Posts tagged Security
Ask a CIO what her top concerns are with public cloud services like Amazon Web Services (AWS), and she’s almost certainly going to list security as her #1 concern. But ask her whether she’s running serious applications in the public cloud, and the answer increasingly is “Yes.”
Put simply, the increased agility of cloud computing trumps its many drawbacks, including security.
Security And The Cloud
And let’s be clear: security is a very big issue. At least, it’s a very big perceived issue. According to a recent 451 Research survey of IT executives, security concerns dwarf other inhibitors to public cloud adoption:
And yet when Forrester polled IT management, 40% of the 2000-plus enterprises surveyed indicated they have already rolled out workloads on public clouds or have near-term plans to do so, up from 30% in 2012. In 2014 that number is projected to hit 50%.
Clearly, the oft-maligned public cloud is holding its own.
For one thing, security is something of a non-argument, as enterprises generally under-invest in security. According to a 2013 SIM IT Trends Study, IT security ranks as the second-highest priority for IT leaders, yet is the 14th largest IT investment. If we assume enterprises vote for their real priorities with their wallets, then security isn’t truly their biggest concern.
This isn’t surprising. Security doesn’t net an enterprise new customers. It’s a somewhat invisible feature that gets pushed down the priority list when a Big Data project or any number of other revenue-generating applications need to be implemented.
I’ll Take Your Security And Raise You Business Agility
The security argument is just one reason pundits have mistakenly assumed private cloud adoption would dwarf public cloud adoption. The other thing they’ve missed is how dependent the modern enterprise is on speed. At least for now, public clouds better deliver business agility and associated speed of development. Lines of business can’t afford to wait around on IT to provision private cloud capacity for them when they can more easily grab it from AWS, Rackspace, Microsoft Azure or another public cloud option.
Which is not to say that private cloud won’t take off. In a conversation with Eucalyptus CEO Marten Mickos, he pointed out that private cloud adoption is happening exactly the opposite of how many expected it to grow. The early wisdom was that risk-averse enterprises would start with private clouds and then embrace public cloud as a way to add elasticity to these private clouds.
Instead, we’re seeing widespread public cloud adoption and then enterprises are looking to complement it with private clouds to shelter data/workloads that aren’t appropriate for the public cloud. Eucalyptus, fully compatible with the EC2 API, suddenly looks like a shrewd strategy.
It’s Amazon All The Way Down?
OpenStack, under Red Hat’s guidance, is almost surely going to mount a significant challenge to AWS in cloud adoption. But for now, as Gartner analyst Lydia Leong argues, “Nothing about OpenStack’s growth trajectory suggests by EOY 2014 it gives Amazon, Azure, or Google a serious run for the money.”
In other words, for now it’s Amazon’s world, and we’re just invited to buy from it.
This was on clear display at Amazon’s big re:Invent conference. The sold-out event drew over 11,000 attendees and featured an impressive array of sponsors and exhibitors, which Leong picked up on:
Huge expansion in show floor at #reinvent this year illustrates a very interesting ecosystem around AWS.
— Lydia Leong (@cloudpundit) November 14, 2013
Can anyone knock AWS off its perch? Maybe. Forrester highlights growing interest in Microsoft Azure and Google Cloud Platform as but two examples of significant competition:
Even so, these are public clouds. For now, whether AWS-, Microsoft-, Google- or Rackspace-branded, the dominant cloud by far is the public cloud. Valid or not, security and other concerns are getting swept aside by the public cloud’s promise of improved business agility. That’s likely to continue for some time for, as Forrester analyst James Staten highlighted in a recent OpenStack Conference keynote, the vast majority of enterprise IT professionals remain cloud novices.
In other words, even with its impressive adoption, the public cloud has nowhere to go but up.
View full post on ReadWrite
As Adobe’s latest security breach reveals, people are pretty terrible at choosing hard-to-guess passwords. But as security expert Graham Cluley’s (@gcluley) response also makes clear, security people are equally terrible at choosing easy-to-follow security protections.
Let’s be clear: the passwords that dominate Adobe’s top-10 list are really, truly bad. The rest of the top 50 aren’t much better. Here are the top 10:
These are made doubly easy to crack by the hints users set for themselves to help them remember: 1to6, numbers, 123, 654321, numeros, 1-6, number, 1, 12.
Memory Is The Problem
That need to remember, of course, is the problem. It’s not as if nearly two million Adobe users chose “123456” because they thought it would be hard for someone else to crack. No, I suspect they chose it precisely because it would be easy to remember. We’re asked for passwords on nearly every website now. Having a different, hard-to-crack password for each of them is a nightmare.
Yes, one can use a password manager like LastPass or 1Password, but here’s the thing security people don’t seem to grok: normal people don’t have the slightest clue what these are.
Ditto for Cluley’s other suggestions:
[Y]ou should never use the same password on multiple websites. And you need to stop choosing obvious, easy-to-crack passwords…
Again, the reason people re-use passwords is because it’s otherwise impossible to keep track of a variety of different, hopelessly complex passwords. As I learned when my daughter’s Gmail account was hacked, it’s critical to keep one’s accounts protected. But as I’ve learned in daily interactions with her and many other friends and family members, it’s also really hard to maintain stringent security measures.
Making The Matter Worse
This problem is compounded by the well-intentioned efforts of IT administrators and other security pros who follow Cluley’s advice:
And maybe it’s time to implement tougher requirements on your customers in the first place, ensuring that they use passwords that are more complex and harder to guess in future.
Perfect. This is precisely why my wife can’t remember the passwords she has set on a number of different sites, forcing me to use Keychain on her Mac to help her remember what passwords she has used. And it’s why my parents keep files on their computers within which all of their passwords are stored. Not because they don’t know this is a security problem, but because it’s otherwise impossible to master all the complex password hoops genius security folks force them to jump through.
Again, I’m not suggesting that such security precautions aren’t important. They are. But they make an online existence cumbersome.
Two-Factor Authentication: Security Made Simple
Which is why I’ve actually come to love something that I once dreaded: two-factor authentication. When my daughter’s account was hacked I turned it on for myself, my wife and my kids. Since then Twitter and Facebook have also joined in. Basically, it forces someone intent on cracking your password to also have access to your phone. Not impossible, but much more difficult than simply stealing a password.
I somewhat regularly get texts from Google with an authentication code, suggesting that one of my kids has attempted to log into Gmail from an unrecognized device. I call or text them to clarify that it’s them, and then send them the code. As added security we use my phone number to receive the authentication codes. It’s slightly more burdensome but also lets me talk them through how to restore access and otherwise serve as their IT administrator.
This, to me, is the ideal way to solve consumer security. Rather than forcing people to use special software or develop superhuman memory, security becomes a matter of having a device that others will rarely be able to compromise. It lets average users remain average, lame passwords and all, and still be secure.
View full post on ReadWrite
A new section within Webmaster Tools offers a portal for “Security Issues” to alert webmasters when they have a security issue or evidence that a site has been hacked, as well as give more detailed information on the nature of the issue.
View full post on Search Engine Watch – Latest
Google has announced the addition of a new section within Webmaster Tools named “Security Issues.” This new section is aimed at better communicating to website owners security issues, such as site hacks, malware, and so on and then giving a more detailed and concise method of fixing the…
Please visit Search Engine Land for the full article.
Google Analytics search words gone: “security overhaul” gives webmasters less … – SmartCompany.com.au
“Without a doubt, Google's recent changes make performance reporting less accurate. SEO professionals and marketers no longer have the raw data that we once used to measure SEO results,” said searchenginewatch.com journalist Ray 'Catfish' Comstock.
View full post on SEO – Google News
Android security has come a long way since the days when malware filled the Google Play app store. But as Google preps the latest version of Android—version 4.4 KitKat—it still has gaps to fill. In the recent past, many of the security questions that have plagued Android were solved by third-party security vendors. The likes of Lookout, Kaspersky, McAfee and others have patrolled Android, plugging the holes that Google was too busy to see.
Where are those holes in Android security now? We turned to the antivirus maker Bitdefender for some reference.
Unlike Apple’s iOS, where apps are formally reviewed before they appear in the App Store, the Google Play app store has long been much more vulnerable to malefactors; there’s no formal review of apps prior to display. One consequence: waves of malware, spyware, viruses and trojans in Android apps (although exactly how much users have suffered remains unclear).
Google has done quite a bit to beef up Google Play security with programs such as “Bouncer,” which monitors apps in the store for malicious activity. Google also released the Android Device Manager to locate lost or stolen phones, a long overdue service previously offered only by third party vendors.
Android 4.3 Jelly Bean brought some more security features to the operating system, such as strengthening the Android sandbox designed to prevent malicious programs from infiltrating other parts of the OS. Yet those sandboxing capabilities are invisible to users and developers, and limit what security companies can do to protect Android users outside of Google’s own solutions.
Google has definitely come a long way on security for Android after the first mass wave of malware hit its app store in early 2011. But malicious hackers never sleep and are constantly evolving to find ways into users’ phones. With Android on nearly a billion devices in the world, that is a pretty big target for bad actors to chase. New types of Android malware such as thiefware (in 1.2% of apps in Google Play, according to Bitdefender) and fake antivirus apps are still targeting users … and their wallets.
Bitdefender has some ideas for improving security on Android. Here are five suggestions that the antivirus company would give Google as it prepares KitKat 4.4:
1. Allow Antivirus Scanner APIs
Currently Android doesn’t allow many apps to interact with each other, especially if those apps were made by different developers. This hampers third-party antivirus services because they cannot layer their own antivirus scanning capabilities onto Android apps and protect them from malicious permissions or downloads. Allowing an antivirus scanner API would enable the security companies to get malware at the source and protect users through the life cycle of an app.
Of course, this recommendation from a company like Bitdefender is a little self-serving. Of course it wants to allow third-party antivirus scanner APIs in Android, because that is essential to its business model. Yet outside of Bitdefender’s own business, third-party security APIs from enterprise-grade security vendors would be highly appreciated by IT folks around the world looking to secure and maintain the flood of employee devices on their networks.
2. Control Over Individual App Permissions
When you download an app, Android will show you what that app is allowed to do. Smart users tend to stay away from apps that request way too many permissions for the function that app is performing. For instance, why would a gaming app need access to your text messages or your calendar, or permission to modify your contacts list?
Bitdefender thinks users should have the ability to selectively grant particular permissions to an app before they download it. As long as those choices don’t completely disable an app, this freedom would let users safeguard their privacy and keep apps from accessing any more of user data than they need to function.
3. Allow Some Apps To Survive A Full Wipe
If your smartphone is lost or stolen, anyone who finds it can start rummaging around in your digital life—including any services where you have a credit card attached, like Google Play. They can also wipe the device and sell it. There’s a good chance that a thief would do both; alternatively, Android itself now allows you to remotely wipe your device to safeguard your data.
Either way, wiping the device also deletes any installed security apps, negating the ability to remotely lock out the thief or use a “Find My Device” feature. If Google were to allow some apps to survive a full wipe in KitKat 4.4, this would negate the advantages that a thief has after obtaining your phone.
The problem with this approach though is that malware could also learn how to survive a full wipe by mimicking the security software. Sometimes it is better to burn all the fields to keep your enemy from being able to sustain itself in your backyard.
4. Built-In Sandbox To Isolate Apps From Untrusted Sources
Do you really know what your app is doing when you aren’t looking? App permissions can allow for some things you never really expected. This is especially true for apps that you download from an untrusted source, like a 3rd-party app store or a side-loaded APK file. Also, many apps employ 3rd-party advertising networks that can bypass permissions entirely, giving them access to your contacts and other information.
Bitdefender thinks that applications from untrusted sources should have their own little private jail to live in (like being quarantined at the airport) to prove they are behaving nicely before letting them play with the rest of the device that stores your confidential information.
5. Separate Profiles For Business & Personal Uses
Do you bring your own device (BYOD) to work? Well, you probably have some company apps on the smartphone, like your accounting and CRM apps, as well as some personal apps (Facebook, games, e-books etc.). If Android could create different profiles on your phone for your business and your personal use, then it would protect employees from the information-harvesting apps of the enterprise. BlackBerry and several third-party services can do this, but it is not built in at the system level of Android.
Do you have any suggestions for improving security in Android? Let us know in the comments.
View full post on ReadWrite
In this week’s Search In Pictures, here are the latest images culled from the Web, showing what people eat at the search engine companies, how they play, who they meet, where they speak, what toys they have, and more. Google Skeleton: Source: Google+ Ping Pong At Google Oslo: Source: Google+…
Please visit Search Engine Land for the full article.
Fake reviews land SEO companies in hot water
Oh, yes, representatives from some leading New York SEO companies told the undercover agent from the office of New York Attorney General Eric T. Schneiderman, we sure can! Did the helpful SEO companies come up with suggestions for better yogurt …
View full post on SEO – Google News
Editor’s note: This post was originally published by our partners at PopSugar Tech.
After spying on our personal online data from social networks to Internet providers, the National Security Agency might not currently be seen as the most trustworthy group, but when it comes to securing the privacy of personal computers, you bet the NSA knows what they are talking about.
The Atlantic highlighted a tip from an NSA document urging their employees to put tape over their iSight camera or just remove it entirely. The suggestion came from a document titled “Hardening Tips For Mac OS X”, which definitely piqued our interest — if the agency tapping into our phones is taking these security precautions, maybe we should too!
If you intend on keeping the data on your computer confidential, heed this advice straight from the NSA for Mac OS X 10.5 Leopard users to “harden” your system against hackers.
- Safari—Select Safari > Preferences. Under the General tab, uncheck “Open safe files after downloading.” This means that you will have to manually open newly downloaded files.
- AirPort—If WiFi is not necessary, open System Preferences, click Network, and select “Turn Airport off.” Then head to “Advanced” and click on the TCP/IP tab. Set “Configure IPv6” to “Off.”
- Software Update—According to the NSA, “regularly applying system updates is extremely important.” From System Preferences, open Software Update, click “Check for updates” and make sure it is set to “daily.”
- System Accounts—In System Preferences, select Accounts. Click on “Login options” and disable Automatic Login. Set login to display name and password. Disable the guest account and sharing by selecting “Guest Account” and unchecking “Allow Guest to log into this computer.” However, if the Guest account is necessary, deselect “Allow guests to connect to select folders.”
- Security—In System Preferences, open the Security pane. In General, check the following: “Require password to wake this computer from sleep or screen saver”; “Disable automatic login”; “Use secure virtual memory”; “Disable remote control infrared receiver” for added peace of mind.
- FileVault—Consider activating FileVault for your laptop, which can protect data if the computer is stolen. But be careful to read the warnings first! To enable FileVault, head to System Preferences > Security > FileVault.
- Firewall—In System Preferences > Security > Firewall, select “Allow only essential services,” click on “Advanced” and enable “Firewall Logging” and “Stealth Mode.”
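As an added example (not from the NSA document or the original post), the following POSIX shell script audits several of the settings above through the macOS `defaults` command and prints a PASS/FAIL line per item. The preference domains and keys it reads, and the firewall globalstate value 2 for “Allow only essential services,” are assumptions about the preference files of Mac OS X releases of that era and should be confirmed on the release in use; the Safari check reads the current user’s preferences, the others read system-wide files under /Library/Preferences, which may need an administrator to read. Items without a plist key here (the AirPort IPv6 setting, FileVault) are not covered.

```sh
#!/bin/sh
# Added example, not from the NSA guide or the original post: audit a subset of
# the Leopard hardening tips via `defaults read`. Domain/key names below are
# assumptions about the preference files of that era; confirm on your release.

# normalize_bool VALUE -> prints 1 (on), 0 (off) or "unset" for anything else,
# so a username in autoLoginUser, an empty string or a missing key all map to "unset".
normalize_bool() {
    case "$1" in
        1|true|TRUE|yes|YES) echo 1 ;;
        0|false|FALSE|no|NO) echo 0 ;;
        *) echo unset ;;
    esac
}

# check LABEL ACTUAL EXPECTED -> prints one report line; returns 0 on pass, 1 on fail.
# Boolean expectations (0, 1, unset) are normalized; other values (e.g. firewall
# globalstate 2) are compared as raw strings.
check() {
    case "$3" in
        0|1|unset) actual=$(normalize_bool "$2") ;;
        *) actual=$2 ;;
    esac
    if [ "$actual" = "$3" ]; then
        echo "PASS  $1"
        return 0
    fi
    echo "FAIL  $1 (got ${actual:-empty}, want $3)"
    return 1
}

# score: reads "label|actual|expected" lines on stdin, prints the report and
# returns the number of failed checks as its exit status.
score() {
    failures=0
    while IFS='|' read -r label actual expected; do
        check "$label" "$actual" "$expected" || failures=$((failures + 1))
    done
    return $failures
}

# read_pref DOMAIN KEY -> prints the stored value, or "unset" if the key is
# absent or `defaults` is not available (e.g. when run on a non-Mac host).
read_pref() {
    if command -v defaults >/dev/null 2>&1; then
        defaults read "$1" "$2" 2>/dev/null || echo unset
    else
        echo unset
    fi
}

# One check per line: label|domain|key|expected. "unset" means the key must be
# absent: automatic login is on whenever autoLoginUser holds a user name.
CHECKS='Safari: open safe files after downloading is off|com.apple.Safari|AutoOpenSafeDownloads|0
Software Update: automatic check enabled|/Library/Preferences/com.apple.SoftwareUpdate|AutomaticCheckEnabled|1
Accounts: automatic login disabled|/Library/Preferences/com.apple.loginwindow|autoLoginUser|unset
Accounts: guest account disabled|/Library/Preferences/com.apple.loginwindow|GuestEnabled|0
Security: password required after sleep or screen saver|com.apple.screensaver|askForPassword|1
Security: secure virtual memory enabled|/Library/Preferences/com.apple.virtualMemory|UseEncryptedSwap|1
Firewall: allow only essential services (assumed globalstate 2)|/Library/Preferences/com.apple.alf|globalstate|2
Firewall: logging enabled|/Library/Preferences/com.apple.alf|loggingenabled|1
Firewall: stealth mode enabled|/Library/Preferences/com.apple.alf|stealthenabled|1'

# audit_live: reads every key in CHECKS from the running system and scores it.
audit_live() {
    printf '%s\n' "$CHECKS" | while IFS='|' read -r label domain key expected; do
        printf '%s|%s|%s\n' "$label" "$(read_pref "$domain" "$key")" "$expected"
    done | score
}

# Only run the live audit where `defaults` exists; elsewhere the functions are
# merely defined so the scoring logic can be reused or tested with sample data.
if command -v defaults >/dev/null 2>&1; then
    audit_live
    echo "failed checks: $?"
fi
```

The script reports only; it changes nothing, so it can be run before and after working through the list to confirm each change took effect. Because `defaults` emits `1`/`0` for booleans but older plists may hold `YES`/`NO` or `true`/`false`, values are normalized before comparison, and a key that is missing altogether is reported as unset rather than silently treated as off.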
Image courtesy of Corbis Images
More stories from PopSugar Tech:
The Tesla Model S Is the Safest-Rated Car Ever
Internet.org Makes Digital Connection a Human Right
Marissa Mayer Strikes a Sultry Pose in Vogue — and Riles Up Critics
Space Mission? That’s No Reason to Stop Pinning!
6 Fictional Characters the Internet Wants to Make a Better Batman
View full post on ReadWrite