Next week, I am doing a webinar with Patrick Harding from Ping Identity called Cloud Security: The Identity Factor. We will address security architecture issues for the Cloud, including how STS plays a role as your enterprise scales out into the Cloud.
One of the interesting stories of the Great Recession is that companies are less enamored of MBAs. Instead we are seeing the rise of the business-savvy engineer. The Master of Engineering Management (MEM) - the confluence of business and tech - is now a sought-after degree.
In an age of intense global competitive pressure, more companies are striving to maintain an edge over rivals by continuous innovation and effective management of their technology base. This requires a manager who grasps both operations and technology, says Brad Fox, executive director of professional masters programmes at Duke’s Pratt School of Engineering.
“Companies . . . want people with technical depth, but [also] the business breadth that enables them to be successful at their jobs in a corporate environment. We’re really trying to prepare business-savvy engineers,” he says.
Here is a related story, from Solazyme. Solazyme is a nanotech startup company that is focused on making fuel out of algae (I've got one word for you: pond scum). Killer features include the ability to scale rapidly, no engine modifications, low cost ($60-80 a barrel) and, of course, drastically cleaner emissions.
The US Navy has a goal to run 50% of its fleet on clean, renewable fuel sources.
The Navy is going green. Solazyme, the San Francisco-based renewable oil and green bioproducts company, recently delivered its 100 percent algae-based jet fuel to the U.S. Navy for testing and certification.
The fuel, showcased at last week’s Farnborough International Air Show in the U.K., is called Solajet HRJ-5, and it provides an 85 percent reduction in greenhouse gas emissions compared to traditional fossil fuels. It is designed to meet all of the requirements for Naval renewable aviation fuel. In early testing, it also met the fuel requirements of the Air Force and commercial aviation industry.
How did this arrangement with the Navy come about?
We went to the military to pitch this to them about two years ago, and they said to us, “It sounds great, but every biofuel company in America has come through here telling us the same story. So if you really want to do this, you have to make fuel and not just show us a PowerPoint.”
So at our own expense, we made a barrel of fuel and sent it to them. They said, “You’re the only company that has made us the fuel. Let’s do it.”
There are many business-centric tasks involved in infosec, but it cannot just be about risk management, compliance and governance PowerPoint decks; to make security improvements, we have to create new code.
The intersection of business and technology is where the most interesting things happen. Call it architecture, call it an MEM, call it a planner, but it's about having both the business context *and* the ability to deliver.
Anton Chuvakin (the Security Warrior himself) and I have a paper in the current IEEE Security & Privacy Journal - "How to Do Application Logging Right." The paper explores app logging from a developer's perspective. There are various standards that mandate logging, most famously PCI DSS. PCI mandates a regime around log storage and security and provides an event model and log format for certain data (like financial data). For developers, though, it does not provide guidance on audit logger placement or on what is useful to include and not include in event payloads.
In my experience, audit logs are one of the quick, dirty and cheap things that can improve enterprise security. Quick, dirty and cheap is a very rare trifecta in enterprise security, and that by itself makes audit logs worth paying attention to, but there are other good reasons for building visibility into your applications, one that's neatly described by G.K. Chesterton (emphasis added):
The real trouble with this world of ours is not that it is an unreasonable world, nor even that it is a reasonable one. The commonest kind of trouble is that it is nearly reasonable, but not quite. Life is not an illogicality; yet it is a trap for logicians. It looks just a little more mathematical and regular than it is; its exactitude is obvious, but its inexactitude is hidden; its wildness lies in wait.
Access control models implement authentication and authorization that rely on accurately identifying the subjects, objects, rules, conditions and actions that must be present to make an access control decision. This is sufficient to mitigate many threats, but it does not account for all of them, and specifically it does little to address intentional misuse. This is where the accountability layer provided by tools such as audit log observers is essential. Monitoring has been confined to networks, which lack the context that is available in the app and data layers; now we are entering a moment where this is becoming apparent, and we are starting to see some large organizations putting monitoring at the app and data layers to understand the use and misuse of those resources.
There are several things an app can do more effectively than any other part of the stack. First, you can add event-specific triggers to initiate some action; next, the app has access to additional context that it can pull in as necessary, such as session data. Take an example like a web app reporting on vanilla HTTP information: a logger at the web server level just reports the request and response strings, whereas an app logger could have a trigger for a sensitive event (say, transferring money out of an account). In this case the logger can dump all session variables to the audit log, including authentication and access events, record management, transaction data, and other useful information.
So not only does the app have context that is not available elsewhere, it can also be used to gather additional context from other sources.
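To make the money-transfer example concrete, here is an added illustration of an application-level audit logger with event-specific triggers; it is example code written for this post, not code from the paper or from any product. The event names (`funds.transfer` and friends), the field names, and the rule that session context is only attached for sensitive events are assumptions chosen for the example. It also redacts secrets and masks card numbers before they reach the log, which is one answer to the "what not to include in the payload" question the standards leave open.

```python
"""Application-level audit logger with event-specific triggers.

A web-server access log only sees "POST /transfer 200"; this logger, sitting
inside the app, sees the session and the transaction and can attach both
when a sensitive event fires.  Everything below is a constructed example.
"""
import json
import re
from datetime import datetime, timezone

# Events that trigger a full session dump (assumed names for this example).
SENSITIVE_EVENTS = {"funds.transfer", "account.close", "password.change"}

# Keys whose values must never land in an audit record verbatim.
REDACT_KEYS = {"password", "session_token", "card_number"}

# Runs of 13-19 digits are treated as card numbers and masked to the last 4.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def redact(obj):
    """Recursively drop secrets and mask card numbers before they hit the log."""
    if isinstance(obj, dict):
        return {k: ("[REDACTED]" if k.lower() in REDACT_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [redact(v) for v in obj]
    if isinstance(obj, str):
        return PAN_RE.sub(lambda m: "*" * (len(m.group()) - 4) + m.group()[-4:], obj)
    return obj


class AuditLogger:
    """Collects audit records; `sink` is any list-like you can append to."""

    def __init__(self, sink=None):
        self.records = [] if sink is None else sink

    def log(self, event, actor, outcome, session=None, **payload):
        """Record one event.  Sensitive events also capture session context."""
        record = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": event,
            "actor": actor,
            "outcome": outcome,
            "payload": redact(payload),
        }
        # The trigger: only sensitive events pull in the session variables,
        # so routine page views do not bloat the log with user context.
        if event in SENSITIVE_EVENTS and session is not None:
            record["session"] = redact(dict(session))
        self.records.append(record)
        return record


def to_json_line(record):
    """One JSON object per line, the shape most log collectors ingest."""
    return json.dumps(record, sort_keys=True)


def demo():
    """Constructed scenario: a page view followed by a transfer out of an account."""
    session = {"user_id": 42, "session_token": "s3cr3t-token",
               "mfa": True, "roles": ["customer"]}
    audit = AuditLogger()
    audit.log("page.view", actor="alice", outcome="success",
              session=session, path="/accounts")
    audit.log("funds.transfer", actor="alice", outcome="success",
              session=session, amount=2500, to_account="acct-9",
              memo="card 4111111111111111 on file")
    return audit.records


if __name__ == "__main__":
    for rec in demo():
        print(to_json_line(rec))
```

The page view produces a lean record, while the transfer carries the session (with the token redacted) and the masked card number, which is exactly the context a network-level monitor never sees.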