Thursday, October 29, 2015

Endpoint device management: Protecting the enterprise front door

Mobility and cloud computing have combined to obliterate any so-called network security perimeter. Corporate data has now been let loose to roam in a world of cyber thieves, manipulators and untrusted infrastructure. What is a security professional to do?

According to Bill Odell, the Dell Vice President of Marketing for Endpoint Device Management, you need to protect the enterprise front door. Since devices are the network’s gateways, endpoint device management is now the key to protecting your enterprise data. That is why I was truly excited to speak with Bill at Dell Peak Performance in Las Vegas earlier this year.

Bill Odell, VP of Endpoint Device Management marketing

Kevin Jackson: Bill, I am really honored to get some time on your schedule today. Could you please explain to my readers your role at Dell?

Bill Odell: First Kevin, thank you for interviewing me today. I run marketing for Dell end-point device management. We provide solutions that help our customers manage and secure anything from a laptop or a PC to their servers, mobile devices and smartphones. With the explosion of different networking devices our solutions have now expanded to include printers, IP phones, network switches or anything else that may come online in the future.

Jackson: Sounds like your day job is the Internet of Things. With the advent of this new vision of the Internet what has changed with respect to security on these new types of end points? I imagine the proliferation of network-connected devices is really driving new cybersecurity challenges.

Odell: That’s exactly right, Kevin. Some have predicted that 50 billion devices and objects will be connected to the Internet by 2020. That type of environment absolutely changes the way companies deal with security. Trying to lockdown a windows PC is bad enough, but now you need to worry about other operating systems. This realization has changed our opinion on what Dell needs to do. Today our solutions help customers securely operate in this new world by identifying and profiling devices when they join your network. Through a single pane of glass, our solution will tell you what

Friday, October 23, 2015

20 hybrid cloud insights from top industry experts

One cloud does not fit all organizations.

That’s true whether it is a public or private cloud. A hybrid cloud option allows your business to create  a custom solution that fits your organizational needs.

However, there are always questions with new solutions. We reached out to industry thought leaders to answer some of the marketplace’s most pressing questions on hybrid cloud.

In this eBook, you’ll learn why thought leaders like Kevin Jackson, founder and CEO GovCloud Network, look at hybrid cloud from the viewpoint of hybrid IT. You’ll also hear from Shelly Kramer, co-CEO, V3+Broadsuite, on what CIOs need to consider when adopting hybrid cloud.

Data security is also top of mind for today’s IT professionals. Eric Vanderburg, director of information systems and security, Jurinov, Ltd., and Bev Robb, publications manager, Norse Corporation, use this project to address security when moving to a hybrid cloud option.

More on hybrid cloud.

(Dell sponsored this article)

Cloud Musings
( Thank you. If you enjoyed this article, get free updates by email or RSS - © Copyright Kevin L. Jackson 2015)

Tuesday, October 13, 2015

Security requires long haul planning

On Tuesday, October 6th, the European Court of Justice (ECJ), invalidated the U.S./EU Safe Harbor Framework. This framework, in place since 2000, gave blanket permission to data transfers from the European Union to the United States. The ruling means that national data protection authorities can now review such data transfers on an individual basis. It also complicates many aspects of data security for any enterprises doing business across the Atlantic Ocean.

This recent ruling highlights the value of having a strong security partner shepherding your enterprise through these types of perturbations. Luckily during Dell Peak Performance in Las Vegas, I had the opportunity to discuss the importance of such a partnership with Bill Evans, senior director of product marketing for Dell’s Identity and Access Management businesses.

Photo courtesy of Bill Evans
Kevin: Bill, thank you joining use today. What is your role at Dell?

Bill: Thank you for the invitation, Kevin. I work in the product marketing group within Dell Security. Specifically I support the Identity and Access Management product portfolio.

Kevin: Identity and Access Management is a very important aspect of cloud security. What has changed in the IDAM (identity and access management) marketplace over the past 12 months? The proliferation of devices seems to be the Achilles heel to having secure IT.

Bill: Historically, when it came to IT, everything was centralized. The mainframe, the client-server model and desktop computers were all contained within a company’s network perimeter. That perimeter is now gone and organizations are now trying to deal with an IT world that has no boundaries. A recent analyst report actually stated that identity is now the new perimeter. Protecting the network from intrusion, malware and other threats is still as important as ever. Additionally though, companies need to work harder to control access to data and applications. The focus is not only on outside hackers trying to get in but on the malicious insider as well.

Kevin: With identity and access management as the new boundary for now and into the foreseeable future, how do your customers step up to this formidable challenge?

Bill: Above all, leaders and managers need to be intelligent about the investments they make in this area. This also means avoiding reflexive “knee-jerk” reactions. The first step of the process is conducting an inventory of their current infrastructure. It’s actually impossible to protect every piece of data and frankly, they don’t need to waste money and effort trying to do so. Companies do, however, need to categorize and strongly protect data that is important. Things like personally identifiable information (PII) or healthcare records need to be isolated and surrounded with strong access controls. We call this process prioritizing the need which means developing plans that protect the most sensitive data by using the strongest operationally practical protections. Organizations are then in a position to assess available tools for implementing the needed protections. Dell’s portfolio not only provides solutions for today’s problems, but it also delivers a platform that can address future needs and challenges. Security is not a one-time project so we partner with our customers over the long haul. Making intelligent business decisions across all available technologies is key.

Kevin: You’ve outlined an approach that includes infrastructure deployment decisions in combination with a sort of data triage process. I’ve also been impressed with the breadth and depth of Dell’s security portfolio. With that said, what issues are top of mind for you and the Dell security team. Which of these issues are you planning to address over the next twelve months?

Bill: That’s really a great question. The thing we’re looking at very closely right now is the impact that security has on user productivity. To be honest, on a scale from one to 10, a security and risk professional wants to turn the security dial up to 11. They want to secure everything with multiple credentials that all have very long passwords. Users don’t tend to like that approach, so if you go down that implementation path, people will generally avoid the issue by going around what they perceive as a “security hurdle”. This isn’t good for anybody, including the company.

So what we’re doing is applying some new technology that we refer to as the Dell Security Analytics Engine. Though the use of Dell’s uniquely broad security portfolio, the security analytics engine can enable context-aware security. This capability collects data in real-time from multiple security assets deployed across an enterprise. We can pull information from the Dell laptop as a managed or unmanaged device. We also extract data from the Sonicwall firewall on who is accessing what type of data from where. Data from Dell Secureworks also compares the scenario with blacklists and known threat signatures. All this information is then combined to deliver a context derived risk score to the Dell One Identity Cloud Access Manager. The access manager can then make a real-time decision on that connection.

Let me give you an example. If I log in on a Monday morning at 8:30 a.m. from the office with correct credentials, it’s a pretty safe bet that I am who I claim to be. On the other hand, this week I’m in Las Vegas at Peak Performance and will probably log in from my hotel room tonight at 9:00 p.m. The security analytic engine would flag that as being an unusual occurrence and Cloud Access Manager would interpret the higher risk score as a cue for stepping up authentication requirements. This, for instance, may mean using a one-time authentication token. If my credentials were subsequently used to login at on a Sunday at 2 a.m. from North Korea, the system would read that as a probable attack and block the transaction. The challenge is in finding that right balance between tight security and user productivity. Nine times out of 10, username and password is good enough. That tenth time, however, a little extra precaution is warranted. Users are generally willing to accept a security related inconvenience every once in a while so they won’t try to circumvent the controls. So in effect, the security team can adjust the security dials in real time.
Kevin: This seems to be a more balanced approach to security. At Dell Peak Performance we heard that enterprises have suffered over $600B in cybersecurity losses this year against just a $200B investment to protect against these losses. That doesn’t sound like a balance at all. What should senior decision makers and IT professionals learn from this statistic?

Bill: This really indicates how tough security decisions can be. While enterprises today are spending more money on security, they are also feeling worse about their security posture. Knee-jerk reactions contribute to this dichotomy. Executives, with the best of intentions but focused on addressing singular security issues, serially purchase disparate security products. These types of actions eventually lead to a patchwork of siloed security solutions. Between each of these perfectly effective solutions, however, you will find security gaps through which threats can invalidate a security strategy. As discussed earlier, we strongly recommend targeting a long-term goal with the understanding that the company cannot solve every security problem in one day. Success in this game requires partnering with a vendor that can not only address today’s issues, but also work with you to leverage a coordinated investments over time.

Kevin: With respect to identity and access management, are any specific industry verticals better positioned for this type of balanced approach? Are there any industry specific insights that you can share with us?
Bill: There is an interesting dynamic in play when it comes to user behavior and industry related expectations. While no one industry is easier or harder when it comes to data protection, they all have specific requirements related to their industry’s business model. While the requirements within industries like banking and finance are certainly different than those in healthcare, they all deal with the challenge of balancing security with the desired consumer community experience. In private, management will demand two-factor authentication throughout their respective user communities, but why hasn’t this proven control been broadly implemented? Multifactor authentication isn’t being widely used in the consumer space because of its intrusive impact on the consumer experience. A prospective customer’s decision to bank with Company A or Company B may ultimately be driven by how easy it is to get account information through a smartphone application. Daily decisions of this type forces a constant balancing between security and business needs. As consumers, we decide with our buying actions whether to accept the cost of improved security. Eventually, those same consumers will need to stand-up and state through their buying actions a willingness to pay for more robust security. We advise organizations to act smart by optionally offering enhanced security, now, because over time, all organizations will be moving in that direction.

Kevin: Do you have any final recommendations for the CEO dealing with this dilemma?

Bill: I would counsel all CEOs to start with research. You need to understand your infrastructure, thoroughly understand your threats and attack surfaces and plan for the long term. This will pay high dividends when selecting a security partner that can serve your needs as they morph and change over the long haul.

Kevin: Thank you, Bill, for your words of wisdom.

Bill: You’re welcome Kevin.

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.


Cloud Musings
( Thank you. If you enjoyed this article, get free updates by email or RSS - © Copyright Kevin L. Jackson 2015)

Tuesday, October 6, 2015

Cybersecurity through enterprise risk management

Cybersecurity is top of mind for corporations around the world. The quantity of recent data breaches and the dollar loss associated with some of them indicates either an underinvestment in cybersecurity or a failure to properly invest in people, security training or technology. While breaches are very costly to the companies concerned, they also represent major consequences for individual privacy and a business’s short-term and long-term viability.

With this as a backdrop, I spoke with Curtis Hutcheson, VP and GM, Dell Security, at Dell Peak Performance. During the conversation, he shared his views and insight about enterprise risk management and how an integrated cybersecurity fabric could be used to better protect a company’s information and reputation.

Kevin: Hello Curtis. Thank you for agreeing to be interviewed today. To start off, could you please tell me your role at Dell?

Curtis: Sure, Kevin. Happy to speak with you today. I manage the Dell Security business unit, which encompasses everything from engineering to sales.

Kevin: With all the things that are changing in cybersecurity, you certainly need pretty broad shoulders to carry all that responsibility. From your viewpoint, what are the most important trends?

Curtis: The impact of data breaches is only getting larger. People have more information stored about themselves and about their organization outside of the organization itself. People are pushing more and more information online and the risk of having a breach is just going up. This is actually very logical because security was an afterthought for most organizations five years ago. Now, however, it’s the forefront of conversations at the board of directors level. One of the toughest conversations board members now have revolves around the adequacy of data protection. Data about customers, employees and the business itself.

Kevin: The whole idea of security encompasses so many facets. Technology cannot prevent an authorized person from stealing classified data. Physical security is also an important element and at this event, cybersecurity is the central topic. Among all these security areas, what is the number one challenge faced by your customers today?

Curtis: I’ve always viewed technology as an enabler for what the business needs to do. I would also argue that simple technologies available to businesses today can help prevent many security breach activities. Things like corporate key encryption can make data unusable if it leaves the corporate network or storage facilities. This remains true even if the data leaves the company through the use of a thumb drive or a network gateway. The only way to defeat this relatively simple control mechanism would be through the theft of the corporate keys themselves. Controls like this are mainstream now but were unheard of just a few years ago. Other protections like Dell privileged account management removes the need to give employees permanent access to key systems. There is no longer a need to give super admin access. Administrative privileges can now be reserved, limited, recorded and temporary.

Kevin: Since all of these things are already part of Dell’s data security protection portfolio, what are you focused on for the next 12 months? What is the number one goal for your business unit moving forward?

Curtis: We will continue evolving our products in a way that meets the threats our customers see every day. We will also continue to raise our investment in the application of world-class engineering talents to these challenges. In addition, Dell will partner with leading cybersecurity pure plays in order to deliver unique solutions that address the ever changing security threats. This constantly changing landscape also creates a lot of excitement. The more we can leverage that entire landscape to bring customers a security platform, the more we can change their world and enhance their ability to protect the business and leverage technology to grow and enable that business.

Kevin: During the Dell Peak Performance keynote, you said that enterprises have suffered more than $600B in cybersecurity losses this year against just a $200B investment to protect against these losses. What should senior decision makers and IT professionals learn from this statistic?

Curtis Hutcheson, VP & GM Dell Security Solutions at Dell

Curtis: This shows a massive value gap between protecting against cybersecurity risks and the value lost in a cybersecurity breach. This also indicates that decision makers either don’t believe that the risk actually exists or they just don’t know how to control the risk. I believe that most decision makers would spend the money for protection if they believed it would control the risk. While this is a very immature space, some incredible technologies are now coming together that are capable of delivering a protection fabric instead of a bunch of security point products. In a majority of the key breaches that have happened, the affected organizations had substantial investments in security technology. Buying the right tools doesn’t necessarily protect you from a catastrophic security event. Our goal is to make sure your investments not only deliver the capability that you are looking for but also delivers an integrated cybersecurity fabric.

Kevin: This seems to argue for a focused end-to-end approach to security. Are industries taking that to heart? What insight can you provide that counters the notion of just buying security products?

Curtis: Great question Kevin. First, we use the NIST Risk Management Framework internally and when we work with customers during deployments. Ensuring that you are properly protected starts with a security assessment and identifying key risks. This methodology is used to understand what needs protection, the right ways to provide protection, the most effective means for monitoring the protection process and the most appropriate remedies should protection fail.

Figure 1- NIST risk management framework

Second, key applications and data need to be evaluated, not only from the viewpoint of the corporate core, but also from the viewpoint of an edge user. In properly employing a security framework, companies need to address user management and user security. Ultimately, it also requires an awareness and enforcement layer coupled with a set of perimeter controls. This forms the security platform I mentioned earlier. Customers can choose to deploy this by using different security vendors or they can go with a platform vendor like Dell. We believe platform vendors will pull away from the pack due to the assurances we will be able to deliver.

Kevin: This sounds like a hybrid IT approach. How should security professionals implement end-to-end security across a hybrid environment?

Curtis: Customers are trying to do this anyway by self-integrating separate pieces on their own. Banks and other high-security organizations have been dealing with specific and known risks for a long time. Other industries like retail are just now looking at security from a holistic aspect. The big takeaway for customers is that you no longer need to do this alone. You can now implement a security framework with an engineered security platform. You should also evaluate each layer of the platform and make sure that they each stand independently as world-class. This is where Dell provides real value. We deliver an excellent firewall solution and world-class endpoint encryption capabilities. Our application management solutions are also very good. The goal is to work with customers on a comprehensive security platform view while simultaneously providing specific solutions for their most important security pain points.

Figure 2- Best-in-class security solutions

Kevin: Thank you very much for spending time with me today.

Curtis: I appreciated it, Kevin. Thanks for being here.

Kevin: My pleasure.

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

Cloud Musings
( Thank you. If you enjoyed this article, get free updates by email or RSS - © Copyright Kevin L. Jackson 2015)

Saturday, October 3, 2015

Cloud computing: A data-centric business model

According to the National Institute of Standards and Technology:

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management.”

While this definition is broadly accepted and has, in fact, been my adopted standard for years, it only describes technical aspects of cloud computing.

The amalgamation of technologies used to deliver cloud services is not even half the story. Above all else, the successful employment requires a tight linkage to the economic and business models of the enterprise. Critical components for any transition to cloud include:
  •         Enterprise economic model
  •         Organizational goals (financial and operational)
  •         Enterprise operational model
  •         Relevant operational processes
  •         Relevant operational resources
  •         Process relevant data
  •         Data classification (e.g. severity of enterprise damage if the data is used improperly)
  •         Risk identification and management
  •         Security controls
  •         Process automation
Taking all of these components in total, cloud computing is a business model for propelling an enterprise towards its economic and operational goals. This is why cloud computing transitions cannot be left as a task for the information technology team.

The most central aspect of any business is data because data is the fuel for all business processes. The custodian of this data is the business owner. The technical aspects of cloud computing are only tools for the provisioning, manipulating and storing of data. Decisions on all aspects of any cloud computing deployment must therefore be purposely driven by business process owners. The IT Team acts as the trusted technology advisor to and the technology execution arm of the business process owners. On the flip side, the business process owner must act as the trusted business advisor to and business execution arm of the IT Team. This defines why collaboration is essential in the delivery of a cloud computing solution. It also explains why the object of this collaboration must be business data.

Data-centric collaboration explicitly addresses how an organization handles each business data-type throughout its lifecycle. In recommending industry best practices for security, the International Information System Security Certification Consortium, would recommend the use of the data security lifecycle:

Figure 1- Secure data lifecycle, Official (ISC)2 Guide to the CCSP, Domain 2
  • Create: The generation of new digital content or the alteration/updating/modifying of existing content. This phase can happen internally in the cloud or externally and then the data is imported into the cloud. The creation phase where data classification and encryption is implemented. During this lifecycle phase, data can be vulnerable to attackers if access control list are not well implemented or enforced. Correct threat scanning processes and data classification are also critical.
  • Store: The act of committing digital data to a storage repository typically occurs nearly simultaneously with creation. Controls such as encryption, access policy and backups should be implemented to avoid data threats.
  • Use: Data is viewed, processed, or otherwise used in some sort of activity, not including modification. Data in use is most vulnerable because it is might be transported into unsecure location. Controls such as DLP (digital loss prevention), IRM (information rights management) and database and file access monitors should be implemented in order to audit data access and prevent unauthorized access.
  • Share: Information is made accessible to others. Not all data should be shared, and not all sharing should present a threat. Since shared data is no longer in control of the organization, this is a very challenging phase to perform securely. Technologies such as DLP can be used to detect unauthorized sharing, and IRM technologies can be used to maintain control over the information.
  • Archive: Data leaves active use and enters long-term storage. Cost vs. availability trades based on business considerations must drive data access procedures. Regulatory requirements must also be addressed.
  • Destroy: The data is removed from the cloud provider. Destruction options are driven by usage, data content and applications. Data destruction can mean logical erase of pointers or permanently data destruction using physical or digital means.
The handling of each datatype should also be defined in terms of:
  • The actors that potentially have access to the data;
  • Potential locations for the data;
  • The types of security controls present in each potential location; and
Allowable functions in each potential location include:

Figure 2-  Identifying the functions, Official (ISC)2 Guide to the CCSP, Domain 2
  • Access: View/access the data, including copying, file transfers, and other exchanges of information;
  • Process: Perform a transaction on the data: update it, use it in a business processing transaction, etc.; and
  • Store: Store the data (in a file, database, etc.).

Figure 3- Mapping key data functions to the data security lifecycle. Official (ISC)2 Guide to the CCSP, Domain 2 

The data-centric approach is crucial as more enterprises adopt the hybrid cloud model. According to Gartner, nearly half of all large enterprises will have hybrid cloud deployments by the end of 2017.  Dell, in fact, lists security and management as one of five essential consideration for hybrid cloud saying that, “Customers can now manage their own encryption keys when using a public cloud data store, and vendors like Dropbox, OneDrive and others can integrate with IT systems so that data is transparently encrypted on its way from users’ workstations to public cloud services without any additional steps on the part of the end user.”

A data-centric business model abandons the typical infrastructure-centric security model by adopting an explicit assumption that the IT infrastructure cannot be trusted to protect business data. Embedded in that assumption are also requirements for the encryption of all data-at-rest, data-in-motion and, if possible, data-in-use. An effective transition to cloud computing demands the adoption of a data-centric business model and the equally important broad use of encryption technologies.

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

Cloud Musings
( Thank you. If you enjoyed this article, get free updates by email or RSS - © Copyright Kevin L. Jackson 2015)