SaaS, APTs and asymmetric risk take spotlight at Security Threats 2012

I had the opportunity to speak at a new security conference last week, Security Threats 2012. I presented on the topic of balancing business benefits with risks in the cloud (more on that later), but the event touched on a wide range of pertinent IT topics, provoking stimulating discussions of some of the most pressing challenges business leaders are facing.

I have to give a tip of my hat to the organizers of the conference. Not only did the event have an outstanding agenda with a bevy of top-notch speakers, but the attendees also brought a lot of value based on their varied backgrounds and senior roles in their companies.

Here are a few of the prime topics and perspectives I took away from the event:

The March of SaaS

Several speakers described the aggressive moves their companies are making toward the adoption of SaaS solutions. In many cases, it is the business units that make these decisions, with little notification to IT, let alone the security group. The motivations for moving to SaaS are about what you'd expect: time to value, cost-effectiveness, avoiding the IT organization.

Justin Kwong, senior director of IT operations and security with 24 Hour Fitness, described his company's rapid growth and concomitant reluctance to purchase and implement on-premises solutions. With such quick expansion and rapid change in its business opportunities, 24 Hour Fitness saw SaaS as an opportunity to achieve enterprise functionality at SMB pricing.

Given that Kwong's group isn't going to be implementing on-site CRM, what have they chosen to focus on instead? Kwong outlined their move to federated identity management, leveraging Active Directory as a way of supporting SSO for the user base. Not only does this increase user satisfaction by removing the need to log in repeatedly, it also ensures that one central change can remove login privileges from all of the SaaS applications once an employee leaves the company. So one could say that Kwong's group works on central infrastructure to support the SaaS-forward strategy. But lest you conclude that such a move is the province of the SMB market, Gene Fredrickson, chief information security officer of Tyco, a Fortune 500 perennial, said that his company is also backing a user-led, SaaS-forward strategy.

So how can security become aware of various SaaS initiatives throughout a company? Chet Loveland, global information security and privacy officer at MeadWestvaco, a packaging solutions company, summed up his strategy as "have friends in other places." By cultivating relationships with employees in human resources and procurement, Loveland can learn about SaaS decisions through the company grapevine. As a result, he can involve himself in SaaS initiatives and help ensure that contracts with vendors address items that are critical to the company.

Your Perimeter Is Swiss Cheese

At a conference devoted to evolving security threats, many presenters argued that the traditional strategy of hardening the perimeter of the data center is outmoded. They explained that external threats can almost certainly penetrate your defenses and set up persistent software agents that can rifle through your files at will. These so-called advanced persistent threats (APT) are commonly sponsored by criminal enterprises and foreign states.

Larry Clinton, CEO of the Internet Security Alliance, gave a sobering talk on APTs, emphatically stating that the threats are a menace to every kind of company. Moreover, most companies aren't doing much about them. In a recent survey, only 16 percent of respondents said their companies are taking steps to mitigate APTs.

Clinton recommends that security shift from a technical/operational discussion within the company to an economic/strategic concern. Essentially, he attributed the lack of investment in security to a misguided view of what risk represents. It's not about protecting the systems, by this reasoning. Rather, it's about protecting the business itself, which should involve every group in the company, from finance to legal, human resources to IT.

Kwong of 24 Hour Fitness also addressed the perimeter issue, offering a strategy based on an old joke: When a bear breaks into a camp, one camper sits down and laces up his running shoes. "Why are you doing that?" his fellow camper asks. "You can't possibly outrun a bear." The first camper responds, "I don't have to outrun the bear, I just need to outrun you."

So it follows that companies should consider a strategy of investing in security to the point where breaking into the system becomes sufficiently difficult that the bear (sorry, hacker) will move on to a slower (that is, more vulnerable) target.

The discussions on APTs were unsettling. My sense is that the risks are real, the security threats present, and no one has a really good answer for the situation. Which brings me to the next takeaway.

The Dilemma of Asymmetric Risk

Clinton and Kamil Farshchi, Visa's senior business leader of strategy, planning and initiatives, addressed the security difficulty of balancing risk against business opportunity. Another way of putting this is that the current practice of IT security creates a situation of asymmetric risk: the financial benefits associated with a computing initiative accrue to the business unit, while the risk responsibility lives with the security group. As we've seen repeatedly in our economy over the past two decades, allowing one group to achieve benefits while placing costs with another almost guarantees that risk measures will be downplayed and overaggressive initiatives pursued. Asymmetric risk placement is quite dangerous - it creates an environment in which one group can ignore risk signals by assuming that someone else is going to address the problem.

After the conference, a blog post commenting on a speech given by the CIO of an insurance company called Markel helped remind me of the importance of associating risk with benefit. Markel insures unusual situations like remote summer camps, miles from the nearest medical facilities and largely managed by teenagers. CIO Tom Gaynor explained that the company can profitably insure these sorts of endeavors by basing its underwriting insight on long experience - qualitative experience, essentially, since the individual situations Markel deals with are so distinct that the "law of large numbers" underwriting approach typical of most insurance practices is unworkable.

The blogger concluded that the same kind of qualitative judgment is necessary for IT security professionals, though it must be balanced with objective quantitative measures as well. So logging analysis is critical, but the decision of what to look at is born out of experience and knowledge. I think this is largely correct, but my larger lesson is that any situation that involves asymmetric risk bodes poorly for long-term outcomes. Markel deals with this by tying the underwriting process closely to the pricing process, thereby ensuring that every decision has a level of balance.

Speaking of which, what about cyber-insurance, the oft-bruited solution of laying risk off on an insurer in the hope of reducing a company's risk exposure to security lapses? As it happens, another attendee at the conference, a lawyer at a large international firm, had recently given a Webinar on the topic. His summary: it isn't really available at a reasonable price. It seems insurance companies are quite aware of the drawbacks of asymmetric risk.

Cloud Computing: Still in Its Infancy

As I mentioned, my presentation at the Security Threats conference was on the topic of balancing business benefits with associated risks in the area of cloud computing. My theme was that there are three risks, but traditional security approaches are preparing for only one. This first risk is the one addressed by the conventional thinking: "Let's use security products and practices against hacking attempts and malware." There's nothing wrong with that - far from it - but it fails to address two future security challenges.

The second risk is what I refer to as the "cloud boomerang." I've mentioned this several times in this blog - it refers to the likelihood of shadow IT applications eventually being delivered back to IT when the developers tire of operating them or realize their operational expertise falls short of what's necessary to run a production app. Here is a YouTube video I put together on the topic.

This cloud boomerang is a very real prospect for IT groups and, in particular, for security groups. Appropriate security measures are often bypassed or ignored for these types of applications, sometimes due to agility requirements and sometimes out of sheer ignorance of those measures. In my talk at the conference, I recommended the preparation of a checklist of appropriate security measures to be applied during initial takeover to mitigate problems and implement a consistent set of security practices.

The third threat is that security practices are still rooted in outdated assumptions about the scale and growth of computing. As I have discussed many times, the future of computing is going to be several orders of magnitude larger than what we have historically experienced. Failing to recognize that shift, while maintaining practices designed for slow rollouts and such a small number of applications that they can be handled by manual processes, is a failure of imagination. If security groups aren't thinking about this bigger and faster future, there will be enormous disruption - and risk - in IT infrastructures.

I will acknowledge that the audience response to my presentation was muted. Perhaps I presented the material poorly and failed to engage the attendees. But I also ascribe the lack of engagement to the fact that most security practitioners still aren't really aware of what's going on in the cloud. While our company sees many instances of cloud computing applications and understands their implications, many security groups seem to be unacquainted with the pace of cloud adoption. This makes sense: in my presentation I cited a Forrester estimate that five out of six cloud deployments occur without any knowledge on the part of IT - they're truly shadow IT. I expect a rude awakening over the next 18 months as security groups specifically, and IT organizations generally, begin to grapple with the new IT realities that have sprung up like Gold Rush boomtowns - quickly built, poorly policed, prone to chaos, but also sources of great wealth. I believe that the next 18 months will be among the most interesting in the history of IT.

Bernard Golden is CEO of consulting firm HyperStratus, which specializes in virtualization, cloud computing and related issues. He is also the author of "Virtualization for Dummies," the best-selling book on virtualization to date. Follow Bernard Golden on Twitter @bernardgolden. Follow everything from CIO on Twitter @CIOonline.
