Gartner Blog Network


Feedback Friday: Security Comments on All Those Other Gartner Blog Posts

by John Pescatore  |  July 10, 2009  |  6 Comments

It has not been a quiet week in Lake WobeBlog, my hometown.

I could never get that sentence into a Gartner research note, as the reference to Prairie Home Companion would be deemed too “non-global,” so apologies to those of you who don’t know who Garrison Keillor is or what uff da means.

Anyway, there have been lots of Gartner blog posts that were just begging for security comment this week. I spend a lot of time doing internal peer review in the Lotus Notes system Gartner uses to produce our Research Notes, so here’s the blog-world equivalent:

Google Chrome OS – the IT industry loves vendor wars, so a simple Google blog post about a Chrome OS caused all kinds of industry furor and oodles of Gartner analyst blog posts. If Chrome is designed as a “cloud” OS for mostly netbook-like devices with limited need for local processing and storage, it would seem that it could be a very lightweight OS, and lightweight *can* certainly mean more secure. However, I think any user OS will inevitably need to support local apps and storage – heck, look at the iPhone or the fact that Google already had to offer Gears for PCs for Google Apps.

So, a lightweight “cloud” OS that later tries to tack on the features needed to be a huskier “real” OS would likely have just as many, and likely *more*, security issues as an OS that was built from the start assuming local processing and storage as major requirements. Where Chrome should have a security advantage, just like the iPhone, is in not having to deal with years of legacy apps and an infinite number of hardware platforms. That, not the “cloudiness” or Chrome the browser’s security capabilities, is where I think Chrome could change the OS security game.

Social network risks – Andrea DiMaio posted about a Facebook page that appears to be impersonating a government agency. That’s something that has to be dealt with these days, even if you are not embracing social networks. Brand monitoring services exist to let you know if your content or presence is showing up on spoofed web sites, in social network feeds or in peer-to-peer networks. If you do start to officially use social networks for business, you still need that, plus processes to deal with inadvertent or malicious exposure of sensitive data.

Employee-owned IT – Nick Jones blogged about the debate on the costs of allowing the use of unmanaged PCs and the like on corporate networks. Nick advances the usual arguments about innovation, but the key point he makes that I agree with is “The real challenge is not employee owned technology, you already lost that battle.” This has been true for more than 5 years now – ever since Outlook Web Access and SSL VPNs came out. The issue is making the use of unmanaged IT secure enough for business use. That’s where Network Access Control, hosted virtual desktops, portable personalities and other areas of Gartner research have been pointing out what needs to be done to remain at a due diligence level of security. Without thinking through what is needed to protect customer and business data, the first security incident will consume a decade of capex savings.

Cloud – Lydia Leong had a great post on thinking through whether cloud-based computing services make sense for you. I invariably find when I do “cloud security” calls with Gartner clients that they are really asking about Software as a Service, vs. cloud. But even if real cloud infrastructure as a service is under consideration, to the list of issues Lydia says to think through, I certainly add security – how can the cloud provider prove to you that your data will be protected to the level you require? If a traditional hoster can prove that, but a cloud provider today can’t, should it even be on the table for you? Would the business side of your organization work that way? OK, maybe they would – but we are supposed to be security folks…


John Pescatore
VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems…


Thoughts on Feedback Friday: Security Comments on All Those Other Gartner Blog Posts


  1. […] The rest is here: Feedback Friday: Security Commen… […]

  2. […] Continued here: Feedback Friday: Security Comments on All Those Other Gartner Blog … […]

  3. Preston,

    I gather that you don’t know a lot about security models, and why Windows is so insecure as compared to the OSX, Linux, BSD, and Solaris operating systems. You really should check into this, because once you understand the differences, you’ll be too scared to use Windows.

    Me, I gave up on Windows 2 1/2 years ago, and haven’t spent any time on operating system maintenance since.

  4. There have been no shortages of patches out for vulnerabilities in OSX, Linux and Solaris. SANS Internet Storm Center shows an unpatched Linux machine connected to the Internet will get compromised in something like 4 hours. Longer than it takes for a Windows machine, but no shortage of attacks against Linux, OSX and Solaris.

  5. […] I mentioned here, 90% of the time it turns out the pressure is really to consume some application as a service, not […]





Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.