once they *DO* understand the concept, the first question usually is “Where has this been all my life?” I can happily share examples of the technical overview with you, but it blew my mind the first time I saw it. Enough so that I knew then that I was EXTREMELY interested in the revolution that was SDP and Cryptzone.<br /><br /><b>Message:</b> Cryptzone is unique in the security industry. Often you hear the tales of doom and gloom that accompany most security services and product sales – buy our stuff or your company will be hacked out of existence! The fear marketing happens at nearly every company, and I guess it must work, to some extent. Cryptzone takes a different approach – providing a security solution and support to a customer or partner trying to address security and compliance challenges to protect their enterprise. REFRESHING!! As an industry, I think we need to move away from the scare tactics and focus on solutions. While I was able to do this to some degree in my previous professional endeavors, Cryptzone embraces the concept.<br /><br /><b>Culture:</b> I walked into a room with co-workers for the very first time, and the first comment that I was greeted with was “I had better step up my beard game.” No, I do not make employment decisions based on the beards in the room (though that may not be a terrible criterion), but it speaks to the welcoming and collegial atmosphere of the company. 
My previous professional experiences have varied – from the large, Fortune 50 technical company, to the small manufacturing company, to the small financial services company, to the public sector. Each has been different, and each has their positives and negatives. <br /><br />Cryptzone is an established “start-up”, though it is different than any start-up I have seen or been a part of. It is established and funded, has mature products, industry leadership and all of the usual infrastructure that you would expect from a well-run company. Yet there is definitely a start-up vibe – excited, driven, innovative, and fun. I have been immediately embraced as a person, not just another employee, engaged at every level about my ideas and suggestions. It is the dream of every person to work in an environment where they are valued. Cryptzone convinced me of this on the very first day (actually long before that).<br /><br />I blog ALL THE TIME – this is the first of MANY <a href="http://insight.cryptzone.com/">blogs</a> that I will create for Cryptzone. I am planning a series on a <a href="https://www.cryptzone.com/forms/forrester-no-more-chewy-centers">recent Forrester Research report</a> that you should be able to read soon, as well as thought leadership content on Cryptzone and information security topics. <br /><br /><i>You can find more information about Cryptzone <a href="https://www.cryptzone.com/">here</a>. The Forrester Research whitepaper “Forrester – "No More Chewy Centers: The Zero Trust Model of Information Security" can be found <a href="https://www.cryptzone.com/forms/forrester-no-more-chewy-centers">here</a>. 
You can also read additional Cryptzone blogs by going <a href="http://insight.cryptzone.com/">here</a>.</i>csteffenhttp://www.blogger.com/profile/18204341510447329666noreply@blogger.com0tag:blogger.com,1999:blog-3388688827196942343.post-48017030057345198362016-10-29T11:37:00.001-06:002016-10-29T11:37:48.244-06:00On to the Next Adventure...<div style="text-align: justify;">
<span style="font-family: inherit;"><i>As you may have heard, I have left HPE as part of the reorg / downsizing that you have read about in the news. I feel that I can post to The Security Beard again!</i></span></div>
<div style="text-align: justify;">
<span style="font-family: inherit;"><i><br /></i></span></div>
<div style="text-align: justify;">
<span style="font-family: inherit;"><i>I wanted to share a quick blog that I posted to <a href="https://medium.com/@csteffen">my Medium</a> earlier today about my exit from HPE, and a little about my new position.</i></span></div>
<div style="text-align: justify;">
<i><br /></i></div>
<div style="text-align: justify;">
<i>You can find the original <a href="https://medium.com/@csteffen/on-to-the-next-adventure-53a5a45b3c1#.2pafaazgo">here</a>...</i></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The two constants of the universe – change and taxes. And while I could go on for days about taxes, especially in this contentious political season, I thought I would share some thoughts on the changes that are going on with me.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Friday was my last day at Hewlett Packard Enterprise. It has been my distinct pleasure to work for this organization for the past two years, serving as the Chief Evangelist for Cloud Security. I have appreciated the opportunity to offer nearly unfettered advice about the information security topics that are interesting to me – security awareness and regulatory compliance. And some of you must think so too, as those blogs and podcasts received tens of thousands of views. Your consideration of some of these topics, and your support on the various social media platforms has been greatly appreciated!</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I wish nothing but the best for HPE. CEO Meg Whitman is doing her best to shape and focus the company as the dominant player in the server market, removing the miscalculations and distractions that had been acquired by some of her predecessors. The merger of the consulting services business with CSC to form a new company, and the sale of much of the software assets to Micro Focus, will go a long way toward accomplishing that goal. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
These changes also bring changes to how the company is organized. For months, there have been plans for the personnel changes that would be needed to run this tighter ship, and one of those changes is how and what we evangelize as a company. It is not that HPE doesn’t think that cloud security is important – far from it. It is that the company is refocusing its efforts on hardware solutions. So in the grand game of musical chairs, I was one (of many) left without a chair when the music stopped. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
While I may no longer work at HPE, I am NOT fading off into the sunset…</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I am proud to announce that I have accepted a position as the Technical Director of Cryptzone.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJEISIcyqJcwtW73_bOZ6bBYalTcyTSCpIJbDsmyPXuHHeb9krmjY6GSfPpujUfJTei_jiJ6oiroM30Kcalw9tdKcPFkC_5K-o9ojSms4QcIg9tvXvD8cs67gNdlE0Z1sSyj4Qsn128Ryu/s1600/Cryptzone.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="106" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJEISIcyqJcwtW73_bOZ6bBYalTcyTSCpIJbDsmyPXuHHeb9krmjY6GSfPpujUfJTei_jiJ6oiroM30Kcalw9tdKcPFkC_5K-o9ojSms4QcIg9tvXvD8cs67gNdlE0Z1sSyj4Qsn128Ryu/s320/Cryptzone.jpg" width="320" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<a href="https://www.cryptzone.com/">Cryptzone </a>is a company that is focused on bringing paradigm shifting security solutions with identity centric security controls to the enterprise, protecting resources from internal and external threats. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: center;">
<span style="color: magenta; font-size: large;"><i>And I get to talk about it!</i></span></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I won’t go into too much more here, except to say that software defined perimeter solutions are just now starting to draw significant attention from the tech industry, and Cryptzone is far and away the premier solution for those interested in this security solution.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Alexander Graham Bell once said:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<i>When one door closes, another opens; but we often look so long and so regretfully upon the closed door that we do not see the one which has opened for us.</i></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I have no regrets for my time at HPE, and am charging full speed through this open door!</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Stay tuned…</div>
csteffenhttp://www.blogger.com/profile/18204341510447329666noreply@blogger.com0tag:blogger.com,1999:blog-3388688827196942343.post-16802165006975843152016-09-20T08:39:00.000-06:002016-09-20T12:25:45.899-06:00Security vs Compliance...<i>This is a blog I initially published on the <a href="https://community.hpe.com/t5/Grounded-in-the-Cloud/bg-p/sws-661#.V-F9cPkrKbg">HPE Grounded In The Cloud blog</a>. You can see it <a href="https://community.hpe.com/t5/Grounded-in-the-Cloud/Compliance-in-the-Cloud-Security-vs-Compliance/ba-p/6900359#.V-FB1vkrKbg">here</a>.</i><br />
<i> </i><br />
A good friend and colleague once said: “You can have security without compliance, but you cannot have compliance without security.” While that may be a bit simplistic, it does hold a measure of truth. But the question for many IT managers and executives is which one should come first. The simple answer is that you can have both, but it may require you to shift the paradigm.<br />
<br />
There have been several occasions when I have been asked about this (as recently as last week at the HPE Protect security conference), so let me share some of the questions, as well as potential answers...<br />
<br />
You can find the remainder of this blog here:<br />
<a href="https://community.hpe.com/t5/Grounded-in-the-Cloud/Compliance-in-the-Cloud-Security-vs-Compliance/ba-p/6900359#.V-FB1vkrKbg">https://community.hpe.com/t5/Grounded-in-the-Cloud/Compliance-in-the-Cloud-Security-vs-Compliance/ba-p/6900359#.V-FB1vkrKbg</a>csteffenhttp://www.blogger.com/profile/18204341510447329666noreply@blogger.com0tag:blogger.com,1999:blog-3388688827196942343.post-17346706549982605892016-09-19T07:43:00.000-06:002016-09-19T07:45:35.776-06:00Data Locality - A Solution?<i>This blog originally appeared on <a href="http://medium.com/@csteffen">my Medium</a> site on April 26, 2016. It was also shared with a number of different LinkedIn groups, and generated hundreds of comments.</i><br />
<br />
<i>PREFACE: While I believe that this is already understood, please understand that the opinions expressed in these stories / posts / blog / whatever you want to call them — are mine, and not necessarily the opinions of my current employer, future employer, former employer, or anyone else that has (or does, or will) contributed to my income or livelihood.</i><br />
<i><br /></i>
To get everyone up to speed (and this is a repeat of the summary I have provided before) — In October 2015, the European Court of Justice invalidated the Safe Harbor agreement, requiring the European Commission to revisit the rules governing data transfers between the EU and the United States. In February 2016, the EU and the US reached an agreement (called the Privacy Shield) to address the concerns that invalidated Safe Harbor. Two months after the Privacy Shield was announced, EU data protection regulators stated that the agreement still did not provide adequate privacy guarantees to European Internet users. Specifically, the concerns revolve around how data is stored and used by social media and search companies. The end goal of the European regulators is to have an agreement in place that forces US-based companies to treat and protect data much in the same way that it is treated in EU countries.<br />
<br />
In short, Safe Harbor and Privacy Shield are part of the body of law and controls at the center of the conversation about data sovereignty. Data sovereignty, then, is the principle that data in digital form is subject to the laws and regulations of the jurisdiction in which it is physically located.<br />
<br />
So, with that out of the way…<br />
<br />
I was fortunate enough to sit on a panel a few weeks ago on the topic of data sovereignty. The same occurred again last week, this time, in New York. Both panels — and specifically the panelists that spoke with me — were excellent. An idea was presented at the first panel, and discussed again at the second, around the sub-topic of data locality: specifically how, and more importantly — where — data is stored, and the requirements and regulations that differ depending on the country in which the data is stored.<br />
<br />
Let me start with a non-technical narrative (one that my mother can probably understand) — a simple Master padlock, probably much like the one you had on your locker in high school:<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiv6NnBNtiWsGLLGq1iPghdnQ9wON-Gqet1NICIBgY3FaSqjEtZMTY6sEn67f0FQqZvE00S-iSsRf4ZFYOji4KFpcvG0lw5ycbgpDYFdxRI-d5QrFIV37N5Een97_6dKS-eCsqYgcTS3I8V/s1600/1-KbbTLoNfQSRHxoPmMX6MfQ.jpeg" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiv6NnBNtiWsGLLGq1iPghdnQ9wON-Gqet1NICIBgY3FaSqjEtZMTY6sEn67f0FQqZvE00S-iSsRf4ZFYOji4KFpcvG0lw5ycbgpDYFdxRI-d5QrFIV37N5Een97_6dKS-eCsqYgcTS3I8V/s320/1-KbbTLoNfQSRHxoPmMX6MfQ.jpeg" width="256" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="background-color: white; color: rgba(0 , 0 , 0 , 0.6); font-family: , "lucida grande" , "lucida sans unicode" , "lucida sans" , "geneva" , "arial" , sans-serif;"><span style="font-size: xx-small;">Author’s note: never keep both lock keys in the same place…</span></span></td></tr>
</tbody></table>
<br />
Not a complicated device — pretty much everyone has used a padlock at one time or another. You insert and turn the key, and the shackle pops open. To relock it, simply press the shackle back into the padlock body. As long as you engaged the lock correctly and didn’t lose the key, your locker remained relatively secure (I am sure there are many high school locker tragedies, but you get my point).<br />
<br />
When school was over for the year, you could take the lock off of your locker and could use it during the summer for your camp foot locker or the locker at the pool. The lock would still work fine, despite the change in location, so long as you had the key. Regardless of where you took the lock, the lock would function as you would expect it to — so long as you kept the key.<br />
<br />
If you were like most, and took the lock home after the school year, only to find it in a junk box years later with your 9th grade Trapper Keeper, you would likely not remember the location of the key, rendering the lock useless. A padlock without a key is useless.<br />
<br />
In summary:<br />
<br />
<ul>
<li>You can use your padlock to protect things (like your locker or camp foot locker), regardless of the location.</li>
<li>The lock would work fine, regardless of the location, so long as you had the key.</li>
<li>The padlock without the key — regardless of the location — is useless</li>
</ul>
<br />
Applying the narrative to the technical world, and specifically the data sovereignty discussion:<br />
<br />
Nearly all data can be encrypted, and encryption plays the role of the padlock: the ciphertext is the locked locker, and the encryption key is the key. Regardless of where that ciphertext is stored (high school locker or camp foot locker), so long as the data remains encrypted and the key is kept somewhere else, the data remains protected. Put simply, if the data is encrypted correctly, and the key is kept secure, does it really matter where the data is stored? Isn’t the data useless without the encryption key?<br />
<br />
In summary:<br />
<br />
<ul>
<li>You can use encryption to protect your data, regardless of the location.</li>
<li>The data would be protected, regardless of the location, so long as you had (and properly protected) the encryption key.</li>
<li>The data without the encryption key — regardless of the location — is useless.</li>
</ul>
<br />
One of the major components of the data sovereignty / data locality debate is WHERE data is stored. But shouldn’t the discussion be more about where the encryption keys for the data are stored, and who can reach them, rather than where the data itself sits? Properly encrypted data is practically useless without a method of decrypting it(*).<br />
<br />
Establishing controls for encryption key management is information security 101. So the narrative for data protection should be around how encryption keys are generated and stored, where they are stored (and under whose jurisdiction), who is allowed to use them, and how the data is handled once it is decrypted. Where the encrypted data itself is stored will make very little difference from a technical perspective; where it is decrypted and processed still matters, because that is where plaintext exists.<br />
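As an added example (not part of the original post), the lock-and-key argument in working code: envelope encryption, where each stored object gets its own data key, the data key is wrapped by a master key that never leaves a custodian in the home jurisdiction, and the object on disk carries only ciphertext plus the wrapped key. The cipher is a stdlib stand-in (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) for AES-GCM, which is what you would use in practice; the KeyCustodian class and every name in it are illustrative, not any vendor’s API.

```python
"""Envelope encryption: the stored object carries ciphertext plus a *wrapped*
data key, and the master key that unwraps it never leaves a custodian in the
home jurisdiction. Stdlib only, so the cipher is HMAC-SHA256 in counter mode
with an encrypt-then-MAC tag; it stands in for AES-GCM. KeyCustodian is an
illustrative stand-in for a KMS, not any vendor's API."""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32

def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to length.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag. A fresh random nonce per call keeps keystreams distinct."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a modified blob is rejected before decrypting."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated blob")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered ciphertext")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))

class KeyCustodian:
    """Stand-in for a KMS in the home jurisdiction: holds the master key and only
    ever answers wrap/unwrap requests; the master key itself is never exported."""
    def __init__(self):
        self._master = os.urandom(32)
    def wrap(self, data_key: bytes) -> bytes:
        return seal(self._master, data_key)
    def unwrap(self, wrapped: bytes) -> bytes:
        return unseal(self._master, wrapped)

def encrypt_for_storage(custodian: KeyCustodian, plaintext: bytes) -> dict:
    """One random data key per object; only its wrapped form travels with the data."""
    data_key = os.urandom(32)
    return {"ciphertext": seal(data_key, plaintext), "wrapped_key": custodian.wrap(data_key)}

def decrypt_from_storage(custodian: KeyCustodian, stored: dict) -> bytes:
    return unseal(custodian.unwrap(stored["wrapped_key"]), stored["ciphertext"])

def demo():
    """Returns (plaintext recovered through the rightful custodian, whether a
    different custodian was refused). The stored dict could sit in any region."""
    home_kms = KeyCustodian()
    stored = encrypt_for_storage(home_kms, b"customer record 42")  # constructed sample
    foreign_kms = KeyCustodian()  # whoever holds the disk abroad, with their own keys
    try:
        decrypt_from_storage(foreign_kms, stored)
        refused = False
    except ValueError:
        refused = True
    return decrypt_from_storage(home_kms, stored), refused

if __name__ == "__main__":
    recovered, refused = demo()
    print(recovered, "| foreign custodian refused:", refused)
```

Running it shows the object is recoverable only through the custodian that wrapped its key; a second custodian with its own master key is refused at the tag check before any decryption happens. What the custodian’s jurisdiction can compel (unwrap requests, or the master key itself) is the locality question the post argues should replace “where is the disk”.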
<br />
This narrative is still evolving: there is no case law, and there are no legal challenges (that I know of), presenting and defending this perspective (yet). But there likely will be, and provided that technically informed jurists hear the case, a reasonable (and logical) outcome would be a finding that data locality is irrelevant, so long as information security best practices around key management are enforced.<br />
<br />
And I welcome further conversation about this specific concept: does it really matter where encrypted data is stored?<br />
<br />
As for the data privacy and data use concerns at the center of the data sovereignty debate — well, we still have a long way to go on that front.<br />
<br />
<i>(*) Yes, there are NSA / government types with massive compute budgets, but brute-forcing a properly generated 256-bit key is beyond anyone; the realistic way such an adversary gets at encrypted data is by obtaining the key (a flawed implementation, a compromised key store, or compelled disclosure from whoever holds it), which is exactly why where the key lives is the question that matters. In any case, I am not likely trying to protect my data from them. Nor *CAN* I protect my data from them…</i>csteffenhttp://www.blogger.com/profile/18204341510447329666noreply@blogger.com0