security is changing dramatically
introduction
Safeguarding data and computing resources has never been more complex. Security officials are responsible for protecting a network of people and information that extends beyond their control. Workforces rely on multiple network-connected devices, many of them easily portable and extremely powerful, to go about their daily business. Organisations share data with a multifaceted web of internal and third-party partners.
At the same time, the threat landscape is changing. Virus attacks have gone underground as their perpetrators, no longer interested in fame, go after confidential data that can lead to financial gain. Theft of sensitive identity and financial information now is a serious criminal enterprise, with a corresponding increase in the sophistication of cyber-attacks. In this environment, public-sector organisations and corporate enterprises must constantly be vigilant about protecting their networks and data to maintain daily operations and public confidence.
02 | best practice guide to business security
In this guide, we identify key security challenges and provide solutions and best practices to address them.
On the following pages, you’ll find practical advice on preventing data loss, addressing policy compliance, securing network endpoints, controlling network access, improving mobile security, strengthening messaging security and choosing a managed security provider. Our aim is to keep you informed with up-to-date information on the current threat landscape, plus other trends affecting security. Knowledge is power. The first step in improving security is to understand the risks and vulnerabilities. In these fast-changing times, that means gaining knowledge and implementing the right solutions today.
Mobile Security Management
Data Loss Prevention
Network & Infrastructure Security
IT Policy & Compliance
Managed Security Services
BYTES 020 8786 1500 | 03
Data and Application Security
• Encryption
• Data Loss Prevention (DLP)
• Application Control
• Alerts
Performance and Infrastructure
• Load Balancing
• WAN Acceleration
Messaging Security
• Email Filtering
• Web Filtering
Network Security
• Firewalls
• Intrusion Detection Prevention / System (IDP / IDS)
• Network Access Control
• Wi-Fi
• Network Access Control (NAC)
Endpoint Security
• Authentication and Tokens
• Single Sign-On
• Secure Sockets Layer Virtual Private Network (SSL VPN)
• Endpoint Suite (Anti Virus, Spyware, Malware, etc)

• Monitoring and Data Capture
• Policy Management
• Dashboards
• Reporting Tools
• Log Correlation
mobile security & management
More organisations are allowing employees to use their personal devices to be more productive on the job. Today’s smartphones provide robust connections and computing power, so they are essentially a floating version of the organisation itself. So how do you keep this environment secure? Organisations must develop new policies that cover such questions as, “Which apps and services are allowed? What does the organisation pay for? Which operating systems will the organisation support?”
best practices
Create a Unified Policy for Wired and Wireless
You should avoid having different policies for various devices, such as laptops, desktops and smartphones. Having one consistent policy across devices and operating systems simplifies management of security and also reduces the chances of a breach.
Use Mobile Device Management (MDM)
Management tools are essential for control over the integrity of smartphones, downloaded applications, and data accessed and stored on mobile devices. MDM software monitors and secures mobile devices, giving an organisation greater control over smartphones, laptops, tablets and more.
Control Applications
A growing number of stores are providing applications for mobile devices. This is another opportunity for malware to be distributed. You should have the ability to inventory the applications on devices. You must also ensure that security data from devices can be fed into a correlation system. Generate security logs just like you do for traditional IT equipment.
Centralise Network Traffic
Have IP traffic from smartphone devices flow into one centralised location for inspection and cleanup. You can also better monitor compliance with requirements for things such as the Health Insurance Portability and Accountability Act (HIPAA) for electronic health records and the Payment Card Industry Data Security Standard (PCI DSS) for credit, debit and other payment cards.
Think about Standardisation
One approach might be to let employees bring their own devices only if they choose from a small list of devices the organisation is willing to support and allow onto the network.
Consider a Consultant
Because today’s mobility landscape is fairly new and changing so rapidly, it might be beneficial to bring in an expert who’s steeped in the latest security methodologies for mobility.
Prepare for 4G and LTE
The higher bandwidth that comes with the next generation of wireless technologies will speed the flow of information. But it will also attract hackers. Be ready for new challenges.
Chris Swani Head of Public Sector, Bytes
www.bytes.co.uk | 07
mobile security & management Vendor: Symantec
Mobile Management 7.1
Helping enterprises to confidently enable mobile productivity
Mobile Management provides comprehensive visibility and control over all the popular mobile devices such as iPhone®, iPad®, Android™, Windows® Phone, Symbian®, and BlackBerry®.
Capability
Connect mobile devices to the enterprise network with the on-device agent. Allow/deny access to users based on directory groups.
Deploy mobile applications over-the-air or recommend apps from the public AppStore with your organisation specific app repository.
Distribute active content like documents and multi-media videos to end-users in the field. Provides a secure enterprise container with near-real-time update and prioritised views.
Configuration Management Allows automated configuration of device settings around email, VPN and Wi-Fi. Eliminates user-errors and costs associated with large-scale deployments. Security Settings
Advanced security on devices irrespective of ownership. Set, deploy and update settings like passwords, wipe and application/resource restrictions without any user intervention.
Securely wipe the corporate data from a personal device, without touching the personal data, music and apps. Also delete the documents from Content Library.
Comply with corporate and regulatory requirements around encryption, jailbreak detection and policy updates at all times. Allow/deny access to devices based on status.
Extend strong authentication to mobile devices by integrating with PKI infrastructure. Enable secure access to corporate email, web-based applications, VPN and Wi-Fi.
Helpdesk w/Alerts & Notifications
Asset reporting about devices, users and apps arms the IT teams with near-realtime information. Pre-canned reports along with Alerts and Notifications enable efficient operations management.
Create and implement automated processes that link together people, process and technology. Automate regular tasks like device registration and lost devices.
Unified Endpoint Management
Manage all forms of computing devices, from desktops, laptops and servers to smartphones and tablets, from a single console with integrated endpoint management. Works as an add-on to CMS 7.1.
Delivers MDM functionality in a variety of enterprise environments including Microsoft Exchange 2003/2007/2010, Lotus Notes and Gmail.
Integrate mobile devices with existing investments in infrastructure, processes and personnel for strategic alignment and long-term success.
Endpoint Security 8 for Smartphone
A powerful and reliable solution for protecting corporate users
Kaspersky Endpoint Security 8 for Smartphone protects confidential data on corporate mobile devices from loss, theft, unauthorised access and mobile malware. It is a powerful and reliable solution for protecting corporate mobile users from malicious programmes, SMS spam and Internet attacks that target mobile platforms. This edition provides protection for confidential data stored on a smartphone if the device is lost or stolen.
Easy to deploy: can be installed from one point by a single system administrator regardless of the number of mobile device users or their location
Flexible administration: if affected or threatened by a virus epidemic, mobile device security parameters can be changed for all users or specific user groups regardless of their location
Anti-theft protection: lock, wipe, locate and SIM control
Anti-virus and firewall protection: providing real-time anti-malware scanning of all incoming files and connections, keeping you free of malicious programmes depending on the IP firewall protection level assigned
Anti-spam for calls & SMS: where there are known spam sources, unwanted names, words and phrases can be added to a blacklist blocking their access
Automatic updates: antivirus databases are updated automatically via WAP/HTTP or via a PC
Supported Operating Systems: Android™ 1.5 – 2.3, Symbian S60 9.1 - 9.4, Symbian^3 (Nokia®), BlackBerry® 4.5 - 6.0, Windows Mobile® 5.0 - 6.5.
Complete control: wherever the user might be, they always have total control over their mobile security along with the system administrator
Remote Lock & Wipe
Centralised Deployment and Management
Anti-Virus + Firewall
Anti-Spam for Calls & SMSs
mobile security & management Vendor: Good
Good for Enterprise™
Built on a proven security architecture
Good for Enterprise™ is a powerful, easy-to-use mobility suite that supports mobile collaboration with a great end-user experience on popular handhelds – like the iPhone, iPad, and Android devices – without compromising IT security and control. Good for Enterprise is built on a proven security architecture that has been adopted by top Fortune 500 companies and government agencies.
Good for Enterprise includes:
Good Mobile Control - All the mobile devices are managed through a single web-based portal; from here IT administrators can lock down device functionality, control application access and remote wipe mobile units.
Good Mobile Messaging - An award-winning user interface combined with a secure, easy to manage mobile messaging solution makes employees more productive and IT more efficient, all with a low total cost of ownership.
Good Mobile Access - Good’s proven and secure architecture can be used to support and track mobile connections to critical data, allowing the mobile workforce to access the information they need.
Good for Enterprise supports a wide range of industry-leading devices across platforms such as iPhone, Android, Windows Mobile, Symbian, and PalmOS and devices from all major manufacturers including Apple, HTC, Motorola, Nokia, Palm, and Samsung.
“Managing these devices will help, but companies should also consider the roles of other technologies and application practices that reduce data exposure and leakage.”
Gartner. Four Architectural Approaches to Limit Business Risk on Consumer Smartphones and Tablets – Dec 2010, John Girard, Ken Dulaney
McAfee Enterprise Mobility Management Platform
Simplified mobile networking
McAfee ePolicy Orchestrator (McAfee ePO) integration
• Offers centralised visibility and control
• Displays data within the McAfee ePO dashboard using charts, tables, and other graphics
• McAfee EMM Device Agent data can be presented with data from other McAfee-secured endpoints and mobile devices within a McAfee ePO dashboard for enterprise-wide visibility, with direct drill down for more details.
McAfee EMM features:
McAfee EMM Device Management
• Enables OTA provisioning for users and reduces IT workload
• Allows real-time device access and provides asset information
• Reports mobile device information, including audit logs, device status, and pending actions.
McAfee EMM Audit and Compliance Service
• Visualises mobile assets
• Identifies and blocks rogue devices
• Silent OTA remediation
• Reports compliance status and activity.
McAfee EMM Device Agents
• Password, PKI, and two-factor authentication and remote wipe functions
• Leverages native device encryption
• Supports Wi-Fi and VPN configuration/management.
The McAfee EMM solution simplifies mobile networking. It blends mobile device management with policy-managed endpoint security, network access control, and compliance reporting in a seamless system. This platform integrates smartphones and tablets into enterprise networks and security management with the same level of security protection, convenience, and scale enjoyed by laptops and desktops.
McAfee Device Agents
Email McAfee EMM Audit and Compliance Service
McAfee EMM Device Management Gateway McAfee EMM Self-Service Portal
Other McAfee EMM Server Components • Policy Management • Help Desk • System Management • Reporting
cloud security
The cloud is a unique environment and organisations must have a solid security plan in place before venturing into it. Cloud resources are available via the Internet, so the ports into them can become a pathway for attackers. The fact that your resources and data are in a virtual environment that’s shared with others is a potential concern. Cloud computing provides pooled resources that are accessible over a network on a self-service, on-demand basis, with rapid elasticity. Cloud computing is often enabled by virtualisation technologies. The flexibility of these two technologies allows for very quick scaling up and down as needed.
best practices
Practice Risk Management
Look at the risks based on what you will do in the cloud.
Consider What Belongs and the Security Required
A lot of things can work really well in the cloud, including applications, backup systems, storage, e-mail and Web serving. But not everything belongs there. Consider security concerns when deciding what to put in the cloud.
Encrypt Sensitive Data
Because the cloud is a shared space, you may want to be extra careful with sensitive information. The cloud is potentially accessible to a lot of different entities. Encryption gives you more confidence that your data is secure.
Think About Location
If your cloud services provider is in another country, make sure the provider is observing your local laws when it comes to securing sensitive data.
Put Security Requirements Into Cloud Contracts
Make sure the cloud service provider can demonstrate compliance and will keep security up to the levels you require. Make sure it’s all in the contract.
Ask a Lot of Questions
How is data protected? How separate are you from other entities in the same environment? Analyse the security posture of your cloud provider from an application/data-centric view. Use a cloud provider that has solid application security in place, including application life cycle management.
Add Additional Layers as Needed
Some organisations choose to add layers of security for extra protection. These can include more stringent authentication methods or stronger encryption.
Connect the Clouds
With more elements moving to the cloud, eventually clouds will need to connect to other clouds. Perhaps you’ll have an internal cloud for core operations, and a backup cloud through an outside provider. Find out whether cloud technologies will be compatible with one another. Look into security risks that could result from connecting.
Consider a Consultant
Any good cloud service provider will want to ensure that the cloud works well for you. If the provider has a consulting division to help you make the most of the cloud solution you’re purchasing, it may be helpful to include consulting support.
John Dwyer Account Director, Bytes
It has somehow become the norm to pass the burden of security from company to customers. Installing, maintaining, downloading and updating is somehow your job, while finger pointing, blaming and looking the other way is theirs. We think it’s time for a change. It’s time for security to be the service it is sold as, instead of the burden it becomes. It’s time to prevent problems instead of scrambling to fix them. It’s time for Webroot.
We work for you, not the other way around. To find out more about Webroot services, please contact your Bytes account manager.
Mimecast Email Security
Protecting your business with a cloud based security solution
An always-on, cloud-based email security solution that reduces the complexity of protecting your organisation from malware, spam and data leakage.
Always-on security
Anti-spam and anti-virus protection, data leak prevention, secure communication and email routing are all delivered as part of a single unified solution. Mimecast’s team of skilled threat experts, and auto-learning technology, ensures that you remain protected against the latest threats.
Increased protection
Mimecast’s massively scalable MTA becomes your email bridgehead in the cloud. Email related threats such as malware, spam, phishing attacks, denial of service and directory harvest attacks are all stopped before they reach your network. This not only reduces risk to your network but also improves the performance of your Exchange server.
Enhanced visibility and control
Organisation-wide email security policies are managed from a single interface and can be applied with immediate effect, enabling you to respond rapidly to evolving situations. Advanced monitoring functionality gives you real-time views of your SMTP traffic and offers online queue management and advanced routing capability, to ensure that you stay in control.
Unified Email Management
Mimecast Email Security is just one component of Mimecast’s suite of services for email management - you have the flexibility to easily add email continuity and archiving services either now or in the future, all managed from a single administration console.
data loss prevention
Data loss prevention is still a hot topic these days. With security breaches being widely reported in the media, increasing numbers of endpoints and increasing information sharing among workers, the need to secure all kinds of data is becoming more important. With the rapidly growing number of mobile devices being used, people have become the endpoints. The workers themselves, not the computers, are the new security perimeter.
best practices
Protect All Data
That is data stored on USBs and smartphones, and within e-mails and instant messages. Employees use many tools and devices, and they all should be addressed. It’s about protecting the data, wherever it’s stored or used.
Always Go for Accuracy
Organisations need to accurately detect every possible threat to their data. There should be no false positives. The security system should accurately monitor and detect issues for all data types, data endpoints and network protocols.
Have Solid Reporting in Place
Reporting is very important. It’s a valuable tool for finding broken business processes. It helps educate both higher-level managers and employees in general. Good reporting can ultimately reduce the number of security incidents. Some organisations have seen risk reduced by 90 percent after turning on automated notification.
Designate Various Classifications of Data
All data should be categorised to designate what type of data it is, where it is, how it can be used and where it can be sent.
Control Data at the Endpoint
Organisations should be able to discover sensitive data stored on endpoints and then prevent the data from being inappropriately used, sent out or copied to storage devices, such as USB drives, CDs or DVDs.
Maximise Encryption
It’s best to use encryption only when necessary, for sensitive data. It can be wasteful and costly to encrypt everything. A lot of information is fine just the way it is.
Secure All Databases
Analyse all data accessed from databases, and check for unauthorised access to sensitive data. Have an audit trail in place for database activities. Look for anomalous database activity from both authorised and unauthorised users.
Scan and Monitor Laptop Data
This can be a challenge because laptops are offline much of the time. That can be done, however, by automatically scanning e-mail archives and disk backup files to find confidential data that was previously pulled from the network to a laptop.
Emma Yates Operations Support Manager, Bytes
data loss prevention Vendor: RSA
RSA Data Loss Prevention (DLP) Suite
• Comprehensive coverage - RSA DLP prevents loss of sensitive data through many risk vectors. It covers email, webmail, social media, FTP, web, Web 2.0, PCs, virtual machines, smartphones, SharePoint, file servers, NAS/SAN, databases, USB devices and more
• Accurate Classification - RSA DLP offers the highest accuracy in identifying sensitive data, achieved through a combination of cognitive sciences-based content classification, machine-based fingerprinting, rich metadata analysis, and purpose-built expert policies
• User education - RSA DLP monitors the actions performed by users on sensitive data and educates them in real-time on policy violations. This improves risk awareness among end users influencing their behavior in dealing with sensitive data
• DLP Ecosystem - RSA DLP is deeply integrated with many enterprise platforms to maximise utilisation of your current infrastructure for DLP projects. These include platforms from vendors such as Microsoft, Cisco, EMC, VMware, Citrix, McAfee, Symantec, and Blue Coat
• People- and Process-Centric - RSA DLP offers automated workflow for policy management, incident remediation, and reports management. This automation is highly people- and process-centric and enables better DLP project management for enterprises.
Websense Data Security Suite
Websense Data Security Suite includes four integrated modules, managed under a single policy framework:
• Websense Data Monitor: Monitors for data loss on network (Web, email, FTP, other)
• Websense Data Protect: (includes Websense Data Monitor) Enforces automated, policy-based controls to block, quarantine, route to encryption gateway, audit and log, or notify users of violations
• Websense Data Endpoint: Monitors and enforces automated, policy-based controls for data in use via applications and peripheral devices on endpoints; local discovery and classification of confidential data
• Websense Data Discover: Discovers and classifies confidential data stored in enterprise repositories, with customisable remediation action including file removal.
Websense Data Security Suite is the only solution with native enforcement of Web (HTTP), secure Web (HTTPS), and email (SMTP) traffic, eliminating the need for additional expensive third-party proxy solutions.
Symantec™ Data Loss Prevention 11 Simplify the protection of unstructured data and streamline the process of data clean up Data Loss Prevention 11 builds on Symantec’s experience of making data loss prevention work – additional new features across the entire suite help you stay ahead of threats to your customers, brand and information assets with the most advanced solution available.
Better endpoint protection • Application File Access Control monitors and blocks sensitive files accessed by any application, including encrypted protocols. Now you can protect sensitive data without restricting access to applications like iTunes®, Skype™ and WebEx™
Simplify the implementation of Data Loss Prevention • Vector Machine Learning (VML) is a new detection technology for unstructured data that learns how to recognise sensitive data based on samples. Creating policies using VML to protect unstructured data like source code, product formulas and other intellectual property is more accurate than describing the data, and is less time consuming than fingerprinting all your sensitive data.
• Trusted Devices support ensures that sensitive data can be copied to approved external storage devices, while nonsensitive data can be copied to other devices. Leverage the convenience of USB devices that automatically encrypt files
Streamline remediation of data at rest • Risk Scoring assesses each network folder and highlights those at greatest risk based on the amount of sensitive data in the folder and who has access to it. With risk scoring, Symantec gives you a way to zero in on where to start your data clean-up efforts • Data Owner Remediation leverages Symantec™ Data Insight to identify the most frequent user of a file and automatically sends them a notification that their data may be at risk. Data Owner Remediation helps change the way people think about managing their sensitive information.
• FlexResponse automatically protects sensitive data stored on PCs with encryption and Enterprise Rights Management. Protect email and Web in the cloud • Hybrid Network Prevent lets you co-locate Data Loss Prevention with your hosted service provider. Now you can extend the leading enterprise Data Loss Prevention capability into the cloud to lower your risk of data loss.
messaging security
With e-mail, instant messaging (IM) and Web collaboration rapidly gaining importance in the daily work world, it’s more vital than ever for organisations to keep the data within these messages secure. Much of an organisation’s critical information travels through e-mail. IM is increasingly used for business. Online collaboration too is becoming more popular. These messaging tools have become essential for day-to-day operations.
best practices
Take a Multi-Tiered Approach
It’s crucial to have security in several tiers throughout a network. This works well because it attacks the security problem in several different places. The perimeter is just as important as the inner workings. From endpoints through gateways and into servers, there should be security at every point.
Fit Messaging Security Into the Big Picture
It is best to have a holistic security system that seamlessly fits messaging security within the larger protection system. The big picture should cover antispam, antivirus and compliance for all messaging, not just e-mail.
Integration Is Best
With just one interface, administrators can go in and easily create policies that will be consistent over e-mail, IM and the Web. This saves time in managing messaging security, which results in lower costs.
Accurate Intelligence Is a Must
Attackers have their own SMTP servers, they create bots to do their bidding, and are smarter about staying “under the radar” and not causing suspicious traffic peaks. It’s more important than ever for organisations to have an accurate view of the current threat landscape at all times.
Use IP Reputation Analysis
Analysis of IP reputation is a powerful aid. Security experts can determine whether the reputation of an e-mail’s source is good or bad. If a particular sender has a bad reputation, its attempts to connect to a network should be rejected at an early stage.
Have Solid Compliance Policies
In addition to cutting down on viruses, spyware and spam, solid security will also help tremendously with enforcing compliance policies. Organisations should stop unauthorised data exchanges, both internally and externally. The system should have numerous options for how to deal with each instance.
Create Internal Content Filters
Internal issues should be addressed by messaging security. Content filters can be set up to eliminate employees’ exposure to objectionable content, such as racially insensitive or other inflammatory material, blocking negative content from reaching employees and going beyond its boundaries.
Matt Compton Symantec Business Manager, Bytes
Symantec™ Protection Suite Enterprise Edition Trusted protection for endpoint, messaging and web environments Endpoint security More than antivirus, with new built-in software-based network access control
Symantec™ Protection Suite Enterprise Edition creates a protected endpoint, messaging, and Web environment that is secure against today’s complex malware, data loss and spam threats, and is quickly recoverable in the event of failure. Reduce the cost of securing your environment using Symantec™ Protection Center, a single sign-on Web console, and more effectively manage the inherent risks of today’s IT infrastructures with proven Symantec endpoint security, messaging security, and system recovery technologies.
Messaging and Web security Antispam, messaging, and Web security protection Backup and recovery Full system and data recovery Protection Suite Enterprise Edition is an unparalleled combination of award-winning technologies from the world leader in security and data protection that enables you to completely protect, easily manage, and automatically control the assets most crucial to your business.
Premium Mail Security
Protection for Sophisticated IT Network Access Control
Desktop Backup & Recovery Endpoint Protection
Web 2.0 Security
Symantec™ Protection Suite Enterprise Edition
endpoint security
The number of endpoints has exploded. That, combined with increased data sharing and more mobile devices, makes endpoint security more important, and more difficult, than ever before. The challenge now is to allow more workers, even those outside organisational boundaries, to have more access to information while providing greater security. As the threat landscape continues to become more complex, managing endpoint security becomes more expensive and time-consuming. Endpoints include servers, desktops, laptops and other mobile devices, such as smartphones and PDAs. To protect those endpoints, organisations need a solid framework of security measures. This should include antivirus, antispyware, desktop firewall, intrusion prevention and application and device control.
best practices
Look to Consolidate
It’s best to consolidate your endpoint security where possible. With several different solutions, management becomes inefficient and time-consuming. And the increased complexity leads to higher costs.
Advanced Threat Prevention
It’s important to have advanced tools that can protect against the most sophisticated attacks that evade traditional security measures, such as rootkits, zero-day attacks and mutating spyware.
Look for a Solution That Combines Core Technologies
Antivirus, antispyware, firewall, intrusion detection and intrusion prevention, as well as device and application control, are ideally managed from a single console, allowing enforcement of security policies across the business.
Deny Specific Activities
An organisation’s endpoint protection should allow it to deny specific high-risk device and application activities, with the ability to block certain actions based on the user’s location.
Use Behavioural-Based Methods
Security techniques are always evolving, and this new method studies and reacts to the behaviour of potential threats.
Take a Proactive Approach Overall
With the increasing number of endpoints and attackers finding more complex ways of getting into a system, it’s vital to have proactive security. This is the best defence against new attacks.
Adam Thornton Sales Manager, Mid Market, Bytes
endpoint security Vendor:
Trend Micro™ Deep Security 8.0
Comprehensive security platform for physical, virtual, & cloud servers
Key Features
Accelerate Virtualisation, VDI, and Cloud ROI
- Provides a lighter, more manageable way to secure VMs with the industry’s first and only agentless security platform: anti-malware, intrusion prevention, and integrity monitoring built for VMware environments
- NEW! Offers agentless integrity monitoring for greater virtual server security without added footprint
- Delivers 11X more efficient resource utilisation and supports 3X the VM densities of traditional anti-malware solutions
- Improves the manageability of security in VMware environments
- Secures VMware View virtual desktops while in local mode with an optional agent
- Coordinates protection with virtual appliance and agents to allow continuous and optimised protection of virtual servers as they move between data center and public cloud.
Maximise Operational Cost Reductions
- Optimises the savings of virtualisation or cloud computing by allowing greater virtual machine consolidation
- Reduces complexity with tight integrations to management consoles from Trend Micro, VMware, and enterprise directories
- Provides vulnerability protection to prioritise secure coding and cost-effective implementation of unscheduled patching
- Eliminates the cost of deploying multiple software clients with a centrally managed, multipurpose software agent or virtual appliance
- Reduces management costs by automating repetitive and resource intensive security tasks, reducing false-positive security alerts, and enabling workflow of security incident response
- NEW! Significantly reduces the complexity of managing file integrity monitoring with cloud-based event white listing and trusted events.
Prevent Data Breaches and Business Disruptions
- Detects and removes malware from virtual servers in real time with minimal impact
- Blocks malware that attempts to evade detection
- Shields known and unknown vulnerabilities in web and enterprise applications and operating systems
- Detects and alerts suspicious or malicious activity to trigger proactive, preventative actions
- NEW! Leverages the web reputation capabilities of one of the largest domain-reputation databases in the world to track credibility of websites and protect users from accessing infected sites
- NEW! Provides hypervisor integrity monitoring for VMware vSphere utilising Intel TPM/TXT technology.
Endpoint Security and Data Protection
A fast and effective single scanning engine

Get what you need to stop malware on all your users’ computers and prevent data loss. Our single scanning engine is the fastest and most effective in the business - and it won’t stretch your budget.

Key features
- Antivirus: Our tools scan your systems fast - now up to 15% faster. And practical intrusion prevention comes standard.
- Live protection: We use cloud technology to block threats and infected URLs.
- Management: You can protect Windows, Mac, Linux, UNIX and virtualised platforms - all from one console.
- Reporting: Get the detailed security information you need, whenever you need it, using whatever tools you like. And now we’ve made it even easier to find computers that need to be scanned and that aren’t reporting status.
- Data Loss Prevention (DLP): We’ll help you monitor data transfers so you can control what users do with sensitive data.
- Encryption: We make compliance easier. Our SafeGuard encryption secures your computers and removable media.
- Network Access Control (NAC): We’ll help you keep your managed and guest computers in line with your security policies and patches.
- Support: Industry leading tech support and automatic updates, now up to 41% faster, are part of the package.
- Application control: We’ll help block the use of unauthorised applications. You’ll cut down on infection and data loss, plus help user productivity.
- Device control: Get a handle on removable storage devices with policies to reduce your risks of malware and data loss.

Learn more and request a free trial at www.sophos.com/endpoint
network & infrastructure security
With the significant increase in the numbers and types of endpoints accessing an organisation’s network, providing security for the entire network has never been more challenging than it is today. Networks consist of an organisation’s managed systems, in addition to contractor systems, guest systems, public kiosks and partner systems.
best practices

Define Correct User Rights for the Correct Task
Ensure that your users have the appropriate privilege level for the task at hand, and limit the number of users that have administrator usernames and passwords.

Download Files from Trusted Sites Only
Ensure your users only download from trusted sites, which are often main source websites rather than file-sharing or generic websites. Also consider who in the company needs to download files and applications from a website.

Undertake an Audit of Network Shares
A lot of malware can spread via networks. This is commonly due to there being little or no security on network shares. Remove unnecessary shares and secure the others and their contents.

Control Network Connections
Consider restricting users from connecting computers to unapproved domains or networks - in most instances, most users need only connect to the main corporate network.

Change the Default IP Range for Your Network
Networks often use standard IP ranges, such as 10.1.x.x or 192.168.x.x. This standardisation means machines configured to look for this range may accidentally connect to a network outside your control.

Audit the Open Ports on Your Network Regularly and Block Unused Ones
Ports are like windows in a house. If you leave them open for long periods of time without surveying them, you increase the chance of letting in uninvited intruders. Disable unused USB ports.

Regularly Audit the Entry Points into Your Network
Networks change shape and size all the time, so it is important to look into all the routes into your organisation on a regular basis. Be aware of all entry points. Consider how to best secure the routes to stop unwanted files and applications entering undetected or sensitive information leaking out.

Consider Placing Business Critical Systems on a Different Network
When business critical systems are affected, they can slow business processes significantly. To help protect them, consider having them on a different network from the one used for day-to-day activities.

Test New Software on a Virtual Network before you Deploy
To ensure that a new installation or update does not cause any problems, test it on a virtual system and check its effects before deploying to the real live network.
Teja Dinning Sales Executive, Bytes
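One way to run the open-port audit recommended in the best practices above, as an added example that is not part of the original guide: it compares a host's listening sockets against an approved list and ranks what is left over. The `ss -H -tuln` sample output and the approved-services policy are constructed for illustration.

```python
import ipaddress

# Constructed sample: `ss -H -tuln` output from a hypothetical file server.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0 128 0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:445       0.0.0.0:*
tcp   LISTEN 0 100 127.0.0.1:25      0.0.0.0:*
tcp   LISTEN 0 128 [::]:8080         [::]:*
udp   UNCONN 0 0   0.0.0.0:161       0.0.0.0:*
tcp   LISTEN 0 128 192.168.10.5:3389 0.0.0.0:*
"""

# Assumed policy: the only (protocol, port) pairs approved for this host.
APPROVED = {("tcp", 22), ("tcp", 445)}


def parse_listeners(ss_output):
    """Return (proto, address, port) for every listening socket in the output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or truncated line
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        # Drop an interface scope ("%eth0") and IPv6 brackets; "*" is a wildcard bind.
        addr = addr.split("%")[0].strip("[]")
        if addr == "*":
            addr = "0.0.0.0"
        try:
            ipaddress.ip_address(addr)
            listeners.append((proto, addr, int(port)))
        except ValueError:
            continue  # not an address:port pair we understand
    return listeners


def exposure(addr):
    """Classify how widely a listener is reachable from its bind address."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback-only"
    if ip.is_unspecified:
        return "all-interfaces"
    return "single-interface"


def audit(ss_output, approved):
    """List listeners that are not approved, network-reachable ones first."""
    findings = []
    for proto, addr, port in parse_listeners(ss_output):
        if (proto, port) in approved:
            continue
        scope = exposure(addr)
        # A loopback-only listener cannot be reached from the network,
        # so it is queued for review rather than for blocking.
        action = "review" if scope == "loopback-only" else "block-or-justify"
        findings.append({"proto": proto, "port": port, "addr": addr,
                         "scope": scope, "action": action})
    return sorted(findings, key=lambda f: (f["action"], f["port"]))


if __name__ == "__main__":
    for f in audit(SAMPLE_SS_OUTPUT, APPROVED):
        print(f"{f['action']:17} {f['proto']}/{f['port']:<5} {f['addr']} ({f['scope']})")
```

Running the same comparison on a schedule and diffing the findings between runs shows when a new listener appears on a host.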
network & infrastructure security Vendor:
Security Appliances The Ins and Outs of Securing Your Network No matter where a security attack comes from, it’s still a threat to your network and data. So you need to protect against both external threats – hacking attempts, phishing, malware, unpatched vulnerabilities – and internal issues, such as accidental data loss, managing use of Web and social media resources, and more. Securing against this growing range of threats can mean having to use multiple different products, multiplying management complexity and overheads. The solution to this issue is an integrated security appliance, which can include the key elements needed to secure your network against the widest range of threats, in a single device that also scales to suit your needs. This means you can apply 3D Security across your network, combining policies and enforcement to all your users. To choose the right appliance for your business, you should look for features beyond the ones needed to maintain basic security – for example, you may need firewalling, IPS, VPN, anti-virus and anti-malware, URL filtering, antispam and email security software. Also make sure the appliance includes a centralised management console - this will make keeping control over all the components, and updating them, easier as networks expand.
Next-generation appliances support downloading of security signature updates, and administer them across the network with the click of a button. These can also dispatch updates across the network, ensuring that every corner of the corporate computing environment has the latest protection against threats. In many cases, the gateways automatically keep endpoints (laptops etc) up to date, forcing downloads of the latest protections by quarantining users until they comply. This makes life easier for administrators. While appliances used to be perceived as a compromise between security and ease-of-use, the latest generation of solutions mix proven, best-of-breed security with a variety of flexible features. These features enable you to integrate the 3 critical dimensions of security – policies, enforcement and users – to help you protect your business assets.
A comprehensive family of highly effective security products
Microsoft Forefront delivers comprehensive, end-to-end solutions, both on-premises and in the cloud, to help protect users and enable secure access virtually anywhere. With an integrated portfolio of protection, identity, and access products, you can help secure your environment and manage access across data, users, and systems.

Multi-layered Protection
Across endpoints, messaging and collaboration application servers, and the network edge.
• Forefront Endpoint Protection 2010
• Forefront Protection 2010 for Exchange Server
• Forefront Online Protection for Exchange
• Forefront Protection 2010 for SharePoint
• Forefront Threat Management Gateway 2010.

Identity-based Access
Built upon Active Directory’s infrastructure to enable policy-based user access to applications, devices, and information.
• Microsoft Forefront Identity Manager 2010
• Forefront Unified Access Gateway 2010.

Simplified Management
Integrating with your existing environment to make it easier to deploy and manage your enterprise protections and maintain compliance.
• Forefront Protection Server Management Console 2010.

Forefront helps make your network more secure - the configurations are correct, security is deployed where it is needed, and management and reporting are simplified. Microsoft offers Forefront security products individually, as well as in four different licensing suites:
• The Forefront Protection Suite
• The Core Client Access License (CAL) Suite
• The Enterprise Client Access License (CAL) Suite
• The Exchange Enterprise Client Access License (CAL) with Services Suite.
For further details on licensing Microsoft Forefront contact your Bytes account manager.
it policy & compliance
By practicing good policy compliance, organisations adhere to both internal policies and external regulations set up to keep networks and data secure. Proper compliance results in a more secure, better-managed IT environment. Policy compliance involves creating and managing IT policies, assessing controls and looking for vulnerabilities. It also deals with prioritising, monitoring and responding to security events properly, and reporting on security and compliance status. Compliance is about measuring overall security against internal and external standards.
best practices

Have a Compliance Mindset
Policies don’t enforce themselves. Everyone involved must do his or her part and realise the value of good compliance practices that go well beyond minimum requirements. The result can be a more secure environment and more control of the organisation’s assets.

Link Compliance to Delivery on Your Mission
The organisations most successful with compliance are those that find a way to tie compliance directives to their business goals. Keeping these closely linked improves the chances of successful projects and of getting more funding for future projects.

Have Infrastructure That Lets You Automate
Try to drive the human cost out of compliance efforts by automating as many tasks as possible. That can lead to more efficiency and lower costs.

Know Which Regulatory Mandates Relate to Your Organisation
There are numerous laws requiring IT security compliance. Do you know which apply to your organisation?

Be Able to Demonstrate Compliance
Some find that although they’re complying with everything in the proper manner, they don’t really have the data to prove it. There are three key parts to demonstrating compliance: 1) show you have a good, thorough policy in place; 2) collect data over time to show you’re complying uniformly and regularly; and 3) demonstrate that the policy is effective.

Constantly Evaluate Risks to Your Mission
Threats are always evolving. Hackers never stop trying new ways to get around security. Every organisation should be aware of the latest trends within the threat landscape and have a process that’s constantly evaluating the risks to its particular mission.
Mike Winkworth Operations Manager, Bytes
it policy security & management Vendor: Becrypt
Trusted Client is a self contained encrypted environment
Trusted Client is a self contained encrypted environment that allows employees to connect to an organisation’s network and data whilst preventing data loss and leakage. This secure isolated environment provides access to a corporation’s existing VPN infrastructure as well as backend applications such as Windows desktops and Microsoft applications. Trusted Client is fully configurable to each organisation’s individual requirements and works with your existing corporate environment with little to no modification to existing systems - this is achieved through support for multiple third party remote access technologies. It can also be used in Business Continuity scenarios, making it an invaluable tool that supports and enforces a comprehensive Information Assurance strategy.
• Trusted Client Bootable (Secure access from an ‘unmanaged’ home PC)
• Trusted Client Portable (Secure low cost access from a managed device)
Under CESG guidelines, Trusted Client Portable is classified as a managed device.
Protect your confidential data and reduce the risk of a data breach
More than 25,000 customers across commercial enterprises and government agencies trust SafeNet to protect and control access to sensitive data, manage risk, ensure compliance, and secure virtual and cloud environments.

SafeNet’s technology secures your confidential data, enabling you to:
• Protect your customers’ Personal Identifiable Information (PII) stored in Microsoft and Oracle databases
• Secure online payments and transactions
• Maintain authorised access to corporate resources on laptops, servers and in the Cloud.

SafeNet’s team of experts provide practical advice and guidelines to address your top data security concerns across:
• The authentication and defining of role based authorisation of Smartphone and tablets within your organisation
• How to centrally secure and manage your cryptographic keys for data control and encryption throughout your entire enterprise
• How to maintain corporate security policies and achieve regulatory compliance whilst moving your data to the Cloud.
RSA will help you build your solution with the following products & services

RSA Archer eGRC Platform
Provide a repository of threat and security-risk data and a platform for managing security incidents. Enable VMware security-policy implementation and management, security and compliance measurement, issue remediation, and reporting, all based on the RSA Archer eGRC Platform.
RSA Data Loss Prevention (DLP) Monitor and respond to suspicious activity tied to sensitive data.
RSA enVision Provide security information and event management (SIEM). RSA enVision collects, analyses, and reports on log data, and issues alerts, in the context of threats, vulnerabilities, IT assets, and other data.
Security Operations Analysis and Design Combine requirements gathering and analysis with a design and operational framework. Our lead, fixed-price offering.
RSA NetWitness Provide precise network monitoring with understanding of everything happening on the network.
Security Operations Strategy Provide a strategic assessment and recommendations based on best practices and use cases.
Security Operations Management Focus on operational requirements, including data integration, process workflows, and operational run book.
Managing security, risk and compliance
managed security services
Bytes Security Partnerships is dedicated to delivering network security services that meet the needs of our customers. At all stages in the relationship our account managers and engineers focus on understanding our customers’ underlying business drivers and objectives to ensure that we provide the appropriate solution to meet these needs. Our experienced IT engineers act as an extension of our clients’ IT teams providing security project planning, audit and healthcheck services, 24x7 on call technical support and knowledge transfer and training services.
We pride ourselves on providing IT consultancy, advice & support which enables our clients to get the most out of every security solution we recommend. Our services include:
• Sparc Support – a direct-to-engineer telephone support service designed to offer clients quick response times and fast resolution of technical issues.
• Sparc Monitor – an early warning and alerting service to notify clients of potential system outages ahead of downtime.
• Sparc Implement – on-site and remote implementation services that cater for all design, policy development, deployment and documentation requirements.
• Sparc Audit – a selection of health check and assessment services to assist with compliance, general system improvement, performance enhancement and security best practices.
• Sparc Training – “real world” based training services around market leading security technologies. Service offerings specifically cater for the client’s environment and background experience levels of the IT team.
• Sparc Strategy – business focused workshops to assist the IT organisation in aligning the security strategy to the overall IT and business strategies.
Aatish Pattni Sales Manager, Bytes
managed security services
We offer a wide-ranging portfolio of connectivity, security, communications, governance, risk, and compliance solutions. Instead of supplying an out-of-the-box solution, we consult with clients to understand their current & future security needs and business objectives. We combine this information with our long-standing market expertise to recommend and implement the most appropriate technologies from the most respected and effective technology partners on the market to deliver on both the business and security needs of our customers. Our implementation and support sets us apart from other suppliers, from training internal IT teams on systems, to providing 24x7 technical support, to providing market and security information and updates to clients. Our solutions are based around these 5 key areas:
Email and Web Security
Web and email content security solutions provide policy-based controls designed to secure, monitor, filter, and block threats from messaging (email & instant messaging) and Web traffic. In doing so, organisations can protect against inbound threats such as spam, fraudulent emails (phishing attacks), viruses, worms, trojans, spyware, and offensive material. Our web and email solutions are also designed to protect against outbound threats such as loss of confidential data, customer records, intellectual property, and offensive content leaving an organisation. We provide market leading content security solutions for email, Web and instant messaging usage either as in-house appliance based solutions or as a fully managed service.

Network Security
Network Security is all about securing the perimeter, which appears to grow into ever increasing circles as the boundary of a network is constantly changing. You need to control access to your valuable data assets and resources, whilst implementing a network security policy that enables the business to compete. Every Bytes Security Partnerships network security client can count upon direct contact with highly trained engineers, 24x7 security solutions support both via telephone and online, complete neutrality from us in seeking the best technology partner for their needs and the most cost-efficient, speedy and smooth rollout of IT products and services possible.

Data Security
IT Security has traditionally been focused on the perimeter, however most modern networks have no discernible perimeter and the security focus has now shifted to understanding an organisation’s data and how best to secure it. We can aid in the implementation of an End Point strategy that will ensure the application of unified security controls on every endpoint whilst simplifying management and costs across the organisation.

Mobile Security
To remain competitive organisations need to access information, applications and data from anywhere in the world at any time and increasingly from multiple devices. Bytes Security Partnerships’ mobile security solutions can help you do all of this securely. We offer a range of mobile security solutions including clientless VPNs with all of the benefits opening up the enterprise whilst still retaining stringent policy control. We will identify what solution fits with your feature, security and infrastructure needs, and build a project plan to roll out, manage and support you smoothly and cost efficiently.

Audit and Compliance
Whether you require a full security audit, want to look at your processes or policy, infrastructure technology, potential leakage points or just an audit to streamline your firewall rulebase, we can design an audit programme and deliverables to meet your needs. Choose from an array of services that are tailored to meet your individual requirements:
• Infrastructure Audit
• Vulnerability Assessment
• Policy & Procedure Audit
• Technology Healthcheck
• Granular Firewall Rulebase Audit.
Call us on 0118 936 4650 for a no obligation discussion about your security services requirements.
Dominique Hudson, Internal Sales Team, Bytes
Gold Competency: Volume Licensing, Software Asset Management
Affinity One Partner
UK Head Office 15-17 Chessington Road Ewell, Surrey, KT17 1TS phone - 020 8786 1500 fax - 020 8393 6622
Surrey 6-7 Market Parade, Ewell Surrey, KT17 1SL phone - 020 8786 1500 fax - 020 8393 6622
York Suite G5, Apollo House Heworth Green York, YO31 7RE phone - 01904 428 730
OREGA Manchester 3 Piccadilly Place Manchester, M1 3BN phone - 0161 242 1290 fax - 0161 662 7733
Ireland Douglas Business Centre Old Carrigaline Road, Douglas Cork, Ireland phone - +353 21 4367090 fax - +353 21 4898636
Security Partnerships Unit 5, Winnersh Fields, Gazelle Close, Winnersh, Reading RG41 5QS phone - 0118 936 4650 fax - 0870 238 6312