Getting a Grip on Human-generated Data

How many work-related documents, images, and videos do you interact with on a daily basis? Before you answer, include the number of e-mails you send and receive. Tens? Hundreds? Maybe thousands? And that’s just you. Imagine if you’re part of a huge organization with thousands of employees. The number grows exponentially. Now imagine you’re an IT admin who is supposed to be monitoring all of that. Scary, right? Do the right people have access to the right files? Has an owner of the data been identified? Who is accessing which files? How long has it been since a file was last accessed? Are any of the files sensitive? Are the sensitive files exposed to the wrong people? If you answered “I don’t know” to any of those questions, you could be setting yourself up for a major headache down the road.

Topics: Data Protection Information and Risk Management Security and Privacy data governance

Big Data and Security at RSAC

So, what’s a data guy doing at a security conference? Three things come to mind:

  1. Security is increasingly about using massive volumes of disparate data to model user or application access to sensitive info, then identify and investigate anomalous behavior.
  2. The concept of an enterprise data hub or data lake is particularly appealing to attackers (external or internal) as it concentrates valuable info in one place.
  3. Big data often starts as an experiment and the security and governance models are still relatively immature, compounded by rapid innovation and updates.

Most people I met at the show were talking about the first topic. The traditional security vendors are eager to paint themselves as “next gen” with big data analytics to find the subtle patterns that may indicate a problem. Frankly, they use the concept extremely loosely, with one claiming just counting applications and devices into the hundreds was a big data approach. The combination of machine learning and advanced analytics on many data sources to find the baseline, the context, and the worrisome exception is pretty solid though, particularly when built on Hadoop or NoSQL databases to handle the load. The major variation in theme was only what layer of infrastructure they targeted: network and applications being the most popular.

A few were starting to think about the security of a big data repository. Who should have access, how that should be controlled, how it could be masked or tokenized, and the like. This hits an important gap in the market, as the rush to bring out the fastest model user friendly big data and analytics tools hasn’t necessarily thought about the enterprise implications and requirements. I expect to see this changing as big data moves into widespread production, and IT operations teams think beyond the data science analysts to evaluate the inherent risks like data protection and security. By the way, saying it’s a test-bed or sandbox doesn’t mean the data is any less sensitive.

Last, the sheer pace of innovation, the number of new connections, and the rate of updates both proprietary and open source will make it even harder to ensure the big data environments are secure. With components ranging from storage to servers to databases to analytics to applications… and each of these pushing out new code monthly, someone needs to figure out the challenge of building and maintaining a secure technology stack.

More to come, but nice to see the market taking notice of the impacts of big data on security and security on big data.

Topics: Analytics Big Data Data Management & Analytics Enterprise Software Security and Privacy Security RSA

What's New in Data Protection from the Cube at IBM Pulse 2014

While at IBM Pulse 2014, I was invited to sit in at ‘the Cube’ to talk about what’s new in Data Protection.

Topics: IBM Data Protection Information and Risk Management Jason Buffington

137 Cents a Day Keeps the Cybercriminals Away

$2.79. Thats how much I spend every morning for my large iced coffee. From the very first sip I feel more alert, making the morning commute far less dangerous for the other drivers on the road. I am also far more productive at work which allows me to write interesting blogs like this. It would be difficult to think of a better daily investment for my $2.79.

Topics: Cybersecurity Information and Risk Management Security and Privacy ESG Lab

Big Blue Mixing It Up with BlueMix and More

I’m back in Las Vegas for IBM’s Pulse Cloud Conference where the weather is better with apparently 11,000 people who are all into cloud and IBM. This is my fourth industry conference in the past year focused on cloud software – the others were AWS re:Invent, OpenStack Summit, and VMworld. The size of these software events keeps getting bigger, though they all seem to attract slightly different crowds. As you’d imagine, this one has a lot of more mature people with a lot of suits in the mix. I consider this a good thing because it smells like the enterprise is taking cloud seriously and IBM is positioning themselves. Plus IBM is not catering to IT like many of the other providers – but is instead focusing on the lines of business and developers, trying to bring all three together to improve business agility. How are they doing that? Here are a few tidbits:

IaaS:

  • The acquisition of SoftLayer ($2+B) and committing to building 15 new data centers with another $1.2B investment bringing their cloud data center count up to 40 globally gives the enterprise a global and scalable cloud provider with high performance instances delivered on Bare Metal.
  • IBM just announced that they acquired Cloudant, which is a noSQL database built on Couchbase and will be offered as-a-service. Plus Cloudant potentially gives IBM more reach with Cloudant running on AWS, Rackspace, and other CSPs platforms. For the enterprise, they will be able to consume noSQL along with MongoDB, Hadoop, and their own in-memory database plus SAP and Oracle.
  • IBM is a major OpenStack contributor and sponsor as well as being determined to deliver cloud services on OpenStack.
  • IBM will be extending SoftLayer to manage other CPU designs (namely Power and Z series).
Topics: IBM Cloud Computing Private Cloud Infrastructure openstack Softlayer IBMPulse

“Cold” Topics at RSA that Should Receive More Attention

In my blog yesterday, I outlined the hot topics I anticipate at this year’s RSA Security Conference. Since the show is dominated by security vendors, the show hype will focus on products, services, and various technologies.

So what’s missing? A broader discussion on cybersecurity issues, trends, collective efforts, and best practices. Yes, these subjects will get some attention in presentations and break-out sessions but the show floor and cocktail party banter will lean toward a myopic security perspective around bits and bytes.

Topics: Information and Risk Management Security and Privacy Security cybersecurity skills shortage google Bradford Networks Cybereason LogRhythm compliance DHS ForeScout CybOX Great Bay Software Lancope Edward Snowden Facebook FIDO

Lysi-Strata - Big Data’s Act I

This was my first visit to the O’Reilly Strata Conference, and I was impressed by the energy. Many IT industry tradeshows feel like they are in a slow decline, so it was refreshing to see all the buzz around the big data market. Judging from the sheer number of exhibitors, the quality of the talks, and the quality of attendees, the world is now ready to get serious on innovating and implementing new solutions.

So if “the medium is the message,” as Marshall McLuhan says, the theatrical performance was an instant Greek classic, complete with star cameos, love sub-plots, and a couple of good wars.

Topics: Microsoft Big Data Data Management & Analytics Enterprise Software strata O'Reilly

Hot Topics at the RSA Conference

It’s the calm before the storm and I’m not talking about the unusual winter weather. Just a few days before the 2014 RSA Security Conference at the Moscone Center in San Francisco.

In spite of this year’s controversy over the relationship between the NSA and RSA Security (the company), I expect a tremendous turnout that will likely shatter the attendance records of last year. Cybersecurity issues are just too big to ignore so there will likely be a fair number of first-time attendees.

Topics: Cloud Computing Check Point Fortinet Cisco Networking Information and Risk Management FireEye mobile Security and Privacy endpoint security SIEM Cybereason Good Technology bromium 21CT CloudPassage Firewall Cylance click security Bit9 Carbon Black IDS/IPS Firewall & UTM Hexis Cyber Solutions Public Cloud Service

Social Analytics, Facebook, and $19 BILLION

Over the last years, I’ve had the pleasure of having lunch with LinkedIn’s founder Reid Hoffman, hearing Twitter’s CEO speak, dinner with SnapChat investors, and many other meetings or casual conversations with people closely involved with or passionate about popular social networking services.

Last week at Strata there was a lot of talk about “people are data,” integrating social data, and how analytics could provide a far deeper understanding of your business and clients.

Topics: IBM Analytics Data Management & Analytics Enterprise Software social Facebook

Gearing up for the Spring Show Season and ONS

While many are gearing up for another season of IT shows, those of us in the Northeast as still digging out from a very snowy season. The idea of escaping the polar vortex for San Francisco, Barcelona, or San Jose (RSA, Mobile World Congress, or Open Networking Summit) sounds really good to me. Fortunately, I have the privilege to chair a session at ONS this year along with some great speakers from Tail-f, Intel, Goldman Sachs and ONF, so I will be able to get away - for at least a few days!

Topics: IT Infrastructure Networking ONS Open Networking Summit Intel ONF

D2D2C is like 1 box of Legos and 2 manuals [VIDEO]

Last year, I blogged that a modern “Data Protection Strategy” is more than just backup – instead including also snapshots, replication, archiving, etc. (see also bit.ly/jbSpectrum1)

And while some would then call this a hybrid architecture, others prefer to think about “hybrid” as being disk plus tape or cloud. If we dig into where those ideas meet, we’ll find that even with something as simple as “Disk to Disk to Cloud” as a way to first recover locally from disk and then extend that protection to a cloud-repository; every answer just brings up more questions.

Topics: Data Protection Information and Risk Management Jason Buffington STaaS BaaS cloud-backup cloud storage

Can the FIDO Alliance Act as a Game-Changer and Help Obsolete User Name/Password Authentication?

It seems like yesterday when I was logging onto the VAX system at my alma mater UMass so I could work on a market research project with a statistics program. When my time slot came up, I would sit in front of a VT100 terminal, input my username and password, and voila – a timesharing session at the cutting-edge of high tech.

Well this memory may seem recent but in truth it was back in the mid-1980s. I probably had a mullet and was hankering to listen to Flock of Seagulls at the time. The VAX, mullet, and new wave music are now ancient history but we’re still using user names and passwords for authentication most of the time.

Topics: IBM Apple Microsoft End-User Computing Information and Risk Management mobile Security and Privacy Security google Lenovo endpoint security mobile device multi-factor authentication RSA Security Facebook

Enterprise Security Professionals Identify Mobile Computing Security Challenges

Most companies now provide network access and application support for non-PC devices like smartphones and tablets and many are developing new applications and business processes designed specifically for these devices. Business managers look at iPhones, Android devices, and even Windows phones and see opportunities for revenue growth, cost cutting, and improved communication everywhere.

Topics: IBM Cybersecurity MDM Information and Risk Management mobile Security and Privacy Security cybersecurity skills shortage endpoint security Citrix CyberArk Courion Bradford Networks Fiberlink android Good Technology ForeScout Airwatch Blue Coat

A New Perspective on Centuries of IT…and The Demise of Disk Drives

Perspective is everything. And the start of a New Year is traditionally when we look forwards and embark upon some predictions. But our perspective very often – and logically - defines those predictions. After all, what we know (or at least believe we know) is clear, and such clarity determines our outlook. This much is straightforward…..but what if we adjust our perspective? Put another way, a change of perspective can change what we know, or at least can put new facts into the assumptions we use to make our predictions.

Hence the title of this blog. We don’t have centuries of IT history – I don’t think many people would dispute that, even though the roots of current digitized manipulation can be traced back via punch cards and the abacus. But “Information Technology” as we currently understand it has really only been with us for decades; and in those terms every step forward – think of the PC, internet, cloud and mobile computing for instance – looks transformative. These things are certainly dramatic and valuable, but making predictions from these usually restricts us to gradual technology. Sure, we are putting mini-tablets on our wrists now, but that’s just logic and miniaturization. And now for a short diversion from all-things- IT…..but enjoy the story and then we shall return!

Topics: Storage IT Infrastructure flash solid state storage

Good News and Bad News on Cybersecurity Priorities and Spending in 2014

With the Winter Olympics in full-swing, the cybersecurity community anxiously awaits another global event, the 2014 RSA Conference. Like Sochi, the RSA Conference comes with its own controversy, but I still anticipate that most of the global information security glitterati will be in San Francisco two weeks hence.

Topics: Cybersecurity Information and Risk Management Security and Privacy Security Mandiant rsa conference nsa Edward Snowden cyber attack

8 Suggestions for Every Data Protection Strategy [video]

As a “data protection dude”, I have the best job in the world – I have the opportunity to talk to hundreds of IT Pros on what they are doing (or are thinking about doing) in data protection, and then survey thousands more on the same ideas.

So, for all of the IT Pros who are now into the fray of 2014 and asking “What else should I be doing to ensure my organization’s recover-ability?” – this video includes eight suggestions to consider as part of your data protection strategy (including the ESG data that supports those suggestions).

Topics: Backup Data Protection Information and Risk Management Jason Buffington

There are Clouds out on the Verizon

I’ve been watching the cloud scene for a good number of years now and the first iteration of most of the clouds were, well, boring. I’d call these version 0.4 clouds on a good day. Basically they seemed to be made up of standard enterprise storage and servers, running VMware, single tenant except for the rare case of some ‘shared’ storage that was walled off by having the service provider (mostly Telcos) provision and attach storage to specific servers.

Then along came some advances in the software and hardware that actually enabled some basic multitenant capabilities. Of course with the new capabilities came a whole lot more competition as well. To differentiate themselves, some providers went down the acquisition route pretty early with Verizon being one of them (2011). They quickly acquired Terremark for their managed services and their beginnings of a cloud platform. In addition to Terremark, Verizon also acquired CloudSwitch, a cloud software technology that allowed companies to create hybrid clouds between on-premises data centers and public cloud providers as well as between public clouds.

Topics: Cloud Computing cloud VMware Private Cloud Infrastructure Hyper-V Verizon Public Cloud Service

Pushing Database Performance to the MAX

At the time of the first VCE announcement, I was an EMC employee. The announcement sounded too good to be true. “So you’re telling me we’re combining leaders in storage, virtualization, and networking and we’re going to make a super product? Awesome!” I was new to technology and at the time I didn’t have the exposure or the knowledge to understand what they were doing and why they were doing it. VMware, Cisco, and EMC obviously knew a target market existed, but didn’t have the resources to do it alone. I like to think their mindset was similar to a famous quote from a childhood cartoon I grew up with, Captain Planet…“With our powers combined…”

Topics: Storage IT Infrastructure

More Bad News about the Cybersecurity Skills Shortage

ESG is about to publish its 2014 IT spending intentions research as it does each year. In reviewing this data, I found continuing bad news about the IT security skills shortage. ESG research found that:

Topics: Information and Risk Management Security and Privacy

Mobile Device Management (MDM) Deployment Remains Elementary and Immature

Now that it’s February, the entire security industry (sans a few noble protesters) is gearing up for this month’s RSA Conference in San Francisco. Once again, I anticipate a lot of buzz around all-things mobile computing security this year just as there was in 2013. MDM/MAM is sure to come up too – what with Citrix’s buying Zenprise last year, IBM’s purchase of Fiberlink, and VMware’s recent acquisition of AirWatch.

Yup, everyone will be talking MDM, MAM, mobile business processes, mobile development, and so on. They’ll be pointing out killer applications, wonderfully productive use cases, and burgeoning application development trends as well.

Topics: Information and Risk Management mobile Security and Privacy