I once again had the pleasure and privilege to attend the RSA Security conference in San Francisco, CA. rsaconference.com/events/us18. The conference keynotes, sessions and sidebar conversations were a good opportunity to see what the hot topics in security are. I attended a broad selection of sessions. Here are five diverse observations that I came away with:
Is Microsoft really claiming pre-boot authentication (PBA) for Full Disk Encryption (FDE) is not necessary? One could certainly get that impression from recent articles (HERE and HERE) posted by the organization. The first article on “Types of attacks for volume encryption keys” lists a few known historical attacks that “could be used to compromise a volume encryption key, whether for BitLocker or a non-Microsoft encryption solution”, and the second makes statements like “For many years, Microsoft has recommended using pre-boot authentication to protect against DMA and memory remanence attacks. Today, Microsoft only recommends using pre-boot authentication on PCs where the mitigations described in this document cannot be implemented.”
Back in November of last year, I was part of a conference call with a European customer who needed some high level reassurance from us. As part of that request, they mentioned that our customer portal could not help them properly manage support tickets. Thus, I hijacked the call and started a GoToMeeting session from my desktop. I gave them the opportunity to walk me through exactly what they found problematic about our customer portal. For the next 20 minutes they did a masterful job of highlighting what areas of the customer portal simply weren’t working for them. And if I put myself in their shoes, I could see that they were not only right, but it was likely that other customers felt this way and had never said anything to us.
With this knowledge, I did something radical, which was to hold many meetings over the next two months where I would bring a proof of concept to the table and have the customer critique it. This helped us get to where we are today, which is announcing the release of Phase One of our enhanced customer portal.
In April 2015 I wrote about “Intelligent Key Management for the Cloud”. In that blog I described the various models for encryption and key management for virtual workloads running in IaaS including:
Recently, I was on the phone with a customer who asked me this question: “How can we better help you to help us?” That’s a question that I was not used to getting. But it made me think about what customers could do to get better tech support. It ended up taking me a day or two to really think about it, but I came up with the following, which I decided to share with you:
In the past I have tried to make the case for encrypting physical servers on premises. The argument for not needing to encrypt them is usually that these servers run for weeks, months or even years without being brought down, and that they are physically protected within a well-fortified data center. The protection that FDE (Full Drive Encryption) brings only really applies to data at rest, and it is seldom at rest on these servers. I would counter that all drives eventually leave the data center for repair or disposal, and having them encrypted protects you from having your old drives with your customer data on them show up on eBay. An encrypted drive can be quickly and easily crypto-erased if it is still operational, and if not, the data is still not accessible without the encryption key.
Managing BitLocker in Windows 10
So you’ve heard – Windows 10 has hit the PC world by storm, with widespread adoption in the private and public sector catching up to the consumer side. According to Gartner, the adoption of Windows 10 is faster than for previous OSes, and the traditional refresh cycles are shortening. What’s driving the movement? Well, it’s a combination of events really, all based on one common need – Security.
One of the things that is unusual about me is the fact that I like to take customer support calls. Now you might find that weird as I do run a global support organization, and presumably I have better things to do than to take tech support calls when I have a staff that I have hired to do that for me. However, I feel that in the interest of making my support organization better, I need to be on the phones from time to time, digging into cases that get submitted via our customer portal, or by e-mail. Here’s why:
Our Product Marketing Manager, Aaron, and I had a watercooler chat the other day about taking a fresh approach to a corporation’s IT Security in the likes and regularity of spring cleaning. An approach like this would be ideal – you would have an up-to-date inventory of your hardware, you would have up-to-date software, and a complete 360 view of your organization. After completing what might be an onerous task, you would be able to identify the robustness of your environment, where your gaps might be, and where you have room to improve. In general, one might argue you would feel ‘in control’.