This article can also be found in the Premium Editorial Download "Information Security magazine: Cloud initiatives are changing roles for information security managers."
Download it now to read this article plus other related content.
Cloud computing is too attractive for organizations to ignore and Caritas Christi Health Care System is no exception. The Boston-based health care organization, which provides health services to patients in eastern Massachusetts, southern New Hampshire and Rhode Island, is contemplating moving some data storage and possibly email to the cloud. Throughout the vendor evaluation process, Jim Murphy, information security officer at CCHC, is making sure critical security issues -- such as encryption of data in transit and at rest -- are addressed.
"I'm working closely with the systems engineering group to plug myself into those projects and conversations," he says. "Before we sign a contract, I'm trying to get security to have a seat at the table to address the risk."
In their rush to move IT services and applications to the cloud, organizations have often left security out of the decision process. But Murphy's work reflects a shifting tide, as more businesses are giving security management some degree of authority over cloud initiatives. According to Information Security's 2011 Priorities survey, 34 percent of 776 respondents said they have the ability to reject or delay
"Businesses are savvy enough to involve security [in cloud evaluations] if they have compliance requirements or if there is sensitive data," says Khalid Kark, vice president and research director at Forrester Research.
This year's Priorities survey also revealed that information security pros will be helping to evaluate enterprise mobile devices projects, spending more on network security monitoring, and ramping up disaster recovery planning. They'll also continue a shift from a technical role to a heavier focus on policy and regulations.
ENSURING CLOUD SECURITY
Oftentimes with new technology, enterprises push ahead and security is an afterthought, says Lee Kushner, president of LJ Kushner and Associates, an information security recruitment firm, and co-founder of InfoSecLeaders.com. But information security job candidates are getting asked about their knowledge of cloud computing, indicating that companies are thinking about security at the architectural stage of cloud initiatives, he says.
Ron Woerner, a cybersecurity professor at Bellevue University and security analyst at a large architecture and engineering firm in the Midwest, says the role security plays in enterprise cloud initiatives depends on the relationship a security officer has with his or her business counterparts and whether the industry he or she is in is highly regulated.
"Those in high-risk areas or with good relationships will have more involvement in the decision-making process and thus have a greater ability to influence appropriate security controls for cloud infrastructure," he says.
In contrast to the 34 percent of survey participants who can put cloud projects on hold due to security concerns, 30 percent say they have an advisory role only.
Tony Meholic, CISO at Philadelphia-based Republic Bank, says an informal poll at after a recent conference session he attended this fall showed that the size of a company has a lot of impact on security's role in cloud projects.
At smaller companies, where the information security manager wears a lot of different hats, the role was more passive than at a midsize company, where security managers tended to have more leverage to delay projects due to security issues. Infosecurity executives at large enterprises appeared to have the most influence on cloud projects, he says. None, however, could kill a project outright.
"Cloud computing is going to happen. It's not going to stop," Meholic says. "The best an information security professional can do is make sure you're part of the process as early as possible and participate as much as you can to make sure things go in the right direction."
Some organizations are planning to devote more resources to cloud security this year: 17 percent of survey respondents say their organization will spend more on securing the cloud in 2011.
CONTROLLING MOBILE DEVICES
While security professionals wrestle with the security implications of cloud computing projects, they also are contending with the proliferation of mobile devices in the enterprise. More and more employees are bringing their iPhones, iPads, and other devices into the workplace and senior executives are eager to use the latest technology.
When it comes to their role in enterprise evaluation of mobile devices, 45 percent of survey respondents say they recommend or specify products. Thirty-two percent say they have the authority to reject or delay mobile device projects based risk/threats. Thirty-one percent have an advisory role only.
Senior executives are making security a priority in their adoption of mobile devices and telling security teams to figure out how the company can use the devices securely, says Phil Cox, principal consultant at security consulting firm SystemExperts. "Unlike many years ago, when security was an afterthought, it's an initial thought," he says.
Indeed, Kark says he was having a conversation with a CISO when the CISO got a call from his company's CEO who said the board had decided to use iPads and wanted the CISO to figure out how to secure them.
However, Kark says he sees security being pushed more to the backseat on mobile device projects. The pressure from higher ups to support various devices is high while mobile use is so ubiquitous across an organization that it's hard to manage, he adds.
Mobile devices are tricky because many don't have adequate security protections as part of their basic infrastructure, Woerner notes.
"Mobile devices are just handheld computers that can access many of the same services that you do with a standard computer. The problem is that most users have admin privileges on these devices, so they can do what they want with them," he says. "Additionally, there's little malware protection or DLP available on mobile devices. On top of that people are using their personal devices for work. This is a huge dilemma for security that will only become more prevalent in 2011."
At CCHC, a group uses iPod Touches to work with non-English speaking patients and Murphy says work is underway to figure out how to provide a secure wireless connection so the group can securely transfer information.
Also, the organization uses BlackBerry Enterprise Server but needs to be able to address unsupported devices like iPhones, Murphy says. The Massachusetts data protection law makes it especially critical that the organization secure mobile devices, he adds.
|Full Steam Ahead|
Many organizations are making the shift to Windows 7 and its security features
The migration to Microsoft Windows 7 -- and its enhanced security -- appears to be in full swing this year. Sixty percent of respondents to Information Security's 2011 Priorities survey say their organization is either planning or in the middle of migrating to Windows 7.
Of the operating system's security features, 46 percent of readers said User Access Control was the most attractive to their organization. Thirty-six percent like the security isolation for services and applications that Windows 7 provides while 35 percent are impressed with the BitLocker encryption feature.
By sunsetting many of its older operating systems, Microsoft is basically forcing organizations to embrace Windows 7, says Ron Woerner, a cybersecurity professor at Bellevue University and security analyst at a large architecture and engineering firm in the Midwest. "That's not necessarily a bad thing, since Windows 7 has security features not available in Windows XP or Vista," he adds.
Microsoft UAC allows users to run with minimal privileges and only use admin or advanced privileges when necessary, Woerner says. "That will reduce one of the most common vulnerabilities: user error."
With Windows 7, Microsoft made BitLocker robust enough for the enterprise, he says, and easy to implement and support with minimal user interference. Plus, it's free with the operating system.
"For smaller companies that need some type of encryption solution, it's a bonus having this [BitLocker] built into the operating system rather than having to buy a solution," says Tony Meholic, CISO at Philadelphia-based Republic Bank.
However, Windows 7's hardware requirements are hefty, which could hold some companies back from migrating, he adds.
Due to the hardware requirements, some companies are looking to utilize desktop virtualization as a way to move to Windows 7.
The best way for us to get there is with desktop virtualization," says Lyndon Brown, IT director at pet supply retailer PETCO. "We're pretty integrated with virtualization technologies today, so it wouldn't be a huge investment to build that out."
NETWORK SECURITY MONITORING
Cloud computing and the explosion of mobile devices are pushing corporate boundaries far beyond the traditional network perimeter, but many companies plan to step up their network security vigilance in 2011. Almost a quarter of readers surveyed say their organization will increase spending on network security monitoring over the next year.
Rich Popson, information security manager at a health care organization, says traditional "block and tackle" firewall and intrusion prevention tools aren't cutting it. "There are too many false positives with traditional monitoring tools that cause headaches for us," he says. The organization recently bought a network security monitoring product from NetWitness to complement its security information management system and application-aware firewall.
Having additional visibility into network events enables the security team to focus on high-risk incidents, he says. "Visibility gives you the proof," Popson says. "You can say, 'This is exactly what happened'."
Forrester's Kark says the buzz around the advanced persistent threat (APT) and federal compliance requirements are driving companies to spend more on network security monitoring. Changes in Federal Information Security Management Act (FISMA) requirements emphasize the need for more frequent security reporting, leading to a continuous monitoring mantra, he says. That spawned off a subcategory in the security industry in which vendors tout network security monitoring and APT detection.
"Some of that [monitoring] is necessary, but if I'm a CISO, I wouldn't necessarily put a lot of my focus on the network," Kark says. "Much more risk lies in the application layer."
Beyond FISMA, other regulations are leading companies to spend more on network security monitoring, says Jonathan Gossels, president and CEO of SystemExperts. Most regulations like the PCI Data Security Standard and HIPAA include monitoring requirements, he says.
"It was one of those things that kept falling off the plate and now it can't fall off the plate," he says.
At the same time, some enterprises plan to spend more on antivirus and antimalware technology, a trend Gossels says makes perfect sense in an environment where threats are multiplying. Nineteen percent of survey respondents say they plan to spend more on such products in 2011.
Murphy says antimalware was a big priority for CCHC last year, when it replaced an underperforming system with Sophos Endpoint Security and Data Protection, which he says has been proactive in catching malware.
Retailer makes the switch to cloud-based email security to reduce costs and maintenance burden
PETCO was looking to cut data center costs when its in-house email security supplier Proofpoint approached the company about its cloud-based service. The idea of switching from on-premise email security appliances to a software-as-a-service suite made a lot of sense, says Lyndon Brown, IT director at PETCO.
"If we can start moving to the cloud, we can shrink our footprint in our data centers and shrink the costs associated with that as well as maintenance costs," he says. Also, IT can better focus on serving core business needs, he adds.
So after taking a hard look at Proofpoint's SaaS offering, PETCO moved ahead and transitioned from its on-premise anti-spam and antivirus email protection systems, which were integrated with email encryption appliances, to the cloud-based Proofpoint Enterprise Protection and Proofpoint Encryption services. The services provide inbound email security and outbound email encryption for PETCO's email system at the network edge.
Proofpoint offered flexibility that other vendors couldn't, Brown says: "Because each business has its different needs, end user flexibility is key in these solutions."
SaaS-based email security isn't new, Brown says. He was familiar with the technology before cloud became the buzz word of the day. Email security is a natural fit for a cloud environment, he says.
"In my experience, it's one of the easier things to decide on moving to the cloud, especially if you're just trying to get your feet wet," he says. "It's a good opportunity to get used to how something works in a software-as-a-service model."
DISASTER RECOVERY AND DATA SECURITY
While compliance drives a lot of security initiatives, it's also is a major factor behind organizations' efforts to boost their disaster recovery planning this year, security experts said. Twenty-six percent of survey respondents said their organization would spend more on disaster recovery.
"Every regulation has a business continuity component to it," SystemExpert's Gossels says. "It's not that companies didn't have plans, but often they weren't formalized. Now it's required that they're formalized and practiced. It takes money to formalize things."
Meholic says disaster recovery planning is an onerous task that not a lot of people really enjoy but must be done. "There's a big push from regulatory agencies to have completed disaster recovery plans," he adds.
For CCHC, though, having a robust disaster recovery plan is more about best practices than compliance. "Since we are a hospital, we have to provide 24x7 availability to our applications," Murphy says.
Securing data at rest -- in storage, databases, servers, and mainframes -- was ranked as a priority by 19 percent of survey respondents. Meholic says securing data at rest is one of his top concerns. Some of the big security breaches have involved attackers accessing unsecured stored data, he notes.
"Whenever I do a security review, one of my first questions is about whether the data is secure at rest," he says.
Encrypting stored data costs money and business executives may be concerned about its impact on the user experience, but the time added is milliseconds, Meholic says. "If it's seven seconds instead of five, you're not going to notice," he says.
ONGOING ROLE SHIFT
As information security professionals juggle multiple security initiatives and compliance mandates, their role in the enterprise continues to shift from technical operations to strategic, policy-oriented responsibilities.
Fifty-five percent of survey respondents say their role has shifted from a highly technical and implementation focused one to having a heavier focus on policy, regulations and legal issues. The role shift is a trend that's been ongoing for several years, security experts say.
"Instead of people being dedicated to hands-on security work, most security professionals are in charge of setting policy, evaluating technologies and dealing with regulations," Gossels says. "The day-to-day security operations have been increasingly rolled into other IT operations."
Woerner says he noted the need for security to focus on risk management and operate at the strategic level in Information Security five years ago.
"This trend continues today as more security professionals realize the necessity to understand and utilize risk management practices in their day-to-day activities… Security must collaborate with business partners in order to effectively manage risks and provide the appropriate levels of security controls," he says.
For many organizations, it's more cost effective to outsource the nuts and bolts of specific security implementations, such as an identity and access management project, instead of hiring the expertise in house, says Kushner.
"It's almost expected that security programs are dealing with more strategic, business, policy and legal types of problems," he says.
When he started at CCHC 15 months ago, Murphy was focused on building a robust information security program and performed assessments and operational security. But he expects his role will change this year after a reorganization and a new CTO at the helm (CCHC was recently bought by Steward Health Care System, an affiliate of equity firm Cerberus Capital Management.) The organization has a lot of compliance requirements, including HIPAA, PCI and the Massachusetts data protection law, he notes.
"I will be working more on strategic, governance, and risk management issues rather than day-to-day operations," Murphy says.Marcia Savage is editor of Information Security magazine.
This was first published in February 2011