Archive for April, 2008

What part of DR is expensive?

Monday, April 14th, 2008

Simple answer: Data recovery.

Detailed answer: It depends on your RPO expectations and on your data storage/retrieval strategy. If the data is mirrored (in real time or near real time using NAS/SAN), it is expensive, but the RPO can be low. If the data is stored on tapes, it is cheaper, but the RPO will be high.

Companies like NetApp are key players for the first approach (data mirroring), while companies like SunGard are key players for the second.

Security vulnerabilities in SW - Should we worry?

Friday, April 4th, 2008

I was speaking to a VP of IT at a financial institution in the San Francisco Bay Area to understand what keeps him up at night. Two issues: security vulnerabilities in financial SW that was developed in-house, some of it installed several years ago, and telecom applications. Telecom application support is slowly being outsourced to an MSP, so he was not concerned about it in the long term.

Security vulnerabilities in SW can be used as a vehicle to expose private data. Vulnerabilities from inadequately designed or written code create opportunities for attackers to threaten privacy and steal data.

The major vulnerabilities getting a lot of attention these days are:

  • Buffer Overflow
  • Cross-Site Scripting
  • Parameter Manipulation
  • SQL Injection

Tools from companies such as Coverity (SWAT), Fortify (360), Ounce, etc. help detect security vulnerabilities and eliminate them in the place they reside: the source code itself.

Which applications should an organization be concerned about?
Security vulnerabilities can exist in virtually any application accessible via the Internet or other networks. Web applications provide a popular avenue for delivering information and services, which makes them attractive targets for attack. These applications can contain security vulnerabilities that, unless identified by some reliable means, can remain undetected until an exploit is discovered and the damage has been done.

Newer SW development tools, along with coding SW applications with security in perspective (adequate checks and closing doors to threats such as cross-site scripting), would make more robust SW, leading to reduced threats and hence reduced exposure. But this software would still interface with legacy SW applications, and that is where my new connection (the VP) was expressing the top challenge he is facing now.

What are the most common application vulnerabilities that could compromise information security?

The most common application security vulnerabilities fall into two categories:

  • coding errors and
  • design flaws.

Coding errors are programming flaws related to input validation, unbounded parameters and encoding, and they include:

  • Unvalidated sources of input
  • Use of unvalidated input
  • Unvalidated output streams

Design flaws could include the following issues not implemented appropriately:

  • Flawed authorization and access control - Access control and authorization would
  • Flawed authorization and session management
  • Native code and buffer overflows
  • Dynamic code
  • Weak encryption
  • Application configuration
  • Denial of service
  • Network communications - When two applications communicate, one feeding fake data and the other not validating it, the design can be misled, and decisions based on that data could end up as fraud: somebody on the other end could be data-diddling for all you know.
  • Unsupported application interfaces - Connecting to or from an interface that has not implemented security measures can be a nightmare, as the interface cannot be brought down instantly, and even if measures are taken at the receiving end, it costs a lot of processing power there to detect, process and respond with an error code for each data instance. So, the data interface should be treated with utmost importance whenever interfacing with legacy applications known to have no or weak security design.
  • Improper administrative and exception handling

So, what would you recommend to strengthen the security of legacy applications? I will write about that in the next blog post.

PMO or no PMO?

Wednesday, April 2nd, 2008

I can’t imagine a company without a PMO; however, a PMO with lots of project managers can get in the way of achieving annual goals.

What do you mean?

I view the PMO as the platform for delivering projects - a company without such a platform (for discussion, planning, budgeting, allocating, etc.) is probably less successful.

A company can have a mix of Run, Transform and Grow objectives, typically set by senior management and the board. For example, a company trying to put itself on an acquisition track would focus equally on ‘Run’ and ‘Transform’ projects and less on ‘Grow’ projects, while a company in a highly competitive market would focus more on ‘Grow’ projects. A company that has acquired a company (or companies) would focus more on Transform projects.

The PMO is the platform that takes the company objectives of Run-Transform-Grow and helps balance IT deliverables against IT availability.

Bottom line: the PMO is a mandatory department. However, should there be lots of PMs (project managers) in a company? How much is too much?

I do not believe there should be lots of PMs in a company - it has to be right-sized to about 6 high-risk, low-impact or 3 medium-risk, high-impact projects per PM. Having more PMs in an organization can muddle the organization's culture and can interfere with the execution of projects.

Can metrics cheat?

Tuesday, April 1st, 2008

Yes and no.

I constantly see companies use ‘metrics’ with the notion ‘if IT cannot be measured, it cannot be grown’. For example, outsourcing companies offering help desk services, as well as internal service departments, close their tickets once a month; however, does this mean the IT department is efficient? As another example, we see that the security department’s anti-virus team has detected and processed 10% more viruses than last year. Does this mean the information security team is getting more efficient, or that the AV tool is efficient, or that the virus strains out there are increasing?

Metrics without an enterprise objective are useless. Better yet, an organization without a KPI and KGI behind the metrics is totally useless.

For example, for the help desk case above, the KPI is overall customer satisfaction, the KGI is ‘fair to good’, and the ticket-closure metric without customer satisfaction attached to it is useless. Similarly, the KPI for the security example above is hard to define; however, the objective is to be secure against attacks and the goal is prevention. The metrics above are merely nice to have!