
MAY 2012 Volume 14 No.

INFORMATION SECURITY

VMware is revamping its security partner program after hitting some bumps

Four Keys to DLP Success

REGAIN CONTROL
Mobile device management can help you get a grip on the BYOD trend and reduce risks.

FROM OUR SPONSORS
INFORMATION SECURITY | MAY 2012

Contents: Editor's Desk | Perspectives | Scan | Careers | Mobile Security: BYOD: Taming the Tide | Virtualization Security: Take Two | Strategy: Four Keys to DLP Success

EDITOR'S DESK
Forgotten Fundamentals
Verizon data breach report illustrates need for organizations to get back to basics. BY MARCIA SAVAGE

IN THE INFORMATION security industry, we're always hearing about cybercriminals becoming more sophisticated, developing increasingly insidious ways to break into corporate networks. And of course, there's always a new product out there that will solve the latest threat.
While there's no doubt criminals are developing some pretty sneaky attack techniques, especially against certain organizations like defense contractors, it turns out that the majority of cyberattacks are far from sophisticated. According to the 2012 Verizon Data Breach Investigations Report, 96 percent of all attacks weren't tremendously difficult, and 79 percent of victims were targets of opportunity.
So despite all the hand wringing over emerging threats, what happened most often was the old-style crime of opportunity: Criminals seized on easily exploitable vulnerabilities to victimize organizations rather than specifically targeting a company.
While it was too early in April to say how attackers were able to break into Global Payments' servers, the March 30 breach involving Utah Department of Health records underscores the Verizon finding. According to an Associated Press report, criminals were able to steal personal data of 780,000 people because a technician installed a weak password on a server. Nothing tricky there; the East European hackers suspected in the attack simply found the low-hanging fruit, and now thousands of people have to worry about identity theft. So much for HIPAA improving health care data security.
Why is this kind of lax security happening? Password security is fundamental.
Are organizations getting so sidetracked defending themselves against the sophisticated threats that they're forgetting computer security basics? Are they getting so sucked into the latest and greatest products that they're overlooking the basics? Or is it a case of organizations simply not making data security a priority?
The Verizon DBIR explains that small and midsize businesses are most often the targets of opportunity, as criminals exploit vulnerabilities with large-scale automated attacks. Point-of-sale (POS) or remote administration systems that lack firewalls or use default or simple passwords are favorite targets for attackers, according to the report. SMBs often don't have the resources for major security, but a strong password isn't rocket science.
The DBIR doesn't let big companies off the hook, though. "So what about larger organizations? Surely, they're a lot more difficult to infiltrate, right?" Verizon writes. "Sadly, our data seems to suggest otherwise; it does not appear that cybercriminals have to work much harder to compromise larger organizations than they do for smaller ones."
Big companies are often falling down in the areas of log monitoring and adherence to standards like the PCI DSS, according to the DBIR. Once inside an organization, criminals pull out the more sophisticated stuff.
So large or small, it seems we've taken our eye off of computer security basics. As Verizon notes, the most effective and efficient approach to preventing attacks is almost always to stop assailants before they get in the door. Most opportunistic criminals, it adds, will not expend their resources on a hardened target while a softer one of similar perceived value is available.
It's easy to get caught up in the latest intrigue on the threat horizon and cutting-edge technology. But while it's important to keep an eye on evolving threats, we can't lose sight of fundamental best practices.
MARCIA SAVAGE is editor of Information Security magazine. Send comments on this column to feedback@infosecuritymag.com.
PERSPECTIVES
Security Education vs. Training
Understand the difference and plan appropriately to meet your goals. BY RON WOERNER

AS YOU LOOK to improve yourself as a cybersecurity professional, you often need help from an outside source to increase your knowledge. Security is a broad topic encompassing many disciplines, and cybersecurity is no different. There are technical, procedural, and managerial aspects to be considered to grow your knowledge of cybersecurity; you need to be proactive or you could be left behind. Plus, there are often many different ways to solve the same security problem. Knowing what to do and how to do it requires both knowledge and experience, but how do you gain this expertise?
The answer is cybersecurity training and education, but which is more important? Where should you focus your limited time? Some consider security training and education to be the same thing, but there is a difference between the two. Consider them two sides of the same coin. Both training and education play a part in overcoming knowledge gaps. You need to be aware of your needs, wants, and goals before proceeding. This includes knowing where you want to go with your career and then mapping out a path to get there.
Cybersecurity education provides a more general background on the fundamental philosophies and concepts behind cybersecurity. Education allows you to understand the context for security tools, techniques, and technologies. With security education, you understand why it's important to have particular protection methodologies in place. Focused at the strategic level of thinking, it's not a one-week course that leads to a certification. Cybersecurity education emphasizes principles of risk management and how security fits into
an organizational culture and structure. Acquired through both formal studies and experience, it is a long-term endeavor that can take many months, if not years, to acquire. Finally, education teaches critical thinking and allows the student to learn how to learn, which is crucial for new subjects or technologies.
In contrast, cybersecurity training is more specific to a technology, procedure, or skill; it's tactical or operational, rather than strategic. Training emphasizes the building of explicit skills and applying what you know to a particular situation. It's directed toward a topic, which can be used to solve defined problems. When you attend cybersecurity training, you are learning about a specific technology or practice that can meet an immediate need. Lastly, training is short term and can often be accomplished in days or weeks.
There's also awareness, which is neither education nor training. We want our users to have awareness of security issues and solutions. Awareness is not teaching a skill or technology, but rather seeks to increase high-level knowledge or consciousness of an issue. This should be viewed as both long-term education and short-term training. It's a continual process that often requires repetition for the material to sink in.
I'm not trying to sway your thoughts as to whether education or training is better, because both are important for expanding your cybersecurity knowledge and abilities. You need to decide for yourself the method you want to take in order to meet your career goals. What's important is that you keep growing and increasing your knowledge: Don't stop learning!
RON WOERNER is a cybersecurity professor at Bellevue University and security analyst at a large architecture and engineering firm in the Midwest. Send comments on this column to feedback@infosecuritymag.com.
SCAN: SECURITY COMMENTARY, ANALYSIS AND NEWS

Solving the BYOD Problem
Start with a formal mobile security policy, experts say. BY ROBERT WESTERVELT
IT SECURITY PROS mulling over an investment in a new mobile device management (MDM) system in order to reduce BYOD risks should first conduct a thorough review of their mobile device security policies to get a better understanding of how they plan to use the MDM technology.
That was the message from a variety of security experts at InfoSec World Conference and Expo 2012 held in April. Far too many enterprises are selecting and implementing MDM technology and then failing to understand how to use its capabilities to the fullest, says Diana Kelley, founder and principal analyst at consulting firm Security Curve.
"Once they get it deployed, they quickly realize they don't know how to manage the tool and they're not using it effectively," Kelley says.
In fact, a variety of businesses can use security features already native to most Google Android and Apple iOS devices, Kelley says. Both mobile platforms provide remote lock and wipe capabilities as well as support for password management for mitigating BYOD risks. Although its capabilities are limited, Microsoft's Exchange ActiveSync (EAS) provides some mobile device management and policy control. It works for organizations that limit corporate data on devices to email, contacts, calendar, tasks and notes.
"It's about managing the corporate assets on the device, not necessarily the device itself," said Lisa Phifer, owner of Core Competence, a consulting firm.
The problem is organizations aren't doing a good job at creating a formal set of security policies for mobile devices, and those that do are not effectively communicating them to employees, says Darrin Reynolds, vice president of
information security at New York City-based marketing and communications firm Diversified Agency Services, a division of the Omnicom Group. Reynolds says his firm was a bit late to the game with its policies; the security-aware culture around corporate data had been fostered so much over the years that employees were the first to ask about a security policy around mobile devices.
"Thinking about security is something that has been evolving over time among the user base," Reynolds said. "That aspect is top of mind for anything they do now."
The company's formal policy states that employees can buy any smartphone they want, but those devices must support a PIN/passcode, remote auto-lockout, encryption and remote wipe capabilities. Reynolds says having the formal policy in place has helped the company realize that it can enforce its guidelines without the need of an MDM platform. The company uses a combination of BlackBerry Enterprise Server (BES) for BlackBerrys and Microsoft EAS to enforce its restrictions on other types of devices.
"BYOD allows us from a corporate standpoint to save money on the devices we were purchasing by allowing users to purchase them themselves," Reynolds says. "From our standpoint, it didn't make sense to then take that savings and buy an MDM platform."
If a business need requires more sensitive data on corporate devices, Reynolds says his team would consider MDM software in the future. MDM can help manage additional security capabilities by isolating corporate data and enforcing more restrictive policies, he says.
"If you can limit that exposure to corporate data into a vault or a sandbox, then the user knows a remote wipe will not hit their personal data; it's a real feel-good feature for the employee," Reynolds says. "That's why for now we see MDM as providing more capabilities in managing the mobile environment and not really to be a cost-savings piece."
ROBERT WESTERVELT is the news director of the Security Media Group. Send comments on this article to feedback@infosecuritymag.com.
CAREERS

Why Information Security Positions Go Unfilled
Be aware of potential roadblocks and adjust your recruiting process accordingly. BY LEE KUSHNER
WHILE THE NATIONAL unemployment rate has held steady between eight and nine percent, information security professionals have been enjoying newfound prosperity. Until recently, the information security function primarily held importance to industries whose success and market perception were tied directly to their customers' trust, like financial services, and the federal government. Today, though, a unique combination of technological innovation, increased regulatory scrutiny, external threats, and social activism is forcing a shift. Corporations in industries that have traditionally ignored information security are realizing that the development of a competent information security function is a worthwhile and necessary investment.
When companies recognize they are going to make this type of organizational commitment, their first order of business is to find competent information security talent to bridge their talent gap. However, finding and attracting competent information security professionals to a new position is a lot more difficult than it appears. Companies quickly learn that the same strategies and processes they apply to filling more generic business and technology roles do not necessarily translate to the recruitment of information security professionals. It's important for organizations and information security leaders to understand why information security positions go unfilled, so they can make the proper adjustments to attract and hire talent in a reasonable time frame. Here are three potential information security staffing roadblocks:
1. GEOGRAPHY
A major impediment to filling information security positions is geography. In many cases, the talent and skills alone would be difficult to find; however, the need for an employee to be based in a certain location significantly reduces the depth of the candidate pool. In the past, companies were much more amenable to relocating candidates to fill positions, but economic events and the housing bubble have greatly reduced both the ability of people to relocate and the willingness of companies to subsidize these costs. In general, companies' relocation packages have become less encompassing, saddling the candidate with additional expenses if he or she decides to accept an opportunity. In some cases, the candidate simply cannot afford to accept the position, even though it aligns with his or her career plan and professional development.
2. COMPENSATION
The next major roadblock in the recruitment process is in the area of compensation. When corporations are determining compensation, they traditionally consult specialized market research firms. This compensation information generally equates to what a candidate with the skills already in the position should be paid. While this should serve as a good baseline, it doesn't take into consideration the recruitment premium an information security professional currently performing a similar role at a similar organization would need in order to leave the comfort of his or her existing environment.
For example, if a senior information security architect is earning X in his or her current role, the market data may be correct and instruct you to price the position at X. However, in order to be successful in attracting that person to your team, you will need to price that position at X plus 10 to 20 percent. In addition, many compensation packages neglect to address existing financial and non-financial benefits associated with tenure at a current employer. Information security professionals can place greater value on vacation time, flexible work hours, and telecommuting, and may be unwilling to relinquish these benefits. Corporate human resource policies may not allow you the flexibility to provide alternatives for these privileges.
An additional compensation-based reason information security positions go unfilled is internal equity: the belief that any new employee's compensation cannot be significantly more than that of his or her functional or organizational
peers. It is the information security leader's responsibility both to address this within their teams and to educate their human resources staff about the uniqueness of the skill combinations they are attempting to recruit.
Before any major recruitment initiative, information security leaders must partner with human resources and perform a market-based assessment of the skills and functions already performed by current information security team members. The question they should ask is, "If I had to replace that person, what would I have to pay them?" In addition, information security leaders should be aware of the value of their employees' skills in the marketplace, and be proactive in their approach to aligning their compensation with both their internal contributions and external value.
It's also commonplace for human resources teams to align information security compensation with other technical functions like network engineers, systems administrators, or software developers. Consequently, information security leadership needs to sit down with human resource team members and articulate to them why the skill combinations associated with the roles they are attempting to fill are more complex and scarce than these technical functions. The information security leader should have a great deal of incentive to win this argument, because if the compensation packages are insufficient, positions will remain open for a long period of time or will be filled with substandard talent.
3. FAILURE TO THINK LIKE A JOB CANDIDATE
While geography and compensation issues contribute to unsuccessful recruitment processes, the primary reason positions go unfilled is the failure of information security leaders to think like the candidate they are attempting to attract. All information security leaders at one time had to interview for a job. It can be assumed that when they contemplated their last job change, they created a list of criteria that became key factors in their decision-making process. Some of these factors will include the commitment of the organization, the
level of responsibility associated with the role, the career path for the position, professional development opportunities, title, and compensation. In summary, most likely they changed positions because the new opportunity represented increased opportunity and personal satisfaction. Oftentimes, information security leaders forget their own motivations, and ignore the fact that their applicant pool is driven by similar forces.
One of the biggest mistakes is hiring managers focusing only on their organizational need, as opposed to taking into consideration what the applicant wants. When information security leaders begin designing their job descriptions, it's essential they understand the appeal of the opportunity and what types of candidates it will attract. When they conduct their interview process, they should take into consideration the candidate's point of view, and determine if the position and the environment can serve as the framework for the candidate to accomplish his or her professional goals. By viewing the position from the candidate's perspective, information security leaders will find themselves prepared to communicate the merits of the position during a recruitment process.
One of the best ways to evaluate leadership is by the caliber of the people with whom they surround themselves. Attracting top information security talent to your team can be both time consuming and frustrating. Building an effective recruitment strategy, addressing potential obstacles, building organizational partnerships and understanding the motivations of your future employees are key ingredients to efficiently filling your information security openings.
LEE KUSHNER is the president of LJ Kushner and Associates, an information security recruitment firm, and co-founder of InfoSecLeaders.com, an information security career content website. Send comments on this column to feedback@infosecuritymag.com.
COVER STORY: MOBILE SECURITY

BYOD: TAMING THE TIDE
Mobile device management technology can help control the onslaught of employee-owned devices in the enterprise. By Lisa Phifer

MULTI-PLATFORM mobile device management systems are gaining a foothold in enterprises anxious to meet the needs of today's expanding mobile workforce. While no silver bullet, MDM technology can give IT centralized, scalable visibility and control over the unruly bring-your-own-device (BYOD) trend.
In a recent study by Ponemon Institute, most organizations agreed that mobile devices created business risk but were important to achieving business objectives. However, just 39 percent had deployed the security controls needed to address that risk; fewer than half of those could enforce mobile security policies. Unfortunately, this lax governance has already resulted in non-compliance
and data breaches. In Ponemon's survey, 59 percent said employees disengaged fundamental measures such as passwords; another 12 percent were unsure. It should therefore come as no surprise that half of those organizations had experienced mobile data loss during the past year.
Given the rash of employee-owned smartphones and tablets now finding their way into the workplace, IT simply must find a way to manage mobile application and system access while keeping corporate data secure. Fortunately, a new crop of multi-platform MDM products and services stands ready to help IT achieve these objectives and mitigate BYOD risks. However, organizations need to understand the benefits, nuances and limitations of this emerging technology before taking the plunge.
THE RISE OF MULTI-PLATFORM MDM
Mobile device management systems are not a recent phenomenon. Enterprises have long managed company-issued BlackBerries and Windows Mobile devices via BlackBerry Enterprise Server (BES) and Microsoft Exchange ActiveSync (EAS). But yesterday's narrowly focused MDMs could not handle the consumer smartphones and tablets that flooded the workplace following Apple's iPhone release in 2007. As handset procurement rapidly shifted from employer to employee, driven by budget cuts and workforce demands, IT groups were left scrambling for more extensible tools.
Initially, IT had little choice but to reduce iPhone risk by applying EAS policies to prevent corporate email access by phones without a passcode and to remotely wipe those that were lost. But these basic measures fell short of governance needs. Certainly, they did not satisfy compliance mandates to encrypt data at rest, nor could they deliver proof of continuous enforcement or meet access tracking and audit requirements. Although EAS support in newer devices continues to expand, this messaging-centric approach is plagued by inconsistency and cannot meet broader mobility management requirements.
By early 2010, iPhones had been joined by iPads and Androids, fueling growth of the multi-platform MDM market. Niche multi-platform MDMs previously
used by cellular companies and highly mobile verticals such as retail quickly expanded to embrace iOS 4, followed by Android 2.2. Today, multi-platform MDMs are viable alternatives to BES or EAS, giving enterprises a single pane of glass through which to monitor and manage an increasingly diverse array of corporate and bring-your-own phones and tablets.
MDM BREADTH AND DEPTH
Unlike BES, which uses a proprietary approach to manage only RIM devices running the BlackBerry OS, multi-platform MDMs are third-party products that use open APIs to tap the native management interfaces and capabilities offered by many different devices. Today, it is common for MDMs to manage Apple devices running iOS 4+, Samsung/Motorola/HTC/LG devices running Android 2.2+, and an array of handheld and embedded devices running Windows CE and Windows Mobile. Limited MDM support can also be found for Windows Phone and webOS devices. However, the degree of monitoring and control delivered for each managed device varies by make/model and OS version.
For example, MDMs can usually enforce device-level access controls on iOS and Android devices. On iOS, IT may require alphanumeric passcodes with a minimum length and special characters, and limit passcode age, reuse, idle time, or failed entry attempts. On Android 3+, IT can enforce all of this, plus require minimum counts of uppercase letters, lowercase letters, digits, and symbols. Every MDM that supports iOS and Android exhibits this difference because it reflects native OS capabilities. However, the extent to which each MDM tries to hide such differences under unified consoles with a consistent look and feel varies widely.
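The platform difference just described, as an added example in Python (not code from the article or from any MDM product): a passcode policy an operator requests is split into the settings a given device can enforce natively and the settings the console would have to report as unenforced, using the knobs the article attributes to iOS 4+ and Android 3+. The field names, the sample policy, and the conservative treatment of any other platform or version as having no natively enforceable passcode policy are assumptions for illustration.

```python
"""Passcode policy vs. native OS capability (added example, not vendor code)."""
from dataclasses import dataclass, fields
from typing import Optional
import re


@dataclass
class PasscodePolicy:
    """Requirements IT wants to push. None/False means 'not required'."""
    min_length: Optional[int] = None
    alphanumeric: bool = False            # at least one letter and one digit
    min_special: Optional[int] = None     # non-alphanumeric characters
    max_age_days: Optional[int] = None
    history: Optional[int] = None         # old passcodes remembered to block reuse
    max_idle_minutes: Optional[int] = None
    max_failed_attempts: Optional[int] = None
    # Composition counts the article attributes to Android 3+ only
    min_upper: Optional[int] = None
    min_lower: Optional[int] = None
    min_digits: Optional[int] = None
    min_symbols: Optional[int] = None


COMMON_KNOBS = {"min_length", "alphanumeric", "min_special", "max_age_days",
                "history", "max_idle_minutes", "max_failed_attempts"}
ANDROID3_KNOBS = {"min_upper", "min_lower", "min_digits", "min_symbols"}


def _major(os_version: str) -> int:
    return int(os_version.split(".")[0])


def native_knobs(platform: str, os_version: str) -> set:
    """Policy fields the OS itself can enforce for this platform/version.
    Only the two cases the article describes are modelled; anything else is
    treated (assumption) as having no natively enforceable passcode policy."""
    if platform == "ios" and _major(os_version) >= 4:
        return set(COMMON_KNOBS)
    if platform == "android" and _major(os_version) >= 3:
        return COMMON_KNOBS | ANDROID3_KNOBS
    return set()


def split_policy(policy: PasscodePolicy, platform: str, os_version: str):
    """Return (enforceable, gaps): requested settings the device enforces
    natively, and those the MDM must flag as unenforced on this device."""
    knobs = native_knobs(platform, os_version)
    enforceable, gaps = {}, {}
    for f in fields(policy):
        value = getattr(policy, f.name)
        if value is None or value is False:
            continue
        (enforceable if f.name in knobs else gaps)[f.name] = value
    return enforceable, gaps


def passcode_meets(policy: PasscodePolicy, passcode: str) -> bool:
    """Check a candidate passcode against the composition parts of the policy.
    Age, history, idle time and failed attempts are runtime state, not
    properties of the string, so they are not checked here."""
    p = policy
    specials = re.findall(r"[^A-Za-z0-9]", passcode)
    checks = [
        p.min_length is None or len(passcode) >= p.min_length,
        not p.alphanumeric or bool(re.search(r"[A-Za-z]", passcode) and re.search(r"\d", passcode)),
        p.min_special is None or len(specials) >= p.min_special,
        p.min_upper is None or sum(c.isupper() for c in passcode) >= p.min_upper,
        p.min_lower is None or sum(c.islower() for c in passcode) >= p.min_lower,
        p.min_digits is None or sum(c.isdigit() for c in passcode) >= p.min_digits,
        p.min_symbols is None or len(specials) >= p.min_symbols,
    ]
    return all(checks)


# Constructed sample policy: what a console operator might request for BYOD.
SAMPLE_POLICY = PasscodePolicy(min_length=8, alphanumeric=True, min_special=1,
                               max_age_days=90, history=5, max_idle_minutes=5,
                               max_failed_attempts=10, min_upper=1, min_digits=2)

if __name__ == "__main__":
    for platform, ver in (("ios", "5.1"), ("android", "4.0.3"), ("android", "2.3.6")):
        ok, gaps = split_policy(SAMPLE_POLICY, platform, ver)
        print(f"{platform} {ver}: enforces {sorted(ok)}; cannot enforce {sorted(gaps)}")
    print(passcode_meets(SAMPLE_POLICY, "Secur1ty!2"), passcode_meets(SAMPLE_POLICY, "password"))
```

The point of `split_policy` is the gap dictionary: a unified console can show one policy form, but whatever lands in `gaps` for a device is not being enforced there, and an audit report that hides that is misleading.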
In other cases, mobile device management systems can do little to mask underlying diversity. For example, IT can use any MDM on the market to request a full-device wipe. Because all current Apple iPhones and iPads support full-device encryption, a remote wipe easily renders data inaccessible. However, wiping most Android phones simply resets them to factory defaults, leaving cleartext behind on removable storage. MDMs cannot eliminate this native shortcoming; doing so falls to device manufacturers. But MDMs can provide tools to centrally invoke remote wipe, confirm a requested wipe has been completed, report on all wiped devices (including ownership and last known location), and clearly describe the consequences for each wiped device.
This is where MDM depth comes into play. Some MDMs stick to managing
hardware, software and policies. Other MDMs pile on value-added security measures. For example, some MDMs create their own authenticated, encrypted data containers on managed devices. Any enterprise data stored in those containers can be reliably wiped, even on phones and tablets that do not support native full-device encryption. Moreover, this approach lets IT wipe data consistently across all MDM-supported platforms. However, MDMs that include these value-adds tend to have more device-specific dependencies and limitations than MDMs that focus on management.
LIFECYCLE MANAGEMENT
Enterprises flocking to multi-platform MDM technology to gain IT visibility and control over personally owned devices may find it hard to directly compare products. Heritage plays a role: Some MDMs historically focused on mobile expense management, others started with mobile application management and still others specialized in mobile security. Yet most of these MDMs deliver foundational capabilities such as inventory and policy management that cause them to appear superficially similar. Drilling beyond functional comparison can also reveal significant differences in automation, usability, scalability and integration.
One way to reduce confusion is to preface MDM product selection with an inventory of business mobility needs and use cases. When IDC surveyed businesses about their ability to support consumer devices in the workplace, four out of five respondents identified policy compliance and data security/access as top concerns. However, nearly the same percentage cited ensuring IT support and resource availability, readying mobile applications and setting employees up with multiple devices as major issues. In other words, choosing an MDM based on its ability to meet security needs alone may be shortsighted.
Instead, begin with lifecycle management. Even if the employer does not own an employee's mobile device, it owns the business data and applications stored on that device. Start by establishing a process for tracking and managing those assets through each device's lifetime. Doing so creates an essential foundation for not just security management, but expense tracking, user assistance, application and data deployment and more.
MDMs can enable lifecycle management by automating device enrollment, monitoring and de-enrollment, independent of ownership. Most MDMs
support IT-initiated enrollment; some also offer user-initiated enrollment. Either way, users follow links to a self-help enrollment portal where they are prompted to enter credentials. Behind the scenes, the MDM typically authenticates the user and compares user and device to IT-defined policies. If this user is permitted to enroll this device, based on make/model, OS, ownership and group membership, access may be authorized. MDMs may display an acceptable use policy and issue a device certificate before continuing on to provision the device over-the-air, applying device settings, security policies and applications.

By automating enrollment, IT can deliver scalable support for many personally owned devices while placing well-defined limits on acceptable use. Devices that pass muster can be outfitted for safe, productive business use, leaving IT well-positioned to continually monitor activity and enforce security policy compliance. If an enrolled device should be lost or stolen or become non-compliant, IT can use MDM to remotely find, lock or wipe it.

In addition, MDM may be used to invoke temporary stop-loss actions such as removing settings that permit corporate email, VPN or application access. Eventually, when the employee leaves the company or the device is replaced, MDM can easily de-enroll it while wiping corporate assets. Many MDMs can now differentiate between full-device and enterprise wipe, letting IT decommission an employee's device without harming personal data.
MITIGATING BYOD RISKS
With MDM in place to shepherd every corporate and personal smartphone and tablet used for business, IT can deploy, audit and enforce appropriate security controls.

Typically, IT can use MDM to remotely configure native device settings to reflect security policies, including: requiring a PIN or password; enabling auto-lock and auto-wipe features; encrypting data at rest on the device, removable media or in the cloud; protecting data-in-motion over email, VPN or Wi-Fi; and selectively disabling hardware and OS features such as integrated cameras. When properly configured, these native settings deliver most (but not all) mobile security best practices for personal smartphones and tablets.

As previously noted, supported policies do vary by device make/model and OS. However, mobile device management systems generally try to maximize
IT access to native settings. For example, any MDM that supports iOS device management lets IT set every Apple-supported Configuration Profile attribute. MDM-configured controls for Android are more varied because the devices themselves are more diverse. Notably, manufacturers such as Samsung and Motorola have extended native APIs with proprietary attributes to give IT greater visibility, control and flexibility.

Ultimately, mobile security management requires careful analysis of native device and OS features needed to implement policies and confirmation that any MDM under consideration can deliver visibility and control over those features. Where native capabilities are insufficient, MDMs can also help by deploying, configuring and enforcing third-party security measures.

For example, health care organizations often use MDM to centrally deploy two-factor authentication, VPN clients and virtual desktop applications. Enterprises concerned about mobile malware can use MDM to push sandboxed browsers and antimalware. To an MDM, these are simply applications that must be installed and maintained. For this reason, organizations focused on MDM to enable security should also evaluate each product's application management capabilities.

ENFORCING COMPLIANCE
For small mobile workforces, IT could enroll devices one by one, manually installing required security and business applications, but that does not scale, nor does it enable continuous monitoring and enforcement. This is where MDM technology can yield return on investment through logging, auditing and compliance enforcement.

Mobile device management systems can capitalize on their over-the-air access to enrolled smartphones and tablets. Even if devices never return to the office, MDMs can poll them to verify settings and detect events such as PIN disablement or blacklisted application installation. Some mobile devices and settings can be monitored from afar using nothing more than native APIs, notably Apple iPads and iPhones. Deeper-than-EAS (Exchange ActiveSync) insight on other devices (e.g., Android, Windows Mobile) usually requires installing a device-resident MDM agent.

Today, MDM vendors publish their agents at the Google Android Market or the Apple AppStore where users can freely download them. Upon installation,
agents connect to a corporate MDM server that may be installed on-premises, hosted by a managed service provider, or operated as a cloud service. Thereafter, MDM agents can serve as IT's eyes and ears, logging activities, reporting on events, and carrying out MDM requests that go beyond native capabilities.

For example, it has become common for MDM agents to offer jailbreak or root detection. Jailbreaking or rooting pose business risks because they render the underlying OS unreliable and raise concerns about device integrity. Jailbroken Apple devices are vulnerable to mobile malware downloaded from non-Apple websites. Rooted Android devices are even more vulnerable because applications can access normally privileged features.

By immediately detecting such activity, MDM agents can notify administrators and users. IT can even install enforcement policies that automatically take actions such as disabling email or VPN access, removing enterprise applications or even wiping an offending device. Although available actions are limited by the mobile OS, they can still go a long way towards reducing business risk and encouraging voluntary compliance.
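The enrollment checks and the compliance-polling loop described above, modelled as a small policy engine. This is an added example, not code from the article or from any MDM vendor; the device attributes, policy values, user names, app identifiers and action names are constructed for illustration, and real MDM agents and OS APIs expose different fields.

```python
# Toy MDM policy engine, added as an illustration; it is not any vendor's MDM
# code. It models the enrollment check and the compliance-polling/enforcement
# loop the article describes. All policy values and devices are constructed.
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Device:
    device_id: str
    user: str
    groups: set[str]
    platform: str                  # "ios" or "android" in the samples below
    os_version: tuple[int, ...]    # tuples compare element-wise: (4, 0) < (4, 1)
    model: str
    ownership: str                 # "corporate" or "personal"
    pin_enabled: bool = True
    jailbroken: bool = False       # jailbreak (iOS) or root (Android) seen by the agent
    installed_apps: set[str] = field(default_factory=set)

@dataclass
class Policy:
    min_os: dict[str, tuple[int, ...]]   # permitted platform -> minimum OS version
    blocked_models: set[str]
    allowed_groups: set[str]             # user must belong to at least one
    personal_devices_allowed: bool
    blacklisted_apps: set[str]

def enrollment_decision(device: Device, policy: Policy) -> tuple[bool, list[str]]:
    """Enrollment: compare user and device to IT-defined policy and return
    (authorized, reasons) so the self-help portal can explain a refusal."""
    reasons: list[str] = []
    minimum = policy.min_os.get(device.platform)
    if minimum is None:
        reasons.append(f"platform {device.platform} not supported")
    elif device.os_version < minimum:
        reasons.append(f"OS {'.'.join(map(str, device.os_version))} below minimum")
    if device.model in policy.blocked_models:
        reasons.append(f"model {device.model} blocked")
    if not device.groups & policy.allowed_groups:
        reasons.append(f"user {device.user} not in an authorized group")
    if device.ownership == "personal" and not policy.personal_devices_allowed:
        reasons.append("personally owned devices not permitted")
    return (not reasons, reasons)

def compliance_violations(device: Device, policy: Policy) -> list[str]:
    """Polling: verify settings and detect the events the article names."""
    violations: list[str] = []
    if not device.pin_enabled:
        violations.append("pin_disabled")
    if device.jailbroken:
        violations.append("jailbroken_or_rooted")
    for app in sorted(device.installed_apps & policy.blacklisted_apps):
        violations.append(f"blacklisted_app:{app}")
    return violations

def enforcement_actions(device: Device, violations: list[str],
                        lost_or_stolen: bool = False) -> list[str]:
    """Graduated response: notify, stop-loss (pull corporate email and VPN
    settings), then wipe. Wipe scope follows ownership: an enterprise wipe takes
    only corporate assets off a personal device; a full wipe needs corporate hardware."""
    wipe = "full_wipe" if device.ownership == "corporate" else "enterprise_wipe"
    if lost_or_stolen:
        return ["remote_locate", "remote_lock", wipe]
    if not violations:
        return []
    actions = ["notify_user", "notify_admin", "remove_email_profile", "remove_vpn_profile"]
    if "jailbroken_or_rooted" in violations:
        actions.append(wipe)   # OS integrity is gone, so corporate apps and data come off
    return actions

def poll_fleet(devices: list[Device], policy: Policy) -> dict[str, dict]:
    """One polling cycle: per device, enrollment result, violations and actions."""
    report = {}
    for device in devices:
        authorized, reasons = enrollment_decision(device, policy)
        violations = compliance_violations(device, policy) if authorized else []
        report[device.device_id] = {"enrolled": authorized, "reasons": reasons,
            "violations": violations, "actions": enforcement_actions(device, violations)}
    return report

# Constructed sample policy and fleet (models, users and app ids are made up).
SAMPLE_POLICY = Policy(min_os={"ios": (5, 0), "android": (4, 0)},
                       blocked_models={"SampleTab-Legacy"},
                       allowed_groups={"sales", "engineering"},
                       personal_devices_allowed=True,
                       blacklisted_apps={"com.example.unapproved-sync"})
SAMPLE_FLEET = [
    Device("d1", "alice", {"sales"}, "ios", (5, 1), "SamplePhone", "personal"),
    Device("d2", "bob", {"marketing"}, "android", (2, 3), "SamplePhone", "personal"),
    Device("d3", "carol", {"engineering"}, "android", (4, 0), "SamplePhone", "personal",
           jailbroken=True, installed_apps={"com.example.unapproved-sync", "com.example.mail"}),
    Device("d4", "dave", {"sales"}, "ios", (5, 0), "SamplePhone", "corporate", pin_enabled=False),
]

if __name__ == "__main__":
    for device_id, finding in poll_fleet(SAMPLE_FLEET, SAMPLE_POLICY).items():
        print(device_id, finding)
```

Running the block prints one finding per sample device: the compliant personal phone gets no action, the out-of-policy Android is refused at enrollment, the rooted device loses corporate profiles and gets an enterprise wipe, and the corporate phone with PIN disabled gets the stop-loss actions only.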
TEST DRIVE BEFORE BUYING
Like any other technology designed to assist IT with security enforcement, MDM is a means to an end. Organizations should not expect MDMs to magically keep a mobile workforce secure any more than a firewall can be expected to keep a corporate network safe. MDMs require careful selection, based on ability to meet business needs, implement desired policies, integrate with existing infrastructure and support workflows.

Those workflows and related IT processes should not be left as a post-deployment exercise. Diversity within the multi-platform MDM market becomes most apparent when organizations begin to use products to manage real-world devices. For best results, pilot a few MDM products by attempting to assert and enforce an acceptable use policy on various devices of importance to your workforce.

LISA PHIFER owns Core Competence, a consulting firm specializing in business use of emerging network and security technology. She has been involved in the design, implementation and evaluation of internetworking, security and management products for 30 years. Send comments on this article to feedback@infosecuritymag.com.
By Marcia Savage
TAKE TWO
VMware is revamping its security partner program after hitting some bumps in the road.
VIRTUALIZATION SECURITY
VMWARE'S ANNOUNCEMENT OF its VMsafe initiative four years ago was big news for the security industry. The virtualization giant's plan to provide security vendors with APIs to develop products that would integrate with its software appeared ambitious but promising. Security concerns with virtualization technology were growing and VMware was responding. It touted 20 security vendor partners as embracing the new VMsafe technology and building products to secure virtual environments.

But it didn't take long before industry analysts and observers began noting a lack of results. It took over a year for the company to release the VMsafe APIs
and with a few exceptions, security vendors seemed to talk more about plans and prototypes than actual products.

Today, the VMsafe program is effectively in mothballs as the company reworks its playbook based on APIs for its vShield security technology. Despite the re-shuffling, VMware remains intent on supplying its security partners with the means to provide integrated products. It's a strategy that's becoming more urgent as companies move their mission-critical applications into virtualized environments and private clouds, making security and compliance requirements more pressing.

"Our security strategy is to do what it takes to enable people to make this journey to the cloud," says Jonathan Gohstand, director of product marketing for the networking and security groups at Palo Alto, Calif.-based VMware.

Yet while VMware continues to plug away on the security front and more security vendors have released integrated products, its own security products appear to put it at competitive odds with security partners. Let's take a closer look at the VMware security strategy, the bumps along the way, and the company's plans for the future.

VIRTUALIZATION SECURITY: AN INCONVENIENT TRUTH
A few years ago, security wasn't something virtualization vendors wanted to deal with, says Paula Musich, senior analyst at research firm Current Analysis. "There was a reluctance on the part of the hypervisor providers to acknowledge that security was an issue. They were thinking that by ignoring it, it wouldn't be an issue," she says. "VMware was the first to acknowledge that you can't just ignore it, that you have to put some effort behind making the environment secure."

VMware started its foray into security by acquiring Determina, a provider of host-based intrusion prevention technology, in 2007. It followed up that deal with its VMsafe technology in early 2008. The VMsafe APIs weren't released until April 2009, but eventually a handful of vendors released products based on them, including Check Point Software Technologies, Reflex Systems and Altor Networks (later acquired by Juniper Networks). Other big name security vendors such as Symantec and McAfee were noticeably quiet.

The problem, says Musich, who wrote an in-depth report on VMware's security efforts last fall, is that the VMsafe APIs were so low level, so far down
in the weeds for most of the security vendors to really get a handle on them. "They proved too difficult for security companies to use," she says.

Avoiding AV Storms
ANTIVIRUS SUPPLIERS WORK WITH VMWARE TO COUNTER PERFORMANCE ISSUES
In April, McAfee launched an agentless deployment option for its Management for Optimized Virtual Environments (MOVE) antivirus product that integrates with VMware vShield Endpoint. The software is designed to allow users to secure virtual desktop infrastructure (VDI) and virtual server environments without running into the dreaded AV storm problem and sacrificing performance.

"Any host-based security tool requires installation of an agent into the system and every single agent requires resources," says Dave Shackleford, owner and principal consultant at Voodoo Security and a virtualization security expert. "In a virtualized platform, all those VMs share resources. If you have 20 or 30 VMs sucking the memory and everything else dry because their antivirus agent spun up, it becomes an availability problem."

Working with VMware, Trend Micro pioneered the agentless approach to tackling AV storms. Kaspersky Lab announced in February that it will support vShield Endpoint with an agentless product later this year.

Symantec also plans to leverage vShield Endpoint with new endpoint security software scheduled for release in the second half of this year. Todd Zambrovitz, global marketing manager for virtualization at Symantec, says the technology uses a variety of methods, including cloud-based antivirus scanning and scan de-duplication, to prevent performance issues like AV storms while also improving antivirus effectiveness. Security analysis will be offloaded to a dedicated virtual appliance.

"This in the near-term will be an agent-based approach," he says. "We're continuing to look at where it makes sense to leverage agentless capabilities." MARCIA SAVAGE
A security expert who works closely with VMware says the partners in the VMsafe program got deep dive access to VMware APIs and kernel capabilities, access that VMware eventually pulled back on. "The general impression is they completely opened the kimono early on, but they didn't really need to," he says.

Gohstand readily acknowledges the VMsafe program wasn't the best model. The idea was to allow partners to write kernel-level code to fulfill security requirements, but that can lead to incompatibility issues and management difficulties, and it doesn't scale well, he says.

NEW PROGRAM IN THE WORKS
VMware's security APIs are currently focused mostly on vShield Endpoint, which offloads antivirus scanning to a virtual appliance provided by VMware partners. It also includes a driver for virtual machines to offload file events, and VMware technology to link the components at the hypervisor layer. Two years ago when vShield Endpoint was announced, Trend Micro was the lone vendor to produce a product based on the APIs, Deep Security, and has been highly successful with the server security software, according to Musich.

This year, other antivirus suppliers have announced products based on the vShield Endpoint APIs, including Symantec, McAfee, and Bitdefender.

Gohstand, who came to VMware last year with the company's acquisition of security monitoring company PacketMotion, says VMware plans to release more APIs that will provide access to data flows, a piece that's been missing. "Let's say my requirement is Web application firewalling or database monitoring in front of a workload," he says. "How can I do that in a scalable manner and provision it quickly? It's impossible using the usual techniques. That's what these APIs will enable."

The APIs address one of the overarching issues in virtualization security: With more servers consolidated on a single host, the traditional security model of putting agents on each machine won't work, he says. Later this year, VMware plans to announce a new program around the APIs, which Gohstand says
will be a better fit for security partners than VMsafe.

The drive toward virtualizing critical business applications has put a sharper focus on virtualization security in the enterprise, Gohstand says. Companies initially virtualized just their development and testing systems without paying much attention to security. "Now we're seeing more critical applications getting moved over. You can't play fast and loose with security anymore," he says.

VMware also is trying to address the growing enterprise interest in building private clouds as well as increased adoption of virtual desktop infrastructure. Gohstand says VMware wants to help its security partners not just create virtual versions of their products, but also to build truly integrated products that provide better security based on the context provided by VMware infrastructure.

"In the past, security was such a bolt on thing, not well integrated, not much context," he says. For example, an organization might have a database activity monitoring tool but not even know where all their databases are. "That's where VMware, working with its partners, is going to change the game; we have context."

Security Buy-In
A LOOK AT VMWARE'S SECURITY ACQUISITIONS.
VMware has been building up its security capabilities with a series of security acquisitions over the past five years.

2007: VMware quietly stepped into the security space with its purchase of Determina, a Redwood City, Calif.-based provider of host-based intrusion prevention products.

2008: In another deal that VMware went about without fanfare, the company acquired Cupertino, Calif.-based Blue Lane Technologies. The company made VirtualShield, which provided inline threat protection for virtual machines.

2010: VMware bought TriCipher, a Los Gatos, Calif.-based supplier of identity and access management services.

2011: VMware acquired PacketMotion, a Sunnyvale, Calif.-based provider of security monitoring technology for virtual and physical environments. The company also bought New Brighton, Minn.-based Shavlik Technologies, a supplier of patch and configuration management software that can be configured to work in virtual environments. MARCIA SAVAGE
IMAGE PROBLEMS
VMware is bullish on its security partnerships but the backpedaling on VMsafe combined with the emergence of VMware's own security products hasn't helped VMware's image with security vendors, says Dave Shackleford, virtualization security expert and owner and principal consultant at Voodoo Security.

In 2009, VMware rolled out vShield Zones, based on its acquisition of virtualization security provider Blue Lane Technologies. VMware's vShield line now includes vShield Edge, which provides firewall, VPN, Web load balancer, NAT, and DHCP services as a virtual appliance, and vShield App, a hypervisor-based firewall. VMware also continued to acquire security vendors with its PacketMotion and Shavlik Technologies purchases.

"They're making a PR effort about embracing partners, but there's a lot of speculation now because they have their own product line," Shackleford says. "People see it as cannibalizing their own partners."

In her report last fall, Musich noted that VMware was sending mixed signals to potential partners by acquiring or developing specific security functions that compete with products from those same partners.

For its part, VMware says it's only focusing on key areas where it feels it needs to have a direct security offering, not the broader security space. "If you created virtual data centers, you need some way to get out of the data center into the rest of the environment. That is typically a firewall, gateway function," Gohstand says. "We felt it was important for us to have some level of edge firewall capability to build out the virtual data center and not completely depend on partners."

vShield App is essentially a firewall tightly coupled to the workload, he says. "The real idea is that those capabilities are focused on enabling those few critical things we're working on now in terms of getting people to the cloud, the virtual data center and [virtual] desktops. Those are the pieces we're focusing on, not the general security space. The whole security space is so diverse and dynamic, there's always a place for focused players," he says.

A COMPLICATED EVOLUTION
Industry experts say they don't begrudge VMware's need to have its own security technology. At the same time, they say the company needs to work carefully with its partners.

"I understand why they would continue to drive their own technology. They have a self interest in making their platform as secure as possible," says Jon Oltsik, senior principal analyst at Enterprise Strategy Group. "To the extent they need to enhance that with additional products, I understand that. Microsoft does the same thing with Windows."

"But what I would recommend is working with as many partners as you can and understand that the right thing to do is make sure security people can manage virtual and physical workloads in a common kind of method. No one has virtualized their whole environment," he adds.

"VMware has to have those products; it needs to be able to stand alone regardless of the existing [security] ecosystem," says Chris Hoff, chief security architect at Juniper Networks and virtualization security expert. "But what needs to happen is the way in which the ecosystem can engage needs to be a level playing field." In addition, VMware needs to make it possible for products brought into its environment to be as stable and resilient as its own, he adds.

The new APIs will allow for better and easier integration, Hoff says. That's largely driven by customer demand for better integration with the security capabilities of other vendors. They've already invested heavily in security technologies and don't want the operational burden of retraining the security team on new security capabilities that may or may not integrate well, he says.

Hoff says there is a natural tension between the platform owner, VMware, and a security ecosystem that's trying to adapt to the disruption brought by the new platform and virtualization and cloud in general. The security industry is used to delivering things with a box wrapped around it. On the VMware side, it has the unenviable task of needing to deliver a high-quality product, the platform itself, and trying to deal with a well-established ecosystem that's kind of set in its ways.

There's difficulty on both sides to figure out how to deal with new threats,
these new operational methodologies, as well as an evolving and disruptive platform.

BUILDING SECURITY ASSURANCE IN THE CLOUD
With its focus on reworking and expanding its APIs, VMware is clearly determined to succeed at building a large network of security partners that will help customers virtualize mission-critical applications with confidence those applications will be secure and compliant, according to Musich.

Virtualization has become mainstream, she says, with more production applications being virtualized. "In the next year, we'll see more issues arise out of that," Musich says. "There's some real potential wealth worth stealing that's moving into virtualized environments. It's only a matter of time before malware writers figure out how to go after that wealth."
The security industry needs to take a proactive stance when it comes to securing the hypervisor, despite the lack of actual attacks on the hypervisor, says Rishi Bhargava, senior director of product management, data center and server security at McAfee. "You can't play ostrich just because it hasn't happened," he says.

Citrix's Security Efforts
COMPANY FOCUSES ON SECURE CODE DEVELOPMENT, ANALYST SAYS
VMware rival Citrix Systems takes a different approach on the security front, according to Paula Musich, senior analyst at research firm Current Analysis.

Citrix sets itself apart from VMware in emphasizing greater security in its code development process, she wrote in a report last fall. While VMware's ESX and ESXi servers require customers to harden the hypervisor using a standard set of guidelines, XenServer ships with such hardening built in.

Citrix also has built an ecosystem of security partners, which have varying levels of involvement under the Citrix Ready label, she wrote. McAfee was among those offering deeper integration with its Management for Optimized Virtualized Environments Antivirus, according to Musich.

A Citrix representative wasn't available for an interview for this article. MARCIA SAVAGE
Organizations need assurance before moving their mission-critical applications to virtual and cloud environments, he says. They want to know if they can get the same security and compliance metrics in those environments as they do in their internal physical ones. Most of the cloud providers aren't exposing those metrics. "It will be an interesting challenge for us in the industry to solve how to get customers that visibility back," Bhargava says.

Symantec is working on an expanded set of technologies and use case scenarios to understand the unique scenarios that can occur as organizations move into virtualization and the cloud, says Todd Zambrovitz, the company's global marketing manager for virtualization. "VMware has been astute in helping us identify these new scenarios of the future," he says.

At RSA Conference 2012 in February, Symantec and VMware announced five integrations, covering data loss prevention, hypervisor protection, endpoint security, security information management and compliance. All are scheduled for release this year.

"It's not just about elementary antivirus scanning. The industry has been a little complacent in its focus there," Zambrovitz says. The integrations announced at RSA take a broader view of security, taking advantage of the platform, the applications, the data and users, he says.

Gohstand says he likes how some of the Symantec integrations aren't technically complex. Customers will see integration with additional security partners soon, he says.

"We'll see the ball rolling a lot faster than it has before."

MARCIA SAVAGE is editor of Information Security magazine. Send comments on this article to feedback@infosecuritymag.com.
By Crystal Bedell
FOUR KEYS TO DLP SUCCESS
Plan your data loss prevention project carefully to avoid missteps.
STRATEGY
DATA LOSS PREVENTION technology is garnering a lot of attention these days thanks to publicized data leaks and increasingly stringent regulatory compliance mandates concerning data protection. While the technology itself is not a regulatory requirement, the ability to identify sensitive or private data, secure it (by rendering it illegible to unauthorized parties via encryption), and prevent its unauthorized disclosure, all objectives of DLP systems, can help organizations stay out of the headlines and meet their compliance and data security goals.
However, technology is only one small part of a full-blown DLP implementation. It also requires a significant amount of effort dedicated to strategy, people and process. When DLP deployment projects go wrong, it is usually due to common mistakes that arise in relation to these other non-technical components. Here are four DLP best practices to help ensure your organization's data loss prevention initiative is a success.
1. UNDERSTAND YOUR REQUIREMENTS
The most critical DLP deployment mistakes are made before the technology is evaluated and acquired. According to Rich Mogull, analyst and CEO of research firm Securosis, one common mistake is failing to understand the technology and what it's capable of. "People don't set up their needs or requirements well enough, then when they go to deploy [DLP] they start running into trouble," he says.

Andrew Engelbert, director of infrastructure and IT risk management at Oxford Consulting Group, agrees: "It's important to have an understanding of what it is that's driving your desire for DLP technology. What are you trying to solve? What's driving the need for this technology? A lot of customers don't have a DLP strategy in place before making the decision to purchase technology, and that gets them into a lot of trouble."

Nine times out of ten, Engelbert says, his clients are considering DLP because they've been approached by a vendor that has used FUD (fear, uncertainty and doubt) to raise concerns about data protection.

"Don't let the vendor define what your business needs are. They're going to tell you everything they want to sell you. . . [DLP] is by no means a silver-bullet technology. It provides a cohesive solution to manage data loss activities, but it's not bulletproof," Engelbert says.

The term DLP describes a product set that includes different modules, usually one each to protect data in motion, data at rest and data in use (at the endpoint). These different modules are managed under a centralized management console. Vendors sell each module separately, enabling organizations to focus on high-risk areas. For example, Broadcom, an Irvine, Calif.-based maker of semiconductors for wired and wireless communications, began its DLP deployment with endpoint protection. "We deployed endpoint agents when we recognized that our biggest security gap was at the endpoint where we had proprietary data leaking," says Geoffrey Aranoff, CISO at Broadcom.
Determining your organizations DLP is the more onerous part of a DLP
deployment, says Tony Meholic, CISO at Philadelphia-based Republic Bank.
You need to know what data you want to protect and where its residing, he
says.
Experts agree that understanding what you need from a DLP technology begins with understanding your data. Before you run out and engage vendors and start proof of concepts, have a good understanding of what you need to protect and how you need to protect it, says Mogull.
Once you get into the technical details, you will have the information you need to make a decision, explains Mogull. It will become clear which product will best suit your needs just based on your requirements. For example, if you need the ability to monitor SSL, you'll need to look for a product that has the appropriate technical pieces in place to enable that capability. Then you might consider which product(s) offer that capability natively versus those that tie in with another product.
Split Market
DLP TECHNOLOGY EITHER TARGETS BASIC REQUIREMENTS
OR TRIES TO DO IT ALL, ANALYST SAYS
Data loss protection technology is fairly mature. According to Paula Musich, senior analyst at market research firm Current Analysis, the market has split into two. The low-hanging fruit, if you will, is using DLP within a product or service to protect mostly structured data; less so unstructured, she says. These vendors have integrated DLP capabilities into pre-existing products like email and Web security gateways.
Then there's full-blown DLP implementation where you're trying to boil the ocean to provide protection for both structured and unstructured data: anything that's valuable, says Musich.
Such a deployment can be a significant undertaking. It's a very involved implementation to make that kind of capability a reality in many enterprises. It takes a long time, she adds. CRYSTAL BEDELL
Similarly, organizations need to decide which applications will be integrated with the DLP system. It's expected that you're going to have conflicts. Not all the applications will play nicely in the sandbox, says Aranoff. If I have to filter out an application to make my DLP work, that's a good short-term fix, but I won't know if proprietary data is going through that app.
2. WORK WITH THE BUSINESS
The success of a DLP deployment also hinges on getting broad support across the organization from all data owners. Managerial levels and above should be engaged in a DLP project for several reasons. Of course, their cooperation is necessary since the deployment will impact a great number of users. These stakeholders should be educated on DLP technology, why it's important for the business and how it's going to impact users.
Once you have business stakeholders on board, you can conduct interviews with data owners to understand the data they have access to, their responsibilities for various data types, how and with whom it is shared, etc. In this manner you can begin to determine how the data should be protected.
Support from business stakeholders is also important to ensure the DLP implementation does not unnecessarily disrupt existing business processes. They have to be involved because ultimately they're the ones that use that information on a day-to-day basis. If you lock things off and don't let users get the data they need, processes will get in a crunch, says Allen Zuk, president and CEO of Sierra Management Consulting. For example, the marketing department may attempt to send a marketing plan for an upcoming product release to the organization's PR agency. IT might stop this transmission because the marketing plan is sensitive information, not aware that this is a legitimate sharing of information.
On the other hand, false positives generated by DLP software may uncover broken business processes. You're going to have false positives, but you as the security practitioner can't say, This is a false positive, says Engelbert. Security needs to work with the business owner to identify why a specific business process is generating an alert. Together, security and the business owner can look at the business process, uncover the flaw and identify steps that can be put in place for remediation.
As an example of a broken business process, Engelbert describes a situation
where, rather than using a secure file transfer solution, someone in the payroll department transfers spreadsheets with payroll information to a third party via email. The third party may have a legitimate need for that information, but it should be sent using an approved third-party solution or something like TLS to encrypt the data between organizations, explains Engelbert.
3. GET LEGAL INVOLVED
Another people problem associated with DLP deployments is failing to get legal and compliance stakeholders involved. Like understanding your data protection needs, legal should be pulled into the discussion before anyone touches the technology. It's not too uncommon for tech folks to say, We're going to deploy this tool, but they haven't necessarily sat down with legal and thought about: Are there compliance issues we're contending with? What will we utilize the tools for? What practices will we put into place to make sure legal and compliance aren't blindsided? says Zuk.
Legal stakeholders have a multifaceted role in a DLP deployment. Legal is the authoritative source on what we need to do to keep ourselves out of hot water in the event something happens. They're the subject matter experts on the regulatory changes and the direct implications across the U.S. They are the authoritative body on how we need to respond in the event that we confirm an incident has occurred, explains Engelbert.
Legal should be involved, along with HR, when an incident has occurred that involves an employee. They need to be involved so there's clarity and consistency in the actions taken, he adds.
Equally important is the legal department's involvement to ensure the organization is adhering to regulatory mandates, like HIPAA and PCI DSS. Similarly, global organizations are likely subject to differing regional restrictions when it comes to employee monitoring. The legal department can clarify those restrictions and help ensure the DLP product is operating within legal boundaries.
In the event of data loss, the legal department also serves as secondary
stakeholders, says Engelbert. As such, they can help with the overall escalation
process of how an event will unfold. Legal plays a critical role in helping define the thresholds for matches of credit card numbers going out in a spreadsheet. How many do we really care about? We'll treat one or two differently than 500 or more, he says.
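The tiered treatment Engelbert describes, and the business-approved exception for legitimate-but-alerting processes discussed under Work with the Business, can both be expressed as a small policy check. The following is an added example written for this article; it is not the article's own material and not the code of any DLP product. The count thresholds, the approved recipient domain (processor.example) and the sample export are assumptions; the card numbers in the sample are the public test numbers that pass the Luhn check, plus two digit runs that do not.

```python
# Added example, not from the article or any DLP product: a tiered outbound
# check for credit card numbers (PANs) in a file, with count thresholds of
# the kind legal would set and an exemption for a business-approved recipient.
import re
from typing import Dict, List, Tuple

# 13-19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Hypothetical thresholds; the real numbers are agreed with legal and the
# business, per the article. Checked highest first.
THRESHOLDS: Tuple[Tuple[int, str], ...] = (
    (500, "block"),       # bulk exposure: block and open an incident
    (10, "quarantine"),   # probably a broken process: hold for review
    (1, "log"),           # a stray number: record only
)

# Hypothetical business-approved destination (e.g. the payment processor).
APPROVED_RECIPIENTS = frozenset({"processor.example"})


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return normalised (digits-only) PANs that pass the Luhn check."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def classify(match_count: int) -> str:
    """Map a match count to an action using the highest threshold reached."""
    for threshold, action in THRESHOLDS:
        if match_count >= threshold:
            return action
    return "allow"


def evaluate(recipient_domain: str, content: str) -> Dict[str, object]:
    """Decide what to do with one outbound file."""
    pans = find_pans(content)
    action = classify(len(pans))
    approved = recipient_domain in APPROVED_RECIPIENTS
    # An approved recipient turns a quarantine into a logged event, but a
    # bulk transfer over the block threshold is still stopped for review.
    if approved and action == "quarantine":
        action = "log"
    return {"matches": len(pans), "action": action, "approved_recipient": approved}


# Constructed sample export; the card numbers are public test numbers.
SAMPLE_EXPORT = (
    "employee_id,name,card_number,amount\n"
    "1001,Alice,4111 1111 1111 1111,120.00\n"
    "1002,Bob,5555-5555-5555-4444,80.50\n"
    "1003,Carol,378282246310005,15.00\n"
    "1004,Dave,4111111111111112,42.00\n"  # fails Luhn: not a card number
    "1005,Eve,1234567890123,9.99\n"       # 13-digit order id, fails Luhn
)

if __name__ == "__main__":
    print(evaluate("pr-agency.example", SAMPLE_EXPORT))
    # -> {'matches': 3, 'action': 'log', 'approved_recipient': False}
```

Two design points are worth keeping in mind. The Luhn check is what keeps order numbers and other long digit runs from inflating the count, so the thresholds legal agrees to are applied to real card numbers rather than to noise. The approved-recipient exemption encodes a business decision that security cannot make on its own, which is why it only downgrades a quarantine: a transfer large enough to reach the block threshold still gets a human look even when the destination is expected.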
4. UNDERTAKE A PHASED ROLLOUT
You have the proper people on board, you know what data you are going to protect and how, and you have the technology to do so. Now you're ready to deploy your DLP solution, right? Not so fast. Another common DLP deployment mistake, say experts, is deploying everything at once instead of taking a calculated approach in which components are deployed incrementally. If you plan on deploying a complete DLP solution that covers data in motion, data at rest and data in use, start with just one of those components. You might also consider rolling it out to just one business unit to start.
With a phased deployment, you have consumable portions that you can effectively monitor and manage all the way through, says Engelbert. If you try to eat the elephant all at once, it is a very large undertaking.
A phased rollout offers several benefits, including the opportunity to acquire experience and lessons learned that can be applied to future phases. And with a successful rollout of one phase, both IT and business stakeholders will feel more confident delving into the next phase. This success can also translate into additional funding, if needed, for future phases because, for some organizations, the cost of acquiring an entire DLP package upfront simply isn't viable, according to Engelbert. But even those organizations that acquire a complete DLP product still see the benefit of rolling it out in a phased approach.
A deployment is usually straightforward, says Mogull, if it's done incrementally. It can be easy, if you're smart about it.
CRYSTAL BEDELL is a freelance writer specializing in security, networking and cloud computing. Send
comments on this article to feedback@infosecuritymag.com.
EDITORIAL DIRECTOR
Michael S. Mimoso
EDITOR
Marcia Savage
SENIOR SITE EDITOR
Eric Parizo
SENIOR MANAGING EDITOR
Kara Gattine
DIRECTOR OF ONLINE DESIGN
Linda Koury
COLUMNISTS
Marcus Ranum,
Lee Kushner
CONTRIBUTING EDITORS
Michael Cobb, Scott Crawford,
Peter Giannoulis, Ernest N. Hayden,
Jennifer Jabbusch, David Jacobs,
Diana Kelley, Nick Lewis,
Kevin McDonald, Sandra Kay Miller,
Ed Moyle, Lisa Phifer,
Ben Rothke, Anand Sastry,
Dave Shackleford, Joel Snyder,
Lenny Zeltser
USER ADVISORY BOARD
Phil Agcaoili, Cox Communications
Richard Bejtlich, GE
Seth Bromberger, Energy Sector Consortium
Chris Ipsen, State of Nevada
Diana Kelley, Security Curve
Nick Lewis, Saint Louis University
Rich Mogull, Securosis
Craig Shumard, CIGNA CISO Retired
Marc Sokol, Guardian Life
Gene Spafford, Purdue University
Tony Spinelli, Equifax
VICE PRESIDENT/GROUP PUBLISHER
Doug Olender
dolender@techtarget.com
ASSOCIATE PUBLISHER
Peter Larkin
plarkin@techtarget.com
TECHTARGET
275 Grove Street, Newton, MA 02466
www.techtarget.com
2012 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or
by any means without written permission from the publisher. For permissions information, please
contact The YGS Group.
About TechTarget:
TechTarget publishes media for information technology professionals. More than 100 focused
Web sites enable quick access to a deep store of news, advice and analysis about the technologies,
products and processes crucial to your job. Our live and virtual events give you direct access to
independent expert commentary and advice. At IT Knowledge Exchange, our social community, you
can get advice and share solutions with peers and experts.
Illustration on cover and page 16: Pixel Embargo/Fotolia