This is the third in a series of interviews with C-level executives responsible for cyber security and privacy in business and government, who also happen to be thought leaders. (Remember, as I mentioned previously, "C-level executive" and "thought leader" are not synonyms.) In this issue, I discuss a range of issues related to the hard work of web security with Jeremiah Grossman, founder and Chief Technology Officer of WhiteHat Security. He is responsible for web application research and development, and is a high-profile industry evangelist, taking his message far and wide from the familiar haunts of BlackHat Briefings and other cyber security venues even unto the rarified air of TEDxMaui. A founding member of the Web Application Security Consortium (WASC), Grossman is a leading voice in web application security. Before launching WhiteHat, Grossman worked as an information security officer at Yahoo! Richard Power: You have a unique vantage point to assess the "facts on the ground" in … [Read more...] about What’s real and what’s not in web security
Cloud web security
When technology manager Lincoln Cannon wants to give his company's employees and business partners controlled access to various internal resources or cloud-based services the company uses, he goes to one cloud-based single sign-on security service to assign access privileges. "Our users have a portal for single sign-on access," says Cannon, director of sales and marketing technology for medical-device manufacturer Merit Medical Systems, who notes both employees and distributors can gain access to this portal via PC or mobile devices such as the Apple iPad. "You just load up our single sign-on app." The cloud security service for single sign-on is provided by Symplified and today about 350 employees and more than 50 distributors for the medical-device manufacturer log on to designated internal resources or external cloud services, such as Google Docs or eLeap training, through the one portal. In use for several … [Read more...] about Cloud-based security as a service: Why it’s catching on
Organizations are increasingly looking to cloud computing to improve operational efficiency, reduce headcounts, and help with the bottom line. But security and privacy concerns present a strong barrier-to-entry. In an age when the consequences and potential costs of mistakes are rising fast for companies that handle confidential and private customer data, IT security professionals must develop better ways of evaluating the security and privacy practices of cloud services. Cloud computing comes in many forms: There are SaaS providers like salesforce.com; platform-as-a-service (PaaS) like Amazon's SimpleDB; Web services that offer application programming interfaces (APIs) that enable developers to exploit functionality over the Internet, such as Yahoo! Maps and Flickr; and infrastructure-as-a-service plays like those offered by Rackspace, Terremark, and Savvis. Different from traditional outsourcing where it is still very much standalone computing, cloud decouples data from infrastructure … [Read more...] about Forrester: A Close Look At Cloud Computing Security Issues
The rush of businesses to move their operations to the cloud is creating a slipstream that's pulling security services into the nimbus. "People have become more comfortable now with the cloud so they're feeling more comfortable leveraging certain cloud services for security," said Brian Contos, CISO for Blue Coat, a web filter appliance company. That comfort will be driving a rapid growth in the market for cloud-based security services in the next few years. The market, according to Gartner, will jump by a billion dollars in the next two years from $2.1 billion in 2013 to $3.1 billion in 2015. Market research firm Infonetics Research also has a rosy forecast for cloud-based security services. It predicts revenues for them will climb by a compound annual growth rate of 10.8 percent, from 2012 to 2015, when it will reach $9.2 billion. "There's increasing pressure on organizations to have services in the cloud, and the only way really to manage some of the risk in the cloud is with cloud … [Read more...] about Cloud-based security services poised for rapid growth
Cloud Access Security Brokers are products that can be described as firewall plus identity management plus anti-malware plus DLP plus encryption control/implementation plus threat management. CASB products have become increasingly important as enterprises look to extend their on-premises security policies to their cloud-based assets. We looked at three products -- CipherCloud, Bitglass, and Netskope. Each one takes a different, yet ingenious, approach to the task of stopping unauthorized, inappropriate, or uncontrolled cloud asset access and manipulation. Security brokers require varying degrees of work, we found in our review, but they pay off in important ways. While it’s impossible for us to test all use cases and to scale as high as vendor claims, we were able to get a good feel for both the features of these products and for potential scalability. If you’re part of a huge organization, … [Read more...] about Cloud access security brokers deliver must-have protection for your SaaS apps
According to analysts from Gartner and elsewhere, every enterprise with a significant cloud presence needs a cloud access security broker (CASB) to protect its cloud-based data. CASB products can sit either on-premises or live in the cloud, but they all have the same basic function – providing a secure gateway for data traveling to and from the cloud, particularly with respect to SaaS applications and common cloud storage services like Box or Dropbox. CASB products provide a variety of security measures, including access control, firewall, identity management, anti-malware, DLP, encryption and threat management. So, what are the basic use cases for CASB? Basic CASB authenticates users, sitting between users and cloud resources for purposes of audit and control. As cloud apps become increasingly popular with end users, the risk increases for inadvertent data transfer, actual data theft and infection by cloud apps and data. … [Read more...] about What is a cloud access security broker and why do I need one?
Businesses in new study were five times more likely to have decreased spending on managing security over three years. As part of its marketing strategy for selling to small- and medium-size businesses (SMBs), Microsoft this week released the results of a study on the use of cloud-based security. The survey of SMBs, whether from Microsoft or other vendors, found that they were five times more likely to have decreased spending on security over the last three years, as a percentage of their overall IT budget. They also spent 32 percent less time managing security than those that used on-premise software. SkyWire, which started using Microsoft's cloud-based security service Windows Intune 14 months ago, develops and sells web-based marketing tools across several industries, so it makes sense the Internet company would adopt cloud-based security. The switch from on-premise software has cut its security costs from $90,000 over the last six months, including IT staff, to $330 … [Read more...] about Is cloud-based security really cheaper?
For all the talk about public clouds versus private clouds, many organizations will likely end up with a mixed IT environment that includes both types of cloud as well as non-cloud systems and applications--at least for the next several years. Security remains a concern for many CIOs, but if the business case supports it, companies are going to move all but the most sensitive and high-risk data to the cloud. Those executives that have started weaving together cloud and non-cloud environments say they've taken steps to ensure that security is an early consideration, have included security provisions in service-level agreements (SLAs) and contracts, and have worked to maintain compliance and secure integration. Industry experts say that despite the well-publicized worries about security, the mixed IT environment will likely appeal to many organizations, … [Read more...] about Hybrid Cloud Computing Security: Real Life Tales
Continuous monitoring is becoming a very popular term, both among security vendors and CISOs. In a constantly changing and hostile network environment where new zero-day exploits appear almost every couple of days, continuous monitoring of your organization’s infrastructure is vitally important. The main role of continuous monitoring is to keep your security team constantly aware of newly detected vulnerabilities, weaknesses, missing patches and configuration flaws that appear to be exploitable. Various products, solutions and services exist today to assure the continuous monitoring process within both large and small organizations. However, when examining the efficiency of such solutions, we should initially try to understand how competitive those solutions are on the market: and not [only] against other vendors’ solutions, but with Black Hats. Yes, you heard right – with Black Hats, who … [Read more...] about Continuous monitoring and web security: Are you competitive with Black Hats?
The City of Aspen in Colorado has a network of over 500 devices and a dedicated network staff of three employees. It is one of many lean IT organizations throughout the U.S. that continuously look for outside services that can add security capabilities and are affordable. "Everything is connected to our network," said City of Aspen Network Coordinator John Sobieralski. He added that a major challenge the network constantly faced was a growing number of malware attacks. "It reached a point where we were experiencing as many as four or five security episodes a day," Sobieralski said. "As a small staff, we were working as fast as we could to clean up infections." In the City of Aspen's case, a major source of malware invasions was websites employees accessed that contained a lot of malware, which was then passed into the corporate network. Another major security concern for all SMBs is the impact of intrusions; this has become even more worrisome of late as the number of mobile … [Read more...] about SMBs drive interest in cloud-based security solutions