Monthly ArchiveAugust 2017

Security Policies Rebooted

Matt Konda No Comments

Here’s a deep dark secret:  I don’t particularly like security policy.  I don’t always follow policy.  Goodness knows that with the 50-250 page policies I’ve seen, I didn’t even understand the whole policy at a legal level – and if you don’t understand them at a legal level can you really say you’re following them?  Not to mention when one policy contradicts another.

Even at companies with very robust security programs that include policy, it is very common that I approach developers and they don’t understand their companies policy either – like for example what data they need to protect.  At a previous employer, we used to tease the folks that worked on PCI as having a “passion for compliance.”  That was not a compliment.  Policy came to sort of feel like a necessary evil at best.

Then I met and started to work with our CISO Rocio Baeza.  I didn’t know that I’d end up hiring her as an internal policy, governance and risk resource for Jemurai but I’m lucky I did.  Initially, we did policy because many of our clients that needed technical help also needed policies – some kind of rules to follow.

As we challenged Rocio to “get meta” on the problems with policy the way we try to “get meta” with the technical issues we see, she extended and then surpassed our expectations by developing an approach for Agile Governance.  She implemented policies for clients that were short, to the point, readable and in our collective judgment captured the important things they needed to think about even better than the policy “books” we saw.

Writing policy in layman’s terms, with a focus on simplicity, was something that wasn’t immediately easy to appreciate.  The shorter simple policy reads easily and doesn’t feel like it hurts the same way some policies do.  Its like the old quote from Blaise Pascal:

 “If I had more time, would have written a shorter letter.”

We worked hard to make it shorter.  Does that mean it doesn’t work?  On the contrary, we think it works even better.  In fact, it works so well that we captured the policy in a more digestible way so that people could get access to the policies without a whole consulting engagement.  You can now purchase the policy bundle, which includes the core policy, a license and a simple one page implementation guide right off of our website for less than an hour of a security pro’s time.  Check it out:  https://jemurai.com/product/general-security-policy-bundle/ and let us know what you think.

Incubator: Canary Data

Matt Konda No Comments

Incubator

At Jemurai, we have started incubating products.  We love security consulting and the engineering we do there, but there is something amazing about building a product.  In particular, I constantly crave the experience of pushing the limit and trying something new and a little different.  I’m even embracing marketing and failing fast.  So each month, we take an idea out of our product backlog of ideas and try pushing ourselves with it a bit.

Last month, we released a set of simple Security Policy Bundle for $249 that you can download here.  This month, we’re pushing the canary.

Canary in the Coal Mine

What is the canary in the coal mine all about anyway?  Well, miners used to take a canary with them into the mine so that if carbon monoxide levels rose enough to be dangerous, they would know.  The canary would die and they would hopefully get out before the CO caused problems for them too.

In short, the canary is an early warning signal.

How Does Canary Data Work?

The way we envision canary data working is that we provide known data that is bad.  Sounds silly, right?  Except that we track it and know who we gave it to, when and for which of their environments.  Then we search for the known bad (canary) data in increasingly sophisticated ways and when we find it, it is a strong indication that a client has had a breach (of any kind!) at a certain point in time, in a certain location, application, part of their network, cloud, etc.

By tracing which canary data shows up, we can help both notify clients early of potential issues but also pinpoint where and which parts of their operations may have issues.  Its an early warning signal.

Input?

As with any “incubator” project, we have a lot of fresh ideas about how it could work, but it will have to be tested in the wild – so we’re interested in input or anyone that would like to help us test it in the realz.  Contact me to talk further.