Leverage unmanaged devices

Many enterprises are now working to enable secure access from employee-liable smartphones – especially iPhones. But in his session on trusted portable personalities, Gartner analyst John Girard noted that many business activities require a larger screen and better data entry to edit documents. To support such activities in a secure, but cost effective manner, IT must provide a trusted environment (safe, private, and auditable) that is portable (available when and where needed, from a wide range of hardware) and embodies each employee's personality (files, applications, settings).

Portable personality approaches to enable corporate data access from unmanaged desktops and laptops fall into two broad categories: device-based and portal-based. Device-based offerings include workstation-on-a-stick (e.g., vDesk, IronKey) and virtual machines (e.g., Citrix, VMware). Portal-based approaches include virtualized desktops (e.g., terminal services, Citrix), SSL VPN with quarantine (e.g., Juniper, F5), and cloud application services (e.g., Google, Nivio).

Each approach has distinct benefits, but can be stymied by limitations, such as trusted agents that lack permission to run or enforce policy, hosts that cannot boot from USB, and cloud services that cannot support offline use.

"No single solution satisfies every dimension," said Girard. "You may need more than one." He then described nearly a dozen case studies in which large, security-sensitive organizations, including the US Navy and FEMA, had successfully used one or more portable personality solutions to support a wide range of business activities.

Girard recommended that each company establish a decision framework with which to evaluate manageability, compatibility, and supportability for each portable use case. To maximize local defense, consider portable personality devices; to maximize versatility, consider portable personality portals. When deploying solutions, bear in mind that each will be used in a potentially hostile environment.

"The equipment they're using could be lost; the data they're working with could be placed at risk. You'll need to know what the user was carrying when they lost it, what they were doing when compromised, and that means audit capability," cautioned Girard.

Avoid audit fatigue

Each Gartner summit includes solution provider sessions during which vendors and their customers describe challenges and how they were addressed. During one, Tripwire CTO Gene Kim shared his research on audit performance and recommended nine practical steps to overcome the audit blame cycle.

Kim and colleague Jennifer Bayuk benchmarked audit performance for over 1500 organizations, examining prep practices and measuring associated costs. "We wanted to codify how [high-performing] organizations were different. One way they were different was in how they played the audit blame game," said Kim. Audit readiness is usually over-stated until immediately before the audit, at which time there is a mad scramble to right all the wrongs. With security accounting for 15 percent of total IT spend, compliance and audits are starving other projects.

This occurs when organizations focus on the wrong goal – passing the audit, rather than ensuring that business assets and processes were properly secured all along.

"When all of your time is spent getting ready for audits, businesses start implementing controls as part of one-time audit prep," explained Kim.

Kim found that organizations that performed well in audits shared several characteristics. In addition to spending one-third the time prepping for audits and having fewer repeat failure findings, they were five times more likely to detect a breach by automated controls, five times less likely to have breaches resulting in loss, and experienced half as many change implementation failures. In short, whatever these organizations were doing to pass audits more easily also had real business value.

"It turns out that three controls predicted 60 percent of performance," said Kim: the extent to which an organization defines, monitors, and enforces (1) a standard configuration strategy, (2) process discipline, and (3) controlled access to production systems.

Based on these findings, Kim outlined steps that attendees could take to emulate these top-performers, starting with aligning tone at the top and creating a merged set of infosec and compliance goals.

"Put goals into business context, identify controls to meet those goals, and define what business process owners must do to support them," said Kim.

Next, map goals onto indicators that demonstrate success and apply them to business processes. Using inputs, outputs, and systems identified during process analysis, establish control ownership roles and responsibilities and define tests that demonstrate whether compliance goals are being met. Conduct tests frequently enough to rely on results, independent of audit timing or scope. Track metrics and remediation reports, and maintain situational awareness to determine business change impact on defined goals.

"If you take these steps, you'll have a culture that doesn't tolerate [unplanned] change, that makes decisions based on data, and that tracks data so that fixes can be made quickly, before problems have business impact," said Kim. Oh – and you'll be more likely to pass your next audit with less waste, lost sleep, and finger pointing.

Seek innovative solutions

Nearly 100 companies exhibited in this event's "solutions showcase," including premier sponsors Google (Postini), RSA (Archer), Qualys, Symantec, Websense, and Verizon Business. Products on display ranged from DLP, endpoint protection, data encryption, patch management, Web security, and IT security controls to e-discovery, fraud detection, SEIM, GRC, audit management, risk assessment, and IT disaster recovery management.

Gartner showcases are not loud, glitzy extravaganzas. This is not an event where dozens of companies stage major product announcements. Instead, booths are modest, providing attendees quiet opportunities to chat with existing suppliers and learn about new solutions. Here is just a small sampling of what we found there.

  • IronKey CMO Dave Tripier demonstrated Trusted Access for Banking, which builds on IronKey's ruggedized, encrypted USB storage. According to Tripier, 20-30 percent of users have experienced online fraud; Zeus is a major threat. To mitigate this risk, some banks are giving select business customers an IronKey Trusted Access for Banking stick. During the demo, the stick's virtual keyboard defeated an implanted keylogger, while its trusted DNS resolver bypassed /etc/hosts redirection to a phishing site.

  • "Our virtualized secure environment provides a secure browser session that launches to a bank-defined portal page," explained Tripier. "The secure session prevents snooping at transactions, which are proxied through IronKey's cloud."

  • We sat down with CEO Ron Brittain to learn about AuthenWare, a second-factor biometric authentication solution that requires no hardware. As users log into Web apps in their normal manner, server-side AuthenWare measures the cadence and rhythm of keystrokes, combined with environmental characteristics. The result is a Singularity Pattern that can be used for transparent secondary authentication. Brittain said that AuthenWare 2.0 was certified by the International Biometric Group (IBG) as having low false acceptance and rejection rates, depending on a configurable sensitivity. Version 2.0 also adds support for iPhones and BlackBerries, and an anti-replay JavaScript to mitigate browser-based capture/replay attacks.

  • CORE Security, known for its IMPACT Pro penetration test tools, chose the summit to announce INSIGHT Enterprise, an appliance that continuously verifies a network's security posture and defenses.

    "INSIGHT does not replace human intuition; there is still a need for pentest tools and experienced testers," explained senior director Michael Yaffe. "INSIGHT automates common tests, focusing on the data exposed (rather than exploits and vulnerabilities that cause exposure). It is designed to better inform the business."

    Application owners can use INSIGHT to run their own first-line and regression tests on systems for which they have credentials and access. Security staff can use INSIGHT to trend test results and evaluate the effectiveness of controls.

  • We chatted with Proofpoint CMO Peter Galvin about e-mail archival in the cloud. Proofpoint has a long history of delivering anti-spam and anti-malware, initially using software, then an appliance, and now SaaS. Over time, Proofpoint added e-mail encryption, data loss prevention, and archival, administered through a common policy engine.

    "Compliance and retention drove our recent move into archival," explained Galvin. "We leveraged cloud delivery to provide capabilities similar to what large enterprises can achieve, but at a low cost per user. Using grid computing and commodity storage, we can journal a copy of every message for archival, retrieving those messages in under 20 second search time."

    A cloud service like this can implement a 7-10-year retention policy far more economically than a forensic e-mail search ever could, said Galvin.

  • Many companies focus on e-mail and messaging security, but Indorse CEO Rob Marano says this leaves a hidden crisis – electronic files.

    "Like a foundation that's solid, but has a few cracks, what we do is to complement SharePoint, WebDAV, DRM, and other network file sharing systems by applying file format and processing expertise to catch whatever slips through," said Marano.

    Indorse manipulates files to track their movement, even beyond a secure IT environment. For example, video game manufacturers use Indorse to track pre-release screenshots shared with authorized reviewers.

    "The file leaves the administrative domain, but the domain doesn't leave the file," said Marano. "We protect files in a way that doesn't require licensing software to all of the parties that need access."

  • Senior Security VP Tom Gillis spoke to us about Cisco's Secure Borderless Networking initiative. At the summit, Cisco announced new Cisco ASA and Cisco Security Manager releases. Gillis said there will always be a place for "heavy" endpoint security, but that smartphones need lighter-weight solutions that dovetail with network defenses.

    "We put a small software NIC on each device – iPhone/iPad, Palm Pre, Windows Mobile, Nokia/Symbian – to make policy-based routing decisions," explained Gillis.

    E-mail might be sent to a ScanSafe cloud, Web traffic might be redirected to the nearest proxy, SIP traffic could be routed to a VoIP call manager, and all other traffic tunneled to an ASA. However, when the smartphone is inside the firewall, different rules could be applied – transparently to the end-user.

    "We want to provide secure, seamless access for wired, wireless, and mobile Internet," said Gillis. "A BlackBerry-like experience, but for all traffic types and devices."
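The hosts-file redirection that IronKey's trusted DNS resolver sidestepped in the banking demo above is also straightforward to detect on an endpoint. The following is an added example, not IronKey's or the author's code; the watched-domain list and the sample hosts-file content are constructed for illustration, and it flags any local override of a watched domain, since a bank domain should never be resolved from a hosts file at all.

```python
"""Flag hosts-file entries that override sensitive domains (constructed example)."""
import ipaddress

# Domains whose resolution must never be overridden locally (constructed list).
WATCHED_DOMAINS = {"onlinebanking.example.com", "login.example.com"}

# Constructed sample hosts-file content: benign loopback entries, one comment,
# and one injected entry redirecting a bank domain to an attacker-chosen address.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1   localhost
::1         localhost ip6-localhost
203.0.113.45   onlinebanking.example.com www.onlinebanking.example.com  # injected
127.0.0.1   dev.example.com
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line: skip it rather than abort the scan
        for host in parts[1:]:
            yield ip, host.lower()


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return {hostname: ip} for every watched domain (or subdomain of one)
    that the hosts file maps to any address. Even a loopback mapping is
    reported, because a bank domain has no legitimate local override."""
    hits = {}
    for ip, host in parse_hosts(text):
        if any(host == d or host.endswith("." + d) for d in watched):
            hits[host] = str(ip)
    return hits


if __name__ == "__main__":
    for host, ip in find_hijacks(SAMPLE_HOSTS).items():
        print(f"hosts-file override: {host} -> {ip}")
```

On a real endpoint, read /etc/hosts (or %SystemRoot%\System32\drivers\etc\hosts on Windows) into `text` and alert on any non-empty result.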

So many sessions, so many sponsors, so little time. As with cyber-threats themselves, we could not come close to exhaustively covering everything of interest at Gartner's Security and Risk Management Summit 2010.

In the end, we left with a sense that security staff simply cannot learn about, much less defend against, every possible risk. Given finite resources, security planning has become a matter of triage: identify the areas that require the most immediate attention and pose the greatest potential harm, and focus your resources there without losing sight of the bigger picture.

Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 28-year industry veteran, Lisa enjoys helping companies large and small to assess, mitigate, and prevent Internet security threats through sound policies, effective technologies, best practices, and user education.