Banging the drum for security
IBM recently opened its Institute for Advanced Security, based in Brussels, with the avowed aim of helping companies and academics better understand cyber-threats and how to deal with them. IBM believes there is a need for a new conduit to help information flow between the public and private sectors. It also wants to provide easier access to its own research, services, products and experts.
At the recent Infosec show in London, I got a chance to catch up with the Institute’s director, Martin Borrett. Having spent the previous day at Security BSides, I was feeling a tad jaded about the progress we’re making in computer security (something I wrote about here), and wondered if he feels the same.
“We certainly spend a lot of time telling people it’s about people, process and technology,” he says, “that you may have the best cryptographic algorithms in the world, but if your people aren’t educated about security and take some responsibility, it won’t be enough. And I probably talk about this every year … But it just seems like it’s an endless conversation, that we keep having again and again.”
He sees parallels with health education, and thinks that IT security professionals might learn something from the way that governments have tackled major health issues with literature, alerts and healthchecks. “There’s a lot of discussion in Europe about how we educate citizens,” he says, “about how we make them aware: should we have a kind of health programme for security?”
Borrett says he is constantly banging the drum for more education. “I think everyone needs to be a stakeholder in this at some level,” he says. “I don’t think we can burden every citizen with every problem, but everyone has to take some responsibility. In real life we know how to take risks, like crossing the road, whether to do business with someone, whether to get on the plane, all these normal things. We need to get to that situation in the cyber world, where it’s just another normal part of life and people make the appropriate decisions.”
It’s possibly a generational thing, too, he says. While we make progress in some areas, new generations of employees are accustomed to new generations of technology and have different attitudes to go with them. And so the strides that have been made in educating people about security are lost in the change.
Consumerisation
This, of course, brings us to consumerisation, the buzzword of this year’s Infosec.
“The work/life balance is shifting, the boundaries are shifting, it’s less clear when you’re at work and at home, when you’re dealing with corporate data and personal data,” says Borrett. “I think that makes it very difficult for people to understand what sensible security practices are for themselves, both for their personal data and the companies they’re working for.”
He sees organisations falling into three camps. Perhaps 20% have simply acquiesced to consumer devices in the workplace because they accept that they can’t stop employees using them.
“Probably the majority, say 60%, see it as absolutely inevitable but they’re trying to hold back the floodgates,” he says. “They recognise the need and are trying to put measures in place, trying to slow it up while they put in appropriate controls, trying to understand what the risks are, and so on. And there’s probably 20%, maybe less, saying ‘no, you can’t do that — it’s not acceptable’.”
But how tenable a position is that last one, long term? Not very, thinks Borrett, because the demand for these devices is coming from the top — C-level execs. “They’re not necessarily security literate, so they don’t see the risk, they just want to make their life better, more efficient,” he says. “So the people at the very top of these organisations, who are very hard to say no to, because they run the business, are asking for it.”
So how do you deal with this issue? Borrett points to IBM’s own approach which is to draw up a matrix. Along one axis are all the various devices, from servers and desktops through to iPhones and BlackBerrys (listed separately, rather than being bundled under ‘smartphones’ — a reasonable level of granularity is needed here). Along the other axis are the various functions you might perform with these devices. If there’s a tick in the box where device and function coincide, you can use the device for that task. Some devices — such as servers and BlackBerrys — get ticks all the way across. Some, like iPhones, are more restricted in what you’re allowed to do with them — until the firm can find a solution to deal with the perceived risks (for example, it’s using Juniper software on some phones to detect malware and make them safe for emailing).
Defence in depth
Borrett agrees that this issue is giving a boost to the old concept of defence in depth, and to encryption. “Over the past two years, I’ve seen a rise in encryption,” he says. “You could say it’s a foundational control. As it’s become more available, easier to do, with fewer performance issues, more and more people are encrypting data.”
As for defence in depth: “That’s an interesting one. It’s something we believe in. I certainly believe that you need a series of controls at different layers, not relying on any one protection mechanism. There are people who think that the network is so perforated that there’s no point in defence in depth, that the defence needs to be really close to the asset, that you have to put things around the data because everyone’s inside the network anyway. I’m a very pragmatic sort of person — I think you need a range of measures, and you have to educate the people and have the right policies and processes that are not too arduous, not too overbearing, but just right and fit for purpose.”
Risk analysis
One of the key hurdles is how poorly we understand risk when it comes to IT or information. While many firms now employ risk managers, who perfectly understand the risk of the building burning down (and how to quantify that), when they get to IT, everything goes a little fuzzy.
“I agree,” says Borrett. “I think it’s because it’s very hard to measure. This is one of the things we struggle with. It leads to questions around how much should we spend on security, how much is enough, how effective is my security, what’s the business impact if I don’t do this?”
A major challenge is developing the tools and techniques to measure and quantify the risk. Borrett believes that regulation has probably made it somewhat easier because it provides a kind of bar against which firms must measure themselves. But for too many companies, it’s still just a box-ticking exercise.
“I still come back to the idea that the most effective organisations are those that do security from the ground up, security by design, who understand the risk and put in the appropriate controls,” he says. “They’re best placed, but generally I think people are struggling with this issue. And there’s a strong desire in companies to have a real-time view of it. You meet CISOs and other senior executives across industry wanting this better view — ideally real-time — of what their risks are, and that’s quite difficult.”
With other business risks, and in the compliance domain, there are plenty of tools that allow firms to say, ‘fine, we’ve done our risk work, we understand it and it gets signed off’. “But on the IT side,” says Borrett, “I don’t think we’re there.”
Cloudy issues
Like everyone else, Borrett sees continuing, and unresolved, issues around cloud security. The general feeling I got at Infosec was, ‘oh yeah, cloud, that’s a problem’ before moving the conversation on to this year’s hot topic, consumerisation.
Of course, IBM sells cloud services, and Borrett says they’ve seen a big uptake recently, so you might expect Borrett to be a little more upbeat. Indeed, he seems to feel that cloud security issues can be addressed, but he stops well short of the ‘it’s just like an outsourced datacentre’ attitude.
“Compliance is still a big issue,” he says, “it’s not going to go away. Companies are still struggling to do it in an automated and efficient way rather than a firedrill method. That’s still a problem, largely because of the volume and diversity of systems they have to deal with, with large volumes of data.”
Classifying that data is also a struggle for many firms — at least those that are bothering to try. When I ask Borrett how many people are doing data classification, and doing it properly, he laughs and is reluctant to answer at first, but finally says: “I’d be speculating … but there’s a lot of work to be done. It’s a big gaping hole. I’m surprised there isn’t a lot more focus on it given what a big problem it potentially is. Maybe organisations don’t see the risk, and maybe the regulations don’t cover it specifically.”
He adds: “It is coming up the radar. There are certain organisations in Europe, particularly worried about Wikileaks syndrome, very concerned about pieces of information ending up on Wikileaks, and they’ve got vast amounts of information not necessarily very well classified or controlled, and they’re struggling with it. Certain industries that generate big volumes of data are particularly susceptible to this.”
Auditing challenge
There are other considerations with cloud, too. Borrett points to the problem over where data is located — not just because of the well-debated issue of regulatory compliance, but also because of the difficulty of ensuring that data is in the right state. Where service suppliers are employing multiple datacentres, for availability, efficiency and resilience, your data may be moved constantly between them, or between servers within them. With a traditional, outsourced datacentre, you pretty much know where your data is and if, for example, you delete some information, you can be sure that it’s gone and isn’t still on a machine somewhere.
“With cloud, there’s more distribution of resources, more virtualisation,” says Borrett, and he sees virtualisation technology as being under increasing attack.
Then there’s the thorny issue of auditing cloud suppliers. I ask him if IBM will allow customers’ auditors into its cloud service datacentres. The answer, of course, is no. Like many other cloud suppliers, IBM trades on its reputation, backed up by SLAs — and the fact that its cloud services have evolved out of many years of experience with datacentre outsourcing.
“Taking your question in a different direction,” he says, “while we don’t let external auditors into our environment, I don’t think they’d have a big problem there. But I think with other cloud providers, they could find it quite difficult to audit the cloud environment. I’ve spoken to some auditors and they are not comfortable with cloud.”
IBM’s environment is configured much like a traditional datacentre, he says. “But in some of these cloud environments, it’s not like that at all. You can’t be sure where the application’s running. In fact, the application’s being scaled down on this rack of servers and scaled up over there because the workload’s picking up — it’s being reprovisioned. I don’t think auditors have got their heads around that.”