CTO's Blog

Security, Compliance, Software, and Confusion

Adrian Lane, CTO

Adrian Lane is a 20-year industry veteran who specializes in database design, architecture and security. Adrian has the benefit of having sat on both sides of the fence. He has been part of the vendor community during stints at Ingres and Oracle, and part of the IT customer community when he was CIO of the brokerage CPMi. Adrian has been involved with security software for over a decade, and was the CTO of the Digital Rights Management firm Brodia.

Adrian's other interests and hobbies include collecting stereo equipment, music, restoring old muscle cars (currently a '69 Z28), making the perfect Manhattan and rooting for the Cal Golden Bears.

Moving to Typepad ...

http://infocentric.typepad.com

Moved the blog to Typepad: http://infocentric.typepad.com. I will update this link in the next couple of days.

Monitoring Activity

Passport breach: Let’s chalk one up for monitoring.

The Washington Post reported that the illegal viewing, and subsequent disclosure, of passport information belonging to Barack Obama, Hillary Clinton and John McCain was caught by a monitoring system.

This is precisely the type of activity that monitoring can detect, and it can be used very effectively to alert on suspicious behavior regardless of which user performs it.

In early 2005 I was invited by some people at DHS to pay a visit to a couple of congressmen and senators to discuss trends in information privacy & security. I later discovered the reason for the invite was that one of the Republican staffers had been reading a couple of the Democratic rivals' files and documents. It turns out that both parties shared a common file server & database that had little to no security beyond access control. The staffer was fired and escorted out by the Secret Service. I advocated database monitoring to detect this type of activity in the future, coupled with assessment as a preventative control.

It appears that the State Department already has something like this in place, so 'Bravo'! And they, like most public companies, only deployed it after a breach had occurred.

Blog Comments

Information Centricity follow-up comments

I selected the email example on Information Centricity for a couple of different reasons. One was based upon several blog posts out there talking about what changes would need to be made to the infrastructure, or basically 'how do we get there from here'. And now that I have seen Mike Rothman's comment that "I'm not going to be so bold as to say it isn't happening, but it's nothing I've seen before", I am glad I did. When you start thinking about how to implement Information Centricity, let's say in an SAP environment, it's enough to make your head explode. I wanted to start small to demonstrate a couple of ways Information Centricity addresses security issues in a changing IT landscape.

More Conferences

A busy start to April

IDC Virtualization Show on April 8th.
RSA on April 9th.

Credit Data 'Hijacking'

Have a take that doesn't &@(^!

I went on a long rant in one of my previous posts, motivated by the Hannaford Bros. breach. Not so much because I have anything specific to say about that breach, but simply to express my view that merchants should not be storing credit card numbers in the first place. I was not planning on saying anything else, as I am not really sure what to make of the information we have been provided through the various press releases and news items.

Information Centric Security Example

What I want to do to take this one step further is provide a tangible example of this model. I want to provide the simplest example of what I consider to be information centric security. I have never spoken with Rich directly on this subject and he may completely disagree, but this is one of the simplest examples I can come up with. It embodies the basic tenets, but it also exemplifies the model's single greatest challenge. Of course there is a lot more possible than what I am going to propose here, but this is a starting point.

Log File and Event Management

Journalism 2.0 … Blatant Advertising!

"To unlock the value of logs, a new class of appliance has emerged that combines universal log-data collection, analysis, event management, automated report distribution and incident response." Wow. I have many problems with that statement, but the list is too long to really cover, so I will just mention a couple of points.

Credit Card Fraud

Those wacky merchants

After my previous post on privacy and security on the Internet, I ran across Rich Mogull's 'Picking apart the Hannaford Breach' post. To me, issues of privacy and security are related to this post. I am going out on a limb here because I am making an assumption (an assertion, actually) of intent, but it appears to me this is the crux of the issue. Merchants want to maintain the relationship with the customer, and probably more importantly to them, the data about the customers: financial data, purchasing data, location data and preferences, which is in turn cross-referenced with other data sources to extrapolate further valuable information. The merchant then uses this to make themselves more competitive in the marketplace, or sells the information to others for profit. This data is sensitive and not obfuscated, because it is this direct and targeted marketing data that others will pay for. But keeping this data forms the basis for credit fraud and identity theft as it relates to these merchant breaches.

Privacy & Security on the Internet

Miscellaneous Thoughts from IT Security Entrepreneurs Forum

Do you believe Security & Privacy on the Internet are diametrically opposed?

Seriously. This is not a loaded question. At the forum, one of the panelists, a respected member of the US Intelligence Community, stated that we cannot have both Internet Security and Privacy. It's one or the other, and privacy groups' demands do not allow policing of Internet activity. They are diametrically opposed. This person then gave the analogy that Privacy on the Internet was just like putting cops (his word, not mine) on the street, allowing them to watch crime occur, but not to draw their guns and not to make arrests.