Friday, June 29, 2012

In 5 Minutes or Less Video - IP Intelligence Service

I show you how to configure the IP Intelligence Service available on BIG-IP v11.2, in 5 Minutes or Less.  By identifying relevant IP addresses and leveraging intelligence from cloud-context security solutions, F5's new IP Intelligence service combines valuable information on the latest threats with the unified policy enforcement capabilities of the BIG-IP application delivery platform.   Deployed as part of the BIG-IP system, F5’s IP Intelligence service leverages data from multiple sources to effectively gather real-time IP threat information and block connections with those addresses. The service reveals both inbound and outbound communication with malicious IP addresses to enable granular threat reporting and automated blocking, helping IT teams create more effective security policies to protect their infrastructures.

In 5 Minutes or Less - IP Intelligence Service

A free 30-day evaluation of the IP Intelligence service is available.

ps


Technorati Tags: F5,big-ip,security,threat prevention,infrastructure,big data,cloud,GDI,ip intelligence

Connect with Peter: Connect with F5:

Thursday, June 28, 2012

Will BYOL Cripple BYOD?

Don’t ya love all the acronyms we have?

So by now, you’ve probably heard that BYOD means Bring Your Own Device – a topic that is getting lots of press these days. It is the concept of allowing employees to use their own personal device, often mobile, for work-related tasks. This could reduce the overall expenditure for IT-issued devices, and many organizations feel users are happier and more productive when they are using the device of their desire. There could be a snag, however, when it comes to licensing. Does BYOD also require Bring Your Own License? In many instances, this is an area that IT needs to keep an eye on and often the answer is yes.

Some of the most common enterprise software licensing agreements require licensing any device used "for the benefit of the company" under the terms of the enterprise agreement.  That often means that all those BYO devices will require a license to access common corporate applications.  This also means that even if the user already has a particular license, which they purchased on their own or it came with the device, the organization might still need to license that device under their enterprise software agreement.  This could diminish any cost savings from the BYOD initiative. 

There are solutions, such as using alternative products that are not restricted by licensing, but those may not have the key features required by your workforce. Another idea is to move primarily to virtualization for provisioning apps with restrictive client access licenses (CALs). Some software licenses require one CAL per concurrent connection, some require one CAL for each unique client regardless of concurrency, and some do not require CALs at all. IT needs to understand if their situation is per-user or per-device and what impact that may have on a BYOD policy.

ps


Technorati Tags: F5, smartphone, integration, byod, Pete Silva, security, business, education, technology, application delivery,ipad,mobile device, context-aware,android, iPhone, web, internet, security


Monday, June 18, 2012

The Exec-Disconnect on IT Security

Different Chiefs give Different Security Stories.

A recent survey shows that there is a wide gap between CEOs and Chief Security Officers when it comes to the origin and seriousness of security threats. They differ on how they view threats to IT infrastructure and remain far apart on how to best address an issue that, according to analyst reports, costs organizations more than $30 billion annually. The survey of 100 CEOs and 100 CISOs (or other C-levels with security responsibility) shows that the discrepancy is often due to lack of communication. 36% of CEOs said that they never get a security report from their CISO and only 27% receive updates on a regular basis. Is it the CISO that doesn’t report back or the CEO that is not interested? Let’s look at some more data.

The CISO felt that the biggest threat was internal (their employees) due to lack of education and attention, while the CEO felt that the biggest threat was from the outside, such as phishing attacks. Thus, 61% of CEOs said they did have enough time and resources to adequately train the staff on how to mitigate threats while only 27% of CISOs felt the same. It’s opposite day. When asked if their IT systems were ‘definitely’ or ‘probably’ under attack without their knowledge, 58% of CISOs said yes while only 26% of CEOs agreed. The chasm grows. What percentage of each, do you think, said they were very concerned about their IT systems getting hacked? 30 seconds on the clock, please. Don’t peek. Only 15% of CEOs and ‘only’ 62% of CISOs are anxious about breaches. 15%? That’s it? Maybe they have great confidence in their security team…or, they don’t have the information. 65% of CEOs admitted to not having the sufficient data needed to interpret how security threats translate to overall business risk. Wow, the very day-to-day operations. Granted, the CEO is further removed from the specific threats and how they are handled, but there is clearly a distance between how each views threats and the company’s ability to successfully mitigate them.

Lack of interest or lack of understanding/information? Probably both. An old adage was that a great boss hired people who were good at the things he/she wasn’t so good at. Surround yourself with those who know their areas better. Or maybe there is a culture that you don’t alert the top unless it’s dire, critical or unstoppable. Whether it is communication or interest, it is evident that the C-suite isn’t really talking about these critical business issues, especially when 3 times as many CEOs worried about losing their jobs following an attack as did CISOs.

ps


Technorati Tags: F5, security research, botnet, threat landscape, Pete Silva, security, business, technology, cloud,compliance,regulations, web,internet


Monday, June 11, 2012

The Changing Security Threat Landscape Infographic

In conjunction with a new video and a security white paper, this F5 infographic validates the need for organizations to rethink security practices.  The global security threat landscape is rapidly evolving and has changed dramatically in ways unfathomable just a few years ago.  Due to this growing complexity and the rise of many unknown forces in the battle for information and causes, customers must rethink how they protect their network, applications, and data from ever-changing threats.

[Infographic image: F5_Security-Infograph_RevG-1024_060812]

(you can reuse within your own blogs, etc)

ps


Technorati Tags: F5, security research, botnet, threat landscape, Pete Silva, security, business, technology, cloud, compliance,regulations, web,internet


Thursday, June 7, 2012

The Cloud Impact and Adoption Infographic

Maybe you’ve noticed but I’ve been on an infographic kick lately – especially when it’s something interesting.  This time it is an aggregated infographic of data primarily from Forrester, IDC and Gartner as it pertains to the cloud’s impact and adoption thru 2015.  According to Axway, the cloud is expected to become the primary operating system for enterprise by 2014, mobile devices are driving adoption, and the cloud hype is over, this thing is for real.


Full jpg can be found here.

ps


Technorati Tags: F5, cloud research, integration, cloud computing, Pete Silva, security, business, technology, cloud, compliance, regulations, web,internet


Tuesday, June 5, 2012

FedRAMP Ramps Up

Tomorrow, June 6th, the Federal Risk and Authorization Management Program, the government’s cloud security assessment plan known as FedRAMP, will begin accepting security certification applications from companies that provide software services and data storage through the cloud. On Monday, GSA issued a solicitation for cloud providers, both commercial and government, to apply for FedRAMP certification. FedRAMP is the result of government’s work to address security concerns related to the growing practice of cloud computing and establishes a standardized approach to security assessment, authorizations and continuous monitoring for cloud services and products. By creating industry-wide security standards and focusing more on risk management, as opposed to strict compliance with reporting metrics, officials expect to improve data security as well as simplify the processes agencies use to purchase cloud services, according to Katie Lewin, director of the federal cloud computing program at the General Services Administration.

As both the cloud and the government’s use of cloud services grew, officials found that there were many inconsistencies in requirements and approaches as each agency began to adopt the cloud. FedRAMP’s goal is to bring consistency to the process but also give cloud vendors a standard way of providing services to the government. And with the government’s cloud-first policy, which requires agencies to consider moving applications to the cloud as a first option for new IT projects, this should streamline the process of deploying to the cloud. This is an ‘approve once, and use many’ approach, reducing the cost and time required to conduct redundant, individual agency security assessments.

Recently, the GSA released a list of nine accredited third-party assessment organizations—or 3PAOs—that will do the initial assessments and test the controls of providers per FedRAMP requirements. The 3PAOs will have an ongoing part in ensuring providers meet requirements.

FedRAMP provides an overall checklist for handling risks associated with Web services that would have a limited or serious impact on government operations if disrupted. Cloud providers must implement these security controls to be authorized to provide cloud services to federal agencies. The government will forbid federal agencies from using a cloud service provider unless the vendor can prove that a FedRAMP-accredited third-party organization has verified and validated the security controls. Once approved, the cloud vendor would not need to be ‘re-evaluated’ by every government entity that might be interested in their solution. There may be instances where additional controls are added by agencies to address specific needs.

Independent, third-party auditors are tasked with testing each product/solution for compliance, which is intended to save agencies from doing their own risk management assessment. Details of the auditing process are expected early next month but include a System Security Plan that clarifies how the requirements of each security control will be met within a cloud computing environment. Within the plan, each control must detail the solutions being deployed, such as devices, documents and processes; the responsibilities of providers and the government customer to implement the plan; the timing of implementation; and how the solution satisfies the controls. A Security Assessment Plan details how each control implementation will be assessed and tested to ensure it meets the requirements, and the Security Assessment Report explains the issues, findings, and recommendations from the security control assessments detailed in the Security Assessment Plan. Ultimately, each provider must establish means of preventing unauthorized users from hacking the cloud service.

The regulations allow the contractor to determine which elements of the cloud must be backed up and how frequently. Three backups are required, one available online.  All government information stored on a provider's servers must be encrypted.  When the data is in transit, providers must use a "hardened or alarmed carrier protective distribution system," which detects intrusions, if not using encryption.  Since cloud services may span many geographic areas with various people in the mix, providers must develop measures to guard their operations against supply chain threats.  Also, vendors must disclose all the services they outsource and obtain the board's approval to contract out services in the future.

After receiving the initial applications, FedRAMP program officials will develop a queue order in which to review authorization packages.  Officials will prioritize secure Infrastructure as a Service (IaaS) solutions, contract vehicles for commodity services, and shared services that align with the administration’s Cloud First policy. 

F5 has an iApp template for NIST Special Publication 800-53 which aims to make compliance with NIST Special Publication 800-53 easier for administrators of BIG-IPs.  It does this by presenting a simplified list of configuration elements together in one place that are related to the security controls defined by the standard. This makes it easier for an administrator to configure a BIG-IP in a manner that complies with the organization's policies and procedures as defined by the standard.  This iApp does not take any actions to make applications being serviced through a BIG-IP compliant with NIST Special Publication 800-53 but focuses on the configuration of the management capabilities of BIG-IP and not on the traffic passing through it.

ps


Technorati Tags: F5, federal government, integration, cloud computing, Pete Silva, security, business, fedramp, technology, nist, cloud, compliance, regulations, web,internet
