
Changes in IT and Computing Platforms Drive New Concerns and Approaches to Security

Ernst & Young's 2010 Global Information Security Survey finds organizations are increasing security spending in response to new risks from mobile, cloud and social networking.

Mobile communications, cloud computing and social networking are among the hottest topics in banking right now. As financial institutions try to figure out how they might benefit from these technologies, they also need to understand their security implications. According to Ernst & Young's 13th annual Global Information Security Survey, progress has been made on this count, in the form of increased security spending and updated corporate policies. At the same time, there is a long way to go before banks are really up to speed on the security implications of what Ernst & Young describes as a borderless business world.

"Borderless Security: Ernst & Young's 2010 Global Information Security Survey" is based on a survey of nearly 1,600 senior executives in 56 countries. Banking and capital markets executives represented by far the largest segment of the sample (329 respondents), followed by technology (139) and insurance (137).

Sixty percent of the survey respondents said they perceived an increase in the level of risk they face due to the use of social networking, cloud computing and personal devices in the enterprise; 37 percent said they perceived a relatively constant level of risk. At the same time, 46 percent of those polled indicated their annual investment in information security is increasing as a percentage of total expenditures, while 48 percent said it is relatively constant.

"IT is changing, and when IT changes, the security game changes," notes Jose Granado, Ernst & Young's Americas practice leader for Information Security Services. The most important implication of these IT changes, Granado states, is that "The outsider is the insider -- there are no more walls."

Elaborating on this observation, Granado argues that in a "borderless security" environment there is "a lack of control, a lack of standards, and a lack of understanding of true vulnerability of devices." Accordingly, he adds, there are a number of changes organizations should make in how they approach security. "Develop a plan, prioritize risk and make it real and associated with the threats," he says. "Keep the plan fresh, validate and review it [regularly] -- six months may be too long" to go between updates. And, Granado stresses, "take an information-centric view. Understand the life cycle of your data from creation to archive or destruction."

As corporations adopt a different approach to security, the biggest change, according to Granado, is that "the goal today is not to be secure but to be secure enough. There is no such thing as 100 percent secure. That's the key."

Looking specifically at the rise of mobile computing and communications, "the biggest issues relate to a lack of control," reports George (Chip) K. Tsantes, principal, financial services, at Ernst & Young. Fifty-three percent of the study respondents said that increased workforce mobility is a significant or considerable challenge to effectively delivering their information security initiatives. One reason there is so much concern, he says, is that when it comes to privacy and protecting sensitive information, "consumers have different views about sensitive information. Do you use the old paradigm that everything is protected? Or do you change the model and assume everything is compromised?"

The struggle to answer these questions is a big reason why the Ernst & Young research shows "a big increase on data loss prevention, especially in financial services," Tsantes says. Sixty-four percent of the respondents indicated that loss or disclosure of sensitive data was one of their top five areas of risk, while 50 percent said they plan to spend more over the next year on data leakage and/or data loss prevention technologies and processes.

If the security concerns relating to cloud computing do not seem quite as urgent, that probably is because for now most businesses are limiting their adoption to the private cloud. According to the Ernst & Young study, 54 percent of respondents who said they use cloud services indicated they are using private clouds, compared to 29 percent who said they are using the public cloud, and 45 percent using encapsulated/hybrid cloud. Those numbers could shift as more applications are made available in a cloud environment.

"Security folks need to wrap their heads around this," says Ernst & Young's Granado. "From a traditional security point of view, supporting cloud is counter-intuitive. How do I know at any point in time where my data is? Who are my neighbors? How do I really know my stuff is protected? This requires a mindset change in security professionals to let go." According to Tsantes, 90 percent of the financial services professionals who participated in the research said they think data loss is the biggest potential problem with cloud computing, compared with 52 percent of total respondents who identified data leakage as the top cloud risk.

At the same time, Granado emphasizes, the vendor community also needs to step up to the plate, security-wise. "Solution providers need to be more transparent about testing of their environment -- what are the known issues? Let us see the incident logs."

Standards -- or rather, lack of standards -- are another concern when it comes to security in the cloud. "Right now, there are no set standards to ascertain level of security [in the cloud]," Granado says. "Standards are going to have to play a big part."

Katherine Burger is Editorial Director of Bank Systems & Technology and Insurance & Technology, members of UBM TechWeb's InformationWeek Financial Services. She assumed leadership of Bank Systems & Technology in 2003 and of Insurance & Technology in 1991.
