Monday, July 28, 2014

Security should be entirely about data

Background - Participants in a panel discussion held on Thursday in Boston among Dell security experts, partners, analysts and customers argued that security embedded in data is not only desirable but, in the longer term, even necessary.
During the event, the Dell 1-5-10 Series, the question was addressed of what the security risks will be in 1, 5 and 10 years and what companies can do about them.
Although it is always difficult to predict anything in IT, the panel members agreed with CTO Don Ferguson of the Dell Software Group that the security model for applications, which has remained unchanged for decades, will no longer be tenable in the future.
The current model, in which the program is responsible for identifying the person and handling that identity, belongs in the bin, says Ferguson. "Data is everywhere. On a device, in the cloud, on networks. You cannot secure every location everywhere, so data has to secure itself. The current generation of applications is not programmed to handle that."

Following data everywhere

According to director Patrick Sweeney of Dell SonicWALL, changing this model can solve the BYOD problem. Instead of focusing on a device or user, it should be solely about the data - not about the device or the network. "You have to be able to protect data, own it, and revoke it."
To accomplish this within five years, three things are needed, says Sweeney. "First of all, data must be encrypted using enterprise key management. That really belongs in every BYOD strategy."
"Next, the data must reside in a virtual container over which I have control, like an embassy that observes my rules and my laws. Nobody else can give it a different meaning, send it out by e-mail, or anything else."
"Finally, I must own the policies that control who has access. If I want to revoke the key, I must be able to press a red button and render the bytes unreadable remotely," he says. Sweeney adds that if the NSA had had such control over its data, it could have prevented Edward Snowden from collecting data and distributing it to journalists.

Sweeney would most like to see having access to data become the same as "watching TV".
Tim Brown, Fellow and director of the Dell Software Group, says this requires the data itself to "understand what the policy should be, how sensitive it is and what the rules for access should be". He says: "Only when we reach that point can we let information flow around more freely."


Such breakthroughs in security, however significant they may be, are still not the final answer. One reason the risk will nevertheless grow is the arrival of the Internet of Things.
Jon Ramsey, Fellow and CTO of Dell SecureWorks, says the convergence of the cyber and physical domains - smartphones, smart cars, the smart grid - is cause for concern. "It gives criminals opportunities in the physical domain that they did not have before," he says.
"Things are being connected to each other that were never designed to be connected, which means we are strongly skewing the risk assessment in a negative direction," Ramsey says.
Then there is the human factor. Vice-president David P. Wrenn of Advanced Office Systems wonders how technology "is going to stop idiots like me from clicking on a malicious link. I think that is one of the biggest challenges our industry faces."

The danger lies in software development

The panel members agreed that the human factor is still, and will remain, the most important element in security. What does not help, according to Ferguson, is that security is still seen as an afterthought in software development. "If civil engineers built buildings the way programmers develop applications, woodpeckers could bring civilization to its knees," he says. "In that sense the Internet of Things scares me."
Executive director Brett Hansen of Client Solutions Software is somewhat more optimistic. He thinks security is moving from IT to the boardroom. "It is going to become a fundamental business discussion, looking for a balance between productivity and security."


http://cio.nl/beveiliging/83347-security-zou-volledig-over-data-moeten-gaan?utm_source=+SIM&utm_medium=email&utm_campaign=20140728-15%3A10%3A02_webwereld_daily_cron&utm_content=&utm_term=_7815

Sunday, July 27, 2014

25.07.2014 Only 16% of fund managers believe AIFMD regulations have a positive impact

A significant 47% of real assets fund managers believe the Directive will have a negative impact on the industry, and 37% believe it will have no noticeable impact
Only a small proportion of fund managers active in infrastructure and real estate think that AIFMD regulations will have a positive impact on their firm and industry, following a recent survey of over 140 managers active in the asset classes.
Nevertheless, almost half (49%) of infrastructure managers and 34% of real estate managers worldwide indicated to Preqin in June 2014 that they would be compliant by the AIFMD’s July 2014 deadline.
Other AIFMD Key Facts:
- 36% of real estate fund managers believe regulation in general is having a negative impact on their industry, compared to 16% of infrastructure managers.
- Almost two-thirds (63%) of infrastructure managers felt the AIFMD will have a negative impact on the industry, with 41% of real estate managers feeling the same way.
- A greater proportion of real estate managers will not market within the EU. 38% of real estate managers indicated they will not market their funds in the region, compared to 26% of infrastructure managers. This may present opportunities for other managers to secure capital from investors based in the EU, with over 2,000 European institutional investors investing in real estate or infrastructure.
JOBS Act Key Facts:
- A notable proportion of real estate managers, 30%, believe the JOBS Act is having a positive impact on their firm and industry, although only 1% of managers surveyed have registered and will market under the Act.
- 18% of infrastructure managers believe the JOBS Act is having a positive impact, with 8% of respondents either already registered or planning on registering under the Act.
- Over 70% of both infrastructure and real estate fund managers either will not market their funds under the JOBS Act, or do not plan to at the moment.
- Increased scrutiny from the SEC was named by the greatest number of real estate managers (18%) as the main reason preventing them marketing under the JOBS Act.

“The recent implementation of various regulations on the alternative investment industry has received mixed reviews from fund managers, with many wary of the additional costs and administrative requirements associated with compliance. In particular, fund managers appear to have a negative outlook on the AIFMD, with many unhappy with the additional cost and administrative burden required in order to be compliant and to continue marketing their funds within the EU.
Regarding the JOBS Act, although this allows managers to market to a broader audience through registration under section 506(c), very few intend to follow this route in the short term, with many firms concerned about increased scrutiny of regulators and the additional costs that advertising would bring, as well as the potential negative perception of wider marketing. Only time will tell whether managers will adapt to and take advantage of the new opportunities created by the JOBS Act.” - Andrew Moylan, Head of Real Assets Products


http://www.iss-mag.com/regulations-and-compliance/only-16-percent-of-fund-managers-believe-aifmd-

Friday, July 4, 2014

The Ultra-Simple App That Lets Anyone Encrypt Anything

Original illustration: Getty

Encryption is hard. When NSA leaker Edward Snowden wanted to communicate with journalist Glenn Greenwald via encrypted email, Greenwald couldn’t figure out the venerable crypto program PGP even after Snowden made a 12-minute tutorial video.
Nadim Kobeissi wants to bulldoze that steep learning curve. At the HOPE hacker conference in New York later this month he’ll release a beta version of an all-purpose file encryption program called miniLock, a free and open-source browser plugin designed to let even Luddites encrypt and decrypt files with practically uncrackable cryptographic protection in seconds.
“The tagline is that this is file encryption that does more with less,” says Kobeissi, a 23-year old coder, activist and security consultant. “It’s super simple, approachable, and it’s almost impossible to be confused using it.”
A screenshot from an early demo of miniLock.
Kobeissi’s creation, which he says is in an experimental phase and shouldn’t yet be used for high security files, may in fact be the easiest encryption software of its kind. In an early version of the Google Chrome plugin tested by WIRED, we were able to drag and drop a file into the program in seconds, scrambling the data such that no one but the intended recipient—in theory not even law enforcement or intelligence agencies—could unscramble and read it. MiniLock can be used to encrypt anything from video email attachments to photos stored on a USB drive, or to encrypt files for secure storage on Dropbox or Google Drive.
Like the older PGP, miniLock offers so-called “public key” encryption. In public key encryption systems, users have two cryptographic keys, a public key and a private one. They share the public key with anyone who wants to securely send them files; anything encrypted with that public key can only be decrypted with their private key, which the user guards closely.
Kobeissi’s version of public key encryption hides nearly all of that complexity. There’s no need to even register or log in—every time miniLock launches, the user enters only a passphrase, though miniLock requires a strong one with as many as 30 characters or a lot of symbols and numbers. From that passphrase, the program derives a public key, which it calls a miniLock ID, and a private key, which the user never sees and which is erased when the program closes. Both are the same every time the user enters the passphrase. That trick of generating the same keys again in every session means anyone can use the program on any computer without worrying about safely storing or moving a sensitive private key.
“No logins, and no private keys to manage. Both are eliminated. That’s what’s special,” says Kobeissi. “Users can have their identity for sending and receiving files on any computer that has miniLock installed, without needing to have an account like a web service does, and without needing to manage key files like PGP.”
In fact, miniLock uses a flavor of encryption that had barely been developed when PGP became popular in the 1990s: elliptic curve cryptography. Kobeissi says that crypto toolset allows for tricks that haven’t been possible before; PGP’s public keys, which users have to share with anyone who wants to send them encrypted files, often fill close to a page with random text. MiniLock IDs are only 44 characters, small enough that they can fit in a tweet with room to spare. And elliptic curve crypto makes possible miniLock’s feature of deriving the user’s keys from his or her passphrase every time it’s entered rather than storing them. Kobeissi says he’s saving the full technical explanation of miniLock’s elliptic curve feats for his HOPE conference talk.
Despite all those clever features, miniLock may not get a warm welcome from the crypto community. Kobeissi’s best-known previous creation is Cryptocat, a secure chat program that, like miniLock, made encryption so easy that a five-year-old could use it. But it also suffered from several serious security flaws that led many in the security community to dismiss it as useless or worse, a trap offering vulnerable users an illusion of privacy.
But the flaws that made Cryptocat into the security community’s whipping boy have been fixed, Kobeissi points out. Today the program has been downloaded close to 750,000 times, and in a security ranking of chat programs by the German security firm PSW Group last month it tied for first place.
Despite Cryptocat’s early flaws, miniLock shouldn’t be dismissed, says Matthew Green, a cryptography professor at Johns Hopkins University who highlighted previous bugs in Cryptocat and has now also reviewed Kobeissi’s design spec for miniLock. “Nadim gets a lot of crap,” Green says. “But slighting him over things he did years ago is getting to be pretty unfair.”
Green is cautiously optimistic about miniLock’s security. “I wouldn’t go out and encrypt NSA documents with it right now,” he says. “But it has a nice and simple cryptographic design, with not a lot of places for it to go wrong…This is one that I actually think will take some review, but could be pretty secure.”
Kobeissi says he’s also learned lessons from Cryptocat’s failures: miniLock won’t initially be released in the Chrome Web Store. Instead, he’s making its code available on GitHub for review, and has taken special pains to document how it works in detail for any auditors. “This isn’t my first rodeo,” he says. “[MiniLock's] openness is designed to show sound programming practice, studied cryptographic design decisions, and to make it easy to evaluate miniLock for potential bugs.”
If miniLock becomes the first truly idiot-proof public key encryption program, it could bring sophisticated encryption to a broad new audience. “PGP sucks,” Johns Hopkins’ Green says. “The ability for regular people to encrypt files is actually a valuable thing…[Kobeissi] has stripped away the complexity and made this thing that does what we need it to do.”


http://www.wired.com/2014/07/minilock-simple-encryption/