Information security has been raised up the corporate
agenda once again due to TJX, the parent company of cut-price
clothing retailer TK Maxx. TJX suffered the biggest breach of
personal data so far, with its
US Securities and Exchange Commission filing
revealing that more than 45 million credit and debit card
numbers were stolen.
It is not yet clear exactly how so many details were obtained,
but it is a clear warning to organisations of all sizes to check
that security is adequate to prevent a similar occurrence.
Infosecurity Europe is the event where they can
do exactly that, as the information security industry gathers at
the Grand Hall, Olympia, London, from 24-26 April for the show. The
free education programme addresses both strategic and technical
issues and gives visitors the benefit of the skills and experience
of senior end-users.
This year's show will be busier than ever, with more than 330
exhibitors showcasing innovative products and services and 100
suppliers launching new products.
The keynote sessions are the highlight of
the education programme, and bring together the industry's
leading independent experts, government officials and end-users
from high profile corporations. The sessions will also take an
in-depth look at some of the hottest ideas in information
security.
The opening address by Lord Broers, chairman of
the House of Lords science and technology committee, will
examine some of the issues explored by the committee's inquiry
into internet security, and what has been learned from the
experience of other countries.
In his special address, Derek Wyatt, chairman of
the All Party Parliamentary Internet Group, will highlight
some of the key security measures associated with the 2012
Olympic Games.
Identity management
Lord Erroll will lead a panel debate on identity
management, examining how to pick the right tools for the
job. The panellists will include Toby Stevens, vice-chairman of
the BCS security forum, Andy Kellett, senior research analyst at
Butler Group, and Maury Shenk, partner at law firm Steptoe and
Johnson and head of the Sans European legal programme.
"Identity management is one of the most misused and abused
expressions in modern computing," says Stevens.
"The vested interests behind identity cards, biometric
technologies and single sign-on systems have created an environment
where it is almost impossible to distinguish between technological
fact, science fiction and commercial propaganda.
"The heated debate around these issues is eroding public
confidence in the industry's trustworthiness. It is high time that
we adopted a more transparent dialogue about system capabilities -
and shortcomings - so that we can create identity assurance systems
that serve providers and users alike," says Stevens.
He adds, "I think it is unrealistic of central government to
believe it can use ID management to control the bad citizen or
visitor. People should have the right to assume a different persona
in different aspects of their lives and to be allowed some
privacy."
According to Shenk, "There is increasing recognition that
different identity management solutions are appropriate to
different applications to enable businesses to deal with the
commercial and legal risks of particular situations."
Kellett says, "End-to-end projects that have been put forward to
deal with all identity management and access control issues have
often proved to be unrealistic, and indeed, for some, far too
difficult to achieve.
"However, organisations that have taken a more structured and
prioritised approach to the identity and access management service
delivery model, have and do, achieve better results in the long
run."
Wireless security
Phil Cracknell, UK president of the Information
Systems Security Association, will lead a panel on wireless
security with John Meakin, group head of information
security at Standard Chartered Bank.
"With recent surveys showing more than 80% of UK businesses now
have a wireless policy or a statement regarding the use of wireless
equipment, you would think that it was a case of job done as the
message is coming through loud and clear," says Cracknell.
"However, on closer scrutiny it would appear that corporate
wireless users have only scratched the surface. Little, if any,
provision is present for the important and increasing issues of
wireless scanning, rogue hotspots, evil twins and drifting
clients."
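The site-survey check Cracknell is describing can be scripted. The following is an added example and is not code from the article or from any of the speakers quoted in it: it compares observed beacons against an inventory of sanctioned radios and flags a corporate SSID coming from an unknown BSSID (an evil twin or rogue hotspot), and a known radio advertising weaker security than sanctioned. The SSIDs, BSSIDs and survey lines are constructed, and the comma-separated survey format is a hypothetical export rather than any real tool's output.

```python
"""Spot rogue access points and evil twins in a wireless site survey.

Added example, not code from the article or from any speaker quoted in
it. The corporate SSID names, BSSIDs and the survey lines are all
constructed for illustration; the survey format (SSID,BSSID,channel,
security) is a hypothetical export, not any real tool's output.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str      # radio MAC, normalised to lower-case colon form
    channel: int
    security: str   # one of OPEN, WEP, WPA2-PSK, WPA2-EAP


# Stronger security ranks higher; anything unrecognised ranks as OPEN.
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA2-PSK": 2, "WPA2-EAP": 3}

# Constructed inventory of sanctioned radios (hypothetical corporate SSIDs).
AUTHORISED = [
    AccessPoint("CorpNet", "00:1a:2b:3c:4d:01", 1, "WPA2-EAP"),
    AccessPoint("CorpNet", "00:1a:2b:3c:4d:02", 6, "WPA2-EAP"),
    AccessPoint("CorpGuest", "00:1a:2b:3c:4d:03", 11, "WPA2-PSK"),
]

# Constructed site-survey export: one observed beacon per line.
SAMPLE_SURVEY = """\
CorpNet,00:1A:2B:3C:4D:01,1,WPA2-EAP
CorpNet,0A:BB:CC:DD:EE:FF,6,OPEN
CorpGuest,00:1a:2b:3c:4d:03,11,OPEN
CoffeeShop,12:34:56:78:9a:bc,1,OPEN
CorpNet,00:1a:2b:3c:4d:02,6,WPA2-PSK
corpnet ,de:ad:be:ef:00:01,11,WPA2-PSK
"""


def normalise_bssid(raw: str) -> str:
    return raw.strip().lower().replace("-", ":")


def normalise_ssid(raw: str) -> str:
    # Lookalike names ("corpnet ", "CORPNET") count as the same SSID.
    return raw.strip().casefold()


def parse_survey(text: str) -> list[AccessPoint]:
    aps = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ssid, bssid, channel, security = (f.strip() for f in line.split(","))
        aps.append(AccessPoint(ssid, normalise_bssid(bssid), int(channel),
                               security.upper()))
    return aps


def audit(scan: list[AccessPoint], authorised=AUTHORISED) -> list[tuple[str, str, str]]:
    """Return (finding, ssid, bssid) triples for suspicious beacons.

    evil-twin:           a corporate SSID from a radio not in the inventory
    downgraded-security: a known radio advertising weaker security than sanctioned
    ssid-mismatch:       a known radio advertising a different SSID
    """
    known = {normalise_bssid(ap.bssid): ap for ap in authorised}
    corp_ssids = {normalise_ssid(ap.ssid) for ap in authorised}
    findings = []
    for seen in scan:
        ref = known.get(seen.bssid)
        if ref is None:
            # An unknown radio with a non-corporate SSID is a neighbour, not a finding.
            if normalise_ssid(seen.ssid) in corp_ssids:
                findings.append(("evil-twin", seen.ssid, seen.bssid))
            continue
        if normalise_ssid(seen.ssid) != normalise_ssid(ref.ssid):
            findings.append(("ssid-mismatch", seen.ssid, seen.bssid))
        if SECURITY_RANK.get(seen.security, 0) < SECURITY_RANK[ref.security]:
            findings.append(("downgraded-security", seen.ssid, seen.bssid))
    return findings


if __name__ == "__main__":
    for kind, ssid, bssid in audit(parse_survey(SAMPLE_SURVEY)):
        print(f"{kind:20} {ssid!r:14} {bssid}")
```

On the constructed survey this flags the open "CorpNet" on an unknown radio, the lookalike "corpnet", and the two sanctioned radios seen with weaker security than the inventory records. The check only catches the common case: an attacker who clones the BSSID and security settings as well as the SSID is indistinguishable at the beacon level, and the "drifting client" problem is a client-side matter, addressed by pinning corporate profiles to EAP with server-certificate validation rather than by scanning alone.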
John Riley, managing editor of Computer Weekly,
will lead a debate entitled, "Is network security dead?"
Panellists will include Paul Simmonds, global information
security director at ICI; Jason Creasey, head of research at the
Information Security Forum; Stuart Okin, a senior executive at
Accenture; and John Reece, CEO of consultancy John C Reece &
Associates.
As applications move towards architectures that have components
running on multiple hosts and local units, there is a blurring of
the edges of systems.
"Essentially, applications are becoming a cloud that end-users
have an interface with, rather than a controlled black box, and IT
staff may not control all of the elements of the system, especially
with an internet backbone.
"With the additional corporate trends of shared and outsourced
services, these clouds of applications are also found within a
traditional enterprise environment," says Okin.
"The result is that the perimeter is no longer well defined, and
the challenge for organisations today is identifying who is
connecting with these application clouds and establishing their
intent."
With myriad qualifications available, the single biggest
questions for IT directors remain: how can appropriate
qualifications be recognised? And what are the right educational
tools for the job that your personnel are doing?
These will be evaluated in the keynote address
chaired by Nick Coleman, chief executive of the Institute of
Information Security Professionals entitled,
"Professionalism: Where are we in 2007?". Panellists will
include Jeremy Beale, head of the Confederation of British
Industry's e-business group; Chris Ensor, head of profession at
CESG, the UK government's authority on information assurance;
and Robert Coles, director EMEA and head of information security and
privacy at Merrill Lynch.
New threats
The keynote "Are you even remotely secure?" will examine new
threats in the wake of the change in working habits, and explore
ways in which organisations can mitigate them.
The presentation will be led by Brian McKenna,
editor of Computer Weekly, with Steven Furnell, professor of
information systems security at the University of Plymouth,
Steve Robinson, head of IT security Europe at investment bank
Lehman Brothers, and David Perry, principal analyst at Freeform
Dynamics.
Research by Freeform Dynamics indicates that mobile e-mail - and
now mobile applications - are initially deployed in many cases in
an ad hoc way, typically for senior managers.
"The pressure to 'get me the data, now' from a senior level can
lead to rapid deployment of mobile data, without a sufficient
security framework. Even taking a company laptop home to do extra
work can risk disclosure of sensitive company and customer data,"
says Perry.
The clear danger with mobile devices is that data is being
stored in an inherently more vulnerable location, with less
protection than it would receive in the workplace.
"If we specifically consider devices such as smartphones and
PDAs, then not only does the size and mobility of the devices
render them far more susceptible to loss and theft, but they are
also more limited in the security options that are available,"
Furnell says.
"In addition, the usage of the devices affects the security that
will be tolerable. Although we might be happy enough entering a 10
character password to access a laptop, this would be less
acceptable on a PDA that is frequently used for short periods.
Indeed, such devices are often left entirely unprotected against
unauthorised access."
When it comes to remote working, IT security is not just
important, it is essential. Robinson says, "An organisation's
IT security group needs to assess each specific risk and implement
solutions to enable the business to take full advantage of today's
technology to maximise their remote working capabilities."
Marika Konings, director of European affairs for
the Cyber Security Industry Alliance, will lead a panel on how
to secure the latest telecoms technologies. She will be
joined by Cate McGregor, DFN, director OGDs and agencies,
Defence Communications Services Agency and Roger Cumming, head
of advice and delivery, at the Centre for the Protection of
National Infrastructure.
The convergence of communications networks, devices and content
has enabled service providers to deliver newer, faster and more
advanced services, including voice, data, video and applications -
all over a single IP network.
Konings says, "While these rapid technology advancements have
tremendous benefits, they have raised questions from policy makers
about whether security can keep up."
Subject to crime
Every business is subject to crime every day - but at what point
does it become sensible for you to report it?
The keynote presentation, "Should you always
report crime?" will be chaired by Geoff Smith, head of
information security policy at the Department of Trade and
Industry, with Tony Neate, managing director of
GetSafeOnline, Philip Virgo, secretary general of Eurim, and
Jonathan Coad, partner, law firm Swan Turton.
According to Neate, "We need to become more aware and educated
against these new threats - from the home user to the
multinational, the computer and technology industry to government
and law enforcement."
Bruce Schneier will debate the psychology of
security in his keynote session, and
Bob Ayers, associate fellow of Chatham House
information security programme, will lead a panel on insider
threats.
Jon Fell, partner at law firm Pinsent Masons,
will chair the hackers' panel.
In addition to the keynote programme, there are also more than
60 free seminar sessions split into business and technical streams
which explore the key issues facing organisations and the
technologies available to address them.
This year sees the return of "The Lion's Den", the toughest
arena for seven leading product specialists to put their products
on the line before a panel of experts.
There is also the new implementation forum, an educational and
networking event designed to address the key inhibitors faced when
implementing information security products.