Information Security in the Real World. Confidentiality, Availability, Integrity, Practicality.
Wednesday, 29 September 2010
Thursday, 26 August 2010
Monday, 12 July 2010
Thursday, 8 July 2010
Thursday, 1 July 2010
The hype is building for zNext, the next generation of IBM System z servers. z10 brought unprecedented power, resilience and versatility to the large server market. But the next generation - first dubbed z11 and more recently zNext - is rumoured to be a step change in architecture that some are suggesting will change the datacenter game completely.
We know some stuff already, that the processers will be down from 65nm to 45nm junctions and run around 5GHz giving up to 43000 MIPS [PDF] which represents about a 25% improvement on the z10. So far so impressive, but not earth-shattering.
But more recent rumours from Poughkeepsie have suggested something bigger is happening. The word "Hybrid" has been used in connection with POWER systems, suggesting that the new architecture will cross traditional platform boundaries. And one source told me that Teradata will be in the frame.
A System z that also runs native AIX and Teradata right out of the box? Wouldn't that be groundbreaking?
IBM have now announced the reveal will be in a July 22 webcast to partners. If you can't make it, come back soon, I'll be blogging about it here shortly after. Follow me on Twitter, LinkedIn or by RSS feed to get the news first. Might this be the game-changer, the killer blow to IBM's high-end server opposition, and then some?
Thursday, 24 June 2010
However I think the truth lies between Gartner's doom and gloom predictions and Clabby's upbeat "you've never had it so good" optimism. Don't be under any illusion, decades of in depth knowledge of mainframe systems is going to leave your organisation over the next few years. But where Gartner gets it wrong is their insistence that the solution lies in migrating off the mainframe. They have used that phrase "more modern platfom" many times in recent years and this is starting to look like staggering ignorance of what IBM have been doing with System z for ten years.
There's no need to move off System z for modernity. IBM have brought modernity to System z. You want management GUIs? Check out the Tivoli automation range. You want a visual developer platform? Rational Developer for z (RDz). You want to run Java, C and C++? No problem. You want to consolidate your racks and racks of servers? Virtualise them? z/VM is the worlds most mature hypervisor, add SLES or RedHat Linux for up to 1500 servers in a 30kW box 10 feet square.
But I do think now is the time to modernise your mainframe. To streamline and automate the maintenance and management of the infrastructure. The product set has never been richer and I recommend you take a look. The greybeards will go soon, and while there are a new generation of System z afficionados leaving college as we speak, don't make them suffer needlessly. Enable them to be productive and creative. Simplify, streamline and automate with IBM Software.
Tuesday, 15 June 2010
But we still get hit by a security incident. Maybe the theft of thousands of customer PINs has been traced to our software support team where a little known privilege has been exploited. Or the recent DoS attack on our web servers was routed via a previously unknown and unpatched print server. Or a rogue trader in our dealing room has been escalating his privileges to allow himself to both raise and authorise payments to his holiday fund.
How did this happen if we're compliant? Perhaps we focussed too narrowly on the specific directions in each piece of legislation, performing a box-ticking exercise on them all (which in practice often means lots and lots of new, labour-intensive processes such as user recertification, dual authority, two-factor authentication, enhanced monitoring, reporting and change control).
Ironically, it is all of this focus on new processes and procedures - implemented with the right intentions: to enforce security policy - that has made us less secure. Because now our technical staff - the experts in the hardware, OS, infrastructure and applications who were previously doing their best to keep ahead of new threats - are now hamstrung with attestations, visits from auditors and recertifying user access rights.
Well perhaps the new compliance framework was implemented as a stand-alone instrument, a panacea rather than being used to inform and enhance existing standards and processes. Perhaps not enough thought was given to the extra work involved, or in developing systems and software to enable the new processes, ensuring they have minimal impact on productivity. Perhaps we didn't recognise the things we were already doing that were contributing to compliance, and building on these. Perhaps we saw Compliance as a "New Thing" and sought to implement it as such. In short, we sought compliance for its own sake, and thought that compliance would bring us security. And perhaps we hastened to become compliant with a single piece of legislation such as SOX but didn't build a framework scalable or flexible enough to absorb further controls and threats. And we relied on auditors with little technical knowledge to tell us when we had got it wrong, and their technology-agnostic box-ticking failed us.
We need a new approach to compliance. It's the old approach but better. We need to go back to basics and take a proper technical approach to security. We need to identify and tackle all existing threats against all of our components whether hardware, OS, infrastructure, application or web service(which incidentally needs a sound approach to configuration and change management that should include automated discovery) and a means of identifying and tackling new and emerging threats. We need to let our technical guys have greater input to the process and encourage and enable them to raise security issues and resolve them. And we need to bring back the technical audits.
We need to revisit our Security Policy, ensure it supports all of our security and compliance goals, and then use this to inform lower level documents including standards, baselines, guidelines and procedures so they all hang together. Then we need to implement rigorously, allowing our technical experts to decide what controls are needed to achieve each particular policy objective. And we need to remember to lock in compliance, with as many automated detective and corrective controls as we can - thus achieving Continuous Controls Management at the same time.
To give you a flavour of what I'm talking about, consider RACF. A typical (abriged) SOX control might require that "privileged users are kept to a minimum" and another might say "privileged user activity should be reviewed". Typically, well-known RACF privileges such as SPECIAL would be well covered by this control. The control objective, control details, processes and procedures adopted to implement this control would be comprehensive for SPECIAL users. Evidence is collected and preserved showing that SPECIAL users are well controlled.
Enacting a self-fulfilling prophesy then, SOX auditors come in and report compliance, but only because we are doing what we said we would do and protect SPECIAL users. The SOX auditor will not verify that controlling SPECIAL users is sufficient to achieve the SOX control objective of curbing "privileged users".
In our practical example, our Software Support programmer exploits a lesser-known privilege, say SURROGAT authority to a second SPECIAL user, UID(0) or UPDATE authority to a privileged user's EXEC or HOME library where he plants code (somewhat like a Trojan attack on z). These are all esoteric privileges which generally are not well controlled in a System z environment. But they are privileges nonetheless.
Staying with System z for a moment, we can avoid this situation if we let the RACF Admins and z/OS Sysprogs dictate the controls required. The true vulnerabilities of the system should be tackled, the real threats deterred and the actual risks reduced.
Then we provide evidence upwards, with our hierarchy of documents and a decent control framework we can determine which technical controls contribute to which higher control objectives, and therefore we can demonstrate compliance with each standard, baseline or policy as necessary. If we do it right we can secure once, comply with many.
In short, top-down imposed compliance has not made us more secure. Only a bottom-up approach - informed by the policy but driven by the technology - will work.
We need to Secure for Compliance, not Comply for Security.
Friday, 28 May 2010
Available now on Pirean.com is some new System z content, written by me about the services Pirean provides for the mainframe platform. I'm passionate about the platform, System z is truly the "ideal server" and provides leadership resilience, availability and security, and a host of other benefits ably described in this blog post from Jonathan Adams on the excellent MainframeZone.
Also on the Pirean System z page you will see a link to a PDF you can download describing the new adapter for Tivoli Identity Manager Pirean has created. I'm very proud of my role in this, and grateful to Stephen Swann and others for their TDI and TIM expertise without which the product would not have seen the light of day.
Wednesday, 19 May 2010
"In this seminar you'll see how Tivoli, StreamFoundry, and Pirean are delivering highly available Linux on System z platforms that support mission critical workloads and how you can develop your own cost effective solution". Looking forward to it.
Monday, 17 May 2010
And just announced—two-time Olympic gold medalist and co-star of the BBC series On Thin Ice, James Cracknell, will speak at PCTY UK 2010! Don't miss what promises to be an entertaining and inspirational presentation by one of Britain's most successful athletes.
Register via sponsors Pirean here and win an iPad!
Friday, 14 May 2010
More details and registration here .
See you there?
Monday, 10 May 2010
"Veteran mainframe data center managers were baffled when SaaS [...] appeared on the scene years ago. That’s what they had been doing for years, for decades, they would tell me. Only, it wasn’t called that then. How is it any different from time sharing, they would ask.
"Conceptually it isn’t very different. However, three things make it different enough: 1) the emergence of the Internet as a ubiquitous connecting fabric that everyone can use; 2) the browser as the universal client; and 3) the advent of services and service orientation. Previously monolithic code is now extracted as identifiable services and made accessible over the Internet via the browser following a requester-responder model. "
I'm not sure I would call myself a Veteran but I did raise an eyebrow or two when I read about some recent "advancements" in the fields of grid and cloud computing. DD's right, in many ways, cloud computing is very like mainframe time sharing (good old TSO), just much prettier. Which is why IBM have worked hard on System z in recent years to position it in the market as the perfect cloud provider. Even if you don't already own one.
Saturday, 8 May 2010
Join Pirean at Pulse Comes To You to understand more about our portfolio for Smarter Tivoli Solutions
|Join Pirean at Pulse Comes To You to understand more about our portfolio for Smarter Tivoli Solutions. |
On 27th May at The Grange St. Paul's Hotel in London, PULSE comes to the UK. To celebrate we're offering you the chance to get ahead of the pack and win an Apple iPad* when you register for the event at Pirean.com!
With a focus on helping organisations understand how to survive and thrive in today's difficult environment, Pulse Comes To You will showcase how you could minimise cost and drive greater efficiencies in your organisation. All facets of service management – hardware, software and services – will be covered. Join us and our clients as we share real life experiences of delivering business value with these solutions.
As proud sponsors, Pirean will be on hand to showcase an award winning portfolio of IBM Tivoli services and solutions that could help make your business achieve 'Smarter' End to End IT Service Management.
We look forward to seeing you there!
|*Terms and conditions apply, for more information visit http://www.pirean.com/PCTYregister |
© Copyright IBM Corporation 2010. All Rights Reserved. IBM, the IBM logo, ibm.com, Smarter Planet and the planet icons, and Tivoli are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at www.ibm.com/legal/copytrade.shtml.
Thursday, 15 April 2010
This is just what I was talking about last month when I said that we should do more enabling and less eliminating. If you insist people use separate, strong passwords for them all without giving them a simple, secure means of storing and retrieving these passwords on demand wherever and whenever they are needed, then don't be surprised if they ignore the advice and/or write them down. It's gonna happen.
Tuesday, 23 March 2010
But it's not like that. Authentication strength comes at a price, and that is usability. If your online bank requires three pieces of personal info, a token and an out of band communication (e-mail, phonecall) just to pay your overdue library fine then your customers will go elsewhere. However if you don't insist on all of these things when they wire £10k to a relative in Africa then they will rightly be suspicious that you are not protecting their money.
In truth, to stay competitive we have to walk a very narrow line between usability and security. Cybercriminals are mostly lazy individuals who go after "low hanging fruit". Make yourself harder to defraud than your immediate competitors and you will avoid a lot of trouble.
It's like an old joke: a safari jeep breaks down in the Serengeti, just a long lens away from a pride of hungry lions. The tour guide takes off his boots and starts putting on Nike running shoes. "You'll never outrun a lion in those" remarks a tourist. "No need," says the guide, "as long as I outrun you."
Thursday, 18 March 2010
So said noted System z Security expert Bob Hansel to Stan H. King in the January edition of
z/Journal - The Resource for Users of IBM Mainframe Systems.
What about your system? RACF is impenetrable isn't it? Well, the article begins with the comforting revelation that in a trawl through news archives and trade journals: "When it came to unauthorized mainframe access by outside hackers, there wasn’t a single published report among nearly 850 full-text documents published over the last decade". Nice. But are we relying on Security through Obscurity? Has System z "never been hacked" because of it's relative reticence on the global stage, it's shy retiring nature well behind the corporate firewall and the comparatively closed shop of MVS/RACF experts looking after it worldwide? As that changes, and z owners exploit Unix System Services and Linux for z, will we find we're behind the curve, that the script-kiddies catch up with us and - worst case - they know more about security on the New Mainframe than we do?
Tuesday, 16 March 2010
While you're patching IE and blocking Facebook, staff are e-mailing eachother huge files of customer data because you have not
a) told them it's wrong
b) enabled effective collaboration through legitimate tools
c) prevented the sharing of data through illegitimate channels.
Educate (the right and wrong ways), enable (the right way), eliminate (the wrong way). Too many security managers do the last point without the first two, which is why they find it so hard.
Monday, 15 March 2010
Protecting against the Internet Explorer zero day vulnerability | Graham Cluley's blog. There are workarounds for IE6 and 7 users, but I don't see why anyone should delay getting IE8. I appreciate there are corporate managed desktops out there and rolling out non-distruptive upgrades to these is tricky but guys, you've now had 12 months, get it delivered.
Thursday, 11 March 2010
Read the rest here: Smarter Tivoli - Managing Compliance on Z at www.pirean.com, free registration required.
Saturday, 27 February 2010
Whatever, if hosts can be held liable for the content they host then not only do we in the developed and politically stable world lose our favourite work-day pastimes, but the less fortunate in repressive states lose a big tool of democracy. Here's hoping the Italians realise their mistake before less enlightened regimes decide to follow suit.
Friday, 19 February 2010
Google is a great innovator, and the projects they began in-house (their search engine, toolbar and mail service for example) are usually excellent, but with Buzz they seem to be jumping on a bandwagon and doing so too hastily.
While I'm on the subject, Facebook's privacy controls are now an unholy mess. Beware if you use any social media for business, get informed about what you are revealing to the world.
Monday, 1 February 2010
Also, the ICO announces in the same press release the increased sanctions applicable to personal data breaches - up to £500,000 for the most serious offences.
Time to review your organiation's handling of laptops and removable media?
In my experience, organisations spend a lot of time and effort on technical data-loss prevention (DLP) solutions while missing the point - that employees don't really want to take data home on a memory stick, but they have no choice. If they were empowered with secure access to their data while away from the office they won't actually need to take anything with them on a thumb drive. Ensure the laptop hard drive is encrypted and protected by a boot-time logon, sure, but if you spend some time and effort on properly enabling remote access to your servers, providing synchronisation and collaboration tools, remote access to e-mail and keep the servers up 24/7 then your employees wil be less inclined to take data home on sticks and disks.
And even more important is connecting your geographically diverse business units. To fail to connect two closely related but separately located departments electronically, such that they have to send CDs to eachother (such as happened in the UK government's child benefit data loss) is just criminal.
Practical security starts with enabling good behaviour through technology, do that and you'll have less bad behaviour to deal with.
Thursday, 28 January 2010
Also one of the many perceived benefits of the cloud is availability and resilience of service, but are your cloud service provider's DR capabilities good enough? Are your data, transaction logs and applications all co-located, or are they stored and hosted in multiple, geographically diverse locations? Do they do DR at least as good as you could with traditional architecture?
Practically speaking, does your cloud provider introduce unacceptable security risks?