Author Archives: erinkbanks

Policies Are (some) Man’s Best Friend

I recently got into a discussion (not an argument… a discussion) with a fellow electrical engineer. We were discussing the impact of Steve Jobs and his recent passing. To be completely honest, I am a true Apple believer through and through. To the 6 iPods, 3 Mac laptops, iPad, iPhone, AirPort, and my personal favorite, Apple TV that I own… wait, let’s not forget the Apple stock… I believe in Apple but most importantly, I trust them. If you look at a couple of blog posts back, you will see my triangle of trust. Part of that triangle is TRUST… another part is POLICY. Apple has policies. In order to get an application into their App Store, you need to meet their policies. I love the fact that because I purchase items from the App Store my risk level is reduced. Not just any app can go into the store. Clearly I do not jailbreak my iPhone; I find no reason to. Why? I use my phone for personal use (and a BlackBerry for work), I don’t need an unstable, insecure environment, and I don’t need to put myself at any more risk.

You see, my fellow EE wanted to submit some apps and he was upset because his apps didn’t meet Apple’s policies. He didn’t like this fact at all but he seemed to forget who he was writing the app for. As I tried to explain to him, not everyone that accesses the App Store is an EE. This is a smart phone but that doesn’t necessarily mean that everyone that uses it is smart. Policies are in place to protect those that don’t quite understand the ramifications of their actions. The policy for password configuration is there so that people don’t use “password” for their password. When people use this word, they clearly are not thinking about security. So what do we have to do? Put a policy in place that says you must use special characters, capitals, etc. At least make it harder to get hacked and make it “P@$$w0rd”… let’s make them work for it. If you don’t have policies like this, people will do anything. This isn’t just needed for security; we have policies for everything, both for personal and authoritative reasons. Policies such as locking the door at night, turning the alarm on, turning the lights off when you leave the room, wearing a helmet when I snowboard, speed limits, wearing seat belts, or wearing a helmet when I ride a motorcycle. Policies are everywhere and they create stability, so why would you not use them in your data center and your corporate environments? The kids need to be home by 11:00 pm, so why wouldn’t you ensure virtual machines are deleted?

It would be great if we lived in a world where policies did not need to be implemented. I would love that, and I am not saying that we need to have rules for everything. I understand his frustration and I understand this is why he does not have an iPhone, but if you forget who your audience is, if you forget the level of security knowledge that is out there, then maybe your app should not be available in the store. I am not saying that the App Store is perfect and that all apps are 100% safe, but when I am still explaining to my nephews and nieces about the information they are posting on Facebook and YouTube, then I will take the policies. It gives us all one less thing to worry about… I will take that any day.


EMC and RSA… Enabling Virtual Administrators

Every day as I work with virtualization and the components that surround it, I am reminded why I love working at EMC and RSA. Yes, I have the privilege to work with the mother ship, EMC, as well as the security division, RSA, because both virtualization and security are my passion. One of the many reasons why I feel that EMC and RSA are the correct choices when developing your virtual environment is because EVERY… and I mean EVERY product manager of the EMC and RSA products tells me that their role is to “enable the virtual administrators”. Every product that EMC and RSA rolls out their doors has two things in mind at the core, security and virtualization. EMC and RSA build their products with security at step one. As a person who preaches about security, how can I not love the fact that the company that I work for chooses to build security into the fabric of their products? More importantly, how can I not love the fact that the products are being developed specifically with the virtual administrator in mind?

Simplification of the technology is the easiest way to ensure adoption. Outside of that, the users are just looking for excuses. If you simplify the technology, why wouldn’t someone implement the capabilities? If you break down the silos and give users the things they need to get their job done, why wouldn’t you implement the capabilities? If you enable the virtual administrators, why wouldn’t you implement the technologies that are there to simplify and break down your daily tasks? Are these not the tools that we have been asking for… the tools that we needed?

This blog post isn’t to go through the entire list of integration points or to cover the capabilities; this blog post is to clearly state the obvious… (my stake in the ground)… when you think virtualization you must think EMC and RSA. I have discussions with customers daily about their frustrations with wanting to move further down their journey to a virtual data center. Customers want to be enabled and I am here to tell you that EMC and RSA understand that. We understand the pains mainly because we are our own best and worst customer, but built into us, built into our culture, is virtualization and simplification. We work with these technologies daily just like you and we beg to have the capabilities that make sense. All our solutions, across the board, from the management suite, to backup, to recovery, to storage, to security, are on the journey with you to the virtual data center.


The Security Landscape is Changing

I was recently reading the document created by RSA, “When Advanced Persistent Threats Go Mainstream”. It talks about the changing landscape of security, specifically regarding Advanced Persistent Threats (APTs) and how it once again has made us rethink security. Now, I am completely fine with rethinking security. I love the fact that security is constantly moving, I like to be kept on my toes, but what I found most nerve-wracking is that it seems the new landscape means that we need to wave the white flag. Are we at the point that we have “given up” on security and we now want to focus on realizing the level of acceptance? Ok, so I may be exaggerating a little bit, but what this paper identifies is that everyone is susceptible to being attacked. The target is constantly moving and yet everyone is the target. Attackers take pieces from individual entities and put them all together in order to get the full puzzle. Does admitting defeat define companies now? Does admitting you are susceptible along with hundreds of other companies make it “cool”? When it comes down to it, there are two types of companies, those that have been hacked and those that admit they have been hacked.

It appears that we are changing this landscape specifically because of the end users and their realization of security. I get annoyed when I hear others talk about the fact that security is hindering their day to day life either at work or at home. Clearly people are not getting the message. Even though their personal accounts might have been violated through other breaches such as Sony, Nintendo, and Gameloft, people are not asking for more security…. they are asking for less. Taking how the end users look at their security helps define the security policies and plans, but does this new landscape change anything pertaining to the end users? I know that we cannot shut down all access but I feel like we need to use the tools we have to prevent such situations. For instance, using virtual machines for individual internet surfing sessions or using virtual machines to open attachments and scan them could be ways to reduce risk as well. We have some of the tools and we need to continue to grow our capabilities, but I am not sure I am ready to wave that white flag. The fighting will make us stronger and make us smarter; we can’t back down on this challenge.


You Want Security? Google Your Name

Wow… this one scared me!!! I recently received a call from a friend in the past… the far far past. I had not spoken to this person in over 15 years so to hear their voice on my home answering machine scared me. It scared me not because this was a voice from the past but because I did not know how he got my house phone number…. how did he get it? Seriously, anyone we had in common would not have my home phone number so they did not give it to him. What is going on here… I started getting paranoid. So what was left but to google myself. First off, as much as this blog post is about knowing what is out there regarding you… googling yourself is a scary activity. I found some crazy things out there and some crazy people that have my name. Don’t forget to click that “images” option. I giggle thinking about it as I write this post.
Anyway… googling yourself is important to understand what others can know about you. I constantly stress that security will always come down to the individual, come down to you. If you don’t know what others know, how can you protect yourself, your life, your job, your career? For instance, the website www.spokeo.com had way too much information out there about me. It “blocked” out some information. For instance, it XXXX’d out the last four digits of my home phone number, but if you paid for the service, you got everything (we have a winner!!!!). This site had a lot more information about me, to the point that I felt that I needed to remove myself from the site. Sometimes I wonder if I should pay the fee to see what else you get but I just refuse to give them my money… then again, I should know what they have. They do allow you to remove yourself from the website (go to the privacy section) but it is not permanent and you have to keep going back to see if you reappeared.
My point: you must be vigilant and protect yourself. As we have seen, protecting yourself is not just about protecting your credit card information; protecting yourself comes down to so much more. What if you are the one that opens the attachment or clicks the link that lets in the bad guys… nobody wants to be that person. Say you get a personalized email or phone call and you think that there is no way someone would know about the information; you are more than likely… wrong. Think about it, they know where you work, where you went to school, where you live… they can call you up and say they are from the alumni organization and they want to get some additional information from you for their records. They know it, they know about you, you just didn’t know it. They are getting smarter and therefore you must be smarter. I know that it isn’t a solution but it is a start and that is all I am looking for. I know that Spokeo pulls the information from other sources but I have to fight what I can. Realizing this information is out there (whether you choose to remove yourself or not) will only require you to think a little bit differently about security. I know we all like to think that we are all safe and sound in our internet bubble (well, my mom does). I wish that were the case, but it isn’t and, not to scare you, it is only getting worse. Take care of yourself and take care of your public information.
I thank websites like the ones mentioned for providing me great context during my conversations and for helping me prove my points. Without you, my friends from the past would not be my friends of the present (then again, I thought that is what Facebook was for).

ps… while we are on the topic of Google… if you have a Gmail account and you aren’t using Google Authenticator… you are crazy.


Why Virtual Desktops are the BEST Thing in the World

I have been dying to write this blog for months because every conversation that I have with customers includes asking them if they are planning on implementing virtual desktops. The discussion does not need to be focused on security for me to ask this question either. The customer may want to talk about virtualization and I bring up virtual desktops because I feel that it will benefit their organization. I cannot tell you how many times I see new employees join a company and they do not have a laptop available for them the first day. It ends up being days until they can get their hands on a system. If the time gets too long, they have to find a loaner system that is incredibly out of date and slow. This puts such a bad taste in the new employee’s mouth. I am sure they are really happy about taking that job. Now imagine the employee gets to bring in whatever system THEY want, including their own personal computer or tablet, and they can connect into a corporate virtual desktop that is up to date with all the appropriate enterprise and security software. The system is available immediately, there is no time wasted and the employee gets to use what they want. Now the employee is excited they took this role. They don’t have to worry about some clunky and heavy system that they need to be dragging around. You can eventually give them a corporate laptop if you wish, based on what the new employee wants, but no worries because their virtual desktop is still available and immediately accessible from the new system. No downtime for anyone.
Now let’s add some security into the discussion… an employee acquires a virus on their corporate laptop because they are using it for personal access. This virus requires a complete rebuild of the system. This employee is a remote employee and needs to send the system in to the corporate IT organization, wait for the IT department to fix the system and then ship it back to their location. This could take days… possibly more than a week. That is a long time to not have an employee working. Imagine a world where the employee could access their virtual desktop from a secondary device like their personal system or tablet. Let’s take the security discussion further and identify the general advantages it provides, such as all the data staying in the data center, the ability to implement additional authentication capabilities like RSA SecurID, and the data loss prevention capabilities. I personally love this last one the best. As an employee, I can launch my virtual desktop from my personal system and the information stays within the virtual desktop because I cannot copy it to my personal system. Even better, say that the RSA Data Loss Prevention system is implemented and I am working a couple of programs for separate customers. They do not want the information co-mingled or to even move to the underlying system; RSA DLP can stop this. When the program is over my access is removed and the customers’ data stays with them (they keep the IP). No worries by the customer about what I am doing with the information because I no longer have access to the desktop and the information is not on any other system.
There are so many advantages for companies, organizations, or programs when implementing virtual desktops. I understand that there are challenges to starting this process. It may not be something that you implement immediately. Maybe you need to wait until the users’ systems need to be refreshed. There are many reasons why you need to hold off but that does not mean you should not be having the discussion. For instance, say you want to implement a data loss prevention system within your company. You know you will eventually go to virtual desktops; does the vendor’s solution work with virtual desktops, and which virtual desktop? Does your two factor authentication solution work with your virtual desktop solution? This is a process and I highly recommend you start off small. Get the users used to the new system and find the right users for the beta program. Not everyone needs a virtual desktop, some will need many… either way, it is a discussion you should… no, I take that back… MUST be having for the sake of security as well as the sake of your business.


vShield App with Data Security … my favorite part of vSphere 5

Today was a big day in VMware land. Paul Maritz and Steve Herrod announced the release of vSphere 5. There are a multitude of capabilities and features that are just too many for me to list… but then again, maybe it is because I am only really excited about one… the vShield App with Data Security embedded with RSA DLP. I am sure you don’t have to ask; I mean finally we have incorporated data loss prevention capabilities directly into a virtualization solution. Finally we are simplifying security for the customers… finally we are providing out of the box capabilities to the administrators, whether they are responsible for the infrastructure or the security of the infrastructure. I have said many times that the solutions are there but the customers are just struggling to discover them and use them. How amazing will it be when I get to talk to customers and get to show them what they can do without having to discover anything BUT the data.

The vShield App with Data Security has the ability to (OUT OF THE BOX) discover and classify PCI, PII, and PHI sensitive data in your virtual machines. The RSA DLP product suite has the knowledge needed to provide OUT OF THE BOX capabilities to accurately discover what you are looking for. There is no need to create policies for credit card data, social security numbers, driver’s license numbers (and many more)… it is already in there. This is the information you want to look for. You want to ensure that you are complying with the security policies that your company has developed and those that they have to follow. Now imagine that you can bring up reports that identify what policies are violated and what files created this violation. Imagine that you can receive syslog messages and then compare them to the other activity that is occurring within your network.
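As an added illustration (not RSA’s or VMware’s code), here is a minimal classifier of the kind the post describes: it discovers credit card numbers (PCI) and U.S. social security numbers (PII) in file content and validates each candidate before reporting it, so random digit runs are not flagged. The policy names, the validation rules and the sample file content are assumptions constructed for this example.

```python
"""Constructed example of out-of-the-box style PCI/PII discovery over file
content, in the spirit of the post's vShield App with Data Security
description. Not product code; patterns and policy names are assumptions."""
import re
from dataclasses import dataclass

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
_CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# U.S. SSN in the usual AAA-GG-SSSS layout.
_SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


@dataclass(frozen=True)
class Finding:
    policy: str      # constructed policy name, e.g. "PCI-CardNumber"
    line_no: int     # 1-based line in the scanned content
    masked: str      # value with everything but the last four characters masked


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most typos and random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject layouts the SSA never issues (area 000, 666, 900-999; zero group/serial)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def mask(value: str) -> str:
    """Keep only the last four characters so reports do not re-leak the data."""
    return "*" * (len(value) - 4) + value[-4:]


def classify(content: str) -> list[Finding]:
    """Return one Finding per validated sensitive value, in document order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(content.splitlines(), start=1):
        for m in _CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding("PCI-CardNumber", line_no, mask(digits)))
        for m in _SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append(Finding("PII-SSN", line_no, mask(m.group(0))))
    return findings


# Constructed sample: the contents of a CSV found inside a VM disk.
# Line 2 holds a Luhn-valid test card number and a plausible SSN; line 3 holds
# a card number that fails Luhn and an SSN with an unissued area number; line 4
# is a 13-digit order id that must not be reported.
SAMPLE = """customer,card,ssn
alice,4111 1111 1111 1111,123-45-6789
bob,4111 1111 1111 1112,000-12-3456
order-id 1234567890123 (not a card)
"""

if __name__ == "__main__":
    for f in classify(SAMPLE):
        print(f"{f.policy}: line {f.line_no} value {f.masked}")
```

Only the two values on line 2 are reported; the report shows masked values so the classifier output itself does not become a second copy of the sensitive data.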

It is a start… the future opportunities are endless. My hope is that when the customers get familiar and comfortable with the RSA DLP capability available within the vShield App with Data Security, they will expand on it. They will incorporate all the RSA DLP solutions. The technology that RSA DLP has available to assist users in determining sensitive data on endpoints, in data centers, and in motion is invaluable. RSA literally has teams that specialize in linguistics, information sciences, and regulations. They have taken away the difficulty associated with wondering how you actually define the information you are looking for.

I do not have to provide you with the multiple examples of data that have gotten into the wrong hands. With this new capability the excuses are not going to be able to stick. Users can start off “small”, getting comfortable with the idea of discovering and classifying data in their virtual machines, and build up to discovering even more data in more areas. Eventually… no data will be able to hide or escape any secure infrastructure.

If you are looking for additional information, please review the press release from RSA and VMware.


Are you putting your security at risk?

With so much news right now regarding security, laws, and breaches, my security discussions have increased. Maybe “discussions” isn’t the correct word because although I want to talk about it, they just want to make statements. They want to state what they have heard but don’t really want to talk about any of it. This worries me because if you are not having the discussion, then you may be putting your security at risk. Now you may be thinking that they may not be talking to me because this is security and part of being secure is being secretive, but that is not the case here.
For those that have chosen to answer the question, “why did you make that decision”, most answers are “I am not sure”… seriously?… You aren’t sure? How can that be? This is your job, right? And yet you can’t tell me why you chose that product? It reminds me of the arguments I get in with TSA agents regarding the two bag limit for carry-ons. First off, females are always down one bag because most of us carry a purse. Second, if you are going to ask me to consolidate, you must realize that when I get past security, I just unconsolidate. I have not reduced space at all. I still have not received a single explanation for this rule. No one knows the problem that TSA is trying to solve. I digress… the fact is if you don’t know what you are fighting or what you are fighting for, the battle becomes harder. If you don’t know why you picked that product or implemented that solution, you certainly can’t fight your battle correctly.
If you react and only make claims based on what you see on the TV, read on the web, or read in the papers, you aren’t getting the whole truth and you more than likely are not making the correct decision. If you pull out one solution and implement another one, this does not mean you are any safer. This isn’t how security works. Security requires you to spend time thinking about the known and unknown problems and the best ways to tackle them. It means picking the product, software, education, configuration and policy changes that solve the known and unknown problems. It means being proactive and not reactive. Ripping out one vendor for another vendor or changing the technology altogether will not make you secure. If anything, you may be putting your security at risk. There isn’t one product that will solve everything; there isn’t one answer. It is a journey and a discovery and you need to put time into it. Security is not solved or fixed with the flick of a switch. There are layers to it. I understand that it is difficult, the unknown is scary and there are no guarantees, but if you don’t know why you made the decision, you will never be secure. You need to stop putting your security at risk.


Is Security Easy?

As I have discussions with the customers I meet and talk to on a regular basis, I constantly yearn to understand the challenges they are facing. What is stopping them from moving forward and implementing the security tools that are available to them? Why purchase that SIEM only to put it on the shelf? Sure, you need to use the money, but why would you not use it after you bought it? You know the response that I keep getting… (it rips my heart apart)… “It Is Difficult”… wait.. what did you say? I just showed you how RSA enVision has reports available out of the box, I informed you of the fact that we use no agents, I just pointed out all the VMware messages that RSA enVision can correlate… OUT OF THE BOX. Doesn’t “out of the box” mean simple?
As I was busy worrying about the products, they were busy worrying about all that stuff that happens before you put the product in place. What am I actually looking for? What do I need to look for in the future? How do I know what I need to do when I don’t actually know what to do? What policies… what compliance… where do I begin to start? I get it… I get the pain. People think that security is like a big jigsaw puzzle. You open the cover and look at the thousands of pieces and you have no idea where to start. It becomes overwhelming and sometimes you just want to put the cover back on the box. You leave the box sitting there and tell yourself you will get back to it, and it just keeps sitting there…
My concern is that without starting the jigsaw puzzle you will be missing more than the finished product. You have to understand, security is a piece in the jigsaw puzzle, not the puzzle itself. It has the correct place in the bigger picture and once you put it in place, the others can easily link up around it. I understand that it is tough to find the piece, but once you do, you will see why you needed it and why without it, you will never have a complete solution. You are lost until you have the piece.
Of course there are many companies out there that provide the consulting services to help you find the piece. You see, it is their job to find the piece and help you finish your puzzle. No matter how you start, you cannot be afraid of security. It may be difficult in the beginning, but everything that you don’t know is difficult in the beginning. That should never stop an organization from implementing solutions that are built to be easy. I understand that it isn’t the products that are difficult; it is taking the first step into the security puzzle piece that is difficult. So let me recap… security in itself is a puzzle piece in a very large jigsaw puzzle. Putting the puzzle together can be difficult, but it isn’t the security piece itself that makes it difficult. The security puzzle piece is essential in the grand scheme of things. Without it, the puzzle can never be complete. Don’t be afraid of it; it can be done and must be. Don’t be afraid of the box… open it… look inside… take a deep breath and start it. Don’t wait until someone throws the box away or until someone opens your box for you and starts taking your pieces.


ISSA Boise Meeting – Recap

I covered for my fellow vSpecialist Jim Brigham (@i2speakgeek) at the Boise, Idaho ISSA Meeting. The partner Cerium Networks asked RSA to speak at the event. I of course spoke about “Securing the Cloud”… I mean really, what else am I going to talk about? The slides that I presented are below. Before the presentation, I spoke to some great attendees about the cloud and the struggles and how some people just don’t get it and never will. I wish I could give one-on-one attention to everyone, pushing the fact that this is the movement of IT and eventually you will need to make the changes. Of course there are exceptions, of course there are organizations that will never touch the cloud. I can’t think of what type of company this would be. I mean even my sister’s company backs up her systems to a cloud provider and she uses an email service. She is a one person company; she can’t afford to manage her IT systems. She works with numbers and not IT. Isn’t that one of the greatest advantages of the cloud? The fact that it services companies at all levels. Whether it is a company of one or a company of the largest size, the cloud provides something to them that they could never provide on their own or wouldn’t want to. I remember a sad time before the cloud, when companies were actually limited to local resources who knew only certain tools and you were stuck with them.
Anyway, the presentation and conversations went very well and I met some amazing people and got to talk about my favorite subjects. I did not get to catch many of the other discussions and the questions that came up. My specific presentation brought questions about the RSA Archer and VMware vShield technologies. The best statement that I got at the end of the discussion was… “thank you, you make it seem so easy”… I said that it isn’t easy if it isn’t implemented correctly, planned correctly, and managed correctly, but any time that I can take the fear out of security, I will accept that high compliment… thank you!!!


RSA Labs at EMC World 2011

I spent last week in North Carolina working on the EMC vSpecialist Hands-On Labs for EMC World… the infamous vSpecialist vLabs. On the week of May 9th, 2011 in Las Vegas we will be providing a 200 seat lab for EMC World attendees. The hands-on labs are available for the following EMC products:

  • RSA Archer, RSA enVision
  • Atmos, IONIX UIM
  • VMAX, VPLEX, Avamar
  • Isilon, VNX, VNXe, VSI Plug-in
  • Greenplum, RecoverPoint, VAAI

You will be able to sign up for a lab session of your choice by simply entering your details into a console which will be situated outside the entrance of the vLabs. When there is an available seat you will see your name on one of two large plasma screens also outside the front of the vLabs room. You will then be escorted to your lab seat by a vSpecialist where you can then start your chosen lab. It is as simple as that.
All of these labs (with the exception of the VMAX lab) will be run out of the EMC Cloud based in North Carolina. When I was in North Carolina, Jase McCarty and I racked and built out plan “b” for the labs. You can see more information regarding this at www.jasemccarty.com. These racks are also going to be used for VMUGs and other lab events so that we can continue to take full advantage of all the work that has been put into it. It has been a great experience and I feel so lucky to be a part of it. I hope that participants enjoy the lab as much as I do and I look forward to getting input specifically around the Archer and enVision labs. We really wanted to showcase the capabilities that the RSA products bring to the virtual world. We know how great the products are with regard to the physical world, but I worry that a lot of people do not understand their capabilities in the virtual… but I am working on it!! The RSA enVision lab will allow you to get your hands on the Event Explorer tool used with enVision. The use cases in this lab are VMware based. The RSA Archer lab will walk you through the Cloud Security and Compliance solution, also VMware based. See my previous blog on the Archer solution based on the VMware hardening guidelines.

