Blog posts by Sachar Paulus


Data retention directive in Europe considered illegal by EU court

Have you seen this WSJ article? This is great news for privacy, human rights and a profound public security based on individual freedom: nations can no longer require IT and telecom companies to store communication data about all customers and communication partners – at least there need to be clear indications for the need to store that data and clearly defined, very restrictive rules on doing that. For some time now, security organizations claim that they can only cope with the new risks through internet and information technology by having more or less unlimited access to the...


Security Leadership in the Connected Enterprise

The Connected Enterprise is opening new opportunities for business, for innovation and for growth - it is a fundamentally important imperative for today’s business world. But it does not come for free: there are a number of caveats to circumvent, risks to address and changes to execute. One important activity is to re-shape your security leadership. The Connected Enterprise makes a number of changes necessary: implement a holistic security management beyond technology domains, move from an asset-oriented towards a risk-centric protection strategy, and move fundamentally closer to...


News from the Analyst Summit in London

Every summer, Eskenzi PR organizes the IT security analyst and CISO forum. It basically consists of one-on-one meetings between vendors and analysts and round table discussions between vendors, analysts and end-users, typically CISOs. And the event this year was excellent! The quality and density of information is quite high, and it allows one to grasp trends, both on the vendor as well as on the end-user side, quite well in a highly condensed format. So: an ideal opportunity to review a number of technology trends. Here are a few insights of the event I want to share with my followers....


RSA SecurID breach: it had to happen...

As you, dear reader, can imagine, the information about the SecurID breach was really shaking the minds of us analysts here - for a long time, we were telling the story that SecurID was the right compromise between security, convenience and manageability - until SMS became so cheap that they made the first place for cheap, manageable and strong authentication. Much has been said about the management aspects, whether it will shake the industry (I personally believe, yes, but much slower than some people argue) or what this means for the reputation of the world's largest strong...


Opening the Door to Cloud Security

"Security" and "Cloud" are often seen as mutually exclusive. Many CIOs live in fear of losing control over their data despite the claims by cloud providers that sensitive information is in fact in safe hands with them. But once data gets replicated, it gets harder and harder to keep it under lock and key. Many organizations hesitate to enter the era of cloud computing because they want to keep their data on a tight leash. Most products in the realm of cloud security fail to address these worries. And while federated identity management, coding security into new software, and security...


Cloud Security - the market is evolving

Winter holiday season is almost over, and business claims its attention back - it was a nice time with family, good food, and so on. But the world didn't stop, so we had to spend some time to look at a number of products. I would like to mention two here, especially because they help us get closer to the Secure Cloud. The first is Novell Cloud Security Service (shortly called NCSS). It is not clear according to today's product categories whether it is a product or a service, and this shows that we need to abstract more and more from this separation when moving into the cloud. Let me...


Without standards for DRM and IRM Cloud Security will remain a daydream

IT Security in and for the Cloud is one of today’s hottest topics. Unfortunately, it is almost as complicated as the Cloud itself, spanning from Identity Management and logging intelligence to data encryption. This article explores the various scenarios and demonstrates both strengths and weaknesses. Vendors both like to invent and employ hype expressions to describe their technologies, and it is clear why: They want to make their products stand out from the rest. It's been that way since the earliest days of modern computing, and it goes especially for the field of IT Security. Remember...


IT-SA conference takeaways

A long time ago my last post... Anyway, lots of first-year students and research grant applications kept me busy. The IT-SA is now THE event for IT-security in Germany. It has not the flavour of the RSA conference, although it may actually be of a similar size, at least in the exhibition area. It is much more about small conferences around the exhibition floor, organized / owned by different people and groups, such as e.g. the AppSec conference in Germany or the KuppingerCole Enterprise Cloud Security summit. Consequently, and this is especially true for folks from abroad, don't expect a...


The GRC Marketplace is shaking up: SAP and CA partnering on GRC

In the last weeks, I had a number of interviews and product / vendor briefings about GRC related products. And as you may have noticed, the marketplace is yet pretty unstructured. Since there is still no generally accepted common definition or reference architecture for GRC (although I have developed one, see my reports), anyone touching functionality related to GRC assumes it is in the core. And so you can find extended document management solutions there (for policy management) as well as controls and IT controls management tools, besides access governance and financial risk management...


Impressions from the IT-Analyst Event in London

Last week I was invited to the IT-Security Analyst & CISO Forum Event in London, with a few vendors and a few CISOs. The form of the event is unique, and thanks to Eskenzi PR it is an excellent opportunity to gather the expectations from CISOs and the answers to these by vendors. Here are a few impressions and take-aways: - "Most of the vendor's products are crap, they are fundamentally flawed in the sense that they do not increase security a pence", as one of the CISOs said (Chatham House rules applied). More specifically, asking for more details, most of the tool and product...
