I think that it might be a novel approach to build a flat cloud security control model centered around consumers (stakeholders, users and developers) of business applications software and the performance of the cloud services that they consume. This might be a more productive and relevant control model than the current complex, multiple layer, …
A risk assessment of a business always starts with data collection. The end objective is identifying and then implementing a corrective action plan that will improve data security in a cost-effective way, that is the right fit for the business. The question in any risk assessment is how do you get from point A (current …
Seems like ages since I last blogged. Got my head down on a few data security and compliance projects and the raw material is piling up. Today is Israel Memorial Day and the JP Big Band appeared last night in the Modiin Cultural Center with an evening of 23 Israeli classics arranged for large jazz …
One of the biggest problems facing organizations is lack of rigorous definitions for trusted insider threats, data loss and how to estimate potential damage from a data loss event. With a lack of rigorous definitions for data loss and trusted insider threats, it’s hard to benchmark with other companies and difficult to select a good …
I submit that a “no tickee, no washee” strategy might improve US Federal data security. An article published in the Federal Times states that cyber attacks on Federal networks are up 40% from last year according to a report compiled by the OMB (Office of Management and Budget) that is based on numbers reported by the …
A pitch from Alex Whitson from SC TV for a Webinar on the LinkedIn Information Security Community piqued my attention with the following teaser: As you may have read recently, Cybercrime is now costing the UK $43.5 billion and around $1 trillion globally. Sponsored by security and compliance auditing vendor nCircle, the Webinar pitch didn’t cite any sources for the …
3GPP Long Term Evolution (LTE) is the latest standard in the mobile network technology tree that produced the GSM/EDGE and UMTS/HSPA network technologies. It is a project of the 3rd Generation Partnership Project (3GPP), operating under a name trademarked by one of the associations within the partnership, the European Telecommunications Standards Institute. The question is, what will be …
Information security management in the cloud: on sense and sensibility. Data governance is a necessary requirement for protecting data when moving to cloud computing. Setting a data governance policy is of particular importance in the cloud computing work model, which is based on delivering services paid for per unit of consumption, in contrast to the traditional information systems model, which is based on installing, integrating and operating products. Along with the supply …
Vulnerabilities in rich Web 2.0 applications are definitely a problem when you start deploying more of your business to the cloud. Here is a good article from a Norwegian developer and security researcher – Erlend Oftedal on exploiting crossdomain.xml and clientaccesspolicy.xml in RIAs (rich internet applications). Unrestricted crossdomain.xml and clientaccesspolicy.xml files can be abused by …
ISO 27001 certifications are growing rapidly because of compliance regulation and increased awareness of information security risk. The ISO organization recently (October 2010) took measures to make ISO more accessible by “providing practical advice for small and medium-sized enterprises (SMEs) on how to achieve the benefits of implementing an information security management system (ISMS) …