Network World

Security: Risk and Reward

By Andreas M. Antonopoulos

Search Security: Risk and Reward

Antonopoulos is a senior vice president and founding partner at Nemertes Research, a leading independent technology research firm. Contact him.

This column is also available as an e-mail newsletter called Security in Practice. Sign up to receive the newsletter here:

Can you keep users from importing their own applications?: 09/30/08; Shadow IT is all the IT that was neither planned nor approved by anyone but gets chosen, deployed and used by end users. Some see this as grass-roots deployment of cool technologies; some see it as weeds growing from any crack in the IT plan. If you don't build it, they will go find it elsewhere. And even if you build it, if it isn't adequate, comprehensive, flexible and easy to use, they will go find it elsewhere.
Privacy, security issues darken cloud computing plans: 09/16/08; Enterprises are increasingly interested in cloud computing as a potential solution to capacity challenges. The idea is that if you have a virtualized data center, the cloud could potentially be an “overflow” data center where you expand capacity during periods of high demand. If the cloud can extend your data center, then you don’t need to build another one or increase the capacity of the one you have just to handle intermitted spikes in computing demand.
The challenge of securing virtualization operations: 09/02/08; I have been very interested in virtualization security since early 2004 and it now seems like it has become a mainstream topic. Most of the focus however is on securing the technology of virtualization (the hypervisor) and providing virtualized security (usually as virtual appliances). My focus nowadays is more on the operational impact of virtualized infrastructure and by extension the impact on security operations. After all, security controls (technology) are essential but without operational controls (people) they are not sufficient. So what is the operational impact of virtualization?
Georgia cyberwar overblown: 08/19/08; Last week Russian tanks rolled into South Ossetia while Russian bombers were taking out critical communications infrastructure. But even before the first tank rolled across the disputed borders, another war was brewing in cyberspace.
What you don't know about security can hurt you: 08/05/08; In reading an early release of an information-security survey conducted by the RSA Conference, two findings caught my attention.
No excuses -- encrypt all laptops: 07/22/08; No more excuses: If you're not encrypting laptops, you are not applying due diligence.
Security tribulations breed guilt by association: 07/08/08; The headline read “Google loses employee data.” It caught my attention as I thought of all the implications this has for all the other data Google stores. A headline like that hits a nerve, I take it personally, because like most of us I immediately think of my search history from the last 10 years.
Communal security?: 06/24/08; I’ve visited quite a few countries in Asia over the last two years. In the various airports I passed through I often saw people wearing surgical masks. I also saw “fever checkpoints” in most major airports. These checkpoints have infrared cameras that show a thermal false color picture of passengers as they are funneled through immigration. The signs surrounding the checkpoints indicated that the purpose was to identify people with a fever so as to screen for various types of flu (avian or other). This is classic perimeter control, network access control even, applied in the real world.
A question of trust and identity: 06/10/08; What is the right balance between security and privacy? This is a common starting point in many policy discussions, especially in government. It’s a trick question because it presets the conversation as a balancing act between two values as if they are antithetical – they are not. In practical terms, privacy is security.
Less is more (secure): 05/27/08; Complexity is the enemy of security. Simple systems are inherently more secure than complex solutions.
Which IT security skills are most important?: 05/13/08; I often hear from IT executives that it is hard to recruit and retain 'good security people.' Many lament the shortage of skills in this area and cannot reconcile the skills offered with the positions that need to be filled. Is there really a shortage of good security people? Or just a mismatch in the skills and the jobs?
Security preparedness instead of threat prediction: 04/29/08; In the last column I talked about the challenge of trying to predict attacks, and how that approach leads to "anti-X" security strategies that are rapidly made obsolete by each new wave of threats.
Attackers are thinking outside the box: 04/16/08; Security expert Andreas Antonopoulos explores the challenge of figuring out what the next big security attack will look.
Security in a bubble: 03/18/08; Sometimes small, incremental changes add up in a way that isn't noticed until a change in degree becomes a change in kind.
Virtualized security: the next frontier: 03/11/08; Companies are adopting virtualization technologies at a faster and faster rate. They are virtualizing servers, desktops, storage, networks. But one aspect of infrastructure has been lagging – very few companies address the growing demand for virtualized security.
Privacy and the coming backlash: 02/27/08; Network World security columnist Andreas Antonopoulos discusses the growth of identity theft and the need in the United States for stronger privacy protection.
Network threats develop 'antibiotic' resistance: 02/12/08; The scientific field of biology has provided many useful metaphors, such as "virus" and "infection," for the study of malware. Many researchers have used biology and evolution science to create innovative defenses against malware, in many ways simulating the functions of biological immunity systems. I find that biological sciences and especially evolution provide some great insights into the behavior of malware, malware creators and malware defenses over longer periods of time. I also see a lot of parallels between the evolution of malware and the evolution of darknets (stealthy P2P networks).
When it comes to security, chaos may be your friend: 01/29/08; Viruses and other malware are getting better at evading antimalware systems despite the sophisticated behavioral-analysis systems that are used to detect them. This week a rogue trader in France was able to hide a growing loss until it reached $7 billion and was impossible to hide. What do these two events have in common? Both exploit the predictability of defenses to evade detection.
Floating data offers unique security challenges: 01/15/08; You've probably already read the news of a company planning to use container ships as floating data centers. The plan is similar to the modular shipping container data centers. Only instead of parking them in your back lot, you moor them to a nearby pier. The company, International Data Security, is planning to deploy the first such data-ship next to Pier 50 in San Francisco.
Security: What will be hot in 2008?: 12/19/07; There are two ways to predict the future with 100% accuracy. You either have the power to shape the future to your predictions (the God method) or you make your predictions vague enough so that they fit most conceivable outcomes (the Nostradamus method). For those of us without omnipotence and with a desire to write something meaningful, that leaves the alternative: extrapolate from in-depth research, solid statistics and current trends and hope for minimum volatility (disruptive innovation or externalities) in the outcome.
Convenient credit = security threat: 12/05/07; There were more than 20 major data compromises in the last three months that went almost completely unreported. Eventually we all become resigned to the fact of identity theft/loss. But I’m not giving up so easily.
Re-assessing risk (The crown jewels are almost worthless): 11/19/07; A popular expression in security circles is to equate critical company intellectual property with the crown jewels. The crown jewels are protected by many layers of security, but the truth is that they make very poor targets for theft because they are far too distinctive to fence. To sell such items, a thief would have to take great risks and heavy discounts. Yet, in most information security risk-assessment methodologies we measure the loss impact for the company and ignore the gain potential for the thief.
Encryption is the name of the game: 11/06/07; Up to now we’ve used encryption to protect against criminal elements, but what about using it to protect our data from service providers?
Divided we fall: 10/23/07; I’ve always believed in the importance of maintaining a well-designed emergency response capability. For many years I helped organize security operations centers (SOC), computer emergency response teams (CERT) and incident response teams (IRT). No company is ever 100% secure. Breaches happen and will continue to happen. “Secure” companies are the ones that are able to efficiently and effectively mitigate the damage from a security incident. Looking back, I would probably do things a bit differently now. A key difference would be the balance between company privacy and involvement of law enforcement.
Combining work and play threatens business security: 10/10/07; Nine-to-five is quickly becoming a quaint memory in many workplaces. Flex time, teleworkers, road warriors and home offices are increasingly blurring the distinction between "my time" and "work time." That means more work is done during off-hours but also that more "play" is done during work.

View more Most Read

Rss Feed

Get instant email notification when white papers, webcasts, executive guides are added to our library. Stay informed and up-to-date with the latest on IT Technologies with Network World's Resource Alerts.

Network World,to go. Wherever you are. Breaking news delivered to your mobile device. Select the hottest topics in networking and start receiving Network World on your mobile device today.

Partner Content

Brilliantly simple security and control solutions for email, web and endpoint

www.sophos.com

Stopping data leakage

Learn how to exploit your current security investment to control the information that flows into, through and out of your network.

Download the white paper.

Why detection rates aren't enough

Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask prospective vendors to get the right endpoint solution.

Download the white paper.

Applications: taking back control

Employees installing unauthorized applications is a growing threat to business security and productivity. Cost-effectively reduce this threat by integrating control into your malware protection.

Learn more today.

NetworkWorld, Inc.	About Network World, Inc. \| Advertise \| Careers \| Contact us \| Terms of Service/Privacy \| Reprints and links \| Partnerships \| Press room \| Subscribe to NW
IDG, Inc.	CIO \| Computerworld \| CSO \| Demo \| GamePro \| Games.net \| IDGconnect.com \| IDG World Expo \| Infoworld \| JavaWorld.com \| LinuxWorld.com \| MacUser \| Macworld \| PC World \| Playlistmag.com \| The Industry Standard \| IDG List Services \| IDG TechNetwork
	Copyright © 1994-2008 Network World, Inc. All rights reserved.

Skip Links

Network World