December 2008 Archives

The Need for Quality Metadata

Happy holidays! I'm sitting here, recovering from eating far too much over the past week, catching up on reading. One of the things that has jumped out at me is the growing importance of metadata to the enterprise. This trend is important enough that I believe it will become the defining trend in 2009 and beyond.

There are a couple key scenarios that are driving this increased need: encryption and records management. These needs are somewhat interrelated (or, at least, have commonality in certain key cases). For encrypted data, the problem often ties into indexing and data retrieval. You can't quickly retrieve a specific value without decrypting it, so instead need to build intelligent indexes that tell you what the data is without revealing the data itself. This is important for normal operations and will hopefully drive improved application engineering practices that put more focus on architecting useful metadata that support the encrypted data itself.

The other major driver of the metadata space will be records management, including support for eDiscovery and digital evidence. Data management and assurance will, I believe, become a new growing area of focus in 2009. eDiscovery today accounts for a major cost sink that effectively undermines the civil and criminal justice systems. In corp-corp lawsuits, the company with the most money oftentimes holds a distinct and unfair advantage because of the ability to bury the competition in discovery requests and filings.

The best solution to this challenge is to implement strong records management practices that include developing a comprehensive metadata framework that can be used to quickly identify and retrieve needed information while minimizing the cost of those queries and deliveries. Using a standard language for this metadata would be an interesting development that would then allow for much easier scoping of discovery requests. I'm hopeful that the next couple years will see an organization stepping up to formalize and expand a metadata framework for records management with a specific tilt toward eDiscovery and digital evidence support.

It will be interesting to see who will emerge as players in this space going forward. Standards should play a prominent role, if we can put aside differences to achieve best-interest consensus. There is a lot of up-side financially for enterprises to co-develop and adopt strong practices in metadata, so now we just need to start building the case and driving it forward. The trick will be coordinating support on multiple fronts, ranging from security to audit to operations to general counsel. Add in long-term cost-savings and you have a strong win-win-win-win scenario.

Wait, Wait, No, I Have a Better Idea...

Lest we forget where we as a tech industry in the 21st century came from... :)

Source: http://www.southparkstudios.com/clips/151040

Well This Explains Everything!

Apparently people are just feeling dizzy, and that's why the markets are still screwed up. Or so says the Minneapolis Fed. Of course, these are the same people who came out with the faulty analysis "debunking 4 myths" about the current crisis (see an analysis here).

Allow me to offer another explanation: banks are nervous and greedy, and are thus using the bailout to build up their war chests, waiting for Congress to further bailout the economy. But, what do I know? :)

A Couple Feed Updates

Hello. I wanted to provide a couple updates on feeds. First, before I do that, I wanted to mention that, yes, I'm planning to move back to full post delivery in 2009, just as soon as we can get MT upgraded. Anyway, that being said...

Feedburner has been gobbled by Google. As such, if you're subscribed directly to this blog, then please update to my new Google feed:
http://feedproxy.google.com/secureconsulting/ujTc

Second, if you're a subscriber to the Security Blogger Network feed, then you've likely already read that their feeds were also impacted by the Feedburner acquisition. As such, please make sure that you've updated your subscription to reflect the new address:
http://www.securitybloggers.net/feed/

Lastly, I know nobody will read this far, but just the same, if you feel so inclined, please participate in the first ever Social Security Awards. This is an award hosted by SBN for security bloggers. If you were going to vote for me *ahem* I think I'd best fit under either "Best Non-Technical Security Blog" or "Most Entertaining Security Blog". :) Or not, whatever. :) Vote here:
http://www.socialsecurityawards.com/

I've finally finished reading Daniel Pinchbeck's 2012: The Return of Quetzalcoatl. It's an intriguing book that looks at redefine Apocalyptic predictions into a spiritualistic movement and event horizon, suggesting that what we humans conceive of as "the end" could really just mean "the end of an era" and the beginning of a truly new page in history. Of course, he then ends talking about the Hopi Indians and how they hold a more disturbing vision that includes nuclear holocaust and lots of physical destruction. So, who knows.

If you're interested in the future of the planet and humanity, and if you're open to somewhat "different" interpretations of that future, then this is probably a good book for you. I'm not fully comfortable with the degree of recreational use of hallucinogenics that Pinchbeck practices, and he did leave some issues unresolved, but nonetheless, his views are interesting and unique. I'd rather like to think that his interpretation is correct, that the future will be marked by a sudden evolutionary advancement. What I'll be more interested to see is the number of crazies who will come out of the woodwork the closer we get to Dec 2012.

Twelve Days of EFF (Please Donate)

eff.gifVisit EFF, hear their take on the Twelve Days of Christmas, and donate! :)

The Center for Strategic and International Studies (CSIS) has today published a new report - "Securing Cyberspace for the 44th Presidency". In it they lay out 9 high-level recommendations, which are:
* Create a comprehensive national security strategy for cyberspace.
* Lead from the White House.
* Reinvent the public-private partnership.
* Regulate cyberspace.
* Authenticate digital identities.
* Modernize authorities.
* Use acquisitions policy to improve security.
* Build capabilities.
* Do not start over.

Overall, this looks like an ok report, though I'm always a bit skeptical. I still don't have a reasonable expectation that Congress has enough competency in Internet policy to adequately address concerns. President-elect Obama certainly is more tech-savvy than any prior president, but that doesn't necessarily mean he'll be able to get impart that wisdom to the Congressional common people.

I'm definitely in favor of a new Cybersecurity Directorate being established within the National Security Council - it would provide a much needed elevation in visibility and authority. I do, however, get concerned when I read statements recommending a central government strong authentication and credentialing scheme. We do not need another REAL ID debacle. We do not need the federal government to release a national credential. It's not the role of federal government, but rather a responsibility that has been delegated to the States (see, for example, birth certificates). (For more on why REAL ID is a bad idea, see the EFF REAL ID action site.)

In the end, the report is probably good for the most part, though it does lack creativity in some areas. We need new solutions to these now-age-old problems. What we've been doing thus far has not been effective - so why think that doing more of it would have different results. Anyway... give it a read - I'd be curious what you think! :)

Dilbert on Workstation Security

| 1 Comment

In case you missed it today... :)

Dilbert.com

(click to see full-size in original enclosure)

Uh, What Alan Said

Mr. Shimmel has a good, brief post up on the state of the economy and its impact on infosec. He pretty much hits the nail on the head. Adding on to what he says, I've been reading daily crime reports from my base city, and I've noticed a steady increase in basic theft/burglary/larceny cases. Historically, crime increases as the economy tanks, so this shouldn't surprise anybody.

From an infosec perspective, this reinforces more than anything the imperative to know what info you have, how important it is, and where it is supposed to go. If you cannot describe the "crown jewels" of your information capital, then I'm afraid you're going to have a tough time prioritizing precautions protecting it.

This note brought to you by the letters F and M (for felony and misdemeanor).

Good Round-Up of Mass. 201 CMR 17.00

Bejtlich has posted a good summary of info on the new Mass. law regarding protection of MA resident PII. Several links out to other sites. Check it out here:
http://taosecurity.blogspot.com/2008/12/letters-you-will-need-to-know-201-cmr.html

For the .000000000000001% of you who might be interested, I've posted a complete rewrite of my resume. You can view it here in PDF format. Comments (and job opps) welcome. :)

I've also updated my list of publications under my "professional" section. Feel free to peruse.

My Other Pages

Support Me

Support EFF


Bloggers' Rights at EFF

Creative Commons License
This blog is licensed under a Creative Commons License.
Powered by Movable Type 5.2.10