Showing posts with label IBM.

Wednesday 16 April 2014

RightScale Releases 2014 State of the Cloud Report

RightScale Releases 2014 State of the Cloud Report (via MarketWired)

SOURCE: RightScale, April 02, 2014 09:56 ET

Public Cloud Adoption Nears 90 Percent on the Journey to Hybrid Cloud

SANTA BARBARA, CA (Marketwired, Apr 2, 2014): RightScale® Inc., a demonstrated leader in enterprise cloud portfolio management, today…

Friday 11 October 2013

Wanted Dead or Alive: The Human Factor

TECHNOLOGY originally published on DaftBlogger.com

By Antonio Ieranò on September 29, 2013 at 7:45 PM


OK, I confess I am quite bored of listening to all those knowledgeable IT security experts talking about what is needed to secure a system. Everyone has his own point of view; of course they are right when they say we need endpoint security, mobile protection, anti-malware, anti-hacking, DLP, advanced threat defense and protection. We all know we need firewalls, IPS/IDS, encryption systems, SSO, 802.1X, strong authentication, anti-virus, anti-everything, application- and context-aware systems, but what is the point? It seems to me that, beneath all the technicality, we are losing sight of a focal point: security, even within the IT sector, is a matter of human behavior.

[Image: dead or alive]

I do not dispute that a patched system is harder to hack than an unpatched one, but the point is: where was the careful planning beforehand? We can, of course, deploy DLP, SIM, advanced threat defense systems, firewalls and so on, but how can they save us if we do not understand what we need to protect? And, even worse, how can we even think of implementing any security measure if we do not know what to protect?

From where should we start?

Probably we should start from the basics, considering what we need to protect from the very beginning. And at the beginning there is a human being who wants to interact with another human being through a process.

[Image: men-men]

Of course, we have filled our systems with great security garbage all around the process box, and we have also put in place all those great barriers that make it harder for the user to use the process's own instruments.

[Image: men men men]

And, adding and adding, we realized we need a SIEM to monitor all this crap, and control systems, and dashboards, and smart whatever, and…

I said it all but…

Wait a moment, are we missing something here? Here are some considerations:

  1. Who is the guy/girl who wants to “communicate” with the other guy/girl to do something that both consider “valuable” for some unknown reason?
  2. How do they want to “communicate”?
  3. What do they want to “communicate”?
  4. Why do they want to “communicate”?
  5. Why do they need to “communicate” in that specific way?

Isn’t it funny that those considerations are still the key points for any successful security project? The three main subjects of ANY security implementation should be: the human sender, the human receiver and the process involved. Therefore there is no such thing as a successful security implementation without going deeper into those three aspects. Of course, this requires careful interaction between the so-called security expert and all the players involved in the security process, because the human and technical aspects are strictly connected.

There cannot be security if security is not perceived as a value by the stakeholders of the process; you can put in place all the rules you want, but they will eventually fail. The worst scenario is that people stop using the process and build a parallel one that is more suitable for their needs. This is the main cause behind security project and implementation failures: it is not a matter of technology but of not carefully evaluating the human factor.
Things like planning and training are not naive requirements of an implementation but the most valuable asset of the project.

Theory?

Funny enough, all the statistics and literature we find on the internet state that the biggest threat of all is always the user, skilled or not. The bad guys already know it, and social engineering is not a recent invention as far as hacking is concerned. It can be done on purpose, or by mistake, or simply by looking for a way around a crazily restrictive policy. Eventually, though, a user will breach your security.

Alas, doors are slammed in our faces when we try to explain that security is only in part a question of how I encrypt a disk or how I harden a server. At the end of the day, what should a CSO worry about? Basically, that rules and processes are built to be secure, among other things through the use of technology, but not because of the technology implemented.

All we do is related to our interactions with other human beings; the rest are “tools” to implement a process. As human behavior and technology change, we change the tools, we discover more needs, we create new processes, so security needs to adapt, and IT people should drive the change from the process point of view. Otherwise we will continue to have security breaches, PRISM and Snowden cases, Anonymous groups, and we will again be forced to live through unpleasant surprises due to humans bypassing all those so carefully implemented security systems.

Go on, buy your firewall

 

Friday 8 February 2013

CLOUD EVENT: CLOUD COMPUTING AT THE SERVICE OF SMALL AND MEDIUM-SIZED ENTERPRISES

Type: Event
Owner: Easycloud.it
Event Date: 2/20/2013
Start Time: 02:00 PM
End Time: 05:00 PM
Time Zone: (UTC) Casablanca
Location: ComoNExt – Parco Scientifico Tecnologico
Tags: pmi, cloud computing

Details:
Agenda
starts at 16:00
– Introduction to Cloud Computing
– The cloud economy and the role of the Cloud Service Broker
– Cloud Computing for SMEs: applications supporting the business; case study and tools to calculate the ROI

18:30 Aperitif offered by Easycloud


EasyCloud.it cloud service broker – easyCloud
www.easycloud.it
Easycloud.it is a Cloud Service Broker supporting companies that intend to evolve through the use of Cloud Computing.
Maximum number of participants: 20
For further information and registration, contact the organizers:
email academy@easycloud.it
web www.easycloud.it
tel 02 3671 4024

NOTE: please notify your attendance at the aperitif.

Monday 21 May 2012

CLUSIT: Report on corporate IT security in 2012

CLUSIT: Report on corporate IT security in 2012: The latest edition of the CLUSIT Report (Italian Association for Information Security, Associazione Italiana per la Sicurezza Informatica) portrays an Italy still limping on IT security,

www.massimilianoforner.it/blog/?p=4241
