Friday, March 29, 2019

New Paradigm

Just watched the Tom Field, Steve Katz “interview.”

I might have identified one or two new threats or changes to the environment. Not sure I would do anything different as a result of what I heard. We need drastic changes to security to address the applications and environments that Steve described. I used to believe that risk increased in proportion to use, uses, and users but now it is increasing exponentially. We are around the knee of the “hockey stick” curve.  Doing the same things harder is not cutting it.

We need strong authentication, adaptive authentication, federated identity, end-2-end application layer encryption (Network Defined Security) (“zero trust”), “least privilege” access control (or at least “read-only” or “execute-only”), multi-party controls for sensitive capabilities, strong accountability and control for privileged users (PAM), and greatly improved pro-active threat detection. We need out-of-band confirmations and alerts for all transactions, many data changes, and some uses. We need document management systems for intellectual property. Some enterprises may be doing one or two of these, almost none are doing all of them.  

See my interview with Peter Denning.

Thursday, March 7, 2019

Interview in the Communications of the ACM

In this article, I argue that there is a significant difference between today’s state of security practice, in which convenience trumps security, and the real requirements.  The current practice leaves us vulnerable to the threat sources and their attack methods that we are seeing.  I make a number of recommendations for changes to the practice.