informationweek march 2013
www.informationweek.in
Will the future of security be without passwords?

The goal posts in information security are constantly changing, and what is considered safe today is most likely to be compromised tomorrow. Every known security mechanism designed to protect or authenticate users and transactions has been broken.

Consider passwords first. Deloitte has predicted that in 2013, more than 90 percent of user-generated passwords, even those considered strong by IT departments, will be vulnerable to hacking. The firm says that a dedicated password-cracking machine employing readily available virtualization software and high-powered graphics processing units can crack any eight-character password in 5.5 hours.

While two-factor authentication adds another layer of security, it has been susceptible to fraud. If a hacker succeeds in getting access to the user name and password, and in obtaining a fraudulent SIM card by reporting the SIM card as stolen, the hacker has easy access to the one-time passwords that are generated by the bank. This method allows fraudsters to bypass the commonly used two-factor authentication in the form of mobile messages provided by banks.

Even digital certificates, which are provided by authorized certificate authorities and guarantee the authenticity of a file signed by a firm, have been known to be compromised. This year, security researchers were alarmed to discover a banking Trojan that came with its own built-in digital certificate. The banking password sniffer was signed with a valid digital certificate. The CCSS (Common Computing Security Standards) forum reports 16 legitimate digital certificates that are associated with malware.

In the face of sophisticated attacks, global firms are adding more layers of security. For example, recognizing that stolen passwords are put on sale on underground websites, Google’s security system does more than just check if a password is correct. The search engine giant uses more than 120 variables to detect fraud. Twitter recently announced that it will offer an SMS option as a second factor of user authentication.

Globally, there have also been efforts to create a future where passwords will never have to be used. Google, for example, is doing research on a slim USB key that proves the user’s validity when plugged into a computer. The FIDO Alliance, a consortium that includes giants like PayPal and Lenovo, has launched a set of standards that will reduce reliance on passwords. This could be in the form of a security chip installed in a PC, or a fingerprint scanner. PayTango, a startup, has launched a solution that links your cards to your fingerprints. If successful, PayTango can solve the hassle of carrying multiple cards. You could just walk out of your home and pay for a transaction without carrying anything.

Ultimately, even with the greatest advances in technology, humans are and will remain the weakest link in security. If organizations succeed in creating a robust security culture by spreading more awareness, the greatest of attacks can be prevented and foiled.
Srikanth RP is Executive Editor of InformationWeek India. srikanth.rp@ubm.com
informationweek june 2013
Contents
Volume 2 | Issue 08 | June 2013
Cover Story

How SoCloMo is changing the enterprise security landscape
The enterprise mobility wave, coupled with emerging public cloud computing solutions and the rise in social media usage, has knocked open the traditional, closed on-premise enterprise IT infrastructure and is making it vulnerable to different kinds of security threat vectors

Security awareness: How India’s leading CISOs are tackling the weakest link
Human beings are and will always remain the weakest security link. Given this fact, how do CISOs ensure that employees are always clued in to security? InformationWeek’s Jasmine Kohli spoke to India’s leading CISOs, who share their perspectives and experiences on some of the projects and measures undertaken by them to ensure a robust security culture

How Big Data security analytics is set to transform the security landscape
By using analytics to understand the big picture by analyzing and drawing connections between disparate sources of information, Big Data security analytics can completely transform the ecosystem of security

Cover Design: Deepjyoti Bhowmik

CISO Profiles

A peek into the personality of a CISO
Leading Indian CISOs from across industry verticals reveal their personal sides and discuss their most challenging security initiatives, strategies they adopt for countering evolving threats and security projects in the pipeline

Sameer Ratolikar, CTO, Bank of India
Manish Dave, Group CISO, Essar Group
Ashish Chandra Mishra, CISO, Tesco HSC
Colonel (Retd) AK Anand, VP & CISO, NIIT Technologies
Sesanka Pemmaraju, CISO, Hitachi Consulting Software Services India
Dr. Onkar Nath, CISO, Central Bank of India
N D Kundu, Assistant General Manager (IT Projects & Security), Bank of Baroda
Burgess Cooper, CTSO, Vodafone India
THE BUSINESS VALUE OF TECHNOLOGY

Interviews
Dell Global CIO on how IT must adapt as business priorities change: Adriana Karaboutis, Global CIO, Dell
Facebook CSO Joe Sullivan on protecting a billion people from spam, malware and hackers: Joe Sullivan, Chief Security Officer, Facebook
‘Cybercriminal activity in APAC set to grow exponentially’: Michael Sentonas, VP & CTO, APAC, McAfee
‘Security should be the goal, not compliance’: Bikash Barai, CEO, iViZ Security

Opinion
Top 5 ground-zero challenges Indian CISOs face today
Best practices for IP protection
Stepping up SMB security
Certification for certification’s sake: Following the letter sans the spirit
Addressing the hacking dilemma
Policy-driven network configuration management critical to security
Policy formulation a must for secure enterprise mobility
Big Data: The future of info security?
6 Steps for a successful data security control implementation
How NFC-enabled phones can offer frictionless access control experience

Departments
Editorial
Index
News
Feature
Event
Analyst Angle
Global CIO
Down to Business
Imprint
VOLUME 2 No. 08 | June 2013

Managing Director: Joji George
Printer & Publisher: Kailash Pandurang Shirodkar
Associate Publisher & Director: Anees Ahmed
Editor-in-Chief: Brian Pereira
Executive Editor: Srikanth RP
Principal Correspondents: Ayushman Baruah (Bengaluru), Jasmine Kohli (Mumbai)
Senior Correspondent: Amrita Premrajan (New Delhi)
Correspondent: Varun Haran
Copy Editor: Shweta Nanda

Design
Art Director: Deepjyoti Bhowmik
Senior Visualiser: Yogesh Naik
Senior Graphic Designer: Shailesh Vaidya
Graphic Designer: Jinal Chheda, Sameer Surve

Marketing
Marketing Head: Samta Datta

Online
Manager—Product Dev. & Mktg.: Viraj Mehta
Deputy Manager—Online: Nilesh Mungekar
Web Designer: Nitin Lahare
Sr. User Interface Designer: Aditi Kanade

Operations
Head—Finance: Yogesh Mudras
Director—Operations & Administration: Satyendra Mehra

Management Service: Jagruti Kudalkar

Sales
Mumbai, Manager- Sales: Ranabir Das, ranabir.das@ubm.com, (M) +91 9820097606; Marvin Dalmeida, marvin.dalmeida@ubm.com, (M) +91 8898022365
Bengaluru, Manager—Sales: Kangkan Mahanta, kangkan.mahanta@ubm.com, (M) +91 89712 32344; Sudhir K, sudhir.k@ubm.com, (M) +91 9740776749
Delhi, Manager—Sales: Rajeev Chauhan, rajeev.chauhan@ubm.com, (M) +91 98118 20301; Sanjay Khandelwal, sanjay.khandelwal@ubm.com, (M) +91 9811764515

Production
Production Manager: Prakash (Sanjay) Adsul

Circulation & Logistics
Deputy Manager: Bajrang Shinde

Subscriptions & Database
Senior Manager Database: Manoj Ambardekar, manoj.ambardekar@ubm.com
Assistant Manager: Deepanjali Chaurasia, deepanjali.chaurasia@ubm.com
print online newsletters events research

Head Office
UBM India Pvt Ltd, 1st floor, 119, Sagar Tech Plaza A, Andheri-Kurla Road, Saki Naka Junction, Andheri (E), Mumbai 400072, India. Tel: 022 6769 2400; Fax: 022 6769 2426

International Associate Offices
USA: Huson International Media
(West) Tiffany DeBie, Tiffany.debie@husonmedia.com, Tel: +1 408 879 6666, Fax: +1 408 879 6669
(East) Dan Manioci, dan.manioci@husonmedia.com, Tel: +1 212 268 3344, Fax: +1 212 268 3355
EMEA: Huson International Media
Gerry Rhoades Brown, gerry.rhoadesbrown@husonmedia.com, Tel: +44 19325 64999, Fax: +44 19325 64998
Japan: Pacific Business (PBI)
Shigenori Nagatomo, nagatomo-pbi@gol.com, Tel: +81 3366 16138, Fax: +81 3366 16139
South Korea: Young Media
Young Baek, ymedia@chol.com, Tel: +82 2227 34819; Fax: +82 2227 34866

Printed and Published by Kailash Pandurang Shirodkar on behalf of UBM India Pvt Ltd, 6th floor, 615-617, Sagar Tech Plaza A, Andheri-Kurla Road, Saki Naka Junction, Andheri (E), Mumbai 400072, India. Executive Editor: Srikanth RP Printed at Indigo Press (India) Pvt Ltd, Plot No 1c/716, Off Dadaji Konddeo Cross Road, Byculla (E), Mumbai 400027. RNI NO. MAH ENG/2011/39874

Editorial index
Person & Organization | Page No.
Adriana Karaboutis, Dell | 35
AK Anand, NIIT Technologies | 29
Amit Pradhan, Cipla | 46
Amit Saha, Infosys | 16
Anand Naik, Symantec | 15
Ashish Chandra Mishra, Tesco HSC | 28
Bikash Barai, iViZ Security | 42
Burgess Cooper, Vodafone India | 34
Dinesh Bareja, Open Security Alliance | 54
Diwakar Dayal, Cisco | 18
Jagdish Mahapatra, McAfee | 24
Joe Sullivan, Facebook | 36
John Hines, Verizon | 55
Kartik Shahani, RSA India | 24
Manish Dave, Essar Group | 27
Michael Sentonas, McAfee | 40
N D Kundu, Bank of Baroda | 33
Neil Thacker, Websense | 49
Onkar Nath, Central Bank of India | 32
Ranjit Nambiar, HID Global | 52
Robbie Upcroft, McAfee | 51
Sajan Paul, Juniper Networks | 18
Sameer Ratolikar, Bank of India | 26
Sanjay Katkar, Quick Heal Technologies | 15
Sesanka Pemmaraju, Hitachi Consulting Software Services India | 30
Srinivas S Tadigadapa, Intel | 17
Srinivasa Boggaram, McAfee | 16
Steve Durbin, Information Security Forum | 48
Sundar Ram, Oracle Corporation | 18
Sunil Lalwani, BlackBerry | 58
V Balasubramanian, ManageEngine | 56
Vaidyanathan R Iyer, IBM | 23

ADVERTISERS’ INDEX
Company name | Page No. | Website | Sales Contact
IBM | 02 & 03 | www.ibm.com | ibm.com/systems/no_compromise/in
Dell | 4 | www.dell.co.in | www.dell.co.in/domore
Seagate | 5 | www.seagate.com | www.seagate.com/goflexsatellite
IBM | 7 | www.ibm.com | ibm.com/decisionmanagement/in
VitalSmarts | 11 | www.vitalsmartsindia.com | info@vitalsmarts-India.com
eScan | 13 | www.escanav.com | enterprise@escanav.com
Trendmicro | 19 | www.trendmicro.co.in | marketing_in@trendmicro.com
Quick Heal | 25 | www.quickheal.com | info@quickheal.co.in
Interop | 31 | www.interop.in | salil.warior@ubm.com
CloudConnect | 38-39 | www.cloudconnectevent.in | salil.warior@ubm.com
TFM&A | 47 | www.tfmaindia.com.in | salil.warior@ubm.com
NGO India | 53 | www.india-ngo.org |
ICSC | 59 | www.icse.in | anees.ahmed@ubm.com
FTS | 67 | http://fts.informationweek.in | anees.ahmed@ubm.com
Emerson | 73 | emersonnetworkpower.com | marketing.india@emerson.com
Microsoft | 74 | www.windowsserver2012.in | microsoft.in/readynow
Important Every effort has been taken to avoid errors or omissions in this magazine. In spite of this, errors may creep in. Any mistake, error or discrepancy noted may be brought to our notice immediately. It is notified that neither the publisher, the editor or the seller will be responsible in respect of anything and the consequence of anything done or omitted to be done by any person in reliance upon the content herein. This disclaimer applies to all, whether subscriber to the magazine or not. For binding mistakes, misprints, missing pages, etc., the publisher’s liability is limited to replacement within one month of purchase. © All rights are reserved. No part of this magazine may be reproduced or copied in any form or by any means without the prior written permission of the publisher. All disputes are subject to the exclusive jurisdiction of competent courts and forums in Mumbai only. Whilst care is taken prior to acceptance of advertising copy, it is not possible to verify its contents. UBM India Pvt Ltd. cannot be held responsible for such contents, nor for any loss or damages incurred as a result of transactions with companies, associations or individuals advertising in its newspapers or publications. We therefore recommend that readers make necessary inquiries before sending any monies or entering into any agreements with advertisers or otherwise acting on an advertisement in any manner whatsoever.