SearchSecurity: The new breed of unified threat management tools

Unified threat management devices have traditionally been suited for small and medium-sized business networks. UTMs combine a number of essential technologies, including firewall, perimeter antimalware and antispam, VPN, Web content filtering and more, but historically have not been capable of handing the traffic load of a large enterprise network. Now, UTM vendors are integrating a host of new features in an attempt to become more competitive against other enterprise-grade security appliances.

You can watch the five minute screencast that I did for SearchSecurity here. I cover several different products, including Fortinet, Sophos, Checkpoint and Juniper.

Dice: Time to Reassess Your Network Access Rights

At the heart of the celebrated case of Edward Snowden lies one important fact: The infamous contractor gained access to the trove of documents that he ultimately leaked to journalists by escalating his access rights. And despite this very real poster boy having been in the news for the past several months, many enterprises haven’t done much with reeling in — or even auditing – the access rights they have in place.

You can read the story posted on Dice here.

Time to catch up on new encryption protocols

lock-and-key-icon-thumb355812Remember when encryption meant scrambling your hard drive and using PGP for your email? It seems so quaint. Nowadays encryption has gotten much more complex, thanks to our friends in government agencies that have tapped into the Internet and made copies of our data out in the Utah desert. Or, make that metadata, sorry, it is hard to get the precise information, even with the NSA giving demos of its software tools to CBS.

The Electronic Frontier Foundation recently compiled a report card of the many faces of encryption that a modern Internet provider needs to operate on. It is a daunting list, but one that you all should read carefully and see how much work needs to be done in this area.

The report lists five different encryption practices that the major cloud players need to take, including:

  1. Encrypt all of the links between their data centers that traverse the public Internet.  Ever since we all found out how the NSA was taping into public peering points, this seems like a good precaution for any provider to do. Microsoft and Facebook are in the process of implementing this; Google, Dropbox and Twitter already have.
  2. Support Secure HTTP by default for all Web access: this isn’t anything new and something that began several years ago, but Yahoo (always a day late) has only implemented this for its email services.
  3. Use HTTP Strict Transport Security (HSTS) protocols for all their Web traffic to avoid any of the newer browser-in-the-middle attacks. This protocol has been around for a year, although it is still far from being implemented widely.
  4. Use forward secrecy to hide encryption keys. Without this, someone who learns of a key can decrypt previously archived messages: does this sound familiar?
  5. Use the START TLS protocol to encrypt email traffic between different email servers, again to avoid man-in-the-middle attacks. This protocol has also been around for some time, but isn’t implemented universally.

If we look through the EFF list, LinkedIn comes up short on all measures, although promising to get started next year. The same is true for the many connectivity providers, such as Comcast, Verizon, and AT&T. Coincidently, that is where the government taps seem to be located. Harrumph.

One thing the EFF report could do a better job of is showing the major browsers and whether they support all these not-so-newfangled protocols: guess what, they don’t. For example, IE 10 lacks HSTS support. Here is a report from the good folks at OWASP that does show this information, although it is somewhat outdated.

FedTech magazine: Cisco’s ASA-5512-X review

dashboard betterTo better protect the enterprise network, organizations need stronger firewalls. Cisco Systems’ Adaptive Security Appliance 5512-X delivers a solid set of features to address those needs: Zero-day malware protection, application-aware software and integration with endpoint device control for end-to-end security.

You can read my review here for FedTech Magazine.

Network World: Mobile Device Manager Review

airwatch 2Mobile Device Managers (MDMs) make a lot of sense when you are trying to control whom can access your enterprise network and applications from particular phones and tablets. But to effectively evaluate these products, you should first consider what exactly are you trying to control: the apps on particular devices, the pairing of a user with his or her device, the device itself, or the collection of files on each device. Each MDM has a somewhat different perspective, and has strengths and weaknesses in terms of what it can control best.

In my review today for Network World, I looked at six different products: AirWatch (pictured above), Apperian’s EASE, BlackBerry’s Enterprise Server 10 (BES10), Divide, Fixmo, and Good Technology’s Good for Enterprise. No single MDM product won this review; all had serious flaws that would prevent them from being successfully deployed, depending on your circumstances.

The need for better mobile security is obvious: witness this story from last year about a hospital volunteer taking pictures of patient records with his phone and them selling them. Sadly, most current MDMs still wouldn’t be able to prevent something this overt.

The MDM arena is still pretty immature, akin to where the anti-virus world was decades ago. Security profiles are somewhat clunky to install and administer and some vendors don’t support vintage versions of iOS or Android. Topping this off: once you find phones that have been compromised, there is no easy way to return them back to a pristine condition, largely through the fault of the mobile OS vendors.

Expect to pay between $20 to $75 per user or per device per year, which can add up if you have a lot of phones to protect. Few vendors are transparent about their pricing (Airwatch and Blackberry are notable exceptions).

Good and BlackBerry do the best jobs of protecting your messaging infrastructure, so if that is the primary reason for picking an MDM product you should start with these two. Divide had the most appealing management console and overall simplest setup routines, and also supports licensing unlimited devices per user. And Apperian is great for corporations that have developed a large collection of their own apps and want a consistent set of security policies when deploying them.

You can see the full range of screenshots for my review in this deck.

Restaurant Technology: How loyalty programs can help

LoyaltyWhether based on cards or mobile apps, single-brand restaurant loyalty programs have lots of appeal. In this article for Restaurant Technology magazine (see the PDF copy), I write about what some of the leading chains are doing with digital loyalty programs (such as this screenshot from POSiq’s CRM system shown above) and how they benefit their sales and marketing programs.


ITworld: A/B tests: Cut the fluff and spend the pixels on what works

surlatableA/B testing is like many things that can be vexing about the Web: a simple concept can turn into a complex programming project. But while the idea is simple — producing two (or more) different web pages for your site and instrument them to see which one drives more traffic or more sales – getting it to work can be fraught with politics and the actual implementation details.

Why bother? Mainly because there is almost nothing else that you can do that can have such a big effect. Just by changing the text size or button color you can generate a 50% increase in clickthrough rates.

You can read more about A/B tests in this article for ITworld and also view an accompanying slideshow that illustrates how to improve your own Web pages with four interesting examples, such as the one above showing three different versions of the Sur La Table website.

ITworld: 6 mapping trends from Techonomy13

streetrx2If you haven’t yet gotten into mapping your data, now might be a good time to take a closer look at the technologies available. While maps have been around for thousands of years, the digital kind are a more recent innovation and more of a communications language, to visually display content and get context. Plus, they are universally recognized by everyone.

In this article for ITworld and the accompanying slideshow of maps, I talk about six trends that businesses can capitalize on with using these tools.

ArsTechnica: Why it’s not time for converged networks

The days of having separate, dedicated networks for video, voice, storage, and general data applications are behind us. In the past, many IT departments had separate groups to manage voice and data, with separate wiring and infrastructures. They even used different vocabularies.

Many companies have been tempted by the notion that everything should be managed in one big happy converged infrastructure, with everything running through the same switches and wires.

To read why that may not be such a great idea, see my story posted in ArsTechnica today.