CA Community







July 2011 - Posts

Do iPads Dream of Electric Sheep?

Published: July 25 2011, 05:06 AM | 1 Comment(s)
by Tim Dunn

Devices of every kind are becoming ever more "Intelligent". I own a "Smart" phone, a car that decides what type of driver I am (but is charitable enough not to tell me) and my gorgeous looking tablet device tells me where I can shop, eat and sleep in the area I'm standing.

So with all this technology making our lives richer and more productive, you'd think our business lives would be festooned with aids to make us more agile, efficient and mobile, right? Well, sadly not.

How many people travel with a personal smart phone and a work mobile, or sigh with derision at their old, corporate build laptop whilst tucking their iPad into the same laptop bag?

Businesses need to think of these technology assets in a whole new way. Instead of seeing them as dumb items attached to their network, they need to give them their own identity and treat them as we would any other "user" wishing to leverage corporate information. If we took this approach, it would allow us to open up our corporate systems and provide the right information to the right resource at the right time.

Picture a world where my car has an identity and is linked to me as the current driver. The manufacturer knows how I use / drive that car and which services would benefit me, allowing them to personalise my relationship with them. I'm happy, they're happy (in the future, maybe even my car is happy). This example isn't far away, except for the car's happiness of course.

There are various stages an organisation currently goes through when "embracing" the use of personal devices.

  1. No you can't - it's against policy
  2. Well, it's not really official policy, but for you (senior executive) we'll make an exception.
  3. Well OK, policy now allows you to access the corporate network from your iBerry, but don't expect any IT support if you have problems.

How great would it be for Enterprises to take the brakes off and say at stage 1 - "These new technologies could revolutionise how we deliver information to our workforce and enable them to perform their roles in a much more mobile and agile manner.  Let's make it happen".

Identity and Access Management (IAM) is the fundamental mechanism for exploiting these new technologies (including the Cloud, which is a whole separate blog).  This means that more than ever IAM is a business consideration (rather than a Security or IT one).

It does mean an exponential growth in the number of identities that we will need to manage, but the Cloud and Internet-enabled appliances will force that anyway. I will discuss CA Technologies' strategy and plans regarding Identity and Access Management for devices in more detail in an upcoming blog. For now though, suffice to say, I truly believe IAM will revolutionise the way progressive companies operate and give them a real competitive edge. Customers, Partners and Employees will be happier. Hopefully you agree. I know my wrist watch thinks it's the way to go.


 

By: Tim Dunn
Tim Dunn has spent 13 of his 23-year career in Enterprise software focused on the security market in EMEA. Tim is currently responsible for the strategy and go to market approach for CA Technologies security solutions, ensuring that CA continually evolves technologies which meet customer requirements...

Soon strong security will be the reason to adopt cloud, not the excuse for delaying.

Published: July 19 2011, 04:21 AM | 2 Comment(s)
by Tim Dunn

OK, we might not be there quite yet, but if Service Providers do their job right, the cloud will be a much safer and less risky proposition than your internal infrastructure.

Why do I say this when current, common opinion is that the cloud is pretty much the Wild West right now?  Some people are going so far as to compare it to the ".Com" era, when hype far outpaced any reality in how the brave new world would look.

It's interesting to consider that analogy though. Take a look back at the ".Com" days: we were promised that we would all trade on-line and have digital identities in a virtual world (I must admit that I was one of the people full of such predictions). Compare it to today's world of Social Networks, Smart Devices, highly mobile global users and online commerce, and I'd say all we really got wrong was the time-scales (oh yes, and the economics!).

In fact, in the ".Com" era we even had some pretty impressive models for securing the new on-line world. Public Key Infrastructure (PKI), for example, was very robust, if a little heavyweight for all scenarios. I remember being involved in a global corporate banking model called IDENTRUS, which promised to offer corporate customers the ability to transact with other corporates by leveraging the trust relationship that both organisations had with their bank. It was elegant and gave a blueprint for today's federated trust models.

So, back to the argument that the cloud will offer better security than your traditional on-premise infrastructure: how could that be when you have so much control over your own environment? Well, firstly, most current in-house IT infrastructures were built with one particular business model in mind. All users were within your Enterprise's control; even customers, partners and suppliers were within your own systems. Also, all your business applications were in-house, either developed by your own teams or implemented from an off-the-shelf software package.

Figure 1: Courtesy of CloudTweaks.com

Security was also generally considered with a different philosophical point of view. We had a fortress mentality that built walls to protect sensitive information. Now I concede that we have changed our thinking from "keep the wrong people out" to "let the right people in," but adapting our security infrastructure has been a slow process.

The challenge is exponentially more complex with greater data volumes, more mobile users, many more channels for accessing data (PCs, tablets, phones, fridges??), business applications that are consumed from the cloud and users who are out of your direct control and who need a more agile federated trust model between their security systems and yours.

My conclusion is that a service provider who can provide a "trust brokerage" service and Service Providers building state of the art security capabilities into their offerings will be a much better approach to security.  Mark my words, this will come to pass, my predictions are seldom wrong*

*see paragraph 3.

 

 

 


Why the Cloud is Not Another Fad

Published: July 06 2011, 02:13 PM | no comments
by Merritt Maxim

Over the last six to nine months, cloud computing has dominated the IT headlines whether in the form of vendors announcing cloud-based services and partnerships to analysts and other surveys all proclaiming cloud as the next major IT trend.  I have experienced numerous IT trends that have underachieved, so I have approached cloud computing cautiously, especially as it relates to cloud-based security services.  But a recent experience has made me more sanguine about cloud computing.

At a recent industry event, I spoke with an experienced CISO of a 1,500 employee organization.  Our conversation naturally led to cloud computing especially as it relates to identity and access management (IAM). He stated that while his organization could clearly benefit from IAM, his organization had evaluated all the major IAM on-premise offerings but found them too "heavyweight" for their needs.  Simply put, his organization has a more homogeneous environment and did not need many of the capabilities in IAM solutions that are designed for more complex and distributed organizations.  For these reasons, his organization decided to stick with homegrown IAM solutions and manual processes.

Cloud-based IAM offerings have changed his organization's perspective. Much of the complexity is abstracted in the cloud and an on-demand pricing model now makes cloud-based IAM affordable and practical. Even more important than this is the fact that this CISO stated that the senior executives are all talking about cloud computing and want to explore it for many aspects of the business from ERP to CRM, collaboration, storage and security. And as he succinctly put it, "When the business starts asking for it, chances are that it will happen."

This quote crystallized for me what makes cloud computing a more sustainable trend than previous ones -- namely that it provides some real economic benefits (either in terms of cost or efficiency) and also opens new markets (namely smaller to medium sized businesses for whom on-premise software was too costly or complex).

Time will tell if IAM as a cloud computing service reaches its full potential.  If other organizations feel the same as this one, the future is bright.


 

By: Merritt Maxim
Merritt Maxim has 15 years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity and CA Technologies. In his current role at CA Technologies, Merritt handles product marketing for CA's identity management and cloud...

Raise your hands if you're responsible for cloud security .... thought not

Published: July 04 2011, 12:08 PM | no comments
by Tim Dunn

To say there is a lot of debate regarding the security in "the cloud" (or lack of, depending on your point of view) is an understatement. This article illustrates the point and also demonstrates some of the problems with how the debate is being conducted.

The first problem with how the debate is being played out is based on the fact that "cloud" is treated as if it is one thing with a single, simple definition. This makes for catchy headlines such as "The cloud is insecure" and "On-premise is better," but such generalisations don't make for a good quality discussion, or stand up to any serious scrutiny. For example, are the risk and security issues the same for Platform as a service as they are for Infrastructure or Software / Application as a service? Same goes for Private vs. Hybrid vs. Public cloud. What are the risks / security challenges we're talking about? Doesn't security responsibility shift depending on what cloud service we are talking about and what risk we are addressing?

I will concede that many companies' adoption of cloud-based services is introducing risks to their business, but I believe this has less to do with technology challenges than a lack of proper risk assessment or an understanding of who is responsible for ensuring the cloud service is secure - the Service Provider or the Enterprise customer.

In a recent research report produced by The Ponemon Institute and sponsored by CA Technologies, there is a very mixed view of where security responsibility lies. According to the report, 69 percent of cloud providers see the cloud user as most responsible for security, while only 35 percent of cloud users believe they are most responsible for ensuring security. Thirty-two percent of cloud providers and cloud users say security is the responsibility of the cloud service provider.

These different perceptions between cloud providers and cloud users about who is responsible for securing the cloud mean organisations may be over-relying on their cloud vendors to ensure safe cloud computing.

 

 

 

 


Trust vs. Security when it comes to Public Cloud

Published: July 01 2011, 10:28 AM | no comments
by Leanne Agurkis

We all have read and discussed the issues of security and cloud computing, but this blog by Matthew Gardiner at InfoSecurity Magazine looks at the additional issue of trust - particularly when it comes to public cloud services.

In his blog, Gardiner points out that trust is about more than security controls, and he highlights three starting points for cloud providers to consider as ways to improve trust.  Check it out http://bit.ly/m70Y6F.


 

By: Leanne Agurkis
Leanne Agurkis has spent 20 years in the communications field working in the areas of public relations, internal communications, and publishing. She has worked on the CA business for six years as both a consultant and now a full-time employee supporting CA’s Security & Compliance business which includes...