InformationWeek Stories by Michael Davishttp://www.informationweek.comInformationWeeken-usCopyright 2012, UBM LLC.2013-04-29T08:00:00ZFollow Feds To The CloudUncle Sam is a leader in the secure use of cloud services. Here&#8217;s what FedRAMP and FISMA can teach you.http://www.informationweek.com/government/cloud-saas/follow-feds-to-the-cloud/240153756?cid=SBX_iwk_related_mostpopular_Application_Security_security<!-- KINDLE EXCLUDE --> <!-- April 29, 2013 InformationWeek Digital Issue--> <div id="inlineGreenPromoTop"> <div class="greenBand"></div> <div class="inlineGreenPromoContent"> <a href="http://www.informationweek.com/gogreen/042913?k=axxe&cid=article_axxe_os"><img src="http://twimgs.com/informationweek/1364/smallcov.jpg" alt="InformationWeek Green - April 29, 2013" title="InformationWeek Green - April 29, 2013" align="left" class="greenIssueImage" /></a> <a href="http://www.informationweek.com/gogreen/042913?k=axxe&cid=article_axxe_os"><img src="http://twimgs.com/infoweek/graphics_library/misc/Green_leaf_88x88.jpg" alt="InformationWeek Green" title="InformationWeek Green" align="right" class="greenLeaf" /></a><br /> <div class="greenPromoText"> <strong><a href="http://www.informationweek.com/gogreen/042913?k=axxe&cid=article_axxe_os">Download the entire April 29, 2013, issue of <em>InformationWeek</em></a>, distributed in an all-digital format (registration required).</strong><br /><br /> </div> </div> <div class="greenBand"></div> </div> <!-- / April 29, 2013 InformationWeek Digital Issue--> <br /><!-- leave as a br to not interfere w/ the insights boxes --> <!-- /KINDLE EXCLUDE --> <img src="http://twimgs.com/informationweek/1364/364coverart_110.jpg" width="110" height="110" alt="Follow The Feds" title="Follow The Feds" width="110" height="110" class="artInlineTopImage" /> <P> It's not often that IT teams charged with new projects and initiatives say, "Let's look at how the feds are doing things." The U.S. 
government's IT systems are seen as slow, archaic and overly complex -- think the Veterans Affairs Department's huge claims backlog and the sorry state of the National Instant Criminal Background Check System, which handles only 6% of requests electronically. But thanks to the "Cloud First" and open data sharing initiatives that former federal CIO Vivek Kundra mandated, the government is an innovator when it comes to cloud computing and data security. </p> <P> The benefits of that work aren't limited to government agencies. Businesses can take advantage of it, too, particularly with regard to security issues. Our 2013 <i>InformationWeek</i> <a href="http://reports.informationweek.com/abstract/5/10475/Cloud-Computing/research-2013-state-of-cloud-computing-.html?cid=pub_analyt__iwk_20130429" target="_blank">State of Cloud Computing Survey</a> of nearly 450 business technology professionals at companies with 50 or more employees shows there's a real need to address security concerns.</p> <P> On one hand, the percentage of respondents predicting their companies will use few or no IT cloud services has dropped seven points since our 2012 survey, to 31%. But just 18% populate the middle ground -- with a quarter to half of their services in the cloud -- even though that's what most CIOs we work say is the sweet spot for cloud uptake. Security is the top concern, specifically concerns about defects in cloud technology and the potential leakage of proprietary or customer data. Much lesser concerns are performance, vendor viability and vendor lock-in.</p> <P> <strong>Enter Uncle Sam</strong> </p> <P> The Federal Risk and Authorization Management Program, or FedRAMP, provides a framework for certifying the security of federal government cloud environments. To participate, a cloud service provider must hire an independent, government-certified auditor to verify that the provider complies with the standards framework. 
Once certified, fed agencies can buy services from the provider without having to go through a security review process. </p> <P> <!-- KINDLE EXCLUDE --> <!-- inline Report Promo --> <div class="inlineReportPromo right"> <div class="reportHeader"><a href="http://reports.informationweek.com/abstract/5/10475/Cloud-Computing/research-2013-state-of-cloud-computing-.html?cid=pub_analyt__iwk_20130429" target="_blank">Research: 2013 State Of Cloud Computing </a> </div> <img src="http://twimgs.com/informationweek/1364/364CSreportcover.jpg" width="175" height="113" alt="Report Cover" title="Report Cover" class="reportCover" /> <div class="reportInfo"> Our report on <a href="http://reports.informationweek.com/abstract/5/10475/Cloud-Computing/research-2013-state-of-cloud-computing-.html?cid=pub_analyt__iwk_20130429" target="_blank">the state of cloud computing</a> is free with registration. This report includes <strong>27</strong> pages of action-oriented analysis, packed with <strong>22</strong> charts.<br /><br />What you'll find: <ul> <li>Why some are still taking a cautious approach to the cloud</li> <li>The problem with service-level agreements</li> </ul> <center><strong><a href="http://reports.informationweek.com/abstract/5/10475/Cloud-Computing/research-2013-state-of-cloud-computing-.html?cid=pub_analyt__iwk_20130429" target="_blank">Get This</a> And <a href="http://reports.informationweek.com/">All Our Reports</a></strong></center> </div> </div> <!-- / inline Report Promo --> <!-- /KINDLE EXCLUDE --> <P> FedRAMP is being driven by the General Services Administration in collaboration with the Department of Defense, Office of Management and Budget, Federal CIO Council and other agencies. A rigorous governance structure was necessary to support government-wide adoption, and that's one of the reasons businesses are looking to the feds as a strong cloud computing reference model. 
</p> <P> FedRAMP's focus on trust verification is a big reason it will reverberate beyond the government. Within five years, FedRAMP-mandated controls will be the rule, not the exception, in both the private and public sectors.</p> <P> FedRAMP's real beauty is that it looks at use cases, not just providers. For example, if high-value data is involved in a project, then no cloud provider can be used, no matter how well vetted it is. </p> <P> Translated to the private sector, this approach takes the heat off IT. You won't have to be the no police or make a series of one-off decisions. Instead, you can focus on a more important issue: the movement of data and processes to the cloud. </p> <P> <!-- KINDLE EXCLUDE --> <center><strong>To read the rest of the article,<br /><a href="http://www.informationweek.com/gogreen/032513/?k=axxe&cid=article_axxe_os">download the April 29, 2013, issue of <em>InformationWeek</em>. </a></strong></center><br clear="all" /></p> <!-- /KINDLE EXCLUDE --> <P>2013-04-17T22:10:00ZResearch: 2012 Security Staffing Surveyhttp://reports.informationweek.com/abstract/166/9655/Professional-Development-and-Salary-Data/Research:-2012-Security-Staffing-Survey.html?cid=SBX_iwk_related_mostpopular_Application_Security_security2013-02-07T01:42:00ZStrategy: Cybersecurity on the Offensehttp://reports.informationweek.com/abstract/21/9736/Security/Strategy:-Cybersecurity-on-the-Offense.html?cid=SBX_iwk_related_mostpopular_Application_Security_security2013-02-05T02:02:00ZStrategy: How to Pick Endpoint Protectionhttp://reports.informationweek.com/abstract/21/8660/Security/Strategy:-How-to-Pick-Endpoint-Protection.html?cid=SBX_iwk_related_mostpopular_Application_Security_security2013-01-28T12:06:00ZRIM BES 10: Too Little, Too LateWhat does BlackBerry Enterprise Service 10 really bring to the table in terms of new enterprise management, security and true enterprise 
mobility?http://www.informationweek.com/hardware/handheld/rim-bes-10-too-little-too-late/240147106?cid=SBX_iwk_related_mostpopular_Application_Security_securityMost enterprises have moved past the value of mobility and are focused on execution. It can be a challenge to determine what tools, processes and other things they need to be able to support whatever mobile initiatives they have -- BYOD included. So with the <a href="http://www.informationweek.com/mobility/security/rim-launches-blackberry-enterprise-servi/240146791">recent BlackBerry Enterprise Service 10 announcement</a>, what does BB 10 bring to the table in terms of new enterprise management, security and true enterprise mobility? <P> Two key features are rolling out with BES 10 that are great for the enterprise and deliver good value; however, one is unique albeit some say a gimmick and another is part of most MDM solutions already. <P> First, the new BES 10 is now using an AES256 encrypted tunnel for all communications between BES and the device that is also FIPS140-2 certified (so the government can use these anywhere!). Think of this tunnel like a VPN tunnel. All data going over it is encapsulated so email, ActiveSync, file transfers, browsing, etc., all now are transported within this tunnel. This enables the enterprise to allow the browser on the BB device to route and access internal enterprise Web apps through the tunnel without the pain of having to configure a VPN profile or even provision a VPN username and password. Given that BB has one of the most advanced Web browsers in terms of HTML5 and other configuration options, this is a great win for enterprises that want to deliver HTML5 mobile Web application experiences to their corporate users without making the Web application public. <P> <strong>[ What can RIM do to regain its position as the enterprise smartphone? 
Read <a href="http://www.informationweek.com/development/mobility/blackberry-comeback-rim-must-win-develop/240147060?itc=edit_in_body_cross">BlackBerry Comeback: RIM Must Win Developer Support</a>. ]</strong> <P> The second, and more significant, announcement for the enterprise is that of BlackBerry Balance. Balance is a technology where the BlackBerry device is partitioned into two separate but always active worlds: Personal and Work. Each partition is encrypted and secure with the Work Partition being controlled remotely by a policy (Note there is no word on whether you can have multiple Work profiles). Apps such as Box.net can exist in one or both worlds and have completely separate application profiles enabling personal accounts for accessing your personal Box.net files and still have access to the corporate Box.net without data comingling. For example, you can have personal email from Gmail on your personal side and your corporate email on the work side and not have the pesky security restrictions enforced on your personal email as you do on the work email. <P> The BlackBerry Hub pulls this all together by giving the user a unified inbox, text messages and simple list of apps to run. The user doesn't need to be concerned what side of the device the app resides on. The Hub even securely unifies the work and personal profiles. The profiles are accessed by the sliding of your finger down the middle of the screen, allowing you to switch app screens from one side to another. This method allows for a quick switching between work and personal apps. <P> There are some settings to allow personal apps to access the work network and also set passwords for the work profile that don't exist in the personal profile. For example, you can use your personal profile all day Saturday and then when you flip to your work profile you enter your password before being able to access any work apps. 
All of these security items can be centrally managed from the BES 10 server.The other quick improvement for enterprises is that BES 10 now includes an enterprise App World that is separate from the Public App World, which can help limit what apps can be installed. <P> Balance is RIMs take on mobile device virtualization that we have seen from others such as Nokia and VMWare. It has the potential to be a great win for the enterprise; however, there are problems with the overall strategy that warrant discussion. First, balance requires BES10 and RIM could not confirm how many BES email hosting providers are planning to upgrade to BES10 or even support BES10 so if you are not an enterprise that wants to use BB Balance you may be out of luck until the major BES hosting providers catch up. Furthermore, for your enterprise to leverage Balance an upgrade to BES10 is required and all users have to use the new BB10 devices, which could be a deal killer depending on cost and the other BYOD initiatives. <P> The real question for the enterprise, "Is this too little too late?" <P> Last year, RIM released BlackBerry Fusion, which enabled an enterprise that was mostly blackberry to manage Android and iOS devices from the same console, which morphed into BES 10. Fusion was RIM's answer to all the MDM vendors making money off managing RIM devices and a way to stem the bleeding of enterprise's moving to Android and iOS. <a href="http://www.informationweek.com/global-cio/interviews/rim-mdm-review-beyond-bes-not-there-yet/240142451">We reviewed Mobile Fusion</a> in our BYOD story in December 2012 and found it isn't a great MDM solution by itself. It would be an okay solution for a heavy RIM shop to support a small amount of iOS and Android users and wasn't the best option available. 
The core problem with the solution was the lack of a unified console (which has been addressed in BES10, we are told, but have not verified) and that it did not have any features that the other MDM vendors didn't do. In other words, it was a me-too solution that just helped a BB organization deal with the pesky iOS and Android devices. <P> And that's the crux, unless you are a dedicated hardcore RIM shop -- the ability to manage iOS and Android devices with BES10 causes a problem for enterprise users looking to adopt BB 10 devices. Why would you? Since a user has to physically exchange their existing BB device to get the new features, and that same enterprise can now support iOS and Android, the user will have the option to upgrade to an iOS or Android device. With the experience being completely different on BB10 devices even hardcore BB users will need to relearn the entire device, a major detractor to just sticking with RIM. <P> Given that consumerization has led this trend to date, we don't think the new enterprise features -- which are really the only enhancements to the device as all of the consumer enhancements are just copycat functions of iOS and Android -- are going to be enough for the end user to stick with BB when facing the decision to change. BES10 is too little too late for most enterprises as the value proposition just isn't strong enough to overcome all the benefits of the other platforms for end users and RIM didn't do anything to reduce the costs and complexity associated with a BB infrastructure.2013-01-21T08:00:00Z4 Steps For Proactive CybersecurityTired of having malware punch you in the face? The time's not right to hit back, but here are moves to make now.http://www.informationweek.com/security/cybercrime/4-steps-for-proactive-cybersecurity/240146573?cid=SBX_iwk_related_mostpopular_Application_Security_security<!-- KINDLE EXCLUDE --> <!-- Jan. 
21, 2013 InformationWeek Digital Issue--> <div id="inlineGreenPromoTop"> <div class="greenBand"></div> <div class="inlineGreenPromoContent"> <a href="http://www.informationweek.com/gogreen/012113?k=axxe&cid=article_axxe_os"><img src="http://twimgs.com/informationweek/1355/smallcov.jpg" alt="InformationWeek Green - Jan. 21, 2013" title="InformationWeek Green - Jan. 21, 2013" align="left" class="greenIssueImage" /></a> <a href="http://www.informationweek.com/gogreen/012113?k=axxe&cid=article_axxe_os"><img src="http://twimgs.com/infoweek/graphics_library/misc/Green_leaf_88x88.jpg" alt="InformationWeek Green" title="InformationWeek Green" align="right" class="greenLeaf" /></a> <div class="greenPromoText"> <strong><a href="http://www.informationweek.com/gogreen/012113?k=axxe&cid=article_axxe_os">Download the entire Jan. 21, 2013, issue of <em>InformationWeek</em></a></strong>, distributed in an all-digital format as part of our Green Initiative<br /> (Registration required.)<br /> <center><div class="innerGreenPromoText" align="center">We will plant a tree for each of the first 5,000 downloads.</div></center> </div> </div> <div class="greenBand"></div> </div> <!-- / Jan. 21, 2013 InformationWeek Digital Issue--> <br /><!-- leave as a br to not interfere w/ the insights boxes --> <!-- /KINDLE EXCLUDE --> <img src="http://twimgs.com/informationweek/1355/355CS_Coverart_flat_110.jpg" width="110" height="110" alt="Storage Innovation" title="Storage Innovation" width="110" height="110" class="artInlineTopImage" /> <P> In our dive into the <a href="http://www.informationweek.com/security/cybercrime/offensive-cybersecurity-theory-and-reali/240146617">theory behind offensive cybersecurity</a>, Gadi Evron summarized the legal and ethical problems of fighting back against an attacker. There are also some purely tactical problems: How do you know you're not blasting some grandmother in Akron whose PC is a zombie? Are you prepared to come under the glare of organized criminals? 
</p> <P> I share Evron's outlook that for most, if not all, nongovernmental entities it's too soon to go down the path of all-out, offensive security counterattacks. Many other security professionals agree, and you can get a good summary of the academic and government research on cyber espionage, cyber deterrence and cyber offense by reading a recent post by Dave Dittrich, a member of the HoneyNet Project: <a href="https://honeynet.org/node/1004" target="_blank">"No, Executing Offensive Actions Against Our Adversaries Really Does Have High Risk (Deal With It)."</a></p> <P> But you can do a lot more than read and hope. Here are some ways to take action now that will at least let your team start taking a more offensive security mindset. </p> <P> <strong>Step 1: Do active risk analysis to know what attackers may strike at, and how.</strong> </p> <P> Intelligence gathering is an arduous task for even well-funded government agencies, so it is highly unlikely that your company can achieve the level of detail required for true cyber intelligence about attackers. Further complicating intelligence gathering is that private-sector chief information security officers don't share details of successful breaches, even though such collaboration would be critical to understanding and linking methods and attackers. But that's another article.</p> <P> For now, focus your effort on the intelligence gathering you do control: knowledge of your own systems, networks and business. 
</p> <P> <!-- KINDLE EXCLUDE --> <div style="float:right;padding-left:10px;"> <div style="width:210px; border:1px solid #000000;"> <div style="margin:0; padding:5px; background-color:#CC0000; text-align:center; font-size:1em; color:#ffffff; font-weight:bold;"><a href="http://reports.informationweek.com/abstract/21/9736/Security/strategy-cybersecurity-on-the-offense.html?cid=pub_analyt__iwk_20130121" target="_blank" style="color:#ffffff;">Strategy: Cybersecurity on the Offense</a></div> <img src="http://twimgs.com/informationweek/1355/355CS_reportcover.jpg" width="175" height="110" style="margin:15px;"> <div style="font-size:.9em; margin:0px 1px 0px 10px;">Our full report on <a href="http://reports.informationweek.com/abstract/21/9736/Security/strategy-cybersecurity-on-the-offense.html?cid=pub_analyt__iwk_20130121" target="_blank">offensive cybersecurity </a> free with registration. <br /><br />This report includes 21 pages of action-oriented analysis. What you&#8217;ll find: <ul class="normalUL"><li>Strategic Security Survey data on the top reasons for increased vulnerability</li> <li>Top breach/espionage threats: cybercriminals tied for No. 1</li></ul> <center><strong><a href="http://reports.informationweek.com/abstract/21/9736/Security/strategy-cybersecurity-on-the-offense.html?cid=pub_analyt__iwk_20130121" target="_blank">Get This</a> And <a href="http://reports.informationweek.com/">All Our Reports</a></strong></center><br /></div> </div> </div> <!-- /KINDLE EXCLUDE --> <P> Conventional cyber defense involves security engineers trying to figure out what attackers can do, how they might break in and what system holes could be exploited. But this is where IT could learn from traditional engineering disciplines, which take a more proactive approach. For example, mechanical engineers are taught to approach problems using failure analysis. 
This technique involves identifying the conditions where a failure can occur instead of trying to figure out what failures can occur. Think of an explosion caused by an oily rag. Without oxygen, oil, the rag and fire that ignites everything, an explosion won't happen. Yet most security engineers trying to keep their networks from being blown wide open look for flames via log data (the attack) rather than finding the oxygen, oily rags and sparks -- what must be present for an explosion.</p> <P> Your intelligence gathering needs to focus on identifying hazardous conditions. You will then learn each condition also has a subset of conditions, and this chain continues until you have an addressable condition. For example, instead of trying to detect or prevent a zero-day exploit from installing malware on a machine, ensure that the conditions for a breach are not present. Eliminate easily guessed passwords, weak permissions on files and folders, and administrative permissions, all which are under your control, instead of trying to figure out where and how any given piece of malware, which you don't control, might strike.</p> <P> This approach requires that your security team know how attackers accomplish their mischief once inside, and that means spending time learning how exploits, penetration testing and underlying applications work. This isn't easy, but it's why mechanical engineers spend years being trained about potential conditions.</p> <P> While there are several failure-analysis methods, including Alex Hutton's Risk Fish, <a href="http://www.darkreading.com/security/news/240005182/introducing-the-riskfish.html" target="_blank">discussed recently in Dark Reading</a>, here's how we recommend you go about it:</p> <P> <!-- KINDLE EXCLUDE --> <center><strong>To read the rest of the article,<br /><a href="http://www.informationweek.com/gogreen/012113?k=axxe&cid=article_axxe_os">Download the Jan. 
21, 2013 issue of <em>InformationWeek</em></a></strong></center><br clear="all" /></p> <!-- /KINDLE EXCLUDE --> <P>2012-12-18T02:49:00ZStrategy: 5 Keys to Painless Encryptionhttp://reports.informationweek.com/abstract/21/9457/Security/strategy-5-keys-to-painless-encryption.html?cid=SBX_iwk_related_mostpopular_Application_Security_security2012-12-14T18:10:00ZReview & Analysis: 3 MDM Suiteshttp://reports.informationweek.com/abstract/18/9355/Mobility-Wireless/review-analysis-3-mdm-suites.html?cid=SBX_iwk_related_mostpopular_Application_Security_security2012-12-10T08:00:00Z5 Rules For (Almost) Painless EncryptionEven as mobility and cloud take off, too many companies still leave data in the clear, spooked by operational concerns. Yes, key management remains a problem. But can you really afford not to encrypt?http://www.informationweek.com/security/encryption/5-rules-for-almost-painless-encryption/240144008?cid=SBX_iwk_related_mostpopular_Application_Security_security<!-- KINDLE EXCLUDE --> <!-- Dec. 10, 2012 InformationWeek Digital Issue--> <div id="inlineGreenPromoTop"> <div class="greenBand"></div> <div class="inlineGreenPromoContent"> <a href="http://www.informationweek.com/gogreen/121012/?k=axxe&cid=article_axxe_os"><img src="http://twimgs.com/informationweek/1353/smallcov.jpg" alt="InformationWeek Green - Dec. 10, 2012" title="InformationWeek Green - Dec. 10, 2012" align="left" class="greenIssueImage" /></a> <a href="http://www.informationweek.com/gogreen/121012/?k=axxe&cid=article_axxe_os"><img src="http://twimgs.com/infoweek/graphics_library/misc/Green_leaf_88x88.jpg" alt="InformationWeek Green" title="InformationWeek Green" align="right" class="greenLeaf" /></a> <div class="greenPromoText"> <strong><a href="http://www.informationweek.com/gogreen/121012/?k=axxe&cid=article_axxe_os">Download the entire Dec. 
10, 2012, issue of <em>InformationWeek</em></a></strong>, distributed in an all-digital format as part of our Green Initiative<br /> (Registration required.)<br /> <center><div class="innerGreenPromoText" align="center">We will plant a tree for each of the first 5,000 downloads.</div></center> </div> </div> <div class="greenBand"></div> </div> <!-- / Dec. 10, 2012 InformationWeek Digital Issue--> <br /><!-- leave as a br to not interfere w/ the insights boxes --> <!-- /KINDLE EXCLUDE --> <img src="http://twimgs.com/informationweek/1353/353F2ftocart2_110.jpg" width="110" height="110" alt="5 Rules For Painless Encryption" title="5 Rules For Painless Encryption" width="110" height="110" class="artInlineTopImage" /> <P> You can't talk about big IT trends without running into data protection worries. For the 728 business technology pros responding to our <a href="http://reports.informationweek.com/abstract/83/9475/IT-Business-Strategy/research-outlook-2013.html?cid=pub_analyt__iwk_20121210" target="_blank"><i>InformationWeek</i> 2013 Outlook Survey</a>, which explores spending and technology priorities for the coming year, "improve information security" ranked No. 1 among 19 projects. This makes perfect sense; whether your company is fixated on big data, public cloud, BYOD or mobile app development, security plays a key role.</p> <P> Yet even as mobility and cloud take off, many companies still leave data in the clear, worried about operational and performance concerns. Never mind that major compliance and regulatory frameworks either require or strongly recommend data encryption. Yes, key management remains a problem. But there are ways to use encryption without breaking your infrastructure while we wait on the ultimate solution: identity-based encryption. 
Here are five rules that help.</p> <P> <strong>Rule 1: Stop The Bleeding</strong></p> <P> <!-- KINDLE EXCLUDE --> <div style="float:right;padding-left:10px;"> <div style="width:210px; border:1px solid #000000;"> <div style="margin:0; padding:5px; background-color:#CC0000; text-align:center; font-size:1em; color:#ffffff; font-weight:bold;"><a href="http://reports.informationweek.com/abstract/21/9457/Security/strategy-5-keys-to-painless-encryption.html?cid=pub_analyt__iwk_20121210" target="_blank" style="color:#ffffff;">Strategy: 5 Keys to Painless Encryption</a></div> <img src="http://twimgs.com/informationweek/1353/353F2reportcover.jpg" width="175" height="107" style="margin:15px;"> <div style="font-size:.9em; margin:0px 1px 0px 10px;">Our full report on <a href="http://reports.informationweek.com/abstract/21/9457/Security/strategy-5-keys-to-painless-encryption.html?cid=pub_analyt__iwk_20121210" target="_blank">encryption</a> is free with registration. <br /><br />This report includes <strong>14</strong> pages of action-oriented analysis. What you'll find : <ul class="normalUL"><li>Top 13 security techs, rated by what matters: funding</li> <li>10 critical encryption decision factors, from interoperability to skills, or lack thereof</li> </ul> <center><strong><a href="http://reports.informationweek.com/abstract/21/9457/Security/strategy-5-keys-to-painless-encryption.html?cid=pub_analyt__iwk_20121210" target="_blank">Get This</a> And <a href="http://reports.informationweek.com/">All Our Reports</a></strong></center><br /></div> </div> </div> <!-- /KINDLE EXCLUDE --> <P> IT's natural inclination is to standardize on a single encryption vendor, since interoperability is notoriously spotty. 
But if you look at the top five types of encryption used by respondents to our <a href="http://reports.informationweek.com/abstract/21/8628/Security/research-data-encryption.html?cid=pub_analyt__iwk_20121210" target="_blank"><i>InformationWeek</i> 2012 Data Encryption Survey</a> -- VPN, email, backup, file and disk, in that order -- no single provider can cover all of them. That lapse is no excuse for a free-for-all, though. We see too many IT organizations letting individual project leads make decisions about what types of encryption to use, what products to buy and even how to manage these systems once they're in place. While we do encourage flexibility, complete decentralization rarely ends well. At minimum, require that a central team approve all new encryption software buys, rules and implementations. This same group must ensure that processes, such as certificate management, are updated to include the new software project that teams want to implement. This one simple change dramatically reduces the sprawl of encryption products and processes. And don't forget the vendor management group during this process.</p> <P> <strong>Rule 2: Pick Your Battles</strong></p> <P> Don't try to do everything within a narrow set of encryption best practices, and if you're lacking in this area, certainly don't try to put encryption everywhere at once. Instead, perform a risk assessment, prioritize requests and analyze the potential volume of keys and certificates to determine where to focus. The conventional approach is to pick an encryption system based on your data classification scheme and types of sensitive data, but you should also look at the ways encryption tool management can break down. Problems usually hit during key rotations and because of weak passwords or certificate expirations rather than the encryption algorithm itself being breached. 
Manage the weakest link.</p> <P> <!-- KINDLE EXCLUDE --> <center><strong>To read the rest of the article,<br /><a href="http://www.informationweek.com/gogreen/121012/?k=axxe&cid=article_axxe_os">Download the Dec. 10, 2012, issue of <em>InformationWeek</em></a></strong></center><br clear="all" /></p> <!-- /KINDLE EXCLUDE --> <P>2012-11-28T08:00:00ZBYOD: Why Mobile Device Management Isn't EnoughHere's what to look for in MDM software and what limitations IT still faces in letting employees use personal devices for work.http://www.informationweek.com/global-cio/interviews/byod-why-mobile-device-management-isnt-e/240142450?cid=SBX_iwk_related_mostpopular_Application_Security_security Nine out of 10 technology pros think smartphones and tablets will become more important to business productivity in the next couple of years. Seventy-two percent expect to offer more bring-your-own-device options so that employees can access company data with their personal gadgets.</p> <P> But IT doesn't necessarily see mobile device management software as essential to coping with this proliferation of devices in the workplace. Only 26% of respondents to the <i>InformationWeek</i> Mobile Device Management and Security Survey say their companies have implemented MDM software, and another 17% say they're in the process of deploying it. </p> <P> Even those companies that have implemented MDM need to make sure their technology and policies really deliver the data security and management efficiency they seek. All MDM software offers the same basic capabilities, such as data wipe and device inventory, so look for additional features that fit with how you use mobile devices. For example, is it a priority for your company to build an app store, or will it need to get hundreds of new people a month on new devices? Buy MDM software optimized to deliver those outcomes.</p> <P> Too many IT shops are working without this strategic view. 
They're merely scrambling to meet pressure from the CEO on down to offer BYOD options or increase mobile app access. "Our deployment of mobile solutions is more of a reaction to 'want,' with many of the expected issues from poor planning becoming major issues," laments one of the 307 business technology pros who responded to our survey. </p> <P> What do employees want to access on their iPhones, Android phones and tablets? The four most-cited resources are email, Microsoft Office applications, VPN and company file servers. </p> <P> The common trait? Employees need access to corporate data to do work while they're away from the office, and with that data access comes all kinds of security questions: who can access what data, why, when and where -- and what happens when that device goes missing? But mobile data and mobile operating systems present a different security challenge from PCs, which is why just implementing MDM software won't solve IT's BYOD and mobile management headaches. This article spotlights some of the most important factors to consider for those 39% of IT shops now evaluating MDM software -- and even those that don't think they need MDM.</p> <P> <strong>Mobile Is Different</strong></p> <P> IT organizations first tried to solve the mobile security problem with the same processes they used for laptops and PCs -- tactics such as endpoint protection software, policy enforcement, password complexity and even data leak prevention software. But when your company doesn't own the device (BYOD) or has to deal with hundreds of versions of mobile operating systems, the PC approaches don't cut it. 
</p> <P> MDM software vendors promise to enforce security policies, block employees from installing malicious apps and even encrypt data. But MDM is still young technology. No vendor dominates the market, which includes a mix of legacy security vendors and startups focused entirely on mobile.</p> <P> Among respondent companies using, planning to use or evaluating MDM, only BlackBerry Enterprise Server and Microsoft Exchange ActiveSync are currently deployed or planned for use by more than 14%. 
Some respondents doubt if MDM even belongs in enterprise IT: Among those who say their companies aren't using MDM, 47% say they have "no need." Says one consultant and former CIO in the survey: "A big reason for BYOD is to get out of the equipment business. If you implement MDM, you are back in the equipment business."</p> <P> We decided to do a hands-on assessment of MDM products. We sent invitations to more than 20 vendors, but only three agreed to take part. Most of the other vendors said they didn't want to participate until the next versions of their software were available. So when would that software be ready? Crickets. </p> <P> However, the three vendors that participated -- <a href="http://www.informationweek.com/global-cio/interviews/good-technology-mdm-review-tight-grip-on/240142461">Good Technology</a>, <a href="http://www.informationweek.com/global-cio/interviews/symantec-mdm-review-familiarity-a-sellin/240142453">Symantec</a> and <a href="http://www.informationweek.com/global-cio/interviews/rim-mdm-review-beyond-bes-not-there-yet/240142451">Research In Motion</a> -- are good industry representatives, as each approaches MDM in a different way. Symantec is a security vendor with experience in detecting and mitigating threats in large enterprises. Good uses a secure container approach, replacing the corporate email, calendar and file-sharing applications with its own. Its approach requires employees to learn a different interface, but it's the same across Android and Apple devices. RIM, the newest of the three to vendor-neutral MDM, acquired Ubitexx in 2011 to try to build on its enterprise IT customer base by letting customers deploy non-BlackBerry devices using its management software. We took each vendor's product and deployed it in our lab, with access to normal support but no special engineers or on-site techs. 
</p> <P> We tested the products for managing iPad 2, iPhone 4S, Android 2.3, Android-based Samsung Galaxy Tab 7, BlackBerry Bold phone and RIM's PlayBook tablet, where the products supported those devices. We left off Windows Mobile because most vendors don't have full support for those devices -- something to consider if you're a Windows shop. Our three reviews are on the accompanying pages; longer versions plus additional survey data are available in <a href="http://reports.informationweek.com/abstract/18/9355/Mobility-Wireless/review-analysis-3-mdm-suites.html?cid=pub_analyt__iwk_20121203" target="_blank">our free report</a>.</p> <P><strong>Security Is Pretty Much The Same</strong></p> <P> The main reason companies are turning to MDM software is security, cited by 72% of the respondents to our survey. The other three reasons we provided are greater mobile spending efficiency (12%), inventory/audit (8%) and cost savings (7%).</p> <P> The security controls for MDM software all do pretty much the same thing, because each mobile device's operating system limits what MDM vendors can do to a device. </p> <P> Some MDM vendors (including Good) require the user to access email within their application or a partner's application, rather than from the email application provided with the device. This setup lets the MDM vendor enforce certain policies the device's email application doesn't support, particularly encryption and selective email data wiping. All device vendors now allow encryption and wiping, but those features are controlled at the device level. What if you want to wipe company data only and not the phone user's personal pictures? You can do that only if all of the company data is isolated within the MDM vendor's application.</p> <P> The big limitation of MDM technology has to do with the fact that mobile applications, unlike PC applications, run in sandboxes. 
For the most part, each mobile application has to declare up front which shared parts of the phone it needs, such as contacts, call records and other data. On Android the declaration lives in the app's manifest and the user grants the whole set at install time; an app that didn't ask for something at install time can't acquire it later. iOS gives the user a bigger role: apps request access to resources such as location and contacts when they first use them, and the user can refuse, but the effect is the same in that an app never gets more than the operating system has granted it.</p> <P> The upside to this approach is that it greatly increases mobile device security. Most PC malware and security problems involve an application being compromised by an attacker, and the attacker then using that foothold to reach data or another application on the same system. (Security people usually reserve the term "lateral movement" for hopping from one host to the next, but the pattern is the same inside a single machine.) Mobile operating systems were architected to prevent exactly that kind of spread. </p> <P> This is why most mobile malware needs to jailbreak, or root, the phone to cause real havoc. Without breaking out of its sandbox or becoming root, the malware can't reach anything outside its own app's data.</p> <P> MDM vendors have the same problem. They can't root or jailbreak your device, but they would like to control the security of the apps on the device. So when they want to add a capability, like wiping only company data, they have to wait until the mobile operating system exposes an API for it. MDM vendors are at the mercy of mobile OS makers such as Apple and Google.</p> <P> This state of affairs doesn't mean MDM is useless -- quite the contrary. But IT leaders must understand MDM software's inherent limitations. An MDM agent is governed by the same sandbox rules as every other app on the phone, so the vendor must find creative ways to improve your phone's security from inside a security model designed to keep one app from touching another. Kind of odd, isn't it?</p> <P> There's precedent for such a business model. 
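<P> The sandbox constraint just described is also what makes MDM's app controls feasible: the agent cannot look inside another app, but it can read each app's declared package name, version and permissions and report them to the server. The following is an added example, written for this edit and not code from the article or from any MDM vendor. It parses a constructed Android manifest, then evaluates a device's app inventory against a whitelist/blacklist policy (required apps at a minimum version, banned apps, and permissions no app may hold). The package names, manifest and policy are all constructed sample data.</p>

```python
"""Added example (not any MDM vendor's code, not from the article): the kind of
app compliance check an MDM server runs over the inventory its agent reports.

It models two things described above:
  * each app's manifest declares, before install, which shared parts of the
    device it may touch (Android's <uses-permission>); on Android of this era
    that set is fixed at install time, so a static check of the manifest is a
    faithful check of what the app can reach;
  * an MDM whitelist/blacklist policy: apps every employee must have (at a
    minimum version), apps that are banned, and permissions no app may hold.

The manifest, package names and policy below are constructed sample data.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample AndroidManifest.xml for a fictional expenses app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.expenses"
          android:versionCode="42">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.RECORD_AUDIO" />
</manifest>"""


@dataclass(frozen=True)
class AppInfo:
    package: str
    version_code: int
    permissions: frozenset


@dataclass
class Policy:
    required: dict               # package -> minimum versionCode
    banned: set                  # packages that must not be installed
    forbidden_permissions: set   # permissions no app on the device may hold


def parse_manifest(xml_text):
    """Extract package name, versionCode and declared permissions."""
    root = ET.fromstring(xml_text)
    perms = frozenset(el.get(f"{{{ANDROID_NS}}}name")
                      for el in root.iter("uses-permission"))
    return AppInfo(
        package=root.get("package"),
        version_code=int(root.get(f"{{{ANDROID_NS}}}versionCode", "0")),
        permissions=perms,
    )


def check_device(installed, policy):
    """Return (package, finding) pairs for one device's app inventory."""
    findings = []
    present = {app.package: app for app in installed}
    # Required apps: must be present and at least the minimum version.
    for pkg, min_ver in policy.required.items():
        if pkg not in present:
            findings.append((pkg, "required app missing"))
        elif present[pkg].version_code < min_ver:
            findings.append((pkg, f"version {present[pkg].version_code} is below required {min_ver}"))
    # Every installed app: not banned, and holding no forbidden permission.
    for app in installed:
        if app.package in policy.banned:
            findings.append((app.package, "banned app installed"))
        held = app.permissions & policy.forbidden_permissions
        if held:
            findings.append((app.package, "holds forbidden permissions: " + ", ".join(sorted(held))))
    return findings


# Constructed policy and inventory for one hypothetical device.
SAMPLE_POLICY = Policy(
    required={"com.example.expenses": 40, "com.example.vpn": 2, "com.example.mail": 1},
    banned={"com.example.flashlight"},
    forbidden_permissions={"android.permission.RECORD_AUDIO"},
)
SAMPLE_INVENTORY = [
    parse_manifest(SAMPLE_MANIFEST),
    AppInfo("com.example.vpn", 1, frozenset({"android.permission.INTERNET"})),
    AppInfo("com.example.flashlight", 3, frozenset({"android.permission.CAMERA"})),
]


def audit_sample_device():
    return check_device(SAMPLE_INVENTORY, SAMPLE_POLICY)


if __name__ == "__main__":
    for package, finding in audit_sample_device():
        print(f"{package}: {finding}")
```

<P> Note what the check cannot do: it sees only what each app declared, never what the app does with it, which is exactly the limit the sandbox imposes on an MDM agent. Blocking an app that holds a forbidden permission, or forcing an update, still has to go through whatever the operating system lets the agent do.</p>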
Antivirus software, for example, historically hooked the same kernel structures that rootkits do, such as the system call table, in ways the Windows kernel was never designed to accommodate, which is why early antivirus products were so unstable and caused so many incompatibility problems. </p> <P> <center><img src="http://twimgs.com/informationweek/1352/352CS_chart2.jpg" width="580" height="403" alt="chart: What's the status of mobile device management software deployment at your company?" hspace="0" vspace="0" border="0" style="margin-bottom:7px;" /><br /></center></p> <P><strong>The Features To Watch Closely</strong></p> <P> So when it comes down to picking the right MDM product for your company, the core security features aren't going to separate one from another. All MDM providers can let you remotely wipe the device, turn features such as the camera on and off, and enforce passcode requirements. The iPhone and Android operating systems pack more than 35 standard policy options, and every MDM vendor implements them. </p> <P> What makes the difference is all the other stuff, such as deployment capabilities, integration with your environment and ease of use. That's where we focus our product analyses and where you should focus yours. Here are some key factors to consider:</p> <P> <strong>&gt;&gt; Deployments: </strong>Assess how efficiently the MDM agent can be deployed on a new device. Deploying new phones isn't a one-time job; it's never-ending. Is your IT team going to face a blizzard of requests, complaints and workarounds every time a new iPhone or Samsung Galaxy comes out? Make sure your tool can keep up.</p> <P> <strong>&gt;&gt; Whitelist and blacklist filtering:</strong> You'll have apps that every employee must install, some that are banned and some apps that you insist are updated to at least a certain version. 
Application filtering and whitelists and blacklists let you control this process based on the device type.</p> <P> <strong>&gt;&gt; Custom app stores:</strong> People are trained in their personal lives to use the default Apple or Google app store for their devices, but your company might want to create its own store for in-house custom apps. Apple's and Google's approval processes might take too long for your company, or you may not want your app public. If so, look closely at MDM's support for installing custom, unapproved apps and setting up a company app store experience.</p> <P> <strong>&gt;&gt; App security screening:</strong> Apps can be malicious. What is the MDM vendor doing (if anything) to assess apps -- is it offering built-in scanning or application vetting?</p> <P> <strong>&gt;&gt; Browser security:</strong> If supported, mobile Web browsing can be filtered to lower the risk of attack on a device. Is the MDM provider you're considering implementing this level of security?</p> <P> <strong>&gt;&gt; Encryption levels: </strong>Every device manufacturer supports encryption, but the levels differ. Do you have to encrypt the entire device, or does the MDM provider let you encrypt only company data or specific files and folders?</p> <P> <strong>&gt;&gt; Data wiping: </strong>For employees who use their personal phones to access company data, you may want the ability to erase that company data without wiping the entire device. Capabilities vary.</p> <P> <strong>&gt;&gt; Auto-provisioning of devices:</strong> If a help desk engineer must spend considerable time with every new mobile device that needs access to company data, it's a recipe for disaster. Look closely at the MDM software's self-service and auto-provisioning capabilities. </p> <P> <strong>&gt;&gt; Architecture:</strong> Does the vendor take a sandbox, virtualization or integrated approach? 
This is important in understanding the vendor's technology and future road map.</p> <P> <strong>&gt;&gt; Location capabilities and network access restrictions:</strong> What if you want to let employees use their device's camera for personal use but not when they're at the office? You'll need a policy based on location. Look at whether the MDM software you're considering supports such policies and how robust those policies can be.</p> <P> <strong>&gt;&gt; Inventory management:</strong> Once you have hundreds of mobile devices under management, how easy is it to search, find and modify individual devices? Press on the type and rigor of filtering capabilities provided. </p> <P> <strong>&gt;&gt; Reports:</strong> Check for built-in reporting in such areas as new devices provisioned, apps out of compliance and devices that haven't checked in for a day or a week. </p> <P><strong>Data At The Core</strong></p> <P> The feature our survey respondents want the most is policy setting and compliance, followed by being able to push updates to devices and to remotely wipe data if a device is lost or someone leaves the company. One of the biggest concerns about BYOD and mobile device sprawl is that sensitive company data will leak out, so when assessing MDM suites, follow the data. We looked at where the MDM software's control of company data stops, and what assurances it gives that the device is secured according to company policy.</p> <P> Since many MDM features are the same across products, ask each vendor what its differentiating features are. For example, Symantec bundles in data loss prevention capabilities -- a challenge because the mobile operating system doesn't provide any native DLP capabilities. </p> <P> While your IT organization is asking all of these tactical and strategic questions, make sure to ask this final question: Should you even buy MDM, or will the market melt away in two years? 
As the MDM market matures, operating system vendors are starting to give away MDM-like features. Google says it will provide a level of MDM within Google Apps for free, and Microsoft's updated group policy for Windows 8 supports most MDM features (though only on Microsoft devices for now). </p> <P> Some IT leaders still will see MDM as indispensable, given their data security risks and the pressure to offer more apps and device options to employees. But realize that you have options. </p> <P> <strong>All Articles In This Cover Story:</strong><br> <ul class="normalUL"> <li> <b><a href="http://www.informationweek.com/global-cio/interviews/byod-why-mobile-device-management-isnt-e/240142450">BYOD: Why Mobile Device Management Isn't Enough</a></b> </li> <li> <b><a href="http://www.informationweek.com/global-cio/interviews/good-technology-mdm-review-tight-grip-on/240142461">Good Technology MDM Review: Tight Grip On Data</a></b> </li> <li> <b><a href="http://www.informationweek.com/global-cio/interviews/rim-mdm-review-beyond-bes-not-there-yet/240142451">RIM MDM Review: Beyond BES, Not There Yet</a></b> </li> <li> <b><a href="http://www.informationweek.com/global-cio/interviews/symantec-mdm-review-familiarity-a-sellin/240142453">Symantec MDM Review: Familiarity A Selling Point</a></b> </li></ul></p> <P> <center><img src="http://twimgs.com/informationweek/1352/352CS_chart1.jpg" width="580" height="511" alt="chart: What company assets do you access via mobile devices?" hspace="0" vspace="0" border="0" style="margin-bottom:7px;" /><br /></center></p> <P> <a href="http://reports.informationweek.com/abstract/18/9395/Mobility-Wireless/informationweek-december-3-2012.html?k=axxe&cid=article_axxe_os">Download a free PDF of the Dec. 3, 2012, issue of <em>InformationWeek</em></a> (registration required).</p> <P><strong>Good Technology MDM Review: Tight Grip On Data</strong> (2012-11-28). Good's on its way to data-centric security. <a href="http://www.informationweek.com/global-cio/interviews/good-technology-mdm-review-tight-grip-on/240142461?cid=SBX_iwk_related_mostpopular_Application_Security_security">http://www.informationweek.com/global-cio/interviews/good-technology-mdm-review-tight-grip-on/240142461</a></p> <P> Good Technology's sandbox approach is similar to the approach of most MDM providers in that it requires servers that sit in front of a company's email infrastructure and interact with mobile devices directly. But the agent Good installs on mobile devices does much more than enforce policies. It includes email, contacts, a calendar and a Web browser. Some complain that Good makes people learn a new email interface, but it's not a steep learning curve.</p> <P> In key IT scenarios -- enrolling many devices, updating devices frequently and giving device users access to company resources -- Good's software worked well in our test. With enrollment, admins can add a device manually or provide a file with all user names and devices for a mass import, or the software lets users do it through a portal. A weakness is that Good doesn't have enough built-in, automated reports on things like out-of-compliance devices.</p> <P> For security, Good's Dynamics architecture and APIs keep documents such as PDFs inside its container, instead of letting them open in other apps on the device. Good needs more apps in this architecture, but its list is growing. 
It also puts a browser in its mobile agent so that admins can limit the URLs users can visit.</p> <P> As mobile devices proliferate, managing them will become less important; the focus will shift to managing company data on those devices. With steps like Dynamics and browser controls, Good is on its way to data-centric security.</p> <P> For a longer review, see our <a href="http://reports.informationweek.com/abstract/18/9355/Mobility-Wireless/review-analysis-3-mdm-suites.html?cid=pub_analyt__iwk_20121203" target="_blank">MDM Report</a></p> <P><strong>Symantec MDM Review: Familiarity A Selling Point</strong> (2012-11-28). Users of Symantec security software will find a similar interface. <a href="http://www.informationweek.com/global-cio/interviews/symantec-mdm-review-familiarity-a-sellin/240142453?cid=SBX_iwk_related_mostpopular_Application_Security_security">http://www.informationweek.com/global-cio/interviews/symantec-mdm-review-familiarity-a-sellin/240142453</a></p> <P> Symantec's MDM system builds on its PC Management Console interface, adding device support for Android, iOS and Windows Mobile devices. Because many companies use Symantec's security products, we wanted to test if IT benefits from using its existing enterprise security vendor instead of an MDM pure play.</p> <P> The big selling point for the Symantec product is that familiar management console, but at first we found it to be unintuitive, difficult to navigate and generally horrible. But when we asked an administrator steeped in Symantec to take a look, he knew exactly where items were and was navigating the system in seconds. </p> <P> Symantec's MDM requires an app to be installed on each device. Unlike other MDM systems, its agent provides only policy enforcement. Capabilities such as email, calendar and contacts are handled by NitroDesk's TouchDown apps for Android and iOS.</p> <P> Enrolling devices wasn't very automated, so the product's not ideal for BYOD. Its asset inventory is solid, reporting is basic and features are similar to those of other MDM products. 
Symantec boasts about integration with its Data Loss Prevention suite, but since DLP forces all traffic across the VPN, we don't think it's practical for mobile, especially over 3G.</p> <P> Symantec's MDM product doesn't have a lot of unique features, but existing Symantec customers that don't require the most advanced MDM features should consider it. </p> <P> For a longer review, see our <a href="http://reports.informationweek.com/abstract/18/9355/Mobility-Wireless/review-analysis-3-mdm-suites.html?cid=pub_analyt__iwk_20121203" target="_blank">MDM Report</a></p> <P><strong>RIM MDM Review: Beyond BES, Not There Yet</strong> (2012-11-28). It's not an easy option unless you're a heavy-duty BlackBerry shop. <a href="http://www.informationweek.com/global-cio/interviews/rim-mdm-review-beyond-bes-not-there-yet/240142451?cid=SBX_iwk_related_mostpopular_Application_Security_security">http://www.informationweek.com/global-cio/interviews/rim-mdm-review-beyond-bes-not-there-yet/240142451</a></p> <P> BlackBerry in its heyday took our email mobile. And BlackBerry Enterprise Server was one of the most complete, secure and feature-rich mobile device management products around. Early this year, BlackBerry maker Research In Motion added the ability to manage Android and iPhone devices. </p> <P> The pitch was great: Keep using those BlackBerrys, but for employees who insist on using another kind of phone, say yes and still manage those with RIM tools. Unfortunately, the system disappointed in our test.</p> <P> Managing BlackBerrys is the same process, but RIM PlayBooks and non-BlackBerry devices require more work. The biggest problem was complex configuration and the lack of integration among platforms. BES manages BlackBerry phones, a platform called Mobile Fusion Studio handles PlayBooks, and Universal Device Service is for Android and iOS phones. Each has slightly different processes for activation and enrollment. </p> <P> RIM is working to fix the multiple-console problem; halfway through the review it released a new version that provides better integration and features, so the platform will get better.</p> <P> RIM's product includes standard MDM features for iOS and Android, including app whitelists and blacklists. 
But it doesn't include a file vault or integrated corporate Web browsing, reporting is weak and enrollment isn't easy. Unless you're a heavy-duty BlackBerry shop, we advise skipping this option.</p> <P> For a longer review, see our <a href="http://reports.informationweek.com/abstract/18/9355/Mobility-Wireless/review-analysis-3-mdm-suites.html?cid=pub_analyt__iwk_20121203" target="_blank">MDM Report</a></p> <P><strong>Research: 2012 Application Security Survey</strong> (2012-11-15). <a href="http://reports.informationweek.com/abstract/166/9097/Professional+Development+and+Salary+Data/research-2012-application-security-survey.html?cid=SBX_iwk_related_mostpopular_Application_Security_security">http://reports.informationweek.com/abstract/166/9097/Professional+Development+and+Salary+Data/research-2012-application-security-survey.html</a></p> <P><strong>Windows 8 Survival Guide: OS and Browser Security</strong> (2012-11-13). <a href="http://reports.informationweek.com/abstract/21/8969/Security/windows-8-survival-guide-os-and-browser-security.html?cid=SBX_iwk_related_mostpopular_Application_Security_security">http://reports.informationweek.com/abstract/21/8969/Security/windows-8-survival-guide-os-and-browser-security.html</a></p> <P><strong>Windows 8: A Win For Enterprise Security</strong> (2012-10-26). Windows 8 makes securing enterprise PCs and tablets easier--and shows that the future of enterprise Windows security is proper control of applications. <a href="http://www.informationweek.com/news/240009687?cid=SBX_iwk_related_mostpopular_Application_Security_security">http://www.informationweek.com/news/240009687</a></p> <P> For years, the Windows platform has had a powerful security feature built into the core of the operating system, one that has been both a bane and a benefit to security professionals everywhere: Group Policy. The newest edition of Windows extends those capabilities while also adding protections aimed at the biggest threat in the enterprise: the browser. These features make Windows 8 a no-brainer upgrade for the enterprise. <P> <strong>Microsoft's App Mindset </strong> <P> The most significant change in Windows 8 security is not so much the actual features as Microsoft's architecture and mindset. Windows 8's new security paradigms focus on the apps. 
Everything--the new AppContainer, Advanced ASLR, and even the Windows Store--indicates that the future of Windows security for the enterprise is about properly controlling applications. <P> This security mindshift is critical to the future of security professionals tasked with budget-friendly enterprise security. The growth of BYOD has many organizations rethinking how employees access corporate data. Microsoft's focus on application security within Windows 8 and Windows Server 2012 is a massive step forward in centralizing management of application security settings for enterprises (without having to purchase an additional product) under the familiar Group Policy interface. Oh, and tablets running the full Windows 8, such as the Surface Pro, support these features too, so from day one they have centralized security and management capabilities. (The Windows RT-based Surface can't join a domain, so it gets none of the Group Policy management described here.) <P> <strong>[ For a deeper dive into Win8 security, see <a href="http://www.informationweek.com/windows/security/want-better-security-get-windows-8/240007720?itc=edit_in_body_cross">Want Better Security? Get Windows 8</a>. ]</strong> <P> <strong>Picture Passwords</strong> <P> There are some other new security features that have both utility and a cool factor for everyday users of Windows 8. A feature called <a href="http://www.youtube.com/watch?v=NQtG6d7rCSk">Picture Password</a> is bundled with Windows 8. It is similar to the Android pattern lock screen, where the user connects a set of dots with a finger instead of typing in a password. With Picture Password, the user draws a pattern made up of three gestures on a picture or photo that he or she provides. The gestures are taps, lines and circles. For example, you could choose a picture of your kids and draw a smiley face on your youngest child's face. Whenever you want to log in to your Windows 8 device, you simply draw the same smiley face on the proper child and you are logged in. 
<P> While this is mostly targeted as a tablet feature for consumers, it can also be used on PCs with a mouse, which gives companies a sign-in option besides typed passwords. (The account keeps a conventional password underneath, which is what domain authentication still uses, and the feature can be switched off through Group Policy if you decide against it.) The problem is that, according to our Windows 8 security survey, 21% of respondents with Windows 8 migration plans say they won't use Picture Password. Another 56% say maybe, but they will investigate its security first. We think it isn't ready for prime time yet, but it is very promising. <P> <strong>Internet Explorer Enhanced Security</strong> <P> Five or six years ago, the operating system itself was most targeted by attackers, but now it's the browser. Drive-by downloads, malicious websites, etc., are the fastest-growing security vector and one that most security professionals deal with every day. Microsoft has listened and improved the Internet Explorer security model, too. <P> Behind IE10's stricter sandbox is an operating system feature named AppContainer, which gives developers fine-grained control over what an application may access. It won't stop a vulnerability from being triggered, but it can stop the exploit from doing anything useful afterward, or at least limit the damage. <P> AppContainer is similar to application sandboxing on mobile operating systems such as iOS and Android. Under AppContainer, a developer ships a manifest with the application that declares the capabilities it needs; anything not declared is denied. For instance, a developer might indicate in the manifest that an application can initiate outbound connections to the Internet, but cannot receive an incoming connection. If that application is subsequently exploited, and the exploit instructs the application to open a port for an inbound connection, the Windows 8 kernel will refuse to open the port, thus limiting the potential damage that an exploit can inflict. <P> These new browser improvements don't come cheap. 
You'll need your systems to run the 64-bit version of Windows 8 to get everything in IE10's new security model (named Enhanced Protected Mode): the AppContainer sandbox is available on 32-bit Windows 8 as well, but the 64-bit content processes that make ASLR substantially harder to defeat require a 64-bit OS. Microsoft has not provided guidance on whether it will back-port these features to IE10 on Windows 7 64-bit. <P> <strong>The Bottom Line</strong> <P> Microsoft has made some significant investments in security for Windows 8 that are applicable to desktops, tablets, and servers. While they are not revolutionary steps, and build on what Microsoft started with Windows 7, they are significant and can reduce risks for companies. Additionally, they don't incur additional costs (beyond the Windows 8 upgrade) and integrate with the existing Group Policy frameworks used by security professionals everywhere. <P> Our take: Don't simply ignore Windows 8 because of the <a href="http://www.informationweek.com/software/windows8/windows-8-you-can-handle-the-learning-cu/240009635">odd new interface</a>. It is worth your time to look under the hood and see how these new security features can help your company. <P> <i>Upgrading isn't the easy decision that Win 7 was. We take a close look at Server 2012, changes to mobility and security, and more in the new <a href="http://www.informationweek.com/gogreen/092412/?k=axxe&cid=article_axxt_os">Here Comes Windows 8</a> issue of InformationWeek. Also in this issue: Why you should have the difficult conversations about the value of OS and PC upgrades before discussing Windows 8. (Free registration required.)</i> <P><strong>Research: Cloud Security: Verify, Don't Trust</strong> (2012-10-17). <a href="http://reports.informationweek.com/abstract/5/8978/Cloud-Computing/research-cloud-security-verify-don-t-trust.html?cid=SBX_iwk_related_mostpopular_Application_Security_security">http://reports.informationweek.com/abstract/5/8978/Cloud-Computing/research-cloud-security-verify-don-t-trust.html</a></p> <P><strong>Want Better Security? Get Windows 8</strong> (2012-09-24). The new OS and Internet Explorer 10 protect applications and limit the fallout of exploits. <a href="http://www.informationweek.com/news/240007720?cid=SBX_iwk_related_mostpopular_Application_Security_security">http://www.informationweek.com/news/240007720</a></p> <P> <a href="http://www.informationweek.com/gogreen/092412/?k=axxe&cid=article_axxe_os">Download the entire Sept. 24, 2012, issue of <em>InformationWeek</em></a> (registration required).</p> <P> Windows 8 and Internet Explorer 10 may prove to be Microsoft's most secure OS and browser to date. 
The company began repairing its dismal reputation for security with Windows 7; this latest version takes significant steps to provide a more secure operating environment for PCs. Our advice? Upgrade desktops and laptops as soon as you can, especially if you're among the 20% of respondents to our latest <a href="http://reports.informationweek.com/abstract/7/9007/Enterprise-Software/windows-8-survival-guide-end-users-and-mobility.html?cid=pub_analyt__iwk_20120926" target="_blank"><i>InformationWeek</i> Windows 8 Survey</a> still clinging to Windows XP--a bad plan <a href="http://reports.informationweek.com/abstract/7/9000/Enterprise-Software/best-practices-5-reasons-to-dump-windows-xp-now.html?cid=pub_analyt__iwk_20120926" target="_blank">for multiple reasons</a>. </p> <P> Leading the list of improvements driving us to make this recommendation: enhanced application controls via a platform named AppContainer, in which Microsoft borrows a page from the mobile OS security playbook by forcing application developers to explicitly define what an app is allowed to do. Microsoft also introduces or enhances other security features, including a robust anti-malware package that comes standard with the OS--and must be giving antivirus vendors agita--and a new feature to make passwords easier to remember but harder for attackers to crack.</p> <P> However, the most significant security change we see in Windows 8 is not so much the actual features; it's Microsoft's mindset. The Win 8 security paradigm is built around applications, particularly those that run in browsers. To that end, Internet Explorer 10 for Windows 8 includes some significant security upgrades, a welcome development because most attacks that target users come from the Web. </p> <P> Of particular note is AppContainer, an aggressive application permission configuration feature introduced in IE10. AppContainer functions similarly to application sandboxing on mobile operating systems, such as iOS and Android. 
Under AppContainer, a developer must produce a manifest file that links directly to the application and defines what it can and cannot do. For instance, a developer might indicate on a manifest that an application can initiate outbound connections to the Internet, but it can't receive an incoming connection. If that application is subsequently exploited, and the exploit instructs the application to open a port for an inbound communication, the Windows 8 kernel will prevent the port from opening, thus limiting potential damage.</p>
<P> There are many other permissions within the AppContainer model, including the ability to specify that an app may talk only to the Internet and not the local network, or vice versa, and to decide which Windows 8 libraries, such as music, videos, pictures or even removable storage, the app can access. We expect Microsoft to add more options for AppContainer in subsequent releases and service packs.</p>

<P><strong>Don't Trust Cloud Security</strong> (2012-08-20T08:00:00Z)<br />Companies using cloud services need to verify, not trust, that a provider's controls will actually protect their data.<br /><a href="http://www.informationweek.com/news/240005687?cid=SBX_iwk_related_mostpopular_Application_Security_security">http://www.informationweek.com/news/240005687?cid=SBX_iwk_related_mostpopular_Application_Security_security</a></p>

<P> A common question about the cloud is whether it's more secure than a data center. But that's the wrong question to ask. Instead, customers and potential customers of public cloud services--whether infrastructure-as-a-service, platform-as-a-service, software-as-a-service, or some other as-a-service--need to ask whether a cloud provider's controls are sufficient to limit the risk a customer is willing to take with its data.</p>
<P> Most cloud providers say, "Trust us, we're secure." But you shouldn't take them at their word. A variety of options are available to assess a cloud provider's controls: basic questionnaires, standardized reports, technical audits, vulnerability scans, and full-blown penetration tests that put a provider's security to the test.</p>
<P> You must assess the pros and cons of each approach and find the provider that takes the same (or better) care with your data as you would. It's not easy, but it's a lot better than cleaning up the mess left by a breach.</p>
<P> <strong>Get The Security You Need</strong></p>
<P> Security is a top concern with the public cloud. Consider that 27% of respondents to the <a href="http://reports.informationweek.com/abstract/5/8978/Cloud-Computing/research-cloud-security-verify-don-t-trust.html?cid=pub_analyt_iwk_20120820" target="_blank"><i>InformationWeek</i> 2012 Cloud Security and Risk Survey</a> say they have no plans to use public cloud services. 
And 48% of those respondents say their primary reason for not doing so is related to security, including fears of leaks of customer and proprietary data.</p> <P> What about those who have adopted, plan to adopt, or are considering cloud services? They're worried, too. Security concerns easily trump other significant issues, including cloud performance, vendor lock-in, and the ability to recover data if a customer ends the service or a provider goes out of business, according to our survey. However, while security concerns are paramount, companies also see significant benefits to cloud adoption. When we asked why companies adopt or would adopt cloud computing, the top response was lower capital costs. A close second was the reduced burden on IT. Despite security concerns, companies are moving to the cloud for business reasons.</p> <P> In an ideal world, companies would carefully inspect any public cloud provider they intend to use. But that doesn't seem to be the case among all our survey respondents. We asked respondents using or planning to use a provider to compare the provider's security controls with their own; 20% say the provider has superior controls, and another 20% say the provider's controls are on par with their own. However, 31% say they have no idea, because they haven't examined the controls in depth. In other words, they're going on blind faith.</p> <P> But it doesn't have to be this way. At the very least, companies considering a cloud service should take advantage of the documentation that most providers make available to customers and potential customers. The most common is the Statement on Standards for Attestation Engagements 16, a set of auditing standards that replaced the well-known SAS 70. 
In an SSAE 16 report, a provider describes its security and technology controls, a third-party auditor reviews them, and the provider's management attests that the controls are in place.</p>

<P><strong>Research: 2012 Strategic Security Survey</strong> (2012-07-03T17:55:00Z)<br /><a href="http://reports.informationweek.com/abstract/21/8815/Security/research-2012-strategic-security-survey.html?cid=SBX_iwk_related_mostpopular_Application_Security_security">http://reports.informationweek.com/abstract/21/8815/Security/research-2012-strategic-security-survey.html?cid=SBX_iwk_related_mostpopular_Application_Security_security</a></p>

<P><strong>Strategy: Why NoSQL Equals NoSecurity</strong> (2012-05-11T01:29:00Z)<br /><a href="http://reports.informationweek.com/abstract/2/8758/Business-Continuity/strategy-why-nosql-equals-nosecurity*.html?cid=SBX_iwk_related_mostpopular_Application_Security_security">http://reports.informationweek.com/abstract/2/8758/Business-Continuity/strategy-why-nosql-equals-nosecurity*.html?cid=SBX_iwk_related_mostpopular_Application_Security_security</a></p>

<P><strong>Fundamentals: The Mobile Payment Frontier</strong> (2012-05-11T00:36:00Z)<br /><a href="http://reports.informationweek.com/abstract/18/8711/Mobility-Wireless/fundamentals-the-mobile-payment-frontier.html?cid=SBX_iwk_related_mostpopular_Application_Security_security">http://reports.informationweek.com/abstract/18/8711/Mobility-Wireless/fundamentals-the-mobile-payment-frontier.html?cid=SBX_iwk_related_mostpopular_Application_Security_security</a></p>

<P><strong>Strategic Security Survey: ID The Right Threats</strong> (2012-05-09T08:00:00Z)<br />Identify the right threats for effective risk management.<br /><a href="http://www.informationweek.com/news/232901373?cid=SBX_iwk_related_mostpopular_Application_Security_security">http://www.informationweek.com/news/232901373?cid=SBX_iwk_related_mostpopular_Application_Security_security</a></p>

<P> Our <a href="http://reports.informationweek.com/abstract/21/8815/Security/research-2012-strategic-security-survey.html"><i>InformationWeek</i> Strategic Security Survey</a>, now in its 15th year, is a great trend spotter--when we see a double-digit, year-over-year percentage-point shift, we take notice. For example, based on 946 responses, only 15% feel they're more vulnerable than a year ago, the same percentage as in 2011. However, among those feeling more vulnerable, the percentage of IT pros worried that there are more ways to attack their networks plunged, from 76% to 62%. The concern that's on the rise is the growing amount of customer data to secure: up to 44% from 34% a year ago.</p>
<P> IT's also paying closer attention to the security of public cloud service providers. Last year, just 18% conducted their own audits; now it's up to 29%. Use of providers' own audit reports is also up. To the 9% who want to conduct risk assessments but are stymied by uncooperative vendors, we say consider that resistance a big red warning flag.</p>
<P> One area where we saw surprisingly little movement is mobile security: 25% say smartphones and tablets represent a significant threat, up just a tick from 24%. Loss or theft is IT's greatest concern, and for good reason, since end users are more likely to leave a tablet in a cab than they are to download a malicious app. That's why mobile device management software that can remotely wipe data, protecting the organization from a potentially messy information leak, is so critical.</p>
<P> Another constant among our respondents is perceived cloud risk. Top worries include leaks of customer data and security defects in the providers' systems, unchanged from last year.</p>
<P> Cloud and mobility may be hot-button issues, but our report goes deeper. Consider a secure software development life cycle (SDLC) process. 
We recommend investing in a process to ensure that your software isn't laden with flaws that attackers can exploit, yet just one-third of respondents have formal programs in place. That's one trend line we hope angles up for 2013, aided by the fact that among respondents whose shops do use secure SDLCs, 33% rate them very effective.</p>
<P> This year's survey also delves into why you should pay more attention to access control, the importance of user education, the benefits of collecting and analyzing security metrics, and the pros and cons of cyberbreach insurance.</p>
<P> About 20% of respondents have taken out breach insurance policies, but that may not be money well spent. It's difficult to accurately estimate the costs of a breach, including cleanup and remediation, so your policy may not cover the true extent of damages. If you really want insurance, spend some of that cash on an SDLC and sound risk management practices and leave the actuarial tables to hurricanes and car crashes.</p>
<P> <center><img src="http://twimgs.com/informationweek/1333/333ExecSummary_chart1.jpg" width="590" height="415" alt="chart: Top mobile device security concerns" /></center></p>

<P><strong>2012 Strategic Security Survey: Pick The Right Battles</strong> (2012-05-07T08:00:00Z)<br />Whether it's cloud computing, mobile devices, or insecure software, some threats are more prevalent than others. Our latest survey delves into where security pros are putting their resources.<br /><a href="http://www.informationweek.com/news/232901435?cid=SBX_iwk_related_mostpopular_Application_Security_security">http://www.informationweek.com/news/232901435?cid=SBX_iwk_related_mostpopular_Application_Security_security</a></p>

<P> What's the biggest challenge facing security teams? It's not preventing breaches, meeting compliance demands, or even vying for executive attention. It's managing complexity, our <a href="http://reports.informationweek.com/abstract/21/8815/Security/research-2012-strategic-security-survey.html?cid=pub_analyt__iwk_20120507"><i>InformationWeek</i> 2012 Strategic Security Survey</a> finds. Now, we've been running this study for 15 years, and security has never, ever been simple. But over the past decade the threats have piled up; we have too many fancy technologies to deploy and long-winded policies to enforce--with no guarantee that any of them will reduce risk.</p>
<P> So let's break it down. 
Prioritize the threats most likely to affect your company. If you try to block every conceivable attack, you'll stretch your people and resources so thin that something is bound to break. Stop worrying about what you can't control or predict and focus like a laser on where you can make an impact. That includes tried-and-true basics like strong access control. It includes taking a hard look at potential cloud providers' security claims, and writing Web apps and business software with an eye toward reducing vulnerabilities. It means being prepared for when a salesperson leaves an iPad in a taxi or has her phone snatched out of her hand.</p> <P> We'll provide guidance on these areas in this article and go into more depth in our full 2012 Strategic Security Survey report. We'll also delve into what 946 business technology and IT security professionals from companies with 100 or more employees told us in our latest in-depth look at the security landscape. </p> <P> <strong>What's In That Cloud, Anyway?</strong></p> <P> Our <a href="http://reports.informationweek.com/abstract/5/8658/cloud-computing/research-2012-state-of-cloud-computing.html?cid=pub_analyt__iwk_20120507">2012 State of Cloud Computing Survey</a> shows adoption of public cloud on a consistent upward pace; just 27% of 511 respondents from companies with 50 or more employees aren't in the market for these services. Unfortunately, in 2011, only 18% of our Strategic Security respondents actually assessed the security of cloud providers. This year, that number jumped to 29%. However, another 14% rely on the self-audit reports vendors provide. An example is the SSAE 16, a widely used set of auditing standards that providers say attest to controls they have in place. </p> <P> We don't recommend blindly accepting these reports. One reason is that SSAE 16 attestations contain different sets of scope and system descriptions, so one provider's SSAE 16 may be dramatically different from another's. A better bet? 
The Cloud Security Alliance explicitly lays out a set of security best practices for cloud providers across a variety of domains, including encryption, data center management, cloud architecture, and application security. The CSA's guidelines are much more prescriptive, and the group offers the Security Trust and Assurance Registry, a free, publicly accessible registry that documents the security controls inherent in various cloud offerings. All providers can submit self-assessment reports that document compliance with CSA-published best practices.</p>
<P> When it comes to cloud computing risks, the most prominent concern among our survey respondents is unauthorized access to or leak of customer information. That's unchanged from 2011. Other top concerns include worries about security defects in cloud technology and the loss of proprietary data.</p>

<P><strong>Why NoSQL Equals NoSecurity</strong> (2012-04-04T08:00:00Z)<br />If it seems security is an afterthought in the big data ecosystem, you're right. Here's what to do about it.<br /><a href="http://www.informationweek.com/news/232700412?cid=SBX_iwk_related_mostpopular_Application_Security_security">http://www.informationweek.com/news/232700412?cid=SBX_iwk_related_mostpopular_Application_Security_security</a></p>

<P> If it seems that security is an afterthought in the big data ecosystem, you're right. And that's unfortunate, because attackers go where the data is. Our security surveys consistently show that even conventional structured databases aren't protected as well as they should be. And now we're piling up unstructured data.</p>
<P> We understand how this state of affairs came about. The whole point of NoSQL databases and superfast key-value stores like Redis is to provide rapid, unfettered access to data. The mission statement says nothing about protecting all that data.</p>
<P> This isn't a news flash to security pros, but those charged with managing big data seem unfazed. In our <i>InformationWeek</i> 2012 Big Data Survey of business technology professionals managing a minimum of 10 TB of data, we asked about a dozen management priorities. Robust security came in eighth, selected by just 17% of respondents.</p>
<P> That would be less scary if the No. 1 application driving big data needs at respondents' companies weren't financial transactions.</p>
<P> Clearly, the developers driving the NoSQL bus just don't get it. The only thing we've gotten from years of pushing to secure Hadoop and other big data technologies is integration with authentication frameworks such as Kerberos. Excuse us if we don't swoon with gratitude.</p>
<P> As technologies like Hadoop and NoSQL go mainstream, this situation must be addressed. In 2010, only a handful of companies, notably Foursquare and Craigslist, were heavily into unstructured data, and they didn't deal with sensitive information. But 2011 was a turning point, says Max Schireson, president of 10gen, developer of the NoSQL database MongoDB. "We went from a handful of [employees] to over 100," says Schireson. "We can barely keep up with demand."</p>
<P> 10gen's customer list has expanded to include financial services companies such as Intuit, big consumer brands like Disney, and the U.S. intelligence community. <i>InformationWeek</i>'s 2012 State of Database Technology Survey (conducted in November) confirms the upward trend. Among 760 respondents, the number with Hadoop in production, running pilots, or investigating it jumped 17 points from August 2010, to 39%. Use of MapReduce and BigTable also rose significantly. The industry most represented in our State of Database Technology poll was government, with healthcare, financial services, and education not far behind--even JPMorgan Chase is using NoSQL technologies to improve fraud detection.</p>
<P> And yet, the NoSQL ecosystem is woefully behind in incorporating even basic security. MongoDB, for example, includes Secure Sockets Layer support only in the commercial offering. There's an outstanding request from January 2010 to add SSL to the open version.</p>
<P> You're thinking, "OK, they must provide good guidance on how to harden the system, right?" 
Here's what MongoDB's documentation has to say: "The current version of Mongo supports only basic security." What's basic? "It is often valid to run the database in a trusted environment with no in-database security and authentication (much like how one would use, say, memcached)," MongoDB says. "Of course, in such a configuration, one must be sure only trusted machines can access database TCP ports."</p>
<P> So firewalls are now considered sufficient protection for financial data? And it's not just MongoDB. The security page for Redis states that untrusted access to the key-value store should be mediated by a layer that implements access control lists, validates user input and decides what operations to perform against the Redis instance.</p>
<P> We asked a financial services firm that leverages a NoSQL database for trading information where it would put security controls. At the database or application, perhaps? Its answer: the operating system.</p>
<P> So, yes, the NoSQL world has gone mad, and that's because the big data show is being run by developers, not architects or even system administrators. These developers clearly don't realize that 14% of all breaches last year were caused by compromised database servers. That's second only to point-of-sale servers in terms of a single point of weakness and well above the 9% of breaches that involved Web application servers, according to Verizon's Data Breach Incident Report. It seems developers are stuck in 1998, when perimeter security was state of the art.</p>
<P> So do security teams need to go on a (probably doomed) mission to outlaw use of Hadoop, MongoDB, and other NoSQL technologies, at least until they mature? 
That depends on how willing you are to get your hands dirty.</p>
<P><strong>If Developers Ran The World</strong></p>
<P> Steve Ballmer had it right: It's all about the developers, and that's the first place to focus efforts to secure unstructured data environments.</p>
<P> Schireson made it clear that security just wasn't part of the MongoDB thought process until recently, when 10gen's customer base expanded from Web 2.0 companies that generally don't store sensitive information to large financial service firms using NoSQL to mine customer data and patterns. 
Schireson's recommended approach to securing MongoDB installations is to implement an audit system, use SSL, and perform a system architecture review.</p> <P> That's not bad advice, but the first two points require custom coding, and the third might not help at all, depending on who's doing the review. </p> <P> Hint: It better not be a developer.</p> <P> We believe a much more tactical approach must be taken to hardening your NoSQL database infrastructure. First, as an authentication mechanism, most NoSQL systems support Kerberos, which is better than nothing because it lets you use Active Directory or a specially configured MIT Kerberos server for authentication.</p> <P> Unfortunately, in our experience working with clients that have NoSQL deployments, we've never seen Active Directory in use. We discuss how to do authentication, logging, and encryption right in <a href="http://reports.informationweek.com/abstract/2/8758/Business-Continuity/strategy-why-nosql-equals-nosecurity-.html?cid=pub_analyt__iwk_2011mmdd">our full report</a>. For now, let's focus on the difficult job of securing these databases.</p> <P> <strong>Frameworks To The Rescue</strong></p> <P> If there's one thing coders love, it's rapid application development, and that quest for ease of use just might be the savior of big data security.</p> <P> As discussed, there aren't many security features built into NoSQL databases, so developers are left to write their own. Rapid application development frameworks such as Spring, Lithium, and Ruby on Rails let developers quickly interface with NoSQL technologies without having to worry about the complicated installation and database schema configuration that are part and parcel of conventional SQL databases such as Oracle and Microsoft SQL.</p> <P> These frameworks implement the security features we wish were built into NoSQL databases, including authentication, role-based access control, and encryption. 
For example, the Spring Security framework makes more than 20 capabilities available to developers. These frameworks provide a quick, reliable, and usually well-tested set of security features. Best of all, your developers don't need to reinvent the wheel.</p> <P> Here are the top security controls we recommend developers implement when using a NoSQL back end:</p> <P> <strong>&gt;&gt; Authentication. </strong> Unfortunately, even in 2012, most of the NoSQL installations we see have no passwords and allow anyone to access the database. At best, passwords are user-defined. If you can't use a built-in authentication capability within the NoSQL database, make sure you at least use authentication within the framework.</p> <P> <strong>&gt;&gt; Input validation. </strong> While NoSQL databases don't normally suffer from the SQL injection issues found in a conventional relational database management system, they can still be injected through JavaScript and string concatenation. Filtering out JavaScript, or configuring the NoSQL database to disallow JavaScript within the store altogether, will eliminate this attack vector.</p> <P> <strong>&gt;&gt; Data validation.</strong> Most NoSQL databases store documents or other objects that can contain dynamic structures. Leveraging the framework to validate data being written to and read from the database can prevent problems, such as when the system converts from one data type to another without the developer realizing it. Such data-type conversions can trigger denial-of-service attacks.</p> <P> <strong>&gt;&gt; Role-based access.</strong> Store information on which users have access to what data outside the NoSQL database, and have the application enforce these roles.</p> <P> Many developers argue that adding security decreases performance; that's the most common excuse we hear for why NoSQL deployments use no authentication or encryption. 
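</p> <P> The controls above, worked through in Python as an added example that is not code from the article or from Spring, Lithium, or Rails. It assumes a hypothetical <code>orders</code> collection with a constructed schema and role table: the query filter is built as a structured document rather than a concatenated JavaScript string, documents are type-checked before they are written, and the role check happens in the application.</p>

```python
"""Constructed example: application-layer controls for a hypothetical MongoDB
'orders' collection. The schema, role table and field names are assumptions."""
import re

# Role table kept OUTSIDE the database and enforced by the application.
ROLE_PERMISSIONS = {
    "analyst": {"orders": {"read"}},
    "trader": {"orders": {"read", "write"}},
}
# Document schema: field -> exact Python type expected (no silent coercion).
ORDER_SCHEMA = {"symbol": str, "qty": int, "price": float, "account": str}
SYMBOL_RE = re.compile(r"^[A-Z]{1,6}$")

def safe_filter(user_input: dict) -> dict:
    """Build a query filter from untrusted input as a structured document, never by
    string concatenation. Keys outside the schema ($where and other $-operators
    included) and nested object/array values are rejected before reaching the driver."""
    out = {}
    for key, value in user_input.items():
        if key.startswith("$") or key not in ORDER_SCHEMA:
            raise ValueError(f"unexpected field {key!r}")
        if isinstance(value, (dict, list)):  # e.g. {"$gt": ""} smuggled in as JSON
            raise ValueError(f"operator object not allowed for {key!r}")
        if type(value) is not ORDER_SCHEMA[key]:
            raise ValueError(f"wrong type for {key!r}")
        out[key] = value
    return out

def validate_document(doc: dict) -> dict:
    """Check a document before it is written: exactly the schema fields, each of the
    declared type ('10' is not 10, True is not 1), and the symbol in its expected form."""
    if set(doc) != set(ORDER_SCHEMA):
        raise ValueError("document fields do not match schema")
    for key, typ in ORDER_SCHEMA.items():
        if type(doc[key]) is not typ:
            raise ValueError(f"field {key!r} must be {typ.__name__}")
    if not SYMBOL_RE.match(doc["symbol"]):
        raise ValueError("symbol must be 1-6 uppercase letters")
    return doc

def authorize(role: str, collection: str, action: str) -> bool:
    """RBAC decision taken in the application, independent of the data store."""
    return action in ROLE_PERMISSIONS.get(role, {}).get(collection, set())

def find_orders(role: str, user_input: dict) -> dict:
    """The filter the data-access layer would pass to find(), only after both checks."""
    if not authorize(role, "orders", "read"):
        raise PermissionError(f"role {role!r} may not read orders")
    return safe_filter(user_input)
```

<P>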
However, Owen O'Malley, a Hadoop engineer at Yahoo, says he saw less than a 3% performance hit in Hadoop when additional security features, such as ACLs and authentication, were enabled. That's well worth it, especially compared with the alternative of cleaning up after a successful attack.</p> <P> <center><img src="http://twimgs.com/informationweek/1330/330F2chart1.jpg" width="490" height="257" alt="chart: which of these analytic application and databases are you using or investigating?" hspace="0" vspace="0" border="0" style="margin-bottom:7px;" /><br /></center></p> <P><strong>What About The OS?</strong></p> <P> The operating system on which any database runs should be hardened and locked down. Most NoSQL technologies run on Linux, so there are a variety of options to choose from. When hardening an OS, focus on four areas: users, permissions, services, and logging. Tools such as Bastille Linux or SELinux can help automate Linux hardening, but we recommend you follow a more structured approach, such as those from the Center for Internet Security or the Defense Information Systems Agency's Security Technical Implementation Guide for Linux. These guidelines have been reviewed and tested by thousands of people and are unlikely to cause problems such as incompatibility.</p> <P> It's important to note that when it comes to Hadoop and MongoDB, properly configuring file system permissions is vital. The Hadoop Distributed File System can be securely configured to give only the appropriate permissions to the users running various jobs. For example, we recommend splitting the MapReduce and HDFS service users into two groups, so that you have separation of access. The HDFS user needs to run the NameNode, DataNode, and Secondary NameNode daemons, while the MapReduce user needs to run only the JobTracker and TaskTracker. Creating Hadoop groups allows you to set up permissions, a critical part of any system-hardening process. 
Without the proper permissions, a user could potentially copy the entire Hadoop or MongoDB instance, load it on a new server, and bypass all of your authentication controls; this is also an argument in favor of encryption, as we discuss in our full report. </p> <P> Finally, don't run these databases as root. We have seen too many instances of this. Create a separate user, and lock down that user so the database has access to only those directories and executables it needs.</p> <P> Right now, open source NoSQL technologies just aren't ready for the enterprise when it comes to security. Can you make them ready? Sure, but it comes down to resources--do you have people with the right skills? If so, and if you're willing to work closely with developers and analyze your organization's risk, you can implement NoSQL technologies securely. Otherwise, there are commercial NoSQL databases such as Vertica and eXist-db that have security controls built in. Just because some well-known Web 2.0 company uses an open source database doesn't mean you should. Their risks, data, and expertise are likely very different from yours.</p> <P> We're not trying to paint the future of big data and NoSQL as a security wasteland. There's precedent for a free-for-all market getting serious under pressure. We saw this happen in the public cloud, as enterprises forced providers to start caring about security controls and privacy. But the fact is that NoSQL technology is by developers, for developers. Unless companies make data protection a priority--and vote with their budget dollars--we don't foresee the NoSQL community suddenly getting security religion.</p> <P> <center><img src="http://twimgs.com/informationweek/1330/330F2chart2.gif" width="490" height="332" alt="chart: have you implemented database encryption?" hspace="0" vspace="0" border="0" style="margin-bottom:7px;" /><br /></center></p> <P>