Mobility and the mobile workspace: the new demands on the CIO

Technology, as we knew it, is no longer relevant. Every day we are bowled over with a new app, toy or technique. We are moving to a world of smart technology at a pace that is almost impossible to keep up with.

The era of “smart technology” spans smartphones, 3D printers and beyond. A recent survey by Forrester Research anticipates that shipments of wearable computing devices will reach almost 30 million units this year. This realm is undefined and endless, covering anything from items tracking physical activity, to Bluetooth-connected watches and the much anticipated Google Glass. 3D printers, currently the preserve of the art world, are expected to cost less than some PCs by 2016, at under US$2,000. The possibilities are endless.

And now, with tablets expected to outsell laptops this year, mobility is becoming less a preference or request and more a demand of employees.

The role that consumerism and trend technology play in driving business structures and styles can no longer be ignored. Gartner expects that 80 percent of organisations will support a workforce using tablets by the end of 2013. This expectation will have a flow-on effect, whether organisations are supplying the tablets or supplying the application and platform for a personal device to be used in a corporate manner.

Regardless of the process, the outcome is the same. Business is changing, and it is becoming increasingly difficult to keep up. The majority of organisations across the world are not ready to house these technologies. The time has come for a new approach.

The context surrounding this change is also moving at what appears to be the speed of light. Faster broadband availability and the increasing availability of 4G networks will help enhance the way employees use mobile devices, and give further incentive to those considering investing in one.

From the perspective of the CIO, these new networks could redefine business practice and process, offering potentially game changing opportunities.

Working in parallel to these advances is the announcement of new privacy legislation. This heralds big changes on the horizon, changes that the CIO needs to understand and incorporate.

To throw a spanner in the works, let’s consider all of these advances in the context of the cloud.

Couple this with Gartner’s expectation that by 2014, 90 per cent of organisations will support corporate applications on personal devices, and you have a problem.

Data is now a defining factor. If the majority of employees start using devices like tablets to access both corporate applications and personal data, data security has the potential to spiral out of control. So pertinent questions are begging to be answered:

How safe is the cloud?
What is actually stored in the cloud?
How is it stored?

The list goes on. The combination of growth in mobility and continued dominance of, and reliance on, the cloud means CIOs must start considering their organisational structure and whether it can cater to this changing environment.

There is no time like the present to consider how to manage risk in the mobile cloud space – what privacy safeguards and sound parameters are in place, and what needs to change.

1. Define your organisational policies in relation to Bring Your Own Device (BYOD)

BYOD is a phenomenon occurring in every organisation regardless of size and structure. You must assess whether or not BYOD is having a negative effect on your organisation's operations: is your bandwidth being consumed? Is it introducing significant security risks to your network?

Your organisation may decide to ban BYOD and supply devices, or alternatively to create a more structured and regimented use of BYOD through the use of dedicated access points and tracking usage and activity.

Assessing current usage patterns and doing a cost analysis is a good step towards understanding employee and business requirements alike.

2. Assess network based security policies

This is especially relevant for companies who encourage the use of BYOD and don’t offer other devices. Setting these policies up can be difficult and time consuming, but it is an effective way of regulating user behaviour and enforcing some hard limits.

Often the issue with BYOD is that no limits are defined, so building from the bottom up will allow you to understand current usage and expectations, and to develop a framework that channels these to the organisation’s security benefit.

3. Manage risk across multiple device platforms

Mobility trends encompass smart phones, tablets, PCs, laptops and the next generation of wearable computing devices, including items like the Jawbone UP system. This then becomes a multi-platform environment.

When your employees are reading emails on a smart phone, updating documents on a tablet, and downloading information on a laptop, there is inherent risk. For CIOs, managing risk becomes so much more difficult because each platform is different, and so each platform needs a tailored policy. Investigating and investing in a security policy that addresses all known device platforms will dramatically reduce risk and secure organisational information.

4. Controlling data on the cloud – centrally managing user accounts

Because the cloud is now an essential storage location, you need to understand how to control the data you are storing there. When you have multiple users in multiple locations moving in and out of your cloud, there is an increased likelihood that something could go wrong. You need to control the way your users can use the cloud, and what they can access. Your cloud service provider should allow you to manage user accounts centrally, create shared folders to enhance collaboration, restrict access based on role or managerial level, and offer other tailored controls to ensure a secure space when dealing with a mobile workforce.

5. Develop a policy plan and take control

The development of a security policy should be organic. After running through steps one through four – define, assess, manage and control – you should already understand what you need in your organisation’s policy.

Your policy should aim to minimise rogue cloud usage by employees, ultimately reducing the likelihood of unfriendly events such as data leakage, malware outbreaks or theft by attackers. To be sure nothing slips through the cracks, develop a list of your top ten concerns, and then make sure these are addressed in your policy.

Some questions you might like to consider include: do we have an existing policy we need to adapt? Where is our data going to be stored? Does the service provider claim any ownership of our data? What is the financial credibility of the provider? If things go wrong, what is our exit strategy?

Cyber security threats through the Cloud

As with most of technology, security goes through periodic changes, cycles and generations. Hardware, software, applications and methodologies all arrive, become commoditised and standardized to the point of being invisible, and then come back in a new evolved form. New platforms and new devices create new opportunities but are also subject to new evolved threats – something that remains true of security.

Cloud Computing: a brand new landscape for threats

IT security threats evolve and adapt to the new IT environment. As corporate and personal IT usage habits have changed, so too have the types of security threats present in the world. New IT practices like Cloud Computing give end-users great benefits in terms of mobility, flexibility and productivity, but they also give malicious third parties new routes to breaching security and increase risks. So while the Cloud has given users a whole new world of mobile computing, it has also created a whole new landscape for hackers and viruses to attack from.

The rise and rise of mobile usage and the Cloud have seen third party attackers change their approaches. Cloud services, social media websites and Android devices have all become new targets, while traditional attacks on user data and website denial-of-service attacks remain popular.

Recent malicious examples in Australasia have included the damaging loss of over 20,000 customer passwords by surf wear brand Billabong, and web giant Google having its Australian office’s building control system hacked. Similarly, it was revealed recently that the Reserve Bank of Australia was compromised by a phishing attack, while the Commonwealth Bank of Australia recently stated, in the light of hacking attacks on the Australian Security Intelligence Organisation, that cyber security is among its top concerns.

The risks posed by hackers and phishing attacks haven’t gone away, they’ve just evolved.

the ever-changing nature of the cyber security threat

Cyber security attacks and the ways in which they affect people and organizations are always in a state of transformation. As one IT specialist finds a solution to a particular problem or type of attack, so the creative hackers out there come up with something new and improved.

So as the Cloud has played out its role as both a disruptor and an enabler in the technology world, new threats have emerged from it. The leading threat to both organizations and individuals is data breaches. Companies fear sensitive corporate data falling into the hands of competitors; private citizens fear their bank details and credit card information being misappropriated and abused. This is of course not a new threat in itself, but the Cloud enables new routes to the same data: shared virtual machine infrastructure and poorly designed multitenant databases each offer a different access point.

In addition to data breaches and data loss, there are the ever-present threats of account hijacking and denial of service, both of which can now be attempted differently thanks to the Cloud. API keys – the credentials that Cloud applications use to authenticate to each other – are another tool in the hacker’s armoury: a malicious party who obtains one can launch denial of service attacks or accumulate fees and charges on the victim’s account.
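An API key only becomes the attacker’s tool once it is exposed, most often by being committed to a configuration file or written to a log. The following is an added example for this page, not code from the original article: a small scanner that runs over configuration text and reports values that look like live cloud API keys. The AWS access key ID format (AKIA followed by 16 upper-case alphanumerics) is a public format; the generic assignment pattern, the entropy threshold and the sample configuration lines are this example’s own assumptions and constructed data, and none of the values are real credentials.

```python
"""Scan configuration or log text for credentials that look like cloud API keys.

Added example for this page; not code from the original article. The
AWS access key ID format (AKIA + 16 upper-case alphanumerics) is public;
the generic pattern, the entropy threshold and SAMPLE_CONFIG below are
this example's own assumptions and constructed data.
"""
import math
import re
from dataclasses import dataclass

# Assumed detection patterns. Group 1 captures the candidate credential.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # Any 'key/secret/token = <long token>' assignment; matched tokens are
    # then filtered by entropy so that placeholders are not reported.
    "generic_secret_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]?([A-Za-z0-9+/_\-]{20,})"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumption for this example


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking tokens score high."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    line_no: int
    kind: str
    value: str
    entropy: float


def scan_lines(lines):
    """Return a Finding for each line that appears to contain a live credential."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1)
                entropy = shannon_entropy(value)
                # Provider-formatted IDs are structured, so they are reported
                # regardless of entropy; generic matches must also look random.
                if kind == "aws_access_key_id" or entropy >= ENTROPY_THRESHOLD:
                    findings.append(Finding(line_no, kind, value, round(entropy, 2)))
    return findings


# Constructed sample input: none of these values are real credentials.
SAMPLE_CONFIG = [
    "# constructed sample deployment config",
    "region = ap-southeast-2",
    'api_key = "changeme_changeme_changeme"',  # placeholder: low entropy, not reported
    "AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000ABCDE",  # provider-formatted key ID: reported
    'SERVICE_TOKEN="K7mQ2xT9pL4wR8nZ3vB6cY1hD5sJ0gFa"',  # high-entropy token: reported
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.kind} (entropy {f.entropy}) -> {f.value}")
```

The entropy filter is what keeps a scanner like this usable: a provider-formatted key ID is reported on structure alone, while a generic `api_key = ...` assignment is only reported when the value looks random rather than like a placeholder. A key found this way should be treated as compromised and rotated, not simply deleted from the file.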

cyber security: a critical business issue

So while the threat is still similar in nature to before, the avenues for getting in have multiplied. This means it is time for companies to start treating security as a defined strategic issue.

Protection against data security threats and attacks is a major factor in successfully achieving regulatory compliance, whatever industry a company might be in. Non-compliance through inadequate protection of corporate and customer data is a terrifying thought for any company director, so cyber security now really needs to sit at the top of any senior executive’s ‘to do’ list.

but end-users suffer too

At an individual level, the Cloud has helped to bring phishing into the mainstream of cyber security threats. Phishing was previously quite an insidious tactic, but today it has become incredibly brazen and up front, particularly in the mobile world. Because people now use their mobile devices as second nature, often inputting their password dozens of times a day, users are simply less vigilant.

It is estimated that mobile users look at their devices for one reason or another up to 150 times per day – this means entering that precious four-digit PIN code repeatedly – and how many end-users are really certain about what site they are distractedly tapping their password into?

changing threats mean changing strategy

To address this ever-changing security threat, a change of thinking is required. For many years companies and governments acknowledged the need for IT security, were both aware of and concerned about the threats involved, but were still very reactive. So this change in thinking means no longer considering IT security as ‘just’ an IT issue. The focus must change to making cyberspace a strategic asset which requires as much security as physical borders and buildings do.

The Australian government has recently taken the proactive step of investing in cyber security, identifying the threat as a strategic one which affects not just ‘the Web’, but the country’s entire economy, infrastructure and the nation’s future prosperity. It has been estimated that during 2012, 5 million Australians were affected by cyber security issues, at a cost to the country of around $1.6 billion. So it is to the government’s credit that even in an election year it has given the problem due consideration and taken the initiative, ploughing money into cyber security. That’s how significant an issue cyber security and the new threats available through the Cloud have become.

risk management is required at all three levels

The evolution of cyber security threats to the new environment means that the threat exists at three different levels:

  • the personal
  • the organizational
  • and the nation state or community level.

At each of these levels the consequences can be dramatic and risk management is required at all three levels.

Cloud is growing up and challenging IT and business assumptions

With the increasing implementation of cloud infrastructure-as-a-service, companies are taking advantage of new benefits, such as increased flexibility, availability and security.

In Australia, businesses have different levels of maturity in terms of cloud consumption. Some customers look for simple, immediate cost savings, whereas more mature customers value the flexibility and operational expenditure (OPEX) characteristics of cloud services which can result in more than just pure cost savings.

Fear of the cloud: data control, regulations and lack of standards

The real business benefits offered by cloud continue to be overlooked by less mature customers. Fear of the unknown continues to be the critical factor in resisting adoption, or in failing to recognise its necessity. At the top of the list of these fears are:

  1. losing IT regulation
  2. supplier lock-in
  3. data control
  4. cost of migration

Organisations’ lack of knowledge of the tools available and the absence of agreed standards for control remain the two key points that must be addressed to ensure mainstream enterprise adoption. Such standards would also answer questions about interoperability. Currently, the lack of comprehensive interface standards means that interoperability between cloud platforms built by different providers presents one of the greatest barriers to entry into cloud computing.

Despite fears, cloud grows fast

More and more, enterprises are focusing on the benefits of attractive OPEX models that deliver new business flexibility. They are overcoming the traditional barriers of security and compliance, as illustrated by steadily increasing adoption rates. A recent Frost & Sullivan ICT Outlook Briefing reported that the Asia Pacific cloud market is set to increase by more than 35 per cent in the 2011-16 period, with Australia leading the region with a current 43 per cent adoption rate.

The more mature customers go beyond just running productive workloads in the cloud. They incorporate metrics which report on business results, not just cost or technical metrics such as computing power or bandwidth.

A standard cloud uptake model

There is a standard cloud uptake model we see happening in Australia.

  1. in the early stages of adoption, less mature customers use public cloud in an ad hoc fashion alongside widespread virtualisation
  2. as businesses begin to realise the potential benefits, key processes are shifted to the cloud as the IT environment becomes more complex
  3. as businesses harness the potential for innovation and greater agility, whole industries have the ability and opportunity to be transformed

Why is it here to stay?

In the coming years, cloud will become a strategic business issue. Already we see IT becoming embedded in the business process. The phenomenon of BYOD has become entrenched, and IT departments are being forced to grapple with BYOA (bring your own application). IT buying behaviours will become more complex as decision making spreads beyond the IT department. In fact, IT departments can improve how they communicate their internal value by using business-centric metrics, instead of technical metrics, to measure the total cost of ownership of cloud computing consumption.

Forrester Consulting has conducted research into the metrics used to evaluate the ROI of cloud services. The research found only the most mature cloud users tie specific projects to business results, and that overwhelmingly there was an immature relationship between IT and the business.

CIO: a changing role

The role of CIOs and IT workers has already shifted from monitoring technology performance to ensuring employees and the wider business network have full access to required services.

Purchasing decisions are no longer strictly based on price and investment, but instead multifaceted consideration of current business demands, developing organisational needs and future flexibility. Big data and the evolving ability to assess business results and deliver specialist reporting is only just being harnessed by the more mature cloud customers, but offers a plethora of insight into business trends and opportunities if harnessed correctly.

Happy ending?

The recognised increase in overall business agility delivered by cloud computing is ensuring mainstream adoption. The smorgasbord that cloud is so well known for, particularly when referring to Infrastructure-as-a-Service, gives IT departments, and particularly CIOs, the opportunity to carefully tailor and manage services across the organisation’s preferred domain.

This transition to coordinating IT environments gives CIOs and other IT staff the ability to improvise and implement business services on demand, controlling and taking advantage of the cloud phenomenon. With Australia leading the Asia Pacific transition to cloud services, CIOs are now in the perfect position to investigate and optimise business services, ensuring that the constantly changing workplace is reflected in flexible and adaptable IT infrastructure.

How to secure an outsourced project

Despite our desire for simplicity, IT continues to become more complex. Decentralised applications or client-server models have become the norm. Smartphones and tablets are pushing mobile computing into a new era and changing user behaviour. Cloud has significantly altered the way we provide IT solutions and how we meet business needs with technical solutions.

Long gone are the days when a single person could master and manage an entire enterprise network. Today, many businesses lack the dedicated staff and financial resources to manage their ever expanding IT needs. Faced with this situation, a growing number of companies contract out part of their IT to external suppliers.

While many articles have explored the security issues linked with cloud services, there are still many people who fail to recognise the same arguments apply to other outsourcing services. In fact, the challenge of managing risks and security in a diverse IT environment remains the same; whether it’s cloud, outsourcing or managed services, the reality is you are handing control of your business’ devices or applications to someone else.

The security challenge

The challenge for many businesses is deciding the level of security controls and risks your company is willing to accept – you can choose a fully-dedicated environment where security levels are dictated by your organisation, or you can use a public environment in which you accept the default setup.

Today’s Chief Security Officer is assigned the task of managing security risks associated with these changes and must come up with appropriate solutions to alleviate them. For many businesses, the move to an outsourced model presents an opportunity to increase the level of network security. It could even be the trigger for a security upgrade.

Establishing an outsourced project

Outsourcers will generally set technical, physical and organisational security controls that will be applied across all of the outsourcer’s services. This creates a baseline and spreads the cost of security across its client base. It is essential to understand your outsourcer’s baseline and request additional security if your project requires it.

Before entering into an outsourcing agreement, it is also important to consider legal matters. If the outsourcer is providing a “standard” service, it is up to your company to ensure that your legal requirements are met – for example, regional data storage compliance and confidentiality legislation.

Managing multiple outsourcers

Outsourcer management is often neglected despite the fact that many companies outsource different parts of a project to a range of suppliers. For example, one company might handle the telephony infrastructure, while another manages the WAN. In this situation it is essential to ensure both outsourcers deliver the same level of security for their services. It is also crucial to establish clear communication between the various outsourcers and internal departments – especially during periods of disruption or change.

Incident management

Incident management (both poor and effective) has significant legal, reputational and operational impacts. It is essential to establish a process which dictates that when a security incident is detected by your outsourcers, it is adequately evaluated and reported to you within a predetermined timeframe.

Before entering an outsourcing agreement, ensure that the outsourcer’s obligations are clearly stated and check to confirm the outsourcer doesn’t have any legal constraints that are incompatible with your business.

Conclusion

Whatever part of your IT or process is outsourced, it is essential to ensure all security aspects are fully considered and met, and that each outsourcer delivers the same level of security for their services. Detailed consideration of these challenges will allow businesses to benefit from the cost and productivity gains offered by outsourcing, while maintaining the strategic security plan of the business.

Today’s CSO must take a 360 degree view of the project in order to ensure requirements are met and managed efficiently, and incidents will be detected and dealt with correctly.

Six tips for mobile device management security

There has been a lot of discussion this year about the increasing influx of consumer devices being used for both professional and personal purposes. Many organisations are feeling a little overwhelmed as they try to work out appropriate security levels and device management boundaries. When you take into consideration all the platform and application updates chewing through corporate bandwidth, plus the potential for rogue applications and malware to gain illicit access to company data, there are many headaches for security managers to deal with.

Here are six tips to help get the efficient and secure management of mobile devices under control:

1. Have a strong mobile policy

This may seem like an obvious tip, but there is often a clear disconnect between employees’ and employers’ expectations of how consumer devices will be used in the enterprise. Research from IDC found that not only were workers using their devices at twice the rate, they also tended to think employers were far more permissive of the use of consumer devices than they actually were. It is therefore very important to have a mobile use policy clearly defined to avoid these kinds of misunderstandings.

A mobile usage policy is a framework that defines who the users are and what devices, platforms and applications they can and can’t use. Enterprises must clearly define policies around reimbursement for services and what applications users can access via personal devices, along with clear guidance on who controls the data on devices.

2. Create an inventory of assets

How can you be assured of the security of employees’ mobile devices if you don’t know how many are out there and what they are? Implementing a robust and regularly updated inventory management system is a vital part of any mobile device management system. While many businesses do have an inventory of fixed and wireless assets, the majority of them are not updated and validated on a regular basis, leading to the potential for security issues to slip through the cracks via unknown devices or inappropriate usage. Businesses with accurate inventories have much clearer insight into their telecommunication environments and as such, more reliable information on which to base policy decisions.

3. Ensure proper configuration of devices

The sheer number of different devices and platforms out there can make the configuration of devices a challenging process. Factor in entry-level handsets, smartphones and tablets with different operating systems, and employees working in numerous locations, and the issue becomes even more complex. However, if a device is enrolled with a mobile device management server, a configuration profile defined and managed by IT administrators can be pushed to it, enabling the device to interact with enterprise systems. Commands coming from the server should be both encrypted in transit and authenticated (for example, signed by the server), so that the device applies only settings that genuinely originate from IT and nobody can alter them without proper authorisation; encryption alone hides a command but does not stop it being forged or replayed.
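The following added example (not the article’s code and not any real MDM product’s protocol) shows the device-side check that the integrity requirement above actually needs: each command from the server carries an HMAC-SHA256 tag, a timestamp and a nonce, and the device applies a setting only if the tag verifies, the command is fresh and its nonce has not been seen before. The command format, the per-device shared key and the five-minute replay window are assumptions for illustration.

```python
"""Authenticate configuration commands sent from an MDM server to a device.

Added example for this page: not the article's code and not any real MDM
product's protocol. The command format, the per-device shared key and the
replay window are assumptions for illustration; a real enrolment would
normally use certificates issued at enrolment rather than a bare shared key.
"""
import hashlib
import hmac
import json

DEVICE_KEY = b"constructed-per-device-key-issued-at-enrolment"  # assumption
REPLAY_WINDOW_SECONDS = 300  # assumption: how old a command may be


def canonical(body: dict) -> bytes:
    """Deterministic serialisation so server and device MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_command(command: dict, key: bytes, issued_at: int, nonce: str) -> dict:
    """Server side: stamp the command and attach an HMAC-SHA256 tag over it."""
    body = dict(command, issued_at=issued_at, nonce=nonce)
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return dict(body, tag=tag)


class Device:
    """Device side: verify the tag, reject stale or replayed commands, then apply."""

    def __init__(self, key: bytes):
        self.key = key
        self.settings = {}
        self.seen_nonces = set()

    def apply(self, signed: dict, now: int) -> str:
        body = {k: v for k, v in signed.items() if k != "tag"}
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison so the tag cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, str(signed.get("tag", ""))):
            return "rejected: bad signature"
        # A valid signature alone does not stop an attacker re-sending an
        # old command, so freshness and single use are checked as well.
        if abs(now - body.get("issued_at", 0)) > REPLAY_WINDOW_SECONDS:
            return "rejected: stale"
        if body.get("nonce") in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(body.get("nonce"))
        self.settings.update(body.get("settings", {}))
        return "applied"


def demo():
    """Walk one device through a genuine, replayed, tampered and stale command."""
    device = Device(DEVICE_KEY)
    now = 1_700_000_000  # constructed clock value
    command = {"type": "set_config",
               "settings": {"passcode_min_length": 6, "camera_allowed": False}}

    genuine = sign_command(command, DEVICE_KEY, issued_at=now, nonce="n-1")
    results = [device.apply(genuine, now)]

    # Same bytes delivered again a few seconds later.
    results.append(device.apply(genuine, now + 10))

    # Attacker flips a setting in transit; the tag no longer matches.
    tampered = dict(genuine)
    tampered["settings"] = dict(genuine["settings"], camera_allowed=True)
    results.append(device.apply(tampered, now))

    # Correctly signed, but issued an hour ago.
    stale = sign_command(command, DEVICE_KEY, issued_at=now - 3600, nonce="n-2")
    results.append(device.apply(stale, now))
    return results, device.settings


if __name__ == "__main__":
    outcomes, final_settings = demo()
    for outcome in outcomes:
        print(outcome)
    print(final_settings)
```

The order of checks matters: the tag is verified first so that an attacker cannot learn anything about the freshness or nonce logic with forged input, and the nonce is only recorded after a command has been accepted so that rejected commands cannot be used to burn legitimate nonces.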

4. Implement appropriate security

Despite the influx of consumer devices into the workplace, many organisations haven’t implemented stronger security controls in response, leaving them at risk of security breaches or loss of sensitive data. Data encryption is a powerful piece of the mobile security puzzle and yet many businesses do not use it on a regular basis. In addition to implementing data encryption, enterprises need to inform workers about the risks of failing to comply with security protocols – there is a good chance that they are unaware of the risks associated with using their personal devices for professional purposes.

5. Regulate application protocols

Taking into consideration that there are thousands upon thousands of mobile applications out there, strong protocols need to be instituted for the deployment of any new applications and the management of existing applications. Malware is steadily creeping into the app world, so even applications from the app store need to be checked before they are allowed into the enterprise. Such malicious applications can take over the mobile device and operate in the background without the user knowing, searching for sensitive information such as passwords or banking details.

6. Provide training and end-user support

A relatively small percentage of the overall functionality of the average mobile device is used on a regular basis. With devices becoming more and more sophisticated, users could end up massively under-utilising all the functions that are at their disposal. As a result, most enterprises would benefit from providing user training, including how to set up email, device customisation, application selection and usage, understanding browser capabilities, using instant messaging, and mobile data services and understanding device functions and shortcuts. Support and training can increase worker efficiency and also reduce security risks, as employees better understand how their devices work.

Managing employee mobility doesn’t need to be a nightmare. With the right systems put into place, employees and employers alike can reap the benefits of mobility.

The magic of mobility vs the safety of security

Mobility has become a key part of business operations in recent years. Smartphones and tablets have become an accepted part of everyday business as the workforce becomes more and more dispersed, with managers expecting their employees to remain connected and productive while they are away from the office.

However, rather than being issued a separate device, employees are increasingly using their personal devices for business purposes – opening a big can of worms around what is the appropriate level of security on a personal device used for work.

Next-generation opportunities

Basic applications such as email, calendaring and syncing contacts on smartphones or mobile access to CRM and ERP systems are just the beginning. Before long, companies will be deploying and utilising next-generation apps with consumer-like functionality – such as using GPS, the camera and social networks. For example, a marketing manager may snap a photo of a competitor’s billboard and tag it in a database for market research, or use social networks during a meeting to access information for reference or demonstration.

The real challenge for businesses is how to balance this revolution in technology and ways of working with the need to maintain organisational security. IT departments may want to disable camera functions on smartphones to protect data, or ensure that any data on an employee’s phone is encrypted, but users are unlikely to accept such major limitations on their personal devices.

Mobile Enterprise Challenge

In the past, most IT departments have tried to manage the increased complexity of mobile devices by limiting the number of platforms supported, such as only allowing a BlackBerry as a smartphone, or Windows laptops for computing. However, this approach is no longer particularly practical as the influx of consumer devices into the workplace continues to rise. Trying to force such a policy onto employees would likely result in poor adoption of the service.

So what is a business to do? All in all, the mobile enterprise needs the same support as offered to standard PCs. As mobile devices have become progressively more complex, they have the same issues as PCs, such as data security, data management and application support. Plus, with companies embracing more than just one mobile platform, the IT department will need to invest in tools that can manage devices powered by different operating systems. Typical mobile device issues that will need to be secured and managed include assets and settings, passwords, connectivity control and software deployments and updates.

Mobile strategies

Obviously, the biggest potential management headache for IT departments is security. Considering the average smartphone has 8GB of storage, employees have enough capacity to put a serious amount of corporate data at risk through a compromised device, or by losing it altogether.

Designing an appropriate security policy is crucial for mobile application deployment as it gives enterprises the platform and confidence to do so much more with their mobile strategy. There are three cornerstones of security that need to be covered when developing a mobile device strategy:

  • Confidentiality: ensure that data is not shown to the wrong people
  • Integrity: ensure that it is not possible to make unauthorised changes to either data or the system
  • Availability: ensure that the data is available at all times for authorised users.

Security tools also need to be able to support a range of activity such as patch management, keeping applications up to date against known vulnerabilities, protecting against malicious code and blocking unauthorised device access to corporate resources. In addition, they need to give the enterprise the ability to remotely lock or wipe devices and enforce the encryption of confidential data.

Taking the time to develop an appropriate mobility strategy is vital for enterprises. With the right protocols and security in place, employers and employees alike can reap the benefits of increased flexibility and efficiency.

Embedded network security: defence at all levels

Perimeter controls are no longer enough

Confidential information is increasingly at risk in many organisations. Recent incidents have shown that perimeter controls are no longer enough—businesses need to seriously update their security strategies to reflect new threats and new working practices. With bring-your-own-device becoming the norm and employees becoming more mobile, company data is increasingly being taken out of the organisation on laptops, smartphones, tablets and more. Third parties are connecting to the corporate network on devices that the IT department has little, if any, control over, and branch offices are becoming the mainstay of multinational organisations.

The traditional perimeter around a business is no longer there, so companies must adapt to ensure their security, both internal and external, is up to scratch. Businesses that do not modernise their security will inevitably be more at risk of a security breach that has the potential to seriously disrupt regular business activity.

The Nomadic Challenge

In the knowledge economy, rock-solid security is a must have. Intellectual property is at a financial premium, so it is essential to protect it from inadvertent loss and to keep it out of the reach of professional fraudsters. Information is becoming increasingly difficult to secure in companies that have many branch offices with limited IT resources and growing numbers of mobile workers.

The task of securing information has been made much more difficult by the workforce becoming increasingly nomadic. While this extends a company’s reach, it also extends its risk. Confidential information is frequently out in the field and away from the direct control of the IT department. With increased mobile working, it is not all that surprising that there has been a rise in laptop loss and theft, and yet few companies encrypt the data stored on mobile devices.

The Third-Party Challenge

It is not just mobile employees who can put a strain on an organisation’s security. An increasing number of organisations are inviting third parties into their corporate environments and providing them with company services, such as email, web portals and business applications. In security terms, third parties introduce an unknown quantity into the organisation—their devices may not be secured and could potentially introduce malware into the network, or they may not be properly identified and inadvertently given access to confidential information.

The Remote Site Challenge

It is at smaller sites where the risk is most pronounced. Many multinationals have moved away from having a handful of very large sites and offices to a decentralised infrastructure with many smaller offices, depots, sites or outlets. Centralised delivery of enterprise applications over the corporate WAN is enabling this change; however, it often means that very little IT resource is needed at smaller sites. Although this centralised delivery is an efficient use of resources for application delivery, it leaves smaller locations exposed, with little to no IT security onsite.

The Trusted Zone Challenge

Essentially, the corporate network cannot be relied on to be the “trusted zone” that it once was. Organisations need to become “de-perimeterised”. There is no point in having an enterprise perimeter if workers need to access corporate information when they are outside of it. To protect the de-perimeterised organisation, it is important to have security embedded throughout the business.

Enterprises need to have consistent and comprehensive security from the edge of the enterprise through the local area network to the end user. All assets and sites need to be protected, as security is only as strong as the weakest link. Preventative devices that automatically take action based on what they detect should be embedded throughout the organisation at all layers. Security controls need to be embedded in the infrastructure layer, the transport layer and the application layer in order to ensure that the entire organisation is secure from threats.

For example, user authentication needs to be embedded within the application layer to control access to company resources. The level of access granted needs to be calculated automatically from the user’s personal security level and from the device and network from which he or she is requesting the resource.

The Embedded Network Security Opportunity

The de-perimeterisation of an organisation means that security breaches don’t just happen outside a nominal boundary protected by a firewall; they can happen just as easily inside. For this reason it is essential to also embed security in the transport layer, so that all communications within the business are protected from security breaches.

For too many businesses, security is still seen as merely an expense, when in fact good security offers many business advantages. Security must be seen as an essential element to growing the business, as it not only protects users, but it also enhances productivity by making sure the right people access the right resources at the right time. Embedded network security can ensure that an organisation is secured from top to bottom, providing invaluable peace of mind.


Steps to mastering identity and access management

As the workforce becomes increasingly mobile and dispersed, identity and access management becomes more important in ensuring organisational security. While managing user identities and controlling access are separate tasks, they are closely related. Identity and access management (IAM) needs to be a key part of business security strategy, particularly as organisations grow and IT architectures become more complex. Here are five things to consider when planning your IAM strategy.

1. Identity data infrastructure

It is not possible to manage user identities without having an appropriate data infrastructure in place to store user information. This generally involves the use of directory and metadirectory systems, usually based on the lightweight directory access protocol (LDAP), the industry standard for accessing directory data.

Decision makers should consider federated identity as part of the underlying data structure. This allows systems to automatically grant access to users of other systems. Federated identity systems assign permissions to each other, creating a secure web of trusted applications. However, enterprises need to tread carefully when designing these systems—complexity can create more headaches than necessary and increase management overhead, while also limiting the flexibility to change application specifications or relationships.

While federated identity can be used to integrate disparate systems (including those inside a single organisation), it is also necessary to assign the appropriate level of expertise to the design and maintenance of such a solution.

2. Define roles and entitlements

Two important, but still nascent, techniques that have a significant effect on access control are entitlement management and role-based access control. Systems that carry out these functions allow administrators to define multiple roles in an organisation, along with a granular set of entitlements to allow system access. When combined, they allow for very tight control of user access. For example, someone in a junior accounting role could access a particular database, but only until 6pm.

Defining and maintaining these roles and entitlements requires significant input from business management, which can potentially lead to complications if organisational requirements change. Business management needs to carefully monitor entitlements and roles in order to ensure operational security.
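To make two of the ideas above concrete, the context-dependent level of access described under the trusted zone challenge and the junior accountant whose database access lapses at 6pm, here is an added example in Python that is not part of the original text. The roles, entitlements, assurance levels and in-memory tables are constructed for illustration and stand in for a directory and an entitlement-management product.

```python
"""Context-aware, role-based access decision: an added example, not code from the
original text. Roles, entitlements and trust levels are constructed in-memory tables
standing in for a directory and an entitlement-management system."""
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Entitlement:
    """A resource, the actions allowed on it, a daily time window, and the
    minimum assurance level a session must reach to use it."""
    resource: str
    actions: frozenset
    not_before: time = time(0, 0)
    not_after: time = time(23, 59, 59)
    min_assurance: int = 1

# Constructed role table: the junior accountant's read access lapses at 18:00.
ROLES = {
    "junior_accountant": [
        Entitlement("ledger_db", frozenset({"read"}), not_after=time(18, 0)),
    ],
    "finance_manager": [
        Entitlement("ledger_db", frozenset({"read", "write"}), min_assurance=3),
        Entitlement("payroll_db", frozenset({"read"}), min_assurance=3),
    ],
}

@dataclass(frozen=True)
class Context:
    user_clearance: int     # 1..3, the user's personal security level from the identity store
    managed_device: bool    # device enrolled and policy-compliant
    trusted_network: bool   # corporate LAN or VPN rather than an unknown network
    now: time

def assurance_level(ctx):
    """Effective assurance is the user's clearance capped by the weakest of
    device and network, so an unmanaged device or untrusted network lowers it."""
    level = ctx.user_clearance
    if not ctx.managed_device:
        level = min(level, 2)
    if not ctx.trusted_network:
        level = min(level, 1)
    return level

def decide(user_roles, resource, action, ctx):
    """Return (allowed, reason). Any one role that grants the action within its
    window and at the session's assurance level is enough; otherwise deny."""
    level = assurance_level(ctx)
    reasons = []
    for role in user_roles:
        for ent in ROLES.get(role, []):
            if ent.resource != resource or action not in ent.actions:
                continue
            if not ent.not_before <= ctx.now <= ent.not_after:
                reasons.append(f"{role}: outside {ent.not_before:%H:%M}-{ent.not_after:%H:%M}")
            elif level < ent.min_assurance:
                reasons.append(f"{role}: assurance {level} below required {ent.min_assurance}")
            else:
                return True, f"{role} grants {action} on {resource}"
    return False, "; ".join(reasons) or "no role grants this action"
```

The deny reasons are what an auditor would want in the access log; a real deployment would read roles and clearances from the directory rather than from the constructed tables.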

3. Automate the provisioning process

Identity management helps improve company-wide productivity and security, while also lowering the cost of managing users and their identities, attributes and credentials. This requires automation, but automation contains hidden challenges, as just setting up a user name and a password is often not enough. Instead, multiple steps must be included in the provisioning process. For example, users might be assigned a sales region, enrolled in a number of organisational teams or given a list of company resources to which they have access.

4. Simplify access control

Controlling access to systems is a separate but related task to managing identity. The user can only be authenticated if their identity is in the system, but the task of authentication poses another challenge. Users must be able to access the system relatively easily to avoid illicit circumvention of security settings, and yet their credentials must be secure enough to stop attackers simply waltzing through the gate. Enterprise sign-on systems can provide users with access to multiple enterprise applications using just one set of credentials. For added security, hardware-based tokens can also be issued as part of a two-step authentication process.

5. Audit

No identity and access management system is complete without a robust reporting capability to meet the needs of auditors facing compliance regulations. Organisations should be able to provide audit trails showing which users had access to what resources, and what was done with those resources. With increasing levels of compliance required from organisations, it is wise to ensure that evidence can be provided when needed.

Summary

Any comprehensive IAM effort is complex, but cloud-based services can help to reduce deployment times. A competent and experienced IT operator can not only host the infrastructure necessary for managing both identity and access control, but can also provide consulting services to help integrate it effectively into a customer’s existing IT architecture. When the time is taken and due consideration given, IAM can prove to be a valuable asset to any organisation.


IP voice security: are you susceptible or strong?

Undoubtedly, corporations are realising the benefits of IP voice systems. Voice over internet protocol (VoIP) can bring substantial cost savings and productivity enhancements to a business by transforming its circuit-switched networks into IP packet-switching networks and running voice and data applications over a single infrastructure. However, businesses need to be aware that there are potential risks involved, and they need to take the necessary steps to protect their interests.

When voice and data are merged onto a single network, voice becomes an application on the network and is, therefore, exposed to the same threats as data applications. These threats include infrastructure and application-based attacks, denial-of-service (DoS) attacks, eavesdropping, toll fraud and protocol-specific attacks. However, with the right procedures in place, VoIP security risks and threats can be managed and mitigated—maximising the benefits of VoIP while minimising exposure.

Infrastructure and application-based attacks

In VoIP, voice is essentially an application on the data network, fine-tuned to maintain voice-quality performance. VoIP equipment and end-point devices such as IP phones are becoming standardised and commoditised just like other data components such as PCs—meaning that VoIP is just as vulnerable to cyber-attacks. Hackers can exploit voice devices to disrupt normal network service and/or perform criminal actions such as data theft.

IT managers need to maintain current patch levels on all IT and network equipment and applications, and have appropriate anti-virus software installed and up to date. Virtual local area networks (VLANs) can also be implemented to protect voice traffic from data network attacks. Combined with application gateways between trusted and untrusted zones of the network, VLANs complement the protection offered by corporate firewalls.

Denial-of-service (DoS) attacks

A DoS attack occurs when someone deliberately floods a particular network with so much illegitimate traffic that it blocks legitimate traffic. Obviously, if your voice traffic is being transmitted over the same network, a DoS attack will have significant impact on business operations.

DoS attacks are difficult to stop and prevent, but proper intrusion prevention practices, special network devices and proper patch updates can minimise the risk of exposure. In order to prevent data network problems from affecting voice traffic, voice and data traffic should logically be separated from administrative traffic. Traffic shaping can also provide another layer of protection and control for the network.

Eavesdropping

Intercepting data traffic is a trivial endeavour for most hackers, so it stands to reason that with voice and data convergence, the same can be said for voice traffic over the network. Many tools are freely available to collect packets associated with VoIP conversations and reassemble them for illicit purposes. Two measures that can be taken to prevent eavesdropping are isolating VoIP traffic using virtual private networks (VPNs) and applying encryption to voice packets. However, IT managers need to carefully evaluate the use of encryption for VoIP, as it can increase latency in the network. Encryption of voice data could be selectively applied based on business requirements; for example, encryption and decryption can be used only for those conversations over untrusted networks. When choosing a managed service provider, companies should ensure that appropriate security protocols are actively used by the potential provider to ensure secure conversations within the network.

Toll fraud

Just as with traditional voice systems, toll fraud cannot be ignored when considering VoIP systems. In toll fraud, attackers gain unauthorised access to a private branch exchange (PBX) call-control system to make long-distance or international calls, which can mean significant financial impact to the business. Poor implementation of authentication processes could allow calls from unauthorised IP phones and/or allow unauthorised use of the VoIP network. Companies need to impose proper control over access to VoIP systems, including gateways and switches, in order to avoid the occurrence of toll fraud. Centralisation of management and configuration control is also recommended.

Protocol-specific threats

Since VoIP was developed on an open standard, the protocols that support communications are well known and thus vulnerable to probing for their weaknesses and security flaws. Session initiation protocol (SIP) is gaining popularity – SIP is a session and call-control protocol, components of which are used by standards-based IP PBX and IP telephony systems. In addition to the standard IP vulnerabilities, SIP brings additional risks.

SIP is a text-based protocol, like the common HTTP and SMTP. Therefore attackers can easily monitor and analyse traffic and then transition into various application-level attacks. Attacks can include impersonation of registration for system access, unauthorised access to corporate directory information, taking control of calls to disrupt business and also placing unsolicited calls and voice messages. Obviously, in a malicious attack, this could be highly detrimental to a business. IT managers need to be aware of these vulnerabilities and implement strong authentication and authorisation processes accordingly.
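As an added example that is not part of the original text, the following registrar-side check shows how the Digest authentication that SIP inherits from HTTP (RFC 3261, here in its basic no-qop form) is verified on a REGISTER, and how two checks beyond the digest itself, single-use nonces and matching the credentials to the address of record being bound, counter the registration impersonation mentioned above. The realm, users and request text are constructed for the demo, and only the Python standard library is used.

```python
"""Server-side check of Digest credentials on a SIP REGISTER: an added example, not
code from the original text. Basic RFC 3261 Digest (no qop); stores HA1 instead of
passwords, rejects reused nonces, and refuses to bind another user's address of record."""
import hashlib, hmac, re, secrets
REALM = "example.com"  # constructed realm

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def make_ha1(username, password):
    """HA1 = MD5(username:realm:password): what the registrar stores, not the password."""
    return md5_hex(f"{username}:{REALM}:{password}")

def digest_response(ha1, method, uri, nonce):
    """response = MD5(HA1:nonce:HA2) with HA2 = MD5(method:uri)."""
    return md5_hex(f"{ha1}:{nonce}:{md5_hex(f'{method}:{uri}')}")

def build_register(username, ha1, aor_user, nonce):
    """Client side for the demo: REGISTER with `username`'s credentials, binding `aor_user`."""
    uri = f"sip:{REALM}"
    resp = digest_response(ha1, "REGISTER", uri, nonce)
    return (f"REGISTER {uri} SIP/2.0\r\nTo: <sip:{aor_user}@{REALM}>\r\n"
            f"From: <sip:{aor_user}@{REALM}>;tag=1\r\n"
            f'Authorization: Digest username="{username}", realm="{REALM}", '
            f'nonce="{nonce}", uri="{uri}", response="{resp}"\r\n\r\n')

def parse_authorization(header):
    """Turn 'Digest k="v", k2=v2' into a dict, or None if it is not a Digest header."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        return None
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)}

class Registrar:
    def __init__(self, users):
        self.users = users        # username -> HA1 (constructed user store)
        self.live_nonces = set()  # nonces issued in 401 challenges, each usable once

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def verify_register(self, request):
        """Return (accepted, reason) for the raw text of a REGISTER request."""
        head = request.split("\r\n\r\n")[0]
        method, req_uri = head.split("\r\n")[0].split(" ")[:2]
        headers = {m[1].lower(): m[2].strip() for m in re.finditer(r"^([\w-]+):(.*)$", head, re.M)}
        auth = parse_authorization(headers.get("authorization", ""))
        if method != "REGISTER" or not auth or \
                any(k not in auth for k in ("username", "realm", "nonce", "uri", "response")):
            return False, "not a REGISTER with complete Digest credentials"
        if auth["realm"] != REALM or auth["uri"] != req_uri:
            return False, "realm or digest-uri does not match the request"
        if auth["nonce"] not in self.live_nonces:
            return False, "unknown or already used nonce (possible replay)"
        ha1 = self.users.get(auth["username"])
        expected = ha1 and digest_response(ha1, method, req_uri, auth["nonce"])
        if not expected or not hmac.compare_digest(expected, auth["response"]):
            return False, "bad credentials"
        aor = re.search(r"sip:([^@>]+)@", headers.get("to", ""))
        if not aor or aor.group(1) != auth["username"]:
            return False, "credentials do not belong to the address of record being bound"
        self.live_nonces.discard(auth["nonce"])  # single use
        return True, f"{auth['username']} registered"
```

Production registrars add nonce expiry and the qop=auth variant with a client nonce and counter; the structure of the checks is the same.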

IP voice security

While convergence and VoIP implementations are fast becoming mainstream among multinational corporations, they are, at the same time, posing serious security challenges. Whether you are planning to build your own converged network or utilise the services of a managed service provider, the primary goal should be the implementation of VoIP security that is properly built and validated, with ongoing management support. Security has to be managed through proactive monitoring, event management, remediation and regular follow-up to ensure a stable and reliable corporate communications infrastructure. However, with the right security in place, VoIP can be a valuable asset to a company.


Safeguard security with gateway consolidation

Just like the doors to your house, your internet gateways are the one point where you can see (and decide) what comes in and out. The gateway is exposed to all sorts of security threats, from hacking attempts, to spam, phishing and viruses. It’s critical that you define clear security rules for your gateways and deploy corresponding processes to keep them up to date.

Every company has increasing numbers of employees needing to work remotely while maintaining access to corporate information and communication. It’s a security issue, one of escalating importance.

Despite the serious cyber risks, many companies and multinationals still apply a local internet access policy, with local offices individually managing access to the internet and their corporate network, as well as the security related to that access. The lack of standardised security across a company can cause serious security issues with high potential for exploitation of loopholes. The more points of contact that exist between the internet and a corporate WAN, the greater the risk of attack and impact on business operations – it can take just a few days or even hours for a hacker to exploit a known vulnerability.

It is important to be aware of your network vulnerabilities so that patches can be implemented rapidly when necessary. Such capabilities require time and skilled resources, and expert security specialists can be hard to find, as well as expensive to retain. Having local internet access points also requires hardware and software implemented at each location, with the right management systems in place. It is important to remember that the more local gateways you have the greater your initial capital expenditure, operational costs and security risk will be.

Traditional thinking dictates that there must be strict barriers between the internet and corporate intranets. Over the years, these barriers have become increasingly complex, leading to numerous perimeter loopholes and a huge variety of gateways – and so a greater potential for a loss of network control. The best way to regain control is to consolidate these gateways. Fewer gateways mean lower costs, better consistency and increased compliance with security policy. The concept of consolidating multiple gateways is simple: instead of many points of entry to the internet, only major gateways are retained. Information flows are redirected through the private corporate network to secure, highly available, consolidated internet gateways.

While this may sound simple it is vital that specialists handle the consolidation process to manage and control business risks. A thorough analysis must be undertaken to determine security risks and the associated costs. It should include assessments of IT risk, technical security and vulnerability, and a total cost analysis detailing all expenses such as hardware, software, maintenance, network capacity and staffing costs.

It’s important to realise that the benefits of consolidated gateways aren’t just cost-related. By redirecting traffic over your corporate WAN, you can prioritise company internet traffic through different classes of service, ensuring continuity of service for your critical applications and/or customer traffic. You can also choose to host your web, messaging and application servers in the gateway’s demilitarised zone, a separate and protected area of the gateway. You can then (potentially) transfer administration of this area to specialists who can monitor, upgrade, troubleshoot and patch these systems around the clock, ensuring that customers and employees have access to business services at all times.

Consolidating your internet gateways reduces the number of loopholes that cybercriminals can squeeze through, increases efficiency and raises compliance with security policies. Fewer gateways mean fewer complications, reducing the need for multiple layers of security for different devices, portals and locations which can potentially conflict with each other.

Better security and performance at your gateways lowers the risk to your business and, most importantly, to your customers.
