Andreas M. Antonopoulos is principal research analyst at Nemertes Research.
For the past several years, I have had the honor of writing for Network World in "Risk and Reward." Unfortunately, that time has come to an end as I am leaving the world of independent analysts to pursue new adventures. In my last column, I'd like to explore some of my recurring themes and offer some predictions for the future.
Failing an audit sounds like the last thing any company wants to happen. But that's because audits are seen by many as the goal of a security program. In reality, audits are only the means of testing whether enforcement of security matches the policies. In the broader context, though, an audit is a means to avoid a breach by learning the lesson in a "friendly" exercise rather than in the real world. If the audit is a stress test of your environment that helps you find the weaknesses before a real attack, you should be failing an audit every now and then. After all, if you're not failing any audits, there are two possible explanations:
For years, Facebook users have been clamoring for better privacy controls and clarity, while Facebook engineers oscillate between improvements and major privacy snafus. Every now and then a new wave of exasperated users cries out, "That's it, I'm leaving." Up to now, users really didn't have anywhere to go after quitting, so they effectively quit the social media scene, self-ostracized (MySpace is equivalent to being exiled, perhaps worse). Now that they have somewhere else to go (Google+), Facebook is ramping up its privacy controls and seems to be taking privacy more seriously. Let the privacy competition begin!
For two decades, the dominant security model has been location-centric. We instinctively trust insiders and distrust outsiders, so we build security to reflect that: a hard perimeter surrounding a soft inside. The model works best when there's only one connection to the outside, offering a natural choke point for firewall defense.
The torrent of smartphones and tablets entering companies has created some interesting challenges for security managers. The new devices introduce new operating systems, new development environments and new security risks, but no new control. The scariest acronym in security might well be "BYOD," or "bring your own device." As companies develop security and mobility strategies to deal with these devices, it is worth bearing in mind the lessons learned from managing laptops. But it is also worth applying some of the new lessons from smartphones on the laptops, too!
Desktops and servers are being transformed by virtualization and multi-core CPUs, but that effect is a bit harder to see in security. Multi-core CPUs especially hold the possibility of completely transforming how and where we do security. One of the effects is to shift more of the security functions into the network. Another may be to radically change the software architecture within and across security appliances.
Are you ready for a natural disaster, denial of service or security breach? If one happened right now, would you have a plan ready to respond to it? What the recent highly publicized security breaches demonstrated was that some companies were ready and some were woefully unprepared. Part of that has to do with technology and security controls, but most of it is about planning and process, not tools. So what does it take to be ready for an attack?
With all the bad security news that has come out over the last few months, you might think the sky is falling. Once a story catches people's attention, we start seeing it everywhere, kind of like noticing a lot of blue cars after you just bought a blue car. The problem with all this is that it distorts the conversation and we may fail to notice the really important security lessons that can be learned:
Is there such a thing as too much security?
In just one week, privacy advocates have seen two major proposals to promote consumer privacy on the Internet. In California, SB-761, a "Do-Not-Track" bill regulating tracking cookies, passed through committee, clearing a major hurdle to adoption. Simultaneously, Sen. Rockefeller introduced a very similar bill in the US Senate. Both bills would require companies to honor a "Do-Not-Track" preference set by consumers, usually as a browser setting. The bills represent a significant step forward in online privacy and should be strongly supported by voters.
