Posts from ‘Frank Kenney’
Data Breach Primer – What Does it all Mean?
Hey SEC, it’s Frank Kenney at Ipswitch. I don’t mean to rock the boat but I had a few quick questions regarding your recent announcement that you are requiring companies to notify their customers of a breach or risk of breach.
- What’s a “breach”? Does it mean the bad guys came in and took the data? Or maybe the data was left unencrypted? Or perhaps an executive lost his or her BlackBerry? Wikipedia talks about breaches of confidence, breaches of contract and breaches of faith. Is it all or none of the above?
- What does “notify” mean? Email? Snail mail? SMS? Press release? Facebook status update? Tweet? We just don’t know. And when do they need to send that out? When it happens (or it happened?) When it was discovered? When it was fixed? This is key and I say this because the breaches that happened were reported months after they actually happened. So when?
- And by “customers”, do you mean people who pay for my services? What if my services are free like social networks? Does free = exempt? What if I give you my email and contact info, does that make me a customer?
- What in the world is “risk of breach” and why shouldn’t I just fix it instead of telling my customers?
If you don’t mind I’d like to give the public in general my 2 cents…
The real story is this: we should all take these breaches seriously because at some point they will impact us individually. We must make it crystal clear to our service providers, our Internet providers and in some cases our employers that there needs to be policies and enforcement around the proper use and retention of our private information. We must also make clear that these same providers must put processes in place to better communicate and resolve any future data breaches. In much the same way we now see consumers making purchase decisions based on the carbon footprint of their suppliers/providers, the same approach will be taken when it comes to private confidential information. We at Ipswitch believe putting a secure managed file transfer solution in place will allow these suppliers to stem breaches by giving them visibility into how data is being accessed and for what purpose BEFORE these breaches happen.
Recently, Cisco published a blog post on an interview with a former Anonymous hacker who offered his top security tips for the enterprise. Some of the suggestions were fairly obvious, while others were intuitive and absolutely on point. For example:
#5: Teach your staff about information security
Take note, he didn’t refer to just security staff; he was referring to the entire staff – from the administrative assistants to the most critical of security analysts. In fact, a recent Ipswitch survey shows that even the most stringent security professionals break protocol when it comes to the transfer and collaboration of information. And these folks have tons of acronyms behind their names!
What chance does the layman have? Establishing the groundwork for the dissemination and adherence to corporate policies around information security is a positive set of actions to better protect companies.
There needs to be a general awareness around information security and data and a clear understanding of the security and risk issues associated with physical media, such as DVDs and memory sticks, and outside services, like Gmail, which allows employees to ‘easily’ send large files. This combination can be the best deterrent to data breaches.
#6: Teach your staff about social engineering
The use of technology to interact and collaborate – and how that collaboration can involve unknown third parties – is the very reason your staff should have an understanding around social engineering. Let’s face it, anyone can get an e-mail address and register on any social site. Hackers, thieves, con artists, and scammers aren’t the only ones that want access to
your personal information.
Employees who use shareware or free cloud service are exposing sensitive information and risking an unintentional data breach. Employees who work from home, on a personal machine late at night or on an unapproved smart phone (at any hour) are the biggest targets for hackers and breaches. How many corporate iPhone users are there anyway?
#13: Keep an eye on what information you are letting out into the public domain
In many cases, all information about major IT purchases and deployments by publically traded companies is public record. A move to incorporate MySQL databases, a content management system based on open source technology or even portal technologies can give a hacker everything they need to exploit your system.
Again, this is an issue of determining risk associated with information and mitigating that risk. Laying out your architecture and your infrastructure blueprints for the world to see may not be the best idea for your company…
#14: Use good physical security. What good is all the [security] software if someone could just walk in and take your “secure” system?
Stop everything you’re doing and walk from the front entrance of your office to the mailroom.
Is that door of the mailroom locked? How hard is it to just pick up a backup tape or CD and slip it into a bag? For that matter, how hard is it to just walk into the office without proper credentials? And when you walk into your office, are there secure terminals? Maybe someone in human resources went to the break room for coffee and neglected to lock their computer?
A simple, misplaced memory stick or an unsecured PC are potential recipes for disaster. There is never any excuse for leaving a terminal unsecured in a public or semipublic setting. My rule of thumb: if you can’t leave your purse or wallet opened with hundred dollar bills in plain view, you cannot keep your desktop, laptop, smart phone or a terminal unsecured.
All in all, I think the suggestions make sense. Looking at a few of the tips allows you to take a few steps in the mind of a hacker. A few seconds of non-diligence equals a career of regret.
Over the last few weeks, we’ve been putting the final touches on our next generation of services that will be delivered via the cloud. As with any product or service release, there comes a fair amount of planning including ensuring that one has the best site into competitors, forecast and of course customers. We’ve worked closely with industry analysts, our end-users and prospects and our own internal resources to best understand how and where we should position our cloud services. In presentation after presentation and in conversation after conversation, we were presented market slides showing the enormous growth and opportunity within the overall software as a service (SaaS) markets. The natural reaction is to get excited about all the money we can make in this space; before we did, I issued a strong warning to our team:
“In very much the same way that software is analogous to infrastructure, software as a service is not analogous to infrastructure as a service. That includes integration as a service. The profile of the consumer of SaaS will more than likely expect that things like integration, interoperability, transformation and governance will be part of the service subscription.”
In a nutshell what I was saying was… do not look at forecasts for SaaS and assume that the opportunities for IaaS follow the same trends. If users create content by using services that are delivered via the cloud, they have a reasonable expectation that this content can be shared with other services delivered via the cloud (not necessarily by the same vendor). For example, creating content via salesforce.com and sharing that content with gooddata.com should be as simple as granting the necessary permissions. After all, my Facebook, Twitter and Google+ information is shared by clicking a few buttons. Make no mistake, integration and interoperability are nontrivial, but part of the expectation of using cloud services is that the consumer is shielded from these complexities. As more and more cloud service platforms and providers build in integration and governance technologies the need for a separate IaaS provider will likely diminish.
Don’t get me wrong, I still believe that there is a place for technologies such as managed file transfer and business-to-business integration and collaboration; I definitely believe that Ipswitch will play a significant role in the evolution of those markets. Expect the role of Ipswitch to be evolve as well; not only will we provide the best mechanisms for moving content of any size but we will also govern (or let you govern) that movement and the entire experience around it. This is the centerpiece of Ipswitch’s Cloud strategy.
Ipswitch has been cautioning companies about the dangers of private/confidential information being sent through Google (and other hosted and person-to-person services), both from a security and a responsibility perspective.
Last week’s GMail hack further drives home the point that organizations must proactively manage and have visibility into what information is being shared with service providers and how information is being sent between people.
Don’t let your guard down and simply treat the cloud as just another internal resource…. They need to be properly managed and governed just like any other third-party.
Ipswitch’s Frank Kenney recently concluded a 4-part webcast series on integration. It’s not too late to watch a replay of it. In parts 3 and 4, Frank talks through the issue of relying on cloud providers and provides tips for managing and governing cloud and person-to-person interactions.
