Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry
Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…
by Neil MacDonald | December 9, 2011 | Comments Off
I’ve just gotten back from Gartner’s Data Center Conference in Las Vegas. Like Gartner’s recent US Symposium and European Symposium, the conference had record attendance and interest in information security was high.
I’ll place the top security-related issues from non-vendor attendees in a separate post.
On the vendor side, I had several information security providers ask me about the potential impact of the Euro crisis on information security spending. Many of the vendors are right in the middle of their 2012 revenue forecasting and budget planning process so the question is top of mind. My recommendation to them was to bound their forecast and budgets with a worst case and best case envelope around their most likely forecast.
Gartner is following the developments closely and we have several resources available to clients and vendors to navigate this turbulent period. First, there is a webcast planned to discuss the impact of the Eurozone crisis that is open to all. Second, there is a special report being developed for Gartner clients that addresses the issue from multiple angles across all of Gartner research. The first research note in this set, “CIOs Should Address the Impacts of the Euro Crisis on Their Enterprises Now”, has already been published for clients. Third, my European colleague has just posted a survey to gather data for use in his research and his blog posts on the topic.
Category: Information Security Next-generation Data Center Tags: GartnerDC, Information Security, Next-generation Data Center, symposium
by Neil MacDonald | November 14, 2011 | 1 Comment
I spent the last week in Barcelona with 4,000+ attendees at the 2011 Gartner European Symposium. It was a new venue for Gartner (we were displaced from Cannes by the G20), and I’m happy to say it was a fantastic event with record attendance.
Security was front and center of attendee interests. We had a total of 23 security sessions throughout the 4 days. Like the US Fall Symposium, I was fully booked with 1-1 sessions where attendees are able to meet and discuss their issues and questions with analysts.
The top issues of our European attendees differed from those at Gartner’s US Fall Symposium. Here’s what was top of mind in Europe:
1) Protecting information. I had a large number of discussions on how to move information security beyond just a “bottoms up” approach to information security. These organizations felt they had a good handle on traditional firewalling, IPS and endpoint protection but hadn’t done much for information protection beyond encrypting laptops. In addition to encouraging them to think about information security protection as a process, we also discussed specific technical controls such as database activity monitoring, file activity monitoring and web application firewall/monitoring solutions.
2) Cloud security. Cloud isn’t one thing, security isn’t either, so these discussions varied. Most were focused on how to better secure access to cloud-based services at the Software-as-a-Service level. There were some questions on IaaS, but only one on securing PaaS. In that case it was a leading-edge client moving their entire business as a service provider to Microsoft’s Azure platform and we discussed encryption options within Microsoft’s Azure.
3) Hosted Virtual Desktop (or if you prefer, Virtual Desktop Infrastructure). In these conversations, the interest was driven primarily as a way to provide access to legacy Windows applications while maintaining control of the information. Several conversations were on the pros/cons of VDI as compared to traditional terminal services. There are strengths and weaknesses to each approach. In a separate roundtable on virtualization and security that I moderated, the preference of the attendees of the session was to use full VMs (VDI/HVD) rather than terminal services.
4) Application security. This is really a form of #1 above, but focusing on securing the applications that handle the sensitive information. Most had adopted some amount of security testing, but were interested in pushing testing further back into software development. There was a significant amount of interest in testing as a service offerings, many of which are quite inexpensive as compared to testing in house. In most of these cases, testing as a service wasn’t replacing what they were doing, just augmenting it.
Overall, the biggest difference I saw in the interests of European attendees from US attendees was the intense interest in specific ways and mechanisms to augment traditional “bottoms up” security mechanisms with a “top-down” approach to protecting information. Both are needed.
That’s a good sign that information security organizations are understanding that in a world where IT increasingly doesn’t own or control much of the IT stack (end user device, network, server, OS, etc), our focus absolutely must shift up to various ways to protect the information.
Category: Application Security Cloud Security Virtualization Security Tags: application security testing tools, Cloud Security, GartnerDC, Information Security, symposium
by Neil MacDonald | October 24, 2011 | 1 Comment
Last week I attended Gartner’s US Symposium conference in Orlando. With 8,000+ attendees (25% of which were CIOs) and at least 1,000 more analysts, vendors and support staff, you can imagine it was quite a scene.
In addition to three presentations, I had more than 30 fantastic one-on-ones with attendees over the four days.
What was hot? Many of the same issues I blog about. In order of priority, most attendee discussions were on:
1) Endpoint security, application control and whitelisting. Microsoft is causing significant disruption in this market with its new version of Forefront Endpoint Protection and its change in licensing policies.
2) Strategies for protection against advanced threats (note that this overlaps with #1 a bit).
3) Security trends – what are the major trends we are seeing in information security and are they missing anything? What investments should we be thinking about for 2012?
4) Virtualization and security – trust/assurance of the hypervisor for separation of workloads of different trust levels as well as protecting VMs as they move offsite into Cloud-based providers.
Surprisingly, I only had one or two conversations on application security – specifically looking for best practices to push security testing further back in the SDLC.
In terms of “Cloud”, I think most organizations are moving beyond the ill-defined hype of “cloud security” and looking for specific advice and best practices for addressing specific cloud-related computing concerns. That’s a welcome step forward. Cloud is a computing style, not a location. It’s great to see people embrace this computing style and look to proactively build security in. Thursday afternoon’s presentation on securing private clouds had a good crowd for the final day. The biggest reaction was on the evolution of security to a set of software-based services delivered by programmable infrastructure. I think most IT security professionals have become so accustomed to their firewalls as a physical box, they have a difficult time imagining firewall services decoupled from the physical hardware underneath and shifting to security policies based on logical, not physical, attributes. Indeed, I believe the biggest challenges to the security of private clouds will be related to cultural and mindset change issues, not technical ones.
If you follow my thoughts from the conference on twitter (@nmacdona), you’ll see some of the feedback on my context-aware security presentation. Despite losing AC during the presentation (not good in Florida, even in October!), the crowd stuck it out with some hanging out in the doorways to watch the presentation and catch a breeze at the same time.
As I have discussed previously many times, all of information security is becoming context-aware and adaptive and this attribute will be a key characteristic of all next generation security offerings (IPS, FW, endpoint protection, IAM, DLP, and so on).
Overall, it was another great Symposium conference (my 15th with Gartner!). They just keep getting better. For those of you that didn’t make it, I’m attending Gartner’s upcoming US Data Center summit in December in Las Vegas and we can catch up there.
Category: Application Security Beyond Anti-Virus Cloud Cloud Security Information Security Microsoft Security Next-generation Security Infrastructure Virtualization Virtualization Security Tags: Adaptive Security Infrastucture, Beyond Anti-Virus, Cloud Security, Context-aware Security, DC-Summit-NA, Endpoint Protection Platform, Information Security, Microsoft Security, symposium, Virtualization Security
by Neil MacDonald | October 13, 2011 | Comments Off
Context-aware security is the use of supplemental information to improve security decisions at the time the decision is made. The goal? More-accurate security decisions capable of supporting more-dynamic business and IT environments as well as providing better protection against advanced threats.
In the 2010 research note that provided a definition and framework for understanding context-aware security, “The Future of Information Security is Context-Aware and Adaptive”, I used the term “next-generation IPS” to describe how advanced intrusion prevention systems were becoming context-aware in order to make improved security decisions (faster, more accurate and better suited to detect advanced threats).
Network security solutions are evolving to incorporate “application awareness” and “identity awareness” into their offerings. Information protection solutions are evolving to deliver “content awareness.” Application, identity and content awareness are all part of the same underlying shift to incorporate more context at the point when a security policy enforcement decision is made.
In the research note, I provided several examples of how information security infrastructure was evolving to become context-aware, including next-generation IPSs:
Intrusion prevention systems (IPSs) — Rather than apply all IPS rules to all traffic flows, next-generation IPS systems are able to use real-time contextual knowledge of what version of an OS or application a workload is running and what vulnerabilities are present in the systems they are protecting (for example, Real-time Network Awareness (RNA)/Real-time User Awareness (RUA) integration with Sourcefire). This context improves the speed and accuracy of IPS decisions, allowing more-efficient use of processing resources, as well as reducing the chance of false positives.
We’ve just published this research note for clients that outlines the key attributes of a next-generation IPS. Context-awareness in the form of application, identity, content and environmental awareness is the foundation for a next-generation IPS.
As I have observed several times, all information security infrastructure must become context-aware – endpoint protection platforms, access control systems, network firewalls, IPS systems, security information and event management systems, secure web gateways, secure email gateways, data loss prevention systems … all of it.
Incorporating “application awareness”, “identity awareness”, “virtualization awareness”, “location awareness”, “content awareness” and so on are all facets of the same underlying shift in information security infrastructure to become context-aware.
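The next-generation IPS behaviour described above (evaluate only the rules that matter given the OS, application version and known exposure of the host being protected), as an added Python illustration; this is not Gartner's, Sourcefire's or any vendor's code, and the host inventory, rule ids, version numbers and payload signatures are constructed for the example:

```python
"""Context-aware IPS rule selection.
Added illustration of the idea in the post (not Gartner, Sourcefire or any vendor's
code): instead of running every rule on every flow, consult an inventory of what OS
and application version each protected host runs, and which rules a vulnerability
scan already shows as mitigated, and evaluate only the rules that can matter.
Hosts, rules, versions and payload signatures below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """'2.4.9' -> (2, 4, 9) so that versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

@dataclass(frozen=True)
class Rule:
    sid: str                   # hypothetical rule id
    pattern: bytes             # payload signature the rule looks for
    target_os: Optional[str]   # None = any OS
    target_app: Optional[str]  # None = any application
    fixed_in: Optional[str]    # first app version no longer affected; None = all versions
    dst_port: Optional[int]    # None = any port

@dataclass
class Host:
    ip: str
    os: str
    apps: Dict[str, str] = field(default_factory=dict)   # app name -> version
    mitigated: Set[str] = field(default_factory=set)     # sids the vuln scan reports as patched

    def exposed_to(self, rule: Rule) -> bool:
        """True if this host could actually be hit by what the rule detects."""
        if rule.sid in self.mitigated:
            return False
        if rule.target_os and rule.target_os != self.os:
            return False
        if rule.target_app:
            ver = self.apps.get(rule.target_app)
            if ver is None:
                return False
            if rule.fixed_in and parse_version(ver) >= parse_version(rule.fixed_in):
                return False
        return True

def select_rules(rules: List[Rule], inventory: Dict[str, Host],
                 dst_ip: str, dst_port: int) -> List[Rule]:
    """Rules worth evaluating for a flow to dst_ip:dst_port.
    A destination missing from the inventory gets the full candidate set: absent
    context must fail closed rather than quietly switch off inspection."""
    candidates = [r for r in rules if r.dst_port in (None, dst_port)]
    host = inventory.get(dst_ip)
    if host is None:
        return candidates
    return [r for r in candidates if host.exposed_to(r)]

def inspect_flow(rules, inventory, dst_ip: str, dst_port: int, payload: bytes) -> List[str]:
    """Run only the selected rules over the payload; return the ids that fire."""
    return [r.sid for r in select_rules(rules, inventory, dst_ip, dst_port)
            if r.pattern in payload]

# Constructed sample data: the version numbers and signatures are not real advisories.
RULES = [
    Rule("R-WEB-1", b"%2e%2e/", "linux", "httpd", "2.4.12", 80),   # traversal bug fixed in 2.4.12
    Rule("R-WEB-2", b"<script>", None, None, None, 80),             # generic, any web server
    Rule("R-SMB-1", b"\xffSMB", "windows", None, None, 445),
    Rule("R-DB-1", b"xp_cmdshell", "windows", "mssql", None, 1433),
]
INVENTORY = {
    "10.0.0.5": Host("10.0.0.5", "linux", {"httpd": "2.4.10"}),               # still exposed
    "10.0.0.6": Host("10.0.0.6", "linux", {"httpd": "2.4.20"}),               # fixed build
    "10.0.0.7": Host("10.0.0.7", "windows", {"mssql": "15.0"}, {"R-DB-1"}),   # mitigated by config
}

if __name__ == "__main__":
    probe = b"GET /cgi/%2e%2e/secret HTTP/1.1"
    for ip in ("10.0.0.5", "10.0.0.6", "10.9.9.9"):
        n = len(select_rules(RULES, INVENTORY, ip, 80))
        print(ip, "rules evaluated:", n, "fired:", inspect_flow(RULES, INVENTORY, ip, 80, probe))
```

The same probe fires on the exposed 2.4.10 host and is ignored on the fixed 2.4.20 host, which is the false-positive reduction the post describes; the unknown host still gets every port-80 rule.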
Category: Next-generation Security Infrastructure Security Intelligence Tags: Adaptive Security Infrastucture, Context-aware Security, Endpoint Protection Platform, Next-generation Security Infrastructure, symposium
by Neil MacDonald | October 11, 2011 | 1 Comment
Traditional data loss prevention has been focused on looking for signatures and patterns of sensitive data at rest within the organization and as it moves throughout the organization, including to destinations outside of the enterprise (the latter is where most organizations have started).
<digress> You noticed I didn’t use the term “DLP”. That’s because I believe data loss prevention is just one of many controls that need to be mapped to a broader data lifecycle protection process that I believe is the real “DLP”. I digress – that’s another discussion… </digress>
I had an interesting request from a client a while ago. They wanted to look through all of their file shares for inappropriate data. In their case, an employee had been discovered with dozens of gigabytes of pirated music that was being stored on their enterprise servers that represented a potential legal liability for the organization. The client wanted to search all of their repositories for potentially inappropriate data – such as music files, video files, sexually explicit images and so on. We already have data loss prevention tools that rummage through our systems looking for sensitive data, why not expand this capability to inappropriate data? Taking this further, how about inspecting source code files and scanning these for potentially unlicensed or insecure open source libraries (Palamida, Black Duck and others provide this today as a point solution).
At the time, none of the data loss prevention tool vendors provided this capability and I directed the client to the single enterprise third-party tool I was aware of that specialized in detecting inappropriate content.
I don’t see how these use cases are so different that they require different tools. Learn a data pattern or signature and look for it by crawling through data repositories. Could be sensitive, could be unlicensed, could be inappropriate – same problem. It seems like a security no-brainer for data loss prevention tools to evolve to support the use case of identifying potentially inappropriate data usage in addition to sensitive data usage.
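The single crawl-and-match engine the post argues for, as an added Python illustration that is not any DLP vendor's code: detectors for payment card numbers (sensitive), media magic bytes (inappropriate) and a dependency watch list (unlicensed or insecure components) share one repository crawler; the watch-list name and the sample file share are constructed for the example.

```python
"""One crawler, one signature engine, three kinds of signature.
Added illustration of the post's argument (not any DLP vendor's code): sensitive
data, inappropriate media and risky open-source components are all "learn a
pattern, crawl the repositories, report hits". Watch list and sample files are constructed.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Iterator, List

@dataclass(frozen=True)
class Finding:
    path: str        # relative to the crawl root, "/"-separated
    category: str    # "sensitive" | "inappropriate" | "license"
    detail: str

def luhn_ok(digits: str) -> bool:
    """Luhn checksum keeps random 16-digit runs (order ids) out of card hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        total += (d * 2 - 9 if d > 4 else d * 2) if i % 2 else d
    return total % 10 == 0

CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")

def sensitive_data(path: str, data: bytes) -> Iterator[str]:
    """Classic DLP signature: payment card numbers that pass the checksum."""
    for m in CARD_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits):
            yield f"payment card number ending {digits[-4:]}"

def media_file(path: str, data: bytes) -> Iterator[str]:
    """File-type signature from magic bytes, so a renamed .mp3 is still caught."""
    if data.startswith(b"ID3"):
        yield "MP3 audio (ID3 header)"
    if data[4:8] == b"ftyp":      # ISO base media (MP4/MOV) keeps its box type at offset 4
        yield "MP4/MOV video"

WATCHLIST = {"gpl-only-lib": "GPL-3.0, not approved for this product"}   # constructed name
REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(?:[=<>~!]=?\s*[\w.]+)?\s*$", re.M)

def dependency_manifest(path: str, data: bytes) -> Iterator[str]:
    """Component signature: manifest entries matched against a license/security watch list."""
    if os.path.basename(path) != "requirements.txt":
        return
    for m in REQ_RE.finditer(data.decode(errors="replace")):
        name = m.group(1).lower()
        if name in WATCHLIST:
            yield f"{name}: {WATCHLIST[name]}"

DETECTORS = [("sensitive", sensitive_data), ("inappropriate", media_file),
             ("license", dependency_manifest)]

def crawl(root: str, max_bytes: int = 1_000_000) -> List[Finding]:
    """Walk a repository once and run every detector over every file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                data = f.read(max_bytes)   # cap: never pull a whole disk image into memory
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for category, detect in DETECTORS:
                findings += [Finding(rel, category, d) for d in detect(path, data)]
    findings.sort(key=lambda f: (f.path, f.category, f.detail))
    return findings

def build_sample_repo() -> str:
    """Constructed file share: one hit per detector, a clean file and a Luhn-invalid decoy."""
    root = tempfile.mkdtemp(prefix="crawl-demo-")
    os.makedirs(os.path.join(root, "media"))
    os.makedirs(os.path.join(root, "src"))
    files = {
        "notes.txt": b"Card on file: 4111 1111 1111 1111\nOrder ref: 1234 5678 9012 3456\n",
        "readme.txt": b"Nothing to see here.\n",
        "media/song.mp3": b"ID3\x04\x00" + b"\x00" * 64,
        "media/clip.mp4": b"\x00\x00\x00\x18ftypisom" + b"\x00" * 64,
        "src/requirements.txt": b"requests==2.25.1\ngpl-only-lib>=1.0\n",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)
    return root
```

Running `crawl(build_sample_repo())` returns four findings, one per planted file, and nothing for the clean file or the decoy number that fails the checksum.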
Category: Information Security Next-generation Security Infrastructure Security Intelligence Tags: Defense-in-Depth, Information Security, Next-generation Security Infrastructure, Security No-Brainer
by Neil MacDonald | September 29, 2011 | 2 Comments
I’ve made it a point over the past 6 months to ask clients if they are combining their endpoint protection platform contracts across desktops, laptops and servers. In most cases (about 75%), the answer is yes – contracts are being combined in order to reduce complexity and costs.
Is protecting a desktop different than a laptop? Yes.
Is protecting a server different than a desktop or laptop? Yes.
However, does this mean that we need a different vendor, product and console for each of these? Or, is it better to use a consistent set (palette) of controls to pick and choose from and just choose a different mix to protect different types of endpoints based on their needs? For example:
- All desktops and laptops need AV. Some servers need AV (general purpose file servers) and most organizations require AV on all Windows servers by policy.
- Application Control is more easily applied to servers which tend to be more static. However, some fixed desktop scenarios are well-suited to application control (e.g. call centers) and leading application control vendors are innovating in how they manage trusted change in desktop scenarios.
- Host firewalling is important to both, but tends to be more valued on laptops that move out from behind perimeter protection. Servers in the data center behind fixed firewalls may not need this at all.
- Deep packet inspection based host-based intrusion prevention (HIPS) is of value to both desktops and servers, but the ‘virtual patching’ capabilities of this style of protection tend to be more valued on servers that can’t be patched as frequently.
- Rules-based HIPS tends to be used more on servers where rules about normal application behavior are more easily defined.
- Behavioral HIPS tends to be used more on laptops and desktops to augment traditional signature-based AV and protect from zero-day attacks because these devices routinely deal with arbitrary code. This isn’t as important on servers as they don’t routinely deal with arbitrary code and organizations don’t want to risk an occasional false positive.
- Servers are great candidates for file integrity monitoring. Few desktops will use file integrity monitoring, but I’ve had clients with desktops that fell in scope of PCI where they used file integrity monitoring on their desktops.
- Laptops are great candidates for full drive encryption, but some fixed desktop and server scenarios make sense for full drive encryption as well.
The set (palette) of controls is the same – AV, firewall, HIPS, FIM, application control, encryption and so on, working together as a system. You pick and choose which controls are used and which policies are enforced based on the endpoint (desktop, laptop, server and increasingly mobile devices) and its usage scenarios. Think of the information security professional as an artist with a palette of colors/controls.
Do we need a different product/vendor/console for server security versus desktop security? Or a single product/vendor/console with the ability to pick and choose the appropriate controls and policies?
How does your organization handle this?
Category: Beyond Anti-Virus Endpoint Protection Platform Next-generation Security Infrastructure Tags: Adaptive Security Infrastucture, Beyond Anti-Virus, Defense-in-Depth, Endpoint Protection Platform, Lockdown, Next-generation Security Infrastructure, Reducing Complexity, Reducing Cost, Windows
by Neil MacDonald | September 28, 2011 | 1 Comment
I’ve been out the past two weeks visiting with clients and have been meaning to summarize my impression of the upcoming Windows 8 (expected mid 2012) from a security point of view. I attended Microsoft’s recent BUILD conference for developers where Windows 8 made its first official appearance. You can see my real-time tweets and observations from the conference on twitter under @nmacdona.
Like Windows 7, Windows 8 will continue to raise the bar in terms of security capabilities of the base OS. Here’s a list I compiled of the new capabilities:
- Antimalware protection built into the OS – basically Microsoft Security Essentials (beyond just Windows Defender included with Windows 7)
- Earlier loading of security protection in the boot process to thwart rootkits and other boot-level malware
- File reputation services (SmartScreen) – was included with IE9, now expanded to protect the entire OS.
- Root of trust measurements of the OS based on UEFI – if we need this for hypervisors, why not all OSs? Microsoft has had something similar with BitLocker using TXT and has now extended this to all versions.
- Windows Refresh – to restore Windows back to a known good state, while preserving end user personalization, enabling Systematic Workload Reprovisioning.
- Windows now supports boot from USB – quite useful in specific scenarios. Combined with BitLocker and root of trust measurements, this becomes a way to place an unknown terminal device into a high assurance state.
For the new “Metro Style” side of Windows 8 (the WinRT side), it is clear that the security model of Apple and the iPhone/iPad has had an impact:
- Reduced rights and strengthening of mandatory integrity controls of the OS.
- Metro-style applications can only be delivered through the Microsoft application store which now includes security testing (a form of implicit whitelisting).
- Sensitive API access is proxied through a security policy enforcement mechanism which validates the application’s right to use them
- “Picture Password” as a touch-native way of authenticating yourself to Windows 8
Overall, Windows 8 provides evolutionary, not revolutionary, improvements in security capabilities and raises the bar for what an OS should deliver in security protection.
Category: Beyond Anti-Virus Information Security Microsoft Security Windows 7 Tags: Apple, Beyond Anti-Virus, Defense-in-Depth, Information Security, Microsoft, Microsoft Security, Whitelisting, Windows
by Neil MacDonald | August 27, 2011 | Comments Off
VMware quietly disclosed it has acquired PacketMotion in this recent blog post by Dean Coza of VMware.
We identified PacketMotion as a Cool Vendor in this 2009 Gartner research note for clients. Essentially, PacketMotion uses standard Intel-based hardware appliances (as well as a virtualized probe implementation that runs inside of virtualized environments) to deliver full layer 7 decodes of sessions, providing context-aware security monitoring with application and identity awareness.
So why the acquisition?
VMware’s vShield App offering already provides some amount of application awareness, which came from its acquisition of BlueLane; PacketMotion’s application decodes will augment this capability. The more important capability is related to delivering identity awareness. In this recent research note for clients on vShield (“VMware Pushes Further Into the Security Market With Its vShield Offerings”), I identified identity awareness as a key need for vShield App:
VMware provides only basic application awareness in the first release of vShield App. Richer application, identity and content awareness capabilities are expected in future releases.
Why context? In this research note for clients “The Future of Information Security is Context-Aware and Adaptive”, I stated:
Rapidly changing business and threat environments, as well as user demands, are stressing static security policy enforcement models. Information security infrastructure must become adaptive by incorporating additional context at the point when a security decision is made, and we are already seeing signs of this transformation. Network security solutions are evolving to incorporate “application awareness” and “identity awareness” into their offerings. Information protection solutions are evolving to deliver “content awareness.” Application, identity and content awareness are all part of the same underlying shift to incorporate more context at the point when a security policy enforcement decision is made. To enable faster and more-accurate assessments of whether a given action should be allowed or denied, we must incorporate more real-time context information at the point when a security decision is made.
Identity, application and content awareness in information security policy decision making are all examples of the same fundamental shift to make information security context-aware and adaptive.
Category: Next-generation Security Infrastructure Virtualization Security Tags: Adaptive Security Infrastucture, Context-aware Security, Next-generation Data Center, Next-generation Security Infrastructure, VMware, vShield, vSphere
by Neil MacDonald | August 24, 2011 | 1 Comment
As I research the future of adaptive security infrastructure, I am convinced that the future of information security lies in software, not hardware.
If you think about it for a bit, most of information security policy enforcement is in the form of software already – it’s just embodied (entombed?) in physical hardware.
Unfortunately, the rigidity of hardware slows down our ability to support rapidly changing computing environments. As data centers are increasingly virtualized, as users become more mobile and as organizations increasingly adopt public cloud-based services, security controls must shed their physical shackles and exist as software-based enforcement points that can be placed when and where needed.
If you are a science fiction fan, it’s kinda like “ascension” – as intelligent species evolved they shed their physical bodies and exist as pure energy – like this example in StarGate (and I’m sure there are many other examples). As described in the StarGate Wiki:
Ascension is a process that allows beings to be able to separate from their physical bodies and to live eternally as pure energy in a superior plane with greater amount of knowledge and power. It can be a mental, spiritual or evolutionary process—a direct result of obtaining a certain level of wisdom and knowledge…
Superior plane? More knowledge? Wisdom? Bring this to information security! OK, so the analogy may be a stretch.
Regardless, the future of information security is a set of context-aware, software-based security policy enforcement points that can be placed when and where needed within a virtualized or cloud-based computing architecture. Depending on the context, there may be a need to embody the control in hardware, at other times as a virtual appliance in my own data center and in other situations as a cloud-based service provided by someone else. Supporting hybrid scenarios will be an absolute requirement.
Even when embodied in hardware, many architectures are shifting to x86-based hardware foundations, with proprietary hardware typically only required for encryption offload, and even here the latest Intel chipsets support encryption instruction acceleration.
The core value proposition and differentiation of security vendors will come from their software, not hardware, and their ability to use context to support dynamic computing models with adaptive security policies that can adjust in real-time as users and devices move between on-premises and cloud-based services.
Category: Cloud Cloud Security Next-generation Security Infrastructure Virtualization Security Tags: Adaptive Security Infrastucture, Cloud Security, Context-aware Security, Next-generation Data Center, Next-generation Security Infrastructure, Virtual Appliances, Virtualization Security
by Neil MacDonald | August 23, 2011 | 2 Comments
Run more of your Windows users without administrator rights.
I’ve talked about this several times before – including here, here and here.
While it may not be feasible to remove administrator rights from all users, it is an absolutely achievable goal to continue to improve the percentage of Windows users running without administrator rights year over year for the foreseeable future. Make this your goal for 2012.
Case in point – I talked with a client today that had removed administrator rights from 90% of their users. This is a noteworthy achievement as they are only in the planning process of migrating to Windows 7. They had achieved this on Windows XP and for large numbers of XP-based laptop users. Impressive.
Better yet, I worked with this client on a strategy to move this to 95-97% using the migration to Windows 7 as a catalyst for further improvements – some coming from improvements in the Windows OS (like a new printer driver model) and some coming from the selective use of a third party tool for Windows privilege management.
If you are struggling with malware infestations and are considering switching out vendors, take a look first at removing administrator rights. For Gartner clients, I’ve outlined the best practices for achieving this in this research document.
Remember, if done correctly, removal of administrator rights does not have to equate to “lockdown”.
Category: Beyond Anti-Virus Endpoint Protection Platform Microsoft Security Windows 7 Tags: Best Practices, Beyond Anti-Virus, Endpoint Protection Platform, Lockdown, Microsoft Security, Security No-Brainer, Windows