IoT Security is Still a Major Barrier to Adoption

Kathryn Weldon – Research Director, Business Network and IT Services – Americas

Summary Bullets:

• IoT security still comes up as the number one deterrent to IoT adoption, year after year (after year!).

• While point solutions abound, the complex supplier ecosystem coupled with the diversity of IoT use cases and device types makes this a hard nut to crack.

Considering the fact that every survey ever conducted among enterprises over the last five years about IoT has shown that the number one barrier to adoption is lack of security, we would have expected the supplier ecosystem to finally “fix” this problem once and for all. But instead, with the advent of massive proliferation of IoT devices upon us, coupled with an occasional high-profile breach, enterprises are more cautious than ever and rightly so. Continue reading “IoT Security is Still a Major Barrier to Adoption” →

Deutsche Telekom’s Car SOC is Ready to Protect Drivers—Is the Auto Industry?

J. Marcus

Summary Bullets:

• Connected cars are vulnerable to the same threats facing any Internet user or device

• Deutsche Telekom proposes its Car SOC to the industry, but as of today no one is responsible for protecting drivers from cyber attacks

Connected cars, like anything else using the Internet, are exposed to a range of vulnerabilities most drivers dare not even contemplate. Even without being connected, the digital technology in place is at risk from attackers, whether through the cloning of remote control key entry and engine starting, or from malware introduced to internal systems via infected diagnostic tools at the local garage. Continue reading “Deutsche Telekom’s Car SOC is Ready to Protect Drivers—Is the Auto Industry?” →

Dear Intel, Here’s Why Selling Intel Security Would be a Huge Mistake

Summary Bullets:
• A rumored sale of its security business would be a major mistake for Intel.

• Intel Security has strong legacy products, promising new ones, winning leadership and strategy, and presents synergistic opportunities key to Intel’s future.

I’m not sure what surprised me more: Sunday’s Financial Times report that Intel was exploring a sale of its security division, or that industry observers and partners alike seem to be either indifferent or actually in favor of such a dramatic move.

Current Analysis believes a sale of Intel Security or its assets would be a mistake, for a variety of reasons. Here’s a brief look at the value Intel Security provides its parent:

Continue reading “Dear Intel, Here’s Why Selling Intel Security Would be a Huge Mistake” →

Google’s New “Android for Work” Program Actually Puts BYOD to Work

Brad Shimmin

Summary Bullets:

• Google has at last launched its Android for Work program, prioritizing Android devices within the workplace through the separation of personal and professional data profiles.
• But don’t look for Google to secure this data on its own; instead customers can look to partners AirWatch, MobileIron, SAP, Soti, MaaS360, Citrix, and others for full bore data security in the workplace.

Forget the Apple iOS and Google Android user wars. It doesn’t matter which one wins a user’s heart. In the enterprise, any enterprise willing to embrace the BYOD mindset, such questions just don’t matter. What’s important is the ability to make manageable and secure whatever crazy device users decide to bring into the workplace. But that’s never been an easy proposition. Continue reading “Google’s New “Android for Work” Program Actually Puts BYOD to Work” →

Marking HTTP Sites as Insecure: The Emperor’s New Clothes Indeed!

Mike Fratto

Summary Bullets:

• Users don’t have a way for readily knowing when a site should be protected using SSL/TLS or not, and Google engineers are proposing yet another indicator.
• A better use of their time would be in working with existing standards efforts – or starting a new one – that let site owners indicate when a site should be protected.

Google is using its size in the web arena to affect changes in how users view the relative “security” of websites. I put security in scare quotes because that word has a dubious meaning at best and more likely doesn’t mean what the company intends. The short story is that Google wants a way to indicate to end users that a page which is not properly protected using TLS – the current, improved version of SSL – is not secure. Continue reading “Marking HTTP Sites as Insecure: The Emperor’s New Clothes Indeed!” →

The Pendulum’s Swing Back to Privacy is Just Getting Started

Paula Musich

Summary Bullets:

• The growing use of encryption, especially in smartphones, gives privacy controls back to end users, much to law enforcement’s chagrin.
• The backlash against government snooping is just getting started, and it will only get louder with time and a potential defining event that will spur widespread calls for reform.

The government met last month with Apple executives to talk about the new encryption technology used in Apple IOS 8 and now Google’s Android Lollipop release that can block government access to information on smartphones, even if law enforcement has a court order. IOS 8 encrypts all data on the device and passcode protects it. Data can’t be accessed without the passcode, which Apple does not have access to. The Justice Department, FBI, NSA and others are demanding access; the industry is saying customers demand their privacy. Who’s right? The widely used WhatsApp chat service also just significantly upgraded its encryption. I think the government over-reached (especially with the NSA’s Prism program) and failed to understand the gathering backlash created by the Snowden leaks, and the high tech industry, including Apple, is seeing a negative impact on business as a result of lost customer trust. Continue reading “The Pendulum’s Swing Back to Privacy is Just Getting Started” →

Notes from the Front Line: CISOs Share their Problems and Prescriptions

Paula Musich

Summary Bullets:

• The NSA leaks have created new opportunities for non U.S.-based cloud providers.
• Developing people and political skills among IT security pros is equally as important as developing technical skills, but it is often overlooked.

I had the good fortune to attend the CISO Forum in London this week and as usual it offered a lively discussion of critical security concerns faced by enterprises, governments and non-profits. Topics covered long running themes such as how to define, measure and manage risk; how to communicate the value of and need for information security to the C-Suite and board; how getting the basics right is difficult for most organizations; the security skills shortage; the need to provide agile security and more. Continue reading “Notes from the Front Line: CISOs Share their Problems and Prescriptions” →

PII in the Sky – A Cloudy Outlook

Hugh Ujhazy

Summary Bullets:

• Asian governments are evolving their approach to managing PII data through legislative frameworks.
• Data privacy rules are converging across the region, but the onus for protection still rests squarely with the enterprise.

A fully realized cloud infrastructure promises server, storage and applications (along with all their data) floating in a glorious OpEx soup. Managed from afar, provisioned in minutes, flexible and scalable – there is little to dislike. However, for enterprises operating in multiple jurisdictions in Asia, data protection remains a key issue in planning deployments of cloud solutions. Continue reading “PII in the Sky – A Cloudy Outlook” →

Heartbleed Bug Shows Industry is Under-investing in Software Integrity

Paula Musich

Summary Bullets:

• The disclosure of the devastating Heartbleed bug – two years in the wild – illustrates how much the technology industry under-invests in software integrity.
• Bug bounty programs spur greater participation in vulnerability research, and those who benefit most directly from open source software should contribute to an open source bug bounty program.

Unless you’ve taken a holiday from the connected world, you probably know by now about the Heartbleed bug. And if you’re a CSO or CISO, you’ve most likely seen plenty of suggestions on how to respond to the threat posed by this extremely risky and widespread vulnerability. Although the effort to address the problem is not quite as Herculean, it struck me that the response to the Heartbleed bug needs to be nearly as widespread as the effort to fix the date problem at the turn of the 21^st century. Estimates that I saw about how widespread OpenSSL use is suggest that as much as 66% of all the websites across the globe use OpenSSL, and some reports suggested that the technology is embedded in a wide variety of network infrastructure devices, including routers, WLAN controllers, firewalls and more. But while enterprises had plenty of advance notice to address the date problem leading up to the year 2000, web site operators and technology vendors need to move with the utmost urgency to patch this flaw and clean up the mess created by this “catastrophic” vulnerability. It shouldn’t be a surprise that the coding error happened, and I don’t think that its existence is necessarily a condemnation of the way that open source vetting works. Continue reading “Heartbleed Bug Shows Industry is Under-investing in Software Integrity” →

Something for Everyone at Interop Las Vegas 2014

Mike Fratto

Summary Bullets:

• The upcoming Interop event in Las Vegas will offer lots of sessions and workshops from fellow IT professionals and experts to attend and get current on your interests.
• Take part in the social gathering to meet old friends and make new ones. Personal networking is as important as anything in your career.

Interop is next week and I am looking forward to catching up with old friends, peers, and colleagues and making new acquaintances. Still, the draw for me is meeting with vendors and attending a few of the presentations over the course of the event. The content this year is very solid and there’s something for everyone.

Continue reading “Something for Everyone at Interop Las Vegas 2014” →