ScotlandIS

News Feed

IT vendors must get prescriptive about Security - Ovum's perspective

IBM delivered its annual review of IT security issues to industry analysts last week, and unsurprisingly the related areas of cloud computing and virtualization topped the list of concerns from IBM clients. Both compound an already complex issue. As most lay people understand security only as a black box, the challenge for IBM – and other solution and service providers – is to be prescriptive. While business people may not understand the basic workings of IT infrastructure and software, most know even less about security, or what issues to attack first.

The cloud and virtualization add new potential attack areas

One would have to live under a rock to remain unaware of all the security issues that the web introduced to enterprise software. The cloud adds a new layer of complexity to the equation: to the challenges of exposing applications outside the firewall, add the challenge of running them there. Businesses face the need to scrutinize their cloud providers. For instance, insisting that third-party providers pass audits such as SAS 70 (covering IT controls), ISO 27001 (for security management) or PCI (for payments processing) is only the first step in vetting a provider, because such audits merely document past practice. Going forward, cloud customers must be vigilant in monitoring cloud providers’ practices in areas such as change and incident management, identity and access management, data segregation, secure development and test practices, and isolation between tenant domains.

Virtualization in turn presents a housekeeping problem that extends well beyond security. Blind proliferation of virtual machines (VMs) opens the possibility that supposedly inactive VMs, which nobody is patching or watching, could be hijacked. Additionally, the hypervisor that spawns VMs and the management layer above it each present potential single points of failure.
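The housekeeping risk above is easiest to see as an inventory audit: a VM that has been powered off for months, has no recorded owner, or has missed its patch window is exactly the "supposedly inactive" machine the text warns about. The following is an added example, not code from Ovum, IBM or the original article; the inventory records, field names and thresholds are constructed assumptions standing in for whatever a hypervisor management API or CMDB export would actually provide.

```python
from datetime import date

# Constructed sample inventory (hypothetical): the kind of record a hypervisor
# management layer or CMDB export would give per VM. Dates are ISO strings.
SAMPLE_INVENTORY = [
    {"name": "web-01",   "state": "running",     "owner": "web-team", "last_seen": "2012-06-01", "patched": "2012-05-28"},
    {"name": "test-old", "state": "powered_off", "owner": "",         "last_seen": "2012-01-15", "patched": "2011-12-01"},
    {"name": "db-02",    "state": "running",     "owner": "",         "last_seen": "2012-06-01", "patched": "2012-05-01"},
    {"name": "batch-07", "state": "powered_off", "owner": "ops",      "last_seen": "2012-05-25", "patched": "2012-05-20"},
]

# Assumed audit date so the report is reproducible offline.
REPORT_DATE = date(2012, 6, 4)


def audit_vm_sprawl(inventory, today, max_idle_days=30, max_patch_age_days=45):
    """Return {vm_name: [findings]} for every VM that needs an owner decision.

    Three conditions are checked, each corresponding to a way a forgotten VM
    becomes an attack path: long powered off (nobody will notice it being
    started), no accountable owner, and patch level older than the window.
    """
    findings = {}
    for vm in inventory:
        reasons = []
        last_seen = date.fromisoformat(vm["last_seen"])
        patched = date.fromisoformat(vm["patched"])
        idle_days = (today - last_seen).days
        patch_age = (today - patched).days

        if vm["state"] != "running" and idle_days > max_idle_days:
            reasons.append(f"powered off for {idle_days} days: decommission or justify")
        if not vm["owner"]:
            reasons.append("no owner recorded: nobody accountable for patching")
        if patch_age > max_patch_age_days:
            reasons.append(f"last patched {patch_age} days ago: outside the patch window")

        if reasons:
            findings[vm["name"]] = reasons
    return findings


def audit_sample():
    """Run the audit over the constructed inventory at the assumed report date."""
    return audit_vm_sprawl(SAMPLE_INVENTORY, REPORT_DATE)


if __name__ == "__main__":
    for name, reasons in audit_sample().items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The thresholds are deliberately parameters rather than constants: the right idle window for a test lab differs from one for production, and the point of the check is to force a decision (decommission, assign an owner, patch) rather than to leave the VM in the "inactive but still there" state the article describes.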

Security problems could become the darker side of the ‘Smarter Planet’ that IBM has been promoting

Just as the Internet, the cloud, and virtualization have opened up potential attack surfaces, the same will happen as the world becomes more instrumented. RFID tags, along with the other smart sensors and controllers increasingly embedded in civil infrastructure and everyday products, have the potential to improve quality of life by making products and systems more adaptable. The dark side, however, is that they open plenty of new paths for attack that researchers are only beginning to understand.

For enterprises, the answer is not to stop progress

Naturally, one cannot eliminate all risk. The fact that the Internet has opened new pathways of attack has not stopped the business world from profiting from the new global connectivity. Neither has fear of privacy violations restrained the growing popularity of social networks.
The answer for enterprises is not to bury their heads in the sand. IBM offered good examples from its privacy policy: on one extreme, IBM prohibits use of genetic data about its employees. On the other, it encourages employees to use social media to help promote the IBM brand and better connect the company with its customers. Its guidelines recognize that while social media carries risks such as inappropriate exposure of personal details or leakage of company IP, similar damage could occur through traditional channels such as emails or phone calls. Existing employee conduct policies should be perfectly adequate for addressing new risks.

For IT vendors, the answer is to provide clear advice on where to start

To most people outside the security profession, this issue is one big complicated, intimidating black box. The lack of awareness is not just on the business side, but also in software development. Yet, the pervasive nature of security issues now makes security management everyone’s job. For instance, software developers must now incorporate vulnerability checks into the QA process, even if they lack a full understanding of what exploits they are trying to isolate.

It is therefore the vendor’s job to be prescriptive: develop high-level business scenarios that tell customers where to start, and how to prioritize the management of security risks. IBM has written volumes in its technical Redbooks explaining its enterprise security framework. The next step is to take that to high-level scenarios that explain exactly what actions businesses should take as they implement key objectives of that framework.

With thanks to Ovum (www.ovum.com)

Copyright © 2012 ScotlandIS | T: 01506 472200 F: 01506 460615 E: info@scotlandis.com
