Have you seen this WSJ article?
This is great news for privacy, human rights and a profound public security based on individual freedom: nations can no longer require IT and telecom companies to store communication data about all customers and communication partners – at least there need to be clear indications for the need to store that data and clearly defined, very restrictive rules on doing that.
For some time now, security organizations claim that they can only cope with the new risks through internet and information technology by having more or less unlimited access to the user data. The primary idea is that keeping this data in the first place makes it easier to have evidences on communication and its metadata. But it may also be used for creating profiles and thus prejudging innocent people. And recent history has shown that it is not only possible, but that security agencies actually proactively act on this.
The reasoning is wrong in the first place, anyway. To have access to profiling information does neither support better prevention of crime nor does it help solving it. Crime will always exist, and those committing crimes will always try to use means by which the risk of being tracked is as low as possible. Consequently, security organizations will only be successful if they do not uncover the tracking means and technologies - but exactly this is the very same risk of creating prejudice and destroying social freedom.
Many European nations now have to revisit their legal frameworks. Since Europe by now is one of the largest legal ecosystems, this will have a significant impact on individual information security and freedom – at least within Europe. It will be interesting to observe whether it also influences other regions.
This will, in turn, have some impact on companies' IT security architecture on the long run. Those companies that have started to track their employee's digital activities for security prevention and did bet on such a practice being allowed or even supported for nationwide cybersecurity, need to rethink this approach. Many solution providers have emerged in the last years, offering profiling information as used by security agencies, these will need either to step out from Europe or have additional, privacy/friendly products in their basket.
Note that this is not the end of profiling end users (and especially security organizations shall listen carefully): most consumers actively offer more than enough data to track and trace them across the internet - one only needs to go look at these data, e.g. with Google and other ad companies. This area is not in scope of the EU court decision. And just as with communication metadata: you will with high probability not find the REAL bad guys there...
The Connected Enterprise is opening new opportunities for business, for innovation and for growth - it is a fundamentally important imperative for today’s business world. But it does not come for free: there are a number of caveats to circumvent, risks to address and changes to execute.
One important activity is to re-shape your security leadership.The Connected Enterprise makes a number of changes necessary: implement a holistic security management beyond technology domains, move from an asset-oriented towards a risk-centric protection strategy, and move fundamentally closer to the business.
A holistic security management integrates all necessary security disciplines, independent of the technology of organizational area. Whether IT security, personnel protection, physical safeguards or process security controls: since the Connected Enterprise requires a high level of flexibility in the protection measures employed, it is necessary to be able to choose among all possible protection measures and controls to pick the one that not only theoretically protects „at best“, but also allows fast reaction times and short returns on invest.
The classical security paradigm „know your assets, and how to protect them“ becomes more and more difficult to follow in the connected enterprise. The primary reason is that the assets themselves are no longer the „stable entity“ in the business architecture - instead, they serve as resources that feed the value creation through connectivity. The way out for security leaders is to start thinking in risks instead of assets and protection goals. Furthermore, security leaders can no longer rely on a mid-to-long term validity of the „security ground work“ - instead, they need to adopt a „daily risk posture“ approach and accommodate to quickly change focus - just like a police department in a vibrant city.
Classical security practitioners and leaders either have a security services or a technology background. In both cases, they understand themselves as „mastering“ the security of the enterprise through their specific expertise. Due to the fast pace of the Connected Enterprise, they will more and more lose their value. The way out for security leadership is to „sit by the business“ - that means, to help business leaders to evaluate the risks, and enable them to securely develop their business. In the CISO speak: protect the „I“, not the „T“ in Information Technology.
These three recommendations will help organizations tackle the constantly changing security posture of the Connected Enterprise successfully. If you are ready for a certification, then you should go for an ISO 27001 certificate - the new 2013 program requires to set up your security leadership and organization along these lines.
And what skill set should security leaders strive for? They must be consultants, coaches, awareness experts and auditors at the same time - technical expertise is no longer the primary imperative, it is much more about social skills that help convincing the business to take their risks seriously. And if they are successful, they will greatly contribute to the value creation in the Connected Enterprise.
This article was originally published in the KuppingerCole Analysts' View Newsletter.
Every Summer, Eskenzi PR organizes the IT security analyst and CISO forum. It basically consists of one-on-one meetings between vendors and analysts and round table discussions between vendors, analysts and end-users, typically CISOs. And the event this year was excellent!
The quality and density of information is quite high, and it allows to grasp trends, both on the vendor as well on the end-user side, quite well in a highly condensed format. So: an ideal opportunity to review a number of technology trends.
Here are a few insights of the event I want to share with my followers. This list is not exhaustive and represents my personal view on the products discussed, and obviously this is not an objective analyst review as it should be. Nevertheless, it might give you some fruit for thought...
- Regarding Cloud Security, there is always the discussion how to secure the information in the Cloud against the Cloud service provider, in case one might not trust him. Safenet has introduced the concept of pre-boot authentication, well known from Laptop security, to secure virtual machine images in the Cloud. A pretty neat idea - we will see how it will evolve, esp. because it of course uses a proprietary format (as all device encryption software manufacturers do).
- You don't know where your devices are? What is part of the standard for iPhones, now comes for all mobile IT devices, including Laptops of any kind: location services, including remote destruction, and even selected data retrieval. And the best: the solution is preinstalled in the BIOS of most manufacturers, so just turn on an the security is there. Great, because very pragmatic, solution. Go and visit Absolute Software's portfolio.
- Standard IRM solutions - and for those not reading my blog regularly, I believe this is a necessary technology for a Secure Cloud usage - are missing the identification and classification means for data to be protected, and thus leave the use alone with that mess. Secure Islands, a small innovative vendor from Israel, provides the solution: it re-uses standard IRM, but integrates nicely into e-mail suites, browsers and local programs. The Secure Islands solution really boosts the usage of IRM because of the high simplicity.
- Knowing where your data is - and who actually accesses it - is an important prerequisite for secure data management and access management in general. A totally different approach than we usually see is the one followed by Varonis, who enable IT people to discover - and track, if necessary - where the data is that people are using. And this across all shares, web content management systems, ftp servers and alike. Monitor who actually accessed a specific folder with insider information in the last 4 weeks? This information is just a few clicks away. Interestingly, most customers are buying the solution not because of security needs, but for optimizing storage concepts and their implementation.
- It just happened again this morning: a certificate expired, and I had this damned popup saying that I cannot trust a specific web site any more. I cannot really do anything about it and I blame the web site owner for not keeping its certificates up to date. Venafi takes care about this problem, and helps you manage the thousands of certificates and key pairs that are in use in a professional IT environment.
These are only a few of those companies I have seen, and of course there are more, that do a great Job such as Lieberman Software, Imperva of M86Security.
Overall, one might identify a trend: more and more vendors respond to the demand of end-users that preventive controls are nice and if doable and affordable they are the best one can do, but in the meantime it is necessary to manage the insecurity, so a lot of products focus on more transparency and thus helping at least knowing what is going on - right or wrong.
As you, dear reader, can imagine, the information about the SecurID breach was really shaking the minds of us analysts here - for a long time, we were telling the story that SecurID was the right compromise between security, convenience and manageability - until SMS became so cheap, that they made the first place for cheap, manageable and strong authentication.
There has been said much about the management aspects, whether it will shake the industry (I personally believe, yes, but much slower than some people argue) or what this means for the reputation of the world's largest strong authentication player. I want to add my few cents on the concept itself.
To do that, I need to go back in time when I was a postdoc, some (ugh, more than 15) years ago. We were working on analyzing the strong authentication landscape, and of course SecurID was already there, with a remarkable footprint in the market. We analyzed a number of technologies, including PKI with different crypto systems, one-way functions for authentication purposes, HMACs and so on, among others, of course, the market leader, SecurID. But what really made us worry - and remember, it was the time where Europe feared that the U.S. can hear and do everything in our IT-systems - were two observations:
- The algorithm of SecurID was kept secret, and there was no way for us post doc researchers to get our hands on the code or even an algorithm and
- The fact that there were a number of open, secure and understood algorithms doing basically the same thing.
In fact, soon after our team developed an HMAC based authentication algorithm with Smart Cards and mobile readers that was adopted by a number of German players - which, of course from todays perspective, did not succeed. But back to SecurID - so we wondered why such an important player could sell - technology-wise, and in the eyes of a security designer - such a crap thing so well...
We went on, analyzing it without having our hands on the code, and found in our eyes a serious weakness, that was to our understanding by no means due for keeping the security tight: some information pieces about EVERY user (in fact, about every token) was kept at the site of the customer. And the reason was not user experience, either: because if you loose your token, then you need to go through a re-personalization process, so it was not for that purpose... So why was this necessary? Of course - remember the times - we were imaging a number of more political than technical reasons...
Anyway - it was, and it is, an important weakness of the protocol, since it offers an unnecessary attack vector. Any other clever hacker could have come to that same conclusion. Now with the right motivation, the right customers - there you go!
It simply had to happen one day.
„Security“ and „Cloud“ are often seen as mutually exclusive. Many CIOs live in fear losing control over their data despite the claims by cloud providers that sensitive information is in fact in safe hands with them. But once data gets replicated, it gets harder and harder to keep them under lock and key.
Many organizations hesitate to enter the era of cloud computing because they want to keep their data on a tight leash. Most products in the realm of cloud security fail to address these worries. And while federated identity management, coding security into new software, and security service level agreements may from the groundwork for application security in the cloud, they do not ensure that the data cannot be read by the provider himself.
For that, data would have to be encrypted. Yes, there are Rights Management products out there that can do this with different degrees of success. In fact, ways of controlling access through Rights Management have been around for years, for instance in order to protect software (from Microsoft, Apple and others) as well as in consumer applications such as Pay TV, Video on Demand, digital music, etc.
But how would cloud applications deal with encrypted data? Typically, such apps are created today using Web Service architecture which means that individual components can be classified as trustworthy or not-no-trustworthy. One way would be to keep the data locked up but to allow trustworthy component to be opened using a decryption key. This could be done by sending an online request to the company’s key management server. This substantially reduces the overall risk, and transactions can be documented for auditing purposes. A typical instance of this approach in action can be found in many health care telemetric infrastructures.
However, business processes to day tend not to terminate at the company gate but instead to reach out into the supply chain to allow the exchange of data with partners and affiliates. If that partner is running different Rights Management software, some kind of translation process must be implemented. Unfortunately, that kind of interoperability remains to be developed.
Ideally, of course, it should be possible to process encrypted data directly without first having to unlock them. A number of researchers are working on just that, but their solutions aren’t ready for market yet. However, hopes are high, so continue watch this spot!
Winter holiday season is almost over, and business claims its attention back - it was a nice time with family, good food, and so on. But the world didn't stop, so we had to spend some time to look at a number of products. I would like to mention two here, especially because they help us getting closer to the Secure Cloud.
The first is Novell Cloud Security Service (shortly called NCSS). It is not clear according to todays product categories whether it is a product or a service, and this shows that we need to abstract more and more from this separation when moving into the cloud. Let me describe it by what its main benefits are from my point of view: it allows to run cloud services with the identities of enterprise-managed identity services, and to monitor security related information from an enterprise perspective.
Well, this seems not really interesting, after all, we can all set up a could service and let users authenticate against our company-run LDAP store. But this is different: it allows enterprise users to use GMAIL oder other real open cloud services to use their usual identity store, even with SSO (based on SAML, of course). The effort of integration with the app services is minimal, and identity information never leaves the companys's control. By this way, we can now allow business departments to choose their own cloud service provider, and yet keeping control over the identities and the security of the data (you can even connect this to your SIEM to get alerted appropriately).
Obvously, there is a catch-22 situation here from a market point of view: cloud service providers like to maintain users, and will integrate other identity stores only when they are ready, and the connection of existing identity stores depends on the willingness of the cloud service providers. Novell solves this problem by selling this to the operators that manage the cloud access for enterprise customers, but for those to be interested, CIOs need to formulate the demand... Clever approach, but may be tedious in selling. Anyway, it works technically, and those telcos that see security services as an added value will probably jump on it quite soon - once they get the real potential of such a solution.
The second big area of concern in the could besides using identities from managed sources is the security of information. Classical information security practices recommend to classify information according to confidentiality classes, and to define data management principles that must be applied by everyone to adequately protect the confidential data. Now everybody involved into that know how difficult it is to operationalize this strategy, namely to make sure the people are making the right choices when classifying (at all!) documents they create and/or handle.
The second product that I find pretty interesting is that by SecureIslands, called IQProtection, which does classification of documents based on several rules that can be defined (key words, sources, metatags etc.) AND - and this is new - integrates with a multitude of rights management technologies to immediately apply the necessary controls. They can even "change" the protection mechanism, e.g. when a document leaves the company, or when information is taken out of a web site (that can be protected as well) to be used with e-mail and S/MIME. Especially interesting is that they consider E-DRM as a commodity, and that they "only" deal with the management processes and the application of the protection mechanisms. Cool stuff, esp. when data is in the cloud. And of course, they can integrate with existing identity services for the credentials, to close the loop with my first example.
So, as said, I think the market is moving and we will see a lot of innovative stuff in the next months in that respect.
IT Security in and for the Cloud is one of today’s hottest topics. Unfortunately, it is almost as complicated as the Cloud itself, spanning from Identity Management and logging intelligence to data encryption. This article explores the various scenarios and demonstrates both strengths and weaknesses.
Vendors both like to invent and employ hype expressions to describe their technologies, and it is clear why: They want to make their products stand out from the rest. It's been that way since the earliest days of modern computing, and it goes especially for the field of IT Security. Remember "Endpoint Security" or "Perimeter Defense"? But now, with Cloud Computing all the rage, the industry is straining to reach new heights of hyperbole.
Sadly, no one seems to be answering the real questions, which are: How do you make the Cloud secure, and is there a substantive difference between IT Security outside and inside the Cloud? The going argument, which will do very well as a starting point for this article, is that by moving to the Cloud, IT loses control of their data. This is the argument you hear from most CIOs and CSOs today in order to justify their reluctance to adopt cloud-based strategies or to outsource parts or all of their computing to external service providers. And yes, it's a pretty strong argument.
Others seem resigned to their fate. That's just the way it is, these people say - you just have to get used to total transparency and the loss of privacy and trust your Cloud provider. Providers on the other hand are trying gain trust by following some set of "industry best practices".
Cloud Security - where's the light at the end of the tunnel?
Of course, the providers know there really are no arguments to justify their pretentions to trustworthiness, much less a way for them to really guarantee the confidentiality of the data they are entrusted with. So the best thing for them to do is haul out a plethora of top-notch security measures that have been more or less successful in the past, like identification, authentication, fine-grained rights management, SIEM (Security Information and Event Management), compliance tools and encryption.
But what does this old-fashioned brand of IT Security protect the data from? From external threats, of course - the same way companies protect data on their internal systems today. However, this is beside the point. The challenge in the world of Cloud Computing is how to get your data into the Cloud in the first place without running undo risks since these security mechanisms don't really care who is actually processing the data at any given time.
The only way to solve this problem is through DRM (Digital Rights Management) or, even better, through IRM (Information Rights Management, also known as Enterprise DRM). Documents that are protected by IRM can be blithely sent off to the Cloud, since they can only be decrypted by authorized users according to policies laid down beforehand.
IRM beats classical encryption hands down since it allows you to give permission to use the data retroactively without having to touch the data itself at all. To do the same thing in a traditional encryption scenario would mean revealing the key or the password.
IRM brings many benefits. For instance, you can limit the visibility of the data to certain times or even geographically by using modern location-based systems. And if the application supports this feature, you could make only certain passages editable; the rest of the document cannot be changed.
By separating rights management (which usually involves some kind of identity management) from enforcement through selective, flexible encryption you can develop very sophisticated rules and policies which could even be offered as a Cloud-based service themselves.
A good example of an area that would greatly profit from am IRM approach to Cloud architecture is healthcare. The new German eHealth Card will support telematics systems in which the patient data can be protected by IRM, thus giving the patient full control over who gets to see his records.
Every man for himself
The big drawback of IRM in its present form is the lack of common standards or in fact of any real standards at all. Almost every vendor - first and foremost Microsoft, Adobe and Apple - have chosen to take a different path towards IRM and DRM, thus locking in existing customers and creating huge entrance barriers for others, since one system won't work with any other.
Creating industry-wide standards is an imperative, but it won't happen overnight. A good idea would be to develop some kind of "intermediate IRM" that would enable the exchange of documents between different formats through some kind of "IRM middleware" which would form the basis for the IRM handling of corporate information and thus achieve true Cloud Security.
There are a number of specialist vendors in the IRM market today, some using technology supplied by the big players, others travelling the proprietary route. As a rule, these niche systems do a very good job of handling complex and differentiated policies. This is convincing from a technological viewpoint, and it provides compelling arguments for the security people. However, most solutions is use today get along with rather simply policies which make them easy to scale and administer.
Finding common ground for IRM and DRM
Naturally, the vendors of IRM solutions hesitate to compare their products with "old-fashioned" DRM technology (read: "content protection"). We feel that there is some common ground. After all, DRM is rather prevalent already and has established itself for instance in the realm of video-on-demand (Maxdome, Microsoft), music distribution (iTunes) and apps (virtual every app store for smartphones uses some form of it). Yes, there exists a community of crackers who know how to get around DRM protection, but they are seldom criminally inclined.
It would be interesting to see what the success factors for DRM systems are and how they might play in the Cloud space. And it turns out they do: most large-scale DRM systems are engineered to protect information (usually digital content) in mostly uncontrolled environments.
As a rule, these systems already allow distributors to create simple policies governing the type of devices that can be used for access (such as set-top boxes or MP3 players) and exactly when they may be used. Apple, for instance, lets customers of its iTunes store retroactively change the settings for a certain song or clip to "home use" so they can be seen or listened to by other members of the family on different devices. These models all have in common that they allow policies to be both flexible and straightforward.
This begs the question of whether IRM policies really should be forced to take every imaginable scenario into account, or whether the market would profit from the far simpler policy model of DRM to protect data and administer the systems.
Gradually getting there
No matter which course is taken, DRM and IRM are poised to become important building blocks in future Cloud strategies, so the earlier vendors and service providers adopt them the better. At least this would give users a way to store and at least partially process data in the Cloud without running undue risks.
However, it is still very early days for the processing of encrypted information since this involves removing the protection most IRM systems provide today. This is the Holy Grail of Cloud Security since it would mean that we can all start storing all of our data - HR, CRM and even analysis results - in the cloud without having to worry ourselves sick. Getting there will eventually involve some kind of "homomorphic" encryption, but that is an area in which research is just beginning to get under way.
A long time ago my last post... Anyway, lots of first-year students and research grant applications kept me busy.
The IT-SA is now THE event for IT-security in Germany. It has not the flavour of the RSA conference, altough it may actually be of a similar size, at least in the exhibition area. It is much more about small conferences around the exhibition floor, organized / owned by different people and groups, such as e.g. the AppSec conference in Germany or the KuppingerCole Enterprise Cloud Security summit. Consequently, and this is especially true for folks from abroad, don't expect a huge number of people showing up at your booth - you need to organize traffic yourself. But then - uh lala, lots of intense discussions...
A few takeaways more from the content point of view from my side about the IT-SA:
1. "bring your own device" is now a mainstream topic. Security folks: like it or not, you will need to cope with it. There are a number of arguments for this being financially-wise a good decision. But what does that mean security-wise, really? Well, my take is that the IT-security guys now need to think about how to protect corporate information instead of protecting the infrastructure from viruses. Come on, be honest: company confidential information is anyway already on devices that are not under your control, even today. The solution is: intelligent awareness, and - maybe some day - intelligent IRM.
2. IRM, IRM, IRM: the more I wandered along the different booths, the more I see the need for a good solution. All these different offerings that pretend to make your IT secure, but actually don't (no, I won't name them), all suffering from information not being protected adequately, still relying on a benign, controlled infrastructure. You that time is over, right? Unless you are a bank (you make your money yourself) or a government (you don't even need money in the first place ;-) chances are quite bad that you know what is going on in your network aeh on your machines, aeh I mean on the devices in your network...
3. Privacy-friendly IDM: there is a trend to use IDM against people's intention. And indeed, that may happen, if the data is under legitimate control of the authority maintaining the IDM information. Consequently, we need to think about how to make that happen in a privacy-friendly way. There are cryptographic protocols, and frameworks available, such as MS U-PROVE and the new German E-ID-Card. We need to spread the word that this is indeed possible!
And finally 4.: the Cloud is real. Companies do no longer think whether they will do it, but HOW, and how the security can be setup. Most importantly, companies were asking how to extend their security management processes to the cloud provider. And indeed, ISO 2700X et al can be applied, but they don't provide operational help. ITIL is much better suited, but does not really cover confidentiality...
In the last weeks, I had a number of interviews and product / vendor briefings about GRC related products. And as you may have noticed, the marketplace is yet pretty unstructured. Since there is still no generally accepted common definition or reference architecture for GRC (altough I have developed one, see my reports), anyone touching functionality related to GRC assumes it is in the core. And so you can find extended document management solutions there (for policy managemnet) as well as controls and IT controls management tools, besides access governance and financial risk management applications.
I believe though that it makes only sense to actually implement a holistic GRC management framework in an enterprise, if there is a common, integrated and standardized way of managing policies, controls, risks, improvement projects. There is no value in buying a multitude of isolated, on certain aspects extremely well performing solutions, because then the integration know-how still relies with the people - and isn't GRC actually exactly about reducing the risk that the enterprise is exposed to by people involvement, for personal, political or financial motivation?
The real value of implementing GRC projects only comes - very similar to ERP, history repeating - with an integrated framework. There are two ways of achieving this: first, by standardization (such as SOA), and second, by market dominance (such as R/3) . And to be true, none of the vendors I have been able to listen to is in my view in a position to advance the standardization path in that market.
With the recently announced partnership between SAP and CA, SAP pursues - similarly to Oracle - a pretty intelligent move: they will be able to integrate real-time information from SIEM and other solutions from CA, one of the established players in the IT infrastructure environment. The simple annoucement will shake up the space: until now, GRC was about prevention, mitigating activies, but the reaction part was left to the IT respectively other reaction facilities (fraud management, corporate security, e.g.). But with that partnership, GRC actively covers a "real-time" view on the threat / risk situation.
Another aspect is with the partnership of two giants, there will automatically be a de-facto-standardization happening. If, say, RSA now wants to provision SAP GRC too, they will need to adopt the interface definitions that the two have defined...
So: good move, SAP and CA.
Last week I was invited to the IT-Security Analyst & CISO Forum Event in London, with a few vendors and a few CISOs. The form of the event is unique, and thanks to Eskenzi PR it is an excellent opportunity to gather the expectations from CISOs and the answers to these by vendors. Here are a few impressions and take-aways:
- "Most of the vendor's products are crap, they are fundamentally flawed in the sense that they do not increase security a pence", as one of the CISOs said (Chatham House rules applied). More specifically, asking for more details, most of the tool and product vendors are still relying on the wrong assumption that CISOs want to "extend the border of the enterprise" or "secure the perimeter". But this is good for nothing, for businesses to be productive, information has to flow, and must be protected there - and not retained "within" the enterprise.
- Consequently, DLP (Data Leakage Prevention) is a market which does not really exist. Those that are buying DLP do this for compliance purposes, just like buying Anti-Virus products (although they do not even discover 40% of the more recent attacks...). So the chance of using actual DLP products to really detect resp. prevent information leakage is pretty low.
- Secure software development is still to a large extent not understood, neither by vendors nor by the CISOs. They mostly think that they are done with the subject when they employ white box testing and use an application level firewall. Oh man - so much work ahead to communicate what this is really about.
- Top-notch on their priority list (very interesting): the "bring in your own device" policy. How to enable business infrastructure and applications to securely support personal devices (from notebooks to smart phones) as endpoint. Very interesting direction, finally we got the "all in the internet" type of assumption for company information access through a more financial motivation... Still, many questions around legal responsibilities and technical capabilities are to be solved.
Now to the vendors (just a few interesting notes):
- FaceTime (the name needs to change, after Apples announcement that their VideoConferencing on the iPhone is called that way) basically does compliance-driven monitoring and management of the usage of social media for enterprises. Seems low profile. But driven by customer innovation they have built a strong capability of detailed authorizations for internet apps, so they do in fact "GRC Access Control" for internet apps... Interesting development.
- S21Security from Spain, currently perceived as a SIEM vendor in the financial vertical, is actually able to detect fraud on the basis of log information of core banking systems, with first experiences in the SCADA world. So they actually do interesting GRC analytics...
- BeCrypt has a nice application to simply, but securely extend the enterprise using bootable USB sticks. Defence-grade!
- M86Security, one of the largest vendors of realtime threat detection for web, with a footprint of 24000 (!) customers, seem to be a pretty useful solution - what if they would offer this "as a service" for consumers, that route their web traffic through one of their servers? Would be pretty cool...
All in all: the market slowly changes from pure compliance products towards real protection solutions. This is definitively a sign that the customers get more educated about the real threats. But on the other side (see the note on secure software above), still a long way to go...