As a snapshot of the state of our industry, the Infosecurity Europe conference in April underlined the extraordinary pace of change that enterprises are facing.
In 2010, the security implications of smartphones and cloud computing were just coming on the agenda; a year later, these threat vectors took centre stage. Successive debates and panel discussions at this year’s conference revealed a growing concern over these twin trends that apparently seem unstoppable since cloud computing is cheap, and smartphones are sexy.
In both cases, it seems organisations are falling over themselves to adopt these technologies without letting security considerations get in the way.
The economics of cloud computing make it hard to resist, especially for companies struggling to cope with the long recession. As many Infosec exhibitors reported, organisations are desperate to reduce both their capital expenditure and their operational overheads. Cloud services can fulfil both those aims, and they may even improve security by applying a level of discipline and professionalism that organisations would struggle to achieve on their own.
In the case of smartphones and tablets, demand is fuelled by senior managers who buy good looking products, such as the Apple iPad, and demand to have them connected to the corporate network. Again, the general consensus from CISOs involved in conference discussions was that, if the boss wants an iPad, then IT has to find a way to make it happen.
However, both phenomena have security pros scratching their heads on how to minimise the risks. Some technological solutions were on display, mainly antivirus products adapted for smartphone platforms, but, on the whole, the industry is still looking for answers.
The biggest question mark hanging over cloud services is: How can an organisation know the provider will protect its data? A service-level agreement does not guarantee or verify security policies are followed to the letter.
It seems organisations are falling over themselves to adopt these technologies without letting security considerations get in the way.
Some kind of auditing regime is required, but the cloud providers rightly argue they cannot be expected to let every customer do an audit. Some professional bodies, notably the Cloud Security Alliance, have come up with a standard questionnaire to ease the process. But, as several CISOs reported from personal experience, the cloud service providers have so much business at the moment that they can afford to say, “Take it or leave it” to prospective clients. They will not answer questionnaires, asserting their security is fine: Just take their word for it.
Some companies accept those assurances at face value. But, as the recent breaches at RSA, Epsilon and Sony have shown that big systems holding valuable data, no matter how well defended, will always act as a magnet for the criminally inclined. And, a big cloud service provider would certainly fall into that category.
Under the circumstances, information security professionals said they are trying to confine the use of the cloud to non-sensitive data. Regulatory compliance may also limit its use, especially if the service provider cannot guarantee personal data will stay within the EU. Even cost cutting bosses want to stay inside the law.
In the case of smartphones, security professionals are also focusing on risk limitation. Several CISOs seemed relaxed about allowing iPhones and iPads because of Apple’s ‘walled garden’ approach to its App Store. The reliability of the apps, plus some of the features built into the IOS operating system, have persuaded many that Apple devices can be accommodated alongside the more traditionally accepted BlackBerry. But, most draw the line at giving network connections to Android, which they see as an uncontrollable and dangerous device that may harbour malware.
Securing Web 2.0
While users pondered how to handle upcoming problems, security vendors have finally caught up with a problem first raised two or three years ago: What to do about Web 2.0 and social networking applications?
As with the cloud and smartphones, a sudden wave of demand from employees and businesses presented security personnel with a huge challenge. Outright blocking was unpopular and difficult to achieve, and few firewall vendors were able to distinguish between harmless HTTP traffic (Web access) and other Web-based applications, such as Facebook, Twitter or Skype.
Furthermore, companies needed to regulate who used what aspects of social networking. For instance, they might permit Facebook, but not the uploading of sensitive files, or they might allow Skype phone calls and instant messaging, but not the sending of attachments.
That level of granular control has been hard to come by. For a while, Palo Alto Networks had the application-aware firewall space to itself, although its pricing excluded all but the larger organisations. Over time, however, other manufacturers have updated their products. At Infosec, firewall manufacturer Watchguard announced support for application control, and SonicWall introduced similar features on its UTM appliances, with even more granular control to come later in the year. Sourcefire, a maker of intrusion prevention systems, also announced greater application control in its systems. Those announcements and others will allow smaller organisations to finally to regain control over Web 2.0 applications, which are increasingly being used by hackers to deliver malware.
Death of the password?
Some problems in security never change, one of the most enduring being what to do about passwords. The well-publicised breach of the system supporting RSA’s SecurID one-time password infrastructure, just a couple of weeks before Infosecurity, provided rival vendors of two-factor authentication with a rare opportunity to promote their products as an urgent and viable alternative.
A string of information security vendors, including Swivel, GridSure, Signify, SecurEnvoy, CryptoCard and Winfrasoft, promoted a range of products with and without tokens. Some relied on delivering a simple code while others used a pattern-based method to deliver one-time codes. Most reported brisk interest on their exhibition stands, but whether that turns into business is another matter.
Thus, as continues to be the case, reports of the death of the password may be a little premature.