Improving Security Through A Self-Assessment Scheme

The Jericho Forum has just released its Self-Assessment Scheme (SAS), which will help both vendors and customers check the effectiveness of an IT security product – and that it will be properly installed and deployed.
The way this is done is relatively simple – eleven thought-provoking questions, based on the downloadable template, which help match requirements to the product (or service) offered. The template describes best practice as well as what is acceptable.
The Jericho Forum, part of The Open Group, is made up of experts from all areas – customers, vendors and independent consultants – all working together. It has led the way in creating a practical approach to securing the new ways in which business is done, with the de-perimeterization of business models being the focal point back in 2004. Cloud computing has been the focus of the group for the past 18+ months, and the SAS template is the latest deliverable. Take a look – it doesn’t take long to read, and it will give you some thoughts on what you should be asking in this new cloudy world.
Guy Bunker

Securing The Cloud

The ‘Cloud’ seems to be the buzzword for 2009, with everybody looking to offer services in the cloud to enable you to do more for less. But… there are a couple of things that really need to be sorted out before we all rush off and put everything we own out there in the cloud.
The first is availability: does your cloud service offer appropriate availability – if it stops, will your business also stop? We know that Service Level Agreements are there to make lawyers rich; if email is down or your web store is down then you won’t have access to your customers and neither will they have access to you – but this has always been the case. So… before rushing to put business-critical processes in the cloud, check on availability, and while you are there see how easy it would be to move from one cloud service provider to another… just in case…
The second, and more important, is security. Business in the cloud will be different: your sensitive and/or confidential data will potentially be handled by more people, and that introduces more risk. If not secured, your data could go missing and cause a data leak incident, or perhaps it could be sold to your competitors by the service administrator. Business in the cloud can be quick, perhaps ‘renting’ a service for only a few hours to process some data, or maybe using a service for many years; the point is that the cloud provides greater flexibility – but it needs your data to run. But what about the data – will it be properly secured, will it be looked after in the same way that you would look after it? The answer is… probably not, and that’s where The Jericho Forum comes in.
This week Jericho has announced the latest version of its Collaborative Open Architecture materials – which have been expanded to include many more detailed white papers – and it also announced its next phase: securing the cloud. I have worked with the Jericho Forum for a few years now and it is a unique forum in that it has customers, IT vendors and systems integrators all meeting together regularly – hashing out the security problems that arise in the new ways of working and then collaborating on solutions. From my perspective it’s amazing to see how far some of the customers want to push the bounds of new work processes, with cloud computing top of the list. That’s what makes it exciting. I’m quite sure that the majority of companies today would look at some of this and say “wow, that’s way too complex for me” or “no, it seems like something specific to such-and-such industry” or “we’re way too small to consider that”… but the truth is that we will all move towards it in 3-5 years; this is the bleeding edge of business today, which means it will be the de facto standard way of doing things tomorrow. Just look at how Internet shopping has evolved or the way most companies handle CRM today.
Security in the cloud and in collaboration architectures has yet to be solved in a rigorous manner, and without it the new business processes will never succeed – so even if you don’t think this is of interest yet, but you think ‘the cloud’ is for you, take a look: it will provide you with some thought-provoking questions you can ask your cloud or any other service providers.
15 Million And Counting…

So, the Downadup / Conficker worm has now infected 15 million systems – that’s pretty impressive considering that there was a fix last October to prevent it. What it does show is just how infrequently a significant number of users actually update their systems – even though they probably have a link to the Internet.
While the vast majority of the infections are in Asia, it now seems that there are outbreaks occurring closer to home – and within local government and business. This is more worrying – is the trend for patching vulnerabilities getting worse? Or are we seeing something different going on here? There is an increasing trend towards something called ‘consumerization of IT’. In essence, this is where you are allowed to use your own IT equipment for work – in some cases you get an allowance to purchase a system. The reason behind it is money – on a number of different levels – and efficiency. However, what happens if there is a problem with the device, or it gets infected with a virus or worm? Who is responsible for sorting it out – the company (after all, if you have a worm like Downadup spread through your organization it is very expensive to resolve) or the individual, who might not be so worried or even know about the problems they are creating? Either way, these sorts of issues need to be resolved – as the problem is only going to get worse.
How’s it going to get worse? Well, connectivity is increasing, especially with the advent of Software as a Service and cloud computing, so more systems which are out of the IT department’s control will be attaching to the corporate network; furthermore, consultants and other 3rd parties will also add to this increased risk. The good news is… firstly, a lot of this can be prevented by regularly patching vulnerabilities in applications and the OS – so check your policy today. Secondly, by using an anti-malware application for anti-virus, phishing, worms, rootkits etc. you can be protected, but, again, only if it is kept up-to-date. Finally, there is a set of guidelines created by The Jericho Forum which will help in this new de-perimeterised world… watch out for more on this next week!