Archive for the ‘Architect’ Category

RSA 2010 Conference Notes

March 9th, 2010 Richard 4 comments

Prologue:

Watching a White Hawk Released, Two Poems (Li Bai)

In the eighth month the border wind blows high; the Hu hawk's plumage is white brocade;

Flying alone, a single flake of snow, from a thousand li it sees the finest autumn hair.

The RSA Conference has always been a big event in the network security circle. By tradition the heads of every major vendor come to show their support and use it as the launch point for the coming year's market message and product technology. Rather than enumerating the big names who did show up, let's look at which major vendors did not come.

The first absentee is Oracle. As everyone knows, Oracle has quietly become a heavyweight in the security field, especially after acquiring Oblix in 2005 and Sun in 2009; it now has long product lines in identity and access management (IAM), database security, auditing and more. On the one hand, Oracle's CEO Larry Ellison frequently mocks cloud computing; on the other, at several trade shows I have seen Oracle steadily pushing its own cloud computing solutions. Likewise, Oracle is rapidly building out its network security solution capability, yet declines to "dance with the wolves" and pay its respects at RSA's stronghold. That is what you call having character. During the show I ran into several friends from Oracle, attending in a personal capacity.

The other absentee is Juniper. Since acquiring Netscreen, Juniper has sold security products worldwide and is a strong player in firewall, IPS and VPN; no product review in those areas can leave it out, "everyone on earth knows it". For whatever reason, Juniper does not see eye to eye with RSA, held right next door to its home. Juniper had a speaker on stage but did not exhibit. Juniper's absence was certainly not a matter of "being short of money".

Huawei's absence was both reasonable and unexpected. Huawei-Symantec (Huasai) has long been known at home for its international marketing, and many peers regard it as the model of going global. Yet Huawei would rather not mingle with trade shows full of petty-bourgeois sentiment and blind self-confidence written on every face, and does not even bother with product rankings from Gartner or SC Magazine. "Good wine needs no bush", I suppose! Ha.

With the small talk out of the way, let's see what was actually new at this conference. Read more…


Cloud Computing Security Glossary – cloud bursting

February 3rd, 2010 Richard No comments

Cloud bursting is a term coined by Amazon technology evangelist Jeff Barr. It describes how cloud computing can absorb the "overflow" requests caused by seasonal "bursts" of traffic at online retail sites. For short-lived, highly time-sensitive surges like these, having IT buy its own hardware to scale out gives a poor ROI, because the period of effective use is so short. This is the commercial moment where cloud computing shines, its show time. Because cloud services are by nature "rented", the pay-as-you-go model makes them a far more efficient answer to seasonal or event-driven traffic bursts. Read more…


Cloud Computing Security Glossary – deperimeterization

February 3rd, 2010 Richard 2 comments

One of the most frequently discussed words in network security is "the perimeter". The perimeter was the earliest focus of network security and nurtured Checkpoint, PIX, Netscreen, ISS and other security companies and well-known brands. Many security threats, attack and defence techniques, and solutions revolve around the perimeter. We say that the rise of P2P, IM, SNS and the like has eroded the traditional enterprise network perimeter, and users roaming to the ends of the earth have made that perimeter ever more "virtual"; nevertheless, the perimeter remains our first line of defence, and many security controls have become standard configuration, including firewall/IPS/IDS/UTM, anti-DoS, VPN, WAF and so on.

In a cloud computing environment the traditional perimeter described above still exists, but as a cloud service user you need to think much harder about solutions that do not depend on perimeter protection, that is, solutions with greater defence in depth, because cloud services are by nature multi-tenant. You cannot guarantee that your "roommates" are harmless to you. In this sense, security architecture design for the cloud must pay far more attention to the "housekeeping" inside the "perimeter" or "virtual perimeter". This is a huge business opportunity, and Oracle, IBM, HP, CA and others have all recently stepped up security solutions built on the database, on large applications themselves, on IAM and so on. Two weeks ago (January 19) I attended a technical forum Oracle held in Jersey City. Oracle focused on promoting a long line of products and solutions around the database: identity, authentication, authorization, segregation of duties (SOD), privileged user management, auditing and more. CA's security advertisements are everywhere too.

It is worth noting that "deperimeterization" does not mean abandoning perimeter protection; rather, on top of traditional "perimeter" protection it emphasizes the "virtual perimeter" and security inside the cloud service. In fact, defending against denial of service, promptly finding and fixing web vulnerabilities, and WAFs capable of fine-grained identity, authentication and authorization for web services are all critical in cloud security. Read more…


Cutting-Edge Network Behavior Audit Technology from BMST

December 14th, 2009 Richard No comments

True or False: 70% of security incidents are due to insider threats?

November 10th, 2009 Richard 8 comments

Actually, the whole thread originated with a message titled "Request for ideas" by Dimitrios Stergiou on discuss@securitymetrics.org. Dimitrios wanted some recommendations for his master's program. On a sudden idea, I dropped him a message recommending that he work on this true-or-false problem in security metrics.

True or false: 70% of security incidents are due to insider threats?
I just read one book, "The New School of Information Security" by Adam Shostack and Andrew Stewart, Addison-Wesley, 2008, where I found one interesting argument by the authors. The authors doubt the statement that 70% of security incidents are due to insider threats. You know, many consultants, books and articles regard this statement as a basic hypothesis in security. What's your idea about it?

To my complete surprise, I found that Adam, Andrew, Dan and many other experts jumped into the discussion thereafter. A lot of fresh ideas emerged in the discussion threads. In order to get more experts into this topic, I submitted a discussion to the SecurityMetrics group on LinkedIn.

This RSA/IDC report has some information related to this topic: Insider Risk Management: A Framework Approach to Internal Security (thanks to Hammud). It is a good reference. In summary it tells us two things: Read more…


Gartner released Top 10 technologies for 2010

October 21st, 2009 Richard 1 comment

Gartner, the leading market analysis and strategy firm, released its newly brewed TOP 10 technology list today. They are:

  • 1 Cloud computing. Cloud has been the top buzz-term in the past months. Gartner raised it from No.2 in 2009 to TOP 1 in 2010. Without doubt, this statement will be quoted by tons of articles and vendor solutions in the following seasons.
  • 2 Advanced analytics. I would rather explain it as data correlation and data mining technology. This seems to be similar to "business intelligence" (No.9 in 2009).
  • 3 Client computing. Mostly, client computing is critical for the security impact on the whole Internet.
  • 4 Green IT. It was No.1 in 2008, and No.10 in 2009. Anyway, it is a concept containing a lot of technologies, customs, culture, etc.
  • 5 Reshaping the data center, with new designs and approaches that include building out incrementally in pod-based approaches, adding only power, chillers and generators to support initial needs.
  • 6 Social computing. It has become deeply involved in daily life: Facebook, Twitter, LinkedIn, etc.
  • 7 Security activity monitoring. A variety of complementary (and sometimes overlapping) monitoring and analysis tools help enterprises better detect and investigate suspicious activity, often with real-time alerting or transaction intervention. Personally, I think this is similar to No.2.
  • 8 Flash memory. It is a new face in the TOP 10.
  • 9 Virtualization for availability. While virtualization has melted into cloud computing and other diverse areas, Gartner keeps "availability".
  • 10 Mobile applications. No comments at this moment. There are a lot of developers and app stores you can find on the web. It reflects the hotness. Read more…

China National Vulnerability Database gets online

October 19th, 2009 Richard 13 comments

On Oct. 18, 2009 (Beijing time), China's CCTV news reported the release of China's national vulnerability database.

With the soaring growth of Internet applications, the number of vulnerabilities is also growing sharply, so the timely update and automation of vulnerability information is becoming more and more critical for information systems as a whole. A vulnerability database is used to research, collect, release and automate the lifecycle of vulnerability management, and is regarded as the core of the related activities. Although there have been a series of open source vulnerability databases (e.g. OSVDB) and commercially maintained vulnerability databases (e.g. CERT CVE, Bugtraq, NSFocus VDB), it is still regarded as essential to set up one authoritative database for the industry, particularly for government and research organizations. Read more…


First Impressions: An Introduction to and Comparison of US Websites

October 7th, 2009 Jenny 2 comments

I had wanted to choose a grand title, a comparison of the Chinese and US Internet, but since I am no expert in that area, I decided this title fits better: a tidy-up of the web pages I have browsed over this period, combined with what I know of domestic Chinese web pages, to make a comparison and sort out a few differences. I will leave the more professional evaluation to all of you.

I. A different understanding of what a web page is for
1. A website exists to provide services to users Read more…


New details of Apple's tablet leaked: it runs iPhone OS (repost)

September 29th, 2009 Richard No comments

Today, Apple is the only company that can be mentioned in the same breath as Google, I mean in terms of coolness and corporate image. Even in Jeff's WWGD book, he specifically points out that the future business principles he distilled from Google's example do not apply to Apple. Why can Apple be the exception? Is it just because of Jobs? It can sue its own users, its own fans, and still has fanatical followers all over the world and still occupies the front page of the media. What are the rest of us to do?

New details of Apple's tablet leaked: it runs iPhone OS Read more…


Two white papers on ECM and Enterprise 2.0

September 29th, 2009 Richard 1 comment

Sharing two AIIM white papers with everyone: one on Enterprise 2.0, the other on ECM – Electronic Content Management.

Today at the conference I saw the ECM solutions of OpenText, KnowledgeLake, Oracle, HP, IBM and other companies. According to KnowledgeLake, their integration with Microsoft SharePoint is much cheaper than FileNet and very fast to implement. Is anyone using Oracle's ECM? Oracle pulling out a Gartner quadrant chart to prove it is the number-one leader still gave me a small surprise. Read more…


E&Y survey shows most enterprises will not cut security budgets

September 24th, 2009 Richard 2 comments

A few months ago, it must have been February, there was a post about the security market outlook for 2009, in which Da Pan and I discussed the prospects for 2009 and the two of us made a "cautious" prediction: "Dr. Zhao cautiously bullish, Mr. Pan waiting for spring". Yesterday I read an Ernst & Young 2008 security market survey report with several interesting figures, which I repost here:

Historically, the IT function is one of the first to feel the pressure to reduce expenditures, and traditionally, information security has been closely linked with IT. Our survey confirms the link between IT and information security is still very strong (71% of respondents meet monthly with IT), but the pressure to reduce costs does not appear to be carrying over to the information security function. In fact, only 5% of respondents indicate they will be reducing annual expenditures for information security and 50% plan to increase their investment in information security as a percentage of total expenditures. In addition, only 33% of respondents cite adequate budget as a challenge to delivering their information security initiatives. Read more…


Using the Balanced Scorecard to advance information security

September 22nd, 2009 Richard 1 comment

I read a good, thoughtful post by Steven Fox and recommend it to everyone.

Read more…


Could a simple injectionlet destroy your whole cloud?

September 18th, 2009 Richard 1 comment

It is reported that the U.S. Department of Homeland Security was looking at a report by a research scientist in China showing how a well-placed attack against a small power subnetwork could trigger a cascading failure of the entire West Coast power grid. It is an inspiring finding from a unique viewpoint. A slight bite by injection into the grid might lead to an overwhelming avalanche. Isn't it horrible?

Ground Zero

However, what I am thinking is that Internet cloud services have many similarities to a power grid, i.e. these threats and potential attacks are very possibly valid against Internet clouds as well. How would Internet clouds respond to attacks similar to those against the power grid? Yes, the dominant cloud service providers have very robust and strong infrastructure all over the world: how large the bandwidth, how many servers, how many square feet of data centers, blah blah. Further, there is automatic load balancing and distribution among those distributed data centers. Once one set of servers and/or circuits fails, the services would be transferred to other servers and circuits automatically. Your services WILL be there, staying the same, or NOT? Read more…


An architect's thinking – the art of estimation

December 26th, 2008 Richard 2 comments

Earlier posts on how an architect thinks (see http://sbin.cn/blog/2008/06/16/perfect-architect/ and http://sbin.cn/blog/2008/11/17/architecture-thinking/) explored some of this: an architect should fully understand the business background and requirements, apply technology from many IT domains, and propose analyses or solutions for enterprise IT strategy, roadmaps and certain concrete practical needs. So an architect is destined to be bilingual: able to talk to management in business language, and to talk to technical experts and engineers in deeply technical language.

Those posts also repeatedly stressed that an architect should master and skilfully apply taxonomy: observe and think from multiple dimensions and angles, and present analyses and solutions in a way that is profound yet accessible. In practice an architect often faces requirements full of uncertainty, and must develop strategies, roadmaps or solutions and draw up budgets in highly uncertain environments. This is usually a dilemma: without a clear strategy and roadmap, no budget or project plan can be drawn up; without a budget analysis, management finds it hard to approve any strategy or roadmap. Top-down, or bottom-up? To resolve this, architects must take the initiative and act flexibly, seize the main "contradiction" and the key links of the problem, and produce combinations of analyses such as "high", "medium", "low" and "near", "mid", "far" term, so that management can make decisions.

In an environment with so much uncertainty, producing a reasonably accurate analysis that hits the mark depends heavily on the architect's personal experience and professional knowledge. Besides the tool of taxonomy, there is another small tool called estimation. Read more…


[Chinese] How can architects help enterprise IT survive the economic crisis?

December 9th, 2008 Richard No comments

Roger Sessions is the CTO of ObjectWatch. In an email to the EA mailing list he shared his distinctive view of enterprise architecture; it is very impressive and will certainly give everyone much to think about. Below I share the paragraphs that I have lightly translated and edited.

Roger believes EA (enterprise architecture) can survive the recession of an economic crisis and even develop further, but only on the condition that EA stops positioning its value on returns many years away and long-term vision goals, and instead positions itself as bringing the enterprise immediate, tangible, even urgent payoffs.
EA can survive hard times, even thrive. But first we must make some major changes in how we view EA. No more poorly defined payoffs that are years in the future. The payoffs must be immediate. They must be real. And they must be compelling. Read more…
