Overcoming Security Shortcomings: Why Tech Companies Must Embrace a 360-Degree Perspective
Technology company leaders face a unique security challenge, as breaches not only impact their products and services but also their enterprise assets. Here is how they can take a comprehensive approach to addressing these challenges.
Cognizant 20-20 Insights

Executive Summary

Companies across industries depend on products created by technology vendors to run their infrastructure, enable communications, deliver business and consumer applications, power mobile devices and facilitate social experiences. In many ways, these products have become the nerve center for business, which makes them highly visible targets for security threats — intentional or otherwise.

Technology companies face security challenges like any other business. But what makes it a significant business concern is that security issues also directly impact their products and services. This unique double whammy not only places their enterprise assets at risk (including customer data, transaction data and intellectual property, etc.), but also threatens the integrity of their products. All this sets off painful and expensive reputational damage control exercises around patching vulnerabilities, delivering product revisions and restoring customer confidence. This white paper discusses the unique challenges technology industry business leaders must address to keep their companies ahead of the game. It also provides a perspective on how a more comprehensive approach can help technology companies address these challenges.

Security Attacks Persist

According to the Digital Forensics Association, between 2005 and 2011 U.S. businesses have publicly reported 3,765 security breach incidents, costing more than $156 billion.[1]

Each time a security breach is revealed by the media, business leaders become more concerned about the vulnerabilities of their own organizations in today’s always connected and available digital enterprise. Unauthorized sharing of digital information by Wikileaks and Anonymous made this abundantly clear.[2] Security breaches, whether through security failure of an organization’s implementation of its security or through a security flaw within the technology company’s products and services themselves, can result in millions in financial losses. On top of the monetary impact, negative publicity can have a serious impact on brand and customer trust — not to mention the potential to undermine competitive advantage, particularly if confidential corporate trade secrets and intellectual property are exposed to rivals. And if security glitches are not identified and remediated quickly, companies are susceptible to further exploitation. Moving forward, technology companies are expected to become a higher value target for organized crime activities as infiltration of their Web-enabled products and services offers a potential windfall in illegally gained profits.

cognizant 20-20 insights | november 2011
Forms of attack have evolved distinctly over the years. In the ‘80s, attacks were primarily targeted at the physical infrastructure layer where data was stored on archival tapes. With the rise of the Internet and online communications in the ’90s, networks became the target asset. At this time, the concepts of security and compliance were an after-thought at best. Since 2000, as Web-based applications and services, along with email, gained widespread popularity, business vulnerabilities were concentrated in the virtual environment. Finally, in the current decade, with the rise of social media and online transactions, private and personal data are the primary target asset of hackers seeking to exploit security vulnerabilities.

Moreover, the primary threat of single hacker attacks on corporate data has shifted to concern over organized attacks from criminal elements or even from more sophisticated foreign powers. Your organization is a target, whether you know it or not. Today, technology companies must focus on both the security and safety of their enterprise as well as the security and safety of their products and services. Proactive assessment of emerging technologies and a forward vision of adoption are vital to building robust security features. The naïve view that “it won’t happen to us” needs to be jettisoned, and quickly, and replaced with a clarion call to action: “How do we stop it happening to us?”

Technology companies face potential external and internal security threats. Unsecured activities such as email attachments, uncertified software downloads, Wi-Fi computing through mobile devices, etc. can be just as lethal as intentional malicious attacks like SQL injections, cross-site scripting, brute force cryptography and unauthorized access. Traditional information systems and infrastructure relying on Web applications/services, encryption, etc. are extremely susceptible to various forms of security incursions.

Tech Companies Hit by Security Vulnerabilities since 2009
• Security failure in EDS’ RSA product cost customers an estimated $100 million.
• Hackers stole personal information of 77 million members of the Sony Playstation Network in multiple waves, costing Sony $20 million in lost revenue and much more in settlements.
• A major data security breach at Monster.com led to the theft of usernames, passwords, and contact and personal information, and resulted in the company spending $80 million to repair and improve its platform.
• Adobe Systems investigated incidents involving sophisticated, coordinated attacks against corporate networks.

Figure 1: Security Risk Matrix (Enterprise vs. Product risks, Internal vs. External)
• Internal Enterprise Risks. Examples: Email Servers, Employee Mobile Phones.
• External Enterprise Risks. Examples: Social Networks, B2B Network.
• Internal Product Risks. Examples: Stolen Hardware, Stolen Code.
• External Product Risks. Examples: Hacked Customer Accounts, SaaS Product Security.
(Ask yourself, “why do organizations still use passwords to protect corporate assets?” or “why aren’t security policies strictly enforced?” The answer reflects how serious an organization is about protecting the assets under its control.) Adoption of new business virtualization models like SaaS, outsourcing, online transactions and mobile computing is based on on-demand and ubiquitous provisioning of services and multi-tenancy/shared access to data and to application services. These attributes greatly amplify vulnerabilities due to increased transactional, operational and technical interconnectivities. If your security organization is struggling today, how effectively can it adapt to the mounting challenges of these evolving technologies?

Furthermore, technology companies face threats that originate from security gaps in the very products and services their companies create. Vendors often give higher priority to product features, customer experience, usability and aesthetics compared with security capabilities. The result is security vulnerabilities that hackers exploit. For technology vendors to fully assess vulnerabilities and potential threats, they must address all external and internal touchstone threats from an end-to-end perspective. This means creating a comprehensive threat and risk landscape. Technology companies should not be overconfident that they have ensured that no security vulnerability has been introduced into their infrastructure or products, either by accident or on purpose.

Challenges in Protecting Enterprise Assets

Security threats can extend beyond network/application outages or reputational defacement. Many attacks are specifically targeted to steal information. An enterprise is rich in valuable information assets that contribute to the strategy, operations and delivery of its products and services. Some information assets like customer account and personal details can have severe legal and financial implications for the enterprise. Leakage of assets such as confidential keynotes, fiscal plans, product road maps, leads and opportunities, etc. can wipe out substantial revenue and share price in the short term; leakage of other assets such as intellectual property could cripple long-term viability.

Figure 2: Security Vulnerabilities Within the Enterprise
• External Touchpoints: Customer Portals; Partner Portals; Social Media; B2B Partners, Distributors, Supply Chain.
• Technology Offerings & Channels (the areas of vulnerability): Cloud-based products, services & infrastructure; Mobile services & infrastructure; Traditional products, services & infrastructure.
• External Touchpoints: Internal users; Sales; Product Marketing/Management/PR; Customer Support; Wikis, Content Management.
Figure 3: Challenges in Protecting Enterprise Assets
Information assets at risk: Fiscal plans, strategic initiatives; Customer credit/bank details, transaction data; Sales leads, opportunities, deals, discounts; Intellectual property; Partner list, partner profile, buying patterns; Employee payroll, personal data; Product catalog, price lists; Enterprise content/knowledge base.
• Cloud Computing: Virtualization introduces many interconnectivities & vulnerabilities.
• Current Infrastructure: Web applications, Web services, encryption highly prone to security attacks.
• Mobile Computing: Devices capable of running malware. Ability to avoid intrusion detection systems.
• Regulations: Dynamic regulations dictate compliance to data structure, storage, security policies etc.

As briefly covered in the previous section, existing infrastructure technologies are extremely vulnerable. Most enterprises are connected to the outside world through the Internet, VPNs, B2B networks, etc. and unfortunately all of these channels are susceptible to unauthorized and unauthenticated access. Virtual environments epitomized by cloud and mobile computing add to these security challenges. As a result of these challenges, enterprises are impacted in three major areas (see Figure 4).

Securing the Enterprise with a Framework-based Approach

Security must be approached using a holistic perspective — both for the enterprise itself, as well as for the well-being of customers. There are two key aspects to consider when building a solution framework. One is to approach security as an enterprise asset feature; the other is to approach it from a product feature point of view (see Figure 5).

Figure 4: Security Attacks’ Impact
Operational Impact
• Lost time in product development due to insufficient security assessment(s).
• Direct revenue impact due to lost product opportunities.
• Security issues directly impact scalability of Web sites and could possibly lead to blacklisting, etc.
Brand and Customer Impact
• Customer service issues crop up, leading to issues in customer satisfaction.
• Branding suffers due to low customer satisfaction and customer retention issues.
• Impact due to delays in product development.
Financial Model Impact
• Impact to customer facing portals, newer business models around SaaS deployment, etc.
Figure 5: Enterprise Security Enablement Methodology
Two themes: Security as a ‘key product feature’ and Security as a ‘key enterprise asset feature’.
Methodology dimensions: Organization, Process, Policy, Technology.
Differentiators
• Security should be the central theme to both enterprise asset protection and product management.
• Charter for enterprise & product security office.
• Clear criteria for confidentiality, authorization, authentication and non-repudiation.
• Scalability and flexibility to new business models and emerging technologies.
• Continuous vulnerability assessment & risk monitoring.
Benefits
• Robust enterprise brand, security and trust, growth.
• Healthy and successful customer ecosystem.

Foremost, clear policies and standards must be defined for security. These must consider the classification of information and the respective degree of their confidentiality. Furthermore, these procedures should describe the set of personnel who may have access to the specific information and what procedures to follow when authenticating for access. In order to ensure executive oversight over enterprise and product security, a dedicated organization with a specific security charter must be enabled. The organization should also be responsible for building the required business process and technology capabilities to ensure security is a key requirement in every stage of operations. Most technology companies today have this group in place, but the emphasis placed on the importance of this group varies. The emphasis usually changes after a security attack or mishap.

SMEs with appropriate domain expertise, program managers and analysts should own and have direct responsibility for the delivery of comprehensive security within their spheres of influence. Specific processes, like continuous risk monitoring, vulnerability assessment, contingency planning and response, collaborative product lifecycle management, etc. must be built into the information systems environment. Furthermore, these processes must be both flexible and scalable to ensure that security is delivered even for new and disruptive business models. To a large extent, similar concepts of flexibility and scalability apply to the adopted technologies as well. Emerging technologies must be constantly analyzed and their current state must be dynamically assessed for vulnerabilities. As the threat landscape has continuously evolved, ask yourself if or how your organization’s approach to security has changed in response to changing vulnerabilities. Is your organization ready for these new threats?

We provide a security solution based on a proven framework that offers capabilities specific to an organization’s needs (see Figure 6).
Figure 6: A Managed Services Security Framework
Foundation: Risk Management & Compliance; ITIL, ISO 27001 Based Service Delivery; Workflow & Reporting; Security Operations Center.
Layers covered: Enterprise, Application, System, Network, Products.
Monitor: Security Information & Event Management; Business Continuity / Disaster Recovery; Incident Management; Compliance and Security Monitoring; Emerging Technologies / New Business Model Analysis.
Assess: Vulnerability Assessment / Penetration Testing; End-Point and Third-Party Access Analysis; Infrastructure/Config Health Checks; DR Configuration Management & Testing; Use/Misuse Case Analysis and Testing.
Manage: Identity & Access Management; Enterprise Data Protection Services; Network Security & End Point Content Support; SDLC Security Program; Security as a Requirement/Feature.

Why Cognizant?

We can provide a customized security solution based on our Managed Security Services framework which can assist with discovering areas of vulnerabilities in your enterprise across products/offerings, applications, networks and infrastructure that if gone unnoticed may directly affect your business. Our global security operations center can supplement your security monitoring and employ new technologies to help maintain a watchful eye over your key assets. We can help design, build, or improve your enterprise security design, security organization and industry certified service delivery models.

Remember, there is no one answer for solving security vulnerabilities. There is no magic bullet for security! Securing an organization against today’s sustained threats requires a diligent, well-thought-out and comprehensive security program. Without a proper security program, any organization is liable to become another negative statistic. By improving your organization’s security posture, substantial internal and external benefits can be realized (see Figure 7).

Figure 7: A Managed Services Security Framework
Benefits for Technology Enterprises
• Increased brand value and reduced negative PR due to reduced impact of thwarted security attacks.
• Reduced data theft, legal implications and financial loss.
• Increased revenue due to robust and secure products.
• Reduced impact to business operations.
Benefits for Technology Customers
• Worry-free transactions protecting customer sensitive data like identity, credit/bank details, buying patterns etc.
• Increased profitability and branding due to robust operations and thwarted security attacks.
Looking Ahead

Dynamic and disruptive business models and technologies will continue to emerge and it is imperative that technology enterprises acknowledge and embrace them. Unfortunately, the same powerful technologies are available to antisocial elements as well and the online ecosystem makes almost any enterprise — and specifically technology enterprises — a vulnerable target. Paying attention to and providing comprehensive security will separate leaders from laggards in the software, high-tech and online industries.

Start Today

For more information on how to drive your business results, contact us at inquiry@cognizant.com or visit our website at: www.cognizant.com.

Footnotes
[1] Digital Forensics Association, “The Leaking Vault - Six Years of Data Breaches,” August 2011.
[2] http://en.wikipedia.org/wiki/Anonymous_(group)

References
Online Trust Alliance
Customer Trust Online — Examining the role of experience with Websites
Forrester Research, Inc.
Web Hacking Incident Database (WHID)
Reuters
PR Newswire
HP 2011 Cyber Security Risks Report
Digital Forensics Association

About the Authors

Abhijeet Khadilkar is a Director with Cognizant Business Consulting, where he advises technology companies on sales enablement and business transformation. Abhijeet can be reached at Abhijeet.Khadilkar@cognizant.com.

Tom Pai is a Manager with Cognizant Business Consulting and is focused on helping technology companies with customer experience, customer support strategy and enterprise technology business challenges. Tom can be reached at Tom.Pai@cognizant.com.

Shabbir Ghadiali is a Manager with the Cognizant Business Consulting Practice and is focused on operations enablement of new business models, including cloud and mobile computing. He also specializes in online retail, channels strategy, sales and service operations. Shabbir can be reached at Shabbir.Ghadiali@cognizant.com.

Contributors

The authors would like to recognize the contributions of Sriram Sundararajan, a Manager with Cognizant Business Consulting, Ananthakrishnan Sitarama, Director, Technology Vertical, and Jim Kates, who heads Cognizant’s IT Security Consulting Practice.
About Cognizant

Cognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process outsourcing services, dedicated to helping the world’s leading companies build stronger businesses. Headquartered in Teaneck, New Jersey (U.S.), Cognizant combines a passion for client satisfaction, technology innovation, deep industry and business process expertise, and a global, collaborative workforce that embodies the future of work. With over 50 delivery centers worldwide and approximately 130,000 employees as of September 30, 2011, Cognizant is a member of the NASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked among the top performing and fastest growing companies in the world. Visit us online at www.cognizant.com or follow us on Twitter: Cognizant.

World Headquarters: 500 Frank W. Burr Blvd., Teaneck, NJ 07666 USA. Phone: +1 201 801 0233. Fax: +1 201 801 0243. Toll Free: +1 888 937 3277. Email: inquiry@cognizant.com
European Headquarters: 1 Kingdom Street, Paddington Central, London W2 6BD. Phone: +44 (0) 20 7297 7600. Fax: +44 (0) 20 7121 0102. Email: infouk@cognizant.com
India Operations Headquarters: #5/535, Old Mahabalipuram Road, Okkiyam Pettai, Thoraipakkam, Chennai, 600 096 India. Phone: +91 (0) 44 4209 6000. Fax: +91 (0) 44 4209 6060. Email: inquiryindia@cognizant.com

© Copyright 2011, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.