Bell Enterprise online newsletter

In this issue: Feeling secure and compliant?
You may still be vulnerable.

October 2008

Letter from the executive office: Tackle your vulnerabilities – get secure and compliant

The top 10 security and privacy issues for 2009 – and what you can do about them

Solve your compliance and security issues with IT service automation – Q&A with Bell security expert Peter Cresswell

Assessment tool: Does your compliance and security program fully protect your enterprise?

Finance sector alert: Are you prepared for the proposed compliance legislation impacting record retention?

Webinar with Forrester analyst Brownlee Thomas: Guidance for your voice evolution planning

A letter from the executive office

Tackle your vulnerabilities – get secure and compliant

Stéphane Boisvert, President, Bell Enterprise

You get a call saying that your network has been breached by intruders, putting the personal information of all of your customers at risk: driver’s licence numbers, credit card numbers, transaction records – all that data is compromised. In the wake of the breach, you also discover that your data collection methods were not compliant. The media gets hold of the story and suddenly your enterprise is in the press. Aside from the potential loss of revenue, the damage to your brand and to your customers’ confidence in your organization could be huge.

This is by no means a far-fetched scenario. We regularly see headlines about organizations that believed they were compliant and secure but learned the hard way what happens when they are not.

In order to protect your information in today’s environment, not only do you need a secure network, you also need to constantly update your security policies and ensure your process development standards are compliant.  The complex nature of today’s infrastructures can make this a challenge, but effective approaches and solutions are emerging.

One such solution involves taking a more strategic approach to service automation and the deployment of virtualization technologies.  An often-overlooked truth is that the overwhelming majority of fundamental security problems are caused by basic systems operations. 

In fact, as noted by Gartner analyst John Pescatore in 2007, when it comes to attacks on information networks:  “65 percent of attacks exploit misconfigured systems... 30 percent exploit known vulnerabilities where there's a patch out... only 5 percent exploit things we didn't know where there was a problem.”

So if you can get your systems configured properly and your patch management up to date, you can eliminate 95 percent of your vulnerabilities.  Bell security expert Peter Cresswell discusses how service automation and virtualization can help you do this in this month’s Expert Q&A.

You’ll also want to read about the Top 10 security and compliance issues for 2009 developed by our top security experts. Also in this issue, as part of our look at securing the information network, we’ve got a comprehensive compliance and security situation assessment tool that will help you get a better picture of the strength of your existing programs.

If you want to know more about how you can make your information network fully compliant and secure, contact us today for an overview or an audit on your environment.

As always, we welcome your feedback on the tools and resources we offer you in Impact and on any other aspect of our services.

Best regards,

Stéphane Boisvert

President, Bell Enterprise


...

The top 10 security and privacy issues for 2009 – and what you can do about them

In the face of an increasingly stringent regulatory environment, security and privacy challenges are on the rise. From the professionalization of cyber crime to the proliferation of wireless devices, sensitive corporate information is becoming more difficult to secure. While internet-borne threats were once simply malicious, they are now being designed for the sole purpose of stealing sensitive business information.

Read on to find out which issues the top security experts at Bell see dominating the IT, security and privacy landscape, dictating policy and budgets in 2009. 

1. Data breaches
The professionalization of cyber crime has put sophisticated data breaches, each costing millions in remedies and shareholder confidence, on track to surpass 2007 occurrences by more than 25 percent. 

What you can do about it: Ensure systems are configured properly, install patches promptly to eliminate vulnerabilities and consider investing in a formal data loss prevention program.

2. The dissolving network perimeter

The increasing corporate use of smartphones and other network perimeter wireless devices, in addition to employees working from home computers, has extended the technology reach of the enterprise, but it has also made it more vulnerable.

What you can do about it: Centrally managed security solutions such as firewalls for wireless and remote devices can help protect sensitive data.

3. Web applications
Most Web applications contain vulnerabilities that are actively exploited using PHP remote file inclusion, cross-site scripting, SQL injection and other techniques.

What you can do about it:  Ensure that applications have had source code penetration tests and sweep Web servers with vulnerability scanners.
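As an added illustration of two of the techniques named above (not part of the newsletter, and not Bell's code), the following Python shows a user lookup and a greeting page written the vulnerable way beside their hardened forms. The in-memory user table and the inputs are constructed for the example; the defence in each case is the same one a source code review would ask for: parameterized queries so input is never parsed as SQL, and HTML escaping so input is never parsed as markup.

```python
import html
import sqlite3


def make_db():
    # Constructed sample table; real applications would hold far more.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "staff")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable: the request parameter is pasted into the SQL text, so a
    # value containing quotes changes the meaning of the query.
    query = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def lookup_hardened(conn, username):
    # Hardened: a parameterized query. The driver binds the value separately
    # from the statement, so it can only ever match a username literally.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def greeting_vulnerable(name):
    # Vulnerable: untrusted input is written straight into the HTML response,
    # so a name containing markup is rendered (reflected cross-site scripting).
    return "<p>Welcome, %s</p>" % name


def greeting_hardened(name):
    # Hardened: escape the value for the HTML context before output, so
    # angle brackets and quotes are shown as text rather than interpreted.
    return "<p>Welcome, %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"          # constructed input that is not a username
    print("vulnerable:", lookup_vulnerable(db, probe))   # returns every row
    print("hardened:  ", lookup_hardened(db, probe))     # returns nothing
    print(greeting_vulnerable("<b>x</b>"))
    print(greeting_hardened("<b>x</b>"))
```

A vulnerability scanner exercises exactly this difference from the outside; the code review the item recommends finds it from the inside by flagging every query built with string formatting and every template that writes request data without escaping.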

4. Encryption for data at rest
Encryption traditionally focused on data in transit because that is when information was more vulnerable. But for organizations with mobile workforces, data at rest also represents a major security vulnerability.

What you can do about it: Implement whole-disk encryption to protect your data at rest.

5. Leakage of data-in-use
There are many ways that sensitive data can go where it’s not supposed to, and many ways of preventing this from happening.

What you can do about it: File-shadowing technology will track files moved to any form of removable media, while an encrypted virtual private network (VPN) can help secure remote access.

6. Security information overload
The number of daily events continues to increase, making security management more and more of a manpower challenge.

What you can do about it: Security information and event management tools (SIEMs) can capture information on data breaches to help you see patterns of malicious behaviour in the data and save time.
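The kind of pattern a SIEM extracts from a flood of events, shown here as an added example rather than anything from the newsletter or a particular product: a small correlation rule over sshd-style authentication records. The log lines are constructed for the example, as is the simplified line format; the rule groups events by source address, looks for five or more failed logins inside a one-minute window, and raises the severity when a successful login from the same source follows the burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified sshd-like format (not real data).
SAMPLE_LOG = """\
2008-10-06T09:00:01 host1 sshd: Failed password for admin from 203.0.113.7
2008-10-06T09:00:03 host1 sshd: Failed password for admin from 203.0.113.7
2008-10-06T09:00:04 host1 sshd: Failed password for root from 203.0.113.7
2008-10-06T09:00:06 host1 sshd: Failed password for admin from 203.0.113.7
2008-10-06T09:00:08 host1 sshd: Failed password for admin from 203.0.113.7
2008-10-06T09:00:15 host1 sshd: Accepted password for admin from 203.0.113.7
2008-10-06T09:05:00 host2 sshd: Failed password for jsmith from 198.51.100.4
2008-10-06T09:30:00 host2 sshd: Accepted password for jsmith from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_events(text):
    """Normalise raw lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per source whose failures within `window` reach
    `threshold`. Severity is 'high' when a success follows the burst."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["outcome"] == "Failed"]
        start, triggered, count = 0, None, 0
        # Sliding window over failure timestamps.
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                triggered = fails[end]["ts"]
                break
        if triggered is None:
            continue
        success_after = any(
            e["outcome"] == "Accepted" and e["ts"] >= triggered for e in evs
        )
        alerts.append({
            "src": src,
            "failures": count,
            "first_seen": fails[start]["ts"].isoformat(),
            "severity": "high" if success_after else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

The value of the tool is the grouping and the time window: a single failed login is noise, five from one address in a minute followed by a success is a pattern worth an analyst's attention, and the rule produces one alert rather than six lines to read.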

7. More sophisticated malware
While the majority of botnets, Trojan horses, worms and other Internet-borne irritants were once simply malicious, hobbyist creations, target-specific malware is increasingly designed to steal sensitive business information.

What you can do about it:  The most recent generation of endpoint protection platforms aggregate malware data from all platform customers.

8. Information access awareness
Organizations have many levels of access to applications and sensitive corporate information. Knowing who has access can be a challenge, especially with IT-savvy users.  Understanding who is requesting access to your applications and resources is one of the most critical determining security factors in today’s IT infrastructures.

What you can do about it:  Make sure that security policy is set on all systems and applications and invest in identity and access management software.

9. Wireless vulnerabilities
Wi-Fi Protected Access 2 may be a good base level of protection, but it only goes so far. To guarantee security when it’s most needed, the trend for data in motion is towards encrypted tunnels.

What you can do about it:  Build encrypted tunnels for non-secure applications while leveraging existing authentication and authorization methods.

10. Virtualization security issues
Server virtualization consolidates applications and operating systems and accelerates provisioning. But attacks on a hypervisor could theoretically infect virtual machines on the same host.

What you can do about it: Partition virtual machines in resource clusters while building an automated patch management strategy for virtual machines.

Faced with so many threats and a mountain of policies, how can administrators and users recognize risk and know what to do? 

Education is key

Informing employees of the real threats facing enterprise IT and encouraging safe behaviour go a long way towards keeping sensitive information where it belongs. Administrators also make better decisions when they understand the interaction between IT, security, privacy and the increasingly regulated environment with which enterprises are coming to terms.

Review your plans and processes and get help where you need it

Bell’s expert security solutions teams can help guide the way. We can help you develop governance standards and policies and implement practices and solutions that will help you: 

  1. Efficiently demonstrate compliance
  2. Identify and authorize access
  3. Secure information
  4. Prevent data leaks, and
  5. Raise the awareness level of your entire organization.

To get started, contact your Bell representative, or click here to have a Bell representative contact you.


...

Solve your compliance and security issues with IT service automation – Q&A with Bell security expert Peter Cresswell

Peter Cresswell

Impact caught up with Peter Cresswell, National Practice Manager – Virtualization, Bell, to talk about achieving security and compliance goals through the strategic use of IT service automation and the deployment of virtualization technologies. Find out what to anticipate and how you can gain from the deployment of automation, provisioning and virtualization tools in your organizations.

Impact: Hello Peter, and thanks for joining us. Let’s begin by defining these terms. When we talk about strategic IT service automation and virtualization, what do we mean?

Peter: Virtualization is a broad term that refers to the decoupling of components of the IT architecture in order to allow them to be more flexibly assembled to solve business problems. Provisioning tools allow these virtualized components to be deployed dynamically in the IT environment. The management and change control functions of these components are strategically automated through processes such as runbook automation and change control management, thereby increasing reliability and governance control of the process. 

Impact: How does taking a strategic approach to service automation reduce vulnerability from a risk management perspective?

Peter: In a completely virtualized environment you can quickly put hardware and software components together in different ways.

The reuse of standardized components means that a key component need only be patched and configured once (or very few times) in one place – not every time you need to put resources together. Couple this with the automation of rote tasks and you have less room for error.  Monitor these processes with tools that are now available, and you have an ability to automate a significant amount of your organization’s compliance and reporting requirements.

Impact: How specifically does strategic automation help with compliance?

Peter: Tools in the operations marketplace today are increasingly focused on provisioning: how reusable components are deployed in an operations environment. As examples, runbook automation and automated change control tools allow an organization to definitively track the promotion of standardized components to production, noting the critical details of changes made, including location, time and author. This makes anomaly detection and root cause analysis much more automated. Additionally, compliance can more easily be demonstrated through reports from these automated systems.

Impact: Is it true that two thirds of the problem when it comes to security is maintenance and patch related?

Peter: It’s closer to 95 percent. A truth that’s too often forgotten is that the fundamental problems are still brought on by basic systems operations.  In 2007 Gartner analyst John Pescatore noted that “65 percent of attacks exploit misconfigured systems... 30 percent exploit known vulnerabilities where there's a patch out... only 5 percent exploit things we didn't know where there was a problem.” So if your systems are configured properly and patch management is up to date, you’re most of the way there.

Impact: So virtualization and strategic service automation reduce risk because individual components are properly configured at the outset and core processes are automated. But does the new system entail a rethinking of IT infrastructure?

Peter: Security and operations teams are looking at how traditional tools and techniques can be adapted to the newly virtualized and automated environment. However, the real opportunity is for security teams to take an application and information-centric approach to developing security controls instead. It demands a different way of thinking about IT security.

Impact: What are the security implications of a virtualized environment?

Peter: Virtualization adds its own particular challenges to the traditional security landscape.  The picture is no longer static – it is possible to have critical systems and applications appearing anywhere in a virtual pool.  In addition, significant portions of the architecture are themselves virtualized – each physical system can represent several systems and the network that connects them. Finally, both systems and applications are represented as files stored on disk – applications and servers which may not be running at a given particular time, yet all need to be tracked, patched and audited.

Impact: How is this done?

Peter: This is precisely why automated IT service infrastructures are so important. There are a multitude of service and change events across these architectures, all of which should be tracked and documented.  Sustaining operations, not to mention compliance, requires an unprecedented degree of automation – an IT team will never keep up.  From a security perspective, an unmanaged virtual environment would cost a fortune to re-document to support an audit scenario.

Impact: What are the benefits of automating the service infrastructure of IT departments?

Peter: There are three benefits – availability, security and compliance:

  1. Availability, in that once deployed, each of the components of the virtual architecture is rigorously tracked to avoid conflicts with other components and prevent unauthorized change. The result: no self-inflicted downtime.
  2. Security, in that the environment is locked down to enable only complying components, and unauthorized change is quickly identified and reversed. 
  3. Compliance, because documenting components and run-processes makes it more straightforward to demonstrate integrity and process verification for governance requirement purposes.

Impact: Can you give us an example of strategic automation from the front line?

Peter: We have customers from many different industries solving issues and creating efficiencies with strategic automation.  We have had clients adopting various components of the automated IT service suite to assist in achieving payment card industry (PCI) compliance.  We’ve seen customers using these techniques to enforce point-of-sale (POS) security and to achieve ITIL standards in their datacenters.

As we move toward virtualization and cloud service solutions, automation of these processes will become even more compelling.  Security can benefit – I highly recommend that IT administrators get involved in the selection and deployment of these tools.  They will make your life simpler.

About Peter Cresswell
Peter Cresswell is an Associate Director for Innovation Solutions in Security and Systems and Storage at Bell.  Peter has been part of the Bell teams that have been building automation solutions for clients for more than 10 years.  He speaks regularly on IT, security and virtualization topics.


...

Assessment tool: Does your compliance and security program fully protect your enterprise?

How well is your security and compliance program protecting your enterprise? The constantly changing requirements of the security and compliance landscape can make enterprises vulnerable from a risk management perspective. Answering the questions in this tool will help you assess your current situation.

Download now (email address required)


...

Finance sector alert: Are you prepared for the proposed compliance legislation impacting record retention?

Next year, tough new electronic records storage and retrieval rules are expected to be in place requiring Canadian financial services firms to store records for up to seven years.

National Instrument 31-103: what is it and how will it affect you?

The Canadian Securities Administrators (CSA), a forum of provincial securities regulators, has proposed new regulatory rules under National Instrument 31-103.  The proposed legislation – expected to be effective in 2009 – will mandate financial services firms to store their records, including emails, up to seven years in a durable form that can be “promptly” provided to regulators.  Non-compliance may result in financial fines and/or criminal indictments.

What other compliance rules exist?

In addition to the proposed legislation, other regulations exist that require strict electronic records retention practices across commercial enterprises and publicly-traded companies, including: 

  • Sarbanes-Oxley (SOX) Act
  • Ontario Bill 198, and the
  • U.S. Securities and Exchange Commission (SEC)

How can you prepare?

Bell is uniquely positioned to help clients with their record retention and archiving needs.

The Data Archiving Storage Utility (DASU) from Bell is a managed service that provides online, secured, regulatory compliant and future-proof archival storage in a utility model. Complementing the DASU service, Professional Services from Bell offer archiving consulting and integration services.

To learn more, please contact your Bell representative, or click here to have a Bell representative contact you.


...

Webinar with Forrester analyst Brownlee Thomas:  Guidance for your voice evolution planning

Looking to evolve your voice communications and finding the service and technology options bewildering? 

Forrester Research studies show that large organizations are increasingly migrating to VoIP and unified communications (UC).  But a successful implementation depends on understanding the appropriate direction, timing, and use of existing resources.

Join this Webinar to learn:

  • Key trends in voice communications adoption from Forrester Research
  • Why you should consider VoIP and UC in your planning
  • How to develop your business communications roadmap
  • How some organizations have been making the move towards UC

Register today, and you’ll come away with a better understanding of where your organization stands on the path to UC – and insights to help guide your planning.

Date:  October 28, 2008
Time:  10-10:45 a.m. EST
