
IT Security


Protect and Innovate in IT Security

Posted by George Hulme May 11, 2012

In business, there’s always been friction between the need to protect information and the desire to push technology forward and innovate. Today, perhaps, that friction is hotter than ever, as end users want to bring their own devices and applications to work. While some organizations try to block everything that isn’t approved — employees can use only corporate-approved devices and software — others are trying to accommodate the trends by opening the floodgates.

 

Neither is the ideal approach.

 

The first is too draconian and won’t work because users will sidestep overbearing rules. Tell them they can’t tweet from work? They’ll tweet from their personal iPhone. Tell them they can’t use tablets for work? They’ll do it anyway from their 3G/4G-enabled tablet and on their personal network connection. All of this happens outside corporate IT’s view because IT doesn’t control the devices, the networks or even the data that employees use outside the office. Counterintuitively, controlling the user too much in this way actually decreases security; out of sight is not out of mind — when user actions are pushed out of view, IT and security teams don’t know what’s going on.

 

The second approach — a laissez-faire environment — doesn’t work either, as it sets up the organization for data breaches in the making, especially from mobile devices accessing corporate data. Reaching a balance, protecting systems and data while enabling the business to push forward with innovative initiatives, was the subject that CA Technologies Director of Research Carrie Gates and Mike Denning, General Manager, Security Business, tackled at the recent RSA 2012 security conference. The pair told security officers to move from “No” to “Know” — that is, security teams should no longer say no to new initiatives such as cloud and mobile, and instead should arm themselves with the “KNOW”-ledge that can help IT let employees use the devices of their choice at work.

 

Finding Alternatives

So, rather than tell employees that they can’t use online file-sharing services, provide business managers with an alternative. Perhaps that could be turning to a competing service that caters to the enterprise, or maybe building private cloud storage where the appropriate access controls and monitoring can be put into place. Whenever there is friction between what users need for their jobs and the organization’s need to protect its data, look for a viable alternative and detail the costs versus the business risk and reward for all alternatives. 

 

To gain this knowledge, listen to user needs. If the HR department is having a hard time attracting talent because the company doesn't allow tablets at work, IT should see an opportunity to enable the business to be competitive in the marketplace for talent.

 

Access vs. Risk

As Gates and Denning described in the talk, that can include looking for ways to manage device access to corporate applications, such as single sign-on authentication, backing up work files to corporate storage in the cloud, or segmenting users’ personal workspaces from their work data and applications. None of this is especially easy to do today, but the tools are maturing, and it’s time to start taking a close look at how to make it happen. Each organization has to weigh its own business needs against its own level of tolerance for risk.

 

For instance, ask whether data can appropriately be stored in an on-demand software service. Can security controls be put into place, such as proper authentication and access monitoring, to satisfy security policy and that data level’s classification? If not, maybe that data isn’t suitable for that service, and an internally managed option would be the way to go.

 

The ability to innovate, and perhaps even drive increased revenue, doesn’t require esoteric technology. You just need to keep an eye on what can be done, and how to secure it with the available technologies. When this is done right, you’ll be rewarded with the ability to effectively — and securely — move forward with innovative initiatives in mobile, cloud, or new services and applications in your industry.


There has long been talk of security being a “business enabler.” The reality of IT security, however, has been quite different from that. While it’s true that organizations want their transactions to be safe and private and their data to be secure from snoops and tampering, security is viewed as a necessary evil by many businesses. Think of it as the way one may view the military — it’s necessary to keep trade lines secure. Anarchy isn’t good for business.

 

And disrupted transactions, hacked applications and stolen data clearly aren’t good for business, either. Such incidents diminish trust among employees, partners and customers. In spite of this, I constantly hear that most organizations invest only in security that is “good enough” to get the job done.

 

In fact, Joshua Corman, Director of Security Intelligence at Internet and cloud services performance management firm Akamai Technologies, recently told attendees at the 2012 RSA Conference that organizations “hate” security. "It's a tax that prevents IT from doing what it wants to do. Security is a toxic word," he said at the session, which was titled Security Is Dead. Long Live Rugged DevOps. And it’s so true.

 

Less Painful Security Options

Still, it doesn’t have to be that way, and a number of emerging trends in enterprise development and operations are making security less painful. Chief among these are virtualization, cloud computing and agile development and management systems, as well as the merging of development and operations teams, commonly known as DevOps. Taken together, these technologies and practices are making it possible for security guidance and processes to be built into organizational development and operational workflow. Hopefully, the result will be infrastructures that are not only more agile but also much more resilient.

 

For instance, with the increased popularity of DevOps over the past few years, many organizations have been merging their IT operations and development teams. By doing so, experts say, the software-deployment cycle is compressed from many months to days. Some organizations that previously performed a dozen deployments over the course of a year are doing dozens per day now.

 

The trade-off of moving that quickly, however, is the potential for weakened security. For example, if a build were not properly secured, those errors would be replicated quickly; or if code isn’t tested by the Quality Assurance team, security-related software mistakes are more likely to slip by. Such errors may not worry others, but they are of critical concern to security officers, who are already running a number of steps behind most deployments.

 

Agile Development, Competitive Advantage

That’s where DevOps comes in. Agile and DevOps workflows are business enablers that allow swift and highly competitive enterprises to rapidly turn customer requests into products or services. However, success at achieving such innovative development will depend — in no small measure — on an organization’s ability to learn how to move securely at such speeds.

What they need to consider — in the same way that virtualization and agile development processes help make DevOps possible — is how IT can also help to instill security throughout the DevOps process. This is what Corman and his co-presenter, Gene Kim, President of Visible IT Flow, dubbed Rugged DevOps.

This approach is about instilling secure practices into the fabric of an organization’s workflow, reducing risk while enabling the business to move at today’s more competitive pace.

To achieve the goal, security managers need a good seat at the DevOps table. Specifically, according to Corman and Kim, the key is to sell the benefits of security — and how security enables business — rather than focusing on security for its own sake. Those benefits include increased uptime, and, fingers crossed, fewer successful breaches.

 

Once they are part of the DevOps process, security teams can provide release managers with additional checks to add to their development and release cycles to succeed at all of the objectives stated here. And, for operations teams, security can provide the tools (such as firewall and network security checks) needed to ensure that the environment is stable and safe from an operations perspective. It’s a win-win.

 

With organizations forced to move fast to succeed, models such as DevOps will continue to emerge. At the same time, businesses have to make certain that the proper level of security is embedded along the way and that security truly enables agility and competitive advantage.

 

George V. Hulme writes about security and technology from Minneapolis. You can also find him tweeting about those topics on Twitter @georgevhulme.

 

 

For more on security and business enablement, read a recent article here and another here.


Numerous start-up cloud vendors are busy hyping their "Security-as-a-Service" wares, with requisite promises of turnkey "Security in a Box" and the like. But enterprise CIOs have tough questions about the validity and reliability of such firms and their services — as well they should. Securing a global IT infrastructure is paramount — with millions of dollars and customers at stake, not to mention a company's tarnished reputation if a major security breach occurs. It’s wise to ask whether such a mission-critical task can be entrusted to a third-party host.

 

That’s why Matthew Clark, Senior Director of IT at telecom provider Qualcomm in San Diego, is taking a cautious approach to cloud services. "Trust and security in cloud computing are big deals to companies,” he says, and too often cloud providers are more concerned with protecting their own business than the customer’s. As a result, “We are very, very cautious about what we allow to be put out into external clouds," Clark says.

 

Lina Liberti, VP of the Security business at CA Technologies, understands the concerns. She told me recently that, "Some of these new-to-the-market Security-as-a-Service providers are great for small to midsize business, as smaller firms are more likely to take risks in order to realize the benefits from a cloud deployment." But, she warns, outsourcing large enterprise security to a new, immature vendor is a risky proposition.

 

That doesn’t mean a large or growing enterprise can’t take advantage of the cost and resource savings cloud security offers; they just need to partner with companies that have hardened enterprise-grade security tools delivered as a service.

 

Peter Hinssen, one of Europe's leading tech gurus, noted that "CA [Technologies] realized that cloud was going to happen faster than anyone else anticipated, and the company has taken a leading role in this market." Hinssen believes that CA Technologies is also out front with its Identity Management-as-a-Service.

 

The company recently released several cloud solutions aimed at the identity and access management (IAM) security market. The CA CloudMinder portfolio, for example, is morphing the firm's long-established IAM solutions into hosted, subscription-based security services for customers. With the new services, CIOs no longer need to purchase, install and maintain their IAM tools via old-school methods (as applications on CDs, for instance). Now, they're available in the cloud as services customers can procure, buy or license from CA Technologies.

 

Besides its experience with enterprise data centers, CA Technologies provides trained support 24x7x365 — critical to most global online enterprises. These “comfort factors” may boost Security-as-a-Service among skeptical CIOs — even those like financial and healthcare CIOs, who need to meet stringent requirements and regulations with their cloud deployment.

 

To me, that's hope, not just hype.

 

 

Larry Lange is a freelance writer on the business of technology and a contributor to Smart Enterprise magazine.


New Content-Aware Identity and Access Management (IAM) technologies promise to help enterprises rapidly embrace cloud — and new business models — without increasing risk.

 

Some security managers have a reputation for always trying to put the kibosh on new projects and new ways to use IT. In many organizations, the CSO and team have become known as “Dr. No” when it comes to certain device use, social networking tools or even cloud computing. (See related blog here.)

 

It's not necessarily their fault. The job of a security chief is to protect enterprise assets, after all. And the reality is that security applications — identity and access management, data-leak prevention tools, user activity reporting, among others — alone don't provide the necessary insight into users and the information and resources they want to use at the moment of the transaction. That is, they don't provide the context needed to measure real-world risk.

 

But this is changing.

 

At CA Technologies, we believe a new twist on identity and access management and data protection technologies — what we call Content-Aware IAM — will help to move this conversation forward by adding the necessary intelligence around content and data to reduce risk while maintaining productivity, whether working in a traditional or a cloud environment or both.

 

For instance, the more tightly coupled the identity information — such as who the users are, their job role, etc. — is with the actual data accessed, the more secure the migration to cloud services can be. With Content-Aware IAM, enterprises can more granularly control not just what applications and data users are attempting to access, but also what they can do with that information.

 

Risk-based Decisions

With that user and data information at hand — and even information about the device the user is operating from — organizations can put the information to use at the time of transaction and create a risk-based judgment about individual transactions. Think of this risk-based judgment as similar to a credit or FICO score. Instead of checking credit history before opening a new credit card or approving a car loan, Content-Aware IAM evaluates the user and looks at who she is, what devices she is using and what data she wants to access. Then, based on a set of predetermined criteria and policies — just like a FICO score — the advanced authentication portion of Content-Aware IAM (specifically, our CA Arcot RiskFort technology) can assign a risk score that determines whether or not a transaction can proceed.

 

For instance, if a user is accessing data daily from her desk PC during normal business hours, we'd assume a low-risk data transaction and can assume most actions would be allowed without further authentication. However, should this user suddenly start attempting to access that same data from an iPad after business hours from across the country, we'd have an entirely different risk score for the transaction. To proceed, even more advanced authentication can be required to verify her identity, such as a one-time password sent to her cell phone number on file, or even delivered by a phone call.
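The desk-by-day, iPad-after-hours scenario above, worked through as an added Python example (not code from the post or from CA Technologies; the weights, thresholds, roles and sample identities are invented, and the scoring is a generic illustration rather than CA Arcot RiskFort's algorithm). It scores one request from the user's role, device, time, place and the data's classification, gates it on role clearance first, and returns allow, step-up or deny together with the factors that fired.

```python
"""Risk-based authentication for one access request (added, illustrative
example; not CA Arcot RiskFort's algorithm). The context scored is what the
post names: user and role, device, time and place, and data classification.
All weights, thresholds and sample identities below are invented."""
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, List, Tuple

# Hypothetical weights and cut-offs; a real deployment tunes these from its own history.
SENSITIVITY_WEIGHT = {"public": 0, "internal": 5, "confidential": 20, "restricted": 35}
STEP_UP_THRESHOLD = 40   # at or above: demand a second factor (e.g. OTP to the phone on file)
DENY_THRESHOLD = 85      # at or above: refuse outright

# Which roles are cleared for which classifications. This is a hard policy
# gate that a low risk score can never buy around.
ROLE_CLEARANCE = {
    "analyst": {"public", "internal", "confidential"},
    "finance": {"public", "internal", "confidential", "restricted"},
}

@dataclass(frozen=True)
class UserProfile:
    user_id: str
    role: str
    known_devices: FrozenSet[str]               # device ids enrolled or seen before
    home_region: str                            # where this user normally works from
    business_hours: Tuple[int, int] = (8, 18)   # local hours, [start, end)

@dataclass(frozen=True)
class AccessRequest:
    user: UserProfile
    device_id: str
    device_type: str    # "desktop", "tablet" or "phone"
    region: str
    when: datetime      # local time of the request
    data_class: str     # key of SENSITIVITY_WEIGHT
    action: str         # "read" or "download"

# verdict is "allow", "step_up" or "deny"; reasons lists every factor that fired, for the audit log
Decision = namedtuple("Decision", "verdict score reasons")

def risk_factors(req: AccessRequest) -> List[Tuple[bool, int, str]]:
    """(fired, weight, label) per factor; table-driven so the policy reads like a policy."""
    u = req.user
    start, end = u.business_hours
    return [
        (req.device_id not in u.known_devices, 20, f"unrecognised device {req.device_id}"),
        (req.device_type != "desktop", 5, f"mobile device ({req.device_type})"),
        (req.region != u.home_region, 15, f"region {req.region}, usually {u.home_region}"),
        (req.when.weekday() >= 5 or not start <= req.when.hour < end, 10, "outside business hours"),
        (True, SENSITIVITY_WEIGHT[req.data_class], f"{req.data_class} data"),
        (req.action == "download", 10, "bulk download rather than in-app read"),
    ]

def score_request(req: AccessRequest) -> Tuple[int, List[str]]:
    """Sum the factors that fired and keep their labels so the outcome is explainable."""
    hits = [(w, label) for fired, w, label in risk_factors(req) if fired and w]
    return sum(w for w, _ in hits), [label for _, label in hits]

def decide(req: AccessRequest) -> Decision:
    """Clearance gate first, then the FICO-style score picks allow / step_up / deny."""
    if req.data_class not in ROLE_CLEARANCE.get(req.user.role, set()):
        return Decision("deny", DENY_THRESHOLD, [f"role {req.user.role} not cleared for {req.data_class}"])
    score, reasons = score_request(req)
    verdict = "deny" if score >= DENY_THRESHOLD else "step_up" if score >= STEP_UP_THRESHOLD else "allow"
    return Decision(verdict, score, reasons)

def run_scenarios() -> dict:
    """The post's two situations for one user, plus a deny and a not-cleared case (constructed data)."""
    alice = UserProfile("alice", "analyst", frozenset({"pc-0417"}), "us-west")
    bob = UserProfile("bob", "finance", frozenset({"pc-0902"}), "us-east")
    tue_10am, tue_9pm = datetime(2012, 5, 8, 10, 0), datetime(2012, 5, 8, 21, 0)
    return {
        "desk_daily": decide(AccessRequest(alice, "pc-0417", "desktop", "us-west", tue_10am, "confidential", "read")),
        "ipad_after_hours": decide(AccessRequest(alice, "ipad-77", "tablet", "us-east", tue_9pm, "confidential", "read")),
        "restricted_dump": decide(AccessRequest(bob, "phone-x1", "phone", "eu-west", tue_9pm, "restricted", "download")),
        "not_cleared": decide(AccessRequest(alice, "pc-0417", "desktop", "us-west", tue_10am, "restricted", "read")),
    }

if __name__ == "__main__":
    for name, d in run_scenarios().items():
        print(f"{name:18} {d.verdict:8} score={d.score:3}  {'; '.join(d.reasons)}")
```

The same user lands at 20 (allow) from her desk and at 70 (step-up) from the unknown iPad across the country after hours, while clearance, not score, is what refuses the analyst's request for restricted data.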

 

Content-Aware IAM with advanced authentication allows security executives to control users, their access and what they can do with information. This helps organizations embrace the benefits of cloud computing and consumer technologies, such as tablets or smartphones, without bringing too much risk into the organization. That’s the path to saying “yes” to new IT projects and technologies.

 

 

Read the related article in Smart Enterprise magazine here.


What do the royal newlyweds and IT have in common? Both need a large number of qualified security professionals to guard the castle — and enterprises are falling behind.

 

At the recent royal wedding, the world watched, and thousands of Britons and tourists turned out to witness the live event, which was very well secured. News reports indicated that more than 5,000 police were in attendance to ensure the security of the royal family, global dignitaries and spectators.

 

Now imagine for a moment that instead of 5,000 professional police, the security force was made up of 5,000 people who worked in security in addition to their primary job. Say, for example, that the royal family and world dignitaries were defended by factory workers, doctors, accountants, lawyers or other professionals. Seems silly, doesn’t it? And yet, many organizations treat IT security as a second job for their staff, or they put staff in charge of operations without sufficient training. This results in added risk for the enterprise, employees, information and clients.

 

As security threats heighten, it’s clearly time for staffing to keep pace and for the gap between needs and skills to be addressed. Organizations must elevate the role of information security professionals and put sufficient support and resources at their royal gates.

 

The Changing Threat Landscape

 

I have been the lead analyst for the (ISC)2 Global Information Security Workforce Study (GISWS) since 2007 and have seen many changes both in technology and the threats to organizations during that time. In 2007, the primary threat to organizations consisted of viruses and worms. This year, more than 10,000 information security professionals from more than 120 countries responded to our survey and reported new vectors that criminals were using to attack.


[Bar chart: Information Security Professionals’ Top Concerns, 2011]

 

As shown in the bar chart above, application vulnerabilities, mobile devices, and traditional virus and worm attacks keep information security professionals up at night.

 

The Skills Gap

 

Information security professionals are on the front lines when it comes to data protection. They are tasked with securing the organization’s systems even as end users bring in new devices and applications and move corporate data into the cloud. And yet, our research indicates that in the next several years there is likely to be a severe gap in skill sets industrywide. Information security professionals are stretched thin, and like a series of small leaks in a dam, the current workforce may show signs of strain.

 

For example, nearly 75 percent of respondents indicated that new skills were needed to meet the demand for cloud computing. Of that group, an overwhelming 92 percent indicated that a more detailed understanding of cloud computing was necessary by security professionals. In another question, mobile devices were ranked as the second highest threat for the organization despite the fact that more than 60 percent of respondents said they had controls in place to defend the mobile workforce.

 

Ironically, these challenges are creating healthy growth in the sector. Frost & Sullivan estimates that the number of information security professionals worldwide in 2010 was approximately 2.28 million. This figure is expected to increase to almost 4.24 million by 2015, displaying a compound annual growth rate (CAGR) of 13.2 percent from 2010 to 2015.

 

The chart below reflects these findings, based on our observations of staffing behavior during the past 12 months and from our primary research on organizations’ intentions to increase their information security budgets, including staffing.

 

2010-2015 Forecast for Information Security Professionals

 

 


Region        2010        2011        2012        2013        2014        2015   2010-2015 CAGR
Americas     920,845   1,058,972   1,214,641   1,393,193   1,570,128   1,785,236   14.2%
EMEA         617,271     703,689     796,576     897,741   1,014,448   1,148,355   13.2%
APAC         748,348     830,666     924,531   1,038,248   1,168,029   1,310,529   11.9%
Total      2,286,464   2,593,327   2,935,748   3,329,183   3,752,605   4,244,120   13.2%

 

 

The 2011 GISWS clearly illustrates the concerns held by information security professionals in a variety of areas. As I noted above, it is well known that many organizations expect IT professionals to also wear the security practitioner hat. This is a corporate mindset that cannot change overnight; budgets and spending will have to open up and a change in corporate culture has to occur.

 

What can an organization do in the meantime?

 

Organizations can take three key steps to foster a culture of security and eventually build the role of information security professional.

  1. Enlist upper-management support. Without support from the top, security initiatives are doomed to fail.
  2. Raise end-user awareness. By raising the awareness of end users, organizations can begin to solve the problem from the inside out.
  3. Create a specialization and an interest in security for the existing staff. By assigning security tasks to interested professionals, an organization can organically build its dedicated information security workforce from within.

 

Given the challenging economic times, organizations are hesitant to spend money on new positions unless absolutely necessary. However, as cyber-risks increase, it is imperative that information security be given top priority. Organizations willing to take even small steps toward training and building a strong information security workforce will see the benefits in the form of lowered risk to their data and to their customers’ information.

 

 

Robert Ayoub, CISSP, is Global Program Director of Network Security and Information & Communication Technologies at Frost & Sullivan. He is a member of Smart Enterprise Exchange and can be reached on the site.

 

 



Chief Information Security Officers and corporate risk officers need a break. These execs may have the hardest jobs in the organization and instead of being praised for their efforts to protect enterprise data and prevent breaches, they are often maligned as obstacles to progress and innovation. Even CIOs, whom many business users view as blockers to social media, cloud computing and other leading-edge technologies, sometimes do an end-run around CISOs and compliance folks in order to push projects forward more quickly.

 

Can a truce be reached? Several speakers at yesterday's Smart Enterprise Exchange meeting agreed that security and the cloud can coexist, but partnerships have to be forged first. Here are some views and tips from our panelists, but we also want to know what you think about this topic. Add your comments and views to these:

 

 

  • Arnold Felderbaum, Chief IT Security and Compliance Officer at Reed Elsevor Tech Services, and adjunct professor at New York University's Polytech Institute, leads a committee looking at cloud models. "Cloud computing is not a tech challenge," he said; the challenges are more about compliance, risk, and the types of data that will flow through the cloud. "You need to bring together architects, back-office managers and IT to forge the road ahead." Also, when a business person says, "I can escape privacy, compliance and legal issues," an attorney has to be available to respond.

 

  • Michael Denning, General Manager, Security Customer Solutions Unit, CA Technologies: IT needs to change from the "Power of No" to the "Power of Know." CISOs don't want to bear all the burden; they need to become a partner, get smarter and turn risk management into knowing what’s going on and granting access. Bring business users into the process and incent them to use internal services.

 

  • Timothy Chou, author and cloud evangelist, suggests that the tougher issue is how to foster innovation among business users without bogging them down in bureaucracy and restrictions like security and compliance. Best way? Create dedicated groups, away from the rest of the organization, and "protect them until there’s some legs."

 

  • Ajit N. Maira, Vice President, Strategy, Cloud-Connected Enterprise Management Business Unit, CA Technologies: Business units are "taking initiative, not control, like it or not." The question now is, how can we describe cloud services so that IT and the CISO can have an intelligent discussion with the business? ...The CIO is becoming a supply chain manager for business processes. In this model, systems architecture gets elevated for cloud services and CIOs need new skills for very carefully managing SLAs, security and vendors.

 

  • Joseph A. Puglisi, V.P. and Chief Information Officer, EMCOR Group: Traditional security methods like firewalls can’t stop breaches and won't stop business users from going around IT. Unless you create a good relationship with the business, and find out what they think they can't get from you, problems will persist.

 

  • Elizabeth Butwin Mann, Chief Information Security Officer at Mycroft, suggested that a Chief Services Officer position may be needed to provide cloud options to the organization. That person would be agile enough to make it as easy for users to get services "as using a credit card and Amazon, but can still partner up and exert some control within the confines of the business." Enterprises need to become an internal managed services provider (MSP), she said. To do this, they need to speak with business users about their needs but also state that security can’t be avoided. Open the dialogue and discuss options, she said.

 

  • Tony Orlando, Senior VP and GM, CA Technologies Eastern U.S.: "Change can be uncomfortable and shifting a paradigm creates fear." Moving services off-premise can eliminate people and jobs. At the same time, if you roll out slowly or wait for dollars, lines of business get frustrated and go directly to the service provider, bypassing IT. You need to be aware of these dynamics.

 

Share your experiences. Also read more from the event here.


No doubt 2010 will go down as a seminal year for IT security. The adoption of software-as-a-service and cloud computing hit full speed on the adoption runway — as did all of the regulatory compliance and security concerns that go with these new platforms. It was also the year we saw the Operation Aurora attacks that affected Google and a number of other U.S. high-tech firms, and the alleged theft of 250,000 classified cables by Private First Class Bradley Manning, which were reportedly made available to the document-leaking site WikiLeaks.

 

 

If your organization has data it needs to protect, there are clear lessons here:

 

 

1. Log management. As demonstrated by Operation Aurora, attackers are increasingly skilled. If you want to better protect your organization against sophisticated attackers, you need to be aware of the security event data within your server, application, and security logs. There is a ton of insight within those logs, and they often are the best place to spot attacks that are underway early enough to stop them before serious damage is done.

 

 

2. Data and system classification. Want any hope of stopping an insider from stealing reams of proprietary data? It's crucial that your organization know not only what data is vital to protect, but where it is stored and who has access. Which brings us to identity and access management.

 

 

3. Identity and access management. If your organization hasn't already, now is a good time to take an enterprise-wide assessment of its identity and access credentials. Are they out of date? Are there previous employees and contractors who still have access? Do employee and partner access rights reflect their current roles? As your enterprise extends its use of virtualization and the cloud, having sound identity management in place is even more critical.

 

 

4. Database and access monitoring. It doesn't matter how closely you watch your logs for potentially bad behavior, how well your data is classified, or how tightly controlled access is: bad things are going to happen. That's why it's important to be continuously monitoring databases and files for unusual access patterns.

 

 

I'm sure you have plenty of priorities and pressing issues on your agenda. But interviews with dozens of CIOs and CISOs during the past few months have revealed just how far behind many organizations are on the basics.

 

 

 

Now is as good a time as any to turn that around.


