Posts Tagged ‘Future’
The Future Of Audit & Compliance Is…Facebook?
Last Updated on Monday, 12 March 2012 01:20 Written by Celframe Security Team Friday, 27 July 2012 05:16
I’ve had an epiphany. The future is coming wherein we’ll truly have social security…
As the technology and operational models of virtualization and cloud computing mature and become operationally ubiquitous, ultimately delivering on the promise of agile, real-time service delivery via extreme levels of automation, the ugly necessities of security, audit and risk assessment will also require an evolution via automation to leverage the same.
At some point, that means the automated collection and overall assessment of posture (from a security, compliance, and risk perspective) will automagically occur (lest we continue to be the giant speed bump we’re described to be) and pop out indicatively with glee with an end result of “good,” “bad,” or “pass,” “fail,” not unlike one of those in-flesh turkey thermometers that indicates doneness once a pre-set temperature is reached.
What does that have to do with Facebook?
When we’ve all been sucked into the collective hive of the InterCloud matrix, the CISO/assessor/auditor/regulator will look at the score, the resultant assertions and the supporting artifacts gathered via automation and simply click on a button:
You see, the auditor/regulator really is your friend.
It’s a cruel future. We’re all Zuck’d.
Revisiting Virtualization & Cloud Stack Security – Back to the Future (Baked In Or Bolted On?)
Last Updated on Monday, 12 March 2012 12:25 Written by Celframe Security Team Saturday, 7 April 2012 04:26
[Like a good w[h]ine, this post goes especially well with a couple of other courses such as Hack The Stack Or Go On a Bender With a Vendor?, Incomplete Thought: Why Security Doesn’t Scale…Yet, What’s The Problem With Cloud Security? There’s Too Much Of It…, Incomplete Thought: The Other Side Of Cloud – Where The (Wild) Infrastructure Things Are… and Where Are the Network Virtual Appliances? Hobbled By the Virtual Network, That’s Where…]
There are generally three dichotomies of thought when it comes to the notion of how much security should fall to the provider of the virtualization or cloud stack versus that of the consumer of their services or a set of third parties:
1. The virtualization/cloud stack provider should provide a rich tapestry of robust security capabilities “baked in” to the platform itself, or
2. The virtualization/cloud stack provider should provide security-enabling hooks to enable an ecosystem of security vendors to provide the bulk of security (beyond isolation) to be “bolted on,” or
3. The virtualization/cloud stack provider should maximize the security of the underlying virtualization/cloud platform and focus on API security, isolation and availability of service only while pushing the bulk of security up into the higher-level programmatic/application layers.
So where are we today? How much security does the stack, itself, need to provide? The answer, however polarized, is somewhere in the murkiness dictated by the delivery models, deployment models, who owns what part of the real estate and the use cases of both the virtualization/cloud stack provider and ultimately the consumer.
I’ve had a really interesting series of debates with the likes of Simon Crosby (of Xen/Citrix fame) on this topic and we even had a great debate at RSA with Steve Herrod from VMware. These two “infrastructure” companies and their solutions typify the diametrically opposed first two approaches to answering this question, while cloud providers who own their respective custom-rolled “stacks” at either end of IaaS and SaaS spectrums, such as Amazon Web Services and Salesforce, bring up the third.
As with anything, this is about the tenuous balance of “security,” compliance, cost, core competence and maturity of solutions coupled with the sensitivity of the information that requires protection and the risk associated with the lopsided imbalance that occurs in the event of loss.
There’s no single best answer, which explains why we have three very different approaches to what many, unfortunately, view as the same problem.
Today’s “baked in” security capabilities aren’t altogether that mature or differentiated. The hooks and APIs that allow for diversity and “defense in depth” provide for new and interesting ways to instantiate security, but also add to complexity, driving us back to an integration play. The third is looked upon as proprietary and limiting in terms of visibility and transparency, and doesn’t solve problems such as application and information security any more than the other two do.
Will security get “better” as we move forward with virtualization and cloud computing? Certainly. Perhaps because of it, perhaps in spite of it.
One thing’s for sure, it’s going to be messy, despite what the marketing says.
Slideshow: Ten Weird Biometrics In Your Future
Last Updated on Sunday, 11 March 2012 09:43 Written by Celframe Security Team Sunday, 1 April 2012 11:49
VIEW SLIDESHOW: Weird Science: 10 Forms of Biometric Authentication
In the past twenty years, we’ve gone from using amber-tinted dumb terminals connected to refrigerator-sized mainframe computers to sleek tablet computers and smart phones tucked into our pockets. Despite those changes, one technology has stubbornly persisted: passwords. Indeed, the explosion in computing devices and Web-based services has made us more dependent on passwords than ever.
Experience has shown that all those passwords add up to less security, not more. Our brains weren’t designed to memorize long strings of random digits, so folks just end up reusing the same password – and often a pitifully insecure one at that. Those kinds of ingrained behaviors have lots of companies looking for alternatives.
IBM recently said that its researchers believe that the password will eventually go the way of the Brontosaurus, replaced with technologies like biometric identification. Recent developments give credence to that. Google released a new phone last year that unlocks itself with a simple scan of your face. Technology like Nuance’s Dragon and Apple’s Siri continue to break new ground when it comes to voice authentication.
What other weird ways might researchers and entrepreneurs find to let you identify yourself? Threatpost put together this collection of 10 crazy biometrics…that just might work. Click through the following slide show to see 10 odd – and slightly obscure – forms of biometric authentication being investigated today.