Security Pie

Finally a bold contester for the “big bucks spent for nothing in a marketing movie”, “what did they think” and “you are so cool. NOT” categories.

Someone from the Windows 7 marketing team thought that the following movie would be funny and interesting. Well, it is not. Personally I feel so stupid spending 6:14 minutes trying to understand if there is a hidden message. I even tried to run it backwards and looked at other movies in this channel, trying to determine if this is indeed an original / legal 
Microsoft publication (it looks legit).

They got the cast right: a young and an older women. The stereotypical geek and a black person (humm, is a real black person? ) but what about the plot?

WTF?

(4:46:13 PM) ashleybishop8327: Hey
(9:31:58 PM) Sharon: BOT
(9:32:13 PM) AshleyBishop8327: whats a bot? im 100% all real and natural, from tits to ass!
(9:32:27 PM) Sharon: so you are not a bot
(9:32:40 PM) AshleyBishop8327: whats a bot? im 100% all real and natural, from tits to ass!
(9:32:59 PM) Sharon: now I’m confused. Are you a bot or not?
(9:33:11 PM) AshleyBishop8327: whats a bot? im 100% all real and natural, from tits to ass!
(9:33:28 PM) Sharon:
(9:33:42 PM) AshleyBishop8327: hello?
(9:35:27 PM) Sharon: bot
(9:35:42 PM) AshleyBishop8327: whats a bot? im 100% all real and natural, from tits to ass!

Last week Greg Shipley wrote a nice epilog in InformationWeek regarding lessons learnt from Albert Gonzalez data heist (http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=219501227). He observed that while we are all cavorting merrily at the prospect of the imminent “hanging” of this thief of “modern data horses”, we did little to address the concern of data security. From my perspective, the CEO’s of the companies involved seemed happier to participate in this modern “burning of the witch” then to address the lack of security for what I sincerely hope is not my data.

Similarly, Sharon’s last post discussed the lugubrious habit of equating encryption with security, with a complete disregard to processes, systems and people.

Well, security is getting to be pretty complex, and we humans, in complex situations, tend to flock to iconography.

Original icons are of the deity sort. But postmodern icons can be anything. Espresso crema, evil high fructose corn syrup, local produce, Ken Lewis lying to investors, reduction of carbon footprint.

Encryption can be an icon.
DLP can be an icon (in fact, DLP is fast appearing as an icon, albeit a useless one, on many a security and network products).

Since data security is a need, it can be addressed via a methodical evaluation of risk and rigorously balancing the business virtue vs. the risk of loss; technology becomes a facilitator of process and methods – a requisite part – but nonetheless just a part – of the solution.

Alternatively, it can also be addressed by installing a system of icons: a statue of ganesh, a road prayer, a hamsa, a statue of the virgin mother, a DLP solution, or an encryption solution will all achieve the same – and wanting – results.

For the security practitioner, icons are comforting: they own the latest, the highest performing, the best rated, etc. But unlike board members, who really account for nothing but their quarterly signatures, comfort does not alleviate the need to deliver. Owning the CD of a multi-million dollar high quality application is useless if you can’t afford the 10 servers it needs to run, the abundance of professional services needed for set up and the 100 administrators needed for it to run. All this while the board is waiting to decide if a sacrificial goat is needed.

This has occured in the past. The roads of security are littered with the carcasses of “ex security experts” who have expired when the icons of firewalls became technologies that had to be configured properly and maintained. Similarly, PKI took its pound of flesh to the security alter and raised it to the PKI as an icon gods.

Data security is already setting up to be the kali of the security world. On one hand, effective, business centric data security makes VPs. I know many system operators and administrators who became security and compliance VPs. Similarly, I know many who have been badly burnt by the data security goddess. Those are better off seeking a different employment (barista, perhaps?).

As for me? I am getting to taste the vice of pride, being involved in a market that is fast becoming the chopping block of mediocrity. Bring it on, icon peddlers!

Encryption != Security

I was reading “Enabling cloud Storage for the Enterprise” white paper from Emulex . First, I’d like to the compliment the unknown author. I’ve read (and wrote) many white papers. This document is among the best.

As always, I have some reservations about the Data Security arguments that were made.

First, the unknown authors claim that “When moving data outside of the data center, as is the case with public cloud storage, security concerns become a top priority” since “When data is kept within the confines of a data center, there are recognized methods for ensuring that it is kept safe”. While I totally agree that there are recognized methods to protect data inside the data center, I do not agree that placing data in the cloud is a top concern. In most cases the end user or even the organization that is placing the data in the cloud is unaware of its location and even if it does, security (unfortunately) is not a top priority. I’m saying that when we discuss security in the context of  ”the cloud” one should demand security. In the same way that business users are demanding secure systems today, they should demand it when “the cloud” is involved.

But there is a bigger problem with the security section of this document. A big problem. There is a logical flow with the main security assumption made in that section since the document assumes that IDA (Information Dispersal Algorithms) is good (“enough” ?) to be used as the method to secure the data.

I have an issue here since the white paper sets an agenda that encrypted data should be considered as secure, since ”To make use of the data in the cloud, a hacker or SSP employee would have to also gain access to a quorum of the data slices stored elsewhere” but we know – by way of living, that no encryption method is secure enough, as the problem is related to the application that will get hacked.

Indeed if the risk that Emulex writes about is related to employees stealing drives with data, then encryption might be good enough (depending upon encryption  management  and so many other factors).  But as we know, security issues are mostly related to the way that the application is accessing the data, which will not be encrypted since the application is required to access the data…  Just think about SQL injection and why it happens…

Bruce Schneier begins his book Secrets and Lies by saying “I have written this book partly to correct a mistake” that he made with his utopian vision of cryptography and algorithms keeping “your deepest secret safe”.  I will allow myself to paraphrase that when it comes to secure Cloud Storage ”Cryptography can’t do any of that”. I suggest that anyone that thinks that security=(only) cryptography will think again.

” … Cryptography is a branch of mathematics. And like all mathematics, it involves numbers, equations, and logic. Security, palpable security that you or I might find useful in our lives, involves people: things people know, relationships between people, people and how they relate to machines. Digital security involves computers: complex, unstable, buggy computers.”

BTW, IDA was developed by Michael Rabin that won the Turing Award in 1976 and the Israel Prize (in computer sciences) in 1995.

Image source: http://ulcercity.blogspot.com/

The Heroes

So Marvel is getting acquired by Disney ($4 billion and some change). Personally, I like the idea. It will make life easier as now I do not have to think who owns a specific comic character. If Marvel shareholders approve the deal, they would receive $30 per share in cash and 0.745 shares of Disney for each share of Marvel that they hold. The deal is valued at $50 per Marvel share, more than a 29% premium, based on Friday’s closing price. Shares of Marvel (MVL) soared 26% in morning trading.

But the story is even better. Marvel, once a bankrupt company and the target of a how-to-mess-a-company book that was acquired for $82 m (and change) is now sold.

“When Ron Perelman bought Marvel in 1989, he described the company, home to heroes like Captain America and the Fantastic Four, as “a mini-Disney in terms of intellectual property.” His junk bonds and grandiose expansion plans swiftly raised Marvel’s market value to over $3 billion, but also brought its debt past $600 million, at which point corporate raider Carl Icahn smelled blood. He managed to wrest control of the company from Perelman, but the takeover process dragged Marvel through bankruptcy court for years. “

As a person interested in business strategy, I can only admire the level of thoughts, planning and execution my colleagues delivered. (I’m also jealous for the amount of fun and satisfaction they had during this fun ride).