This is Andrew Jaquith's Typepad Profile.
Andrew Jaquith
Boston
Recent Activity
This is a fast-moving story, and not all of the facts have been established. Adobe's Brad Arkin sent me a note via Twitter indicating that malformed PDFs have NOT been shown to be one of the attack vectors. I attempted to hedge my bets in my post above, but to be clear, we don't know yet. http://bit.ly/5AoAoP

Also, Gregg Keizer just filed a story that provides some valuable additional commentary from Carlos Carrillo, a researcher at Mandiant, the forensics team Google called in to help with the investigation. Carrillo claims the attack on Google was probably PRC-sponsored. Mandiant has a top-notch staff, and their work is highly credible. Definitely worth a read: http://www.computerworld.com/s/article/9145279/Chinese_authorities_behind_Google_attack_researcher_claims?taxonomyId=1
Wow. Great comments! This is exactly the sort of discussion I like to have with smart, passionate people. See also Rich Mogull's excellent post here: http://securosis.com/blog/sorry-forrester-data-labeling-is-not-the-same-as-drm-erm

As a result of everyone's insightful comments, I am re-considering whether renaming the ERM category to "data labeling" is actually a good idea. I've considered tacking on "enforcement" to the end (making it DLE) to make it less passive and to address the management layer that I was clearly implying but did not spell out in my post (a concern of Rich's and Pete's). It might also make sense to change the "D" from "data" to "document," which is more precise. But I might roll it back entirely to E-DRM or use IRM because the market is so well conditioned to those acronyms (Ed's point).

That said, I believe it is important to think critically about market segmentation and category naming. When a category name doesn't accurately characterize what products in that category do, or if it has outgrown its usefulness, it should be scrapped. We are clearly there with "ERM." Nearly everybody seems to agree that it sucks. But nearly everyone also agrees that even though it sucks, it's an acronym that is fairly well recognized. "DLP" suffers from the same problem.

On that note, here's a funny story that I've told in private many times. At a previous analyst firm we refused to use the DLP three-letter acronym. We called it CBM, short for "content and behavior monitoring," not too dissimilar to what Gartner called it. Here's the funny part: one day a vendor comes in for a briefing. Right at the start, I stated that we don't use that acronym here (DLP); we prefer CBM. Their product manager asked, "Why is that?" My response: "because Big Brother was already taken." Much nervous laughter ensues. Then I added: "Well, if you don't like that, why don't we just call it 'Employee Surveillance' and be done with it?" Even more nervous laughter.

To make a long story short: I offer no firm conclusions today. But I'm still looking for a better category name.
Here's my take (caveat: I don't write about these issues actively, so this is just armchair quarterbacking from another Forrester analyst's point of view).

* RIM isn't dead -- but Windows Mobile is. WinMo is being squeezed on the business side by RIM (who has become the ultimate business tool by virtue of utility-grade mobile e-mail), and on the lifestyle side by Apple. They'll never be perceived as being as good at e-mail as RIM, and they will never be as cool as Apple.

* Microsoft's mistake is that it thinks that mobile phones are really just little PCs -- commodity products where features aren't as important as price, and where distribution rules. Microsoft might well have 50 licensees for WinMo, but who cares? All of the phones are crap. No phone needs a "Start" menu. Apple, by contrast, knows that phones are jewelry, at least to consumers. And they control the whole stack, without any dilution in the user experience. RIM knows this too.

* The one area where RIM is weak is in its application strategy. RIM apps are all Java apps, and no matter what kind of Java-optimizing hardware they put in their phones they will never run as smoothly and fluidly as a native app can. So they will suffer by comparison with Apple or the Pre. Also, while Java tools are decent in general, they aren't that great for mobile devices, and they can't touch Apple's Xcode environment for iPhone development.

In short, I don't see RIM dying. I see them vacuuming up Microsoft's share, and Palm's after the Pre flames out. Their share will probably flatline at some point, but the pie will be a lot bigger. So they will do fine.

Commented Jul 31, 2009 on Goodbye BlackBerry at George F. Colony
Roger, in your article, the rhetorical device you used was a classic "straw man": creating an easy-to-discredit opponent by claiming they said something they did not say: that they would create a "perfectly secure" operating system. I don't see how you could conclude they said that, considering that you did not link to a single primary source or directly quote anyone at Google -- until your post this morning on this blog.

If you think that "don't have to deal with viruses, malware, and security updates" must mean "perfect security", and can ONLY mean a zero-defect, risk-free, bulletproof OS, then we have entirely different conceptions of the English language. When I said your article was "sloppy" in my tweet, that is what I meant. Considering that you work for Microsoft, I expected better from you.

There is no question that Google is setting a high bar for themselves. But that bar is not perfection, and no common-sense reading of one sentence from a blog post would suggest that perfect code is what they aspire to. I interpreted what Google is aiming for as "a lot less hassle factor" related to keeping the PC clean from viruses and updates. They can achieve that goal without creating an OS that is "PERFECTLY secure" (your term, not theirs).
@Alexander: Thanks for your comments. Although I haven't read the ICE bill in detail, it seems to codify many of the recommendations from the Cybersecurity review. As such, I don't see any additional impact to the private sector other than what I've written already. But as you point out, certain sectors like energy could be affected. It's likely that when we get into the debate on the bill, we'll have a better sense of it.

@John: Thanks for your comments. John Stewart is one smart dude, and always fun to talk to.

@Della: I agree that sometimes repetition is the key to getting the message across. The truth about US public sector security preparedness isn't great (putting it mildly). That truth needs to be acknowledged and dealt with.
@Brian: Thanks for your comments. I appreciate, in particular, that it sounds like what your firm is trying to do involves more than just the usual "toxic data" detection. The kinds of use cases you cite are exactly the sorts of things we want to create criteria for measuring. (Although to be frank: we will still spend plenty of time looking at the credit card/PII scenarios too, because it's what the majority of the inquiries we get are about.) As for your usage and operational questions: these are good things to ask about. Those things we can evaluate objectively, we will try to include.

@Schratboy: You are right to point out that Waves aren't all things to all people. They are definitely not about process evaluation. Waves are about products. I agree that DLP is a process; I make this point much more forcefully in some of my non-Wave reports. See, for example, my report "Data-Centric Security Requires Devolution, Not a Revolution" (http://www.forrester.com/Research/Document/Excerpt/0,7211,47649,00.html)
Like I asked on Twitter: does it come with roll-based access control?
Hoff, insightful post. I agree that in the abstract that whizzing nodes around the network is the sort of thing that should give security people pause, at least when said node whizzes past a security zone boundary.

In practice, though, most enterprise networks are flatland. They have very few security zones other than the DMZ plus a big squishy one for everything else. So, in most cases, the simple rule would be this: thou shalt not whizz thine VMs between the DMZ and the corporate network. Failure to do so shall cause the offending admin to be slapped across the face with a pickled herring.

But this seems like common sense, right? Am I missing something?