Search results matching tag 'Security'

Security--another offshoring risk

StevenSimske — Tue, 17 Nov 2009 16:29:00 GMT

A terse but excellent article on IEEE's USA Today's Engineer site today focuses on the often forgotten--or at least ignored--risk of offshoring. National security.

The full article is at: http://www.todaysengineer.org/2009/Nov/backscatter.asp. The most salient quote is:

"One area the [National Academy of Engineering] study gave relatively less attention to, listing it last in a series of ten findings, was offshoring’s impact on national security. In that regard, its main concern seemed to center on the possibility of detailed plans and other information about U.S. buildings and infrastructure falling into “the wrong hands,” and that maliciously placed code might compromise the security of DOD networks. Yet back in 1988, the Defense Science Board called the dependence of the U.S. military on foreign parts dangerously high."

I have argued in several previous blogs that it is not just national security--but any product security--that may suffer with offshoring. Offshoring is a bandage, not a cure. Always temporary in nature, it is founded on the assumption that labor will be cheaper elsewhere. Cheaper than the differential cost of transportation, shipping, inefficiencies of distributed teams, etc. Guess what? As many are seeing now, the cycle lasts less than ten years, and the first (and second) wave of offshorers are now offshoring themselves. Does this increase product security? Statistics argue otherwise (ref. WEF estimate of counterfeiting as 8% of world trade).

Offshoring makes a lot of sense when those remote, skilled professionals are invested in your company and strategy. Otherwise, it's a short-term fix to a problem that goes unaddressed.

Cheers,

Steve

GS1 Announcement of the Food Recall Portal

StevenSimske — Wed, 04 Nov 2009 15:45:00 GMT

Yes, this is an HP blog, and so you forgive me when occasionally (and inevitably) I take an HP line on an announcement, event or trend. Out of interest of serving the broader anti-counterfeiting/anti-fraud/anti-tamper/customer safety community, I point you to our partner, GS1's, announcement on the HP/GS1 Product Recall program:

http://www.gs1ca.org/Page.asp?LSM=0&intNodeID=6&intPageID=1396

I couldn't agree more with their opening statement:

"November 3, 2009 – GS1 Canada, as part of a coalition of leading Canadian industry associations representing over 65,000 manufacturers, distributors and retailers, today launched a national product recall program that will enhance consumer safety and reduce the administrative burden for business. With the increasing complexities of a global supply chain, this launch could not have come at a more important time."

Further down, you find the statement:

"The Program is founded on a standardized process created by GS1 Canada, the neutral, non-profit supply chain standards organization most well-known for creation and management of the universal product code (bar code), used by millions of businesses worldwide. This global online platform uses robust HP cloud-computing technology and is based on global GS1 standards."

This is a good approach. GS1 provides accepted and well-considered global standards through GTIN, GDSN, etc., as noted in past posts here. Who wants to spend time dickering over competing standards? Not I. A better use of time is working with the industry experts to create a single standard that is simultaneously useful, fair and globally available, and then spend time differentiating applications built atop these standards.

Cheers,

Steve

Cloud Security - New ISACA Whitepaper on "Business Benefits with Security, Governance and Assurance Perspectives"

ArchieReed — Mon, 02 Nov 2009 16:09:00 GMT

ISACA put out a paper on 29th Oct, 2009, titled "Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives"

While somewhat short, this paper is a must read for senior IT and business folks, as it shows that cloud computing still fundamentally requires work in terms of new and updated strategies to mitigate risks and manage governance and regualory requirements in order to truly suceed in broad enterprise computing solutions. Not barring the success of vendors such as Salesforce.com who maintain a huge amount of their own customers CRM data with a very minimal real guarantee of security or even service levels, the broad issue of security in the cloud remains the touchstone for many enteprise conversations.

Cloud Computing holds the promise of offering services on demand that are global, rapidly elastic, cost controlled and with minimal management. However, when you actually try to address the security issues (concerns), such as data loss protection, identity management and those compelling facets of cloud computing start to erode, as security does introduce a level of cost and complexity that most cloud providers are nto fully embracing. Once additonal requriements such as forensics with full audit trails appear, this simple slice of cloud will become a real storm (tropical, .violent, galeforce, unmentionable, or something else, will depend on the stituation).

This is why the efforts of the CSA and others are crticial to get a level of standardized approaches, if not standards themselves, to help organizations adequately deal with this reality. While this is a short paper, it does precede a valuable update and expansion of the original CSA "Security Guidance for Critical Areas of Focus in Cloud Computing".

Looking for that lost waffle?

StevenSimske — Sat, 31 Oct 2009 03:20:00 GMT

Many of you are aware that 2D barcodes--which look like waffles--are becoming ubiquitous for location-based services, mobile commerce, and increasingly point-of-sale and track and trace applications.

Did you know that there are many more you cannot see? They're covert 2D barcodes. And the master at providing reading equipment to find these hidden waffles is John Hattersley of InData Systems. I've had the pleasure to work with him on "ink-specific handheld readers". The concept is simple. The barcode reader has LEDs (or other light source) built-in that are tuned to the excitation bandgap of the covert ink (usually in the UV band), and bandpass filters tuned to the (higher-wavelength) reflected light.

See InData System's brochure (attached below) on John's presentation at the upcoming ITI Security Printing Conference (see http://www.communities.hp.com/online/blogs/securityprinting/archive/2009/09/12/imi-s-security-printing-conference-nov-16-18-2009-baltimore-usa.aspx) for more details. And enjoy the waffles.

Cheers,

Steve

EFPIA Announcment, HP Hosting Services

StevenSimske — Mon, 26 Oct 2009 17:31:00 GMT

Remember the 24 August announcement on the HP/GS1 food recall service? If not, please enjoy as if new the following article:

http://www.communities.hp.com/online/blogs/securityprinting/archive/2009/08/25/big-news-hp-develops-cloud-service-with-gs1-canada-to-enhance-product-recall-process.aspx

This announcement introduced the HP Cloud Computing Platform for Manufacturing, as described here:

http://www.hp.com/hpinfo/newsroom/press/2009/090824xb.html

More on the overall solution, including the roles of partners Siemens, SAP and HP, is provided at:

http://www.controlglobal.com/industrynews/2009/278.html#

"In the EFPIA pilot project, Siemens IT Solutions and Services is the general contractor in cooperation with Hewlett Packard (HP) and SAP. The IT service provider is responsible for the project management and integration of the information interfaces between the pharmacies and the manufacturers. Siemens IT Solutions and Services is also responsible for operating and maintaining the IT infrastructure, including the technology and information systems, data integration, system security and system development. SAP Belgium will be in charge of the SAP object event repository (SAP OER) and the implementation services. Hewlett Packard (HP) will provide hosting services and SAP solutions testing."

The hosting services are through the HP Cloud Computing Platform for Manufacturing, as described earlier. Feel free to contact me for details.

Cheers,

Steve

EFPIA Announcements

StevenSimske — Mon, 26 Oct 2009 17:12:00 GMT

Hi, all

The next few blogs will point you to information on the recent announcement of the EFPIA 2D labelling scheme. The EFPIA is the European Federation of Pharmaceutical and Industries Association.

In-Pharma's article on this announcement is:

http://www.in-pharmatechnologist.com/Packaging/2D-barcodes-make-faking-less-attractive-says-EFPIA/?c=JiBz%2FX6W8967KGa2Liah%2FA%3D%3D&utm_source=newsletter_daily&utm_medium=email&utm_campaign=Newsletter%2BDaily

Importantly, as our partner Siemens notes,

[Siemens] "will provide connectivity for pharmacies and manufacturers to the EFPIA database, which is hosted by Hewlett Packard (HP). Manufacturers will populate the EFPIA database with the serial numbers of the saleable units shipped, and pharmacies will read those serial numbers at the point of sale (via 2D barcode) and authenticate the unit sold against the EFPIA database."

In other words, the cloud enables the crowd. 2D barcode readers are not just in the hands of the pharmacists. Look for us all--corporations, enterprises, brand owners, shippers, retailers, consumers, environmentalists--to embrace this approach. It helps level the playing field for everyone, except--one hopes--the counterfeiters.

Cheers,

Steve

Cloud Security – HP’s CEO finds cloud computing – vague, unsecure, what?

ArchieReed — Tue, 20 Oct 2009 23:01:00 GMT

HP's CEO, Mark Hurd, took the stage today as a keynote speaker at Gartner's Symposium.

Out of the gate we see the headlines such as "HP's Hurd dings cloud computing, IBM" (CNET) and "HP's Hurd: Cloud Computing Has its Limits" (Seeking Alpha).

Leaving aside the grammatical issues with the articles title, and IBM for that matter, let's consider what Mark had to say and what HP thinks are the real issues and real solutions for cloud computing.

Firstly, what about HP's own potential use of cloud computing as quoted by CNET -

"The cloud is real for many consumer services," he said. So why isn't it suitable for HP's core financial records stored in the general ledger? "Security, for one thing. We get about 1,000 hacks a day. They're more sophisticated every month," Hurd said. "Security and reliability is a huge thing. It's unlikely we'd put anything outside the firewall that's material in nature that we couldn't 100 percent secure."

Those in the audience gave me the following insights.

Mark was asked about disruptive technologies and brought cloud computing up as the first example.
Customers that he talks with find the term "cloud computing" too vague... There is a critical need to break it down into clear services and simplify service offerings
"Behind the firewall clouds can do great things"
In front of the firewall, "HP is experiencing 1000 hacks/day"
Mark is NOT in favor of email or financials in the cloud (C/NET article quotes this verbatim)
There is a need for 100% secure clouds
HP will play in 100 percent secure clouds".
Security and Reliability are key...
Critically, Mark talked a lot about security. In fact, he spoke more about security in this cloud context than ever before.

In the broad Security remains the #1 concern or barrier to using cloud computing (definitions aside). IDC recently released their "Cloud Computing 2010 . An IDC Update" report which showed that year over year security not only remains the #1 concern, but in fact grew from 74.6% in 2008 to 87.5% in 2009. What is interesting here is that while security remains the #1 concern for cloud computing, it still does not feature in ANY of the common cloud definitions...

Regardless, HP offers its own views on how to manage the enterprise approach to cloud computing which heavily emphasises security and risk management in general as key components to its strategic use. In fact, this week we published a very high level article on how "Faith-based IT doesn't work in the cloud".

Firstly, when you utilize the cloud, it's critical that you know where your data is, how it's protected, and who can access it. Unfortunately, many cloud service providers don't share these details. Even worse, many make no promises about protecting your data. Here are the key points to consider for a secure approach to cloud computing:

Classify: When considering a cloud service, first classify your data to determine its suitability for the cloud. Doing a cost benefit analysis is an important part of this process. Are the savings of putting data in the cloud worth the risks of breaches in security or privacy regulations?
Assess: Find a service provider that does security assessments to determine whether your application or data is ready for the cloud. The best service providers will determine which compliance regulations you're subject to and help you meet them.
Start with non-sensitive data: Don't begin your foray into the cloud with applications that expose your customers' credit card numbers and bank account information. Start with the less risky applications until you can securely manage the model and your provider's services.
Critically evaluate service provider agreements: Find out exactly how your service provider plans to secure your data and keep it private in the cloud. If your data is critical to the business, demand satisfactory assurances from your provider. These include appropriate terms of service (TOS), acceptable use policies (AUP) and service level agreements (SLAs).
Encryption: Don't leave encryption to your cloud service provider. Make sure you have key lifecycle management in place. Also, using your data classification effort as guidance, encrypt your data as appropriate and necessary.
Insist on transparency: Demand the ability to know what's happening in the physical infrastructure that underlies the virtual infrastructure.

This is a very short article on the issues and how to approach cloud computing in a simpler and more secure manner. Look for much more from us on the HP Secure Advantage for secure cloud solutions alongside our overall HP Cloud Computing Solutions strategy breakdown including: HP's Cloud Assure service enables security and performance in the cloud and HP's Cloud Consulting Services

In Blacksburg on November 12th? Gimme a Holler!

StevenSimske — Tue, 20 Oct 2009 22:40:00 GMT

Growing up, I lived in Eastern Kentucky "for a spell". Rural Rowan (pronounced like "round" without the "d') County, in fact, where the valley I lived in was called "Quail Hollow". As in, a snake bit me and I had to "holler". I lived right next to a "crick" (creek). I only lived there a little over a year, but the accent can come back on demand.

Another beautiful Appalachian spot to give me a holler is Blacksburg, Virginia (http://www.blacksburg.va.us/) if you're on the road in November. A nice little city where the student population is on a par with the town's population. OK, I guess you can get that in Manhattan, Kansas, too, but you might have to drive farther. And you won't have those Appalachians.

So, if you are in the neighborhood, please drop by to catch my talk at Virginia Tech's ICTAS, or Institute for Critical Technology and Applied Science (http://www.ictas.vt.edu/index.shtml). Here's the brief:

ICTAS Seminar Series – Fall 2009

Date: November 12, 2009

Time: 3:00-4:30pm

Place: 310 ICTAS

Speaker: Steven Simske, Hewlett-Packard Labs

Title: “Consumer Safety in a Rapidly Changing World: Security, Identity and Anti-Counterfeiting”

Bio & Abstract: http://www.ictas.vt.edu/pdf/seminarseries_simske.pdf

Cheers,

Steve

Variable Data Printing and Improved Pharma Product Protection and Brand/Customer Interaction

StevenSimske — Wed, 14 Oct 2009 04:18:00 GMT

My previous post was a link to the excellent In-Pharma Technologist blog edited by Nick Taylor. Nick solicited a posting from me back in April, but I could not find it on In-Pharma, so given a 1/2 year grace period, I think its time to post here:

Variable Data Printing and Improved Pharma Product Protection and Brand/Customer Interaction

Pharma brands are concerned with the integrity of their product. All successful pharmaceuticals have one thing in common: they improve the quality of life of the customer. Counterfeit pharmaceuticals, on the other hand, are harmful to both the customer and to the manufacturer; that is, they can simultaneously destroy lives and jobs. Brands pay many times over for counterfeits: loss of original sale, loss of future sales due to erosion of consumer confidence, loss of market capitalization due to perceived non-efficacy of the product, and potential legal recourse as a consequence of the consumer receiving phony goods.

All pharmaceuticals share another important thing in common. Information about the product must accompany the product. From packaging to labels to inserts, this information is conveyed by printing. Therein lies the solution to the problem.

Printing is pre-adapted for its use in security. Useful already in product identification, the variability printing provides is a natural fit for security. Variable Data Printing, or VDP, is the technology enabling the varying of every aspect of a print job. This is advantageous for individually tagging an item—a process called mass serialization. Mass serialization is a means of ensuring that each label, package or document contains a different identifier that can be read (which means interrogated and the data encoded successfully interpreted).

However, VDP can be used for far more than mass serialization in protecting a product. With security VDP, or SVDP, the different printed regions—be they text, image or graphics—contain not just variable data, but usually uniquely variable data. Also, this variable data can be (but isn’t always) read by some type of inspection, authentication or forensic device. That is, every variably printed region contains not just data, but security information. Thus, every region is novel, or unique identified, and so capable of being interrogated for its information.

To prevent counterfeiting, brand owners need to provide a moving target for the would-be counterfeiters, staying one step ahead of them in the deployment of security features. However, this is a tedious game, and often expensive, as brand owners continually research and purchase new deterrents. SVDP offers, however, an innate moving target—the ability to change the very nature of the variability on the fly. With SVDP, a moving target of deterrents is obtained without having to change the technology.

Linking or hybridization is how the set of variable features relate to one other. Examples of deterrent relationships include replication, hashing, sequence fragmentation [sharing the mass serialization data between two or more variable regions], and other techniques for making the multiple variable regions “cooperate” with each other. One particularly powerful method is to use one deterrent—usually one already used for track and trace or point-of-sale—as the registry “look up” sequence from which the signed-in user may then obtain information on one or more other variable regions. The method of hybridization can be changed from one print job to the next, meaning that the would-be counterfeiter must replicate all of the variable features which are monitored to be able to pass the phony product as authentic. Which “extra” features are actually monitored can be varied from day to day, making compliance both simple and thorough.

Monitoring information-containing printed images is getting easier every day. The near-ubiquity of camera-enabled mobile devices, therefore, strengthens the value of SVDP. Already, bar code interpreting software is native or readily downloaded to most internet-enabled mobile devices. Piggybacking image authentication services for other printed patterns is straightforward to implement.

Different variably printed regions can be used for track and trace, authentication, forensics, recall and other contingencies, or just to decoy the would-be counterfeiters. The way in which deterrents relate can be tied to pragmatic product details. For example, if the shelf life of a product is six months, it makes sense to change the relationship between deterrents every six months, so that expired products also exhibit “expired” security strategies. In the meantime, if certain deterrents are being successfully attacked, then adding new variability to the printed material is another way of gathering information on who the counterfeiters might be—insidious insiders, for example, may quickly incorporate these new variable regions, even if they are not tracked by your authenticators, and so tip their hand to you.

Incorporation of SVDP into the printing is straightforward, as there are only three rules: (1) meet compliance standards first, (2) vary several additional regions, and (3) change the relationship between the variable regions (hybridization plan) frequently.

Counterfeiters know all about SVDP, and they’re reading this and other related articles. Recall that there is no security through obscurity—counterfeiters reading this will know what they’re up against, but will not easily be able to spoof SVDP, except one item at a time (which makes the cost of counterfeiting higher). Thus, SVDP offers a means of staying one step ahead of the counterfeiters without running yourself ragged.

Cheers,

Steve

Research on Security and Identity Management

marcocasassamont — Fri, 09 Oct 2009 17:22:00 GMT

The time has come to update the topic (and focus) of this blog.

In the last few years my R&D work and research at HP Labs has been involving a variety of aspects, including security, identity management and privacy.

Most of my posts have actually been reflecting this - hence my decision to update my blog. Hope this will further increase the community of people that are interested and follow my blog.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---