Is Big Brother watching you? IT Pro Strategic Security Report in Association with Juniper Networks
This fascinating read into the security challenges facing companies and individuals globally and daily is highlighted in this strategic report from IT Pro, supported by Juniper Networks, which demonstrates the technology and the business advantage that can be taken today to combat the ever-increasing security challenges faced in a digital age.

Published in: Technology, Business
Transcript of "Is Big Brother watching you? IT Pro Strategic Security Report in Association with Juniper Networks"

  1. Cover: A quarterly IT strategy special report from the experts at IT Pro. The IT Pro Report, an IT Pro publication, in association with Juniper Networks. Spring 2014.

     Is Big Brother watching you? The big eye in the sky has us all worried. Should we be fearful or thankful it’s watching over us?
  2. About our sponsor

     Juniper Networks is the industry leader in network innovation. Our silicon, systems and software transform the economics and experience of networking for service providers and enterprises worldwide. Juniper enables high-performance networks that combine scale and performance with agility and efficiency, so customers can build the best networks for their businesses. For more information, please visit: http://www.juniper.net/uk/en/

     Feature: The surveillance state: Fact or fiction? (page 33)

     Welcome to the future: We are watching you. Are we headed for a future where our every moment is watched and analysed? Should that dictate our behaviour or should we just get on with things and relax?

     Maggie Holland has been a journalist since 1999, starting as editorial assistant on Computing magazine. She is now group editor of Cloud Pro and IT Pro.

     There is one CCTV camera for every 11 people in Britain. Add to that the human element in the form of special agents, security guards, police and military and it’s safe to say you are being watched wherever you are. There’s nothing new about any of that, though. Businesses – whether commercial organisations watching over employees to ensure they don’t trade secrets or fiddle the books, or retailers clamping down on shoplifters – have always protected their interests. Now, however, the game has changed. And not everyone is playing fair.

     You know what you know

     The NSA PRISM debacle shone a spotlight on surveillance and monitoring. Those that we should trust (government) implicitly have ultimately betrayed us. They’ve done things they pretended they didn’t do, shouldn’t do, we thought they never would do. The trust is forever broken. Yes, there are the numerous arguments that it’s for the greater good. Many people won’t dispute this is fact. Indeed, many feel it’s not what has been done, in terms of monitoring, that’s the issue. It’s the deceit that hurts the most.

     “Transparency and openness are certainly paramount objectives for any processing of information,” says Sally Annereau, data protection specialist at law firm Taylor Wessing. “People are generally prepared to accept that for law and order purposes, it will be appropriate to allow law enforcement bodies to access certain types of records. However, effective democracy rests on an electorate being kept informed so public bodies and governments can be held to account if their actions step beyond what are viewed as the boundaries of acceptable use.”

     While the number of cameras and monitoring tools around us is growing, we shouldn’t always blame the government. Indeed, research published by the British Security Industry Association (BSIA) claimed that privately owned CCTV systems outnumber those of local authorities and police by around 70:1.

     “There is a popular misconception that the camera population in the UK is owned by the government. The BSIA statistics set the record straight once and for all. It is private businesses who own the material camera population, not the government. Day to day, these cameras are not available to the government and law enforcement agencies, they are busy working to protect their owner’s premises,” said Pauline Norstrom, vice chair of the BSIA’s CCTV section.

     Feature: Monitoring: The IT department’s view (page 19)

     Keeping tabs without compromising privacy or security. There’s a fine line between protecting company interests and overly snooping on employees and what they get up to, as Stephen Pritchard discovers…

     Stephen Pritchard has been a journalist since 1990. Today his main specialisms are business, technology and finance. He writes for a number of national and international titles, and is a contributing editor and columnist for IT Pro.

     Since Edward Snowden’s revelations, discussions on surveillance have understandably focused on government monitoring. But, used correctly, monitoring is a valuable resource for IT departments, both in the battle against hacking and cyber crime, and also for improving IT operations. Monitoring, though, is not without restrictions. Laws, especially data protection laws, employment laws, HR practices and privacy norms all limit some types of surveillance. This applies, in particular, to monitoring employee behaviour and their use of data and applications.

     At the same time, better use of monitoring, and instrumentation, can give IT departments a much better view of the way networks and applications are performing. Application performance management, but also business process management, rely on activity monitoring to work – although it need not go down to the level of monitoring who is doing what on the network.

     A watchful eye

     Monitoring can also provide a vital early warning both against cyber attacks, and of data leakage or theft. Data loss prevention (DLP) tools again rely on monitoring, both of data flows and user behaviour. A DLP application, for example, will flag if an employee who normally accesses half a dozen customer records in a day suddenly starts to download thousands. Active monitoring is also a key weapon for defending against advanced persistent threats, or APTs. APTs, unlike other forms of malware, are designed to be stealthy. Monitoring for unusual network activity, or data exfiltration, may be the only way to spot an APT at work.

     “There are plenty of good reasons to monitor IT and network usage. Security: obviously understanding what is going on in a network is the mainstay of preventing the ingress of malware and the egress of sensitive data. By linking the latter to users, [firms can] spot and correct careless behaviour and root out malicious users,” says Bob Tarzey, analyst and director at Quocirca.

     “But it’s also about user experience. The way the network performs is a key part of understanding the end-to-end user experience. This is especially necessary for organisations that provide on-demand services to consumers, other businesses and partners, which is two-thirds of all business in Europe.” (see Quocirca research report here)

     He adds: “Then there is business process monitoring: making sure business processes are as efficient and secure as possible. But companies can also gain operational intelligence. This goes beyond security and into commercial insights. For example a call centre can monitor actual call volumes or waiting times and see if these correlate with other data, such as customer type or

     Contents, Spring 2014

     • Prologue (P3): A foreword by Cloud Pro and IT Pro group editor Maggie Holland.
     • What’s happening to my data? (P5): Khidr Suleman puts the case for and against surveillance and monitoring.
     • What are we scared of? (P9): We take a look at the key enterprise fears when it comes to access and security.
     • Monitoring: The employer’s viewpoint (P13): We look at how employers should approach security and monitoring.
     • Monitoring: The employee’s viewpoint (P16): We look at security and monitoring from the individual user’s perspective.
     • Monitoring: The IT department’s viewpoint (P19): How can the IT department monitor and maintain security without invading privacy or locking everything down?
     • Cloud: Friend or foe? (P22): What role does cloud play in this new world filled with fear, uncertainty and doubt?
     • Case study: Mozzart Bet (P25): The European betting firm worked with Juniper Networks to enhance security and uptime and achieve 99.9% availability.
     • Q&A: John Mancini, AIIM (P27): He stresses the importance of protecting your company’s biggest asset.
     • Q&A: Rodney Joffe, Neustar (P29): We talk to the security advisor about the challenges ahead.
     • Q&A: Henrik Davidsson, Juniper Networks (P31): We discuss the fears and uncertainty surrounding security and monitoring issues in the enterprise world.
     • Are we headed towards a surveillance state? (P33): Will George Orwell’s predictions of the future come true?
     • Where next? (P36): Rene Millman ponders what the future holds when it comes to monitoring.

     Spring 2014, www.itpro.co.uk. Editorial: Editor Maggie Holland (maggie_holland@dennis.co.uk, 020 7907 6837). Contributors: Steve Cassidy, Max Cooter, Caroline Donnelly, Clare Hopping, Jane McCallion, Rene Millman, Stephen Pritchard, Khidr Suleman. Design and layout: Sarah Ratcliffe. Editorial Director: Tim Danton. Publisher: Paul Franklin. Advertising and reprints: Advertising Manager Paul Lazarra (paul_lazarra@dennis.co.uk, 020 7907 6857). Licensing and syndication: International Licensing Dharmesh Mistry (+44 20 7907 6100). Management: Group Managing Director Ian Westwood; Managing Director John Garewal; MD of Advertising Julian Lloyd-Evans; Chief Operating Officer Brett Reynolds; Group Finance Director Ian Leggett; Chief Executive James Tye; Chairman Felix Dennis.

     All material © Dennis Publishing Ltd, licensed by Felden 2013, and may not be reproduced in whole or part without the consent of the publishers. Liability: While every care has been taken in the preparation of this magazine, the publishers cannot be held responsible for the accuracy of the information herein, or any consequence arising from it. Dennis Publishing Ltd.
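The DLP behaviour described in the “A watchful eye” passage of the page-19 feature above (an employee who normally touches half a dozen customer records a day suddenly downloading thousands) comes down to comparing each user’s daily volume of distinct records with that user’s own history. The Python below is an added illustration written for this page; it is not code from the IT Pro report, from Quocirca or from any Juniper product. The log line format, the sample lines and the threshold parameters are constructed assumptions. In keeping with the article’s point about privacy, the check counts how many records a user touched, never what those records contain.

```python
"""
Baseline-deviation check of the kind a DLP tool applies to record access.
Added example; not code from the IT Pro report or from Juniper Networks.
The log format (date user action record-id), the sample data and the
thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev


def synth_lines(user, day, action, n, start=1000):
    """Build constructed access-log lines for one user on one day (sample data, not real)."""
    return [f"{day} {user} {action} cust-{start + i}" for i in range(n)]


# Constructed sample: alice and bob each touch a handful of customer records a
# day; on the last day alice pulls down thousands, far above her usual volume.
SAMPLE_LOG = (
    synth_lines("alice", "2014-03-03", "VIEW", 6)
    + synth_lines("bob", "2014-03-03", "VIEW", 5)
    + synth_lines("alice", "2014-03-04", "VIEW", 7)
    + synth_lines("bob", "2014-03-04", "VIEW", 4)
    + synth_lines("alice", "2014-03-05", "VIEW", 5)
    + synth_lines("bob", "2014-03-05", "VIEW", 6)
    + synth_lines("alice", "2014-03-06", "DOWNLOAD", 3000)
    + synth_lines("bob", "2014-03-06", "VIEW", 5)
)


def daily_record_counts(lines):
    """Parse 'date user action record' lines into {user: {day: distinct record count}}.

    Only the number of distinct record ids per user per day is kept; the
    action and record ids themselves are discarded once counted.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        parts = raw.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole run
        day, user, _action, record = parts
        seen[user][day].add(record)
    return {u: {d: len(r) for d, r in days.items()} for u, days in seen.items()}


def baseline_threshold(history, min_floor=20, sigma=3.0, ratio=5.0):
    """Count above which a day is anomalous, derived from the user's own history.

    min_floor stops a tiny or empty baseline from firing on noise; the larger of
    mean + sigma*stdev and ratio*mean bounds the threshold for steady users.
    All three parameters are assumed values to be tuned per organisation.
    """
    if not history:
        return min_floor
    mu = mean(history)
    return max(min_floor, mu + sigma * pstdev(history), ratio * mu)


def find_spikes(counts, day, **threshold_params):
    """Return alerts for users whose count on `day` exceeds their baseline.

    The baseline is built only from days before `day` (ISO dates compare
    correctly as strings), so a spike never contaminates its own baseline.
    """
    alerts = []
    for user, per_day in sorted(counts.items()):
        if day not in per_day:
            continue
        history = [c for d, c in per_day.items() if d < day]
        threshold = baseline_threshold(history, **threshold_params)
        if per_day[day] > threshold:
            alerts.append({
                "user": user,
                "day": day,
                "count": per_day[day],
                "baseline": round(mean(history), 1) if history else None,
                "threshold": round(threshold, 1),
            })
    return alerts


if __name__ == "__main__":
    counts = daily_record_counts(SAMPLE_LOG)
    for alert in find_spikes(counts, "2014-03-06"):
        print(f"ALERT {alert['user']} touched {alert['count']} records on "
              f"{alert['day']} (baseline {alert['baseline']}, threshold {alert['threshold']})")
```

On the sample data alice’s history of 6, 7 and 5 records a day gives a threshold of 30, so her 3,000 downloads on 2014-03-06 raise one alert while bob’s steady 4 to 6 a day raise none. The threshold floor matters in practice: a user with one quiet day of history has almost no variance, and without the floor a second day of ordinary work would trip the alarm.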
  3. Prologue: No-one likes being watched: Or do they?

     Maggie Holland, Editor, IT Pro

     The NSA’s PRISM surveillance programme has changed the world as we know it. Yes, we’ve always suspected that the government is watching over certain people and certain activities, but we never suspected just how far such monitoring went. Some people feel really uneasy about what they believe is a large and worrying invasion of their privacy. They don’t agree that a blanket, just-in-case approach to monitoring is justification enough to snoop on innocent people. Others feel that if you’ve done nothing wrong you have nothing to be worried about and that such actions are necessary for the greater good.

     The debate is likely to rumble on for some time to come about whether the NSA’s programme was an acceptable use or abuse of power. However, it has also shone a spotlight on wider concerns relating to monitoring and security. In a world where data volumes continue to grow and we’re offering up personal information to the internet and connected devices on a daily basis, how can we be sure that only those that need to see it actually do? What are the key fears in an enterprise context? How can business and IT decision makers protect their company’s most-prized assets, while at the same time avoiding crossing the creepy and intrusive line?

     Khidr Suleman puts forward the arguments for and against surveillance operations like PRISM, while Jane McCallion offers advice for businesses on how to effectively monitor without being a creep. Caroline Donnelly looks at things from the employee’s viewpoint and warns individuals to be wary of workplace monitoring, while Stephen Pritchard approaches the issue from the IT department’s perspective. We also look at the role cloud plays in all this and try to decide whether its reputation has been damaged by operation PRISM. In addition to some great Q&A pieces with industry experts, we also take a look into what the future holds and ponder whether George Orwell’s 1984 has moved from fiction to fact. The novel depicted a scary future surveillance state - are we headed in that very direction?

     We hope you find this special report informative and useful as you navigate the important but danger-filled world of monitoring. As always, we welcome your feedback on what you enjoyed about this report and what you’d like to see in future issues. Thanks for reading.

     For further insight on security, visit www.itpro.co.uk/security. Let us know your thoughts: we’re keen to hear your feedback on this report and find out what you’d like to see included in the next one. Get in touch at report@itpro.co.uk.
  4. Feature: What’s happening to my data? NSA PRISM surveillance: Necessary evil or a misuse of power?

     Khidr Suleman takes a look at the facts and ponders whether monitoring has taken a step too far...

     Khidr Suleman is technical editor at IT Pro and has been in the role since March 2012. Prior to that he worked for fellow B2B tech publication V3 as a reporter.

     Is digital privacy dead? When former NSA analyst and whistleblower Edward Snowden outed Project PRISM during the summer of 2013, he presented a convincing case that the US government is watching us. Following the revelations, the NSA admitted that it “touches” 1.6 per cent of data which passes through the internet every day. However, it claims the collection is the equivalent of putting a dime on a basketball court and that just 0.025 per cent of data is reviewed by analysts. This may not sound like a lot but it still means the NSA processes around 29PB of data per day - more data than the 20PB web giant Google handles on a daily basis.

     Is this form of indiscriminate monitoring on such a global scale simply the price we have to pay for all the technology we can use in the modern world? Or is it a giant leap too far? And can the positives of such surveillance ever outweigh the negatives?

     Pro surveillance: Sacrifice for the greater good

     Isn’t the whole point of the data collection to make the world a safer place? The internet is now critical to our daily lives. It’s not only the primary source of information for us most of the time, it’s also the cornerstone of our economies - providing jobs and facilitating the transfer of goods and services. Unfortunately, the internet is also heavily abused. The web is used not only to plan, but to promote and execute atrocious actions including paedophilia and terrorist attacks. If there is even a remote possibility that such heinous crimes can be prevented via some form of monitoring, isn’t it the duty of law-abiding citizens to comply? Even if that means sacrificing digital privacy? Look across Capitol Hill and you’ll find plenty of people who will argue this to be the case. The NSA claims its surveillance programmes and solutions, such as
  5. Feature: What’s happening to my data? (continued)

     its XKEYSCORE analytics tool, are necessary. The agency claims to have captured 300 terrorists using intelligence generated in this way. In his testimony to a Standing Committee on Intelligence in June 2013, NSA chief General Keith Alexander claimed more than 50 terror plots have been foiled since 9/11 because of the programmes in place. These include plans to attack the New York Stock Exchange and the New York City subway system with possibly devastating consequences.

     So is having emails scanned and metadata collected from phone calls really that big a deal, if there’s a possibility that it could help save just one life? In that context, a reasonable person would likely respond in the affirmative, especially when you consider that most emails are spam, the content of phone calls is not disclosed and there is no proven impact on the daily life of innocent people.

     You could go further and say that society has already willingly consented to monitoring on a daily basis. We’ve all got smartphones that can track our locations to within metres, ISPs have access to our internet browsing habits and, if you live in an urban area like London, the chances are your face is plastered over CCTV walls on a daily basis. With wearable technology such as Google Glass on the horizon, the arrival of smart rubbish bins, and encrypted email services run by Lavabit in addition to Silent Mail being shut down, the lack of digital privacy is perhaps something we’re going to just have to get used to.

     Against surveillance: It’s a gross misuse of power

     Data collection isn’t always illegal. And many questions most definitely remain over the effectiveness of this method. On the face of it, it seems the NSA can’t be trusted with the great responsibility of the powers it has been granted.

     In the US, the 4th amendment in the Constitution protects civilians from unreasonable searches and seizures and sets out requirements for search warrants based on probable cause. Almost all other countries have similar laws, which aim to protect the rights of citizens. The Human Rights Act 1998 is used by European member states and Article 8 guarantees a right to respect for private and family life – a law which at times is so liberally applied that it even protects the rights of known criminals.

     By collecting information from US citizens and foreigners, the NSA is ignoring fundamental laws that the US and its allies are built on. And with the US Congress and secret FISA Court green-lighting this without input from citizens, who’s to say that further down the line these bodies may not choose to restrict other Constitutional rights. Freedom of Speech, Freedom of Religion and even Freedom of the Press may be curtailed in the future - all in the name of safety.

     In fact, the limiting of Freedom of Speech already appears to have started. Google has already tried to use the first amendment to challenge bodies such as the DoJ and allow it to reveal information about data collection - unsuccessfully, so far. And the web giant isn’t the only one to have been silenced. Ladar Levison, owner of encrypted email site Lavabit, made the decision to shut down the service after apparent pressure to grant access to customer information. The exact reasons

     Albert Einstein: The world is a dangerous place to live; not because of the people who are evil, but because of the people who don’t do anything about it.
  6. Feature: What’s happening to my data? (continued)

     behind the closure are unclear, as Levison explained. “I feel you deserve to know what’s going on - the first amendment is supposed to guarantee me the freedom to speak out in situations like this,” he said. “Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests,” he noted on the site.

     Not enough

     Despite the NSA claiming to have foiled 50 attacks, questions remain over how and why some of the world’s deadliest attacks such as 9/11 and the Boston bombing slipped through the net. In the case of 9/11, reports suggest the NSA started collecting data in some form around seven months prior to the attack and that other agencies, including the FBI and CIA, knew of a substantial threat and even the identities of the hijackers. It would seem all parties involved failed to co-operate and act. Certainly not in time anyway. Perhaps more worrying was the failure to prevent the Boston bombings given the length of time

     Box: US Intelligence head slams NSA PRISM monitoring

     Dianne Feinstein, the head of the US Senate intelligence committee, has switched sides on the NSA spying scandal, calling for a total surveillance review. Feinstein had been one of the NSA’s strongest supporters in the face of criticism over reports it monitored internet and telephone communications as part of PRISM. She had been quoted as saying the mass collection of data did not constitute surveillance, as “it does not collect the content of any communication, nor do the records include names or locations”. However, allegations that the agency has been spying on leaders of allied countries have prompted an about-face on Feinstein’s part.

     “Unless the United States is engaged in hostilities against a country or there is an emergency need for this type of surveillance, I do not believe the United States should be collecting phone calls or emails of friendly presidents and prime ministers,” Feinstein said in a statement. “With respect to NSA collection of intelligence on leaders of US allies – including France, Spain, Mexico and Germany – let me state unequivocally: I am totally opposed.”

     Feinstein also said it was “abundantly clear that a total review of all intelligence programs is necessary”. In relation to the revelations that German chancellor Angela Merkel may have had her phone monitored by the NSA for over 10 years, Feinstein claimed US president Barack Obama had no knowledge of such actions. She added she had been assured such monitoring would not continue.

     On 29 October 2013, in the US, the author of the 2001 Patriot Act introduced proposed legislation that looks to curtail the NSA’s powers, including the warrantless collection of bulk phone metadata. The 118-page bill, dubbed the USA Freedom Act, was put forward by Congressman Jim Sensenbrenner and Senate Judiciary Committee Chairman Patrick Leahy. “Modest transparency and oversight provisions are not enough. We need real reform, which is why I join today with Congressman Sensenbrenner, as well as a bipartisan group of 15 Senators, to introduce the USA FREEDOM Act,” said Leahy. The two most senior intelligence leaders, James Clapper and General Keith Alexander, were due to appear in front of the House intelligence committee the same day. Credit: Jane McCallion

     Benjamin Franklin: They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.
  7. Feature: What’s happening to my data? (continued)

     the NSA has had its surveillance procedures in place. Dzhokhar Tsarnaev, the surviving suspect, told federal investigators he downloaded extremist materials from the internet, including instructions on how to make home-made pressure cooker bombs. Yet, what appeared to be a primary source of suspicious activity was not picked up in the day-to-day NSA data sweeps. And no explanation has been forthcoming.

     Justification or an excuse?

     Even if we take into account all the good the NSA does, can it really be trusted with the information it gathers? The answer, in the opinion of many people, is no. A leaked internal audit conducted by the NSA from May 2012 appears to confirm a gross misuse of power. The audit uncovered 2,776 incidents of unauthorised collection, storage and distribution of legally protected communications over a 12-month period. Serious breaches included a violation of a court order and unauthorised use of data of around 3,000 Americans and green-card holders. Is this evidence that absolute power corrupts?

     Acquiesce or object?

     It’s a polarising subject, but whatever your views on data collection, the NSA leak did us all a favour by getting it out in the open and generating debate. After all, you can’t change something if you don’t know it’s happening in the first place. People now have two options. Most will choose to do nothing. They’ll simply carry on with life, which will remain unaffected, for now. Or they may sign up to one of the many petitions that are trying to push through reform and take steps to restore some semblance of privacy.

     Those tasked with dealing with sensitive information will certainly have a vested interest in ensuring they can do their jobs without invading privacy or breaking laws. With the closure of encrypted email services Lavabit and Silent Mail, and the assertion by Google that users have “no legitimate expectation of privacy”, email appears to be the most vulnerable type of communication. But it’s still possible to encrypt instant messages and phone calls using services. The Pirate Bay co-founder has also secured funding for an anti-snooping app called Hemlis in response to the NSA’s data collection. No doubt more services like this will also pop up in the future, so maybe there is still hope for privacy yet.

     Box: PRISM fallout could damage business, claim Cisco and Google

     Cisco and Google claim the PRISM programme has not only damaged trust but could also be harmful to American businesses. Cisco made the claim in November 2013, as it warned revenue would shrink by up to 10 per cent in its then most recent quarter, claiming demand in China had caused a backlash against American communications firms. Indeed, rivals EMC, IBM and Oracle were reported to be facing an official investigation by the Chinese government that August following revelations that the NSA had been carrying out wide-scale monitoring of global electronic communications.

     According to an earnings results call transcribed by Seeking Alpha, Rob Lloyd, president of development and sales at Cisco, said: “This issue has caused, increasingly, customers to pause and [it is] another issue for them to evaluate...it’s certainly causing people to stop and then rethink decisions and that is I think reflected in our results.”

     Meanwhile, Google’s law enforcement and information security director Richard Salgado became the first representative of a major technology company to testify before the US Congress following the revelations. Salgado said: “The current lack of transparency about the nature of government surveillance in democratic countries undermines the freedom and the trust most citizens cherish, it also has a negative impact on our economic growth and security and on the promise of an internet as a platform for openness and free expression.”

     Echoing comments made by Box’s CEO at a conference in London also in November 2013, Salgado warned the scandal could lead to the creation of a “splinter-net” by putting up barriers. Post hearing, Salgado told Reuters: “You can certainly look at the reaction, both inside the United States and outside of the United States to these disclosures, to see the potential of the closing of the markets through data location requirements. This is a very real business issue, but it is also a very real issue for the people who are considering using the cloud and for those who currently use the cloud and may have their trust in it rocked by the disclosures.”
  8. Feature: Fear and loathing in the enterprise: What are we scared of?

     For every bit of good technology does, there is someone out there trying to exploit it for less philanthropic intentions. We look at the key fears and issues...

     Technology is a wonderful thing. When used to make working and personal lives easier, reduce effort and human error and speed everyday processes up, while costing less, it’s a glorious asset to behold. That’s one side of it. But there’s a darker, less happy side too. As IT becomes ever more sophisticated in what it can do for us as workers and consumers, the number of bad guys and gals out there ready, willing and able to make use of it for ill intentions grows.

     In other areas of the IT sphere, we move forward by sharing use cases and deployment methodologies. Without giving away our secrets, we’re happy to share - on a generic level at least - the good, bad and ugly of projects gone by. We’re certainly not shy about showing our battle scars when it comes to bog standard desktop or cloud deployments.

     Money talks, security stays quiet

     However, when it comes to security, we’re often rendered speechless, with no-one willing to say anything until they’ve been outed as having been hacked.

     “As the profile of cyber security continues to rise in the media, organisations are more wary of the bad publicity that goes alongside a security breach. Many sectors are intensely competitive and customers who lack confidence in the ability of an organisation to protect their information will not struggle to find an alternative source of supply. Enterprises are increasingly aware of the impact of a security breach on their bottom line,” says Lee Newcombe, an expert in information security at Capgemini.

     “At the same time as the profile of cyber crime and cyber security is on the rise, enterprises are being offered new opportunities to deliver their IT in more flexible and innovative ways through cloud services or the adoption of agile development methodologies. The challenge for the enterprise decision makers is to find,
  9. 9. BIG BROTHER10 www.itpro.co.ukhttp://www.juniper.net/uk/en/ www.itpro.co.uk enforcers must forge closer ties with industry to plug an IT skills gap that has the potential to hamper their investigative powers. That’s according to Andy Archibald, head of the Government’s National Cyber Crime Unit (NCU), who used his address at the E-Crime Congress event in central London in March 2014, to highlight the need for skilled IT workers to help in the fight against cyber crime. “The world and environment we’re policing is changing and there is an absolute need to respond,” he said. To emphasise this point he cited the different skills law enforcers must draw on today to tackle bank robberies that rely on technology to be carried out, rather than weapons and getaway cars. “You can be in a room anywhere in the world, with access to malware and the ability to hack into and intrude into businesses in the financial sector, and you can commit crime and fraud and make millions of pounds,” he added. During his address, Archibald admitted the skills law enforcers need to successfully clamp down on cyber criminals are in short supply, though. “We need still to retain the ability, skills, experience and knowledge about how to investigate and engage with the Criminal Justice system, but the skills we need to recover evidence and recover intelligence from the internet are high-end skills and technical skills that aren’t in high abundance in law enforcement,” he said. In particular, coders, programmers and people with skills in reverse engineering are highly valued by law enforcers. But, it can be a challenge to attract and retain them, admitted Archibald. “It’s a tough marketplace...Not only does the public sector [and] law enforcement need these skills, but so does the private sector,” he said. “[In] the private sector, traditionally, the salary packages have been more attractive. I think that’s a challenge for law enforcers. 
How do you begin to address that particular Feature Fear and loathing in the enterprise and then implement, the balance between innovative IT delivery and appropriate information risk management.” When it comes to security, it would seem the average enterprise is stuck between a rock and a hard place. They do want to up their game in terms of protection, but they’re not willing to speak out and necessarily ask for help from their peers. Newcombe offers some sage advice to help businesses who want to go it alone to mitigate current risks. “Know your real-world threats and concentrate your efforts on the threats most likely to cause you harm,” he says. “Identify the data and services that your business relies upon and protect them appropriately.” He continues: “Adopt an architectural approach to information risk management so as to make sure you get a traceable, consistent and comprehensive set of security solutions... Focus on your detection and incident response mechanisms.  Prevention is a laudable aim, but you are unlikely to be able to prevent all potential attack vectors whilst providing a service that can be used by your staff or your customers.” He concludes: “Make sure you know when you have been compromised and how you will handle that scenario.” Another skills crisis? Some organisations have recruited people to the role of chief security officer (CSO) so they have a more focused stance on protecting their most important assets. However, such skills are often hard to come by as it remains a field shrouded in secrecy. The solution? Cyber crime law Getting security right and protecting businesses, government and the general public against cyber attacks is vitally important.
  10. 10. BIG BROTHER11 www.itpro.co.ukhttp://www.juniper.net/uk/en/ Feature Fear and loathing in the enterprise issue as we move forward so we can attract the best, retain the best and ensure we continue to develop and protect our environment?” One way would be for law enforcers to engage more with the private sector to gain access to the skills they need, he said. This is something the NCU is already doing. Forging close ties with businesses in the private sector will also make it easier to share knowledge about cyber attacks, he added, which in turn will make it easier for law enforcers to gauge the scale of threats. “My ambition in the coming months and coming years is, when we begin an investigation and try to work out what’s the best strategy, I don’t want to just be sitting in a room with colleagues from law enforcement having that discussion,” he said. “I want to be in the room with people perhaps from intelligence services, perhaps from the private sector,  from the banks and from the retail sector and from the ISPs and from a multi-national global institution who can advise us on how best to take on that investigation.” Preparing for the worst The recent Cyber Security Challenge looked to address skills and expertise shortages by setting up fake scenarios to see how people reacted. Computer student Will Shackleton was crowned the winner this year. The event, hosted by intelligence and security organisation GCHQ in March 2014, aimed to find skilled cyber defenders capable of protecting the country against a serious cyber attack. Kevin Williams, partnership engagement and national cyber crime capabilities manager at the National Crime Agency (NCA), explained how important it is for new experts to be recruited to deal with high-level cyber attacks. “As the UK’s lead on tackling cyber crime, the National Crime Agency needs to be in the minds of those wishing to pursue a career within this sector. 
Events such as the Cyber Security Challenge provide a fantastic opportunity for us to not only test the skills of those taking part but also provide them with pathways which allow them to exploit their sought- When we begin an investigation and try to work out what’s the best strategy, I don’t want to just be sitting in a room with colleagues from law enforcement having that discussion. One of the biggest security risks for businesses is tail-gating. This is when an employee holds the door open for the person behind them, who hasn’t needed to use a security device to gain access. This very common practice compromises security. It exposes the building and, more importantly, the people in it, to everything from petty theft to computer hacking and terrorism. It also puts the tailgater at risk as there is no record of them being in the building (should it need to be evacuated). The best way of preventing this practice is to integrate the security systems with the management systems of the company. By integrating systems, only people who have properly checked into a building can gain access to any of its facilities, whether that’s lights or computers. As soon as you introduce the system everyone has to check in properly and anyone who doesn’t would immediately be viewed as suspicious. It also means I can give my clients an accurate list of people in their building within minutes. In addition to increasing employee safety it also reduces energy costs, which can be as high as 30 per cent [of overall spend].” Chris Percy, founder and president, DSI Tail-gating: The security problem not many of us know about after cyber skills,” Williams said. Some 42 people took part in the two-day competition at the Cabinet War Rooms in Whitehall. They were kept on their toes throughout with challenges simulating real-life attack situations. The challenge opened with a breaking news report describing a cyber attack on London’s financial district that brought down online banking platforms. 
This meant new stock market flotations could not be completed and BACS systems were compromised. The challenges were conjured up by cyber security experts from BT, GCHQ, the NCA, Juniper Networks and Lockheed Martin. “Getting security right and protecting businesses, government and the general public against cyber attacks is vitally important,” said Mark Hughes, CEO of BT Security. “We at BT understand just how critical it is to ensure the right people are found, trained and ready to take on key roles in the cyber security profession.” Credit: Caroline Donnelly, Maggie Holland and Clare Hopping
Eugene Kaspersky on the cyber jungle

Eugene Kaspersky, CEO of Kaspersky Lab. You’d be hard pushed to find a more bubbly, cheerful and occasionally explosive presenter on the depressing, inescapable and often implausible field of cyber security. Then again, I guess he should be pretty jolly, since he’s in the business of plugging the leaks, Wiki or otherwise, in company and home-user computer networks.
Kaspersky presented at the 2014 CeBIT exhibition in Hannover in early 2014. The event is something of an annual barometer for trends in computing and, in line with other shows, there’s a distinct flavour here of the recession being well and truly over and done with. Lots of crazy robots with little tethers running back to massive racks of controlling servers; lots of people of a rather older sort, who disappear with great regularity into the apparently infinite series of private meeting rooms.

All change
One of the sponsors enlightened me as to some of the changes that have occurred. In the old days, it used to be delegated techies who attended, let out of their basement offices for a once-a-year jolly. Now, it’s the CEO and the CTO walking the halls, very often arriving so they can sign off a deal with a supplier that’s been in the pipeline for months.
It was this audience that Kaspersky had in mind. He didn’t dive in especially deep to his topic - not one slide gave any hard numbers behind any of his assertions. What he provided was a rapid-fire tour of the motivations behind the attacks. He wanted the room full of CXO types to sit back in shock and think “wait, this isn’t some crazy nerd talking here – it’s a chief exec, just like me, who knows the limits of my beliefs.”
While stories of hackers making their own petrol station discount cards by hacking the sales system of the chain of garages didn’t get much attention (they were caught within a month, apparently), the story of a heist lasting five years, of coal from Russian automatic loading systems for coal trains, clearly had a bigger impact.

An engaging presentation
Incredulity management didn’t appear on his big screen, or on the cutesy cartoon board being drawn off to one side of the stage as he spoke. But it ran through his whole presentation. As techies, we all have a responsibility to figure out what the bosses are going to understand, given that they probably won’t want to dive into the deep details of what makes an attack work or fail. And, at a certain level, the attack that gets through is the one that someone is too incredulous to spend money protecting against.
With a room full of CXOs, Kaspersky wasn’t going to move much below appeals for international standardisation and cooperation to talk specifics about risks to net neutrality. Nor was he going to go into the differences between having to protect a vulnerable machine against its own security holes, or putting imperfect machines behind restricting traffic chokes of some kind. He wanted other people – largely, regulators and various forces for social change – to shoulder the burden of improving cyber security, mostly by way of very non-technical initiatives like education and legal changes to regulation.
He even had a section on the nature of cyber espionage, though at this point I suspect he realised he was treading on thin ice against his own preferred fixes for the lower-level criminals – it’s very hard to co-operate internationally when your co-operators are also spying on you.
Right at the end, the master of ceremonies blindsided him with a final question: “Who worries you more – the cyber criminals, or the NSA?” Kaspersky hedged his bets with a 90 per cent non-verbal answer. He spread his arms wide and eventually shook the MC by the hand, limiting his words to a carefully non-committal “Thank you very much” before going on to say “Every time I use a computer, I am aware of the possibility that someone – government, or criminal – could be watching.”

Credit: Steve Cassidy
Feature: Monitoring: The employer’s view
Striking a balance – how to monitor without being a creep
Monitoring in the workplace can be helpful and constructive, but it can also potentially damage workplace relationships and sow the seeds of mistrust.
Jane McCallion is staff writer at Cloud Pro and IT Pro, following the completion of an MA in journalism. Prior to that, Jane worked in PR and was a freelance journalist.

In George Orwell’s novel Nineteen Eighty-Four, the people of Great Britain are under constant surveillance. ‘Telescreens’ in their homes and workplaces allow them to be monitored round the clock, lest they do or say anything untoward. Their post is opened and read before being passed on. The powers that be know everything about them.
The book has had such an effect on us as a society that its themes and even some of its language – thoughtcrime, newspeak and Big Brother – have entered into everyday usage.
Against this background, how is it possible for organisations to carry out any form of monitoring without being perceived as some kind of dystopian tyrant? Can it ever be done ethically, and is it possible to persuade employees, partners and clients that it is necessary?
The good news is yes. All these things are possible. However, companies need to be careful how they tread, because there are plenty of bear traps to fall into.

Who are you looking at?
Before getting into ‘how’, though, you first need to answer ‘why’ – why do you want to carry out any kind of monitoring activity? According to George Tziahanas, vice president of legal and compliance solutions at HP Autonomy, the primary reason companies carry out surveillance is because they are obliged to do so.
“In certain industries – certainly financial services and, to a lesser degree, in the pharmaceutical sector – the employer is obliged to provide a layer of supervision or surveillance over their employees,” Tziahanas says.
Alan Delany, an associate at law firm Maclay Murray Spens who specialises in privacy and monitoring, explains that in the UK this would apply to businesses such as those regulated by the Financial Standards Authority (FSA). “Often for them, there will be a requirement as to the recording of electronic communications inside and outside the organisation,” he says.
Outside of regulated industries, there are other reasons companies may wish to introduce monitoring technology, such as protecting confidential information or trade secrets, or ensuring certain levels of customer service. These are all valid reasons, but if organisations want to avoid any programme coming back to bite them, there are some serious legal considerations to take into account as well.

Breakin’ the law
When it comes to the legal aspects of carrying out monitoring activities it can be a bit of a minefield, according to Delany. “There are several different legal restrictions, ranging from the Data Protection Act to the Regulation of Investigatory Powers Act (RIPA) to, potentially, human rights considerations,” he says. “Also, you could run the more general risk of constructive dismissal claims if you are snooping on employees and covertly checking their emails,” he adds.
So what is to be done? Helpfully, there is a set of regulations that fall under RIPA, known as the UK Lawful Business Practice Regulations, which set out examples of why an employer might want to monitor electronic communications. According to Delany, if organisations comply with those regulations and tell employees monitoring is going to take place, they will largely be in the clear.
There are sector-by-sector variations as well. For example, for businesses regulated by the FSA, there will often be a requirement to record all communications, both internal and external, and retain them for a certain period. However, for many businesses, this kind of regulation will not apply. “It comes down to business needs and transparency, and those are the themes that run through this whole area,” says Delany.

Choose your target
Once you have established ‘why?’ you need to establish ‘who?’. The reality is that, irrespective of what industry you are in, whether regulated or unregulated, you are almost certainly not going to need to monitor every single employee in your business.
Some businesses - particularly those in heavily regulated and scrutinised industries such as the financial sector - are specifically concerned about what users are getting up to on social media sites, according to Andy Holmes, business development director at IT compliance and security firm Actiance.
“Similarly there are some that want to look inside their organisation to find out who are the bad apples. Frankly, we’re not interested in that conversation because, ultimately, there is no point. It’s just more big data, and organisations already have enough of that to deal with. It also breaks the bond of trust between the individual and the organisation,” he says.
The key, then, is a measured, targeted approach that can be explained to employees, partners, customers and regulators alike, without causing alienation or suspicion.
Tziahanas adds: “You have to do some sort of up-front analysis before you start dropping technology in to go looking for stuff. For example, where are the greatest parts of the risk to the organisation? Who are the key parties I might be working with that present risk? Then keep the surveillance activities to the minimum necessary to identify those risks.”

Winning hearts and minds
Ultimately, a successful monitoring strategy is one that promotes buy-in from those who will potentially be under surveillance, rather than breeding suspicion and resentment.
“We try to encourage our customers to think ‘Who do we need to help? Who do we need to manage? And how can we do that positively?’,” says Holmes. “Then it becomes a much more limited environment where you are monitoring individuals.”
One way of encouraging acceptance of new practices, as well as avoiding blanket coverage, is engaging HR to promote the technology as a protection of the individual. “We have had a couple of instances where, because we are able to determine what kind of activities people have been engaged in, we can demonstrate that negative or damaging things our clients or their employees have been accused of are untrue,” says Tziahanas.
Delany adds that there are also third-party considerations to take into account. “If you are an employer that has recognised trade unions, they are going to want to be consulted and may well have their own perspective,” he explains. “But, ultimately, if you take a hearts and minds approach and show employees that it’s to protect both the business and employees, you should be on solid ground,” he concludes.

The seven monitoring virtues
Keep these regulations in mind to stay on the right side of the law.
RIPA: A UK law that came into force in 2000, RIPA governs the interception of phone and email conversations. You must inform users inside and outside the company that their communications may be monitored.
Lawful Business Practice Regulations: A subsection of RIPA, these guidelines are specific to businesses, giving examples of how you can carry out monitoring within the law.
EU Data Protection Directive: A European law dating from 1995, this regulates the processing of personal data within the EU. However, by the end of 2014 it will be superseded by...
General Data Protection Regulation (GDPR): The Data Protection Directive’s successor. Companies processing more than 5,000 data subjects in 12 months and all public authorities must appoint a Data Protection Officer. Explicit consent must be given for data collection and the purpose of collection made clear. Consent can be withdrawn at any time. Data breaches must be reported to the new Data Protection Authority within 72 hours and any adversely affected individuals notified.
ECHR: One of the best known pieces of EU legislation, the European Convention on Human Rights 1953 provides for the right to privacy (Article 8). Sufficient effort should be made to comply with Article 8, although much of the previously mentioned legislation covers similar ground.
Computer Misuse Act: A piece of UK legislation dating back to 1990, it forbids anyone from accessing another person’s computer even if that person has previously given you their password and consent. Ownership of the computer, account and data should be considered, as well as ongoing consent.
Feature: Monitoring: The employee viewpoint
Keeping watch: Why you should be wary of workplace monitoring
Monitoring employees for cyber security and productivity purposes is considered essential by some firms. But what if it goes too far?
Caroline Donnelly has been a technology journalist for several years and joined the IT Pro team as news editor in March 2012.

“If you’ve done nothing wrong, you have nothing to hide,” is a phrase often uttered by pro-surveillance types to ease the concerns of people alarmed at the prospect of having their actions monitored.
In the workplace, it is commonplace for employers to keep tabs on the internet browsing habits of their staff, and - in some cases - the content of the emails they send to others outside the organisation. After all, employees are often cited as a major source of cyber security mishaps within the enterprise. They are regularly targeted by hackers looking for a way into the company’s network, and it’s not unheard of for disgruntled staff to purposefully leak data.
For these reasons, Bill Windle, people and cyber risk expert at PA Consulting Group, says it’s hardly surprising companies like to keep a close eye on what their staff are up to. “Employers have obligations to the law, business partners, shareholders and customers as well as to the employees themselves to protect the data they hold (as well as other valuable assets),” says Windle. “Monitoring can play an important part in helping meet these obligations as part of a coherent, integrated, defence-in-depth approach to an organisation’s protective security.”
From a productivity standpoint, employee monitoring makes sense to ensure staff are not whiling away the hours until clocking-off time on social networking sites, for example. Or, as Leon Deakin, senior associate at employment law specialist Thomas Eggar LLP, points out, engaging in other activities that could possibly damage the company’s reputation.
“The potential for employees to cause their employer embarrassment and harm their reputation is probably justification enough to monitor their use of the internet and email facilities,” Deakin says. “However, when you toss into the mix the various legal liabilities which can arise from misuse including, but not limited to, defamation, breach of confidentiality, negligence, and discrimination, it could be seen as a dereliction of duty [by the company] to not monitor [staff] to some extent.”

Explaining the risk
Keeping a watchful eye on staff is all well and good, but it could backfire on organisations that haven’t taken the time to explain to their employees why it’s happening, warns Windle. As part of this, he says staff should be made fully aware of how valuable the data they have access to is, and how important their role is in keeping it safe.
Training can only cover so much, though, and there is always a risk that employees may not realise their actions could have dire consequences for the company later down the line. As an example, Windle cites employees that take classified data off-site on removable storage devices or by emailing it to a personal web address in order to meet an urgent work deadline.
In that situation, the employee may not realise the risks they’re taking because making sure their work is in on time takes precedence. “This is where monitoring can play a constructive and supportive part in helping spot where employees take well-intentioned initiatives without understanding the real risks involved, nor thinking through who owns those risks,” he adds.

Employee education
Taking the time to explain to staff why they’re being monitored can also help allay any fears they may have about how workplace surveillance procedures square with their own rights to privacy. However, if employees start to feel their company’s monitoring processes are bordering on the intrusive, they are well within their rights to speak up.
That being said, Sol Cates, chief security officer at infosecurity vendor Vormetric, admits this is an issue that’s not always easy for staff to raise with the powers that be. “It can be tricky for an employee to voice concern about employee monitoring, particularly if the way it is expressed is seen as being negative or critical of the organisation or its leaders,” he explains. “Nevertheless, with careful handling there are a number of practical steps open to employees if they feel the level of monitoring is bordering on the intrusive.”
Deakin says the first step for employees should be to ask their employer for explicit clarification about how their time at work will be monitored. “Even if the employer has informed the employee that certain aspects of their work will be monitored and has a clear policy on this, it is not always apparent what this actually means in practice,” Deakin explains. “For example, how many of us are actually aware of what our IT team can and can’t see? As such, it is not surprising that some employees may be left feeling rather helpless or just bemused.”
Employees may also feel their company has crossed a privacy line by monitoring the content of their private posts on social networking sites, such as Facebook and Twitter. This is usually done to clamp down on employees that might use these sites to write disparaging comments about their place of work or co-workers.
Deborah West, an employment law partner at legal firm Temple Bright, says this type of monitoring might put people’s noses out of joint but there are legitimate business reasons for doing it. “Employees must appreciate that things they post on such sites can be damaging to employers, both in terms of exposure to claims from colleagues of discrimination,” she says. “In the event an employer undertakes any such monitoring, this can only be lawfully done within certain limits. The difficulty is that as the use of different web-based platforms develops so quickly, the law is not always as quick to react to the evolving use of technology as it should be.”
If employees want to lodge a formal complaint about their workplace’s monitoring procedures, Windle recommends they swot up on the latest guidance first. “Assemble the facts on specific areas of concern and benchmark these against published best practice,” he says, advising employees to seek out a copy of the Holistic Management of Employee Risk (HoMER) guidance. The document details how employees can check their own organisation’s approach to monitoring. It also provides guidance as to who and what may be legitimately monitored.
“By placing any concerns they have in the context of national best practice, employees can place their questions or challenge in a positive frame, seeking improvements for the organisations,” Windle concludes.
In light of the fact some employees have been caught using company resources to ‘mine’ for Bitcoins, perhaps employers should be paying more attention to what employees do...
Professionalisation of cyber crime poses new risks

Changes taking place in the underground market operated by cyber criminals, such as the increasing use of new technologies like Bitcoin, are making hacking attacks more dangerous than ever before. The investigation, carried out on behalf of Juniper Networks, found the cyber crime black market is steadily growing in sophistication. Online crime has become increasingly sophisticated to the point where it now mirrors very closely the type of organised crime seen offline, the research found.
“Historically, 80 per cent of hackers were ‘freelance’ and just 20 per cent were part of organised crime,” says Mark Quartermaine, Juniper Networks’ vice president of the UK and Ireland. “Now, that has been flipped on its head as this hacking market matures and 80 per cent are working as part of organised groups.”
The researchers found a distinct hierarchy operating in these groups, with ‘mules’, who carry out most of the groundwork, ‘vendors’, who provide services such as botnets for hire or money laundering, through to highly skilled ‘administrators’, who develop malware and exploit kits. The members of this elite top level are also the ones who make the most profit from the cyber crime economy.
The research also discovered the use of crypto currencies is increasing. While some transactions can still be carried out using traditional means, many criminal sites now only accept payment in the form of Bitcoin, Litecoin or Pecunix, because of their anonymity and security characteristics. However, Quartermaine does not believe that cracking down on these types of digital currencies would destroy the cyber crime black market. “If they disappeared, these criminals would find some other way of transacting,” he says.
The ability to carry out attacks is likely to outstrip our ability to defend very quickly, particularly as the number of everyday transactions carried out online increases, according to the research. “By 2020, the number of connected devices is predicted to be greater than the population of the world,” adds Quartermaine. “Every way you look at it, networking is going to increase so vulnerabilities are also going to increase, which means it is something we have to get our head around now.”

Credit: Jane McCallion
Keeping tabs without compromising privacy or security

There’s a fine line between protecting company interests and overly snooping on employees and what they get up to, as Stephen Pritchard discovers…

Feature: Monitoring: The IT department’s view

Stephen Pritchard has been a journalist since 1990. Today his main specialisms are business, technology and finance. He writes for a number of national and international titles, and is a contributing editor and columnist for IT Pro.

Since Edward Snowden’s revelations, discussions on surveillance have understandably focused on government monitoring. But, used correctly, monitoring is a valuable resource for IT departments, both in the battle against hacking and cyber crime, and also for improving IT operations.

Monitoring, though, is not without restrictions. Laws, especially data protection laws, employment laws, HR practices and privacy norms all limit some types of surveillance. This applies, in particular, to monitoring employee behaviour and their use of data and applications.

At the same time, better use of monitoring, and instrumentation, can give IT departments a much better view of the way networks and applications are performing. Application performance management, but also business process management, rely on activity monitoring to work – although it need not go down to the level of monitoring who is doing what on the network.

A watchful eye

Monitoring can also provide a vital early warning both against cyber attacks, and of data leakage or theft. Data loss prevention (DLP) tools again rely on monitoring, both of data flows and user behaviour. A DLP application, for example, will flag if an employee who normally accesses half a dozen customer records in a day suddenly starts to download thousands.

Active monitoring is also a key weapon for defending against advanced persistent threats, or APTs. APTs, unlike other forms of malware, are designed to be stealthy. Monitoring for unusual network activity, or data exfiltration, may be the only way to spot an APT at work.

“There are plenty of good reasons to monitor IT and network usage. Security: obviously understanding what is going on in a network is the mainstay of preventing the ingress of malware and the egress of sensitive data. By linking the latter to users, [firms can] spot and correct careless behaviour and root out malicious users,” says Bob Tarzey, analyst and director at Quocirca.

“But it’s also about user experience. The way the network performs is a key part of understanding the end-to-end user experience. This is especially necessary for organisations that provide on-demand services to consumers, other businesses and partners, which is two-thirds of all business in Europe.” (See Quocirca research report here.)

He adds: “Then there is business process monitoring: making sure business processes are as efficient and secure as possible. But companies can also gain operational intelligence. This goes beyond security and into commercial insights. For example a call centre can monitor actual call volumes or waiting times and see if these correlate with other data, such as customer type or geographic location.”

This is another example, Tarzey says, of monitoring acting as an early warning system. But extracting business value from a wealth of data remains a challenge. In fact, some IT teams might view the ever-growing volume of operational statistics as a burden, rather than a source of intelligence that can improve enterprise operations overall.

“Most clients are already performing basic network monitoring but are struggling with correlation and analysis,” cautions William Beer, managing director for cyber security at consulting firm Alvarez & Marsal.

“Clients who have managed to set up comprehensive monitoring often fail to see its value as their incident response and crisis management processes are weak. While monitoring definitely adds value, it becomes much more compelling when data is combined with [tools such as] threat intelligence. If not, all you are seeing is the aftermath of the problem.”

Although security is a key focus for monitoring – and some areas remain controversial – improvements in analytics technologies are helping IT teams to extract more information from operational data.

“Using analytics, IT professionals can support, or even improve, the smooth running of an organisation,” says Martha Bennett, principal analyst at Forrester Research.

“Going beyond traditional log management, there are tools available that support the capture of log files and other system data across devices and sources, including applications, servers, PCs, mobile devices, or websites,” she says.

“Capturing and analysing data provides the basis for more efficient management of the infrastructure. That’s because you’re looking at all your systems data on a single console, rather than trying to make sense of the content of separate log files… More importantly, it allows for faster identification of root causes, and hence [it takes] less time to fix them.”

Issues remain unresolved

Two challenges, though, remain: security and privacy. There’s also the proliferation of data sources in the business. In particular, the growth in the number of mobile devices needs to be monitored as such devices are often personal in origin.

“Increasingly IT is not in complete control of the endpoints: they are increasingly diverse,” says Quocirca analyst Rob Bamforth. “Most of these devices are multiply wireless – Bluetooth, Wi-Fi, cellular and NFC – and increasingly seamlessly connecting. Wearables only add to the challenge. They will all be carried together. This means that having more smarts in the network to monitor will be even more important.”
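The DLP behaviour described above (flagging a user who normally reads half a dozen customer records a day and suddenly pulls thousands) is a baseline-deviation check. The following is an added example, not code from the article or from any product it mentions; it works on constructed log lines, counts distinct records per user per day, and raises an alert only when a day exceeds a multiple of that user’s own median history. The log format, the threshold factor and the user names are all assumptions.

```python
"""Baseline-deviation check for customer-record access (added example).

Counts distinct customer records each user reads per day and flags a day
whose count is far above that user's own earlier median. The log format,
the user names and the threshold factor are assumptions for this example.
Only record counts are kept, never record contents, in the spirit of
collecting no more than the purpose needs.
"""
import re
import statistics
from collections import defaultdict

# Assumed log format: <ISO timestamp> <user> <action> <record id>.
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+\s+(\S+)\s+RECORD_READ\s+(\S+)$")


def build_sample_log():
    """Constructed sample log (not real data): alice and bob each read about
    half a dozen customer records a day; on the last day bob pulls 2,000."""
    lines = []
    days = ["2013-11-04", "2013-11-05", "2013-11-06", "2013-11-07", "2013-11-08"]
    for i, day in enumerate(days):
        for user, normal in (("alice", 6), ("bob", 5)):
            last_day = i == len(days) - 1
            n = 2000 if (user == "bob" and last_day) else normal + (i % 2)
            for k in range(n):
                lines.append(f"{day}T10:{k % 60:02d}:00 {user} RECORD_READ cust-{10000 + k}")
    lines.append(f"{days[0]}T08:00:00 alice LOGIN -")  # not a record read; ignored
    return "\n".join(lines)


def daily_counts(log_text):
    """Return {user: {day: number of distinct customer records read}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # lines that are not record reads do not count
        day, user, record = m.groups()
        seen[user][day].add(record)
    return {u: {d: len(r) for d, r in days.items()} for u, days in seen.items()}


def flag_anomalies(counts, factor=5, min_history=3):
    """Return (user, day, count, baseline) for every day on which a user's
    count exceeds factor * baseline, where baseline is the median of that
    user's earlier days. Days without enough history are never flagged, so
    a brand-new user does not trip the check on their first days."""
    alerts = []
    for user, days in counts.items():
        ordered = sorted(days.items())  # ISO dates sort chronologically as strings
        for i, (day, n) in enumerate(ordered):
            history = [c for _, c in ordered[:i]]
            if len(history) < min_history:
                continue
            baseline = statistics.median(history)
            if n > factor * baseline:
                alerts.append((user, day, n, baseline))
    return alerts


if __name__ == "__main__":
    for user, day, n, base in flag_anomalies(daily_counts(build_sample_log())):
        print(f"ALERT {user} on {day}: {n} records read (baseline {base})")
```

The alert carries a count and a baseline, not the records themselves, which is the information an analyst needs to decide whether the day is worth investigating or is a legitimate variant of “normal”.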
Ultimately, this cannot be separated from the privacy challenges around monitoring – and anything that might be seen as surveillance.

“Monitoring, logging and event management is a vital part of any network and computer system,” says Kai Roer, partner in consulting firm The Roer Group. The reason is simple: it allows for detecting anomalies which can then be dealt with.

“Logging system access is particularly useful in systems where a lot of different users are handling sensitive data, such as in a bank, or in health care. But from an ethical perspective, it is important to consider what information you collect, and for what purpose,” says Roer. “You should only use the data you collect for that purpose, and you should delete it when it is no longer being used.”

This, Roer says, needs to be tied into a thorough risk assessment, as well as ensuring that monitoring is legal. “Logging your systems is great. Logging people is not,” he says.

And, although monitoring can help IT departments with both security and performance, automation also has its limits. A human mind will still need to evaluate the information, and decide if any ethical or legal lines are being crossed.

“It’s important that the right tools are deployed. There’s way too much data for humans to process, which is where advanced analytics software comes in,” says Bennett. “But human expertise will always be required to separate signal from noise. If a tool detects a new pattern, the human expert will know whether this is something worth investigating, or simply a variant of ‘normal’.”

Employee carelessness poses security risk to businesses

Sensitive business data is being put at risk by the thoughtless behaviour of employees, a report by Trend Micro has found.

The survey of 2,500 UK adults, published in a report entitled Britain’s culture of carelessness with mobile devices, found over a quarter of smartphone users have had up to three work devices lost or stolen, and 63 per cent have no password protection on their phone at all.

The Tube is the most likely place for a phone to be lost or stolen in London (26 per cent), with the District and Circle lines proving to be particular black spots. A bar is the second most likely place for a smartphone to disappear (22 per cent), followed by a cafe (11 per cent) and a restaurant (8 per cent), according to the report.

At a roundtable to discuss the report’s findings, representatives from Trend Micro, information security consultancy First Base, and law firm Taylor Wessing said the implications were clear for business.

James Walker, a security specialist at Trend Micro, said: “We talk about a watering hole from the point of view of compromising a website, [but if I were a criminal] I could know a bar where a certain target organisation would drink in after work, I could steal a mobile phone that’s not password protected, send out a lot of phishing emails to lots of contacts within the organisation... and compromise a lot of people.”

Vinod Bange, a partner at Taylor Wessing, added: “[Imagine] if you have an employee within an organisation who kept going to the accounts team and saying ‘can I have £300 from petty cash please?’ and came back the following day saying ‘I lost it, can I have another £300?’ and then the next day said ‘sorry, I did it again, can I have another [£300]?’ – Who would do that?

“That is because cash is treated in a very particular way and it is about time organisations drew that link to treat information assets, whether it’s personal data, confidential IP, or whatever it happens to be, with the same degree of [restrictions].”

The report also examined the potential for data loss when using public Wi-Fi hotspots. A team of ethical hackers from First Base used apps that were openly available on Google Play to clone a recognised Wi-Fi network, which volunteers’ devices then connected to automatically. A hacker using this type of attack, known as an ‘evil twin’, is then able to see all the data, including sensitive information and things that would normally be encrypted.

The volunteer ‘victims’ involved in these experiments said they felt scared that such an attacking method exists and that their privacy had been violated, even though it was just a simulation.

Credit: Jane McCallion
Operation PRISM: effect on cloud industry could be good or bad

The revelations about the US security services snooping will have a profound impact on the cloud industry, according to Max Cooter.

Feature: Cloud: Friend or foe?

Max Cooter is editor of Cloud Pro. He has seen profound changes to the IT landscape during his 20 years as a journalist, but believes cloud computing could be the biggest of them all.

One of the most-quoted fears about moving to cloud is that the data is not secure. For many companies, the idea that vital customer data is held in an unspecified place, available for access by unknown people, is a big inhibitor to the idea of cloud computing.

Cloud service providers have always been aware of that fear. They have made reassuring noises about the safety of their data and claimed that no unwelcome visitors could help themselves to their customers’ own data. What they didn’t say is that when it came to the US government, they’d roll out a welcome mat and make them a cuppa while the spooks sifted through what they wanted.

PRISM ramifications continue

That’s the shocking implication of reports by both the Washington Post and Guardian relating to the US security services’ access of data from nine IT companies as part of operation PRISM.

The denial of the nine companies is almost irrelevant and has been the subject of much speculation. Does Google’s talk of ‘no back door’ mean the NSA is coming through the front door instead? When Apple said it hadn’t heard of PRISM, did that just mean that it wasn’t aware of the operation name the NSA was using? Given the nature of these revelations, these stories must have been checked and double-checked. And then checked and checked again.

The other option is that the security services have had access to the providers’ customer data without the providers knowing about it. Scary stuff indeed. Though that would seem unlikely given that we know, from reports, the dates when companies allegedly gave permission. Furthermore, James Clapper, the director of National Intelligence, published a statement saying that some parts of the newspaper reporting were “inaccurate” – but, crucially, he did not deny the reporting as being completely without fact.

He claimed that the revelations could also damage security operations. “The unauthorised disclosure of a top secret US court document threatens potentially long-lasting and irreversible harm to our ability to identify and respond to the many threats facing our nation,” he said.

He dismissed concerns from privacy campaigners in the statement though. “The article omits key information regarding how a classified intelligence collection program is used to prevent terrorist attacks and the numerous safeguards that protect privacy and civil liberties,” he said.

Excessive or wholly justified?

However, it’s not just privacy campaigners who have been alarmed by the implications of all this. The author of the Patriot Act, James Sensenbrenner, wrote an open letter to the US Attorney General protesting that the FBI’s action in calling for the Verizon phone records was excessive – and that’s before news of the trawl of customer data from the nine big providers was revealed.

Clapper’s general response to people like Sensenbrenner and other protestors is that there’s nothing to worry about. Everything is seemingly alright because it’s only non-US citizens living outside the US who will be affected. But that’s precisely what is worrying many people over this side of the pond. And we just don’t know who to believe anymore.

Effectiveness vs reactiveness

The other aspect of this whole shooting match is how effective this type of process will be at actually catching the bad guys. If you’re trawling through the customer records of the likes of Facebook and Google, you’re going to have billions of interactions to deal with. That’s not just a big data problem, that’s a massive data problem. And even when the data has been analysed, how accurate is it going to be? Not very accurate at all, according to some researchers.

There would likely be more understanding about the endeavours of the security forces if these efforts were guaranteed to catch the bad guys. Instead, there’s a general understanding that this is not going to be the case.

One side-effect of these goings-on is that we won’t be able to look at cloud computing in the same light. We now know that assurances about data being safe from prying eyes are meaningless.

That’s not to say that cloud providers will suffer. There will be some companies who won’t be at all fussed that the NSA has access to their data. They’ll happily live with the intrusion as long as they can benefit from the economies of scale, the flexibility and, yes, the security of the large US-based providers. It was also noticeable, at the time of the original revelations, that Amazon wasn’t part of the PRISM programme. The reasons behind this can be speculated endlessly, but certainly the revelations should not prevent potential Amazon customers going down that route.

Nevertheless, there will be some companies who just won’t be able to view cloud in the way they did before. Just as victims of burglaries complain that the invasion of privacy is worse than the items being taken, so there will be companies unhappy with this level of intrusion. If you’re one of these companies, you won’t be happy that someone has been snooping in your metaphorical underwear drawer, whether it’s the CIA, FBI or Harry the Hacker.

The question is: what will these companies do? Are they going to stick with on-premise for all their applications and computing needs for ever and a day? Or are they going to go with a European provider? You can bet that if there’s one group of people rejoicing at this news, it’s the European service provider community. They will now have a genuine selling point when it comes to taking on the American giants: data held in Europe, run by Europe and accessed only by Europeans – which appears to be exactly what has happened. With pressure building to tighten up, not loosen, the security rules, the cloud game just got a whole lot more interesting.

Monitoring scandals must not lead to balkanisation of the cloud, says Box CEO

The PRISM government spying scandal, in which the US National Security Agency monitored electronic communications, must not be allowed to break up the cloud and restrict data flow.

This was the opinion expressed by Aaron Levie, the CEO of Box, regarding propositions from the European Commission to alter data protection requirements in a way that could require data to be kept either within the European Union or within the originating countries. Similar proposals have also been put forward by Brazil.

Speaking to journalists at the organisation’s Business Without Boundaries event in Central London, in November 2013, Levie said: “It is obviously incredibly bad and inappropriate what the NSA has been doing ... it’s not only bad the actions they have taken but it’s also the inaction of not actually creating any transparency or any visibility into what is actually happening.”

However, Levie added: “On the [subject of] EU privacy and data [regulation], the biggest thing that we are worried about ... we want to avoid some of the noise about the balkanisation of the cloud, that would be a very bad outcome – this idea of regionally specific or government specific or country specific clouds. Not only does it not make technological sense, it’s also bad from an economy standpoint.”

Most of Box’s customers need to collaborate and share information across international boundaries, Levie said. He added that the only way to do so effectively was with an open platform.

Levie also touched on the topic again during his keynote following a question from a delegate. “We don’t think the current [surveillance] situation is tenable ... and we are optimistic that there will have to be more transparency, have to be more processes created for how this works. We don’t think the internet could blossom and evolve in the appropriate ways if this fear [were to] remain,” he said.

“Fortunately, we are a little bit outside of the whole issue and distanced from it, because the biggest issue has been national security and those are generally ... consumer communication services on the internet. We tend not to fall into the space that is of interest, but we care a lot from a technology company standpoint. We have to have a world that allows us to securely communicate and work and share on a global basis, so that is obviously something that we care about and that we are pushing on,” he concluded.

Credit: Jane McCallion

Secure cloud email service erupts from Iceland

A new cloud-based email and social networking site promising better security and less intrusive commercial practices has been launched in Iceland.

Named Vivaldi.net, the service was set up by Opera Software co-founder Jon von Tetzchner and fellow Opera veteran Tatsuki Tomita as an alternative to other cloud-based email services such as Gmail and Outlook.com. The service claims to offer ad-free email, something that Gmail in particular has been criticised for in the past, and also incorporates social elements such as blogs, cloud-based photo sharing, forums and live chat.

Iceland was selected as its base because many of the people behind the project are Icelanders. “For the people of Iceland, the rights to freedom of speech and strong consumer protection laws are most important,” according to Tomita.

Iceland is recognised as having some of the strongest privacy and freedom of speech laws in the world and is home to the International Modern Media Institute. The institute is, according to its website, a “foundation working towards rethinking media regulation, securing free speech and defining new operating principles for the global media in the digital age.”

Tetzchner elaborated on this point in an interview with Reuters, saying: “There has been a lot of focus on safety lately, and it has mainly been focused on governments. But I think this is just as much an issue for the companies in this business.” He added: “Our initial focus is on the computer geeks because they usually have higher demands for functionality, safety and privacy. But a lot of ordinary people also worry about these things and we will welcome everyone.”

Commenting on the NSA surveillance scandal, which has caused some disquiet with regard to the cloud, Tetzchner said he cannot promise to keep the US spy agency away, but claimed that Vivaldi is “without a doubt” the safest option out there, adding “this is one of the reasons we have chosen to do it from Iceland.”

Credit: Jane McCallion
Case study: Mozzart Bet

MOZZART BET DEPLOYS DATA CENTER SOLUTION TO SUPPORT ONLINE EXPANSION, ACHIEVING 99.9999% UPTIME

Summary

Company: Mozzart Bet

Industry: Retail and Online Gaming and Betting

Challenges:
• Growth placed greater demands on the network infrastructure, while exponential increase in online traffic was a major security concern.
• Data center solution needed to grow organically and accommodate the expansion of both retail footprint and Web operations, without the need for constantly replacing existing infrastructure.
• Requirement for creating a stable and secure network was uptime of 99.9999%.

Selection Criteria: Mozzart Bet selected Juniper to replace its existing vendor for ease of management and ability to expand with the organization’s changing needs and enhanced security requirements.

Network Solution:
• WebApp Secure
• Spotlight Secure
• SRX Series Services Gateways
• MX Series 3D Universal Edge Routers
• EX Series Ethernet Switches
• Juniper wireless LAN solutions
• MAG Series Junos Pulse Gateways

Results:
• Since deployment of the Juniper end-to-end solution, there has not been any downtime in network services.
• During a 30-day period, Mozzart Bet detected 2,296 attackers on its Web applications using WebApp Secure, and was able to stop them.

Mozzart Bet is a European leader in the sport betting and gaming industry. Recently, it grew its ground operations to over 900 retail betting shops and has seen exponential growth in its online operations. The combination of these two areas of growth created a “new playing field” for Mozzart Bet, one where the focus turned to network stability, availability, and above all a high level of security.

Challenge

With retail growth increasing the demands on the network infrastructure, and online traffic increasing exponentially, security was becoming a major concern, and this posed a major challenge to Mozzart Bet’s network team as well as its business partners and vendors. Mozzart Bet needed a data center solution that could grow organically to accommodate expansion of both its retail footprint and Web operations, without the need for constant replacing of existing infrastructure. It also needed a network solution that would provide 99.9999% uptime, be easy to manage day-to-day, and ensure a high level of security.

Selection Criteria

Mozzart Bet required a high-performance solution that was reliable and would ensure a network that was always available for both its retail stores and online properties. In addition, security, particularly of the online properties, was vital, and Mozzart Bet sought out solutions to add security to its websites and Web applications. The third requirement was for products that were easy to manage and use, to make the everyday operations as simple as possible.

Once the decision to re-architect its data centers was made, Mozzart Bet undertook a thorough review of its existing vendors and evaluated many other products. These new products were examined using exhaustive proof-of-concept testing and evaluation criteria and took months to complete. There were five key selection criteria used during the evaluation:
• Stability
• Scalability
• Flexibility
• Security
• Operational effectiveness

In addition to these five selection criteria, Mozzart Bet was looking for the vendor willing to work hand-in-hand with its inside team on design to create a “best fit” solution. It was also looking for the solution with the best ROI performance.

Solution

After 4-5 months of extensive lab testing, Mozzart Bet chose to install the Juniper Networks® MX80 3D Universal Edge Router because nothing compared to its performance. The company also liked the fact that MX Series routers could grow in capability based on software without changing the chassis. Juniper’s EX Series switches were selected based on performance, operational simplicity and rich feature sets. To further streamline network operations, Mozzart Bet deployed multiple EX4200s in a Virtual Chassis configuration, enabling the switches to be managed as a single logical device. Then the Juniper Networks SRX Series Services Gateways were added to enhance security based on their performance against comparable competitor firewalls. The performance of the new network suffered no downtime, which compared favorably against the previous vendor.

Improving the security of Mozzart Bet’s Web applications was also a key requirement, and the information security team was intrigued by the innovative technique of intrusion deception used by Juniper Networks WebApp Secure. During another three month comparison, an evaluation of three Web Application Firewall (WAF) vendors was completed, and at the end of this test, Mozzart Bet selected WebApp Secure because nothing else compared with the innovative approach of using deception to detect attackers. During the test, the information security team attacked all the solutions themselves and, interestingly, all the WAFs either crashed or were penetrated, while WebApp Secure just kept working. Another major reason why WebApp Secure was chosen was the large number of false positives encountered while testing the WAFs, compared with WebApp Secure, where false positives were extremely low.

The unique difference of not blocking just IP addresses within WebApp Secure was another factor in Mozzart Bet’s choice. There was concern that blocking IP addresses would end up blocking many real customers behind a shared IP address. Because of this “beyond the IP address” device identification, the ability to customize a response to a detected attacker was also seen as a key differentiator of WebApp Secure. Allied with an easy to use GUI and dashboard, Mozzart Bet selected WebApp Secure and Spotlight Secure to protect its website.

Results

Prior to deploying the Juniper solutions, Mozzart Bet had been experiencing network downtime and this was causing a loss of real revenue. In the first months after deployment of Juniper’s end-to-end solution, Mozzart Bet has not encountered any downtime on its network, and this has helped maximize revenues. In addition, 2,643 attackers have been detected by WebApp Secure during six weeks of live deployment. This means 0.3% of Mozzart Bet’s Web traffic was identified as malicious and stopped before any damage could be done.

As summed up by Cedomir Novakovic, senior system/network engineer, “Juniper was willing to partner with us on creating an end-to-end data center solution that would expand to support our growing business, and the security innovation from products like WebApp Secure and Spotlight Secure was in a league of its own. No other vendor offers a similar solution to protecting Web infrastructure.”

Next Steps and Lessons Learned

Mozzart Bet is continuing to expand its network, and Juniper is a valued partner in helping it maintain the critical infrastructure and enhanced security needed to power its popular online gaming and betting services.

For More Information

To find out more about Juniper Networks products and solutions, please visit www.juniper.net.

About Juniper Networks

Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of networking. The company serves customers and partners worldwide. Additional information can be found at www.juniper.net.

3520492-001-EN Nov 2013. Copyright 2013 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos and QFabric are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Q&A: John Mancini, AIIM

We speak to the CEO of AIIM about the importance of information management against the backdrop of increased threats and end user and business fears.

Profile: John Mancini is an author, speaker and respected leader of the AIIM global community of information professionals. As a visionary, his predictions include that we will see more change in the way enterprise technologies – and who we trust with that task – are deployed in the next few years than ever before. www.aiim.org

What topics dominate the conversations you have with organisations around information management and monitoring? Why do you think these concerns remain front of mind?

The good news is that there is more information in more forms available to help organisations understand what is in the heads of their customers and satisfy their needs than ever before. Unfortunately, this is also the bad news, because the volume, velocity and variety of this information is on the verge of eclipsing the ability of organisations to effectively manage it.

What are the main fears enterprises face from a privacy, security and monitoring perspective?

Organisations are worried that their old “Maginot Line” approaches to privacy and security (set up barriers around the perimeter) are proving woefully inadequate in a mobile and cloud era. The very nature of mobile means that information is leaking out of the organisation at every turn, on devices that are so portable they are lost or stolen in tens of thousands every week. Organisations have seen that often the threat can come from the inside – from a “trusted” employee armed with something no more sophisticated than a USB stick. Fortress approaches to security do not match the current threats.

What is driving these fears and have they changed in recent times? If so, why?

The quantity of personally attributable information generated merely by mobile or web data “exhaust”, coupled with new and sophisticated analytic techniques, creates enormous opportunities – but also enormous risk. Think of it this way – lots more data, plus way better analytic techniques, is increasingly blurring the line between what is cool and convenient for customers – and what is just plain creepy for them. This line will be increasingly difficult to navigate in the next few years.

What role does AIIM play in both keeping data safe and secure and putting customers’ minds at rest?

At the core, organisations need to think seriously and strategically about information governance. Information governance has been viewed for too long by the C-suite as a tactical nuisance promulgated by Chicken Little records managers and legal types. It’s time to make the management of information assets just as important as the management of financial assets. AIIM provides education and skills development to help organisations meet this challenge.

What advice can you offer businesses to mitigate those risks? Similarly, what advice can you offer IT decision makers and managers?

This is not just a legal issue. This is not just an IT issue. This is not just a records management issue. This is a business issue and should be treated accordingly.

What are the key rules and regulations to bear in mind?

The number and variety of rules, regulations and directives related to information is going to continue to grow, especially relative to the management of information in the cloud. It’s hard enough to meet these challenges when information management is automated. Organisations that insist on manually managing this ever-increasing volume and variety will find it impossible to do so and will put their organisation at risk.

Is the threat landscape likely to become a scarier and more dangerous place in the future? Are we all doomed?

We’re not doomed, but we do need to dramatically and realistically reassess what we are trying to protect and why.
QA: Rodney Joffe, Neustar

We speak to the SVP of Neustar, who also serves as a US government security and industry advisor, about whether people should be worried about being watched.

Profile: Rodney Joffe is a senior vice president and senior technologist at Neustar. He has been a sought-after cyber security expert who, among other notable accomplishments, leads the Conficker Working Group to protect the world from the Conficker worm. www.neustar.biz

Q: What topics dominate the conversations you have with customers? Why do you think these concerns remain front of mind?

A: First and foremost is the issue of breaches and compromises of customer information, especially in light of the Target events. Second is the issue of DDoS. Third is Intellectual Property theft.

Q: You work very closely with the US government in an advisory capacity to help protect against cyber crime and cyber terrorism. Certain levels of monitoring (PRISM et al) are considered a necessity to protect the majority. What would you say to those who feel the lines have been blurred or are worried their every move is being monitored?

A: I have to say that people forget a fundamental fact - the Intelligence Community (IC), who are the branch of government being held responsible, have absolutely no interest in watching and looking at the private lives of the public. They couldn’t care less if you sunbathed in the nude, viewed pornography, used foul language, or exercised all of your constitutional rights. To a man, or woman, their mission is the defence of the sanctity of the US from foreign attackers. That is more than a full time job. But if data exists that will allow the IC to identify those foreign attackers, they want to find a way to get that data without violating US citizens’ constitutional rights. And, if that data is tied up with a US citizen’s unsavoury online habits, the same thing holds - they don’t care about the habits or what the citizen’s activities are. They want to get the bad guys. Additionally, if data can be found in two places, and one of them does not involve personal information about an innocent US citizen, they will go to extraordinary lengths to use an alternative source that does not involve the US citizen. So I would say: Your life is not that interesting compared to what goes on with the real enemy. The IC realises that, and so they are long past the point where they want to look at you. If you turn out to be part of the foreign misbehaviour, then that’s a different story. But they’ll identify that from specifically developed information, not general snooping.

Q: What are the main fears enterprises face from a privacy, security and monitoring perspective?

A: First, I think enterprises fear lawsuits from employees or customers who believe that an enterprise assisted in the snooping. Second, fears may also come from a concern that the monitoring may identify inappropriate activity that the company itself was unaware of, but which may actually result in sanctions against them. Third, concerns that the systems that may be monitoring may be usurped by malicious actors, who then choose to use the capabilities against the company.

Q: What is driving these fears and have they changed in recent times? If so, why?

A: I think that current events related to a) Snowden and WikiLeaks and b) Target-type breaches are driving it. I think that over time, logic will prevail and fears will lessen and become more realistic.

Q: What role does Neustar play in both keeping data safe and secure