Security: Risk and Reward

By Andreas M. Antonopoulos

Antonopoulos is a senior vice president and founding partner at Nemertes Research, a leading independent technology research firm.

Parting Thoughts: The world of security has turned on its head
For the past several years, I have had the honor of writing for Network World in "Risk and Reward." Unfortunately, that time has come to an end as I am leaving the world of independent analysts to pursue new adventures. In my last column, I'd like to explore some of my recurring themes and offer some predictions for the future.
Fail a security audit already -- it's good for you
Failing an audit sounds like the last thing any company wants to happen. But that's because audits are seen by many as the goal of a security program. In reality, audits are only the means of testing whether enforcement of security matches the policies. In the broader context, though, an audit is a means to avoid a breach by learning the lesson in a "friendly" exercise rather than in the real world. If the audit is a stress test of your environment that helps you find the weaknesses before a real attack, you should be failing an audit every now and then. After all, if you're not failing any audits, there are two possible explanations:
Competing for privacy in a social media world
For years, Facebook users have been clamoring for better privacy controls and clarity, while Facebook engineers oscillate between improvements and major privacy snafus. Every now and then a new wave of exasperated users cries out "That's it, I'm leaving." Up to now, users really didn't have anywhere to go after quitting, so they effectively quit the social media scene, self-ostracized (MySpace is equivalent to being exiled, perhaps worse). Now that they have somewhere else to go (Google+), Facebook is ramping up its privacy controls and seems to be taking privacy more seriously. Let the privacy competition begin!
The changing face of identity and location security
For two decades, the dominant security model has been location-centric. We instinctively trust insiders and distrust outsiders, so we build security to reflect that: a hard perimeter surrounding a soft inside. The model works best when there's only one connection to the outside, offering a natural choke point for firewall defense.
IT security's scariest acronym: BYOD, bring your own device
The torrent of smartphones and tablets entering companies has created some interesting challenges for security managers. The new devices introduce new operating systems, new development environments and new security risks, but no new control. The scariest acronym in security might well be "BYOD," or "bring your own device." As companies develop security and mobility strategies to deal with these devices, it is worth bearing in mind the lessons learned from managing laptops. But it is also worth applying some of the new lessons from smartphones on the laptops, too!
Imagine: Massively scalable multi-core security
Desktops and servers are being transformed by virtualization and multi-core CPUs, but that effect is a bit harder to see in security. Multi-core CPUs especially hold the possibility of completely transforming how and where we do security. One of the effects is to shift more of the security functions into the network. Another may be to radically change the software architecture within and across security appliances.
Lockdown: How would you handle emergency network operations?
Are you ready for a natural disaster, denial of service or security breach? If one happened right now, would you have a plan ready to respond to it? What the recent highly publicized security breaches demonstrated was that some companies were ready and some were woefully unprepared. Part of that has to do with technology and security controls, but most of it is about planning and process, not tools. So what does it take to be ready for an attack?
Regaining perspective on security problems
With all the bad security news that has come out over the last few months, you might think the sky is falling. Once a story catches people's attention, we start seeing it everywhere, kind of like noticing a lot of blue cars after you just bought a blue car. The problem with all this is that it distorts the conversation and we may fail to notice the really important security lessons that can be learned:
Can you have too much security?
Is there such a thing as too much security?
Do-not-track me!
In just one week, privacy advocates have seen two major proposals to promote consumer privacy on the Internet. In California, SB-761, a "Do-Not-Track" bill regulating tracking cookies, passed through committee, clearing a major hurdle to adoption. Simultaneously, Sen. Rockefeller introduced a very similar bill in the US Senate. Both bills would require companies to honor a "Do-Not-Track" preference set by consumers, usually as a browser setting. The bills represent a significant step forward in online privacy and should be strongly supported by voters.
How to be an effective security buyer
In previous columns I have repeatedly emphasized the importance of interoperability and the danger of security fragmentation. Security is so fragmented that it is often hard to discern between hype and reality.
Security fragmentation needs to end
A new week, a new rash of attacks against security vendors, email marketers and banks. It would be easy to point fingers and laugh at the irony, especially in the case of security vendors, but that would be both petty and shortsighted.
Attacks on the foundation of our industry
In the two weeks since my last column, the security industry has been rocked by several extremely serious attacks against some of our fundamental pillars of trust: two-factor authentication (RSA SecurID) and SSL certificates (Comodo).
Security will rescue cloud computing
Whenever the topic of security is mentioned in the context of cloud computing, it is usually discussed as the "big barrier" to adoption. The perceived or actual lack of security in the cloud makes it impossible for businesses to make the leap into this new computing paradigm. I propose a different perspective: Security will rescue cloud computing.
We need to ignite a Layer-1 revolution
Egypt's revolution was heralded as a success story for social media services such as Twitter and Facebook. Western journalists fawned over every rare example of social media, ignoring the more mundane but far more important communication services such as cellular phone calls and text messaging. The really interesting story out of Egypt, and more recently Libya, Iran and other places, was the communications blackouts imposed by each regime. While the West focused on layer-7 technologies, the tyrants were smart enough to strike at the root of their citizens' efforts: layer-1 physical connectivity for phones.
Should you worry about rogue wireless network access points?
The subject of rogue access points (RAPs) has been on our minds lately, and in our ongoing 2011-2012 benchmark interviews we have been asking folks about their experiences with them.
Can you guarantee secure remote access from devices in the wild?
In the course of scores of conversations about security, I have regularly elicited a gobsmacked silence with a simple question: "How do you reliably secure access from an untrusted computer?"
Is SaaS office safe?
Is software as a service (SaaS) office safe? We get this question a lot, and the SaaS office suites most often asked about are Google Apps for Business and Microsoft Office. This security concern is reflected in our research numbers: Fewer than 18% of organizations are planning to deploy SaaS office, but nearly twice as many companies are evaluating it.
Recalculating the telephony security equation
Among the threats that keep IT security managers up at night, attacks against phone systems have often ranked near the bottom. The last time we asked IT leaders about their telephony security plans, just 2% had experienced a security incident, and in almost all of these cases, the attack was internal misuse of phone systems for personal long-distance calls. Few had developed any sort of comprehensive security or risk analysis plan covering their voice systems.
More censorship, data breaches and devices: Security predictions for 2011
This past year has been a doozy in the security world. We kicked off the year by discovering Operation Aurora, saw the first national-industrial sabotage attack with Stuxnet, and are closing the year with WikiLeaks about to become a constitutional crisis between the First Amendment and a 1917 espionage law. Reality has well and truly become weirder than fiction.
What security wrought in 2010
Every year, I try to predict the top trends in security for the upcoming year. To give myself a sense of accountability, I always look back at how well those predictions worked out and either abandon them or double down for the next year! It's time to test my annual security predictions for 2010.
Password cracking in the cloud
On-demand cloud computing is a wonderful tool for companies that need some computing capacity for a short time but don't want to invest in fixed capital for the long term. For the same reasons, cloud computing can be very useful to hackers -- a lot of hacking activities involve cracking passwords, keys or other forms of brute force that are computationally expensive but highly parallelizable.
Don't be an application bigot
Many security decisions and acceptable use policies are based on a false categorization of applications. "Business applications" are good, safe and have business value. "Personal applications" are bad, unsafe and have no business value.
Privacy? Run a background check on yourself
My company hired a new employee recently and as part of my responsibilities, I ran a basic background check for our new hire. If you've never seen a professional background check, you will most likely be shocked by the level of detail that can be gleaned from public records.
Waging crypto wars 2.0
I was drawn to security in the early '90s during the crypto battle against the U.S. government, which was trying to force companies to adopt broken encryption with built-in backdoors, like the failed Clipper Chip. Fortunately, the crypto wars were won by the side of reason, not least because of activists hoarding crypto technology in offshore locations.