<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>SeanD.info</title>
	<atom:link href="http://seand.info/feed/" rel="self" type="application/rss+xml" />
	<link>http://seand.info</link>
	<description>ramblings, rantings and ravings</description>
	<lastBuildDate>Wed, 07 Sep 2011 23:09:30 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Want to be more productive then get a new keyboard</title>
		<link>http://seand.info/2011/09/want-to-be-more-productive-then-get-a-new-keyboard/</link>
		<comments>http://seand.info/2011/09/want-to-be-more-productive-then-get-a-new-keyboard/#comments</comments>
		<pubDate>Wed, 07 Sep 2011 23:06:54 +0000</pubDate>
		<dc:creator>SeanD</dc:creator>
				<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://seand.info/?p=231</guid>
		<description><![CDATA[Earlier this year as my trusty old Lenovo X61s started to draw its last breaths I made the decision to swap over to using products from the people who have been making my personal machines for nearly 25 years and got a 13-inch MacBook Air as my primary work device. I coupled this with [...]]]></description>
			<content:encoded><![CDATA[<p>Earlier this year as my trusty old Lenovo X61s started to draw its last breaths I made the decision to swap over to using products from the people who have been making my personal machines for nearly 25 years and got a 13-inch MacBook Air as my primary work device. I coupled this with a 27 inch Cinema display and the fantastic <a href="http://www.engadget.com/2011/01/28/twelve-souths-bookarc-for-air-stand-cozies-up-around-your-macbo/" target="_blank">BookArc from Twelve South</a>. I was going to need something to type on. I took the easy option and went for the very sleek looking <a href="http://store.apple.com/us/product/MB110LL/B" target="_blank">Apple Keyboard with Numeric Keypad</a>. It looked the part but sadly as the months went by I realized that was about all it did.</p>
<p>I type quite a lot. I am not an efficient typist. As far as I can remember I was never taught to type. Perhaps if I had it might work for me, but it does not. I need a good old fashioned bash the keys hard type of input device. You know, like real computers of yesteryear had on them. Real key switches, not a big membrane with key tops.</p>
<p><img class="alignright" style="border-style: initial; border-color: initial;" title="Matias Tactile Pro3" src="http://technabob.com/blog/wp-content/uploads/2009/11/matias_pro_mac_keyboard.jpg" alt="" width="360" height="368" /></p>
<p>I found that a company based up in Canada called Matias make such a thing, the <a href="http://matias.ca/tactilepro3/" target="_blank">Tactile Pro</a>. It is heavy, in fact very heavy, and it is noisy, really very noisy, but it is so lovely to type on. The weight means it does not move no matter how hard I punch at the keys (the best way I can describe my typing style). The noise would drive people crazy if you were in a shared workspace, but I am not, so apart from typing when I am on the phone it is not an issue for me. However, that audio feedback is important to me. It helps create a rhythm; my typing is more accurate and faster, and those combined are good as they enable me to get more work done and to be more creative.</p>
<p>Next time you need to do some typing go get a proper keyboard and plug it into your laptop. I think you will be amazed at what it can do.</p>
]]></content:encoded>
			<wfw:commentRss>http://seand.info/2011/09/want-to-be-more-productive-then-get-a-new-keyboard/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Cloud and Virtualization are different</title>
		<link>http://seand.info/2011/04/the-cloud-and-virtualization-are-different/</link>
		<comments>http://seand.info/2011/04/the-cloud-and-virtualization-are-different/#comments</comments>
		<pubDate>Fri, 22 Apr 2011 15:35:57 +0000</pubDate>
		<dc:creator>SeanD</dc:creator>
				<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://seand.info/?p=223</guid>
		<description><![CDATA[My team work on the four primary mega trends that are driving information security, the cloud, virtualization, mobility and APTs.  There is a 5th but it is less of a trend and more of a fact of life these days and that is the data explosion.  However when I talk to some people they see the cloud [...]]]></description>
			<content:encoded><![CDATA[<p><img class="   alignleft" title="Billboard on the 101 from vCritical.com " src="http://www.vcritical.com/wp-content/uploads/2011/01/cloud_power_billboard_jan2011a.jpg" alt="" width="294" height="220" /></p>
<p>My team work on the four primary mega trends that are driving information security, the cloud, virtualization, mobility and APTs.  There is a 5th but it is less of a trend and more of a fact of life these days and that is the data explosion.  However when I talk to some people they see the cloud and virtualisation as one and ask why we differentiate.</p>
<p>The fact that the two have become synonymous is testament to VMware&#8217;s marketing skill and power; anyone driving around Silicon Valley will have seen the hoarding from Microsoft on the 101 stating that &#8220;VIRTUALIZATION ALONE DOES NOT A CLOUD SOLUTION MAKE&#8221;, further proof to me of how good they are. What is more, to a large extent I believe VMware is right.  The main tool that I see being used to build private clouds within large enterprises is virtualization, and it also figures in many public cloud infrastructures.  However from a security standpoint the two are very different and present different challenges.<span id="more-223"></span></p>
<p>Over the past few years we have seen a very common theme in surveys about cloud adoption: that concerns around security, often driven by the loss of control that a move to the cloud and especially the public cloud entails, are one of, if not the primary, blocker to many large organisations moving to the cloud.  Dig a little deeper, especially around the public cloud, and you will find that the concerns usually revolve around data.  While enterprises have become skilled in managing an enterprise with a gradually eroding perimeter many still see their data as the piece they keep close, and wholesale movement of it to a third party is a risk they are just not prepared to take. There are ways to mitigate these risks, such as virtualization, and controls such as DLP technologies that can be deployed, but today they are not always easily deployed into or with popular cloud services. This will change, but currently many a CIO or CISO is able to press the &#8220;abort&#8221; or at least &#8220;let&#8217;s do some extra thinking on this&#8221; button on a public cloud adoption initiative because of concerns about how the data is being protected.</p>
<p>In virtualization we see different issues, and ultimately ones that will come into play more heavily than they do today in cloud.  Perhaps this is a function of virtualization having been around a while now (and I do not mean in the x86 world; some of us remember booting MVS under VM/370), so it is a maturity thing, but I suspect that it has more to do with one important attribute of virtualization: it enables you to do things that are either difficult or impossible in the physical world.  Tools like VMware vMotion allow me to do the equivalent of shutting down, de-racking, putting on a pallet, shipping, racking up and powering on with not much more than drag and drop simplicity rather than the hours of time and expense it would take in the physical world.  Time and expense that would demand inspection and tighter controls. These controls, if implemented properly, will stop mistakes that lead to increased risk or the violation of governance standards, for example moving a non-PCI-compliant asset into your compliant environment.  Other examples we see, whilst not unique to the virtual world, are going to be a lot more common once you remove the restrictions imposed by physical hardware.  We now have some very old virtual machines sat dormant on disk; if these were physical hardware they would have been recycled years ago, probably to make rack space for nice shiny new blade servers to run virtual farms on. They have not been, and with often very little work they can be brought back to life and become part of your network in all of their unpatched, out of date glory.</p>
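<p>As an added example (my code, not the author's, and not tied to any real vSphere API), here is the kind of audit a governance team can run over an inventory export to catch the two mistakes just described: an untagged workload migrated into or left in a PCI-scoped cluster, and VMs that have sat powered off long enough to be unpatched when revived. The inventory records, migration events, cluster names, tag names and field names are all constructed for the example.</p>

```python
from datetime import datetime, timedelta

# Constructed sample data, not a real environment. The record shape mirrors what
# an asset-management or hypervisor inventory export typically provides.
PCI_CLUSTERS = {"pci-cards"}          # clusters that are in PCI scope (assumption)

INVENTORY = [
    {"name": "web-01",      "cluster": "pci-cards", "tags": {"pci", "web"}, "power": "on",  "last_power_on": "2011-04-20"},
    {"name": "dev-sandbox", "cluster": "pci-cards", "tags": {"dev"},        "power": "on",  "last_power_on": "2011-04-18"},
    {"name": "legacy-erp",  "cluster": "general",   "tags": {"erp"},        "power": "off", "last_power_on": "2009-01-15"},
    {"name": "build-03",    "cluster": "general",   "tags": {"dev"},        "power": "off", "last_power_on": "2011-03-30"},
]

# (vm, from_cluster, to_cluster): what a live-migration audit log would record.
MIGRATIONS = [
    ("web-01",      "general",   "pci-cards"),
    ("dev-sandbox", "general",   "pci-cards"),
    ("build-03",    "pci-cards", "general"),
]


def scope_violations(inventory, pci_clusters=PCI_CLUSTERS):
    """Names of VMs resident in a PCI-scoped cluster that carry no 'pci' tag."""
    return sorted(vm["name"] for vm in inventory
                  if vm["cluster"] in pci_clusters and "pci" not in vm["tags"])


def untagged_moves_into_scope(migrations, inventory, pci_clusters=PCI_CLUSTERS):
    """Migration events that carried an untagged VM across the scope boundary.

    A drag-and-drop vMotion from a general cluster into a PCI cluster is exactly
    the move that a physical re-rack would have forced someone to review."""
    tags = {vm["name"]: vm["tags"] for vm in inventory}
    return [(vm, src, dst) for vm, src, dst in migrations
            if dst in pci_clusters and src not in pci_clusters
            and "pci" not in tags.get(vm, set())]


def dormant_vms(inventory, as_of, max_idle_days=180):
    """Powered-off VMs whose last power-on is older than max_idle_days.

    Returns (name, days_idle) pairs in inventory order; these are the machines
    that will come back unpatched if someone simply powers them on."""
    now = datetime.strptime(as_of, "%Y-%m-%d")
    cutoff = now - timedelta(days=max_idle_days)
    found = []
    for vm in inventory:
        if vm["power"] != "off":
            continue
        last = datetime.strptime(vm["last_power_on"], "%Y-%m-%d")
        if last < cutoff:
            found.append((vm["name"], (now - last).days))
    return found


if __name__ == "__main__":
    print("in PCI cluster without pci tag:", scope_violations(INVENTORY))
    print("untagged migrations into scope:", untagged_moves_into_scope(MIGRATIONS, INVENTORY))
    print("dormant VMs (name, days idle):", dormant_vms(INVENTORY, "2011-04-22"))
```

<p>The useful part is the second check: inventory snapshots only tell you where a VM is now, whereas the migration log tells you that it crossed the boundary without anyone re-tagging it, which is the control the physical world gave you for free.</p>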
<p>For virtualization the principal issue for security is one of governance and compliance.   That is not to say that managing the risks around data is not important in the virtualized environment, it clearly is, however as we move more mission critical systems into virtualized data centres we apply controls such as DLP technologies and encryption that are common in the physical world for those systems.  What we have to add is the layer of controls over the virtualized environment to make it on par with the physical world.  At the same time we must not discount the challenges that customers face when trying to bring cloud, especially public cloud into their compliance environments as this is a real and growing pain point.</p>
<p>Whilst some of the companies we work with will try to blur the line between virtualization and the cloud, we will not.  For the former we must focus on how we create controls that give us equivalency to the physical world, and for the latter we need to allow people to protect their data no matter where it is.</p>
]]></content:encoded>
			<wfw:commentRss>http://seand.info/2011/04/the-cloud-and-virtualization-are-different/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How many times do you use a password in a day?</title>
		<link>http://seand.info/2011/04/how-many-times-do-you-use-a-password-in-a-day/</link>
		<comments>http://seand.info/2011/04/how-many-times-do-you-use-a-password-in-a-day/#comments</comments>
		<pubDate>Fri, 08 Apr 2011 22:47:58 +0000</pubDate>
		<dc:creator>SeanD</dc:creator>
				<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://seand.info/?p=216</guid>
		<description><![CDATA[I estimate that I enter a password, passphrase or PIN perhaps 50 times a day with my browser silently passing my password onto sites that I consider to be low risk many more times than that every day. Userid and password combinations are by far the most common forms of authentication we use on a [...]]]></description>
			<content:encoded><![CDATA[<p>I estimate that I enter a password, passphrase or PIN perhaps 50 times a day, with my browser silently passing my password on to sites that I consider to be low risk many more times than that every day. Userid and password combinations are by far the most common forms of authentication we use on a daily basis.  Most have a feature that massively increases their effectiveness, our ability to change them, yet how often do you exercise that ability?</p>
<p>I am pretty sure there are some people out there who wear little tin foil hats who change all their passwords once a day, and possibly some aluminium clad types who sit in a Faraday cage they have built in their basement who do it every hour.  However, if you are like the majority of people I quiz, it is very infrequently if ever. So when was the last time you changed your password on your email system or primary social media network?  Within the last month, this year, ever?  I am not judging you, but you probably need to do it more often. Frequency of change combined with password complexity provide you with protection, and these days we need all of the protection we can get.</p>
<p>I can hear the complaints already: &#8220;there are too many systems to remember all the passwords &#8230;&#8221; etc.  You do not have to have a separate password for every site; yes, it would be more secure, but it is not necessary.  In fact most people can get by having a handful of passwords that they use for different classes of site or application.</p>
<p><span id="more-216"></span>I have five classes of application and except for #5 which is reserved for things that need the extra security that a unique password provides I use one password for all of the sites and apps in the same class.  So at any one time I only need to remember four passwords.</p>
<p><strong>Class #1 &#8211; For things that really do not need a password</strong>.</p>
<p>Sites and applications that store no personal data and probably only ask for a password because someone re-used some code that needed a password, or thought they would cover off a few bases just in case they added functionality in the future that stored personal data.  This password I change every few years and it has very low complexity.  If I have not been to a site in more than a year I can always remember the previous ones; it is usually an amusing word with some character modifications (see below).</p>
<p><strong>Class #2 &#8211; For where the site or application stores some low sensitivity personal data</strong></p>
<p>The kind of information where if you spent 10 minutes in a search engine you could probably find it from public sources.  These include the sites that you need to register before they will grant you access to information.  I may have given them my postal address but not much more.  These I change every year and they follow a pattern, but a pattern with entropy.</p>
<p>One advantage of being brought up in the UK was my exposure to UK post codes.  These are not purely numeric strings as they are in the US but a combination of letters and numbers.  They have a two part structure: an outward code of letter(s) + digit(s) followed by an inward code of a digit + 2 letters.  There are some exceptions but the vast majority follow this pattern, and they are very granular, often covering fewer than 10 residential addresses or a single large business.  I also find them quite memorable and am able to associate them with a person or a business.  As a result they make the basis of excellent passwords. I often just pick one off a piece of correspondence. They are however only suitable for sites that have fairly low password complexity requirements as most are 6 or 7 characters long, so if a site requires a minimum of 8 characters you must append something to pad it out.  Sometimes, where this is a password I will need to share with someone, such as a WPA passphrase, I will prepend or append the name of the company or building, such as <em>rg26uhgreenpark</em> (the post code for our EMEA HQ and what we know it as).</p>
<p><strong>Class #3 &#8211; These are the sites and applications where personal data is stored including most retail sites.</strong></p>
<p>Here I use a password that I change every 4 months so I have 3 to remember a year.  I combine a word with a special character and another word. To help me remember them I use a common structure.  The first part is always an emotion or adjective and the second a noun. <em>pink:starFish</em> or <em>grumpy@cloud</em>.</p>
<p><strong>Class #4 &#8211; Reserved for sites and applications that store sensitive information, are associated with my work or where their compromise would cause me serious issues.</strong></p>
<p>They are also ones I visit frequently and always enter the password manually, so the repetition means I can use and learn relatively complex strings.  They get changed usually every 2 months, sometimes more frequently. I extend the structure used for Class #3 by adding another special character and one or two digits. As I travel a lot these are generated using the time offset from GMT of the place where I changed the password. So an example might be <em>sleepy*india+2</em>, where I had set the password late at night after an Indian meal in Munich in the summertime.</p>
<p><strong>Class #5 &#8211; These are not really used for access to sites but usually secure applications.</strong></p>
<p>These get changed frequently and are so complex I have to write them down and lock them away.  I use a passphrase generator of my own design to create these.  They consist of a long string of alpha numerics and special characters.</p>
<p>Just in case you are worried that I have just given away the formulas for most of my common passwords, and before you head off to crack my email etc., it is probably fair (and wise) that I tell you about a great little trick that adds enormously to password strength.  That is using your own little pad system to modify characters, such as always substituting a certain number for a certain letter and the use of capitals either for fixed positions or specific characters.</p>
<p>Take the class #4 example above and apply the rules that &#8220;e&#8221; is substituted by &#8220;3&#8221; and &#8220;a&#8221; by &#8220;@&#8221; (not ones I use, but both would be logical as a capital E looks like a mirror image of 3 and the @ symbol is the &#8220;at&#8221; symbol, so first letter).  The password is now <em>sl33py*indi@+2</em>.  I could even tell you the password and you would struggle to get it: &#8220;sleepy asterisk india plus two&#8221;.  It becomes even more complex if you compound it with a simple rule such as always replacing a vowel with a capital: <em>sl33py*IndI@+2</em>.  A plain dictionary lookup will not hit that one, although the mangling rules in password crackers do try these same substitutions, so the pad raises an attacker&#8217;s cost rather than putting the words out of reach.  My personal pad has been developed and refined over the years to the point that when I type a password I very naturally make the modifications without even thinking about them.  On the rare occasions I have to tell someone a password they usually see it as a near random string, whereas to me it is a collection of words, special characters and numbers that I can easily remember.</p>
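<p>An added example, my code rather than the author's own tooling: the Python below applies the pad described above (e to 3, a to @, any remaining vowel capitalised) and then enumerates every variant a rule-based cracker would try for the same base phrase, which is how you measure what the pad actually buys you. Treating each vowel independently and the five-letter vowel list are assumptions made for the example.</p>

```python
from itertools import product

# The illustrative pad from the post: leet substitutions for e and a, and
# capitalisation of vowels. Both tables are assumptions for this example.
LEET = {"e": "3", "a": "@"}
VOWELS = set("aeiou")


def apply_pad(base: str) -> str:
    """Apply the pad deterministically, the way the author types it:
    e->3 and a->@ first, then every vowel that is still a vowel is capitalised."""
    out = []
    for ch in base:
        if ch in LEET:
            out.append(LEET[ch])
        elif ch in VOWELS:
            out.append(ch.upper())
        else:
            out.append(ch)
    return "".join(out)


def candidates(base: str) -> list:
    """Every variant of `base` reachable under the pad, i.e. what a cracker's
    rule engine generates once it has the base phrase: each vowel may stay as
    is, be capitalised, or (for e and a) be leet-substituted, independently."""
    choices = []
    for ch in base:
        opts = {ch}
        if ch in VOWELS:
            opts.add(ch.upper())
        if ch in LEET:
            opts.add(LEET[ch])
        choices.append(sorted(opts))
    return ["".join(p) for p in product(*choices)]


def pad_work_factor(base: str) -> int:
    """How many guesses the pad adds on top of guessing the base phrase."""
    return len(candidates(base))


if __name__ == "__main__":
    base = "sleepy*india+2"
    padded = apply_pad(base)
    print(base, "->", padded)
    print("variants a rule engine must try:", pad_work_factor(base))
    print("padded form is among them:", padded in candidates(base))
```

<p>For <em>sleepy*india+2</em> the pad yields 108 variants, so an attacker who has guessed the base phrase and the kind of rule in use pays roughly a hundredfold, not an unbounded amount; the protection still rests on the words, separators and structure being hard to guess.</p>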
<p>Right time to go change some passwords!</p>
]]></content:encoded>
			<wfw:commentRss>http://seand.info/2011/04/how-many-times-do-you-use-a-password-in-a-day/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Digital goo</title>
		<link>http://seand.info/2011/02/digital-goo/</link>
		<comments>http://seand.info/2011/02/digital-goo/#comments</comments>
		<pubDate>Fri, 25 Feb 2011 20:22:56 +0000</pubDate>
		<dc:creator>SeanD</dc:creator>
				<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://seand.info/?p=206</guid>
		<description><![CDATA[For some time the opponents of nano technology and some forms of genetic engineering have bandied around the concept of grey goo. Clouds of microscopic life forms or structures that destroy or clog up the world. All very apocalyptic but I wonder if we are not on the verge of something similar happening in IT. [...]]]></description>
			<content:encoded><![CDATA[<p>For some time the opponents of nano technology and some forms of genetic engineering have bandied around the concept of grey goo. Clouds of microscopic life forms or structures that destroy or clog up the world.  All very apocalyptic, but I wonder if we are not on the verge of something similar happening in IT.</p>
<p>So hands up who has a password protected or encrypted file, directory or thumb drive, possibly even a hard disc, where they do not exactly know what is in it and are not sure what the password, passphrase or key to unlock or decrypt it is?  My hand is up and waving in the air, and I very much suspect I am not alone.</p>
<p>Most of mine are confidential office documents that I have been sent, where the password is possibly somewhere in my email. I also have a few encrypted archives for which I could probably find the password by deduction, and I have a thumb drive where I have no idea what the key is. With the files, the worst ones are where I cannot tell by the file name what it is, but because it is encrypted I know it is important, so I keep it, even if I do not have the key!  In effect I have just filled up part of my disk, and my backups, with useless digital noise: it is digital goo.</p>
<p>With encryption becoming a common feature in today&#8217;s information protection armoury I predict that, without the simultaneous introduction of key management, this situation will become increasingly common.  One of the first things anyone deploying any technology that encrypts or locks data in any way needs to consider is how they are going to manage the keys. How will key recovery work? Where is the key material in my environment? Can master keys be used to allow trusted processes such as backup and archiving solutions to understand the content and apply appropriate policies? All questions that need to be answered before you deploy the technology; otherwise do not blame me if in a few years time all of your systems are gummed up with digital goo.</p>
]]></content:encoded>
			<wfw:commentRss>http://seand.info/2011/02/digital-goo/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The RSA first and last timers game</title>
		<link>http://seand.info/2011/02/the-rsa-first-and-last-timers-game/</link>
		<comments>http://seand.info/2011/02/the-rsa-first-and-last-timers-game/#comments</comments>
		<pubDate>Fri, 18 Feb 2011 22:42:54 +0000</pubDate>
		<dc:creator>SeanD</dc:creator>
				<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://seand.info/?p=210</guid>
		<description><![CDATA[A little bit of fun.  At RSA 2011 I found the sign below outside the exhibition hall.  It lists all of the people who are exhibiting for the first time.  Of the product companies it is always interesting to see for how many this will be their first and last time at the show, well as an [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" title="RSA2011" src="http://www.securitycurve.com/wordpress/wp-content/uploads/2011/02/RSA2011.jpg" alt="" width="247" height="156" />A little bit of fun.  At RSA 2011 I found the sign below outside the exhibition hall.  It lists all of the people who are exhibiting for the first time.  Of the product companies it is always interesting to see for how many this will be their first and last time at the show, at least as an independent company.  Past experience tells us that a good number of these guys will have come to the show because they are hot, and if you are hot and small there is a good chance you will be on one of the big stands in the centre come RSA2012, wearing your new employer&#8217;s embroidered shirt.</p>
<p><a href="http://seand.info/wp-content/uploads/IMG00004-20110215-1158.jpg"><img class="size-medium wp-image-212 aligncenter" title="IMG00004-20110215-1158" src="http://seand.info/wp-content/uploads/IMG00004-20110215-1158-300x225.jpg" alt="" width="300" height="225" /></a></p>
<p>I promise to revisit this post next year.</p>
]]></content:encoded>
			<wfw:commentRss>http://seand.info/2011/02/the-rsa-first-and-last-timers-game/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The iPad is not an oversized iPhone that you cannot make calls on</title>
		<link>http://seand.info/2011/01/the-ipad-is-not-an-oversized-iphone-that-you-cannot-make-calls-on/</link>
		<comments>http://seand.info/2011/01/the-ipad-is-not-an-oversized-iphone-that-you-cannot-make-calls-on/#comments</comments>
		<pubDate>Thu, 06 Jan 2011 14:20:24 +0000</pubDate>
		<dc:creator>SeanD</dc:creator>
				<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://seand.info/?p=203</guid>
		<description><![CDATA[Firstly I see an increasingly large number of people using third party VoIP apps to make calls on them; it may not be as good an experience as the native iOS phone interface but it works.  So that just makes them oversized iPhones, right? No, there is something intrinsically different about the iPad, just look at [...]]]></description>
			<content:encoded><![CDATA[<p>Firstly I see an increasingly large number of people using third party VoIP apps to make calls on them; it may not be as good an experience as the native iOS phone interface but it works.  So that just makes them oversized iPhones, right?</p>
<p><img class="alignright size-medium wp-image-93" title="Apple-iPad-001" src="http://seand.info/wp-content/uploads/Apple-iPad-001-300x180.jpg" alt="" width="300" height="180" /></p>
<p>No, there is something intrinsically different about the iPad; just look at how people use them. The only physical difference, in terms of things that the iPad has and the iPhone does not, is screen real estate, yet I am seeing that change, in many cases fundamentally, the way the typical user uses the device. This week is CES, which is awash with tablet devices, and if you get the screen size and resolution right I think what is true for the iPad will be true for them.</p>
<p>So what does the bigger screen give you?  Well, obviously it gives you space, space where information can be visualised.  I have very good eyesight, and the technology in the display on the iPhone 4 is fantastic, but give me the same information scaled up on an iPad and it becomes much more accessible to me, especially as the UI is built around my stubby fingers.</p>
<p>Now the screen on an iPad is only a bit smaller than the screen on my workhorse laptop, a Lenovo X61, so it would be reasonable to assume that the kinds of information I access on both would be pretty much the same, and it is. Mail, web pages, office documents and presentations are all equally accessible on both.  The difference, with the exception of web pages, is where these things come from.  On my laptop most of it comes from the hard disk; on the iPad the majority comes from the cloud.  I even use applications on the iPad to render information that I would previously have accessed as HTML in new interactive formats, so to an extent, and I can only see it increasing, the way I access web pages has changed on the device too.</p>
<p>The iPad and the tablets that follow it are changing the IT industry, and this reliance on the cloud is a key factor in how it is doing it. Be they store and share repositories, thin information visualisation widgets and readers, or VDI clients, they have all been given a new lease of life by an iPhone with a bigger screen that does not make calls!</p>
]]></content:encoded>
			<wfw:commentRss>http://seand.info/2011/01/the-ipad-is-not-an-oversized-iphone-that-you-cannot-make-calls-on/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Enterprise Security &#8211; Candy or Nightclub?</title>
		<link>http://seand.info/2010/12/enterprise-security-candy-or-nightclub/</link>
		<comments>http://seand.info/2010/12/enterprise-security-candy-or-nightclub/#comments</comments>
		<pubDate>Mon, 20 Dec 2010 09:54:47 +0000</pubDate>
		<dc:creator>SeanD</dc:creator>
				<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://seand.info/?p=197</guid>
		<description><![CDATA[Often when discussing technical things we revert to using analogies.  An almost throw away one that is used for security in many enterprises is the soft centred candy, a hard outer shell that once you bite through it is soft on the inside. Use it and you get many knowing looks from your audience.  This is because [...]]]></description>
			<content:encoded><![CDATA[<p>Often when discussing technical things we revert to using analogies.  An almost throwaway one that is used for security in many enterprises is the soft centred candy: a hard outer shell that, once you bite through it, is soft on the inside. Use it and you get many knowing looks from your audience.  This is because a lot of investment and time has gone into creating a hard perimeter around an organisation, its data, people and infrastructure on the assumption that keeping the bad guys out was the answer, neglecting how easy things become once the bad guys get in or a good guy turns bad. However many organisations do care and treat parts of their soft centre differently, and for these I prefer the nightclub model, especially when discussing things like adaptive authentication.<span id="more-197"></span></p>
<p>For my model of a nightclub I imagine a private members&#8217; club within a public bar complex.  Anyone can come into the bar; on occasion they may be asked to prove their age, but typically they get access without having to give any information about themselves.  The bar staff will use some basic physical attributes to determine if they should be there: are they behaving reasonably, are they human, and are they not on the picture board of banned individuals.  In the security world most web sites or gateways do much the same, using physical attributes such as IP address and behaviours such as port scanning or crawling to limit access to only those that look like legitimate users.  The members&#8217; club within the bar has door staff who are going to want to see some ID, or will give you access based on some token you have, perhaps some kind of difficult to forge guest card.  Once inside the club you are free to roam all of the communal areas, but to get into the roped off areas you may need something else, and this is where this analogy becomes more powerful.</p>
<p>Imagine for one moment that you happen to find yourself on the network inside a large organisation. After you have looked for sensitive data that has spilled out from secure systems into public areas the next best place to go and look is the places that they do not want you to go.  It is often pretty easy to discover on a network where all interesting stuff probably is.  You look for the places where there is no guest access and normal user credentials do not work.  The roped off areas.  Just like in a club you may not know what is in there but you know that if you can get in you will find something of interest.  Penetrate this area and you are inside another hard shell.</p>
<p>I know of several clubs that have exactly this set up.  They sit within a complex that is open to the public, have door staff who check ID, have roped off areas where celebrities can be spotted, but they also have really secure private areas.  The entrances are not obvious, in fact you have to be met by someone to guide you there.  Physical security is strict.  Via the magic of one way glass and dimly lit balconies these areas are invisible from the main club.  I have worked with enterprises who have exactly this replicated in IT, dedicated infrastructure that cannot be accessed from within enterprises own network where the valuable IP or other information is stored.  It is why I like the nightclub analogy.</p>
<p>However like the 1970&#8242;s discotheques that many of todays uber clubs are based on this analogy is out of date, or at least will be very soon.  It is based on the premise that there is something physical that we are trying to protect.  However times have changed, we are now in the business of protecting information, and that information will legitimately need to move, so we need to add the concepts of content and context to our analogy.</p>
<p>I use the term content to describe what the information is.  Some content is public.  If we find a document that is also published on a organisations public web site it would be superfluous to secure it beyond making sure that the published version remains read only. If however it contains sensitive information be that derived from the content or the meta data associated with it we will need to treat it differently, and apply different rules to different types of content.</p>
<p>Context covers what is being done to information and that includes where it is.  A confidential document transiting through an email gateway or sitting on a USB key must be treated differently to when it is sat on a well protected server.  As the context changes the way we must treat the way the information is protected.</p>
<p>Of course there is interplay between content and context.  At one end of the spectrum we have public content, where context is on the whole irrelevant, and at the other our most secret information, where the valid contexts are very limited.  In between is where the complexity comes, and to date I have come up with no obvious analogies, so we must resort to real use cases until we find one. One I have been asked about several times is how the context of location and device type could be brought into play.  An executive is working on a sensitive business plan.  From their desk, using their laptop or desktop computer, they have full access to the document; if it is saved it will be encrypted.  When they go to a meeting they may also need access to it on their tablet device; this might be restricted to read only, and again any copy held on the device will need to be encrypted. However, even though it is stored in an encrypted format, the document should be inaccessible to the executive when, for example, they leave the office and are travelling on public transport, as someone may read it over their shoulder. It may become accessible once more in their study at home, but with any ability to copy or print it disabled.</p>
<p>Technically, none of this is difficult to do; the challenge will be finding something to replace the candy and the nightclub so we can talk about it.</p>
]]></content:encoded>
			<wfw:commentRss>http://seand.info/2010/12/enterprise-security-candy-or-nightclub/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Free two factor authentication for Paypal, eBay and others</title>
		<link>http://seand.info/2010/09/free-two-factor-authentication-for-paypal-ebay-and-others/</link>
		<comments>http://seand.info/2010/09/free-two-factor-authentication-for-paypal-ebay-and-others/#comments</comments>
		<pubDate>Wed, 22 Sep 2010 16:36:22 +0000</pubDate>
		<dc:creator>SeanD</dc:creator>
				<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://seand.info/?p=182</guid>
		<description><![CDATA[Do you use eBay or PayPal?  Ever wondered what happens when your account gets hacked? Credentials for both services are some of the most valuable “assets” available in the underground economy (we publish details in the Internet Security Threat Report ).  Yesterday I discovered that there is a free way using one of our recently [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_183" class="wp-caption alignleft" style="width: 165px"><a href="http://seand.info/wp-content/uploads/vip-bb.jpg"><img class="size-full wp-image-183" title="vip-bb" src="http://seand.info/wp-content/uploads/vip-bb.jpg" alt="" width="155" height="252" /></a><p class="wp-caption-text">VIP Access on a Blackberry</p></div>
<p>Do you use eBay or PayPal?  Ever wondered what happens when your account gets hacked? Credentials for both services are some of the most valuable “assets” available in the underground economy (<a href="http://www.symantec.com/business/theme.jsp?themeid=threatreport">we publish details in the Internet Security Threat Report</a>).  Yesterday I discovered that there is a free way, using one of our recently acquired technologies, to provide sophisticated but easy-to-use protection for them.</p>
<p>As part of our acquisition of VeriSign&#8217;s security business we acquired the software based One Time Pass-code solution called <a href="http://www.verisign.com/authentication/two-factor-authentication/vip-authentication/index.html">VeriSign Identity Protection (VIP)</a>. This includes a software client that runs on your smart phone (Blackberry, iPhone, HTC, Nokia, Palm, etc.) and turns it into a security token. Every 30 seconds your device generates a unique pass-code that websites, applications, VPNs etc. can use to provide a second factor of authentication in addition to your regular password/PIN.</p>
<div id="attachment_184" class="wp-caption alignright" style="width: 185px"><a href="http://seand.info/wp-content/uploads/vip-iphone.jpg"><img class="size-medium wp-image-184" title="vip-iphone" src="http://seand.info/wp-content/uploads/vip-iphone-175x300.jpg" alt="" width="175" height="300" /></a><p class="wp-caption-text">VIP Access on an iPhone</p></div>
<p>The B2C sites that use this include <a href="http://www.paypal.com/securitykey">PayPal</a> and <a href="http://www.ebay.com/securitykey">eBay</a>, but there are <a href="http://www.verisign.com/authentication/two-factor-authentication/vip-network-members/index.html">many more</a>, although most are US based.  To get VIP onto your <a href="https://vipmobile.verisign.com/enterblackberryphonenumber.v">Blackberry go here</a>, fill out your number, and a download URL and instructions will be sent by text.  If you have an iPhone you will find the free app in the <a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewSoftware?id=307658513&amp;mt=8">iTunes Store here</a>. For other devices refer to <a href="https://vipmobile.verisign.com/home.v">this page</a>, or for most devices, including Blackberry, you can go directly on your device to m.verisign.com.</p>
<p>Once you have downloaded your VIP client you will need to register it with PayPal and eBay or the other services that use it.  This takes just over 30 seconds as you have to enter two consecutive pass-codes.</p>
<p>Of course exactly the same technology, leveraging the smart-phone based client and cloud based authentication, can be used by businesses to provide B2B or B2E two-factor authentication for remote access, CRM and line of business applications.</p>
]]></content:encoded>
			<wfw:commentRss>http://seand.info/2010/09/free-two-factor-authentication-for-paypal-ebay-and-others/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Wave Goodbye</title>
		<link>http://seand.info/2010/08/wave-goodbye/</link>
		<comments>http://seand.info/2010/08/wave-goodbye/#comments</comments>
		<pubDate>Thu, 05 Aug 2010 19:35:40 +0000</pubDate>
		<dc:creator>SeanD</dc:creator>
				<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://seand.info/?p=161</guid>
		<description><![CDATA[In a rather downbeat post Urs Hölzle has announced what is effectively the end of Google Wave. He notes that the core technology will be used elsewhere and that the Wave site will remain active for the time being but due to the low adoption what was once an exciting technology is now no more.  [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright" src="http://walternaeslund.com/wp-content/uploads/2009/11/google_wave_logo.jpg" alt="" width="216" height="173" />In a rather downbeat <a href="http://googleblog.blogspot.com/2010/08/update-on-google-wave.html" target="_blank">post</a> Urs Hölzle has announced what is effectively the end of Google Wave.  He notes that the core technology will be used elsewhere and that the Wave site will remain active for the time being, but due to the low adoption what was once an exciting technology is now no more.  Is this really surprising?  Do not get me wrong, I am, or is that was, a Wave fan.  It pushed the bounds of what is possible in a browser, introduced new concepts for on-line collaboration and in a very geeky way was cool.  Wave could be a great collaboration tool, and I could see many use cases, especially if extended to not just text but drawing. However, all of those use cases rely on one thing that was always missing from Wave: a means to communicate as well as collaborate. This became the fatal flaw.</p>
<p>To collaborate using any form of media you must first be able to communicate.  Watch a team working around a whiteboard: unless all of the participants are mute they will talk about what they are adding or changing.  It is what you do to help sell your contribution.  Wave relied on the users setting this verbal communications channel up themselves; it needed to be right there in the app, every Wave hosting its own real time voice conference.  So when Google get into that market hopefully they will dust Wave off and give it another try.</p>
]]></content:encoded>
			<wfw:commentRss>http://seand.info/2010/08/wave-goodbye/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>87mph backwards into armco</title>
		<link>http://seand.info/2010/08/87mph-backwards-into-armco-2/</link>
		<comments>http://seand.info/2010/08/87mph-backwards-into-armco-2/#comments</comments>
		<pubDate>Tue, 03 Aug 2010 22:17:51 +0000</pubDate>
		<dc:creator>SeanD</dc:creator>
				<category><![CDATA[Cars]]></category>
		<category><![CDATA[The Rest]]></category>

		<guid isPermaLink="false">http://seand.info/?p=153</guid>
		<description><![CDATA[Someone just sent me a picture showing me doing what I love doing best &#8211; 87 mph backwards across a gravel trap!  It was from the MSV TDT race this weekend at Mallory Park.  I fell off following an overtaking manoeuvre on a back marker that went a little wrong coming out of Gerrards.  Luckily [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://seand.info/wp-content/uploads/imagegen41.jpeg"><img class="alignleft size-medium wp-image-148" title="imagegen4" src="http://seand.info/wp-content/uploads/imagegen41-300x200.jpg" alt="" width="300" height="200" /></a>Someone just sent me a picture showing me doing what I love doing best &#8211; 87 mph backwards across a gravel trap!  It was from the MSV TDT race this weekend at Mallory Park.  I fell off following an overtaking manoeuvre on a back marker that went a little wrong coming out of Gerrards.  Luckily very little damage was done to the car and I only lost 12 seconds in the incident.  The in-car video tells the full story.</p>
<p><object width="638" height="372"><param name="movie" value="http://www.youtube.com/v/_vyzfhDQY44&amp;hl=en_GB&amp;fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/_vyzfhDQY44&amp;hl=en_GB&amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="638" height="372"></embed></object></p>
]]></content:encoded>
			<wfw:commentRss>http://seand.info/2010/08/87mph-backwards-into-armco-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

