issue 9 | 2012

from HP Enterprise Security

Is it a good idea to get your head in the clouds? As business turns to the cloud, we look at the major security issues.

The CIO’s guide to the cloud: why a risk-based approach is now essential // Page 6

Consumerization: how Europe’s top CISOs are dealing with this IT megatrend // Page 10

This month’s issue features the changing role of the CISO, insider threats, an interview with Canon, and more.

How vulnerable are you? Why the traditional approach to threat and vulnerability management is not enough // Page 8

The three-headed monster: the motives behind cyber crime, hacktivism, and cyber warfare // Page 14


Inform

Issue 9 | 2012

Published by HP Enterprise Security Services
Web: www.hp.com/enterprise/security
For enquiries about Inform, please contact hpinform@hp.com
Produced by: www.otmcreate.com
Edited by: www.pfanda.co.uk

If you would like to subscribe to Inform Magazine, please contact us at hpinform@hp.com

Inform magazine is a quarterly publication designed to give you a wealth of insight into current topics from key industry figures. It features contributors from all over the globe, covering many different industries and sectors.

Regular features in each issue include:

– Key thought leadership interviews with senior IT security professionals
– Current news and hot topics
– Practical “how to” guides
– Latest technology updates

And much more.

To view past issues, please visit issuu.com/hpenterprisesecurity

Subscriptions are complimentary for CIOs, CISOs, and IT security professionals. To subscribe please email hpinform@hp.com with your name, title, company, email address, and country location. Please include your postal address if you would like to receive a hard copy of the publication.


Contents

04 Insight
06 How CIOs should approach cloud security
08 How vulnerable is your business
10 The CISO view: dealing with consumerization
12 Working on the inside
14 Beware the three-headed cyber dragon
16 The changing of the guard
18 A security man who means business
22 Access management in the new information age
24 Creating clouds that protect your business
26 Dealing with disaster

Welcome

Summer passes into autumn, and the glorious memories of the Olympic and Paralympic Games start to fade. Yet for anyone lucky enough to have attended any of the events in London, I am sure the memory will live long in the mind.

It wasn’t just the superb display of sport and endeavor that the Games will be remembered for, however. Those attending were struck by the superb organization, friendly army of volunteers, and quiet efficiency of the security procedures to get through the perimeter into the Olympic Park itself. Although hundreds of thousands of people were processed each day, it all passed off cheerfully and quickly, with none of that sense of frustration you get at airport security lines.

CIO guide to the cloud: why a risk-based approach is just the start // Page 6

Of course, behind the scenes was a vast array of technology and specialists keeping all those inside the Olympic Park and Village safe. There was also the highly visible show of deterrence on the River Thames of the Royal Navy’s largest battleship just to back this all up.

Overall, this was a great model for security that unobtrusively and quietly does what it is supposed to in addition to being people-friendly. That should be the goal for all of us trying to design business-focused security into our enterprises. I think it’s a lesson for us here at HP Enterprise Security Services as we constantly look to innovate and enhance our security offering with our partners and on to our customers.

I believe this latest issue of Inform demonstrates our commitment to that goal with a mix of articles and features based on the latest information security theory. We take a look at how threat and vulnerability management (TVM) systems need to evolve if they are to meet the complex operating environment that faces modern enterprises.

Our feature (page 8) makes it clear that TVM needs to take into account the growing tide of consumer devices, the pressure from big data stacks, and reliance on cloud-based data. These systems need to do more than just passively monitor: They need to be proactive and operate in real time.

The changing of the guard: as super mobility dominates business, can the CIO and CISO evolve to meet the challenge? // Page 16

Related to TVM is the “insider threat”. Our feature (page 12) looks at how employees are prime examples of “smart people doing dumb things” when, in the course of their daily jobs, they sometimes put the security of the business in danger. It outlines four smart ways to deal with insider threats, and looks at the rise of social media pressures and malicious insiders.

No issue of Inform would be complete without our in-depth CISO interviews. In this issue we are delighted to share with you the thoughts of one of the UK’s most lively information security professionals. Quentyn Taylor is the director of information security, governance, and risk at Canon Europe. He explains how progressive security thinking brings unexpected rewards – it helps sell secure products to customers and improve internal security at the same time. Read more insight from Quentyn Taylor, starting on page 18.

We also look at how the roles of the CIO and CISO may well have to radically evolve if they are to survive in the new age of business computing – in what we have dubbed the “super mobile” age. Find out what the future is on page 16.

Dan Turner

VP Enterprise Security Services

Access management: the complexity of the modern enterprise means that new IAM solutions are needed // Page 22

If you would like to subscribe to Inform magazine, please contact us at hpinform@hp.com

The third-party views expressed in this magazine are those of the contributors, for which HP Enterprise Security accepts no responsibility. Readers should take appropriate professional advice before acting on any issue raised. Reproduction in whole or in part without permission is strictly prohibited. © 2012, Hewlett-Packard Development Company, L.P. All Rights Reserved.


4 HP Inform

HP Insights

Shifts in IT security remain a major concern for business executives. A proactive response is needed.

According to a new study from Coleman Parkes Research, commissioned by HP, nearly two-thirds of business and technology executives worry about understanding security requirements for cloud services as well as how to secure and consume big data.

However, the findings suggest that the problem is an education issue rather than a technology one. The majority of respondents said the biggest challenges regarding cloud stem from a lack of understanding of security requirements (62%) or procuring services without screening the service provider (55%). Looking ahead, two-thirds of respondents believe that cloud services can ultimately be as secure as their on-premises data centers.

The study also indicated that more focus is still placed on reactive security measures than on the more important area of proactive security measures. For example, more than half of respondents said time and budget spent on reactive security outweighs investments in proactive measures.

But organizations are at least moving in the right direction, with nearly three-quarters (71%) of senior business and technology executives surveyed reporting that their organization’s security leadership has a seat at the table with other C-suite executives.

Additionally, security intelligence is on the rise, with 82% of respondents indicating that they are exploring Security Information and Event Management (SIEM) measures; however, less than half (45%) currently have an information risk-management strategy in place, and 53% manually consolidate information risk-management reports or do not measure risk at all, which hinders their ability to proactively anticipate threats.

“Cybersecurity threats are growing exponentially, and without a proactive information risk management strategy, enterprise growth, innovation, and efficiencies are hindered,” says George Kadifa, executive vice president, Software, HP.

Download the full report: http://bit.ly/Pa8EpY


Issue number 9

5

HP Labs research looks to develop a federated cloud.

For the last two years, a team of engineers from HP’s Cloud and Security laboratory has been addressing the challenge of moving from a world of large but mostly independent cloud networks to a system that enables all those networks to easily, securely, and automatically interconnect.

The project, known as Scalable & Adaptive Internet Solutions (SAIL), is part of a consortium of 25 leading European telecommunication operators, technology vendors, and research institutions. It is funded by a €13m grant from the European Union.


“A lot of technology in cloud computing was created by quickly establishing something that works. That’s great, but it means we’ve often bypassed or avoided the hard problems,” says HP Labs lead researcher Paul Murray.

“Think of how telephony works. You dial a phone number with your local provider, and they automatically route it through all the providers needed to set up the call. We want to be able to do the same for cloud networks. Today, though, it’s as if I still had to first call every telecom provider between Bristol and China in order to have a conversation with one of my colleagues in Beijing,” says Murray.

As a result, cloud computing isn’t working nearly as well as it could, say the researchers. For example, enterprises might be able to connect to an external cloud provider such as Amazon to integrate a virtual private cloud, but they can’t do it automatically with flexibility or at scale – thus missing out on the efficiencies that a truly integrated cloud would offer businesses.

A major focus of the SAIL project has, therefore, been to research how different cloud systems can talk with each other, then seamlessly and safely connect, and then connect again to other networks in the same way.

“It’s a question of creating new infrastructure models that work better than before, and at the same time making sure that old systems will still work with the new. We call it cloud federation,” says Murray.

Download the full report: http://bit.ly/SkvG1Uw2v

Captions: HP’s engineers have been moving toward a world of interconnected clouds. Global cloud coverage will benefit from this interconnectivity.



How CIOs should approach cloud security

The promise of the cloud is undoubtedly appealing, but it does have inherent security risks. Reduced costs and enhanced flexibility and scalability help meet the demands of an accelerated market and competitively position your enterprise.

It is up to CISOs to implement effective cloud security measures

At the same time, your IT organization recognizes that cloud introduces a number of issues regarding security, data integrity, compliance, service-level agreements, and data architecture that must be addressed. Therefore, the adoption of cloud services is being tempered by a significant level of uncertainty. Enterprises are looking for assurances that they’re not adding risk to the business by leveraging the cloud. For many, moving to the cloud is still a leap of faith.

However, cloud security is not what you might think. Despite what is commonly reported in the industry press and other media, many cloud security incidents are actually previously known issues with web applications and data hosting – but at a greater scale and frequency due to early adoption of new cloud services. This is not to say that these incidents are not “real” or important – they are. The point here is that there is nothing inherently cloud-related that caused these incidents to occur.

It should be noted, however, that most clouds are shared, whether between programs, organizations, or communities. Companies using cloud need to understand that they are consuming a shared resource and must, therefore, select the service that provides the levels of security and service that they need.

As with most security challenges, technical solutions are only part of the puzzle. What is needed is a well-rounded approach. HP recommends the following broad steps as part of a cloud security program:

– Establish a risk-based approach
– Design (or convert) applications to securely run in the cloud
– Implement ongoing auditing and management
– Assess infrastructure (and platform) security during service sourcing

First, a risk-based approach is necessary to fully understand the risk impact of moving chosen applications and data (assets) to a particular cloud deployment model and service model. This assessment must be undertaken from a viewpoint of how it affects the entire enterprise.

HP believes that the primary objective of a risk-based approach is to help an enterprise move from a reactive to a proactive stance for enterprise security, with the end goal of measurably reducing business risk. HP has developed a risk-based methodology – assess, transform, optimize, manage, or “ATOM” – which helps enterprises achieve these goals:

First, we assess your risk tolerance profile, compliance requirements, operational requirements, organizational capabilities, and resources. We typically do this within short HP Cloud and HP Security Discovery Workshops.




We then look to transform your environments. We structure and prioritize security issues and undertake remediation projects with you.

Next, we optimize the environment and also broaden your level of security awareness. Our experts proactively recommend operational and process improvements that can deliver an optimized security and risk posture.

Finally, we manage security transformation programs that deliver security in the most effective way for the enterprise, adopting proven security technologies and flexible sourcing models.

Second, many existing applications were not designed to run in a potentially hostile environment. The dynamic behavior and public environment of cloud implicitly require that data and applications be self-defending; in other words, they need to be able to protect themselves. This means that application developers need to adopt an information-centric approach to securing critical applications and data by focusing on the “CIA triad” of confidentiality, integrity, and availability. Ideally, the best time to architect this is during the requirements and design phase of a new system.

Developing applications with security already designed in dramatically reduces the risk of vulnerabilities and produces solutions that have greater security assurance at lower cost. By addressing new attack surfaces early in the design cycle with a security requirements analysis, security maintenance and remediation needs are reduced during the testing and operational phases.

Third, a dynamic cloud-based services environment needs continual and ongoing audit and compliance management. A traditional regime of annual or monthly audits becomes meaningless in an environment that changes completely on a daily or hourly basis. The dynamic provisioning and deprovisioning of resources is a key part of the cloud value proposition and business model. This makes automation of operational monitoring, continuous audit, and compliance reporting essential in this dynamic environment. To comply with policy and legislation such as the EU Data Protection Directive, GLBA, HIPAA, and export compliance controls such as ITAR, enterprises require continuously running audit and compliance monitoring.

Continuous monitoring is also crucial for enabling forensic examination and analysis if a security breach or disclosure occurs. This information must be available in real time to facilitate rapid response, notification, and containment measures. We recommend our HP Secure Boardroom, which provides a single, graphical executive-level dashboard of enterprise security status that aligns information security at a corporate level. This tool provides real-time views of current security events and improves control of security projects, audits, budgets, and performance.

Finally, the use of cloud services significantly alters an enterprise’s ability to exert strict controls over infrastructure, storage, and network security measures. Enterprises should conduct rigorous due-diligence assessments of the selected service providers’ infrastructure security policies as part of service sourcing and contract negotiations. This shouldn’t deter you from seeking a security partner; you simply need to ensure that they take the time to hear what you have to say, can deliver the full package you need, and want you to succeed.

There is no doubt that security is a growing challenge, especially as enterprises make the move to cloud-based options. But security can also be a promising technology tool by which enterprises will achieve end results. To make the most of it, you can’t go it alone.

HP experts work with your leadership team to build a multi-year plan for success, and help develop a better line of sight between IT security investments and your business results. Done right, enterprise security can play a major role in enabling enhanced growth, increased productivity, and practical innovation – the primary business outcomes that today’s CIOs want to achieve.



How vulnerable is your organization?

Effective threat and vulnerability management lies at the heart of an information security strategy. But what are the best practices and strategies? And does the industry sector make a difference to how you apply those strategies?

(Figure: Inventory, Analysis, Strategy)

Without an effective threat and vulnerability management strategy, it’s hard to deliver efficient and business-focused security. To establish such efficiencies, business leaders need to engage three elements: a complete asset inventory, a threat and vulnerability analysis, and then a (revised or modified) vulnerability management strategy.

Data lies at the heart of any organization; in fact, analysts such as Forrester refer to “data architecture” rather than more traditional IT architectures. To undertake a robust and coherent data asset inventory, you need to determine where your information and data assets reside across the business.

In the age of virtualization and cloud computing, this is not as easy as it used to be. Business-critical data can be spread far and wide and is sometimes duplicated or residing on unauthorized virtual machines. The challenge is finding the tools and expertise to audit this disparate data, and assess its vulnerability and threat exposure through a risk-based inventory process.

However, any inventory also needs to look at infrastructure and architecture, as well as the data residing across it. And the process can – and should – be intelligent and automated as much as possible.
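What an automated, continuous inventory check looks like in practice, serving both this paragraph (unauthorized virtual machines turning up in a data inventory) and the cloud article’s point on page 6 that annual audits are meaningless when resources are provisioned and torn down hourly. This is an added example, not code from HP, Inform, or any HP product. The asset identifiers, the attribute names (owner, encrypted, data_class), the policy rules and the two snapshots are constructed for illustration; in a real estate the snapshot would come from the cloud provider’s inventory API or a CMDB export and the check would run on every change event rather than once a year.

```python
"""Continuous inventory and compliance check over cloud asset snapshots.

Added example (not HP or Inform code). The baseline, the attribute names
(owner / encrypted / data_class) and both snapshots are constructed here;
in practice a scheduled collector would pull the snapshot from the cloud
provider's inventory API or a CMDB and run audit() on every change event.
"""
from typing import Dict, List, Tuple

Attrs = Dict[str, object]
Finding = Tuple[str, str, str]  # (kind, asset id, detail)

# Approved baseline (constructed): what change control signed off.
BASELINE: Dict[str, Attrs] = {
    "vm-web-01":      {"owner": "web-team", "encrypted": True,  "data_class": "public"},
    "vm-db-01":       {"owner": "dba",      "encrypted": True,  "data_class": "pii"},
    "bucket-exports": {"owner": "finance",  "encrypted": True,  "data_class": "pii"},
}

# Snapshot taken when the estate matched the baseline (constructed).
SNAPSHOT_T1: Dict[str, Attrs] = {k: dict(v) for k, v in BASELINE.items()}

# Snapshot an hour later (constructed): someone cloned the database into a
# temporary VM with no owner tag, and disk encryption was switched off on vm-db-01.
SNAPSHOT_T2: Dict[str, Attrs] = {
    "vm-web-01":      {"owner": "web-team", "encrypted": True,  "data_class": "public"},
    "vm-db-01":       {"owner": "dba",      "encrypted": False, "data_class": "pii"},
    "bucket-exports": {"owner": "finance",  "encrypted": True,  "data_class": "pii"},
    "vm-tmp-42":      {"owner": "",         "encrypted": False, "data_class": "pii"},
}


def policy_violations(attrs: Attrs) -> List[str]:
    """Rules every asset must satisfy regardless of what the baseline says."""
    problems: List[str] = []
    if not attrs.get("owner"):
        problems.append("no owner")
    if attrs.get("data_class") == "pii" and not attrs.get("encrypted"):
        problems.append("pii stored unencrypted")
    return problems


def audit(snapshot: Dict[str, Attrs], baseline: Dict[str, Attrs] = BASELINE) -> List[Finding]:
    """Compare one inventory snapshot against the approved baseline and the policy.

    Returns an empty list when nothing has drifted; otherwise one finding per
    unapproved asset, missing asset, changed attribute, or policy breach.
    """
    findings: List[Finding] = []

    # Assets that exist but were never approved (e.g. unauthorized virtual machines).
    for asset in sorted(snapshot.keys() - baseline.keys()):
        findings.append(("unapproved", asset, "not in approved baseline"))

    # Approved assets that have disappeared (decommissioned or moved without record).
    for asset in sorted(baseline.keys() - snapshot.keys()):
        findings.append(("missing", asset, "approved asset not found"))

    # Approved assets whose security-relevant attributes have drifted.
    for asset in sorted(snapshot.keys() & baseline.keys()):
        for key, expected in baseline[asset].items():
            actual = snapshot[asset].get(key)
            if actual != expected:
                findings.append(("drift", asset, f"{key}: {expected!r} -> {actual!r}"))

    # Policy is evaluated on every asset, approved or not.
    for asset in sorted(snapshot):
        for problem in policy_violations(snapshot[asset]):
            findings.append(("policy", asset, problem))

    return findings


if __name__ == "__main__":
    for label, snap in (("T1", SNAPSHOT_T1), ("T2", SNAPSHOT_T2)):
        print(f"snapshot {label}: {len(audit(snap))} finding(s)")
        for kind, asset, detail in audit(snap):
            print(f"  [{kind}] {asset}: {detail}")
```

The check separates two questions that a once-a-year audit blurs together: has the estate changed from what was approved (drift and unapproved assets), and does anything in the estate breach policy right now, whether it was approved or not. The second pass is what catches a PII-bearing clone that never went through change control; the first is what gives the forensic timeline the cloud article asks for, because every finding carries the attribute before and after.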

Contemporary threats

Today, a threat to the sustainability of the enterprise can consist of a mixture of threats. It is important that a threat and vulnerability audit and subsequent management strategy takes account of the rapidly changing nature of threats to the enterprise. This is on top of more traditional and more controllable threats such as careless insiders, compliance demands, vulnerable and aging IT infrastructures, or “conventional” malware.

A CIO must take into account the growth of sophisticated phishing techniques, targeted attacks, and the emergence of advanced persistent threats (APTs). In an APT, malware can lie undetected for months, stealing IP and other sensitive data directly from the most sensitive parts of the enterprise. At the same time, there is the growth of “hacktivism”. This is where businesses are attacked by politically motivated hackers intent on damaging a business for a particular cause.

Different business sectors need different approaches

Business threats exposed by vulnerabilities in information architectures are no longer a matter just for the CIO or CISO of an enterprise – and certainly not just for the IT department. Threats are detectable right across the business and involve people and policies as much as technology, and this is fundamental to any TVM audit exercise.



Hacktivism is an increasing threat to any company today

TVM intelligence should be gathered through independent discussions with senior business managers, departmental heads, regulatory bodies, and third-party stakeholders. It should take a range of factors into account, such as competitor analysis, geopolitical threats, and information security strengths and weaknesses across the business. The needs of different business sectors and company cultures must also be considered when performing a TVM business audit.

The enterprise threat model

There are more sophisticated TVM tools that can detail and break down the different threats facing the business, the target of attack, and monitoring/mitigation techniques. These threat models will differ by vertical industry and also potentially by business unit for larger, multisite enterprises.

These threat models should be shared between enterprises (collaboration is key) and with suppliers to align all of the intelligence and resources needed to help make critical assets more secure. The goal is to be able to confidently answer the CEO’s questions: “Who is attacking us? Why? And how can we defend against this?”

Some questions to consider

Does the business condone the use of social media for employee use and/or business use, such as marketing? By engaging social media, CISOs need to ensure that policies and rules are agreed so that data and information do not slip out unauthorized through these channels.

Does the business have an effective Bring Your Own Device policy? Effective BYOD policies should include efficient measures to protect corporate data and must include checks to verify that opportunities for information leakage or damage are controlled.

Do employees bring in their own devices regardless of any policy? If they do, the business must have detection controls in place to ensure data is protected and the use of personal equipment is controlled to acceptable levels.

Does the business hold large amounts of personal data such as customer financial details? Bulletproof controls and policies are needed to protect this most sensitive of information against theft and leakage.

Does the business use the cloud for data storage and services provision – for example, cloud-based sales tools?

Does the business need to comply absolutely with national and international governance laws? Fines and other penalties make rigid adherence to such laws compulsory through policies and TVM solutions.

Caption: Employees that bring in their own devices can put company data security at risk.

Could the business be deemed at risk from politically motivated hackers because of its sector or line of business, or even its customers’ line of business? A risk assessment across the business may determine this and needs ongoing review.

Does the business play a role in national infrastructure or defense services? Although such businesses should already be well policed, regular risk assessments are needed to determine ongoing vulnerabilities.

Resources

HP Enterprise Security Services Threat & Vulnerability Management Fact Sheet: http://bit.ly/v2/GetPDF.aspx/4AA4-0799ENW.pdf



The CISO view: dealing with consumerization

As part of our commitment to listening and responding to the business security concerns of European enterprises, we have hosted a number of dinners where CISOs are able to discuss these concerns with their peers in a relaxed and open manner. Here we report on some of the findings and recommendations from recent gatherings in London, Frankfurt, Zurich, and Stockholm, where consumerization was on the agenda.

An overriding conclusion from the discussions is that consumerization remains firmly at the top of the CISO’s agenda and is relevant to all businesses independent of size and industry – and it’s not going away. However, the extent to which CISOs are dealing with it varies considerably, and responses suffer from lack of focus and scarcity of robust intelligence on the subject.

CISOs find themselves under pressure from other business leaders who, attracted by the cost benefits, are keen to adopt consumerization as fast as possible. Businesses across Europe have consumerization driven from the top and bottom of the enterprise as employees and business leaders seek to bring their own devices into the workplace.

Within some markets, consumerization brings unexpected complications as workers’ councils and trade unions can legally demand that strict regulations be applied to the introduction of any new IT services. The challenge here is for consumerization and BYOD to be implemented to comply with legislation that, for example, stipulates that workers only work during defined working hours. Some manufacturers have to block employee use of email during non-working hours.

Meanwhile, SMBs have so little in the way of IT resources that they simply have to focus on keeping the infrastructure functioning rather than regulating consumerization and BYOD. The result is that it happens by accident rather than design.

Are you losing the battle with your employees?

We have known for some time that consumerization is a very real threat to the security and stability of businesses. Yet there remains a concern that some CISOs are failing to grasp the urgency and importance of this and have not put in place systems to effectively manage data.

But this is a major shift in computing, and it’s not surprising to learn that CISOs feel unable to keep up with the pace of technology change. They feel that the proliferation of tablet devices (Android, iOS, Windows 8) and the lack of real business intelligence about new technology trends are making accurate risk-based decisions increasingly difficult.

There are some short-term solutions. Third-party suppliers of mobile device management (MDM) solutions are likely to be popular as CISOs look for off-the-shelf solutions. But in the long term, risk-based data intelligence tools are also needed.

It is clear that more sophisticated and organic technical solutions, as well as secure business policies, are needed across the board. One such area is security analytics, something that HP is investing heavily in to assist CISOs dealing with consumerization and other technology shifts.

With enterprise data spread far and wide and held on consumer devices, knowing where that data is and what is happening to it in real time is crucial. Security analytics are risk-based and able to address the two key challenges of consumerization in the enterprise:

– Vulnerability and threat management
– Identity and access management (IAM)

There is concern that viable technical solutions for consumer devices themselves are still some way off. Sandboxing, where business data is kept separate from personal data on the device, provides a degree of protection for business data. But there remains a fear that savvy users will find a way to circumvent the sandbox if they feel their experience is skewed or hindered, according to some CISOs.

Getting the security message across

As mentioned, many CEOs and CFOs are keen to adopt consumerization and BYOD policies for the business advantages they perceive they can deliver: lower purchase and support costs, happier employees less likely to lose devices they have invested in, and a more attractive place to work.

CISOs need to do two things:

– Understand the business case and position themselves to lead the implementation of consumerization
– Drive forward the security message so that the business understands the data and access management risks of consumerization and plans accordingly for the implementation



CISOs need to be proactive and ensure they are seen as business enablers who can deliver on the desired commercial advantages of consumerization. But they also need to make plain that consumerization brings with it a number of challenges that may affect the actual level of budgetary advantages.

Some questions to consider

– Although the business can escape the device purchase costs, what are the actual liabilities of employee-purchased devices used for the business?
– What about support costs – does the employee take ownership of this, too?
– Traditional lifecycle management models are redundant – so how do you manage upgrades and replacement of employee-owned devices?
– What are the legal implications of data losses incurred on a consumer device? Would the business be liable for damages if third-party data was lost?

The six steps to managing consumerization

CISOs are under huge pressure to deliver on consumerization, and we don’t yet know the full implications for business. However, to repeat, it’s a trend that will only increase exponentially – which is why CISOs cannot ignore it. The six steps below are a guide to preparing for adoption in the enterprise.

1 Accept that it is happening
A head-in-the-sand approach won’t cut it. You have to accept that this is happening even if you don’t yet see significant numbers of devices in the workplace.

2 Plan for adoption
This is crucial to the successful adoption of consumerization. You need to liaise with other parts of the business if this is going to work. This will include other C-suite members, especially the CIO and HR director.

3 Know your sector and costs
Your industry sector greatly affects the speed and acceptance of consumerization, as does job type and role. Factor this in when planning for consumerization.

4 Put policies in place – decide who gets what, when, and how
You need to rewrite the security and IT policies to accommodate consumerization. This means developing a set of policies that define those devices, applications, and working practices.

5 Consider security analytics to protect consumerized data
Consumerization is largely a shift in technology ownership and processes. But at its heart remains the need to protect data at rest and in transit, and to know what is happening to it in real time.

6 Embrace change
Don’t try to fight social trends – the merging of personal and work functions and the disruptive pattern of work is here to stay and is a global trend. Be open to new ideas, new technologies, and applications.

Resources

Video: Sukhi Gill, Fellow and EMEA chief technologist, HP Enterprise Services, discusses the topic of “Consumerization & the Enterprise.” http://bit.ly/KBXO6Q

HP Security Analytics: http://bit.ly/personal/mcm/SecurityAnalyticsDataSheetFINAL.pdf

The cost and benefits of BYOD: http://bit.ly/PA4oQf

White paper: How to plan for consumerization: the seven steps. http://bit.ly/NeZHuk

A secure approach to consumerization: http://bit.ly/V2/GetPDF.aspx/c03229083.pdf



Working on the inside

Security threats often come from outside sources, but there are a growing number of threats from within the organisation, too.

Security threats often come from outside sources, but there are a growing number of threats from the inside, too. These include careless handling of data by employees right up to malicious insiders seeking to damage the business from the inside. How security-conscious is your workforce?

The phrase “know your enemy” is particularly appropriate for information security. The more you know about the motives and actions of those that seek to harm your business through cyber attacks, the better prepared you can be.

However, the insider threat is potentially the most damaging and hardest to defend against. It demands that enterprises look beyond the traditional technology controls to process, behavior, and motivation. Classifying employees and partners is as important as classifying data. Searching for and monitoring anomalous behavioral patterns is where enlightened organizations are investing, and the tools to do this are available.

There is no patch for people

Although IT hardware can be made as watertight as possible through software patches and hardware updates, those using the systems are far harder to modify. Your employees are prime examples of “smart people doing dumb things.” For example, they can be relied upon to take short cuts, download data they shouldn’t, create unauthorized virtual machines, or click on malicious links in emails – to name but a few.



More worrying is the malicious insider. These can be categorized as a disgruntled employee seeking to harm the business, a criminally motivated employee, or one secretly working on behalf of a criminal gang or competitors. Today you can add to that list the “politically” motivated employee seeking to expose the business for what they singularly judge to be unethical behavior by leaking assets to the press or social media. These are all very real threats.

A recent case involving two of South Korea’s high-tech giants illustrates how employees are also quite capable of stealing intellectual property – the crown jewels of most businesses. According to news reports, Samsung accused its rival LG of using insiders working on its behalf at Samsung to steal details of OLED technology – said to be the future for flat screen TVs. According to the reports, 11 people, including executives from LG, were indicted on charges of leaking or taking core display technology from Samsung. Six other suspects involved in the incident were former or current researchers at Samsung Mobile. LG denies any wrongdoing.

The rise of business-focused services such as LinkedIn presents new and surprising dangers. A recent case in the UK demonstrates this. A court ordered that a former employee who resigned to start his own consulting business turn over all his LinkedIn contacts to his former employer, along with proof that he did not use them as clients. The case suggested that LinkedIn contacts belong to the company, not the employee, although this remains a point of legal dispute. However, the potential for damage is there: How do you monitor how employees use LinkedIn and other social media, particularly after employment is terminated? Employers need to realize the impact of the fully open nature of such networks – where individual details and information are routinely shared – and put in place enforceable policies and controls.

Managing the insider threat with security intelligence tools

There are four key steps to mitigate insider threats. Driving all these is the need for effective monitoring of employee activity and data flows, and the ability to create alerts for suspicious activity.

1 Manage data assets

You cannot begin to protect the business from insider (and external) threats if you do not understand the importance and topology of your data sets across the business. These include any data sets held outside in cloud clusters or with other third parties. Therefore, a 100% audit of data assets is required, using data management and auditing tools.

2 Monitor employee activity

To protect against employee error and malicious activity, systems need to be incorporated that can identify employee and data interaction. These actions need to be recorded: identity of employees, time spent with data, and volume of data transactions. For example, if an employee was spending large amounts of time accessing data that was out of his or her normal sphere, this would raise an alarm. Advanced access management should be able to provide context to behavior. For example, it should allow for special projects or temporary shifts in employee roles and prevent false positives.

3 Integrate employee risk management into the business

Employees are the key asset of any business, and employee behavior is not just a matter for the security function. Any systems and subsequent behavioral data need to be shared with the board and key staff such as the COO and HR director. Although effective access management and employee risk programs should prevent incidents, the wider human function would be to understand why employees behave the way they do. Why do they seek shortcuts, and why do they download data to USB sticks? Looking at the patterns from employee risk programs and monitoring should help secure more efficient data usage. Employees generally just want to get their job done. By integrating people risk into the business and analysing historical behavior, risk profiles can be applied to employees across the enterprise.

4 Focus on the malicious insider

Although employee error can cause unwanted data incidents, the malicious insider presents the more dangerous risk to the organization. If the first three steps are taken, malicious activity will be rendered transparent. Those accessing data assets without any technical or role justification borne out by step two will instantly raise a red flag. After malicious activity is defined, security leaders can monitor activity to learn potential motives or shut down access and activity instantly.
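The monitoring logic that steps 2 and 4 describe, as an added example written for this page rather than code from HP or the article: each access record carries who, which data set, how long and how much; a role's normal sphere of data sets is the baseline; sanctioned exceptions (special projects with a time window) suppress false positives; everything else is flagged for review. All roles, thresholds and log records are constructed for the example.

```python
"""Insider-threat monitoring over constructed access-log records.

Flags three things the article calls out: access to data sets outside
the employee's role sphere, a daily read volume far above the role's
norm, and sustained time spent outside the role sphere.  Accesses that
fall inside a sanctioned exception window (a special project or a
temporary role shift) are not flagged.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    user: str
    role: str
    dataset: str
    when: datetime
    duration_min: int   # time spent in the data set
    bytes_out: int      # volume read or exported


# Step 1 proxy: the data sets each role normally works with (constructed).
ROLE_SCOPE = {
    "hr": {"hr-records", "payroll"},
    "engineer": {"source-code", "build-artifacts"},
    "sales": {"crm", "price-list"},
}

# Constructed per-role daily volume baseline (bytes) and the alert multiplier.
ROLE_DAILY_VOLUME = {"hr": 50_000_000, "engineer": 500_000_000, "sales": 20_000_000}
VOLUME_MULTIPLIER = 3
SUSTAINED_OUT_OF_SCOPE_MIN = 120

# Sanctioned exceptions: (user, dataset, start, end) for special projects.
EXCEPTIONS = [
    ("bob", "price-list", datetime(2012, 6, 1), datetime(2012, 6, 30)),
]


def is_sanctioned(ev: AccessEvent) -> bool:
    """True when an exception window covers this user, data set and time."""
    return any(u == ev.user and d == ev.dataset and s <= ev.when <= e
               for u, d, s, e in EXCEPTIONS)


def detect_insider_anomalies(events):
    """Return sorted (user, reason, detail) alerts for the given events."""
    alerts = []
    volume_by_user_day = defaultdict(int)
    out_of_scope_minutes = defaultdict(int)
    role_of = {}
    for ev in events:
        role_of[ev.user] = ev.role
        volume_by_user_day[(ev.user, ev.when.date())] += ev.bytes_out
        in_scope = ev.dataset in ROLE_SCOPE.get(ev.role, set())
        if not in_scope and not is_sanctioned(ev):
            alerts.append((ev.user, "out-of-scope-access",
                           f"{ev.dataset} at {ev.when:%Y-%m-%d %H:%M}"))
            out_of_scope_minutes[ev.user] += ev.duration_min
    # Volume is judged per day against the role's baseline, so a large but
    # normal engineering read does not trip the alarm.
    for (user, day), vol in volume_by_user_day.items():
        baseline = ROLE_DAILY_VOLUME[role_of[user]]
        if vol > VOLUME_MULTIPLIER * baseline:
            alerts.append((user, "volume-spike",
                           f"{vol} bytes on {day} vs baseline {baseline}"))
    for user, minutes in out_of_scope_minutes.items():
        if minutes >= SUSTAINED_OUT_OF_SCOPE_MIN:
            alerts.append((user, "sustained-out-of-scope",
                           f"{minutes} min outside role sphere"))
    return sorted(alerts)


def run_example():
    """Constructed log: one sanctioned exception, one expired one, one insider."""
    events = [
        AccessEvent("alice", "hr", "hr-records", datetime(2012, 6, 12, 9, 0), 30, 2_000_000),
        # bob's price-list work is a sanctioned special project in June ...
        AccessEvent("bob", "engineer", "price-list", datetime(2012, 6, 15, 10, 0), 20, 1_000_000),
        # ... but the same access in July falls outside the window.
        AccessEvent("bob", "engineer", "price-list", datetime(2012, 7, 3, 11, 0), 15, 500_000),
        # carol (sales) spends a late evening in source code and pulls 70 MB.
        AccessEvent("carol", "sales", "source-code", datetime(2012, 6, 15, 22, 30), 90, 40_000_000),
        AccessEvent("carol", "sales", "source-code", datetime(2012, 6, 15, 23, 30), 45, 30_000_000),
        # dave reads a lot, but it is his own role's data within the baseline.
        AccessEvent("dave", "engineer", "source-code", datetime(2012, 6, 15, 9, 0), 480, 400_000_000),
    ]
    return detect_insider_anomalies(events)


if __name__ == "__main__":
    for user, reason, detail in run_example():
        print(f"{user:6} {reason:24} {detail}")
```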

Resources

UK court orders ex-employee to hand over LinkedIn contacts
http://bit.ly/PLoaU

HP ArcSight Security Intelligence
http://bit.ly/OpJd6L

HP Intelligent Management Center User Access Management Software
http://bit.ly/Q1X9jk

HP Security Intelligence and Risk Management
http://bit.ly/QPBKZB



Beware the three-headed monster

Businesses face three significant threats to the security of corporate data and information, but the attacks, methods, and motives vary widely.

Cyber attacks against businesses are a fact of life, and the number of attacks is increasing. What not so long ago might have been considered a nuisance level of attacks against businesses has grown into a threat to national security. In June 2012, Jonathan Evans, the head of the UK’s intelligence service MI5, said that attacks against UK industry had reached “astonishing” levels. “There are industrial-scale processes involving many thousands of people lying behind both state-sponsored cyber espionage and organized cyber crime. Vulnerabilities in the Internet are being exploited aggressively not just by criminals but also by states,” he said.

The same can be said for other major economies across the world. So who is behind these attacks and what drives them?

1 Cyber crime

By far the biggest threat to any business is from hackers working alone, although there is an increasing threat posed by organized crime groups simply interested in stealing information and data for monetary gain. While it is hard to quantify exactly how much money is lost globally by businesses and consumers, a number of reports have been compiled discussing the effect on the bottom line of businesses. One such report, produced by ArcSight, an HP company, uses an annual survey of the cost of cyber crime to US business. In the most recent survey (2011), its three key findings were:

“Cyber crimes can do serious harm to an organization’s bottom line. The median annualized cost of cyber crime for 50 organizations in the study is $5.9 million per year, with a range of $1.5 million to $36.5 million each year per company. This represents an increase in median cost of 56% from the first cyber cost study (2010).”

Cyber attacks have become common occurrences. The companies in the study experienced 72 successful attacks per week, and there was more than one successful attack per company per week. This represents an increase of 44% from last year’s successful attack experience.

The most costly cyber crimes are those caused by malicious code, denial of service, stolen devices, and web-based attacks. Mitigating such attacks requires enabling technologies such as SIEM and enterprise governance, risk management, and compliance (GRC) solutions.

Elsewhere, Group-IB, a Russian cyber crime investigation and computer forensics firm, put the global cybercrime market at $12.5 billion in 2011 – $2.3 billion of which it said came from the Russian national cyber crime market, up from $1.2 billion in 2010.

Source of cyber crime

The majority of organized cyber crime gangs originate in the US, Eastern Europe, and China, although most nations will now have some level of cyber crime. There is little research available as to how these groups operate in detail, but there are some patterns. Eastern European gangs tend to favor targeting financial information and Western financial organizations. Chinese gangs seem to be more interested in stealing intellectual property. But that doesn’t mean that both parties are not involved in both kinds of activity.

The actual structure of such gangs is thought to be loose but represents an online version of how street gangs and “foot soldiers” operate in the real world. Junior members do the dirty work on the streets and pass the profits up the chain. The difference is that online criminals tend to work alone and may never encounter their “affiliates” or bosses, or even be aware that they are working for a gang.

It is known that the “street” concept works in illegal online forums where credit card details and other financial data are actively traded among cyber criminals – complete with recommendations and descriptions of the personal details for sale. Law enforcement agencies such as the FBI infiltrate these sites by posing as cyber criminals. In 2008, the FBI even set up its own forum called Darkmarket, a sting operation to snare thousands of cyber criminals.



2 Hacktivism

The kind of people who operate at the sharp end of malicious cyber activity tend to be drawn from the same social group – young, male outsiders who happen to be attracted to computers and hacking in particular. A trawl of the Internet will reveal a maze of underground hacking groups whose motives are hard to determine behind a rash of semi-revolutionary slogans and calls to action.

According to Wikipedia, “Hackers could also gain credibility by being affiliated with an elite group. The names of hacker groups parody large corporations, governments, police, and criminals and often used specialized orthography.”

Some of these groups exist to encourage malicious activity as a way of proving hacker credentials among the hacking community. Others see hacking as a means to keep the Internet “free” from big business and government. It’s from this that a new cyber threat has emerged in recent years – the so-called “hacktivist” groups, the most famous of which are the groups Anonymous and LulzSec.

These groups see themselves as a kind of online freedom fighters and will attack businesses not for financial gain but to right some perceived wrong – thereby attracting young, idealistic, and impressionable people. And while they may not want financial gain, they can do a lot of damage. For example, Anonymous led a series of denial-of-service attacks against Visa, MasterCard, and PayPal after the payment services withdrew services from the whistleblowing site WikiLeaks.

Those behind Anonymous will often claim that their actions are justified and that they are only interested in Internet freedom and democracy. But the tactics and methods they use are the same as cyber criminals’ – just as illegal and just as destabilizing to business. Their self-determination, unwavering commitment, and self-righteous stance put them not far from the modus operandi of terrorist groups – and to many businesses, this makes them almost as much of a threat.

Although a string of arrests among Anonymous and LulzSec members seemed to stem attacks in 2012, new groups have recently sprung up vowing to carry out further attacks.

3 Cyber warfare

The emergence of cyber warfare represents perhaps the most disturbing trend for information security experts to deal with in recent years. It involves powerful state actors willing to develop and use highly sophisticated cyber weapons in acts of warfare and as part of clandestine operations to destabilize nations and critical businesses such as banking in peacetime.

Defense experts see cyber as the “fifth front” in future wars. US government security expert Richard A. Clarke, in his book Cyber War, defines “cyber warfare” as “actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption.”

This rapidly moved from concept to reality when the Stuxnet computer worm was discovered in 2010. Its sole purpose was to disrupt the Siemens machinery used by Iran as part of its nuclear development program. The damage that Stuxnet did was enough to set back the program by at least a year. Though never officially admitted, security experts believed that the US and Israel were behind the development of the worm. Although this was a targeted attack, the worm escaped into the wild and damaged Siemens machinery in other parts of the world, including India.

Although the Stuxnet incident may have not been a threat to most businesses, the willingness of nation-states to develop and use cyber weapons means that all businesses are now threatened.

To underline the point, 2012 saw the emergence of the Flame virus, which was seemingly designed to damage the Iranian oil industry but could also pose a threat to other industries around the world. Like Stuxnet, Flame is believed to have been created by state actors.

Hostile states will use cyber weapons for industrial espionage and, in the event of full hostilities, to potentially disable critical infrastructure. This means targeting, for example, supermarket supply chains, transport networks, and telecommunications. CISOs working in these industries need to be aware that hostile actors will already be probing their networks looking for vulnerabilities and attack routes. Cyber warfare may be in its infancy, but there is no doubt that it has arrived.

Resources

ArcSight Cost of Cyber Crime Survey
http://bit.ly/pftNlW

Anonymous and LulzSec
http://cnet.co/KElpE9

The Darkmarket
http://bit.ly/3y5ZSB

The Flame virus
http://bbc.in/McYYaj



The changing of the guard

As the world enters the age of super mobility, some businesses are having to adjust strategy and security policies accordingly. One response is to appoint information leaders into new roles to manage mobility and other trends as an integral part of a secure business. Paul Fisher reports on how the CISO may evolve into chief mobility operating officer and chief business security officer.

According to analyst firm Forrester, by 2016, around 1 billion consumers will own smart phones or other smart mobile devices, and most of those are likely to be connected to business networks in some way.

Now consider just how advanced and capable today’s smart devices are: Think iPhone 5, iPad, or the myriad of Android and Windows 8-powered devices, and then consider how much more capable the same devices will be in another four years. We may even be seeing the first 5G devices, as mobile networks look to maximize returns on bandwidth investment and usher in a new age of mobile services, super-connectivity and usability.

The rise of ubiquitous mobile computing and always-on connectivity has huge social implications for the way we live, interact with information, and access business services. It also has huge implications for you as a CISO and the information you seek to protect. Most importantly, this trend could very well mean rethinking the entire role and job description.

For some time, CISOs have felt under pressure to integrate with the business and stop thinking simply about technical solutions to security and locking down architecture. Now the architecture they seek to protect is changing in front of their eyes, and the pressure is increasing. The business is spread far beyond the traditional enterprise barriers, and this is the business that they need to protect.

Rafal Los, one of HP Software’s security evangelists, has blogged on this theme. He endorses Forrester’s prediction that CISOs may have to reinvent themselves as chief business security officers (CBSO). He says: “I will admit that I am warming up to the idea of the CBSO. Is it a replacement for a CISO? I don’t believe so, but that’s going to depend on the company size. In an enterprise environment, just as the role of the CIO and CTO have been split, the roles of the CISO and CBSO will likely be split in the future.”

Forrester also says in the report: “To make this transition, CISOs must demonstrate a traceable alignment to business objectives and bring greater financial and risk management discipline to security strategy and decision making.” Thus it is not enough for CISOs to be business minded: They need to be business aligned.

But if we need CBSOs to deal with overall business security, do some CISOs need to think about changing to or appointing another hybrid role to deal with the staggering growth of mobility? Could we also see the emergence of the chief mobility operating officer (CMOO)?

Consider what is happening to the enterprise. We are seeing a shift from IT departments to “personal information spaces,” from desktop PCs to the “anywhere desktop,” and from IT architectures to “data architectures.” Behind these shifts, we see technologies such as the cloud, virtualization, and web-based applications powering the business revolution. And this will all mean shifting budgets to mobility projects.

According to Forrester, “The shift will reinvent the business: 350 million employees will use smartphones, and business spending on mobile projects will have grown by 100% to over $20 billion per year [by 2016].” It also expects spending on mobile apps to hit a staggering $55 billion in 2016.

This is much more than changing employee work patterns and behaviors: Consumer interaction with businesses is shifting via social media, instant feedback, and personal marketing opportunities – all available across ever-present, hugely capable mobile devices.

Advantages of the super mobile enterprise

– It puts you closer to your customer than ever before.
– It speeds up business transactions like never before.
– Employees can own their own data and their own architecture on the anywhere desktop.
– It closes the gap between social media activity and business action.



– Applications need not sit on expensive and mostly redundant desktop devices.
– Employees can work from anywhere, anytime, at reduced cost.
– Secure and thin code apps will become the business tools of the super mobility age.
– Next-generation networks (4G, 5G) will enable business-class video conferencing from mobile devices.

But all these advantages will not be enabled unless a new mindset is put in charge of the mobility strategy. The CMOO need not be burdened with traditional IT and information security thinking: They need to be leaders and visionaries for the business, and re-engage with the original promise of IT – that it can be a driver for business and not a hindrance – which has sadly failed with the billions of dollars worth of legacy IT around the globe. The CMOO must be a business’ advantage reformer and usher in new systems of engagement with technology.

Challenges of the super mobile enterprise

– Super mobility data flows render traditional data management tools redundant.
– Data must be risk assessed like never before – new tools are needed.
– Employee, user, customer, and consumer roles will blur across the mobility landscape, proving a challenge for existing IAM tools.
– Choice of business technology will be driven by consumer-focused companies such as Apple, Google, and Samsung.
– The “old” IT department is not in control.
– The speed of development across mobility far outstrips traditional desktop PC-based business.
– Other business departments will push for – and more likely win approval for – mobility options faster than a traditional CISO can adapt.

To become either a CMOO or CBSO (or even simply an “enlightened” CISO that encompasses CMOO and CBSO thinking) goes beyond the realm of traditional CISO thinking and strategy. This is much more than an IT role. To meet the business and security challenges of the new digital business environment where industry, suppliers, customers, partners, and consumers all meet, the reformed CISO must be a strategic thinker. They must be able to traverse and communicate across the whole business and use the onset of super mobility to the business’s advantage. They need the following skills:

– The social awareness to anticipate trends before they happen and respond
– The ability to speak across the business to enable adoption of new market models in a “business first” manner
– The ability to remove from their thinking the lockdown security mindset and focus on the advantages of super mobility
– The readiness to embrace the data architecture and work with advanced partners to find data solutions that embrace the new business world

Unfortunately, there isn’t much time to find or learn these new skills. As Rafal Los says, organizational and cultural change, resource management, and time are the enemies now. It should be clear that the CISO who does not evolve is the CISO who will struggle and possibly wither in the super mobile business operating environment that is emerging in your market right now.

Resources

Is it time to reinvent the CISO?
http://bit.ly/RngZbu

Changing of the guard – a perspective on the changing CISO role
http://bit.ly/OtgSwC

Four key requirements to address the needs of the super mobile worker
http://bit.ly/ybaevd

Changing your data
http://bit.ly/KWxENa



A security man who means business

Quentyn Taylor is the director of information security, governance, and risk at Canon Europe. He is known in the industry for being one of its most progressive security professionals. Inform went to meet him and discovered that his thinking is matched by acute business sense.



Quentyn Taylor (opposite) is this month’s cover story.

In person, Quentyn Taylor is charming, engaging and obviously committed to his chosen business as much as his profession. He talks passionately and knowledgeably about Canon’s products, including its class-leading digital cameras, of which he is a huge fan. He can’t wait for the just-announced new EOS M mirrorless cameras, he says. You feel he could happily talk all day about Canon, but we are here to find out about his particular approach to information security for the Japanese electronics giant and how CISOs are adapting to being seen as business leaders and enablers. Should they be aiming for the board? Yes, but perhaps not in the way many people perceive, according to Taylor.

“I think there are a lot of people who go by the title CISO who are not actually CISOs – certainly not chiefs. A chief sits in the board as far as I am concerned, but I don’t see many security people who actually sit on the board. At a conference someone asked me, ‘What metrics do you need to get on the board?’ I said, ‘That probably shouldn’t be your goal.’ The board has lots of things to talk about – business decisions, financials, the world economy. In reality, the information security processes that you are putting in place should influence the board, so this nirvana of standing in front of the board and presenting is only going to happen when something has gone badly wrong. If you stand and say everything is perfect, the board is just going to think ‘we’ve got better things to discuss’,” he says.

But wouldn’t others argue that CISOs should do precisely that as part of business, given the complexity of risks and threats that face most businesses today? Taylor refuses to see this as the information security officer’s role by default, but rather that of those responsible for managing risk. He argues that the person responsible for overall risk should sit on the board, but that it also depends on the type of business.

“Perhaps if the company is a pure play risk business, for example financial services that manage risk, but a lot of companies are making risk decisions all the time. But there is a disconnect between those and the actual line of business. Here the CISO is not appropriate,” he says.

So, board member or not, does he feel he is a business enabler at Canon Europe?

“Yes, because being a business enabler also means saying yes when your gut instinct is to say no. People say that the CISO carries no risk, that he or she just quantifies the risk and passes it on – that’s incorrect,” he says. “You cannot hold the business risk, but you do carry risk in any advice you give. People say in a perfect world that you shouldn’t give advice – just quantify the risk and leave the decision to a ‘business’ person. But the business person will say to you, ‘Why should I do this and not that?’ And that’s the difference – you are making the risk decision for the business. You are enabling the business.”


Quentyn Taylor has been with Canon Europe since 2003. His team now covers the information security needs of the company’s entire Europe, Middle East and Africa (EMEA) operation. He also led the creation of an ICT academy that provided structured training plans for more than 350 staff based all around EMEA. Prior to joining Canon Europe, Quentyn was the IT security manager at Fotango, the online photo service that was subsequently taken over by Canon. Before that he was with Internet startup group Netscalibur as NOC team leader. Quentyn has an honours degree in biological sciences from the University of Brighton. He writes his own blog, “Security in a Modern Age,” at http://www.quentyn.com/.

Taylor is sanguine about the prospect of security professionals breaking out of the IT silo – from which most still start their careers – and emerging as vanguard business leaders such as the CEO. His proactive approach, however, should serve as inspiration to others, and it comes down to that old maxim: get involved.

“The typical business executive comes up through the company stack having worked in marketing, sales, finance, and other departments. To be a CEO, you will have worked through the company or done your time at others. In infosecurity and IT, it is much harder to do that, and siloed security is not good for the business,” he says.

“A siloed security team is a non-functioning team. Here I have had opportunities to talk to business people where I have suggested adding security to products as a selling point. And they said, ‘Really?’ And then we started having discussions with my opposite numbers in other companies, and my people would say, ‘Why are they asking this?’ And the answer is because that’s what they want: Why don’t we offer it to them? If I was head of security at the other company, this is how I would want things sold to me.”

Taylor explains that in his day-to-day business he spends 60% of his time not doing “infosecurity stuff,” as he puts it. Instead he spends it with customers, with the business people, developing bits and pieces to help salespeople responding to tenders. He says there has been a huge rise in information security questions coming in on tenders, especially on printers. He also finds time for some product testing, assessments, and penetration testing, and produced a business guideline on secure documentation and printing. He argues that focusing on the sales advantage of security has a positive impact on the internal security aspect of his role.

“This is the great thing: Now that you are using security to reinforce the sales message, you suddenly have an advantage when it comes to selling internal security. You are no longer just standing there shouting about viruses, blah blah blah. You are actually saying, ‘This is why you need security to benefit the business.’ And because of the credibility you have built up with the salespeople, suddenly the internal sell becomes much easier.”

No interview with any leading CISO would be complete without a discussion about the impact of consumerization, and Taylor is happy to oblige. Being a major consumer brand itself, is Canon an enthusiastic adopter?

“We are very much embracing it here at Canon, yes. Unless you work in an industry that remains highly regulated – public services, for example – consumerization is a direction you are going to have to go in. It’s an advantage, it’s a benefit. No longer having to worry about the device but the data. And that’s important. It’s not popular with the vendors, but it’s not about the technology anymore. It’s about talking to HR more than anything,” he says.

He likens the onset of consumerization to the process that happened with company cars, where once employees had to drive what they were told – even fill up at the company petrol station, as happened at one of Taylor’s first companies. Now they choose their own car.

“A lot of people think consumerization is about bringing in your own iPhone. No, that’s not consumerization – consumerization is saying that we are going to allow anything, and you have to remember that. What’s the difference between an iPad and a laptop? None. So if you are going for consumerization, then you are going for bringing your own endpoint computing device.”

While enthusiastic about consumerization, Taylor concedes that making a business case for consumerization can be challenging, and there is more to consider than just making employees happier.

“It’s not just about the upfront savings on the device, but about how much that service costs in the long term. Somebody will eventually work that out. If you took 10,000 employees and asked them all to get mobile phone contracts, they would all come back with 10,000 individual data contracts. If you went to a carrier and said, ‘I would like a 10,000 seat contract,’ you are likely to get a good deal. And that’s the nasty little fact. Yes, it can be cheaper because the company isn’t paying for certain things, but someone is and that may well get passed on – so overall, does it make financial sense? That’s the key challenge, and you need to work that out in order to manage consumerization, because ultimately, it is unstoppable,” he says.


Another hot topic is the changing roles of the CISO and the CIO, even to the extent of merging to a degree. Taylor sees some sense in this and in learning from enlightened CISOs who have worked out how, as he says, “to monetize information.” He believes too many CIOs are locked into the IT part, the infrastructure rather than the process of moving information, whether it is on consumer devices, printers, or any other device. He’s dismissive of Forrester’s concept of a chief mobility officer, although he likes the concept of a chief social media officer that he’s heard about. “The blending of marketing and IT into one role – now that’s interesting.”

Taylor’s more revolutionary ideas revolve around the future of IT, which he believes will be totally outsourced and leased. Some might believe that this is a step too far, one that brings with it untold danger and risk. Taylor is quite relaxed about the prospect.

“It doesn’t bring any new dangers. To me it’s like old wine in new bottles. From the CISO’s point of view, it’s like a change in risk, a consolidation of risk – so it’s actually a good idea. I think we will have a time where you will get all your IT from an external company. In fact it’s already happening with identity services. When you start at a new company, your information will be picked up by the company from some federated business sitting on the Internet. Corporates are moving away from services that are not core to them, leaving it to other specialist companies to get on with it,” he says.

Quentyn Taylor, then: a CISO prepared to think differently, to pose difficult questions about current and future security issues, and to keep looking for the answers to those questions. At the same time, he is truly integrating security into the business by influencing the marketing of Canon’s products. Perhaps he will be CEO one day.


Access management in the new information age

At the heart of any business, whatever its size, are two fundamental drivers: data and people. One cannot function without the other, and the enterprise cannot function without the two interacting.

At the nexus of data and people lie identity and access management (IAM). The need for efficient and secure IAM has only increased. But will new IAM solutions emerge to meet the challenge?

Business data flows and access needs shift rapidly. This means that CIOs and CISOs need to think more creatively about deploying IAM – not just in terms of software but also through people-focused and business-first policies.

For example, access and identity systems for employees may need extending to authorize partners and even customers as businesses evolve to meet the challenges of four computing megatrends: cloud, mobile, social, and big data. These pressures only emphasize the need to deliver on the fundamental task of any IAM system: give people the access they need, only that level of access (least privilege), and without delay.

Getting the right data to the right people

Data classification now takes center stage, with data lifecycles and content classification forming the heart of IAM policies and systems in the new operating environment of the four megatrends. Until recently, controlling access to data was relatively simple, but today’s “extended enterprise” – created by exponentially increasing numbers of endpoints (employees often have more than one endpoint device), virtualization, and cloud environments – has rendered old IAM models redundant.

More flexibility is needed. Trust needs to be extended right across the business, and access rights granted to the right people when they need them. If a key employee, data owner, or partner is denied access incorrectly, that transaction is interrupted, with consequent impact on costs, projects, and efficiencies.

Worse, if the wrong people gain access (hackers, malicious insiders), resulting in denial of service, malware, targeted attacks, or IP theft, then the whole business is damaged. So how do we marry the urgent need for efficient access in this new world to security?


IAM needs to deliver secure access – but at the speed that contemporary business demands.

New IAM options

In this context, we need better IAM systems to deliver secure authentication from some of the very trends and technologies that are challenging current IAM solutions. According to analyst firm Forrester, IAM projects are 70% people, process, politics, communication, and training, and only 30% technology.

A part of that 30% that could help build better IAM is already in the hands of millions of employees: the smartphone. Given that the endpoint is where IAM systems often fail, due to poor password management, unreliable biometrics, and false positives, a device that reliably recognizes a unique individual is key to new IAM efficiency. The latest generation of smartphones feature face recognition intended to let only the registered owner unlock the device, and IAM systems are already being developed that can take advantage of this. One caveat: consumer face unlock has been defeated with a photograph of the owner, so it should be treated as one factor among several rather than as strong authentication on its own.

The emergence of big data can also be exploited by new-generation IAM. We all now contribute personal and unique data to the big data stack. By mining this, IAM could add a further signal for authenticating the new world of partner and customer access and for assessing the validity of the person at the endpoint looking for entry. The key is the management system and its ability to process authentication data in real time and grant access to the right people and the right data. By using personal smart devices that users already know and feel comfortable with (because they chose them), authentication could potentially become transparent.

Directory management and federation is key

Legacy IAM systems will increasingly struggle in the new data environment described above. New-generation IAM must focus on the data and on the directories of user information that will be critical to properly identifying users and determining their access rights. Business-focused IAM must be able to set up and manage these directories to enable authorized users wherever they are and however they access the enterprise data.

The challenge for future IAM systems

The current market solutions aren’t flexible enough to adapt to changing and fluid workforces operating in a complex environment of cloud, social media, and big data stacks as employees access and process data from multiple endpoints. IT needs to be a business process enabler (faster provisioning and deprovisioning) and to deliver a central view of who operates within the organization and how they operate – whether on mobile devices or accessing cloud environments. In the new information age, CIOs will demand IAM systems that tell them what their data assets are and who can access them, and that provide efficient and secure access to the right people. It is up to the industry to innovate and deliver future-proof IAM solutions.

Old systems will fade away

René J. Aerdts, chief technologist of automation and HP Fellow, sums up the challenges that secure IAM faces. In his blog he says: “Organizational structures are rapidly shifting from systems of records to systems of engagement. Owned assets, reactive ‘sense-and-respond’ mindsets, periodic change, applications focused on transactions, and a dependence on historic data characterize systems of records. Systems of engagement feature virtual assets, continuous change, proactive cause-and-effect mindsets, applications focused on interaction, and real-time analytics.”

We’ll invent adaptive and inventive dynamic security systems

[Chart: Security topics that’ll keep us up at night – the top security and risk management concerns of senior IT executives in 2020, each rated “extremely concerned”, “somewhat concerned”, or “not very concerned”. Concerns listed: data privacy and information breaches; risk associated with increased consumption of application and IT services across public, private, and hybrid cloud; lack of skilled resources to effectively manage security; intermingling of personal and business technology; disruption caused by natural or man-made disasters; failure to seize on the latest technology to protect systems and data.]

Resources

HP Labs presentation: Economics of Identity and Access Management: Providing Decision Support for Investments – http://bit.ly/MLhQ40
HP identity and access management services – http://bit.ly/t6GIAJ
Shifting innovation to ‘always on’, by René J. Aerdts (HP Enterprise Services blog) – http://bit.ly/nLWGc1



Creating clouds that protect your business

In our 2011 Insight piece on cloud computing, we quoted a call to action from analyst group Gartner. It stated: “The significant benefits of agility and cost savings delivered by cloud computing are too compelling to ignore. Forward-thinking enterprises are answering the questions of cloud computing not with an if, but with a when.”

One year on and that statement is, if anything, more compelling and more urgent. The economic arguments for cloud have intensified as the Eurozone crisis continues to strangle recovery, particularly in Europe but also across the world. Embattled CIOs are feeling the impact of the global downturn through squeezed budgets and the expectation to deliver tighter IT efficiencies within those budgets. And the solution is increasingly found in the cloud – but not necessarily by those with security in mind. This remains the main challenge of cloud computing: how to ensure that the use of the cloud is secure, especially when functions are outsourced to third-party cloud providers.

According to a survey by analyst group IDG, more than one-third of IT budgets are now spent on cloud-based computing. However, the report makes clear that the decision to move to the cloud isn’t about cost alone; it’s part of a shift in overall IT strategy.

According to the survey, one-fourth of respondents believe cloud will play a critical role in shaping future business strategy. It also says that cloud computing is likely to grab a larger slice of IT budgets in the next few years, stating: “Close to two-thirds of companies expect to increase cloud spending in the next 12 months. On average, organizations will increase cloud computing spending by 16%.”

However, while the business and economic imperatives for cloud are stronger than ever (and driven by anxious CEOs), the security concerns that we highlighted last year have not gone away for the CIO or CISO. If anything, they have increased. This is due to the global increase in cyber criminal activity and the introduction of new data compliance laws around the world, such as the EU privacy law governing the use of cookies on websites (see Resources below).

To reiterate, the prime security concerns are mostly around loss of control and visibility – something CISOs tend not to like. This manifests itself in:

– Lack of clear data ownership
– Unauthorized data uploads and downloads to and from the cloud
– Lack of compliance with various governance laws across different regions
– Basic trust issues with partners and customers using cloud to store and transmit business data

Another security concern often overlooked in discussions about the cloud is the emergence of cloud-based consumer apps such as Google Docs, Dropbox, and others. Employees are increasingly using these to process corporate data on mobile devices – often without authorization. This is where consumerization and the cloud meet.

Even within the enterprise, another cloud risk has started to pose problems. The availability of cheap “off-the-shelf” cloud resources such as Amazon Web Services has given rise to employees setting up unauthorized, temporary cloud environments for special projects, often with little thought for security policy or processes – and often outside the visibility of the security team.

As IDG has found, more and more corporations are turning to the cloud by increasing the proportion of their IT budgets spent on cloud infrastructure.

It is therefore imperative that the CIO and CISO focus on this shift and position themselves at the head of the revolution and not at the back, desperately plugging the security gaps afterwards. One year on and the advice on getting ahead on cloud security remains the same – but the processes urgently need to be put in place.

So there still has to be an intelligent and sequential shift to the cloud. Many enterprises are thus experimenting with a “hybrid” delivery model that engages with external cloud providers, internal private clouds, and existing IT architectures.

So the message to information leaders in 2012 is that it is now virtually impossible to resist the shift to the cloud. It is the future for both technological and budgetary reasons.

Any reputable cloud provider or consultancy should recognise this and be able to provide the support and knowledge to enable the customer to perform a cloud risk assessment, either in partnership or via in-house resources.

The importance of a risk-assessed and quantified shift to an ongoing existence in the cloud cannot be over-emphasized.

HP has a new cloud readiness tool that enables CISOs and CIOs to determine their own roadmap for adopting and securing the cloud (see Resources below).

It is vital that individual enterprises get the cloud services that are appropriate to their market sector, existing IT policies, and the kind of data central to the business. Financial services, retail, and public sector organizations such as hospitals, for example, need more stringent controls on the use of cloud than other industry sectors.

Such risk-averse organizations need a cloud delivery model that meets their risk position head on. In the push to the cloud, a “one size” cloud does not fit all, and working with a trusted and experienced provider should factor into this equation. Gradually the industry is starting to classify and accredit cloud-based services to deliver such trust. One such mechanism is the Cloud Security Alliance Security, Trust, and Assurance Registry (CSA STAR). CSA STAR is designed to index the security features of cloud providers using a 170-point questionnaire that users are then able to peruse (see Resources below). HP is fully committed to supporting this initiative for its cloud-based services. Even if a chosen provider has not yet joined this initiative, the questionnaire serves as a useful device to challenge and rate potential cloud providers. Bear in mind that registry entries are the provider’s own self-assessment: they tell you what the provider claims about its controls, so the answers still need to be checked against contractual commitments and independent audit reports. If a cloud provider cannot guarantee its security framework across its services, then it would be better to look elsewhere.

The advantages of the cloud are too good to ignore – cost efficiencies, faster ways of working, and business agility – but the security of enterprise data is too important to ignore if businesses are to avoid brand damage and financial penalties via data loss in the cloud. A joined-up and trusted-partner approach to adoption of cloud remains the only way to marry these two.

Like any advanced secure business thinking, cloud can only deliver its commercial advantages when adoption follows a risk-based approach that delivers the technical and business solutions that will benefit the enterprise. This is an important message to take to the board.

And finally, like any IT model, cloud computing must ultimately serve the enterprise, its employees, its partners and most of all its customers within a secure business environment.

Resources

ICO Guidelines on EU Privacy Laws – http://bit.ly/eQZtln
HP Cloud Readiness Scorecard – http://bit.ly/bnkq4z
CSA STAR – https://cloudsecurityalliance.org/star/
HP Converged Cloud Management and Security – http://bit.ly/UxXlbm



Dealing with disaster

Business-focused CISOs spend much of their working lives trying to prevent a security breach occurring, but the odds are that such an incident will one day happen. How can they prepare themselves, and what procedures should they put in place when the worst happens?

The thought of a major or even a minor breach happening in their business is enough to bring most CISOs out in goosebumps. After all, this is exactly what they are supposed to prevent. However, given the level of threats and number of malicious actors willing to attack businesses – as well as the danger of employee negligence – the chances of a breach are higher than ever.

If a breach happens, it’s important not to get into a blame game and start looking for scapegoats. An investigation into what went wrong and what failed can wait until the immediate effects of the breach have been mitigated.

As most types of attack can be anticipated – for example a denial of service or malware attack – security leaders should have contingency plans written and ready in advance. The actual details of any such plan will differ depending on the severity of the attack, the type of business, and, most importantly, whether third parties such as customers or partners are affected.

However, any contingency and continuity (C&C) plan should contain the following basic elements for when a breach or security incident has been discovered.

1 C&C plan first step

A pre-appointed emergency C&C team consisting of the CISO, CIO, and all other relevant stakeholders should convene when news of a breach or incident is reported. From here they need to determine urgently what has happened – but not at this stage how – and move to assess the damage. The number, timing, and scope of future meetings will be determined by the seriousness of the breach and how long the immediate breach crisis lasts. This stage should also be able to weed out the possibility of false positives (which will still need a report on how they occurred and any damage to the business).

2 C&C plan second step

Detailed reports need to be compiled on the exact nature of the attack or accidental data loss. An appointed risk assessor, as part of the C&C team, will analyze and report on the potential cost and the level of risk to business continuity. If it is clear that third parties are at risk of exposure, then the PR, Comms, and legal teams need to be alerted to prepare a media response. This is a critical part of the process: how well communication to affected parties – data owners, consumers, or government – is managed will influence the final extent of the damage to brand and company reputation.

At this point, the CEO, the CMO, PR, and Comms teams should collectively decide if and when to go public with the news. This will depend on whether the C&C team can determine precisely the risk of data being released into the wild. But this needs to be balanced against the risk of the media finding out about the breach anyway, which may leave the business looking incompetent or as if it is trying to hide something. Key customers and partners need to be reassured as soon as possible that their data is secure.

3 C&C plan third step

When identified, affected systems and architecture need to be locked down and isolated. This will prevent any malware-borne attack from spreading. Once these are locked down and quarantined, hygiene and repair processes can be applied to systems. Before repair begins, capture what the forensic investigation in step 4 will need – disk images, memory, and logs from the isolated systems – because rebuilding a host destroys that evidence. This step may take longer than expected, however, as modern malware can be persistent, and the malware detected may have planted further malware as “sleepers.”

4 C&C plan fourth step

Once the immediate steps have been taken, the C&C team can start planning the forensic investigation into what happened – whether an external malware attack, a malicious insider, or employee error. This will be a highly technical exercise involving examination of log files, data flows, access records, and firewall management records. Time is of the essence, however, as the media and legal teams will need to be briefed on the damage – as will the CISO and CIO. They will need to take the necessary steps to rebuild affected systems and potentially reconfigure defenses and policies. This step should thus ensure that the risk of further structural damage to the organization is eliminated.

5 C&C plan fifth step

Any incident, while damaging and a drain on resources, does at least provide a learning exercise. If handled correctly, it can lead to tighter security and preparedness for future attacks. Therefore, once the incident has been “closed,” all stakeholders should contribute to an incident response report (IRR), led by the CISO or CIO, that details the full findings of steps 1-4, what went wrong, and what was needed to mitigate this attack. Its summary should detail recommendations for systemic and policy improvements to prevent future attacks. If the breach went public, then the report should also detail the media response and any negative impact on the organization and how this was mitigated.

These five steps are obviously high level, and any actual contingency plan would be much more detailed and vary depending on the organization and industry sector.
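The technical core of steps 1, 3 and 4 – working out from log files and firewall records what happened, which systems are affected, and what to isolate – can be illustrated with a small correlation script. The following is an added example written for this article, not HP tooling or anything from the article’s sources. The SSH authentication and firewall log lines, hostnames and addresses are constructed for illustration; real log formats differ, and the host inventory and the iptables rule syntax for the quarantine are assumptions.

```python
"""Scope a breach from logs and derive the isolation list (C&C steps 1, 3 and 4).

Added example, not HP's tooling. Log formats, hostnames and addresses are
constructed; real formats differ, and the host inventory is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed SSH authentication log (not from a real incident).
AUTH_LOG = """\
2012-05-14T02:11:04 db01 sshd: Failed password for admin from 198.51.100.7
2012-05-14T02:11:09 db01 sshd: Failed password for admin from 198.51.100.7
2012-05-14T02:11:15 db01 sshd: Accepted password for admin from 198.51.100.7
2012-05-14T02:40:31 fs02 sshd: Accepted publickey for svc-backup from 10.0.0.11
2012-05-14T09:02:50 web01 sshd: Accepted password for jsmith from 10.0.0.50
"""

# Constructed internal firewall log: "<time> ALLOW <src>:<port> -> <dst>:<port>".
FW_LOG = """\
2012-05-14T01:00:00 ALLOW 10.0.0.11:40000 -> 10.0.0.99:80
2012-05-14T02:12:40 ALLOW 10.0.0.11:45120 -> 10.0.0.12:445
2012-05-14T02:15:02 ALLOW 10.0.0.11:45131 -> 10.0.0.13:3389
2012-05-14T02:38:11 ALLOW 10.0.0.11:45190 -> 10.0.0.20:22
2012-05-14T02:50:00 ALLOW 10.0.0.20:51022 -> 10.0.0.21:445
2012-05-14T09:10:00 ALLOW 10.0.0.50:50000 -> 10.0.0.12:80
"""

# Assumed host inventory (hostname -> address), as a CMDB would supply it.
HOSTS = {"db01": "10.0.0.11", "fs02": "10.0.0.20", "web01": "10.0.0.50"}

AUTH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) \S+ for (\S+) from ([\d.]+)$")
FW_RE = re.compile(r"^(\S+) ALLOW ([\d.]+):\d+ -> ([\d.]+):\d+$")


def parse_auth(text):
    """Parse auth log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append({"time": datetime.fromisoformat(m.group(1)), "host": m.group(2),
                           "result": m.group(3), "user": m.group(4), "src": m.group(5)})
    return events


def parse_fw(text):
    """Parse firewall ALLOW lines into dicts with time, source and destination."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append({"time": datetime.fromisoformat(m.group(1)),
                           "src": m.group(2), "dst": m.group(3)})
    return events


def find_initial_compromise(auth_events, threshold=2):
    """Step 1 (what happened): the first successful login preceded by at least
    `threshold` failures for the same (host, user, source), i.e. guess-then-success."""
    failures = defaultdict(int)
    for ev in sorted(auth_events, key=lambda e: e["time"]):
        key = (ev["host"], ev["user"], ev["src"])
        if ev["result"] == "Failed":
            failures[key] += 1
        elif failures[key] >= threshold:
            return ev
        else:
            failures[key] = 0  # a clean success resets the counter
    return None


def trace_lateral_movement(fw_events, origin, origin_time):
    """Step 4 (scope): follow allowed connections outward from the origin host in
    time order, counting only connections made after the source itself was
    reached. Returns {address: time first reached}; one sorted pass suffices."""
    reached = {origin: origin_time}
    for ev in sorted(fw_events, key=lambda e: e["time"]):
        src_time = reached.get(ev["src"])
        if src_time is not None and ev["time"] >= src_time and ev["dst"] not in reached:
            reached[ev["dst"]] = ev["time"]
    return reached


def scope_incident(auth_text=AUTH_LOG, fw_text=FW_LOG, hosts=HOSTS):
    """Combine both analyses into the facts the C&C team needs at its first meeting."""
    first = find_initial_compromise(parse_auth(auth_text))
    if first is None:
        return {"patient_zero": None, "isolate": []}
    reached = trace_lateral_movement(parse_fw(fw_text), hosts[first["host"]], first["time"])
    return {"patient_zero": first["host"], "account": first["user"],
            "external_source": first["src"], "compromise_time": first["time"].isoformat(),
            "isolate": sorted(reached, key=reached.get)}  # ordered by time reached


def isolation_rules(addresses):
    """Step 3 (lock down): quarantine rules in iptables syntax, assumed to be applied on
    the internal gateway. Traffic is dropped both ways, but the hosts stay powered on so
    memory and disk evidence survive for the forensic work in step 4."""
    rules = []
    for ip in addresses:
        rules.append(f"iptables -I FORWARD -s {ip} -j DROP")
        rules.append(f"iptables -I FORWARD -d {ip} -j DROP")
    return rules


if __name__ == "__main__":
    report = scope_incident()
    print(report)
    print("\n".join(isolation_rules(report["isolate"])))
```

On the sample data the script names db01 as the first compromised host (two failed logins followed by a success from the same external address), then walks the firewall log forward from that moment to pick up the four internal hosts it subsequently reached, while ignoring db01’s connection from before the compromise and the unrelated traffic from web01. The order of the isolation list doubles as a first-cut timeline for the incident response report in step 5.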

Resources

HP and netForensics – Security Information Management solutions – http://bit.ly/UxXP0Z


© 1994-2012 Hewlett-Packard Company. All rights reserved. All product and company names referenced herein are trademarks of their respective owners. This document is provided for informational purposes only. Information provided in this document is provided as is without warranty of any kind, either expressed or implied. Registered Office: Cain Road, Bracknell, Berkshire RG12 1HN. Registered in England number: 690597


We can protect what matters. Together.

The cloud, mobile technologies and social networking offer new business opportunities – but also create some of your biggest security challenges. HP’s proven and innovative security solutions can help you manage risk, be compliant and maximize your investments. You can confidently open up your enterprise to compete, share and progress – whilst protecting the information that matters.

hp.com/enterprise/security
