Tag Archives: security

Can service and security co-exist? What is the Glue that brings them together?

01 Wednesday Jun 2016

Posted by in Uncategorized

Leave a comment

Tags

, , , , , , , , ,

There are a number of pilot implementations on smart access for providing services for the last mile for eCommerce.   These include DHL having access to your vehicle by means of a smart access code to your car locks in order to leave a package you ordered in the trunk (boot for my British friends), working together with Audi and Amazon to create a trial service for Audi users. Volvo has also started addressing this area.

The audit ability of who has had access to your vehicle, particularly from an auto insurance perspective, would be a concern as to know who exactly has been in the vehicle in case of theft of personal objects of value.   However, there is a trend for your vehicle to be more of a storage facility than just a transport option, as discussed here.   Personally, while moving house recently, my car became a storage locker as well!

Those of us who are used to having house cleaning services know the dilemma of giving someone access to your home without your presence.   Anyone who has rented out part of their home for AirBnB has had to deal with this issue.

The latest pilot that caught my eye was in Sweden, where a combination of postal courier and grocery stores are testing a service that stocks your refrigerator while you are not home, so you can come home to a fully stocked kitchen.  PostNord is running this pilot with 20 homes in Sweden.

Here you would have to have a smart lock installed on your home which can be opened with the smart phone app of the courier service.   The company that has created this lock is called Glue AB and it allows residents to decide remotely who to give access to their homes.    You can see the video on the project here.

Is “in-fridge” delivery the next wave of on-demand commerce services?  Will this encourage people to think differently when it comes to opening up their homes (cars, or other personally owned objects) for convenience services?    Will access control to your home, intelligent alerts and secure encrypted technology give you greater peace of mind as Glue states on its homepage?

I think the audit ability (again insurance and theft/damage) with immutability would be useful, and could easily be tracked and audited not only for damage, but for performance (e.g. number of hours house cleaner worked, correlated to access to the home).  Can this be tied to the objects themselves, with an IoT component?

Smart access is a growing trend that I will continue to be examining and discussing in the coming months.

 

 

 

 

 

 

 

 

Webinar on securing IT assets

02 Monday May 2016

Posted by in Uncategorized

Leave a comment

Tags

, , ,

Having secure IT assets should enhance the overall user experience by ensuring security is more effectively and more seamlessly embedded into everyday IT and IT services provisioning activities. But IT assets have a lifecycle, and they need to be protected differently during this lifecycle. Automation of the protection process allows the core competencies of the staff to be focused on more strategic aspects of asset security than patch management or stolen passwords.

I recently shared a webinar with Dell and Markit on IT asset management and information security, which you can listen to on InfoSecurity Magazine here.

Some of the points I was making in my presentation on IT asset management were:

  • The lifecycle cost of an IT asset begins with planning and design and continues through procurement, adoption, operations, maintenance, rehabilitation/renewal, and disposal/replacement.
  • IT asset management (ITAM) seeks to optimize costs through each stage of this lifecycle, while meeting established levels of service, reliability, and risk. In today’s enterprise, ITAM plays a dual role of asset management and risk protection.
  • Protection levels can be performance-related (critical value to the business), or customer/regulatory related (impacting response times, complaints, information availability, etc.).
  • Risk is the exposure and uncertainty assumed due to the opportunity for significant damages. And data from IDC had previously forecasted that by this year, 25% of large enterprises will make security-related spending decisions based on analytical determinations of risk.

But what kind of IT assets bring the most concern to the enterprise today? Half the world’s population will be on mobile Internet by 2020. And the key drivers behind the growth in the mobile worker population include the increasing affordability of smartphones and tablets combined with the growing acceptance of corporate bring your own device (BYOD) programs. In addition, innovations in mobile technology such as biometric readers, wearables, voice control, near-field communications (NFC), and augmented reality are enabling workers in completely new ways, increasing productivity by enhancing communications and business workflows.  And these devices need to be secured to protect the enterprise.  But it is not just about endpoints, but also the network and the physical assets of the enterprise that are impacted by IT asset management not being automated and hardwired into the organization.

So one of the key points I made was that the key to a successful IT asset management program is the legwork performed before selecting solutions, including evaluating your existing IT environment, gaining executive sponsorship, setting program goals, committing the appropriate human resources, and designing strong processes that support your organization’s business objectives. Before getting started with your asset management security program, it is important to achieve the following milestones to ensure not only that the right solution is selected, but that the processes are formally established, understood, and documented.

One of the discussion points between myself and my fellow presenters was the fact that older IT assets are not as well documented as the newer ones.  I mentioned in the conversation that I had a 10 year old Dell from previous employment that was still able to access that domain. ( I am not sure which was the more startling statement, then 10 year old Dell still worked or that it could still log on to the systems of my previous employer!)   We discussed the concept of good practices (ISF Standard of Good Practice) and the importance, not only from a risk perspective but also from a compliance agenda, to be able to reduce the risk of information security being compromised by weaknesses in hardware / software and protect assets against loss, as well as support development of contracts and meet compliance requirements for licensing.

One other point I made in the presentation was around encryption. It is necessary that an IT department have an encryption plan to provide reasonable assurance that all enterprise owned devices, such as laptops, can be identified and encrypted. Encryption is at the heart of a complete endpoint security solution. When you safeguard the data, you reduce the risk of compromising sensitive customer or employee information, confidential files, and your company’s reputation.  So you need to make it easier to identify and activate new devices as they come on the network for their usage of encryption.  And to find the older devices as they log back in for software updates into the network.

The CISO on our panel from Markit talked about the convergence of IT asset management (ITAM) and security.  His point was the security professional had a very different point of view in the past on what an asset is because their focus is information risk. IT managers focused instead on where physical hardware was at any time; from a software standpoint, the focus was on consolidating license negotiations.  Now this is coming together, not only due to cyber threats but for protection of the rest of the assets (data or otherwise) of the enterprise.  Another point he made was that decisions regarding procurement, deployment and management of technology are not made centrally and then there is a disconnect. There is no point in putting into place sophisticated network forensic tools (from the network team) if there is no basic patch management from the desktop team.

Our main point: There needs to be a holistic view of IT asset management throughout the lifecycle of the object in question, and throughout the entire IT team as to how to address the risk profile of the assets.

IBM expands its ecosystem by opening APIs for QRadar

08 Tuesday Dec 2015

Posted by in Uncategorized

Leave a comment

Tags

, , , ,

IBM today (8 December 2015) made some interesting information security announcements. The first was that IBM is opening the APIs of its IBM Security QRadar to allow developers to build custom apps utilizing the platform’s advanced security intelligence capabilities. The second announcement is that IBM has created a marketplace community called IBM Security App Exchange to engage developers to create and share apps based on the company’s security technologies.

The rationale behind IBM opening up the APIs for QRadar is to extend the ecosystem to encourage and engage developers and partners to further utilize the capabilities of its advanced security platform and take it deeper into the enterprise. In the newly built community, IBM and partners including Bit9 + Carbon Black, BrightPoint Security, Exabeam and Resilient Systems already have populated this exchange with dozens of customized apps that extend IBM Security QRadar security analytics in areas like user behavior, endpoint data and incident visualization. This opening of the APIs allows the security community to rapidly build new QRadar applications using software developer kits. IBM Security will be monitoring and testing every application before it is posted to the App Exchange to examine the integrity of these community contributions to the platform.

To further address cyber threats in the enterprise space, there is a need for a more open and collaborative approach to security to get more developers involved and more applications integrated into the advanced platform of IBM. Enlarging the ecosystem will allow IBM to integration with third-party technologies and provide even better visibility into more types of data threats.

With thousands of customers now standardizing on IBM’s security technologies, opening this platform for closer collaboration and development with partners and customers changes the economics of fighting cybercrime,” said Marc van Zadelhoff, Vice President, Strategy and Product Management, IBM Security. “Sharing expertise across the security industry will allow us to innovate more quickly in order to help stay ahead of increasingly sophisticated attacks.”

Who benefits from this announcement are software security tool developers wanting to partner with IBM Security to get access to some of the best security analytics out there. IBM Security operates one of the world’s broadest security research and development, and delivery organizations.

IBM was also announcing today a new release of IBM Security QRadar, which further integrates QRadar with IBM BigFix endpoint security management to help customers better prioritize threats and patches on user devices.

Servicing the IoT – an industry onto itself?

11 Sunday Oct 2015

Posted by in Uncategorized

Leave a comment

Tags

, , ,

I was reading the press release from last week’s Gartner Symposium in Florida.  Although I do not agree with the timing of the events they predict, two of them are of distinct interest to me given my own areas of research in marketing automation and IoT infrastructure.

First point:  All of the enabled objects (IoT) will require service and maintenance.  Well, they do now already require service and maintenance, but with the “phone home” ability of connectivity and some level of intelligence, the down time of objects can be significantly reduced.  This will be helpful given our reliance on said objects will increase as a function of their intelligence.

It is likely that an unique service industry will develop in and around IoT objects, and those who provide service to infrastructures will need to add knowledge about internet enabled devices to their portfolio.  Real time automation again rears its head, so those with skills in simulation and utility management will benefit.

Second point: A certain percent of business content will be authored by machines.  [To be frank, given the poor writing skills of many of the millennials I teach, this can only be a good thing. 😉 ]   Seriously, there are many items that can be automated in terms of corporate communication.  I would agree that business reports can become automated and their contents more automatically disseminated. And preferably NOT in terms of increasing the volume of email!

I have to say I like their point 5, and agree with the statement: “Smart building components cannot be considered independently, but must be viewed as part of the larger organizational security process. Products must be built to offer acceptable levels of protection and hooks for integration into security monitoring and management systems.” It is clear that holistically a smarter workplace must be greater than the sum of its parts.   Integration and baking security into the workplace is a necessity for protection of corporate capital.