<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Secure Thinking &#187; &#8211; MSSP</title>
	<atom:link href="http://www.btsecurethinking.com/tag/mssp/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.btsecurethinking.com</link>
	<description></description>
	<lastBuildDate>Fri, 18 May 2012 14:04:01 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>Rationalise Networks – Rationalise Security</title>
		<link>http://www.btsecurethinking.com/2012/03/rationalise-networks-%e2%80%93-rationalise-security/</link>
		<comments>http://www.btsecurethinking.com/2012/03/rationalise-networks-%e2%80%93-rationalise-security/#comments</comments>
		<pubDate>Fri, 09 Mar 2012 12:26:06 +0000</pubDate>
		<dc:creator>margaret</dc:creator>
				<category><![CDATA[SecureROI]]></category>
		<category><![CDATA[- MSSP]]></category>
		<category><![CDATA[- network security]]></category>
		<category><![CDATA[- VPN]]></category>
		<category><![CDATA[BT private managed cloud service]]></category>
		<category><![CDATA[managed cloud]]></category>
		<category><![CDATA[managing firewalls]]></category>
		<category><![CDATA[TCO]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=3071</guid>
		<description><![CDATA[By Chris Pickles, Head of Industry Initiatives, Global Banking &#38; Financial Markets, BT When a major global bank tells you that it is managing over 2,000 firewalls, you realise that the bank doesn’t just have a security problem – it has a network problem.  Over the decades it has built up a legacy of private [...]]]></description>
			<content:encoded><![CDATA[<p><em><strong>By Chris Pickles, Head of Industry Initiatives, Global Banking &amp; Financial Markets, BT</strong></em></p>
<p>When a major global bank tells you that it is managing over 2,000 firewalls, you realise that the bank doesn’t just have a security problem – it has a network problem.  Over the decades it has built up a legacy of private network and VPN connections not only to deliver its services to its offices and branches and customers but also to receive services from market infrastructures and service providers.  Being a bank, security is hyper-critical.  For a bank, all of that is “business as usual.”</p>
<p>The economic crisis has resulted in banks not having enough cash to carry on doing business as usual: today they need all of their cash and more to meet the new and tougher regulatory requirements for capital adequacy.  That means that their business model is changing, and that in turn means that their IT solutions have to change to support that different business model.</p>
<p>One way of reducing the cost of security and the added cost of failed security is to reduce the number of access points through which security breaches can occur.  Rationalising network usage can ram down those costs, and that’s one area where a private managed cloud approach can help.</p>
<p>For example, one financial institution had a separate network connection to each of 300 firms – each connection dualled-up for redundancy, of course.  We found that over 60 percent of those firms already shared the same BT private managed cloud service.  By linking the financial institution to that same cloud we could convert 180 separate connections to a single redundant and secure connection.  That also started to reduce the number of firewalls that needed to be managed.</p>
<p>A 50-percent reduction in TCO of communications with a reduced cost of security – helping to put cash back into the business of making money.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2012/03/rationalise-networks-%e2%80%93-rationalise-security/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>What’s Your MSSP Done for You Lately?</title>
		<link>http://www.btsecurethinking.com/2011/11/what%e2%80%99s-your-mssp-done-for-you-lately/</link>
		<comments>http://www.btsecurethinking.com/2011/11/what%e2%80%99s-your-mssp-done-for-you-lately/#comments</comments>
		<pubDate>Fri, 11 Nov 2011 12:02:26 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[SecureServices]]></category>
		<category><![CDATA[- Compliance]]></category>
		<category><![CDATA[- IDS]]></category>
		<category><![CDATA[- IPS]]></category>
		<category><![CDATA[- Managed Security Services]]></category>
		<category><![CDATA[- MSSP]]></category>
		<category><![CDATA[- PCI DSS]]></category>
		<category><![CDATA[- risk appetite]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=2204</guid>
		<description><![CDATA[By Jeff Schmidt, Global Portfolio Head of Business Continuity, Security &#38; Governance Capability, BT I would suspect your answer is that your MSSP has provided you with top flight protection against attacks, enabled your company to meet its compliance goals, kept your device signatures up to date and delivered reports that contain information that’s relevant [...]]]></description>
			<content:encoded><![CDATA[<p><em><strong>By Jeff Schmidt, Global Portfolio Head of Business Continuity, Security &amp; Governance Capability, BT</strong></em></p>
<p>I would suspect your answer is that your MSSP has provided you with top flight protection against attacks, enabled your company to meet its compliance goals, kept your device signatures up to date and delivered reports that contain information that’s relevant to your IT team up through your Board of Directors.  After all, that’s what you pay them for, right?</p>
<p>But what if you had the opportunity to peek at what your security colleagues were getting from their MSSP?  Would you feel like the guy in the middle seat of coach who found out that a colleague flying in business class paid the same amount for their ticket?</p>
<p>Without trying to create ‘FUD’, are you checking up on your service provider and are you validating the components and service levels? After all, the best security services are often the ones you don’t know are there because they are catching, preventing and defending against attacks before you know about them.  So is your MSSP doing all they should? Are they supporting and proactively preventing mischief in your enterprise and driving along your corporate mission to ensure that you are well paired? For starters, if you’re not a BT customer and you’re reading SecureThinking, is it because your MSSP isn’t investing in thought leadership or because their blog is simply a series of intelligence summaries that you already pay for in your monitoring contract?</p>
<p>And, if you’re reading this blog today and you’re a BT customer, you didn’t have the opportunity to attend BT’s annual Security Leaders’ Conference this September.  It’s one of the events I look forward to throughout the year; the 3 days when we bring our customers together with our in-house security rock stars, industry analysts and partners to share, connect, and collaborate.</p>
<p>When we first put together this concept 6 years ago we made certain to keep the sales pitches at bay and focus on developing the conference as a vehicle for thought leadership.  We offer our customers unfettered access to our senior leadership team to ask the hard questions about road maps, technology development and service delivery and, in return, to offer their input into those key areas.   Then, there are the roundtables, keynotes, and track sessions where our customers can take a step back from the tactical responsibilities of their day job to focus on the bigger picture and hear many different, yet well-informed, perspectives.</p>
<p>Being a security practitioner is a tough job.  Amidst the constant changes, new risks and threats, how do you keep up with it all and sleep well at night? While BT’s customers still face these challenges on a daily basis, they do so in a collaborative environment; not only with their teams at work, but also with their teams at BT whose passion it is to protect our customers, their people, reputations, and intellectual capital.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2011/11/what%e2%80%99s-your-mssp-done-for-you-lately/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hold the IT Security front page</title>
		<link>http://www.btsecurethinking.com/2011/06/hold-the-it-security-front-page/</link>
		<comments>http://www.btsecurethinking.com/2011/06/hold-the-it-security-front-page/#comments</comments>
		<pubDate>Fri, 17 Jun 2011 11:53:08 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[SecureServices]]></category>
		<category><![CDATA[- BT]]></category>
		<category><![CDATA[- BT Counterpane]]></category>
		<category><![CDATA[- Cybercrime]]></category>
		<category><![CDATA[- cybersecurity]]></category>
		<category><![CDATA[- Facebook]]></category>
		<category><![CDATA[- Information Security]]></category>
		<category><![CDATA[- LinkedIn]]></category>
		<category><![CDATA[- MSSP]]></category>
		<category><![CDATA[Best information security stories of the year]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=1697</guid>
		<description><![CDATA[In the last few years YouTube, Twitter, Facebook and others have literally revolutionized the media environment; anyone in the world can now broadcast to the rest of the world…in seconds. And, as we have seen, they can do so ignoring injunctions and super-injunctions, and risking the wrath of governments to get their message out. Consequently [...]]]></description>
			<content:encoded><![CDATA[<p>In the last few years YouTube, Twitter, Facebook and others have literally revolutionized the media environment; anyone in the world can now broadcast to the rest of the world…in seconds. And, as we have seen, they can do so ignoring injunctions and super-injunctions, and risking the wrath of governments to get their message out. Consequently the role of journalists is evolving from having the monopoly on providing information to taking on the role of helping people to derive meaning from what’s happening.</p>
<p>Nowhere is this more the case than in the security sector. So whether it is highlighting a new wave of phishing attacks or a particularly aggressive virus, security journalism is playing an increasingly vital role in raising awareness among businesses and the public about the issues surrounding security and the solutions they can implement to remain secure.</p>
<p>To reflect the important role that security journalists play, BT’s business continuity, security and governance practice has, for the last four years, been honoring IT security journalism in the UK. And nominations for the 2011 awards are now open for all UK-based journalists, and cover categories including: Best information security news story of the year; Best overall information security feature article of the year; Best privacy feature of the year; Best cybercrime feature of the year; and Best business continuity feature of the year.</p>
<p>The deadline for submissions is 15<sup>th</sup> July 2011 and all articles submitted must have been published during the calendar year 2010. The entries will be judged by a panel of leading independent figures from the security industry, and the winners will be announced at an awards lunch to be held in London in October 2011.</p>
<p>You can follow this year’s awards online @btviewpoint on Twitter and #BTISJA is the hash tag for the awards. Regular updates will be posted on the <a href="http://www.bt.com/viewpoint">BT Viewpoint</a> blog, <a href="http://www.facebook.com/btviewpoint">Facebook</a> and <a href="http://www.linkedin.com/groups/BT-Viewpoint-1031597">LinkedIn</a>. And if you want any more information you can email <a href="mailto:BTSecurityAwards@porternovelli.co.uk">BTSecurityAwards@porternovelli.co.uk</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2011/06/hold-the-it-security-front-page/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Beyond control</title>
		<link>http://www.btsecurethinking.com/2011/06/beyond-control/</link>
		<comments>http://www.btsecurethinking.com/2011/06/beyond-control/#comments</comments>
		<pubDate>Mon, 13 Jun 2011 19:27:37 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[SecureStrategies]]></category>
		<category><![CDATA[- Bruce Schneier]]></category>
		<category><![CDATA[- BT]]></category>
		<category><![CDATA[- Cloud Services]]></category>
		<category><![CDATA[- Jim Tiller]]></category>
		<category><![CDATA[- MSSP]]></category>
		<category><![CDATA[- Ray Stanton]]></category>
		<category><![CDATA[- social networking]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=1687</guid>
		<description><![CDATA[By The BT Security Think Tank &#160; Do you trust people? Who? And why? What makes you confident you can depend on them? Searching questions, perhaps, but ones everyone involved in IT security is going to have to answer pretty soon. The fact is that CIOs have less control than they used to – not [...]]]></description>
			<content:encoded><![CDATA[<p><em>By The BT Security Think Tank</em></p>
<p dir="ltr">Do you trust people?</p>
<p dir="ltr">Who?</p>
<p dir="ltr">And why?</p>
<p dir="ltr">What makes you confident you can depend on them?</p>
<p dir="ltr">Searching questions, perhaps, but ones everyone involved in IT security is going to have to answer pretty soon.</p>
<p dir="ltr">The fact is that CIOs have less control than they used to – not just of the IT systems their organisations use but of the data they contain.</p>
<p dir="ltr">Take consumerisation – the increasing use of employees’ own devices in the workplace – for example. As it develops, IT managers will have less control of the platforms to which they deliver applications and services.</p>
<p dir="ltr">Or cloud services. To use them, IT managers have to put their organisations’ data in others’ hands.</p>
<p dir="ltr">To add to the problem, there’s the increasing use of closed operating systems, like iOS, that provide security on a ‘take it or leave it’ basis.</p>
<p dir="ltr">And the widespread adoption of social networking. Now it’s built into applications like salesforce.com, it’s getting very hard to limit who can send or say what to whom.</p>
<p dir="ltr">But before you panic, remember this: there never was a golden age when you had complete control. Even when you owned all your organisation’s computers and controlled all its data, you had to trust all sorts of individuals and organisations. Hardware and software vendors.  Communication service providers. Outsourcers and other business partners. Suppliers. Governments – they have rights of access, after all. And your fellow employees – the people who work in the organisations it’s your job to protect.</p>
<p dir="ltr">All we’re seeing now is a move to the next stage.</p>
<p dir="ltr">The IT business is maturing – fast.</p>
<p dir="ltr">There are far fewer opportunities to profit by doing things yourself. Consumer platforms are hard to beat. Cloud service providers achieve economies of scale their customers stand no chance of matching in house.</p>
<p dir="ltr">And the fact that you no longer have to deal with every aspect of security at every level is a good thing. If the people in and around your organisation can be trusted to do the right things, you can delegate responsibility to them. And if you can do that, you’ll get more time to focus on what matters most to your CEO – on helping your organisation apply information and communication technologies in ways that give it competitive edge.</p>
<p dir="ltr">So what about that first if? Now you need more trust, how can you build it at the ‘volume’ you need?</p>
<p dir="ltr">The answer is to focus on people and processes.</p>
<p dir="ltr">Starting with your workforce, you’ll need higher levels of security literacy than you may have got away with in the past. People will encounter new situations – situations that aren’t covered by standard rules and solutions. And when that happens, it will be their general understanding of how to work securely you’ll depend on – not their ability to follow rules.</p>
<p dir="ltr">Moving on to outsiders, it’s the way you outsource responsibility that makes the difference. And given there are few organisations that do absolutely everything themselves, there’s a wealth of standard tools you can use to do outsourcing properly and protect your organisation against risks. Consider contracts, governance frameworks, due diligence procedures and insurance policies, for example.</p>
<p dir="ltr">So don&#8217;t let the illusion that you&#8217;re in control today stop you taking advantage of the great innovations the IT business is coming up with. Don’t freak out when the time comes to delegate responsibility to someone else. Just make sure your people are ready, willing and able and the way you outsource responsibility is in great shape.</p>
<p><em>Members of BT Security Think Tank include Ray Stanton (Executive Global Head of Business Continuity, Security and Governance), Bruce Schneier (Chief Security Technology Officer), Peter Scott (Director EUT, BT Security), Martin Brown (General Manager, Security Technology &amp; Strategy), Steve Benton (BT Security &#8211; Head of Business Operations), Jim Tiller (VP – Operations and General Manager, BT US &amp; Canada) and Theo Dimitrakos (Head of Security Architectures Research, BT Innovate &amp; Design).</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2011/06/beyond-control/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Guest Post: The Mission of the Cloud Security Alliance</title>
		<link>http://www.btsecurethinking.com/2011/06/guest-post-the-mission-of-the-cloud-security-alliance/</link>
		<comments>http://www.btsecurethinking.com/2011/06/guest-post-the-mission-of-the-cloud-security-alliance/#comments</comments>
		<pubDate>Mon, 06 Jun 2011 12:59:53 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[SecureStrategies]]></category>
		<category><![CDATA[- BT]]></category>
		<category><![CDATA[- cloud computing]]></category>
		<category><![CDATA[- Cloud Security]]></category>
		<category><![CDATA[- Encryption]]></category>
		<category><![CDATA[- identity management]]></category>
		<category><![CDATA[- MSSP]]></category>
		<category><![CDATA[- virtualization]]></category>
		<category><![CDATA[Cloud Security Allaince]]></category>
		<category><![CDATA[information lifecycle management]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=1677</guid>
		<description><![CDATA[By Jim Reavis, Executive Director, Cloud Security Alliance Cloud computing is all the rage today, even though many people are still confused about what it is. Simply put, cloud is about using computing as a utility service with a pay-per-use model, with the ability to rapidly provision more or less compute and storage resources as [...]]]></description>
			<content:encoded><![CDATA[<p><em>By Jim Reavis, Executive Director, Cloud Security Alliance</em></p>
<p>Cloud computing is all the rage today, even though many people are still confused about what it is.</p>
<p>Simply put, cloud is about using computing as a utility service with a pay-per-use model, with the ability to rapidly provision more or less compute and storage resources as needed.  Cloud aligns the cost of computing with its usage.  The primary value of cloud is not the obvious cost savings, but the agility to transform ideas into IT-enabled services in hours or days, versus taking months or years to do the same tasks with traditional IT.</p>
<p>However, the primary barrier to the adoption of any new information technology is the concern over security and trustworthiness, particularly a computer service that may be shared with many other organizations.</p>
<p>To that end, the Cloud Security Alliance was established in late 2008, with a mission to promote the use of best practices for providing security assurance within cloud computing, and provide education on the uses of cloud computing to help secure all other forms of computing.  CSA is a global, non-profit association with over 20,000 members in over 40 chapters around the world.</p>
<p>CSA is focused on the rapid development of best practices to secure the cloud, educating the community on the latest research and encouraging innovation to secure the cloud of the future.  We view our mandate as requiring a broad perspective, addressing governance, compliance and legal issues, as well as many different operational and technical concerns, including information lifecycle management, interoperability, identity management, encryption and virtualization.</p>
<p>We provide our research in the form of a wealth of free whitepapers and tools to simplify the architecture, adoption and assessment of secure cloud services.  We also have a user certification, the Certificate of Cloud Security Knowledge (CCSK), an online examination to demonstrate one’s proficiency in cloud computing security issues and best practices.  You can find out more at <a href="http://www.cloudsecurityalliance.org/">www.cloudsecurityalliance.org</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2011/06/guest-post-the-mission-of-the-cloud-security-alliance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top Break-Ups that have Impacted Technology</title>
		<link>http://www.btsecurethinking.com/2011/05/top-break-ups-that-have-impacted-technology/</link>
		<comments>http://www.btsecurethinking.com/2011/05/top-break-ups-that-have-impacted-technology/#comments</comments>
		<pubDate>Wed, 25 May 2011 15:15:14 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[SecureAlert]]></category>
		<category><![CDATA[- BT Counterpane]]></category>
		<category><![CDATA[- IPv4]]></category>
		<category><![CDATA[- IPv6]]></category>
		<category><![CDATA[- Microsoft]]></category>
		<category><![CDATA[- MSSP]]></category>
		<category><![CDATA[- Social Networks]]></category>
		<category><![CDATA[Prince William and Kate]]></category>
		<category><![CDATA[Royal Wedding]]></category>
		<category><![CDATA[Sybase]]></category>
		<category><![CDATA[USB devices]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=1664</guid>
		<description><![CDATA[By Sushila Nair, Product Manager, BT Counterpane I recently wrote a piece in celebration of the Royal Wedding of Prince William and Kate.  In the midst of wedding celebrations, I felt compelled to write about the glorious unions in the technology world that have changed our lives forever.  Of course, now with the wedding celebrations [...]]]></description>
			<content:encoded><![CDATA[<p><em>By Sushila Nair, Product Manager, BT Counterpane</em></p>
<p>I recently <a href="http://www.btsecurethinking.com/2011/04/royal-unions-that-have-changed-the-world/">wrote a piece</a> in celebration of the Royal Wedding of Prince William and Kate.  In the midst of wedding celebrations, I felt compelled to write about the glorious unions in the technology world that have changed our lives forever.  Of course, now with the wedding celebrations over, and the world going back to normal, my mind has shifted to the biggest break-ups.</p>
<p>So what top technology unions have been ripped apart? My list includes:</p>
<ul>
<li><strong>Sybase and Microsoft.</strong> Sybase worked with Microsoft to create Microsoft SQL Server, but they parted ways and both companies produced their own database products for Windows.</li>
<li><strong>Floppy disks and data.</strong> Remember the days when we saved all of our data on a big floppy?  No more.  Data has turned to a newer, slimmer, flashier model of data storage with USB devices.</li>
<li><strong>NetBEUI and Windows</strong>. Remember this? NetBEUI was developed by IBM for its LAN Manager product and was adopted by Microsoft for its Windows NT, LAN Manager, and Windows for Workgroups products.</li>
<li><strong>The Internet and IPv4. </strong>This is clearly a case of just running out of space and growing apart.  <a href="http://www.btsecurethinking.com/2011/04/ipv4-address-exhaustion-implications-for-enterprises/">IPv4</a> is making way for IPv6 now that most addresses have been allocated.</li>
<li><strong>Privacy and Human Beings.</strong> Let’s face it.  In this world of social media and the Internet, privacy has left the building.  Technology has enabled us to share information with anyone and everyone.  It has also made it possible for every email and posting of content to live online forever.</li>
</ul>
<p>What have I missed?  I’d be interested to see what other readers think as they take a trip down memory lane.  Share your list of major technology break-ups in the comment section below.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2011/05/top-break-ups-that-have-impacted-technology/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Take the Challenge</title>
		<link>http://www.btsecurethinking.com/2011/05/take-the-challenge/</link>
		<comments>http://www.btsecurethinking.com/2011/05/take-the-challenge/#comments</comments>
		<pubDate>Tue, 24 May 2011 13:42:33 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[SecureAlert]]></category>
		<category><![CDATA[- Apple]]></category>
		<category><![CDATA[- Bruce Schneier]]></category>
		<category><![CDATA[- BT]]></category>
		<category><![CDATA[- Google]]></category>
		<category><![CDATA[- Jill Knesek]]></category>
		<category><![CDATA[- MSSP]]></category>
		<category><![CDATA[ACLU]]></category>
		<category><![CDATA[Develop for Privacy]]></category>
		<category><![CDATA[GPS tracking]]></category>
		<category><![CDATA[Mobile Application Security]]></category>
		<category><![CDATA[Tor Project]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=1661</guid>
		<description><![CDATA[By Tara Savage, Senior Marketing Manager, BT Global Services This week we’ve posted two pieces by Jill Knesek, BT’s CSO on why personal mobile devices do not foreshadow the downfall of corporate network integrity.   The bottom line as Jill sees it is that the benefits of having an empowered and educated workforce who can respond [...]]]></description>
			<content:encoded><![CDATA[<p><em>By Tara Savage, Senior Marketing Manager, BT Global Services</em></p>
<p>This week we’ve posted two pieces by Jill Knesek, BT’s CSO, on why <a href="http://www.btsecurethinking.com/2011/05/assessing-risk-in-the-mobile-world-part-one/">personal mobile devices</a> do not foreshadow the downfall of <a href="http://www.btsecurethinking.com/2011/05/assessing-mobile-security-risks-part-two/">corporate network integrity</a>.   The bottom line as Jill sees it is that the benefits of having an empowered and educated workforce who can respond to a business need or a client request instantly far outweigh the potential threats posed by supporting personal devices on the network.  In fact, when her team conducted the risk analysis, the threat posed by personal devices was no greater than by company-approved devices.</p>
<p>It seems like the topic of mobile device and application security and privacy is one of <strong>the</strong> hot topics at the moment; just ask the folks over at <a href="http://www.cbc.ca/news/business/story/2011/05/11/technology-smartphone-tracking-google-apple.html?ref=rss">Apple and Google</a>.  <a href="http://www.schneier.com/">Bruce Schneier</a>, BT’s CSTO, alerted us to the Develop for Privacy challenge being run by the <a href="http://www.aclu-wa.org/">ACLU</a> and the <a href="http://www.torproject.com/">Tor Project</a>.  In much the same way that Jill’s team seeks to educate BT’s employees about issues related to security and privacy, this competition asks entrants to develop applications that will educate users about privacy issues related to mobile device use.</p>
<p>Are you interested in taking the challenge?  The competition closes on May 31<sup>st</sup>, 2011.</p>
<p>Good luck!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2011/05/take-the-challenge/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>When it comes to Security, Don’t be a Drama Queen</title>
		<link>http://www.btsecurethinking.com/2011/05/when-it-comes-to-security-don%e2%80%99t-be-a-drama-queen/</link>
		<comments>http://www.btsecurethinking.com/2011/05/when-it-comes-to-security-don%e2%80%99t-be-a-drama-queen/#comments</comments>
		<pubDate>Mon, 16 May 2011 15:20:16 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[SecureStrategies]]></category>
		<category><![CDATA[- BT Counterpane]]></category>
		<category><![CDATA[- MSSP]]></category>
		<category><![CDATA[- Ray Stanton]]></category>
		<category><![CDATA[- risk appetite]]></category>
		<category><![CDATA[- risk assessment]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=1637</guid>
		<description><![CDATA[By Ray Stanton, Executive Global Head of Business Continuity, Security and Governance, BT While many security threats are very real for business, I don’t think most business leaders should allow their IT security people to be drama queens, offering knee-jerk responses to every new scare that comes along.  If you are prepared and understand the [...]]]></description>
			<content:encoded><![CDATA[<p><em>By Ray Stanton, Executive Global Head of Business Continuity, Security and Governance, BT</em></p>
<p>While many security threats are very real for business, I don’t think most business leaders should allow their IT security people to be drama queens, offering knee-jerk responses to every new scare that comes along.  If you are prepared and understand the types of risks to which your business is susceptible, you should lose very little sleep over new risks and threats.</p>
<p>Most risks can be summed up using the acronym “COMIC,” but believe me, security isn’t a joke.</p>
<ul>
<li>Commercial: are you a cutting-edge business that’s at risk from intellectual property theft or might unscrupulous rivals deliberately sabotage you?</li>
<li>Opportunist: could data thieves infiltrate your network because it lacks basic access controls? Would a fire put you out of business because you don’t have proper business continuity plans?</li>
<li>Monetary: could you be held to ransom because any downtime on your systems would lose you money?</li>
<li>Idealist: might your website be targeted by activists because you’re perceived as being unethical?</li>
<li>Can-do: could anyone hack into your systems just for the hell of it?</li>
</ul>
<p>Most business leaders should be aware of what security risks are significant for their business and align security activities against this.</p>
<p>If you are participating in an activity that doesn’t directly contribute to securing the areas where your risks lie, then stop. If activities aren’t aligned to risk, then the last laugh may actually be on your IT team and your company.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2011/05/when-it-comes-to-security-don%e2%80%99t-be-a-drama-queen/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New SQL Injection Attack Dubbed LizaMoon Impacts Millions of Sites</title>
		<link>http://www.btsecurethinking.com/2011/05/new-sql-injection-attack-dubbed-lizamoon-impacts-millions-of-sites/</link>
		<comments>http://www.btsecurethinking.com/2011/05/new-sql-injection-attack-dubbed-lizamoon-impacts-millions-of-sites/#comments</comments>
		<pubDate>Wed, 11 May 2011 15:59:43 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[SecureAlert]]></category>
		<category><![CDATA[- Apple]]></category>
		<category><![CDATA[- BT]]></category>
		<category><![CDATA[- MSSP]]></category>
		<category><![CDATA[iTunes]]></category>
		<category><![CDATA[LizaMoon]]></category>
		<category><![CDATA[SQL injection attack]]></category>
		<category><![CDATA[web application attack]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=1628</guid>
		<description><![CDATA[By Karl Smith, Head of Cyber Security Assurance Services, Business Continuity, Security &#38; Governance, BT The recent “LizaMoon” attack started small and grew quickly. LizaMoon is an SQL injection attack campaign that adds &#8220;script src=hxxp://lizamoon.com/ur.php&#8221; along with other code into a website&#8217;s source code. This is causing the affected website to redirect a user to [...]]]></description>
			<content:encoded><![CDATA[<p><em>By Karl Smith, Head of Cyber Security Assurance Services, Business Continuity, Security &amp; Governance, BT</em></p>
<p>The recent “LizaMoon” attack started small and grew quickly. <a href="http://www.pcworld.com/businesscenter/article/224125/lizamoon_attack_what_you_need_to_know.html">LizaMoon</a> is an SQL injection attack campaign that adds &#8220;script src=hxxp://lizamoon.com/ur.php&#8221; along with other code into a website&#8217;s source code. This is causing the affected website to redirect a user to another website containing a Trojan.</p>
<p>Typically, web applications have filters that are designed to prevent rogue commands from passing through, but as seen with this attack, many don’t have these filters in place.</p>
<p>At first, the number of unique URLs affected by it was at 28,000, but that number has risen quickly, and more than 1.5 million websites have been hit.</p>
<p>Interestingly, one of them was iTunes, which has more users and more potential damage from this type of attack than most websites. Apple designed iTunes to automatically neutralize threats such as LizaMoon, but some conjecture that this attempt at hacking iTunes might “constitute an exploratory attack vector, designed to be part of a more sophisticated blended attack that could seek to exploit weakness within the iTunes client/software which would yield a far greater exploitation threshold of millions of infections in a matter of minutes/hours.”</p>
<p>Given that more than 220 million iPods have been sold across the globe, this scenario could become devastating quite quickly.</p>
<p>LizaMoon and like threats make it even more critical that organizations are proactively monitoring networks and remaining vigilant to possible threats, particularly given how many employees telecommute and use personal computing devices to access company networks.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2011/05/new-sql-injection-attack-dubbed-lizamoon-impacts-millions-of-sites/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tablet Wars Cause Network Access Control Pain</title>
		<link>http://www.btsecurethinking.com/2011/03/tablet-wars-cause-network-access-control-pain/</link>
		<comments>http://www.btsecurethinking.com/2011/03/tablet-wars-cause-network-access-control-pain/#comments</comments>
		<pubDate>Fri, 18 Mar 2011 13:28:07 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[SecureAlert]]></category>
		<category><![CDATA[- Apple]]></category>
		<category><![CDATA[- BT Counterpane]]></category>
		<category><![CDATA[- end point security]]></category>
		<category><![CDATA[- Google]]></category>
		<category><![CDATA[- Honeycomb]]></category>
		<category><![CDATA[- Intel]]></category>
		<category><![CDATA[- Kraft]]></category>
		<category><![CDATA[- Microsoft]]></category>
		<category><![CDATA[- MSSP]]></category>
		<category><![CDATA[- network access control]]></category>
		<category><![CDATA[- Steve Jobs]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=1519</guid>
		<description><![CDATA[By Sushila Nair, Product Manager, BT Counterpane The tablet war is heating up with Google’s announcement of an operating system for the Honeycomb tablet.  Meanwhile, Apple is predicted to release a new iPad in April. The difference in business models is fascinating &#8212; Google does not make its own devices, but gives its operating system, [...]]]></description>
			<content:encoded><![CDATA[<p><em>By Sushila Nair, Product Manager, BT Counterpane</em></p>
<p>The tablet war is heating up with Google’s announcement of an operating system for the Honeycomb tablet.  Meanwhile, Apple is predicted to release a new iPad in April.</p>
<p>The difference in business models is fascinating &#8212; Google does not make its own devices, but gives its operating system, Android, to manufacturers for nothing; whereas Apple has complete control over its devices, refusing to allow them to run on anything but its own hardware.</p>
<p>The war between Apple and Google seems destined to be exciting.  In its latest survey of the U.S. mobile phone industry, <a href="http://www.comscore.com/">comScore</a> reported that while RIM continued to lead among Smartphone platforms with 33.5 percent market share, Android charged past the iPhone to take second place with 26 percent of U.S. Smartphone subscribers.  Currently, Apple leads in the tablet market war, but with the release of Honeycomb and the absence of Steve Jobs from Apple’s helm, it remains to be seen if Apple will maintain that lead.  Independent of who wins the tablet war, there is no doubt that tablets are here to stay.  As a corporate tool, or as a consumer device, the tablet needs to be taken seriously.</p>
<p>Organizations that assume that the tablet market is simply a consumer product should think again.  Gartner predicts that by 2013, 80 percent of the workforce will be using tablet devices.  The portability and low cost of tablet devices, complemented by the improvement of 3G and 4G networks, make these mobile products very attractive to corporations looking to keep workforces connected while cutting costs.</p>
<p>As well, these smart devices that fit well with cloud-style, centralized environments point to a new type of corporate infrastructure.  Couple smart devices with the growing BYOC (bring your own computer) models being run by organizations such as Kraft, Microsoft, Intel and Citrix, to name a few, and we see opening up in front of us a very exciting but difficult to <a href="http://www.btsecurethinking.com/2011/02/smart-devices-give-it-departments-heartburn/">secure network</a>.</p>
<p>The advent of smart devices that plug into a corporation’s network will not completely oust desktops any more than secretaries really vanished with the advent of computers.  There is, however, no doubt that a significant proportion of that network will be accessed by untrusted end points.  Already being fought is the battle between network access control, which enforces a minimum of controls required before end points can access networks, and implementation of controls so the smart devices can only access untrusted parts of our network. </p>
<p>We are likely to end up with some kind of blend.  For now, the battle has highlighted that flat networks are pretty much dead and that not only does information need to be classified according to risk, but also that end points need to be classified by risk.  Corporate data storage on untrusted end points must be very heavily weighed and controlled.  There must always be a preference for corporate data to remain on corporate assets, and for this data to be accessed through remote access style applications which encrypt and secure that information according to risk.</p>
<p>The bottom line is that organizations need to bring tablets into their environment in a controlled fashion.  If organizations haven’t already started doing so, now is the time to begin analyzing and developing policies, procedures and guidelines around smart devices &#8212; because by all predictions, a tablet is coming to your network soon.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2011/03/tablet-wars-cause-network-access-control-pain/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

