Be cloudy and secure...

Security


Top Stories

The lead topic of every information technology (IT) conversation today is cloud computing. The key point within each of those conversations is inevitably cloud computing security.  Although this trend is understandable, the sad part is that these conversations will tend to focus on all the standard security pros, cons and requirements. While protecting data from corruption, loss, unauthorized access, etc. are all still required characteristics of any IT infrastructure, cloud computing changes the game in a much more profound way. Until now, IT security has been akin to early 20th century warfare.  After surveying and carefully cataloging all possible threats, the line of business (LOB) manager and IT professional would debate and eventually settle on appropriate and proportional risk mitigation strategies. The resulting IT security infrastructures and procedures t... (more)

Federal Government Releases Guide to Enterprise IT Security

The National Institute of Standards and Technology (NIST) recently released a draft "Guide to Adopting and Using the Security Content Automation Protocol" (SCAP) for public review. The guide takes a close look at what they describe as "the need for a comprehensive, standardized approach to overcoming security challenges found within a modern enterprise IT environment". In case you're not familiar with SCAP, it comprises a suite of specifications for organizing and expressing security-related information in standardized ways, as well as related reference data, such as identifiers for software flaws and security configuration issues, mostly geared toward federal government agencies. Although SCAP can be used for maintaining the security of enterprise systems, such as automatically verifying the installation of patches, checking system security configuration settings, ... (more)

Windows Server 2012 Installation Options

New and flexible ways to change a Windows Server 2012 installation after the fact are now available. IT pros can convert a server to and from Server Core, and change the availability of server components that were previously committed at installation time. This introduces new dynamics and exciting scenarios for improving supportability, efficiency, and security. This article highlights the three available installation options and some key operations based on the Release Candidate, Build 8400. Additional information on Windows Server 2012 is available elsewhere, including a free eBook, available editions, and a reference table summarizing the available features in each installation option. Server Core: This is the default and preferred configuration for deploying Windows Server 2012. Server Core was introduced in Windows Server 2008 as a minimal ... (more)

Cyber Security Industry Alliance Issues Findings from Summit on Sarbanes-Oxley and IT Security

ARLINGTON, Va., Aug. 15 /PRNewswire/ -- Cyber Security Industry Alliance (CSIA), the only public policy and advocacy group dedicated exclusively to cyber security, today released a report that summarizes key findings and conclusions from a conference held to discuss the adequacy of guidance given on IT security in Sarbanes-Oxley. Today's announcement follows a Sarbanes-Oxley compliance initiative that began in 2004 with a CSIA report outlining the implications of Section 404 for information security. Attendees at IT Security and Sarbanes-Oxley Compliance: A Roundtable Dialogue of Lessons Learned, addressed whether the statutory and administrative materials governing Section 404 provide enough guidance on IT security to enable management and auditors to carry out their compliance obligations. "The conference proceedings and subsequent announcements from the Securities... (more)

Database Security in the Cloud

We often get requests for best practices related to relational database security in the context of cloud computing. People want to install their database of choice, whether it be Oracle, MySQL, MS SQL, or IBM DB2… This is a complex question but it can be broken down by asking “what’s new in the cloud?” Many techniques that have existed for ages remain important, so let’s briefly review database security in general. Database Security in Context: A database usually does not stand alone; it needs to be regarded in the light of the environment it inhabits. From the security perspective, it pays to stop and think about: Application security. The application which uses the database (“sits atop” the DB) is itself open to various attacks. Securing the application will close major attack vectors to the data, such as SQL injection. Physical security. In the cloud context, it mea... (more)

A Simple Way to Programmatically Create SharePoint Security Groups

When it comes to SharePoint deployments, I try to automate everything I can. I don’t like manual steps, especially when it comes to setting up security. A common task when deploying any site is setting up security in some manner. Today I am going to cover how to easily store definitions of your SharePoint security groups in an XML file. We’ll use LINQ to XML to make reading the file a breeze, and then we’ll use the SharePoint object model to create the groups and add users (or AD groups). I’ve blogged on how to create a group before, but we’re going to take this a step further by giving you code that you can easily add to a feature receiver or console application. First let’s take a look at the XML file we’re going to use. (more)

Governance Grows More Integral to Managing Cloud Computing Security

Most enterprises lack three essential ingredients to ensure that sensitive information stored via cloud computing hosts remains secure: procedures, policies and tools. So says a joint survey called “Information Governance in the Cloud: A Study of IT Practitioners” from Symantec Corp. and Ponemon Institute. “Cloud computing holds a great deal of promise as a tool for providing many essential business services, but our study reveals a disturbing lack of concern for the security of sensitive corporate and personal information as companies rush to join in on the trend,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. Where is cloud security training? Despite the ongoing clamor about cloud security and the anticipated growth of cloud computing, a meager 27 percent of those surveyed said their organizations have developed procedures for approving c... (more)

Poll Confirms Cloud Security Concerns

Sam Gross is Vice President of Global IT Outsourcing Solutions at Unisys Corporation, where he leads the vision, strategy, technology development and implementation for Unisys innovative global IT outsourcing solutions. He is a recognized industry expert and thought leader in business and IT alignment, application management, service level management and enterprise systems management. Here's his latest Tweet: Sam_Gross: Poll shows security concerns top other barriers to cloud computing by ~35 percentage points. See results, lower right: http://www.unisys.com. ... (more)

Next Year in the Threat Webscape -- Websense Security Labs Predictions for 2010

SAN DIEGO, CA -- (Marketwire) -- 12/03/09 -- Websense, Inc. (NASDAQ: WBSN) today released its list of security predictions and trends anticipated for 2010. Researchers in the Websense® Security Labs(TM) have identified emerging security exploits and trends anticipated to increase during the next 12 months. The emerging trends and predictions show an overall blending of security threats across multiple attack vectors for the purpose of roping computers into bot networks and stealing valuable confidential information. Researchers believe that hackers will look to compromise new platforms such as smartphones and take advantage of the popularity of Windows 7. They are also expected to compromise the integrity of search engine results and use legitimate advertisements to spread their malicious content. "Threats on the Web continue to parallel Internet users' Web use patte... (more)

Open Group Focuses on Cloud Security

Standards and open access are increasingly important to users of cloud-based services. Yet security and control also remain top-of-mind for enterprises. How to make the two -- cloud and security -- work in harmony? The Open Group is leading some of the top efforts to make cloud benefits apply to mission critical IT. To learn more about the venerable group's efforts I recently interviewed Allen Brown, president and CEO of The Open Group. We met at the global organization's 23rd Enterprise Architecture Practitioners Conference in Toronto. Here are some excerpts: Brown: We started off in a situation where organizations recognized that they needed to break down the boundaries between their organizations. They're now finding that they need to continue that, and that investing in enterprise architecture (EA) is a solid investment developing for the future. You're not going... (more)

Audits and Certificates Won't Erase Cloud Security Concerns

In every cloud survey, security consistently comes out as an inhibitor to cloud adoption. Even though this has been the case for several years, many feel that it is a temporary barrier which will be resolved once cloud offerings get more secure, mature, certified, and thus accepted. But is this indeed the case or do we need another approach to overcome this barrier? During a recent cloud event, two speakers from a large accounting and EDP auditing firm took the stage to discuss the risks of cloud computing. While one speaker dissected the risks for both consumers and providers of cloud services, the second speaker discussed the various certifications and audit schemes that are available in each area. They acknowledged that with the currently available certifications, not all risks were covered, but their envisioned remedy was even more comprehensive certification... (more)