July 18, 2016: Presenting a Webinar on Delivering Data Security with Hadoop and the IoT
On August 9, I’ll be teaming with Reiner Kappenberger from Hewlett Packard Enterprise to explore some of the most pressing security implications of Hadoop and the Internet of Things (IoT). The webinar is hosted by the IT GRC Forum; here’s what we’ll be covering:
The Internet of Things (IoT) is here to stay, and Gartner predicts there will be over 26 billion connected devices by 2020. This is driving an explosion of data which offers tremendous opportunity for organizations to gain business value, and Hadoop has emerged as the key component to make sense of the data and realize the maximum value. On the flip side, the surge of new devices has increased the potential for hackers to wreak havoc, and Hadoop has been described as the biggest cybercrime bait ever created.
Data security is a fundamental enabler of the IoT, and if it is not prioritized the business opportunity will be undermined, so protecting company data is more urgent than ever before. The risks are huge and Hadoop comes with few safeguards, leaving it to organizations to add an enterprise security layer. Securing multiple points of vulnerability is a major challenge, although when armed with good information and a few best practices, enterprise security leaders can ensure attackers will glean nothing from their attempts to breach Hadoop. In this webinar we will discuss some steps to identify what needs protecting and apply the right techniques to protect it before you put Hadoop into production.
If you’d like to join us, register here.
October 1, 2013: Big Data security and privacy risk podcast
I recently participated in a podcast sponsored by Edward Haletky at The Virtualization Practice.
My co-panelists (Edward, Iben Rodriguez @iben, Mike Foley @mikefoley) and I discussed many aspects of the inherent security and privacy risks that enterprises and the general public alike are encountering with Big Data. You can find a recording of the podcast here.
August 4, 2013: Introducing a half-day Big Data security training class
Beginning on September 20, I’ll be teaching a half-day Big Data security Webinar. These classes will take place once a month, and will cover the following topics:
Big Data information categories
- Document store
Big Data security requirements
- Legal and regulatory
- Internal guidelines
- Industry standards
- User access
Big Data security risks
- Meta data
- Distributed processing (e.g. MapReduce, Hadoop, and Cassandra)
- Overt attacks
- Covert attacks
Best practices for securing Big Data
- Setting realistic security goals
- Reducing surface area for attacks
- Protecting physical assets
- Safeguarding the network
- Encrypting data
- Data obfuscation via tokenization and masking
- Retiring data
To allow for maximum student interaction, classes will be limited to 10 people. You can register here.
February 11, 2013
I’m looking forward to my speaking engagement at the Conference on Big Data Security this July in Boston. I’ll be talking about how to keep your Hadoop environment safe and secure. In particular, I’ll be discussing:
- The key diverse technologies contained within a typical Hadoop environment
- Current and trending security risks characteristic of Hadoop implementations
- Setting and attaining realistic goals
- Contrasting open-source vs. proprietary Hadoop security tools
- Protecting your Hadoop landscape through controlled access
- Inherent differences safeguarding data-at-rest vs. defending data while in motion
I hope you can join me there – it should be a very interesting conference.
November 10, 2016: Helpful article on journalist protection is relevant for us all
In the aftermath of this week’s US election, it’s worthwhile to – once again – revisit techniques to protect private information from those that have no business seeing it. Here’s a link to a very useful article from The Atlantic that might give you some ideas about how to safeguard your data. If you’re curious about other security and privacy topics that I’ve written about, here’s a shortcut to them.
October 30, 2016: Why the recent Internet of Things (IoT) attack is just the beginning
A few days ago we witnessed a new type of distributed denial of service (DDoS) incident. Unlike previous botnet attacks that enlisted compromised computers, this one corralled assorted unprotected devices like Internet-ready webcams, DVRs, and baby monitors to flood Domain Name System (DNS) servers, and thereby seriously degrade the Internet for hours. I’ll leave the explanation of the mechanics of this incident to more qualified commentators, but I do want to weigh in on why I think these types of events are very hard to combat and why I’m very skeptical about the hype around the Internet of Things (IoT).
We all (well, many of us) know how important it is to keep our computers and software patched and up-to-date; most people also get why firewalls are essential. But consider these facts about IoT devices:
- They’re being created for just about every industry. This diversity means that it’s much harder for the entire universe of vendors to agree on common security standards: defining safeguards for a heart pump is a little different than for a Web-ready washing machine. I’ve served on my share of standards committees: to say that they move slowly is an understatement!
- They have really short development cycles. IoT is shaping up to be a brutally competitive landscape. The winners will be those vendors that deliver solutions to market quickly. Designing and building strong security safeguards takes time, and time is money. The end result is that device protection takes a back seat to market pressures.
- There’s limited space for security software. Margins are very thin on hardware devices: security-focused onboard storage space adds costs that aren’t directly related to functionality.
- They frequently rely on APIs for communication. I’ve blogged about API security in the past. Suffice it to say that it’s a rare API that’s locked down properly.
- New models are always coming on the market. Here’s the really scary part: even if vendors do start getting their security act together, it will be years before today’s highly insecure devices get retired. Meanwhile, they’ll be standing by for their next set of DDoS orders.
March 30, 2016: Excellent article about FBI’s iPhone crack
Bruce Schneier has long been one of my favorite technology authors and bloggers. He manages to write about extremely complex topics in a very accessible way – a notably rare and highly admirable skill. His latest article explains why the secretive approach that the FBI is employing to unlock iPhones will eventually harm innocent users unless Apple is notified of the device’s vulnerability.
The problem with computer vulnerabilities is that they’re general. There’s no such thing as a vulnerability that affects only one device. If it affects one copy of an application, operating system or piece of hardware, then it affects all identical copies. A vulnerability in Windows 10, for example, affects all of us who use Windows 10. And it can be used by anyone who knows it, be they the FBI, a gang of cyber criminals, the intelligence agency of another country … anyone.
This is precisely why Apple needs to understand what’s happened. Otherwise, the next entity to break into iPhones may not be doing so in the legitimate and honorable interest of solving crime.
I read Bruce’s blog regularly, and recommend it to anyone interested in security and information protection.
October 16, 2015: Helpful, easy-to-follow instructions to assess and correct your browser’s SSL vulnerability
SSL has long been the primary method for encrypting the communications between your browser and the websites you visit. However, for years there have been reports about potential ways for unauthorized parties to exploit SSL weaknesses and thus gain access to your ostensibly secure interactions.
The latest news is that the Diffie-Hellman key exchange algorithm (using 1024-bit primes) has been compromised. This has serious implications for the privacy of your sensitive communications, including banking, shopping, and email, to name just a few.
Fortunately, there’s a very helpful online tool that will evaluate your risk. You can find it at https://www.howsmyssl.com/.
You should run this tool for each browser that you use, and take action based on what it tells you. More about that later in this post.
Here’s what I learned when I ran it on my system:
- Opera (I haven’t updated this for a while, so it’s no surprise that it’s vulnerable)
- Safari (based on these results, Safari is now a no-go until I get it corrected)
- Firefox (I applied the fix from the article that I’ll describe below; the results are good)
- Chrome (once again, I configured this browser using the information from the article below)
So what should you do if you get a ‘Bad’ message from the How’s My SSL tool? The Electronic Frontier Foundation (EFF) has published an excellent, easy-to-understand article with step-by-step instructions about how to tighten your browser security.
You’ll find it here.
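The same kind of check the tool performs on a browser can be run offline against a local TLS client stack. The following is an added example (not the tool’s code and not from the original post) that reports which cipher suites a Python `ssl` client context would offer and flags those whose key exchange relies on finite-field Diffie-Hellman with server-chosen parameters (the 1024-bit prime case above), export-grade or anonymous suites; the prefix list and the “Bad”/“Probably Okay” labels are my assumptions, modelled on the categories such checkers report.

```python
import ssl

# OpenSSL cipher-name prefixes whose key exchange is finite-field DH with
# server-chosen parameters (DHE/EDH/DH), anonymous DH (ADH) or export-grade
# (EXP). Assumption: this list mirrors what a browser-check tool flags; it is
# not that tool's code.
WEAK_KX_PREFIXES = ("DHE-", "EDH-", "DH-", "ADH-", "EXP-", "EXP1024-")


def classify_cipher_names(names):
    """Return the subset of OpenSSL cipher-suite names with a weak key exchange."""
    return [n for n in names if n.upper().startswith(WEAK_KX_PREFIXES)]


def audit_client_context(ctx):
    """Report what a TLS client built from ctx would offer a server."""
    offered = [c["name"] for c in ctx.get_ciphers()]
    weak = classify_cipher_names(offered)
    # Anything below TLS 1.2 is treated as a finding in its own right.
    old_tls = ctx.minimum_version < ssl.TLSVersion.TLSv1_2
    return {
        "min_tls": ctx.minimum_version.name,
        "offered": len(offered),
        "weak_cipher_suites": weak,
        "rating": "Bad" if (weak or old_tls) else "Probably Okay",
    }


def hardened_client_context():
    """A client context that refuses TLS < 1.2 and never offers DHE/export suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # ECDHE still gives forward secrecy but the server never picks a DH prime;
    # the '!' entries strip finite-field DH, anonymous and export suites.
    ctx.set_ciphers("ECDHE+AESGCM:!DHE:!EDH:!ADH:!EXP:!aNULL")
    return ctx


if __name__ == "__main__":
    # Compare the interpreter's default client settings with the hardened ones.
    print(audit_client_context(ssl.create_default_context()))
    print(audit_client_context(hardened_client_context()))
```

TLS 1.3 suites (names starting with `TLS_`) always use ephemeral (EC)DH groups chosen from a fixed list, so they are never flagged here.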
March 1, 2015: ServiceV – a superb service virtualization technology for the API and Agile era
I’ve been working with SoapUI since its earliest days, and I’m very excited about the direction that SmartBear is taking the Ready! API platform, which includes products such as SoapUI NG Pro, LoadUI NG Pro, Security, and ServiceV Pro.
At WiseClouds we deliver classes and supporting consulting services on all these exciting solutions, and we’re honored that SmartBear directly sells these courses to their clients. Many of our students go on to earn their SoapUI certification after attending these classes.
Mock services have long been one of the most useful features in SoapUI. Customers use mock services to quickly stand up virtual versions of the real services (SOAP and REST) that are in development. They can then construct their tests using these virtual services and then quickly switch over to the live services once they’re ready. Some of these enterprises have come up with really creative uses for mock services, including simulating middleware, third party APIs, telecom switches, and all sorts of other scenarios.
ServiceV represents a bold step forward for SmartBear, offering tremendous new functionality (such as assertions, datasources, and simulation for network latency and message buses – to name just a few) for creating virtual services, which are now known as Virts.
ServiceV is an idea whose time has come, for two primary reasons:
1. The rise of the API economy
It’s no secret that APIs are more essential than ever before: it’s nearly impossible to go through your day without interacting with an API, whether or not you know it. They are the foundation of modern software, infrastructure, and the entire Internet. And APIs commonly invoke other APIs, which is an enormous increase in complexity.
This means that properly testing these assets is not an optional responsibility: it’s mandatory, and will continue to gain in importance. Failing to adequately test APIs can be disastrous – just read the news most days for the latest examples of outages, break-ins, and other API failures.
ServiceV makes it easy to develop comprehensive tests that truly reflect the realities of the modern, API-based information-processing environment.
2. The advent of Agile delivery methodologies for software
Thanks to Agile techniques, software of all types – including APIs – is delivered much more frequently now. In many organizations, the quality assurance team is finding it nearly impossible to keep pace with the frenetic schedules driven by these practices.
ServiceV is a way for architects, developers, and operations staff to provide something for their quality assurance colleagues to use while the actual services are still being shaped and refined.
At WiseClouds, we’re so enthusiastic about what ServiceV represents that in addition to our current training and consulting solutions, we’ll be launching an exciting new Software as a Service offering that’s built upon ServiceV. If you’d like to learn more about that, be sure to subscribe to the blog and I’ll keep you posted.
January 18, 2015: Bad Sales Engineer Behavior #1: Jealousy
Sales engineering (SE) can be a rewarding, intellectually challenging, and lucrative career. I’ve written many blog articles about the characteristics that exemplify a successful SE, but this series of posts is all about the kinds of actions that can damage a career.
I’ll begin with jealousy: one of the seven deadly sins that can rear its head even in places like technology sales. Surprisingly, envy is often worst when the firm’s having a great year, and everyone’s making money.
Enterprise technology salespeople live a professional life that’s fraught with peril. They must cope with constant rejection and dashed hopes from prospects, while their own management shrinks territories yet raises quotas. Predictably, this results in high job turnover and continual insecurity, not to mention lots of lost sleep.
With all these downsides, who would take on this job? Someone who wants to make lots of money, that’s who: it’s not uncommon for a sales professional to make two, three, or even ten times their expected income if (and only if) they have a good year. Meanwhile, their SEs tend to bring home a relatively predictable income every year. In a bad year, they’ll make less, but not drastically so, and in a good year, they’ll make more – maybe 25% or so, which is great, but not stunning.
In my experience, jealousy arises when a salesperson is paired closely with a single SE, and the team far exceeds their quota. Naturally, these uneven financial outcomes can breed resentment and envy in the SE, particularly when they perceive that they’ve “done all the work” to win the deals. Some SEs internalize this bitterness, while others broadcast it to the world.
A single, loud, jealous SE is all that’s necessary to create a toxic environment. First, other SEs may start questioning the compensation system and making demands, while salespeople will start wondering if their own SEs will “turn on them” if they have a good year. Ultimately, all of this reflects badly on the instigator and can even result in their replacement.
Fortunately, thwarting income envy is quite achievable. For the SE, it’s vital to accept that there’s a fundamental difference between themselves and salespeople. Quota-carrying salespeople get fired much more easily when they miss a number, while SEs tend to be kept on even when inevitable revenue shortfalls occur.
SEs should also be mindful never to complain out loud about the disparity in take-home pay. If things seem really out of whack, it’s reasonable to discreetly engage management to discuss the problem, but nothing will change the reality that salespeople will always make more money in a good year.
Finally, a relatively small percentage of SEs are capable of making the difficult shift to becoming winning sales professionals. A progressive management team should offer a clearly defined career path and supporting procedures for those that want to undertake this ambitious transition.
I’ve written quite a lot about sales engineering and the entire technical sales process. Click here for a comprehensive list.