Security after Snowden – what do I need to do?

The implications of the revelations of former NSA contractor Edward Snowden have been much discussed, and many people who were not previously concerned with cyber-security are now wondering what they should be doing. This is a good thing, but the danger has not changed, only the perception of it. Most of the ideas outlined here were well known, at least in broad terms, before this, but those who argued for them were considered paranoid.

If you’ve been asked to put a presentation together, perhaps because your Board suddenly wants to know what can be done, then this, I hope, will be just the article for you. It is intended to be a quick, high-level guide to exactly that. The solution is not all, or even mainly, technical; it is actually a matter of sound service governance, as I’ll describe. So, what to do?

First: don’t panic! There is not very much that can be done in the short term. Rushing about trying to fix firewalls is likely to make things worse; a worthwhile solution must be thought out properly.

Secondly; do you need to do anything at all? Maybe not. It is only worth spending money to address a risk if the risk is credible and, if it happens, will have a large impact. If the worst happened and your most important competitor and all your customers and suppliers, were to see all your corporate information, in detail, would your business suffer? For a good many businesses, the answer is ‘no, not really, not much’. If that is the genuine answer, then there is no need to waste money on expensive security measures. Many companies, on the other hand, would go out of business quite quickly in this situation – for them, it is essential, for good governance, to be certain that a proper cyber-security policy is in place, and then put into action.

What is the threat? Exactly the scenario outlined above. If somebody can access your information through a secret trapdoor in your firewalls, your applications, or your operating systems, then, in principle, anybody can.

Governance and Cyber-Security

The biggest risk to security isn’t technical at all. Anybody in your organisation can, if disgruntled, take what they’re allowed to have access to and share it with your competitor, the regulators or a foreign government. This is always the biggest risk.

How do you mitigate this one? Staff Satisfaction. If you have good governance, so that, as an organisation, you have fair policies, you are a good corporate citizen, so you help your community and you look after your staff by treating them fairly, giving them opportunities for advancement and training them, then you will have satisfied staff who will be loyal to you and won’t wish to let you down by revealing your corporate secrets to competitors.

So the first firewall you need to build is a wall of trust between your organisation and your staff – the same applies to suppliers and customers, you need to make sure that they also are part of your circle of trust so they don’t reveal things that could damage the organisation.

It helps too, because good governance ensures that the organisation is behaving ethically, so there are no skeletons in the cupboard waiting to be revealed by whistle-blowers.

Beyond that, you can make sure that your infrastructure is safe from cyber-criminals, spies (both genuine spies and industrial spies), hackers and so forth. This is not as easy as it seems, so it is worth considering technical solutions to cyber-security in a bit more detail.

Firewalls

The most obvious danger highlighted by Snowden’s revelations was how exposed organisations are to closed-source products whose behaviour they cannot inspect. In the past the simple-minded solution many people saw to security was to put everything behind a firewall. This has three problems:

  1. The firewall itself can be breached through any trap door in its firmware, and such a breach is very hard to detect from inside the network
  2. Even if the firewall isn’t breached, closed-source operating systems can communicate back to the ‘mother ship’ through the firewall through their trap doors
  3. Even if your closed operating systems and closed firewalls are not letting anybody in, your closed applications can be.

On that last point, if you run Microsoft Office, open the activity monitor. Even if you have not used Word for hours, you will see it has clocked up network activity. What is it doing? Among other things, it is connecting back to Microsoft to check that your licence is still valid, and you are paying, in CPU time and bandwidth, for it to do so. If Microsoft wanted it to send other information back in the same connections, would you have any way of knowing? From the outside you can see where a program connects and how often, but not what an encrypted connection carries.

Can you trust any closed-source firewalls, operating systems or applications? Snowden has shown that you can’t. It makes sense for anybody wanting to spy to put their bugs (in the sense of listening devices) as close to you as they can, and putting secret trap doors into these products simply makes sense (to a spy).

Why is open source any different?

It is still possible to put trap doors into open source software. The difference is that you can get somebody to check the software and cut out anything in it that you don’t need or that looks suspicious, and you can get open source software to log what it is doing honestly. Closed-source software can put whatever it wants into a log; if it leaves out certain things it doesn’t want you to see it doing, you cannot even know that they are missing.
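As an added example (not code from the original article), here is the check a practitioner would actually run to answer the earlier question from the network side: an egress audit over per-process connection records. The log format, the process names and the per-process allowlist are assumptions, the log lines are constructed, and the addresses are RFC 5737 documentation ranges. It reports every outbound connection a program makes to a destination or port outside its expected set, and counts connections per program so that unexpected volume is visible.

```python
"""Egress audit over constructed per-process connection log lines.

Added example, not from the original article. The log format, process
names and allowlist are assumptions; addresses use RFC 5737 documentation
ranges. Run: python3 egress_audit.py
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of outbound connections, in the form a host agent or a
# firewall with process attribution might record them (hypothetical format).
SAMPLE_LOG = """\
2013-11-05T09:12:01 host=ws17 proc=wordproc.exe dst=198.51.100.10 port=443 proto=tcp
2013-11-05T09:12:40 host=ws17 proc=wordproc.exe dst=198.51.100.10 port=443 proto=tcp
2013-11-05T10:30:15 host=ws17 proc=wordproc.exe dst=203.0.113.77 port=443 proto=tcp
2013-11-05T10:31:02 host=ws17 proc=browser dst=192.0.2.5 port=80 proto=tcp
2013-11-05T11:05:33 host=ws17 proc=updater.exe dst=203.0.113.9 port=8443 proto=tcp
2013-11-05T11:06:00 host=ws17 proc=wordproc.exe dst=10.1.1.5 port=445 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) port=(?P<port>\d+) proto=(?P<proto>\S+)$"
)

# Per-process egress policy (assumed): the destinations and ports each
# program is expected to talk to. Anything outside this is reported.
EGRESS_POLICY = {
    "wordproc.exe": {"nets": ["198.51.100.0/24"], "ports": {443}},   # licence server only
    "browser":      {"nets": ["0.0.0.0/0"],       "ports": {80, 443}},
}


def parse_line(line):
    """Parse one record; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    return rec


def is_allowed(rec, policy=EGRESS_POLICY):
    """True only if the process has a policy and both port and destination fit it."""
    rule = policy.get(rec["proc"])
    if rule is None:
        return False                  # no policy: not expected to talk out at all
    if rec["port"] not in rule["ports"]:
        return False
    return any(rec["dst"] in ipaddress.ip_network(n) for n in rule["nets"])


def audit(log_text, policy=EGRESS_POLICY):
    """Return (violations, counts): the unexpected connections, and the number
    of outbound connections seen per process so unexpected volume stands out."""
    violations, counts = [], defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["proc"]] += 1
        if not is_allowed(rec, policy):
            violations.append(rec)
    return violations, dict(counts)


if __name__ == "__main__":
    bad, counts = audit(SAMPLE_LOG)
    for proc, n in sorted(counts.items()):
        print(f"{proc}: {n} outbound connection(s)")
    for v in bad:
        print(f"UNEXPECTED {v['ts']} {v['proc']} -> {v['dst']}:{v['port']}")
```

This shows where a program connects and how often; it cannot show what an encrypted connection carries, which is exactly the gap the paragraph above points at. In practice the records would come from a host agent or from a firewall that logs new connections, and the allowlist would be built from the vendor’s published service endpoints.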

If you look on the market, you will find that there are no open source firewalls in the sense of hardware appliances whose firmware you can inspect; open source packet filters (Linux netfilter, the BSD pf filter) do exist and run on ordinary hardware. There are open source operating systems, Linux and the BSD family (let’s hope that in future there will be more, and better ones), open source word processing and spreadsheet software, and other open source applications.

To reduce the risk, where possible, remove proprietary closed-source devices and replace them with open source ones. It would be expensive overkill to throw out everything proprietary at once. Rather, produce a service portfolio and concentrate on the services that are most important to the organisation and replace them with open source solutions first.

If you have a firewall made in China, and a firewall made in the US, you could try putting one firewall inside the other – that way you’re banking on the Chinese firewall blocking the US secret trapdoor and vice versa. Even if this worked, though, you still have the problem with operating system and application trapdoors.

A better solution is to retire the firewall appliances. That seems a bit extreme, but if your firewall is a physical box you can do nothing about the firmware it runs, so don’t rely on it. Make a Linux box your firewall, running a software firewall whose rules you can read and whose logs you control. It may be a bit slower, but it will be safer.

What can be done in the long term?

If you have closed source solutions, see if your supplier can give you, or sell you, the source code. Then you can check that for trap doors and remove anything you think suspicious or unnecessary.

Invest in open source development. There is no reason why an ‘open source’ router or firewall can’t be developed, where the hardware and firmware are all revealed and can be tested to see they have no trapdoors. This takes money, so organisations interested in long-term solutions need to invest in such efforts.

If you are going to have firewalls, make sure that they are governed properly. Do you actually know what the rules are on your firewalls at the moment? Probably not. Usually the rules are written in ‘techie-speak’ and only a few experts know what they are. This is bad governance. Invest in rule-based firewalls where the rules can be set by the policy you have for each service in a way that is understandable to non-technical people.
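As an added example (not the article’s own code or any product), here is what a service-level rule base can look like when it is compiled for the Linux software firewall recommended above: a policy written per business service, a validation pass that reports the mistakes a reviewer should see, and a generator that emits a default-deny nftables ruleset in which every drop is logged. The policy schema, the service names and the addresses (RFC 5737 documentation ranges) are assumptions; the output is text for `nft -f` and is not loaded here.

```python
"""Compile a service-level firewall policy into an nftables ruleset.

Added example, not from the original article. The policy schema and the
service names are assumptions; addresses use RFC 5737 documentation ranges.
Run: python3 svc_firewall.py > svc.nft   (then review before `nft -f svc.nft`)
"""
import ipaddress

# The policy as a non-technical service owner can read it: which service,
# who may reach it, on which port, and which outbound connections it needs.
SERVICES = [
    {"service": "Public web site",     "port": 443,  "proto": "tcp",
     "allowed_from": ["0.0.0.0/0"],     "egress": []},
    {"service": "Payroll application", "port": 8443, "proto": "tcp",
     "allowed_from": ["192.0.2.0/24"],  "egress": ["198.51.100.20:443"]},
    {"service": "Administration (SSH)", "port": 22,  "proto": "tcp",
     "allowed_from": ["192.0.2.10/32"], "egress": []},
]

ANY = ipaddress.ip_network("0.0.0.0/0")


def validate(services):
    """Return the policy problems a reviewer should see before deployment."""
    problems, seen = [], set()
    for s in services:
        key = (s["proto"], s["port"])
        if key in seen:
            problems.append(f"{s['service']}: {s['proto']}/{s['port']} already used by another service")
        seen.add(key)
        nets = [ipaddress.ip_network(n) for n in s["allowed_from"]]
        if s["port"] == 22 and ANY in nets:
            problems.append(f"{s['service']}: administrative access open to the whole Internet")
        for e in s["egress"]:
            host, _, port = e.rpartition(":")
            ipaddress.ip_address(host)          # raises on a malformed address
            if not port.isdigit():
                problems.append(f"{s['service']}: bad egress entry {e!r}")
    return problems


def compile_ruleset(services):
    """Default-deny ruleset: only listed services are reachable, only listed
    egress is permitted, and everything dropped is logged with a prefix."""
    lines = ["table inet svc {",
             "  chain input {",
             "    type filter hook input priority 0; policy drop;",
             "    ct state established,related accept",
             "    iif lo accept"]
    for s in services:
        for n in s["allowed_from"]:
            src = "" if ipaddress.ip_network(n) == ANY else f"ip saddr {n} "
            lines.append(f'    {src}{s["proto"]} dport {s["port"]} accept comment "{s["service"]}"')
    lines += ['    log prefix "svc-drop-in: " drop',
              "  }",
              "  chain output {",
              "    type filter hook output priority 0; policy drop;",
              "    ct state established,related accept",
              "    oif lo accept"]
    for s in services:
        for e in s["egress"]:
            host, _, port = e.rpartition(":")
            lines.append(f'    ip daddr {host} tcp dport {port} accept comment "{s["service"]} egress"')
    lines += ['    log prefix "svc-drop-out: " drop',
              "  }",
              "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for p in validate(SERVICES):
        print("# POLICY PROBLEM:", p)
    print(compile_ruleset(SERVICES))
```

Because both chains default to drop, any shared service the host itself needs (DNS, NTP, package mirrors) must be listed as egress too; the point of the validation step is that such omissions, or an administrative port opened to the whole Internet, are caught in the readable policy rather than discovered in rule syntax only a few experts can read.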

If you do invest in open source development, the most promising area for fast, easily configured and effective cyber-security is the same class of hardware currently being used for Bitcoin mining: FPGAs and custom silicon. They are getting cheaper all the time and are very, very fast. They are seen as difficult to programme, though, and, again, only experts know what they are doing.

There is a solution, though, which is to invest in open source development in Ada for these boxes (FPGAs, or field-programmable gate arrays, to give the jargon). Ada was commissioned by the US DoD with reliability as its main design goal, and its advocates argue that it is faster to write than assembler without loss of run-time speed (VHDL, the hardware description language most FPGAs are programmed in, borrows its syntax from Ada). It should be possible to produce routers and firewalls with no trap doors that can be configured at the service level (so the rules are understandable in business terms) using Ada, but a number of companies need to put up the investment capital to achieve this.

What can I do about it now?

Here is a short checklist of actions that should lead towards a more secure organisation. Not every organisation will need to do all of them, and not all will need to start with them at once, but this is the basis:

Short Term:

  • Audit your staff satisfaction
  • Audit your customer satisfaction
  • Audit your business and technical infrastructure
  • Identify the greatest risks from weaknesses in the above
  • Produce a plan to address these

Medium & Long Term:

  • Fund a programme to govern services.
  • Establish a service portfolio to enable the board to understand which business services deliver most value, what they cost, what risks they are exposed to and how to mitigate those risks.
  • Use this portfolio to prioritise the requirements for the organisation into a corporate requirements register.
  • Design a set of solutions to address these requirements
  • Build business cases for these solutions
  • Execute the plans from the most appropriate business cases

Conclusion

Security has never been a purely technical matter. The best security in the world can be circumvented in a few seconds by a whistle-blower. The correct response is not to panic, but to put in place a set of well thought-out policies and then, through well-designed procedures and processes, make sure that these policies are complied with. It takes time and money, but it is the only route to reaching a tolerable level of security. If you use a modern governance framework, such as that proposed by the King III code, it will ensure that you act as a good corporate citizen, which reduces the risk of whistle-blowers by achieving satisfied staff, customers and suppliers.

It is worthwhile establishing service governance as the organisation’s main governance tool because it enables and improves all business processes, delivering value to stakeholders by ensuring, along with many other things, a proper balance between risk and investment in cyber-security. Decisions to invest in an aspect of security should be based on the appropriate requirements of each particular service and its stakeholders.

Much needs to be done to develop the secure infrastructure that can be used to implement the cyber-security policy. In an ideal world, companies exposed to the risk would invest collaboratively in producing components for secure infrastructure.

Why not suggest to your board, as part of good corporate citizenship (an important part of governance) investing in a secure open source project?


Future of ITIL workshop – a little insight

AXELOS

The following comment piece is contributed by Stuart Rance of HP and Stephen Mann of ServiceNow.

Yesterday a number of ITSM professionals convened in London to talk about the future of ITIL. From the get-go, it was stressed that the purpose of the meeting was to provide input to AXELOS’ thinking and not to make decisions.

Who was involved?

It was a passionate group of people that represented: ITIL authors, examiners, consultants, service providers, vendors, penguins, and AXELOS. The attendees were:

AXELOS CEO, Peter Hepworth and ITSMPenguin

And of course ITSMPenguin. Everyone had opinions and ideas to share and it was a good mix of people.

Some attendees travelled a long way to attend: Anthony from Houston, Sharon from Canada, Jayne from Florida, and Rob Stroud would have attended from New York but for personal reasons. Even though most of the attendees reside in the UK, they work for global organizations and as such have global experience and global views. Notwithstanding this, we all agreed on the need for more input across geography, culture, industry, and language.

If you wish to provide your input please respond to this blog (in the comments section) or email AXELOS direct.

Community input

You can already see much of the input in things people have shared with the ITSM community:

Scope and content of ITIL

The discussions included the scope, content, and structure of both ITIL and the ITIL exam system, and started with people suggesting ideas for strategy and principles for ITIL going forward. It was surprising how long this took (shouldn’t we already know this?) and, not surprisingly, everyone agreed that ITIL should be driven by business and customer needs.

Other suggestions related to:

  • Having a visible set of values
  • Separating architecture and structure from narrative and examples
  • Collaboration with a wide community of practitioners, examiners, trainers, consultants, vendors, and industry bodies across geographic and industry boundaries
  • An emphasis on relevance to end-user organizations
  • Quality being more important than time to market.

From a content perspective, AXELOS introduced the concept of what it calls the “Onion Model”, shown below, that encompasses the previous feedback on how there is a need for different types of content and, importantly, community input to the ongoing development of ITIL.


Where:

  • The centre has the very stable ITIL core
  • The next layer has modular content such as role or industry-specific information
  • And then further layers have more practical content such as templates, guides, and case studies
  • The very outside layer is community owned and community driven with AXELOS and the community curating and promoting this

Content is able to move inwards as it becomes accepted best practice.

Training and exams

The workshop group

We discussed the importance of people, culture, and organizational aspects. In particular the need for more practical guidance about how IT organizations can benefit from the experience of others, and how they can start to gain value from ITIL within their own organization.

There was a lot of passion around training and exams. An interesting point was the absence of guidance on the development of skills such as negotiation and management as part of effective IT service management. Everyone recognized the need to make the exam system more valuable to both individuals and employers. But there was a consensus that any change requires more input, more time, and needs great care not to disrupt the status quo. Again, if you have an opinion as to the future of ITIL exams, please respond to this blog or email AXELOS direct.

Next steps

Following day two of this workshop (a second blog will follow), AXELOS will continue to seek out global community input.

If you want to follow what’s happening, please look for their communications on Twitter or Google+

As always, thoughts and comments are encouraged.

So you want to be an ITSM consultant?


Why not pit your wits against Peter and analyse this financial services case study. Do you agree with Peter’s analysis? How would your diagnosis differ?

Case Study Introduction – The scenario

By Peter Brooks.

There’s an interesting article on Financial Trading systems here. It raises many questions, and I thought it would be interesting to see how a consultant would tackle it if asked by an organisation to give service management consulting on the future of its trading systems.

It’s often easier to tease out the important matters by looking at a specific example.

So, here’s your mission: You’re new to the world of consultancy, though you’re fairly familiar with service management and you have a background in IT. A friend of yours in the financial world has recommended you. He has convinced the trading manager that you can help him improve his bottom line with a consultancy exercise. What would you do?

Scope – terrifying!

You’re completely new to this world. You’ve seen both the ‘Wall Street’ films, and you’ve got a picture. People in this world are seen as brilliantly clever, hugely impatient, highly aggressive and not the sort who lose many nights’ sleep worrying about the ethics of their actions. So that’s the stereotype.

So the first question, as an inexperienced consultant, is: ‘Should I take this job at all?’ A good question. You should ask this about every consultancy job you ever have, actually, and consider the answer seriously. Not just because it’s the right thing to do, but because it will help you think out your approach before the engagement and help you understand the big picture of what you’re going to be doing before you are too lost in the fast-moving detail to have time to spare for big-picture thinking.

A list of pros and cons helps – particularly if some allow you to rule it out or rule it in depending on what you hear when you first meet your client.

Pros

  • If it works out it’ll be great for the CV, give you a useful insight into the financial world and might even make a difference to the world as a whole, in a positive sense.
  • They know that you’re young and inexperienced, so they’ll probably ignore what you say anyway – it’s more being done as a favour, so, if you get it wrong, you may not do too much damage.
  • It’ll impress everybody to know that you’re working in such a high-pressure environment, particularly if they don’t know all the details.

Cons

  • If somebody does take you seriously, and you get it all wrong, then you might contribute to yet another crash and huge misery for millions, if only in a small way.
  • Some people may be impressed, but some of your more environmentally friendly friends may never talk to you again.
  • If your scope is limited to advising on one particular financial system, financial service or IT system, you truly don’t have the knowledge or experience, so you must say “no”.
  • If you do discover major risks, serious ethical problems or other dangers, you must make sure that you are not made complicit. So you can ask your client, at the first meeting, what you should do if you do discover these. If you are told that you’d have to cover them up, then walk away. If your answer is that you should produce a private report for the board if that happens, or similar, then things look set fair.
  • Will you have enough time to find out what you need to know? Make sure, at the first meeting, that you’ll be able to meet and interview all the major stakeholders to get a proper understanding of the situation. If you’re expected to talk to only one or two people, then you might accept the job, but make sure it is understood that your result will be tentative and a first-pass effort.

The last three are the important ‘cons’. At least now you have something to talk about at the first meeting.

Your approach

Expect to be asked how you will approach the assignment at the first meeting. This is easier than you think because you’re not going to ‘wing it’ on your own, you’re going to be using industry standard advice on service management to guide you.

First you’ll need to understand what the business is actually doing and why and what your role is going to be in helping them. This is known as ‘enterprise analysis’ and, in this case study, we’ll be using the article from The Register.

Next you’ll need to identify the stakeholders and understand their various requirements, at least at a high level.

Then you’ll use this to build a preliminary picture of the services and service strategy that the company is following, and gain an idea of the strategy it should be following to achieve good governance.

Finally, based on this understanding, you’ll be recommending a road map, with a picture of the first steps to be taken, and that will be the basis of your final report.

So, let’s pretend we’ve had that first meeting and go through the steps, based just on our knowledge and on the brief outline in the article. Remember that this is just an exercise and that you’d have to do a lot more proper work in any real situation!

Enterprise Analysis

Some firms trade on their own account and that is their main business. This requires a considerable amount of money and is, consequently, not so common. More usually, the trading entity is part of a larger financial organisation, a bank, a hedge fund, an insurance company or similar.

The particular trading this article is about, ‘high-frequency trading’ or ‘algorithmic trading’, is usually used for a small portion of the company’s overall wealth, with the aim of reducing risk and increasing return.

The reason that you’ve probably been asked to come in is that this form of trading, though fairly new and, in some ways, very dangerous, is surprisingly unprofitable. It costs a lot of money and doesn’t produce much return despite the high risk it involves. So little is lost getting your advice because they can try it without losing much and, if it works, they can gain enormously. This should help with some of your fears about the ethics of being involved – if you can reduce the risk, at least, you’ll be doing good for most of the stakeholders.

Stakeholders

Let’s look at the stakeholders, and their main requirements, from the most remote to the closest to your direct client:

  • The general public: less volatility, market growth based on genuine value of the underlying stock.
  • The financial world: less volatility, market growth, reduced risk of short-term losses (avoiding another ‘flash crash’)
  • The bank who’ll be paying you: reduced risk, increased profit, fewer missed opportunities, better governance of trading services
  • The trading team: increased profit, reduced risk, beating the market, medium term stability
  • The technical team: faster trades, better intelligence, better forecasting (short & long term), lower risk from software bugs, use of latest hardware technology, better algorithms, ability to change algorithms more quickly, more confidence that algorithms are accurately implemented.

Requirements

As is often the case, the solutions (the software and hardware) change often, but the requirements are long term. You’ll need to understand what this company and trading team have as their particular requirements, and recommend setting up a requirements register, but the stakeholder analysis provides these:

  • Improved governance
  • Reduced market volatility
  • Market growth
  • Recognition of underlying stock value (should the trading team trade in their own Bank’s stock, possibly to its disadvantage, for example?)
  • Reduced trading risk
  • Increased trading speed
  • Increased profit
  • Improved forecasting
  • Fewer bugs

Some of these appear contradictory, some are inter-related. From the point of view of ethical consultancy and the concern of most stakeholders, the key ones are – governance, reduced risk (which includes volatility, bugs & poor forecasting) and increased profit.

Services, risks issues, strategy and governance

It’s likely that, as the article describes it, the trading team is not thinking in terms of business services, but, rather, in terms of technology. It’s important to separate the various services to understand the investment cost and return of value per service, rather than just lumping them together. The actual services as perceived by the business would emerge in discussion, but a few obvious ones are:

  • Fast buying service
  • Fast selling service
  • Forecasting service
  • Risk analysis and management service (micro-risk)
  • Algorithm design & deployment service
  • Algorithm Service X – each algorithm has a cost/value profile based on risk, cost, stability, average & max/min of profit/loss in short, medium term

The issues are:

  1. Poor Governance: It’s pretty clear that the risks are very high because only the technical team understands the algorithms, the forecasts and the technology, so there is no way that effective governance can be in place at board level when even the trading team can’t quantify the cost/value ratio for their services.
  2. Poor stock recognition: The emphasis on speed means that only a limited reference can be made to the medium and long-term underlying value of the stock. So software can easily be led into a bubble caused simply by instability, like the flash crash.
  3. No Control: The development and deployment of algorithms, forced by the technology, leads to poor control, high risk of error and poor forecasting
  4. Instability: The use of technology such as FPGAs means slow development times, high error rates and poor understanding of how the algorithms are actually working – reinforcing the lack of stability, high market volatility and poor governance. The banks don’t know what their machines are doing, and don’t know if they’re even delivering value for the bank, they may even be destroying value.

Recommendations

There are major short-term risks – of the worst sort, governance risks. No short-term solution is going to address them. It is, though, urgent to put in place some longer-term structures that can reduce the risk in the medium to long term.

  1. A service portfolio should be constructed for all business carried out by the trading teams, so that particular deployments of hardware and software can be understood in terms of the value/cost ratio, based on a genuine understanding of risk, volatility, forecasting accuracy and measured profit/loss ratios in particular markets
  2. Metrics need to be designed to measure the effectiveness and efficiency of these services
  3. A requirements register should be produced so that algorithm design and deployment can be tied to compliance, corporate strategy and policy as well as trading team objectives. This must be tied to the corporate risk register
  4. A plan must be produced to replace the high-risk development techniques being used. Firmware design and development of ASICs, GPUs and FPGAs is slow and error prone if carried out in low level logic design, assembler/microcode or unreliable languages such as C++. This should all be replaced by a corporate policy to use only Ada as this is reliable, documents properly, is designed for embedded systems of this nature, and is quicker to develop and faster (this is proven empirically) than assembler or microcode.
  5. Forecasting must be designed to incorporate board policy, longer-term views of the value of stock and to use the power of Ada to reduce volatility by enabling decisions to incorporate longer views.
  6. Staff need to be trained in service management to understand the service metaphor and to start to understand the contribution of services in terms of their contribution to business value, not simply to technical short-term gain (even if the algorithms themselves actually exploit this)

Do you agree with Peter’s recommendations? 

Further Reading

For more advice on ITSM consulting check out Peter’s publications:
