Eric D. Brown, D.Sc.

Data Science | Entrepreneurship | ..and sometimes Photography

Tag: Security

The challenge of Mobility and Enterprise Security

First it was laptop computers, now it’s tablets. The enterprise is getting more mobile, and IT groups have to find ways to make sure security keeps up.

This mobile world has always brought challenges to the IT group. While IT worries about security and management of these mobile devices, the business is concerned with productivity and efficiency. The IT group is looking for ways to make sure security isn’t compromised, while the business is looking for ways to make sure the travel schedules of its employees don’t compromise their productivity.

While the IT group’s focus and the business’ focus may seem completely opposed, they really aren’t. Most organizations already have some form of security suite in place that manages mobile device security, covering everything from physical security and anti-theft technologies to data protection, with mobility in mind.

To address security in the mobile world, multiple aspects of security must be considered. Everything from physical security to data security must be planned for and managed. This planning starts at the machine level, with technologies that help manage and protect the computers themselves, such as Intel® vPro™ Technology, which adds chip-level security and management capabilities. Paired with management software like Dell’s Management Console, which is closely integrated with Intel® vPro™ Technology, IT groups can deploy mobile devices that are both more secure and more manageable.

If a device is lost or stolen, the first line of defense against data theft and improper access is proper authentication on the missing device. That can be as simple as a sound password policy or as involved as hardware tokens that generate one-time codes employees must enter to log in. Note that a login prompt alone only holds if the data on the disk is also encrypted; otherwise the drive can simply be pulled and read from another machine. These kinds of controls are well known and widely used…but there are other approaches that are less well known.

Dell provides multiple authentication options on their business class laptops using technology like their ControlVault technology for authentication, laser etching on systems for identification and management systems that provide options of remote data deletion if a machine is lost or stolen. These help IT groups ensure proper security is in place on mobile devices.

Being more mobile doesn’t have to mean being less secure. Quite the contrary: the move to a more mobile world has forced IT, vendors and suppliers to find new methods of keeping security front-and-center on mobile devices. This lets IT groups keep their focus on security while the business keeps its focus on letting employees get their jobs done regardless of where they are.

Mobility and security can go hand-in-hand if approached with proper planning, the right management applications and systems, and the right partners in place, like Dell and Intel®. Partners like Dell and Intel® let organizations embed security protocols and systems as far down in the system as possible, using technologies like Intel® vPro™ Technology and Dell’s ControlVault technology.

This is a paid post in conjunction with IDG, Dell and Intel®.

Staying flexible in a complex world

This post sponsored by the Enterprise CIO Forum and HP.

Complex can be good. Processes can be complex and still work just fine.

Complex is often the answer.

But staying flexible in a complex world is one of the toughest things a CIO and IT Professional can do.

Enterprise Security is complex…as it should be. Take a look at a risk model from the Enterprise CIO Forum in a post titled Information Security Risk Model: Switch Lenses by Gideon T. Rasmussen. In that post, Gideon provides a very complex model for risk. He defines a risk model as:

…a useful tool for defining how a security function identifies and mitigates risk. This article explains how to document your current risk model, evaluate its effectiveness and plan for changes to better mitigate risk moving forward.

Go read that article and you’ll see complex…but it’s complex because it has to be. Security is complex. Risk Management is complex.

The key is to take that risk model (or any risk model) and implement it so that this complex model and process has flexibility for new services/data.

The ability to remain flexible is key. We in IT know our jobs are complex. We tend to tell everyone that will listen that our jobs are complex. But…we usually have a hard time being flexible. We tend to say ‘no’ very quickly because we know that saying ‘yes’ will lead to more work and more complexity.

In the realm of Enterprise Security, processes and systems are complex for a reason. They have to be…there are a ton of moving parts to get right. That said, while focusing on the complex, those responsible for security must also remain flexible and ready for change. We see new platforms, new data and new products come around daily…and we need to be flexible enough to incorporate the ‘new’ into the complex.

As IT professionals today, we have to stay flexible for these changes. We can’t just say ‘no’ to new data and platforms in the era of data.

The key question…how do we provide our complex services and processes in a world where flexibility is key?  How do we secure our data platforms when we have new data and platforms created daily?

Image Credit: flexible wooden sheets by SNIJLAB on flickr


Education – the key for Enterprise Security

This post sponsored by the Enterprise CIO Forum and HP.

You’ve spent years and millions of dollars on your IT Security systems, processes and people.

Your systems are as impenetrable as you, your team and your partners can make them.

Your processes are amazing.  They follow all the industry standards and your audits always come back 100% ‘secure’.

You and your team sleep easy at night knowing you’ve done everything you can to keep the boogeyman out.

But…in the blink of an eye, and against all odds it seems, you find a hacker sitting smack dab in the middle of your organization’s systems.

What happened?

Your systems were perfect. Your processes were perfect. It’s inconceivable that a breach could occur on your watch. Right?

Well…anyone who’s been in the IT business for more than a few months knows that no system or process is perfect and there’s always risk. Our job is to mitigate risk. We’ll never eliminate it completely, but we can do our best to minimize it.

While we in IT spend many hours/days/weeks/years thinking and dealing with security issues, we rarely go outside our ‘realm’ to talk to the rest of the organization about the importance of security. Sure, we build a document / webpage describing how important security is but do we really educate the rest of the organization on what it really means to be ‘secure’?

Do we go out of our way to talk to everyone about the importance of security? Do we train people on the dangers of Social Engineering?   Have we educated ourselves on the dangers of security in the social world?

In today’s world, where being ‘social’ is the new norm, social engineering is more of a threat than it has ever been. With the ability to interact in real time with people from all over the world, an attacker has more channels into the enterprise than ever.

Imagine your company has a Facebook page.

Someone sends a message to your marketing intern that says “hey…this is Bill from the London office…I’ve lost access to the Facebook page…can you add me again as an administrator?”

Your intern, trying to be helpful…and knowing full well who “Bill” is and that he is supposed to have access to the Facebook page, immediately responds and adds “Bill” to the page.

Ten minutes later, the intern tries to access the Facebook page but no longer has access.   He contacts “Bill” via company email and finds out that he is on vacation for the next month.

Looks like your Facebook page just got taken over.

This is a pretty simple example but one that can easily happen. A hacker targets an organization and finds a way in….it doesn’t take much to do this.  Sure, in this example, the hacker isn’t “inside” but they do have access to a very important piece of your organization’s marketing platform.


Christian Verstraete recently wrote a post titled Keeping Cloud in mind when you look at your security where he wrote:

As our world is getting increasingly integrated, and as social media is used by enterprises to reach their customers and prospects, we need to train our people to ensure they are watchful for social engineering. According to Wikipedia, social engineering, in the context of security, is understood to mean the “art of manipulating people into performing actions or divulging confidential information.” While it is similar to a confidence trick or simple fraud, it is typically trickery or deception for the purpose of information gathering, fraud, or computer system access. In most cases the attacker never comes face-to-face with the victim.

Emphasis mine.

Social engineering comes in all forms: email, instant message, social networking, phone and in person. Have you ever found someone walking the hallways of your organization without proper ID or any notice of their arrival? I have…and it’s unsettling to know that they could have found an unlocked computer and started plugging away at your systems.

Security policies and controls help against attackers who take on the IT systems head-on…but attackers rarely do that.

Jim Harris points to a book titled Social Engineering: The Art of Human Hacking (amazon affiliate link) by Christopher Hadnagy as an example of what people are doing in the Social Engineering space. Jim quotes Hadnagy as saying:

“While software companies are learning how to strengthen their programs,” Hadnagy explained, “hackers and malicious social engineers are turning to the weakest part of the infrastructure — the people. The motivation is all about return on investment. No self-respecting hacker is going to spend 100 hours to get the same results from a simple attack that takes one hour, or less.”

Emphasis mine.

No amount of money or technology will stop social engineering. It can slow things down for sure. But…education will go just as far (or further) to help put the brakes on social engineering attacks.

Christian Verstraete finishes up his post by writing:

Pro-actively define your security strategy. Decide what an acceptable risk level is. Choose and implement tools and procedures accordingly and train, train, train your employees. Believe me, this may cost you money, but it will be a factor less than if your security is breached. Just think about the damage to your brand if you are compromised.

Emphasis mine.

Train your employees. Not just the IT employees…but everyone. Teach them what Social Engineering means. Teach them that just because someone asks for something, it doesn’t mean they should get it.  Finally…one of the best methods to combat Social Engineering attacks is to teach your people these three words: Trust but Verify.

That intern in the above story…he could have trusted “Bill,” but a quick email to Bill’s work address, looked up in the company directory rather than taken from the message, would have stopped the Facebook attack cold.

Educate everyone in the organization to Trust but Verify.  Education is expensive but should be looked at as another line-item toward securing the organization.  You’ve spent millions on the technology…spend a little bit more to educate your people.

Image Credit: the no-wall door By ghirson on Flickr


Xendow – Overcoming Cloud Storage Security Concerns?

I’ve been a long time user of Dropbox…I love that service.

That said, I don’t put anything in my Dropbox folder that I wouldn’t mind other people seeing…because I really don’t know who is on the other end of Dropbox and what they may do with my data. Mind you…I don’t think Dropbox or their employees would actually do anything without reason…but the ability to do ‘something’ bothers me a bit.

With that in mind, it did bother me to see reports about stalkers and subpoenas. Again…I’m not too worried about that, but everyone should know that these issues exist. For more on them, take a look at this post: 7 Scary Things About Dropbox, Google Docs and the Cloud at Large…some good points there.

With these issues in mind, I was happy to see a new project named Xendow.   Normally, I’d overlook things like this until I could find more details, but in this particular instance I’m friends with Magnus – one of the gurus driving this project – and I’m excited to see what this turns into.

A description of the new service is:

Xendow will let you simply and easily use cloud services like Dropbox to store, sync and share your data but you will stay in control of who can read your data. Xendow will safely encrypt your data in the cloud but keep the encryption key in your control. With Xendow, none of the employees of Dropbox or their partners or even Xendow will be able to view your data. With Xendow, you’ll be able to share data with confidence knowing that at any time you can remove access to read the data.

If they can deliver on this, and deliver it really well, this will be an awesome service. In addition to Magnus driving this, it’s also backed by Credant…a big name in the data protection space.
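To make the description above concrete, here is an added example of the scheme it sketches, written for this page in Go with the standard library’s AES-256-GCM; it is not Xendow’s or Credant’s code. Each file is sealed under a random data key that never leaves the client, that data key is wrapped once per recipient, and the storage provider only ever holds the resulting blob. Revoking a recipient rotates the data key and rewraps it for those who remain. For simplicity it assumes every recipient already shares a 256-bit wrapping key with the owner; a real design would wrap the data key to each recipient’s public key instead.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob is everything the storage provider ever sees: ciphertext and wrapped keys, never a usable key.
type Blob struct {
	Sealed      []byte            // nonce || AES-256-GCM(dataKey, file)
	WrappedKeys map[string][]byte // recipient -> nonce || AES-256-GCM(wrapKey, dataKey)
}

// randBytes returns n bytes from the OS CSPRNG; a failing CSPRNG is not something to recover from.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal returns nonce||ciphertext under a fresh random nonce; it fails only for a key of the wrong length.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // NewGCM only errors for non-16-byte block sizes; AES is always 16
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; the GCM tag check makes it fail on a wrong key or any modification.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // same reasoning as in seal
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("sealed data too short")
}

// Encrypt seals the file under a fresh data key and wraps that key once per recipient.
func Encrypt(plaintext []byte, recipients map[string][]byte) (*Blob, error) {
	dataKey := randBytes(32)
	sealed, err := seal(dataKey, plaintext)
	if err != nil {
		return nil, err
	}
	b := &Blob{Sealed: sealed, WrappedKeys: map[string][]byte{}}
	for name, wrapKey := range recipients {
		if b.WrappedKeys[name], err = seal(wrapKey, dataKey); err != nil {
			return nil, err
		}
	}
	return b, nil
}

// Decrypt unwraps the data key with the caller's wrapping key, then opens the file.
func Decrypt(b *Blob, name string, wrapKey []byte) ([]byte, error) {
	w, ok := b.WrappedKeys[name]
	if !ok {
		return nil, errors.New("no wrapped key for " + name)
	}
	dataKey, err := open(wrapKey, w)
	if err != nil {
		return nil, err
	}
	return open(dataKey, b.Sealed)
}

// Revoke rotates the data key and rewraps it only for the remaining recipients;
// just deleting an entry would leave the old data key, which the revoked party may have cached, valid.
func Revoke(b *Blob, owner string, ownerKey []byte, remaining map[string][]byte) (*Blob, error) {
	plaintext, err := Decrypt(b, owner, ownerKey)
	if err != nil {
		return nil, err
	}
	return Encrypt(plaintext, remaining)
}

func main() {
	// Constructed sample: alice owns the file, shares it with bob, then revokes him.
	keys := map[string][]byte{"alice": randBytes(32), "bob": randBytes(32)}
	blob, _ := Encrypt([]byte("board deck, not for the provider's eyes"), keys)
	rotated, _ := Revoke(blob, "alice", keys["alice"], map[string][]byte{"alice": keys["alice"]})
	_, err := Decrypt(rotated, "bob", keys["bob"])
	fmt.Println("bob after revoke:", err)
}
```

One caveat the description glosses over: revoking access stops a removed recipient from reading anything uploaded after the key rotation, but it cannot claw back a copy of the plaintext, or of the old data key, that they already downloaded. That is why Revoke rotates the key rather than merely deleting the revoked entry, and why "remove access at any time" really means "from now on".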

Things are looking interesting. Now…if I can just get an invite…

2011 State of the CSO

This post sponsored by the Enterprise CIO Forum and HP.

The 8th Annual CSO Magazine State of the CSO report was released last month, and I finally got my hands on a copy. Thanks Colin!

Sidenote: Nice timing on finding this report since October is Cyber Security Month….read more on getting prepared for Cyber Security Month in Jerry Bishop’s recent Enterprise CIO Forum post.

The 2011 State of the CSO report outlines the results gathered from 229 respondents during a survey in March 2011.

Some key highlights from the survey:

  • Fewer than two-thirds of security professionals believe their organization’s employees are trained on security-related topics
  • Only 35% of respondents believe their organization’s employees consider security to be part of their daily responsibilities
  • Nearly one-third of respondents plan to add staff to the security function of the organization
  • Roughly 38% of respondents are planning an increase in security in the coming year
  • 64% of respondents agree that senior management views security and the security leaders as important, permanent and strategic
  • More than 60% of respondents believe that senior leadership is placing more value on security and risk management

Some interesting responses, but not surprising to me. I’m not a security pro at all, but I would think that most organizations are focusing a good deal of effort and budget on improving both IT and physical security throughout the enterprise.

One aspect that I found interesting is the section focused on the current and future trends that will most affect the security profession. The responses were:

  • 26% of respondents point to ‘ubiquitous data’ as having the largest impact on the security profession
  • 21% believe technology as a service will have a large impact
  • 20% believe that Gen Y and Millennials entering the workplace will have a considerable impact on the security profession

Some interesting results there. Ubiquitous Data, defined by the survey as the ability for users to have constant access to data and services, is getting closer to being a reality for all organizations.

To grab a copy of the 2011 State of the CSO Report, jump over to CSO Magazine and sign up for access.

Image Credit: Security By edleckert on flickr


Enterprise Risk Management Survey

I recently ran across a survey by Accretive Solutions (formerly Horn Murdock Cole, Dickson Allan, BF Consultants, and CFO Service) discussing the results of an Enterprise Risk Management Survey commissioned by Accretive Solutions and conducted by Harris Interactive.  The results aren’t necessarily surprising but are interesting.

Before we get to the results, for those that aren’t sure what Enterprise Risk Management (ERM) is, it is defined by Accretive Solutions as:

Enterprise Risk Management is an ongoing, company-wide process designed to identify, communicate, evaluate, analyze, address and monitor risks. It extends far beyond financial statements and accounting policies to include strategic, operational and compliance risks. A partial list of risks that fall under the purview of an effective ERM plan includes fraud, supply chain and business continuity plans, changes in the competitive landscape, IT security, changing compliance and regulatory requirements and personnel risks, including the potential for unethical behavior.

Some interesting results from the survey are (emphasis mine):

  • Thirty-nine percent of respondents to this survey of Executive-level decision-makers at Fortune 1000 companies labeled IT Security as their number one worry over the coming twelve months
  • Among IT Security threats, breaches via compromised wireless connections were chosen by 14 percent of respondents, while 12 percent chose hackers, and 10 percent chose stolen hardware.
  • At the same time that IT topped the list of likely headaches, it was also the number one functional area where executives reported seeing a shortage of talent, far outpacing needs in accounting, finance and taxation.

Interesting results…especially the third one. Perhaps this is good news for good IT folks out there?

