Practical governance. This blog is about understanding and addressing risk. Systems and architectures continue to rapidly converge, hiding complexity with additional layers of abstraction. Simplicity is great for operations - as long as risks are understood and appropriately mitigated.
Monday, May 13, 2019
Monday, May 6, 2019
How important is risk assessment?
Out of more than 300 controls in PCI DSS 3.2.1, here is the list of the top 10.
Dangerous (animals, munitions, substances… or data)
- Know what you have
- Know where it goes
- Keep as little as possible
- Destroy it when you can
- Make sure you got it right (Risk Management)
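The first three items above ("know what you have", "know where it goes", "keep as little as possible") are the starting point of PCI DSS scoping for cardholder data. The following scanner is an added example, not code from this blog or from the PCI Council: it finds primary account numbers (PANs) in constructed sample records using the Luhn check, reports where they live, and reduces them to a first-six/last-four truncated form. The record layout and the test card numbers are constructed sample data.

```python
"""Discover and minimize PAN-like data in stored records (added example)."""
import re
from dataclasses import dataclass, field

# 13-19 digit runs, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that payment card numbers must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid PAN candidates found in text, digits only."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def truncate_pan(digits: str) -> str:
    """Keep first six and last four digits, mask the middle ('keep as little as possible')."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def minimize(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its truncated form."""
    def repl(m: re.Match) -> str:
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return truncate_pan(digits)
        return m.group(0)        # leave non-PAN digit runs untouched
    return PAN_CANDIDATE.sub(repl, text)


@dataclass
class ScanReport:
    """'Know what you have' and 'know where it goes': counts plus locations."""
    records_with_pan: int = 0
    pans_found: int = 0
    locations: list = field(default_factory=list)   # (record_id, pan_count)


def scan_records(records) -> ScanReport:
    """Scan (record_id, text) pairs and report which ones hold PANs."""
    report = ScanReport()
    for rec_id, text in records:
        pans = find_pans(text)
        if pans:
            report.records_with_pan += 1
            report.pans_found += len(pans)
            report.locations.append((rec_id, len(pans)))
    return report


# Constructed sample records; the card numbers are the widely published
# public test numbers, not real accounts. The "log-7" value is 16 digits
# but fails Luhn, so it must not be reported as a PAN.
SAMPLE_RECORDS = [
    ("order-1001", "card=4111 1111 1111 1111 amount=42.00"),
    ("order-1002", "card=5555-5555-5555-4444 amount=9.99"),
    ("log-7", "request id 1234567890123456 took 12ms"),
    ("order-1003", "last4=1111 amount=3.50"),
]

if __name__ == "__main__":
    print(scan_records(SAMPLE_RECORDS))
    for rec_id, text in SAMPLE_RECORDS:
        print(rec_id, minimize(text))
```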
Saturday, April 6, 2019
Notes on Data Governance -- How do you manage data?
1) What are the major EXTERNAL laws/regulations shaping data governance requirements this year?
Consumer privacy and data sovereignty are in the forefront of the news and the focus of regulatory compliance this year. GDPR, California Consumer Privacy Act, HIPAA, and others are driving internal business decisions related to technology use. Critically, the center point of many of these includes understanding the risk impact across the organization and including risk impact in your business decisions.
2) What are the major INTERNAL factors or requirements that require more vigilant or comprehensive data governance?
Internal factors driving – demanding – more vigilant and comprehensive data governance include respecting consumer and government data rights. Consumers are increasingly savvy and protective of their privacy in the backwash of Facebook and Google’s data analytics practices, and governments continue to require data sovereignty. Organizations with multinational locations must deal with these complexity factors when managing data across use cases and geographic locations. In each case, however, data should be aggregated to the extent possible, protected and monitored per applicable and changing requirements. This is a real challenge that requires proactive management.
3) Are organizations keeping up with these requirements?
Organizations struggle with the requirements. The diverse topology of new cloud-inclusive hybrid architectures and the velocity of new requirements have created a blind spot to understand what needs to be done. There is a lot of activity but it is not always the right activity. Keeping up is a challenge.
4) What tools or technologies are assisting with efforts to achieve more effective data governance? (Note to vendors: okay to discuss product categories, such as AI/machine learning, but we cannot mention specific product names, sorry.)
Three specific elements – visibility, alignment, control – work together to provide effective data governance. There are tools and technologies which provide visibility across portions of the enterprise, perform analytics, and offer some control. The ideal solution digs deep to detect every asset across the enterprise, performs predictive analytics, and provides necessary and often-repeated actions such as reporting, mitigation, and forensic detail. The differences are in scope, scale, manageability, and producing truly meaningful information. If you can’t produce meaningful and actionable information from a tool, then it’s time to rethink the value of that tool.
5) What types of changes are necessary to organizations, and the way people are managed, to achieve more effective data governance?
Organizations looking to understand the people part of the data governance problem over time have to have a firm grip on the content of their data and the body of relevant requirements from regulations, standards, best practices, and organizational policies that apply. Content and Requirements. These can change often. The most effective way to manage people is to communicate the importance of data content and regulatory requirements, including how to provide effective data governance over compliance and data risk.
Saturday, March 16, 2019
Sales Engineering -- Quick Question Hit List
Need a direct list of short questions to identify where you fit in a potential solution? Here you go:
A short list of considerations:
- How painful is this?
- Who's involved?
- When do you want to solve this?
- What are you doing now?
- How can I solve this?
A short list of considerations:
- Your customers buy from people they like. There's a complex vibe going on mixing personality, likability, respect, and trust.
- Keep it simple. The more convoluted the answers, the more I start looking for BS.
- Avoid word games and cliches. Use industry terms in grammatically correct context. But let it go if someone speaks with artistic license as long as the point is made.
- Match tone and pace. If I'm tired - don't come at me like a rabid pit bull. Just slow down and chill. If I'm upbeat, then don't bring me down. Match me. Then take me for a ride. Watch experienced Grandmothers. They'll do this with small children, and it works like a charm for adults too.
Sunday, March 3, 2019
Technology changes. Politics have not.
Excerpt from something I wrote many years ago. Thinking about this now because it's in a chapter I'm updating from nine years ago.
An Introduction to Legislation Related to Internal Controls
The global nature of business and technology has [...created standards bodies]. Participation in these standards bodies has been voluntary, with a common goal of promoting global trading for all countries at all levels. Individual countries have gone further to establish governmental controls on the business activities of corporations operating within their boundaries.
The reality is much more complex than this, as national interests, industry concerns, and corporate jockeying create political drivers that motivate the creation and adoption of legislation at all levels. Politics can have a negative connotation, but in this sense we simply mean the clear understanding that regulations generally benefit or protect a representative group of people. Nations, industries, and companies have concerns about the confidentiality, integrity, and availability of information. Agreed-upon standards and legislation are one method of ensuring those concerns are met.
The unfortunate reality is that not all sets of requirements are written equally. Sometimes it's the interests involved. Sometimes it's the people. Self-interests, self-promotion, arrogance, inexperience, lack of help, poor communications. These get in the way of results.
Tuesday, February 19, 2019
Cloud Myth: It's all the same... or It's all different...
Another round of questions....
1. What is the biggest myth business and IT departments have about the cloud?
The biggest myth organizations have about IT cloud infrastructure is that you can lift and shift your existing workloads into the cloud using the same architecture, methodology, and tools that you have used in the past. This may be true in some cases, but the reality is the architecture radically changes from one cloud to another. They all have different capabilities, and some have features that may drive business decisions from cost savings or an architectural requirement. Moving to the cloud presumes application distribution and potentially shifting trust boundaries. Risk must be managed. Visibility is required in hybrid and multi-cloud deployments along with the ability to uniformly report on and affect change across the different environments.
Planning is critical to safely and effectively migrate workloads to the cloud. The good news is that at this point there is a large body of knowledge from those that have gone before you. There are astounding successes and equally colossal failures. Work with your cloud provider closely.
2. Why is this myth so pervasive?
It's not uncommon to make assumptions based on what you have known before. However, the shift to software defined architecture creates capabilities, and in some cases limitations, that differ from traditional physical infrastructure.
3. In what way/ways does this myth hamper IT and/or business operations?
Assumptions slow the end game because you start with the wrong ideas and end up with misguided plans. A bad result is that your applications don't work as intended. Worse? The applications work, but risk is mismanaged, resulting in ineffective security or compliance controls.
Work with your cloud provider and correct your assumptions. Then create realistic strategies and a working plan. Ensure you have the proper technologies to support your applications – required to run your business – and the appropriate security and compliance controls in place – required to protect your business. Borrowing from the military, "Prior planning prevents poor performance."
4. What can be done to dispel this myth?
Learn. Attend migration workshops of the cloud providers that interest you. Preferably more than one. Build healthy budgets into the migration plans. Plan. Manage your risk.
And specifically, build budget into the plans to ensure you fully understand geographically distributed deployments and can identify risk across the distributed Data-center. The tools and methodology may change, but the end objectives of visibility and control do not change. Those are fundamental to assurance. Again. Manage your risk.
5. Is there anything else you would like to add?
Good business leaders understand and respect risk. Great business leaders learn how to manage and respond effectively to risk. The presumption is visibility. You cannot act on what you cannot see.
Thursday, February 7, 2019
Don't be Naive - Good to Great
Most people like money and opportunity. A lot. Ideally, the mission objectives and sense of purpose drive motivation, but given a similar sense of purpose and higher pay.... It happens. People move on. Getting faced with shifting slightly grey lines... Operatives working for government entities get some of the best training and are forced to learn to be resourceful. Great assets. You have to think, where do these people go in their careers? One of my closest friends is a combat mercenary. Why? Because he learned a specific skill set from the government that enables him to be effective in the physical combat theater - And he gets paid a lot of money to use this skill set. The pay? Good to Great.
Awesome reporting. Great work guys.
https://www.reuters.com/investigates/special-report/usa-spying-raven
Wednesday, February 6, 2019
Well-Architected Cloud = Manage Your Risk. Seriously.
Manage your risk. You got a cloud? What is well-architected?
Well-Architected = Risk Managed.
This series of questions came across my desk this morning. Interestingly, it took me back nearly 10 years when I first started in cloud security. I’ve been in information security for nearly 20 years, and I believe much of the strategy and definition – the construct – of the secure environment is still the same.
How would you define a well-architected cloud?
A well-architected cloud provides assurance, or the grounds for confidence that the integrity, availability, confidentiality, and accountability have been adequately met. “Adequately met” includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors by users or software, and (3) sufficient resistance to intentional penetration or by-pass. This is a close paraphrase of the definition of assurance from NIST SP 800-27.
What are the elements that go into a well-architected cloud?
There are three elements covering the technical implementation of a well-architected cloud. The technical controls of best practices, regulations, and standards based on CIS, NIST, PCI DSS, and others can be summed up into configuration, solutions, and design. Every application and endpoint must be configured to reduce the probability and impact of intentional and unintentional action. Hardening guides address many of these issues for the network, compute, storage, and virtualization components. System solutions provide additional insight, accountability, or control over the security and compliance of the environment. Examples include firewalls, identity and access management, and systems monitoring. Finally, given that each one of the individual components is secured as much as possible and additional solutions provide you the insight, accountability, and control over your environment, your last consideration is the environment design. This can include separating trusted and untrusted zones, implementing a DMZ, providing secure multi-tenancy, etc.
What's the best way to achieve a well-architected cloud?
Identify the business objectives, dataflow, and preferred user interactions before building the system. Decide how subjects will interact with data objects and what controls will be in place across the reference monitor that controls authentication and authorization. The security model of the most trusted systems in the world depends upon strong access controls. This only works if you understand who has access to critical data and how to protect it using secure configurations, solutions, and design. Bottom line. Plan for it. The military has a saying, “Prior Planning Prevents Poor Performance.”
What should IT never do when constructing a cloud architecture?
Assume that you can do a direct lift and shift into the cloud. The intent of the controls has not changed, and neither have your objectives. However, the implementation, visibility, and tools available change significantly. Take the time to understand the platform you are moving your data into and how that platform functions versus how you have handled your data in the past on premises.
What are the cloud architecture pitfalls that IT might fall into?
Again. Never assume you can do a direct lift and shift into the cloud. Never embark on a journey without a known destination and plans for how to get there. Start with a comprehensive set of security requirements inclusive of configurations, solutions, and design principles that must be met.
Is there anything else you would like to add?
Cloud environments bring tremendous opportunity, as long as you can maintain visibility and manage risk across the entire environment. That's been a consistent message on this blog since its inception in 2011. Manage Your Risk.
Thursday, March 15, 2018
Breaking up the Mundane
Blatantly ripped off some website...
1. What did the traffic light say to the car? -- Don’t look! I’m about to change.
2. Why was the little strawberry crying? -- His mom was in a jam.
3. What do you call a nosy pepper? -- Jalapeño business.
4. Why are frogs so happy? -- They eat whatever bugs them.
5. How do you befriend a squirrel? -- Just act like a nut.
6. Have you heard about the corduroy pillow? -- No? Really? It’s making headlines!
7. Why did the jaguar eat the tightrope walker? -- It was craving a well-balanced meal.
8. What did the big bucket say to the smaller one? -- Lookin’ a little pail there.
9. Why do chicken coups always have two doors? -- With four, they’d be chicken sedans.
10. What did one hat say to the other? -- You stay here. I’ll go on ahead.
11. Why did the lifeguard kick the elephants out of the pool? -- They kept dropping their trunks.
12. What do you call a pony with a cough? -- A little hoarse.
13. What do you do if someone thinks an onion is the only food that can make them cry? -- Throw a coconut at their face.
14. What do you call a man with no arms or legs wading in a pool? -- Bob.
15. What do cows most like to read? -- Cattle-logs.
16. How does a duck buy lipstick? -- She just puts it on her bill.
17. What do you call a guy with a rubber toe? -- Roberto.
18. What did the cop say to his stomach? -- Stop! I’ve got you under a vest!
19. What do you call a snowman on a hot day? -- Puddle.
20. What do you do with a sick boat? -- Take it to the doc already.
21. What did the rubber band factory worker say when he was fired? -- Oh, snap!
22. What do you do when you see a spaceman? -- Park your car, man.
23. What did one shark say to the other as he ate a clownfish? -- Well this tastes a little funny.
24. What do you do with epileptic lettuce? -- Make a seizure salad.
25. What did the older chimney say to the younger one? -- But you’re way too young to smoke!
26. Who do you call when the ocean needs a little cleaning? -- A mermaid, of course.
27. What do you call a bee that’s having a bad hair day? -- Frisbee.
28. Which plant rules the garden? -- The dande-lion.
29. Why did the skeleton hit the party solo? -- He had no body to go with him.
30. What does the cobbler say when a cat wanders into his shop? -- Shoe!
31. Why was the poor guy selling yeast? -- To raise some dough.
32. What’s a firefly’s favorite game? -- Hide-and-glow-seek.
33. Who does a pharaoh talk to when he’s sad? -- His mummy, of course.
34. What do you call a pooch living in Alaska? -- A chilly dog.
35. Why was the sand wet? -- Because the sea weed.
36. How much does a pirate pay for corn? -- A buccaneer.
37. Did you hear about that wedding? -- It was in-tents.
38. How did Darth Vader know what Luke got him for Christmas? -- He could feel his presents.
39. What do baby kangaroos wear when it’s cold out? -- Jumpsuits.
40. What kind of music do chiropractors listen to? -- Mostly hip-pop.
41. What’s the most famous creature in the ocean? -- The starfish.
42. I just wrote a book on reverse psychology. -- Do not read it!
43. What do ants get when they do all their chores? -- An allow-ants.
44. Why don’t skeletons watch scary movies? -- They just don’t have the guts.
45. What did one egg say to the other? -- Eggs-cuse me, please.
46. What’s so bad about Russian dolls? -- They’re all so full of themselves.
47. Why doesn’t anyone want to shave a crazy sheep? -- Cause it’s a baaaaaaaaaad idea.
48. What do clouds wear under their shorts? -- Thunderpants.
49. What does a farmer say after feeding a stick of dynamite to his steer? -- Abominable! [A-bomb-in-a-bull]
50. Why wouldn’t the shrimp share his treasure? -- Because he was a little shellfish.
Monday, February 27, 2017
IoT & Cloud Security Best Practices
**Briefly** in response to a request over LinkedIn... :-)
Here are a couple of links that may be helpful regarding IoT and cloud security best practices!
You can use the NIST guidelines here:
https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program
Here are a couple of AWS resources:
http://docs.aws.amazon.com/iot/latest/developerguide/iot-security-identity.html
https://aws.amazon.com/blogs/iot/category/developer-resources/iot-security