2010 6 things u need 2 know in 2010 whitepaper final

Page 1: 2010  6 Things u need 2 know in 2010 Whitepaper Final

February 2010

IT Security

Six things you need to know in 2010


Contents

1 Executive summary (page 2)
2 Introduction (page 3)
3 Cyber crime (pages 4-5)
4 The insider threat (pages 6-7)
5 Post-recession exodus (page 8)
6 Social media in the workplace (pages 9-11)
7 Security in the cloud (pages 12-13)
8 Enterprise cloud use (pages 14-15)
9 The BT offer (pages 16-17)

1 Executive summary

Security concerns are at the heart of pretty much every aspect of networked IT services today, but are the real security questions being addressed? Do CIOs and CEOs suffer from a translation problem when assessing and developing solutions for the potential threat? And has the incentive during the recession been to sweep the big issues under the carpet? This white paper looks at the six things a CEO should be asking his CIO in 2010, and the answers he should be looking for to ensure his enterprise capitalises on any easing of the global economic downturn. It also turns each of the six issues on its head and defines what the CIO needs to be saying to the CEO to ensure the IT function performs optimally in the year ahead.

This paper offers practical guidance to both audiences on the security issues likely to be making headlines in 2010. It should be a vital desk companion to CEOs and CIOs looking to foster better understanding of how data and network security affects their organisation.

2 Introduction

For all that information security is one of the most critical issues facing organisations today, be they a financial institution holding customers’ banking details or a government body holding electoral, health, criminal, employment or immigration data, too often an inability to translate the issue from a technical to a business one gets in the way. Vital facts are lost, as it were, in translation.

This paper presents six of the biggest security topics that CIOs, CSOs and CEOs should be discussing – urgently – in 2010. And it does so in an attempt to break down this barrier, acting as a straightforward guide to the problem, the situation as it stands and the solutions available. BT Global Services has decades of experience helping major international organisations protect themselves and their customers from the ever-present threat of information loss or attack. This paper is aimed at spreading just some of that experience around. We hope it is useful and that you get in touch if you have any questions at all.

In 2010, three things, at least, are certain.

One: information security will be better than last year, which was better than the year before, and so on, because the technologies to counter threats are evolving every day.

Two: conversely, the security of information – corporate, commercial and personal – will come under more threat than ever before, as the increasing importance of data makes it the battleground for an ever more fraught fight between those who would steal or misuse it and those who would protect it. This ‘arms race’ between hackers and IT security professionals can only escalate.

Three: the issue of information security will become more and more of a mainstream topic, discussed in mainstream newspapers and on mainstream television channels. Already, Google’s decision to cease its censorship in China due to suspicious attacks on data held on its servers has been one of the biggest news stories of the year.

Against this backdrop of increasing complexity and a rising public profile, CIOs, CSOs and CEOs will meet around the board table to discuss the security issues facing their organisations: issues that have never been more important, or more challenging to understand, let alone to address. Yet they will meet around those tables hampered by a simple yet very real barrier: language and awareness, or lack of it.

3 Cyber crime

Is cyber crime a real danger for this organisation? CEO

What’s the problem?

Globalisation is leading to a new “cyber cold war”. Google’s decision to cease its censorship of content in China after attempts to hack into its servers was just the latest in a series of similar events in recent years.

Issues such as this have long been considered at a serious political and diplomatic level. As far back as 2002, in fact, the FBI announced its “number three” priority was protecting the United States “against cyber-based attacks and high-technology crimes.” [1] Since that time, the problem has grown exponentially. In May 2009, US President Barack Obama announced he would create a new White House office of cyber security, with that cyber czar reporting to the National Security Council as well as to the National Economic Council.

Other countries have been quick to follow suit. According to a policy paper on national security published in January 2010, the Conservative Party, widely expected to form the next UK Government, plans to establish [2] a Cyber Threat and Assessment Centre to counter online attacks against the UK. In the same month, Australia opened the Cyber Security Operations Centre [3] following a year in which its defence computer networks were attacked by about 220 “security incidents” every month, with another 220 targeting other government systems. In the Philippines, a new cybercrime Bill has been passed this year. [4]

Together, all this paints a picture of a very modern battlefield, one that itself exists “in the cloud”, with skirmishes being fought daily over data carried via the internet and networks.

And the war is escalating. Why is this? Firstly, the world, and particularly the business world, is more globalised than ever before. Secondly, that same world is more networked than ever before. It is more reliant on technology, partly because so much business is now conducted over huge distances and partly because so much business is now data-driven and computer-dependent.

The result is a very modern transmutation of the age-old phenomenon of “industrial espionage”, which has been around since the dawn of commerce. Spying on, stealing or sabotaging the data of another organisation – be it a commercial enterprise or a national government – gives you anything from competitive advantage to economic and military superiority.

And there is a worrying acceptance of the problem. More than half of executives in developing regions themselves admit that the threat of international cyber-espionage, hacking or web fraud is more likely to come from a source located in a developing economy such as (but not limited to) Russia, India, Brazil or China. [5]

[Figure: bar chart, 0-100%, of Yes / No / Don’t know responses for Brazil, China, India and South Africa] Do you believe that the threat of international cyber-espionage (hacking, web fraud etc.) is more likely to come from a source located in a developing economy such as (but not limited to) Russia, India, Brazil or China?

1. http://transcripts.cnn.com
2. http://www.conservatives.com
3. http://www.alp.org.au
4. http://technology.inquirer.net
5. Datamonitor research commissioned by BT: Threatening Skies: Risk in the Global Economy, 2008

Can we protect ourselves?

The question being asked in boardrooms is “can we truly protect ourselves against the next generation of hacking? Or is damage-limitation the best we can hope for?” Providing reassurance is a tricky thing, because companies involved in providing security solutions need to be transparent and responsible with their claims. So let us be very clear, here, from the outset: there is no easy panacea to this problem. There is no single product or service that can be plugged in and means your data is safe. Instead, companies need to sit up and take this problem seriously at a senior level and not relegate it to a nuts-and-bolts IT services issue.

Yes, but don’t expect technology to solve the problem on its own

Firstly, it is vital to recognise how the very nature of globalisation has altered the challenge. Once upon a time, a virus detection programme could easily check IP addresses linked to a PC or server, spot any beginning 85.xxx, recognise that this was going to China, for example, and block the address. Today, of course, most international companies will be sending and receiving legitimate data packets to and from China daily – suppliers’ details, product data, order information. So modern software has to learn what activity is legitimate and what is not before it begins to run effectively. This is hugely powerful, but the understanding of the process is not always there. Too many organisations, erroneously, think they have this activity covered as soon as they’ve installed the new kit. Just because suspicious activity has not been detected does not mean that it’s not going on.

The very language we use is also a problem. The term “cyber-crime” leads us to forget that the data still starts and ends with a physical machine, and so the physical threat is frequently overlooked. You can have the best technology in the world, but it won’t help if your office cleaners are easily able to smuggle information out of your building on a data stick.

Ultimately, what is needed is a combination of good corporate policy, married to effective technology. Far too often, we see one without the other and, in 2010, this is not good enough.

Practical advice

1. Check physical security. Ensure that your technology, facilities management and human resources departments, at the very least, are talking to each other. Any external suppliers with access to your building should be properly vetted.

2. Ensure you have the appropriate technology in place and that it is set up correctly: software-based anomaly detection, located in the network, coupled with solid firewalls at your data centre end.

3. Link this up with effective policy adherence – rigorous testing, monitoring, recording – such as is demanded by ISO 27001 (BS7799), the Information Security Management System (‘ISMS’) standard.

4. Ensure that policy is in place for follow-through: detecting and countering an attack is one thing. You also need to be able to trace it and build up a proper chain of evidence, should you ever need to take someone to court. This means your IT people need to be trained to log dates and times properly, and your legal department will need to be involved to ensure your policies adhere to privacy laws.

It’s a growing threat, and one we must confront CIO

4 The insider threat

Is our information safe in the hands of our people? CEO

Most organisations today simply could not exist without computerised data and the internet and private networks that allow it to be shared. Data is everywhere, in digital form, and the proliferation of easy ways to store and transport it, from laptops and USB sticks to iPhones, iPods and just sending it via personal email, makes keeping it within your building a daunting task.

What’s the problem?

The ‘insider threat’ is, unfortunately, a growing one. According to research from McAfee, 75% of website defacement is the result of an internal job and 68% of data theft is internal. [6] The threat from within covers three main areas:

• Genuine mistakes – people leaving a machine unencrypted and vulnerable (see cyber crime, above), or sending the wrong email, possibly with sensitive data attached

• Lack of awareness of security policies – people naively allowing leakage of sensitive data

• Deliberate – someone unhappy with the company, maybe having been made redundant, and taking revenge: deleting billing records, for example, or stealing information that can be sold to competitors or used to gain advantage in his next job.

Can we protect ourselves?

Again, the problem arises less from technology and more from policy and, often, simple human error and forgetfulness.

Yes, if you remember PEACE

Accessing all that data can be as simple as logging on to a computer and browsing a directory or folder structure on the server, or as complex as entering multiple usernames and passwords, some static and others dynamic, generated in real time by technologies that are now part of everyday working life, such as key fobs and remote login tokens.

Countering the insider threat starts with policy. What is your organisation’s policy for information security, personal email use or plugging personal iPods into computers, for example? If you manage a call centre, do you have a policy on cameras? People can just as easily take photos of customer data on screens as download it to a stick.

Policy is nothing if people don’t know about it. You must communicate with your employees, be transparent about your rules on the above and why they are there. This means ongoing training and awareness, so that line managers know how to keep their teams adhering to policy.

At the heart of that policy should be access rights: who has access to what data? You need to get the balance right, giving people the access to the information they need, with enough leeway to be able to innovate and do their job. But full administration rights to all data are rarely appropriate for the entire workforce. And, above all, remember to cancel outgoing employees’ access rights, which includes their key fobs, passwords, remote login usernames and so on.

Follow this up with change management controls. If a new item of software, a new database, for example, or a new security patch is being installed, don’t let any one programmer have the right to unilaterally change the code or the application. The change should be verified by two or more people.

Finally, encrypt your data. It is incredible how many organisations in 2010 do not save sensitive data in an encrypted format. Most software applications – even mainstream ones, such as Microsoft Office – support strong encryption.

Practical advice

Simple – remember PEACE: Policy, Education, Access, Change management and Encryption.

Security Softie: European League Table

Do employees let friends/family use their work computer to access the internet at work or home?

European Average: 21%
Italian employees: 42% (most lax)
French employees: 23%
British employees: 21%
Spanish employees: 16%
Dutch employees: 14%
German employees: 12% (least lax)

Source: McAfee, ‘The Threat From Within’

Gadget Geek: European League Table

What percentage of employees admit to owning at least one personal gadget to connect to the office PC?

European Average: 51%
French employees: 56% (most lax)
Spanish employees: 54%
British employees: 51%
Italian employees: 49%
Dutch employees: 48%
German employees: 48% (least lax)

What percentage of employees connect devices at least once a week to the office PC?

European Average: 52%
Italian employees: 56% (most lax)
Spanish employees: 53%
Dutch/French employees: 52%
British employees: 47%
German employees: 46% (least lax)

With the right internal policies and practices, we can ensure it is safe CIO

6. http://www.softcat.com/files/pdfs/TheThreatsEnglish.1.pdf

5 Post-recession exodus

Are we protected when people leave the organisation? CEO

What is it?

Research from a variety of countries and sectors indicates that a considerable number of employees are waiting for the global recession to end before moving jobs. In the US, one in five workers plans a switch when the economy improves, according to a December 2009 survey. [7] In the UK, similar surveys predict that anything from one in three to half of employees will move once the economy stabilises. [8]

Many people, runs the argument, have stayed in the same position for the past two years, with no promotion, pay rise or bonus and possibly with pay cuts or reduced hours. Whatever the true figures, the notion that there is a dam waiting to burst seems valid.

Can we protect ourselves?

Essentially, this is the same question as the previous one – just on a bigger, simultaneous scale, and therefore with a sense of urgency that relates to the current economic environment.

If and when these people begin their exodus en masse, they will pose a unique form of insider threat (see insider threats, above), potentially removing commercially sensitive (for you) and useful (for them) information from your organisation, on an unprecedented scale.

Yes, but exit management strategy is key

The solution requires that you implement the steps discussed above, without delay. If you think your organisation is vulnerable to a sudden and simultaneous exodus of employees, you must put an immediate focus on getting your exit management processes up to date – there is no way of knowing when this dam might burst.

Practical advice

1. Ensure that everyone leaving is individually aware of his or her responsibilities.

2. Involve your HR department now, so that they are able to provide a double check (along with your technology people) that physical access tokens and key fobs have been returned and deactivated or reset.

3. Your tech department should, of course, make sure that all usernames, logins and passwords to company data are cancelled.

Exit management is critically important for information security CIO

7. http://www.reuters.com/article/idUSTRE57Q0OA20090827
8. http://bit.ly/5F9XGS; http://bit.ly/6o1SFL; http://bit.ly/5URQQ5

6 Social media in the workplace

What’s the problem?

The internet phenomenon that is social networking has been one of the most talked-about security topics of the past two or three years. As soon as it became apparent that people were using their work as well as their personal internet connections to log on to external sites to share information – and, potentially, data – organisations began voicing their concerns. The worry was, and still is, that sites such as Facebook and Twitter might at best reduce people’s productivity and at worst pose a threat to information integrity.

Of particular concern has been the theory that the incoming generation of employees, reared on the internet and potentially blasé about security, will pose a major challenge for management.

Generation Y refers to a specific cohort of individuals born from 1981 to 2000 (according to Harvard Business School), while others mark the beginning of Generation Y in 1978 or 1981 (Wikipedia). All sources agree, however, that the majority of Generation Y free time is spent living an online lifestyle. They are sometimes referred to as ‘Digital Natives’ (as well as Generation Z or the iGeneration).

Fig 1. Which generation are you?

1981-2000: Generation Y
1965-1980: Generation X
1946-1964: Baby Boomers
1922-1945: The Veterans

In a survey of university students in the US by Junco and Mastrodicasa (2007) [9], still the most up-to-date study of its scope in this age group:

• 97% own a computer

• 94% own a mobile phone

• 76% use Instant Messaging (15% logged on 24/7)

• 34% use websites as their primary source of news

• 28% author a blog and 44% read blogs

• 49% download music using peer-to-peer file sharing

• 75% of university students have a Facebook account

• 60% own some type of portable music and/or video device such as an iPod

9. http://journals.naspa.org/cgi/viewcontent.cgi?article=1953&context=jsarp

Should we stop people using Facebook and Twitter? CEO

So, is there a risk?

This stems from a fear of the unknown. Generation Y uses a different vocabulary, follows a different culture, has different demands, demonstrates a high speed of learning and has different expectations. They push the boundaries of older management.

But is this a threat? The pace of change in terms of new media and social networking tools will frequently continue to outstrip our ability to check for technical security threats and counter them. The convergence of external and internal applications will proceed at pace and, certainly, the risk of data leakage is a very real one as people (of all generations, but particularly younger employees) increasingly blur the boundaries between their public/private and personal/professional lives.

That said, the longer organisations spend debating the threats, the higher the danger that they will fall behind the curve when it comes to exploiting opportunities.

Maybe, but the benefits outweigh the dangers

The social web is a driver of change and change can be scary. There are challenges – and solutions – for implementing social networking tools and using them safely in the workplace while demonstrating business value and creating an environment for young talent to grow and want to stay with your organisation.

Are organisations being hypocritical? For example, many businesses exploit Facebook for recruitment and for looking at individuals, advertise on Second Life to sell to the younger generation and use Twitter to research trends and social patterns to exploit for marketing opportunities.

The trick is to help people manage the fuzzy boundaries between their public/private and personal/professional lives. It is a challenge – but not a threat.

Fig 2. Where does Generation Y spend its time?

Secret Spaces: Mobile, SMS, IM
Participation Spaces: Marches, Meetings, Markets, Events, etc
Publishing Spaces: Livejournal, Blogger, Flickr, Photobucket, etc
Group Spaces: Bebo, Facebook, Tagged, etc
Watching Spaces: Television, Gigs, Theatre, etc
Performing Spaces: Second Life, World of Warcraft, Home, etc

Source: Ewan McIntosh (http://edu.blogs.com/)

At their heart, social networking sites are about collaboration and sharing ideas. Both of these things are the very lifeblood of innovation and organisations must find a way of embracing rather than banning them.

Fig 3. Manage the fuzzy boundaries [Figure: quadrant diagram with the labels Public, Personal, Private and Political/professional]

Properly managed, these new ways of communicating present an opportunity CIO

Practical advice

1. Make the tools available. You can’t – or at least will find it increasingly difficult and counter-productive to – stop people using tools that they have grown up with, that are so ingrained into their way of life.

2. Divorce management issues from the equation. For example, worrying about whether employees will ‘waste time’ chatting on Facebook is only a modern incarnation of worrying if they’ll ‘waste time’ chatting at the water cooler. Motivating people and optimising productivity is a management issue, not a security one.

3. It is possible to make any web-based tool secure, with the right technology, the right training and the right level of awareness among the workforce. And so, again, education is key:

• Make your security policy on social networking usage relevant to your Generation Y employees. Listen to them, engage, and participate.

• Never say no! They will just go round you.

• Embrace the younger generation’s needs – it will accelerate innovation.

• As with any other application, layer up the technology to ensure that data is encrypted and secure, and that access controls to sensitive information are appropriate to the user.

7 Security in the cloud

Is it safe to move into the cloud? CEO

The delivery of services via the cloud has been one of the most talked-about subjects in IT circles for the past twelve months, but only in 2010 has it made it onto the boardroom agenda. After a slew of articles on the cloud in the worldwide business press in 2009, the business implications of the cloud are beginning to filter through to non-technical experts.

And CIOs are responding to this growing awareness of the importance of the cloud. According to the Gartner Executive Programmes’ 2010 CIO survey [10], the top three technology priorities cited by CIOs are virtualisation, cloud computing and web 2.0, while the top business priorities are business process improvement and reducing enterprise costs. In the current climate, the ability to deliver better IT services for less chimes with business leaders’ own objectives. The idea of upgrading technology without significant capital expenditure is finding fans not only among CIOs but also among CEOs and CFOs.

BT Global Services’ recent Enterprise Intelligence research reveals an interesting disconnect between CIOs and CEOs, with nearly half of CIOs (44%) saying they believe they deal with information that is too sensitive for the cloud, but only a third of senior executives saying the same. The implication is that it could be CEOs urging a move to the cloud in 2010, with CIOs offering a note of caution.

[Figure: bar chart of the percentage of respondents who agree or strongly agree, scale 0-50] CIO caution: “Our information is too sensitive for the cloud”

Do cloud benefits outweigh risks?

Many of the risks associated with cloud services are grounded in who controls what. The ability, or lack thereof, to transfer control and risk relating to data to third parties is critical. Recent research by the EU Network and Information Security Agency (ENISA), to which a crack team of BT’s security experts contributed, reveals that the biggest security concerns associated with the cloud are corporate data confidentiality, privacy and the integrity of services and/or data. These three issues are major ‘deal-breakers’, and if they cannot be addressed completely, enterprises will find it difficult to move to cloud architecture.

On the other hand, the benefits of moving to cloud architecture are potentially huge: significantly reduced capital expenditure and fixed costs; increased agility thanks to the rapid provisioning and de-provisioning of resource; faster return on investment thanks to pay-as-you-use commercial models; the availability of services to a mobile workforce; unlocking business opportunities by removing previous barriers to entry; theoretically more robust business continuity (see the next section for a more detailed discussion of business continuity in the cloud).

Cloud security requires strict policies and planning

Cloud services are extraordinarily diverse, and there can be no one-size-fits-all approach to security. Just look at the software-as-a-service offered by major names like Microsoft, Google and Salesforce.com, and compare them to infrastructure-as-a-service from Amazon, IBM or BT. These are very different propositions and require different security policies and controls.

The solutions that are most likely to provide enterprise-level stability, security and usability will comprise federations of best-in-class solutions provided via a mixture of in-house ‘private’ clouds and third-party ‘public’ clouds. Such a ‘hybrid’ approach has the potential to confer huge benefits on enterprises in 2010, while ensuring the specific risks are mitigated. Thus, data covered by Sarbanes-Oxley or other legislation can be retained and delivered to end IT systems users within private clouds. Similarly, publicly accessible material, such as marketing material that can be downloaded from websites, can be stored and delivered at minimal cost via a third-party public software-as-a-service solution in a public cloud. The best advice is to lock horns commercially with multiple cloud service providers and ensure your security policy and requirements are built into their offerings.

Practical advice

1. Research the market. All the providers of cloud services, whether delivering software, infrastructure or platform solutions, offer different services with different service level agreements and security features. Selection of the right services is an essential first step.

2. Federated solutions may be more bespoke and robust. Using a selection of different services – including a self-managed private cloud – to build a bespoke solution can ensure cloud services are more aligned with your business needs. Increasingly, federation will become an essential part of building bespoke cloud services, meeting security and risk demands, adding transparency and increasingly providing secure collaboration between trusted parties.

3. Prepare for cloud culture. The automated interface of many cloud services can feel alien to IT departments used to dealing with people within supplier organisations. Procurement, legal or commercial teams can also find the pay-as-you-go contracting model of cloud services demanding. Take these teams with you if you opt to strategically source services from the public cloud, otherwise they may become strategic barriers.

4. Regularly seek independent audits of cloud operators’ offerings, to ensure they are still the best in class and best fit for your needs.

Legislation Covering Data

Data protection legislation often prevents the transfer of risk from one corporate entity to another. For example, both Sarbanes-Oxley and the UK’s Data Protection Act require the company looking after data to remain entirely responsible for it. Legislation also presents jurisdictional challenges. For example, cloud providers are typically forced to locate data within a specific territory, usually the client’s own country, which hinders the benefits and flexibility of their service offerings. Under such stringent conditions, the data-owning party would need so much control over how the data is stored and used that the benefits of cloud storage of data or computing resource could be lost.

The cloud can be safe, secure… and financially attractive CIO

10. Gartner Inc. Press Release, “Gartner EXP Worldwide Survey of Nearly 1,600 CIOs Shows IT Budgets in 2010 to be at 2005 Levels”, 19 January 2010

Page 16: 2010  6 Things u need 2 know in 2010 Whitepaper Final

14

Availability – at the heart of securityA sophisticated service that delivers significant value to its users remains worthless if it is not consistently available. When considering the security of cloud services, availability is one of the biggest single issues. There are multiple challenges here: how does cloud architecture impact availability levels during periods of normal service; how much can the cloud help or hinder availability when an organisation needs to rapidly scale up or down key services; and what impact does the cloud have on an organisation’s business continuity strategy?

The bottom line for most organisations today is that non-availability of services costs money through impacted productivity and sales, lost customers and damaged reputation. The strategic challenge for cloud providers is how to transfer the risk of downtime from enterprises seeking to adopt cloud architecture. We have already shown that some risks cannot be transferred, for legislative reasons (see the previous section). But it is, theoretically at least, possible to offset some of the concerns of enterprises by committing to strict service level agreements.

How can we maintain service levels in the cloud?This is where federators of cloud services can add value, not only by bolting together services to create bespoke solutions, but providing security wraps and service level guarantees that potentially exceed those of the third party cloud provider alone. The lessons learned in the design and deployment of high availability infrastructures is critically important for cloud providers, and there is evidence that some are not yet applying sound engineering design. Those with an infrastructure heritage are leading the way here.

While elasticity of service is one of the core features of cloud architecture, and scaling up and down does not affect availability, business continuity – in particular, disaster recovery – offers its own challenges in the cloud.

Under a traditional business continuity model, all data stored on dedicated – and probably self-managed – servers is routinely duplicated and stored on a mirror server at a distinct location, in case of a disaster. Under cloud architecture, however, the location of servers is not necessarily a fundamental aspect of service provision, which makes ensuring data is copied to a remote location a challenge. This is mitigated by the fact that, increasingly – mainly for reasons of data protection legislation – cloud providers’ customers stipulate in which region or territory servers, and therefore data, will be physically located.

8 Enterprise cloud use

“Can we guarantee our customers world-class service in the cloud?” – CEO

Practical advice

1. Understand how resource sharing occurs within your cloud provider – if you require significant scaling-up of provision at the same time as other users of the same cloud, it may risk breaching the capacity of the cloud provider, and therefore affect availability.

2. For infrastructure-as-a-service and platform-as-a-service in particular, a cloud provider’s patch management policies and procedures have a significant security impact, so ensure the patching policy is documented.

3. The cloud provider’s technology architecture may use new and unproven methods for failover, so verify what they use for disaster recovery.

4. Understand how your cloud provider deletes ‘old’ data, particularly on the cessation of a contract. This is an area that requires greater transparency.

The cloud can boost business continuity

The cloud architecture should theoretically be more resilient than the traditional model, because with proper planning, instances of failover – automatically switching to an alternative network upon failure – should become more integrated. By intelligently backing up data, access to a cloud service can be maintained, even with parts of the infrastructure out of action. Getting this right – and demonstrating they have done so – is the challenge for cloud providers.

Accidental data deletion may become a thing of the past if automatic data retention policies – currently adopted by some of the major cloud service providers – become standard. At present, some providers say they will never erase any data at all, but merely archive it. It will be interesting to see what recovery techniques are developed over the years, as the volume of data grows and maintaining data catalogues becomes increasingly complex. It is also important to note that deletion of data upon cessation of contract remains a major technical challenge, and even more so in the infrastructure re-use model being adopted by cloud providers.

“Correctly deployed, we can drive customer and employee benefits from the cloud” – CIO

9 The BT offer

As the authority on enterprise security, BT’s Managed Security Solutions assure customers’ business continuity, improved compliance, and protection from financial loss. Leveraging our experienced professionals and state-of-the-art security solutions, BT delivers comprehensive protection and real economies of scale and efficiencies of cost.

BT’s Managed Security Solutions Group’s (MSSG) portfolio of managed security solutions provides customers with the industry’s most complete, single-source enterprise security solution. Our rich heritage in Managed Security has earned us the trust of customers. Our foundation in real-time internal network and host-level protection is augmented by managed internal and external network protection services, including:

Managed Security Monitoring, powered by BT Counterpane

BT’s managed security monitoring service combines a team of disciplined security experts, a rigorous process for incident detection and response, and best-of-breed technologies to provide information-driven organisations with immediate feedback regarding the efficacy of their network’s security – in real time. Our security monitoring is the business solution that empowers enterprises to reduce liability, improve information safety, and facilitate audits.

Device Management, powered by BT Counterpane

Device management focuses on proactively implementing configurations in the best interests of the customer so that devices are always providing maximum protection and surveillance. That’s why BT’s MSSG SLA offers unlimited changes to devices when they are initiated by BT. This includes new signatures and updates from the vendor and configuration changes BT MSSG recommends based on observations from hundreds of networks and thousands of devices around the world.

Managed Vulnerability Scanning, powered by BT Counterpane

BT MSSG offers two levels of Managed Vulnerability Scanning service to meet customer needs. BT partners with Qualys for service delivery.

• The Full Service option is for companies interested in leveraging BT’s expertise and experience to manage their scans and tightly integrate them with BT’s infrastructure. BT’s scans can be scheduled to suit your needs on a weekly, monthly, or unlimited basis.

• The Self Service option is for companies preferring to self-administer their scans and wishing to take advantage of additional features of the service, including asset classification and remediation management.

Both service options provide flexibility in scheduling scans and defining internal and external targets, including address-specific or address-range coverage options and conditional start-stop time boundaries. All scan reports are correlated across data from vendors as well as data from BT MSSG’s proprietary correlation engine. Executive summaries and detailed scan reports are available 24x7 via the BT MSSG Portal.

Managed Log Retention, powered by BT Counterpane

Managed Log Retention frees customers from the log and security management burden while enabling them to achieve federal and industry compliance, reduce total cost of ownership, and benefit from best practice guidance on risk management with swift responses to security incidents, compliance inquiries, and internal threats.

Ethical Hacking

BT’s Ethical Hacking services enable customers to protect their networks, information assets, and corporate reputations by identifying vulnerabilities before they can be exploited. Our security experts will identify vulnerabilities, provide recommendations to remediate identified issues, and help customers improve their security posture. BT’s proprietary testing methodologies and techniques yield high quality results that will help customers optimise their security infrastructure.

• Application Testing – Reviews the logic structure, code, methods of access and authentication mechanisms of your web-based applications

• Network Testing – Provides external and internal vulnerability and penetration assessments, VPN vulnerability and penetration tests and an analysis of VoIP within your environment

• Wireless Security – Identifies weaknesses and vulnerabilities specific to your wireless infrastructure

• System Hardening – Tests for over 1,000 network-level vulnerabilities within your current network configuration

• War Dialing – Identifies unauthorised modems that provide access to your network and then attempts to exploit your network through illicit devices

For more information on BT Managed Security Services and how they can make your organisation and your customers more secure and risk-resilient, please visit bt.com/globalservices or contact Ray Stanton ([email protected])

Offices worldwide

The services described in this publication are subject to availability and may be modified from time to time. Services and equipment are provided subject to British Telecommunications plc’s respective standard conditions of contract. Nothing in this publication forms any part of any contract.

© British Telecommunications plc 2010. Registered office: 81 Newgate Street, London EC1A 7AJ. Registered in England No. 1800000.

PHME: 59516