News & Events

June 11, 2008

Adrian Lane joins Securosis!

Believe it or not, I'm going to work with Rich Mogull at Securosis. Worse yet, I'm excited about it!

On the outside looking in, Rich and I have dissimilar backgrounds. I have been working in product development and IT over the last ten years, and Rich has been an analyst and market strategist. But during the four years I have known Rich, we have shown an uncanny similarity in our views on data security across the board. We are both tech guys at our core, and have arrived at the same ideas and conclusions about security and what it will look like in the years to come.

As our backgrounds are both diverse and complementary, my joining Securosis will facilitate taking on additional clients and slowly expanding the types of services provided. I will contribute to strategy, evaluations, architecture and end-user guidance, as well as projects that involve more ‘hands-on’ assistance. I will also be making contributions to the Blog on a regular basis.

Anyway, I am really looking forward to working with Rich on a daily basis. And yes, before Amrit Williams has a chance to ask, I am a card carrying NAHMLA (North American Hoff-Mogull Love Association) member. We may even sell Polo Shirts on the web site.

March 28, 2008

Launching InfoCentric

It only took the company Blog being down for a week to get me annoyed enough to consider starting my own Blog.  Thank you, Rich Mogull, for pushing me over the edge.  Who knows, maybe Trackbacks will actually start working.

More to come ...

March 22, 2008

April Conferences

A busy start to April

I am going to be attending a couple of events the first week of April, so let me know if you are going to be in the area so we can meet up!

I am going to the IDC Virtualization show on April 8th, during the day. And there is a Ziff Davis reception that evening over at the Westin. 

I am going to be at RSA on April 9th for most of the day. And then I am going to be at the Security Bloggers Meet-Up on Wednesday evening as well.

Hope to see you there!

March 05, 2008

Upcoming Conferences

Ping me if you are going.

I am going to be at the IT Security Forum held at Stanford University on March 11th, and the Data Protection Summit on the 12th and 13th down in Irvine. Let me know if you plan on attending either event. See you there!

February 14, 2008

Tech Security Conference

Feb 20th.

I was headed over to the Tech Security Conference on February 20th. It's being held at the Santa Clara 'Network Meeting Center'. Never been there, but I wanted to check out one of the end point security presentations. Shoot me an email if you are planning on going.

February 05, 2008

Virtualization and Security

InfoWorld Executive Forum


I spent Monday up at the InfoWorld Virtualization ‘Executive Forum’ up in San Francisco. It ended up being a really educational event on a number of different fronts. Database Security & Compliance is not usually considered part of this revolution, but as Virtualization breaks many IT infrastructure models we have been using and creates dozens of new trust relationships, it requires rethinking data collection, policy management, enforcement and many other areas of data security as well. I will be making a couple of posts on this in the next few days, covering some of the high points and interesting revelations about these changes.

Virtualization is here. And if you're in IT, you probably already know this. The degree to which companies are rushing headlong into Virtualization I found startling. It’s like the IT administrators said “Hey, this is cool, and it could save us money”, and then people in middle management said “Wow, that is cool”. Then they rushed off to see how fast they could virtualize their infrastructure, like high school kids rushing off with spastic euphoria on the first day of summer vacation. And in a very short time we have arrived at a point where a majority of US firms are already implementing Virtualization, or they are in process.

 

Then someone in accounting asks “Why did you pick Virtualization platform A over platform B or C? Couldn’t we negotiate a better price if we play the vendors off each other?” Then the CIO asks “What is our Virtualization Strategy? How will we manage this infrastructure and what other tools do we need?” And the Risk Management group asks “What metrics are you using and how are we incorporating this into our Capability Maturity Model?” And then the CISO (played by Chris Hoff in this movie) asks “Have you given any thought whatsoever to security?” This is approximately where we are today, killing IT's "Buzz" by asking a lot of ugly questions.

The technology is very cool and the conference opened my eyes to a couple ways the technology can be used that I had not considered before. The different ways you can slice and dice the IT services is truly amazing. But it feels a little ‘Wild Wild West’, with lawlessness and civilization left behind for the exciting new frontier. This is certainly accelerating the adoption of the technology, and the appropriate timescale to measure the changes will be months, not years. Formal processes & controls will eventually catch up, and I imagine much of the double-digit cost savings will boil away to more modest levels given the needs for documentation, planning, training, workflow, source control, backup and disaster recovery. Oh, yeah, and Security. Once again, security and compliance will be forced to play catch up, and be patched onto existing infrastructure.

Say what you will, it will not be dull in Security for the next couple of years.

December 18, 2007

Santa and ‘The Insider Threat’

My final post of the year, and what to write about? Top 5 security challenges for the coming year? Nope. Recap of the past year's events? Nah. Analysis of change in Hacker tactics? Blah. Costs associated with Data Breaches? Boring. None of that, but as I am on my way out the door for this Holiday Season, I will offer a couple Christmas news items of interest.

Looks like Santa needs to worry about the Insider Threat. Turns out there is a Rogue Elf out there writing letters back to children, chiding them on grammar and a whole lot more. Wonder how long before we have Elf Audits? Santa and the Insider Threat. Is it just me, or does that sound like a Jean-Claude Van Damme movie? But I digress ...

So you change your name to Santa Claus, advertise yourself as The Genuine Santa, does that make you a target? Sure does, as it appears Santa was breached last year (his site, not Mr. Claus). Hopes are high that the server has been patched and a Santa Bot-net does not appear any time soon.

 

And speaking of Santa, nothing says “Holiday Cheer” like accusing Santa of violating the privacy rights of children.  I don't know if this is true or not, but if it is, it's akin to Baskin-Robbins turning over their 'Birthday Club' list to the US Selective Service.  Anyway, Ho Ho Ho, and don’t forget to comply with the Santa Privacy Claus Clause.  It’s an addendum to CA 1386. No, really, go check it out …

Have a wonderful Holiday Season …

Adrian

November 06, 2007

OWASP & Oracle OpenWorld

Drop me a line if you are going ...

I am going to be at Oracle OpenWorld a couple of days next week, probably the 13th and the 15th.  I will also be at OWASP on Wednesday the 14th, so drop me a line if you are going to either event so we can catch up.