Aujas US

An IDG Ventures Company

Security Breaches Continue to Grow

What do Tulane University, South Carolina State Employee Insurance Program, National Guard Headquarters – Santa Fe NM, BlueCross/BlueShield – Michigan, Seacoast Radiology, and University of Connecticut – HuskyDirect.com have in common? They were just a few of the companies that reported security breaches in January 2011.

Information management is critically important to all of us – as employees and consumers. For that reason, the Identity Theft Resource Center has been tracking security breaches since 2005, looking for patterns, new trends and any information that may better help us protect data and assist companies in their activities.

In prior issues of Risky Business, I posted this brief article and supporting statistics about security breaches.  I was curious to see how the data changed.  You can see for yourself below in the last line.

The following data was collected from Identity Theft Resource Center® website idtheftcenter.org and refers to the number of total data breaches that were reported with an estimate of how many records were exposed:

2005 Breach List: Breaches: 157 Exposed: 66,853,201
2006 Breach List: Breaches: 321 Exposed: 19,137,844
2007 Breach List: Breaches: 446 Exposed: 127,717,024
2008 Breach List: Breaches: 656 Exposed: 35,691,255
2009 Breach List: Breaches: 498 Exposed: 222,477,043

2010 Breach List: Breaches: 662 Exposed: 16,167,542

You must understand that the majority of the reported breaches do not reveal the actual number of exposed records, so the number is MUCH larger than what is listed here.

Your call to action is to ensure your Information Risk Management Program is as secure as you think it is and as secure as your stakeholders, customers and Board of Directors believe it to be. Aujas is helping organizations manage risk and enhance information value with practical, innovative solutions!

Posted January 31, 2011 | Data Loss Prevention, Identity Theft, IT security

Effective Data Protection Requires More than Technology

More companies are finding that despite their technology investments, effective data protection remains elusive. Data protection technology has become as commonplace as anti-malware technology, and most organizations implement it as a standard desktop endpoint and gateway security control. The technology works using a combination of document ‘fingerprinting’, key words, and policies defined around what is allowed and what is not. The technology has matured to cover endpoint and email data leakage risks as well as social networking risks. However, even with a mature technology and rigorous implementation, organizations often find their data protection is ineffective.

IT departments are able to quickly implement a data protection technology, but struggle with effectiveness. They are unable to bridge the gap between implementation and effectiveness, and end up with large numbers of data leakage ‘incidents’, which usually turn out to be false positives.  In many cases, organizations end up operating DLP tools in ‘audit only’ mode which completely defeats the tools’ purpose. 

This gap is usually due to the approach taken to data protection and not to the organization itself. Most organizations identify data protection as a risk, and the IT/IS department chooses a vendor for implementation. The vendor usually ‘scans’ the file stores for ‘important’ files, and policies are created to safeguard those files deemed important. While this approach seems simple enough, it is the root of the problem. IT organizations are basing policies on their own interpretation, rather than on what is important or appropriate for the business.

Data, even if critical, may need to be exchanged with outsiders for valid business reasons. The challenge is to establish policies that allow the business to operate seamlessly while stemming the data leakage.  Another challenge is to build an ecosystem that supports this on an ongoing basis. The solution ideally integrates technology, process and a governance framework.  

The first step is a data classification policy that clearly establishes how to classify data within the organization; the users should be made aware of how the classification policy applies. Next, the data flow within business processes should be understood to identify the type and nature of data, its classification and authorized data movement of ‘important’ data across organizational boundaries. Also, the important files, templates and database structures that were identified during this exercise should be ‘fingerprinted’. The policies should then be configured and applied based on the authorized movement of data.
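The approach described above, as an added Python example (not Aujas code or any DLP product's implementation): documents are fingerprinted by hashing overlapping word runs, each fingerprint carries a classification, and the policy is the set of authorized data movements. The shingle size, match threshold, process names, `.example` domains and sample documents are assumptions constructed for the illustration.

```python
import hashlib
import re
from dataclasses import dataclass

SHINGLE_WORDS = 5       # assumed: words per fingerprinted run
MATCH_THRESHOLD = 0.5   # assumed: share of a document's runs that must reappear


def fingerprint(text, k=SHINGLE_WORDS):
    """Hash every run of k consecutive words so partial copies still match."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    runs = [" ".join(words[i:i + k]) for i in range(max(1, len(words) - k + 1))]
    return frozenset(hashlib.sha256(r.encode()).hexdigest()[:16] for r in runs)


@dataclass(frozen=True)
class ProtectedDoc:
    name: str
    classification: str
    prints: frozenset


def classify(message, registry):
    """Return the fingerprinted document the message overlaps most, or None."""
    msg = fingerprint(message)
    best, best_score = None, 0.0
    for doc in registry:
        score = len(doc.prints & msg) / len(doc.prints)
        if score > best_score:
            best, best_score = doc, score
    return best if best_score >= MATCH_THRESHOLD else None


def decide(message, process, dest_domain, registry, authorized_flows):
    """Allow unmatched content and authorized movements; block everything else."""
    doc = classify(message, registry)
    if doc is None:
        return "allow"
    if (doc.classification, process, dest_domain) in authorized_flows:
        return "allow"
    return "block"


# Constructed sample documents identified during the data flow exercise.
FORECAST = ("Q3 revenue forecast by region: north 4.2M, south 3.1M, west 5.7M; "
            "projected margin 18 percent; headcount plan adds twelve engineers "
            "in the west region before year end")
TEMPLATE = ("customer_id, full_name, date_of_birth, national_id, account_number, "
            "sort_code, balance, credit_limit")
REGISTRY = [
    ProtectedDoc("q3-forecast", "confidential", fingerprint(FORECAST)),
    ProtectedDoc("customer-export-template", "restricted", fingerprint(TEMPLATE)),
]

# Policy built from a file-store scan alone: fingerprinted data never leaves.
SCAN_ONLY_FLOWS = set()
# Policy built from business data flows: (classification, process, destination).
BUSINESS_FLOWS = {("confidential", "finance-reporting", "auditor.example")}

OUTBOUND = "Hi, as agreed for the audit: " + FORECAST


def run_demo():
    """Same message, three situations; returns the decision for each."""
    return {
        "scan-only policy, auditor": decide(
            OUTBOUND, "finance-reporting", "auditor.example", REGISTRY, SCAN_ONLY_FLOWS),
        "business policy, auditor": decide(
            OUTBOUND, "finance-reporting", "auditor.example", REGISTRY, BUSINESS_FLOWS),
        "business policy, webmail": decide(
            OUTBOUND, "finance-reporting", "webmail.example", REGISTRY, BUSINESS_FLOWS),
    }


if __name__ == "__main__":
    for case, decision in run_demo().items():
        print(f"{case}: {decision}")
```

The first case is the false positive the article describes: a valid exchange with an outside party is flagged because the policy knows only that the file is important, not where the business is allowed to send it.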

Taking these two steps will help improve data protection technology effectiveness because it incorporates business rules for data. However, it still is a point-in-time exercise that does not address the fluid business data environment. To sustain the data protection, a governance process is required. One approach is to integrate with the data governance framework if one exists within the organization. If a data governance framework does not exist, a similar structure can be created. An additional benefit of this approach is close integration with data governance when such a framework is actually created.

The governance function should be responsible at a high level for both the strategic and operational management of data protection. At a strategic level, the function should look at how data flows and is managed, and at its impact on the data protection technology employed. At an operational level, the function should look at how data protection incidents are managed, false positives reduced, and user awareness of classification and protection improved. Many organizations also employ active data protection with the use of data/digital/information rights management tools, which require users to ‘protect’ based on allowed rights, time limits and expiry dates. Though the above approach remains the same for these technologies too, organizations have to spend more effort on user awareness, as users’ cooperation defines the success or failure of the technology.

Though data protection technologies have changed the data confidentiality playing field completely, effective data protection cannot be achieved by the technology alone. It requires a focused lifecycle management approach for it to be more effective and sustainable.

Posted January 24, 2011 | Data Leak Prevention, Data Loss Prevention, Risk management

What Is Needed for Data Protection?

A more holistic approach is needed for protecting data that goes beyond individual tools and addresses data at its source: the business. The principles of data governance, data classification and the DLP tool need to work as one solution to effectively protect data in an organization.

Approach

  • Develop a strategy – Start by developing an organization-wide data protection strategy.
  • Set up a data classification policy and a program – Individual business processes should identify and document all forms of data, its classification and its authorized movement.
  • Create a governance program – Establish accountability, roles and responsibilities for data protection and data ownership.
  • Create and ensure awareness and training for business users – To ensure that the data protection remains a strong focus within the organization, management should ensure users are made aware of their roles and responsibilities around data protection.

The Aujas Data Protection Service helps organizations extract maximum value from their investment in security technology and solutions. We build the governance framework, data protection strategy and data protection program. Then we assist organizations with data flow analysis to identify data movement within and between processes, the forms data takes, and user awareness levels. Our data flow analysis results in effective DLP policies while the governance framework and strategy translates into continuous data protection for the organization.

To learn more about the Aujas Data Protection Service, and our complete portfolio of services, please contact Karl Kispert, our VP of Sales at karl.kispert@aujas.com or at 201.633.4745.

Posted January 24, 2011 | Data Leak Prevention, Enterprise Security, IT security, Risk management

5 Hot Topics in Information Security for 2011

According to the Aujas information security experts, these are the five crucial security topics that should be on the radar for business executives in 2011:

Data Governance and Data Leakage Prevention (DLP) – Some executives believe their employees know exactly what data should be protected and what data can be shared via website, conversation or social media.  These executives have a false sense of security. Many companies still do not have a strong data classification program or policy in place to educate employees on what is critical to an organization and what is not.  Some execs may also think that having a DLP tool and plugging it in is the answer. That’s like plugging in a power saw and saying you can build a house! Having a tool and knowing how to use it effectively are two different things.

Tip: Find a champion to drive your data governance and loss prevention initiative.  If your company has a CISO, this person is the most logical one to take on this role. If not, you can assemble a small team of stakeholders to work with guidance from a third party who specializes in information risk management.

Application Security – With so many applications being developed and used in companies of all sizes, some are being created without security in mind.  Some technology companies have a need to be the first on the street with a new application and are bypassing Security Development Lifecycle (SDL) protocol. They are thinking about security after the application is released and, sadly, are finding that they are spending more money to fix the application.

Tip: First perform a penetration assessment on your company’s critical applications to identify vulnerabilities. Then be proactive!  Create a framework in which security is part of the SDL.

Social Media – The intentional and unintentional release of sensitive information via Facebook, Twitter, etc. can affect your company’s bottom line. Your intellectual property may wind up on an underground website or, if your secrets are shared with the world, you may not be first to market with your new product or service.

Tip: You don’t need to declare social media off limits to your employees. It is an important business tool that is not going away.  You do, however, need to understand the risks of social media, and make users aware.

Cyber Security – Over the past year, more organizations have come to understand that there is a very real cyber security threat in the US and that the US Government cannot take care of every threat-related issue. Your company needs to develop strong internal and external security programs to protect itself.

Tip: Putting in place a robust information risk management (IRM) program is essential so that your stakeholders understand the people, process and technology risks and how they can affect your access, availability, and agility to conduct business.

Phishing – Hackers continue to use phishing, a type of social engineering, to solicit information from individuals.  Though the incidents of phishing were down in the second half of 2010, the attacks continue to get more and more sophisticated. 

Tip: Perform a phishing diagnostic so that you are aware of the threat, specifically who in your organization is susceptible to this type of attack.

Aujas can help your company manage risk from these threats. Contact Karl Kispert, our Vice President of Sales, to learn more. He can be reached at karl.kispert@aujas.com or 201.633.4745.

Posted January 24, 2011 | Data Leak Prevention, IT security, Phishing, Risk management, SDL, Social Engineering

Aujas and RSA 2011 – Come by Our Booth

Aujas is exhibiting at the upcoming RSA Conference on February 14 – 18, 2011 in San Francisco. This is an opportunity for Aujas to expand its knowledge and increase its network of industry peers and influencers. 

Please stop by booth number 343 to say hello and discuss Information Risk Management topics with Aujas co-founder Sameer Shelke and Vice President of Sales Karl Kispert.

Posted January 24, 2011 | Enterprise Security, IT security, Risk management

Service Oriented Architecture (SOA) Security in the Cloud

According to Gartner, cloud computing is “a style of computing where massively scalable IT-related capabilities are provided ‘as a service’ across the Internet to multiple external customers”. Service-oriented architecture (SOA), on the other hand, is a collection of services that communicate with each other. Says David Linthicum, a widely acknowledged SOA expert, “SOA is an architectural pattern, while cloud computing is a set of enabling technologies as a potential target platform or technological approach for that architecture.” Therefore, SOA and cloud computing are complementary and not mutually exclusive.

For a while now, companies and business leaders have been interested in moving to a cloud environment to enable growth at lower costs. By combining SOA and cloud computing, it becomes possible to reduce the time taken to implement technology, enhance business performance and expose the existing legacy application over the Internet.

Clouds enable outsourcing of many or all IT functions, making regulatory, operational and baseline compliance difficult. Moreover, the complexity involved in combining data, applications and infrastructure with the cloud requires securing the underlying architecture.

The role of SOA in cloud computing is important because a successful cloud solution requires an in-depth understanding of the architecture, the services offered and how to leverage them. Finally, cloud computing becomes part of the architectural arsenal to create a successful SOA.

Security Considerations for SOA

The most common security considerations involving cloud-based services include the following:

Governance control – In a governance-free environment, coordinated cloud service planning and monitoring mechanisms, which are needed to meet security standards, become difficult. In addition, rogue cloud services could wreak havoc on the delicate trust between providers and businesses. Concerns here include not knowing where data resides, what happens to the data if a decision is made to change services, and how the service provider guards customer privacy. Contracts must outline the service provider responsibility in case of a breach. The cloud is still evolving and as a result, processes do not yet have a standard format. Quality-of-service terms, mechanisms for security and privacy are developing, business continuity issues around failed providers are not well established and regulatory issues raise many questions. 

Infrastructure Security – As the cloud’s infrastructure and resource pool are shared among multiple users, unified monitoring and control has become almost impossible. Relying on the host’s security controls might compromise data, especially as the service provider cannot separate data. The data and the service provider’s hosting process are executed and managed in shared environments. This requires extending trust to external services and permitting secure data residing on company servers to be moved into a less-secure environment. With a heterogeneous infrastructure, the more individual technologies and processes in play, the harder it gets to ensure control and consistency. If the service is hosted on a heterogeneous cloud-based platform, managing security or even changing vendors becomes difficult.

Communication Security – As the cloud inherently provides an elastic platform for providing services, there is a need for these services to communicate with each other to perform various tasks. SOA is moving us from User-to-Business communication to Business-to-Business communication. This new way of communicating brings in many decoupled software components to interact with each other in a standard format. The lack of trusted authorities and lack of security in communication protocols could create havoc for the services.

Software Security – Most of the services today are enabled as stateless machines providing optimized solutions for B2B interactions. This has inherent security issues that have to be addressed through the entire software life cycle, starting from specification through to the release stage.

Service Integration – In an SOA, services integration is often overlooked. “Silo” services have to interact with each other to provide end user solutions. Hence there is a high need for security in the SOA integration stage.

Summary

Contrary to the popular notion that cloud computing will make SOA redundant, they actually complement each other. In fact, having a strong SOA can make the transfer to cloud-based services easier, less complicated and more secure. Cloud-based SOA is all about delivering services with increased agility and efficiency keeping companies competitive and contemporary. To keep up with the new technology, improved security measures, a strong understanding of the cloud plus selection of the right vendor are critical.

Posted January 11, 2011 | Cloud Security, Service oriented architecture

Secure Code Development Is in Your Future

Microsoft SDL Pro Network Is at the Forefront – and Aujas Is There

Secure code development will become a standard in the near future, according to industry experts at Network World. As the Federal Government continues to require cyber supply chain assurance, you won’t be able to sell any technology products to the government unless you adhere to a Secure Development Lifecycle (SDL) model. Other critical infrastructure industries such as financial services, utilities and telecommunications are adopting these requirements as well.

The Microsoft SDL is a security assurance process that combines holistic and practical approaches, and introduces security and privacy throughout all phases of the development process. Microsoft made its own SDL public as part of its commitment to protecting customers and enabling a more trusted computing experience.

Member of the Microsoft SDL Pro Network

Aujas is now a member of the Microsoft SDL Pro Network. As a Network member, we are part of a group of security consultants, training companies, and tool providers that specialize in application security.  Network members have substantial experience and expertise with the Microsoft SDL methodology and technologies.

According to David Ladd, Principal Security Program Manager at Microsoft, “We are very happy to have Aujas join the SDL Pro Network.  As an IDG company with a global presence, Aujas will help organizations around the world improve their software security process to overcome security and privacy issues.”

Adds Karl Kispert, Aujas Vice President of Sales, “Our vision is to manage risk and enhance information value for our clients. By implementing the SDL framework, we can help our clients manage their software risk, meet compliance requirements, improve software quality and enhance information value.”

The services Aujas offers as a Network member are designed to span the entire lifecycle and make security and privacy an integral part of how software is developed. Specific capabilities include:

  • Training, Policy and Organizational Capabilities, including security training and advice on how to implement the SDL
  • Requirements and Design, including risk analysis, functional requirements and threat modeling
  • Implementation, including use of banned APIs, code analysis and code review
  • Verification, including fuzzing and Web application scanning
  • Release and Response, including final security review (FSR), penetration testing, and response planning and execution

Aujas’ Secure Development Life Cycle Services assists in recognizing and avoiding security pitfalls during the software development lifecycle, and also corrects security problems once they arise. It is the transformation of Software Development Lifecycle into a Secure Development Life Cycle.

Our Strategy and Planning help organizations to categorize the applications according to the risk the application presents to the business and formalize the security requirements for the same.

The Aujas Application Architecture and Design Review services check if all the security elements have been considered during the design phase and provide feedback for the architects to adjust the design for maximum security and privacy.

To find out how Aujas can help you implement Microsoft SDL, contact Karl Kispert, our VP of Sales.

Posted January 4, 2011 | IT security, Risk management, SDL, Secure code development

Ephemeral Borders: Privacy and Security of Data in the Cloud

Business is expanding across national borders at an accelerating rate. Most corporations of significant size have facilities in many countries. Cloud applications and storage offer savings and efficiencies, such as 24/7 availability of data and applications, enhanced access and elimination of costs associated with server maintenance. Multinational corporations considering implementation or expansion of Cloud use should, however, tread cautiously, and obtain guidance on applicable privacy and security issues.

For example, litigation or government oversight proceedings involving such companies may result in demands for data originating in, say, France, yet stored in Cloud repositories in other countries. The servers will, for the most part, be located beyond the borders of France. Personal data, which includes emails by definition, are subject to the European Union Privacy Directives and local enabling law, which hold that the personal data of an individual may not be sent outside the European Economic Area (the E.U. member states plus Norway, Switzerland, Iceland and Liechtenstein) without the individual’s consent. Appropriately informed consent documents, then, must be drafted. Additionally, no data of any kind may be sent outside France, pursuant to the Blocking Statute, for use in a foreign judicial proceeding. Other states, such as Switzerland, have similar statutes. Criminal penalties lie for violation of these provisions. Data sent to Cloud repositories, then, with the intent of onward transfer for litigation, may run afoul of these laws. In addition, the Data Protection Authority of the German state of Schleswig-Holstein recently opined that it is a violation of German law to send data to Cloud repositories for which the servers are located outside the European Union.

Those companies registered with the U.S. Safe Harbor Program would require amendment to comprise personal data in the Cloud repositories. The Service Level Agreements with the Cloud providers must contain provisions for E.U. levels of security and privacy in the Cloud repositories (other countries where the company does business will have similar provisions) or, perhaps, provisions that the data will not be transferred to or stored in locations outside the country in which the data were created.

Finally, multinationals considering the significant economic and security advantages the Cloud offers would need documented protocols for Legal Holds for data in Cloud repositories.  Legal Holds are considered “processing” of data in the E.U., and must be done in a manner consistent with the Privacy Directives and for retrieval and production of such data to governmental agencies and courts.  

Security consultants, working closely with U.S.-based counsel experienced in cross-border data disclosure conflicts, can assist in navigating the byways of this new and complicated area of information governance.  This is where Aujas can help.

This article provided by Kenneth N. Rashbaum, Esq., Rashbaum Associates, LLC

Posted January 4, 2011 | Cloud Security, Data Leak Prevention, Risk management

Operating in the Cloud – Sunny with a Chance of RISK!

Here is a list of some of the most important risks of operating in the cloud today:

  • Loss of governance
  • Data protection
  • Service provider lock-in
  • Compliance risks
  • e-Discovery and litigation support
  • Management interface compromise
  • Network management failure
  • Isolation Failure
  • Insecure/incomplete data deletion
  • Malicious insider

A risk-based approach is the only way to assess a cloud computing deployment decision.

Establish detective and preventive controls specific to each cloud deployment model:

  • SaaS – Browser patching, endpoint security, access reports
  • PaaS – Browser patching, hardening, endpoint security, access reports and vulnerability scanning
  • IaaS – VPN, configuration and patch management, host IDS/IPS, VirtSec appliance, access reports, vulnerability scanning, logging & event management

Identity management is a key area of preventive control focus for all service models.

For more information on how Team Aujas is assisting clients with Security Risks in the Cloud, please email me at karl.kispert@aujas.com.

Posted January 4, 2011 | Cloud Security, Data Loss Prevention, Enterprise Security, IT security