The overall theme this year at the RSA 2010 Conference in San Francisco that surrounded the conference was Information Security in Cloud Technologies how to prevent the Cloud Technologies from raining on everyone's parade. The article that I am highlighting in this blog "Research Challenges in Enterprise Cloud Computing: It is important to highlight cloud computing research challenges from an enterprise perspective because cloud computing is not simply about technological improvement of data centers but a fundamental change in how IT is provisioned and used."

Another interesting insight about this article is the inclusion of Nichols Carr's book "The Big Switch: Rewiring the World, from Edison to Google" noting that in the earily 1900's companies maintained their own power plants even though it was not their main expertise and how companies are maintaining their own Data Centers even though it is not their primary expertise. It is interesting though that last week on CBS 60 minutes broadcast the topic was how Cloud Computing providers are leading the way to provide their own green technology power plants.

The effects on IT and Security roles in their relationships with the user community and service providers will continue to evolve, as IT departments must make sure their cloud services can be migrated or failed over between service providers should one cloud service provider go out of business, as well as issues concerning certification, interoperability, API's between cloud vendors as well as SLA management, Privacy Rights Protection, and Intellectual Property Protection. "It it not clear "whether a cloud will be considered to legally be in one designated location [...] or in every location that has a data center that is part of the cloud"

These research challenges are interdisciplinary in nature, and there is a need for more co-operation between researchers, cloud users, and service providers.

REF;

Research Challenges in Enterprise Cloud Computing

netForensics announced that Network Products Guide, the industry's leading information technology research and advisory guide has named nFX Cinxi One, a winner of the 2010 Product Innovation Award. This award is given to vendors that show excellence and vision in delivering best of breed technology. This honor coincides with netForensics appearance this week at the security industry's premier event, RSA Conference 2010 in San Francisco, CA, where the company will showcase the award winning nFX Cinxi One Security information and event management (SIEM) and log management appliance.

Click here for the full story

Hulver's Impressive IT-Security Background Over Nearly Two Decades and Dedication to Improving America's Security Posture Underscore Reasons for Award

Tracy Hulver, Executive Vice President of Products and Marketing of netForensics, has been named a 2010 Security Superstar by CRN's Everything Channel. CRN's comprehensive list represents today's thought leaders and technology innovators in the information security industry.

"The IT security industry is a rapidly changing landscape that continues to challenge both security vendors and companies of all types and sizes. I am honored to play a role in helping companies gain clear visibility into their security posture," said Tracy Hulver. "The Solution Provider Community is at the forefront of helping businesses improve and manage the security of their networks and through their efforts we can better defend against complex and malicious threats to corporate and government data as well as critical infrastructure."

Click here for the full story

As Gordon Smith from Canaudit Inc. pointed out this week "What do hackers want? they want your data." They go through great lengths not only to obtain your data but to correlate that data to make it even more valuable to their clients.

Last year we posted an article published by a German Online News service "wiwo.de" on a sting operation that involved millions of consumers correlated information for sale that may have come partly from well known back doors in customer corporate data.

Today it was published on that Deutsche Telekom found itself in the middle of a scandal accused of giving mobile phone retailer The Phone House access to data on 16 million T-Mobile Germany Customers according to the report published at wiwo.de "Deutsche Telekom: violation of the law, by secret agreements?"

As we have seen through the recent attacks on Google and Intel that no matter how your infrastructure is secured you can be come a target for an attack that they may have been in the planning for sometime or someone waiting for that pre-zero data vulnerability that allows them access to trust relationships.

Who as access to your personnel information and what information is available from their browsers and shares. As Gordon points out in his article it maybe as simple as someone bringing in a laptop that has internet access or wireless scans from your lobby or elevators.

Related articles by Zemanta

• Deutsche Telekom reportedly considering T-Mobile IPO (seattletimes.nwsource.com)
• T-Mobile USA could be spun off or sold (ecombizcenter.blogspot.com)

According to the New York Times Bits Section Intel and Google were under "sophisticated" Cyber Attacks in around the time frame. Intel reports that although the events were close in time that they were unrelated. The cyber-attacks against Intel was reported in it's annual report to the Security Exchange Commission. Intel reported that it did not suffer a wide spread attack and no intellectual property was exposed.

On 2/20 the New York times reported that two Chinese Universities were involved in the attacks against Google and other corporations since then the Universities have denied any involvement in the attacks. "It was not until 2006 that our graduates began to join the army. So far, 38 students have been recruited by the military for their talent in auto repair, cooking and electric welding," said Zhou Hui, director of Lanxiang school's general office. He disputed claims in the New York Times article, which cited anonymous officials from the US National Security Agency, that there was a link to a computer science class taught at the school by a Ukrainian professor.

in other news the Telegraph.co.uk published that Cyber attacks in 2009 cost on average 1.2 Pounds a year.

Last October we published information regarding published report by Northrop Grumman a study done for the U.S.-China Economic and Security Review Commission
that describes similar tactics. ( Thank you Niels Groeneveld of "Operation Aurora" for reminding me about the relationship. If you have not read the Northrop Grumman report it is an interesting read on social and economic effects of this type of behavior.

SIEM in the Cloud Solutions Drive 3rd Consecutive Quarter of Growth

netForensics' continued growth this quarter was achieved in large part due to is its market-ready SIEM in the Cloud solutions. For organizations looking to deploy software-as-a-service (SaaS), Cloud security is a primary concern. netForensics' capabilities of adding a defensive layer to the cloud architecture enable organizations to achieve the same level of situational awareness as if the security was installed locally. For those organizations that require additional security expertise to mitigate the increasing threats facing their environments, netForensics' deployments with Managed Security Service Providers provides yet another option to ensure an acceptable level of risk.

click here for the full story

Developing an Information Security Privacy Schedule for Service Provider Transactions by David Navetta.

This article points out the need for customers to develop Information Security and Privacy Schedules as part of their Service Provider agreements. As more and more of our Information Technology and Information Security moves to out sourced technologies, customers need to be aware that not only are they still responsible for the privacy and security of their data, but may be undertaking the risks involved with utilizing the service providers information security environment.

"The Customer should think of the Service Provider's security as an extension of their own internal security." IT Services and Information Security Management must undertake the security of how the trust relationships with their Service Providers are handled and how those relationships may impact the business, should the Service Provider be compromised or suffer a breach.

In David Navetta's closing statement, he mentions the impact of incidents, not from the initial impact of the exploitation of an exposure but the after effects concerning liability and reputation damage. "First, it is not unusual for a security incident to yield "consequential damages" in addition to "direct damages," including loss of profits, lost customers, attorney fees, breach notice costs and other similar costs. If the overall contract contains a consequential damages disclaimer, the Customer should endeavor to get an exception for consequential damages arising out of a security incident and/or breach of the Schedule."

The credibility and reliability of your information security program is now an integral part of stability and reputation of the business along with how well you are maintaining the trust relationships with your business partners and service providers which are now part of your extended business and control environment. The days of IT involving a few core services are gone and now have been replaced by data moving in and out of the environment for outside processing and storage, site to site vpns, international privacy and security laws of internal, external data and the rise of "Cyber insurance". David's article covers a wide variety of suggestions of what can be included in the Security /Privacy Schedule in contractual agreements with Service Providers.

Related articles by Zemanta

• Cloud Security and Privacy (oreilly.com)
• National Survey Reveals Privacy Breach Notification and Reputational Damage among Top Concerns with Regards to New Privacy Rules (eon.businesswire.com)
• Why "Verified By Visa" System Is Insecure (news.slashdot.org)

Yesterday at the Security Awareness for 2010 ISACA meeting in Philadelphia John Raezer delivered a welcomed presentation on Risk Management Effectiveness.

How Information Technology and Information Security Management must understand the Business Model. What are the key assets, what are their exposures and vulnerabilities,
and from the peril of a threat what would be the outcome. It is not only the identification or the recognition of a incident but what was the root cause and contributing factors, how does this information get included or relayed back to Business Intelligence information. What are the distribution of events not only in near real-time
but historically their severity, impacts, risk response, what policy and procedures were used in containment, mitigation, follow up step and what was the contributing factors,
who owns the Risk Relationships.

In his example on why Frameworks such as BASEL, COSO, COBIT, are so important was the highest thing that affected corporate reputation to it's business partners, customers, and suppliers was accounting irregularities. By far accounting irregularities had the highest corporate reputation risk of affecting your business with suppliers, business partners, and customers, he sited some recent banking incidents as an example of customer and partner distrust.

The need to study and understand what disruptive technologies will have an impact on business processes how many industries are using chaos theory for risk assessment, black swan events the unexpected, unexpected and how we must understand the Language of Risk, not only in the physical world but in the virtual world and that eventually he believed there will be Risk Management Accounting.

If you get a chance to read his presentation or see him speak on the values of risk management in the enterprise it is well worth the time.

Related articles by Zemanta

• Are You Ready to Implement a Supply Risk Solution? (spendmatters.com)
• ISA chairman assures nation: Your data is safe (go.theregister.com)

According to IT World Canada ,
A Microsoft-employed forum moderator had other advice. "For the people who installed [the update but] cannot start the computer normally, it is better to wait for the next stability and reliability update," said Arthur Li on Feb. 1. "Since there are thousands of different hardware and software configurations, it is hard for Microsoft to test the updates on all the different hardware and software configurations."

Microsoft Support

If there is one thing that makes everyone kind of nervous is the instability of new operating systems being deployed in the enterprise, with IE having control issues, there would be a concern that the OS would also have stability problems.

Just a quick note that 2 Mozilla Firefox Add-Ons were found to include a little more than bargained for in the form of Windows-based trojan malware. To be sure, these weren't the most popular add-ons in the catalog, with only around 4,600 downloads between the 2 infected offerings.

These add-ons were available for download from the Mozilla site. This only goes to underscore the importance of having your local scanners active and up to date. You shouldn't blindly download, install or run code from any website, vendor or media regardless of its intentions or reputation. "Trust but verify," seems to apply here.