Monday, February 29, 2016
RSA Security Octagon: What's the Best Way to Secure Applications?
We're doing something a little different this year at #RSA with a Security Octagon. Everyone loves a good debate, and in the security community discussions pop up constantly around a myriad of topics, with individuals or groups in the community taking opposing sides in these quarrels. While we’re not looking for a knock-down, drag-out geek fight, we are looking for a spirited debate in hopes of engaging with security pros to lend their support and opinions to the topic.
In the first debate we focus on the topic of application security. Is application security just secure coding or is it more than that? Preston Hogue from F5 and Jeremiah Grossman from WhiteHat Security are our first participants to discuss 'What's the Best Way to Secure Applications?'
How can you play along?
Visit https://f5.com/securityoctagon to cast your vote and comment on the discussion.
1. Make sure to use the appropriate #hashtag:
a. #TeamGrossman
b. #TeamHogue
2. Can’t pick a camp to support? Promote the program overall:
a. #SecOctagon
If you're at RSA, visit F5 booth 1515 and say 'Aloha' to DevCentral folks John Wagnon and Jason Rahm and ask how you can Integrate WhiteHat Scans With BIG-IP ASM.
And a very special thanks to Jeremiah for participating this year. I always appreciate his security insight, and for a look back at previous RSAs, here are the past 5 years of interviews we did together.
RSA2015 - The InfoSec Landscape with Jeremiah Grossman
RSA 2014: Jeremiah Grossman Interview
RSA2013: Interview with Jeremiah Grossman
RSA 2012 - Interview with Jeremiah Grossman
RSA2011 - Interview with Jeremiah Grossman
Enjoy the show!
ps
Tuesday, February 23, 2016
Would You Put Corporate Applications in the Cloud?
There once was a time when organizations wouldn’t consider deploying critical applications in the cloud. It was too much of a business risk from both an access and an attack perspective—and for good reason, since 28 percent of enterprises have experienced more security breaches in the public cloud than with on-premises applications. This is changing, however. Over the last few years, cloud computing has emerged as a serious option for delivering enterprise applications quickly, efficiently, and securely. Today almost 70 percent of organizations are using some cloud technology. And that approach continues to grow. According to the latest Cisco Global Cloud Index report, global data center IP traffic will nearly triple over the next five years. Overall, data center IP traffic will grow at a compound annual growth rate of 25 percent from 2012 to 2017.
This growth is to support our on-demand, always connected lifestyle, where content and information must be accessible/available anytime, anywhere, and on any screen. Mobility is the new normal, and the cloud is the platform to deliver this content. No wonder enterprises are scrambling to add cloud components to their existing infrastructure to provide agility, flexibility, and secure access to support the overall business strategy. Applications that used to take months to launch now take minutes, and organizations can take advantage of innovations quickly. But most IT organizations want the cloud benefits without the risks. They want the economics and speed of the cloud without worrying about the security and integration challenges.
Use of the corporate network itself has become insecure, even with firewalls in place. Gone are the days of “trusted” and “untrusted,” as the internal network is now dangerous. It'll only get worse once all those IoT wearables hit the office. Even connecting to the corporate network via VPN can be risky due to the network challenges. Today, almost anything can pose a potential security risk, and unauthorized access is a top data security concern.
Going against the current trend, some organizations are now placing critical applications in the cloud and facing the challenge of providing secure user access. This authentication is typically handled by the application itself, so user credentials are often stored and managed in the cloud by the provider. Organizations, however, need to keep close control over user credentials, and for global organizations, the number of identity systems can be in the thousands, scattered across geographies, markets, brands, or acquisitions. It becomes a significant challenge for IT to properly authenticate the person (whether located inside or outside the corporate network) to a highly available identity provider (such as Active Directory) and then direct them to the proper resources. The goal is to allow access to corporate data from anywhere with the right device and credentials. Speed and productivity are key.
Authentication, authorization, and encryption help provide the fine-grained access, regardless of the user’s location and network. Employee access is treated the same whether the user is at a corporate office, at home, or connected to an open, unsecured Wi-Fi network at a bookstore. This eliminates the traditional VPN connection to the corporate network and also encrypts all connections to corporate information, even from the internal network.
In this scenario, an organization can deploy the BIG-IP platform, especially virtual editions, in both the primary and cloud data centers. BIG-IP intelligently manages all traffic across the servers. One pair of BIG-IP devices sits in front of the servers in the core network; another pair sits in front of the directory servers in the perimeter network. By managing traffic to and from both the primary and directory servers, the F5 devices ensure the availability and security of cloud resources—for both internal and external (federated) employees. In addition, directory services can stay put as the BIG-IP will simply query those to determine appropriate access.
While there are some skeptics, organizations like GE and Google are already transitioning their corporate applications to cloud deployments and more are following. As Jamie Miller, President & CEO at GE Transportation, says, 'Start Small, Start Now.'
ps
Related:
- CIOs Face Cloud Computing Challenges, Pitfalls
- Google Moves Its Corporate Applications to the Internet
- GE's Transformation... Start Small, Start Now
- Ask the Expert Why Identity and Access Management?
Thursday, February 18, 2016
Wearing Emotions on Your Sleeve...Literally
Imagine if your emotions and feelings could be measured, tracked and included in a data graph.
I'm sure you've heard the saying 'wearing your heart on your sleeve' to indicate that someone expresses their emotions freely or exposes their true emotions without caution. This can be good in that you become open and vulnerable when showing your true feelings but can jade areas like composure in situations where you might be frustrated or irritated.
I tend to be fairly open with my emotions.
There are a few stories about the origin of the saying going back to the Middle Ages. Emperor Claudius II felt unattached men make better warriors so he outlawed marriage. To alleviate some of the grievances, every year during the Roman festival honoring Juno, he'd allow temporary coupling where men drew names to determine who would be their lady friend for the year. The man would wear her name on his sleeve for the festival. Around the same time, when knights performed jousting matches, they'd dedicate their match to a lovely lady of the court. By wearing her hanky around his arm, he was signaling that he was defending her honor.
And in Shakespeare's Othello, Iago confesses,
For when my outward action doth demonstrate
The native act and figure of my heart
In complement extern, ’tis not long after
But I will wear my heart upon my sleeve
For daws to peck at. I am not what I am.
– Othello, Act 1, Scene 1, 61–65
Whatever the origin, humans are emotional creatures. We typically make choices based on emotion, even though we'd like to think it was a rational decision. We may try to hide our emotions so as not to upset or reveal something to another person. Often called a Poker Face.
But imagine if your emotions and feelings could be measured, tracked and included in a data graph. Other than a polygraph. Daydream no more.
There are now wearables that track your emotions. This is not your father's old-skool mood ring but devices that read your current emotional state and attempt to soothe and lower stress levels by encouraging deep breaths and relaxation techniques to get you through the haze. Sensors that gather skin temperature, sweat gland activity and blood pulse along with movement gauge your activity level. From that, it generates a graph on your mobile phone so you can see when your stress levels peaked and the mood at the time. You can see real time or over the course of the day. Emotional analysis in your pocket...or sleeve if you got one of those runner's arm band things. I'm sure someone will create a shirt that has color-changing sleeve threads depending on a person's emotional state. The Iagonaut.
This is not the future but today.
A Fitbit captured the moment of a broken heart during a relationship-ending phone call. This man was wearing his Fitbit when the unexpected call came and his daily graph tells the whole story:
Koby (@iamkoby) shared his heart-wrenching moment (and graph) on Twitter and it saturated the internet. The red arrow indicates the moment that the news hit him. Instantly, his heart rate jumped from 72 to 88 beats per minute and stayed high for the rest of the day. Clearly this healthy, athletic person was under duress and if you couldn't tell by the yellow peak marks, he had trouble sleeping that night. Talk about exposing your emotions with technology.
Would you share your sleeve with the world?
ps
Related:
- Fitbit captures exact moment man's heart breaks
- The Origins of Wearing Your Heart on Your Sleeve
- Forget fitness, this wearable tracks your emotions
- Connecting the Threads
- The Digital Dress Code
- Wearables Head to Tail
- Gartner Says Worldwide Wearable Devices Sales to Grow 18.4 Percent in 2016
Monday, February 8, 2016
OK 2016 Monkey, Whatcha Got?
The Year of the (Fire) Monkey is upon us and the curious, playful, smart, opportunistic and sometimes mischievous character could influence events throughout 2016. Whether you were born under the symbol or not, Monkeys thrive on challenges and 2016 is sure to bring some obstacles during the year.
2015 (Year of the Sheep) brought us a rash of high profile breaches, a bunch of new IoT devices and wearables, continued, bigger clouds and innovative attacks on vulnerable infrastructures along with the continuous deluge of big data. This is sure to continue as our digital, software-defined lives connect and intersect with the things around us. Organizations will need to extend their risk management focus to areas outside their control like the cloud and social channels but also consider the human element in all this. The new threats and heightened risk may put some companies in peril due to the lack of knowledgeable security IT personnel available.
Mobility, both the state of being and the devices we use, will continue to grow and be an immense enabler and/or inhibitor for organizations. Mobile is not only the new shiny phone you got over the holidays but also all the IoT gadgets looking for a place in our home, offices and bodies…along with how we interact with them as humans. Cutting the cord will mean more than subscribing to some streaming media service but the way of the wireless life. You are now the device, controller and data generator. With that, security challenges like authentication, privacy, malware/data protection, compliance and the management of those services will be paramount.
And as our lives – personal and professional – continue to be chronicled on the internet, thieves, nation states and activists will continue to be one step ahead probing data and looking for that golden slab of info. Making money, causing disruptions or outright take downs through online attacks are big motivations for those seeking notoriety or simply a big score. But it’s not always from the crook or spy half a globe away. Insider threats, malicious or not, have made the traditional perimeter almost useless.
So while trends like cloud, mobility, IoT and big data will consume IT departments, securing those trends and how they map to business objectives will be the monkey on organizations’ backs for 2016. Let’s try to be intelligent, dignified, clever, optimistic, confident, agile and curious about our challenges or the arrogant, deceptive, reckless and manipulative bad guys will get the best of us.
The 2016 Monkey is here, and we’ll need to handle it with grace.
ps
Related:
- Chinese New Year 2016: Facts, Dates, And Ancient Traditions
- 5 information security trends that will dominate 2016
- Defending Data Report 2015 Infographic
- Cybersecurity Skills Gap Making Companies Vulnerable To Major Attacks
- Samsung Builds Smart Home Tech into Its 2016 TVs
- The weird and wacky of 2015: strange security and privacy stories
Friday, February 5, 2016
Five Ways #IamF5
In 2013, F5 Networks was honored by the City of Seattle when the mayor proclaimed February 5 as F5 Day to recognize the contributions of F5 to our community and we’re celebrating in all of our offices around the globe. Check out Celebrating F5 Day in our Newsroom.
I shot this last year in honor of F5 Day and honestly, it's pretty fun. I present to you the 5 Ways I am F5.
Happy F5 Day!
ps
Wednesday, February 3, 2016
The New, Old Kid in Town
For nearly 12 years at F5, I've had only two job titles - Security Systems Architect from 2004-06 and Technical Marketing Manager since 2006. Whenever anyone asks what I do at F5, I typically answer, 'Writer, speaker and video producer,' in that order. Above all, I focused on covering emerging trends within our industry and evangelizing the various solutions - including F5's - to solve some of these challenges.
I am now embarking on my third adventure at F5 - joining the F5 DevCentral team as a Sr. Solution Developer - concentrating my writing, speaking and videos on our amazing community.
DevCentral’s mission is to deliver technical thought leadership to the community through connecting, preparing, and empowering professionals engaged with F5 technologies and I'll be helping develop, test and share technical solutions to some of today's technology challenges. In many ways, my job really doesn't change all that much, except for digging a little deeper into technical solutions and engaging deeper within our community.
Now, I'll be the first to admit that my technical chops have slightly eroded since my SSA days installing FirePass (now our BIG-IP APM) and TrafficShield (BIG-IP ASM) but I'm looking forward to returning to my technical roots exploring and explaining how some of this stuff works in the real world. I'll still write lighter stories about IoT, mobile, cloud and the usual (or unusual) things that interest me along with contributing to DevCentral's already awesome LightBoard Lessons video series and reporting from industry events. If you remember the 'In 5 Minutes' video series, I'm also toying with the idea of resuming that - in LightBoard - so if you got any early requests, let me know.
I published my first blog post ever on DevCentral in 2007 and with over 1000 entries later, including close to 400 videos, I feel like I'm coming home.
ps