As information security has matured, the role of the information security officer has become both more important and more complex. The Security and Risk Management team is committed to keeping you in the loop. Check out the blog for timely information about the latest Gartner research, changes in the threat and vulnerability environment, industry news, and events relevant to security and risk management.
11 November, 2008 02:59 PM EST
Risk or Security Management: What's In a Term?
Posted By: Tom Scholtz, Research VP
When Gartner security and risk analysts give presentations, write research or talk to clients, we often get criticized for using the terms security and risk management interchangeably. This is deemed to be confusing by the audience as they try to articulate a clear differentiation between these terms. Indeed, in large sections of our client base, vigorous debate is being held on defining, differentiating and positioning information security vs. information risk management.

Well, maybe such a clear differentiation is not always required. Maybe security and risk management are so intertwined that continuously trying to separate them becomes counterproductive. Let's try to look at this objectively: I can make a clear argument that security is an integral part of risk management. But I can make a similarly cogent argument that risk management is an integral part of security management. The definition is largely in the eye of the beholder. It is contextual and situational. Maybe security and risk management are not the two sides of the same coin - maybe these disciplines are so integrated that they ARE the coin. The business is interested in the coin, not the pictures embossed on either side of it.

I am not arguing that security and risk management are one and the same. They are indeed discrete disciplines with different functions and activities. And from an organizational perspective, it is important that the different roles are named appropriately to the responsibilities of the individuals concerned. But let's be frank, does your business really care whether you call yourself a security manager or a risk manager? All they want is for (both of?) you to help them manage your information security and IT risks appropriately.

Risk management and security management. It's not either/or. Black or white. So here is my call: Let's spend less time debating and arguing the differences, and more time on using and maturing these extremely important, completely interrelated disciplines.
 
17 October, 2008 11:38 AM EST
Given the Current Economic Turmoil, What Should IT Managers Do?
Posted By: John Bace, Research VP
Gartner's Compliance & Risk Management Research Community met recently and considered what IT managers should do given the economic turmoil spreading around the world.

What started as a problem with risky mortgages in hot real estate markets in the United States has spread to Wall Street with a devastating impact on the financial health and well being of a number of banks and an insurance company. Each day, the turmoil spreads, first to the equity and commodity markets where investors and speculators attempt to preserve what capital remains. Next, the central banks and governments rush in with an infusion of liquidity in an attempt to keep the money flowing through the world's financial market.

The media commentary on the current financial crisis sounds the tone that all the laws of economics and free markets no longer apply. The reporters sound as if the next developments will be Mother Nature suspending the laws of physics and gravity. Against this backdrop, CIOs and IT managers wonder, "What do we do?"

There is no denying that business as usual is not currently happening. To speculate about or attempt to deal with the regulatory fallout that will follow this financial crisis is currently a waste of time. The central question that CIOs must address now is what impact this financial crisis will have on IT in the next budget cycle. Also, how can IT help the enterprise demonstrate trustworthiness to key stakeholders, maintain critical functions that drive revenue and cash flow, and focus on the needs of the people who work for your organization?

At the heart of the current financial crisis is a lack of confidence in the credit markets. Government officials report that interbank lending has ground to a halt, which prompted the U.S. Federal Reserve to step in on 7 October 2008 and offer direct short-term lending to U.S. corporations.

First, to combat this lack of confidence permeating the market, enterprises should take extraordinary means to increase their financial transparency and demonstrate that they have the ability to meet their obligations to creditors, customers, and the communities where they are located. Senior management must develop and exercise a voice in the public policy dialog immediately - and voluntarily. Do not wait for Congressional subpoenas, shareholder meetings, or ambush interviews by the media. Tell the world, honestly, about the state of your company and its plans for the near term and the long view.

Second, everyone must develop a laser-like focus on the organization's value proposition, those intangible reasons that define why your enterprise exists. To leverage an old cliché, every oar must be in the water and pulling in the same direction. The goal is not just to make it to the finish line, but to survive. Ancillary or tertiary projects must be postponed for a later time; and tasks that improve customer service, remove friction from processes, and increase cash flow should be top priorities.

Finally, think about the people who work for you. No doubt they are scared by the uncertainty about the future. Management must be honest and open in keeping the rank and file apprised of the organization's situation. They should be encouraged to communicate that information in a timely fashion with friends and neighbors in the community. Management should be extremely sensitive to non-work related issues that may have an impact on employee morale and well being. The most obvious is related to housing, mortgage default and potential foreclosure. However, it can extend beyond the most obvious issues. The problem with short-term lending is also having an impact on some governmental agencies, and some school districts are cutting back to only four days of instruction, forcing many parents to scramble and find new daycare arrangements.
 
16 October, 2008 03:23 PM EST
Making Security Vendor Review a Continuous Process
Posted By: Greg Young, Research VP
The IT security market is moving faster than almost any area of technology. The churn of new companies popping up and existing companies getting acquired or disappearing can be seen by comparing a Magic Quadrant with the previous year's version. The ever-changing threat is the major driver for this hyperactivity.

Every security professional needs a list of the vendors used, including open-source projects. Don't just do due diligence with new vendors. Do a vendor check when you are renewing support or upgrading a product, and ensure that you check the status of all your vendors at a regular frequency. Have any vendors been acquired? Are they suddenly cool? Having problems with product vulnerabilities? Talking to their other customers about end of life for a product before there's a formal announcement?

We can help you with this - don't hesitate to call or e-mail us on the status of any IT security vendor before making a purchase or renewing a big-ticket support agreement. At a minimum, you may want to do this before your annual internal budget setting.
 
08 October, 2008 02:12 PM EST
M&A Patterns in the Security Space
Posted By: John Pescatore, VP Distinguished Analyst
Mergers and acquisitions in the information security industry always come in waves, just like they do in the IT industry. After every wave, there is always talk of "consolidation" and "enterprises want one stop shopping" – and that talk is always proven wrong. Just as in the overall IT industry, the majority of mergers and acquisitions do not succeed and the ones that do are all about rationalization, not consolidation – adjacent areas of the market coming together into platforms that make sense to deliver security controls that have lower total cost of ownership to deal with older threats or provide more effective security against evolving threats.

There are some clear failure patterns for mergers and acquisitions in the security space:

• Those that only have the “single vendor” argument as justification – see Symantec exiting the network security space it got by acquiring Raptor and Recourse and CA selling what was left of SilentRunner.
• Those that are essentially two sinking ships roping themselves together – too numerous to mention.

Some clear patterns that can lead to success:

• Host- or network-based security "platforms" acquiring technology to add protection rather than building it themselves: firewall companies acquiring and integrating network IPS, AV companies acquiring anti-spyware and host-based IPS to integrate into endpoint protection platforms.
• Major IT platform companies acquiring “let the good guys in” technology such as IAM products to embed access control and authentication capabilities into these business-driven products.

Easily six out of 10 mergers fit the failure pattern. Plus, after every wave of acquisitions, for every company that disappears two or three new ones pop up. That's one of the reasons why the information security space is so interesting and complex – between changing threats, changing business practices, and changing technology, nothing stays still.
 
18 September, 2008 07:29 PM EST
From the Executive Women's Forum on Information Security
Posted By: Roberta Witty, Research VP
The theme of the 2008 Executive Women's Forum on Information Security, Risk Management & Privacy is "risk convergence is inevitable." The risks associated with information security, privacy, physical security and so forth are converging such that an integrated management approach is required from within the firm.

Interestingly enough, business continuity management was not a key risk area mentioned by all panelists of the session titled "Convergence: The Good, The Bad & The Ugly." There were two pieces of strategic program management advice from the panelists. The first point is that you have to partner with all of your lines of business and corporate support areas. Since risk is related to the delivery of the business, no one department can address all of the issues. And, you might find that there are good practices already in place within your firm, so that you are not reinventing the wheel - leverage the good stuff throughout the firm. The second point is to focus on the budget issue - how many risk-related activities are already in place in your organization that could be combined (and are possibly duplicating each other), so that more work gets done with less money spent? Pooling of already limited budgets can go a long way toward developing a program that is more mature, delivers more benefit to the organization and eliminates a lot of duplicative work.

But all of this convergence comes at a price - mainly in fear, uncertainty and doubt of the workforce. Some feel that they will lose authority (especially in siloed risk approaches); others might lose their jobs as a result of the convergence. This human aspect was mentioned as the key challenge of an integrated approach. Therefore, communicating not only up within the firm but down to the workforce is critical to achieving a well-run and integrated program.

And finally, for those areas that just don't want to "play the game," use your internal audit department as the "stick" that can get them to act. When I was an IT risk manager, I always said that I was management's best friend - let me tell you the gaps in your risk program rather than having them come from the audit department, which then become part of the records of the firm.
 
11 August, 2008 05:06 PM EST
XTM? YAUSA, or Yet Another Useless Security Acronym
Posted By: Greg Young and Adam Hils
Sometimes, two negatives do make a positive. Gartner has avoided using the term UTM (that is, unified threat management) in our research because:

1. You can't (and wouldn't want to) manage threats.
2. UTM originally applied to products for small and midsize businesses (SMBs), but UTM has been recently co-opted by some enterprise security vendors under the guise of fresh marketing.
3. There is little evidence that many of the components in these platforms are integrated, much less "unified."

Now, there is some promotion of the new acronym XTM (that is, eXtensible threat management) as a new generation of UTM. We're not referring to any product name, but to the attempt to create a new and confusing acronym, and to create another artificial market to size and make predictions about.

No matter what you call it, the arc of advancement of network security products for the SMB will continue: New threats will drive the development of new safeguards that will be included as an option in that same appliance. This is not true for the enterprise, where best-of-breed buying of point solutions will continue, with consolidation of products occurring in three places, aligned by buying center and safeguard profile (see "Introducing the Secure Web Gateway").

The next-generation firewall (NGFW) will serve the enterprise and combine firewall and IPS; however, there will be no UTM for the enterprise (see "Magic Quadrant for Enterprise Network Firewalls, 2H07"). We are already seeing SMB multifunction firewall vendors optimizing performance by assigning separate ASICs, emphasizing that the inspection tasks on content and network processing are very different (see "MarketScope for Multifunction Firewalls for Small and Midsize Businesses"). Even among SMBs, we are seeing little evidence that many are deploying network, content and e-mail processing in the same platform, usually leaving e-mail security to a separate product or service.
 
24 July, 2008 12:05 PM EST
Do You Speak E-Discovery? You Should, Even in Europe
Posted By: Carsten Casper and John Bace
How often have you watched the news on television and seen people carrying boxes full of electronic media and digital files out of some well-known company's headquarters? It's a familiar scene in the United States, because of the number of companies subject to e-discovery actions. But even though this subject is disturbing the sleep of CIOs in companies large and small in the U.S. - and even though vendors of tools supporting e-discovery are all looking for the next "killer app" - most Europeans just look on and say, "What on earth is this 'e-discovery'?"

The concept of legal discovery (called "e-discovery" when electronic information is involved) is unique to the "common law" countries - notably the U.S., the U.K., Canada, Australia and New Zealand. Discovery in common-law civil litigation is a form of interrogatory in which both parties agree to the pretrial exchange of information, so that the plaintiff can prosecute a cause of action and the defendant can build a defense. By contrast, in countries with legal systems based on the Roman or Napoleonic traditions - which is to say, most of continental Europe - the obligation to produce information that is relevant to the cause of action is nowhere near as comprehensive as the obligation attached to discovery in common law.

There is an important difference between criminal and civil litigation, irrespective of a country's legal system. In a criminal case, if the authorities have a warrant or an indictment, the subject is obligated to produce relevant information, and this is true both in common-law countries and in continental Europe. In civil litigation, however, only common law requires the pretrial production of information and its exchange between affected parties. In non-common-law civil litigation, the relevant information is produced before the judge for consideration and evaluation.

Despite these differences, there are some important lessons for all Europeans about e-discovery and about legal discovery in general. The first is that if an external party demands information, whether during civil or criminal proceedings, it pays to deliver that information quickly. Gartner has seen many cases where enterprises simply didn't know how to find the requested information or couldn't produce it for several days - just long enough to generate some damaging media coverage.

The second lesson: It also pays to be able to deliver precisely the information requested. Law enforcement officers may seize folders and binders, disks and tapes, files and e-mails, reports and logs - anything they can get their hands on, really. This may include information that is not relevant to the case, and it may include information that is highly sensitive. This information will be reviewed, processed and analyzed, and some of this sensitive information might leak to the public or to competitors. It's much better to be prepared to hand over just the requested and required information.

The e-discovery landscape is made even more confusing by international jurisdictional differences. In the global economy, a business relationship with an entity in the U.S. is becoming more the rule than the exception. But a company's duty to release information following a U.S. legal discovery claim - for example, for a European subsidiary - and how that would be seen in relation to European privacy legislation remain unclear at best. E-discovery rules require quick delivery of information that has not been tampered with, but privacy protection requires that personal data be removed first.

E-discovery simply does not exist in most European legal systems, but European companies would be well-advised to familiarize themselves with the concept, in case an e-discovery claim originates elsewhere. Companies that have processes and automation for information archiving and retrieval, document and records management, and a retention policy (including disposal when information is no longer needed) will be well-prepared for any e-discovery claims that arise.
 
27 June, 2008 12:50 PM EST
Same Letters, New Acronym
Posted By: John Pescatore, VP Distinguished Analyst
On 26 June, Cisco, IBM, Intel, Juniper and Microsoft announced the formation of the Industry Consortium for the Advancement of Security on the Internet (ICASI). The major goal of the consortium is to be a forum where technology vendors can work together to share information and address new threats that have common impacts across their product lines. This is markedly similar to the goals of another consortium that all five vendors belong to, the Information Technology Information Sharing and Analysis Center (IT-ISAC), established way back in 2001 and largely ineffective.

There are some differences, though. ISACs were always U.S.-centric, with the U.S. government trying to be involved. ICASI is supposed to be more global, but since it is being established by North American vendors there is no real difference there; at least it is government-neutral. The IT-ISAC had many member companies that were security product vendors and security services vendors, while ICASI is currently limited to five of the biggest infrastructure vendors, with Oracle and Sun and any telecom vendors noticeably missing.

Back in 2001, I commented that the IT-ISAC could make a difference only if it was driven by the vendors' corporate security officers, not by product managers, and if it focused on inward-looking improvements in security and not outward-bound marketing and press releases. The IT-ISAC never really met those goals and was largely ineffective. ICASI will have to take the same behind-the-scenes focus, or it will end up being just another multivendor acronym that goes nowhere.

 
02 June, 2008 11:16 AM EST
FBI Freaks Out and Mixes Up Issues, but There Is a Valid Point in There
Posted By: Greg Young, Research VP
An FBI PowerPoint deck on the threat of getting counterfeit routers and such was reportedly found via an Internet search and posted here. The FBI (allegedly) makes the case that buying counterfeit network gear and getting your network gear with a trojan installed by a foreign power are linked.

Counterfeit gear has nothing really to do with having a backdoor installed. Having counterfeit gear can increase the likelihood of having some kind of rootkit or malware, but only in a general sense. If a foreign power wants to get you, it will do so on what looks like genuine gear in the original packaging - it doesn't need knock-off gear to do that (see the public domain examples listed in the article).

Creating a homeland security nexus is a good path to funding, albeit not always a legitimate case. There are too many examples of this bad behavior to list. The deck contains a point about vendors needing to link government sales and brand protection - instead, the point should be that government sales need to link to a trusted supply path.

Getting a trojan in new network gear is a big concern for very few people, and those few people may want to consider buying direct, rather than through resellers/channels.
 
20 May, 2008 05:31 PM EST
How Do I Get ISO27001 Certification?
Posted By: Carsten Casper, Research Director
Everybody has heard of the international standard ISO 27001 (or at least of its U.K. predecessor, BS7799-2). Now, more and more people wonder: How do I get a certificate for my organization? While in some countries (such as the U.K. and Germany), it's more common to get a certificate, in the U.S. it's not. Well, there are two ways to approach this: Find an accredited auditor (person), or find an accredited certification body (organization).

Auditors must be accredited by the International Register of Certificated Auditors (IRCA), so www.irca.org is a good starting point. For example, you'll find 40 auditors in the U.S. who are accredited for ISO 27001. They work for large consultancies or system integrators, but also for some smaller companies. Alternatively, you can look for an organization that issues certificates. Unfortunately, there is no international register for them; you'll have to look for a certifying organization that is accredited by a national accreditation body (for example, UKAS in the U.K. or TGA in Germany). These bodies maintain a list of accredited organizations (see http://www.ukas.com/about_accreditation/accredited_bodies/certification_body_schedules.asp and http://www.tga-gmbh.de/scopes/index.php?id=0051). For other countries, see the member list in http://www.iaf.nu. In the U.S., ANSI is in charge and has delegated this responsibility to ANAB (American National Standards Institute - American Society for Quality National Accreditation Board). However, the corresponding database (see http://www.anab.org/Directory/Certs_Search.asp) lists only two accredited organizations. The better way is probably to either look at the U.K. register (because many organizations can issue certificates for companies in the U.S. as well) or have a look at the unofficial register of ISO 27001 certificates (see http://www.iso27001certificates.com). There, you'll find a list of certified companies and the corresponding body that issued the certificate.

No matter which entry point you choose, the list of auditors, the list of certifying organizations or the list of issued certificates - the names that come up are often the same: BSI Management Systems, one of the TÜV companies, PricewaterhouseCoopers, Bureau Veritas and Atsec.

 
01 May, 2008 05:59 PM EST
E-Discovery's Great 'Urban Myth' - And Why You Shouldn't Believe It
Posted By: John Bace, Research VP
I'm in the process of reviewing the first 150 court cases using the revised Federal Rules of Civil Procedure (FRCP) for electronic discovery (e-discovery), which went into effect on 1 December 2006. Now, I know what you're thinking - but it's not nearly as glamorous as it sounds. The decisions average 40 single-spaced pages in length, they're painfully detailed, and the writing is as dense as only a lawyer can make it. It takes several cups of strong black coffee just to get through one case, and believe me, it's not something you want to try doing late in the afternoon.

Some of these cases are making serious progress toward closing the gap between the requirements of public policy mandates and the market-driven power of technology. But far too many of them are tangled up in two fundamentally opposed, but equally dangerous, fallacies: 1) the "urban myth" that it's impossible to erase an e-mail or other piece of digital information; and 2) the idea that the only smart practice is to keep nothing.

Where e-discovery and especially e-mail are concerned, most enterprises find themselves at a critical juncture at which public policy is failing to keep pace with the evolution of technology. I call this situation "Star Wars technology with Gutenberg laws." Just how bad is the business/technology/policy disconnect? Well, when I graduated from college in 1975, I got a job with United Press International (UPI), which had just implemented a rudimentary form of computer-based "e-mail" to replace the telex (TWIX) messaging system. The messages we sent were available on the computer for 24 hours, not a second more. If we needed a copy of one, we had no choice but to print it out. That's the way e-mail was originally conceived - as the technological equivalent of a Kleenex tissue - to be used once and thrown away. But that's not the way most enterprises are using e-mail now.

The fact is, for many enterprises, e-mail is now the primary workflow tool, the primary collaboration tool, the personal archive and, in some cases, the institutional archive. If there's any e-mail product that was designed with those uses in mind - and with the robust features and functionality to support them - I'm not aware of it. And that's where the business/technology/policy gap comes from. We have tools deployed that were originally designed for ephemeral communications, which are now expected to be eternal repositories of the truth. And, of course, to compound that problem, the world is full of litigators who are happy to win cases on mechanics, rather than merits - all because somebody didn't get e-discovery exactly right.

The bottom line: Don't accept the urban myth that you'll never be able to erase an e-mail, and don't believe that the only smart practice is to keep nothing at all. The trick is to understand what you need to keep, to know where it is, and to make sure that you can get at it when you need it. It's not simple, and it's not easy, but it is absolutely critical.
 
15 April, 2008 12:02 PM EST
We're From the Government and We’re Here to Protect You
Posted By: Kristen Noakes-Fry, Research Director
When my husband and I were in a motorcycle accident in Big Southwestern City last January, EMTs gathered me up off the pavement and rushed me away in an ambulance. My husband had to remain at the scene answering questions and filling out endless paperwork, after which the cops sped off to answer another call. Only then did my husband realize that he didn't know where I was. As a visitor, he was not familiar with the city or its hospitals and had no clue where the ambulance had taken me. Already shaken up from the accident and beginning to panic, he asked one of the people cleaning up the scene, who said, "I don’t know. Big City Medical Center, maybe." He found the number and called BCMC, at which point he encountered the HIPAA stone wall.

He was connected with the ER and told that no patient with my name was in the ER and that no one from a motorcycle accident had been brought in that evening. Then he called the ambulance company, which, due to HIPAA requirements, could not reveal patient information but – after he pleaded – recalled that they had dispatched an ambulance that evening to take someone to BCMC. He decided to risk a $50 cab ride to see if I was at BCMC. When he got to the ER about three hours after the accident, they said, "Sure, she’s right down there at the end of the hall." Didn’t even ask who he was. Although I am grateful for the superior emergency medical care I received, for my husband it was a frustrating ordeal and remains an unpleasant memory.

Gartner encourages clients to maintain consistent compliance and enforcement across their entire organization. Inconsistent enforcement may result in a bad experience for your customers or partners and could result in legal liability.
 
03 April, 2008 11:41 AM EST
Waiting for "EuroSOX"
Posted By: Carsten Casper, Research Director
Is corporate governance all about the U.S. Sarbanes-Oxley Act (SOX)? The answer is, of course, "no," but you could be forgiven for wondering, given how often people say "SOX" when they're really talking about internal controls. I suppose it's not surprising, then, that many new pieces of audit-related legislation take on the "SOX" suffix. Japan's Financial Instruments and Exchange Law has come to be widely known as J-SOX, and now we're hearing all kinds of talk about something called "EuroSOX" — and that's a mistake.

We Europeans don't like to be seen as copying the U.S. - surprise, surprise! - especially when we aren't. There are at least as many differences as similarities between Sarbanes-Oxley and the various European Union (EU) directives on related topics. The simple fact is: Europe isn't the United States. The legislative processes are longer and more complex. Many variations remain between different countries and jurisdictions within Europe. Noncompliant enterprises will be asked to explain their actions, instead of their CEOs being sent straight to jail. The only people who'll really benefit from the "EuroSOX" hype, with its current Peak of Inflated Expectations, are vendors trying to sell compliance tools that may or may not be appropriate to European needs. The Trough of Disillusionment that will follow is likely to be long and deep and come at the worst possible time — that is, when enterprises really do need to make some adjustments to their internal controls.

Despite the differences I've identified here, Europe, like the U.S., is striving for improved corporate transparency and accountability. Specific guidance must, and will, be developed, and it will have an impact on IT — sooner in some countries, later in others. Europe can benefit from the experience of overly prescriptive U.S. legislation by ensuring that proper risk management is in place focusing on high-risk areas, enforcing segregation of duties and automating key controls. But learning, not copying, is the key here.
 
17 March, 2008 06:07 PM EST
A Critical Time for Critical Infrastructure: Some Utilities Step Up
Posted By: Earl Perkins, Research VP
Every industry has its particular concerns about information security. Companies in the utility industry, particularly those providing electricity, gas and water to citizens worldwide, have specific requirements that have been highlighted as infrastructure ages, while threats external and internal underscore the "critical" in "critical infrastructure." In North America, bulk electric systems now have compliance goals in the form of Critical Infrastructure Protection (CIP) rules to improve the reliability of their systems. Ironically, this comes at a time when many of those same electric utilities are in the process of evaluating, engineering and implementing new advanced metering infrastructure (AMI) systems, a relatively mature and much-hyped technology for automated meter reading for commercial and industrial customers. While AMI is a significant market with significant vendors, concerns about project scope, business requirements and technology standards, particularly in security, worry some. Concerned utilities have taken a leadership role in those standards efforts, and not just in technology standards. Key processes for developing an AMI program, documenting an effective security design and identifying AMI security requirements have been the purview of utilities such as Southern California Edison (SCE), which has spent years developing a secure AMI program in the form of a product offering called SmartConnect. Others, including SCE, have been heavily engaged in standards bodies such as the Utility Communications Architecture (UCA) International Users Group (IUG), the UtilityAMI working group and the AMI Security (AMI-SEC) task force to close the gap between need and reality.

So, what's the message here? There are several. Major issues aren't static; they're dynamic. While infrastructure ages, new demands are being made on it. The parties that deliver the service must find a way to deliver compliance and a solution plan simultaneously, while still providing critical infrastructure services - not an easy task. Having the right participants at the right level of engagement and at the right pace is, well, I guess you could say critical.
 
07 March, 2008 11:08 AM EST
OnStar Offers a Model for IT Security
Posted By: John Pescatore, VP Distinguished Analyst
At the recent Gartner Mobile and Wireless Conference, Sanjay Khunger, the chief technologist of GM's OnStar unit, gave a presentation on the history of OnStar's satellite-based remote safety, security and diagnostic service. GM looks at auto safety as being in three distinct phases: before the crash, during the crash and after the crash. Another way to look at this is preventing/avoiding the crash, surviving the crash and recovering after the crash. GM designs features into cars in each of those phases (anti-lock brakes to avoid crashes, chassis design and airbags that reduce injury during the crash, and so on). I always thought of OnStar as a "push the button to call for help" service, but Khunger explained how it was an integrated part of GM's overall safety strategy.

Beyond the obvious capabilities to call for help after a crash, OnStar has features that also apply to the first two phases. Hands- and eyes-free navigation and cell phone capabilities minimize driver distraction and reduce accidents. Remote proactive diagnostics and remote door unlock services reduce the time a driver spends standing next to a dead car on the side of the road. Multiple sensors in the vehicle provide information on the type of crash and the number of occupants so that emergency personnel have more information to ensure that EMTs have the right equipment to best save lives at the crash scene.

This isn't meant to be a commercial for OnStar - if you watch sports on TV, you've already seen plenty of those. However, GM's placement of a security-related service in the larger context of customer safety really hits home on a larger point: Security and, just as importantly, safety need to be worked into all the critical business and IT processes at your business. The biggest bang for the buck comes from avoiding incidents - minimizing vulnerabilities in applications, not just by having secure development life cycles but by thinking about user safety. What are the abuse cases where a user or customer might accidentally put themselves in danger? What features are built into your business applications to avoid those situations?

Financially, OnStar makes more money by helping its customers avoid accidents. But stuff happens, and building in instrumentation, response and recovery features to minimize damage during an incident and to ensure swift resumption of business after an incident is important as well. This applies as much to car crashes as it does to identity theft incidents, insider attacks and every other IT security "crash." Build security into your critical business processes, and keep your customers safe.
 
06 March, 2008 03:26 PM EST
FireWire Is the New What? Complex Things Break - Be Aware
Posted By: Jay Heiser, Research VP
As reported in several recent articles, security consultant Adam Boileau has found a relatively simple way to exploit FireWire ports to hack into Windows machines.

I'm not going to lie awake at night worrying about FireWire hacks, but this news should serve as a reminder that the more interfaces you stick on a computer, the harder it becomes to control what happens to that computer. The more network services you have, the more remotely accessible things that can break. The more hardware interfaces, and the higher the level of service they provide, the more likely it is that a physical attack can be conducted without the use of the keyboard.
Complex things break in unforeseen ways.
 
25 February, 2008 05:47 PM EST
Let's Not Let the Security Staff Become the SocGen Scapegoat
Posted By: Jay Heiser, Research VP
A growing number of commentators are pointing the finger at the Societe Generale security function as being at fault in allowing "rogue" trader Jerome Kerviel to eventually bring the bank to its knees. Security product vendors are taking the opportunity to position their technology as being solutions that could have prevented this failure.

It is certainly the case that many forms of control technology can overcome human weakness. But at best, it is misguided to believe that technology failure is the root vulnerability, and at worst, this is an attempt to turn the security staff into the scapegoat. Believe me, the security managers were fully aware of the problem and had warned about it many times.

It has always been well-recognized in the financial services arena that trading staff do not follow even the simplest security procedures. Sharing of logins on the trading floor is the normal way that they do business. These are people who do not follow the rules. Not only do they not follow the rules, but their management and the bank management also feel that rules should not apply to these people.

The crux of that problem is that they are treated as golden geese, and any attempt to inhibit their flexibility is avoided, because the result might be fewer golden eggs. It isn't a security failure; it is a governance failure. And it is not a problem unique to SocGen. This is the way financial services firms run their trading floors, and there should be no reason to feel that other banks aren't equally or even more vulnerable to such an incident.

If you want to douse the flames of the bonfire of the vanities, you have to start at the top, not the bottom. Real improvements in risk management can come about only if top management is sincere in setting an agenda that balances short-term profits with long-term corporate viability and social responsibility.
 
05 February, 2008 06:52 PM EST
Defining Risk Management
Posted By: Paul Proctor, Research VP
The rise of risk management as both a discipline and a reference has led to confusion in terminology and applicability. The word "risk" has proliferated in titles for traditional roles and responsibilities such as security, business continuity, privacy and many operations functions. In some cases, this is nothing more than a title change with no fundamental shift in methodology. This proliferation has led organizations to struggle at the top with clearly defining what enterprise risk management (ERM) means to their organization, and at the bottom with defining what "risk" people do vs. their counterparts in traditional operational roles. Even within the various risk management groups, organizations must clearly define how responsibility is assigned.

The term "risk management" has grown in popularity to the point where it has been watered down, made irrelevant and considered a failure in many organizations. IT vendors have precipitated this by labeling many automation and management products with "Risk Management" or "GRC" in an attempt to take advantage of the popularity of the term. Many organizations have followed suit by mislabeling traditional, less mature approaches to addressing risks that typically involve isolated decisions in reaction to loss events or the indiscriminate application of technology without good governance, risk measurement or a transparent methodology. Organizations should use the label "risk management" only with efforts that apply a proactive approach to measuring reasonably anticipated risks and applying appropriate controls.

Organizations should start with a good internal risk hierarchy definition to which all risk-related groups can align. There is no single definition that works for all organizations, and differences will remain in the silos, but it is important to start from a common, overarching definition. This will help eliminate overlap in the silos, avoid gaps in coverage and facilitate good governance.

We have research on the way to help you.
 
24 December, 2007 12:30 PM EST
When Too Much Security Means No Security at All
Posted By: Paul Proctor, Research VP
We all know about the law of unintended consequences - the principle that the actions we take can have results that are unpredictable, and sometimes even the exact opposite of what we're hoping to achieve. Media reports out of the United Kingdom this week seem to offer a spectacular example of this principle at work in the world of enterprise security. The details are still emerging, but what's come out so far should be a wake-up call for security and risk professionals everywhere.

Last month, HM Revenue & Customs (HMRC), the U.K.'s tax and excise agency, acknowledged that it had suffered one of the worst data breaches in history (see "Data Loss Could Have Huge Impact on U.K. Banking Industry"). The agency had somehow managed to lose the entire national child benefits database, which contains highly confidential information on a staggering 25 million individuals - literally every household with dependent children in the U.K. The database was stored on two computer disks that were apparently lost while being transported and that still haven't been recovered. The U.K.'s citizens, who are very sensitive about privacy issues, were predictably outraged, parliamentary and regulatory inquiries were launched, and HMRC's chairman was forced to resign. But the agency blamed a single comparatively low-level staffer for causing the breach by downloading the benefits database onto disk. Now it looks like the story was a lot more complicated than that - and HMRC still hasn't learned its lessons from this debacle.

Reports in the U.K. media in the past few days suggest that the downloading was actually ordered by senior officials as part of official HMRC policy. As if that weren't bad enough, HMRC still seems to be working hard - even after the data breach - to make sure that most of its personnel don't even know what the agency's official policy is, much less follow it. It turns out that HMRC has a detailed policy manual governing the handling of confidential information. But in the days after the data breach, HMRC apparently decided that the manual itself was so sensitive that it had to be kept confidential. According to the media reports, only senior staff are allowed physical access to the manual, while lower-level personnel receive only a Web-based briefing that discusses general principles of security and confidentiality.

How are people supposed to follow a policy when they don't know what it is? I'll leave that question to the bright lights at HMRC. Even if they aren't ready to learn the lessons of this data breach, I hope you are. And one of the most important is that well-crafted, well-communicated security policies and policy documents are the bedrock of effective enterprise security. That's why Gartner security analyst Les Stevens recently published a three-part series of Toolkit documents focusing on creating, implementing and communicating an enterprise security framework. You can use these documents to build enterprisewide consensus on security issues, develop appropriate security policies and processes, and - crucially - communicate them to the necessary stakeholders within your enterprise. Take a look. I think you'll be glad you did.

Toolkit Best Practices: Creating a Security Policy Process (Security Policy Guidelines, Part 1)

Toolkit Best Practices: Creating a Security Policy Process (Security Policy Guidelines, Part 2)

Toolkit Best Practices: Creating a Security Policy Process (Security Policy Guidelines, Part 3)
 
06 December, 2007 07:02 PM EST
Think of Guest Networking as a Strategic First Step Toward NAC
Posted By: Lawrence Orans, Research Director
Lately, I have been speaking with a lot of clients about guest networking. In nearly every discussion, a client will tell a "war story" about a visitor who plugged his or her laptop into the wall jack and brought down the network (either via a worm or via a misconfigured device). A guest network would prevent most of these problems by providing only Internet access to guests (or possibly tightly limited internal access to a contractor).

A lot of people confuse guest networking and network access control (NAC). A guest network is really a subset of NAC: It authenticates a user or device before it gains access to the trusted network. NAC takes things a step further: It says "let's make sure that this device is not dangerous to our network before we grant it access." In other words, we baseline the PC to make sure that it is free of malware or that it is at least compliant with our device policies. The guest networking/NAC distinction is an important one. Not all guest networking projects can easily and cost-effectively evolve to a full-blown NAC implementation. But, any true NAC solution can first be used to perform basic endpoint authentication for guest networking and then evolve to a complete NAC implementation.

There are multiple approaches to building guest networks, and some vendors have started to offer dedicated guest networking products. Last month, Cisco announced its Network Admission Control Guest Server, an appliance for building guest networks. It includes a management application that makes it simple enough for any employee to sponsor a guest. Startup vendor Identity Engines sells a guest networking solution with similar features. Cisco's solution works best in Cisco environments (it needs to integrate with Cisco's NAC appliance or Cisco's wireless LAN controllers). Alternatively, Identity Engines' solution works best in an 802.1X environment (although it does have an offering for non-802.1X LANs). Some network managers that I have spoken with have implemented a homegrown guest network based on MAC address authentication (although this approach is not a good steppingstone to NAC, since it does not provide a mechanism for baselining endpoint health).

Gartner advises clients not to think of guest networking as a stand-alone point solution, but to think of it as the first step toward a strategic NAC implementation. When you design a guest network, you should do so with the end goal of NAC in mind; that's the most cost-effective approach. You can read more in "Findings from the 'Security' Research Meeting: Go Beyond Guest Networks to Achieve NAC Benefits."
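As an added example that is not part of the original post, the following Python models the two stages described above: the identity decision a guest network makes (Internet-only for guests, limited access for contractors) and the endpoint-health baseline that NAC adds before an employee device reaches the trusted network. Zone names, the sponsored-guest registry, the posture thresholds and all sample endpoints are constructed for illustration.

```python
"""Constructed policy engine modelling the guest-networking vs. NAC distinction.

Stage 1 (guest networking): authenticate the user or device and classify it.
Stage 2 (NAC): baseline the endpoint's health before trusting it. A device that
reports no health data at all (as with MAC-address-only authentication) can never
be baselined, so it is never placed in the trusted zone.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Network zones (constructed names; in practice these map to VLANs or ACLs).
INTERNET_ONLY = "guest-internet-only"
LIMITED_INTERNAL = "contractor-limited"
REMEDIATION = "remediation"
TRUSTED = "trusted"


@dataclass(frozen=True)
class GuestAccount:
    """A guest account created by an employee sponsor, valid until `expires`."""
    sponsor: str
    expires: datetime


@dataclass(frozen=True)
class Posture:
    """Endpoint health as reported by a NAC agent or scan (constructed fields)."""
    av_signature_age_days: int
    patches_current: bool
    host_firewall_on: bool


@dataclass(frozen=True)
class Endpoint:
    username: str
    role: str                    # "employee", "contractor" or "guest" per the directory
    posture: Optional[Posture]   # None: no agent, so no health data available


def authenticate(ep: Endpoint, guests: Dict[str, GuestAccount], now: datetime) -> str:
    """Stage 1: identity. A guest is valid only while its sponsorship is unexpired."""
    if ep.role in ("employee", "contractor"):
        return ep.role
    acct = guests.get(ep.username)
    if acct is not None and acct.expires > now:
        return "guest"
    return "unknown"


def posture_compliant(p: Posture, max_av_age_days: int = 7) -> bool:
    """Stage 2: health baseline. Thresholds are constructed policy values."""
    return (p.av_signature_age_days <= max_av_age_days
            and p.patches_current
            and p.host_firewall_on)


def assign_zone(ep: Endpoint, guests: Dict[str, GuestAccount], now: datetime) -> str:
    """Return the network zone this endpoint should be placed in."""
    identity = authenticate(ep, guests, now)
    # A plain guest network stops here: identity alone decides Internet-only vs. internal.
    if identity == "guest":
        return INTERNET_ONLY
    if identity == "contractor":
        return LIMITED_INTERNAL
    if identity != "employee":
        return INTERNET_ONLY     # unknown user or expired sponsorship: no internal access
    # NAC goes one step further: an employee device is trusted only if it is healthy.
    if ep.posture is None or not posture_compliant(ep.posture):
        return REMEDIATION
    return TRUSTED


# Constructed sample data for a stand-alone run.
NOW = datetime(2007, 12, 6, 12, 0)
GUESTS = {
    "visitor1": GuestAccount(sponsor="alice", expires=NOW + timedelta(hours=8)),
    "visitor2": GuestAccount(sponsor="bob", expires=NOW - timedelta(days=1)),  # expired
}
SAMPLE = [
    Endpoint("visitor1", "guest", None),
    Endpoint("visitor2", "guest", None),
    Endpoint("carol", "contractor", None),
    Endpoint("dave", "employee", Posture(2, True, True)),
    Endpoint("erin", "employee", Posture(30, True, True)),   # stale AV signatures
    Endpoint("frank", "employee", None),                     # no agent, no posture data
]

if __name__ == "__main__":
    for ep in SAMPLE:
        print(f"{ep.username:10s} -> {assign_zone(ep, GUESTS, NOW)}")
```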
 
30 November, 2007 03:35 PM EST
Is User Provisioning Dead? Dying? Irrelevant? Tactical (Maybe)?
Posted By: Earl Perkins, Research VP
An analyst stirred up some drama at the Gartner Identity & Access Management Summit in Los Angeles this month with some comments about user provisioning. (Yes, you read that right: the words "drama" and "user provisioning" in the same sentence!) The analyst referred to user provisioning as "tactical." But by the time that simple remark had been passed around the halls and the lunch tables, it had changed, just like in the game of "Telephone" we played when we were kids. Somehow, "User provisioning is tactical" turned into "User provisioning is dying out" and even "User provisioning is dead." Because of the confusion, I thought I should clarify what Gartner believes about this important area of identity administration.

If we have the opportunity to build applications and services correctly … and if we choose them wisely … and if they create an adaptive, contextual, policy-driven set of business solutions, then the need for a technology like user provisioning to synchronize changes across disparate platforms and applications will be minimized or eliminated. But that's a lot of ifs, isn't it? The reality is, as long as we have those disparate platforms and applications, user provisioning will remain a necessary evil — the "plumbing" that makes the best of our past decisions, both good and bad.

The Gartner analyst's comments about tactical user provisioning were hopeful and forward-looking. They were meant to suggest that enterprises can plan their way out of a perpetual reliance on "plumbing" — but only if identity and access management (IAM) planning is part of consolidated application development and integration planning, and part of services planning. If they remain separate silos of planning and architecture, user provisioning not only will remain very much alive, but unfortunately will move from tactical to chronic.
 
18 October, 2007 03:02 PM EST
An (Identity Management) Suite by Any Other Name Is Not a Rose?
Posted By: Earl Perkins, Research VP
When you're in the midst of analyzing a number of trends and indicators about markets, technologies and other areas of responsibility, it is possible to miss some of the more obvious occurrences in the industry - events my mother would call "common-sense" conclusions. I'm struck by how little the identity and access management suite concept matters to customers.

I realize this may be heresy and some of my vendor colleagues may be unhappy with me, but I've noted buying decision habits by a considerable number of clients across a broad spectrum of industries and enterprise sizes, and one conclusion keeps arising - there is often little or no connection between what initially leads clients to identity and access management (such as role restructuring, single sign-on, account provisioning, fine-grained authorization administration) and the decision to buy multiuse functions of a suite rather than addressing those initial needs with a point product from that suite vendor or a dedicated product vendor. Few customers think in terms of a suite. They don't view their identity and access management issues in terms of identity administration plus access management, or identity verification melded with identity auditing, though sometimes the business drivers lead them to a solution that can be addressed by two or more suite components. In fact, many identity management decisions still appear linear rather than concurrent or multithreaded.

Should that be the case? Isn't it important for customers to think of the broader issues of identity and access management across platforms, applications, and data and the concerns for access and protection that might lead them to an integrated view of administration and enforcement of the kind suites provide? Perhaps. But the real question is what drives customers in the first place to be worried about identity-specific issues, or access-specific issues, and at what point in their IT road map. What are they able to provide for their infrastructure at that point versus what they wish to provide, and what can they justify in the context of their information security strategy? If this aligns with the idea of a suite, then perhaps the rose can bloom after all.

In the meantime, we must face the fact that identity and access management suites are primarily aggregations of convenience, capable of providing licensing discounts and streamlined maintenance environments for customers. But as an evolutionary step in integration or as a means of smoothly interlacing successive layers of identity services for a customer - I'm afraid not.

 
03 October, 2007 11:22 AM EST
The 3Com Huawei Saga Comes to an End
Posted By: Neil Rickard, Research VP
The turbulent saga of 3Com's joint venture with Chinese telecom equipment vendor Huawei has finally reached an end, with Huawei and Bain Capital acquiring 3Com for $2.2 billion in cash. The joint venture activity started in 2003, a time where Huawei was looking to expand internationally and chose 3Com as a partner for enterprise networking. The deal saw Huawei provide hundreds of engineering resources while 3Com provided the startup capital. At that time, the view was that Huawei needed 3Com more than 3Com needed Huawei. However, it quickly became clear that Huawei's growing presence and increasingly strong brand in developing countries was the most valuable asset, and Huawei was not going to benefit from the partnership in the North American and Western European markets. With Huawei a reluctant partner, it set out to maximize its investment by helping to ramp the joint venture sales and allowing 3Com to first buy a controlling stake in the joint venture in 2005, then a full acquisition of the joint venture in 2006 for a total of more than $900 million. At that point, Huawei effectively turned its back on the joint venture and exited the enterprise market. Without Huawei's support, the joint venture's sales and the value of the asset were sure to decline over time.

It was clear that the story was not over, and that the logical course would be for Huawei to re-emerge with a partner to acquire 3Com outright. With Huawei's support and commitment, the new company has a chance to thrive in the developing world, and with a possible name change ("Huawei Enterprises"?) will attempt to re-invigorate sales in the developed economies. Success is likely in developing markets; however, both the 3Com and Huawei brands are a difficult sell in North America. In Europe, the 3Com brand will sell to smaller businesses but not large enterprises, while the Huawei brand has low, but growing recognition.

 
01 October, 2007 12:52 PM EST
Three Reasons to Avoid Protecting a Small Group of Workstations
Posted By: John Girard, VP Distinguished Analyst
What is sensitive data? If you don't have a good answer, then you have gaps in your data encryption plans.

I specialize in security for road warriors and teleworkers, so every day, I talk with clients about their needs and plans for implementing encryption tools to protect data stored on workstations. A common theme for all these conversations is a desire to save money by only implementing protection for a small group of PCs that are carrying the company's sensitive information. Three problems arise from this theme.

The first is "less is more" - in this case, less can be more money! If you want to manage your encryption, you need a management console. It's not free, nor is it discounted for small purchases. There is also the matter that prices per seat decline for larger purchases. I have seen situations where a client paid less overall and per user seat by negotiating well for a larger purchase, which brings more workstations under protection. Larger purchases also mean that the cost can be distributed to more managers and business lines, taking some of the burden off the early adopters.

The second problem is the matter of defining sensitive data. Most clients limit their thinking to information that is linked to specific laws, because of the connotations of a breach. However, data that is not covered by a strict interpretation of a law or regulation can be just as important and just as damaging if it is exposed. For example, I had an oil company client that planned only to encrypt a handful of notebooks used in HR. The company did not plan to secure HR desktops. However, we all know that the majority of cybercrimes are inside jobs, so why wouldn't the same information need to be protected on the inside? Beyond the HR data, I presented several scenarios where general information in the company deserves protection. For example, unencrypted mobile, remote and wireless-enabled systems contain information that could be used to infiltrate, monitor, disrupt and misdirect supply chains for parts and services for oil rigs, processing equipment, transportation and other critical systems that would not automatically come under the spotlight of a specific law. Hackers do not just look for financial and medical data; if you lock up one treasure, then they look for the next.

The third problem is that users and workstations change roles over time. We must also account for employees who change jobs or projects within a company. A person who at one point is working with "nonsensitive information" can be promoted or transferred, but will this be recognized by the IT department? And if there is a gap of time before IT catches up to protect that person, a gap has been created that could lead to a breach. Then there are the people who have copied data they should not be carrying, but no system in the company is designed to stop them, and their systems are unprotected.

In my role I have always been sensitive to data protection challenges, but now it's hitting close to home. In August, a laptop computer belonging to my own state's government was stolen from a car, and it contained personally identifiable data on more than 100,000 taxpayers. Then, another laptop was stolen from a car, containing records for family welfare cases, all sitting in a private consultant's laptop.

It's time to recognize data protection as a cost of doing business. We need to stop trying to save a bit of money and face the risk of becoming another headline!

Read more here and here.

 
06 September, 2007 10:37 AM EST
Large-Scale Video Monitoring in Shenzhen, China
Posted By: Richard Hunter, GVP & Gartner Fellow
Western democracies have deployed video monitoring systems in places like airports and busy city districts for years. The largest-scale deployment to this point is the U.K.'s 4 million video cameras; you see them in practically every public place. The systems are generally sold to the public as a means to reducing crime in public places, but so far, they're much more useful for investigating crimes after the fact than for preventing them. In other words, results of these deployments so far are mixed, tending toward poor. But the deployments go on.

The People's Republic of China (PRC) is now running a very large-scale pilot for video monitoring in Shenzhen, China (20,000 cameras), coupled with smart residency cards containing a lot of personal information for the majority of the population of that city (a total of 12.4 million people). Details can be found here (link requires a password).

Given the relative lack of restraint on what the PRC can do with its citizens, we may find the Chinese pioneering uses for these systems. Certainly, the PRC can experiment more aggressively than most Western governmental agencies. The potential for combination of large-scale video monitoring with detailed personal information, obviously present in the PRC's experiment, is particularly interesting. No Western government has experimented with this approach on this scale; so far as I know, the largest facial recognition system database deployed publicly was Tampa's, which included a database of over 10,000 wanted felons, sexual predators and runaway minors. That's a small database indeed compared to the population of Shenzhen, and the Tampa database was aimed only at people already known to be of legitimate interest (in Western terms) to the police.

My guess is that Western democracies, which have employed plenty of video monitoring systems in the past few years, will be watching the Chinese experiment carefully for clues on how to make these systems more effective. The question is whether Western democracies will be willing to do what the Chinese will have to do to make the systems effective.

 
29 August, 2007 02:35 PM EST
Results of Information Security Poll
Posted By: Christian Byrnes, VP Distinguished Analyst
We are receiving a rapidly growing volume of inquiries about information security governance. This trend started a few years ago and is now very visible in our statistics. To get an idea of the current state of the world, we posted a poll on the Gartner for IT Leaders Web page. We received 237 responses. Because respondents must be subscribers to the Gartner for IT Leaders product and will almost always be security professionals, the results should be somewhat better (a higher maturity level) than those of a full-population poll:

Poll: How does your organization handle information security governance - the way in which the enterprise sets direction, limits and budget for infosec?

One way to understand the results is to use the same model we frequently refer to for security program maturity. This model divides the world into four categories: blissful ignorance (very low maturity); awareness (low maturity); corrective (moderate maturity); and operations excellence (high maturity). We can approximately map our four response selections from the poll to these maturity levels. The results are:

• We don't do infosec governance (lowest maturity level): 17.1%
• Part of IT governance process (better, but not at current expectation): 45%
• A separate governance process (very good, current): 15%
• Part of larger risk governance process (best practice or leading edge): 22.9%

If we adjust these numbers about 5% toward the lower end of the curve to approximate a broader responding audience, we get an interesting result. The numbers for the bottom and top levels match our estimates for overall information security program maturity levels. But the two middle levels show a significant delay in moving from common IT governance to separate security governance, as compared with our maturity estimates. This bottleneck connects well to the increase in inquiries on this topic that we have been experiencing. Security officers apparently know they have some catching up to do.

I wonder what is preventing the separation of security governance from IT governance in these organizations. Please respond!
 
27 August, 2007 06:02 PM EST
Identity Management and User Provisioning: Some Things Can Get Easier
Posted By: Earl Perkins, Research VP
I recently returned from working at Microsoft to life as a research analyst at Gartner. Working in Redmond gave me a healthier respect for both the complexity that goes into delivering solutions for customers and the type of problems customers ask vendors to solve. When I arrived back at Gartner, one of the first tasks I was given was to work with a colleague to coordinate an update to the Magic Quadrant for user provisioning in identity management. Now here is a problem type that has driven many customers to distraction, either by its complexity, its cost to achieve, or its lack of good tools or process. The Magic Quadrant was completed this week. Did we really learn anything new from last year's first study on the subject?

Yes, we did. There is both good news and bad, actually. The good news is that the products for user provisioning are better now. The features for provisioning, de-provisioning, workflow and audit have greater functionality across more platforms and applications, perform better, and integrate and interoperate better than they did 18 months ago - as they should. System integrators are more numerous and more available geographically, and deployment successes exceed deployment failures - these are good things. So, what's the bad news?

Well, for large projects, user provisioning is still very hard. It often takes far too long, years even, and in many instances the program objectives are ill-defined or improperly defined, resulting in poor implementations that ultimately lead to failure or projects that simply stop in midphase, sometimes to be restarted later under different leadership. The purpose of user roles is ill-understood, whether they are business-specific or technology-specific, and without clear definition of such roles, many times user provisioning projects can go awry. Tinkering in midphase with the goals, a temptation if the project is taking a long time, makes the project take even longer as the parameters change. These disappointments have even caused Gartner to move user provisioning in the "Hype Cycle for Identity and Access Management Technologies, 2007" back to reflect basic customer views of the current state of the overall user provisioning experience.

All in all, things are moving forward in identity management. Yes, it's complex. Yes, it's expensive. Yes, it takes a long time. But for some things, it actually is getting a little easier.
 
25 July, 2007 12:07 PM EST
Payment Card Industry Q&A #3
Posted By: Avivah Litan, VP Distinguished Analyst
How do you choose a PCI assessor?

Gartner's clients often ask what we think of various "qualified data security companies" that the PCI Security Standards Council says are okay to work with on PCI assessments. Well, there are some important areas where we part company with the council. One of the most important is that the council sanctions the use of an assessor that is also trying to sell you security services. This is completely at odds with established best practices in audit and compliance. Is it difficult to imagine a scenario like this? The assessor - which is also a vendor of security services - tells you that you need a scanning service for all your nodes and servers, since they're all somehow connected to the servers holding your cardholder data. Oh, and by the way, they can sell you the scanning service. And once they've finished scanning all the servers, you'll also need intrusion prevention service (IPS) for all of them - which they just happen to sell, too - and that once you've done all that, you'll finally be "PCI-compliant."

Well, the card companies may not have learned anything from the Enron and accounting/audit firm debacles of the past few years, but we have. That's why Gartner strongly recommends that you hire an assessor that doesn't try to sell you security software or services. If, for whatever reason, you really want to use an assessor that does both - assessments and sales - make sure it has the proverbial "Great Wall of China" between the two business divisions.

 
18 July, 2007 12:05 PM EST
Payment Card Industry Q&A #2
Posted By: Avivah Litan, VP Distinguished Analyst
So, which applications are acceptable for use under the terms of the PCI?

It's clear that there's a real need for the Security Standards Council to come up with hardware and software standards for the applications and platforms that retailers and other card-accepting organizations use to process their payments. The council says it's soon going to issue its own PIN Entry Device (PED) standards, so that users won't have to worry about the separate brand standards for payment terminals. Even so, we also need a cross-brand standard for payment software used by retailers, and so far, none exists. The only standard we have is Visa's Payment Applications Best Practices (PABP). While we're all waiting for cross-brand standards, don't let your payment application software providers tell you they're PCI compliant. They're not. Make it clear that what you're asking about is their actual software, not their internal organizational data protection practices.

 
12 July, 2007 04:30 PM EST
Reply to Whit
Posted By: John Bace, Research VP
As researchers, we know the Williams v. Taser case is only a single data point. In research as in Euclidean geometry, we need two points in space to draw a straight line.

I recently learned about some work under way over the last year to revise the Federal Rules of Evidence (FRE) - specifically Rule 502, which deals with the waiver of attorney-client privilege and work product.

This is related to e-discovery in that privilege is waived accidentally too often in e-discovery, due to both the volume of material produced and the fact that attorneys reviewing e-discovery material for production review only the surface content of the documents and not the underlying metadata.

The proposed changes to FRE Rule 502 would set up a consistent way for waiver disclosure and claw-back of information to be handled in all jurisdictions. The committee's commentary on the new rule also suggested a way to protect accidental disclosures. This is from the committee notes on FRE Rule 502(b):

"Depending on the circumstances, a party that uses advanced analytical software applications and linguistic tools in screening for privilege and work product may be found to have taken 'reasonable steps' to prevent inadvertent disclosure. The implementation of an efficient system of records management before litigation may also be relevant."

To me, this is the second sign that Whit and Debra were really onto something about the importance of search in trying to deal with this e-discovery issue. Good work guys! Sorry I was such a Doubting Thomas!
 
12 July, 2007 03:40 PM EST
Electronic Discovery Protocol, Reply
Posted By: Whit Andrews, Vice President
John is too kind in implying Deb and I were insightful; instead, we just put ourselves in the position judges must find themselves constantly - wrestling with the misery of a case that won't get out of the dull part (setting up the soldiers) and get to the good part (flinging the corners of the counterpane toward each other). We talked with a number of lawyers in developing our assumptions for that note, and the division was clear: The lawyers who were often of the Google generation (in inclination, if not age) felt we were not insane; those who did not use technology regularly or who clung to the idea that massive review sets were an entitlement of the legal system felt we were.

I can subdivide it further. The bigger the firm, or the bigger the company where corporate counsel was employed, the more likely that it agreed with our premises. These lawyers deal with judges who face hundreds of gigabytes of data often, and will face terabytes routinely if "something is not done," and they know that market forces will not support untrammeled growth of potential evidence. There are not enough junior associates on the planet to beat back the locust swarm of documents that now is routinely sought in cases. We talked with one lawyer whose firm estimates the amount of documents to be reviewed before taking a case, and makes a straight volume v. settlement size decision in deciding whether to take contingency cases.

We believe that decisions like the one John references are just the beginning. We predicted last year that "… by 2011, U.S. courts will demand that the processes by which documents are selected for use in law cases, including any keywords and algorithmic or rule-based expressions used, be revealed to them (0.8 probability)." It's already happening, and soon it will be just another clause that lawyers will expect to see.
 
12 July, 2007 10:15 AM EST
Court Offers Guidance on Electronic Discovery Protocol
Posted By: John Bace, Research VP
Last fall, Whit Andrews and Debra Logan published a very insightful research note, "Prepare for Technologically Driven Document Selection for U.S. Courts," in which they suggested that the U.S. judicial system would favor electronic content filtering as part of the e-discovery process. While I fully agreed with their advice and analysis, I was extremely skeptical (and very tough in peer review) about how quickly they thought all of this was going to happen.

As a law student (majoring in IT law, no less), I was put off by the ambitious timeline Whit and Debra had sketched out in their three Strategic Planning Assumptions. If I learned nothing else in three years of law school so far, it is that case law and judicial reasoning (stare decisis) evolve very slowly. How slow you ask? Well, in my opinion, it makes "dog years" look like "Internet time."

What does that mean in a practical application? There was a court decision handed down earlier this summer (see "E-Discovery of RAM Ruling Is Bad for Both Law and Technology") about making RAM accessible for e-discovery. The decision was based in part on a 1993 decision that is still landmark law regarding copyright infringement. It establishes that RAM "was sufficiently permanent or stable to permit it to be perceived, reproduced, or otherwise communicated for a period of more than transitory duration."

Now, think about that in light of Moore's Law and what has changed in terms of technology in the last 14 years. Add in Metcalfe's Law and Gilder's Law.

As an IT pro, you have to ask yourself how the courts are going to keep up with this blistering speed. Actually, the Federal Rules of Civil Procedure were, until recently, the poster child for how slow the courts moved in dealing with technology. While the FRCP have been around for more than 70 years, they have addressed the impact of technology in discovery only three times: in 1970, 1994 and 2006 (see "Organizations and In-House Counsel Must Prepare to Comply With New E-Discovery Rules").

When I came across the case Williams v. Taser Int'l, Inc., 2007 WL 1630875 (N.D. Ga. June 4, 2007), it reminded me of Whit and Debra's note. Here was a judge who was still trying to get past discovery motions 18 months into the case. After repeated incidents of both parties' inability to work together, she picked up the lawyers for both sides by the scruff of the neck, gave them a good shake, and set the Court's own protocol and ordered the production of e-discovery, including the exact search terms. The Court recognized this decision would put undue burden on both parties: the defendants would be required significantly to increase privilege review, and the plaintiffs would have to wade through more documents. However, after a year and a half, the Judge felt that was better than what was happening, which was nothing.

This actually brings me to something else I learned in law school: Judges hate getting involved in discovery motions. They expect both parties to "work things out" - show up for his or her approval and signature and then get down to business, which is about the merits of the case, not procedural issues. The bench also rarely suggests how lawyers should practice law. For example, when Lexis and Westlaw became available, I am not aware of any judge who told a lawyer "go use the computer-based legal search tool rather than the books in your law library." This action about the judge setting the e-discovery search protocol is very significant.
 
09 July, 2007 05:18 PM EST
REAL ID Act: A Lot of Money to Raise the Security Bar a Little...Maybe
Posted By: Gregg Kreizman, Research Director
Last week, the state of New Hampshire's governor signed a law to reject the REAL ID Act. New Hampshire is one of several states that have enacted legislation against the act. The REAL ID Act is a federal law that was enacted as part of a larger defense spending bill, with little consideration or debate. Under the act, U.S. states must strengthen their identity-proofing processes, link with other states to ensure no duplicate licenses are issued to the same individuals, and follow physical security card and data standards. License holders from states that don't follow the new rules will be barred from boarding commercial aircraft and entering federal facilities. Licenses from these non-REAL ID Act states must be marked as noncompliant.

Like it or not, state driver licenses have become de facto IDs for several government and nongovernment purposes. The idea of making it more difficult for bad guys to get a fake ID is, on the surface, naturally appealing. However, the current act is deficient:

- Much of the rationale for the states' complaints has to do with the act being a federal unfunded mandate. While federal grants are being provided to states, the current funding levels are only a pittance relative to the larger price tag for nationwide implementation. The federal government will need to pony up.

- There is considerable debate regarding the privacy protections for identity data as it is held in various state databases and as it becomes a part of a federated network to prevent fraudulent duplicate issuance. Concerns regarding data theft and misappropriation of data scanned from licenses are valid here, and the act should be extended with greater privacy protections.

The goals of the REAL ID Act cannot be perfectly reached. Identity proofing requirements are imperfect, because people are involved and the processes will likely be circumvented by determined individuals. Ultimately, implementation is a political issue, because it will be nearly impossible to prove the act's efficacy. How will it be shown, for example, that denial of fraudulently obtained licenses has contributed to reduction in terror?

Raising the bar against scofflaws seems like a good thing, but confidence in new IDs will be improved only marginally, and the high implementation price tag can't be borne by the states alone.
 
29 June, 2007 12:53 PM EST
Payment Card Industry Q&A #1: "How Can Stakeholders Influence the Standards Process?"
Posted By: Avivah Litan, VP Distinguished Analyst
Earlier this month, I participated in the 13th annual Gartner IT Security Summit in Washington, D.C. One of the hot topics at the summit was the Payment Card Industry (PCI) initiative. The card companies, and their banks and processors, are clearly stepping up their enforcement efforts, and Gartner's clients have a lot of questions about how they should respond.

One of the most important was about how stakeholders can - and should - influence the PCI standards-setting process. Both technology providers and the enterprises that use their products and services would like to have influence on PCI standards, but they're understandably skeptical about whether the input processes that are now in place (the PCI Security Standards Council's Participating Organizations structure, and its new Advisory Board) will provide that opportunity. It's too early to say for certain whether this input structure will be effective, but my cynical inclination is to think it will be only marginally useful in conveying standards concerns to the card brands that enforce them. Is membership in the Participating Organizations group worth the $2,000 fee? That's for you to decide. Personally, I think the Security Standards Council could have come up with better criteria for membership than a $2K annual membership fee.
 
28 June, 2007 04:10 PM EST
The Time Is Right for Role Management for Enterprises
Posted By: Roberta Witty, Research VP
I've been covering the role management for enterprises (RME) market for a few years now and have seen a huge shift in organizational willingness to implement a role-based access control (RBAC) solution. Over the last 12 months, many user provisioning (UP) projects have started with defining a role framework, rather than automating the manual security administration processes first. Starting with roles can delay the actual technical implementation of the UP product, but it's well worth it, even if just starting with high-level roles such as employee, manager, retiree, alumnus, consultant, etc. Many early efforts to create an RBAC solution went down in flames (one or more roles per user didn't cut it in most organizations); however, during the past 24 months, we've seen a refinement in the process of creating and managing roles - what we call "role life cycle management" - such that a repeatable methodology is now emerging in the industry.
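The role framework described above, and the provisioning, de-provisioning and audit functions discussed in the user provisioning Magic Quadrant post earlier on this page, can be made concrete with a small model. The following is an added example written for this page; it is not Gartner's code nor that of any vendor in the Magic Quadrant. All role names, entitlement strings, user names and the `RoleModel` class are constructed for illustration. It starts with the high-level roles the post suggests (employee, manager, consultant), reconciles what a user should hold against what is live on target systems, treats a leaver as "remove all roles, then reconcile", and flags grants that no role justifies, which is the condition an ill-defined role framework tends to produce.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class RoleModel:
    """Toy role-based provisioning model (constructed example, not a product)."""
    roles: Dict[str, Set[str]] = field(default_factory=dict)        # role -> entitlements
    assignments: Dict[str, Set[str]] = field(default_factory=dict)  # user -> roles
    granted: Dict[str, Set[str]] = field(default_factory=dict)      # user -> live grants on targets
    audit: List[Tuple[str, str, str]] = field(default_factory=list)  # (action, subject, detail)

    def define_role(self, role: str, entitlements: Set[str]) -> None:
        self.roles[role] = set(entitlements)
        self.audit.append(("define_role", role, ",".join(sorted(entitlements))))

    def assign(self, user: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(f"undefined role: {role}")
        self.assignments.setdefault(user, set()).add(role)
        self.audit.append(("assign", user, role))

    def revoke(self, user: str, role: str) -> None:
        self.assignments.get(user, set()).discard(role)
        self.audit.append(("revoke", user, role))

    def effective(self, user: str) -> Set[str]:
        """Entitlements the role model says the user should hold right now."""
        return set().union(*(self.roles[r] for r in self.assignments.get(user, set())))

    def reconcile(self, user: str) -> Tuple[Set[str], Set[str]]:
        """Bring live grants in line with the role model; returns (granted, revoked)."""
        want = self.effective(user)
        have = self.granted.setdefault(user, set())
        to_grant, to_revoke = want - have, have - want
        have |= to_grant          # provisioning
        have -= to_revoke         # de-provisioning
        for e in sorted(to_grant):
            self.audit.append(("grant", user, e))
        for e in sorted(to_revoke):
            self.audit.append(("deprovision", user, e))
        return to_grant, to_revoke

    def direct_grant(self, user: str, entitlement: str) -> None:
        """An out-of-band grant made on a target system, bypassing the role model."""
        self.granted.setdefault(user, set()).add(entitlement)
        self.audit.append(("direct_grant", user, entitlement))

    def out_of_role(self) -> Dict[str, Set[str]]:
        """Live grants that no assigned role justifies: what an access review should flag."""
        return {u: g - self.effective(u)
                for u, g in self.granted.items() if g - self.effective(u)}

    def deprovision(self, user: str) -> Set[str]:
        """Leaver: strip every role, then reconcile so that all grants are revoked."""
        for r in list(self.assignments.get(user, set())):
            self.revoke(user, r)
        _, revoked = self.reconcile(user)
        return revoked


def demo() -> RoleModel:
    """Walk through the role life cycle on constructed data."""
    m = RoleModel()
    # High-level roles of the kind the post suggests starting with (constructed).
    m.define_role("employee", {"email:mailbox", "hr:self-service", "vpn:access"})
    m.define_role("manager", {"hr:approve-leave", "finance:view-budget"})
    m.define_role("consultant", {"vpn:access", "project:wiki-read"})
    m.assign("alice", "employee")
    m.assign("alice", "manager")
    m.assign("bob", "consultant")
    m.reconcile("alice")
    m.reconcile("bob")
    # Role change: alice leaves management; reconcile removes only the manager rights.
    m.revoke("alice", "manager")
    m.reconcile("alice")
    # Someone grants bob a right directly on a target system, outside the role model.
    m.direct_grant("bob", "finance:view-budget")
    return m


if __name__ == "__main__":
    model = demo()
    print("out-of-role grants:", model.out_of_role())
    print("revoked on leaving:", model.deprovision("bob"))
    for entry in model.audit:
        print(entry)
```

The design choice worth noting is that `reconcile` is the only path that changes live grants from the model's point of view, so a leaver is handled by removing roles rather than by hand-deleting accounts; the direct grant to bob is still caught at review time by `out_of_role`, and is swept up on de-provisioning because reconciliation compares against the (now empty) role set rather than against what was originally provisioned.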

Gartner has been asked recently by its customers to start a blog on role life cycle management. Here's the first entry! It is now your turn to provide your experiences - lessons, best practices, success factors, etc. to learn from and educate your fellow IAMers. I look forward to the continuing dialogue.

 
