What CISOs, Compliance Officers and IT Operations need from a mobile security offering

Clearly more and more information workers are following the BYOD (“Bring Your Own Device”) trend and accessing critical corporation information from their mobile devices. Given the ease with which a device can be lost or stolen, and the often inconsistent security policies that are applied to mobile devices (if even applied at all), there is a significant demand by IT organizations to lock down and secure mobile devices accessing their corporate networks. These challenges are compounded by the fact that users have their own device preferences - heterogeneity will certainly exist with mobile devices as it does today for systems in the data center. READ THE FULL INTERVIEW...

What’s the future for cloud security and why enterprises will be willing to outsource their security requirements

We are seeing great investment by cloud providers and security vendors, and the direction is promising. In some ways, because it allows better management and flexible control of resources, cloud computing can be more secure than traditional IT. This was recently recognized by the NSA director and U.S. Cyber Command commander, Gen. Keith Alexander. In other ways, fundamental breakthroughs in technology are still needed. We see these coming from the fields of key-splitting technology and homomorphic encryption. If these are properly implemented, they allow you to be in the cloud without losing control, because sensitive data or keys are encrypted even when in use in the cloud, which means cloud providers cannot know them, and even security vendors never know them. READ THE FULL INTERVIEW...

What an organization should consider before making the move to next-generation security devices

In today’s environment and with NGFWs, IT must understand what applications are needed by what users and provide access. Without careful design and maintenance, a poorly optimized NGFW policy could take what was a single rule allowing http, and become a policy that includes 10,000 new rules, one per application – creating more opportunity for error and risk. It is clear that at least for certain parts of the network, next-generation firewalls make a whole lot of sense. However, generally speaking, more granular network security policies equal more complexity. So the big question becomes, how can organizations take advantage of the clear benefits of NGFWs while minimizing the complexity, administrative burden and risk from improper configurations? READ THE FULL INTERVIEW...

How identity management has evolved over the years and what is cloud-based identity management

Cloud-based identity management offers a lot of promise for global organizations. It can provide them with pay-as-you-go options that reduce capital expense and the ability to scale the solution on demand as the environment grows. Using cloud-based identity management is easier for small companies who have fewer applications and systems to manage, because this minimizes the cost and complexity of integration. For larger organizations (with 100’s-1000’s of resources), cloud-based identity management can present greater challenges. Many organizations consider identity data to be confidential data, so the right security measures must be in place to ensure secure communications. READ THE FULL INTERVIEW...

How social networks, online communities and multiple devices are increasing the possibilities of uncharted security threats to enterprises

What many business executives are overlooking who are encouraging the “BYOD” model is the fact that personal devices like smart-phones, iPods, iPads and even digital cameras are easily concealable, mass-storage devices capable of copying and taking many gigabytes of private company data outside of the company’s premises. When an employee walks through security and upstairs to their workstation, they’re free to connect these devices and download whatever they have the credentials to see on their screen. These incidents happen all the time and aren’t just limited to malicious, disgruntled employees, but can be innocent inadvertent mistakes made by well-meaning employees who are using their own devices for personal Facebook postings as well as work-related projects. This creates a very dangerous risk of data leakage from the company to the outside world. READ THE FULL INTERVIEW...

How prevalent are social engineering attacks and what can be done to combat them

Social Engineering attacks are very prevalent today; however, it’s difficult to generate statistics on exactly how widespread they are. This is because when an attack is executed correctly, the victim is unaware that they’ve been taken advantage of. In addition, these attacks are difficult to investigate because we are dealing with human and not hardware interaction. If an attacker bypasses an organization’s physical security via a technique such as “piggy backing”, there will most likely be evidence of that security breach in the form of video surveillance data. However, there are no logs or security reports to review if an attacker scours the Internet searching for information related to the victim organization such as: employee names, phone numbers or the networking equipment that is used. READ THE FULL INTERVIEW...

Biggest threat in the coming year for enterprises adopting cloud infrastructure

Every conversation about current or impending strategies for information assets almost universally contains some mention of a public, private or hybrid cloud deployment. A more interesting observation of these conversations is that the lure of liberating ourselves from the burden of managing applications and data shouldn’t mean we stop having high expectations about how those applications and data are managed. Unfortunately, moving infrastructure and/or applications into public or private clouds doesn't necessarily make you more secure, compliant or risk-free. READ THE FULL INTERVIEW...

Level of IT security protection provided by removing administrative rights as compared to other forms of endpoint protection, such as antivirus

Antivirus will stop known threats, while the principle of least privilege via the removal of administrative privileges can help to combat risks that are presently unknown to antivirus software that can threaten to exploit administration rights.  It’s the same protection principle as anti-virus, just with a different approach.  Companies wouldn’t go without antivirus – so why would they give administrative rights to users when there is a way for properly managing privileges without exposing the company to unnecessary security risks?  READ THE FULL INTERVIEW...

Why security breaches are still happening and what really is a tailored authentication approach

Self-service password reset strategies are static and do not take into consideration the events surrounding the reset request, such as what device the user is on or what their location is. Risk-based authentication provides the framework to be able to adjust the self-service password reset method based on either the user’s real-time events, including time, location, network, device and application, and/or defined by a particular user, group or organization. The Tailored Authentication approach is for those customers who have a unique user base, organizational complexities, specific security and compliance requirements or multiple and diverse applications; our expert professional services and development team will develop a solution adapted to their environment and delivered within the framework of our standard PortalGuard software product. READ THE FULL INTERVIEW...

Global operational challenges and developing cost-effective crisis management and business continuity programs

Risks vary enormously by location. In some locations, physical risks are the greatest concerns. Over my career, I’ve been involved with protecting employees in locations as varied as Angola, Algeria, Yemen, the Congo, and Papua New Guinea, among other locations.  In such operations, standard physical security measures are essential, but are only as good as the employees onsite.  Employing experienced professionals who understand the precautions and are willing to “stay within the security envelope” is essential. On a few occasions over my career with different employers, we had to send expatriates home because they were unwilling to abide by our security guidelines.  That type of behavior poses unacceptable risks not only to the employees themselves, but to the operation as a whole.  READ THE FULL INTERVIEW...

Critical mistakes still happening in IT security and the threats most enterprises are least prepared to subvert

Everything is put online and networked, and this is a mistake because it makes everything potentially accessible and vulnerable to attack.  Along with this, everything is put on common platforms to make it cheaper and simpler to manage – and often sharing the same vulnerabilities. There is no overall plan for security based on risk and sensitivity.  Not everything needs to be protected the same way or at the same level of intensity; defenses should be focused where the need (and potential loss) are greatest. READ THE FULL INTERVIEW...

What is mobile risk management (MRM) and how to implement a BYOD policy

A risk-focused approach to BYOD starts by looking at the inherent security threats, vulnerabilities and compliance risks that may be introduced by allowing personal-liable devices to store confidential corporate data and connect to the corporate network. With BYOD, organizations can no longer dictate which devices and operating systems are permitted on the network, and they don’t have the luxury of forcing users to upgrade their software or deploy security patches when new vulnerabilities are discovered. They are not typically permitted to wipe a personal-liable device in the event that it is lost or stolen, and may have limited controls over data encryption and device-level user authentication. READ THE FULL INTERVIEW...

Threats most enterprises are least prepared to subvert and the overall security landscape

Many recent serious breaches were the result of the unhealthy and risky practice of removing isolated silos of information and combining them into single large databases which are then connected or accessible to the Internet or via systems that are subject to compromise.  The concept of isolated silos of information with their own security and access is a time proven approach to security.  Unfortunately, in an attempt to reduce costs and improve convenience, systems that should never have been connected to the Internet, or accessible by systems connected to the Internet, have been compromised  -- leading to large and embarrassing data losses.  Silos are good and air-gapped silos are sometimes the only way to secure some data.  They are inconvenient, but so is the loss to the company of a compromise. READ THE FULL INTERVIEW...

What companies can do to ensure success from a security and privacy perspective with cloud-based initiatives

Cloud-based initiatives are more complex from a security and privacy perspective than legacy IT implementations for a myriad of reasons. When evaluating Cloud service models including public, private, hybrid and community Clouds, it is necessary to engage the audit and compliance functions within your organization. From an IT operations perspective, you may be leaning towards a public Cloud model based on efficiencies gained which favorably impact your organization's bottom line. However, once you understand the required risk mitigation controls needed to comply with industry standards and legislation (PCI, HIPAA, GLBA), state and national legislation (breach notification, SOX), organizational sensitive information and customer requirements (SSAE 16 SOC 1, ISO 27001), it may turn out that a hybrid or private Cloud model is most prudent based on your organization's risk appetite. READ THE FULL INTERVIEW...

Incentives for enterprises to migrate to a cloud-based security solution even if they have already invested heavily in classic products and services

Classic solutions are expensive, difficult to deploy, and require in-house administration and maintenance.  In addition, they require scarce security resources that can understand compliance and regulatory requirements and quickly adjust setup and configuration as needed.  However, this is not a core competency for most organizations.  Cloud-based, by design, is multi-tenant and scalable.  This allows the cost of development and administration to be spread across multiple customers and therefore significantly reduce the overall cost for any one customer.  Furthermore, CloudAccess’ focus on security means we continuously upgrade and update our systems to meet regulatory and compliance requirements. We are constantly improving our databases with the latest threat and risks knowledge so that we can prevent and mitigate any challenge and serve as our client’s best line of defense. READ THE FULL INTERVIEW...

New security threats that may threaten enterprises and rethinking security strategies from scratch again

Security is too often viewed as the application of the latest doo-dad that the industry produces. Gartner tracks these things through something called a hype-cycle. So we see a recurring theme that someone thinks up a new tool that can protect people from "X" and the industry gets behind it and pushes it as the latest greatest must have, organizations buy the item, attempt to implement it and all too often we hear 9 months later that it's a failure - didn't deliver on its promises. Really successful CSOs are viewed by their organization as enabling the business to achieve higher revenues and lower costs. They are a trusted partner in the business. Selecting solutions or providers that will map to your needs and organization (not the other way around) and that will adapt to your changes over time is where long-term benefits can be realized. READ THE FULL INTERVIEW...

Why most businesses are not truly secured yet in spite of already having invested in security appliances and services

Most antimalware products are well able to address the threat of malware that has been "in the wild" for more than a few weeks or months. However it is the newest pieces of malware that represent the greatest risk. So called "zero day" threats are literally so new that no signatures exist to protect against them. This problem has driven a tremendous amount of innovation and new thinking in the security industry, of which cloud scanning is just one example. Moving the "heavy lifting" of malware detection from the endpoint to the cloud has resulted in three key benefits: firstly, it significantly reduces the tax on the endpoint device by pushing the compute cycles to massively scalable cloud infrastructures. Secondly – leveraging multiple technologies and large amounts of computing power enables vendors to provide their customers with substantially greater coverage than would be possible with endpoint-based approaches alone. READ THE FULL INTERVIEW...

What makes Wisegate different from other social networks and what popular information security topics are being discussed right now

We in this industry are accustomed to the risk of making decisions without knowledge from experienced peers, which in fact can reduce the decision risk significantly. The risk of sharing our questions to get better information and to be better informed is a good idea. Wisegate is a new breed of information security sharing forum that keeps vendors out to enable senior IT professionals to openly, yet securely, tap the collective wisdom of their peers to quickly solve some of the industry’s most pressing issues. Some of the hot topics being discussed on Wisegate right now include "bring your own device" (BYOD) policies, cyber security collaboration, navigating the global compliance maze, employee access to social media, and lessons learned on security product implementations such as Threat Management, GRC, SIEM, Identity & Access Management, DLP/Data Security and more. READ THE FULL INTERVIEW...

Guy Churchward gives security predictions for 2012

In 2012, we will see the first major public cloud security breach. The development and launch of public cloud services has occurred so rapidly that cloud service providers now hold an immense amount of customer data. Also the European Union’s Privacy and Electronic Communications Directive will get much tighter with regulations around web user privacy. From a global perspective, lawmakers will put more pressure on companies by increasing penalties for breaches and holding them more accountable for consumer data. READ THE FULL INTERVIEW...

A different approach to training end-users, justifying the ROI and defending against cyber security attacks

Chief information security officers (CISOs) quickly abandon their old training methodologies after learning about a new method that is scalable software, engages the user in practicing what they are learning, and takes less than ten minutes for each lesson. They also love the fact that they gather actionable and measurable data about their employee population to be able to address weaknesses instead of the “check the box” training of the past. Wombat’s cyber security training is different because of its application of learning science principles, coupled with cyber security expertise and engaging software techniques. READ THE FULL INTERVIEW...

What are Next Generation Firewalls and why has it become critical to detect application-specific attacks

A next-generation firewall is a gateway device that looks at a packet from more than just a simple Layer-3 perspective to determine whether it should be allowed through a port. It looks at Layers 3 through 7 and gains an application-level and identity-based understanding of the connection, allowing it to make more sophisticated decisions. This changes the inherent structure of a firewall rule, which is what we at Tufin are concerned with. Instead of writing a generic rule such as “Allow server A to connect to server B over port 80,” firewall administrators can write laser-focused rules: “Allow Joe to use LinkedIn, but block him from using Facebook if he’s within the corporate network.” READ THE FULL INTERVIEW...

News and World Report

Anue Systems Named Finalist in Info Security Products Guide’s Global Excellence Awards
Winners honored in San Francisco on February 29, 2012

10ZiG Technology - The First to VMware View 5.0 Certification
Other enhancements will include PCoIP Optimization Controls, Media Services for 3D Graphics, and Improved Personalized Experience, to name a few, which further increases the already large number of thin client use cases in the varied workplace environments.

Demand for Symantec.cloud SaaS Offerings Demonstrates Customer Need for Simplifying Complex IT Tasks
Symantec Backup Exec.cloud and Symantec Enterprise Vault.cloud increase customer choice and IT manageability

GoldKey Named Finalist in Info Security Products Guide’s Global Excellence Awards
Winners Will Be Honored In San Francisco on February 16, 2011

NSS Labs Tests 13 Leading Intrusion Prevention Systems
Five Vendors Achieve Recommend Rating, but Wide Ranges in Effectiveness, Performance and Value Prove that Buyers Should Carefully Review Products before Purchasing

DNF Security is Named Finalist in the 2011 Info Security Products Guide’s Global Excellence Awards
Falcon Unified Storage & Server (USS™) nominated for Best Security Hardware of the Year

Account Management in Dell Remote Access Controllers Provided by Lieberman Software
The solution builds upon the existing security of DRAC products and makes it easier for organizations to comply with government and industry regulations that require secured account passwords

Pepperweed Consulting Consolidates its Data Backup and Security with Symantec
Symantec Backup Exec and Symantec Endpoint Protection help Pepperweed improve backup success rates, protect against malware

Acxiom Study Shows Retailers How to Capitalize on Last-Minute Holiday Shoppers
Power and Panic Shoppers Account for Billions in Sales

Connect, Stream and Enjoy: NETGEAR Announces DLNA Certification For Router and Network-Attached Storage Products
DLNA certification makes it easy to identify NETGEAR products that will share video, music, and photos seamlessly with other DLNA Certified® devices

AirMagnet Offers Breakthrough Approach to Measure, Visualize and Understand WLAN Client Experience
AirMagnet Survey and WiFi Analyzer offer unprecedented insight into real-world client experience, delivering actionable insights for WLAN planning, deployment and troubleshooting

Symantec Empowers Partners with Debut of Enhanced Partner Program at Partner Engage 2010
Specialization model rewards partner expertise in solution areas and growth markets

Industry Events
February 27 to March 2, 2012 RSA Conference, San Francisco
Wednesday, February 29, 2012: 8th Annual 2012 Info Security's Global Excellence Awards Dinner, San Francisco
Best Deployments and Case Studies

Info Security Products Guide
Mobiliar Makes Secure Remote Access a Reality with NCP engineering’s Help
Sybase Mobile Device Management Solution Enables Productivity and Customer-Care Upgrade for Kindred Healthcare Rehabilitation Therapists
Dimension Data overhauls U.S. healthcare organization’s security operations center
IBM MSD Standardizes on Tufin SecureTrack to gain full control, management and auditability of firewall, router and switch policy changes
Bristol Hospital takes no risks in transferring sensitive data
Xceedium GateKeeper Helps Department of Homeland Security Battle Insider Threats and Maintain National Security
How a large store chain simplified PCI compliance with Protegrity Tokenization
Global Financial Services Enterprise Chooses Net Optics to Provide Scalability for Database and Network Protection in the 10G Environment
Monitoring the Modern Campus Network in 2011 to Reduce Performance Issues and Security Risks
E-Class Next-Generation Firewall | SUNY College at Old Westbury Case Study
Virtela Helps Streamline Global Operations for Key Semiconductor Industry Supplier
Viewfinity helps EagleMed manage its locked down desktops in order to comply with HIPAA laws
Corero Network Security IPS Thwarts Malicious Attack and Ensures the Journal Register Can Deliver News Securely in Real Time
Safend helps secure one of the world’s largest banks and meets all security regulations
ActivIdentity Enables a Leading European Bank to Achieve Multi-Channel In-Branch Service Delivery with Unique Smart Card-Based Solution
Sallie Mae Reduces Compliance Pressured with Identity Governance
TDS Telecom rolls out its fastest broadband service speeds with Action V1000H router
LANDesk provides cost-effective, secure cloud solution to non-profit hospital network
LANDesk enables PCI compliance among Radiant Systems’ customers
Vendor and Reseller Help Health Organization Deploy Hard Disk Encryption Quickly and Easily
Strategic Hotels & Resorts Reports Three-Month ROI with a savings of over $150,000 per Year with ExaGrid Disk-Based Backup
Prioritizing bandwidth for applications and combining multiple functions together to achieve cost savings
Bank achieves secure document protection & collaboration with agencies working on quarterly & annual reports
Courion Helps West Midlands Police Patrol Access Rights