Wednesday, December 17, 2008
Information Assurance, 360is feature in National Computing Centre Magazine
What is Information Assurance (IA)? Why is it so hard for organisations, large and small, public and private to achieve? When there is a failure of IA why don't the causes get put right? For the answers to these and other questions take a look at the latest issue of the UK National Computing Centre magazine. 360is Principal Consultant discusses Information Assurance and addresses the root cause of most IA failures, AKA "the people problem". The article goes on to detail some practical steps that every organisation can take to improve its IA scorecard and avoid becoming another story on the national news. The 2-page article can be accessed directly as a PDF here.
Sunday, November 16, 2008
New "Resources" Page
The amount of 360is articles, whitepapers, software, and interviews has grown to such a degree this year that we have decided to collect them all in one place for easy reference. The 360is Resources section is the place to go for all this information, freely provided by our experienced consultants. Over the coming months look out for new material.
Monday, October 27, 2008
If ever there was a good time to upgrade your CV with training...
IT workers in the city are beginning the annual job of updating their CVs early this year, and who can blame them? 360is has negotiated a 10% discount from training partner vTrain for students quoting reference 360NOV. vTrain offers short, sharp certified courses for virtualization technologists covering Citrix Xen, VMWare, and Microsoft Hyper-V, based either at your own premises or in their dedicated classrooms.
Monday, October 20, 2008
360is Security Seminar, The Insider Threat
360is Principal Consultant, Nick Hutton, is a guest speaker at a breakfast briefing at the Royal Society for the Appreciation of Arts, London on Wednesday October 22nd 2008. The subject for the briefing is "The Insider Threat" and the event will be attended by CSOs and IT managers. Also speaking at the event:
Geoff Harris, President of the Information Systems Security Association in the UK
Damir Rajnovic, PSIRT Incident Manager, Cisco Systems
Presentations start at 9am sharp; find us on the map. If you would like to attend this free seminar, please contact us.
Tuesday, September 02, 2008
SteelEye Certified on 360is v1624 Appliance
SteelEye's Protection Suite for Citrix XenServer is now certified for mission critical use on the 360is v1624 virtualization hardware appliance. SteelEye joins VMWare and Citrix XenServer as the 3rd software vendor to achieve this certification on the v1624 hardware appliance.
The certification allows SteelEye, Citrix, and VMWare customers to benefit from higher uptime and faster Disaster Recovery through the use of a solid state, diskless, hardware appliance, optimised for running high performance virtual machines at higher densities than current conventional server platforms. The SteelEye software can also be retro-fitted to customers' existing XenServer installations and can replicate non-virtualized servers to VMs.
SteelEye Protection Suite for Citrix XenServer is based on the proven SteelEye Data Replication product. It runs within the XenServer Console OS (Dom0) and provides highly optimized replication of XenServer VMs across any LAN or WAN connection. Any or all VMs replicated in real time to a target server are then available to be brought into service as needed for business continuity.
Thursday, August 28, 2008
Out of Chaos, Opportunity
The cost of provisioning a server or desktop has collapsed thanks to virtualization, thin client, multicore CPUs and ubiquitous gigabit networking in the data centre. Indeed, in the last 3 years virtualization software itself has tumbled in price from thousands of dollars per unit and is now given away for free with many Operating Systems.
So what happens when server hardware reaches true commodity pricing levels? What happens when the necessity for new capital equipment expenditure goes away, and the power to spawn whole IT estates ends up in the hands of business units or end users? Virtual system instances surge to meet demand (no bad thing) but the CIO and his team are left responsible for reliability, security, and compliance of an uncontrollable virtual estate. Not all organisations have a powerful CIO or IT function, not everyone is able to effectively enforce central policy on such a fluid infrastructure.
Early adopters of virtualization have already found this out the hard way, and are now trying to cope with this uncontrolled growth in the number of virtual systems.
We have been here before. During the 90's the cost per megabyte of hard drive storage (remember when we used to think about storage in terms of megabytes?) plummeted. Storage proliferated in the data centre, on the desktop, and in a hundred types of portable devices. The struggle to manage this storage still rages today. Do you know where your confidential data is? Perhaps it's on the SAN, and on John's desktop PC, or his laptop, you know, the one he lost on the train. We waited more than 10 years for tools to help us manage this uncontrolled growth in storage. Even now with data de-duplication, filesystem snapshots, disk encryption, and (somewhat) affordable SAN and NAS, managing storage is a daily struggle with huge associated costs.
Common sense tells us that it is better to fix problems now, before they become chronic. How much easier would it have been to manage today's terabytes of storage if all those powerful tools were available to us in 1990?
How can we take the lessons learned from storage and apply them to today's problem of virtualization sprawl?
What if you could devolve the power to create, destroy, and hibernate virtual machines to your authorized users in a carefully controlled way? What if virtual machines were automatically decommissioned after a project's pre-determined end-date? What if you could report on and produce billing records for virtual machines according to their consumption of physical resources?
If you could do all these things today, how would that help you manage virtual server sprawl now and in the future? How much time would it save, and what would all that be worth to you?
For more than a year 360is have been working with a group of experienced virtualization practitioners at one of our clients, who have recently spun out a software company and are taking just such a Virtual Resource Management platform to market. DynamicOps announced the launch of VRM in June and, based upon its maturity in production environments, are already welcoming new users. We recommend it for medium and large organizations looking to rein in existing virtualization sprawl or stop the problem before it starts. Vendor neutral, multi-platform, and security conscious, DynamicOps and 360is are planning an autumn seminar in the heart of London's financial centre to introduce VRM and explore how it allows you to regain control of your (virtual) IT estate.
If you would like to be invited, please get in touch.
Monday, July 14, 2008
Seminar: Mission Critical Virtualization
360is is running an invitation only seminar on the 21st July at Chalfont Park, Chalfont St. Peter, Bucks. The theme is mission critical and production systems virtualization. If you are an existing customer then you should have already been contacted, however there will be a few extra places available. The agenda includes a preview of Citrix Xen v4.2, disaster recovery and business continuity using virtualization, a guest speaker from SteelEye Technology, and one of our own case studies. The whole event lasts less than 3 hours and attendees will also have the chance to win a presentation case of champagne.
Please contact Rob Gilson by Email if you would like to come along, or call us on the main number leaving your full contact details.
--- Update 6pm 21st July
Thanks to everyone for making the seminar a success; we will be in touch shortly with each of you. Congratulations to Alex of Netui who won the prize draw, and thanks to Citrix for the use of the venue, catering, and staff.
--- Update 6pm 23rd July
It looks like our virtualization hardware appliance made a good impression: Rupert over at Virtualisation Tribulations had some kind things to say about our latest product and the seminar. UK virtualization blogs (or technology blogs of any sort!) are rare, so be sure to check it out for an insider's view on Citrix, Xen, VMWare, and the industry.
Thursday, June 26, 2008
360is Appoints Steve Barnett to Advisory Board
Steve Barnett has been an associate of the company for several years since 360is founders worked with him during their time at Unipalm PIPEX in Cambridge UK. We are now delighted to announce his official appointment as the first member of our advisory board.
Steve brings with him a wealth of experience and contacts in the IT Security sector, having established CheckPoint's operations in Europe as Managing Director, growing sales from $4.5M to $85M in-region.
Welcome Steve!
Monday, June 23, 2008
360is Opens Scottish Office
We are delighted to announce the opening of our Scotland office, and the appointment of Bill McMillan as regional sales manager for Scottish and Borders clients. Bill has a long history in the enterprise storage industry and will be managing our existing clients and growing the business in this region. Call us to discuss your requirements.
Monday, May 26, 2008
360is Welcomes Datacenter Services Ltd
We are pleased to welcome the clients and staff of Datacenter Services Ltd to the group. DSL is a specialist in Server Virtualization and was established by some of the people behind Citrix XenSource's biggest UK reseller. DSL provides products and services to allow clients to take full advantage of virtualization in mission critical environments, and counts some of the UK's largest users of Virtualization technology as customers, including BT and Credit Suisse. Robert Gilson, Managing Director of DSL, commented:
"Having worked together with 360is on many projects, we are delighted to be able to formally offer a combined set of security and datacentre professional services to our clients".
Sunday, May 11, 2008
Updated: Solaris 10 package for scponly SPARC
By popular demand, and after many emails from readers of our previous post, we have now released an scponly package for Solaris 10 on SPARC. The package is available for download here. Thanks go to Keith, Jarrod, Jimmy, Dan, and all the rest of you who reminded us.
Friday, April 25, 2008
Where have all the Products gone?
Today we have a guest blogger! Steve has been a long-standing friend of the company and has been involved in the IT security industry since the early 1990's, where he managed the European Operations of CheckPoint. We caught up at one of Europe's busiest events, the Infosec Show at London Olympia.
Here's what he had to say.
Being the first day of the Infosecurity Show in London my eye was caught by the comments of Security Industry guru, Bruce Schneier, now CEO of BT Counterpane.
Bruce reports hearing an increasingly familiar comment at the RSA conference in San Francisco: "I can't figure out what these security companies do!". I would go further and suggest that, if he could figure out what they did, he probably wouldn't want them anyway, because often they are not a solution to a problem he will recognise, because he is unlikely to be the actual customer. As the recent rash of acquisitions shows, for many IT security vendors their "product" is just a future feature of another vendor's products.
It's like the evolution of the automobile: bodywork, lights, speedos, rev counters, disc brakes, radios and SatNavs were once all retrofit products; now they are standard features.
Here are a few security related examples:
- SSL VPN: Unlike MPLS, this was absorbed into the Firewall business, with Firewall vendors selling VPNs and vice versa.
- Hard-disk encryption: A "no brainer" for laptops and Seagate now bundle it (though I still recommend Pointsec).
- TCP/IP for PC's: Not security but I like the example; FTP Software, SUNsoft, Wollongong - all distant memories.
- PKI: Baltimore... need I say more?
So, for general business and consumer consumption, IT Security products will further become features: Firewalls in routers, encryption on desktops, PKI & SSL VPN capability built into everything, and Antivirus/SPAM increasingly dealt with in the cloud. And so it will continue; even applications will become more secure by design.
Saying all this, the next SatNav-like feature will probably still surprise us, maybe not as critical as brakes, but certainly meeting a customer need they didn't realise they had.
IT Security is an enabler, but it is not the application that drives the business. So, I will be at Infosec over the next few days looking for new security "features" that will eventually become part of business solutions. Things that will contribute to my customers' bottom line, things like: Virtualisation, Unified Communications, and Smoother Transaction Processing.
---
More of Steve's postings are to be found here.
Sunday, March 30, 2008
5 Common Mistakes Made By Mobile Operators
Our consultants are often contacted by Network Operators to audit and improve security. Having spent our formative years at the world's largest ISP, Telco security is a subject close to our hearts. Mobile Network Operators face some particularly unique challenges. They have all the normal concerns of a business dependent on IT, plus the added requirement that they must secure the network while making it widely available to their customers and the customers of other operators, without compromising the infrastructure, their peers, or the end users and their personal data.
These challenges are set in an environment of changing technology, business models, and industry structure. Couple this with the fact that outages cost big money and that mobile communications are often highly personal, and the stakes are very high for MNOs!
To assist fellow security professionals working in the Mobile sector, 360is have come up with our list of the most common mistakes made by MNOs. Enough scene setting, let's begin!
Mistake 1. Over Integration / Under Segregation
One of the tenets of good information security is the separation of networks of differing levels of trust. Unfortunately this practice is easily eroded or rendered ineffective by over-integration of different functions onto a single hardware platform or software infrastructure. Over-integration amplifies the effects of any individual security failing. One sure sign of over-integration is that you have difficulty in drawing up truly separate network diagrams for subscriber, management, and telemetry functions. Likewise, if you can easily move data and conduct interactive sessions between those 3 networks without a defined intermediate gateway or bastion stage in the process, this is also a bad sign.
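A quick way to turn the two warning signs above into a check is to audit the host inventory: any host with interfaces in more than one of the subscriber, management and telemetry zones that is not a declared gateway or bastion is an undeclared bridge between zones. The script below is an added example written for this page, not code from the 360is article; the hosts, zone assignments and the `DECLARED_GATEWAYS` set are constructed sample data standing in for a real network inventory.

```python
"""Over-integration audit for an MNO host inventory (added example).

Given which trust zones each host has an interface in, flag hosts that
straddle two or more of the subscriber, management and telemetry zones
without being a declared gateway/bastion, and count how many undeclared
bridges exist between each pair of zones. All data below is constructed.
"""
from itertools import combinations

ZONES = {"subscriber", "management", "telemetry"}

# Constructed inventory: host -> zones it has an interface in.
INVENTORY = {
    "portal-01": {"subscriber", "management"},            # portal dual-homed into mgmt
    "nms-01":    {"management"},
    "probe-07":  {"telemetry", "management"},
    "bastion-1": {"subscriber", "management", "telemetry"},
    "billing-2": {"management", "telemetry"},
    "hlr-fe-3":  {"subscriber"},
}
DECLARED_GATEWAYS = {"bastion-1"}   # the only host allowed to touch all three zones


def validate(inventory):
    """Reject zone names outside the three-zone model, so a typo cannot hide a bridge."""
    for host, zones in inventory.items():
        unknown = zones - ZONES
        if unknown:
            raise ValueError(f"{host}: unknown zone(s) {sorted(unknown)}")


def multi_zone_hosts(inventory, gateways):
    """Hosts (other than declared gateways) with interfaces in two or more zones."""
    validate(inventory)
    return {
        host: sorted(zones)
        for host, zones in inventory.items()
        if len(zones) >= 2 and host not in gateways
    }


def undeclared_bridges(inventory, gateways):
    """For each pair of zones, the number of non-gateway hosts bridging them.
    Any non-zero count means data can cross between those zones without
    passing through an intermediate gateway or bastion."""
    counts = {pair: 0 for pair in combinations(sorted(ZONES), 2)}
    for zones in multi_zone_hosts(inventory, gateways).values():
        for pair in combinations(zones, 2):   # zones are already sorted, matching the keys
            counts[pair] += 1
    return counts


if __name__ == "__main__":
    for host, zones in multi_zone_hosts(INVENTORY, DECLARED_GATEWAYS).items():
        print(f"FINDING {host}: straddles {', '.join(zones)}")
    for (a, b), n in undeclared_bridges(INVENTORY, DECLARED_GATEWAYS).items():
        print(f"{a} <-> {b}: {n} undeclared bridge(s)")
```

The interesting output is the pair counts: if every pair is zero, the three diagrams the article asks for can be drawn cleanly and every inter-zone path goes through a host you chose to make a gateway. A non-zero count is a finding to explain or fix, not a number to argue with.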
Mistake 2. Misplaced Faith In Encryption
The second mistake and the first are often found together. Software and Hardware vendors have tended to treat encryption as a sort of magical security whitewash, to be sprayed liberally over everything, disguising unsightly flaws or cracks in the architecture. Encryption (implemented properly) is a great way to ensure confidentiality of communications on a shared network but historically it has suffered from poor implementation; weak random number generation, flawed protocols, and endpoint vulnerability. In practice attackers rarely focus on the encrypted tunnel itself when there are far easier pickings to be had among the authentication system, the tunnel endpoints, and intermediate proxies.
Mistake 3. Not Considering Atypical Behavior
Once handsets were dumb. They had no user settings, no expansion, and no ability to run code other than their firmware. Users could make voice calls and send SMS; life was simple for the MNO. Today a "handset" can be a phone, a smart phone, a laptop, even a server. Services extend to voice, SMS, Internet, Corporate VPN, i-mode style portals, and hosted applications like BlackBerry. MNOs expend huge amounts of time and money testing all these handsets with all these services to ensure a positive experience for their subscribers, but somehow in the testing... security gets ignored. Just because handsets are normally allocated addresses by DHCP and browsers are configured to use your proxy doesn't mean an attacker with a laptop will follow "regular user behavior". Does your security testing take this into account? Claiming "You can't do that with our (handset/registration process/portal)" is not a very effective defense for your network.
Mistake 4. Incorrect Trust Models
Crashing these mistakes into one-another is becoming a theme. Following on from atypical behavior we come to the problem of trust among network elements, users, and their traffic. The reason why behavior is such a problem is that mobile networks often have their trust models wrong. A trust model that relies on the handset to behave itself is as bad as those that rely on the user to behave himself. MNO security staff should be very wary of trusting source addresses, the interface traffic appears on, or any credentials passed by systems they do not exclusively control. If somebody says "It's a walled garden, we don't need to worry" you are probably already making mistake 4.
Mistake 5. No consideration of Modes Of Failure
Not planning for the inevitable failure of one or more parts of your security architecture is foolish. Sooner or later a configuration slip-up, a careless/malicious insider, or a new bug in your systems will cause one of your security mechanisms not to work. Does it fail-safe? Are you pro-active in checking all the careful steps you took to avoid mistakes 1-4? What is the extent of your exposure if any one of these mishaps occurs? Vendors hate to answer the question "what about when it doesn't work?" but you as security architects for your MNO must accept such eventualities as inevitable and plan for the worst.
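Mistakes 3, 4 and 5 come together in one decision point: the gateway that decides whether a request from a "handset" gets through. The added example below (written for this page, not code from the 360is article) puts the walled-garden trust model the article warns about next to a version that decides on a verified credential alone, ignores the source address, the ingress interface and any identity the client asserts for itself, and denies rather than allows when its verifier is unavailable. The HMAC-signed token format, `DEMO_KEY`, the `WALLED_GARDEN` range and the request dictionaries are constructed stand-ins for whatever credential and message shape a real gateway would use.

```python
"""Gateway authorisation with an explicit trust model (added example).

naive_authorize() trusts where a request came from (Mistake 4).
authorize() trusts only a verified credential and fails closed when the
verifier is down (Mistake 5). Keys, token format and requests are constructed.
"""
import hashlib
import hmac
import ipaddress

DEMO_KEY = b"constructed-demo-key"                   # real deployments keep this in an HSM/KMS
WALLED_GARDEN = ipaddress.ip_network("10.0.0.0/8")   # constructed "trusted" address range


def issue_token(subscriber_id, expires_at, key=DEMO_KEY):
    """Mint a demo credential: subscriber_id|expires_at|HMAC-SHA256."""
    msg = f"{subscriber_id}|{expires_at}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{subscriber_id}|{expires_at}|{mac}"


def verify_token(token, now, key=DEMO_KEY):
    """Return the subscriber id if the token is authentic and unexpired, else None."""
    parts = token.split("|")
    if len(parts) != 3:
        return None
    sub, exp, mac = parts
    expected = hmac.new(key, f"{sub}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    if not exp.isdigit() or now >= int(exp):
        return None
    return sub


def naive_authorize(request):
    """Mistake 4: the decision rests on the ingress interface and source address,
    both of which an attacker with a laptop on the radio side controls."""
    if request.get("ingress_iface") == "radio":
        return ("ALLOW", "trusted: arrived on the radio-side interface")
    if ipaddress.ip_address(request.get("src_ip", "0.0.0.0")) in WALLED_GARDEN:
        return ("ALLOW", "trusted: walled-garden source address")
    return ("DENY", "outside walled garden")


def authorize(request, now, verifier=verify_token):
    """Decide on the verified credential alone. src_ip, ingress_iface and a
    client-asserted identity never grant access; a verifier outage denies
    (fail-closed) instead of waving traffic through."""
    try:
        sub = verifier(request.get("token", ""), now)
    except Exception:
        return ("DENY", "verifier unavailable (fail-closed)")
    if sub is None:
        return ("DENY", "invalid or expired credential")
    claimed = request.get("claimed_subscriber")
    if claimed is not None and claimed != sub:
        return ("DENY", "client-asserted identity does not match credential")
    return ("ALLOW", sub)


if __name__ == "__main__":
    token = issue_token("sub-42", 2000)
    laptop = {"src_ip": "10.1.2.3", "ingress_iface": "radio"}   # no credential at all
    print("naive:", naive_authorize(laptop))
    print("strict:", authorize(laptop, now=1000))
    print("strict, valid token:", authorize({"token": token}, now=1000))
```

The `verifier` parameter exists so the outage path can be exercised in a test by passing a function that raises; in production the same shape lets you put the real authentication backend behind the gateway without changing the decision logic, and the "what about when it doesn't work?" answer is written into the code rather than left to the vendor.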
Conclusions
The challenges faced by MNOs are similar to those faced by SCADA users a few years ago. They stem from the increasing pervasiveness of IP, the evolution of handsets from "dumb" single purpose devices to more flexible, complex systems, and the increased variety of services offered to subscribers. In an industry where "air gaps" are a myth, we have found many MNOs making the same mistakes as their cousins in the utility sector. Equipment vendors must shoulder part of the blame for vulnerability in mobile networks; many of their systems are based on unhardened mainstream Operating Systems. However, MNOs themselves do not escape criticism. You guys are too trusting of your vendors!
It is common for entire networks to be sourced from a single vendor, radio-side and fixed-side, but this is no excuse for abdicating responsibility for operational security. That burden rests squarely with the operator, and if you need help in meeting the challenge we know who to call.