Sounds like a job for Control Vault. Wal-Mart is all about good PR so insecure medical records would not be in the cards.
Remember cost cutting and Dell royalty impact was limited to 2 months of 4Q08. 1Q09 Wavx gets the full quarter benefit.
Interesting indeed. Content is key. EOM
CES-UPDATE 1-Disney backs new Intel chip, hints on "Lost" finale
Thu Jan 8, 2009 10:40pm EST
http://www.reuters.com/article/marketsNews/idINN0844366620090109?rpc=44
By Anupreeta Das
LAS VEGAS, Jan 8 (Reuters) - Walt Disney Co (DIS.N) on Thursday threw its weight behind a new Intel (INTC.O) chip that lets TV viewers interact with their favorite programs, underscoring a continuing effort to merge computers and media.
Anne Sweeney, president of the Disney-ABC Television group, said viewers may be able to access complementary content during the series finale of the hit TV series "Lost" next year through the chip, designed to power Internet applications on TVs.
The new chip from Intel could offer content providers like Disney and electronics manufacturers new ways to collaborate on programming, Sweeney said at the Consumer Electronics Show [ID:nN05368327] in Las Vegas.
The chip, which Intel launched last year to specifically target the consumer electronics industry, is designed to be included in TV sets and contains software that lets networks, content creators and other developers add their own applications.
It has the "potential to make TV viewing more functional and more fun," Sweeney said.
ABC's popular "Good Morning America" and "Lost" were good candidates for this type of interactive, add-on programming, she added.
Sweeney said they could work on widgets -- small software applications -- that allow GMA viewers to cast votes or comment in real-time on stories being broadcast. ABC could even build widgets that take viewers through the step-by-step instructions for recipes shown on GMA's cooking segment.
And ABC may also develop an application specifically for the series finale of "Lost" next year that could heighten the audience's involvement, say, providing clues to the plot. The series follows the lives of plane crash survivors on a tropical island and will kick off a new season this month.
"We know fans of Lost have a huge appetite for insight and information into the show," Sweeney said. "Using the Intel Widget for the series finale could be a great way to give our fans an extraordinary viewing experience for the end of a truly iconic show."
But she added there are legal issues to be sorted out before Disney can introduce such widgets.
U.S. households are rapidly accessing content through channels other than traditional broadcasting. About 30 percent of U.S. homes have a digital video recorder and 39 percent have video-on-demand, Sweeney said, citing recent research.
About 38 percent of wireless subscribers have a video-capable cell phone, and U.S. viewers watch as many as 7.5 billion online video streams in any given month.
"It's not just about great content and cool technology," said Sweeney, dressed in a black pantsuit and pink blouse.
People like easy-to-use interfaces and simple navigation, she said, pointing to Apple Inc's (AAPL.O) iPhone and iPod as devices that "(get) this fundamental fact."
Weby, could not have said it better myself. Agreed.
Good stuff Barge. Coming full circle. EOM
Fujitsu, Western Digital talking on hard drives-source
Wed Oct 1, 2008 8:20pm EDT
TOKYO, Oct 2 (Reuters) - Japan's Fujitsu Ltd (6702.T) is in talks with Western Digital Corp (WDC.N) and others on the sale of its money-losing hard drive business, a company source said on Thursday.
Reports that it was in talks sent Fujitsu's share price up 3.3 percent to 620 yen, against the benchmark Nikkei's .N225 0.3 percent rise at 0008 GMT.
Fujitsu denied that it was now approaching an agreement or arranging a sale.
Fujitsu, which competes in hard drives with bigger rivals Seagate Technology (STX.O), Western Digital and Hitachi Ltd (6501.T), aims for a sale of the business by year-end, under pressure from price falls, said the source.
If talks with Western Digital succeed, the deal would expand Western Digital's presence in laptop hard drives in its bid to catch up to No.1 Seagate.
Fujitsu and Western Digital are negotiating a price of 70 billion yen to 100 billion yen ($661.5 million to $945 million), the Nikkei business daily reported Thursday morning.
"There is no truth at this time to the Nikkei report concerning our hard drive business," Fujitsu said in a statement.
Fujitsu, which also competes with International Business Machines Corp (IBM.N) and Electronic Data Systems Corp (EDSCL.PK) in IT services, is trying to focus more resources on its IT consulting business. (Reporting by Mayumi Negishi; Editing by Chris Gallagher)
I missed week one. Am I too late?
New Microsoft Xbox Reinvents Home Entertainment
http://biz.yahoo.com/prnews/080714/aqm527.html?.v=14
Nice surprise this morning. EOM
This must be the bagging of HP. Unless I am underestimating the WaveExpress valuation. The FDEs may have driven HP right to our door.
Pickle
Toro,
I just received my Information Week in the mail today. I love seeing Trusted Computing in publications like this. I know momentum is gaining.
Pickle
NAC Gains State Data Cache
http://www.informationweek.com/news/security/NAC/showArticle.jhtml?articleID=208402260
Thanks, Toro!! EOM
CEO of Infineon Technologies resigns
Monday May 26, 3:42 pm ET
By Matt Moore, AP Business Writer
Infineon Technologies says CEO Wolfgang Ziebart has resigned over strategic differences
BERLIN (AP) -- Infineon Technologies AG said Monday that its chief executive, Wolfgang Ziebart, will resign at the end of the month over what it said was a difference in strategy for the money-losing semiconductor maker.
In a brief statement issued after the German stock exchange closed for the day, the company said that Ziebart's resignation would be effective June 1.
The company named Peter Bauer, a member of the company's executive board who has been running its automotive chip business, to succeed Ziebart.
Infineon also said that its supervisory board, the U.S. equivalent to a board of directors, had declared "its vote of confidence for the chairman Max Dietrich Kley."
Ziebart was appointed CEO of the company on Sept. 1, 2004. Before coming to the company, he worked with Continental AG, rising to deputy chairman of its executive board. He also worked at BMW AG.
Infineon Technologies has been losing money in recent months amid a slowdown in spending in the market and because of wider losses at Qimonda AG, its memory chip unit.
Last month, the Neubiberg-based company reported that it lost nearly 1.4 billion euros ($2.21 billion) in the second quarter of its fiscal year, dragged down by a loss of 482 million euros ($759.7 million) at its memory chip unit Qimonda. It was the fifth consecutive quarterly loss.
Without Qimonda, in which Infineon holds a majority stake, Infineon said it would have posted a profit of 19 million euros ($29.9 million).
Despite the drag on net profit, the company's sales rose 7 percent to 1.05 billion euros ($1.6 billion) in the second quarter from 978 million euros a year earlier.
Over the weekend, German newspaper Die Welt reported that the Investment company Kohlberg Kravis Roberts & Co. was in advanced talks with Infineon that could see it become the German company's biggest stakeholder.
Infineon did not comment on the report which said that KKR could take a 40 percent to 50 percent stake in Infineon by issuing new shares and then combine it with Dutch chip maker NXP.
The paper, citing unidentified people familiar with the talks, said that Ziebart has opposed such a deal.
Shares of Infineon fell nearly 2.5 percent to close at 6.14 euros ($9.68) on Monday in Frankfurt.
http://www.infineon.com
I am naive enough to believe the last funding was small due to management's belief that Wave would be in a stronger position come May/June. This may be in the form of surprise upside 1st quarter revenue, alliance, HP, DOD, etc....
Pickle
Infineon up on talk of interest from Samsung, Intel
Tuesday May 6, 6:54 am ET
FRANKFURT (Reuters) - Shares in Infineon (XETRA:IFXGN.DE - News) rose more than 7 percent on Tuesday as traders cited market talk that Samsung Electronics (005930.KS) and Intel (NasdaqGS:INTC - News) could be interested in the German chipmaker.
"The rumor is that they (Samsung and Intel) would bid more than 10 euros," one trader said.
Other traders in London and Paris also heard the rumor.
Infineon declined to comment.
Infineon shares were up 5.2 percent at 6.65 euros by 6:48 a.m. EDT (1048 GMT), while Germany's DAX index (XETRA:^GDAXI - News) was down 0.6 percent.
(Reporting by Eva Kuehnen, Kirsti Knolle and Stefan Schaaf in Frankfurt, Amanda Cooper in London and Juliette Rouillon in Paris)
Yes. EOM
McAfee, Inc. and Microsoft Showcase Joint Network Access Control Solution for Defense Customers
Monday May 5, 9:00 am ET
Integrated Solution Provides Enhanced Endpoint Security for Defense Networks; on Display at DISA Customer Partnership Conference
ORLANDO, Fla., May 5 /PRNewswire-FirstCall/ -- DISA CONFERENCE -- McAfee, Inc. (NYSE: MFE - News), is demonstrating its new Network Access Control solution, integrated with Microsoft Windows NAP (Network Access Protection) technology, an endpoint policy enforcement platform for Windows Server 2008. The offering, which helps protect private networks from being accessed by unauthorized systems and devices, is being showcased by McAfee (Booth #532) and Microsoft (Booth #881) at the DISA Customer Partnership Conference in Orlando, FL.
"Our first priority is to secure government data, at all levels, on all operating systems," said Mike Carpenter, senior vice president of McAfee's Public Sector. "We're proud to provide this deep integration of our threat protection with the latest Microsoft platforms to deliver the best possible protection for our Defense customers."
The offering will provide extended endpoint health check tests for the native Microsoft platform, covering hundreds of software applications and Windows patch levels. This approach leverages current large DoD investments in McAfee and Microsoft solutions deployed under programs such as the Host Based Security System (HBSS).
"Security is a core pillar of Microsoft's focus on Trustworthy Computing and it is fundamental to the Microsoft platform and our value to customers," said Greg Bateman, Manager of Microsoft's Joint Defense Agencies Team. "Through this partnership with McAfee, we can significantly increase DoD's IT security in an era of increasing threats and network attacks."
In addition to expanded health checking for systems and devices attempting to access controlled DoD networks, the Microsoft and McAfee offering consolidates network-wide endpoint enforcement onto a centrally managed console using McAfee® ePolicy Orchestrator®. By adding more than 600 health checks, proactively authenticating and remediating out-of-policy devices and giving customers the ability to create customizable assessments against mandated security policies, McAfee adds significantly to the complete protection of mission-critical Defense systems, including classified networks. Several major agencies within the Department of Defense are currently piloting the new offering.
Wave Systems Showcases Hardware Security Verification System at RSA Conference 2008
Tuesday April 8, 7:45 am ET
Proof-of-Concept Solution Limits Access to Critical Data Based on Proof of Data Encryption on Seagate FDE Hard Drives
LEE, Mass. & SAN FRANCISCO--(BUSINESS WIRE)--Wave Systems Corp. (NASDAQ: WAVX - News) today announced a proof-of-concept solution for ensuring the integrity of data protection hardware. At RSA Conference 2008, Wave will show the Trust-and-Verify Web service, in which a server interrogates computers seeking access to sensitive data in order to verify the status of their Seagate full disk encryption hard drive. Only after this verification step occurs and the level of data protection is deemed adequate, can a PC download requested data. This next-generation solution measures and reports the integrity of a user’s PC, a critical requirement for protecting sensitive information.
“The computer security industry has made great strides in enabling data encryption and strong authentication,” said Steven Sprague, president and CEO of Wave Systems. “But that’s only half the battle. These security products are only useful if the enterprise can be sure they are installed, enabled and working properly before they allow their users to access confidential or proprietary information. They must also provide proof to others, such as auditors and regulators. With our new ‘Trust-and-Verify’ solution we are looking to bridge that gap.”
The Trust-and-Verify demonstration system pairs Wave’s EMBASSY® Remote Administration Server (ERAS) on the server side, with Wave’s EMBASSY Trust Suite and Seagate FDE hard drives on the client. When the client attempts to access pages from a local network, ERAS polls the client to confirm the presence of a prerequisite Seagate FDE drive, and the fact that the drive’s state-of-the-art encryption and strong access control are enabled.
By leveraging the ability to measure and verify PC integrity, enterprises can:
Better prove that a PC is in compliance with data encryption policies and regulations
Make resource access decisions by using hardware integrity measurements as part of any authentication process
Ensure that sensitive data is delivered only to machines able to protect that data
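The verify-before-serve gate the release describes, as an added example in Python that is not Wave's code: the server challenges the client with a nonce, the client answers with an authenticated report of its FDE drive state, and the server releases data only if the report is genuine, fresh and meets policy. The report fields, the HMAC key and the function names are assumptions; the real ERAS/EMBASSY exchange is not described on this page.

```python
"""Toy 'Trust-and-Verify' style gate: no sensitive data is served until the
client proves its full-disk-encryption (FDE) drive is present, encrypting,
and protected by access control.  Report format, key and helper names are
constructed for illustration, not Wave's ERAS / EMBASSY wire protocol."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Tuple

# Assumed pre-shared key; it stands in for whatever binds a report to the
# genuine hardware in the real product.  Constructed value, demo only.
SHARED_KEY = b"constructed-demo-key-not-for-production"

# Every one of these must be reported as True before data is released.
REQUIRED_TRUE = ("fde_present", "encryption_enabled", "access_control_enabled")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def issue_challenge() -> str:
    """Server side: a fresh nonce so a captured report cannot be replayed later."""
    return secrets.token_hex(16)


def client_report(drive_state: dict, nonce: str, key: bytes = SHARED_KEY) -> Tuple[str, str]:
    """Client side: serialise the drive state together with the server's nonce
    and authenticate the whole body with an HMAC-SHA256 tag."""
    body = json.dumps({"nonce": nonce, **drive_state}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body, tag


def server_decide(body: str, tag: str, expected_nonce: str, key: bytes = SHARED_KEY) -> Decision:
    """Server side: authenticate first, then check freshness, then apply policy.
    Any failure along the way denies access (fail closed)."""
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return Decision(False, "report failed authentication")
    try:
        report = json.loads(body)
    except ValueError:
        return Decision(False, "report is not valid JSON")
    if not isinstance(report, dict) or report.get("nonce") != expected_nonce:
        return Decision(False, "stale or mismatched nonce")
    missing = [k for k in REQUIRED_TRUE if report.get(k) is not True]
    if missing:
        return Decision(False, "policy not met: " + ", ".join(missing))
    return Decision(True, "FDE drive verified; data may be served")


if __name__ == "__main__":
    # Constructed sample client: a compliant drive, then the same drive with
    # encryption switched off.
    nonce = issue_challenge()
    compliant = {"drive_model": "constructed-fde-drive", "fde_present": True,
                 "encryption_enabled": True, "access_control_enabled": True}
    print(server_decide(*client_report(compliant, nonce), nonce))
    noncompliant = dict(compliant, encryption_enabled=False)
    print(server_decide(*client_report(noncompliant, nonce), nonce))
```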
“Wave is committed to pushing the envelope on security,” concluded Sprague. “Leaders such as Seagate have brought advanced hardware encryption to the enterprise and now Wave is broadening the possibilities for enterprises’ overall data protection solutions with its Trust-and-Verify technology.”
For more information about Wave Systems activities at RSA Conference 2008, or to schedule meetings with company experts at the show, please contact Dave Bowker or Tiffany Archambault at 781-684-0770 or e-mail wavesystems@schwartz-pr.com. For more information about Wave’s products and services, please visit www.wave.com.
OT: Microsoft and Cisco Enhance Branch Offices Through Integration of Windows Server 2008 and Cisco WAAS
Tuesday February 26, 8:00 am ET
Customers to Gain More Efficient IT Architectures and Higher Performance Through Integration of Windows Services and WAN Optimization on Common Platform
REDMOND, WA and SAN JOSE, CA--(MARKET WIRE)--Feb 26, 2008 -- Microsoft Corp. and Cisco® (NasdaqGS:CSCO - News) today announced that they intend to work together to offer Windows Server 2008 with Cisco WAN optimization in a solution for branch office environments. Cisco will embed a virtualization component within its Wide Area Application Services (WAAS) appliance family that will help customers to host Windows Server 2008 services within their existing network infrastructure for branch offices.
The two companies intend for Cisco to offer Windows Server 2008 preinstalled on its new virtualized Cisco WAAS appliances that are scheduled to be available later this year. To optimize the value of this solution for customers, the two companies plan to test and validate the resulting architectures for the remote information technology (IT) infrastructure in the branch office and to offer customers joint support. In addition, Cisco and Microsoft plan to work together to promote awareness of the integrated solution among channel resellers and customers by offering business frameworks and marketing programs.
"Extending our collaboration with Cisco to integrated solutions for branch offices presents an exciting opportunity for our customers and for Microsoft and Cisco," said Bob Muglia, senior vice president, Microsoft Server and Tools Business division. "The technologies announced today will help boost performance and availability by making critical Windows Server 2008 services available to remote offices through integration with Cisco's WAAS solution."
The integrated solution will provide an optimized architecture for Cisco and Microsoft customers, such as Monsanto, one of the world's leading agricultural companies, to help consolidate their remote IT infrastructure and accelerate application delivery from centralized data centers while simultaneously delivering Windows Server 2008 services in the branch, for maximum performance and availability. By integrating Cisco WAN optimization with Windows Server 2008, customers can help ensure branch end-user performance for accessing centralized data centers and applications, while efficiently deploying locally critical Windows Server 2008 services, all through a common remote IT platform.
"Cisco and Microsoft solutions serve our employees in our headquarters as well as in branch offices," said Dwight Wheeler, enterprise architect, Monsanto. "I am excited to see these two companies working together to simplify the management of branch office resources so we can quickly deploy Windows Services to remote offices and, more importantly, better service our remote users."
With the combination of Windows Server 2008 services and Cisco WAAS appliances, mutual customers can reduce the number of devices and the complexity of the infrastructure they have to deploy and manage in distributed branch offices. The Windows Server 2008 services that will be offered as part of Cisco WAAS platforms initially include Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), Active Directory, and Print Services.
Cisco WAAS is an application acceleration and WAN optimization solution that optimizes the performance of any TCP-based application operating in a WAN environment. The upcoming Windows Server 2008 services available with the WAAS family of products mark the ongoing evolution of Cisco's Application Delivery Networks solutions. These advanced technology solutions are designed to make the network a highly efficient platform for application delivery -- accelerating and enhancing security of business-critical applications while dramatically improving both end-user experience and IT productivity.
"Building on our announcement last summer, Microsoft and Cisco are collaborating on a joint architecture and offering new technology that enhances the performance and efficiency of applications both locally hosted as well as delivered over wide-area networks," said Jayshree Ullal, senior vice president of Cisco's Data Center, Switching and Services Group. "This joint effort extends Cisco's Application Delivery Network strategy to meet customers' needs for flexible IT resources."
Nortel Tailors Always-On Data Network for Macquarie University
http://www.foxbusiness.com/markets/industries/telecom/article/nortel-tailors-alwayson-data-network-macquarie-university_485860_13.html
http://www2.nortel.com/go/news_detail.jsp?cat_id=-8055&oid=100195562
As hype subsides, NAC moves ahead
By Neil Roiter, Senior Technology Editor, Information Security magazine
20 Feb 2008 | SearchSecurity.com
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1301578,00.html
SL, Tremendous! Thanks for being the Windex on the window into Wave's future.
Pickle
Best Buy Loses Laptop: Owner Sues... for $54 Million
Tue Feb 12, 2008 11:33PM EST
http://tech.yahoo.com/blogs/null/72016
Don't dismiss Raelyn Campbell as a crackpot. Not yet. Listen to her story, and then decide if she's doing the right thing by asking Best Buy to compensate her to the tune of $54 million for a laptop that went missing when she took it in to Best Buy for repair under the store's own extended warranty.
Like many people, Campbell bought an extended warranty for her laptop when she bought it from Best Buy, and she took advantage of that when the power button broke off after a year. Best Buy accepted the machine for repair and said it would be ready in two to six weeks. But six weeks passed and the computer wasn't ready. After three months of ruthlessly hounding the company, Best Buy finally admitted it couldn't find the machine.
Ultimately, Best Buy offered to pay her $900 for losing the machine... as a gift card. She countered that it had originally cost over $1,100, not to mention all her data that was now gone for good. She demanded $2,100, and Best Buy simply ignored her.
At this point, Campbell was made aware that all her personal data on the machine could lead to a major identity theft issue, though Best Buy never filed their legally required notice that she was at risk. That was the last straw, and she filed suit for $54 million, representing herself. Best Buy has since upped its offer to a total of $4,100 if she withdraws the case. She says she doesn't expect to win, but wants to go to court anyway to force Best Buy to explain how her laptop was lost.
I have to agree that $54 million seems wildly optimistic, but it's amazing to hear how smug Best Buy has been throughout this process. Lowball, "go-away" offers that don't even value property properly, much less the value of the data inside it, are frankly embarrassing, and good for Campbell for making an issue out of it... even if she doesn't ultimately prevail.
i2Telecom International Awarded "Best of Show" at INTERNET TELEPHONY(R) Conference & EXPO East 2008
Monday February 4, 9:01 am ET
MyGlobalTalk(TM) Singled Out for Innovation and Quality at Leading IP Communications Event in January
ATLANTA, GA--(MARKET WIRE)--Feb 4, 2008 -- i2Telecom International, Inc. (OTC BB:ITUI.OB - News), a developer of proprietary high-quality Voice-over-Internet Protocol ("VoIP") products and services, today announced that its MyGlobalTalk(TM) has been named winner of a "Best of Show" Award at Technology Marketing Corporation's (TMC®) INTERNET TELEPHONY Conference and EXPO East 2008. TMC reports that the conference, which was held at the Miami Beach Convention Center in Miami, Florida, was attended by over 7,100 people January 23-25, 2008.
MyGlobalTalk(TM), i2Telecom's internally developed proprietary technology, is a new and advanced mobile VoIP ("Mobile VoIP") application targeting the mobile handset market. Leveraging i2Telecom's patent-pending VoIP Service Access Module (VSAM) or VoiceStick® technology, MyGlobalTalk(TM) places Internet telephony in the hands of every cellular phone user at the service edge, independent of wireless carrier technology, handset manufacturer, or the type of wireless carrier voice/data plan involved. The objective is to enable mobile users to access low-cost Internet telephony communications in a completely "untethered" manner via their MyGlobalTalk(TM) enabled cellular phones. Once MyGlobalTalk(TM) is installed on cellular handsets, users are enabled to call any telephone in the world directly from their cellular phones, using Mobile VoIP technology, at a fraction of normal long-distance rates. In addition, MyGlobalTalk(TM) is fully functional without local access to the Internet or proximity to an Internet "hotspot." Users also need not wait for the availability of dual-mode WiFi phones, because MyGlobalTalk(TM) provides the benefits of a dual-mode phone at a fraction of the cost using the customer's existing mobile handset.
MyGlobalTalk(TM) is being released in phases, beginning in the first quarter of 2008 to customers in the United States and the United Kingdom with SmartPhone handsets that utilize the Windows Mobile® 5.0/6.0 operating system. Accompanying the release of the MyGlobalTalk(TM) Mobile VoIP application is a MyGlobalTalk(TM) branded web site. Subsequent releases extend the availability of MyGlobalTalk(TM) worldwide and will include support for Symbian, Blackberry and Java-enabled handsets, while adding new features specifically designed for mobile handset users. For additional information please visit www.myglobaltalk.com.
"We are very pleased to receive this recognition for MyGlobalTalk(TM) at the INTERNET TELEPHONY® Conference," commented Paul Arena, chairman and chief executive officer of i2Telecom International, Inc. "Early interest in MyGlobalTalk(TM) has exceeded our expectations, and we look forward to announcing a number of new distribution and strategic relationships that will generate revenues to the Company in the near future. MyGlobalTalk(TM) users now have the ability to make calls anywhere in the world over the i2Telecom network using their cellular phones."
Mr. Arena continued, "In 2008, we look forward to taking advantage of MyGlobalTalk(TM)'s Mobile VoIP portable technology, which is rapidly gaining traction, by leveraging the growth of our customer base. Furthermore, we intend to maximize the value of our VSAM or VoiceStick® patent, upon approval, and aggressively pursue additional intellectual property value propositions through technologies such as MyGlobalTalk(TM)."
"i2Telecom and its innovative product, MyGlobalTalk(TM), are a standout indication of why so many enterprise buyers, developers, resellers and service providers attend the INTERNET TELEPHONY® Conference & EXPO," said TMC President and Conference Chairman, Rich Tehrani. "i2Telecom's innovation and commitment to quality attracted many serious prospects to its presentations, as attendees knew they would find solutions with i2Telecom that empower their businesses with innovative technology solutions."
The Best of Show awards are presented to companies unveiling the most impressive new products or releases at the show. Each winner displayed and demonstrated its product on the INTERNET TELEPHONY Expo show floor.
A full list of the winners appears on the TMC Web site, www.tmcnet.com, and will be published in the March 2008 issue of INTERNET TELEPHONY® magazine.
The next INTERNET TELEPHONY Conference & EXPO is scheduled for September 16-18, 2008 at the Los Angeles Convention Center in Los Angeles, California. For information, visit www.itexpo.com or call (203) 852-6800 ext. 146.
About i2Telecom International, Inc.
i2Telecom International, Inc. is a developer of its own proprietary high-quality Voice-over Internet Protocol (VoIP) products and services that employs best-of-breed VoIP technology and uses a combination of the Company's own network and the Internet to deliver high-quality phone calls, stream video and text chat to customers on a global scale. i2Telecom International provides its VoiceStick®, MyGlobalTalk(TM), Digital Portal communications and microgateway adapters for VoIP long-distance and other enhanced communication services to its subscribers. Its proprietary technology platform is compliant with the Session Initiation Protocol ("SIP") telecommunications industry standard. i2Telecom International has received a Notice of Allowance from the U.S. Patent and Trademark office for the VoIP Service Access Module (VSAM) or VoiceStick® technology patent. For additional information visit www.i2telecom.com or www.voicestick.com or www.myglobaltalk.com or call 404-567-4750.
Microsoft touts security in Windows Server 2008
By Michael S. Mimoso, Editor
01 Feb 2008 | Information Security magazine
http://searchsecurity.techtarget.com/news/interview/0,289202,sid14_gci1295446,00.html
Windows Server 2008, expected to release Feb. 27, is the first server product built from scratch since the advent of Trustworthy Computing at Microsoft. Bill Laing, general manager of the Windows Server Division at Microsoft, says security in this product is "unprecedented." This interview accompanies an article in the February issue of Information Security magazine.
What has to happen for Microsoft to consider this release of Windows Server 2008 a success from a security point of view?
Bill Laing: In developing Windows Server 2008, three key aspects of security were imperative in achieving our goal to create our most secure operating system to date. We wanted customers to be confident they had a secure platform, a network that was safe to access, and that their data was protected and compliant.
Innovative features such as Network Access Protection (NAP), Federated Rights Management, and Read-Only Domain Controller (RODC) have aided us in achieving that goal. In addition, BitLocker and Active Directory Rights Management improve information protection to secure sensitive data from being captured and misused.
These new security features provide unprecedented levels of protection for a company's network, data, and business, making Windows Server 2008 the most secure Windows Server ever, with a hardened security platform that provides secure policy-based access to the network and ensures sensitive information is not compromised, allowing businesses to host the most mission critical applications and workloads.
As beta testers began reporting feedback on the security of Windows Server 2008, what were some of the positives and negatives they reported? How were they addressed?
Laing: One of the main concerns from customers was ensuring health and compliance of their networks. With that in mind, the server team developed a deployment wizard specifically to address this issue. We continue to get feedback from testers that this wizard has greatly improved the deployment experience. Additionally, we incorporated NAP into Windows Server 2008, giving organizations the power to isolate computers that don't comply with security policies that they have set. Giving customers the ability to enforce security requirements is a powerful means of protecting their network.
We also knew the importance of customer data and platform security. Therefore, we integrated Active Directory Rights Management Services (AD-RMS) into Windows Server 2008. This helps prevent unauthorized access and use of documents, data and emails. RMS enables document owners to identify authorized users and manage restrictions on usage of documents. Read-Only Domain Controller (RODC) improves the security of branch office servers and reduces the risk of stolen information in branch data centers. This helps reduce corruption and compromise of the system.
RODC running on Server Core proved to be especially popular with customers looking to deploy that configuration, either to authenticate users or apply policy to servers. Server Core installation--a new feature for customers using Windows Server 2008--offers a minimal environment for running specific server roles, reducing the maintenance and management requirements and the attack surface for those server roles. Server Core installation installs only the subset of the binaries that are required by the supported server roles. The list of Server Core roles includes Active Directory Domain Services; Active Directory Lightweight Directory Services; Dynamic Host Configuration Protocol (DHCP) Server; DNS Server; File Services; Print Server; Streaming Media Services; Web Server (IIS); and Hyper-V (Virtualization).
Other optional features supported by Server Core include Microsoft Failover Cluster; Network Load Balancing; Subsystem for UNIX-based applications; Windows Backup; Multipath I/O; Removable Storage Management; Windows BitLocker Drive Encryption; Simple Network Management Protocol; Windows Internet Naming Service; Telnet Client; and Quality of Service.
We've built Windows Server 2008 on a solid foundation of customer feedback, which reflects in the product's ease of management, security enhancements and overall reliability. The range of choices and virtualization enhancements will help customers tailor solutions built to fit virtually any business need. With more than one million downloads and evaluation copies, our work with customers and partners gives us the confidence that these security enhancements will offer organizations the type of security assurances they desire from their server platform.
BILL LAING
GM, Windows Server Division, Microsoft
Can you provide some insight into the internal security testing and threat models applied to Windows Server 2008?
Laing: Windows Server 2008 was developed end to end using the Security Development Lifecycle (SDL), and leveraged all of the improvements and testing that went into Windows Vista. We enlisted the help of a number of third-party security professionals to perform code reviews, design reviews and in-depth security testing on Windows Server 2008. Windows Server 2008 went through some of the most intensive protocol testing ever, focused on the security of all of the exposed network protocols.
The code reviews and in-depth security testing showed us we needed a platform that is secure. By hardening the platform, we ensure that the file system and registry are safeguarded from abnormal activities. Through service hardening, we reduce the risk of the platform being hacked, preventing critical Windows services from being used by abnormal activity in the file system, registry, or network. In addition, Windows Firewall with Advanced Security is built into Windows Server 2008 so no other ports are opened by default. This provides centralized firewall filtering and connection security rules and policies and reduces conflicts and coordination overhead between technologies.
We have also enhanced and improved the TCP/IP stack, improving security by providing filtering capabilities at all layers of the TCP/IP stack. The new stack provides improved future-proof security at the platform level while also ensuring backward compatibility. The new Server Core installation option also helps keep the platform secure. When installing Windows Server 2008, roles and optional features are not installed by default, reducing the attack surface that otherwise may be vulnerable.
From your interactions with customers, what sways them to prefer security built into the operating system as opposed to the trend of building security into the networking infrastructure? Can you cover the pros and cons of both from Microsoft's point of view?
Laing: Based on feedback from our customers, we believe that it shouldn't be an "either/or" situation. Ideally, security and privacy should be built into every layer in the IT infrastructure stack with a "defense-in-depth" strategy that makes it difficult for anyone with malicious intent to find an opening to attack.
In developing Windows Server 2008, it was clear that we needed a platform that addressed the changing landscape of how our customers do business. Enhanced auditing, Drive Encryption, event forwarding, and Rights Management Services are just some of the technologies that help organizations adhere to today's strict IT compliance standards. In addition, NAP addresses the industry-wide problem of unhealthy computers accessing and compromising an organization's network.
With NAP, any computer connecting to the network has to meet corporate policy for "health" requirements, while continually performing ongoing compliance-checking. Windows Server 2008's auto-remediation capability means the updates can be conducted automatically, reducing strain on corporate IT help desks.
Managing servers, services, and security at remote locations is an ongoing challenge for IT professionals. Windows Server 2008 simplifies administration of the servers in branch offices with enhancements to Active Directory, including Read-Only Domain Controllers and administrative role separation. Technologies like BitLocker and the Server Core installation option are specific features that increase security and privacy and address the unique needs of branch offices.
The perception remains, however, that Microsoft lags in security. What do you believe Windows Server 2008 will do to reverse this perception?
Laing: It will take time. We understand that the changing nature of customers' networks means that it is no longer a completely managed resource where security can be implemented as it has been done in the past. We have taken a more holistic approach that starts with a fundamentally secure platform. The expectation of having data available anywhere, anytime means that only depending on a network based security solution is no longer a viable option. By ensuring that every layer of the IT infrastructure is secure and private, we believe Windows Server 2008 is the most secure operating system we have ever built.
Customer input has played a large role in understanding the security needs of our customers and working diligently in addressing those needs in all of our products. We have made a number of enhancements over the last year to provide quality information to customers, particularly when issues require real-time clarity and guidance, such as security advisories, the MSRC blog, publishing incident pages, Web casts, RSS feeds and more. We will continue to look for ways to improve processes and offerings to ensure communications with customers provide authoritative and clear information as quickly as possible.
We also believe the Security Development Lifecycle is an industry-leading methodology for developing secure, reliable and privacy-enabling software. We currently have information and tools derived from internal experiences with the SDL available to customers and partners, and plan to do this more extensively in the future. We are continually looking to enhance the SDL, and to share concepts and tools with ISVs, partners, and customers with the objective of improving the security of the entire computing ecosystem.
The multitude of security features built into the operating system will help our customers protect their data like never before. Ensuring our customers are able to safely run their mission-critical applications is a top priority, and the feedback we have received from customers and partners has been encouraging. In addition to the more than 1 million downloads and evaluation copies, we have over 300 partner-enrolled applications in the Microsoft Early Access Program supporting software certification and "Works with" validation. Also, partners and customers have downloaded well over 5,000 copies of the software certification program test tools since July. These programs are intended to allow partners to deliver solutions that customers can immediately deploy with confidence on Windows Server 2008.
And soon Microsoft will be pushing (yes, probably indirectly) EEE for Server 2008.
Pickle
OT: The security badge for the future
It could be years before agencies realize the full capabilities of the new personal identity verification cards that Homeland Security Presidential Directive 12 requires
By John Pulley
Published on January 21, 2008
HSPD-12: The ABCs
Many management questions about the government’s ambitious smart-card program are still unanswered. Who better to ask than Michael Butler, program manager at the General Services Administration’s HSPD-12 Managed Services Office.
FCW: How are agencies handling personnel challenges of Homeland Security Presidential Directive 12?
Butler: The Agriculture Department recently instituted a Web service that automatically loads updated personnel records to GSA’s Managed Service Credentialing System. GSA has introduced a system that receives information from GSA databases, highlights areas that require human attention, verifies the records and collates them for uploading to the MSO every evening.
FCW: How should agencies handle these records challenges?
Butler: They have to clean and verify data — e-mail directories, physical-security databases, some human resources data — and reset it back into the system. When cards are issued, systems like the MSO promote data integrity by generating a database of personal identity verification cardholders and cross-checking identity-based information.
FCW: Many agency employees and contractors who have been in the government less than 15 years did not get HSPD-12 cards by the Oct. 27, 2007, deadline. Is their access being restricted?
Butler: All agencies are different. Right now, I just want clean data and the person to be near an enrollment station.
FCW: How has the directive added to the work of chief human capital officers?
Butler: Many have brought in help to work the records submission.
FCW: How has the directive added to the work of chief information officers?
Butler: For those who have responsibility for the program, obviously a lot. Our MSO office has taken orders for more than 50,000 [computer-access card] readers in the past three months.
FCW: How have information technology employees been affected by the HSPD-12 directive?
Butler: There is heightened awareness of token-based security and interest in [public-key infrastructure technology].
FCW: Are agencies creating a huge backlog of requests to the Office of Personnel Management for fingerprint and background checks?
Butler: I see programs like the GSA MSO enabling many agencies to reduce the paper fingerprint submissions through better efficiency and accuracy.
FCW: How are agencies tracking down all their contractors?
Butler: Rules differ by agency. The ones that I have dealt with have better control over contractors than most people would think. Their need for computer access keeps the bar high.
FCW: Are they compiling databases of all their contractors?
Butler: Though discussed, it requires more study before launching into an expensive new program.
FCW: Have most agencies created an HSPD-12 program management office?
Butler: There is an HSPD-12 presence in every agency that works with the MSO, from a single person coordinating across an agency to large PMO staffs. Others have placed HSPD-12 as a duty of the CIO’s office or the human resources officer or the physical-security officer.
FCW: What new job functions have agencies created to comply with HSPD-12 requirements?
Butler: HSPD-12 formalizes efforts of privacy officers, sponsors and the staff who run enrollment stations. The directive creates a constantly audited system as well as legal implications for falsifying data.
FCW: Must these people be certified? Who certifies them?
Butler: Federal Information Processing Standard 201 [the mandatory federal standard for personal identity verification] requires certification. Agencies set their own rules. In the case of the GSA MSO, each role holder must take an exam [online] and pass a test.
FCW: How are senior agency officials handling their new role in signing off on the risk associated with implementing the directive?
Butler: If you look at the agency officials doing the risk assessment, many of them are in a position that makes them experts in this area.
— John Pulley
HSPD-12: The critics
Federal officials charged with implementing Homeland Security Presidential Directive 12 aren’t rocket scientists, but some of the directive’s most ferocious critics are.
Twenty-eight employees of the California Institute of Technology who work as scientists and engineers at NASA’s Jet Propulsion Laboratory are engaged in a running legal battle since filing a lawsuit in August against the research university and the agency. The lawsuit claims that mandatory background investigations required as part of NASA’s plan for complying with HSPD-12 are intrusive and violate plaintiffs’ privacy. The lawsuit includes complaints about inquiries into sexual orientation and provisions that would allow investigations of former employees for as long as two years after they have left the lab.
The government’s justification for gathering such information relies on “a series of McCarthy-era statutes and cases,” said Dan Stormer, a lawyer who represents the Caltech employees.
In the latest round of legal wrangling, the Ninth Circuit Court of Appeals granted a victory Jan. 11 to the employees, none of whom work on sensitive projects requiring security clearances. Overruling a lower court that had dismissed the workers’ claims, the appellate judge justified the reversal on the grounds of “serious legal and constitutional questions and because the balance of hardships tips sharply…toward appellants, who face a stark choice — either violation of their constitutional rights or loss of their jobs.”
Susan Foster, a senior technical writer employed by the lab for 39 years, said she became concerned about the implementation of HSPD-12 after learning that the agency had disregarded problems with equipment used to record, store and match employees’ fingerprints.
“They were willing to turn in substandard prints,” Foster said, noting that such an oversight is anathema in a culture obsessed with exactitude. “You don’t get to Mars with things being done imprecisely and inaccurately.”
— John Pulley
A funny thing happened on the road to issuing state-of-the-art personal identity cards to federal employees and contractors: old-fashioned cooperation.
Efforts to comply with Homeland Security Presidential Directive 12, an ambitious agenda for stiffening security and tightening access to the government’s physical assets and computer networks, have had the unintended consequence of forging coalitions within and among historically independent agencies. Although it will be years — at least — before agencies meet all the goals of HSPD-12, the struggle to achieve them is already having an impact.
“The HSPD-12 process forces everyone to talk, which is not the culture in many agencies,” said Michael Butler, program manager at the General Services Administration’s HSPD-12 Managed Services Office. “This is a great unintended consequence.”
Implementation of HSPD-12 requires the cooperation of the human resources, information technology and physical security departments — areas within organizations that often have had only a passing acquaintance with one another.
“From the very beginning at Labor, we treated this as an HR, security and IT project,” said Patrick Pizzella, chief information officer and chief human capital officer at the Labor Department. Labor has issued HSPD-12 credentials to 60 percent of its employees, which is a high-water mark for compliance among the largest departments and agencies.
Comparing notes for the first time can be an eye-opener, said Daniel Chenok, a vice president at technology consulting firm SRA International. A federal client of SRA discovered, for example, that data collection associated with hiring new employees was, by turns, wastefully redundant and woefully inadequate.
Having identified the problem, “they were able to re-engineer the onboarding process” of employees for greater consistency and efficiency, said Chenok, who cited privacy in declining to name the client. CIOs and “HR and physical-security directors have not had to have the same type of interactive work arrangements as they have under HSPD-12. People get in the same room and discover things to streamline that they didn’t know about.”
And some that they do. As a member of the National Guard, Ivan Hurtt sat at a desk with three identical classified computers with the same level of clearance that couldn’t share data because they belonged to separate programs. At times, he toted a collection of security badges that looked like “a janitor’s key ring.”
“HSPD-12 is largely about sharing the right amount of data with the right people at the right time,” said Hurtt, product marketing manager at Novell Identity and Security Management. “This is about breaking down silos.”
Interoperability is key
Imagine building an interoperable security system that can control access to every building and validate the identity of every worker and first responder in Manhattan. Now contemplate implementing that system nationally, and you’ll have some idea of the scope and complexity of the challenges involved in meeting the goals of HSPD-12, said Patrick Hearn, who leads the identity market division at Oberthur Card Systems Security.
“Compliance on this is a long and complex process,” Hearn said.
Agencies are taking varied approaches to the challenge. The Defense Department, having issued millions of smart cards in advance of HSPD-12, is well ahead of the pack in meeting the new requirements. Other governmental organizations have barely begun to tackle the issue.
The Veterans Affairs Department is among a small number of departments and agencies that are developing in-house solutions. With 12 identity systems nationwide, VA is working to create a single, unified system that is interoperable with DOD’s Common Access Card program, a personal identity verification program that predates HSPD-12. By contrast, about 70 agencies have opted to participate in the General Services Administration’s Managed Shared Services program, an option that comes with its own challenges.
“GSA has a particular structure in place, and some agencies can’t electronically transmit information the way GSA wants to see it without making major changes to it,” said Randy Vanderhoof, executive director at the SmartCard Alliance, a nonprofit industry association that promotes smart-card technology.
Technical challenges abound. EDS, the primary integrator for GSA’s managed-services solution, has more than a dozen teams and subcontractors working on the HSPD-12 program. The HSPD-12 card uses 200-bit credential numbers, which are so large that they overwhelm the capacity of some existing hardware. Many building security systems still in use were developed 15 years ago. During a transition period, some agencies plan to introduce hybrid solutions that meet the requirements of advanced smart-card technology while retaining compatibility with existing physical security systems.
Technological advances are changing the way agencies view security systems, which in the past were seen as part of the physical plant. Systems in development to comply with HSPD-12 are more likely to be viewed as part of an organization’s IT systems portfolio, a disruptive shift in the status quo.
“Security directors and physical-plant people are not used to technology marching as rapidly as dictated by Moore’s Law,” said Roger Roehr, manager of the government market at Tyco. Moore’s Law holds that the transistor capacity of integrated circuits doubles every two years, a phenomenon posited by Intel co-founder Gordon Moore.
“You don’t see Moore’s law in air conditioning units,” Roehr said.
The upshot for federal agencies is the necessity for people working on HSPD-12 from different functional areas “to cooperate and understand each other and learn each other’s language. That has been a growth curve,” Roehr said. “The people and processes are always harder than the technology.”
Given the challenges of implementing HSPD-12, delays in implementation are hardly unexpected. Earlier this month, the Office of Management and Budget reported that less than 1 percent of federal employees and contractors have received the required secure identification cards despite a deadline of Oct. 27, 2007, for completing background checks and issuing credentials to federal employees and contractors with less than 15 years of government service.
“That, in some respects, results from a failure to make sure that agencies had the resources to meet the very ambitious timelines that were laid out,” said Lynn McNulty, a consultant who founded McNulty and Associates after retiring from the National Institute of Standards and Technology. NIST developed Federal Personal Identity Verification Standard 201, which specifies personal identity verification requirements for federal employees and contractors.
The next major deadline is Oct. 27 of this year, by which date federal agencies must issue credentials to all employees and contractors who require them in accordance with HSPD-12. Reports issued in the past six months by the offices of inspectors general for GSA and the Homeland Security Department made clear that the only suspense involving the deadline is the degree to which the government will collectively miss it.
DHS, for example, isn’t expected to meet the credentialing deadline until 2010.
The department is experiencing delays in implementing a technical solution and issuing compliant cards to its employees and contractors, the DHS IG’s report states.
Moreover, a number of technology vendors predict that HSPD-12’s thorniest challenges lie ahead. Despite various delays and setbacks, issuing cards is relatively easy. The hard part is using them to reliably manage building and computer access within and across agencies.
Expensive flash passes
In theory, a cardholder would use his or her HSPD-12 credential to access secure computer networks, cutting by an order of magnitude the vulnerability of networks protected only by user names and passwords. In addition, a smart card would provide access only to those areas of a network for which the cardholder has privileges. In the realm of physical security, a governmentwide interoperable system of identity verification would provide easy access for first responders and authorized personnel who need to move among the facilities of multiple agencies.
“The ultimate dream is [that] when an employee is no longer part of an organization, the HR department can press a button and have his paycheck, building access and network access stop simultaneously,” said Bryan Ichikawa, a solutions architect at Unisys Federal Systems.
Until such capabilities are available, Ichikawa said, smart cards issued by the federal government will amount to “the world’s most expensive flash passes.”
Labor’s Pizzella said Phase 2 of HSPD-12 compliance will be difficult, “but the first thing you have to do is issue the cards. If you can’t issue cards, the rest of it doesn’t matter. You walk before you run.”
OT: G&D to Supply SIM cards for Turkcell and Garanti Bank NFC pilot project
Thursday, January 17 2008
Mobile provider Turkcell and Garanti Bank in Turkey this month launched a Near Field Communication trial for mobile payments involving a contactless MasterCard PayPass credit card application stored on the SIM card of a mobile phone. E-Kart, collaborating with Giesecke & Devrient is supplying the NFC-enabled SIM cards. In addition, Venyon, a joint venture between G&D and Nokia, will handle the secure uploading and administration of the payment function over the air.
Munich, Istanbul–Turkcell, the leading mobile communication provider in Turkey, and Garanti Bank, one of the largest financial institutions in the country, have selected E-Kart as their technology partner for a trial beginning in autumn 2007 for mobile payments using Near Field Communication (NFC) technology. E-Kart, a leading provider of smart card solutions in Turkey, is working in collaboration with Giesecke & Devrient (G&D), the second largest smart card manufacturer in the world, to supply NFC-enabled SIM cards. In addition, the solution for the secure uploading and administration of the payment application and the user data is provided by Venyon, a joint venture between G&D and Nokia. Venyon specializes in the secure management of NFC applications over the mobile network, i.e. over the air (OTA).
“The trial is very important for us to check the functionality of the NFC technology and its acceptance by our customers. Given this relatively new technology, it was very important for us to find reliable and technologically competent partners for the pilot project. In E-Kart, G&D and Venyon we have on board three companies with extensive know-how, who can also smoothly implement the technology on a wider scale following a successful trial run”, said Cenk Serdar, Chief VAS Officer of Turkcell.
The pilot project is part of the “Pay-Buy-Mobile” initiative of the GSM Association, which wants to support the SIM card-based worldwide introduction and application of NFC technology. Mobile devices should be interoperable and securely linked to already existing payment and contactless systems.
In the trial, some 100 Turkcell and Garanti employees and customers will be provided with an NFC-enabled mobile phone that they can use to make payments quickly and simply by holding the phone to an NFC reader. NFC is a wireless radio frequency technology through which mobile phones and other mobile devices function as contactless credit cards or tickets, i.e. data is sent to a reader on a contactless and secure basis. However, data on a contactless chip can also be read by an NFC mobile device.
Applications with higher security requirements, such as a credit card function, can ideally be put on the SIM card as a secure storage element. In the Turkcell and Garanti Bank pilot project the contactless MasterCard PayPass credit card application is stored and enabled on the SIM card from G&D. The SIM card is linked to the NFC chip in the mobile device via the single wire protocol.
The PayPass application and the customer data required for the payment function are loaded flexibly on the SIM card via the mobile network, i.e. using the secure OTA service of Venyon, without the user of the service having to visit a Turkcell or Garanti branch. Also potential updates and life-cycle management can be performed at any time using the same user-friendly and secure method.
“We are convinced that NFC technology will provide an important impetus to contactless payments. Compared to a contactless credit card, a mobile phone has the advantage of a display function for checking the payment transaction. G&D has been supplying us with credit cards for a long time and is recognized as a leading technology provider in the NFC market. We are focusing on this expertise,” confirms Reha Emekli, Executive Vice President of Garanti Payment Systems. Garanti Bank, one of the most innovative financial institutions in the use of chip technology, has over six million credit card customers in Turkey and back in summer 2006 implemented the MasterCard PayPass system based on contactless cards. Some 3,000 retailers already use contactless readers, which can also be used for NFC variants.
“This trial, which is one of the first in the world that uses a SIM card as a secure storage element, will enable us, E-Kart and Venyon, to demonstrate our role as leading NFC technology providers. The users of this service can rely at the same time on the highest security,” comments Dr. Klaus Vedder, Head of the Telecommunications division at G&D.
About Giesecke & Devrient
Giesecke & Devrient (G&D) is a technology leader in the field of smart cards, providing smart card based solutions for telecommunications, electronic payment, health care, ID, transportation, and IT security (PKI). G&D is also a leading producer of banknotes and security documents and is dominant in the field of currency automation. Based in Munich, Germany, the G&D group has subsidiaries and joint ventures around the world. In fiscal 2006, the Group employed close to 8,300 people and generated revenue of almost €1.3 billion. For more information, visit www.gi-de.com.
Winter of Disc Content
(18/01/2008)
November and December 2007 have certainly had a wintry outlook for UK Government departments, and have given much cause for discontent. First, HM Revenue & Customs mislaid CDs with 25 million personal records on them. This was swiftly followed by a number of admissions of other data leaks from Govt. offices, all involving the loss of discs with sensitive content that wasn’t encrypted or protected.
It’s easy for us to tut, shake our heads at the folly of it all, and say “that couldn’t happen to us”. But a November 07 survey of UK IT managers and directors in the public and private sectors showed that a majority of companies are at risk of similar leaks – simply because they don’t have adequate security measures in place.
Risky business
Less than 50% of the survey’s respondents have deployed any form of data encryption, and fewer than 40% have any endpoint security set up on their PCs, laptops and mobile devices.
Despite this, a startling 65% of the IT managers surveyed said they were unlikely to change their IT spending priorities. Yet when asked about their IT security policy, 73% admitted their organisation’s IT policy included data protection guidelines covering the use of USB drives for transporting data.
So a majority of companies surveyed are in exactly the same position as HMRC – they have policies covering data leaks, but don’t have technology to enforce those policies. This puts those companies equally at risk of losing sensitive data, despite their confidence in their own security.
So how should businesses address the issue of data leaks, and what solutions should they consider? Broadly, this means looking at three key issues.
The first is hard disk encryption of laptops, and smart devices such as PDAs, mobile phones and USB devices. Second is auditing and controlling data transfer and access to removable media, for example CDs, USB keys etc. The final issue is the security policy running on the user’s endpoint device – whether PC or laptop. Let’s look at each of these issues in turn.
Encryption matters
Encryption for laptops boils down to two choices: full-disk encryption (FDE) or file-based encryption. The latter is tempting, because Windows XP comes with file-based encryption built in. While this means that anything stored in specific folders or directories is encrypted automatically, there is a big security flaw. It relies on you and other users putting files in the encrypted folders themselves.
That’s fine in theory, but do you really want to rely on others to decide what’s sensitive information, and to place it in the right folder? The advantage of full disk encryption is that it automates the process and secures the entire disk, so mobile users don’t have to worry about it – and can’t interfere.
Security in hand
So far, so good – but what about PDAs and smart phones? The key here is a rigorous audit of all the devices being used within the company, and then deploying a single encryption solution to cover as many of the devices as possible. Unauthorised handheld devices should not be allowed to connect to the main network, or to store sensitive data. The solution chosen should again encrypt data automatically with no user intervention.
Stopping disc content
It’s also important to remember that hard disks are only one storage medium on a typical laptop. This brings us to the second area for endpoint security: management and control of data leakage. This means controlling the flow of data onto peripheral devices such as CD, DVD or USB drives and portable storage media, including mp3 players and digital cameras.
The starting point for protection against leaks via these USB devices is to include them in the corporate acceptable usage policy (AUP) and to educate all users on the importance of following policy – and the risks of breaching that policy.
Policies also need to be backed up and enforced by port control solutions, which can automatically block a USB device that does not comply with the security policy, or prevent the transfer of certain files or file types.
At the end(point)
This leads us to the third area of endpoint security: protecting the data on the machine from software threats, such as malicious code.
Effective endpoint security starts with every machine running a firewall and antivirus protection with up-to-date signatures before it is granted a connection to the central network. The endpoint security client should also ensure that the laptop is running the appropriate software patches and includes Virtual Private Networking (VPN) for secure transfer of corporate information back to the network – all managed centrally.
In conclusion, it’s easy to be complacent on the issue of data leaks. Yet it’s also easy to put measures in place that drastically reduce the chance of data leaks happening. Wouldn’t you rather be safe in the knowledge that you’re secured against leaks, than run the risk of losing disc content this winter?
Opinion piece submitted by Nick Lowe, managing director, Northern Europe, Check Point
OT?: RSA Enhances its PCI Solutions Through Collaboration with Cisco
Set of audited reference architectures to help retailers worldwide meet broad compliance challenges while bolstering security efforts
January 14, 2008: 09:00 AM EST
NEW YORK, Jan. 14 /PRNewswire/ -- RSA, The Security Division of EMC, today announced the interoperability of five RSA(R) PCI Solutions in the Cisco Payment Card Industry (PCI) reference architectures. The Cisco PCI Solution for Retail Validated Network Designs help retailers of all sizes effectively address the data security requirements mandated by the PCI Data Security Standard (PCI DSS).
The Cisco Validated Network Designs, which have been validated by external PCI Qualified Security Auditor (QSA) Verizon Business, offer a set of cost-effective, audited solutions that help customers meet many of the most challenging PCI DSS requirements, including authentication, encryption and compliance reporting. RSA is leveraging the Cisco PCI Validated Network Designs to help enable retailers to easily integrate new or existing technology solutions into their in-store, Internet edge and data center environments in a PCI DSS compliant manner.
"The complexity of PCI compliance cannot be untangled by a single product or set of products; the requirements call for a holistic strategy that spans people, process, and technology," said Jim Melvin, vice president of Marketing and Security Solutions at RSA. "Smart retailers, who take advantage of PCI DSS as an opportunity to establish a foundation of broad data security best practices, will be better prepared to not only achieve and maintain PCI DSS compliance, but to ready their organizations for new data security and compliance requirements that may emerge in the future."
Delivering one of the industry's most comprehensive PCI DSS solutions
Cisco PCI Solution for Retail in-store network designs, deployed in Cisco's technology labs provide clear, in-depth guidance on how retailers may deploy associated RSA and Cisco products in a PCI validated manner. Retailers can consult Design & Implementation Guides for technical instruction on the deployment of particular products to address specific PCI requirements. Furthermore, retailers may review a Report on Compliance from Verizon Business, which provides feedback from a certified PCI QSA regarding the ability of RSA and Cisco products to be deployed in a manner that meets specific PCI DSS requirements.
"The strategic alliance between RSA and Cisco centers on the development of technology to bring data protection into the network to help customers simplify the protection of sensitive information," said Melvin. "Today with our combined expertise, we are able to offer retailers one of the industry's most comprehensive sets of audited technologies and services designed to protect credit card data whether it resides in-store, at the Internet Edge or at the data center."
The RSA technology solutions included in the Validated Network Designs include:
-- Encryption and key management: RSA(R) Key Manager and RSA(R) File Security Manager are designed to enable retailers worldwide to address PCI Requirement 3 by helping to secure data from its creation at the point-of-sale application, through all endpoints - regardless of whether data resides in the network, an application, database, files and folders, or disk/tape storage. In addition, RSA's enterprise-wide key management solution is engineered to help ensure that data will be both available and properly protected no matter when or where it is needed.
-- Authentication and authorization: RSA SecurID(R) two-factor authentication technology and RSA(R) Access Manager are designed both to help retailers address PCI Requirements 7 and 8 by creating tools to positively establish the identities of users, and to ensure that only authorized users may access cardholder data. RSA's strong authentication and authorization solutions are designed to deliver out-of-the-box integration with hundreds of products that can be part of a PCI infrastructure, such as VPNs, firewalls, and application servers, enabling retailers to ensure that users accessing cardholder systems are trusted.
-- Compliance and security information management: RSA enVision(R) technology is engineered to allow retail businesses to effectively meet PCI DSS Requirement 10 by establishing a centralized point for tracking and monitoring access to cardholder data throughout a PCI environment. RSA's solution is also built to retain an audit trail history as required by PCI mandates. These solutions also allow for out-of-the-box PCI compliance reports, significantly easing the process of demonstrating compliance to auditors.
RSA Professional Services and Technology Solutions offer strategic, consultative approach to broader compliance
Beyond the RSA technology solutions included in the Cisco PCI Solution for Retail reference architectures, merchants embarking upon PCI compliance initiatives can look to RSA(R) Professional Services for up-front consulting services that will help them begin with a clear understanding of their current PCI posture so that they can then develop a compliance strategy that best matches their needs.
In order to secure cardholder data in accordance with the PCI DSS, companies must know where that data is stored throughout their enterprise. RSA Professional Services helps customers understand where cardholder data exists across the organization so that it can be secured and managed throughout its lifecycle. To achieve this, RSA Professional Services uses a range of application, network and data discovery and classification technologies to analyze the location and transaction flow of cardholder data, making securing the data easier.
After discovering cardholder data, retailers must understand any existing PCI compliance gaps in order to identify remediation needs. Through a PCI Readiness Assessment service, RSA Professional Services helps retailers understand their current PCI posture and develop a prioritized remediation roadmap prior to undergoing a formal PCI audit.
In addition to these consulting services, RSA PCI Solutions - including RSA(R) Data Loss Prevention Suite, RSA(R) Database Security Manager, RSA(R) Digital Certificate Solutions, EMC Smarts(R), EMC Voyence(R) and EMC Physical Security Solutions - help retailers address PCI requirements related to data leakage, database encryption, strong authentication, application discovery, network change management and physical security, respectively.
To see demonstrations of RSA PCI Solutions at the National Retail Federation conference, please visit booth #3154. For more information about RSA PCI Solutions, please visit www.rsa.com/pci.
Dell back to strong growth; economy a concern: IDC
Wed Jan 16, 2008 8:12pm
http://www.reuters.com/article/marketsNews/idINN169090720080117?rpc=44
Fishin - Love that post! EOM
Windows Server 2008 and virtualization dominate in 2008
By Christina Torode, Senior News Writer
02 Jan 2008 | SearchWinIT.com
Ask any IT manager which technology he thinks will bring about the most change at his company and the industry at large, and virtualization immediately comes to mind.
Some are just starting to envision how virtualization can solve desktop management issues, like Brian J. Uzwiak at Wake Forest University Baptist Medical Center in Winston-Salem, N.C. Uzwiak manages network and information services there.
"We're looking at application virtualization with SoftGrid because it will help us fill in the gap between what Citrix [Systems Inc.] and SMS [Microsoft's Systems Management Server] can do for us as far as software deployment and application incompatibility issues," he said.
Office 2007 is a likely candidate for virtual deployment, he added.
With Windows Server 2008 and its Network Access Protection (NAP) feature, which isolates a device to check for security risks before allowing the user to connect to the network, Uzwiak might have finally found a way to secure his desktops.
The medical center's IT shop has already been testing out NAP on its Windows servers and clients. "This technology is covered under Software Assurance and we won't have to go with third-party [security] layers on top of our investment in 802.1x [wireless technology], which have been a huge investment already," Uzwiak said.
Often, the medical staff and physician assistants are off campus. Wireless access combined with NAP will give the center a secure way to access the network and update clients, he said.
Virtualization to the extreme
If there is a possibility to swap out a physical device, Bob Williamson over at law firm Eisenhower & Carlson PLLC in Tacoma, Wash., has it virtually covered.
Practically a one-man band at the firm, Williamson has embraced the technology to the point where 80% of the firm's IT is running virtually using VMware Inc.'s ESX Server and an iSCSI storage area network. "Everyone is talking about virtualization, but I'm living it," Williamson said. "Whether [IT shops] like it or not, it's coming and it helps significantly for numerous reasons."
Looking ahead at 2008, Williamson wants to give users anywhere access to applications from virtual XP machines through new capabilities in Windows Server 2008.
"I'm looking forward to getting my hands on [Windows Server 2008]. We'll be able to have users just double click to access applications through a seamless window in Terminal Server," Williamson said. "These new remote desktop capabilities [in Windows Server 2008] will let users go to a Web site and access a remote desktop. They won't need laptops."
Virtualization built into the hardware will not only open up new configuration possibilities, but it also stands to change how companies buy technology licenses.
Configuring virtualization into the system BIOS
Thomas Intemann, lead systems programmer, data center operations at Citrix Systems in Fort Lauderdale, Fla., said he believes that virtualization may do away with costly third-party software and licenses.
"I see hardware vendors becoming involved where virtualization is built into the BIOS of a system, not just the chip," Intemann said. "When you initially configure a server you'll be able to specify if a server is a virtual host or a standalone server."
By building the virtualization deeply into the hardware, Intemann said he believes individual third-party licenses will go away and just become part of the hardware purchase.
Virtualization stands to "revolutionize" companies' resource allocation and hardware refresh cycles, giving IT shops quicker access to new technology breakthroughs, said Christopher Steffen with Kroll Factual Data, a subsidiary of risk consultancy Kroll, based in Loveland, Colo.
Principal technical architect Steffen estimates that virtualization almost cuts in half the need to buy new hardware resources within his organization, but that money will be used to buy advanced technology. It's a prospect many IT shops can look forward to as a result of virtualization across many layers, including desktops and applications, Steffen said.
"Not to mention the crazy amount of redundancy you gain [through virtualization]," Steffen said. "Imagine the impact on users of just being able to swap over to a different box when a client goes down. It's all the same to the user."
Hardware-based encryption gains most innovation of '07
By Neil Roiter, Senior Technology Editor, Information Security magazine
03 Jan 2008 | SearchSecurity.com
Sensitive data hits the road every day, on poorly protected laptops, removable storage media, PDAs and smart phones. In 2007, businesses long accustomed to protecting information in their data centers turned to new security technologies and products to reduce risk to data on the go.
In addition to the expected repackaging, partnering and acquisition and marketing spin, the security industry has responded with some genuine innovation. The simple antivirus products of a few years ago are rapidly evolving into comprehensive integrated suites, combining antivirus/antispyware, HIPS, host firewall, removable device control and even NAC in a single centrally managed agent. Data loss prevention has shifted its focus from the gateway to the endpoint, focusing on data that can simply walk out the door.
Nowhere is the shifting focus on mobile endpoints more pronounced than disk encryption. Businesses that shunned the cost and key management headaches of encrypting laptops have scrambled to deploy it for a perceived quick fix to protect data and satisfy regulatory auditors.
Even so, it's cutting-edge technology that will complete the rapid evolution of full disk encryption from selective to near ubiquitous deployment. Hardware-based encryption is just making its way into the mobile device market, but it's coming on fast. Earlier this year, Seagate announced the Momentus 5400 FDE 2 hard drive, at first available only through clone laptop company ASI, but now available on select Dell models. Intel has announced its chip-based hardware encryption, code-named Danbury, will ship with vPro processors in the second half of 2008.
"By end of 2008, we'll see a fair amount of variety of offerings," said Jon Oltsik, senior information security analyst for the Milford, Mass.-based Enterprise Strategy Group. "By mid-2009, there will be more widespread combinations. By the end of next year, if you are replacing laptops, you'll have several options--not just from Dell. It will be pretty much universal."
Hardware-based encryption, whether disk- or chip-based, solves the performance problem that limited adoption. Moving keys into hardware makes encryption easier to implement and manage. Most important, perhaps, for a little more money, it comes with the laptop you already planned to buy.
"If the requirement is to encrypt laptops, the easiest way is to buy laptops that can already encrypt," said Oltsik.
He said that it's not clear which technology--disk- or chip-based--might prevail, but that's in the hands of the laptop makers. It depends on who is most successful in channel distribution and gets into production lines. Users don't really care.
Where does this leave software encryption companies like Credant, Utimaco, PGP, Safeboot (recently acquired by McAfee) and Check Point (which acquired Pointsec)? Recognizing that their boom will last only as long as it takes hardware-based encryption to take hold, they are partnering with Seagate and Intel to offer integrated solutions. While the hardware companies handle the encryption processing, software vendors will focus on what they do best: policy creation and implementation, key management, etc.
"In five years, we probably won't sell encryption software," said Malte Pollman, Utimaco vice president of products, but key and other management services for Intel, Seagate and any other hardware encryption companies.
But while hardware processing is making laptop encryption more attractive, it's by no means a complete data security solution. It should be part of a multilayered defense, including data loss prevention and endpoint security tools.
"Encrypting hard drives is a security of last resort, if a PC is stolen from you or me at the airport," said Oltsik. "We're seeing so much buying because it's getting easier to implement and protects you against the most common incidents. There are a lot of other kinds of attacks we have to pay attention to."
Virtualisation: Why existing security measures are no longer enough
(03/01/2008)
Although virtualisation is not a new concept, its present implementations are changing the face of corporate IT by reducing the number of physical servers, consolidating rack space and cutting energy costs.
Virtualisation allows the virtual machines (VMs) running the applications to be divorced from their physical environment. A VM provides an isolated 'sandbox' for running applications, with the hypervisor managing multiple VMs on each physical machine. This separation of function from physical location allows superior management and a pooling of resources, with the ability to meet workload on demand. Virtualisation technology is not just applicable to server applications within a data centre; it applies across the enterprise, whether in storage, security, the network or at the desktop.
The use of virtualisation technologies, however, causes the complexity of computing environments to mushroom, and as we all know additional complexity breeds insecurity: it obscures the environment for both management and monitoring. Although recent virtualisation technologies evolved from mainframe origins, their widespread application to the standard server and desktop market is still relatively new.
Full security analysis of many of the vendor offerings reveals large areas of unexplored code in which flaws could lurk. This is a 'known unknown': until recently there were few live deployments, so the code has seen little testing.
One of the great benefits of virtualisation, as mentioned, is the pooling of resources with the ability to re-deploy VMs 'on the fly'. It is easy to create 'gold' master VM images and replicate these as needed to increase computing resources. VMs can be deployed instantly and shuffled around the infrastructure much as files are transferred; however, managing change and introducing security into this mix becomes incredibly complex.
Attacks on virtualised systems have so far been few and far between, mainly because adoption is so recent; however the number of installed systems is set to double by 2012 and proof-of-concept attacks already exist. Attacks on virtual systems can be extensions of older forms of attack such as denial of service (DoS), buffer overflows, spyware, rootkits and Trojans, all of which are as much at home inside a guest operating system as on a physical host.
In addition there are new, virtualisation-specific attacks: worms that spread between guests, guest hopping (breaking out of one VM to reach another on the same host), hypervisor malware and hyperjacking, in which the hypervisor itself is exploited or replaced and then used to subvert every VM it controls. As the volume of virtualisation software increases more exploits will be written, and they in turn will become increasingly insidious, potentially compromising several VM systems at once.
In the recent rush to deploy virtualisation technologies, cost and mobility have been the top priorities, and many other implications (security, integration, management and so on) have still to be worked out. Existing security technologies typically revolve around static, IP-based controls (firewalls, IDSs, VLANs and the like). Once a workload is no longer tied to a particular location, tracking it by IP address or other static identifiers is no longer sufficient; indeed most network and admission control technologies are not virtualisation aware.
IT audit and compliance processes also become far more complex undertakings. What happens with offline or dormant VMs? Obviously these still need to be patched and reviewed on a timely basis, but how, if you cannot keep track of the VMs and the applications within them? It is clear that even with standard best practices such as enhanced change management, separation of duties and administration controls, conventional security measures fall far short.
With a potential attack first compromising one VM and then spreading to others, each VM needs to be protected with secure policies, configured and adapted as needed. Here existing vendor tools can be used to partition, isolate and segment each VM, with resource management controls to allocate, schedule, monitor and cap resources as required. Such tools can ensure that VMs requiring like levels of security are grouped together and that controls are in place to stop any unauthorised replication.
Where existing tools largely fall short, however, is in their ability to monitor the whole enterprise, integrate with other tools and keep track of and detect VMs to limit their spread. Detection tools are required to scan VMs for vulnerabilities and malicious code. With reference to the newer hyperjacking-type attacks, inter-VM traffic also needs to be monitored, with suspicious traffic reported and/or escalated.
Communications between virtual components therefore need to be safeguarded with built-in encryption and digital signatures anchored in a hardware root of trust such as the Trusted Computing Group's TPM (Trusted Platform Module), which can measure the platform and its software as they load, report those measurements for verification and so detect tampering.
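An added example (not from the article, and not Siemens' or any TPM vendor's code) of what the hardware root of trust mentioned above actually provides for the 'gold' master images discussed earlier: a measurement chain. Each boot component is hashed and folded into a platform configuration register (PCR) with the TPM's extend operation, PCR_new = SHA-256(PCR_old || SHA-256(component)); a verifier replays the guest's measurement log and compares the result with the golden value recorded for the approved image. The extend rule is the real TPM 2.0 one for a SHA-256 bank; the component names and contents, and the golden value derived from them, are constructed for this example.

```python
"""Added example: TPM-style PCR measurement and verification for a VM built
from a gold master image. The extend rule is the TPM 2.0 SHA-256 one; the
boot components and the golden value are constructed, not from any real image.
"""
import hashlib


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: the new value is the hash of the old value concatenated
    with the measurement. It is one-way and order-sensitive, so a PCR cannot
    be set to a chosen value, only driven forward by a specific sequence."""
    return sha256(pcr + measurement)


def measure_boot(components) -> tuple:
    """Replay a boot as a vTPM would see it. Returns the final PCR value and
    the event log of (name, measurement hex) pairs the guest hands a verifier."""
    pcr = bytes(32)                       # PCRs start at all zeros at reset
    log = []
    for name, content in components:
        m = sha256(content)
        log.append((name, m.hex()))
        pcr = extend(pcr, m)
    return pcr, log


def verify_quote(reported_pcr: bytes, log, golden_pcr: bytes) -> tuple:
    """Check (a) the log reproduces the quoted PCR, which catches a log edited
    after the fact, and (b) the PCR equals the golden value for the approved
    image, which catches a changed or reordered component."""
    pcr = bytes(32)
    for _name, m_hex in log:
        pcr = extend(pcr, bytes.fromhex(m_hex))
    if pcr != reported_pcr:
        return False, "measurement log does not reproduce the quoted PCR"
    if pcr != golden_pcr:
        return False, "PCR differs from golden value for the approved image"
    return True, "guest matches approved gold image"


# Constructed stand-ins for the boot chain of a gold VM image
GOLD_IMAGE = [
    ("firmware", b"virtual firmware build 2008.01 (constructed)"),
    ("bootloader", b"boot config: kernel=vmlinuz quiet (constructed)"),
    ("kernel", b"vmlinuz 2.6.24 (constructed)"),
    ("initrd", b"initrd with lvm+crypt modules (constructed)"),
]
GOLDEN_PCR, GOLD_LOG = measure_boot(GOLD_IMAGE)

# A clone whose boot config was edited to switch off the kernel's security modules
TAMPERED_IMAGE = list(GOLD_IMAGE)
TAMPERED_IMAGE[1] = ("bootloader", b"boot config: kernel=vmlinuz quiet selinux=0 (constructed)")


def check_clone(image) -> tuple:
    """What an admission step does before a freshly cloned VM may join the network."""
    pcr, log = measure_boot(image)
    return verify_quote(pcr, log, GOLDEN_PCR)


if __name__ == "__main__":
    print("golden PCR:", GOLDEN_PCR.hex())
    print("gold clone:", check_clone(GOLD_IMAGE))
    print("tampered  :", check_clone(TAMPERED_IMAGE))
```

In a real deployment the quoted PCR arrives signed by the TPM's attestation key, so the verifier also checks that signature; without it the guest could simply report the golden value. What the example shows is why an edited log, a changed component or the same components loaded in a different order all produce a different PCR and so fail admission.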
Management tools are required to provision VMs as necessary together with their associated security settings, such tools also need to map interdependencies and data flows ensuring that with all the complexity administrators do not lose an understanding of their environment.
With VMs being deployed and re-deployed, patching tools are also required. The need to introduce timely patches is ever more critical to reduce attack surfaces and ensure best-practice compliance. However, because of the resulting downtime or infrastructure complications, many applications are difficult to patch in a timely way, so new technologies such as inline patch proxying and application correction (modifying data in midstream) have been developed to help mitigate such issues.
In essence the old adage of combined layers of complementary countermeasures applies, protecting the physical devices, the Hypervisors and the Virtual Machines (VMs). It is just that these defences need to be provided dynamically with security policies and settings following and surrounding each newly mobile VM.
The complexity and dynamic nature of virtualised environments mean that new threats and vulnerabilities have appeared and will increasingly manifest themselves. Because traditional security practices only go so far, new architectural models, design practices and security tools are required. The existing tools, however, are generally immature and not yet certified. While such vendors and their tools need to evolve, the market also needs to educate itself, raising awareness of potential issues, new vulnerabilities and evolving threats, and where necessary pressuring the vendors to enhance their security offerings.
Siemens Enterprise Communications Limited is exhibiting at Infosecurity Europe 2008, on the 22nd – 24th April 2008 in the Grand Hall, Olympia, www.infosec.co.uk
Opinion piece submitted by David Frith, Senior Consultant, Siemens Enterprise Communications Limited