If you work in information technology and you passed through the city of London over the last week it would have been hard not to notice the InfoSec IT security conference being held at the Earl’s Court exhibition centre.
Logically of course, certain themes and trends came out of this event, which (at a macroeconomic level at least) may provide some insight for chief information officers trying to analyse the state of their current security operation as they try to quantify the vulnerabilities that they may be harbouring within their firm’s operational structure.
Whether we are all genuinely on the same page technologically, or whether our social media streams are now so inextricably interconnected is hard to say -- but the industry as a whole does seem to have formed a rough consensus as to what our top security priorities are now.
Let us try and summarise…
Cloud based risks -- As any cloud vendor/hosting provider will tell you, the cloud itself is not inherently insecure, the risk factor here is simply a question of what type of data you decide to host inside a virtualised hosted environment (i.e. mission critical or less sensitive) and what encryption mechanisms you place over it.
Despite this “essential truism” there is disquiet, discord and discomfort among many companies considering cloud migration procedures stemming from security fears real or perceived.
Privacy-related risks -- Sir Tim Berners-Lee has called for web companies like Facebook and Google to stop profiteering (as he puts it) from selling information people don’t even know these companies have. At the same time, business interaction networks company Axway has revealed findings which show that since April 2010, 35 per cent of complaints to the Information Commissioner Office (ICO) involved disclosure of personal data and security breaches despite Data Protection Act (DPA) penalties and the threat of prosecution that corporations face.
According to Axway’s John Thielens, “Alarming as that figure is, it comes as no surprise that consumers in the UK are uniting in voicing their concerns about how their personal identifiable information is being leaked by trusted private and public organisations without their knowledge. Conversely, and of heightened concern, is that the average data breach costs UK companies £79 per record, of which £37 equates to indirect costs -- such as loyal customer defection and brand erosion.”
Mobile related risks -- OK so who wants to say it first? Bring Your Own Device is the most pertinent mobile-related IT security risk and threat at the moment. This is of course brought about by the so-called consumerisation of IT where users takes their own high-end smartphones, tablets and laptops into the work environment and connect them (wired or wirelessly) to the corporate network in an unsecured and unmanaged manner.
You can expect to see more and more “solutions” directly addressing this issue, especially as users need to use these devices to remotely synchronise data with the corporate network when they are on the move.
Advanced persistent threats -- Common understanding of the problem of advanced persistent threats is that a wide range of attack techniques and vectors (advanced) will be used for a period of consistent activity focused on a specific target (persistent) to produce an attack to compromise and damage (threaten) a commercial firm’s or a public body’s data stack.
Security intelligence and deep analytics – Some (but not all) of the problem here is at the application development level as we start to drill down into exactly what data sources individual application use to execute. HP Fortify Software security consultant Lucas von Stockhausen has said that with HP Fortify Solutions developers have the possibility to test their code for security vulnerabilities before going live. This can be carried out either locally on their desktops, centrally on a build server, or in the cloud.
“With this approach developers get all the information to fix the issues and deliver secure code for desktop, server, web and mobile applications. Together with the industry proven Software Security Assurance (SSA) methodology, HP can integrate this seamlessly into the existing development processes without security becoming a burden for the developer,” said Stockhausen.
So if April was the month for security awareness, then let us hope that May and onwards are the months of security competency for companies in all verticals and of all shapes and sizes.