Yesterday I attended the IDC Security Conference in London.
I was not too sure what to think of it, as I had never attended that event before, and I only accepted a “spam/unsolicited invite” because for once I took the time to read the agenda and the list of speakers who were to attend.
I can now say I do not regret it: it was a great conference with a lot of interesting content on the future security context of cloud and mobile computing, with a pinch of data privacy.
One of the reasons I decided to attend was also that the keynote speaker was Bruce Schneier, a person I had never had the privilege to see at a conference before and whose offbeat approach to IT security I appreciate.
Although I have attached a mindmap of my conference notes at the end of the post, if you do not want to suffer “Death by MindMap” or do not have a 50-inch screen, then I invite you to read the many highlights and industry insights which were discussed at the conference. Please note I have grouped my feedback by theme rather than by presentation name.
1. Data Privacy
o What the Zurich data breach incident highlighted is that you can now negotiate fines: they got a 30% discount.
o A new piece of US legislation, the Dodd-Frank Act, is coming and will have worldwide impact. It can apparently be compared to a SOX-like law where whistleblowing is encouraged AND rewarded (up to 30% of the recovered monies, excluding fines), which could amount to millions of dollars. This will surely impact our internal audit processes. For more info: www.bit.ly/usakzo
o A new European directive, 2009/136/EC, must be transposed into national law by 25 May 2011. It will push companies to be more proactive at disclosing data breaches rather than waiting to be found out. http://tinyurl.com/29xwwh2
The speaker, Eric Domage from IDC UK, warned the attendees to be ready for the national transposition (“localisation”) of this directive, which may differ from country to country.
o A short history of European data privacy law was given. It started with two fronts: the north of Europe, including the UK, where data privacy was company-centric, and the south, including France, where it was user-centric. Since the EU expanded to bring in the eastern countries, they have pushed for more user-centric data privacy laws, thus supporting what had been a southern European minority. Data privacy laws have become tougher and will become stricter still with time; the trend is towards stricter data privacy laws.
o Privacy laws are moving towards prevention rather than cure: not only do you need an emergency plan to respond to a security breach, you also have to rehearse it!
o The future is: more private lawsuits; cloud computing and the mobile trend both complicating and facilitating data loss; trust becoming an issue as more and more third parties are involved; an increasing generation-gap issue; and all of these issues having a more global impact.
o As usual, Bruce Schneier gave a refreshing, offbeat presentation, this time related to data privacy and generation gaps:
- Data control is mostly about context rather than secrecy. We rarely have truly secret data, but we have data we would share with friends and other data we would share only with our doctor.
- With the rise of the internet we now need privacy policies, as data can more easily be extracted from the context for which it was intended.
- Social sites are designed to share as much information as possible; that is their business. We are not Facebook's customers, we are Facebook's product.
- A parallel was drawn between the pollution of the industrial age and data as the pollution of the digital age.
- For more info, you can read the SC article: http://tinyurl.com/2484pd6
2. Cloud Computing
o Many presentations delivered the same message: traditional security is insufficient for securing services and assets in the cloud.
o Some key new risks are:
- Trust: hardware can be physically shared with other customers or competitors. There is also the risk of one VM environment attacking other VMs within the same private cloud, or within the wider cloud provided by a vendor.
- Resource contention, where performance could be impacted, e.g. running an AV scan inside every VM at the same time rather than having a single AV scan done centrally for all the VMs on a physical box.
- Compliance: a full user activity audit trail may be harder to produce if the user has access to many different shared infrastructures with no central logging capability.
o As we increase our “in the cloud” usage, this could have an impact on the network latency experienced by users.
o A recent IDC study predicts that by 2015 most services and hardware will be hosted in the cloud.
o An interesting issue was highlighted by Alan Fields from Akzo Nobel: when using a web filtering SaaS, the egress IP you present to a target URL is now shared with the other customers of that SaaS. This means the target site may think you are a different company and serve you the wrong personalised front page!
o It is good practice to use SaaS logs to quality-check your vendors on a regular basis. At the same time there are difficulties in conducting security monitoring in the cloud, due in part to the fact that companies have no control over the infrastructure there.
3. Mobile Computing
o The mobility of users is increasing, as is what they can do with their mobile devices. Most companies do not pay enough attention to the related security risks, and these must not be ignored any longer.
o Although there are more security technologies available nowadays, there is also more connectivity back to corporate data and networks, with data flowing to more places than before. As such, we are not necessarily more secure than “in the old days”.
o CISCO presented their Secure Mobility technology: a virtual business desktop environment held on a USB stick which can be used on any type of laptop. This allows for a secure business desktop which is hardware-agnostic and can be used alongside a personal desktop/environment.
o CISCO “coined” an interesting trend: HTTP has become the new TCP.
4. Security Risks Trends
o Attackers have moved on from mass spam to targeted spam aimed at individuals in the enterprise, which makes protecting against these new types of attack more difficult. There were plenty of examples in the GOM incident.
o Security can be increased if it is considered identity-centric: how identity information is gathered, made unique, controlled, monitored and policed. An interesting statement was made by Andy Smith from IDC: identity is how a person is perceived by others.
o To identify whether a website is legitimate, one needs to look at more than just the what/content:
- What: look at the content
- How: was it set up on a dynamic IP, does it have a recently created DNS entry, etc.
- Who: do the owner details seem shady, are contact details missing, etc.
- Where: is it normal for a Haiti relief website to be hosted in Russia?
o Florian Malecki from SonicWall spoke about the need for next-gen firewalls (like the ones they sell!) which can also identify, categorise and control web applications, such as allowing Facebook but not its IM plugin. Although I spoke to them after the presentation, I am not convinced it is any better or different from the web filtering technology offered by companies like Websense, ScanSafe, etc.
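The what/how/who/where checklist above lends itself to a simple scoring function. The Python below is an added example written for this post, not something presented at the conference or any vendor's code: the field names, the reverse-DNS token list, the weights and the two sample records are constructed assumptions for illustration, and it runs offline on those records rather than querying WHOIS, DNS or a geo-IP service.

```python
"""Heuristic 'what / how / who / where' assessment of a suspect website.

Added example (not conference or vendor code). All inputs are constructed;
a real version would populate SiteFacts from WHOIS, reverse DNS and geo-IP.
"""
from dataclasses import dataclass
from datetime import date
import re
from typing import List, Tuple

# Reverse-DNS tokens typically seen on consumer / dynamic address pools
# (assumed heuristic, not an authoritative list).
DYNAMIC_PTR_TOKENS = ("dyn", "dhcp", "pool", "ppp", "dsl", "cable")

# Fixed "today" so the age calculation is deterministic (constructed date).
TODAY = date(2010, 2, 1)


@dataclass
class SiteFacts:
    domain: str
    purpose: str                   # What: what the page claims to be
    expected_countries: frozenset  # Where: plausible hosting countries for that purpose
    hosting_country: str           # Where: country of the hosting IP (assumed geo lookup)
    ptr_record: str                # How: reverse DNS name of the hosting IP
    registered_on: date            # How: domain creation date from WHOIS
    registrant: str                # Who: registrant name from WHOIS
    contact_email: str             # Who: "" if no contact details are published


def assess_site(site: SiteFacts, today: date) -> Tuple[int, List[str]]:
    """Return (risk score, reasons). Higher score means more suspicious."""
    score, reasons = 0, []

    # HOW: hosted on a dynamic / consumer address rather than a hosting provider
    if any(tok in site.ptr_record.lower() for tok in DYNAMIC_PTR_TOKENS):
        score += 2
        reasons.append(f"hosted on a dynamic/consumer address ({site.ptr_record})")

    # HOW: very recent DNS/WHOIS registration
    age_days = (today - site.registered_on).days
    if age_days < 30:
        score += 3
        reasons.append(f"domain registered only {age_days} days ago")
    elif age_days < 180:
        score += 1
        reasons.append(f"domain registered {age_days} days ago")

    # WHO: missing or hidden owner details
    if not site.contact_email:
        score += 2
        reasons.append("no contact details published")
    if re.search(r"privacy|proxy|redacted|whoisguard", site.registrant, re.I):
        score += 1
        reasons.append("registrant hidden behind a privacy service")

    # WHERE: hosting country inconsistent with the claimed purpose
    if site.hosting_country not in site.expected_countries:
        score += 2
        reasons.append(f"{site.purpose} site hosted in {site.hosting_country}")

    return score, reasons


def verdict(score: int) -> str:
    """Assumed threshold: two or more independent red flags is enough to escalate."""
    return "suspicious" if score >= 4 else "plausible"


# Constructed sample records (domains use the reserved .example TLD).
CHARITY = SiteFacts(
    domain="haiti-relief-donate.example",
    purpose="Haiti relief charity",
    expected_countries=frozenset({"HT", "US", "FR", "CA"}),
    hosting_country="RU",
    ptr_record="dyn-95-24-1-7.isp.example",
    registered_on=date(2010, 1, 20),
    registrant="WhoisGuard Protected",
    contact_email="",
)
BANK = SiteFacts(
    domain="example-bank.example",
    purpose="retail bank",
    expected_countries=frozenset({"GB"}),
    hosting_country="GB",
    ptr_record="web1.example-bank.example",
    registered_on=date(1999, 6, 1),
    registrant="Example Bank plc",
    contact_email="abuse@example-bank.example",
)

if __name__ == "__main__":
    for site in (CHARITY, BANK):
        score, reasons = assess_site(site, TODAY)
        print(f"{site.domain}: {verdict(score)} (score {score})")
        for r in reasons:
            print(f"  - {r}")
```

Each of the four questions contributes independently, so a single oddity (a charity hosted abroad, say) does not by itself condemn a site, whereas the charity record above trips every check at once. The weights and threshold are arbitrary and would need tuning against your own false-positive tolerance.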
And if you are interested in my full notes, then you can try to look at the mindmap below! (removed)