Twitter settles with FTC for privacy breach June 24, 2010

Posted by jonathanpenn in privacy.
Organizations continue to face risk for security breaches. Normally, we talk about the risk of security breaches being fines and other costs around loss of PII, per California Senate Bill 1386 and similar laws in 45-or-so other states.

What’s interesting about Twitter’s settlement today with the FTC is that it had to do with a breach of information that is not protected under these kinds of laws. This isn’t the kind of data breach that the FTC normally delves into. My sense is that the oversight must have appeared to the FTC to be so lax as to be in violation of Twitter’s privacy policy – that is the kind of thing that it would and does pursue. Of course, having someone crack into Barack Obama’s account on your service is certainly going to raise the profile of the incident. (So why isn’t the FTC looking into the breach of Sarah Palin’s Yahoo! Mail account? Where’s the right-wing/tea-party outrage? 😉 )

The FTC specifically identified the absence of these practices (among others) as constituting insufficient care:

  • Requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites, or networks;
  • Prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts;
  • Providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users (that seems to disqualify the use of SSO for those administrative accounts);
  • Enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days;
  • Imposing other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.

I wonder how many companies – especially private ones, like Twitter – can claim to satisfy all these requirements?

As a result of the FTC investigation and settlement, Twitter is “barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to information and honor the privacy choices made by consumers.” It also “must establish and maintain a comprehensive information security program, which will be assessed by a third party every other year for 10 years” and is “barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy and confidentiality of nonpublic consumer information” (does that mean that everyone else is allowed to mislead consumers about this??).

The oversight framework is a familiar MO for the FTC to take on this. It is not dissimilar from the settlements several years ago with Eli Lilly (FTC File No. 012 3214) and Guess, Inc. (FTC File No. 022 3260).

This trend in expanded scope for breach liability is growing, and organizations should brace themselves and prepare for increased oversight and exposure to liability as it pertains to private (but not personally identifiable) information. CISOs need to work more closely with Chief Privacy Officers (anyone with a social network or any kind of Web 2.0 presence, however modest, should really have one) and with the head of enterprise risk (which spans physical security, information security, compliance, legal, insurance, and privacy).

Evolving the consumer security market beyond the PC June 11, 2010

Posted by jonathanpenn in client security, cloud, trends & futures.

Today came the news that Trend Micro is acquiring humyo, a service that offers file backup, access, sync, and sharing across PCs and mobile devices.

As I wrote about in “New Growth Opportunities In The Consumer Security Market”, my view is that PC-based protection, no matter how broad, is the new “point product”, and the new “suite” that consumers seek is product plus services whose functionality goes beyond security to help consumers deal with their other major challenges as well. Security is still important, but privacy is a huge and largely unmet need, and so is supporting the new consumer computing models, as my Forrester colleague Frank Gillett formulated a year ago with the concept of The Personal Cloud. Frank and I are currently discussing ways to bridge our research streams more formally.

What does this mean for consumer-focused Tech Industry vendors, and especially consumer security vendors? One of the implications of these shifts in consumer computing, away from apps running on a single PC to Internet services accessed from multiple devices/device types, is that there is opportunity for what the tech industry likes to term ‘stickiness’. While AV companies may engender loyalty from their customers, AV products are most effective and appreciated when they operate transparently and the user is unaware that they’re there: not slowing down the machine, and not popping up undecipherable warnings requesting your attention. On the other hand, the engagement model for Personal Cloud services is one of regular and deep interaction. In this context, the acquisition by Trend Micro offers far more promise in contrast to, say, McAfee’s partnership with Mozy.

This is not just about backup, but backup does serve as a great example of the way these dynamics change the market, the new services opportunities that can arise, and the way consumer security vendors can get into the business of providing consumers with Personal Cloud services. It’s no longer just “backup, but to the cloud”. It’s about anywhere access, file sharing, and file sync services like those of humyo or SugarSync. It’s not even just your device-resident data but also data held at the Internet services you use like Gmail and WordPress, which is what Backupify is doing that’s new and unique. Eventually, it will also encompass the ability to deliver information from the Personal Cloud to enhance the experience of other services: e.g., having Pandora or Slacker augment their radio streams with users’ own MP3s held in online storage services, or brokering identity information to limit proliferation of personal information while still enabling order fulfillment at retail sites.

What Facebook and Google can learn from Avast! and AVG May 17, 2010

Posted by jonathanpenn in client security, privacy.

The latest string of privacy fiascos from Google and Facebook leads me to wonder if they will ever learn to respect their consumer users. For both companies, I think one of the dynamics behind this is the fact that these consumers aren’t the ones from whom the companies collect revenue, the incorrect conclusions the founders and executives derived from that, and the cultures they developed within their companies as they grew based on these erroneous assumptions.

Google has an almost innate ability to develop applications and services that unleash the power of the Internet to transform people’s lives. Yet the engineering culture that drives such stellar technical achievements is what hinders Google in their relationships with consumers. Google doesn’t have what it takes to run a consumer business: it’s just not in their DNA. This is how we can hear on the one hand about how Android is a smashing success from an engineering perspective and is purportedly now outselling the iPhone in the US, while learning the same week that Google is going to stop selling Nexus One direct to consumers.

To succeed with consumer products would require Google to have more polish and quality assurance beyond the core engineering challenge (versus relegating some services to the purgatory of perpetual beta), development of consumer customer support services (a la the Nexus One), and of course a more respectful approach to users (see: privacy).

It would be a shame if the lesson Google took from the Nexus One would be to forgo future efforts at selling direct to consumers. Having a deeper relationship with consumers and being accountable to them as paying customers would teach Google to be more sensitive to their concerns. It’s the same thing with Facebook: it, too, would have a completely different attitude and approach to privacy changes if consumers paid for their accounts.

It doesn’t have to be that way. Some companies that don’t get revenues from their consumer users approach them with understanding and respect just the same. I just spent a few days in Prague, where I met with the AV companies Avast! and AVG. At each of these companies, the vast majority of users are running the free version of their products. But the difference between Avast! and AVG on the one hand, and Google and Facebook on the other, in their attitudes towards their non-paying users could not be more stark. Avast! and AVG exhibit the utmost deference and sensitivity in dealing with their non-paying consumer users. They are fully aware that the future of their companies depends on their ability to retain and expand upon these relationships. As they explore ways to monetize these relationships, it’s by delivering more value and developing stronger bonds of trust. The Google and (especially) Facebook approach seems to be through exploitation and indifference.

Sophos takes on new investors May 4, 2010

Posted by jonathanpenn in client security, news.

On the heels of Symantec’s two encryption acquisitions, there’s another development in the client security space. Sophos’ original investors just sold their stake. Sophos’ new investors, Apax Partners, invested $400m and acquired a majority stake – thus valuing Sophos at just over $800m.

Sometimes, these investments serve as a lifeline for a vendor (e.g., private equity firm Thoma Bravo’s acquisition of Entrust a year ago). That is not the case here. Sophos was a healthy and growing company – though it faces increasingly stiff competition from the top-tier client security companies.

This is not just a buyout of early investors, but an additional investment in Sophos. So this will ultimately help Sophos by fueling acquisitions as well as global expansion.

There are several possible dynamics going on here. It could be that Sophos investors saw a good opportunity to pull out. In fact, those investors (TA Associates), were also the ones who invested $200m in AVG recently. So it could also simply be that TA didn’t want to have two AV vendors in its portfolio and decided to rationalize, especially since these two vendors have very different strategies and business models. Sophos was also purportedly on the IPO track – with estimates placing the valuation at ~ $1b. It could also be that Sophos saw that, for whatever reason, the IPO route wasn’t optimal.

Symantec’s acquisition strategy May 4, 2010

Posted by jonathanpenn in client security.
Late last week, Symantec made two acquisitions in the encryption space, scooping up both PGP and GuardianEdge. My colleague, Andrew Jaquith, is publishing an in-depth report analyzing the acquisition, so there’s no need to go into too much detail here. We’re in total agreement that encryption has been a significant hole in Symantec’s security portfolio, given that data security is the #1 focus for IT security shops. You can also see some of my initial comments to the press on the acquisition here.

These two acquisitions got me thinking about Symantec’s acquisition strategy in general. What we’ve seen from Symantec over the years is a clear proclivity for paying more in order to acquire market-leading vendors. This doesn’t mean Symantec overpays. Simply that Symantec seems to weigh established customer base and market share more than other security specialists. Certainly, McAfee has its share of big acquisitions (it paid about as much for SafeBoot as Symantec paid for PGP and GuardianEdge combined, and the Secure Computing acquisition was no small purchase either), but as a more general rule Symantec goes after the big game on the plains more than other security specialists. In security, Symantec is clearly moving to more head-to-head competition against the mega-vendors with deep pockets: IBM, Cisco, Microsoft, EMC, etc. I believe that this approach to acquisitions is a key factor that helps Symantec over the long term against this competition.

More detail surfaces about the attack on Google April 20, 2010

Posted by jonathanpenn in cyberwar/CIP.
John Markoff’s article yesterday in the New York Times reveals that Google’s authentication system, code-named Gaia, was one of the targets of attack.

The target wasn’t Google users’ passwords, but the authentication system itself (Markoff refers to it as a “single sign-on” system; I’m reluctant to do that, since my own experience shows it to be a rather confusing mesh of both interconnected and disconnected authenticators…seems like Google could do a lot more to help users link and manage their IDs under one master account of their choosing). Why not the passwords? It’s far more valuable to gain access to the code and learn the intricacies – and weaknesses – of the system itself, rather than gain access to a few (or even a few thousand) accounts. My own theory is this is why Adobe and various antimalware companies were targeted by the same network of attacks: the former to find more weaknesses in Flash and Acrobat to exploit, and the latter to learn how to bypass security mechanisms designed to defeat such attacks.

Markoff has several other excellent articles on the cyber attacks made public by Google in January, most notably this one.

Security of open source: Sunlight disinfects, but does it introduce germs as well? April 9, 2010

Posted by jonathanpenn in news.

The security of open source software took a small hit this week as Mozilla reported that Firefox currently contains a root certificate authority that has no known owner. The fear is that this is a bogus CA inserted by hackers to provide trustworthiness to malicious sites.

This potentially provides an example of a nightmare scenario the anti-open-sourcers talk about: that hackers can inject back doors or introduce vulnerabilities within the open source development process.

Indeed, Fortify is drawing a rather extreme conclusion to this situation with its European director, Richard Kirk, stating that “this tilts the balance in favour of Microsoft’s Explorer”. That’s a ridiculous claim: in the browser war, this event will not move the needle one way or another. All it’s served to do is get much of the security community (which tends to favor openness) to jump on Fortify. Besides, while good theoretical arguments are made on both sides of the “security of open source versus closed source” debate, in practice it comes down to, well….practice. And it has been shown that one of the best practices is openness: whether closed or open source, an open and transparent disclosure process improves security over time.

I do agree with what Fortify’s Kirk says later, that “The important thing to stress, however, is the need for software security testing to identify and remove vulnerabilities from applications, rather than simply trying to block attacks on software by securing the network.”

Lesson #1: DO use these moments to offer constructive advice by raising awareness of issues and solutions.

Lesson #2: DON’T broadly attack an entire movement with biased statements. You’ll only make yourself a target for wrath and ridicule.

Are we losing yet? March 23, 2010

Posted by jonathanpenn in client security, trends & futures.
That’s what I asked myself after reading the IC3 Internet Crime Report, which shows:

  • A 22.3% increase in complaints over 2008
  • Total dollar loss from all referred cases was $559.7 million, up over 110% from 2008
  • Of the top five categories of offenses, identity theft was #2 at 14.1% of complaints; computer fraud (destruction/damage/vandalism of property) was #5 at 7.9% of complaints.

The security industry readily admits that cyber-criminals are evolving their attack tactics faster than we’re evolving our defenses. How long can we continue to fall behind before we should start saying that we’re losing?

Work blog moved to Forrester site March 15, 2010

Posted by jonathanpenn in uncategorized.
Please note that as of Monday March 15th I have migrated my work-related blogging activity to my new blog at http://blogs.forrester.com/jonathan_penn.

Live at the RSA Conference: an industry view March 2, 2010

Posted by jonathanpenn in news.
Update – Friday March 5 – Wrap-Up

The session was on how CISOs should be adapting to IT changes, and included Steve Munford, CEO of Sophos, and Sam Ghelfi, the Chief Information Security and Privacy Officer of Raymond James. The main topics of discussion were:

  1. Given staffing and budget pressures, and the heightened threat climate, we need to actively seek a way to spend less effort managing security technology, to allow us to devote more time to managing IT risk.
  2. How compliance has helped IT Security practices gain visibility, but the business views IT compliance as a check-box with little value beyond avoidance of fines. As Sam eloquently stated, “Every time we’re talking with the business about compliance, we’re not talking about risk management.”
  3. Consumerization and the loss of control within IT and IT Security over the technologies and devices that businesses want to run.

Here’s a run-down of my meetings:

  • Lieberman Software. The privileged user management (PUM) vendor announced product and partnerships that provide visibility and control of IT administration in virtualization and cloud environments. No one else I’m aware of in the PUM space has done this, to my knowledge. I pressed Phil Lieberman for references, even of beta customers. No one is yet willing to talk, he said, but I will keep trying. Even off-the-record validation of this could be a significant move forward.
  • VeriSign. VeriSign just released some consumer data and findings around consumers’ trust in the Internet. Great stuff. More detailed than I’ve done in the past.
  • Novell. Novell is another company striving for the revolutionary when it comes to cloud security, embodied in its Intelligent Workforce Management strategy. Things I enjoy most about talking with Nick Nikols: (a) he’s intelligent, (b) as a former analyst himself, he really seeks to understand my perspective on the market – he doesn’t just look at me as a marketing tool, and (c) also because he’s a former analyst, I know I can’t get away with anything, so he really keeps me on my toes. Thanks, Nick!
  • AVG. Meeting with AVG was a delight: I find them fascinating, given how freeware is such a completely disruptive force in the consumer antimalware market, with no incumbent vendor seeming to be able to develop a strategy to adapt (hint: read my report).
  • Modulo. Modulo has had some impressive success, but remains under most people’s radar screen. Nonetheless, the whole GRC product market is one in dire need of evolution. Clearly, the message about more efficient controls management and insight is one that is not compelling enough. Hopefully, I’ll write more on that in a subsequent post.

Update – Thursday March 4, 10:40am – Where is everybody?

Just a quick note on the attendance and activity. The first day was actually quite busy and everyone was congratulating themselves on how robust and resilient the security industry is, and how important security must be to the business for so many security practitioners to show up. The sessions were nearly packed, and the exhibit floor was bustling – here’s what the show floor looked like even at 5pm on Tuesday.

Since that first day, however, there’s been a steady drop-off in attendance and activity on the show floor and outside the conference rooms. Maybe everyone is just meeting at hospitality suites, or conducting business at the W Hotel’s XYZ Bar. Yesterday’s sessions were pretty thin, and the floor activity was quite slow. Today, it’s looking like a conference that’s ready to wrap up.

Did everyone just come for the security swag? Were they expecting the beautiful San Francisco spring and were so disappointed by the rains that they just packed up and went home early (RSA: please go back to running this in April)? Whatever the reason, and whatever attendance numbers RSA may put out in the end, this conference is less active than last year’s in many respects. Attendees are also saying that they’re not really seeing or hearing anything new, either. The value and impact of the conference seems to have dipped again. I think many people limited their attendance to a day or a day and a half. I also think some of the activity is shifting to the social networking (the physical kind) that exists around the show’s periphery.

Update – Thursday March 4, 8:00am – Key conference themes

Major themes or topics of the show:

  1. Cloud security. Thankfully, much of this conversation is shifting to what security is offered in the cloud (vendors’ delivery model), and people are now discussing how to secure the broader set of IT services that are moving to the cloud (i.e., IaaS, PaaS, and SaaS).
  2. Web 2.0 threats. These are both external (everything from Koobface to malware links showing up in blogs & Twitter streams to ) and internal (malicious or inadvertent disclosure of sensitive information in blogs, Twitter, LinkedIn, etc).
  3. Consumerization. A lot of talk about “Moving from IT security professionals saying ‘No’ to saying ‘Yes, but…’” when it comes to whether/how to allow devices and technologies that end users are bringing in or adopting on their own. Frankly, most CISOs I know aren’t in a position to say Yes or No…they aren’t asked; they are told that this stuff is coming in (or, more likely, they discover it by happenstance) and they just have to adapt.

Update – Wednesday March 3, 10:00am – AT&T breakfast session

The conference started early for me today, with an AT&T breakfast session led by AT&T VP Bill O’Hern, who didn’t discuss security, but instead focused on mobility and the growing capabilities of the smart phone. I expect AT&T to position more around what Bill referred to as “smart mobile computing”. The concept itself simply takes the mobility conversation a step further than we see at present: as smartphones reach functional parity with PCs, instead of trying to work in a world where we use both and need to synchronize seamlessly between the two, we can just work on the mobile platform and have a world without desktops and laptops. Naturally, we’d need better interfaces that we could plug our smartphones into (for a full keyboard and a big screen, e.g.), but that’s not much of an issue. And of course, Bill presented the notion of the entire data center moving to the cloud. The vision was interesting. Unlike Bill, I see this playing out in the 5-15 year timeframe, rather than the 2-5 year timeframe he placed it at.

But it did get me thinking that we have two different sides of the same trend around cloud. The first is that applications and IT infrastructure are moving out of the data center: in effect, pushing server environments into the cloud. This is slowly happening with IaaS, PaaS, SaaS, etc. The other side of the coin is that user mobility is moving workers outside the LAN and WAN – in effect coming into the organization through the cloud. So we’re getting pulled into the cloud from two angles. I don’t see either as happening rapidly, but looked at in combination it points to disruption and opportunity.

Update – Tuesday March 2, 6:30pm: Briefings, and a quick run of the floor

My afternoon was spent in back-to-back briefings with EMC/RSA and Cisco. Cisco was a deeper dive into the Secure Borderless Network strategy, which I discussed yesterday (below in this post). With EMC/RSA, we delved into security consulting — which I’ve mentioned before is a critical capability for any vendor wishing to be a strategic security partner to its customers. What I didn’t know was how well-developed EMC’s consulting practice is (not all security-related by any means): EMC reports having 2,200 consultants. I haven’t done the math yet to make a revenue guess, but that’s certainly a significant advantage in having such relationships with so many customers, resulting in a deep understanding of their customers’ business strategy, IT strategy, and security strategy.

Update – Tuesday March 2, 2:30pm: Industry Analyst Roundtable

We just wrapped up our Industry Analyst panel with John Pescatore of Gartner and Chris Christiansen of IDC, hosted by Asheem Chandna of Greylock Partners, and covered a lot of ground. For 3 analysts from 3 different firms, there was a surprising (perhaps disappointing, to some in the audience) amount of agreement. Among the topics we discussed:

1. The move to cloud/SaaS-based security is far stronger than just a reaction to budget and staffing pressures. There’s a significant shift happening as organizations outsource operational or discrete security functions. This mirrors our Forrester data, which shows strong enterprise interest across the board for managed security services.

2. The Aurora cyberattacks do not represent any significant new threat. But they do present an opportunity to educate executives on the existence, sophistication, and prevalence of cyber espionage.

3. Adoption of cloud services — the most talked about topic at the conference so far — represents some new considerations from a security perspective. However, the overall framework of security doesn’t need modification: simply apply what you already do to your own security environment and put requirements into the contracts. It’s not quite that simple, but cloud (IaaS and PaaS specifically) doesn’t require a complete rethinking of security…just more diligence. We all stated that solutions which secure the cloud are far more likely to be sold to cloud providers (who in turn offer them as classes of service) than to end user organizations directly. This will fundamentally shift the dynamic between security vendors and organizations: security solutions will be part of the cloud and adopted by providers, not something bolted on and left to end user organizations to integrate.

4. Compliance has been a double-edged sword for security. It’s helped fund projects that in general have improved our security postures. However, it hasn’t really elevated the value of security (at the end of the day, compliance is a check-box, after all) and it can often siphon funds away from other projects that provide more security value.

5. Consumerization is just one trend representing how IT is losing control of the corporate environment, and how that challenges IT Security to adapt.

There were some good questions from the audience delving deeper on managed security services (why do it? how do you measure the benefits?).

Update – Tuesday March 2, 9:00am: Art Coviello’s keynote

Just saw the keynote by Art Coviello, President, RSA. The focus was on securing the cloud. His main points were:

  1. Migration of IT to the cloud is inevitable. I totally agree with this, and see security merely as a temporary hurdle.
  2. That adoption of virtualization and cloud has implications on the relationship between IT Security and IT Ops, as the former focuses on governance and the latter on quality of service.

Both of these observations are spot on. The Keynote wasn’t a place to announce how to secure the cloud, or what RSA is doing here to further the effort, but this is obviously where RSA (and VMware and EMC) are in a great position to develop leadership.

Monday March 1, 3:30pm: Cisco’s Secure Borderless Network strategy

I spent the first half of the afternoon with Cisco, which detailed elements of its Secure Borderless Network strategy. This looks like a very significant move, and a compelling direction, for Cisco. It attempts to make network connectivity and access far more seamless than it is today. However, one way the demonstration delivered seamlessness was to hide all aspects of security. Specifically, how Cisco handles identity issues. If Cisco relies solely on device-based identity and NAC, this is potentially troubling or at least limiting. How Cisco incorporates other forms of authentication – a promising area for partnership with authentication and credential management companies – is key to this being successful in the enterprise.

And corporate workers aren’t the only people using multiple devices from multiple locations to access data and services: there are some powerful opportunities for AnyConnect in the consumer space that Cisco doesn’t seem to have fully explored yet.

With this announcement, Cisco is also relying first on the Ironport appliance but also moving more towards reliance on cloud services (enabled by its acquisition of ScanSafe). This also marks a significant shift in Cisco security strategy away from a reliance purely on product to offering its own managed/SaaS solution rather than providing products to service providers. Expect ScanSafe assets to serve as the foundation for more security policy enforcement moving forward.

This will fundamentally shift the dynamic between security vendors and organizations. Security solutions will be part of the cloud and adopted by providers, not something bolted on like a form of duct tape to connect organizations with cloud services