Infosecurity preview: Knowledge is power

The keynote sessions at Infosecurity Europe will cover many of the most pressing strategic and technical issues facing IT professionals

Information security has been raised up the corporate agenda once again due to TJX, the parent company of cut-price clothing retailer TK Maxx. TJX suffered the biggest breach of personal data so far, with its US Securities and Exchange Commission filing revealing that more than 45 million credit and debit card numbers were stolen.

It is not yet clear exactly how so many details were obtained, but it is a clear warning to organisations of all sizes to check that security is adequate to prevent a similar occurrence.

Infosecurity Europe is the event where they can do exactly that, as the information security industry gathers at the Grand Hall, Olympia, London, from 24-26 April for the show. The free education programme addresses both strategic and technical issues and gives visitors the benefit of the skills and experience of senior end-users.

This year's show will be busier than ever, with more than 330 exhibitors showcasing innovative products and services and 100 suppliers launching new products.

The keynote sessions are the highlight of the education programme, and bring together the industry's leading independent experts, government officials and end-users from high profile corporations. The sessions will also take an in-depth look at some of the hottest ideas in information security.

The opening address by Lord Broers, chairman of the House of Lords science and technology committee, will examine some of the issues explored by the committee's inquiry into internet security, and what has been learned from the experience of other countries.

In his special address, Derek Wyatt, chairman of the All Party Parliamentary Internet Group, will highlight some of the key security measures associated with the 2012 Olympic Games.

Identity management

Lord Erroll will lead a panel debate on identity management, examining how to pick the right tools for the job. The panellists will include Toby Stevens, vice-chairman of the BCS security forum, Andy Kellett, senior research analyst at Butler Group, and Maury Shenk, partner at law firm Steptoe and Johnson and head of the Sans European legal programme.

"Identity management is one of the most misused and abused expressions in modern computing," says Stevens.

"The vested interests behind identity cards, biometric technologies and single sign-on systems have created an environment where it is almost impossible to distinguish between technological fact, science fiction and commercial propaganda.

"The heated debate around these issues is eroding public confidence in the industry's trustworthiness. It is high time that we adopted a more transparent dialogue about system capabilities - and shortcomings - so that we can create identity assurance systems that serve providers and users alike," says Stevens.

He adds, "I think it is unrealistic of central government to believe it can use ID management to control the bad citizen or visitor. People should have the right to assume a different persona in different aspects of their lives and to be allowed some privacy."

According to Shenk, "There is increasing recognition that different identity management solutions are appropriate to different applications to enable businesses to deal with the commercial and legal risks of particular situations."

Kellett says, "End-to-end projects that have been put forward to deal with all identity management and access control issues have often proved to be unrealistic, and indeed, for some, far too difficult to achieve.

"However, organisations that have taken a more structured and prioritised approach to the identity and access management service delivery model, have and do, achieve better results in the long run."

Wireless security

Phil Cracknell, UK president of the Information Systems Security Association, will lead a panel on wireless security with John Meakin, group head of information security at Standard Chartered Bank.

"With recent surveys showing more than 80% of UK businesses now have a wireless policy or a statement regarding the use of wireless equipment, you would think that is was a case of job done as the message is coming through loud and clear," says Cracknell.

"However, on closer scrutiny it would appear that corporate wireless users have only scratched the surface. Little, if any, provision is present for the important and increasing issues of wireless scanning, rogue hotspots, evil twins and drifting clients."

John Riley, managing editor of Computer Weekly, will lead a debate entitled, "Is network security dead?" Panellists will include Paul Simmonds, global information security director at ICI Jason Creasey, head of research at the Information Security Forum Stuart Okin, a senior executive at Accenture and John Reece, CEO of consultancy John C Reece & Associates.

As applications move towards architectures that have components running on multiple hosts and local units, there is a blurring of the edges of systems.

"Essentially, applications are becoming a cloud that end-users have an interface with, rather than a controlled black box, and IT staff may not control all of the elements of the system, especially with an internet backbone.

"With the additional corporate trends of shared and outsourced services, these clouds of applications are also found within a traditional enterprise environment," says Okin.

"The result is that the perimeter is no longer well defined, and the challenge for organisations today is identifying who is connecting with these application clouds and establishing their intent."

With myriad qualifications available, the single biggest questions for IT directors remain: how can appropriate qualifications be recognised? And what are the right educational tools for the job that your personnel are doing?

These will be evaluated in the keynote address chaired by Nick Coleman, chief executive of the Institute of Information Security Professionals entitled, "Professionalism: Where are we in 2007?". Panellists will include Jeremy Beale, head of the Confederation of British Industry's e-business group Chris Ensor, head of profession at CESG, the UK government's authority on information assurance and Robert Coles, director EMEA and head of information security and privacy at Merrill Lynch

New threats

The keynote "Are you even remotely secure?" will examine new threats in the wake of the change in working habits, and explore ways in which organisations can mitigate them.

The presentation will be led by Brian McKenna, editor of Computer Weekly, with Steven Furnell, professor of information systems security at the University of Plymouth, Steve Robinson, head of IT security Europe at investment bank Lehman Brothers, and David Perry, principal analyst at Freeform Dynamics.

Research by Freeform Dynamics indicates that mobile e-mail - and now mobile applications - are initially deployed in many cases in an ad hoc way, typically for senior managers.

"The pressure to 'get me the data, now' from a senior level can lead to rapid deployment of mobile data, without a sufficient security framework. Even taking a company laptop home to do extra work can risk disclosure of sensitive company and customer data," says Perry.

The clear danger with mobile devices is that data is being stored in an inherently more vulnerable location, with less protection than it would receive in the workplace.

"If we specifically consider devices such as smartphones and PDAs, then not only does the size and mobility of the devices render them far more susceptible to loss and theft, but they are also more limited in the security options that are available," Furnell says.

"In addition, the usage of the devices affects the security that will be tolerable. Although we might be happy enough entering a 10 character password to access a laptop, this would be less acceptable on a PDA that is frequently used for short periods. Indeed, such devices are often left entirely unprotected against unauthorised access."

When it comes to remote working, IT security is not just important, it is essential. Steve Robinson, European head of information security at Lehman Brothers, says, "An organisation's IT security group needs to assess each specific risk and implement solutions to enable the business to take full advantage of today's technology to maximise their remote working capabilities."

Marika Konings, director of European affairs for the Cyber Security Industry Alliance, will lead a panel on how to secure the latest telecoms technologies. She will be joined by Cate McGregor, DFN, director OGDs and agencies, Defence Communications Services Agency and Roger Cumming, head of advice and delivery, at the Centre for the Protection of National Infrastructure.

The convergence of communications networks, devices and content has enabled service providers to deliver newer, faster and more advanced services, including voice, data, video and applications - all over a single IP network.

Konings says, "While these rapid technology advancements have tremendous benefits, they have raised questions from policy makers about whether security can keep up."

Subject to crime

Every business is subject to crime every day - but at what point does it become sensible for you to report it? The keynote presentation, "Should you always report crime?" will be chaired by Geoff Smith, head of information security policy at the Department of Trade and Industry, with Tony Neate, managing director of GetSafeOnline, Philip Virgo, secretary general of Eurim, and Jonathan Coad, partner, law firm Swan Turton.

According to Neate, "We need to become more aware and educated against these new threats - from the home user to the multinational, the computer and technology industry to government and law enforcement."

Bruce Schneier will debate the psychology of security in his keynote session, and Bob Ayers, associate fellow of Chatham House information security programme, will lead a panel on insider threats. Jon Fell, partner at law firm Pinsent Masons, will chair the hackers' panel.

In addition to the keynote programme, there are also more than 60 free seminar sessions split into business and technical streams which explore the key issues facing organisations and the technologies available to address them.

This year sees the return of "The Lion's Den", the toughest arena for seven leading product specialists to put their products on the line before a panel of experts.

There is also the new implementation forum, an educational and networking event designed to address the key inhibitors faced when implementing information security products.

Infosecurity preview: Building blocks of trust >>

Infosecurity preview: Mobilising single sign-on >>

Infosecurity preview: Bridging the reality gap >>

Infosecurity preview: When a year is a lifetime >>

More information on the show, including free entry >>

Infosecurity Europe keynote sessions >>

David Lacey’s security blog >>
The latest ideas, best practices, and business issues associated with managing security

Stuart King’s risk management blog >>
Dealing with the operational challenges of information security and risk management

Comment on this article: [email protected]

Read more on IT risk management