Greg Young

A member of the Gartner Blog Network


Worst and Best Security Sales Practices: 3 of 3

February 2nd, 2010 by Greg Young · 1 Comment

This topic could be a blog unto itself.  I liked the comment from Steve L. about ‘experts’. 

I’ll end my 3-part series today with a pragmatic one: opaque proposals. I see hundreds of these each year from our Gartner customers. One-line proposals with nothing more than a part number and a 6 or 7 figure amount after it. Sometimes the vendor name. Customers don’t want a binder, but at least describe in a few words what the customer is buying.

In the lifecycle phase after we have helped with needs (“do I?”) and selection (“with whom?”), I take a lot of calls where, armed with the bill of goods, I advise customers on whether what they are buying is indeed what they identified in their requirements and whether it is priced competitively.

But here is the little something extra. This isn’t (just) about being nice to your customer: this stuff stops deals for vendors and deployments for enterprises. I speak often with procurement staff who have rightfully put the brakes on the hurried (“you are either with us in the fight against hackers and the Russian mafia, or you are delaying this purchase and are with the hackers and the Russian mafia”) yet cryptic purchase of SCU1914383-2525-09-456-YOO (“it’s technical – you won’t understand”).

To procurement officers who haven’t called me: just say “I’m pretty sure SCU1914383-2525-09-456-YOO is the single-port 5U 1 mbps token-ring model. I sure hope that is the one you want, since we can’t return it” and you’ll get the proposal Description section converted to human-readable format.

[Slide image: worstbest3]


Worst and Best Security Sales Practices: 2 of 3

January 31st, 2010 by Greg Young · 3 Comments

Thank you for the comments and emails on the last post.

Here is the second, the Chameleon. I see a lot of this worst practice from security companies with products that are in the “Climbing the Slope of Enlightenment” phase of the hype cycle, who miss the buzz of those products that are new and seen to be cool at the Technology Trigger phase. Of course, they forget that there isn’t usually much money for pre-Slope products.

Although not unique to security markets, security has a high incidence rate because of the fast rate of new product introduction.  The security market has this high rate in response to the change in threats, and the introduction of new technologies that need securing.

I used to see this a lot with products being called a new kind of IPS, and today I sometimes see it with NAC, DLP, or next-generation firewalls being thrown about liberally. In the slide below, “See also #1” refers to the slide here.

[Slide image: worstbest2]


Worst and Best Security Sales Practices: 1 of 3

January 29th, 2010 by Greg Young · 6 Comments

I was invited to give a keynote at a vendor’s sales kickoff last week. This was kind of brave of them, considering Gartner doesn’t allow for any real censorship or vetoing of the presentation.

One section I included was the Worst and Best sales practices I see in security from our interaction with our customers.  Here’s the first of the 3 slides I used in that section, with the others to follow in the next few days.

The slides are sparse, but I hope you enjoy them.  Please feel free to comment.

[Slide image: worstbest1]


Guest blogger analyst Ray Wagner: Notes I Want to Write

December 2nd, 2009 by Greg Young · 4 Comments

Every Gartner analyst has a list of ‘Notes I Want To Write’ sitting under a pile of vendor marketing material somewhere on or near his or her desk. The list grows by 5 or more entries for every one that actually gets published, so, even when you take into account that most of those ideas are the crackpot musings of an addled mind, there is still a huge amount of good stuff that might never see the light of day.

One that Greg Young and I have on our lists is titled ‘Personal Security for Corporate IT Workers’. Our thought was to create a Best Practices note on ways the individual can protect themselves, their jobs, and their personal information when working in the corporate environment. Many of the Best Practices in this area may be self-evident. For example, keeping in mind that pretty much anything you do on a corporate device or using a corporate network may be archived and/or monitored seems pretty straightforward. So if you’re going to be sending a lot of email to any recruiters, you might want to do it from home.

However, there are some things that may be less obvious. Usually, this occurs in situations where the corporate security policy may not take into account the needs of the user, or the user may need stricter protections. For example, making sure you have your own personal backups of important work documents regardless of the company backup policy is a good idea (unless you are specifically forbidden from doing so). Even if your company has a great backup policy and good technology in place, the important file you lose might take a while to find (or, more likely, the backup will have run just before you made major updates). With 8 gig USB sticks selling for pennies (OK, nickels), it’s relatively easy to make sure you have copies of at least the most important stuff with you. This would apply especially to records of any ‘contentious’ communications with any business participant.

There’s a lot of blending of work life and personal life today, and it’s not unusual for IT workers to have some personal data on their work machines. However, there are times for that NOT to be the case – crossing certain international borders, for example. You certainly might lose the data for anywhere from 10 minutes to forever, and there could be other consequences which I’d rather not (Midnight Express) contemplate. Some countries are testing policies in which you MUST provide them with the password to any encrypted information or face criminal charges, so having a scrambled disk may not be as big a protection as it seems.

This is a discussion that could go on and on, and maybe we’ll manage to write that research note in 2010. For now, it’s still on my list, sitting right….um…it’s around here somewhere.

Ray Wagner, Ph.D. | Managing Vice President | Gartner
Information Security and Privacy | Secure Business Enablement
ray.wagner@gartner.com


Profiting From Fraud Is Not Good Business, Protecting Your Customers Is

November 27th, 2009 by Greg Young · 2 Comments

Business and security can conflict. The stereotype of security hindering innovation is sometimes true. However, in the case of telephone toll fraud, it is a reverse double whammy where security can stop the business side from doing things that are bad for business in the long term.

Take the case reported here, and imagine yourself as a small business using about $250 worth of telephone per month. Then you get a bill for, say, $60,000. Toll fraud? Yup. Are you responsible for keeping your phone equipment safe? The phone companies in the geography reported on say yes, unless you use their equipment.

Credit card companies have advanced the technology of unusual-use detection to impressive levels. Most of us who have had to take the phone from the checkout clerk and answer some questions posed by the credit card company appreciate the effort to protect us. But with toll fraud I’m suggesting even near-cave-man levels of detection: things like, if this month’s toll has reached double that of last month’s bill, phone or email the customer. The full recovery rate on those $60k bills must be near 1%, and any other partial recovery must be wiped out by lost opportunity business (the stuff that doesn’t show up on spreadsheets) from a lot of bad will and bad news traveling fast. I expect that whatever extra money is made by convincing a small customer to switch to your equipment doesn’t cover the bad experience and loss of confidence in the whole market in this age of Skype.
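The detection rule in the paragraph above (notify the customer once this month’s running toll reaches double last month’s bill), as an added example that is not the carrier’s or the post’s own code; the call detail record (CDR) feed format, customer ids and amounts are constructed:

```python
# Added illustration of the post's 'cave-man level' toll-fraud rule: alert the
# customer as soon as the running toll for the current month reaches double
# last month's bill. Not a carrier's code; CDR format and values are constructed.
from collections import defaultdict

# Constructed call detail records: timestamp,customer,destination,minutes,cost_usd
SAMPLE_CDRS = """\
2009-10-03T09:12:00,cust-100,+14165550101,12,0.60
2009-10-14T15:40:00,cust-100,+14165550199,240,12.00
2009-10-28T11:05:00,cust-100,+14165550122,90,4.50
2009-11-02T02:13:00,cust-100,+25255501010,55,14.00
2009-11-02T02:59:00,cust-100,+25255501011,60,21.00
2009-11-03T03:10:00,cust-100,+25255501012,30,60.00
2009-11-05T10:00:00,cust-200,+14165550150,10,0.50
"""

def parse_cdrs(text):
    """Yield (timestamp, customer, cost) from CSV lines; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) != 5:
            continue
        ts, customer, _dest, _minutes, cost = parts
        try:
            yield ts, customer, float(cost)
        except ValueError:
            continue

def previous_month(month):
    """'2009-11' -> '2009-10'; January rolls back to December of the prior year."""
    year, mon = map(int, month.split("-"))
    return f"{year - 1}-12" if mon == 1 else f"{year}-{mon - 1:02d}"

def detect_toll_spikes(text, ratio=2.0):
    """Return one alert per (customer, month) at the first record where the
    running total reaches ratio x the previous month's total. Records are
    assumed to arrive in time order, as a billing feed would deliver them."""
    totals = defaultdict(lambda: defaultdict(float))  # customer -> month -> USD
    alerts, alerted = [], set()
    for ts, customer, cost in parse_cdrs(text):
        month = ts[:7]
        totals[customer][month] += cost
        prev_total = totals[customer].get(previous_month(month), 0.0)
        if prev_total <= 0 or (customer, month) in alerted:
            continue  # no baseline yet, or customer already notified this month
        if totals[customer][month] >= ratio * prev_total:
            alerted.add((customer, month))
            alerts.append({"customer": customer, "month": month, "at": ts,
                           "running_total": round(totals[customer][month], 2),
                           "previous_total": round(prev_total, 2)})
    return alerts
```

On the sample feed, cust-100’s October bill is $17.10, so the second overnight international call on 2 November (running total $35.00) is the one that should trigger the phone call or email, two days into the month rather than at invoice time.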

Are customers responsible for protecting themselves? Yes. Is it good business to help protect them from catastrophic levels of risk? I think so.

This kind of business case where customers are hung out to dry when some basic measures could protect them has no legs. 

Greg Young | Research Vice President | Gartner
Network Security
http://blogs.gartner.com/greg_young/
http://twitter.com/Gartnergreg
Browse my published research


Security Search of the Week

November 26th, 2009 by Greg Young · No Comments

Hospital Workers Snooping.

  • According to a report, 15 hospital workers have been fired from a Southern California hospital for taking a peek without authorization at octuplet mom Nadya Suleman’s records. [link]
  • UCLA Medical Center will fire more than 13 employees and discipline others for snooping at the confidential medical reports of Britney Spears, who was recently hospitalized in its psychiatric ward. [link]
  • As an update on the firing of 16 employees of the Harris County Hospital District, KTRK in Houston reports that the employees were from different facilities: nine from Ben Taub, six from Northwest Community Center and one from Holly Hall. [link]

44 employees gone in 3 cases. It is encouraging, first, that it was detected and, second, that action was taken. Security education alone doesn’t work, and has to be backed with measures for detection, protection, access, continuity and ‘capital P’ Policy.

Greg Young | Research Vice President | Gartner
Network Security
http://blogs.gartner.com/greg_young/
http://twitter.com/Gartnergreg
Browse my published research


Remembrance Day

November 11th, 2009 by Greg Young · No Comments

In Canada, Nov. 11th is Remembrance Day, the equivalent of Memorial Day and a holiday for Gartner associates in Canada. Poppies are worn on the lapel by most everyone and it is a fairly significant event here.

Pretty much every male in our family served, so today we’ll take time at the 11th hour of the 11th day of the 11th month to think of old army buddies, the thousands serving in nasty places, and military families worldwide who don’t have a dad or mom around for long periods. To those serving today, thanks.

Grand-dad (middle) after liberation of Paris, Dad, my brother and I with mom.



Unsafe Networks and Security Conferences

October 20th, 2009 by Greg Young · No Comments

Some unhappy bloggers ended up on the Wall of Shame at a recent security/hackers conference and (I summarize…) cried foul because it wasn’t pre-advertised that the network would be hostile. There is a good post on the hubbub here.

The yin of rubbing elbows with vulnerability researchers and semi-bad guys who reveal the most recent hacks on the unassuming comes with the yang that you are the nearby unassuming one to these semi-bad guys and vulnerability researchers.

Blogging is the new gonzo journalism. To those crying foul, I suggest a lesson from the gonzo-est journalist, Hunter S. Thompson, who, while writing his book Hell’s Angels, enjoyed the access and excitement that he knew would sell books. At the end of his tale, when he became the unwanted object of the excitement, he made that a part of the story.

The object lesson here for me is really that OPN (other people’s networks) generally give you as much security as you pay for.  OPNs are the bad part of town, and it is a good idea to change your behavior accordingly, which could include not connecting.


Defining The Next Generation Firewall Research Note: The Liner Notes

October 15th, 2009 by Greg Young · 2 Comments

John Pescatore and I published today “Defining The Next Generation Firewall” (NGFW). These ‘liner notes’ may help provide some context. Gartner has been talking about Next Generation Firewalls (NGFW) for a while – in 2004 we had a note titled “Next generation Firewalls Include Intrusion Prevention”.

We have been increasing the weighting for NGFW capabilities in each successive Enterprise Network Firewall Magic Quadrant (MQ), so there will not be a separate MQ for NGFW: this next generation is not a new product or an artificial label, but a progression of firewall and IPS technology.

The note was published now because the market is starting to see early versions of these enterprise-class products: some firewall vendors waking up to a big IPS market, network traffic being squeezed through fewer ports and protocols, an emerging firewall policy management market, and the signaling between other network security products. In the note we also specify what a NGFW is not, in response to inquiries from Gartner clients and as a further guide to where this market is heading.


Private Clouds and Phishy Clouds

October 6th, 2009 by Greg Young · 2 Comments

Two items this week bring into focus the security issues around cloud computing.

According to an article on DISA’s RACE (Rapid Access Computing Environment), the comment is made that RACE is more secure and stable than the Google cloud. Arguments aside about the definition of clouds and whether private clouds are really clouds, I find this interesting because it highlights that looking at clouds is not an “if you don’t like it, leave” security proposition: you can have choices. Just don’t try to shoehorn your requirements into an existing cloud that doesn’t meet them.

Second was the news from the BBC that an estimated 30k Gmail accounts had allegedly been compromised through phishing: 1) you get the security you pay for and 2) not much new here – this wasn’t likely a new cool super-sophisticated attack but an old one, and it just went where the fishing (arg) was good.
