Security Assurances Are a Challenge for CIOs

December 1, 2009 by ADMIN

From the CTO Forum Team

Tom Clare warns CIOs against complacency about growing web-based security threats and prescribes simple remedies to limit the damage they can cause.

In an exclusive interview with the CTO Forum, Tom Clare, Sr. Director of Product Marketing at Blue Coat Systems, warns CIOs against complacency about growing web-based security threats and prescribes simple remedies to limit the damage they can cause.

Q: How will you classify the web-based threats? How do they impact enterprises?

A: I’ll respond to this question from two perspectives.

First, if by ‘classify’ you were referring to how Web filtering solutions categorise and classify different URLs and Web-based IP addresses for blocking and tracking purposes, most Web filtering solutions can block malware, phishing, and spyware related URLs as well as provide filtering of sites that can waste productivity or could create legal or compliance liabilities for the organisation.

In a broader sense, Web threats would be the number one threat facing organisations today. As more applications embrace Web 2.0 features, such as SaaS and others, Web-based services become an integral part of an organisation’s operations, and as employees are empowered in ways that enable them to both intentionally and accidentally leak confidential information through the Internet, IT needs to re-evaluate its security measures.

Q: With the focus on Web services, enterprises are facing multiple challenges on the application security front. What are the challenges that a CIO should be aware of, and how should s/he safeguard the enterprise?

A: Many companies have had minimal exposure to Web threats until recently simply because their users lacked more than minimal Web access.

All of their applications have been internal; many employees did not even need to use the Internet other than, indirectly, through email. But over the last year, online services have finally matured to the point where they can offer competitive features and capabilities at an affordable level.

Many job roles require increasingly greater Web access. And with the added benefits to the enterprise of an application that can grow or shrink without the need to consider things like equipment investments, server room space, etc., interest in such services is growing rapidly. However, CIOs should pay more attention to the security infrastructure and procedures of the service provider.

If data about employees, customers, or company secrets become compromised, few countries, industries or companies will accept a CIO defense of “It was the provider’s job”.

Q: What are the ways of improving Web application security? How can an enterprise create a roadmap on threats and countermeasures?

A: Introducing a new application should involve sufficient ‘user education’.

This is another area where companies often take shortcuts. But the vast majority of security breaches involve a mistake by a user.

Part of the reason for ‘education’ is to make sure the users understand the power of what they have been provided and to help them think through all of the potential for abuse and the consequences.

For example, a story earlier this year related how a US Senator, traveling with the President of the US, sent out an update on his Twitter feed that said “Landing in Bagdad” innocently violating the security of the President’s travel plans in what is obviously one of the most dangerous places he could be.

Too many of these technologies are being adopted without really thinking it through. All the users know is that it is ‘cool’, and they need one to be seen as ‘technology savvy’ so they do it.

Also, some of the risks come when different solutions ‘interact’.

For example, some browsers can ‘remember’ login information, so a user doesn’t have to type it in every time. Anyone in that office can walk up to their PC and access that new application.

Or what if their laptop is stolen? Overall, any company providing increasing Web access for employees needs to update its security plans.

The importance of patching cannot be understated. Continued use of firewall and antivirus solutions is critical.

Q: Application platforms such as blogs, wikis, and other social networks are in vogue in the enterprises. What kind of security breaches are possible using these platforms?

A: There are two main areas of risk with most of these technologies:

Data leakage prevention – Most of these tools are designed to create a ‘casual’ atmosphere, which may cause users to get careless. Things they wouldn’t say to just any customer visiting their office may find themselves posted on Twitter.

Malicious links – To date, the malware threat primarily spreads by finding ways to embed links to malware content in legitimate sites.

A full Secure Web Gateway strategy needs to encompass technologies to block these malicious links. CIOs/CISOs need to consider more complete Secure Web Gateway strategies, including security for their mobile clients.

As noted before, firewalls and AV alone are simply insufficient particularly for a mobile client which may become infected remotely and, literally, ‘walk a threat right around the firewall.’

Q: The proliferation of highly portable computing platforms, such as “netbooks” and Web-enabled mobile phones, is a trend with a threat element. What could be the security concerns, and how can a CIO be proactive in protecting his company?

A: As noted above, Web filtering needs to be distributed and managed on the end-point which operates outside of the gateway, particularly when you keep in mind that many infections are designed to spread in multiple ways.

Once they get onto an under-protected mobile, perhaps at an airport or hotel, they may spread from that one system to others when they reconnect to the network, leveraging peer-to-peer or network worm technologies, or even USB drives (Conficker is one such example).

However, smartphones are not yet the malware threat people fear.

Traditional ‘risk analysis’ says you need to balance ‘what’ can happen with ‘how likely’ something is to happen.

Is it possible for malware to penetrate your Smartphone? Probably! Is it likely that anyone would try? Not very! Mainly because there are easier targets.

* * *

The CTO Forum is India’s leading fortnightly magazine for technology decision makers. It promotes the exchange of informed perspectives and insights on trends, management techniques and new IT business strategies, between CIOs and other stakeholders. The CTO Forum is acknowledged as a ‘trusted source’ of knowledge for top management responsible for balancing the demands on technology for ‘growth and governance’.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com
