Gartner Blog Network

Posts from Date: 2010-1

Vendors are a Big Part of the Problem in Getting off of IE6

by Neil MacDonald  |  January 29, 2010

Get off of Internet Explorer version 6. Now. IE6 has become an anchor (and a security risk). For Gartner clients, we’ve been advising this since October 2006. In blogging, I’ve said it here and most recently, here again. However, in reality, the move is easier said than done. Here’s what I said in this research […]


Addressing the Most Common Security Risks in Data Center Virtualization Projects

by Neil MacDonald  |  January 27, 2010

One of my frequent blog posting topics is virtualization security. Virtualization isn’t inherently insecure, but in many cases, it is being deployed insecurely. The latter is a result of the relative immaturity of our tools, processes, staff and service providers. Also, in many cases, information security isn’t proactively involved in the virtualization planning. Survey data […]


Another Lesson from the IE Zero Day Attacks on Google: The Power of Whitelisting

by Neil MacDonald  |  January 21, 2010

In my previous post, I discussed three lessons from the recent breaches of Google’s infrastructure as the result of attacks on unknown vulnerabilities in Internet Explorer where no patch was available. I need to break one out explicitly that falls under the broader category of host-based intrusion prevention: Application Control/whitelisting. I am convinced that whitelisting […]


Google, IE, China and Zero Day Attacks: Three Lessons

by Neil MacDonald  |  January 18, 2010

We’ve got a team of analysts working on a broader event research note that will be published shortly. What I wanted to discuss here is “so what do I do if my organization is using IE?”. Longer term, there are three key takeaways from the recent events: Lesson #1 – Run more users as standard […]


More Application Security Goodness From OWASP

by Neil MacDonald  |  January 14, 2010

I’ve written before about OWASP and the guidance they provide to organizations looking to improve application security. One of the best practices for improving application security is to ensure that any code we produce or procure is more secure right from the beginning. Many of the clients I talk with are highly focused on the […]


Virtualization Security Using Desktop Virtualization

by Neil MacDonald  |  January 11, 2010

As I discuss multiple security alternatives for enterprise desktops with clients, one of the options that must be discussed is the use of server-based computing and terminal services, also referred to by vendors as “presentation virtualization”. One of the questions that comes up is “are terminal services really a form of virtualization, or are vendors […]


Food for Thought Friday: REST, DNA and the Diversity of IT

by Neil MacDonald  |  January 8, 2010

Over the holiday break, I watched an excellent presentation on PBS titled “What Darwin Never Knew”. During the 2-hour show, it struck me that all of the diversity — from the simple to the complex — of life on earth is expressed with DNA using only four types of molecules called bases – abbreviated […]


Next-Generation Data Center Security: Cisco Acquires Rohati

by Neil MacDonald  |  January 7, 2010

I saw this article yesterday on Cisco’s acquisition of Rohati. Gartner’s full analysis will be out shortly, but here are my thoughts. I believe this further confirms what I’ve already stated: Identity-awareness should be a feature, not a product. We don’t need to buy yet another box to add identity-awareness to our networks – it […]


Six Trends That Will Further Reshape Information Security in 2010

by Neil MacDonald  |  January 4, 2010

Food for thought to kick off 2010. The convergence of these trends (listed in my opinion of the order of impact) will radically reshape the future of information security – both the vendor landscape and how we architect and manage information security internally: Convergence onto Security Platforms: The movement of related security controls into “security […]
