October 31, 2012
Adapt, accept and manage: a BYOD mantra for corporate IT
RIM and Apple: two firms with more contrasting current fortunes you could not wish to imagine. The once high-flying Canadian BlackBerry-maker, for so long the darling of IT managers and beloved of time-starved execs the world over, has lost its way as rivals from the consumer space start to eat into its core enterprise business. Then there’s the phenomenon that is Apple, the Cupertino giant molded into the slick, stylish consumer success story it is today by the late Steve Jobs. In many organizations you’re now as likely to see staff using an iPhone for work as a BlackBerry, which makes two recent announcements from the tech giants all the more interesting for what they say about the firms’ respective strategies and what it all means for IT managers caught in the middle.

Let’s take Apple first. A company whose primary aim is to make beautiful products at high margins, it was 100 per cent focused on the consumer when its iOS-based iPhone burst onto the scene back in 2007. Since then, the Cupertino firm has released several more models, as well as the market-leading tablet, the iPad, and slowly appears to be rolling more enterprise-friendly features into the platform.
Take, for example, volume purchases for businesses via the App Store – recently added capabilities designed to streamline the large-scale buying of applications for corporate users. Or how about the iPhone in Business and the iPad in Business web sites? Both are designed to attract the business user and showcase features which could appeal to those looking for a new corporate device. The latest much-touted announcement was the launch of the iPad Configurator: a new Mac app which enables administrators to configure up to 30 devices at a time according to corporate requirements – but not to manage them remotely.
Sounds great, but don’t let this slow creeping of iOS functionality into the enterprise fool you into thinking Apple has suddenly become a business-friendly company. Sure, it is providing more capabilities now in its devices to make them easier to use and manage in the corporate sphere, but it will always be a consumer-focused firm. It’s just that it has made its products so user-friendly that everyone who buys one now also wants to use it at work.
If you’re in any doubt as to Apple’s primary focus, consider the iPad Configurator. It enables management of only up to 30 devices – not practical for any but the smallest of organizations – and is primarily designed for the IT department which has purchased its devices and has yet to dole them out, rather than one faced with the problem of managing existing user-bought devices. Then let’s think about Apple the company. Does it have enterprise sales and support staff? An enterprise sales platform? Does it clearly communicate its product roadmap so large scale and long-term purchasing plans can be drawn up by its business customers? The answer to all of these questions is not really, although sources indicate that Apple may be acquiring some enterprise sales staff from a well-known corporate tech vendor.
Yet despite the lack of Apple’s business credentials, IT managers must evolve to meet the increasingly demanding needs of their users and the changing requirements of the role. Put simply, this means that they can no longer procure from a single enterprise vendor – they need to open up to multiple providers and be ready to accept and manage consumer devices. The good news is that there are vendors who can help fill the growing security and management holes that have appeared in this new mobile computing environment. One of them, perhaps surprisingly, is that old friend of the IT department, Research In Motion.
Now RIM has seen its business stall thanks in large part to the success of the iPhone as well as the obvious challenge from Android. Recent Forrester research in fact places the three as having a roughly equal share of the workplace market. Unfortunately, instead of sticking to what it does best – providing highly secure hardware and sophisticated management software – it tried to beat Google and Apple at their own game and entered the consumer space. The strategy hasn’t worked and the company lurches from one bad launch to another with profits and share price plummeting. However, it did something very smart in April – it launched an update to its BlackBerry Mobile Fusion server software which allows admins to manage iOS and Android devices as well as BlackBerry.
Unlike Apple, which is resolutely homogeneous – you won’t be able to use the iPad Configurator for any non-Apple device, for example – RIM has taken the bold step of admitting that not everyone in the enterprise will use a BlackBerry. This is a genuine move in the right direction: not only is a focus on the software side of its business better for its margins, but it also plays to the firm’s biggest strength, its market-leading security and mobile device management capabilities.
It should also serve as a firm reminder to any IT managers still not sure how to respond to the disruptive force of consumerization. If RIM can open itself up to interoperability with rival platforms, maybe they too should adopt a more open mindset when revising their corporate mobile device strategy.
The sands are rapidly shifting in enterprise IT, but quick-witted IT professionals will understand that they are no longer providers of technology for their company but brokers. It is not for them to decide which mobile platforms to use; that is for their execs, line-of-business owners and end users to decide. IT’s new role is to engage as fully as possible with the requirements of the end users, find out where the potential vulnerabilities lie, and make it happen.
Adapt, accept and manage is the new Consumerization mantra for corporate IT.
As Vice President of Mobile Security at Trend Micro, Cesare Garlati serves as the evangelist for the enterprise mobility product line. Cesare is responsible for raising awareness of Trend Micro’s vision for security solutions in an increasingly consumerized IT world, as well as ensuring that customer insights are incorporated into Trend solutions. Prior to Trend Micro, Mr. Garlati held director positions within leading mobility companies such as iPass, Smith Micro and WaveMarket. Prior to this, he was senior manager of product development at Oracle, where he led the development of Oracle’s first cloud application and many other modules of the Oracle E-Business Suite.

Cesare has been frequently quoted in the press, including such media outlets as The Economist, Financial Times, The Register, The Guardian, Le Figaro, El Pais, Il Sole 24 Ore, ZD Net, SC Magazine, Computing and CBS News. An accomplished public speaker, Cesare has also delivered presentations and keynote speeches at many events, including the Mobile World Congress, Gartner Security Summits, IDC CIO Forums, CTIA Applications and the RSA Conference.

Cesare holds a Berkeley MBA, a BS in Computer Science and numerous professional certifications from Microsoft, Cisco and Sun. Cesare is the chair of the Consumerization Advisory Board at Trend Micro and co-chair of the CSA Mobile Working Group – Cloud Security Alliance.
October 26, 2012
Authored by: Dan Dagnall, Chief Technology Strategist at Fischer International Identity
Identity Management is well down the path of a mature market space. But I believe there is still one final, fundamental disconnect which is driving up your cost of deploying and maintaining an identity management solution, and that is programming and customization.
For example, one can appreciate the need to tailor your users’ experience within your organization to be the way that you want it, but the question must be asked: to what end? Do you believe that identity management solutions should require your staff to write programming code in order to connect to your systems, or for the purpose of maintaining custom user interfaces? Should your IdM solution require a strategy for maintaining a code base, or simply a strategy to secure user access and their identifiers while increasing efficiencies across your organization? These questions are important, because when we get down to brass tacks, they represent the primary drivers that can lead to insurmountable costs associated with maintaining and supporting your IdM solution.
“Fun factor” (and personal preference) aside, there is no reason why multiple industries should not be able to adopt similar identity management practices. I’m able to validate that personally, as I’ve worked with multiple customers, in multiple industries, and all of them have many requirements in common. Your identity management requirements are not as unique or “custom” as you might think. Specifically, you need password management, you need user provisioning, you need approvals, etc. The fundamentals of deploying such services do not change across industries (or IdM vendors). It is the mechanics that change. And certain mechanisms that enable IdM simply cost more: programming your way to a solution costs much more than configuring the solution without requiring a single programmer (yes, it’s possible, and available right now).
The cloud serves as that mechanism to enable configuring as opposed to programmer-driven customization to provide each and every industry with a predictable cost, a predictable path (with a real light at the end of the tunnel!) and a predictable result for solving identity management problems. In order to justify how a cloud service model can drastically reduce your overhead associated with identity management, I must first define what identity management IS and what it IS NOT.
What is Identity Management?
Identity management (IdM) describes the management of individual identifiers, their authentication, authorization, and privileges/permissions within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime, and repetitive tasks (http://en.wikipedia.org/wiki/Identity_management ). This is the definition provided by Wikipedia, and for the most part, it is accurate; however, it is the last half of the sentence that I’d like to focus on.
“…with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks”
Perfect. That’s exactly what everyone who ever decided they needed an identity management solution hoped to achieve. Unfortunately the reality in many cases is the exact opposite effect, specifically for on-premise deployments where consultants stand up your solution and turn over the keys when the project is complete. If you’ve procured a solution that requires constant care and feeding, that consultant may be needed again to ensure your solution continues to serve its purpose and doesn’t lag behind and eventually fall short of securing your identities into the future.
Sure, all identity management solutions should “increase security” (if they don’t, then what’s the point?), they should all “increase productivity” (if repetitive processes are automated, productivity by default will increase), which on the surface appears to lead to “decreased cost.” But the cost decreases gained from efficiencies are quickly overtaken by the cost required to support the solution itself. This is a direct result of the mechanism chosen to manage your solution (i.e., holding the customer hostage to programming code, as well as the responsibility to maintain programming code post-production deployment).
What is NOT Identity Management?
First and foremost, writing programming code is NOT identity management. Frankly, from a customer perspective, it should not enter into the equation, ever. In order to call yourself an identity management provider, you must provide full-scale end-to-end identity management capabilities, provide them in a way that enables customers to input their local policy, define their workflow(s), connect to their downstream target applications, and include out-of-the-box end-user interfaces that are directly connected to those same policies and resources that are distinct to each organization, and without the requirement to write “glue code” to make it happen. And by this I mean managing users’ identities, not managing and editing programming code that then leads to managing user identities. I’m speaking of programming, and debugging, and more programming, and more waiting to leverage new functionality or new process, and more… I could go on.
As an organization, the second you have to write programming code so your “solution” can actually provide value, you’ve lit the fuse that will eventually result in an explosion in overhead; specifically, the costs associated with maintaining what essentially will become a programmer’s playground and signal the end to your “increased security,” “increased productivity,” and most importantly, the end to your “decreased cost.” When your identity management “solution” starts to take on attributes of a software company, rest assured that is NOT the intent of identity management; in fact, the result will be the exact opposite. Identity management products must enable you to focus on your policy, your data, and your business rules. They shouldn’t force you to focus on how to connect to your downstream target systems, or force you to be an expert computer programmer in order to solve your identity-related problems. Managing identities does not have to be that way. You have other options to realize “increased security,” “increased productivity,” and “decreased cost” without programming, at all.
So how can “the cloud” decrease my identity-related costs and overhead?
If your primary driver for procuring identity management is to “increase security,” “increase productivity,” and “decrease cost,” the cloud should be a strong contender as you vet potential solutions. “The cloud,” as it has been coined, is definitely more than a potential cost-saving option at this point. It is THE most impactful method to lower your operating costs while maintaining or improving service levels to your user community.
First, let’s talk security…
Cloud-based identity management can be more secure than conventional, on-premise deployments. Storing sensitive user data in the cloud is the single biggest point of contention when we discuss cloud-based IdM, followed closely by questions about identity-related data being sent over the public internet to get from the customer’s network to the cloud provider. For starters, data sent across the web is protected in transit by web-services security built on TLS and PKI; provided both ends validate certificates properly, interception on the wire is not the weak point. Second, we must consider the unpopular truth that in many cases a local datacenter is less secure than those of service providers. Also, a large share of data breaches are caused by internal, often disgruntled, users. Externalizing the datacenter from the local premises helps address the issue of employees conspiring to remove sensitive information from the datacenter, and introducing a well-run third party into the process raises the level of data storage security.
Finally, decreasing cost…
First, it’s a service, so it includes the entire software stack, which may include automated provisioning, role management, self-service portals, self-service [automated] password reset, as well as audit/compliance and governance controls. Second, because it’s a service, you only have to subscribe to the services you want, as opposed to licensing an entire product suite when you only require a fraction of it to address your specific needs. Simply outsourcing the administration around such a large stack of services can save you 1 to 2 FTE (including help desk, as well as server administrators like DBAs, etc.). Once you consider the laundry list of infrastructure requirements to support the IdM stack as well as the operational hours associated with managing and supporting the platform, you can begin to realize the significant cost savings your organization can achieve if you choose to secure your identities via an Identity as a Service model. And let’s never forget the expensive staffing requirements to maintain any “glue code” that is required to actually provide value to your organization. ALL OF IT goes away in the Identity as a Service (IaaS®) model.
In closing, identity management is just not scalable for your organization when finances are a factor and the mechanism in use requires you and your staff to maintain extensive “glue code” in order to keep your solution afloat and growing to meet your demands.
October 24, 2012
The inaugural EMEA Congress in Amsterdam was an unqualified success, with hundreds of security visionaries in attendance and featuring presentations from some of the leading voices from across the cloud security landscape. What follows are just a sample of the discussions and some of the key takeaways from the two-day event:
EMEA Congress Presenters
- Monica Josi, Microsoft’s Chief Security Adviser EMEA, presented on Microsoft’s compliance strategy, emphasizing the importance of a common mapping strategy to define compliance standards. Microsoft has mapped over 600 controls and 1500 audit obligations onto the ISO 27001 framework and is using CSA’s CCM and ISO 27001 to certify its Dynamics CRM, Azure and Office 365 platforms. It has also published all relevant documentation in the CSA’s STAR repository.
- Chad Woolf, Global Risk and Compliance Leader for Amazon Web Services, highlighted the difference between security IN the cloud (what the customer configures and runs on the platform) and security OF the cloud (the provider’s underlying infrastructure). According to Chad, security IN the cloud presents the much greater risk; he also discussed some of the different assurance mechanisms provided by AWS.
- Data security and privacy expert Stewart Room provided an update on some of the more pressing legal issues facing cloud security, including a plea for more realistic legislation (e.g. the subcontractor recommendations of the Article 29 Working Party).
- Mark O’Neill, CTO for Vordel, gave an update on IdM standards, including OAuth 2.0 and OpenID Connect and how they fit into the cloud ecosystem. OAuth 2.0 is now a stable standard which can be used to grant granular, revocable delegated access to APIs. It is lighter than SAML and therefore more suitable for mobile/REST scenarios.
- Phil Dunkelberger made an impassioned call to arms for the industry to create a standard authentication protocol which would allow for the integration of appropriate authentication mechanisms into diverse services.
- Jean-François Audenard, Cloud Security Advisor, for Orange Business Services presented their Secure Development Lifecycle that covers security and legal obligations, mitigation plans, security reviews and on-going operational security and the roles of their security Advisors, Architects and Managers in the lifecycle.
Panel Discussion Takeaways:
- While Gartner has some 26 definitions for Cloud, according to Bruce Schneier it can be boiled down to the fact that it’s simply your data on somebody else’s hard disk that you access over the Internet!
- Cloud provider specialization and reputation means better security in many respects. As to the question of what can be more difficult in the cloud, forensics is a major issue (e.g., ‘freezing the crime scene’, confiscation of hardware, etc)
- As a customer, there is a lot you can and should do to monitor the cloud service provider (either independently and/or via executive dashboards). This also allows you to establish trust in smaller companies with less history.
- Internal IT teams are not redundant. There are many security-related tasks that still need to be taken care of. This is especially true with IaaS providers (e.g. credential management). The cloud provides opportunities for many of these individuals to perform higher-value tasks (e.g., security training of staff, service monitoring, etc.).
- Business is consuming technology quicker than IT can provide it; as a result more internal business users are utilising external third-party and cloud vendors to process their information. For example, MARS Information Services is using a modified version of ISO 27001 (ISO++) and the CSA’s CCM to risk-assess its third-party vendors. As engagements move from IaaS to PaaS and SaaS, the level of risk increases, because more of the controls are handed over to the service provider.
- Historically, organizations have been largely concerned with securing the network, not the information that resides on it. We need to now protect information based on the risk associated with the compromise of that data. As such, a risk based approach to security requires data to be “high level” classified.
- Once data has migrated to the Cloud, access and authentication becomes key. Authentication is currently taken for granted (passport, room key, ID badge, airline ticket, cards), except online where credentials are often re-used. If they are compromised, all systems using those credentials are vulnerable.
- As data moves to the Cloud, there will be situations that require the data to be recovered in a forensically sound way. The use of multi-tenant environments across multiple jurisdictions introduces numerous e-discovery and chain-of-custody challenges that are yet to be solved.
“Great conference with a number of speakers that really provided up to date, timely and in-depth information” – Peter Demmink, Merck / MSD
“The CSA delivered an excellent intro to all the aspects of cloud security and compliance” – Albert Brouwer, AEGON
October 17, 2012
Data [dey-tuh] noun: individual facts or statistics
Information [in-fer-mey-shuhn] noun: knowledge concerning a particular fact or circumstance
When does data become consumable information? When we correctly manage security, we integrate security devices into our infrastructure in a manner designed to support our privacy, security, and regulatory requirements. The problem is that good security can generate a lot of data. This is exacerbated by the desire to ensure that the data is actually consumable information – stuff we can use.
African or European?
Data is just “stuff,” while information is what that stuff means. Is “42” simply 6×7, or is it really the answer to life, the universe and everything? Are “African or European” just words to you, or do they have something to do with the airspeed of an unladen swallow? To make sense of these, you need the context of Douglas Adams and Monty Python. If you lack it, that is not your fault. It just is.
Your management of security data follows the same rules. Data is more valuable if viewed in context. If you have an IDS reporting a port scan on IP 18.104.22.168, that is simply a piece of data. You still have to figure out what that data means to you. Is it important or is it noise?
Your organization uses data, and the security parts of your organization use security relevant data.
For a non-security example, let’s use a 3000-piece puzzle. You have to put it together without looking at the picture on the box. You can look at a piece, and add context to that piece. Is it a corner piece, a side piece, or a middle piece? Does the piece have a part sticking out or does it have a hole? Is that something red and round on the piece? Is that something shiny? All of these observations add context to the pieces, as well as the puzzle as a whole.
When you add context to security information, it helps tell you how to build your entire security program. You go from supporting “data” to supporting “PCI data,” along with all that it means to be PCI compliant. You know that the environment that supports PCI data at BigBlueBank is going to receive more advanced security controls than the inventory control system at Joe’s Hat, Boot and Shoe Company. While the two data sets are both important to their respective companies, the specific regulatory requirements placed on the PCI data should result in enhanced controls at BigBlueBank. Even staff at Joe’s would agree that the number of size 10 boots in stock is not as sensitive as credit card data. PCI has elevated requirements for a variety of technical controls, including data segregation and encryption, as well as incident response, policy, procedure, and training. If you add St. Mary’s Hospital to the mix, you can imagine that their trauma center has stronger availability/resiliency requirements than they do at Joe’s Hat, Boot and Shoe Company. The context within which the data works shapes the entire environment.
The supporting information adds context to the raw security data. Your IDS alert that was previously just “data” gets a whole new meaning if you have the context to know whether 22.214.171.124 is the system that holds your credit card database, or an internal website that has limited value. Without security context, you might know that you have an alert, and that you are being attacked. But with good context, you can tell that the server being attacked is named “Mordor,” is a Windows Server 2008 R2 SP1 box running Oracle 11g Enterprise, sits in the Princeton, N.J., data center in row 3, rack A12, and holds all of your clinical patient records, so it falls under HIPAA and HITECH. That information, and context, should make a huge difference in how you manage and protect the information, as well as the threats to it.
Adding context to data gives you information. Analytics adds even more information by evaluating relationships between the various pieces.
You started sorting the puzzle pieces, adding context where you could. You might group pieces that have red on them, as well as pieces that are shiny, to see if you can find anything in common or see a pattern. You start assembling the frame of the puzzle by looking at the sides and corners.
When you look at how the pieces fit together, you are looking at the relationships between those pieces. That is analytics. Next, you look at the red pieces, and see how they fit together. After you assemble three or four pieces, you recognize that the red is a clown nose. Analytics gives you even more data since now you know that the puzzle has a clown in it. That piece of information improves the context which you had previously assigned to every other puzzle piece. Then you assemble some shiny pieces and realize it is a shiny hubcap on a wheel. Analytics.
Better yet, you can match those larger pieces of information together and realize that the puzzle probably includes a clown car, which automatically adds new context to all of the other pieces in the puzzle. Analytics helps you to recognize the giant daisy that squirts water, and the huge green shoe sticking out of the trunk. You utilize analytics to assemble multiple clowns, and the car. Contextual information enabled you to start building, but it was analytics that actually let you make progress and eventually finish the puzzle.
Of course, the same rules apply with information security. The context is invaluable, and lets you understand what your event and alert information means. But the analytics applied to those events forms a bigger picture of what is happening in your environment, and is even more important.
Context and Analytics in Practice
How does this work in real life?
Suppose both companies see the same five events one evening: an external port scan, a burst of external login failures followed by a success, a series of internal login failures, a privileged database login, and a spike in outbound traffic. Joe’s Hat, Boot and Shoe Company has a relatively immature security management practice. They generally ignore an external port scan. When they get a series of login failures on an internal system, they probably ignore that also, unless a systems/security admin happens to realize that those failures came from a known “important” system. They effectively ignore the privileged database login, since they probably lack the context to see how important the system is and their level of security paranoia is relatively low. If Joe’s sees the elevated traffic levels, it may be cause for concern, but for the most part it is simply one more in a flood of other events. Keep in mind that Joe’s did not get just these five events. Joe’s got these five events along with another 3,000 or so events that evening. Chances are that the IT staff at Joe’s is not alerted to anything.
Bob’s Big Box store probably couldn’t care less about the 17th port scan they saw that week. BBB may also not be terribly worried about a series of external login failures, but when those failures are immediately followed by a success, analytics kicks into action. Was this a user mistyping a username and/or password, or was this a successfully guessed password? At the very least, good analytics has this marked as “curious.” This is probably marked even “curiouser and curiouser” when analytics checks back in time and sees BBB had been port scanned 10 minutes earlier. Suddenly, the port scan is not “just another port scan.” Can good analytics be applied to anything else interesting about the events? For example, did the port scan and login attempts come from the same IP address? This would lend additional context to the events.
BBB sees a series of internal login failures. Given that this followed shortly after the suspicious external logins, this is now marked with an elevated concern more like “interesting.” Their internal systems report the privileged account logon as a matter of due course, and it is only really interesting if it falls in a reasonable time sequence in the series of events that are undergoing analytics. Elevated outbound traffic volume would be the last straw. Analytics considered 3,000 events, and picked out a series of five that it decided were related – that they fit together like the corner of a puzzle.
What happens next depends on how BBB has defined their security profile. At the very least, an internal alert is issued, and if they are prepared, they would probably terminate outbound traffic at the firewall when the extra traffic was detected.
The five events are a dramatic oversimplification. So is the “five out of 3,000.” In reality, this could be thousands and potentially millions, of events, depending on your environment. If your environment consists of six systems, and one IT guy knows them all, he may be able to accomplish all of your analytics. But if yours is an organization of any size, doing meaningful analytics in a manual manner is going to be more a matter of luck than skill.
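The two walkthroughs above (adding asset context to a bare IP address, and picking the five related events out of an evening’s noise) as a runnable example. This is added code, not from the original post or from Solutionary: the asset inventory, host names, IP addresses, timestamps and the outbound byte baseline are all constructed for the illustration, and the correlation is modelled as a small state machine that advances only when the next stage in the chain comes from the right host (the scanner, then the host it logged into, then the victim).

```python
"""Context enrichment plus multi-stage correlation over constructed events.

Added example, not from the original post.  Hosts, IPs and the byte
baseline are invented; the five-stage chain is the one described in the text.
"""
from datetime import datetime, timedelta

# Constructed asset inventory: the context that gives an IP address a meaning.
INVENTORY = {
    "192.0.2.10": {"name": "dmz-vpn", "data": "none", "regs": []},
    "10.0.5.20": {"name": "mordor", "data": "PHI", "regs": ["HIPAA", "HITECH"]},
    "10.0.7.9": {"name": "intranet-www", "data": "public", "regs": []},
}
UNKNOWN = {"name": "unknown", "data": "unknown", "regs": []}


def enrich(event, inventory=INVENTORY):
    """Return a copy of the event with asset context for its destination host."""
    return {**event, "asset": inventory.get(event["dst"], UNKNOWN)}


def severity(asset):
    """Regulated data on the victim host raises the incident severity."""
    return "critical" if asset["data"] in ("PHI", "PCI") else "high"


def correlate(raw_events, window=timedelta(minutes=30), baseline_bytes=50_000_000):
    """Walk events in time order looking for: port scan -> external login
    failures then a success from the same source -> internal login failure from
    the foothold -> privileged login from the foothold -> outbound spike from the
    victim.  A chain older than `window` is discarded; each hit is one incident."""
    events = sorted((enrich(e) for e in raw_events), key=lambda e: e["ts"])
    incidents, s = [], None
    for e in events:
        if s and e["ts"] - s["started"] > window:
            s = None  # chain went stale; wait for a fresh port scan
        kind, out = e["type"], e.get("outcome")
        if s is None:
            if kind == "port_scan":
                s = {"stage": 1, "started": e["ts"], "attacker": e["src"],
                     "failures": 0, "chain": [e]}
            continue
        if s["stage"] == 1 and kind == "login" and e["src"] == s["attacker"]:
            s["chain"].append(e)
            if out == "failure":
                s["failures"] += 1
            elif out == "success" and s["failures"] >= 3:
                s.update(stage=2, foothold=e["dst"])  # guessed password, most likely
        elif (s["stage"] == 2 and kind == "login" and out == "failure"
              and e["src"] == s["foothold"]):
            s["chain"].append(e)
            s["stage"] = 3
        elif (s["stage"] == 3 and kind == "login" and out == "success"
              and e.get("privileged") and e["src"] == s["foothold"]):
            s["chain"].append(e)
            s.update(stage=4, victim=e["dst"], asset=e["asset"])
        elif (s["stage"] == 4 and kind == "netflow" and e["src"] == s["victim"]
              and e["bytes"] >= 10 * baseline_bytes):
            s["chain"].append(e)
            incidents.append({
                "attacker": s["attacker"], "foothold": s["foothold"],
                "victim": s["asset"]["name"], "regs": s["asset"]["regs"],
                "severity": severity(s["asset"]),
                "event_ids": [x["id"] for x in s["chain"]],
            })
            s = None
    return incidents


T0 = datetime(2012, 10, 17, 22, 0)


def at(minutes):
    return T0 + timedelta(minutes=minutes)


# Constructed evening of events: the chain interleaved with unrelated noise (ids 2, 9).
SAMPLE_EVENTS = [
    {"id": 1, "ts": at(0), "type": "port_scan", "src": "203.0.113.7", "dst": "192.0.2.10"},
    {"id": 2, "ts": at(2), "type": "login", "src": "198.51.100.4", "dst": "192.0.2.10", "outcome": "failure"},
    {"id": 3, "ts": at(8), "type": "login", "src": "203.0.113.7", "dst": "192.0.2.10", "outcome": "failure"},
    {"id": 4, "ts": at(9), "type": "login", "src": "203.0.113.7", "dst": "192.0.2.10", "outcome": "failure"},
    {"id": 5, "ts": at(10), "type": "login", "src": "203.0.113.7", "dst": "192.0.2.10", "outcome": "failure"},
    {"id": 6, "ts": at(11), "type": "login", "src": "203.0.113.7", "dst": "192.0.2.10", "outcome": "success"},
    {"id": 7, "ts": at(15), "type": "login", "src": "192.0.2.10", "dst": "10.0.5.20", "outcome": "failure"},
    {"id": 8, "ts": at(16), "type": "login", "src": "192.0.2.10", "dst": "10.0.5.20", "outcome": "success", "privileged": True},
    {"id": 9, "ts": at(17), "type": "netflow", "src": "10.0.7.9", "dst": "198.51.100.9", "bytes": 2_000_000},
    {"id": 10, "ts": at(20), "type": "netflow", "src": "10.0.5.20", "dst": "203.0.113.7", "bytes": 900_000_000},
]

if __name__ == "__main__":
    for incident in correlate(SAMPLE_EVENTS):
        print(incident)
```

Run stand-alone, the block reports a single critical incident whose victim is “mordor” (PHI, HIPAA/HITECH) and whose chain is events 1, 3, 4, 5, 6, 7, 8 and 10; the two noise events are left out. Remove the port scan or the outbound spike from the input and no incident is raised, which is the Joe’s-versus-BBB point in the text: the same events are either 3,000 unrelated lines or one story, depending on whether something is looking at how they fit together.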
Jon-Louis Heimerl is Director of Strategic Security for Omaha-based Solutionary, Inc., a provider of managed security solutions, compliance and security measurement, and security consulting services. Mr. Heimerl has over 25 years of experience in security and security programs, and his background includes everything from writing device drivers in assembler to running a world-wide network operation center for the US Government. Mr. Heimerl has also performed commercial consulting for a variety of industries, including many Fortune 500 clients. Mr. Heimerl’s consulting experience includes security assessments, security awareness training, policy development, physical intrusion tests and social engineering exercises.
October 17, 2012
By: Cloud Computing Team
That user concerns about security and related matters are part and parcel of how and when cloud computing—whether on-premise, in public clouds or a hybrid—gets adopted isn’t news. Even if the risks are sometimes more about perception than reality, the fact remains that survey after survey puts “security” at or near the top of inhibitors to cloud adoption. And that makes understanding how to mitigate these risks an industry priority given the flexibility, agility and cost benefits that cloud computing can bring.
Many companies and groups are working to address security challenges in various ways. The Cloud Security Alliance (CSA), founded in 2009, is one of the most important of such initiatives because it’s arguably the organization taking the broadest view of the problem. It’s a not-for-profit organization whose mission is to promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure additional forms of computing.
Red Hat has been participating in the CSA community for nearly two years, and has been working to bring awareness and utilization to the tools built by the CSA to provide security to physical, virtual and hybrid cloud environments. Now, as an official corporate member of CSA, Red Hat will continue to drive a focus around open standards and security to protect enterprise workloads in the cloud.
The CSA has a broad membership with over 130 corporate members. This includes IT vendors like Red Hat who sell to a wide range of industries. But it also includes companies, such as healthcare technology supplier McKesson, that specifically work in industries that are highly regulated and significantly affected by data privacy requirements. It includes professional services firms with an interest in security and compliance issues, such as Ernst & Young and PwC. It includes government agencies such as the Department of Defense and suppliers to those agencies such as Raytheon. And it includes large technology end users such as eBay. The CSA also has almost 40,000 individual members in its LinkedIn group.
One specific CSA initiative is its Cloud Security Alliance Cloud Controls Matrix (CCM). CCM is designed to provide fundamental security principles “to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.” The goal here is essentially to provide structure so that security can be evaluated in a systematic way. Specifically, in the CSA’s words, to provide:
“…organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. The CSA CCM strengthens existing information security control environments by emphasizing business information security control requirements, reduces and identifies consistent security threats and vulnerabilities in the cloud, provides standardized security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.”
It’s important to be systematic in this way because security isn’t one thing. In fact, the CCM considers 98 distinct areas of control across 13 different domains, such as compliance, resiliency and information security. Each of these areas of control is then mapped to the area of IT architecture in which it applies (e.g., networking, data or compute), its relevance to different cloud service delivery models (IaaS, PaaS and SaaS), and its relationship to a wide range of regulations. Even a quick scan of the detailed matrix gives a sense of the degree to which the CCM provides a very specific practical framework that organizations can use. (A 2009 study by the European Network and Information Security Agency (ENISA) provides a framework in a somewhat similar vein.)
The CCM (or an alternative document called the Consensus Assessments Initiative Questionnaire) can be used by cloud users to structure their own evaluations of cloud providers. However, these documents are also inputs to another CSA initiative called the CSA Security, Trust & Assurance Registry (STAR), a free, publicly accessible registry that “documents the security controls provided by various cloud computing offerings.” Cloud providers can submit self-assessment reports that document their compliance to CSA-published best practices. The CSA’s goal is to make it easier and faster for cloud users to do their due diligence and generally move to an environment where security practices are more transparent and even used as a differentiator among different cloud providers.
The CSA also conducts research into cloud computing. Most recently, on September 27, it released the results of a Cloud Market Maturity study, a collaborative project with ISACA, intended to provide business and IT leaders with insights into the maturity of cloud computing. While the report found many positive indicators, it also identified a number of areas in which the survey respondents had less confidence in cloud computing. We were particularly interested to note that a number of these—such as exit strategies, longevity and credibility of suppliers, integration with internal systems and contract lock-in—very much speak to the need for an open, hybrid approach to cloud computing. That’s why we at Red Hat firmly believe that open and hybrid are essential elements of a cloud strategy, as we discuss in this whitepaper.
You might not always know it from the predictable breathless headlines one sees whenever there are reports of a provider’s service outage or security breach, but cloud security discussions are moving beyond the naïve “is it safe?” stage. They always have been, really, among knowledgeable security practitioners. They understand that cloud security is part of a broader IT governance discussion and that security exists in the context of the many tradeoffs that are always being made with IT systems. But those nuanced analyses are becoming more mainstream. And one of the important reasons this is happening is that organizations such as the CSA are helping to codify best practices and make them easier to consume.
Learn more about Red Hat’s work in the cloud computing space here.
October 10, 2012
No one is immune to the ever-changing technology forecast, but one constant (at least for the near future) appears to be global cloud cover. Cloud computing is arguably the most dominant theme on every enterprise’s IT list, but in Europe, it’s being met with some key challenges. The European Commission acknowledges that Europe must become more “cloud active” to stay competitive in the global economy, but public cloud adoption is fragmented and lags behind the US by some three to five years.
So what’s stopping cloud adoption in Europe? Major cumulative barriers to adoption include concerns surrounding legal jurisdiction and data security. Cloud computing and IT security companies know all too well that data privacy laws vary greatly around the world – a key challenge for global enterprises as they seek to adopt the cloud. Each country/geography they operate in has specific data regulations that must be met. And each country/geography in which they store and process data, which may be different from where they physically operate, also has specific data laws that must be followed. To complicate matters, these rules and regulations are very likely to change over time, particularly as technological advances emerge and government regulators fine-tune their policies.
In a recent study entitled “Cloud in Europe: Uptake, Benefits, Barriers, and Market Estimates” research firm IDC surveyed European business users and consumers. IDC’s research uncovered 12 key obstacles ranging from cloud data residency and security issues to slow performance and limited tax incentives for capital spending. But the majority of survey respondents (62.2 percent) cited four specific barriers, primarily related to data control:
1. Legal jurisdiction: Where does the service reside? Where does the data reside? What if I don’t want my data stored in a specific country?
2. Security and data protection: Who is responsible for security, data protection, and backups? What happens if something goes wrong?
3. Trust: How do I tell which services are reliable? Who guarantees data integrity and availability?
4. Data access and portability: Once I sign a contract, how much interoperability will I have? Can I interact with different services and move my data from one service provider to another?
Data control is the common denominator, and Europe must take steps to empower data controllers if it wants to maximize cloud adoption benefits. Those surveyed offer clear guidance on what the EU could do, including enacting specific rules on service provider accountability; guaranteeing application and data portability between services; implementing an EU-wide cloud security certification program; clarifying and harmonizing data residency and legal jurisdiction regulations; and fostering EU-wide standardization of cloud services.
These are great suggestions. But aside from regulatory policy changes that could take a long time to deliver, the group also states that demonstrated current success by peers and strong evidence of cloud benefits would greatly enhance adoption. A solution to these challenges that gives companies downstream flexibility is critical. This type of success is possible today with a cloud data protection gateway that allows European cloud users to control their data completely when using cloud SaaS applications – regardless of geographic location of the cloud service provider’s data centers. When researching gateways, keep the right questions about your data at top of mind:
- What sensitive data needs to remain private and protected?
- What level of protection is required?
- Who needs access to the data?
- What laws and jurisdiction govern information and are they likely to change over time?
Be sure to look for a solution that allows data controllers to configure their cloud systems with the appropriate data protection protocols that overcome the primary residency and security obstacles holding Europe back.
David Stott is senior director, product management, at PerspecSys where he leads efforts to ensure products and services meet market requirements.
October 9, 2012
by John Howie, COO, CSA
In many conversations with IT leaders today we discovered a common problem: they need a simple way to understand systems, processes, current policies and procedures, and to be able to evaluate how the cloud may help them realize lower IT security costs, improve best practices and, perhaps most importantly, communicate that to their management team. After all, a move to the cloud needs to be a strategic one.
Today at RSA Europe Microsoft announced a new free Cloud Security Readiness Tool that helps organizations better understand and improve their IT state, identify relevant industry regulations based on selected industries, and evaluate whether cloud adoption will meet their business needs. The tool can speed the assessment process of anyone considering cloud services.
The CSA Security, Trust and Assurance Registry (STAR) is our publicly accessible registry that documents the security controls provided by cloud service offerings. CSA STAR is open to all cloud providers, and allows them to submit self-assessment reports that document compliance to CSA-published best practices. The searchable registry will allow potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experiences. CSA STAR represents a major leap forward in industry transparency, encouraging providers to make security capabilities a market differentiator. CSA STAR currently contains 13 entries from 11 vendors. I encourage companies to go check out this tool to help assess the benefits of adopting a STAR service.
October 7, 2012
Rather than resist it, organizations should embrace Consumerization to unlock its business potential. This requires a strategic approach, flexible policies and appropriate security and management tools.
The Consumerization of IT is the single most influential technology trend of this decade. Companies are already well aware of it, as they wrestle with the growing influx and influence of smartphones, tablets, Facebook, Twitter and on and on. This “Bring Your Own Device” (BYOD) movement is very reminiscent of the early days of PCs in the late 1970s to early 1980s, when workers bought and brought their own Apple II or IBM PC to work to handle spreadsheets (using VisiCalc or Lotus 1-2-3 respectively) so they could get data processed immediately rather than wait in line for the IS department to process punch cards, tapes, or whatever else the I/O was. Ultimately, IS heads had to stop resisting and start accepting the PC wave, and you know the rest of that story.
While this new BYOD growth does bring risks, too many companies make the mistake of trying to resist the influx of consumer IT. So what are the solutions and best practices for a company to turn Consumerization into a competitive advantage?
One: Have a plan. Take a strategic approach to Consumerization and develop a cross-organizational plan. IT cannot do this in a vacuum and will have to engage executives, line of business owners (marketing, sales, HR, product development) as well as customers, partners, and internal early adopters. While planning to adopt new consumer technology, IT managers should survey their most innovative users to discover what devices and applications they like and what they find most useful in their work activities. In this way IT will pull from users’ experience rather than pushing IT views to their base.
Two: Say yes – but not to everything for everyone. Develop a set of policies that clearly define what devices and applications are considered corporate-standard (fully supported by IT) vs. tolerated (jointly supported with the user) vs. deprecated (full user liability). In addition, IT should profile the global workforce based on relevant attributes such as role, line of business and location. And then map technologies to user profiles and define SLAs for each intersection.
Three: Put the right infrastructure in place. Deploy appropriate IT tools specifically designed to secure and manage consumer technology in the enterprise. Be aware that while some solutions have already materialized along the lines of specific product segments (i.e., Mobile Device Management), no single vendor can provide one single solution covering all functional requirements across all platforms. As vendors enter the Consumerization space with solutions initially developed for adjacent product segments, most solutions tend to offer overlapping core functionality and tend to lack the cross-platform support critical to protect and manage the full spectrum of consumer technologies. Therefore, IT will have to integrate multiple offerings across different product categories: security solutions for Internet content security, mobile anti-malware and mobile data protection; Mobile Device Management tools for system provisioning and application management; and Telecom Expense Management providers for procurement, support and cost control of voice and data services.
Companies that are questioning whether or not to allow workers to bring personal devices into the workplace should just stop asking: It’s clear that you can get a competitive edge when you put the right precautions in place. The BYOD phenomenon gives companies that allow it a competitive advantage as it enhances innovation and creativity in the workplace while reducing overall costs for the entire organization. The key to not being overwhelmed by this trend is that all these devices need to be secured by implementing the proper BYOD policies and procedures.
The lack of a strategic approach to Consumerization creates security risks, financial exposure and a management nightmare for IT. Rather than resist it, organizations should embrace Consumerization to unlock its business potential. This requires a strategic approach, flexible policies and appropriate security and management tools.
Consumerization and BYOD are disruptive and inevitable. But many IT leaders are slow to realize it. Like dinosaurs of a previous IT era, they are headed for extinction.
[BIO] As Vice President of Mobile Security at Trend Micro, Cesare Garlati serves as the evangelist for the enterprise mobility product line. Cesare is responsible for raising awareness of Trend Micro’s vision for security solutions in an increasingly consumerized IT world, as well as ensuring that customer insights are incorporated into Trend solutions. Prior to Trend Micro, Mr. Garlati held director positions within leading mobility companies such as iPass, Smith Micro and WaveMarket. Prior to this, he was senior manager of product development at Oracle, where he led the development of Oracle’s first cloud application and many other modules of the Oracle E-Business Suite.
Cesare has been frequently quoted in the press, including such media outlets as The Economist, Financial Times, The Register, The Guardian, Le Figaro, El Pais, Il Sole 24 Ore, ZD Net, SC Magazine, Computing and CBS News. An accomplished public speaker, Cesare also has delivered presentations and highlighted speeches at many events, including the Mobile World Congress, Gartner Security Summits, IDC CIO Forums, CTIA Applications and the RSA Conference.
Cesare holds a Berkeley MBA, a BS in Computer Science and numerous professional certifications from Microsoft, Cisco and Sun. Cesare is the chair of the Consumerization Advisory Board at Trend Micro and co-chair of the CSA Mobile Working Group – Cloud Security Alliance.
*** Nominated “Top 10 Consumerization Thought Leaders” 2011 http://blog.matrix42.com/content/top-10-consumerization-thought-leaders-part-two
Cesare Garlati – Cesare’s daily duties as Senior Director of Consumerization at Trend Micro might have been enough to get him on this list, but his blog leaves no doubt. At BringYourOwnIT.com, Cesare writes about consumerization and everything else that’s causing disruption in IT. In a SC Magazine article earlier this year, Cesare suggested organizations approach consumerization in a tactical way: “(Embracing CoIT) is the optimal approach. Create a plan that spans the whole organization; say yes for some but not for everyone by determining a group of users and figure out what technology is allowed; and figure out what tools are needed and put the right infrastructure in place.”
- RSA Conference Europe 2012, October 9-11, 2012 – London, UK, “Smartphone Security Winners & Losers”
- Mobile 2.0 Conference, September 11, 2012 – San Francisco, CA, “Mobile Enterprise/Consumerization of IT”
- RSA Conference China 2012, August 28-29, 2012 – Chengdu, CN, “Smartphone Security Winners & Losers”
- DIRECTION EXPO 2012, August 7-8, 2012 – Tokyo, JP, “Mobile Security”
- European Association for e-Identity and Security, July 5, 2012 – Slough, UK, “Securing Mobile Devices”
- IET – Mobile Security Summit, June 20, 2012 – London, UK, “Security for Mobile Devices”
- Ingram Micro Cloud Summit, June 4, 2012 – Phoenix, AZ, “How secure is your smartphone?”
- BCS – The Chartered Institute for IT, May 16, 2012 – London, UK, “Consumer Mobile Technology in the Enterprise: A leap of faith?”
- Mobile Convention Amsterdam, May 8, 2012 – Amsterdam, NL, “Consumer Mobile Technology in the Enterprise”
- Tablet Strategy Conference, April 27, 2012 – New York, NY, “Secrets of a good corporate app”
- ISSA/AIPSI – Associazione Italiana Professionisti Sicurezza Informatica, April 5, 2012 – Milano, Italy, “Roundtable: Consumerization, Millennials and Mobile”
- Information Assurance Advisory Council, March 13, 2012 – London, UK, “Education and training in security awareness”
- Mobile World Congress 2012, February 27 – March 1, 2012 – Barcelona, Spain, Mobile Security Forum, “Consumer Mobile Technology in the Enterprise: A Leap of Faith?”
- IDC Enterprise mobileNext Forum, November 30 – December 1, 2011 – San Francisco, USA, “Mobility Management & Security – A Customer Panel”
- CTIA Enterprise Mobility Boot Camp, October 10-13, 2011 – San Diego, USA, “Consumerization Report 2011”
- Gartner Security & Risk Management Summit 2011, September 19-20, 2011 – London, UK, “Embrace Consumerization. Unlock Opportunity”
- Channel Link 2011, September 14-16, 2011 – Los Angeles, USA, “Embrace Consumerization. Unlock Opportunity”
- IDC CIO Summit 2011, July 28-29, 2011 – Singapore, “The Consumerization of IT: Embrace Consumerization, Unlock Opportunity”
- Mobile Computing Summit 2011, June 28-30, 2011 – San Francisco, USA, “Mobile Landscape Security Risks and Opportunities”
- Gartner Security & Risk Management Summit 2011, June 20-23, 2011 – Washington DC, USA, “Virtualization, Consumerization, Security: Three Worlds Collide?”
VIDEOS/PODCASTS – http://www.youtube.com/user/BringYourOwnIT
- RSA Conference 2012 – Podcast
- Mobile Convention Amsterdam 2012
- Mobile World Congress 2012 – Mobile Security Forum
- Consumerization and BYOD – What are the Security Risks?
- BYOD and Mobile Security: Remote working during the Olympics
- Video interview at CITE 2012 – Consumerization of IT in the enterprise
- Video interview at Mobile World Congress 2012 – Barcelona
- Financial Times Podcast – The downsides of bringing your own device to work
- Consumerization 101: How to bypass the iPad password in 5 seconds
- Embracing Consumerization in the Enterprise
- The Consumerization of IT – Trailer. Full video available upon request
“Mobile security fact: Android is the #1 mobile platform in the world. It is also the most vulnerable to attack – and in fact the most exploited.”
“Contrary to common perception, Apple mobile devices are not immune to security flaws. And in fact less secure than Android if users “jail break” their devices – a jailbroken iPhone is not a secure phone.”
“[Mobile] Consumer technology is sexy, convenient and easy to use. When it comes to security and data protection however, consumer technology still has a long way to go.”
“[There is a] total lack of education out there, especially in the consumer sector. The consumers need to be told that there is a real and serious threat in terms of security on your mobile phone and it’s an economical threat.”
“No matter what type of smartphone you own, you are in danger. Every single platform is exposed to this, no platform is immune. Some are safer than others, but none are immune.”
“The [security] problem [with mobile devices] is not with the phone itself breaking or being stolen, but with the data on the phone getting into the wrong hands – including bank details and passwords. By exposing your personal information, you are exposing yourself, your financial situation and your family situation.”
“[BYOD Bring Your Own Device] Besides preserving data security and managing a myriad of personal devices, companies must also consider a new set of legal and ethical issues that may arise when employees are using their own devices for work.”
“[BYOD Bring Your Own Device] Many employees don’t understand the implications of using their personal devices for work. Many companies don’t understand that they are in fact liable for the consequences.”
“Consumerization and Cloud are in fact two faces of the same coin: the epochal change of the role of corporate IT – from technology provider to technology broker.”
“Consumerization, BYOD and Cloud are disruptive and inevitable. But many IT leaders are slow to realize it. Like dinosaurs of a previous IT era, they are headed for extinction.”
“The lack of a strategic approach to Consumerization creates security risks, financial exposure and a management nightmare for IT.”
“Rather than resist it, organizations should embrace Consumerization to unlock its business potential. This requires a strategic approach, flexible policies and appropriate security and management tools.”
“My advice for organizations facing an increasingly consumerized IT world is to realize that Consumerization is happening and they can’t stop it – and in fact they shouldn’t. I strongly recommend our customers to embrace Consumerization to unlock its business potential.”
“Embrace [Consumerization] is the optimal approach. Create a plan that spans the whole organization; say yes for some but not for everyone by determining a group of users and figure out what technology is allowed; and figure out what tools are needed and put the right infrastructure in place.”
“Companies that are questioning whether or not to allow workers to bring personal devices into the workplace should just stop asking: It’s clear that you can get a competitive edge when you put the right precautions in place. The BYOD phenomenon gives companies that allow it a competitive advantage as it enhances innovation and creativity in the workplace while reducing overall costs for the entire organization. The key to not being overwhelmed by this trend is that all these devices need to be secured by implementing the proper BYOD policies and procedures.”
PRESS TALKING POINTS / CONTROVERSIAL STATEMENTS:
The dark side of BYOD: privacy, personal data loss and other bad things. Many employees don’t understand the implications of using their personal devices for work. Many companies don’t understand that they are in fact liable for the consequences. The things you always wanted to know about BYOD but were too afraid to ask.
How secure is your smartphone? Mobile Security facts: Android is the #1 mobile platform in the world. It is also the most vulnerable to attack and in fact the most exploited. Contrary to common perception, Apple mobile devices are not immune to security flaws. And in fact less secure than Android if users “jail break” their devices – to escape Apple’s suffocating control.
Consumerization is happening to corporate IT, rather than being driven by corporate IT. The business and the employees are dictating the IT agenda. Consumerization is therefore inevitable, but many IT leaders are slow to embrace it. Like dinosaurs of a previous IT era, they are headed for extinction.