Cybertactix's Enterprise InfoSec Blog

February 18, 2013

What Keeps This Information Security Professional Awake at Night?

Filed under: Awareness,BYOD,Cloud — cybertactix @ 9:33 PM

Late last week I was talking with the CISO of a firm that provides support services, in the form of data manipulation and management, to financial services organizations (among others) and he asked me what information security issues kept me awake at night.

Two issues immediately sprang to mind:

  1. BYOD (Bring Your Own Device)
  2. The increasing use of Internet (Cloud) Services/Applications

The common thread is that both take security out of the direct control of the organization and place it in the hands of other parties, and not necessarily parties you are aware of. With pressure from boards and senior management to keep cutting costs in order to raise profits, many companies are looking to shed or transfer the cost of technology and infrastructure, and that transfer increasingly takes the form of employee-provided devices (BYOD) and services hosted outside the corporate data center. This calls for new review processes to ensure that the external parties behind these services have appropriate, contractually obligated controls in place that meet the needs and standards of their clients, as well as new controls and processes governing how the company itself uses these services. Without the right processes and controls, clearly communicated to all employees, the growing use of these services sends the message that using them without review or controls is sanctioned by the company.

BYOD

Many of us now carry in our pockets more raw computing power and storage than was housed 30 years ago in a permanent, decidedly non-mobile data center watched over by professional physical security staff. And every user of these devices has a preferred device and set of applications, which may not be your corporate standard. The relatively low cost of modern computing devices means that most corporate executives have grown used to carrying them for personal use, and as a result have instant, on-the-go access to their key personal data and productivity tools. This leads them to wonder why they can't have the same access to work data and use the same tools in their work life. Think how much easier and more productive they could be with instant access to their work files during the commute home, carrying work information on an instant-on, Internet-connected 1.5 lb. tablet with 10 hours of useful battery life rather than lugging around a 5 lb. laptop that takes minutes to boot and sends them hunting for a power outlet after 5 hours. And of course it's counterproductive to carry one device for personal use and another for work, so let's use the same device for both. Fortunately there is a growing number of products to manage the security of these devices, providing password protection, remote wipe, encryption and separation of personal and work data. Now if only you could figure out how to prevent a user from leaving all that data in the back of a cab (try that with a data center)!

Securing the hardware is only part of the solution, however. Now that companies are giving users the option of using their preferred hardware, users also want to use their preferred software, since the corporate software written for the corporate-provided PC is unlikely to run on the user's choice of mobile device. And even if it did, how does it get at the data safely stored in the secure "sandbox" created and managed by your corporate device management software? Don't look now, but your user has probably figured out a way to make your corporate data accessible to their preferred software, and if they can't make the data available to applications on the device itself, there is always the web/cloud.

Web Services/Applications

The use of Internet sites by staff to support business functions and products, without proper review and approval by the legal, compliance, InfoSec and risk organizations, is becoming increasingly commonplace. As Bruce Schneier wrote in the January 15th edition of the Crypto-Gram newsletter (http://www.schneier.com/crypto-gram-1301.html#4), end-user acceptance of these sites' terms of service can create unknown and unwanted intellectual property and data security issues for the user's organization. Someone in the organization decides that the tools the organization provides aren't the ones they want or need to get the job done, and they sign up for the hot new website that provides a "better" tool. As part of that signup they tick the little box agreeing to the site's terms of service. If they happen to be high enough in the organization (and in many organizations that is not as high up as you might think), they have just bound the organization to those terms without any review by the functions (legal, compliance, information security, risk management) that would review a contract if money were changing hands. Many new software startups do not have their own data center or even their own systems, and even if they did, the data center could be in someone's basement or a convenient closet. Instead it is common practice to host a startup's website in the cloud, where initial costs are negligible and scaling up is quick and easy. And how many startups have the organizational structure to ensure that the contract they signed with their service provider was adequately reviewed by knowledgeable legal, compliance, information security and risk management professionals? How concerned are they with the backup, security and availability of the data and services your business may grow to rely on, not to mention patching and vulnerability management?
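The first practical question an InfoSec team faces with unreviewed web services is simply finding out which ones business data is already flowing to. The script below is an added example, not something from the original post or any product it mentions: it reads web proxy log lines in a constructed, space-separated format (timestamp, user, method, URL, status, request bytes), ignores services on an approved list (sub-domains of an approved service count as approved, but look-alike hosts such as approvedvendor.com.evil.net do not), and totals upload volume per user and destination host. The approved-service list, the log lines and the 1 KiB upload threshold are all assumptions made up for the example; a real deployment would adapt parse_line() to the proxy's actual format.

```python
"""Shadow-IT discovery from web proxy logs (constructed example).

Flags uploads (POST/PUT) to hosts that are not on the organization's
approved-service list and summarizes them per user and host, so the
InfoSec team can see which unreviewed services business data is
flowing to.  The log format and the sample lines below are constructed
for this example; adapt parse_line() to your proxy's actual format.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed log format, one request per line:
# <epoch> <user> <method> <url> <status> <request_bytes>
SAMPLE_LOG = """\
1361000001 jdoe GET https://intranet.example.com/home 200 0
1361000045 jdoe POST https://upload.newtool.io/api/files 201 5242880
1361000090 asmith PUT https://cdn.newtool.io/blob/9f2 200 1048576
1361000120 jdoe POST https://docs.approvedvendor.com/save 200 20480
1361000200 asmith POST https://share.otherstartup.net/upload 200 734003
1361000210 bad line that does not parse
1361000300 jdoe GET https://www.newtool.io/ 200 0
"""

# Services that have been through legal/compliance/InfoSec review
# (assumed list).  Sub-domains of an approved service count as approved.
APPROVED_SERVICES = {"example.com", "approvedvendor.com"}

UPLOAD_METHODS = {"POST", "PUT"}
MIN_UPLOAD_BYTES = 1024  # ignore tiny form posts; threshold is an assumption


def parse_line(line):
    """Return (user, method, host, request_bytes), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _ts, user, method, url, _status, nbytes = parts
    try:
        return user, method.upper(), urlsplit(url).hostname or "", int(nbytes)
    except ValueError:
        return None


def is_approved(host, approved=APPROVED_SERVICES):
    """True if host is an approved service or a sub-domain of one.

    Exact or dot-suffix match only, so 'approvedvendor.com.evil.net'
    is NOT treated as approved.
    """
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in approved)


def find_unsanctioned_uploads(log_text, approved=APPROVED_SERVICES):
    """Total upload bytes per (user, host) for hosts not on the approved list."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:  # skip lines the parser cannot understand
            continue
        user, method, host, nbytes = rec
        if method not in UPLOAD_METHODS or nbytes < MIN_UPLOAD_BYTES:
            continue
        if not host or is_approved(host, approved):
            continue
        totals[(user, host)] += nbytes
    return dict(totals)


if __name__ == "__main__":
    report = find_unsanctioned_uploads(SAMPLE_LOG)
    for (user, host), nbytes in sorted(report.items()):
        print(f"{user:8} {host:28} {nbytes / 1048576:6.2f} MiB uploaded")
```

Run against the constructed sample, the report lists jdoe's 5 MiB push to upload.newtool.io and asmith's uploads to cdn.newtool.io and share.otherstartup.net, while jdoe's save to docs.approvedvendor.com is suppressed as an approved sub-domain. The output is a starting point for the review the paragraph above calls for, not a verdict: each flagged host still needs someone to read the terms of service and ask who actually hosts it.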

I recently ran across a case where it was discovered that a company's staff were using a third party for a key project deliverable. Communication between the corporate staff and the third party was occurring via a fourth-party application being used to store and manage the key deliverable. When the company's information security staff asked the third party about their contract with the fourth party, they were directed to the site/application's Terms of Service: no contract had been negotiated, the third party had simply used a credit card to pay for the service and therefore accepted the terms, which laid out a "best effort" basis for protecting and backing up the data, without the benefit of a legal/compliance or risk review. A review of the fourth-party site indicated that the site/application was managed by a fifth party who did not indicate whether it was hosted in their own data center or on a sixth party's service. You can see how quickly this whole project was headed down a rabbit hole.

How can Information Security Professionals Worry Less and Sleep Better?

No matter how much technology a corporation puts in place to protect data, it will always be possible for the data behind that technology to end up unprotected. The problem with current technology solutions is that they are designed to protect data under a specific set of parameters, and the ingenuity of the company's employees will always come up with ways around them. In many cases the reason security controls are bypassed isn't a hacker with malicious intent; it's an employee with good intentions but no understanding of why the controls exist, or of what it means to defeat them so that systems and data are available in a way that makes the employee, at least in their own mind, more effective and productive. A good security education program, one that embeds an understanding of why good information security practice belongs in everyday processes and procedures until security awareness becomes part of the corporate culture, can be one of the most effective tools in an information security professional's toolbox.
