FIVE FORCES OF CHANGE

Five forces of change are increasing risk, complexity, and cost, and together they create the need to rethink and re-implement defense-in-depth. These five forces are:

  • Business needs – improve collaboration among staff and with customers, partners, and suppliers; increase efficiency and reduce data center administration and operations costs
  • Technology – Web 2.0 applications and social networking; virtualization
  • Threats – have shifted to criminal financial gain: credit card and identity theft, funds transfer fraud, trade secrets theft
  • Compliance – New regulations including Red Flag Rules, Mass 201 CMR 17, ARRA/HITECH, HEOA
  • Economy – Recession requires we do more with less

What follows is a more detailed description of each of these five forces of change:

BUSINESS NEEDS

Collaboration

A major general trend we see across organizations is the desire to improve efficiency and reduce costs by improving collaboration. Forrester says it best:

“Collaboration may be the hottest trend to hit the enterprise this year.” But what makes it so hot? Why now?

According to “Benchmarking Your Collaboration Strategy,” a new report from Forrester Research, two key trends make collaboration important to the enterprise right now:

First, the amount of content that people produce is morphing, especially as the advent of social computing becomes more commonplace.

Second, inefficiencies are swamping the enterprise with the need to create collaborative strategies that provide a more structured approach to how information is managed.

Four Key Factors

Innovation: The poor economy is playing an important factor in how companies view the ways they develop products. Management is looking for more efficient and creative ways to innovate. And they are looking to Web 2.0 technologies for answers. According to Forrester, discussion forums and idea management tools are the top two Web 2.0 technologies being considered and piloted by IT decision-makers this year.

Efficiency: Information workers are high-paid, valuable members of the enterprise. But they have a hard time finding information to get their job done, with 83% saying they waste time searching for information vital to their work projects. There is growing importance for tools that provide the ability to better find information and connect more easily with co-workers who can provide expertise to solve problems and drive efficiencies.

Email Woes: A huge need is emerging for better ways to reuse information that normally would be lost in email communication. Email is used to share information but it only goes so far as the people in the email chain. Once in the chain, it’s locked away. Changing email behavior is no easy task but collaboration technologies hold promise for more information to be shared throughout the enterprise.

Governance: Managing business information is becoming a legal necessity. Communication is becoming so widespread that it is becoming difficult to track. According to Forrester, only 20% of businesses report that they’re very confident that, if challenged, they could demonstrate that their digital information is accurate, trustworthy and accessible.

Data Center Efficiency

While the costs of computers and storage have dropped dramatically over the years, the costs of administration and operations continue to increase. And the traditional design of dedicated computers for functions has led to large numbers of inefficiently utilized computers.

As Information Technology continues to represent an ever increasing share of capital budgets, organizations are looking to save money by increasing the efficiency of their data centers.

TECHNOLOGY

Web 2.0 Applications and Social Networking

A major change in technology in the last several years has been the rise of social networking.

Forrester says, “Social technologies continue to grow substantially in 2009. Now more than four in five US online adults use social media at least once a month, and half participate in social networks like Facebook. While young people continue to march toward almost universal adoption of social applications, the most rapid growth occurred among consumers 35 and older.

This means the time to build social marketing applications is now. Interactive marketers should influence social network chatter, master social communication, and develop social assets — even if their customers are older.”

Daniel Nations sums it up this way: “The social web represents a fundamental change in how we use the Internet. Instead of using it as a tool to look up information or purchase merchandise online, we are inserting ourselves into the web and using it to connect with other people.

“This change has had a far reaching effect that has touched a number of different areas from the use of social networks to create our own special place on the web to the use of wikis to collaborate and create a global collective intelligence and repository of knowledge.

“Think about this: Wikipedia is many times larger than the full set of Encyclopedia Britannica books, is completely free, and according to a 2005 study by Nature, is just as accurate. This demonstrates the power of the social web.”

Virtualization

Virtualization is sweeping through data centers all over the world. It represents a big opportunity to increase efficiency and reduce administration, operations, space, and electrical costs.

THREATS

Over the last several years we have witnessed two important changes in the threat landscape:

1. The motivation of bad actors has shifted from fame and glory to profit.

As IBM puts it: “Information security solutions used to protect organizations from hackers intending to generate front page news about a successful denial of service attack or a web site defacement. In the new era of Internet threats, attackers are motivated by profit or politics and use cutting edge technology to probe networks undetected for as long as possible. The longer attacks go unnoticed, the more opportunity for success in data theft and other profit-generating activities”.

2. The threat vector has shifted from outside-in to inside-out.

When the Internet first became popular in the mid- to late ’90s, the main threat vector used by bad actors was directly penetrating the enterprise at the network level through open ports and exploiting operating system vulnerabilities. We call this attack methodology outside-in. In the last several years, with the increased popularity of social networking, the primary attack vector has shifted to enticing users to malware-infested web pages capable of compromising users’ systems via their browsers. We call this inside-out because the user inside the network is reaching out to an external web site, so the connection that carries the attack is one the perimeter was configured to allow.
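To make the outside-in versus inside-out distinction concrete, the following Python script is an added example (it is not code from the original page or from any vendor product). It parses constructed perimeter-firewall and web-proxy log lines, labels each event by direction, and flags the inside-out sequence that a port-based perimeter rule cannot see: a browser redirected off one site and then handed a native executable by a different host a moment later. The log formats, the 10.0.0.0/24 internal range, the hostnames and IP addresses, and the five-second window are all assumptions made for the illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Assumption (not from the page): the enterprise LAN is 10.0.0.0/24.
INTERNAL_PREFIX = "10.0.0."

# Content types a proxy sees when a browser is handed a native executable.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream"}

# Constructed sample perimeter-firewall log: inbound connection attempts
# from the Internet to an internal host (the outside-in view).
FIREWALL_LOG = """\
2009-06-01T08:00:01 DENY src=203.0.113.7 dst=10.0.0.5 dport=135 proto=tcp
2009-06-01T08:00:02 DENY src=203.0.113.7 dst=10.0.0.5 dport=445 proto=tcp
2009-06-01T08:00:03 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=80 proto=tcp
"""

# Constructed sample web-proxy log: requests made by users inside the
# network (the inside-out view). Every one of these was allowed.
PROXY_LOG = """\
2009-06-01T09:12:10 src=10.0.0.21 GET http://intranet.example/wiki/page 200 text/html
2009-06-01T09:12:14 src=10.0.0.21 GET http://social.example/profile 200 text/html
2009-06-01T09:12:15 src=10.0.0.21 GET http://ads.example/r.php 302 text/html
2009-06-01T09:12:16 src=10.0.0.21 GET http://update-now.example/flash.exe 200 application/x-msdownload
2009-06-01T09:30:00 src=10.0.0.33 GET http://vendor.example/setup.exe 200 application/x-msdownload
"""

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
                   r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
PX_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) (?P<method>[A-Z]+) "
                   r"(?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def parse_firewall(text):
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"], d["dport"] = _ts(d["ts"]), int(d["dport"])
            events.append(d)
    return events


def parse_proxy(text):
    events = []
    for line in text.splitlines():
        m = PX_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"], d["status"] = _ts(d["ts"]), int(d["status"])
            d["host"] = d["url"].split("/")[2]   # host part of http://host/path
            events.append(d)
    return events


def direction(event):
    """Outside-in: an external source touching an internal host.
    Inside-out: an internal host reaching out to the Internet."""
    if is_internal(event["src"]):
        return "inside-out"
    if "dst" in event and is_internal(event["dst"]):
        return "outside-in"
    return "other"


def flag_drive_by(proxy_events, window_seconds=5):
    """Flag the inside-out pattern a port-based perimeter rule never sees:
    a client is redirected (3xx) off one host and, within the window,
    receives a native executable from a different host."""
    by_client = {}
    for e in sorted(proxy_events, key=lambda e: e["ts"]):
        by_client.setdefault(e["src"], []).append(e)
    flagged = []
    for client, evs in by_client.items():
        for i, e in enumerate(evs):
            if e["ctype"] not in EXECUTABLE_TYPES:
                continue
            for prev in evs[:i]:
                gap = (e["ts"] - prev["ts"]).total_seconds()
                if 300 <= prev["status"] < 400 and prev["host"] != e["host"] \
                        and 0 <= gap <= window_seconds:
                    flagged.append({"client": client, "redirector": prev["host"],
                                    "payload_url": e["url"]})
                    break
    return flagged


def summarize(fw_text=FIREWALL_LOG, px_text=PROXY_LOG):
    """Count events by direction across both logs."""
    events = parse_firewall(fw_text) + parse_proxy(px_text)
    return Counter(direction(e) for e in events)


if __name__ == "__main__":
    print(summarize())
    for hit in flag_drive_by(parse_proxy(PROXY_LOG)):
        print("drive-by candidate:", hit)
```

The firewall log shows the older pattern: the defender decides at the perimeter which inbound ports are open, and the DENY lines are the attack surface being probed. The proxy log shows the newer pattern: every line was an allowed, user-initiated request, so the only signal is behavioral (a redirect followed by an executable from a host the client had never contacted), and the direct download by 10.0.0.33 is deliberately not flagged, since an executable fetch on its own is routine.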

Comparison of Attack Characteristics

The table below contrasts today’s attacks with earlier ones.

Attack Characteristic | Earlier Attacks | New Era of Attacks
--------------------- | --------------- | ------------------
Motivation | Glory and fame | Profits
Complexity | One-dimensional | Multi-faceted
Scope | Widespread for maximum publicity (carpet-bombing or shotgun approach) | Targeted attacks intended to go unnoticed (surgical-strike or sniper approach)
Primary Risk | Network downtime to clean and repair | Direct financial loss; theft of trade secrets or corporate strategy; customer data breaches and disclosure
Targets of Attack | High profile / widespread | Laser focus on specific firms and individuals
Effective Defense | AV signatures; reactive approach | Multi-layer protection; pre-emptive and behavioral approach required; focus on users, applications, and data
Recovery | Scan and remove | Not always possible: once trade secrets are lost, they are lost; legal remedies may be used; may require re-imaging the system
Types of Attacks | Viruses, worms, spyware | Designer malware, rootkits, ransomware, spear phishing, attacks via social networking sites, web site drive-by downloads, SQL injection, XSS, CSRF
Attack Approach | Network traffic that announces itself (“tell everyone the threat is here”) | Malicious code operating stealthily to avoid discovery

COMPLIANCE REQUIREMENTS

While the major regulatory compliance regimes like Sarbanes-Oxley, HIPAA, GLBA, PCI, and NERC/FERC were put in place years ago, the compliance landscape continues to change. Three examples are FTC’s Red Flag Rules, Massachusetts 201 CMR 17, and ARRA/HITECH.

Red Flags Rules

The Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration (NCUA) have issued regulations (the Red Flags Rules) requiring financial institutions and creditors to develop and implement written identity theft prevention programs, as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. The programs must be in place by November 1, 2008, and must provide for the identification, detection, and response to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

Mass 201 CMR 17

This regulation implements the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts. This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records.

Further purposes are to (i) ensure the security and confidentiality of such information in a manner consistent with industry standards, (ii) protect against anticipated threats or hazards to the security or integrity of such information, and (iii) protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud against such residents.

ARRA/HITECH

President Obama signed into law the American Recovery and Reinvestment Act of 2009 (ARRA) on Tuesday, February 17, 2009. The Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of ARRA in Title XIII include important changes in Privacy (Subtitle D). Our focus in this posting is the change related to business associates under HIPAA Administrative Simplification that is specified in Section 13401: Application of Security Provisions and Penalties to Business Associates of Covered Entities. In this section, administrative, physical, and technical safeguards, and policy, procedure, and documentation requirements of the HIPAA Administrative Simplification Security Rule “shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity.

The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.” The additional requirements include civil and criminal penalties, notification provisions for a breach, and application of “guidance on the most effective and appropriate technical safeguards” as determined by the Secretary of Health and Human Services (HHS), amongst other requirements. These changes become effective one year after enactment of ARRA, on February 17, 2010.

THE ECONOMY

The “recession” is officially over. Here is a chart that maps corporate profits and unemployment, from Citi’s Steven Weiting via BusinessInsider.

As shown below, since 1980, employment (in red) has fallen after corporate profits (in black) have risen, and vice versa. The relationship is very clear.

The problem is that there’s about a one-year lag between the two trends. This highlights what should simply make sense: companies hire people once they see profits rebounding, and more importantly once they believe that adding more people will lead to higher profits. Still, this fact of economics isn’t fun for the unemployed.

But here’s the good news. Given the recent rebound in corporate profits the U.S. has already experienced, there is a very high chance that employment will get better over the coming twelve months. One can’t stress enough the fact that employment is a lagging indicator:


And here is a comparative unemployment chart as of March 2011: