Category Archives: Security

Managing trouble if your Cloud is in a Storm

Posted on by
Reply

Cloud computing comes with many key decision and considerations. There are decisions to be made around whom to choose, what to look for and what specific service it is that you ultimately need for your organisation.

When an organisation starts to think about moving to the cloud, the driving force is usually twofold: achieving a competitive edge in business and the cost saving benefits the cloud promises. While these are the incentives, the considerations when choosing a cloud service provider (CSP) need to be a lot more detailed. You are migrating your business from one form of technology to a newer and still developing one, and hence must consider scalability, control and security.

This can be a long, slow and painful process. CSPs are, ultimately, still subject the same cyber problems as your company was back when the humble server was the apple of the CIO’s eye. You may have decided on a CSP boasting near 100 per cent up time. But what about errors in the file system, misconfigurations, abuse attempts, programming errors and bugs? When they hit, service outages happen. Maybe not every time, but they can happen.

The Australian Government Department of Defence, Intelligence and Security have an online resource dedicated to advice for “Cloud Computing Security Considerations”. Aimed to assess the benefits and risk associated to cloud, the site also investigates the potential disasters associated when cloud provider drop outs occur.

The question the site raises is this: what happens if your data is housed in the cloud and your cloud service provider, for some unknown reason, becomes unavailable?

And this is one of the true problems of cloud computing. By placing your organisation’s data, information and trust in a service provider, you ultimately lose the ability to directly and independently fix problems if and when they occur. There is a whole world of security threats floating around that have the potential to wreak havoc with a business’ critical data and applications, and that can damage an organisation’s reputation and bottom line.

And, even more concerning, what happens if your trusted CSP unexpectedly goes out of business. Where does your data go? Who has rights to it? How do you recover it? Is it still secure? The plethora of questions that this potential situation brings up is enough to warrant serious concern, consideration and preparation.

So, below are five tips which you need to consider if and when, and ideally before, you migrate to the cloud to ensure that business can go on as usual if your provider becomes unavailable.

1. Demand connectivity and availability

The Cloud Computing Security Considerations highlights availability, bandwidth, latency and packet loss as the four key concerns when looking at network capacity from vendor to organisation. If there is inadequate connectivity, then ultimately your organisation will reduce its capacity to function as it should when working on the cloud. Similarly, you need to understand the provider’s availability. Availability can be affected by a host of things: targeted attacks, unsuccessful an ineffective maintenance, hardware problems and so the list goes on. As always, doing due diligence on your cloud service provider is critical. You need to ensure that the provider will meet your organisation’s cost, quality-of-service, regulatory compliance and risk management requirements.

The system housing your organisations information and identity must have capacity and ability to deliver a connected and available service, otherwise the CSP is redundant.

Ask yourself: is there any room to compromise on connectivity and availability when looking at my service provider?

Understand the service level agreement (SLA) so there is no confusion around the level and quality of service you are signing up for.

2. Be realistic – the threats are largely the same

Physical systems in offices can crash and fail – losing your data on site and in your office. Whether you have just migrated to the cloud, or have been a long-time resident, the risks you now face are the same as those you faced with a server purring in the back room. The loss of important data is another concern that businesses ignore at their own peril. A hacker or a disgruntled employee could delete important data. However, hackers and employees are not the only ones who might be responsible for such a circumstance. Important, mission critical data can be lost due to the negligence of a cloud service provider.

So what was your plan then? Assess the guidelines you had in place before migration, and then adapt these to the new technology.

Ask yourself: What are the bottom line security standards our organisation needs? Understand your key areas of weakness so you can develop a plan to protect them.

3. Back up. Again. And again.

Moving data to the cloud means it is no longer housed underneath your organisations roof. It is housed in a data centre somewhere across the globe. To future proof your data and ensure that you are not left in the lurch without important information and applications; your best option is to work with two cloud suppliers and house your data in both. This means that when one provider goes down its extremely unlikely the other will.

Either way, the cost is generally a good investment for peace of mind.

Ask yourself: is it worthwhile spending additional money on a second back up to ensure that business can run as usual if one CSP goes down?

4. Your SLA: The scheduled, the unexpected and the unsaid

Any service level agreement (SLA) will have listed the maximum possible unscheduled downtime that can occur without breaching it. The Cloud Computing Security Considerations notes that “typical SLAs that guarantee 99.9% availability can have up to nine hours of unscheduled outages every year without breaching the SLA”. 9 hours may sounds small in the scheme of things, but timing and deadlines could potentially render an ‘unscheduled outage’ catastrophic.

Likewise, your SLA should have an estimate on scheduled downtime, for key activities like maintenance. Understand what notice your contact says you will be given and what the parameters are here.

Another key consideration when it comes to SLA is compensation. Downtime can have huge effects on your businesses functionality and depending on severity could tarnish reputation.

By understanding your SLA you are more capable to assess the potential impact an outage could have, what you should expect in relation to downtime and if your organisation could manage this in day to day workings.

Ask yourself: how much time out can your business take without your business suffering. Is it an inconvenience or a hindrance?

There are huge discrepancies across SLAs for CSPs. Understand your SLA, and be aware that it is likely skewed in the providers favour. Knowledge is power.

5. Good relationships are founded on trust

You are putting sensitive data and critical applications in the hands of your provider. You need to have trust that if they can manage this data, they can manage to get you back on board in a reasonable time frame and without real stresses to your business.

Your provider needs to be reliable and secure, and ultimately be able to protect your data even when there is down time.

There should be minimal doubt when you sign that dotted line.

Ask yourself: what do you know about this provider, their history and their capacity. Understand your demands and their solutions. Do your research, and if you find any red flags, don’t hesitate to ask.

Original publication on CSO.

Cyber security threats through the Cloud

Posted on by
Reply

As with most of technology, security goes through periodic changes, cycles and generations. Hardware, software, applications and methodologies all arrive, become commoditised and standardized to the point of being invisible, and then come back in a new evolved form. New platforms and new devices create new opportunities but are also subject to new evolved threats – something that remains true of security.

Cloud Computing: a brand new landscape for threats

IT security threats evolve and adapt to the new IT environment. As corporate and personal IT usage habits have changed, so too have the types of security threats present in the world. New IT practices like Cloud Computing give end-users great benefits in terms of mobility, flexibility and productivity, but they also give malicious third parties new routes to breaching security and increase risks. So while the Cloud has given users a whole new world of mobile computing, it has also created a whole new landscape for hackers and viruses to attack from.

The rise and rise of mobile usage and the Cloud have seen third party attackers change their approaches. Cloud services, social media websites and Android operating system devices have all become new targets, while traditional user data and website denial of service hacks remain popular.

Recent malicious examples in Australasia have included the damaging loss of over 20,000 customer passwords by surf wear brand Billabong and Web giant Google having its Australia office’s building control system hacked into. Similarly it was revealed recently that the Reserve Bank of Australia wascompromised by a phishing attack, while the Commonwealth Bank of Australia recently stated, in the light of hacking attacks on Australia Security Intelligence Organization, that cyber security is among its top concerns.

The risks posed by hackers and phishing attacks haven’t gone away, they’ve just evolved.

the ever-changing nature of the cyber security threat

Cyber security attacks and the ways in which they affect people and organizations are always in a state of transformation. As one IT specialist finds a solution to a particular problem or type of attack, so the creative hackers out there come up with something new and improved.

So as the Cloud has played out its role as both a disruptor and an enabler in the technology world, so too new threats have emerged from it. The leading threat to both organizations and individuals is data breaches. Companies fear sensitive corporate data falling into the hands of competitors, private citizens fear their bank details and credit card information being misappropriated and abused. This is of course not a new threat in itself, but the Cloud enables new routes to the hack, virtual machines and poorly-designed multitenant databases both offering different access points.

In addition to data breaches and data loss, there are the ever-present threats of account hijacking and denial of service, both of which can now be attempted differently thanks to the Cloud. API keys – the coding that Cloud applications use to identify each other – are another tool in the hacker’s armory, allowing malicious parties to launch denial of service attacks or accumulate fees and charges on a victim’s account.

cyber security: a critical business issue

So while the threat is still similar in nature to previously, the avenues to getting in have increased. What this means is that it is time for companies to start thinking about security as a defined strategic issue.

Data security threats and attacks are major factors in successfully achieving regulatory compliance, whatever industry a company might be in. Non-compliance through having inadequate protection of corporate and customer data is a terrifying thought for any company director, so cyber security now really needs to sit at the top of any senior executive’s ‘to do’ list.

but end-users suffer too

At an individual level, the Cloud has helped to bring phishing into the mainstream of cyber security threats. Phishing was previously quite an insidious tactic, but today it has become incredibly brazen and up front, particularly in the mobile world. Because people now use their mobile devices by second nature, often inputting their password dozens of times a day, users are simply less vigilant.

It is estimated that mobile users look at their devices for one reason or another up to 150 times per day – this means entering that precious four-digit PIN code repeatedly – and how many end-users are really certain about what site they are distractedly tapping their password into?

changing threats mean changing strategy

To address this ever-changing security threat, a change of thinking is required. For many years companies and governments acknowledged the need for IT security, were both aware of and concerned about the threats involved, but were still very reactive. So this change in thinking means no longer considering IT security as ‘just’ an IT issue. The focus must change to making cyberspace a strategic asset which requires as much security as physical borders and buildings do.

The Australian government has recently taken the proactive step of investing in cyber security, identifying the threat as a strategic one which affects not just ‘the Web’, but the country’s entire economy, infrastructure and the nation’s future prosperity. It has been estimated that during 2012, 5 million Australians were affected by cyber security issues, at a cost to the country of around $1.6 billion. So it is to the government’s credit that even in an election year it has given the problem due consideration and taken the initiative, ploughing money into cyber security. That’s how significant an issue cyber security and the new threats available through the Cloud have become.

risk management is required at all three levels

The evolution of cyber security threats to the new environment means that the threat exists at three different levels

  • the personal
  • the organizational
  • and the nation state or community level.

At each of these levels the consequences can be dramatic and risk management is required at all three levels.

Original Publication

The rise and rise of the “as-a-service” (XaaS)

Posted on by
Reply

I recently blogged about Unified Communications as a Service (UCaaS) and how its cloud-based communications and collaboration tools can help companies be more productive. The “as-a-service” (XaaS) approach is really at the heart of so much business transformation at the moment and it is fair to say that it is becoming a strategy in its own right. It is creating a whole new paradigm for customers and service providers.

XaaS: what’s new?

In the past we typically used to ship or download physical products as we needed them, but the introduction of cloud computing as a heavyweight enabler has given rise to the XaaS model. The XaaS approach brings with it an ongoing relationship between customer and supplier, in which there is constant communication, regular status updates and a genuine two-way, real-time exchange of information.

Original Publication

This makes XaaS an attractive approach for customers, they really seem to be buying into it – the managed service nature of the relationship means they have to commit less money up front while enjoying less risk and still keeping up-to-date with the very latest technologies and product developments. Plus companies can also scale up or down, depending on their needs at a given moment in time – another important influencer on costs and another of those flexibility enhancers.

how mobile is helping power the XaaS revolution

So in the same way that the cloud itself has been a disruptive development for conventional IT’s ways of getting things done, so the as-a-service model is also changing the game. It is fair to say that the cloud is effectively the next step in the evolution of the internet, and the cloud is the conduit through which everything will in future be delivered as a service.

The XaaS model is changing everything in that it is both taking over applications and also taking over service delivery channels and basically cutting out the traditional middle man. With mobility becoming the new norm and the standard way of doing things, people can access the services and applications they want no matter where they are. Mobility, mobile device proliferation and the shift to faster mobile broadband connectivity are all helping to accelerate the process.

XaaS going mainstream

Software as a Service (SaaS) was arguably the first area in which the cloud delivery XaaS model found its way into the commercial mainstream, and the sector has gained significant momentum since then. Gartner predicts that the worldwide SaaS market will exceed $22 billion in 2015, almost double its value in 2011.

The benefits that SaaS brings to companies are true of all the other XaaS alternatives, such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Storage as a Service, Security as a Service, UCaaS and others. The big data revolution is seeing more organizations look into the possibilities offered by storage as a service – companies are creating more internal and external communications data, more video and so on, which means that storing data securely becomes an increasingly significant legal and compliance issue.

So by outsourcing these service provisions to a qualified expert partner, organizations immediately get lower “Total Cost of Ownership” (TCO) than with traditional, on-premises solutions. Deployment of services and applications is faster and easier which means that companies can reduce OPEX and get new offerings and services to market faster. The initial CAPEX is lower, IT support expenditure is reduced through the XaaS model and scalability is built-in to the proposition. Design obsolescence is also a thing of the past under an XaaS model. So it becomes another major disruptor for suppliers.

Overall people are switching on to the XaaS model because it takes the TCO and converts it from being a concern into something which is more controllable, and which has agreed service levels. Traditionally, IT initiatives were known for suffering from project overruns, where companies didn’t know what they would get at the end of a process which took longer than intended and which of course cost more. Those types of incidents were what cost CIOs their jobs. The XaaS approach removes this risk and while there can be a worry about having less control over the whole, companies have come round to seeing the benefits as outweighing this.

but the network remains key

So while the benefits and reduced risks of the XaaS model are clear, the network backbone is what powers the proposition forward. Cloud services all rely on a robust network to give the reliability that services need and that end-users expect, so as companies make the shift to the XaaS paradigm, they must always think about their networks too. If reliable, high speed connectivity is not available then the user experience declines and the proposition weakens.

innovation acceleration

Perhaps the real proof point of the XaaS model is that it genuinely accelerates innovation. No customer likes deploying something and then finding that a new version of the software, hardware or whatever has come along a few months later and they are already behind the curve. Under the XaaS approach, innovation can occur in real-time, customer feedback can be gathered and acted on immediately, organizations – and their own customer offerings – are able to stay at the cutting edge with minimal effort.

This is where XaaS distinguishes itself from the traditional thinkers who still believe that it’s better to build things themselves – the traditionalists will end up spending a lot more money to be locked into something that could pretty soon be out of date. Open integration environments that encourage application development are flourishing. And through this kind of innovation the smart providers of today are set to kill off the old paradigm by opensourcing this ongoing innovation and new ideas.

This new paradigm, now has a number of competing labels emerging. We will see with increasing frequency XaaS from our industry, no matter which label the industry adopts, the ‘Everything as a Service’ or ‘Anything as a Service’ label. One thing is guaranteed, we will continue to see the rise and rise of the “Everything-as-a-Service” /  “Anything-as-a-Service” (XaaS) model.

Unified Communications as a Service – the third way?

Posted on by
Reply

In my last blog post I wrote about how Technology can be used by ‘disruptors’ to change the competitive landscape and challenge long established segment leaders. In this piece I would like to explore a related technology that can be leveraged to disrupt the current landscape and one that I think is a reality now – Unified Communications as a Service (UCaaS).

UNIFIED COMMUNICATIONS YOU SAID?

The reason I call it a disruptor is that UCaaS is another specific application that is moving into the cloud and having a major impact on the way companies collaborate and communicate.

So what is UC? Unified Communications is an approach to business communication that groups together all the various tools under one umbrella and connects them up, making it easier for company team members to stay in touch. The UC suite typically includes all the communication apps you would expect to find in an average office, including the likes of

  1. voice calling
  2. video conferencing
  3. web conferencing
  4. and instant messenger (IM)

UC is about flexibility. Workers are able to be more productive and effective because they can choose the communication mechanism that works best for them at that time – such as taking a call on a landline, smartphone or tablet device. Bringing all of these ways of communicating together in an integrated format is what UC is all about.

challenges along the way

So UC can genuinely help organizations to see positive impacts on their productivity, worker effectiveness and even staff morale thanks to them being able to do their work more on their own terms. Many companies have attempted to raise productivity through UC and increased collaboration, and different organizations have had varying degrees of success with it.

There are challenges involved however – with the biggest expense being CAPEX, while integration and interoperability can also present problems. Companies must choose whether they want to roll UC out and manage the technology, training and risks themselves or whether they would rather outsource it – which may still require a significant investment upfront for the CAPEX which must be paid up front. It’s a balancing act, and one that causes many companies quite a degree of soul-searching.

“as a service” – the third way

There is a new paradigm that is a reality today and that is Unified Communications as a Service(UCaaS). The cloud continues to change the way that companies work, and it enables us to be more flexible in how we do things. In relation to UC, it means that companies can, rather than having that big initial CAPEX or big PBX, actually use a cloud-hosted service that gives all the benefits and control of an on-premise service. This is a potentially huge benefit for many companies.

Put simply, UCaaS makes Unified Communications and collaboration tools more affordable for all – vital at a time when companies need to reduce costs wherever possible. If you’re looking to manage costs then moving to an OPEX model is very attractive – and UCaaS also means smart outsourcing too. Working with an external partner means having a service level agreement (SLA) in place which covers you in unforeseen circumstances – when many companies have only one or two people responsible for their UC, who could be away on vacation or sick, this kind of safety net is a real advantage.

A further benefit of UCaaS is that it can offer event-based billing as well, meaning companies can offer support at times of greatly increased usage – such as delegates and staff collaborating around an annual conference, for example. The flexibility of UCaaS allows you to offer tools like video conferencing or Web conferencing which you might not otherwise need through the rest of the year.

Cloud – the enabler

One of the other advantages that the Cloud delivers is that of managing transitions of technology, again helping companies to reduce costs. By basing UC tools in the Cloud you don’t need to manage expensive upgrade cycles and you’re able to enjoy all the latest new features and versions as they become available.

What this also means is that companies can better manage the transitions of business models too – relocations, mergers, acquisitions and so on, any big changes to operational routines are more easily supported thanks to the agility of UCaaS. Take an example like mining companies which move operations around to where the next project demand is – starting up and shutting down projects is far easier in the Cloud.

Conclusion

These ideas have been around for quite a while now really, but only now are the service catalogues offering them come to market to make UCaaS a reality. The technology has caught up, meaning that companies can enjoy multi-tenanted Cloud offerings which allow more than one user on a box now. Similarly virtual machines can be had today with a compelling cost versus service proposition. It’s my belief that we are going to being seeing a big shift of people from on-premise UC suites to the cloud version, and adoption of the UC tools themselves is going to continue rising too.

At the end of the day, what UCaaS is about is

  • managing risk
  • cutting costs
  • and increasing collaboration.

By outsourcing your UC needs to a service provider who is an expert in that area you reduce CAPEX risks and the need for costly, long IT equipment recycle periods. You’re not putting all your UC eggs in one basket and get to enjoy the flexibility and agility that comes with the “as a Service” strategy.

Original Publication

How to secure an outsourced project

Posted on by
Reply

Despite our desire for simplicity, IT continues to become more complex. Decentralised applications or client-server models have become the norm. Smartphones and tablets are pushing mobile computing into a new era and changing user behaviour. Cloud has significantly altered the way we provide IT solutions and how we meet business needs with technical solutions.

Long gone are the days when a single person could master and manage an entire enterprise network. Today, many businesses lack the dedicated staff and financial resources to manage their ever expanding IT needs. Faced with this situation, a growing number of companies contract out part of their IT to external suppliers.

While many articles have explored the security issues linked with cloud services, there are still many people who fail to recognise the same arguments apply to other outsourcing services. In fact, the challenge of managing risks and security in a diverse IT environment remains the same; whether it’s cloud, outsourcing or managed services, the reality is you are handing control of your business’ devices or applications to someone else.

The security challenge

The challenge for many businesses is deciding the level of security controls and risks your company is willing to accept – you can choose a fully-dedicated environment where security levels are dictated by your organisation, or you can use a public environment in which you accept the default setup.

Today’s Chief Security Officer is assigned the task of managing security risks associated with these changes and must come up with appropriate solutions to alleviate them. For many businesses, the move to an outsourced model presents an opportunity to increase the level of network security. It could even be the trigger for a security upgrade.

 Establishing an outsourced project

Outsourcers will generally set technical, physical and organisational security controls that will be applied across all of the outsourcer’s services. This creates a baseline and spreads the cost of security across its client base. It is essential to understand your outsourcer’s baseline and request additional security if your project requires it.

Before entering into an outsourcing agreement, it is also important to consider legal matters. If the outsourcer is providing a “standard” service, it up to your company to ensure that your legal requirements are met – for example, regional data storage compliance and confidentiality legislation.

 Managing multiple outsourcers

Outsourcer management is often neglected despite the fact that many companies outsource different parts of a project to a range of suppliers. For example, one company might handle the telephony infrastructure, while another manages WAN. In this situation it is essential to ensure both outsourcers deliver the same level of security for their services. It is also crucial to establish clear communication between the various outsourcers and internal departments – especially during periods of disruption or change.

 Incident management

Incident management (both poor and effective) has significant legal, reputational and operational impacts. It is essential to establish a process that dictates when a security incident is detected by your outsourcers, it is adequately evaluated, and reported to you within a predetermined timeframe.

Before entering an outsourcing agreement, ensure that the outsourcer’s obligations are clearly stated and check to confirm the outsourcer doesn’t have any legal constraints that are incompatible with your business.

Conclusion

Whatever part of your IT or process is outsourced, it is essential to ensure all security aspects are fully considered and met, and each outsourcer delivers the same level of security for their services. Detailed consideration of these challenges will allow businesses to benefit from the cost and productivity gains offered by outsourcing, while maintaining strategic security plan of the business.

Today’s CSO must take a 360 degree view of the project in order to ensure requirements are met and managed efficiently, and incidents will be detected and dealt with correctly.

Original Publication

Six tips for mobile device management security

Posted on by
Reply

There has been a lot of discussion this year about the increasing influx of consumer devices being used for both professional and personal purposes. Many organisations are feeling a little overwhelmed as they try to work out appropriate security levels and device management boundaries. When you take into consideration all the platform and application updates chewing through corporate bandwidth, plus the potential for rogue applications and malware to gain illicit access to company data, there are many headaches for security managers to deal with.

Here are six tips to help get the efficient and secure management of mobile devices under control:

1. Have a strong mobile policy

This may seem like an obvious tip, but there is often a clear disconnect between employees and employers’ expectations of how consumer devices will be used in the enterprise. Research from IDC found that not only were workers using their devices at twice the rate, they also tended to think employers were far more permissive of the use of consumer devices than they actually were. It is therefore very important to have a mobile use policy clearly defined to avoid these kinds of misunderstandings.

A mobile usage policy is a framework that defines who the users are and what devices, platforms and applications they can and can’t use. Enterprises must clearly define policies around reimbursement for services and what applications users can access via personal devices, along with clear guidance on who controls the data on devices.

2. Create an inventory of assets

How can you be assured of the security of employees’ mobile devices if you don’t know how many are out there and what they are? Implementing a robust and regularly updated inventory management system is a vital part of any mobile device management system. While many businesses do have an inventory of fixed and wireless assets, the majority of them are not updated and validated on a regular basis, leading to the potential for security issues to slip through the cracks via unknown devices or inappropriate usage. Businesses with accurate inventories have much clearer insight into their telecommunication environments and as such, more reliable information on which to base policy decisions.

3. Ensure proper configuration of devices

The sheer number of different devices and platforms out there can make the configuration of devices a challenging process. Factor in entry level handsets, smartphones, tablets with different operating systems and employees working in numerous different locations and the issue becomes even more complex. However, if a device is enrolled with a mobile device management server, a configuration profile defined and managed by IT admin can be implemented, enabling the device to interact with enterprise systems. An appropriate level of encryption can also be added to any commands coming from the server to ensure that settings cannot be altered without proper authorisation.

4. Implement appropriate security

Despite the influx of consumer devices into the workplace, many organisations haven’t implemented stronger security controls in response, leaving them at risk of security breaches or loss of sensitive data. Data encryption is a powerful piece of the mobile security puzzle and yet many businesses do not use it on a regular basis. In addition to implementing data encryption, enterprises need to inform workers about the risks of failing to comply with security protocols – there is a good chance that they are unaware of the risks associated with using their personal devices for professional purposes.

5. Regulate application protocols

Taking into consideration that there are thousands upon thousands of mobile applications out there, strong protocols need to be instituted for the deployment of any new applications and the management of existing applications. Malware is steadily creeping into the app world, so even applications from the app store need to be checked before they are allowed into the enterprise. Such malicious applications can take over the mobile device and operate in the background without the user knowing, searching for sensitive information such as passwords or banking details.

6. Provide training and end-user support

A relatively small percentage of the overall functionality of the average mobile device is used on a regular basis. With devices becoming more and more sophisticated, users could end up massively under-utilising all the functions that are at their disposal. As a result, most enterprises would benefit from providing user training, including how to set up email, device customisation, application selection and usage, understanding browser capabilities, using instant messaging, and mobile data services and understanding device functions and shortcuts. Support and training can increase worker efficiency and also reduce security risks, as employees better understand how their devices work.

Managing employee mobility doesn’t need to be a nightmare. With the right systems put into place, employees and employers alike can reap the benefits of mobility.

Original Publication

The magic of mobility vs the safety of security

Posted on by
Reply

Mobility has become a key part of business operations in recent years. Smartphones and tablets have become an accepted part of everyday business as the workforce becomes more and more dispersed, with managers expecting their employees to remain connected and productive while they are away from the office.

However, rather than being issued a separate device, employees are increasingly using their personal devices for business purposes – opening a big can of worms around what is the appropriate level of security on a personal device used for work.

Next-generation opportunities

Basic applications such as email, calendaring and syncing contacts on smartphones or mobile access to CRM and ERP systems are just the beginning. Before long, companies will be deploying and utilising next-generation apps with consumer-like functionality – such as using GPS, the camera and social networks. For example, a marketing manager may snap a photo of a competitor’s billboard and tag it in a database for market research, or use social networks during a meeting to access information for reference or demonstration.

The real challenge for businesses is how to balance this revolution in technology and ways of working with the need to maintain organisational security. IT departments may want to disable camera functions on smartphones to protect data, or ensure that any data on an employee’s phone is encrypted, but users are unlikely to accept such major limitations on their personal devices.

Mobile Enterprise Challenge

In the past, most IT departments have tried to manage the increased complexity of mobile devices by limiting the number of platforms supported, such as only allowing a BlackBerry as a smartphone, or Windows laptops for computing. However, this approach is no longer particularly practical as the influx of consumer devices into the workplace continues to rise. Trying to force such a policy onto employees would likely result in poor adoption of the service.

So what is a business to do? All in all, the mobile enterprise needs the same support as offered to standard PCs. As mobile devices have become progressively more complex, they have the same issues as PCs, such as data security, data management and application support. Plus, with companies embracing more than just one mobile platform, the IT department will need to invest in tools that can manage devices powered by different operating systems. Typical mobile device issues that will need to be secured and managed include assets and settings, passwords, connectivity control and software deployments and updates.

Mobile strategies

Obviously, the biggest potential management headache for IT departments is security. Considering the average smartphone has 8GBs of memory, employees have enough potential to put a serious amount of corporate data at risk through a compromised device, or by losing it altogether.

Designing an appropriate security policy is crucial for mobile application deployment as it gives enterprises the platform and confidence to do so much more with their mobile strategy. There are three cornerstones of security that need to be covered when developing a mobile device strategy:

  • Confidentiality: ensure that data is not shown to the wrong people
  • Integrity: ensure that it is not possible to make unauthorised changes to either data or the system
  • Availability: ensure that the data is available at all times for authorised users.

Security tools also need to be able to support a range of activity such as patch management, keeping applications secure with no vulnerabilities, protecting against malicious code and blocking unauthorised device access to corporate resources. In addition, they also need to give the enterprise the ability to remotely lock or wipe devices and enforce the encryption of confidential data.

Taking the time to develop an appropriate mobility strategy is vital for enterprises. With the right protocols and security in place, employers and employees alike can reap the benefits of increased flexibility and efficiency.

Original Publication

Managing the mobile security paradigm

Posted on by
Reply

There have been profound changes in recent years in the way that people work. Mobility, virtualisation and globalisation have extensively altered how business is conducted. These changes mean that updated and upgraded security systems are needed to ensure data security.

There are new collaborative methods to help companies manage their information systems, solutions for virtualising information applications and cutting excessive investments are springing up and fresh hardware is delivering more mobility every day. But with these altered usage patterns come new threats and risks to security.

Professional and personal data confusion

Mobility is becoming an increasingly important aspect of business, and workers using devices such as smartphones or tablets to access the corporate network are quickly becoming ubiquitous.

However, there is a trend towards employees bringing their own device to work and using their personal smartphone or tablet for professional as well as personal purposes. This consumerisation of computing, with its permanent connection to the corporate network, increases the potential danger of data leaks if the device is lost or stolen. There is an increased risk of professional/personal data confusion, potentially resulting in legal penalties for the business and serious risk of virus and malware issues, as many personal devices are not properly protected.

Recent technologies such as cloud computing and social networking are helping to create these new usage patterns and ways of sharing information. These changes require a much higher level of transparency. Considering many organisations are increasingly subject to compliance regulations, it is vital to have strong and secure information systems in place. Companies need to identify and protect confidential information and show due care and diligence in protecting this information, not just for their own privacy but also for their customers.

Threats

Threats to companies are proliferating at an exponential rate. On average, there are 2,000 new threats every day adding to the estimated 45 million viruses already in circulation.

Attacks are more targeted and sophisticated than ever before, representing a substantial threat to businesses, government and sensitive infrastructures such as the military, utilities, hospitals and others. This makes having appropriate security defences in place for mobile devices paramount. With so many threats out there, the chance of a breach is just too high.

For internal protection against these clandestine threats, strong security infrastructure is required to protect organisational communication and information systems and ensure that everyday business is not disrupted. Different solutions to consider include firewalls, filters for incoming and outgoing web and mail data, IT infrastructure segregation for extranets, partner networks and strong intrusion detection systems that can identify unusual activities and suspicious behaviour and stop threats from infiltrating the corporate network.

External end-user protection is also crucial and may initially seem like a straightforward issue, but becomes increasingly complex when you factor in the multiple devices in use by many workers, in many locations. There are many security systems to consider, such as user authentication and authorisation, secure communications between users and corporate networks, security monitoring to provide transparency and validation of the compliance process and day-to-day security reports and monitoring.

A balance between protection and freedom

However, it is critical to maintain a balance between protection and freedom, as too much complexity within security systems can overburden the network, slowing down application response times and making it difficult for employees to access the network when needed.

Too many different solutions can also have the undesirable result of creating loopholes and system vulnerabilities, making it easier for cybercriminals to infiltrate the network and exploit confidential information.

Implementing appropriate security for the new working paradigm may seem like a formidable challenge. However, mobility does not have to be a risk for organisational security – with the right solutions in place, it can create new efficiencies and cost savings while allowing the workforce to work anytime, anywhere.

Original Publication

Embedded network security: defence at all levels

Posted on by
Reply

Perimeter controls are no longer enough

Confidential information is increasingly at risk in many organisations. Recent incidents have shown that perimeter controls are no longer enough—businesses need to seriously update their security strategies to reflect new threats and new working practices. With bring-your-own-device becoming the norm and employees becoming more mobile, company data is increasingly being taken out of the organisation on laptops, smartphones, tablets and more. Third parties are connecting to the corporate network on devices that the IT department has little, if no, control over, and branch offices are becoming the mainstay of multinational organisations.

The traditional perimeter around a business is no longer there, so companies must adapt to ensure their security, both internal and external, is up to scratch. Those businesses who do not modernise their security will inevitably be more at risk of a security breach that has the potential to seriously disrupt regular business activity.

The Nomadic Challenge

In the knowledge economy, rock-solid security is a must have. Intellectual property is at a financial premium, so it is essential to protect it from inadvertent loss and to keep it out of the reach of professional fraudsters. Information is becoming increasingly difficult to secure in companies that have many branch offices with limited IT resources and growing numbers of mobile workers.

The task of securing information has been made much more difficult by the workforce becoming increasingly nomadic. While this extends a company’s reach, it also extends their risk. Confidential information is frequently out in the field and away from the direct control of the IT department. With increased mobile working, it is not all that surprising that there has been a rise in laptop loss and theft, and yet, few companies encrypt the data stored on mobile devices.

The 3rd Party Challenge

It is not just mobile employees who can put a strain on an organisation’s security. An increasing number of organisations are inviting third parties into their corporate environments and providing them with company services, such as email, web portals and business applications. In security terms, third parties introduce an unknown quantity into the organisation—their devices may not be secured and could potentially introduce malware into the network, or they may not be properly identified and inadvertently given access to confidential information.

The Remote Site Challenge

It is at smaller sites where the risk is most pronounced. Many multinationals have moved away from having a handful of very large sites and offices to a decentralised infrastructure with many smaller offices, depots, sites or outlets. Centralised delivery of enterprise applications over the corporate WAN is empowering this change, however, this often means that there is very little IT resource needed at smaller sites. Although this centralised delivery is an efficient use of resources for application delivery, it leaves smaller locations exposed with little to know IT security onsite.

The Trusted Zone Challenge

Essentially, the corporate network cannot be relied on to be the “trusted zone” that it once was. Organisations need to become “de-perimeterised”. There is no point in having an enterprise perimeter if workers need to access corporate information when they are outside of it. To protect the de-perimeterised organisation, it is important to have security embedded throughout the business.

Enterprises need to have consistent and comprehensive security from the edge of the enterprise through the local area network to the end user. All assets and sites need to be protected as security is only as strong as the weakest link. Automatic preventative devices, which can automatically take action based on what the device has detected, should be embedded throughout the organisation at all layers. Security controls need to be embedded in the infrastructure layer, the transport layer and the application layer in order to ensure that the entire organisation is secure from threats.

For example, user authentication needs to be embedded within the application layer to control access to company resources. The level of accreditation needs to be automatically calculated based on the user’s personal security level and the device and network from which he or she wishes to access the resource.

Embedded network security Opportunity

The de-perimeterisation of an organisation means that security breaches don’t just happen outside a nominal boundary that is protected by a firewall, they can happen just as easily inside. For this reason it is essential to also embed security in the transport layer so that all communications within the business are protected from security breaches.

For too many businesses, security is still seen as merely an expense, when in fact good security offers many business advantages. Security must be seen as an essential element to growing the business, as it not only protects users, but it also enhances productivity by making sure the right people access the right resources at the right time. Embedded network security can ensure that an organisation is secured from top to bottom, providing invaluable peace of mind.

Original Publication

Steps to mastering identity and access management

Posted on by
Reply

As the workforce becomes increasingly mobile and dispersed, identity and access management becomes more important in ensuring organisational security. While managing user identities and controlling access are separate tasks, they are closely related. Identity and access management (IAM) needs to be a key part of business security strategy, particularly as organisations grow and IT architectures become more complex. Here are five things to consider when planning your IAM strategy.

1. Identity data infrastructure

It is not possible to manage user identities without having an appropriate data infrastructure in place to store user information. This generally involves the use of directory and metadirectory systems, usually based on lightweight directory access protocol (LDAP), industry standard for accessing directory data.

Decision makers should consider federated identity as part of the underlying data structure. This allows systems to automatically grant access to users of other systems. Federated identity systems assign permissions to each other, creating a secure web of trusted applications. However, enterprises need to tread carefully when designing these systems—complexity can create more headaches than necessary and increase management overhead, while also limiting the flexibility to change application specifications or relationships.

While federated identity can be used to integrate disparate systems together (including those inside a single organisation), it is also necessary to assign the appropriate level of expertise to the design and maintenance of such a solution.

2. Define roles and entitlements

Two important, but still nascent, techniques that have a significant effect on access control are entitlement management and role-based access control. Systems that carry out these functions allow administrators to define multiple roles in an organisation, along with a granular set of entitlements to allow system access. When combined, they allow for very tight control of user access. For example, someone in a junior accounting role could access a particular database, but only until 6pm.

Defining and maintaining these roles and entitlements requires significant input from business management, which can potentially lead to complications if organisational requirements change. Business management needs to carefully monitor entitlements and roles in order to ensure operational security.

3. Automate the provisioning process

Identity management helps improve company-wide productivity and security, while also lowering the cost of managing users and their identities, attributes and credentials. This requires automation, but it also contains hidden challenges, as just setting up a user name and a password is often simply not enough. Instead, multiple steps must be included in the provisioning process. For example, users might be assigned a sales region, enrolled into a different number of organisational teams or given a list of company resources to which they have access.

4. Simplify access control

Controlling access to systems is a separate but related task to managing identity. The user can only be authenticated if their identity is in the system, but the task of authentication poses another challenge. Users must be able to access the system relatively easily to avoid illicit circumvention of security settings, and yet their credentials must be secure enough to stop attackers simply waltzing through the gate. Enterprise sign-on systems can provide users with access to multiple enterprise applications using just one set of credentials. For added security, hardware-based tokens can also be issued as part of a two-step authentication process.

5. Audit

Any identity and access management system is not complete without a robust reporting capability to meet the needs of auditors facing compliance regulations. Organisations should be able to provide audit trails showing which users had access to what resources, and what was done with those resources. With increasing levels of compliance required from organisations, it is wise to ensure that evidence can be provided when needed.

Summary

Any comprehensive IAM effort is complex, but cloud-based services can help to reduce deployment times. A competent and experienced IT operator can not only host the infrastructure necessary for managing both identity and access control, but can also provide consulting services to help integrate it effectively into a customer’s existing IT architecture. When the time and due consideration is taken, IAM can prove to be a valuable asset to any organisation.

Original Publication