Editorial
How information security has evolved

As I move around meeting CIOs and attending numerous conferences, I observe two distinct trends. These trends are sure to enhance productivity and spur innovation in the enterprise. But there is a flip side: CIOs, CISOs and IT managers have new reasons to worry about the security, integrity and privacy of their information assets.
Trend #1: Organization’s architecture turning inside-out
informationweek march 2012
Not long ago, an organization’s digitized information assets were safely ensconced in a ‘server room’ behind a firewall. Travelling workers (usually from sales, or very senior executives) would “VPN into” the corporate network through a “secure tunnel” to get access to corporate information. That has changed: information assets are now everywhere, on the cloud, in company-issued laptops, in tablets and in smartphones. In that respect, the architecture of IT systems has been turned inside-out, and IT managers must now also address the security and privacy of information on the cloud and on a plethora of endpoint devices.
Trend #2: Young workers and changing workplace dynamics
The workforce is getting younger. As one CIO put it to me the other day, “the mainframe-COBOL guys are on their way out.” The average age of the workforce in many organizations is between 26 and 28 years, and this generation is very comfortable using its own personal devices. Social networks, instant messaging and micro-blogging are a way of life for them. Earlier, most employees would report to an office and do a 9-to-5 routine. Today, employees work from anywhere, at any time. Fixed office timings have given way to flexi-time and shifts. Meetings and ‘con calls’ are planned around differences in time zones and the availability of executives.

The dark world of hackers has also kept up with these trends, and the threat landscape has indeed evolved. In his story ‘IT pays to be secure’, Verghese Joseph says the old methods of protecting information assets will no longer work in today’s scenario. The story prescribes new methods to secure assets in a collaborative environment while still offering remote access to information.

In ‘Cyber warriors going social’, Ayushman Baruah tells of the new threats that organizations face as they introduce social media for business communications and collaboration. New terms like ‘tab-jacking’, ‘evil twin phishing’ and ‘whaling’ are serious causes for concern. Heard about them? In this story you can learn how to counter these new threats.

In her story on BYOD (Bring Your Own Device) and the consumerization of IT, Amrita Premrajan takes you into organizations like Essar and Wipro to show how they have secured their environments while encouraging employees to use their own devices.

I hope you find new information in these stories and in the case studies around the Security theme.

Brian Pereira is Editor of InformationWeek India. brian.pereira@ubm.com | Twitter: @brian9p
www.informationweek.in
Contents | Volume 1 | Issue 05 | March 2012
Cover story
22 IT pays to be secure: As the threat landscape evolves, enterprises must find newer ways to protect data and improve business processes while enabling access to data across multiple end-user devices
26 Cyber warriors going social: As social media continues to pose new security threats, enterprises are faced with the challenge of going social in a secure way
33 BYOD: It’s time to re-think enterprise security strategy: The growing trend of enterprise users bringing their own devices into the organization and demanding access to relevant corporate apps is raising serious concerns about the security of sensitive corporate data, creating a pressing need for CIOs to re-think the security strategy traditionally in place
Case study
40 Managed security services enable iYogi to deliver better services: By outsourcing its IT security requirements to Verizon, iYogi has gained the capability to accurately manage thousands of incidents on a daily basis
41 Cloud cover shields Dewan Housing from spam thunderstorms: A cloud-based security solution from Symantec has given Dewan Housing Finance Corporation the ability to eliminate spam and reduce virus-related issues by a significant percentage
Cover Design : Deepjyoti Bhowmik
Feature
50 When good apps go bad: Experts warn that many otherwise non-malicious mobile apps are trampling privacy with overgenerous device permissions
52 Big Data could create compliance issues: The bigger data sets grow, the harder compliance could become
54 Whose job is virtualization security? The adage “When everyone’s in charge, no one’s in charge” applies all too well to private cloudified networks
THE BUSINESS VALUE OF TECHNOLOGY
News Analysis 14 A quarter with the sunny side up Aided by a depreciating rupee, Q3 FY12 has been a strong quarter for Indian IT services providers but given the weak macros, what’s the future on the other side?
interview 42 ‘To defeat APTs, we need to better understand our opponents’ Arthur Coviello Jr. Executive VP, EMC Corporation and Executive Chairman, RSA
56 Case Study Right people, right skills, right time! A workforce solution fosters high quality medical services and saves lives, by ensuring the availability of people with the right skills, at the right time
57 Interview ‘CIOs must leverage social media to increase their presence in the boardroom’ Arun Sundararajan NEC Faculty Fellow and Associate Professor at New York University’s Stern School of Business
News
12 iCreate sees strong traction for BI in the banking sector
13 Geometric explores opportunities in emerging sectors
13 IBM sees big potential for cloud based recovery services in India

Opinion
46 How to defend yourself against APTs
47 Humans and Heuristics: Making people part of information security solutions
48 Compromising a PCI compliant network
49 CISO watchtower 2012

Editorial 4
Index 8
News analysis 17
CIO voice 44
Event: IBM 58
Event: NASSCOM 60
CIO profile 64
Analyst angle 66
Technology & risks 67
Global CIO 68
Practical analysis 69
Down to business 70
Imprint
Volume 1 No. 05, March 2012

Managing Director: Sanjeev Khaira
Printer & Publisher: Sajid Yusuf Desai
Director: Kailash Shirodkar
Associate Publisher & Director: Anees Ahmed
Editor: Brian Pereira
Senior Associate Editor: Srikanth RP
Principal Correspondent: Vinita Gupta
Principal Correspondent: Ayushman Baruah (Bengaluru)
Senior Correspondent: Amrita Premrajan (New Delhi)
Copy Editor: Shweta Nanda

Head Office: UBM India Pvt Ltd, 1st floor, 119, Sagar Tech Plaza A, Andheri-Kurla Road, Saki Naka Junction, Andheri (E), Mumbai 400072, India. Tel: 022 6769 2400; Fax: 022 6769 2426

Design
Art Director: Deepjyoti Bhowmik
Senior Visualiser: Yogesh Naik
Senior Designer: Shailesh Vaidya
Designer: Jinal Chheda, Sameer Surve

Marketing
Deputy Manager: Sanket Karode
Advertising Co-ordinator: Jagruti Kudalkar

Online
Manager, Product Dev. & Mktg.: Viraj Mehta
Deputy Manager, Online: Nilesh Mungekar
Web Designer: Nitin Lahare
Sr. User Interface Designer: Aditi Kanade

Operations
Head, Finance: Yogesh Mudras
Director, Operations & Administration: Satyendra Mehra

Sales
Bengaluru, Manager, Sales: Kangkan Mahanta, kangkan.mahanta@ubm.com, (M) +91 89712 32344
Delhi, Manager, Sales: Rajeev Chauhan, rajeev.chauhan@ubm.com, (M) +91 98118 20301

Production
Deputy Manager: Prakash (Sanjay) Adsul

Circulation & Logistics
Assistant Manager: Bajrang Shinde

Subscriptions & Database
Manager, Database: Manoj Ambardekar, manoj.ambardekar@ubm.com
Senior Executive: Deepanjali Chaurasia, deepa.chaurasia@ubm.com

Associate Office, Pune: Jagdish Khaladkar, Sahayog Apartment 508 Narayan Peth, Patrya Maruti Chowk, Pune 411 030. Tel: 91 (020) 2445 1574, (M) 98230 38315, e-mail: jagdishk@vsnl.com

International Associate Offices
USA: Huson International Media. (West) Tiffany DeBie, Tiffany.debie@husonmedia.com, Tel: +1 408 879 6666, Fax: +1 408 879 6669. (East) Dan Manioci, dan.manioci@husonmedia.com, Tel: +1 212 268 3344, Fax: +1 212 268 3355
EMEA: Huson International Media. Gerry Rhoades Brown, gerry.rhoadesbrown@husonmedia.com, Tel: +44 19325 64999, Fax: +44 19325 64998
Japan: Pacific Business (PBI). Shigenori Nagatomo, nagatomo-pbi@gol.com, Tel: +81 3366 16138, Fax: +81 3366 16139
South Korea: Young Media. Young Baek, ymedia@chol.com, Tel: +82 2227 34819, Fax: +82 2227 34866
Editorial index: Person & Organization (page)
Amit Nath, Trend Micro: 28
Arthur Coviello, EMC Corporation: 42
Arun Datta, Medanta Medicity: 56
Arun Sundararajan, New York University’s Stern School of Business: 57
Avinash Kadam, MIEL e-Security: 25
Carl Leonard, Websense Security Labs: 27
Dr Kamlesh Bajaj, DSCI: 23
Hitesh Arora, Max New York Life Insurance: 30
Jayanta Prabhu, Essar: 38
Karthik Ananth, Zinnov: 14
Kartik Shahani, RSA: 18
Katyayan Gupta, Forrester Research: 34
Kevin LeBlanc, McAfee: 30
Kumar Parakala, KPMG: 62
Michael Sentonas, McAfee: 36
Nilesh Goradia, Citrix: 37
Padmasree Warrior, Cisco Systems: 61
Parvinder Singh, Max New York Life Insurance: 38
Pradeep Udhas, KPMG: 63
Prashant Anaskure, Geometric Limited: 13
Pratibha Advani, NIIT Technologies: 16
Rajendra Pawar, NASSCOM: 60
S Ramasamy, IndianOil Corporation: 64
Sandeep Godbole, ISACA India Growth Task Force: 25
Satish Das, Cognizant: 30
Satish Kotian, DHFL: 41
Satish Warrier, Godrej Industries: 44
SD Shibulal, Infosys: 14
Shantanu Ghosh, Symantec: 27
Som Mittal, NASSCOM: 60
Sunil Lalvani, RIM: 36
Suresh A Shan, Mahindra & Mahindra Financial Services: 30
V Balakrishnan, Infosys: 16
VC Gopalratnam, Cisco: 30
Vinod Krishnan, VMware: 37
Vishal Dhar, iYogi: 40
Vishal Salvi, HDFC Bank: 18
Vivek Subramanyam, iCreate Software: 12

Printed and Published by Sajid Yusuf Desai on behalf of UBM India Pvt Ltd, 6th floor, 615-617, Sagar Tech Plaza A, Andheri-Kurla Road, Saki Naka Junction, Andheri (E), Mumbai 400072, India. Editor: Brian Pereira. Printed at Indigo Press (India) Pvt Ltd, Plot No 1c/716, Off Dadaji Konddeo Cross Road, Byculla (E), Mumbai 400027.
RNI NO. MAH ENG/2011/39874

Advertisers’ index: Company (page): Website, Sales contact
EMC (2): www.india.emc.com, india_mktg@emc.com
Zoho (3): www.ManageEngien.com/it360, india-sales@ManageEngien.com
Kyocera (5): www.kyoceramita.co.in, smartsolutions@kyoceramita.co.in
IBM (9): www.ibm.com, ibm.com/personalize/in
Biz Secure (13): www.indiaantivirus.com, sales@indiaantivirus.com
Schneider (15): www.schneider-electric.com, in-care@schneider-electric.com
Trendmicro (19): www.trendmicro.co.in, marketing_in@trendmicro.com
Juniper (31): www.juniper.net, www.juniper.net/pulse
Novell (39): www.novell.com, Lmiranda@novell.com
Cloud Connect (45): www.cloudconnectevent.in, surajit.bit@ubm.com
Interop (59): www.interop.in, surajit.bit@ubm.com
Dell (71): www.dell.com, amit_belani@dell.com
Microsoft (72): www.microsoft.in, microsoft.in/readynow
Important Every effort has been taken to avoid errors or omissions in this magazine. In spite of this, errors may creep in. Any mistake, error or discrepancy noted may be brought to our notice immediately. It is notified that neither the publisher, the editor or the seller will be responsible in respect of anything and the consequence of anything done or omitted to be done by any person in reliance upon the content herein. This disclaimer applies to all, whether subscriber to the magazine or not. For binding mistakes, misprints, missing pages, etc., the publisher’s liability is limited to replacement within one month of purchase. © All rights are reserved. No part of this magazine may be reproduced or copied in any form or by any means without the prior written permission of the publisher. All disputes are subject to the exclusive jurisdiction of competent courts and forums in Mumbai only. Whilst care is taken prior to acceptance of advertising copy, it is not possible to verify its contents. UBM India Pvt Ltd. cannot be held responsible for such contents, nor for any loss or damages incurred as a result of transactions with companies, associations or individuals advertising in its newspapers or publications. We therefore recommend that readers make necessary inquiries before sending any monies or entering into any agreements with advertisers or otherwise acting on an advertisement in any manner whatsoever.
Cisco CTO: Networks are becoming more intelligent
Delivering a keynote titled ‘Zero to Zetta’ at Nasscom India Leadership Forum 2012, Cisco CTO Padmasree Warrior said networks will need to evolve as the explosion of connected devices on the Internet will lead to zettabyte-level traffic by 2020. http://bit.ly/wvOcIS

India is a strategic market for us: LogMeIn CEO
With large managed services providers and technical support organizations deploying its solution at large scale, LogMeIn sees incredible potential in the Indian market. Michael Simon, Founder and CEO of LogMeIn, shares the company’s plans to target markets in India. http://bit.ly/wjrSOw

BYOD and beyond
With work moving outside the confines of the office premises, corporate data is moving far beyond its traditional boundaries, says Abhijit Tannu of Seclore. http://bit.ly/xFw3qC

‘At LinkedIn, features and development are data driven’
From approximately 3 million members in 2009 to more than 13 million members today, LinkedIn India is clearly on a roll. As India’s largest professional network, it relies heavily on business insights from the huge amount of data at its disposal. Ganesh Krishnan, Head, India Technology Center, LinkedIn, tells InformationWeek how LinkedIn uses analytics to provide users with information relevant to them in a professional context. http://bit.ly/yfbuEg

Readers tweeted:
Strategy View: #Cisco #CTO: #Networks are becoming more intelligent http://t.co/5zbe4Okq
Barbara Bober: BYOD and beyond via Mobile Downloads - When a customer decides to take up a policy, he registers a case in... tinyurl.com/7lsltc6
Vishal Gupta: InformationWeek – Mobile > BYOD and beyond informationweek.in/Mobile/12-02-2… via @iweekindia
Googlyfish India: #googlyfish ‘At LinkedIn, features and development are data driven’ ow.ly/1hwIqx
Allison Cain: BYOD and beyond bit.ly/wCfUyY
Ericom Software Inc.: Bring Your Own Device or BYOD has become a buzzword for a lot of IT managers... bit.ly/ybCCXy
J.M. Auron, Eric Lundquist and iPad fans also tweeted links to the stories:
Strategy News - ‘India is a strategic market for us’: LogMeIn CEO - InformationWeek India ht.ly/1hvm8t
InformationWeek – Internet > Cisco CTO: Networks are becoming more intelligent http://t.co/eVwCgRDE via @iweekindia
iPad news: ‘India is a strategic market for us’: LogMeIn CEO - InformationWeek India goo.gl/fb/UKnw0
Follow us on Twitter @iweekindia to get news on the latest trends and happenings in the world of IT & Technology with specific focus on India.
Social Sphere: Join us on facebook/informationweekindia

InformationWeek India posted: India’s total population: 1,170,938,000 (2010). India’s Internet population: 100,000,000.

Fan of March: Sandipan Chakraborty is a Support Engineer at Wipro. In his previous role, he was a Support Associate with Capgemini. Sandipan completed his education at Meghnad Saha Institute of Technology. He lives in Mumbai and is an avid reader of stories related to technology.

We have reached 2000! We would like to thank all the InformationWeek India fans for their continued support! Keep reading!

Like, tag and share us on Facebook: get links to the latest news and information from the world of IT and technology with a specific focus on India. Read analysis, technology trends, interviews, case studies, whitepapers, videos and blogs and much more. Participate in quizzes and contests and win prizes!

InformationWeek India posted: One Google search produces about 0.2g of CO2. But since you hardly get an answer from one search, a typical search session produces about the same amount of CO2 as boiling a kettle. Did you know that?
News: Software
iCreate sees strong traction for BI in the banking sector

Bangalore-based iCreate Software, which focuses specifically on BI for the banking sector, is witnessing steep growth in its business on the back of growing domestic demand. The market for BI software in India is forecast to reach revenue of USD 81.5 million in 2012, a 15.6 percent increase over 2011, according to research firm Gartner.

According to Vivek Subramanyam, CEO, iCreate Software, customers are moving from a build mode to a buy mode, in which they look for a packaged solution that offers flexibility. “We don’t want to be a specialized tailor but a ready-made shop. The demand for readymade BI shops is coming up in a big way.”

iCreate’s Biz$core, its flagship packaged analytics product, has gained rapid traction among banks. The strong domestic demand stems from RBI’s Automated Data Flow (ADF) compliance directive last year, which pushed many Indian banks to adopt the company’s solution, which enables straight-through processing of data directly from the bank to the RBI. The company’s client base is a mix, of which about 30 percent are based in India and 70 percent outside the country. In India, the three large customers are IndusInd Bank, HDFC Bank and Dhanlaxmi Bank. The other customers are from geographies such as the Philippines, the Middle East, Europe and Africa. As part of its geographic expansion, iCreate plans to increase its footprint to about 25 countries in the next few years.

iCreate aims to achieve its interestingly coined mission of “5:50:250” by FY 2015: to be among the top five in BI for banking solutions, with 50 strategic clients and Rs 250 crore of revenue. The company plans to invest in areas such as packaged intelligence, cloud offerings, and extending its focus from banking to capital markets and insurance. Given that India is a price-sensitive market, the company is already re-working its pricing strategy for the future. “We are planning to come up with a lighter version of our products with reduced price points to suit some of the specific customer requirements,” says Subramanyam.

Ayushman Baruah
FORM IV
Statement about ownership and other particulars about newspaper/magazine InformationWeek, to be published in the first issue every year after the last day of February

1. Place of publication: Mumbai
2. Periodicity of its publication / language: Monthly / English
3. Printer’s name: Sajid Yusuf Desai. Nationality: Indian. (a) Whether a citizen of India? Yes. (b) If a foreigner, the country of origin: Not applicable. Address: Sagar Tech Plaza, A 615-617, 6th floor, Andheri Kurla Road, Saki Naka Junction, Andheri (E), Mumbai 400 072, India
4. Publisher’s name: Sajid Yusuf Desai. Nationality: Indian. (a) Whether a citizen of India? Yes. (b) If a foreigner, the country of origin: Not applicable. Address: Sagar Tech Plaza, A 615-617, 6th floor, Andheri Kurla Road, Saki Naka Junction, Andheri (E), Mumbai 400 072, India
5. Editor’s name: Brian Pereira. Nationality: Indian. (a) Whether a citizen of India? Yes. (b) If a foreigner, the country of origin: Not applicable. Address: Sagar Tech Plaza, A 615-617, 6th floor, Andheri Kurla Road, Saki Naka Junction, Andheri (E), Mumbai 400 072, India
6. Names and addresses of individuals who own the newspaper and partners or shareholders holding more than one per cent of the total capital: UBM India Pvt Ltd., Sagar Tech Plaza, A 615-617, 6th floor, Andheri Kurla Road, Saki Naka Junction, Andheri (E), Mumbai 400 072, India; Stormcliff Limited, Julia House, 3, Themistocles Dervis Street, 1066, Nicosia, Cyprus

I, Sajid Yusuf Desai, hereby declare that the particulars given above are true and to the best of my knowledge and belief.
Signature of Publisher. Dated: March 2012
Software
Geometric explores opportunities in emerging sectors

Traditionally, the use of CAD/CAM/PLM software has been prevalent in the manufacturing industry. However, with growing competition, sectors that used software sparingly are now using it to drive product differentiation. Companies in sectors such as machine tools, medical devices, apparel and ship building are facing challenges due to the shift in the design and manufacturing process. PLM specialist Geometric is eyeing a huge opportunity in this space by providing its expertise to companies in these sectors through its offering called NextGEN CAx. “There are huge opportunities for players like us, as we can leverage our CAD/CAM/PLM expertise to develop and customize solutions for companies in non-engineering sectors,” says Prashant Anaskure, Practice Head, Software Engineering and CAx, Geometric.

A case in point is a leading U.S. provider of custom orthodontic appliances, which has used Geometric’s expertise to design high-quality custom braces. The firm has reduced treatment time by 30 percent and improved its capability to predict the stages of treatment. Similarly, an apparel processing machines firm was unable to support contemporary user expectations with an outdated architecture. Geometric created a NextGEN CAD app to support 3D visualization, which enabled the firm to reduce its design cycle time. Geometric has already signed 10 customers using this strategy, and believes that NextGEN CAx will deliver a distinctly higher CAGR of around 15-20 percent, much more than the traditional PLM market, which is expected to grow at a CAGR of 10 percent over the next five years.

Srikanth RP
Cloud Computing
IBM sees big potential for cloud-based recovery services in India

In an always-on environment, enterprises in the banking and telecom domain cannot afford even a single moment of downtime. In addition, regulations (such as those stipulated by the RBI) are acting as catalysts spurring Indian organizations to adopt DR plans. As a growing number of Indian enterprises virtualize their infrastructure, they are also looking at options to back up their virtual machines. IBM wants to address this market with its SmartCloud Virtualized Server Recovery service, which makes it easier for an enterprise to recover a virtual machine or a server after a disruption. As it leverages the cloud, the TCO is much lower. To encourage adoption, IBM is providing customers with a range of options: an always-available virtual machine, a virtual machine available only for use during disaster and test, and a virtual machine to back up data from storage media. Should disaster strike, users can directly access their data on the cloud via a portal, eliminating the need to travel to the offsite location.

Charles Woods, Director, IBM Business Continuity and Resiliency Services, Asia Pacific, says that the cloud gives IBM the flexibility to roll out solutions at a faster pace. “The cloud enables us to create more business value for customers, as we can leverage our global best practices and do the same things in India. We see huge potential for services such as data vaulting and enterprise backup.”

Srikanth RP
News Analysis
Aided by a depreciating rupee, Q3 FY12 has been a strong quarter for Indian IT services providers but given the weak macros, what’s the future on the other side? By Ayushman Baruah
A quarter with the sunny side up

The third quarter of FY12 was interesting and unique for Indian IT companies, as the rupee hit a record low of 54.30 against the dollar on December 15, 2011. Given that every 1 percent change in the rupee has a 40-50 basis points (bps) impact on IT companies’ profitability, media and analysts watched the earnings season with an eagle eye on the implications of currency volatility. At the same time, macroeconomic uncertainties continued to haunt the industry, as a result of which most companies projected tepid guidance.

According to a report from Kotak Institutional Securities, for the third quarter ended December 2011 the tier-I Indian IT services players grew at 3.7-4.5 percent in constant currency terms in a seasonally weak period. Margins expanded, aided by a weak rupee. However, Infosys’ weak guidance and TCS’ weak commentary on discretionary spending dampened sentiment, even as strong lateral hiring trends and the deal pipeline gave comfort on achieving or exceeding the Street’s lowered expectations. Even mid-sized companies reported strong performance, with MindTree, KPIT and Polaris growing 3.1-6 percent quarter on quarter (q-o-q) in constant currency. The report states that currency benefits helped tier-I firms expand margins by 60-265 bps q-o-q. Pricing improved q-o-q for Infosys and TCS.

In terms of growth metrics, verticals like BFSI, manufacturing and retail showed good growth across players. In terms of geography, strong revenue growth in Europe came as a positive surprise amid ongoing concerns that the eurozone crisis would affect IT spending. Cautioning the market about the eurozone crisis, SD Shibulal, CEO of Infosys, told media persons during the company’s Q3 results that one quarter’s numbers are not good enough to indicate a trend. “You need to look at a secular trend that will take little more time. You need to watch European growth over the next few quarters.”

Karthik Ananth, Director, Zinnov, justifies the growth in Europe, asserting that the eurozone crisis does not mean the end of business there. He tells InformationWeek that Indian IT services companies are still managing to get good business there for two main reasons. First, most large companies in Europe, except in the BFSI vertical which is more localized, have the majority of their revenues coming from geographies outside the region, including India and other emerging economies, so they are largely immune to a crisis in the region. Second, 70 percent of non-discretionary spending remains unaffected, and that has been off-shored to Indian IT services providers in the recent past.

Guidance for the coming quarter remained lukewarm across the industry. IT bellwether Infosys revised its dollar revenue growth guidance for the fiscal ending March 31, 2012 down to 16.4 percent from 17-19 percent, indicating flat revenue growth of 0-0.2 percent for Q4 FY12, which clearly disappointed the Street. Wipro guided for 1-3 percent growth in Q4 FY12, better than cross-town rival Infosys. The country’s largest software exporter, TCS, does not give guidance numbers for future quarters.
Shielding against volatility
As a strategy to contain the impact of rupee volatility, most companies have adopted strategic hedging policies. In an attempt to de-risk their profits from large fluctuations in different currencies, IT companies, like other exporters, hedge their cash flows. Simply put, they lock in the exchange rate for their receivables in order to have better visibility of revenues and profits. According to reports, TCS, Infosys, Cognizant, Wipro and HCL Technologies have together hedged close to USD 5 billion, mostly at around Rs 45-49 to a dollar, which also prevents them from reaping a windfall gain.

Infosys’ operating margins for the quarter went up by 3 percent, while its hedging position stood at USD 847 million at the end of the quarter. “We will continue with our hedging position for the next two quarters at any point of time. We are not going beyond that because we believe in a volatile environment it’s better to take a short-term view than a long-term view, and it helped us all along, so we are not changing the strategy on hedging,” Infosys CFO V Balakrishnan said during the company’s Q3 results.

Wipro’s operating margins could not benefit much from the depreciating rupee due to a higher hedging position that stood at USD 1.8 billion for the quarter. Wipro reported an improvement of 80 basis points sequentially in its operating margin, to 20.8 percent.

According to a TCS spokesperson, the company’s hedging policy has two parts. “First, we have 100 percent hedging on the receivables so that the balance sheet is protected against the rupee. As far as the second part, revenue hedging, is concerned, TCS has discontinued its long-term hedging strategy and adopted a more short-term policy of hedging for two quarters,” the spokesperson told InformationWeek in a telephone interview. The company currently has total hedges of USD 1.7 billion, of which its hedged position for Q4 is USD 1.3 billion.

In the mid-tier segment, MindTree posted a forex loss of Rs 25 crore this quarter as against a forex gain of Rs 17 crore in Q2. Its peer NIIT Technologies has hedge coverage for the next two quarters, similar to Infosys. “We have a firm hedge policy and do not have any speculative hedge. We incurred a hedge loss of USD 85 million for Q3 and a net gain of USD 335 million due to hedges,” says Pratibha Advani, CFO of NIIT Technologies.

Despite the margin gains due to rupee volatility, the industry is unanimous that the gain is only short term. “Any kind of instability in the market is not good for business. The problem may arise when customers start demanding the benefit of such gains and negotiate on the pricing,” adds Advani. Fitch Ratings, the global rating and research agency, also affirms
“We incurred a hedge loss of USD 85 million for Q3 and a net gain of USD 335 million due to hedges”
Pratibha Advani
CFO, NIIT Technologies
that the depreciating Indian rupee, which lost around 15 percent of its value against the U.S. dollar during January-December 2011, is likely to provide some relief to the margins over the short-term as about 60 percent of Indian IT export contracts are USDdenominated. Overall, Q3 has certainly been a quarter with the sunny side up as companies reported good numbers in dollar terms and even better numbers in rupee terms on the back of a depreciating rupee. Evidently, the rupee depreciation in the OctoberDecember quarter has not equally benefitted all companies as it depends upon their individual hedging policies and ability to manage their finances. The tier-I firms showed strong growth in Europe despite the sovereign debt crisis as they focused on tapping the non-discretionary budget required to keep the ‘lights on.’ The industry is likely to meet NASSCOM’s forecast of 16-18 percent growth for the current fiscal. Going forward, the revenue growth for most IT companies may show some decline in the coming fiscal as clients are cutting back or postponing discretionary spending amid the macroeconomic concerns. Fitch Ratings however indicate that despite an expected moderation in revenue growth in 2012 from 2011 levels, the outlook for the Indian IT services sector is stable on the back of its strong liquidity position. Most analysts have pegged the industry to grow in broadranged double digits in FY13, indicating some uncertainty but assuring not all is gloomy outside the window. u Ayushman Baruah
ayushman.baruah@ubm.com
informationweek march 2012
News Analysis
APTs have made information security a boardroom discussion

Recent security breaches and nation-state style attacks have elevated security to a boardroom discussion

By Srikanth RP

The year 2011 was clearly a year in which the industry woke up to a new reality. Despite the best defenses and security mechanisms at their disposal, many large companies such as Sony, Epsilon and Google were hacked. Every high-profile hack bore a highly similar pattern that was extremely difficult to detect with standard security mechanisms. Most of these intrusions fit the profile now described as Advanced Persistent Threats (APTs): not a single technique, but a targeted, well-resourced campaign that persists inside the network over a long period. While security was already important, APTs changed the perception completely, as they threatened a company's survival.

Sony is a perfect example of how APTs can impact the business revenues of a company. The estimated loss from the hack of its PlayStation Network is valued at a massive USD 171 million. This includes the estimated costs related to identity theft protection, customer support, legal and consulting fees, and most importantly, the financial hit due to loss of future revenue. In the wake of this phenomenon, CEOs and corporate boards are taking a keen, increased interest in security. "Last year, we saw the landscape change dramatically with respect to APTs. Till now, information security was a function that was part of IT. APTs have altered the perception completely, and information security is now a boardroom discussion," says Kartik Shahani, Country Manager, RSA India & SAARC.

The only silver lining in the wave of attacks is the fact that organizations are now aware of the threats posed by APTs. This is also corroborated by a recent report by the RSA-sponsored Security for Business Innovation Council (SBIC), which states that security professionals will bridge the boardroom gap this year. The Security for Business Innovation Council is a group of Global 1,000 security executives committed to advancing information security worldwide. From India, the council has reputed CISOs such as Felix Mohan, Senior Vice President and Chief Information Security Officer, Airtel and Vishal Salvi, Chief Information Security Officer and Senior Vice President, HDFC Bank.

The SBIC report calls for a fresh and comprehensive approach to information security, and highlights the fact that traditional defense mechanisms are inadequate against sophisticated attacks such as APTs. For example, data about an organization and its staff is available from a range of sources, including social networks and other public sources, and the same information can be harvested by an attacker to target enterprises or individuals with highly personalized lures. This problem is more acute for firms in the BFSI industry, as they hold large customer databases and are hence among the most targeted groups. In India, the RBI has been taking a leading role by providing a comprehensive list of guidelines related to information security for banks. Besides standard guidelines, the RBI made recommendations in broad areas such as IT governance, IT operations, IT services outsourcing and business continuity planning. RBI's proactive stance has raised the issue of information security to a different level.
For example, RBI's guidelines make it clear that banks are required to conduct a formal gap analysis between their current status and the stipulations, and put in place a time-bound plan to address the gap and comply with the guidelines. This has helped in catalyzing security-led initiatives. Agrees Vishal Salvi, CISO, HDFC Bank, "Due to guidelines by regulatory bodies, there is a lot of visibility, interest and expectation related to information security. Across the industry, there is also interest among board members who are keen to understand their responsibilities related to information security." As the whole paradigm of security has changed today, Salvi says that it is extremely important for enterprises to formulate their own response mechanism. For example, unlike traditional attacks, APTs are highly targeted, thoroughly researched, amply funded, and tailored to a particular organization, employing multiple vectors and using low-and-slow techniques to evade detection: each individual event stays below the threshold of conventional alerting, so on its own it looks like noise. This calls for deploying tools that correlate a series of small events over long windows and show the real big picture to the organization.
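To make the 'low and slow' point concrete, the following Python script is an added example (not code from the article or from any vendor it quotes). It reads sshd-style failed-login lines, constructed here for illustration, and compares a conventional per-hour threshold with a seven-day count per source address. The thresholds, the host name and the addresses are assumptions.

```python
"""Long-window correlation of low-rate failed logins (added example).

Not code from the article or any vendor it quotes. The sshd-style log lines are
constructed for illustration; thresholds, host name and addresses are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)

FAST_THRESHOLD = 5                 # failures in any one hour: the usual brute-force rule
FAST_WINDOW = timedelta(hours=1)
SLOW_THRESHOLD = 12                # failures over the long window, however spread out
SLOW_WINDOW = timedelta(days=7)


def parse_failures(lines, year=2012):
    """Return {source_ip: sorted [datetime, ...]} for every failed login."""
    by_src = defaultdict(list)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        # syslog timestamps carry no year; the year is supplied by the caller
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        by_src[m["src"]].append(ts)
    for times in by_src.values():
        times.sort()
    return dict(by_src)


def max_in_window(times, window):
    """Largest number of (sorted) events that fall inside any span of `window`."""
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def classify_sources(lines, now):
    """'fast' trips the hourly rule, 'slow' stays under it but exceeds the
    long-window count, 'quiet' does neither."""
    verdicts = {}
    for src, times in parse_failures(lines).items():
        recent = [t for t in times if now - t <= SLOW_WINDOW]
        burst = max_in_window(recent, FAST_WINDOW)
        if burst >= FAST_THRESHOLD:
            verdicts[src] = "fast"
        elif len(recent) >= SLOW_THRESHOLD:
            verdicts[src] = "slow"
        else:
            verdicts[src] = "quiet"
    return verdicts


def _line(ts, user, src):
    # Constructed sshd line in the shape the regex above expects.
    return f"{ts} bastion sshd[4812]: Failed password for {user} from {src} port 51522 ssh2"


SAMPLE_LOG = (
    # noisy brute force: six failures in five minutes
    [_line(f"Jan 10 03:1{i}:07", "root", "198.51.100.23") for i in range(6)]
    # low and slow: two failures a day, twelve hours apart, for a week
    + [_line(f"Jan {d:2d} {h}:13:07", "admin", "203.0.113.7")
       for d in range(4, 11) for h in ("02", "14")]
    # a user mistyping a password three times
    + [_line(f"Jan  9 09:0{i}:41", "alice", "192.0.2.55") for i in range(3)]
)
NOW = datetime(2012, 1, 10, 23, 59, 59)

if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG, NOW).items():
        print(f"{src:16} {verdict}")
```

The noisy source trips the hourly rule, as any brute-force alert would. The patient one never exceeds one failure in any hour, so a per-hour rule never fires, yet fourteen attempts against one account from one address over a week is exactly the pattern Salvi describes; only a window as long as the campaign surfaces it.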
Raising security awareness
While banks will keep on evolving their security infrastructure, they cannot mandate or control assets that are not owned by the bank. For example, phishing attacks target innocent users by impersonating leading banks. While technically banks cannot be held responsible for actions taken by their users, banks such as HDFC Bank have taken the lead in preventing fraudsters from sending out malicious e-mails impersonating the bank. For example, HDFC Bank uses a service from RSA, which detects a suspicious e-mail or Trojan emerging from a server, initiates steps to take down the server, and prevents it from further propagating messages.

To better educate its employees against phishing attacks, HDFC Bank is also innovatively testing its employees by sending them mails which are cleverly designed as phishing e-mails. If unsuspecting employees click these e-mails, the IT team takes the users into confidence and points out to them the key differences between a genuine e-mail and a malicious e-mail. "From our experience, we have found out that over time, employees will start making a distinction between a real e-mail and a phishing e-mail. As more employees become aware, our security posture will improve considerably," opines Salvi.

To counter APTs, organizations must have a broad view of security. While sophisticated tools do help, it is the human aspect that is most vulnerable, and also a significant and successful component of APTs. For CISOs, APTs represent a massive challenge as well as a huge opportunity. They can take advantage of the growing level of interest in APTs, and raise their organization's security to a new level, by investing in relevant tools and driving a huge change in attitude towards information security.

Srikanth RP
srikanth.rp@ubm.com
Security Facts (infographic; source: Gartner)
Cover Story
IT pays to be Secure
As the threat landscape evolves, enterprises must find newer ways to protect data, improve business processes while enabling access to data across multiple end-user devices By Verghese V Joseph
IT security plays a central role in protecting brand, shielding data and assets, enabling end-user access and usability, and managing internal and external threats. Due to an increase in online e-commerce transactions, greater broadband penetration, increasing data thefts, and maturing attacks, security solutions such as data encryption, data loss prevention (DLP), and endpoint security are emerging as the need of the hour. It is therefore no surprise that the Indian industry too is increasingly turning to best practices, training and certification to counter these attacks, with information security emerging as a major business concern for enterprises. The Indian industry has reached a good level of maturity when it comes to information security, and the IT/BPO and banking sectors are the leaders. This has been validated by a recent report from Gartner, which rates India 'good' in data and intellectual property security and privacy. India's image as a secure destination is extremely important for it to become an economic superpower. In fact, data protection has been a key enabler in the phenomenal growth of the Indian outsourcing industry. And if we envisage making India the global hub for R&D, knowledge and innovation, data protection will continue to be a critical success factor.
IMPROVE BUSINESS PROCESSES
Data Security Council of India (DSCI), set up by NASSCOM, strives to ensure that the best global practices are strictly followed by the industry. According to Dr Kamlesh Bajaj, CEO, DSCI, "As a preferred destination for outsourcing, India faces a huge challenge of ensuring that it is a secure destination for outsourcing, where privacy and protection of customer data are enshrined in the best global practices and are strictly followed by the industry." With regard to best-practices policy, Dr Bajaj believes that India needs to, among other things, create the right policy and legal environment for data protection, build capacity, develop and implement best practices, and ensure ongoing end-user education and awareness.

Avinash Kadam, Director, COO and Head of Delivery at MIEL e-Security, feels that Indian companies have a reactive approach to security. "We need to change this and become more proactive. Information security expenditure is treated as an overhead and not a business enabler. Many companies are certified for ISO 27001 but there is no security culture. There should be transparency in how the information security issues are handled. Security breaches and the remedial actions should be well publicized. These will act as guidance on what to avoid as well as deterrents for those who are inclined to commit cyber crimes," says Kadam.

The IT/BPO industry is expected to reach a significant milestone this financial year despite the slowdown: it would achieve USD 100 billion in revenue. However, we cannot rest on these laurels if we are to achieve or surpass USD 225 billion by 2020.
Sandeep Godbole, Member, ISACA India Growth Task Force, lays stress on the importance of data security. "If we look at the growth, it would come from new industry verticals, new technologies and demographic factors that provide a boost to this industry. An ageing population in many parts of the developed world would spur services related to healthcare, insurance and banking to be outsourced to places where these could be delivered effectively and at lower cost. Mobile technologies, near field communication and the like are some of the technologies that can be visualized at this juncture. What is common across these developments, opportunities or technologies is that these areas are very sensitive in matters related to security and privacy. Thus, data security and privacy become mandatory factors for the growth to materialize," says Godbole. NASSCOM predicts that 2012 will see a rise in protectionism, legislation and anti-offshoring sentiment in the developed world. Without adequate security and privacy, it would be almost impossible to operate in such an environment. There is, however, no silver bullet that can transform things and work magic. It would be a slew of initiatives that can, however, enhance maturity and help reach the goal. "These include regulations, industry initiatives, reaching out to apex bodies, as well as an enhanced focus on awareness and education. Some thoughts are due on establishing safe harbor provisions with key countries, similar to what has been achieved for U.S. organizations to meet the EU requirements. Such a mechanism can help our organizations get accredited so that they measure up to the global expectations," opines Godbole.
Data security issues trending for 2012
- Increased number of vulnerabilities, with fewer widespread attacks but greater numbers of smaller, more focused attacks (spear phishing)
- India to have a higher percentage of spam volume
- Mobile device and cloud infrastructure hacking on the rise
- Growing security threats posed by the next generation of employees, who ignore IT security policies, entering the workforce
EDUCATION AND AWARENESS
Dr Bajaj believes that while organizations are deploying state-of-the-art technology solutions and processes for safeguarding information against hackers and fraudsters, the most critical factor remains ongoing education and awareness on information security and privacy among individuals, especially end customers who are increasingly transacting online. Organizations, particularly those in the banking and finance sector, are taking a lot of initiatives to spread awareness among their end customers. If the end customer has a good awareness level, a lot of phishing and social engineering incidents can be avoided. They need to be aware of the basics of security when transacting online, such as checking the authenticity of sites, not saving and sharing passwords, not installing suspicious software and applications, etc. Secondly, as organizations increasingly expose their applications to the Internet, they should develop 'threat intelligence' capabilities to align their security programs to mitigate perennial and evolving threats, thus bringing dynamism to their security programs. Very importantly, organizations should collaborate and share information about attacks, breaches, incidents, etc. They should follow industry best practices and benchmark against peers and the latest security developments.

Kadam strikes a note of caution, "There is a general lack of awareness for information security measures and serious lack of well-trained information security professionals. Most security professionals are self-trained or have undergone short courses. There are no full-time, long-term courses covering all aspects of information security. This lacuna can seriously affect the three sectors which have large dependence on IT."
EFFECTIVE REGULATIONS AND LEGISLATION

Regulations are an important component for ensuring security. At the same time, the strengths and limitations of regulations need to be recognized. Regulations and legislation can be effective in laying out the basic expectations and approach. They cannot, however, address the specifics associated with the implementation and operation of a diverse technology ecosystem and multiple organizations. Controls are not isolated islands but are layers of processes, activities and technologies that together provide a level of assurance. Considering the complexity, regulations can provide direction but may not be able to micromanage this complexity. "Industry good practices, such as the COBIT framework, and security and privacy policies of the organizations are other components that need to be included in the security landscape. However, the most important factor is user awareness that would drive demands and expectations around security and privacy. The demands and anticipation of the end users will be a key to effective practices around security and privacy," feels Godbole.

Among various measures that are advocated to build a security culture in India, particularly the education of end users, Dr Bajaj is of the opinion that public-private partnership would go a long way in developing adequate resources and an ecosystem. "Government and industry need to leverage each other's strengths to build and implement effective programs. A good example here is the Cyber Security Awareness Program of DIT and NASSCOM, which was executed by DSCI to create awareness on security by organizing events across different cities in India, assess the preparedness of Indian industry against security threats, promote interaction of security experts and bring together the industry, academia and government. NASSCOM and DSCI have also partnered with LEAs to conduct Cyber Safe programs in different cities every year. Similar efforts need to be strengthened and enhanced," advocates Dr Bajaj.

Kadam is forthright in his observations. According to him, "End users must be vividly explained the dangers of any irresponsible actions or non-compliance with information security policies. Multiple channels should be used to deliver the message. Instructor-led trainings should be supplemented by online video clips and quizzes. Anyone not scoring passing marks should be debarred from accessing the information till the situation is corrected. The end-user training should be extended to all the units and levels of management, especially the senior management, without making any exception. Training should not be treated as a one-time activity, but periodic reinforcement and re-evaluation should be part of an overall approach towards maintaining a constant state of alertness."

Godbole makes a startling observation. He says, "Before we even touch measures related to end users, let me seek to dispel an inherent assumption — IT folks understand privacy and security. There are hardly any formal inputs around this area as part of their formal education. If this is the status around awareness and education for IT folks who are enablers and custodians of information, I leave it to you to extrapolate the readiness of the common end-user." Godbole believes that, like most of the initiatives, awareness and education calls for participation from various entities and enablers in society. "Basic inputs around security and privacy should be included as part of the formal education — not just for IT folks — but for all the streams including arts, commerce, science and technology. The academic community has therefore an important part to play," says Godbole. He believes that professional bodies can also play an important part in reaching out to society at large, beyond the core constituency of their membership base. They must undertake this as a type of 'social responsibility initiative.' Such organizations can leverage their qualified members to be ambassadors and reach out to the common public. Global IT association ISACA, for example, offers resources for security professionals, including the Certified Information Security Manager (CISM) and Certified in Risk and Information Systems Control (CRISC) certification programs.

DSCI's best practices for data security
- Create visibility at the central security function over the data that is being gathered, received, accessed, processed, transferred, and archived in the organization
- Data classification guidelines should be defined, and the organization's functions should strictly follow the guidelines in the operational life cycle
- Ensure that there exists a mechanism that tracks the compliance requirements associated with each data type
- The business heads, support functions and executive management should be aware of the key compliance requirements with respect to the processes, relationships and functions under their respective supervision
- Any significant change in the information associated with each data item that is capable of impacting its security posture should undergo a change management process
- Ensure that there exists a mechanism that tests the effectiveness of the controls against the perennial and evolving security threats
- An organization should have a complete understanding of the possible data leakage scenarios. An inventory of such scenarios helps the organization in concentrating its efforts to avoid any data leakages
- Ensure that there exists a mechanism to manage the security threats to all participatory and underlying elements (network, server systems, endpoints, applications, databases, etc.) that have the potential to compromise the security of data
- Security incidents that can lead to a breach should be managed effectively
- An organization should possess forensics capability, either in-house or sourced, to investigate data security breaches
- Ensure that HR and legal functions are involved in the data security initiatives
People Training
In his appeal, Dr Bajaj says that no organization can be 100 percent secure; however, an organization can take 'reasonable' measures, which are proportionate to the value of the information assets that need to be protected. An organization should keep benchmarking itself on a regular basis against industry best practices and standards in order to identify gaps and keep increasing its maturity in security. Security is a journey, and an organization must keep assessing its capability against evolving and perennial threats. It should not wait for something to happen to it; instead it should learn from the attacks happening globally, understand the techniques used and vulnerabilities exploited, and determine whether it would have been able to avoid such an attack in its own environment. Organizations should be able to assess their maturity in implementing security in different areas with a view to continually improving it. Such an assessment should further help organizations draw up a strategic plan based on the evolution of different disciplines of security and their interdependencies, with continuous focus on protecting data. Compliance should be the outcome, along with dynamic and vibrant security that enables quick response to threats, vulnerabilities and actual cyber attacks.

Kadam lays importance on people. He says people should be extremely well trained to detect any attacks. Companies can even simulate such attacks and retrain people who failed to detect such attempts. This may force them to learn the hard way, but the lessons learnt will not be easily forgotten. He points out an alarming but neglected scenario, "We have been mostly concerned about security of commercial information systems. BPOs, banks, financial organizations and telecom companies figure at very high priority. However, the major emerging threat is to our infrastructure. Most of the power and water distribution, oil and gas companies and even railways use SCADA systems that are IP-enabled. Some of these are even visible on the Internet. The attacks on these systems will be catastrophic. We do not seem to have paid much attention to this requirement. Once again, this requires serious investment in training people to protect us from these emerging threats."

Godbole feels that enablers and deterrents are essential elements to ensure compliance and reduce risks and threats. "Most mature organizations have woven security training and deterrents as part of training initiatives and acceptable usage and policy as part of disciplinary actions. Many organizations put employees through a mandatory Computer Based Training (CBT) on security prior to enabling access. Short audio-visual capsules in my personal experience have a greater impact and effectiveness in communicating the message," he says. Drawing a parallel, Godbole further states that, "In my view, banks do provide interesting case studies of how organizations can seize the initiative against phishing attacks. Whether phishing is generic or focused (spear phishing), organizations must take proactive initiatives. They should concentrate on user awareness and effective use of out-of-band communication channels like SMSes, e-mails, phones etc."

Given today's strict regulatory and ultra-competitive environment, data security is one of the most critical issues that CIOs, CSOs and CISOs are facing. Enterprises must find new ways to protect data, improve business processes and increase the return on data. However, many challenges can impede these efforts. In this context, it is imperative that organizations use training and certification to maximize performance and closely align them with their overall business strategy. Organizations must leverage security solutions for preventing leaks, enforcing compliance and protecting the company's brand value and reputation.
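The internal phishing test HDFC Bank runs (described in the News Analysis earlier in this issue) and the simulated attacks Kadam recommends above both need one mechanical piece: a per-recipient link that records who clicked without letting the click be forged or misattributed. The following Python module is an added example, not the bank's system nor any vendor's product; the campaign name, employee ids, landing URL and key are constructed for illustration.

```python
"""Per-recipient tracking links for an internal phishing simulation (added example).

Not HDFC Bank's system nor any vendor's product. Campaign name, employee ids,
landing URL and key below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def _tag(campaign, employee_id, key):
    # HMAC over (campaign, recipient); truncated to 128 bits, plenty for a link token
    msg = f"{campaign}:{employee_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def make_link(base_url, campaign, employee_id, key):
    """A link whose token binds campaign and recipient, so a click cannot be
    forged or re-attributed by editing the query string."""
    q = {"c": campaign, "u": employee_id, "t": _tag(campaign, employee_id, key)}
    return f"{base_url}?{urlencode(q)}"


def verify_click(url, key):
    """(campaign, employee_id) for a genuine link; None if the tag is missing
    or does not match (edited, guessed or minted under another key)."""
    q = parse_qs(urlparse(url).query)
    try:
        campaign, employee_id, tag = q["c"][0], q["u"][0], q["t"][0]
    except KeyError:
        return None
    if not hmac.compare_digest(tag, _tag(campaign, employee_id, key)):
        return None
    return campaign, employee_id


class Campaign:
    """One simulated phish: who was sent the lure and who clicked it."""

    def __init__(self, name, base_url, key=None):
        self.name = name
        self.base_url = base_url
        self.key = key or secrets.token_bytes(32)   # stays on the server
        self.sent = {}                              # employee_id -> link
        self.clicked = set()

    def send(self, employee_id):
        """Mint the link to embed in this recipient's e-mail."""
        link = make_link(self.base_url, self.name, employee_id, self.key)
        self.sent[employee_id] = link
        return link

    def record_click(self, url):
        """Called by the landing page. Only a verified link for a known recipient
        of this campaign counts; returns True when the click is recorded."""
        found = verify_click(url, self.key)
        if found is None or found[0] != self.name or found[1] not in self.sent:
            return False
        self.clicked.add(found[1])
        return True

    def report(self):
        """Click rate and the recipients to enrol in follow-up training."""
        total = len(self.sent)
        return {
            "sent": total,
            "clicked": len(self.clicked),
            "click_rate": round(len(self.clicked) / total, 3) if total else 0.0,
            "retrain": sorted(self.clicked),
        }


if __name__ == "__main__":
    c = Campaign("q1-invoice", "https://training.example.test/land")
    links = {e: c.send(e) for e in ("e100", "e101", "e102", "e103")}
    c.record_click(links["e101"])
    c.record_click(links["e101"].replace("u=e101", "u=e102"))   # edited link: rejected
    print(c.report())
```

The employee id travels in the URL in the clear, which is acceptable for an internal exercise, but the HMAC tag is what stops a curious recipient from editing `u=` and pinning a click on a colleague; the key never leaves the server. The list of people to retrain, which both HDFC Bank and Kadam treat as the point of the exercise, comes straight from `report()`.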
Cover Story
As social media continues to pose new security threats, enterprises are faced with the challenge of going social in a secure way By Ayushman Baruah
Valentine's Day was round the corner when this article was being written, and it appeared as if malware attackers were more prepared for the day than any of the lovers. Recently, Trend Micro researchers came across a scam on Facebook that leverages Cupid's Day. The attack begins with a post on affected users' walls inviting other users to install a Valentine's theme onto their Facebook profile. As soon as a user clicks the wall post, he is redirected to a page where he is prompted to install the theme. This installs a malware file which, once run, displays ads from other websites. It also downloads a browser extension that monitors web activity and redirects sessions to survey pages that request sensitive information like phone numbers.
Undoubtedly, social media presents myriad opportunities for attackers to find personal information that can be used in social engineering to target specific individuals. "Attackers can track social media activity to study personal information such as friends, hobbies, and location information. Whether it's a mass attack or targeted, when users are surrounded by friends, it's simple to carry out social engineering attacks by getting them to click on seemingly legitimate links," says Shantanu Ghosh, VP and MD, India Product Operations, Symantec. "The other threat is the possibility of the site itself getting compromised. If an attacker compromises the social networking site with malicious code, any visitor to the site would be susceptible to attack."

A recent Symantec survey indicates a growing trend of enterprises engaging in social media and falling victim to related incidents. The top three social media incidents that enterprises experienced over the last year are:
- Employees sharing too much information in public forums (46 percent)
- The loss or exposure of confidential information (41 percent)
- Increased exposure to litigation (37 percent)

Over the years, attackers have gone beyond traditional methods of abusing the web. Search engine optimization (SEO) poisoning, which refers to manipulation of online information to push malicious links up in search results, is one such attack emerging in a big way. "Cyber criminals pay great attention to what topics and keywords are most searched for on search engines. And tools like Google Trends are of great help to them. Cyber criminals create malicious web pages seemingly related to the most searched topics, or they exploit vulnerabilities in existing legitimate websites/pages that relate to the topic and insert malware in them," says Amit Nath, Country Manager, India and SAARC, Trend Micro.

SQL injection is another widely exploited class of web vulnerability: the attacker places Structured Query Language (SQL) fragments in a web form input box, and an application that builds its query by concatenating that input executes them, letting the attacker read data it should not see or change it. The technique is far from new, but it remains one of the most common causes of breaches; according to Barclaycard, 97 percent of data breaches worldwide are still due to an SQL injection somewhere along the line. Apart from this, some popular attacks have evolved into new forms. Phishing, for example, is an e-mail/web-based attack in which perpetrators try to steal sensitive personal information by sending users to fake but legitimate-looking sites. According to Antiphishing.org, phishing attacks remained at record high levels, with 25,000 unique phishing campaigns recorded monthly through the first half of 2011. Spear phishing is a more sinister form of phishing attack which is increasingly gaining popularity among attackers: highly targeted and personalized phishing attempts directed against specific individuals (the variant aimed at senior executives is known as 'whaling'). "A technique called data mining is typically leveraged to gain this knowledge. Think for a moment the breadth of information that is available through web 2.0 sites such as Linkedin.com or Facebook.com. Spending a short amount of time on LinkedIn can be an easy way to understand who an intended target has in their network of trusted contacts or who's who within an organization," says Kevin LeBlanc, Senior Director of Product Marketing at McAfee.

Websense Security Labs recently conducted research on how data that might be considered private can be exposed via Twitter. The research focused on shared data, in particular e-mail addresses that can potentially be used against the one who shared them. During the research, Websense monitored Twitter over a 24-hour period and found that users were publicly sharing e-mail addresses connected with their inboxes, social media identities and bank accounts. This leaves them open to advanced 'social spear phishing' attacks and spam campaigns. "Businesses employing social media to communicate with customers need to consider ways to ensure that employees are protected from these new threats. Employers should re-evaluate acceptable use policies to discourage staff from sharing e-mail addresses on Twitter. Once the policies are in place, it's also equally important to ensure a mechanism to enforce those policies," says Carl Leonard, Senior Security Research Manager (EMEA), Websense Security Labs.

Another emerging phishing technique is tabnabbing, also known as tabjacking, which persuades users to submit their login credentials for websites or web-based applications by impersonating legitimate sites. LeBlanc of McAfee says that tabnabbing essentially operates in the reverse of most phishing attacks. It doesn't ask users to click on an obfuscated link; rather, a page the user already has open in a background tab rewrites itself into a fake login page once it detects that the user has switched away from it. A user who returns to that tab after a while and sees the rewritten page may be induced to believe the page is legitimate, and enters his login, password and other details, which are then used for improper purposes.

Also, increased usage of mobile devices such as smartphones and tablets has driven the rising popularity of another attack, the Evil Twin, which targets users connecting to Wi-Fi access points. An Evil Twin appears as a legitimate Wi-Fi access point offered on-premises, but is actually set up by a hacker to eavesdrop on the wireless communications of the Internet users who associate with it. This sort of attack can be used by hackers to steal passwords of unsuspecting users, either by snooping on the communication link or by setting up a fraudulent website and luring people there.
REAL-TIME PROTECTION
As social media is updated real-time, security vendors are increasingly leveraging the cloud to offer real-time protection against malware. Symantec observed 286 million new, distinct threats last year, equivalent to nine new threats every second of every day. Clearly, traditional approaches are no longer good enough. For instance, Symantec Insight, a reputation-based technology that is available in the latest Symantec Endpoint Protection 12, leverages data on multiple parameters like age, download source and prevalence to calculate a reputation score for nearly every file on the Internet, without having to scan the file itself. “In fact, reputation also contributes to stopping threats in real-time, before they cause any real harm, since it does not require a signature to identify a threat as a bad file. These reputation ratings are then made available to all Symantec users through a large cloud-based infrastructure of Symantec servers,” says Ghosh.

McAfee leverages the power of the cloud to collect, correlate and drive real-time intelligence concerning the threat landscape and countermeasure defences. McAfee Global Threat Intelligence (GTI) notices the anomalous behaviour and predictively adjusts the website’s reputation so that McAfee web security products can block access and protect customers.

Websense has implemented a partnership with Facebook to better protect users against malicious links leading to malware-embedded websites and fraud. For instance, when a user clicks on a URL that has been posted within Facebook, that link is sent to Websense for security classification. The Websense ThreatSeeker Cloud, an advanced classification and malware identification platform, then analyzes the link in real time. If the destination site is considered unsafe, the user is presented with a warning page that offers the choice to continue at his/her own risk, return to the previous screen, or get more information on why it was flagged as suspicious, explains Leonard of Websense Security Labs.

Best practices to prevent web/social media security threats:
- Begin with a formal and well-understood policy for employees’ use of public sites like popular social networking portals
- Monitor managed and unmanaged endpoints, on or off the network
- Notify employees when they try to send confidential data outside the company
- Like all corporate communications, define how to use social media and train employees regarding appropriate content to post
- Identify and understand legal or regulatory requirements specific to your industry, and implement policies to address regulations that call for retention of social media content
- Consider deploying an archiving solution that enables the automatic capture and retention of social media content, especially if your industry is highly regulated
- Implement a data loss prevention solution to provide another layer of protection to prevent confidential and proprietary information from bleeding out of the company onto social networks
- Have controls in place to capture social information to comply with open records requests, industry regulations such as the supervision requirements and the eventuality of an e-discovery request
(Source: Symantec)
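Two of the Symantec best practices above (notifying employees when they try to send confidential data outside the company, and a data loss prevention layer in front of social networks) can be prototyped as an outbound content filter. The following is an added example, not code from the article or from any vendor named in it; the confidentiality markers, the data patterns, the example.com domain and the sample messages are constructed assumptions, and a real DLP product uses far richer classifiers.

```python
"""Added example (not code from the InformationWeek article or from Symantec):
a small outbound content filter illustrating two of the best practices above,
notifying an employee when confidential data is about to leave the company
and adding a DLP layer in front of social networks. The markers, the data
patterns, the domain names and the sample messages are constructed
assumptions; a real DLP product uses far richer classifiers.
"""
import re
from typing import Dict, List

# Constructed classification markers the company stamps on sensitive documents.
CONFIDENTIAL_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY", "DO NOT DISTRIBUTE")
# Constructed regulated-data patterns: a payment card number (13-16 digits,
# optionally separated) and an Indian PAN-style identifier.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
PAN_RE = re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b")
INTERNAL_DOMAIN = "example.com"  # constructed; stands in for the company's own domain


def luhn_ok(digits: str) -> bool:
    """Luhn checksum so that arbitrary digit runs are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def findings_for(message: str) -> List[str]:
    """Which sensitive-data indicators a message contains."""
    found = []
    upper = message.upper()
    found.extend(f"marker:{m}" for m in CONFIDENTIAL_MARKERS if m in upper)
    if PAN_RE.search(message):
        found.append("pan-number")
    for candidate in CARD_RE.findall(message):
        if luhn_ok(re.sub(r"[ -]", "", candidate)):
            found.append("card-number")
            break
    return found


def is_external(destination: str) -> bool:
    """Destination is a host name (mail domain or social-network site)."""
    host = destination.lower()
    return not (host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN))


def classify(message: str, destination: str) -> Dict[str, object]:
    """Decide 'allow', 'notify' (warn the employee, log the event) or 'block'.

    Regulated identifiers leaving the company are blocked outright; marked
    confidential text triggers the notification the best practice calls for;
    internal destinations are allowed regardless.
    """
    findings = findings_for(message)
    if not is_external(destination) or not findings:
        action = "allow"
    elif any(f in ("card-number", "pan-number") for f in findings):
        action = "block"
    else:
        action = "notify"
    return {"action": action, "findings": findings, "external": is_external(destination)}


# Constructed sample outbound events: (message, destination host)
SAMPLES = [
    ("Q1 board deck attached. CONFIDENTIAL - do not forward.", "twitter.com"),
    ("Customer card 4111 1111 1111 1111 needs a refund", "facebook.com"),
    ("Draft policy, INTERNAL ONLY, for review", "hr.example.com"),
    ("Lunch at 1pm?", "twitter.com"),
]


def run_samples() -> List[str]:
    """Action per sample event, in order."""
    return [classify(msg, dst)["action"] for msg, dst in SAMPLES]


if __name__ == "__main__":
    for (msg, dst), action in zip(SAMPLES, run_samples()):
        print(f"{action:8} -> {dst}: {msg}")
```

The split between "notify" and "block" mirrors the two practices: a marked document going to a social network is the case where the employee should be told and the event logged, while a card or tax identifier is regulated data and is stopped regardless of intent. Internal destinations are allowed so that the filter does not interfere with ordinary work.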
SECURING THE ENTERPRISE
With attackers waiting to pounce on any loophole in the web, how are enterprises tackling the situation? Given the immense power of the web and social media, enterprises today are caught in the dilemma of completely blocking the use of social media and losing out on the tremendous productivity benefits, or allowing them to use it at the cost of risking data security.
Emerging web attack techniques

- Drive-by download: In this method, just browsing to a website allows executable content to be automatically downloaded onto a user’s computer. When a user visits a website, his browser silently and automatically pulls malicious content without his knowledge or permission. The ‘bad’ site is then able to determine what operating system, web browser and vulnerable plug-ins are running on the user’s computer. The vulnerabilities are then exploited to install malware files or collect private data.
- Hijacking web pages or “Clickjacking”: This is a new technique where the attacker is able to hijack clicks on a website by putting an invisible layer over the page. When the user clicks what appears to be an innocuous button or link (e.g., a game button or video), the attacker’s code is automatically executed, often leading to a malicious website or another misleading application.
- SQL injection attacks: Today, many larger, high-traffic websites serve up content that is dynamically constructed from information held in databases. In many cases, a poorly validated input field in a web input form (e.g. a login form or an account query form) allows an attacker to insert additional SQL instructions, which may then be passed directly into the backend database. Typically, this added content contains hidden links to a malicious website that has already been set up to serve malware attacks.
- Malicious advertisements: Many sites display advertisements hosted by third-party advertising sites. Due to both the sheer volume of online ads published every day and the automated nature of the publishing mechanisms, it is inevitable that some malicious content slips through and is inadvertently hosted on entirely legitimate websites. Although the hosting website is clean, the ad on the website may redirect the user to a malicious page hosting web attacks.
- Server-side polymorphic threats: The attacker operates a web server, which hosts malware files and has special “polymorphing” software running on the web server that dynamically generates a new variant of the malware (each with its unique signature) every few minutes or hours. Thus, every time a new unsuspecting user visits the malicious website, he gets a different malware file, resulting in potentially hundreds of new malware variants every day.
- Social networks: Social networking enables a piece of information to go viral: post it once and all your friends will see it, click it and in turn, share it on their walls.
- SEO poisoning: SEO (Search Engine Optimization) poisoning is a technique of injecting malicious websites into the top of legitimate search results, knowing that users usually click on the top links.

Source: Symantec
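As an added illustration of the SQL injection entry in the sidebar above (this is not code from the article or from Symantec), here is an account-query lookup in Python against SQLite: the string-built query that lets a form value become SQL, beside the parameterized query and an allowlist check on the field that close the hole. The accounts table, the usernames and the crafted input are constructed for the demo.

```python
"""Added example (not code from the InformationWeek article or from Symantec):
the SQL-injection weakness the sidebar describes, shown as an account-query
form backed by SQLite, beside the parameterized query and input allowlist
that close it. The accounts table and the sample inputs are constructed
here so the script runs offline.
"""
import re
import sqlite3
from typing import List, Tuple

# Constructed allowlist for the form field: usernames are short, lowercase,
# alphanumeric. Rejecting anything else is a second layer, not a substitute
# for parameterization.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db() -> sqlite3.Connection:
    """In-memory accounts table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", 120), ("bob", 75), ("carol", 3000)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, int]]:
    """The 'poorly validated input field': the form value is spliced into the
    SQL text, so whatever the user typed is parsed as part of the query."""
    sql = f"SELECT username, balance FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Tuple[str, int]]:
    """Hardened form: the value is bound as a parameter and never parsed as
    SQL, so it can only ever match a literal username."""
    sql = "SELECT username, balance FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def is_valid_username(username: str) -> bool:
    """Allowlist validation of the form field before it reaches the database."""
    return USERNAME_RE.fullmatch(username) is not None


def demo() -> dict:
    """Run both lookups on a normal value and on a value containing extra SQL."""
    conn = make_db()
    # Constructed input: a quote followed by a condition that is always true.
    # Spliced into the vulnerable query it widens the WHERE clause to every row.
    crafted = "x' OR '1'='1"
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "alice"),
        "normal_safe": lookup_parameterized(conn, "alice"),
        "crafted_vulnerable": lookup_vulnerable(conn, crafted),
        "crafted_safe": lookup_parameterized(conn, crafted),
        "crafted_passes_allowlist": is_valid_username(crafted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two lookups behave identically on an ordinary username; they diverge only when the field carries quote characters and operators, which is exactly the "additional SQL instructions" case the sidebar warns about. Parameterization is the fix; the allowlist is defence in depth that also gives a clean signal to log when a form receives input no legitimate user would type.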
Most companies have definite web and social media policies to protect themselves against the online devil. For instance, Max New York Life Insurance has two types of policies. “First, we have an Internet policy that already blocks most social media sites like Twitter, Facebook and Google plus. In addition, we have a separate social media policy (under process), which will have defined guidelines for using the social media — like which employees are authorized to make public comments on what issues, etc,” says Hitesh Arora, Head-IT, Max New York Life Insurance. The company however gives selective access (less than 1 percent) to some people in the sales and operations department where they need to leverage the social media to generate new customer leads. “Most of the problems arise because people are unaware of the implications of certain messages. So, we have rolled out a detailed information security (IS) policy with clear guidelines. In addition to this, we are spreading a culture of awareness among the employees,” says Arora.

“By spending a short amount of time on social media, attackers can easily understand who are trusted contacts in the network of an intended target”
Kevin LeBlanc
Senior Director - Product Marketing, McAfee

Likewise, IT services company Cognizant has two types of IS policies. The first one is known as the acceptable user policy, which defines the various dos and don’ts of using IT, with web being one of the IT resources. The second one is the social media policy, which outlines specific guidelines for using social media. Satish Das, Chief Security Officer at Cognizant, cites the example of a situation wherein if an employee is in the company’s network, he is allowed to use social media only for business purposes. If he is using it personally, he must not reveal information about the company’s internal activities and work details.

Mahindra & Mahindra Financial Services (MMFS) too has a well-defined social media strategy, wherein employees are restricted from publishing pictures beyond a certain size limit or posting confidential company information. The company makes selective use of social media such that it allows Facebook and Twitter but blocks LinkedIn as people may use it as a job-searching opportunity. “But this is mostly an HR initiative than an IT initiative,” says Suresh A Shan, Head-Business - Information Technology Solutions at MMFS. “Social media can be both good and bad for an organization. It’s good because it allows people to express their ideas and grievances. It’s bad as it can be misused, which in our company is about 2 percent mostly due to unawareness.”

Most enterprises today are striving to strike a fine balance between social media freedom and restriction

Networking major Cisco too has been vocal about social media security in its Annual Security Report 2011. In terms of monitoring content, Cisco does not have any policies/restrictions on visiting any particular social media sites. “We recognize that social media and collaboration technologies have positive potential. These are new methods that help us communicate faster and more effectively while getting instant gratification for what is being communicated — because the turnaround time is shorter and the level of impact can be much larger. Companies can use social media to improve communication to and between employees, and also to interact with customers,” says VC Gopalratnam, VP-IT and CIO, Globalization, Cisco. Despite allowing their employees a free hand, Cisco does have legitimate concerns. “The major concern is regarding security against IP loss. The impact of social media can be major because information sharing can get indiscriminate — with little or no concern about intellectual property rights and discretion. The appropriate employee use of social media is really a supervisory issue more than a technology issue,” adds Gopalratnam.

There is no doubt about the fact that web and social media offer immense productivity benefits, but they come with their own share of risks. Traditionally, security has been more reactive than proactive and cyber criminals have made the most of it. Most CISOs today opine that technology needs to be accompanied with strong policies, procedures and education in order to be effective. Although most enterprises already have well-defined security policies in place, they are still striving to strike a fine balance between freedom and restriction. While freedom to use social media offers greater efficiency, it also brings in an element of threat, which security chiefs have to battle out on an ongoing basis. Clearly, they have to walk two steps ahead of the cyber goons to win the battle.

Ayushman Baruah
ayushman.baruah@ubm.com
Security Facts

Mobile malware threats on the rise
- There has been a 472% increase in Android malware samples since July 2011. Source: Juniper Networks
- 99% of all detected threats targeting mobile platforms are malicious programs that are after one and the same goal: generating money unlawfully, either directly or indirectly. Source: Kaspersky Lab
- Mobile threats successfully stole more than $1 million from Android users in 2011. Source: Lookout
- In 2012, malware writers could secretly integrate thousands of mobile devices into extensive botnet-like networks to distribute spam, steal private info, and install other malware. Source: Lookout
BYOD:
It’s time to re-think enterprise security strategy
The growing trend of enterprise users bringing their own devices within the organization and demanding access to relevant corporate apps is raising serious concerns with respect to the security of sensitive corporate data. This is creating a pressing need for CIOs to re-think the security strategy traditionally in place.
By Amrita Premrajan
A recent survey on enterprise mobility by the CIO Association of India highlights that 94 percent of the surveyed CIOs believe that enterprise mobility will be an important part of their organization’s IT strategy within the next one year. But the same survey also reports that 75 percent of these CIOs say that security and compliance issues are the biggest challenges in enterprise mobility adoption. Employee-owned devices, which are not fully controlled by IT administrators, entering the enterprise network and accessing and storing corporate data, is increasingly becoming one of the biggest challenges for the CIOs to deal with. To manage these security challenges, CIOs across the globe are evaluating various key technologies, ranging from leveraging their desktop virtualization environment to support employee-owned devices, to adopting dual persona phones that have two logical partitions — one for professional and the other for personal usage — to implementing centralized remote locate, track, lock, wipe, backup and restore facilities to retrieve and restore corporate data on a lost or stolen mobile device. In this article, we explore some of the top security threats linked to the mobile platforms, the new challenges they pose to the IT teams of enterprises and some of the emerging technologies that would help organizations resolve these challenges.

“Loss of data is one of the biggest security issues, with respect to usage of mobile devices in enterprise space”
Katyayan Gupta
Analyst, Connectivity Lead Asia Pacific & Emerging Markets, Forrester Research
Enterprise Mobility and Security Issues
According to the InformationWeek Analytics 2011 Strategic Security Survey, by InformationWeek, USA, the most significant security concern about mobile devices in an enterprise environment is loss of data that has sensitive information. Loss of confidential corporate information to an end-user who is not on the corporate premise, and the possibility of it being passed on to other users/competitors, is definitely one of the biggest security risks linked to enterprise mobility. Katyayan Gupta, Analyst, Connectivity Lead Asia Pacific and Emerging Markets at Forrester Research, emphasizing this, says, “If a C-level person loses his/her smartphone or tablet which has e-mail synched into it, anyone who gets access to that device will be able to read all e-mails and communications. The e-mails might include strategic level talks or plans, leading to leak of sensitive corporate data. This in turn can lead to huge losses, which might not be just in terms of business but could also be in terms of brand image and even revenue, depending on the criticality of information which is lost. So, one of the biggest security issues today, with respect to usage of mobile devices in the enterprise space is, what if my device gets lost and what if the data gets lost.”

Another major threat linked to the usage of mobile devices in an enterprise environment is malware attacks on mobile devices. A recent McAfee report talks about how smartphones and tablets have eclipsed unit sales of desktop and laptop PCs. This is acting as a driver for cyber criminals to set their sights on mobile devices. Additionally, maliciously modified apps are becoming a popular vector for infecting these devices. Highlighting this fact, Shantanu Ghosh, VP and MD, India Product Operations, Symantec says, “In the past year, malware attacks on mobile devices have become more frequent and prevalent. The latest Symantec Internet Security Threat Report documented a 42 percent increase in mobile vulnerabilities, identifying over 163 that could be used to gain partial or complete control over devices running popular mobile platforms. Some of the methods used in mobile-specific attacks include web-based and network-based attacks, malware, social engineering attacks, resource and service-availability abuse, malicious and unintentional data loss and attacks on the integrity of the data.”

Security challenges linked to enterprise mobility are forcing CIOs across the globe to brainstorm with their IT teams to come up with a fresh security strategy that addresses this new set of challenges. Organizations are now working on an ‘information-centric’ security strategy that would enable securing of the sensitive corporate data irrespective of the device it is being accessed from. They are keenly focusing on protecting data by defining who should access what data and defining rights management for viewing and manipulating that data. “The infrastructure or device is becoming nearly irrelevant in the mobile, BYOD era. Rather, it is information that is the most critical asset and security needs to be information-centric too. In this scenario, enterprises need a security strategy that is risk-based and policy-driven, information-centric and operationalized across a well-managed infrastructure,” says Ghosh of Symantec.

Talking about the necessity of refreshing the legacy security and compliance policies with the coming of mobile devices into enterprises, Kevin LeBlanc, Sr Director of Product Marketing, McAfee says, “Legacy security policies and processes certainly need to be pulled out and reviewed as the important point to note is that consumer devices are already accessing data on nearly all networks and have been doing so for some time. Examples include users’ e-mail sent from a corporate account to a POP e-mail address can be downloaded onto a personal device, or the standard scenario of the executive management team adding their new iPad/tablet type device and the IT team supporting these handful of units.” He further says that compliance policies and controls, which have been developed to manage traditional endpoint systems, need to be enhanced to accommodate and support the new endpoint, which includes all mobile technology (smartphones to tablet devices), as well as corporate deployed devices and devices brought in from home. “Visibility is required to know what connects to your network, are these devices compliant and how do we ensure that they are as safe as the rest of the corporate infrastructure.”

Mobile device security concerns
What are your most significant security concerns about mobile devices?
- Loss of a device that has sensitive information: 64%
- An infected personal device connecting to the corporate network: 59%
- Malicious apps downloaded by a user: 37%
- Theft of data via uploading to a personal device: 36%
- A user suffering a personal loss, such as identity or bank theft, via corporate-issued device: 26%
- Mobile email-based malware downloaded by a user: 22%
- Web-based malware downloaded by a user: 19%
- Other: 1%
Note: Three responses allowed
Data: InformationWeek Analytics 2011 Strategic Security Survey of 1,084 business technology and security professionals, March 2011
Source: InformationWeek USA
“BlackBerry Balance technology bifurcates user data into personal and corporate data and IT team can take total control of the corporate partition”
Sunil Lalvani
Director, Enterprise Sales India, RIM

Need for Cooperative effort between users and IT
Along with developing a security strategy, it has become extremely important to create awareness amongst employees about security threats that mobile computing devices are susceptible to. It is also essential to educate them about what should be kept in mind while using mobile devices — whether employee owned or company owned — while accessing and storing sensitive corporate data. Highlighting the importance of workforce training and awareness, Michael Sentonas, VP, CTO, APAC, McAfee, says, “If you do a survey and ask people, ‘Do you use a tablet or a smartphone?’, you are almost going to get a 100 percent ‘Yes.’ But if you ask them, ‘Do you use the same type of security technology that you use on your laptop?’, you would get almost a 100 percent ‘No.’ And I think that is where we have an exposure — we have got these mobile devices that are out there that have zero security technologies installed. So the issues that could happen could be as simple as — someone has not leveraged the onboard security feature like a pincode. If the person loses his iPad/Android mobile device and it’s not locked and not secure, unfortunately there could be a data loss incident.”

“Mobile virtualization allows to monitor and manage a virtual phone running inside a physical phone”
Vinod Krishnan
Country Manager - Advanced Technologies, VMware

Employees can definitely prove crucial in protecting a company’s data and systems, and they can do so just by following recommended security best practices. According to the Juniper Networks 2011 Mobile Threats Report, some of the ways through which individuals can secure their mobile devices against security threats are installing an on-device anti-malware solution, utilizing password protections for mobile device access, being cautious while downloading apps, avoiding third-party application stores whenever possible, downloading applications from officially sanctioned sources and using anti-spam software to protect against unwanted SMS or MMS. The Juniper Networks 2011 Mobile Threats Report also elaborates on the steps to be taken within an enterprise to ensure secure access of data through mobile devices by employees. Glance through the table ‘How can you ensure mobile security within your enterprise’ on page 36 to know how you can ensure secure access of corporate data on a mobile device.
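The enterprise-side components the Juniper table lists (on-device host checking of OS version, jailbreak and malware status; passcode strength, expiry and attempts-before-wipe; and a NAC decision based on device security posture) come together in a posture check of the kind LeBlanc means by knowing "what connects to your network, are these devices compliant". The following is an added example, not code from the article, from Juniper or from any MDM product; the policy thresholds, the field names and the device inventory are constructed assumptions.

```python
"""Added example (not code from the InformationWeek article or the Juniper
report): a minimal device-posture check of the kind the Juniper components
describe, combining on-device host-check facts (OS version, jailbreak status,
anti-malware), the passcode rules (length, maximum age, failed attempts before
wipe) and a NAC-style access decision driven by that posture. The policy
thresholds, field names and the device inventory are constructed assumptions,
not any vendor's product behaviour.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass
class Device:
    owner: str
    platform: str                # "android" or "ios" in this example
    os_version: Tuple[int, int]  # (major, minor)
    passcode_set: bool
    passcode_length: int
    passcode_set_on: date        # used for the maximum-passcode-age rule
    jailbroken: bool             # jailbroken/rooted status from the host check
    antimalware_installed: bool
    failed_unlock_attempts: int


# Constructed policy; every threshold is an illustrative assumption.
POLICY = {
    "min_os": {"android": (2, 3), "ios": (5, 0)},
    "min_passcode_length": 6,
    "max_passcode_age_days": 90,
    "wipe_after_failed_attempts": 10,
}


def posture_violations(dev: Device, today: date) -> List[str]:
    """Names of the policy rules the device fails; an empty list is compliant."""
    violations = []
    min_os = POLICY["min_os"].get(dev.platform)
    if min_os is None:
        violations.append("unsupported-platform")
    elif dev.os_version < min_os:
        violations.append("os-version-below-minimum")
    if not dev.passcode_set:
        violations.append("no-passcode")
    else:
        if dev.passcode_length < POLICY["min_passcode_length"]:
            violations.append("passcode-too-short")
        if (today - dev.passcode_set_on).days > POLICY["max_passcode_age_days"]:
            violations.append("passcode-expired")
    if dev.jailbroken:
        violations.append("jailbroken-or-rooted")
    if not dev.antimalware_installed:
        violations.append("no-antimalware")
    return violations


def access_decision(dev: Device, today: date) -> str:
    """NAC-style outcome: 'full', 'limited', 'quarantine' or 'wipe'.

    Exhausted passcode attempts trigger the remote wipe the policy mandates;
    a rooted device or one without any passcode is quarantined; any other gap
    gets limited access until the user remediates it.
    """
    if dev.failed_unlock_attempts >= POLICY["wipe_after_failed_attempts"]:
        return "wipe"
    violations = posture_violations(dev, today)
    if "jailbroken-or-rooted" in violations or "no-passcode" in violations:
        return "quarantine"
    if violations:
        return "limited"
    return "full"


# Constructed inventory; owners and values are sample data.
FLEET = [
    Device("alice", "ios", (5, 1), True, 6, date(2012, 2, 1), False, True, 0),
    Device("bob", "android", (2, 2), True, 4, date(2011, 8, 1), False, False, 2),
    Device("carol", "android", (4, 0), False, 0, date(2012, 1, 15), True, True, 0),
    Device("dave", "ios", (5, 0), True, 8, date(2012, 2, 20), False, True, 12),
]


def fleet_violations(today: date = date(2012, 3, 1)) -> Dict[str, List[str]]:
    """Owner -> list of failed rules, for the compliance report."""
    return {dev.owner: posture_violations(dev, today) for dev in FLEET}


def evaluate_fleet(today: date = date(2012, 3, 1)) -> Dict[str, str]:
    """Owner -> access decision for their device."""
    return {dev.owner: access_decision(dev, today) for dev in FLEET}


if __name__ == "__main__":
    report = fleet_violations()
    for owner, decision in evaluate_fleet().items():
        print(f"{owner}: {decision} {report[owner]}")
```

Keeping the rule evaluation (`posture_violations`) separate from the decision (`access_decision`) is the point of the design: the same list of failed rules feeds the compliance report an administrator reviews and the network access the device is granted, so a device is never silently allowed on with a stale passcode or a root exploit applied.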
How can you ensure mobile security within your enterprise
Juniper Networks 2011 Mobile Threats Report talks about the components to be implemented in order to ensure mobile security in an enterprise environment.

Connect
- An SSL VPN client to effortlessly protect data in transit, and to ensure secure and appropriate network access and authorization
- A solution that integrates with network-based technologies, such as network access control (NAC), to determine appropriate access rights based on user identity and device security posture

Defend
- Support for all major mobile platforms, including Google Android, RIM BlackBerry, Apple iOS, Microsoft Windows Mobile and Nokia Symbian
- On-device anti-malware to protect against malicious applications, spyware, infected SD cards and malware-based attacks on the mobile device
- Centralized remote locate, track, lock, wipe, backup and restore facilities to retrieve, protect or restore a lost or stolen mobile device and the corporate data on that device
- On-device host checking to assess device security posture including device, OS version and malware status, patch and jailbreak/rooted status
- On-device firewall to protect mobile device interfaces

Manage
- Centralized administration to enforce and report on security policies across the entire mobile device population
- Device monitoring and control, such as the monitoring of messages (SMS and MMS), and control over installed applications and the installation of new apps
- Management capabilities to enforce security policies, such as mandating the use of PINs/passcodes, as well as defining and enforcing device passcode strength, expiry, maximum passcode age, number of passcode attempts before initiating remote device wipe, and more
- Ability for an administrator to monitor device activity for data leakage and/or inappropriate use

Dual Persona Mobile Devices: An emerging trend
Observing the security challenges that enterprise mobility is set to bring along with it, technology vendors are honing some new technologies to ensure smooth functioning of the mobile workforce along with ensuring that there are no compromises in security of sensitive corporate assets. A new trend emerging around enterprise mobility is enabling ‘dual-persona’ phones where two logical partitions are created in the mobile device brought by the employee into the enterprise environment — one for personal usage and the other for corporate usage. The IT team exercises full control over the corporate partition, with the ability to remotely manage, monitor and even wipe off the data (if the need be), while keeping the personal partition untouched.

A case in point is BlackBerry Balance Technology, which enables BlackBerry smartphones to be used for business and personal purposes without compromise. Elaborating on this technology Sunil Lalvani, Director - Enterprise Sales India, RIM says, “The BlackBerry Balance technology bifurcates user data into personal and corporate data. For example, you could be using Facebook, Twitter, Gmail etc., on the same smartphone and in the organization you would want access to corporate e-mail, corporate calendar or any kind of Intranet application on the same device. What BlackBerry Balance will do is logically partition both these into a personal partition and a corporate partition and the IT team can take total control of the corporate partition so much so that if a user tries to cut-paste any data from the corporate partition into his/her Facebook or Gmail account, an alarm is generated for the IT team prohibiting him/her from transmitting data from one partition to the other. Also, if an employee leaves the organization, the IT team has the ability to wipe clean the entire corporate partition but at the same time keep all his personal data related to social networking or e-mails intact.”

A similar solution enabling creation of a dual-persona phone was released last year by Enterproid, a mobile startup, which launched a mobile platform called Divide that enabled professionals to maintain completely separate professional and personal profiles on a single Android device. The professional profile on a Divide device includes deep security, access control, and a set of enterprise-grade versions of applications like e-mail, web browser, instant messaging,
and SMS, while the personal side is kept completely private to the user. With the touch of a button, the user can switch back and forth between their professional and personal profiles with no crossover of data between these profiles. The solution also includes ARC, a cloud-based device management platform that both companies and individuals can use to manage their Divide phones and tablets.

Virtualizing the mobile device and creating different virtual partitions is another technology that opens up the possibility of the same phone being used for corporate and personal usage. VMware is a company that has technologies in this space, namely VMware Mobile Virtualization Platform and VMware Horizon Application Manager. Throwing light on this technology, Vinod Krishnan, Country Manager - Advanced Technologies, VMware, says, “We developed a thin layer of software — VMware Mobile Virtualization Platform, which is embedded on a mobile phone. What it essentially allows is to have multiple virtual machines on the same phone. So you could have potentially one personal phone and one professional phone — both of them being virtual on the same physical phone. And VMware Horizon Application Manager allows an IT administrator to manage such virtual machines on the phone. It essentially allows an IT administrator to create, provision, monitor, manage or even wipe off a virtual phone running inside a physical phone. In a scenario where an employee brings his/her own device, corporate IT can over the air push the virtual corporate phone on to the physical phone and manage and monitor the security of the phone.”
Surviving the BYOD revolution
While most organizations are still contemplating whether to roll out a BYOD policy or not, some organizations have already taken giant leaps in this area and are even adopting steps to ensure security of the corporate data being accessed and stored on the mobile devices. An example of a company using BYOD to its advantage is Essar, which is using Junos Pulse Mobile Security Suite from Juniper to enable a secure, multi-platform remote network access solution. Using the Junos solution, Essar can locate any mobile device with a GSM tracker, and connect it with its enterprise network. It can also take backups, wipe information remotely, and control and monitor usage to prevent the leakage of corporate information. Additionally, Essar can allow access to enterprise applications for employees from any mobile phone, which has helped in increasing employee productivity.
Desktop Virtualization enabling secure Enterprise Mobility
According to the Citrix Bring-Your-Own (BYO) Index, based on 100 IT professionals surveyed in each of seven markets including: Australia, Canada, Germany, India, Netherlands, United States and United Kingdom, 62 percent of surveyed organizations indicated that they have already invested or plan to invest in desktop virtualization. It is a technology that allows organizations to manage Windows-based desktops centrally in the data center, then deliver them to all types of users across the enterprise. Eighty percent of those organizations intend to leverage their desktop virtualization investment to support employee-owned devices and BYOD. According to the survey, this trend is driven by the fact that desktop virtualization addresses two key challenges cited by survey participants — security and device management. Since desktop virtualization enables the IT to centrally manage and secure desktops, applications, and data in the data center, sensitive business data is always secure. The technology enables the IT department to even remotely erase the data, in case data is stored on the endpoint device and the device is lost or stolen.

Nilesh Goradia, Manager Systems Engineering – India Sub Continent, Citrix, elaborating on how desktop virtualization technology can ensure secure access of corporate data through mobile devices, says, “In cases when information is directly accessed through smartphones and tablets, it can be very difficult to trace the violation. Here, Citrix serves as a medium to deliver a secure corporate desktop on any device. As the corporate’s virtual desktop is equipped with an audit system, this further extends to endpoint devices such as smartphones or tablets as well. The Citrix tool does not allow any data to be copied or moved from the data center, which secures the end systems. In this case, the user only transmits keyboard strokes and mouse clicks to the server, and screen updates are received back from the other end. While accessing data from smartphones, Citrix can enable a 128-bit encryption, i.e. data can be accessed through SSL (Secure Sockets Layer), which will make the transfer completely secure.” He informs that one of the largest banks in India has deployed Citrix’s desktop virtualization solution. The bank has adopted ‘Executive Mobility,’ wherein tablets have been given to top executives. These executives are accessing the corporate information very securely through a 128-bit encryption from the virtual desktop that has been hosted in the data center.
Cover Story

“The need is to bring a control that safeguards a company’s interest, but at the same time leaves the flexibility to the user to use the device they want”
Parvinder Singh, Corporate VP & Head - IT Services, MNYLI

“Besides providing access to the Intranet and other business applications, we have been able to customize the experience and access for diverse user groups across a range of devices such as smartphones, laptops or kiosks,” explains Jayanta Prabhu, CTO, Essar.

Wipro is another company which is enabling its employees to access corporate e-mails and web applications, both from the Internet and the Intranet, from a device of their choice, in a secure manner. Before rolling out the BYOD policy, Wipro ensured that policy acceptance (such as remote policy and password policy), authentication and authorization were in place. To ensure security and compliance, Wipro laid the framework for how users, with their own security-compliant devices, could access the applications seamlessly and securely.

Likewise, Citrix has a BYOD policy in place — employees are given an option to avail of BYOD while joining and are given a fixed allowance with which they can purchase any device of their choice. Elaborating on security measures taken by the firm, Nilesh Goradia, Manager Systems Engineering – India Sub Continent, Citrix, says, “Citrix provisions a full virtual desktop to the employees, i.e. the Citrix Corporate Virtual Desktop, which comprises all the enterprise applications. Our employees use applications such as SAB, Exchange, OCS, CRM, MS Office and other Internet portals. There are no limitations in terms of availability of these apps.” In the case of Citrix Virtual Desktops, the requisite security has already been imposed as a part of the corporate virtual desktop, which is delivered to the end-user. There is also no need for any additional configuration at the endpoint. Once the employee gets his own device, he has to configure the Citrix Receiver that connects to the Citrix Virtual Desktop. After this is completed, the employee can connect to the desktop through the corporate LAN, the Internet or Wi-Fi, Goradia informs. The corporate desktops that are delivered from the data center are already protected, as the security is enforced from the data center and not the endpoint. All the information is kept in the data center and encryption is then used to deliver the information safely to the end-user. “Citrix Virtual Desktops only deliver the screen displays; there is no transfer of data from the data center, making the process completely secure,” explains Goradia.

Max New York Life Insurance (MNYLI) is another company that is working on building a strong security strategy to facilitate the BYOD trend. The company’s Corporate Vice President and Head - IT Services & Technical Control Unit, Parvinder Singh, refers to BYOD as a “growing phenomenon that we can’t avoid.” Elaborating on how the company ensures security with respect to its BYOD policy, Singh says, “Right now in MNYLI, BYOD is limited to mobile devices, like BlackBerry, iPhone or iPad, but these devices are mainly used for e-mail purposes. Though we support all devices, people in the senior management are using BlackBerry devices and these are well controlled through the BlackBerry Enterprise Server (BES). We have implemented data encryption on endpoint devices, which ensures that even though someone has taken or stolen this device, no one can hack that information. Barring the BES, as of now control is very limited on other mobile platforms and we are right now in the exploration phase for good security solutions.”

CONCLUSION

With a variety of powerful mobile computing devices available in the market at affordable price points, it is inevitable that consumers will become accustomed to these devices over traditional desktops. The trend of BYOD is already emerging amongst enterprises, and most of the time IT administrators do not even realize that unauthorized devices are accessing the corporate network. Soon, along with the C-level personnel, employees across different job roles in an organization will start demanding access to relevant enterprise apps over their mobile devices, and IT will sooner or later have to revamp its security strategy to address the rising issues — like data loss and mobile malware — linked to mobile devices. Before this deluge of employee demands to bring their own devices hits the enterprise with full force, CIOs should actively start evaluating emerging security technologies and chart out a strong security strategy to mitigate the challenges that mobile devices bring. In parallel, organizations should also take steps to create awareness amongst employees about the potential security threats associated with using a mobile device for accessing corporate data, and about the steps to maintain the sanctity of corporate data. The security mechanism developed should completely secure the corporate data, irrespective of the device it is accessed from, without taking away employees’ flexibility to use a mobile device they are comfortable using.
u Amrita Premrajan
Amrita.Premrajan@ubm.com
Case Study
Managed security services enable iYogi to deliver better services
By outsourcing its IT security requirements to Verizon, iYogi has gained the capability to accurately manage thousands of incidents on a daily basis
By Srikanth RP

Managed security service from Verizon has:
• Helped iYogi in achieving PCI DSS compliance, which in turn has helped the company in identifying and putting in the right controls to ensure a secure environment
• Enabled iYogi to securely scale from 32 people to more than 6,000 technology experts
• Enabled iYogi to put in place a dashboard for monitoring and managing incidents proactively

“Managed security services agreement with Verizon helps us in continuously testing the system for vulnerabilities to protect our customers from data theft”
Vishal Dhar, Co-founder, iYogi

For a company whose business model relies heavily on the Internet, iYogi was facing a challenging time in ensuring security for processing thousands of daily electronic payments. The firm, which provides subscription-based tech support for PCs, connected devices and peripherals, is the largest subscription remote help service in the U.S. As the firm grew, it realized the importance of building and demonstrating anti-fraud processes and compliance with the international Payment Card Industry Data Security Standard (PCI DSS). This was critical as the only mode of payment for each support transaction was via a credit card or debit card using a third-party payment clearance house. iYogi decided to partner with Verizon to enhance protection of its network and online payment system. Today, Verizon provides iYogi with a range of managed security services such as compliance with PCI DSS and ISO/IEC 27002, vulnerability assessment, and investigative response services. Verizon’s integrated IP networking and applications management solution also connects iYogi’s global operations with its core business application servers, co-located in Verizon’s Los Angeles data center. “Our business has grown to hundreds of thousands of subscribers and a large volume of electronic payment transactions are managed every day. The managed security services agreement with Verizon helps us in continuously testing the system for vulnerabilities or threats to protect our customers from any data theft,” says Vishal Dhar, Co-founder, iYogi. Dhar informs that the engagement with Verizon Business has also helped in enhancing the security of iYogi’s delivery platform, iMantra, which connects over 5,500 global tech experts across multiple service centers.

Improved capability to handle threats

To keep up with its growing subscriber base and service offerings, iYogi has expanded to seven delivery centers across India, which increases the chances of security being compromised. With the help of Verizon, the firm has addressed this threat. Through the managed security framework, iYogi has implemented a set of tools and a 24/7 monitoring system that is available anytime through a dashboard. As a result of this proactive monitoring, Verizon has reduced the number of threat incidents by a significant percentage. “As we scale to manage tens of thousands of incidents on a daily basis, we continuously improve both the efficiency of managing these incidents and the precision of how they are resolved. A managed secure infrastructure benefits us by restricting any potential downtime caused by security incidents,” states Dhar. The improvement in processes to meet PCI DSS requirements has helped iYogi to put appropriate business controls in place. The certification has also resulted in improved customer confidence. “With our current pool of 6,000 technology experts to support our various campaigns and geographies, we have come a long way from being a start-up team of 32 people five years ago. At this scale of operations, the uptime and efficiency provided by managed security becomes critical for growth,” explains Dhar. iYogi’s experience shows that managed security services can not only lower the costs of maintaining security, but also give companies better insight into evolving security threats.

u Srikanth RP srikanth.rp@ubm.com
Case Study
Cloud cover shields Dewan Housing from spam thunderstorms
A cloud-based security solution from Symantec has given Dewan Housing Finance Corporation the ability to eliminate spam and reduce virus-related issues by a significant percentage
By Srikanth RP

Highlights
• Cloud-based service has almost eliminated more than 120,000 spam e-mails each month along with hundreds of virus attacks
• Saved approximately two man-hours per week allocated to operational duties related to security
• DHFL has been able to reallocate its limited internal resources to other critical IT missions such as risk management and regulatory compliance

“The cloud-based security solution removes 99 percent of spam off-site, even before it reaches our network”
Satish Kotian, Head-IT, DHFL

Dewan Housing Finance Corporation Limited (DHFL) has grown rapidly by taking a road less travelled. When most large banks were averse to lending to low- and middle-income groups, DHFL took a bold approach and offered loans to this segment. As a result of this innovative approach, DHFL is now one of India’s largest housing finance companies. To cater effectively to its customers, the firm has an extensive network of 105 branches, 67 service centers, 26 camps and seven regional processing offices spread across the length and breadth of the country. The firm, with its corporate office in Mumbai, communicates with its branch offices primarily through e-mail. Over time, as its business dependence on e-mail increased, the firm also faced the growing menace of spam e-mails. For example, the firm was dealing with more than 6 lakh e-mails per month, of which 20 percent were spam.

“On average, our users were getting around 8-10 spam e-mails per day. Our IT team soon became inundated with calls from frustrated users as spam mails continually clogged up the company’s e-mail bandwidth. Our IT team also found that resources were being over-burdened with approximately two man-hours per week allocated to operational duties dealing with security issues,” states Satish Kotian, Head-IT, DHFL. For a fast-expanding firm, this issue was not only restricting the IT team from focusing on innovating in IT, but was also proving to be a highly expensive activity for the firm.

Cloud advantage

DHFL scouted for solutions and finally decided to go for a cloud-based solution. The reasoning was simple — the firm wanted a solution that required little or no management on its part and, at the same time, provided comprehensive protection for its network. “We discovered that traditional solutions in the market required extensive investment on hardware, appliances and licenses, including costs related to management,” says Kotian. Thus, the firm turned to Symantec for its cloud-based security solution.

The cloud-based service has given DHFL the capability to tackle a huge number of spam e-mails and virus attacks. For example, before DHFL started using Symantec’s services, it was receiving nearly 120,000 spam e-mails each month along with hundreds of virus attacks. Today, the cloud-based service detects and identifies all viruses, spam and phishing attacks. “The service removes 99 percent of spam off-site, even before it reaches our network. It has also reduced our administrative overheads as the latest updates on the spam mails and antivirus are managed by Symantec. We are least bothered about the availability since we do not have to maintain any hardware, which was the case earlier,” explains Kotian. The DHFL IT team now saves valuable time as it no longer has to go through hundreds of spam messages to fish out legitimate e-mails from clients, colleagues and partners. As a result, DHFL has been able to reallocate its limited internal resources to other critical IT missions such as risk management and regulatory compliance. The incidence of spam and viruses arriving through e-mail has since dropped to almost zero.

u Srikanth RP srikanth.rp@ubm.com
Interview
‘To defeat APTs, we need to better understand our opponents’

The year 2011 clearly showed every enterprise that, irrespective of size and the best processes, every company can be hacked and broken into. In this age of stealth attacks, how can enterprises guard themselves against advanced and persistent threats? To delve deeper into this topic, InformationWeek’s Srikanth RP caught up with Arthur Coviello, Jr., Executive VP, EMC Corporation and Executive Chairman, RSA, The Security Division of EMC, to find out his views on APTs, hardware-enabled security, and the steps RSA is taking internally to make its processes stronger.

Stuxnet, Duqu are some of the most prominent threats that the industry faces today. How do you think we can prevent the next Stuxnet or Duqu from making inroads?

The answer to this lies in redefining the challenge and our response to it. This isn’t about what tools or controls will “solve” the problem, and it isn’t about following a new checklist. This is about understanding the nature of the human opponent and that they will find ways around static defenses. We need to leverage new technologies more effectively and not resign ourselves to existing techniques. We need to re-think how we triage and respond and focus on a new set of priorities. We live in a state of constant and inevitable infrastructure compromise, but that doesn’t mean we have to surrender to information compromise. We need to build security into our tools (instead of bolting them on) and use more intelligent and adaptive methodologies. We need to instrument different things and drive investigations differently and we need to focus on leveraging communities and more effective information sharing.

Advanced Persistent Threats are notoriously difficult to detect. How do you think security information and event management tools are shaping up to fight this threat?

APT is really a term to define a class of attacker, and not a particular trick or piece of malware. To really defeat APTs, we need to better understand our opponents. When APTs target your organization, they will find ways in; and when that happens, it becomes a race to the information. Knowing who they are and what they want is critical and no one organization can have that knowledge — it depends on a community and information sharing. When the race starts, we have to think about time and about intelligence. The idea is to isolate the data from the attacker before they get to it, so tools and techniques that either slow them down or speed up your response are good. Intelligence helps improve effectiveness and improve response times. Once you’ve isolated the data, the mission becomes to eject the APT with prejudice and to learn from them and frankly to then help other potential victims to learn from what you’ve learnt. The next generation of tools are machine learning tools, information sharing tools, full packet capture and analysis tools and automating the right responses in the right ways, with people and processes tied into them for control and risk management optimized around time and intelligence.

Your views on hardware-enabled security — a trend that could accelerate with Intel’s acquisition of McAfee.

Hardware has a role. Software does too. For instance, some things need an HSM or physical separation in spite of the inconveniences introduced. The problem with hardware is that it’s expensive to deploy and maintain and fix without defeating the very things that you hope to leverage: make the hardware updatable, and you’re back in a software world. However, the ideal systems from a security perspective would use software, leveraging a “hardware root of trust,” as we demonstrated with VMware and Intel in our securing the cloud initiative. The ultimate answer will be to use hardware, software and hybrid solutions as needed for the use case and tradeoffs among ease of use, ease of maintenance and cost to break (i.e. security).

Despite advanced technologies, are humans still the weakest security link?

Absolutely. Bad guys seek the path of least resistance and cost, and for the time being that is a person. It’s a fair bet that in spite of being our greatest assets, the people side of the equation will always be a relatively easily exploitable avenue for compromise. We need to take this into account and plan around it, and realize as well that there will always be a “path of least resistance” no matter what system we build. We also can’t take people out of the systems we’re trying to protect, so let’s build our systems to take that into account.

What processes has RSA put in place to ensure something like the RSA breach doesn’t have the possibility of happening again?

There are almost too many to name. We have had changes forced upon us in some ways, such as cultural changes that ironically have wound up being very healthy for RSA. And we’ve aggressively made changes ourselves to minimize the likelihood that it will ever happen again: we’ve changed IT operations, security operations, R&D practices, manufacturing, governance processes and more. From a security perspective, we now start with a notion of the threat landscape. Instead of just doing a risk assessment, we also look at what we protect downstream by virtue of our position as a vendor: what do people want to steal from our customers for which we are gatekeepers? Who are our customers’ enemies? We also look at ways that our partners and employees could be used to break into RSA, and we actively test against those. This is of course in addition to the specific learning and new methodologies that we have tactically taken in the wake of the incident.
u Srikanth RP srikanth.rp@ubm.com
CIO Voice
Prevent any security breach by just following 10 best practices
On a daily basis, hundreds of organizations get their networks compromised and their confidential data is leaked. When some of the best names in the industry with formidable security policies have got hacked, what can organizations do to prevent themselves from being hacked? Satish Warrier, CISO, Godrej Industries, shares a list of ten best practices that every organization must follow to minimize their chances of getting hacked

It goes without saying that it is impossible to completely eliminate all types of security breaches. However, by following some good, time-tested practices, we can thwart the majority of attempts, especially those that are not sustained and targeted. A robber is more likely to attempt robbing a house that has no security guard than one that has a security guard. Likewise, if a password is strong and complex, and the password-cracking tool indicates that it would need about 5,000 hours to crack it, the hacker is likely to move on to some other softer target. There are several security solutions in the market that cater to different types of threats. These security solutions are “de facto” required to secure an organization and must be chosen depending upon the nature of business and the value of assets that need to be protected. Some base-level, cost-effective and simple steps to secure an enterprise are:

1. Information security policies and procedures should be in place, and should be signed off by all employees. The policies should also cover acceptable use of information assets, with clear ‘Dos and Don’ts’ and appropriate punitive action for non-compliance.

2. Regular awareness and training sessions can facilitate the creation of a safe and secure organization. The “human factor” plays a very important role, which no amount of technology can compensate for.

3. Enforce a strong password policy with a history of three to five passwords. Initially, there might be some resistance from a few users, but later it will be accepted.

4. Default passwords in all devices need to be changed. Many system administrators tend to retain the default password that was used during the initial installation by the vendor. Once the systems are live, there is an apprehension amongst many system administrators that changing the password might lead to some business interruption. As a result, most default passwords are never changed.

5. Deactivate/disable user accounts when the employee leaves. There have been instances where such accounts were misused for entering fraudulent transactions — at times by insiders as well.

6. Apply patches and updates regularly after critically reviewing them for applicability. Many a time, security breaches result from known vulnerabilities on unpatched systems being exploited by intelligent hackers.

7. Monitor and review security logs regularly. Such logs can become a reference guide to all untoward incidents and attempts. For instance, unsuccessful login attempts can indicate unauthorized users trying to access the system.

8. Conduct in-depth network scans, vulnerability assessments and ethical hacking exercises. Such exercises, done by reputed consultants at periodic intervals, can ensure a reasonably robust enterprise that can withstand most hacking attempts. Care must be taken to utilize the services of different consultants on each occasion.

9. Encryption of mobile computing devices like laptops, tablets, mobile phones, etc. is important. We often neglect to protect such devices, which contain a significant amount of sensitive data. Lost and stolen devices pose a serious data security risk, which can be addressed only through encryption.

10. Backup of data residing on all systems at frequent intervals is imperative to minimize the risk of business interruption on account of device failure or malfunction, etc. Though this may not strictly qualify as a security breach, the business impact of such incidents can be significantly reduced.

—As told to Srikanth RP
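Practice #7 asks for regular log review with failed logins as the example signal. The following is an added example, not code from the column or from Godrej Industries: it parses constructed sshd-style log lines and flags any source address that produces a burst of failed logins inside a short window, which is the pattern a reviewer would want surfaced rather than read by hand. The host name, user names, addresses and the threshold of five failures in five minutes are all constructed for the example.

```python
"""Failed-login review over constructed sshd-style log lines.

Added example for practice #7 (monitor and review security logs); it is not
code from the column or from Godrej Industries. Host names, user names and
addresses below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the usual syslog/sshd layout: five rapid failures
# from one source, one mistyped password from a legitimate user, two accepts.
SAMPLE_LOG = """\
Mar 12 09:00:01 app01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar 12 09:00:03 app01 sshd[2203]: Failed password for root from 203.0.113.5 port 51023 ssh2
Mar 12 09:00:04 app01 sshd[2205]: Failed password for root from 203.0.113.5 port 51024 ssh2
Mar 12 09:00:06 app01 sshd[2207]: Failed password for invalid user oracle from 203.0.113.5 port 51025 ssh2
Mar 12 09:00:09 app01 sshd[2209]: Failed password for root from 203.0.113.5 port 51026 ssh2
Mar 12 09:01:10 app01 sshd[2211]: Accepted publickey for deploy from 198.51.100.7 port 40012 ssh2
Mar 12 09:05:30 app01 sshd[2220]: Failed password for alice from 198.51.100.9 port 40100 ssh2
Mar 12 09:05:41 app01 sshd[2222]: Accepted password for alice from 198.51.100.9 port 40101 ssh2
"""

# Matches the "Failed password" line sshd writes for a rejected login, with
# or without the "invalid user" marker used for unknown account names.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_failures(log_text, year=2012):
    """Return (timestamp, user, source) for every failed-login line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["src"]))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failures inside any span of `window`.

    Returns {source: {"failures", "users", "first", "last"}} for each flagged
    source. A single mistyped password never reaches the threshold, so
    ordinary user error is not reported.
    """
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))
    alerts = {}
    for src, items in by_src.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # slide the window start forward until the span fits in `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[src] = {
                    "failures": len(items),
                    "users": sorted({u for _, u in items}),
                    "first": items[0][0],
                    "last": items[-1][0],
                }
                break
    return alerts


if __name__ == "__main__":
    for src, info in find_bruteforce(parse_failures(SAMPLE_LOG)).items():
        print(f"{src}: {info['failures']} failures against {info['users']} "
              f"between {info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
```

The sliding window matters more than the raw count: a source that fails five times across a month is noise, while five failures in eight seconds against three different account names is worth a look. The year argument exists only because the syslog timestamp format carries none.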
Opinion
How to defend yourself against APTs

Ever since RSA got hacked, it has become commonly accepted that no security conference is complete until someone has presented on the topic of Advanced Persistent Threats (APTs). So what really are these APTs? Well, an APT is basically nothing but old wine in a new bottle. APTs represent a shift in the motives of the attackers, but they don’t represent any significantly new attack techniques or vectors. An APT is simply known attack techniques being used in conjunction with some good old-fashioned homework to steal corporate data and make a lot of money. So what can enterprises do to protect themselves from APTs? Surprisingly, the security controls for an APT turn out to be nothing different from what security consultants — nay, evangelists — have been preaching since the turn of time. Let’s explore these.

An APT attack is epitomized by the compromise of one or more PCs belonging to system or network administrators (remember how Google got hacked in China?). So let’s first focus on protecting our system administrators and putting controls around how they access our critical servers. The high level of privileges with which an administrator connects to the network is exactly what the attackers leverage to penetrate deep into the enterprise. By installing sniffers and key-loggers on these systems, the attackers are able to gain access to servers and pivot from even one compromised server to others within the network using techniques such as ‘pass-the-hash’ or, simpler still, finding the mother-lode — the administrator’s password file.

What did I just say — an administrator’s password file? Surely our administrators are not foolish enough to store their passwords in a file. Well, think again. If you’re the administrator of a mid-sized network with, say, 100 servers of which 35 are databases, then you’ve got to deal with a minimum of 2-3 administrator account passwords for each of these 35 databases. That totals up to more than 100 database passwords, which are not linked to your Active Directory. Now, if as a result of an audit you’ve actually implemented password complexity on your databases, it means the administrator has to change the passwords of almost 100 accounts every 30 or 40 days and make sure they’re complex and not similar to his previous 10 passwords. And what about the accounts needed to manage the anti-virus server, the anti-spam gateway, the endpoint protection server and the vulnerability management system you just installed after the most recent audit?

Let’s say the whole privileged-user password problem was somehow resolved. What visibility do you have on the activities of your administrators? Even with a super-star security event/incident management system in place, Windows logs are so mysterious that tracking the activities of a Windows administrator simply via the logs is almost impossible. So, let’s come to dealing with this issue — privileged user IDs and the power they hold over our network. The solution involves a three-pronged approach — the right philosophy, the right policies and the right product.

Philosophy

We need to stop thinking of administrators as demi-gods whom we must not offend lest they bring our systems to their knees. We need to ensure stronger controls around privileged IDs, password management for these IDs, monitoring of their activities, and the measures we take when privileged users leave the organization.

Policies

Once we have the right philosophy in place, putting policies in place is the next step. Educating the administrators and taking them along on this initiative is equally important. We need our administrators to understand that this isn’t about trust issues, but rather about protecting systems not just from administrators as people, but rather from the misuse of their elevated privileges, either by attackers or by other rogue administrators.

Products

Selecting the right product for privileged ID password management, access rights management of these privileged IDs and session monitoring, including that of Windows RDP sessions, is the next critical step. Key factors to look out for are the scalability of the product, its capability to support all the technologies you have in use — or at least as many as possible, its ability to integrate with your environment, and its disaster recovery features. While privileged IDs represent a major factor in APTs, we must not forget that the attacker needs to compromise only one system successfully to potentially attack critical servers. The National Security Agency has recently documented an approach using existing capabilities of Windows operating systems — specifically application whitelisting using software restriction policies — to prevent the installation of malware on user systems. There are quite a few under-wraps projects going on to develop unique methods to counteract the unintentional backdooring of user systems inside the enterprise network.
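The column's arithmetic (100-odd database passwords outside Active Directory, rotated every 30 or 40 days, never matching the previous 10) is exactly the bookkeeping a privileged-ID product has to do. The following is an added example, not the author's code or any product's: it keeps a salted PBKDF2 hash of each account's last ten passwords so that reuse is rejected without storing the passwords themselves, and reports which accounts in a constructed inventory are past the 30-day rotation window. The account names, systems, passwords, dates and the complexity rule are all constructed for the example.

```python
"""Privileged-account password history and rotation-age check.

Added example; it is not the author's code or any product's. It implements
two of the controls the column asks a privileged-ID product for: a salted
hash history that rejects reuse of the last HISTORY_DEPTH passwords, and a
report of accounts whose password is older than the rotation window. The
account names, systems, passwords and dates are constructed for the example.
"""
import hashlib
import hmac
import os
from datetime import date

HISTORY_DEPTH = 10     # column: "not similar to his previous 10 passwords"
MAX_AGE_DAYS = 30      # column: "change passwords ... every 30 or 40 days"
PBKDF2_ROUNDS = 50_000 # constructed work factor for the example


def is_complex(password):
    """Constructed minimal rule: 12+ chars with upper, lower, digit, symbol."""
    return (len(password) >= 12
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def _digest(password, salt):
    """Salted PBKDF2-HMAC-SHA256; only digests are kept, never passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class PrivilegedAccount:
    def __init__(self, name, system, managed_by_ad=False):
        self.name = name
        self.system = system
        self.managed_by_ad = managed_by_ad   # local DB accounts are the hard case
        self.history = []                    # (salt, digest), oldest first
        self.last_rotated = None

    def set_password(self, password, on):
        """Store a new password; raises ValueError on weak or reused values."""
        if not is_complex(password):
            raise ValueError("password does not meet complexity policy")
        for salt, digest in self.history:
            # each entry has its own salt, so recompute against every one
            if hmac.compare_digest(_digest(password, salt), digest):
                raise ValueError(f"password reused within last {HISTORY_DEPTH}")
        salt = os.urandom(16)
        self.history.append((salt, _digest(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]   # keep only the last N
        self.last_rotated = on


def try_rotate(account, password, on):
    """Attempt a rotation; returns (accepted, reason) instead of raising."""
    try:
        account.set_password(password, on)
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)


def overdue(accounts, today, max_age_days=MAX_AGE_DAYS):
    """(system, account, age_days) for every password past the rotation window."""
    report = []
    for acct in accounts:
        age = (today - acct.last_rotated).days
        if age > max_age_days:
            report.append((acct.system, acct.name, age))
    return report


def demo_inventory():
    """Constructed inventory: three database accounts, one of them AD-managed."""
    accts = [
        PrivilegedAccount("sys", "db01"),
        PrivilegedAccount("sa", "db02"),
        PrivilegedAccount("svc_backup", "db03", managed_by_ad=True),
    ]
    accts[0].set_password("Gr33n-Tea&Lemon-01", date(2012, 1, 5))
    accts[1].set_password("Blue.Moon#Rising-77", date(2012, 2, 20))
    accts[2].set_password("Qu1et-River!Stone-42", date(2012, 2, 28))
    return accts


def demo(today_iso="2012-03-01"):
    """Run the constructed scenario; returns (reuse attempt, fresh rotation, overdue report)."""
    today = date.fromisoformat(today_iso)
    inv = demo_inventory()
    reuse = try_rotate(inv[0], "Gr33n-Tea&Lemon-01", today)   # same password again
    fresh = try_rotate(inv[1], "N3w-Sunrise!Valley-09", today)
    return reuse, fresh, overdue(inv, today)


if __name__ == "__main__":
    reuse, fresh, report = demo()
    print("reuse attempt:", reuse, "| fresh rotation:", fresh)
    for system, name, age in report:
        print(f"{system}/{name}: password is {age} days old")
```

The history check costs one PBKDF2 computation per stored entry because each entry carries its own salt; that is deliberate, since a shared salt would let an attacker who steals the history file test one guess against all ten entries at once. The rotation report is what a product in this category should hand to the administrator on a schedule rather than leaving the 100-password list in a spreadsheet.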
u KK Mookhey is Principal Consultant and Founder, Network Intelligence India
Opinion
Humans and Heuristics: Making people part of information security solutions

The roll call of information security challenges seems to get longer every year. Protecting your organization’s data and systems from attacks and abuse can feel like an impossible task when you are faced with mounting internal and external pressures. Your employees want to use all kinds of new devices, apps and services. Management wants to reap cost savings from cloud computing while pursuing aggressive social media marketing strategies. External pressures include emerging sophisticated malware attacks, well-funded criminals and state-sponsored spies — not to mention a new wave of hacking fueled by an unpredictable mix of righteous indignation, anarchy and opportunism. Fortunately, there are some well-tested strategies for addressing the current information security challenges, and these begin with a reminder that the root cause of these challenges is not technology but people who abuse technology. Likewise, people are also the key to overcoming these challenges — people armed with good technology and sound technological skills.

Let us consider how this works with reference to a specific category of threat: malicious software. In recent years, an entire industry has evolved to monetize the ability to compromise your computing devices — from servers, laptops and tablets to smartphones. Computer viruses, worms and Trojan code are no longer dabbled in by amateurs and experimenters. What we have today can be thought of as “Malware Incorporated,” a diversified business served by an increasingly specialized network of vendors and workers. Anti-malware technology has been evolving to defend against the increasingly sophisticated code that “Malware Incorporated” deploys. The basic strategy for detecting malware is to compare incoming code to a list of “known bad code.” An alternative strategy, often employed in parallel, is heuristic detection — identifying code as potentially malicious based on everything that malware experts know about current and future malware. Well-written heuristic detection systems have a good track record of preventing infections by previously unknown malware, even malware that seeks to exploit zero-day vulnerabilities. That is software heuristics, but how can this be applied to human beings?

Employees: First line of defense

Consider your employees and their role in protecting your data and systems. Think of giving your staff some training about things they are supposed to do — something as basic as using strong passwords. Think of that level of training as basic protection against known threats. In addition, you may coach your employees about the importance of not disclosing account credentials to unaccredited websites and not opening suspicious attachments. Now you are stepping into the realm of human heuristics. If websites or attachments are known to be malicious, then users are unlikely to encounter them; they will be blocked by a securely configured system, based on blacklisting and signature matching, technologies implemented through browsers, memory-resident anti-malware, firewalls and filters. But how do we protect against the threats that remain after the deployment of this technology — the websites and attachments that are not yet known to be malicious? The answer is heuristics, and while this heuristic protection may exist in code, it also needs to exist in your employees.

Some companies recognize this and do a good job of educating employees about threats to the organization’s data and systems. The reward for this effort is an added layer of defense against malware, plus the whole range of current threats, and even new threats. Do you need to turn all of your employees into security experts? No, but if all your employees have some level of security awareness you will be much more likely to ward off new and emerging threats. A malware scanner that merely compares incoming code against a database of known bad code is just doing as it is told. And while that is helpful to a certain degree, it is clearly limited as a strategy to prevent malware infections. Your anti-malware software needs heuristic capability, and so does your workforce. Like most organizations, yours is probably highly dependent upon the confidentiality, integrity and availability of its data and systems. You need employees to understand that, and the behavior required of them to successfully defend data and systems — behavior that helps ensure the ongoing success of the organization.
Stephen Cobb is a CISSP and security evangelist for ESET.
Opinion
Compromising a PCI compliant network
Faced with increasingly common and serious compromises of payment card data, the major payment card brands worked together to establish the Payment Card Industry Data Security Standard (PCI-DSS). The standard is made up of 12 high-level requirements that go on to define over 200 specific information security controls. Companies that store, process or transmit payment card data are obliged to be PCI-DSS compliant. In technical circles, the PCI-DSS is controversial. It is very specific in some areas, and leaves room for interpretation in others. Many criticize its “one size fits all” approach and its requirements for the deployment of specific security technologies. Regardless of the controversy, there is evidence to suggest that the PCI-DSS has effectively changed attacker behaviour and reduced the impact of compromises. In Trustwave’s Global Security Report, we use data from payment card forensic investigations to show that as fewer companies maintain large stores of historic transaction data, attackers are increasingly forced to focus on capturing payment card data in transit. Compromises that would historically have captured in excess of 18 months of transactional data on average now capture just over three months of data.
PCI DSS compliance has its limits
The PCI-DSS is certainly not perfect, and organizations that are working towards compliance must not consider it a silver bullet. Through our penetration testing services, we have a long history of compromising the networks of customers who are seeking to achieve compliance with the PCI-DSS, and of helping them resolve the issues uncovered during these tests. To understand the limitations of the PCI-DSS, we should first understand how a PCI-DSS assessment is scoped. Systems that store, process or transmit cardholder data, as well as systems connected to those that store, process or transmit such data, are said to be in scope for PCI. This means that an organization can draw a box around a segment of its network and say that anything outside of that box need not abide by the security requirements enforced by the PCI-DSS. A smaller scope means fewer controls, which in turn equals less cost. The result is that many compliant organizations have a well-controlled PCI-DSS segment sandwiched between the networking equivalent of the “Wild West.” Experience has shown that it is magical thinking to believe that it is possible to create a secure zone in an otherwise unsecured environment. No (useful) network is an island, and regardless of the segmentation controls in place, someone, somewhere on one of those “Wild West” networks will have access to administer the secure network. Herein lies the key to compromising a PCI compliant network. Why would an attacker attempt to breach the controls of a network that is clearly well protected when a neighbouring network is a much simpler target? The majority of attackers will compromise the network without security controls, identify a network user that has legitimate access into the “secure” network, then make use of this user’s privileges to effortlessly dance past the hundreds of PCI-DSS-mandated security controls. Getting an initial foothold into the out-of-scope network can be done in many ways. In Trustwave’s experience, the attack vectors that most often succeed are poorly secured database servers, poor default password policies and man-in-the-middle attacks. Man-in-the-middle attacks are often considered “too old” or “too dangerous” to be included in information security testing plans. In our experience they can be conducted safely and often lead to compromise. Attackers do not place artificial limits on the methods they use — why should we? Once the initial foothold has been gained, attackers have a range of options to elevate their privileges on the network. The goal is to gain higher levels of privilege and to identify information that may help with future attacks. Many of the PCI-DSS requirements involve documentation controls. This documentation is often an invaluable source of information for attackers looking for network systems and network user accounts of interest. Of the many methods of privilege escalation available, success is most commonly achieved through shared local administrative passwords, the use of weak password hashing algorithms and a lack of regard for the “principle of least privilege” (i.e. putting everyone in the “domain admins” group). Thus, PCI-DSS compliance is important and helpful, but we should ensure that our out-of-scope networks aren’t left to go to ruin. Remember that if an administrator can work from an out-of-scope network, an attacker targeting that administrator can do the same. Naturally, we should be intelligent and use a risk management approach to decide on effective, cost-effective controls. We must never assume that the PCI-DSS network is completely safe from attack simply because there is a “PCI-DSS Certified” certificate hanging in the lobby.
Marc Bown is Managing Consultant, Trustwave SpiderLabs APAC.
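One check that follows from the warning above, as an added example that is not Trustwave's code: review authentication events for sessions reaching the PCI segment from a source that is neither inside the segment nor on the sanctioned administration network. The address ranges, group names, log format and events are constructed for the illustration.

```python
"""Added example: flag access into the PCI segment from out-of-scope networks.
Address ranges, groups, log format and events are all constructed."""
import ipaddress
import re

# Constructed scope: the assessed PCI segment (cardholder data environment)
# and the one jump network from which administering it is sanctioned.
CDE_NETWORKS = [ipaddress.ip_network("10.100.0.0/16")]
ADMIN_SOURCES = [ipaddress.ip_network("10.100.250.0/24")]
PRIVILEGED_GROUPS = {"domain admins", "cde-admins"}

# Constructed authentication log format, one event per line.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) auth user=(?P<user>\S+) group="(?P<group>[^"]*)" '
    r'src=(?P<src>\S+) dst=(?P<dst>\S+) result=(?P<result>\S+)$')

SAMPLE_LOG = """\
2012-03-05T08:59:10Z auth user=jsmith group="cde-admins" src=10.100.250.12 dst=10.100.1.20 result=success
2012-03-05T09:14:33Z auth user=jsmith group="cde-admins" src=10.20.7.44 dst=10.100.1.20 result=success
2012-03-05T09:20:02Z auth user=svc_backup group="domain admins" src=172.16.9.8 dst=10.100.2.5 result=success
2012-03-05T09:21:45Z auth user=rpatel group="staff" src=10.20.7.44 dst=10.20.1.9 result=success
2012-03-05T09:30:00Z auth user=mlee group="domain admins" src=10.20.8.3 dst=10.100.3.3 result=failure
"""


def in_any(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def parse_event(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def cde_access_from_out_of_scope(log_text, result="success"):
    """Return logons (with the given result) into the CDE whose source is
    neither inside the CDE nor on the sanctioned administration network.
    Failed attempts from such sources are worth reviewing as well."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["result"] != result:
            continue
        if not in_any(ev["dst"], CDE_NETWORKS):
            continue  # destination is not a PCI-segment system
        if in_any(ev["src"], CDE_NETWORKS) or in_any(ev["src"], ADMIN_SOURCES):
            continue  # sanctioned administration path
        findings.append({
            "ts": ev["ts"], "user": ev["user"], "src": ev["src"], "dst": ev["dst"],
            "privileged": ev["group"].lower() in PRIVILEGED_GROUPS,
        })
    return findings


if __name__ == "__main__":
    for f in cde_access_from_out_of_scope(SAMPLE_LOG):
        print("REVIEW: %(ts)s %(user)s %(src)s -> %(dst)s privileged=%(privileged)s" % f)
```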
Opinion
CISO watchtower 2012
With expanding personal digital domains like smartphones and tablets, and the increasing BYOD trend, the year 2012 will require a deeper understanding of the techno-legal aspects of cyber security. This year much of the CISO’s focus should be beyond product and backstage: on the procedures deployed, the people behind the procedures and, most importantly, on finding out whether all three put together are yielding results. As Bruce Schneier puts it, “Security is not a product, but a process. It’s more than designing strong cryptography into a system; it’s designing the entire system such that all security measures, including cryptography, work together.” To ensure security in 2012, follow this 5-step program:
A Reality test
Gartner estimates that organizations are spending up to USD 525 per user on information security measures. Work out how much it was per user at your company; the effectiveness of that spending then needs to be tested. The question to be answered this year (if not already) is when this was last stress tested, and whether that is recent enough. Stress test the ecosystem — the system includes people, processes and the technology backbone, and of course all the processes involved in streamlining the same. CISOs should adopt some offensive capabilities to test their information ecosystem in its entirety. Remember to stress test the entire system (not in silos) to check whether all your time, money and energy are yielding the desired results. This, when done well, gives you an unbiased output and a clear indication of where your money and effort have to be further streamlined.
Streamline your organization structure
Check whether your inputs include information from HR, risk, IT, legal, physical security, incident management, audit & compliance, knowledge/awareness, policies/documents etc., and what the inputs you received from each of them have been. Quantify them. Make sure you revisit the risk assessment approach and the results of 2011. Check with the Business Risk Manager on the threats and vulnerabilities he foresees, and capture and include them in your assessment.
Initiate, improve and prioritize
Initiate something new, improve on existing controls and prioritize your spending. Cohesiveness between employee awareness and the policies governing employees is extremely critical. For example, BYOD is becoming a way of life and we see an increasing number of corporates accepting it. It brings its own set of issues for CIOs/CISOs, which makes it harder for the IT security team to apply controls. Educate employees to understand the risk the company faces and their responsibility in risk management. Physical security: In many companies, the administration function takes up this role with management. In my opinion, CISOs could be involved in understanding the requirements for physical security as well. You should know how a person comes in and goes out, and what physically controls them once inside. IT security: Focus on initiating IT DR (disaster recovery) and strengthening your infrastructure and application security. Also, prioritize IT security spend and decide where you need to spend to upgrade or initiate. People awareness: Most importantly, devise programs that lead your employees to appreciate security as a discipline. It is senior management that needs to display awareness, from which other employees can infer its importance. This year, devise an Awareness Management Framework.
Engage in Techno-legal Framework
The time has come when the CISO is expected to seek inputs from the legal team and to make them understand the local IT Act and related legislation. This is to check whether your IT security manual/policy is streamlined to capture the IT Act and its amendments. Are your employees aware that there are laws in our country, and that this is why the policy exists? Educate employees (including the IT team) on the importance of maintaining logs and the importance of configuration. I have also seen that skill was not the issue in some companies; it was the intent, or the ignorance, that had to be addressed. This year the biggest investment will be to re-define your goals and address the ones that suit you best.
Incident Management
The most valuable step this year will be to institute an appropriate incident monitoring and response team. As a CISO you must clearly spell out what an incident means to your business and put together a plan to identify, contain and/or combat one. I have seen the best of companies faltering on this one. The identification of and response to a breach (physical or IT) is as important as prevention and maintenance. Begin populating your risk assessment sheets with emerging threats and constantly update them to see how prepared you are to mitigate and gear up for any eventuality. Centralize incident management with local responsibilities.
Manikandan Natarajan is Consultant - Information Security, Mahindra SSG.
Feature
When good apps go bad
Experts warn that many otherwise non-malicious mobile apps are trampling privacy with overgenerous device permissions. By Ericka Chickowski
Even though the splashy headlines around mobile security revolve around mobile malware, some security and privacy advocates warn that it might actually be the mundane apps people willingly download that introduce the most risk to their devices. That’s because many otherwise well-intentioned apps are asking for so much access to so many phone features that they’re impinging on the privacy of users — and potentially putting enterprise data at risk.
“We’re not seeing a lot of malware so much ... but we are seeing a lot of privacy concerns from apps that are sharing information that people aren’t aware of, or apps that have not been built securely,” says Michael Sutton, Vice President - Security Research at Zscaler ThreatLabZ. For example, he says that several months back, when his researchers were doing work in the mobile space, they ran into certain iOS apps that would ask for passwords to popular services, like Google Docs. “They would communicate with services, like Google Docs or Dropbox, and upload things and store backups,” Sutton says. “All of those authentication credentials were just stored in clear text on the backup of the file, and so anybody who got a backup of your phone could go through that in plain text.” According to Sutton, the mobile space is such a “land grab” right now that businesses are desperate to have mobile apps and are willing to outsource to developers who might not be very competent at their jobs, or who just aren’t given enough time to do a security review. “I think the worst part is people think, ‘I downloaded it from the store. It’s safe,’” he says. “But that’s not necessarily the case, and the end users mistakenly think that the gatekeepers are watching their backs.” In fact, in many cases it might not even be in the developer’s best interest to keep users’ privacy intact. “One of the big reasons that there’s a privacy issue is that mobile apps are monetized differently than traditional software,” says Chris Wysopal, CTO of Veracode. “Usually they’re low-cost, or they’re free and ad-supported. What that means is they’re going to need to market efficiently to the people who are using these ad-supported apps, so one aspect is getting the individual’s profile, finding out things like sex, age, where they live, and so on. All those things are hugely important for targeting advertising.” The way that these ad-supported apps work is that the developer receives money from an advertising company that supplies a library the developer will link to within the app. “The app developers might not really even be aware of what the ad libraries they’re linking to are doing; they don’t have the source code of what that ad library is doing. It is just a black box to them,” Wysopal says. “It’s just given as a requirement to install, but it turns out that the ad libraries piggyback on the permissions that the apps ask for and try to exploit whatever permission they have.” Further exacerbating the problem is the fact that most developers tend to ask for more permissions than they need. According to Wysopal’s colleague at Veracode, Chris Eng, Vice President Research, they frequently see simple games of tic-tac-toe asking for every permission under the sun. Obviously a game like that doesn’t need access to the phone’s microphone, but it’s still asking for it. And many times the users don’t even realize what permissions they’re granting upon installation.
According to Chet Wisniewski, Senior Security Adviser at Sophos, users usually operate either under the Apple model, where the company’s app store overseers determine for the user whether permissions are appropriate, or the Android model, where there’s an open-door policy but the user is asked whether they wish to grant certain permissions. The verbiage for this is so obscure, and there’s no way to tick or untick policies and still run the app, so more than likely the user is going to just say “yes” to everything. Wysopal agrees, saying that if someone sees that an app wants to communicate over the Internet, their instinct is to say, ‘OK, fine.’ “They don’t realize that that means your flashlight app could be communicating with some server somewhere,” he says. Where all of these unchecked permissions become scary is when they get to the point where an app could not only profile you, but potentially put together your real identity. “When you sign up for something, you give an e-mail address or your Facebook login, and you can tie all of this profile information to a real individual, now you have databases that can be created of this individual,” Wysopal says. “We know where they live because of their GPS information, where they sleep at night, where they work, and where and when they go shopping. It can start to build a pretty detailed view of your life because you always have your phone with you, and if you’re always interacting with social networking and messaging and e-mail on the phone. So basically your whole life is out there.” What’s more, when enterprise data mingles with personal data, that information is at risk as well. Wisniewski says that with Android, it is possible to hook into the Google API and create rules that deny or allow app downloads based on the permissions. But iPhones are a harder nut to crack. “If I were an IT manager, I would like to be able to say, ‘Sure, allow things that can tell what the phone state is, but don’t allow things that can record from the microphone or don’t allow things that can read from this particular partition where sensitive data is stored,’” he says. “But Apple doesn’t allow that today. There’s a lot of power there, and if Apple were to embrace it, that could be one of the best roads forward.”
Source: Dark Reading
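The permission-based rule Wisniewski describes for Android, as an added example that is not from the article's sources: an enterprise policy applied to a constructed manifest for a flashlight app. The permission names are standard Android ones; the policy, the manifest, the helper and the app categories are constructed for the illustration.

```python
"""Added example: vet an app by its declared Android permissions against an
enterprise policy. Permission names are standard Android; the policy, the
manifest and the app categories are constructed for this illustration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed policy, following the split the text describes: phone state is
# fine, the microphone is not, and anything else needs a justification.
DENY = {"android.permission.RECORD_AUDIO", "android.permission.READ_SMS",
        "android.permission.READ_CONTACTS"}
ALWAYS_OK = {"android.permission.READ_PHONE_STATE", "android.permission.VIBRATE"}
EXPECTED = {
    "flashlight": {"android.permission.CAMERA", "android.permission.FLASHLIGHT"},
    "game": {"android.permission.INTERNET", "android.permission.VIBRATE"},
}
LOCATION = {"android.permission.ACCESS_FINE_LOCATION",
            "android.permission.ACCESS_COARSE_LOCATION"}

# Constructed manifest for a flashlight app that asks for far more than it needs.
TORCH_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>
"""


def build_manifest(package, perms):
    """Constructed helper: a minimal manifest declaring the given permissions."""
    body = "\n".join('  <uses-permission android:name="%s"/>' % p for p in sorted(perms))
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">\n%s\n</manifest>' % (package, body))


def declared_permissions(manifest_xml):
    """Collect every uses-permission name from the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def evaluate(manifest_xml, category):
    """deny: a forbidden permission is declared; review: permissions beyond
    what this kind of app plausibly needs; allow: nothing unexpected."""
    perms = declared_permissions(manifest_xml)
    denied = sorted(perms & DENY)
    excess = sorted(perms - EXPECTED.get(category, set()) - ALWAYS_OK - DENY)
    notes = []
    # Internet access plus any location permission lets a profile leave the phone.
    if "android.permission.INTERNET" in perms and perms & LOCATION:
        notes.append("location data can leave the device")
    if denied:
        verdict = "deny"
    elif excess:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "denied": denied, "excess": excess, "notes": notes}


if __name__ == "__main__":
    print(evaluate(TORCH_MANIFEST, "flashlight"))
```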
Feature
Big Data could create compliance issues
The bigger data sets grow, the harder compliance could become. By Ericka Chickowski
Just like “the cloud” of 2009 and 2010, this year’s red-hot buzz term bandied about by executives who may or may not have a clue what it means is ‘Big Data.’ But just as 2011 saw the world wrap its head around the cloud, the time is coming when technology around Big Data will gain traction, understanding and deployments. And when it does, infosec professionals need to be ready for the security and compliance complications that it could potentially introduce. So what exactly is Big Data? In a nutshell, it’s a data set that’s too big to be crunched by traditional database tools. Whether it is from scientific or environmental sensors spewing out a cascade of data, financial systems producing a mounting cavalcade of information or web and social media apps that create a snowballing mass of records, Big Data is typically classed as such if it exhibits three essential dimensions. They’re what Gartner’s Doug Landoll, then of META Group, back in 2001 called the 3Vs of data management: volume, variety and velocity. The first one’s obvious; clearly something wouldn’t be called Big Data if there wasn’t a heck of a lot of it. But Big Data is also a swarm of unstructured data that has got to be fast to store, fast to recover and, most importantly, fast to analyze. “While many analysts were talking about, many clients were lamenting, and many vendors were seizing the opportunity of these fast-growing data stores, I also realized that something else was going on,” Landoll wrote recently in a retrospective on that first report. “Sea changes in the speed at which data was flowing mainly due to electronic commerce, along with the increasing breadth of data sources, structures and formats due to the post Y2K-ERP application boom were as or more challenging to data management teams than was the increasing quantity of data.” When Landoll first wrote about the 3Vs 11 years ago, he was mostly addressing the data management challenges that had contributed to the evolution of data warehousing. These types of data stores gain their value mainly through analysis — which is why data warehousing and business intelligence had gone hand-in-hand for years before ‘Big Data’ became common parlance. Speculatively speaking, the benefits of analyzing Big Data include the ability to make better business decisions and reduce waste in vertical markets such as the public and healthcare sectors. According to a study by MGI, even retailers properly utilizing Big Data can increase their operating margin by a whopping 60 percent. Whether Big Data is going to reside in the data warehouse or some other more scalable data store still remains up in the air. One thing is for certain, though: Big Data is not easily handled by the relational databases that the typical DBA is used to wrangling within the traditional enterprise database server environment. “What’s emerging is a new world of horizontally scaling, unstructured databases that are better at solving some old problems. More importantly, they’re prompting us to think of new problems to solve whose resolution was never attempted before, because it just couldn’t be done,” say the authors of the Accenture Technology Vision 2012 report released last week. “We foresee a rebalancing of the database landscape as data architects embrace the fact that relational databases are no longer the only tool in the toolkit.”
The question for security professionals, of course, is this: if this growing mass of data is becoming increasingly unstructured and is accessed from an ever-distributed cloud of users and applications looking to slice and dice it in a million and one ways, how can they be sure they’re keeping tabs on the regulated information in all that mix? “Organizations aren’t realizing the importance of such areas as PCI or PHI and failing to take necessary steps because it is flowing with other basic data,” says Jon Heimerl, Director of Strategic Security for Solutionary. “Mainly, Big Data stores are leading organizations to not worry enough about very specific pieces of information.” Joe Gottlieb, President and CEO of Sensage, says that the healthcare example is one of the most important for compliance executives as they examine how Big Data creation, storage and flow works in their organizations. “The move to electronic health record (EHR) systems driven by HIPAA/HITECH is causing a dramatic increase in the accumulation, access and inter-enterprise exchange of PII,” he says. “For the largest healthcare providers and payers, this has already become a Big Data problem that must be solved to maintain compliance.” While the prospect of proving compliance within massively muddled Big Data stores is daunting, the slow development of laws and regulations may work in favor of CISOs trying to get a bead on Big Data. “From a compliance perspective, many of the laws and regulations have not addressed the unique challenges of data warehousing. Many of the regulations don’t address the rules around protecting data from different customers at different levels,” says Tom McAndrew, Executive Vice President of Professional Services at Coalfire. “For example, if a database has credit card data and healthcare data, do PCI and HIPAA apply to the entire data store, or only the parts of the data store that have the data? The answer is highly dependent on your interpretation of the requirements and the way you have implemented the technology.” Similarly, social media applications that are collecting tons of unregulated, yet potentially sensitive, data may not yet be a compliance concern. But they are still a security problem that, if not properly addressed now, may be regulated in the future. “Social networks are accumulating massive amounts of unstructured data — a primary fuel for the Big Data problem, but they are not yet regulated so this is not a compliance concern but remains as a security concern,” Gottlieb says. According to McAndrew, security professionals concerned about how things like Hadoop and NoSQL deployments are going to affect their compliance efforts need to take a deep breath and remember that the general principles of data security still apply. “It really starts with knowing where your data resides. The good news is that with the newer database solutions, there are automated ways of detecting data and triaging systems that appear to have data they shouldn’t,” he says. “As you get your organization to map and understand your data, look for opportunities to automate and monitor compliance and security through data warehouse technologies. Automation has the ability to decrease compliance and security costs and get higher levels of assurance that you know where your data is and where it is going.” In addition to understanding where the important data sits, organizations also need to think about finding ways to segregate it, which will make the deployment of security measures such as encryption and monitoring more manageable. “After organizations better understand their data, they need to take important steps to segregate it. The more data you silo as high-level, the easier it will be to protect and control it,” Heimerl says. “Smaller sample sizes are easier to protect and can be monitored separately for specific necessary controls.”
Source: Dark Reading
Ericka Chickowski is Contributing Editor, Dark Reading.
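The discovery and segregation steps McAndrew and Heimerl describe, as an added example that is not from the article's sources: find Luhn-valid card numbers in free-text records, tag those records as PCI-scoped and route them to a restricted store while the general store receives a redacted copy. The records and store names are constructed; the card numbers are the well-known test numbers, not real accounts.

```python
"""Added example: locate payment card numbers inside unstructured records and
segregate the records that carry them. Records and store names are
constructed; the card numbers are the well-known test numbers."""
import re

# 13 to 19 digits, optionally grouped by spaces or dashes, not inside a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit validation, which payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _valid_pan(candidate):
    digits = re.sub(r"\D", "", candidate)
    return digits if 13 <= len(digits) <= 19 and luhn_ok(digits) else None


def find_pans(text):
    """Return Luhn-valid card numbers (digits only) found in free text."""
    return [d for d in (_valid_pan(m.group()) for m in PAN_CANDIDATE.finditer(text)) if d]


def mask(pan):
    """Keep first six and last four digits, the usual display rule for a PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text):
    """Mask valid PANs in place; other digit runs (order ids etc.) are left alone."""
    def repl(m):
        digits = _valid_pan(m.group())
        return mask(digits) if digits else m.group()
    return PAN_CANDIDATE.sub(repl, text)


# Constructed records from a mixed store; evt-1001 carries a 16-digit order
# number that is not Luhn-valid and must not be mistaken for a card.
RECORDS = [
    {"id": "evt-1001", "source": "clickstream", "text": "user=44 viewed /cart order=1234567890123456"},
    {"id": "evt-1002", "source": "support-chat", "text": "customer says card 4111 1111 1111 1111 was declined"},
    {"id": "evt-1003", "source": "app-log", "text": "payment token tok_7f3a retry=2"},
    {"id": "evt-1004", "source": "email-export", "text": "please refund 5500-0000-0000-0004 for ticket 88"},
]


def classify(records):
    """Tag each record: PAN-bearing records are PCI-scoped, the rest are not."""
    out = []
    for rec in records:
        pans = find_pans(rec["text"])
        out.append({"id": rec["id"], "source": rec["source"],
                    "regulated": "PCI" if pans else None,
                    "pans_masked": [mask(p) for p in pans]})
    return out


def segregate(records):
    """Raw PCI-scoped records go only to the restricted store; the general
    store keeps every record but with card numbers redacted."""
    stores = {"restricted": [], "general": []}
    for rec, tag in zip(records, classify(records)):
        if tag["regulated"]:
            stores["restricted"].append(rec)
            stores["general"].append({**rec, "text": redact(rec["text"])})
        else:
            stores["general"].append(rec)
    return stores


if __name__ == "__main__":
    for tag in classify(RECORDS):
        print(tag)
```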
Feature
Whose job is virtualization security? The adage “When everyone’s in charge, no one’s in charge” applies all too well to private cloudified networks By Richard Dreger
As network boundaries blur and longstanding design paradigms fall by the wayside, how do we assign accountability for security? It’s a pressing question: because virtualization gives us so much power and flexibility, we’re moving ahead at a breakneck pace, often without looking closely at whether security-assurance levels remain as the service delivery model morphs. Whether adding virtualization will break security depends on how you do IT. A unified organization, where network, storage, application and security groups work well together, communicate openly and follow a documented security program, can take the added complexity of multi-site virtualization in stride. Sure, processes will need to be expanded and new standards developed, but as a whole, the team approach can extend. But what if your IT “department” comprises independent silos that not only don’t integrate, but have clear, perhaps formally designated, boundaries? How does that work in a highly virtualized environment, where you can easily have dozens of complete ecosystems residing within a single rack of equipment? It doesn’t. Not only can we no longer physically examine system perimeters, the whole concept of providing adequate segmentation or defining an accreditation boundary demands work from multiple teams. If one group fails or even makes a simple configuration error, the whole system could become unreachable or open to unauthorized access.
Say you have three major customers, all requiring different security-assurance levels. Maybe one’s a large retailer, another is in healthcare, and another is a federal contractor. To make the most of your hardware investment and maximize performance, you use a shared SAN that connects back to multiple blade servers. Since things are virtualized, you’ve configured the appropriate virtual networks and provided connectivity out of the virtual world via high-speed links to core network equipment and beyond. The goal: to ensure that each customer gets the resources it needs while maintaining an audit-ready security posture. To provide segmentation, you need the physical hardware team, and maybe the systems team, to configure the SAN disk arrays to balance performance, storage, and access requirements. Sure, you could physically carve up the disks and give different slices to each customer to provide a physical boundary, but this concept is anathema to performance-minded shops and the private cloud model. Storage, regardless of how we choose to divvy it up, is then made available to our system infrastructure, in which we’re creating various securely configured virtual machines for each customer. These VMs are then provided with network connectivity, access controls, and perhaps firewalling to permit approved communication with other resources. Communication will ultimately terminate on a strong segmentation boundary, such as a next-generation application firewall with intrusion prevention, data loss prevention, and the like, to limit intracustomer traffic. Even this relatively simple setup requires the skills of system, project, network, and security teams, at a minimum, plus careful coordination, planning, and documentation (there, we said it) to ensure proper client isolation. 
If audits are required, then the due diligence bar is raised even higher, as segmentation must be shown all the way through the layers from physical disk partitioning up through multiple network and application access levels.
Clearly, even a monolithic security team can’t perform all of these duties effectively. It’s tempting to just say, “Security is now everyone’s responsibility,” but that’s not the whole story, either. You need to do some re-structuring. The InformationWeek Virtualization Management Survey asked about this: of 396 IT pros from larger companies, 33 percent have re-organized or are re-organizing, and 18 percent see the need.
So what’s the right structure?
The security team, led by a chief security officer or chief information security officer, still bears the ultimate accountability for ensuring data protection, defining the security program vision, and managing various security resources. In a private cloud, everyone has a security job to do, but no one has free rein. Rather, the security team, whether an army of one or a larger group, must liaise with the other teams to craft a multitiered strategy. In this model, security systems are developed jointly, with the security team responsible for the overarching assurance requirements and the appropriate technical teams helping with the controls they know best. A CISSP will never be as good at Active Directory architecture design as the Microsoft guru, so don’t try to be. Instead, work to guide the AD architecture design and ensure that it provides sufficient protections and can stand up to objective scrutiny — an audit by an outside firm. A decentralized but interlinked organizational structure will extend well into the virtual environment. Consider a few take-home guidelines as you segue into a heavily virtualized world:
Define your requirements: I find myself repeating this like a mantra. If you haven’t defined your requirements, then you don’t know if your team can do what you need it to do. Virtualization comes with a slew of new tools, toys, and technologies to choose from, and requirements, once defined, should lead you to select the correct controls and products — not vice versa. It can be easy to get lost in technical minutiae and forget what the goals are or where the “minimum sufficient” level is. Clear requirements help define and achieve success in complex projects.
Communicate openly and often: Hard as it can be, teams must really communicate, not just talk at one another. As discussed earlier, each group is responsible for more than excelling at its own area of expertise. These skills must be guided and coordinated to ensure that the IT organization operates as an effective whole. The only way to do that is to sanity check the virtualization plan as a whole in terms of business and security requirements. Mid-level IT managers can prove most crucial to making this happen. They know their teams the best and can communicate both at the individual technical level and up the chain to management.
Someone must still be in charge: Remember the way we started this out? If no one person or group has ultimate accountability for a client or resource, then nobody does. Even when we have each layer of the IT team supporting our security initiatives, the security team (and CISO) must be confident that risk has been properly managed and the appropriate controls deployed and regularly checked. Trust but verify.
Source: InformationWeek USA
march 2012 i n f o r m at i o n w e e k 55
Case Study

Right people, right skills, right time!

A workforce solution fosters high-quality medical services and saves lives by ensuring the availability of people with the right skills, at the right time

By Brian Pereira

Medanta – The Medicity is one of India’s largest multi-super-specialty institutes, located in Gurgaon. Founded by eminent cardiac surgeon Dr Naresh Trehan, the institution was envisioned with the aim of bringing to India the highest standards of medical care along with clinical research, education and training. Spread across 43 acres, the institute includes a research center and a medical and nursing school, and it has six centers of excellence.

In the healthcare sector, employees are the most critical assets and also one of the largest components of costs. Hence, right from its inception, Medanta realized the importance of having real-time visibility into a workforce that needs to work 24x7. For Medanta, it was critical to make sure that the right set of people were available at the right place and the right time. The typical manpower ratio in a hospital is 1:5 or 1:6 (five to six employees per bed), but at Medanta it is 1:8. There are 5,600 employees working from a single location, and after commissioning the remaining beds this number is expected to touch 9,000 to 10,000.

“We realized that people, their skills and knowledge are crucial to offer medical care services. In healthcare there is no tomorrow — if a person has a heart attack you need to attend to that person immediately. In order to offer people real-time services, it was crucial to offer the right skills at the right point of time in all corners of the hospital, in all specialties and modalities. That called for a very productive system. Since people in India are not willing to spend for quality healthcare, we also wanted to keep our costs to the minimum,” said Arun Datta, Senior Vice President-HR, Medanta Medicity.

A little over two years ago, Medanta began scouting for a workforce solution that was robust (low failure rate), scalable and cost-effective. The solution had to ensure the availability of people with the right skills, at the right time (24 hours), in any corner of the hospital. Medanta was looking for a real-time attendance system that fulfilled all these needs, and it opted for the Workforce management system from Kronos. “We opted for Kronos as it is an end-to-end solution. Other solutions either did not have analytics or did not offer hardware-software integration. We were looking for a solution that could withstand very intensive use. When you have 4,000 employees checking in, imagine the chaos caused by a system failure,” said Datta.

Implementation

The system was implemented in eight weeks, and Medanta claims there were no major issues. The institute is using Kronos 4500 terminals. The ATM-like terminals act as an employee login and enable staff to avail themselves of employee self-services. To keep the load factor in check, Medanta classified all the terminals into three groups. Details of, say, 2,000 staff lie on a particular group of terminals, but there is restricted access to some information. “Since employee data is spread over different terminals, it reduces the queuing. Secondly, it enables an employee to check his data from a particular terminal. So an employee does not have to go to HR or use an employee self-service (portal) to figure out if his punch has registered. This can be verified on the terminal itself,” said Datta.

Business Benefits

Post-implementation, the benefits realized are largely qualitative, and it is largely about skills optimization. Kronos HR officials feel the objective of streamlining the availability of people with the right skills, at the right time, has been met. “One of the advantages of this system is that it addresses a variety of skills, multiple levels of people, and it also offers real-time attendance data,” said Datta. “We have information about how many nurses, technicians and doctors are working in a particular ward at any point of time. This enables us to provide the highest quality of services.” Datta informed us that Medanta has also implemented the Kronos Workforce Scheduling tool and will next implement the Advanced Scheduling tool.

Well, this is a lesson in quality assurance from the healthcare industry. Here’s a single end-to-end solution that can ensure a high degree of service (and save many more lives too) — just by ensuring that people with the right skills are available at the right place and at the right time.

Brian Pereira
brian.pereira@ubm.com
Interview

‘CIOs must leverage social media to increase their presence in the boardroom’

The rapid rise in popularity of social media is posing unique security challenges for CIOs. To discuss how CIOs must handle social media, InformationWeek’s Srikanth RP caught up with Arun Sundararajan, NEC Faculty Fellow and Associate Professor at New York University’s Stern School of Business. Some edited excerpts:

Does social media make ‘IT savvy’ more or less important to an organization and its leadership team?

An organization that better understands the importance of IT has an advantage in grasping the strategic importance of social media. As a consequence, organizations that are leaders in IT or use IT effectively will also be able to better anticipate and take advantage of changes in social media. When an organization is IT savvy, it takes a broader view. With social media, IT-savvy organizations have an opportunity to broaden the scope of IT’s impact — much more than what the traditional IT function influences. Unlike historical enterprise IT, where consumers were more of an afterthought, social media is an example of the opposite trend — the consumerization of IT — wherein adoption is not based on the product release cycles of big organizations, but is driven by consumers and then adapted for business use. As IT gets consumerized, the pace of change is more rapid and unpredictable, thus IT savvy becomes even more critical.

As the adoption of social media grows, should CIOs sit on the sidelines, or should they make social media part of their charter?

CIOs must definitely not sit on the sidelines, but instead use social media to increase their presence in the executive conversation. IT is central to the organization, and if CIOs show that they can create a comprehensive framework for governing social media data within their own organization, they can put their organizations in a vantage position. A smart CIO will encourage and facilitate social media in the organization, thereby enhancing his or her value to the organization. Instead of trying to suppress social media at the fringes, CIOs must embrace it, expand their charter to include it, and show their organizations how to use it to create business opportunities, thus further strengthening their role as a bridge between IT and the business side.

What is the strategic importance of social media, and what is the role of the CIO, CMO and CEO in articulating it?

Until recently, communication between an enterprise and the consumer has been largely one way, from the firm to the consumer. Social media is changing this by opening up new conversations with consumers, and taking the role of the firm beyond articulating product features or telling people about your R&D or manufacturing capabilities. Hence, organizations have to make the transition from “broadcasting” to being the mediators of a conversation. Technologically savvy CIOs have a natural advantage in spotting trends and grasping the nuances of social media, but organizations still need to make sure their CMOs are technologically geared up, since marketing and communications strategy needs to be interwoven carefully with the use of this new medium.

How does social media change the online-offline mix?

The online experience has to be matched by a quality offline experience. For example, if a company provides poor-quality customer service offline, then it is bound to be amplified by social media reactions, spreading across the customer base rather than being isolated to one person.

Srikanth RP
srikanth.rp@ubm.com
Event

Unlocking innovation through collaborative technologies

At the Converged Enterprise Mobility Forum, technology experts from IBM and Cisco interacted with business users and IT heads from leading companies to explore cutting-edge collaborative technologies for delivering business growth and improving productivity

In a dynamic business environment, geographically distributed teams need to collaborate in real time to deliver business results. Employees need to be empowered with information anytime, anywhere — regardless of the device they use. As old devices come up for a refresh, and the pent-up demand for functionality increases, IT departments everywhere will be forced to seriously consider opening the doors to true mobility. How can enterprises integrate silos of information and independent communications systems into a single communications network? How can businesses take advantage of the growing trend of consumerization of IT without losing control?

A group of IT heads met to discuss this at the Converged Enterprise Mobility Forum in Mumbai on 8th February 2012. At this forum, technology experts from IBM and Cisco interacted with business users and IT heads from leading companies to explore cutting-edge collaborative technologies for delivering business growth and improving productivity.

InformationWeek Editor Brian Pereira opened the forum by discussing current trends in the enterprise. These trends revolve around organizational structures and workforce dynamics. We are witnessing a change in organizational structures — moving from a departmental structure with physical demarcations to one that is resource-centric, with consultants and experts offering services irrespective of location. Project teams never meet in the physical world, but meet and collaborate in the virtual one. And in many instances, half the employees, perhaps more, work from outside.

The second trend is the revolutionary change in the workforce, or at the workplace. A young generation — one that is Internet- and gadget-savvy — is coming into organizations. This generation is comfortable using all the latest technologies and insists on using its high-end smartphones and tablets in the workplace. They want to make the technology choices.

IT heads discussed the security implications in organizations that encourage BYOD (bring your own device), with experts in the audience sharing their best practices for risk assessment. There were also discussions on the benefits of using pervasive video for collaboration at all levels in the enterprise. Many user organizations that participated in this forum shared their experiences with video technologies and how they benefited.
Event

NASSCOM celebrates industry growth at 20th India Leadership Forum

Business seems to be better than the mood, and the industry is on track to achieve its USD 100 billion target this fiscal

InformationWeek News Network

There was a mix of optimism and caution in the air at the press conference a day before the NASSCOM India Leadership Forum (NILF 2012) began on 14th February 2012. As a senior NASSCOM executive put it, “There are headwinds, but there are tailwinds too!” And there were enough reasons to celebrate. For one, growth has been amazing. The IT-BPO industry is on track to touch USD 100 billion this financial year; two decades ago the industry was valued at USD 100 million. The CAGR in the last five years was 17 percent. Secondly, growth brings in more jobs. NASSCOM estimates 230,000 jobs will be added in fiscal 2012, notwithstanding the downturn. Thirdly, revenues are coming in faster and there is a shift towards non-linearity in revenues.

The core theme of NILF 2012 was ‘hyperspecialization’, and it marks the world’s journey from simple and stable to complex and complicated. Essentially, a task that was earlier done by one person or one party can now be broken up into more specialized pieces done by several people with specialized skills — resulting in quality, speed and cost benefits. “It is not just the simple models of business, which we started the industry with, that are propelling growth. There’s a substantial amount of internal change, and (that’s why) the theme for this year’s event is hyperspecialization,” said Rajendra Pawar, Chairman, NASSCOM.

Pawar said M&As are an example of this change, with M&As increasing 77 percent in the last two years. He later spoke of disruptive technologies like Cloud, Virtualization and Analytics that are also causing change. “The industry is becoming more global, with 5–6 percent of companies having their workforce outside (India). The diversification of the industry is becoming richer and we see that as a necessity for growth in the future,” said Pawar. “In terms of employment we added 2.3 lakh jobs, contributing to a total workforce of 2.8 million.”

Apart from hyperspecialization, the agenda of NILF was structured around three additional themes: Global Uncertainties — is business better than the mood; Leadership in Uncertain Times; and Emerging Opportunities. NILF 2012 was held in Mumbai between 14-16 February. The forum had over 45 sessions with over 120 speakers and more than 1,600 delegates, with representation from over 25 countries. Some of the countries that participated were New Zealand, Japan, China and Germany.

Sharing his views, Som Mittal, President, NASSCOM said, “NILF is a platform where global leaders congregate every year to discuss key changes in the industry, opportunities ahead, creating partnerships and addressing challenges. For us at NASSCOM, the discussions at this forum provide the strategic thrust and direction for our activities to enable the industry’s growth and development.”

This year the forum had new sessions like Gurukul — enabling mentorship for young companies; and Analysts’ Corner — where research firms Gartner and Forrester addressed issues pertaining to the global sourcing sector. In addition, there were special breakaway sessions such as Leader2Leader, Master Class, Idea Incubator, and power roundtables focused on bringing together industry experts to discuss the nuances of business, technology, management, leadership and other topics. Some of the leading speakers at NILF 2012 were Pranav Mistry (MIT), Venkatesh Prasad (Ford), Darcy Antonellis (Warner Brothers), Padmasree Warrior (Cisco Systems), Abhishek Bachchan, Shekhar Kapur, and Sir Richard Hadlee (former cricketer), among others (read our reports on their sessions in this section).

NASSCOM is the premier trade body of the IT-BPO industries in India. It is a global trade body with more than 1,200 members that include both Indian and multi-national companies. NASSCOM’s membership base constitutes over 95 percent of the industry revenues in India and employs over 2.5 million professionals.

Rajendra Pawar, Chairman, Nasscom
Som Mittal, President, Nasscom
Cisco CTO: Networks are becoming more intelligent

The volume of traffic on the Internet will cross one Zettabyte (10^21 bytes) by 2020, and a large part of this will be unstructured data and video traffic. There will be new applications and services, and hence more content on the Internet. That will put a huge load on public networks, which will need to evolve and become more intelligent. This was the basis of a technology keynote titled ‘Zero to Zetta’ delivered by Padmasree Warrior, CTO, SVP Engineering and GM Enterprise Segment, Cisco Systems, at the Nasscom India Leadership Forum on 14 Feb in Mumbai.

“Today there are 13 billion devices connected to the Internet. By 2020 there will be roughly 50 billion devices connected. Along with that, there are more applications and services being created. That means the content on the Internet is going to increase. So by 2020 there will be a Zettabyte of information traversing the Internet,” said Warrior. She suggested that the network will not be only about connectivity — rather, it will be about experiences and collaboration.

Warrior also predicted that video traffic will quadruple by 2014, and in fact two-thirds of mobile traffic will be video. “That means we will soon be doing conferences like this (NASSCOM) virtually (using video). At Cisco we do our annual sales conference virtually, and so we cut down on travel and save costs,” added Warrior.

Analysts have said the explosion of devices will lead to increased adoption of the cloud. Warrior regards cloud technology as a “consumption model” for delivering IT as a service. “With the explosion of devices, cloud is taking off much faster than people thought, and by the end of this year roughly 70 percent of enterprises will be consuming cloud in some form,” suggested Warrior.

While many data centers are being virtualized today, the other trend that Cisco observes is desktop virtualization. While this makes it easier and more cost-effective to provision and manage desktops, it becomes a challenge to deliver rich media on virtualized desktops for technical reasons. But Cisco is working towards delivering streaming media applications on virtualized desktops, Warrior said.

—Brian Pereira

Padmasree Warrior, CTO, SVP Engineering and GM Enterprise Segment, Cisco Systems
MIT’s Pranav Mistry amazes audience at NILF

A PhD student in the Fluid Interfaces Group at MIT’s Media Lab, Pranav Mistry has always amazed the world through a series of inventions that have challenged the traditional notion of technology. At the 20th NASSCOM India Leadership Forum, Mistry showed the audience why the IT world needs to look beyond technology limitations by demonstrating some of his innovations.

Mistry showcased his previous projects at MIT, which include intelligent sticky notes and TeleTouch — a technology that lets you touch and control objects from afar. For example, you can use your smartphone to switch off your lamp or AC. As every device is IP-enabled and recognized, you can control the devices by just viewing them on your smartphone and clicking the image of the device on your phone. Mistry showcased another technology called SPARSH that lets one conceptually transfer media from one digital device to his body and pass it to another digital device by simple touch gestures. Mistry clicked a photograph of a person on the stage and transferred it to his laptop by just using his hand. You just need to touch whatever you need to copy, and then touch the device where you want to paste the content.

Some more quotable quotes from the speech given by Mistry at NILF 2012:

- We are on the verge of an era where information is going to change its medium again — the same way static mediums such as books gave way to dynamic mediums such as computers.
- Every industry at its maturity looks for the humane touch. We are now in an era where human aspects are extremely important. For example, if I put a coffee cup on a table, can it suggest nearby coffee places for me?
- I believe that every problem may not necessarily have a technological solution. For example, is a tablet really necessary when the people may not even know how to use it?
- Technology can only make sense if it benefits the masses.
- Technology is never the limiting factor; it is the human factor. For example, devices can be made extremely small, but can humans use them properly?

—Srikanth RP
Event

How the Indian IT-BPO industry can accomplish USD 500 billion

At the NASSCOM India Leadership Forum 2012, Kumar Parakala, COO, Advisory, KPMG and Pradeep Udhas, Partner - Advisory Services, Head - IT/BPO, KPMG told InformationWeek what it would take for India to become a global hub and increase its share in global outsourcing

By Brian Pereira

The Indian IT-BPO industry has grown tremendously in the last two decades, from USD 100 million to USD 100 billion. Leveraging cost arbitrage and quality work, India commands 50-55 percent offshore market share. But with more countries or contenders in the fray for offshore services, this can no longer be India’s trump card; to continue the growth momentum, India needs to become a global hub for IT-BPO. And the hub and spoke model is the key to increasing its share of the global market, which is currently 5-6 percent. By getting a few things right, India can increase this market share to 15 percent in the next 10 years.

KPMG recently released a report titled ‘Hub and Spoke operating model — a new business paradigm for the Indian IT-BPO industry’. The report explains the hub and spoke model, its key benefits, and suggests imperatives for India to leverage this model to become a leader in global outsourcing. The report also envisages India as an established brand for global outsourcing, managing global supply chains with its skilled workforce. Kumar Parakala, COO, Advisory, KPMG and Pradeep Udhas, Partner Advisory Services, Head - IT/BPO, KPMG told InformationWeek, at the NASSCOM India Leadership Forum 2012, what it would take for India to become a global hub and increase its share in global outsourcing.

What are the objectives of this report? What does it set out to accomplish?

Kumar: We are now the global leaders in the (outsourcing) space; we should think about how we should leverage this standing to further add value to our clients, to further expand the businesses that we have in India and also to adopt a more collaborative approach with other countries where our clients exist. So this report is all about leveraging the brand that the IT industry has created. It’s about brand India being leveraged as a provider of services for the rest of the world, by being a hub in the hub and spoke model.

With 560 delivery centers in 70 countries across the world, India has already established itself in the global arena. So what more will it take for India to become a global hub?

Kumar: We have come a long way and achieved USD 100 billion. But we just have 5-6 percent of the global business coming to India. Over the next 10 years, if we aim for 10-15 percent of that global business, then we would have a USD 500 billion industry. We need to have a vision for this, a plan that is agreed by all stakeholders, and we need to take the hub and spoke approach to deliver services. We also need companies to innovate and see their future business coming out with these changes. We cannot continue to do what we do best (outsourcing) — our services will become obsolete. The cost arbitrage will become lesser and services will become commoditized. There will be too many players and no value proposition. This (global business) provides us with an opportunity to expand beyond India in a global environment. Rather than have something delivered by an Indian company, as a service provider, it should be delivered by Indian talent all over the world. So it is about Indian know-how compared to Indian labor.

Udhas: Becoming a USD 100 billion industry in two decades is a tremendous achievement. Commanding 55 percent in offshore services is no mean achievement. We had a CEO panel at the NASSCOM India Leadership Forum. What came out there was that India has reached an inflection point. We can command 10-15 percent of the market in the next 10 years if we re-position our brand now. We need to become a hub and go-to point for IT-enabled transformation in the world. We will use technology and people from anywhere in the world to transform global business models. And we can manage the spokes that go to other countries like Sri Lanka, the Philippines, Eastern Europe etc. It’s what the Americans did in the last five decades and what the Japanese did from the ‘80s onwards. So everyone on the panel agreed that we need a mindset change. The other point that came out in the panel is that there should be professional respect — it should not be based on one’s nationality. We should leverage each other’s skills and work together in a collaborative fashion. It’s also about adapting to cultures, and Indians are naturally good at this. There will be more sensitivity towards other cultures when Indians are managing global supply chains. But we’ve got to start thinking global. We need a level of sophistication in management and governance structures. And then there are other aspects like quality management etc.

How has global outsourcing evolved since the 80s? What were customers asking for then and what do they expect today?

Kumar: There were three layers to global outsourcing: transaction-oriented work done onshore or onsite. The second phase (last 12-15 years) was offshoring — moving the complete work and parts of the businesses to offshore locations, based on cost arbitrage. The next wave (started 3-4 years ago) was near-shoring. The fourth stage is the hub and spoke model. (Ed: This has been explained in detail in the KPMG report.)

What are the benefits of the hub and spoke model, and what are the critical success factors for us here?

Kumar: We are using Indian talent in the ITES sector to increase the requirements in a local environment. So if a customer wants us to set up a BPO in, say, Canada, we can leverage the India brand and use our talent pool to set up a world-class BPO in Canada. So we can use our brand to set up the service delivery centers to increase the value-add that they can bring to various companies. Secondly, the work can be done anywhere, not necessarily only in India — as long as it is delivered in the Indian way, with Indian talent and expertise. Thirdly, the BPO industry is going through a lot of challenges in terms of growth rates and meeting margins. So this is an opportunity for the industry to expand all over the world. The fourth benefit is that you can go up the value chain.

Are there any untapped industries for us in outsourcing?

Kumar: I think healthcare and education (content development) are big areas. The financial services sector also has huge potential, even though we are doing a fair amount of work in this sector.

What can our Government do to help India become a global hub?

Udhas: The government has to reflect on what made the software industry tick 15 years ago. It should not kill the goose that lays the golden eggs. Today, the tax holiday is gone and the government has put (18.5 percent) MAT (Minimum Alternate Tax) on SEZs (Special Economic Zones), making these irrelevant. Yes, the industry has matured now and everyone pays taxes, but this (industry) is also a great asset for the country. This is the only sunrise industry in perhaps the last 400 years and it is making India a global economic power. So the government needs to think about ways to give this industry a boost for the next 10 years, and one way is tax incentives. Secondly, there is a lot of confusion on transfer pricing, and it’s creating a lot of negativity in the industry and discouraging investment from global players. India can become a global hub if it doesn’t get constrained in rules and regulations. We need to have double taxation treaties with more countries.

Kumar Parakala, COO, Advisory, KPMG
Pradeep Udhas, Partner - Advisory Services, Head - IT/BPO, KPMG
CIO Profile

S Ramasamy, Executive Director (IS), IndianOil Corporation Ltd

Career Track

How long at the current company? I have been working with IndianOil Corporation Limited for the past 32 years.

Most important career influencer: Steve Jobs, the multifaceted genius. His creative prudence and out-of-box thinking inspires me to grab creative opportunities whenever possible.

Decision I wish I could do over: I believe in valuing myself in everything I do.

Vision

The next big thing for my industry will be…
- Delving into the depths of the Alternate Energy Sector and meeting the energy security of India by providing economic stability to the country.
- Expanding outreach to rural segments by building relationships.
- Enhancing business value through emerging technologies like Big Data, BI, mobile and cloud.

Advice for future CIOs:
- Be a good leader to inspire and influence all IT stakeholders
- Align IT with the organization’s vision and mission
- Identify new business enhancements, which are impossible without IT
- Transform the organization from knowledge-hoarding to knowledge-sharing

On The Job

Top three initiatives (in your entire career, in detail)
- SAP R/3 Implementation: Customization and implementation of SAP R/3 across all the operating units of the corporation (numbering around 797) and achieving a record simultaneous rollout on a single day at 45 units. This necessitated completing a major change management initiative. At the final stage, upgradation of SAP R/3 to SAP ECC 6.0 with a database of 8 TB and over 1,500 enhancements, without any business disruption.
- Automating B2B process: This project is one of the largest oil exchange platforms in the world. An attempt by India’s three largest organizations, IndianOil, BPCL and HPCL, to leverage their investment in ERP software and build robust cross-company business processes with new-dimension middleware technology.
- HCM Restructuring & Talent Management implementation: The initiative was to carry out the HCM restructuring process as the first step for HCM across IndianOil. Unification of rules and process harmonization for carrying out a unified integrated HCM project is the first of its kind in India.

Favorite project
The most notable project in my career was re-structuring the SAP HCM employee database structure from its historical status since the inception of IOCL to the current stage of employees, for planning a robust HR future for the corporation. This initiative required aligning and restructuring non-uniform, scattered SAP HCM data to standard definitions and uniform coding for enterprise, personal and organizational structure across IOCL. The project took 122 days with zero production business downtime. Based on the restructuring process, IOCL is able to implement payroll across the company.

How I measure IT effectiveness
- Difference between value creation and value delivery
- Customer Satisfaction Index
- End-user ease

Personal

Leisure activities: Listening to Indian classical music and folk songs
Best book read recently: Great by Choice by Jim Collins
Unknown talents (singing, painting etc): Low-light photography
If I weren’t a CIO, I’d be... A Petroleum Scientist focussing on Fluid Catalytic Cracking!

As told to Amrita Premrajan
Analyst Angle
Critical security questions to ask a cloud service provider
C
John Pescatore
Security should be a highly weighted evaluation factor in selecting a cloud service provider when critical customer and business information is involved
http://www.on the web Tough Questions To Ask Cloud Service Providers Read article at: http://bit.ly/wweGcu
66
informationweek march 2012
Cloud services can provide business advantages, but often lack transparency as far as security levels are concerned. Even more critically, many cloud services require businesses to modify their processes in order to take advantage of the shared-services nature of the cloud. This can lead to disconnects in business processes that can result in exposure of sensitive business and customer data. As a result, security must be a key criterion in any decision to use external cloud service providers when critical customer and business information is involved.

Security managers and other stakeholders considering cloud services must establish a minimum acceptable level of security that cloud service providers must demonstrate, then balance cost against additional security for those providers that exceed the minimum. Some industries have developed their own sets of critical security questions, and we are beginning to see some nascent cloud service security standards. Gartner does not expect cloud security standards to be agreed upon before the second half of 2012. Until that time, organizations should ask cloud service providers to detail security practices in these key areas: configuration management and change control; separation of duties and privileged user management; vulnerability assessment and management; identity and access management federation; denial of service prevention; and backup, recovery and continuity. Specifically, some pertinent questions to ask are:

- Does the cloud service provider require the use of two-factor authentication for the administrative control of servers, routers, switches and firewalls?
- Does it support IPsec or Secure Sockets Layer with Extended Validation certificates and two-factor authentication for connecting to the service?
- Does it contract for, or provide, protection against denial-of-service attacks against its Internet presence?
- Can it demonstrate established procedures for vulnerability management, intrusion prevention, incident response, and incident escalation and investigation?
- Can it show documented identity management and help desk procedures for authenticating callers and resetting access controls, as well as for establishing and deleting accounts?

Any candidate that answers ‘No’ to two or more questions should be eliminated if the cloud service will involve customer data or otherwise sensitive or business-critical data, because of the costs that will be incurred if such data is compromised.

An additional consideration is that many cloud providers use globally distributed data centers by design, and those data centers may be located in countries with varying national regulations. Organizations that decide not to place geographic restrictions should require an out-of-jurisdiction cloud provider to offer written, contractually binding assurances about what level of cooperation it will give its local government and law enforcement agencies. While contractual assurances cannot protect organizations against local government coercion, they can be used as the basis for terminating service without penalty.

Cloud services can certainly be used to gain business advantage, but the cost of a single security incident can wipe out the savings. Businesses need to extend their vendor management and security processes to cloud providers to gain the benefits while still living up to customer trust.

John Pescatore is Vice President and Distinguished Analyst at Gartner
Technology & Risks
Can we rely on biometric authentication?
Avinash Kadam

Biometrics, being directly linked to or derived from an individual, is a strong identification mechanism. But is it really foolproof?

On the web: Biometrics demystified: what you need to know. Read article at: http://bit.ly/AkhpgU

In today’s online world, our identification revolves around three things — what you know, what you have and who you are. The first one is exemplified by a number of things that we can recall from our memory, like a password, mother’s maiden name, place of birth and so on. The second factor of identification is usually based on a token, smart card or any such artifact whose possession could prove our identity. The third factor is provided by biometrics, which is a methodology to identify humans using their behavioral or physiological characteristics. Physiological characteristics include the identification of fingerprints, retina or iris structure, palm geometry, DNA, etc. Behavioral characteristics include voice, handwriting and typing rhythm. Biometrics is regarded as a powerful solution for individual identification and is used by the Unique Identification Authority of India (UIDAI) for providing unique identification to all Indians and by US-VISIT for identifying all visitors to the U.S.

However, biometric authentication is not really foolproof. While biometrics, being directly linked to or derived from an individual, is a strong identification mechanism, one of its limitations is that once stolen, it permanently loses its confidentiality and can never be replaced with another sample. You can change a password or replace a token, but if a fingerprint is stolen there is no way that it can be changed or replaced. Apart from this, if a biometric sample is inadvertently or deliberately exchanged with a criminal’s record, it can result in identity theft.

The first stage of biometric authentication, which involves the collection and storage of a biometric sample, is enrollment. This is the stage where a fraudulent entry could be inserted if adequate controls to verify the subject are not introduced. Another threat in the process is that the sample may remain on the collection device for a considerable time until it is transmitted to a more secure location, which gives an opportunity to replace or tamper with the sample. The next stage in biometric authentication is transmission for further processing. If the transmission medium is not secure, it may give another opportunity to a miscreant. Typically, the biometric sample undergoes preprocessing to remove background noise and then a template is created. The template includes all the main characteristics and is used for all future verification of samples.

One of the main concerns in a central database of biometric samples is the existence of duplicate entries. These could be the result of erroneous data collection or of fraud where fake entries carrying identical biometric samples are created. To reduce the possibility of duplicate records, as well as to improve the accuracy of identification, multi-modal biometric verification is done. For this, a combination of fingerprint, iris scan and photographic image could be used. This is a formidable task, as the number of records against which the matching is done to find duplicates is very large.

Another major concern related to biometric systems is the sensitivity of the sensor used to capture the sample so that it can be compared with the stored template. A highly sensitive sensor may give rise to a higher false rejection rate (FRR), as it will flag every variation as an error. If the sensitivity is lowered, it may give rise to a higher false acceptance rate (FAR), which may be dangerous from a security point of view. The equal error rate (EER) is the point at which FAR and FRR are equal. In general, the device with the lowest EER is the more accurate. The sensor itself should not store the sample data, and the transmission of samples for comparison with the template stored on a central computer should always be over secure communication links.

Avinash Kadam is at MIEL e-Security Pvt. Ltd. He can be contacted via e-mail at awkadam@mielesecurity.com
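The FAR/FRR trade-off described above is easier to reason about with numbers. The following is an added example written for this page, not code from the article or from any biometric vendor: it takes constructed matcher scores for genuine users and impostors (assumed values, not measurements), sweeps the decision threshold (a higher threshold plays the role of the article's "more sensitive sensor"), and reports where FAR and FRR meet (the EER) and what FRR an organisation pays if it tunes the threshold for a chosen maximum FAR.

```python
"""Added example: how the matching threshold trades FAR against FRR, and where the EER lies."""
from typing import List, Tuple

# Constructed sample data (not from any real biometric system): similarity
# scores in [0, 1] between a presented sample and the stored template.
# Genuine scores are from the enrolled person, impostor scores from others.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.73, 0.70, 0.66, 0.61]
IMPOSTOR_SCORES = [0.68, 0.62, 0.58, 0.55, 0.51, 0.47, 0.44, 0.40, 0.35, 0.30]


def far(impostor: List[float], threshold: float) -> float:
    """False acceptance rate: fraction of impostor attempts accepted (score >= threshold)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine: List[float], threshold: float) -> float:
    """False rejection rate: fraction of genuine attempts rejected (score < threshold)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def _thresholds(step: float) -> List[float]:
    """Evenly spaced thresholds from 0.0 to 1.0 inclusive, rounded to avoid float drift."""
    n = int(round(1 / step))
    return [round(i * step, 10) for i in range(n + 1)]


def error_curve(genuine: List[float], impostor: List[float],
                step: float = 0.05) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) triples across the whole threshold range."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in _thresholds(step)]


def equal_error_rate(genuine: List[float], impostor: List[float],
                     step: float = 0.01) -> Tuple[float, float]:
    """Return (threshold, EER): the lowest threshold at which FAR and FRR are closest.
    With discrete data the two curves may not cross exactly, so the EER is reported
    as their mean at the closest point."""
    best = None  # (gap, threshold, eer)
    for t in _thresholds(step):
        a, r = far(impostor, t), frr(genuine, t)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    return best[1], best[2]


def threshold_for_max_far(genuine: List[float], impostor: List[float],
                          max_far: float, step: float = 0.01) -> Tuple[float, float]:
    """Security-first tuning: the lowest threshold whose FAR does not exceed max_far,
    together with the FRR (the usability cost) paid for it."""
    for t in _thresholds(step):
        if far(impostor, t) <= max_far:
            return t, frr(genuine, t)
    return 1.0, frr(genuine, 1.0)  # only reachable if max_far < 0


if __name__ == "__main__":
    for t, a, r in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold={t:.2f}  FAR={a:.2f}  FRR={r:.2f}")
    t_eer, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER {eer:.2f} at threshold {t_eer:.2f}")
    t_sec, cost = threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0)
    print(f"Zero-FAR threshold {t_sec:.2f} costs FRR {cost:.2f}")
```

Running the sweep shows the two curves moving in opposite directions: lowering the threshold drives FAR up while FRR falls, and raising it does the reverse. With these constructed scores the curves meet at an EER of 0.10, and insisting on zero false acceptances costs a 20 percent false rejection rate, which is the kind of figure a deployment owner needs in front of them before choosing a sensitivity setting.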
Global CIO
Yahoo’s new chief: A CIO to CEO story
Chris Murphy

The IT nation is quick to claim new Yahoo CEO Scott Thompson as its own

Blogs: Chris Murphy blogs at InformationWeek. Check out his blogs at: http://www.informationweek.com/authors/1115

Yahoo’s search for leadership has gone down many familiar roads: industry outsider (Terry Semel), return of founder (Jerry Yang), and proven operator (Carol Bartz). But with Scott Thompson, Yahoo is taking one of the least-traveled paths to a CEO, by picking a former CIO.

Thompson has other executive experience, of course, most importantly running eBay’s highly successful PayPal business, which doubled revenue to more than USD 4 billion under his four-year leadership. But it’s a sign of how rare the CIO-to-CEO career path is that, minutes after the news broke on Twitter about Thompson’s appointment, someone chimed in to claim Thompson as part of the IT nation.

Thompson’s enterprise IT chops are legit: He was CTO at PayPal, Executive VP of Technology at Visa’s tech subsidiary, Inovant, and CIO at Barclays Global Investors. And he worked in the trenches delivering IT projects at Coopers & Lybrand.

Some doubt that Thompson’s tech-heavy experience is right for the huge turnaround Yahoo faces, but Wells Fargo equity analyst Jason Maynard likes Thompson’s background: “While some may have been hoping for an executive with pure media/advertising experience, we think the hire signals a much needed focus on product and customer experience,” he writes in his coverage of the announcement.

Much has been written about why more CIOs don’t become CEOs. They’re often pandering clichés, like CIOs aren’t good communicators. True, a CIO likely needs P&L responsibility before getting the CEO nod, but that’s not a huge leap given the importance of e-commerce, data-driven marketing, supply chains, and technology-embedded products today.

So instead of more of that, I’ll point you to a unique perspective: “What I’ve Learned As A CEO Working For A CIO.” It’s a blog post by Adam Brotman, Senior VP and Managing Director of Starbucks’ digital venture business unit, which directs Starbucks initiatives in areas such as digital content, mobile platforms, and mobile payments. Brotman was CEO of several startups before joining Starbucks, where he now reports to CIO Stephen Gillett, who also oversees digital ventures.

Brotman notes the skills a CIO brings to an executive role: a focus on scale, organizational design, and solving problems, as the CIO must tap new business opportunities while dealing with legacy systems and processes. As a CEO, Brotman focused on vision, customers, and the tenacity to lead initiatives past problems. Here’s how Brotman sums up how understanding CIO skills has made him a better executive:

“Now, built into my vision for an innovative product, platform or customer experience, I am more apt to layer into that vision a point of view around how to implement, scale and maintain a competitive differentiation. Usually CEOs have to confront these realities around implementation and scale a bit down the road after they have used their sheer passion, vision and leadership to get investors and employees to invest money, time and effort in their initial vision. And many would say that if the CEO wasn’t a little “naive,” the original idea may never have been presented quite as passionately. Many times that’s true. But after working for a CIO for two years, I’m here to tell you that when you can combine the CEO-like raw vision and passion with CIO-like detailed planning around implementation, scale and design, it’s a much more powerful initial vision and one that’s more likely to succeed.”

Chris Murphy is Editor of InformationWeek. Write to Chris at cjmurphy@techweb.com
Practical Analysis
There’s no app for that, and that’s good
Art Wittmann

Developing custom apps for tablets and smartphones has become the cool thing to do. Just make sure you aren’t opening a can of budget-busting worms long term

Blogs: Art Wittmann blogs at InformationWeek. Check out his blogs at: http://www.informationweek.com/authors/6044

As tablets and smartphones become everyday business tools, smart IT leaders are moving from just accepting them to devising ways to fully support mobile business applications. For many IT organizations, that means jumping into the deep end of the pool by creating custom apps for both internal and external users. After all, if there are more than half a million apps on Apple’s App Store, then most IT organizations should be up to the task of creating their own, right?

Maybe. But just because you can do something doesn’t mean you should. The bar for developing custom apps for smartphones and tablets should be high, at least as high as it was for creating them on PCs. Here’s a good rule of thumb: web when you can; custom apps when you must.

It’s easy to convince yourself to develop a custom app. Your organization may, for instance, support only iOS tablets and smartphones, so resorting to browsers and depending on HTML5 and JavaScript rather than native development tools seems unnecessary. Even if you envision supporting Windows 8 or Android mobile devices at some point, certainly the promise of “write once, run anywhere” development tools will solve that problem. Unfortunately, none of the OS vendors is particularly interested in the success of WORA tools, so they’ll make changes that will force both your chosen tool developer and your organization to make an update on the new platform. Users will expect your app to work like all the rest. Apps on Apple devices can be a challenge, but Android significantly ups that challenge, as those releases are more regular and there’s less guidance from Google on how the UI should look and feel. The more frequent OS updates and differences in implementation from manufacturer to manufacturer have given WORA tools a less-than-stellar reputation. They’re often dubbed “write once, debug everywhere.”

The short-term investment in creating those first pristine apps is likely to be the tip of the iceberg in terms of people and capital costs. Whether you’re using internal teams for development or contracting with coding houses (a practice that brings its own set of challenges), you’ll need to make a sober assessment of the short- and long-term costs of supporting the practice.

Sometimes, the basic nature of the app you envision will require that it access resources that only a custom application can get at. If you need the app to access the device’s accelerometer or near-field communications system, you’ll probably need to write a custom app. As these features become standard in phones, you’ll eventually be able to use them from web applications. A bigger challenge comes around notifications. It’s reasonable to envision pushing notifications to devices based on all sorts of things (inventory levels, orders shipping, hundreds of others). Web-based apps typically rely on e-mail notification.

HTML5 and JavaScript aren’t without their own challenges. Adherence to the HTML5 spec is by no means consistent everywhere, though you have a fighting chance across Apple and Android devices, as their web browsers at least start from the same WebKit. But there’s a lot to be said for creating one team that uses one set of technologies to field apps on everything from desktops to laptops to tablets to smartphones. For the vast majority of businesses, the mantra should be: web when you can; apps when you must.

Art Wittmann is Director of InformationWeek Analytics, a portfolio of decision-support tools and analyst reports. You can write to him at awittmann@techweb.com.
Down to Business
5 areas that will drive IT spending
Rob Preston

We’re a bit more bullish about 2012 than Gartner, which recently revised its spending forecast downward

Blogs: Rob Preston blogs at InformationWeek. Check out his blogs at: http://www.informationweek.com/authors/showAuthor.jhtml?authorID=1026

Gartner is getting cold feet on its original forecast for worldwide IT spending, ratcheting it back to 3.7 percent growth in 2012 from its earlier forecast of 4.6 percent growth. Gartner’s reasons: slowing global economic growth, the eurozone crisis, and the impact of Thailand’s floods on the production of hard disk drives.

When assessing IT spending, doesn’t anyone ask the folks who manage IT budgets anymore? InformationWeek did, for our Outlook 2012 report, for which we surveyed 605 IT professionals. In our survey, 18 percent said their companies will increase their IT spending by more than 10 percent in 2012, compared with 15 percent who said that last year, while the percentage of companies looking to spend between 5 percent and 10 percent more this year was down, to 24 percent from 27 percent. The share of companies looking to spend more on IT this year, but less than 5 percent more, is up slightly, to 14 percent of respondents this year from 13 percent last year. Overall, 56 percent of the respondents to our recent survey said they expect their companies to spend more on IT this year than they did last year, while only 16 percent expect their IT spending to decline.

They expect to do some IT hiring as well: 25 percent of respondents to our Outlook 2012 survey said their companies plan to hire more IT pros this year, while only 9 percent expect cutbacks. Still, 30 percent of respondents expect their companies to freeze IT hiring this year, while 36 percent are hiring only to fill vacated positions.

One big difference between Gartner’s outlook and ours: Theirs is global; ours is U.S.-oriented. And while Gartner and other IT spending prognosticators rely heavily on economic trends and the financials of bellwether companies, we stick close to the source of IT spending: the people who actually manage those budgets. And what they’re telling us, as part of our extensive surveys and reporting, is that five core areas will drive their companies’ IT spending higher in 2012:

1) Mobile. Just since the beginning of the year, two high-profile organizations — Walmart and the Financial Times — have acquired application development companies to bolster their mobile expertise specifically, as customers increasingly access their products from smartphones and tablets. Plenty of other companies are scurrying to access mobile talent by hiring specialists or working with contractors — or doing both.

2) Big Data. As CKE Restaurants CIO Jeff Chasney says, Big Data analytics isn’t an out-of-the-box software “solution.” Companies will need to hire or contract people with chops in math and statistics, in addition to buying the latest software tools.

3) Cloud Computing. Most companies aren’t leaping into the cloud, but they are spending more on select software and infrastructure services. The real enterprise spending will happen when companies re-architect their data centers for cloud-like private services.

4) Data Center Infrastructure. Virtualizing servers and storage and updating data centers to be more redundant, energy efficient, and automated will require companies to spend more money to save money. And the growth of both public and private cloud services will force providers to make big data center investments.

5) Social. Through 2012, Gartner predicts, more than 70 percent of IT-dominated social initiatives will fail as IT pros “struggle with shifting from providing a platform to delivering a solution.” Nonetheless, the stakes are high, especially for retail and other companies whose customers practically live on social media. Even B2B companies must come to grips with the fact that their customers are talking about them and their products on some form of social media.

Rob Preston is VP and Editor in Chief of InformationWeek. You can write to Rob at rpreston@techweb.com.