Twitter Feed
Lynn DeCourcey Showcased in ExecutiveBiz
Kudos to my colleague Lynn DeCourcey for her recent interview on ExecutiveBiz.com! Lynn is NJVC vice president and general manager, cyber security. She oversees all aspects of the company’s cyber…
BISNOW Data Center Event Highlight’s Cloud
A big thank you to BISNOW and my fellow panel members for an outstanding discussion and very informative event, last week’s Data Center Investment Conference and Expo. The federal marketplace…
GSA Seeks Cloud Brokerage Information
GSA is using the RFI process to collect information about alternative models and/or solutions for future cloud acquisition vehicles and processes that further these goals. One emerging concept in cloud…
DoD Cloud Computing Strategy
The DoD recently released the department’s formal cloud computing strategy. DoD Cloud Computing Strategy View more documents from Kevin Jackson. In the forward, DoD CIO Teresa Takai said that: “The…
FedRAMP PMO Releases First Set of 3PAOs
Late today the FedRAMP Program Management Office released the first list of certified Third Party Assessment Organizations (3PAOs). These companies are accredited to perform initial and periodic assessment of cloud…
FedRAMP Releases Updated Security Assessment Plan Templates
Last week the GSA FedRAMP Program Office released the latest version of the cloud computing Security Assessment Plan (SAR) template. This document is the most recent step toward the Federal…
NJVC® and Gravitant® Announce New Strategic Alliance: Partnership to Benefit Federal Agencies with Powerful Provision and Management of Cloud Services that Unify Multiple Providers
Vienna, Va., April 4, 2012 — NJVC®, one of the largest information technology solutions providers supporting the U.S. Department of Defense, and Gravitant®, a provider of cloud brokerage and management…
NJVC® VP and GM, Cloud Services, Kevin L. Jackson to Speak on Cloud Security at 2012 Emerging Threats and Cyber Defense Symposium
Vienna, Va., March 15, 2012 — NJVC®, one of the largest information technology solutions (IT) providers supporting the U.S. Department of Defense, is pleased to announce that Kevin L. Jackson,…
NJVC’s Kevin L. Jackson Co-Authors INSA White Paper on Cloud Computing for the Intelligence Community
Findings Reflect Insight from More than 50 Cloud Thought Leaders VIENNA, Va.–(BUSINESS WIRE)–NJVC®, one of the largest information technology solutions (IT) providers supporting the U.S. Department of Defense, announces…
INSA Study on Cloud Computing in the Intelligence Community: Rollout 13 March 2012 | SYS-CON MEDIA
(Originally posted by Bob Gourley at CTOvision) Over the last year I’ve had the pleasure of serving with a team of volunteers from the Intelligence and National Security Alliance…
On Tuesday, October 6th, the European Court of Justice (ECJ), invalidated the U.S./EU Safe Harbor Framework. This framework, in place since 2000, gave blanket permission to data transfers from the European Union to the United States. The ruling means that national data protection authorities can now review such data transfers on an individual basis. It also complicates many aspects of data security for any enterprises doing business across the Atlantic Ocean.
This recent ruling highlights the value of having a strong security partner shepherding your enterprise through these types of perturbations. Luckily during Dell Peak Performance in Las Vegas, I had the opportunity to discuss the importance of such a partnership with Bill Evans, senior director of product marketing for Dell’s Identity and Access Management businesses.
Kevin: Bill, thank you joining use today. What is your role at Dell?
Bill: Thank you for the invitation, Kevin. I work in the product marketing group within Dell Security. Specifically I support the Identity and Access Management product portfolio.
Kevin: Identity and Access Management is a very important aspect of cloud security. What has changed in the IDAM (identity and access management) marketplace over the past 12 months? The proliferation of devices seems to be the Achilles heel to having secure IT.
Bill: Historically, when it came to IT, everything was centralized. The mainframe, the client-server model and desktop computers were all contained within a company’s network perimeter. That perimeter is now gone and organizations are now trying to deal with an IT world that has no boundaries. A recent analyst report actually stated that identity is now the new perimeter. Protecting the network from intrusion, malware and other threats is still as important as ever. Additionally though, companies need to work harder to control access to data and applications. The focus is not only on outside hackers trying to get in but on the malicious insider as well.
Kevin: With identity and access management as the new boundary for now and into the foreseeable future, how do your customers step up to this formidable challenge?
Bill: Above all, leaders and managers need to be intelligent about the investments they make in this area. This also means avoiding reflexive “knee-jerk” reactions. The first step of the process is conducting an inventory of their current infrastructure. It’s actually impossible to protect every piece of data and frankly, they don’t need to waste money and effort trying to do so. Companies do, however, need to categorize and strongly protect data that is important. Things like personally identifiable information (PII) or healthcare records need to be isolated and surrounded with strong access controls. We call this process prioritizing the need which means developing plans that protect the most sensitive data by using the strongest operationally practical protections. Organizations are then in a position to assess available tools for implementing the needed protections. Dell’s portfolio not only provides solutions for today’s problems, but it also delivers a platform that can address future needs and challenges. Security is not a one-time project so we partner with our customers over the long haul. Making intelligent business decisions across all available technologies is key.
Kevin: You’ve outlined an approach that includes infrastructure deployment decisions in combination with a sort of data triage process. I’ve also been impressed with the breadth and depth of Dell’s security portfolio. With that said, what issues are top of mind for you and the Dell security team. Which of these issues are you planning to address over the next twelve months?
Bill: That’s really a great question. The thing we’re looking at very closely right now is the impact that security has on user productivity. To be honest, on a scale from one to 10, a security and risk professional wants to turn the security dial up to 11. They want to secure everything with multiple credentials that all have very long passwords. Users don’t tend to like that approach, so if you go down that implementation path, people will generally avoid the issue by going around what they perceive as a “security hurdle”. This isn’t good for anybody, including the company.
So what we’re doing is applying some new technology that we refer to as the Dell Security Analytics Engine. Though the use of Dell’s uniquely broad security portfolio, the security analytics engine can enable context-aware security. This capability collects data in real-time from multiple security assets deployed across an enterprise. We can pull information from the Dell laptop as a managed or unmanaged device. We also extract data from the Sonicwall firewall on who is accessing what type of data from where. Data from Dell Secureworks also compares the scenario with blacklists and known threat signatures. All this information is then combined to deliver a context derived risk score to the Dell One Identity Cloud Access Manager. The access manager can then make a real-time decision on that connection.
Let me give you an example. If I log in on a Monday morning at 8:30 a.m. from the office with correct credentials, it’s a pretty safe bet that I am who I claim to be. On the other hand, this week I’m in Las Vegas at Peak Performance and will probably log in from my hotel room tonight at 9:00 p.m. The security analytic engine would flag that as being an unusual occurrence and Cloud Access Manager would interpret the higher risk score as a cue for stepping up authentication requirements. This, for instance, may mean using a one-time authentication token. If my credentials were subsequently used to login at on a Sunday at 2 a.m. from North Korea, the system would read that as a probable attack and block the transaction. The challenge is in finding that right balance between tight security and user productivity. Nine times out of 10, username and password is good enough. That tenth time, however, a little extra precaution is warranted. Users are generally willing to accept a security related inconvenience every once in a while so they won’t try to circumvent the controls. So in effect, the security team can adjust the security dials in real time.
Kevin: This seems to be a more balanced approach to security. At Dell Peak Performance we heard that enterprises have suffered over $600B in cybersecurity losses this year against just a $200B investment to protect against these losses. That doesn’t sound like a balance at all. What should senior decision makers and IT professionals learn from this statistic?
Bill: This really indicates how tough security decisions can be. While enterprises today are spending more money on security, they are also feeling worse about their security posture. Knee-jerk reactions contribute to this dichotomy. Executives, with the best of intentions but focused on addressing singular security issues, serially purchase disparate security products. These types of actions eventually lead to a patchwork of siloed security solutions. Between each of these perfectly effective solutions, however, you will find security gaps through which threats can invalidate a security strategy. As discussed earlier, we strongly recommend targeting a long-term goal with the understanding that the company cannot solve every security problem in one day. Success in this game requires partnering with a vendor that can not only address today’s issues, but also work with you to leverage a coordinated investments over time.
Kevin: With respect to identity and access management, are any specific industry verticals better positioned for this type of balanced approach? Are there any industry specific insights that you can share with us?
Bill: There is an interesting dynamic in play when it comes to user behavior and industry related expectations. While no one industry is easier or harder when it comes to data protection, they all have specific requirements related to their industry’s business model. While the requirements within industries like banking and finance are certainly different than those in healthcare, they all deal with the challenge of balancing security with the desired consumer community experience. In private, management will demand two-factor authentication throughout their respective user communities, but why hasn’t this proven control been broadly implemented? Multifactor authentication isn’t being widely used in the consumer space because of its intrusive impact on the consumer experience. A prospective customer’s decision to bank with Company A or Company B may ultimately be driven by how easy it is to get account information through a smartphone application. Daily decisions of this type forces a constant balancing between security and business needs. As consumers, we decide with our buying actions whether to accept the cost of improved security. Eventually, those same consumers will need to stand-up and state through their buying actions a willingness to pay for more robust security. We advise organizations to act smart by optionally offering enhanced security, now, because over time, all organizations will be moving in that direction.
Kevin: Do you have any final recommendations for the CEO dealing with this dilemma?
Bill: I would counsel all CEOs to start with research. You need to understand your infrastructure, thoroughly understand your threats and attack surfaces and plan for the long term. This will pay high dividends when selecting a security partner that can serve your needs as they morph and change over the long haul.
Kevin: Thank you, Bill, for your words of wisdom.
Bill: You’re welcome Kevin.
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.
( Thank you. If you enjoyed this article, get free updates by email or RSS – © Copyright Kevin L. Jackson 2015)
Cloud Computing
- CPUcoin Expands CPU/GPU Power Sharing with Cudo Ventures Enterprise Network Partnership
- CPUcoin Expands CPU/GPU Power Sharing with Cudo Ventures Enterprise Network Partnership
- Route1 Announces Q2 2019 Financial Results
- CPUcoin Expands CPU/GPU Power Sharing with Cudo Ventures Enterprise Network Partnership
- ChannelAdvisor to Present at the D.A. Davidson 18th Annual Technology Conference
Cybersecurity
- Route1 Announces Q2 2019 Financial Results
- FIRST US BANCSHARES, INC. DECLARES CASH DIVIDEND
- Business Continuity Management Planning Solution Market is Expected to Grow ~ US$ 1.6 Bn by the end of 2029 - PMR
- Atos delivers Quantum-Learning-as-a-Service to Xofia to enable artificial intelligence solutions
- New Ares IoT Botnet discovered on Android OS based Set-Top Boxes