Information Security Today is brought to you by Auerbach Publications


New Books

Adaptive Security Management Architecture
Information Technology and Organizational Learning: Managing Behavioral Change through Technology and Education
Implementing and Developing Cloud Computing Applications
Security Strategy: From Requirements to Reality

Read a review in Slashdot.

Managing an Information Security and Privacy Awareness and Training Program, Second Edition
Mobile Device Security: A Comprehensive Guide to Securing Your Information in a Moving World

Adaptive Security Management Architecture Overview
The adaptive security management architecture is a method of organizing security (how it is applied, managed, supported, and incorporated into a business) to provide better business alignment, demonstrate value to the business, and be an enabler of success. Ultimately, with these capabilities in place, the objective is to create an operating environment that allows security to adapt to changes in the business and in security more efficiently and effectively. The ASMA is, in part, founded on the fact that there is a great deal of untapped expertise and capability in most information security groups and in the industry. Although these can be very powerful, there is a wide range of definitions of what security should be in the industry and in business, which results in varying forms of how security is performed.

Watch an interview with author Jim Tiller as he discusses the adaptive security management architecture.

Preventing Vendor Lock-In as You Migrate to the Cloud
While IT has been battling lock-in since the earliest days of computing, not much attention has been paid to the problem of vendor lock-in as IT rushes madly to embrace the cloud. To prevent being locked in to a single vendor, you need to ensure that the architecture you have selected can run on multiple clouds, and that the data can be easily migrated from Cloud A to Cloud B. While that sounds trite and simple, it's still true. And in theory, it is not hard. But as usual, the Devil is in the details.

Stealing Information and Exploitation: Form Grabbing
Key logging, once the favored method of capturing user input, has largely given way to form-grabbing Trojans. Form grabbers target Web applications by capturing the form's data elements before the user submits it. In this way, a form grabber yields the same key and value pairs received by the Web application, thereby assuring accurate and complete information. Several families of malicious code employ this technique, and defending against it requires preventing the initial installation of the Trojan via antivirus signatures and limiting user privileges to prevent the installation of browser helper objects (BHO).

Policy-Based Network Management
Policy-based management (PBM) is a management paradigm that separates the rules governing the behavior of a system from its functionality. It promises to reduce maintenance costs of information and communication systems while improving flexibility and runtime adaptability. It is today present at the heart of a multitude of management architectures and paradigms, including SLA-driven, business-driven, autonomous, adaptive, and self-* management.

Six Keys to Successful Security Strategic Planning
The following six elements of strategic planning are the keys to successful strategic planning: simplicity; passion (emotional energy) and speed of planning and adapting; connection to core values; core competencies; communication; and implementation.

Secure Service-Oriented Computing
Secure services essentially incorporate security into services technologies. For example, what credentials should an agent have to invoke a web service? What credentials should a web service have to invoke another web service? Should all web service descriptions be visible to every agent? How can access control be enforced on web service descriptions? How can security be incorporated into the service-oriented architectures? What are the security standards being proposed by W3C and OASIS? This chapter provides a high level overview of secure services technologies.

Why Information Security Training and Awareness Are Important
Creating an information security and privacy awareness and training program is not a simple task. It is often a frustrating task. It is often a challenging task. And many times, unfortunately, it is often a thankless task. However, providing your personnel with the security and privacy information they need, and ensuring they understand and follow the requirements, is an important component of your organization's business success.

5 Reasons Why Object Storage Is the Best Choice for Cloud Storage Environments
Cloud storage has changed the rules for deploying simpler, infinitely scalable and more affordable storage. So it makes little sense to burden a cloud storage platform with storage systems that are based on 20th century file systems that inhibit administration, scalability and cost. Selecting the correct underlying storage system can greatly impact the success or failure of implementing cloud storage. The characteristics of object storage are ideally aligned with a cloud storage infrastructure, delivering a superior cloud storage experience with better scalability, accessibility and affordability. Here are five reasons an object storage infrastructure should be the foundation for a cloud storage system.

The Insecurity of Smart Cards
Identity theft. Loss of intellectual property. Data loss. When are we going to get a handle on IT security? It will not happen until we open our eyes to what we are currently doing and make changes accordingly. Pick up any news feed on any given day and the headlines relating to IT security breaches are scary. Although there are many areas that could be addressed within IT security, few have as large an impact as the use of Smart Cards, and they illustrate the reasons why we cannot stop or even slow down the rise of data loss.

Protect Your Apache Derby Database from Superuser Attacks
Apache Derby is a relational database used by many software vendors because of its small memory footprint. In terms of security though, for every single security protection that it supports, there is at least one type of local attack. This article presents such types of attacks when someone has acquired superuser access on the Apache Derby machine. Moreover, it proposes a mechanism to protect a Derby database from additions, deletions or modifications of the records, by hashing the database entries instead of protecting the database itself.

Protecting Your Organization's Most Critical Data with Privileged Password Management
In data centers worldwide, it is common practice to hard-code passwords and user IDs in applications and scripts. Auditors and IT groups knowingly allow application-to-application passwords and user IDs to remain shared among administrators, developers and contractors. This article reviews the security risks associated with hard-coded passwords and helps organizations.

The Cost of Open Source Licensing Compliance
Open source software has become a significant component of all software development activities, intentionally and sometimes unintentionally, thanks to the abundance of available code, its apparent free cost, and high degree of stability and security. But while open source appears to be cost free, it is not without obligations, as it comes laden with licensing and copyright responsibilities that are enforceable by law. It is important for software organizations to establish appropriate IP policies that determine what specific open source licenses and license terms are acceptable for their business before products go to market.

6 Steps for Responding to a Data Security Crisis
Too often, companies that experience a data security breach only make the situation worse by not responding correctly. Mike Theriault knows what businesses need to do as soon as they realize there's a data security problem. He has boiled the best response down to six steps. He says that although they're generally sequential, the order will depend on how regulated your industry is and the types of security risks your company faces.

Legal Compliance: From Software Development to Delivery
In the age of open source and large scale outsourcing, both assuring the quality of software and taking it to market means ascertaining its legal compliance as well. Numerous legal cases in recent years have highlighted the business risks and the enormous costs incurred when this is not done properly. These costs stem from involvement in judicial procedures, software recalls, fixing legal compliance issues post-release, and missed market opportunities caused by delays in the development process. Other consequences include lowered valuations in due diligence processes triggered by customers, potential or existing investors, mergers and acquisitions, and other major transactions.

Security and the Business: The Need for an Adaptive Security Management Architecture
The adaptive security management architecture (ASMA) seeks to take advantage of existing security practices and build upon them to promote the value of security to the business and to ensure a meaningful security posture. The ASMA is as much about the business and the security organization operating as a business unit as it is about security, risk, and compliance. There are many facets to the ASMA to achieve this. Moreover, the characteristics of the ASMA provide clear visibility into operations and security that ultimately translate to adaptability and enabling the business. This excerpt explains how ASMA closes the gap between business needs and security needs and redefines security in the eyes of the business to be seen as a valuable, enabling force.

A Business Case for ISO 27001 Certification
While your organization's marketing and sales teams attempt to leverage security as a market differentiator, information security leadership faces the daunting challenge of "doing more with less." This chapter sets out the benefits and provides a business case for an information security management system (ISMS) that conforms to the ISO 27001 standard.

Holding Back: A Counter-Intuitive Approach for Virtual Leaders
In this article the authors have created some practical guidelines for virtual team leaders to help discern when team members need direction, support, or a combination of the two, and how best to provide what team members need.

Adaptive Threats and Defenses
The survival of living organisms is often dependent on their ability to compensate for changes in their environment. The ability of an organism to compensate for changes encountered is referred to as adaptation. Predominately, the methods of adaptation involve changes in the organism's behavior, physical characteristics, or both. Some creatures are able to learn new skills or tricks that allow them to cope when changes occur. In other cases an organism might undergo a genetic mutation that provides it with a slight advantage over its rivals allowing it to survive better given the changed conditions. Adaptation can also occur with the combination of altered behaviors and new mutations. The ability to adapt is also exhibited in the cyber realm by threats and defenses. This article is primarily focused on the adaptability of attacker malware and defender security tools.

The Balanced Scorecard and the Project Manager
For project managers, the balanced scorecard is an invaluable tool that permits the project manager to link a project to the business side of the organization using a "cause and effect" approach. Some have likened balanced scorecard to a new language, which enables the project manager and business line managers to think together about what can be done to support or improve business performance. This chapter examines the fundamentals of balanced scorecard as it relates to the precepts of project management. It examines the balanced scorecard in relationship to the organization and the people, processes, technologies, and products that are components of the organization’s discrete projects, programs, and collaborative efforts.

Privacy and Its Relation to Cloud-Based Information Systems
Cloud computing has significant implications for the privacy of personal information as well as for the confidentiality of business and governmental information. Any information stored locally on a computer can be stored in a cloud, including email, word processing documents, spreadsheets, videos, health records, photographs, tax or other financial information, business plans, PowerPoint presentations, accounting information, advertising campaigns, sales numbers, appointment calendars, address books, and more. There has been a good deal of public discussion of the technical architecture of cloud computing and the business models that could support it; however, the debate about the legal and policy issues regarding privacy and confidentiality raised by cloud computing has not kept pace.

IT Infrastructure Library (ITIL®)
ITIL is a set of best practices built around a process model-based view of controlling and managing IT operations. ITIL is considered one set of best practices in the more general field of ITSM. It is important to remember that ITIL is truly a library of books. The "architecture" of ITIL can be thought of as the structure imposed by the titles of the books that describe the best practices. Alternatively, the architecture can be thought of as the set of practices that make up the life cycle that ITIL describes.

Building Relationships, One Conversation at a Time: Virtual Relationships Require Real Conversations
Can you build a trusting relationship when you've never had an actual conversation? (And no, IM, email, text, Twitter and blog "conversations" don't count!) While it may be possible, it's pretty unlikely. Most business conversations tend to focus on tasks and priorities, whether to review the progress of a current project, delegate actions or make decisions. To build relationships, a certain kind of conversation needs to take place that goes beyond the usual checklist review or status report. While this type of conversation requires more effort, it's almost impossible to collaborate successfully without it. This article offers guidelines to create opportunities for conversations expressly designed to build relationships.

Information Destruction Requirements and Techniques
Organizations need to keep information such as employee personnel records, financial statements, contracts and leases, and more. Given the vast amount of paper and digital media that amasses over time, effective information destruction policies and practices are now a necessary part of doing business and will likely save organizations time, effort and heartache, legal costs as well as embarrassment and more. In today's litigious environment, there are a plethora of aggressive lawyers that would love to devour your organization for failure to take due care around document and media destruction. This article looks at the key areas to ensure that your organization does not fall prey to such lawyers when it comes to the physical destruction of documents and records.

What's Your Core IT Competency? Really?
Most everyone outsources some part of their technology operation for all sorts of good (and occasionally bad) reasons. There's a reason why the IT services industry is clipping along at well over $1B per day in the United States alone. More and more companies have discovered the benefits of outsourcing relative to the recruitment and maintenance of large internal IT staffs. In the early years, we all thought outsourcing was about saving money, but then we discovered the truth: outsourcing is not only about saving money, it's about rerouting money from non-core to core activities.

Leveraging IT Control Frameworks for Compliance
A variety of laws and regulations have surfaced over the past decade in an attempt to strengthen the security of information stored within the companies to which the information assets are entrusted. As a result of these laws and regulations, various security control "standards" and "frameworks" have evolved and become popular means to meet the requirements of the laws. Because laws and regulations are intentionally developed at a higher, "what needs to happen" level vs. the "how to secure the information" level, the standards and control frameworks become valuable tools to ensure that security is planned, organized, implemented, tested, and monitored.

Mobile Device Security
Watch as Jim Tiller talks with Steve Fried about mobile device security at Infosecworld 2010.

News

December 1, 2010 -- Gartner Reveals Top Predictions for IT Organizations and Users for 2011 and Beyond

December 1, 2010 -- New Technical Paper on Advanced Evasion Techniques

November 30, 2010 -- GAO: Federal Agencies Have Taken Steps to Secure Wireless Networks, but Further Actions Can Mitigate Risk

November 30, 2010 -- GAO: Federal Deposit Insurance Corporation Needs to Mitigate Control Weaknesses

November 19, 2010 -- Tips for Safe Shopping on Mobile Devices and Social Media Sites This Holiday Season

November 17, 2010 -- Internet Security Predictions for 2011: The Shape of Things to Come

November 17, 2010 -- Web Browsers, Desktop Software Top "Dirty Dozen" Apps List

November 17, 2010 -- IT Teams Lack Appropriate Tools to Manage Cloud and Virtual Networks

November 12, 2010 -- Symantec November 2010 State of Spam and Phishing Report

November 9, 2010 -- IT Professionals Anticipate More Employee Online Shopping This Holiday Season, Exposing Organisations to Security Risks

November 3, 2010 -- New IE Zero-Day Used in Targeted Attack

© Copyright 2010 Auerbach Publications