Facebook’s new privacy settings

December 16, 2009 by Chenxi Wang

Last week Facebook upgraded its privacy settings. I am sure by now many of you have gone through the new privacy-setting wizard. But do you know all the ins and outs of the new settings and how to navigate them?

In general, the new Facebook privacy-setting menu is easy to use and straightforward, and some of the new options Facebook provides are positive changes. For instance, you can now hide a wall post from specific individuals (or make it visible only to specific individuals). This level of fine-grained control was not available before, which is a welcome change.

However, in the course of migrating to the new privacy settings, Facebook has made several categories of information visible by default to “Everyone”. If you did not actively manage your privacy settings during this migration, some of your information, such as Family and Relationships, Education and Work, and your posts, is now visible to everyone, regardless of what your previous privacy settings were.

Another puzzling thing is that Facebook apparently does not think the ability to control who can see your Friends list belongs in the privacy settings. Moreover, they have made everybody’s Friends list visible to the world by default. To turn that off, you have to go to your profile page and click the little crayon icon next to your Friends list to unselect the “Show Friend List to everyone” option. If you had previously hidden your Friends list from public view, it is now free for all to see unless you did the little trick with the crayon icon! Even worse, your Friends list will now show up in search engine results.

Speaking of indexing by search engines, Facebook’s privacy settings do provide an option to prevent search engines from indexing your public Facebook information, that is, the information you have elected to make viewable by everyone (or is it?). Despite the fact that I had strenuously set and checked all my privacy settings, including unchecking the “Show Friend List to everyone” option, Facebook is still showing a sample of my friends to search engines! And we know that once a search engine has indexed and cached your information, it is virtually impossible to purge it completely.

The specific options and settings aside, this concept of PAI, short for publicly available information, is one that is worth a bit of ink. Everyone has a different idea of what their PAI should be. However, Facebook has decided that certain categories of information, such as your profile picture, family and relationship info, education and work info, interests and activities, and group memberships, should be PAI, and has gone ahead and made these categories visible to everyone by default. You have to go through the entire privacy menu to change that.

In this age of search engines, content caching, and near-ubiquitous connectivity, have you really thought about what you should place (and not place) in your PAI? Do you really understand all the consequences of putting a specific piece of information in PAI? Do you know how long the information will remain available after Facebook has become yesterday’s news? Most of us don’t internalize the fact that every time you label something public, this “thing” will probably live in the public domain forever in some way, shape, or form. Is this something you can live with? Would you still write that paragraph of “About me” and make it viewable by “Everyone” if you knew that 50 years from now people could still find it? This is of course independent of Facebook or social networking platforms in general; it is fundamentally about what information you, as an individual, want to expose to the world. Once we have a good grasp of our PAI, we can then look at specific social networking or social media tools and demand that they give us the flexibility and controls to manage it.

(Updated) Cloudy with a chance of “non-compliance”

December 4, 2009 by Chenxi Wang

Compliance, along with security and privacy, is a big topic when firms consider cloud services. I recently did a Forrester Webinar on the topic of compliance for cloud computing. You can access the recording here: http://www.forrester.com/cloudsecuritywebinar. This blog entry is a recap of the Webinar.

In terms of compliance for cloud services, there are four categories of issues of concern:

  • Where: Geographically related issues
  • How: This is about operational details that affect compliance
  • Audit: Show me evidence that you can help me achieve compliance
  • Others: Everything that doesn’t fit into the above categories

For the “where” category, you need to be mindful of the following aspects:

  • Datacenter locations
  • Implications of local laws and regulations (where the datacenters are operating)
  • Third-party access: Does the vendor use any “third-party” resources that may affect the locations of relevant data?

We recently helped a client evaluate the business suitability of a SaaS provider. In the course of doing so, we discovered that the SaaS vendor used a third-party backup service to back up their logs. Although the SaaS provider is located entirely in the US, the backup service provider is not. Therefore there is a question whether my client’s logs will end up stored in a datacenter outside the country. This made my client uneasy.

The “How” category is the biggest and most comprehensive, as it includes many operational aspects. For example, along with other aspects, you need to consider:

  • Do the datacenter’s operations meet the specific regulatory requirements that you have (e.g., is it PCI compliant – audited by a PCI QSA?)
  • Does the provider have a compliance management program?
  • Does the provider have a DR/BC plan that is consistent with my requirements?
  • Does the provider’s data breach/incident handling procedure meet your requirements?
  • Does the data center have a SAS 70 Type II audit report? (Bear in mind that SAS 70 is an auditor’s report on controls the provider itself defines, not a certification against a security standard, so read which controls were actually in scope.)

The “Audit” category deals with the procedure and framework of audits, and whether the provider can supply adequate audit evidence or will agree to a third-party audit.

In addition, you need to consider eDiscovery and enterprise investigation support. Too often enterprises tell me that cloud providers do not let them be the administrator of their own data living in the cloud. You need to ask your vendor what support they will provide for discovery and investigation purposes, such as any restrictions on access to data, means of access to data (self-service vs. manual), responsiveness to discovery requests, flexibility of data access, etc.

Finally, third parties are often the “fly in the ointment”. Even when you are satisfied with every aspect of your cloud provider’s operations that you can conceivably think of, you need to understand whether they use any third party in a way that impacts your compliance status (see the example above). Everything we have talked about so far applies to those third-party accesses as well.

What does this boil down to? In the next 90 days, we recommend that you form a cloud game plan, which looks like the following (for compliance aspects):

  • First, gather legal and regulatory requirements, and involve legal/compliance/risk officers early
  • Second, conduct a high-level feasibility study based on these requirements
  • If the feasibility study indicates a preliminary green light, then perform detailed evaluation (based on the “where”, “how”, “audit” framework here)
  • Require audits when in doubt, embed recourse actions in your contracts, and engage trusted third-party assessment services.

For details, please refer to the Webinar recording located at: http://www.forrester.com/cloudsecuritywebinar

Let me know what you think. Any other compliance aspects that we missed here?

To Facebook or not to Facebook (40% of companies said yes to Facebook)

November 30, 2009 by Chenxi Wang

Recently Forrester received a flurry of inquiries concerning social network access inside enterprises. Many firms are reluctant to deny their employees access to social networking sites but at the same time are worried about consequences such as malware, data loss, and lost productivity.

More specifically, risks associated with social networking come in three flavors:

  • Malware and phishing: Social networks have become a hotbed for malware and phishing activity. As such, allowing access to sites like Facebook, MySpace, LinkedIn, etc., does carry a certain amount of security risk.
  • Data loss: Employees posting content to social networking sites pose a potential data-loss threat, which has many up in arms about the use of social networks in enterprises.
  • Damage to corporate image: There is no reliable way to ensure that no one sets up a fake corporate page on LinkedIn or Facebook, or that no one takes your official promotional video and reposts it to YouTube after unauthorized edits.

Should you allow access to social networks and social media? The answer is “Yes”. Even if you do not currently allow access to social networks, you will have to soon: access to social networks is approaching “must-have” status in the workplace. Competitive pressure will sooner or later make you rethink a restrictive stance on social network access. One question we often get asked is: “How many firms out there allow access vs. deny access to social networks?” We do not have an accurate answer to that. A small survey we conducted at the beginning of this year indicated that today nearly 40% of companies (enterprises and SMBs) allow access to social networking sites like Facebook and LinkedIn.

What best practices should you follow in regulating access to social networking and media sites?

First, you need to establish an acceptable-usage policy with respect to social networking and media access. Consider these aspects when writing your policies:

  • Does everyone need the same level of access to social networking sites? The answer is often “no”. For instance, the marketing and sales team may need to post video and other media files for legitimate business purposes. But for other parts of the company, there isn’t such a compelling need. Perhaps a read-only policy is adequate. Of course this would depend on the general company culture – how liberal or how restrictive you are in terms of personal computing at workplace plays an important role in these decisions.
  • Be vigilant about software downloads. Remember that malware travels via software downloads over the web; a prudent policy might allow users to access Facebook content but block any software installation that results from visiting Facebook pages. This will of course dilute the social networking experience, but in many ways it is an acceptable compromise for workplace access.
  • Should you allow access any time anywhere? Again, the answer depends on how liberal your company culture is. On one hand, you do not want to place unnecessary restrictions. On the other hand, there has to be a balance between personal uses of social media vs. workplace productivity. So, the acceptable-usage policy may state that employees should use their best judgment when it comes to the amount of time they spend on Internet social networking sites. Or, if the company culture allows, you may enforce time or bandwidth-based limitation on access to social networking sites.
  • Acceptable data posting policy. Social networks allow data posts, which may pose a data leak threat to enterprises. In your usage policy, make it clear what kind of data/content is considered inappropriate in posts to public social networking sites. For example, some companies prohibit their employees from posting endorsements of, or comments on, the company on LinkedIn.

Second, you need to clearly communicate the policies to your users and educate them on the risks of social networking and acceptable usages with regards to data posts and software downloads. Make it clear that these security threats are not just against individuals, but also have the potential to compromise the security posture of the corporate environment.  

Lastly, if you decide to enforce your policies technologically instead of simply stating the policies and hoping for compliance, you need to employ a web filtering product (you probably want one regardless, for anti-malware reasons). You may also want the product to collect and report usage statistics on your users. For any outlier population, e.g., the few employees who spend an exorbitant amount of time on social networks, their manager can be made aware of the situation and deal with it in an appropriate way. Often, just the knowledge that access to social networks is monitored will curtail such behavior. Be mindful that not every web filtering product is equipped to deal with script-based web malware; the ones that come with an anti-virus engine but no script processing capability do not fit the bill. Finally, it is imperative that the web filtering product comes with data leak prevention (DLP) capabilities to enforce acceptable-usage policies for data posts.
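The three technical controls described above (read-only access for groups without a business need to post, blocking software downloads, and a DLP check on outbound posts, with usage statistics to surface outliers) can be written down as a small policy engine. The following is an added example, not code from the original post or from any web filtering product; the domain list, the role-to-permission mapping, the executable signatures, the DLP patterns and the sample requests are all constructed assumptions. It goes slightly beyond the post by validating card-like numbers with the Luhn checksum, so that the DLP rule does not fire on every sixteen-digit string.

```python
"""Toy policy engine for social-network access: role-based read-only access,
blocking of software downloads, a DLP check on outbound posts, and a usage
outlier report. Added example; domains, groups, rules and traffic are constructed."""
import re
from collections import Counter
from dataclasses import dataclass

SOCIAL_DOMAINS = {"facebook.com", "linkedin.com", "myspace.com", "youtube.com"}
WRITE_ALLOWED_GROUPS = {"marketing", "sales"}   # assumed: groups allowed to post
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-msdos-program",
                    "application/octet-stream", "application/java-archive"}
EXECUTABLE_EXT = re.compile(r"\.(?:exe|msi|dll|scr|jar|bat|cmd)$", re.IGNORECASE)
CARD_LIKE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")          # 13 to 16 digits
INTERNAL_MARKER = re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b")


@dataclass
class Request:
    user: str
    group: str
    method: str             # "GET" or "POST"
    host: str
    path: str
    content_type: str = ""  # response MIME type for GET, request type for POST
    body: str = ""


def is_social(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in SOCIAL_DOMAINS)


def luhn_ok(digits):
    """Luhn checksum; keeps the card rule from firing on arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def dlp_violation(text):
    """Name of the first DLP rule the text violates, or None."""
    if INTERNAL_MARKER.search(text):
        return "internal_marker"
    for m in CARD_LIKE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return "credit_card"
    return None


def evaluate(req):
    """Return (action, reason) for one request under the policy."""
    if not is_social(req.host):
        return ("allow", "not a social-network host")
    if req.method == "POST" and req.group not in WRITE_ALLOWED_GROUPS:
        return ("block", "read-only group")           # read-only for this group
    if req.method == "GET" and (req.content_type in EXECUTABLE_TYPES
                                or EXECUTABLE_EXT.search(req.path)):
        return ("block", "executable download")       # no software installs
    if req.method == "POST":
        rule = dlp_violation(req.body)
        if rule:
            return ("block", "dlp:" + rule)           # outbound content check
    return ("allow", "policy permits")


def usage_outliers(requests, factor=3):
    """Users whose social-site request count exceeds `factor` times the median;
    these are the people whose manager the post suggests informing."""
    counts = Counter(r.user for r in requests if is_social(r.host))
    if not counts:
        return {}
    ordered = sorted(counts.values())
    median = ordered[len(ordered) // 2]
    return {u: c for u, c in counts.items() if c > factor * median}


# Constructed sample traffic (not real log data).
SAMPLE = [
    Request("alice", "engineering", "POST", "www.facebook.com", "/post", body="lunch?"),
    Request("bob", "marketing", "POST", "www.linkedin.com", "/share",
            body="Q3 roadmap attached, INTERNAL ONLY"),
    Request("bob", "marketing", "POST", "www.linkedin.com", "/share",
            body="expense card 4111 1111 1111 1111"),
    Request("bob", "marketing", "POST", "www.linkedin.com", "/share",
            body="ticket 1234 5678 9012 3456"),        # fails Luhn: not a card
    Request("carol", "sales", "GET", "www.facebook.com", "/app/setup.exe"),
    Request("carol", "sales", "GET", "www.facebook.com", "/profile"),
    Request("dave", "engineering", "GET", "intranet.example.com", "/"),
] + [Request("alice", "engineering", "GET", "www.facebook.com", "/feed")] * 20

if __name__ == "__main__":
    for r in SAMPLE[:7]:
        print(r.user, r.method, r.host + r.path, "->", evaluate(r))
    print("outliers:", usage_outliers(SAMPLE))
```

A real web filter applies these decisions inline at the proxy and would inspect the actual response MIME type rather than trusting a file extension; the extension rule is here as the cheap first check. The outlier report is deliberately crude (a count against the median), since the post’s point is that awareness of monitoring, not a precise threshold, is what curbs the behavior.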

 

Follow up: Cloud security

November 24, 2009 by Chenxi Wang

Since the publication of the last entry on cloud security, I received many emails from clients and colleagues who have an interest in this topic. Because of the sensitive nature of the topic, they chose to email me rather than leaving a comment here. I have synthesized and sanitized the feedback, and decided to publish the summary here:

a) Investigation support: A few responses stressed the importance of support for enterprise investigation. They voiced frustration with the lack of timely response and technical support from some of the cloud vendors. One senior IT officer said: “For every investigation, I have to work with the vendor to get the data I want. They don’t have an option for me to be the administrator of my users’ data and logs. This goes against the self-service nature of cloud computing, and essentially takes away some of the benefits”.

b) Security and privacy are equally important for all layers of cloud, as customers may be buying a combination of services (at different layers) from the same provider. The so-called “layers of cloud” include infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS). Each layer may have its own unique challenges.

c) Incident response and disclosure: Readers pointed out that you may want to know that a data breach has happened within the cloud environment even if your own data was not breached. This is a tough issue: from the user’s standpoint, you want to know about incidents so you can make an informed decision whether to stay with the cloud, but on the flip side, you may not want the provider to offer too much information to other clients if it were your data that was breached. There are no standard procedures today for disclosing incidents that impact other customers’ data.

d) Compliance: Some compliance requirements demand that relevant data be encrypted both at rest and in transit. Many of the cloud providers do not support that, and in some cases, due to the way the application is configured, encryption by the customer of the cloud is not an option either. For instance, some cloud applications leave sensitive information in the database index, which is typically not encrypted even if the storage blocks are encrypted. In this case, block-based encryption is clearly not sufficient: it protects against loss or theft of the storage media, not against anyone who can query the running database, index included.

Cloud security front and center

November 18, 2009 by Chenxi Wang

Cloud computing is the latest trend that has the industry abuzz. Everywhere you go, there are cloud services for every functionality imaginable. Many believe that cloud computing can deliver tremendous business and operational efficiencies. There is even a movement at the national level: Vivek Kundra, the country’s recently named federal CIO, has been tasked with pushing the adoption of cloud-based services across the federal IT landscape.

Cloud computing differs from traditional outsourcing because in the latter model it is still very much standalone computing: either you take your server and put it in someone else’s data center, or you have an MSP managing your devices. In many cases, you know exactly where your data/host is and what resources, if any, you share with others. Cloud computing decouples data from infrastructure and obscures low-level operational details, such as where your data is and how it is replicated. Multitenancy, while rarely used in traditional IT outsourcing, is almost a given in cloud computing services. These differences give rise to a unique set of security and privacy issues that not only impact users’ risk management practices, but have also stimulated a fresh evaluation of legal issues in areas such as compliance, auditing, and eDiscovery.

I’ve had many conversations recently with IT security and compliance professionals about cloud security, and the universal concern seems to be that there is a lack of visibility and standards across cloud providers. Users of cloud services therefore are left to fend for themselves, especially in terms of understanding and addressing security risks associated with outsourcing to the cloud.

Earlier this year, I published a Forrester report titled: “How secure is your cloud: A closer look at security issues for cloud computing”. I received tremendous feedback after the publication. This quarter, I am embarking on a big research effort to evaluate security and privacy practices of some of the leading cloud providers, such as Salesforce, Amazon, Google, and Microsoft. We will be conducting the evaluation on three broad aspects:

  • Security and privacy: Concerns such as data protection, operational integrity, vulnerability management, business continuity (BC), disaster recovery (DR), and identity management (IAM) make up the list of security issues for cloud computing. Privacy is another key concern — data that the service collects about the user (e.g., event logs) gives the provider valuable marketing information, but can also lead to misuse and violation of privacy.
  • Compliance: Data privacy and business continuity are two big items for compliance. Specific issues such as geo-location of data centers, incident response procedures, eDiscovery support, and proper handling of logs and audit trails all come to focus here.
  • Legal and contractual issues: Legal issues are the least well-understood area of cloud computing. Though I will not be giving out legal advice, I will be looking at what legal issues may arise in the context of cloud computing. For instance, liability and intellectual property are two examples of legal issues that are often discussed. Other contractual issues include end-of-service support: when the provider-customer relationship ends, customer data and applications should be packaged and delivered to the customer, and any remaining copies of customer data should be erased from the provider’s infrastructure.

I’d like to know if anyone has any specific concerns about cloud security that may be outside of what’s mentioned above. If so, please leave a comment here. Also, so far I’ve identified vendors who are more in the platform-as-a-service and software-as-a-service areas; should I include infrastructure-as-a-service vendors like Rackspace? Let me know what you think. If you would like a snapshot of the cloud security report, send me an email: cwang@forrester.com

Dreamforce in force

November 18, 2009 by Chenxi Wang

Today is the first day of Dreamforce. Due to a scheduling conflict, I am actually not attending, much to my dismay. I’m writing this post in flight to NYC, using Wi-Fi on a United flight (nice!). My colleagues who are in attendance told me that they are putting on a good show. In any case, I have an ongoing research effort to evaluate security and privacy practices of leading cloud vendors, such as Salesforce. So far, Salesforce has been very accommodating in terms of granting interviews, etc. Stay tuned, more on that topic to come soon.

BSIMM Begin web survey

November 3, 2009 by Chenxi Wang

Friends over at Cigital are starting a web-based BSIMM survey. While I do not generally endorse vendor studies, I do think the original BSIMM study is a well-done investigation of how software security is practiced in some of the leading enterprises. If you belong to an organization that has a software security program, you may want to participate in this study. The URL is here:

http://www.bsi-mm.com/begin/

MIT’s attack on Amazon EC2 an academic exercise

November 2, 2009 by Chenxi Wang

Researchers from MIT and UC San Diego recently demonstrated an attack against Amazon’s EC2 in which an attacker’s virtual machine can launch attacks against a victim virtual machine located on the same physical server. The paper describing this attack, “Hey, You, Get Off of My Cloud”, will be presented at ACM’s Cloud Computing Security Workshop next week in Chicago.

This is an attack against virtual computing resources, not necessarily against EC2 per se. In fact, this attack can potentially work against any virtual infrastructure, private cloud included.

Does this mean that there is a security vulnerability within EC2? Yes.

Should you be concerned? Not really.

To understand how this attack works, we need to first describe how virtual infrastructure works. A virtual “computer” is an abstraction that maps processes (computing tasks) to physical resources (CPU cycles, memory, storage, and network). When you are using a virtual computer, you typically don’t know on which physical server your virtual computer is located. This is one of the fundamental concepts that allows cloud computing to deliver benefits such as dynamic scaling.

Now on to the actual attack itself. The researchers demonstrated that EC2, with greater than random probability, may allocate virtual machines launched in a similar time frame onto the same physical server. The researchers took advantage of this fact and demonstrated that they were able to, with a reasonable number of tries, start a virtual machine on the same physical server that houses the target victim’s virtual machine. The mapping step that makes this targeting possible is what they call “cartography”.

One possible consequence of this is that the attack machine can starve the victim machine of physical resources, i.e., a denial-of-service attack. This is especially bad if the attacker knows that the victim is in need of critical access to resources; think code release time. Denial of service would come in handy in an espionage attack.

Another outcome might be that by observing fluctuations in resource consumption, the attacker can obtain sensitive intelligence about the victim. Imagine Disney and DreamWorks hosting their animation renderings on the same physical server (which they will never do, by the way) while trying to hide from each other their respective release dates. A spike in resource consumption by DreamWorks may indicate to Disney that the former is close to its release date (and is therefore accessing its renderings more frequently). This is a so-called side-channel attack; in the paper, the shared resource the researchers actually measured was the processor cache, from whose timing they could estimate the load of a co-resident victim. A famous real-world example of a side-channel information leak is the “pizza index” incident in Washington, D.C.: the L.A. Times reported that the CIA set the single-night record for pizza delivery on August 1st, 1990, the night before Iraq invaded Kuwait. Anyone observing the pizza delivery index (and knowing the pizzas were going to the CIA) could conclude that a major international political event was about to happen.

But why is this NOT an attack that you should be concerned about? For this attack to be feasible, certain conditions must be true a priori, including that the attacker knows roughly when the victim’s virtual machines will be launched. Some of these conditions, though not entirely impossible, are on the impractical side. While the author concedes that an espionage attack with high-value stakes may very well undertake such a method, it is hardly a concern for run-of-the-mill computing tasks running in EC2.

How can EC2 (or other cloud providers) protect themselves against this attack? The answer is simple in principle, namely making the virtual machine placement process as close to random as possible. If you have N servers and placement is uniformly random, a virtual machine has a 1/N probability of landing on any particular server. The probability that a single attacker virtual machine lands on the same server as the victim is then also 1/N: for each of the N servers, both machines land there with probability 1/N × 1/N, and summing over the N servers gives N × 1/N² = 1/N (1/N² is the chance of both landing on one specific, pre-chosen server, not the chance of sharing a server). An attacker who launches k virtual machines succeeds with probability 1 - (1 - 1/N)^k, roughly k/N for small k. As we last checked, EC2 has close to 40,000 servers. With N = 40,000, a single launch succeeds with probability 2.5 × 10⁻⁵ (a little under 2⁻¹⁵), and an attacker would need on the order of 28,000 launches for an even chance of co-residence. This is not impossible, but it makes the cartography attack significantly harder and a lot more expensive to launch than it is when the scheduler exhibits placement locality. I should add that in practice you don’t need true randomness; adding a little bit of randomness would go a long way.
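To put numbers on the placement argument, here is an added example (not code from the original post or from the researchers’ paper) that computes the exact co-residence probability under uniform random placement, the number of launches an attacker needs for a given success chance, and a Monte Carlo comparison against a caricature scheduler that fills a small pool of open servers at a time. The pool size, launch counts, trial counts and random seed are assumptions chosen for illustration; N = 40,000 is the post’s own figure. The exact formula also shows that a single launch co-resides with the victim with probability 1/N rather than 1/N², since the attacker does not care which server it is as long as it is the victim’s.

```python
"""Co-residence odds under uniform random placement versus placement with
time locality. Added example; the pool size, launch counts, trial counts
and seed are illustrative assumptions, N = 40,000 is the post's figure."""
import math
import random


def coresidence_probability(n_servers, n_attacker_vms):
    """Exact chance that at least one of k independently, uniformly placed
    attacker VMs shares the victim's server: 1 - (1 - 1/N)^k, which is
    about k/N for k << N. One VM therefore succeeds with probability 1/N."""
    return 1.0 - (1.0 - 1.0 / n_servers) ** n_attacker_vms


def launches_needed(n_servers, target_probability):
    """Smallest k for which coresidence_probability(N, k) >= target."""
    return math.ceil(math.log(1.0 - target_probability)
                     / math.log(1.0 - 1.0 / n_servers))


def place_uniform(n_servers, rng, state):
    """Scheduler that ignores history: every launch is uniform over N."""
    return rng.randrange(n_servers)


def place_with_locality(n_servers, rng, state, pool_size=16):
    """Caricature of a scheduler that fills a small pool of 'open' servers:
    launches arriving while the same pool is open tend to share hardware,
    which is the placement locality the researchers exploited."""
    if "pool" not in state:
        state["pool"] = rng.sample(range(n_servers), pool_size)
    return rng.choice(state["pool"])


def simulate(n_servers, n_attacker_vms, trials, placer, seed=1):
    """Monte Carlo: per trial, place the victim and then k attacker VMs
    through the same scheduler; return the fraction of trials in which at
    least one attacker VM is co-resident with the victim."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        state = {}                  # scheduler state shared within one trial
        victim = placer(n_servers, rng, state)
        if any(placer(n_servers, rng, state) == victim
               for _ in range(n_attacker_vms)):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    N, K = 40_000, 10
    print("exact, uniform, k=1:  %.2e" % coresidence_probability(N, 1))
    print("exact, uniform, k=10: %.2e" % coresidence_probability(N, K))
    print("launches for 50%%:     %d" % launches_needed(N, 0.5))
    print("simulated, uniform:   %.4f" % simulate(N, K, 2000, place_uniform))
    print("simulated, locality:  %.4f" % simulate(N, K, 2000, place_with_locality))
```

Running it gives roughly 2.5e-5 for one uniform launch, about 28,000 launches for an even chance, essentially no hits in 2,000 uniform trials, and close to 50% in the locality trials with ten attacker launches per victim. The locality scheduler is not a model of EC2’s real placement algorithm, only of the property the researchers exploited: launches that arrive close together draw from a small set of servers.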

Another possible but highly impractical countermeasure is for EC2 to periodically remap virtual machines. This method is akin to “proactive secret sharing”, where each share of the secret is only valid within the current epoch; at the end of an epoch, the shares are regenerated and redistributed. Here a virtual machine placement would last only as long as the current epoch, and the machine would be migrated to a different physical server at the end of the epoch.

Of course, these countermeasures will break some of the features that EC2 offers, such as being able to specify the IP range for your virtual machine. In addition, they will add considerable complexity to EC2 operations.

Summary. Virtual infrastructure has become the backbone of cloud computing, particularly in the area of infrastructure-as-a-service, whereby the provider supplies virtual resources on a pay-per-use basis. Security of the hosted data and applications has everything to do with security within the virtual infrastructure. What does this mean? Providers of IaaS must take extreme care when it comes to the security and privacy of their operations, or risk facing far-reaching consequences.

Here at Forrester, I’m starting a study to investigate the security and privacy practices of leading cloud providers. I’ve identified Salesforce, Google, Microsoft, and Amazon as the four vendors that I would study initially. I have yet to make Amazon commit to an interview, but the former three have all expressed willingness to participate in this study. I will write more as the study gets underway. Until then stay tuned and let me know what you think …  

A shortened version of this post can be found on Forrester’s security team blog: http://blogs.forrester.com/srm

 

Another acquisition in the web security service space — Cisco acquires Scansafe.

October 27, 2009 by Chenxi Wang

Cloud security service is hot, hot, hot. My last blog post highlighted the acquisition of Purewire by Barracuda earlier this month. Today, Cisco announced the intention to acquire Scansafe, another web security services company. Cisco’s entering this space shows that web security services are now on the radar screen of enterprises.

At Forrester we are seeing a definite rise in interest in web security services, partially fueled by the general interest level in cloud services. Many IT managers told me that they are being asked by their management: “Why not consider cloud services (to fulfill this IT function)?”

Is cloud web security service for you? A good answer to the “Why not consider cloud services” question requires your examining the pros and cons of outsourcing to the cloud, which should cover, at the minimum, the following decision points:

  • Cloud benefits: Outsourcing to the cloud comes with the common benefits, which include self-service features, lower upfront investment, lower ongoing management overhead, and easy scaling to demand. You need to understand how important these aspects are to your organization.
  • Total cost of ownership: In terms of TCO, however, it is not always a clear-cut argument. In fact, sometimes a three-year term with a cloud solution may cost you more (in total) than an on-premise product. You must trade off TCO against the other cloud benefits, such as lower upfront investment, to make an informed decision.
  • Compliance: For folks who have rigorous compliance requirements, using cloud services can be a complex decision. For example, if you are using someone like Akamai to accelerate your content, and if the content contains regulated data (e.g., customer login info, credit card data), you need to ensure not only that Akamai is compliant, but also the numerous third-party data centers that Akamai uses to host their servers. If you are a global player, this could amount to examining over 100 datacenters around the world, a truly complex undertaking. The same goes for web filtering service offerings.
  • Cloud vendor’s security/privacy practices: In addition to what’s required in meeting your compliance goals, you need to understand how the cloud vendors handle various security and privacy issues. See my “How secure is your cloud” report for more details on this discussion.

What does this mean for Cisco? Cisco already has its own email filtering services in the cloud. Getting into web security services is the natural next step. This is another signal that Cisco is stepping away from the on-premise-only security vendor image and casting itself as a “We have all the form factors you can possibly want” vendor.

This is a move that Cisco needs to make. Look at their competitors: Symantec has MessageLabs. McAfee has its own web filtering services, in addition to MxLogic. Their SMB competitor Barracuda now has Purewire. Websense, the behemoth in the web security space, has its own hosted offering. To stay healthy in the web security market, Cisco needs to show their conviction in the service space. Acquiring Scansafe, the most mature player in web security services, is the quickest way to do so.

What will happen to Scansafe’s partners and customers? Scansafe was the first company in this space, and for a number of years the only one, before it became a hot new market. Scansafe has relationships with Google as well as a number of large Internet service providers, who OEM Scansafe’s services. The word from Cisco is that they will maintain the existing partner relationships, at least for the foreseeable future. In the short term, I don’t anticipate any changes in Scansafe’s existing relationships. However, I would not be surprised if in a year or so Cisco re-assesses the terms of these partnerships. The word from Google is that they are not doing nearly as much on the web security services front as they are on the email side. This acquisition will undoubtedly change the dynamics of the relationship. I don’t see Google actively reselling Cisco services, do you?

The only pure-play web security services vendor left is Zscaler, another startup from the former CipherTrust folks. How long do you think they’ll last as an independent company? I’d be interested to know what you think. Leave me a comment here or write me a note at cwang@forrester.com.

This post will be cross-posted to Forrester’s security team blog: http://blogs.forrester.com/srm

Barracuda acquires Purewire, jumps into cloud computing

October 14, 2009 by Chenxi Wang

Barracuda, the networking appliance vendor headquartered in Campbell, CA, announced today that they have acquired Purewire, Inc., a web security services startup in Atlanta, in a cash/stock deal.

I have to say this announcement came as somewhat of a surprise to me. Barracuda is a known networking appliance vendor, selling low-cost, on-premise network security appliances from firewalls to anti-spam devices. When I spoke to the Barracuda folks a few months back, they remained skeptical about the whole cloud computing craze. This move to acquire Purewire, unexpected as it was, serves as another testimony that cloud computing has reached mainstream status.

Barracuda made a name for themselves in the industry by targeting small and medium businesses. Their SMB-oriented sales strategy has paid off, and Barracuda has been able to make a number of acquisitions in the past two years. In 2007, they acquired NetContinuum, a web application firewall company. Following that, they acquired BitLeap and Yosemite, which form the foundation of their cloud backup services, and now Purewire.

Even with their cloud backup services, Barracuda is still largely a vendor for on-premise security products. Switching from selling appliances to selling services is a non-trivial change. Distribution partners who are used to pushing boxes have to be re-trained to sell services. Incentive models have to be changed to entice them to sell services. Or new distribution partners have to be acquired. Barracuda will do well to bring in more experienced personnel in service marketing and sales.

The technical brains behind Purewire are well respected in the industry. By acquiring the company and retaining the expertise, Barracuda gains research credentials, which are needed in order to enter a new market (e.g., cloud services). It is therefore crucial for Barracuda to retain the founding staff of Purewire. The formation of the Barracuda research lab, made up largely of former Purewire personnel, is seen as a positive sign. One would expect the research lab to, in addition to performing threat research, drive innovation to turn Barracuda’s other on-premise products into service offerings.

But what is in this deal for Purewire? Wouldn’t it be better if they were acquired by someone like Symantec? Additionally, why is Purewire looking for an exit so early? The company was only established in November 2007. I suspect this deal came at the right time for Purewire, who probably needed an additional infusion of funds in order to scale. Is Barracuda the right company to take Purewire, who already has a slew of industry awards and recognition, to the next level? Barracuda certainly has the financials to do so, but can they execute as well in the cloud space as they did for on-premise security? It remains to be seen.

In the meantime, this is positive news for Barracuda customers: they now have the option of buying appliances or services. For the larger industry, Barracuda’s ferocious marketing engine will now be tuned to promote services, which means more competition in the cloud security service space. Ultimately, that is a good thing.

This entry is also published on Forrester’s security team blog: http://blogs.forrester.com/srm