The Jury’s Still Out on Google+ for B2B

The role of social networks in business is nothing new but when Google+ came on the scene, I know what you were thinking. The same thing I was: Another social platform?

Like any good marketer, we at CenturyLink Business, created a presence on Google + right away but really only to secure our name. We have not created a full-blown presence at this point because, frankly, we have been going back and forth internally on the value of the platform in our space.

Comments (0)

Banking in Bed

It’s pretty clear that banking as we know it is changing. Rapidly. With the Occupy Wall Street movement and the recent Bank Transfer Day initiative, banks are coming to terms with the fact that the old way of doing business simply won’t work.

This represents an opportunity for banks to take a hard look at their businesses and to figure out what they can offer their customers to provide a superior customer experience.

Comments (0)

5 Free Security Tools Every Cloud User Should Know About

blog-cloud-keyboardWhen it comes to cloud, planning is everything. This is the case when it comes to every aspect of a cloud migration, and includes in no small measure security as well. However (surprisingly, given the importance of security in a cloud migration), sometimes security and economic goals clash in a cloud deployment.

This happens because many cloud migration efforts are economically driven – and security isn’t free: either from a planning standpoint or from a control deployment standpoint. So the addition of controls can eat away at projected cost savings – especially when security parameters are not understood fully at the project outset. Because of this, security teams sometimes find themselves in a situation where they need to add controls to meet regulatory requirements or address risk areas, but because a migration is already “in flight,” those controls aren’t budgeted. Oops.

This leaves security organizations with two alternatives: 1) Do nothing and drop the control on the ground, or 2) Do something at minimal cost.

Doing nothing isn’t usually a recipe for success, so option 2 – doing something on the cheap – can be a lifesaver. Fortunately, there are a plethora of free tools – software and resources – that organizations can look to in a pinch to fill in gaps. Note that I’m not addressing soft costs here – staff time is staff time … and that’s never free (well, unless you have interns, I guess). I’m just talking about what you can do to meet controls without having to go back to the budgetary well.

I’ve tried to outline a few – that you can get up and running quickly – to address particular situations as they arise. These aren’t the only ones by any means. I’ve tried to pick out short term “gap fillers” for this list. There are literally hundreds (if not thousands) of excellent free tools out there that let you do everything from log correlation to asset management to monitoring in the cloud (and out of it for that matter). The difference is that not all of them are “spin up/spin down.” For example, you can use a tool like GroundWork (monitoring) or snort (IDS) that are every bit as feature rich as commercial counterparts – but once you have it up and running, are you going to want to spin it down again in three months? Probably not. So while those tools are great (can’t stress this enough), I didn’t include them on the list.

What I did include were tools that you can get up and running quickly, that fill an immediate need, and that doesn’t commit you long term. Meaning, you don’t lose (much) data or have to retool the environment (much) should you decide to stop using them later.

Free Data Discovery
Finding out where your confidential and/or regulated data is prior to (and let’s not forget during and after) a cloud move is always useful. You’d be surprised what data is located where in a large or even medium-size enterprise. There are a number of free tools out there that help you search assets and locate certain types of (usually regulated) data. MyDLP, OpenDLP and the cardholder-data focused ccsrch can help data in automated fashion. All of these tools have merit. Although I personally found the step-by-step installation instructions for MyDLP to be particularly helpful in getting up and running quickly – and the ccsrch tool’s simplicity and efficiency make it a good choice if you want to focus just on credit cards.

Free Compliance Tookits
Evaluating a vendor’s security posture and control deployment sometimes gets done prior to picking a vendor; but sometimes (like when security or IT isn’t consulted in that process), it doesn’t. But many regulatory requirements require specific validation of vendors. In that case, it’s on us to do that after the fact. Now sure, general-purpose information-gathering materials like the Shared Assessments (formerly FISAP) Standardized Information Gathering questionnaire are great, but let’s face it, they’re cumbersome when applied to a hosting provider. That’s why the Cloud Security Alliance’s GRC Stack – specifically the Cloud Controls Matrix (CCM) and the Consensus Assessment Initiative (CAI) can help. Why redo the work when you can reuse what’s already done for you?

Free Two-Factor
Many organizations require two-factor access as part of remote access policy. Although it’s one of those things that many times organizations overlook in the planning process. WikID – an open source two-factor authentication platform might be something you can look to for meeting the requirement short-term. It’s easy to set up, and doesn’t require per-user hardware to provision in order to get up and running.

Free Network Analysis
Most folks probably already know about wireshark … you knew it was coming, right? Sometimes you just have to know what’s going on over the wire.

Free AV
Fungible as many organizations perceive it, people are sometimes surprised when it comes to AV during a move. Why? Because many commercial AV platforms are licensed per client. A physical-to-virtual move many not result in a one-to-one mapping between existing physical hosts and virtual images. Particularly in the interim period while you stand up the virtual infrastructure. This means (sometimes) that you need more AV licenses – depending on your licensing arrangements with your current vendor.

What happens when you discover this mid-effort? Going off to secure funding for more AV licenses in the middle of a move isn’t a fun conversation – and because it’s a regulatory requirement (for example under the PCI DSS), just making do without isn’t a good idea. One solution is to leverage free AV tools like ClamAV in the interim. Yes, long-term management is an issue in supporting another product over/above commercial tools you might be using on-prem. But to fill a short-term need while you sort out the licensing? Why not?

Maybe some of these might be helpful – particularly in Q4 when budgets are frozen anyway.

Comments (0)

Are You PCI-Ready for the Peak Holiday Shopping Season?

With Black Friday and Cyber Monday under our belts, it’s officially peak shopping season for millions of American consumers. Retailers will be working overtime to meet demand and earn much-needed revenue—but if they’re not careful, each credit card transaction they handle could expose both their customers and their business to risk.

The Payment Card Industry Data Security Standard (PCI DSS) is designed to protect consumers and increase trust in retailers. Without these measures, it would be all too simple for a hacker to break into a retailer’s systems and steal consumers’ payment card numbers.

Comments (0)

Beyond the App Store: iPads in the Enterprise

In an earlier post, we discussed whether businesses should really care about the iPad, and suggested that the answer is now yes. Today, let’s take a deeper look at the role mobile tablets can play in your endpoint environment. It goes a lot further than email and calendaring.

Comments (0)

iPad for Business? We’re Not Sold

There has been a lot of discussion about the viability of iPads in the enterprise. iPads have become so pervasive in consumers’ lives, it begs the question: Will it follow the path of laptops, smart phones, instant messaging and social media that got their start in our personal lives and then made their way into “must-haves” in our business lives?

Comments (9)

The “Yes” Model: Five Tips for Keeping your Business Safe

Data security is a hot topic these days and is being discussed everywhere from the boardroom to the server room.

We’ve recently covered the fundamentals of data security as well as commonly overlooked risks here on ThinkGig. Today we want to take a look at business strategies for establishing a culture that protects data and minimizes vulnerabilities. It’s what we like to call the “yes” model.

Comments (0)

What is Enterprise Security?

enterprise-cybersecurityWhile I know that some practitioners are going to scoff when I ask the question “What is enterprise security?,” I’m going to ask it anyway.

You see, great leaps forward very often start with questioned assumptions. Ptolemy assumed (based on a set of perfectly logical assumptions) that the sun rotated around the earth. It was only when subsequent thinkers questioned his universally held theory (in many cases at great personal cost to themselves) that a cataclysmic advance in humankind’s understanding of the solar system became possible.

The point is, if we don’t stop every once in a while to question what we believe, we can hold on to outmoded assumptions way past their “sell by” date. And when it comes to the security of the information we steward in our organizations, outmoded assumptions create risk. In other words, if you assume things about your environment that (maybe) were true once – but aren’t now – you put yourself in a situation where conclusions you base on those assumptions may very well be false.

Take an assumption like this one: “Two devices on the same isolated network segment communicate more-or-less privately.” Maybe that’s true. But if you’re wrong – like if the segment doesn’t stay isolated or someone moves one of the devices off that segment? Risk.

The answer to the question “What is enterprise security?” is neither static nor a given. And while many organizations on the edge of change are rethinking and embracing what “enterprise security” means and adjusting accordingly, just as many are clinging to outmoded definitions about what’s “inside” vs. “outside” the enterprise and what’s “security’s job” vs. not. These boundaries just aren’t as meaningful as they used to be.

“Enterprise” and “security” are borderless

First, it’s important for security practitioners in today’s IT shops to realize that the definition of “enterprise” is changing. A few years ago we in security talked casually about the “disappearing perimeter” (remember that?), but for today’s security practitioner an appropriate question might be, “What perimeter?”

If it wasn’t true before, it’s certainly true now: Enterprise security and location of resources are unrelated. From a location-of-access standpoint, take the trend of mobility to its ultimate conclusion: Users employ an array of mobile platforms to send email, modify documents and close deals – or they access critical applications from home machines not provisioned by the organization. But the data we hold needs to be protected just the same. Just because devices accessing critical resources aren’t coming from some arbitrarily drawn geographical border doesn’t mean that the security of those resources is any less relevant.

On the other hand, “enterprise” isn’t defined by location of computing resources either. This time, take cloud to its conclusion: Critical business applications sit on dormant virtual machine images in redundant, geographically distributed data centers. These images and are spun-up on demand in response to user requests, live just long enough to service the request, and then are spun down to conserve energy, bandwidth and CPU cycles. Enterprises reallocate storage and processor resources on the fly across the globe in response to user demand, business volume, time of day or any number of other factors specific to their business. Are you free from the need to care about security because your data is hosted outside your data centers? No.

In both cases, security is still a critical factor of supporting the organizational mission. But the temptation – particularly when we’re strapped for resources or under the gun to deliver a critical task – can be to draw a line in the sand and decide that certain technologies are outside the boundary of our security plan because they’re implemented by a vendor or because they leverage devices we didn’t provision. But nothing could be further from the truth. In fact, this just makes security more important rather than less.

“Enterprise” is defined by data; “security” by relationship

So if geographic location doesn’t define what’s in the enterprise, what does? In my opinion, it has to be the data. When geographical boundaries no longer define what’s “inside” vs. “outside” and security isn’t tethered to particular systems or applications, the answer has to be to focus on what we’re ultimately trying to protect: the mission of the organization. And the embodiment of the organizational mission is the data the organization creates, processes and stores.

Said another way, information systems used by an organization process and store data for a particular purpose; so the data those systems operate on are the raw materials that the organization uses to complete that purpose. Everything that goes into the processing and storage of that data – no matter where it’s located or at what third party – is in scope from a security standpoint and therefore must be included “enterprise security.”

This is true even when the data is outside of your organization’s direct control. Say for example your hospital outsources storage of your medical records. If your medical records get exposed inappropriately, do you honestly care whether it was the hospital that accidentally lost them or whether it was a service provider? I don’t. I have a relationship with the entity that I trusted with my data. And I trust them to only share that data with trustworthy organizations. So when someone violates that trust and puts users at risk, users are going to hold accountable the entity they trusted in the first place.

Just like the data defines what the enterprise is, so also is “security” defined by the chain of relationships along which that data travels. If the data is compromised, the responsibility for failure to protect that data rests with the organization with the relationship to the data owner. If confidentiality, integrity or availability of that data are keys to supporting the organizational mission, the organization is the one that takes the hit. If the organization is acting as a steward of that data on behalf of someone else, they are the ones with the relationship to the data owner and are therefore the one to take the hit when security fails to protect it.

Click on the link to learn more about Enterprise Security.

Ed Moyle is senior security strategist at CenturyLink.

Comments (0)