Security Solutions Archives

November 24, 2006

Inside the Jericho Forum

Today I attended an all-day Jericho Forum Members’ meeting hosted by Eli Lilly at their Bagshot campus. It was a good session. We had some excellent and lively debates, with interesting contributions ranging from abstract academic posturing to eminently practical suggestions. As usual we agreed on many points and disagreed on others. This is the thing I like most about Jericho discussions. Everybody listens hard but they also give as good as they get. I’m a great believer that strong argument is the best vehicle for developing quality policies and standards. We could do with a lot more of it. There’s far too much consensus thinking in the security and risk communities.

You are probably asking yourself what is this Jericho Forum? What is it achieving? These are good questions that we constantly ask ourselves to make sure that Jericho continues to add real business value. The starting point in understanding what it’s all about is to dismiss the popular assumption that when the Jericho Forum talks about de-perimeterisation it is advocating the removal of firewalls from company networks. Far from it. We like to see defence-in-depth security measures. The real goal is to solve the business problems created by the fact that our perimeter security has already been shot to pieces.

The fundamental objectives of the Jericho Forum have been to highlight this problem, identify and articulate the business requirements, and then engage with vendors to develop the standards and products we need to build practical and long-term security solutions. This is no mean task and I believe that Jericho has been spectacularly successful in publicising and popularising the issue, uniting many influential CISOs behind a common goal and developing a body of knowledge to support the development of new standards and products.

Key deliverables this year have been the publication of the Jericho Forum Commandments and the drafting of more than twenty position papers examining specific aspects of the problem and solution space. But the real challenge for the future is to hand over the lead to the vendor community as we move the focus from business requirements to technology solutions. This will be a particularly difficult phase because user organisations love to collaborate and exchange their security practices but vendors have to compete and safeguard their intellectual property. That’s why I believe that the next year will be the making or breaking of the Jericho Forum as a long term vehicle for thought leadership. Let's hope - for all our sakes - that we can achieve the same success going forward.

November 26, 2006

The Torchwood Option

Looking ahead at tonight’s television schedules set me thinking about Torchwood and how we could exploit this concept. I don’t mean the alien stuff but rather the idea of establishing a free-thinking institute to address the extraordinary security problems that we are likely to face in the future. After all we face some big challenges and there’s nowhere near as much research going on as there used to be. It’s largely dried up in most large organisations, and what’s left tends to be focused largely on short-term product development. Most of our military research has turned into a commercial services company and our universities seem more interested in setting up start-up technology companies with fast exit strategies. MIT Media Lab is a fun research concept but it lacks real business focus, relying primarily on serendipity, the outside chance that a passing business visitor might charm a researcher into tackling something from the real world. Most other stuff going on is “themed”, i.e. anything can be done provided it relates to a fashionable subject area. (“Human factors” is this season’s security theme.) Personally, I’ve always found that research is most productive when focused on real business problems, but with the freedom to explore any avenue that might bear fruit. I recall that my best security researcher in Royal Mail Group used to have a sign on his desk saying “If I knew what I was looking for it wouldn’t be research.” But he did solve our problems.

November 27, 2006

Managing Personal Identity Information

I just couldn’t resist signing up for a free trial of a new identity management service from a UK start-up company called garlik (sic). This fascinating new product promises to find, track and monitor all my personal electronic information. Now that would be very useful. The company management team is also interesting. Headed up by Mike Harris and Tom Ilube from Egg and with a couple of BCS Presidents on the Board and financial backing from heavyweight VCs such as 3i and Doughty Hanson, it should be fairly respectable. At the very least I can assure you that it’s definitely not a scam to grab your personal information. And having met Tom Ilube when chairing an expert panel session at a recent Financial Services IT Summit I expect that there’ll be some smart thinking and clever software behind it. The garlik Web site even provides security advice on how to protect your information, though it’s a little prosaic, with warnings such as “do not use the same passwords for everything” and “try to use combinations of letters and numbers that do not form words”. Great in theory but just how do you remember all those different, non-memorable passwords? I’ll keep you posted on how I get on.

November 30, 2006

Microsoft Vista - a welcome arrival

It’s always easy and fashionable to knock big vendors, especially when there are vested interests at stake. So it’s not surprising to see one or two negative press comments on the release of Microsoft’s new operating system. But it’s hard for anyone to deny that Vista is a most welcome arrival because it does represent the launch of a new era for enterprise and desktop security in many organisations.

Like everybody else, I’ve always been concerned about the large number of security flaws in previous releases and the need to install additional point solutions to achieve a decent level of enterprise security. These problems are not confined to Microsoft. Very little shrink-wrapped software is designed with good security in mind. There are simply not enough security-trained programmers out there. And there are very few systems development life-cycle methodologies that contain sufficient security checks, such as the need for a security risk assessment, for security architecture, for secure coding standards and for scans of source code for security flaws. Microsoft has addressed these points, whilst others have not. But you can’t change everything overnight. It will take many years to correct the imperfect practices of the last two decades.

And the stakes are high. The consequences of not addressing the insecurities in our operating systems are enormous. The security of Microsoft products is fundamental to safeguard our critical national infrastructure and business services, and to help check the current escalation in organised criminal activity. So it’s reassuring to see Microsoft responding to these problems with a serious change programme, rather than a few cosmetic security features. Ed Gibson, Microsoft’s Chief Security Advisor and former FBI agent assures me that Microsoft is fully committed to building a safer computing environment. And I know Ed would not put his reputation on the line if this were not true.

Vista offers much greater potential for organizations to achieve industrial strength desktop security. It introduces major new features such as full disk encryption, better user account control, better network access protection and the potential for easier incorporation of strong authentication devices. The software itself has been designed using a superior security development lifecycle. So hopefully we may see fewer security vulnerabilities in the future. Of course the jury will still be out on the effectiveness of some built-in features, such as the anti-malware system. Only time will tell if this will be as effective as alternative options. But Vista represents a firm step in the right direction, so we should all celebrate its arrival.

December 4, 2006

Which Works Best? Point Solutions or Integrated Security?

My last posting stimulated some interesting discussions about the merits of strategic IT platforms with integrated security features versus “best of breed” security “point solutions”. Which is best? The simple answer is that we would all love to see the former but in many cases are forced to run with the latter. Unfortunately it sends a mixed message to vendors. They see what sells and spot that it doesn’t correspond to what customers say they really want. There’s even a danger they might stop listening to their customers. I recall a colleague of mine at Shell once saying to a group of vendors at an Open Group meeting: “Just because you can’t build it, doesn’t mean we don’t want it”. A decade later people still remember that statement. But vendors don’t want to hear this. They want something they can easily build now that will guarantee sales. So they paid no attention to his requirements, though it might have given them a longer-term edge.

In the past, vendors could safely ignore this contradiction in the marketplace. Because security didn’t sell IT platforms. And any security procurements were generally based on implementing or replacing individual products, such as a file encryption system, a remote authentication system, an enterprise firewall or an anti-virus solution. But the market has changed. Customers today have more sophisticated, all-encompassing requirements. They are building security architectures. They are thinking "services" rather than "components". And IT vendors can now offer better security features in their products, though many still fail to hit the spot.

So what is a point-solution vendor to do? The simple answer is to ensure that their product or service can be integrated into a broader business solution. At the very least, proprietary protocols and interfaces should be avoided at all costs. But what exactly is a “broader business solution”? This is a good question because I believe there are two quite distinct answers. The first option is to be able to integrate with other security products in the same IT services space. Be part of an integrated network services solution for example. The second is to be part of a complete end-to-end security or risk process, such as vulnerability management, delivering a complete solution across business, security and IT functions.

Which approach works best? The jury is still out. Analysts would probably recommend the former, but I will always prefer the latter. Because I believe that security is a process that needs to be integrated and managed consistently across the enterprise. And I’ve been highly impressed in recent months working with security vendors such as nCircle who have been progressively extending the capabilities of their discovery tools to interface with the business risk profiling requirements of their customers. But whatever direction a vendor chooses, the important point is to listen very closely to the needs and wants of their customers. And if you can't build what they want now, then keep them in mind until you can.

December 15, 2006

Digital Rights Management – Must Try Harder

So Bill Gates has also discovered that Digital Rights Management “is not where it should be” according to reports from a group of influential bloggers he invited to Redmond. “We don't have the right thing here in terms of simplicity or interoperability” he is quoted as saying. And what should people do who want to transfer songs across systems? “Buy a CD and rip it.”

So much for progress. The whole future of IT Security hinges on our ability to safeguard data at rest and in flight across multiple applications and infrastructures. This does not need rocket science. Just sensible application of well-established security technologies.

But expectations need to be kept in check. After all we still haven’t got fit-for-purpose access control systems. ACLs don’t cut it. And Role-Based Access models are not rich enough to meet the real-world requirements of a normal organization. Nor are they agile enough to keep up with the wholesale restructuring that’s part and parcel of normal modern business life.

Researchers and vendors need to do a lot more to develop more imaginative frameworks and management tools to sort out Identity and Access Control and to get DRM working. That’s why I’m backing the Jericho Forum.

December 17, 2006

The Strengths and Weaknesses of Data Mining

Bruce Schneier’s blog drew my attention to a recent report on the limits of predictive data mining for counterterrorism, published by the Cato Institute, a libertarian public policy research organization. We’ve already seen a fair amount of debate about the dangers of large-scale data mining for the identification of potential terrorists. And it’s been pretty damning. But this report provides a good, professional summary of some of the major issues.

Now I’m a great supporter of data mining, data fusion and information visualization to help solve business and security problems. In fact I believe they’re the most under-utilised management tool in the security armoury. But there are dangers in applying such techniques across large databases of information without strong human guidance and a very clear set of rules, patterns and filters to separate the wheat from the chaff. And that’s the problem. We simply don’t have enough of a basis to filter out the mass of false positives that will emerge.

Smart use of neural networks, especially Kohonen mapping, can be tremendously useful when applied on a smaller scale to identify anomalous behaviour. And the right combination of imaginative human and computer skills can work small wonders on large sets of data. We even built a partially-successful model of the human immune system to detect fraud in Post Office transactions. But you simply can’t expect computers to find needles in haystacks without an awful lot of reliable clues.

December 22, 2006

ID Cards and the Perils of Identity Management

So the Home Office has decided to scale back its controversial plans for the National ID Card Programme. Instead of a single, clean database generated from scratch, it will now build on three existing databases. This might be cheaper and present a much lower risk, but it represents a major step back for Identity Management across Government.

The critics and pundits will no doubt be pleased with themselves. They said it was too expensive, too risky and a threat to civil liberties. But most of the media debate missed the point. From an Identity Management perspective, a single, clean, meta authentication directory makes sense, provided the business case stands up. And there are Gateway reviews to examine this.

I must admit to some involvement with this Programme, having chaired the Private Sector User Group that helped to identify the business benefits for the ID Card. The business representatives involved were positive, though few would have been allowed by their PR departments to voice their support in public. I’ve also had the opportunity to discuss some of the societal issues with members of the public through the Royal Society Science in Society Programme. They were in favour provided the costs were not excessive.

Implementing an identity management programme in any organisation is a hard task. You know instinctively it’s the right move strategically. And you can identify dozens, perhaps hundreds, of solid business benefits. But up-front infrastructure investments that deliver longer-term savings shared across an organisation are never popular with business managers and investment appraisal functions.

In the case of ID Cards, the facts are also clouded by political spin, both for and against. And it’s an easy target for critics, who can simply play the FUD factor. Just point out that big Government IT projects never work, that the costs always overrun and that it will create a Big Brother State. Game over.

January 4, 2007

Vista Content Protection – Can we have the facts please?

Several of my colleagues have pointed me to a highly-publicised paper entitled “A Cost Analysis of Windows Vista Content Protection” by Peter Gutmann, a researcher at Auckland University. Now anything from this academic outpost always captures my attention because I’ve always found their security researchers to be pretty smart. Rather appropriately, Peter describes himself as a “professional paranoid”. He’s certainly been spreading an awful lot of it about with this paper.

In essence, the paper slams Microsoft’s decision to incorporate content protection in Vista. It pulls no punches, pointing out the downside of incorporating such protection (on performance and security) and even suggesting that “The Vista Content Protection specification could very well constitute the longest suicide note in history”. I recommend you read the paper. But bear in mind that it is peppered with comments such as “details are sketchy” and “it’s possible there may be inaccuracies present”. Also check out an interesting critical response from a DRM blogger called Paul Smith, as well as the critical comments on his own posting.

Clearly this debate will run for some time, as most commentary so far contains elements of spin, fear, doubt and uncertainty. That's unfortunate because there are some potential security implications that need to be surfaced. But politics, technology bias and a general lack of solid information continue to cloud the real issues, which are all about the difficulties of implementing DRM and the desire of Hollywood to enforce it on platform suppliers.

January 6, 2007

Lookalikes

Looking at a couple of web sites from security vendors, I noticed a curious resemblance in the photographs. Chronicle Solutions, a UK vendor of digital communications monitoring solutions, and High Tower, a US vendor of security event management solutions, may be separated by several thousand miles and an ocean, but they clearly share the same computer room.

January 9, 2007

Who Needs Firewalls?

Reading a recent Techtarget email summary of security content from 2006 pointed me to an excellent paper "Security without firewalls: Sensible or silly?" about the San Diego Supercomputer Center's “no firewall” approach. It’s a very interesting case study for any security architect. And their track record on security is pretty good, with just one major incident in six years. I also know one other high-profile, but relatively incident-free organisation that manages to cope without perimeter firewalls. So does this mean that firewalls are superfluous? Far from it. Because they’re an extremely useful countermeasure. And one that can - and should be - applied at different levels in an enterprise infrastructure.

The key to achieving the optimal security posture often lies in breaking away from traditional models. Before the age of firewalls, we used hand-crafted approaches to network security architecture. They generated many clunky solutions. But they also inspired many interesting and varied solutions that had to navigate the difficult journey from local connections to open enterprise networks. In the early nineties at Shell, for example, we developed an iterative methodology for enterprise architectures, based on combining the access requirements and controls at the business, application, computer and network levels. The trick was to work top-down and outside-in, progressively defining the policies and controls before translating it into technology.

Unfortunately such methodologies were overtaken by security products. Today we usually start with the corporate firewall and then add point solutions to compensate for deficiencies. Or we look for a federated identity management system that can solve all of our problems. But simple solutions can't solve rich problems. That requires holistic methodologies. We can aim to harden our applications. But we can't completely abandon our corporate firewalls given the intrinsic insecurity of many of our legacy systems. We don't need fewer firewalls, just more imaginative and innovative security architectures.

January 21, 2007

Designer Firewalls

For some months I’ve been beta testing an entirely new form of firewall. In fact it’s much more than that with 13 layers of security protection contained within a smart, pocket-size USB device that plugs into your laptop.

The Yoggie Gatekeeper does everything you’d expect a modern security appliance to do, including intrusion detection/prevention, anti-virus, anti-spam, anti-spyware, anti-phishing and policy enforcement. It even intercepts and protects your wireless communications.

And it looks good too. Who said firewalls had to be boring?

February 2, 2007

From Forensics to e-Discovery

A few months ago I commented on Guidance Software, a company with a near monopoly on the PC forensics market with their EnCase product. That was following their recent settlement with the FTC. And since December, when they floated on the Nasdaq I’ve been keeping an eye on their share price (currently up 26% on the issue price) as it’s not often we see an IPO for a security technology company. So I was interested yesterday to run into Brian Karney their product development director, who's in London to promote their products. In particular I was keen to hear their take on what’s new in the forensics world.

And things certainly have moved on in computer forensics. Today you can interrogate PCs across a network, so there’s no need to seize end users’ PCs and cart them away for examination. But more interestingly, you can also use this capability for e-Discovery, searching across remote PCs for traces of documents needed for litigation cases. Now if you were designing an information archiving capability to support e-Discovery, you probably wouldn’t think to use such a specialised technology. But if, like many organisations, you suddenly find yourself in a situation where you have to search across numerous remote PCs, then this technology would be very handy. Which just goes to show how versatile some security technologies can be.

February 11, 2007

Microsoft joins the Deperimeterisation Bandwagon

I couldn’t make last week’s RSA Conference in San Francisco because of other commitments, but I was interested to read the transcript of the keynote session given by Bill Gates and Craig Mundie. In particular the comments about moving away from physical security perimeters took me back fifteen years to my days at Shell when we first addressed the problem of how to manage connectivity and access control across shared networks. In those days IPsec looked a promising solution but that was before VOIP had entered the equation and before we experienced the pitfalls associated with making IPsec work across organisational boundaries. I tend to agree with Paul Simmonds’ reported comments on the Microsoft keynote address. IPsec is not the solution. We need security at higher levels (in OSI model terms). The Jericho Forum has been studying these problems for several years. Microsoft should learn from their not inconsiderable experience.

And by the way, if you do rely on IPsec for your security, do check out the learning points from Royal Holloway University’s research on how to break badly configured implementations.

February 24, 2007

Applying the Fourth Dimension to Security

For the last few weeks I've been reviewing a business process model for a client. It's an interesting task for me as I've always been fascinated by models and how best to structure them. Being a bit of a perfectionist and a keen futurist, my immediate reaction is always to see if I can find a model that is completely agile. It's a do-able challenge.

Of course I do have the advantage of having worked alongside leading data management luminaries such as Matthew West of Shell. So my first reaction was to catch up with the latest learning from Shell. And there is some impressive work going on there, especially in applying 4-Dimensional concepts to high-quality business data architectures.

"Pretentious!" some of you might say. But that washes off me. I'm used to hearing this from old-fashioned security managers. Particularly the ones that hope we could reduce the entire subject area to a handful of simple common-sense principles. That will never be true. Security is a subject of growing complexity. And we have to step up to the challenge.

And there are some major learning points for Identity Management architectures in applying the 4D paradigm. Because we continue to build major problems into our identity management processes through a failure to take sufficient account of how entities change over time. Think about it. And try to spot how many deep-seated flaws you have embedded into your own access management systems. User roles and circumstances are in constant flux. We need to cater much more for this.

And when you grasp this concept you will also understand that we have some way to go to crack the so-called "laws of identity". We need to learn more from emerging science in related fields. That's the only way we will understand just how to design fully agile, fit-for-purpose identity management systems.

March 2, 2007

Secure Software Development - Let's make it happen

Clairvoyance is a skill I'd be reluctant to claim, so perhaps there really are morphic fields out there that shape our common thinking. Either way, it seems that at the same time that I was posting my recent blog entry on software development standards, John Harrison was inviting me to join his Cyber Security KTN special interest group on Secure Software Development. For those of you interested in this area there is a first meeting of this important group in London next Tuesday.

It's a promising development looking to solve a serious problem. When was the last time you encountered a set of software development standards that required practitioners to evaluate risks, consider regulatory compliance, develop security architecture, implement secure coding standards and apply static and dynamic security testing? The answer is almost certainly never.

So what do we have to do to make it work? Not a lot. Just join forces and agree a new set of standards. And there is plenty of good stuff already out there. We just have to bring it together in a palatable form and demand that our software suppliers adopt it.

March 14, 2007

Laptop Encryption Becoming Standard Issue

Seagate Technology is now shipping hard disk drives with built-in encryption in the latest ASI laptop computers. This technology has been around for some time but it's a step forward to see it bundled with security management software on a new laptop. No doubt other manufacturers will follow suit. Because full-disk encryption is now becoming a mandatory requirement for all laptops.

April 5, 2007

Whither Digital Rights Management?

The most interesting and significant story this week has been EMI's announcement that it is launching DRM-free superior quality downloads across its digital repertoire. Not surprisingly Apple's iTunes Store will be the first online music store to sell the new downloads. Ironically, such an open approach might help them to reinforce a proprietary standard.

Many observers have interpreted this announcement as the beginning of the end for Digital Rights Management. That may well be the case for the entertainment industry. The technical design concept is fundamentally flawed. Any system that involves content being decoded in a hostile environment is vulnerable to interception and copying unless you can install tamper-proof hardware at every location. That's wishful thinking. On top of that, customers don't like the inevitable restrictions on fair use of the content. As a consequence the business model has failed to deliver. No amount of lobbying or marketing will compensate for these flaws.

But don't write off the usefulness of DRM technologies. Some of the early developers of DRM products found a more fruitful market in the protection of sensitive Boardroom documents - an application that's both compelling and easy to implement. And of course the longer term future of all information security relies on safeguarding data between trusted environments across insecure channels. That's an objective that DRM technology can help deliver.

April 13, 2007

Security Architecture - How to do it Properly

My last posting, on the distractions associated with building an enterprise security architecture, may have strayed a little too far towards the cynical side of modern business life. Some people took it to mean, in the words of Private Fraser of Dad's Army, that "we're all doomed". I have to correct this misconception. Because good, useful security architectures can be developed if sensible principles are followed. So I thought I'd set out a few tips of the trade. I invite others to chip in. We could all use some practical guidance. They don't teach this stuff in schools and universities. You have to discover it by trial and error or at the feet of an experienced practitioner. Here are my recommended principles.

April 23, 2007

What To Look Out For At Infosecurity Europe

Many of you, like me, will be attending Infosecurity Europe in London this week to see what's new in the IT Security field. With hundreds of stands and dozens of presentations it's a major challenge to work out how to optimize the opportunities on offer. At the last count there were more than seven hundred security technologies out there. Some of them must be good. But where do you start? For what it's worth, here's my view on what to look out for.

Firstly, for those lucky enough to get a ticket to the Jericho Forum Conference, listen out for tips on how to develop a security architecture for a de-perimeterised world. It's not as straightforward as you might think, and the full technology to implement such a vision is not yet available, but it's certainly coming. In particular, think about how it affects your choice of protocols, where to place your security controls in the network protocol stack, and how to operate identity management across a more open network environment. When it comes to access control and authentication, don't think "employees", think "colleagues", including contractors, partners and customers.

April 27, 2007

Standalone Security Solutions Dominate Infosecurity Europe

I've commented in previous postings that those predictions by big vendors of the death of standalone security solutions are no more than wishful thinking. My view was reinforced at Infosecurity Europe this week. A quick glance around the exhibition hall confirmed that standalone products are thriving. More stands than ever. Yet some big names (such as Computer Associates) were absent. The prime sites are already booked up for next year. And they're not cheap.

What else caught my eye at Infosecurity? Well the first thing that hit me was the strong focus on technology, both in terms of stands and visitors. Softer issues such as risk management and human factors may dominate the CISO agenda, but there's also a growing interest in technical issues and security products. Perhaps this reflects the current trend to embed security activities and budgets in IT operations.

Security consultancies are thriving, but many of the big names were absent. Niche vendors of soft services such as Martin Smith's The Security Company are experiencing high growth but they win business by word of mouth rather than passing trade. Having a stand at Infosecurity however conveys an image to the broader security community. It's more about brand-building than sales leads.

Was there anything new on display at Infosecurity? Not much. Largely more of the same solutions. New products such as those from Secerno, Chronicle Solutions and Yoggie have deservedly collected recent awards for innovation. But they seem to be the exceptions. There are few new ideas. Just better versions of older products. That's a shame because we could all use some fresh, imaginative and inspirational solutions. Perhaps DTI's Technology Programme (which for the first time is addressing human vulnerabilities in network security) will help develop some new approaches to current business problems.

The Jericho Forum Conference was well attended by the Great and the Good, but there was little new on offer, largely a consolidation of the knowledge and learning points developed over the past few years. One interesting development was the emergence of quantum-immune cryptography in the problem space.

And the best stand? Well that was definitely the Portcullis Arms, which always attracts the cream of the Information Security Community through personal invitation. So my special thanks go to Mark Lane and his excellent Portcullis team for a first class show of hospitality, company and conversation.

May 5, 2007

Whither De-perimeterisation?

Just published on the Jericho Forum site are the presentations from last week's conference in London. They include the results of an interesting survey of attendees (carried out with the help of Qualys) which has already attracted some media attention.

It seems like an opportune time to reflect on the progress of the Jericho Forum. To assess just where we are on the road towards true de-perimeterised working. Is it achievable now? Or is it all just a pipe dream? The short answer is that it can't be the latter. We have to make it work. Otherwise we'll be sleepwalking towards a future crisis. Corporate perimeters are already leaking confidential data and letting in malware. The situation will progressively get worse. It's not good enough to shore up traditional defences. We need to be proactive and implement new solutions.

Examining the poll of around 100 top security practitioners is illuminating. Around 70% believed that insiders represent the greatest risk, with employees at the top of the list. Traditional "hard shell" security doesn't address this risk. A majority of those polled also believe that their network already has a porous perimeter. But in five years time, they expect things to be different. By then, network perimeters will mainly exist for quality of service purposes. Most organizations are not yet where they want to be. They are still growing in maturity. And the main obstacles to progress are lack of budget, time and personnel.

From all of this one can conclude that de-perimeterisation remains a future goal rather than an achievable state. So what exactly do we need - other than time, budget and staff - to make it work? In my view the key enablers are strategy and architecture. To achieve true de-perimeterised working requires state-of-the-art components assembled in a beyond-the-state-of-the-art architecture. We need new ambitious infrastructure such as a modern federated identity management system that can work efficiently across an open network environment. Implementing such infrastructure is not a trivial task. It involves a complete rethink of authentication, provisioning and management processes. It demands an architecture and network topology that can deploy encryption, authentication and policy enforcement controls in the most effective positions. But most of all it requires a big vision, an up-front investment in technology and a realistic migration plan.

June 3, 2007

If You Can't Stop It, Try Monitoring It

I've been reading with great interest the media reaction to the discovery that DRM-free iTunes downloads actually store hidden personal data, including email addresses, about the people who purchased them. As I've said before, DRM is an interesting and useful security technology but it's inherently flawed as a means of protecting intellectual property from piracy. But if you can't stop users making illegal copies of downloads, then the next best thing is to ensure that you can at least monitor your customers' activities.

Interestingly enough, this is a sound security principle, which is rarely exploited to best effect in practice. Monitoring is an excellent compensating control for situations where preventative controls are not feasible, either for technical, financial or commercial reasons. Sometimes it's a better strategy. Back in the Eighties I always believed that the mandatory access control model set out in the Orange Book was the wrong approach for the Cold War. Because in those days it was much more useful to detect potential spies through intelligent monitoring rather than to prevent them from attempting attacks. But monitoring is rarely at the forefront of people's minds when implementing security. Most security managers prefer to play it safe by aiming to eliminate, rather than control, unauthorised activity.

But the World is changing. In a highly-connected Web 2.0 business environment, it's far from easy to shoe-horn users into neat categories of access entitlement. In many organizations, more than half of IT users are not employees. It's getting harder to differentiate legitimate users from the rest of the Internet world. And in such circumstances, blocking user access on the basis of simple models can be more damaging to business than letting it go ahead under a watchful eye. That is unless of course you're the type of security person - and there are many of them about - who would prefer to shoot first and ask questions later.

June 6, 2007

Designer Security Strikes Again

It's not often we encounter innovation in security technology, so I always take my hat off to new concepts in security design or functionality. I wrote some months ago about the innovative Yoggie Gatekeeper, a pocket-size hardware security device with 13 layers of security protection, including firewall, intrusion detection/prevention, anti-virus, anti-spam, anti-spyware, anti-phishing and policy enforcement. My immediate reaction was: "It's the Blackberry of Security". And I thought the design would be hard to beat.

That was before I took delivery of the Yoggie Pico, the latest model. It's even smaller and sleeker, about the size of a cigar lighter and a very desirable device. The style is reminiscent of Prada or Apple. Strong security in a neat, easy-to-install device. Full marks to Yoggie for raising the bar on security design. I now look at firewalls with new eyes.

June 9, 2007

Is Anti-Virus Technology Dying?

I was interested to spot an item on The Register site about the "slow death" of anti-virus technology. This article, written by Robin Bloor, a US analyst (who appears to be running a one-man "anti-virus is dead" campaign), makes some valid points. Essentially it claims that AV technology is gradually dying and being replaced by far more effective "whitelisting" technology. Such technology works by authenticating the applications and executables that users can run. It's a sound approach. So he has a good point.

Now I'm a great supporter of whitelisting. If you can implement such an approach across your estate, then you will have achieved the most elegant and effective solution. And one that's more in tune with the de-perimeterisation strategy that we've been promoting through the Jericho Forum. Black lists are inelegant, incomplete and can present scaling problems. But one has to admit that they've served us remarkably well for the past two decades. Whitelisting is the smart approach for the long-term. However, we haven't yet experienced all of the practical management issues associated with this technology. Whitelists can also be incomplete and present one or two performance problems. The jury is still out for the time being.
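The contrast between the two approaches is easiest to see side by side. The following is an added example, not code from the original post or from any product it mentions: a hash-based application allowlist next to an AV-style hash blocklist, run over constructed byte strings that stand in for executables. It shows the point made above from both sides, that a repacked copy of known malware slips past a blocklist, while an allowlist denies it by default, but that the same default-deny also blocks any legitimate binary you have not yet catalogued, which is the management cost the post alludes to.

```python
"""Added example: application allowlisting versus signature blocklisting.

The 'binaries' are constructed byte strings, not real files; in practice the
hashes would be taken from the executables on disk at load time."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample "binaries" (the bytes stand in for file contents).
SAMPLES = {
    "notepad.exe": b"MZ\x90\x00notepad-good-build",
    "payroll.exe": b"MZ\x90\x00payroll-v2",
    "newtool.exe": b"MZ\x90\x00legitimate-but-not-yet-approved",
    "dropper.exe": b"MZ\x90\x00evil-dropper",
    "dropper2.exe": b"MZ\x90\x00evil-dropper-repacked",  # same malware, new packer
}

# Blocklist: exact hashes of samples already known to be bad (AV-style).
BLOCKLIST = {sha256_hex(SAMPLES["dropper.exe"])}

# Allowlist: exact hashes of the binaries approved to run on this estate.
ALLOWLIST = {
    sha256_hex(SAMPLES["notepad.exe"]),
    sha256_hex(SAMPLES["payroll.exe"]),
}


def blocklist_decision(data: bytes) -> str:
    """Default-allow: only a previously seen bad hash is denied."""
    return "deny" if sha256_hex(data) in BLOCKLIST else "allow"


def allowlist_decision(data: bytes) -> str:
    """Default-deny: anything not approved is blocked.

    Unknown binaries are tagged separately from the decision so operators can
    triage whether the allowlist itself is incomplete."""
    return "allow" if sha256_hex(data) in ALLOWLIST else "deny-unknown"


def compare(samples: dict) -> dict:
    """Return {name: (blocklist_decision, allowlist_decision)} for each sample."""
    return {
        name: (blocklist_decision(data), allowlist_decision(data))
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, (bl, al) in compare(SAMPLES).items():
        print(f"{name:13} blocklist={bl:6} allowlist={al}")
```

Running it, `dropper2.exe` is allowed by the blocklist (its hash was never catalogued) and denied by the allowlist, while `newtool.exe`, a legitimate binary nobody has approved yet, is also denied by the allowlist. The second outcome is the operational side of the argument: every new release, patch or tool has to be catalogued before users can run it.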

And technologies can also bounce back. Many said that Cinema would kill the Theatre, that TV would kill Cinema, that Video would kill TV, etc. They all survived. Blacklisting is too useful a control to discard. It's used in other fields of security, for example to screen new recruits to large organisations. So don't write off AV technology just yet.

June 13, 2007

Human Factors are This Year's Security Focus

You probably won't read much in the computer press about yesterday's Cyber-Security KTN Conference, as most of the security press were attending the BT Security Journalist of the Year Awards Lunch. But I can confirm it was an excellent event and well attended by many leading experts from Government, Academia and Industry. The agenda was dominated by Human Factors, yet again confirming that this is one of this year's hot subjects. And it's not only the user perspective that's important, but also the need for better design of systems to minimise their exposure to social engineering attacks.

I've long supported the need for more attention to this area. In my days at Shell we brought in behavioural psychologists to help develop our security education campaigns. That was money well spent, as it transformed the effectiveness of our efforts. In my view, it's important to get professional advice before designing such campaigns. That's why many educational initiatives still fail to hit the spot, though I have to admit that the quality of ideas, material and advice available today is much improved.

The DTI also announced awards to four consortia for human factors research. I'm delighted to say that I'm involved in one of them, working with Chronicle Solutions and the University of Plymouth. We're researching the analysis of human behaviour from network communications. It's a tough subject so I'd be grateful to hear from anyone with any relevant experience or ideas that they're prepared to share with the project team.

It's good to see human factors getting the attention they deserve, but I wouldn't go as far as Dr Richard Ford, from the Center for Security Science at Florida Institute of Technology, who stated at yesterday's conference that "technology holds some answers, people hold the rest". For me it should be the other way around. Because we need more investment in technology to compensate for the limitations and failings of humans.

July 1, 2007

Traffic Analysis Reveals Interesting Internet Activity

An interesting article in The Register caught my eye today. The story comes from Sunnet Beskeming, an Australian security consultancy with an unusual Dutch-derived name. They point to some interesting activity (or lack of it) on the Internet. Their researchers have noted an unexplained deviation in Global network traffic in the last few days, particularly in South America, Asia and Australia.

The researchers spotted a 5% dip in the measured index, accompanied by an 11% climb in packet loss and a significant improvement in response times. These changes, combined with other traffic analysis observations suggest an event or series of events. Yet none have been reported.

This type of analysis is significant to all security professionals. Not so much because there might be something brewing that’s about to hit Europe and the USA. But because it signals a new tool in the CISO’s toolbox. Communications traffic analysis, previously the preserve of Government signals intelligence agencies, is becoming an important source of real-time intelligence to anyone who needs to spot zero-day attacks or large-scale leakage of confidential data. And that’s most of us. So we should all be looking to exploit this technique. Because with today's technology, we can identify, analyse and report on many types of anomalous activity, shedding a new searchlight on the dark side of network behaviour.
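The kind of observation described above, a dip in a traffic index accompanied by a climb in packet loss, reduces to comparing today's measurements with a recent baseline. Here is an added example of that comparison; it is not the researchers' method and not code from the original post. The regional series, the seven-day median baseline and the 5% and 10% thresholds are all assumptions chosen to illustrate the technique on constructed data.

```python
"""Added example: baseline-deviation detection over a constructed traffic index.

Each region has one tuple per day: (traffic_index, packet_loss_pct, response_ms).
The detector compares the latest day with the median of the preceding window
and raises an alert when the index falls AND packet loss rises together."""
from statistics import median

# Constructed measurements; the last day of "south-america" carries the
# pattern the post describes (index down ~5%, loss up ~11%, faster responses).
SERIES = {
    "south-america": [
        (100, 2.0, 180), (101, 2.1, 182), (99, 1.9, 179), (100, 2.0, 181),
        (102, 2.2, 183), (100, 2.0, 180), (101, 2.0, 181),
        (95, 2.22, 120),
    ],
    "europe": [
        (100, 1.0, 60), (100, 1.0, 61), (101, 1.1, 60), (99, 1.0, 59),
        (100, 1.0, 60), (100, 1.0, 60), (100, 1.0, 61),
        (100, 1.0, 60),
    ],
}


def pct_change(current: float, baseline: float) -> float:
    return (current - baseline) / baseline * 100.0


def detect(series: dict, window: int = 7,
           index_drop: float = 5.0, loss_rise: float = 10.0) -> list:
    """Return one alert dict per region whose latest day deviates from baseline.

    Baseline = median of the `window` days before the latest one (the median
    resists a single noisy day). Alert when the index is down by at least
    `index_drop` percent and packet loss is up by at least `loss_rise` percent.
    The response-time change is reported as corroborating context only: a
    sudden improvement alongside rising loss suggests fewer hosts answering."""
    alerts = []
    for region, rows in series.items():
        if len(rows) < window + 1:
            continue  # not enough history to form a baseline
        history, (idx, loss, rtt) = rows[-window - 1:-1], rows[-1]
        base_idx = median(r[0] for r in history)
        base_loss = median(r[1] for r in history)
        base_rtt = median(r[2] for r in history)
        d_idx, d_loss, d_rtt = (pct_change(idx, base_idx),
                                pct_change(loss, base_loss),
                                pct_change(rtt, base_rtt))
        if d_idx <= -index_drop and d_loss >= loss_rise:
            alerts.append({
                "region": region,
                "index_change_pct": round(d_idx, 1),
                "loss_change_pct": round(d_loss, 1),
                "response_change_pct": round(d_rtt, 1),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SERIES):
        print(alert)
```

Requiring two indicators to move together is what keeps the alert rate usable: a dip in the index alone could be a holiday, and a rise in loss alone could be one congested link, but the pair is harder to explain away.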

July 8, 2007

Security in Identity Management – There’s a long way to go

Security in Identity Management is this week’s hot topic in London, with a Conference at DTI tomorrow on the subject of “Ensuring privacy and consent in identity management infrastructures”, followed up by an IAAC Conference on Wednesday on “Government's Role in Identity Assurance”. Although there's a strong Government flavour to these events, they are subjects that affect all of Industry.

It’s about time too. For the past three decades we’ve all lived with leaky network perimeters, insecure platforms, poorly designed access control systems and inadequate management of access rights. Not to mention the risks presented by information brokers and organised crime infiltrating our call centres to gain access to identity information or sensitive database records. On top of that we now have a growing backlash of citizen concern about what happens to all the sensitive customer information they give up to vendors and service providers. Are these organisations applying adequate safeguards? Are they selling it off to the highest bidder?

So there’s a lot to do. Start with a few regulations requiring reporting of incidents and security standards for safeguarding sensitive citizen information. Californian Law SB 1386 and the PCI Security Standard are both making a big difference to the attitude of organisations. They may be painful but they work. Then try to bridge the gap between the sophistication of the security standards community and the practical realities of actually implementing federated identity management. There is a need for a lot more guidance on best practice in action. Finally address the human factors, including how to design systems that are less susceptible to human mistakes and social engineering. It’s a big, big field. And it requires immediate attention by Government, Industry and Academia.

July 12, 2007

De-perimeterisation – What does it really mean?

People often ask me what De-perimeterisation really means for organisations. Is there, for example, a recommended architecture, methodology or action plan? That’s not easy to answer. I can articulate the problem space very clearly. But defining the solution is harder. There are still many emerging issues to address. Some are technical, some political and many are operational. And the most appropriate short-term response will be unique to each organisation.


Continue reading "De-perimeterisation – What does it really mean? " »

July 17, 2007

Top 10 Security Developments of the Last Decade

The staff of the Software and Information Industry Association (SIIA), a trade association for the software and digital information industry, recently published a Top 10 of the most significant e-commerce developments of the past 10 years. Inspired by this I decided to put together my own Top 10 Security developments of the last decade. All alternative suggestions are welcome.

Continue reading "Top 10 Security Developments of the Last Decade" »

July 20, 2007

Security Classifications – more than just a label

A colleague in a large organisation recently asked me for advice on the design of their security classification system. On the surface this might seem a simple task, but I can assure you that there’s a lot more to this subject than meets the eye. And I can speak from experience, having designed enterprise classification schemes for two very large organisations. But it's generally a rather black art, i.e. a relatively obscure subject area. Because few practitioners ever get the chance to research and develop the design for a classification scheme. And it’s not something you can learn from a book or from a university training course. Which is a shame, because classification schemes are a key, underpinning framework for all organisations. And there’s a lot more to them than most people realise.

Continue reading "Security Classifications – more than just a label" »

August 14, 2007

Data Mining and Fraud Detection

I was pleased to read that data mining has delivered spectacular results for the Insurance Fraud Bureau. Using Detica’s specialist services they were able to uncover gangs causing or faking car accidents, resulting in 74 arrests and a five-to-one return on investment, saving insurers at least £8 million.

I’ve long been a proponent of the use of data fusion, mining and visualisation techniques to detect fraud and solve business problems. I've sponsored several such projects in the past and was highly impressed with the potential for saving money through these techniques. The difficulty has always been the first hurdle of developing a convincing business case to invest in the necessary resources, technology and services. That's always the challenge when the technique is unproven and results cannot be guaranteed. It’s a leap of faith. When budgets are tight it's hard to persuade business managers to invest in experimental methods.

But as the IFB discovered the investment is more than justified. As Richard Davies, their Deputy Chairman, put it the results “exceeded all expectations” and “we never expected it to be as powerful as it turned out”. Yes, that’s the power of data mining. It’s one of the most under-utilised weapons against crime. And it can also solve all manner of day-to-day business problems.

September 13, 2007

It's Features not Usability that Sells Products

The blog postings have been a little thin over the last fortnight as I’ve been holidaying in one of those chic designer hotels. You know. The ones that have Zen styling, Eastern spa treatments, candle-lit rooms, designer landscaping, etc.

Of course in practice such styling is entirely impractical: shelves at the wrong height; darkened rooms you can’t read in; sunken baths that take an hour to fill; Japanese gardens that are a maze to navigate. But we wouldn’t have it any other way. We’d gladly suffer this inconvenience in the interests of style and one-upmanship. Because it’s the “wow factor” and the exclusive features that sell products. Not simplicity and utility.

It’s the same with IT and Security. Organisations rarely go for cheap, functional products. We look for the brand name, the fancy features and the Gartner rating of “completeness of vision”. This in turn makes big vendors and start-up technology companies focus on unnecessary functionality, standards and architectural potential. Their inclination is to develop new product features that will attract new customers, rather than perfecting simple, tried-and-tested functions that might delight existing clients. Which is why, over the years, vendors have been able to sell us security systems for authentication, risk analysis and identity management that have been less than fit-for-purpose.

And in the end, do we get the products we deserve? Unfortunately, yes. Of course it’s no bad thing that security standards and features continue to evolve. But we’d just prefer them to be a little more relevant to our day-to-day business problems.

September 26, 2007

Cryptography and Snake Oil

Bruce Schneier is a bright guy and a first-class writer but he does have the unfortunate habit of appearing to rubbish new security products, without any evidence that he’s actually looked at them. With most people this wouldn’t matter a jot, but Bruce is a highly influential blogger and thousands of people might be left with a negative opinion of the product.

So I was disappointed to read his recent posting on the press coverage of the EADS Ectocrypt encryption system. When he mentions snake-oil he might have had the media reporting in mind, but it reads to me as though the product itself is worthless. And Ectocrypt is not a worthless product, it’s a high-performance, award-winning encryption system, built to the highest NSA and CESG standards.

But unfortunately a large chunk of the blogosphere will now assume that it’s all hype. As Spiderman put it “with great power comes great responsibility”.

September 28, 2007

Why Encryption is a Hard Sell

My last posting generated a few comments condemning vendors who exaggerate the capabilities of their security products. The security market is now fairly mature so it’s surprising that vendors are naïve enough to think that slick marketing is the way to boost their sales. Product spin is a complete turn off for security professionals. Encryption products, in particular, require careful marketing, because they are one of the hardest sells of all. And that’s not just because of the aversion of the security community to bad marketing campaigns. It’s also because there are fundamental difficulties in introducing new encryption systems. Here's why.

First there’s the business case. Encryption is usually expensive to buy, disruptive to implement and difficult to manage. And it adds little obvious direct business value. It’s one of those invisible assets that you only notice when it messes up your communications. Business managers and Boards won’t be excited by the prospect of having unbreakable security protection for their information. They’re more interested in the business benefits. And these are more likely to be a leap of faith rather than a certain bet.

Secondly there is the enormous gestation period between conception and market acceptance for a new encryption system. New algorithms have to be peer-reviewed, debated, tested and accepted by the international community before they can be productised. And new products have to be evaluated, certified and in many cases approved by government or regulatory authorities before many customers will even consider them.

Then there is the marketing of the product. If it’s revolutionary and offers competitive edge, then it probably won’t be suitable for communicating with the rest of the business world. If it simply meets the latest standard, then it will lack a unique selling point. If it’s claimed to be foolproof, nobody will believe it. If it makes false claims it will be discredited. And if it’s questioned by a leading guru, it’s dead in the water.

Finally there is the long sales cycle, as customers consider the numerous implications of rolling out a new encryption system. Will it satisfy the standards of the service manager? Does it require a refresh of the desktop? Will legacy applications or hardware (e.g. ATMs) need to be adapted? Does an engineer have to visit each user site? These requirements might take months, if not years to implement. And in the meantime, the venture capitalists that originally backed the product will be developing ulcers and considering pulling the plug on their investment with little prospect of an early sale to prove the concept.

October 25, 2007

Trusted Computing Hits the Road

The cold, windy Docklands setting was an appropriate backdrop for the RSA Conference in London this week. There was little new, hot or entertaining on show. But, like Infosecurity, it’s a useful opportunity to network and assess trends in the vendor marketplace. In particular I was interested to meet Steve Hanna of Juniper who co-chairs the Trusted Computing Group, an organisation with a high-profile presence at this year’s conference and exhibition.

For some years TCG has been quietly establishing the standards to enable platform vendors to incorporate the trusted mechanisms to support data encryption and device authentication. Some products have hit the streets, and many more are in the pipeline. TCG are also addressing mobile and wearable computing devices, offering a partial antidote to the risks presented by consumerisation of client devices. When will it all take off? According to Steve, 2008 will be the year when “the rubber hits the road”.

November 2, 2007

In Search of the Holy Grail of Security Risk Management

IBM’s latest press release caught my eye. It sounds great, announcing a major investment in new security services, products and research breakthroughs to help business effectively manage operational and IT risk. I was particularly interested in the announcement about a collaborative research initiative with academia, called Security Risk Management (SRM), to align security controls with critical business processes and their risk management objectives. In particular, it aims to enable assessments of Business Value at Risk, a useful metric to present to business managers and Boards. It sounds like a great ambition.

The bit that worries me is the concept of a product that sets out to perform critical assessments across the enterprise, in a “more precise, automated and objective manner”. Nice in theory. But will it work in practice? Highly unlikely, in my experience. Even if we actually had sufficient base data to underpin such calculations, there would be too many contextual dimensions that are simply not measurable. Also, the value of information and the levels of risk change constantly, generally without warning or announcement. The model would always be out-of-date. Further, automated calculations have an unfortunate tendency to spill out bizarre results, requiring significant manual adjustments. And, most importantly, people are responsible for processes and assets – you can’t cut them out of the loop. It’s their call, not the computer’s, to assess the risks to their operations.

November 16, 2007

The Old Ones Are the Best

It’s an interesting phenomenon that chip speed and memory size both keep increasing in leaps and bounds, yet laptop performance continues to get slower. It’s always been the case as far as I can recall. In the Seventies I was assured that program efficiency was no longer desirable as processor speed and storage would be plentiful in the future. I was advised badly, though the software vendors certainly took this on board because they’ve long been eating up more resource than they require.

So it’s always a pleasure to revisit a simple design from the past and see it pitted against today’s technology. I’m referring of course to the tests of the re-built Colossus at Bletchley Park, currently being used to crack intercepted enciphered radio messages in competition with modern PC technology. Of course it's a publicity stunt, but it also demonstrates an important learning point, as well as highlighting an impressive piece of engineering by Tony Sale, an early pioneer of the use of technology for intelligence purposes.

The point to note is that an efficient, purpose-built design will for many decades outperform the latest general-purpose technology. It’s because vendors build in huge amounts of inefficiency, in their chip designs, operating systems, protocols, database systems and applications. There are many reasons for this: financial constraints, design by committee, need to maximise features, as well as plain old incompetency. The learning point for security is not to underestimate the potential power of purpose-built code-breaking or monitoring technology. Colossus might be an exceptional piece of engineering. But as they say, exceptio probat regulam in casibus non exceptis.

December 21, 2007

Back to Security Basics

Cisco’s recently published annual security report is not what you’d expect from a vendor of leading edge technology products. If you’re looking for a state-of-the-art analysis of emerging security technology, you’ll be disappointed. The report opens with an analysis of 21st Century trends but presents recommendations based on elementary security principles from decades long past. In fact there’s more focus on physical security, natural disasters and people than there is on technology. To me it’s further evidence of the current evangelistic, back-to-basics trend.

And that trend is not unexpected. There are three underpinning drivers. Firstly, it’s a consequence of a new focus on human factors arising from the growing empowerment and vulnerability of IT users. Secondly, it’s a necessary correction for security budgets which have failed in recent years to allocate sufficient resources to people-focused controls. But thirdly, it’s also a sad reflection on the continued lack of initiative and imagination to develop effective new technical measures to counter the increasingly sophisticated portfolio of threats.

The latter point is a concern that should not be overlooked. We need 21st Century solutions to counter emerging threats. You can’t simply dust down old solutions. Security education is an essential line of defence but users and customers are human. They will never be completely reliable, and they simply can’t address invisible or high-bandwidth threats that might be lurking in the infrastructure. We need new thinking and solutions, not old platitudes, from our leading vendors.

January 7, 2008

Better to be Safe than Sorry

I’m always nervous about connecting safety-critical systems to other networks. I’ve seen far too many unnecessary security exposures introduced to SCADA systems by engineers who should have known better. Fortunately SCADA systems are supervisory systems and are one layer removed from the systems that directly control industrial processes. But they still have an impact on safety, so connections have to be strictly controlled. Firewalls are a start, but software security measures are not foolproof. They are a calculated risk. As is every design decision for a safety-critical system. And unfortunately the risk profile of a software control tends to increase with time, as new vulnerabilities and attack vectors come to light.

I was therefore more than a little surprised to read that Boeing’s new 787 Dreamliner passenger jet allows a network connection between the passenger’s in-flight Internet access network and the plane’s control, navigation and communication systems. It’s hard to imagine any functional or business requirements that might justify this. No doubt the designers will have carried out all the necessary safety-critical calculations to ensure the system has adequate safeguards against failures and accidents. That’s a major challenge given the nature of software which generally requires more than the estimated lifetime of the Universe to test the full input/output space or to traverse every permutation of path. But the real risks are from deliberate security threats, which don’t fit the neat safety calculations used by engineers. A qualitative assessment is needed, and that’s a leap of faith against the background of a changing threat landscape.

I was once asked by a safety authority to design a security control that would guarantee that a hacker would not access the system more than once every hundred years. Impossible of course, but it illustrates the challenge of designing effective safety-critical security controls. None are perfect and there's a high degree of uncertainty, so it’s generally better to be safe rather than sorry and say no to unnecessary network connections.

January 23, 2008

Suspected Intrusions - To Block or Not to Block?

Earlier this week I was at an excellent CISO dinner at the Capital Club hosted by Dr Steve Moyle of Secerno. For those of you who haven’t come across Secerno, they’re one of Oxford University’s finest innovations. Steve is a real authority on database security and he’s developed an impressive solution to SQL injection and other database attacks. It’s very well regarded by companies that have looked at it.

One of the interesting conversations was whether security technology should block or alert on suspected intrusions. It's a difficult call. Intrusion prevention systems are heavily promoted as the contemporary successor to intrusion detection systems. But it’s clear that many large companies have yet to take the plunge, preferring to think first before closing down access attempts.

In fact there is no absolute answer. It depends on the level of confidence you have in your security technology and its ability to differentiate users from attackers. And that’s a moving target, as business connectivity grows and new technology emerges. In today’s virtual business environment where many of your IT users are not company employees, it’s getting harder to tell the difference between the bad guys and the legitimate users. Blocking is always safer from a security perspective but mistakes can be damaging to business. Monitoring is a useful compensating control but it’s potentially resource-intensive and alerts can be overlooked at busy times. But generally it’s all down to the reliability of the security technology, which is why I was interested to hear that at least one early adopter of Secerno’s technology has plumped for full blocking of detected anomalies from day one.
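The block-or-alert decision above can be made a configuration setting rather than an architectural one, so that an organisation can run in alert mode until it trusts the detector's judgement and then switch. The following is an added example, not code from the original post and not a description of Secerno's product: a toy database query gate that learns a baseline of query shapes from observed legitimate traffic (literals replaced by placeholders, so `id = 42` and `id = 7` share one shape while `id = 42 OR 1=1` does not) and then treats anything off-baseline according to its mode. The queries, the normalisation rules and the two modes are assumptions for illustration.

```python
"""Added example: a query-shape baseline with a configurable block/alert mode.

Queries are reduced to templates (string and numeric literals become '?'),
a baseline of templates is learned from constructed legitimate traffic, and
any query whose template is not in the baseline is either blocked or let
through with an alert, depending on the gate's mode."""
import re

_STRING = re.compile(r"'(?:[^']|'')*'")      # SQL string literal, '' escapes a quote
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")   # integer or decimal literal
_SPACE = re.compile(r"\s+")


def template(sql: str) -> str:
    """Normalise a statement to its shape: literals -> '?', whitespace collapsed."""
    shape = _STRING.sub("?", sql)
    shape = _NUMBER.sub("?", shape)
    return _SPACE.sub(" ", shape).strip().upper()


class QueryGate:
    """Allow queries whose shape matches the learned baseline.

    mode="alert": off-baseline queries are allowed but logged (monitoring as a
                  compensating control);
    mode="block": off-baseline queries are refused."""

    def __init__(self, mode: str = "alert"):
        if mode not in ("alert", "block"):
            raise ValueError("mode must be 'alert' or 'block'")
        self.mode = mode
        self.baseline = set()
        self.log = []

    def learn(self, queries) -> None:
        for q in queries:
            self.baseline.add(template(q))

    def check(self, sql: str) -> str:
        shape = template(sql)
        if shape in self.baseline:
            return "allow"
        action = "allow" if self.mode == "alert" else "block"
        self.log.append({"template": shape, "action": action})
        return action


# Constructed legitimate traffic used to learn the baseline.
LEGITIMATE = [
    "SELECT name FROM users WHERE id = 42",
    "SELECT name FROM users WHERE id = 7",
    "SELECT id FROM users WHERE name = 'O''Brien'",
    "UPDATE users SET last_login = '2008-01-23' WHERE id = 42",
]

# Constructed test cases: a normal query, an injection, and a query shape a
# new application release might introduce (legitimate but not yet learned).
NORMAL = "SELECT name FROM users WHERE id = 99"
INJECTION = "SELECT name FROM users WHERE id = 42 OR 1=1"
NEW_RELEASE = "SELECT name, email FROM users WHERE id = 5"


def demo(mode: str) -> dict:
    gate = QueryGate(mode)
    gate.learn(LEGITIMATE)
    return {
        "normal": gate.check(NORMAL),
        "injection": gate.check(INJECTION),
        "new_release": gate.check(NEW_RELEASE),
        "alerts": len(gate.log),
    }


if __name__ == "__main__":
    for mode in ("alert", "block"):
        print(mode, demo(mode))
```

The `new_release` case is the business risk the post describes: in block mode the gate refuses a perfectly legitimate query it simply has not seen before, and the application breaks until the baseline is updated. In alert mode the same query goes through and the shape appears in the log, where a person can decide whether to add it to the baseline or treat it as an attack.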

So what is best practice in this area? In my view it depends on whether you’ve experienced a serious attack. If you have, you'll be under management pressure to close down potential attack vectors. If it was a DDoS attack you’ll certainly have an IPS in place, ready for action in the event of a future incident. But the action is now moving to database security. That’s the new target for identity theft and it requires new thinking and technology. CISOs have to get to grips with database security. It’s an area long overdue for attention. And one where the stakes can be very high if you don't strike the right balance between business demands and prudent security.

January 30, 2008

Thin Client Solutions to Laptop Theft

Howard Wright and others have asked me about the possibility of alternative solutions to storing confidential data on laptop hard drives. It’s a good question. We can’t eliminate losses and thefts so it makes sense to explore innovative ways of securing the data, especially if they offer other business benefits, such as lower costs or greater agility.

Of course the preferred solution is encryption of hard drives. That's now mandatory. But you shouldn’t attempt it until you have a bulletproof key management system in place. And you can’t install a PKI overnight. It requires planning, specialist advice, new policies and operational processes. So how about the use of thin client devices, perhaps supplemented by USB devices? It could be a quick practical fix.

There are quite a few thin client laptops emerging. Major vendors such as HP have introduced new models, and there are outlets such as Thin Client that specialize in the sale of thin client devices. With limited storage options, they don’t meet every need but are ideal for mobile devices predominantly used in wireless equipped locations. USB devices can be used to store data and applications to enable off-line working but then you’re back to the original problem of encrypting data or losing data on stolen or lost devices.

Well not quite. USB devices hold less data than hard drives (though they’re getting bigger) and they're much smaller, presenting a different risk profile. They’re likely to be carried around a lot more and they’re easier to mislay. But they’ll attract less theft and are unlikely to be left behind in vulnerable locations such as hotel rooms, unattended offices and car boots. They’re also less likely to be reported missing. So you might suffer unreported business damage but at least you won’t attract any embarrassing publicity.

February 4, 2008

The Evolving Role of Managed Security Services

Last Thursday I was speaking on the future of security at an excellent seminar organised by Maxima, a fast-growing UK vendor of systems integration and managed IT services. Last year they acquired 3net, a security and network specialist, to extend their portfolio into the security market. I was impressed with their pitch. When I asked them what they did, they replied “We save money for our customers”. That's just what we all need. And it got me thinking about the changing role of managed security services.

I first encountered the need for managed security services in the nineties, when complex security solutions, such as IDS, began to emerge, and platform security was our Achilles’ heel. We were finding it harder to maintain the skills needed to secure a complex IT environment. Managed services seemed a step in the right direction, but there were few vendors, and we didn’t have the tools to communicate our unwritten security policies and risk profiles to an external supplier. But the concept became increasingly compelling.

At the turn of the century, John Thompson, CEO of Symantec, asked me what I wanted from his company. “Services” I replied. “Why sell us products when we really need services?” He subsequently introduced managed services, though it took time for the skills and prices of the early pioneers to match the requirements of customers. But since those early days most users have bought into a growing portfolio of managed security services, either to extend the capability of an in-house function, or to ensure there is independent testing of the security delivered by an IT service provider.

Today we face a new security challenge: working out how to get the best out of the growing number of single point solutions coming onto the market. At the last count there were several thousand to choose from, and they're growing. No user can keep track of this marketplace. And the more products you consider, the less thorough your evaluation will be. That’s why we need the services of external experts with the time, experience and incentive to evaluate new products. I expect this market to grow considerably. Because as Maxima point out, you can save money if you get the solutions right.

Of course, you can also burn a lot of money on security consultants and still get it wrong. So always seek recommendations before employing external suppliers.

February 17, 2008

The Grand Challenge of Securing Cyberspace

A National Academy of Engineering committee, including technologists such as Google’s Larry Page, has drawn up a list of Grand Challenges for Engineering. One of the fourteen challenges is that of securing cyberspace. Noting the dangers presented in the fictional scenario dramatized in the Bruce Willis movie “Live Free or Die Hard”, the committee correctly point out that research and development for security systems has not progressed much beyond a strategy akin to plugging the hole in the dike. Taking a leaf out of the Jericho Forum’s book, they also rightly claim that “the perimeter defense doesn’t work”.

Let’s hope the government and research councils pay attention, and make a bigger effort to seek out and encourage imaginative solutions from new, innovative sources. My experience of the research community is that it fails to hit the spot because it’s far too conservative in both its approach and its criteria for funding. We continue to get too much of the same from the usual suspects. And it stops well short of delivering anything useful, such as a working product. In fact anything that remotely approaches a practical solution simply doesn’t qualify for research funding. If we are to meet the challenge, we need more support for practical groups such as the Jericho Forum, and we need more initiatives such as Peter Jaco’s excellent new OrbisIP venture, which seeks out useful security research and connects it with venture capital and customers.

February 20, 2008

White Hat Worms

Microsoft researchers at Cambridge are on the back foot after publicizing details of research into Sampling Strategies for Epidemic-Style Information Dissemination. This rather technical piece of work was highlighted in a New Scientist feature last week. It reported that the authors wanted to “make software updates behave more like computer worms”. The researchers were also quoted as suggesting that it may also help defend against malicious types of worm.

The article triggered a wave of criticism. Bruce Schneier pointed out that patching people’s machines without their consent is a stupid idea. His comments spurred journalists to dig further. Microsoft went on the defensive, confirming there were no plans to incorporate such features into Microsoft products. There were suggestions that the writer of the New Scientist story might have “sexed up” the research by using terms such as “friendly worms”.

Now I agree with the points that Bruce makes. It's not a new suggestion and it sounds like a dangerous idea. But it would be a terrible shame if we end up in a situation where theoretical research avenues are constrained by assumptions about what is considered to be currently practical or, worse, what is deemed politically correct. Researchers need to be free to think the unthinkable and to experiment with new or crazy ideas. Research work produced for one purpose often ends up being applied to an entirely different set of problems. MIT Media Lab operates on that basis by introducing unconventional, freeform research to hard-nosed business executives. Let’s keep at least part of our research efforts free of criticism, censure and politics.

March 18, 2008

Network IPS is Dead - Long Live Application IPS

Back in 2003 Gartner announced that Intrusion Detection Systems were a costly failure and would be obsolete by 2005. They saw problems with false positives, false negatives, bandwidth limitations and the growing resources needed to carry out monitoring and incident response. Better to invest in firewalls they said.

Yet five years later IDS is alive and well. And it’s Intrusion Prevention Systems that are failing to penetrate the market. False positives continue to be a problem for network-level systems. So nine out of ten security managers still prefer to monitor rather than block. It might be resource-consuming but the risk of blocking an important business transaction is too great for most companies.

But the future is brighter. Security is always more intelligent and effective when applied at the application and data level. New products such as the impressive intelligent database activity monitoring technology from Secerno are much more reliable. In fact Paul Davie, Secerno founder and COO, tells me that their clients have never experienced a single false positive or false negative. It's because of the more precise nature of their algorithms.

So the future is blocking, not monitoring. And the smart approach is to focus your security efforts at the application level, not the infrastructure level.
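As an added illustration of the block-versus-alert decision discussed in the January posting and of the "application and data level" monitoring described here, the following Python example (not Secerno's code, and not a description of their algorithm) shows the allow-list approach commonly used for database activity monitoring: every statement is reduced to its structural shape by stripping out literal values, the shapes the application legitimately issues are learned as a baseline, and anything else is treated as an anomaly. The same monitor can be run in alert mode or block mode, and the sample statements are constructed to show both a real injection and the false positive that blocking mode turns into a business outage.

```python
import re

# Constructed baseline: statements the application is known to issue.
# A real deployment would learn these from observed traffic.
KNOWN_GOOD = [
    "SELECT id, name FROM users WHERE name = 'alice'",
    "SELECT id, name FROM users WHERE id = 42",
    "UPDATE users SET last_login = '2008-01-23' WHERE id = 42",
]


def normalise(sql: str) -> str:
    """Reduce a statement to its structural shape: replace string and numeric
    literals with '?', collapse whitespace and fold case, so the same query
    with different parameter values yields the same shape."""
    shape = re.sub(r"'(?:[^']|'')*'", "?", sql.strip())  # string literals
    shape = re.sub(r"\b\d+(?:\.\d+)?\b", "?", shape)       # numeric literals
    shape = re.sub(r"\s+", " ", shape)
    return shape.upper()


class DatabaseActivityMonitor:
    """Allow-list monitor. A statement whose shape was never seen during the
    learning phase is anomalous: in 'alert' mode it is recorded and let
    through, in 'block' mode it is rejected."""

    def __init__(self, mode: str = "alert") -> None:
        if mode not in ("alert", "block"):
            raise ValueError("mode must be 'alert' or 'block'")
        self.mode = mode
        self.baseline = set()
        self.alerts = []

    def learn(self, statements) -> None:
        for sql in statements:
            self.baseline.add(normalise(sql))

    def inspect(self, sql: str) -> str:
        """Return 'allow', 'alert' or 'block' for one statement."""
        shape = normalise(sql)
        if shape in self.baseline:
            return "allow"
        self.alerts.append(shape)
        return "block" if self.mode == "block" else "alert"


def demo(mode: str = "block") -> dict:
    """Run three constructed statements through a monitor trained on KNOWN_GOOD."""
    dam = DatabaseActivityMonitor(mode)
    dam.learn(KNOWN_GOOD)
    samples = {
        # Same query, new parameter value: shape unchanged, must be allowed.
        "new_value": "SELECT id, name FROM users WHERE name = 'bob'",
        # Tautology injection: the extra OR clause changes the shape.
        "injection": "SELECT id, name FROM users WHERE name = '' OR '1'='1'",
        # Legitimate query the baseline never saw (a new report, say): this is
        # the false positive that block mode turns into an outage.
        "unseen_report": "SELECT count(*) FROM users WHERE last_login > '2008-01-01'",
    }
    return {label: dam.inspect(sql) for label, sql in samples.items()}


if __name__ == "__main__":
    for mode in ("alert", "block"):
        print(mode, demo(mode))
```

The point of the third sample is the one the postings keep returning to: the monitor cannot tell an unseen-but-legitimate query from an attack, so whether you block or alert is a decision about how complete your learned baseline is and how much a wrongly rejected transaction costs you, not a property of the detection logic itself.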

March 20, 2008

Collaboration Oriented Architecture Hits the Road

The Jericho Forum will be unveiling details of its new Collaboration Oriented Architecture (COA) at the RSA show in San Francisco in April followed by Infosecurity in London. COA provides guidance on how organisations can achieve secure business operations across a de-perimeterised network environment. Meanwhile, Ron Condon provides a nice summary of the principles behind COA in his recent SearchSecurity feature.

March 24, 2008

A Step Back for Biometrics

The debate over BAA’s proposal to fingerprint passengers at Heathrow’s new fifth terminal is a sign of the times. It’s part of the growing dilemma of how to optimise the balance between security, privacy and convenience.

BAA claim that the extra security measure is needed to authenticate that the person arriving at a gate is the same one that checked in, thereby preventing domestic passengers from switching boarding passes with international travellers in the shared passenger lounge.

Passport checks are clearly not sufficient, so just how do you design a system that's fast, easy, reliable and secure? Fingerprints seem a reasonable approach, especially if the system is secure and they’re thrown away after 24 hours (though one has to question whether four of them need to be taken).

A few years ago, the Co-op retail supermarket trialled fingerprint reading with customers without any great fuss. At the time they claimed it to be "the least squeamish and the most acceptable” biometric technology.

So what’s changed? Perhaps it’s our perception of how far organisations can be trusted - or not - to secure our sensitive personal data. Or maybe it’s because privacy is now much higher on everyone’s agenda.

March 30, 2008

Raising the Issues of Biometrics

It’s reported in The Register that the latest edition of the Chaos Computer Club’s magazine contains a copy of the fingerprint of Wolfgang Schauble, the German Interior Minister. The image is reported to be printed on a plastic foil that registers a fingerprint when it is pressed against biometric readers.

Of course no one has yet been able to test the fingerprint to see if it’s genuine or if it works. It might just be a publicity stunt. And it is very close to April 1st. But the article does raise the important issue of the appropriateness of biometrics as a primary method of authentication.

It’s clear we need a lot more education and debate about the merits of fingerprints and other forms of biometric identification, especially as, in the words of Sir James Crosby, former CEO of HBOS, “identity is the new currency”.

There are widespread assumptions that physiological biometrics such as fingerprints and DNA are foolproof - even though they are easily obtainable and potentially transferable - and that readers will have adequate safeguards to detect forgeries. We also expect that in the event of a compromise there will be a simple means of resolving the situation.

The public needs more assurance about the design of biometric systems. That’s not to say they cannot play a useful part in identity management systems. Biometrics offer many advantages, and the technology has been under development for a long time. But there are still question marks about proposed implementations. Let's have a heated debate.

April 19, 2008

Centralisation – Does it Really Help Security?

According to Computer Weekly, Jesper Frederiksen of Google will be explaining at next week's Infosec Europe 2008 conference that centralising critical applications, services and processes is the key to ensuring information security in the face of increased mobile working and communications convergence.

This logic is based on an assumption that a higher level of security exists around large, centralised web-driven datacentres. Centralisation therefore enables increased security at a lower cost because of the economies of scale.

I can certainly accept that it’s cheaper to centralise security. You need fewer security staff. But there’s no such thing as a free lunch. Fewer staff and centralised storage of records will also introduce a few security risks that we didn’t have before. Of course not everyone is concerned about risks such as large-scale data compromises. They affect some companies more than others.

And that's why, when it comes to security solutions, one size does not always fit all.

April 21, 2008

Infosecurity Europe 2008

It will be very interesting to see what’s new at Infosecurity Europe this year. It starts tomorrow and continues through three days of intensive networking, presentations, lunches, receptions and dinners. For those that are not impressed by the regular stands there are many private sessions, such as the legendary Portcullis stand in the pub across the road.

I have to admit that I’ve been a little disappointed in recent years. This gathering is the number one event in my book. It should be the smartest and most thought provoking of all of the international security conferences. London has the highest concentration of top CISOs in the world. Most will be attending and many are presenting. There should be plenty of thought leadership and innovation.

Infosecurity doesn’t suffer from the heavy vendor spin of the RSA conferences. The programme is a reasonable balance of user and vendor perspectives. And we have lots of top gurus in town, including Bruce Schneier.

Let’s hope it will set the scene for the year. I'll be there for the duration. I’m certainly looking forward to connecting with my friends and forging new partnerships.

April 25, 2008

Infosecurity Highlights

I’m just getting back to normal after 3 days and nights of intensive networking at Infosecurity Europe. It was a great event, with excellent people, many new stands and slightly edgier presentations. The main value for me is in the networking. I always run into dozens of old friends I haven’t seen for years, especially at the excellent Portcullis Arms.

Amongst all the noise and bustle I managed to conduct filmed interviews for Computer Weekly with Ray Stanton, BT’s Global Security Director and Bruce Schneier. You’ll be able to see the results in a few days on the CW Web site.

As usual there was little that was truly innovative but many new products and a few interesting trends such as more focus on security “in the cloud” and data leak prevention, and better management tools to help tackle the increasing complexity of security solutions. I’ll be covering further highlights in later postings, so watch this space.

April 28, 2008

Security Software as a Service

Demand for software as a service (SaaS) has been steadily growing in recent years, ever since Salesforce.com seduced large organisations into taking it seriously.

Security SaaS has also become a widespread option for security services. IDS services such as Counterpane and email-scanning services from MessageLabs were first on the scene, followed by Qualys’s pioneering vulnerability scanning services. Over the past year we’ve also seen the emergence of further filtering services from Scansafe and Webroot, and application testing services from Veracode.

Security in the cloud was a common buzz phrase at Infosecurity last week. There’s a clear trend here and it’s a very useful one as it enables organisations to escape the restriction of having to operate exclusively through their corporate networks. Security SaaS is a major step on the road towards de-perimeterised business operations.

May 1, 2008

We can’t have enough security products

In recent years I’ve taken the opposite view from the analysts and vendors who have been continually predicting the death of standalone security products. I believe the future will be even more security solutions. And that’s a good thing. We should encourage more innovation, variety and competition.

I can understand why big vendors prefer to imagine a future free from single point solutions. But I find it sad and strange to hear customers complain about the number of security products available for them to buy. Bruce Schneier drew attention to that in his report of this year’s RSA Conference. His observations were correct, though I disagree with his forecast of the death of end user attendance at large exhibitions. In my view these events will go from strength to strength, as products proliferate and security becomes even more fashionable. 12,500 visitors are reported to have attended Infosecurity Europe. Next year’s event will be even bigger.

There are several reasons for the frustration of users. The market is immature and inefficient. Products are improving but marketing is still weak. I know that because I advise many start-up companies and venture capitalists. But inefficient markets present business opportunities. And networks are a powerful tool for improving searches and communications. That will all get fixed over time.

It’s also becoming much easier for customers to deploy new products when offered as Software as a Service. That at least overcomes the complaints of operations staff about the number of different boxes they have to install in their equipment racks.

I’ve pointed out before that acquisition of smaller products by bigger vendors will not reduce the number of standalone security products. The problem space is huge and growing. The solution space is tiny by comparison. What we’re really lacking is imagination. There is plenty of existing academic research to underpin dozens of new security product concepts that would deliver value to customers. I can think of several that are easy to build and that customers would buy. But we keep seeing variations of the same solution. A lack of creative product development is the real Achilles’ heel of the security market.

May 2, 2008

Voice Firewalls - the next compelling technology

My last blog posting attracted an interesting comment from Lee Sutterfield, suggesting that voice firewalls are going to be the next major product investment. We should take note of that. Lee is a smart guy who operates years ahead of the field.

For those that don’t know Lee, I should point out that he’s the guy who sold the concept of Information Warfare to the US Air Force. He’s also the father of intrusion detection. He developed the first commercial product, NetRanger, which Cisco immediately acquired.

For several years Lee has been working on voice firewalls, initially to help control and manage PABXs but increasingly as a solution to converged data/voice architectures. His company SecureLogix has a unique perspective on this solution space.

And the security risks presented by voice and data convergence should not be underestimated. Over the next few years we’re going to see increasing pressure for more effective architecture solutions.

May 15, 2008

The Backward World of Secure Software Development

My blog postings have been a bit thin this week, as I've been awaiting the latest blog software upgrade, which should improve the performance substantially.

I've been reflecting on last Friday's excellent Cyber Security KTN workshop on Secure Software Development. This special interest group has been meeting for some time and I'm pleased to say there's been a fair bit of progress: the sessions are broader and deeper, and the group is better joined up with other standards activities, including ISO and OWASP initiatives.

The workshop included parallel streams addressing business cases, good practices, training, and the systems development lifecycle. That illustrates the large scope of the problem space. It's not just about cutting secure code or developing better testing tools. We need to get things right much earlier in the development process.

It's a strange phenomenon of security that encourages us to address issues from the end point of a process, rather than its starting point. I noticed this when writing the original BS7799 text. The weakest chapter was the one on systems development. It's always been the last place we focus our efforts. In fact our development lifecycles have for decades ignored security. And when we do address this area, we start at the end of the cycle, focusing on operational issues first, then testing and then coding standards, with more emphasis on securing the finished product than educating the designers.

Ideally we should have started at the beginning of the cycle: address the business case for security, then the requirements analysis, then the design principles and then the architecture. These are easier areas to improve, and yet they remain the least developed. We could make a big impact if we could agree a simple set of design principles (such as always use open, secure protocols) and provide guidance on security architecture.

May 16, 2008

Secure by Design

One of the most underdeveloped areas of security is the art of designing systems that are intrinsically secure, for example by designing in deterrents to attackers and thieves. Classic examples of this are digital rights management, and the design of US Postal Service vans, which are unlikely to be stolen because of their unique shape.

There are many ways to achieve this: designing products that resist attack; reducing the value of stolen assets; least privilege access; visible audit trails; having a tough policy on breaches, etc. But very little effort seems to be focused on this aspect of security.

So I was pleased to read about the Design Against Crime Centre at London fashion college Central Saint Martins which devises innovative gadgets and adapts everyday items to make theft as difficult as possible. They've developed things such as a slash-proof backpack, an alarmed laptop case and a pub chair with space to hide a handbag inside.

I loved the quote by Professor Lorraine Gamman, the Centre's Director: "I personally would like to design a phone that blows up when someone steals it. That would be one way to stop thieves using it."

June 5, 2008

Uncontrolled printing

According to The Register, ENISA, the European Network and Information Security Agency, have just rediscovered the forgotten and widely ignored risks of uncontrolled printing.

Having shared laser printers and photocopiers with colleagues working in personnel, security and other corporate centre functions, I'm used to the common sight of discarded sensitive information. It's a big problem.

ENISA describes printing as the "forgotten link" in the security chain. They're right. As Donn Parker used to say, the written word and the spoken word are the most vulnerable of all channels.

Donn used to have an excellent after-dinner speech in which he drew attention to this fact and suggested, very sensibly, that we should all keep a shredder next to our printers. He then went on to describe IBM's latest revolutionary product, the combined printer and shredder....

June 12, 2008

Intrusion detection is alive and well

I met up this morning with Marty Roesch, the CTO and founder of Sourcefire and SNORT, the open source intrusion detection engine. It's always a delight and a privilege to meet Marty. He's one of the nicest and most enthusiastic technologists on the security scene, and he's been incredibly successful in rapidly building a business worth a few hundred million dollars on the back of an open source product. And Marty's not in it just for the money. He's just rejected a $187 million takeover bid.

Gartner Group has rated the Sourcefire product range as the most visionary in the solution space. It's not surprising. It's built on a solid engine and it has a powerful user-centric set of features. Several years ago, Gartner Group said IDS was dead. They could not have been more wrong. But they were looking at early, clunky products, not the flexible products of today, with sophisticated risk-based, programmable rules and intelligent dashboard reporting. 

I generally get bored listening to technology vendors. They often lack insight into the problem space and innovation in the solution space. But Marty is different. He understands the importance of visibility, context and integrity, the three most important emerging issues in information security.

If you can't see what's happening across your infrastructure, then it's out of control. And if you don't appreciate the context of what you see, then you'll draw the wrong conclusions. And of course if you can't detect changes to data, systems and infrastructure, then you're not able to detect and recover from attacks.

Contextualisation is one of Marty's terms. Not as catchy as de-perimeterisation but equally important. We need to understand the context of risks and events. We need to appreciate the contextual limitations of systems and infrastructure. And, increasingly, we need to recognise the context of the information itself. Smart use of technology is essential to achieve this.


June 13, 2008

In search of the spirit of Bletchley Park

I'm watching with interest to see how long it takes for the security community to develop an antidote to the latest version of the Gpcode virus which encrypts files using strong encryption.

A week ago, researchers at Kaspersky called on the community to help crack the 1024-bit encryption key. That's a tall order. But I never underestimate the power of the network to harness processing or thinking power to find a solution. During the Second World War, Bletchley Park always managed to bounce back from every major setback.

You can follow the progress on this forum.


June 23, 2008

The solution needs to fit the problem

Today's press reports that Councils in England have been urged to review the way they use surveillance powers to investigate suspected crime. The suggestion is that they should not be used for trivial offences, such as dog fouling.

The problem is that for every person that objects to surveillance powers being extended, there seems to be at least one who wants to see them used to catch litter bugs and dog foulers.

Council actions tend to reflect the demands of citizens. Most people write to them about trivial offences that irritate them, rather than bigger problems such as terrorism and organised crime.

As Alun Michael MP correctly points out in his excellent presentations on Internet Governance, when it comes to solutions to crime, one size does not fit all. What we need to tackle serious crime is rarely effective for more trivial offences.

Interception laws were not designed with dog fouling in mind. We need solutions more in keeping with the problem.  

June 30, 2008

In search of better Identity Management

Last week I met up with Microsoft to catch up with their progress in developing a better, user-centric identity infrastructure.

Microsoft's journey started with an ambitious but ill-fated venture called Hailstorm, which aimed to implement a secure, global identity system, but misjudged the marketplace. The post mortem prompted Kim Cameron, a Microsoft architect, to develop a set of principles called the Laws of Identity that attempted to set out key requirements of global identity systems.

Now I'm not fully convinced that these laws are all necessary or sufficient to deliver effective identity management solutions. But they're a step in the right direction and a huge improvement on early concepts such as Microsoft Passport.

Of course it's one thing to evangelise about principles, and another one to build products that meet them. How far is Microsoft from achieving this vision? 

Well they've certainly come a long way. Recent announcements about Windows CardSpace and their acquisition of Credentica, a company whose technology enables user control over identity information, demonstrate that the pieces of this jigsaw are coming together. Microsoft is clearly serious about making the concept of a privacy-enabling, interoperable, global identity system a reality.

The next question is whether it will catch on. Even the most perfect products can sometimes fail to catch the imagination of the marketplace. And technology alone cannot solve the identity problems of today's business. We need a lot more work on collaborative architectures and processes. But I wish them well because they've clearly gone to enormous lengths to establish, debate and promote the principles behind the technology. 

July 10, 2008

Network Access Control

This month's SC magazine has some rather critical quotes of mine in a feature on Network Access Control. I'm not completely negative about it. It's a useful tool in the security manager's armoury, but it's still on an upward path and not quite the panacea it's sometimes claimed to be. 


July 21, 2008

Who needs infrastructure?

I was interested to read that Westminster City Council is planning to be infrastructure-free by 2015, by outsourcing all IT services.

It's refreshing to find an organisation that's prepared to think that far ahead. Most directors today seem to be obsessed with ninety-day projects. That might be fine for new systems and upgrades. But radical changes to the underpinning legacy infrastructure take a very long time.

You need a powerful vision to get away with that. And it's good to see a vision that aims to go all the way.

Taking out infrastructure is a form of de-perimeterisation. It's about moving to "the cloud". That requires a collaboration-oriented architecture, to ensure that services can fully exploit the potential of operating outside the confines of the corporate infrastructure.

I recall that Westminster were early pioneers of wireless services, not just to provide facilities for visitors, but also as a vehicle for transforming service delivery. Infrastructure changes are a powerful vehicle for driving through process change.

It's refreshing also to read that they are aiming for value for money, rather than cost cutting. That's a much smarter approach. When it comes to IT, the cheapest service is usually the worst value. I shall watch their progress with interest.

August 4, 2008

Data leakage prevention

I see that McAfee has announced that it's buying Reconnex, a data loss prevention firm, for $46 million. It's the latest in a line of similar acquisitions by rival security vendors.  

Data loss prevention seems to be the hot new technology focus. Content monitoring has taken over the spotlight from firewalls and intrusion prevention. That's in line with my long-standing prediction that in the future, dynamic information flows, rather than static data stocks, will be the primary focus of information security. 

Technology can help prevent data leakages. But it will only work if people take the trouble to apply it and use it properly. We have the same problem with corporate policy. We can set out the rules, but managers don't have the time to read and absorb them. And even if they did, they're unlikely to have the time, budget or resources to enforce them. 

Effective prevention of data leaks needs to start with good security awareness, and the encouragement of a more sophisticated security culture. Not the old fashioned one that locks everything away from prying eyes. But one that appreciates the benefits of information sharing, yet, at the same time, also addresses the associated risks. That's the real challenge for data loss prevention.

 

August 28, 2008

It's always two steps forward, another step back

Security technology has a habit of replacing the problem that it solves with an entirely new one. Encryption, for example, hides your data from others, but that also includes the user if he forgets the key. So we put in a PKI to manage all the keys, and that introduces a raft of other new problems. And so it goes on.

The latest idea for solving man-in-the-middle attacks is an ingenious solution from Carnegie Mellon University, called Perspectives. This looks very interesting, as it's claimed to be simple and cheap. Essentially it uses a network of "notaries" that check the web sites you visit to ensure that authentications returned to them are consistent with ones sent to you. 

This of course raises a privacy issue. The notaries, which might be universities, will have a lot of information on IP addresses and web activity. I hope they have an answer that's more than simply asking the notaries nicely to avoid recording client IP addresses.
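As an added illustration of the notary consistency check described above (example code, not the Perspectives project's own): the client compares the key fingerprint it received from a site with the keys a set of notaries currently report for that site, and accepts it only when a quorum of notaries agrees and has seen that key for long enough. The notary names, fingerprints and quorum parameters are constructed assumptions.

```python
"""Perspectives-style notary check, as an added example. All notary names,
fingerprints and observation histories are constructed for illustration."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Observation:
    """One notary's record of a key it has seen for a given site."""
    fingerprint: str   # fingerprint of the server key the notary observed
    first_seen: int    # days ago the notary first saw this key
    last_seen: int     # days ago it last saw this key (0 means it is current)


# notary name -> the keys that notary has observed for the site
NotaryView = Dict[str, List[Observation]]


def current_key(observations: List[Observation]) -> Optional[str]:
    """The key a notary currently sees for the site, if it has one."""
    for obs in observations:
        if obs.last_seen == 0:
            return obs.fingerprint
    return None


def check_site_key(client_fp: str, notaries: NotaryView,
                   quorum: float = 0.75, min_days: int = 7) -> Tuple[str, str]:
    """Compare the key the client received with what the notaries report.

    Returns (verdict, explanation). Verdicts:
      consistent  - a quorum of notaries sees the same key and has done so for
                    at least min_days (an attacker would have to sit between
                    every notary and the site for that long)
      new_key     - a quorum agrees, but the key is too recent to trust yet
                    (a legitimate rotation and a fresh attack look alike)
      suspicious  - the notaries see a different key from the client, which is
                    what interception near the client looks like
      no_data     - no notary has seen this site
    """
    if not notaries:
        return "no_data", "no notary has observed this site"

    agreeing = {name for name, obs in notaries.items()
                if current_key(obs) == client_fp}
    if len(agreeing) / len(notaries) < quorum:
        others = sorted({current_key(obs) for name, obs in notaries.items()
                         if name not in agreeing} - {None})
        return "suspicious", (f"only {len(agreeing)}/{len(notaries)} notaries "
                              f"see {client_fp}; others see {others}")

    # Quorum duration: how long every agreeing notary has seen this key.
    duration = min(obs.first_seen for name in agreeing
                   for obs in notaries[name]
                   if obs.fingerprint == client_fp and obs.last_seen == 0)
    if duration < min_days:
        return "new_key", f"quorum agrees but key is only {duration} days old"
    return "consistent", (f"{len(agreeing)}/{len(notaries)} notaries have "
                          f"seen {client_fp} for {duration} days")


# Constructed notary data for a hypothetical site.
OLD_KEY = "aa11"   # constructed fingerprint, seen by all notaries for months
NEW_KEY = "bb22"   # constructed fingerprint, rotated in two days ago
MITM_KEY = "cc33"  # constructed fingerprint that only the client has seen

NOTARIES_STABLE: NotaryView = {
    "notary-a": [Observation(OLD_KEY, 120, 0)],
    "notary-b": [Observation(OLD_KEY, 95, 0)],
    "notary-c": [Observation(OLD_KEY, 200, 0)],
    "notary-d": [Observation(OLD_KEY, 60, 0)],
}

# Same notaries after the site rotated to NEW_KEY two days ago.
NOTARIES_ROTATED: NotaryView = {
    name: [Observation(OLD_KEY, obs[0].first_seen, 2), Observation(NEW_KEY, 2, 0)]
    for name, obs in NOTARIES_STABLE.items()
}

if __name__ == "__main__":
    for label, fp, view in [("stable site", OLD_KEY, NOTARIES_STABLE),
                            ("intercepted", MITM_KEY, NOTARIES_STABLE),
                            ("just rotated", NEW_KEY, NOTARIES_ROTATED)]:
        verdict, why = check_site_key(fp, view)
        print(f"{label:12s} -> {verdict}: {why}")
```

The privacy point in the post stands: every call to `check_site_key` corresponds to a query that tells the notaries which site the client is visiting.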

 

September 12, 2008

Data loss detection and prevention

Yesterday I was speaking at a Butler Group masterclass on Information Risk and Data Loss Prevention. The discussions with delegates confirmed for me how seriously organisations now take this issue, as well as how difficult and complex it is to address it. There are no easy solutions. Technology offers very limited solutions, in most cases little more than a discovery mechanism for the security function.

That will change with time of course. Security technology will progressively become more effective and reliable at preventing leaks. The question is how long it will take before we will have the confidence to allow it to block suspicious transfers without human intervention.

The same arguments about intrusion detection and prevention apply to data loss prevention. The goal should be to stop breaches in real time, rather than just flag the event for later analysis. But we have to be confident that we can avoid the "false positives". Otherwise we might end up closing down important business transfers.

In fact it's rare to find organisations that have the confidence to block rather than monitor intrusions. One reason for that is the need for better appreciation of the context of the transaction. This improves as we go higher up the protocol stack, which is why Secerno's data-level security technology can be trusted to block transactions.

Data loss prevention technologies offer the potential for recognising the context of transactions. Hopefully they will mature to a level that can deliver the confidence that security managers seek.

September 29, 2008

Sex, death and Gartner IT security summits

Today was the opening of the Gartner IT Security Summit 2008 in London. It's becoming a major event, attended by hundreds of people. And it was certainly an interesting curtain raiser: a mixture of pretentious aspiration coupled with fundamental security basics. 

The three introductory keynote sessions were a strange brew. The first one, by Neil MacDonald, a Gartner analyst, was quite surreal. It was probably over the heads of many of the audience. I suspect this, because several people commented to me that they had absolutely no idea of what he was talking about. But it had many good points, including the need to align security architecture with the human immune system. And it's always a good thing, of course, to stretch people's perceptions.

Neil's presentation, in fact, had some great points about architecture, biology and de-perimeterisation, the sort of stuff I was preaching myself around ten years ago. Unfortunately, my early experiments with building real life models of the human immune system showed that this technology is not quite ready for prime time. However the concepts are good. And, as I often say, if you want real survivability, try building sex and death into your systems.

Interestingly, Neil advocated death as a recommended process, so he's clearly on the right lines. He went on to suggest some very sophisticated ideas for architecture, suggesting CISOs should focus on tomorrow's problems rather than the routine issues of the day. That's a good point, but I expect that most executive boards would prefer a more immediate focus on long-standing issues.

Neil also emphasised the need to break down the traditional silos in information security. Unfortunately, he completely failed to mention anything about people or processes. Presumably they're in a "too difficult or messy" silo. However, his session was followed by a contrasting session by Martin Smith, of the Security Company, and Andrew Strong, of Unilever, who both evangelised the importance of security education.

Martin and Andrew are absolutely right about the need for companies to get to grips with the issue. And they presented some interesting examples, including material designed to address the Generation "Y" community and their virtual worlds. But, unfortunately, their session was light on real content and practical advice. I guess that means you have to buy Martin's product to get the real stuff. 

The third session returned to the surreal, with a discussion of "now and future" issues. This session would have been fascinating if it had been based on a CISO panel from the financial sector. But unfortunately it was a question and answer interview with a business development executive from CA, attempting to gauge the likely response from such organisations to today's emerging issues.

But, overall, it was a good, mixed bag to set the scene. Not all of it came off, but at least Gartner are including some imaginative ideas and subject matter variety. That's what people need today. And at least they're addressing the human dimension, something that seems strangely absent from the agenda for RSA Conference 2009. 
   

September 30, 2008

Security and SaaS: a compelling combination

It's been my second day at the Gartner IT Security Summit. Many of my CISO colleagues were clearly flagging by lunchtime. Several went home early as there was little of interest for them, generally sessions led by Gartner analysts spouting their latest theories, or the odd vendor promoting a product. There were few practical sessions or case studies of interest to user organisations. Gartner need to rethink this programme if they are to retain their top customers. It's an agenda that's clearly vendor driven, rather than one that's customer focused.

But I was keen to listen to Gerhard Eschelbeck, CTO of Webroot, who's both a malware expert and a pioneer of Software-as-a-Service (SaaS) security products, as well as being a very nice guy and a bright, articulate speaker. I was particularly interested to hear Gerhard's latest views and experiences of developing security services that operate in the cloud, rather than on the desktop or at the corporate perimeter.

Cloud services are the future as they're cheaper, easier to manage, more up-to-date, easier to scale and avoid capital expenditure. They also enable support for remote clients operating outside the corporate perimeter. The business case is compelling, as long as you're comfortable with the idea from a security perspective.   

Performance is not an issue. In fact, you can generally boost the speed and reliability of services by going for a SaaS service, as many offer faster Internet connections than your existing services. Not all performance is the same though, as not all vendors invest in the additional hardware that's needed for a multi-tenant service. You have to check this out.

But security is a genuine concern, as, in practice, you have to check out the actual security practices on the ground, unless you're comfortable with the credentials of the vendor. It's a difficult area, especially for small or medium enterprises who can't afford to fly an expert out to California or India. But there's no easy answer other than organising an audit yourself, or carefully checking out the customer list to see if there are lots of blue chip clients who might well have already conducted a thorough audit to satisfy their requirements.

References are a possibility, but there can be liability implications for companies that vouch for a service, so this is not an ideal solution. At the end of the day, you simply have to decide whether you trust your partner. And it takes years to build a mature security management framework. So my advice is not to go for the cheapest service, but to go for the one that shows they understand security and has sufficient experience to get it right. Let's face it, you're already saving lots of money on SaaS products, so don't aim to skimp on their security.  

October 9, 2008

Microsoft Security Day

I was fortunate today to attend a Microsoft security day. Yes, I know it sounds like an oxymoron, but there's a lot of good security stuff going on in Redmond these days. And it's all in the right direction, with developments such as security in the system development lifecycle, laptop encryption, federated identity management, secure unified communications and various other security solutions.

This particular session was arranged by the ISSA. It's an excellent institution, which is building an impressive UK base, around a thousand members. If you're not a member, I'd recommend you join because this is without doubt the best value security club. It has quality members, impressive influence and has sensibly sought to exploit vendor sponsorship to keep down the costs of membership. They're also offering a free trial membership at present. I shall certainly be joining. 

Several things caught my eye at Microsoft. For example, I'm very interested in Microsoft's internal security. They are the most attacked organisation on the planet, yet they survive with no special technology. If nothing else, this demonstrates that we're certainly not short of adequate solutions. They claim to have no special "magic wall". That demonstrates that today's technology is still fit for purpose.

What's also interesting is that Microsoft has elected to be early adopters of their own emerging technologies. Of course that's something that all vendors should do. I'm especially interested in voice and data convergence, for example. And I'm impressed that Microsoft seem to have implemented this without any significant, reported problems. They do of course invest quite heavily in internal security, much more than the average organisation, and definitely at the high end of any benchmark, though they will argue that the free software makes it all seem relatively cheap. 

I'm also interested in laptop encryption, which is vastly more complex than appears at first sight. There is no single solution. It depends on the level of risk. I like the fact that you can select one of several levels of security by combining features. 

Building security in the system development lifecycle is also extremely important, and I'm pleased to see that Microsoft are not only addressing this issue themselves but also providing the benefit of their experience to a wider community. It's one area that would deliver massive benefits if we could achieve a collective upgrade in our approach to system development. However, we have to work on convincing our business customers that security is equally important as development speed and agility. 

But one thing that particularly caught my eye was the fact that Microsoft offer free support to people who experience cyber attacks. If you're attacked and compromised then you get a completely free support service. That's something you rarely see in today's cash-strapped business world.

There are, of course, still many things that are far from ideal about Microsoft security. But you certainly can't fault them for trying. 

October 20, 2008

Here comes everybody

People often ask me what's happening these days at the Jericho Forum. It's been around for some years, but the computer press coverage has been relatively light lately. Well I'm pleased to report that it's very much alive and well, and it's making steady progress.

The first phase of the Jericho Forum's long range programme was to raise awareness and define the problem space for de-perimeterisation. That's been achieved through the series of international conferences and numerous position papers that have been published. The current phase is the development of the solution space. That's a much harder task, but good progress has been made in developing a common architecture to support collaborative working. This phase is targeted to be complete by the end of January. 

There's a lot of current activity by members to fill in the elements of the collaboration oriented architecture. It's an important stage. In my view, none of it will be earth-shattering or great. But that's not the point. The main achievement is that several dozen important organisations will have agreed it. And that's significant. Collaboration is about consensus, not perfection.  

And architecture is, of course, a means to an end, not an end in itself. The next phase will be focused more on implementation. That's when it will get interesting.

October 22, 2008

Firewalls for phones

I was interested to read that Truecall, a UK firm, has brought out a firewall-style device for phones. It operates on the basis of a white list of approved callers and a black list of nuisance callers. They claim to have future plans to download blacklists from a central database but apparently this requires a few legal issues to be resolved. I'd quite like to have one myself but unfortunately it retails at a hefty £99.99.

October 31, 2008

Security at the application level

One long-awaited trend that's finally begun to take off is attention to security at the application level. It's not surprising as hackers are increasingly focusing on applications and data. But it takes time to develop the capability to build better security into applications. Fortunately we're now seeing the emergence of better methods, technologies and services to manage and identify vulnerabilities throughout the system development lifecycle, as well as to secure legacy applications.

Over the last few years I've been impressed by the expertise of specialist companies in this area such as Secerno and IOActive. Earlier this week, I met the team behind SPI Dynamics who were acquired last year by HP. They're a bright, creative bunch of guys out of Georgia Tech, who seem set on revolutionising HP's capability in application security management. I particularly like the fact that they're also focusing on securing HP's internal systems. That's an essential basis for building a good reputation, and an example to others. I wish them well.

 

November 1, 2008

Towards a cleaner water supply

My vote for the best exhibitor stand at the RSA conference in London this week goes to Optenet, a Spanish company specialising in web content. Content filtering is becoming such a commodity that I'd normally have just taken a quick glance at the stand, noticed nothing especially innovative, and then walked on. But with champagne and snacks on offer, I was compelled to linger a little longer, and I was impressed with what I heard.

Optenet have only recently launched in the UK, but they have a top-performing product in the growing market for parental control. And they've already picked up contracts with ISPs such as Orange and with several NHS Trusts. Hopefully that's a further step towards helping to build the equivalent of a clean water supply for Internet content. ISPs and other responsible organisations need to enable more control over the content they're delivering to consumers. There's no excuse now that effective technology is readily available.  

December 13, 2008

Open source security is the future

Security practitioners today face a near-impossible task of bringing order to a technology landscape in which the problem space is accelerating beyond the reach of the available solutions. Most enterprise networks are already well out of control, and the situation will get much worse. Tackling this dilemma is arguably the greatest technology challenge that we face.

Today's response is inadequate. We need solutions that are rich and scalable enough to secure our intellectual assets across an increasingly complex, virtual infrastructure. And I use the term "intellectual assets" deliberately to make the point that it's more than just information that we need to secure. It's also ideas, know-how, trust, relationships, information flows and reputations. This problem space is far bigger than the one we currently address.

The effort and scale required to conceive, build and maintain such solutions is enormous. As Homeland Security Secretary Michael Chertoff pointed out at this year's RSA Conference, it's no less than a Manhattan project for cyberspace. And in the current financial climate that's likely to put it beyond the capabilities of governments, academia and technology vendors.

In fact the real answer lies with people. Networks provide the lever to harness the efforts of a global community. Open source research and development is the vehicle we need, though it remains an esoteric medium for most traditionalists. How do we go about it? What's the secret? In fact, it's not that difficult, though it does require special individuals.

A few days ago I met up with Marty Roesch, founder of Sourcefire, the highly rated IPS/IDS product family, and SNORT, the de facto standard for open source intrusion detection. It's always a privilege to meet Marty. He's one of the nicest, brightest, most enthusiastic technologists on the security scene. And he has a stunning track record of building both a visionary product and a hugely successful business underpinned by open source development. His products also continue to stay ahead of the solution space.

What's the secret behind this? What does it take to build an open source community? In fact, it's simple, according to Marty: you just cut great code, establish a central contact point and then, most importantly, answer your emails. He's right. The process is simple, though it takes a special kind of person to pull it off.

Some people claim it's luck. I disagree. So-called lucky people view the world differently. They spot and grasp opportunities that others fail to see. We need more of these special people, though, there's no reason, of course, why we could not teach ourselves to be so lucky. 

December 15, 2008

Everything you wanted to know about Web 2.0 Security and Privacy

The European Network and Information Security Agency (ENISA) has just published a comprehensive position paper on Web 2.0 Security and Privacy. It's a good overview of the problem and solution space, and a useful reference document for all information security practitioners.

ENISA also conducted a survey of 1,500 end-users of Web 2.0 sites and applications. The results of that are also worth reading, though I'm not sure that the reported differences in user behaviour between countries are really as large as they appear from the survey, perhaps reflecting differences in the targeted audiences.

January 11, 2009

Never assume a security measure is foolproof

It's always interesting to observe the reaction of the media and cryptographic community to announcements that an algorithm has been broken. It says a lot about our perspective on security countermeasures. Too often, we regard them as either perfect or ineffective, when the truth is that they all have varying degrees of effectiveness, and these can change over time, due to new threats, vulnerabilities or occasional breakdowns. 

A classic example is the recent claim that MD5 had been broken as an exclusive hash function, resulting in the possibility that it might be possible to forge some types of SSL certificate. Many media reports, like this one in The Register, suggest a sensational blunder. But the reality is that SSL certificates represent only one layer of security for authenticating sources, and the expertise and computing power required to achieve a successful attack are neither trivial nor widely available.

No countermeasure is perfect. Most can be expected to expire, wear out or fail at some point. That's why defence-in-depth will always be the preferred model for security.

February 26, 2009

Broken Windows and e-crime

Earlier this week I attended the ISPA Parliamentary Advisory Forum on e-crime reduction in Westminster. It was an interesting event. There was nothing really new to hear, but the discussions reflected a growing understanding and maturity about the nature of e-crime and how it needs to be tackled.

Most e-crime escapes the traditional radar of law enforcement because it's small and difficult to categorize. But ignoring it can send out a damaging signal to both citizens and criminals. The Right Honorable Alun Michael MP gets it right when he draws a comparison with the "broken windows" theory, which helped reduce crime in New York City. The concept is simple: tackling small, visible crimes builds confidence in the environment and deters local criminals. Some pundits have questioned whether this theory was the primary reason for the sudden drop in crime in New York. But they miss the point. The theory makes sense, and research has shown that it works in other environments. 

The difficulty of course is how to implement this in cyberspace. Lots of small crimes are difficult to police. And some jurisdictions offer safe havens for criminals. You can also argue that excessive citizen confidence is a dangerous thing, as citizens already take rather too many risks in cyberspace. But some actions are clear. Education and engagement of a broader community of stakeholders are key enablers for tackling e-crime. Better visibility of small crimes will also enable patterns to be spotted and repeated attempts packaged into bigger cases for investigation. In fact, whatever your views on broken windows, it's clear that the solution to e-crime lies as much with the community as the authorities.  

April 24, 2009

RSA Conference fails to hit the spot

I couldn't get across to the RSA Conference in California this year. I did originally think it would be a well-timed platform for my new book on Managing the Human Factor in Information Security. But there is little space at RSA for the "softer" security issues, and not a single stream devoted to human factors.

With hindsight it looks like I missed very little. Media coverage was very thin. Incredibly, there appears to have been nothing new in a high-profile, fast-moving field that's recession resistant and, at the same time, witnessing emerging discontinuities in both strategy and practice. That's a huge disappointment. It seems that the vendors and government speakers that dominate the keynote programme have nothing new up their sleeves.   

Let's hope that we can rattle a few cages at Infosecurity Europe in London next week. There's certainly potential for some heated debates. And the emphasis is more on practicalities and business reality, rather than technology. I shall be trying my best to be controversial, of course, and will be contributing to five sessions. Hopefully we can get some challenging and imaginative points across.

And that's important because we seem to be heading for an imminent discontinuity in information security. We certainly can't carry on in the same way without witnessing major catastrophes to e-Business. And we haven't yet experienced the full strength of the potential threat to business operations and assets. Innovation and new ideas are badly needed to establish a long overdue new direction in security. How difficult can that be in a profession that attracts millions of workers?  

May 3, 2009

Drowning in a sea of security frameworks

I've commented a few times already on the use, and misuse, of standards, architectures and other forms of model to help us to manage information security. There are now so many control frameworks, process maturity models and Zachman-style architectures appearing on the scene that we're in danger of drowning in a sea of frameworks.

"Give me a framework and I'm free" was a quotation I vaguely remember from my time at Cass Business School. We might equally add "Give me too many frameworks and I'm lost". In fact, as more and more people enter the security profession, it's inevitable that yet more models will be developed. It would be a nice aspiration to imagine that we could all agree on one, single, standard framework. But in practice they don't serve the same purpose, so it's natural that they will vary in style, terminology and perspective. And the richness of the solution space suggests that a single, universal framework would be impossibly broad and complex to manage. We all know that it's far better to eat a barbecued elephant in bite-size pieces.  

Many models share common definitions and concepts, but that doesn't always help the situation. To paraphrase Eric Morecambe, they use "all the right words but not necessarily in the right order". We're faced with a rag bag of overlapping, inconsistent and sometimes contradictory tools. And that won't go away. It's just part and parcel of the rich tapestry of contemporary security management. The missing link is the lack of accepted wisdom on where we should start, what we should build ourselves and what we should steal or adapt from others.

To be fair, frameworks are very useful devices. They help us to define, structure, and communicate ideas and requirements. And their potential is surprisingly broad. We can develop different structures at varying levels of abstraction to structure policies, processes, standards, principles, commandments, risks, activities, services, compliance requirements, projects or technologies. In fact, any interesting set of artifacts you might wish to model for one purpose or another.

We can call them models, frameworks, architectures or management systems. We can present them as shapes, tables, guidelines, standards or position papers. They can be general or specific, and flexible or prescriptive. They can describe who does what, when, where or how. They can represent long range aspirations or short term goals. They can define evolutionary steps or methodologies, or just serve as a snapshot of the current situation.

Each approach is generally designed to serve a particular purpose or audience. Some are primarily for the benefit of the developers. Some will save significant time and money. Others will turn out to be an expensive drain and distraction. A small number of good frameworks will survive the test of time, enduring for a decade or more. A lot more will be consigned to the scrapheap, quickly sinking without trace after years of patient development. And one or two will grow into powerful vehicles for selling related products and services.

What we really need is not more frameworks, but better guidance on how to use them. We need to know which models to pick, what to use them for, and how best to develop and exploit them. My book Managing the Human Factor in Information Security provides a few suggestions in this area. But more guidance is needed. So I've decided that over the next few blog postings I'll try to set out some suggestions on how best to surf this expanding ocean of frameworks, whilst avoiding the many sharks that lurk in wait for the inexperienced practitioner.

May 27, 2009

A step forward for cloud computing security

The Jericho Forum and the Cloud Security Alliance announced today that they're working together to promote best practices for secure collaboration in the cloud. It's encouraging news as both groups have been developing models and guidance on cloud computing security.

Cloud computing offers substantial business benefits and, given enough effort, the risks can be mitigated to an acceptable level. But a lot of the benefits of cloud computing will be lost if organisations decide to adopt different security models for expressing their requirements. A common approach to security is the best way forward. 

Both groups share a common goal of helping business to understand the opportunity posed by cloud computing and encouraging common and secure cloud practices. And both have recently published initial guidelines for cloud computing. The Jericho Forum is committed to open standards and has no political or commercial baggage, so there's less risk of vendor lock-in in following their advice.

May 28, 2009

Intrusion detection is alive and thriving

Back in 2003, Gartner declared that intrusion detection systems were a market failure and would be obsolete by 2005.

Six years and 3.7 million downloads later, Sourcefire is celebrating the 10th anniversary of Snort, the de facto standard for intrusion prevention and one of the world's most popular network security technologies. With 244,000 registered users, including 80% of Fortune 100 companies, Snort demonstrates that intrusion detection is far from obsolete.

It couldn't have happened to a nicer guy. Here's a nice shot of Marty Roesch, founder of Sourcefire and Snort, celebrating their tenth anniversary. I wish him another ten years of success. His products are excellent.

 


June 30, 2009

Eliminating opportunities for fraud

Bruce Schneier's excellent blog drew my attention to an interesting web site that prints copies of expenses receipts "for novelty use only". Perhaps our members of Parliament might find this useful. But to be honest they were unlucky to be so heavily scrutinised, because in practice expense claim fraud is a much more widespread practice than many managers realise.  

Submitting paper receipts is irritating and far from foolproof. Personally I've always believed that life would be much easier if we replaced these paper trails with an agreed allowance. Many organisations pay set allowances to staff for business travel. This is much easier to administer and less open to uncertainty or fraud. A further example of smart design is the UK flat rate scheme for calculating input VAT for small businesses, based on a set percentage for each category of business.

We should design more systems on this basis. Not only do they make our lives easier, they can also reduce the temptation for small-time fraud.

July 5, 2009

The perils of security software

Some security software needs to be labeled with a hazard warning, because it can do immense damage when it goes wrong. Security software glitches can trash client machines, close down access to essential services, trigger false alarms, or even destroy data. As one security pundit recently put it, if 2009 is the year of encryption then 2010 will be the year of lost encryption keys. There's certainly a lot of truth in that remark. 

In the last few days, there have been reports of large numbers of PCs being felled by a false alarm caused by a McAfee update. And, in a separate incident, I found myself cut off from the Internet by an upgrade to my Norton Internet Security software. In my case, the bug seems to have been associated with the fact that I upgraded from a CD rather than a download. But you'd have to be stupid to choose the online option when the CD version is half the price. Greedy vendor marketing strategies don't help.

Whatever the cause of any incident, however, the key point to note is that security software is getting more powerful and becoming increasingly critical to business operations. That means we need to pay more attention to the design of management systems and the ease of use of product features. Unfortunately, these are probably the two weakest areas of security software. Key management, for example, attracts the least amount of university research. And usability is widely ignored by vendors as it's not guaranteed to generate product sales. 

Both these areas need greater funding from universities and research councils. It's starting to happen, but there's a long, long way to go. Education of customers is also important. Again, there are some token gestures, but not nearly enough to ensure that the average citizen or SME can set up a firewall or encrypt their laptops without creating an unsafe environment. Until we overcome these shortcomings, we should be alert to the hazards of security software, especially in untrained hands. Because sometimes a little knowledge can be a dangerous thing. 
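The key-management failure the post warns about, a lost key taking the data with it, has a standard design answer: encrypt the data under a random data-encryption key, then wrap that key separately under the user's passphrase and under a recovery passphrase held in escrow, so that either one unlocks the data. The Python below is an added example written for this page, not code from the post or from any vendor mentioned in it. It uses only the standard library, so the wrapping and bulk encryption are HMAC-SHA256 constructions standing in for AES key wrap and an AEAD cipher; the iteration count, passphrases and sample data are constructed for the demonstration.

```python
"""Envelope encryption with a recovery wrap (added example, standard library only).

A random data-encryption key (DEK) encrypts the data. The DEK is wrapped twice:
under a key derived from the user's passphrase and under a key derived from a
recovery passphrase held in escrow. Either wrap unlocks the data, so a forgotten
user passphrase is an inconvenience rather than data loss.

Primitives are HMAC-SHA256 stand-ins (PBKDF2, a one-time-pad wrap of the 32-byte
DEK with an integrity tag, an HMAC-keystream cipher with encrypt-then-MAC), not
AES-KW or AES-GCM. Production code should use a vetted library for both.
"""
import hashlib
import hmac
import secrets

DEK_LEN = 32
PBKDF2_ITERATIONS = 100_000  # assumed figure for the demo; tune to your hardware


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _derive_kek(passphrase: str, salt: bytes) -> bytes:
    """64 bytes: the first 32 mask the DEK, the last 32 key the integrity tag."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=64)


def wrap_dek(dek: bytes, passphrase: str) -> dict:
    """Wrap the DEK under a passphrase; every wrap gets its own random salt."""
    salt = secrets.token_bytes(16)
    kek = _derive_kek(passphrase, salt)
    masked = _xor(dek, kek[:32])
    tag = hmac.new(kek[32:], salt + masked, "sha256").digest()
    return {"salt": salt, "masked": masked, "tag": tag}


def unwrap_dek(blob: dict, passphrase: str):
    """Return the DEK, or None if the passphrase is wrong or the blob was altered."""
    kek = _derive_kek(passphrase, blob["salt"])
    tag = hmac.new(kek[32:], blob["salt"] + blob["masked"], "sha256").digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    return _xor(blob["masked"], kek[:32])


def _subkeys(dek: bytes):
    """Separate confidentiality and integrity keys, both derived from the DEK."""
    return (hmac.new(dek, b"enc", "sha256").digest(),
            hmac.new(dek, b"mac", "sha256").digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(dek: bytes, plaintext: bytes) -> dict:
    enc_key, mac_key = _subkeys(dek)
    nonce = secrets.token_bytes(16)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return {"nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def decrypt(dek: bytes, msg: dict):
    """Return the plaintext, or None if the tag does not verify."""
    enc_key, mac_key = _subkeys(dek)
    tag = hmac.new(mac_key, msg["nonce"] + msg["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(tag, msg["tag"]):
        return None
    return _xor(msg["ciphertext"],
                _keystream(enc_key, msg["nonce"], len(msg["ciphertext"])))


def protect(plaintext: bytes, user_passphrase: str, recovery_passphrase: str) -> dict:
    """Encrypt once under a fresh DEK, then wrap the DEK for user and escrow."""
    dek = secrets.token_bytes(DEK_LEN)
    return {"data": encrypt(dek, plaintext),
            "wraps": {"user": wrap_dek(dek, user_passphrase),
                      "recovery": wrap_dek(dek, recovery_passphrase)}}


def recover(container: dict, passphrase: str):
    """Try each wrap with the passphrase; return the plaintext or None."""
    for blob in container["wraps"].values():
        dek = unwrap_dek(blob, passphrase)
        if dek is not None:
            return decrypt(dek, container["data"])
    return None


if __name__ == "__main__":
    # Constructed sample: the user later forgets their passphrase; the help desk
    # still holds the recovery passphrase.
    box = protect(b"quarterly figures", "correct horse battery", "escrow-2009")
    print(recover(box, "correct horse battery"))  # b'quarterly figures'
    print(recover(box, "escrow-2009"))            # same data, via the recovery wrap
    print(recover(box, "wrong passphrase"))       # None
```

The point is the shape, not the primitives: the data is encrypted exactly once, and the recovery path never needs the user's secret. The recovery passphrase is itself a key that must be stored and controlled, which is the management problem the post says gets too little attention.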

July 27, 2009

Both sides now

As Joni Mitchell might have put it, you can look at cloud computing from two sides now. On the one hand, cloud services can introduce a worrying uncertainty as to where your data is stored and who might have access to it. On the other, they can reassure you that everything is secure, available and safely backed up.

This press release from Fujitsu caught my eye today. It announces a cloud-based infrastructure service with a difference: it's on-shore and it offers improved security, whilst still promising substantial cost savings. Now that's a cloud service with a silver lining. 

August 2, 2009

More of the same won't do

Symantec's share price dipped last week following profit and sales forecasts that fell short of analysts' estimates. The explanation from Enrique Salem, their CEO, was that companies were switching to shorter term one-year deals rather than buying three year licenses.

That's no surprise of course. You can't expect to continue to grow profit and revenues on commodity products in mature markets. Customers expect more for less each year. And in hard times, they'll strike harder bargains and focus less on long term investments.

The underlying problem for security vendors is that they simply don't have enough smart new products, preferring to bank on slick salesmen rather than innovative researchers. Aiming to squeeze more out of the same old cash cow will only slow down the inevitable journey towards extinction.

August 9, 2009

Context is King

I had a few comments from friends after my last posting on Adam Laurie's attack on the UK Identity card. Many missed the point. The issue is not whether it's possible to forge or modify an Identity card. It's whether that forgery can be detected in circumstances where the risk becomes significant. You can't determine that without a full knowledge of the controls that are deployed in each scenario in which it will be used.

Context is everything in the world of security. Just because something is possible, doesn't mean that it will happen, or that the damage cannot be tolerated, contained or repaired. We've managed the risk of forged banknotes and passports for many years. Why should Identity cards be any different?

August 18, 2009

Combating counterfeiting

Today's UK Daily Telegraph has an interesting article on the history of counterfeiting. Amongst other things, it reminds us that little has changed in security thinking over the last 300 years. No token can be made forgery-proof. The best you can do is make it hard to copy, incorporate hidden detection mechanisms, and provide a compelling deterrent. On the latter note, I particularly liked the motto on the New Jersey 30 shilling note that read "To counterfeit this bill is DEATH."

August 26, 2009

Painless patching

I also keep an eye out for winners and finalists in the Global Security Challenge, as it often brings to light some original, imaginative technologies. One that caught my attention this year is Ksplice, a new technology out of MIT that enables Linux systems to be patched without rebooting. With increasing dependence on 24x7 web services and cloud computing, this is an essential business requirement. The Ksplice approach works with any Linux distribution, as long as the source code of the kernel being patched is available. Hopefully this should herald the end of painful arguments with system owners about the need to take down systems for the sake of security. Perhaps one day we'll look back and wonder what all the fuss was about vulnerability management.
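Once patching without a reboot is on the table, the first thing an administrator wants is a way to tell whether a given host still needs one and which live patches are actually active. The script below is an added example written for this page, not Ksplice's tooling: `reboot_needed` compares the running kernel version with the installed ones, and `livepatches_enabled` lists the patches reported as enabled under the mainline kernel's `/sys/kernel/livepatch` interface (present since Linux 4.0, and a separate mechanism from Ksplice's own). The directory argument is parameterised so the function can be exercised against a constructed tree; `sort -V` is assumed to be GNU or BusyBox sort.

```shell
#!/bin/sh
# Added example: two post-patch checks for a Linux host. Not Ksplice's tooling.

# reboot_needed RUNNING INSTALLED...
# Succeeds (exit 0) when some installed kernel version sorts newer than the
# running one, i.e. a reboot is still pending after a conventional kernel update.
# Typical call: reboot_needed "$(uname -r)" $(ls /lib/modules)
reboot_needed() {
    running=$1
    shift
    newest=$(printf '%s\n' "$running" "$@" | sort -V | tail -n 1)
    [ "$newest" != "$running" ]
}

# livepatches_enabled SYSFS_DIR
# Prints the name of every live patch whose "enabled" flag is 1 under the
# mainline kernel livepatch interface; succeeds if at least one is found and
# fails if the directory is absent (no livepatch support or nothing loaded).
# Typical call: livepatches_enabled /sys/kernel/livepatch
livepatches_enabled() {
    dir=$1
    [ -d "$dir" ] || return 1
    found=1
    for patch in "$dir"/*/; do
        [ -d "$patch" ] || continue
        if [ "$(cat "$patch/enabled" 2>/dev/null)" = "1" ]; then
            basename "$patch"
            found=0
        fi
    done
    return "$found"
}
```

A host where `reboot_needed` fails and `livepatches_enabled` prints something is the situation the post hopes for: the fix is active in memory and no downtime argument is required. A host where `reboot_needed` succeeds has been updated on disk only, whatever the patching tool claims.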

September 10, 2009

Responding to the Global Security Challenge

Yesterday I was in Brussels, speaking at the Western Europe regional final of the Global Security Challenge. For anyone who takes an interest in new security technologies, this is a must-see initiative, highlighting and supporting the very best of today's emerging products.

I was highly impressed by the quality of the finalists. In fact it was hard for the judges to pick winners as there were so many impressive products on display. Each finalist demonstrated a unique capability, reflecting a potential step change in the state of the art. These technologies included a scanning device that detects explosives in bottles; a sophisticated facial recognition and search system; an innovative solution for fingerprinting electronic devices; a new approach to document leakage prevention; a more effective non-lethal weapon; and a range of high-strength, lightweight materials that can better protect people and buildings from close-range explosive blasts.

These products reflect the emergence of security technology as a game-changing catalyst, one that has a real impact on everyday business and law enforcement. I came away with a much higher level of optimism that behind the scenes there is a rich pipeline of new science awaiting commercial exploitation. Creating new solutions is perhaps not so difficult as we sometimes imagine. The real challenge is to implement slicker development and procurement cycles that can get these technologies out of the research labs and into actual use.

September 21, 2009

More solutions please

Last week's IDC IT Security Conference 2009 in London offered free attendance for the first 100 guests, so it's not surprising that there was a full house of security managers. As with many of these events, the presentations were primarily talks by sponsors, or case studies showcasing products. Now that's fine if we get to hear about new ideas for solving emerging problems. But this year's crop of products does seem rather lacklustre.

The most illuminating talk was from Josh Pennell on cloud computing security attacks, a fascinating and fast-moving area, which justifies a lot more attention by users and vendors. The most entertaining presentation was from an exuberant Dr James Lyne on malware trends. Most of the rest were rather superficial discussions of long-standing challenges, such as de-perimeterisation, data leakage prevention and the difficulty of demonstrating return on investment. Managing the human factor was also a recurring theme. As Eric Domage, IDC's French research manager, quaintly put it, 'The user is king ... of nightmare'. I couldn't disagree with that.

It's clear that we all agree on the list of problems. But where are the answers? Unfortunately, there were few suggestions of solutions. Even ISF, with their relatively generous research funds, could contribute little more than vague responses to unproductive questions such as 'Is AV dead?' and 'Is DLP a fashion?' As one of my colleagues put it afterwards 'I felt like a drowning man listening to someone describing water'.   

October 1, 2009

A new kind of security

Over the last week, I've attended a security awareness forum and spoken at a cloud computing conference. The major learning point highlighted by both events was both predictable and significant: our current approach to security is failing to deliver and requires a major re-think.

I touched on this issue in my latest Infosecurity blog posting. The new world of cloud computing, for example, introduces a new set of problems that we have yet to experience. For many years, we've assumed that we can manage emerging problems through risk management or best practice controls. Both approaches fail because we simply don't know what's lurking in those clouds.

The obvious answer is to switch to a more pragmatic approach of addressing the underlying, root causes of incidents, rather than trying to predict the future. Human failings, for example, are the most important factor in the vast majority of incidents, and this people-oriented trend will grow with increasing user power and connectivity.

Is this too simple? It probably is. Otherwise we would have adopted it decades ago. Just think, for example, how much better the world might be if we'd fixed the password problem two decades ago. Simple is not easy but it often works best.

October 16, 2009

Responding to the postal strikes

Just talk to any business owner, whether small, medium or large, and you'll quickly spot a golden opportunity for the security industry. This season's postal strike will generate a tipping point for many companies to finally ditch paper and move to the Internet.

In practice, however, it's far from easy to authenticate and secure electronic transfers of sensitive data over public networks. Tactical fixes rarely scale well. Hard-to-use security features fall into disuse. Legacy systems might not handle modern security protocols. Without careful planning and strict standards of security, we're likely to create a flood of new exposures to identity theft.

Now, more than ever, we need to raise our strategic game and design lasting security architectures that can safeguard information across a boundaryless, extended-enterprise environment. It's not easy or immediately achievable, but it has to be done if we are to build an agile, compliant infrastructure that can support secure operations in a virtual business world.

October 19, 2009

The RSA Conference comes to town

Tomorrow sees the start of this year's RSA Conference Europe in London. As usual it's a largely vendor-oriented event, with keynotes from sponsors rather than thought leaders, and with a focus primarily on technology solutions rather than business problems. The marketing also has a strong US flavour, such as the rather strange draft letter to your boss to help justify your attendance (though if RSA is really serious about marketing to CIOs, they should start by beefing up the rather throwaway strapline of 'where the world talks security').

But beyond the sales pitches and the corny advertising there are some interesting sessions and exhibits worth attending. I shall certainly be spending some time checking out the latest products to see if they can actually solve current and emerging business problems. You never know what you might uncover. In some cases, the sheer proliferation of competing products can be a barrier to further progress in solving an industry wide problem. In other cases we simply don't have enough imagination. But what really counts is that user organisations devote some time interacting with vendors in order to bridge the yawning gap between business problems and technology solutions.

This year's theme is Edgar Allan Poe, an excellent choice as he was not only a cryptologist but a John Wiley author. And if you happen to drop by the Wiley stand on Wednesday afternoon, you'll find me signing books for anyone who takes up the cut-price offer on my book 'Managing the Human Factor in Information Security'. Now that's surely a compelling reason to attend?

October 21, 2009

RSA Conference reflects trends in security landscape

This year's RSA Conference Europe kicked off yesterday in London. There were the usual keynotes from RSA top management and the usual US style arrangements, including a photo identity check (arguably more of a threat to your personal data than a national security safeguard), a Darth Vader lookalike, and the inevitable 'brown bag' lunch. But, as usual, the whole show is brilliantly organised and runs like clockwork. 

Behind all this there were also some interesting security trends to be noted. This year there was more emphasis on fraud prevention, more focus on community solutions, and more discussion of cloud solutions.

Cloud solutions are especially interesting in the security space, as there is a clear added value from the global community perspective available to vendors. I was particularly impressed with RSA's e-fraud network, which neatly illustrates how to fight networked threats with networked defences. Now that's the real future of security.

October 27, 2009

Opinions on RSA Conference Europe 2009

Big conference web sites seem to be evolving into on-line magazines. RSA Conference and Infosecurity Europe publish news items and blog postings all year round. During last week's RSA Conference Europe, Dawn Erska of SolutionSet was circulating with a Flip video camera filming opinions from speakers and attendees. You can view her montage of clips on the RSA Conference web site.

About Security Solutions

This page contains an archive of all entries posted to David Lacey's IT Security Blog in the Security Solutions category. They are listed from oldest to newest.