CA Community

April 2010 - Posts

You sent what? - Linking identity & data loss prevention to avoid damage to brand, reputation & competitiveness

Published: April 29 2010, 03:09 AM | 3 Comment(s)
by Shirief Nosseir

Few European Organisations Have Deployed Data Loss Prevention Tools, Jeopardising IT Security and Compliance, Survey Reveals


Today we announced the results of a European study entitled "You sent what? - Linking identity and data loss prevention to avoid damage to brand, reputation and competitiveness" (Report). The study focuses on how well European businesses understand today's information security risks and what steps they have taken to address them. It also looks at the issues of information governance and the benefits of linking Data Loss Prevention to identity management.

What does data loss in this sense mean?

Every organisation processes data that can be classified as sensitive. This sensitive information takes many forms, including product designs, technical specifications, software code, or employee personal data, like credit card and account numbers, medical-related information, and national identification numbers. Businesses also need to regularly share data with each other outside the perimeter, driving the cross-organisational business processes that enable suppliers to trade and governments to provide joined-up services to citizens.

While engaging in the day-to-day sharing of sensitive data, businesses need to ensure they are protected from the threat that - either by accident or by design - the data is lost or leaked and ends up in the wrong hands. When that happens, the failure to protect data is costly, not least because of the level of fines now being imposed by regulators. On top of this there is the reputational damage and loss of competitive advantage that usually ensues - as the numerous high-profile data breaches reported in recent years demonstrate.

Paradox between low adoption rates of data loss prevention technologies and tighter data privacy regulations?

The study reveals that only 28% of organisations in Europe have deployed Data Loss Prevention (DLP) technology. As mentioned, data compromise is costly, and new regulations are expected to exacerbate this in coming years. For example, in the UK, new data loss fines in force since earlier this month (6th April 2010 to be exact) mean that organisations that recklessly lose data could be fined up to £500,000.

According to the study, IT departments are struggling to deal with compliance issues, such as the Payment Card Industry Data Security Standard (PCI DSS) and the ISO 27001 information security standard. Surprisingly, they are unaware of how technology could help and many are unable to convince the business of the inherent risks to justify the required investment. This is despite the fact many organisations expect data privacy to be the area of regulation that will impact them the most in the next 5 years.

As the survey highlights, many serious cases have emerged that demonstrate the dangers of data loss, and some of these losses became very public. The survey also states that a lack of time and resources, compounded by numerous manual processes, means that IT managers find it difficult to address many compliance issues.

Sounds scary?

There are some recommendations to avoid these breaches. A compliance-oriented architecture (COA) would help alleviate the problem of data loss and misuse. An effective COA requires (i) an identity and access management solution (only 24% of European organisations have deployed this); (ii) the ability to locate and classify data (more than 50% claim to have such a system in place); and (iii) the ability to link people's roles to the different types of data and enforce security policies that accordingly control sensitive information. The second and third requirements are provided by today's DLP solutions.

Interestingly, the study found that almost 90% of organisations that have deployed DLP state they are well prepared to protect intellectual property and personal data - and to ensure compliance with security mandates. For those without DLP the figure is 26%. A clear statement.

Identity-centric DLP

Security and compliance efforts have been thwarted until recently because they didn't consider the identities of the individuals involved in various activities. For example, without knowing the identity of an email's sender and recipient, organisations have been forced to implement one-size-fits-all, enterprise-wide policies. This means the decision to block intellectual property, customer details or any other sensitive data from being sent or used must apply equally to all employees.

But in reality, employee bases are varied, consisting of many levels of roles and rights. In many organisations identity management and information protection/governance are separate silos that do not work in concert, so they miss out on the benefits of a combined approach.

Incorporating identity is only effective if the solution accurately models the various roles that individuals carry out within an organisation. All too often that's not the case.

Even when a DLP system has the capacity to understand the notion of identity, the task of modelling the organisation's structure, responsibilities and entitlements takes time. Organisations frequently group individual employees into so many roles that it becomes hard to manage. For most companies, this undertaking requires concerted efforts and dedicated identity management tools to be effective. Unless properly managed and supported, rationalizing a model from tens of thousands of roles to several hundred can easily take many people-months and result in errors.

This is why it's so important for DLP systems to seamlessly integrate with identity management tools that automate the modelling of the organisation's user roles and entitlements. This allows DLP to simply inherit all of that intelligence for contextually accurate data loss detection and prevention.

An identity-centric DLP approach improves security by ensuring that individuals have only the appropriate and intended level of access to information. Also, when compared to content-only DLP solutions, it provides more accurate results, reduces false positives, and saves on incident management costs, amongst many other benefits.
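To make the difference between a content-only policy and an identity-centric one concrete, here is a small Python model added for illustration; it is not code from the report or from any CA product. It classifies an outbound message's content (payment card numbers validated with a Luhn check, plus a marker for design documents), then evaluates two policies: an enterprise-wide "block anything sensitive leaving the perimeter" rule, and a rule that consults the sender's role and the recipient domain. The mail domain, user-to-role mapping, entitlements and sample messages are all constructed assumptions for the example; in practice the roles would be inherited from the identity management system as the post describes.

```python
"""Content-only vs identity-centric DLP decisions on constructed sample messages."""
import re
from dataclasses import dataclass

INTERNAL_DOMAIN = "corp.example"   # assumption: the organisation's own mail domain

# Data classes the content classifier can recognise
PCI = "PCI"   # payment card numbers
IP = "IP"     # intellectual property (marked design documents)

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
IP_MARKER_RE = re.compile(r"CONFIDENTIAL\s*-\s*PRODUCT DESIGN", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that arbitrary digit runs (ticket numbers etc.) are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Content inspection: return the set of sensitive data classes present in the text."""
    found = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add(PCI)
    if IP_MARKER_RE.search(text):
        found.add(IP)
    return found


@dataclass
class Message:
    sender: str
    recipient: str
    body: str

    @property
    def external(self) -> bool:
        return not self.recipient.lower().endswith("@" + INTERNAL_DOMAIN)


def content_only_decision(msg: Message) -> str:
    """One-size-fits-all rule: any sensitive class leaving the perimeter is blocked, whoever sends it."""
    if msg.external and classify(msg.body):
        return "block"
    return "allow"


# Identity-centric policy (constructed): which data classes each role may send externally,
# and to which recipient domains. The role mapping stands in for what an IdM system would supply.
ROLE_OF_USER = {
    "clerk@corp.example": "finance",
    "dev@corp.example": "engineering",
    "intern@corp.example": "intern",
}
ENTITLEMENTS = {
    "finance": {PCI: {"acquirer.example"}},
    "engineering": {IP: {"partner.example"}},
    "intern": {},
}


def identity_centric_decision(msg: Message) -> str:
    """Decide using the sender's role and the recipient domain as well as the content."""
    classes = classify(msg.body)
    if not classes or not msg.external:
        return "allow"
    role = ROLE_OF_USER.get(msg.sender.lower())
    allowed = ENTITLEMENTS.get(role, {})          # unknown user -> no entitlements
    domain = msg.recipient.rsplit("@", 1)[-1].lower()
    for data_class in classes:
        if domain not in allowed.get(data_class, set()):
            return "block"
    return "allow-audit"   # permitted for this role and recipient, but logged for review


# Constructed sample traffic; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
SAMPLES = [
    Message("clerk@corp.example", "settlements@acquirer.example", "Refund for card 4111 1111 1111 1111, amount 120.00"),
    Message("intern@corp.example", "friend@webmail.example", "Look: 4111 1111 1111 1111"),
    Message("dev@corp.example", "eng@partner.example", "CONFIDENTIAL - PRODUCT DESIGN rev 3 attached"),
    Message("dev@corp.example", "someone@rival.example", "CONFIDENTIAL - PRODUCT DESIGN rev 3 attached"),
    Message("clerk@corp.example", "vendor@shop.example", "Ticket ref 1234 5678 9012 3456 closed"),
]


def compare(msgs) -> list:
    """Return (content-only, identity-centric) decisions for each message."""
    return [(content_only_decision(m), identity_centric_decision(m)) for m in msgs]


if __name__ == "__main__":
    for m, (content, identity) in zip(SAMPLES, compare(SAMPLES)):
        print(f"{m.sender} -> {m.recipient}: content-only={content}, identity-centric={identity}")
```

The first and third messages are the false positives the post refers to: a finance clerk sending card data to the acquiring bank and an engineer sending a design to an approved partner are both blocked by the content-only rule, while the identity-centric rule allows and audits them. The intern and the mail to the unapproved domain are still blocked, and the last message shows why the classifier needs the Luhn check: the ticket reference looks like a card number but fails the checksum, so neither policy raises an incident.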

Interested?

You can find the full report as well as additional information here: www.ca.com/gb/mediaresourcecentre


By: Shirief Nosseir
With a degree in computer science and business administration, Shirief brings business and technical know-how to his role on the EMEA Security Management team. As he interacts with many organisations and experts in the field, he is able to understand their experiences and challenges and help devise...

Google Security Breach a Warning Sign for Cloud Security?

Published: April 21 2010, 01:04 PM | no comments
by Matthew Gardiner

A recent New York Times article on the Google security breach raises important cloud security issues. While it is still difficult to piece together completely what really happened, as information continues to dribble out, what this article brings out is that at least part of what was attacked was Google's shared security system, known as Gaia. Gaia controls the log-in process for Google's applications and as such provides SSO to them. So what does this mean for cloud security? It graphically highlights some of the risks of the cloud, namely that your security is dependent on their systems and processes. And it follows that their breach can become your breach.

It also raises some of the age-old questions about systems that provide SSO, such as: doesn't a single sign-on system risk giving up the "keys to the kingdom"? In the early days of the Web access management market (Web SSO), I would often get questions around that "keys to the kingdom" concern. Unfortunately the alternative to SSO is many log-ins for users, thus transferring a large part of the security burden to the users themselves. This is not a good tradeoff, as the common user is almost always the weak link in any security system. It is much better - and this has been shown over the years in Web access management - to use a proven security system and to watch things closely.

So what are some takeaways from this breach for cloud security?

  • First, organizations such as Google must make (or buy) a great access management/SSO system - one that is constantly tested against all types of internal and external threats.
  • Second, the use of federated log-in systems with strong, multi-factor authentication must be increased. It is better for users to log in to fewer, stronger Web sites than to more, weaker ones. The cloud, strong authentication, and identity federation are a great combination.
  • Third, and perhaps most importantly, organizations and even consumers need to care more about the security systems and practices of their cloud providers. Organizations need to demand reasonable transparency and cloud providers need to offer it. If you allow your cloud provider to manage their security systems and practices as a "black box," you don't know what you are getting from a security point of view. You don't know if you are trading the good (yours) for the bad (theirs), the bad (yours) for the good (theirs), or the mediocre for the mediocre.
  • Finally, cloud providers should consider imitating the formal collaboration used by traditional anti-virus vendors around systemic attacks. The sharing of this information has helped curtail widespread breaches in the traditional security world and could also serve the cloud industry well.

I welcome any comments to this view.


By: Matthew Gardiner
Matthew Gardiner is a Director working in the Security business unit at CA Technologies. He is a recognized industry leader in the security & Identity and Access Management (IAM) markets worldwide. He is published, blogs, and is interviewed regularly in leading industry media on a wide range of IAM...

If It Is Tuesday, It Must Be Another Survey

Published: April 20 2010, 08:50 AM | no comments
by Merritt Maxim

The title for this blog was inspired by a classic and favorite movie of mine, If it's Tuesday, This Must be Belgium.  I use it without cynicism; the IT industry has no shortage of market surveys on various trends and findings, many of which are very insightful and helpful to vendors and users alike.

I am pleased to announce another cybersecurity market survey from Lockheed Martin that is available here (you can read the news release about the survey here). This survey was conducted in conjunction with The Cloud Security Alliance, of which CA is a member. Cloud computing is now a mainstream IT theme and there is no shortage of benefits that organizations can realize from utilizing cloud computing. That does not mean cloud computing is without its issues, especially around security and privacy.

This Lockheed survey contains some very good findings around cloud adoption within the US Federal government. And while over 70% of the respondents were concerned about data security, privacy and integrity in the cloud, survey respondents still displayed high interest in cloud computing. I interpret this finding very positively - it means that individuals understand the risks imposed by cloud computing, but are confident the security standards and solutions exist that can alleviate and mitigate those risks.

Stay tuned for more surveys in the coming weeks!


By: Merritt Maxim
Merritt Maxim has 15 years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity and CA Technologies. In his current role at CA Technologies, Merritt handles product marketing for CA's identity management and cloud...

Attitudes Toward IT Security Posture: Job Role and Title Make a Difference

Published: April 14 2010, 11:55 AM | no comments
by Merritt Maxim

Today we announced the release of a new security survey that we conducted with the Ponemon Institute. This new survey, "Security in the Trenches: Comparative Study of IT Practitioners and Executives in the U.S. Federal Government," is the second phase of a research project that we undertook in the fall of 2009. The first phase of the project was focused on attitudes of federal IT executives and resulted in this study; we have now followed it with a survey that compares the IT security attitudes of IT executives and IT staff workers at various agencies in the U.S. federal government.

The study results indicate considerable gaps exist between the IT executives and IT staff regarding perceptions about the state of security in government. For instance, on the issue of privileged user password management, 62% of IT staff employees deemed it very important, vs. only 31% of IT executives, a 31% gap. This is concerning because a privileged user or IT administrator account should be considered the most vulnerable of all accounts because of the extended access it grants to its users. If this type of account were breached, it could feasibly hand over the "keys to the kingdom" if not properly managed and controlled. This gap on privileged user password management can also be partially attributed to the fact that this security issue still has very low awareness outside the rank-and-file staff workers, a trend which needs to change.

On the issue of confidence in the organizational ability to achieve security and compliance objectives, 63% of executives felt confident they could comply with all legal requirements and the same percentage felt certain they could ensure the security program was adequately managed. In contrast, only 45% and 43% of rank and file staff were confident in those areas.

While the initial reaction to these survey results might be, "This just proves IT security is different in the public sector than in my company," it would be wise to ponder these findings first. If you posed these same questions in your organization, would the likely outcome be significantly different from what was reported in this survey? Would there be a big difference in opinion around IT security among execs and rank-and-file employees in your organization?

The reality is that there are differing levels of optimism around IT security in all organizations. While this Ponemon study shows a lower level of optimism among rank-and-file workers, these IT staffers are usually the people who address and solve operational IT security issues. So the good news is that these individuals are aware of the ongoing IT security challenges and will thus be motivated to lobby executives to support funding for deploying solutions and people to fix these problems. And since new cyber threats are constantly emerging, no organization should ever get over-confident on IT security issues.


By: Merritt Maxim

Trust and the cloud – Identities are critical

Published: April 14 2010, 09:01 AM | no comments
by CA Community

Yesterday I participated in the first of two Business Software Alliance Cyber Security Forums taking place in April. This one was held in Brussels, Belgium and was the EU's third annual Cyber Security Awareness Day. Government officials from across Europe attended.

One of the hottest topics of the day was cloud security, and that was what my panel discussion focused on - Securing Cloud Identity and Infrastructure. This is a key focus for CA as we extend our enterprise identity and access management technologies to support cloud platforms.

Trust is one of the biggest factors when it comes to cloud security. It encompasses everything from choosing a trusted cloud provider to establishing trust that you are who you say you are.

I could go on and discuss this issue for page after blog page, but for brevity's sake, here are a few key thoughts about trust and cloud security. You can also find a few slides from the conference here.

How to choose a provider? This is a key challenge and there are multiple things to consider here - everything from the provider's security posture to where the data is stored. A cloud provider review or "consumer report" for cloud would help.

Embrace and Enable - The business needs will win out and cloud applications and infrastructure will be adopted. To ensure that security is not an afterthought, security professionals should embrace the cloud and enable the organization to securely use the cloud.

Identities are critical - On-premises rules for identity management carry over to the cloud and potentially become even more critical depending on the cloud environment.

  • User ID and password are not enough
  • Strong authentication is needed
  • Claims-based identity models could help, such as InfoCards, OpenID, etc.
  • Federation is a must to simplify and secure
  • Auditing and tracking - Proving compliance doesn't go away because you're using the cloud - it becomes more complex.

I'm interested in others' thoughts on trust and the cloud. Comments are welcome on this blog, or if you're in Washington, D.C., on April 29 at the BSA Cyber Security Forum, we could catch up there.


By: CA Community
CA Community is the blog manager’s account used to post general updates and news items.