Tuesday, October 23, 2012

Do security like a start-up or get fired - Standards, APIs

This is part of a blog series. For more details, start with the intro.

Standards & APIs

If you build an application today, you get laughed out of the room if you don't have an Application Programming Interface (API). You also occasionally get laughed out of the room if you don't use standards where possible.

In terms of standards, we're talking both industry (open) and internal (proprietary) standards. In the enterprise, it's sometimes acceptable to use a proprietary standard in the absence of a semi-mature industry option because it's the architecturally elegant way to go about things. The point I'm making is, use one. Just make sure there's a standard, published way for teams within the organisation (and externally when required) to hook into common services.

The proliferation of systems across traditional enterprises that reinvent the wheel instead of reusing existing services is a joke. Unfortunately, this is the norm rather than the exception due to various factors, the most common being that the powers-that-be did not bother architecting, implementing and mandating a centralised, standardised way to reuse core services. Ultimately, this is really about the APIs an organisation makes available. More importantly, APIs have to scale. If not, no one is going to use them, even if they're mandated.

What the enterprise service bus and service-oriented architecture marketing blurbs were promising a few years ago, agile companies are making a reality today. The difference is that they're not doing it with enterprise web service standards like SOAP, which is too heavy for many of today's use cases. Everything is about REST. It's a lighter weight, more natural way of doing things.

Like with most things in the technology world, the poor cousin of the API world is security. This needs to change. Security is the one thing that MUST be used across all systems. It is also the most difficult aspect to manage if you do not centralise it. Most organisations don't realise this until they have a huge mess, at which point it's too little, too late.

With the maturing security standards available today, there is no excuse not to bake security into how systems interact and also not to have common security services be centralised. OpenID, OAuth and SCIM are starting to gain real traction as they are REST-friendly and work well enough in the web-enabled world. In an enterprise setting, many organisations are starting to really explore these as options whereas in the past, many would insist on sticking with SAML, XACML and SPML.

In reality, many look at a hybrid model; instead of mandating a single standard for a use case type (e.g. federated single sign-on), organisations are relying on off-the-shelf software products to provide the range of support for the varying use cases required and using policies to determine the appropriate standard based on context.

An agile enterprise is built on interoperability, reuse and centralisation of key services. Security is one such service. The moving parts need to be secured and the common security mechanisms need to be centralised and made available to all systems. Standards and APIs are core to being able to deliver on this.

This brings the "Do security like a start-up or get fired" blog series to a close. If you missed anything along the way, head back to the start and catch up on the considerations you didn't get a chance to read.

Monday, October 22, 2012

Confirmed - Sharing your Dropbox files via Facebook makes them public

Late last month, I wrote a blog post regarding the sharing of Dropbox files via Facebook and the fact that doing so made your file public. At the time, I didn't have the feature available in my account so couldn't test it.

I've since managed to test it out and my conclusion was correct. If you share your file with a Facebook Group, you've just made it public. In other words, don't do it for anything other than your public files.

Read the full post here.

Wednesday, October 17, 2012

Do security like a start-up or get fired - It's just IT

This is part of a blog series. For more details, start with the intro.

Cloud and BYOD are just IT

BYOD, of course, stands for "Bring Your Own Device". I've written a few articles about this (here and here) if you're interested in more in-depth content. I'll also be writing a follow-up post to recap my recent series of presentations on the Consumerisation of IT (update - 20 Nov 2012: follow-up post is now available). For these reasons, I'll keep this post fairly short.

Almost everyone I come across is talking or asking about Cloud and BYOD. News outlets can't help themselves either, because putting Cloud or BYOD in the headline is clickbait. An agile company, however, doesn't talk about Cloud or BYOD. It's called Information Technology.

Cloud is really just a change in the economic model of how an organisation pays for IT, unless you're still running everything on mainframes. Why? Because the perimeter disappeared some time ago. From a security standpoint, organisations need to focus on one thing: information.

Protect the information (notice I didn't say data), and you've solved a huge part of the Cloud security issue. This is obviously easier said than done, especially if you don't know where everything is, what information you have and how to protect it. But identifying the problem and learning what to focus on is usually the hardest part. Once you figure out what to focus on, good project management, prioritisation and resource allocation will get you most of the way. Execution gets you the rest of the way.

Both Cloud and BYOD are simply the compelling events for organisations with their heads in the sand to finally notice that there hasn't been a security perimeter for quite some time. If you realised that a long time ago and did something about it, you're in a great position to deal with both.

Going the extra mile with tactical products like Mobile Device Management (MDM) and Mobile Application Management (MAM) should really be an extension of the endpoint management policy you've had in place. MDM and MAM should NOT be the way you deal with BYOD. As mentioned above, I'll expand on this in a later blog post (here's a sneak peek of what I said, nicely written up by ZDNet). Update - 20 Nov 2012: blog post now available.

Ultimately, it's all about the information. Figure out where it is. How people get to it. Control access (and understand context). Know the identities. Have the visibility required to react quickly when required. This is called having a good security foundation to build on, with identity being at the core. Your organisation becomes more agile and security becomes a lot easier once you've got your foundation in place.

Don't let Cloud and BYOD intimidate you out of running business as usual if you've been doing it right. If you haven't been doing it properly, consider Cloud and BYOD your kick in the backside.

Next up - Standards & APIs.