Companies leap to new web and mobile technologies leaving security behind

17 June 2009

Companies are embracing new web and mobile technologies such as cloud computing, virtualisation, social networking and mobile communication at a faster rate than their information security strategies are updated.

In a survey released by RSA, the security division of EMC, more than 80% of security leaders said risks are being overlooked as cost and revenue pressure rises. The study, which was conducted by IDG Research Services, revealed “a significant gap between the speed at which … organisations are adopting new connectivity, collaboration and communication technologies and their readiness to deploy them securely.”

The IDG Research survey, As Hyper-Extended Enterprises Grow, So Do Security Risks, of 100 top security executives at companies with revenues over $1 billion, showed that over 70% believe escalating levels of connectivity and information exchange powered by new web and communication technologies, such as cloud computing and virtualisation, are transforming their organisations into hyper-extended enterprises.

While the majority have increased their use of virtualisation, mobility and social networking, and a third have increased their use of cloud computing, many of the respondents admitted to not having adequate strategies to assess the risks involved in adopting these technologies.

For example, less than half have developed security policies for employees regarding the use of social networking tools and sites.

Another major finding is that over 80% were concerned that pressure to cut costs and generate revenue has increased their exposure to security risk, with over 70% having experienced a security incident in the last 18 months.

New security strategies needed

RSA has also published a study from its Security for Business Innovation Council on how to adopt new strategies for making the leap to new web and mobile technologies without compromising information security.

Charting the Path: Enabling the “Hyper-Extended” Enterprise in the Face of Unprecedented Risk is based on in-depth conversations with the Security for Business Innovation Council, and offers seven steps to face the information security challenges that come with these new technologies:

  • Protect data more efficiently by taking a risk management assessment approach;
  • Security teams must focus on the quality and efficiency of their services and be able to articulate the value they provide – i.e. make sure they are competitive with external security providers;
  • Instead of blocking the use of new technologies, security teams should enable secure use by establishing a roadmap for the business to adopt new technologies;
  • Shift from protecting the container to rather protecting the data itself;
  • Adopt advanced security monitoring techniques moving away from techniques such as signature-based anti-virus and blacklisting to more “accurate techniques such as behaviour-based monitoring and whitelisting”;
  • Collaborate to create industry standards; and
  • Share risk intelligence.

Is the security industry complacent about the new risks?

Andrew Moloney, EMEA marketing director at RSA, told Infosecurity it is not necessarily about complacency: “It’s more just a factor of the times we find ourselves in.”

“We’re going through an unprecedented level of change in the economy and in demands being placed on businesses to find more efficient methods of working. And at the same time, there’s an emergence of new technologies, which offer the ability to do that. The issue at the moment is that we have got out of step, from a security perspective, with the demands of the business. So less complacency and more business pressures driving us toward adopting these new technologies perhaps faster than otherwise done, because rather than these technologies being about technology for technology’s sake, they offer very clear returns on the bottom line and business is driving adoption of technology.”

The security implications of not keeping up to date with the use of new technologies could be severe, and the risk landscape is not a straightforward one.

Moloney said security is being affected by a combination of exponential growth in the amount of digital data being created and the fact that this data is no longer necessarily stored within the four walls of a company, but in the cloud, on a personal device or with a business partner.

“This leads to heightened risk around information and fundamentally a new strategy is required in order to protect that information”, Moloney commented.

Asked how companies can protect their data, Moloney told Infosecurity that a relatively new type of security technology can identify and classify data.

“Using data loss prevention technologies, we can now make the process of seeking out the information we care about and then apply a policy to that information in real time. That policy could be around restricting access, it could be monitoring its flow, it could be around enforcing encryption policy, for example, or even enforcing deletion after a certain period of time, so you’re not holding on to information you don’t need.”

“It is about holding policies on the information you care about as opposed to forming a strategy of trying to secure everything”, he added.

Moloney believes a behaviour-based monitoring approach could be an important part of a security strategy: “If you monitor behaviour, it’s very difficult for fraudsters and criminals to evade that, because behaviour will always catch you out.”

Commenting on the call for an industry standard on securing new web and mobile technologies, Moloney mentioned ISO 27001 and ISO 27002.

“Those standards prescribe a risk-based approach to defining security strategy and security control, and risk analysis is at the crux of an effective security strategy because risk is a fluid concept. Attack vectors change, and fraud techniques change, and so your risk assessment will constantly change and evolve as well. The standards would say do the risk assessment, but it’s the risk assessment that prescribes the right strategy – it’s having a comprehensive and common strategy around, for example, risk assessment.”

The RSA report also called for sharing of risk intelligence. Infosecurity notes that stock-listed companies could be reluctant to share such information openly, but Moloney said there are already such systems in place that do not expose the victim’s identity:

“We run something called the e-fraud network, and the e-fraud network is essentially an anonymous information sharing service which interconnects all the fraud detection systems that we operate in financial institutions around the world. It’s the software that’s sharing the information with the counterparts around the world, but it’s doing it anonymously.”

For example, if the Bank of America is attacked, Barclays knows within minutes that there is a potential threat out there.

Moloney stressed, however, that the underlying message of the reports is not about deploying the right security technology but about having appropriate strategies, which in turn have to be linked to the business’s own strategies.

As Roland Cloutier, vice president and CSO at EMC Corporation, was quoted as saying in the RSA report: “Security officers have to be out there explaining to other executives and senior people in the company how they’re going to approach the move to the cloud, and the risks associated with moving faster than they’re able. And if the business wants to move faster, you better have an answer about what resources you’ll need to get it done faster, because if the business asks you ‘Well, how we can get it done faster?’ and you say, ‘I don’t know’, you’re going to be a former CISO.”
