COBIT 5—Yoga for Enterprise IT

Yoga is a popular science and art of well-being. Its benefits range from as modest as being helpful for fixing specific ailments or disorders to transforming one’s body-mind communion to attain a state of eternal exhilaration and union, by aligning oneself with the world and nature.

Consider applying the concept of yoga to enterprise IT—if business is seen as the body, information surely is its mind. And, the right information at the right time with the right person can make the difference between exceptional success and dooming failure.

Given that we now inhabit an increasingly connected digital world, there is less disagreement on the ever more critical dependence on IT. Businesses clearly recognise the strategic nature of IT, but also often find themselves entangled in a range of IT pains and disillusioning disorders. Such issues include IT operational issues, IT project failures, cost over-runs and data breaches and a stagnating, or, at the other extreme, hyper IT that keeps costing resources and attention, without synchronised business deliveries. Baffled with finding the answers, organisations increasingly tend to find themselves at a loss when it comes to ascertaining the right approach to making IT work optimally for business.

COBIT 5 is a framework for enterprise IT governance that provides compelling reasons for a shift in an enterprise’s approach to the management and governance of enterprise IT. Built on five key principles, many of which resonate with yogic thinking, COBIT 5 starts with the need to focus on stakeholders’ needs, covers the enterprise end to end, adopts a single aligned framework with a holistic approach and separates governance from management.

Many organisations suffering from impulsive or chronic IT operational and management issues have found solutions from COBIT 5 to effectively alleviate their burning pain points. But then there are the larger and often constipated IT governance questions of finding sustainable ways to make enterprise IT naturally meet strategic, compliance and reporting needs. Profound IT governance issues include chronic disorders, such as IT management deadlocks, certification fatigue, and goal disconnects between the board, the executive level and underlying operational layers. Also, governance issues can include, as I mentioned previously, either a stagnating or disintegrating IT or hyper IT.

As with yoga, there is emerging realisation that in the digital connected world, there are fewer chances for a business entity to achieve sustainable growth, unless it clearly recognises how it can make a difference to the world at large. There is a need for moving from an inside-out-focused thinking to one that is outside-in-driven. The focus on the goal needs to clearly shift from chasing profits and numbers to being relevant and making a difference to stakeholders, and aligning enterprise IT capabilities accordingly.

As a first step, take a cue from the transformational aspects of yoga, which first looks at transforming fundamental thinking through deeper introspection on questions such as, “Why do I exist?” Enterprise leadership could apply this question in their capacity as stakeholder representatives. That would help trigger a whole business-IT (body-mind) transformation at every layer. And, when an organisation experiences such a transformed realisation, suddenly it tends to be unexpectedly rewarded with answers and solutions that appear to be so simple—as if they were always there—and loaded with eternal benefits for all stakeholders.

To achieve this, an organisation would need to look within. It needs to challenge its approach at every layer of enterprise IT to see if what is being done has the goal of stakeholder value maximisation in mind, rather than the narrow perspective of maximising its own profits and numbers. All of this means experiencing information and IT capability empowerment at every level—not for mere IT sake but for governance sake.

Much like there is no one form of yoga that fits all, there is also no one COBIT 5 approach that will fit every organisation. Every organisation will, according to its near- and long-term goals, need to churn through the COBIT 5 guidance to concoct its own IT governance framework that aligns with its business and enterprise IT needs. Besides, an IT governance approach founded on COBIT 5 not only co-exists very well, but also inspires greater alignment with various standards that an enterprise considers as relevant.

If approached and practiced diligently enterprise-wide, every organisation could experience several rewards that include quality information-driven decisions, maximising stakeholder value from IT enabled investments, IT operational excellence, and IT risk and resource optimisation.

Hence, it may not be out of place to believe that to survive and sustain in the emerging global cyber economy, enterprises could do well to move from their narrow pursuit of IT happiness to a broader expression of enterprise information-aligned IT joy!

Vittal Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, COBIT 5 Foundation Accredited Trainer
Founder and partner of M/s. Kumar & Raj, and Director at Pristine Consulting Private Limited

[ISACA Blog]

Recognizing the Best of the Best

Earlier this week Mark Anderson and I had the distinct honor of unveiling our five Global Partner Award Winners as part of our FY16 Sales Kickoff.

This year’s Sales Kickoff was a milestone event for us, as this was the first time in our company’s history that we invited partners from around the world to join our Sales Kickoff Meeting. The reason is simple: partners are not an extension of our global salesforce…they are an integral part of it.

Recognizing the best of the best is a global activity that has stood the test of time. Whether you are reaching back in history to the early days of competition and the quest for Olympic Gold or you are talking about today’s modern business world, teams and individuals are working hard to earn the prestigious honor of being recognized as the best.

And, when you are competing in a partner ecosystem that had 481 partners grow more than 100% year-over-year, these awards truly recognize the best of the best, which is why I wanted to highlight them in this blog post.

We recognized five partners for their superior performance in the following areas: year-over-year growth, enablement, joint planning and services capabilities. And the winners were:

Americas Partner of the Year: Optiv

Accepting the award is Dan Wilson, Executive Vice President of Partner Strategy

APAC Partner of the Year: Telstra

Accepting the award is Euan Prentice, Director of Services Business Development

EMEA Partner of the Year: Dimension Data

Accepting the award is Chris Jenkins, General Manager Security, Europe

Global Distribution Partner of the Year: Westcon Group

Accepting the award is Bill Corbin, Executive Vice President, Global Partner Management and Business Development

Japan Partner of the Year: Techmatrix

Accepting the award is Takaharu Yai, Director Senior Operating Officer General Manager

I want to thank all 548 partners from around the world that joined us in Las Vegas this week. Palo Alto Networks wouldn’t be the company it is today without you, but more importantly we can’t succeed in the future without you.

Let’s accelerate together in FY16.

Ron

[Palo Alto Networks Blog]

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member, Ben Rothke: The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography (2009) by Simon Singh

Executive Summary

It’s not clear who first uttered the quip: “Of course I can keep a secret. It’s the people I tell it to that can’t.” But what’s clear is that there are plenty of times when it’s a matter of life and death to ensure that secrets remain undisclosed.

In The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography, author Simon Singh reveals the often hush-hush world of the science of secrecy.

How powerful are these cryptography tools? Until about only a decade ago, the U.S. Department of Commerce categorized strong cryptographic tools the same way it did F-15s and M-16s (more about that in Chapter 7).

Singh is a particle physicist who understands the science well and, more importantly in the case of this book, knows how to explain those details quite well.

Sit back and be enthralled by the fascinating world of cloak-and-dagger spies, and how without strong cryptography, we wouldn’t have online banking, Amazon Prime, and other things that make life meaningful.

Review

For anyone who ever had to study for the CISSP certification examination, the cryptography domain was almost always the hardest and most intimidating of the ten exam domains. While the ISC2 recently retired the cryptography domain and put it under Security Engineering, any topic with obscure terms such as hash function, public key cryptosystem, side-channel attacks and the like will certainly be intimidating.

The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography, while not a comprehensive overview of cryptography, is a masterful history of encryption by Simon Singh, with a focus on the 16th century to the end of the 20th century. As a history book, it strikes a good balance between writing about the history and providing a good technical and mathematical overview of cryptography.

With a Ph.D. in physics, Singh follows in the footsteps of fellow physicist, Richard Feynman, who was a great explainer. Feynman noted that if a specific topic couldn’t be explained in a freshman lecture, it was not yet fully understood. In the book, Singh spends about 400 pages on this freshman lecture. It’s worth noting that a number of freshman university courses use this book as a reference; it’s that good.

I first became acquainted with Singh when he gave a most entertaining keynote at an information security conference about a decade ago, where he dispelled the claim that Stairway to Heaven contained subliminal satanic messages.

Classic cryptography goes back thousands of years. While the book provides details into cryptography from the times of the Bible, Caesar and more; its focus is predominantly on the modern era, starting with the cryptography used by Mary, Queen of Scots in the mid-1500s, up to the topic of quantum cryptography.

The book covers a wide range of topics, from both a historical and technology perspective. Singh takes a broad approach to the topic and doesn’t focus entirely on ciphers and algorithms, rather he brings historical stories like the Rosetta stone, Man in the Iron Mask, Manhattan Project, Navajo Code Talkers and much more.

While encryption and cryptography have their roots in the world of mathematics and number theory, the book often places a focus on the human elements. While many cryptosystems work perfectly in the pristine environs of a lab, they will fail miserably when incorrectly implemented. Singh gives numerous examples, from Mary, Queen of Scots to the German Enigma cipher machine, where the human element leads to extreme failures.

A number of the eight chapters start with a story, which Singh then uses as a lead to provide the underlying details of a specific aspect of security and cryptography.

For the story of Mary, Queen of Scots in Chapter 1, the message is that the underlying cipher needs to be reasonably impenetrable. In Chapter 4 on cracking the Enigma machine, the message is that even the strongest of cryptography devices finds its kryptonite if its users don’t follow the directions.

Chapter 5, on the Language Barrier, is perhaps the most fascinating chapter in the book. Singh details the story of how the U.S. used Navajo Indians and their obscure language as a means of ensuring the Japanese would have a much harder time deciphering the messages. By the time the war ended, the Japanese had never managed to read a single message sent in Navajo.

The chapter also details the story of the Rosetta stone. While not a cryptographic issue in the common sense, hieroglyphics had been indecipherable for thousands of years. Singh writes how common wisdom at the time was that the Ancient Egyptian language of hieroglyphs should be treated as symbols and not letters. Singh highlights the story of how Jean-François Champollion was able to decipher the stone by using new research showing that the hieroglyphs were indeed letters, not symbols.

Anyone involved with cryptography knows terms such as Diffie–Hellman and RSA on a first-name basis. Those cryptosystems are the very backbone of today’s Internet security infrastructure. Singh does a good job of explaining how they work and what makes them secure. For RSA, it’s built on a very simple premise, that factoring the product of two huge prime numbers is difficult. While most people may be oblivious to it, much of the underlying security for online banking and the Internet is built on top of RSA.

The book closes with the next generation of secrecy, which is quantum cryptography. As a particle physicist, quantum mechanics is Singh’s bread and butter. When Singh wrote the book, quantum cryptography was not a practical technology, and that is still the case.

As a side note, if and when quantum cryptography becomes practical, it would be so powerful as to be able to break every RSA key in existence.

Conclusion

The Code Book was first published in 1999, around the time Windows 2000 came out. While the latter became obsolete in 2005, The Code Book is still quite germane given the value of the information in the book, which is still relevant and of interest.

For those looking for an encyclopedic reference, David Kahn’s The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet is the definitive tome on the topic.

For those looking for a more informal and selected overview of some of the core topics from the last 600 years of cryptography, this book is readable and interesting, and a perfect read for those looking for an introduction to the topic.

Those looking for a captivating and very readable book on the history of modern cryptography will find The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography a valuable read, and one that is certainly worthy of being in the Cybersecurity Canon.

[Palo Alto Networks Blog]

Getting the Most Out of IPv6

What is NPTv6?

IPv6-to-IPv6 Network Prefix Translation (NPTv6) performs a stateless, static translation of one IPv6 prefix to another IPv6 prefix (port numbers are not changed). NPTv6 for IPv6 addresses is similar to NAT for IPv4 addresses. However, NPTv6 does not translate an entire IPv6 address; it translates only the prefix portion of the address. The host portion of the address is untranslated and therefore remains the same on either side of the firewall.

Why Would I Translate IPv6 Prefixes When IPv6 Addresses Are So Abundant?

With the limited addresses in the IPv4 space, NAT was required to translate private, non-routable IPv4 addresses to one or more globally-routable IPv4 addresses. But in the case of IPv6, the reason to translate prefixes is not due to a dearth of addresses. You might want to use NPTv6 to translate IPv6 prefixes for the following reasons:

  • You can prevent the asymmetrical routing problems that result from Provider Independent addresses being advertised from multiple data centers. Asymmetric routing can occur if a Provider Independent address space (/48, for example) is advertised by multiple data centers to the global Internet. By using NPTv6, you can advertise more specific routes from regional firewalls, and the return traffic will arrive at the same firewall where the source IP address was translated by the translator.
  • Private and public addresses are independent; you can change one without affecting the other. That is, you need not change the IPv6 prefixes used inside your local network if the global prefixes are changed (for example, by an ISP or as a result of merging organizations). Conversely, you can change the inside addresses at will without disrupting the addresses that are used to access services in the private network from the Internet. In either case, you update a NAT rule rather than reassign network addresses.
  • You have the ability to translate Unique Local Addresses to globally routable addresses. Thus, you have the convenience of private addressing and the functionality of translated, routable addresses.
  • Your IPv6 prefixes are less exposed than if you didn’t translate network prefixes. However, NPTv6 does not provide security; you must set up firewall security policies correctly in each direction to ensure that traffic is controlled as you intended.
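As an added example (not from the PAN-OS documentation or any Palo Alto Networks code), the prefix swap described above applied to a constructed Unique Local inside prefix and a constructed documentation-range outside prefix: only the routing prefix changes, the host (interface identifier) bits pass through unchanged, and applying the same function with the prefixes reversed gives the inbound mapping, which is why no per-flow state is needed. It follows the page's description as a pure prefix replacement; the RFC 6296 algorithm additionally rewrites one 16-bit word of the address to keep transport checksums neutral, which is left out here.

```python
import ipaddress

# Constructed prefixes for the example (ULA and documentation ranges, not a real deployment).
INSIDE_PREFIX = ipaddress.IPv6Network("fd12:3456:789a::/48")   # Unique Local Addresses used internally
OUTSIDE_PREFIX = ipaddress.IPv6Network("2001:db8:1::/48")      # globally routable prefix advertised upstream


def host_part(addr, prefixlen: int) -> int:
    """Return the bits below the routing prefix (the part NPTv6 leaves untouched)."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << (128 - prefixlen)) - 1)


def translate_prefix(addr, from_prefix: ipaddress.IPv6Network,
                     to_prefix: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """Stateless NPTv6-style mapping: replace the routing prefix, keep the host bits.

    Only the prefix changes; ports and the host portion are never touched.
    Prefix lengths must match so that the mapping is 1:1 in both directions.
    """
    addr = ipaddress.IPv6Address(addr)
    if from_prefix.prefixlen != to_prefix.prefixlen:
        raise ValueError("inside and outside prefixes must have the same length")
    if addr not in from_prefix:
        # An address outside the configured prefix is not a translation candidate;
        # a firewall would forward or drop it according to its security policy.
        raise ValueError(f"{addr} is not within {from_prefix}")
    new_bits = int(to_prefix.network_address) | host_part(addr, from_prefix.prefixlen)
    return ipaddress.IPv6Address(new_bits)


def outbound(addr) -> ipaddress.IPv6Address:
    """Inside -> outside, applied to the source address of traffic leaving the site."""
    return translate_prefix(addr, INSIDE_PREFIX, OUTSIDE_PREFIX)


def inbound(addr) -> ipaddress.IPv6Address:
    """Outside -> inside, applied to the destination address of returning traffic.

    No per-flow state is kept: it is the same mapping with the prefixes swapped.
    """
    return translate_prefix(addr, OUTSIDE_PREFIX, INSIDE_PREFIX)


if __name__ == "__main__":
    internal = "fd12:3456:789a:10::1"
    public = outbound(internal)
    print(f"{internal} -> {public}")          # fd12:3456:789a:10::1 -> 2001:db8:1:10::1
    print(f"{public} -> {inbound(public)}")   # the round trip restores the original
    # The subnet and interface-identifier bits are identical on both sides of the firewall.
    assert host_part(internal, 48) == host_part(public, 48)
```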

See more information on NPTv6 in the PAN-OS 7.0 Administrator’s Guide.

[Palo Alto Networks Blog]

The New PA-7080: Delivering Breach Prevention at Scale

Today we announced the release of our highest-end firewall, the PA-7080. It is pretty common in our industry for vendors to come out with a new bigger chassis with more speeds and feeds. So why is the PA-7080 big news and why is it important?

There is a yawning gap between what large enterprises, cloud providers and telecom service providers need in order to meet their security challenges and the capability of the technologies they have in place today. The basic limitations of those technologies create that gap.

Traditional firewall vendors have focused their efforts on building faster and bigger chassis firewalls but have missed the bigger picture. Their concept of security and scale is confined to how many packets per second their device can process in the course of making traffic decisions based on port, protocol and IP address. While these devices can certainly pass traffic, they are not adding value. They fail to identify and control applications, fail to detect threats and fail to provide an automated closed-loop response that actually prevents successful attacks. In effect, they are passively passing traffic, making security decisions at a layer in the protocol stack that is irrelevant to the modern threats on large-scale networks.

Attempts to address this problem by adding “firewall helpers” in the network or adding full traffic security into old chassis firewalls have not worked. The performance impacts and operational hurdles are too great and ultimately do not add much security value. As a result, our largest and most critically important networks have the least effective security. This is why the PA-7080 is so important.

The PA-7080 architecture provides a prevention capability that scales not just in speeds and feeds, but in the ability to control applications, to identify threats and to deliver real-time automated response. Combining power, intelligence and simplicity, it gives large enterprises and service providers a security capability that is relevant to the threats they face — without compromising the performance integrity of their networks, data centers and cloud infrastructure.

Our engineers made a lot of thoughtful and clever design decisions to make the PA-7080 ideally suited for operation in service provider and large enterprise environments.

For more

[Palo Alto Networks Blog]
