It’s time to sit down and think about the past year. This 2013 was definitively one of the busiest of my career, I’ve never traveled so much, mostly across Telcos, ISPs and biggest companies of Germany, UK and Switzerland. But it was as well one of the worse year in security, especially when it comes to passwords.
Crackers were able to get Adobe encrypted passwords for approximately 38 million active users. Evernote had a security breach with stolen information from the user base, forcing them to reset all passwords. And more than 2 million accounts have been compromised from popular sites such as Google, Yahoo, Twitter, Facebook and LinkedIn after malware captured login credentials from users worldwide. This just to mention some highlights of this year in the consumer space.
Just imagine what happened o could potentially happen in a corporate environment and how many trade secrets, inventions and personal confidential information are at risk. Passwords are definitively over and cannot be considered a secure method to protect information in a cloud world. That’s why I consider 2014 the year of Cloud IAM (Identity & Access Management).
What am I doing to help?
- When involved in designing OpenStack architectures for Canonical, I am very conscious in implementing security as it should be. Most of the world’s biggest hosting and housing providers are having issues on misuse of their infrastructures. The biggest issue is that they cannot control and enforce security in their guests and Gigabits, or even Terabits, are wasted in botnet and coordinated attacks.
- I am driving SecurePass to be able to handle groups and access policies for web-based applications, as well as in RADIUS and LDAP. Moreover, during 2014 we will release a beta of the public APIs with the same security and segregation of the existing protocols. Through APIs, customers and partners can build lot of new applications, provisioning and more.
- IBM labs with my cooperation created a SecurePass plugin for WebSphere applications. With this partnership, I helped protecting two of the largest financial companies across Europe, helping them to reduce costs while increasing protection and confidence in their extranets and applications accessed by 3rd parties. Public reference will be published in 2014 by both IBM and GARL.
- I am cooperating with Google’s engineering team to enhance Ganeti, Google’s virtualisation platform that is used to manage Google’s internal corporate network. GARL’s SecureData is the result of our co-operation, bringing the reliability of Ganeti with the protection to SecurePass to help companies reducing the costs of their VMware installations. SecureData is available on Debian, Ubuntu, CentOS and RedHat Enterprise Linux (RHEL). Early 2014 it will be installed in the Labs of a popular italian telco.
- GARL traditionally offered Vulnerability Assessment and Penetration Tests. These audits usually targets banks and ISPs, but there’s specific cases in which even medium-sized companies should need a security audits (ex: healthcare, factories, …). GARL introduced EasyAudit in its offering an “audit package” in cooperation with ISGroup, headed by the well-known and respected Francesco Ongaro, that mixes security with affordability. Myself and Francesco were the auditors that acted on behalf of Symantec when the well-known firm used to deliver VA and Penetration Tests in Europe, so who better than us can deliver these services?
- As always, I’m trying to write papers to help people understand how security and quality are important during a project. Most of the time it’s not a waste of time, it could take less than what you expect (or other company are trying to sell you), but on the long run you will save time, money and … headaches!
Let me thank you publicily my wife Maria, she’s sustaining me on my decisions and she understands the massive amount of travel I am doing. A big thank you goes to Donatella, my right-hand woman and my invaluable assistant, as well as all my staff at GARL.
Wish you and your families a joyful 2014.
Giuseppe Paternò