SecurityDreamer. The Future of Security.



  • March 5
    ASG Security Summit Seattle WA
  • March 25-27
    Toronto, ON
  • March 31 - April 3
    ISC West, Las Vegas, NV
  • March 31
    Margaritaville, Las Vegas
  • April 22-23
    Expo Seguridad Mexico City, MX



June 16, 2009

Say that again and I'll kick your SaaS

Software as a service (SaaS) and cloud computing and cloud storage and other “aaSes” are all the rage these days.  The cloud is going to force security pros to revisit policy and value.  We have to make the case of why we have specific policies and why those policies apply to certain data and applications.  Otherwise biz units will throw apps and data up to the cloud willy-nilly to grab the cost savings.

My buddy Kevin Richards at Crowe Horwath said, "Nobody really cares about “securing the cloud” – outside of the security industry anyway.  In that way, it’s the same as security in general.  Security is not the point.  It’s not our job to secure the cloud.  We have data and applications all over the place.  Some are running on this network segment, some on that.  Some are in this data center, some in that one.  Some are outsourced, or off shore, or cloud based like SaaS."





May 25, 2009

Don't compare yourself to the competition

A new way of comparing products would benefit everyone

by Steve Hunt (originally published on ZonaSecuridad.org)

Most product comparisons don't say much. I propose a better approach, oriented toward the benefit to the end user.

Most technology evaluations you read in industry magazines, or those supplied by the manufacturers, suffer from a common and basic flaw.

They compare technologies with similar products from the competition and very rarely, if ever, tell the reader how good the product really is.

These evaluations list features in light of the competitors. In my opinion, this perpetuates mediocrity.

I think there is a better way to look at technology products. The method I have been developing over the last four years is the closest thing I could find to a scientific way of carrying out evaluations.

My method also has another important difference: it tells the security executive (or the manufacturer) how successful the product will be at solving the end user's problems, rather than telling the customer what he or she will have to settle for.

An adequate answer

I'll say it more explicitly. By taking hundreds of criteria about the end user's requirements and preferences, I can rate how well any product meets the customer's expectations.

Here is an example of that rating. This product (which I will not name) was recently given an award in a (more or less) independent product comparison against another big-name access control product.

It is considered one of the best products you can buy in this category. Nevertheless, you can see from the rating that it still has some areas for improvement if it wants to meet the customer's real needs.

Example rating:

Category and rating
  • Architecture and integration: 2.7
  • Reliability and scalability: 3.5
  • Configuration and flexibility: 1.9
  • Administration and reporting: 1.8
  • Overall rating: 2.5

On a rating scale of 1 to 5, 1 would represent poor or nonexistent quality or support, while 5 would indicate satisfactory, broad and flexible qualities.

Ease of use for the customer

Each category has multiple subcategories, which consist of different criteria. Each subcategory and criterion is weighted according to its relative importance to the customer.

Thus, the amount of time the database administrator needs to configure the system may be weighted more or less heavily than, say, the range of third-party databases the product supports, depending on what users prefer.

Similarly, the usability and intuitiveness of the graphical user interface or the online help tools will be weighted more heavily than the product's support for a command-line interface.

When my evaluation is complete, the CSO or product manager will see in the detailed report every major way in which the technology meets, exceeds or falls short of the most important requirements or preferences of end-user customers.

So, instead of moaning and carrying on about which gadget has more features than the one next to it, let's focus on solving the problem and meeting the needs of the end user's head of security.

Let me know if you want more information on how to measure the real value of technologies. I'd be happy to talk with you.

COMMENT:

The approach to the problem is interesting and matches the trend being observed (though still very little) in current professional evaluations. What matters most in the end is the benefits received, provided the user has a clear idea of their requirements, or there is a way and the time to assist them in that definition. In any case, the criteria must be accompanied by measurable parameters, such as the minimum specifications required to achieve an adequate level of satisfaction. I would indeed be interested in learning more about your method.

MY RESPONSE:

I learned long ago that users of security technology do not really want security.  They want systems that help to make the business better or more successful.  Therefore, when I gather technology requirements from enterprise security executives and business leaders, I look for examples of how existing IT and operations systems and processes are already succeeding.  In other words, I discover what the customer likes.  For example, if I find that all of the company databases are Oracle, I will give a higher “weight” to the requirements related to databases.  If I found that the company uses many different databases across the organization, I’d place a lower weight on that criterion.  I do the same with the user interface, the backup and recovery techniques, workflow, and every other aspect of a security technology product. 

I am not trying to understand the “security needs” of my customer.  I’m trying to understand and measure the business and operational needs of my customer.  That’s the main difference between the way I do it and common “competitive analysis” most people use.
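The weighted scorecard the article describes, with the preference-driven reweighting from the reply (the "all databases are Oracle" case), as an added example that is not the author's own tool. The category and tag names, the weight factors, and the sample scores are assumptions constructed for illustration.

```python
# Added example (not the article's scoring tool): criteria scored 1..5 and weighted
# by importance to the customer; facts about what the customer already runs
# reweight tagged criteria. Tags, factors and sample scores are assumptions.
from dataclasses import dataclass, replace

@dataclass
class Criterion:
    name: str
    score: float       # 1 = poor or absent ... 5 = satisfactory, broad, flexible
    weight: float = 1  # relative importance to this customer
    tag: str = ""      # "database", "gui", "cli": lets environment facts reweight it

def weighted_mean(pairs):
    """pairs: iterable of (score, weight)."""
    pairs = list(pairs)
    total = sum(w for _, w in pairs)
    return sum(s * w for s, w in pairs) / total if total else 0.0

def reweight(categories, environment):
    """Copy the scorecard with weights raised where the customer has shown a preference."""
    factor = {}
    if environment.get("single_db_vendor"):   # all company databases are one vendor
        factor["database"] = 2.0
    if environment.get("prefers_gui"):        # GUI and online help outweigh a CLI
        factor["gui"], factor["cli"] = 2.0, 0.5
    return {cat: {sub: [replace(c, weight=c.weight * factor.get(c.tag, 1.0)) for c in crits]
                  for sub, crits in subs.items()} for cat, subs in categories.items()}

def score(categories):
    """Subcategory = weighted mean of its criteria; category = mean of its subcategories;
    overall = mean of the categories (2.7, 3.5, 1.9, 1.8 -> 2.5, as in the article)."""
    raw = {}
    for cat, subs in categories.items():
        sub_scores = [weighted_mean((c.score, c.weight) for c in crits) for crits in subs.values()]
        raw[cat] = sum(sub_scores) / len(sub_scores)
    raw["overall"] = sum(raw.values()) / len(raw)
    return {k: round(v, 1) for k, v in raw.items()}

# Constructed sample scorecard for a hypothetical access control product.
SAMPLE = {
    "Architecture and integration": {
        "Databases": [Criterion("Oracle support", 4, tag="database"),
                      Criterion("DBA time to configure", 1, tag="database"),
                      Criterion("Third-party DB range", 5)],
        "APIs": [Criterion("Documented integration API", 3)]},
    "Administration and reporting": {
        "Interface": [Criterion("GUI usability", 2, tag="gui"),
                      Criterion("Online help", 2, tag="gui"),
                      Criterion("Command-line interface", 5, tag="cli")],
        "Reports": [Criterion("Flexible reporting", 3)]}}

if __name__ == "__main__":
    print(score(SAMPLE))  # feature-count view of the product
    print(score(reweight(SAMPLE, {"single_db_vendor": True, "prefers_gui": True})))
```

The same product scores lower for the Oracle-only, GUI-preferring customer because its weak spots (DBA setup time, GUI usability) are exactly the criteria that customer weights most.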

May 23, 2009

Use Twitter and network cameras for free instead of paying ADT

An idea posted by Kevin Rose.


May 22, 2009

Tweet some new tweeps this weekend

It's Memorial Day weekend in the States, so you are probably not planning to sit in front of your computer.  I hope to be on a sailboat much of the weekend.  My kids are on a camping trip.  You should get out, too.  But when you crawl back to your desk on Tuesday, why not have some new insights, humor, and cleverness waiting for you?  Sign up for Twitter.  If you aren't yet up to speed on Twitter, read why I use it.

There is a custom on Twitter to recommend some interesting Tweeps (people who use twitter) to follow on Fridays.  It’s called #followfriday.  This is not everyone I follow, of course.  And I really enjoy many more than this.  But I wanted to present you with a good cross section to get your feet wet.  Use it as your own "starter pack."  Start following these people:

(don't worry, you can unfollow them later if they are not your cup of tea - no feelings get hurt)  :)

  • Arj (security industry analyst – one of the good ones)
  • Badbanana (the funniest tweeter on the web)
  • Beaker (Chris Hoff)
  • Cselland (maybe you know him)
  • DDubie (Network World journalist)
  • Dspark (helps you use media for your biz advantage)
  • Enderle (the Silicon Valley guru)
  • Feliciaday (geek, entertainer)
  • GeorgevHulme (uber journalist)
  • Idmachines (Sal knows all about FIPS 201 and identity mgmt)
  • Jameane (social media maven)
  • JDeLuccia (audit and compliance expert)
  • Jennyholzer (what can you say?)
  • Kristina_Erfe  (hilarious, thought provoking, life poet)
  • MarkOOakes (security professional, entrepreneur, triathlete)
  • MiaCucina (if you like food)
  • Michael_Hoffman (media mogul and Do Gooder)
  • Princessleia  (I think it’s really her!)
  • Robertbook (economist, political commentator)
  • Roland_Hedley (Fox correspondent/Doonesbury)
  • Sam_Pfeifle (thoughtful editor of Security Systems News)
  • Sarahksilverman (the most excellent comedian)
  • SDNEditor (I guess Rhianna doesn’t want to use her real name)
  • Securitytwits (name says it all)
  • Stephenbonner (chief security officer for really big bank)
  • Steve_hunt (me, the securitydreamer)
  • Stevesurf (the guy dating my sister)
  • Tomwaits (the singer/songwriter)
  • Zittrain (Harvard law prof – Internet security and privacy stuff)

May 14, 2009

Outside contributor to the blog shares his views from the field

A security professional working for a large end user organization contributes occasionally to SecurityDreamer under the pseudonym of "Padded Arrow."  Here are his latest thoughts from a Fortune 500 corporate security department:

You may have noticed that over the last couple years, Security is changing phases in the never-ending cycle.  With the current financial climate, cost is once again the biggest project risk.  If Security departments are to survive, they will need to move from an add-on risk function to an integral part of the organization.  They will need to move from saying "no" to saying "how can we do this securely."

First, let's agree on two things; bolt-on security and security by obscurity don't work.  They cost more and in the end, don't increase security.

Collaboration, collaboration, collaboration
As much as we all want to be special, unique and different, that is a negative when it comes to corporate solutions.  Look for opportunities to collaborate with other business units in your company to save money.  I know this is difficult for most of the "I'll tell you but then I have to kill you" security types but why would you implement a million dollar security platform for monitoring when there may already be a solution available.  Many IT management platforms include functionality that can be leveraged by Security; reporting, logging, monitoring, alerting.  Collaborate during product selection and you may get the functionality you need without any additional cost.

Show costs accurately and realistically
Most business managers have grown immune to the claims of loss that Security has been spouting for years.  "If we don't put this system in, we will be overrun with hackers and that will cost millions if not the company."  Put real numbers to a real problem and then propose a solution that costs less than the potential loss.  You wouldn't spend more than something is worth to protect it.

Learn how to say "yes"
…or better yet, "Here is how you design this solution securely."  Granted, 100% Security is 0% functionality; however, 100% functionality doesn't necessarily mean 0% Security.  The earlier Security is involved in the development and requirements process, the easier it is to make sure the organization is protected.

- Padded Arrow



May 05, 2009

Security industry loses a stand out individual

Doug Hendricks, security manager at Sun Microsystems, passed away a few weeks ago.

Doug started his security career working for a security integrator and worked his way to the end-user side of the business over a 27 year period.  He started his security career working for CMC in San Jose as a Project Manager on the Lockheed Space and Missile access control project.

CMC was acquired by JWP and Doug transferred to JWP’s Bay Area office where he ran numerous large projects including the BART CCTV project and the Pelican Bay State Prison CCTV project.  He had responsibility for engineering and managing the installation of the CCTV, intercom, guard panic and MATV systems.

In 1991, Doug joined Integrated Security Control Systems (ISCS).  He was project manager for the Federal Reserve Bank of San Francisco project, where his CCTV design became the standard for many Federal Reserve Banks.  Doug then managed a large CCTV installation at Silicon Graphics Corporation.   As ISCS’s security contract for Sun Microsystems grew Doug became the Project Manager at Sun’s Bay Area facilities and then became ISCS’s Support Services Manager at Sun Microsystems.

Doug was offered and accepted the position of Manager of Security Systems working directly for Sun Microsystems.  In this role he managed Sun’s global access control systems and assisted with developing the current security systems standards, the “Alarm Reduction Program”, the executive protection program, and the “One Badge” project for global access.  His latest project, which he engineered and managed, was the access control system conversion from GE/Infographic Systems to GE/CASI Picture Perfect 4.0 System for all Sun's locations globally.

We will miss Doug.

April 27, 2009

Body painting at Expo Seguridad

Sorry my phone didn't have better resolution.  Each of the three days of the Expo Seguridad conference, this woman was painted in very tasteful, beautiful ways.  Each time with a security theme.  The third day was the best.  She was painted as a Borg, with a video camera as an eye.  The sponsoring vendor is Sermex, a Mexican security products distributor.

April 26, 2009

ADI wastes my time at ISC West and recedes into the dark and smelly Dog House

Sorry it took me so long to post this.  I had..er, technical difficulties.  This short video shows some of the best and most creative ways to waste money and alienate customers at a trade show.  Congratulations, ADI, for making it into the SecurityDreamer Dog House.

April 06, 2009

One of the really good exhibits at ISC

There was so much to like about the ISC West show this year.  More breathing room on the show floor, shorter taxi lines, and an overall higher quality attendance than I've noticed in recent years.  I saw more end users than I think I've seen in the past, and the other folks - integrators, consultants, investors - were really the top tier.  My theory is that with the tight economy, travel budgets for the "regular folks" were restricted, so only the folks who had active and pressing business to perform came.  As a result, the quality of business I witnessed made this a successful show.

I was only able to spend a limited time at the show this year.  So many of you were able to come to Margaritaville on Tuesday night that for awhile it was shoulder to shoulder.  That was fun.  Excellent New Zealand wine supplied by the good folks at Gallagher, and yummy food. 

The show floor was satisfying, especially for those of you who received my SecurityDreamer Travel Guide to ISC West 2009.  Laid out sort of like a Lonely Planet travel guide, the little booklet helped folks to find the best and avoid the worst on the show floor.

One of the best exhibits I witnessed was so simple in its layout and so effectively manned by its personnel, that I'm awarding ACTi's exhibit the SecurityDreamer Best of Show.  Watch this short video about the ACTi booth.


April 04, 2009

DVTel shows me an impressive command center software design

If we limit the conversation just to the technology, you'll hear me sing the praises of DVTel.  The command center console is attractive and intuitive and very functional.  I especially liked the simple, centralized management of video, access control, perimeter sensors and the flexible reporting capabilities.  DVTel's iSOC v6 is a refreshing reinvention of the standard command center interface.