
Cross-Site Scripting – Why Is It A Serious Security Threat For Big Data Applications?

Security Threat And Big Data Applications

IBM, Amazon, Google, Yahoo, Microsoft – and the list goes on. All these leading IT enterprises have been affected by Cross-Site Scripting (XSS) attacks in the past. Cross-Site Scripting ranks third in the list of top-10 web application vulnerabilities listed by the Open Web Application Security Project (OWASP) – a worldwide non-profit community focused on improving the security of web applications.

What is Cross-Site Scripting?

The history of the ‘Cross-Site Scripting’ vulnerability dates back to the mid-1990s. Microsoft first introduced the term to refer to a security flaw, specific to the ASP.NET environment, that made dynamically generated HTML pages vulnerable to malicious scripting attacks.

Cross-Site Scripting (XSS) can be defined as the insertion of malicious code into a web environment to compromise the security of the system. It is a client-side attack in which an attacker injects specially crafted scripts through a web browser. Because the code appears to originate from a trusted source, the browser executes the script, and the attacker gains access to the system. A range of scripting languages and formats, including JavaScript, VBScript, Flash and HTML/CSS, can be used to launch XSS attacks against vulnerable web-based systems and applications.

How Does Cross-Site Scripting Relate to Big Data Projects?

Cross-Site Scripting is a web-based vulnerability that can affect all Big Data Projects that use web-based systems, tools or applications. As most of the data analytics and business intelligence applications are interactive web-based solutions (that accept and execute user inputs), there is always the possibility of cross-site scripting attacks if the inputs are executed without validation.


(Image Source: Shutterstock)

Web-based applications continue to fall prey to Cross-Site Scripting attacks because they are mostly interactive: they need to accept inputs from users and return output based on the inputs received. This gives an attacker the opportunity to manipulate the inputs and insert malicious scripts or commands through normal input channels.

Cross-Site Scripting – Behind the Scenes:

Cross-Site Scripting attacks mainly exploit authentication bugs in the application layer to insert scripts that execute on the client side. Typically the attack vector relies on brute force to hijack legitimate user sessions. Such attacks bypass access control policies and let the attacker assume the identity of a valid user. Cross-site scripting can also help the attacker escalate to administrative control of the application server, compromising the security of the entire environment.

The risk of XSS is not limited to Big Data applications alone. All types of web-based solutions are vulnerable to cross-site scripting attacks. By injecting malicious executable scripts into the application layer, an attacker can gain control of the underlying databases, user credentials and other sensitive information that is maintained by the application. Information gathered from the initial attack can subsequently be used to conduct more sophisticated attempts to compromise the security of the entire project.

How to Prevent Cross-Site Scripting Attacks?

Contextual Input Encoding (Escaping) Techniques:

Escaping techniques, if implemented correctly, can significantly reduce the likelihood of XSS attacks. Escaping is a form of contextual input encoding in which the web browser is instructed to treat specific strings of code as plain text characters.

If an attacker manages to submit an executable script as input to the application, the browser validates the input before executing it. If the input matches the specific strings that are supposed to be interpreted as plain text, the browser terminates the session without executing the script.

HTML, CSS and JavaScript each have their own escaping libraries. Instead of writing your own escaping code, use a reputable escaping library.
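To make the contextual-escaping point concrete, here is an added example (not code from the original article) showing an unescaped page fragment beside its escaped form, with separate encoders for the HTML body context and for a JavaScript string literal. The encoders mirror what a reputable escaping library provides; the sample input is constructed for the example.

```javascript
// Added example, not code from the original article: contextual escaping of
// untrusted input before it is placed into an HTML page. The two encoders
// mirror what a reputable escaping library provides; use such a library in
// production rather than copying these.

// HTML body and attribute context: replace every character HTML can treat as
// markup with its entity, so the browser renders it as plain text.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// JavaScript string-literal context: hex-escape everything except letters and
// digits, so the value can never close the quoted string or the <script> tag.
function escapeJsString(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Vulnerable: raw string concatenation, the way many report and dashboard
// pages build their HTML from a filter or search parameter.
function renderUnsafe(displayName) {
  return '<p>Welcome, ' + displayName + '</p>';
}

// Hardened: the same page with the value escaped for the HTML body context.
function renderSafe(displayName) {
  return '<p>Welcome, ' + escapeHtml(displayName) + '</p>';
}

// Hardened: embedding the value inside an inline script string literal, which
// needs the JavaScript encoder, not the HTML one (wrong context = still XSS).
function renderInlineScript(displayName) {
  return "<script>var user = '" + escapeJsString(displayName) + "';</script>";
}

// Constructed sample of the kind a search box might receive (a well-known XSS
// test string, used here only to show what each encoder does with it).
const SAMPLE = '<script>alert("xss")</script>';
console.log(renderUnsafe(SAMPLE));       // the browser would execute this
console.log(renderSafe(SAMPLE));         // rendered as literal text instead
console.log(renderInlineScript(SAMPLE)); // only the page's own <script> remains
```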

Vulnerability Scanner:

Quite a few reputable anti-virus software manufacturers have come up with vulnerability scanner suites that can detect possible XSS attack areas. You should seriously consider getting one for your project. The scanner crawls the entire set-up, consolidates all the findings and lists the weak areas that are susceptible to cross-site scripting attacks.

Penetration Testing:

Another effective measure for identifying XSS vulnerabilities is penetration testing. Identify the possible entry points through which an attacker could reach the application and try to exploit those areas yourself. If you succeed in breaking into the system, investigate the issue further to find the root cause. Once the root cause is identified, you can engage your developers to come up with a preventive measure.

Browser Security Features:

All major web browsers have a built-in security feature, response headers, that can be used to combat XSS attacks. You can use the Content-Security-Policy header to specify how the browser should deal with script tags: enable execution of scripts from specific domains while blocking it for all other domains. This technique is also known as whitelisting.
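As an added example (not code from the original article), the following builds a Content-Security-Policy header that whitelists script sources and includes a small checker showing which script URLs the policy permits. The hosts and URLs are constructed; the matcher handles 'self', scheme+host sources and "*." host wildcards only, and ignores ports and paths, so it is a teaching aid rather than a full CSP engine.

```javascript
// Added example, not code from the original article: building a
// Content-Security-Policy header that allows scripts only from an allow-list
// of origins, plus a simplified checker for which script URLs it permits.
// Hosts and URLs are constructed; ports and paths are ignored.

// Build the header value. 'self' covers scripts served from the page's own
// origin; each extra entry is an origin the business has decided to trust.
// object-src 'none' closes the plugin route that script-src does not cover.
function buildCsp(allowedScriptOrigins) {
  const sources = ["'self'", ...allowedScriptOrigins];
  return "default-src 'self'; script-src " + sources.join(' ') + "; object-src 'none'";
}

// Pull the script-src source list back out of a header value.
function scriptSources(cspHeader) {
  const directive = cspHeader
    .split(';')
    .map((d) => d.trim())
    .find((d) => d.startsWith('script-src '));
  return directive ? directive.slice('script-src '.length).split(/\s+/) : [];
}

// Does one source expression permit the script at scriptUrl on a page served
// from pageOrigin? A source without a scheme inherits the page's scheme.
function sourceAllows(source, scriptUrl, pageOrigin) {
  const script = new URL(scriptUrl);
  if (source === "'self'") return script.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', ... never allow a remote URL
  const pageScheme = new URL(pageOrigin).protocol.slice(0, -1);
  const [scheme, host] = source.includes('://') ? source.split('://') : [pageScheme, source];
  if (scheme + ':' !== script.protocol) return false; // no http:// downgrade of an https source
  if (host.startsWith('*.')) {
    const suffix = host.slice(1); // e.g. ".analytics.example"
    return script.hostname.endsWith(suffix) && script.hostname.length > suffix.length;
  }
  return host === script.hostname;
}

function scriptAllowed(cspHeader, scriptUrl, pageOrigin) {
  return scriptSources(cspHeader).some((s) => sourceAllows(s, scriptUrl, pageOrigin));
}

// Injected inline <script> blocks are what XSS usually produces; the whitelist
// keeps blocking them only while 'unsafe-inline' is absent from script-src.
function inlineScriptsAllowed(cspHeader) {
  return scriptSources(cspHeader).includes("'unsafe-inline'");
}

// Constructed policy and checks.
const PAGE_ORIGIN = 'https://app.example.com';
const CSP = buildCsp(['https://cdn.example.com', '*.analytics.example']);
console.log('Content-Security-Policy: ' + CSP);
for (const url of [
  'https://app.example.com/app.js',     // own origin: allowed
  'https://cdn.example.com/lib.js',     // whitelisted CDN: allowed
  'https://eu.analytics.example/a.js',  // wildcard subdomain: allowed
  'http://cdn.example.com/lib.js',      // scheme downgrade: blocked
  'https://untrusted.example.net/x.js', // not on the list: blocked
]) {
  console.log(url, scriptAllowed(CSP, url, PAGE_ORIGIN) ? 'allowed' : 'blocked');
}
console.log('inline scripts allowed:', inlineScriptsAllowed(CSP));
```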

By Jack Danielson,

Jack is a tech enthusiast, geek and writer. He is particularly interested in the proliferation of Big Data tips and tricks around the web. He holds the position of consultant writer at Satellite Broadband ISP, a resource site to help people living in rural areas find high speed satellite Internet service providers in their area such as Wilblue Exede and HughesNet Gen4.

Adopting A Cohesive GRC Mindset For Cloud Security

Cloud Security Mindset

Businesses are becoming wise to the compelling benefits of cloud computing. When adopting cloud, they need a high level of confidence in how it will be risk-managed and controlled, to preserve the security of their information and the integrity of their operations. Cloud implementation is sometimes built up over time in a business, while the technology and cybersecurity around it constantly evolve. This can leave businesses with a fragmented approach to cloud control and security, which needs to be avoided through the implementation of a cohesive governance, risk and compliance (GRC) framework.

Cloud services are big business. In 2019, IDC predicts that worldwide spending on public cloud services will be $141 billion while last year, Amazon Web Services achieved net sales of $7.88 billion. Businesses get on board with cloud to perform better, to meet targets and objectives by being leaner, faster and more cost-effective.

Cloud helps businesses minimize the capital investment and maintenance costs of hardware and infrastructure. It supports rapid scaling up and down as needs dictate and brings elasticity to business operations, facilitating the addition and removal of user access more quickly and easily. Project deployment with cloud can be a more agile and faster affair. Efficient business operations are supported through improved access and information retrieval, while disaster recovery measures include robust backup and controls.

Being clear on risk

In the early days of cloud there were security concerns. It seemed to follow that assets residing ‘somewhere else’ were more at risk. Ownership and control of infrastructure gives a perception of security. However, the walls of a data center can be vulnerable to professional hackers, therefore it doesn’t automatically follow that infrastructure ownership provides greater security.


(Image Source: Shutterstock)

Cloud is a service based delivery model typically involving an infrastructure provider, a platform provider and a software provider. While service procurement of an IT solution delivers some benefits it also comes with some of its own risks. These include shared technology issues, the risk of insufficient due diligence and service reliability. And of course, it cannot be immune to the threat of data breaches and other potential security issues or data loss.

Clarity on the division of labor between company and service provider is an essential first checkpoint of a robust cloud service model – what are you responsible for, and what is the service provider responsible for? This covers situations such as incident handling and virus infection on storage. Who manages such situations, should they arise, depends on the chosen service model. And this needs to be completely clear and transparent – there is nothing more valuable to a business than its data; its protection can’t be only half understood, so governance around all aspects is essential.

Secure cloud service provision

The right cloud architecture is a second critical consideration. Virtualization was the first phase of cloud adoption; now, isolation of data is also an imperative. While we saw multi-tenant solutions adopted first, the call is now for multi-instance to guarantee separation of company data. This is important because some regulation requires proof of data segregation, and it also provides greater flexibility with faster implementation of changes.

A cloud solution should also provide federated identity management so that the business has control over the access its users and devices have. As users move around in the organization, the system needs to keep enforcing segregation of duties.

For continuous security assurance, quarterly or monthly testing is not enough. Real-time dashboards are needed and should be a part of the service model.

Cloud service providers are now adopting industry standard GRC solutions that include segregation of duties, change management, continuous monitoring and reporting and analytics. For best practice secure cloud implementation, businesses should start with a robust GRC framework, assess cloud service providers meeting industry standards against that framework, and then ensure governance and control through service level agreements and continuous monitoring.

The GRC framework


For a single source of truth on regulatory compliance, security and control, the company’s GRC framework should apply across the complete cloud infrastructure and cover:

  • Continuous system controls monitoring – as business data and applications are mission critical
  • Penetration testing and audit management – conducted to a defined schedule
  • Incident response management – this is the norm with internally controlled assets and there should be no difference with cloud implementation. The process needs to detail response activities that kick-in immediately in the event of a security problem
  • Compliance controls testing – the specifics of this will depend upon the industry as particular requirements will apply in the likes of healthcare and finance
  • Disaster recovery and business continuity – this is about more than demonstrating disaster recovery on paper, the theory needs to be tested through disaster recovery operations
  • Onsite and offsite backup audits – on a regular basis.

In addition, a comprehensive GRC framework will also cover data encryption audits, forensic log management and reporting, elasticity and load tolerance testing, advanced cyberattack prevention measures and advanced cloud security analytics.

Resilience and control

Effective governance and control is integral to business success and growth. A risk-managed company is more resilient to market and situational change. The culture and practice of risk management and control has to come from the top down, permeating the organization’s entire operations. As well as defining and enforcing the policies for complete cloud implementation across all instances and cloud providers, the GRC framework should also serve as the template against which future providers can be evaluated.

With a GRC framework on cloud, businesses can expect enhanced information security, compliance and risk management, the highest levels of reliability and operational control and continuous transparency and confidence. Business continuity will be robust with disaster recovery measures in place. Also, regulatory mandates will be complied with.

GRC on the cloud is a way of ensuring security risks are completely understood, and that management through manual processes and firefighting in the event of an incident are avoided. It is also a way of smoothly managing change when business decisions require it.

The right GRC approach will support informed decision-making and ongoing management, putting your business in a better position to reduce risk and to realize the benefits of cloud in enhancing business performance.

By Vidya Phalke, Chief Technology Officer at MetricStream

Cloud Access Management: Access Everywhere

Cloud Access Management

As the use of cloud applications has become standard in nearly every industry, there need to be solutions available to help manage these applications. One way for admins to effectively manage their organization’s applications is to use an automated account management solution for both in-house and cloud applications. This makes provisioning, changing and de-provisioning user accounts easy, while also ensuring security through correct access rights.

While this ensures ease of use for account admins, what about the end users? They also need a way to easily manage, and access, their cloud applications. Think about a user who has numerous applications they use on a daily basis. They need to open a new page for each application and then sign in. In today’s work environment, in virtually every industry, employees frequently access work applications outside of the company network. This may not be much of an inconvenience in the office, but for those who are working on the go it can be extremely annoying. Solutions are available to allow users to easily manage and access their applications from any location.

(Image Source: Shutterstock)

How does it work?

A web-based single sign-on (SSO) solution is one method end users can use to easily handle cloud applications. Users access a portal where all the applications available to them are listed. They provide a single set of credentials for authentication and can then open any of their applications by simply clicking on its icon. This allows them to access their applications from one place, wherever they are working, whether inside or outside the company’s network.

This is extremely convenient for users who are using mobile devices. Think of an employee who is quickly trying to gain access on their smartphone or tablet. To open each application in a new tab and enter credentials is an extremely time consuming process. Many vendors offer the ability for users to download an app on their device and the app will prompt the user to enter a single set of credentials to get to the portal where they can access their applications. For users who are on the go and use tablets or smartphones this can be a tremendous help. They can access what they need, from anywhere, at any time, without having to be inconvenienced.

A cloud SSO solution is helpful in many different types of organizations. For example, in education, students complete a large majority of their work outside of the school’s network and often use many mobile devices. In the healthcare industry, clinicians will be going room to room visiting patients. Sometimes caregivers are logging into terminals, other times they may use a tablet and need to quickly access the applications and systems they need. For a sales associate for a large organization, they may be meeting customers at their office or other locations and need to access customer information. Many industries nowadays have employees who are not working from one single computer and need quick convenient access.

How Can This Actually Enhance Security?


A major concern of every organization when implementing any type of solution is security. While they want their employees to be more productive and able to more easily perform tasks and access the resources they need, they don’t want this to interfere with the security of their network.

The first big concern people always have with SSO solutions is that it leaves the network unsecured, as users only use one set of credentials. Think, though, about the user who has several sets of complex credentials for the multitude of applications they need. Chances are that they write them down or save them in their phones to remember these passwords. It is actually more secure to have a single set of credentials that the user does not need to write down because they can easily remember them.

Customization

If security is a top priority, this type of solution can be customized to ensure additional levels of security measures. In some industries certain employees handle highly sensitive information so security is the utmost concern. For example, for an employee working in the financial department handling company or customer finances, it is very important to add additional security methods while it may not be as important to ensure security for applications that an intern uses. Depending on the level of security needed there can be different methods of authentication required.


For the user working in the financial department, the solution can be set up to require that they enter their credentials and then provide a second form of identification. This can be a one-time PIN, an access card or a biometric method such as a fingerprint or face scan.

Cloud SSO solutions can also be customized to meet the needs of the many different groups and positions which many organizations have. For example, it is obvious that certain departments within the organization use different applications than others. The organization can easily add and delete applications for each group. They can also break down groups differently depending on their organizational needs. Different levels of employees within a department will probably need different access to systems and applications. The company can easily develop groups so that each employee only has the applications in their portal that they need.

Cloud single sign-on solutions allow employees to easily see which applications they have, and access them with a single click and one set of credentials. This improves efficiency and productivity while also keeping the organization happy by ensuring security.

By Dean Wiech

Cloud Services Providers – Learning To Keep The Lights On

The True Meaning of Availability

What is real availability? In our line of work, cloud service providers approach availability from the inside out, and in many cases some never make it past their own front door, given how challenging it is to keep the lights on at home, let alone manage the factors that are out of your control. But in order to provide quality services with a focus on the customer, providers need to ensure availability from all perspectives; this is what we like to call real availability. Real availability captures the real user experience from end to end. This includes everything within our control (our infrastructure and network) and things out of our control (the customer or third-party providers).

It’s not enough to only consider the factors within our own infrastructure that might lead to more down time or further disruption. Even when achieving 100 percent uptime within your own network, you have to recognize the services being used by the customer are only as good as the weakest point in the process. A hardware failure on the customer side or an outage at the internet service provider are all factors that impact the overall availability of the services. And while you should do all you can to not be the weak link, from a customer’s point of view, a disruption is a disruption regardless of the source.

Looking Through the Eyes of the Customer


(Image Source: Shutterstock)

By shifting your focus to see the situation as the customer sees it, and providing a real world view of their availability, cloud service providers should take the necessary steps to change the way the industry looks at and measures availability. To determine real availability for your customers, providers need to look at every incident that results in a customer disruption. In our experience, incidents in a customer’s network fall into one of the following four categories:

  • Service provider’s infrastructure – This includes any and all disruptions that occur on the service provider’s end, within their infrastructure.
  • Software on a service provider’s platform – Additional software programs from the service provider that experience a glitch or outage.
  • Third-party provider – Includes third-party solutions such as a customer’s internet service provider or your chosen data center management or hosting services provider.
  • The customer – When customers have internal network issues, authentication issues, or use the service provider’s offering in ways that impact their own service.

Moving From Supplier to Partner is Good Business

Where you come in is helping your customers manage the situation when those disturbances occur, including identifying the source. By considering all points of the process when identifying factors that could lead to downtime, you are proactively partnering with your customers. This partnership and transparency is critical to your customer relationships and will dramatically improve the customer experience.


(Infographic Source: Kissmetrics)

Evolving your status from supplier to a partner dedicated to a customer’s success also makes good business sense. While many cloud providers focus on new customer/user acquisition, industry studies show it can cost 7x more than customer retention. Broadening the focus to the real availability and health of a cloud service can pay off for providers in the long run.

By Allan Leinwand

Do Not Rely On Passwords To Protect Your Online Information

Password Challenges 

Simple passwords are no longer safe to use online. John Barco, vice president of Global Product Marketing at ForgeRock, explains why it’s time the industry embraced more advanced identity-centric solutions that improve the customer experience while also providing stronger security.

Since the beginning of logins, consumers have used a simple username and password to secure their sensitive information across the Internet. This approach made do in the early days of ecommerce, but with the rampant growth of phishing and other fraudulent activity, it’s time for a new industry standard. For businesses everywhere, this need for change has created important questions about how to protect sensitive information in a cost-effective manner, without diluting customer usability and convenience.

Everyone is on mobile, which calls for more security on-the-go

The mass adoption of mobile devices presents the most obvious need for greater online security control. The sheer number of mobile devices around the world means organizations can implement more robust two-factor or multi-factor authentication systems without having to worry about the high cost of providing the devices to consumers themselves. Under a two-factor authentication system, traditional usernames and passwords remain the first step in identity verification, but users are then required to input a second authentication factor to further verify who they are. This involves sending a unique code or password to a user’s mobile device; the user must input this along with his or her credentials to be granted access. Multi-factor authentication systems such as the Apple iPhone TouchID add a biometric factor such as a fingerprint.

Mobile-based authentication, which is gradually becoming the benchmark standard for online businesses, gives peace of mind to consumers. However, such authentication is not without its issues. Mobile devices are not always secure, and unfortunately, a growing volume of malware is specifically programmed to target them. Such malware can allow criminals to scrape verification codes directly from devices if the codes are sent over data networks. The impact of mobile-based authentication on the user experience is also a concern, as many consumers do not want to have to enter multiple passwords every time they access their online accounts.

Next-gen security goes biometric

Adding biometric layers such as fingerprint or facial recognition technology, or messaging-based authentication processes could be the answer to the woes of mobile-based authentication. Biometrics could further boost security, with minimal impact on the user experience. As pointed out in a recent Gartner report, “Smartphone devices can make use of network-based push notification services that provide a secure out-of-band authentication channel. Authentication servers send notifications via the smartphone OS vendor. These messages are routed to a preregistered device and awaken a local app that can further authenticate the user via contextual information, PIN/password or biometric method. After successful local authentication, the app notifies the requesting authentication service of success, which completes the out of band (OOB) loop.” High-end smartphones offer these capabilities, but until they are more widely available, biometric authentication is unfortunately unlikely to be a viable solution for the majority of consumers.

Another alternative is to add extra layers, such as push authentication, to the two-factor process; this increases security but does not impact the customer experience. When first-time consumers sign into a website that uses push authentication, they will be asked to scan an on-screen Quick Response (QR) code with their mobile devices. This creates an ‘ID tether’ between users and their devices. The next time the user logs in, a push notification is sent to his or her device; all the user has to do is tap ‘approve’ in order to proceed. Importantly, these messages are usually sent over a different network, usually the cellular network, making interception by malware or other criminal monitoring of data activity extremely difficult.

Behavior-based monitoring will become an industry standard


(Image Source: Shutterstock)

End users’ demand for multifactor authentication has accelerated in recent months, and businesses are more aware of the threats posed by online criminal activity, which makes major news headlines almost daily. Multifactor authentication, however, still relies upon a lock and key approach to online security. This means that once someone is through the front door (i.e., they have gained entry to the account), there are usually no other obstacles between them and the sensitive data contained within. For these reasons the most forward-thinking organizations are looking to implement solutions that offer adaptive risk authentication and continuous security.

Adaptive risk authentication and continuous security provide an on-going view of online security. This means that just because someone has gained access to an account, it does not follow that they have full and free access to the data within the account. Adaptive risk authentication scores user behavior based on key criteria such as IP address, device ID, number of failed login attempts and more, to establish whether the behavior is consistent with established ‘normal’ user behavior patterns. Any deviation outside of the norm results in a higher risk score, which triggers additional security questions, re-authentication or, if necessary, the removal of the token assigned to the online session. Most importantly, the algorithms responsible for scoring each session run silently in the background. Users are only made aware of them if their behavior is deemed to be suspicious. The user experience is not compromised in any way, despite the higher levels of security in place.
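The scoring loop described above, as an added example that is not ForgeRock’s code: each session is compared with the user’s baseline on the criteria the article names (IP address, device ID, failed login attempts) and mapped to a silent allow, a step-up challenge or token removal. The weights, thresholds, baseline and sessions are constructed for illustration.

```javascript
// Added example, not ForgeRock's code: a simplified adaptive risk score.
// Weights, thresholds, the baseline and the sample sessions are constructed.

const WEIGHTS = { unfamiliarIp: 30, unregisteredDevice: 40, perFailedLogin: 10 };
const MAX_FAILED_COUNTED = 5;                  // cap so the score stays bounded
const THRESHOLDS = { stepUp: 30, revoke: 70 }; // action boundaries

// Score one session against the user's baseline and explain the score.
function scoreSession(baseline, session) {
  let score = 0;
  const reasons = [];
  if (!baseline.knownIps.includes(session.ip)) {
    score += WEIGHTS.unfamiliarIp;
    reasons.push('IP address not seen before for this user');
  }
  if (!baseline.knownDevices.includes(session.deviceId)) {
    score += WEIGHTS.unregisteredDevice;
    reasons.push('device ID not registered to this user');
  }
  const failed = Math.min(session.failedLogins, MAX_FAILED_COUNTED);
  if (failed > 0) {
    score += failed * WEIGHTS.perFailedLogin;
    reasons.push(`${session.failedLogins} failed login attempt(s) in this session`);
  }
  return { score, reasons };
}

// Map the score to the responses the article lists: silent allow, a step-up
// challenge (security questions or re-authentication), or revoking the token.
function decide(score) {
  if (score >= THRESHOLDS.revoke) return 'revoke-token';
  if (score >= THRESHOLDS.stepUp) return 'step-up';
  return 'allow';
}

// Continuous evaluation: run on every request, not only at login, so a session
// whose context changes part-way through is re-scored.
function evaluateSession(baseline, session) {
  const { score, reasons } = scoreSession(baseline, session);
  return { score, action: decide(score), reasons };
}

// After a successful step-up the new context joins the baseline, so the same
// user is not challenged again for the same device or address.
function learnFromStepUp(baseline, session) {
  const addUnique = (list, value) => (list.includes(value) ? list : [...list, value]);
  return {
    ...baseline,
    knownIps: addUnique(baseline.knownIps, session.ip),
    knownDevices: addUnique(baseline.knownDevices, session.deviceId),
  };
}

// Constructed baseline (RFC 5737 documentation addresses) and sessions.
const BASELINE = { userId: 'alice', knownIps: ['203.0.113.10'], knownDevices: ['dev-a1'] };
const SESSIONS = [
  { ip: '203.0.113.10', deviceId: 'dev-a1', failedLogins: 0 }, // usual context
  { ip: '198.51.100.7', deviceId: 'dev-a1', failedLogins: 1 }, // new address, one mistyped password
  { ip: '198.51.100.7', deviceId: 'dev-zz', failedLogins: 3 }, // new address and device, repeated failures
];
for (const s of SESSIONS) {
  const result = evaluateSession(BASELINE, s);
  console.log(result.action, result.score, result.reasons.join('; '));
}
```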

Usernames and passwords are not dead just yet. They will continue to have their place online for a while, but it is increasingly obvious that in isolation, they are no longer enough to keep sensitive information safe. Thankfully for consumers, advanced security such as multifactor authentication, adaptive risk and continuous security is on the horizon. Inevitably, even the most robust lock-and-key solutions will give way to more reliable behavior-based monitoring, as the fight to keep sensitive data secure online continues to evolve.

By John Barco

John Barco is vice president of Global Product Marketing at ForgeRock. John has 20+ years of experience building innovative products for enterprise customers, focusing on identity and access management for the last 12 years. Prior to joining ForgeRock, he served as Senior Director of Product Management for the Identity Management group at Sun. John has also held leadership positions at iPlanet, Silicon Graphics, NComputing, and IronKey. He holds a degree in industrial engineering from Missouri State University.

3 Developing Expectations For The IoT

IoT Expectations

The Internet of Things, or IoT, has received a lot of attention from tech analysts and curious consumers lately, in large part because its concept is so promising and exciting.

The IoT is based on the idea that all kinds of household objects could have embedded Wi-Fi capabilities, allowing them to go online and communicate with each other. Let’s take a look at a few things people have speculated about that might occur soon, all thanks to the IoT.

1. Prevention and Management of Chronic Diseases Could Improve

Healthcare is characteristically an industry crippled by high costs. It’s also a sector that could greatly benefit from the IoT. Such technology could prevent people from becoming chronically ill, plus improve care management for patients already diagnosed with ongoing illnesses.


(Image Source: Shutterstock)

Most of the nation’s healthcare budget goes toward treating chronic diseases, so it makes sense that programs which encourage smoking cessation, weight loss or other healthy lifestyle choices are a big business opportunity. Even so, most chronic diseases are treated reactively, rather than proactively, and the IoT could change that.

Wearable devices, like those offered by Apple, Fitbit and Withings, currently make it easy and fun for people to set and reach their wellness goals. A company called Omada Health also offers similar devices to pre-diabetic patients, urging them to lose weight in hopes of avoiding chronic blood sugar issues.

Another way the IoT could improve the healthcare industry is through the use of “smart” devices that are worn on the body and are able to detect abnormalities. Theoretically, these gadgets could alert the wearer that something may be amiss with his or her health, allowing the person to seek medical intervention before it’s too late.

Furthermore, data collected by the devices could be automatically sent to the cloud via API, so healthcare providers might examine it without the device’s user having to do anything. That means the IoT could also play a role in helping healthcare workers make more informed and relevant decisions about the treatment plans of their patients.

The IoT could help physicians make diagnoses more efficiently, too. This will become possible when emerging technology leads to a decrease in the manufacturing costs of expensive equipment, such as MRI machines.

2. Inadequate Cyber Security Measures Could Adversely Impact Health-Related Benefits

Despite the exciting possibilities discussed above about chronic illness management, some experts still have concerns about patient data getting compromised. Analysts warn it may be very hard to implement proper security measures on very tiny devices. Furthermore, IoT gadgets are evolving so rapidly that they could be in use on a massive scale within just a few months.

Ksenia Votinova, Technology Entrepreneur & Chief Marketing Officer at Le VPN, says that Virtual Private Networks (or VPNs) could be used to keep personal data secure as it gets transferred from users’ home devices to the cloud:

Installing a VPN on a home router would allow people to secure the internet connection of all their devices that connect to this router – like computers, mobile devices, smart TVs, game consoles, etc.

It works like this: a VPN encrypts the internet connection of all the devices, making any online activity secure and private. This is done through the most sophisticated encryption algorithm (AES-256), which is impossible to hack. Therefore nobody can hack all the devices that are connected to the router secured by a VPN.

So, even though security concerns about the IoT have arisen, we can acknowledge that technology has also been developing to counteract the potential security threats posed by the IoT.

3. Some Jobs Will Become Obsolete, While New Careers Get Created

New technologies can create jobs, or take them away. When smartphones became popular, there was a sudden need for people who could design and test apps for mobile platforms, for example.

On the other hand, as technology improves, it can make some jobs irrelevant. That happened to many grocery clerks and baggers when self-checkout stations became popular. Although most grocery stores still have human staff members at the checkouts, self-checkout lanes often outnumber the staffed ones, especially during certain hours of the day.

We can expect the IoT will reduce the need for low-skilled workers engaged in repetitive jobs. However, the IoT doesn’t solely spell bad news for people in the job market. Target is one well-known retailer that recently offered a position for someone to be in charge of using the IoT to develop consumer solutions.

Another new job title you can expect to see soon is Chief IoT Officer. That person will likely set out the framework for a company’s IoT strategy, and then implement the associated technology that aligns with current business goals. Additionally, the worker will gather data from IoT devices and make decisions based on those analytics.

These are just three likely outcomes driven by the IoT. In the weeks and months to come, there will surely be many more fascinating possibilities to ponder.

By Kayla Matthews

Despite Record Breaches, Secure Third Party Access Still Not An IT Priority


Secure Third Party Access Still Not An IT Priority

Research has revealed that third parties cause 63 percent of all data breaches. From HVAC contractors, to IT consultants, to supply chain analysts and beyond, the threats posed by third parties are real and growing. Deloitte, in its Global Survey 2016 of third party risk, reported that 87 percent of respondents had faced a disruptive incident with third parties in the last two to three years.


In May this year, Ponemon Institute published the results of a 617-person survey that revealed that 75 percent of IT and security professionals said the risk of a breach from a third party is serious and increasing.

The infamous Target breach that occurred during the 2013 holiday shopping season is a prime example of a catastrophic third party data breach. Target confirmed that payment card information from roughly 40 million customers was stolen, as well as 70 million customer records. The root cause of the data breach was compromised network credentials that linked back to the company’s third party HVAC systems subcontractor. The breach cost Target millions of dollars, damage to its brand and reputation, and the resignation of both its CEO and CIO. In the past 12 months, organizations represented in the Ponemon report spent an average of $10 million each to respond to a security incident that was the result of negligent or malicious third parties.

Despite these warnings, a recent study conducted by the Soha Third Party Advisory Group, which consists of industry security and IT experts from Aberdeen Group; Akamai; Assurant, Inc.; BrightPoint Security; CKure Consulting; Hunt Business Intelligence; PwC; and Symantec, found that just two percent of respondents consider third party access a top priority in terms of IT initiatives and budget allocation. The report, which surveyed over 200 enterprise IT and security C-Level executives, directors and managers from enterprise-level companies, uncovered a few reasons for this apathy.

Breaches Happen to Other Organizations


While CVS, American Express and Experian are just a few of the recognizable organizations that have recently suffered through a significant third party breach, the negative news stories published about them and others have not done much to motivate today’s IT personnel. Sixty-two percent of respondents to the Advisory Group report said they do not expect their organization to be the target of a serious breach due to third party access, but they believe 79 percent of their competitors will suffer a serious data breach in the future. Interestingly, 56 percent acknowledged they had concerns about their ability to control and/or secure their own third party access.

Providing Third Party Access Is Difficult

The complexity of providing secure access to applications spread across many clouds or in multiple data centers, and to contractors and suppliers who do not work for you, using devices IT knows nothing about, is a challenge. The Third Party Advisory Group report found that most of those polled believe that providing third party access was a complex and tedious process. The survey found IT needs to touch five to 14 network and application hardware and software components to provide third party access. Fifty-five percent said providing third party access to new supply chain partners or others was a “Complex IT Project,” and on average, they have to touch 4.6 devices, such as VPNs, firewalls, directories, and more. Forty percent described the process as tedious or painful, and 48 percent described it as an ongoing annoyance. This is a problem that will not go away anytime soon, as 48 percent of respondents saw third party access grow over the past three years, while 40 percent said they see growth continuing over the next three years.

People Are Not Afraid of Losing Their Jobs

When the Advisory Group survey asked IT professionals “If a data breach occurred in your area of responsibility, would you feel personally responsible,” 53 percent said they would, because they felt it would reflect poorly on their job performance. However, only 8 percent thought they might lose their jobs if a data breach occurred on their watch. The survey showed that IT professionals take their jobs seriously, but it is unclear who is being held accountable for data breaches and how this ambiguity might affect attitudes and behavior in ensuring organizations are safe from outside threats.

Four Must-Have Features for Secure Third Party Access

When evaluating a secure third party access platform, it’s important the solution be able to navigate and manage a complex maze of people, processes and technologies. The solution should provide a convenient, simple and fast way to manage the platform, policies and security. And at minimum, the solution under evaluation should include the following four features:

  • Identity Access: Identity Access confirms that the third party vendor accessing the IT network has the right to do so. The goal is to provide authenticated end user access only to the specific applications the vendor needs, not to the whole network.
  • Data Path Protection: Rather than building a unique access string through an organization’s firewall, data path protection allows existing security measures to stay as they are, without having to be altered. This feature provides a secure pathway for vendors to access the parts of the network that they need for work purposes. And in the event that credentials are compromised, the direct pathway prevents outside attackers from scanning through the network.
  • Central Management: Keeping track of vendor access can be a challenge, but a centrally managed solution allows organizations to manage and control third party access in a simple and uncluttered fashion. The elimination of complexity means easy, functional connections that provide fundamentally better security that allows for detailed audit, visibility, control and compliance reporting.

The divide between IT priorities and the need to mitigate third party data breaches affects all industries. IT professionals must recognize that the threat from third parties accessing their infrastructure is very real. The good news is that with the right access platform with the appropriate feature sets, organizations can significantly mitigate their risk.

By Mark Carrizosa, chief information security officer (CISO) and vice president of security for Soha Systems.

Mark joined Soha in 2015 from Walmart, where, as principal security architect, he developed and implemented the company’s global e-commerce security architecture framework. Prior to Walmart, Carrizosa was an operational risk consultant at Wells Fargo, where he analyzed the company’s infrastructure and application compliance to improve the security risk posture of both customer-facing and internal systems.

How To Humanize Your Data (And Why You Need To)


How To Humanize Your Data

The modern enterprise is digital. It relies on accurate and timely data to support the information and process needs of its workforce and its customers. However, data suffers from a likability crisis. It’s as essential to us as oxygen, but because we don’t see it, we take it for granted. Because we take it for granted, we don’t often think we need to go open a window for fresh air.

We work with data constantly but often don’t see how that data is used. Thus, it’s difficult to visualize the tedious work behind the product, which affects what we are “selling” as an experience or an outcome.

Consider a company that calls itself “the company that cares for its workforce.” This is the type of company that should know its employees. But consistently getting names, notifications, and other basic information wrong could make that company seem like it doesn’t care.

Why Humanizing Data Is Important

Why would an organization expend the effort to humanize data? The simple answer is that it reduces risk, improves business performance, and (to an increasing degree), it’s a necessity in transitioning to digital excellence. Every industry will have laggards who change slowly, but the best examples are organizations that recognize the data is underutilized within their businesses.


This is important to acknowledge, as according to Gartner research, inaccurate and low quality data can result in millions of dollars of lost benefits per year for the average enterprise.

More specifically, data needs to feel personal because:

  • Intangibles are often dynamic and require context. For example, consider the data that makes up a customer record. Attributes such as a company name, address, and contact information seem basic, but the reality is these attributes change at an alarming rate when you look at a customer population as a whole. Customers have growing, shrinking, and changing businesses, too.
  • A customer isn’t just a record. Attached to a customer are orders, opportunities, and interactions that all build on the context of how a company serves and benefits from a customer. Learning and visualizing that context takes time, especially if it’s only supported through tribal knowledge.
  • It helps to bridge the likability gap and manage the organizational change to a digital enterprise. Stories that humanize data are essential in outlining the expectations for adding value, managing risk, and providing services to the customer. Humanizing data provides meaningful stories that quickly capture the context of data value and use.

How to Humanize Data

It doesn’t have to be complicated. These three basics will take your business a long way.

1. Spread the word. I’ve seen some spectacular examples of organizations humanizing data through videos, tent cards, gamification, and other messaging techniques that revolve around the “so what” and connect the data driving the event. There is no universal way to do this; each company culture responds to communication differently. However, companies simply need to make sure their methods start conversations.

2. Start during the orientation. Most organizations expend their change management efforts when change becomes necessary for more experienced workers. But there is a steady stream of younger, more digitally savvy employees entering the picture. Spell check and text messages are the norm for them, and these team members will be trusted to steward data in systems that were implemented around the time they got their first cell phones. The systems are neither smart nor agile and don’t have a sense of humor for what Siri misinterpreted. They do exactly what you tell them, whether you mean to say it or not.

3. Communicate every data issue by starting with the human elements and outcomes. Repetition and practice are important for reinforcement. Those who can best communicate contextual use and value of information and insights will determine leadership in the digital era. If we want to develop digital leaders, we have to practice and become versed in understanding data context and how it applies to problem-solving and innovation in the future.

There’s little question that data is vital for today’s companies. That’s why it’s troubling that so few companies are using it well. For example, only 36 percent of companies use it to guide strategic initiatives. Further, 41 percent of high-growth firms reported that data quality issues represent a barrier to using it for strategic planning.

Humanizing data might be the solution. It will give employees a sense of how important it is, which in turn will make them more likely to identify with data outcomes. In the long run, humanizing data will lead to a leaner, more efficient company.


By Will Crump

As president and CEO of DATUM, Will Crump brings more than 15 years of experience in building high-performance, cross-functional teams to compete in global venues. He is a sought-after voice in the areas of software product development, OEM and enterprise B2B web application technologies. For information on advisory services and DATUM’s SaaS, Information Value Management, visit DATUM’s website.
