m@ksim.pro
Blog

Notes on data, AI, IT and security

No marketing fog. The way I think about real problems with founders and managers.

Security

The Target breach and the end of perimeter security

What the largest retail data breach on record says about why protecting the perimeter is no longer a viable security strategy.

Security

Multitenancy and trust boundaries in SaaS

Where the convenience of a shared platform ends and the noisy-neighbour risk begins.

Security

Personal data compliance is not just a legal problem

Data architecture and access controls directly shape legal risk. Technical decisions made today will become legal problems tomorrow.

Security

FSTEC Order 21: what it changes in the practical protection of personal data

The Russian market gets a more concrete language for protection measures, security levels, and threat classes. What this means for companies that process personal data.

Security

Incident communication: who says what while the technical team still has no answers

Reputational damage from an incident begins before the technical answer arrives. The communication plan needs to exist before it is needed.

Security

Payment infrastructure as a target: what retail teaches us

The real lesson from payment data incidents is about segmentation, logs, and response time - not just protecting card numbers.

Security

Supply chain risk before the SBOM era: why dependencies need to be tracked systematically now

Opaque transitive dependencies are not an academic problem. They are already an active attack vector.

Security

Touch ID and corporate identity: what biometrics is actually useful for, and what to avoid overstating

Biometrics is a convenient authentication factor - not a substitute for a proper identity architecture.

Security

Least privilege in practice: why access needs to shrink, not just grow faster

Granting access without managing its lifecycle is convenient right up until the moment it becomes a real business risk.

Security

The Adobe breach as a lesson in password storage and the cost of old schemes

What the large-scale 2013 breach tells us about the price of outdated secrets storage and how companies respond to incidents.

Security

Questions the board should ask after the surveillance disclosures

Backup, jurisdiction, logging, contracts, operator access - what leadership needs to verify after the PRISM story.

Security

After PRISM: the cloud is no longer just a cost question

The NSA surveillance disclosure turned trust in cloud providers from a technical question into a political and legal one.
