The Future is Cloudy, Mobile and Insecure (white paper)



Table of Contents

Executive Summary
2011 was a Wake-up Year for Security
CISOs Focus on Virtualisation/Cloud Security and Mobile Security
Cloud Computing and its Security Needs to Mature
Mobile Computing Raises a Whole New Set of Security Issues
Managed Security Services: Work with a partner that you trust
Appendix A: Methodology

© 2012, Tech:Touchstone Ltd and Phil Sayer Associates. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

About Tech:Touchstone

Tech:Touchstone creates business-to-business events for the IT sector where face-to-face communication is paramount to fully understand complex issues, solutions and value propositions. The company’s portfolio of events focuses on areas of strategic industry debate and growth market sectors, with the aim of creating a collaborative learning environment for time-poor IT executives and to facilitate high value, quality interactions between all participants.

For more information, visit http://www.techtouchstone.com/

About Phil Sayer Associates

Phil Sayer Associates is an independent IT and telecoms consultant, specialising in advising both major enterprises as well as service providers.

For more information, visit http://www.linkedin.com/company/1148015?trk=tyah

The Future is Cloudy, Mobile and Insecure, March 2012


TECH:TOUCHSTONE | The Future is Cloudy, Mobile and Insecure


Executive Summary

It is generally accepted that cloud computing technology is the future of IT: Cloud technology makes it possible for IT to deliver new servers in minutes rather than months and to purchase computing and storage only when they are needed and to pay for only what is used. However, cloud services are not without risk: they must be planned and implemented with due care. Mobility is also completely changing the way firms use IT; it is predicted that by 2015 there will be more tablets in use than there are smartphones today. Mobile computing brings with it a whole new set of challenges for the IT security department; it upsets the traditional security approach of maintaining a secure perimeter and requires a completely new approach to securing corporate data. Tech:Touchstone carried out an on-line survey in advance of the Executive Summit on Information Security, which was held on 28 and 29 February 2012 at the Richmond Hill Hotel. Respondents to the survey reported that cloud and mobile security were the topics that concerned them the most; however, the hot topic at the 9th Cloud Expo held in Santa Clara in November 2011 was not stand-alone cloud computing or mobility: it was the convergence of mobile, cloud and social media. Industry experts predicted that by the end of 2012, cloud apps that are not “socially aware” and without mobile support will be looked down on as “legacy apps”. There is however a downside to this Nirvana: the convergence of cloud and mobility has the potential to significantly increase business risk, with Lauren States, VP and CTO of Cloud Computing at IBM, predicting that “there will be a security breach in 2012 that will force organizations to rethink how they secure their data and applications.”

2011 was a Wake-up Year for Security

2011 was the year when Internet security issues became centre-stage. In January stock exchanges turned to the security services for help after discovering they were the victims of terrorist plots and attempted cyber attacks designed to spread panic in the markets. In May Sony revealed that its PlayStation Network had been hacked and 100 million customers’ data had been stolen, and in June Citigroup said that a hacker had accessed personal information on more than 200,000 card holders. According to Infoworld, “Cyber crooks raided networks, pillaged data and wreaked havoc in 2011, thanks to our persistently shoddy IT security practices”. Advanced persistent threats remained a huge problem in 2011: Infoworld said it had documented coordinated, long-term, successful attacks against much of our critical infrastructure, including central government, military targets, nuclear labs, the chemical sector and energy and water utilities. It reported that hackers were focusing on breaking into applications, helped by the weakness that end-users often have the same password for most of their websites. Attackers were eagerly compromising the weakest websites to swipe credentials for breaking into the more secure, more popular websites. Unfortunately, traditional network security tools like firewalls and network vulnerability scanning can’t detect application-level vulnerabilities.

How much does cyber crime cost businesses? According to PricewaterhouseCoopers, as reported in their study “(The) Global State of Information Security Survey 2010”, the losses from each security incident average $833,000. But the damage is not just financial: the firms surveyed reported that 30% of security incidents had impacted their brand or reputation, and 29% had involved the theft of intellectual property.

Security budgets are in the spotlight

Chief Information Security Officers (CISOs) have always found it difficult to justify any proposed increase to their IT security budgets. Spending money on IT security is a bit like taking out insurance; it is often hard to see what benefit you get from it, until there is an incident. It is an old saying in the IT security industry that the best time to ask for a budget increase is just after a major security breach. It is always difficult to answer the question “how much should we spend on IT security?”, but one way is to compare your spending with that of other comparable firms. In 2008 Forrester Research surveyed decision makers in the US and Europe and asked them how much of the IT operations budget they would spend on IT security in 2009; the response was 12.6%, against reported spend levels of 7.2% in 2007. In December 2011, however, Forrester was less bullish, and stated that “The global downturn has negatively affected security budgets for several years now, and chief information security officers (CISOs) have become accustomed to accommodating increasing responsibilities with minimal change to resource levels.” Gartner Inc, on the other hand, announced the results of a survey showing increasing budgets, albeit from a lower historical level: “...Last year’s budget expectations were for a 6 per cent share of the total IT budget expenditure to be allocated to the security function. In this year’s survey, that allocation has increased to a mean of 10.5 per cent.”

Tech:Touchstone carried out its own survey in advance of the Executive Summit on Information Security, which was held on 28 and 29 February 2012. Respondents answered the question “What percentage of the IT operations budget will you spend on IT security in 2012?” The average percentage spend on security was 7%, but there was huge variation:

• 39% were in the range 0 to 5%. And that was after we removed the responses that said their security spend was 0% of their IT budget, in the hopeful belief that these responses were in error.

• 28% were in the range 5 – 7.5%

• 17% were in the range 10 – 12.5%

• 14% were above 15%

We also asked respondents about the direction of spend. 7.5% said the security budget was falling as a percentage, 45% said no change and 28% said it was increasing. Last year none of the respondents reported falling budgets, so we conclude that budgets are generally getting tighter.

It is clear that the tough times we are in demand heightened security. We are seeing more insider theft, a greater cyber threat and a higher risk associated with loss of reputation. At the same time business demands on the security function are growing, with an increased focus on business priorities, more reporting and coordination with business leaders, together with growing compliance and legal obligations around privacy & data protection. To make matters worse, the security baseline keeps moving as threats evolve, so that without new initiatives, security effectiveness decreases.

How are firms coping with the need to increase security effectiveness without increasing budgets? We hear that they are:

• Extending their efforts to operationalize repeatable aspects of security

• Opening up to outsourcing tasks that are not strategic or where they lack the skills in-house

• Seeking to justify projects and measure the security program itself in business terms

• Finding business sponsors that are prepared to fund security work from their own budgets

Data Security and Business Continuity are Top of Mind

To help us to decide on the key themes for the Summit, we asked survey respondents about their security priorities for 2012. We gave them a list of topics and asked them to put them in priority order, with 1 indicating their top priority, 2 indicating their second most important priority and so on. If an item was not important at all to them they were asked to leave it blank. We then added the scores up and divided the total by the number of responses to each item, so the lowest average score indicated the highest priority (see Figure 1). We found that the top two priorities were Data Security and Business Continuity/Disaster Recovery, with Regulatory Compliance a close third. All three of these priorities are related to legal and regulatory compliance in one form or another; it should come as no surprise that CISOs are focusing first on the issues that the business needs them to address in order to operate legally.

We also compared this year’s answers with those obtained last year in a survey of delegates for the comparable event this time last year. We found that ‘Business Continuity/Disaster Recovery’, ‘Regulatory Compliance’, ‘Mobile Security’ and ‘Cloud Computing Security’ were up in priority, and ‘Application Security’, ‘Aligning IT security with the Business’, ‘External Threats’ and ‘Identity and Access Management’ were down.


How do these reported priorities align with what the analysts recommend? According to Gartner, 75 percent of security breaches are now facilitated by applications. The National Institute of Standards and Technology raises that estimate to 92 percent. So we were somewhat surprised to see application security down in priority in our survey. Computer Weekly recently carried an article predicting that this year promises to be one that will be remembered as the year that outsourcing to the cloud gained significant momentum. But it could also be the year that cyber-attackers target the cloud and send shockwaves through corporations by causing a huge cloud security breach. Hence the increased focus on cloud security is clearly no surprise. The CIO Custom Solutions Group notes that the increased use of mobile devices, such as laptops and handhelds, and removable media, such as USB memory sticks and iPods, has also made it easier for rogue insiders to walk away with large amounts of corporate data. So an increased focus on mobile security makes sense, but it seems anomalous that the bottom three priorities were Identity and Access Management, IT security staff recruitment and training, and user security training and awareness; staff issues and policies are at least as important as the deployment of security technology.

Figure 1: Top Security Priorities for 2012

Data Security                                  2.00*
Business Continuity / Disaster Recovery        2.22
Regulatory Compliance                          2.24
Application Security                           2.45
Aligning IT security with the Business         2.50
Mobile Security                                2.53
External Threats                               2.60
Cloud Computing Security                       2.62
Identity and Access Management                 2.62
IT Security Staff Recruitment, Training, etc   3.14
User Security Training and Awareness           3.14

* Delegates scored each item on a scale of 1 – 5; these are average scores
Base: UK CISOs/IT Executives
Source: Survey for Tech:Touchstone Executive Summit on Information Security, January 2012


CISOs Focus on Virtualisation/Cloud Security and Mobile Security

However, current departmental priorities are not the same thing as topics that will have the most impact in the future. We asked respondents about their main areas of interest. Mobile security topped the poll, followed by virtual infrastructure/cloud security (see Figure 2).

Figure 2: CISOs’ top areas of interest
Question: “What are your main areas of interest? (Please indicate all those that apply)”
Base: UK CISOs/IT Executives
Source: Survey for Tech:Touchstone Executive Summit on Information Security, January 2012

In November 2011 we surveyed delegates attending the Tech:Touchstone November 2011 Virtualisation/Cloud Computing Executive Summit; they told us that security concerns are a major barrier that hinders and delays firms from entering the cloud world. The survey also confirmed that cloud security is an issue for those already spending IT budget on cloud services. In fact security is the top topic about which both existing adopters and firms new to cloud computing seek information and help. So why are CISOs so concerned about cloud? The fundamental issue is that cloud is riskier than traditional IT outsourcing, because:

• Traditional outsourcing/managed services are static and bounded. You know exactly where your data/host is, and multitenancy does not usually come into play.

• Cloud computing decouples data from infrastructure. It obscures operational details (e.g., location, replication). It emphasizes APIs, and multitenancy is frequently used.

Many industry leaders consider that getting security right is the key issue for cloud adoption. In September 2011, Intel’s IT Center report “Cloud Security Insights for IT Strategic Planning” found that 80% of respondents to its survey rated the security component offered by the Cloud Service Provider as extremely important or very important in their vendor selection decision. In our own January 2012 survey for the Tech:Touchstone Executive Summit on Information Security we asked respondents about the main inhibitor they faced in extending the business to the cloud. 26% were concerned about ensuring that critical information was only accessed by authorised individuals. 21% were worried about maintaining compliance requirements in a cloud environment. IDC agrees: it says that “Security is top of mind for the vast majority of IT organisations looking into public cloud delivery models”.


Cloud Computing and its Security Needs to Mature

Cloud computing services today are immature. User firms need to be confident that cloud service providers will deliver a service that meets their needs for security, performance, and availability. Many services today offer ‘best-efforts’ performance and availability, rather than performance and availability backed by a contractual SLA with financial penalties. Customers for such services will be taking a business risk that they will need to weigh against the potential cost savings. However, in addressing security, there can be no best efforts where legal and regulatory compliance or potential damage to brand and reputation is concerned. In December 2010, the Ponemon Institute asked a number of cloud service providers about their own confidence in whether the cloud applications and resources supplied by their organisation were secure. The results were not encouraging: only 43% of vendors surveyed were confident that their private cloud services were secure; for public cloud services their confidence was even lower, at 29%. Users will not want to rely on vendors’ assurances, however confidently voiced. We conclude that:

• There will be increasing demand for third-party, unbiased cloud security evaluation. An external independent audit is the only tool that will give potential customers confidence in cloud service providers’ security arrangements.

• Specialist Cloud evaluators, aggregators, and integrators will emerge. Hyperic (now part of VMware) offers Cloud Status, which measures performance, throughput and latency, and HP has a “cloud assurance” service.

• The industry needs to have a series of standards that govern key performance parameters, including SLAs, auditing procedures, Cloud performance and service metrics, and operational interfaces.

• Firms need to buy cloud services with the due diligence they would apply to outsourcing. This will involve a change of mindset; Cloud service purchasing will be subject to all the same disciplines that apply to any other major IT purchase, including the formal involvement of the procurement and legal department, and probably the finance department as well to assist in the construction of a business case and financial model.

Mobile Computing Raises a Whole New Set of Security Issues

Traditionally, CISOs and their security teams thought about how best to defend security perimeters using such tools as firewalls, network intrusion detection systems and intrusion prevention systems (IDS and IPS). The approach was to keep the crown jewels – the company’s proprietary data and applications – protected inside the perimeter. Mobile computing busts this concept wide open. Mobile users will be outside the perimeter, will be accessing data and applications over the Internet and often from a device over which the CISO has no control, such as a ‘bring your own device’ (BYOD) laptop, tablet, or smartphone; a PC in an Internet cafe; or an Internet TV in a hotel bedroom. In our survey for the Summit we asked respondents: “By 2015 there will be more tablets in use than there are smartphones now, so do you have a policy in place to manage the corporate data stored on tablets and personal devices without compromising the security of your network?” They responded as follows:

• 18% said “We have a comprehensive DLP policy in place that addresses all devices including tablets”. These firms are ready for the mobile working revolution.

• 11% said “We have a DLP policy in place but do not allow the use of tablets” and 20% said “We do not allow the use of tablets in our network”. We wonder how long that will last; it is usually the CEO or another board member that brings his iPad to work and demands immediate access to email and company data.


• 51% said “We are working on a policy and plan to allow the use of tablets within 12 months”. Sounds fine in theory, but the longer it takes, the more risk the company is exposed to.

Several companies have said to us that they do not currently allow the use of tablets or home working. However, these policies are increasingly out of line with staff expectations, and risky behaviour is often the result. For example:

• Staff wishing to work at home will often send confidential material to their personal email accounts. They often know it is against company policy, but justify it to themselves because they will be more productive if they can work at home.

• Staff wishing to work on a device they own will transfer confidential material using a USB stick or other media. Quite apart from the risk of the media being lost or stolen, the material may be loaded onto a device with inadequate anti-virus protection and be subject to attack.

Whether or not your organisation has a comprehensive DLP policy in place, the policy cannot prevent user error, whether careless or fraudulent, in ignorance or deliberately done. The following checklist is based on one produced by Symantec to put in place the basic requirements for a mobile security policy:

• Policy management around passwords, remote wipe and application blacklisting. At the summit a speaker talked about a senior manager in his IT department that had an iPad with no password protection active. To reduce risk, strong passwords should be forcibly changed regularly, company devices should be remotely managed with remote data wiping, and best policy limits app downloads to an approved white list.

• Personal-Corporate data separation on end-user devices. Reasonable personal use of mobile devices is the norm. Data partitioning on laptops will keep the corporate data away from private email accounts.

• Minimise corporate data on devices – zero is best. The use of VDI tools like Citrix will remove the need to store any corporate data on the device. It is true that this security is not perfect – it will not prevent users taking and storing screen shots, but that requires the deliberate breaking of company policy.

• Graduate user access rights based on trust, need, and device. Basing access rights on the “need-to-know” will reduce risk. Many firms limit access based on the type of device: a fully managed smartphone may have access to the data the user requires; a BYOD smartphone, over which the firm has no management access and control, should have no corporate data access at all.

• Widespread use of encryption and managed PKI. Hard disk encryption is no longer restricted to regulated parts of firms like finance departments; best practice is to encrypt the hard disks on all devices and extend encryption to USB sticks. Encryption security is only as good as its key management; start with a managed PKI policy.
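As an added illustration of the “graduate user access rights based on trust, need, and device” and “minimise corporate data on devices” items in the checklist above (this is example code written for this page, not code from the white paper or from Symantec), the following Python evaluator grants a device access only up to the lowest of what the user’s role needs and what the device’s reported posture earns. The posture fields, the three data tiers and the sample devices are all assumptions constructed for the example; a real deployment would take the posture facts from its device-management system.

```python
"""Device-trust-tiered access decision (added example, not from the white paper).

Posture field names, the data tiers and the sample devices are constructed
for illustration and are not taken from any real MDM product.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class DataTier(IntEnum):
    """Corporate data classes, least to most sensitive (constructed for the example)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2


@dataclass
class DevicePosture:
    """Facts a device-management agent would report (field names are assumptions)."""
    device_id: str
    corporate_managed: bool       # enrolled in company device management (not BYOD)
    passcode_enforced: bool       # strong passcode policy active on the device
    remote_wipe_enrolled: bool    # device can be wiped if lost or stolen
    disk_encrypted: bool          # full-device encryption switched on
    apps_whitelisted: bool        # only approved (white-listed) apps installable
    vdi_only: bool = False        # user reaches data via VDI; nothing stored locally


@dataclass
class AccessDecision:
    max_tier: DataTier
    reasons: list = field(default_factory=list)


# The four controls from the checklist that a managed device must report.
REQUIRED_CONTROLS = ("passcode_enforced", "remote_wipe_enrolled",
                     "disk_encrypted", "apps_whitelisted")


def evaluate(device: DevicePosture, need_to_know: DataTier) -> AccessDecision:
    """Return the highest data tier this device may access for this user.

    - Unmanaged (BYOD) devices get no corporate data, as the checklist advises.
    - A managed VDI-only device stores nothing locally, so it may go up to the
      tier the user's role needs.
    - Otherwise every missing control drops the device one tier, and the final
      grant is the lower of the role's need and the device's earned tier.
    """
    reasons = []
    if not device.corporate_managed:
        reasons.append("unmanaged device: no corporate data access")
        return AccessDecision(DataTier.PUBLIC, reasons)
    if device.vdi_only:
        reasons.append("VDI-only access: no corporate data stored on device")
        return AccessDecision(need_to_know, reasons)

    missing = [name for name in REQUIRED_CONTROLS if not getattr(device, name)]
    for name in missing:
        reasons.append(f"control missing: {name}")
    earned = DataTier(max(DataTier.PUBLIC, DataTier.CONFIDENTIAL - len(missing)))
    granted = min(need_to_know, earned)
    if granted < need_to_know:
        reasons.append(f"access capped at {granted.name} by device posture")
    return AccessDecision(granted, reasons)


def decide_all(devices, need_to_know=DataTier.CONFIDENTIAL):
    """Evaluate a fleet of devices for a role that needs the given tier."""
    return {d.device_id: evaluate(d, need_to_know) for d in devices}


# Constructed sample fleet: one fully compliant tablet, one managed tablet with
# no passcode (like the senior manager's iPad mentioned at the summit), one
# BYOD phone, and one managed thin laptop that only uses VDI.
SAMPLE_DEVICES = [
    DevicePosture("tablet-exec-01", True, True, True, True, True),
    DevicePosture("tablet-exec-02", True, False, True, True, True),
    DevicePosture("byod-phone-07", False, True, False, False, False),
    DevicePosture("thin-laptop-03", True, True, True, True, False, vdi_only=True),
]

if __name__ == "__main__":
    for device_id, decision in decide_all(SAMPLE_DEVICES).items():
        print(f"{device_id}: {decision.max_tier.name} ({'; '.join(decision.reasons)})")
```

The decision is deliberately conservative: a device can never be granted more than its role needs, and a missing control only ever lowers the grant. Run stand-alone it prints one line per sample device with the tier granted and the reasons, which is the kind of output an auditor would want to see logged for every access decision.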

Managed Security Services: Work with a partner that you trust

In Tech:Touchstone’s survey for the Security Summit, respondents indicated that their top choice for a provider of security services was a global specialist provider of security consulting & managed security services (MSS). Second choice was a local specialist provider of security consulting & MSS. Last year Summit delegates put a global systems integrator such as IBM or HP in second place; this year they are in third place, behind the local security specialist. Global telcos such as Orange or Verizon were in fourth place, up from fifth last year. Both these latter types of vendor certainly have the in-depth skills and services, including security services, to meet end-user needs across multiple countries; however they may not always be the most cost-effective or most flexible in a single country, where local specialist security firms may have the edge. Whichever type of supplier they choose, firms should purchase security consulting and managed security services with exactly the same diligence and skills that they would apply to negotiating an IT outsource contract. In particular they should:

• Carry out due diligence on the proposed cloud vendor’s security policy and defences. The general test is to ask whether the policy and defences are at least as good as the user firm already has in place.

• Audit the cloud vendor’s security. Words in a contract or SLA are not proof. They may be a statement of intent, or they may be more marketing fluff than solid process. An external independent audit will establish the reality. Leading vendors are investing in third-party audit assurance themselves. For suggestions on best practice, see the Cloud Security Alliance: http://cloud-security.org.uk/

Appendix A: Methodology

For this study, Tech:Touchstone conducted an online survey of senior IT executive respondents in advance of its February 2012 Information Security Executive Summit, held at the Richmond Hill Hotel. Respondents included UK- and Netherlands-based CISOs and other IT security decision-makers directly involved in their organization’s security architecture, management, and/or operations strategy decisions, in national and global organizations in both the private and public sectors. The online survey provided to participants included questions about their strategy, priorities, adoption, budgets, and preferred suppliers for security products and services.
