issue 9 | 2012
from HP Enterprise Security
Is it a good idea to get your head in the clouds?
As business turns to the
cloud, we look at the major
security issues.
The CIO’s guide
to the cloud
Why a risk-based
approach is now
essential
// Page 6
Consumerization
How Europe’s
top CISOs are
dealing with this
IT megatrend
// Page 10
This month’s issue features
the changing role of the CISO,
insider threats, an interview
with Canon, and more.
How vulnerable are you?
Why the traditional approach to threat and
vulnerability management is not enough
// Page 8
The three-headed monster
The motives behind cyber
crime, hacktivism, and cyber
warfare // Page 14
Inform
Issue 9 | 2012
Published by HP Enterprise Security Services
Web: www.hp.com/enterprise/security
For enquiries about Inform, please contact
hpinform@hp.com
Produced by: www.otmcreate.com
Edited by: www.pfanda.co.uk
If you would like to subscribe to Inform
Magazine, please contact us at
hpinform@hp.com
Inform magazine is a quarterly publication
designed to give you a wealth of insight
into current topics from key industry
figures. It features contributors from all
over the globe, covering many different
industries and sectors.
Regular features in each issue include:
– Key thought leadership interviews with
senior IT security professionals
– Current news and hot topics
– Practical “how to” guides
– Latest technology updates
And much more
To view past issues, please visit issuu.com/hpenterprisesecurity
Subscriptions are complimentary for CIO, CISOs, and IT
security professionals. To subscribe please email hpinform@hp.com
with your name, title, company, email address, and country location.
Please include your postal address if you would like to receive a hard
copy of the publication.
04 Insight // 06 How CIOs should approach cloud security // 08 How vulnerable is
your business // 10 The CISO view: dealing with consumerization // 12 Working on the
inside // 14 Beware the three-headed cyber dragon // 16 The changing of the guard
// 18 A security man who means business // 22 Access management in the new
information age // 24 Creating clouds that protect your business // 26 Dealing with disaster
Welcome
Summer passes into autumn, and the glorious memories of the Olympic and Paralympic
Games start to fade. Yet for anyone lucky enough to have attended any of the events in
London, I am sure the memory will live long in the mind.
It wasn’t just the superb display of sport and endeavor that the Games will be remembered
for, however. Those attending were struck by the superb organization, friendly army of
volunteers, and quiet efficiency of the security procedures to get through the perimeter into
the Olympic Park itself. Although hundreds of thousands of people were processed each day,
it all passed off cheerfully and quickly, with none of that sense of frustration you get
at airport security lines.
Of course, behind the scenes was a vast array of technology and specialists keeping all those
inside the Olympic Park and Village safe. There was also the highly visible show of deterrence
on the River Thames of the Royal Navy’s largest battleship just to back this all up.
Overall, this was a great model for security that unobtrusively and quietly does what it is
supposed to in addition to being people-friendly. That should be the goal for all of us trying
to design business-focused security into our enterprises. I think it’s a lesson for us here at
HP Enterprise Security Services as we constantly look to innovate and enhance our security
offering with our partners and on to our customers.
I believe this latest issue of Inform demonstrates our commitment to that goal with a mix
of articles and features based on latest information security theory. We take a look at how
threat and vulnerability management (TVM) systems need to evolve if they are to meet the
complex operating environment that faces modern enterprises.
Our feature (page 8) makes it clear that TVM needs to take into account the growing tide
of consumer devices, the pressure from big data stacks, and reliance on cloud-based data.
These systems need to do more than just passively monitor: They need to be proactive and
operate in real time.
The changing of the guard
As super mobility dominates business, can the CIO and
CISO evolve to meet the challenge? // Page 16
Related to TVM is the “insider threat”. Our feature (page 12) looks at how employees are
prime examples of “smart people doing dumb things” when in the course of their daily jobs,
they sometimes put the security of the business in danger. It outlines four smart ways to deal
with insider threats, and looks at the rise of social media pressures and malicious insiders.
No issue of Inform would be complete without our in-depth CISO interviews. In this issue
we are delighted to share with you the thoughts of one of the UK’s most lively information
security professionals. Quentyn Taylor is the director of information security, governance,
and risk at Canon Europe. He explains how progressive security thinking brings unexpected
rewards – it helps sell secure products to customers and improve internal security at the
same time. Read more insight from Quentyn Taylor, starting on page 18.
We also look at how the roles of the CIO and CISO may well have
to radically evolve if they are to survive in the new age of business
computing – in what we have dubbed the “super mobile” age.
Find out what the future is on page 16.
Dan Turner
VP Enterprise Security Services
Access management
The complexity of the
modern enterprise
means that new IAM
solutions are needed
// Page 22
The third-party views expressed in this magazine are those of the
contributors, for which HP Enterprise Security accepts no responsibility.
Readers should take appropriate professional advice before acting on any
issue raised. Reproduction in whole or in part without permission is strictly
prohibited. © 2012, Hewlett-Packard Development Company,
L.P. All Rights Reserved.
4 HP Inform
HP Insights
Shifts in IT security remain a major
concern for business executives.
A proactive response is needed.
According to a new study from Coleman
Parkes Research, commissioned by
HP, nearly two-thirds of business and
technology executives worry about
understanding security requirements
for cloud services as well as how to
secure and consume big data.
However, the findings suggest that the
problem is an education issue rather than a
technology one. The majority of respondents
said the biggest challenges regarding cloud
stem from a lack of understanding of security
requirements (62%) or procuring services
without screening the service provider (55%).
Looking ahead, two-thirds of respondents
believe that cloud services can ultimately be
as secure as their on-premises data centers.
The study also indicated that more focus is
still placed on reactive security measures
than on the more important area of
proactive security measures. For example,
more than half of respondents said time and
budget spent on reactive security outweighs
investments in proactive measures.
But organizations are at least moving in the
right direction, with nearly three-quarters
(71%) of senior business and technology
executives surveyed reporting that their
organization’s security leadership has a seat
at the table with other C-suite executives.
Additionally, security intelligence is on the
rise, with 82% of respondents indicating
that they are exploring Security Information
and Event Management (SIEM) measures;
however, less than half (45%) currently have
an information risk-management strategy
in place, and 53% manually consolidate
information risk-management reports or do
not measure risk at all, which hinders their
ability to proactively anticipate threats.
“Cybersecurity threats are growing
exponentially, and without a proactive
information risk management strategy,
enterprise growth, innovation, and
efficiencies are hindered,” says George
Kadifa, executive vice president,
Software, HP. i
Download the full report
http://bit.ly/Pa8EpY
Issue number 9
5
HP Labs research
looks to develop
a federated cloud.
For the last two years, a team of
engineers from HP’s Cloud and Security
laboratory have been addressing the
challenge of moving from a world of
large but mostly independent cloud
networks to a system that enables all
those networks to easily, securely,
and automatically interconnect.
The project, known as Scalable & Adaptive
Internet Solutions (SAIL), is part of a
consortium of 25 leading European
telecommunication operators, technology
vendors, and research institutions. It is funded
by a €13m grant from the European Union.
“A lot of technology in cloud computing was
created by quickly establishing something
that works. That’s great, but it means
we’ve often bypassed or avoided the hard
problems,” says HP Labs lead researcher
Paul Murray.
“Think of how telephony works. You dial
a phone number with your local provider,
and they automatically route it through all
the providers needed to set up the call.
We want to be able to do the same for cloud
networks. Today, though, it’s as if I still
had to first call every telecom provider
between Bristol and China in order to have
a conversation with one of my colleagues
in Beijing,” says Murray.
As a result, cloud computing isn’t working
nearly as well as it could, say the researchers.
For example, enterprises might be able to
connect to an external cloud provider such
as Amazon to integrate a virtual private
cloud, but they can’t do it automatically with
flexibility or at scale – thus missing out on
the efficiencies that a truly integrated cloud
would offer businesses.
A major focus of the SAIL project has,
therefore, been to research how different
cloud systems can talk with each other, then
seamlessly and safely connect, and then
connect again to other networks in the
same way.
“It’s a question of creating new infrastructure
models that work better than before, and at
the same time making sure that old systems
will still work with the new. We call it cloud
federation,” says Murray.
Download full report
http://bit.ly/SkvG1Uw2v
HP’s engineers have been
moving toward a world of
interconnected clouds
Global cloud coverage
will benefit from this
interconnectivity
How CIOs
should approach
cloud security
The promise of the cloud is
undoubtedly appealing, but it does
have inherent security risks.
Reduced costs and enhanced flexibility
and scalability help meet the demands of
an accelerated market and competitively
position your enterprise.
It is up to CISOs to
implement effective
cloud security measures
At the same time, your IT organization
recognizes that cloud introduces a number
of issues regarding security, data integrity,
compliance, service-level agreements, and
data architecture that must be addressed.
Therefore, the adoption of cloud services
is being tempered by a significant level
of uncertainty. Enterprises are looking for
assurances that they’re not adding risk to the
business by leveraging the cloud. For many,
moving to the cloud is still a leap of faith.
However, cloud security is not what you
might think. Despite what is commonly
reported in the industry press and other
media, many cloud security incidents are
actually previously known issues with web
applications and data-hosting – but at a
greater scale and frequency due to early
adoption of new cloud services. This is not
to say that these incidents are not “real” or
important – they are. The point here is that
there is nothing inherently cloud-related that
caused these incidents to occur.
It should be noted, however, that most
clouds are shared, whether between
programs, organizations, or communities.
Companies using cloud need to understand
that they are consuming a shared resource
and must, therefore, select the service that
provides the levels of security and service
that they need.
As with most security challenges, technical
solutions are only part of the puzzle. What
is needed is a well-rounded approach. HP
recommends the following broad steps
as part of a cloud security program:
– Establish a risk-based approach
– Design (or convert) applications
to securely run in the cloud
– Implement ongoing auditing
and management
– Assess infrastructure (and platform)
security during service sourcing
First, a risk-based approach is necessary to
fully understand the risk impact of moving
chosen applications and data (assets)
to a particular cloud deployment model
and service model. This assessment must
be undertaken from a viewpoint of how it
affects the entire enterprise.
HP believes that the primary objective of a
risk-based approach is to help an enterprise
move from a reactive to a proactive stance
for enterprise security, with the end goal
of measurably reducing business risk. HP
has developed a risk-based methodology
– assess, transform, optimize, manage, or
“ATOM” – which helps enable enterprises to
achieve these goals:
First, we assess your risk tolerance profile,
compliance requirements, operational
requirements, organizational capabilities,
and resources. We typically do this within
short HP Cloud and HP Security
Discovery Workshops.
We then look to transform your
environments. We structure and prioritize
security issues and undertake remediation
projects with you.
Next, we optimize the environment and also
broaden your level of security awareness.
Our experts proactively recommend
operational and process improvements
that can deliver an optimized security
and risk posture.
Finally, we manage security transformation
programs that deliver security in the most
effective way for the enterprise, adopting
proven security technologies and flexible
sourcing models.
Second, many existing applications were
not designed to run in a potentially hostile
environment. The dynamic behavior and
public environment of cloud implicitly
require that data and applications be self-defending
– in other words, they need to
be able to protect themselves. This means
that application developers need to adopt
an information-centric approach to securing
critical applications and data by focusing on
the “CIA triad” of confidentiality, integrity,
and availability. Ideally, the best time to
architect this is during the requirements
and design phase of a new system.
Developing applications with security already
designed in dramatically reduces the risk of
vulnerabilities and produces solutions that
have greater security assurance at lower
cost. By addressing new attack surfaces
early in the design cycle with a security
requirements analysis, security maintenance
and remediation needs are reduced during
the testing and operational phases.
Third, a dynamic cloud-based services
environment needs continual and ongoing
audit and compliance management.
A traditional regime of annual or monthly
audits becomes meaningless in an
environment that changes completely
on a daily or hourly basis. The dynamic
provisioning and deprovisioning of resources
is a key part of the cloud value proposition
and business model. This makes automation
of operational monitoring, continuous
audit, and compliance reporting essential
in this dynamic environment. To comply
with policy and legislation such as the EU
Data Protection Directive, GLBA, HIPAA, and
export compliance controls such as ITAR –
enterprises require continuously running
audit and compliance monitoring.
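The continuous audit the paragraph calls for is, in practice, a policy-as-code loop: evaluate every inventory export against the same rules and report what changed since the last run, so a volume that was encrypted at 09:00 and is not at 10:00 is caught without waiting for the annual audit. The Python below is an added example written for this article, not HP tooling or any provider's API; the snapshots, the resource field names and the three rules (owner tag present, encryption at rest, no SSH/RDP reachable from the internet) are constructed assumptions standing in for whatever a real inventory feed returns.

```python
"""Continuous compliance check over cloud inventory snapshots (added example).

Each snapshot is the list of resources an hourly inventory export might return.
Every rule is a plain function that takes one resource and returns a violation
string, or None when the resource passes, so adding a control is one function.
"""

# Constructed sample snapshots; field names are assumptions, not a real provider schema.
SNAPSHOT_T0 = [
    {"id": "vm-001", "type": "vm", "owner": "finance", "ports": [443], "public": True, "encrypted": True},
    {"id": "vol-010", "type": "volume", "owner": "finance", "encrypted": True},
    {"id": "vm-002", "type": "vm", "owner": "", "ports": [22, 443], "public": True, "encrypted": True},
]
SNAPSHOT_T1 = [
    {"id": "vm-001", "type": "vm", "owner": "finance", "ports": [443], "public": True, "encrypted": True},
    {"id": "vol-010", "type": "volume", "owner": "finance", "encrypted": False},                      # drifted
    {"id": "vm-002", "type": "vm", "owner": "dev", "ports": [443], "public": True, "encrypted": True},  # remediated
    {"id": "vm-003", "type": "vm", "owner": "", "ports": [3389], "public": True, "encrypted": True},    # new, non-compliant
]

ADMIN_PORTS = {22, 3389}


def rule_owner_tag(r):
    """Every resource must be attributable to someone who can answer for it."""
    return None if r.get("owner") else "missing owner tag"


def rule_encryption(r):
    """Volumes and VM disks must be encrypted at rest."""
    if r["type"] in ("vm", "volume") and not r.get("encrypted"):
        return "storage not encrypted at rest"
    return None


def rule_admin_ports(r):
    """SSH/RDP must never be reachable from the internet."""
    if r.get("public") and ADMIN_PORTS & set(r.get("ports", [])):
        return "admin port exposed to the internet"
    return None


RULES = (rule_owner_tag, rule_encryption, rule_admin_ports)


def evaluate(snapshot):
    """Return {resource_id: [violation, ...]} containing only non-compliant resources."""
    findings = {}
    for r in snapshot:
        hits = [v for v in (rule(r) for rule in RULES) if v]
        if hits:
            findings[r["id"]] = hits
    return findings


def drift(previous, current):
    """Diff two evaluations: what is new, what was fixed, and what is still open."""
    before = {(rid, v) for rid, vs in previous.items() for v in vs}
    after = {(rid, v) for rid, vs in current.items() for v in vs}
    return {
        "new": sorted(after - before),
        "resolved": sorted(before - after),
        "persistent": sorted(after & before),
    }


if __name__ == "__main__":
    t0, t1 = evaluate(SNAPSHOT_T0), evaluate(SNAPSHOT_T1)
    for kind, items in drift(t0, t1).items():
        print(kind, items)
```

The value of the drift view over a flat violation list is that the "new" bucket is what an on-call engineer needs to look at now, "resolved" is the evidence an auditor wants that remediation happened, and "persistent" is the backlog that budget discussions should be about.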
Continuous monitoring is also crucial for
enabling forensic examination and analysis
if a security breach or disclosure occurs. This
information must be available in real time
to facilitate rapid response, notification and
containment measures. We recommend
our HP Secure Boardroom, which provides a
single, graphical executive-level dashboard
of enterprise security status that aligns
information security at a corporate level.
This tool provides real-time views of current
security events and improves control
of security projects, audits, budgets,
and performance.
Finally, the use of cloud services significantly
alters an enterprise’s ability to exert strict
controls over infrastructure, storage and
network security measures. Enterprises
should conduct rigorous due-diligence
assessments of the selected service
providers’ infrastructure security policies
as part of service sourcing and contract
negotiations. This shouldn’t deter you from
seeking a security partner; you simply need
to assure that they take the time to hear
what you have to say, can deliver the full
package you need, and want you to succeed.
There is no doubt that security is a growing
challenge, especially as enterprises make the
move to cloud-based options. But security
can also be a promising technology tool by
which enterprises will achieve end results.
To make the most of it, you can’t go it alone.
HP experts work with your leadership team
to build a multi-year plan for success, and
help develop a better line of sight between
IT security investments and your business
results. Done right, enterprise security can
play a major role in enabling enhanced
growth, increased productivity, and practical
innovation – the primary business outcomes
that today’s CIOs want to achieve. i
How vulnerable is
your organization
Effective threat and vulnerability management lies
at the heart of an information security strategy.
But what are the best practices and strategies?
And does the industry sector make a difference
to how you apply those strategies?
Inventory
Analysis
Strategy
Without an effective threat and vulnerability
management strategy, it’s hard to deliver
efficient and business-focused security. To
establish such efficiencies, business leaders
need to engage three elements: a complete
asset inventory, a threat and vulnerability
analysis, and then a (revised or modified)
vulnerability management strategy.
Data lies at the heart of any organization;
in fact, analysts such as Forrester refer
to “data architecture” rather than more
traditional IT architectures. To undertake
a robust and coherent data asset inventory,
you need to determine where your
information and data assets reside across
the business.
In the age of virtualization and cloud
computing, this is not as easy as it used to
be. Business-critical data can be spread
far and wide and is sometimes duplicated or
residing on unauthorized virtual machines.
The challenge is finding the tools and
expertise to audit this disparate data, and
assess its vulnerability and threat exposure
through a risk-based inventory process.
However, any inventory also needs to look at
infrastructure and architecture, as well as the
data residing across it. And the process can –
and should – be intelligent and automated as
much as possible.
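One way to make the inventory step automated rather than a spreadsheet exercise, as an added example that is not part of the original article: reconcile the authorized asset register against what discovery actually finds, and fingerprint the data files on each machine so that copies of the same dataset are linked wherever they sit, including on virtual machines nobody registered. The CMDB records, the discovery output and the file contents in the Python below are constructed; in practice the VM list comes from the hypervisor or cloud API and the file hashes from an agent or share scan.

```python
"""Asset inventory reconciliation with data-copy detection (added example).

Compares the authorised register (CMDB) against what discovery actually finds,
then fingerprints the data files seen on each machine so that copies of the same
dataset are linked wherever they live, including on machines nobody registered.
"""
import hashlib

# Constructed authorised register; a real one would come from the CMDB.
CMDB = {
    "vm-101": {"owner": "finance", "datasets": ["customer_ledger"]},
    "vm-102": {"owner": "hr", "datasets": ["payroll"]},
    "vm-103": {"owner": "finance", "datasets": []},  # decommissioned, never removed from the register
}

# Constructed discovery output: VM ids from the hypervisor/cloud API plus file
# contents read by an agent or share scan. vm-200 is a clone nobody registered.
DISCOVERED = {
    "vm-101": {"files": {"/data/ledger.csv": b"acct,balance\n1,100\n"}},
    "vm-102": {"files": {"/data/payroll.csv": b"emp,salary\n7,5000\n"}},
    "vm-200": {"files": {"/tmp/ledger_copy.csv": b"acct,balance\n1,100\n"}},
}


def fingerprint(content: bytes) -> str:
    """Content hash: identical files match regardless of path or host."""
    return hashlib.sha256(content).hexdigest()


def reconcile(cmdb, discovered):
    unauthorized = sorted(set(discovered) - set(cmdb))   # running but not registered
    stale = sorted(set(cmdb) - set(discovered))          # registered but not running

    # Group every file seen anywhere by its content hash.
    seen = {}
    for vm, info in discovered.items():
        for path, content in info["files"].items():
            seen.setdefault(fingerprint(content), []).append((vm, path))
    duplicates = {h: locs for h, locs in seen.items() if len(locs) > 1}

    # A copy of a known dataset on an unregistered host is the finding to chase first.
    exposed = sorted({vm for locs in duplicates.values() for vm, _ in locs if vm in unauthorized})
    return {"unauthorized": unauthorized, "stale": stale,
            "duplicates": duplicates, "exposed_copies": exposed}


if __name__ == "__main__":
    for key, value in reconcile(CMDB, DISCOVERED).items():
        print(key, value)
```

Exact-hash matching only catches byte-identical copies; a partial export of the ledger would slip through. A production version would fingerprint at the record or column level (or use the DLP product's classifiers), but the reconciliation logic around it stays the same.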
Contemporary threats
Today, a threat to the sustainability
of the enterprise can consist of a mixture
of threats. It is important that a threat
and vulnerability audit and subsequent
management strategy takes account of
the rapidly changing nature of threats to
the enterprise. This is on top of more
traditional and more controllable threats
such as careless insiders, compliance
demands, vulnerable and aging IT
infrastructures, or “conventional” malware.
A CIO must take into account the growth of
sophisticated phishing techniques, targeted
attacks, and the emergence of advanced
persistent threats (APT). APTs are where
malware can lie undetected (for months) and
is able to steal IP and other sensitive data
streams directly from the most sensitive
parts of the enterprise. At the same time,
there is the growth of “hacktivism”. This is
where businesses are attacked by politically
motivated hackers intent on damaging a
business for a particular cause.
Different business sectors need
different approaches
Business threats exposed by vulnerabilities
in information architectures are no longer
a matter just for the CIO or CISO of an
enterprise – and certainly not just for the IT
department. Threats are detectable right
across the business and involve people and
policies as much as technology, and this is
fundamental to any TVM audit exercise.
Hacktivism is an
increasing threat in
any company today
TVM intelligence should be gathered through
independent discussions with senior business
managers, departmental heads, regulatory
bodies, and third-party stakeholders. It should
take a range of factors into account, such
as competitor analysis, geopolitical threats,
and information security strengths and
weaknesses across the business. The needs
of different business sectors and company
cultures must also be considered when
performing a TVM business audit.
The enterprise threat model
There are more sophisticated TVM tools
that can detail and break down the different
threats facing the business, target of attack,
and monitoring/mitigation techniques. These
threat models will differ by vertical industry
and also potentially by business unit for
larger, multisite enterprises.
These threat models should be shared
between enterprises (collaboration is
key) and with suppliers to align all of the
intelligence and resources needed to help
make critical assets more secure. The goal
is to be able to confidently answer the CEO
questions: “Who is attacking us? Why?
And how can we defend against this?”
Some questions to consider
Does the business condone the use of social
media for employee use and/or business
use, such as marketing? By engaging social
media, CISOs need to ensure that policies
and rules are agreed so that data and
information does not slip out unauthorized
through these channels.
Does the business have an effective Bring Your
Own Device policy? Effective BYOD policies
should include efficient measures to protect
corporate data and must include checks
to verify that opportunities for information
leakage or damage are controlled.
Do employees bring in their own devices
regardless of any policy? If they do, the
business must have detection controls in
place to ensure data is protected and the
use of personal equipment is controlled
to acceptable levels.
Does the business hold large amounts of personal
data such as customer financial details?
Bulletproof controls and policies are needed to
protect this most sensitive of information
against theft and leakage.
Does the business use the cloud for data
storage and services provision – for
example, cloud-based sales tools?
Does the business need to comply absolutely
with national and international governance
laws? Fines and other penalties make rigid
adherence to such laws compulsory through
policies and TVM solutions.
Employees that bring
in their own devices
can put company data
security at risk
Could the business be deemed at risk
from politically motivated hackers because
of its sector or line of business or even
its customers’ line of business? A risk
assessment across the business may
determine this and needs ongoing review.
Does the business play a role in national
infrastructure or defense services? Although
such businesses should already be well
policed, regular risk assessments are needed
to determine ongoing vulnerabilities. i
Resources
HP Enterprise Security Services Threat & Vulnerability
Management Fact Sheet
http://bit.ly/v2/GetPDF.aspx/4AA4-0799ENW.pdf
The CISO view: dealing
with consumerization
As part of our commitment to listening and responding
to the business security concerns of European enterprises,
we have hosted a number of dinners where CISOs are able
to discuss these concerns with their peers in a relaxed
and open manner.
Here we report on some of the findings
and recommendations from recent
gatherings in London, Frankfurt, Zurich,
and Stockholm, where consumerization
was on the agenda.
An overriding conclusion from the
discussions is that consumerization remains
firmly at the top of the CISO’s agenda and
is relevant to all businesses independent
of size and industry – and it’s not going
away. However, the extent to which they
are dealing with it varies considerably, and
responses suffer from lack of focus and
scarcity of robust intelligence on the subject.
CISOs find themselves under pressure
from other business leaders who, attracted
by the cost benefits, are keen to adopt
consumerization as fast as possible.
Businesses across Europe have
consumerization driven from the top and
bottom of the enterprise as employees
and business leaders seek to bring their
own devices into the workplace.
Within some markets, consumerization
brings unexpected complications as workers’
councils and trade unions can legally
demand that strict regulations be applied to
the introduction of any new IT services. The
challenge here is for consumerization and
BYOD to be implemented to comply with
legislation that, for example, stipulates that
workers only work during defined working
hours. Some manufacturers have to
block employee use of email during
non-working hours.
Meanwhile, SMBs have so little in the way
of IT resources that they simply have
to focus on keeping the infrastructure
functioning rather than regulating
consumerization and BYOD. The result is that
it happens by accident rather than design.
Are you losing the battle with
your employees?
We have known for some time that consumerization
is a very real threat to the security and stability
of businesses. Yet there remains a concern
that some CISOs are failing to grasp the urgency
and importance of this and have not put in
place systems to effectively manage data.
But this is a major shift in computing, and it’s
not surprising to learn that CISOs feel unable to
keep up with the pace of technology change.
They feel that the proliferation of tablet
devices (Android, iOS, Windows 8) and the
lack of real business intelligence about new
technology trends are making accurate risk-based
decisions increasingly difficult.
There are some short-term solutions. Third-party
suppliers of mobile device management
(MDM) solutions are likely to be popular as
CISOs look for off-the-shelf solutions. But in
the long term, risk-based data intelligence
tools are also needed.
It is clear that more sophisticated and
organic technical solutions, as well as secure
business policies, are needed across the
board. One such area is security analytics,
something that HP is investing heavily in to
assist CISOs dealing with consumerization
and other technology shifts.
With enterprise data spread far and wide and
held on consumer devices, knowing where
that data is and what is happening to it in
real time is crucial. Security analytics are
risk-based and able to address the
two key challenges of consumerization
in the enterprise:
– Vulnerability and threat management
– Identity and access management (IAM)
There is concern that viable technical
solutions for consumer devices themselves
are still some way off. Sand-boxing, where
data is separated on the devices, provides
a degree of protection for business data. But
there remains a fear that savvy users will
find a way to circumvent the sandbox
if they feel their experience is skewed or
hindered, according to some CISOs.
Getting the security message across
As mentioned, many CEOs and CFOs are
keen to adopt consumerization and BYOD
policies for the business advantages they
perceive they can deliver: lower purchase
and support costs, happier employees less
likely to lose devices they have invested in,
and a more attractive place to work.
CISOs need to do two things
– Understand the business case and
position themselves to lead the
implementation of consumerization
– Drive forward the security message
so that the business understands the
data and access management risks of
consumerization and plans accordingly
for the implementation
CISOs need to be proactive and ensure
they are seen as business enablers who
can deliver on the desired commercial
advantages of consumerization. But
they also need to make plain that
consumerization brings with it a number
of challenges that may affect the actual
level of budgetary advantages.
Some questions to consider
– Although the business can escape the
device purchase costs, what are the
actual liabilities of employee-purchased
devices used for the business?
– What about support costs – does the
employee take ownership of this, too?
– Traditional lifecycle management models
are redundant – so how do you manage
upgrades and replacement of employee-owned
devices?
– What are the legal implications of data
losses incurred on a consumer device?
Would the business be liable for damages
if third-party data was lost?
The six steps to managing
consumerization
CISOs are under huge pressure to deliver
on consumerization, and we don’t yet know
the full implications for business. However,
to repeat, it’s a trend that will only increase
exponentially – which is why CISOs cannot
ignore it. The six steps below are a guide
to preparing for adoption in the enterprise.
1 Accept that it is happening
A head-in-the-sand approach won’t
cut it. You have to accept that this is
happening even if you don’t yet see
significant numbers of devices in
the workplace.
2 Plan for adoption
This is crucial to the successful adoption
of consumerization. You need to liaise
with other parts of the business if this
is going to work. This will include other
C-suite members, especially the CIO and
HR director.
3 Know your sector and costs
Your industry sector greatly affects
the speed and acceptance of
consumerization, as does job type and
role. Factor this in when planning for
consumerization.
4 Put policies in place – decide who gets
what, when, and how
You need to rewrite the security
and IT policies to accommodate
consumerization. This means
developing a set of policies that
define those devices, applications,
and working practices.
5 Consider security analytics
to protect consumerized data
Consumerization is largely a shift in
technology ownership and processes.
But at its heart remains the need to
protect data at rest and in transit, and to
know what is happening to it in real time.
6 Embrace change
Don’t try and fight social trends – the
merging of personal and work functions
and the disruptive pattern of work is here
to stay and is a global trend. Be open to
new ideas, new technologies,
and applications. i
Resources
Video: Sukhi Gill, Fellow and EMEA chief technologist,
HP Enterprise Service, discusses the topic of
“Consumerization & the Enterprise.”
http://bit.ly/KBXO6Q
HP Security Analytics
http://bit.ly/personal/mcm/SecurityAnalyticsDataSheetFINAL.pdf
The cost and benefits of BYOD
http://bit.ly/PA4oQf
White paper: How to plan for consumerization:
the seven steps
http://bit.ly/NeZHuk
A secure approach to consumerization
http://bit.ly/V2/GetPDF.aspx/c03229083.pdf
Working on
the inside
The insider threat ranges from careless handling of data by employees right up to malicious insiders seeking to damage the business from within. How security-conscious is your workforce?
The phrase “know your enemy” is particularly
appropriate for information security. The
more you know about the motives and
actions of those that seek to harm your
business through cyber attacks, the better
prepared you can be.
However, the insider threat is potentially the most damaging and the hardest to defend against. It demands that enterprises look beyond traditional technology controls to process, behavior, and motivation. Classifying employees and partners is as important as classifying data. Searching for and monitoring anomalous behavioral patterns is where enlightened organizations are investing, and the tools to do this are available.
There is no patch for people
Although IT hardware can be made as
watertight as possible through software
patches and hardware updates, those using
the systems are far harder to modify. Your
employees are prime examples of “smart
people doing dumb things.” For example,
they can be relied upon to take short cuts,
download data they shouldn’t, create
unauthorized virtual machines, or click on
malicious links in emails – to name but a few.
More worrying is the malicious insider.
These can be categorized as a disgruntled
employee seeking to harm the business,
a criminally motivated employee, or one
secretly working on behalf of a criminal gang
or competitors. Today you can add to that
list the “politically” motivated employee
seeking to expose the business for what they
singularly judge to be unethical behavior by
leaking assets to the press or social media.
These are all very real threats.
A recent case involving two of South Korea’s high-tech giants illustrates how employees are also quite capable of stealing intellectual property, the crown jewels of most businesses. According to news reports, Samsung accused its rival LG of using insiders working on its behalf at Samsung to steal details of OLED technology, said to be the future for flat-screen TVs. According to the reports, 11 people, including executives from LG, were indicted on charges of leaking or taking core display technology from Samsung. Six other suspects involved in the incident were former or current researchers at Samsung Mobile Display. LG denies any wrongdoing.
The rise of business-focused services such as LinkedIn presents new and surprising dangers. A recent case in the UK demonstrates this. A court ordered that a former employee who resigned to start his own consulting business turn over all his LinkedIn contacts to his former employer, along with proof that he had not used them as clients. The case suggested that LinkedIn contacts belong to the company, not the employee, although this remains a point of legal dispute. Either way, the potential for damage is there: How do you monitor how employees use LinkedIn and other social media, particularly after employment is terminated? Employers need to realize the impact of the fully open nature of such networks, where individual details and information are routinely shared, and put in place enforceable policies and controls.
Managing the insider threat with security
intelligence tools
There are four key steps to mitigate insider
threats. Driving all these is the need for
effective monitoring of employee activity
and data flows, and the ability to create
alerts for suspicious activity.
1 Manage data assets
You cannot begin to protect the business
from insider (and external) threats if you
do not understand the importance and
topology of your data sets across the
business. These include any data sets
held outside in cloud clusters or other
third parties. Therefore, a 100% audit
of data assets is required, using data
management and auditing tools.
2 Monitor employee activity
To protect against employee error and
malicious activity, systems need to be
incorporated that can identify employee
and data interaction. These actions need
to be recorded: identity of employees,
and time spent with data and volume
of data transactions. For example, if an
employee was spending large amounts
of time accessing data that was out of
his or her normal sphere, this would
raise an alarm. Advanced access
management should be able to provide
context to behavior. For example, it
should allow for special projects or
temporary shifts in employee roles
and prevent false positives.
3 Integrate employee risk management into the business
Employees are the key asset of any business, and employee behavior is not just a matter for the security function. Any such systems, and the behavioral data they produce, need to be shared with the board and key staff such as the COO and HR director. Although effective access management and employee risk programs should prevent incidents, the wider human function would be to understand why employees behave the way they do. Why do they seek shortcuts, and why do they download data to USB sticks? Looking at the patterns from employee risk programs and monitoring should help secure more efficient data usage. Employees generally just want to get their job done. By integrating people risk into the business and analyzing historical behavior, risk profiles can be applied to employees across the enterprise.
4 Focus on the malicious insider
Although employee error can cause unwanted data incidents, the malicious insider presents the more dangerous risk to the organization. If the first three steps are taken, malicious activity will be rendered transparent. Those accessing data assets without any technical or role justification borne out by step two will instantly raise a red flag. After malicious activity is defined, security leaders can monitor activity to learn potential motives or shut down access and activity instantly.
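The baseline-and-anomaly logic that step two describes, run over a handful of constructed access-log lines, as an added example that is not part of the original article or of any HP product. The log format, the user and dataset names, the approved-assignment list and the volume threshold are all assumptions made for the example; a production SIEM such as ArcSight would take its events from real audit sources and its role and project context from the access management system:

```python
"""Baseline-and-anomaly detection over constructed access-log lines (example only)."""
from collections import defaultdict
from datetime import date, datetime

# Constructed sample log, not real data. Each line: ISO timestamp, user, dataset, bytes read.
# This window is treated as "normal" behaviour and used to build per-user baselines.
BASELINE_LOG = """\
2012-06-04T09:12:00 alice hr/payroll 120000
2012-06-04T14:02:00 alice hr/benefits 45000
2012-06-05T10:30:00 alice hr/payroll 98000
2012-06-05T11:00:00 bob eng/oled-specs 310000
2012-06-06T09:45:00 bob eng/oled-specs 275000
2012-06-06T16:20:00 alice hr/benefits 52000
"""

# Constructed detection window: alice reads engineering data outside her normal sphere,
# bob bulk-downloads data that is inside his, carol is a newcomer on an approved project.
DETECT_LOG = """\
2012-06-11T08:05:00 alice hr/payroll 110000
2012-06-11T08:40:00 alice eng/oled-specs 900000
2012-06-11T22:15:00 bob eng/oled-specs 4800000
2012-06-11T10:00:00 carol eng/oled-specs 50000
"""

# Assumed approved temporary assignments (the "special projects" context of step two):
# (user, dataset, start date, end date). Access covered here is not an outside-role alert.
ASSIGNMENTS = [
    ("carol", "eng/oled-specs", date(2012, 6, 10), date(2012, 6, 30)),
]

# Assumed threshold: a single read larger than this multiple of the user's mean read fires.
VOLUME_MULTIPLIER = 5


def parse(log):
    """Turn the whitespace-separated log text into (timestamp, user, dataset, bytes) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, user, dataset, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), user, dataset, int(nbytes)))
    return events


def build_baseline(events):
    """Per user: the set of datasets normally accessed and the mean bytes per access."""
    datasets = defaultdict(set)
    totals = defaultdict(lambda: [0, 0])  # user -> [total bytes, event count]
    for _, user, dataset, nbytes in events:
        datasets[user].add(dataset)
        totals[user][0] += nbytes
        totals[user][1] += 1
    means = {user: total / count for user, (total, count) in totals.items()}
    return datasets, means


def is_assigned(user, dataset, when):
    """True if an approved temporary assignment covers this user, dataset and date."""
    return any(u == user and d == dataset and start <= when.date() <= end
               for u, d, start, end in ASSIGNMENTS)


def detect(baseline_log=BASELINE_LOG, detect_log=DETECT_LOG):
    """Return (user, rule, dataset) alerts for events in detect_log that break the baseline."""
    datasets, means = build_baseline(parse(baseline_log))
    alerts = []
    for ts, user, dataset, nbytes in parse(detect_log):
        # Rule 1: data outside the user's normal sphere, unless a project assignment explains it.
        if dataset not in datasets.get(user, set()) and not is_assigned(user, dataset, ts):
            alerts.append((user, "outside-role", dataset))
        # Rule 2: a read far larger than this user's usual volume, even for in-role data.
        mean = means.get(user)
        if mean is not None and nbytes > VOLUME_MULTIPLIER * mean:
            alerts.append((user, "volume-spike", dataset))
    return alerts


if __name__ == "__main__":
    for user, rule, dataset in detect():
        print(f"ALERT {rule:13} user={user} dataset={dataset}")
```

Carol's read of the engineering dataset is outside her (empty) baseline but is covered by an approved temporary assignment, so nothing fires; that assignment list is the context step two asks for, and without it every legitimate project move would be a false positive. Alice trips both rules, and Bob trips only the volume rule because the data is within his role but the quantity is not.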
Resources
UK court orders ex-employee to hand
over LinkedIn contacts
http://bit.ly/PLoaU
HP Arcsight Security Intelligence
http://bit.ly/OpJd6L
HP Intelligent Management Center User
Access Management Software
http://bit.ly/Q1X9jk
HP Security Intelligence and Risk Management
http://bit.ly/QPBKZB
Beware the three-headed monster
Businesses face three
significant threats
to the security of
corporate data and
information, but the
attacks, methods, and
motives vary widely.
Cyber attacks against businesses are a fact of life, and the number of attacks is increasing. What not so long ago might have been considered a nuisance level of attacks against businesses has grown into a threat to national security. In June 2012, Jonathan Evans, the head of the UK’s security service MI5, said that attacks against UK industry had reached “astonishing” levels.
“There are industrial-scale processes
involving many thousands of people
lying behind both state-sponsored cyber
espionage and organized cyber crime.
Vulnerabilities in the Internet are being
exploited aggressively not just by criminals
but also by states,” he said.
The same can be said for other major economies across the world. So who is behind these attacks and what drives them?
1 Cyber crime
By far the biggest threat to any business comes from hackers working alone, although there is an increasing threat posed by organized crime groups interested simply in stealing information and data for monetary gain. While it is hard to quantify exactly how much money businesses and consumers lose globally, a number of reports have examined the effect on the bottom line. One such report, the annual Cost of Cyber Crime study sponsored by ArcSight, an HP company, and conducted by the Ponemon Institute, surveys the cost of cyber crime to US business. In the most recent survey (2011), its three key findings were:
“Cyber crimes can do serious harm to an
organization’s bottom line. The median
annualized cost of cyber crime for 50
organizations in the study is $5.9 million
per year, with a range of $1.5 million to
$36.5 million each year per company.
This represents an increase in median
cost of 56% from the first cyber
cost study (2010).”
Cyber attacks have become common occurrences. The 50 companies in the study experienced a combined 72 successful attacks per week, which works out to more than one successful attack per company per week. This represents an increase of 44% over the successful attacks experienced in the 2010 study.
The most costly cyber crimes are those caused by malicious code, denial of service, stolen devices, and web-based attacks. Mitigating such attacks requires enabling technologies such as security information and event management (SIEM) and enterprise governance, risk management, and compliance (GRC) solutions.
Elsewhere, Group-IB, a Russian cyber crime
investigation and computer forensics firm,
put the global cybercrime market at $12.5
billion in 2011 – $2.3 billion of which it said
came from the Russian national cyber crime
market, up from $1.2 billion in 2010.
Source of cyber crime
The majority of organized cyber crime gangs originate in the US, Eastern Europe, and China, although most nations will now have some level of cyber crime. There is little research available on how these groups operate in detail, but there are some patterns. Eastern European gangs tend to favor targeting financial information and Western financial organizations, while Chinese gangs seem to be more interested in stealing intellectual property. Neither specialization is exclusive, however: both are involved in both kinds of theft.
The actual structure of such gangs is thought
to be loose but represents an online version
of how street gangs and “foot soldiers”
operate in the real world. Junior members
do the dirty work on the streets and pass the
profits up the chain. The difference is that
online criminals tend to work alone and may
never encounter their “affiliates” or bosses
or even be aware that they are working for
a gang.
It is known that the “street” concept works in illegal online forums where credit card details and other financial data are actively traded among cyber criminals, complete with recommendations and descriptions of the personal details for sale. Law enforcement agencies such as the FBI infiltrate these sites by posing as cyber criminals. The carding forum DarkMarket is the best-known example: an undercover FBI agent rose to become one of its administrators, and when the sting was wound up in 2008 it led to dozens of arrests in several countries.
2 Hacktivism
The kind of people who operate at the sharp
end of malicious cyber activity tend to be
drawn from the same social group – young,
male outsiders who happen to be attracted
to computers and hacking in particular.
A trawl of the Internet will reveal a maze of underground hacking groups whose motives are hard to determine behind a rash of semi-revolutionary slogans and calls to action.
According to Wikipedia, “Hackers could also
gain credibility by being affiliated with an
elite group. The names of hacker groups
parody large corporations, governments,
police, and criminals and often used
specialized orthography.”
Some of these groups exist to encourage
malicious activity as a way of proving hacker
credentials among the hacking community.
Others see hacking as a means to keep
the Internet “free” from big business and
government. It’s from this that a new cyber
threat has emerged in recent years – the
so-called “hacktivist” groups, the most famous of which are Anonymous and LulzSec.
These groups see themselves as kind of
online freedom fighters and will attack
businesses not for financial gain but to right
some perceived wrong – thereby attracting
young, idealistic, and impressionable people.
And while they may not want financial gain,
they can do a lot of damage. For example, Anonymous led a series of denial-of-service attacks against Visa, MasterCard, and PayPal after the payment services withdrew services from the whistleblowing site WikiLeaks.
Those behind Anonymous will often claim
that their actions are justified and that they
are only interested in Internet freedom and
democracy. But the tactics and methods they
use are the same as cyber criminals – just as
illegal and just as destabilizing to business.
Their self-determination, unwavering
commitment, and self-righteous stance put
them not far from the modus operandi of
terrorist groups – and to many businesses,
this makes them almost as much of a threat.
Although a string of arrests among
Anonymous and LulzSec members seemed
to stem attacks in 2012, new groups have
recently sprung up vowing to carry out
further attacks.
3 Cyber warfare
The emergence of cyber warfare represents
perhaps the most disturbing trend for
information security experts to deal
with in recent years. It involves powerful
state actors willing to develop and use
highly sophisticated cyber weapons in
acts of warfare and as part of clandestine
operations to destabilize nations and critical
businesses such as banking
in peacetime.
Defense experts see cyberspace as the “fifth domain” of warfare, alongside land, sea, air, and space. US government security expert Richard A. Clarke, in his book Cyber War, defines “cyber warfare” as “actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption.”
This rapidly moved from concept to reality when the Stuxnet computer worm was discovered in 2010. Its purpose was to sabotage the Siemens industrial control systems driving the uranium-enrichment centrifuges of Iran’s nuclear program, and the damage it did was reported to have set the program back by at least a year. Though never officially admitted, security experts believed that the US and Israel were behind the development of the worm. Although this was a targeted attack, the worm spread well beyond its target and infected systems in other parts of the world, including India; its sabotage payload, however, was written to activate only on the specific Siemens configuration it was looking for.
Although the Stuxnet incident may not have been a threat to most businesses, the willingness of nation-states to develop and use cyber weapons means that all businesses are now threatened.
To underline the point, 2012 saw the emergence of the Flame malware. Discovered in the wake of attacks on the Iranian oil industry, Flame is an espionage toolkit rather than a destructive weapon: it was built to collect documents, screenshots, keystrokes, and audio from infected machines, and the same techniques could be turned on other industries around the world. Like Stuxnet, Flame is believed to have been created by state actors.
Hostile states will use cyber weapons for
industrial espionage and, in the event
of full hostilities, to potentially disable
critical infrastructure. This means targeting,
for example, supermarket supply chains,
transport networks, and telecommunications.
CISOs working in these industries need to
be aware that hostile actors will already
be probing their networks looking for
vulnerabilities and attack routes. Cyber
warfare may be in its infancy, but there
is no doubt that it has arrived.
Resources
ArcSight Cost of Cyber Crime Survey
http://bit.ly/pftNlW
Anonymous and LulzSec
http://cnet.co/KElpE9
The Darkmarket
http://bit.ly/3y5ZSB
The Flame virus
http://bbc.in/McYYaj
The changing
of the guard
As the world enters the age of super mobility,
some businesses are having to adjust
strategy and security policies accordingly.
One response is to appoint information
leaders into new roles to manage mobility
and other trends as an integral part of
a secure business. Paul Fisher reports
on how the CISO may evolve into chief
mobility operating officer and chief
business security officer.
According to analyst firm Forrester, by 2016,
around 1 billion consumers will own smart
phones or other smart mobile devices and
most of those are likely to be connected to
business networks in some way.
Now consider just how advanced and
capable today’s smart devices are: Think
iPhone 5, iPad, or the myriad of Android
and Windows 8-powered devices, and then
consider how much more capable the same
devices will be in another four years.
We may even be seeing the first 5G devices, as
mobile networks look to maximize returns on
bandwidth investment and usher in a new
age of mobile services, super-connectivity
and usability.
The rise of ubiquitous mobile computing and always-on connectivity has huge social implications for the way we live, interact with information, and access business services.
It also has huge implications for you as
a CISO and the information you seek to
protect. Most importantly, this trend could
very well mean rethinking the entire role
and job description.
For some time, CISOs have felt under
pressure to integrate with the business
and stop thinking simply about technical
solutions to security and locking down
architecture. Now the architecture
they seek to protect is changing in front of
their eyes, and the pressure is increasing.
The business is spread far beyond the
traditional enterprise barriers, and this is
the business that they need to protect.
Rafal Los, one of HP Software’s security
evangelists, has blogged on this theme.
He endorses Forrester’s prediction that CISOs
may have to reinvent themselves as chief
business security officers (CBSO). He says:
“I will admit that I am warming up to the idea
of the CBSO. Is it a replacement for a CISO?
I don’t believe so, but that’s going to depend
on the company size. In an enterprise
environment, just as the role of the CIO and
CTO have been split, the roles of the CISO
and CBSO will likely be split in the future.”
Forrester also says in the report: “To make
this transition, CISOs must demonstrate a
traceable alignment to business objectives
and bring greater financial and risk
management discipline to security strategy
and decision making.” Thus it is not enough
for CISOs to be business minded: They need
to be business aligned.
But if we need CBSOs to deal with overall business security, do some CISOs need to think about changing to, or appointing, another hybrid role to deal with the staggering growth of mobility? Could we also see the emergence of the chief mobility operating officer (CMOO)?
Consider what is happening to the enterprise.
We are seeing a shift from IT departments to
“personal information spaces,” from desktop
PCs to the “anywhere desktop,” and from IT
architectures to “data architectures.”
Behind these shifts, we see technologies
such as the cloud, virtualization, and web-based applications powering the business
revolution. And this will all mean shifting
budgets to mobility projects.
According to Forrester, “The shift will reinvent
the business: 350 million employees will
use smartphones, and business spending on
mobile projects will have grown by 100% to
over $20 billion per year [by 2016].”
It also expects spending on mobile apps
to hit a staggering $55 billion in 2016.
This is much more than changing employee
work patterns and behaviors: Consumer
interaction with businesses is shifting via
social media, instant feedback, and personal
marketing opportunities – all available across
ever-present, hugely capable mobile devices.
Advantages of the super mobile
enterprise
– It puts you closer to your customer
than ever before.
– It speeds up business transactions
like never before.
– Employees can own their own data
and their own architecture on the
anywhere desktop.
– It closes the gap between social media activity and business action.
– Applications need not sit on expensive
and mostly redundant desktop devices.
– Employees can work from anywhere,
anytime, at reduced cost.
– Secure and thin code apps will become the
business tools of the super mobility age.
– Next-generation networks (4G, 5G)
will enable business-class video
conferencing from mobile devices.
But all these advantages will not be enabled
unless a new mindset is put in charge of the
mobility strategy. The CMOO need not be
burdened with traditional IT and information
security thinking: They need to be leaders
and visionaries for the business, and
re-engage with the original promise of IT –
that it can be a driver for business and not a
hindrance – which has sadly failed with the
billions of dollars worth of legacy IT around
the globe. The CMOO must be a reformer for business advantage and usher in new systems of engagement with technology.
Challenges of the super mobile enterprise
– Super mobility data flows render
traditional data management tools
redundant.
– Data must be risk assessed like never
before – new tools are needed.
– Employee, user, customer, and
consumer roles will blur across
the mobility landscape, proving
a challenge for existing IAM tools.
– Choice of business technology will be
driven by consumer-focused companies:
such as Apple, Google, and Samsung.
– The “old” IT department is not in control.
– The speed of development across
mobility far outstrips traditional
desktop PC-based business.
– Other business departments will push
for – and more likely win approval for –
mobility options faster than a traditional
CISO can adapt.
To become either a CMOO or CBSO (or
even simply an “enlightened” CISO that
encompasses CMOO and CBSO thinking) goes
beyond the realm of traditional CISO thinking
and strategy. This is much more than an
IT role. To meet the business and security
challenges of the new digital business
environment where industry, suppliers,
customers, partners, and consumers all
meet, the reformed CISO must be a strategic thinker. They must be able to traverse and communicate across the whole business and use the onset of super mobility to the business’s advantage. They need the following skills:
– The social awareness to anticipate
trends before they happen and respond
– The ability to speak across the business
to enable adoption of new market
models in a “business first” manner
– The ability to remove from their thinking
the lockdown security mindset and focus
on the advantages of super mobility
– The willingness to embrace the data architecture and work with advanced partners to find data solutions that fit the new business world
Unfortunately, there isn’t much time to find
or learn these new skills. As Rafal Los says,
organizational and cultural change, resource
management, and time are the enemies
now. It should be clear that the CISO who
does not evolve is the CISO who will struggle
and possibly wither in the super mobile
business operating environment that is
emerging in your market right now.
Resources
Is it time to reinvent the CISO?
http://bit.ly/RngZbu
Changing of the guard – a perspective on the changing
CISO role
http://bit.ly/OtgSwC
Four key requirements to address the needs
of the super mobile worker
http://bit.ly/ybaevd
Changing your data
http://bit.ly/KWxENa
A security man who
means business
Quentyn Taylor is the
director of information
security, governance, and risk
at Canon Europe. He is known
in the industry for being one of
its most progressive security
professionals. Inform went to
meet him and discovered
that his thinking is matched by
acute business sense.
In person, Quentyn Taylor is charming,
engaging and obviously committed
to his chosen business as much as his
profession. He talks passionately and
knowledgeably about Canon’s products,
including its class-leading digital cameras,
of which he is a huge fan. He can’t wait for
the just-announced new EOS M mirrorless
cameras, he says. You feel he could happily
talk all day about Canon, but we are here
to find out about his particular approach
to information security for the Japanese
electronics giant and how CISOs are adapting
to being seen as business leaders and
enablers. Should they be aiming for the board? Yes, but perhaps not in the way many people perceive, according to Taylor.
“I think there are a lot of people who go by
the title CISO who are not actually CISOs
– certainly not chiefs. A chief sits in the
board as far as I am concerned, but I don’t
see many security people who actually sit
on the board. At a conference someone asked me, ‘What metrics do you need to get on the board?’ I said, ‘That probably shouldn’t be your goal.’ The board has lots
of things to talk about – business decisions,
financials, the world economy. In reality, the
information security processes that you are
putting in place should influence the board,
so this nirvana of standing in front of the
board and presenting is only going to happen
when something has gone badly wrong. If
you stand and say everything is perfect, the
board is just going to think ‘we’ve got better
things to discuss’,” he says.
But wouldn’t others argue that CISOs should
do precisely that as part of business, given
the complexity of risks and threats that face
most businesses today? Taylor refuses to
see this as the information security officer’s
role by default, but rather that of those
responsible for managing risk. He argues
that the person responsible for overall risk
should sit on the board, but that it also
depends on the type of business.
“Perhaps if the company is a pure-play risk business, for example financial services that manage risk. But a lot of companies are making risk decisions all the time, and there is a disconnect between those and the actual line of business. Here the CISO is not appropriate,” he says.
So, board member or not, does he feel he is a business enabler at Canon Europe?
“Yes, because being a business enabler also
means saying yes when your gut instinct is
to say no. People say that the CISO carries
no risk, that he or she just quantifies the risk
and passes it on – that’s incorrect,” he says.
“You cannot hold the business risk, but you
do carry risk in any advice you give. People
say in a perfect world that you shouldn’t
give advice – just quantify the risk and leave
the decision to a ‘business’ person. But
the business person will say to you, ‘Why should I do this and not that?’ And that’s
the difference – you are making the risk
decision for the business. You are enabling
the business.”
Quentyn Taylor
has been with Canon
Europe since 2003
His team now covers the information
security needs of the company’s entire
Europe, Middle East and Africa (EMEA)
operation. He also led the creation
of an ICT academy that provided
structured training plans for more
than 350 staff based all around EMEA.
Prior to joining Canon Europe, Quentyn
was the IT security manager at Fotango,
the online photo service that was
subsequently taken over by Canon. Before
that he was with Internet startup group
Netscalibur as NOC team leader. Quentyn
has an honours degree in biological
sciences from the University of Brighton.
He writes his own blog, “Security in a
Modern Age,” at:
http://www.quentyn.com/.
Taylor is not especially optimistic about the prospect of security professionals breaking out of the IT silo, from which most still start their careers, and emerging as vanguard business leaders such as the CEO. His own proactive approach, however, should serve as inspiration to others, and it comes down to that old maxim: get involved.
“The typical business executive comes up
through the company stack having worked
in marketing, sales, finance, and other
departments. To be a CEO, you will have
worked through the company or done your
time at others. In infosecurity and IT, it is
much harder to do that, and siloed security
is not good for the business,” he says.
“A siloed security team is a non functioning
team. Here I have had opportunities to talk
to business people where I have suggested
adding security to products as a selling
point. And they said, ‘Really?’ And then we started having discussions with my opposite numbers in other companies, and my people would say, ‘Why are they asking this?’ And the answer is because that’s what they want: Why don’t we offer it to them? If I was head
of security at the other company, this is how I
would want things sold to me.”
Taylor explains that in his day-to-day
business he spends 60% of his time not
doing “infosecurity stuff,” as he puts it.
Instead he spends it with customers, with
the business people, developing bits and
pieces to help salespeople responding to
tenders. He says there has been a huge rise
in information security questions
coming in on tenders, especially on printers.
He also finds time for some product testing,
assessments, and penetration testing, and
produced a business guideline on secure
documentation and printing. He argues that
focusing on the sales advantage of security
has a positive impact on the internal security
aspect of his role.
“This is the great thing: Now that you
are using security to reinforce the sales
message, you suddenly have an advantage
when it comes to selling internal security.
You are no longer just standing there
shouting about viruses, blah blah blah.
You are actually saying, ‘This is why you
need security to benefit the business.’ And
because of the credibility you have built up
with the salespeople, suddenly the internal
sell becomes much easier.”
No interview with any leading CISO would
be complete without a discussion about
the impact of consumerization, and
Taylor is happy to oblige. Being a major consumer brand itself, is Canon an enthusiastic adopter?
“We are very much embracing it here at Canon, yes. Unless you work in an industry that remains highly regulated – public services, for example – consumerization is a direction you are going to have to go in. It’s an advantage, it’s a benefit. No longer having to worry about the device but the data. And that’s important. It’s not popular with the vendors, but it’s not about the
technology anymore. It’s about talking to
HR more than anything,” he says.
He likens the onset of consumerization to
the process that happened with company
cars, where once employees had to drive
what they were told – even fill up at the
company petrol station, as happened at
one of Taylor’s first companies. Now they
choose their own car.
“A lot of people think consumerization is
about bringing in your own iPhone. No, that’s
not consumerization – consumerization is
saying that we are going to allow anything,
and you have to remember that. What’s the difference between an iPad and a laptop? None. So if you are going for
consumerization, then you are going
for bringing your own endpoint
computing device.”
While enthusiastic about consumerization,
Taylor concedes that making a business case
for consumerization can be challenging, and
there is more to consider than just making
employees happier.
“It’s not just about the upfront savings on
the device, but about how much that service
costs in the long term. Somebody will
eventually work that out. If you took 10,000
employees and asked them all to get mobile
phone contracts, they would all come back
with 10,000 individual data contracts. If you
went to a carrier and said, ‘I would like a
10,000 seat contract,’ you are likely to get
a good deal. And that’s the nasty little fact.
Yes, it can be cheaper because the company
isn’t paying for certain things, but someone
is and that may well get passed on – so overall, does it make financial sense? That’s
the key challenge, and you need to work that
out in order to manage consumerization,
because ultimately, it is unstoppable,”
he says.
Another hot topic is the changing roles of the CISO and the CIO, even to the extent of merging to a degree. Taylor sees some sense in this and in learning from enlightened CISOs who have worked out how, as he says, “to monetize information.” He believes too many CIOs are locked into the IT part, the infrastructure, rather than the process of moving information, whether it is on consumer devices, printers, or any other device. He’s dismissive of Forrester’s concept of a chief mobility officer, although he likes the concept of a chief social media officer that he’s heard about. “The blending of marketing and IT into one role – now that’s interesting.”
Taylor’s more revolutionary ideas revolve
around the future of IT, which he believes
will be totally outsourced and leased. Some
might believe that this is a step too far, one
that brings with it untold danger and risk.
Taylor is quite relaxed about the prospect.
“It doesn’t bring any new dangers. To me
it’s like old wine in new bottles. From the
CISO’s point of view, it’s like a change in risk,
a consolidation of risk – so it’s actually a
good idea. I think we will have a time where
you will get all your IT from an external
company. In fact it’s already happening with
identity services. When you start at a new
company, your information will be picked
up by the company from some federated
business sitting on the Internet. Corporates
are moving away from services that are not
core to them, leaving it to other specialist
companies to get on with it,” he says.
Quentyn Taylor, then: a CISO prepared to think differently, to pose difficult questions about current and future security, and to keep looking for the answers. At the same time, he is truly integrating security into the business by influencing the marketing of Canon’s products. Perhaps he will be CEO one day.
Access management in the new information age
At the heart of any business,
whatever its size, are two
fundamental drivers:
data and people.
One cannot function without
the other, and the enterprise
cannot function without the
two interacting.
At the nexus of data and people lie identity and access management (IAM). The need for efficient and secure IAM has only increased. But will new IAM solutions emerge to meet the challenge?
Business data flows and access needs shift
rapidly. This means that CIOs and CISOs
need to think more creatively about
deploying IAM – not just in terms of software
but also through people-focused and
business-first policies.
For example, access and identity systems for
employees may need extending to authorize
partners and even customers as businesses
evolve to meet the challenges of four computing
megatrends: cloud, mobile, social, and big
data. These pressures only emphasize the
need to deliver on a fundamental task of
any IAM system: give people the access they
need, ONLY that level of access, and with
zero latency.
Getting the right data to the right people
Data classification now takes center stage, with data lifecycles and content classification forming the heart of IAM policies and systems in the new operating environment of the four megatrends. Up until recently, controlling access to data was relatively simple, but today’s “extended enterprise”, created by exponentially increasing numbers of endpoints (employees often have more than one endpoint device), virtualization, and cloud environments, has rendered old IAM models redundant.
More flexibility is needed. Trust needs to
be extended right across the business and
access rights granted to the right people
when they need it. If a key employee,
data owner, or partner is denied access
incorrectly, that transaction is interrupted
with consequent impact on costs, projects,
and efficiencies.
Worse, if the wrong people gain access (hackers, malicious insiders), resulting in denial of service, malware, targeted attacks, or IP theft, then the whole business is damaged. So how can the urgent need for efficient access in this new world be married to security?
IAM needs to deliver
secure access – but at the
speed that contemporary
business demands.
New IAM options
In this context, we need better IAM systems that deliver secure authentication using some of the very trends and technologies that are challenging current IAM solutions. According to analyst firm Forrester, IAM projects are 70% people, process, politics, communication, and training, and only 30% technology.
A part of that 30% that could help build better IAM is already in the hands of millions of employees: the smartphone. Given that the endpoint is where IAM systems often fail, through poor password management, unreliable biometrics, and false positives, a device that reliably recognizes a unique individual is key to new IAM efficiency. The latest generation of smartphones features face recognition intended to let only the registered owner unlock the device, and IAM systems that can take advantage of such capabilities are already being developed.
The emergence of big data can also be
exploited by new generation IAM. We all
now contribute personal and unique data
to the big data stack. By mining this, IAM
can provide authentication to the new
world of partner and customer access
and prove the validity of the person at
the end point looking for entry. The key is
the management system and its ability to
process authentication data in real time
and provide access to the right people and
the right data. By using personal smart
devices that the users already know and
feel comfortable with (because they
chose it), authentication could potentially
become transparent.
Directory management and federation is key
Legacy IAM systems will increasingly struggle in the new data environment described above. New-generation IAM must focus on the data and on the directories of user information that are critical to properly identifying users and determining their access rights. Business-focused IAM must be able to set up, manage, and federate these directories so that authorized users can be enabled wherever they are and however they access enterprise data.
The challenge for future IAM systems
Current market solutions aren’t flexible enough to adapt to changing and fluid workforces operating in a complex environment of cloud, social media, and big data stacks, as employees access and process data from multiple endpoints. IT needs to be a business process enabler (faster provisioning and deprovisioning) and to deliver a central view of who operates within the organization and how they operate, whether on mobile devices or in cloud environments. In the new information age, CIOs will demand IAM systems that tell them what their data assets are and who can access them, and that provide efficient and secure access to the right people. It is up to the industry to innovate and deliver future-proof IAM solutions.
Old systems will fade away
René J. Aerdts, chief technologist of automation and HP Fellow, sums up the challenges that secure IAM faces. In his blog he says: “Organizational structures are rapidly shifting from systems of records to systems of engagement. Owned assets, reactive ‘sense-and-respond’ mindsets, periodic change, applications focused on transactions, and a dependence on historic data characterize systems of records. Systems of engagement feature virtual assets, continuous change, proactive cause-and-effect mindsets, applications focused on interaction, and real time analytics.”
“We’ll invent adaptive and inventive dynamic security systems”
[Chart: Security topics that’ll keep us up at night: the top security and risk management concerns of senior IT executives in 2020, each rated as extremely concerned, somewhat concerned, or not very concerned. Concerns listed: data privacy and information breaches; risk associated with increased consumption of application and IT services across public, private, and hybrid cloud; lack of skilled resources to effectively manage security; intermingling of personal and business technology; disruption caused by natural or man-made disasters; failure to seize on the latest technology to protect systems and data.]
Resources
HP Labs PPT: Economics of Identity and Access Management: Providing Decision Support for Investments, http://bit.ly/MLhQ40
HP identity and access management services, http://bit.ly/t6GIAJ
Shifting innovation to ‘always on’, by René J. Aerdts (HP Enterprise Services blog), http://bit.ly/nLWGc1
Creating clouds that protect your business
In our 2011 Insight piece on cloud computing, we quoted a call to action from analyst group Gartner. It stated: “The significant benefits of agility and cost savings delivered by cloud computing are too compelling to ignore. Forward-thinking enterprises are answering the questions of cloud computing not with an if, but with a when.”
One year on and that statement is, if
anything, more compelling and more urgent.
The economic arguments for cloud have
intensified as the Eurozone crisis continues
to strangle recovery, particularly in Europe
but also across the world. Embattled
CIOs are feeling the impact of the global
downturn through squeezed budgets
and the expectation to deliver tighter IT
efficiencies within those budgets. And the
solution is increasingly found in the cloud –
but not necessarily by those with security
in mind. This remains the main challenge
of cloud computing: how to ensure that
the use of the cloud is secure, especially
when functions are outsourced to third-party
cloud providers.
According to a survey by analyst group
IDG, more than one-third of IT budgets
are now spent on cloud-based computing.
However, the report makes clear that the
decision to move to the cloud isn’t about
cost alone; it’s part of a shift in overall
IT strategy.
According to the survey, one-fourth of
respondents believe cloud will play a critical
role in shaping future business strategy. It
also says that cloud computing is likely to
grab a larger slice of IT budgets in the next
few years, stating: “Close to two-thirds
of companies expect to increase cloud
spending in the next 12 months. On average,
organizations will increase cloud computing
spending by 16%.”
However, while the business and economic
imperatives for cloud are stronger than ever
(and driven by anxious CEOs), the security
concerns that we highlighted last year
have not gone away for the CIO or CISO. If
anything, they have increased. This is due to
the global increase in cyber criminal activity
and the introduction of new data compliance
laws around the world, such as the EU
Privacy Laws governing the use of cookies
on websites (see resources below).
To reiterate, the prime security concerns
are mostly around loss of control and
visibility – something CISOs tend not to like.
This manifests itself in:
– Lack of clear data ownership
– Unauthorized data uploads and
downloads to and from the cloud
– Lack of compliance with various
governance laws across different regions
– Basic trust issues with partners and
customers using cloud to store and
transmit business data
Another security concern often overlooked in discussions about the cloud is the emergence of cloud-based consumer apps such as Google Docs, Dropbox, and others. Employees are increasingly using these to process corporate data on mobile devices, often without authorization. This is where consumerization and the cloud meet.
Even within the enterprise, another cloud
risk has started to pose problems. The
availability of cheap “off-the-shelf” cloud
resources such as Amazon Web Services
has given rise to employees setting up
unauthorized and temporary private clouds
for special projects, often with little thought
for security policy or processes.
As IDG has found, more and more
corporations are turning to the cloud by
increasing the proportion of their IT budgets
spent on cloud infrastructure.
It is then imperative that the CIO and CISO
focus on this shift and position themselves
at the head of the revolution and not at
the back chasing, desperately plugging the
security gaps afterwards. One year on and
the advice on getting ahead on cloud security
remains the same – but the processes
urgently need to be put in place.
So there still has to be an intelligent and sequential shift to the cloud. Many enterprises are thus experimenting with a “hybrid” delivery model that engages with external cloud providers, internal private clouds, and existing IT architectures.
So the message to information leaders in 2012 is that it is now virtually impossible to resist the shift to the cloud. It is the future for both technological and budgetary reasons.
Any reputable cloud provider or consultancy should fundamentally recognise this and be able to provide the support and knowledge to enable the customer to perform a cloud risk assessment, either in partnership or via in-house resources.
The importance of a risk-assessed and quantified shift to an ongoing existence in the cloud cannot be over-emphasized.
HP has a new cloud readiness tool that
enables CISOs and CIOs to determine their
own roadmap for adopting and securing the
cloud (see Resources below).
It is vital that individual enterprises get
the cloud services that are appropriate to
the market sector, existing IT policies, and
the kind of data central to the business.
Financial services, retail, and public sector organizations such as hospitals, for example, need more stringent controls on the use of cloud than other industry sectors. Such risk-averse organizations need a cloud delivery model that meets their risk position head on.
head on. In the push to the cloud, a “one
size” cloud does not fit all, and working with
a trusted and experienced provider should
factor in this equation. Gradually the industry is starting to classify and accredit cloud-based services to deliver such trust. One such mechanism is the Cloud Security Alliance Security, Trust, and Assurance Registry (CSA STAR). CSA STAR is designed to index the security controls of cloud providers through a 170-point self-assessment questionnaire whose answers prospective customers can then review (see Resources below). HP is fully committed to supporting this initiative for its cloud-based services. Even if a chosen provider has not yet joined the initiative, the questionnaire serves as a useful device to challenge and rate potential cloud providers. If a cloud provider cannot document and stand behind its security framework across all of its services, it would be better to look elsewhere.
The advantages of the cloud are too good
to ignore – cost efficiencies, faster ways
of working and business agility – but the
security of enterprise data is too important
to ignore if businesses are to avoid brand
damage and financial penalties via data loss
in the cloud. A joined up and trusted partner
approach to adoption of cloud remains the
only way to marry these two.
Like any advanced secure business thinking, cloud can only deliver its commercial advantages when adoption follows a risk-based approach that delivers the technical and business solutions that will benefit the enterprise. This is an important message to take to the board.
And finally, like any IT model, cloud computing must ultimately serve the enterprise, its employees, its partners and most of all its customers within a secure business environment.
Resources
ICO Guidelines on EU Privacy Laws
http://bit.ly/eQZtln
HP Cloud Readiness Scorecard
http://bit.ly/bnkq4z
CSA STAR
https://cloudsecurityalliance.org/star/
HP Converged Cloud Management and Security
http://bit.ly/UxXlbm
Dealing with disaster
Business-focused CISOs spend much of their working lives trying to prevent a security breach occurring, but the odds are that such an incident will one day happen. How can they prepare themselves, and what procedures should they put in place when the worst happens?
The thought of a major or even a minor
breach happening in their business
is enough to bring most CISOs out in
goosebumps. After all, this is exactly
what they are supposed to prevent.
However, given the level of threats and
number of malicious actors willing to
attack businesses – as well as the danger
of employee negligence – the chances
of a breach are higher than ever.
If a breach happens, it’s important not to get into a blame game and start looking for scapegoats. The investigation into what went wrong and what failed can wait until the immediate effects of the breach have been mitigated, provided that the evidence it will need (logs, disk images, access records) is preserved rather than overwritten during the clean-up.
As most types of attack can be anticipated –
for example a denial of service or malware
attack – the security leaders should have
contingency plans written and ready in
advance. The actual details of any such
plan will differ depending on the severity of
the attack, the type of business, and, most
importantly, whether third parties such as
customers or partners are affected.
However, any contingency and continuity
(C&C) plan should contain the following
basic elements for when a breach or security
incident has been discovered.
1 C&C plan first step
A pre-appointed emergency C&C team
consisting of the CISO, CIO, and all other
relevant stakeholders should convene when
news of a breach or incident is reported.
From here they need to determine urgently
what has happened – but not at this stage
how – and move to assess the damage.
The number, timing, and scope of future
meetings will be determined by the
seriousness of the breach and how long
the immediate breach crisis lasts. This
stage should also be able to weed out the
possibility of false positives (which will still
need a report on how they occurred and
any damage to the business).
2 C&C plan second step
Detailed reports need to be compiled on the exact nature of the attack or accidental data loss. An appointed risk assessor, as part of the C&C team, will analyze and report on the potential cost and the level of risk to business continuity. If it is clear that third parties are at risk of exposure, then the PR, Comms, and legal teams need to be alerted to prepare a media response. This is a critical part of the process: how effectively communication to affected parties (data owners, consumers, or government) is managed will influence the final extent of damage to brand and company reputation.
At this point, the CEO, the CMO, PR, and Comms teams should collectively decide if and when to go public with the news. This will depend on how precisely the C&C team can determine the risk of data having been released into the wild, and on any statutory notification obligations that apply to the data involved. But it needs to be balanced against the risk of the media finding out about the breach anyway, which may leave the business looking incompetent or as if it is trying to hide. Key customers and partners need to be reassured as soon as possible that their data is secure.
3 C&C plan third step
When identified, affected systems and architecture need to be locked down and isolated. This will prevent any malware-borne attack from spreading. Once these are locked down and quarantined, hygiene and repair processes can be applied to systems. This step may take longer than expected, however, as modern malware can be persistent, and malware detected may have planted further malware as “sleepers.”
4 C&C plan fourth step
Once the immediate steps have been
taken, the C&C team can start planning
for the forensic investigation into what
happened – whether an external malware
attack, malicious insider, or employee error.
This will be a highly technical exercise
involving examination of log files, data flows,
access records, and firewall management
records. Time is of the essence, however,
as the media and legal teams will need
to be briefed on the damage – as will the
CISO and CIO. They will need to take the
necessary steps to rebuild affected systems
and potentially reconfigure defenses and
policies. This step should thus ensure that
the risk of further structural damage to the
organization is eliminated.
5 C&C plan fifth step
Any incident, while damaging and a drain on
resources, does at least provide a learning
exercise. If handled correctly, it can lead
to tighter security and preparedness for
future attacks. Therefore, once the incident
has been “closed,” all stakeholders should
contribute to an incident response report
(IRR), led by the CISO or CIO, that details the
full findings of steps 1-4, what went wrong,
and what was needed to mitigate this attack.
Its summary should detail recommendations
for systemic and policy improvements to
prevent future attacks. If the breach went
public, then the report should also detail the
media response and any negative impact on
the organization and how this was mitigated.
These five steps are obviously high level,
and any actual contingency plan would be
much more detailed and vary depending on
the organization and industry sector.
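Step 4’s log examination is the one part of the plan that can be rehearsed in code before an incident. The following is an added illustration, not HP’s or netForensics’ code, of correlating two of the evidence sources that step names, authentication records and firewall records, into a single timeline: a burst of failed logins followed by a success from the same source, then the outbound connections from the victim host that the firewall allowed shortly afterwards. The log formats, host names, addresses, and the host-to-IP map are all constructed for the example; a real investigation would adapt the two regular expressions to the actual syslog and firewall formats in use.

```python
"""Correlate authentication and firewall records into an incident timeline.

Added example for the forensic step (step 4) of the contingency plan above;
it is not HP's or netForensics' code. The log formats, host names, IP
addresses, and the host-to-IP map below are constructed for the example.
"""
import re
from datetime import datetime, timedelta

# Assumed formats: ISO 8601 UTC timestamp, reporting host, then either an
# sshd-style login message or a firewall record with key=value fields.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) "
    r"(?:password|publickey) for (?P<user>\S+) from (?P<src>[\d.]+)"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) \S+ OUTBOUND src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)"
)


def parse(lines, regex):
    """Parse lines matching regex; lines in other formats (cron etc.) are skipped."""
    events = []
    for line in lines:
        m = regex.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            if "dport" in ev:
                ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def find_compromises(auth_events, fail_threshold=3, fail_window=timedelta(minutes=5)):
    """Flag an accepted login preceded by at least fail_threshold failures for the
    same (host, user, source) inside fail_window: the signature of a guessed
    password. A success resets the failure count for that key."""
    found, failures_by_key = [], {}
    for ev in sorted(auth_events, key=lambda e: e["ts"]):
        failures = failures_by_key.setdefault((ev["host"], ev["user"], ev["src"]), [])
        if ev["result"] == "Failed":
            failures.append(ev["ts"])
            continue
        recent = [t for t in failures if ev["ts"] - t <= fail_window]
        if len(recent) >= fail_threshold:
            found.append({"host": ev["host"], "user": ev["user"], "attacker": ev["src"],
                          "first_failure": recent[0], "compromise": ev["ts"]})
        failures.clear()
    return found


def attach_egress(compromises, fw_events, host_ips, window=timedelta(minutes=15)):
    """List outbound connections the firewall allowed from each victim host within
    window after the suspicious login (candidate exfiltration or C2 traffic)."""
    for c in compromises:
        victim_ip = host_ips.get(c["host"])
        c["egress"] = [
            (e["ts"], e["dst"], e["dport"]) for e in fw_events
            if victim_ip and e["src"] == victim_ip and e["action"] == "ALLOW"
            and c["compromise"] <= e["ts"] <= c["compromise"] + window
        ]
    return compromises


def build_timeline(auth_lines, fw_lines, host_ips, fail_threshold=3):
    """End-to-end: parse both sources and return one record per compromise."""
    compromises = find_compromises(parse(auth_lines, AUTH_RE), fail_threshold)
    return attach_egress(compromises, parse(fw_lines, FW_RE), host_ips)


# Constructed sample records (RFC 5737 documentation addresses, fictional hosts).
AUTH_LOG = [
    "2012-06-14T01:58:00Z web02 sshd: Accepted publickey for alice from 10.0.9.4",
    "2012-06-14T02:11:05Z db01 sshd: Failed password for svc_backup from 203.0.113.5",
    "2012-06-14T02:11:09Z db01 sshd: Failed password for svc_backup from 203.0.113.5",
    "2012-06-14T02:11:14Z db01 sshd: Failed password for svc_backup from 203.0.113.5",
    "2012-06-14T02:11:20Z db01 sshd: Failed password for svc_backup from 203.0.113.5",
    "2012-06-14T02:11:31Z db01 sshd: Accepted password for svc_backup from 203.0.113.5",
    "2012-06-14T02:30:00Z db01 cron[412]: (root) CMD (run-parts /etc/cron.hourly)",
]
FW_LOG = [
    "2012-06-14T02:00:10Z fw01 OUTBOUND src=10.0.9.2 dst=10.0.1.2 dport=53 action=ALLOW",
    "2012-06-14T02:12:40Z fw01 OUTBOUND src=10.0.5.21 dst=198.51.100.77 dport=443 action=ALLOW",
    "2012-06-14T02:13:02Z fw01 OUTBOUND src=10.0.5.21 dst=198.51.100.77 dport=4444 action=DENY",
    "2012-06-14T03:40:00Z fw01 OUTBOUND src=10.0.5.21 dst=198.51.100.77 dport=443 action=ALLOW",
]
HOST_IPS = {"db01": "10.0.5.21", "web02": "10.0.9.2"}  # assumed asset inventory

if __name__ == "__main__":
    for rec in build_timeline(AUTH_LOG, FW_LOG, HOST_IPS):
        print(f"{rec['compromise']:%Y-%m-%d %H:%M:%S} {rec['user']}@{rec['host']} "
              f"guessed from {rec['attacker']} (failures from {rec['first_failure']:%H:%M:%S})")
        for ts, dst, port in rec["egress"]:
            print(f"  {ts:%H:%M:%S} allowed egress to {dst}:{port}")
```

Run stand-alone, it prints the reconstructed timeline for the constructed logs: the guessed svc_backup password on db01 and the one allowed connection to 198.51.100.77:443 that followed it. The denied connection and the later connection outside the window are deliberately left out of the result to show the filtering; the thresholds (three failures in five minutes, a fifteen-minute egress window) are illustrative starting points rather than tuned detection rules, and the same approach extends to any further evidence source the investigation adds.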
Resources
HP and netForensics – Security Information
Management solutions
http://bit.ly/UxXP0Z
© 1994-2012 Hewlett-Packard Company. All rights reserved. All product and
company names referenced herein are trademarks of their respective owners.
This document is provided for informational purposes only. Information provided
in this document is provided as is without warranty of any kind, either expressed
or implied. Registered Office: Cain Road, Bracknell, Berkshire RG12 1HN
Registered in England number: 690597
We can protect what matters. Together.
The cloud, mobile technologies and social networking offer
new business opportunities – but also create some of your
biggest security challenges. HP’s proven and innovative
security solutions can help you manage risk, be compliant
and maximize your investments. You can confidently open
up your enterprise to compete, share and progress – whilst
protecting the information that matters.
hp.com/enterprise/security