
Friday 26 July 2013

Digging it up on Security Costs and Security Budgets - part1

In my previous article, Security Costs and Security Budgets, I made some assumptions to simplify an introductory analysis of how much we should spend on security.

Some of those assumptions were made to simplify our task.

Today I would like to quickly analyse some of those simplifications.

One of the biggest assumptions I made in the previous article is that if a problem costs us X, then we can find a number n that expresses the number of incidents I am allowed to permit, so that nX expresses the cost I am allowed to accept. This simplification was based on two ideas. The first is that (as reported in the article):

Just to translate this in terms of systems engineering, this means: would it make any difference if the service stop is due to a broken disk, a server HW failure, a software failure, a network failure or a DoS attack?
I should really answer I DON'T CARE, since the result would be systems down anyway.

The second is that the incident cost is X and that the cost remains the same for each repetition.

The truth is a little different since, again, we have to take into account some aspects of human behaviour and other occurrences.

With the simplified model presented in the previous article we were able to assume the following:

stating C as the cost we could afford, we found a relation where

C = nX

so it would be quite easy to determine n, the number of incidents, since

n = C/X

Now the number n would be useful when trying to determine the kind of technologies we need to put in place.

In a real environment C is not a constant, because the process "P" does not have a fixed value. This means that C is a function and not a constant value, and it depends on some factors such as the sensitivity of the management, the risk perception and of course the value of the process itself.

C(P,t ….)

Of course C and the process P can be fixed, to set our budget to predetermined values at a certain time "t0": for example we can consider the value of P and C at the start of the year, based on the previous year's experience.

On the other hand, it is not true that all the incidents that force me to stop the process cause me the same costs.

If I stop the process "P", for example, because of a HW failure, the internal impact will be different from the one I would have if the stop of "P" is due to a hack.

Even if the two occurrences cause the same damage (for example, think of a disk failure caused by a HW fault such as a broken controller, versus a software failure due to a virus), the perceived quality of the damage is different (and somehow irrational).

A HW failure is usually well understood, some mitigations are usually built in by design, and it is usually well tolerated by upper management; on the other hand a hack would be perceived as a more serious matter (and, as a matter of fact, it should be).

Here we have the irrational behaviour: although a hack or a malware attack would be perceived as more dangerous, the risk perception of this kind of event is so low that management does not even put in some effort by design, as it does for a HW failure.

This means that X is different for each kind of incident, and so we will not have a single "n" to count on but

C = Σᵢ nᵢXᵢ

where the terms

nᵢXᵢ

are related to the different kinds of incidents that can occur to the process P.

Obviously we have to take into account the fact that the terms nᵢXᵢ are somehow critical, where nᵢ and Xᵢ (with n related to X, both bound to a specific type of incident) are the parameters we should use to understand what part of the budget should be allocated to a specific technology.

So here is the question:

if both the incidents we talked about before (HW failure and software hack) have to be considered, how do I have to deal with them when balancing the budget?

One way, used by most companies, is to transfer part of the risk to another department.

This is usually the dept. in charge of storage, or servers, or…..

So apparently this seems a good thing, since you as a security guy have less stuff to deal with, but the reality is that a portion of the security budget is diverted to other budget items, so that you lose control and bargaining power when negotiating your budget. Basically the problem is: how can you ensure that the HW failure is worth more or less money than the money related to the hack?

On the other hand, an objection I usually receive is: if we put this in the security spending, we will just see that budget reduced without further explanations.

In other words Ctot would not be equal to the sum of the two, C(HW) + C(Hack):

Ctot < C(HW) + C(Hack).

Alas, security metrics are still considered too complicated by most of the management (and this is not my statement but the result of several surveys and the literature), so it is hard to change this behaviour.

To Be Continued ….



Thursday 25 July 2013

Security Costs and Security Budgets

When I'm talking about security with customers, partners or at an event, the first question I usually receive is:

"How much will this cost me?"

This is an understandable question: costs have to be monitored and expenditure has to be planned wisely, and the problem of how much I can/should spend on security is quite an interesting topic.

The problem, alas, is that IT managers usually do not use a clear model when planning investment in security, but seem to be attracted more by strange inner beliefs than by an empirical analysis of costs and benefits.
Another point that I've always found quite curious is that I've been asked lots of times for the ROI of a security implementation, while the only parameters taken into account are how much I will spend now and how much I would spend in the next "X" years.

To be honest there is a great hole in the literature when talking about security costs. One of the reasons is probably that this is quite a new area in terms of studies; on the other hand there are no clear and widely used models on the market that can help us to design and understand the impact of security or the lack of it.

So I'm wondering if it is really possible to understand how much it is worth spending on security, and if there is guidance that can help us to drive our efforts.

The first points I take into account are two postulates:

The first one is quite simple: no matter how much you spend, you will never be able to avoid every risk; perfect systems simply do not exist. You can transfer or mitigate a risk, but the risk itself does not disappear.

The second point is that it is really hard to understand what happens and what the impact of a risk is. Even if we're talking about a simple field like information security, there is not a sufficient level of understanding of what really happens. Dealing with risks and the related costs should involve the impact a risk can have on a business, and the aspects of this impact are partially unpredictable, because they depend on external factors, externalities and unpredictable human behaviour.

So does this mean I should not care about security?

On the contrary, this means that this is quite a difficult exercise, and more study on this subject would be appreciated.
Let's start with some considerations:

Why do I need security on my IT networks?

The main reason we should secure our networks is that our networks are used to let our company make profits.

Without our networks we would not be able to handle data, communications, business processes and so on.

Networks are not just a silly benefit or a luxury option, but are an integral part of our business. We live in an interconnected world, whether we like it or not, and networks are the instruments we use to reach our customers, sell or buy things, work and communicate.
Networks are also used for personal fun, and most of the time, nowadays, the same tools can be used both for work and for leisure, blurring the distinction between the two environments.

As IT networks pertain to business, they also pertain to human behaviour, so we have to take into account business needs as well as human needs.

Just as we cannot expect someone to work 24/24/365 without losing concentration or productivity, we cannot expect to increase productivity if our systems upset their users or do not meet their standards or expectations.

Our IT networks and their components are a foundation for our business and personal relationships. This means they will be used to process data that are valuable, and a disruption of the service provided could result in a loss of money, direct or indirect.

What am I talking about? I'm talking about the laptop that you use for work and to play or watch movies, your smartphone or tablet, your internet browsing, your Skype and your VoIP, your teleconferences and videophones, your email, your home internet connection, your mobile internet edge connection, your iPad, your iPhone, your Android Samsung S4, your 3D smart TV…. Everything in our experience is, somehow, related to IT networks and data processing.

But if IT networks are such a relevant part, and if over the network we pass such a great amount of data, we need to do something to protect the reliability of the service provided and the data we exchange through it.

So it makes sense to set aside some money for IT security, but how much, and what does this mean?
Of course there are several considerations to take into account when we talk about security, and a network design should by itself address most of the security related issues: for example all the stuff related to HA, redundancy, performance and management are common fields for network designers and IT geeks.
A network should be fast, reliable and friendly to manage. But since our networks are also used by users for business transactions and more, they should be understandable, usable and as close to user-proof as possible (someone once told me that IT networks without users would be perfect, although, he agreed, quite useless). The user experience is not secondary, but is one of the most important factors related to security and productivity (yes, both).
Another important consideration: the network is not for IT gurus or IT geeks or hackers and the like, so stop considering users as morons (OK, sometimes they seem to be, I admit it, but usually they give the same feeling in other fields of life and work too); users are the reason for our income.

The need for security is not so far away from the need for a network itself; security is just one of the aspects, and so it should be taken into account also during network design, and, in the end, security has a relevant impact on our activities.

  • What would you think if someone else read your email?
  • Or if someone read your credit card transactions to steal your money?
  • Or if your e-commerce site were taken down?
  • Or if your customers were affected by something picked up on your site?
  • Or if your employees' data were stolen?
  • Or if your network shut down for some reason?
  • Or if someone modified the data of your transactions…

Those kinds of questions are deeply related to security issues; this is security.
So if the issue is quite simple to understand, the problem is to understand:

  • how much does it make sense to spend?
  • what do I need to implement?

The answers usually are:

  • the less, the better,
  • well, I will never allow this in my network,

and

  • do I really need it?

Wait, is this an answer for something that seems to be so important?

The problem is that network owners and managers are usually not involved in business procedures, nor in human behaviour. It is only recently that security analysis has started to consider the human effect on decisions and risks (not only in IT, I have to say).
But if the network owner is not involved in the business process design, at the same time the business owners are not involved in network design. To make them understand each other we use a shared medium: money. Everything has to be converted into how much I spend and the related ROI.
Let me say I do not like the ROI: it is something really difficult to calculate and, what is worse, usually the most important parameters are not even taken into account. But anyway a good IT manager should be able to translate needs into money, to allow the other managers to understand what he is talking about.

To convert IT security into money is an extraordinarily difficult effort, because (remember postulate 2) I never met anyone who is able to estimate correctly the profit and loss of an IT department.

Let’s take some real life examples to understand what I’m talking about.

Sony security approach

Consider the Sony PSN hack: they did not spend much of anything on security to secure their networks. The reason was, obviously, that they estimated the risk exposure and the damage of a hack to be quite insignificant. Alas, they made a mistake and this would cost them a lot of money in terms of loss of profit for the days the network has been closed (direct loss), costs of recovery, image costs (which at the moment I'm not able to predict, but considering the coverage this hack has had I should say it will cost a lot), legal costs for customers that will sue Sony….
So the network managers have not been able to explain the need for securing the networks, and I suppose this has been related partially to the fact that they didn't have a clear vision of the business model they were implementing (as well as the other managers, I should say).
Did they analyse the impact of this hack when they were designing the PSN network? Did they make a risk assessment considering the loss (direct and indirect) related to such a stop? I don't think so, otherwise they would have bought at least a firewall and implemented a patch management strategy.
I can hear their thoughts before the hack: "But, come on, it's just a game platform, and we need to make profit and cut costs, so why should we care about security? Just marketing. We do not need it, what could happen? Some kid playing for free? It's not worth the cost."
As well as their thoughts after the hack: "How the hell could this happen? Nobody told us anything, someone (else) will have to pay for this. … We did all we could, we could not imagine something like that (sic)…. Hack? What's a hack? …"

  • Was it so hard to suppose that someone could have broken into the network? (A global and well known one.)
  • Did they really not realize that they were processing sensitive data?
  • Did they really think that recovering from a hack would have been quick, easy and without consequences (or minimal ones)?

The RSA way

On the other hand, it is not guaranteed that if you have great security skills you're invulnerable, as the RSA hack showed us. Come on, this is a security company that has been hacked, in one of the most protected networks, because someone leveraged human behaviour with spear phishing email, social engineering and some good hacking work.

  • Were they expecting that someone would have been able to force their defences?
  • Did they prepare a public communication scheme to address public and customer concerns?
  • Did they put in place countermeasures to protect their customers from the risks related to this data loss?

The RSA hack demonstrates how much damage can be related to indirect costs: although the hack itself didn't bring any damage to RSA products and its customers, the costs related to bad press coverage, word of mouth and image damage have been quite high. Think of an RSA guy going to a customer where a competitor has just told the RSA hack story…

The truth is that even if we feel confident we can be fooled. Whether we put security in place or not, we can be hacked. So is it not worth being protected?
Those two examples are extreme situations, but most of our networks (all of them, actually) fall somewhere between those two extremes.

The others do not feel better:

Lockheed Martin, Honda, Toyota, Epsilon, Vodafone, WordPress, Google, Gawker Media… do I have to name more hacked organizations, or is this enough to make you feel I'm talking about something real?
Not considering security correctly can be damn expensive; these days the news is full of such examples.

  • So is there a way to make a guideline to understand the first brick of our security wall?
  • How much would I lose if I don't put security in place? And what do I need to address a problem correctly?
  • And what are the risks I can be exposed to?

Basically the problem for an IT manager is to understand how much money he can ask of company management for security.
Well, the aspects to take into account are several; the idea is to put an insurance on business processes to allow continuity and minimize money loss. Apparently this is an easy task, but it is an exercise that IT managers usually don't do, not because they do not want to but because the required information is usually not available.

Again we can take the Sony affair as an example: the PSN network was used to generate revenue, and the hack stopped that revenue.

We should try to ask ourselves: how much would this kind of security incident cost?
We have different elements that could be taken into account:

  • What is the value of the process I'm trying to protect?
  • How can I estimate the direct loss related to the security incident?
  • Are there indirect losses related to the incident (image loss, customer disaffection, credibility loss…)?

Once we have outlined all the questions we should be able to define somehow the kind of security outbreak we're trying to address and the related process to secure.

What is the value of the process I’m trying to protect?

It is not so easy to define the value of a process. We know that if we are selling a good we earn something, so we could assume that the value of this process (selling a good) is just equal to "what I get in terms of money" minus "the money I spent to make the sale".
Alas, in a world where data, trust and communication are valuable, this is not enough. How valuable was the PSN network to Sony? Only in terms of the money they directly collected, or were there some externalities that should have been taken into account?

To use a different point of view, we can consider best selling products such as the Samsung S3 and Samsung S4 smartphones. The value of each piece sold was not only in the commercial deal itself, but even more important was the marketing related to the sale. Each S3 sold was increasing the market share, the image and the strength of the Samsung brand. Selling so many S3s was the key to becoming the anti-Apple and taking the throne with the S4. I leave it to marketing analysts and economists to understand how much was related to each piece sold. 🙂

As a good exercise we could try to understand the value of something just by considering what happens when I get a problem.

So I have the PSN network up and running; after the hack I have had to face some direct costs:

the money I did not receive during the stop, the cost to rebuild the network and make it up and running again…

But then I have had to face costs related to the angry customers, so I offered something to them to calm them down…
Wait, I have to make customers happy again?
This means that the value of a service is not only related to the direct revenues, but also, just as an example, to the image value that this service is providing to the company.
There are factors that raise the value of a process that can be indirectly related to the process itself but can have a strong impact in case of failure or security incident. Customer satisfaction, trust and image are just a few.

How much a process is worth is outside the scope of this article, but I wanted just to make you realize that things are not as easy as they could seem. In the end some values are just determined by a good dose of guessing. We are not able to determine what the real value is, but we can make some assumptions and create a target value indicator that we can use for any further analysis. But to do so we need to involve all the players of a business process.

How much can I afford to lose?

Once we're able to determine somehow the value of something, we should try to evaluate how much of that value we can afford to lose.
So, for instance, assuming that a service provides me a net value of 100/day once I've taken out all the related direct and indirect costs, how much can I lose without being forced to close?
Let's say I have to stop the service for some reason: will this be acceptable? And if it is acceptable, how long can this service be down without affecting my activity?
So if I have 100/day, I can expect in a month 100 * 20 working days = 2000 net income,
and a day off will cost me 100 (I'm oversimplifying, I know).
If I stop for 5 days a month, it means that I would lose 500, so my net income would be 1500: can I afford this?

There is no standard answer; it could be "yes I can" or it could be "no I can't".

If I can afford the loss, basically it makes no sense to address the 5-day stop problem, and maybe I can concentrate on the >5-day stop problem.
What we have here is a way to measure how much money can be related to a certain problem. It does not really make any sense to understand, at this level, what can cause the problem; we're just trying to understand the effect of the problem, no matter what the cause is.
Just to translate this in terms of systems engineering, this means: would it make any difference if the service stop is due to a broken disk, a server HW failure, a software failure, a network failure or a DoS attack?
I should really answer I DON'T CARE, since the result would be systems down anyway.

The better the baseline I can create, the better the considerations I'll be able to make, and some empirical experience is usually a good indicator: that means managers usually understand the value of security AFTER they have been punched (the PSN affair teaches).

Risks % and Murphy’s law

We now know that we have a process that is valuable, we know that if we have a problem it will cost us a certain amount of money "X", and we know that we can afford to lose "nX" money, where "n" is the number of incidents.

The next step is to be able to understand (or guess) what the risk is that the incident happens to me, so as to be able to identify "n".
We have, basically, 3 possibilities:

  • 0 chances that the incident comes: so no blocks at all
  • 100% chance that the incident happens and blocks me 100% of my time
  • something in between

The first possibility simply does not have to be taken into account. Murphy's law teaches us that if something can go wrong it will, and this is basically true for any engineering process. There is nothing that can be perfect and invulnerable; even Superman has his low moments (remember the Kryptonite).

This means we cannot be sure that we will never see a problem, but it does not mean that you will see it. Sometimes incidents happen without anyone realizing it; one of the most controversial areas of IT, and generally speaking of process management, is the analysis of incidents.

The second bullet refers to a condition where you are 100% sure that the process will not work; in this case it is worthless to spend time dealing with it. If I'm sure it will not work I don't need anything else. The process itself has no reason to exist, although it is not so unusual to find processes implemented and never used: think of IPS and IDS implementations never actually monitored or used.

So we're somewhere in between; the only thing we know is that we're vulnerable.
Let's recap the steps done till now: we know our process is valuable, and we know that we can convert this value into money terms so that the rest of the managers can understand it.
We also know how much a "general" security incident will cost us in terms of missed revenues, and how much we would be allowed to lose without affecting the business.
What we need now is to understand how many chances I have to be affected by the incident. We know that this is an exercise of black magic.

The best way is to call the dark forces of evil and ask them what their plans are for the next period of time. Alas, since they're forces of evil it is hard to have a good answer, and so I think we should take some other way to try to do this.
The best alternative usually is statistics, baselines and expertise.
We usually know that the chance of a disk breaking is generally low, mostly because by design we use redundant RAID systems, and for software and HW server failures we usually have this kind of forecast as well. But for a denial of service? Do we actually risk one? How much?

What do I have to consider when I try to understand my exposure to hacking attacks?

The answer is, again, not so easy: it means taking into account the process you're trying to protect, the things that could be valuable for any external party, the risk trends, the visibility of the company and so on. Arrghhhhhhhhhh

Turning back to Sony: it appears quite clear to me that the risk of being hacked was considered very low, but they did not realize that there were at least 3 factors that should have been taken into account:

1) the hack was a way to reach something valuable: user information, email addresses and credit cards.
The way someone values data can differ from its owner's: email addresses are not considered so valuable if you're not a marketer, but if you're a spammer they are worth the hack.
2) Sony was a big name, and this would have turned all media and expert eyes on the hack itself; this would have magnified the damage in terms of image, as well as redirecting other hackers onto a target that had shown such a big vulnerability. And in effect the hack was followed by numerous other ones.
3) Sony was dealing with some hacking problems related to the PS2 hacking code, and was exposed for its strict comments on internet piracy. This would have exposed the brand also to hacktivism and not only to cybercrime.
Just considering those 3 factors, it would be clear that a hack was not only possible but probable.

This is something we should think more about: we need to protect our assets because they're valuable for us, but this does not mean that someone outside would not find something else valuable, even if we do not consider it worthy.
Sony has been hacked because hackers found something valuable that Sony managers were not valuing; this increased the risk of a security incident as well as its repetition.

Assuming we are smart enough to understand the % risk that an incident can happen, we have enough elements to start to understand how much security is worth, and so how much we should spend on it.

Let’s do some math

If we did our homework and followed the simple steps provided previously, we now have some elements to make some guesses:

  • A – We know more or less how much our process is worth
  • B – We know more or less how much a single incident would cost us
  • C – We know how much we can afford to lose.
  • D – We know that there is some % risk that the incident will hit me.

Alas, those are not static values but functions that change over time and are strongly related to what happens at the boundary; the equations able to describe the relationship between all of these elements and the external world are out of the scope of these articles (come on, this is an introduction).
Basically we are now in the process of building our insurance based on something we will negotiate internally with our team and with the management.
The idea is that I want to spend some money in order to address the incident, and I want to do it, basically, to achieve a couple of goals:

  • Lower the % risk that the incident will hit me
  • Lower the cost of the single incident

It is clear to me that we have a couple of considerations to take into account.
The security expenses cannot be higher than or equal to the value we can lose. It is worthless to protect an asset by spending more than the value of the asset itself.
This means that the Total Cost of Security (TCoS) cannot be higher than A, where A is the value of the process (I know those variables do not exist, but I love to create this sort of thing; it sounds so professional)

TCoS << A

The reason is that if our protection systems cost close to the value of the process, they would be useless.

On the other hand we know that TCoS should be lower than C; this is because if security costs the same amount we are ready to lose, there would be no good reason to spend that money. So

TCoS << C

At the same time we know that TCoS is related to the value D and to the kind of security incident (can I call it SI?); basically TCoS can be represented by a function of some variables:

TCoS = F(C, t, SI, D)

where "t" is the time.
Basically TCoS is the highest amount of money I can afford to pay to protect my process. But we know that this is a target value and the management will never allow us to spend this, so we will have just a fraction of this value; let's call it the Available Total Cost of Security (ATCoS).

We will have ATCoS << TCoS: basically the amount of money we will be able to allocate for security is just a small fraction of what we should spend.

Why is ATCoS significantly lower than TCoS? The basic reasons are:

  • the great dose of guessing that we use to determine the A, B, C and D functions.
  • the negotiation with the management in order to allocate resources
  • a usually very low understanding of the implications of security in business
  • some strong cultural barriers to understanding the impacts of new technologies
  • poor capability to present the value of a solution in terms understandable to the management
  • the mix of allocated security resources in different departments and

Of course I strongly doubt that there is any IT man that creates his own Total Cost of Security function, so we usually use some empirical experience to guide us and some easy rules:

  • 1) the less, the better
  • 2) the less, the better
  • 3) they will never give me what I need
  • 4) they do not understand
  • X) have I told you the less, the better?

Some tricks can be used when trying to define a security budget, the first of all is to find a sponsor, and marketing usually is a good resource. We should be able to point out the risks related to the image and the bad influence that some security risks can have.
think again about Sony affair, but also to Honda and the other big firms that have been targeted recently.
The second trick is to be aligned on what is happening in the world in the security space.

You do not have to be a guru, just you need to find good and impressive events that can be used in a discussion to enforce your point. Those days are full of events, just use Google news or similar service to have in your mail a updated recap. would be useful for us to be able to explain our needs (the company needs actually) by examples.
If Sony PSN Networks Managers would have been instructed that identity thefts are so common nowadays and can be so destructive in terms of image probably would have adopted a completely different approach to security.
The two parameters TCoS and ATCoS are also a function of times and communication effort spent, if there are a lot of security warnings and previous incidents experience those two parameters changes
Again if we think about the Sony PSN affair  we have had pre-incident a TCoS that was close to 0 and consequently the ATCoS was basically 0.
What drive the TCoS close to 0 was the misunderstanding of the % of risks of an incident to occur “D” and the cost of the incident itself “B”.

If we look at what happened it appears clear that the risk of the incident was underestimated just because managers were not taking into account the damage would have result form the hacking (remember, it’s not just the direct costs…) and were not taking in account that there was something valuable for other (personal data) that could have been reached. Likewise they did not took in account the consequences in terms of emulation and acktivism.

Once again we have to remember that security is something that requires cross-functional experience to be correctly evaluated.
At the end, to have an idea of the value of ATCoS we should make some assumptions, reach some agreement and do some negotiation. But is this enough?

The Sony affair teaches us that there is another term of the equation that should be taken into account: the minimum cost of security I am allowed to put in place.

This quantity is the minimum expense I have to budget in order to provide a minimum, lifesaver level of security.
If we call mTCoS the Minimum Total Cost of Security, we should assume that

0 << mTCoS < ATCoS << TCoS

The Minimum Total Cost of Security is what it makes sense to spend in order to provide a minimum level of security in our systems.
It is related to several constraints:

  • how much I can lose in case of incident
  • legal/contract requirements
  • the technical aspects of the implementation of the solution:
    • direct costs of implementation (project, devices, training)
    • personnel
    • management/support
  • business impact of the implementation

mTCoS is a key parameter when negotiating with management: this is the lowest level you can go to in terms of resources; if you do not even reach this level you will not be able to provide the level of service that can avoid the function we defined at point C (how much we can afford to lose in case of incident).
Since mTCoS << TCoS, it is obvious that it is also << the value expressed by the function at point “C”.
If mTCoS is close to TCoS, this means we have no margin for negotiation (and this is really bad, believe me) or we made the wrong assumptions.
Although this condition appears to be far from real, there are areas where security expenditure is usually calculated with an mTCoS close to TCoS. The typical example is the storage area, where security (well, part of it) is usually integrated in the solution, so nobody considers a RAID implementation an extra security level anymore.

When we have this kind of situation, a sort of undisputed must-have, the negotiation is really easier. There are some other areas where this security approach can be taken; think, for example, about the desktop/laptop implementation of an antivirus client.

How rational is this kind of approach? Well, usually this is an approach that is consolidated and taken as correct without any critical analysis. The risk here is failing to take into consideration solutions that can provide better coverage of the security needs, and security needs change every day.
We need to be able to estimate the mTCoS in order to negotiate our security budget; to do so we need some tools and instruments, which should generally also be used for our routine management and IT budget calculation.
I will not spend a word now on legal constraints, but I would like to make some considerations on the technical aspect.
If we know that we need a minimum level of security we should be able to measure it, compare it against a data baseline that can help us understand whether we are doing the right thing or not, take some measurements of the changing threat landscape and make some forecasts.
All this requires some statistical knowledge, at least at a high and light level, to forecast what we need and what we will need.
But here comes an area where people make a lot of mistakes and I would like to spend a few words on it.

The trucks and the wheels

Let's assume there is a statistic saying the average number of wheels per truck is 5: what do you understand?
If you expect to find a 5-wheel truck on the road, you have a problem :)
If the average is 5 wheels, it could mean you have some trucks with 4 and some with 6, let's say 50% and 50%.

With only two options understanding this is quite easy, but when there are more possible outcomes it is sometimes hard to understand statistics.

This is quite common in the security space, where the interactions between aspects that are, apparently, unrelated are enormous.

Alas, a lot of people in the security space are looking for the 5-wheel trucks and do not check the 4- and 6-wheel ones. Sometimes we concentrate on just some aspect of the process because we think those are the only relevant objects, and do not analyse the process itself; the result is that we focus on the wrong target or, better, we invest more money hunting the 5-wheel truck than on the 4- and 6-wheel ones.
The result is that we miscalculate the elements that are used to calculate the mTCoS, diverting resources to other things.
The classic example is email management.
It is quite common to implement an anti-spam solution, but spam is not considered in its whole aspect; it is just considered an annoying thing to deal with because managers can complain.
Likewise, some content filter policies are implemented, but without a real understanding of the consequences and of the potential threats or productivity impact.
The result is a set of policies and security services that, from a security perspective, does not actually make any sense, and the money invested basically does not provide the level of service that should be provided with the mTCoS.

Since the mTCoS has probably not even been calculated (it requires the definition of the process we need to secure and the relative minimum level of service), this simply means that the security implementation does not address security concerns but just some random aspects with, probably, a sub-optimal allocation of resources.

IT managers do not allow executable files to be exchanged through email, but at the same time allow external webmail to be used without restriction.

They use anti-spam gateway systems but do not provide an anti-malware gateway system to protect from the few emails that can pass through the solution, even if emails are 99.9% HTML based.

They put some security effort into protecting the mail client but then allow users to use their unprotected smartphone or tablet.

So while we are looking for our 5-wheel security truck, a lot of other vehicles pass under our noses.

Understanding what we have to look for to secure a process is mandatory in order to be able to analyse costs.

The mTCoS is strictly related to the process we want to secure and the minimum level of service we can accept.

To be able to calculate mTCoS we should be able to understand:

  • how the process works: components, storage, users, structure …
  • how (and if) the process is related to other processes
  • which kind of data within the process are of any interest to secure

The best approach is to minimize the process structure and divide it into smaller elements that can be analysed more easily.

The final mTCoS will be the sum of all the mTCoSx provided for every subsystem.

So basically if we have a process P we can divide it into different sub-steps p

and the resultant mTCoS will be (more or less)

First we should try to find out what process we want to protect and determine the minimum level of service we can accept; then we should be able to divide it into smaller processes to make our task easier, and define for each smaller process its requirements and interactions.

Once we have created our process model we can finally define the risks, for each sub-process and for the whole process, that we should consider in order to give the required level of service.

Once we have defined the risks and the process, we can prioritize them in an arbitrary way considering some aspects: the impact of the risk and the percentage chance that the event can occur.

The final step of this operation is to watch the market for products and technologies that address our list of risks, in order to secure our process at an acceptable level and define our mTCoS.

Of course we should do a little exercise of imagination when dealing with risks: how much can we transfer? How much can we mitigate? How much can we recover? …?
Several technologies offer different approaches and different costs for the several aspects of risk management.
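The decomposition just described (split P into sub-processes, rank each sub-process's risks by impact and probability, pick the cheapest controls for the risks above the accepted minimum level of service, and sum the per-sub-process costs into mTCoS), as an added Python example that is not from the original post. The email process, its risks, its controls and every cost and probability figure are constructed sample values, and the function names (prioritize, min_cost_controls, mtcos, budget_is_consistent) are mine:

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Risk:
    name: str
    impact: float       # "B": cost of the incident if it happens (constructed)
    probability: float  # "D": chance of the incident per year (constructed)

    @property
    def expected_loss(self) -> float:
        return self.impact * self.probability


@dataclass(frozen=True)
class Control:
    name: str
    cost: float         # yearly cost of the control (constructed)
    covers: frozenset   # names of the risks this control mitigates


@dataclass
class SubProcess:
    name: str
    risks: list
    controls: list


def prioritize(risks):
    """Rank risks by expected loss (impact x probability), highest first."""
    return sorted(risks, key=lambda r: r.expected_loss, reverse=True)


def min_cost_controls(sub, threshold):
    """mTCoS_x for one sub-process: the cheapest set of its controls that
    covers every risk whose expected loss exceeds `threshold`, the expected
    loss we accept as the minimum level of service. A sub-process with no
    risk above the threshold needs no minimum spend and returns (0, [])."""
    must_cover = {r.name for r in sub.risks if r.expected_loss > threshold}
    best = None
    for k in range(len(sub.controls) + 1):          # brute force over subsets
        for chosen in combinations(sub.controls, k):
            covered = set().union(*(c.covers for c in chosen))
            if must_cover <= covered:
                cost = sum(c.cost for c in chosen)
                if best is None or cost < best[0]:
                    best = (cost, [c.name for c in chosen])
    if best is None:
        raise ValueError(f"{sub.name}: no control set covers {sorted(must_cover)}")
    return best


def mtcos(process, threshold):
    """mTCoS for the whole process P = sum of mTCoS_x over its sub-processes."""
    per_sub = {s.name: min_cost_controls(s, threshold) for s in process}
    return sum(cost for cost, _ in per_sub.values()), per_sub


def budget_is_consistent(mtcos_value, atcos, tcos):
    """The ordering the post requires: 0 << mTCoS < ATCoS << TCoS."""
    return 0 < mtcos_value < atcos < tcos


# Constructed sample: the email process from the post, split into three
# sub-processes. Figures are illustrative, not measured.
EMAIL_PROCESS = [
    SubProcess("gateway",
        risks=[Risk("spam", impact=5_000, probability=0.9),
               Risk("malware-attachment", impact=200_000, probability=0.2)],
        controls=[Control("antispam", 8_000, frozenset({"spam"})),
                  Control("antimalware-gw", 12_000, frozenset({"malware-attachment"})),
                  Control("bundle", 17_000, frozenset({"spam", "malware-attachment"}))]),
    SubProcess("client",
        risks=[Risk("exe-attachment", impact=50_000, probability=0.3),
               Risk("webmail-bypass", impact=50_000, probability=0.5)],
        controls=[Control("attachment-filter", 2_000, frozenset({"exe-attachment"})),
                  Control("web-filter", 6_000, frozenset({"exe-attachment", "webmail-bypass"}))]),
    SubProcess("mobile",
        risks=[Risk("unmanaged-device", impact=80_000, probability=0.4)],
        controls=[Control("mdm", 10_000, frozenset({"unmanaged-device"}))]),
]

if __name__ == "__main__":
    total, per_sub = mtcos(EMAIL_PROCESS, threshold=10_000)
    for name, (cost, chosen) in per_sub.items():
        print(f"{name:8s} mTCoS_x={cost:>7,} via {chosen}")
    print(f"mTCoS = {total:,}")
    print("ordering ok:", budget_is_consistent(total, atcos=60_000, tcos=500_000))
```

With the sample figures and a 10,000 expected-loss threshold, the gateway's minimum spend is the anti-malware gateway, not the anti-spam product (spam has a high probability but a small impact, so its expected loss sits below the threshold), which is the email misallocation the post describes: the control people usually buy is not the one the minimum level of service requires. Raising the threshold above every expected loss yields (0, []) for a sub-process, i.e. no minimum spend there.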

Just theory?

Believe it or not, this is an approach that can drive our expenditure in the right direction, which is not spending the least possible, but spending the correct amount of money to correctly address the problems I need to in order to provide the level of service required/requested.

On the other hand we can use the Sony approach :) but remember, spending “0” or “100” without a correct plan is equally nonsense.


To be continued….
 

venerdì 19 luglio 2013

Looking for a new career opportunity

Dear All,

As you may know I’m looking for a new career opportunity.

Many of you know me because we have worked together in Europe or the USA in one of my previous work experiences, including Cisco, IronPort, Symantec, Brightmail, Mondadori Informatica and so on, or we met at conferences and events.

With over 16 years of experience in the leadership of IT product development, project management, marketing and representation, and as a reputable and renowned contributor to the tech industry, particularly within the security community, I think I have often provided outstanding results and proved my soft and technical skills, but the situation now forces me to ask for support.

If you know of any position I could be right for, I would really appreciate it if you could share it with me. I would prefer an EMEA position (it would allow me to move from home to work without relocating), but anything that could fit my skills would be appreciated.

Thank you for your support, and I wish you all the best

Antonio

 

Dell PowerEdge VRTX

PowerEdge VRTX shared infrastructure platform

Redefine office IT. Check it here: http://www.dell.com/us/business/p/poweredge-vrtx/pd

I usually do not comment on HW infrastructures or platforms, but I have to admit that today, after a chat with my neighbour, I fell in love with this one.

When thinking about the SMB market and IT we always face a dualism between computational and storage needs on one side and, on the other side, strict budgets and low resources. Low resources also means space, energy, people constraints and so on.

So here we have a small object that contains all the HW needed for an SMB or a branch, flexible and easy to manage.

Drive Bays

Up to 12 x 3.5in NLSAS, SAS, or SAS SSD hot-plug drives or

Up to 25 x 2.5in NLSAS, SAS, or SAS SSD hot-plug drives

A cheap solution that can easily provide 40 TB of space is quite a good start for a small business or a branch office.

Embedded NIC

1GbE internal switch module (standard) with 16 internal 1GbE ports and 8 external ports

Ethernet pass-through module with 8 external ports (optional)

RAID Controllers

Shared PERC8

Power

Redundant power supply units:

100V-240V auto-sensing redundant power supplies support 2+2 (AC redundancy), and 3+1, 2+1, and 1+1 (power supply redundancy) modes

What more do you need 🙂 I would like one in my home

Cooling

VRTX comes standard with 6 hot-pluggable, redundant fan modules and 4 blower modules:

Based on Dell Energy Smart Technologies, VRTX fans and blowers are a breakthrough in power and cooling efficiency. The fans and blowers deliver low power consumption, but also use next-generation fan technologies to ensure the lowest possible amount of fresh air is consumed to cool the enclosure.

And, really, it does not make the horrible noise we usually associate with this kind of equipment, which means it can really be a desktop DataCenter 🙂

Chassis Form factors:

Tower or 5U rack enclosure

Tower configuration:

48.4cm (19.1in) H with system feet x 31.0cm (12.2in) W with system feet opened x 73.0cm (28.7in) D

Weight (empty) = 31.7kg (69.7lb)

Weight (maximum) = 74.8kg (164.9lb)

Rack configuration:

21.9cm (8.6in) H x 48.2cm (19.0in) W x 73.0cm (28.7in) D

Weight (empty) = 24.7kg (54.5lb)

Weight (maximum) = 68.7kg (151.5lb)

Server node options

Dell PowerEdge M620 and M520 servers, which can provide enough power for most SMB needs

Rack Support

ReadyRails™ II sliding rails for 4-post racks with square, round, or threaded holes

Price is competitive so I wish this thing a lot of success 🙂

FW SPAM: Final reminder to activate the Postepay web Security system

For my Italian friends: Postepay spam

—–Original Message—–

From: Servizi finanziari Postepay [mailto:support@update.com]

Sent: Tuesday 16 July 2013 09:06

Subject: Ultimo sollecito attivazione sistema Sicurezza web Postepay

 

Dear customer,

From 17 July 2013 you will not be able to use your PostePay prepaid card if you do not have the new web security system active.

The new PostePay Web Security system is an innovative solution that guarantees greater security and reliability for transactional operations with PostePay carried out online on the Poste Italiane websites.

The new system for authorising payment operations (PostePay top-ups, phone top-ups, bill payments) carried out with the PostePay on the Poste Italiane websites requires the use of two instruments:

1. The PostePay Card

2. The mobile phone “associated with the card”, to which the “disposable” transactional password called OTP (One Time Password), specially generated for each payment operation, will be sent via SMS.

Activation is simple, free and takes 1 minute.

We attach the documentation needed to activate the protection.

Kind regards,

Poste Italiane

FW SPAM: My dear friend

I’m crying

—–Original Message—–

From: hjgrelee@daum.net [mailto:hjgrelee@daum.net]

Sent: Tuesday 16 July 2013 11:27

To: mrsleejesicca@yahoo.com.au

Subject: My dear friend

My dear,

My name is Mrs. Jesicca Lee; a dying woman who has decided to donate what I have for the good work of charity. I was diagnosed for breast cancer for about 2 years now.I have been touched by God to donate from what I have inherited from my late husband to you for the good work of God, rather than allow my husband evil relatives to use my husband hard earned funds ungodly. They don’t care about man kind, all they want is to take away everything my late husband left for me.

Please pray that the good Lord forgives me my sins. I have asked God to forgive me and I believe he has because He is a merciful God. I will be going in for a surgery soon and I want to make this donation before undergoing my surgery.

I want you to help the motherless and less privilege and for the assistance of the widows and unfortunate mothers. At the moment I don’t want any telephone calls due to the fact that my husband’s relatives are always around me and trying to see if they can overhear my conversations and my health status as well.

please use the funds well and always extend the good work to others. I don’t know you and you don’t know me, but I have been directed by God to contact you for this project. I will appreciate your utmost confidentiality in this matter until the task is accomplished.

Reply me through my private email (mrsleejesicca@yahoo.com.au) Regards, Mrs. Jesicca Lee


FW SPAM: From The Ceo.Malik Ali Deputy Director.

Here again my spam message review; please, if you receive something similar, be cautious! But if you get the million dollars I will appreciate a donation 🙂, lol.

From: Ceo Malik Ali [mailto:ceoali@voila.fr]
Sent: Friday 19 July 2013 12:16
To: undisclosed recipients:
Subject: From The Ceo.Malik Ali Deputy Director.

Compliment of the Season,

I Know That This Mail Will Come To You as a Surprise As We Never Meet Before Request for Urgent Transfer Of The Sum Of Nine Million Three Hundred Thousand Dollars {Us $9,300,000.00} Only, Into Your Account.

I Am The Deputy Director Of Finance, Foreign Payment Approval Dept. Of West African Monetary Control Board (Wamcb). North-West Regional Office.Burkina Faso. My Office Oversee All Developmental Projects Financed By The Economic Community Of West African States (Ecowas). Within This Zone (Burkina Faso,Benin,Cape Verde,Gambia,Ghana,Guinea,Guinea-Bissau,Ivory Coast,Liberia,Mali,Niger,Nigeria,Senegal,Sierra Leone.Togo ).With Reference To An Introduction And Recommendation Of You By A Friend Who Works In The Burkina Faso Chambers Of Commerce And Industry, I Do Hereby; Wish To Commence Talk With You On A Highly Confidential Level. After Due

Consultations, I Have Decided To Contact You In Order To Arrange For A Possible Transfer Of The Sum Of Nine Million Three Hundred Thousand Dollars (Us$9.300.000.00) Into Your Account. This Money Is A Subject Of An Over Inflated Sum Acquired From Contracts Awarded By My Agency In The Past Years.The Original Contractors Have However, Been Paid And All Projects Executed By Then Commissioned. This Over Inflated Amount Can Not Be Withdrawn Locally From The Paying Bank Because The Contractors Concerned Are Foreign Firms. As A Matter Of Trust, Honesty And Secrecy,I Have Decided To Contact You As To Assist Me Provide An Account For This Transaction If You Have Accepted To Assist And Fully Participate In This Transaction, Kindly Furnish Me With The Necessary Information Such As

Your Full Name…………………………………?

Your Sex………………………………………….?

Your Age………………………………………….?

Your Country…………………………………….?

Your Occupation And City……………………?

Your Personal Mobile/ Fax N°……………….?

With This Information Provided, The Said Sum Will Be Transfer To Your Account Without Difficulties The Terms Of Sharing The Money After A Successful Transfer Will Be Discuss As You Indicate Your Interest In Assisting To Transfer This Money. Immediately All These Information Gets To Me, I Will Then Present Every Document To The Paying Bank And The Copy Will Be Send To You For Verification And Record Purposes. Be Rest Assured With My Connections, Everything Will Be Through Within A Short Time. After Many Years Of Meticulous Services To The Government And People Of Our Sub Region I Would Not Want My Image To Be Dented.

Therefore I Expect You To Handle This Transaction With Utmost Maturity By Keeping Everything Secret. I Can Assure You That If My Instructions Are Carefully Adhered To, There Will Not Be Any Hitch Through Out The Transaction, There Is No Risk On Your Side, Because I Have Perfected The Deal Very Well Over Years. After The Transfer, We Will Be Coming Over To Your Country For Further Sharing And Possible Investments.

I’m waiting to Read from You Urgently through the Electronic Mail Address ASAP

Ceo.Malik Ali.

giovedì 18 luglio 2013

Anatomy of a conference day in Rome

Let's focus on that day

1) Wake up in the morning, raining in Vistarino

2) Reached Pavia station, went to the automatic ticket machine to get the train ticket and discovered it does not work; ok, no problem, I queued at the ticket office

3) Took the train in perfect time, so this is not such a bad day after all…

4) The train is arriving late, damn, will I make the connection? Of course not! Lost by 1 minute (I saw it leaving) 🙁 bye bye Italo, bye bye first class

5) OK, nothing is lost, I look for another ticket counter and I ask if I can change it. Of course they explain to me that I could have changed it before the train left, alas not now, so I had to buy another one; sigh, I had taken an offer for first class and now I pay the same amount for economy

6) The lady tells me I have to run and buy the ticket directly on the train, even if I have to pay a penalty

7) After 3 hours where nothing happens I finally arrive at Rome Tiburtina station, my first time here. Weather is sunny, Rome is beautiful, the station new and clean… now I need a cab. Now you have to notice that in Italy it is quite unusual to find a cab that accepts credit or debit cards: they want cash and, of course, I have only a few coins. But don't worry, I will go to an ATM machine but…. there aren't ATM machines at Tiburtina station. Of course I discover it after looking, and asking, everywhere.

8) Finally I decide to talk with a taxi driver (not the movie one), and we agreed he would bring me to an ATM machine so I can get the cash and then bring me to the final destination.

9) The taxi driver kindly drives me to the ATM machine, queue again… damn, I got an old, quite blind lady who needed a lifetime to do her operation, and then a young lady with a thousand operations to do, so after half an hour I finally get the money and turn back to the taxi.

10) I arrived at Rome University and looked for the place; I managed to arrive without losing my way, the place is nice, I also found some people I know or met some of my LinkedIn contacts I had never met, great…

The conference itself is very interesting and the speeches are high level; I also enjoyed the catering (Rome is Rome and the (ISC)2 organization is outstanding).

and then… my turn

11) I start the presentation (an extract of my webinar on mobility for the (ISC)2 Italian chapter) and at the second slide, when I say that most of the IT policies on mobile have been incomplete and I take as an example protection screens for laptops, one of the attendees stops me telling me that what I say is absurd, not real, out of this world, and that I'm insulting all the managers, CEOs, VPs and so on….

I try to calm the guy down, but as a matter of fact he blocked me again at the second statement; at the end any word coming from me was used for complaints by the guy. I honestly didn't know what hurt him so much; at the end I was telling things that are quite easy to find in the literature and, by the way, that I have experienced in more than 20 years of IT consulting. But at the end, to make a long story short, he complained against me for the whole presentation, keeping at it almost all the time and forcing me to make an incomplete speech because of time restrictions.

I had to ask the attendees if I could go on or, if they agreed with the guy, I could have stopped the presentation. They told me to go on, so I managed somehow to finish.

12) My via crucis finally ends, and it's another break time. Come on, most of the attendees come to me asking why the guy was so mad at me… I don't know, I don't even know him…. 🙁 probably he did not like my rings….

13) Finally the panel, I'm again there… planning to keep it quiet this time. A panel usually should be a discussion between the panellists and the attendees, but my guy starts talking again and takes almost all the time; well, he had a lot of things to say (and, funny, some of the things are the same ones he complained about when I told them in my speech) but now the goal is surviving to the end, so I keep quiet 🙂 lesson learned…

14) OK, time to go home; guess what, it's 4:30 pm and it starts raining cats and dogs

15) I wait with some attendees, meanwhile eating the rest of the great catering; there is also beer and sparkling wine….

16) It's getting late, so we decided to go anyway; I went to the reception and asked for a cab, with the usual half an hour wait before having an answer (go to Rome to understand).

17) Cab sweet cab, it arrives and brings me to the station, but I have to wait another hour for my train, so I wait in the waiting area for Italo passengers (Italo is the name of the train, by the way).

18) It is not raining anymore, just a few drops, so the weather is… hot, with 100% humidity and no air-conditioned rooms

19) Finally it's time; now everything is perfect, I took my seat, the service is outstanding, I also have the television, so the trip back to Milano Rogoredo station is quick and pleasant, I can even watch a movie….

20) Night now, and I have to wait for the local train that will bring me to Pavia, where my lovely wife will take me home.

Another hour waiting, and the mosquitoes attack! Never saw so many mosquitoes in my life; I surrender and keep scratching, walking, changing places, aaarghhh I surrender.

Finally the train, and then car, and then home

I survived

So at the end, not so bad…

PS: at the end I got a B as a score, but honestly it is not so bad considering the situation… just I never got such a low grade. 🙁

PPS: does anyone know the conference guy and why he hates me so much?

  • (ISC)2 conference in Rome (thepuchiherald.wordpress.com)

Bring Your Own Device - part 4 (from the webinar I gave for (ISC)2)

Everything is evolving….

Since there is so much talk about BYOD but the supporting numbers are often lacking, let's look at what has happened in personal computing over the last 10 years. It is evident that we face a situation in which the software and hardware paradigms have profoundly changed in terms of use. Looking at operating systems, for example, we see how the market once spoke exclusively Microsoft, with Linux in a smaller share, while the last few years have seen a situation where there are at least four reference operating systems, Mac OS X, iOS, Windows and Android, with a marginal presence of Linux.

Application inter-communicability has been handled, as we see in the evolution of software trends, by a shift towards mobile applications and cloud (SaaS), just like the shift of interfaces towards multitouch and so on.

The table shown makes it extremely clear how interfaces and hardware have evolved. Such a movement has, in fact, overturned the paradigms in use in the 1990s: form factors, interfaces, hardware, OS and software are extremely different from what appeared to be in use 20 years ago. How much the approach to designing a network and its constituent elements has changed is, however, still a matter of debate today: there are IT managers who do not consider these changes enough to justify a different approach to the network, while others are embracing the new, but with the disheartening evidence of still few technical and cultural references.

Like it or not, today the standard reference set of an average corporate user is: company laptop (about 100%) + phone (50% personal, 50% corporate) + personal tablet (about 90/100% personal).

We can pretend that everything is still stuck in the 90s, but in fact the world is profoundly different, whether because of adherence to fashion or because of operational or financial needs.

After all, the world of technology, with no offence to the technicians, has always been driven more by marketing choices than by actual and objective technical evidence, and the cyclical return of technologies and approaches in our technological paths is evidence of this.

The focal point is that the shift we are observing today in the way we use technology is increasingly oriented towards interchangeability.

The device does not matter, we do the same things with all of them….. (well, more or less, I do not have fartdroid… on the laptop)

This usage is reflected, obviously, in the statistics of access to corporate data and applications.

These data can be easily related to the outbreak statistics of corporate policies: the more closed and constraining they are, the more users look for loopholes that allow them to keep being productive even in areas NOT considered by the corporate/IT structure.

Note how the presence of personal devices has expanded in just one year. Countries more reluctant to embrace novelties, and to provide new devices to their users, such as Italy, see even greater growth impacts: if the company does not provide “current” devices, the user replaces them with their own, regardless of the company's wishes.

This fact in itself is neither positive nor negative; weighing pros and cons and doing a correct economic analysis is, for all intents and purposes, the job of a CSO and an IT manager. The introduction, for example, of non-corporate devices could be a source of considerable savings in terms of management and purchasing, provided that there is a structure that shifts competences to mobile security and application security, rather than to first-level HW support for the PC with a standard image.

Whether we like it or not, this is the trend, and we need to react to the introduction of these objects into our working life, something that has forced many verticals to adopt policies accepting personal devices, even in traditionally reluctant fiefdoms, see financial.

Do not be misled by the numbers, though: statistics do tell us that financial has been more reactive, but the reason is simply that the other sectors are less reactive and more lax about the official introduction of such devices compared to an area where security has always been considered a cornerstone; consider that nowadays 100% of financial transactions take place electronically and the paranoia becomes understandable.

Unfortunately, the historical lack of development of management and integration models for mobile device security has exacerbated the use of old security and administration platforms, pushing them to delirious, yet current, realities, as well described in this chart, where we see that the most careful ones have introduced as many as over 10000 rules, management policies, for BYOD.

Perhaps it is not known to most, but one of the first cornerstones of management and security is the KISS approach, «keep it simple stupid»: the greater the complexity, the lower the ability of the structure to react to events both reactively and proactively; then ask the poor souls who deal with forensic analysis what they have to do to understand in which environment they are operating.

Lately a lot of surveys/statistics concerning BYOD are in fashion; this is an example, do you recognise yourselves?

Note how these answers reveal the lack of a general and coherent picture, in which management, security and access to information flows do not seem to be part of the same operational core…

The paradox is that, as we have seen from the historical excursus, many of the problems have been present since the 80s, and after more than thirty years they come to light as if they were new.

To correctly address the introduction and management of BYOD it is necessary to stop for a moment and think about how the more general mobile topic is being managed in the company. Perhaps organising ourselves with an advantages/disadvantages comparison table:

Advantages                                    Disadvantages
Users like it                                 IT does not like it
Increases productivity                        Increases management complexity
Expands the working perimeter                 Increases the risk surface
Makes us more flexible                        Makes us more flexible
It is cool                                    I cannot standardise
Allows operational savings in IT management   I cannot justify portions of the budget
Allows savings in terms of support            Users call me anyway

When we try to draw up a table of advantages and disadvantages we should try to see the different points of view. Sometimes greater operational complexity for IT really means an advantage for users; sometimes wanting to impose control rules results only in the constant violation of those rules. The old good-guys-and-bad-guys exercise is extremely useful in this sense and serves, note, not to decide whether BYOD is a phenomenon to be stopped, but to understand how to manage it. Each of these example points, pro or con, can be the start of a design effort for the introduction of BYOD that allows user satisfaction and perhaps operational simplification; unfortunately all players need to be part of the game: the users, IT, but also those who decide company rules (management and HR), since attention to information flows and to privacy rules is no longer secondary, even from a legislative point of view.

                                  Mobile   BYOD
I buy the device                  Yes      No
I manage the device               Yes      No
Location control                  No       No
Network (IP) Rules                Yes      No
Administrative privileges         No       No
Identity control                  No       No
Username/Password                 Yes      No
Network Access Control            No       No
Application Access Control        No       No
Antivirus/Antimalware             Yes      No
Application Store Management      No       No

Another useful thing to do is to sit down and make a list of what should be done and what is actually done to manage both the current mobile fleet and its BYOD evolution. One usually realises immediately that the requirements imposed on BYOD are often not met even in the classic mobile world.

Classic examples are the management of administrative rights (almost all laptops have administrative rights present), the lack of Application Access Control and the lack of identity management.

                                  Mobile          BYOD
Data Protection (DLP)             No              No
Data Encryption                   Yes             No
Data Location control             No              No
Geo IP Rules                      No              No
Theft policy                      Yes (partial)   No
Training                          No              No
Wireless network segregation      Yes             Yes

There is then an evident need for an inventory, and an analysis to be done, possibly with the vendor/provider, regarding licences.

The latter in fact represent an area that is still rather obscure: since no real BYOD licences exist yet at the moment, apart from cloud services (perhaps with identities managed via SAML), the doubt remains of how to manage and register in a compliant way applications which, although purchased by one party, are installed on a device owned by third parties.

Also to be analysed carefully are the possible legal implications that may arise in case of infection/hacking or suspected improper use of corporate resources (but are they?)

In this case the advice is to turn to a legal structure specialised in IT issues (internal or external to the company) to request the drafting of a “release” that, based on well-defined rules, determines what limits of access and use the company has regarding the employee's personal device and, vice versa, what constraints and access limits the user has in bringing such a device onto the network.

The question is only apparently academic: however lax, confused and sometimes delirious, regulations to refer to exist everywhere, including in Italy. There are liability constraints, for example, on the part of the company if an attack/infection starts from its structure towards another, just to cite one of the obligations to be assessed.