LEADERSHIP | BUSINESS | TECHNOLOGY
VOL/07 | ISSUE/10
ASISH KARUNAKARAN, CIO, SBI Capital Markets, is combatting mobile insecurity with VDI.
The six key battles IT leaders are going to have to win if they want to protect their enterprises. Page 38
AUGUST 15, 2012 | Rs 100.00 | WWW.CIO.IN
BIG DATA CHOICES: Make the right storage decisions for big data. Page 66
VIEW FROM THE TOP: Jagdish Saxena on how IT drives Elder Pharma’s business. Page 77
CIO-PWC SECURITY SURVEY: Data from the world’s largest security survey reveals how Indian CIOs are coping with new technologies.
THE NEW NETWORK IS SECURE Today’s users have gone through a rapid shift in expectations. Now they want to connect to your network with any device – be it their laptop, smartphone or tablet. Being able to support more types of mobile devices while providing secure, pervasive connectivity, with the right mix of wired and wireless access that’s right for your business has quickly become critical for success. Juniper Networks builds the new network that can help you solve the connectivity conundrum by managing security without having to control the device, with a simple, single client that works on almost all devices. Find out about moving to the new network that is built for present and future demands. Get the story at juniper.net
FROM THE EDITOR-IN-CHIEF
Hold Your Nerve
Events that test a CIO's mettle, skill and ability to remain calm are great opportunities for survival and learning.

"If you can keep your head when all about you, / Are losing theirs and blaming it on you, ... you'll be a Man, my son!" —'If' by Rudyard Kipling

Have you ever come across this equation: Crisis = danger + opportunity? If you have, it would typically have been followed by an explanation about the Chinese ideogram for crisis (weiji) having two parts—one that stands for danger and the other for opportunity. Then comes a bit of seemingly oriental wisdom: In a crisis, be aware of the danger but look for the opportunity. Profound? Absolutely. Smart strategy? For sure. Except that it isn't really so. Weiji actually breaks down as danger + crucial point. What it really stands for is that in a crisis, you need to stay alert because you are at a critical juncture that can potentially break you.

Color me cynical, but an unstable state of affairs is hardly the time to be looking out for how to 'benefit' from it. Survival? Undeniably. Business continuity? Entirely. Learning? You bet. But converting catastrophe into opportunity? Not really.

These are the bits about a crisis that make it interesting. Business crises test the best of executives, and CIOs are no exception. It's remarkable the shapes and forms business crises can take these days, apart from the uncertainty that our economic landscape is witnessing. I’ve heard horror tales of structured cabling in hospitals being chewed through by rodents, of whole kilometers of optic fibre being stolen overnight, of a server farm getting fried when the power polarity reversed, and even of 70 percent of an IT team quitting en masse. It's these low-frequency, yet high-impact events that test a CIO's mettle, his skill and ability to remain calm and look for the way forward.

Amongst the immortal lines of Kipling's If are also these: "If you can force your heart and nerve and sinew, / To serve your turn long after they are gone, / And so hold on when there is nothing in you, / Except the Will which says to them: 'Hold on!'"

Vijay Ramachandran, Editor-in-Chief
vijay_r@cio.in

PUBLISHER, PRESIDENT & CEO Louis D’Mello
ASSOCIATE PUBLISHER Rupesh Sreedharan

EDITORIAL
EDITOR-IN-CHIEF Vijay Ramachandran
EXECUTIVE EDITOR Gunjan Trivedi
DEPUTY EDITOR Sunil Shah
ASSISTANT EDITOR ONLINE Varsha Chidambaram
CHIEF COPY EDITOR Shardha Subramanian
SENIOR COPY EDITOR Nanda Padmanabhan
COPY EDITOR Vinay Kumaar
PRINCIPAL CORRESPONDENTS Gopal Kishore
SENIOR CORRESPONDENT Sneha Jha
CORRESPONDENTS Debarati Roy, Shweta Rao, Shubhra Rishi, Ankita Mitra, Kartik Sharma

DESIGN
LEAD DESIGNERS Jinan K.V., Vikas Kapoor, Jitesh C.C
SENIOR DESIGNER Unnikrishnan A.V
DESIGNERS Amrita C. Roy, Sabrina Naresh, Lalita Ramakrishna

SALES & MARKETING
PRESIDENT SALES & MARKETING Sudhir Kamath
VP SALES Parul Singh
GM MARKETING Siddharth Singh
MANAGER KEY ACCOUNTS Jaideep Marlur, Sakshee Bagri, Varun Dev
MANAGER-SALES SUPPORT Nadira Hyder
MARKETING ASSOCIATES Anuradha Iyer, Benjamin Jeevanraj

CUSTOM SOLUTIONS & AUDIENCE DEVELOPMENT
SR. MANAGERS PROJECTS Ajay Adhikari, Chetan Acharya, Pooja Chhabra, Ajay Chakravarthy
MANAGER Tharuna Paul
SENIOR EXECUTIVE Shwetha M
PROJECT COORDINATORS Archana Ganapathy, Saurabh Pradeep Patil, Rima Biswas

FINANCE & OPERATIONS
FINANCIAL CONTROLLER Sivaramakrishnan T. P
SR. MANAGER ACCOUNTS Sasi Kumar V
SR. ACCOUNTS EXECUTIVE Poornima
MANAGER CREDIT CONTROL Prachi Gupta
SR. MANAGER PRODUCTS Sreekanth Sastry
ASSISTANT MANAGER PRODUCTS Dinesh P
SR. MANAGER PRODUCTION T.K. Karunakaran
SR. MANAGER IT Satish Apagundi

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027, India. IDG Media Private Limited is an IDG (International Data Group) company.

2 | AUGUST 15, 2012 | REAL CIO WORLD
Printed and Published by Louis D’Mello on behalf of IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027. Editor: Louis D’Mello Printed at Manipal Press Ltd., Press Corner, Tile Factory Road, Manipal, Udupi, Karnataka - 576 104.
IDG Offices in India are listed on the next page
Networks are complex. Your network performance management shouldn’t be. Decomplexify it with Riverbed Cascade.
Go to www.Riverbed.com/Cascade to see how Riverbed is Decomplexifying network performance management by enabling end-to-end visibility into the performance and troubleshooting of critical business applications. For any queries, please contact marketingindia@riverbed.com or +91 9845652826, +91 80 40300567
FROM THE GOVERNING BOARD

Beat the Economy Blues
The uncertain economy is an opportunity for CIOs to rise above troubled waters. Here’s how.

Challenges bring a plethora of opportunities along with them. The current economic uncertainty is helping CIOs accelerate plans for the future. And, believe me, it’s easy to capitalize on them. The answer lies in focus. One great approach is a triangular union of three action elements: Economize, empower, and build IT. The first element focuses on identifying areas to purge; the second on selecting projects to invest in; and the third on training programs to build skills and keep IT morale up. Here are some pointers that may come in handy:

Take Stock: CIOs must take periodic stock of their organizations' financial situation themselves. They must ensure that IT expenditure has the same importance it had a few months ago. Otherwise, CIOs are likely to lose touch with the dynamic economic reality.

Predict: CIOs need to keep their teams focused on two main areas for effective preemptive planning: Marrying IT and business priorities, and being lithe enough to keep IT steady when priorities change. For example, one can maintain a dashboard of all projects that calculates priorities on the basis of capital investment, time required, and risk factors. It will make the available alternatives clearer as conditions change.

Communicate: It’s a great practice to spend time with business to gauge its sensitivity. There is a fine line between an authoritative and a “mother-may-I?” attitude. One stops being a CIO at either extreme. CIOs will have to judiciously balance the two without jeopardizing critical business functionalities.

Train: A leader is known by his team. We often forget that the staff that constitutes the IT team needs emotional training apart from technical expertise. Companies may not cut costs, but it is the CIO’s duty to prepare his IT team for that possibility. Also, avoid indulging in unnecessary resource spends.

Fine-tune: CIOs might want to edge back some cash spends, pushing them to the next year. Begin to bias new-project selection towards short-term, low-risk projects. This will augment the team’s response time.

Rajeev Batra is CIO, Sistema Shyam Teleservices (MTS India)

GOVERNING BOARD
ALOK KUMAR VP & Global Head-Internal IT & Shared Services, TCS
AMRITA GANGOTRA Director-IT (India & South Asia), Bharti Airtel
ANIL KHOPKAR VP-MIS, Bajaj Auto
ATUL JAYAWANT President Corporate IT & Group CIO, Aditya Birla Group
C.N. RAM Group CIO, Essar Group
DEVESH MATHUR COO, HSBC
GOPAL SHUKLA VP-Business Systems, Hindustan Coca-Cola
MANISH CHOKSI Chief-Corporate Strategy & CIO, Asian Paints
MURALI KRISHNA K SVP & Group Head CCD, Infosys Technologies
NAVIN CHADHA IT Director, Vodafone Essar
PRAVIR VOHRA Group Chief Technology Officer, ICICI Bank
RAJEEV BATRA CIO, Sistema Shyam Teleservices (MTS India)
RAJESH UPPAL Executive Officer IT & CIO, Maruti Suzuki India
S. ANANTHA SAYANA Head-Corporate IT, L&T
SANJAY JAIN CIO & Head Global Transformation Practice, WNS Global Services
SUNIL MEHTA Sr. VP & Area Systems Director (Central Asia), JWT
V.V.R. BABU Group CIO, ITC

IDG Offices in India
Bangalore: Geetha Building, 49, 3rd Cross, Mission Road, Bangalore 560 027, Phone: 080-3053 0300, Fax: 3058 6065
Delhi: New Bridge Business Centers, 5th and 6th Floor, Tower-B, Technopolis, Golf Course Road, Sector 54, Gurgaon - 122002, Haryana, Phone: 0124-4626256, Fax: 0124-4375888
Mumbai: 201, Madhava, Bandra Kurla Complex, Bandra (E), Mumbai 400 051, Phone: 022-3068 5000, Fax: 2659 2708
Now, align your data centre architecture to your business needs in just seconds

1 Cooling: Rack-, row-, and room-based cooling options for greater efficiency.
2 Management: End-to-end monitoring and management software for greater efficiency and availability.
3 Physical security: A single-seat view for monitoring and surveillance.
4 Power: Modular power distribution and paralleling capabilities on UPS for loads from 10 kW to 2 MW.
Only InfraStruxure adapts quickly to your specific business needs Introducing Next Generation InfraStruxure
Whether you have just acquired a new company or must increase its ever-expanding customer or inventory database capacity, you’re most likely facing pressing demands on your company’s IT infrastructure. Your existing data centre infrastructure may not be able to handle these up-to-the-minute changes. That’s where Schneider Electric™ steps in with its proven high-performance, scalable data centre infrastructure. As the industry’s one-of-a-kind, truly modular, adaptable, and ‘on-demand’ data centre system, only InfraStruxure™ ensures that your data centre can adapt effectively, efficiently, and, perhaps most important, quickly, to business changes.
InfraStruxure data centres mean business!
A data centre means business when it is available 24/7/365 and performs at the highest level at all times, is able to adapt at breakneck speed, lets you add capacity without waiting on logistical delays (e.g., work orders), enables IT and facilities to keep pace with the business in a synchronised way, continues to achieve greater and greater energy efficiency — from planning through operations — and is able to grow with the business itself. What’s more, our comprehensive life cycle services help InfraStruxure data centres retain business value at all times.
The triple promise of InfraStruxure deployment
InfraStruxure fulfils our triple promise of superior quality, which ensures highest availability; speed, which ensures easy and quick alignment of IT to business needs; and cost savings based on energy efficiency. What better way to mean business than to enable quality, speed, and cost savings — simultaneously?
Business-wise, Future-driven.™
Discover which physical infrastructure management tools you need to operate your data centre. Download White Paper #104 today and 10 lucky respondents can WIN a free telescope.
5 Rack systems: ‘Any-IT’ vendor-compatible rack enclosures and accessories for high densities.
The flexibility of the InfraStruxure architecture: Turn any room into a world-class data centre. InfraStruxure can be deployed on its own as a modular, scalable, customised solution that’s easy to design, build, and install for small first-time data centre environments.
Extend the life of your data centre. Existing data centres can add on InfraStruxure components to existing architecture and, for increased value, use our management software.
Scale up with step-and-repeat modular architecture for large data centres. Medium/large environments can deploy InfraStruxure as a zoned, ‘pay-as-you-grow’, scalable architecture solution. APC™ by Schneider Electric is the pioneer of modular data centre infrastructure and innovative cooling technology. Its products and solutions, including InfraStruxure, are an integral part of the Schneider Electric IT portfolio.
Visit www.SEreply.com Key Code 45504y Call 1800-4254-272/877 ©2012 Schneider Electric. All Rights Reserved. All trademarks are owned by Schneider Electric Industries SAS or its affiliated companies. email: esupport@apc.com • Schneider Electric India Pvt Ltd, 9th Floor, DLF Building No. 10, Tower C, DLF Cyber City, Phase 2, Gurgaon – 122002 • 998-5037_A_IN-GB
contents AUGUST 15, 2012 | VOL/7 | ISSUE/10

SECURITY SPECIAL

38 | Security’s Big Wars
COVER STORY | SECURITY In the battle to secure their enterprises CIOs are fighting a six-front war. And CIOs seem to be winning. Find out how. Feature by Team CIO

40 | The Three-cornered Fight for Mobile Supremacy
MOBILITY Four Indian CIOs take on BYOD’s security threats with three different strategies. Here are the pros and cons of each. By Debarati Roy

44 | Beating the Guerillas at Their Game
MOBILITY How to ensure that your enterprise isn’t blindsided by consumer devices. By Serdar Yegulalp

48 | Firing a Round for BYOD
MOBILITY Enterprise IT is targeting personal devices and maximizing their ROI potential. By Tom Kaneshige

52 | The Cloud Under Attack
CLOUD COMPUTING Gaping holes in the cloud are making it easier for hackers to launch their missiles. And a lack of security awareness isn't helping. By Jeff Vance

56 | Defensive Lines
APPLICATIONS Securing your apps has never been more important, and there are lots of ways to do that. By Michael Fitzgerald

60 | Assault on Noncompliance
GOVERNANCE, RISK, COMPLIANCE GRC can be a complex undertaking. But for Fiserv, the alternative was even more complicated. By Bob Violino

64 | Dynamiting Data
GOVERNANCE, RISK, COMPLIANCE A critical part of securing IP is the timely elimination of data you no longer need. By Bob Violino

68 | For Your Eyes Only
GOVERNANCE, RISK, COMPLIANCE IP is the new hot target, under attack by hackers and inadequately secured. Here’s how to protect it. By Lauren Gibbons Paul

71 | Security’s Buy-in Obstacle
PEOPLE SKILLS Even well-run organizations can be resistant to new ideas. Nine ways to cross this hurdle. By Mary Brandel

76 | Militants of the Web World
CRIME If your employees are using the corporate network to transact in the online black market, your organization is in severe trouble. By Brandon Gregg

COVER: PHOTOGRAPH BY KAPIL SHROFF / COVER IMAGING BY UNNIKRISHNAN AV
No More Data Lost in Transit
Our Zero Data Loss Solution ensures that your business doesn’t lose even a single byte of data or precious minutes getting your service back on track in the event of a downtime.

Zero Data Loss DR solution
Data lost in transit during a downtime is irretrievable. Traditional disaster recovery services take at least 4 to 5 hours to initiate the recovery process, putting a great deal of data at risk. Which is why a Zero Data Loss Solution makes perfect business sense.
To know more, Write to us: marketing@ctrls.com | Call us: 040-42030583
Visit www.ctrls.in/mumbai-data-center
CtrlS Business Solutions DR on demand | MyCloud - Private cloud on-demand | Managed Services | Messaging Solutions
contents (cont.)

DEPARTMENTS

2 | From the Editor-in-Chief
Hold Your Nerve By Vijay Ramachandran

4 | From the Governing Board
IT Strategy | Beating the Economy Blues By Rajeev Batra, Sistema Shyam Teleservices (MTS)

11 | Trendlines
Privacy | British Airways Stalks Passengers
Quick Take | Taking Rogue IT Down
Compliance | French Faux Pas Costs it €10,000
Devices | Ads Spy on Mobile Users
Internet | Anti-Social Networking
Malware | Access (Not) Denied
Internet | God More Harmful Than Porn
Passwords | It’s the Default’s Fault
Censorship | Google’s Schmidt Takes on China
By The Numbers | Beefing up Online Security

20 | Alert
Data Privacy | One ID Card, Many Pockets
People | Generation Gap = Security Abyss?

98 | Essential Technology
Security | The New Perimeter
Social Media | Social Insecurity

104 | 5 Things I've Learnt
The Voice of Experience | Sundaram Krishnan, Former CIO, Universal Sompo General Insurance

2012: The New Battle Fronts
SURVEY | GLOBAL INFORMATION SECURITY SURVEY Cloud computing, social media, and mobility: They are all yesterday’s emerging technologies—and today’s emerging threats. Find out how Indian organizations are countering this multi-front attack. By Sunil Shah and Shardha Subramanian

COLUMNS

26 | Crossing the Cloud Security’s I’s and T’s
CLOUD COMPUTING As organizations migrate more and more critical functions to the cloud, it's becoming crucial for IT—in conjunction with business and cloud providers—to ensure that security's i's are dotted and its t's crossed. Column by Pallavi Anand

27 | A CIO’s Guide to the World
UNDERCOVER OFFICER Is it possible to adhere to local business customs without compromising security? Yes, but only if the CSO has a little creativity and a lot of trust. Column by Anonymous

30 | Security Bootcamp
STRATEGIC CIO Skip the boring lectures and understand how people really learn new information and habits. Column by Joe Ferrera

32 | Alternative Views: Should CIOs KISS?
Security policies are long-winding and hard to read. Would simpler versions encourage compliance? Two CISOs debate.
CIO Online
www.cio.in

[CIO HOMEPAGE] CIO.in Revamps!
To serve your needs better, we've redesigned cio.in. Now you'll be able to navigate content more easily, and quickly see the stories that demand your attention. We also have more surveys and more case studies!

[CIO DEBATES] Should CIOs KISS?
We invited two CISOs to kick-start a debate on whether making user security policies simpler would encourage compliance. Read all about it in Alternative Views (page 32). Which side are you on? We also have more debates for you on www.cio.in: Is the Economy Pushing for New Models of Funding IT? Ayes Vs Nays. Job Rotation: Harmful or Helpful? Ayes Vs Nays.
>> www.cio.in/cio-debates

[BOOK CLUB] Conversation Starter
Books have been known to spark conversations and on our website you can find the genesis of one. Learn what your peers think of a book and then visit the all new CIO Book Club section online and join the conversation with your peers.
>> www.cio.in/bookclub

[Cover Story] Security's Big Wars
A fierce battle between CIOs and the six most potent threats—mobility, cloud, apps, GRC, people and crime—is on. And it looks like CIOs are winning this one. Find out how.
>> www.cio.in

Must Read @ cio.in
>> Alert: Generation Gap = Security Abyss?
>> Column: Cloud Security’s I’s and T’s
>> Feature: Bombarded: The Cloud Under Attack

CIO ADVERTISER INDEX
Bharti Airtel
Boston Limited (India)
Ctrl S Datacenters
23 1
Check Point Software Technologies
7
Eaton Power Quality
13
EMC Data Storage
34, 35, 36 & 37
Fortinet
49
Galaxy Business Solutions
67
Gartner India Research & Advisory Services
9 + Flap
HID India
51
IBM India
BC
Juniper Networks India
IFC
Lenovo India
IBC
McAfee India Sales
Security Survey
Nelco
47
Oracle India
15
Panasonic India
59
Riverbed Technology India
3
SAS Institute (India)
75
Schneider Electric India
5
Trend Micro India
25
21
Verizon Communications India
31
VMWare Software India
19
This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.
TRENDLINES | EDITED BY SHARDHA SUBRAMANIAN | NEW * HOT * UNEXPECTED
PRIVACY
British Airways Stalks Passengers Online
We’ve all Googled ourselves from time to time, but British Airways has crossed the creepy line for looking up its own passengers on Google Image Search. The airline is rolling out a new program, called Know Me, that tries to improve passenger recognition through Google search and other methods. British Airways will create dossiers on passengers, and will use the profile data to offer 4,500 personal recognition messages by the end of the year, the London Evening Standard reports. For instance, flight attendants may reference Google image results to greet a high-profile, first-class passenger when he or she boards the plane. British Airways will also dig into its own passenger data, so if a regular customer experienced a delay on a previous flight, airline staff can offer a personal apology.

Not surprisingly, some privacy advocates are upset. “Since when has buying a flight ticket meant giving your airline permission to start hunting for information about you on the Internet?” Nick Pickles, director of Big Brother Watch, told the Standard. Some customers just don’t want to be bothered—especially famous ones—so it’s presumptuous for the airline to think no one will mind being stalked on Google for the purpose of a greeting. A better way might be to let people opt in to such a service through Facebook. That way, the information would be more reliable and less creepy, and would only affect willing participants. Using Google for image search is also a slippery slope that could lead to broader Internet data mining. British Airways should draw the line at image recognition, and think of smarter ways to provide personalized service that don’t revolve around Internet stalking. —By Jared Newman

QUICK TAKE: INSIDER THREAT
Taking Rogue IT Down
Take one look at the Batman Rogues Gallery and you will be able to recognize the Mad Hatter, Bane, Clayface and the Joker. All real, visible rivals. Unfortunately for CIOs, the IT Rogues Gallery still remains in the shadows. Rogue IT is gradually making its presence felt in enterprises. Gopal Kishore spoke to Rohan Deshpande, CIO, Ogilvy & Mather, to find out how to combat it.

How serious is the threat of rogue IT?
Call it rogue IT or shadow IT or by any other name, but when users try to circumvent the IT department, it is definitely a matter of concern. Today, anybody with a credit card can get access to cloud services. We try to prevent this trend by making it mandatory for employees to get all IT reimbursement cleared by the IT department.

Is it fuelling the cloud or is the opposite true?
It’s not just rogue IT users, but SMEs and entrepreneurs who are fuelling the cloud. The growth of shadow IT has been facilitated by a range of feature-rich tools such as project management, online backup, and other valuable services that are available through the ubiquitous Web browser. These can be procured and integrated into current business practices without IT’s involvement. However, we see that this is usually done by tech savvy users within the organization for their personal requirements.

Would it be easier to prevent rogue IT if IT adheres to user needs?
The role of IT is that we understand the business need and we understand technology. As long as the requested service fits into the company’s IT policy, we don’t reject it. We do deny certain requests, as there is a very thin line between official and personal. Some employees take advantage of this and charge the organization for some service which was used for personal benefit. IT refuses to oblige only because it has to safeguard the company’s interest. So, taking these considerations into account, we either reject or oblige user requests.

ILLUSTRATION BY VIKAS KAPOOR
BREACH
VOICES: IS BIOMETRIC AUTHENTICATION FEASIBLE?
Passwords are essentially the root of all data breach evils. Strong passwords with random capital letters, numbers and special characters confuse people and they resort to creating a passwords file, which is the first thing hackers look for. Is it time to move away from traditional password protected identification to biometric identification? Debarati Roy asked some of your peers and here’s what they had to say:

RAMNATH IYER, Director-IT, CRISIL
“Single factor authentication isn’t adequately secure and is not preferred outside a gated environment. SAML (security assertion markup language) combined with biometric authentication on local host is promising. But my bet will be on biometrics as the long-term solution for data privacy.”

KALPANA MANIAR, Head-Business Solutions & IT, Edelweiss Capital
“Biometric is still evolving. We are yet to see effective biometric readers that provide quality results. Though work-arounds are available, security threats pertaining to biometric implementations remain contentious.”

SANKARANARAYANAN RAGHAVAN, Director-IT, Aegon Religare Life Insurance
“The future of password protection and authentication lies in biometric validation. Currently, it can be implemented on laptops and ATMs, but it would be expensive and complex to deploy on online apps and portals. However, I do believe that when both the complexity and the cost to implement reduce, biometrics will be the future of password protection and security.”

COMPLIANCE
French Faux Pas Costs it €10,000
A French company must pay a €10,000 (about Rs 6.8 lakh) fine for failing to provide an employee with GPS data tracking the movements of his company vehicle, according to the French National Commission on Computing and Liberty (CNIL). The man wanted the data in order to prove that a traffic accident in which he had been involved took place while he was on business for Equipements Nord Picardie, a regional water utility.

France has strict laws governing what personal data businesses may store on a computer, and provides that anyone may request a copy of data relating to them. Typically, access requests are made by persons wishing to correct or delete personal data held about them, two other rights enshrined in French law. However, in this case, the man hoped to use the tracking data gathered by his employer to convince a court that he had been the victim of a workplace accident.

Eleven weeks after his initial request to his former employer, he complained to the CNIL, which asked the company to turn over the data four times over the following six months. Another month passed, still with no reply. The CNIL gave the company formal notice to turn over the data within two weeks, but it refused, saying the employee could consult the data in its office. “Through its stalling tactics, the company took the risk of depriving the plaintiff of the possibility of accessing data, the storage of which was only guaranteed for six months after its recording,” the CNIL said in its ruling. That could have left the employee without the means to prove to his health insurance provider that the accident had been sustained on company business. In view of the company’s procrastination, and its refusal to provide the copy of the data required by law, the CNIL decided to impose a €10,000 fine. —By Peter Sayer

IMAGING BY VIKAS KAPOOR
DEVICES
Ads Spy on Mobile Users
Some ads inside free apps for smartphones pose a threat to consumer privacy, according to a company that makes security software for mobiles. More than 50 percent of free apps embed ads in their offerings provided by ad networks, according to Lookout Mobile Security. Some of those networks access personal information on the phones they’re running on without clearly explaining what they’re doing to users, research by Lookout revealed. It also noted that 5 percent of the apps on smartphones, which represent 80 million downloads, are embedded with “aggressive” ad networks that perform “non-kosher” acts on a smartphone, such as changing bookmark settings and delivering ads outside the context of the app they are embedded in.

An analysis of free apps in Google Play showed that the leading users of aggressive ad networks were wallpaper apps (17 percent), followed by entertainment (8 percent) and games (7 percent). The security vendor has also released a set of comprehensive guidelines for mobile advertisers. They outline “best practices” for the pitch firms to follow and govern transparency and clarity, individual control, ad delivery behavior, data collection and other topics. In addition to collecting personal data from smartphones, ad networks have also been reported to push “scareware,” such as battery upgrade warnings, and shove marketing icons onto a phone’s start screen. —By John P. Mello Jr.

INTRUSION
Enemy at the Gates
The good news: Unknown attacks have come down. The bad news: Employees are still the biggest source of security breaches.

Estimated Likely Source of Incidents         2012   2011
Employees (current and former)               86%    76%
Hacker                                       33%    32%
Competitors                                  28%    …
Customers                                    26%    15%
Service providers/consultants/contractors    21%    20%
Unknown                                      12%    27%
Source: Indian Information Security Survey
INTERNET
Anti-Social Networking
Yet another criminal has managed to get himself caught after posting on Facebook. Convicted robber James Tindell skipped out of Oregon earlier this year to avoid court-ordered drug treatment and other conditions he had accepted so as to avoid prison. But instead of flying under the radar, Tindell made Facebook posts that taunted his probation officer, complained about the judge who sentenced him, and ranted about the criminal justice system. Not only that, he also posted things such as “I’m in Alabama,” and a sonogram of his unborn child that showed the name of the hospital in Alabama where it was taken. His probation officer spotted the posts and asked prosecutors to issue a nationwide arrest warrant. Tindell was then apprehended after getting pulled over for speeding—another genius move by someone running from the law. In the end, the clueless criminal was ordered to reimburse the state $2,600 (about Rs 1.4 lakh) for flying him back to Oregon and sent to prison for two-and-a-half years.

It’s far from an isolated case. Last year, a thief in Georgia used a cell phone he found in a stolen purse to post a picture of himself on the victim’s Facebook page. He likely didn’t know the phone’s owner had it set up to automatically post photos to the social network. And in April, a dim-witted British crook was busted after a friend posted a photo of him on Facebook with a TV he’d stolen. Charles Holden stole a plasma TV, a PlayStation, and some games from a house in which he formerly had roomed. He then sold the goods right outside the door while one of his friends snapped a picture of the transaction. The victim, suspecting Holden, snooped around on his Facebook page as well as those of his friends and spotted the incriminating photo, which led to an arrest.

And this one is classic: A Pennsylvania man, back in 2009, stopped to check his Facebook account on a computer in the home he was in the process of robbing. He forgot to log out before taking off with his loot. Of course, the victim later noticed his mistake and gave police identifying information to make a speedy arrest. Although you’d think enough of these stories have surfaced that malefactors would wise up, apparently stupidity is perennial. If nothing else, they’re good for chuckles. —By Christina DesMarais
Access (Not) Denied

TRENDLINES

MALWARE

The security vendor Trusteer is warning banks to look out for a sophisticated Trojan that can empty the account of online users. The criminal scheme perpetrated through the Tatanga Trojan has already attacked the sites of several German banks, and Trusteer expects it to be reconfigured in time for banks in other countries, including the US. “Many [US and Indian banks] are using the exact same framework as German banks, so they should care,” said Oren Kedem, director of product marketing for Trusteer.

The cyber-criminals are taking advantage of the text messaging German and Indian banks use to authenticate an online transaction. When a person transfers funds, the bank first sends a transaction authorization number (TAN, or an Online Authentication Code in India) to the customer’s mobile phone. That number has to be typed into a Web form before the transfer is completed. When a victim logs into his bank’s site, the malware displays a screen saying the bank is performing a security check and asks that a TAN or OAC be entered into a form on the page. Behind the scenes, the Trojan checks the victim’s accounts for the one with the most money and then requests an OAC from the bank, so the money can be transferred to the hackers’ account. From the victim’s perspective, the bogus page says the amount of money and the receiving account are only test data and nothing will actually happen. However, once the OAC is entered into the form, the unsuspecting bank immediately completes the transfer to the fraudulent account. To cover its tracks, the malware changes the account balance report in the online banking application to hide the transaction.

The malware creators still have some work to do to improve the effectiveness of the scam. The fraudulent page is littered with grammar and spelling mistakes, which should be a tip-off for many victims. —By Antone Gonsalves
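The scheme above works because the code the bank texts says nothing about what it authorizes, so the bogus “security check” page can relay a genuine code for a transfer the victim never saw. The following added example (not code from the article, Trusteer or any bank) shows the bank side binding each code to the beneficiary and amount and repeating both in the SMS, plus the customer-side comparison that defeats the “only test data” claim. Account numbers, key and amounts are constructed sample data.

```python
"""Transaction-bound one-time codes (added example, constructed data)."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Transfer:
    source: str        # customer's own account
    beneficiary: str   # receiving account
    amount_eur: int    # whole euros, for simplicity


class BankOacIssuer:
    """Bank side: issues one-time codes valid for exactly one transfer."""

    def __init__(self, server_key: bytes) -> None:
        self._key = server_key
        self._pending: Dict[str, Tuple[Transfer, str]] = {}

    def begin_transfer(self, t: Transfer) -> Tuple[str, str]:
        """Register a transfer; return (tx_id, sms_text) for the customer's phone."""
        tx_id = secrets.token_hex(8)
        # The code is an HMAC over the transaction details, so it cannot be
        # repurposed for a different beneficiary or amount.
        msg = f"{tx_id}|{t.source}|{t.beneficiary}|{t.amount_eur}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        oac = f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"
        self._pending[tx_id] = (t, oac)
        # The SMS repeats beneficiary and amount so the customer can check them
        # against what they actually asked for, whatever the web page claims.
        sms = (f"Code {oac} authorizes EUR {t.amount_eur} to account "
               f"{t.beneficiary}. If you did not request this, do not enter it.")
        return tx_id, sms

    def complete_transfer(self, tx_id: str, t: Transfer, entered: str) -> bool:
        """Execute only if the code was issued for this exact transfer; single use."""
        pending = self._pending.pop(tx_id, None)
        if pending is None:
            return False
        issued_for, oac = pending
        return issued_for == t and hmac.compare_digest(oac, entered)


SMS_PATTERN = re.compile(r"Code (\d{6}) authorizes EUR (\d+) to account (\S+)\.")


def parse_sms(sms: str) -> Tuple[str, int, str]:
    """Customer side: pull (code, amount, beneficiary) out of the SMS text."""
    m = SMS_PATTERN.search(sms)
    if m is None:
        raise ValueError("unrecognized authorization SMS")
    return m.group(1), int(m.group(2)), m.group(3)


def safe_to_enter(sms: str, intended: Optional[Transfer]) -> bool:
    """True only if the SMS describes a transfer the customer actually initiated.

    A page claiming the details are "only test data" is exactly the case where
    `intended` is None, and the answer must be False.
    """
    if intended is None:
        return False
    _, amount, beneficiary = parse_sms(sms)
    return amount == intended.amount_eur and beneficiary == intended.beneficiary


if __name__ == "__main__":
    bank = BankOacIssuer(b"constructed-server-key")
    legit = Transfer("DE00-VICTIM", "DE00-LANDLORD", 500)
    tx, sms = bank.begin_transfer(legit)
    print(sms, "->", "enter" if safe_to_enter(sms, legit) else "refuse")
    fraud = Transfer("DE00-VICTIM", "DE00-MULE", 9000)   # Trojan-initiated
    _, sms2 = bank.begin_transfer(fraud)
    print(sms2, "->", "enter" if safe_to_enter(sms2, None) else "refuse")
```

The bank alone cannot tell the second request from a genuine one; the control is that the SMS names the real beneficiary and amount, so the customer can refuse.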
God More Harmful Than Porn

INTERNET

Religious and ideological websites can carry three times more malware threats than pornography sites, according to research from security firm Symantec. The firm’s annual Internet Security Threat Report also found that threats to mobile devices continue to grow, almost exclusively for Google’s Android mobile OS. Internet security reports from companies that also sell anti-virus solutions should be taken with a pinch of salt, given the potential of conflict of interest, but Symantec’s authoritative findings are nevertheless interesting. Symantec found that the average number of security threats on religious sites was around 115, while adult sites only carried around 25 threats per site—a particularly notable discrepancy considering that there are vastly more pornographic sites than religious ones. Also, only 2.4 percent of adult sites were found to be infected with malware, compared to 20 percent of blogs. “We hypothesize that this is because pornographic website owners already make money from the Internet and, as a result, have a vested interest in keeping their sites malware-free—it’s not good for repeat business,” said the report.

Be that as it may, malware threats are only increasing. Symantec measured an increase of more than 81 percent in malware in 2011 over 2010, while the number of malware variants increased by 41 percent. On the flip side, spam volumes have decreased from 88.5 percent of all e-mail in 2010 to 75.1 percent in 2011—thanks to law enforcement action which shut down the Rustock worldwide botnet that was responsible for sending out large amounts of spam. Android smartphone users should also be wary of malware, as Symantec says mobile vulnerabilities, almost exclusive to Google’s open mobile OS, increased by more than 93 percent. The report found more than half of all Android threats do two things: Collect device data or track users’ activities. A quarter of the mobile threats identified were designed to make money by sending premium SMS messages from infected phones, which could be even more lucrative than stealing your credit card details. — By Daniel Ionescu
Passwords Farce: It’s the Default’s Fault

TRENDLINES

PASSWORDS

KPN, a Dutch telecom company, closed a self-service portal for corporate ADSL customers recently after it discovered that 120,000 of its 180,000 business clients were still using default passwords, all variants of ‘welkom01’, demonstrating once again how lax security can get. The security vulnerability could have given unauthorized persons easy access to the corporate accounts, for which the corresponding usernames could be easily derived from the businesses’ street addresses. KPN said it was unaware that the vast majority of its 180,000 ADSL business clients were still using a default password for the online Customer Self Care portal. Dutch IT news site Webwereld alerted KPN about the trend after a tip from Robert Schagen of Robert 4U IT, who discovered the security leak. By continuing to use default passwords such as “welkom01,” “welkom1” or “welkom001”, customers risked unauthorized persons gaining access to their accounts, KPN said. Corporate clients were provided with a default password to gain access to the online self-care portal as a standard practice, but KPN did not make it mandatory to change the password, and so a lot of their customers never did.

Businesses’ user names consist of their zip code and street number, said KPN spokesman Steven Hufton. And a list of KPN’s corporate customers could easily be obtained by querying the database of the regional Internet registry, Webwereld reported. With access to an account on the portal, it is possible to change a customer’s contact e-mail address and connection speed and turn services on and off, Hufton said. Besides that, the portal also contains bank account numbers and it is possible to change the password, giving malicious persons the opportunity to take over the account, Webwereld wrote. “This is unacceptable,” said Eddy Willems, security evangelist at G Data. “KPN should have made it mandatory for users to change the default password when the account was activated.” KPN’s problem was probably a historical one, Willems said, adding that at the time of the implementation probably nobody thought about the consequences. While this is an easy problem to solve, companies should think of good security before they implement a system, he said.

—By Loek Essers
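Two controls the article says were missing, as an added example that is not KPN’s code: an audit of stored password hashes against the ‘welkom’ default family, and a login gate that forces a change when the correct password is still a default. The hashing scheme, salts and account records are constructed for this example; the default family is assumed to extend to counters 1–9 with up to three digits of padding.

```python
"""Default-password audit and forced-change gate (added example, constructed data)."""
import hashlib
import hmac
import re
from typing import List, Tuple

DEFAULT_BASE = "welkom"
DEFAULT_PATTERN = re.compile(r"welkom\d*", re.IGNORECASE)


def default_password_variants(max_digits: int = 3, max_n: int = 9) -> List[str]:
    """The family the article names (welkom1, welkom01, welkom001, ...),
    assumed here to run over counters 1..max_n with 1..max_digits of padding."""
    variants = set()
    for n in range(1, max_n + 1):
        for width in range(1, max_digits + 1):
            variants.add(f"{DEFAULT_BASE}{n:0{width}d}")
    return sorted(variants)


def hash_password(password: str, salt: bytes) -> bytes:
    """Constructed storage scheme for this example: PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed portal records: (username, salt, stored hash). Usernames follow the
# article's description (postcode plus street number); all values are made up.
SAMPLE_ACCOUNTS: List[Tuple[str, bytes, bytes]] = [
    ("1234AB-12", b"salt-a", hash_password("welkom01", b"salt-a")),
    ("5678CD-3", b"salt-b", hash_password("welkom001", b"salt-b")),
    ("9012EF-45", b"salt-c", hash_password("portal-2012-rotated", b"salt-c")),
]


def audit_default_passwords(accounts: List[Tuple[str, bytes, bytes]]) -> List[str]:
    """Return usernames whose stored hash matches any default variant.

    Per-user salts mean each variant is hashed once per account; the cost is
    bounded by len(variants) * len(accounts) hashes, which is what an operator
    would run once over the portal's account table to find who must reset."""
    variants = default_password_variants()
    flagged = []
    for username, salt, stored in accounts:
        for candidate in variants:
            if hmac.compare_digest(hash_password(candidate, salt), stored):
                flagged.append(username)
                break
    return flagged


def acceptable_new_password(password: str) -> bool:
    """Policy on change: reject the default family outright and require a
    minimum length (12 is an assumed value)."""
    return DEFAULT_PATTERN.fullmatch(password) is None and len(password) >= 12


def login(username: str, password: str,
          accounts: List[Tuple[str, bytes, bytes]]) -> str:
    """'denied', 'must_change' (correct but still a default) or 'ok'.

    The cleartext is available at login, so a correct password that matches the
    default family is the moment to force the change KPN never required."""
    for name, salt, stored in accounts:
        if name == username:
            if not hmac.compare_digest(hash_password(password, salt), stored):
                return "denied"
            if DEFAULT_PATTERN.fullmatch(password):
                return "must_change"
            return "ok"
    return "denied"


if __name__ == "__main__":
    print("accounts still on a default password:",
          audit_default_passwords(SAMPLE_ACCOUNTS))
    print("login 1234AB-12 / welkom01 ->", login("1234AB-12", "welkom01", SAMPLE_ACCOUNTS))
```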
Google’s Schmidt Takes On China

CENSORSHIP

After carefully working with China for the past two years, Google Chairman Eric Schmidt bluntly predicted the fall of the Great Firewall of China. “I believe that ultimately censorship fails,” Schmidt said in an interview with Foreign Policy magazine. “China’s the only government that’s engaged in active, dynamic censorship. They’re not shy about it.” In the interview, Schmidt predicted that once China’s Internet censorship policies fall, an influx of free-flowing information could cause great political and social changes in the country. “I personally believe that you cannot build a modern knowledge society with that kind of behavior. That is my opinion,” said Schmidt. “I think most people at Google would agree with that,” he added. “The natural next question is when [will China change], and no one knows the answer to that question. [But] in a long enough time period, do I think that this kind of regime approach will end? Absolutely.”

Schmidt’s comments about the Chinese government and its efforts to keep its citizens from reading or viewing information on specific subjects come after Google has spent more than two years in talks with the Chinese government. In March of 2010, Google announced that it would no longer censor search results as the government requested. At the time, Google’s chief legal officer, David Drummond, said the company stopped censoring on multiple Google.cn sites. Google rethought its agreement to censor search results inside China’s walls after a major attack against its network was launched in late 2009 from inside the country. The attack was aimed at exposing the Gmail accounts of Chinese human rights activists. However, Google executives at the time also continued talks with Chinese officials in an attempt to maintain a link to the country’s vast business potential. —By Sharon Gaudin
TRENDLINES

Best Practices

COMPILED BY GOPAL KISHORE

Beefing Up Online Security

To encourage e-commerce and social media sites to adopt best practices to protect consumer data, the Online Trust Alliance introduced the Online Trust Honor Roll.

The year 2011 has become known as the Year of the Breach. According to the Verizon 2012 Data Breach Investigations Report, 2011 saw 855 online data breach incidents and 174 million compromised records across 36 countries. The trend continued into 2012, starting in January with Zappos, which experienced a breach of 24 million records. To combat this trend, the Online Trust Alliance (OTA), a member-based non-profit representing the global Internet ecosystem, reviewed over 1,200 sites. The OTA’s aim was to create a progress report—and include organizations in its Online Trust Honor Roll & Online Trust Index—on best practices to help protect online consumers from security and privacy threats. Of the companies evaluated by the OTA, less than 30 percent were named in the Honor Roll for successfully implementing several key best practices. Social media showed the greatest increase in percentage of companies making the Honor Roll (from 12 percent in 2011 to 52 percent in 2012). Their adoption of e-mail authentication protocols and robust SSL implementations have contributed to their high scores. But 75 percent of online retailers are still failing to adopt best practices, exposing users to security, privacy and social engineering threats.

1. IMPLEMENT e-mail authentication to reduce the incidence of spoofed and forged e-mail, which may lead to identity theft.

2. PREVENT cybercriminals from snooping and eavesdropping on public wireless connections. Always-on SSL (AOSSL) ensures this by encrypting all communication.

3. ENCRYPT all data files containing customer profiles, e-mail addresses and PII, which are transmitted externally or stored on portable devices or media including flash and USB drives.

A Web of Security Threats

The increase in the number of online breaches has made organizations more security-aware but not cautious.

Online Attacks Shot Up in 2011 (2010 vs. 2011):
Hacking: 50% in 2010, 81% in 2011
Malware: 49% in 2010, 69% in 2011
Physical attacks: 29% in 2010, 10% in 2011

75% of online retailers are still failing to adopt online security best practices.
40% increase in the number of social media companies making the Honor Roll in 2012.
$2.1 billion: estimated cost of breach in 2011.
855 incidents of breaches across 36 countries.

SOURCE: VERIZON 2012 DATA BREACH REPORT AND ONLINE TRUST ALLIANCE
CUSTOM SOLUTIONS GROUP: VMWARE

CLOUD CORNER: Thought Leadership on Evolving to the Cloud Without Endangering Your Enterprise

SACHIN JAIN, CIO & CISO, Evalueserve

Evalueserve is moving fast on its cloud journey and Jain says that other CIOs—even those without the in-house skills—can too, if they get help from vendors.

Business priorities entail that we constantly strive to reduce turnaround time to set up IT space for our clients, and lower costs while ensuring agility. Our journey to achieve these goals led us to the adoption of a hybrid cloud, one that is secure, scalable and agile. Our main datacenter already has over 100 virtualized servers. The next step is to virtualize our co-located datacenters. The aim is to create a self-service environment for our users and clients. We handle a lot of sensitive client data, so cloud security will always demand that additional effort. There are concerns around some applications we want to put up which process highly-sensitive data.

However, the technology is evolving and managing security for standard applications on the cloud is not a big hindrance anymore. That said, moving mission-critical apps is largely dependent on industry vertical, organizational risk appetite, and industry compliances, among others. The cloud is not a new concept; and most CIOs have a fair idea of it. CIOs who don’t have the in-house skills might face some challenges like delays in execution, manageability, day-to-day support or deriving maximum value from their investments, but these hurdles can be overcome with the help of solution architects from vendor organizations.

T. SRINIVASAN, Managing Director, VMware India & SAARC

The hybrid cloud is the way forward, says Srinivasan, because it allows CIOs to address security and availability concerns and leverage existing IT investments.

Virtualization is an essential catalyst for cloud computing. It abstracts complexity and creates an elastic pool of compute, storage, and networking resources, all of which accelerate an organization’s transition to the cloud. Using VMware’s three-tiered approach, CIOs can gradually acclimatize their organizations to the technology. They begin by virtualizing tier-II and tier-III applications. Then they virtualize mission-critical applications and start saving a lot of money. The third phase is what we call the agility phase, which is about speed and responsiveness.

About the cloud itself, we believe that a one-cloud-fits-all approach won’t work. No single cloud can provide all the answers to an organization’s dynamically changing IT needs and also alleviate concerns around data privacy, loss of control over data, vendor lock-in, lack of interoperability, and latency. To deliver a competitive advantage, cloud computing must be tailored to an organization’s needs. We believe that a hybrid cloud is the way ahead because it allows CIOs to address some of their security and availability concerns, while leveraging existing IT investments.
alert

ENTERPRISE RISK MANAGEMENT

One ID Card, Many Pockets

Make no mistake, your personal data isn’t your own. When you update your Facebook page, “Like” something on a website, apply for a credit card, click on an ad, listen to an MP3, or comment on a YouTube video, you are feeding a huge and growing beast with an insatiable appetite for your personal data, a beast that always craves more. Virtually every piece of personal information that you provide online will end up being bought and sold, segmented, packaged, analyzed, repackaged, and sold again. The “personal data economy” comprises a menagerie of advertisers, marketers, ad networks, data brokers, website publishers, social networks, and online tracking and targeting companies, for all of which the main currency—what they buy, sell, and trade—is personal data. And the databases that collect this information are increasingly hyperconnected—they can trade data about you in milliseconds.

Data Beeline, Online and Offline

Personal data has become far easier to access and aggregate than it used to be. Long before we started cataloging our lives on the Internet, much of the information about us lived in hardcopy public records documents at the city hall or the county courthouse. Those public records, which include birth data, real estate records, criminal records, political affiliation and voting records, and more, have in recent years been scanned, digitized, and otherwise fed into databases. That data is now being combined with our online personal data.

Uninvited Guests

A whole industry of public records data companies has sprung up to aggregate public records data from every city, county, and state in the union, and to make the data easily available online (for a price). Some of these firms, such as Intelius.com and Spokeo, are combining public records data with online data such as personal data from social networks.

FINDINGS

According to a US survey, nearly 65 percent of the respondents estimate that an average firm experiences three or more IT security breaches annually.

24%: The number of CIOs who said their topmost worry is data security and protection.

The Number of Security Breaches in US Enterprises in a Year:
0: 10%
1-2: 12%
3-5: 21%
6-10: 17%
11-15: 6%
16-20: 7%
Over 21: 14%
Don’t know: 13%

SOURCE: The CIO Insomnia Project - Robert Half

Not Really a Private Affair

What may be a dark side to this mashup of public records and social networking data is this: Public records sites such as Intelius, Spokeo, and PeopleFinders.com distribute the kind of data that landlords, insurers, employers, or creditors could easily use to screen applicants—but the sites insist that their content is not intended for such uses.
“The use of our service to screen potential employees, tenants, or for any other purpose that’s restricted by the Fair Credit Reporting Act is in violation of our Terms & Conditions,” Intelius’s Adler says. But many people suspect that personal data offered at public records sites is being used for exactly such purposes. And in truth, the public records sites would have no way of knowing if this happened—and may not want to know.

Big Data, Bigger Impact

So-called Big Data is one of the few big concepts that will define technology and culture in the first part of the 21st century. The term refers to the capture, storage, and analysis of large amounts of data. Among people involved in the personal data economy in one way or another, one anecdote—“Target pregnancy prediction”—comes up over and over again, and beautifully demonstrates both the possibilities and the dangers of Big Data.

Observation and Inference

In the Target case, future parents were served with highly relevant ads and offers, and the retailer found a new way to reach its customers and pump up sales. No problem, right? Wrong, say privacy advocates. The warehousing and analysis of so much data, and so many types of data, might lead the curators of the databases to infer things about us that we never intended to share with anybody. Experts say that in the future, predictive analysis will advance to the point where it can tease out information about people’s lives and preferences using far more, and far more subtle, data points than were used in the Target case.

Clear as a Crystal

Lack of transparency may be the single biggest objection to consumer tracking and targeting today. Advertisers are spending millions to combine, transmit, and analyze personal data to help them infer things about consumers that they would not ask directly. Their practices with regard to personal data remain hidden, and they’re acceptable only because people don’t know about them. Such tracking and targeting also feels arrogant. Consumers may not mind being marketed to, but they don’t want to be treated as if they were faceless numbers to be manipulated by uncaring marketers. Even the term “targeting” betrays a not-so-friendly attitude toward consumers.

Grow up, Internet!

Still, many people—on both the privacy and advertising sides of the fence—believe there is room both for consumer privacy and for Web advertisements and content targeting using personal data. But the veil of secrecy around the use of personal data would have to be lifted. For that to happen, many believe, everybody in the personal data economy must be more realistic about the economics of the Internet. The online advertising industry needs to become much more transparent about the ways it collects and uses our personal data. If it did so, we might be more inclined to believe its claim that carefully targeted ads actually help us by making Web content more relevant and less spammy. The challenge now is for everyone involved—consumers, advertisers, Internet companies, and regulators—to understand how the personal data economy really works. Only then can we start getting busy developing some rules of the road that balance the business needs of advertisers with the privacy needs of consumers.

Mark Sullivan writes for PCWorld (CIO’s sister publication). Send feedback to editor@cio.in
[ONE :: LINER]

“Today, social media sites have toolbars plugged into Internet browsers. It is evident that these tool operators are interested in tracking ‘what we do when’. To control what gets uploaded and who gets access to social media sites, CIOs should implement rights management and DLP.” —SESANKA PEMMARAJU, IT DIRECTOR & CISO, HITACHI CONSULTING
Generation Gap = Security Abyss?

Young, tech-savvy people pay substantially less attention to online security risks, and are, therefore, more likely to experience security problems than older people. That’s the surprising finding of a survey conducted by ZoneAlarm, a unit of security vendor Check Point Software Technologies. ZoneAlarm polled 1,245 young and older tech users from the US, Canada, United Kingdom, Germany, and Australia to find generational differences in attitudes towards computer security. About 40 percent of the participants were between 18 and 35 years old, while about 20 percent were between 56 and 65 years old. The rest ranged in age from 36 to 55.

The survey found that respondents aged 18 to 25 generally tend to overestimate their knowledge about computer security, spend less than other age groups on security products, and do less than Baby Boomers (those who were born during the post-World War II baby boom from 1946 to 1964) to protect themselves online. While more than one out of three Baby Boomers admit being “very concerned” about security and privacy issues, only one in five younger users felt the same way. Similarly, only 31 percent of the younger respondents ranked security as the most important tech consideration, compared to 58 percent of Baby Boomers. The survey also found that the younger respondents were less likely than the older ones to pay for antivirus products, third-party firewalls, or integrated security suites. In general, older Internet users appeared to be more concerned about email-borne attacks, while younger users were concerned about threats emanating from social media channels and file-sharing networks. However, when it came to actual security incidents, about 50 percent of Gen Y respondents said they had experienced virus infections and other security breaches in the last two years, compared to 42 percent of Baby Boomers.

“Gen Y people are sophisticated, technically savvy online users,” said Bari Abdul, vice president and head of ZoneAlarm. “We expected them to have figured out security. What really came as a surprise to us is that Baby Boomers are doing better than Gen Y.” Most of the Gen Y participants in the survey said that entertainment and social media interactions are more important issues for them than security, he said. The younger people often turn off security tools such as antivirus products and firewalls if they believe the tools are hampering online gaming or social media activities. Bari said IT executives should be aware that many younger employees bring their security beliefs to work as well. Companies should also make sure to secure the increasing social networking use of the latest generation of workers, he added.

Securosis analyst Rich Mogull questioned the validity of such surveys and the conclusions reached by ZoneAlarm. “User behavior studies are usually skewed [depending on] the questions asked,” he said, adding that survey questions often don’t correlate to real behavior, or don’t tie to behavior that reflects real security risks. He added that security technologies such as firewalls are built into and turned on by default in every operating system.

Lucian Constantin is a news reporter for IDG News. Send feedback to editor@cio.in.

Print. Repeat. Print.

A computer worm that propagates by exploiting a 2010 Windows vulnerability is responsible for some of the recent incidents involving network printers suddenly printing useless data, according to security researchers from Symantec. On June 21, Symantec reported that the rogue printouts were the result of computers being infected with a Trojan program called Trojan.Milicenso. However, the company’s researchers have since determined that the propagation routine of a separate piece of malware, a worm called W32.Printlove, can cause similar problems, Symantec researcher Jeet Morparia mentioned in a blog post. W32.Printlove infects other computers on the local network by exploiting a remote code execution vulnerability in the Microsoft Windows Print Spooler service. The rogue printing behavior can occur when W32.Printlove unsuccessfully attempts to infect a Windows XP computer connected to a shared network printer. Fortunately, the failed infection attempts leave behind .shd files in the printer spool directory that contain details about printing jobs, including the names of computers that initiated them. Administrators can inspect SHD files with a free tool called SPLViewer after shutting down the Print Spooler service, Morparia said.

— By Lucian Constantin
How Secure is Your Network?
Pallavi Anand
CLOUD COMPUTING
CloudSecurity's I'sandT's
T
he adoption of cloud computing Mitigate Against Disaster As organizations migrate is rapidly gathering momentum. When choosing a provider, make sure they have more and more critical However as cloud computing data continuity and data recovery plans in place functions to the cloud, it's becomes more mainstream, in case the worst case scenario happens and their becoming crucial for IT—in security concerns are being raised. systems crash, which could render all of your conjunction with business A recent Robert Half survey of 150 CIOs and data inaccessible and, in rare case, unrecoverable. and cloud providers—to CTOs in APAC revealed that security was the The same rings true for any applications used most prevalent concern among the respondents in the cloud. A company can survive if a nonensure that security's i's are when migrating to the cloud. mission-critical application goes offline, but what dotted and its t's crossed. In fact 44 percent of those surveyed in Hong happens if a mission-critical one does? Kong were concerned most about security. Other concerns included data integrity (26 percent), lack of internal Hire the Right Staff knowledge on cloud computing (18 percent) and migration cost (8 When hiring IT staff, it is essential that they understand the percent). (According to CIO research, 53 percent of Indian CIOs say security models and security technology needed to manage in a security is their top concern with the cloud.) cloud environment. Depending on the size of the organization, While cloud computing is deemed to improve business it may be possible to hire a cloud security specialist whose main processes and increase company competitiveness, security in the responsibility is to keep the company's operations in the cloud as cloud continues to remain a global challenge, particularly as more secure as possible. (About 40 percent of Indian CIOs say that they and more critical functions are migrated. So what can be done? 
do not have staff dedicated to their cloud computing initiatives, Here are some tips on dealing with security issues in a cloudaccording to CIO research.) enabled organization. Along with the requisite technical expertise, we see more employers looking for candidates with strong management and communication skills. These candidates are in demand as they Ensure Your Data is Secure will be able to collaborate and communicate effectively with nonMake sure your cloud computing provider takes proper measures technical business managers. to secure your company data and any applications that are used in In addition, your organization should create a security policy the cloud. While providers have an obligation to do this for their for all in-house staff to follow when accessing and working in the clients, a review should be done to confirm that your expectations cloud. Best practices should be shared broadly and continuously on cloud security are being met. reinforced. All staff should also be encouraged to keep up with any Companies and providers need to ensure that all critical changes in technology advancements within cloud computing. company data is masked and that only authorized users have This will allow them to more effectively work with, and monitor, access to it. They also need to ensure that individual identities and the service provider. credentials are protected. At the same time, they must comply with Whilst cloud computing is deemed to improve business company compliance procedures, as well as laws relating to data processes and increase company competitiveness, security in the protection in the markets they operate in. cloud remains a challenge. In order to remain competitive, the IT Apps that are accessed via function—in partnership with management and providers—needs the cloud also need to be Cloud Compliance to continue to work closely to identify, assess, monitor and mitigate secure. 
Companies need to For more on cloud security read these new and emerging risks appropriately. CIO work with their providers Cloud Computing: You Can't to make sure computers that Outsource Your Compliance are used to access data in the Pallavi Anand is director at specialized recruitment firm Robert Half. Send feedback on Obligations on www.cio.in c o.in cloud are secure. this column to editor@cio.in 26
Undercover Officer
ANONYMOUS
A CSO’s Guide to the World
Is it possible to adhere to local business customs without compromising security? Yes, but only if the CSO has a little creativity and a lot of trust.
I’m usually not one who gets into bumper sticker logic, but I like the idea of a CSO acting globally but thinking locally. By that I mean a CSO needs to devise and enforce global security policies, but also put some thought into how those policies will be implemented locally around the world. Otherwise, variations in national customs and culture can short-circuit even the most well-intentioned security policies. I found that out the hard way. I once tried to standardize the global procedures for the forms of identification that visitors to our facilities had to show. Based on my experience in the US, I thought that a policy requiring a driver’s license, government-issued picture ID or passport would be sufficient. Surely, most visitors—no matter the country—would have at least one of these forms of identification. Not so. In Tokyo, some visitors never carry government-issued picture ID cards. Not only that, the Japanese routinely rely on business cards as a means of identifying themselves. This custom works very well within the culture of the Japanese business world, because it would be unthinkable for someone to print a false business card. The last time I checked, al-Qaida was not listed in the Japanese business directory. This procedure would never do. After much discussion with the Japanese security guards and the receptionists, I compromised and altered the policy so that if a government-issued picture ID was not available, then business cards could be used to identify visitors. However, those visitors were not allowed into the building until the employees whom they wished to see came to the lobby and physically escorted them inside. The policy thus adhered to local business customs without compromising security.
Then there was the issue of the guard force. Security guards in Japan are taught to be deferential toward visitors, and it is actually illegal for them to use force or try to restrain people in any way. I discovered this when I did a penetration test on the physical security of my company’s Tokyo office. I pretended to be someone off the street and then sneaked past the guards and into the building. As the guards spotted me, they called out “sumimasen, sumimasen” (excuse me, excuse me), but when I didn’t stop, they remained at their posts and took no further action. Needless to say, we retrained the guards to react by keeping contact with the intruder and simultaneously reporting the intrusion to police.
World Culture
Of the countries where I’ve been responsible for security, Japan easily has the most trusting society—so much so that I simultaneously admire them and fear for their safety. But it wasn’t the only country where I had something to learn. Many other cultures, while considerably less trusting than the Japanese, have markedly different views of security than our own. In China and Singapore, for example, civil liberties are not considered sacrosanct, and law enforcement will not hesitate to arrest and indefinitely imprison, without trial, people who are suspected of being terrorists. In Indonesia, following several high-profile bombings from an al-Qaida-linked group called Jemaah Islamiyah, the security in office buildings has been beefed up to levels far surpassing those of most American and European companies. While Australia is much less militant, there I found the local police to be much more involved in anti-terrorism programs with local building security guards than almost any other country where I’ve worked. I’m not sure why. Perhaps it is because most of Australia’s population is located in six major cities, making co-ordination easier.
Europe’s history raises its own set of issues. Citizens there tend to have much stricter notions of privacy than Americans, probably because Europeans suffered through the abuses of Nazi and Communist regimes and therefore have higher standards for how personal data can be collected and for what purpose. To be sure, most Americans value privacy, but they also view themselves as a nation of business. They are therefore more ready to compromise privacy in the interest of business or security.
Different cultural attitudes, of course, translate into different regulatory environments. In Europe, both information and physical security are very much influenced by a privacy regulation known as the European Data Protection Act (DPA). Most Americans are under the impression that in Europe there is only one DPA, but that’s not the entire story. Under European Union laws, the European Commission and European Parliament pass legislation such as the DPA, but it is then up to the member states to enact national legislation that implements, and does not conflict with, the overarching EU legislation. The member states are also tasked with enforcing their own national DPA. As a result, regulations and their enforcement can vary widely. Asian countries have typically passed legislation that is very close in nature to the EU’s Data Protection Act. However, enforcement of the laws can vary widely. Japan, Hong Kong, Singapore and Australia all have DPA laws on the books, but I’ve found that companies are very rarely taken to task for violating those regulations.
Take on the World: To know more about what it means to be a global CSO, read So You Want to be a Global CSO? Visit www.cio.in
No Standard for Standards
Outside of data protection issues, there tend to be far fewer differences in information security, primarily because there are few differences in technical systems. After all, a Windows 2003 server in one country is just about the same as in any other. Where I did find differences, though, is in the method of implementing an information security program. Europeans are much more likely to follow an international standard than are Americans. I’m sure an entire book could be written about this phenomenon, but it probably stems from the fact that Europe is composed of many countries that, historically, have had to cooperate in order to ensure that their technical systems worked with one another. The telegraph and gauge of railroad tracks are two examples of European nations agreeing on and building a common standard. If they hadn’t, then imagine having to stop at each border and board a different train. Americans, by contrast, tend to view themselves as rugged individualists. We often place priority on getting to market. Just think back to the introduction of video cassette recorders. In the late 1970s and early 1980s, there were two competing standards, VHS and Betamax. Rather than compromise on a common standard, American companies slugged it out in the marketplace. Eventually, VHS gained the upper hand, and Betamax died out. Ah, American Darwinian capitalism at its finest.
In the field of information security, these cultural differences play themselves out with Europeans being much stronger proponents of ISO 20000 than are Americans. If an American company goes for any type of third-party certification, it is more likely to be a Statement on Auditing Standards (SAS) 70. Unlike ISO 20000, however, the SAS 70 is not a “best practices” standard. Instead, it documents the controls in place that satisfy the company’s internal control objectives. The company defines its own control objectives, and the auditor checks to see if the controls the company has implemented are sufficient to achieve its objectives. Once again, we see the American practice of “going it your own way.”
A Difference of Control
The major cultural differences in information security that I have seen between Asian countries and Western countries arise over the documentation of controls. Many times, I have met with my Asian counterparts to go over the controls they have in place. Yet, upon auditing the systems, I will eventually find major discrepancies between what is written and what is actually implemented. I can only ascribe this difference to the practice of “saving face,” which is prevalent in the Chinese and Japanese cultures. Japanese and Chinese IT professionals are sometimes so eager to please me, the global CSO, that they tell me what they think I want to hear rather than bring up actual problems. It takes some time to read between the subtleties of language and the culture of maintaining respect. After discussing the issue with several of my Japanese and Chinese IT colleagues, I found that the best way is to encourage participants to practice self-examination (that is, criticize themselves but not colleagues) and seek ways in which their job performance might be improved. Also, I publicly praise the groups when they bring up problems and propose solutions. This way, I make it clear that I welcome critical analysis and am not just looking to hear that everything is going swimmingly well.
A global CSO who assumes that his native country’s cultural norms apply to his foreign offices will quickly learn that they do not translate well. Instead, it is best to cultivate close relationships with individuals around the world and to listen to their advice. If a CSO understands a culture and trusts the professionals working in that culture, he will find it easier to implement policies that meet the spirit of the company’s control objectives, and that hold true the world over.
This column is written anonymously by a real CSO. Send feedback on this column to editor@cio.in
Joe Ferrara
STRATEGIC CIO
Security Boot Camp
Skip the boring lectures and understand how people really learn new information and habits.
Information security people think that simply making users aware of security issues will make them change their behavior. But security pros are learning the hard way that awareness rarely equals change. One fundamental problem is that most awareness programs are created and run by security professionals, people who were not hired or trained to be educators. These training sessions often consist of long lectures and boring slides—with no thought or research put into what material should be taught and how to teach it. As a result, organizations are not getting their desired results and there's no overall progress.
It's important to step back and understand how people most effectively learn subject matter of any type. Applied to security training, these techniques can provide immediate, tangible, long-term results in educating employees and improving your company's overall security posture.
Serve Small Bites
People learn better when they can focus on small pieces of information that the mind can digest easily. It's unreasonable to cover 55 different topics in 15 minutes of security training and expect someone to remember it all and then change their behavior. Short bursts of training are always more effective.
Reinforce Lessons
People learn by repeating elements over time—without frequent feedback and opportunities for practice, even well-learned abilities go away. Security training should be an ongoing event, not a one-off seminar.
Train in Context
People tend to remember context more than content. In security training, it's important to present lessons in the same context as the one in which the person is most likely to be attacked.
Vary the Message
Concepts are best learned when they are encountered in many contexts and expressed in different ways. Security training that presents a concept to a user multiple times and in different phrasing makes the trainee more likely to relate it to past experiences and forge new connections.
Involve Your Students
It's obvious that when we are actively involved in the learning process, we remember things better. If a trainee can practice identifying phishing schemes and creating good passwords, improvement can be dramatic. Sadly, hands-on learning still takes a backseat to old-school instructional models, including the dreaded lecture.
Give Immediate Feedback
If you've ever played sports, it's easy to understand this one. "Calling it at the point of the foul" creates teachable moments and greatly increases their impact. If a user falls for a company-generated attack and gets training on the spot, it's highly unlikely they'll fall for that trick again.
Tell a Story
When people are introduced to characters and narrative development, they often form subtle emotional ties to the material that helps keep them engaged. Rather than listing facts and data, use storytelling techniques.
Make Them Think
People need an opportunity to evaluate and process their performance before they can improve. Security awareness training should challenge people to examine the information presented, question its validity, and draw their own conclusions.
Let Them Set the Pace
It may sound clichéd, but everyone really does learn at their own pace. A one-size-fits-all security training program is doomed to fail because it does not allow users to progress at the best speed for them.
Security Conditioning: To learn more about security workshops, read Security Training 101 on www.cio.in
Send feedback on this column to editor@cio.in
CUSTOM SOLUTIONS GROUP VERIZON
EXECUTIVE VIEWPOINT
CLOUD COMPUTING AND BYOD: STAYING SAFE AND SOUND
John Samuel, Director–India & SAARC Region, Verizon Enterprise Solutions, on how enterprises can harness the powers of the cloud and mobility while effectively addressing security concerns.
How can CIOs who want to leverage the cloud effectively secure data?
Data security has always been a key consideration among CIOs who want to move to the cloud—and rightly so. A cloud provider with proven security expertise can make the cloud a safer place to conduct business. The right cloud provider makes security its business, so that enterprises focus on ways to make the best use of the cloud to gain an edge over rivals. CIOs need to stay abreast with the latest security threats, and devote powerful tools as well as expertise to maintain the safety of data in the cloud. To support this, CIOs should back their strategies with stringent SLAs for availability, and define liability for unplanned outages. They would do well to ask for high levels of real-time visibility into systems that reside in the cloud and ensure that the solutions they buy into offer a high degree of reliability.
Revamping security infrastructure can be expensive. Is there a more cost-effective alternative?
Building an enterprise’s infrastructure can be expensive. Yet most businesses deliberately over-engineer their infrastructure because they have suffered from unexpected system failures and unavailable applications, resulting from unplanned usage spikes. From a security perspective, over-engineering makes sense, but it can lead to cost implications. It is essential for enterprises to strike a balance between initial investments in security infrastructure and budgeting for disaster recovery. While cloud computing offers the potential to solve these challenges, CIOs need to choose the right fit for their businesses from an array of solutions. IT capabilities offered through cloud computing such as PaaS, SaaS, and IaaS can help organizations deploy Web-based applications without purchasing, installing, and managing supporting hardware. It can help them gain efficiencies by standardizing certain functions, like CRM, and providing them access to a shared pool of resources that can be allocated on demand to any application, thus enabling a pay-per-use model.
Many organizations are taking advantage of Web-enabled business applications. However, these aren’t without risks. How can CIOs improve Web application security?
Yes, the benefits of Web-enabled applications aren’t risk-free. In fact, the 2012 Verizon Data Breach Investigations Report found that 94 percent of data compromised were from servers. So clearly, the security of Web applications must be taken seriously. Thankfully, improvements in technology and methodologies have helped organizations identify Web application vulnerabilities. CIOs can improve Web application security by quickly identifying and fixing vulnerabilities. Dynamic protection, timely remediation, and continuous monitoring are required to maintain the security of business-critical Web applications.
How can CIOs manage employee devices using the cloud?
Enterprises now want to use the cloud to enhance their BYOD capabilities and drive organizational productivity. However, managing remote devices can be a challenge for IT administrators. They have to take into account a wide range of new security and management features, which they have to build into applications so that employees can safely access company data. It is vital for enterprises to put strict security policies in place and employ encryption technologies to restrict business-sensitive data from being stolen or misused. Also, a business continuity plan ensures the availability of key IT infrastructure. CIOs should ensure that their employees have a strong understanding of the risks involved in working within a mobile environment. These risk factors should be addressed continually as the organization’s mobility strategy evolves.
John Samuel, Director–India & SAARC Region, Verizon Enterprise Solutions: With over 20 years of management and sales experience behind him, Samuel’s responsibilities at Verizon include growing the company’s customer base and revenues in India and the SAARC region, and ensuring significant market presence. Prior to joining VES, Samuel was country manager, India, at BT Infonet India.
This interview is brought to you by the IDG Custom Solutions Group in association with
Alternative Views
USER COMPLIANCE
Should CIOs KISS? Employee security policies are long-winding, bulky, and hard to read. Would making it simple encourage user compliance? Two CISOs debate.
We need to consider the human psyche while designing rules. It is a fact that nobody has the time or inclination to read a policy or manual that runs into several pages. The attention span of employees is quite short, and we need to engage them in that short span of time. We need to provide a do’s and don’ts list which is crisp and easy to understand. When we take various requirements such as regulatory compliances, industry standards, best practices and client specifications into consideration, the security policy does tend to become bulky. It is important that the policy is comprehensive and covers all must-haves, but is also easy to read at the same time. Otherwise following these policies will become just another check-box for users. It is extremely important to ensure that the security policies created are commensurate to the risk—sometimes we tend to deploy security policies based on standards even though they are not applicable to the business context.
At Bharti AXA, we have divided the security policy into three levels. First is the main policy which covers the intent and high-level objectives. This is a crisp document which everyone can read. Next is the detailed procedure aimed at specific group of users such that different user groups need to read only the specific procedures applicable to their work area. Finally, we have the templates, which are detailed guides for specific products and technology—again targeted at specific users only. To ensure that the security policies are deployed and implemented, my mantra is to educate, engage, and enforce.
“The attention span of employees is short and CIOs need to engage them in that short span of time. So, policies should be crisp and easy to understand.” —Parag Deodhar, Chief Risk Officer & VP, Bharti AXA General Insurance
Today, organizations face a roller-coaster of unpredictable security threats. From hackers accessing sensitive data, to sophisticated cyber attacks and state-funded APTs, these threats can cause irreparable damage to businesses. The increasing business complexity coupled with thousands of employees in hundreds of locations and various outsourcing partners—who have access to critical data—isn’t making life any easier. Businesses that operate in highly regulated domains require strict compliance monitoring and have to adhere to international regulations if they have a footprint outside India. This calls for a security policy which addresses all the above components to make the system work like a well-oiled machine. The policy also needs to be adequate and precise for all domains, else the aspects left out while trying to make it short would be subject to interpretation by users.
The solution for enhancing compliance lies in a structured measurable compliance program, which is likely to be complex, but will bring clarity. For instance, the program may include validating artifacts for hundreds of controls in a business function at one location or conducting on-site audit of a high-risk outsourced partner location. Ignorance is often the cause for policy non-compliance. It’s important to create security awareness through regular advisories, self-paced multimedia learning programs with real-life scenarios for illustration. This program should be made mandatory for all employees and partners, and be a component of HR induction for new employees. It is also important to create top management visibility and awareness through steering committees. Security is really a business concern, not just a problem for IT or the security team to handle. Hence, compliance should be driven by business functions rather than the security team alone. SMART (specific, measurable, achievable, relevant, and time-bound) dashboards with risk index and precise gaps should be owned by business, with target closure timelines.
“To enhance user compliance, CIOs need a structured, measurable compliance policy, which would be complex, but clear.” —Pankaj Agrawal, Head-Tech Governance & CISO, Aircel
As told to Gopal Kishore. Gopal Kishore is principal correspondent. Send feedback to gopal_kishore@idgindia.com
THE HARD MATH BEHIND STORAGE INVESTMENTS
In This Issue
34 | INDIABULLS FORGES AHEAD WITH EMC: Growing at an incredible pace, Indiabulls’ success began catching up with it. It turned to EMC to consolidate and make itself nimbler.
37 | FIGHTING DATA DELUGE: Sunil Brid, Director, Mid-Tier Business-India & SAARC, EMC, underscores the enterprise need for scale-out storage systems to tackle data growth.
An IDG Custom Solutions Initiative
BULLISH ON GROWTH: INDIABULLS FORGES AHEAD WITH EMC Growing at an incredible pace, Indiabulls’ success began catching up with it. When the 13 storage silos and the multiple applications that depended on them began to slow Indiabulls down, it turned to EMC to consolidate and make itself nimbler.
Company: Indiabulls Group
Industry: Conglomerate
Offering: Has interests in power, financial services, real estate and IT services
Sir Winston Churchill once said: “A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty.” If Churchill is anything to go by, Tejinderpal Singh Miglani is definitely an optimist. As the CIO of the Indiabulls Group and the CEO of IB Technology Solutions (the group’s IT services arm), Miglani has seen the conglomerate grow explosively since 2000. But as it scaled both vertically and horizontally, its growth began to burden its underlying IT infrastructure. At the time, Indiabulls’ infrastructure, especially its storage subsystem, addressed the needs of business adequately. But Miglani recalls thinking that it was only a matter of time before problems of manageability, scalability, performance, and costs crept up on the organization. To complicate matters, the clock was ticking on the warranties of the company’s storage systems. And when they expired, costs would balloon.
In this haze of challenges, Miglani saw an opportunity. Seizing the moment, he led his team and refreshed, re-organized and re-aligned the underpinnings of the company’s storage subsystems. He migrated the group from 13 storage silos to a consolidated, unified platform of three storage systems from EMC, a set up that could effectively handle the entire load of its wide-spread IT landscape.
CHARGED UP ON GROWTH
In 1999, when e-commerce was kicking off in the country, Indiabulls decided to build one of India’s first online brokerage services platforms. Soon, demand for its services made Indiabulls a leading business house with interests in power, financial services, real estate and infrastructure. Over the last decade, the group has raked in a combined net worth of over Rs 19,000 crore. “In the last 12 years, we have grown phenomenally. We now cater to over a million users on our online brokerage trading platform, hundreds of thousands of loan accounts of various kinds, and several thousands of real estate customers,” says Miglani.
A company-owned datacenter at Gurgaon, and a collocated one in Mumbai, housed all the company’s IT systems as well as the fundamental infrastructure to support business-critical communications, connectivity, and collaboration across the group. In addition to its flagship online trading platform, the group owned several enterprise applications that addressed the needs of its multiple businesses. An end-to-end loan management system managed the loan business unit. An elaborate SAP landscape catered to HR, financial accounting and controls, payroll, etcetera. The ERP also handled the transactional part of the real estate business including project planning and monitoring. Several other niche systems for the power business also lived and breathed in this mass of software.
“Much of our growth took place post 2003-2004. In the meanwhile, a lot of applications and systems were added to our landscape. Up until 2008, we procured many storage systems intermittently, to address the different requirements of different apps,” says Miglani. Between the inability to consolidate multiple storage technologies into a single—or two tiers—and a refusal to put all their eggs in one basket, the group witnessed a proliferation of multiple storage subsystems.
STORAGE INSECURITIES
Over time and as the business grew even further, Miglani sensed the company’s storage system creaking under pressure and it began to show signs of being unable to take the load of new business requirements. By this time, the storage systems were older than five years, and were about to run out of their warranties. This would have increased the company’s AMC costs, and added the pain of continuously managing and upgrading the firmware on individual storage silos. Worse, it would create a rash of concerns around availability and constant visibility as a lot of applications depended on the storage system.
As structured and unstructured data grew substantially and the group lacked a centralized file storage system, I/O requirements for various systems began emerging as a challenge. A few applications, for instance, required excellent response times of nearly 3 to 4 milliseconds from the underlying storage. But with the increase in the user base and data size, response time slowed to over 10 milliseconds. This proved detrimental to business-critical applications such as online transaction processing (OLTP) systems. Clearly, slower response times meant a loss of revenue. Moreover, systems couldn’t scale out as there was a limitation on the kinds of hard disks supported. This meant procuring higher-cost Fibre Channel (FC) hard disks only, even for requirements where a low-cost, high-capacity Near Line Serial Attached SCSI (NL-SAS) disk could have sufficed.
In terms of scalability, RAID group expansion within the systems emerged as a major pain point. Only 16 disks of the same size and speed could be accommodated in a single RAID group. If this symmetry was not maintained, overall performance was impacted significantly. Second, the older storage systems were based on Fibre Channel Arbitrated Loop (FC-AL). This meant that as the number of disks on the one-way loop of the ring topology increased, backend Input/Output Operations Per Second (IOPS) got delayed.
OPPORTUNITY IN STORE
Miglani knew what had to be done to effectively mitigate all of these challenges. He got his team of storage and managed infrastructure experts at IB Technology Solutions to come up with an efficient migration path as the storage ecosystem had to be refreshed. After due consideration to reduce costs without compromising performance, it was decided to consolidate the group’s 13 storage silos and migrate to an ecosystem of three systems of EMC’s latest unified product range called the VNX series. The IB Technology team spent a lot of time analyzing the current setup and preparing a comprehensive project plan. Required buy-in from project owners, other stakeholders, and EMC experts was gathered. Risks were assessed and impacts analyzed. The most probable risks were mitigated and fall-back plans were made ready.
The new system not only introduced the much required NL-SAS disks to the enterprise, but also a host of new features such as thin provisioning, Fully Automated Storage Tiering (FAST), solid state disk-based cache, compression, and de-duplication. It also helped in achieving bi-directional disaster recovery, with the help of EMC’s RecoverPoint, between the Gurgaon and Mumbai datacenters with minimum Recovery Point Objective (RPO) on a minimum bandwidth link. With the VNX series, the group got much-required hard disk and storage controller scalability along with the latest processor, 64-bit architecture, 10 Gbps iSCSI and 8 Gbps FC ports to effectively address data growth. Though the IOPS of NL-SAS hard disks is lower than that of FC, these inexpensive disks replaced dearer FC disks as the required number of IOPS was effortlessly met with the help of a flash drive-based fast cache mechanism. In case there’s an unexpected load or a sudden growth in data size, a controller can be replaced without any disruption. Thanks to thin provisioning, the enterprise uses disk space prudently. By leveraging de-duplication, it has been able to save humongous disk space on its NAS platform. The centralized management console is also helping to better manage storage, NAS and EMC’s RecoverPoint.
With the help of RecoverPoint, the group is maintaining an RPO of nearly five minutes for most of its production environment. Interestingly, because of an earlier host-based DR framework, Indiabulls had to be content with a much higher RPO, and a next-business-day Recovery Time Objective (RTO). The features of bandwidth compression and de-duplication in RecoverPoint have helped to reduce the RPO and RTO significantly. “The IB Technology team has achieved a great implementation, migration and consolidation experience; one that necessitated moving several app projects from different models of storage into three VNX systems uninterruptedly, and without any downtime,” Miglani says.
Post the migration, and armed with the latest storage ecosystem, the Indiabulls Group now plans to virtualize its server and desktop footprint extensively. Plans to use Virtual Tape Library and organization-wide NAS are also on the anvil. “We anticipate an investment protection for the next five years in terms of saving cost of maintenance, ability to extend number of hard disks, front-end and back-end IOPS serving capability, load on processor. Our TCO has also reduced significantly as we have opted for a five-year warranty,” says Miglani. Miglani’s perceived goals—to reduce operational cost and have the latest technology with future investment protection—have been met. A proactive optimist, indeed.
Dealing with Data Deluge

Sunil Brid, Director, Mid-Tier Business-India & SAARC, EMC, underscores the enterprise need for scale-out storage systems that can keep pace with today’s rapid and real-time data growth.

Traditional file systems cannot keep up with most big data apps. How can this be addressed?
Data explosion pushes the need for customers to mine data as it is created, and traditional file systems are unable to keep pace with this rapid data growth. Organizations need scale-out storage systems that match today’s need of storing petabytes of data on a real-time basis. Organizations should go for scale-out architecture, which allows them to scale without disrupting their IT environments.

Scaling up for big data means either large monolithic acquisitions or smaller systems with discrete data silos. How different is the modular scale-out architecture?
Scale-out NAS systems are designed in a way that the software layer allows multiple nodes to behave like a single and larger file system. For instance, EMC Isilon’s scale-out storage solutions run on our OneFS operating system, which allows the system to grow symmetrically or independently. This addresses the requirements for more space or processing power, giving the ability to scale out as the business grows. The solution enables independent and linear scalability of performance to over 100 gigabytes per second of throughput and more than 15 petabytes of capacity in a single file system. It becomes a single point of management for large and rapidly growing repositories of data, and offers mission-critical reliability with a state-of-the-art data protection solution.

Scaling up storage in terms of performance and capacity without disruption is hard. What can CIOs do?
Scaling up and scaling out are different strategies altogether. In a scale-out storage infrastructure, nodes are added whenever business demands scale, thereby increasing the processing power and storage bandwidth only when required. Scale-out expansion by adding nodes means granular enhancements in the business, and does not disrupt business operations or pose the risk of overbuying capex. This is a particularly strong feature of EMC Isilon’s OneFS operating system.

“Today, it’s important that businesses that have critical needs such as data concurrency and high performance access to data sets implement scale-out NAS solutions.”
SUNIL BRID, Director, Mid-Tier Business-India & SAARC, EMC
SECURITY SPECIAL

SECURITY’S BIG WARS

General CIO, the odds don’t look good. The cloud is making your borders more porous, mobility and social media are drawing out your defenses and expanding the territory you need to defend, and BYOD guerillas are all within your walls. But there are ways to win a multi-front war. Here are some.

40 The Three-Cornered Fight for Mobile Supremacy
Four Indian CIOs knocked down BYOD’s security threats with the three most popular mobile security strategies.

44 Beating the Guerillas at their Game
How to ensure that your enterprise isn’t blindsided by consumer devices.

48 Firing a Round for BYOD Security
Here’s how enterprise IT is targeting personal devices and maximizing the ROI potential of the BYOD movement.

52 Bombarded: The Cloud Under Attack
Gaping holes in the cloud are inviting hackers to launch their missiles. And a lack of security awareness isn’t helping.

56 Defensive Lines
Securing your apps has never been more important, and there are lots of ways to do just that—as long as you don’t mind using layered defenses.

60 Assault on Non-compliance
GRC can be a dauntingly complex undertaking. But for Fiserv, the alternative was even more complicated.

64 A Dynamic Way to Security
A critical part of securing intellectual property is the timely elimination of data you no longer need. Here’s how to do that.

68 Confidential: For Your Eyes Only
Intellectual property is the new hot target, under attack by hackers and inadequately secured. Here’s how to protect it.

71 Security’s Buy-in Obstacle Course
Even well-run organizations can be political, inflexible, and resistant to new ideas. Nine ways to fix that.

76 Militants of the Web World
If your employees are using the corporate network to transact in the online black market, then your organization is in severe trouble.
The Three-Cornered Fight for Mobile Supremacy

Four Indian CIOs counterpunched BYOD’s security threats and knocked them down with the three most popular strategies. Here are the pros and cons of each. By Debarati Roy

Reader ROI:
The most popular mobile security approaches
The pros and cons of each
How to build a long-term mobile strategy

In 2012, when mobiles invaded India Inc… That’s probably how history books would read a hundred years from now. And that’s because of the impact of the BYOD bombshell on enterprises—no less than a Pearl Harbor. And its after-effects. It has inflamed user-IT bonds and burnt the border between private and corporate. It has made enterprises a warzone, and security a nightmare. Caught in this war, CIOs and CISOs have no choice but to fight—not with employees that demand BYOD, but the security threats that accompany it. “In the past twelve months, we have witnessed a transition towards technology which is more pervasive. The influx of consumer devices in the enterprise is further pushing the need for CIOs to create a comprehensive and secure mobility roadmap, which is in-sync with business goals,” says Nicholas McQuire, research director-Enterprise Mobility, IDC. But that’s exactly what CIOs aren’t doing. According to the Indian Information Security Survey 2012, 80 percent of Indian CIOs say they already allow or plan to allow employees to use their personal devices to access corporate data, but only 29 percent include mobiles in their security policies. But those that take mobile security more seriously have found a way around BYOD’s ring of fire. Four IT leaders weigh the pros and cons of the three most popular mobile security strategies: MDM, VDI, and the Web.
Armed with MDM and MAM

Leaning on native apps in mobile devices has been one of the strongest camouflages for CIOs fighting mobile threats. It’s still one of the most preferred approaches toward securing data exchange over mobiles. But today’s smartphones have tilted the scales in favor of hybrid apps: Apps that combine the elements of both native and Web apps. This has ushered in the need for Mobile Application Management (MAM) and Mobile Device Management (MDM). Vilakshan Jakhu, SVP and CIO at BPTP, vouches for a comprehensive MAM policy coupled with MDM. With over 125 BlackBerry and a hundred Android and iOS devices running in his enterprise, Jakhu should know. “At BPTP, native business apps on mobiles are designed to encrypt data within the perimeter of the application code and access is secured through a verified login. And since the phone is a part of an MDM policy, you already have the facility to set basic device-level encryption, DLP, and remote wipe for additional layers of security,” says Jakhu. But if the data in the application is secure, why do you need device-level protection? That’s because, Jakhu says, these devices can easily download third-party applications and software that make corporate data vulnerable and penetrable. “When we started looking at e-mail security, we realized that even if our e-mail access is inherently secure, there could be a situation when employees try viewing e-mail attachments using Dropbox to open and save them. By the time one realizes, sensitive data has already left the organization,” he says. Another problem is connector apps. For instance, devices running on the Ice Cream Sandwich Android OS have reported problems with Microsoft Exchange (Outlook) ActiveSync. As a workaround, employees download other, unsecure connector apps. “These connector apps are made by small-time app developers who quite often don’t adhere to specific security standards,” says Jakhu. This shifts control to the hands of third-party app developers like True Caller. The moment this app is downloaded, it automatically uploads the device’s address book contacts to the server hosting the app and saves that data in True Caller’s network. “It might be okay if one is using it from a consumer standpoint but it can be risky when it comes to corporates. So, these kinds of apps need to be blocked,” says Jakhu. This is where device-level security takes center stage. Jakhu says that with MDM and app-level security, he can ensure that ‘evils’ like Dropbox and True Caller are prohibited. Joydeep Dutta, CTO, ICICI Securities, subscribes to the same school of thought. His resident applications—designed for the sales team to access brochures, financial calculators, and make presentations—can be accessed via company-owned Android tablets with 7-inch screens. However, he believes that organizations can’t stop users from downloading third-party apps. “There is no solution which can effectively stop or prevent downloads,” says Dutta. But Dutta also feels that teaming up with mobile vendors could help. Organizations can avail themselves of discounts, and IT can preload the phones with apps, files, security tools, and anti-virus software. This move could provide a shield for enterprises.
VDI’s Got Your Back

BYOD and VDI are the new BFFs. On a battlefield, BYOD can blindly trust VDI to ward off mobile threats. Ask Asish Karunakaran, AVP-IT, SBI Capital Markets, who swears by VDI. Karunakaran runs VDI in his 500-strong organization. “Ninety percent of employees have BlackBerry and 10 percent have tablets. We have deployed VDI solely for mobile devices and the response has been fabulous,” says Karunakaran. The nature of VDI makes it the most secure and preferred way to safeguard enterprise data. Karunakaran says VDI keeps corporate data within the boundaries of the enterprise, or even better, at a central location in the datacenter. “It helps to isolate corporate data from the end-user’s personal environment and enables the organization to deliver existing applications without making major upgrades,” says Karunakaran. IDC’s McQuire believes VDI is great for organizations in the BFSI sector. “Since mobility is inevitable, industry verticals like BFSI which are heavily regulated can place their bets on VDI,” says McQuire. And Karunakaran fits right into that category. “The business impact of any reputation loss and legal implications are way too high for me. I can afford productivity loss with a lag of five minutes but I can’t risk security,” he says. Karunakaran’s small IT team makes it a good match for VDI because resident applications involve huge development cost. If one decides to go with in-house development, it demands significant expertise and skill sets. “For a 500-employee organization, my application cost per employee would be very high. VDI was a one-time investment but if I have to develop individual apps for each platform and tweak them to suit changing needs, my costs will spiral over a period of time,” he says. But ICICI’s Dutta feels VDI is inherently expensive. He says VDI makes sense for extremely large migrations and might become a huge cost burden for the organization. Moreover, it’s not just capex but recurring bandwidth cost as well. “VDI for the mobile workforce will add almost three to four times more than the current telecom cost, besides licensing cost,” says Dutta. Cost aside, VDI comes in the way of the two benefits that lie at the heart of any enterprise mobility strategy: Productivity and user experience. “VDI technologies are not very effective on a small mobile screen. Also, inconsistent networks and time lag in app delivery might hamper user productivity on the whole,” says Jakhu. Another benefit of VDI that comes with a catch is the potential of working offline. But this involves running a client-side hypervisor, which needs fairly robust clients. “CIOs trying the VDI model should also beware of the fact that many of these VDI technologies and hypervisors don’t tie back well with back-end systems,” says Karunakaran. Industry experts also argue that VDI limits innovation for mobility because any small upgrade or add-on has to be made at the core app running on the back-end. This could be time-consuming, and constant upgrades can potentially upset the system.
At the Browser’s Bunker

It’s arguably the least complicated option for mobile security: The Web. Consider this: Native applications coupled with MAM and MDM require a lot of in-house skills, and VDI is expensive and not extremely user friendly. The Web dodges both bullets. For Mayurakshi Ray, CSO-APAC and chief risk officer, Aditya Birla Minacs Worldwide, the Web option works like a charm. Ray is bound by the nature of her business to not allow external devices to enter her organization. “Being in the BPO services space, Minacs deals with a lot of client data that is bound with a non-disclosure agreement. So, security becomes our biggest challenge,” says Ray. But Minacs does allow its employees to use e-mail Web hosting services. The company has a BlackBerry Enterprise Server—in which a group policy has been enforced defining the apps, and services such as e-mail—that employees can access. “There’s only so much that I can allow my users to access and those limitations make technologies like VDI or developing apps for mobile devices redundant.” Dutta, who uses the hybrid approach to mobility at ICICI Securities, allows basic applications like e-mail to be accessed over a Web browser. “The approach to security is no different than the security levels needed when users access applications from their home PC or laptops provided by the company. We have also enabled secure login through SSL and incorporated factors like browser session-timeouts which ensure basic levels of security,” says Dutta. The browser-based approach is cost effective as there is negligible incremental cost of developing separate applications for the mobile platforms. However, this strategy does little justice to the concept of anytime, anywhere access. The browser approach doesn’t allow one to work offline, and with erratic connectivity across the country, organizations would have to deal with productivity loss while trying to reconnect. SBI’s Karunakaran points out a major security flaw with this approach. He says the Web opens the enterprise up to the world. This means anyone can access applications from any device as long as they have connectivity. If an employee’s login credentials are compromised, there is no way the IT team can figure out if it’s an employee or a hacker trying to gain access to corporate data. But there are ways around it. “When an authorized device enters the corporate network, we register the IP address of the device and can trace it every time it connects to the network. That an employee will lose his/her device and compromise their login credentials is a remote possibility,” says Karunakaran.

Assorted Missiles

Apart from these popular weapons to fight mobile threats, smart use of technology can also minimize the security risks attached to mobility strategies. Katyayan Gupta, telecom and networking analyst, Forrester, feels that the flaw lies in the fact that enterprises don’t have a fixed long-term strategy for mobility. “Most of the enterprises I consult with are trying to deal with the problem on an ad-hoc, point solutions basis.” Tying all those diverse pieces together becomes a huge security challenge, he says. McQuire agrees. He says CIOs should also look for some form of central governance, like a Center of Excellence, which incorporates cross-functional interests across the mobile workforce, and involves senior management and functions from HR, Legal and Operations. “This will help CIOs set governance standards, and because the business side is closely associated with the process, it will understand the need for data security better,” says McQuire. Gupta suggests that CIOs work more closely with vendors to incorporate device-level password authentication. He predicts that with emerging technologies like Multifunctional Embedded Application Platform (MEAP) and HTML5, CIOs can work towards a more cost effective yet secure way to approach enterprise mobility. “There is nothing called absolute security. Why build so much fear around enterprise mobility? Even the most secure infrastructures have fallen victims. Fear doesn’t force people to shut shops, does it?” asks Gupta. Does it? CIO

Debarati Roy is a correspondent. Send feedback on this feature to debarati_roy@idgindia.com
Beating the Guerillas at their Game

How to ensure that your enterprise isn’t blindsided by consumer devices. By Serdar Yegulalp

Reader ROI:
The challenges of securing consumer devices in the enterprise
Different approaches to device security
What device-makers have in store

The analysts have a term for it: BYOD, or bring your own device. CIOs have their own term for it: Trouble. Once, mobile devices were exclusively issued—and managed—by a company’s IT department. With the broadening of the mobile device market—and with stylish, powerful smartphones and tablets becoming commodity products—can you blame anyone for wanting to use theirs for work? The whole question of how to secure those devices in the first place is a spur for both innovation and controversy. The good news: The most recent wave of mobile devices for the consumer reveals that device makers are conscious of this issue, and turning more attention towards adding enterprise security features. The bad news: There are still plenty of devices in circulation without such security.

The Problems of Device Security

The most common problem with consumer-grade devices in the enterprise is how to secure sensitive data. In fact, the process is a crapshoot.
Leslie Fiering, a research vice president at Gartner covering mobile computing, says, “In the past, the user would be provisioned a device by the enterprise, and you could assume there was endpoint security. But now we can no longer make assumptions about the user’s device.” In her opinion, the enterprise needs to do two things to achieve proper device security. The first is to perform network access control “that not only checks the user’s credentials, but also interrogates the devices, ‘Are you a trusted device?’” When people bring their own phones and tablets, she explains, “You can no longer assume such security resides there.”
Enterprise-ready Devices That leads into Fiering’s second point: Figure out what devices are privileged to have offline access to data. “Since user data cannot mingle with enterprise data, we start to think in terms of containers that are leak-proof, that separate the user data from the enterprise data.” An unprivileged device can be shunted to a different network segment or allowed to read data only as a browser, with no persistent local storage. Devices that work as both personal-use and corporate-use devices also become test cases for privacy issues. Frank Sickinger, vice president of business sales for T-Mobile, sums it up this way: “Whether you are looking at BYOD from the perspective of the enterprise or from the device manufacturer, one of the primary challenges is addressing and balancing security of corporate information and privacy of the employee.”
Many Paths to Security

The ways that device makers and third-party mobile device management (MDM) software vendors have approached the implementation of enterprise security on phones and tablets are as diverse as the devices themselves. It’s a reflection of both the complexity of the problem and the various clever ways it’s being solved. The first approach is the “container,” or “sandbox,” approach. In this model, “nothing can get in or out without express permission from the group policy [governing the device],” says Fiering. This covers every kind of input and output: “If you want to hook up a projector to show your PowerPoint slides, there has to be express permission to show video out.” “Sandboxing on mobile devices is kind of ugly,” says Fiering—meaning it can be jarring for the user who suddenly needs permission to work with her own device—“but it works well enough to get the job done, and over time as we get more competition [between types of app sandboxing] we’ll see that area improve.” Another approach is to turn the whole device into a sandbox via virtualization—using virtual-machine technology to compartmentalize the device into personal and work “facets.” Each facet runs in its own virtual machine on a hypervisor (also called a virtual machine manager); neither facet can exchange information with the other. This makes policing a personal device less problematic: The work facet can be managed (or erased) independently from the personal facet. Powerful as this approach is, it’s still limited. Because of its hardware requirements, it works well only on the most recent generation of mobile devices. “There haven’t been mass rollouts of that technology yet—it’s very new, it hasn’t been broadly available,” says Stacy K. Crook, senior research analyst, mobile enterprise at IDC. She also questions whether the user experience on such a device will be satisfactory, given the need to flip back and forth between facets. And there’s another problem. “It’s only available for Android devices right now,” Crook says, “and from an IT perspective: Do I want to have a different solution on my Android devices than on my other devices?”

A third approach, according to Crook, is “app-wrapping.” “This is applying a policy to specific applications,” she explains, “but you’re not sticking them in a sandbox. Instead, you have the ability on the server side to put policies around apps that govern how it can interact with other applications. This allows you to revoke access to that app on demand, or declare that a given app cannot interact with other apps, or can only interact with a given app.” The exact approach varies depending on the vendor, she says.

The Walled Garden

Any talk of device makers would be incomplete without mentioning Apple. Its approach to security has been the “walled garden”—a sealed environment that accepts only Apple-approved software and where users never root their devices. This goes a long way toward explaining Apple’s appeal to CIOs: It’s not because of the breadth of device-management options on board, but because Apple hardware meets what Girard calls “the predictability test.” “IT departments want devices that are predictable,” he asserts, and the Apple ecosystem encourages this. “Most Apple users don’t jailbreak their devices and keep up to date on their OS, because there are good reasons to do so. First, you get the updates directly through Apple. Second, it isn’t hard. Third, if you want the latest features [both for security and functionality], you have to be on the latest OS.” On the other hand, Android, despite its success with handset and tablet makers (and users), is seen as being tougher to secure because of its patchwork nature. Girard explains it this way: “When you buy an Android device, you’re really buying a device manufacturer’s version of Android. The devices that display the Google logo went through Google’s compatibility test, but even then there’s no guarantee that everything is implemented consistently. Official Google compatibility does not guarantee that the device has encryption.” In the same way, he says, while Google provides an Exchange client for Android, the device maker has to pay the licensing fee to Microsoft for it and implement it manually on the client. Also, he asserts, the rooting of Android phones creates a security hole all by itself. A rooted device is one that by definition has had its most crucial protection against attack stripped away—the one that prevents the user from casually running apps as administrator, rather than as an unprivileged (and therefore protected) user.

Time to Ditch Security’s Stateful Model?

The IT security model that has admins tending mobile devices such as laptops and smartphones using fixed security firewall and gateway infrastructure is obsolete and should be replaced by a new ‘stateless’ approach, a Forrester report has suggested. According to Prepare For Anywhere, Anytime, AnyDevice Engagement With A Stateless Mobile Architecture, the stateful model made sense when computers sat in defined locations and could be managed using conventional network infrastructure, but mobility has changed the game. This ‘stateful’ approach is management-heavy, expensive and inconvenient, propped up by quick fixes such as inefficient mobile VPNs, the report said. Worse, a growing band of devices—the BYOD dimension—were sneaking past management altogether, creating holes in the security posture of organizations. In Forrester’s use of the term, ‘stateless’ means not making any assumptions about the device based on its type, location, or apparent privileges to demand services and application access; these parameters should always be assessed anew each time the device is connected, said Forrester. In a sense, then, management is abolished, to be replaced by device inspection based on dynamic device inspection and ‘zero trust’. Where such assessment happened was also worth looking at, with cloud security services such as single sign-on (SSO) a good option, as these approach authentication in a stateless manner that makes no assumptions about such trust. If this sounds abstract, the premise of the analysis is essentially plausible; security architectures must take account of mobility because eventually almost all business devices will to some extent be mobile. “Mobility holds the promise of fostering new innovations, reaching new audiences, and most importantly, creating never-before-seen user experiences and business opportunities,” said report author Chenxi Wang. “A stateless architecture will engender big changes in IT operations and expectations of control, but the end result will be a coherent strategy that allows IT to provision services to any device dynamically.” The reality is that for today’s networks and admins the attractive vision of abandoning device management for a more dynamic security model is still some way off—networks encompass generations of legacy systems, so ditching the stateful model is a long-term issue. —By John E. Dunn
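The network access control that Fiering describes (check the user’s credentials, then interrogate the device: “Are you a trusted device?”) and the per-connection, assumption-free assessment in the Forrester sidebar come down to the same policy routine, and the MDM-style blocking of apps such as Dropbox and True Caller discussed earlier is just one of its posture checks. The following is an added Python example, not code from this article or from any vendor or analyst firm named in it. The blocked package names, OS baselines, user store and access tiers are all constructed for illustration; the “browser-only” tier stands in for the no-persistent-storage fallback the article describes for unprivileged devices, and the decision is recomputed from scratch on every call, so nothing carries over from an earlier session.

```python
"""Stateless, per-connection device trust evaluation (constructed example).

Every call to evaluate() re-checks the user's credential and the device's
reported posture; no trust is inferred from device type, location or a
previous session. Posture fields are what an MDM agent or NAC probe would
report. All policy values below are hypothetical.
"""
from dataclasses import dataclass, field
import hashlib
import hmac

# Hypothetical app identifiers for the two apps the article singles out.
BLOCKED_APPS = {"com.dropbox.android", "com.truecaller"}

# Hypothetical minimum OS versions per platform (major, minor).
MIN_OS = {"android": (4, 1), "ios": (5, 1), "blackberry": (7, 0)}

# Constructed user store: username -> SHA-256 of a shared secret.
# (A real deployment would use a proper password hash or a directory.)
USERS = {"asha": hashlib.sha256(b"correct-horse").hexdigest()}


@dataclass
class DevicePosture:
    """Attributes reported by the device at connection time."""
    platform: str
    os_version: tuple          # e.g. (4, 1)
    encrypted: bool            # storage encryption enabled
    rooted: bool               # rooted / jailbroken
    installed_apps: set = field(default_factory=set)
    managed: bool = False      # enrolled in MDM


def check_credentials(user: str, secret: str) -> bool:
    """Constant-time comparison against the stored hash; unknown user fails."""
    expected = USERS.get(user)
    if expected is None:
        return False
    presented = hashlib.sha256(secret.encode()).hexdigest()
    return hmac.compare_digest(expected, presented)


def evaluate(user: str, secret: str, posture: DevicePosture):
    """Return (tier, reasons).

    tier is one of:
      'deny'         - no access at all
      'browser-only' - web access only, no offline/local data
      'full'         - trusted device, may hold enterprise data offline
    reasons lists every finding so the decision can be logged and audited.
    """
    # Step 1: the user's credential, checked afresh on every connection.
    if not check_credentials(user, secret):
        return "deny", ["credentials rejected"]

    # Step 2: interrogate the device. A rooted device has lost its core
    # protection, so it is refused outright regardless of other findings.
    if posture.rooted:
        return "deny", ["device is rooted/jailbroken"]

    reasons = []
    blocked = posture.installed_apps & BLOCKED_APPS
    if blocked:
        reasons.append("blocked apps present: " + ", ".join(sorted(blocked)))
    if not posture.encrypted:
        reasons.append("storage not encrypted")
    baseline = MIN_OS.get(posture.platform)
    if baseline is None:
        reasons.append("unknown platform: " + posture.platform)
    elif posture.os_version < baseline:
        reasons.append("OS below baseline")
    if not posture.managed:
        reasons.append("not MDM-enrolled")

    # Any finding demotes the device to the leak-proof, browser-only path.
    if reasons:
        return "browser-only", reasons
    return "full", ["all posture checks passed"]


if __name__ == "__main__":
    # Constructed sample connections.
    trusted = DevicePosture("android", (4, 1), True, False, {"com.example.mail"}, True)
    unmanaged = DevicePosture("android", (4, 0), False, False, {"com.dropbox.android"})
    for label, posture in (("trusted", trusted), ("unmanaged", unmanaged)):
        tier, why = evaluate("asha", "correct-horse", posture)
        print(f"{label:10s} -> {tier}: {'; '.join(why)}")
```

Because the posture is re-evaluated on every connection, a stolen credential presented from an unenrolled, unencrypted device still earns only browser-only access, which is the exposure Karunakaran raises about web access earlier in the article; the reasons list is what a defender would forward to logging so that demotions and denials can be reviewed.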
The Way Forward

The explosion of personal devices in the corporate world has created a strange new world for everyone, especially device makers. As Crook says, device makers now “have to be both more consumer-oriented and build relationships with the enterprise.” She remains optimistic, though: “I think it’s taking a bit of time, but I do see them out there trying.” Whether the race will end with variants on Apple’s walled-garden approach or more granular and flexible systems is still up in the air. But no one questions that there’s a need for both IT-pleasing and user-pleasing ways to secure the gadgets we’re all growing very used to bringing to work with us. CIO
Send feedback on this feature to editor@cio.in
CUSTOM SOLUTIONS GROUP NELCO
ADVERTORIAL

KEEPING A WATCH ON ENTERPRISE SECURITY

Monitoring IT systems and non-IT electronic devices is a Herculean task for CIOs. But Nelco’s managed services could lend a hand in making enterprise infrastructure monitoring easier to handle.
Today, the need to monitor the deployment of critical assets in an organization, and ensure that they are secured, is an imperative. With the pressure to innovate and keep the lights on at the same time, IT departments find it hard to make security a priority. While hundreds of devices in an organization can be monitored or managed remotely, because of dynamic business needs, shrinking IT teams, and rapid technology and application changes, CIOs aren’t able to dedicate enough time and attention to such security needs. So, managing non-IT but critical devices shifts to the back-burner. And this exposes organizations to a plethora of security threats. To strengthen security, and shield organizations from these threats, Nelco offers systems integration expertise and managed services to both corporate houses and public sector companies. Nelco’s managed services provide organizations with access to leading network technologies, managed integrated security and surveillance tools, and management expertise to deliver the reliability, availability, and efficiency that any effective infrastructure requires. It also offers organizations the ability to monitor and manage critical assets like IT systems and non-IT electronic devices. In any organization, IT systems include datacenter equipment, servers, and core networking gear. Non-IT devices include:

Security and Surveillance: Systems like video surveillance cameras, recorders, motion detectors, baggage and vehicle scanners, fire/smoke/explosive detectors, access systems, entry barriers, and electronic fencing.
Energy Management: Diesel generators, power transformers, electronic distribution units, wind turbines, solar power equipment.
Environment Control: Devices like lighting, pressure, temperature, humidity controllers.

Tracking the deployment of these assets is a Herculean task. Imagine installing over 100 cameras and intrusion sensors across a large manufacturing campus, and deploying guards to monitor them centrally as well as for physical checks. Take the example of brown label ATM service providers (where the hardware and the lease of the ATM machine are owned by a service provider, but cash management and connectivity to banking networks are provided by a sponsor bank whose brand is used on the ATM) who manage thousands of ATMs, attempting to switch ACs to warmer settings in the off-peak hours to save on utility bills. Or a bank that wants to monitor access to locker rooms beyond banking hours, and wants to click a picture and e-mail it to its security team for compliance needs. In all these scenarios, dedicated solutions are required to centrally monitor and alert respective stakeholders of any threats, both for compliance and prevention needs. Here’s where Nelco can help. Over the past few decades, Nelco has integrated large projects in security and surveillance for the defence sector and PSUs. The company now brings this expertise to the private enterprise space. In addition to system integration, Nelco also provides a host of remote infrastructure management services. Nelco offers its managed services from its 24x7x365 Network Operations Center in Navi Mumbai.

“Almost all organizations that are investing in electronic assets are concerned about tracking the effectiveness of these assets. They need solutions to ensure that these assets are tracked and monitored, and put to use when the need arises.”
P.J. NATH, ED & CEO, NELCO

Benefits of Monitoring Critical Infrastructure:
Operational efficiency
Incident management
Benchmark metrics and SLA adherence
Reduced employee cost
Reduced downtime
This feature is brought to you by IDG Custom Solutions Group in association with
Mobility
SECURITY SPECIAL
It’s hard to pin down security in a BYOD program. Here’s how enterprise IT is targeting personal devices and maximizing the ROI potential of the BYOD movement.
AUGUST 15, 2012 | REAL CIO WORLD
VOL/7 | ISSUE/10
By Tom Kaneshige
Reader ROI: How to secure personal-enterprise devices. The cost implications of BYOD.
A few months ago, a Hungarian man got hold of a business executive’s personal mobile device containing corporate customer data. The man called up the company asking for $50,000 (Rs 27.5 lakh) to not expose the information. What did the company do? It called Websense, an enterprise security company. “We were so impressed, we offered him a nice paying job,” says CSO Jason Clark at Websense. But that job offer was a ruse to catch a thief. “Then we helped track down the guy, and he got arrested.” Clark related this story during a broader discussion about security risks and costs related to the latest wave crashing on the enterprise: Bring-your-own-device, or BYOD, whereby employees want personally-owned tech gadgets hooking up to the corporate network and trafficking in confidential data. Companies with BYOD policies see some upsides. For starters, BYOD makes employees happy because they can now use technology of their choosing, blending personal and work lives in a single device—and happy employees are productive employees. BYOD also takes companies out of the hardware purchasing game, or at least offsets it, because employees now use their hard-earned money to pay for work-related computers and mobile devices. The downside is the risk of receiving a call from a Hungarian man trying to extort $50,000. There are other issues, too, such as management headaches and hidden costs to support BYOD employees. In other words, BYOD is not a free lunch.
BYOD Invasion
Without question, BYOD is spreading quickly in the enterprise. Mozy, an online backup service provider, and Compass Partners conducted a survey that found a growing number of professionals working remotely and relying on personal devices. Cisco Systems has seen its BYOD program grow 52 percent in 12 months, with employees collectively carrying 8,144 iPads and 20,581 iPhones. Nevertheless, Cisco is a behemoth company that lives on the bleeding edge of technology; most companies are in the early throes of BYOD, which usually begins life in the enterprise as part of a larger mobile strategy. Giant pharmaceutical company AmerisourceBergen, for instance, recently kicked off its BYOD program for employees in its corporate and drug business units. “It’s really a combination of technology and policy,” says John DeMartino, vice president of IT infrastructure and technology at AmerisourceBergen. For CIOs, BYOD can be a nightmare. Avanade, a business technology services firm, which surveyed more than 600 IT decision makers late last year, discovered something rather alarming: More than half of companies reported experiencing a security breach as a result of consumer gadgets. Truth is, BYOD puts control into the hands of employees who don’t really care about security until it’s too late. The Mozy survey found that 78 percent of lawyers, for instance, were either not at all concerned or only somewhat concerned about the security of their company or client data they carry on their devices. It’s important to note that BYOD is often used synonymously with “consumerization of IT” and even mobility. But BYOD differs because of its “personal use” nature. That is, employees own the devices and thus feel empowered to download and visit whatever apps and Websites they choose.
BYOD makes employees happy—and happy employees are productive employees. But BYOD puts control into the hands of employees who don’t really care about security until it’s too late.
That said, many organizations are gearing up to increase security on personal devices in the enterprise. Consider Bank of the Ozarks, a 100-year-old community bank headquartered in Little Rock, Arkansas, which is working to shore up security on the iPad before following through on a BYOD program. Along these lines, Virginia Commerce Bank is using a system to make sure remote access for BYOD employees is secure. Some 60 Virginia Commerce Bank employees remotely access the network, with the heaviest users being sales people on their own mobile devices and laptops. By allowing BYOD, Virginia Commerce Bank is partially getting out of the hardware procurement business. “Instead of providing staff with laptops to work outside the office, they’ll use trusted access with their own personal computers to use the bank’s public and private cloud apps,” says Sharon Moynihan, senior vice president of IT and project management at Virginia Commerce Bank. Moynihan credits the cloud component of the system for delivering cost savings. But cost savings can be tricky, another moving target in the BYOD space. For instance, if a CIO chooses to deploy a virtual desktop infrastructure (VDI) model to deliver apps and data securely on BYOD computers, then he is really just shuffling costs. Instead of spending money on endpoint hardware, the CIO is buying servers and network upgrades and hiring staff to maintain and monitor VDI. One often overlooked cost is in the area of help desks. While BYOD employees are usually on their own to fix their broken devices, a CIO will need to provide some level of support. A CIO simply cannot expect executives to run to Apple or Samsung whenever their phone is malfunctioning, especially when there’s a mission-critical task on the BYOD device that needs to get done. AmerisourceBergen doesn’t let all employees into the BYOD program, mainly because there is a cost associated with every device. “It’s a nominal cost but still a cost,” DeMartino says. “If you’re looking for a hardware return on investment, you’ll be really hard pressed to see that benefit. It’s more of the intangible, [such as] having end users feel that they can drive their own destiny.”
Send feedback on this feature to editor@cio.in
The Logical Choice for Security
Convenience meets Security at the desktop. Whether your organization needs a contact smart card for secure log-in, digital signature or secure remote access, or you require the most convenient two-factor authentication solution, HID Global’s OMNIKEY® contact and contactless smart card readers provide a fast and reliable solution. Compliant with industry standards, OMNIKEY contact and contactless readers are compatible with virtually any smart card, any operating system and a variety of applications. Available in numerous form factors, OMNIKEY readers offer a risk-appropriate choice for any organization. For information on HID Global’s innovative line of smart card readers, visit hidglobal.com/smartcard/CIO
Bombarded: The Cloud Under Attack
A multitude of gaping holes in the cloud are making it easier for hackers and cyber criminals to launch their missiles. And a lack of security awareness is providing fodder to enemy cavalry.
By Jeff Vance
Reader ROI: Why the cloud is vulnerable. How to fix security issues in the cloud. What to ask your cloud provider.
Despite all of the hand-wringing over cloud security, major cloud security breaches haven’t been grabbing headlines. The last year has seen major breaches, such as the ones that hit Sony and Epsilon, but we haven’t heard much emphasis on the cloud being a weakness. Part of this, of course, could be a simple matter of semantics. Some have emphasized Epsilon’s role as a provider of e-mail marketing services—in other words, it’s a SaaS company—but the breach was a traditional spear-phishing attack used to gain access to e-mail servers, not, say, an assault on hypervisor vulnerabilities.
Cloud Computing
Cloud providers, such as Dropbox and Google, have had their issues, but the major cloud-related problems have involved outages, not data being breached. As more enterprise resources move to the cloud, it’s inevitable that we will start hearing more about cloud incidents. Minor breaches have already hit GoGrid and the Microsoft Business Productivity Online Suite, but we’ve yet to see anything on the scale of TJX, the VA, RSA or any number of other on-premise breaches. That doesn’t mean that cloud-invested businesses can breathe easy. “Attacks that work now work so well that you don’t have to come up with a new, complex attack methodology,” says Chris Eng, vice president of research for Veracode, a provider of cloud-based application security testing services. “Cyber-criminals aren’t going to spend a lot of time to come up with a new zero-day attack if they can just use the same old SQL injection attacks that have worked for years.”
Cloud is a Resource, Not a Target
One troubling trend uncovered in the Sony breach is that hackers view the cloud not necessarily as a target, but as a resource. Hackers used stolen credit cards to rent Amazon EC2 servers and launch the crippling attack on Sony. “Everything the cloud offers to legitimate businesses it offers to criminals as well,” says Scott Roberts, senior intelligence specialist at Vigilant, a security monitoring company. “It’s becoming common for cyber-criminals to rent cloud infrastructure to set up spambots or to build out a malware command and control infrastructure. At $50 (Rs 2,750) or $60 (Rs 3,300) a month, attackers can take advantage of resources that a few years ago would be too difficult and too expensive to build on their own.” Add cheap infrastructure to low-cost, automated malware kits, botnets that can be rented for a single attack, and the ability to outsource such things as the decoding of CAPTCHAs for spammers, and you have a toxic arsenal that can make even simpleton hackers highly dangerous. Yet, even if hackers don’t specifically target the cloud right now, most experts believe that they will start to soon, if for no other reason than the fact that more and more resources are being moved to the cloud. “The cloud is already a tempting target,” says Eng. “Data is centralized and you can target one provider to attack multiple companies.” When asked why he robbed banks, Willie Sutton—a notorious American bank robber—once supposedly said (although he later disavowed this quote), “Because that’s where the money is.” Today, the most important corporate assets still reside behind the firewall. Tomorrow? The “money” may well be in the cloud.
FAQ Your Cloud Vendor
When it’s time to evaluate cloud service providers, be sure to ask these 10 security questions:
1. Were your services developed using a secure development lifecycle?
2. Can you prove it and provide, say, penetration testing overviews?
3. What data protection policies do you have in place?
4. What are your data privacy policies?
5. How do you enforce those various policies?
6. Is security covered in your SLAs? If not, why not?
7. How do you back up and recover data?
8. How do you encrypt data, both in motion and at rest?
9. How do you segregate my data from others?
10. What kind of visibility will I have into your logs?
The Weak Links
One advantage of the cloud is that for the major providers it is in their interest to secure their environments. If Amazon or Google is responsible for the next Heartland-scale data breach, their business will suffer. Major providers know this, and are taking steps to prevent it. “Networks long ago ceased to be isolated physical islands. As companies found the need to connect to other companies, and then the Internet, their networks became connected with public infrastructure,” says Amazon Web Services spokeswoman Rena Lunak. To mitigate the risks, many organizations took steps to isolate their traffic, such as using MPLS links and encryption. “Amazon’s approach to networking in its cloud is the same: We maintain packet-level isolation of network traffic and support industry-standard encryption,” she says.
53% of Indian CIOs say security is the top concern surrounding cloud adoption.
“Because Amazon Web Services’ Virtual Private Cloud allows a customer to establish their own IP address space, customers can use the same tools and software infrastructure they’re already familiar with to monitor and control their cloud networks.” That’s all well and good, but common mistakes, such as weak authentication methods, can undo all of the work providers did. “One problem with moving to the cloud is that you have to manage your resources remotely,” says Carson Sweet, CEO of CloudPassage, a cloud security provider. “Many, many companies leave management ports open to the world. Fraudsters are waking up to this.”
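To make Sweet’s point about management ports left open to the world concrete, here is an added audit script (example code, not from the article or from CloudPassage) that flags firewall or security-group rules exposing common administrative ports to any source address and produces the tightened rule. The rule structure, the port list and the sample rules are constructed assumptions.

```python
"""Audit firewall / security-group rules for management ports open to the world.

Added example, not code from the article or from CloudPassage. The Rule
format, the management-port list and SAMPLE_RULES are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Administrative services that should never be reachable from arbitrary addresses.
MANAGEMENT_PORTS = {
    22: "ssh",
    23: "telnet",
    3389: "rdp",
    5900: "vnc",
    5985: "winrm-http",
    5986: "winrm-https",
}


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str       # "tcp" or "udp"
    port_from: int   # inclusive port range
    port_to: int
    cidr: str        # source range allowed to connect


def is_world(cidr: str) -> bool:
    """True when the source range is effectively 'anyone' (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_management_ports(rules):
    """Return (rule_name, port, service) for each management port open to the world.

    A broad 'allow all TCP' rule is reported once per management port it covers,
    which is what makes such rules show up as the worst offenders.
    """
    findings = []
    for r in rules:
        if r.proto != "tcp" or not is_world(r.cidr):
            continue
        for port, service in MANAGEMENT_PORTS.items():
            if r.port_from <= port <= r.port_to:
                findings.append((r.name, port, service))
    return findings


def restrict_to_admin(rule: Rule, admin_cidr: str) -> Rule:
    """Corrected form of an exposed rule: same ports, source limited to admin_cidr."""
    if is_world(admin_cidr):
        raise ValueError("admin network must not be a catch-all range")
    ipaddress.ip_network(admin_cidr)  # raises ValueError on a malformed CIDR
    return Rule(rule.name, rule.proto, rule.port_from, rule.port_to, admin_cidr)


# Constructed sample: the typical "open it up for convenience" rule set.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real networks.
SAMPLE_RULES = [
    Rule("web", "tcp", 80, 80, "0.0.0.0/0"),
    Rule("web-tls", "tcp", 443, 443, "0.0.0.0/0"),
    Rule("ssh-anywhere", "tcp", 22, 22, "0.0.0.0/0"),    # weak
    Rule("rdp-v6", "tcp", 3389, 3389, "::/0"),            # weak: IPv6 'anywhere'
    Rule("all-tcp", "tcp", 0, 65535, "0.0.0.0/0"),        # weak: every port
    Rule("ssh-office", "tcp", 22, 22, "203.0.113.0/24"),  # already restricted
]

if __name__ == "__main__":
    for name, port, service in exposed_management_ports(SAMPLE_RULES):
        print(f"{name}: {service} (tcp/{port}) is open to the world")
    fixed = restrict_to_admin(SAMPLE_RULES[2], "198.51.100.0/24")
    print(f"corrected rule: {fixed}")
```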
Cloud Infections on the Network
The big worry, Sweet says, is that poor security practices in the cloud could lead to infections back in the on-premise network.
Many companies, wary of cloud threats, simply will not move the most sensitive data into the cloud. While 82 percent of companies surveyed by CompTIA believe in cloud providers’ capability to deliver a secure environment, 58 percent will not put confidential corporate financial information in the cloud. 56 percent keep credit card data out of the cloud, and nearly half refuse to put sensitive intellectual property, trade secrets or HR records in the cloud. The logic is clear: Keep sensitive data behind the corporate firewall where it is more secure. Unfortunately, that logic has a fatal flaw. Sweet says a client CloudPassage worked with (who prefers to remain anonymous) had development servers in the cloud. A hacker placed a rootkit onto one of the virtual servers. When the developers noticed something was off with their servers, they brought them back behind the corporate firewall to re-image them. Unfortunately, they brought the rootkit in with them, infecting their entire network. “Virtual machines can serve as Trojan horses if you’re not careful,” says Sweet.
Secure Those API Keys
The most common cloud worry that security professionals have, one repeated over and over again, is about API keys. Most organizations use API keys to access their cloud services, and they represent the keys to the kingdom. “API keys are a huge issue,” says Sweet. “If I know where to look on the server for your API keys, and I manage to get them, I own your cloud deployment.” API keys must be protected. It’s not uncommon for IT administrators to do such risky things as e-mail them to one another or store them in a configuration file that’s not terribly difficult to uncover. API keys must be protected, kept in a secure, encrypted location, inventoried regularly and must only be given out to those who have a valid reason to access them. Alternatively, cloud brokers can handle API keys for you, but just be aware that you are outsourcing a critical piece of your cloud security to a third party.
Jeff Vance is a Los Angeles-based freelance writer who writes on next-gen technology trends. Send feedback on this feature to editor@cio.in.
Your End of the Deal
The main focus of a cloud computing contract is on vendor responsibilities, but it’s appropriate to consider what the client remains responsible for, says Thomas Trappler, a recognized expert on cloud risk mitigation and vendor management.
When I was a guest on CIO Talk Radio recently, a question came up about which client responsibilities are appropriate to include in a cloud computing contract. It’s a good question, and one that I haven’t really talked about. So what are some client responsibilities that are reasonably addressed in a cloud computing contract? While they vary depending upon type of cloud service and use case, the most common examples involve client IT governance, including the following:
Client Access
When choosing a cloud provider, it’s important to follow best practices in determining that the vendor’s security practices align with your needs. But that’s only one side of the security coin. As with most things in IT, access to a cloud service typically requires a login ID and password. When a client enterprise acquires a cloud service, it should be the client’s responsibility to figure out which end user should be given access. But to thoroughly address this responsibility, the client should define when access should be taken away from the user--for example, upon separation from employment or upon a change in duties or responsibilities.
Password Security
Responsibility for the security of each individual login ID and password lies with the client’s end users. The recent alleged hack of Mitt Romney’s e-mail and Dropbox passwords, in which the hacker was able to easily answer ‘secret’ security challenges and gain access, illustrates the risks. Even though there are many commonly available best practices in password security and widely publicized examples of these hacks (Sarah Palin was also hacked a few years ago), human nature tends to make it difficult to maintain focus on these efforts, so diligence is necessary. This isn’t to say that cloud vendors don’t retain some responsibilities related to password security. Because the cloud is a new market, vendors focused on growth can neglect security basics.
Data
In an initial evaluation of a cloud service, you try to project the use case. You think about the business criticality of the function being moved to the cloud and the type of data that would be processed or stored by the cloud service. Ideally, though, once the cloud is operational, it takes off with your end users who begin to think of all kinds of ways to use the service. There’s a good chance that these new uses involve new categories of data that may be subject to other regulations and/or security requirements. If so, they may not align with your initial risk assessment of the cloud vendor’s infrastructure and security. To protect against this, the client’s IT governance processes should include end-user training regarding the appropriate use of the cloud service, as well as how to formally communicate approved changes as use cases evolve.
In an initial evaluation of a cloud service, you try to project use cases, but once it’s operational, end users use it in all kinds of ways. You need to train staffers regarding the appropriate use of cloud services.
Shared Responsibilities
The service model (infrastructure-as-a-service, platform-as-a-service, software-as-a-service) of the cloud service that you adopt will also have an impact on your responsibilities. With IaaS, for example, the client tends to have more responsibilities, because the vendor typically provides only the raw, underlying computing infrastructure. Under the IaaS model, the client is expected to assume responsibility for selection and management of everything that runs on top of that raw infrastructure, including the operating system and associated updates and patches, applications software, and some security configuration such as firewalls. In some cases, such as with Amazon Web Services, the client may also have the ability, and associated responsibility, to select the geographic location of the vendor datacenter storing or processing the client’s data.
As I said, these are just some of the areas that the client can appropriately take responsibility for in a cloud computing contract. Understanding which client responsibilities are appropriate to include in the contract, as well as how the client can most effectively fulfill those responsibilities, remains an important element in the effective adoption of a cloud computing service. —By Thomas Trappler
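As an added example (not the article’s or CloudPassage’s code) of the API-key hygiene discussed under “Secure Those API Keys”, the following scanner finds cloud API keys sitting in plain-text configuration files and records each one by a fingerprint, so keys can be inventoried and traced to every file they were copied into without the secret itself ever being printed. The sample files are constructed, the key values are the placeholders from AWS’s own documentation, and the patterns assume AWS-style keys plus a generic api_key assignment.

```python
"""Find cloud API keys left in plain-text configuration files and build a
fingerprint inventory that never exposes the secret itself.

Added example, not code from the article or from CloudPassage. SAMPLE_FILES
is constructed; the AWS key values are the public placeholders from AWS's
documentation (AKIAIOSFODNN7EXAMPLE and wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY),
not live credentials.
"""
import hashlib
import re

# Patterns for secrets that commonly end up in config files, .env files and scripts.
PATTERNS = {
    # AWS access key ID: 'AKIA' followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # AWS secret key: a 40-character base64-style value on the right of an assignment.
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
    ),
    # Generic 'api_key = ...' assignment with a long opaque value.
    "generic_api_key": re.compile(
        r"(?i)\bapi[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{20,})['\"]?"
    ),
}


def fingerprint(secret: str) -> str:
    """Short SHA-256 prefix that identifies a key in an inventory without exposing it."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def scan_text(path: str, text: str):
    """Return one finding per secret-looking value: (path, line_no, kind, fingerprint)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#") or stripped.startswith(";"):
            continue  # commented-out credentials are skipped to keep the report focused
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((path, line_no, kind, fingerprint(match.group(1))))
    return findings


def scan_files(files):
    """Scan a {path: text} mapping; a real run would walk a repository or server tree."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def inventory(findings):
    """Collapse findings into {fingerprint: sorted 'path:line' list}, so one key copied
    into several files shows up as a single key with many locations to clean up."""
    inv = {}
    for path, line_no, _kind, fp in findings:
        inv.setdefault(fp, []).append(f"{path}:{line_no}")
    return {fp: sorted(locations) for fp, locations in inv.items()}


# Constructed sample files: the same AWS key pasted into an INI file and a shell
# script (once commented out), plus a generic API key in a YAML config.
SAMPLE_FILES = {
    "deploy/settings.ini": (
        "[aws]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "region = us-east-1\n"
    ),
    "scripts/backup.sh": (
        "#!/bin/sh\n"
        "# export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "aws s3 sync /var/backups s3://example-bucket\n"
    ),
    "app/config.yml": (
        "database: postgres://app@db/app\n"
        "api_key: \"constructed-placeholder-api-key-value-0001\"\n"
    ),
}

if __name__ == "__main__":
    for fp, locations in inventory(scan_files(SAMPLE_FILES)).items():
        print(f"key {fp}: {len(locations)} location(s): {', '.join(locations)}")
```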
Applications
DEFENSIVE LINES
Securing your applications has never been more important, and there are lots of ways to do just that—as long as you don’t mind using layered defenses.
By Michael Fitzgerald
Reader ROI: The need for application security to catch up with the times. Why convincing management that the security vs time-to-market trade-off is worth it. How there is no short-cut to application security.
What do application security programs and onions have in common? Layers, says Ken Pfeil, global security officer at Pioneer Asset Management. Securing corporate applications is a top priority for most security executives. Application vulnerability was the most feared threat for 73 percent of respondents of a 2011 study by (ISC)2, topping mobile devices, viruses and worms, and internal employees. But while some companies might try to secure applications by investing in a tool—such as penetration testing or Web application firewalls—a robust application security program should take a multi-layered approach that addresses the operating system, the network layer and the development of the code itself. Pfeil, for instance, aims his application security efforts at a variety of targets, from business executives to developers. His program includes developing business-risk-analysis reports, scheduling training sessions with development leads to gain their buy-in (and hopefully turn them into security advocates), and running a “How to Hack Web Apps” class twice a year. These classes, he says, encourage developers to build security techniques into their code from the start. Ultimately, Pfeil says, his team uses 47 application security checks, from basics such as cross-site scripting to less-obvious measures that he says are proprietary and can’t be shared.
No Silver Bullet
Such a nuanced approach is necessary to address today’s continuously changing threat landscape and complex application environments, including mobile apps, Web 2.0, custom code, commercial software, and outsourced applications. With every code update, a new risk can be created, and interactions between apps can cause security problems. This complexity explains why application security requires a disciplined effort that involves time, money and people. Relying on tools alone—such as penetration tests that simulate attacks on networks and applications—is a bit like playing whack-a-mole, according to Andy Ellis, CSO at Akamai Technologies. “They only show you how bad your code is,” he says. Finding the problem doesn’t solve the problem, and penetration tests also don’t reveal all your code gaps. At Akamai, for instance, after a defect was revealed through penetration testing, “we had a security researcher look in the [code] library, and lo and behold, we had 20 other defects,” Ellis says. Jennifer Bayuk, a security consultant and program director of the Systems Security Engineering program at the Stevens Institute of Technology, is similarly skeptical of ‘bolt-ons’ that sit on the application and check how secure it is, such as Web application firewalls. “You use a Web application firewall because your code is buggy and you know it,” she says.
Due for a Change
The Ponemon Institute’s 2011 State of Web Application Security Survey suggests companies barely have a handle on their applications, never mind on their application security. A quarter of respondents could not estimate the number of apps their firm had, and a fifth did not test app security at all. At those firms that did test, 40 percent tested only 5 percent of their apps, and two-thirds tested less than 25 percent of their apps. In addition, the (ISC)2 study found that expenditure on app vulnerability management was just under 11 percent of network infrastructure spend. And despite the concern about application security, that number is actually projected to fall to about 10 percent by 2015. Rob Ayoub, author of the (ISC)2 report, notes that over the last five years, three changes have occurred in security vulnerabilities: Operating system vulnerabilities dropped while application vulnerabilities rose, specialized systems became bigger targets, and remote exploitation of critical vulnerabilities increased. Despite these changes, “many organizations continue to address security the same way they have for years,” writes Ayoub, who was program manager at Frost and Sullivan at the time of the study. “It is imperative for CXOs to balance their existing budgets and security postures with the latest trends.”
Getting to the Code
While IT leaders can certainly make smart product purchases to improve app security, it would be better to spend more effort on developing better software and testing. Companies should also consider building code inventories, she says, so they know which code corresponds to which business process. The rise of the Web has made coding standards more important, in part because browsers are more forgiving of code errors, Bayuk says. If each developer can independently determine what a backslash represents, it could result in a code base in which a single command takes on multiple meanings. If a vulnerability is due to that, it will be difficult to tell which instance of that command is at fault. Companies may be more secure if they write their own applications, assuming they have the resources to do so, Bayuk says. At Bear Stearns, where she was CISO until 2008, one group wrote its own Web server. “[It] never had a finding in our penetration studies,” she says, and it was faster than off-the-shelf offerings. That sort of specialized application will, as a rule, be harder to hack than commercial software. But it takes more expertise and time than buying off-the-shelf products.
The Time Trade-Off
Adding security to the beginning of the application development process, of course, will often slow down code development. As a result, CSOs may face push-back if they do their jobs, which makes it harder to increase vulnerability testing during development, Pfeil says. Projects have fixed costs and delivery dates, which can make business units reluctant to spend a few extra days testing for vulnerabilities. Many software teams build code first and then “retroactively ask security if they have a problem with it,” Pfeil says. Few companies set up a framework that builds security controls into their software development lifecycle, he says. Such push-back is the reason Pfeil and other forward-thinking CSOs do the extra politicking required to ensure buy-in from other executives. “As business security people, the problem is, we impact time-to-market and cost of goods sold,” says Roland Cloutier, vice president and CSO at ADP. As a result, he says, CSOs have to build the case that it’s worth it to build security testing into every step of the development process, because ultimately it will mean better code at the end, with less complexity and less re-engineering costs. Cloutier also advocates taking a multi-layered approach. “It’s time to start looking at the whole delivery architecture,” he says, from the back-end inventory database to the front end where a payment method is specified. “We have to test the application’s relationship with the rest of the system.” Of course, for large organizations with thousands of developers working on hundreds of products, looking at the entire application environment is no small effort. One practice that can make it easier is to integrate a scanning tool into the developer’s toolset. “Give them an option that says, ‘I would like my code scanned tonight.’ Then when they come in the morning, their code is tested.” Similar options are included in any number of toolkits from big and small vendors. “They all have great toolsets that integrate into developer environments,” says Cloutier.
Communication Is Key
Even more complexity is added when business departments hire or outsource development without IT involvement. In those cases, CSOs need to ensure that all developers understand basic security concepts such as encrypting credit card and personal information. This is often a matter of developing relationships with executives in all business departments to keep tabs on what’s being developed, says Parag Patel, CTO at AutoAnything. At the online automotive retailer, C-level execs regularly discuss new projects to ensure that, for instance, if marketing hires a firm to build a mobile website, Patel is aware of it and can ensure that the effort complies with security and management policies. In many ways, organizational understanding and awareness of application security is maturing, especially as application portfolios grow more complex, thanks to mobile apps and the Web. Akamai CTO Ellis notes that it’s a relatively new concern to build security into the application. SSL and SSH, he notes, did not exist when the Web was first created. As applications have become more complex and encrypted protocols have spread, “we do a lot more work to defend the application,” he says. Send feedback on this feature to editor@cio.in
Security Pros Under Friendly Fire
Application developers take on their security colleagues, disagreeing on how secure applications really are. A recent study by the Ponemon Institute of more than 800 IT executives found a striking disconnect between perceptions of security controls between developers and security professionals. Developers largely say apps run by their enterprise are not secure, while security professionals are much more optimistic about the security of their apps. Seven in 10 developers say security is not adequately addressed in their apps, but only half of security officers believe that. Almost 80 percent of developers said they have no process, or simply an ad hoc process, for building security controls into their apps. But, 64 percent of security personnel said they have no formal process for building security into their enterprise apps. Ponemon says the disconnect can be costly for businesses: Nearly 68 percent of developers say their apps have been compromised because of a security breach. “Gaps in perceptions between security practitioners and developers indicate why many organizations’ critical apps are at risk,” the study says. “A lack of collaboration between the security and development teams makes it difficult to make app security part of an enterprisewide strategy and to address serious threats.” Beyond a lack of collaboration between these two groups, the Ponemon Institute points to a lack of security training, noting that just over half of developers say they have no formal training in application security. Ponemon recommends that enterprises take a closer look at their app security guidelines.
— By Brandon Butler
CUSTOM SOLUTIONS GROUP PANASONIC
EXECUTIVE VIEWPOINT
THE TOUGH GET GOING
Businesses have begun to realize that processes, productivity, and customer experience can be dramatically improved by giving their workers access to IT in challenging—and rugged—environments.
Rugged computers are mostly used by field workers operating in ‘naturally tough’ environments. Will we see conventional office workers using rugged computers?
Definitely. Rugged computing was no doubt in vogue with industries that throve in extreme conditions. But gradually the demands grew in conventional domains. This became apparent first in the advanced countries and more recently in the manpower-intensive developing countries like China, India, and Russia among others. The Indian laptop market is in sync with the global market, and growing at a faster rate owing to the dynamics of businesses and work life of consumers. Panasonic’s Toughbook has expanded toward a wider audience in recent years—starting from the manufacturing industry to a variety of other verticals. Businesses have begun to realize that processes, productivity, and customer experience can be dramatically improved by giving their workers access to IT in challenging environments. We are now aiming to capture more than 50 percent market share in each target vertical in India.
Why is the rugged computer segment growing faster than other conventional computer segments today?
The answer to that in one word is mobility. For example, Japanese commuters in Bullet trains, or businessmen in flights want to work during their travel, irrespective of the location. That’s when a businessman needs a reliable mobile PC that has a long-lasting battery life, is light-weight and shock resistant. Mobile users need devices that promise them, to put it simply, tension-free usage. Enter the rugged computer systems. Currently, Panasonic offers two product categories for Toughbooks: Field mobile PC, and business mobile PC. The field mobile PC is designed for extrinsic environments and is rugged, while the latter is designed for businessmen. Naturally, business mobile PCs were designed mainly because we saw a rising demand for outdoor computing. Today, users want to be ‘forever connected’ no matter what.
Could you give us some examples of the kind of development that goes into making the Toughbook rugged?
Toughbook offers its users a combination of benefits through applications, great performance, easy remote access, and security, without compromising on battery life. It is the best buy for people—whose productivity is influenced by their surroundings—like workers at warehouses, engineers at construction sites, and technicians at car dealers. The device is water-resistant, and functions well even after falling from a height. We started with our first rugged mobile PC in 1996, and today, have a 60 percent market share globally. That’s largely because we listen to our customers. Customers have continued to show us the way to product innovation. Panasonic reiterates its commitment towards its customers by understanding and catering to their specific needs through technological innovation.
Technical support is critical for organizations that work under severe constraints. How does Panasonic’s tech support match up to the end-user expectation?
As a technologically innovative company, we continue to perceive market requirements, understand markets, and respond with products. We have shifted our focus from developed to developing nations. In order to stay relevant in a developing economy, and match up to competition in a new market, Panasonic needs a quality IT support infrastructure, and we have developed just that.
“Rugged reliability and low cost of ownership are just a few of the reasons why Toughbook wins over the world’s toughest users.”
SATOSHI MIZOBATA, Director, Panasonic Toughbook-Asia Pacific, Panasonic. Mizobata joined Panasonic in 1990 and has been in charge of the Toughbook since 1998. He currently heads Panasonic’s Asia Pacific region for the Toughbook business and is based out of Singapore.
This Interview is brought to you by IDG Custom Solutions Group in association with
Governance, risk and compliance can be a dauntingly complex undertaking. But for Fiserv, the alternative was even more complicated. By Bob Violino
AUGUST 15, 2012 | REAL CIO WORLD
Does governance, risk and compliance (GRC) really pay off? It’s a valid question for any organization that’s looking to formulate a corporate strategy and implement software for managing GRC. Leaders at financial services company Fiserv say the answer for their organization is an emphatic “yes,” citing a number of concrete benefits. Let’s dig into the details of their GRC business case.
Fiserv’s Environment
Reader ROI:
Why it’s important to base a GRC program on process—not software
The benefits of GRC implementation
Overcoming GRC hurdles
Fiserv was founded in 1984 and currently has about 19,000 employees operating out of some 200 locations worldwide. Fiserv is a global provider of information management and electronic commerce systems for the financial services industry, and offers integrated technology and services for clients. It provides technology solutions in five areas: Payments, processing services, risk and compliance, customer and channel management, and transforming data into actionable business insights. The company has more than 16,000 clients worldwide, including banks, credit unions, mortgage lenders and
leasing companies, brokerage and investment firms, and other businesses. Fiserv helps these clients address challenges such as attracting and retaining customers, preventing fraud and meeting regulatory requirements. In 2008, Fiserv decided to embrace a formal GRC strategy “because it was the best way to manage through a thicket of simultaneously occurring changes in our business and regulatory environment,” says Murray Walton, senior vice president and chief risk officer. The company’s business strategy has evolved in recent years from a holding company to an integrated operating model, creating greater complexity in the organization and the solutions it provides to clients, Walton says. “The external environment has also changed, and today we face more government regulation and nongovernment standards.” “Navigating all these challenges at the same time required a much more structured approach to governance, risk and compliance than our previous spreadsheet-driven methods.” Before deploying an off-the-shelf GRC software, “I would have characterized our environment as diversity on steroids,” Walton says. “We had diversity of understanding about what risk assessment and monitoring means. We had diversity of understanding about what was required or expected, and diversity of methods and practices. As a result, we had an absolutely enormous challenge to try to develop a picture of our enterprise risk and enterprise compliance.” There was no common understanding or vocabulary or process related to risk, Walton says. “The good news is that, with enough effort, we were able to manage risk, but there was a challenge of being able to document that to our board of directors or regulators, and to look beyond the horizon. All of a sudden, our diversity had become a risk itself.”
Upgrading Risk Management Processes
Today, the company’s GRC focus is on risk assessment, compliance monitoring, policy management and remediation tracking. Because Fiserv provides technology solutions to the financial services industry, it is regulated as if it were a bank itself. Since the 2008 market collapse, “it has been critical to our regulators and clients that we have rigorous processes in place to identify, understand, control, remediate and monitor our risk and compliance posture,” says Raji Ganesh, vice president of risk and compliance at Fiserv. To meet that challenge, the company realized it had to upgrade its processes and tools, and it standardized its approach to GRC across an enterprise where decentralization formerly ruled.
Fiserv began its program upgrade knowing that it needed a technology solution to support its initiatives. “But we were concerned that the technology solution could drive the program rather than the other way around,” Walton says. “There are some solutions in the market that, in my view, appear to be dogma-driven. Someone thinks they know the answers and have a one-size-fits-all approach to how risk and compliance monitoring ought to occur.” The company wanted software that addressed the widest possible range of regulatory and third-party standards. “If we only needed to be compliant with Gramm-Leach-Bliley or with HIPAA or with some other single regulation,” then flexibility wouldn’t be as much of a concern, Walton says. “But all those [regulations], and more, matter to us.”
First, Fiserv carefully built its GRC program to meet the organization’s needs, and then it selected the technology to support that program. Managers decided on a GRC product after exploring many alternatives in the market. “In the past, our team spent a disproportionate share of its time manually collecting and manipulating data. Just getting to a baseline understanding of our risk profile consumed most of our available horsepower, leaving far too little time for analysis and problem-solving,” Walton says.
Fiserv Debrief
Lessons from Fiserv’s GRC project.
The more decentralized the enterprise, the more complex the GRC implementation will be. Do not underestimate basics such as technical project management and behind-the-scenes network readiness.
Your existing risk-management team might fear that adopting GRC software will eliminate their jobs, or change their job functions in ways that take them outside their comfort zones or skill sets. Work with your GRC software provider and its user community to help your team understand the opportunities for professional growth the new system will provide.
Don’t try to use every bell and whistle available in your GRC solution on day one. Start small, simple and focused, with a clear idea of the outcome you want. Grow into your system.
Think of your GRC system as a flashlight, shining into the dark cupboards of your organization. You will be surprised how much better your risk and compliance fact base and reporting capabilities are immediately after you get your new system up and running. You will also be surprised by how hard it is to determine how to most effectively use the increased insight to improve risk management in your organization. —B.V.
The software has enabled Fiserv “to turn our paradigm on its head,” says Ganesh, and to shift her team of former risk tacticians and number crunchers into enhanced roles as risk strategists, allowing them to have a much greater effect on the organization. “It allows us to get beyond that almost clerical use of people,” she says. “The system does that [number crunching] really well. It has taken our people from being focused on minutia to focusing on the big picture.”
Benefits Captured
The software automates the tasks that were consuming the majority of this team’s time, including data collection, aggregation, workflow, and reporting. Now, armed with useful, organized output from the system, “they can primarily focus on deeper analysis and engagement that leads to more effective remediation and control of the risk in our organization,” says Ganesh. Fiserv is also benefiting from the workflow and configuration management components of the GRC software. “In a complex enterprise like ours, inputs and approvals may be needed from multiple units within the company to complete a single assessment,” Ganesh says.
Reporting is also simplified by the GRC system’s standard reports and its data export feature, which allows the firm to create reports using tools of its own choosing, Ganesh says. The software allows Fiserv to produce a dashboard for managers, which shows them a color-coded picture of exactly where risk resides in the organization. “It makes it abundantly clear that this is where you ought to be focusing on remediation efforts, investments, policy, people issues,” Walton says. “Rather than spending all that time figuring out where the risk is, we now get that intelligence from the system, and can spend more time addressing what we’ve found.” The company estimates that to produce the type of detailed risk profile it gets from the software over a three-month period now, it would previously have taken about six months using Fiserv’s old manual process. The older method would also have required seven to 10 more staff members and would have cost Fiserv an additional half-million dollars.
Another benefit is the increased credibility the enterprise risk management team has gained in its interactions with management, regulators and members of the board of directors. “We have much broader, deeper and better-presented data than ever before,” Walton says.
GRC Intel
Dave Notch, CISO, Thomson Reuters and Kristen Knight, Privacy Director, NA Philips Electronics North America, offer you insights that will help you pull off a GRC implementation of your own.
Don’t try to get it perfect, even though you may know what you want. Take an iterative approach. This lets you make progress and learn what yours and others’ requirements really are.
Expect to throw away some of your work. As you learn what the different audiences need, you will have to throw away some of your work. Don’t take it personally, it’s just part of the learning process.
Build a team that spans legal, HR, product, IT, and security. Work together regularly. This will help keep all of you from duplicating each other’s work, such as policy development. Also, this makes it easier when you step on each other’s toes.
Make sure you understand the operational impacts of the product before you commit to it. GRC products are all-encompassing by nature. Even your company’s top executives will be impacted by a GRC implementation, so make sure they are willing to go through training and to adapt to the new system.
It takes a mature organization with well-defined processes to deal with the workflow capability that a GRC tool provides. The workflow aspect of some solutions may require everyone in the organization to understand how to use it.
Recognize that implementations can take much longer than expected. At the same time, don’t be afraid to pull the plug if the implementation isn’t going well. — Joan Goodchild
“I can now engage with any of my team’s constituencies with greater authority and confidence, and this has strengthened all of these key relationships.” Because it has contacts with other corporate users of the software, Fiserv has benefited by learning about how others have successfully handled GRC processes. Ganesh is a member of an advisory group for users of the product, and she and Walton have taken advantage of formal and informal opportunities to interact with other companies using the same vendor. “Although every company is different, the journey to maturing the risk management function has common elements, whatever your business,” Ganesh says. “We have appreciated the opportunity to interact with others who are at different points on the maturity curve, and who have already figured out how to meet a challenge that is new to us.”
Overcoming Hurdles Exchanging best practices and getting advice from experienced GRC practitioners was especially useful for Fiserv because the company faced a number of challenges during its GRC implementation.
For example, when the enterprise set up a new comprehensive information security standards program about a year-and-a-half ago, that created another rule set for GRC. “So now we were adding another layer to our control policies, and we needed to learn how to build that” into the software, Walton says. “This was a need we didn’t anticipate, but we had the ability to talk to others and our advisers at [the vendor end], who recommended a policy-management module that links directly with content that exists” on their GRC software. “It saved us many months and at least a couple hundred thousand dollars of exploratory work.”
An even bigger challenge for Fiserv was creating a common understanding of the logic, discipline and vocabulary of professional risk management, Walton says. “Fiserv was formed through the acquisition of more than 140 companies over the past 26 years, and until a few years ago most of our business units operated with considerable autonomy. They managed risk the way they always had, and their practices pre-2007 reflected varying degrees of maturity and sophistication. Lacking common systems and processes across our enterprise, we achieved diverse results.” The value of a packaged solution is that it doesn’t skip steps, Walton says. “It enforces a rigorous, process-driven approach to risk management that is inherently missing in the kind of homegrown, paper-based processes we used before.”
The GRC implementation has been successful largely due to the comprehensive training of users within the company, and because the tool itself anticipates that users will approach the system with varying levels of understanding. “Essentially, there’s a lot of help built into the tools, and the user interface is solid,” Ganesh says. “In fact, [the vendor] was willing to take our suggestions and incorporate them as core product functionality.” Because the software was new for everyone, “we chose an implementation path that included a lot of professional services support,” Ganesh says. “This allowed us to stage our roll-out on time, with no surprises, and excellent user support. Usability was one of our most heavily weighted selection criteria, and we feel like we hit a home run with our choice of product.”
The most challenging aspect of the GRC implementation was security. “Because we have so many business units and a complex hierarchy, the ability to set user permissions at a granular level is very important to us,” Walton says. “We utilize a ‘least privilege’ security model, and it has taken time for us and [the vendor] to fully develop this functionality.”
Walton thinks two related trends are conspiring to make having a robust GRC strategy and software implementation more of a necessity for many companies. “First, we seem to be in an era of re-regulation, and every new regulation brings new compliance obligations,” he says. “Second, contract and vendor-management processes are being used more frequently to shift the onus of compliance obligations onto vendors.” From a vendor’s perspective, sometimes there is a business reason to consider accepting contract provisions from a prospective client that create unusual or incremental risk. “We believe that the better we understand our existing risk profile, the more intelligently we can evaluate non-standard client terms,” Walton says. “When we do agree to unusual requests, we also need the capability to monitor our own compliance. This is a huge advantage of our GRC implementation. It allows us to accept risks that would be unthinkable if we were flying blind.”
Like a number of industry experts, Walton thinks it’s important to remember that GRC is a process supported by technology, and companies should avoid focusing only on the software. “An effective risk-management program is part of an organization’s quest for self-awareness,” Walton says. “To begin with technology rather than process is to risk letting the tool define the program rather than support it. Before you can decide which tool meets your needs, you need an overarching process that helps assess your business and its assets, vulnerabilities and risk appetite.” Only when a company understands these baseline concepts can it really know how a GRC software solution will fit into its risk-management program.
Send feedback on this feature to editor@cio.in
Dynamiting Your Way to Security
A critical part of securing intellectual property is the timely elimination of data you no longer need. Here’s how to do that. By Bob Violino
A key part of any information security strategy is disposing of data once it’s no longer needed. Failure to do so can lead to serious breaches of data-protection and privacy policies, compliance problems and added costs. When it comes to selecting ways to destroy data, organizations have a short menu. There are basically three options: Over-writing, which is covering up old data with new information; degaussing, which erases the magnetic field of the storage media; and physical destruction, which employs techniques such as disk shredding. Each of these techniques has benefits and drawbacks, experts say. Some organizations use more than one method. For example, microprocessor maker Intel uses all three, “depending on what we’re trying to do and for what purpose,” says Malcolm Harkins, CISO and vice president of the IT group.
The data destruction market hasn’t changed much in the past few years, says Ben Rothke, an information security professional with extensive experience in data destruction. “If there is any trend, it is that more firms are aware of the importance of data destruction,” Rothke says.
Reader ROI:
Three ways to eliminate data
The pros and cons of each
Data destruction and cloud services
Still, some organizations, particularly smaller ones, need more education about data destruction, according to Jay Heiser, an analyst at research firm Gartner. “We consider this a very important topic, but it is not one that Gartner clients spend a lot of time asking us about,” Heiser says. “Enterprise clients generally have a pretty good idea of how to deal with this; the practices have been relatively consistent over a period of years, and it doesn’t generate a good deal of attention.” Unfortunately, Heiser says, there are still many small-to-midsize businesses that haven’t fully thought through the risks of undestroyed data.
There are also persistent questions among all types of companies about how to handle data that’s in the hands of cloud computing providers. “The concern that I am most often asked about by Gartner clients involves the treatment of data on the part of service vendors, especially software as a service [SaaS],” Heiser says. While a traditionally outsourced datacenter provider will typically commit to destroying data at the end of a contract and confirm this destruction in writing, that type of policy is rare to non-existent for SaaS, Heiser says. “Although the storage architecture of most SaaS services probably means that data from former customers will quickly be written over and soon become virtually impossible to recover, there’s no good way to know if this is the case,” he says. “The SaaS market also has little or no convention surrounding the treatment of former client data on backup media.”
Cloud services will likely increasingly shape how data destruction is perceived and performed in the coming years, says Ariel Silverstone, vice president and CISO at online travel services provider Expedia. “With the massive herd heading toward cloud, most vestigial physical destruction remnants are being killed off,” Silverstone says. “In other words, logical destruction, for all but truly classified data, is further entrenched as the norm.
The problem is not destruction as much as it is discovery of the data. How do we find the data that we need to destroy?” As for on-premise data, organizations need to consider several factors before choosing a method of destruction, says Jeff Misrahi, an independent information security consultant and former CISO. The first is the time spent on data destruction. For example, is this something the company does a lot, or does it have a lot of disks to go through? The second is cost. Can the company afford to destroy disks or do they need to be reused to lower expenses, and can it afford specialized destruction hardware? Finally, think about validation and certification. Is data destruction a regulatory compliance requirement? How will you prove to regulators or auditors that you have met the requirements? Here’s a look at some of the advantages and disadvantages of the three main methods of data destruction.
Over-writing
One of the most common ways to address data remanence—the residual representation of data that remains on storage media after attempts to erase it—is to overwrite the media with new data. Because over-writing can be done by software and can be used selectively on part or all of a storage medium, it’s a relatively easy, low-cost option for some applications, experts say. Among the biggest advantages of this method, Rothke says, is that a single pass is adequate for data removal, as long as all data storage regions are addressed. Software can also be configured to clear specific data, files, partitions or just the free space on storage media. Over-writing erases all remnants of deleted data to maintain security, Rothke says, and it’s an environmentally friendly option.
On the downside, Rothke notes, it takes a long time to over-write an entire high-capacity drive. This process might not be able to sanitize data from inaccessible regions such as host-protected areas. In addition, there is no security protection during the erasure process, and it is subject to intentional or accidental parameter changes. Overwriting might require a separate license for every hard drive, and the process is ineffective without good quality assurance processes.
Outsourced datacenter providers will typically commit to destroying data at the end of a contract and confirm this in writing. But that type of policy is rare to non-existent for SaaS.
Another factor to consider is that over-writing works only when the storage media is not damaged and is still writable, says Vivian Tero, program director for governance, risk and compliance infrastructure at research firm IDC (a sister company to CIO’s publisher). “Media degradation will render this [method] ineffective,” Tero says. Nor will over-writing work on disks with advanced storage-management features, she says. “For example, the use of RAID means that data is written to multiple locations for fault tolerance, which means that remnants of the data are scattered in the enterprise storage architecture,” Tero says.
Security practitioners point out that while over-writing is cost effective, it’s not free. “Over-writing is definitely cheaper [than other methods], but you still have to have the headcount to manage it, so there are costs there,” Harkins says. By following standards created by the Department of Defense and the National Institute of Standards and Technology, “you can be pretty sure the [over-written] data will be unreadable and unusable,” Harkins says. “There are studies I’ve seen where people will prove that they can find stuff on drives that are over-written. But I think if you follow the standards you greatly minimize the likelihood that that would be the case.” Still, Harkins says, over-writing is by no means foolproof. There are areas where errors might occur and the data might not be fully overwritten. “In the wrong hands, someone might still be able to recover the data,” he says.
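The single-pass over-write and the quality-assurance check discussed above, as an added Python example that is not from the article: it sanitizes a constructed file-backed disk image and then reads the whole image back to confirm that nothing survived. The `hidden_tail` parameter is an assumed stand-in for a region, such as a host-protected area, that the sanitizer does not reach.

```python
"""Single-pass over-write of a disk image with a verification pass.

Added example, not code from the article. It models two points the
article makes about over-writing: a single pass is adequate only if
every storage region is addressed, and the method is unreliable without
a quality-assurance step. The `hidden_tail` argument is a constructed
stand-in for a region such as a host-protected area that a sanitizer
cannot reach; real tools address such regions through the drive itself.
"""
import os
import tempfile

PATTERN_BYTE = b"\x00"   # single-pass fill value
CHUNK = 4096             # write/verify granularity, in bytes

# Constructed sample record; it stands in for the sort of personal
# data the article says must not survive on retired media.
SAMPLE_RECORD = b"CARD=0000-0000-0000-0000;NAME=SAMPLE USER"


def make_sample_image(path, size=64 * 1024):
    """Write a 64 KiB image of random bytes with the sample record
    planted twice: once mid-image and once in the final block."""
    data = bytearray(os.urandom(size))
    data[10000:10000 + len(SAMPLE_RECORD)] = SAMPLE_RECORD
    tail = size - 200
    data[tail:tail + len(SAMPLE_RECORD)] = SAMPLE_RECORD
    with open(path, "wb") as f:
        f.write(data)
    return size


def overwrite_image(path, hidden_tail=0):
    """Single-pass over-write of every byte the sanitizer can reach.

    Returns the number of bytes written. The last `hidden_tail` bytes
    of the image are left untouched to simulate an unreachable region.
    """
    size = os.path.getsize(path)
    reachable = size - hidden_tail
    with open(path, "r+b") as f:
        remaining = reachable
        while remaining > 0:
            n = min(CHUNK, remaining)
            f.write(PATTERN_BYTE * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())
    return reachable


def verify_image(path, fingerprints):
    """Quality-assurance pass: read the whole image back, independently
    of what the sanitizer believed it covered.

    Returns a list of (finding, offset) tuples: a block that does not
    hold the fill pattern, or a known sensitive fragment still present.
    An empty list means the over-write is verified.
    """
    findings = []
    with open(path, "rb") as f:
        data = f.read()
    for off in range(0, len(data), CHUNK):
        blk = data[off:off + CHUNK]
        if blk != PATTERN_BYTE * len(blk):
            findings.append(("unsanitized_block", off))
    for label, frag in fingerprints.items():
        idx = data.find(frag)
        if idx != -1:
            findings.append(("remnant:" + label, idx))
    return findings


def sanitize_and_verify(hidden_tail=0):
    """Build a sample image in a temp dir, over-write it, verify it."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "disk.img")
    make_sample_image(path)
    overwrite_image(path, hidden_tail=hidden_tail)
    findings = verify_image(path, {"sample_record": SAMPLE_RECORD})
    os.remove(path)
    os.rmdir(workdir)
    return findings


if __name__ == "__main__":
    # Full coverage verifies clean; a skipped tail block is caught by QA.
    print("full coverage:", sanitize_and_verify())
    print("unreachable tail:", sanitize_and_verify(hidden_tail=CHUNK))
```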
Strategy Analysis
Before going off on a data destruction crusade, figure out what strategy works best for your company. To do that you need to decide which of these are more important:
Time. Ask Yourself: Is this something the company does a lot? Does it have a lot of disks to go through?
Cost. Ask Yourself: Can the company afford to destroy disks or do they need to be reused, and can it afford specialized destruction hardware?
Validation and Certification. Ask Yourself: Is data destruction a regulatory compliance requirement? How will you prove to regulators or auditors that you have met the requirements?
Degaussing
Degaussing is the removal or reduction of the magnetic field of a storage disk or drive. It’s done using a device called a degausser, which is specifically designed for the medium being erased. When applied to magnetic storage media such as hard disks, magnetic tape or floppy disks, the process of degaussing can quickly and effectively purge an entire storage medium. A key advantage to degaussing is that it makes data completely unrecoverable, making this method of destruction particularly appealing for dealing with highly sensitive data.
On the negative side, Rothke says, strong degausser products can be expensive and heavy, and they can have especially strong electromagnetic fields that can produce collateral damage to vulnerable equipment nearby. In addition, degaussing can create irreversible damage to hard drives. It destroys the special servo control data on the drive, which is meant to be permanently embedded. Once the servo is damaged, the drive is unusable. “Degaussing makes data unrecoverable, but it can damage certain media types so that they are no longer usable,” Harkins says. “So if you’re reusing [those media] this may not be the right method.” Once disks are rendered inoperable by degaussing, manufacturers may not be able to fix drives or honor replacement warranties and service contracts, Tero says.
There’s also the issue of securing media during the process of degaussing. “If there are strict requirements that prevent exit of failed and decommissioned media from the data center, then the organization must assign physical space in the datacenter to secure the media and equipment for the disk eradication” process, Tero says.
The effectiveness of degaussing can depend on the density of drives, Harkins says. “We encountered that issue three or four years ago with hard drives in laptops,” he says. “Because of [technology] changes in hard drives and the size of them, we found that some of the degaussing capabilities [were] diminishing over time.” How effective the method is also depends on the people doing the degaussing. “If people make mistakes, then your control gets diminished,” Harkins says. “Let’s say the person responsible for degaussing drives was supposed to do it for 15 minutes, but they have to go to lunch so put it in for five minutes instead. You could have breakdowns like that.” But he concedes that all three methods are susceptible to human error.
Physical Destruction
Organizations can physically destroy data in a number of ways, such as disk shredding, melting or any other method that renders physical storage media unusable and unreadable. One of the biggest advantages of this method is that it provides the highest assurance of absolute destruction of the data. There’s no likelihood that someone will be able to reconstruct or recover the data from a disk or drive that’s been physically destroyed.
On the down side, physical destruction can be a costly way to get rid of data, given the high capital expenses involved. “Physical destruction [is] an expensive and not a fiscally sustainable long-term strategy,” Tero says. “The approach also contravenes an organization’s green and sustainability programs.”
But Intel has found that physical destruction is an efficient method of getting rid of data when transporting storage media for degaussing is not practical or secure. For example, when the company needed to wipe data from thousands of drives in multiple locations, its choices were to either degauss at multiple sites, which would have been costly, or ship the drives to a single location, which would have been risky if the drives got into the wrong hands. The company ended up stockpiling thousands of old drives while pondering how to destroy them in a way that was not prohibitively expensive but that still resulted in the complete destruction of the data. Intel had been working with scrap contractors that melt down and reclaim precious metals, and someone came up with the idea of having them melt down the hard drives and recycle the metal. “There was no cost impact to the IT budget, and it was also green because the metals were getting recycled,” Harkins says.
However, Harkins points out that the effectiveness of physical destruction methods depends on how much of the medium was actually destroyed. “I might still worry about drilling holes in a hard drive,” which might render the drive unusable but not destroy the data that’s left in unaffected spaces, he says.
Send feedback on this feature to editor@cio.in
CUSTOM SOLUTIONS GROUP GALAXY
EXECUTIVE VIEWPOINT
Responsive IT Infrastructure: The Future

The dynamic nature of the market today requires enterprises to be equally dynamic. The only way businesses can match the pace of the market is by having a robust and highly responsive IT infrastructure.

SANJAY, CEO, Galaxy Office Automation. An industry veteran, Sanjay is responsible for strategic leadership and supporting the overall performance of Galaxy Office Automation.

What, according to you, is the ideal approach to IT infrastructure provisioning?
For the past 25 years, we have been building IT infrastructure for large enterprises across industries. Organizations need a cluster of applications to meet their business objectives. It is important to understand that the only purpose of the infrastructure is to host these applications. The need of the hour is to facilitate the use of these applications from different locations by different kinds of users with different kinds of devices, without compromising performance and security. Another aspect that organizations should consider while building their IT infrastructure is the availability and scalability of these applications.

As a part of this approach, what should be a CIO’s top priority while designing the IT infrastructure?
Scalability is very important to future-proof the infrastructure without over-provisioning. In fact, one outcome of this application-centric approach of infrastructure provisioning has been the rapid growth of virtualization and the cloud. Another vital factor is data management. The amount of data generated by any enterprise in a day is nothing short of staggering. With the capability of now being able to analyse this ‘big data’, the IT infrastructure needs to be able to store and manage this data through its useful lifecycle.

Can you give us an example of an infrastructure designed with the application-centric approach?
The most common instance of this would be the cloud or on-demand virtualized servers. For example, one of our customers has an application to maintain a weekly timesheet. At the end of every week, each person in that company has to fill in their timesheet. As a result, the load on the network and the servers was extremely high on Fridays, but low on other days. They also have a reporting application that is used extensively on Mondays and Tuesdays, but again very little on other days. The application-centric approach lets them use the same resources for both applications as and when required without compromising performance.

Do you believe that there is one single product or solution that will help customers build a responsive IT infrastructure?
Contrary to popular belief, there is no single solution that can do this. This has to be achieved through a combination of products, and would solely depend on the usage pattern of the applications. In the previous example, without studying the applications and their usage, it would have been impossible to arrive at the right solution. There are a lot of next-gen technologies—that are application-aware, content-aware, user-aware, and context-aware—which can be integrated to build a responsive IT infrastructure.

What is unique about Galaxy?
Over the years, Galaxy has been closely associated with market leaders in the next-gen technology space. We clearly understand customer pain points, and have the ability to articulate business needs, and map them to what IT has to offer. From storage to servers, and from networks to security, we have been helping customers set up their basic IT infrastructure. Adding more intelligence to this infrastructure, and aligning the same to the business is what we bring to the table. Our customers can also try their applications in our customized responsive IT infrastructure at our innovation center located in the heart of Mumbai.

“The application-centric approach helps enterprises build a robust and responsive infrastructure.”

This interview is brought to you by the IDG Custom Solutions Group in association with

Sanjay can be reached at: sanjay@goapl.com Website: www.goapl.com Phone: (022) 42187777
CONFIDENTIAL: For Your Eyes Only

Intellectual property is the new hot target, under attack by hackers and inadequately secured. Here’s how to protect it. By Lauren Gibbons Paul
Global healthcare provider Best Doctors employs the most robust technologies and practices available to protect the privacy of its members’ personal data—but that’s just a part of doing business in this industry. Less obvious but equally important is the degree of vigilance with which the company protects its brand name, which is trademarked in dozens of countries worldwide. “Our distinctive name and logo, those two words connote the high quality of our doctors and hospitals. Something very simple can be very powerful,” says Tom Seaman, SVP and general counsel for the company, which provides health insurance as well as health advisory services. Though Best Doctors has a small portfolio of patents (including a business process patent it received in the 1990s when such things were in vogue), its focus when it comes to intellectual property (IP) protection is its brand, which is trademarked. “We take extreme measures to protect it,” says Seaman. His vigilance is entirely appropriate.

Reader ROI:
Why IP is becoming a hotter target
The result of not protecting it
Steps to safeguard IP
GRC
This is no time to blink. Many now see IP as one of the most important corporate assets—worthy of protection, electronic and otherwise. “Targeting of IP is increasing,” says Gary Loveland, partner at PricewaterhouseCoopers. “We’re seeing an evolution from a hacking perspective. Before, [breaking in] was just a trophy to show you could get access to the data. Then there was identity theft. Now, there’s a focus on IP because of the profit motive.” Accessing a company’s proprietary information provides a quick path to stealing its business. Daily headlines detail attacks on corporate IP, especially when the assaults are launched from emerging economies such as China. For example, security software vendor Symantec recently announced its discovery that hackers had targeted the IP of about 50 organizations, including chemical and defense companies, in a global wave of cyberespionage. These attacks were thought to be the work of a Chinese man. Symantec competitor McAfee also reported that it detected that 72 organizations had been subject to cyberattacks on IP last summer. Google disclosed its Aurora attacks in 2010. The Wall Street Journal recently reported that the Chamber of Commerce suffered a major theft of information, also believed to have been conducted by someone in China. The full extent of the damage from these incidents won’t be understood for years, say experts. But as scary as these stories are, they shouldn’t eclipse your concern over a host of more mundane but potentially equally damaging threats to your company’s IP. The most common scenario, alas, is that an employee unwittingly shares a trade secret or a confidential idea, or that your business partner forgets about a nondisclosure agreement signed long ago. Social networks make this scenario exponentially more likely. 
The problem is, most companies have a broad range of information that can be considered IP—though many have not taken the time to properly identify it all—and protecting all of it from myriad threats is a daunting prospect. A number of CISOs contacted for this article say their corporate IP is adequately protected by the standard data security practices they already have in place. That could be true, but consider: Much of the attention in recent years has focused on protection of transactional data and personally identifiable information (PII), such as customer names and credit card numbers. IP is much squishier and may live in different parts of your network—and of your filing cabinets and whiteboards and so on—from PII. And it is sometimes subject to a different set of legal protections. Here’s expert advice on connecting all the dots and creating a more robust IP protection program.
SECURITY SPECIAL
Taking Stock of IP

Unless you have already done this, and recently, the first thing you have to do is identify what your IP consists of and where it resides. This is no easy feat, as IP can be deceptively chameleon-like, taking multiple forms: Structured and unstructured, amorphous and concrete, small shreds of things or entire databases, thoughts in someone’s head or captured in a document. You need to explain to employees and business partners what your IP is, because if you don’t, you can be sure they will share the information and thereby reduce its value (at best) or jeopardize the company (at worst).

Nuance Communications, a $1.3 billion (about Rs 7,200 crore) software company, recently embarked on a major effort to understand and rationalize its IP, says CSO Stan Black. This was necessary in the wake of Nuance’s massive acquisition spree over the past five years, in which it bought up 50 companies. “We have gone through a significant effort to understand what we have in-house, what’s commercial, where it resides,” says Black. “Due to the speed at which we iterate, it’s quite an effort.”

After you’ve completed your IP inventory, the next step is to map the data, according to Gary Lynch, global head of strategic consulting for Marsh, a security advisory company. “How does it get created, where does it get created, what happens to it? You have to look at all the stages of data formation and use all the way through to disposal, access, storage and transmission,” says Lynch. Your IP data map then becomes your footprint for applying controls.

Electronic protection of IP is different from protecting many other types of information. Often referred to as the “corporate jewels,” IP is so precious it needs to be protected at a data and document level, as opposed to just at the level of the system on which it resides. Unfortunately, more draconian protections make it difficult to share the data, which is the order of the day in today’s collaborative environments. “Public key infrastructure and general encryption are not very usable in an enterprise,” says Ryan Kalember, who recently became chief marketing officer of WatchDox. “Users will find their way around the controls.” On the other hand, when you have a small amount of ultra-secret, non-shared information to protect from prying eyes, the task is fairly straightforward: Encryption or data masking, two- or three-factor authentication and embedded access controls. “The protections must be embedded in the IP in a frictionless way for the users. Otherwise, it’s just the whack-a-mole routine we’ve been doing for years,” says Kalember.

These decisions—what to count as IP and how and to what degree to protect it—should flow from your business objectives, according to Evan Falchuk, chief strategy officer for Best Doctors. “The way you focus those efforts has to fit into your business. We ask, ‘What does it take for our business to win?’ Our strategies flow from that,” he says. So Best Doctors focuses on supporting its brand name with its IP protection, though it uses comprehensive IT security technologies and practices, including requiring all new employees to sign a nondisclosure agreement. And everyone has to leave behind a clean desk when they go home for the night, part of Best Doctors’ attention to seemingly minor details.

Many companies turn to the experts—lawyers, generally—to educate staff and get their commitment to protect IP. Jeff Feldman of Feldman Gale is often called in to do IP counseling for employees. Seminars covering IP basics can help companies immunize themselves against the virus of IP leakage, which can take benign-looking forms. An in-house patent lawyer at a healthcare company laments the collegial way doctors tend to share data. “It’s like an academic environment—they’re just trying to further the cause of medicine. But they don’t understand that the company has shareholders, and the company has to make investment decisions for its shareholders,” he says. This attorney does training based on real-life scenarios, telling people, “Don’t let this be you.”

Feldman’s bugaboo is idea misappropriation. He has seen too many instances where a former employee tries to claim credit for the idea behind a product or service. He also cringes when content and entertainment companies have no clear-cut idea-submission policy. “Follow the lead of Google and Facebook and have a policy: ‘You send me an idea, it’s mine,’” he advises. Eliminate the implied duty of confidentiality right out of the box, and avoid claims down the road.

A Cautionary Tale

Virtually everyone interviewed for this story warned that IP is highly perishable. Once the secret is out, it’s out. And the consequences can be dire. Prescott Winter, CTO of the public sector for HP Enterprise Security Products, was advising a small high-tech company that was hit by the Google Aurora attacks in 2010. This company spent a significant portion of its revenue on research and development. “They only had about nine months of profit on their new products, about a 35 percent to 40 percent return on investment,” says Winter. After that, the return rates dropped off. “The advantage they had dissipated immediately. They had overlapping nine- to 12-month bumps in revenue. If three of those high-revenue product cycles in a row were to be damaged or destroyed because a competitor gets the information, game over.” Post-Aurora, the company was forced to shut down. “They were unable to respond before their future was stolen,” says Winter. “So many companies are hanging by a thread.” In the words of the patent lawyer, don’t let this be you. CIO

The IP Landscape

Your company’s IP may encompass a wider range of items than you’ve considered, including:

Patents. This is usually fairly straightforward. If your firm was granted one or more patents, you or your legal department will be charged with defending it (that is, detecting and suing over possible infringement). Less clear-cut: When other companies or patent trolls claim your firm is infringing their patents. It happens every day. In industries like high tech, companies routinely infringe each other’s patents via reverse-engineering, according to an industry insider, and then negotiate to decide a reasonable licensing fee post-facto.

Copyrighted material. When an author creates a written work, a natural copyright (that is, the right to exclude others from copying that work) arises. This natural copyright exists even without registering a formal copyright and using the © symbol, but if the document or work is important, you should take the time to register its copyright.

Trademarked names or logos. If your corporate name or logo carries a trademark, create usage policies for employees and business partners to follow or risk diluting the value of your IP.

Ideas. These are amorphous and generally exist in unstructured form (often in people’s heads) and so can be difficult to protect. Most important here is to have a written agreement in place from the beginning of the person’s employment or the start of the partnership so all parties understand who owns what in the case of a later claim.

Trade secrets (including recipes, ideas, transcripts, notes, presentations). This category covers any manifestation of value to the corporation for which you prefer not to seek formal IP protection, due to competitive or other reasons. The object here is to make sure the secret remains safe from prying eyes. You should seek the highest information security for this type of information, including encryption and multi-factor authentication. And don’t skimp on the employee and partner education and security policies. Mark Itri, a patent attorney with law firm McDermott Will and Emery, was on a plane going to visit a major airplane manufacturer when he overheard a conversation, apparently among employees, about the schematics for the next generation of jet engines. “They were talking really loud. Everyone could hear. All over the schematics were the words ‘confidential and proprietary,’” says Itri. He promptly walked into the airplane maker’s offices and said, “This is how you lose your trade secrets.”

—By Lauren Gibbons Paul
People Skills Even well-run organizations can be political, inflexible, and resistant to new ideas. Here are nine ways to cross these hurdles and achieve your security goals. By Mary Brandel
SECURITY SPECIAL
Security may be a hot-button issue for business executives, but in an environment of ongoing economic uncertainty, support for security initiatives isn’t always easy to come by. Whatever’s standing in the way—be it politics or personal agendas, inflexible budgets or outright adversaries—security professionals need to work hard to loosen the purse strings and get funding for the programs they believe in. “There’s no carte blanche for security,” says Roland Cloutier, CSO at ADP, a $10 billion (about Rs 55,000 crore) business solutions outsourcer. Reader ROI: “It’s an ongoing chore to prioritize our How to get buy-in spend, align with business priorities for your project and promote our requirements so we Strategies to make security can get that extra dollar to protect the everybody’s problem company,” he says. Why playing politics is important
S ’ Y T I R U C E SBuy-In Obstacle Course
Security Special
People Skills
Dave Cullinane, CISO at online auction giant eBay, agrees. “Where we’re spending, what’s the risk and what the appropriate expenditure is—all these things put together are making it more challenging to get things approved,” he says. We asked several CSOs to tell us their best getting-it-done tips, and we distilled them into nine tactics for getting your security initiatives moving despite numerous obstacles.
1. Do the Math With funding tighter than ever, it’s crucial to present hard numbers on why your project or initiative is important. “If it’s just marginally improving the level of security, that’s probably not enough,” says Richard Gunthner, CSO at Mastercard Worldwide. “There needs to be an ROI that makes sense.” With so many potential exposures—malware, system threats, new regulations—Cullinane says a big part of his job is calculating a risk picture and quantifying it to show the residual risk and the ROI of your intended fix. “If I can demonstrate that a $6 million (about Rs 33 crore) investment will result in a $300 million (about Rs 1,650 crore) risk reduction, the CFO gets that,” Cullinane says. Then, follow up with the results. “It’s showing [them], here’s where we started, and here’s where we came to in a short period of time,” Cullinane says. Once you build credibility, the money will
2. Show the Business Link Even if you can’t get hard numbers, be sure to request funding only for initiatives that align with current business concerns, Cloutier says. For instance, if the current business concern is top-line revenue, how can you help do that faster? If it’s closing the sales cycle faster, what program can you initiate to speed that up? If the concern is expense reduction, what can security do to reduce fraud and waste? “If you can articulate that and show a direct link—not just a speech that points to something, but actually show a link—that gets corporate leaders behind your efforts to support them in reaching their goals.”
3. Watch Your Language You won’t get far in your spending requests if you don’t tune your message to the audience, whether you’re presenting your case to the executive board, the IT group or the mailroom staff. “You should constantly be shifting gears in the way you talk to various prospective customers,” says Jason Clark, chief security and strategy officer at Websense, a security solutions provider. “IT cares about operational details, but that’s not the same conversation you should have in the boardroom.”
It’s also a good move to surround yourself with people who hold power in the organization, such as top money-making business areas. come more easily. “I’m giving [the CFO] back $5 (about Rs 275) for every dollar he gives me, so he’s willing to give me more—one of the nice things about security is you can demonstrate that,” Cullinane says. One example is a recent investment Cullinane’s organization made in advanced malware-detection tools. When Cullinane asked his investigative team to conduct a pilot test to detect any major issues with employee laptops used to work from home, “we found we had a much more significant malware problem than we thought we had, especially targeting people in HR and finance,” he says. This could have resulted in leaked information on organizational changes or planned acquisitions, but by making a small investment in a malware product, the exposure could be drastically reduced, he says. Cullinane also recently made a large investment in intelligence information to focus on major sources of fraud. “It was essential in arresting individual fraudsters and kept our fraud rate down 100 percent more than the investments we made,” he says. Ideally, you should show the investment will close a hole you have in your organization that has resulted in a security lapse tied to a financial loss. 72
A U G U S T 1 5 , 2 0 1 2 | REAL CIO WORLD
Alan Nutes, senior manager of security and incident management at Newell Rubbermaid, echoes this advice. “If you’re talking to senior management, use C-level words,” he says. “A security professional might say ‘loss prevention,’ where a C-level [executive] will understand ‘asset management.’” In an executive-level pitch for more firewalls, you might use the metaphor of needing brakes on a car, not for stopping but to go faster safely, Clark suggests. “Or if executives want to bring iPads in, you don’t want to be the guy saying, ‘No iPads’; it’s ‘Yes, iPads, but here’s an extra piece of software on the network to secure it.” The fact is, most business executives only become concerned about security violations when it’s clear how the exposure will affect the top or bottom lines, and it’s your job to make that connection for them. When Cloutier’s team recently conducted a review of business-process risk, for instance, it discovered its datamonitoring controls were no longer optimal for one unit because of a change in the way the unit was transferring data. To make the case for the technology upgrade that would fix the issue, the team made the link between the security weakness and the unit’s ability to get certifications that would allow it to win more contracts. “We put it in terms the unit would understand,” Cloutier says. “They weren’t so concerned about the actual security violations,
VOL/7 | ISSUE/10
People
but how it would impact their ability to generate new revenue because certain certifications would not be available to them otherwise.” As a result, “they became our number-one business supporter in deploying new technology to remediate it,” he says.
4. Make It Personal If you want to get someone’s attention, lay an issue right in their front yard. Once people are made to feel accountable, they will take interest in—and hopefully become advocates for—your proposal. For instance, Cloutier makes a habit of identifying which business leaders “own” which risks and then publicizes these assignments. “That’s powerful—people don’t want to be seen as responsible for risk, so they become supporters in helping to mitigate it,” Cloutier says. “It’s not about fear and uncertainty, it’s about feeling accountable for a problem in their area and deciding they’re going to help resolve it.” The technique encourages a partnership approach, which drives the needed resources. Clark similarly believes in the power of publicizing ownership. He uses a device that he created earlier in his career, which he calls the “Good, Bad and Ugly” chart. The diagram depicts where each division stands in its progress on current security initiatives. At one company, Clark shared this chart with the CEO and requested that the CEO voice his support for the initiative in his quarterly address. Not only did the CEO promote the project, but he also called out the president of one division that had fallen far behind in achieving project milestones, saying that failing to catch up would result in termination. “Suddenly, everyone was coming to me, asking what they needed to do to catch up,” Clark says. In large companies, it can take some educating to get certain divisions to feel ownership. For instance, at a global manufacturer that Clark worked for, the oil refinery division had lots of interest in security, but a manufacturing division was more tuned in to keeping its factories operational. “We had to show them that regardless of what they’re protecting, they’re part of the overall corporate risk,” Clark says. “You’re only as good as your weakest link. 
That is a conversation I’ve had multiple times because different areas didn’t want to spend the funds.”
SECURITY SPECIAL
3 Tips to Win the Metrics Conquest Here are some do’s and don’ts for using numbers to make a case for security—from finding the right metrics to dressing them up real pretty. Make the most of what you’ve got. It’s not just what you’ve got, as they say, but how you work it. Suppose half a million dollars’ worth of products gets stolen on the way to customers each year. In the greater scheme of things, other executives might not care much about $500,000 (about Rs 275 lakh) worth of goods. But point out that the company has invested hundreds of millions of dollars in its supply chain and that customers aren’t getting their orders on time for security reasons. They’ll sit up. Don’t get too creative. Be careful about the numbers you begin with or you’ll gain a rep as a FUD-meister (fear, uncertainty and doubt). A lot of the vendor-driven research has its own game plan: Getting you in the door and your
pocketbook open. A lot of [studies publicized by vendors] may be scare tactics and things that are trying to draw a revenue, but there are also some solid facts behind that. A good rule of thumb is the old adage: Believe half of what you see and none of what you hear. Don’t leave something eyecatching behind. A better bet is numbers that people can take away. Hand out an annual wallet card that summarizes what the security department had accomplished in the previous year, compared with what it had done in the past. Focus on yearto-year changes in the number of attempted virus attacks and successful virus attacks, and highlighted the cost per hour of a full-time security employee versus a consultant. — Sarah D. Scalet calet
5. Preview Your Plans You usually only get one shot when you request funding, so Gunthner suggests practicing your pitch before showtime. “When I set out to sell a new initiative, I’m looking at three things: Does it make financial sense, what is the business value, and does it support the business strategy,” he says. “So after doing all my homework, before officially presenting it, I present it informally to various key stakeholders so I’m not taking something out of the box they’ve never seen or heard of before.” By the time you make the formal presentation, you have a number of people in your corner who understand the value of what you’re trying to do, he says. And if there’s a lot of pushback,
VOL/7 | ISSUE/10
you need to evaluate whether it’s time to move forward or go back to the drawing board. “You typically only have one chance of getting a yes, and if you get a no, you can’t go back for several years,” Gunthner says. The stakeholders you gather don’t need to be part of the ultimate group making the decision, he says. They just need to be people in divisions who may be affected, for example, facilities, a particular business unit, finance, legal or HR. “I try to rally as many of those people in my corner as I can so that when the day comes—whether they’re in the room or not as part of the official REAL CIO WORLD | A U G U S T 1 5 , 2 0 1 2
73
Security Special
People Skills
decision making—I can say I consulted with XYZ and they’re in support of it,” he says. Even if it takes weeks or months, Gunthner says he doesn’t move forward with his funding requests until he gains consensus. “All it takes is one stakeholder to say, ‘I don’t agree,’ and the thing is dead in the water,” he says. “Let them shoot holes in it—you would rather know beforehand versus when you get turned down altogether.”
Tune your message to the audience. In an executive-level pitch for more firewalls, you might use the metaphor of needing brakes on a car, not for stopping but to go faster safely.
6. Play Politics It’s also a good move to surround yourself with people who hold power in the organization, such as top money-making business areas, Clark says. “If you get them bought in, everyone else will say, ‘If it’s good enough for them, it’s good enough for us,’” he says. Does that sound cynical to security do-gooders? “That’s how the business world works,” says Clark. Additionally, when communicating to the company about the security organization’s activities, it’s not a bad idea to piggyback newsletters or articles onto communiques that a high-level executive is already sending out. At a previous employer, Clark contributed a monthly column to a weekly newsletter that the number three executive in the company sent out. At another company, he paired up with the CIO’s ongoing communications. “I ask the highest-level person I have a relationship with to send it out,” he says. These missives are also a good way to build a campaign for an initiative for which you’re trying to gain support.
9. Show, Don’t Tell
created a mash-up of the company’s Web security tools and a spinning globe. He showed a rain cloud advancing over certain cities to show where the risk was highest. “The CEO asked if I could guarantee we wouldn’t get hacked, and I said, ‘Can you make it stop raining?’ No, but you can prepare for the storm to reduce your risk,” Clark says. At eBay, Cullinane has developed a dynamic “risk curve” visual that illustrates the relationship between spending and risk levels. “It tends to get pushed up to the right as new exposures are found and moves down when we take actions to reduce exposure,” he says. Clark also believes in the power of storytelling as a vibrant way to enliven security exposures and successes. He has gone so far as to hire a security marketing analyst, who spends one-third of his time storytelling, whether it’s to secure funding or report on ROI. This person is a creative communicator and natural salesperson who, for instance, tells executives what they got for their money, beyond standard ROI, and puts relevant context around news stories of security mishaps and explains what could reduce that kind of risk. Beyond visuals and storytelling, Cloutier has occasionally turned to the power of the hack to illustrate a technology-related risk. “Especially on the cyber side, we show them how easy it would be to get hacked,” Cloutier says. “It’s hard to argue.” Similarly, Clark has set up hacking challenges that determine whether he gets funding. At one company with a large number of external-facing websites, the developers firmly believed they had battened down all the hatches and were balking at putting up the money for a particular security initiative. Clark issued a challenge: If he could hack into five of the websites, they would allocate the funds. They agreed, and he was successful. “It was a gamble, but I was pretty confident,” he says. Doing something attentiongrabbing is sometimes key, he says. 
“To be a change agent, you have to be creative and convey things in interesting ways they haven’t heard of before,” Clark says. “Often, people have their objections already lined up, so you have to think two steps ahead and come at it a completely different way.” CIO
When presenting to the C-suite, visuals can express your ideas more clearly and quickly than words. When Clark wanted to convey risk exposure to executives at a former employer, he
Send feedback on this feature to editor@cio.in
7. Read Their Minds It doesn’t take a psychic to forecast the concerns and questions certain stakeholders will have—all it takes is a quick study in human behavior. “Certain individuals have hot-button issues they particularly want to dig into,” Gunthner says. For instance, HR may have a particular sensitivity to certain employee relations issues, while facilities may be concerned about misplaced assets. “To know what those are and address them in advance gives you a much better opportunity to get your proposal through,” he says.
8. Watch Your Timing Timing is not always something you can control, but it’s important to keep in mind that it’s “key, key, key,” Gunthner says. Even great projects that clearly support business strategy and promise a great return can get turned down if the decision maker is, for whatever reason, having a bad day. “You have one opportunity to get a ‘yes,’ so timing is crucial,” he says. “If you have the ability to pick the right time to present your project, do so. This will increase your chances of getting a ‘yes.’”
The Web World of
If your employees are using the corporate network to transact in the online black market, they are exposing your organization to severe security and legal risks. By Brandon Gregg
The Internet is no stranger to crime. From counterfeit and stolen products, to illegal drugs, stolen identities and weapons, nearly anything can be purchased online with a few clicks of the mouse. The online black market can not only be accessed by anyone with an Internet connection, but the whole process of ordering illicit goods and services is alarmingly easy and anonymous, with multiple marketplaces to buy or sell anything you want. Understanding how the market thrives—unregulated and untraceable—can give you a better sense of the threats (or resources) that affect you and your business. In our scenario we are going to legally transfer $1,000 (about Rs 55,000) out of a regular bank account and into a mathematical system of binary codes, and then enter a neighborhood of the Internet largely used by criminals. This hidden world lets anyone purchase bulk downloads of stolen credit cards, as well as a credit card writer, blank cards, some “on stage” fake identities—and maybe even a grenade launcher they’ve had their eyes on. A journey into the darker side of the Internet starts with two open-source programs: Bitcoin and the Tor Bundle.
Reader ROI: How the online underworld works; the risks of black market transactions; how to protect your organization
Moving Money
Bitcoin is a system tool that will act as a personal bank for storing and investing digital currency on your computer. Once it’s installed on your system, it sits empty like a piggy bank, waiting to be filled with untraceable digital cash. Getting it filled is the tricky part. The digital monetary system online is predominately operated by the likes of Paypal, Western Union, and banking companies that try to follow government regulations to prevent fraud and money laundering. There are two steps to legally take money and have it converted at the current Bitcoin rate into BTCs in our digital and anonymous bank. Start by opening a Dwolla banking account with no fees. You can use your real information—you aren’t doing anything illegal. In about three days, you will be given a fraud test and have to identify small transfers in your Dwolla and personal bank account. Once your account is confirmed, wire any amount from your personal bank to Dwolla from a lump sum or the estimated price of your purchase you have in mind. After you confirm the transfers, your legit money will now be stored in a new global bank with less restriction than US banks. Next you need to set up an account with the largest bitcoin exchanger, MtGox. Due to fraud concerns, MtGox will only allow transfers from banks like Dwolla. After your Dwolla transfer moves to MtGox, you can use the money to purchase Bitcoins on the open market for a small percentage-based fee. Once this sale is complete, your bitcoins are best stored in your own bank account that is residing digitally on your computer. The whole process can be completed in less than a week, and the $1,000 (about Rs 55,000) is now exchanged to 191 BTC. Now you are ready to go shopping on the black market.
Finding Markets
The conversion of dollars to Bitcoins was legal and relatively safe. Actually engaging in black market shopping, though, connects you to various kinds of illegal activities. This information can help security professionals understand how stolen identities and credit cards are used, how products are fenced or distributed illegally, and more. Clearly anyone engaging in black market activity wants to remain anonymous. So the next step in black market shopping is to download and open the Tor Bundle Pack. Tor protects your identity while online, but Tor includes other functions. Developed by the US Navy for secret communications and now used to circumvent blocked websites at offices across the country and to inspire Arab Springs, Tor has a darker cousin: Hidden Tor Servers. The same random spider-web routing of Internet traffic that hides an end user’s IP and location from any prying eyes can hide server locations too.
Hidden Tor Servers are now the norm for storing, accessing and hiding illicit activity such as child pornography. The level of protection provided by Tor makes law enforcement’s job tracking such activities next to impossible. (Interestingly, the hacktivist group Anonymous has recently brought attention to such evil servers by controlling them as DDoS servers against some of their targets, including law enforcement and government groups.) Hidden Tor Servers are likewise home to much black market activity. Where does one find “the black market”? What does it look like? Of course, Google search answers these questions easily. Using your Tor browser (which, yes, is much slower than a standard browser) search for “Tor Directories”. These websites offer a collection of Tor’s hidden Web pages for all kinds of storefronts. Here you will find websites similar to Yahoo’s early days, categorizing storefronts including drugs, weapons and other illegal goods and activities. If the directory (or store) is listed with a standard .com or .org domain, it will open in your standard browser; if it ends in .onion then it means it’s a hidden server only viewable on the Tor browser. One example is the Nobody@Zerodays website, which offers reviews and direct links to current Hidden Tor sites. In our scenario we are going to check out the Black Market Reloaded and look for the current price of some credit cards and tools. Using Tor you can quickly jump to the Black Market Reloaded website, register (no real information needed), and start shopping. As on Amazon, sellers show off their products with details, pictures and pricing, including feedback collected from past buyers. Say you are buying credit cards in bulk, one seller advertises: “All of our products are coming with full given Information. That means: All needed information like cardnumber, security code, expiration date, name, address, city, state, zipcode, country, phone, DOB, security question etcetera is given. All CCs are checked and have a minimum balance of $1000 (about Rs 55,000), and most of them are from an EU-country. We also have US-Cards, but it’s easier to cashout the money at ATMs (buy virtual money online/link the CC to PayPal) with European ones.” A ‘credit card reader/writer, HiCo/LoCo, all ISO complete’ is going for 76.6 BTC (or $366.63, about Rs 20,130). There are also a handful of unregistered handguns, including a brand new M9 Tactical handgun with an illegal silencer, unregistered of course, for 225 BTC or $1,076.87 (about Rs 59,180).
58% of Indian organizations say they have people dedicated to monitoring employee use of the Internet.
On Sale: Stolen Credit Cards
Criminals now have intricate pricing systems to sell other crooks bank information and botnets at bargain prices. Botnets for hire to launch your own spam campaign and stolen credit card information sold at the rock bottom price of $2 (about Rs 110) are just two of the commodities easily found on the cyber-crime black market today, according to a report released by Panda Security. The report, which was conducted by PandaLabs researchers who posed as cyber criminals, details a vast criminal network selling stolen bank account information in forums and dedicated online stores. “This is a rapidly growing industry and cyber-criminals are aiding and abetting each other’s efforts to steal personal information for financial profit,” Panda Security officials note in a release on the findings. “The cyber-crime black market, which has traditionally centered on distributing bank and credit card details stolen from users around the world, diversified its business model in 2010, and now sells a much broader range of hacked confidential information including bank credentials, log-ins, passwords, fake credit cards and more.” The report also delves into a detailed pricing system and the digital black market prices for various types of stolen information. However, PandaLabs discovered that while the information may be available, it can only be accessed by personally contacting the hackers who are promoting their information for sale on forums and in chat rooms. Once the information is in a criminal’s hands they can easily defraud any bank or credit card account long before the hack is discovered, the report claims. The data can be purchased for as little as $2 per card. But $2 will not provide the buyer with additional information or verification of the account balance available. “If the buyer wants a guarantee for the available credit line or bank balance, the price increases to $80 (about Rs 4,400) for smaller bank balances and upwards of $700 (about Rs 39,200) to access accounts with a guaranteed balance of $82,000 (about Rs 45 lakh),” said researchers. The report also details an intricate price structure for accounts with a history of online shopping or use of payment platforms such as PayPal. If stolen credit card numbers aren’t your thing, prices are also available for botnet rental to launch a spam campaign. The price range varies depending on the number of computers used and the frequency of the spam, or the rental period, the report reveals. Prices start at $15 and rise to $20 (about Rs 825 to Rs 1,100) for the rental of a SMTP server or VPN to guarantee anonymity. One can also hire cyber criminals to assist with the set up of a fake online store to use rogueware techniques for stealing user details and profiting off unsuspecting victims who pay for fake antivirus products. “There are also teams available to deliver turnkey projects, design, develop and publish the complete store, even positioning it in search engines,” the report states. “In this case, the price depends on the project.” — By Joan Goodchild
Anyone who executes these purchases via anonymous bitcoins will leave no trace of the transaction. All users can send data via Hidden Tor e-mail servers, or ship physical items like drugs and weapons with the postal service to prevent any searches without a warrant. When shipments come from within the US, the illegal goods are likely to arrive at the right mailbox without incident. For those who want an added layer of protection—say in the event that goods are being shipped from outside the US—many people in the “Services” section of this site will buy and/or receive items on your behalf using their own bitcoins and addresses, and then re-mail the goods to you, for a small fee. (Also, some users of these sites will offer to sell you bitcoins via Paypal so you can skip the two banking steps above and jump right into buying your goods; there is of course no guarantee that you will receive your bitcoins after giving up your cash.) Tor’s Hidden Servers provide a real insight to an underground world that once was limited to dark alleys, shady places, and dangerous criminals. Much like the Internet has expanded our e-commerce into a borderless global market, bitcoins and Tor have made shopping for illicit goods and services almost as easy as ordering an iTunes song on your computer. As a reminder, most of the purchases described here are illegal and dangerous. While it’s extremely difficult to identify the individuals involved without additional intel, law enforcement personnel and corporate investigators can use these processes to keep tabs on the flow of stolen, counterfeit, or diverted goods. If these transactions are being executed on your corporate network, that activity can expose your organization to legal and other risks. While network logs will not show the Tor websites, software audits for programs like Tor, network sniffing of actual traffic, computer monitoring and computer forensics can show employers who is using Tor sites and what they are doing.
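The closing paragraph's detection point (the .onion sites never appear in web logs, so the evidence has to come from network traffic and the endpoint) can be turned into a simple check over firewall and DNS logs. The following Python is an added example, not code from the article or from the Tor project; the relay table, log line formats and addresses are all constructed for illustration, and a real deployment would load the relay list from the Tor network consensus.

```python
"""Flag internal hosts whose traffic suggests Tor client use.

Added example (not code from the article or from the Tor project). A Tor
client never sends the .onion name over the corporate network, but it does
open connections to public relays, and software that is *not* routed over
Tor sometimes leaks .onion names to the DNS resolver. Both show up in edge
logs, so this script scores hosts on those two signals.

Assumptions (all constructed for this example):
  * KNOWN_RELAYS would in practice be loaded from the Tor consensus;
    here it holds documentation-range addresses.
  * Firewall and DNS log lines use a simple, made-up text format.
"""
import re
from collections import defaultdict

# Constructed relay table: (ip, port) pairs a Tor client would connect to.
KNOWN_RELAYS = {
    ("192.0.2.10", 9001),
    ("198.51.100.77", 443),   # relays often listen on 443 to blend in
    ("203.0.113.5", 9030),
}

# Tor's default ORPort (9001) and DirPort (9030). Weak on their own, since
# relay operators change them freely; used only for a low-confidence flag.
TOR_DEFAULT_PORTS = {9001, 9030}

FW_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>allow|deny) tcp "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
DNS_LINE = re.compile(r"^(?P<ts>\S+) dns (?P<src>[\d.]+) query (?P<name>\S+)$")


def classify_line(line):
    """Return (src_host, indicator, confidence), or None if the line is benign."""
    m = FW_LINE.match(line)
    if m:
        dst = (m["dst"], int(m["dport"]))
        if dst in KNOWN_RELAYS:
            return m["src"], f"connection to known Tor relay {dst[0]}:{dst[1]}", "high"
        if dst[1] in TOR_DEFAULT_PORTS:
            return m["src"], f"outbound to Tor default port {dst[1]}", "low"
        return None
    m = DNS_LINE.match(line)
    if m and m["name"].rstrip(".").lower().endswith(".onion"):
        # .onion names are resolved inside Tor, never via DNS (RFC 7686);
        # one reaching the resolver means some program on the host leaked it.
        return m["src"], f"DNS lookup for .onion name {m['name']}", "medium"
    return None


def tor_indicators(log_lines):
    """Group indicators per internal host: {host: [(indicator, confidence), ...]}."""
    hits = defaultdict(list)
    for line in log_lines:
        result = classify_line(line.strip())
        if result:
            host, indicator, confidence = result
            hits[host].append((indicator, confidence))
    return dict(hits)


def hosts_to_investigate(log_lines):
    """Hosts with one high-confidence hit, or two or more weaker ones."""
    flagged = []
    for host, items in tor_indicators(log_lines).items():
        confidences = [c for _, c in items]
        if "high" in confidences or len(items) >= 2:
            flagged.append(host)
    return sorted(flagged)


# Constructed sample logs: 10.0.0.23 reaches two relays and leaks a .onion
# lookup; 10.0.0.40 only talks to a web server on 443; 10.0.0.51 has a
# single weak port match, which is not enough on its own.
SAMPLE_LOGS = [
    "2012-08-15T10:01:22Z allow tcp 10.0.0.23:51234 -> 192.0.2.10:9001",
    "2012-08-15T10:01:25Z dns 10.0.0.23 query examplehiddenservice.onion",
    "2012-08-15T10:02:01Z allow tcp 10.0.0.40:49152 -> 198.51.100.20:443",
    "2012-08-15T10:03:11Z allow tcp 10.0.0.51:50001 -> 198.51.100.99:9030",
    "2012-08-15T10:04:40Z allow tcp 10.0.0.23:51240 -> 198.51.100.77:443",
]

if __name__ == "__main__":
    for host, items in tor_indicators(SAMPLE_LOGS).items():
        for indicator, confidence in items:
            print(f"{host}: {indicator} [{confidence}]")
    print("investigate:", hosts_to_investigate(SAMPLE_LOGS))
```

Relay matching is the signal worth acting on; the port heuristic only raises a host for a second look, which is why a lone 9030 connection from 10.0.0.51 is not flagged.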
Brandon Gregg is a corporate investigations manager.
CUSTOM SOLUTIONS GROUP WIPRO
EXECUTIVE VIEWPOINT
Making the Most of Managed Services
The current economic flux is forcing enterprises to look for cost-effective yet efficient ways to sustain growth. Managed services seem to be on top of the list for many CIOs.
KIRAN DESAI, VP & Business Head-Managed Services Business, GIS, Wipro Infotech
Desai has over 25 years of experience in the IT industry and has been with Wipro for the last 14 years. He has served in various departments ranging from sales, practice, and service delivery to heading a business unit. As head of Managed Services, Desai is responsible for India and the Middle East for Wipro Infotech.
How can enterprises get the maximum out of their existing IT infrastructure while leveraging it for business growth?
Enterprises can get the maximum out of their existing IT infrastructures if they leverage it for cost optimization, and improved employee productivity. This cannot be achieved in a single step, and companies must follow a multi-pronged approach to make this happen. Encouraging users to utilize communication tools instead of traveling for meetings, enabling remote access for critical users to support the business, allowing BYOD in a secure way to access enterprise applications, and using the available IT infrastructure effectively to meet business requirements are some simple, yet, effective steps in this direction.
Managed services are driven by compliance demands, not business needs. How can CIOs create a synergy between the two?
Managed security services and solutions are primarily offered to address business and technology risks. A synergy between the two can be achieved only if the security incidents and vulnerabilities are aligned to the technology and business services by the SOC team. Each and every security incident and vulnerability should be seen and handled in accordance with the business service impact by the SOC team. Currently, not many MSSPs are taking this approach, which is a key to making the business know that this service is critical for running a risk-free business.
How can managed services help CIOs overcome issues created by trends like BYOD, mobility, and social media?
Managed services partners who have adopted a BYOD strategy within their organizations, and helped other enterprises on successful implementations and management of the services can only help other organizations overcome BYOD issues and risks. There are various ways to ensure that the issues and risks are handled without compromising any of the features of users’ devices. Enterprises can expect the following deliverables from MSPs: BYOD device management, patch management, data encryption, device compliance management, behavior-based traffic analysis of BYOD communications, BYOD application management, BYOD communication wireless architecture, data loss prevention, and meeting compliance requirements.
How can IT infrastructure management help businesses be more agile and scalable in an uncertain economic environment?
Tools, technology, people, and processes are the pillars of IT infrastructure management. It is very crucial to select the IT infrastructure management partner, or have an in-house team which is very strong in these areas. The IT infra management team should work on automating some of the tasks to reduce business impact, and improve the productivity as per the business requirement apart from leveraging on OEM-provided tools and capabilities. By having the right skilled resources and the IT service management processes in place, all the IT infra management needs can be handled at either on-site or hybrid or remote delivery models as per the business requirement including the technology transformation and capacity planning.
Increasing efficiency through cost optimization has been the major objective of outsourcing IT infrastructure. Is this changing?
Yes, it is changing. Nowadays, IT infrastructure outsource partners are expected to have the business knowledge of the enterprises they cater to and help these enterprises achieve business goals. As IT is seen as a strategic partner for business, the outsource partner should be capable of helping the business to create differentiation in the market, ensure that the business and technology related vulnerabilities are handled proactively and brand image is protected. Overall, IT outsourcing is seen as a crucial step in growing the business and to improve revenue for organizations besides cost optimization.
This Interview is brought to you by IDG Custom Solutions Group in association with Wipro
EVENT REPORT
Ramping Up Backup Recovery
Conventional wisdom has it that storage isn’t on the CIO radar. That was proved wrong during a three-city roundtable series by EMC and CIO magazine as Indian IT leaders shared their backup and recovery challenges.
If you thought that the torrent of data zipping around enterprises was a challenge everyone faces, you’re right—and wrong. The truth is some people have it worse than others. During a three-city roundtable series titled, From Disaster to Recovery: What’s Driving Backup Modernization? held by EMC and CIO magazine, P.K. Gupta, director of Backup Recovery Systems and Chief Architect, EMC APJ, pointed out that the data deluge challenge was felt more severely by Indian enterprises. “Indian enterprises are handling vast amounts of data. The volume of data in Indian enterprises is growing at twice the pace of the other parts of the world,” he said. Vijay Doddavarami, GM-ITS(I), Texas Instruments (India), admits that data archiving has been a challenge over the last few years. “We are scrambling to find a meaningful, cost-effective, time-effective technique for data archival. In the case of our organization, archival is application-specific and unstructured archiving is a pain point,” he said.
For other CIOs, the challenge stems from the amount of change both in regulation and their own strategies. “As data grows our backup strategy should also evolve but in most business scenarios it doesn’t evolve fast enough. That’s where the problem lies. It’s a catch up game all the way,” said Sachin Jain, head-IT, Evalueserve. At candy maker Perfetti Van Melle, head of IT, Basant Chaturvedi, has a similar challenge. “All our mail applications are centralized. There is a retention policy for everything. But the technology we are using for retention is also changing,” he said. Rohan Deshpande, CTO, Ogilvy & Mather, revealed that in the advertising industry the volume of unstructured data is humongous. “Client data has to be backed up for future use. Finding out what has to be saved—and what not—is critical. Hence, search tagging of data becomes a critical factor,” he said. All of these challenges make this a good time for Indian CIOs to take a long hard look at their backup strategy. And EMC can help. By delivering a capability-rich, next generation backup and recovery platform that builds in unprecedented levels of performance, integration, and management, EMC frees customers from the complexities of protecting IT environments that are changing and expanding. This gives customers flexibility and choice in how they attack their most pressing data protection challenges. “With organizations spending 10-15 percent of their IT budgets on backup recovery, there is a need to revamp and modernize the entire backup infrastructure,” said EMC’s Gupta.
This event report is brought to you by IDG Custom Solutions Group in association with EMC
CIO100 CURTAIN RAISER 2012 | CIO CONVERSATIONS
HYDERABAD MARRIOTT | 6-7 SEPTEMBER, 2012
CELEBRATING EXCELLENCE & THOUGHT LEADERSHIP
CIO100 | KEYNOTE SPEAKERS
JONAR NADER
Jonar Nader is an accomplished author of a range of technical and management books, along with publications about leadership, relationships and career development, from Australia. Jonar is also a lecturer, broadcaster, journalist and a novelist.
Why do organizations find the innovation journey so difficult?
Innovation cannot flourish if we just gather around and think hard. Don’t bother with earth-shattering innovations, because our management system is not geared to embrace big ideas. If we try to outwit our system, it will over-power us. Having the desire to innovate is not good enough, because the urgencies and emergencies of our daily workload will distract us and force us to obey the system we have created. The answer lies in the realisation that innovation is NOT about the big steps. Rather, it lies in the small daily steps— the very small elements and culture that create the environment that governs our actions.
How can innovation be embedded into an organization’s culture?
The best way to innovate is to start by asking each stake-holder to complete the phrase, ‘It would be great if...’. And allow them to tell us what they would like to see from us. This approach to innovation starts with real questions in mind. By knowing what the challenge is, we are more likely to find innovative solutions. Innovation is best achieved by starting with a problem or an obstacle, which could be highlighted by one of the stakeholders. In this way, we are seeking solutions to small problems. The small building-blocks ultimately shape how we handle daily obstacles.
PAUL DUNN
Paul Dunn is at the forefront of management and marketing action on a global basis. He helps create successful businesses around the world and is passionate about giving back to Social Causes. In a heartbeat, audiences get why he is known around the world as ‘the Wizard of WOW’. He always moves his audience to new levels of understanding and action.
What are some of the key highlights of your session at CIO100?
The main focus of my session will be on the fact that: Simple ideas simply expressed are easier to understand, ideas that are easier to understand are repeated & ideas that are repeated change the world.
You profess that there is a ‘brand new way’ of doing business – what is it?
The brand new way of doing business is to understand that when it comes to excellence, it’s definitely not “what gets rewarded gets done”; it’s “what is rewarding gets done.”
How will your session benefit CIOs in this competitive environment?
CIOs are completing more projects in far less time — in fact, the number of projects have tripled and yet the time window has shrunk to perhaps something like “it has to be done now” or, at best, “it has to be done inside the next 2 quarters”. In this session CIOs will learn how to respond to that dramatic increase in speed and yet remain sane doing it!
JIM HARRIS
Jim lends his services as a business speaker to over 40 conferences worldwide annually, speaking on a wide variety of topics. He’s advised CEOs and executives from a vast range of industries, and his consulting processes have resulted in proven bottom-line benefit. Association Magazine has ranked him as one of the top ten business speakers in North America, while Soundview Executive Summaries selected his book ‘Blindsided’ as one of the best business books of the year.
“The role of CIO is not so much about technology but how technology can be used strategically for competitive, business advantage”
How can organizations keep their eyes peeled for the next big innovation?
An 18 year old decimated the profitability of a $40 billion/year industry: Shawn Fanning with the release of Napster changed music distribution forever. And why was it Apple, not any of the major record labels, that created the new business model in the age of digital music downloads? My book, ‘Blindsided’ asks the questions: why are organizations and whole industries blindsided? What are the laws that guarantee this phenomenon will not only continue but accelerate? How can you identify early warning signs of when you are about to be blindsided? Innovation is the key to thriving in the 21st century. More than 80% of CEOs know that innovation is key to their success but only 30% feel they are succeeding in their innovation efforts.
How do you think CIOs can build consensus within their organizations as they cope with the tumultuous market situation?
Pareto’s 80/20 rule applies to most areas of life: on a personal level CIOs – and all corporate executives for that matter – need to be asking themselves: “What one activity if I were to consistently perform would make more difference to my career than anything else?” CIOs need to ask themselves: “What are the highest leverage activities that I can engage in?” It could be meeting with clients, prospects, strategic planning with the IT team, strategic planning with fellow executives or mentoring key individuals on your IT team. Whatever it is, where will the time come from to invest in these activities? The answer is by dropping, delegating the lowest leverage activities that you are engaged in.
How will your session help CIOs?
CIOs that understand laws that are relentlessly driving change in the corporate world can align their organizations with them, to take advantage of the shifts, rather than being crushed by them. Blindsided will give session participants tools and strategies to drive innovation.
CIO100 | CIO CONVERSATIONS
Is an OPEX approach viable?
Given the current economic climate, an increasing number of enterprises are trending toward outsourcing and managed services. According to the CIO Mid Year Review Study, this trend seems fueled by multiple factors—mid-tier attrition and skillset gaps; the need for faster rollouts; the requirement to build in more agility and flexibility in delivering IT services and the need to increase efficiencies and bring in more variable costs into how business processes are enabled. Are organizations really comfortable with switching to a more OPEX and services model? What are CIOs doing to understand the economics of sourcing, and what skills need to be upgraded?
Why has Canon aligned with CIO100?
This platform shares the best practices in technology and newer IT services to drive higher cost-efficiencies and organizational effectiveness. Canon strongly believes that for organizations to achieve IT excellence, integration of Canon Managed Document Services with the current IT infrastructure is an important step and what better avenue to deliberate this than CIO100.
How is Canon positioned to assist CIOs in migrating towards an Opex model?
Owing to the current economic climate, an increasing number of enterprises are trending toward converting the CAPEX to Opex. Besides, Operational Excellence is a systematic approach that is being used to drive an organization towards world-class execution. At Canon, we are witnessing significant traction in the OPEX model, and an impressive percentage of our business is moving towards the OPEX requirement model. The basic proposition that is contained in the ‘managed document services’ concept is that fragmented printing without any framework of architecture, control and close monitoring, adds to chaos in printing and document management in large organizations. Furthermore, multiple vendors are highly counterproductive. Canon India’s Managed Document Services (MDS) help companies eliminate this unstructured approach and gain high cost-reductions as high as 30%, with other benefits like security, audit trail, convenience, low wastage and environmental care. 65 large enterprises have signed up for Canon’s managed document services by outsourcing their entire fleet management with print architecture planning and execution to Canon and are benefiting on costs reductions. Many of these organisations attend CIO100 and through this platform, the successful case studies reach out to a large number of CIOs in the country so that they understand the importance and benefits of managed services.
ALOK BHARADWAJ, Senior Vice President, Canon India
PRESENTS
A CIO CONVERSATION ON
SUSTAINABLE IT
Join Schneider’s Datacenter Specialist, David Blumanis - Advisor & Expert-Datacenter Solutions, APJ Level, as he discusses sustainable and efficient energy strategies with practicing CIOs across industries. Hear them deliberate the practical challenges in energy management in India, the cost trade-offs and the justification, especially in today’s economic environment in a focused panel discussion.
Come join the conversation: www.cio100.in
CIO100|CIO CONVERSATIONS
Making the cloud rain business: what will it take?
Our State of Cloud Computing Survey reveals that IT is in a state of disruption, caused by the rise of cloud computing and the pressures that come with economic uncertainty. As per the CIO Mid Year Review Study, most organizations have been rapidly moving toward private cloud environments in the recent past. As with any transition, maintaining the current while moving ahead is going to be the order of the day. This session will answer queries on the materialization of cloud computing, adding in agility while cutting costs, mapping business priorities to a cloud-based service model, organizations' handling of the current gaps in governance and security, and charting the roadmap to the cloud and the post-cloud future.

Why has VMware aligned with CIO100?
CIO100 recognizes excellence and innovation and, as a company that closely identifies with these values, we are proud to partner with IDG to honor the best in Indian IT. CIO100 is a great opportunity for vendors like us to engage with our customers through meaningful conversations.

How is VMware best positioned to assist CIOs migrating to the cloud?
At VMware, we do not believe in a "one-cloud-fits-all" approach. The cloud needs to be designed for the specific needs of each organization – the "Your Cloud". It should be uniquely aligned to each organization's business and its approach to IT, and be able to leverage existing investments in IT resources. Given our experience with cloud computing we are uniquely positioned to help organizations with our offerings. Many organizations debate on whether to adopt a private or a public cloud. We believe that a hybrid cloud is the way ahead as it would help them address some of their concerns on security and availability, while letting them take advantage of the best of both the private and public cloud models. The cloud should be flexible enough to securely use both on and off premise resources - and the move should be incremental.

T SRINIVASAN
Managing Director, VMware India & SAARC

The entire journey to cloud consists of 3 layers, which VMware addresses as the 3-layer strategy. We widely use this particular strategy to build greater understanding among the masses about cloud computing and what VMware offers in these three layers. The first layer is the infrastructure, where virtualization forms the basis of the cloud infrastructure. Virtualization provides the organization the ability to create a pool of IT resources that can be provisioned dynamically. The next layer is the application layer, wherein the organization can develop and deploy applications designed to suit its requirement that can work seamlessly on the virtual infrastructure. The final layer is the end-user computing layer. At each of these individual layers, we work with different partners who offer VMware solutions to help customers on their journey to the cloud.
A CIO Conversation on Delivering the Future of Work
Join Sukumar Rajagopal, CIO & Head of Innovation, Cognizant, in a panel discussion with other CIOs to discover how embracing the 'Future of Work' can help them drive organizations forward. CIOs will also be able to understand how to take advantage of Social, Mobile, Analytics and Cloud Computing to enable real-time collaboration within organizations.
Come join the conversation: www.cio100.in
CIO100|INFORMATION MASTERMIND AWARDS
Exceptional information management by exceptional organizations
CIO, in association with EMC, is honored to announce the 7th edition of the Information Mastermind Awards to recognize those businesses that handle rising storage challenges exceptionally. The Information Mastermind Special Awards are designed to reward the five enterprises that have blazed new trails in taking information and transforming its bits and bytes into usable, actionable insights. Honorees in this special awards category drove business growth by reducing customer churn and speeding up go-to-market by providing a 360-degree view of enterprise data; eased recovery by improving data availability; scaled up both storage performance and capacity; put in place on-demand analytics; harmonized business processes across a group to improve responsiveness; blueprinted an enterprise-wide warehouse that integrated multiple transactional and operational data sources; and created a foolproof method of digital content transfer that created new business opportunities.
RAJESH JANEY President - India & SAARC, EMC
Fostering Role Models in Information Management
EMC's continued support of the Information Mastermind Awards since their inception is deep rooted in our endeavor to honor CIOs, the information masterminds, who are role models. EMC is proud to be associated with an award that recognizes champion CIOs who are setting new benchmarks in the industry through innovative information infrastructure deployments to transform their IT operations. Furthermore, EMC assists CIOs with their storage challenges by offering the industry's most comprehensive, market-leading information infrastructure portfolio that helps customers drive down costs while implementing more agile IT environments. In fact, in May 2012, EMC introduced its largest-ever wave of new transformative products and technologies, 42 in total. Our transformative portfolio allows customers to invest more resources in advancing their business, versus keeping the lights on, enabling IT to become more responsive to business needs.
CIO100|INNOVATION ARCHITECT AWARDS
Breakthrough innovations by forward-looking enterprises
CIO, in association with Wipro, is proud to present the Innovation Architect Awards. Instituted to honor pathbreaking innovations in IT implementation, the awards are now in their 5th year. The Innovation Architect Special Awards identify the five organizations that have leveraged IT supremely to beat the competition and shaken up the way their industries operate. Winners in this category have all believed in experimenting, in questioning the status quo, and in often applying technology not as it might have been intended. How else would you describe a tractor that automatically summons a mechanic before a part fails? Or, taking training to an entirely different level till a talent pool emerged across 19 countries? Or, cooking up a mini-ERP in-house to allow a greenfield division to hit the ground running, while concurrently rolling out the main ERP app? Or, using RFID to shrink the cost of cattle insurance? Or, building a reverse auction mechanism to beat a truckers' cartel? Or, even convincing a competitor to do business worth over Rs 35,000 crore from a single, linked platform?
ANAND SANKARAN
SVP & Business Head - India, Middle East & Global Business Head - Infrastructure & Services, Wipro

Innovation Is At The Core Of Our DNA
At Wipro, we believe that innovation is the quintessential ingredient to successfully differentiate and outperform the competition, and it is at the core of our DNA - a discipline to be mastered and managed. We revere CIOs and organizations that have successfully mastered the art of innovation. We are proud to be associated with the Innovation Architect Awards as, over time, they have emerged as the most coveted recognition for organizations that have created significant value by leveraging the tenets of imagination, technology, and discipline, effectively.

Additionally, Wipro assists CIOs in their innovative endeavors through cutting-edge technologies such as mobility, web-sciences and nanotechnology that help organizations reduce their consumption of, and dependence on, constrained 'resources'. Our passion to maximize IT's potential for clients has led to an increased focus on new models of technology and business variabilization, which enables CIOs to differentiate their IT investments.
CIO100|INFRASTRUCTURE AWARDS
Extraordinary framework implementations by extraordinary organizations
CIO, in collaboration with Tulip, is pleased to present the 6th edition of the Infrastructure Awards that felicitate extraordinary framework implementations that have revolutionized IT. The Infrastructure Special Awards seek to put the spotlight on those five organizations that have taken the building blocks, the nuts and bolts of IT within an enterprise, and deployed them to great effect and impact, to increase flexibility and productivity, and taken their organizations to new heights. The past winners of this special award have taken app consolidation and integration to new levels; re-architected IT's very foundations for speed and scale; ensured bullet-proof business responsiveness; made operations more cost-effective; taken collaboration to new levels; broken down silos; transformed app delivery; improved IT manageability for higher profit; built agile and efficient platforms for collaboration; and pitchforked mobility to new levels of enterprise use.
DEEPINDER SINGH BEDI Executive Director, Tulip Telecom Ltd.
A Solid Foundation For Success
Tulip provides infrastructure that enables mission-critical applications for most midsize and large companies across India. It is India's largest MPLS VPN provider, as per Frost & Sullivan, with a network that reaches over 2000 cities across India. With over 20,000 km of fiber across India, Tulip is the largest Indian owner of last-mile infrastructure and also India's largest datacenter provider, with over 1 million sq ft of datacenter space across India. This includes Tulip Data City in Bangalore, which is the world's third largest datacenter and has set new benchmarks globally with regard to datacenter build quality and power efficiency. Tulip partners with 80 percent of India's top 500 companies to smoothly run their business infrastructure. Realising the importance of quality and efficient IT infrastructure, CIO100 Infrastructure Awards provide us with the right platform to identify and felicitate IT implementations which are aimed at maximizing returns from their IT infrastructure.
CIO100|GREEN CRUSADER AWARDS
Saving the earth, one IT project at a time
CIO, in collaboration with Schneider Electric, takes pleasure in announcing the 5th edition of the Green Crusader Awards that will reward successful green implementations that have rendered IT sustainable and eco-friendly. The Green Crusader Special Awards honor the five finest Indian enterprises that have implemented smart, efficient strategies to achieve "green, sustainable IT": strategies that benefit the environment while adding to an organization's business value. Honorees in this special awards category have taken varied paths towards sustainable computing and reducing carbon footprint: from revamping IT purchase and disposal policies, creating intelligent energy management systems to reduce power and cooling costs for IT, installing energy-efficient devices, and cutting datacenter energy use through virtualization, to greening business operations through automation and analytics to slash fuel use, helping reduce corporate travel bills, promoting paperless offices, and even seeking out alternate sources of energy to fuel IT growth.

SHRINIVAS CHEBBI
CGM & President - India & SAARC, APC by Schneider Electric

Sustainable IT For A Greener Tomorrow
The world's energy consumption has risen by 45% since 1980, and it is projected to be 70% higher by 2030! At the heart of Schneider's strategy is a simple and powerful idea: using natural resources much more productively and efficiently such that it is both profitable and better for the environment. There are many CIOs who subscribe to this philosophy and with the CIO100 Green Crusader Award, Schneider aims to recognize and highlight the Green initiatives of these CIOs.

Also, IT is at the heart of every successful, modern business and yet it has had significant, unintended side-effects. The awareness of these side-effects, though somewhat belated, has led some successful companies to turn to a sustainable practice known as "IT greening" that is all about using IT more efficiently to achieve reductions in energy consumption, and turning towards energy-efficient IT solutions. Schneider Electric provides goals and direction to improve the energy efficiency and sustainability of datacenters, thus enabling a greener IT.
CIO100|SECURITY SUPREMO AWARDS
Impregnable security implementations by futuristic organizations
CIO, in association with Websense, is proud to acknowledge impregnable security implementations with its 5th edition of the Security Supremo Awards at CIO100 2012. The Security Supremo Special Awards acknowledge the five outstanding Indian enterprises that have best addressed the enterprise IT security, risk, governance and compliance landscape to keep business value high. Rolled out an app security testing framework across 550 applications? Developed a holistic model to ensure better operational threat visibility? Envisaged a data confidentiality strategy to minimize data loss? Effectively protected sensitive customer information? Created a multi-layered security architecture that keeps enterprise content highly available? Fostered a robust process for staying in sync with the fast-changing regulatory environment? All the past winners of this special award category have done all this and more.
JOHN McCORMACK
President, Websense

Raising the Bar on Enterprise Security
Websense is constantly raising the bar on security defenses and constantly proving its effectiveness against the toughest security threats. This is in line with what CIOs are doing to enable their networks and people, by constantly innovating and protecting themselves from advanced threats and preventing data thefts and loss. With the Security Supremo Special Awards at CIO100, Websense extends its commitment to support CIOs who go that extra mile to secure their business environment.

Websense allows businesses to take advantage of the transformative technologies, mobility, cloud and social computing, that are redefining the nature of work and the definition of the network, as well as exposing the weaknesses of the traditional legacy security systems that organizations have in place today. This is creating a vulnerability, and organisations must find ways to counter it. Thus, Websense helps organisations keep their data safe from threats.
CIO100|NETWORKING PIONEER AWARDS
Pioneering networking initiatives by forward-looking organizations
CIO, in collaboration with Juniper, is pleased to announce the 2nd edition of the Networking Pioneer Awards to appreciate pioneering networking initiatives that have changed the face of IT. The Networking Pioneer Special Awards honor those five organizations that have created the impeccable underlying connections and frameworks to keep enterprise data flowing while addressing issues of growth, scale, and cost-optimization. Made users happy by diminishing the impact of application latency? Built an efficient collaboration architecture spanning group companies? Used mobility to push information down to, and back from, your sales force? Empowered your sales team to visually collaborate on the move? Improved efficiency across the extended enterprise to deliver higher sales and an enhanced customer experience? Used cloud computing to help dealers maintain lean inventory levels? Built a redundant, self-healing platform across 42 countries? These are just a few of the initiatives championed by former winners in this special award category.
RAVI CHAUHAN Managing Director, Juniper Networks
Leading the Charge to Architect the New Network
Networks are becoming more relevant in the world we live in today, and at Juniper Networks we believe the network can create a connected planet that unleashes a great wealth of possibility, innovation, and discovery that cannot be measured. With the Networking Pioneer Awards, Juniper aims to recognize the exceptional work done by CIOs in India to create the network of the future. Juniper is also leading the charge to architect the new network. At the heart of the new network is our promise to transform the economics and experience of networking. We offer a high-performance network infrastructure. We are innovating in ways that empower our customers and partners. As a pure-play, high-performance networking company, we offer a broad product portfolio that spans routing, switching, security, application acceleration, identity policy and control, and management, designed to provide unmatched performance and true flexibility while reducing overall total cost of ownership.
CIO100|EFFICIENT ENTERPRISE AWARDS
Efficient technology practices by efficient enterprises
CIO, in association with Dell, is privileged to honor those businesses that have surpassed their IT goals using simple but efficient technology practices, with the 2nd edition of the Efficient Enterprise Awards. The Efficient Enterprise Special Awards aim to recognize the five prominent Indian organizations that have demonstrated a seriousness to switch budgets from mere 'lights on' to innovation by significantly transforming IT operations to keep them lean and competitive. We're looking to spot organizations that have taken initiatives to manage TCO while driving innovation; that have leveraged the efficiencies of business process automation, cloud computing, virtualization, mobility and outsourcing, while securing future business growth. Last year, for instance, the winners in this special award category aggressively deployed virtualization in the datacenter and beyond; built private clouds; improved scalability; drastically pruned software licensing; and increased business agility, while reducing operational costs significantly.
SAMEER GARDE
President and MD, Dell India

Efficiency is the Name of the Game in Today's Business Environment
The need to control costs, operate with less money and respond quickly to the needs of the business is necessary to remain competitive in today's global market. Yet, most organizations spend most of their resources on operations and legacy system management. Efficiency is the name of the game in situations like these. Dell has been helping organizations do more with less. We have partnered with the Efficient Enterprise Special Awards at CIO100 because it fits in with our agenda perfectly.

Furthermore, Dell offers open, capable and affordable solutions to help users gain the IT agility that they need. Dell's enterprise solutions approach, with industry-leading servers and the world's longest-shipping and most advanced virtual provisioning and tiering storage solutions, puts us in a unique position to provide an integrated, end-to-end solution for our customers. We believe our approach has addressed the limitations that the industry is recognizing.
CIO100|HALL OF FAME AWARDS
Relentless pursuit of excellence
HP is proud to announce the 4th edition of the CIO Hall of Fame awards, instituted to felicitate those enterprises that have won the CIO100 Awards four times in recent years while being with the same organization. The Hall of Fame identifies those forward-looking organizations that have raised the bar by setting exceptionally high IT standards consistently, year after year, in the recent past.

The CIO Hall of Fame honors those men and women whose work has profoundly shaped the Indian technology-enabled business landscape, demonstrating both creative vision and practical leadership in information technology. All honorees have had significant accomplishments in the innovative use of IT while consistently demonstrating business impact.

Each CIO Hall of Fame honoree has won the CIO100 Award four times, being associated with the same organization on each occasion—a feat only a few mavericks can boast of.

NEELAM DHAWAN
Managing Director, HP India

Average is No Good. Play to Win
Excellence and consistency are what the Hall of Fame is all about. At HP we live by the code: 'to be average in the marketplace is not good enough, we play to win'. And we have managed to hold on to our market leadership position by delivering products, services and solutions of the highest quality for decades. With the CIO100 Hall of Fame, HP recognizes those CIOs who have withstood the test of time and made significant contributions to their organizations year after year.

CIOs constantly face challenges in ensuring that the IT infrastructure in their organizations is energy efficient, secure, robust, and scalable. HP has done pioneering work in areas like green IT, carbon footprint, hybrid cloud computing delivery models, security, and big data analytics, among other areas. Today, HP's major product lines include personal computing devices, enterprise and industry-standard servers, storage devices, networking products, software, and a diverse range of printers and other imaging products.
ESSENTIAL technology
VOL/7 | ISSUE/10
The New Perimeter
BY ELISABETH HORWITT
A CLOSER LOOK AT RISK MANAGEMENT
CIOs are mixing an assortment of technologies, approaches, and policies to shore up defenses on the changing corporate boundary.

SECURITY | Back in 2008, guarding Motorola's perimeter was a lot simpler than it is today, recalls Paul Carugati, the company's information security architect. But with the rapid growth of Web 2.0 applications, e-commerce environments and cloud services, he adds, "in 2010, that wasn't so true; in 2011, it wasn't true at all." Management was continually questioning Carugati about the risk exposure related to a critical service or a social media environment, and the possibility of infiltration of the company's data through social media. To address the issue, Motorola's security department added a next-generation firewall (NGFW) to its perimeter defense mix. In addition to traditional Layer 3 and Layer 4 firewall filtering on IP addresses, protocols and ports, the platform can track outgoing and incoming traffic at the application level. This has brought huge gains in visibility, control and enforcement, Carugati reports. That visibility enables the security team to enforce far more granular security policies at the application level, rather than at the network protocol and port levels. Furthermore, management can now draw a far more accurate picture of the company's social network presence and interactions, for risk assessment and compliance with regulations, Carugati says.

NGFWs are just one way in which companies are revamping their defenses in response to new threat vectors that have grown out of businesses' growing use of and dependency on Web apps, social media, cloud computing, virtualization, wireless networks and mobile devices. These technologies continue to change the fundamental nature of business computing and communications. As a result, the corporate boundary has become increasingly porous and difficult to define—some would even contend that it's nonexistent—rendering traditional notions of "protecting the perimeter" obsolete. Not that companies like Motorola have jettisoned traditional defenses. Rather, they have started looking at perimeter defense in a more multi-leveled, multi-layered way.
18% of Indian CIOs say business has increased focus on security in the last six months. Source: CIO Mid Year Review Survey 2012

Multi-layered Defense
Industry experts advise CSOs to take a defense-in-depth approach that deploys multiple layers of security, so that malware and other threats that slip by the first line of defense get caught by the second or third. That means going well beyond traditional perimeter defenses—namely, network firewalls—which monitor and control traffic on the basis of source and destination IP addresses, network protocols, and port numbers. That leaves them incapable of defending against the 60 to 70 percent of attacks that now occur at the application level, according to Jon Oltsik, senior principal analyst at Enterprise Strategy Group. Smart CSOs are bolstering this first line of defense with technologies such as NGFWs and web application firewalls (WAFs), which can perform deep-packet inspection and identify known attack signatures and abnormal behavior. NGFWs typically monitor inbound and outbound enterprise traffic, identifying malware that may be riding on top of a trusted link, as well as app-level end-user activities that are inappropriate, risky, or prohibited. WAFs specifically monitor traffic between web clients and servers. Polk, a leading provider of data and marketing services for the auto industry, has supplemented its traditional firewall with a WAF. This WAF protects web servers from common app-level attacks such as SQL injection, says Ethan Steiger, the company's CSO. This has saved the company from the expense of redeveloping a number of Web apps with known code-related vulnerabilities.

NGFWs and WAFs can also help with one of the biggest headaches for CSOs: the threat of hackers using social engineering and other techniques to exploit trusted sources such as employees, partners and customers who have access rights to sensitive portions of the corporate network. The growing use of mobile devices and the social Web for business purposes has greatly exacerbated this problem, industry experts agree. Once a hacker gains access to an employee's client device, "all of a sudden you've got malware or a bot trying to communicate via an established connection, back out through your perimeter" to the hacker's control center, says Andrew McCullough, manager of information security for hotel chain operator Accor North America. Accor's security team deployed an NGFW five years ago, when application-level attacks first started showing up, McCullough says. While such attacks were infrequent back then, their number "has gone through the roof" in the past year or two, he says.

An NGFW's ability to enforce security policies on a granular level is critical, given business users' growing dependence on the Web, and social networking in particular, Oltsik says. Rather than deny, say, the marketing group all access to Facebook, companies can use an NGFW to limit access to those apps that business users consider to be critical to their jobs, Oltsik says. "That's a perfect intersection of supporting and protecting business."
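Polk's WAF story is worth seeing in code, because it shows exactly what a port-and-address firewall cannot see and what a WAF can and cannot do about it. The following is an added example, not code from the article or from Polk: a login lookup built by string concatenation the way many legacy web apps were, the parameterised version that actually fixes it, and a deliberately small WAF-style signature filter of the kind an application-aware device matches requests against. The users table, the attacker inputs and the signature list are constructed for the demo; it runs on Python's bundled sqlite3. The last case is the caveat a practitioner wants: a payload the signatures miss still returns every row from the unfixed query, which is why the WAF is a compensating control that buys time for the rewrite rather than a substitute for it.

```python
"""An application-level attack a port-and-address firewall cannot see.

Added example, not code from the article or from Polk. lookup_vulnerable
is the kind of legacy code a WAF is bought to protect; lookup_safe is the
actual fix; waf_blocks is a deliberately small, WAF-style signature
filter. The users table, the attacker inputs and the signatures are
constructed for this demo; it runs on Python's bundled sqlite3.
"""
import re
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cr3t"), ("bob", "hunter2"), ("carol", "letmein")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Deliberately vulnerable: the input is spliced into the SQL text,
    so a quote in `name` changes the query's structure, not just its data."""
    sql = f"SELECT name, secret FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The real fix: a bound parameter is always data, never SQL syntax."""
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


# WAF-style signatures, matched against the request parameter before it
# reaches the web server. A real product ships thousands of these and
# still has gaps; they are a compensating control, not a code fix.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+['\d]", re.IGNORECASE),   # x' OR '1'='1
    re.compile(r"--|#|/\*"),                               # comment out the tail
    re.compile(r";\s*(drop|delete|update|insert)\b", re.IGNORECASE),
    re.compile(r"\bunion\b.+\bselect\b", re.IGNORECASE),
]


def waf_blocks(value):
    """True when the parameter matches a known injection signature."""
    return any(p.search(value) for p in SQLI_PATTERNS)


def demo():
    """Run the inputs through all three controls; returns counts and verdicts."""
    conn = make_db()
    classic = "x' OR '1'='1"           # constructed, textbook payload
    evasive = "x' OR name LIKE '%"     # constructed, slips past the signatures
    return {
        "legit_rows": len(lookup_vulnerable(conn, "alice")),
        "classic_rows_vulnerable": len(lookup_vulnerable(conn, classic)),
        "classic_rows_safe": len(lookup_safe(conn, classic)),
        "classic_blocked_by_waf": waf_blocks(classic),
        "evasive_rows_vulnerable": len(lookup_vulnerable(conn, evasive)),
        "evasive_rows_safe": len(lookup_safe(conn, evasive)),
        "evasive_blocked_by_waf": waf_blocks(evasive),
        "legit_blocked_by_waf": waf_blocks("O'Brien"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The classic payload is stopped twice over (the WAF flags it and the parameterised query returns nothing), while the evasive one is stopped only by the parameterised query: the signature list protects the unfixed app from the attacks it knows about, and nothing else.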
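McCullough's "bot trying to communicate via an established connection, back out through your perimeter" is the case where the allow rule is correct and the traffic is still hostile, so it has to be caught by behaviour rather than by policy. The following is an added example, not code from the article or from Accor: it parses constructed outbound-connection log lines (the five-field format is assumed, not any vendor's) and flags source/destination pairs whose connections recur on a near-fixed timer, the beaconing pattern of most command-and-control clients. Every log line is constructed for the demo.

```python
"""Catching a compromised client that calls home through the perimeter.

Added example, not code from the article. Outbound connections are logged
one per line; a bot polling its controller on a timer produces intervals
to one external host that are far more regular than a person's browsing.
The log format (timestamp src dst dport action) and every line below are
constructed for this demo.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. 10.1.4.22 reaches 203.0.113.9:443 every ~300 s
# while also browsing 198.51.100.5 at human, irregular intervals.
SAMPLE_LOG = """\
2012-08-13T09:00:00 10.1.4.22 203.0.113.9 443 ALLOW
2012-08-13T09:00:07 10.1.4.22 198.51.100.5 80 ALLOW
2012-08-13T09:00:31 10.1.4.22 198.51.100.5 80 ALLOW
2012-08-13T09:01:00 10.1.4.40 198.51.100.77 443 ALLOW
2012-08-13T09:01:03 10.1.4.40 198.51.100.77 443 ALLOW
2012-08-13T09:03:40 10.1.4.22 198.51.100.5 80 ALLOW
2012-08-13T09:04:20 10.1.4.22 198.51.100.5 80 ALLOW
2012-08-13T09:05:01 10.1.4.22 203.0.113.9 443 ALLOW
2012-08-13T09:09:59 10.1.4.22 203.0.113.9 443 ALLOW
2012-08-13T09:12:05 10.1.4.22 198.51.100.5 80 ALLOW
2012-08-13T09:12:06 10.1.4.22 198.51.100.5 80 ALLOW
2012-08-13T09:15:00 10.1.4.22 203.0.113.9 443 ALLOW
2012-08-13T09:20:02 10.1.4.22 203.0.113.9 443 ALLOW
2012-08-13T09:24:58 10.1.4.22 203.0.113.9 443 ALLOW
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+) (?P<action>\w+)$"
)


def parse_log(text):
    """Group connection timestamps (epoch seconds) by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed input should not abort the sweep
        stamp = datetime.fromisoformat(m["ts"]).timestamp()
        flows[(m["src"], m["dst"], int(m["dport"]))].append(stamp)
    return flows


def regularity(timestamps):
    """Mean gap between connections and its coefficient of variation.

    A low coefficient of variation means the gaps are nearly equal, which
    is what a timer produces and a human does not.
    """
    ordered = sorted(timestamps)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    period = mean(gaps)
    if period <= 0:
        return period, float("inf")
    return period, pstdev(gaps) / period


def find_beacons(text, min_connections=5, max_cv=0.1):
    """Return (flow, period_seconds, cv) for flows that look timer-driven.

    min_connections keeps a couple of coincidentally spaced hits from
    raising an alert; max_cv is the tolerated jitter (10% here).
    """
    hits = []
    for flow, stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        period, cv = regularity(stamps)
        if cv <= max_cv:
            hits.append((flow, round(period), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for flow, period, cv in find_beacons(SAMPLE_LOG):
        print(f"beacon candidate {flow}: every ~{period}s (cv={cv})")
```

Real malware adds random jitter to its timer, so in production the tolerance is looser, the window is hours rather than minutes, and the score is combined with what an NGFW already knows about the flow, such as traffic on 443 that is not TLS, or a destination that no other host in the company has ever contacted. The minimum-connection threshold matters: lowering it to two in the test below makes the harmless 10.1.4.40 pair, with its single three-second gap, look perfectly periodic.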
Single or Multiple Vendors?
Most leading NGFW vendors combine traditional stateful firewall capabilities with a range of other functions, such as application-aware traffic monitoring, intrusion prevention and data loss prevention. These multi-functional security gateways are considered either synonymous with or a subset of unified threat management (UTM), depending on whom you ask. The basic concept is the same: Instead of purchasing, deploying and managing various perimeter defense mechanisms on separate appliances, a company can deploy a multi-layered security strategy on a single hardware platform. However, holding some CSOs back from taking the plunge is the cost of writing off legacy perimeter security devices. "Our infrastructure is incredibly expensive; it doesn't make business sense to replace it wholesale," says McCullough. Rather, his team is taking it slow, testing devices and planning to replace one existing set of firewalls with a more advanced product over the next year. Going with one vendor's all-in-one solution often means sacrificing functionality for cost savings, McCullough adds. "You don't get the best in class, in my opinion," he says. Furthermore, once the device starts looking into the actual content of packets, "you need a beefier box," says Eric Maiwald, a research vice president at Gartner. "Add anti-malware and attack signatures, then DLP, and you need even more power." That's why UTM devices work best in locations where throughput requirements are lower, such as small companies and branch offices, he adds. Consequently, Accor is likely to remain a multi-vendor shop for the foreseeable future, according to McCullough. "We never want to get to the point of using a single perimeter security device; we want a mesh of products." While this means complexity, and potentially more administrative headaches, the benefits include increased assurance and risk reduction. "A hacker that bypasses firewall vendor A gets stopped by vendor B," he says.

BYOD Shakes Up the Cloud
BYOD | The dangers of using consumer cloud storage systems became clearer earlier this month when a hacker claimed that he accessed US presidential candidate Mitt Romney's Dropbox storage and e-mail accounts using an easily cracked password. The apparent hack of Romney's accounts came on the heels of IBM's rollout of a bring-your-own-device (BYOD) policy that bans the use of Dropbox due to concerns that hackers could easily access sensitive information stored there. "IBM has the world's biggest BYOD program, and they just locked down Evernote and Dropbox because they discovered their future product plans and all sorts of really sensitive data was being beamed automatically out to these services," says Dion Hinchcliffe, an executive vice president at IT consulting firm Dachis Group. Though companies are increasingly tightening their BYOD policies, most have yet to address the use of consumer apps and services such as cloud storage on mobile devices. "Cloud datacenters are becoming high-value targets" of data thieves, says Hinchcliffe, raising the possibility that "someone inside the company with the keys to the castle" could be bribed to share data with hackers. "There's a lot of temptation," he adds. Dave Malcom, CISO at Hyatt Hotels, says he's keenly aware that employees are using consumer-grade cloud storage services with mobile devices on the job, and he's taking steps to address the situation. For instance, the hotel chain is surveying employee workstations to determine whether cloud storage apps like Dropbox have been downloaded and, if so, what data is stored on them. If a cloud storage app has been downloaded, "there's probably a corresponding machine they're placing documents on that we don't own," says Malcom. "We're starting to get in front of it [and] we're trying to provide a corporately blessed service." Malcom says that he hopes to start pushing employees toward using a corporate SharePoint system for content-sharing, though he acknowledges that it's not user-friendly on an iPad. — By Lucas Mearian

Security Rules Management
Keeping up with the ever-changing threat landscape is another major issue. While leading NGFW platforms come with tools for auditing and updating security rules, and monitoring security events from a central console, most businesses currently have a mix of perimeter security products, which can make administering those policies a major headache. Adding app awareness to the mix makes the task that much more complex and arduous, industry experts agree. "You want the ability to make granular access decisions on an app-by-app basis," says Oltsik. Furthermore, policies have to be regularly updated in order to keep up with major new social media services and apps, which show up on a daily basis.
Send feedback on this feature to editor@cio.in.
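Oltsik's app-by-app rules and McCullough's multi-vendor mesh both mean adding rules to a base that already has port-based ones, and the commonest finding when such a base is audited is a rule that can never fire because an earlier rule matches first. The following is an added example, not code from the article or from any NGFW vendor's audit tooling: a first-match rule base in a constructed, vendor-neutral format, and a check for rules that an earlier rule shadows entirely. It distinguishes a redundant duplicate from a real conflict, such as an app-aware deny sitting below a port-only allow that already lets the traffic through. The rule fields and the rule base are assumptions for the demo.

```python
"""Finding rules in a first-match rule base that can never fire.

Added example, not code from the article or any vendor's audit tool.
Perimeter devices evaluate rules top-down and stop at the first match, so
a rule is shadowed when an earlier rule already matches every packet it
would match. The rule fields (source/destination prefix, protocol, port
range, application id, action) and the rule base itself are constructed
for this demo and do not follow any product's syntax.
"""
from dataclasses import dataclass
from ipaddress import ip_network

ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # CIDR prefix
    dst: str            # CIDR prefix
    proto: str          # "tcp", "udp" or "any"
    ports: tuple        # inclusive (low, high) destination port range
    app: str            # application id, or "any" for a port-only rule
    action: str         # "allow" or "deny"


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that matches `inner` also matches `outer`."""
    if not ip_network(inner.src).subnet_of(ip_network(outer.src)):
        return False
    if not ip_network(inner.dst).subnet_of(ip_network(outer.dst)):
        return False
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if not (outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]):
        return False
    if outer.app != "any" and outer.app != inner.app:
        return False
    return True


def shadowed_rules(rules):
    """Return (shadowed, shadowing, kind) for each rule some earlier rule covers.

    kind is "redundant" when both rules have the same action (dead weight)
    and "conflict" when they differ (the later rule's intent is silently
    lost, which is the dangerous case).
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "conflict"
                findings.append((later.name, earlier.name, kind))
                break  # the first shadowing rule is enough to explain the finding
    return findings


# Constructed rule base: a legacy port-based allow near the top, app-aware
# rules added later, then the catch-all deny with an admin exception that
# was mistakenly placed below it.
RULES = [
    Rule("allow-web-out", "10.0.0.0/8", "0.0.0.0/0", "tcp", (443, 443), "any", "allow"),
    Rule("block-facebook-eng", "10.2.0.0/16", "0.0.0.0/0", "tcp", (443, 443), "facebook", "deny"),
    Rule("allow-facebook-marketing", "10.3.0.0/16", "0.0.0.0/0", "tcp", (443, 443), "facebook", "allow"),
    Rule("allow-dns", "10.0.0.0/8", "10.0.0.53/32", "udp", (53, 53), "any", "allow"),
    Rule("allow-dns-branch", "10.5.0.0/16", "10.0.0.53/32", "udp", (53, 53), "any", "allow"),
    Rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", "any", ANY_PORTS, "any", "deny"),
    Rule("allow-ssh-admin", "10.9.0.0/24", "10.0.0.0/8", "tcp", (22, 22), "any", "allow"),
]


if __name__ == "__main__":
    for shadowed, by, kind in shadowed_rules(RULES):
        print(f"{kind}: {shadowed} never fires, {by} matches first")
```

The two conflicts are the ones that matter: the engineering Facebook block is dead because the port-443 allow above it is consulted first, which is exactly how "adding app awareness" to a port-based base goes wrong, and the admin SSH exception is dead because it sits under the catch-all deny. Moving the app-aware deny above the port-only allow clears the first conflict, as the test checks.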
Social Insecurity
Man is inherently a social animal, and that explains employees' affinity to social media. But it is important for them to beware of its threats. BY GARY LOVELAND
SOCIAL MEDIA | At any given moment today, on-the-clock employees are updating their social media status, reading feeds and networking on business media sites. Moments can stretch to minutes: A recent study by the Ponemon Institute found that 60 percent of social media users spend at least 30 minutes a day on these sites while at work. Social media has become the preferred channel of communication, and while companies initially resisted on-the-job use of social media, many now embrace it as good for business. They understand that enterprise social media tools can spark collaboration among co-workers, strengthen employee productivity and improve communications. Social media sites may help an organization attract customers and employees, improve customer service and manage its brand image. The inherent risks of social media, however, can be very bad for business. Chief among them: Social media can be a very effective on-ramp for malware attacks. Other threats include network breaches, intellectual property theft, leakage of sensitive business data, and hijacking of social media accounts. Containing these risks requires a security strategy that fuses policies governing the use of social media with technology that monitors and protects the corporate network. It is essential to reinforce policies and technology with thorough and continuous employee training on acceptable use of social media.

A first step in creating a social media security strategy is classification of business data so that employees understand precisely what is—and is not—sensitive information. This process also should specifically delineate who is authorized to access corporate content, and how that information can be used. Policies will vary by employee role and by social media site. For instance, a worker may be permitted to include employer affiliation and job title on a public profile on a business media site, but not on a personal one; HR staff may be allowed to provide more company information because doing so is essential to recruiting. Remember that hackers now target mobile devices. Businesses should specify whether employees are permitted to access social media sites from these devices and which apps may be used to do so. Once policies are established, it may be necessary to reinforce them with a carefully considered combination of network monitoring and data protection tools.
Taming Employee Behavior
With social media, even a carefully planned mix of policies and technology may not be wholly effective. That's because you cannot stop employees from posting data on social media when they go home at night; people will do what they want, regardless of corporate policy. What can you do? Implement a rigorous and continuous employee education program on acceptable use of social media. A business should proactively train employees and be very clear about what it considers proper use of company information. Be specific. Employees should understand that posting corporate data is absolutely forbidden. Tailor the education program to meet the security knowledge level of your employees. The risks of malware, data loss, and other threats should be described in very real scenarios that explain impacts to the individual and the business. Show employees how to recognize current scams used in social media attacks, and how to identify a phishing website. Training should demonstrate how these threats propagate on social media. Education should not be exclusively technical, however. For many employees, sharing via social media has become so reflexive that they may not realize how information innocently posted on a social network can harm a business. Workers also should understand that when they identify themselves as an employee, they are representing the company to the digital world. Finally, fully explain the consequences of failure to follow company policies on use of social media. Be very clear: Jobs are at risk for those who violate the corporate code of conduct for privacy, client confidentiality, and intellectual property.
Gary Loveland is a principal in PwC's Security Advisory practice. Send your feedback to editor@cio.in.
EVENT REPORT
MOBILITY: PUSHING THE CASE FOR BYOD
The constant need to stay mobile and connected is increasingly forcing organizations to embrace BYOD. But securing devices and enterprise data is an imperative.
This millennium would probably go down in history as the mobile age. Look around and you'll know why. From your maid to your driver, from your boss to your employees, everybody is under its influence. And why not? A mobile phone—or even a laptop or an iPad—is portable, keeps people connected, and negates distances, letting enterprises go about their business. That's precisely why it's feeding another revolution in organizations today: BYOD. There's no doubt that user-friendly mobile computing devices are quickly making their way into the enterprise space. But it's hard to ignore the security threats that accompany personal devices. And if there's anyone who needs to define the guardrails on the mobility highway, it's the CIO. In a three-city roundtable conducted by CIO in association with Cisco, IT leaders from some of India's prestigious organizations gathered to discuss how mobility is pushing organizations towards BYOD, and how to tighten security. "Today, enterprises are faced with a challenge to provide flexibility to their employees by enabling them to access internal networks from personal devices. The influx of mobiles brings a variety of challenges, security being the biggest," says Mahesh Gupta, VP-Borderless Networks-SAARC, Cisco.
The Push for BYOD
Ajay Meher, VP-IT and New Media, MultiScreen Media, says that IT departments are under tremendous pressure as employees are increasingly demanding that organizations let them use their personal devices at work. "It's not just senior management that wants BYOD, the younger generation feels it's a necessity today," says Meher. And that's why organizations should find a way to accommodate BYOD. Gupta says, "The goal of IT and security is to have an infrastructure to create systems that can detect and protect against unauthorized access. But simply denying access in the face of an attack is no longer acceptable. Today's networks must be able to respond to attacks in ways that maintain network availability and reliability, and allow businesses to continue to function. In many respects, the goal of security is to make networks more resilient by making them more flexible." Several organizations have embraced the browser as the medium to empower employees. For instance, Sebastian Joseph, EVP and head-technology, Mudra Communications, says that they have had a successful BYOD program in place for about two years, and have enabled most of the business apps on the browser. "We have also used VDI to reduce the burden on the hardware. Desktops which are almost seven years old run on Ubuntu and access the central server. However, the challenge is with the computers running Macintosh since we cannot virtualize them," he adds.
Getting on the Mobility Highway
One step ahead of the browser is the app store. An organization that develops its own apps and distributes them through an internal app store can achieve great results. A good example is ICICI Lombard General Insurance's app store. The insurance company has several customer-facing apps on Google Play, which can help them check consolidated insurance policies, make payments and raise claims. Using the same functionality, ICICI Lombard has enabled employees, partners, and other external stakeholders to interact with the organization and its infrastructure. "The productivity of a claims surveyor has increased by 40 percent. This has dovetailed nicely with our internal BYOD initiative," says Ram Medury, VP-IT, ICICI Lombard General Insurance. To help organizations improve security, Cisco has created a secure network. "Cisco has developed a secure BYOD architecture that will help IT adapt to rapid changes arising from trends like mobility and BYOD. This is applicable to both physical devices and VDI type of BYOD considerations. The architecture delivers secure mobility, better wired and wireless management, reliable performance and provides a great user experience to employees," says Gupta. Most CIOs were of the opinion that while BYOD is the way to go, governance models for mobile apps along with security concerns are holding them back. However, almost all CIOs, across the three cities, believe that mobile may be a greater game-changer than the Internet.
This event report is brought to you by IDG Custom Solutions Group in association with
5 Things I've Learned
Sundaram Krishnan, former CIO of Universal Sompo General Insurance, says effective communication is as important and valuable as technical brilliance for a CIO.
THE VOICE OF EXPERIENCE
Communicate Your Way to Success
Effective communication is the manifestation of the leadership competence of a CIO. As a CIO, I communicated across a wide spectrum of people ranging from top management, my peers, team members, LOBs, business users, vendors, and consultants. I employed different styles of communication while dealing with each of these groups. When engaging with management, I spoke the business lingo. With peers, I exchanged knowledge and encouraged a cross-pollination of ideas. In an organizational setup, I acted as a change leader, and here my communication skills were put to the test. I needed to communicate strategically with the LOBs and business users, and translate key business objectives into terms which my co-workers could understand. This helped me engage users and work towards driving change. Hence, communication skills go a long way in permeating the business vision to the bottom of the pyramid. Also, a CIO needs to communicate effectively through various types of written media. Hence, it is very important to master the subtleties of careful communication by writing concise and cogent e-mails, for instance. Any slip in communication could be fatal.
Narrow Down on Negotiation
Good communication skills are followed by sharp negotiation skills. As a CIO, I needed to be a skilled negotiator because I faced negotiating scenarios with meteoric frequency, steering through crises, seeking solutions, countering conflicts, and veering away from project delays. The reality is that in the CIO role, pretty much every conversation is a negotiation. I negotiated budget with management, deadlines with implementation partners, SLAs with service providers, project resources with LOB heads, and desirable price points with vendors. One should be well-versed in the art of negotiation.
Be an Eternal Student
The business and technology landscapes are in a state of constant flux, so as a CIO, I never let the learning process stall. I surveyed this dynamic landscape to stay on the ball. CIOs should be eternal students, learning from all the forums, platforms, and situations that face them. They should be involved with business in understanding their customers and business users. Learning is a surefire recipe for success.
Earn Trust
CIOs should strive to win credibility in the eyes of business. Trust is not demanded, it is commanded. Therefore, it is important to focus your efforts on driving positive results to win the trust of your business peers. If you don't win the credibility of the management, you don't get anywhere. You should be a trusted ally to business; only then can you inch your way up the corporate ladder.
Put Business First
It is the business that engages you as a technologist; not the other way round. So understanding business needs is an imperative for the CIO. IT is a support function, and it's a CIO's responsibility to fulfill the needs of business users. CIOs should go out of their way to understand them.
AS TOLD TO SNEHA JHA
Sundaram Krishnan is the former CIO of Universal Sompo General Insurance, and is currently operating as an independent IT consultant. In a career spanning 30 years, he has acquired a breadth of experience in the IT industry.