It's been three weeks since the RSA Conference. Majority of the discussions and sessions at RSA centred on cybersecurity and state-sponsored attacks, hacktivism, advanced socially engineered attacks and increasingly sophisticated malware.
This research note will not discuss these topics. Most of you who are familiar with my research know that I analyse and write about technology and security developments through the GRC lens.
In addition to attending the official keynotes, sessions, and vendor briefings, I had the opportunity to attend the ISSA CISO Executive Forum and Cloud Security Alliance Summit. These end-user-focused sessions provided plenty of opportunities for in-depth discussions with customers about their current and emerging security, compliance and risk management concerns.
My discussions with several enterprise customers attending RSA 2012 point to a shift in how these organisations view security, compliance and risk management. The following themes encapsulate these emerging issues:
There were several sessions and offline discussions on the opportunities to leverage big data for enhancing existing security analytics capabilities. For example, security practitioners and vendors discussed scenarios for using the big data technology back-end to analyse and correlate a broader set of data sources and data points, beyond security state and event-driven information. Others discussed using the technology to address the limitations that stem from using a relational database back-end to power a SIEM application.
However, a small subset of customers was asking questions around the vulnerabilities that would stem from the use of these technologies. Customers are aware of traditional database security technologies that monitor and audit logs and events as well as scan for database vulnerabilities. These customers are curious to find out if these security capabilities extend to big data.
Customers also expressed a desire to learn more about the scenarios when they should be concerned about potential vulnerabilities from the deployment of big data. For example, customers were curious to find out what security controls could be employed to detect and block malware if they were to use streaming technologies.
Enhanced assurance from public cloud service providers
Enterprise customers have embraced private clouds for some of their critical processes and data. I spoke with enterprise customers from regulated industries that indicated their interest in using third party public cloud infrastructures to support their customer-facing applications.
However, concerns over liability and risks in the event of malicious attacks against the website are often cited as one of the primary adoption impediments. Customers also indicated that they would like more clarity regarding the customer's rights to access third party infrastructure forensic information.
Industry organisations like the Cloud Security Alliance have rolled out initiatives such as the Cloud Controls Matrix and Cloud Security Alliance Security, Trust & Assurance Registry (STAR). These initiatives are designed to allay some of those fears and encourage adoption by providing better transparency on the security controls and practices of cloud service providers (CSPs). However, these industry-led efforts are still in their infancy.
Some CSPs even suggested that, until there is greater participation from the hardware platform vendors (in networking, storage and servers), most CSPs are only able to deliver assurances on 20% to 30% of the requirements stipulated in these initiatives.
Static and siloed security compliance and risk management approaches are futile in porous and dynamic IT environments
Customers are aware that the convergence of mobility and cloud computing demands a reassessment of their existing standards and protocols for security, compliance and risk management. Customers expressed concerns that mobile malware in combination with socially engineered attacks through social networking applications could be used as an infection vector to penetrated cloud-based and traditional data centres.
A handful of the more prescient attendees also expressed concerns over the looming impact of intelligent connected devices (such as WiFi-enabled cars, TVs and medical devices) that are controlled and accessed through the IP networks, especially as organisations transition to IPv6.
Questions on potential legal liabilities when malware is introduced through a social platform app store
As social applications like Google and Facebook evolve to become platforms that connect businesses and consumers, businesses with a strong online presence are starting to ponder if they could also create their own app stores for ancillary products and services.
These enterprises are starting to look for guidance regarding their responsibilities and potential liabilities, should a rogue developer use the partner app store as an infection vector or when a legitimate application in the app store is hijacked and used as an infection vector.
This was the proverbial elephant in the room. Enterprise customers were looking at applications and startups that would enable them to have better visibility on the individual customers.
There were a handful of organisations who were trying to investigate how to monetise online behavioural information. These organisations were aware of looming changes to digital privacy rights. There were also publicly listed organisations who were concerned over recent SEC requirements to disclose the nature and material impact of data breaches. These organisations were trying to figure out how to best leverage their existing security and compliance programmes to support their privacy initiatives.
These developments portend a shift in current compliance and risk management. I anticipate that corporations facing these challenges are adjusting their existing risk management frameworks to enable more dynamic assessments of uncertainty and close to real time remediation of risks.
By Vivian Tero