Security on a shoestring: How to get more for less in a recession

According to the PricewaterhouseCoopers 2010 Global State of Information Security Survey, despite the recession, “global leaders appear to be ‘protecting’ the information function from budget cuts – but [are] also placing it under intensive pressure to ‘perform’ ”. So the problem is not that there is massively less money for security, but that there is massively more pressure to get greater benefit from the same money.

The primary drivers for this are increasing legal, compliance and regulatory demands on the one hand, and the increasing sophistication of cybercriminals on the other. Put simply, business is being forced to get more value out of its security department; and that’s what we’re going to discuss here: how to get increased security without increasing costs.

For ease, we’re dividing our cost-saving options into three categories: basic measures (that should be available to everyone); intermediate measures (that might be suitable for SMEs); and radical measures (that might be more suitable for corporations and government).

Basic measures

Ask your vendors for a discount: Don’t rely on getting one; but you might strike lucky if you look around. Top tier companies are likely to be unsympathetic, but second-tier companies need to try harder.

Cloud vendors will be more flexible because they don’t have fixed hardware and packaging costs to pass on. Optenet is an example. “What we’re doing”, says Omar Aguirre, general manager of Optenet, an integrated SaaS provider, “is keeping our prices at the same level they were last year, but adding extra functionality to the products, such as IDS/IPS, additional web filtering features, an agent for end point anti-malware, and bandwidth management. It means our customers are effectively getting the new features for free”. This is important, he says, because although user budgets are holding up, they are certainly not increasing.

“Repeat business is OK, but we’re having to try harder for new business”, says Aguirre. “Because of the recession, we’re offering discounts for multi-year deals.”

Explore free software options: If relevant, use the free versions of AVG and Zone Alarm, Spybot and Ad-Aware to protect your desktops. Evaluate GPG (a free version of PGP) for email encryption; look at TrueCrypt for disk encryption. For the network, explore the Snort IDS (but bear in mind you will need in-house technical security skills to configure it well).

Webmasters should look at the new free service from Qualys − QualysGuard Malware Detection − which trawls websites looking for malware. “Website poisoning [and concomitant drive-by hacking] is becoming such a dominant issue on the web that we decided to offer this as a free service to help the industry”, explains Qualys CEO Philipe Courtot. This won’t stop your website from being poisoned, but it will let you know very quickly if you have been. Early remedial action will then stop you from infecting your visitors; and since it’s free, you have no excuse not to use it.

Expand your security awareness programmes: “I am convinced”, says William Beer, a director in the OneSecurity practice at PricewaterhouseCoopers LLP, “that security awareness hasn’t had enough recognition within the industry in terms of the value it can give. A good awareness programme can offer a very significant amount of value – good bangs for the buck, if you like – and could theoretically turn your entire workforce into part of your security team.”

“Humans are the best hacking tools”, adds Garry Sidaway, director of security strategy at Integralis. “We still open emails, we still click on links.” It is the purpose and effect of a security awareness programme to blunt that hacking tool.

This is a view also shared by Richard Harrison and Rupert Chapman of PA Consulting, who view the challenge of compliance as an opportunity for change. “Security awareness”, they say, “shouldn’t be just about the staff.” You must demonstrate to the marketing manager that brands can be destroyed, and to the legal department that fines will be levied over security failings. “When you’re educating the Board in security awareness, don’t talk about security. Talk about risk management, which is something they understand and are concerned about.” When the Board is security aware, the company will be security aware – and you haven’t spent a penny.

Check your configurations: Make sure you are fully patched, and always upgrade to the latest versions. Patching will close existing vulnerabilities, while new versions are invariably and inherently safer than older versions. “Users need to maximise the value of their existing infrastructure”, says PwC’s Beer. “Are all the features turned on? Are there any available upgrades? Are the different systems working together? Use your logs to see where improvements can be made.”

Ed Rowley of M86 Security, a web gateway and email content security company, has an example. “We have some clients who bought and still use the old Marshal products, principally for anti-virus and anti-spam detection. But many don’t realise that just by turning on some of the existing default rules they could give themselves PCI compliance, and block a load of zero-day threats without spending any more money.”

Intermediate measures

There are two routes that could be taken to save money. The savings would not be immediate, but could be achieved within 12 months; that is, within a single budgetary period. These routes could be combined, or taken individually. They are cloud computing and virtualisation, and they apply best to mid-range SMEs (they are not really relevant to micro businesses), with large corporations most likely being already well advanced in these areas.

Use the cloud: “Our view”, says PA Consulting’s Harrison, “is that cloud computing is useful in four areas: where you’ve got an on-and-off demand, such as big batch jobs that need a lot of computing grunt but for a finite time; when you’re growing quickly; when you need the agility and flexibility of the cloud to handle unexpected peaks; and for the predictable peaks such as seasonal sales.” In these areas, using the cloud can save substantially on costs, but many people worry about security.

“[This is] unfounded”, adds Chapman. “I take the view that these cloud companies are concerned about security day in and day out. They have greater experience and expertise, and are more secure than most enterprises. Concern about cloud security is really just FUD (fear, uncertainty, and doubt)”, he explains.

There are other areas where cloud services are specifically aimed at providing greater security at less cost. These are SaaS (Software as a Service), or Security as a Service. One such vendor is Webroot. “The advantage of SaaS in a recession”, says EMEA managing director of Webroot, Mark Tickle, “is that you get a reduced cost of ownership with an SLA-guaranteed level of service: no viruses at less cost, for example.”

Virtualise: Virtualisation is the second option in this category. Without going into the technology involved, it allows you to consolidate multiple separate servers into a much smaller group of integrated servers. This is where the cost savings occur: less floor space, fewer physical machines to own and operate, lower power costs and easier maintenance.

Rhys Sharp, chief technology officer at SCC UK Services is an enthusiast. “If you start at the beginning of a budgetary cycle, you should achieve cost savings before the end of the year”, he claims. He sees two particular areas where security is likely to improve.

“Firstly, it allows you to improve security through a greater level of containment around the virtualised systems. And secondly, since all VM technologies on the market provide better disaster recovery and high availability capabilities, virtualisation provides greater security of service as a free by-product of the process.”

Radical measures

In the final analysis, it doesn’t matter what security steps you take: firewalls can be and are breached, passwords are hacked, and data is lost. Ultimately there is only one security device that carries any certainty of being effective in this regard: high-grade encryption. But taking this route requires a paradigm shift in attitude.

The greater part of the security industry is currently built on the basis of protecting the territory on which information resides: ring fencing the servers, patrolling the disc drives, defending the communications channels. Encryption is virtually unique in defending the data itself. And if the data is secure, it is no longer so important where it resides or how many, if any, walls are built around it. “Encryption”, says Integralis’ Sidaway, means that “data is the new perimeter. It doesn’t matter where the data is so long as you have the two principles of obscurity around it and strong access into it.”

This is a principle that is actively being developed by several major security vendors, and the most advanced product currently on the market is probably the Unisys Stealth Solution. The idea is that all data is encrypted and that access to different security levels is provided by different workgroup keys. Access is thus controlled by who you are rather than where the data is, which then becomes effectively irrelevant (meaning you can consolidate multiple separate networks into a single network).

Additional security is provided for data in motion by using the Shamir (the ‘S’ of the original RSA) key-splitting technique. The effect of this is to split data in motion into separate slices and move them across the network by different paths. The overall result is that you achieve greater security at less cost within a single budgetary year – which is exactly what we set out to demonstrate in this article.