Saturday, April 6, 2019

Notes on Data Governance -- How do you manage data?

1) What are the major EXTERNAL laws/regulations shaping data governance requirements this year?

Consumer privacy and data sovereignty are in the forefront of the news and the focus of regulatory compliance this year. GDPR, California Consumer Privacy Act, HIPAA, and others are driving internal business decisions related to technology use. Critically, the center point of many of these includes understanding the risk impact across the organization and including risk impact in your business decisions.  

2) What are the major INTERNAL factors or requirements that require more vigilant or comprehensive data governance?

Internal factors driving – demanding – more vigilant and comprehensive data governance include respecting consumer and government data rights. Consumers are increasingly savvy and protective of their privacy in the backwash of Facebook and Google’s data analytics practices, and governments continue to require data sovereignty. Organizations with multinational locations must deal with these complexity factors when managing data across use cases and geographic locations. In each case, however, data should be aggregated to the extent possible, protected and monitored per applicable and changing requirements. This is a real challenge that requires proactive management.   

3) Are organizations keeping up with these requirements?  

Organizations struggle with the requirements. The diverse topology of new cloud-inclusive hybrid architectures and the velocity of new requirements have created a blind spot to understand what needs to be done. There is a lot of activity but it is not always the right activity. Keeping up is a challenge.

4) What tools or technologies are assisting with efforts to achieve more effective data governance? (Note to vendors: okay to discuss product categories, such as AI/machine learning, but we cannot mention specific product names, sorry.)

Three specific elements – visibility, alignment, control – work together to provide effective data governance. There are tools and technologies which provide visibility across portions of the enterprise, perform analytics, and offer some control. The ideal solution digs deep to detect every asset across the enterprise, performs predictive analytics, and provides necessary and often-repeated actions such as reporting, mitigation, and forensic detail. The differences are in scope, scale, manageability, and producing truly meaningful information. If you can’t produce meaningful and actionable information from a tool, that it’s time to rethink the value of that tool.

5) What types of changes are necessary to organizations, and the way people are managed, to achieve more effective data governance?

Organizations looking to understand the people part of the data governance problem over time have to have a firm grip on the content of their data and the body of relevant requirements from regulations, standards, best practices, and organizational policies that apply. Content and Requirements. These can change often. The most effective way to manage people is to communicate the importance of data content and regulatory requirements, including how to provide effective data governance over compliance and data risk.

Saturday, March 16, 2019

Sales Engineering -- Quick Question Hit List

Need a direct list of short questions to identify where you fit in a potential solution? Here you go:

  1. How painful is this? 
  2. Who's involved? 
  3. When do you want to solve this? 
  4. What are you doing now? 
  5. How can I solve this?

A short list of considerations: 

  • Your customers buy from people they like. There's a complex vibe going on mixing personality, likability, respect, and trust. 
  • Keep it simple. The more convoluted the answers, the more I start looking for BS.
  • Avoid word games and cliches. Use industry terms in grammatically correct context. But let it go if someone speaks with artistic license as long as the point is made. 
  • Match tone and pace. If I'm tired - don't come at me like a rabid pit bull. Just slow down and chill. If I'm upbeat, then don't bring me down. Match me. Then take me for a ride. Watch experienced Grandmothers. They'll do this with small children, and it works like a charm for adults too. 

Sunday, March 3, 2019

Technology changes. Politics have not.

Excerpt from something I wrote many years ago. Thinking about this now because it's in a chapter I'm updating from nine years ago.

An Introduction to Legislation Related to Internal Controls
The global nature of business and technology has [...created standards bodies]. Participation in these standards bodies has been voluntary, with a common goal of promoting global trading for all countries at all levels. Individual countries have gone further to establish governmental controls on the business activities of corporations operating within their boundaries.

The reality is much more complex than this, as national interests, industry concerns, and corporate jockeying create political drivers that motivate the creation and adoption of legislation at all levels. Politics can have a negative connotation, but in this sense, we simply mean the clear understanding that regulations generally benefit or protect a representative group of people. Nations, industries, and companies have concerns about the confidentiality, integrity, and availability of information. Agreed upon standards and legislation is one method of ensuring concerns are met.

The unfortunate reality is that not all sets of requirements are written equally. Sometimes it's the interests involved. Sometimes it's the people. Self-interests, self-promotion, arrogance, inexperience, lack of help, poor communications. These get in the way of results. 

Tuesday, February 19, 2019

Cloud Myth: It's all the same... or It's all different...

Another round of questions....

1. What is the biggest myth business and IT departments have about the cloud?
The biggest myth organizations have about IT cloud infrastructure is that you can lift and shift your existing workloads into the cloud using the same architecture, methodology, and tools that you have used in the past. This may be true in some cases, but the reality is the architecture radically changes from one cloud to another. They all have different capabilities, and some have features that may drive business decisions from cost savings or an architectural requirement. Moving to the cloud presumes application distribution and potentially shifting trust boundaries. Risk must be managed. Visibility is required in hybrid and multi-cloud deployments along with the ability to uniformly report on and affect change across the different environments.

Planning is critical to safely and effectively migrate workloads to the cloud. The good news is that at this point there is a large body of knowledge from those that have gone before you. There are astounding successes and equally colossal failures. Work with your cloud provider closely.

2. Why is this myth so pervasive?
It's not uncommon to make assumptions based on what you have known before. However, the shift to software defined architecture creates capabilities, and in some cases limitations, that differ from traditional physical infrastructure.

3. In what way/ways does this myth hamper IT and/or business operations?
Assumptions slow the end game because you start with the wrong ideas and end up with misguided plans. A bad result is that your applications don't work as intended. Worse? The applications work, but risk is mismanaged, resulting in ineffective security or compliance controls.

Work with your cloud provider and correct your assumptions. Then create realistic strategies and a working plan. Ensure you have the proper technologies to support your applications – required to run your business – and the appropriate security and compliance controls in place – required to protect your business. Borrowing from the military, "Prior planning prevents poor performance."

4. What can be done to dispel this myth?
Learn. Attend migration workshops of the cloud providers that interest you. Preferably more than one. Build healthy budgets into the migration plans. Plan. Manage your risk.

And specifically, build budget into the plans to ensure you fully understand geographically distributed deployments and can identify risk across the distributed Data-center. The tools and methodology may change, but the end objectives of visibility and control do not change. Those are fundamental to assurance. Again. Manage your risk.

5. Is there anything else you would like to add?
Good business leaders understand and respect risk. Great business leaders learn how to manage and respond effectively to risk. The presumption is visibility. You cannot act on what you cannot see.

Thursday, February 7, 2019

Don't be Naive - Good to Great

Most people like money and opportunity. A lot. Ideally, the mission objectives and sense of purpose drive motivation, but given a similar sense of purpose and higher pay.... It happens. People move on. Getting faced with shifting slightly grey lines... Operatives working for government entities get some of the best training and are forced to learn to be resourceful. Great assets. You have to think, where do these people go in their careers? One of my closest friends is a combat mercenary. Why? Because he learned a specific skill set from the government that enables him to be effective in the physical combat theater - And he gets paid a lot of money to use this skill set. The pay? Good to Great.

Awesome reporting. Great work guys.

Wednesday, February 6, 2019

Well-Architected Cloud = Manage Your Risk. Seriously.

Manage your risk. You got cloud? What is well-architected?

Well-Architected = Risk Managed.

This series of questions came across my desk this morning. Interestingly, it took me back nearly 10 years when I first started in cloud security. I’ve been in information security for nearly 20 years, and I believe much of the strategy and definition – the construct – of the secure environment is still the same.

How would you define a well-architected cloud?

A well-architected cloud provides assurance, or the grounds for confidence that the integrity, availability, confidentiality, and accountability have been adequate met. “Adequately met” includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors by users or software, and (3) sufficient resistance to intentional penetration or by-pass. This is a close paraphrase of the definition of assurance from NIST SP 800-27. 

What are the elements that go into a well-architected cloud?

There are three elements covering the technical implementation of a well-architected cloud. The technical controls of best practices, regulations, and standards based on CIS, NIST, PCI DSS, and others can be summed up into one of three categories including configuration, solutions, and design. The situation is straightforward. The configuration of every application and endpoint must be configured to reduce the probability and impact of intentional and unintentional action. Hardening guides address many of these issues for network, compute, storage, and virtualization components. System solutions provide additional insight, accountability, or control over the security and compliance of the environment. Examples include firewalls, identity and access management, and systems monitoring. Finally, given that each one of the individual components are secured as much as possible, and additional solutions provide you the insight, accountability, and control over your environment, your last consideration is the environment design. This can include separating trusted and untrusted zones, implementing a DMZ, providing secure multi-tenancy, etc. 

What's the best way to achieve a well-architected cloud?

Identify the business objectives, dataflow, and preferred user interactions before building the system. Decide how subjects will interact with data objects and what controls will be in place across the reference monitor that controls authentication and authorization. The security model of the most trusted systems in the world depends upon strong access controls. This only works if you understand who has access to critical data and how to protect it using secure configurations, solutions, and design. Bottom line. Plan for it. The military has a saying, “Prior Planning Prevents Poor Performance.”

What should IT never do when constructing a cloud architecture?

Assume that you can do a direct lift and shift into the cloud. The intent of the controls have not changed, and neither have your objectives. However, the implementation, visibility, and tools available do change. Take the time to understand the platform you are moving your data into and how that platform functions versus how you have handled your data in the past on premises.

What are the cloud architecture pitfalls that IT might fall into?

Again. Never assume you can do a direct lift and shift into the cloud. Never embark on a journey without a known destination and plans for how to get there. Start with a comprehensive set of security requirements inclusive of configurations, solutions, and design principles that must be met. 

Is there anything else you would like to add?

Cloud environments bring tremendous opportunity, as long as you can maintain visibility and manage risk across the entire environment. That's been a consistent message on this blog since its inception in 2011. Manage Your Risk.

Thursday, March 15, 2018

Breaking up the Mundane

Blatantly ripped off some website...

1. What did the traffic light say to the car? -- Don’t look! I’m about to change.
2. Why was the little strawberry crying? -- His mom was in a jam.
3. What do you call a nosy pepper? -- JalapeƱo business.
4. Why are frogs are so happy? -- They eat whatever bugs them.
5. How do you befriend a squirrel? -- Just act like a nut.
6. Have you heard about the corduroy pillow? -- No? Really? It’s making headlines!
7. Why did the jaguar eat the tightrope walker? -- It was craving a well-balanced meal.
8. What did the big bucket say to the smaller one? -- Lookin’ a little pail there.
9. Why do chicken coups always have two doors? -- With four, they’d be chicken sedans.
10. What did one hat say to the other? -- You stay here. I’ll go on ahead.
11. Why did the lifeguard kick the elephants out of the pool? -- They kept dropping their trunks.
12. What do you call a pony with a cough? -- A little hoarse.
13. What do you do if someone thinks an onion is the only food that can make them cry? -- Throw a coconut at their face.
14. What do you call a man with no arms or legs wading in a pool? -- Bob.
15. What do cows most like to read? -- Cattle-logs.
16. How does a duck buy lipstick? -- She just puts it on her bill.
What do you call a guy with a rubber toe? -- Roberto.
18. What did the cop say to his stomach? -- Stop! I’ve got you under a vest!
19. What do you call a snowman on a hot day? -- Puddle.
20. What do you do with a sick boat? -- Take is to the doc already.
21. What did the rubber band factory worker say when he was fired? -- Oh, snap!
22. What do you do when you see a spaceman? -- Park your car, man.
23. What did one shark say to the other as he ate a clownfish? -- Well this tastes a little funny.
24. What do you do with epileptic lettuce? -- Make a seizure salad.
25. What did the older chimney say to the younger one? -- But you’re way too young to smoke!
26. Who do call when the ocean needs a little cleaning? -- A mermaid, of course.
27. What do you call a bee that’s having a bad hair day? -- Frisbee.
28. Which plant rules the garden? -- The dande-lion.
29. Why did the skeleton hit the party solo? -- He had no body to go with him.
30. What does the cobbler say when a cat wanders into his shop? -- Shoe!
31. Why was the poor guy selling yeast? -- To raise some dough.
32. What’s a firefly’s favorite game? -- Hide-and-glow-seek.
33. Who does a pharaoh talk to when he’s sad? -- His mummy, of course.
34. What do you call a pooch living in Alaska? -- A chilly dog.
35. Why was the sand wet? -- Because the sea weed.
36. How much does a pirate pay for corn? -- A buccaneer.
37. Did you hear about that wedding? -- It was in-tents.
38. How did Darth Vader know what Luke got him for Christmas? -- He could feel his presents.
39. What do baby kangaroos wear when it’s cold out? -- Jumpsuits.
40. What kind of music to chiropractors listen to? -- Mostly hip-pop.
41. What’s the most famous creature in the ocean? -- The starfish.
42. I just wrote a book on reverse psychology. -- Do not read it!
43. What do ants get when they do all their chores? -- An allow-ants.
44. Why don’t skeletons watch scary movies? -- They just don’t have the guts.
45. What did one egg say to the other? -- Eggs-cuse me, please.
46. What’s so bad about Russian dolls? -- They’re all so full of themselves.
47. Why doesn’t anyone want to shave a crazy sheep? -- Cause it’s a baaaaaaaaaad idea.
48. What do clouds wear under their shorts? -- Thunderpants.
49. What does a farmer say after feeding a stick of dynamite to his steer? -- Abominable! [A-bomb-in-a-bull}
50. Why wouldn’t the shrimp share his treasure? -- Because he was a little shellfish.

Monday, February 27, 2017

IoT & Cloud Security Best Practices

**Briefly** in response to a request over LinkedIn... :-)

Here's a couple links that may be helpful regarding IOT and cloud security best practices!

You can use the NIST guidelines here:

Here's a couple AWS resources:

Sunday, October 30, 2016

2016 Controls Map - Indexed to NIST - Free Gift

Delivered to you with pleasure and as a courtesy of one of the best managers I have had. Jerry Breaud trusted me to run with my gut instinct and allowed me to work on a personal project designed from its initial conception to give as much to the community as it does to our company.

Thank you to VMware and Intel, both of whom supported this effort and allowed me to create, validate, and openly give this information back to the community so that others can benefit from this work product.

You can find the mapping under the documents tab. Direct link here.

Look for 2016 Controls Map New_River_v5 CG (012).xlsm. Please note this is a macro-enabled spreadsheet. View the macro using [ALT]-[F11].

Quick Summary
The purpose of the build kit is to create a blueprint for a repeatable solution that is capable of meeting multiple compliance requirements. The objective is to build the solution properly the 1st time, and have the solution meet the technical control requirements for multiple regulations, standards, and best practices. While we have appreciation and understanding for administrative and physical controls, our focus is understandably on the technical configuration and setup of these complex virtual systems.

We continue to see large multinational organizations struggling with the complexity of multiple regulations and required combined control frameworks. We have spoken with senior security and compliance executives from financials, defense, and many other entities with sensitive data. This is a serious and daunting problem – and we have good news.

The opportunity is to create a sustainable common controls baseline to address multiple regulations and standards. It's as simple as this. The result helps organizations quickly to a lowest common denominator set of technical configurations that collectively create a technical build gold configuration. This is a baseline set of configurations with a target of achieving 90+ % compliance for a majority of authoritative sources out-of-the-box aligned with NIST controls.

Someone recently looked at the body of work and made the assumption we simply borrowed from existing mappings. We looked. And were not satisfied with the accuracy and usefulness of the common existing mappings out there. This was several months of heads-down effort reviewing every single control and then getting two different third party audit firms to supplement the effort.
  • Review and complete where necessary control mappings from common regulations, standards, and best practices into NIST.
  • Identify any control gaps and create an effective control overlay. 
  • Independently validate results by at least 2 different consulting companies formally, and informally with a number of peers.

The incredible work NIST has done with bodies of work like NIST SP800-160 Systems Security Engineering Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems by Dr. Ron Ross, Michael McEvilley, and Janet Carrier Oren greatly inspired our team. We borrowed generously from these materials.
  • Recommended common control alignment map to NIST with additional control overlays addressing multiple regulations and standards. 
  • Recommended product configurations, security solutions, and specific design requirements to create repeatable, compliant, secure systems.

But I didn't think PCI mapped directly into SP800-53?
It doesn't. Please allow me to introduce the concept of overlays in case you haven't run across them before. Taken from the summary document...

[...] To help ensure that selected and implemented controls are sufficient to adequately mitigate risks to organizational operations and assets, SP 800-53 Rev. 4 introduces the concept of overlays. An overlay provides a set of security controls, control enhancements, and supplemental guidance for community-wide use or to address specialized requirements, technologies, or unique missions and environments of operation. For example, the federal government may decide to establish a government-wide set of security controls and implementation guidance for public key infrastructure (PKI) systems that could be uniformly applied to information. [...]

Tuesday, October 4, 2016

Microsoft Throws Down!

First, I read this... Then I reviewed the Trust Center *once again*... to see if there have been any changes in the last couple weeks.

For those that are unaware of the great strides Microsoft has made in the world of audit attestation, pay close attention to the additions and greatly enhanced Microsoft Trust Center. You can search services, location, and/or industry for compliance adherence.

I know several people over at Microsoft, and it is with sincere pleasure that I'm excited about the way that Microsoft is executing on using trust as a competitive differentiator. My hat is off. Excellent work. The cloud competitive market has no option but to respond. The speed with which Microsoft has built parity with Amazon's compliance technical marketing should be noticed.

Microsoft is serious about compliance and fully intends to capitalize on the investment that went into appealing to a broad market shaken by shifting regulatory requirements and frequent security breaches. What they have done isn't cheap. Or easy. But it will surely pay off.