Cloud Security Policy

8 steps to write a cloud security policy

Everything is moving to the cloud - a cliche we have heard so often that we have started to believe it to be true. To some extent, it is. The infosec professional has been caught on her heels about cloud security. Just when she got round to analysing the risks of virtualisation, the monster of cloud-based services crept up behind her. The simplicity and attractive pricing offered by cloud service providers lets shadow IT sign up for the service before you could say ‘cloud security’. There are myriad arguments flying around…

“Everyone’s using Evernote! What’s infosec got to do with it?”

“…but it is free for up to 5 users and we are not more than 5 users!”

“This is way cheaper than what my accounts package costs…and I can access it from home.”

These are words that strike terror in the heart of infosec professionals.



The quest for good passwords

Passwords are easily the most talked-about infosec control. Perhaps the simplest concept to explain, and surprisingly hard to implement well. Allow a user to keep any password, without restriction, and she will keep her username as the password. Add complexity requirements and she will write it down.

Infosec professionals take every possible measure to get users to keep their passwords confidential. They provide guidelines on creating good complex passwords. They use analogies - ‘A password is just like a key! Would you share the key to your house?’. They enforce password rules by building them into the systems. Try as you might, people and passwords seem to have a healthy dislike for each other.
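Building the rules into the system means the check runs at password-set time, not in a guideline nobody reads. The following is an added example, not code from the original post: a small Python acceptance check that rejects the two failure modes above (username as password, and trivially weak choices) while leaving the user free to pick a long passphrase. The common-password set is a constructed sample; a real deployment would consult a breached-password corpus instead.

```python
import unicodedata

# Constructed sample of known-bad passwords (assumption: a real system would
# check against a breached-password corpus rather than this short list).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

MIN_LENGTH = 12  # favour length over character-class rules


def _normalise(text):
    """Unicode-normalise and casefold so 'Alice' and 'alice' compare equal."""
    return unicodedata.normalize("NFKC", text).strip().casefold()


def check_password(username, password):
    """Return the list of reasons a password is rejected; empty means accepted."""
    problems = []
    pw = _normalise(password)
    user = _normalise(username)

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Catches 'alice', 'Alice!', and 'alice2024' for user 'alice'.
    if user and (user in pw or pw in user):
        problems.append("contains or equals the username")

    # 'Password1!!!' is still 'password' once the trailing filler is removed.
    stripped = pw.rstrip("0123456789!@#$%^&*._-")
    if pw in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")

    if len(set(pw)) < 4:
        problems.append("too few distinct characters")

    return problems


if __name__ == "__main__":
    for user, pw in [("alice", "alice"), ("bob", "Password1!!!"),
                     ("carol", "correct horse battery staple")]:
        verdict = check_password(user, pw) or ["accepted"]
        print(f"{user}/{pw!r}: {', '.join(verdict)}")
```

The check returns every reason rather than the first one, so the user gets a single, complete message instead of a round of guessing that tempts her to write the eventual password down.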


The Product-Process chasm – and how to bridge it


Have you implemented a firewall? An IPS? An AV? An IAM solution? A DLP? A DRM? An APT solution? A gateway proxy? An MDM solution? A SIEM? Chances are that you have answered “Yes” to at least two questions. (If not, please leave the information security industry right away and do something else. Really. Anything else will do!)

All these are very good technologies. They solve an information security problem, and they solve it well. What worries me is that many (if not most) implementations of these technologies are not as effective as they can be. The problem? Lack of well-defined processes.


The mysterious disappearance of TrueCrypt

It is difficult to imagine a time without TrueCrypt. I do not even remember how I first got to know of TrueCrypt. I remember, however, moving the mouse randomly to create a new container. Young and foolish at that time, I thought it was a gimmick - not knowing that random number generation can be such a big pain. However, the software itself was great to use. Ever dependable. It had an element of mystery as well - the password for ‘duress’ where you could dump dummy data. It made you feel like a bit of a spy.




The Info-Sec Idiots Guide



Info-Sec Idiots Classification


“Can you get us a security certificate in a week’s time?”

If you have been in the infosec consulting business long enough, you will, for sure, have come across this sentence. In this post, I want to vent my frustration and tell you the answers that I actually want to give - not the answers that I actually give!


The Heartbleed FAQ

The dust seems to be settling over the Heartbleed storm. Questions have been asked and answered. The experts and the newbies have voiced their opinions. This, I feel, is a good moment to answer those little questions that we have always been meaning to ask, but feared being thought of as stupid. Here is my attempt to explain Heartbleed in simple question and answer format. I have provided as many references as possible for further exploration. Feel free to suggest changes / corrections!



Terrorist Outfit Seeks ISO 27001:2013 certification

I generally write long and boring stuff about obscure standards and esoteric practices. Sometimes, I do get bored of this and want to write some fiction. I tried to be Sir Arthur Conan Doyle here. This post is my attempt at faking a news report!

TORA BORA: An infamous terrorist outfit has decided to implement and get certified on ISO 27001:2013, as information related to the critical projects it undertakes keeps getting leaked to outsiders.


The truth about the information security industry

The information security industry is in the doldrums. If it is not, it probably should be.

For the past decade, there has been no change in the basic way we operate. For an industry that is reasonably new and supposedly at the cutting edge of technology, it has not done anything different. Don’t get me wrong here. We have improved our tools. We have dutifully automated stuff. We have created more glamorous reports and siphoned off truckloads of money from unsuspecting customers. BUT there has been no change in the VALUE that information security adds to the business.


The case of the missing PDCA cycle

‘My dear Watson!’ exclaimed Holmes. “You are no doubt wondering about how they work in Japan.” I looked up in surprise. I was indeed pondering the work culture in Japan.

“Have you started performing black magic, then, Holmes? There can be no other explanation to this” I spake with wide eyes. “How can you even know what I am thinking?”

“Elementary! I have been observing you for the past ten minutes. You started reading the new ISO 27001:2013. A few minutes later, your eyes widened. You left your seat, went to the shelf and retrieved the ISO 27001:2005.”

“And how can that possibly tell you that I am thinking about Japanese work culture?”


Questioning Security Paradigms

Verizon has released its annual Data Breach Investigations Report for 2013. The report is a barometer of sorts for the infosec industry. Organised surveys of incidents and data breaches are few and far between in the infosec world. It is surprising, however, that the industry tends to ignore the key findings of these reports and continues on its path of inertia. Here are a few key observations from the report that question our regular security paradigms: