Archive for the ‘SaaS’ category

Security does not stop at the Firewall

April 10th, 2009

Many businesses have realized the risks involved with the loss of electronic data. Companies that have credit card or other personal data have been forced to manage security because of government regulations about the privacy of data. But while good security managers are watching their network and their staff, all too often nobody is minding the security policies of a company’s partners.

Today very few companies, small, medium or large, have the resources or interest in managing every aspect of their business – we bring in experts: consultants, lawyers, call centers, companies providing software-as-a-service (SaaS) offerings and a myriad of other businesses. A lot of business and information exchange takes place outside our security firewall, and it is a grey area as to who, if anybody, should be watching out for this risk.

Just consider these scenarios:

  • When you hired an auditor, who reviewed the auditor’s security policy to make sure they would protect your data?  Don’t make assumptions here – I once refused to let an auditor’s PC on our network because we could visually see spyware on the browser. We did not even have to run any diagnostics – the spyware was visible on the browser and the desktop!
  • You probably have some type of legal counsel, and they will get some pretty confidential data sent to them.  Who is checking out their data security? (See this blog on Can you trust your lawyer’s PC.)
  • You might be using Software-as-a-Service tools; sometimes they were picked by the business unit and not by IT.  They are hosting your data – does anybody know about their security? And not just their data center security, but all aspects, such as how secure their laptops are.

Now if I (the admitted security geek) were a lawyer or accountant – I would make sure that I told prospective clients about my security; I wouldn’t even wait for them to ask.  I would highlight how we encrypt all information.  It is a selling point about how good your company is.

But since not every company is that good, I encourage companies to make this part of the process when they hire in outside help.  If you have an RFP it should certainly ask about security policies.  Even more than the RFP – test it out. When your sales rep visits the office ask if you can see their PC.  Then say, “I just stole your PC – do you know who to contact at your company to report this?”  Ask “How much confidential data will I be able to access without even needing a password?  Is the laptop encrypted?”

While one of your co-workers is busy providing CPR to your visitor, you will have time to print out a copy of your security policy and maybe even share a link to Alertsec Express.  We’re all part of a network – your business partner’s security is really your security as well.

Analyzing the cost savings of a SaaS solution

March 30th, 2009

Software as a Service (SaaS) is such a buzzword these days.  It seems like everyone from established companies to start-ups is emphasizing how their products are SaaS-enabled and placed in the cloud.  With all of this buzz, surely there is something about SaaS that makes it something all IT Professionals should at least take a look at.  But why? What’s the big deal with SaaS and how does it provide real value to IT Professionals?

The fact of the matter is this: IT Professionals are busier than ever.  Economic conditions have led to many layoffs, yet companies’ business objectives have not changed.  Companies need to show their stakeholders that they will hit their business objectives, regardless of how many resources they have.  That means that even though IT Professionals were stretched thin before, they are even busier today.  Where there was once the luxury of specializing in a strategic niche area, companies are asking their employees to stretch and take on more responsibilities.

This is an area where SaaS can really help.  For traditional solutions, not only do you have to invest a lot of time in the evaluation phase of a project, but you also have to invest a considerable amount of time in the design and implementation phase.  SaaS solutions help you reduce the investment in the design and implementation phase of a project.  Now it would be irresponsible to say that it eliminates this investment because knowing how a solution works and is implemented is key to any evaluation, but it can certainly help reduce this investment.  Rather than having to worry about network requirements, hardware requirements, and the technical expertise needed to implement a project, IT Professionals can focus on the key areas that bring strategic value to the business.

Nonetheless, each organization should perform a cost/benefit analysis when investing in a SaaS solution vs. an on-premise solution.  Here are a few key areas where a SaaS solution may provide savings:

  • Hardware costs – At minimum, the SaaS server infrastructure will be in the cloud, so there is no need to purchase hardware or pay for rack space and power.
  • IT Specialists – A SaaS solution may reduce the requirement to have someone specialize in this area.  You’re paying a vendor to provide the expertise, and they should be a trusted partner you can count on.
  • Software costs – Most SaaS solutions are subscription based, so you usually pay per user and per year or per month.  The licenses are not perpetual.
  • Support costs – If the solution provides support as part of the fee structure, that means lower resource costs for the Help Desk and other layers of support.  Also, there is less to worry about from an operations management or change and configuration management perspective.

There is another aspect to SaaS that organizations should think about: peace of mind.  Knowing that a trusted partner is backing the solution, and provides the expertise necessary to support it, means that you can worry less about a 2am call to your mobile that something isn’t working.  That’s something that is hard to put a price tag on.

There are many SaaS solutions out there.  Every organization should take a look at areas where they can optimize their business by implementing SaaS where appropriate and focus their IT workforce around projects that provide business value.  If you’re currently thinking about implementing a SaaS solution, let us know what you think so far.

I look forward to your comments as we start this new blog on AlertSec.

Laptop Protection Learned the Hard Way

March 26th, 2009

Back on a nice sunny day in July 2002 I was sitting in my office drinking my morning diet cola (I prefer my caffeine cold) when a “friend” called. With more than a little chuckle in his voice he asked if I really believed the old marketing saying “that any publicity is good publicity.” While still in the dark, it was quickly dawning on me that it was not going to be as nice a day as I had hoped. After a few more comments, I was directed to the website of the New York Times, where I read about one of our employees talking about how he had lost his laptop: “Almost everything I need to run my business was sitting on that laptop and I didn’t have a backup.”

Looking for the silver lining in this event, it did provide the impetus for us to speed up backup plans that we were working on. Within a short time period all laptops were scheduled with an enterprise software product making regular backup of all key data. With a fleet of over 80 laptops, we’ve had additional laptops lost and even a few technical failures. In each case these backups saved the employees and the company time and money.

However, even after this event it took us a few years to completely roll out laptop encryption. We tested out a variety of options and each one caused issues: employees having an even harder than normal time logging onto their laptops; employees running into cases where they could not access certain files; files that were emailed were still encrypted and the recipients could not use them; the technical staff pulling out their hair coordinating the installation of the encryption software. While we needed the security of encryption – the loss of usability was severe.

We eventually got all the laptops encrypted – but the time lost and the hassles were still on my mind when I began doing IT consulting. I’ve made great use of Software-as-a-Service, and I am embarrassed that I never explored encryption via SaaS at an earlier time. However, once I stumbled upon Alertsec I immediately became a user and an Alertsec evangelist. The security of encryption, the convenience of a three-step install, and fewer help desk issues because Alertsec handles the 24-hour support. For companies of any size this is a great value to increase the security of your organization.

Oh, and one more piece of advice. In addition to training your employees about what to do if a laptop is stolen or lost, remember to also mention that speaking to the press, twittering about it or blogging about it is not a way to keep security issues confidential. Just because it seems obvious to you, don’t assume it’s all that obvious to the rest of the world!

Data at rest

March 18th, 2009

Learning about how to defend information inside your computer or on your company network is easy. A closer look at the proper care of that information might not seem to be a high priority until we start to consider that identity theft is the fastest growing problem we face. If you wait until someone has stolen your identity – it will be too late.  Consider the consequences of having your bank account drained, credit cards maxed out, and the possibility of someone obtaining a new driver’s license and credit cards in your name. Think about them making big purchases that could easily destroy your good name and credit standing. Suddenly information protection becomes a top priority.

Your efforts at repairing your credit would include the time and expense of closing existing accounts and opening all new accounts and would reach beyond to possibly months and years. Also consider what happens to your credit and lifestyle during this type of mess. The news media is already filled with horror stories.  In the face of that possibility it makes sense to spend money on security controls that will have the greatest impact to avoid the potential losses that accompany identity theft.

So let’s start from the point that protecting data-at-rest is critical in today’s interconnected environment where we have highly mobile data and decreasing device size.  Personal identity information or sensitive information stored on devices such as laptops, thumb drives and PDAs is often unaccounted for and unprotected, and can pose a problem if these devices are compromised.

From an attacker’s point of view, that information inside your computer — data at rest – such as the data on your hard drive, in databases and computer file systems, those files stored on your Network Attached Storage (NAS) units or Storage Area Networks (SAN), and the information on company file servers — is much more attractive than what is found being sent across the Internet in encrypted form. That is because data at rest is typically not encrypted. That is – the information on your computer hard disk is readable by anyone with the ability to get into your file system.

When information is encrypted it is made unreadable, and it takes effort on the part of the attacker to break the code to read the information. So the attraction of data at rest is that it is where the money is. No – you are not likely to find hard dollars or Euros on your hard drive. You will, however, certainly have valuable information stored there.  This is because our computers store things like credit card numbers, social security numbers, intellectual property, financial information and company process information on the hard disks. Sometimes we save information on our computer hard disk without knowing how it is done or even realizing what we have done. And those things we can’t afford to lose are exactly what malicious attackers and rogue employees are trying to take from us.

As computer users become more aware of how certain types of technologies work – the information on our computer becomes more widely accessible and this makes our computers more vulnerable to attack. Reports of source code for commercial software being stolen and the loss of customer, employee and client data are so common that we no longer find these reports shocking.

Don’t get me wrong, other types of crimes are taking place and data in transit does have vulnerabilities, but that is NOT the focus of this article. Good network managers everywhere are working hard to ensure that information sent across the wire is encrypted. There are some who are working to encrypt even the internal network traffic.  That is because attackers are getting better at using sniffers anywhere on the network to see all traffic with ease. There are attackers who have the expertise to break in, install a sniffer and glean our network traffic remotely.

That brings us to the point – what should be done to thwart the attackers who are the most daring? Well, the short and easy answer is that encryption of data-at-rest is now possible and at a reasonable price.

So just what is Data-at-rest?  Data-at-rest is the term used to describe all the information inside your computer that is stored on the hard disk or other permanent storage media. This definition, of course, excludes the information that is traveling across a network or the information that is temporarily in the computer memory chips. Our focus here is to consider where the credit card information and social security numbers are kept and make that safe from prying eyes.

Let’s revisit the fact that identity theft is potentially devastating. The cost of a reliable data-at-rest solution such as Check Point’s FDE is nearly trivial. The call to action is clear – there is a tremendous value proposition, so we should each be doing what we can to ensure we’ve closed the door on would-be attackers.

For a long time the businesses, government agencies, and other institutions have been (and are still) concerned about the ever-present threat posed by attackers to their important data at rest. In order to keep data at rest from being accessed, stolen, or altered by unauthorized people, security measures such as data encryption and specialized types of password protection schemes are commonly used.

One example of strong protection for data is found in the organizations that work with medical and financial information, which requires special handling. These solutions are typically global and expensive, and they are used in conjunction with specialized security measures that keep that type of information safe.  Now that data-at-rest encryption is available to the home user and small business, we simply need a formula to determine how much our data is worth. Companies will typically prioritize the importance of their data and create what is called a trade-off study. The home user might not immediately think of the value of his or her information, because the value of a picture of a certain kitten, a picture of our family, or a credit card number isn’t a precise amount.  However, the value of our time in correcting a stolen identity can be seen in terms of the time it takes to change credit cards and then the burden of contacting every company we do business with to change all of our information.

Keep in mind that in today’s computing environment of the Internet we are all interconnected. That means that the good guys and the bad guys are both on the wire that you use to connect to any peer service for things like music downloads, Facebook, MySpace, online banking, or any other company’s site for the purpose of performing a financial transaction. It is not paranoia if you really are being watched. Know it and act accordingly.  See the Alertsec solutions page for definitive pricing.

In another blog entry we will further discuss what browser cookies are, how they store information on your computer automatically, and how to think about protecting yourself with data at rest encryption.

Until then – Cheers!

Software as a Service (SaaS) – what makes an application worth subscribing to?

March 18th, 2009

Not all applications work well as a software-as-a-service offering. However, Full Disk Encryption certainly is one of them!

So, what makes an application a good SaaS offering?
It needs to fulfil some of the following criteria:

  • The service provider must be able to pass on cost reductions to customers when the service is scaled.
  • It must be available and functional both on- and off-line.
  • The application users should reap the benefit of a large-scale helpdesk and knowledge base.
  • Targeted and flexible installations for specific short-term projects or personnel must be available.

Normally, an installation and deployment of laptop encryption requires the IT staff to install the main component on a server, configure it, and deploy it to the laptops. This not only requires server hardware and software, but often also external support engineers on site, as well as training for the in-house staff.

Full Disk Encryption is a good application to subscribe to as a service instead of buying it outright, especially when you look at smaller installations. When customers can eliminate these costs, but at the same time reap the benefit of large scale licence purchases from the service suppliers, SaaS is offering both time and money savings. Alertsec also has a web-based deployment platform so customers do not need to install anything – everything is handled from an account on the Alertsec website.

Subscribing to an encryption service is fully flexible and can be done for as short as one month. The service is pre-configured, so installations are standardized and users do not need any knowledge of software or encryption.

Encryption is one of those applications that are help-desk intensive, as users continuously forget their passwords – often when travelling and in different time zones. Hardware also sometimes crashes, which results in the need for information recovery. Being able to rely on helpdesk personnel who do this daily, rather than perhaps once a year, is a huge help and one of the real benefits of running encryption as a software service.

When users lock themselves out, customers need to have someone on call to help unlock the laptop, even if the caller is in a different time zone. When a user has a major fault on their computer, the customer usually does not have the skill or experience to recover the information, which often results in it being lost.

Laptop encryption does not need to be in contact with a server to work, as the encryption is in place before the operating system starts up and before the laptop is able to reach any servers. That way the encryption implementation only relies on being online during deployment and updates. However, the encryption hardly ever needs to be updated, as users seldom change and the same user has the laptop throughout its lifecycle. Not even a password reset requires the laptop to be online, as the helpdesk can help users over the phone.
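The data-at-rest argument in the post above and the offline pre-boot design described here, as an added example (not Alertsec’s or Check Point’s code, and not a description of how their products are built): a Python model in which one random volume key encrypts the disk while the user password and a helpdesk recovery key each merely wrap that key, so the raw drive is unreadable without a password and a forgotten password can be replaced with no server involved and without re-encrypting any data. The cipher is an HMAC-based stand-in for AES-XTS so the example runs on the standard library alone, and the `EncryptedLaptop` class and its names are assumptions.

```python
import hashlib
import hmac
import secrets

# Stand-in cipher so the example runs on the standard library alone: an HMAC-SHA256
# keystream (counter mode) plus an HMAC tag. Real full disk encryption uses AES-XTS.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    enc_key = hmac.digest(key, b"enc", "sha256")
    blocks = [hmac.digest(enc_key, nonce + i.to_bytes(8, "big"), "sha256")
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]
def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.digest(hmac.digest(key, b"mac", "sha256"), nonce + ct, "sha256")
def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.digest(hmac.digest(key, b"mac", "sha256"), nonce + ct, "sha256")
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))
def _kek(password: str, salt: bytes) -> bytes:
    # The password never encrypts the disk itself; it only derives a key-encryption key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class EncryptedLaptop:
    """One random volume key protects the disk. The user password and the helpdesk
    recovery key each wrap that volume key in a slot of their own (assumed model)."""
    def __init__(self, password: str, recovery_key: bytes):
        self.volume_key, self.salt = secrets.token_bytes(32), secrets.token_bytes(16)
        self.user_slot = seal(_kek(password, self.salt), self.volume_key)
        self.recovery_slot = seal(recovery_key, self.volume_key)
        self.disk = b""  # raw sectors: what pulling the drive out of the laptop yields

    def write(self, data: bytes) -> None:
        self.disk = seal(self.volume_key, data)

    def unlock(self, password: str) -> bytes:
        # Pre-boot authentication: every key needed is on the laptop, no server involved.
        return unseal(unseal(_kek(password, self.salt), self.user_slot), self.disk)

    def reset_password(self, recovery_key: bytes, new_password: str) -> None:
        # Helpdesk recovery: rewrap the same volume key; the data is not re-encrypted.
        vk = unseal(recovery_key, self.recovery_slot)
        self.salt = secrets.token_bytes(16)
        self.user_slot = seal(_kek(new_password, self.salt), vk)

def can_unlock(laptop: EncryptedLaptop, password: str) -> bool:
    try:
        return laptop.unlock(password) is not None
    except ValueError:
        return False

def demo() -> dict:
    secret = b"card 4111 1111 1111 1111"       # constructed sample record
    recovery_key = secrets.token_bytes(32)      # held by the helpdesk, never on the disk
    laptop = EncryptedLaptop("forgettable-pw", recovery_key)
    laptop.write(secret)
    laptop.reset_password(recovery_key, "new-pw")   # the user forgot the old one
    return {"raw_leaks": secret in laptop.disk, "unlocked": laptop.unlock("new-pw"),
            "old_pw_works": can_unlock(laptop, "forgettable-pw")}
```

Real products dictate a short challenge/response over the phone rather than a full recovery key; the point the model shows is that the password protects only a wrapped copy of the volume key, so a reset touches that slot alone.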

Try it for a month – you have nothing to lose.