Free with your copy of Chief Technology Officer Forum
A 9.9 Media Publication

The Convergence of Physical Security
Merging logical security is a cost-saving step and a natural evolution for facilities maintenance. PAGE 05

IN-SHORT: International Court for Cyber Crimes. PAGE 02
IN-PERSON: EPIC Ways to Browse. PAGE 04
OPINION: Search for a Silver Bullet: DLP. PAGE 08
IN-SHORT

WNS Completes 3rd Cyber Security Session for Mumbai Police

WNS concluded the third batch of its 'Cyber Security' and 'Know Your BPO' awareness programme for over 50 Mumbai Police officers on Saturday, 3rd July, at the WNS headquarters in Mumbai. The training programme focuses on providing exposure to new technologies and processes to combat online fraud and cyber crime. A group of 50 to 60 police officers from across Mumbai attended the earlier cyber security training and BPO awareness session held on 12th June.

"We are committed to taking this initiative to its maximum coverage in the months to come in collaboration with Mumbai Police and NASSCOM," said lead trainer Arup Chatterjee, Chief Information Security Officer, WNS Global Services.

"We are pleased to see our partnership with WNS taking a positive step towards the cyber security awareness initiative and look forward to providing maximum participation from Mumbai Police going forward," said Devan Bharti, Additional Commissioner of Police, Cyber Crime, Mumbai.

Set Up International Court for Cyber Crimes: ASSOCHAM

IN VIEW of the fast increasing threat to national security, a day-long conference on 'Cyber Security & Cyber Law' has unanimously recommended the formation of an international court for cyber crimes and an independent cyber police department in India. The conference, organised by ASSOCHAM, was addressed by P.K. Malhotra, Additional Secretary, Ministry of Law & Justice; Dr. N.S. Kalsi, Joint Secretary (Centre States), Ministry of Home Affairs; Nitraj Singh, Head Government Verticals, Systematic India; Pavan Duggal, Chairman, ASSOCHAM Cyber Law Committee; and D S Rawat, its Secretary General. Police officials from over a dozen states were also present on the occasion.

The conference also recommended that the Cyber Appellate Tribunal be given more teeth, so that its judgments can be challenged only in the Supreme Court of India and not referred to High Courts, as is the practice at present. In addition, it called for the constitution of an International Court of Cyber Justice, since cyber crimes have no borders, and said that India should take the lead because it is one of the world's leaders in the field of Information Technology.

The consensus view amongst the experts was that, in view of increasing cyber crimes, the Indian government needs to evolve a National Security Policy to be implemented in all government departments with perfect harmony and awareness. Cyber crimes cannot be effectively handled unless the proposed policy is put in place, said Malhotra. The experts also felt that the Cyber Appellate Tribunal currently lacks sufficient teeth, as its judgments can be questioned even in High Courts; what is needed is more legal and judicial empowerment for the tribunal, so that its pronouncements can be referred only to the Supreme Court.

DATA BRIEFING
32% believe their Infosec professionals are missing competencies. SOURCE: DELOITTE GLOBAL SECURITY REPORT 2010

CSO FORUM 21 AUGUST 2010
FBI Attache Discusses Collaboration with Russians on Cyber Crime

INTERNATIONAL CRIME thrillers make it seem so simple: espionage agencies work together to help James Bond or the Mission Impossible team catch the bad guy and solve the crime, all in about 90 minutes. If only it were that easy. Consuelo B. Carver, assistant legal attaché for Legat Moscow (the FBI's sub-office in Moscow), knows better. Speaking at the International Conference on Cyber Security at Fordham, Carver discussed the obstacles and solutions that are part of combating cyber crime with the Russian Federation. Legat Moscow works primarily with two Russian agencies: the Ministry of Internal Affairs (MVD) tackles child pornography, software piracy and smaller hacker cases, while the Federal Security Service (FSB) investigates hacker cases of about $1 million or more. Key to their involvement is the need for a Russian victim; without a Russian individual, group or corporation affected by the crime, the MVD and FSB will not step in. In cases of child pornography, Carver said, the MVD works quickly to shut down sites. In fact, the Moscow city police force sent a team to the United States for a month to work on child pornography issues. "That was a good indication they wanted to work with us," Carver said. "Child pornography is a borderless crime that can happen anywhere."

Other types of cyber investigations present more barriers. For example, Carver said, the MVD will alert the FBI to a YouTube video based in the United States that shows someone spewing hate speech. The Russians will assume it can be removed immediately. "We'll have to tell them about freedom of speech and unlawful search and seizure," Carver said. "They'll say, 'But you don't understand. Human lives can be at stake because of these extremist views.' And we'll have to say, 'You don't understand. We have a Constitution to abide by.'" Other obstacles that slow down cyber crime investigations in Moscow include sluggish exchange of information and visa hold-ups that delay in-person meetings. Perhaps the biggest need is for Mutual Legal Assistance Treaties (MLATs), agreements between two countries for the purpose of gathering and exchanging information in an effort to enforce public or criminal laws. "We're getting better at knowing what they need," Carver said, adding that there have been a few "very good" MLAT cases involving multimillion-dollar, multinational hacker cases. Practices that are contributing to a better working relationship between the FBI and Russian agencies include quarterly "Russian Organized Cyber Crime Threat Focus Cell" meetings with participants from the FSB, FBI, NASA, U.S. Secret Service and Department of Justice.
OSF Offers Clearing House for Cloud Security Resources

THE OPEN Security Foundation (OSF), which provides independent, accurate, detailed, current and unbiased security information to professionals around the world, announced that it has launched Cloutage (cloutage.org), which will bring enhanced visibility and transparency to cloud security. The name Cloutage comes from a play on two words, Cloud and Outage, that combine to describe what the new website offers: a destination for organisations to learn about cloud security issues as well as a complete list of problems around the globe among cloud service providers. The new website is aimed at empowering organisations by providing cloud security knowledge and resources so that they may properly assess information security risks related to the cloud. Cloutage documents known and reported incidents with cloud services while also providing a one-stop shop for cloud security news and resources.

"People either love or hate the cloud," says Jake Kouns, Chairman, Open Security Foundation. "Our goal with Cloutage is to bring grounded data and facts to the conversation so we can have more meaningful discussions about the risks and how to improve cloud security controls." Cloutage captures data about incidents affecting cloud services in several forms, including vulnerabilities that affect the confidentiality and integrity of customer data, automatic update failures, data loss, hacks and outages that impact service availability. Data is acquired from verifiable media sources and is also open to community participation based on anonymous user submissions. Cloud solution providers are listed on the website, and the community can provide comments and ratings based on their experiences. Cloutage also features an extensive news service, mailing lists and links to organisations focused on the secure advancement of cloud computing.
IN-PERSON “We’re recruiting a network of college and other representatives to spread Epic and teach Indians how to use it.”
EPIC Ways to Browse

India's first browser, Epic, was launched by Bangalore-based Hidden Reflex; it is based on Mozilla and is available for free. Alok Bhardwaj, Founder and CEO, spoke to Dominic K.

What inspired and motivated you to launch a Web browser?

The Web browser is increasingly the most important piece of software on your system, and its usage is high and going higher. The user experience and interface of the browser, however, hasn't changed in 15 years since the initial browsers Mosaic and Spyglass. We felt that your Web browser should do more for you—that was our inspiration. One key inspiration for India was to develop a tool that could help Indian language conversation and discourse move online. At present, almost all Indian internet activity has been in English, but with Epic, Hindi and regional language speakers can share their thoughts and ideas online in Indian languages as effortlessly as English speakers.

Considering the market is already cluttered with multiple Web browsers, how will Epic distinguish itself from others?

Indian language support is pervasive in Epic. We support 12 Indian languages in our built-in, free word processor as well as in text boxes on almost all Websites. Users can chat, send e-mails, search, post comments and do anything else in Epic in Indian languages in an instant. Epic has 1500+ Indian themes and wallpapers representing every Indian state and every aspect of Indian culture and society. It also includes an India content sidebar with the latest news from all over the world and the nation from multiple publications, regional news in regional languages and English, live cricket scores and commentary, top music albums, live TV and more. Epic includes on-demand anti-virus scanning, which can scan your whole computer system for viruses and malware, as well as automated scanning of downloaded files. Epic provides anti-phishing protection through a bigger address bar with a bold domain name; this lets the user instantly determine whether they are at citibank.com or citiphishingsite.com. Epic also warns users when they're about to visit a potentially dangerous Website, via a database of ratings on nearly 30 million Websites from our partner, the Web of Trust. Epic has a one-click private data deletion button which also deletes Flash cookies (the only browser that does so!), and finally it holds about 20 pre-installed communication (email, Orkut, Facebook, Twitter), productivity (Write, a word processor; File Backup) and entertainment (Games, Video Sidebar) apps built in, and over 1500+ user-installable free apps. These apps enable users to multitask or accomplish simple tasks quickly and represent a new, simpler way to engage the net!

Brief us on the Epic browser and its key security features.

Anti-Virus and Anti-Spyware: Epic offers on-demand scanning of your system powered by ESET. Epic also automatically scans files downloaded in Epic. Epic has a bigger address bar with the URL in a big font and the domain name in bold, so that users can know in an instant what Website they're on.

Alok Bhardwaj
Founder and CEO of Hidden Reflex
COVER STORY

The Convergence of Physical Security with Infosec

Today enterprises realise that converging their physical and logical security systems will help strengthen their information security and better protect their company, employee and customer data.

By Dominic K

In today's environment, analysis of the physical security of facilities and properties has become a critical aspect of an organisation's information security and business continuity planning. During an onsite assessment, every enterprise should perform physical inspections of facilities and operations. The process begins with a physical security review: gaining an understanding of the resources being protected and the perceived threat environment, including interviews and reviews of local policies and procedures covering physical security operations.
Evolution over the Years

Physical security has become more important and critical. It carries significant risk in terms of people and equipment movement, access to enterprise premises, and external threats to the organisation such as vehicle movement. It has evolved with automation systems, such as surveillance systems, intelligent access management and IP-based campus automation systems, to mitigate risks, to name a few. Says BLV Rao, CISO, Infotech Enterprises, "Physical security is one of the high-risk factors in enterprise risk management; a lot more monitoring and controls are being demanded by organisations and customers today."
Compared to the past, there are many shorter, smaller and better gadgets available which might be misused to take information assets out, such as phones with cameras, larger memory and Bluetooth, which can be used to transfer information or pass critical messages. Though we cannot control everything using physical controls, we can stop some of them being misused on our premises in sensitive work areas such as BPO and other intellectual property driven work environments. This is of course used in conjunction with logical controls.
Evolving Role of CISOs

Physical security is an extremely important factor. The ISO 27001 and PCI-DSS standards also recognise this and have a separate domain for physical security. Typically, most enterprises have a physical security head or Chief Security Officer. Sameer Ratolikar, CISO, Bank of India (BoI), says, "CISOs need to work with them in tandem for all security related issues that come out of risk assessment and audit exercises. For all information security related meetings, physical security officers should be involved right from the beginning."

Since today's physical security devices are IT enabled, the CISO has to ensure that the logs generated by CCTV and access control systems are well monitored, properly backed up and archived, and checked on a sample basis. CISOs are now also being called "Corporate Security" managers, taking on the additional responsibilities of physical security and auditing compliance with the law of the land from a security perspective. This includes auditing and managing third party vendors such as transport providers for safety, especially of female employees; managing the physical access control system; working closely with the admin department to ensure contracts are in place and working effectively for fire control and safety; and assisting in conducting safety audits.

"In the coming years, I see physical security being embedded in the roles and responsibilities of every CISO across verticals. Currently it is seen more as a technical and management role, to include physical security too," says Chandra Prakash Suryawanshi, Partner, iRisk Advisors.

"Physical security is also part of total enterprise security, and CISOs are very much involved in and responsible for risk assessment and governance of information security adherence. The changes are with the controls to physical security, access to secure areas and computing areas like data centres, logs, event correlation and management reviews," adds Rao. Disaster recovery (DR) planning and periodic drills related to DR and facilities evacuation are also gaining importance.

Benefits of Convergence

- The creation of one system for managing all physical and logical security, including a streamlined workflow for creating, deleting and modifying user identities;
- A unified network policy for both local network and remote access that leverages location and status information from physical access systems;
- Improved user access and help in solving privacy concerns;
- A practical and affordable second authentication factor;
- Greater ROI from existing infrastructure;
- Better coordination of security resources in critical and emergency situations;
- An identity-based reporting system for use in forensic investigations; and
- Assistance with company-wide compliance efforts.
Converging Physical Security with Infosec

The future of enterprise security has long been summed up in one word: convergence. For years, pundits, analysts and others have predicted that at some point companies will begin to take a holistic view of their security operations. The enterprise security you encounter at the front desk when you swipe your card each morning will no longer be a separate system from the security you encounter when you sit down at your desk and log on to your computer. When converged, these typically disparate systems will be connected and will communicate as a way to validate your identity when you access your office or your company's corporate network. "The interdependence of physical security and information security makes it absolutely essential that they be well co-ordinated. They will be neither effective nor efficient otherwise," says Prabhakar D. Mallya, Head, Security Audit & Architecture, Infosys.

Merging the cultures of these two areas is not an overnight process. Ever since the buzz started about convergence, companies have felt that merging physical and logical access systems could take even longer. But this is starting to change with new, more intelligent solutions that help companies add these capabilities while maintaining the operation of their existing security systems. Deepak Rout, CISO, Uninor, says, "Dependence of physical security controls on data, which is central to every organisation, has been on the rise, hence the inter-dependence. This is observed primarily in the access control domain." He further adds, "Man-guarding and electronic surveillance do not have much dependence as such, except for centralised management and security of the surveillance platforms and data. Moreover, as information security as a function matures, it makes eminent sense to integrate PS into it, not least because PS is a domain of IS as per standards."
Building for the Future

With all of the benefits that converged security solutions can bring to an enterprise (better protection for sensitive corporate information, employee and customer data; improved cost savings; enhanced risk reduction and compliance assistance), enterprises of all sizes and CISOs from all industries and verticals should make this one of their priorities.
OPINION BY DOMINIC K dominic.k@9dot9.in
THE AUTHOR IS Associate Editor, CSO Forum
The Illegality of Exporting Personal Data into the Cloud

The Cloud is not 'geo-sensitive', so data may reside anywhere. Take the EU definition of "Personal Data", for instance (the species of data which can only be exported to certain jurisdictions in the world). In (very) general terms, "Personal Data" in the EU is "data which relate to a living individual who can be identified: (a) from that data; or (b) from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller". My understanding is that a small cloud service provider would not spend its own capital on data centres, but would sub-contract to small data centres around the world. Isn't the point of the cloud that processing and storage may take place on a server anywhere?

Thinking from another perspective, as the data owner, if I were to implement such a service, would I actually go and negotiate with multiple small cloud service providers, or tie up with a big cloud service provider and ask it to implement this model? This is exactly where cloud brokers pitch in and provide value services to the end customer, such as these end-to-end security layers at the edge, while integrating several cloud providers transparently on the other side. Otherwise, the costs and complexities of implementation would stay on the customer's side, and the cost advantages of using on-cloud services would be diluted for companies demanding this level of security, or requiring at least some way around data export/import restrictions without breaking local regulations.

A high level of assurance is needed that the proposed technology renders the data inaccessible as personal data in the cloud. The personal data can only be re-formed at the edge of the cloud, where that edge is in an authorised country as defined by the EU. For example, the technology should not allow any person to get access to personal data controlled by their organisation from Iraq, a country that does not have 'adequate levels of protection' per the EU (assuming other legal ways of access are not employed). This second point complicates the solution. You need a control environment to ensure that the data conversion (un-anonymisation or re-forming, etc.) to personal data can only be carried out in specific countries.
The Cloud will probably look more like a mesh than a tree of nodes in the near future, just like the Internet.
Is there anybody out there with any experience or expertise in, say, "Secret Splitting" or the "Cauchy Reed-Solomon Algorithms" (or any other technology) whereby personal or private data can be 'de-integrated', distributed through a number of nodes or servers in this anonymised form and then 're-integrated' only by the authorised 'Data Owner/Controller'? I would like to add that just splitting data does not by itself ensure confidentiality, since it is not a self-contained control. You would need to share in detail with each customer where you store each piece of data, so that they can be sure that they do not run into any risks. Moreover, if some of the cloud providers where you store these pieces of information find this out at some point, they may collude to recreate the data. Therefore, I would say that the first requirement to cover the needs being discussed is that the control is self-contained, and that the control itself is enough to demonstrate to the customer that the information is secure (i.e. be internationally accepted as a reasonably secure control), no matter where you store it and who participates as a provider.
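As an added illustration of the 'de-integration' the column asks about (example code, not the author's), the Python below contrasts naive chunking, where each provider's piece still contains readable personal data, with n-of-n XOR secret splitting, where every piece short of the full set is indistinguishable from noise, and gates re-formation on an edge-country check. The sample record, the country list and all function names are constructed for this example; the country check is a policy gate only, since a coalition holding every share can still collude, exactly as the column warns.

```python
import secrets

# Constructed sample record standing in for EU "personal data" (not a real person).
RECORD = b"Name: Asha Verma; DOB: 1979-03-12; Email: asha@example.org"

# Constructed placeholder set of jurisdictions where re-forming is permitted.
# Real adequacy decisions are a legal matter; this set exists only to show the gate.
AUTHORISED_EDGE_COUNTRIES = {"DE", "FR", "IE"}


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def naive_chunk_split(data: bytes, n: int) -> list:
    """'Just splitting': cut the record into n contiguous pieces, one per provider."""
    size = -(-len(data) // n)  # ceiling division
    return [data[i * size:(i + 1) * size] for i in range(n)]


def xor_split(data: bytes, n: int) -> list:
    """n-of-n secret splitting: n-1 uniformly random shares plus one share that is
    the record XORed with all of them. Any n-1 shares are independent of the
    record, so a single provider (or any non-full coalition) learns nothing."""
    shares = [secrets.token_bytes(len(data)) for _ in range(n - 1)]
    last = data
    for s in shares:
        last = xor_bytes(last, s)
    return shares + [last]


def xor_join(shares: list) -> bytes:
    """Re-integration: XOR every share together. Missing even one share yields noise."""
    out = bytes(len(shares[0]))
    for s in shares:
        out = xor_bytes(out, s)
    return out


def leaks_fragment(piece: bytes, data: bytes, run: int = 4) -> bool:
    """Crude leakage test: does a stored piece contain any `run`-byte window of the
    original record? Always true for naive chunks; false (with overwhelming
    probability) for uniformly random XOR shares."""
    return any(data[i:i + run] in piece for i in range(len(data) - run + 1))


def reform_at_edge(shares: list, edge_country: str) -> bytes:
    """The control environment the column calls for: re-form personal data only at
    an edge node in an authorised jurisdiction. This is a policy check, not a
    cryptographic guarantee; whoever holds all shares can still collude elsewhere."""
    if edge_country not in AUTHORISED_EDGE_COUNTRIES:
        raise PermissionError(f"re-forming personal data not permitted in {edge_country}")
    return xor_join(shares)


def compare_schemes(n: int = 3) -> dict:
    """Run both schemes over RECORD and report what each provider's piece reveals."""
    chunks = naive_chunk_split(RECORD, n)
    shares = xor_split(RECORD, n)
    return {
        "naive_pieces_leaking": sum(leaks_fragment(c, RECORD) for c in chunks),
        "xor_shares_leaking": sum(leaks_fragment(s, RECORD) for s in shares),
        "xor_all_shares_recover": xor_join(shares) == RECORD,
        "xor_missing_one_recovers": xor_join(shares[:-1]) == RECORD,
    }


if __name__ == "__main__":
    print(compare_schemes())
```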
OPINION BY DEEPAK ROUT
THE AUTHOR IS the CISO of Uninor
Data Loss Prevention: The Search for a Silver Bullet
THOUGH the deployment of a comprehensive DLP solution should be a risk mitigation measure that emerges from a systematic risk assessment based on business and security objectives, the reality is that it is resorted to mostly as a remedial measure in the aftermath of a particularly nasty incident. Sometimes a DLP comes about when business does well and security officers get an opportunity to push through a big security investment. One does not see too many instances of DLP implementation driven by pure selling either, despite aggressive selling from DLP solution providers. The practical experience is consistent across industry sectors, and the essence is that while data loss concerns are mostly real, remedial measures are mostly reactive and almost always ineffective.

Management wakes up to data loss threats almost always after data significant to management has been lost or a major incident has resulted from an instance of data loss. While the lost data itself may not have been very important in the perception of management, the incident may have caused grave concerns which are unacceptable to management from a strategic perspective. On the other hand, the information security function or department is typically engaged with more immediate concerns, and when it wakes up to the threat of data loss, it gets entangled with a silver-bullet DLP solution. However, DLPs cost big, and in the absence of a sensitised and informed environment, the idea of a full-blown DLP solution does not find much favour. So security has to wait for a bad incident or a good revenue year!

Management wants DLP to do mail filtering, with a view to analysing content and preventing undesirable mail from going out. For some reason, management believes that mail is the most potent and viable medium through which data can be leaked. Many operational departments, including IT and sometimes even Information Security, concur with this thought. As a result, the DLP that gets deployed with such a mindset ends up doing email/content filtering. It is a different matter that even a full-blown DLP solution eventually ends up with similarly restricted usage; more on this later.

When a DLP is eventually deployed, we expect a miracle solution, and we could not be further from the truth. It has a steep learning curve and a long gestation period, including setting up policies with contextual content, which does not come from business very easily. Once we have it deployed, it detects more nuisance than data loss, and tweaking it to reduce false positives takes forever. Unintentional data loss gets detected, while planned data theft can be one step ahead of the policies set up in the DLP to detect it.

A deeper analysis of data loss leads to the understanding that there are several data leakage avenues beyond email. Mass storage devices are a big concern. They are either not disabled, or, if disabled (through group policy or endpoint solutions), a lot of exceptions are provided with no expiry and with tracking through exception management. Also, there are a lot of holy cows with admin privileges who are then free to work around such disabling. As one can easily guess, the big boys, comprising senior management, IT administrators, marketing and sales stars and so on, are all exempted. Admin rights provisioning itself is another big culprit. It not only lets a person enable the use of mass storage if disabled; it also permits a whole lot of policy reversals, silencing the endpoint, initiating P2P traffic, enabling execution of exe files and downloading software.

Implementing a comprehensive and effective DLP programme may be a long-term solution, but there is a lot that can be done before that, and a lot needs to be done.