Securing all of the things – Valory Batchellor – Ep44

It’s not news to anyone listening to this show that the challenge around the security of our data and systems is a substantial one. Our technology seems to be under constant threat, from external hackers, to insiders, from targeted attacks to malware finding its way randomly onto our systems and causing havoc and all of this before we look at increased regulation and compliance demands.

The ever-increasing threat has led to us looking to technology to help protect our systems, however this has now led to its own problems, with many of us investing in numerous platforms and tools which has created a huge sprawl of solutions, that do not interact, all have their own consoles and all are presenting us with alerts and notifications that we then expect our already stretched IT function to understand and act upon.

This range of individual tools of course, also means that problems can “slip through the net” as the disjointed use of technology does not necessarily allow us to see the correlation between alerts that in themselves are insignificant, but when put together point to an attack or breach in progress.

It is this problem that has inspired this series of Tech Interviews episodes looking at the security challenge, we have episodes looking at some new approaches with anonymization and blockchain, but we start by looking at the bigger picture, of building a modern security strategy.

I’m joined by Valory Batchellor of IBM. IBM has done some interesting work in building what they call their Immune System, this looks to help people step back from the problem and take a wider strategic approach to tackling the security threat.

In this chat we look at the current and evolving threat, the challenges presented by multiple, disjointed security tools and we also discuss the future and how machine learning and artificial intelligence could give us an infinite amount of security analysts, working on an infinite amount of security problems, with unlimited resources!

Valory provides some fantastic insight with a real enthusiasm and obvious expertise for her subject, so enjoy the show as we look to “secure all of the things”.

You can find Valory on twitter @ValBatchellor

You can find out more from IBM security at securityintelligence.com and www.ibm.com as well as look at some of the research from IBM x-force.

And do look at the work the national cybersecurity centre here in the UK is doing via their website www.ncsc.gov.uk

Next week I’m joined by Harry Keen from anon.ai as we look at data anonymization and the part it plays in data security.

To catch that show, why not subscribe on iTunes, SoundCloud or Stitcher.

Thanks for listening

Advertisements

What you don’t know, may hurt you – John Hughes – Ep 20

We are all familiar with the saying “what you don’t know, won’t hurt you”. Well in the world of data management, security and privacy the opposite is most definitely true.

For most of us, as our organisations become more digital, we are increasingly realising the value of our data, how big an asset it is and how important maintaining it is.

However, although we understand how valuable our data is, we actually have very little insight into what is happening to it on a day to day basis.

Ask yourself, do you know exactly what data you have across your business, do you know exactly who has access to it, where it is stored, when it gets accessed, if it even gets accessed and when it’s accessed what gets done with it?

In my time administering IT systems, or working with those that do, I’ve lost count of the amount of times I’ve been asked “who changed that file”, “who deleted that file?”, “can you tell me the files that a user has accessed and copied to a USB stick?” the answer is normally no, and it’s normally no, because our standard storage solutions can’t tell us.

Imagine a logistics company asking questions like, “who’s driving that lorry”, “who was the last person to drive it?”, “where is Fred taking that lorry?”, “can you tell me the type of lorries we have?” and been told, no, we don’t know any of that information, ridiculous right? Yet we do that with our data asset.

We have talked in recent episodes about the threat to our data security and privacy, be it policies or procedures or our people. Just as significant a threat is the inability to fully understand what is going on with our data sets, a lack of insight and analysis means it’s very easy for our data to be abused, lost and stolen without us having the slightest knowledge of it happening.

That’s our focus this week, in the last of our data security & privacy episodes, I chat withjohn hughes John Hughes of Varonis. Varonis provide data analytics and insights into how we use our data, what our data is, who is using it, what it’s used for and if it’s even used at all.

We discuss a little of the history of Varonis, why data insight is so critical, why it’s a cornerstone of our ability to meet compliance requirements and how it’s a crucial part of our defence against data security attacks.

Enjoy the show and thanks for listening.

To find out more about Varonis;

Check out varonis.com

Have a look at their excellent range of BLOGS at blog.varonis.com and of course follow them on twitter @varonis

You can also request a free GDPR data assessment via their website

If you want to learn more about any of the topics in this series, and you are in the North West England on April 5th, you can join me and a range of speakers at www.northwestdataforum.co.uk

You can find the previous 3 episodes in this series here;

Best Take Care Of Those Crown Jewels – Sheila Fitzpatrick – Ep 17

Don’t Build Your Data Privacy House Upside Down – Sheila Fitzpatrick – Ep 18

Make People Our Best Data Security Asset – Dom Saunders – Ep 19

If you’ve enjoyed this episode, then why not subscribe;
Subscribe on Android

http://feeds.soundcloud.com/users/soundcloud:users:176077351/sounds.rss

Make People Our Best Data Security Asset

Losing USB sticks, leaving laptops on trains, installing malware, clicking phishing links. From maliciousness to stupidity, our people are a constant problem. In fact people are our biggest data security issue aren’t they?

Aren’t they?

We have to ask ourselves, are we doing all we can to help our people? Rather than seeing them as a security problem, have we thought about how we can make them an asset as we continually look to take on the threats to our critical data?

That’s the subject of this week’s podcast, as I chat with Dom Saunders from NETconsent.dom saunders

NETconsent specialise in the human side of technology, ensuring users are fully up to date with policies and procedures, as well as continually educated about new threats and solutions.

Our people can be a huge benefit in our data security and privacy plans. In this episode we look at why many IT policies fail, the risks that poor procedures introduce, why education is so critical and how to make sure our people are getting access to the best help they can.

We wrap up looking at 5 steps you can take to make sure your users are a data security asset rather than a risk.

To find out more about NETconsent then check the NETconsent website.

To see how other businesses have worked with their people, have a look at these case studies.

You can also catch up with NETconsent on twitter @NETconsent

This is the third show in our series on data privacy and security – if you’d like to catch the other two episodes, you can here;

Best Take Care Of Those Crown Jewels – Sheila Fitzpatrick – Ep 17

Don’t Build Your Data Privacy House Upside Down – Sheila Fitzpatrick – Ep 18

Subscribe on Android

http://feeds.soundcloud.com/users/soundcloud:users:176077351/sounds.rss

The Data Privacy Challenge – Sheila Fitzpatrick – Ep8

The security of our data is a significant challenge for us all, as individuals and as organisations, big or small, keeping our data secure and maintaining privacy is no longer a nice to have, it’s a necessity.

In this episode, global data privacy expert Sheila Fitzpatrick joins me, Sheila is data privacy officer for global storage giant NetApp. Her job is not to sell NetApp solutions, her role is to ensure they comply with global data privacy legislation.

In our chat, we discuss the difference between privacy and security, is the data security challenge a myth?, the impact of GDPR and how to start building robust data privacy solutions.

Sheila is an attorney and renowned global expert in her field. She is truly passionate about the topic of privacy and shares some fantastic tips.

So dive in and enjoy the episode.

if you’d like more information from Sheila you can follow her on LinkedIn and also on twitter @sheilafitzp

I also had the pleasure while at NetApp Insight to interview Sheila for NetApp’s own event coverage, you can find that brief interview here.

I hope you enjoyed this latest episode, next week, I’m chatting software developer careers with Joshua Lowe as he tells me about his already exciting progress as a developer, oh and did I mention he is only 12!

If you want to make sure you don’t miss out, you can subscribe to the podcast on iTunes, Soundcloud or wherever you get your podcasts.

You can of course catch up on all the back catalogue here in the TechStringy Interview section of the site.

Subscribe on Android

Simplify My Data Leak Prevention

data_theftA little while back I wrote a post about how important it is to stop making technology so hard (feel free to have a look back here) and that successful technology delivers what people need.

How do we do that? by giving them technology that just simply works, I’ve written a few times about the OAP Internet Virgins show on Sky, here in the UK, which gave older folk an iPad and taught them how this simple bit of well designed technology could work and how it truly changes lives in a host of these cases.

Well I also said i’d give some examples of where I’ve seen simplification of technology have real benefit, however since that promise, times have been hectic, traveling, presenting, doing press and video interviews, a podcast debut and my actual job, all that got in the way of my good blogging intentions!

Well in the midst of all that was a presentation I was asked to do by Microsoft to the Institute of Financial accountants, the topic of which was data security. The idea been to give these predominantly small business owners some tips on how to secure their most critical business asset, their data. Just because these where small businesses, it doesn’t make their data any less critical than the very largest enterprise. However these guys potentially have a much bigger problem, they are financial services people not IT people and the idea that they need complex technology solutions to stop them losing critical data would mean that, in reality, they never would have that option and that’s not the way it’s supposed to work, technology should be an enabler and help us do things better, smarter, easier and shouldn’t be bound by budget, or in-depth IT skills.

Well what have all these things go to do with making things simpler?

Take a bow Office365, Microsoft do lots of really good stuff on their cloud platforms, across 365 and Azure, it’s what you’d expect from a hyperscale cloud provider. One of the things that cloud does is help to greatly simplify IT deployment, need a new server, go to the portal click go and up it comes, need storage, select what you need and like technology magic these things appear, the behind the scenes technology is very complex, but to you the user, it looks a doddle and that is exactly how it should be.

How does that relate back to our our finance friends?

During our event we focussed on a number of areas that you should look at as part of a data leak prevention strategy.

data protection areas

Now some of those things are practical things you can do, sole trader or huge corporate, but some of these areas are more tricky.

If we wind back 5 years or so, how many businesses of all sizes, found some or all of the above areas a real challenge, both technically and commercially.

Technology to address all of these things of course has been around for ages, but let’s just pick on one area and show how cloud and Office365 specifically has made something so much simpler, both technically and commercially.

I remember sitting in a presentation a few years ago showing the power of information rights management (IRM) in a Microsoft infrastructure, for those not familiar, this is a really powerful ability, where you can start building rules into your document work flows and applications to stop important and sensitive information being shared in ways it shouldn’t.

Let’s give an example, how many of us have accidentally emailed the wrong person thanks to auto addresses? I know i have, now normally you are emailing something relatively harmless, but a few months back, I was accidentally sent someone’s personal financial information, as I shared the first name of their financial adviser.

How do we stop that? Well that’s what IRM is there for, IRM would either have rules in the document or rules in exchange that would stop information leaving the safety of your internal systems by mistake.

Brilliant, so why don’t lots of people do it? Because it’s to hard, it’s complex and expensive to set up on-prem.

“But I’d love that kind of capability” I hear you shout, well step forward the bright world of cloud based service, specifically in this case Office365 and Azure.

As we look in our 365 management portal, what’s this handy little option?

rights management

When we click into manage, we get the opportunity to activate rights management, if it’s not already running, and when you click activate – that’s kind of it, your organisation now has rights management enabled for it’s Office365 estate.

What does that mean?

We can now add data security policies to a whole range of documents and emails, so yes, there is a bit of configuration (don’t be afraid to ask for some skilled advice here) but to get you started there is a range of preconfigured templates ready to roll.

ILM Templates

Once enabled, then you have ILM implemented and usable in your business productivity applications.

ILM in Word

There it is, now sat as an option in Word, where you can simply add rights management controls and apply protection templates to your sensitive company info.

Enabling this in your organisation also opens up capabilities into tools like Exchange and SharePoint Online.

For me this is a great example of how cloud technology can hugely simplify, what in reality, is a complex bit of technology too setup.

That is the power of well built cloud (whether that’s private, public or hybrid), making technology deployment quick and easy to deliver and in many businesses allowing you to enable technology that, in a more traditional model, would be too complex or expensive.

It is this kind of approach that is revolutionising the IT industry at the minute, and for all of us in the industry we need to understand this, whether we create applications, architect them or even consult on them. To meet the challenges in the modern business regardless of how complex and challenging it may be behind the scenes.

There’s the challenge for us all!

Like I said at the beginning of this, when working with our financial services friends, their data is just as important as everyone else’s and they shouldn’t be excluded from solutions to their business challenges by complexity and cost, now should they!

If you’re looking for Information Rights Management as part of your data leak prevention strategy, hopefully this post has given you some ideas of how this is not out of your reach either technically or commercially by utilising cloud services where appropriate.

Any questions, feel free to give me a shout on Twitter, LinkedIn or via the comments section here and we can swap some ideas.

Thanks for reading.

Want to know more – try these

What is Azure Rights Management (Technet Article)

What is Azure Rights Management Overview (Short Video)

More data security onions or Data Security is like a great big onion-Part 2

more onions

A couple of weeks ago I wrote a post about some security events we’d been running and how in between the sessions exploring I’d covered where each solutions sat and the problems that we were trying to solve.

A few people suggested that a post about the multiple layers of data security problems we where addressing would be useful, this lead to what turned out to be a popular post, with a very tenuous music link, Data security is like a great big onion part one (feel free to have a read) and as we all know, data security is one heck of a big tear inducing onion, with lots of layers, so big in fact that it needed two posts to deal with just the bit we covered during our events.

Since then, we’ve run our final event in the series and now I’ve finally had the chance to write part two of this onionesque data security post.

By way of a quick recap, the event we ran brought together 6 leading data security vendors  to look at the challenges that our day to day usage of our data brings, what those problems are and how we address them.

We where not covering the more “traditional” data security tools anti-virus, firewall, anti-spam etc. not because we feel they are any less important, but we had to assume that our attendees, as probably with most readers of this BLOG, already deal with that problem with well established solutions. The areas we looked at where some of the problems we don’t necessarily consider.

The areas covered fell into these categories;

In part one we dealt with the initial core parts of the challenge, understanding who’s accessing our data, how we ensure compliance in our key systems and how to manage encryption on all of our devices, (feel free to check part one out if you need too)

So now let’s move a little further outside of the core and out to our edge devices, as we look at three further challenges.

The Endpoints

One of the most overlooked areas we find in securing data is those plethora of end point devices, we often see these devices remain relatively unmanaged and uncontrolled in many environments.. but why!?

Think of the risk, it’s great securing our core data and our line of business applications, however once the data gets out to the endpoints, where that unstructured data spends most of it’s time, it really is only as secure as the endpoint it sits on and today of course, how many of those endpoints sit within the safety of our network?

Of course the mobility and the range of devices makes it hard to secure them and besides, if we are securing the data in the core, is the endpoint really that big a risk?

Our friends at Lumension where happy to share exactly why it is such a problem;

The main challenge out on the endpoints, was not one of lack of AV, but almost that organisations believe that in itself that is enough, but the challenge of protecting these devices is as multi layered and oniony (sure that is a word!) than anywhere else, the threat comes from unauthorised software, unauthorised devices, lack of patching and of course the inability to look for behaviours outside of what we understand, especially if we are relying on signature based AV or application blocklisting.

Over 90% of cyber attacks exploit known security flaws for which a remediation is available” – Gartner

Lumension covered some key areas, as they looked at the importance of patching, understanding of behaviour and also some really smart technology around software application control, and anyone who’s used group policy to manage that, knows any smart tech is a big help!

Having full and smart control of our endpoints is hugely important and something that does tend to get overlooked more than it should, but something our attendees really grabbed and took away from the event.

Edge Data

At last we are right out at the extremities of where we put our data, the outer layer of our big juicy onion.

One of the huge changes in IT usage over the last 10 years (at least) has been the massive increase in technology mobility, today we have our data on laptops, tablets, smartphones, heck even watches, and our users have an expectation that we can give them access to data on all of these devices all of the time.

Our guests from Druva shared a really interesting statistic with us;

Recent figures from Gartner and IDC suggested that 28% of corporate data now resides only on endpoint devices.

Gartner and IDC suggested that 28% of corporate data now resides only on endpoint devices

82074d1272615744-gordon-browns-face-palm-yesterday-priceless-trading-during-election-run-up-brown_facepalmYep, i did repeat that, read that statement again, 28% of corporate data residing only on endpoint devices. Think about what we’ve done so far with our onion, we’ve controlled out data access in the core, we’ve added compliance to our corporate apps, we’ve encrypted, we’ve controlled the endpoints, all of these really good things, however we’ve got people in our organisations running around with key data, only on their mobile devices, heck it’s a good job those devices never go missing with that data on!

Of course the reality is, this is extremely high risk, we risk permanent data loss, potential for easy breach and a real problem when it comes to compliance – if we want to search all the data we have, then how do we pick that data up when its only hidden away on someone’s tablet?

It goes without saying then, that it’s a critical element of our overall strategy that we take care of all of these areas and that we have a strategy that allows us to;

  • Captures and Centralises our data
  • Ensures we have strong rules and controls on data at the edge to avoid data loss
  • Making sure we can analyse and discover all of our data out at the edge
  • All of this while ensuring this is a simple and unobtrusive process for each of our client devices.

Quite a challenge, but one we really have to take…unless you want to be having face meet palm at high speed!

Pesky Users

The last layer of this challenge (or the first layer if you came to the Manchester event!) was all pesky kidsaround the people, yep those pesky kids…I mean users!

That brought up our final speakers NETconsent who posed some very interesting questions around the human factor in information security.

We’ve said all along the issue of data protection is multi layered and, of course, so are the solutions, there isn’t a magic bullet out there that is going to cure it for us with one press of a button. However what is also the case is that without our users understanding why we are securing the data and how to make sure they use our systems and data in a way that keeps it secure, we are probably wasting our time.

I’ve recently done some work with a local organisation about data leak prevention and one of the very first questions we asked was;

What buy in do you have for data security?

Because if you don’t have buy in from the leadership of your organisation, then your data protection strategy is never going anywhere, it’s equally important however, that not only your leadership buys in but that there is an understanding of why you have a data security strategy across all levels of your business, because if you are putting strategies and solutions in place, that may appear to users as an inconvenience, regardless of how minor, then if everyone across the business doesn’t understand how to adhere to your policies and maybe even more importantly why data protection is important at all, you really are fighting a losing battle.

In reality the only way we achieve all of this is a mixture of things it’s having buy in, having technology to help implement our policies is of course key, however none of this delivery and enforcement can be done, without documented policies and user education, which is a huge task, to manage the process and measure the effectiveness is very difficult to many organisations.

Our Partners from NETconsent shared a range of techniques and solutions to ensure that we have a controlled and centralised repository, that we ensured our documentation and training was up to date and that we could measure the effectiveness of all of this.

Well none of us want to be saying “my data would of been secure if it wasn’t for those pesky users!”

Sliced and Diced

chopped%20onionSo there it is, our data security onion sliced and diced, hopefully if you’ve been able to follow this post all the way through, you’ve not shed too many tears!

As I said right back at the beginning, data security is a huge problem, one that’s ever changing, even the stuff I’ve covered in these two lengthy posts, are only looking at a subset of the areas that you should consider and of course the threat is ever evolving, even with these things in place, don’t rest on your laurels thinking you have your data secured, you need to keep looking at the ever changing landscape and the threats it contains, to ensure you keep your data secure and safe and that it isn’t wandering out of your organisation and you only find out when it’s to late.

Hope you enjoyed this onion related set of posts and I hope that it’s given you some food for thought (collective groan!) and at least has helped a couple of you to develop some new areas of your data security strategy.