September 21, 2012
Advanced technology is a beautiful thing. Not only has it enabled the creation of new, more efficient methods of application delivery and data storage (the Cloud is a prime example), but it’s also helped propel the development of more sophisticated solutions for data protection as well (think tokenization, encryption). That said, there is a challenge that accompanies this evolution of technology – the savvy cybercriminal. Determined to keep pace with, or even ahead of, each advance in data protection, these criminals are posing a huge threat to corporations and governments worldwide. Professor Fred Piper, a renowned cryptographer from Britain’s Royal Holloway University, recently shared his views regarding the issue and they included a sobering assertion: cybercriminals – with the assistance of anticipated future breakthroughs in computing (known as quantum computing) – could theoretically be able to decipher encryption algorithms. Imagine the consequences.
Since quantum computing is not a reality yet, and it will take a while longer to get into the hands of cybercriminals, why worry, right? It turns out that while Piper was focused on the impact of quantum computing, he was actually helping shine a light on another threat: the increased access to supercomputing, made possible by the cloud. While evangelists of cloud-based supercomputer access tout the ease with which Small and Medium Enterprises (SMEs) can now utilize computing power to run things such as models for fluid dynamics, this computing power can also now be used to attack computer security systems, and weak cryptography in particular. Just knowing that cybercriminals will be able to harness this sort of computing power creates yet another reason for enterprises to make sure they use the strongest cryptographic approaches available when encrypting their most sensitive levels of data. Any sub-standard encryption is much more likely to be cracked using the tools now available via the cloud.
This strong security approach needs to be applied to data that is being transferred (“in flight”) to the cloud, being processed in the cloud or being stored (“at rest”) in the cloud. To help the industry stay ahead of these issues, organizations such as National Institute of Standards and Technology (NIST) have issued standards such as the Federal Information Processing Standards (FIPS) for use across the Federal government in the United States. The FIPS 140-2 standard is an information technology security accreditation program for validating that the cryptographic modules produced by private sector companies meet well-defined security standards. FIPS 140-2 has also been adopted as a minimum standard within many industries including finance and healthcare.
Case closed, right? Wrong. While standards are extremely valuable they have to be applied correctly. And, regrettably, confusion has been caused in the market by some players using terms such as “military grade encryption” attached to a technique known as “Functionality Preserving Encryption” (which has lesser validation than FIPS 140-2). Organizations should carefully consider the strength of the encryption being used to safeguard their information and avoid proprietary, “closed” approaches that have not been published or peer reviewed. There may also be industry or regulatory mandates to use a certain type of encryption depending on the business realm(s) in which the organization operates. And if preserving the functionality of their SaaS applications, such as searching and sorting, is important to the organization, it should confirm that this remains possible when implementing the level of encryption that the enterprise wants (or is required) to use.
The challenge with encryption is that once attackers obtain the key, it is effectively broken because they can decipher all the data encrypted with that key. Weak cryptography that can be broken using newly available supercomputing power poses a serious risk to organizations that face criminal charges, civil liabilities, and brand damage should a data breach occur. It is therefore imperative that organizations use the strongest encryption they can to prevent accusations that slipshod security, especially when tied to cost-saving efforts, contributed to the breach.
Enterprises should also strongly consider tokenization as an option for obfuscating sensitive information. Tokenization is a process by which a data field, such as a primary account number (PAN) from a credit or debit card, is replaced with a surrogate value called a token. Only the token value is transmitted to the cloud, and the real value is securely stored inside the enterprise network. (De-tokenization is the reverse process of redeeming a token for its associated original value, and the process must occur within the enterprise firewall.)
While there are various approaches to creating tokens, they typically are simply randomly generated values that have no mathematical relation to the original data field. Herein lies the inherent security of the approach – it is practically impossible to determine the original value of the sensitive data field by knowing only the surrogate token value. The best you can do is guess. This means that if a criminal got access to the token in the cloud, they could not even use a supercomputer to “reverse” the token into its original value, because there is simply no path back to the original. (Even a “quantum computer” could not decipher it back into its original form.) The true data value never leaves the safety of the organization’s firewall.
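An added example (hypothetical code, not PerspecSys’ product) of the tokenize / de-tokenize round trip described above: a vault that mints CSPRNG-generated surrogate digits of the same length as the PAN, re-uses one token per value so cloud-side exact-match search still works, and can only be reversed through the vault itself. The sample PANs are constructed test values.

```python
import secrets

# Constructed sample PANs (test values, not real card numbers).
SAMPLE_PANS = ["4111111111111111", "5500000000000004"]


class TokenVault:
    """Minimal in-memory token vault (hypothetical illustration).

    The vault lives inside the enterprise network; only the surrogate token
    ever travels to the cloud application.
    """

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    @staticmethod
    def _random_token(length: int) -> str:
        # Each digit comes from a CSPRNG, so the token has no mathematical
        # relation to the PAN: nothing short of the vault maps it back.
        return "".join(str(secrets.randbelow(10)) for _ in range(length))

    def tokenize(self, value: str) -> str:
        """Return the token for `value`, minting one on first use.

        Re-using the same token for a repeated value (a design choice) keeps
        exact-match search and grouping working in the cloud application.
        """
        if not value.isdigit():
            raise ValueError("expected a numeric field such as a PAN")
        token = self._value_to_token.get(value)
        if token is None:
            # Same length as the original so cloud-side field validation still
            # passes; the loop guards against a (rare) collision with an
            # existing token or with the value itself.
            while True:
                token = self._random_token(len(value))
                if token not in self._token_to_value and token != value:
                    break
            self._token_to_value[token] = value
            self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Redeem a token; only possible with access to the vault."""
        try:
            return self._token_to_value[token]
        except KeyError:
            raise KeyError("unknown token: no original value recorded") from None


def demo() -> dict:
    """Tokenize the sample PANs and redeem the tokens through the vault."""
    vault = TokenVault()
    tokens = [vault.tokenize(pan) for pan in SAMPLE_PANS]
    return {"tokens": tokens, "restored": [vault.detokenize(t) for t in tokens]}
```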
Some companies determine that they don’t even have a choice in the matter since legal requirements in certain jurisdictions mandate that data physically resides within country borders at all times. Even with strong encryption, these restrictions had previously blocked cloud computing solutions from even being considered. But tokenization technology provides a workable solution in these instances and overcomes the strict data residency rules enforced in many countries, satisfying both the need to capitalize on the latest breakthroughs in cloud computing, as well as ensuring the security and compliance of any sensitive information.
So, while advanced technology and computing models – coupled with increasing threats from hackers, code-breakers and cyber criminals – are forcing the creation of new innovations in cloud security, companies should know they have solid options here and now. Strong encryption is a requirement for any organization putting sensitive data in the cloud. Tokenization – often overlooked as a data protection method – offers one of the most compelling options to secure sensitive data, ensure application functionality, and enable regulatory compliance.
Eric Hay is PerspecSys’ worldwide director, field engineering. Eric and his team are responsible for deploying PerspecSys solutions for enterprise customers needing to secure sensitive information when using Cloud applications. A software industry veteran, Eric has specialized in computer security throughout his career at companies like Netegrity, Credant Technologies and Invincea.
Managing consumer technology in the enterprise – Why IT needs to change mindset to better support the business.
September 19, 2012
Talking regularly about the consumerization of IT can often make one sound like a broken record, but the economic, security and management challenges it throws up for enterprises are too important to ignore.
The problems boil down to a lack of control, which can be described in two key ways. IT departments of course are built on policies, planning and predictability, but the introduction of technology from the consumer sphere, even when purchased centrally by IT teams for use in the enterprise, creates its own problems. It’s sexy and easy-to-use but it’s certainly not built with security and manageability in mind and will usually fall short of IT’s typical expectations. Products from the likes of Google and Apple, for example, whose respective mobile platforms iOS and Android now account for the lion’s share of the market, are great at serving the needs of consumers but have been extremely slow at embracing enterprise requirements. There is no enterprise sales or support culture with these vendors and there is little transparency with product roadmaps, which takes corporate IT managers completely out of their comfort zone.
The second problem is that, whether consumer-focused tech or not, applications and devices are being brought into the corporate world via the individual employee rather than being mandated from IT, which is the complete opposite of what normally happens. Most IT teams simply aren’t set up to work in this way, and it will require a fundamental change of thinking to ensure consumerization is handled properly.
Rather than adopt the classic head-in-the-sand approach of old, CIOs and IT bosses need to embrace consumerization and take a proactive, strategic approach built around flexible policies and the right security and management tools. Firstly, BYOD policies can’t be created in a vacuum – IT leaders need to sit down with line of business managers in all parts of the organization to figure out what their employees would like to use and how to make that possible. Thus IT is taking the initiative and reaching out in an inclusive, proactive manner.
Secondly, policies must be drawn up to be more flexible and fluid. In a world where everyone in the organization from the CEO down needs to be managed, there can’t be a one-size-fits-all approach to policy making. IT needs to think carefully and map technology and policies to the various user groups. Finally, they need the right infrastructure technologies to help enable all of this.
Companies that are questioning whether or not to allow workers to bring personal devices into the workplace should just stop asking: It’s clear that you can get a competitive edge when you put the right precautions in place. The Consumerization phenomenon gives companies that allow it a competitive advantage as it enhances innovation and creativity in the workplace while reducing overall costs for the entire organization. The key to not being overwhelmed by this trend is that all these devices need to be secured by implementing the proper BYOD policies and procedures.
Consumerization of IT is disruptive and inevitable. But many IT leaders are slow to realize it. Like dinosaurs of a previous IT era, they are headed for extinction.
Post based on a podcast produced by the Financial Times featuring Cesare Garlati, head of Mobile Security at Trend Micro, on some of the downsides of bringing your own device to work. Listen to the FT Connected Business podcast at http://podcast.ft.com/index.php?pid=1398
More on Consumerization, BYOD and Mobile Security at http://BringYourOwnIT.com
Cesare Garlati, Vice President Consumerization and Mobile Security, Trend Micro
As Vice President of Consumerization and Mobile Security at Trend Micro, Cesare Garlati serves as the evangelist for the enterprise mobility product line. Cesare is responsible for raising awareness of Trend Micro’s vision for security solutions in an increasingly consumerized IT world, as well as ensuring that customer insights are incorporated into Trend solutions. Prior to Trend Micro, Mr. Garlati held director positions within leading mobility companies such as iPass, Smith Micro and WaveMarket. Prior to this, he was senior manager of product development at Oracle, where he led the development of Oracle’s first cloud application and many other modules of the Oracle E-Business Suite.
Cesare has been frequently quoted in the press, including such media outlets as The Economist, Financial Times, The Register, The Guardian, Le Figaro, El Pais, Il Sole 24 Ore, ZD Net, SC Magazine, Computing and CBS News. An accomplished public speaker, Cesare also has delivered presentations and highlighted speeches at many events, including the Mobile World Congress, Gartner Security Summits, IDC CIO Forums, CTIA Applications and the RSA Conference.
Cesare holds a Berkeley MBA, a BS in Computer Science and numerous professional certifications from Microsoft, Cisco and Sun. Cesare is the chair of the Consumerization Advisory Board at Trend Micro and co-chair of the CSA Mobile Working Group.
September 10, 2012
By David Grimes, Chief Technology Officer, NaviSite
In IT, the easiest way to stop a new technology or solution from being implemented is to raise a security red flag. As soon as someone mentions concerns around a new IT solution not being “secure” the project can come to a screeching halt. So as cloud infrastructure and cloud computing has begun to enter enterprise IT conversations, concerns around the security of cloud quickly became the biggest barrier to adoption.
Just like security for any other technology solution being used – past, present, or future – creating a security strategy and plan must be one of the first considerations for enterprise IT organizations. And while partnering with a service provider with strong security procedures and services in cloud computing is an important step, enterprises need to continue to take an active role in their own security and risk management. With that in mind, NaviSite has compiled 7 basic steps based on our experiences helping hundreds of companies secure enterprise resources. By following these steps any business can rely on a proven methodology for cost-effectively and securely leveraging cloud services and gain the cost and business advantages of cloud services without compromising the security of enterprise applications.
- Review Your Business Goals: It is important that any cloud security plan begins with a basic understanding of your specific business goals. Security is not a one-size-fits-all proposition and should focus on enabling technologies, processes, and people. Additionally, gaining executive input is not only essential to ensure that assets are protected with the proper safeguards, but also to ensure that all parties understand the strategic goals.
- Maintain a Risk Management Program: Develop and maintain a risk management program centrally, and view it holistically. An effective cloud computing risk management program is important for reducing overall risk to the organization. It is also key for prioritizing the utilization of resources and for providing the business with a long-term strategy.
- Create a Security Plan that Supports Your Business Goals: Develop goals with measurable results that are consistent with providing support for the growth and stability of the company. These goals should include a specified date for completion, verification of achievement, and a measurable expected result. Security professionals are encouraged to regularly conduct careful analysis to develop responsible programs and build in the necessary controls and auditing capabilities to mitigate threats and maintain a reasonable security program that protects organizational assets.
- Establish Corporate Wide Support: Gain the approval of your cloud computing security plan from not only executive management but also the general workforce. Organizations need to establish levels of security that meet business goals and comply with regulatory requirements and risk management policies, but that can be centrally managed and conveniently implemented across the organization with minimal negative impact to productivity. Gaining this acceptance streamlines adoption throughout the organization.
- Create Security Policies and Procedures: With input from a variety of business units, establish a set of guidelines to ensure that all compliance measures are identified. Cloud services are a major advantage for growing organizations that have not yet embedded established policies and procedures into the company. The enterprise can rely on the best practices the service provider has developed over years of experience in similar environments.
- Audit and Review Often: Review the security plan on a regular basis, report on achievements of goals, and audit the compliance of the organization to the security policies and procedures. Understanding the auditing requirements for your business and the frequency of your audits is essential not only for ensuring compliance but also for maintaining best practices for securing enterprise resources.
- Continuously Improve: Annually review your cloud computing security plan with senior management and your cloud services provider. Many companies believe that once they have solid policies and procedures in place they do not need to revisit them—but your industry and your business will change over time, and the technology available to support your security plan will evolve. Understanding the dynamic nature of your business and constantly evaluating your security requirements are the foundation for implementing a successful continuous improvement strategy.
Cloud computing provides compelling cost and strategic benefits, including: scalability with reduced capital expenditure; more efficient use of IT resources; and the ability for an organization to focus on their core competency. Many well established security technologies and procedures can be applied to cloud computing to provide enterprise-class security. The steps outlined above will help organizations structure security and compliance programs to take advantage of the economic advantages of managed cloud services while meeting organizational security and compliance objectives.
Properly managed cloud infrastructure provides better security than most enterprise data centers, applications, and IT infrastructure. It allows companies to more efficiently deploy scarce technical personnel. Obviously, enterprise security should not be taken lightly, including cloud security, but it also doesn’t have to be a major roadblock either. These seven steps are meant to serve as a framework to guide companies as they develop a secure cloud-computing plan. For the complete checklist of the above seven steps download the white paper titled 7 Steps to Developing a Cloud Security Plan.