The Daily Incite - June 15, 2006
June 15, 2006
Good Morning:
Today let's talk about "compliance" because I continue to see vendors pulling the same stunts over and over again. First, I want to address what compliance is, since if you pay attention to a NWW review it's basically tools to enforce policy on what should (or should not) be running on a machine. I guess you could map what things like HIPAA and GLBA say to specific policies, but these tools are but one piece of a very complex compliance puzzle. So today I object to the continued manipulation of the term "compliance" to mean pretty much anything that anyone does.
EARTH TO MIKE: Deal with it, it's not going to change because vendors need to hit their numbers and for some strange reason they think that wrapping a compliance bow around something is going to make a difference. If you read James McGovern's post below, you'll see the futility of this. End users are not stupid. 5 years into the compliance game, they understand what will help and what will not. But most importantly they don't want vendors to sell them a compliance vision anymore. They want tools that have a clear value proposition. Maybe it helps with compliance, and they are likely going to pay for it out of the compliance budget - but make no mistake, those vendors that continue to lead with compliance are going to be in a world of hurt.
Have a great day.
Top Security News
Oracle pushes an Identity "ecosystem"
So what? - Oracle made a few Identity Management announcements yesterday at the Burton conference. First, they are positioning a set of interfaces to get 3rd parties to integrate with their infrastructure. See my Smokey Novell and the Bandit post below, because I've seen this movie before. This time I hope technology like Bandit can alleviate the need for application and infrastructure vendors to build to vendor-specific Identity Infrastructures. Of course, looking at it from Oracle's perspective, this is exactly what they should be doing. But to launch with powerhouses like F5, Identity Engines, and Layer 7 Technologies is a bit underwhelming. I guess you need to start somewhere, but not having a Big Security player (Symantec, McAfee, Cisco, et al) on the stage hurts credibility.
http://www.oracle.com/corporate/press/2006_jun/oracle-extended-identity-management-ecosystem.html
Oracle bolsters SSO
So what? - Also yesterday Oracle announced an enterprise SSO offering to fit into their Identity Management Suite. Interestingly enough, it's based on Passlogix's technology, so Oracle joins RSA and IBM as big players using Passlogix. It's interesting that none of Passlogix's OEMs has acquired them yet, given the hurt it would put on the competition. But all the big stack players have roughly the same capabilities, so differentiation is going to be hard to come by for folks wanting big identity infrastructures.
http://www.oracle.com/corporate/press/2006_jun/oracle-enterprise-single-sign-on_0.html
Where's Mr. Clean when you need him?
So what? - Predictably, we've seen the first AJAX worm, targeting the mother of all AJAX applications - the new Yahoo! Mail. Am I worried? Nope, but it means that the application security scanner folks (SPI Dynamics, Watchfire) need to get smart on AJAX real quick. The Yahoo worm was low impact, so no real damage occurred, but AJAX is catching fire, so we as security professionals need to get our arms around how to ensure it doesn't burn down the house.
http://www.informationweek.com/news/showArticle.jhtml?articleID=189400799
Zix does push
So what? - Earlier in the week, Zix announced its new ZixDirect "push" email encryption offering. So now Zix can send an encrypted message to anyone regardless of what they have running on their desktop. I've said quite a bit that encryption is becoming more important, but it's transparency that is most critical. Zix's new offering continues to leverage their own gateway-based policy device to figure out what needs to be encrypted, and this adds another mechanism for delivering the encrypted message. So now Zix can pretty much get an encrypted message to a recipient however they want to receive it (ZixNetwork, S/MIME, PGP, pull portal, and push). It's interesting to see the email encryption market starting to bifurcate, where PostX and Zix have their own policy engines while Voltage and PGP depend on other email security gateways to figure out what needs to be encrypted. The rising tide is lifting all of the respective boats, but over time encryption needs to be married with policy, so companies without a policy engine are definitely exposed.
http://biz.yahoo.com/bw/060612/20060612005866.html?.v=1
"Security compliance" review
So what? - For those of you worried about enforcing a corporate "policy" on the devices in your infrastructure, this NetworkWorld review evaluates 6 different tools. My biggest problem with the review is calling it "compliance", because basically they are configuration assessment tools more than anything else. They enforce policies based on patch levels, software builds, etc. and can generate some decent reports. NetIQ ended up winning the contest, with Symantec's ESM (with the BindView stuff bundled) coming in second. Also interesting is that Elemental Security held its own against "best of breed" desktop/server policy management products, given that the product also does NAC enforcement and auto-endpoint discovery.
http://www.networkworld.com/reviews/2006/061206-compliance-test.html
Top Blog Postings
Winkler on NSA spying
So this post from Ira Winkler has been sitting in my BlogThis! folder for a month, and the reality is that I just don't have the time right now to do a full treatment. But this is a classic, and not from a political perspective. It is a case study in passionately discussing a topic that is clearly important to Ira in a very balanced, but very convincing, manner. Regardless of where you stand on the issues, you have to appreciate the way that Ira made his case that this was the wrong thing for the NSA to do. Personally I agree with him, but it's never cut and dried. But we live by the rule of law in civilized nations and we cannot compromise on that.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000515
Security sales folks don't know how to... sell
This is an entertaining post by James McGovern about some of his frustrations dealing with enterprise security sales people. Clearly this is not an isolated event, as many end users I chat with have similar issues. James rails against positioning everything as SOX related, and that makes me laugh because I've been saying for a while that compliance is a means to an end. So it's good to see a well-spoken end user validate that. This quote sums it up: "Why does every single security software vendor nowadays mention as part of their pitch Sarbanes Oxley compliance? Don't you think us customers have heard this one before? It is way too cliche and should be dropped. Instead focus on your real value proposition." My friend Scott Santucci of BluePrint Marketing calls these folks "third rate consultants" as they try to engage prospects in a compliance discussion without really knowing anything about compliance. Back to the drawing board, security marketers; whatever you are doing - it ain't working.
http://duckdown.blogspot.com/2006/06/venture-capitalists-please-teach-your.html
Service providers see more stuff
Richi Jennings over at Ferris makes an interesting point in this post about the ability of service providers to react faster to new stuff because they see more. Folks like MessageLabs and Postini on the email security side (and of course Microsoft) and ScanSafe on the Web filtering side definitely have an advantage in that they see ALL of their customers' mail through their data centers. Software and appliance based content security solutions have to work harder (through honeypots, complicated local data aggregation, and then communicating information back to the mother ship) to get that kind of data and stay ahead. Not that it's impossible, but it's harder. This is another reason that, over time, the bulk of content security happens in the network.
http://blog.ferris.com/2006/06/why_did_microso.html
Things to keep spam away
Speaking of spam, DarkNet has a good post here about what you can do to avoid being pummeled by spam. If you've been an offender of these rules for a while, well - there isn't much to do besides change your email address. But these are good rules (don't reply to spam, NEVER unsubscribe, etc.) to follow regardless. If you don't think this stuff matters, think again. When I was in the anti-spam space we had a very high profile customer that told all their users (like 5000 of them) to unsubscribe when they got spam. These folks got HAMMERED. Literally just buried. Their spam volumes went up by a factor of 5 in 3 months. Yes, they had to buy more appliances and we were happy. The customer... not so much.
http://www.darknet.org.uk/2006/06/spam-a-simple-guide-to-keeping-your-inbox-clean/
Recently on the Security Incite Rants Blog
Smokey Novell and the Bandit
Novell announced an open source initiative called Bandit to integrate applications with the identity infrastructure. Per usual, Mr. Wet Blanket (yes, that's me) has a lot of thoughts based upon the school of hard knocks. Maybe Novell (and the rest of you) can learn something from my $30 million lesson.
http://securityincite.com/blog/mike-rothman/smokey-novell-and-the-bandit
Inciting: 10 Tips for Pragmatic Security in ComputerWorld
I did a ComputerWorld interview last week about Pragmatic Security: what it is, why it's important, and 10 other security tidbits that you may find interesting.
http://securityincite.com/Inciting-10-Tips-Computerworld
Read Wednesday's Daily Incite
http://securityincite.com/blog/mike-rothman/the-daily-incite-june-14-2006