Stories by Andreas M. Antonopoulos

Parting Thoughts: The world of security has turned on its head

For the past several years, I have had the honor of writing for Network World in "Risk and Reward." Unfortunately, that time has come to an end as I am leaving the world of independent analysts to pursue new adventures. In my last column, I'd like to explore some of my recurring themes and offer some predictions for the future.

Written by Andreas M. Antonopoulos12 Oct. 11 02:29

Fail a security audit already -- it's good for you

Failing an audit sounds like the last thing any company wants to happen. But that's because audits are seen by many as the goal of a security program. In reality, audits are only the means of testing whether enforcement of security matches the policies. In the broader context, though, an audit is a means to avoid a breach by learning the lesson in a "friendly" exercise rather than in the real world. If the audit is a stress-test of your environment that helps you find the weaknesses before a real attack, you should be failing audit every now and then. After all, if you're not failing any audits there are two possible explanations:

Written by Andreas M. Antonopoulos05 Oct. 11 03:24

Competing for privacy in a social media world

For years, Facebook users have been clamoring for better privacy controls and clarity, while Facebook engineers oscillate between improvements and major privacy snafus. Every now and then a new wave of exasperated users cry out "That's it, I'm leaving". Up to now, users really didn't have anywhere to go after quitting, so they effectively quit the social media scene, self-ostracized (MySpace is equivalent to being exiled, perhaps worse). Now that they have somewhere else to go (Google+), Facebook is ramping up its privacy controls and seems to be taking privacy more seriously. Let the privacy competition begin!

Written by Andreas M. Antonopoulos08 Sept. 11 08:48

The changing face of identity and location security

For two decades, the dominant security model has been location-centric. We instinctively trust insiders and distrust outsiders, so we build security to reflect that: a hard perimeter surrounding a soft inside. The model works best when there's only one connection to the outside, offering a natural choke point for firewall defense.

Written by Andreas M. Antonopoulos15 Aug. 11 20:41

How to be an effective security buyer

In previous columns I have repeatedly emphasized the importance of interoperability and the danger of security fragmentation. Security is so fragmented that it is often hard to discern between hype and reality. Large security vendors try to draw you into a single-vendor closed integration package. Small vendors try to sell you the latest magic bullet, presenting what should be a feature as a whole new industry. Inevitably, you are left to cobble together disparate systems in order to get the depth of defense and layering of controls that you need.

Written by Andreas M. Antonopoulos02 May 11 21:45

Security fragmentation needs to end

A new week, a new rash of attacks against security vendors, email marketers and banks. It would be easy to point fingers and laugh at the irony, especially in the case of security vendors, but that would be both petty and shortsighted.

Written by Andreas M. Antonopoulos14 April 11 07:45

Security will rescue cloud computing

Whenever the topic of security is mentioned in the context of cloud computing, it is usually discussed as the "big barrier" to adoption. The perceived or actual lack of security in the cloud makes it impossible for businesses to make the leap into this new computing paradigm. I propose a different perspective: Security will rescue cloud computing.

Written by Andreas M. Antonopoulos18 March 11 06:46

Security-as-a-service growing

When you ask IT professionals if they use cloud computing or software-as-a-service, most start by saying "no". But if you ask some follow up questions, you will quickly find out about "that one application" that is a SaaS application.

Written by Andreas M. Antonopoulos01 Sept. 10 01:32

Our growing security quagmire

Information security was always an esoteric field but with personal computing came personal security issues, culminating in the identity theft problem that concerns even the most techno-phobic of consumers. It's about to get much worse.

Written by Andreas M. Antonopoulos21 May 10 05:44

Building a data center security architecture

<a href="">Data center</a> architecture has been changing quite dramatically over the past few years. In many data centers, organic growth had left them broken up into <a href="">application silos</a>. The standard three-tier architecture was copied for each application leading to a fairly hierarchical network. In this architecture, some core security services, such as firewalls and intrusion prevention, were concentrated at the root of the network tree, closest to the ingress routers and around any  DMZs.

Written by Andreas M. Antonopoulos11 June 09 03:13

The fantasy and reality of government security

In the movies the government has always got the best toys, the cutting-edge technology and the tightest security standards. Those who have worked on security projects within the government know that in real life government security standards and implementations can vary all across the range from quite serious to laughable.

Written by Andreas M. Antonopoulos05 March 09 11:09

E-discovery and Records Retention

At almost every conference I go to, I get asked "How long should I keep documents, e-mail and other records?"

Written by Andreas M. Antonopoulos04 July 07 12:47

CSO: Regrettable Veto

No CSO has "veto power" explicitly stated in his job description. But security is one of the few things other than money that can bring a project to a screeching halt

Written by Andreas M. Antonopoulos25 June 07 16:14

CIO and CSO: Fox Watching the Henhouse?

The chief security officer is a fairly new position. We first saw it emerge in larger corporations in the late 1990s; these days, it's standard in most organizations. The CSO's role varies, but typically it combines risk management, policy development and investment in security technologies.

Written by Andreas M. Antonopoulos14 May 07 10:54