Larry Taylor Ph.D., profile picture
Uploaded byLarry Taylor Ph.D.
430 views

2010 6 Things u need 2 know in 2010 Whitepaper Final

The document discusses six major IT security issues that CEOs and CIOs should discuss in 2010: 1) cyber crime, 2) the insider threat, 3) the post-recession exodus of IT staff, 4) social media in the workplace, 5) security in the cloud, and 6) enterprise cloud use. It provides an overview of each issue and practical guidance for addressing them, noting that effective security requires a combination of good policy and technology. Overall, the document aims to help CEOs and CIOs better understand and address growing security challenges in the coming year.

Embed presentation

Download to read offline
February 2010 IT Security Six things you need to know in 2010
Contents 1 Executive summary Page 2 2 Introduction Page 3 3 Cyber crime Pages 4-5 4 The insider threat Pages 6-7 5 Post-recession exodus Page 8 6 Social media in the workplace Pages 9-11 7 Security in the cloud Pages 12-13 8 Enterprise cloud use Pages 14-15 9 The BT offer Pages 16-17
2 Security concerns are at the heart of pretty much every aspect of networked IT services today, but are the real security questions being addressed? Do CIOs and CEOs suffer from a translation problem when assessing and developing solutions for the potential threat? And has the incentive during the recession been to sweep the big issues under the carpet? This white paper looks at the six things a CEO should be asking his CIO in 2010, and the answers he should be looking for to ensure his enterprise capitalises on any easing of the global economic downturn. It also turns each of the six issues on its head and defines what the CIO needs to be saying to the CEO to ensure the IT function performs optimally in the year ahead. This paper offers practical guidance to both audiences on the security issues likely to be making headlines in 2010. It should be a vital desk companion to CEOs and CIOs looking to foster better understanding of how data and network security affects their organisation. 1 Executive summary
3 For all that information security is one of the most critical issues facing organisations today, be they a financial institution holding customers’ banking details or a government body holding electoral, health, criminal, employment or immigration data, too often an inability to translate the issue from a technical to a business one gets in the way. Vital facts are lost, as it were, in translation. This paper presents six of the biggest security topics that CIOs, CSOs and CEOs should be discussing – urgently – in 2010. And it does so in an attempt to break down this barrier, acting as a straightforward guide to the problem, the situation as it stands and the solutions available. BT Global Services has decades of experience helping major international organisations protect themselves and their customers from the ever-present threat of information loss or attack. This paper is aimed at spreading just some of that experience around. We hope it is useful and that you get in touch if you have any questions at all. In 2010, three things, at least, are certain. One: information security will be better than last year, which was better than the year before, and so on, because the technologies to counter threats are evolving every day. Two: conversely, the security of information – corporate, commercial and personal – will come under more threat than ever before as the increasing importance of data makes it the battleground over which an ongoing fight between those who would steal or misuse it and those who would protect it is becoming ever more fraught. This ‘arms race’ between hackers and IT security professionals can only escalate. Three: the issue of information security will become more and more of a mainstream topic, discussed in mainstream newspapers and on mainstream television channels. Already, Google’s decision to cease its censorship in China due to suspicious attacks on data held on its servers has been one of the biggest news stories of the year. Against this backdrop of increasing complexity and a rising public profile, CIOs, CSOs and CEOs will meet around the board table to discuss the security issues facing their organisations: issues that have never been more important, or more challenging to understand, let alone to address. Yet they will meet around those tables hampered by a simple yet very real barrier: language and awareness, or lack of it. 2 Introduction
1. http://transcripts.cnn.com 2. http://www.conservatives.com 3. http://www.alp.org.au 4. http://technology.inquirer.net 5. Datamonitor research commissioned by BT: Threatening Skies: Risk in the Global Economy, 2008 And the war is escalating. Why is this? Firstly, the world, and particularly the business world, is more globalised than ever before. Secondly, that same world is more networked than ever before. It is more reliant on technology, partly because so much business is now conducted over huge distances and partly because so much business is now data-driven and computer-dependent. The result is a very modern transmutation of the age-old phenomenon of “industrial espionage”, which has been around since the dawn of commerce. Spying on, stealing or sabotaging the data of another organisation – be it a commercial enterprise or a national government – gives you anything from competitive advantage to economic and military superiority. And there is a worrying acceptance of the problem. More than half of executives in developing regions themselves admit that the threat of international cyber-espionage, hacking or web fraud is more likely to come from a source located in a developing economy such as (but not limited to) Russia, India, Brazil or China.5 What’s the problem? Globalisation is leading to a new “cyber cold war”. Google’s decision to cease its censorship of content in China after attempts to hack into its servers was just the latest in a series of similar events in recent years. Issues such as this have long been considered at a serious political and diplomatic level. As far back as 2002, in fact, the FBI announced its “number three” priority was protecting the United States “against cyber-based attacks and high-technology crimes.”1 Since that time, the problem has grown exponentially. In May 2009, US President Barack Obama announced he would create a new White House office of cyber security, with that cyber czar reporting to the National Security Council as well as to the National Economic Council. Other countries have been quick to follow suit. According to a policy paper on national security published in January 2010, the Conservative Party, widely expected to form the next UK Government, plans to establish2 a Cyber Threat and Assessment Centre to counter online attacks against the UK. In the same month, Australia opened the Cyber Security Operations Centre3 following a year in which its defence computer networks were attacked by about 220 “security incidents” every month, with another 220 targeting other government systems. In the Philippines, a new cybercrime Bill has been passed this year4 . Together, all this paints a picture of a very modern battlefield, one that itself exists “in the cloud”, with skirmishes being fought daily over data carried via the internet and networks. 4 3 Cyber crime 100 % 80 60 40 20 0 Brazil China India South Africa Yes No Don’t know Do you believe that the threat of international cyber-espionage (hacking, web fraud etc.) is more likely to come from a source located in a developing economy such as (but not limited to) Russia, India, Brazil or China? Is cyber crime a real danger for this organisation?  CEO
5 The very language we use is also a problem. The term, “cyber-crime”, leads us to forget that the data still starts and ends with a physical machine, and so the physical threat is frequently overlooked. You can have the best technology in the world, but it won’t help if your office cleaners are easily able to smuggle information out of your building on a data stick. Ultimately, what is needed is a combination of good corporate policy, married to effective technology. Far too often, we see one without the other and, in 2010, this is not good enough. Practical advice 1. Check physical security. Ensure that your technology, facilities management and human resources departments, at the very least, are talking to each other. Any external suppliers with access to your building should be properly vetted. 2. Ensure you have the appropriate technology in place and that it is set up correctly: software-based anomaly detection, located in the network, coupled with solid firewalls at your data centre end. 3. Link this up with effective policy adherence – rigorous testing, monitoring, recording – such as is demanded by ISO 27001 (BS7799) the Information Security Management System (‘ISMS’) 4. Ensure that policy is in place for follow-through: detecting and countering an attack is one thing. You need to be able to trace it and build up the chain of evidence so that, should you ever need to take someone to court, there is a proper chain of evidence. This means your IT people need to be trained to log dates and times properly, and your legal department will need to be involved to ensure your policies adhere to privacy laws. Can we protect ourselves? The question being asked in boardrooms is “can we truly protect ourselves against the next generation of hacking? Or is damage- limitation the best we can hope for?” Providing reassurance is a tricky thing, because companies involved in providing security solutions need to be transparent and responsible with their claims. So let us be very clear, here, from the outset: there is no easy panacea to this problem. There is no single product or service that can be plugged in and means your data is safe. It means companies need to sit up and take this problem seriously at a senior level and not relegate it to a nuts-and- bolts IT services issue. Yes, but don’t expect technology to solve the problem on its own Firstly, it is vital to recognise how the very nature of globalisation has altered the challenge. Once upon a time, a virus detection programme could easily check IP addresses linked to a PC or server, spot any beginning 85.xxx, recognise that this was going to China, for example, and block the address. Today, of course, most international companies will be sending and receiving legitimate data packets to and from China daily – suppliers’ details, product data, order information. So modern software has to learn what activity is legitimate and what is not before it begins to run effectively. This is hugely powerful, but the understanding of the process is not always there. Too many organisations, erroneously, think they have this activity covered as soon as they’ve installed the new kit. Just because suspicious activity has not been detected does not mean that it’s not going on. It’s a growing threat, and one we must confront  CIO
6. http://www.softcat.com/files/pdfs/TheThreatsEnglish.1.pdf What’s the problem? The ‘insider threat’ is, unfortunately, a growing one. According to research from McAfee, 75% of website defacement is the result of an internal job and 68% of data theft is internal.6 The threat from within covers three main areas: • Genuine mistakes – people leaving a machine unencrypted and vulnerable (see cyber crime, above), or sending the wrong email, possibly with sensitive data attached • Lack of awareness of security policies – people naively allowing leakage of sensitive data • Deliberate – someone unhappy with the company, maybe having been made redundant, and taking revenge: deleting billing records, for example, or stealing information that can be sold to competitors or used to gain advantage in his next job. Can we protect ourselves? Again, the problem arises less from technology and more from policy and, often, simple human error and forgetfulness. Most organisations today simply could not exist without computerised data and the internet and private networks that allow it to be shared. Data is everywhere, in digital form, and the proliferation of easy ways to store and transport it, from laptops and USB sticks to iPhones, iPods and just sending it via personal email, makes keeping it within your building a daunting task. Source: McAfee, ‘The Threat From Within’ 6 4 The insider threat Security Softie: European League Table Do employees let friends/family use their work computer to access the internet at work or home? European Average: 21% Italian employees: 42% Most Lax French employees: 23% British employees: 21% Spanish employees: 16% Dutch employees: 14% German employees: 12% Least Lax Is our information safe in the hands of our people?  CEO
7 use or plugging personal iPods into computers, for example? If you manage a call centre, do you have a policy on cameras? People can just as easily take photos of customer data on screens as download to a stick. Policy is nothing if people don’t know about it. You must communicate with your employees, be transparent about your rules on the above and why they are there. This means ongoing training and awareness, so that line managers know how to keep their teams adhering to policy. At the heart of that policy should be access rights: who has access to what data? You need to get the balance right, giving people the access to the information they need, with enough leeway to be able to innovate and do their job. But full administration rights to all data are rarely appropriate for the entire workforce. And, above all, remember to cancel outgoing employees’ access rights, which includes their key fobs, passwords remote log in usernames and so on. Follow this up with change management controls. If a new item of software, a new database, for example, or a new security patch is being installed, don’t let any one programmer have the right to unilaterally change the code or the application. The change should be verified by two or more people. Finally, encrypt your data. It is incredible how many organisations in 2010 do not save sensitive data in an encrypted format. Most software applications – even mainstream ones, such as Microsoft Office, support strong encryption. Practical advice Simple – remember PEACE: Policy, Education, Access, Change management and Encryption. Yes, if you remember PEACE Accessing all that data can be as simple as logging on to a computer and browsing a directory or folder structure on the server or as complex as entering multiple usernames and passwords, some static and others dynamic, generated in realtime by technologies that are now part of everyday working life, such as key fobs and remote login tokens. Countering the insider threat starts with policy. What is your organisation’s policy for information security, personal email Gadget Geek European League Table What percentage of employees admit to owning at least one personal gadget to connect to the office PC? European Average: 51% French employees: 56% Most Lax Spanish employees: 54% British employees: 51% Italian employees: 49% Dutch employees: 48% German employees: 48% Least Lax What percentage of employees connect devices at least once a week to the office PC? European Average: 52% Italian employees: 56% Most Lax Spanish employees: 53% Dutch/French employees: 52% British employees: 47% German employees: 46% Least Lax With the right internal policies and practices, we can ensure it is safe  CIO
8 7. http://www.reuters.com/article/idUSTRE57Q0OA20090827 8. http://bit.ly/5F9XGS; http://bit.ly/6o1SFL; http://bit.ly/5URQQ5 Yes, but exit management strategy is key The solution requires that you implement the steps discussed above, without delay. If you think your organisation is vulnerable to a sudden and simultaneous exodus of employees, you must put an immediate focus on getting your exit management processes up to date – there is no way of knowing when this dam might burst. Practical advice 1. Ensure that everyone leaving is individually aware of his or her responsibilities. 2. Involve your HR department now, so that they are able to provide a double check (along with your technology people) that physical access tokens and key fobs have been returned and deactivated or reset. 3. Your tech department should, of course, make sure that all usernames, logins and passwords to company data are cancelled. What is it? Research from a variety of countries and sectors indicates that a considerable number of employees are waiting for the global recession to end before moving jobs. In the US, one in five workers plans a switch when the economy improves, according to a December 2009 survey.7 In the UK, similar surveys predict that anything from one in three to half of employees will move once the economy stabilises.8 Many people, runs the argument, have stayed in the same position for the past two years, with no promotion, pay rise or bonus and possibly with pay cuts or reduced hours. Whatever the true figures, the notion that there is a dam waiting to burst seems valid. Can we protect ourselves? Essentially, this is the same question as the previous one – just on a bigger, simultaneous scale, and therefore with a sense of urgency that relates to the current economic environment. If and when these people begin their exodus en masse, they will pose a unique form of insider threat (see insider threats, above), potentially removing commercially sensitive (for you) and useful (for them) information from your organisation, on an unprecedented scale. 5 Post-recession exodus Are we protected when people leave the organisation?  CEO Exit management is critically important for information security  CIO
9 9. http://journals.naspa.org/cgi/viewcontent.cgi?article=1953&context=jsarp What’s the problem? The internet phenomenon that is social networking has been one of the most talked-about security topics of the past two or three years. As soon as it became apparent that people were using their work as well as their personal internet connections to log on to external sites to share information – and, potentially, data – organisations began voicing their concerns. The worry was, and still is, that sites such as Facebook and Twitter might at best reduce people’s productivity and at worst pose a threat to information integrity. Of particular concern has been the theory that the incoming generation of employees, reared on the internet and potentially blasé about security, will pose a major challenge for management. Generation Y refers to a specific cohort of individuals born from 1981 to 2000 (according to Harvard Business School), while others mark the beginning of Generation Y in 1978 or 1981 (Wikipedia). All sources agree, however, that the majority of Generation Y free time is spent living an online lifestyle. They are sometimes referred to as ‘Digital Natives’ (as well as Generation Z or the iGeneration). Fig 1. Which generation are you? In a survey of university students in the US by Junco and Mastrodicasa (2007)9 , still the most up to date study of its scope in this age group: • 97% own a computer • 94% own a mobile phone • 76% use Instant Messaging (15% logged on 24/7) • 34% use websites as their primary source of news • 28% author a blog and 44% read blogs • 49% download music using peer-to-peer file sharing • 75% of university students have a Facebook account • 60% own some type of portable music and/or video device such as an iPod 6 Social media in the workplace 1981-2000: Generation Y 1965-1980: Generation X 1946-1964: Baby Boomers 1922-1945: The Veterans
10 Fig 2. Where does Generation Y spend its time? Source: Ewan McIntosh (http://edu.blogs.com/) So, is there a risk? This stems from a fear of the unknown. Generation Y uses a different vocabulary, follows a different culture, has different demands, demonstrates a high speed of learning and has different expectations. They push the boundaries of older management. But is this a threat? The pace of change in terms of new media and social networking tools will frequently continue to outstrip our ability to check for technical security threats and counter them. The convergence of external and internal applications will proceed at pace and, certainly, the risk of data leakage is a very real one as people (of all generations, but particularly younger employees) increasingly blur the boundaries between their public/private and personal/professional lives. That said, the longer organisations spend debating the threats, the higher the danger that they will fall behind the curve when it comes to exploiting opportunities Maybe, but the benefits outweigh the dangers The social web is a driver of change and change can be scary. There are challenges – and solutions – for implementing social networking tools and using them safely in the workplace while demonstrating business value and creating an environment for young talent to grow and want to stay with your organisation. Are organisations being hypocritical? For example, many businesses exploit Facebook for recruitment and looking at individuals, advertise on Second Life to sell to the younger generation and use Twitter to research trends and social patterns to exploit for marketing opportunities. The trick is to help people manage the fuzzy boundaries between their public/private and personal/professional lives. It is a challenge – but not a threat. Secret Spaces Mobile, SMS, IM Participation Spaces Marches, Meetings, Markets, Events, etc Publishing Spaces Livejournal, Blogger, Flickr, Photobucket, etc Group Spaces Bebo, Facebook, Tagged, etc Watching Spaces Television, Gigs, Theatre, etc Performing Spaces Second Life, World of Warcraft, Home, etc Should we stop people using Facebook and Twitter?  CEO 6
Fig 3. Manage the fuzzy boundaries At their heart, social networking sites are about collaboration and sharing ideas. Both of these things are the very lifeblood of innovation and organisations must find a way of embracing rather than banning them. 11 Properly managed, these new ways of communicating present an opportunity  CIO Practical advice 1. Make the tools available. You can’t – or at least will find it increasingly difficult and counter-productive to – stop people using tools that they have grown up with, that are so ingrained into their way of life. 2. Divorce management issues from the equation. For example, worrying about whether employees will ‘waste time’ chatting on Facebook is only a modern incarnation of worrying if they’ll ‘waste time’ chatting at the water cooler. Motivating people and optimising productivity is a management issue, not a security one. 3. It is possible to make any web-based tool secure, with the right technology, the right training and the right level of awareness among the workforce. And so, again, education is key: • Make your security policy on social networking usage relevant to your Generation Y employees. Listen to them, engage, and participate. • Never say no! They will just go round you. • Embrace the younger generation’s needs – it will accelerate innovation. • As with any other application, layer up the technology to ensure that data is encrypted and secure, and that access controls to sensitive information are appropriate to the user. Public Personal Private Political/ professional
12 10. Gartner Inc. Press Release, “Gartner EXP Worldwide Survey of Nearly 1,600 CIOs Shows IT Budgets in 2010 to be at 2005 Levels”, 19 January 2010 The delivery of services via the cloud has been one of the most talked- about subjects in IT circles for the past twelve months, but only in 2010 has it made it onto the boardroom agenda. After a slew of articles on the cloud in the worldwide business press in 2009, the business implications of the cloud are beginning to filter through to non- technical experts. And CIOs are responding to this growing awareness of the importance of the cloud. According to the Gartner Executive Programmes’ 2010 CIO survey10 , the top three technology priorities cited by CIOs are virtualisation, cloud computing and web 2.0, while the top business priorities are business process improvement and reducing enterprise costs. In the current climate, the ability to deliver better IT services for less chimes with business leaders’ own objectives. The idea of upgrading technology without significant capital expenditure is finding fans both among CIOs, but also CEOs and CFOs. BT Global Services’ recent Enterprise Intelligence research reveals an interesting disconnect between CIOs and CEOs, with nearly half CIOs (44%) saying they believe they deal with information that is too sensitive for the cloud, but only a third of senior executives saying the same. The implication is that it could be CEOs urging a move to the cloud in 2010, with CIOs offering a note of caution. Do cloud benefits outweigh risks? Many of the risks associated with cloud services are grounded in who controls what. The ability, or lack thereof, to transfer control and risk relating to data to third parties is critical. Recent research by the EU Network and Information Security Agency (ENISA), to which a crack team of BT’s security experts contributed, reveals that the biggest security concerns associated with the cloud are corporate data confidentiality, privacy and the integrity of services and/or data. These three issues are major ‘deal-breakers’, and if they cannot be addressed completely, enterprises will find it difficult to move to cloud architecture. On the other hand, the benefits of moving to cloud architecture are potentially huge: significantly reduced capital expenditure and fixed costs; increased agility thanks to the rapid provisioning and de-provisioning of resource; faster return on investment thanks to pay-as-you-use commercial models; the availability of services to a mobile workforce; unlocking business opportunities by removing previous barriers to entry; theoretically more robust business continuity (see the next section for a more detailed discussion of business continuity in the cloud). Cloud security requires strict policies and planning Cloud services are extraordinarily diverse, and there can be no one- size-fits-all approach to security. Just look at the software-as-a- service offered by major names like Microsoft, Google and Salesforce. com, and compare them to infrastructure-as-a-service from Amazon, IBM or BT. These are very different propositions and require different security policies and controls. The solutions that are most likely to provide enterprise-level stability, security and usability will comprise federations of best-in-class 7 Security in the cloud Is it safe to move into the cloud?  CEO Agreeorstronglyagree 500 5 10 15 20 25 30 35 40 45 CIO caution: “Our information is too sensitive for the cloud”
13 solutions provided via a mixture of in-house ‘private’ clouds and third-party ‘public’ clouds. Such a ‘hybrid’ approach has the potential to confer huge benefits on enterprises in 2010, while ensuring the specific risks are mitigated. Thus, data covered by Sarbanes-Oxley or other legislation can be retained and delivered to end IT systems users within private clouds. Similarly, publicly accessible material, such as marketing material that can be downloaded from websites, can be stored and delivered at minimal cost via a third-party public software- as-a-service solution in a public cloud. The best advice is to lock horns commercially with multiple cloud service providers and ensure your security policy and requirements are built into their offerings. Practical advice 1. Research the market. All the providers of cloud services, whether delivering software, infrastructure or platform solutions offer different services with different service level agreements and security features. Selection of the right services is an essential first step. 2. Federated solutions may be more bespoke and robust. Using a selection of different services – including a self-managed private cloud – to build a bespoke solution can ensure cloud services are more aligned with your business needs. Increasingly, federation will become an essential part of building bespoke cloud services, meeting security and risk demands, adding transparency and increasingly providing secure collaboration between trusted parties. 3. Prepare for cloud culture. The automated interface of many cloud services can feel alien to IT departments used to dealing with people within supplier organisations. Procurement, legal or commercial teams can also find the pay-as-you-go contracting model of cloud services demanding. Take these teams with you if you opt to strategically source services from the public cloud, otherwise they may become strategic barriers. 4. Regularly seek independent audits of cloud operators’ offerings, to ensure they are still the best in class and best fit for your needs. The cloud can be safe, secure… and financially attractive  CIO Legislation Covering Data Data protection legislation often prevents the transfer of risk from one corporate entity to another. For example, both Sarbanes-Oxley and the UK’s Data Protection Act require the company looking after data to remain entirely responsible for it. Legislation also presents jurisdictional challenges. For example, cloud providers are typically forced to locate data within a specific territory, usually the client’s own country, which hinders the benefits and flexibility of their service offerings. Under such stringent conditions, the data-owning party would need so much control over how the data is stored and used, that the benefits of cloud storage of data or computing resource could be lost.
14 Availability – at the heart of security A sophisticated service that delivers significant value to its users remains worthless if it is not consistently available. When considering the security of cloud services, availability is one of the biggest single issues. There are multiple challenges here: how does cloud architecture impact availability levels during periods of normal service; how much can the cloud help or hinder availability when an organisation needs to rapidly scale up or down key services; and what impact does the cloud have on an organisation’s business continuity strategy? The bottom line for most organisations today is that non-availability of services costs money through impacted productivity and sales, lost customers and damaged reputation. The strategic challenge for cloud providers is how to transfer the risk of downtime from enterprises seeking to adopt cloud architecture. We have already shown that some risks cannot be transferred, for legislative reasons (see the previous section). But it is, theoretically at least, possible to offset some of the concerns of enterprises by committing to strict service level agreements. How can we maintain service levels in the cloud? This is where federators of cloud services can add value, not only by bolting together services to create bespoke solutions, but providing security wraps and service level guarantees that potentially exceed those of the third party cloud provider alone. The lessons learned in the design and deployment of high availability infrastructures is critically important for cloud providers, and there is evidence that some are not yet applying sound engineering design. Those with an infrastructure heritage are leading the way here. While elasticity of service is one of the core features of cloud architecture, and scaling up and down does not affect availability, business continuity – in particular, disaster recovery – offers its own challenges in the cloud. Under a traditional business continuity model, all data stored on dedicated – and probably self-managed – servers is routinely duplicated and stored on a mirror server at a distinct location, in case of a disaster. Under cloud architecture, however, the location of servers is not necessarily a fundamental aspect of service provision, which makes ensuring data is copied to a remote location a challenge. This is mitigated by the fact that, increasingly – mainly for reasons of data protection legislation – cloud providers’ customers stipulate in which region or territory servers, and therefore data will be physically located. 8 Enterprise cloud use Can we guarantee our customers world-class service in the cloud?  CEO
15 Practical advice 1. Understand how resource sharing occurs within your cloud provider – if you require significant scaling-up of provision at the same time as other users of the same cloud, it may risk breaching the capacity of the cloud provider, and therefore affect availability. 2. For infrastructure-as-a-service and platform-as-a-service in particular, a cloud provider’s patch management policies and procedures have significant security impact so ensure the patching policy is documented. 3. The cloud provider’s technology architecture may use new and unproven methods for failover, so verify what they use for disaster recovery. 4. Understand how your cloud provider deletes ‘old’ data, particularly on the cessation of a contract. This is an area that requires greater transparency. The cloud can boost business continuity The cloud architecture should theoretically be more resilient than the traditional model, because with proper planning, instances of failover – automatically switching to an alternative network upon failure – should become more integrated. By intelligently backing-up data, access to a cloud service can be maintained, even with parts of the infrastructure out of action. Getting this right – and demonstrating they have done so – is the challenge for cloud providers. Accidental data deletion may become a thing of the past if automatic data retention policies – currently adopted by of some of the major cloud service providers – become standard. At present, some providers say they will never erase any data at all, but merely archive it. It will be interesting to see what recovery techniques are developed over the years, as the volume of data grows, and maintaining data catalogues becomes increasingly complex. It is also important that deletion of data upon cessation of contract remains a major technical challenge and even more so in the infrastructure re-use model being adopted by cloud providers. Correctly deployed, we can drive customer and employee benefits from the cloud  CIO
16 Managed Vulnerability Scanning, powered by BT Counterpane BT MSSG offers two levels of Managed Vulnerability Scanning service to meet customer needs. BT partners with Qualys for service delivery. • The Full Service option is for companies interested in leveraging BT’s expertise and experience to manage their scans and tightly integrate them with BT’s infrastructure. BT’s scans can be scheduled to suit your needs on a weekly, monthly, or unlimited basis. • The Self Service option is for companies preferring to self-administer their scans and wishing to take advantage of additional features of the service, including asset classification and remediation management. Both service options provide flexibility in scheduling scans and defining internal and external targets including address-specific or address- range coverage options, and conditional start-stop time boundaries. All scan reports are correlated across data from vendors as well as data from BT MSSG’s proprietary correlation engine. Executive summaries and detailed scan reports are available 24x7 via the BT MSSG Portal. Managed Log Retention, powered by BT Counterpane Managed Log Retention frees customers from the log and security management burden while enabling them to achieve federal and industry compliance, reduce total cost of ownership, and benefit from best practice guidance on risk management with swift responses to security incidents, compliance inquiries, and internal threats. As the authority on enterprise security, BT’s Managed Security Solutions assure customers’ business continuity, improved compliance, and protection from financial loss. Leveraging our experienced professionals and state-of-the-art security solutions, BT delivers comprehensive protection and real economies of scale and efficiencies of cost. BT’s Managed Security Solutions Group’s (MSSG) portfolio of managed security solutions provides customers with the industry’s most complete, single-source enterprise security solution. Our rich heritage in Managed Security has earned us the trust of customers. Our foundation in real-time internal network and host-level protection is augmented by managed internal and external network protection services, including: Managed Security Monitoring, powered by BT Counterpane BT’s managed security monitoring service combines a team of disciplined security experts, a rigorous process for incident detection and response, and best-of-breed technologies to provide information- driven organisations with immediate feedback regarding the efficacy of their network’s security – in real-time. Our security monitoring is the business solution that empowers enterprises to reduce liability, improve information safety, and facilitate audits. Device Management, powered by BT Counterpane Device management focuses on proactively implementing configurations in the best interests of the customer so that devices are always providing maximum protection and surveillance. That’s why BT’s MSSG SLA offers unlimited changes to devices when they are initiated by BT. This includes new signatures and updates from the vendor and configuration changes BT MSSG recommends based on observations from hundreds of networks and thousands of devices around the world. 9 The BT offer
17 Ethical Hacking BT’s Ethical Hacking services enable customers to protect their networks, information assets, and corporate reputations by identifying vulnerabilities before they can be exploited. Our security experts will identify vulnerabilities, provide recommendations to remediate identified issues, and help improve their security posture. BT proprietary testing methodologies and techniques yield high quality results that will help customers optimise their security infrastructure. • Application Testing – Reviews the logic structure, code, methods of access and authentication mechanisms of your web-based applications • Network Testing – Provides external and internal vulnerability and penetration assessments, VPN vulnerability and penetration tests and an analysis of VoIP within your environment • Wireless Security – Identifies weaknesses and vulnerabilities specific to your wireless infrastructure • System Hardening – Tests for over 1,000 network-level vulnerabilities within your current network configuration • War Dialing – Identifies unauthorised modems that provide access to your network and then attempts to exploit your network through illicit devices For more information on BT Managed Security Services and how they can make your organisation and your customers more secure and risk-resilient, please visit bt.com/globalservices or contact Ray Stanton (ray.stanton@bt.com)
Offices worldwide The services described in this publication are subject to availability and may be modified from time to time. Services and equipment are provided subject to British Telecommunications plc’s respective standard conditions of contract. Nothing in this publication forms any part of any contract. © British Telecommunications plc 2010 Registered office: 81 Newgate Street, London. EC1A 7AJ Registered in England No. 1800000. PHME: 59516

More Related Content

PDF
Information Security - Hiring Trends and Trends for the Future PDF
byAlexander Goodwin
 
PDF
Volume2 chapter1 security
byat MicroFocus Italy ❖✔
 
PDF
Input on threat images against information society
bySomerco Research
 
PPTX
Online security – an assessment of the new
bysunnyjoshi88
 
PDF
Frukostseminarium om molntjänster
byTranscendent Group
 
PDF
sc_can0315_28373
byKatherine Thompson
 
PDF
WSIS10 Action Line C5 Building Confidence and Security in the use of ICT's
byKROTOASA FOUNDATION
 
PDF
July 2010 Cover Story
byPatrick Spencer
 
Information Security - Hiring Trends and Trends for the Future PDF
byAlexander Goodwin
 
Volume2 chapter1 security
byat MicroFocus Italy ❖✔
 
Input on threat images against information society
bySomerco Research
 
Online security – an assessment of the new
bysunnyjoshi88
 
Frukostseminarium om molntjänster
byTranscendent Group
 
sc_can0315_28373
byKatherine Thompson
 
WSIS10 Action Line C5 Building Confidence and Security in the use of ICT's
byKROTOASA FOUNDATION
 
July 2010 Cover Story
byPatrick Spencer
 

What's hot

PDF
The TOP 10 tech trends of 2011
bydvasilyev
 
PDF
Cyber Warfare
byJason Fernandes
 
DOCX
B susser researchpaper (3)
byBradley Susser
 
PPT
Security in Web 2.0, Social Web and Cloud
byITDogadjaji.com
 
PPT
Gebm os presentation final
bysunnyjoshi88
 
PDF
IMC 618 - Public Relations Campaign
byStephanie Holman
 
PDF
iStart feature: Protect and serve how safe is your personal data?
byHayden McCall
 
PPT
Online security – an assessment of the new
bysunnyjoshi88
 
PDF
Carlos Moreira Cyber Security Round-table Moderation in NY 2014 M&A Advisory ...
byCreus Moreira Carlos
 
PDF
Securing mobile devices_in_the_business_environment
byK Singh
 
PDF
Sept 2012 data security & cyber liability
byDFickett
 
PDF
Need for Improved Critical Industrial Infrastructure Protection
byWilliam McBorrough
 
PDF
The 10 most influential leaders in security, 2021
byMerry D'souza
 
DOCX
B susser researchpaper (2)
byBradley Susser
 
PDF
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...
byInformation Security Awareness Group
 
PDF
INFOMAGAZINE 8 by REAL security
bySamo Zavašnik
 
PDF
cybersecurity-250
byChris Crowe
 
PDF
Banking Law Bulletin - 3 tips for banking lawyers to avoid the stormy cloud (...
byTania Mushtaq
 
The TOP 10 tech trends of 2011
bydvasilyev
 
Cyber Warfare
byJason Fernandes
 
B susser researchpaper (3)
byBradley Susser
 
Security in Web 2.0, Social Web and Cloud
byITDogadjaji.com
 
Gebm os presentation final
bysunnyjoshi88
 
IMC 618 - Public Relations Campaign
byStephanie Holman
 
iStart feature: Protect and serve how safe is your personal data?
byHayden McCall
 
Online security – an assessment of the new
bysunnyjoshi88
 
Carlos Moreira Cyber Security Round-table Moderation in NY 2014 M&A Advisory ...
byCreus Moreira Carlos
 
Securing mobile devices_in_the_business_environment
byK Singh
 
Sept 2012 data security & cyber liability
byDFickett
 
Need for Improved Critical Industrial Infrastructure Protection
byWilliam McBorrough
 
The 10 most influential leaders in security, 2021
byMerry D'souza
 
B susser researchpaper (2)
byBradley Susser
 
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...
byInformation Security Awareness Group
 
INFOMAGAZINE 8 by REAL security
bySamo Zavašnik
 
cybersecurity-250
byChris Crowe
 
Banking Law Bulletin - 3 tips for banking lawyers to avoid the stormy cloud (...
byTania Mushtaq
 

Similar to 2010 6 Things u need 2 know in 2010 Whitepaper Final

PDF
iStart - Cybercrime scene investigation
byHayden McCall
 
PDF
1. security 20 20 - ebook-vol2
byAdela Cocic
 
PDF
Staying Ahead in the Cybersecurity Game: What Matters Now
byCapgemini
 
PDF
Staying ahead in the cyber security game - Sogeti + IBM
byRick Bouter
 
PDF
20101012 isa larry_clinton
byCIONET
 
PDF
Ten Security Essentials for CIOs
byIBM Security
 
PDF
40 under 40 in Cybersecurity year 2022.pdf
byDr. Ludmila Morozova-Buss
 
PDF
40 under 40 in Cybersecurity 2022. Top Cyber News MAGAZINE
byTopCyberNewsMAGAZINE
 
PDF
40 under 40 in cybersecurity. top cyber news magazine
byBradford Sims
 
PDF
European Cyber Security Perspectives 2016
byOmer Coskun
 
PPTX
CRI "Lessons From The Front Lines" March 26th Dublin
byOCTF Industry Engagement
 
PDF
Norman Broadbent Cybersecurity Report - How should boards respond
byLydia Shepherd
 
PPTX
Showreel ICSA Technology Conference
byInstitute of Chartered Secretaries and Administrators
 
PDF
10 security problems unique to it
byIT-Toolkits.org
 
PDF
10 security problems unique to it
byIT-Toolkits.org
 
PDF
INFORMATION ASSURANCE AND SECURITY 1.pdf
byEarlvonDeiparine1
 
PDF
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdf
byStéphane Nappo
 
PDF
Top 3 security concerns for enterprises
byTaranggg11
 
PPTX
220715_Cybersecurity: What's at stake?
bySpire Research and Consulting
 
PDF
The Evolving Landscape on Information Security
bySimoun Ung
 
iStart - Cybercrime scene investigation
byHayden McCall
 
1. security 20 20 - ebook-vol2
byAdela Cocic
 
Staying Ahead in the Cybersecurity Game: What Matters Now
byCapgemini
 
Staying ahead in the cyber security game - Sogeti + IBM
byRick Bouter
 
20101012 isa larry_clinton
byCIONET
 
Ten Security Essentials for CIOs
byIBM Security
 
40 under 40 in Cybersecurity year 2022.pdf
byDr. Ludmila Morozova-Buss
 
40 under 40 in Cybersecurity 2022. Top Cyber News MAGAZINE
byTopCyberNewsMAGAZINE
 
40 under 40 in cybersecurity. top cyber news magazine
byBradford Sims
 
European Cyber Security Perspectives 2016
byOmer Coskun
 
CRI "Lessons From The Front Lines" March 26th Dublin
byOCTF Industry Engagement
 
Norman Broadbent Cybersecurity Report - How should boards respond
byLydia Shepherd
 
Showreel ICSA Technology Conference
byInstitute of Chartered Secretaries and Administrators
 
10 security problems unique to it
byIT-Toolkits.org
 
10 security problems unique to it
byIT-Toolkits.org
 
INFORMATION ASSURANCE AND SECURITY 1.pdf
byEarlvonDeiparine1
 
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdf
byStéphane Nappo
 
Top 3 security concerns for enterprises
byTaranggg11
 
220715_Cybersecurity: What's at stake?
bySpire Research and Consulting
 
The Evolving Landscape on Information Security
bySimoun Ung
 

More from Larry Taylor Ph.D.

PPTX
Fundraising social media masterclass
byLarry Taylor Ph.D.
 
PPTX
Social Media Overview
byLarry Taylor Ph.D.
 
PPT
IPA (Inst Public Admin) Annual General Meeting 2010
byLarry Taylor Ph.D.
 
PPT
Social media academy larry taylor
byLarry Taylor Ph.D.
 
PDF
2010 Bt Innovation Case Study
byLarry Taylor Ph.D.
 
PDF
2011 07 12 Mc Kinsey Were All Marketers Now
byLarry Taylor Ph.D.
 
PDF
2011 03 Bt Avaya The Autonomous Customer Report[1]
byLarry Taylor Ph.D.
 
PDF
2011 07 12 Mc Kinsey The Future Of Marketing
byLarry Taylor Ph.D.
 
PDF
Social Impact Of BT in UK and NI
byLarry Taylor Ph.D.
 
PDF
BT Transfromation: Crisis Or Catalyst White Paper
byLarry Taylor Ph.D.
 
PDF
Clouds, Crowds And Customers
byLarry Taylor Ph.D.
 
PDF
Nicola Millard - Futurologist
byLarry Taylor Ph.D.
 
PPTX
Dublin Web Summit - Social Marketing
byLarry Taylor Ph.D.
 
PDF
Csarn 19 May 2010
byLarry Taylor Ph.D.
 
PDF
Security And The Future Generation Presentation Ciso Orlando April 2010
byLarry Taylor Ph.D.
 
PDF
The Psychology Of Security Bruce Schneier
byLarry Taylor Ph.D.
 
PPT
Social Media cascade
byLarry Taylor Ph.D.
 
Fundraising social media masterclass
byLarry Taylor Ph.D.
 
Social Media Overview
byLarry Taylor Ph.D.
 
IPA (Inst Public Admin) Annual General Meeting 2010
byLarry Taylor Ph.D.
 
Social media academy larry taylor
byLarry Taylor Ph.D.
 
2010 Bt Innovation Case Study
byLarry Taylor Ph.D.
 
2011 07 12 Mc Kinsey Were All Marketers Now
byLarry Taylor Ph.D.
 
2011 03 Bt Avaya The Autonomous Customer Report[1]
byLarry Taylor Ph.D.
 
2011 07 12 Mc Kinsey The Future Of Marketing
byLarry Taylor Ph.D.
 
Social Impact Of BT in UK and NI
byLarry Taylor Ph.D.
 
BT Transfromation: Crisis Or Catalyst White Paper
byLarry Taylor Ph.D.
 
Clouds, Crowds And Customers
byLarry Taylor Ph.D.
 
Nicola Millard - Futurologist
byLarry Taylor Ph.D.
 
Dublin Web Summit - Social Marketing
byLarry Taylor Ph.D.
 
Csarn 19 May 2010
byLarry Taylor Ph.D.
 
Security And The Future Generation Presentation Ciso Orlando April 2010
byLarry Taylor Ph.D.
 
The Psychology Of Security Bruce Schneier
byLarry Taylor Ph.D.
 
Social Media cascade
byLarry Taylor Ph.D.
 

2010 6 Things u need 2 know in 2010 Whitepaper Final

  • 1.
    February 2010 IT Security Sixthings you need to know in 2010
  • 3.
    Contents 1 Executive summary Page2 2 Introduction Page 3 3 Cyber crime Pages 4-5 4 The insider threat Pages 6-7 5 Post-recession exodus Page 8 6 Social media in the workplace Pages 9-11 7 Security in the cloud Pages 12-13 8 Enterprise cloud use Pages 14-15 9 The BT offer Pages 16-17
  • 4.
    2 Security concerns areat the heart of pretty much every aspect of networked IT services today, but are the real security questions being addressed? Do CIOs and CEOs suffer from a translation problem when assessing and developing solutions for the potential threat? And has the incentive during the recession been to sweep the big issues under the carpet? This white paper looks at the six things a CEO should be asking his CIO in 2010, and the answers he should be looking for to ensure his enterprise capitalises on any easing of the global economic downturn. It also turns each of the six issues on its head and defines what the CIO needs to be saying to the CEO to ensure the IT function performs optimally in the year ahead. This paper offers practical guidance to both audiences on the security issues likely to be making headlines in 2010. It should be a vital desk companion to CEOs and CIOs looking to foster better understanding of how data and network security affects their organisation. 1 Executive summary
  • 5.
    3 For all thatinformation security is one of the most critical issues facing organisations today, be they a financial institution holding customers’ banking details or a government body holding electoral, health, criminal, employment or immigration data, too often an inability to translate the issue from a technical to a business one gets in the way. Vital facts are lost, as it were, in translation. This paper presents six of the biggest security topics that CIOs, CSOs and CEOs should be discussing – urgently – in 2010. And it does so in an attempt to break down this barrier, acting as a straightforward guide to the problem, the situation as it stands and the solutions available. BT Global Services has decades of experience helping major international organisations protect themselves and their customers from the ever-present threat of information loss or attack. This paper is aimed at spreading just some of that experience around. We hope it is useful and that you get in touch if you have any questions at all. In 2010, three things, at least, are certain. One: information security will be better than last year, which was better than the year before, and so on, because the technologies to counter threats are evolving every day. Two: conversely, the security of information – corporate, commercial and personal – will come under more threat than ever before as the increasing importance of data makes it the battleground over which an ongoing fight between those who would steal or misuse it and those who would protect it is becoming ever more fraught. This ‘arms race’ between hackers and IT security professionals can only escalate. Three: the issue of information security will become more and more of a mainstream topic, discussed in mainstream newspapers and on mainstream television channels. Already, Google’s decision to cease its censorship in China due to suspicious attacks on data held on its servers has been one of the biggest news stories of the year. Against this backdrop of increasing complexity and a rising public profile, CIOs, CSOs and CEOs will meet around the board table to discuss the security issues facing their organisations: issues that have never been more important, or more challenging to understand, let alone to address. Yet they will meet around those tables hampered by a simple yet very real barrier: language and awareness, or lack of it. 2 Introduction
  • 6.
    1. http://transcripts.cnn.com 2. http://www.conservatives.com 3. http://www.alp.org.au 4. http://technology.inquirer.net 5. Datamonitor research commissioned by BT: Threatening Skies: Risk in the Global Economy, 2008 And the war is escalating. Why is this? Firstly, the world, and particularly the business world, is more globalised than ever before. Secondly, that same world is more networked than ever before. It is more reliant on technology, partly because so much business is now conducted over huge distances and partly because so much business is now data-driven and computer-dependent. The result is a very modern transmutation of the age-old phenomenon of “industrial espionage”, which has been around since the dawn of commerce. Spying on, stealing or sabotaging the data of another organisation – be it a commercial enterprise or a national government – gives you anything from competitive advantage to economic and military superiority. And there is a worrying acceptance of the problem. More than half of executives in developing regions themselves admit that the threat of international cyber-espionage, hacking or web fraud is more likely to come from a source located in a developing economy such as (but not limited to) Russia, India, Brazil or China.5 What’s the problem? Globalisation is leading to a new “cyber cold war”. Google’s decision to cease its censorship of content in China after attempts to hack into its servers was just the latest in a series of similar events in recent years. Issues such as this have long been considered at a serious political and diplomatic level. As far back as 2002, in fact, the FBI announced its “number three” priority was protecting the United States “against cyber-based attacks and high-technology crimes.”1 Since that time, the problem has grown exponentially. In May 2009, US President Barack Obama announced he would create a new White House office of cyber security, with that cyber czar reporting to the National Security Council as well as to the National Economic Council. Other countries have been quick to follow suit. According to a policy paper on national security published in January 2010, the Conservative Party, widely expected to form the next UK Government, plans to establish2 a Cyber Threat and Assessment Centre to counter online attacks against the UK. In the same month, Australia opened the Cyber Security Operations Centre3 following a year in which its defence computer networks were attacked by about 220 “security incidents” every month, with another 220 targeting other government systems. In the Philippines, a new cybercrime Bill has been passed this year4 . Together, all this paints a picture of a very modern battlefield, one that itself exists “in the cloud”, with skirmishes being fought daily over data carried via the internet and networks. 4 3 Cyber crime 100 % 80 60 40 20 0 Brazil China India South Africa Yes No Don’t know Do you believe that the threat of international cyber-espionage (hacking, web fraud etc.) is more likely to come from a source located in a developing economy such as (but not limited to) Russia, India, Brazil or China? Is cyber crime a real danger for this organisation?  CEO
  • 7.
    5 The very languagewe use is also a problem. The term, “cyber-crime”, leads us to forget that the data still starts and ends with a physical machine, and so the physical threat is frequently overlooked. You can have the best technology in the world, but it won’t help if your office cleaners are easily able to smuggle information out of your building on a data stick. Ultimately, what is needed is a combination of good corporate policy, married to effective technology. Far too often, we see one without the other and, in 2010, this is not good enough. Practical advice 1. Check physical security. Ensure that your technology, facilities management and human resources departments, at the very least, are talking to each other. Any external suppliers with access to your building should be properly vetted. 2. Ensure you have the appropriate technology in place and that it is set up correctly: software-based anomaly detection, located in the network, coupled with solid firewalls at your data centre end. 3. Link this up with effective policy adherence – rigorous testing, monitoring, recording – such as is demanded by ISO 27001 (BS7799) the Information Security Management System (‘ISMS’) 4. Ensure that policy is in place for follow-through: detecting and countering an attack is one thing. You need to be able to trace it and build up the chain of evidence so that, should you ever need to take someone to court, there is a proper chain of evidence. This means your IT people need to be trained to log dates and times properly, and your legal department will need to be involved to ensure your policies adhere to privacy laws. Can we protect ourselves? The question being asked in boardrooms is “can we truly protect ourselves against the next generation of hacking? Or is damage- limitation the best we can hope for?” Providing reassurance is a tricky thing, because companies involved in providing security solutions need to be transparent and responsible with their claims. So let us be very clear, here, from the outset: there is no easy panacea to this problem. There is no single product or service that can be plugged in and means your data is safe. It means companies need to sit up and take this problem seriously at a senior level and not relegate it to a nuts-and- bolts IT services issue. Yes, but don’t expect technology to solve the problem on its own Firstly, it is vital to recognise how the very nature of globalisation has altered the challenge. Once upon a time, a virus detection programme could easily check IP addresses linked to a PC or server, spot any beginning 85.xxx, recognise that this was going to China, for example, and block the address. Today, of course, most international companies will be sending and receiving legitimate data packets to and from China daily – suppliers’ details, product data, order information. So modern software has to learn what activity is legitimate and what is not before it begins to run effectively. This is hugely powerful, but the understanding of the process is not always there. Too many organisations, erroneously, think they have this activity covered as soon as they’ve installed the new kit. Just because suspicious activity has not been detected does not mean that it’s not going on. It’s a growing threat, and one we must confront  CIO
  • 8.
    6. http://www.softcat.com/files/pdfs/TheThreatsEnglish.1.pdf What’s theproblem? The ‘insider threat’ is, unfortunately, a growing one. According to research from McAfee, 75% of website defacement is the result of an internal job and 68% of data theft is internal.6 The threat from within covers three main areas: • Genuine mistakes – people leaving a machine unencrypted and vulnerable (see cyber crime, above), or sending the wrong email, possibly with sensitive data attached • Lack of awareness of security policies – people naively allowing leakage of sensitive data • Deliberate – someone unhappy with the company, maybe having been made redundant, and taking revenge: deleting billing records, for example, or stealing information that can be sold to competitors or used to gain advantage in his next job. Can we protect ourselves? Again, the problem arises less from technology and more from policy and, often, simple human error and forgetfulness. Most organisations today simply could not exist without computerised data and the internet and private networks that allow it to be shared. Data is everywhere, in digital form, and the proliferation of easy ways to store and transport it, from laptops and USB sticks to iPhones, iPods and just sending it via personal email, makes keeping it within your building a daunting task. Source: McAfee, ‘The Threat From Within’ 6 4 The insider threat Security Softie: European League Table Do employees let friends/family use their work computer to access the internet at work or home? European Average: 21% Italian employees: 42% Most Lax French employees: 23% British employees: 21% Spanish employees: 16% Dutch employees: 14% German employees: 12% Least Lax Is our information safe in the hands of our people?  CEO
  • 9.
    7 use or pluggingpersonal iPods into computers, for example? If you manage a call centre, do you have a policy on cameras? People can just as easily take photos of customer data on screens as download to a stick. Policy is nothing if people don’t know about it. You must communicate with your employees, be transparent about your rules on the above and why they are there. This means ongoing training and awareness, so that line managers know how to keep their teams adhering to policy. At the heart of that policy should be access rights: who has access to what data? You need to get the balance right, giving people the access to the information they need, with enough leeway to be able to innovate and do their job. But full administration rights to all data are rarely appropriate for the entire workforce. And, above all, remember to cancel outgoing employees’ access rights, which includes their key fobs, passwords remote log in usernames and so on. Follow this up with change management controls. If a new item of software, a new database, for example, or a new security patch is being installed, don’t let any one programmer have the right to unilaterally change the code or the application. The change should be verified by two or more people. Finally, encrypt your data. It is incredible how many organisations in 2010 do not save sensitive data in an encrypted format. Most software applications – even mainstream ones, such as Microsoft Office, support strong encryption. Practical advice Simple – remember PEACE: Policy, Education, Access, Change management and Encryption. Yes, if you remember PEACE Accessing all that data can be as simple as logging on to a computer and browsing a directory or folder structure on the server or as complex as entering multiple usernames and passwords, some static and others dynamic, generated in realtime by technologies that are now part of everyday working life, such as key fobs and remote login tokens. Countering the insider threat starts with policy. What is your organisation’s policy for information security, personal email Gadget Geek European League Table What percentage of employees admit to owning at least one personal gadget to connect to the office PC? European Average: 51% French employees: 56% Most Lax Spanish employees: 54% British employees: 51% Italian employees: 49% Dutch employees: 48% German employees: 48% Least Lax What percentage of employees connect devices at least once a week to the office PC? European Average: 52% Italian employees: 56% Most Lax Spanish employees: 53% Dutch/French employees: 52% British employees: 47% German employees: 46% Least Lax With the right internal policies and practices, we can ensure it is safe  CIO
  • 10.
    8 7. http://www.reuters.com/article/idUSTRE57Q0OA20090827 8. http://bit.ly/5F9XGS;http://bit.ly/6o1SFL; http://bit.ly/5URQQ5 Yes, but exit management strategy is key The solution requires that you implement the steps discussed above, without delay. If you think your organisation is vulnerable to a sudden and simultaneous exodus of employees, you must put an immediate focus on getting your exit management processes up to date – there is no way of knowing when this dam might burst. Practical advice 1. Ensure that everyone leaving is individually aware of his or her responsibilities. 2. Involve your HR department now, so that they are able to provide a double check (along with your technology people) that physical access tokens and key fobs have been returned and deactivated or reset. 3. Your tech department should, of course, make sure that all usernames, logins and passwords to company data are cancelled. What is it? Research from a variety of countries and sectors indicates that a considerable number of employees are waiting for the global recession to end before moving jobs. In the US, one in five workers plans a switch when the economy improves, according to a December 2009 survey.7 In the UK, similar surveys predict that anything from one in three to half of employees will move once the economy stabilises.8 Many people, runs the argument, have stayed in the same position for the past two years, with no promotion, pay rise or bonus and possibly with pay cuts or reduced hours. Whatever the true figures, the notion that there is a dam waiting to burst seems valid. Can we protect ourselves? Essentially, this is the same question as the previous one – just on a bigger, simultaneous scale, and therefore with a sense of urgency that relates to the current economic environment. If and when these people begin their exodus en masse, they will pose a unique form of insider threat (see insider threats, above), potentially removing commercially sensitive (for you) and useful (for them) information from your organisation, on an unprecedented scale. 5 Post-recession exodus Are we protected when people leave the organisation?  CEO Exit management is critically important for information security  CIO
  • 11.
    9 9. http://journals.naspa.org/cgi/viewcontent.cgi?article=1953&context=jsarp What’s theproblem? The internet phenomenon that is social networking has been one of the most talked-about security topics of the past two or three years. As soon as it became apparent that people were using their work as well as their personal internet connections to log on to external sites to share information – and, potentially, data – organisations began voicing their concerns. The worry was, and still is, that sites such as Facebook and Twitter might at best reduce people’s productivity and at worst pose a threat to information integrity. Of particular concern has been the theory that the incoming generation of employees, reared on the internet and potentially blasé about security, will pose a major challenge for management. Generation Y refers to a specific cohort of individuals born from 1981 to 2000 (according to Harvard Business School), while others mark the beginning of Generation Y in 1978 or 1981 (Wikipedia). All sources agree, however, that the majority of Generation Y free time is spent living an online lifestyle. They are sometimes referred to as ‘Digital Natives’ (as well as Generation Z or the iGeneration). Fig 1. Which generation are you? In a survey of university students in the US by Junco and Mastrodicasa (2007)9 , still the most up to date study of its scope in this age group: • 97% own a computer • 94% own a mobile phone • 76% use Instant Messaging (15% logged on 24/7) • 34% use websites as their primary source of news • 28% author a blog and 44% read blogs • 49% download music using peer-to-peer file sharing • 75% of university students have a Facebook account • 60% own some type of portable music and/or video device such as an iPod 6 Social media in the workplace 1981-2000: Generation Y 1965-1980: Generation X 1946-1964: Baby Boomers 1922-1945: The Veterans
  • 12.
    10 Fig 2. Wheredoes Generation Y spend its time? Source: Ewan McIntosh (http://edu.blogs.com/) So, is there a risk? This stems from a fear of the unknown. Generation Y uses a different vocabulary, follows a different culture, has different demands, demonstrates a high speed of learning and has different expectations. They push the boundaries of older management. But is this a threat? The pace of change in terms of new media and social networking tools will frequently continue to outstrip our ability to check for technical security threats and counter them. The convergence of external and internal applications will proceed at pace and, certainly, the risk of data leakage is a very real one as people (of all generations, but particularly younger employees) increasingly blur the boundaries between their public/private and personal/professional lives. That said, the longer organisations spend debating the threats, the higher the danger that they will fall behind the curve when it comes to exploiting opportunities Maybe, but the benefits outweigh the dangers The social web is a driver of change and change can be scary. There are challenges – and solutions – for implementing social networking tools and using them safely in the workplace while demonstrating business value and creating an environment for young talent to grow and want to stay with your organisation. Are organisations being hypocritical? For example, many businesses exploit Facebook for recruitment and looking at individuals, advertise on Second Life to sell to the younger generation and use Twitter to research trends and social patterns to exploit for marketing opportunities. The trick is to help people manage the fuzzy boundaries between their public/private and personal/professional lives. It is a challenge – but not a threat. Secret Spaces Mobile, SMS, IM Participation Spaces Marches, Meetings, Markets, Events, etc Publishing Spaces Livejournal, Blogger, Flickr, Photobucket, etc Group Spaces Bebo, Facebook, Tagged, etc Watching Spaces Television, Gigs, Theatre, etc Performing Spaces Second Life, World of Warcraft, Home, etc Should we stop people using Facebook and Twitter?  CEO 6
  • 13.
    Fig 3. Managethe fuzzy boundaries At their heart, social networking sites are about collaboration and sharing ideas. Both of these things are the very lifeblood of innovation and organisations must find a way of embracing rather than banning them. 11 Properly managed, these new ways of communicating present an opportunity  CIO Practical advice 1. Make the tools available. You can’t – or at least will find it increasingly difficult and counter-productive to – stop people using tools that they have grown up with, that are so ingrained into their way of life. 2. Divorce management issues from the equation. For example, worrying about whether employees will ‘waste time’ chatting on Facebook is only a modern incarnation of worrying if they’ll ‘waste time’ chatting at the water cooler. Motivating people and optimising productivity is a management issue, not a security one. 3. It is possible to make any web-based tool secure, with the right technology, the right training and the right level of awareness among the workforce. And so, again, education is key: • Make your security policy on social networking usage relevant to your Generation Y employees. Listen to them, engage, and participate. • Never say no! They will just go round you. • Embrace the younger generation’s needs – it will accelerate innovation. • As with any other application, layer up the technology to ensure that data is encrypted and secure, and that access controls to sensitive information are appropriate to the user. Public Personal Private Political/ professional
  • 14.
    12 10. Gartner Inc. PressRelease, “Gartner EXP Worldwide Survey of Nearly 1,600 CIOs Shows IT Budgets in 2010 to be at 2005 Levels”, 19 January 2010 The delivery of services via the cloud has been one of the most talked- about subjects in IT circles for the past twelve months, but only in 2010 has it made it onto the boardroom agenda. After a slew of articles on the cloud in the worldwide business press in 2009, the business implications of the cloud are beginning to filter through to non- technical experts. And CIOs are responding to this growing awareness of the importance of the cloud. According to the Gartner Executive Programmes’ 2010 CIO survey10 , the top three technology priorities cited by CIOs are virtualisation, cloud computing and web 2.0, while the top business priorities are business process improvement and reducing enterprise costs. In the current climate, the ability to deliver better IT services for less chimes with business leaders’ own objectives. The idea of upgrading technology without significant capital expenditure is finding fans both among CIOs, but also CEOs and CFOs. BT Global Services’ recent Enterprise Intelligence research reveals an interesting disconnect between CIOs and CEOs, with nearly half CIOs (44%) saying they believe they deal with information that is too sensitive for the cloud, but only a third of senior executives saying the same. The implication is that it could be CEOs urging a move to the cloud in 2010, with CIOs offering a note of caution. Do cloud benefits outweigh risks? Many of the risks associated with cloud services are grounded in who controls what. The ability, or lack thereof, to transfer control and risk relating to data to third parties is critical. Recent research by the EU Network and Information Security Agency (ENISA), to which a crack team of BT’s security experts contributed, reveals that the biggest security concerns associated with the cloud are corporate data confidentiality, privacy and the integrity of services and/or data. These three issues are major ‘deal-breakers’, and if they cannot be addressed completely, enterprises will find it difficult to move to cloud architecture. On the other hand, the benefits of moving to cloud architecture are potentially huge: significantly reduced capital expenditure and fixed costs; increased agility thanks to the rapid provisioning and de-provisioning of resource; faster return on investment thanks to pay-as-you-use commercial models; the availability of services to a mobile workforce; unlocking business opportunities by removing previous barriers to entry; theoretically more robust business continuity (see the next section for a more detailed discussion of business continuity in the cloud). Cloud security requires strict policies and planning Cloud services are extraordinarily diverse, and there can be no one- size-fits-all approach to security. Just look at the software-as-a- service offered by major names like Microsoft, Google and Salesforce. com, and compare them to infrastructure-as-a-service from Amazon, IBM or BT. These are very different propositions and require different security policies and controls. The solutions that are most likely to provide enterprise-level stability, security and usability will comprise federations of best-in-class 7 Security in the cloud Is it safe to move into the cloud?  CEO Agreeorstronglyagree 500 5 10 15 20 25 30 35 40 45 CIO caution: “Our information is too sensitive for the cloud”
  • 15.
    13 solutions provided viaa mixture of in-house ‘private’ clouds and third-party ‘public’ clouds. Such a ‘hybrid’ approach has the potential to confer huge benefits on enterprises in 2010, while ensuring the specific risks are mitigated. Thus, data covered by Sarbanes-Oxley or other legislation can be retained and delivered to end IT systems users within private clouds. Similarly, publicly accessible material, such as marketing material that can be downloaded from websites, can be stored and delivered at minimal cost via a third-party public software- as-a-service solution in a public cloud. The best advice is to lock horns commercially with multiple cloud service providers and ensure your security policy and requirements are built into their offerings. Practical advice 1. Research the market. All the providers of cloud services, whether delivering software, infrastructure or platform solutions offer different services with different service level agreements and security features. Selection of the right services is an essential first step. 2. Federated solutions may be more bespoke and robust. Using a selection of different services – including a self-managed private cloud – to build a bespoke solution can ensure cloud services are more aligned with your business needs. Increasingly, federation will become an essential part of building bespoke cloud services, meeting security and risk demands, adding transparency and increasingly providing secure collaboration between trusted parties. 3. Prepare for cloud culture. The automated interface of many cloud services can feel alien to IT departments used to dealing with people within supplier organisations. Procurement, legal or commercial teams can also find the pay-as-you-go contracting model of cloud services demanding. Take these teams with you if you opt to strategically source services from the public cloud, otherwise they may become strategic barriers. 4. Regularly seek independent audits of cloud operators’ offerings, to ensure they are still the best in class and best fit for your needs. The cloud can be safe, secure… and financially attractive  CIO Legislation Covering Data Data protection legislation often prevents the transfer of risk from one corporate entity to another. For example, both Sarbanes-Oxley and the UK’s Data Protection Act require the company looking after data to remain entirely responsible for it. Legislation also presents jurisdictional challenges. For example, cloud providers are typically forced to locate data within a specific territory, usually the client’s own country, which hinders the benefits and flexibility of their service offerings. Under such stringent conditions, the data-owning party would need so much control over how the data is stored and used, that the benefits of cloud storage of data or computing resource could be lost.
  • 16.
    14 Availability – atthe heart of security A sophisticated service that delivers significant value to its users remains worthless if it is not consistently available. When considering the security of cloud services, availability is one of the biggest single issues. There are multiple challenges here: how does cloud architecture impact availability levels during periods of normal service; how much can the cloud help or hinder availability when an organisation needs to rapidly scale up or down key services; and what impact does the cloud have on an organisation’s business continuity strategy? The bottom line for most organisations today is that non-availability of services costs money through impacted productivity and sales, lost customers and damaged reputation. The strategic challenge for cloud providers is how to transfer the risk of downtime from enterprises seeking to adopt cloud architecture. We have already shown that some risks cannot be transferred, for legislative reasons (see the previous section). But it is, theoretically at least, possible to offset some of the concerns of enterprises by committing to strict service level agreements. How can we maintain service levels in the cloud? This is where federators of cloud services can add value, not only by bolting together services to create bespoke solutions, but providing security wraps and service level guarantees that potentially exceed those of the third party cloud provider alone. The lessons learned in the design and deployment of high availability infrastructures is critically important for cloud providers, and there is evidence that some are not yet applying sound engineering design. Those with an infrastructure heritage are leading the way here. While elasticity of service is one of the core features of cloud architecture, and scaling up and down does not affect availability, business continuity – in particular, disaster recovery – offers its own challenges in the cloud. Under a traditional business continuity model, all data stored on dedicated – and probably self-managed – servers is routinely duplicated and stored on a mirror server at a distinct location, in case of a disaster. Under cloud architecture, however, the location of servers is not necessarily a fundamental aspect of service provision, which makes ensuring data is copied to a remote location a challenge. This is mitigated by the fact that, increasingly – mainly for reasons of data protection legislation – cloud providers’ customers stipulate in which region or territory servers, and therefore data will be physically located. 8 Enterprise cloud use Can we guarantee our customers world-class service in the cloud?  CEO
  • 17.
    15 Practical advice 1. Understandhow resource sharing occurs within your cloud provider – if you require significant scaling-up of provision at the same time as other users of the same cloud, it may risk breaching the capacity of the cloud provider, and therefore affect availability. 2. For infrastructure-as-a-service and platform-as-a-service in particular, a cloud provider’s patch management policies and procedures have significant security impact so ensure the patching policy is documented. 3. The cloud provider’s technology architecture may use new and unproven methods for failover, so verify what they use for disaster recovery. 4. Understand how your cloud provider deletes ‘old’ data, particularly on the cessation of a contract. This is an area that requires greater transparency. The cloud can boost business continuity The cloud architecture should theoretically be more resilient than the traditional model, because with proper planning, instances of failover – automatically switching to an alternative network upon failure – should become more integrated. By intelligently backing-up data, access to a cloud service can be maintained, even with parts of the infrastructure out of action. Getting this right – and demonstrating they have done so – is the challenge for cloud providers. Accidental data deletion may become a thing of the past if automatic data retention policies – currently adopted by of some of the major cloud service providers – become standard. At present, some providers say they will never erase any data at all, but merely archive it. It will be interesting to see what recovery techniques are developed over the years, as the volume of data grows, and maintaining data catalogues becomes increasingly complex. It is also important that deletion of data upon cessation of contract remains a major technical challenge and even more so in the infrastructure re-use model being adopted by cloud providers. Correctly deployed, we can drive customer and employee benefits from the cloud  CIO
  • 18.
    16 Managed Vulnerability Scanning,powered by BT Counterpane BT MSSG offers two levels of Managed Vulnerability Scanning service to meet customer needs. BT partners with Qualys for service delivery. • The Full Service option is for companies interested in leveraging BT’s expertise and experience to manage their scans and tightly integrate them with BT’s infrastructure. BT’s scans can be scheduled to suit your needs on a weekly, monthly, or unlimited basis. • The Self Service option is for companies preferring to self-administer their scans and wishing to take advantage of additional features of the service, including asset classification and remediation management. Both service options provide flexibility in scheduling scans and defining internal and external targets including address-specific or address- range coverage options, and conditional start-stop time boundaries. All scan reports are correlated across data from vendors as well as data from BT MSSG’s proprietary correlation engine. Executive summaries and detailed scan reports are available 24x7 via the BT MSSG Portal. Managed Log Retention, powered by BT Counterpane Managed Log Retention frees customers from the log and security management burden while enabling them to achieve federal and industry compliance, reduce total cost of ownership, and benefit from best practice guidance on risk management with swift responses to security incidents, compliance inquiries, and internal threats. As the authority on enterprise security, BT’s Managed Security Solutions assure customers’ business continuity, improved compliance, and protection from financial loss. Leveraging our experienced professionals and state-of-the-art security solutions, BT delivers comprehensive protection and real economies of scale and efficiencies of cost. BT’s Managed Security Solutions Group’s (MSSG) portfolio of managed security solutions provides customers with the industry’s most complete, single-source enterprise security solution. Our rich heritage in Managed Security has earned us the trust of customers. Our foundation in real-time internal network and host-level protection is augmented by managed internal and external network protection services, including: Managed Security Monitoring, powered by BT Counterpane BT’s managed security monitoring service combines a team of disciplined security experts, a rigorous process for incident detection and response, and best-of-breed technologies to provide information- driven organisations with immediate feedback regarding the efficacy of their network’s security – in real-time. Our security monitoring is the business solution that empowers enterprises to reduce liability, improve information safety, and facilitate audits. Device Management, powered by BT Counterpane Device management focuses on proactively implementing configurations in the best interests of the customer so that devices are always providing maximum protection and surveillance. That’s why BT’s MSSG SLA offers unlimited changes to devices when they are initiated by BT. This includes new signatures and updates from the vendor and configuration changes BT MSSG recommends based on observations from hundreds of networks and thousands of devices around the world. 9 The BT offer
  • 19.
    17 Ethical Hacking BT’s EthicalHacking services enable customers to protect their networks, information assets, and corporate reputations by identifying vulnerabilities before they can be exploited. Our security experts will identify vulnerabilities, provide recommendations to remediate identified issues, and help improve their security posture. BT proprietary testing methodologies and techniques yield high quality results that will help customers optimise their security infrastructure. • Application Testing – Reviews the logic structure, code, methods of access and authentication mechanisms of your web-based applications • Network Testing – Provides external and internal vulnerability and penetration assessments, VPN vulnerability and penetration tests and an analysis of VoIP within your environment • Wireless Security – Identifies weaknesses and vulnerabilities specific to your wireless infrastructure • System Hardening – Tests for over 1,000 network-level vulnerabilities within your current network configuration • War Dialing – Identifies unauthorised modems that provide access to your network and then attempts to exploit your network through illicit devices For more information on BT Managed Security Services and how they can make your organisation and your customers more secure and risk-resilient, please visit bt.com/globalservices or contact Ray Stanton (ray.stanton@bt.com)
  • 20.
    Offices worldwide The servicesdescribed in this publication are subject to availability and may be modified from time to time. Services and equipment are provided subject to British Telecommunications plc’s respective standard conditions of contract. Nothing in this publication forms any part of any contract. © British Telecommunications plc 2010 Registered office: 81 Newgate Street, London. EC1A 7AJ Registered in England No. 1800000. PHME: 59516