
Posts Tagged ‘Cloud’

GRC Regulatory Landscape

November 24th, 2010 No comments

Global and local regulations are evolving across all industries and sectors. Here is a selection of the ever-increasing number of regulatory frameworks:

  • All sectors and industries: Enterprise Risk Management (ERM), Electronic discovery (e-discovery), Financial Statements (IFRS, GAAP), Sarbanes Oxley (SOX), EuroSox, Customer Data Privacy and Protection (EU e-privacy), Business Continuity Management, Data Protection Act (EU, UK, Germany), IT Security, IT Controls and Compliance (ITIL, CobiT, ISO), Payment Card Industry Data Security Standard (PCI DSS).


Security Starts with Kids, and the U.S. Cybersecurity Awareness Month

October 7th, 2010 No comments

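In the cloud computing era, IP-based security policies will lose much of their effectiveness. Anytime, anywhere access to data and services requires that access control be based on the “user” and the “data”. At the same time, to strengthen user- and data-based access control, two-factor authentication will become more common and may even become the default, for example by tying network access to a hard token such as a next-generation national ID card. Of course, to protect citizens’ privacy, an anonymization layer needs to be implemented technically between real-name ID authentication and the actual online identity…

National Cybersecurity Awareness Month

All of the above is discussion at the technical level. In fact, the weakest part is not the technology but the target of social engineering: people who lack security awareness and skills. Just like the “Please take care of your belongings” signs seen everywhere in public places such as stations, airports and shopping malls, the most important thing for surfing safely and protecting privacy on the Internet is awareness. Setting aside the general public, from the standpoint of governments, enterprises and organizations, this means extending security awareness from security managers and security officers out to top management, finance and business owners, and all ordinary employees.

This is a typical “easier said than done” matter. The difficulty is that those with money and authority lack the motivation, while those with the motivation lack the resources. Since last year, the country across the ocean has designated a national security month: October. This year’s theme is “Our Shared Responsibility”. This is something worth learning from.

While browsing Beaker’s blog today, I came across a very interesting activity. Beaker is promoting a non-profit project called Hackid: security starts with kids.

Hackid runs kid-centered technical salons and hands-on activities to spark children’s interest in basic electronics, the Internet and innovation, improve their hands-on skills, and raise their understanding of Internet fundamentals… Below is the description of the activities from its official page: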


Strategic Thinking on Symantec Acquisition

May 27th, 2010 No comments

Last week, Symantec (NASDAQ:SYMC) acquired the security businesses of VeriSign (excluding iDefense). There have been tons of news reports and comments by market observers and analysts. In general, given that both negative and positive comments are valid, the chart below gives a different perspective for evaluating Symantec’s acquisition strategy.

Stock price of Symantec, CA, McAfee

It’s a 5-year stock price chart of Symantec, compared against those of CA (NASDAQ:CA), McAfee (NYSE:MFE), and Nasdaq.

The overall changes in 5 years are:

  • Symantec down by: -35.14%
  • CA down by: -30.60%
  • McAfee up by: +21.87%
  • while Nasdaq up by: +9.67%

An ENISA Diagram of Cloud Security Risks

March 12th, 2010 No comments

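ENISA Cloud Security Risk Map

The figure below is taken from ENISA’s white paper on cloud security risks. The diagram illustrates the two dimensions of cloud security risk assessment, namely impact and likelihood. Based on these two dimensions, ENISA identifies several of the more prominent risks:

  • Compliance
  • Lack of governance (oversight)
  • Jurisdiction
  • Incident response
  • Data protection
  • Electronic forensic analysis and subpoenas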

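You may have noticed that ENISA-related posts have gradually become more frequent here. That’s right, ENISA has indeed caught my attention, just as CSA has. ENISA and CSA currently cooperate very closely; several projects are jointly initiated and led by both, although there is of course healthy competition as well. I also recommend that you follow ENISA and its industry activities.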


Title changed to “Cloud & Telecom Security”

March 8th, 2010 No comments

This morning, you might have noticed that the blog title was changed to “Cloud & Telecom Security”. Yes, it’s true.

Over the past one or two years, my interests and focus have shifted toward cloud computing and telecom or ICT security, while P2P has been touched on only very occasionally. I believe the new title reflects the new focus better, and I hope you like it.

Cloud Security Alliance (CSA) Releases New Cloud Security Guidance v2.1

January 4th, 2010 1 comment

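On December 17, 2009, the Cloud Security Alliance released the new version of its Cloud Security Guidance, v2.1 [1], representing an important upgrade in the cloud computing and security industry’s understanding of cloud computing and its security protection.

The Cloud Security Alliance (CSA) was announced at the 2009 RSA Conference. Since its founding, CSA has quickly gained broad industry recognition. CSA has now established partnerships with industry organizations such as ISACA and OWASP, and many internationally known companies have become corporate members; NSFOCUS also became a corporate member last month (apparently the first corporate member in the Asia-Pacific region; Twitter users, please follow @nsfocus_update). The cloud security guidance it publishes, and the development of that guidance, has become a notable security activity in the cloud computing field. Below is a brief review of cloud computing, the security threats it faces, and the new cloud security guidance and how to use it.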

Startup In China

November 19th, 2009 No comments

HP Acquiring 3Com increases the oligopoly of IT arena

November 11th, 2009 6 comments

With this acquisition, HP enters the enterprise networking market with a strong threat management product line from TippingPoint.

The vulnerability and threat research of DVLabs will greatly improve HP’s capability and image in these areas, so that HP’s competition against IBM will become more effective. X-Force of ISS is one of IBM’s critical advantages over HP in the overall one-stop IT arena.

Historically, after an independent security company is acquired, its selling model and focus change to align more closely with the acquirer’s major businesses. In HP’s case, its security product lines, including IPS/UTM, focus on its global enterprise customers and outsourcing partners. The security department will mostly lose some momentum to find and win new customers; instead, it will be more interested in existing customers, bundled within other, bigger IT/service orders.

Gartner released Top 10 technologies at 2010

October 21st, 2009 1 comment

Gartner, the leading marketing analysis and strategy firm, released its newly brewed Top 10 technology list today. They are:

  • 1. Cloud computing. Cloud has been the top buzz-term in the past months. Gartner raised it from No. 2 in 2009 to No. 1 in 2010. Without doubt, this statement will be quoted by tons of articles and vendor solutions in the following seasons.
  • 2. Advanced analytics. I would rather explain it as data correlation and data mining tech. This seems to be similar to “business intelligence” (No. 9 in 2009).
  • 3. Client computing. Client computing is critical mostly for its security impact on the whole Internet.
  • 4. Green IT. It was No. 1 in 2008, and No. 10 in 2009. Anyway, it’s a concept, containing a lot of technologies, customs, culture, etc.
  • 5. Reshaping the data center, with new designs and approaches that include building out incrementally in pod-based approaches, adding only power, chillers and generators to support initial needs.
  • 6. Social computing. It has become deeply involved in daily life. Facebook, Twitter, LinkedIn, etc.
  • 7. Security activity monitoring. A variety of complementary (and sometimes overlapping) monitoring and analysis tools help enterprises better detect and investigate suspicious activity, often with real-time alerting or transaction intervention. Personally, I think this is similar to No. 2.
  • 8. Flash memory. It’s a new face in the Top 10.
  • 9. Virtualization for availability. While virtualization has melted into cloud computing and other diverse areas, Gartner leaves “availability” on the list.
  • 10. Mobile applications. No comments at this moment. There are a lot of developers and app stores to be found on the web, which reflects how hot the area is.

Twitter has performance issue now and again!

October 21st, 2009 No comments

This morning Twitter seems to be having performance trouble. Actually, this is not the first time I have gotten the screen below:

Twitter performance issue again


Cloud Computing Is Undergoing a Sweeping “Up to the Mountains and Down to the Countryside” Movement

September 25th, 2009 1 comment

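A few months ago I read Nicholas Carr’s book (Chinese edition title: “IT No Longer Matters: Cloud Computing, the Commanding Height of the Great Internet Switch”, CITIC Press, October 2008), which describes the scene of a future data center: a large gray warehouse, heavy iron doors, stern guards, and so on. IBM’s flagship data center in the U.S. is located in Boulder, Colorado; I guess electricity and costs there are somewhat lower than in New York and Raleigh. Later I also saw news that Google and Microsoft had both built new large-scale data centers near hydroelectric stations on a major river in the western U.S. to support their cloud computing strategies. Infrastructure expenses such as electricity have become a large part of the cost of Internet cloud computing, and under the banner of green IT, hi-tech cloud server farms are undergoing a sweeping “up to the mountains and down to the countryside” movement.

See the news item below. IBM’s new data center has been built in Dongying….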


What would be Google’s next step after Sidewiki?

September 24th, 2009 No comments

After Google released its new Sidewiki service yesterday, it’s very interesting to imagine what Google’s next step would be. You know, letting users share comments on specific web pages is not a new service. Digg, Slashdot, Reddit, delicious, and other peers have been providing this for a few years. From the release note, the key point of Sidewiki is “direct”, i.e. users don’t need to submit to somewhere else to share their comments. Sidewiki allows users to share comments “directly”. Doesn’t “directly” mean a shortcut past other page-sharing providers?


Google Launches a Mini Quick-Comment Service Today: SideWiki

September 23rd, 2009 No comments

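Sept. 23, 2009: This morning Google announced the launch of a mini quick-comment service, SideWiki, which allows every reader to comment at any time on the website they are browsing. This kind of quick mini comment system will significantly affect online bookmarking and sharing services such as Digg, Slashdot, Delicious and Reddit, while strengthening the central role of the Google ID account and further keeping users on Google’s services.

SideWiki is implemented through the Google Toolbar, allowing users to comment and to view other people’s comments in a sidebar of the web page. Its integration and data sharing with shared bookmarks, Reader, the mail system, Google Docs and so on will likely appear soon as well.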


Could a simple injectionlet destroy your whole cloud?

September 18th, 2009 1 comment

It’s reported that the U.S. Department of Homeland Security was looking at a report by a research scientist in China that shows how a well-placed attack against a small power subnetwork could trigger a cascading failure of the entire West Coast power grid. It’s an inspiring finding from a unique viewpoint. A slight bite by injection into the grid might lead to an overwhelming avalanche. Isn’t it horrible?

Ground Zero

However, what I am thinking is that Internet cloud services have many similarities to the power grid, i.e. these threats and potential attacks are very possibly valid for Internet clouds too. How would Internet clouds respond and react to attacks similar to those against the power grid? Yes, the dominant cloud service providers have very robust and strong infrastructure all over the world: how large the bandwidth, how many servers, how many square feet of data centers, blah blah. Further, there are automatic load balancing and distribution systems among those distributed data centers. Once one set of servers and/or circuits fails, the services would be transferred to other servers and circuits automatically. Your services WILL be there, staying the same, or NOT?

Cloud Services: The Beginning of the Internet Overturning Traditional Industrial Society (repost)

September 18th, 2009 2 comments

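Reposting an article by Mr. Cheng Lingfeng. I really appreciate the enthusiasm and infectious energy the author radiates. The spread of the PC, the spread of the Internet, and the emergence and rapid growth of cloud services have indeed given many individuals, companies, organizations and regions many opportunities.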
