Looking back at 2011

This is the time of year that most of us look back at the last twelve months and evaluate what was accomplished.  We also look back at the things we worked on to improve our internal networks to determine if we made a difference.  The same can be said of many companies in the security industry: RSA, Comodo, and GlobalTrust looked back to determine how to prevent a recurrence of the problems they suffered.

We in the security field look at security as a fluid set of controls that will minimize the possibility of a breach.  We understand that risk is defined as vulnerability multiplied by the possibility of exploit multiplied by the value of the asset.  The key variables in this equation are vulnerability and exploit possibility.  We then attempt to control these two variables in order to reduce the risk.

Most of us have used many of the devices that are implemented by the vast majority of companies to reduce the chance of an exploit.  Firewalls, Intrusion Detection, and the usual cadre of Anti-Virus, Anti-Spam, and Anti-Spyware are a few of the tools used to reduce the opportunity of an exploit being deployed.

We all know that there are many other tools that can be used to "lock" the systems down or create a secure environment.  We also know that our best efforts are only as good as the latest version of the tools we deploy.  We constantly update our systems, security devices, AV, and other aspects of the overall security posture.  This is done to minimize our threat exposure and in theory will reduce the possibility of exploit of vulnerabilities on our network.

All of these actions are part of the "due diligence" we hear so much about when the auditors arrive to test our compliance with the standards to which we are to adhere.  Part of due diligence is maintaining an Information Security Policy (ISP) that is reviewed annually to track changes to the company's business needs and IT infrastructure.

This document is one of the pillars of the information security posture for any company.  How well the ISP is maintained will determine the ability of a company to pass an audit for one of the major security standards.  The ISP will cover all the aspects that make up the security posture for the company.

When an auditor or an information forensics examiner comes to a company, the ISP should be the first thing that person asks to read.  The auditor will then determine if the ISP covers all the aspects of information security that will enable a compliant rating.  If the auditor or forensics examiner decides that the ISP isn't sufficient, they can revert to "best practices".  This is not something you as an IT manager want to have occur.

One of the aspects that a strong ISP will cover and be very stringent about is security awareness training for all employees at time of hire and annually, to ensure the employee is aware of the policies that might have changed.  The employee should be required to sign a form stating that they have had the training and understand their responsibilities.  This training is also very important if the employee is being terminated due to failure to follow the policies.

If the security policy changes and personnel aren't given yearly training, then an employee terminated for cause might have an avenue for redress by stating they weren't aware of the policy that they violated.  The signing of a document that shows the training was completed and understood is critical to a company in the case of litigation.

The second aspect is to ensure that employees are aware of the company's policy by educating them about the information gathering techniques used by people with malicious intent.  There are many methods of gathering information that can lead to an intrusion into an internal network.

Most employees have heard of social engineering, pharming, phishing and malicious spyware.  The problem is that, though they may have heard of these techniques, they aren't aware of how to identify when someone is attempting to garner information about their company or their personal identity assets.

Most of us have heard that the weakest link in any security program that a company is implementing is the human element.  I personally enjoy the statement: "The weakest link in any security program is the biosphere sitting between the chair and keyboard."  My statement is: "If you make your security measures too restrictive, the users will find a way around them."  All of these are really saying is that our users are the easiest target for penetrating our secure networks.  Just look at some of the breaches of 2011 for proof of this belief.

The RSA breach was caused by a successful spearphishing attack.  The targeted RSA end user clicked on a bogus spreadsheet and launched the malware that ultimately compromised SecurID token data.  The GlobalTrust and Comodo certificate problems stemmed from an Iranian hacker being able to convince employees at Comodo to issue certificates that represented major companies.

Both of these breaches caused doubt in the minds of the users of the products that RSA and Comodo provide.  I am sure that both of these companies have strengthened their procedures to prevent a recurrence of the problem, but the damage to their image has been done.  I am confident that their security programs were strong, but the human factor entered the security equation and the event happened.  The best remediation of their problem is security awareness training; doing this annually raises the awareness of the employees and strengthens the overall security posture.


One of the advantages of using SaaS for anti-spam, anti-virus, and anti-spyware blocking is the ability of these services to reduce the amount of traffic into the private network.  The reporting of the amount of blocked malware would do a security professional proud.  We all know that one of the best ways to showcase your hard work is to have a dashboard that the executives can view that shows them in real time what your security measures are stopping at the border.

A useful service for companies that deal with sensitive customer data like credit cards, electronic health records, or financial results is the ability to have a comprehensive data leak prevention program.  One of the toughest things is monitoring the data that leaves the company and stopping the data that should not be allowed to exit.  Working with a good DLP vendor in the cloud as part of the SaaS described can improve overall data protection immensely.

One of the questions I get asked is: "Is the security in the cloud complete?"  My answer is always the same: it depends on what you are asking the cloud provider to accomplish.  Your company should do its due diligence by studying the cloud provider's security posture and asking for a test of one or more aspects until you have a comfortable feeling.  I wouldn't take the security statement of the cloud provider as the end-all answer.  I have been studying cloud security for a few years and I would ask many questions before I trusted my company data or security posture to a particular provider.

Here is the takeaway I want readers to understand about cloud providers.  It doesn't matter what service you are considering putting in the cloud, a good strong SLA is worth the effort and will give you a method of holding your provider accountable.  I have read a few articles on cloud computing and many of them list as the number one problem that the expectations between the client and provider are too vague.  If you have any concerns, put them in a strong SLA that has penalties for not performing.


I have been asked many times in the last few years about my definition of security in the cloud.  I find this a question that should be answered with a question.  I personally don't like it when I ask a question and the response is another question, unless it is a rather broad topic and the question needs to be narrowed.  In the case of the question of cloud security, the scope needs to be narrowed to discover what aspect of cloud security the asking person is interested in.

My favorite definition revolves around Security as a Service, which I will call SaaS here, since there are a few definitions of SaaS.  There is Storage as a Service, Software as a Service, and Security as a Service.  There are other services offered in the cloud, but for this blog we are going to stay with security in the cloud.

Security as a Service, as defined to me, is like having a proxy server in the cloud.  Whenever a user goes to the Internet, their browser is pointed to a web site.  This web site is set as the only trusted site for any PC that is owned by the company.  This site is like an extension of the private network of the company.  Any web traffic that is entering and exiting must go through this site's security systems before being routed to the company PC.  This includes: antivirus, anti-spam, anti-spyware, email, and URL filtering.

I know this may sound a lot like the security that is present at your existing network, with some very convenient differences.  If all of the company's PCs/laptops are forced to go through the "proxy" web site regardless of where they physically log onto the Internet, the security measures will always be available.  For example, your company has numerous road warriors that spend minimal time at the "office" and they are going to the Internet from cellular Internet cards, hotspots, or their home cable/DSL.

When they are away from the office, all those protections that we as security professionals so painstakingly chose to stop malware are out of the picture.  The user can go wherever they wish on the Internet and download whatever they want to the company computer.  Many of you are thinking: have them sign a document that tells them what is allowed to be done with the company PC.  I will tell you from personal experience: the end users will forget whatever they signed and do things that will put their system at risk without intentional malice.

Using Security as a Service as I have defined it will not only limit them from being compromised but will decrease the number of laptops that need to be re-imaged.  Another benefit of SaaS is URL filtering that will not allow the users to go to web sites that are listed as malicious.  The security personnel will have the ability to log wherever a user went on the Internet and/or block them from using a company asset for illicit purposes.

That would be my definition of Security as a Service, but there are other definitions.  There are services that are offered that will manage the email for a company in conjunction with email encryption.  The backup of the mail store would be part of the service, so it eliminates the hardware or software maintenance.  Whenever a new version of the mail system software is released, the IT team can choose if and when they want to migrate to the latest and greatest.


Vulnerability Management

Vulnerability management has been and remains an important aspect of a company's security posture.  The managing of vulnerabilities was instituted by IT professionals who were affected by what they affectionately call Patch Tuesday.  This day was anticipated every month with trepidation by most system administrators.  One of the reasons for the concern was the number of patches that were typically delivered by Microsoft.  It always seemed that the majority of the patches were labeled critical, which meant the system admins would be expected to install them within 24-48 hours.

This created a two-fold problem: one was the sheer workload of installing the patches on all the systems on the network, and the other was that, since the patches weren't tested much, installation sometimes caused problems.  A further issue is that, while the patches have gotten better, if you don't know what systems are resident on your network, you could install patches on a system that doesn't have the vulnerable process or service running.

These requirements led the industry to provide services that can scan a network, look for systems, then check them for vulnerabilities that need to be patched.  This is the method that most security standards want used on a network that could have data to be protected.  The scanning will identify the vulnerabilities that provide an avenue for an attacker to gain access to systems and then use that access to obtain protected data.

The advantage of scanning a network is the identification of the systems that reside on a particular segment.  This can determine whether an attack, be it malware or an internal intrusion attempt, is looking for a vulnerable service that isn't running on any system on the network, so the alert level can be downgraded.

The security standards that require vulnerability scanning do so because the large majority of exploits can be attributed to systems that, if they were patched correctly, would not have been compromised.  The authors of these standards know that the percentage of vulnerable systems can be surprising, and thus the security regulators are attempting to minimize the risk.

One report that is very interesting is the Dimension Data barometer report, which monitors the number of security vulnerabilities for network devices and reports them in many different ways.  For instance, for 2010 the report states that the percentage of network devices with security vulnerabilities overall is 73% (overall for any region in the world, organizational size, or vertical).  While some regions, organizations, or verticals are worse than others, the overall number was the same.

The report shows that for 2008 the overall percentage was virtually the same as 2010 with a significant drop in percentage in 2009.  The drop in 2009 was attributed to a new tool that was more accurate and gave a more relevant discovery of vulnerabilities. 

The old assessment tool reported a vulnerability if the IOS was affected, regardless of whether the affected software module was in use.  In 2009 the tool reported the vulnerability only if the affected software was actually enabled.  This makes the jump in the number of vulnerabilities in 2010 more statistically credible.  After further study, the report states that one specific vulnerability was found in more than 66% of the devices analyzed in 2010, which caused the increase in overall vulnerabilities.

While this study was primarily looking at network devices, it shows that the number of vulnerable devices reported by a network scan can be misleading.  It goes back to what was stated earlier: systems may have vulnerable services or software, but if they aren't enabled the system is not vulnerable.

The report also states the position I have always taken when it comes to patching systems on a company's network.  The first step is having an up-to-date asset inventory of the systems on the network.  These devices should be scanned on a regular basis to determine the state of patches compared against a list of known vulnerabilities.  The scans should also ensure that the systems either don't have vulnerable features enabled when not needed or have patches that are up-to-date and tested.

A good approach to patching is discovering the devices on the network, then prioritizing these assets by their importance to the business.  Once the discovery and prioritization are accomplished, a vulnerability scan and risk assessment should be done to determine which systems ought to be patched first.
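The triage pass described above, as an added example that is not part of the original post: findings only count when the affected feature is actually enabled on the device (the assessment-tool change discussed earlier), and the survivors are ordered by asset importance and severity to build the patch queue.  Device names, software names, features and advisory ids are constructed sample data, not real inventory.

```python
"""Added example: vulnerability triage that (1) drops findings whose
vulnerable feature is not enabled and (2) orders the rest by business
importance times severity.  All names and ids are constructed samples."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    importance: int               # 1 (low) .. 5 (business critical), from inventory
    software: str
    version: str
    enabled_features: set = field(default_factory=set)


@dataclass
class Advisory:
    advisory_id: str              # constructed id, not a real advisory
    software: str
    affected_versions: set
    feature: str                  # feature that must be enabled for exposure
    severity: int                 # 1 .. 10


def applicable(asset, adv):
    """True when the installed software build is named by the advisory."""
    return asset.software == adv.software and asset.version in adv.affected_versions


def naive_findings(assets, advisories):
    """Old-tool behaviour: flag whenever the software build is affected."""
    return [(a.name, v.advisory_id)
            for a in assets for v in advisories if applicable(a, v)]


def exposed_findings(assets, advisories):
    """New-tool behaviour: flag only if the vulnerable feature is enabled."""
    return [(a.name, v.advisory_id)
            for a in assets for v in advisories
            if applicable(a, v) and v.feature in a.enabled_features]


def patch_queue(assets, advisories):
    """Exposed findings scored by importance * severity, highest first."""
    by_name = {a.name: a for a in assets}
    by_id = {v.advisory_id: v for v in advisories}
    scored = []
    for name, aid in exposed_findings(assets, advisories):
        a, v = by_name[name], by_id[aid]
        scored.append((a.importance * v.severity, name, aid))
    scored.sort(key=lambda t: (-t[0], t[1], t[2]))
    return scored


# Constructed sample inventory and advisories.
ASSETS = [
    Asset("core-rtr-1", 5, "routeros", "12.4", {"ssh", "bgp"}),
    Asset("branch-rtr-7", 2, "routeros", "12.4", {"ssh", "http-admin"}),
    Asset("lab-sw-3", 1, "switchos", "3.1", {"telnet"}),
]
ADVISORIES = [
    Advisory("ADV-0001", "routeros", {"12.3", "12.4"}, "http-admin", 9),
    Advisory("ADV-0002", "routeros", {"12.4"}, "bgp", 7),
    Advisory("ADV-0003", "switchos", {"3.1"}, "snmp", 5),
]

if __name__ == "__main__":
    print("naive findings:  ", naive_findings(ASSETS, ADVISORIES))
    print("exposed findings:", exposed_findings(ASSETS, ADVISORIES))
    for score, name, aid in patch_queue(ASSETS, ADVISORIES):
        print(f"{score:3d}  {name:14s} {aid}")
```

With the sample data the naive count is five findings, but only two devices actually expose the affected feature, and the business-critical router lands at the top of the queue.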

Most companies perform scans of their systems on a regular basis, but what exactly does this mean: is it annually, quarterly, or monthly?  Many would state that the period of regular scanning should be often enough to maintain patched systems.  This could be quite often for a network comprised of systems that need their OS and applications patched regularly.  If your network is comprised of these types of systems, then you need to have someone who dedicates a large portion of their time to scanning, testing, and patching.

If your company doesn't have the resources to maintain the patch levels for their systems on a regular basis, then outsourcing the task could be the best option.  The outsourcing company could also monitor your systems along with traffic on the network to ensure exploits that might appear would find no open doors.

The ultimate goal of scanning, patching, and monitoring is to have the most stable, secure network possible.  This should entail a comprehensive vulnerability management program, patching as often as required, and monitoring the network for attempted exploits even if the network isn't vulnerable.


Privacy on the Web (Part 2)

We look at the privacy items in this manner to discuss something many of us have done and will probably do in the future.  We have filled out online forms that capture our personal "public" data with a promise by the company gathering the data to protect it.  We know from experience that our privacy was a major concern for these companies, since we received many emails extolling the virtues of products that we might be interested in.

We were aware that our data was being sold to marketing firms or directly to companies that were interested in our buying or browsing habits.  This grew into an industry that specialized in blanketing consumers with emails that we now call spam.  Early on in our internet experience, we typically weren't given the ability to opt out of our data being "shared" with partners of the company we gave our data to.  We started to wise up to the game the companies were playing, and they had to devise another method of gathering data on us without being obvious.

Web sites began to use pieces of data called cookies that were sent by the server and returned by the browser to create a state of connection in an otherwise stateless transaction.  They were intended to "assist" us in quickly loading pages from a site we were visiting, and the cookies were eliminated when the browser was closed.  Persistent cookies, now called tracking cookies, were originally used to assist in connecting to a site and would report to the server about how we initially connected.  Tracking cookies can also report back to the server every time a new page is requested, which can be stored on the server as a log file to assist companies in tracking browsing history.

Since cookies can also remember login data for a particular web site to ease the process for the user when returning, they can store data that might compromise the privacy of the user.  In 2000, the U.S. government set strict rules for its sites regarding the usage of these cookies.  Daniel Brandt, a privacy activist, discovered that many government sites were setting tracking cookies on computers that were visiting their websites.  These agencies discontinued the use of these cookies, but by a later directive can use them if the server gives the user the ability to refuse the cookies.

The European Union, thought by many to be the strictest in controlling data collected by cookies, isn't without issue: its directive states that cookies can't be stored unless the user is informed that the cookie is being stored.  The directive says that the user must have the ability to refuse the cookie unless the cookie is needed for technical reasons.  All this is useful information about cookies, but we all know that our browsers are full of them, mostly tracking cookies.  Users began to realize that cookies weren't always our friend in relation to our privacy data.  Hence another security software industry was born.  We now have many types of spyware removal tools to remove the "bad" cookies.  I am certain that the majority of us use some form of spyware removal to improve the performance of our browser, if not for increased security and privacy.

This brings us back to our discussion of privacy and the laws that are constantly being hailed as the silver bullet for our privacy.  I have studied a few state privacy laws and very few devote much time to browser based privacy.  But we need not fear: our federal government has a solution to the privacy problem related to tracking cookies.  They don't address the myriad of personal privacy issues raised by the enormous amount of data collected about us by all the federal, state, and local governments.

They have come up with a proposal that should be a world beater, a Do Not Track mechanism that would be similar to the Do Not Call List.  This proposal would create a tool integrated in the browser that would allow the user to opt out of tracking cookies from web sites.  We all remember when the banking industry was told to give us the ability to opt out of their "sharing" our private data.  They created letters that were sent to all customers whenever a new account or feature is signed up for by a user; we all know how well that worked.

This approach from a high level sounds great, but I suspect that if the tool works to prevent cookies from being installed on your system, then the companies that desire or need to collect that information will find another way of obtaining it.  These companies may take a page from the banking industry, as the healthcare industry did, and create a document that is so verbose with legalese that no one will read it.

It seems to me that, as an article stated, some technology companies are going to devise a stopgap method in an attempt to forestall additional regulation.  This may be true, but with the allure of the advertising dollars being spent online, over 5 billion dollars, the data will still be collected.  We also have to deal with the element on the web that will see the potential for making money and find a way around the mechanism that is supposed to protect us.  I guess those of us that have been waiting patiently for a real privacy law from Congress will have to continue our vigil.


Privacy on the Web (Part 1)

As a security professional, I have monitored privacy laws for the past decade or so.  My interest in these laws started long before that, when a friend gave me a book about privacy that was prompted by the 1974 Privacy Act.  One of the things I learned from this book, if it was all true, was that our federal government has 4 or 5 databases that gather data about every citizen in the United States.

The Privacy Act of 1974 states that a citizen can request from a government agency the following things about their data in any of these databases: who has accessed their data, when it was accessed, how many times, what is collected, how often the data is updated, and if it has been modified.  This was to give the citizen the ability to ensure the data that is collected is accurate and can be corrected if erroneous.

If you have followed my blogs in the past, you immediately see the dilemma.  In, let's say, 1980, there were 250 million people in the U.S.; it would be very difficult for a government agency to respond to a request from a citizen regarding access to their data.  Something to remember about the Privacy Act of 1974: the legislation only applies to citizens of the U.S.  If someone isn't a citizen, they can't request the access data as described above.  One of the reasons the Freedom Of Information Act was enacted is to give non-citizens the ability to request the access information for data collected about them.

All of the above is to give us a starting point for our discussion about privacy laws.  Our federal government has attempted to pass a privacy law for many years; they might have been at it for a couple of decades.  I, along with many security and privacy officers, have waited patiently for the U.S. to catch up with Europe or Canada in the protection of private data.  There have been several instances in the past where European countries have challenged the U.S. in regards to our privacy laws.

Our federal legislators seem to be leaving the task to other legislation like HIPAA or GLBA to strengthen our position regarding what is to be protected and the methods used to accomplish the task.  The problem with this approach is that while these two regulations address personal privacy, each is typically centered on data that is related to the industry being regulated.

The protection of our personal data has been relegated to the states for regulation, which can be good in a lot of ways but doesn't protect someone from Florida whose data is collected in another state.  For example, if a company is based in a state that has less stringent privacy laws than Florida, then the residents' personal data may be at risk.  There are a few states that call out penalties for companies that don't protect their residents' private data; California's SB1386 was the first to include breach notification in its legislation.

As of the writing of this blog, there are four states that have no privacy law on the books.  In defense of these states, many of the state privacy laws were passed within the last few years.  Of the 46 states that have passed more stringent privacy laws, 23 were passed in 2007-2011 and 17 in 2006.  43 states had no protection for Social Security Numbers, credit card numbers, driver's licenses, or breach notification before 2005.

The protection of Personally Identifiable Information, PII, varies significantly from state to state and can be studied by searching the web for sites that show what each state protects.  The states with the strongest privacy laws are, in order of when enacted: California (2003), Florida (2005), Massachusetts (2007) and Maryland (2008).  By strength, I refer to the number of items that are protected by the legislation, such as medical, SSN, CCN, criminal records, bank records, tax records and school records.  As you can see, the items I chose as examples are items that could be used to steal someone's identity.

While medical records are protected by all states except for two, this may be in part due to HIPAA/HITECH being a driving force for the states.  According to my research, all states except one protect social security numbers, with many of the states enacting this protection within the last 5 years.  As for credit card numbers, this is a more hit and miss item; PCI-DSS is attempting to protect that data and there are now states that are embracing these standards.  The rest of the items mentioned in the previous paragraph are generally left unprotected for various reasons.

The general position of privacy experts about PII is that there are two levels of data that need to be protected.  The first level of data usually comprises four items: SSN, passport number, driver's license number and vehicle registration.  The first three are easy to envision being in the highest level of protection, while vehicle registration can be somewhat puzzling.  The explanation is that the first level is made up of data that alone can enable someone to steal an identity, which seems intuitive for the first three items.  The reason vehicle registration is in this level is the amount of personal information associated with registering a car.

We can understand this better by looking deeper into the level two items of PII.  Level two has been considered public data for a long time.  Examples of what is typically considered public data are: first and last name, address, phone number, and email address.  Each in and of itself isn't enough to allow identity theft, but if all or many level two items are gathered, then the task of stealing a person's identity becomes easier.  There are other items that fall in this category, but it becomes cumbersome to list them all.  When looking at the level two items, one can see that a car registration has enormous potential for gathering data about someone's identity.


Moore's Law

Many of us have heard of Moore's law or have used the term when discussing the increases in computing power over the last couple of decades.  The law was named after Gordon E. Moore, co-founder of Intel.  He wrote a paper in 1965 that stated that, since the invention of the integrated circuit (IC) in 1958 until 1965, the number of devices in an integrated circuit had doubled every year.  He then went on to predict that the trend would continue for the next decade.  His prediction has proven to be uncanny, since the semiconductor industry still uses his premise for planning purposes.

In 1975, Moore altered his prediction to say that the number of transistors doubles every two years rather than every year.  He adamantly denies that he predicted 18 months, even though that is what I always heard.  I suppose that the modifier I heard was that every 18 months the CPU, RAM, or hard disk would double.  I thought it was interesting that Moore actually predicted IC capabilities to double every 2 years.  According to the sources I was able to find, this trend has continued from the 70s until today.  That is definitely exponential growth in the number of transistors within an integrated circuit.

This growth has been accomplished by overcoming heat and the separation of the devices that are part of the circuit.  This further miniaturization of transistors has led to advancements in memory at the same time.  The miniaturization of the transistor and the subsequent increase in IC capability has led memory in devices to grow by orders of magnitude.  This is evident in the memory cards in digital cameras, smart phones, and USB memory devices.  Each of these devices has memory capabilities that are beyond the mainframes of years past.

The term Moore's law has also been linked to other trends in technology that experience exponential growth.  We need to remember that Moore's law pertains to transistor count in ICs and, for the purpose of this discussion, the effect it has had on computers.

The ultimate effect is on the growth of data being created, as discussed in a previous blog.  In that blog we discussed what the increase in disk size has contributed to the massive growth of data being stored.  The first question that should come to mind is: if computing power is increasing at this exponential rate, why does it still seem like our computers run slowly?

The explanation may lie in another law named Wirth's law, commonly referred to as the great Moore's law compensator.  The principle of Wirth's law is that generations of software accumulate enough "bloat" to overcome the performance gains from Moore's law.

A prime example is a test where a Word task using Office 2007 on a prototypical 2007 computer was accomplished in half the time of Office 2000 on a typical 2000 computer.  According to Moore's law, the computational speed increased by more than eight times, but the task time only improved by a factor of .5 instead of .125.

The blame can't be totally leveled against software bloat, as there are other factors that contribute to the computational speed reduction.  If the processor speed has truly doubled, have system components like disks and memory been able to keep pace with the faster CPU?  A system isn't judged by CPU speed alone but by how well all the components work together.

Since the latency of disk access or even memory access can slow the computational abilities, the overall performance gains aren't what we should expect.  Designers have been working on reducing the access time for disk drives along with the utilization of cache memory on the disk controllers.  The use of solid state drives to decrease the performance hit caused by high disk access times is also highly beneficial.

The CPU manufacturers have created innovative designs to alleviate some of the bottlenecks by methods such as out-of-order execution, on-chip caching, and prefetching.  They have also added cache memory to the CPUs, level 1, level 2, and even level 3 to reduce the latency of data retrieval.

One recent design change by CPU manufacturers is to use a multi-core chip to aid in power dissipation and give the system multiple processors.  These have many of the attributes of a multiple CPU system, only from a single processor component.

The computer architects that design the overall systems choose components that take into consideration how the software utilizes the increased system capabilities.  The issue becomes: does the software/system utilize the increased processing power to the fullest?  One way to accomplish this is to make applications multi-threaded to better use the capabilities of the faster multi-core systems.

One of the major drawbacks to Moore's law is the continued and sometimes rapid obsolescence of the systems we purchase.  This aspect can be a concern to a company with limited resources, since a rapid deployment of an upgraded processor could threaten the continuation of a legacy application.  If an application that a company relies upon doesn't work on the latest processor or can't be modified to utilize its capabilities, the application might be retired.

The last aspect of any system is the networking of computers, enabling the exchange of data between systems.  The amount of data that is created, shared, and stored is growing at an extremely fast rate, as discussed in the blog post Data Explosion.  The network needs to increase the speed with which it can transmit data to the various systems.  While network interface cards have increased their speed from 2 Mb/s to 10 Mb/s to 100 Mb/s to 1 Gb/s to 10 Gb/s, the backbone for most companies hasn't been upgraded.  While the computing system may be very fast, again we see that the transfer of data can be the choke point.

If we look at this increase of capability from a security standpoint, the computing power can pose a significant problem.   To be able to handle the massive amounts of network traffic, log data, and security decisions on a daily basis, security professionals must be constantly looking for more processing power.  The advent of powerful dual or quad core processors is great if the security software can utilize the increased power.  If the security software that we rely upon isn't multi-threaded, then most of the computing power will be to no avail.

So how do we as security professionals find multi-threaded software?  We seem to be in the same predicament as the network or system architects that are attempting to utilize the amazing capabilities of these new processors and the inherently powerful systems.  We need to find tools that operate in such a way as to utilize the computing power.

The other side of the coin is that these amazing capabilities of the new computers create an environment for the nefarious ones to utilize this power for their gain.  Brute force attacks can be accomplished faster, and fingerprinting of edge security devices can be done with more stealth.  I can only imagine that the tools being created by malware developers are using the multi-threaded design we sorely need to protect our networks.

From the research I have done, I find that the majority of software is not multi-threaded.  Why is that?  There may be a list of reasons; one could be that the software doesn't lend itself to multi-threading.  Another could be that the concept isn't taught in depth to programming students.  We, as IT professionals, need to request that the software we purchase be multi-threaded and make a conscious decision to mention this when asked for our input on improvements to an application that is already in use.  As for those of us in the security profession, we need to push for multi-threaded applications to enable us to gather and process the data that we use to make our networks more secure.

We can wait for the security vendors to improve their software or we can make conscious buying decisions that will push our vendors to provide more capable tools.  I expect our security tools will become more and more capable, but I hope we keep pace with our adversaries.
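As an added illustration of the multi-threading point above (this is example code written for this page, not software from the blog or from Nuspire), the Go program below spreads a failed-login count over several goroutines so that a log scan uses every core, and then merges the per-worker results. The log lines are constructed samples, the regular expression assumes the OpenSSH "Failed password" message format, and the threshold of 3 failures is an arbitrary choice.

```go
package main

import (
	"fmt"
	"regexp"
	"runtime"
	"sort"
	"strings"
	"sync"
)

// Constructed sample lines in OpenSSH auth-log style; not captured from a real host.
const sampleLog = `Jan 10 10:01:02 gw sshd[311]: Failed password for root from 203.0.113.5 port 4122 ssh2
Jan 10 10:01:03 gw sshd[311]: Failed password for root from 203.0.113.5 port 4123 ssh2
Jan 10 10:01:07 gw sshd[312]: Accepted password for alice from 198.51.100.7 port 5000 ssh2
Jan 10 10:01:09 gw sshd[313]: Failed password for invalid user admin from 203.0.113.5 port 4124 ssh2
Jan 10 10:01:11 gw sshd[314]: Failed password for bob from 198.51.100.9 port 5100 ssh2
Jan 10 10:01:15 gw sshd[315]: Failed password for root from 203.0.113.5 port 4125 ssh2`

// Matches OpenSSH failed-password messages and captures the source address.
var failedRe = regexp.MustCompile(`Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)`)

// CountFailedLogins splits the lines into at most 'workers' chunks and scans
// each chunk in its own goroutine, so the work spreads across all cores.
// Each worker builds its own map (no shared state while scanning) and the
// partial maps are merged at the end; the result does not depend on the
// worker count.
func CountFailedLogins(lines []string, workers int) map[string]int {
	if workers < 1 {
		workers = 1
	}
	partial := make(chan map[string]int, workers)
	var wg sync.WaitGroup
	chunk := (len(lines) + workers - 1) / workers
	for start := 0; start < len(lines); start += chunk {
		end := start + chunk
		if end > len(lines) {
			end = len(lines)
		}
		wg.Add(1)
		go func(part []string) {
			defer wg.Done()
			counts := make(map[string]int)
			for _, l := range part {
				if m := failedRe.FindStringSubmatch(l); m != nil {
					counts[m[1]]++
				}
			}
			partial <- counts
		}(lines[start:end])
	}
	wg.Wait()
	close(partial)
	total := make(map[string]int)
	for counts := range partial {
		for ip, n := range counts {
			total[ip] += n
		}
	}
	return total
}

// OverThreshold returns, sorted, the sources with at least 'limit' failures.
func OverThreshold(counts map[string]int, limit int) []string {
	var out []string
	for ip, n := range counts {
		if n >= limit {
			out = append(out, ip)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	lines := strings.Split(sampleLog, "\n")
	counts := CountFailedLogins(lines, runtime.NumCPU())
	for _, ip := range OverThreshold(counts, 3) {
		fmt.Printf("%s: %d failed logins\n", ip, counts[ip])
	}
}
```

The design choice worth noting is that the workers never touch a shared map; each returns its own partial count over a channel and the merge happens once, which is what lets the scan scale with the core count without a lock on every log line.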


Data Explosion


Many years ago, MANY years ago, I bought a PC with a 10 Megabyte hard drive.  All my friends were envious of me having that tremendous amount of storage. I would joke that I would never use that much storage and I have to admit that during the entire time I owned that PC, the hard drive never filled up.

The onset of Moore's law, which states that computing power, RAM speed, and hard disk size will increase by about 2 times every 2 years, has changed how we look at storage. While disk drive size may not have kept pace with the speed of processors or RAM, disks have reached a level that most of my friends and I would have scoffed at. Today it is fairly inexpensive to buy a terabyte hard drive for under $100.  If one wants a 1TB hard drive for a new PC, the increase in cost is minimal when ordering.

At this point we should probably discuss the definition of a byte of data so we can better understand what it means when we continue discussing the ever increasing size of data storage.  We all know that a byte of data is 8 bits; these eight bits can represent one character of a word or expression. That means that a million byte document contains a million characters, spaces, or special characters. I realize that is a simplistic explanation but stay with me and it should make sense later.

The ten megabyte hard drive in my first paragraph could store ten million characters used to make up documents. It sounds like a lot even today, and it sure did at the time I purchased my system. We all know that the system hard drive doesn't just store documents but all sorts of binary representations that make up the software. The documents and spreadsheets that are created haven't grown much in bytes. So we should ask the question: why do we have these huge hard drives? The follow-up question is, how come we keep running out of space?

The world has become wrapped up in saving anything and everything in the electronic space.  We have become accustomed to putting all our information in electronic form. An example of this is the pictures we have of our family for numerous occasions. We create them using a digital camera then off load them to our computer for storage.

We can now view our favorite pictures with just a few clicks. I will speak for myself: even though it is convenient to view, print, or edit the pictures, it is still rather cluttered. When I am looking for a particular picture, I find myself viewing page after page of pictures to find the one I want, even though I have the pictures in folders that somewhat describe the event when the pictures were taken. The point here is that we take more pictures than we used to because they are recorded on a memory device instead of on film. We can view the picture after it was taken without the expense of having it developed.  As we take more pictures and store even the ones that we may never use, we end up with thousands of pictures to sift through when we look for one in particular.

Our cameras can use multi-gigabyte memory cards, so even if we use a very high resolution format we can save thousands of photos. I have stopped adding up the number of gigabytes of photos I have on my home computer. I also store them on a 1 terabyte USB hard drive as a backup just in case something happens to my computer. So we can see that if we had 10 gigabytes of photos, that number is doubled in storage requirements due to backups.

The second reason that we have been getting larger and larger hard drives is the operating software needed to make the pile of metal, silicon, and other materials become a computer is growing at an amazing pace. The operating systems that we use couldn't even be loaded onto my old system. The truth is my old system's hard drive wouldn't even come close to matching the amount of RAM needed to run today's "enhanced", "feature rich" operating systems.

We haven't even touched on the applications, virtual memory, or security software needed to perform our daily tasks. All of these necessities add to the amount of disk space needed to make the computer operate, much less store the things we create each day. All of these applications contribute to the size of the backup space needed in the "rare" event of a system failure and we have only discussed the desktops or workstations sitting at our desks.

When we begin to discuss the systems needed to create and operate a local area network, the storage requirements become much greater. Every system needed to run a network has storage space requirements for its operating system, configurations, and security. Some of these systems need to be redundant to ensure the network will continue to function in case of a system failure. We could go on and on about systems and redundancy but that is for another day, another blog. All these systems need backup disk space, which is becoming larger as the "features" keep being added.

We started earlier to discuss the definition of a byte at a very low level. In order to understand the “data explosion” we have some more terms to cover. We know that a megabyte means a million bytes of data, a gigabyte is a billion bytes of data, and a terabyte is a trillion bytes of data.  We utilize these numbers on a daily basis while dealing with computers and storage.

Do we know what comes after terabyte? The next one is a petabyte, which is a quadrillion bytes of data, or a million gigabytes. The one after that is an exabyte, then zettabyte, then yottabyte. The last one is slightly humorous if one thinks about it. A yottabyte is essentially a trillion terabytes of data. There are higher numbers but for the purpose of this discussion, I am only talking about these four.

According to a 2009 report by the International Data Corporation (IDC), the total amount of data in the world was 800 exabytes. It is expected to rise to 35 zettabytes by the end of 2020; this is 35 × 10^21 bytes, or 35 trillion gigabytes. The second statement they made was that 11 zettabytes of this data will be stored in the cloud.
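The prefixes just listed are easy to get wrong in practice, because disk vendors and this post count in powers of 1000 (SI) while most operating systems report in powers of 1024 (IEC), and because figures such as 35 zettabytes overflow a 64-bit integer. The Go program below, added here as an example and not part of the original post, parses a size string such as "35 ZB" or "1 TiB" into an exact byte count with math/big and converts it back into any unit; the unit tables and function names are choices made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Decimal (SI) prefixes, powers of 1000: the convention used in the post
// ("a megabyte means a million bytes") and on disk packaging.
var siExp = map[string]int64{"B": 0, "KB": 1, "MB": 2, "GB": 3, "TB": 4, "PB": 5, "EB": 6, "ZB": 7, "YB": 8}

// Binary (IEC) prefixes, powers of 1024: what most operating systems report.
var iecExp = map[string]int64{"KIB": 1, "MIB": 2, "GIB": 3, "TIB": 4, "PIB": 5, "EIB": 6, "ZIB": 7, "YIB": 8}

// ParseSize converts a string such as "35 ZB", "1.5 TB" or "1 TiB" into an
// exact byte count. big.Int is used because anything above about 18 EB
// overflows a uint64; the post's 35 ZB is far beyond that.
func ParseSize(s string) (*big.Int, error) {
	s = strings.ToUpper(strings.TrimSpace(s))
	i := 0
	for i < len(s) && ((s[i] >= '0' && s[i] <= '9') || s[i] == '.') {
		i++
	}
	numStr, unit := s[:i], strings.TrimSpace(s[i:])
	if numStr == "" {
		return nil, errors.New("missing number")
	}
	if unit == "" {
		unit = "B" // a bare number is taken as bytes
	}
	var base, exp int64
	if e, ok := siExp[unit]; ok {
		base, exp = 1000, e
	} else if e, ok := iecExp[unit]; ok {
		base, exp = 1024, e
	} else {
		return nil, fmt.Errorf("unknown unit %q", unit)
	}
	mult := new(big.Int).Exp(big.NewInt(base), big.NewInt(exp), nil)
	// big.Rat keeps fractional inputs like "1.5 TB" exact before scaling.
	val, ok := new(big.Rat).SetString(numStr)
	if !ok {
		return nil, fmt.Errorf("bad number %q", numStr)
	}
	val.Mul(val, new(big.Rat).SetInt(mult))
	if !val.IsInt() {
		return nil, errors.New("size is not a whole number of bytes")
	}
	return new(big.Int).Set(val.Num()), nil
}

// InUnits expresses a byte count in the given unit, e.g. InUnits(n, "GB").
func InUnits(n *big.Int, unit string) (float64, error) {
	one, err := ParseSize("1 " + unit)
	if err != nil {
		return 0, err
	}
	f, _ := new(big.Rat).SetFrac(n, one).Float64()
	return f, nil
}

func main() {
	total, _ := ParseSize("35 ZB")
	gb, _ := InUnits(total, "GB")
	eb, _ := InUnits(total, "EB")
	fmt.Printf("35 ZB = %s bytes = %.0f GB = %.0f EB\n", total, gb, eb)
	// IEC versus SI: the same bytes carry a different number depending on the prefix.
	tib, _ := ParseSize("1 TiB")
	ratio, _ := InUnits(tib, "TB")
	fmt.Printf("1 TiB = %.4f TB\n", ratio)
}
```

The roughly 10% gap between 1 TiB and 1 TB is the usual reason a "1 TB" drive shows up as about 931 GiB in the operating system; when sizing log retention or backup capacity it pays to keep the two conventions apart.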

This massive explosion of data within the next 9+ years causes many people to pause and ask some intriguing questions. Why do we save everything? Is it because of regulatory compliance?  Is it because everything is being digitized and then saved? I believe all of the above are the reasons the explosion is occurring.

Then the questions that need to be answered are: How do we find things that are useful in all that clutter (remember my picture story)? How do we ensure that the data that is truly important is backed up? How do we secure the rapidly growing information within our own companies? Are the storage vendors watching this trend? I would bet money they are, and that they are working diligently to provide products that will answer these questions.

A very knowledgeable storage expert I was talking to once said: "If the data is stored or backed up but is extremely difficult to find the information you need, the data is just a blob of binary digits."  I believe that we as IT professionals, whether administrative, database, or security, need to stay on top of this so we can enable our end users to deal with information, not just a blob.

As security professionals we need to ensure that confidentiality, integrity, and availability are maintained. This can be a daunting task with the rapid growth of data. We will need to ensure that the data owners of the different silos of data understand the importance of maintaining the Access Control List (ACL) for their data. Another aspect of confidentiality is monitoring that users who aren't given full access to the data work within the access they were granted.

Many of the regulations require data at rest to be encrypted to protect it in the event of a breach. Encryption of the burgeoning data can be an issue due to its sheer size. This is especially an issue when the encryption keys need to be changed periodically while the data is needed for daily business. The tools used to ensure the data is accurate and unmodified by an unauthorized user will need to be resilient.
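The usual way to make periodic key changes affordable on a large data set is envelope encryption: each object is sealed under its own data encryption key (DEK), and only the small DEK is wrapped under the long-lived key encryption key (KEK), so rotating the KEK re-wraps a few dozen bytes per object instead of re-encrypting the data. The Go program below is an added example written for this page (not code from the post or from Nuspire) using AES-256-GCM from the standard library; the type and function names are choices made for this example and the record text is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope stores data encrypted under a per-object data encryption key (DEK)
// together with that DEK wrapped under a long-lived key encryption key (KEK).
type Envelope struct {
	WrappedDEK []byte // DEK sealed with the KEK (nonce prepended)
	Ciphertext []byte // data sealed with the DEK (nonce prepended)
}

// NewKey returns a fresh random 256-bit AES key.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

// gcmSeal encrypts and authenticates plaintext with AES-GCM under key,
// using a fresh random nonce that is prepended to the output.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal; it fails if the key is wrong or the data was modified,
// which is the integrity check the paragraph above asks for.
func gcmOpen(key, box []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(box) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, box[:ns], box[ns:], nil)
}

// Encrypt generates a DEK for this object, seals the data with it, and wraps the DEK with the KEK.
func Encrypt(kek, plaintext []byte) (*Envelope, error) {
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(kek, dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK and then opens the data.
func Decrypt(kek []byte, env *Envelope) ([]byte, error) {
	dek, err := gcmOpen(kek, env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, env.Ciphertext)
}

// RotateKEK re-wraps the DEK under newKEK; the bulk ciphertext is untouched.
// It does not replace the DEK itself: if a DEK is suspected compromised,
// the object must be re-encrypted with Encrypt.
func RotateKEK(oldKEK, newKEK []byte, env *Envelope) error {
	dek, err := gcmOpen(oldKEK, env.WrappedDEK)
	if err != nil {
		return err
	}
	wrapped, err := gcmSeal(newKEK, dek)
	if err != nil {
		return err
	}
	env.WrappedDEK = wrapped
	return nil
}

func main() {
	kek1, _ := NewKey()
	kek2, _ := NewKey()
	env, _ := Encrypt(kek1, []byte("constructed sample record")) // constructed data
	_ = RotateKEK(kek1, kek2, env)
	pt, err := Decrypt(kek2, env)
	fmt.Printf("after rotation: %q, err=%v\n", pt, err)
}
```

Two caveats follow from the design: the old KEK must be destroyed only after every object's wrapped DEK has been re-wrapped, and a KEK rotation is not a DEK rotation, so a policy that requires the data keys themselves to change still needs a background re-encryption pass.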

Sometimes the most difficult tenet of the security triad is availability: security needs to ensure that secure methods are used when large blocks of data are transmitted in order to satisfy a business need. Secure availability will be especially important to health care facilities because of the push toward Electronic Medical Records (EMR) to allow easier access to patients’ data.  HIPAA's security rule will come into play for all doctors' offices that are moving to EMR.

Data management will be one of the significant issues facing us in the coming decade. The regulations for HIPAA, privacy, and PCI will be driving forces for how data is stored, accessed, and transmitted. The amount of data will continue to grow, as the study has shown, and our job as security professionals is to protect it.


The issues around social networking are basically the same as in the past.  The general user population wants, even demands, that social networking be allowed within and from outside the corporate network.  Employees herald the importance of connectivity to their customers, business partners, and other employees as a paramount reason to allow the technology to be adopted.  We as security professionals are required, as an unwritten part of the job description, to slow the train that would otherwise leave holes in the security of the company.

The idea of social networking isn't a new concept; there have been several attempts at creating an environment of communication that is easy to use. We can all think of several types, and here are the ones that come to mind: NetMeeting, instant messaging, chat, and others.  Most computer savvy people that use these methods of communication understand the associated risks.  We all want to have greater communication with all our contacts and look to the Internet for these solutions.

The problems occur when the users adopt a new technology or method of communicating because it is "cool" without thinking of the security ramifications. Security professionals work diligently to understand the inherent problems that these new methods bring to the protection of corporate networks. 

Those of us that attend conferences like DefCon in Vegas have heard the "black hats" state that the social networks have all been compromised.  We then notify these Internet sites that their security needs to be improved, which causes some to make improvements while it falls on deaf ears with others.  We might ask: "Why do some sites seem to ignore our concerns?"  My best guess is that the sites that ignore the concerns are too busy bringing other "cool" aspects to their site and haven't got the resources to make them secure.

Since we know that the social networking sites are somewhere between mostly secured and wide open, we need to create an environment that will mitigate the security concerns.  The security posture becomes one of creating a policy that secures our private network from the open sites, reasoning that it will then also secure us from the mostly secure sites.  We need to look at social networking sites as having a difficult task of securing their customers' information.  They face a daunting task of securing a constantly moving target of infrastructure, users, and data.

If we take the position, as security professionals, that social networking sites are doing the best they can, we can create a policy or procedure that will maintain the security of our private network.  Information security in this world of ubiquitous, always-on connectivity for all users is becoming more and more difficult.  We, as security professionals, have all dealt with finding the balance between security and allowing the "cool", "cutting edge", or "wave of the future" apps to be used for the betterment of our companies.


I attended a security conference a short time back (http://nuspire.com/CAMPIT.aspx).  There were two panel discussions that involved securing network data sources while allowing social networking by employees. The discussions covered a wide range of topics, of which the first was whether to allow access to social networking with corporate networking resources. The second was whether to allow employees to use privately owned devices with social networking capabilities to connect to the corporate network.  The last was whether to allow employees to use their smart devices while at work but not connect them to the corporate network.

The audience was obviously very interested in this topic, since it carried over to a table discussion during lunch.  I listened to the banter back and forth about the reasons why it should be allowed, and while most had valid points, they reminded me of similar discussions in the past about other emerging technologies.

These types of discussions always start the same: this is really "cool", "cutting edge", "enabling", or the "wave of the future". I was surprised to hear this same rhetoric while attending a security conference.  In the past it was usually prevalent while speaking with networking, server, or desktop support personnel. The security person has always dealt with the attitude that all data must be available all of the time to everyone.

While this may be an overstatement of the attitude, it is indicative of the problem of securing data.  There are many reasons for this attitude, one being that it is easier to just give everyone access.  The creation of role-based access control (RBAC) is a significant administrative effort for the network and system administrators.  This effort is an ongoing task that includes determining who should have access to what, and when.  This type of policy change typically requires a change in mindset for the entire company.

The "new" emerging technologies that were discussed in years past were: wireless local area networks, cell phone "air cards" for Internet/intranet access, remote desktop software, and web conferencing, to name a few.  These were all "cool" technologies that solved many IT problems but, from a security perspective, created many more.

The concerns the security experts had revolved around creating access "doors" into the internal private network.  The perimeter or edge protection that was painstakingly put in place was being pierced for the sake of making the administrators' jobs easier.  The security personnel understood the reasons for opening these doors, since many of them had cut their IT teeth as administrators.  They also understood the risks these doors represented to the data they were hired to protect.  The risk became greater after certain legislative measures, along with industry regulations, were created to strengthen the protection of certain select data constructs. (check back soon for part 2 of this post)


About White Hat Labs

White Hat Labs is a consortium of industry leaders dedicated to the education and advancement of network security.  The White Hat Lab is spearheaded by Nuspire Networks, a state-of-the-science managed security services provider which protects some of the World’s largest organizations.
