3 Imperatives For Rock-Solid Information Security Compliance In The Enterprise

By Tanmoy Adak, Bitwise. Published Mon, 24 Aug 2015 12:24:00 +0000.
https://www.bitwiseglobal.com/en-us/blog/3-imperatives-for-rock-solid-information-security-compliance-in-the-enterprise/


1. Opportunities for Improvement

As the years progress, the volume of data increases, and attacks and threats become more sophisticated.

The traditional approach was mostly reactive in nature (i.e. the appropriate controls were applied only after an incident took place). Organizations should take a proactive approach where the technology environment eliminates the possibility of an incident. Imagine building an application that has inbuilt security rather than applying separate software to protect the application. On similar lines, I can think of a couple of good examples which I observed during my internal audits at Bitwise. The most important of them was MAC binding of devices on the network. This eliminates the possibility of an unknown or rogue device getting connected to the network.

Another approach, applied for many clients of Bitwise, is a combination of solutions that has significantly eliminated the risks related to malicious activity by users. The desktop provided to users is a combination of a zero-compute thin client and virtualization. This solution has ensured that all compliance requirements of BFSI clients are met. The beauty of this is that there is no possibility of any manual oversights in the policies and no malicious activity is possible at the user end. Apart from security, this solution has also reduced electricity bills by 60%.

These proactive approaches ensure that the information security team focuses not only on known risks but also on unknown risks. Another advantage of this proactive approach is that it significantly decreases internal audit costs, as the scope is limited and centralized. Adopting solutions such as data leakage prevention and virtualization is a step in this direction. The advent of Big Data will play a significant role in this approach, as analysis of information security data will help organizations understand hidden vulnerabilities and address them in a timely fashion.

2. Vision for the Future

Cost plays a vital role in information security solutions. Surveys allude to the fact that there is always a gap between the current level of information security and the necessary level of information security. This gap will depend on how closely information security goals are aligned with business goals.

New digital forces like social networking and wireless devices are business priorities for most organizations. The vulnerabilities and risks associated with these forces are best handled when security teams are involved at the conceptualization stage of these initiatives. This way the team has a sufficient window to include these risks in its existing plans and to work with infrastructure teams on a roadmap that sets the foundation for safe implementation of these modern-day concepts. Rather than being a one-time investment in the security of these apps and tools, the cost is spread across many years and is often “piggybacked” onto other capital investments.

Hardware refresh or upgrade is a very common practice for an IT organization, and the choice of new hardware dictates the future of the environment for at least the next 3-4 years, until the next refresh takes place. This standard practice is itself a good example of how information security can be included in decision-making and future planning. By drawing up the business vision along with the information security team, the risks associated with the envisioned environment can be included in the decision-making process while working with the infrastructure team on hardware refresh policies. The same applies to physical security, where business goals such as new facilities and data centers can be included while deciding the capacity of new equipment.

3. Innovativeness in the Security Model

With social networking sites and blogs, enough personal and corporate information is moving to the internet to act as fodder for cybercriminals. Standard security features with standard options are implemented to reduce the associated risks. This at times can be the weak link in the cat-and-mouse race with the bad guys, who often tend to observe and exploit vulnerabilities. An organization can allocate certain efforts for security in its innovation center, which will allow a certain degree of uniqueness in the security setup of the organization. It could be a simple training or a tweak in the process which will make things more efficient.

For example, while dealing with a unique compliance requirement from a client who did not want RSA tokens to move outside Bitwise premises, there was a lengthy workflow to keep track of a single key. The innovation center suggested attaching a wooden block to each RSA stub and labeling it. The size of the block was in itself a discouragement for people to carry the RSA token with them. Moreover, even if they carried it outside the floor area, there were CCTV cameras that could clearly capture the event.

In another training initiative, the information security team conducted an event on security incidents where users of social networking sites were impacted. This resulted in wide acceptance of locking down these sites on certain sensitive terminals. The effect was so prominent that the security team received responses from employees about terminals where these sites had been missed and were not blocked.

Conclusion

A proactive approach towards information security with a vision for the future will ensure that an organization is capable of meeting the security requirements associated with emerging and future technologies. A breach in security can put the reputation of the entire company at stake. Small innovations can go a long way in making security processes effective and streamlined. Bitwise provides innovative solutions to clients in meeting their information security compliance requirements. The solutions are tailored to ensure clients' information assets are secured in the Bitwise environment.

Unwiring Enterprise Mobility

By Tanmoy Adak, Bitwise. Published Mon, 24 Aug 2015 11:15:00 +0000.
https://www.bitwiseglobal.com/en-us/blog/unwiring-enterprise-mobility/


Mobility and Information Security

Enterprise mobility is striving to provide ‘anytime, anywhere’ access to corporate applications and data. Being wireless and portable are the biggest advantages of mobile devices. These same merits are also potent information security risks. When corporate information is available on a personal device that moves in and out of the corporate environment, data is suddenly at stake, as these devices are highly vulnerable to loss and unauthorized access.

Effective Enterprise Mobility Management (EMM)

An effective EMM strategy should factor in business advantages and goals while devising policies for secure access to the corporate network and data. Overall, the strategy should focus on:

  1. Easy maintenance and central management of all devices
  2. A controlled access and authorization system
  3. Consistent user experience
  4. Increase in productivity
  5. Minimized attack surface

The rate at which new mobile devices are entering the retail market makes it essential that companies keep an updated list of approved devices and share it with employees. However, the best way to ensure application and data security is to make sure that all data resides on the server. There are several products on the market (Citrix, VMware) that ensure the actual data residing on the server is fully controlled by the administrator. This validates that the mobile solution, whether BYOD or a corporate-issued device, is always secure.

With virtualization being the mantra for attaining efficiencies, it is also an important parameter in considering workforce virtualization. Allowing users to access IT infrastructure from remote locations may not be sufficient if they are provided a separate environment for each type of connectivity. A seamless and consistent user experience is necessary to get the right amount of productivity from the users; otherwise, considerable time is spent on getting acquainted with the new user interface.

The central theme of going mobile is to further productivity and efficiency. At Bitwise, we helped one of our financial services clients design a mobile app which would allow their customers to use their cellphones as a credit card at points of sale. This saved customers from carrying their cards, and the use of NFC technology ensured that all transactions were secure.

Similarly, we implemented a security solution for one of our clients where their team members were blocked from using a camera in their work areas by using a combination of geo-locking and NFC. Both of these solutions took mobility to the next level where production innovation helped businesses achieve their goals.

Focusing on security

There are several mobile device management solutions (MDM) available on the market and each has its own niche set of tools and security framework. These solutions have a standard implementation, which will block the security deviations or provide reactive security alerts. The outputs from these tools and other security logs can be used to build a proactive security solution. In addition to giving security alerts, they will also provide inputs on improving the implemented mobility solution.

These analytic solutions have to be built by organizations to passively and actively monitor the behavior of users and their mobile devices. These analytic solutions should have the intelligence to report on:

  1. Location
  2. Application and information access
  3. User access and authentication

The Bitwise DART team has created a solution which helps our clients identify potential weaknesses in this mobility policy framework. It also provides feedback on ways to improve the existing mobility policies and attain higher efficiencies.
