Last week’s RSA 2010 Conference highlighted a host of exciting and innovative technologies within the infosec community. While cutting-edge technology and thought leadership (like much of what was unveiled at RSA) plays a significant role in ensuring the security of your organization’s data, applications, and systems, it’s by no means the most important element. Rather, it’s how your existing IT projects, process, policy, and products are implemented that can make the difference between an effective IT department and one that’s vulnerable to data loss, breaches, and other threats.
To help you avoid common pitfalls within your organization, we’ve outlined our thoughts on today’s most common IT project mistakes and risks:
As the excitement around RSA 2010 has calmed down a bit, I thought I’d take a minute to share a few pictures and highlights from the Exhibitor Hall to capture GlobalSCAPE’s team in action over the past week.
We were extremely impressed by the products and insight shared during the event. In his discussion with BankInfoSecurity.com’s Nick Burke, Jim Morris perhaps best captured the ongoing discussion at RSA about the delicate balance that government, as the policy makers, and vendors, as the solution providers, must strike if we’re truly going to improve our national security posture.
We were also happy to see GlobalSCAPE’s U.S. Army deployment get some play in Government Computer News’ coverage of the RSA event. Our secure information exchange solutions have been baked into the Army logistics technology for many years now. It’s just one example of how we’re working with Government to help reinforce policy with solutions.
Now for the fun stuff… our staff in the booth!
GlobalSCAPE salesmen Chris Thacker and Nick Flores pause for a photo op
CEO Jim Morris and COO Craig Robinson chatting with an attendee
Chris Thacker, Lisa Kelaita and Todd Doerr smiling in the GlobalSCAPE booth
CEO Jim Morris explains how total path security solutions, in particular MFT and application whitelisting technology, can help you more effectively mitigate the risk of data loss or breaches.
CEO Jim Morris discusses the vital role of managed file transfer (MFT) technology in supporting ad hoc exchange of data, and in meeting security and compliance mandates.
Thousands of security professionals and representatives from government and industry are attending this week’s RSA Conference in San Francisco. Without question, the RSA Conference presents a tremendous opportunity for exchanging ideas and learning about some of the latest cyber security challenges and technologies.
The RSA Conference organizers appear to have made a conscious effort to include more ‘real world’ tracks and panels this year. This is a major step forward in increasing the value of these conferences and providing a more substantive basis for improving cyber security practices within industry and throughout the government.
CEO Jim Morris offers thoughts on how the government, private industry and information security vendors must work together to improve national cyber security.
Cyberspace defense has largely been a measure/countermeasure/counter-countermeasure game. The good guys build a fence and, in short order, the bad guys climb over it. The good guys build the fence taller and the bad guys figure a way over it again. I would not be the first to compare this reactive security approach to the famous “whack-a-mole” game, but I thought it would be a fun way to demonstrate the point.
A decade ago, it could be argued that the “mole” poked its head up slowly enough that you actually stood a reasonable chance of bashing the little bugger on the head. Today’s threats, however, look more like the Caddyshack gopher, and traditional, reactive security solutions look about as capable as Bill Murray.
In a recent interview with CNET, Bob Russo, general manager of the PCI Security Standards Council noted, “Becoming compliant with the standard is pretty much a snapshot in time. An assessment company would come in and go through all those requirements and check that this stuff is in place. If everything is in place they issue a report on compliance. It is then your responsibility as a merchant to maintain that compliance.”
Russo’s point about continuous versus point-in-time compliance is interesting on many levels. As a respectable business or IT leader, you can’t argue with the fact that companies must not only meet government and industry standards at a single point in time, but that they must also update processes, tools and systems to maintain their compliance as regulations shift and change. In order to ensure information security (that you’ve mitigated risk to an acceptable level), you must treat the policies, processes and tools that you use to protect sensitive data as an evolving, imperfect set of entities.
However, it’s somewhat of a cop-out by Russo and the council to imply that because companies are not completely in compliance all the time, their information and systems are any more vulnerable than those who might be in complete compliance all of the time. To take it one step further, he also seems to be saying that a company’s lack of compliance explains why a breach occurred. Might it be possible that the standards really only provide a false sense of security for consumers?
Ad hoc file transfer isn’t the only MFT trend to watch for this year. In today’s world of tight IT budgets, reduced workforces, and security mandates, it’s only natural for us to expect that companies will turn to MFT solution providers who offer intelligent file-centric automation capabilities.
Today’s automation differs from the automated functionality available in the past. We’re no longer talking about just moving files from point A to point B. It’s not enough to rely on homegrown solutions (like custom scripts) built in the past. We’re talking about seamlessly moving files into back end systems while providing full audit tracking, robust monitoring capabilities, and the ability to react to anomalies, which can trigger alerts.
Information exchange, by definition, involves endpoints (analogous to a transmitter and a receiver in a communication system) and at least one transfer medium (analogous to a communications channel). Because information is at risk while at rest on the endpoints and during transfer between endpoints, there is an increasing market need for what we refer to at GlobalSCAPE as “total path security.” Total path security protects information from its creation on an endpoint through delivery and retention on a receiving endpoint.
From our perspective, endpoint information security is a natural extension to managed file transfer (MFT). MFT provides the secure channel. Endpoint security measures protect the sending and receiving information systems, as well as the servers that participate in the information exchange. Without both MFT and endpoint security, a business can’t expect to maintain ‘acceptable’ levels of security. There’s little merit in going through all the trouble of securing the transfer if the information comes from an unsecured source or is going to land in an insecure place.