
Unisys Disruptive Technology & Trend Point of View

Whitepaper Series CyberSecurity


Tackling CyberSecurity in the Enterprise
By having a logical framework for understanding CyberSecurity, and the major domains
it represents, enterprises can implement their Cyber strategies and develop specific
plans tailored for each domain. The challenge is far broader than simply addressing
one issue such as securing mobile devices or securing cloud computing environments,
so by ensuring the CyberSecurity strategy and logical framework addresses all of these
inter-related trends, business leaders can be confident of a comprehensive approach.

Abstract
In today's business environment, disruptive technologies such
as cloud computing, social computing, and next-generation
mobile computing are fundamentally changing how
organizations utilize information technology for sharing
information and conducting commerce online. This wave
of technology innovation, often driven by consumer trends
which are being rapidly adopted across the enterprise, has
created unparalleled levels of access and connectivity
across people, information, systems and assets worldwide
and has transformed today's network-delivered society. In
the CyberSecurity arena, the increasing sophistication,
frequency and scale of cyber-crime as a rapid result of this
open and network-oriented society, coupled with the recent
explosion in the use of edge devices and cloud-based
applications, and increasing regulatory and compliance
requirements, has created an urgent need for organizations
to rapidly advance their security counter-measures and
re-think traditional approaches. On a more global level, due
to the compelling and pressing nature of the issues involved,
many countries have elevated CyberSecurity to a top-tier
priority within their national security strategies.

To keep pace and stay ahead of escalating risk levels while
at the same time efficiently managing costs, business
leaders need to rethink their CyberSecurity postures in the
context of a broader risk management strategy and adopt
a new strategic framework that addresses these numerous
disruptive trends across the IT landscape. By having a logical
framework for understanding CyberSecurity, and the major
domains it represents, enterprises can implement their Cyber
strategies and develop specific plans tailored for each domain
and exposure area in a holistic manner. Key focus areas
should include governance, risk and compliance, users
(identity assurance regardless of location or device type),
data (sensitive data protection no matter where it resides),
applications (application security modernization), infrastructure
(securing the borderless enterprise including cloud
computing) and assets (cyber supply chain). The challenge
is far broader than simply addressing one issue such as
securing mobile devices or securing cloud computing
environments, so by ensuring the CyberSecurity strategy
addresses all of these inter-related trends, business leaders
can be confident of a defense-in-depth approach.

For businesses and governments alike, getting the CyberSecurity posture right across all its
elements will be vital for future growth, innovation and competitive advantage in order to truly
exploit the business and economic opportunities provided by technologies such as cloud,
mobile and social computing as well as smart computing and IT appliances. A CyberSecurity-related mis-step in any of these rapidly emerging areas can lead to lost productivity and
potentially serious damage to brand reputation. There is no single answer for success, but
by working across public- and private sector partnerships and by advancing security measures
particularly with regard to mission-critical systems, processes and applications that are
connected into cyberspace, businesses will be able to work towards a future environment
that is both open and secure and prosperous.

Market Trends, Challenges & Opportunities


While traditional information security has always included practice areas related to the
security of information and systems, the cyber-world that we live in today has become
increasingly connected and by its nature increasingly mission-critical due to our network-delivered society. What's more, the traditional enterprise boundaries that formed the basis
for securing the perimeter from the outside world have, by necessity, become increasingly
porous in order to support this new, routinely wireless and ubiquitous always-on connectivity.
The major challenge for organizations today is determining how to embrace disruptive
technologies and trends such as cloud, mobile and social computing that provide significant
productivity gains ultimately increasing revenue while at the same time managing the inherent
risks that conducting business in cyberspace embodies.
Before studying the business drivers and challenges related to CyberSecurity, it's important
to understand the general definition and scope of the term and how it relates within the
broader context of security. A useful definition comes from the Cyber Security Strategy of
the UK [1]:
"Cyber Security embraces the protection of both private and public sector interest in cyber
space and their dependency on digital networks and also the protection of exploitation
of opportunities, commercial or public policy, that cyber space offers."
While there are many definitions, the key point to note is that the scope of CyberSecurity
extends not only to the security of IT systems within the enterprise, but also to the broader
digital networks upon which they rely including cyber space itself and critical infrastructures.
On a national level, many governments have deemed CyberSecurity as a tier one priority
within their national security strategies, recognizing the likelihood and impact of potential
attacks [2]. Some figures clearly illustrate the magnitude of the problem. In less than 15 years,
the number of global web users has exploded by more than a hundred-fold, from 16 million
in 1995 to more than 1.7 billion today. By 2015, there will be more interconnected devices
on the planet than humans. As this "fourth utility" (after electricity, water and the telephone
system), as it is sometimes called, has grown, cyber-crime has grown significantly as well. In
fact, the cost of cyber-crime has been estimated at over $1 trillion per year globally [3].

One of the key implications of this definition of CyberSecurity is that we now have a society
dependent on network delivered services. Protecting this new dependency is what we call
CyberSecurity. It spans both the logical world of IT, bits and bytes, and computers as well as
the real world of going about our business as usual in CyberSpace. Everything we do
is network delivered, even crime. One of the imperatives for any CyberSecurity strategy is
therefore to take a more holistic approach to how we defend and protect our organizations, and
even our society, and to help recover when things go wrong.

Business Drivers & Challenges


Today, some of the major CyberSecurity business drivers impacting the enterprise include
the increasing sophistication, frequency and scale of cyber-crime, the malicious and inadvertent
leakage of sensitive data, the increasing regulatory environment and the vulnerabilities
introduced by the rise of cloud computing, mobile devices and Web 2.0 applications in use
within the enterprise (figure 1). Each of these business drivers creates unique challenges
for CIOs and Chief Information Security Officers (CISOs) within both the public and private
sectors. While these are not the only drivers, they are of a magnitude that is requiring serious
attention in order to compete in the CyberSecurity arms-race by managing risk and protecting
assets. We'll now examine each of these topics individually and address some of the challenges
they raise for business leaders.

Figure 1 - The CyberSecurity Challenge

Increasing Sophistication of CyberCrime


The increasing sophistication, frequency and scale of cyber-crime means that the public
and private sectors need to scale up their levels of protection across their operations and
become more predictive in order to avoid becoming the next headline. One such
illustration of this increasing sophistication was the Stuxnet worm which was discovered in
June 2010 and which infected computer systems around the world. This worm was thought
to have more than 4,000 functions, comparable to some commercial software [4]. While
Stuxnet may or may not have been government-sponsored, the example does serve to
highlight the complexity of some of these worms. In terms of frequency, cyber attacks have
become common occurrences, with companies in a recent Ponemon Institute study
experiencing more than one successful attack per company per week [5]. A related Ponemon
study [6] found that the average cost to the enterprise for a data breach was $3.4 million
when factoring in detection and escalation, notification, response, and lost business.
What's more, this study excluded catastrophic data breach incidents to avoid skewing
overall findings. All this adds to the challenge for business leaders to raise protection levels
against cyber-crime while reducing or maintaining costs.

Cloud Computing
As organizations move towards cloud computing for the inherent agility and economic
benefits this IT delivery model entails, they are increasingly moving towards hybrid enterprise
environments that consist of a mix of cloud, non-cloud, internal and external IT service
delivery models. This is due to the fact that not all application workloads, whether they are
business-as-usual, mission-critical or highly innovative, are suited to cloud deployments
and may need to remain within a more traditional footprint for reasons as varied as
architecture, regulatory compliance, and location where data is stored. This hybrid enterprise
environment is more than just a hybrid cloud model consisting of two or more cloud-based
entities, but is a composition of cloud, non-cloud, internal and external IT service delivery
models that remain unique entities, but are bound together by an integrated management
environment, and common technology, processes and policies. The CyberSecurity
challenge for cloud computing is therefore to not only protect data within public clouds and
hosted private clouds, but to ensure governance, risk and compliance is addressed
across this full, integrated environment where applications and data may be highly virtualized
across the end-to-end infrastructure.

Rise of Mobile Devices & Applications


The consumerization of IT effect, as noted by recent Unisys and IDC research [7], shows that
there is a broader array of end user or consumer devices in use within the enterprise,
many of which are personally owned. There is also an ever increasing use of social computing
technologies and platforms for internal and external collaboration. Unisys-sponsored
research revealed that information workers are using an average of four consumer devices
and multiple third-party applications, such as social networking sites, in the course of their
day. In addition, from 2009 to 2014, the number of information workers using smartphones
to conduct business is expected to nearly double, according to IDC [8]. The challenge for
security practitioners is how to secure this increasingly porous and seemingly borderless
enterprise, manage the risks of lost or stolen devices, inadequate authentication of mobile
workers, and un-authorized disclosures of confidential and sensitive data via social networks.

Leakage of Sensitive Data


The leakage of sensitive data is another area that has been highly publicized. One of the
most recent examples is the WikiLeaks saga related to the exposure of stolen classified
U.S. diplomatic documents. WikiLeaks shared these classified documents with newspapers
such as The New York Times, Le Monde, Der Spiegel, and The Guardian. This highlights the
increasingly complex issue of protecting intellectual capital and maintaining privacy. The U.S.
alone has 48 states with a multitude of data breach laws and differing data protection
practices. This sensitive data protection has to be addressed along with privacy all whilst
organizations move to the cloud, add more mobile devices, and adopt social computing
paradigms. Business leaders need to address how to secure and protect sensitive data
no matter where it resides, including real-time detection and prevention of un-authorized
disclosures, and how to strike the right balance between "need to know" and "need to share".

Increasing Regulatory Environment


Organizations are also grappling with the expected impact of new security legislation and
mandates applicable to the protection of critical infrastructure and key resources (CIKR)
across all sectors. International committees have been wrestling with protecting the Internet
without regulating it. There has been a significant amount of international discussion about
what constitutes cyber war and what treaties need to be enacted. The dynamic has swung
the pendulum from historically reactive monitoring to pro-active, continuous monitoring for
situational awareness. Another requirement is the migration to trust-based systems with
built-in, end-to-end, security.

Unisys CyberSecurity Point of View


Tackling CyberSecurity in the Enterprise
Since CyberSecurity and overall security, which includes physical or real world security,
are so intricately linked, we believe it is important to have integrated strategies within the
enterprise for both. The strategy for prevention, detection and reaction should take a more
holistic approach and be built upon the concept of a common operating picture and situational
awareness across all fronts both cyber and non-cyber. This supports a defense-in-depth
approach where each layer of security, whether physical or logical, helps support the overall
security posture of the organization.

Establishing a CyberSecurity Framework


In the context of this overall security strategy, it is important however to understand the
gaps and overlaps between CyberSecurity and the other security domains. By having a
logical framework for understanding CyberSecurity, and the major domains it represents,
enterprises can implement their Cyber strategies and develop specific plans tailored
for each domain. The challenge is far broader than simply addressing one issue such as
securing mobile devices or securing cloud computing environments, so by ensuring the
CyberSecurity strategy and logical framework addresses all of these inter-related trends,
business leaders can be confident of a comprehensive approach. Additionally, a logical
framework and technical architecture for addressing CyberSecurity can help to migrate from
tactical, point solutions to a more coordinated set of tools and techniques for a system of
systems approach by seeing the big picture.
The CyberSecurity framework you choose, or may already have in place, will likely depend
upon your specific industry and the countries in which you conduct business. While they can
range from simple to complex, the main goal is to help in categorizing the CyberSecurity
areas that should be secured and integrated as part of your approach. This, of course,
should be in addition to standards and compliance-based approaches and requirements
such as ISO 27000 series which provides best practice recommendations on information
security management. In fact ISO 27032 is an upcoming standard specifically around
CyberSecurity which is presently under development. As part of this work, figure 2 illustrates
the UK contribution for the relationship between CyberSecurity and other security domains
used by ISO.

[Figure 2 (diagram). Domain labels shown: Information Governance; Information Assurance;
IA Risk Management; Business Continuity Management; Resilience, Diversity, Redundancy;
Adequacy of Controls; Information Recovery; Investigations, incl. Forensics; Document
Security; INFOSEC; RADSEC (TEMPEST + EMI, ELSEC, RFSEC); COMPUSEC; Secure Development;
Certification & Accreditation; Security; Compliance & Audit; COMSEC and TRANSEC;
EMIP (EM Interference Protection: EMC, HEMP/HERF); Computer Network Attack; Computer
Network Defense; Analysis; Network Monitoring & Protection; Physical Security; CND Risk
Management; Personnel Security; Systems Recovery; Computer Network Operations; Computer
Network Exploitation; eCNI Protection; Cyber-Security. Source label in the diagram:
ISO/IEC 27037 (Cybersecurity), Section 5.3, Figure 1, UK Contribution for Relationship
between Cybersecurity and other security domains.]

Figure 2 - UK contribution for the relationship between CyberSecurity and other security domains.

A simple CyberSecurity logical framework is illustrated in figure 3. Here we have simply
broken out CyberSecurity into eight logical domains covering users, data, applications,
infrastructure and assets together with horizontal functions such as governance, risk and
compliance, situational awareness, and security operations.

Governance, Risk & Compliance (horizontal function)
Users: Identity & Access Management
Data: Sensitive Data Protection
Applications: Application Security Modernization
Infrastructure: Secure Infrastructure Engineering
Assets: Cyber Supply Chain
Common Operational Picture / Situational Awareness (horizontal function)
Security Operations Services (horizontal function)

Figure 3 - Logical framework for CyberSecurity.

We'll now look at a representative number of these logical areas within figure 3 specifically
as they relate to the market drivers, challenges and opportunities previously discussed
related to cybercrime, cloud computing, mobile devices, sensitive data protection, and the
increasing regulatory environment.

Governance, Risk and Compliance


With recent cyber attacks resulting in highly publicized server outages and attacks within
both government and the private sector, enterprises need to revisit their business continuity
plans as a defense against cyber attacks. As an example of a potential enhancement, they
should evaluate alternative communication paths for critical business operations, in the
event of an Internet outage, including automatic re-routing from voice-over-IP to traditional
POTS (plain old telephone service), cellular or satellite.
In compliance, it is also important to shift the paradigm from reactive monitoring to pro-active,
continuous monitoring for situational awareness across the physical and logical security
landscape. With the large volumes of security event-related data coming in every second
within a typical enterprise, techniques such as visual analytics can help security practitioners
cut through the clutter to find real security-related events that need immediate analysis or
attention. As part of your CyberSecurity strategy, it will be important to apply techniques such
as visual analytics simply to be able to detect and react to events which would otherwise be
un-noticed and to cut down on the number of false-positives.

Identity Assurance
Given the almost universal access to enterprise systems and data through mobile devices, it
is more important than ever to manage user identities and entitlements in a comprehensive
integrated approach that reflects the unique cyber security challenges.

Centralized Identity and Access Management applications that integrate user system access
with user device management are the key to protecting cyber assets in a mobile environment.
For example, when an employee leaves the organization, the access de-provisioning process
should include the purging of organizational data from the mobile devices.
This assumes that all mobile devices, organization- or employee-owned, and the associated
organizational applications are part of an overall managed process that links devices to an
individual user identity which can be verified through multi-factor authentication techniques.
The authentication techniques may include biometrics and PKI. The same multi-factor
authentication techniques can be leveraged in the case a mobile device is lost or stolen
to prevent opportunistic cyber access to organizational data whether stored on the device
or in the cloud.

Sensitive Data Protection


Within your CyberSecurity strategy, it is important to take a coordinated approach to sensitive
data protection as opposed to a piecemeal one which is the current technique within most
enterprises today. It is critical to determine what data is being processed in order to determine
the level of access control and security that needs to be provided. By selecting the proper
level of security needed for the data, organizations can determine the technical solution that
will meet their protection requirements.
There are a number of new techniques available to help secure sensitive data including
dynamic data masking and the afore-mentioned location-based security. Dynamic data masking
can be particularly valuable to deal with in-house threats such as masking personally identifiable
information from call center workers or developers where necessary. Your sensitive data
protection plan should encompass a broad array of scenarios including secure document
access and delivery, encryption of data at rest and data in motion, data masking, digital
rights management, and overall data loss prevention. It should also be crafted to address
new areas such as cloud computing and internal or external use of social networks where
sensitive data can be particularly at-risk.

Application Security Modernization


Another important area is application security modernization. As mission-critical business
applications are modernized to be web-enabled, SOA-enabled or even mobile-enabled to
support the latest 4G smartphones, it is important to also ensure these applications are
modernized from an application security perspective. Many of these business applications
are custom-coded and may have relatively weak levels of security relative to their importance
in running the core operations of the business.
As applications are extended to be accessed via more and more device types over diverse
networks and delivery models including traditional and cloud-based infrastructures, it is
important to review and potentially upgrade their security levels as well. Security modernization
techniques may, and often should, include strong authentication with biometrics or smartcards,
use of encryption, and use of web service security standards to secure SOA-based applications.

Cyber Supply (Value) Chain


A key area where the physical and logical aspects of CyberSecurity converge is the Cyber
Supply Chain or Value Chain. The Cyber Supply Chain includes all the people, processes
and technology that are involved in conducting business in cyberspace. For the typical
enterprise or government agency this obviously includes servers, personal computers,
laptops and mobile devices, but also network elements such as appliances, firewalls and
routers. Just as supply chains such as those in the pharmaceutical industry need to protect
against counterfeits and ensure the integrity of their operations, the same is true within the
cyber supply chain. This is a particularly important issue for government and the financial
services industry where any compromise in software or hardware within their IT supply
chains can potentially lead to theft of confidential information, financial crimes, or even
cyber-terrorism. Recent examples of real-world incidents have included counterfeit hardware
such as routers with malware built-in and also brand-name manufacturers who have
inadvertently shipped pre-owned laptops, hard drives, and other devices with viruses, worms,
and Trojans on them [9]. The problem can also occur at the chip level where it is very difficult
to tell the difference between a compromised chip and a real one. To address this issue,
enterprises need to build a trusted relationship with their suppliers at all levels in the supply
chain and additionally adopt best practices across their systems and processes. Some
guidelines from the U.S. National Institute of Standards and Technology (NIST) state this
may include the use of trusted suppliers, service-level agreements related to quality
and security during the manufacturing stage, vetting of software updates, use of secure
distribution channels, and secure destruction of media after use.

Securing Mobile Devices & Applications


The consumerization of IT effect is a revolution spearheaded by workers, often from the
executive ranks, who are investing their own resources to buy, learn, and use a broad range
of popular consumer technologies and application tools to get things done in the workplace.
By using the same powerful, widely available tools and applications found in the consumer
world (from smartphones and iPads to social networks and instant messaging), information
workers are able to stay informed, connected and productive in their professional as well as
their personal lives.
The challenge for business leaders is to determine how to enable these devices and
applications, giving employees the tools to be more efficient, while managing risk from data
loss or leaks. According to recent results from the Unisys Security Index, only slightly more
than a third of Internet users in the U.S. regularly use and update passwords on their mobile
devices. As part of your CyberSecurity strategy, it is important to have a well-crafted governance
approach around these devices which includes not only device usage policies, and device
management and support for situations such as lost or stolen devices, but also appropriate
levels of strong authentication where applications and transactions dictate. Fortunately, in
many cases, you can leverage the built-in features of the device to provide this strong, two-factor, authentication as opposed to having to invest in expensive add-on hardware. Some
examples include biometric authentication via voice, signature or even facial recognition.
Security can also be enhanced by utilizing the GPS functionality within many devices to
validate employee location. In addition, many smartphones today have built in hardware to
support fingerprint-based biometrics. Based on the organization's risk management strategy
there may be a need for additional third party security capabilities and determining the level
of risk which is acceptable will determine the appropriate level of security needed.
What's more, securing mobile devices and users to address this consumerization of IT effect
will have the added benefit of allowing these disruptive technologies to be adopted more
rapidly and successfully within your organization. This may help to provide you with a first
mover advantage while your peers take longer to adopt and overcome the security challenges
these disruptive technologies present.

Summary & Recommendations


Establish a logical framework for CyberSecurity - The challenge is far broader than simply
addressing one issue such as securing mobile devices or securing cloud computing
environments, so by ensuring your CyberSecurity framework addresses all of these
inter-related trends, business leaders can be confident of a comprehensive approach.

Re-visit plans related to Governance, Risk and Compliance - Conduct a security assessment
and re-visit business continuity plans as a defense against cyber attacks and determine
alternate communication paths for critical business operations.

Manage User Identities and entitlements in a comprehensive, integrated approach -
Centralized Identity and Access Management applications that integrate user system
access with user device management are the key to protecting cyber assets in a mobile
environment. Develop a strategy for trusted identities that includes identity enablement
and biometric authentication across multiple platforms that are interoperable and resilient.

Take a coordinated approach to Sensitive Data Protection - Your plan should encompass
a broad array of scenarios including secure document access and delivery, encryption of
data at rest and data in motion, data masking, and digital rights management, as well as
more recent areas such as cloud computing and use of social networks where sensitive
data can be particularly at-risk.

Incorporate CyberSecurity enhancements as an integral part of Application Modernization
initiatives - As mission-critical business applications are modernized in areas such as
web-, cloud- and mobile-enablement, it is important to review and potentially upgrade their
security levels as well.

Re-assess the integrity of your Cyber Supply (Value) Chain - Build a trusted relationship
with suppliers at all levels in the supply chain and adopt best practices across systems
and processes to protect against counterfeits and ensure the integrity of your end-to-end
cyber value chain operations.

Take advantage of the built-in capabilities of today's next generation devices to better
secure mobile users, devices and applications - In many cases, biometric techniques
via voice, signature or even facial recognition can be used to provide strong, two-factor,
authentication as opposed to having to invest in expensive add-on hardware.

CyberSecurity is clearly much more than simply another name for IT Security. In fact, it has
been elevated by many governments such as those in the United States and the United
Kingdom, to the level of a top-tier priority for economic and national security. These governments
also recognize that cyberspace is woven into the fabric of our societies. In the civilian world
it has been named the fourth utility alongside telecommunications, electricity and water and
in the military world it is a strategic asset to be protected alongside land, sea, air and space.
For businesses and governments alike, getting the CyberSecurity posture right across all its
elements will be vital for future growth, innovation and competitive advantage. There is no
single answer for success, but by working across public- and private sector partnerships and
by advancing security measures particularly with regard to mission-critical systems, processes
and applications that are connected into cyberspace, businesses will be able to work towards
a future environment that is both open and secure and prosperous.


References
1. Cyber Security Strategy of the United Kingdom, June 2009,
   http://www.computerweekly.com/blogs/read-all-about-it/Cabinet%20Office%20Cybersecurity%20review%2009.pdf

2. A Strong Britain in an Age of Uncertainty: The National Security Strategy, October 2010,
   http://www.cabinetoffice.gov.uk/sites/default/files/resources/national-security-strategy.pdf

3. Ditto

4. Top 10 Security Stories of 2010, Information Week, December 2010,
   http://www.informationweek.com/news/galleries/security/management/showArticle.jhtml?articleID=228800665&pgno=1&isPrev=

5. First Annual Cost of CyberCrime Study, Ponemon Institute, July 2010,
   http://www.arcsight.com/collateral/whitepapers/Ponemon_Cost_of_Cyber_Crime_study_2010.pdf

6. Five Countries: Cost of Data Breach, Ponemon Institute, April 2010,
   http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2010%20Global%20CODB.pdf

7. A Consumer Revolution in the Enterprise, IDC, June 2010,
   http://www.unisys.com/unisys/ri/report/detail.jsp?id=1120000970003910071&pid=&sid=3100002

8. Ditto

9. Securing the Cyber Supply Chain, Information Week, November 2009,
   http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=221600499&pgno=1&queryText=&isPrev=#


For more information visit www.unisys.com


© 2011 Unisys Corporation. All rights reserved.
Unisys and the Unisys logo are registered trademarks of Unisys Corporation. All other brands and products
referenced herein are acknowledged to be trademarks or registered trademarks of their respective holders.

Printed in the United States of America

05/11

11-0116
