The complex information security landscape

In this interview, Latha Maripuri, Director, IBM Security Services and Marc van Zadelhoff, Director of Strategy, IBM Security Solutions, discuss the increasingly complex information security landscape by addressing budget strategies, cloud computing security, mobile devices and more.

We live in complex times. The black hats have seemingly endless resources while the good guys have to get management approval for all their tools. What can a large organization do to stay on top of the fast-paced threat landscape while fighting on a limited budget?
The threat landscape is changing rapidly with new software vulnerabilities, malware, phishing methods and web-based attacks coming out daily. In addition, as the 2010 X-Force Trend & Risk Report points out, cyberattacks are getting more sophisticated, targeted, organized and harder to detect. Not to mention that as the planet becomes more interconnected, instrumented and intelligent, it is also creating emerging complexities and security risks that businesses must address.

Corporations should focus on running their businesses and use service providers for security expertise in order to mitigate their risk of being impacted. Sophisticated security analytics, such as leveraging IP reputation data, can help protect a company, but these skills are often not found in-house.

Organizations should consider a lifecycle based approach for security that ensures the environment is regularly assessed against current and relevant threats. This proven approach generally begins with assessment and flows into design, deployment, management, and continual education. The nature of the evolving threat requires this level of maturity; else the organization may deploy technology without a full understanding of the most critical needs.

Consideration should also be given to outsourcing and software as a service (SaaS) solutions. These service based offerings are generally geared towards reducing cost and complexity while improving the organization’s overall security capability. These solutions bring together the shared security expertise of certified resources around the world, and this can contribute to reducing the staffing requirements for in-house security teams.

Despite significant technological innovations in the last decade, the overall security architecture is constantly growing to accommodate more software and hardware. The growing complexity of managing large deployments sometimes takes a toll on patching procedures, while keeping up with new attack vectors is a daunting task. Are we ever going to see a protection infrastructure that is much smaller and way more efficient than what we see deployed today?
For most companies, security has traditionally been an afterthought – a bolt-on to infrastructures that are already built or applications that are already widely deployed. This often creates an extremely complex and costly environment to manage and maintain.

We are seeing more of a shift towards embedding security early in the development cycles. New applications should take into account secure engineering principles from the beginning. Also, as companies look at server consolidation, virtualization or cloud computing, they have an opportunity to incorporate security from the start and be more efficient.

As an example, we recently helped a large hotel chain meet a series of PCI requirements across their various properties by deploying cloud-based services for security event and log management. This solution offered a short time to value, had virtually no overhead, and didn’t require the costly purchase or implementation of an off-the-shelf security information and event management (SIEM) application.

With an increasingly mobile workforce and the expansion of teleworking, organizations are doing more with less. At the same time, they introduce a variety of new risks that are mostly difficult to identify and manage. What advice would you give to IT security managers trying to oversee a flood of new mobile devices and home computers used for company work? Is the cost trade-off of allowing employees to use their own machines worth the security implications?
Allowing employees to use mobile and smart devices for business purposes offers many benefits such as improved productivity, increased collaboration and better client service. The concept of “bring your own” technology seems to be an unavoidable trend which companies need to proactively prepare for from a security standpoint – especially given that C-level executives are usually the first to want the latest technology gadgets.

In fact, in a recent study conducted by Zogby International, on behalf of IBM, 73 percent of business leaders surveyed currently allow nontraditional endpoints, such as mobile devices or tablets, to connect to their corporate networks; but 36 percent feel that these devices are not adequately protected and would like to see their companies invest more in managing the security of smartphones, POS systems and other smart devices. For that reason, security managers should develop and communicate a policy for mobile devices covering which ones are allowed, what business data can be stored on them and how best to protect it.

Mobile devices can easily be lost or stolen and are also increasingly targeted with spam/malware through mobile applications. Leveraging technologies such as mobile device management platforms, encryption, VPNs or remote wipe can help protect intellectual property.

Organizations should begin to explore the possibility of endpoint security installations on both corporate and employee owned mobile devices to ensure that resources accessing sensitive data have met a minimum set of security standards. With a proactive approach towards securing these systems, businesses can benefit from the ubiquitous connectivity and productivity that these devices enable.

For the past few years, everyone has been talking about cloud computing and the benefits of migrating, despite a growing number of security risks that remain unsolved. The recent Gmail outage that wiped large chunks of e-mail from 150,000 users put cloud drawbacks into the spotlight. What precautions should a company take when assessing the possibility of migrating their operations into the cloud? Is the cloud as secure as it should be? What are the missing ingredients?
Companies should do a thorough risk assessment of the business workloads they are moving to the cloud and ensure they understand the security requirements of those workloads. These requirements form the basis of a governance model that defines provider requirements for securing the workloads and their respective data while residing in the cloud. Once the governance model has been agreed upon by both parties, an enablement process must take place where all controls identified within the model are thoroughly implemented and tested. Lastly, an assessment must be performed at periodic and agreed-upon intervals to ensure that all controls continue to function properly as the environment changes and systems are updated or replaced.

For example, companies need to consider how identity management will be handled especially for privileged user accounts. In addition, they will need to know what protection is available on the cloud management interfaces and what reporting is available for compliance purposes. These are just a few points to consider and companies should ensure a sound security SLA is in place at all times with any cloud provider.

Depending on the state of today’s infrastructure, moving to the cloud might actually provide corporations with better security than they currently have. This can be a result of cloud environments often being purpose built to deliver a particular solution. Compare this to the traditional network environment that is a mixture of heterogeneous systems loosely stitched together to accomplish the broad and ever changing needs of the business.

We’ve seen a lot of large companies buying out smaller players in the security market, especially in the last few years. Do you think fewer players with large security portfolios can produce better security? Will this trend of mergers and acquisitions that consolidates a significant number of products bring more innovation or eventually slow down new development?
Given the evolving nature of security, large companies must continue to innovate even if they make acquisitions and as new smaller companies emerge. At IBM, we leverage our nine security research centers worldwide to develop industry leading, innovative solutions. Over just the past year, advancements have been made in numerous areas such as authentication, encryption, cryptography, secure hypervisors and endpoint security. We recently announced integration of our application scanning capabilities with network protection.

Larger companies actually have an edge when it comes to looking at multiple, complex layers of security management. Further, large companies are in the unique position to integrate these security technologies with the various systems and infrastructure they’re intended to protect. These secure, integrated solutions are a step in the right direction for simplifying the security landscape and reducing the overhead of IT security.