Archive for the ‘security’ Category

The Machines May Be Virtual, But The Security Problem Is Real

Monday, October 26th, 2009

Virtual Machines Pose Real Security Threats

When you become CIO, you already know that IT security is going to be one of your biggest and least rewarding challenges. If you do a great job at it, then nobody will ever know and you’ll get no credit for it. If you do a poor job, then everyone will know and you’ll get all the blame. That just goes with the CIO job.

In the future, CIOs are going to have a whole new set of security issues that come along with the popularity of virtual machines. The rules for how best to secure these boxes that really aren’t boxes have not been established yet. What can you do to make yourself ready to take on this new challenge?

Just What Is A Virtual Machine?

Before we dive in and start talking about security, let’s make sure that we’re all on board when it comes to just exactly what a virtual machine is. A while back, some very smart folks (a lot of whom happened to work at a company called VMware) realized that most companies were deploying one application per server in their data centers. One for email, one for web hosting, etc.

It turns out that as servers got more powerful, this was incredibly inefficient – most of the server’s processing power was not being used. The smart people created what they called a virtual machine (or VM) – software that sat on the server between the actual server hardware and the operating system that was running on the server. You can sorta think of it as a lower level operating system.

Once this VM was in place, they discovered that they could run multiple operating systems (and then of course multiple applications on top of those operating systems) on each individual server. When they did this everything was isolated – if one operating system crashed, it didn’t interfere with the other operating systems / applications running on the same box.

As you can well imagine, this has turned out to be an incredibly popular way to reduce the number of servers that have to be deployed and maintained within a data center. However, it has also opened the door to some nasty security problems…

The Problem With Virtualization Security

Oh sure, you THINK that you know how to secure a data center – lock down all of the network ports going in and out, and then take steps to make sure that you know which staff are allowed to enter and leave. Uh oh, when your servers stop being real physical boxes and start to become virtual images, now you’re going to have a whole new set of problems to deal with.

Cameron Sturdevant has been looking into just how we can go about securing the brave new future of virtual machines and he’s uncovered ten new issues that you are going to have to be able to deal with:

  1. Moving Too Fast: since virtual machines can be set up and put into operation much quicker than a real server can, you’re going to have to set up some sort of review process in order to keep things under control.
  2. Redefine Your Boundaries: it used to be simple to be able to keep the important things inside the data center and the threats outside when everything needed a physical box. Now that things are going virtual, these boundaries are getting more murky and you will have to spend the time to redraw them.
  3. Killed By Quantity: since it’s so easy to set up a new virtual machine, you’re going to be facing an explosion of them. This means that you’re going to have to establish a policy to determine when a new virtual machine needs to be deployed and when it needs to be turned off.
  4. Moving Day Is Everyday: since virtual machines can easily move from box to box, you’re going to have to lay down the law in order to make sure that the new server has the appropriate security policies in place in order to support the applications that will be running on it.
  5. Not The Same As The Old Boss: both the tools and the policies that used to work in the world of “real” servers won’t necessarily work in the new world of virtual servers. You’re going to have to find / make new ones.
  6. Virtual Tools: in order to police your virtual machines, you are going to want your security tools to run on virtual machines also – makes sense, doesn’t it?
  7. Cutting Costs: how many CPU cycles your virtual security tools take up will be a huge deal very quickly. The rule of thumb is for them to take less than 2-3% of the CPU’s cycles.
  8. Policy Update Time: not only will you need fancy new tools, but you are also going to need to update your staff on just how one goes about securing virtual boxes. Can you say special training?
  9. Where To Focus?: the experts suggest that you spend your time securing both the virtual machine and its applications and don’t worry so much about the underlying virtual machines. The thinking is that virtual machines are by design isolated from everything else so they are more secure.
  10. Get Some Relief: look for virtual machine management tools that will allow your staff to automate the processes of configuring and deploying virtual machines as much as possible in order to minimize security slipups.

Final Thoughts

Like it or not, when you become CIO you’re going to be living in a virtual world. All of the clever security tools and policies that we’ve created in an attempt to secure the world of physical servers that we now live in are not going to work in the future.

Your challenge will be to find ways to secure the virtual data center while at the same time keeping your IT staff’s workload at a manageable level. The good news is that this can be done, the bad news is that you’re going to be in uncharted territory. Good luck future CIO…!

Click here to get automatic updates when The Accidental Successful CIO Blog is updated.

What We’ll Be Talking About Next Time

Everybody wants their IT services for free. When you become the CIO, you’ve got to find an answer to the ugly question of just who’s going to pay you for all of those fancy IT services that your department can provide.

Poisonous Snakes, Sharp Knives, And Angry Natives: How Much Risk Can You Handle?

Monday, October 19th, 2009

CIOs Know That Security Threats Can Strike At Any Time

Ok CIO wannabe, we’re right in the middle of a global financial crisis and your IT budget has gotten slashed so much it looks like Freddy Krueger has come back and had his way with it. What are you going to do about your spending on security programs: cut ‘em, hold the line, or spend more? Whoops – that was a trick question: all of the answers will get you in trouble.

What The Other Guys Are Doing

Before making any big spending decision, any self-respecting CIO will do what all leaders do – try to find out what the other guys are doing in the hopes that you can just copy them. Well, in this case you’ll be getting mixed signals.

A survey done by Information Week magazine revealed that 19% of CIOs are cutting their security spending. On top of that, only 27% of the surveyed CIOs are planning on increasing their security budgets – that leaves roughly 50% doing the same old thing.

It’s starting to look as though the final remaining sacred cow of IT budgets, spending on securing the enterprise’s IT assets, has finally fallen under the budget trimming axe. This is an excellent opportunity to learn how to be a better CIO: cut too little and the company goes under, cut too much and the company may get sued when your defenses are breached.

What’s Worse: Poisonous Snakes or Sharp Knives?

Here’s another part of your CIO quiz: when your security budget comes under fire and you know that you’re not going to be able to save the whole platoon, who do you pick to live and who do you let die? Tough call eh? That Information Week CIO survey revealed that most CIOs have decided that any security program that deals with compliance in some way, shape, or form needs to be saved.

In the end, CIOs are finally starting to realize that an effective corporate IT security policy consists of just two things:

  • Managing Risk
  • Protecting Data

Don’t Forget About The Angry Natives – How CIOs Prioritize

If the job was easy, then anyone could be a CIO. The CIOs who get it, those who understand what effective IT security is really trying to do, know that the first thing that they have to do is to determine the company’s overall appetite for risk. If the company has an appetite for a lot of risk, then the CIO can trim the IT security budget to the bone. Otherwise, cut with care!

Successful CIOs realize that the right way to go about setting up an IT security program is to start by realizing that you can’t protect everything to the same level and so you need to identify what IT assets are the most valuable to the company. Once you know this, you need to take the next step and estimate the likelihood that those assets might be lost.

Only after you have both of these pieces of information can a CIO have the IT team start to create security programs and put systems of controls in place to protect what needs to be protected. Although compliance programs are on everyone’s minds in these tough economic times, CIOs need to keep in mind that such programs are not always in line with security best practices.

Final Thoughts

If you want to have any hope of ever being a successful CIO, you’ve got to learn to be able to make the tough calls when it comes to funding corporate IT security programs. Although putting measures in place in order to make sure that the company remains compliant with regulations is good, it’s not nearly enough.

Taking the time to properly value your corporate IT assets and identifying what kinds of risks this data faces is the critical first step that too many CIOs skip over. Take the time to do this correctly and you’ll be well positioned to deal with poisonous snakes, sharp knives, and angry natives. Now if we could just find some way to deal with those pesky rampaging elephants…

What do you think should be a CIO’s #1 security concern: remaining in compliance or dealing with the security threat that comes from outside?

What We’ll Be Talking About Next Time

Ok all you CIO wannabes, guess what one of your first problems is going to be once you assume control of the IT department? No, not that innovation thing. Nor will it be finding new ways to cut costs. Somewhat amazingly, considering that we are living in the enlightened 21st Century — you will need to find more women

The Insider Threat: What CIOs Need To Know

Monday, October 12th, 2009

CIOs Know That Insiders Represent The Biggest Threat (c) - 2004

When you think about someone trying to make off with your company’s private data, what comes to mind? Some wily Russian hacker who sneaks into your company’s network through the backdoor? Perhaps you need to update your thinking. A recent report from Cisco revealed that the real threat is coming from insiders. What’s a CIO to do?

Identifying The Threat

By now all CIOs realize that their corporate networks and data are under almost constant assault. However, most of the steps that CIOs have taken to secure their networks have been designed to defend themselves against the attacker who comes from the outside.

The Cisco report revealed that workers are sharing corporate information with outsiders for a variety of reasons. These include sharing data simply in order to get an outsider’s opinion on something, to show off work that they’ve done to others, etc.

On top of the active taking of corporate data, Cisco’s report revealed that some 66% of those who responded admitted to engaging in activities that would allow someone else to access corporate data (things like not logging off and then leaving their computers on at work overnight!).

Data Loss Prevention

If a CIO ever wants to get to sleep again, something has to be done to solve the data loss threat that insiders pose to the firm. There is no magic bullet, but one approach to dealing with this problem is to deploy a data loss prevention (DLP) suite of tools.

In true “big brother” fashion, a DLP suite generally consists of a network scanner coupled with multiple tools that allow an IT department to collect information on what data is being used and by whom.

Before moving forward with implementing a DLP solution, CIOs need to take the time to prepare to use this new set of tools. The steps involved include:

  • Secure The Important Stuff: before you go worrying about trying to secure how data is used throughout the enterprise, first identify the most important data and ensure that it is locked down.
  • Close Your (Network) Doors: before you can worry about insiders doing you harm, you need to make sure that outsiders can’t get in. This requires analyzing both your network ports and the protocols that the company’s network is using to make sure that they are secure.
  • Create A Baseline: in order to detect when the wrong things are being done, you need some way to detect them. Creating baselines such as point-in-time content signatures for sensitive data stores is a first step in doing this.
  • Start Inspecting Traffic: the way that you can prevent information from going to internal sources that don’t have a need to know is by installing automated network traffic inspectors. Setting parameters so that notifications of data breaches are flagged will do a great deal to prevent data loss by internal threats.
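
A minimal sketch of the last two steps above, added here as an illustration and not taken from the Cisco report or from any DLP product: it baselines two constructed "sensitive stores" with content signatures, then inspects constructed outbound messages for passages copied from them. The function names, the 5-word window and the 3-hit threshold are assumptions.

```python
import hashlib
import re

K = 5  # words per fingerprint window (assumed value)

def _norm_words(text):
    # Lowercase and drop punctuation so reformatting does not defeat matching.
    return re.findall(r"[a-z0-9]+", text.lower())

def signature(text):
    """Point-in-time signature of a whole store: SHA-256 of its exact content."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def fingerprints(text, k=K):
    """Hashes of every overlapping k-word window, used to spot partial copies."""
    words = _norm_words(text)
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode("utf-8")).hexdigest()
        for i in range(max(len(words) - k + 1, 0))
    }

def build_baseline(stores):
    """stores: {name: text} -> {name: {"sig": str, "prints": set}}."""
    return {name: {"sig": signature(text), "prints": fingerprints(text)}
            for name, text in stores.items()}

def drifted(baseline, stores):
    """Names of stores that are new or no longer match their baseline signature."""
    return sorted(name for name, text in stores.items()
                  if name not in baseline or baseline[name]["sig"] != signature(text))

def inspect(payload, baseline, min_hits=3):
    """Return {store: hits} for stores sharing at least min_hits windows with payload."""
    seen = fingerprints(payload)
    hits = {name: len(seen & entry["prints"]) for name, entry in baseline.items()}
    return {name: n for name, n in hits.items() if n >= min_hits}

# Constructed sample data: two sensitive stores and two outbound messages.
STORES = {
    "pricing.txt": "Tier one partners receive a 42 percent discount on all "
                   "enterprise licences signed before the end of the fiscal year.",
    "roadmap.txt": "The Falcon release adds offline sync and ships to pilot "
                   "customers in the third quarter.",
}
BASELINE = build_baseline(STORES)

OUTBOUND = [
    ("lunch", "Are we still on for lunch on Friday at the usual place?"),
    ("leak", "fyi: TIER ONE partners receive a 42 percent discount on all\n"
             "enterprise licences signed, what do you think?"),
]

def flagged():
    """Message ids whose body overlaps a baselined store, with hit counts."""
    results = {msg_id: inspect(body, BASELINE) for msg_id, body in OUTBOUND}
    return {msg_id: hits for msg_id, hits in results.items() if hits}

if __name__ == "__main__":
    print(flagged())
```

The whole-store signature answers "has this data changed since the baseline?", while the window fingerprints let the inspector flag a pasted excerpt even when its case, punctuation or line breaks differ from the stored copy.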

Final Thoughts

The value that a CIO brings to a firm is that he / she is able to harness IT resources in order to help the company succeed. As part of this task, the CIO is also responsible for making sure that sensitive corporate data remains secure from both external and internal threats.

CIOs that learn how to deploy DLP solutions in order to protect against the data loss threat from insiders will be better at finding ways to apply IT to enable the rest of the company to grow quicker, move faster, and do more.

What We’ll Be Talking About Next Time

Since most firms have no idea about what to do with their corporate research facilities, responsibility for the labs often falls under the control of the CIO (because most firms don’t know what to do with IT either). Great. So what’s a CIO to do when he/she is responsible for a corporate R&D lab?

Halt – Who Goes There? CIOs Need Good Identity Management

Monday, August 24th, 2009

CIOs Need To Solve Their ID Management Crisis (c) 2007

As though keeping all of those servers up, applications running, and end users happy weren’t enough to make being CIO a full-time job, now CIOs also have to take on the role of data cop? The answer to this question is “yes”; in all honesty, they really should already be doing it. Most companies’ most valuable asset, after their employees, is their corporate data. CIOs need to find a way to make sure that they know who is accessing it and why.

Just What Is Identity Management?

Identity management is how an organization controls access to its information based on an individual’s rights and responsibilities. It turns out that most IT shops have been doing a pretty poor job of this.

All too often most of us rely on our old friends Mr. Username and Mr. Password. How many dictionary-based cracking events do we need to see in the movies in order to convince us that this is a very poor way to secure our data?

The right way to start to authenticate identities better is to use a second-factor authentication system such as biometrics, tokens, etc. Additionally, using single sign-on technologies can help you bring disparate systems together and save the end users from having to carry around lists of usernames/passwords.

What’s The Best Way To Do Identity Management?

The first step to creating a workable identity management solution is to establish some policies. These policies need to lay out just who is allowed to access what information. Clearly, if you’re not allowed to use some piece of information as a part of your job, then you shouldn’t have access to it.

One of the biggest pitfalls found in IT departments today is the existence of multiple different “silos” of data that end up creating a confusing and mixed up environment for access control. Once again, implementing a single sign-on solution can solve this problem.

Final Thoughts

Taking the time to design and implement a good identity management solution is very much like buying insurance for your IT department. You hope that you don’t really need it, but you know that you probably do and it’s the grown-up thing to do.

Taking the time to solve your identity management issues once and for all will allow CIOs to find a way to apply IT to enable the rest of the company to grow quicker, move faster, and do more.

What We’ll Be Talking About Next Time

More firms are committing to implementing those really BIG process digitization projects. More often than not the CIO will find himself / herself in charge of not only the implementation of the new software application, but also the overall success of the project. How do you go about doing that?

Application Whitelisting Only Works Sometimes – CIOs Need To Know The Facts

Wednesday, August 19th, 2009

Application Whitelisting Offers CIOs Another Way To Protect Their Networks

It’s a battle out there: hackers and organized crime groups vs. your company. Whereas you have to worry about keeping the company successful and lowering costs, all they have to worry about is finding ways to break into your network. Doesn’t seem very fair, does it? There is some good news for CIOs: application whitelisting has arrived.

What is Whitelisting?

The problem with trying to protect your company’s network is that the bad guys are always trying new and innovative things. In order to block them, you have to stay on top of what the latest attack vector is and install defenses against it throughout your network. This can be a real time waster – it’s critical to do, but it contributes nothing to the company’s bottom line.

Whitelisting applications takes a 180-degree different approach to securing your network. Instead of trying to identify and block all of the bad malware variants that are trying to get into your network, whitelisting focuses on identifying all of the applications that SHOULD be allowed to access your network.

This of course means that you need to block everything that is not whitelisted. The theory is that all that malware that shows up will find the door to your network slammed shut on them.

Whitelisting Is Not For Everyone

In some enterprise IT environments, whitelisting is the wrong way to go. In these environments, using application whitelisting can actually drive up operational costs so high that things quickly get out of hand. Ill-suited IT environments are those in which workers need to be constantly installing new and changed applications on the fly in order to complete their tasks.

Where Whitelisting Works Well

That being said, there are IT environments in which application whitelisting works very well. These environments tend to be very static with very few application changes. A great example of this is call centers.

Another example where whitelisting has worked well is in the retail sector where cash register environments are very static and only need to be updated every six months. Some companies have discovered that they have been able to do away with anti-virus protection (and the associated cost of maintaining it) on those machines.

Final Thoughts

The fight to secure the company’s network from the forces that would do bad things to it is never-ending for CIOs. However, this is not what CIOs should be spending their time on – there is not a bottom line benefit.

Whitelisting of applications provides yet another way to secure the firm’s network by taking a novel approach to security – don’t worry about identifying the bad guys, just worry about identifying the good guys.

Whitelisting won’t work for every environment, but in certain static IT environments it can work wonders. CIOs who can identify the right IT environments in which to use application whitelisting will have found a way to apply IT to enable the rest of the company to grow quicker, move faster, and do more.

What We’ll Be Talking About Next Time

Most companies’ most valuable asset, after their employees, is their corporate data. CIOs need to find a way to make sure that they know who is accessing it and why.