Emerging Trends and Security Threats

by Paula Parker paula.parker@enfopoint.com

Adoption of the Government’s Cloud First Policy requires agencies to evaluate cloud options first, ahead of traditional IT approaches. Is this right for your organization? In its June 15, 2011 edition, in “Putting the Cloud First”, CIO Magazine reported that 48% of IT leaders surveyed were putting more money towards cloud services. Still, some IT leaders want to hold off on moving mission-critical applications to the cloud. There is good reason for that concern. However, the reasons for the concern can be remedied.

There are too many positive arguments for cloud services not to consider the compelling value proposition, the main one being that it helps to reduce capex spending when gross profits continue to shrink or remain stagnant. This benefit is amplified when an organization is still suffering operating losses from the Great Recession, may still be dealing with multi-year depreciation of capital goods purchased before the economic climate changed, and needs a better way to manage cash flow as it continues to recover from the recession.

A second big reason to consider cloud services is that the cloud service provider shares the cost of security. Many may believe that keeping the network upgraded to protect against increasingly sophisticated threats is the responsibility of the cloud provider. However, where businesses are required to comply with industry regulatory requirements, such as HIPAA/HITECH, SOX and PCI DSS, it becomes a shared responsibility.

For example, the newest revision of the standard, PCI DSS 2.0, was updated in the fall of 2010 specifically to address virtualization and how cardholder data should be treated in a Cardholder Data Environment (CDE) when the data is being processed, stored and/or transmitted. Essentially, cloud computing, both private and public, has an underlying platform based on virtualization. The PCI Security Standards Council released its “Information Supplement: PCI DSS Virtualization Guidelines” in June of 2011, stating that the responsibility should be shared but weighted differently depending on the type of service the cloud is providing. See the graph below for the Council’s guidance for Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

Putting mission-critical workloads on the cloud often implies that organizations will have the cloud provider host their virtual machines (VMs). Cloud providers use virtualization because of its innate ability to maximize and optimize the performance of their networks through resource pools and clustering for high availability, high-performance computing, load balancing and utility grid computing. This, however, also suggests a potential area of vulnerability, and perhaps a security gap, if the security managers for both the VMs and the cloud, public and private, have not performed all the due diligence necessary to secure the virtualized environment. The concern is heightened when sensitive data is being stored, processed and/or transmitted through both the cloud and in-scope VMs, which have become virtualized instances in host containers.

To mitigate the security gap, a defense-in-depth strategy needs to be in place. It is important to take the necessary precautionary measures. One way to do this is to assume that certain network components will fail because of unforeseen and ever-growing threats that arise in the wild around the world. The security of the network should be assessed by its ability to quickly alert on an anomalous event, contain it, and then mitigate and restore security in order to maintain business continuity and consumer trust.

Why is maintaining high levels of security so important? Consider the case of TJ Maxx. In January of 2007 they had a breach in which approximately 94 million credit cards were stolen. They were fined 9.75 million dollars because of the breach. If you think that is a big fine, consider the other costs the company had to endure, such as the damage to its reputation and the marketing expenses incurred to restore its image. There was also the cost of a loss of stock value that could have been directly related to the breach. At the time the breach took place the stock was trading around $30.04. A two-month look at the stock shows a dramatic drop in value, with the stock closing around $26.77. By the third month it was still trying to regain the value it had prior to the breach. If the drop in the stock price was directly related to the drop in consumer confidence after the breach took place, then it represented a considerable amount of money, since 413 million shares were outstanding at the time. The drop from $30.04 per share to $26.77 represented a difference of $3.27. Multiplying that amount by 413 million shares gives a loss in value of approximately 1.35 billion dollars.
Source: dailyfinance.com

TJX COS INC NEW (TJX) prices

Date        Volume    High     Low      Open     Close
01/24/07    2.29 M    30.24    29.82    29.87    30.04
03/27/07    3.29 M    27.00    26.65    26.90    26.77
04/24/07    3.82 M    28.51    28.06    28.47    28.35

Fortunately for TJ Maxx, consumer confidence seems to have been restored and the stock is doing quite well now, but that is not the case for every business that experiences a breach in its network. What is troubling is a growing trend of a battle of “speed vs. security” within many large organizations. A recent survey indicated that speed still wins. Help Net Security (www.net-security.org) reported on July 19, 2011 that a Crossbeam Systems survey, which polled nearly 500 participants from enterprises and service providers, produced data suggesting that “Ninety percent of respondents admit to making a trade-off between security and throughput performance.” That potentially puts the organization, partners, employees and customers at risk.

There has been an outburst of sophisticated security breaches during 2011. HBGary Federal was breached in February of 2011, supposedly by the internet activist group “Anonymous”. In March, RSA endured a security breach from a targeted phishing attack that compromised RSA’s SecurID authentication tokens, which put many Fortune 500 companies at risk. Lockheed Martin and Northrop Grumman also endured attacks on their respective systems. Epsilon endured a breach in April, putting at risk those whose names were attached to the millions of e-mail addresses stored by the company. Epsilon happens to be one of the world’s largest e-mail marketing service providers.

Also during April, Sony’s PlayStation Network was reported to have leaked the personal information of over 70 million subscribers. The company then endured another breach in May. And, most recently, in June of this year, Citibank announced that personal and account information of an estimated 200,000 bank card customers in North America had been breached. Could the Citibank breach have been linked to the massive Epsilon breach in April, since it was reported that Citibank was one of Epsilon’s customers? The world is getting smaller and it would appear the attack footprint is getting bigger.

enfoPoint Solutions offers compelling value propositions that help to address and minimize the security gaps arising from the issues above. The company offers both hardware and software solutions that can address security and performance concerns from layer 1 of the OSI model all the way through layer 7. They provide not only defense-in-depth protection of physically connected servers but also purpose-built security protection of virtual devices in a VMware environment, which helps to maintain high throughput with minimal impact on the performance of an organization’s and/or service provider’s network. To see how enfoPoint Solutions can better address the security concerns of your organization, please contact Tom Spear, CEO and founder of enfoPoint Solutions, or send an e-mail requesting information to info@enfopoint.com.