Monday, October 22, 2007

The Onus of Great Power - Part II

Earlier today, Paramount Defenses officially released Gold Finger (http://www.paramountdefenses.com/goldfinger.php), the most powerful access assessment solution in the world.

At the touch of a single button, and within minutes, the Gold Finger can identify thousands of security privilege escalation paths across an Active Directory deployment. (Over 85% of IT infrastructures across the world run on Active Directory.)

The Gold Finger is designed to empower administrators to accurately and instantly identify (and subsequently eliminate) excessive access in their Active Directory deployments.

Along with great power comes great responsibility. In the wrong hands, the Gold Finger could significantly aid a malicious entity in very quickly obtaining the keys to the kingdom at over 85% of IT infrastructures around the world. Thus, at Paramount Defenses, we take the onus of protecting the availability and the use of the power of the Gold Finger very seriously.

It's time to make the world a safer place.

Best wishes,
Sanjay.

Wednesday, October 11, 2006

The Onus of Great Power


[10.04.06: Penning in from my suite at the Waldorf Astoria Towers in Manhattan.]

There’s an old adage – “Along with great power comes great responsibility.”

After giving it considerable thought I have decided against providing the answer to the two questions posed in my previous blog entry, and for a respectable reason – while there is much to talk about in regards to the security posture of the free world, and numerous eye-opening stories to share and incidents to narrate, the onus of ensuring that I don’t give away the slightest of hint that could be misused to inflict significant damage to the very companies we are working to protect, is one I take seriously.

The free world is not yet capable of surviving an attack to their security infrastructures and thus I have decided against shedding any light in the public on the answers to the two questions posed below.

When the time is right, I will provide the answer to those questions.

Best wishes,
Sanjay

PS: I'm going to put blogging on the back-burner for a bit, so I can devote all my time to helping our customers secure their security infrastructures. It may be a few weeks before the next entry.

Saturday, September 16, 2006

Who needs WMDs today?


I was planning on blogging an entry on the need for accountability in security across Corporate America. As I was about to do so, I stumbled upon an interesting article on Yahoo titled “Cyber crime becoming more organized”.

One statement in particular is worthy of mention – “A growing worry is that cyber crooks could target emergency services for extortion purposes or that terrorists may be tempted to attack critical utility networks like water and electricity.”

I'd been meaning to blog this entry for a while now and the coincidental timing of the above mentioned article makes this blog entry highly meaningful today; the blog on accountability will just have to wait.

That statement in many ways resonates our concern regarding the inadequacy of security infrastructure protection controls across the free world.

Today, the threat of cyber terrorism is very real, especially given our complete dependence on IT. The reality on the ground is that our IT security infrastructures are easy targets for terrorists and it is only a matter of time before terrorists realize how soft our underbelly really is; once they do, we will be in trouble, for they will waste no time in gaining and using the technical know-how required to attack and compromise our security infrastructures.

If you take into account that such avenues of attack can be pursued from virtually anywhere in the world, and be carried out without physically putting the perpetrators in harm's way, imagine how appealing this option would be to them, in stark comparison to the expensive and dangerous option of attempting to acquire and use nuclear weapons.

Who needs WMDs today, to make the world a dangerous place?


All you need is two WDs in the same pl(ace). After all, we live in the Information age.


Puzzled? Here’s one simple question for you – what does the following string represent and why should it be a grave cause of concern?

(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU) (A;CI;RPWDLCLO;;;WD)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU) (OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RC;;;RU)(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)

It shouldn't take the astute mind more than a minute to figure it out, given that I’ve actually already provided the answer. It's all about perspective.
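The string above is a DACL written in SDDL syntax: each parenthesised group is one ACE of the form (ace_type;ace_flags;rights;object_guid;inherit_object_guid;trustee), where two-letter codes stand for flags, rights and well-known trustees. The following decoder is an added example, not code from the post or from Paramount Defenses; it parses the DACL from the post (embedded verbatim as PAGE_DACL) and, as an audit check, reports any ACE in which a broad trustee such as Everyone (trustee code WD) or Authenticated Users (AU) holds a right that allows rewriting the object's permissions or owner (WRITE_DAC, also coded WD, WRITE_OWNER, or GENERIC_ALL). The trustee and rights tables cover only the codes needed here, the hex-mask handling covers only those standard rights, and the names of the functions are my own.

```python
"""Decode an SDDL DACL and flag ACEs that let a broad trustee rewrite permissions.

Added example (not the post's own code). Assumed helper names: parse_dacl,
find_risky_aces, describe. The rights and trustee tables are subsets of the
SDDL codes, chosen to cover the DACL quoted in the post.
"""
import re
from dataclasses import dataclass

# Well-known SDDL trustee abbreviations (subset).
TRUSTEES = {
    "WD": "Everyone", "AU": "Authenticated Users", "BA": "Builtin Administrators",
    "DA": "Domain Admins", "EA": "Enterprise Admins", "SY": "Local System",
    "ED": "Enterprise Domain Controllers", "RU": "Pre-Windows 2000 Compatible Access",
}

# Two-letter SDDL access-right codes (subset used on directory objects).
RIGHT_CODES = {
    "RP": "READ_PROP", "WP": "WRITE_PROP", "CC": "CREATE_CHILD", "DC": "DELETE_CHILD",
    "LC": "LIST_CHILDREN", "SW": "SELF_WRITE", "LO": "LIST_OBJECT", "DT": "DELETE_TREE",
    "CR": "CONTROL_ACCESS", "RC": "READ_CONTROL", "SD": "DELETE",
    "WD": "WRITE_DAC", "WO": "WRITE_OWNER", "GA": "GENERIC_ALL",
}

# ACCESS_MASK bits, used when the rights field is written as a hex number.
MASK_BITS = {0x00010000: "SD", 0x00020000: "RC", 0x00040000: "WD",
             0x00080000: "WO", 0x10000000: "GA"}

# Rights that let the holder change the DACL or owner, i.e. take the object over.
DANGEROUS_RIGHTS = {"WD", "WO", "GA"}
BROAD_TRUSTEES = {"WD", "AU"}

ACE_RE = re.compile(r"\(([^()]*)\)")


@dataclass
class Ace:
    ace_type: str
    flags: list
    rights: list
    object_guid: str
    inherit_guid: str
    trustee: str

    def rights_names(self):
        return [RIGHT_CODES.get(r, r) for r in self.rights]


def _pairs(text):
    """Split a run of two-letter SDDL codes into a list of codes."""
    return [text[i:i + 2] for i in range(0, len(text), 2)]


def _decode_rights(field):
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return [code for bit, code in MASK_BITS.items() if mask & bit]
    return _pairs(field)


def parse_ace(text):
    parts = text.split(";")
    if len(parts) != 6:
        raise ValueError(f"malformed ACE string: ({text})")
    ace_type, flags, rights, obj_guid, inh_guid, trustee = parts
    return Ace(ace_type, _pairs(flags), _decode_rights(rights), obj_guid, inh_guid, trustee)


def dacl_portion(sddl):
    """Return the D: section of a full SDDL string; a bare ACE list is returned as-is."""
    start = sddl.find("D:")
    if start < 0:
        return sddl
    rest = sddl[start + 2:]
    end = rest.find("S:")          # stop before the SACL, if one follows
    return rest if end < 0 else rest[:end]


def parse_dacl(sddl):
    """Parse every ACE in the DACL; stray whitespace between ACEs is ignored."""
    return [parse_ace(m) for m in ACE_RE.findall(dacl_portion(sddl))]


def find_risky_aces(sddl, broad=BROAD_TRUSTEES, dangerous=DANGEROUS_RIGHTS):
    """Allow ACEs that give a broad trustee a right to rewrite permissions or ownership."""
    return [a for a in parse_dacl(sddl)
            if a.ace_type in ("A", "OA") and a.trustee in broad and dangerous & set(a.rights)]


def describe(ace):
    who = TRUSTEES.get(ace.trustee, ace.trustee)
    inherit = "inherited by child objects" if "CI" in ace.flags else "this object only"
    return f"{who}: {', '.join(ace.rights_names())} ({inherit})"


# The DACL quoted in the post, copied verbatim (spacing removed).
PAGE_DACL = (
    "(A;;RP;;;WD)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    "(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)"
    "(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)"
    "(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)"
    "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(A;CI;RPWDLCLO;;;WD)"
    "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RC;;;RU)"
    "(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
)

if __name__ == "__main__":
    print(f"{len(parse_dacl(PAGE_DACL))} ACEs parsed")
    for ace in find_risky_aces(PAGE_DACL):
        print("RISK:", describe(ace))
```

Run against the post's string, the check singles out exactly one ACE: the one whose trustee is Everyone and whose rights include WRITE_DAC, with the CI flag set so that it is inherited by child objects. That is the "two WDs in the same ACE" the hint points at; the same function can be run over the DACL of any directory object (or a file or registry key, with the relevant rights codes added) as a standing check that no broad trustee can rewrite permissions.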

Speaking of perspective, which happens to be the topic of my next blog entry, as I take your leave, I’ll leave you with yet another simple question...

What do the following organizations have in common?

Microsoft, Hewlett Packard, Intel, Cisco, Dell, the US Army, the US Air Force, the US Navy, the White House, the Department of Justice, Bank of America, Citibank, Wells Fargo, Chevron Texaco, Goldman Sachs, Fidelity Investments, Blue Cross, Walmart, KPMG, the Carlyle Group of companies, Los Alamos National Labs, Wipro, Charles Schwab, Boeing, Lockheed Martin and virtually every other organization that is an American household name?

[Hint: The two questions above are closely related. The connect lies between the lines.]


I’ll shed light on the answers on Monday, October 09, 2006.

Have a wonderful weekend,

Best wishes,
Sanjay

Thursday, September 14, 2006

Thank you

Folks,

I'd like to thank all of you for your best wishes.

It’s been an incredible 36 hours since we launched Paramount Defenses.

We’ve received congratulatory emails from all over the world, including from various prominent folks in the information security space such as Eric Pulaski, Ankit Fadia, Tim Guleri and others. We've also received best wishes from folks at prominent organizations including the White House and the Department of Homeland Security.

It’s been an incredibly busy 36 hours and thus I haven’t been able to get to blogging yet, but from tomorrow onwards, I do intend to start blogging on a weekly basis.

As I take your leave, I’d like to publicly express my heartfelt thanks to Scott Charney for his encouragement and inspiration throughout my journey thus far – thank you Sir.

Best wishes,
Sanjay

Wednesday, September 13, 2006

Houston, we have Lift-Off

Hi Folks,

As promised, earlier today we launched Paramount Defenses Inc., the world's first company engaged in the development and delivery of a dedicated IT security infrastructure protection solution.

Best wishes,
Sanjay Tandon
Founder,
Paramount Defenses

Thursday, August 03, 2006

It’s time to change the world

I just got back from vacation – rejuvenated and recharged.
Now that I’m back, it’s time to make the world a safer place...


On September 12, 2006, at the touch of a button, we will positively impact the security posture of the world.

Microsoft’s Unsung Heroes

Earlier today, Microsoft made a rather bold move – they publicly invited hackers to test Vista. (Yahoo News: Microsoft invites hackers to test Vista)


Having been on the other side of the fence, I can tell you that it’s no easy job ensuring that the world’s largest piece of software is highly secure.

Over the last few years, Microsoft has put in significant and commendable efforts to raise the security worthiness of their products. If you read the news article above, you’ll come across the mention of a security team with oversight of every Microsoft product. That security team is led by none other than my good friend and former colleague John Lambert. John’s a fiercely intelligent and truly remarkable gentleman, and he leads a team that bears a great responsibility – ensuring that Microsoft ships secure and trustworthy software.

John recently presented at the Black Hat conference where he spoke about the security engineering process behind Vista. (Incidentally, he’s one of the seven people at Microsoft who had the opportunity to be privy to my risk-assessment of Microsoft's global security infrastructure.) He and his team work night and day hand-in-hand with the various product teams across Microsoft and together they ensure the delivery of trustworthy products.


Speaking of his team, every Microsoft employee (from the Michael Howards of the world to the thousands of unsung developers and testers) deserves praise for their admirable dedication and their (usually under-rewarded) perseverance and contributions to the company. It’s rather unfortunate that over the last few months or so, some of the best at Microsoft have been moving on.


In fact, Jesper publicly announced just yesterday that he was moving on from Microsoft. He’s a good friend and a phenomenal guy and I wish him well. Jesper’s departure is truly a loss to Microsoft.

Microsoft has some of the best brains in the world, and each Microsoft employee, no matter what their role, is an unsung hero, for their work directly and truly impacts millions of people around the world. I wish all my former colleagues at Microsoft the very best.

Thanks,
Sanjay

Wednesday, July 19, 2006

A Despicable Act of Cowardice

As you may have heard, on Tuesday July 11 2006 (i.e. 07-11), India’s financial capital, Mumbai was hit by a series of coordinated bomb-blasts leaving over a hundred innocent people dead, and injuring hundreds more.

(Yahoo News Coverage: Bombay bombings leave city paralyzed )

My own brother was travelling on one of the trains hit. In Bombay, like in Manhattan, almost everyone takes the train. He usually travels in first-class, but as luck would have it today, he was running late and thus barely made the train, so he ended up boarding a second-class compartment just two compartments behind the first-class compartment.

A few minutes later, the bomb exploded in the first class compartment at Jogeshwari, killing so many innocent people. I spoke to him a while ago – having providentially escaped death and lucky to be alive, and still coming to terms with what had just happened, he managed to provide a sketchy first hand account of the grisly scene on the ground. Scores of innocent people are dead, the terror indiscriminately killing all alike, children, youth, women and men. For some, their lives have sadly come to an abrupt end, and for others the suffering of a lifetime is only beginning.

What has the world come to? What motivates a human being to engage in such dastardly acts of cowardice against innocent people? Why do people resort to such desperate ignoble means to communicate their voices? What do such despicable senseless inhuman actions really achieve? Where are we headed as mankind?

Our hearts and prayers go out to the victims and the loved ones of this truly tragic and barbaric act of cowardice. May they find the strength and the courage to cope with and face this despicable tragedy.

Monday, July 03, 2006

Taking a break...

It's been a very busy year thus far - I'm off to French Polynesia to take some time off...

...I'll be back sometime in August.

Best wishes,
Sanjay

Monday, June 19, 2006

Ignorance is Bliss

I recently performed a security infrastructure risk assessment for a prominent Fortune 100 company with annual revenues exceeding US $20 Billion.

At the end of my risk assessment, I submitted my report to the head of a special steering committee that reported directly into the CEO. The findings of my risk assessment were passed up to the CEO - the first line of the first paragraph of the summary of findings went something like this - The company’s security infrastructure, as it stands today, is highly vulnerable, may potentially already be compromised and should not be deemed trustworthy...

Each of these findings was backed by irrefutable evidence.

The company’s global IT infrastructure was primarily based on the Windows family of operating systems. At the heart of their identity and access management lay an undisclosable number of Active Directory forests, which cumulatively contained over a hundred thousand user and computer accounts, half a million security groups and between them covered the company’s global IT presence across five continents.

Interestingly, the company had over one hundred dedicated infosec personnel and their annual information security spending on staff salaries alone easily exceeded $ 10 million.

The following is a highly summarized version of the summary of findings (certain details have been obfuscated on purpose):

  1. There exist at least five hundred individuals who possess the capability to compromise the company’s security infrastructure in its entirety. Over 70% of these people aren’t even aware of the fact that they’re capable of inflicting such damage to the company.

  2. There exist at least six score unique escalation paths that could be used by an anonymous user to compromise the company’s security infrastructure in its entirety.

  3. There exist at least two score physical locations across the world from which an anonymous user could escalate his privilege to that of a God-like administrator within minutes.

  4. There exist at least one score user accounts with God-like administrative privileges that are currently in use and that do not map to a human user.

  5. There exist at least two enterprise security applications running as System on over three dozen Domain Controllers. These applications were purchased from a vendor with no demonstrated expertise in information security and furthermore, the development teams responsible for developing this product were based out of Russia.

  6. At least one Domain Controller is known to have been compromised by an unknown user.

  7. Every user in the company possesses the capability to launch at least two specific types of denial of service attacks each of which would cripple the company’s global security infrastructure for at least one business day per occurrence.

  8. There exist at least one score Help Desk administrators that belong to an outsourced company operating from India, that possess the capability to escalate their privilege to God-like administrators.



There were about forty more entries in this summary list, each one backed by irrefutable evidence.

Internal follow-up inquiries revealed that neither the CIO nor the CISO of the company were aware of the existence of these currently unmitigated risks. In fact, most members of their 100 person infosec team weren't aware of these risks. What made the situation worse was that there was not a single individual in the entire IT department that was responsible for the security of their security infrastructure.

Think about it for a second – this is a prominent Fortune 100 company with annual revenues exceeding US $20 Billion and an IT security budget exceeding $20 million, and yet there was not a single individual responsible for guarding the guards. Oddly enough, there were about fifty people within the company working to ensure that the company was SOX compliant.

I couldn’t help but wonder if they understood the ramifications of doing business on a foundation whose trustworthiness was suspect. (It’s akin to flying a jumbo jet whose fuselage could rip apart any second.)

Ignorance is bliss, (that's until reality stares you in the face... then you turn white)

PS: I was pleased to see that the company immediately mobilized all its resources towards mitigating most of these risks. It was also brought to my attention that the company has decided to make the protection of their security infrastructure a top executive priority.

Thursday, June 08, 2006

All the best, Dan!

Folks, please join me in wishing Dan Farmer and his team at Elemental Security the very best in their endeavor.

For those of you (mostly referring to my ex-Microsoft colleagues; we barely know what the world outside our offices looks like) who don’t know Dan, he’s an accomplished network security expert with a rather illustrious background. I believe he’s best known for producing and releasing a tool called SATAN a few years back.

SATAN is a powerful Unix-based, system-auditing tool that was designed to scan networks connected to the Internet, conduct a remote analysis, provide a detailed explanation of security risks, identify fixes, and even reference other network security information resources on the Internet.

I first heard of Dan during a meeting with Sameer Gandhi at Sequoia Capital on Sand Hill road last year – Sameer had invited me over to learn more about my endeavor. Dan’s the man at Elemental Security, a privately held company funded by Sameer (representing Sequoia) and others. I’ve a lot of respect for Sameer and personally I think he’s one of the sharpest guys I’ve ever met (and I’ve met a lot of people, from Presidents to Bill Gates and from MENSA champs to Rajeev Motwani).

So I did check out Elemental after Sameer mentioned that he had invested in them. By the way, to this day, I look up to Sameer - he's simply phenomenal (; and no I have no ulterior motives in praising him; and I'm most definitely not looking to entertain any VC interest)

I liked what I saw. Personally, I think there are some similarities between our visions (his, mine) – if you actually take the time to read our visions you’ll find that we’re both strong proponents of a single unified framework that delivers a host of security capabilities that are designed to truly help organizations assess their overall security posture and improve it.

So while I’ve never viewed my endeavor to be one that is competitive in its nature (in that it's meant to do good), the reality is that it’s a competitive world (even when you’re trying to do good ;-), and from that angle the only company that comes remotely close to what we’re out to do is, Mr. Dan Farmer Inc. aka Elemental Security.

But I don't worry about it, because I think we tend to differ significantly in our areas of focus, in the way we intend to deliver value to the world, and in one more (elemental) aspect, which I would rather not comment on just yet.

While I wish him all the best, I only worry in that I hope that he always continues to take the high road and that he doesn't end up resorting to the use of fear-selling given that the entire security industry already thrives on the low road (although it appears that SOX compliance is giving fear-selling a run for its money as the leading #1 sales ploy used to sell security products, and the likes of none other than Gartner glorify it!). I would so not like to see him take that route, especially when he has something respectable to offer to the world. I don't happen to hold fear-sellers in very high regard (and for a good reason).

I only bring this up because I believe that he once happened to say something to the effect that "...people are so motivated by fear." - while that statement may very well be true, without context, one could almost conclude that he'd espouse fear-selling but I'm sure he didn't mean it in that way.

In a way, I guess we share a similarity and a difference beyond the obvious (i.e. his forte is network security and mine is systems security). Dan produced and released SATAN and it radically changed network security around the world (because it revealed numerous existing deficiencies in networks around the world). On a similar note, while I could potentially release the Golden Eye in the public domain, I would never do so (and therein lies the difference) for it has the potential to (overnight) modify the Fortune 500 list and at a stretch even change the world map.

Here's what Jim Settle, former head of the FBI's computer crimes squad had to say about Dan's releasing SATAN out ... "Now the bad guys can pull it down and use your own tools against you." Now you know why releasing the Golden Eye in the public domain may not be a good idea.

Anyways, so Elemental had a web-cast earlier today led by Dan himself – I decided to drop in for a few minutes to hear him speak to his vision – I wouldn’t say I was impressed by their vision but I did enjoy listening to him. Of concern though was one logistical fact – Elemental’s got about $25 million or so in funding already (or so I hear) and recently won the award for most innovative product at the RSA conference this year – so you’d expect the world to be excited about what they’re out to build? I happened to be running late and thus dialed into the meeting about 35 minutes after it started (i.e. > half way into the webcast) and the automatic conferencing system politely informed me that I was caller number 37.

With all due respect, 37 is less than the number of folks who'd show up for our inconsequential weekly webcasts on Active Directory security @ MSFT. Something seemed amiss there and I was deeply disappointed, for I do believe that they have something of value to offer to the world – having just 37 people on that webcast didn't quite sound right.

By the way, I did happen to ask Dan a question since I noticed that while he was expecting questions, there were barely any being asked. So I asked Dan a question – “If you could summarize it in 30 seconds, what would you say is the business value of your product, and how does one justify the information security spend on such a product to the C*Os?” – he was kind enough to take the question and though his answer wasn't particularly impressive, I have to admit that I appreciated the fact that he took the question – I mean it was akin to being asked for your elevator pitch when you’re already in it and half way up; I imagine he must have a lot on his mind.

By the way, speaking of elevator pitches, while I’m not a big believer in them, I do think one ought to be able to quickly and concisely articulate matters close to one’s heart – speaking of the heart (and quips), here's a snippet from memory lane - I was at TechEd 2004 in San Diego – there were about 1037 attendees attending my presentation on Active Directory security. At the tail end of it, an administrator from a Fortune 100 company stood up and asked me a simple question – “so, if you were to send my cynical CIO a 30-second message about why he should give a damn about protecting our Active Directory deployment, what would you say?” I told him to respectfully ask his CIO a simple question – "Sir, what do you think might happen to your life if your heart stopped beating?" There was a long silence in the room...

I have to admit that this has been my longest post yet, which is uncommon; I guess I had 11 free minutes after a pretty long time today. Whoever said talk is cheap, doesn’t have a clue as to how short life is.

I should wrap this up – well, I just wanted to convey my very best wishes to Dan and his team – good luck guys! I wish you well... may the best man win!

PS: By the way, it does feel nice when Dan's guys drop by. :-)

Sunday, June 04, 2006

Do you play Chess?

Defending an enterprise is sort of like playing Chess.


It’s you versus them. Each party has an army. You're on the defensive while the bad guys are on a constant offensive. It’s your defense strategies against their attack strategies.

Each move takes into account the state of the entire battlefield. They’re looking for a weak link; anything that will get them closer to your King (or the keys to your kingdom). That is their ultimate aim. Should they fail in accomplishing their ultimate mission, they’ll seek satisfaction in inflicting maximum damage before fleeing the battlefield – don’t take it personally, they’re merely frustrated. On the other hand, if they’re successful, well, it's game over.

But that's where the similarity ends for there are also differences, and unfortunately none of them are in your favor...

They know exactly who you are. You have no clue as to their identity, their strength, their location, their motivation, their next move. Also, you cannot expect them to play by the rules.

Speaking of which, you definitely cannot expect them to be polite, courteous, compassionate or merciful. And unlike you, they’re not working sixty hour weeks with umpteen responsibilities, a life to live, kids to go back to in the evening, a lovely vacation to look forward to and a hard-earned retirement to dream about.

On the contrary, most of them are ruthless, determined, focused and highly driven to accomplish their objective at any cost. They’ve already compromised their integrity - what more could they have left to lose? Remember the old adage “beware of he, who has nothing to lose.”

How does one win this constant battle against a ruthless and faceless enemy? (This is the stark reality that thousands of organizations around the world face everyday )

Thursday, May 11, 2006

These last few weeks...

It's been an incredibly busy last few weeks, amongst other things, working on the Golden Eye and preparing for a rather important meeting (at what might be considered a notably prominent address) in Washington, DC next week.


I should be back soon - stay tuned.

Thursday, March 23, 2006

So much to share, so little time ... stay tuned.

There’s so much to share but so little time. Would like to start sharing but there are some matters of paramount importance that need my attention this fortnight.


I’ll be back soon sometime in May. Upon my return, time permitting, I intend to blog the following entries (not an exhaustive list)…

Things I worry about – The free world’s walking on really thin ice.
Time and Tide – Why I had to say "No Thanks" to the marquee venture capital firm Greylock's interests?

Nairobi, Kenya – One of the weakest links in our national information security.

Godzilla Turns – Why the likes of Symantec and McAfee are gasping for breath ($1,$2) today?

Back to the Future – Why I declined to pursue the matter further with Kleiner Perkins.

In the grand scheme of things – an email exchange with Elemental Security's Dan Farmer.

I’m flattered – Microsoft finally starts using the term "Security Infrastructure"

The SOX bandwagon – can't think of a single security vendor that hasn't jumped the SOX bandwagon yet.

On my way back from Monte Carlo – a flagrant lapse in homeland security.

The million dollar bullet – and how it could take Google's Larry and Sergei to rags.

The Tsunami’s on the way – you’ve got to be blind not to see it.

Zdraas Veete! - Why might the Russian mafia be interested in owning a US ISP?

One bit is all it takes – no kidding.

Lofty aspirations, harsh reality – NetPro's challenges.

Godzilla doesn't have the time yet – why a little company like Desktop Standard does so (supposedly) well with a simple idea.

Justify - Identify, Simplify, Centrify... brilliant marketing pitch ... now it's time to justify.

Use at your own risk – how trustworthy is your security software?

Walking the line – Many a security vendor offer security solutions, but how secure do you think their own security infrastructure is?

The Writing on the Wall – and how it will take Corporate America by storm.

Who cares about WMDs – all it takes is two WDs in the right (pl)ACE, and it's game over.

Fighting lost battles – Organizations worldwide struggle to secure their information assets.

The need for accountability – How can we have security without accountability?

Everyday Heroes – A day in the life of an IT administrator.

Battling Social Engineering – Secure Computing Practices 101 should be required reading

It's all about trust - The role of trust in Information Security

Bootstrapping Trust - How to recover from an attack on your security infrastructure

The Perils of Outsourcing - Why outsourcing IT can come back to haunt us

Paramount Defenses – coming soon.

Stay tuned...

Sanjay Tandon
President, Paramount Defenses

The (Active) Directory Experts Conference 2006

The Directory Experts Conference (DEC) is around the corner … as usual, Stuart Kwan kicks it off (in Vegas this year) on Monday March 26th with his annual keynote.

DEC is primarily an Active Directory focused conference presented by NetPro Computing Inc, co-sponsored by Microsoft and primarily attended by AD admins and architects from AD deployments.
It’s also currently the only conference that is focused on Active Directory and increasingly on Microsoft’s foray into identity management (er, MIIS.)

While there are some who like to believe that it’s really NetPro’s annual sales conference, in all fairness, there’s more to it than that – amongst others, many Microsoft folks from the AD dev team speak at the conference. (e.g. the AD security workshop last year).


So if you’re looking to learn more about AD and Microsoft’s long-term identity and access management strategy (yes, there is such a thing at Microsoft), DEC might be worth attending.

While on the subject, I should also mention that NetPro's been working really hard on image and product-line enhancement and it deserves a pat. I love the new tag-line – NetPro, a company that builds software to drive the security, compliance and health of distributed network services. Now, if only tag lines could sell products, NetPro’d be a happy camper.

I’m happy to see them embrace my suggestion and introduce an Active Directory security product. Also, glad to see that they’re off to a good start with their first version – in my humble opinion, it should definitely be worthy of some serious consideration in a few versions - I'd give them a year or so to get it stable and solid.

While time isn't a luxury I can afford, I might just drop in for a half a day for Stuart's keynote.

Monday, March 20, 2006

The last 192 hours

Doesn't seem like it, but it’s been 192 hours since I last took out a few minutes to blog – it’s been a busy week.


Between helping a major financial institution bolster its Active Directory defenses, advising a prominent government agency on matters of vital importance and getting ready to launch my new endeavor, Paramount Defenses, the last 192 hours seem to have jetted by at Mach 2.

It’s Saturday morning around 2:30am – perhaps I’ll be able to blog a few thoughts down before the next 192 hours flies by.

Saturday, March 11, 2006

The Journey Thus Far

Process note: While the intention of foraying into blogging was primarily to share my humble perspectives, I've decided to make a one-time exception, to thank everyone who's reached out and conveyed their best wishes and inquired about the journey thus far.

Over the last few weeks, I’ve received emails from so many people around the world, sending in their best wishes and inquiring about the journey thus far. I’m very thankful to all of them for their support and wishes and I wish them all the very best in life.

As for the journey thus far, well, I can only say that it’s been a very satisfying start. Over the last few months, I’ve been approached by some of the most respectable and successful venture capital firms in the world, made the acquaintance of some incredibly talented and remarkable folks (e.g. Ray Lane, Rajeev Motwani, Bruce Schneier, Lawrence Lessig, Dipak Jain, others) and humbly accepted notes of admiration (from some highly respected industry leaders) and invitations to leading industry conferences (RSA, others).

I've also had the opportunity to personally share my vision with many Fortune 100 companies and vital government agencies and above all had the opportunity to personally help them assess and enhance their security posture.

It's been a great start, but we've only begun... there’s much important work to be done ahead. Please accept my sincere thanks for your best wishes - I sincerely appreciate your kindness.

Sincerely,
Sanjay

Thursday, March 09, 2006

Finite Time, Infinite Possibilities

Blogging's a great way of sharing one’s thoughts and perspectives with the world. It's also the easiest way to easily lose your most valuable possession.

Having seen some of my ex-colleagues indulge in it (e.g. Kim's blog @ http://www.identityblog.com/), it is clearly evident that unchecked, it has the potential to easily turn into a highly addictive activity (albeit highly intellectually stimulating) and in certain cases, very quickly turn into long-drawn ego-bouts, thereby easily quenching one's precious time.

While time is finite, the possibilities life presents all of us are virtually infinite, and the clock continues to tick away. In an attempt to efficiently use blogging as a means to share my perspectives, I’ve decided to establish and adhere to a few blogging ground rules:

Rule #1 – Blog at most one (terse and cogent) entry a day
Rule #2 – Share meaningful, thought-provoking perspectives
Rule #3 – As a principle, resist engaging in a blog discussion of any kind

I look forward to sharing my perspectives with you.

PS: Thought for the day... How much trust can you impose in the machine you're browsing from, and on what basis?

Wednesday, March 08, 2006

Hello World !

Hi,

Welcome to my blog and thanks for stopping by.


I'm Sanjay, until recently Program Manager for Active Directory Security on the Windows Server development team at Microsoft. I moved on from Microsoft last year to do my bit to secure the world.

Between doing my bit to secure the world and getting some sleep, I intend to spend some time blogging to share my humble perspectives on Information Security.

My blog should be up and running in a few days. As I take your momentary leave, I wish you all the very best on your sojourn of this marvel we call life.

Cheers,
Sanjay