This summer Actimize found that nearly 80 percent of financial institutions worldwide say the insider threat problem has increased in the wake of the economic downturn, with only 28 percent of the banks surveyed not suffering an insider breach. Surprisingly, the majority of the breaches are coming from what the industry calls “trusted insiders”: full-time employees with legitimate access to data. It is also interesting that the recession has caused many employees to cross the line. Some are in financial need, and others are resentful of longer hours or expanded job responsibilities due to lay-offs.
The typical response, reducing access to sensitive data, is difficult to apply in the financial services industry, where access to customer and company information is a necessity for most jobs. The answer needs to be broader and needs an accompanying change in attitude. Banks, like any organization, should assume that their data is under threat from insiders and should take steps to ensure their protection measures are in line with this thinking. Some examples would be blocking large-volume data downloads, stopping downloads during off-hours, and preventing certain types of changes. The technology is there and, unfortunately, today’s threat environment demands this level of protection.
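The three controls named above (blocking large downloads, stopping off-hours downloads, and preventing certain types of changes) can be expressed as a small policy engine over an activity log. The following is an added illustration and is not code from the original post or from Actimize; the event fields, thresholds, business hours and blocked change types are assumptions chosen for the example, and the events are constructed. It goes slightly beyond the text by also tracking a per-user daily total, so that many small downloads that add up to a large volume are caught as well as one big transfer.

```python
"""Insider-threat download and change policy (added example, not from the post).

Evaluates a stream of constructed activity events against:
  * large single downloads,
  * cumulative per-user daily download volume (generalises "large downloads"),
  * downloads outside business hours,
  * disallowed change types.
All thresholds, hours and field names are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time

MiB = 1024 * 1024


@dataclass(frozen=True)
class Event:
    user: str
    action: str      # "download" or "change"
    size: int        # bytes transferred (0 for changes)
    target: str      # dataset downloaded, or the type of change requested
    at: datetime


# Policy parameters (assumed values; tune per organisation)
MAX_SINGLE_DOWNLOAD = 500 * MiB      # one transfer larger than this is flagged
MAX_DAILY_PER_USER = 500 * MiB       # running total per user per calendar day
BUSINESS_START = time(8, 0)
BUSINESS_END = time(19, 0)
BLOCKED_CHANGES = {"disable_audit_log", "grant_admin", "export_schema"}


def is_off_hours(at):
    """True on weekends (weekday() 5 and 6) or outside 08:00-19:00 on weekdays."""
    if at.weekday() >= 5:
        return True
    return not (BUSINESS_START <= at.time() < BUSINESS_END)


def evaluate_stream(events):
    """Return {event_index: [violations]} for every event that breaks a policy.

    Events are processed in order so the per-user daily total accumulates;
    the event that pushes the total past the limit is the one flagged.
    """
    daily = defaultdict(int)          # (user, date) -> bytes downloaded so far
    findings = {}
    for i, ev in enumerate(events):
        violations = []
        if ev.action == "download":
            key = (ev.user, ev.at.date())
            daily[key] += ev.size
            if ev.size > MAX_SINGLE_DOWNLOAD:
                violations.append("large_download")
            if daily[key] > MAX_DAILY_PER_USER:
                violations.append("daily_volume_exceeded")
            if is_off_hours(ev.at):
                violations.append("off_hours_download")
        elif ev.action == "change" and ev.target in BLOCKED_CHANGES:
            violations.append("blocked_change")
        if violations:
            findings[i] = violations
    return findings


# Constructed sample activity: 2009-10-07 is a Wednesday, 2009-10-10 a Saturday.
SAMPLE_EVENTS = [
    Event("alice", "download", 50 * MiB, "customer_ledger", datetime(2009, 10, 7, 10, 15)),
    Event("bob", "download", 700 * MiB, "customer_ledger", datetime(2009, 10, 7, 14, 0)),
    Event("carol", "download", 20 * MiB, "kyc_records", datetime(2009, 10, 10, 2, 30)),
    Event("dave", "change", 0, "grant_admin", datetime(2009, 10, 7, 11, 0)),
    Event("alice", "download", 200 * MiB, "kyc_records", datetime(2009, 10, 7, 11, 0)),
    Event("alice", "download", 200 * MiB, "kyc_records", datetime(2009, 10, 7, 12, 0)),
    Event("alice", "download", 200 * MiB, "kyc_records", datetime(2009, 10, 7, 13, 0)),
    Event("erin", "change", 0, "update_address", datetime(2009, 10, 7, 15, 0)),
]


if __name__ == "__main__":
    for idx, why in sorted(evaluate_stream(SAMPLE_EVENTS).items()):
        ev = SAMPLE_EVENTS[idx]
        print(f"{ev.at:%Y-%m-%d %H:%M} {ev.user:<6} {ev.action:<8} {ev.target:<16} -> {', '.join(why)}")
```

Run stand-alone, the script reports bob's single oversized transfer, carol's weekend download, dave's blocked change, and alice's fourth download of the day, which is the one that carries her daily total past the limit even though none of her individual transfers is large. Blocking versus merely alerting is a deployment decision; the engine only returns the findings.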
In these tight economic times, organizations must not take extra risks by reducing IT security budgets.
Showing posts with label cloud security.
Wednesday, 7 October 2009
Wednesday, 30 September 2009
Are Clouds Compliant?
Today I was part of a panel where we debated whether Clouds are compliant. The session was part of the BrightTalk online Cloud Computing Summit and was hosted by Peter Judge, UK Editor, eWeek Europe. I was joined by IBM's James Rendall, and Paul Roberts of The 451 Group and we participated in a lively session.
The questions we worked through were:
Q1. Do you trust the cloud?
Q2. Are clouds compliant?
Q3. Is compliance a barrier to adoption?
Q4. How should we make clouds compliant?
There was online polling of the audience, with clear majority responses as follows: Q1: No; Q2: No; Q3: Yes.
Question 4 was the most interesting for me. We actually debated two courses of action. First, "Change clouds to accommodate regulation". Alternatively, "Change regulations to accommodate clouds". A cheeky 25% of the audience voted for the latter! This is like raising the speed limit on the roads because it is impossible to stop motorists from speeding. Is this a good idea?
I cynically pointed out that the underlying context is not peculiar to cloud, and is commonly observed in other computing architectures. IT is a business enabler, and businesses want to make profits. Only once a profit-making system is in place do organizations get concerned about compliance and security issues. Alas, the elasticity and remote nature of cloud infrastructures make retrofitting security devices (e.g. firewalls) nearly impossible. The only way to achieve the retrofitting of security into the cloud is to make the security technology ‘cloud hostable’ and have it inserted seamlessly into the underlying fabric. Perhaps a DataWall for the cloud: watch this space.
Monday, 12 January 2009
Is data security an Inverse-Square law?
We are all taught at school that many physical processes follow an inverse-square law. For instance, the force of gravity between two masses becomes four times weaker if the distance between them doubles. Similarly, the electric force between two charges obeys such a law. I am beginning to wonder whether the effectiveness of data security also diminishes with the owner's distance from the data.
The report produced by PwC shows that the data protection habits of hundreds of financial services firms are deteriorating. Around half of the companies surveyed said that the data hygiene they required of their outsourcing providers was not at the level the companies require internally.
Although it seems that the effectiveness of data security diminishes when data is outsourced, the original data owners believe otherwise. It is amazing that, even without performing any due diligence, around 80% of firms were “somewhat” or “very” confident in the security practices of their outsourcer.
How many links are there between the personally identifiable data you collect about customers and where it is held? Consider the systems integrator (SI) who now owns and operates the data center. What about the data kept in the emerging “cloud”? Don’t forget to add an extra amount of “data distance” for where the backups are held.
What is the true effectiveness of the data security now?