Network World

Andreas Antonopoulos

Security: Risk and Reward

By Andreas M. Antonopoulos

Antonopoulos is a senior vice president and founding partner at Nemertes Research, a leading independent technology research firm.

This column is also available as an e-mail newsletter called Security in Practice.

Iran's data leakage 'problem'
06/24/09
In the wake of Iran's statistically and historically dubious election results, the world has been glued to screens (both TV and IP) watching the unfolding protests and violence. Despite a complete media and communications blackout, the videos, photos and messages are leaking out continuously. But how are all these leaks occurring?
Building a data center security architecture
06/10/09
Data center architecture has been changing quite dramatically over the past few years. In many data centers, organic growth had left them broken up into application silos. The standard three-tier architecture was copied for each application leading to a fairly hierarchical network. In this architecture, some core security services, such as firewalls and intrusion prevention, were concentrated at the root of the network tree, closest to the ingress routers and around any DMZs.
Why we need a single, strong federal privacy law
05/26/09
Regulatory compliance continues to be the main driver for security spending in almost all industries. But in essence, compliance is asymmetrical warfare: it costs a lot more to comply with new regulations than it does to write them.
Dark cloud computing
05/12/09
Cloud computing offers tremendous promise for the future of computing. In the cloud you will be able to link together remote computing resources to achieve massive amounts of computing without any of the capital infrastructure costs.
The Kilo-Day threat and mundane security
04/29/09
In the security business we spend a lot of time worrying about the "zero-day" threat that appears out of nowhere and immediately starts attacking a hitherto unknown vulnerability.
UC security: When the shoe doesn't fit -- compress the foot
04/14/09
If your security model is location-centric and depends on keeping things separate, how do you respond to a disruptive technology like unified communications? This is a pattern that keeps repeating in many different areas: the security paradigm looked good until a technology comes along, changes the assumptions and reveals the inadequacy of the model.
Do I own my machine?
03/31/09
The built-in Webcam light is on. It shouldn't be on. I'm not using any recording, video-conferencing or photo applications. Why is it on? Is someone watching me? It's at times like this I get the eerie feeling that I don't actually, fully and completely own my machine. Turns out it was a driver problem, all fixed now. But I still can't shake that feeling.
Digital healthcare stimulus brings opportunities, risks
03/18/09
Healthcare in the United States is going digital, which brings both tremendous opportunities and security risks. Digital healthcare brings the promise of increased quality of care, reduced errors and reduced cost and overhead in the provision of care. Yet the United States lags other countries in the use of technology in healthcare records. Fewer than 10% of hospitals and 16% of doctors use electronic health records. This is about to change.
The fantasy and reality of government security
03/03/09
In the movies the government has always got the best toys, the cutting edge technology and the tightest security standards. Those who have worked on security projects within the government know that in real life government security standards and implementations can vary all across the range from quite serious to laughable.
ATM hack: Organized crime or market forces?
02/17/09
In November of 2008, a single scam netted more than $9m in a global ATM heist. According to the FBI, the attackers compromised pre-paid payroll cards from RBS WorldPay and gift cards, launching a coordinated attack against more than 130 ATMs in 49 cities around the world. The cards were exploited by "cashers" who withdrew money during a single 30-minute window.
Rogue Firefox add-ons bring security risks
02/03/09
Security is as much about choices as it is about policies. Which software solution you pick is as important as how you configure and use it. With the vast majority of threats today coming from the Web, the choice of browser is critical. With few exceptions, most Web sites are cross-browser compatible. Choosing a browser is less about compatibility and more about usability and security.
Virtualization security: So far nothing
01/20/09
In April 2004 I wrote my first article on the topic of virtualization security. I was trying to bring attention to the security aspects of this "new" technology that was getting quite a bit of hype at the time. The hope was that this time security would not be an afterthought, that we would reverse the equine-escape/egress-closure sequence. The naivete of youth!
On botnets, encryption and mega-worms: Security predictions for 2009
12/30/08
My predictions for information security in 2009 are just predictions, not recommendations. I am trying to guess what will happen, not suggesting what should. As always, take these with a grain of salt.
The security prognosticator is in
12/10/08
At the end of 2007 I wrote a column on the future of security in 2008. Now it's time to look back at my look ahead and see how it all went.
No one gets fired for banning IM
11/25/08
The argument for security that enables business risk where the risk brings a compelling ROI or competitive differentiation.
When insiders attack: How recessions make good people do bad things
11/12/08
Whom can you trust? In security, many of us nurture a healthy sense of paranoia and tend to be distrustful. But as human beings, as social beings, we form bonds of trust with those around us.
How to sustain security on a tight budget
10/28/08
Whether you believe we are in or about to enter a recession, IT budgets are certainly tightening up for 2009.
The process and culture of security
10/15/08
I'm always amazed at the tenacity and inventiveness of my fellow Greeks. They actually manage to get things done in a system that makes it look impossible to achieve much at all.
Can you keep users from importing their own applications?
09/30/08
Shadow IT is all the IT that was neither planned nor approved by anyone but gets chosen, deployed and used by end users. Some see this as grass-roots deployment of cool technologies; some see it as weeds growing from any crack in the IT plan. If you don't build it, they will go find it elsewhere. And even if you build it, if it isn't adequate, comprehensive, flexible and easy to use, they will go find it elsewhere.
Privacy, security issues darken cloud computing plans
09/16/08
Enterprises are increasingly interested in cloud computing as a potential solution to capacity challenges. The idea is that if you have a virtualized data center, the cloud could potentially be an “overflow” data center where you expand capacity during periods of high demand. If the cloud can extend your data center, then you don’t need to build another one or increase the capacity of the one you have just to handle intermittent spikes in computing demand.
The challenge of securing virtualization operations
09/02/08
I have been very interested in virtualization security since early 2004 and it now seems like it has become a mainstream topic. Most of the focus however is on securing the technology of virtualization (the hypervisor) and providing virtualized security (usually as virtual appliances). My focus nowadays is more on the operational impact of virtualized infrastructure and by extension the impact on security operations. After all, security controls (technology) are essential but without operational controls (people) they are not sufficient. So what is the operational impact of virtualization?
Georgia cyberwar overblown
08/19/08
Last week Russian tanks rolled into South Ossetia while Russian bombers were taking out critical communications infrastructure. But even before the first tank rolled across the disputed borders, another war was brewing in cyberspace.
What you don't know about security can hurt you
08/05/08
In reading an early release of an information-security survey conducted by the RSA Conference, two findings caught my attention.
No excuses -- encrypt all laptops
07/22/08
No more excuses: If you're not encrypting laptops, you are not applying due diligence.
Security tribulations breed guilt by association
07/08/08
The headline read “Google loses employee data.” It caught my attention as I thought of all the implications this has for all the other data Google stores. A headline like that hits a nerve, I take it personally, because like most of us I immediately think of my search history from the last 10 years.
