IBM Security Portfolio

November 4th, 2011 by alex

Ever wanted a quick, no nonsense explanation of what IBM security products are and where they came from? Well, here it is:

  • ISS – network and host security (Internet Security Systems acquisition; home of the X-Force research team)
  • TIM – identity management (Access360 acquisition)
  • TAMesso – desktop single sign-on (Encentuate acquisition)
  • TFIM – federated access (homegrown)
  • TDI – data transformation (Metamerge acquisition)
  • TAMeb – web app access control (Dascom acquisition)
  • TSIEM – security event management (Consul Risk Management acquisition; the QRadar SIEM came with the Q1 Labs acquisition)
  • TCIM – compliance dashboard (Consul Risk Management acquisition)
  • DataPower – XML gateway (DataPower acquisition)
  • i2 – crime prevention and intelligence analysis (i2 acquisition)
  • BigFix – patch and endpoint management (BigFix acquisition)
  • Guardium – database security (Guardium acquisition)
  • OpenPages – governance, risk and compliance (OpenPages acquisition)
  • Algorithmics – financial risk management (Algorithmics acquisition)


Know thy laws and save money

October 7th, 2011 by alex

It’s very comforting to think that your bank is looking out for the customers. Or at least knows consumer laws and respects them. Wrong. I just had a rude awakening to the reality and saved almost $600 in the process.

I have a mortgage with a bank that shall remain unnamed (although, if they do something like this again, their name will be posted).  The mortgage is conventional in every sense of the word, with the escrow handled by the bank. Now, when somebody else pays your taxes and insurance you only get to know what was paid after the fact. This was not good enough for me, so I decided to trade convenience for control and contacted the bank to cancel my escrow. The reply I got was not too encouraging.

They said that not only did the mortgage have to be in good standing, with no PMI and no overdues within the last 12 months, but also that I had to pay 1/4 of 1% of the outstanding premium to get out of the escrow, which came out to almost $600. Yes, they clearly had some vested interest in keeping my escrow and not letting it go. I bet the interest they make on the padded balance of my escrow is a big part of it.

However, I remembered something from several years ago that piqued my interest at the time. There was a letter from the bank regarding the escrow account status that they were required by law to mail at the 5th anniversary. Hmm, I thought, what does that law say about escrow fees? Twenty minutes of Googling produced a pointer to Minnesota Statute § 47.20, subdivision 9(g), which states:

The mortgagee shall not charge a direct fee for the administration of the escrow account, nor shall the mortgagee charge a fee or other consideration for allowing the mortgagor to discontinue the escrow account.

Moreover, most other states have similar clauses in the laws regarding the lending authority of financial institutions. So, I challenged the bank on this. The reply I got was just short of mindblowing:

 The escrow account will be canceled and the funds will be transferred to you. There will be no fees charged.

That’s it. No apologies, no acknowledgments. Just a statement of fact. Not that I expected apologies, but, hey, the bank screwed up big time; it would’ve been at least appropriate to recognize the error. Anyhow, I got what I needed, saved a lot of money and got my lesson in the bank’s care for its customers. Talk about corporate greed.


In high demand

August 24th, 2011 by alex

The old adage says: “keep your friends close, but your enemies closer”. In this day and age, the IT department of your organization does not have to worry about the second part. The enemies are already at the gates. And keeping them out is an increasingly challenging task.

A recent study sponsored by Juniper Networks showed that not only has there been a dramatic rise in the number of security breaches in the past year, but the targets have also gotten bigger. The CIA, the FBI, the U.S. Senate, and various state police agencies had their systems under attack. In the first half of 2011 security and data breaches cost U.S. enterprises almost $96 billion. At this rate the cost for the whole of 2011 will be almost twice what it was in all of 2010. Consider the fact that in 2010, 90% of businesses were compromised by at least one security breach, and more than 50% of the compromised businesses had at least two.

Another problem is that “the gates” the enemies are trying to get through are everywhere now. The entry points are in the software employees use. They are in files, emails, web apps, web sites, databases, in everything that is on the information highway. The number of incidents related to malware went up from 4 million in the first quarter of 2010 to 6 million in the first quarter of 2011. Last year’s record $63 billion that companies spent on security is expected to reach $75.6 billion in 2011. As the study showed, the enemies get smarter and the attacks get more complicated every year. Throw up all your defenses, get every firewall ready, along with host and network intrusion detection and prevention systems, anti-virus, anti-malware and application firewalls, and it will still not be enough, because the enemies are a step ahead. The solution? “Know yourself and know your enemy” (Sun Tzu, “The Art of War”). Get the right security talent on board and use the right strategy.

The correct strategy, rooted in the governance, risk management and compliance (GRC) methodology, can go a long way. Consider governance, the system by which an organization directs and controls its security program, as the backbone of the approach to managing security and how it relates to the business (http://www.cert.org/governance/ges.html). Then focus on compliance and regulations, the key to proactive defenses and to enforcing rules on the company’s behavior as it pertains to security for the specific nature of the business. Governance is strategic, while compliance is tactical and specific. Addressing compliance and security regulations lets the business focus on the particular challenges and vulnerabilities specific to its type and the vertical it operates in. Finally, attend to risk management, the day-to-day security work and its mature components: penetration testing, application security analysis, firewalls and intrusion prevention systems. The success of the security strategy depends on attention to all three components.

Talent is a different matter. With the increase in demand for security experts, in response to the increased attacks, security talent is becoming more expensive and harder to find. So far, the number of college students who focus on cyber-security has not been keeping up with the demand. Experienced security consultants who can match the skills of the criminal underground are even harder to find. Security may be on the radar for around 1.9 million people, but there are only around 346,000 fully dedicated security professionals.

There are, however, security consulting firms, like the Prolifics Security Practice (http://www.prolifics.com/business-solutions-security.htm), that can help you with both the talent and the strategy. They bring the best and brightest security personnel on site to analyze, architect, develop and implement proper defenses and policies to address modern security threats. They help set up a proper strategy, so you protect the flanks, tie up the loose ends and govern smartly.

With the increasing number and caliber of security breaches you cannot afford to sit around and wait. Find out what others are doing, go to conferences, ask consultants, bring in help, but do something, because the enemies are at the gate.

If you want to read more on the recent rise of the cyber attacks look here: http://articles.latimes.com/2011/jul/05/business/la-fi-hacking-security-20110705


Enterprise Single Sign-On tug of war

March 4th, 2011 by alex

A desktop-based Single Sign-On solution is a joy to have if you are a desktop user. Equally, it is a pain to have if you are in the IT department that supports it. The line between the two is very thin in many organizations, and which way it tilts often determines the success of an Enterprise Single Sign-On (ESSO) implementation. Here is a quick list of the typical gripes and the responses one can provide to pull the rope in ESSO’s favor.

  • Desktop support team: Man, it replaces the Microsoft GINA. We need to provision it to all of the existing desktops, test it on our gold build, communicate with all the affected users… It’ll take more than you think to implement it.
  • Business: Ok, so let’s see how well you manage your assets. If you know them, can provision them and keep them homogeneous you should not have too many problems. If not, let’s work on the asset management first.
  • Infrastructure: Users want to be automatically logged in to an enterprise app that is not covered by ESSO yet.  Now we’ve got to develop another profile. This is not easy. The development, testing and support will take a lot of time.
  • Business: Yes, it is the on-going cost of the ESSO. Either engage the vendors, get the training and do it in-house, or outsource it.
  • Infrastructure: Now we have to have staff to support another server, another database and a bunch of desktops.
  • Security: Hey, but no more sticky notes under keyboards with passwords.
  • Help desk: We are getting more calls about desktop apps incompatible with the ESSO.
  • Business: The incompatible apps will have to be worked through with the desktop support and the vendors.
  • Security: We do not want to accept the responsibility for accidentally exposing all personal logins people may store in ESSO, like passwords for web-mail, Internet banking, shopping, forums, you name it.
  • Consultant: Set ESSO up with personal, per-user key encryption. The downside, though, is that if a user’s password is changed and they then forget their response to a challenge question, they will lose their stored passwords.
  • Help desk: Everybody is forgetting their responses to the challenge questions. People are unhappy about having to lose their stored passwords.
  • Consultant: Set ESSO up with a global key, and let the Security department worry about an appropriate use policy and the privacy policy.
  • Security: We do not want to send people their on-boarding passwords plain-text in an e-mail or print them out.
  • Consultant: Integrate your ESSO with an identity management solution and have it automatically distribute passwords to people’s wallets.
  • Infrastructure: All the setup, configuration and support takes so much time!
  • Business and End Users: Hey, it is nice not to have to type enterprise passwords every time. The help desk is getting fewer calls about recovery of forgotten passwords. It saves so much time!

The end of the story is that for every gripe, there is a good response demonstrating the value and the benefit of having an ESSO solution.
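The two consultant options above (per-user key versus global key) come down to how the wallet’s encryption key is wrapped, and why a forgotten challenge answer after a password reset is fatal in one design and recoverable in the other. The following Python sketch is an added illustration, not code from any ESSO product: a random data key encrypts the wallet, and that data key is wrapped under the user’s password, under their normalized challenge answers, and optionally under an escrow secret that stands in for the post’s “global key”. The function names, the PBKDF2 iteration count, the escrow secret and the sample credentials are assumptions; the HMAC-counter stream cipher is a stand-in for the authenticated cipher a real wallet would use.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # assumption: tune to the desktop hardware


def _kdf(secret: str, salt: bytes) -> bytes:
    """Derive a 32-byte key-encryption key (KEK) from a human-supplied secret."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a demonstration stream cipher (the same
    call encrypts and decrypts). A real wallet would use AES-GCM or similar."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += _xor(data[i:i + 32], block)
    return bytes(out)


def normalize_answers(answers: List[str]) -> str:
    """Challenge answers are compared case- and whitespace-insensitively."""
    return "\n".join(" ".join(a.lower().split()) for a in answers)


def add_slot(wallet: dict, name: str, secret: str, dek: bytes) -> None:
    """Wrap the data-encryption key (DEK) under a KEK derived from `secret`.
    A fresh salt per slot means each KEK is used once, so XOR-ing the 32-byte
    DEK with it is a one-time pad; the HMAC tag detects a wrong secret."""
    salt = os.urandom(16)
    kek = _kdf(secret, salt)
    wrapped = _xor(dek, kek)
    tag = hmac.new(kek, wrapped, hashlib.sha256).digest()
    wallet["slots"][name] = {"salt": salt, "wrapped": wrapped, "tag": tag}


def unlock(wallet: dict, name: str, secret: str) -> Optional[bytes]:
    """Return the DEK if `secret` opens slot `name`, otherwise None."""
    slot = wallet["slots"].get(name)
    if slot is None:
        return None
    kek = _kdf(secret, slot["salt"])
    expected = hmac.new(kek, slot["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None
    return _xor(slot["wrapped"], kek)


def create_wallet(password: str, answers: List[str],
                  escrow_secret: Optional[str] = None) -> Tuple[dict, bytes]:
    """Per-user wallet: a random DEK reachable only through the unlock slots.
    `escrow_secret` (assumed) models the post's global key held by Security."""
    dek = os.urandom(32)
    wallet = {"slots": {}, "blob": b""}
    add_slot(wallet, "password", password, dek)
    add_slot(wallet, "challenge", normalize_answers(answers), dek)
    if escrow_secret is not None:
        add_slot(wallet, "escrow", escrow_secret, dek)
    return wallet, dek


def seal(wallet: dict, dek: bytes, credentials: Dict[str, str]) -> None:
    """Encrypt the stored application credentials under the DEK."""
    plain = json.dumps(credentials, sort_keys=True).encode("utf-8")
    nonce = os.urandom(16)
    cipher = _keystream_xor(dek, nonce, plain)
    tag = hmac.new(dek, nonce + cipher, hashlib.sha256).digest()
    wallet["blob"] = nonce + cipher + tag


def open_wallet(wallet: dict, dek: Optional[bytes]) -> Optional[Dict[str, str]]:
    """Decrypt the credentials, or return None if the DEK or blob is bad."""
    blob = wallet["blob"]
    if dek is None or len(blob) < 48:
        return None
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(dek, nonce + cipher, hashlib.sha256).digest()):
        return None
    return json.loads(_keystream_xor(dek, nonce, cipher))


def change_password(wallet: dict, via_slot: str, via_secret: str, new_password: str) -> bool:
    """Re-wrap the DEK under a new password. This needs SOME slot that still
    opens: after a help-desk reset of the old password, a user who has also
    forgotten the challenge answers has none, unless an escrow slot exists."""
    dek = unlock(wallet, via_slot, via_secret)
    if dek is None:
        return False
    add_slot(wallet, "password", new_password, dek)
    return True


def demo() -> Dict[str, bool]:
    """Constructed scenario: password reset by the help desk, answers forgotten."""
    creds = {"mainframe": "t0pSecret", "webmail": "hunter2"}  # constructed sample
    r = {}
    # Option 1 from the post: per-user key only.
    w, dek = create_wallet("Winter2011!", ["Fluffy", "Main Street"])
    seal(w, dek, creds)
    del dek  # the agent never persists the DEK
    r["password_opens"] = open_wallet(w, unlock(w, "password", "Winter2011!")) == creds
    r["wrong_answers_rejected"] = not change_password(
        w, "challenge", normalize_answers(["Rex", "Elm Street"]), "Spring2012!")
    r["wallet_lost"] = unlock(w, "password", "Spring2012!") is None
    # Option 2 from the post: a global (escrow) key, at the price of a privacy policy.
    w2, dek2 = create_wallet("Winter2011!", ["Fluffy", "Main Street"], escrow_secret="esso-escrow")
    seal(w2, dek2, creds)
    del dek2
    r["escrow_rescues"] = change_password(w2, "escrow", "esso-escrow", "Spring2012!")
    r["new_password_opens"] = open_wallet(w2, unlock(w2, "password", "Spring2012!")) == creds
    return r
```

`demo()` walks through the help-desk reset: with only the per-user slots, forgotten answers leave no slot that opens and the wallet is gone for good; with an escrow slot, Security can re-wrap the key under the new password, which is exactly why that option has to come with an appropriate-use and privacy policy, since whoever holds the escrow secret can read every wallet.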


From 5 gigabytes to 5 terabytes

February 10th, 2011 by alex

The year is 1995, I am in a small computer shop, bringing back a hard drive. It is a 2 gigabyte hard drive with bad sectors, which I am exchanging for a brand new Fujitsu 5 gigabyte monster. “Wow… that is space I am not going to fill up for a loooong time”, a thought goes through my mind… Fast forward to 2010 and my main computer is chewing through more than 5 terabytes of storage (albeit split across 6 hard drives). That’s a thousand times more and counting. If the growth keeps up geometrically (another thousandfold in the next 15 years) I will be looking at 5 petabytes around 2025. Or is it wishful thinking? (Look, no flying cars yet!)


Outsourcing IT

October 25th, 2010 by alex

I’ve been thinking recently about the whole “Cloud” thing: “Cloud computing”, “Cloud hosting”, “Identity Management in the Cloud”, cloud-this and cloud-that. In essence, it all seems to be the business telling its IT department: you are too expensive. We want to get rid of you, without getting rid of the services you provide.

Business knows that an IT department is important. It saves money in many ways, keeps the back office running and helps in executing business processes. But in many organizations IT costs too much, with all its security, high availability, disaster recovery, compliance and support requirements. Business cringes seeing all the capital project proposals and budgets for IT spending. This is why they are looking for an alternative. Say, an alternative that gives the back-office support without having to worry about all the high-ticket items, like HA, DR and GRC. Items that IT seems to stick on the annual budget proposal every year. And this is exactly what the “cloud” tries to provide. The cloud is an abstracted business function, where all the high-ticket IT items are spread over multiple clients and thus are cheaper for any particular client. The IT department, after all, is just an expense paid by the business; it has no real, intrinsic value all by itself.

The business, of course, wants a high level of service, a good “Service Level Agreement” to cover the needs of the business. This is where we enter the world of ITIL. The SLAs of ITIL are a step toward getting IT outsourced. An SLA without extra value is a way to make IT separable and commoditizable. I am not saying they are bad. I am saying that if you excel at delivering the services on the SLAs without bringing benefits to the business, you are no different from a third-party outlet selling server time for a monthly fee.

So, before you dismiss the “cloud” business as yet another popular but short-lived word in the IT vernacular, think of the implications this model has for the future of IT. There is a trend of businesses cutting back on their IT departments. I really see only one way for the IT department to survive this transition: IT can live on by becoming a cloud integration department. At the low level, someone needs to integrate in-house systems with the clouds during and after the transition to cloud-based services. At the high level, someone needs to understand the business and know how to map it to the services different clouds provide.

Granted, it may take a decade before the onslaught of the clouds, depending on how much push the business is doing toward cost-cutting, but start training up now for one of these roles, if you are working in an IT department.

PS. Yes, the cloud providers will need the IT skills to develop and maintain the cloud offerings, but the number of jobs will be much smaller compared to the in-house IT staff.


Apple iOS 4 weirdness

July 12th, 2010 by alex

I’ll skip all the praise Apple received for the new iPhone 4 and iOS 4 and jump right to some strange things the two possess. I cannot explain this sub-par behavior without invoking the rush-to-production argument.

The first has to do with double-tapping the home button to show background apps while the phone is in landscape mode:


Hmm, shouldn’t they have at least rotated the icons 90 degrees? This makes me dizzy.

Now, let’s use the new lock-orientation feature, again while in landscape mode:

Ouch, it turns the screen to portrait mode BEFORE locking the orientation. Now I have to do bed-typing on the small keyboard presented in portrait mode.

Let’s see if Apple catches this before the upcoming iOS 4.0.1 that is supposed to bring everybody’s reception bar indicator down “to reflect AT&T’s suggested formula”. I actually like the bars as they are now: they are very granular in the lower signal strength range, where reception quality actually matters, and are simply 5 bars when reception is in the good quality range.

As far as the antenna issue is concerned, no, changing how the bars are displayed is not going to fix it. And yes, I fixed it by having a case (actually a thin protective film) that covers the gap so I do not accidentally bridge it. And yes, iPhone 4 reception is slightly better on its own compared to the iPhone 3G.

PS. Man, the screenshots are big. I guess the awesome “retina” thing has its side effects too ;)


Ivkin.Net :: where tech and candy come together