Did your business just walk out of the door?
Date: Saturday , March 31, 2007
For years, organizations’ security efforts focused on shoring up network perimeters. These days, the focus has expanded to protecting sensitive corporate data from insiders—trusted employees and business partners—who might either maliciously steal or inadvertently leak information.
Think about all the ways we move and store data on mobile devices: USB ports, which support a multitude of portable storage devices, including flash drives, portable hard drives, printers, and music and video players; FireWire, PCMCIA, serial and parallel ports, CDs/DVDs, tape drives and even the lowly floppy drive. Add unprotected WiFi, Bluetooth and Infrared (IrDA) connections. Portable storage media is indeed an end user’s dream, but a security manager’s nightmare.
With increase in number of devices within the enterprise network, the number of ways in which information can leave an organization, has increased dramatically. There are many ways, not just the email, through which data can be leaked. Today’s mobile workforce can steal or lose sensitive data quickly and without detection, from a software developer sneaking out gigabytes of valuable source code on his iPod or USB or he can setup a secure http session and take out the data in an encrypted format.
There are several instances where data is flowing out of the network without anyone’s intent. The spyware, which an executive downloaded without knowledge, might be shipping sensitive data out of the enterprise. “Extrusion Detection or information leakage is one of the prime security concerns,” says Anil Chakravarthy, Vice President, India Technical Operations, Symantec Corporation.
More than ever before, employees are plugging laptops into networks remotely, putting companies at risk for viruses, worms and spyware. Guests, consultants and suppliers running unmanaged PCs compound the risk. The rise of the mobile workforce has put the spotlight on endpoint protection.
Hayath Mohammed, Business Development Manager-Security, Cisco India & SAARC talks about the overarching embedded security, wherein the host will not be permitted into the network unless there is a right posture. Cisco’s Network Admission Control ensures that the threat is contained and remediated before providing admission into the network.
Like Cisco’s solution, there are dozens of products that claim to solve this problem by making sure laptops and other endpoints are virus-free and otherwise secure before allowing them onto the network. Without a doubt, endpoint security is one of the top challenges facing the enterprise today. In fact, strengthening endpoint security is one of the top identity and access management-related challenge.
There are instances when genuinely data has to be shipped out. To that end, many place a priority on identity and access management issues in 2007.
In the past, Identity and Access Management solutions facilitated in providing only one identity for a given person for all things in the enterprise. There were no consolidated products that could do the identity management for all the resources in the enterprise. Today, the same individual plays different roles in the organization across different types of business workflows. “Today’s identity solutions need to capture enough information about the individual and then provision that information for different types of business workflows in the enterprise,” says Rajeev Shukla, head of Security Business Practice at CA India.
It’s hard to get a good snapshot of an organization’s security posture when you’ve got to pore through countless logs from disparate sources and then make sense of it all. That’s why security information management (SIM) has become increasingly popular. In a nutshell, these systems automate the process of looking through logs. They normalize and store data, correlate it, help produce effective reports, issue alerts, and do forensics.
And in this age of regulation, organizations need this added visibility into network, systems and application activity. The aftermath of corporate scandals and data breaches has spawned a host of regulations such as Sarbanes-Oxley, GLBA and HIPAA with which organizations must comply. Compliance is one of the biggest drivers of the SIM market.
However, the SIM products which are there currently give you enough visibility in terms of what sequence of events are happening. They don’t give you information about how certain security policies are getting violated or not complied to and how do you act upon those events. The next generations of SIM products are focused on facilitating policy enforcement and actionable information provision for users. “The earlier the customers get an understanding of security violations, the faster they can transform these violations into actionable information,” says Shukla.
While SIM evolves, hackers, those trying to gain unauthorized access to computers and computer networks, are busy finding new hacking techniques. Attackers today are not going for the old style programme where they would write a program to wipe out your REGISTRY keys or breakdown one section of your hard drive. Today, hackers release malicious code, which is a combination of computer viruses and worms, working in tandem. Current computer threats are capable of significant damage to systems and data, but are often hard to place in a single category, such as a virus, Trojan or even hacker exploit. Thus, these threats are combining to create a new type of computer security concern experts are calling “blended threats.”
Inter Playing Remedies
Blended threats use multiple methods and techniques to propagate or attack, often combining attributes from hacking, computer-worm and denial-of-service attacks to exploit known vulnerabilities. As a result, blended threats can spread to large numbers of systems in a very short time, causing widespread damage very quickly.
The fact is that, you cannot isolate the threat using antivirus, anti-spam, anti-spyware, or anti-phishing as stand alone products. Let’s say, you receive an email, which directs you to a bank website. Upon confirming your account, a piece of spyware automatically gets downloaded into your system. It opens a new port and establishes contact with a remote server. The firewall in place could not catch this action because the port was opened from the inside. “Look at where it started and where it ended. You cannot distinguish spam from phishing to spyware to zombie—that is what we call blended threat,” says Chakravarthy. “Earlier for the attackers it was all about destruction or vandalism. Today it is about targeted attacks.”
Since blended threats use multiple methods and techniques to propagate and attack, businesses need to employ integrated, multi-tier solutions that offer protection at the gateway, server and client tiers and incorporate antivirus, intrusion protection and firewall capabilities. Most major security vendors offer integrated security solutions that are designed and tested to work together, minimizing potential gaps in security coverage.
To put it explicitly, for traditional and established threats, it was sufficient for the IT executive to focus on perimeter security. Protection against advanced intrusion and hidden type of intrusion is considered to be critical. Today, we see that at the enterprise network level anti-spyware, internal traffic monitoring, and network forensic tools have taken dominance over simple security products. In future many of these areas (firewall, anti-spyware, anti-phishing) need to inter play.
Today, all these pieces operate fairly isolated. If you have one product for network forensic and other for intrusion detection, these two products don’t necessarily talk. “There are not many vendor shops left to offer single unified protection platform against complete threat. Over a period that consolidation has to happen. Customers buying number of point products buying is going down,” Shukla observes.
Birth of New Security
Jefferey Berger, Vice President of Engineering at RSA Security agrees that it is not about securing the end points. It is about securing the information. “There is shift from just deploying point solutions to look at information as the primary focus to be secured,” he says.
Niranjan Maka, Director - RSA Security’s India Development Center observes that security is becoming part of the infrastructure. “This is where the merger of EMC and RSA Security makes sense,” he argues. Security as a function does not operate in isolation. The security solution should work in conjunction with the infrastructure. At the end of the day, IT management from infrastructure or security point of view would be seamless for the customer.
“The approach we have today of point solutions will not be there two or three years down the lane,” reiterates Shukla. Eventually, customers will not believe that there is perceptible value in those point solutions. Market quickly figures out acquiring those point solutions is expensive proposition from maintenance and, sustenance point of view.
Going forward, it appears that there will not be any stand alone security company. With customers demand integrated solutions, we will see more of IT infrastructure players providing security solution.
Symantec’s decision to merge with Veritas two years ago may have been unexpected, but the strategy has been ratified. Symantec’s decision to merge with Veritas was made once it became clear that consumers wanted more than a “straight security solution”. We are seeing key players in the industry following the Symantec strategy and starting to bring storage, availability and security together as an offering: EMC and RSA, IBM and ISS, NetApp and Decru.
The IBM-ISS deal and others, including EMC’s purchase of RSA Security and the Symantec/Veritas merger, says Sarah Gates, Sun’s vice president of identity management and Web services, show how IT vendors are realizing the importance of serving their customers and demonstrating that they can do this in the most secure way possible.
“People think cars have brakes so you can stop, but they have brakes so you can go fast,” Gates says. “We used to have security so you could lock things down, but now we have security so companies can open things up and move more things online in a way that’s appropriate for them.”
Today, PCI, Sarbanes-Oxley, HIPAA, SB 1386 or other regulatory mandates have made it obvious that the cost of weak data security is greater than the implementation of strong controls.
IT systems are deeply embedded in initiating, authorizing, recording, processing and reporting of financial transactions. Hence almost all financial reporting processes in an organization are driven by IT systems. As a result of their tight linkage to the overall financial reporting process, IT systems need to be assessed for their compliance with the Sarbanes-Oxley Act (SOX). Most organizations regularly test the internal controls within their IT organization to ensure secure and continuous operation of their entire information systems in order to mitigate risks with financial reporting. Such controls are typically derived from COBIT control processes and when implemented, not only reduce IT related risks in financial reporting, but also form the basis for good IT Governance. In many industries, companies also need to assess their IT systems against security frameworks such as ISO17799 to ensure compliance with federal regulations such as GLBA, and HIPAA.
“Most companies have implemented limited bottom-up automation infrastructure for control test automation through point solutions. However lack of top-down approach to IT Audit and Compliance, along with lack of a single system of record, makes the entire process very Disorganized,” says Shankar Bhaskaran of Metric Stream.
While complying with stringent regulations, the organization has to ensure that access to all sensitive data lie with core group of people. OS every organization needs to come up with access control policy and leverage security tools to comply with internal policies.