The blueprint for secure BYOD

Tom Murphy, CMO, Bradford Networks • February 21, 2012

Bring-your-own-device (BYOD) quickly made the jump from industry trend to business imperative, and organizations are now feeling the pressure to open their networks to employee-owned devices. Unlike corporate-issued devices that are well-managed and under IT's control, this new BYOD initiative introduces a unique set of security challenges that require a balance of flexibility, visibility and security. Looking for a turnkey solution to BYOD, many organizations are turning to vendors that don't necessarily offer complete security, leaving sensitive corporate data vulnerable to attack.

In order to ensure holistic network security with a BYOD policy, organizations need to consider all parts of the BYOD ecosystem, including mobile device application development, mobile device management (MDM) and network access control (NAC):

Mobile device application development

Simply put, organizations need to make sure the apps people use on their mobile devices come from a trusted, reliable source, such as an app store. While not perfect, app stores and the like are among the safest places to download apps – you know the apps have been tested, have integrity and are of high quality. Taking this step provides a strong building block for the rest of the blueprint.

Mobile device management (MDM)

MDM provides IT with the ability to monitor the activity of each device deployed across mobile operators, service providers and enterprises by tracking and managing the data and applications of each individual phone and/or tablet. MDM solutions can provide the following:

  • Remote device management, using encryption and passwords
  • Remote OS patching and/or upgrades
  • Remote install or removal of applications
  • Full-disk or folder-level encryption
  • Remote locking or wiping of lost/stolen devices

Network access control (NAC)

NAC tracks and secures the network access of all endpoint devices that try to reach a corporate network. These endpoints include (but are not limited to) PCs, laptops, servers, printers, IP phones, medical devices, POS devices and, in a BYOD environment, smartphones and tablets. NAC technology can automatically identify and profile every device and every user on a network, providing complete visibility and control. NAC can also enable IT departments to automatically differentiate between corporate and personal assets and provision network access accordingly, ensuring the correct access policy is applied to each device. In a hospital setting, for example, a doctor's personal iPad may be able to access patient data, while devices used by the administration staff to check patients in and out may have limited access to the network.

In order to fully embrace BYOD, IT managers need to consider all facets of the BYOD blueprint, as successful BYOD strategies will use a combination of these technologies to enforce the overall policy. With all three technologies, devices are protected and network access is determined by device (and/or by user) based on corporate policy. IT gains a holistic view of devices and users across the network as well as the ability to automatically provision access accordingly – giving control back to IT managers and freedom of choice to employees.


Building your security policy

Devin Anderson, director of product management for security suite, LANDesk • February 15, 2012

Complete endpoint security can no longer be ignored and a “good enough” security strategy is no longer good enough. Historically, building a complete and integrated endpoint security program was too often at the bottom of an IT manager's list, or something that was viewed as too costly or “a project for next year.” But in today's world, we are constantly reminded of the criticality of endpoint security as more companies are breached and hacker groups announce their latest ploys on a daily basis.

The nature of threats is changing too. No longer are hackers simply targeting random individuals just for fun with a mischievous attack. Instead, hackers are now part of organized initiatives (or even foreign governments) working to exploit your company's and its customers' data for financial gain and to wreak havoc on your business. In addition, attack vectors are more complex than ever – often employing multiple types/styles of malicious code to attack end-user systems.

In short, today's threat environment is extremely daunting – whether you're a small start-up or a large enterprise. And the myriad point products and odd security vendor solution mash-ups in the marketplace don't make matters any easier. However, there are several pieces of functionality that you should look for in order to arm yourself with a unified threat management strategy.

  1. Know who/what/where. Your security policy should be fluid based on the type of end-user and their environment. The ability to adjust security settings based on users' job functions and environment (i.e., the corporate network, an end-user's office or an airport) is a basic concept every security policy should employ.
  2. Couple AV. Contrary to popular opinion, AV is not dead, but if you use it as a standalone defense, your reputation could be. You must couple AV with additional functionality because as your only defense against malware, AV is wholly ineffective. Rather, it must be integrated with additional, more proactive threat protection solutions.
  3. Patch, patch, patch. Simple in theory, but you'd be surprised how few IT technicians actually follow the process and use the tools needed to be successful here. Perhaps it's due to the fact that while patching is simple in theory, it can become overwhelming if you're talking about doing it on a machine-by-machine basis. Not to mention the fact that complexity can escalate quickly if you have multiple types of platforms and a wide range of applications. But bringing software into the mix changes everything. With an integrated patch management tool, this process is made exponentially easier with far fewer points of redundancy. You can deploy patches to thousands of machines with more efficiency and significantly higher success rates.
  4. Black, White and Grey. Many solutions report to have blacklisting capabilities. But attempting to continuously block every potential threat/application is not realistic in this day and age. You're better off permitting only the good stuff – i.e., pre-approving which applications can run, or whitelisting. You then can monitor application behavior. By looking for potentially harmful activity and pre-approving known applications, you'll achieve a grey area. And in this case, that's a good thing. Better yet, tie the approval to trusted deployment systems and make your life even easier.
  5. It's all in the HIPS. A host-based intrusion prevention system monitors your systems for sketchy activity. It then logs information about this activity, attempts to prevent it, and records the incident. The capability to not only track malicious activity, but to log it enables you to better secure your network and take a more proactive stance in safeguarding in the future – by identifying types of bugs and patterns.

It's a safe bet that your organization will be the target of a breach at some point. You should prepare for the “when” to reduce the “if,” and focus on eliminating the endpoint as an attack vector. While these five basic steps are by no means comprehensive, they will serve as a proper foundation for any IT security policy – be it big or small – and will help safeguard your organization from today's ever-increasing threatscape.


Risk: Security's new compliance

Torsten George, vice president of worldwide marketing and products, Agiliance • February 06, 2012

For many years, complying with government standards and industry regulations was seen as an obligatory check box in the lengthy list of IT security tasks. However, recent changes in the security ecosystem are leading to a rethinking of this approach.

2011 saw a record number of cyber security attacks and associated breaches with very public disclosures including Citigroup, the International Monetary Fund, RSA (the security division of EMC), Lockheed Martin, Google, Sony, ADP and NASDAQ. These attacks are just the tip of the iceberg. Government networks, critical infrastructure operators and the private sector are facing an increasing frequency and sophistication of cyber attacks and breaches of information security – often with discovery after the fact.

Risk-based security

The 2012 Global State of Information Security Survey, which was conducted by PwC and surveyed more than 9,600 security executives from 138 countries, reveals that only 16 percent of respondents believe their organizations are prepared and have security policies in place that are able to confront an advanced persistent threat (APT). This does not come as a surprise, considering three years of budget constraints that led to a degradation in core security capabilities.

Considering the current economic climate and impasse in Congress, a dramatic change in prior years' budget limitations across the commercial and public sectors appears unrealistic; however, the increased threat levels will lead to a budget realignment toward security. Security professionals will be asked not to deploy additional security solutions, but instead to find better ways to leverage existing investments in security tools. The revised objective of many organizations today is to develop a risk-based rather than compliance-driven approach to determining the business' investment decisions.

According to a 2011 survey, more organizations are focusing on managing risk, not just security. In fact, 57 percent of survey respondents had already shifted to a risk-based approach, employing a formal enterprise risk management process or methodology. 61 percent of respondents indicated that they will put even more value on a risk-driven strategy going forward.

This data is complemented by independent market research studies, which show that more organizations recognize that instead of looking at governance, risk, and compliance (GRC) from a centralized perspective, it is more efficient to let business operations drive these efforts, as that is where the organization's risk knowledge resides. In this context, the market sees the emergence of the role of the business information security officer (BISO), reflecting the fact that regional resources are the real subject matter experts when it comes to the risk associated with particular business units.

Making risk visible, measurable, and actionable

The dilemma that organizations are facing is that their current security and vulnerability measures, including perimeter intrusion detection and signature-based anti-malware and anti-virus solutions, are unable to keep up with evolving threats. Often, these security tools operate in silos and are not integrated and interconnected to achieve a closed-loop process and continuous monitoring. Another shortcoming lies in the fact that a majority of vulnerability programs lack a risk-based approach, whereby vulnerabilities and associated remediation actions are prioritized by the risk to the business. Thus, it is often impossible to make risk visible, measurable, and actionable.

However, as mentioned before, real-time risk analysis is essential to optimize business performance and make better investment decisions. Therefore, organizations should explore software tools that are able to aggregate data from existing security tools and information management applications. These tools not only provide advanced reporting capabilities, but also the interconnectivity to ensure that remediation actions can be triggered and followed through easily. At the same time, the tools tie compliance and security automation together, thereby extending traditional GRC capabilities. Leveraging these tools allows organizations to implement a holistic view of security while pursuing automation of the GRC process. This approach is being labeled “security risk management,” rather than “GRC,” and yields the following benefits:

  • Reduces risk by making threats and vulnerabilities visible and actionable; enables organizations to prioritize and address high-risk security vulnerabilities before breaches occur
  • Reduces cost by streamlining processes to leverage automation and reduce redundant, manual efforts
  • Provides reports and metrics to measure effectiveness and efficiency


Security vendors can no longer ignore patch management

Scott Hagenus, VP, strategic relationships, GFI Software • February 03, 2012

Patch management can prevent most of the malware currently exploiting software vulnerabilities, so why isn't the technology being used everywhere?

Part of the problem is the misconception that if you run your anti-virus (AV) software regularly and update the operating system, you are covered. Reality begs to differ. While AV software derails a lot of potentially harmful attacks, it is only one component of a comprehensive security solution. Updating the OS is important, but it doesn't cover holes in applications and browsers that hackers, cyber criminals and other assorted IT malefactors are adept at exploiting.

Simply put, a truly comprehensive security strategy includes automated, centralized patch management software designed to handle a multitude of patches issued by multiple vendors at different times; a system to perform the necessary tests before applying patches; and the tools to conduct software audits on a regular basis. Executing all of this has, for far too long, been a challenge for many small and midsized businesses, and completely out of reach for your average home user.

This needs to change.

The software patching function could be accomplished much more easily for most home and business users if security hardware and software vendors (including AV, firewall, gateway appliance and PC utility companies) integrated patch management into their solutions. It's hard to think of a better fit between complementary technologies, but even though patch management has been available for the better part of a decade, most security vendors still don't offer it among their growing slate of features.

For their part, service-focused companies such as ISPs (internet service providers), MSPs (managed service providers) and RMM (remote monitoring and management) vendors have been successfully integrating patch management into their offerings, thereby taking pressure off their customers to keep systems safe, while also establishing incremental service revenue opportunities for themselves.

Managing a stream of patches

Keeping up with the stream of patches over the course of a year is a daunting task for any IT administrator, let alone your average home user. Vendors follow their own schedules, issuing patches monthly, quarterly or as needed. Microsoft alone issued close to 100 updates last year.

Most software applications and systems nowadays do come with auto-update mechanisms for downloadable patches. However, these updaters operate independently of each other, taking up resources and bogging down systems, and they require users to run them manually. They are time-consuming, requiring application shutdowns and system restarts, so it's easy to see why many users put them off.

Automated patch management solves this problem, and in so doing prevents upward of 90 percent of software attacks, most of which affect home computers. Consider that most botnets – responsible for untold spam, DDoS and phishing attacks targeting corporate networks – are essentially thousands of infected home PCs, and it becomes clear how intertwined corporate security is with the security of the average home user.

There's not only an industry imperative to address here, but there's also a tremendous market opportunity for security vendors to seize.

Six pack of trouble

Think of patch management as a flu shot. Like the flu, computer viruses and malware evolve constantly. Just as your body has to adapt to fight off infection, so does your IT environment. A vaccine helps your body adjust, and that is what a patch management system does for your network.

A recent Center for Strategic and International Studies (CSIS) study made a strong case for patch management. The study, conducted over a three-month period, found that simply applying the most recent patches to six software packages on Windows machines could prevent 99.8 percent of malware infections. The six packages are Java JRE (responsible for 37 percent), Adobe Reader/Acrobat (32 percent), Adobe Flash (16 percent), Microsoft Internet Explorer (10 percent), Windows HCP (three percent) and Apple QuickTime (two percent).

For anybody using a computer or managing an entire network, automated patch management is clearly a tremendous benefit, protecting their systems and data while saving them money. A network free of viruses is, of course, more cost-effective than one requiring remediation after an infection.

Patch management should be a fundamental component of any comprehensive security solution. It's something ISPs, MSPs and RMM vendors understand, though we can't yet say the same for a broad array of other security vendors, who should proactively strengthen their products with integrated patch management to better protect their business and consumer customers.

If they don't, users and service providers should pressure them to do so. If they succeed, it would be a win for everyone.


Scott Hagenus is vice president of strategic relationships at GFI Software. Learn more at www.gfi.com or by sending email to atg@gfi.com.


Lessons on insider threats

Brian Anderson, CMO, BeyondTrust • February 02, 2012

In the past two years, two rogue traders, Jerome Kerviel at Société Générale, and then just recently, Kweku Adoboli at UBS, cost their respective financial institutions more than $9B by making unauthorized trades.

And let's not forget Julian Assange. WikiLeaks gave new meaning to the concept of insider threat by providing a convenient vehicle to empower staff at government agencies and public/private corporations to quickly and instantly hand over their privileged information to the world.

Insider threats are becoming a global phenomenon. Every company in every part of the world is subject to some level of insider threat. And guess what? Insider villains are just as unidentifiable in the U.K. as they are in the United States. They appear just as innocuous in Poughkeepsie as they do in Perth.

Yet despite these costly, high-profile breaches, hacker attacks are far more publicized than insider attacks. Last summer Anonymous and LulzSec attacks splashed news headlines, and undoubtedly more people could name Anonymous than they could Kweku Adoboli.

As I meet with executives of large corporations, they have one request of our company: Keep us out of the Wall Street Journal. Don't let me be the CEO who lost all of my customers' credit card data.

The richness and sensitivity of this information, much of it personal to the consumer, has led to a series of legislative efforts to ensure it is secured. The enactment of Sarbanes-Oxley, PCI-DSS, Basel II and a host of standards throughout the world has emphasized the importance of, and indeed requires, securing the assets of our customers.

Billions of dollars have been spent over the last few decades on corporate information technology security in order to “keep the bad guys out,” but it turns out the bigger threat was, and always has been, found within the network perimeter. The so-called “insider threat” – the trusted employee, contractor or partner – can cost an organization more on a daily and/or per-incident basis than any outside hacker could hope for.

Whether we like it or not, “good people can do bad things” intentionally, accidentally, or indirectly.

If you have employees with excessive privileges or access to sensitive data, then they are at risk of intentionally, accidentally or indirectly misusing that privilege and potentially stealing, deleting or modifying the data. There is a very fine line between intent and action, especially when excessive privileges on IT resources are involved.

In April 2011, a former network security engineer at Gucci America was indicted on charges that he illegally accessed the company's network and deleted documents shortly after he was fired, costing Gucci nearly $200,000 in damages. Using an account he secretly created while working at the company, the former employee allegedly later accessed Gucci's network and deleted virtual servers, shut down storage areas and wiped corporate mailboxes.

Employee terminations are, unfortunately, a necessary evil for corporations. The Gucci America case, and many others like it, calls attention to the importance of having policies and procedures in place to ensure terminated employees no longer have access to company information and resources. Email, network and application accounts must be swiftly deactivated. Employees granted administrative privileges while at the company could also pose an even greater threat. 

Human nature is the weakest link when it comes to the intersection of people, processes and technology. And, all too often it's the tendency of almost the entire IT industry – vendors, analysts and press – to ignore this.

You can't rely on everyone being a saint or competent all of the time. It's not just malicious malcontents intent on destroying the system who can cause havoc, but also the negligent, misinformed and downright nosey who can compromise sensitive data. In most situations it's more often than not the case that such people have far too much privileged access – admin rights on the desktop, the root password on a server – for the role they are required to play.

It would be nice if every villain inside your organization walked around wearing a big sign that broadcasts "bad guy looking to do bad things," but alas it is only in cartoons and movies where you can always find the stereotypical bad guy.

In real-life enterprises, insiders look like you and me – just regular employees doing their job and collecting their paycheck. That's why securing the perimeter within is so important.


Brian Anderson is CMO at BeyondTrust. Brian co-authored the first definitive book on insider threat mitigation with BeyondTrust CEO John Mutch, called Preventing Good People from Doing Bad Things.


Best practices to secure the mobile enterprise

Scott Emo, head of endpoint product marketing at Check Point Software Technologies • January 30, 2012

Mobile devices have infiltrated nearly every aspect of people's lives. The amount of personal and corporate data stored on these devices makes securing the information on the device a priority.

A survey conducted in January 2012 by Dimensional Research explored the impact of mobile devices on information security in corporate environments, noting that 94 percent of companies have seen an increased number of personal mobile devices, such as smartphones or tablets, connecting to corporate networks. Increased employee productivity and mobility are the main benefits for organizations that allow these devices in the workplace, but those benefits come with their own set of risks.

The threats associated with mobile devices can come in many forms, including:

  • Mobile operating system – Every OS, including Android, iOS, BlackBerry and Windows, comes with its own set of security challenges. Threats can originate from mobile apps, the mobile browser, as well as insecure Bluetooth and Wi-Fi hotspot usage.
  • Employees – The lack of security awareness among employees is often the leading factor impacting the security of mobile data. Many employees simply aren't aware of the mobile security risks and the corporate policies associated with mobile devices, such as those governing the storage of corporate data and customer information or access to business applications.
  • Personal mobile devices – The consumerization of IT brings another layer of complexity as more employees want to leverage their personal mobile device for business purposes. While companies begin to accept the “BYOD” (bring your own device) trend, there are significant concerns about the privacy of sensitive data stored on the devices that IT must handle.

The first step businesses should consider when safeguarding against these security challenges is to develop and enforce best practices and corporate policies for the mobile enterprise. These should include a list of approved devices that can access corporate data, the types of data that can be stored on mobile devices and taken out of the corporate environment, which types of mobile apps can be downloaded onto devices, a procedure for the theft or loss of a device, a routine for applying operating system patches, a requirement for mobile passwords, and the capability to wipe a lost or stolen device.

Mobile device usage in the workplace is a trend that has staying power because it un-tethers employees from their offices, allowing them to work more efficiently while on the go. As with any emerging trend, organizations will need to be careful about striking the right balance between mobility that empowers employees and the new security concerns that arise from it.


A closer look at two of today's top security threats

Matt Ulery, director, product manager, NetIQ • January 26, 2012

As an information security professional, there are two security issues that I continually hear about when talking to IT organizations today: protecting against malware and advanced persistent threats (APTs), and securing data in virtual and cloud environments.

Advanced persistent threats

Hackers and computer criminals have shown an ongoing ability to stay one step ahead of the security professional. This is occurring in large part because security is often not treated as a sustained effort, and too many organizations take a check-box approach to implementing security or meeting compliance objectives.

As a result, long-term coordinated attacks can often exploit inadequate defenses over a period of time. In many cases, these attacks are well disguised and designed to undermine typical security controls deployed within many organizations. Often these attackers are well-funded, financially motivated and in some cases nationally sponsored (by China, in particular).

These entities have changed the game by leveraging new types of attacks that traditional systems can't easily detect. APTs require a fundamental change in mindset by IT professionals to a state of sustained vigilance. There are no “quick fixes” for APTs and no single product is a cure-all.

Organizations need the skills and tools to find patterns, correlate activities across applications and infrastructure, and conduct forensic analysis to find the clues that they may be compromised, or are about to be. They need to be able to do this in real time, and most organizations do not have the visibility, solutions or skill sets to best protect themselves against these kinds of sophisticated attackers. The information needed to detect attacks exists within the enterprise regardless of whether the attack is by an external party or an insider. Organizations that are not proactively collecting and analyzing this information lack the visibility needed to detect and respond to threats.

Virtual and cloud computing

Securing data, both personal and corporate, within virtual and cloud environments without the ability to implement and monitor controls presents a significant challenge for IT security personnel. As virtualization and cloud technologies continue to expand – due largely to the need to lower IT costs – this trend has required us to grow, and in some cases change, our approach to security monitoring.

Not all virtual and cloud environments offer customers the ability to implement and manage effective security controls, and this can pose tremendous risk, particularly as many service providers do not guarantee the security of data stored within their environment, and the owner of the data generally retains liability if a breach does occur.

Organizations must understand that outsourcing IT does not transfer responsibility for data or liability associated with its security. Companies can mitigate the risks somewhat here through carefully structured contracts with clear SLAs, but that is not a failsafe by any means.

It may be difficult to implement parallel security controls so that confidential data accessed on the network is treated in the same fashion outside of your organization. End-users cannot be expected to know the location of an application or how to avoid placing sensitive data in a virtual or outsourced repository that may not have adequate controls in place. So, while there is no question about the ease and convenience of virtualization, these services may prevent IT from applying needed security controls, allow end-users to unintentionally expose confidential personal and corporate data, and ultimately put the business at risk of liability.

IT cannot stop the trend of business users contracting discrete services to support their objectives. IT needs to enforce protection at the data level, regardless of where the data is located. Where this is infrastructure or platform as a service and the organization maintains control of the systems, it can be addressed as an extension of current enterprise monitoring. Where the organization gives up control of the infrastructure for the benefits of SaaS, the risks must be addressed through a carefully structured contractual agreement, which includes terms for auditing and reporting. Without such protection, the organization is exposed as employees move critical information to cloud services.

Considerations for any security program

As new threats and deployment models increasingly impact organizations' security strategies, it is important to formulate a security model that accounts for these changes.

Ultimately we need to change our view of “trusted” users and focus on the behavior rather than the user. For that reason, a “zero trust” model is the most appropriate approach if organizations are to fully protect data and systems. In this context, no user is blindly trusted. Activity must be continuously monitored and identity continuously verified. Controlling rights through an overall identity/role lifecycle, and continuously monitoring the use of those rights, will ultimately help ensure that corporate data is protected against the new threats that routinely impact organizations worldwide.


Solving the hardest problems in enterprise data security

Jim Ricotta, CEO, Verdasys • January 23, 2012

Verdasys believes global enterprises will most probably face the following data security challenges in 2012, listed in order from most to least difficult to manage:

  1. Targeted cyber attacks
  2. Insider threats
  3. Intellectual property containment

As this list refers to data threats with a proven potential to severely impact a business's bottom line if left unaddressed, the relatively benign “threat” of failing a compliance audit did not make the cut.

These potentially existential threats are not only prioritized by how hard they are to solve, but are also in order of their urgency to be solved. This is based on the “top down” theory of data security that says the most difficult threat requires a solution that will, by definition, mitigate all other risks of lesser complexity. For instance, to prevent insider threats one must have found a practical solution for auditing and controlling enterprise uses of intellectual property (presuming that is the primary data target of a malicious insider). Likewise, to protect intellectual property, one must have found a practical solution to audit and control all data types, and so on. A “bottom up” model does little good if it requires implementing layers of disparate technology to solve progressively harder problems, as this simply incurs greater costs without making you any safer.

If you agree with the logic of top-down defense, then you must defeat the apex predator of corporate data. In 2012, this is undoubtedly targeted cyber threats – aka the advanced persistent threat (APT).

It used to be that stopping a malicious insider from stealing trade secrets was the hardest data security challenge to solve, but APT trumps that threat by being, in effect, an invisible malicious insider. So, if you haven't found a way to identify and track how IP is used, then you wouldn't be able to monitor or enforce how a trusted employee uses that IP, which means you wouldn't be able to detect when a trusted “user” account controlled by APT is stealing it, and so on.

What are APT threats and why are they so dangerous to companies? To start, if your organization has intellectual property (IP) that can be exploited by a global competitor, there's a good chance a purpose-built APT mission to steal it is already under way. Perpetrators of APT attacks are hackers and programmers with world-class skills that are backed by “investors” with essentially unlimited resources (i.e., nation-states) which will not stop until they gain an economic or political edge with your proprietary data.

But what makes APT so challenging to solve is that a successful attack must operate freely within a network indefinitely, so it is highly customized (at great expense) to be undetectable by typical signature-based security technologies. Unfortunately, this means that virtually all traditional signature-based anti-virus and firewall products, along with most web/email security, intrusion prevention and disk encryption technologies that companies have implemented over the last 20 years, are effectively useless against an APT attack. Companies targeted by APT will need to upgrade their defense strategy to include multiple, integrated layers of extremely sensitive anomaly detection and mitigation.

How do you stop an APT attack? First, you must be able to continuously track any intellectual property over its entire lifecycle. This means tagging files in such a way that the tag cannot be tampered with or lost, no matter how the content is manipulated, shared or transformed. Then, you must be able to identify your privileged users and categorize them by their right to handle data of a given sensitivity (e.g., IT administrator). This means having a policy management system that is enforced independently of a user's other network privileges. Next, your data protection technology must be able to recognize IP by policy and control it based on each user's data-handling privileges.

At that point, you can be assured of mitigating two key APT risks, even if the attack has not been previously detected. The first one ensures that tagged IP will remain protected if APT attempts to access it with a hijacked account (regardless of system privileges) with insufficient data usage rights. The second is that even IP accessed by an account with sufficient rights could still be contained by policy (e.g., encryption or blocking) if an attempt is made to export the data to an unauthorized destination. In either case, a reporting system which continuously audits all user account activities allows you to know exactly when and how anyone – or anything – attempts to handle IP, and could be an effective tripwire if your network has been compromised.
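The three steps above and the two risks they mitigate can be made concrete with a small policy engine. The following is an added example, not Verdasys code: a file carries a tamper-evident classification tag, a user's data-handling clearance is assigned independently of system privilege, and every read or export is decided by policy and written to an audit trail that doubles as the tripwire the column describes. The enum values, the MAC key, user names and approved destinations are all constructed for the demo.

```python
"""Added example (not Verdasys code): a toy data-handling policy engine.
IP gets a tamper-evident classification tag, users get data-handling rights
assigned independently of system privilege, and every read/export is decided
by policy and audited so the log can serve as a tripwire. All constructed."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional
import hashlib
import hmac

class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    TRADE_SECRET = 3

# Assumption: an organisation-held key that MACs the label, so a re-saved or
# renamed copy cannot silently lose or downgrade its classification.
TAG_KEY = b"constructed-demo-key-not-for-real-use"

@dataclass(frozen=True)
class TaggedFile:
    file_id: str
    sensitivity: Sensitivity
    tag: str  # HMAC-SHA256 over (file_id, sensitivity)

def _mac(file_id: str, sensitivity: Sensitivity) -> str:
    msg = f"{file_id}|{int(sensitivity)}".encode()
    return hmac.new(TAG_KEY, msg, hashlib.sha256).hexdigest()

def tag_file(file_id: str, sensitivity: Sensitivity) -> TaggedFile:
    return TaggedFile(file_id, sensitivity, _mac(file_id, sensitivity))

def tag_is_intact(f: TaggedFile) -> bool:
    return hmac.compare_digest(f.tag, _mac(f.file_id, f.sensitivity))

@dataclass(frozen=True)
class User:
    name: str
    is_system_admin: bool   # system privilege, e.g. an IT administrator
    clearance: Sensitivity  # data-handling right, granted independently

# Assumption: the only destinations policy allows tagged IP to be exported to.
APPROVED_DESTINATIONS = {"corp-fileserver", "partner-sftp"}

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

def decide(user: User, f: TaggedFile, action: str, destination: Optional[str],
           audit: List[tuple]) -> Decision:
    """Authorise a 'read' or 'export'. System privilege is deliberately ignored:
    a hijacked admin account gains no extra data-handling rights."""
    if not tag_is_intact(f):
        d = Decision(False, "classification tag missing or tampered")
    elif user.clearance < f.sensitivity:
        d = Decision(False, "insufficient data-handling rights")
    elif action == "export" and destination not in APPROVED_DESTINATIONS:
        d = Decision(False, f"export to unauthorized destination {destination!r}")
    elif action in ("read", "export"):
        d = Decision(True, "permitted by policy")
    else:
        d = Decision(False, f"unknown action {action!r}")
    audit.append((user.name, action, f.file_id, destination, d.allowed, d.reason))
    return d

def tripwire(audit: List[tuple], threshold: int = 3) -> List[str]:
    """Accounts with `threshold` or more denials: candidates for a hijacked account."""
    denials: Dict[str, int] = {}
    for name, _action, _file, _dest, allowed, _reason in audit:
        if not allowed:
            denials[name] = denials.get(name, 0) + 1
    return sorted(n for n, c in denials.items() if c >= threshold)

def demo() -> dict:
    audit: List[tuple] = []
    design = tag_file("chip-layout.dwg", Sensitivity.TRADE_SECRET)
    admin = User("it-admin", True, Sensitivity.INTERNAL)
    engineer = User("engineer", False, Sensitivity.TRADE_SECRET)
    results = {
        "admin_read": decide(admin, design, "read", None, audit).allowed,
        "engineer_read": decide(engineer, design, "read", None, audit).allowed,
        "engineer_export_ok": decide(engineer, design, "export", "partner-sftp", audit).allowed,
        "engineer_export_bad": decide(engineer, design, "export", "personal-webmail", audit).allowed,
    }
    # A label downgraded to PUBLIC without a matching MAC is rejected outright.
    forged = TaggedFile(design.file_id, Sensitivity.PUBLIC, design.tag)
    results["forged_read_by_admin"] = decide(admin, forged, "read", None, audit).allowed
    # The same admin account probing more files it has no right to trips the wire.
    for i in range(2):
        decide(admin, tag_file(f"roadmap-{i}.pptx", Sensitivity.CONFIDENTIAL), "read", None, audit)
    results["tripped"] = tripwire(audit)
    return results

if __name__ == "__main__":
    print(demo())
```

The two risks from the paragraph above map onto two branches of `decide`: the privileged but under-cleared account is refused even though `is_system_admin` is set, and the fully cleared account is still refused an export to a destination outside the approved set. The denial count in `tripwire` is the simplest form of the "continuously audits all user account activities" reporting the column calls for.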

Finally, you must be able to merge enterprise anomaly detection on workstations, servers and network traffic using policy rules created to identify specific and subtle APT tactics. This trove of enterprise event telemetry should ideally be consolidated in an integrated policy management/data mining system that can sift through legitimate “noise” to isolate and manage multiple anomalous or threatening events (either connected or separate) simultaneously. The key to an APT security strategy is that you only need to stop one stage of an APT attack to thwart the entire mission. If a particular security layer fails to detect something, you'll still be OK as long as another layer sees it.

Nobody said tackling these issues was going to be easy, but the threats are only getting worse (search “cyber attack” to see why). The good news is that the technical pieces exist from which to create a security mesh woven tightly enough to trap APT before it can complete its mission, and thus also solve insider threats and IP protection challenges without affecting the business process. Will the best defense be 100 percent effective? No, but it prevents you from being a constant victim. Besides, it is 100 percent certain that doing nothing will cause one or more of these security challenges to inflict serious – maybe permanent – harm to your business.


Bridging the cloud security gap

Gil Zimmermann, co-founder and CEO, CloudLock • January 20, 2012

The sun rising tomorrow morning is almost as inevitable as the cloud's integration within every enterprise in 2012. Now that the “if” portion of the cloud question has been answered, the populace is moving on to the next stage when discussing migrating to a cloud collaboration platform like Google Apps or Office 365: Is it secure?

The ensuing conversation is usually focused around the vulnerabilities and strengths of the infrastructure, whether or not the cloud application provider can see customer data and whether hackers can attain access to all of the information a cloud provider manages. Once those fears have been allayed, the cloud security conversation is over. The only problem is that these discussions overlook one critical fact: cloud security isn't really about the cloud. It's about people.

The complexities of the cloud bank

Think of the cloud as a bank. Banks have security guards, video cameras and high-tech intrusion prevention systems to keep your money safe. However, all of these systems won't be able to keep a penny in your account if you give your debit card number and PIN out to everyone. This illustrates the user's small, but essential, role in security.

The cloud operates in much the same way. Google, for example, has a stellar track record for protecting data stored in Google Apps. How many times have they lost customer data? Exactly zero. Information that has been lost within Google Apps is always due to a company or user's failure to comprehend the platform's collaboration intricacies. It's not about the security of the infrastructure, it's about how users share data both internally and externally. All the security certifications in the world are irrelevant if an employee shares the salary spreadsheet with everyone in the company or customer credit card info with anyone on the Internet.

Prior to the cloud, IT departments spent a huge amount of time, effort and money on controlling access to data on-premise for things like e-Discovery, governance, risk management and compliance (eGRC). IT staff used a host of solutions like data leakage prevention, enterprise risk management or network access control to control how information flowed into and out of the corporate architecture. There was a defined border that could be guarded to prevent hackers and insider threats alike. But the public cloud doesn't come equipped with any such point that can be fortified, which makes cloud data security an altogether different animal.

Cloud data security = secure collaboration

Collaboration is one of the cloud's primary benefits for enterprises. Unfortunately, it's also one of the major security vulnerabilities as access and usage rights permissions for files are largely left to the users. IT administrators who have long wielded the power in the data security equation now find themselves in a reactionary position. Like on-premise, fundamental cloud eGRC best practices start with understanding how information is flowing throughout the organization, both internally and externally.

Data security traditionally has been viewed as a Wild West movie: the “white hats” attempt to keep confidential information secure while “black hats” try to take it away by any cunning and nefarious means necessary. The cloud makes that viewpoint obsolete. Cloud platforms' high level of security allows enterprises to focus on the finer points of data security. In other words, organizations have to guard the money, not the bank itself. This is a much easier proposition as IT administrators can now focus on access and usage rights for specific documents rather than securing every endpoint and server.
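"Understanding how information is flowing" and "focusing on access and usage rights for specific documents" comes down to auditing the permissions users have set. The following is an added example, not CloudLock's product and not the Google Apps or Office 365 API: it walks a constructed listing of documents and their sharing entries and flags the two cases the column names, a sensitive spreadsheet shared with the whole company and card data shared with anyone on the Internet, along with anything else that is public. The field names, labels, domain and sample documents are assumptions made for the demo.

```python
"""Added example (not CloudLock's product, not a real SaaS API): an audit over
document-sharing metadata that flags files whose permissions reach further
than they should. Records are constructed and only mimic the general shape
of a collaboration platform's permission listing."""
from dataclasses import dataclass
from typing import Dict, List

ORG_DOMAIN = "example.com"                             # assumption: the company's domain
SENSITIVE_LABELS = {"finance", "pii", "payment-card"}  # assumption: org-applied labels
_RANK = {"restricted": 0, "org-wide": 1, "external": 2, "public": 3}

@dataclass(frozen=True)
class Permission:
    kind: str       # "user", "domain" or "anyone"
    principal: str  # e-mail address, domain, or "" for "anyone"
    role: str       # "reader", "writer" or "owner"

@dataclass(frozen=True)
class Doc:
    name: str
    labels: List[str]
    permissions: List[Permission]

def _scope(p: Permission) -> str:
    """How far a single permission entry reaches."""
    if p.kind == "anyone":
        return "public"
    if p.kind == "domain":
        return "org-wide" if p.principal == ORG_DOMAIN else "external"
    return "restricted" if p.principal.endswith("@" + ORG_DOMAIN) else "external"

def exposure(doc: Doc) -> str:
    """The widest reach among a document's permissions."""
    return max((_scope(p) for p in doc.permissions),
               key=_RANK.__getitem__, default="restricted")

def find_overshared(docs: List[Doc]) -> List[Dict]:
    """Flag anything public, plus any sensitive document shared org-wide or
    externally. Findings are ordered widest exposure first."""
    findings = []
    for d in docs:
        exp = exposure(d)
        sensitive = bool(set(d.labels) & SENSITIVE_LABELS)
        if exp == "public" or (sensitive and _RANK[exp] >= _RANK["org-wide"]):
            findings.append({
                "doc": d.name, "exposure": exp, "sensitive": sensitive,
                # outsiders who can change the document, not merely read it
                "external_editors": sorted(p.principal for p in d.permissions
                                           if p.kind == "user" and p.role != "reader"
                                           and _scope(p) == "external"),
            })
    return sorted(findings, key=lambda f: -_RANK[f["exposure"]])

# Constructed sample inventory.
SAMPLE_DOCS = [
    Doc("2012 salaries.xlsx", ["finance"],
        [Permission("user", "cfo@example.com", "owner"),
         Permission("domain", "example.com", "reader")]),
    Doc("customer-cards.csv", ["payment-card"],
        [Permission("user", "ops@example.com", "owner"),
         Permission("anyone", "", "reader")]),
    Doc("partner-roadmap.docx", [],
        [Permission("user", "pm@example.com", "owner"),
         Permission("user", "lead@partner-vendor.net", "writer")]),
    Doc("payroll-notes.docx", ["pii"],
        [Permission("user", "hr@example.com", "owner"),
         Permission("user", "adviser@hr-firm.example", "writer")]),
    Doc("lunch-menu.pdf", [],
        [Permission("user", "office@example.com", "owner"),
         Permission("anyone", "", "reader")]),
]

if __name__ == "__main__":
    for finding in find_overshared(SAMPLE_DOCS):
        print(finding)
```

The unlabelled roadmap shared with one named partner is deliberately not flagged: the rule set treats external sharing as a finding only when the document carries a sensitive label, while public links are always reported. Tightening that (for instance, reporting every external editor) is a policy choice, and a real deployment would read the permission listing from the platform's own API rather than the constructed list above.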

Focusing on implementing the same IT controls for data in Google Apps and Office 365 as for the data that used to sit on on-premise file servers is the gateway to experiencing the cost savings and collaboration benefits of the cloud. The best part is that this strategy will equal the level of security of your on-premise infrastructure, if not surpass it.

Best practices for securing your virtualized data center

Sanjay Raja, virtualization security expert, HP Enterprise Security Products • January 19, 2012

Virtualization is changing the way IT is delivered today, and the implications of this transition are endless. Virtualization essentially takes a physical server and divides it into multiple simulated or “virtual” servers – aka virtual machines (VMs) – running on a single physical server. Now you have fewer boxes that are better used, with lower operational costs and conserved resources. As with many new and less tested methods of computing, there are often data thieves, cyber lurkers and hackers looking for undiscovered vulnerabilities in networks. With organizations deploying virtualization and increasingly moving toward the cloud, security becomes a greater concern.

With that in mind, CIOs have to make security a priority. Recent breaches, like the Wi-Fi network hack in the Seattle area, where an open wireless network was hacked and sensitive data was stolen, and Sony's PS3 data hack, illustrate that large data centers using virtualization are just as susceptible to an attack as traditional physical data centers.

The reality is that migrating to virtual environments poses equal security risks to physical environments for several reasons:

  • Virtualization software can contain vulnerabilities and requires patching just like any other application. This means patching another layer of software in addition to the pre-existing operating system (e.g., Microsoft Windows).
  • Cyber criminals are employing VM-aware malware that can spread unnoticed and unchecked among VMs, because there is little visibility into the vast amount of traffic between machines that co-exist on the same server. VMs are like self-contained “black boxes,” which lets VM-aware malware spread unknowingly to other physical servers when VMs or applications are moved.
  • As VMs are added to the network, most do not automatically have security policies applied to them. In fact, many IT organizations may be unaware of the rogue VMs popping up across their environment that ultimately put their business at increased risk.

The virtual environment is very different from the “physical” data center, where networks, servers and applications can be easily secured and monitored. Because of these concerns, companies are implementing security software designed for the physical environment and integrating it into the VMs (as so-called virtual appliances), hoping they are protected in the “virtual world.” This approach may not effectively address VM-aware malware and attacks, because it provides no visibility into VM movement and its security policies aren't portable.

Create a more secure environment by keeping the following best practices in mind:

  • Implementing comprehensive security policies for safeguarding networks and applications means that protection is the same for both physical and virtual resources. That is the only way to have the same degree of protection for sensitive data and resources. No one wants to take a step backward when attacks are becoming more complex.
  • Avoid reliance on virtual appliances, as they do not always offer viable protection. They are not able to travel with VMs throughout the network and are too bare to provide protection that adequately preserves server resources. The ultimate goal of consolidating servers into VMs is to make better use of resources, so why use a virtual appliance and lose out on all the savings of virtualization?
  • Integrating full virtual network asset and configuration tracking solutions allows security administrators to configure comprehensive security policies and obtain vital information comparable to that of a physical network. In order to effectively secure VMs, visibility into how they are connected and into their communication paths is needed, just as it is in a physical network between two servers.
  • Running comprehensive deep-packet inspection outside of the VMs preserves computing resources for applications without sacrificing security. The procedure also allows security administrators to focus on security, while at the same time allowing server administrators to focus on VMs.
  • Deploying an automated security solution allows the network to adapt to changes in virtual environments, such as introducing a new virtual machine, thus creating continuous protection of both the physical and virtual landscape.
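Asset and configuration tracking, the rogue-VM problem, and policies that do not travel with a migrated VM all show up as gaps between three views of the same estate: what the hypervisors report running, what the asset register says, and what host-bound appliances can actually enforce. The following is an added example, not HP's product or any hypervisor's API, that reconciles those three views over constructed data; the host names, VM names and policy names are assumptions for the demo.

```python
"""Added example (not HP's product): reconcile the hypervisors' VM inventory
against the asset register and against what host-bound security appliances
enforce. It surfaces rogue VMs nobody registered, registered VMs with no
policy, VMs whose policy did not follow them to a new host, and register
entries that no longer run anywhere. All data is constructed."""
from typing import Dict, List, Optional, Set

# Constructed: what the hypervisors report as running right now.
INVENTORY = [
    {"vm": "web-01", "host": "esx-a"},
    {"vm": "db-01", "host": "esx-b"},       # migrated from esx-a last night
    {"vm": "build-07", "host": "esx-b"},
    {"vm": "test-tmp-3", "host": "esx-b"},  # nobody registered this one
]

# Constructed: the asset register, mapping VM -> assigned security policy.
REGISTER: Dict[str, Optional[str]] = {
    "web-01": "web-tier",
    "db-01": "db-tier",
    "build-07": None,          # registered, but no policy ever applied
    "old-app-02": "web-tier",  # registered, but no longer running anywhere
}

# Constructed: policies each host-bound virtual appliance is able to enforce.
# This is the non-portable policy the column warns about: it belongs to the
# host, so a VM that moves can land somewhere its policy is not enforced.
HOST_COVERAGE: Dict[str, Set[str]] = {
    "esx-a": {"web-tier", "db-tier"},
    "esx-b": {"web-tier"},
}

def reconcile(inventory: List[Dict[str, str]],
              register: Dict[str, Optional[str]],
              host_coverage: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Compare the three views and return each kind of gap as a sorted list."""
    running = {e["vm"]: e["host"] for e in inventory}
    findings: Dict[str, List[str]] = {
        "rogue": [], "no_policy": [], "policy_not_enforced": [], "stale": []}
    for vm, host in running.items():
        if vm not in register:
            findings["rogue"].append(vm)           # running, never registered
            continue
        policy = register[vm]
        if policy is None:
            findings["no_policy"].append(vm)       # registered, never protected
        elif policy not in host_coverage.get(host, set()):
            # registered and assigned a policy, but the appliance on the host
            # it now runs on cannot enforce that policy
            findings["policy_not_enforced"].append(f"{vm}@{host} needs {policy}")
    findings["stale"] = [vm for vm in register if vm not in running]
    return {kind: sorted(items) for kind, items in findings.items()}

def demo() -> Dict[str, List[str]]:
    return reconcile(INVENTORY, REGISTER, HOST_COVERAGE)

if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

Run on a schedule, or triggered by the hypervisor's own VM-created and VM-migrated events, this is the skeleton of the "automated security solution [that] allows the network to adapt to changes" in the last bullet: a new VM shows up as rogue or unprotected the first time the check runs after it appears, and a migration that outruns its policy is reported the same way.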

Day in and day out, security is becoming a critical consideration for CIOs. However, comprehensive protection can be achieved if the time is taken to integrate security from the beginning.
