Page 1

Security Practices Knowledge Circle Vol 1 Issue 1

Essar: Enhancing Business Opportunity While Managing Security Risks N. Jayantha Prabhu, Chief Technology Officer, Essar Group

Supported by


Essar: Enhancing Business Opportunity While Managing Security Risks

Securing the Social Network

Messaging and Web Security

Business and Security: Two Sides of a Coin

N. Jayantha Prabhu of Essar Group, shares the secrets of his organizations success at managing web and data security.

Excerpts from a whitepaper on embracing emerging technologies without putting critical

An Osterman Research report throws light on the future of spam and malware problems in

data at risk.

2011.

The article elucidates how security teams can work in tandem with business to achieve organizational goals and secure a firm place in the enterprise.

3

6

9

11

Contents Editorial

From the Team at SPKC

Information Security is one of the top priorities for CIOs all over the world. Therefore, we, at the CIO Association of India, endeavor to present insights in this area as well as demystify the challenges for CIOs, through the Security Practices Knowledge Circle (SPKC). Bringing you real-life examples of how CIOs are tackling this all-important challenge, we also uncover facets of security, such as web security in todays’ connected world. Further, this publication showcases interesting workshops and security secrets from those working in the field. We hope you find the first edition of the SPKC helpful. Please write to us about what you’d like us to feature in this publication. For further information, feedback, and suggestions on the SPKC please mail spkc@cioindia.org


CIO Insights

Essar: Enhancing Business Opportunity While Managing Security Risks When your job entails heading the systems, network, and security of a large and diversified group, you can be sure there is never a dull day at work! From ensuring IT availability to battling threats resulting from an open internet culture, N. Jayantha Prabhu, Chief Technology Officer, Essar Group, tells us how he has managed it all for his enterprise.

3

As big as it gets As one of India’s premier business houses, with diverse interests in steel, energy, power, communication, shipping and logistics, and construction, the Essar Group has rich and varied IT needs. The organization employs 30,000 people across the world and has a widespread presence, with operations in more than 20 countries in five continents, and remote offices across the country. The resulting IT infrastructure is naturally expansive and managing IT security then, a seemingly mammoth task! Consolidating such wide-spread operations with a large user base and rich diversity, required a carefully drawn IT strategy. “Every group-company’s IT department is headed by a dedicated CIO, and in turn all these CIOs forward their business requirements to be driven by the corporate IT team. Catering to such vast scale of business, needed a waterfall approach i.e. top down consolidation methodology,” informs Jayantha, who heads the corporate IT team. One of the key objectives of Essar group was to provide secure web access to employees for business use, including mobile workers and ensure data security, meeting regulatory compliance. Thus, the challenges were to secure the Internet access, address the organization’s risks pertaining to IT security and Internet policies, identify critical data in sensitive business units, monitor data movement, understand the


4

nature of data leakage, and ensure secure access to data for large organization. Reality check As a large, distributed, and connected organization with the existing IT setup, Essar needed to look beyond, as a distributed network can be both, a boon and a bane for the IT team. Explains Jayantha, “There was sufficient exposure of sensitive information residing in the corporate network. As a business practice, we needed to control data leaks over the network and at the end points, but there were no forensics for data leaks and often, no tools for erasing moveable media. This exposed the enterprise to the risk of confidential information being open and untracked.” Besides the end user, corporate information in any organization is virtually transparent to the Internet Service Provider (ISP). Organizations have no control over the integrity of people and processes at the ISP’s end, making it imperative to secure the privacy of the corporate information. Essar’s own web security too had limited capabilities – a basic web filtering mechanism was finding it difficult to secure thousands of users from the myriad web threats – the latest malware, phishing, and virus attacks. Additionally, pure keyword filtering was inadequate because it was not accompanied by true content filtering, and the manual maintenance of URL filtering lists for every location, was becoming next to impossible. Essar group required a web and data security solution that would protect endusers against accessing inappropriate websites, and losing data or downloading malicious content via the web and other network protocols. Websense: smooth and easy The panacea lay in a single, centrally-managed solution (the Websense solution). The solution identified included Websense Web Security Gateway and Websense Data Security Suite. Websense Web Security Gateway would allow the enforcement of internet usage policies comprehensively. Real time scanning and categorization capabilities of the solution would further enable access to social networking and other Web 2.0 content, without compromising security or legal liability risks. Websense Data Security suite would help the enterprise discover, monitor, and protect the sensitive information. Both,

Other significant benefits of the Websense solution: l DLP and content-filtering policies through a single console. l Correlation of the information loss incidents – greater visibility and addressal. l Mobile platform support for incorporating mobile devices into security control. l Ability to discover, monitor, and protect sensitive data in rest, motion, and in use. l Data identification and protection based on keywords, patterns, file types, and finger-printed information. l Enforcement of policies based on several predefined policy templates. l Comprehensive reporting metrics and incident management workflows. l Encouragement to customers to share data in a transparent manner.

network and endpoint DLP were identified, thereby ensuring the monitoring of all possible channels through which information could leak – email, web, and desktop/laptop. “We needed a solution that would work well with our existing one. The old one could continue to handle the authorization, while content filtering could be handled by a complementary solution. We also felt the need for a centralized policy server, which would enable better compliance for us, as all Internet communication would go through a common gateway,” said Jayantha. Critical data within sensitive business units was identified, along with the users who have access to that data. The team also analyzed the processes and channels, which allow the data to flow outside the network and then implemented data protection strategies for those business units. This included access to social networking and other Web 2.0 sites.


5

“Given our huge global footprint, we implemented the solution in a phased manner to ensure continuity. We carefully implemented, measured impact, and then rolled out at the next location, says Jayantha, “It was also important to segregate critical areas and treat them separately. For example, we had to have differing levels of user access, which we now use to good effect, to provide unrestricted, but safe, web access to our senior management.” “The Websense solution deployment was very easy and the first one just took fifteen days,” says Jayantha, clearly thrilled with the seamless integration of Websense with other technologies (AD, network device, etc.) Essar completed the entire project in 4 phases in for 4 different locations each lasting 10 days. The pilot took only 7 days to implement and measure the impact. The entire project was rolled out in 2 months from concept stage. Essar plans to continue deploying the solution as required, per the growing ranks. The Websense advantage The benefits have been varied and have positively impacted the group’s efficiency in very real terms. For starters, the solution has enhanced the enterprise’s ability to monitor and assess the risk of critical data getting leaked through corporate networks. Using the solution, Essar managed to reduce the less critical incidents to less than 5% of the total incidents captured. The solution has been deployed to prevent data leaks even when users are roaming. With Websense Web Security Gateway solution, Essar has been able to enable social networking sites and Web 2.0 content for the employees, as it observed that more and more user communities within the organization wanted access to the sites for business use. “We have been further able to minimize security threats like botnets, phishing, and malware, etc. and provide protection from malicious threats at Edge Network, eliminating reaching endpoint,” says Jayantha. Essar was able to deal with non-compliance to statutory or regulatory laws enforced by international regulatory bodies. “After the deployment, we didn’t observe any noncompliance during the recent audit done by our consultants with respect to data leaks,” say Jayantha. Apart from helping create awareness amongst the employees, the solution boosted the productivity by controlling the user Internet

behavior. “Where previously, it was difficult to gauge just how productive web usage was within the group, we now have detailed, authoritative reporting,” beams Jayantha, clearly pleased with Essar’s solution for the web security issues. “Our web usage is now secure, productive, and in line with corporate policy. This has ensured compliance as well, as errant users are now aware of their web usage.” As an additional gain, Essar has saved almost Rs 50 lakh in bandwidth requirements alone, where earlier they were struggling under user demand. This has resulted from the boost in productivity as a result of better network utilization. The solution further helped in obtaining forensic details in case of an incident. “We have a log retention for a specific period and can derive all forensic details to analyze specific incidents if required,” informs Jayantha. Despite the apparent benefits, CIOs today perceive large transaction overheads such as data classification to segregate the sensitive and confidential data; and securing of buy-ins from the employees and top management. We are keen to know what advice Jayantha would like to offer to CIOs facing this dilemma, “Well, it is critical to analyse the impact before rolling out any security solution. Please anticipate and plan remedial actions against any post-implementation crisis. But at the end of the day, business continuity and benefits are paramount – if you have a solution ensuring that, why not go for it?”


Security Files

6

Summary Social media isn’t coming to banking institutions—it’s here. For banks and their customers, social networks such as Facebook, LinkedIn, and Twitter have become an integral part of everyday life.

Securing the Social Network How to embrace emerging technologies without putting critical data at risk. (Excerpts from a Websense whitepaper)

This paper details the risks, the rewards of social networking; and the emerging solutions to enable secure, controlled activity. Social networking sites are the 21st Century phenomena. Facebook alone touts over 500 million active users that spend in excess of 700 billion minutes per month on the site and share 30 billion pieces of content—from web links and blog posts to notes and photo albums. What’s more, the Facebook platform houses over 5,50,000 active applications and is integrated with more than one million websites. And it’s not just for friends and family anymore. Banking institutions have their own corporate presence on sites like Facebook. It’s certainly no wonder with social networking promises new levels of productivity for employees, infinite marketing opportunities for institutions and a favorable way for customers to engage their financial services partners.


7

“Banking is a trust relationship,” says one IT executive at a top 20 U.S. bank (that prefers to stay anonymous in this discussion). “Social media is an incredible opportunity to deepen the relationship.” And the trust.

Best Practices for Success When it comes to maximizing the potential of social networking—and minimizing the risk—industry experts offer these words of wisdom: 1) Just Say “Yes.”—but with due caution. 2) Understand. Talk to your users and business units to gain a full understanding of how social media are being used. 3) Re-examine/rethink all your policies. 4) Audit enforcement and modify policies as need dictates. 5) Assign Roles. Make sure someone is accountable for implementing and monitoring social networking policy. 6) Unify Your Security Strategy. Putting  everything—including web, email and data security—under one umbrella streamlines management and reduces complexity.

New media, new opportunity “Web 2.0” is a topic at every water cooler these days— especially in financial institutions. The term is commonly associated with web applications that facilitate active information sharing and collaboration over the Internet in a virtual community. This differs from traditional websites for which users are limited to passive viewing. In addition to blogs, wikis, and video-sharing sties, social networking sites are arguably among the most popular of Web 2.0 applications. Social media offer an intuitive new way for people to interact from the convenience of their computers and mobile devices. They can connect from virtually anywhere, at anytime. In so doing, they are able to touch base and share ideas. The most visited sites include Facebook, MySpace, LinkedIn, and, of course, Twitter. Social media adoption has surged to staggering heights. While Facebook has over 500 million users (July 2010),

A unified approach to security is the best way to ensure 360degree protection against everything social networking can throw at an institution, from preventing downloads of malicious content to blocking leakage of private data. MySpace has nearly 70 million in the U.S. (June 2010) and LinkedIn has around 75 million worldwide (August 2010). As for Twitter, 105,779,710 registered users (April 2010) account for approximately 750 tweets each second, according to Twitter. Many see social networking as a huge business opportunity and have readily embraced both Facebook and Twitter as prime avenues of outreach and interaction.

Indeed, social media represent a target-rich environment to engage new and existing customers. Business units are eager to embrace the innovation. Employees want to use it for communication and collaboration. But more importantly, public relations, marketing, sales programs now hinge on this creative media to convey key messages. In fact, social networking represents not just a competitive edge, but rather a competitive necessity. The risks Some of the most prominent challenges include: l Lack

l

of visibility and control Many institutions are limited in their control of social networking. They use URL filters to either allow complete access to a site—and every bit of content therein—or fully restrict access. The problem lies in identifying and controlling what users access once they get onto the site, including inappropriate material and compromised documents. Widening attack surface Malicious code is not just coming from the dark corners of the web, like pornography, gaming and pharmaceutical sites. Advanced persistent threats, web exploits and drive-by attacks can slip through gaps in traditional security mechanisms, like antivirus and URL filters. This may lead to malware-infected applications being downloaded or trade secrets being disclosed to fake identities.


8

l

Data loss potential Social networking sites are all about collaboration and sharing—potentially even of sensitive data. Today, there is little control over data loss in social media arenas because policies do not typically cover what users contribute. So confidential or regulated data could very well be uploaded, taking an institution out of its compliance state at a time when oversight is so strong.

Unified approach to risk management Institutions need to find new ways to leverage the power of Web 2.0 without worrying about malware, inappropriate content or disclosure of sensitive information.

l Web

defense Today’s malware is purposely built to avoid legacy controls. New appropriate use policies must be in place to block access to sites and content associated with spyware, phishing and key logging, as well as unwanted applications like P2P and IM. And real time security scanning to protect against legacy file based attacks, web scripts, and dynamic threats that evade traditional antivirus is key, as is content classification to remove inappropriate content.

l Email

protection Email protection is also important because of the increased number of blended email and Web 2.0 threats. Indeed, traditional antispam and antivirus

technology is critical, but institutions need to increase email protection with real-time inspection that goes beyond virus and reputation analysis. Granular policy control and content filtering can help institutions secure confidential data within email and its attachments.

l Data

security Institutions need to enhance data loss prevention strategies with the right controls to enable outbound communications to destinations like social networks while meeting compliance mandates that govern disclosure of sensitive data. Providing visibility into where data resides, where it is sent and by whom, such strategies can secure

sensitive information and intellectual property, as well as manage and enforce regulatory requirements.

A unified approach to security is the best way to ensure 360-degree protection against everything social networking can throw at an institution from preventing downloads of malicious content to blocking leakage of private data. With traditional point solutions that rely on redundant multi-vendor management tools, institutions are often saddled with three or more separate systems to manage. By controlling web, email, and data security through the same interface, organizations can reduce the number of appliances and management systems and thus cut both capital and operational expenses.

Websense unifies security Websense’s Web Security Gateway classifies content on-the-fly, providing acceptable user policy controls for the social web, while real-time security scanning looks for both traditional attacks and modern threats like advance persistent threats, script-based attacks, and Web exploits. Additionally, TruWeb DLP allows institutions to monitor and protect confidential information from being posted to blogs, wikis, and social networking platforms. This kind of content-level protection enables institutions to leverage new communication and collaboration tools—like social networking—to thrive in today’s competitive marketplace. For more information, visit www.bankinfosecurity.com/whitepapers.php?wp_id=347


Bits & Bytes

9

Messaging and Web Security Best Practices for 2011 and Beyond (Excerpts from an Osterman Research report.)

1% 4% 20% 15% 32%

53% 74%

Spam Malware Will be less of a problem by YE2011 Will be more of a problem by YE2011 There will be no change No idea

Executive summary In an Osterman Research survey conducted during January 2011, decision makers and influencers demonstrated that they are decidedly pessimistic about the future of spam and malware problems for 2011, as shown in the alongside figure. Predictions about global spam and malware problems in 2011 They have little reason to be optimistic: despite recent, albeit temporary, good news – such as reductions in the number of spam messages traversing the Internet – there has been relatively little good news in the context of threats directed against messaging and Web users. Further, while many decision makers are taking messaging and Web security threats quite seriously, a soft economy coupled with threats that are rapidly increasing in sophistication and severity, means that many organizations are not keeping pace with the threats they face. For example: l Symantec.cloud reported that 41.1% of all of the malicious domains they blocked during January 2011 were new, representing an increase of 7.9% from the month before. l The Rustock botnet was more or less shut down during the 2010 Holiday season. However, GFI Software reports that in January 2011 Rustock was reactivated and its spam volume increased by 98% almost overnight. As of late March 2011, Rustock has been silenced once again, but has the potential for coming back online. l SpamTitan reported results from a 2010 survey that found that 49% of small- to mid-sized businesses had not taken even basic steps toward crafting a social media policy. l Edgewave reported that during the month ending February 23, 2011, there were anywhere from 49 to 352 new spam campaigns launched every day. l In 2010, Websense Security Labs found that 61% of all data stealing attacks occurred over the Web or email. Key takeaways There are five key points that readers of this white paper should understand and appreciate: l

Spam is still a major problem Despite some recent good news on the spam front, spam volumes continue to increase and are expected to do so for many years to come. Because it saps storage, bandwidth and employee productivity; and is increasingly used as part of malware-distribution campaigns, spam continues to be a very serious problem.


10

l

Malware is a rapidly growing threat Malware infiltration continues to be a vexing issue for IT management because of a) the increasing sophistication of the threats, b) the financial and other damage they can cause, and c) the sheer volume of new malware that is being distributed across the Internet.

There are more places for spam and malware to enter an organization The number of venues for unwanted content to enter an organization is growing. In addition to the normal email channel, this content now increasingly enters an organization through social media tools like Twitter and Facebook, personal Webmail

accounts used for work-related applications, Web enabled smartphones, other mobile devices like iPads, the growing number of cloud-based applications used in the workplace, voice-over-IP systems, real time communication tools like instant messaging, flash drives, applications that users

l

download that are not sanctioned by IT, and normal Web surfing to legitimate Web sites. l

The network perimeter is disappearing, making organizations more vulnerable The network perimeter is rapidly disappearing. Where there used to be a clear distinction between the corporate network and the outside world, the growing number of employees who work from home, coupled with the increasing number of mobile devices used for both work and personal applications, means that the network perimeter often does not exist.

Data loss is becoming a greater risk The granularity and thoroughness of the policies to manage messaging and Web applications have not kept pace with the threats that organizations face. This makes organizations more

vulnerable to data loss, financial loss, damage to corporate reputation, higher remediation costs and other problems. The risk of data loss through the Web has been exacerbated dramatically with the rapid growth of social media and other Web 2.0 applications.

l

Data Loss Risk Assessment Workshop In the light of the new IT Amendment Act 2008, organizations seek to ensure confidentiality of information while providing necessary access to employees. CIOs in-charge look to comply with the stringent regulations, paying even greater attention to their organisations’ security needs. Websense, in association with Deloitte, is happy to announce a workshop detailing the pertaining data security concerns and risk management issues. The workshop will demonstrate how to perform a successful Data Loss Risk Assessment (DLRA) to meet compliance requirements, protect data, and provide secure access to data.

Limited seats only!

Topics: How to adopt risk management principles and security practices? (By Deloitte) How to develop a comprehensive DLP strategy to protect confidential data? (By Websense) Dates: Delhi – 15th June | Mumbai – 16th June | Bengaluru – 17th June Please note: A pre-registration is mandatory for the workshop. Please send your registration to mbansal@websense.com (+91 9819688007). Once confirmed, you’ll receive confirmation of registration with venue details and agenda.


Author Speak

11

Business and Security: Two Sides of a Coin Mr. Faraz Ahmed, CISO & HeadRegional IT at Reliance Life Insurance

A CISO/security professional should: l Always look for win-win solutions l Understand that the security team exists for the purpose of supporting business l Be clear about what you are trying to protect l Accept that there is no 100% security l Educate the management so they are your security brand ambassadors l Lead by example because good security flows from top to bottom l Understand the business, because you can’t secure what you don’t understand l Be flexible to business requirements, but never loose sight of security objectives l Balance security and convenience l Recognize that good security requires significant investments in people, process, and technology

“With great power comes great responsibility” – this adage rings true for security heads across organizations, big and small. The power to stop business from carrying out activities perceived as business threats, comes with the great responsibility of educating the business with doing things in the right, read secure way. User education has always been a challenging area for security professionals. Organizations use CBTs, games, quizzes, puzzles, prizes, and what have you to keep users in check. However, I believe the best way to bring about user education is to enable them to achieve their goals in a more efficient manner; as a result, they are able to appreciate the value that the security processes add to the organization. Robust risk assessment and business impact analysis are the stepping stones to having a good security practice. Business users should be deeply involved in both these – this enables them to understand both, business and security concerns; and jointly come up with solutions that meet the business objectives and helps establish a security framework. Infact, these activities should be driven by business, with IT & security being the facilitators and expert solution providers to understand business concerns, optimize processes, and secure the business. After all, you can’t secure what you don’t understand! As information security matures, more and more security professionals realize that they need to change gears from being the techies to being business leaders first – without losing a sight of the people, process and technology framework. Further, in today’s information age, data is the fodder that fuels the business. Increasingly we have seen that current and up-to-date information helps organizations in decision-making. Business demands that information be made available in real-time, out of the office boundaries, on mobile and hand-held devices. This is one of the most critical elements in today’s economy and is increasingly acknowledged by one and all. Depending on how this is addressed, this could be a security professional’s worst nightmare, or a once-in-a-lifetime opportunity to demonstrate to the business that technology can address their demands, and yet secure corporate data, while complying with regulatory standards. However, the question still remains – how do you secure access to information that you don’t know will


12

be accessed where and via what medium, and most importantly by whom? Also, to make the matters more difficult, you have a new generation work force, which demands access not only to internet but also to social networking and blogs, which were traditionally blocked by security professionals due to the inherent risks of Web 2.0 and the risk of data leakage. I strongly believe that the answer lies in keeping it simple and focusing on the root cause – the people and data – and puting in controls where they matter the most. Data should be classified and protected, with an appropriate framework in place for governing who has access to what information and what they can do with that information. Location-based access to data is still on my wish list and I suspect will become increasingly important as the penetration of 3G mobile phones and tablets increase with time. Having dealt with the issue of data, we come to the more tricky issues of people. And I must admit, there is no one-stop solution for this. You can tell them, till the cows come home, but you cannot control gaming and chatting by families of senior executives. Therefore, building social awareness is an integral part of this job profile and educating your customers in a manner that conveys the responsibility they share, of keeping organizational information safe, will go a long way in achieving the same.

This by no means undermines the importance of traditional security approach of hardening the systems, installing and updating antivirus and patches, firewalls and IPS etc., as they are an important and necessary part of a sane and secure operating environment. After all, security is always multilayered and should cover all systems and networks with data, not withstanding the extended organization boundaries. A good framework not only covers the end-user devices and data center, but also covers the applications, databases, third-party entities, and individuals who have access to data. This flow should ideally be documented and reviewed periodically to keep a track of any new touch-points that are introduced into the ecosystem by virtue of process change or new relationships. The ability to continue doing business through incidents/disasters, and the capability of supporting business in such an event, is extremely important today. BCP & DR allow us to do that. Here again, the security team must partner with the business to understand their risk appetite and help implement a framework and solutions that are in line with the business requirements. At the end of the day, security exists for the purpose of supporting business; if business does not exist, security will cease to exist. So, even at the most vulnerable times, rise up to the occasion and bring out the best. Being prepared is the key!

Tapan Garg Founder and CEO World CIO Council and CIO Association of India E: tapan@cioindia.org | W: www.cioindia.org

Supported by

Security Practices Knowledge Circle  

Security Practices Knowledge Circle for CIOs

Advertisement