Cyber Security Industry Alliance Newsletter •  Volume 2, Number 9 • May 2006

CSIA Member Spotlight

About Mirage Networks

Name:  Mirage Networks

President & CEO: Toney Jennings

Headquarters: Austin, Texas

Ownership: Privately held

About Mirage Networks:  Mirage Networks is committed to defending the network interior with the industry’s easiest-to-implement network access control solutions. Delivered through a global channel of VARs, SIs, OEMs and MSSPs, the company’s patent-pending technology gives IT managers control in the uncontrollable environment of infected, unmanaged and out-of-policy devices. Its appliance-based approach deploys out of band, and requires neither signatures nor agents to terminate day-zero threats and enforce policies, while ensuring a positive user experience. Delivering security from the moment any device enters the network, Mirage solutions provide powerful answers to the problems of securing networks with heterogeneous infrastructures and fluid perimeters.

The unique design of the Mirage NAC solution is already being leveraged by the likes of AT&T, as part of its Managed Services portfolio; Mitsui & Co. Ltd, one of Japan’s largest companies, to round out its security offerings for its customers; and National Instruments, the premier developer of test and measurement software, to bolster its network security at its offices around the globe.

Mirage has enjoyed industry recognition ranging from winning the SC Magazine 2006 Award for Best Anti-Worm Solution to being named a Network World Enterprise All-Star strategic partner.

For more information, please visit www.miragenetworks.com.

 

Better Regulations for Better Mouse Traps

As a dyed-in-the-wool capitalist, I’m not used to looking for – or seeing – the good in government-enforced regulations. But something happened recently that has shed a new light on things.

The University of Texas at Austin is one of the biggest universities in the U.S. Several of my employees are alumni and were affected by the recent, high-profile hack of 197,000 business school data records. Many of these records included Social Security numbers and other personal information.

  


I have always felt that regulations, in general, are part of the problem, not the solution. Simply put, the guys building the better mice are less encumbered than the guys building the better mousetraps. The "black hats" follow their own rules and timelines. Meanwhile, the good guys have to protect their businesses and meet complex and daunting government-mandated network security and data integrity regulations. It’s not surprising, albeit shortsighted, that some 'good guys' would rather risk fines than run the gauntlet of compliance.

The aims of many of these regulations support business goals: by making private data harder to get at, we take a step towards making hacking and malware less lucrative, thus maximizing network availability and worker productivity, and minimizing threats to corporate reputations and bottom lines. It’s a win-win.

  

Nonetheless, regulation can unleash unintended results. Consider HIPAA. Written in 1996, made effective in 2003, this well-intentioned act has spawned its own industry — books, Web sites, email newsletters, and the like proliferate, thanks to HIPAA’s sheer complexity. Google “HIPAA Consulting” and you’ll get over 22,000 hits. The fact that there are so many different HIPAA consultants, with varying methods and approaches, shows just how challenging meeting these requirements can be.

Even the HIPAA agreement you sign at the doctor’s office reflects this. Here’s a favorite quote of mine, pulled from a real HIPAA form:

"If you do not object to these disclosures or we can infer from the circumstances that you do not object or we determine, in the exercise of our professional judgment, that it is in your best interest for us to make disclosure of information that is directly relevant to the person's involvement with your care, we may disclose your protected health information as described."

I’m sure this is not what those at the Department of Health and Human Services had in mind when they crafted HIPAA.

I know it’s easy to sit on the sidelines and point out challenges I don’t personally have to address. I would not for a minute take away from the benefits that HIPAA has wrought, nor posit that those who drafted HIPAA did so with any intent other than revolutionizing the safeguarding of personal information, and to do so in the best, most effective way possible. They are pioneers, and their work is leading the way for all the privacy-related regulations that follow in its wake.

  


So how did all those good intentions result in regulations that many find difficult to understand, let alone comply with? Some make the valid point that HIPAA is a huge undertaking, covering a lot of ground, and its complexity reflects its subject matter. I, however, would argue that the more complex the topic, the more important it is that regulations governing it be easy to understand and implement.

With this in mind, let me make the following proposition, using the higher education scenario as an example. Since regulations governing the security of university and college networks will be met with new technological approaches, let’s commit to a true partnership between the private sector, higher education and government to form, promote and enable the enforcement of easy-to-understand rules.

It’s in this spirit that Mirage Networks joined the CSIA – we admire and share its goals, and enjoy being part of this important agent of change. And CSIA members must do more than pay lip service to CSIA aims: we have to actively support them. It’s just good business sense.

Let’s be clear: nothing we do will stop cyber criminals. They will continue getting smarter and faster. What we can do is minimize the damage they can do by keeping critical information out of reach. By working together, we can do it in such a way that implementation won’t require an advanced degree in linguistics.