
RSA Security Blog: A Blog for Security Professiona

The RSA Security Blog, Speaking of Security, features a group of experts, each of whom has knowledge and interest in different areas of the industry: research, developer solutions, engineering and government policy. A Security Blog for anyone seriou

Articles

A Single Europe for Data Protection?
2008-07-15 02:00:00
Last Friday I spent the morning in the company of a lawyer from a top international law firm. Once we'd marvelled that the sun had finally deigned to make an appearance over the grey skies of London, our conversation turned to the rather weightier subject of data privacy. We've been doing a lot of work around using ISO27002 as a framework best practice in developing and deploying a robust information security strategy. As part of that work, I and my "Evangelist" colleagues have taken a stab at mapping various regulations against this "gold standard" in order to help customers understand where overlaps, or indeed gaps, may occur between these various regs...
More About: Europe, Data, Single, Data Protection
Speaking of Security Podcast #113
2008-07-14 02:00:00
Click to Download/Listen (11:11) With users wanting more real-time, self-service options, many organizations have migrated their services to remote channels including the Internet or Call Centers but these services and benefits come with added risks of fraud and identity theft. Knowledge-based authentication (KBA) offers customers the opportunity to benefit from remote interactions with stronger security as well as the added convenience of real-time authentication. Learn more in this week's podcast. In other news, we bid a fond farewell to co-host Matt Buckley.
More About: Security, Podcast, Speaking
Virtualization and Authentication
2008-07-08 02:00:00
Virtualization is one of the most hyped technologies in Information Technology today -- and rightly so. It offers the potential to improve utilization, lower cost of ownership of computers, enhance productivity, ease compliance, increase reliability and potentially improve security. Let's explore the last claim. Without a doubt, there is an impact of virtualization on security, and in particular authentication...
More About: Virtualization, Authentication
Speaking of Security Podcast #112
2008-07-07 17:08:00
Art Coviello Keynote at EMC World: Art Coviello tells a cautionary tale of the future of security and its impact on business innovation at this year's EMC World. Hear how to avoid the perfect storm by integrating security into the platform and using information risk management strategies.
More About: Security, Podcast, Speaking
Timing is Everything...
2008-07-07 02:00:00
I don't want to spend all my time on this blog talking about HMRC (otherwise referred to in the UK as "the taxman"), but a colleague just forwarded me a phishing email he'd just received purporting to be from them, asking him to resubmit his personal details as a "new security measure". While in itself there's nothing particularly big or clever about this attack, it's interesting in that it illustrates a couple of key things. Firstly, that sometimes in order for an attack to be successful, timing is everything...
More About: Timing
More RSA Compliance Solutions Bloggers
2008-07-03 21:30:00
Please join us in welcoming two more RSA Bloggers. The RSA Compliance Solutions team (which already includes Dave Howell and Brad Davenport) has been joined by Andrew Maloney and John McDonald. Please take advantage of the comments field to get answers to your compliance-related security queries!
Why I welcome the Hannigan Report
2008-07-03 20:00:00
As an RSA 'Evangelist' with pan-EMEA responsibilities, I obviously take a special interest in what's happening in the information security world that pertains to this region. Last week saw the publication in the UK of the long-awaited Hannigan Report -- detailing the steps that UK Government departments have taken -- and are expected to take -- to mitigate recent data leakage events which have occurred, most notably in the instance of HMRC. It's a cracking read and one I'd recommend to all insomniacs with a penchant for such topics, but I have to say, I'm actually pretty encouraged by what I read...
Correlation is no silver bullet
2008-07-03 19:26:00
I talk to a lot of security folks about SIEM and log management, and quite often the conversation turns to event correlation. You can spot the people who've never bought a SIEM product, because they start by saying, "Well, I want to know whenever 'x' happens, and then 'y' happens soon after". Admittedly, the situation they cite is usually a real one, and granted, if you do see 'x' and 'y' happening in reasonably quick succession then, chances are, you have a problem. But it's usually not their biggest problem -- in fact, far from it. My favorite is "the guy swiping his badge in Tokyo and then logging on in New York", which I hear time and time again...
More About: Silver, Bullet, Silver Bullet
Finished? Where should I start?
2008-07-01 02:00:00
Many of the merchants I speak with are sharply focused on addressing specific PCI security requirements. While implementing the controls needed to meet the requirements is absolutely critical, I can't stress enough the importance of taking time to aim before firing. It's no secret that PCI compliance is focused on securing cardholder data and infrastructure. Simply put, you can't secure what you don't manage and you can't manage what you don't know about. Before you go looking for all instances of cardholder data, you must be prepared to find more than expected. Most merchants are aware of the cardholder data in their database(s). But what about payment applications or payment portals that temporarily store the data? Or customer service reps e-mailing credit card information to confirm or dispute an order?...
More About: Start
Speaking of Security Podcast #111
2008-06-30 02:00:00
Click to Download/Listen (07:04) The fear of data leakage through loss, theft or careless use of USB flash drives is rising dramatically throughout the enterprise. This week we discuss the problem and potential solutions with Dror Todress, Senior Manager, Marketing, for SanDisk Corporation’s Enterprise Division, an RSA Secured Partner.
More About: Security, Podcast, Speaking
The SIEM and the SOC -- what's useful and what's not?
2008-06-26 02:00:00
So earlier this year, again in my past life as an analyst, I spoke to a bunch of users, vendors and experts hoping to get some best practices about creating a Security Operations Center (SOC). For Forrester customers, I published my findings here. To be honest, I originally came at this piece of research as a way to define the place of a SIEM product in a SOC, so I diligently asked everyone I interviewed what technologies they thought were central to a security operations function. The answers I got were pretty unexpected, and normally started with the phrase "Technology? Oh that's an afterthought." When we think of a SOC, we often have this picture of a big room, full of people in rows staring at a big screen up front, with monitors in front of them...
New RSA Compliance Solutions Bloggers
2008-06-25 02:00:00
Please join us in welcoming a new set of RSA Bloggers. The RSA Compliance Solutions team -- including Dave Howell and Brad Davenport -- will be penning a set of blog entries for "Speaking of Security" around the theme of Simplified Compliance. Please take advantage of the comments field to get answers to your compliance-related security queries!
Defining "Compliance"
2008-06-25 02:00:00
As part of the RSA Compliance Solutions team I meet with companies all over the world to discuss their security challenges and priorities. Inevitably I spend much of my time discussing ... you guessed it ... compliance. It is eye-opening to see how differently our customers and partners, as well as folks within RSA, define compliance. From what I've seen, most will immediately gravitate towards the notion of meeting the stated or implied security requirements within governmental mandates, such as Sarbanes-Oxley and HIPAA. In addition, "compliance" certainly conjures up images of the PCI Data Security Standard, which isn't surprising considering how many organizations these requirements impact. What we don't tend to see initially is a broader view of compliance...
The "E" word
2008-06-24 02:00:00
I met with a merchant this morning to talk PCI compliance. Like many of the conversations I've had with merchants, things got a bit more interesting when the discussion focused on cardholder data protection. They joked that the new rev of the PCI Standard, version 1.2 -- due out in October -- would eliminate the data protection requirements. All joking aside, the truth is that data protection isn't going anywhere when it comes to the PCI DSS. While there are other alternatives, such as hashed indexes, truncation and...
More About: Word
Speaking of Security Podcast #110
2008-06-23 02:00:00
Click to Download/Listen (12:39) Both Gartner and Forrester, two of the leading independent technology and market research firms, recently evaluated data loss prevention (or DLP) vendors in their annual reports on this market. RSA's Data Loss Prevention Suite was named as a leader by both of these firms. Paul Joyal talks about these reports with Tom Corn, Vice President of Products for RSA's Data Security Group. And we continue with another giveaway for Podcast Listener Appreciation Month for all responders to our Authentication Poll! Listen to this week's podcast for the secret word!
More About: Speaking
Musings of a former analyst
2008-06-19 02:00:00
Morning all. Welcome to my new blog, where I'll be musing upon the weird and occasionally fascinating world of security information and event management (SIEM). Before we start, though, people might have a few questions that I'll try to answer right now. Didn't you used to be an analyst? Yep, I used to cover the SIEM space for Forrester, as well as a bunch of data security and architecture topics. However, all good things must come to an end - I was certainly approaching the end of my shelf life in that world. It was a privilege, though, as I got to spend a huge amount of time talking to people about their security priorities and looking at how that translated into requirements for new tools and ways of doing things. Now I get to help turn these conversations and ideas into something tangible...
More About: Musings, Analyst
Speaking of Security Podcast #109
2008-06-16 02:00:00
Click to Download/Listen (05:48) Last week's headline: "RSA, The Security Division of EMC, Expands Identity Assurance Portfolio with Flexible Card-Shaped Authenticator to Provide Convenient Online Security" is the topic of this week's interview with RSA's Rachael Stockton. And we continue with another giveaway for Podcast Listener Appreciation Month for all responders to our Authentication Poll! Listen to this week's podcast for the secret word!
More About: Speaking
Speaking of Security Podcast #108
2008-06-09 02:00:00
Click to Download/Listen (08:24) We continue June with another giveaway for Podcast Listener Appreciation Month! Listen all month long for chances to WIN fabulous prizes... Details are in the podcast for this week's contest. In this episode, Matt Buckley interviews one of our new Speaking of Security Bloggers, Paul Stamp, formerly of Forrester Research who is now a Senior Manager, Product Marketing, in RSA's Information and Event Management Group. Speaking of SIEM, RSA is positioned in the Leaders quadrant within Gartner's Q1 2008 Magic Quadrant for SIEM.
RSA DLP Suite Riding the Forrester Wave™
2008-06-06 19:22:00
So the weekend is approaching and you decide to go to the movies. If you are like me, you probably check your trusted source for movie reviews and then think twice about going if the review is less than favorable. In the IT industry, the opinions of Forrester and other lead analysts carry even greater weight in the eyes of customers than Siskel and Ebert in their heyday. So, we are very pleased indeed to see the June 2008 Forrester Wave™: Data Leak Prevention, Q2 2008 which cited RSA as a leader in the Data Loss Prevention (DLP) product category with our RSA DLP Suite. Some highlights from the report include...
More About: Riding
What does 'PCI Compliance' Really Mean?
2008-06-06 02:00:00
I've just returned from EMC's annual user conference, EMC World. The attendance at the PCI sessions and the related discussion between many of the 9,000 customers and partners in attendance really underscored the progress that's being made with respect to cardholder data security. One of the issues that came up in nearly every conversation I had, in some form or another, was: "What does PCI compliance really mean?" This question brings up two very important concepts....
More About: Compliance
Speaking of Security Podcast #107
2008-06-02 02:00:00
Click to Download/Listen (08:24) June is Podcast Listener Appreciation Month! Listen all month long for chances to WIN fabulous prizes... Details are in the podcast for this week's contest. This episode also includes an encryption Q&A with Rich Mogull, founder of Securosis.com and formerly of Gartner. Earlier this week he presented "How Encryption and Key Management Solutions Fit into an Overall Information Risk Management Strategy" during part 1 of a 2-part RSA web seminar series on encryption. Watch the full replay here and/or sign up for next week's part 2 here.
More About: Security, Speaking
Password Expiration: Like Margarine and Water?
2008-05-27 02:00:00
We often swallow ideas that we needn't or shouldn't. Take the onetime urging of nutritionists to substitute margarine for butter in the cause of cardiovascular health. When this advice was first circulating, most margarines contained high quantities of trans fats, concoctions that have turned out to be so harmful - to the heart, among other things - that they are now banned in restaurants in NYC. Similar dogma applies to the advice to drink eight eight-ounce glasses of water a day for overall good health. Everyone knows the advice. But no one seems to know where the 8x8 rule comes from or if it is good or bad. So what pieces of conventional wisdom in computer security are like margarine and the 8x8 water doctrine? I'd hold forth password expiration as a prime candidate.
More About: Water, Password
Speaking of Security Podcast #106
2008-05-26 02:00:00
Click to Download/Listen (07:13) Paul Joyal interviews RSA's Rachael Stockton and Phil Darringer about how the RSA SecurID software token for BlackBerry and other mobile and portable devices can be used to authenticate to network and online resources. For more information on this technology, visit www.rsa.com and/or download our solution brief, "RSA SecurID® Authentication Solutions for BlackBerry® Devices."
More About: Security, Podcast, Speaking
Key Congressional Committee Strongly Criticizes Efforts to Mitigate Electri
2008-05-21 02:00:00
Today's hearing on the security of the United States' critical infrastructure was as spirited a Congressional hearing on cyber security issues as I have seen during my career, and it's clear that key Members of Congress from both political parties are running out of patience and want to see cyber vulnerabilities taken more seriously immediately, in the bulk power industry in particular. In a scathing opening statement, U.S. Representative Jim Langevin (D-RI), Chairman of the Subcommittee on Emerging Threats, Cybersecurity, and Science & Technology, said that "I think we could search far and wide and not find a more disorganized, ineffective response to an issue of national security."...
More About: Committee
Speaking of Security Podcast #105
2008-05-20 02:00:00
A Framework-Based Approach to Regulatory Compliance: In Speaking of Security's 105th security podcast we talk to Dave Howell, Senior Manager Solutions Marketing, about how organizations are turning to a framework-based approach to manage ever-expanding and overlapping regulatory requirements.
More About: Podcast
UK's Information Commissioner gets expanded powers in Criminal Justice and
2008-05-15 02:00:00
The United Kingdom's Information Commissioner's Office received new authority to levy fines on organizations that "deliberately" or "recklessly" violate the U.K.'s "Data Protection Act", or DPA, of 1998. In a little noticed amendment to the Criminal Justice and Immigration Act of 2008, the 1998 DPA was updated to enable the Information Commissioner to impose serious fines on organizations. This change in the UK's data protection law was spurred by a string of high-profile breaches of personally-identifiable information in the U.K. over the last year, including the large-scale data breach at Her Majesty's Revenue and Customs agency...
More About: Criminal Justice
Follow-up on RSA Conference
2008-05-13 02:00:00
It was another great RSA Conference this year, with interesting workshops, great exhibitor activity, informative sessions and lots of time to network with customers, partners and fellow employees. My flight was cancelled on Sunday, so I missed the Concordia Workshop on Monday, but the Liberty Alliance Workshop was very interesting. Geisinger Health System had a very nice presentation on how they are using federation to provide improved information to health care providers to improve patient care, particularly in emergency room visits. RSA also made a number of exciting announcements...
Speaking of Security Podcast #104
2008-05-12 02:00:00
Click to Listen/Download (10:14) Paul Joyal interviews the President of Corporate Integrity, Michael Rasmussen, about "Developing a Sustainable and Cost Effective IT Compliance Program." For the companion white paper, click here. Other RSA resources on this approach can be found at www.rsa.com/compliance.
More About: Security, Podcast, Speaking
Speaking of Security Podcast #103
2008-05-05 02:00:00
EMC PowerPath Encryption with RSA: Happy Cinco de Mayo and welcome to the latest Speaking of Security video podcast. Today host Paul Joyal speaks with Colin Bailey of EMC and Katie Curtin-Mestre of RSA, The Security Division of EMC, about this new scalable solution that leverages RSA Key Manager for the Datacenter.
More About: Podcast
Is it safer to fly or drive? (and why you can't do one without the other)
2008-05-01 02:00:00
Kevin Bowers is a Research Scientist at RSA Laboratories. Here are his views on the controversy surrounding REAL ID. What do you think? I'm getting married this summer and my family will be traveling to the wedding. In order to make the trip, my parents recently renewed their passports. Not because I'm getting married at an exotic destination, but because they live in Montana and have to fly to the wedding. Like several other states, Montana has refused to comply with the requirements of the REAL ID Act of 2005. The Department of Homeland Security (DHS) had threatened to prevent residents from those states from using their state-issued driver's licenses as identification at airport security, effective May 11th. As it happens, the DHS recently granted all states an extension to the May 11th deadline, allowing them additional time to become REAL ID compliant.
More About: Drive


© Blog Toplist 2008 - Supported by Web Catalog - SEO by FeWorks