Categories
Leadership Security

Coronavirus / COVID-19 creates new remote workers

Originally published by me on 4-Mar-2020 on LinkedIn.

Panicking about COVID-19 is silly. But saying it’s all overblown and it’s nothing to worry about and “people-just-wash-your-hands” is silly, too. 

Preparing is wise. 

The latest estimate is that a vaccine could be available in “months.” And even if it’s not this coronavirus that causes the need, something could necessitate it. So it’s at least worth talking about.

IT & InfoSec Leaders: Are you equipped for what would happen if your staff suddenly becomes 100% remote? Obviously not every business could function with a purely remote workforce. There are roles in service, healthcare, manufacturing, construction, and myriad other industries that simply can’t be done from home. But many roles can survive with a much higher percentage of people working in their PJs. 

It seems inconceivable in our society that circumstances could necessitate mass quarantine, but that’s exactly what’s been happening in some parts of China. Thousands of information workers are stuck at home without the means to work: no laptops and no infrastructure to support a 100% remote workforce.

Can we learn from this before it’s too late? Several industry peers are discussing this, and I’m curious to hear what people in my network are doing to prepare. 

Virtual Private Networking for EVERYONE AND EVERYTHING


Are you prepared for when every endpoint in the galaxy wants to connect to your network via VPN so business can continue? 

  • What happens when Bob from Legal wants to install the VPN client on his Windows XP machine and wants to connect? 
  • Is your Data Classification or DLP program ready? 
  • Is your Network Access Control infrastructure ready? 
  • Does your MDM program scale when everyone needs email on their phone right now?
  • How can you ensure compliance with regulatory and legal standards? 
  • How do you ensure that any certifications (e.g. ISO 27001) are still valid when the landscape changes so drastically?

What about VDI?

A Virtual Desktop Infrastructure is surely preferable to trying to secure the Acer laptop Linda in accounting got for Christmas of 2003, right? 

  • Do you have a VDI solution in place? 
  • If it is in place, but only for a limited subset of users and use cases, is it prepared to scale for a massive increase in volume? 
  • Can your servers and licenses sustain that kind of increase? 
  • If you don’t yet have VDI in place, are you accelerating any future plans for VDI or remote workforce controls to accommodate for what could happen? 

Other Solutions?

Vendors like Zscaler offer solutions such as ZPA that promise to render the classic VPN solutions obsolete, defaulting to a zero-trust model. Are you exploring any solutions like this?

Really interested in hearing what, if any, considerations you’re making. 

#security #management #infosec #cybersecurity #accesscontrol #vdi #dataclassification #remoteworkforce #areyouprepared #coronavirus #covid19


Oracle, your disdain is showing.

[Image: Oracle showing its true colors]

In case you missed it, Oracle CSO Mary Ann Davidson provided those of us in the InfoSec world yet another reminder that Security is not a priority – not even for the person to whom it should matter above all else. That evidence was provided by way of a meandering, condescending, and frankly (as an Oracle customer) disturbing rant published on Oracle’s corporate blog. It has since been removed. At least somebody there is thinking.

The text of her rant goes from her apparently lamenting her career choice (interestingly, writing appears to be her passion) to expressing her disdain for security researchers (and chastising them for violating the End User License Agreement), to a mock-FAQ expressing her endless frustration with those pesky customers, to a bizarre discussion about her bookshelf complete with not-at-all-witty stabs at innuendo.

I mean, she actually refers to people who report security flaws (which Oracle determines couldn’t have been found through means other than reverse engineering) as sinners. Seriously?

[Image: let he who is without sin cast the first stone]

Anyone who writes in a public forum understands that not everything you write is taken in the way it is intended. And I am not one of those people who calls for someone to be fired when they make a mistake, but this is not about a mistake. It’s about a Chief Security Officer who has provided ample evidence that she has no business being any kind of “Security” anything.

[Image: greener pastures]

Hopefully Oracle sees this, and Davidson will be able to pursue writing novels full-time; today’s environment has no room for a security officer who leans on EULAs as a security measure and treats people who work to research (driving improvements in security) with utter disgust.

I won’t say too much about this situation. There’s a fantastic breakdown over at ZDNet. If you’re interested — in a train wreck kind of way — the text of the rant has been preserved on scribd. (Because the internet is forever, kids.)