Tag Archives: book

Enterprise Security – A Data Centric Approach – A brief review

05 Wednesday Feb 2014

Posted by in Book Reviews, Books, General, Packt, Technology

Leave a comment

Tags

, , , , , , ,

So I have previously blogged a series of largely chapter by chapter reviews of Aaron Woody’s book Enterprise Security – A Data Centric Approach. This post tries to provide a brief summarised view pulling my thoughts of the book overall together.

As an Enterprise Architect I took an interest in this book as an opportunity to validate my understanding of security and ensure in the design and guidance work that I do I am providing good insights and directions so that the application architects and developers are both ensuring good security practices and also asking the helpful information available to other teams such as IT Security, operational support and so on.

The book has been overall very well written and extremely accessible to even those not versed in the dark arts of IT Security. Anyone in my position, or fulfilling a role as an application designer or product development manager would really benefit from this book. Even those on the business end of IT would probably benefit in terms of garnering an insight into what IT Security should be seeking to achieve and why they often appear to make lives more difficult (I.e. putting restrictions in, perhaps blocking your favourite websites).

So why so helpful, well Aaron has explained the issues and challenges that need to be confronted in terms of Security from the perspective of the organisations key assets – mainly its data (certainly the asset that is likely to cause most visible problems if compromised). Not only that the book presents a framework to help qualify and quantify the risks as a result device a justifiable approach to securing the data and most importantly make defensible cases for budget spend.

I have to admit that the 1st chapter that that introduces the initial step in the strategy was a bit of a struggle as it seemed to adopt and try to define a view of the world that felt a little too simplistic. The truth is that this the 1st step in a journey, and in hindsight important – so stick with it.

Once the basic framework is in place we start looking at tooling strategies and technologies to start facilitating security. The book addresses categories of product rather than specific solutions so the book isn’t going to date too quickly. The solution examination includes the pros and cons of their use (e.g wifi lock down) which is very helpful.

Finally to really help the book comes with a rich set of appendices providing a raft of references to additional material that will help people translate principles into practice.

To conclude, a little effort maybe needed to get you started but ultimately a well written, informative, information rich book on security.

Previous blog entries:

There is also a supporting website for the book athttp://www.datacentricsec.com/
Enterprise Security - A Data Centric Approach

Enterprise Security – A Data Centric Approach – the final chapter

05 Wednesday Feb 2014

Posted by in Book Reviews, Books, General, Packt, Technology

1 Comment

Tags

, , , , , ,

so I have reached the final chapter of the book which covers the handling of security events and security incidents (the differentiation of the two being the consequences of the event – a piece of malware being detected on a desktop can an event as the consequences are relatively trivial compared to the defacing of an e’tailer’s website).

I have to admit I glossed through this chapter as my role within an organisation doesn’t demand the operational management of issues. That said, the book provides some clear guidance on how to develop a process to support the handling of a security issue – important as you don’t want be figuring these things out when something happens, you want to get on and focus on execution. s with previous chapters, this well written and doesn’t demand knowledge of security dark arts to get to grips with.

The book finishes with a series of appendices which provides some illustrative information for chapters in the book, plus a series of appendices of really useful additional reference information sites cover a spectrum of information from security education resources to security tools.

This series of blogs on this book will wrapped up with a short review of the whole book. But I would like to congratulate Aaron Woody on a fine book rich with helpful additional information.

Previous blog entries:

There is also a supporting website for the book athttp://www.datacentricsec.com/
Enterprise Security - A Data Centric Approach

Vinyl Junkies – Adventures In Record Collecting A Review

09 Thursday Jan 2014

Posted by in Book Reviews, Books, Music

1 Comment

Tags

, , , , , , , , ,

So I’ve been luxuriating in reading some books more for the pleasure of it (rather than technical stuff to help authors or the day job).  This book is about, record collectors, the act of record collecting and the general love for music both mainstream, obscure and just down right freaky. For the music fan this is Mills & Boon reading.  For those related or taken on the challenge of a partner who is a record collector an insight into the mind of your loved one.

The books tries to explain the passion of collecting from many different perspectives, through the eyes of collectors (some famous – like Peter Buck (of REM fame), Robert Crumb (cartoonist) and Thurston Moore (Sonic Youth), others not so famous but equally obsessed. From a psychologist point of view – clinical (relationship to low sertraline) to psychotherapy.  As a result we get discussions about the sensuality of vinyl and wonderful quotes like “CDs are like sex with a condom”.

We explore the kinds of collecting that go on – from types of records – old pre-war 78s, 1st issues of records, special prints like shaped coloured vinyl, those quickly taken out of circulation through to records that just seem to be rare and then the plain odd like albums commissioned by Listerine (the mouthwash) advocating the product’s wonders to people thinking they’re going to make it big putting out just tuneless oddities, to the child like contributions like Sammy Squirrel Teaches the Multiplication Tables (Which apparently has a publisher’s address on the cover of The Metaphysical Motivational institute, Drawer 400, Ruidoso, NM) and psychotic wonders such  as “Sit on My Face, Stevie Nicks” by the Rotters and Naughty Rock ‘n’ Roll by the P-Verts or maybe various artists on the Sugar Tits Label.

As the book progresses we get a chance to be taken on an exploration of the validity of the portrayal of collector/obsessive music fan portrayed in Nick Hornby’s book High Fidelity by the character Rob Gordon (portrayed by John Cusack in Stephen Frears‘ cinematic adaptation);  music collectors are geeky single men that can’t sustain a relationship etc.

The book is however 10 years old – and sadly doesn’t reflect how the rise in Mp3s has impacted.  As everything get ripped and becomes for ever available (legally or illegally) on the web, what is happening to the passion of the hunt for the mysterious, weird and rare?  Who knows, but its fun hearing the stories.

Vinyl Junkies

Enterprise Security – A Data Centric Approach – Chapter 4

01 Wednesday Jan 2014

Posted by in Books, General, Technology

3 Comments

Tags

, , , , , , ,

Continuing into a chapter 4 of
Enterprise Security: A Data-Centric Approach to Securing the Enterprise by Aaron Woody we start to look at some technical aspects of security and technology covering things like the capabilities of new generation of firewalls, DNS security and so on. The information is presented in a very readable manner.

As an Enterprise Technology Architect, and having security specialist friends I thought I was reasonably well informed in this aspect of IT, but the book still taught me me things. Interestingly, perhaps not intended but the chapter left me with a number of things that could be incorporated into development governance that would make the work of network security a lot easier.

The chapter continues with lots of really helpful references many, maybe all are incorporated into a series of appendices that are full of helpful information references and links. If these are made available on the book’s website (see below) it would likely become a must go to site for security resources.

It does leave me asking one question how does this all fit in when using a PaaS solution such as those offered by the likes of Amazon and Rackspace?

Previous blog entries:

The book has been published by Packt (who at the time of writing are running a promotion – more here)

There is also a supporting website for the book at http://www.datacentricsec.com/
Enterprise Security - A Data Centric Approach

Enterprise Security – A Data Centric Approach — Chapter 3

29 Sunday Dec 2013

Posted by in Books, General, Technology

5 Comments

Tags

, , , , ,

So I’m back to reading Enterprise Security: A Data-Centric Approach to Securing the Enterprise by Aaron Woody. I’ve not finished reading the book yet but as I’m reviewing one or two chapters at a time, I thought I’d blog about Chapter 3 – particularly given its value (previous blog entry here and here).

Chapter 3 goes by the name of Security As A Process, which addresses the processes to determining security risk, the analysis of cost benefit of implementing security features to address those risks. The chapter then goes on to provide guidance on defining good policies and standards.

In hindsight the process for determining and analyzing the security risks and classifying them is fairly obvious – it took the reading to to draw the points and the mechanisms into focus. But the fact it makes sense in hindsight suggests that the approach the workability and the chance for the business to understand the risks and challenges being taken on.

The chapter also provides some really good information sources for people to use to support the adotion of the processes described. Some I’ve known about such as the SANS Institute others I hadn’t.

I have to say that based on the strength of this chapter alone I’d recommend the book to any architect who is seeking to develop practical appreciation of addressing security considerations or understand what they should be looking for what to ask for in a new organisation. Those trying to drive up the quality of processes or get across the need for a more proactive security strategy that is also pragmatic – reading this chapter alone should help provide some serious points to get a handle on things.

The book has been published by Packt (who at the time of writing are running a promotion – more here)

There is also a supporting website for the book at http://www.datacentricsec.com/
Enterprise Security - A Data Centric Approach

Appetite for Self-Destruction: The Spectacular Crash of the Record Industry in the Digital Age

29 Sunday Dec 2013

Posted by in Book Reviews, Books, General, Music

Leave a comment

Tags

, , , , ,

With the holiday break, I’ve had a bit of time to get through some reading, including finishing Appetite for Self-Destruction: The Spectacular Crash of the Record Industry in the Digital Age. This an excellent book on how the music industry has managed to shoot itself in the feet a number of times (and with a canon at that); although it does only cover events upto 2008 (as we enter 2014 it would be brilliant to see an additional chapter to get insight into how the resurgence of vinyl and the rise of Spotify has impacted thinking – beyond the deadlines of complaints by the likes of Thom Yorke about Spotify).

Thw book feels well researched (certainly references hold testimony to this), but at the same time it doesn’t read like a dry academic read that you would associate with such a well researched text. But given the attitudes and behaviours of some of the individuals in the big labels their egos run riot far more than most of the ‘rock gods’ that they’re trying to sell.

Steve Knopper has done a great job with the book and I’d recommend it to anyone interested in music or how technology such as peer-to-peer has impacted the media industry. You dont need to be a music fiend or geek to find this a satisfying read.

Steve’s website is http://knopps.com/
 

Books, Books & More Books

15 Tuesday Oct 2013

Posted by in Books, Technology

1 Comment

Tags

, , , , , , , , , ,

The blog posts have been a bit slow of late as I’ve been deep into reviewing books for Packt Publishing.  But thought I’d share the fact that Packt are running a big promotion at the moment, offering 50% off all their books if you use the discount code COL50 as part of the celebration of Columbus Day.  The offer currently runs until the Thursday 17th October.

As for books, well I’ve just finished reviewing the Apache Camel Developer’s Cookbook by Jakub Korab and Scott Cranton (Amazon have it currently listed as Camel Enterprise Cookbook.

The version of the book I’ve reviewed was very, very good. I have to admit I went into reviewing this book with high expectations given the fact I’ve worked with Jakub and know the calibre of his output whilst he was consulting for FuseSource (now part of RedHat JBoss) and I’ve not been disappointed.

You can read the book as either a guide to Apache Camel as each recipe builds upon the preceding recipe; or as a dive in as you need a solution to a problem as each recipe pretty much stands up in its own right (cross referencing other supporting recipes or key preceding recipes).  The book explains not only how to do something – from simple routing & filtering through to XA transactions with one of the leading orchestration technology frameworks.

From Jakub & Scott’s fine technical guide, I’ve started to look at a book on Applied SOA Patterns on the Oracle Platform part of Packt’s Enterprise series of books.  I cant say too much on this book yet – it is going to be a fairly chunky book at around 500 pages.  Will post more once we’ve got well into the book I’m sure.

Enterprise Security – A Data Centric Approach

16 Tuesday Jul 2013

Posted by in Books, mindmap, Packt, Technology

6 Comments

Tags

, ,

Enterprise Data SecurityAs I work my way through the Aaron Woody book Enterprise Security: A Data Centric Approach to Securing the Enterprise I’ve been building a mind map of helpful notes -to help serve as a reminder or means to quickly drill back into the book for future reference.

The mind map has been build using freemind – it isn’t the prettiest of documents, but content is king here.

Freemind Mindmap as an image https://www.dropbox.com/s/u1ggk7exi6t0t3o/Enterprise%20Data%20Security.png  as a Freemind file https://www.dropbox.com/s/lf53fs63c4x1v91/Enterprise%20Data%20Security.mm freem,ind can be obtained from freemind.sourceforge.net/

Enterprise Security: A Data-Centric Approach to Securing the Enterprise – book review chapter 2

14 Sunday Jul 2013

Posted by in Book Reviews, Books, Packt, Technology

6 Comments

Tags

, , ,

Enterprise Security - A Data Centric Approach to Securing the Enterprise

Enterprise Security – A Data Centric Approach to Securing the Enterprise

Continuing with the review of Enterprise Security: A Data Centric Approach to Securing the Enterprise by Aaron Woody having given a bit of history and motivation for an alternate approach Chapter 2 of the book starts describing the data centric approach.

We start out looking at why network boundaries need to revisited – as a result of BYOD, closer integration with business partners, collapsed/simplified software stacks etc.  Then go into defining in more details the data centric views and how t go about building a trust model for identifying what needs to be secured. A trust model looks at the different dimensions that can impact data:

  • Data (what actually are we protecting – is the data your commercial crown jewels such as a customer list, classifying the data to understand its characteristics, where is it located and so on)
  • Processes – what can be done to data
  • Applications – systems interacting with data
  • Users – differentiated from roles – their relationship to the data employees, contractors, third parties etc
  • Roles – the roles people have to perform, system admins, data stewards etc
  • Risk – as you can never guarantee everything, what are the consequences of a breach
  • Policy & Standards – legal requirements e.g. HIPAA, PCI DSS, DPA plus internal corporate policies

With the guidance to help gather the information you can start to build a profile of your data and the need (or not) for security with challenges and risks that need be addressed to achieve this within an organisation.  All of which has to take into account of ‘data at rest’ (i.e. in databases, flat files etc) and ‘in motion’ transfers such as email, HTTP, FTP, SQLNet and so on.

The book then begins to talk about architectures that can reflect the considerations and needs of your data.

In terms of the writing, chapter is pretty direct and to the point which is great as long as you have some basic appreciation of security needs.  It would have been good to enrich the information with some examples (although the Appendix does illustrate a bit further). The ideal would have been to have a use case running through the book (perhaps at the end of each chapter applying some of the ideas to a fictitious scenario).

Useful Links

Enterprise Security: A Data-Centric Approach to Securing the Enterprise – book review

02 Tuesday Jul 2013

Posted by in Book Reviews, Books, Packt, Technology

Leave a comment

Tags

, , , , ,

I have started to review another book, this time Enterprise Security: A Data-Centric Approach to Securing the Enterprise by Aaron Woody. Based on the interest that my review of Getting Started with Oracle Event Processing 11g I thought I’d follow a similar approach of reviewing one or two chapters at a time, although because of other constraints possibly not as quickly as last time.

As an enterprise architect, and having worked within some more sensitive environments which means security typically has a lock the world down, particularly at the perimeter. But with an increasingly less practical as we become ever more connected. Not to mention the tighter the old approaches are applied, the more the business will by pass IT (e.g. Go acquire SaaS solutions without IT support), the net result being a home goal in undermining the very thing you’re trying to achieve. So the killer question is, can the book show another way that works matching the challenges ranging from SaaS (software as a service) to BYOD (bring your own device – i.e. connecting your own smart phone to systems and work with them on the move etc) against the backdrop of increasing data legislation and commercial fallout (customer loss etc) as a result of security breaches becoming public knowledge.

Chapter 1 is very much a good scene setter, providing some of the background as to how security approaches have evolved over the last 30 or so years. It sets out some clear perspectives on the challenges of applying security such as

  • making cases for investment
  • Applying security as an overlay on a solution rather than being an integral part of a design and the impacts this can cause
  • The challenges of stakeholders involved
  • The mentality of just locking the perimeter (when statistics regularly show that increasing data leakages are a result of accident or malicious actions by those inside the organisation

The book also challenges the mentality of security is the network, which a grave mistake as security impacts processes and roles just as much as it does the software and physical infrastructures.

This sets up for the journey for defining an alternate approach starting with defining the boundaries that should be considered.