<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Lippis Report &#187; &#8220;Systems Approach To Network Security&#8221;</title>
	<atom:link href="http://lippisreport.com/tag/systems-approach-to-network-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://lippisreport.com</link>
	<description>Resources for Network / IT Business Decision Makers</description>
	<lastBuildDate>Sat, 19 May 2012 17:36:06 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>How To Prevent Data Loss From Compromising Your Company</title>
		<link>http://lippisreport.com/2008/11/how-to-prevent-data-loss-from-compromising-your-company/</link>
		<comments>http://lippisreport.com/2008/11/how-to-prevent-data-loss-from-compromising-your-company/#comments</comments>
		<pubDate>Sat, 29 Nov 2008 13:11:37 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Featured Download]]></category>
		<category><![CDATA[Podcasts]]></category>
		<category><![CDATA[Thought Leader Podcast Series]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1208</guid>
		<description><![CDATA[<p><img src="/wp-content/uploads/nasrin.jpg" alt="Nasrin Rezai, our guest from Cisco" />While the global economy slows down, network security spending continues to be robust as business and IT leaders seek to protect corporate assets, thus avoiding a major distraction when market focus is needed most. Recent analyst numbers suggest that data…</p>]]></description>
			<content:encoded><![CDATA[
<p><img src="/wp-content/uploads/nasrin.jpg" alt="Nasrin Rezai, our guest from Cisco" />While the global economy slows down, network security spending continues to be robust as business and IT leaders seek to protect corporate assets, thus avoiding a major distraction when market focus is needed most. Recent analyst numbers suggest that data loss can result from myriad corporate security vulnerabilities.  It’s getting harder to protect a company&#8217;s intellectual property as the modern concept of work is based upon anywhere and anytime electronic collaboration and the borderless enterprise.  Nasrin Rezai, Senior Director of Information Security for Cisco Systems, is my guest as we discuss PPT, or People, Process and Technology, as the strategy to keep data from being lost or stolen from your company. </p>
<p>To understand best practices of data loss prevention, you need to listen to this podcast.
</p>
<p><a href="http://lippisreport.com/2008/11/how-to-prevent-data-loss-from-compromising-your-company/">Listen to the Podcast</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/11/how-to-prevent-data-loss-from-compromising-your-company/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Special Edition Lippis Report on Network Security Issue 6: A Rational Approach to Data Loss Prevention</title>
		<link>http://lippisreport.com/2008/11/special-edition-lippis-report-on-network-security-issue-6-a-rational-approach-to-data-loss-prevention/</link>
		<comments>http://lippisreport.com/2008/11/special-edition-lippis-report-on-network-security-issue-6-a-rational-approach-to-data-loss-prevention/#comments</comments>
		<pubDate>Thu, 27 Nov 2008 13:49:10 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1220</guid>
		<description><![CDATA[<p>While the global economy slows down, network security spending continues to be robust as business and IT leaders seek to protect corporate assets and achieve compliance, thus avoiding a major distraction at a time when market focus is needed most.…</p>]]></description>
			<content:encoded><![CDATA[
<p>While the global economy slows down, network security spending continues to be robust as business and IT leaders seek to protect corporate assets and achieve compliance, thus avoiding a major distraction at a time when market focus is needed most.  The largest corporate security vulnerability is data loss, and it’s getting harder to protect against. Here’s why.</p>
<p><span id="more-1220"></span></p>
<div class="pod_wide">
<p><img height="70" width="55" src="http://lippisreport.com/wp-content/uploads/nasrin.jpg" /><strong>How To Prevent Data Loss From Compromising Your Company</strong></p>
<p><a href="/?lippis_pid=1092">Listen to the Podcast</a></p>
</div>
<p>The concept of work has changed significantly in the last decade.  Gone for good are the days of nine-to-five working hours located in a headquarters facility.  The modern concept of work is based upon anywhere and anytime electronic collaboration as computing and networking have gone mobile.  Laptops and smartphones allow work to be done everywhere, and work means sharing data and information from every place work happens to occur.  Therein lies the rub: with greater work flexibility comes greater vulnerability to data loss.  Employees are encouraged to share information and spread it freely between those with a need to know, but this comes with risk, as information, potentially even customer information, is intellectual property, which becomes more vulnerable as employees work in the field and remotely.</p>
<div class="pod_rel">
<p class="pod_p">Data Leakage Worldwide: The High Cost of Insider Threats</p>
<p><a class="pdf_icon" href="/?lippis_pid=1214">Get the White Paper</a></p>
</div>
<p>But protecting data is not limited to mobile employees; it extends to all employees regardless of where they work.   For example, compliance with regulations, presidential directives and legislative initiatives requires business and IT leaders to protect against data loss or face significant penalties.  Business and IT leaders need workable strategies to protect their intellectual property and customer data.  The problem with implementing a data loss prevention solution is that data is everywhere and so too are vulnerabilities and harsh consequences.  For example, details of 25 million child benefit recipients were lost after two discs containing the data were sent from HM Revenue and Customs to the National Audit Office (NAO) but never arrived. The data included details of millions of bank accounts.   In another example, confidential records from more than 40 global businesses were stolen and stored on an unprotected server by a Russian cyber thief. The files came from Germany (621), France (322), India (308), Great Britain (232), Spain (150), Canada (86), Italy (58), the Netherlands (46), and Turkey (1,037), among others.</p>
<div class="pod_rel">
<p class="pod_p">Data Leakage Worldwide: The Effectiveness of Security Policies</p>
<p><a class="pdf_icon" href="/?lippis_pid=1212">Get the White Paper</a></p>
</div>
<p>It gets worse. Consider the following statistics:  </p>
<p>70% of IT leaders say the use of unauthorized programs results in as much as half of data loss incidents. </p>
<p>44% of employees share work devices with others without supervision.  </p>
<p>39% of IT leaders said they have dealt with an employee accessing unauthorized parts of a company’s network or facility.  </p>
<p>46% of employees transfer files between work and personal computers.  </p>
<p>18% of employees share passwords with co-workers. That rate jumps to 25 percent in China, India, and Italy. </p>
<div class="pod_rel">
<p class="pod_p">Data Leakage Worldwide: Common Risks and Mistakes Employees Make</p>
<p><a class="pdf_icon" href="/?lippis_pid=1210">Get the White Paper</a></p>
</div>
<p>Data loss incidents are usually high profile embarrassments with large consequences, such as an Eli Lilly executive who inadvertently sent confidential M&#038;A documents to a NY Times reporter, costing the company tens of millions of dollars as the reporter wrote about the deal before an agreement had been signed.  An Ohio State University administrator inadvertently e-mailed an attachment containing faculty and staff Social Security numbers to hundreds of students.  A rogue Kaiser Permanente employee cut and pasted personal patient information on a blog in a successful effort to trigger a HIPAA violation and penalty. In the UK a hospital reported a staff member losing a USB memory stick which contained the medical records of 4,000 patients.  The largest records storage management company, Iron Mountain, lost a GE Money back-up tape containing 230 different retailers’ customer information, including Social Security numbers and credit cards.  All told, the unencrypted tape contained information on approximately 650,000 customers and held Social Security numbers for 150,000.  GE Money is paying for a year of credit monitoring services to help protect those whose Social Security numbers were compromised.  And everyone remembers TJ Maxx’s wireless LAN breach, where 45 million customer credit card numbers were stolen and used to buy over $8 million worth of merchandise. </p>
<p>Incidents like the above are difficult in good times and can be catastrophic in bad economic cycles, as they serve only to give customers pause about spending with your company.  Clearly businesses are not the only entities vulnerable; governments and their agencies are too.  Not all data loss is intentional; accidental loss occurs as well, unfortunately with the same consequences.   Further, data loss is not just the loss of electronic information but also the loss of information contained in physical documents or portable storage devices, all of which need protection as well. </p>
<div class="pod_rel">
<p class="pod_p">Perceptions and Behaviors of Remote Workers &#038; Security Considerations for IT Organizations</p>
<p><a class="pdf_icon" href="/?lippis_pid=1218">Get the White Paper</a></p>
</div>
<h3>What is Data Loss Prevention? </h3>
<p>So what is data loss prevention or DLP?  It’s a business problem that starts with the concerns of executive management about intellectual property and customer information being lost or stolen.  For many business leaders DLP is intellectual property protection, avoidance of unwelcome media coverage of a security breach and regulatory compliance assurance.  DLP discussions usually start with executive management, in order to understand data loss concerns which leads to a comprehensive DLP strategy.  A DLP strategy does not include just one technology; to mitigate data loss risk a successful DLP strategy needs to include people, process, and technology.  A DLP strategy is about educating and managing employee behavior, then using policy to enforce that behavior which is accomplished via security technology.  </p>
<p>From a risk perspective most executives think of DLP in terms of communication channels such as e-mail and web, devices such as end-points and USB sticks, and the encryption of backup tapes.   Another way to think about DLP is to protect data when in motion, while at rest on storage media, or in use on end-points and portable storage devices such as USB sticks, iPods, MP3 players, etc.  All of these areas of risk need to be mitigated and assessed from a regulatory compliance perspective against requirements such as HIPAA, GLBA, PCI, Basel II, etc. </p>
<h3>A Governance Philosophy of Non-Disciplinary Communications </h3>
<p>In addition to DLP technical solutions, addressed below, governance and corporate culture play a large part in a DLP mitigation strategy.  Changing behavior is difficult without a significant event, such as some of the firms mentioned above have experienced.  The risky behavior statistics, again mentioned above, will not change overnight, but one approach has proven helpful.  Educating employees about the dangers and risk of data loss is an important step in its prevention. Instilling a culture of non-disciplinary communications between employees and IT, where employees feel comfortable reporting a real or potential data loss to IT, is a huge step in containing damage when it occurs.  The quicker the data loss is identified, the quicker its damage can be contained.   The reality is that data is going to get out.   With all the data that flows throughout a corporation on a daily basis, there will be an accidental case periodically.   The larger problem for business and IT leaders is when employees are fearful about acknowledging their mistakes and don’t sound an alarm; then all of a sudden business and IT leaders find their company in the news, in damage control mode and answering uncomfortable questions from regulators. </p>
<h3>Two Technical Approaches to DLP </h3>
<p><strong>The DLP Overlay Approach </strong></p>
<p>DLP technology is based upon content-level inspection which is fundamental to the DLP overlay and network-based approaches presented here.   The DLP overlay is based upon IT identifying content it needs to monitor and the DLP overlay does so at every point in the IT infrastructure to prevent data loss.  DLP overlay solutions provide large amounts of information concerning how data is used and is thus effective at protecting against accidental data loss.  But DLP overlays have to be used in conjunction with other data security technology to protect against all types of data loss such as accidental, negligent, data theft, identity theft, etc.   Therefore, DLP overlay delivers auditing and compliance in respect to monitoring specific content throughout the network, but it ultimately cannot solve the business problem of data loss prevention unless it is paired with other security technology. </p>
<p>Over the past several years firms such as Vontu and Reconnex, which have been acquired by Symantec and McAfee respectively, specialized in the overlay approach.  But these overlay solutions are complex, require too much time to deploy and are costly to manage; many business leaders realize that the overlay approach cost them $10.00 to protect $5.00 worth of data.  In short, the DLP overlay is an additional layer of content security on top of an existing security infrastructure.  As a result few DLP providers are still in business as IT and business leaders recognize that DLP needs to be implemented as part of a broader system rather than a point solution for larger enterprises.  The question is what kind of broader system? </p>
<p><strong>The Network-Based DLP Approach </strong></p>
<p>McAfee, Symantec and others believe that DLP is a separate security system while others such as Cisco believe that data loss is best mitigated by understanding what data needs to be protected, and then leveraging the network to prevent data loss as the network touches every IT asset.  In short Cisco believes that DLP is best achieved by leveraging existing investments in network infrastructure, which already contains key security technology which mitigates data loss.  For example, a strong security network contains web application firewalls, VPN, Network Admission Control (NAC), data link encryption and extensive security for data in motion with technologies such as TrustSec.    </p>
<p>By examining DLP from a risk perspective, and integrating content analysis plus targeted data security into the network fabric, data protection within all communication channels is achieved, providing the broadest defense against loss.  For the above-mentioned content analysis Cisco has recently acquired IronPort, an e-mail security concern, which allows Cisco customers to implement content-aware policy within security technology in an effort to stop unauthorized e-mails from being sent out of their corporation.  Its Cisco Security Agent (CSA) offers an approach to stop unauthorized documents, data and applications from being copied onto USB sticks and other personal data storage devices, all in a single end-point security solution. </p>
<p>The network-based DLP approach is an efficient and reasonable way to achieve data loss prevention.  The network approach to DLP allows IT leaders to measure risk by identifying their most valuable data and then creating the right strategy to prevent data loss. In addition, data security policy is augmented while providing content monitoring and inspection over high-risk channels in the network. This affords a broad approach to DLP, as every corporation has unique data loss vulnerabilities it needs to mitigate.  </p>
<p>The network-based DLP approach is comprehensive and does not require a large capital outlay; nor does it increase operational spend for its management as the overlay approach does.  In short, DLP controls are distributed throughout the network infrastructure with data loss prevention achieved by configuring existing networking devices, turning on features, adding policy rules, and taking advantage of new security features added to existing network products and appliances.  Network infrastructure policies can be changed to address different risks with different profiles, all within the existing network.   For example, web application firewalls are not addressed by many DLP strategies, yet web applications are the most compromised. When hackers get through the web application firewall to a back-end credit card database, a company will find itself in a nightmare scenario.  A network-based DLP approach addresses the widest range of risk with the tools to lock data down. </p>
<p>Enforcing content policies at high-risk points is an effective data loss defense, which is very useful for auditing and accidental loss control.   For example, content filtering of e-mail, web traffic and end-point devices ensures that accidental data loss is mitigated.  With content filtering, Outlook mail may notify a user that he/she tried to send an e-mail to the wrong person and that it contained Social Security numbers.  Or content enforcement over the e-mail channel may notify the user that the e-mail they are sending contains Social Security numbers which are not supposed to be sent externally, thus providing a strong warning to prevent data loss.  Putting content enforcement over channels where employees can easily leak information is an important aspect of a network-based DLP strategy of risk mitigation.   Cisco, for example, has integrated content enforcement into security devices rather than forcing customers to buy a separate device to monitor e-mail. </p>
<p><strong>Reasonable Steps To Maximize Data Loss Prevention </strong></p>
<p>Data loss events are increasing thanks to today’s mobile corporate environment, which offers many ways to lose data.  For large global and multi-national firms, there are different social, cultural and business practices in various countries that need to be factored into a DLP solution.  In addition, in today’s global economy many business leaders do not have the patience or the budget to undergo a large complex and costly DLP overlay project.  The network-based approach to DLP offers a wide range of defenses and solutions to mitigate data loss while leveraging existing network infrastructure and personnel investments.  </p>
<p>We offer the following considerations to develop a network-based DLP implementation. </p>
<p><strong>Identify Data Loss Risks:</strong>  Business and IT leaders should identify data loss risk and associated liability.  This is perhaps the easiest part of DLP, as high visibility data loss scenarios are straightforwardly identified.  Working together, business and IT leaders with their strategic network vendor should identify all the risk scenarios that are of concern.  This includes data at rest, in motion and in use as well as regulatory compliance requirements for data and applications.   Consider communication channels such as e-mail, web, remote access, personal data storage such as USBs, mobile devices, lost or stolen laptops, physical security such as building access, and data resident on physical assets too, which if lost or stolen would constitute a security breach of intellectual property and/or customer data.   </p>
<p><strong>Network-Based DLP Planning:</strong>  With data loss risk scenarios identified, IT leaders can now review their network infrastructure to assess its ability to mitigate these liabilities. Two important network-based DLP areas for IT leaders to focus on are e-mail and storage.  Clearly large firms have deployed switches, WLANs, firewalls, routers and remote access network infrastructure devices.  But have Network Admission Control and TrustSec been turned on? These are two important DLP network features providing authorized access to data and network encryption protecting data in motion, at rest and in use.   Content enforcement of e-mail via the network mitigates both unauthorized and accidental data loss from e-mail systems.   Other considerations are the network’s ability to provide remote access via SSL VPN, ensuring that remote connections are encrypted, or to ensure that remote desktop applications are cleared of confidential information after use, mitigating specific data loss scenarios.  There are numerous opportunities for data loss; IT leaders can close these vulnerabilities by leveraging their network.  </p>
<p><strong>Employee Data Loss Prevention Training/Education:</strong>  IT leaders are encouraged to develop training that sensitizes employees to risky behavior.  Many may not view their behavior as risky.  Usually it’s not until events such as those presented earlier take place that employees fully understand the risk that they put their corporation in with password sharing, accessing unauthorized applications, sharing computers, transferring files between home and work computers, etc.  Boundaries and acceptable use policies on better data usage are often viewed favorably, as most employees are good corporate citizens.  </p>
<p><strong>Data loss governance: </strong> Consider a corporate culture that encourages employees to inform managers and IT leaders of a data loss without fear of recrimination.  This will allow IT to react quickly to data loss, contain damage and even potentially avoid its consequences.  </p>
<p>Most IT leaders are concerned about losing data over personal storage devices such as USB sticks and through email systems.  A good DLP solution needs to provide strong risk mitigation solutions to these two concerns plus additional risk scenarios identified by business and IT leaders.  The global economy is entering a difficult cycle, which can be made worse with the high profile visibility associated with data loss security breaches.  The opportunities for breaches are increasing as corporations have expanded the diameter of their business processes and operations thanks to mobile devices and remote access network solutions.  The network-based approach to DLP offers a rational method that expands data loss defense options by leveraging existing investments in network equipment and skilled personnel.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/11/special-edition-lippis-report-on-network-security-issue-6-a-rational-approach-to-data-loss-prevention/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Perceptions and Behaviors of Remote Workers &amp; Security Considerations for IT Organizations</title>
		<link>http://lippisreport.com/2008/11/perceptions-and-behaviors-of-remote-workers-security-considerations-for-it-organizations/</link>
		<comments>http://lippisreport.com/2008/11/perceptions-and-behaviors-of-remote-workers-security-considerations-for-it-organizations/#comments</comments>
		<pubDate>Thu, 27 Nov 2008 13:26:02 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1218</guid>
		<description><![CDATA[<p>By InsightExpress </p>
<p>This presentation is a detailed market research of the perceptions and behaviors of remote workers.  The data is based upon a study of employees and IT professionals around the world.  As part of the study, surveys were conducted…</p>]]></description>
			<content:encoded><![CDATA[<p>By InsightExpress </p>
<p>This presentation is detailed market research on the perceptions and behaviors of remote workers.  The data is based upon a study of employees and IT professionals around the world.  As part of the study, surveys were conducted in 10 countries because of the differences in social and business cultures.  In each country, 100 end-users and 100 IT professionals were surveyed, producing a total of 2000 respondents.  Security considerations for IT organizations are identified.
</p>
<p><a href="http://lippisreport.com/2008/11/perceptions-and-behaviors-of-remote-workers-security-considerations-for-it-organizations/">View the Presentation</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/11/perceptions-and-behaviors-of-remote-workers-security-considerations-for-it-organizations/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The Challenge of Data Leakage For Businesses and Employees Around the World</title>
		<link>http://lippisreport.com/2008/11/the-challenge-of-data-leakage-for-businesses-and-employees-around-the-world/</link>
		<comments>http://lippisreport.com/2008/11/the-challenge-of-data-leakage-for-businesses-and-employees-around-the-world/#comments</comments>
		<pubDate>Thu, 27 Nov 2008 13:24:53 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1216</guid>
		<description><![CDATA[<p>By InsightExpress </p>
<p>This presentation is detailed market research identifying the risks and challenges of data leakage for businesses and employees around the world.  The data is based upon a study of employees and IT professionals around the world.  As part…</p>]]></description>
			<content:encoded><![CDATA[<p>By InsightExpress </p>
<p>This presentation is detailed market research identifying the risks and challenges of data leakage for businesses and employees around the world.  The data is based upon a study of employees and IT professionals around the world.  As part of the study, surveys were conducted in 10 countries because of the differences in social and business cultures.  In each country, 100 end-users and 100 IT professionals were surveyed, producing a total of 2000 respondents.  Risky employee behaviors are identified along with mitigation approaches.
</p>
<p><a href="http://lippisreport.com/2008/11/the-challenge-of-data-leakage-for-businesses-and-employees-around-the-world/">View the Presentation</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/11/the-challenge-of-data-leakage-for-businesses-and-employees-around-the-world/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Leakage Worldwide: The High Cost of Insider Threats</title>
		<link>http://lippisreport.com/2008/11/data-leakage-worldwide-the-high-cost-of-insider-threats/</link>
		<comments>http://lippisreport.com/2008/11/data-leakage-worldwide-the-high-cost-of-insider-threats/#comments</comments>
		<pubDate>Thu, 27 Nov 2008 13:22:55 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1214</guid>
		<description><![CDATA[<p>By InsightExpress and Cisco Systems </p>
<p>Data loss resulting from employee behavior poses a much more extensive threat than many IT professionals believe.  Commissioned by Cisco and conducted by U.S.-based market research firm InsightExpress, the study polled more than 2000 employees…</p>]]></description>
			<content:encoded><![CDATA[<p>By InsightExpress and Cisco Systems</p>
<p>Data loss resulting from employee behavior poses a much more extensive threat than many IT professionals believe.  Commissioned by Cisco and conducted by U.S.-based market research firm InsightExpress, the study polled more than 2000 employees and information technology professionals in 10 countries.  In the hands of uninformed, careless, or disgruntled employees, every device that accesses the network or stores data is a potential risk to intellectual property or sensitive customer data.  Magnifying this problem is a disconnect between the beliefs of IT professionals and the realities of the current security environment for countless businesses. The new findings show that “insider threats” have the potential to cause greater financial losses than attacks that originate outside the company.
</p>
<p><a href="http://lippisreport.com/2008/11/data-leakage-worldwide-the-high-cost-of-insider-threats/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/11/data-leakage-worldwide-the-high-cost-of-insider-threats/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Leakage Worldwide: The Effectiveness of Security Policies</title>
		<link>http://lippisreport.com/2008/11/data-leakage-worldwide-the-effectiveness-of-security-policies/</link>
		<comments>http://lippisreport.com/2008/11/data-leakage-worldwide-the-effectiveness-of-security-policies/#comments</comments>
		<pubDate>Thu, 27 Nov 2008 13:21:35 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1212</guid>
		<description><![CDATA[<p>By InsightExpress and Cisco Systems </p>
<p>A set of findings from a global security study on data leakage revealed that many companies do not have security policies—and that security policies that are in place are often ineffective.  The survey included more…</p>]]></description>
			<content:encoded><![CDATA[<p>By InsightExpress and Cisco Systems</p>
<p>A set of findings from a global security study on data leakage revealed that many companies do not have security policies—and that security policies that are in place are often ineffective.  The survey included more than 2000 employees and information technology professionals in 10 countries. The findings offer insight into how the use and effectiveness of security policies affect data leakage:  As the lines blur between work and home, and as employees use an increasing number of interactive applications and devices, data loss has become one of the most prominent concerns for businesses around the world. Creating, communicating, and enforcing sensible security policies are critical to protecting corporate assets.
</p>
<p><a href="http://lippisreport.com/2008/11/data-leakage-worldwide-the-effectiveness-of-security-policies/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/11/data-leakage-worldwide-the-effectiveness-of-security-policies/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Leakage Worldwide: Common Risks and Mistakes Employees Make</title>
		<link>http://lippisreport.com/2008/11/data-leakage-worldwide-common-risks-and-mistakes-employees-make/</link>
		<comments>http://lippisreport.com/2008/11/data-leakage-worldwide-common-risks-and-mistakes-employees-make/#comments</comments>
		<pubDate>Thu, 27 Nov 2008 13:20:00 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=1210</guid>
		<description><![CDATA[<p>By InsightExpress and Cisco Systems </p>
<p>To understand the challenge that increasingly distributed and mobile businesses face in protecting sensitive information, Cisco commissioned third-party market research firm InsightExpress to conduct a study with employees and IT professionals around the world. As…</p>]]></description>
			<content:encoded><![CDATA[<p>By InsightExpress and Cisco Systems</p>
<p>To understand the challenge that increasingly distributed and mobile businesses face in protecting sensitive information, Cisco commissioned third-party market research firm InsightExpress to conduct a study with employees and IT professionals around the world. As part of the study, surveys were conducted in 10 countries because of the differences in their social and business cultures. The research discovered that despite the security policies, procedures, and tools currently in place, employees around the world are engaging in risky behaviors that put corporate and personal data at risk. To reduce data leakage, businesses must integrate security into the corporate culture and consistently evaluate the risks of every interaction with networks, devices, applications, data, and of course, other users.
</p>
<p><a href="http://lippisreport.com/2008/11/data-leakage-worldwide-common-risks-and-mistakes-employees-make/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/11/data-leakage-worldwide-common-risks-and-mistakes-employees-make/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cisco Virtual Office Services</title>
		<link>http://lippisreport.com/2008/09/cisco-virtual-office-services/</link>
		<comments>http://lippisreport.com/2008/09/cisco-virtual-office-services/#comments</comments>
		<pubDate>Tue, 09 Sep 2008 05:06:42 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=981</guid>
		<description><![CDATA[<p>By Cisco Systems </p>
<p>The Cisco Virtual Office solution enables organizations to extend the campus or headquarters office network environment to remote sites or teleworkers. The solution includes voice-enabled and video-enabled IP communications and collaboration applications enabled by advanced network and…</p>]]></description>
			<content:encoded><![CDATA[<p>By Cisco Systems</p>
<p>The Cisco Virtual Office solution enables organizations to extend the campus or headquarters office network environment to remote sites or teleworkers. The solution includes voice-enabled and video-enabled IP communications and collaboration applications enabled by advanced network and security services that are easy to deploy and maintain.  As part of the Cisco Virtual Office solution, Cisco and their approved partners can help you successfully deploy and integrate headend solution components and guide you through automating the deployment and management of remote sites by providing support for planning, design, and implementation. They also help you reduce operating costs; keep devices working efficiently; and continually assess, tune, and evolve your Cisco Virtual Office to keep pace with changes in your business and evolving security threats through ongoing operational support and optimization.  </p>
<p>To find out more about Cisco Virtual Office Services download this paper.
</p>
<p><a href="http://lippisreport.com/2008/09/cisco-virtual-office-services/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/09/cisco-virtual-office-services/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cisco Virtual Office: Flexibility and Productivity for Your Workforce</title>
		<link>http://lippisreport.com/2008/09/cisco-virtual-office-flexibility-and-productivity-for-your-workforce/</link>
		<comments>http://lippisreport.com/2008/09/cisco-virtual-office-flexibility-and-productivity-for-your-workforce/#comments</comments>
		<pubDate>Tue, 09 Sep 2008 05:05:08 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=978</guid>
		<description><![CDATA[<p>By Cisco Systems</p>
<p>The Cisco Virtual Office solution provides secure network services to workers at locations outside of the traditional corporate office, including teleworkers, full- and part-time home-office workers, mobile contractors, and executives. By providing extensible network services that include data,…</p>]]></description>
			<content:encoded><![CDATA[<p>By Cisco Systems</p>
<p>The Cisco Virtual Office solution provides secure network services to workers at locations outside of the traditional corporate office, including teleworkers, full- and part-time home-office workers, mobile contractors, and executives. By providing extensible network services that include data, voice, video, and applications, the Cisco Virtual Office effectively creates a comprehensive office environment for employees regardless of their location.  This short white paper is an overview of Cisco Virtual Office.  Give it a few minutes and you will have a great understanding of its offering. </p>
<p>To find out more about Cisco Virtual Office download this paper.
</p>
<p><a href="http://lippisreport.com/2008/09/cisco-virtual-office-flexibility-and-productivity-for-your-workforce/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/09/cisco-virtual-office-flexibility-and-productivity-for-your-workforce/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Enterprise-Class Teleworker Product Test</title>
		<link>http://lippisreport.com/2008/09/enterprise-class-teleworker-product-test/</link>
		<comments>http://lippisreport.com/2008/09/enterprise-class-teleworker-product-test/#comments</comments>
		<pubDate>Tue, 09 Sep 2008 05:02:12 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=976</guid>
		<description><![CDATA[<p>By Miercom </p>
<p>Cisco Systems engaged Miercom to evaluate the Enterprise-class Teleworker (ECT) solution, the precursor to Cisco’s new Cisco Virtual Office.  ECT is a highly scalable Cisco IOS Software solution that securely integrates network and management infrastructures and applications all…</p>]]></description>
			<content:encoded><![CDATA[<p>By Miercom</p>
<p>Cisco Systems engaged Miercom to evaluate the Enterprise-class Teleworker (ECT) solution, the precursor to Cisco’s new Cisco Virtual Office.  ECT is a highly scalable Cisco IOS Software solution that securely integrates network and management infrastructures and applications all within a single device. The folks at Miercom run ECT through its paces.  With many of the same features of CVO, this is a good testing report that demonstrates some of the important CVO features. </p>
<p>To find out more about Cisco Virtual Office download this paper.
</p>
<p><a href="http://lippisreport.com/2008/09/enterprise-class-teleworker-product-test/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/09/enterprise-class-teleworker-product-test/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Cisco Virtual Office Deployment Guide</title>
		<link>http://lippisreport.com/2008/09/cisco-virtual-office-deployment/</link>
		<comments>http://lippisreport.com/2008/09/cisco-virtual-office-deployment/#comments</comments>
		<pubDate>Tue, 09 Sep 2008 05:01:53 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=972</guid>
		<description><![CDATA[<p>By Cisco Systems </p>
<p>Cisco Virtual Office is a highly scalable solution for medium and large organizations looking to provide teleworkers, small offices, and mobile users with an office-like experience combining voice, video, wireless, and real-time data applications in a secure…</p>]]></description>
			<content:encoded><![CDATA[<p>By Cisco Systems</p>
<p>Cisco Virtual Office is a highly scalable solution for medium and large organizations looking to provide teleworkers, small offices, and mobile users with an office-like experience combining voice, video, wireless, and real-time data applications in a secure environment. Cisco Virtual Office features zero-touch deployment, allowing enterprise IT staff to provision and manage large-scale deployments with improved efficiency. Multiple access methods for workers at home, workers at remote offices, or mobile workers can be aggregated into a converged VPN without the need for separate aggregation and management models. The solution integrates layered identity services that provide control over the devices and users that use the network as well as the extent to which various users have access to resources in trusted and untrusted domains.</p>
<p>To find out more about Cisco Virtual Office download this paper.
</p>
<p><a href="http://lippisreport.com/2008/09/cisco-virtual-office-deployment/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/09/cisco-virtual-office-deployment/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Special Edition Lippis Report on Network Security Issue 4: Deploying Teleworking Solutions in Scale: Part 1</title>
		<link>http://lippisreport.com/2008/09/special-edition-lippis-report-on-network-security-issue-4-deploying-teleworking-solutions-in-scale-part-1/</link>
		<comments>http://lippisreport.com/2008/09/special-edition-lippis-report-on-network-security-issue-4-deploying-teleworking-solutions-in-scale-part-1/#comments</comments>
		<pubDate>Tue, 09 Sep 2008 05:00:12 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=984</guid>
		<description><![CDATA[<p>Working from home has always been a different IT experience than being in the office.  Home connectivity was restricted to dial-in, VPN and client-based solutions.  Voice service was usually the house phone.  Then broadband came to the market and connection…</p>]]></description>
			<content:encoded><![CDATA[
<p>Working from home has always been a different IT experience than being in the office.  Home connectivity was restricted to dial-in, VPN and client-based solutions.  Voice service was usually the house phone.  Then broadband came to the market and connection speeds ramped up, offering faster application performance, which was better but still a major downgrade from the office IT experience.  This poor experience dampened the growth of teleworking, which was good news for most IT leaders, as their concerns were security vulnerabilities and management.  But with advanced integration of networks and communications, the gap between office and home IT experience is closing fast.  In addition, a confluence of factors ranging from green initiatives to governmental requirements, work-home lifestyle changes, business expense controls, business continuity and new teleworking solutions is giving business and IT leaders the motivation to embrace and massively deploy teleworking solutions.</p>
<p><span id="more-984"></span></p>
<div class="pod_wide">
<p><img height="70" width="55" src="http://lippisreport.com/wp-content/uploads/cc.jpg" /><strong>The Time Is Right For Massive Teleworking Deployments</strong></p>
<p><a href="/?lippis_pid=969">Listen to the Podcast</a></p>
</div>
<p>There have long been inhibitors to massive teleworking deployment.  IT management has been concerned with the lack of security measures to close vulnerabilities and keep exploits from propagating into corporate IT assets from thousands, if not more, home connections.  Operating and managing thousands of far-flung connections is their other inhibitor.  Business managers have been concerned with a potential drop in productivity as home workers may be distracted from their work.  In short, business managers did not have the proper level of trust in their staff and were unfamiliar with a remote working model.  Employees also need a certain amount of face time with other employees to establish relationships and trust before they can be productive working at home.</p>
<div class="pod_rel">
<p class="pod_p">Cisco Virtual Office Services</p>
<p><a href="http://lippisreport.com/?lippis_pid=981" class="pdflink">Get the Paper</a></div>
<p>For teleworking solutions to be successful, they need to bring office-caliber resources and the office experience to employees working at home or in very small offices.  Teleworking individuals also gain value by reducing their commute times and gasoline consumption, and experiencing a more balanced lifestyle in a work/home environment.  IT leaders need to be assured that back doors into their IT assets are closed and secure, and that managing thousands to tens of thousands of remote home connections does not require new IT staff or overburden their existing operations.  For business leaders, teleworking offers a range of benefits including access to a larger labor pool, office expense reduction, increased productivity, a green initiative, gaining tax incentives, business continuity and much more.  In short, business leaders are starting to understand the value and benefits of the remote working model.</p>
<div class="pod_rel">
<p class="pod_p">Cisco Virtual Office: Flexibility and Productivity for Your Workforce</p>
<p><a href="http://lippisreport.com/?lippis_pid=978" class="pdflink">Get the Paper</a></div>
<p>And it’s good that there is something positive for all three stakeholders &#8212; users, IT and business leaders &#8212; because the world market of teleworking individuals is large and getting larger.  The worldwide corporate teleworking population of individuals who spend at least one day a month teleworking from home will show a compound annual growth rate (CAGR) of 4.3% between 2007 and 2011, according to Gartner Group. This population will reach over 112 million by the end of 2011.  In the same period, the worldwide corporate teleworking population of individuals who spend at least one day a week teleworking from home will show a CAGR of 4.4% ballooning to 46.6 million by year end 2011.  The big teleworking markets are the US, Western Europe and Japan with Asia/Pacific lagging behind. </p>
<p>There are five fundamental drivers fueling the above growth in teleworking: </p>
<p><strong>Business Dynamics and Benefits:</strong> A few fundamental business trends are feeding the need for increased teleworking.  One strong trend is globalization, prevalent across many different industries, which forces business managers to keep their operations agile by finding and attracting talent wherever it resides.  The old model of hiring skills that are local to physical facilities is outdated, as business leaders are forced to expand their labor pool reach by plugging remote employees into the corporation.  The workforce has been and will continue to be distributed.  In fact, 62% of corporations have added new branch offices, accounting for an 11% year over year growth in their deployments according to a recent Nemertes Research study.  Further, the majority of new hires are now targeted to branch office staffing ranks.  Eight out of ten new hires are staffed into non-headquarter facilities, with telecommuting being the natural extension of this new business model.  The motivation?  Simply being close to customers, attracting talent, gaining the best skills available on the global stage and maintaining operations when or if a man-made or natural disaster hits.</p>
<div class="pod_rel">
<p class="pod_p">Enterprise-Class Teleworker Product Test</p>
<p><a href="http://lippisreport.com/?lippis_pid=976" class="pdflink">Get the Paper</a></div>
<p>Business and IT leaders are continually reviewing operations to reduce expense.  For telecommuting initiatives, real estate downsizing and lower energy consumption are two of the largest operational benefits.  From a cost of deployment point of view, Total Cost of Ownership (TCO) and Return on Investment (ROI) are inversely proportional to each other.  Upfront capital acquisition is offset by lower operational facility cost plus higher productivity, returning the investment over time.  In fact, American Century Investments justified the acquisition cost of its 100-plus teleworking solution with reductions in wide area facilities cost.  In short, wide area cost savings from reduced PSTN lines and bulk broadband purchases provided the dollars to fund the capital cost of its teleworking solution.</p>
<p>With teleworking solutions, scale is important, and centralizing complexity allows for a quicker return, since each new remote site is added for essentially the cost of the teleworking equipment (a network device and IP phone).</p>
<p><strong>Technology Enablement:</strong>  The convergence of multiple services and technologies into one small package that exploits a broadband connection is the main contributor to the high growth in teleworking.  Being able to integrate unified communications, IP video services, firewall, intrusion prevention, content filtering, routing, switching, wireless LAN services and application delivery into one device that operates over a high speed broadband connection nearly eliminates the office-home IT experience gap.  This advanced integration of networks and communications enables teleworkers to be just as productive as they are in the office by delivering nearly the same application performance and communication options available in the office.  In short, some teleworking solutions, such as Cisco’s new Cisco Virtual Office announced September 9, 2008, are delivering a virtual office experience.</p>
<p>For IT management, new teleworking offerings provide solutions to network security and scale.  Some teleworking solutions have centralized complexity and distributed functionality so that adding new home users is straightforward and does not require user configuration.  The use of tunnels for voice, data and management allows IT personnel to perform routine tasks such as updates, policy rule downloads and new configurations for thousands or tens of thousands of telecommuters with zero user touch.  Layered identity-based security authenticates and identifies both user and device, isolates domains and locks out stolen/lost or hacked devices.  In addition, updated exploit signatures are distributed to teleworkers centrally by IT operations, assuring business managers that their IT assets are protected with the latest defenses.  All of these operations are performed without the teleworker having to touch their computer, network device or IP phone, a huge advantage for both teleworkers and IT management and a departure from past approaches.</p>
<div class="pod_rel">
<p class="pod_p">Cisco Virtual Office Deployment Guide</p>
<p><a href="http://lippisreport.com/?lippis_pid=972" class="pdflink">Get the Paper</a></div>
<p><strong>Productivity:</strong>  With high-speed networks and integrated communications, teleworkers now have access to all the resources, tools and technologies that they need to be as efficient and productive in a home office as they are in their corporate offices.  Many find that they are more productive in their home office as they are able to focus with minimal interruptions.  To address business manager concerns about keeping remote employees productive and plugged in, there is a wide range of communication tools available including UC, social networking sites such as Facebook and Twitter, instant messaging, IP video conferencing, etc.   </p>
<p>In particular, Facebook pioneered a concept called the News Feed, which has been widely adopted by other networks. When you log into Facebook, you&#8217;re treated to an immediate stream of information about other people in your network. You immediately know about changes in their lives or schedule, when and where they&#8217;ve gone on vacation, what project they&#8217;re working on, what they&#8217;re reading, what conferences they&#8217;re attending and what they think you should be reading and attending.  Other services like FriendFeed have expanded this idea to a broad range of online services. Twitter adds immediacy that other services don’t.  The “friending” feature of social networks is the single most important factor that can keep remote employees plugged into the organization.  Instant Messaging (IM) is the replacement for the water cooler, offering quick messages between staff or small talk.  Unified Communications (UC) brings all the corporate voice services such as presence, direct dial, call log, directory, click-to-call and click-to-conference to the home office.  In addition, corporate collaboration tools such as WebEx allow remote employees to host or be a guest in customer and employee presentations and meetings, while click-to-conference enables live video sessions between teleworkers and other employees. </p>
<p><strong>Business Continuity: </strong>  Business continuity or employee resiliency is another important driver for teleworking.  Having a large teleworking infrastructure allows businesses to be productive and continue essential operations during disasters such as pandemics and massive storms plus man-made disasters by keeping key employees networked from home. </p>
<p><strong>Regulation and Corporate Green Initiatives:</strong>  Consider that a typical US employee commutes approximately 7,000 miles per year.  On average, 0.45 tons of CO2 are emitted into the atmosphere for every 1,000 miles driven.  Gartner says that there are 13.3 million US telecommuters working at home at least one day a week.  These teleworkers save some 8.5 million tons of CO2 from being emitted into the atmosphere, and as the price of gasoline rises they also save disposable income. </p>
<p>This math is becoming well understood around the globe.  Many governments including the US, Japan, France, Sweden, Germany, et al have mandatory requirements for government workers to telework while providing business incentives to do the same.  In central London a congestion charge is imposed on motorists in downtown areas to provide additional incentive to telecommute.  The same was proposed in NY City.  States like Washington are legislating telecommuting, requiring Seattle to penalize companies for not reducing year-over-year average employer commute times. Look for only more business incentives and regulations to cut down CO2 emissions and traffic congestion. </p>
<p>Some business and IT leaders questioned the energy savings benefits of teleworking as they believed that energy consumption shifted from corporate to personal.  Sun Microsystems commissioned a study to address this question and found that an employee working from home consumed less than 50 percent of the energy that would have been spent if they had come into the office.  The findings of this study put an end to questions about teleworking energy conservation. </p>
<p>The above five drivers are replacing old inhibitors with strong motivation to business and IT leaders to develop and deploy massive teleworking initiatives.  In Part 2 of “Deploying Teleworking Solutions in Scale” we’ll focus on different uses of teleworking and provide a teleworking architectural view and framework that business and IT leaders can use as they plan their own initiatives. </p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/09/special-edition-lippis-report-on-network-security-issue-4-deploying-teleworking-solutions-in-scale-part-1/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>The Time Is Right For Massive Teleworking Deployments</title>
		<link>http://lippisreport.com/2008/09/the-time-is-right-for-massive-teleworking-deployments/</link>
		<comments>http://lippisreport.com/2008/09/the-time-is-right-for-massive-teleworking-deployments/#comments</comments>
		<pubDate>Tue, 09 Sep 2008 05:00:07 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Podcasts]]></category>
		<category><![CDATA[Thought Leader Podcast Series]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=969</guid>
		<description><![CDATA[<p><img src="/wp-content/uploads/cc.jpg" alt="Calvin Chai, podcast guest" />Working from home has always been a different IT experience than being in the office.  Home connectivity was restricted to dial-in, VPN or client-based solutions with voice service usually being the house phone.  This poor experience dampened the growth of…</p>]]></description>
			<content:encoded><![CDATA[
<p><img src="/wp-content/uploads/cc.jpg" alt="Calvin Chai, podcast guest" />Working from home has always been a different IT experience than being in the office.  Home connectivity was restricted to dial-in, VPN or client-based solutions with voice service usually being the house phone.  This poor experience dampened the growth of teleworking, which was good news for most IT leaders as their concerns were security vulnerabilities and management. But with advanced integration of networks and communications in a small appliance, the gap between office and home IT experience is closing fast.  A confluence of factors ranging from green initiatives to governmental requirements, work-home lifestyle changes, business expense controls and new teleworking solutions is giving business and IT leaders the motivation to embrace and massively deploy teleworking solutions.  Mr. Calvin Chai, Senior Marketing Executive at Cisco, is my guest as we discuss Cisco’s new Cisco Virtual Office offering, a teleworking solution that can be deployed in scale.
</p>
<p><a href="http://lippisreport.com/2008/09/the-time-is-right-for-massive-teleworking-deployments/">Listen to the Podcast</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/09/the-time-is-right-for-massive-teleworking-deployments/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Special Edition Lippis Report on Network Security Issue 3: Scaling NAC to Campus LANs</title>
		<link>http://lippisreport.com/2008/07/special-edition-lippis-report-on-network-security-issue-3-scaling-nac-to-campus-lans/</link>
		<comments>http://lippisreport.com/2008/07/special-edition-lippis-report-on-network-security-issue-3-scaling-nac-to-campus-lans/#comments</comments>
		<pubDate>Tue, 29 Jul 2008 00:19:02 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/07/28/special-edition-lippis-report-on-network-security-issue-3-scaling-nac-to-campus-lans/</guid>
		<description><![CDATA[<p>In this Lippis Report we offer an update to Network Access Control (NAC).  The NAC market is at a pivotal point, as a key piece of technology that offers a third mode of operation is about to enter the market.…</p>]]></description>
			<content:encoded><![CDATA[
<p>In this Lippis Report we offer an update to Network Access Control (NAC).  The NAC market is at a pivotal point, as a key piece of technology that offers a third mode of operation is about to enter the market.  This third mode, based upon authentication and distribution of NAC functions across existing appliances and network infrastructure will enable NAC to scale across an enterprise from its early deployments of guest, wireless and remote access to headquarter and campus LAN environments.  We offer a view of how the NAC market is progressing and detail this distribution of NAC functions and enabling mode of operation which will allow business and IT leaders to build strong defenses in one of their most critical IT assets, the campus LAN. </p>
<div class="pod_wide">
<p><img src="/wp-content/uploads/_stevensong.jpg" width="55" height="70" alt="Steven Song" /><strong>Scaling NAC to Campus LANs</strong></p>
<p><a href="http://lippisreport.com/?lippis_pid=855&#038;lippis_fil=steven_song_cisco_7_26_08.mp3">Listen to the Podcast</a></p>
</div>
<p><span id="more-861"></span></p>
<div class="pod_rel">
<p class="pod_p">University of Pisa develops trail-blazing approach for cost effective compliance and protection of large city campus networks</p>
<p><a href="http://lippisreport.com/?lippis_pid=856&#038;lippis_fil=_university_pisa_cisco_case_study.pdf" class="pdflink">Case Study</a></div>
<p>Network Access Control (NAC) has gone through the typical cycle of new IT technologies. When a new IT technology is first introduced, industry analysts and press are euphoric over its potential to solve a hard problem.  This euphoria is replaced by disillusionment when the speed of deployment is much slower than first anticipated, usually due to implementation difficulties and/or feature deficits.  After a period of disillusionment, IT suppliers fix problems and repackage solutions while analysts and press set the right expectations for buyers.  IT buyers, armed with a realistic view of the IT technology, start to implement en masse.   This is what I call the reality phase. </p>
<p>NAC is now at the reality phase with many industry observers believing that over the next two years (2008 to 2010) there will be aggressive NAC deployments.  For example, IDC estimates that LAN-based NAC shipments over a 7-year period will grow at a Compound Annual Growth Rate (CAGR) of 45% with 2007-9 being peak years.  Infonetics predicts a 68% CAGR over the next 5 years, while Gartner is very bullish with a +100% year over year projection.  The size of the NAC market is difficult to predict as it varies widely depending upon what is counted.  For example, do you count the Ethernet switch for network-based enforcement?  Some may count Microsoft Windows Server 2008 as part of NAC equipment as well.  So the overall NAC market is on the order of a few billion dollars with NAC appliances sized in the hundreds of millions of dollars range.   With high CAGRs and large market size, NAC is shaping up to be a very explosive market fueled with high-octane growth. </p>
<div class="pod_rel">
<p class="pod_p">Food Manufacturer Extends Its Workplace with Secure Remote Access</p>
<p><a href="http://lippisreport.com/?lippis_pid=857&#038;lippis_fil=_delmonte_food_cisco.pdf" class="pdflink">Case Study</a></div>
<p>It took some time for NAC to get to this point and there had to be an industry shake-up with Lockdown Networks closing its doors, ConSentry Networks changing executive management a few times, Cisco focusing on its NAC appliance offering and the linking between NAC and Microsoft&#39;s NAP.  2008 is the launch year for NAC as there are substantial and improved solutions being introduced.  For example, Microsoft recently released their NAP product, which builds their solution into an overall infrastructure offering.  Cisco is doing the same by unifying its NAC infrastructure and appliance portfolio, which combines both together with what is called the &quot;NAC portfolio unification&quot;.   </p>
<div class="pod_rel">
<p class="pod_p">Utility Overhauls Network Defenses to Boost Control and Visibility</p>
<p><a href="http://lippisreport.com/?lippis_pid=858&#038;lippis_fil=_jones_onslow_cisco_case_study.pdf" class="pdflink">White Paper</a></div>
<p>NAC deployments will accelerate this year because IT leaders are being offered comprehensive offerings and options as they move forward with their developments.  With system-wide access control solutions available, IT and business leaders are now looking at a bigger picture.  They are asking how they can use NAC not only as a single point solution, but also as part of their overall security strategy and infrastructure.  Clearly most firms have two main IT layers.  Microsoft represents the desktop and end-point layer while Cisco is the dominant infrastructure layer.  These two layers represent big portions of most enterprise IT budgets.  It&#39;s no wonder that most dollars spent on NAC and NAP will flow to these two firms.  Case in point, NAC solutions are transitioning from point appliance and use solutions to a comprehensive system approach offering greater defense across more use scenarios.<br />
What is driving NAC deployments?  A few things: the need for identity-based access control, end-point policy enforcement, configuration of guest and unmanaged users, and compliance reporting.  Most NAC deployments start with VPN, wireless and guest access, moving on to remote offices and the campus LAN.  NAC was first deployed in areas that had high security concerns: wireless access, guest access and protecting campus LANs from remote users.  Many start-up concerns focused on these opportunities with the result being that NAC is deployed around campus and headquarter facilities.  With NAC surrounding campus LANs and with comprehensive system solutions, NAC is now ready to be deployed within campus LANs to provide both inside and outside access control. </p>
<p><b>What NAC Provides</b></p>
<div class="pod_rel">
<p class="pod_p">Boosting Business Development with Citywide Wireless Access</p>
<p><a href="http://lippisreport.com/?lippis_pid=859&#038;lippis_fil=_dublin_ohio_cisco_case_study.pdf" class="pdflink">White Paper</a></div>
<p>NAC provides a level of control around users and devices based upon access policy.  NAC, governed by access policy, verifies who the users are and what kind of devices they bring to the network.  To accomplish this, a complete NAC solution should cover the following four functional areas:</p>
<p><b>Authentication plus Authorization:</b>  This function enforces authorization policies and privileges and supports multiple user roles such as guest, accountant, consultant, board member, assistant, etc. </p>
<p><b>Scanning plus Evaluation:</b>  This function provides an agent scan for required versions of hot-fixes, anti-virus, et al.  In addition to device scans, network scans for virus and worm infections plus port vulnerabilities are included here. </p>
<p><b>Quarantine plus Enforcement:</b> This important function isolates non-compliant devices from the rest of the network by either MAC or IP-based quarantine, effective at a per-user level. </p>
<p><b>Updating plus Remediation:</b>  This function provides network-based tools for vulnerability and threat remediation plus help-desk integration. </p>
<div class="pod_rel">
<p class="pod_p">Cisco Network Admission Control and Microsoft Network Access Protection Interoperability Architecture</p>
<p><a href="http://lippisreport.com/?lippis_pid=860&#038;lippis_fil=_WhitePaper-NAC-NAP-joint.pdf" class="pdflink">White Paper</a></div>
<p>Most of the established NAC vendors have all four functional areas covered, with some providers stronger in one area or another.  Some of the smaller NAC appliances focus on one or two of the above functional components.    For example, Lockdown Networks, who recently wound down their operations, was strong in Authentication plus Authorization and in Quarantine plus Enforcement but was weak in Scanning plus Evaluation and Updating plus Remediation.  When Microsoft finally brought NAP to market, Lockdown&#39;s value proposition became too weak to sustain its operations and it was forced to shut down.  ConSentry is similar but they also provide network-based enforcement via their own Ethernet switches and controllers, which has proved to be a good approach for them thus far.  They need a good scanning and remediation engine, however.  There are many NAC providers such as HP ProCurve with their NAC appliance sourced from StillSecure, CounterACT from ForeScout Technologies, Dynamic NAC Suite from InfoExpress, EasyNAC from NetClarity, EdgeWall from Vernier Networks, Juniper&#39;s Unified Access Control, Nortel&#39;s Secure Network Access and many others.  Here we focus on Cisco due to its size and efforts. </p>
<p><b>Cisco&#39;s NAC Portfolio  </b></p>
<p>Cisco defined and created the NAC market and it now has some 3,000 NAC customers.  Cisco started with an infrastructure-based approach and subsequently added the appliance-based approach.   Cisco and the market are now at a point where they are ready to combine the two sides together with what is called the &quot;NAC portfolio unification&quot;.    NAC portfolio unification is designed to take the appliance-based focus and infrastructure-based focus and make the best out of both worlds.</p>
<p>Cisco&#39;s NAC components are organized into three categories:  </p>
<p><b>Policy:</b>  The policy component is the largest category, including its NAC Manager, which delivers centralized management, configuration, reporting and policy store.  The NAC Server is tasked with posture assessment and enforcement.  Its Ruleset updates provide scheduled automatic rulesets for anti-virus, Microsoft hot-fixes, etc.  More on Ruleset updates below.  The NAC Profiler profiles unmanaged devices and applies policy based upon device type.  The NAC Guest Server is a full-featured guest provisioning server. </p>
<p><b>Optional End-point Client:</b>  Cisco offers a NAC Agent that is either persistent, meaning that it is permanent on the end-point or dissolvable, meaning that it dissolves after access is granted.  It also offers a web agent and 802.1x Supplicant.  There is no client cost for these end-points.  Another optional end-point component from Cisco is its Cisco Security Agent (CSA). CSA is a desktop application similar to either McAfee or Symantec, but it uses a different algorithm to mitigate threats.  Instead of relying on the static threat signature-based approach, CSA uses a behavioral approach.   It monitors the user and the system behavior to determine what mitigation actions should be taken.  </p>
<p><b>Communications:</b>  This is an important component as it provides network enforcement in routing and switching infrastructure and access policy for 802.1X termination and identity-based access control.  Providing the latter is Cisco&#39;s Access Control Server (ACS).  Look for more from Cisco in this area during 2008. </p>
<p>A few highlights on the above product portfolio.  While Cisco delivers on the above-mentioned four capabilities through its product set, it&#39;s particularly strong in quarantine and remediation plus policy configuration and management.  Cisco&#39;s remediation is strong due to automated threat update signatures and remediation enforcement support thanks to its Ruleset Update service.  There are two points here. </p>
<p>First, automated threat Ruleset Updates are built into the Cisco NAC appliance.   When IT deploys a Cisco NAC appliance, it periodically contacts Cisco, automatically pulling threat updates directly from a Cisco database which is updated every few hours.  Cisco NAC Manager downloads the Ruleset Updates from Cisco as it provides new vulnerability signatures, Microsoft updates, hot-fixes, etc., off-loading this task from the IT organization.<br />
Second, Cisco offers built-in enforcement support.  The Cisco database supports policies for over 350 applications including Microsoft hot-fixes, nearly all anti-virus vendors, and others. When IT accesses Cisco NAC Manager, they are presented with a comprehensive list of security updates.  If IT wishes to enforce any item on the list, all they need to do is point and click and the applications are updated during remediation.  This process stands out in the industry as the best remediation engine available.  </p>
<p>Its NAC manager allows IT to create and manage policies, an ability that also rises above other NAC providers.  Role-based access is defined in the NAC policy manager.  Cisco can easily place users into multiple groups depending on their initial job function, different network segments or both for example.  Single sign-on is particularly nice too.  When a user attempts to enter the network, they can perform a Windows logon and network/NAC sign-on at the same time as one process, independent of their access media, be it VPN, wireless, wired, etc.  </p>
<p><b>Cisco NAC Profiler and Guest Server </b></p>
<p>The NAC Profiler and NAC Guest Server are optional components to a Cisco NAC solution.  Cisco NAC Guest Server is a dedicated guest server where IT provides initiation configuration policy; then individual business units can tailor their guest or contractor access to their particular needs, which is very efficient. Cisco NAC Guest Server works with either Cisco NAC Appliance or Cisco wireless LAN controllers to manage the lifecycle of guest access, including account provisioning, user notification, access management and reporting. </p>
<p>The Cisco NAC Profiler identifies all end-point devices on the network including printers, scanners, network devices and mobile devices.  Profiling all of these devices manually, assigning policy and maintaining it is unrealistic, so the process needs to be automated, which is what NAC Profiler does.  NAC Profiler combines end-point recognition technology with Cisco NAC to automatically profile and identify all end-point devices and create a policy to dynamically provide access, such as a printer category.  </p>
<p><b>Linking NAC Appliance and Infrastructure: A New Mode of Deployment Needed </b></p>
<p>To link NAC appliances with NAC infrastructure a more scalable deployment option is needed.  For example, Cisco NAC appliance supports two deployment options today.  One is called in-band and the other is out-of-band.  In-band mode is when the Cisco NAC Server is always in the data path.  Its benefits are that it&#39;s easy to deploy with highly reliable enforcement, as there are no other dependencies for enforcement.  Out-of-band is when Cisco NAC Server is used to control initial authentication and posture checking.  Once a device&#39;s posture passes conformance, data does not have to pass through Cisco NAC Server.  Enforcement is provided by another entity.  For most IT leaders, the choice between in-band/out-of-band is based upon the size of deployment.  If it&#39;s a simple and small-scale deployment, in-band is the better choice.  If it&#39;s large and a more extended infrastructure, then out-of-band is best for scale.   </p>
<p>But to leverage network infrastructure and NAC appliances, a new mode of deployment is needed.  This new deployment option provides user authentication and device posture compliance status.  To process user authentication, 802.1X is the standard approach and should be used.   Device posture and end-point security policy compliance status would be the responsibility of a NAC Server.   Combining a NAC Server for assessing device posture with a RADIUS server system for 802.1X authentication enables a third deployment option that glues together NAC appliances and NAC infrastructure.   This provides a scalable way to deploy NAC and 802.1X authentication in large campus LAN environments.   End-points would be authenticated via an 802.1X server, then posture assessed via NAC Server, with policy enforced by the routing and switching infrastructure, all while providing a transparent experience to the end user.   </p>
<p>This third deployment option will be available in 2008 and will contribute to the spike many expect in NAC deployments.  NAC deployments around VPN, guest access, wireless, etc will be linked together so that NAC not only surrounds a corporation but is mitigating threats within the campus too. </p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/07/special-edition-lippis-report-on-network-security-issue-3-scaling-nac-to-campus-lans/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Cisco Network Admission Control and Microsoft Network Access Protection Interoperability Architecture</title>
		<link>http://lippisreport.com/2008/07/cisco-network-admission-control-and-microsoft-network-access-protection-interoperability-architecture/</link>
		<comments>http://lippisreport.com/2008/07/cisco-network-admission-control-and-microsoft-network-access-protection-interoperability-architecture/#comments</comments>
		<pubDate>Tue, 29 Jul 2008 00:15:57 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/07/28/cisco-network-admission-control-and-microsoft-network-access-protection-interoperability-architecture/</guid>
		<description><![CDATA[<p>By Cisco Systems and Microsoft Corporation </p>
<p>Cisco Systems, Inc. and Microsoft Corporation have developed an interoperability architecture that allows customers to deploy both the Network Admission Control (NAC) platform available from Cisco and the Network Access Protection (NAP) platform developed…</p>]]></description>
			<content:encoded><![CDATA[
<p>By Cisco Systems and Microsoft Corporation </p>
<p>Cisco Systems, Inc. and Microsoft Corporation have developed an interoperability architecture that allows customers to deploy both the Network Admission Control (NAC) platform available from Cisco and the Network Access Protection (NAP) platform developed for Microsoft Windows Vista&copy; and Windows Server.  The result is a set of components that interoperate, allowing customers to enforce health requirements for network access using a combination of components from Cisco and Microsoft.  This white paper describes the set of characteristics that will support the interoperability architecture and how the interoperability architecture works.  This paper was written in 2006 and thus much progress has been made in Cisco NAC/Microsoft NAP interoperability since its publication.  Yet it still offers an excellent framework which will prepare architects for a major update during 2008.
</p>
<p><a href="http://lippisreport.com/2008/07/cisco-network-admission-control-and-microsoft-network-access-protection-interoperability-architecture/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/07/cisco-network-admission-control-and-microsoft-network-access-protection-interoperability-architecture/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Boosting Business Development with Citywide Wireless Access</title>
		<link>http://lippisreport.com/2008/07/boosting-business-development-with-citywide-wireless-access/</link>
		<comments>http://lippisreport.com/2008/07/boosting-business-development-with-citywide-wireless-access/#comments</comments>
		<pubDate>Tue, 29 Jul 2008 00:14:23 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Enterprise Mobility]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/07/28/boosting-business-development-with-citywide-wireless-access/</guid>
		<description><![CDATA[<p>By Cisco Systems and The City of Dublin, Ohio </p>
<p>The city of Dublin, Ohio is home to more than 3,000 businesses, and continually strives to create an attractive economic environment. Information technology plays an important role in Dublin&#39;s efforts to…</p>]]></description>
			<content:encoded><![CDATA[
<p>				<script> jQuery(document).ready(function($) { $.post("", {lippis_social_buttons_ajax: "true", lippis_social_buttons_url: "http://lippisreport.com/2008/07/boosting-business-development-with-citywide-wireless-access/", lippis_social_buttons_post_id: "859"});}); </script>By Cisco Systems and The City of Dublin, Ohio </p>
<p>The city of Dublin, Ohio is home to more than 3,000 businesses, and continually strives to create an attractive economic environment. Information technology plays an important role in Dublin&#39;s efforts to bring the best and most promising businesses to the city, and it was important to provide access anytime, anywhere. &quot;A major emphasis has always been enhancing economic development and establishing a significant tax base that will take us into the future,&quot; says Mayor Marilee Chinnici-Zuercher. &quot;Access to technology is a key element of our strategy, because we have a lot of small businesses that are global in their missions and purposes.&quot; Adds Jane Brautigam, City Manager, &quot;We believe that providing better access to the Internet, via our network infrastructure, will bring companies to the city, and encourage them to grow their business here.&quot;
</p>
<p><a href="http://lippisreport.com/2008/07/boosting-business-development-with-citywide-wireless-access/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/07/boosting-business-development-with-citywide-wireless-access/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Utility Overhauls Network Defenses to Boost Control and Visibility</title>
		<link>http://lippisreport.com/2008/07/utility-overhauls-network-defenses-to-boost-control-and-visibility/</link>
		<comments>http://lippisreport.com/2008/07/utility-overhauls-network-defenses-to-boost-control-and-visibility/#comments</comments>
		<pubDate>Tue, 29 Jul 2008 00:13:38 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/07/28/utility-overhauls-network-defenses-to-boost-control-and-visibility/</guid>
		<description><![CDATA[<p>By Cisco Systems and Jones-Onslow Electric Membership Corporation </p>
<p>Jones-Onslow Electric Membership Corporation (JOEMC) is a member-owned electric utility cooperative with a vital technology infrastructure. The cooperative&#39;s network supports a variety of critical applications, including an IP contact center, customer support…</p>]]></description>
			<content:encoded><![CDATA[<p>By Cisco Systems and Jones-Onslow Electric Membership Corporation </p>
<p>Jones-Onslow Electric Membership Corporation (JOEMC) is a member-owned electric utility cooperative with a vital technology infrastructure. The cooperative&#39;s network supports a variety of critical applications, including an IP contact center, customer support and financial applications, and an outage management system that alerts JOEMC employees to service problems. All of these systems are essential to providing the electric service on which 60,000 JOEMC customers depend every day, and those customers demand the utmost reliability and security. However, one of the biggest challenges for JOEMC is supporting all applications and customers with just a four-person IT staff.  </p>
<p>&quot;Because we are a small department, we are always looking for solutions that can keep the network secure, but that do not require extensive support from our team,&quot; says Carrie Peters, Vice-President of IT/IS, JOEMC.  To meet these requirements, JOEMC works with a variety of third-party vendors who provide technology, financial, and business services vital to the daily operation of the co-op. All vendors require access to the JOEMC network, ranging from periodic on-site visits to VPN links supporting managed services that must remain open at all times. Despite the number of outside parties that require access to the network, JOEMC lacked sophisticated tools to monitor and control vendor access. The safeguards that were in place (such as checking vendor PCs for viruses and malware before allowing them to connect to the co-op&#39;s network) were also labor intensive and time consuming.
</p>
<p><a href="http://lippisreport.com/2008/07/utility-overhauls-network-defenses-to-boost-control-and-visibility/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/07/utility-overhauls-network-defenses-to-boost-control-and-visibility/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Food Manufacturer Extends Its Workplace with Secure Remote Access</title>
		<link>http://lippisreport.com/2008/07/food-manufacturer-extends-its-workplace-with-secure-remote-access/</link>
		<comments>http://lippisreport.com/2008/07/food-manufacturer-extends-its-workplace-with-secure-remote-access/#comments</comments>
		<pubDate>Tue, 29 Jul 2008 00:12:43 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/07/28/food-manufacturer-extends-its-workplace-with-secure-remote-access/</guid>
		<description><![CDATA[<p>By Cisco Systems and Del Monte Foods </p>
<p>Del Monte Foods is one of the largest, most well-known producers and distributors of premium food products in the United States. Founded in San Francisco in 1916, the company&#39;s net sales were US…</p>]]></description>
			<content:encoded><![CDATA[<p>By Cisco Systems and Del Monte Foods </p>
<p>Del Monte Foods is one of the largest, most well-known producers and distributors of premium food products in the United States. Founded in San Francisco in 1916, the company&#39;s net sales were US $3.4 billion in 2007. With a powerful portfolio of brands, Del Monte products are found in nine out of ten U.S. households. Like most leading companies, Del Monte depends on its network to support its key business operations, from enterprise resource planning (ERP) to data warehouse and customer relationship management (CRM) applications. Employees need frequent access to these systems, regardless of their location. However, Del Monte has a dynamic workforce. &quot;About 70 percent of our computers are laptops, and enabling our users to work remotely is a growing priority,&quot; says Dennis Tokarski, Manager of Telecommunications and Network Operations at Del Monte. &quot;We have approximately 500 users who work out of the home office, a remote sales office, or a combination of both.&quot;
</p>
<p><a href="http://lippisreport.com/2008/07/food-manufacturer-extends-its-workplace-with-secure-remote-access/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/07/food-manufacturer-extends-its-workplace-with-secure-remote-access/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>University of Pisa develops trail-blazing approach for cost effective compliance and protection of large city campus networks</title>
		<link>http://lippisreport.com/2008/07/university-of-pisa-develops-trail-blazing-approach-for-cost-effective-compliance-and-protection-of-large-city-campus-networks/</link>
		<comments>http://lippisreport.com/2008/07/university-of-pisa-develops-trail-blazing-approach-for-cost-effective-compliance-and-protection-of-large-city-campus-networks/#comments</comments>
		<pubDate>Tue, 29 Jul 2008 00:10:01 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/07/28/university-of-pisa-develops-trail-blazing-approach-for-cost-effective-compliance-and-protection-of-large-city-campus-networks/</guid>
		<description><![CDATA[<p>by Cisco Systems and the University of Pisa </p>
<p>At today&#8217;s colleges and universities, a growing number of research, communications and basic educational functions are supported and enhanced by the campus network.  But with thousands of users, end-points and applications active…</p>]]></description>
			<content:encoded><![CDATA[<p>by Cisco Systems and the University of Pisa </p>
<p>At today&#8217;s colleges and universities, a growing number of research, communications and basic educational functions are supported and enhanced by the campus network.  But with thousands of users, end-points and applications active at any one time, campus networks are becoming more difficult to protect.  Propagation times are also shrinking, as is the window for responding to an attack before it causes widespread damage. </p>
<p>A survey conducted by Gartner and The Chronicle of Higher Education revealed that nearly all respondents had experienced virus and worm attacks in the past year, with 73 percent saying that those attacks are accelerating. Not only that, but attacks are becoming more malicious. Some 53 percent reported that attackers had tried to cripple campus networks and 41 percent confirmed that hackers had succeeded in penetrating their systems.
</p>
<p><a href="http://lippisreport.com/2008/07/university-of-pisa-develops-trail-blazing-approach-for-cost-effective-compliance-and-protection-of-large-city-campus-networks/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/07/university-of-pisa-develops-trail-blazing-approach-for-cost-effective-compliance-and-protection-of-large-city-campus-networks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Special Edition Lippis Report on Network Security, Issue 2: Security Best Practices for PCI Compliance</title>
		<link>http://lippisreport.com/2008/06/special-edition-lippis-report-on-network-security-issue-2-managing-security-best-practices-for-pci-compliance/</link>
		<comments>http://lippisreport.com/2008/06/special-edition-lippis-report-on-network-security-issue-2-managing-security-best-practices-for-pci-compliance/#comments</comments>
		<pubDate>Mon, 16 Jun 2008 19:25:14 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/06/16/special-edition-lippis-report-on-network-security-issue-2-managing-security-best-practices-for-pci-compliance/</guid>
		<description><![CDATA[<p>In this Lippis Report we offer industry best practices for Payment Card Industry Compliance (PCI) for the mid-market commercial corporation. We&#39;ll explain PCI benefits, the severe consequences of non-compliance enforced by the largest banks through fines plus increased transaction fees…</p>]]></description>
			<content:encoded><![CDATA[
<p>In this Lippis Report we offer industry best practices for Payment Card Industry Compliance (PCI) for the mid-market commercial corporation. We&#39;ll explain PCI benefits, the severe consequences of non-compliance (enforced by the largest banks through fines plus increased transaction fees), and how to avoid them. PCI is a big issue for all corporations that transact business with credit cards. According to industry sources, &quot;the average corporation underbudgets PCI by 40%.&quot; Who needs to worry about PCI? Any corporation that handles credit card information in any of these three ways: 1) processes; 2) transmits; and/or 3) stores credit card information. If your corporation does any one of the three or all three, you need to be PCI compliant. Penalties for non-compliance are severe and are enforced by banks such as Visa, MasterCard, American Express and others through fees plus increases in transaction cost. For the mid-market, a doubling of the transaction fee charged by banks for non-compliance will have a large negative impact on profit.</p>
<div class="pod_wide">
<p><img src="/wp-content/uploads/terry.jpg" width="55" height="70" alt="Terry Quinn-Andry" /><strong>Mid-Market Commercial Firms: Are You PCI Compliant?</strong></p>
<p><a href="http://lippisreport.com/?lippis_pid=816&#038;lippis_fil=kapoor_avaya_5_27_08.mp3">Listen to the Podcast</a></p>
</div>
<p><span id="more-827"></span></p>
<div class="pod_rel">
<p class="pod_p">PCI Solution for Retail Architecture</p>
<p><a href="http://lippisreport.com/?lippis_pid=826&#038;lippis_fil=RSA-Cisco_Partner_update_June_2008.ppt" class="pptlink">Presentation</a></div>
<p>The PCI Security Standards Council maintains the standard and certifications, but it is the large banks such as MasterCard, Visa, JCB, American Express, Discover, et al. that enforce PCI by issuing fines and higher transaction fees for those in non-compliance. The two heavyweight banks behind PCI are Visa and MasterCard. The first thing to notice is that PCI is regulated by industry rather than government. It is a worldwide standard that protects credit card information and provides, in essence, the Good Housekeeping seal with which safe businesses conduct transactions. But while PCI is worldwide, its standard varies between countries, with even the Canadian and US versions being extremely different. PCI applies to nearly every industry in the world economy. Any business that processes, transmits and/or stores cardholder data needs to be PCI compliant, and the deadline for mandatory compliance with its Data Security Standard (DSS) version 1.2 &#8212; October 2008 &#8212; is fast approaching. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.</p>
<p><strong>Merchant Levels</strong></p>
<div class="pod_rel">
<p class="pod_p">PCI Currents: Staying Afloat</p>
<p><a href="http://lippisreport.com/?lippis_pid=825&#038;lippis_fil=PCI_Currents_Staying_Afloat.pdf" class="pptlink">Presentation</a></div>
<p>VISA categorizes US merchants into levels. Level 1 merchants are big firms that process 6 million or more transactions per year, Level 2 merchants process between 1 and 6 million transactions, Level 3 merchants process between 20k and 1 million transactions, and Level 4 is everyone else. The PCI Security Standards Council issues updates to the standard that specify when a particular requirement needs to be compliant. For example, on June 30, 2008 the web application firewall requirement update will be considered best practice and becomes mandatory: corporations must either deploy a web application firewall or undergo a source code review of all web applications on a regular basis. Note that to date, less than 25% of Level 1 merchants are compliant. The other 75% have submitted an initial Report on Compliance. By September 30th 2008 Level 1 merchants need to be in compliance, while Level 2 merchants have until December 30, 2008. Asia has until December of 2009, while Europe Level 2 and 3 have until December 31, 2008. Bottom line: the compliance deadlines are coming fast.</p>
<div class="pod_rel">
<p class="pod_p">Payment Card Industry Compliance</p>
<p><a href="http://lippisreport.com/?lippis_pid=822&#038;lippis_fil=PCI_Overview.pdf" class="pdflink">Get the White Paper</a></div>
<p>PCI industry deadlines are mandatory, and if a corporation does not meet the requirement date then the bank can start issuing fines. This pressures business and industry to bring about change to adopt PCI. Pressure was previously placed on IT staff, but they were caught between a rock and a hard place: executive management was reluctant to appropriate budget to address the requirement. So the PCI community took the hard-line approach of setting deadlines and estimating what the fines for non-compliance would cost if the deadlines were not met. Overnight, PCI became a business-level issue because the fines would subtract from profits, pushing PCI forward by a large degree. Executive management realizes that PCI and security are something they can&#39;t avoid any longer.</p>
<p><strong>What is PCI?</strong></p>
<div class="pod_rel">
<p class="pod_p">Data Retrieval Firm Boosts Productivity while Protecting Customer Data</p>
<p><a href="http://lippisreport.com/?lippis_pid=819&#038;lippis_fil=cisco_case_study_data_retrieval_firm_boosts_productivity.pdf" class="pdflink">Get the White Paper</a></div>
<p>The PCI data security standard is segmented into six categories with twelve requirements. They are:</p>
<p><strong>Build and Maintain a Secure Network:</strong> There are two requirements under this category: 1) Install and maintain a firewall configuration to protect data; and 2) Do not use vendor-supplied defaults for system passwords and other security parameters.</p>
<p><strong>Protect Cardholder Data:</strong> There are two requirements to comply with this category: 3) Protect stored data; and 4) Encrypt transmission of cardholder data and sensitive information across public networks.</p>
<p><strong>Maintain a Vulnerability Management Program:</strong> There are two requirements to comply with this category: 5) Use and regularly update anti-virus software; and 6) Develop and maintain secure systems and applications.</p>
<p><strong>Implement Strong Access Control Measures:</strong> To satisfy this PCI category there are three requirements: 7) Restrict access to data by business on a need-to-know basis; 8) Assign a unique ID to each person with computer access; and 9) Restrict physical access to cardholder data.</p>
<p><strong>Regularly Monitor and Test Networks:</strong> Two requirements ensure that merchants regularly monitor and test their networks: 10) Track and monitor all access to network resources and cardholder data; and 11) Regularly test security systems and processes.</p>
<p><strong>Maintain an Information Security Policy:</strong> There is one requirement to satisfy the security policy category: 12) Maintain a policy that addresses information security.</p>
<div class="pod_rel">
<p class="pod_p">Accor North America</p>
<p><a href="http://lippisreport.com/?lippis_pid=817&#038;lippis_fil=rsa_accor_NA_case_study.pdf" class="pdflink">Get the White Paper</a></div>
<p>While the above provide six categories and 12 &quot;headline&quot; requirements, there are over 200 actual requirements when one dives into the PCI standard. PCI specifies in detail a large range of security IT. PCI covers anti-virus, firewall, AAA, IPS, disk encryption, web application firewall, etc. PCI spans all these security technologies and more. There isn&#39;t any security technology left out of PCI. PCI was developed by some of the best IT security minds in the world and just this one fact makes PCI the foundation of what a security best practice should be. Not that PCI is the end game for IT defense; compliance, like anything, is the lowest common denominator, but PCI delivers a solid foundation of security best practices that at least defines the first baseline for corporations to meet, as PCI specifies mandatory deployment of security IT.</p>
<p>For example, the PCI Security Standards Council may issue a page and a half explaining firewall settings that a corporation needs to deploy, which may include ingress and egress, stateful firewalls, etc. For wireless deployments, corporations are required to implement a stateful firewall between wireless APs and card data. PCI details the security IT deployment required and while the standard may be 17 pages long, it&#39;s written in English, providing more guidance than any other government compliance regulation.</p>
<p>The PCI standard is a living standard. There is a large PCI standard revision due out in October 2008. PCI was first published in January 2005, and was updated in September 2006, with significant changes to support WLANs. PCI is not a standard that is implemented and then forgotten; it will be with businesses for as long as transactions are conducted with credit and debit cards and scanners.</p>
<p><strong>Compliance Validation</strong></p>
<div class="pod_rel">
<p class="pod_p">Mid-Market Commercial Firms: Are You PCI Compliant?</p>
<p><a href="http://lippisreport.com/?lippis_pid=816&#038;lippis_fil=kapoor_avaya_5_27_08.mp3" class="podlink">Get the Podcast</a></div>
<p>The PCI Security Standards Council (SSC) requires validation of compliance. Each of the above-mentioned merchant levels must meet the same 12 PCI requirements, but how compliance is validated differs. For example, a Level 1 merchant is required to have an annual onsite PCI data security assessment conducted by a PCI Qualified Security Assessor (QSA) from an independent company. Level 1 merchants also need to conduct quarterly network scans. Levels two through four are required to conduct quarterly network scans and annual self-assessments. While it is not mandatory for Level two through four merchants to conduct an onsite audit, it is highly recommended that they do so to ensure compliance, assess vulnerabilities and avoid fines. At a minimum, Level two through four merchants have to conduct a quarterly network scan performed by a scanning vendor, which is called an Approved Scan Vendor (ASV).</p>
<p>The PCI SSC is responsible for training and certifying QSA and ASV individuals and firms. QSAs and ASVs have to pass a certification program to perform audits and scans. For PCI to work, the division of labor is that the PCI SSC defines and maintains the standard and trains and certifies QSAs and ASVs, while banks enforce PCI.</p>
<p><strong>Getting into Compliance</strong></p>
<p>As PCI details specific security IT solutions, all vendors of such products and services have offered PCI programs. As a network scan is required for all firms, networking vendors are in a particularly influential PCI position. Some networking concerns such as Cisco have developed a PCI validated architecture and a services group to perform vulnerability identification, gap analysis and solution suggestions. Cisco is also a participating organization on the PCI council.</p>
<p>PCI can be a tricky standard. The standard itself is written in English and fairly easy to understand. Then the standard needs to be translated into security products with specific configurations to defend transaction data and be PCI compliant. The translation from English to device selection and configuration is left to interpretation. To address this, Cisco has developed a PCI validated architecture.</p>
<p><strong>Cisco PCI Validated Architecture</strong></p>
<p>Cisco built an architecture made up of three remote location scenarios, an Internet edge where e-commerce is conducted and a data center, which offers a best practice for PCI validation. The security and wireless architecture was developed according to the spirit of PCI and in many cases went above PCI, in keeping with security best practices. Cisco used partners, as no single company can address all PCI requirements. Cisco&#39;s PCI validated architecture includes point of sale, application servers, wireless devices, internet connection, security systems, etc. with retail partners such as IBM, Wincor Nixdorf, NCR, Intermec, VeriFone and others. RSA provides key management, factor authentication and encryption. Once the PCI validated architecture was built, Cybertrust performed an audit on the technology components of the standard to validate compliance. The approach in which Cisco has deployed the technology in the architecture meets PCI requirements. Cisco and its partners offer a PCI guide of how best to deploy security technology, configure devices, monitor systems and implement authentication management to meet PCI compliance.</p>
<p>Merchants can use the architecture as a guide to review security device selection, placement, configuration, etc. The Cisco PCI solution for retail is an end-to-end architecture that includes firewalls, IPS, CSA, server access, web application firewall, VPN, wireless LANs, Ethernet switching and routing, a wide range of retail end-points, transport options, etc. This architecture provides views of a retail store, data center, server access, internet edge, storage and remote access for partners, customers and teleworkers.</p>
<p>What you find with PCI is that compliance with its twelve recommendations means that a merchant needs to distribute security technology throughout their enterprise. This includes remote locations, internet edge, main offices and network management center(s). PCI forces merchants to view IT security from a holistic, consistent approach rather than a box-by-box or requirement-by-requirement knee-jerk reaction to threat mitigation. The piecemeal approach will not work.</p>
<p><strong>Small Private Firms Need To Be PCI Compliant Too</strong></p>
<p>One thing to keep in mind is that PCI is not just a big company issue. It&#39;s systemic through the economy and is required for all firms that process credit card information. Small firms need to be PCI compliant too, even private, family-owned companies such as restaurants. While this may be a burden for smaller firms, and many will be reluctant to invest in PCI compliance, unfortunately they simply no longer have a choice. But putting this into perspective, smaller firms will have the same requirements, but their spend will be much smaller than that of larger firms, as the more complex a business is, the more expensive it tends to be to secure.</p>
<p>Smaller firms may be more vulnerable too, especially privately owned firms, as compliance has never been important to them. Typically small commercial enterprises haven&#39;t had to participate in Sarbanes-Oxley or other government regulations. Their security concerns have been primarily physical security and theft.</p>
<p>PCI is increasingly important to the healthcare industry too as their business is changing. Patients pay their insurance co-pay with credit cards and at times their entire medical bill. Many healthcare institutions are requiring self-registration versus the typical interview process that occurs during hospital admittance. These two processes and others are pulling the healthcare industry into PCI.</p>
<p><strong>Recommendations</strong></p>
<p>We provide the following recommendations for those responsible for PCI compliance within commercial establishments.</p>
<p><strong>Systems Approach:</strong> Think in terms of a holistic and distributed approach to security versus a box-by-box or requirement-by-requirement approach.</p>
<p><strong>All Should Do Audits:</strong> Level 2 through 4 firms should perform audits at least twice a year and scan their networks once a quarter, as required. Even if your firm does not support WLANs, you still have to scan for APs to ensure that there are no network breaches. Audits and scans should mitigate this potential breach and others.</p>
<p><strong>Security Gap Analysis:</strong> Perform a PCI security gap analysis to identify vulnerabilities before the audit, so that you can either perform a remediation analysis to gain compliance or confirm that your firm is compliant. Consider an annual gap analysis, as firms are required to re-certify PCI compliance every year.</p>
<p><strong>Quarterly Health Check:</strong> Consider a quarterly health check to ensure that configuration changes made during the quarter do not change conformance status. If a breach occurs and the firm was not in compliance when it occurred, a bank will start its fines back at the time of the breach. It&#39;s important to document at regular intervals that the firm is in compliance, so that compliance can be demonstrated if a breach occurs.</p>
<p><strong>Auditor With Security Competence:</strong> Consider PCI auditors who started off in security practice and then moved into auditing, as they will possess the competency to analyze security systems and work with you to address shortfalls. Beware that many auditors started auditing without security practice experience. These auditors are usually equipped with a checklist rather than competence, and they are usually the ones that inform management of a need for ten different products to meet all of the checklist requirements when in reality a single device may be all that&#39;s required.</p>
<p>When it comes down to it, PCI is about protecting customers and customer information. Being PCI compliant signals to customers that the establishment cares enough to protect customer privacy. This in turn protects the establishment&#39;s reputation and signals to customers that they are conducting business with a safe establishment. PCI is good for building brand, customer loyalty and improved customer experience.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/06/special-edition-lippis-report-on-network-security-issue-2-managing-security-best-practices-for-pci-compliance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>PCI Solution for Retail Architecture</title>
		<link>http://lippisreport.com/2008/06/pci-solution-for-retail-architecture/</link>
		<comments>http://lippisreport.com/2008/06/pci-solution-for-retail-architecture/#comments</comments>
		<pubDate>Mon, 16 Jun 2008 19:20:48 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/06/16/pci-solution-for-retail-architecture/</guid>
		<description><![CDATA[<p>By Cisco and RSA</p>
<p>No single device can be PCI compliant. Cisco, RSA and the other partners secure sensitive data throughout the transaction flow and provide the audit trail for central management and policy control. Other PCI solutions cover only part…</p>]]></description>
			<content:encoded><![CDATA[<p>By Cisco and RSA</p>
<p>No single device can be PCI compliant. Cisco, RSA and the other partners secure sensitive data throughout the transaction flow and provide the audit trail for central management and policy control. Other PCI solutions cover only part of the overall steps needed for compliance. The PCI Solution for Retail includes a set of configured and audited architectures that incorporate technology from Cisco and RSA to help retailers meet the requirements of the Payment Card Industry (PCI) Data Security Standard. Since RSA and Cisco are top technology providers to retailers, both are focused on providing PCI Solutions to customers. Cisco is the network provider to more than 90% of the top 25 global retailers while RSA is the leading provider of technology solutions that enable companies to secure their most critical business assets.
</p>
<p><a href="http://lippisreport.com/2008/06/pci-solution-for-retail-architecture/">View the Presentation</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/06/pci-solution-for-retail-architecture/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>PCI Currents: Staying Afloat</title>
		<link>http://lippisreport.com/2008/06/pci-currents-staying-afloat/</link>
		<comments>http://lippisreport.com/2008/06/pci-currents-staying-afloat/#comments</comments>
		<pubDate>Mon, 16 Jun 2008 19:17:25 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Unified Communication]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/06/16/pci-currents-staying-afloat/</guid>
		<description><![CDATA[<p>By Darrik Cupps, Securestate</p>
<p>The PCI Currents: Staying Afloat presentation provides information on the need for PCI, case studies, PCI defined, PCI best practices and strategies for compliance. It&#39;s a presentation that gets one up to speed on PCI, the threats…</p>]]></description>
			<content:encoded><![CDATA[<p>By Darrik Cupps, Securestate</p>
<p>The PCI Currents: Staying Afloat presentation provides information on the need for PCI, case studies, PCI defined, PCI best practices and strategies for compliance. It&#39;s a presentation that gets one up to speed on PCI, the threats it mitigates and how to get into compliance.
</p>
<p><a href="http://lippisreport.com/2008/06/pci-currents-staying-afloat/">View the Presentation</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/06/pci-currents-staying-afloat/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Payment Card Industry Compliance</title>
		<link>http://lippisreport.com/2008/06/payment-card-industry-compliance/</link>
		<comments>http://lippisreport.com/2008/06/payment-card-industry-compliance/#comments</comments>
		<pubDate>Mon, 16 Jun 2008 19:15:52 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/06/16/payment-card-industry-compliance/</guid>
		<description><![CDATA[<p>By Securestate</p>
<p>Securestate is an information security assessment firm that specializes in the Payment Card Industry&#39;s Data Security Standards. As a Qualified Security Assessor (QSA), Securestate has performed assessments and audits for PCI merchants and service providers of all levels. Securestate…</p>]]></description>
			<content:encoded><![CDATA[<p>By Securestate</p>
<p>Securestate is an information security assessment firm that specializes in the Payment Card Industry&#39;s Data Security Standards. As a Qualified Security Assessor (QSA), Securestate has performed assessments and audits for PCI merchants and service providers of all levels. Securestate does not sell or implement products, thereby maintaining ethical independence and segregation of duties. In this overview, Securestate provides a process and checklist to ensure PCI compliance.
</p>
<p><a href="http://lippisreport.com/2008/06/payment-card-industry-compliance/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/06/payment-card-industry-compliance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Retrieval Firm Boosts Productivity while Protecting Customer Data</title>
		<link>http://lippisreport.com/2008/06/data-retrieval-firm-boosts-productivity-while-protecting-customer-data/</link>
		<comments>http://lippisreport.com/2008/06/data-retrieval-firm-boosts-productivity-while-protecting-customer-data/#comments</comments>
		<pubDate>Mon, 16 Jun 2008 19:12:40 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/06/16/data-retrieval-firm-boosts-productivity-while-protecting-customer-data/</guid>
		<description><![CDATA[<p>By Cisco, HEIT Consulting and DriveSavers Data Recovery</p>
<p>With HEIT Consulting, DriveSavers deployed a Cisco Self-Defending Network to better protect network assets, employee end-points, and customer data. When Michael Hall says of his company, DriveSavers Data Recovery, &#34;We regularly, literally save…</p>]]></description>
			<content:encoded><![CDATA[<p>By Cisco, HEIT Consulting and DriveSavers Data Recovery</p>
<p>With HEIT Consulting, DriveSavers deployed a Cisco Self-Defending Network to better protect network assets, employee end-points, and customer data. When Michael Hall says of his company, DriveSavers Data Recovery, &quot;We regularly, literally save businesses,&quot; he is not exaggerating. DriveSavers is one of the premier data recovery companies in the world, with a track record of rescuing data from hard drives that have been through warehouse fires, bus crashes, and even several days at the bottom of the Amazon River. Given the nature of DriveSavers&#39; business, the company must worry not only about the security of its own applications, but also the rescued customer data that resides on its network, much of which is highly sensitive. Many customers now require any company handling their data to comply with SAS 70 security audits, detailed internal examinations of a company&#39;s security processes and systems. However, DriveSavers traditionally relied on security solutions from a variety of vendors, making auditing difficult. To meet customer requests, DriveSavers&#39; engineers frequently had to take time away from their regular duties to retrieve and manually compile information from dozens of different sources in the network.</p>
<p><a href="http://lippisreport.com/2008/06/data-retrieval-firm-boosts-productivity-while-protecting-customer-data/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/06/data-retrieval-firm-boosts-productivity-while-protecting-customer-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Accor North America</title>
		<link>http://lippisreport.com/2008/06/accor-north-america/</link>
		<comments>http://lippisreport.com/2008/06/accor-north-america/#comments</comments>
		<pubDate>Mon, 16 Jun 2008 19:09:27 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Unified Communication]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/06/16/accor-north-america/</guid>
		<description><![CDATA[<p>By RSA</p>
<p>When consumers think about hotel security, they often think about door locks and safes. In general, consumers don&#39;t think about how crucial it is for hotel operators to protect the credit card information they&#39;re given. As a critical security…</p>]]></description>
			<content:encoded><![CDATA[<p>By RSA</p>
<p>When consumers think about hotel security, they often think about door locks and safes. In general, consumers don&#39;t think about how crucial it is for hotel operators to protect the credit card information they&#39;re given. As a critical security requirement for hotel operators, Accor North America selected RSA&#174; Key Manager with Application Encryption, which is designed to centralize the provisioning and lifecycle management of encryption keys and enable end-to-end encryption. According to Harvey Ewing, Senior Director of Information Technology Security, &quot;One of my primary responsibilities is to make sure Accor North America complies with Payment Card Industry (PCI) requirements for protecting consumer information&quot;.
</p>
<p><a href="http://lippisreport.com/2008/06/accor-north-america/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/06/accor-north-america/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Mid-Market Commercial Firms: Are You PCI Compliant?</title>
		<link>http://lippisreport.com/2008/06/mid-market-commercial-firms-are-you-pci-compliant/</link>
		<comments>http://lippisreport.com/2008/06/mid-market-commercial-firms-are-you-pci-compliant/#comments</comments>
		<pubDate>Mon, 16 Jun 2008 19:04:02 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Podcasts]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/06/16/mid-market-commercial-firms-are-you-pci-compliant/</guid>
		<description><![CDATA[<p><span class="imgborder"><img src="/wp-content/uploads/terry.jpg" alt="Terry Quinn-Andry" /></span>According to industry sources, &#34;the average corporation under budgets PCI (Payment Card Industry Compliance) by 40%&#34;. Any company, from mom and pop shops to Fortune 50 corporations that processes credit card information needs to be PCI compliant. Penalties for non-compliance…</p>]]></description>
			<content:encoded><![CDATA[
<p><span class="imgborder"><img src="/wp-content/uploads/terry.jpg" alt="Terry Quinn-Andry" /></span>According to industry sources, &quot;the average corporation under budgets PCI (Payment Card Industry Compliance) by 40%&quot;. Any company, from mom and pop shops to Fortune 50 corporations, that processes credit card information needs to be PCI compliant. Penalties for non-compliance are severe and are enforced by banks such as Visa, MasterCard, American Express and others through fees plus increases in transaction cost. For the mid-market, a doubling of the transaction fee charge will have a much larger impact on its cost to productivity. Terry Quinn-Andry, Compliance Solutions Manager for Cisco Systems, joins me to discuss PCI requirements for mid-market corporations. We&#39;ll explain PCI benefits, exposure of non-compliance and how to avoid penalties.
</p>
<p><a href="http://lippisreport.com/2008/06/mid-market-commercial-firms-are-you-pci-compliant/">Listen to the Podcast</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/06/mid-market-commercial-firms-are-you-pci-compliant/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Special Edition Lippis Report on Network Security, Issue 1: Network Security 2.0: A Systems Approach to Threat Mitigation Emerges</title>
		<link>http://lippisreport.com/2008/05/special-edition-lippis-report-on-network-security-issue-1-network-security-20-a-systems-approach-to-threat-mitigation-emerges/</link>
		<comments>http://lippisreport.com/2008/05/special-edition-lippis-report-on-network-security-issue-1-network-security-20-a-systems-approach-to-threat-mitigation-emerges/#comments</comments>
		<pubDate>Tue, 27 May 2008 17:29:07 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/05/27/special-edition-lippis-report-on-network-security-issue-1-network-security-20-a-systems-approach-to-threat-mitigation-emerges/</guid>
		<description><![CDATA[<p>The conventional wisdom in IT threat mitigation is to build a layered &#34;defense in-depth&#34; approach with security technology such as firewalls, IPS, network access control, anti-x client software, alarm aggregation and event correlation, etc.  And while the layered approach to…</p>]]></description>
			<content:encoded><![CDATA[
<p>The conventional wisdom in IT threat mitigation is to build a layered &quot;defense in-depth&quot; approach with security technology such as firewalls, IPS, network access control, anti-x client software, alarm aggregation and event correlation, etc. And while the layered approach to defense is a useful threat mitigation strategy, the threat landscape has changed, forcing conventional wisdom to shift toward a systems approach to protecting corporate assets.</p>
<div class="pod_wide">
<p><img src="/wp-content/uploads/fred%20kost%20exec%20photo.jpg" alt="Fred Kost" /><strong>Network Security 2.0: Layered Security or Systems Approach?</strong></p>
<p><a href="http://lippisreport.com/?lippis_pid=787&#038;lippis_fil=kost_cisco_system_4_28_08.mp3">Listen to the Podcast</a></p>
</div>
<p><span id="more-798"></span></p>
<div class="pod_rel">
<p class="pod_p">Internet Content Provider Safeguards Customer Networks and Services</p>
<p><a href="http://lippisreport.com/?lippis_pid=797&#038;lippis_fil=cisco_internet_content_provider_saftegards.pdf" class="pdflink">Get the Whitepaper</a></div>
<p>The traditional layered approach was built upon deploying best-of-breed products, which were best-of-breed only until other products emerged and relegated them to either stand-alone appliances and/or loosely coupled security silos such as the linking of IPS and firewall devices. The systems approach builds upon this IT security investment by wrapping it with System Management for policy, reputation and identity that transcends end-point, network, content and application security. The systems approach promises to:</p>
<ol>
<li>Enforce business policies and protect critical assets</li>
<li>Decrease IT/secops administration burden and reduce TCO</li>
<li>Reduce IT security and compliance risk</li>
<li>Protect corporations from new pervasive threats</li>
</ol>
<p><strong>Complex World With A New Threat Landscape </strong></p>
<div class="pod_rel">
<p class="pod_p">Leading Psychiatric Hospital Safeguards Key Healthcare Data</p>
<p><a href="http://lippisreport.com/?lippis_pid=795&#038;lippis_fil=cisco_psychiatric_hospital_safeguards.pdf" class="pdflink">Get the Whitepaper</a></div>
<p>We conduct business in a complex and ever-connected world.  New applications such as unified communications, collaboration and conferencing drive deeper levels of engagement between employees, partners, suppliers and customers.  Mobile and nomadic workers connect to their business network from any geographic point on the planet. Web 2.0 applications enable new combinations of dissimilar content and communications, which were once separate, to offer new ways to communicate and connect.  All these trends are wonderful new economic productivity advances but they also create a new set of security threats and challenges. </p>
<p><strong>Net Security 2.0: What Are The New Threats? </strong></p>
<p>Network Security 1.0 threats infected the communication and collaboration tools dominant at the time, namely email, IM, the web and infrastructure, with malware, worms, viruses and other exploits. Hackers attacked using these communication tools to cause damage, so IT leaders built a perimeter defense with firewall and IPS network security technology. But hackers were able to bypass the perimeter defense by targeting employee behavior: using IM and email, visiting websites or using other applications, all of which became targets for spam, malware, etc. In short, hackers found new ways to target behavior and circumvent firewall policies and rules, reducing the perimeter&#39;s defensive strength. Thus Network Security 2.0 was born.</p>
<div class="pod_rel">
<p class="pod_p">Community Bank Secures Data and Streamlines Regulatory Compliance</p>
<p><a href="http://lippisreport.com/?lippis_pid=793&#038;lippis_fil=case_study_community_bank_cisco.pdf" class="pdflink">Get the Whitepaper</a></div>
<p>Hackers have matured well beyond thrill-seeking mischief into cyber-criminals, which is the basis of the new threat landscape called Network Security 2.0. Clearly, organized on-line crime groups are profit-driven and motivated to cash in on their exploits. On-line crime groups seek ways to access corporate databases rich in identity, social security and/or credit card information and either sell or mine this information. Other on-line crime groups seek to run a service bureau by building a large botnet to send spam or engage in other illegal activities.</p>
<p>From a corporate perspective, the main IT security concern is loss of data and data theft, as this damages corporate brand and complicates business relationships with customers, partners and suppliers, not to mention regulatory and legislative consequences. For business leaders, data loss and theft is a lose-lose scenario, since executives are obligated to communicate a breach to their customers and government officials in the most public of arenas even if they only think or assume a data loss has occurred. Even if the lost data is not maliciously used, the board of directors (BoD) is required to communicate the loss via mass media, which creates the same risk as if the lost data were actually used maliciously. At times the lack of malicious use can be worse for corporations, as customers are left wondering when their identity will be stolen thanks to the breach.</p>
<p>Because of the new type of brand and reputation threat environment that is associated with Network Security 2.0, network security is now a high-level business issue. Business and IT leaders have responded with risk management, and in particular IT risk management positions, which focus on defense, compliance and security management and are funded through compliance and departmental budgets appropriated at the board level. In particular, the payment card industry (PCI) projects, where PCI refers to the Payment Card Industry Security Standards Council, are BoD top-down projects that dictate specific network security requirements to safeguard debit, credit, ATM, POS, confidential information, et al.</p>
<div class="pod_rel">
<p class="pod_p">Building a Safer, Smarter State Government</p>
<p><a href="http://lippisreport.com/?lippis_pid=791&#038;lippis_fil=case_study_building_a_safer_smarter_state_government.pdf" class="pdflink">Get the Whitepaper</a></div>
<p>Most boards around the globe are worried about compliance, PCI compliance in particular, and about data loss and theft, and they are asking their IT and business leaders: what are we doing to defend against these exploits and be compliant? What are our policies, and what technologies do we have in place or need to acquire to build up our defenses against malware, spyware, botnets or something inside our corporation potentially contributing to data leakage or non-compliance?</p>
<p>What&#39;s different about Network Security 2.0 is that the defenses of the year 2000 era will no longer work. In early 2000, if a corporation was infected with an Internet worm propagating through its network, IT could simply buy an IPS with good signature coverage, deploy it, and it would block the worm and the problem went away. There are multiple Network Security 2.0 threats with embedded policy to circumvent single-purpose defenses such as firewalls, spam filters, IPS devices, etc. To defend against &quot;smart threats&quot;, the totality of network security devices needs to work together. Defending against smart threats or exploits requires a systems approach to security that builds upon prior investments in layered defense security. In short, an orchestration function is needed that uses the defense intelligence already in the network to mitigate this new class of threats.</p>
<p><strong>Systems Approach To IT Security </strong></p>
<div class="pod_rel">
<p class="pod_p">University Virtually Eliminates Infections from Internal Users</p>
<p><a href="http://lippisreport.com/?lippis_pid=789&#038;lippis_fil=case_study_univ_virtually_eliminates_infections_v3.pdf" class="pdflink">Get the Whitepaper</a></div>
<p>End-point, network, content and application security are the four architectural components of the systems approach to network security.   Each of these components is part of a layered security defense.  End-points are protected with anti-x software.  Networks are defended with firewalls, IPS, NBAD, NAC and NAP security technology.  The network needs to be defended at the protocol level, looking deep into flows for anomalous behavior and acting upon it.   </p>
<p>Content security is a new and emerging threat defense approach, which protects users from content in email, web sites, IM etc., as it&#39;s the content flow that can be the threat needing mitigation.  New email servers come on line and go away very rapidly, as do web servers that host malware.  This requires a reputation-based defense approach rather than one based on signatures, and the ability to respond to a very large number of variants, since the attacks are often very targeted yet change rapidly based on environments.  This requires the capability to address many different unique attacks, as each attack is different.  Gone are the days of widespread, single-pattern attacks like NIMDA; they are being replaced by varying attacks with policy that lets them change to defeat defenses.  These attacks on collaboration applications come from email, web, IM or other emerging communication applications.  With the attacker now relying on users to propagate attacks, rather than on self-propagation, content security focuses on inspecting the content to protect users from actions that may fuel a successful attack. </p>
<p>Applications and the data they access are forecast to be the next target attackers go after.  With more and more Web 2.0 and SOA/Web Services enabled in organizations, attackers are expected to target these applications, especially given the customer information, business data and intellectual property that reside there.   </p>
<p>The systems approach is focused on orchestrating these existing threat defense technologies to work together as a system, much like Tivoli does for IT.  To achieve this, system management capabilities tie all four components together via policy, reputation, services and identity.  System management can push common policy across all four components.   Products such as Cisco&#39;s MARS 6.0 aggregate alarm information, creating correlated events and delivering either automated or actionable remediation suggestions to network operations.  These alarm aggregation and event correlation products upload alarm information from each of the above four components and correlate the data, providing scenarios of possible threats in the network, and then proactively either address a policy or respond to a threat.<br />
The systems approach is based upon exploiting &#8220;best-of-breed&#8221; security products already implemented within a corporation but managing them via system management.  The systems approach enforces business policies across the four components and protects critical IT assets while decreasing IT operational burden and cost.  The end result is reduced security and compliance IT risk.  This approach frees security buyers from the dilemma: do I buy &#8220;best-of-breed&#8221; or build a systems approach to IT defense? </p>
<p><strong>Start-ups Can&#39;t Keep Up </strong></p>
<p>Every new wave of security threats has provided a market for start-ups to develop a best-of-breed product designed to mitigate that threat.  These firms are usually very good at engineering a defense to a particular threat but do not possess the resources to address the next wave of threats.  In short, these start-ups are in an arms race with attackers, and as the attackers have evolved into on-line criminals equipped with large financial resources that outpace start-up budgets, the on-line criminals always win.   The result of this cycle is that best-of-breed products by themselves are dead ends.  They become a stand-alone device/appliance such as a firewall, NBAD, IPS, NAC appliance etc., or they attempt to expand their threat mitigation portfolio in a small number of areas via internal development or partnership and build a loosely coupled security silo.  For example, the partnership of 3Com&#39;s TippingPoint IPS with Lancope&#39;s StealthWatch is a loosely coupled security silo of IPS and NBAD threat mitigation.  </p>
<p><strong>Mitigating Emerging Threats or Pervasive Threats? </strong></p>
<p>This is not to say that best-of-breed is bad.  Best-of-breed, when implemented as part of a holistic systems approach, extends the life of these security products and improves the security posture of the company.  For example, consider Cisco.  Cisco offers a NAC appliance that is a best-of-breed product, but to gain greater value from the NAC appliance it can become part of the systems approach, which allows the NAC appliance to work with other security products such as Cisco&#39;s TrustSec.  In a systems approach, the NAC appliance touches everything the network connects, extending its diameter and usefulness.  Cisco&#39;s security strategy is to offer best-of-breed products that can both operate on their own and migrate over time into a systems approach, delivering greater value to customers.   For example, a Cisco customer may implement Cisco&#39;s IronPort, which may not be part of its common management framework, or Cisco Security Manager may not manage IronPort at day one, but it is a best-of-breed email security product that over time will become part of the systems approach.  In short, Cisco has developed a vision and strategy for a network security platform that places their customers on a journey. </p>
<p>Cisco promises that a customer&#39;s security posture will improve as it moves through this journey.  For example, to provide data loss prevention (DLP), a customer can leverage their IronPort best-of-breed email security solution with CSA (Cisco Security Agent) capabilities, plus storage media encryption, and put these best-of-breed solutions together as a system to deliver an effective DLP solution.  That&#39;s a systems approach built on best-of-breed products.  This approach extends the value of best-of-breed solutions, which excel at mitigating existing and near-term emerging threats, to providing a defense against pervasive threats such as data loss.<br />
Don&#39;t look to any standards bodies to define standard security interfaces or architecture.  The industry does not have such an organizing principle.  Business and IT leaders need to look toward large IT providers such as Cisco, EMC, IBM, HP, Microsoft et al. to provide vision, a platform and partners to address these smart threats.  All the big IT providers are realizing that security is a common thread throughout IT and needs to be a part of an overall systems approach.  That&#39;s good because to defend against Network Security 2.0 exploits, a systems approach is needed.  Don&#39;t think of the systems approach as providing automated threat response by shutting down ports, IP addresses or subnets, or by changing ACLs.  Think in terms of an autonomic system to understand that the new direction is system-wide threat defense. </p>
<p><strong>Autonomic Network Security </strong></p>
<p>The industry vision is to think in terms of an autonomic effect which increases over time as more and more of the four components are connected into the systems approach.  As the four components start to work together under system management, the autonomic effect will increase.  This is much like the human nervous system, which automatically responds to sensors with action the brain doesn&#39;t need to think about before it is taken.  For example, when a person places a hand on a hot stove, the nervous system automatically responds by telling the hand to get off the hot stove.  There is no thought needed.  Nor is there thought required for the immune system to mitigate a virus or infection or for the lungs to breathe air and the heart to beat.  These are autonomic systems.  This is the way that networks will start to behave as best-of-breed security products are plugged into the systems approach.  </p>
<p><strong>How to Start Building A Systems Approach to Network Security </strong></p>
<p>The beauty of the systems approach is that it builds upon existing defense infrastructure and does not require early retirement of existing security investments.  Cisco is leading this approach with investments in its MARS (Monitoring, Analysis, and Response System) and CSA products.  Existing customers of these products can start their deployment without the acquisition of new products.  Other large security and IT suppliers such as IBM, Microsoft, HP and CA will respond with offerings and an ecosystem of their own.  What will differentiate these solutions will be the particular company&#39;s strengths.  Microsoft&#39;s solution will be desktop and server-based while IBM and HP may be data center focused; CA could be application-based.  Cisco is the only firm that will be network-based and, with all IT assets connected via the network, it&#39;s a strong position to defend against threats. </p>
<p>Business and IT leaders need to make a systems management supplier decision.  Cisco&#39;s MARS is mentioned above, but there is Q1 Labs&#39; QRadar too, which is a security event management and correlation system that may evolve into a systems management system.  Nortel and Juniper partner with Q1 while Enterasys OEMs its system to provide its Dragon Security Command Console.  Independent of a feature set to deliver policy, reputation and identity, Nortel, Juniper and Enterasys lack the vision, platform, ecosystem and completeness of solution to realistically deliver a systems approach to network security.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/05/special-edition-lippis-report-on-network-security-issue-1-network-security-20-a-systems-approach-to-threat-mitigation-emerges/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Internet Content Provider Safeguards Customer Networks and Services</title>
		<link>http://lippisreport.com/2008/05/internet-content-provider-safeguards-customer-networks-and-services/</link>
		<comments>http://lippisreport.com/2008/05/internet-content-provider-safeguards-customer-networks-and-services/#comments</comments>
		<pubDate>Tue, 27 May 2008 17:25:19 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Unified Communication]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/05/27/internet-content-provider-safeguards-customer-networks-and-services/</guid>
		<description><![CDATA[<p>By Cisco and Synacor  </p>
<p>Synacor used Cisco network infrastructure and security solutions to enhance network protection and streamline compliance.  Fast-growing Internet businesses cannot afford network failures or security breaches. This is especially true for Synacor, a leading technology company that…</p>]]></description>
			<content:encoded><![CDATA[<p>By Cisco and Synacor  </p>
<p>Synacor used Cisco network infrastructure and security solutions to enhance network protection and streamline compliance.  Fast-growing Internet businesses cannot afford network failures or security breaches. This is especially true for Synacor, a leading technology company that advances the delivery of meaningful content and technology solutions for multiple system operators (MSOs), telecommunication companies, and Internet service providers (ISPs) around the globe. Through Synacor&#39;s private label portals, subscribers can access a broad range of published and premium content, including entertainment, education, and family-oriented offerings from their homepages.  </p>
<p>Today, through its service providers, Synacor&#39;s products and services reach more than 20 million broadband subscribers worldwide. With Synacor&#39;s business built around Internet products and services, network security is essential. The company must meet strict service uptime agreements and cannot afford to have its back-office assets or production networks disabled by a network attack. Additionally, as the company&#39;s business evolves, its security exposure has evolved as well.  </p>
<p>&#8220;As we move to higher-bandwidth media, movies, and especially gaming services, we are opening ourselves up to more threats,&#8221; says Adam Howell, Director of Network Engineering and Systems Operations for Synacor. &#8220;One of our new accounts launching in 2007 will support more than one million subscribers right out of the gate and host a million e-mail accounts at our headquarters. We need to help ensure that there is no disruption or service degradation because of an attack on our network.&#8221;  </p>
<p>Synacor has heightened internal compliance standards.  The company continues to be indirectly and directly involved in content sales, and with this enhanced activity maintains the protection of credit card information and complies with the Payment Card Industry (PCI) data security standard. As the company and systems grow and develop, Synacor&#39;s IT team is committed to making the technical infrastructure compliant with the U.S. Sarbanes-Oxley Act governing financial and accounting disclosure.
</p>
<p><a href="http://lippisreport.com/2008/05/internet-content-provider-safeguards-customer-networks-and-services/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/05/internet-content-provider-safeguards-customer-networks-and-services/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Leading Psychiatric Hospital Safeguards Key Healthcare Data</title>
		<link>http://lippisreport.com/2008/05/leading-psychiatric-hospital-safeguards-key-healthcare-data/</link>
		<comments>http://lippisreport.com/2008/05/leading-psychiatric-hospital-safeguards-key-healthcare-data/#comments</comments>
		<pubDate>Tue, 27 May 2008 17:24:13 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/05/27/leading-psychiatric-hospital-safeguards-key-healthcare-data/</guid>
		<description><![CDATA[<p>By Cisco and The Menninger Clinic </p>
<p>One of the world&#39;s premier psychiatric hospitals for over 80 years, The Menninger Clinic has earned a reputation as a leader in mental health treatment, research, and education.  Information technology plays a vital role…</p>]]></description>
			<content:encoded><![CDATA[<p>By Cisco and The Menninger Clinic </p>
<p>One of the world&#39;s premier psychiatric hospitals for over 80 years, The Menninger Clinic has earned a reputation as a leader in mental health treatment, research, and education.  Information technology plays a vital role in supporting Menninger&#39;s state-of-the-art treatment programs. The network at its location in Houston serves 400 employees and spans seven buildings on 14 acres. Each building is connected via a fiber-optic backbone to a central server facility on campus that hosts information critical to treatment and hospital management. </p>
<p>Network integrity and security are essential to keeping Menninger&#39;s medical operations running. Like most healthcare organizations, Menninger must comply with the Health Insurance Portability and Accountability Act (HIPAA), which establishes stringent regulations for handling and safeguarding patient records. &#8220;Our biggest issue is HIPAA compliance,&#8221; says Michael Farnum, information security manager at Menninger. &#8220;HIPAA requires that we document any network incidents and report them in a timely manner.&#8221;<br />
Menninger is a medium-sized psychiatric hospital with an IT staff of six. Manually tracking and reporting the dozens of network events that occurred each day made HIPAA compliance an increasing burden. &#8220;One of the main issues that I was confronting was simply checking logs and keeping track of all the day-to-day activity on our network,&#8221; says Farnum. &#8220;I am the only dedicated security person, so it was a huge challenge.&#8221;  Farnum further commented, &#8220;We depend on our network and servers to support our patient information databases and our medication administration applications. We also depend on our network to document patient care on a daily basis.&#8221;
</p>
<p><a href="http://lippisreport.com/2008/05/leading-psychiatric-hospital-safeguards-key-healthcare-data/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/05/leading-psychiatric-hospital-safeguards-key-healthcare-data/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Community Bank Secures Data and Streamlines Regulatory Compliance</title>
		<link>http://lippisreport.com/2008/05/community-bank-secures-data-and-streamlines-regulatory-compliance/</link>
		<comments>http://lippisreport.com/2008/05/community-bank-secures-data-and-streamlines-regulatory-compliance/#comments</comments>
		<pubDate>Tue, 27 May 2008 17:22:55 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/05/27/community-bank-secures-data-and-streamlines-regulatory-compliance/</guid>
		<description><![CDATA[<p>By Cisco and Premier Valley Bank </p>
<p>Premier Valley Bank (PVB) uses a Self-Defending Network and 24-hour monitoring from HEIT to create an adaptable, end-to-end defense system.  Protecting against network attacks makes good sense for any business, but for financial services…</p>]]></description>
			<content:encoded><![CDATA[<p>By Cisco and Premier Valley Bank </p>
<p>Premier Valley Bank (PVB) uses a Self-Defending Network and 24-hour monitoring from HEIT to create an adaptable, end-to-end defense system.  Protecting against network attacks makes good sense for any business, but for financial services companies, it&#39;s not just a good idea&#8212;it&#39;s the law.   PVB must comply with a broad range of information security regulations from the Federal Financial Institutions Examination Council (FFIEC) and the California Department of Financial Institutions. In periodic audits, PVB must demonstrate that it has deployed strong network defenses and must provide detailed records documenting every security event that the bank encounters, as well as the response. Although PVB&#39;s previous network security solutions provided an acceptable level of protection, the reporting capabilities were sorely lacking, making preparations for regulatory audits a time-consuming, cumbersome task.
</p>
<p><a href="http://lippisreport.com/2008/05/community-bank-secures-data-and-streamlines-regulatory-compliance/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/05/community-bank-secures-data-and-streamlines-regulatory-compliance/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Building a Safer, Smarter State Government</title>
		<link>http://lippisreport.com/2008/05/building-a-safer-smarter-state-government/</link>
		<comments>http://lippisreport.com/2008/05/building-a-safer-smarter-state-government/#comments</comments>
		<pubDate>Tue, 27 May 2008 17:21:53 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/05/27/building-a-safer-smarter-state-government/</guid>
		<description><![CDATA[<p>By Cisco and State of Oregon </p>
<p>The state of Oregon is committed to improving the quality of life for all of its citizens. A national model for improving government, the state strives to deliver the highest level of service to…</p>]]></description>
			<content:encoded><![CDATA[<p>By Cisco and State of Oregon </p>
<p>The state of Oregon is committed to improving the quality of life for all of its citizens. A national model for improving government, the state strives to deliver the highest level of service to its residents. More than 100 agencies are responsible for day-to-day government concerns such as education, public safety, human services, transportation, business, finances, and the environment.  Information technology plays a key role in helping all of these agencies work efficiently, collaborate, and respond to constituents. Traditionally, each organization has been responsible for maintaining its own IT environment. Different systems and staff were dispersed across the state, each using its own business approach. However, this model left the state of Oregon vulnerable to network security issues that could bring government operations to a standstill.
</p>
<p><a href="http://lippisreport.com/2008/05/building-a-safer-smarter-state-government/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/05/building-a-safer-smarter-state-government/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>University Virtually Eliminates Infections from Internal Users</title>
		<link>http://lippisreport.com/2008/05/university-virtually-eliminates-infections-from-internal-users-2/</link>
		<comments>http://lippisreport.com/2008/05/university-virtually-eliminates-infections-from-internal-users-2/#comments</comments>
		<pubDate>Tue, 27 May 2008 17:20:38 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/05/27/university-virtually-eliminates-infections-from-internal-users-2/</guid>
		<description><![CDATA[<p>By Cisco and Virginia Commonwealth University </p>
<p>Securing a network for any large organization is fraught with challenges. In a university environment, however, where the need for security must be balanced with the need for academic freedom, those challenges can be…</p>]]></description>
			<content:encoded><![CDATA[<p>By Cisco and Virginia Commonwealth University </p>
<p>Securing a network for any large organization is fraught with challenges. In a university environment, however, where the need for security must be balanced with the need for academic freedom, those challenges can be even more complex.   &#8220;Our security environment is very dynamic,&#8221; says Mark Willis, chief information officer for Virginia Commonwealth University (VCU), a Richmond, Virginia-based university with 32,000 students and 10,000 faculty and staff. &#8220;At a regulatory level, we have increasing requirements to secure our networks and data. That is almost an anathema to an academic environment, which, by its nature, needs to be very open. We struggle to balance these needs and protect our assets from security risks.&#8221; </p>
<p>The VCU network is far-flung and complex. The university stretches across two campuses, encompassing more than 140 buildings, 1800 network switches, more than 500 servers, and more than 42,000 users. Portions of the network connect with a large regional medical campus, meaning that many network segments must comply with strict data security regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and industry requirements such as protection of copyrighted materials. In addition, several areas of the university deal with credit card transactions and must meet Payment Card Industry (PCI) requirements. Although the university had long employed strong perimeter security, mitigating the risk from internal threats was a constant challenge.
</p>
<p><a href="http://lippisreport.com/2008/05/university-virtually-eliminates-infections-from-internal-users-2/">Get the White Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/05/university-virtually-eliminates-infections-from-internal-users-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Network Security 2.0: Layered Security or Systems Approach?</title>
		<link>http://lippisreport.com/2008/05/network-security-20-layered-security-or-systems-approach/</link>
		<comments>http://lippisreport.com/2008/05/network-security-20-layered-security-or-systems-approach/#comments</comments>
		<pubDate>Tue, 27 May 2008 17:13:23 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Podcasts]]></category>
		<category><![CDATA["Systems Approach To Network Security"]]></category>

		<guid isPermaLink="false">http://lippisreport.com/2008/05/27/network-security-20-layered-security-or-systems-approach/</guid>
		<description><![CDATA[<p><span class="imgborder"><img src="/wp-content/uploads/fred%20kost%20exec%20photo.jpg" alt="Fred Kost" /></span>The conventional wisdom in IT threat mitigation is to build a layered defense with security technology such as firewalls, IPS, network access control, anti-x client software, alarm aggregation and event correlation, etc. Conventional wisdom is starting to shift toward a…</p>]]></description>
			<content:encoded><![CDATA[
<p><span class="imgborder"><img src="/wp-content/uploads/fred%20kost%20exec%20photo.jpg" alt="Fred Kost" /></span>The conventional wisdom in IT threat mitigation is to build a layered defense with security technology such as firewalls, IPS, network access control, anti-x client software, alarm aggregation and event correlation, etc. Conventional wisdom is starting to shift toward a systems approach to protecting IT assets.  The layered approach was built upon deploying best-of-breed products, which were best-of-breed only until other products emerged and relegated them to either stand-alone appliances and/or loosely coupled silos such as the linking between IPS and firewalls.  The systems approach builds upon IT security investment by wrapping it with System Management for policy, reputation and identity that transcend end-point, network, content and application security.  Fred Kost, Cisco&#39;s Director Security Marketing, is my guest as we explain the new IT security model and provide IT leaders with guidance on building a more secure IT infrastructure.
</p>
<p><a href="http://lippisreport.com/2008/05/network-security-20-layered-security-or-systems-approach/">Listen to the Podcast</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2008/05/network-security-20-layered-security-or-systems-approach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

