Availability Risks and Cloud Computing

On July 6, 2010, in Security, by Lawrence Pingree

Don’t get me wrong at all, I love cloud computing and even invest in cloud computing companies, but since cloud computing is becoming more popular than ever, as more and more applications core to our businesses move into the cloud, we need to consider some of our own risks. One thing I’m not sure you or your business has thought of is availability on your own end (your internet connections). Availability is not just on the provider side, which is normally fully redundant. Being a CISSP, of course I know the clever triad, but given that most availability issues are still addressed by other parts of our organizations (network engineering, telecom, etc.), I know that I myself mostly focus on confidentiality- and integrity-related controls and not on availability. I don’t think I’m the only one in the security industry in this boat.

So, if we take a moment and step back from our little paper-cluttered desks filled with pie charts and Excel spreadsheets of PCI or SOX controls and take a look at availability, we should ask ourselves these questions: Would our company function if we lost our primary internet connection? How about if we lost our internet connections entirely? How about if a global routing event or some other attack on the root DNS servers was successful? hmm…

My 2 cents is that companies are relying very heavily on a mixed bag of routing protocols and interconnected networks that don’t always have your company’s goals at heart. I’d love to see a lawyer try and say that the company internet connection going down should be reimbursed to the level of reliance that has been placed on those same connections. So please, please, please ensure you have fully redundant internet connections and think this issue through. Keep in mind that you may have two circuits coming out of your data center, but they often could go physically through the same single fiber connection at the telco (a single point of failure). You should also consider the financial risks associated with 2nd- and 3rd-tier cloud providers. Providers such as Salesforce.com and Amazon are best suited to provide you financial stability and fault tolerance, but startups often lack the resources or money to really cover all these availability issues effectively, so be cautious and have a backup plan in place to address any of the issues that could arise.

More questions to ask… If your internet went down:

1. Would your helpdesk software work?
2. Would your finance portal work?
3. Would your out-sourced marketing work?
4. Would your advertising continue?
5. Would your paycheck administration continue?
6. Would your recruiting efforts continue?
7. Would your customers be able to buy from you?
8. Would your banks be able to communicate with you?
9. Would you be able to get updates for your operating systems?

The list goes on and on… Think about it at least a little.
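The two things the post asks you to check, whether your “redundant” circuits really are independent and which business functions die with them, can be written down as a small dependency model instead of a gut feeling. The following is an added example, not code from the original post; every circuit, carrier, conduit, fiber route, ASN (64496 and 64497 are in the documentation range of RFC 5398) and service name is a constructed sample value, and the attribute names on the classes are my own choices. It flags any component that every circuit depends on (the shared telco fiber the post warns about) and then answers the post’s list of questions for a given failure.

```python
"""Dependency check for 'redundant' internet circuits and the cloud
services that rely on them.

Added example; it is not code from the original post. Every circuit,
carrier, fiber route, ASN and service name below is a constructed sample
value (ASNs 64496-64511 are reserved for documentation, RFC 5398).
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Circuit:
    """One WAN circuit and the physical/logical components it depends on."""
    name: str
    carrier: str
    building_entrance: str  # conduit the fiber enters the building through
    telco_fiber_route: str  # last-mile fiber path on the telco side
    upstream_asn: int       # transit provider's autonomous system

    def components(self) -> Set[str]:
        """Every component whose failure takes this circuit down."""
        return {
            f"carrier:{self.carrier}",
            f"entrance:{self.building_entrance}",
            f"fiber:{self.telco_fiber_route}",
            f"asn:{self.upstream_asn}",
        }


@dataclass(frozen=True)
class Service:
    """A business function and whether it survives a total internet loss."""
    name: str
    hosted_offsite: bool        # runs at a SaaS/cloud provider
    has_offline_fallback: bool  # documented on-prem or manual fallback exists


def single_points_of_failure(circuits: List[Circuit]) -> Set[str]:
    """Components shared by *every* circuit: one failure there cuts all
    connectivity regardless of how many circuits were bought."""
    if not circuits:
        return set()
    return set.intersection(*(c.components() for c in circuits))


def surviving_circuits(circuits: List[Circuit], failed: Set[str]) -> List[str]:
    """Names of the circuits that stay up when the given components fail."""
    return [c.name for c in circuits if not (c.components() & failed)]


def impact(circuits: List[Circuit], services: List[Service],
           failed: Set[str]) -> Dict[str, List[str]]:
    """Which services are lost for a given set of failed components.
    A service only goes down when no circuit survives and it has no
    offline fallback; on-prem services are unaffected by the WAN."""
    up = surviving_circuits(circuits, failed)
    down = [] if up else [s.name for s in services
                          if s.hosted_offsite and not s.has_offline_fallback]
    return {"circuits_up": up, "services_down": down}


# Constructed sample: two circuits from different carriers and different
# building entrances that, as the post warns, ride the same telco trunk.
SAMPLE_CIRCUITS = [
    Circuit("wan-a", "AlphaTel", "north-conduit", "CO-17-trunk", 64496),
    Circuit("wan-b", "BetaNet", "south-conduit", "CO-17-trunk", 64497),
]

# Constructed sample services drawn from the post's list of questions.
SAMPLE_SERVICES = [
    Service("helpdesk", hosted_offsite=True, has_offline_fallback=False),
    Service("finance-portal", hosted_offsite=True, has_offline_fallback=False),
    Service("payroll", hosted_offsite=True, has_offline_fallback=True),
    Service("os-updates", hosted_offsite=True, has_offline_fallback=True),
    Service("badge-access", hosted_offsite=False, has_offline_fallback=False),
]


if __name__ == "__main__":
    print("shared SPOFs:", sorted(single_points_of_failure(SAMPLE_CIRCUITS)))
    print("carrier outage:",
          impact(SAMPLE_CIRCUITS, SAMPLE_SERVICES, {"carrier:AlphaTel"}))
    print("fiber cut:",
          impact(SAMPLE_CIRCUITS, SAMPLE_SERVICES, {"fiber:CO-17-trunk"}))
```

With the sample data a single-carrier outage leaves wan-b up and nothing down, while a cut of the shared CO-17-trunk fiber takes both circuits out and, with them, the helpdesk and finance portal. The useful part is the first function: populate the component fields from what the carriers actually tell you about the physical path (the post’s point is that two contracts do not imply two fibers) and any non-empty result is a single point of failure you are paying twice for.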


Register for Cornerstones of Trust 2009!

On August 19, 2009, in Security, by Lawrence Pingree

Join Silicon Valley and San Francisco ISSA and the Bay Area InfraGard for our annual Cornerstones of Trust 2009 security conference in Foster City, CA on October 14, 2009. The theme of this year’s conference is “Meeting Security Challenges in Changing Times”.

If you are in the San Francisco Bay/Silicon Valley area security community, Cornerstones of Trust 2009 is the place to meet top security experts from the business and technology communities and learn about real-world solutions. Come and find out how other companies are effectively and successfully managing their security postures in these changing and challenging times.

Featuring Two Keynote Speakers:

Morning:

Mark Weatherford, Executive Officer and CISO of California Office of Information Security and Privacy Protection

“Security: From the Left Side of the Equation” – Future threats, much ado about SOMETHING

Afternoon:

Pascal Levensohn, Founder and Managing Partner of Levensohn Venture Partners

“Why We Must Develop a New Model for Collaboration in Cyber Security: A Perspective on America’s Innovation Crisis”

Featuring Four Parallel Tracks (including both panels and individual presentations)

  • The business side of security – becoming a business enabler and staying ahead of the curve
  • Disruptive Technology – From Data Bits to Clouds
  • E-Discovery and Digital Evidence
  • Governance Risk and Compliance in today’s changing and challenging landscape

CPE credit

Earn 8 CPE credits when you attend

Exhibitors

  • 20+ technology vendors exhibiting the latest security solutions

Food and Entertainment

  • Great food (breakfast, lunch and snacks)
  • Post conference vendor reception

Vendor Raffle Prizes

  • iPod Gear
  • Memory Sticks

Who should attend?

  • CIOs, CSOs & CISOs
  • Information security managers and directors
  • Security practitioners and specialists

Registration Costs

Level             Pre-Pay   Day Of    Qualifying Membership
Member            $60.00    $70.00    ISSA & InfraGard
Associate Member  $90.00    $100.00   ISACA, ASIS, ISC2, OWASP
Non-Member        $120.00   $130.00   Any


SWOT analysis of vulnerability management vendors

On July 29, 2009, in Security, by Lawrence Pingree

Best Enterprise Vulnerability Management Product: Rapid 7 NeXpose

Summary
After reviewing the top players in my select list, it is my opinion that the vendor with the most feature-rich, lowest-cost and safest deployment option currently available is Rapid 7 with its appliance. Qualys is my second choice based on the same criteria, mostly because I favor onsite deployment. Finally, McAfee comes in last for me, mostly due to their lack of web and database scanning.
I just jotted down SWOT thoughts on the following vendors, so if there are any corrections please send them to me via my blog’s contact form.

Vendors I Selected for the SWOT

  • Rapid 7
  • Qualys
  • McAfee, Inc.

Rapid 7 – NeXpose

Strengths
- Highly focused on just vulnerability management
- Quick deployment
- Fast customer adoption (high growth)
- Recent infusion of growth capital (VC funding)
- Enterprise ticketing integration
- Web application scanning
- Database scanning
- VMware capability
- Onsite deployment
- Low cost (depreciable)

Weaknesses
- Small company
- Limited policy compliance functionality (ITGRC)
- Operations cost (management, power, rack space, etc.)
- Small research team
- Small support team

Opportunities
- Take greater market share as larger vendors lag
- Expansion to policy management (ITGRC)
- Expand distribution channel
- Integration with third-party blocking technology (web app firewalls)
- Integrate web app scanning ticketing to development bug tracking systems

Threats
- Company acquisition
- Alternative technologies are developed
- Large players address weaknesses

Qualys – QualysGuard Enterprise

Strengths
- SaaS and cloud adoption increasing
- Web application security
- Database security
- Quick deployment
- Enterprise ticket integration
- Highly focused on vulnerability management

Weaknesses
- SaaS only (high cost for onsite deployment option)
- High ongoing fees (non depreciable)
- Lower ROI due to continuous yearly subscription model
- Limited database scanning support

Opportunities
- Commitment to an on-site deployment option
- Reduce yearly subscription renewals to address ROI argument
- Move more towards SaaS based ITGRC platform
- Integrate web app scanning ticketing to development bug tracking systems

Threats
- ITGRC vendors expand into the vulnerability management space
- Smaller (more nimble) companies develop better functionality
- Larger players lower pricing further
- Larger players match SaaS offering

McAfee – McAfee Vulnerability Manager

Strengths
- Large market share
- Countermeasure awareness
- VMware option available
- Foundstone research heritage
- Instant new threat assessment reporting
- Onsite deployment option

Weaknesses
- Limited web application scanning
- Limited database scanning
- Countermeasure awareness limitations (competitor products?)
- Console strategy unknown (ePO?)
- Some functionality requires separate console

Opportunities
- SaaS expansion to include ticketing and policy compliance (ITGRC)
- Consolidate existing SaaS offerings under one single website console
- Consolidate separately managed products into ePO (i.e., Vulnerability Manager, Risk and Compliance Manager and Remediation Manager)

Threats
- Poor execution of consolidated console strategy
- Possibility of Acquisition
- Reduced revenue due to commoditization

Note: The results of this analysis are not quantitative in nature and are only the opinions of the author, not of any other associations, organizations or persons.


Edgeos managed security white-label service

On July 28, 2009, in Security, by Lawrence Pingree

Apparently Nessus has really hit the mainstream, with this company (Edgeos) offering “managed” security to other security vendors that wish to provide managed scanning services. Interesting, but again kinda scary to host your vulnerability data off-site like that. Apparently hosting your vulnerability data off-site is really catching on, as lots of major companies seem to be doing it. Cloud-based scanning services were also just released by Rapid7, a strong new vulnerability vendor that has been doing quite well competing against Qualys and McAfeeSecure (aka HackerSafe).
