The promise of managed security services
Colin Tankard, Digital Pathways
The market for managed security services is showing strong levels of growth. According to a report issued by Infonetics Research in 2012, the worldwide market for managed security services was worth $11.7bn in 2011 and will grow to $18bn in 2016.[1] Among the reasons for the growth are the increased importance of network security and risk management owing to the growing volume and sophistication of network security incidents. According to the author of the Infonetics report, the increase in attacks developed for web applications is another key driver, especially as organisations need to manage and protect an ever-growing number of Internet-enabled devices connecting to their networks, including desktops, laptops, servers, smartphones and tablets. By outsourcing security needs to a managed service provider, organisations can achieve consistent protection regardless of device type, the location of the user, the operating system or browser.
At the same time, corporate governance and regulatory compliance requirements are forcing organisations to ensure that data and systems are adequately protected and to monitor the effectiveness of controls. However, many organisations lack the resources or knowledge to effectively manage such needs, leading them to seek out specialists who can help them.
Rise of clouds
Managed services have long been used by large enterprises for a variety of needs. More recently, the managed service model has been adapted to the needs of small and medium-sized organisations, especially given the rise in cloud computing. Such a model not only provides organisations of all sizes with access to the technology services that they need, it can also be a more cost-effective way of accessing services than performing functions in-house – not least because the services are provided through a subscription, generally paid for on a monthly or annual basis. In addition, organisations using such services need not fork out on expensive hardware and software licences in order to access the technology services that they need.
The use of managed security services brings many benefits, of which the most often cited is reduced cost. However, there are many other advantages to be gained, including the ability to focus on the core competencies required to run the business. The main benefits offered are shown in Figure 2.
Figure 1: Main drivers for the take up of managed security services. Source: Nemertes Research, 2011.
However, a recent report by Forbes Insights in conjunction with CIT found that there are still significant barriers to the take-up of managed security services, of which the most frequently cited is the lack of understanding among small and medium companies (Figure 3).[2] The research surveyed 100 value-added resellers that serve small and medium businesses and found that more than 60% of respondents agree or strongly agree that most of their customers don’t really understand the benefits of managed services. The research suggests that such resellers need to better explain their proposition to the business owner or corporate officer of smaller businesses, rather than the IT department, with the focus more on the business benefits than the technology issues.
Encryption as a service
There are numerous services that are suited to delivery via a managed services model – in fact, any service where a third party can provide better security at a lower price than can be achieved in-house, while still ensuring that the organisation is able to meet its regulatory and business obligations. For example, suitable services can include vulnerability scanning, penetration testing, network monitoring, DDoS protection, threat intelligence alert services, forensics, product installation and configuration, and patch management.
One particular security need that is well suited to the use of managed services is encryption. When managed in-house, encryption deployments are seen as costly, and interoperability and key management remain significant challenges. Many encryption vendors specialise in a particular area, such as full-disk or database encryption, meaning that many organisations are managing several distinct encryption systems, and this is a significant management challenge. Many such legacy products do not support standardised key management protocols – such as those from Oasis – that allow communication between encryption systems and enterprise applications, including email, databases and storage devices. This adds to the interoperability challenges. In addition, it is not uncommon for encryption products to be deployed in particular parts of the organisation without IT or central approval. Some of the key challenges in managing enterprise encryption deployments are shown in Figure 4.[3]
| | In-house | Outsourced |
|---|---|---|
| Capital investment | Hardware and software | None |
| Operational costs | Staff, training, supervision and equipment maintenance | Monthly or annual fee |
| Expertise | General and non-specialist knowledge | Broad and extensive knowledge with specialist knowledge |
| Responsiveness | Competing priorities | Complete focus on security and monitoring of alerts |
| Best practices | Limited knowledge | Expertise |
| Budget | Subject to unforeseen expenses | Known annual fixed costs |
| Scalability | Major effort | Easily scalable |
| Control | Direct management | Management via service-level agreement |
Table 1: Weighing in-house versus outsourced security. Source: InformationWeek, ‘Finding the right security outsourcing balance’.
Figure 2: Most compelling benefits of managed security services for SMBs. Source: Forbes/CIT.
Managing keys
One of the primary headaches associated with encryption technologies is that of managing the encryption keys. Should encryption keys be lost, the data being protected is effectively lost as well. Key management involves creating, securely storing, distributing, handling and deleting encryption keys that are no longer needed, and the process needs to be effectively monitored throughout to ensure that keys cannot be accessed by unauthorised parties, which could lead to data being compromised. According to the 2011 global encryption trends study published by the Ponemon Institute, the most important standard of due care cited by 74% of respondents for encryption deployments is to know exactly where keys are and who/what systems can access them at all times.[4] This is exacerbated by the fact that many legacy encryption products require different keys or vendors to be managed for each system or application.
The use of a managed encryption service can smooth out many of the problems involved with managing encryption systems in-house. Many organisations lack the in-house expertise or capacity required for managing data encryption and its related issues such as the storage of keys and policy enforcement. And, facing ongoing budgetary pressures, many do not have the capital available to purchase the necessary equipment and licences. Subscribing to a service managed by experts is a far more attractive option for many – especially for smaller organisations or those with distributed operations, since such services are highly scalable. They are also able to handle the full range of encryption needs both for data in transit and at rest, including encryption of emails and their attachments, and encryption of databases and storage backups, and covering both structured and unstructured data sources.
Figure 3: Primary barriers faced in selling managed services to SMBs.
What this means is that encryption and key management are provided as a unified service across all encryption needs, which simplifies the tasks of key management. An example would be a managed service that provides an option where the security server appliances are stored within a secure network centre where all encryption keys and security policies are also stored. The encryption is enforced at the point of data access, whether that is in the cloud or on client premises. This effectively provides separation of duty between security management and the data service provider.
Selecting a managed services provider
When looking for a managed encryption provider, there are a number of capabilities and services that should be offered. Since the provider hosts servers and applications on behalf of the customer, they must maintain a highly secure network operations centre with many layers of security, including physical, personnel and information security controls. The datacentre and its failover facilities should be located in a geographical region that satisfies the requirements of the data protection regulations with which the organisation using its services must comply and it should provide assurances that data will be processed and stored only in certain jurisdictions, even though all data is held in encrypted form, as some countries’ regulations are particularly onerous.
However, one issue that has been gaining in importance in recent years is the use of intelligence-gathering legislation by foreign governments that can be used to subpoena corporate records. Among such legislation, the Patriot Act of the US is one that causes considerable concern – especially since requests for information to be handed over can be accompanied by a gagging order that precludes a service provider that is subject to such a request from telling its customers that it has been forced to hand over such information. Some of the very largest cloud hosting providers have recently acknowledged that they have been subject to such requests and it is their policy to comply with them. In order to ensure that their data cannot be handed over to the authorities under legislation such as this, organisations looking to contract managed encryption services should ensure that the encryption keys are not stored with the data, but are retained by the customer or its managed encryption service provider in secure storage. Should the cloud service provider be forced to hand over data to authorities without the customer’s knowledge, it will be unintelligible.
Figure 4: Key challenges in managing enterprise encryption deployments. Source: InformationWeek.
Unauthorised access
Ensuring that encryption keys are kept by the organisation, or its managed service encryption provider, in a central, highly secure location will also help to solve problems of unauthorised access to data. According to a recent report by Cyber-Ark, 74% of respondents believe the insider threat to be greater than from external sources and 63% of recent attacks experienced by respondents involved the exploitation of privileged account access.[5] When using a managed service provider, the insider threat is extended to the provider’s staff as well. By ensuring that no-one at the service provider has access to the encryption keys, no staff will be able to access the data by decrypting it, reducing the danger of data being taken from these sources.
Any managed service provider chosen should offer services complementary to encryption. Of particular importance are its network monitoring, log management and reporting capabilities. For the most effective monitoring and logging capabilities, organisations should look for a provider that offers security information and event management capabilities as part of the package, generally using an appliance placed at the customer’s premises to monitor activity and gather logs into one central location. The service provider will perform the analysis of the resulting data on behalf of the customer, sending back regular reports for management and audit purposes. For best results, these should be capable of being tailored to various criteria and should support major industry standards such as PCI DSS and government regulations such as those pertaining to data protection. All such data should be stored in a central archive for more detailed analysis should an organisation require it so that the data can be mined for ad hoc reports or if it has an audit pending.
One further area to consider is the provision of services by the hosting provider, such as support with backend integration into systems installed on the customer’s network, especially for organisations that lack the resources or expertise to do this themselves. This is something that should be negotiated at the start of the process, since most of the implementation must be performed up front, including deciding what devices are needed and how they fit into the network architecture of a particular organisation. To ensure that this is done in the most efficient and effective manner possible, the organisation will need to work with the service provider to ensure that accurate and complete network documentation is available to them in order to design the best solution.
Contractual issues
Organisations – and especially those that are looking to use managed services for the first time – should also pay close attention to some contractual issues to ensure that the service meets the needs of their business. Research company IDC has identified four important elements that should not be overlooked when selecting the most appropriate managed service provider:[6]
• Ensure that an agreed-upon level of customer service is guaranteed: large companies typically negotiate service-level agreements that specify the level of performance they require and are prepared to pay for. Organisations should consider whether they need ‘five nines’ (99.999%) availability or whether they can make do with lower levels of performance to save money. In making this judgement, they should consider what 10 minutes or a half an hour of service interruption on a regular basis would mean to their specific business.
• Ensure that flexibility regarding the length and structure of the agreement is offered: if the business is changing rapidly, organisations should ensure that the terms of the agreement are appropriate for the business as it changes.
• High visibility into the actual cost breakdown of the service should be provided: organisations need to understand the billing basics and how different levels of service and use are billed, including the number of users, as this will change the costs. Although the predictability of costs is one of the most important benefits of the use of outsourced services, it is up to the customer to make sure that it understands all the cost components from the start.
• Organisations should ensure that they have an exit strategy in order to ensure a smooth transition for the end of the relationship with the provider: changes in an environment may make it necessary to bring capabilities back in-house. Therefore, organisations should look when selecting a service for guarantees regarding the secure return of data and other resources under the care of the service provider.
Conclusion
The use of managed security services is growing rapidly, putting enterprise-class services within the reach of organisations of any size, allowing them to improve their security posture and achieve governance and compliance objectives such as data protection. An example of such a service is encryption as a managed service. Encryption technologies are complex to manage, as many organisations, especially small and medium-sized, lack the expertise or budget to manage them. Managed encryption services take away many of the pain points, including interoperability, as many handle all encryption needs in a single service. They also provide organisations with reduced costs in terms of encryption deployment, maintenance and management, and provide more effective oversight through provision of centralised monitoring, logging and reporting capabilities.
About the author
Colin Tankard is managing director of data security company Digital Pathways, specialists in providing managed encryption services that allow clients to separate security management from data services. This enables access to the benefits from the vast array of cloud- and ground-based data services without the worry of securing the data or remaining compliant.
Resources
• Gareiss, Robin. ‘How VoIP, […] and mobility are enabling the distributed enterprise’. Nemertes Research, 2011. Accessed Aug 2012. https://www.eiseverywhere.com/file_uploads/1fb2a647f48ce2fad10b43a9b81e8a40_ITR_NY_2011_The_Connected_Enterprise_Robin_Gareiss.pdf.
• Cobb, Michael. ‘Finding the right security outsourcing balance’. InformationWeek, May 2012. Accessed Aug 2012. http://twimgs.com/darkreading/securityservices/S4970512Secureoutsource.pdf.
References
1. ‘Cloud and CPE managed security services forecast to hit $18 billion by 2016’. Infonetics Research, 26 Apr 2012. Accessed Aug 2012. www.infonetics.com/pr/2012/2H11-Cloud-and-CPEManaged-Security-Services-MarketHighlights.asp.
2. ‘Are SMBs ready to embrace managed services?’. Forbes Insights in association with CIT, 2011. Accessed Aug 2012. www.cit.com/about-cit/thought-leadership/citoutlook-series/managed-services/index.htm.
3. Davis, Michael. ‘Data encryption: ushering in a new era’. InformationWeek, 2012. http://reports.informationweek.com/abstract/21/8628/security/researchdata-encryption.html.
4. ‘2011 global encryption trends study’. Ponemon Institute, 14 Mar 2012. Accessed Aug 2012. www.nymity.com/Free_Privacy_Resources/Previews/ReferencePreview.aspx?guid=bb7b5c14-1220-4ea1ac76-1216661262c4.
5. ‘Cyber-Ark Global Security Survey: Privileged Account Exploitation the Common Link in Enterprise Assaults’. Cyber-Ark, 12 Jun 2012. Accessed Aug 2012. www.cyber-ark.com/news-events/pr_20120612.asp.
6. ‘Improving small business profitability by optimising IT management’. IDC, Mar 2011. Accessed Aug 2012. http://resources.idgenterprise.com/original/AST-0059847_b-idc_small_business_it_optimization_WP.en-us.pdf.
Seek and destroy
Tracey Caldwell, journalist
Organisations are going to great lengths to protect data on their networks. But many are falling at the final hurdle by failing to delete data properly from end-of-life equipment. This leaves them vulnerable – not just to the leak of sensitive information, but also potential fines and other legal ramifications.
The UK Information Commissioner’s Office (ICO) has shown it is willing to fine organisations that breach the Data Protection Act by not deleting data on end-of-life kit. In June 2012 it fined Brighton and Sussex University Hospitals NHS Trust £325,000 following the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine (GUM) patients – on hard drives sold on an Internet auction site. The data breach occurred when an individual engaged by the Trust’s IT service provider, Sussex Health Informatics Service (HIS), was tasked with destroying approximately 1,000 hard drives held in a room accessed by key code at Brighton General Hospital in September and October 2010. A data recovery company bought four hard drives from a seller on an Internet auction site in December 2010, who had purchased them from the individual.
An investigation by the ICO found that one in 10 secondhand hard drives sold online might contain residual personal information. The ICO asked a computer forensics company – NCC Group – to source around 200 hard drives, 20 memory sticks and 10 mobile phones. The devices were searched, initially without any additional software, and then interrogated using forensic tools freely available on the Internet. The research found that, while 52% of the hard drives investigated were unreadable or had been wiped of data, 48% contained information and 11% of that data was personal information. In total, 34,000 files containing personal or corporate information were recovered from the devices. At least two of the hard drives contained enough information to enable someone to steal the former owner’s identity. The data included scanned bank statements, passport details, information on previous driving offences and some medical details. A further four hard drives contained information about the employees and clients of four organisations, including individuals’ health and financial details.
Misplaced complacency
Part of the problem appears to be that on the face of it, it appears easy to delete data securely. Users no longer have to be computer experts to destroy an electronic file and technologies and software have made it far easier for even a moderately tech-savvy individual to ensure the complete destruction of a single copy of a file. “Wiping programs and file shredders are easily accessible to anyone with an Internet connection and are easy to use,” says Spencer Lynch, director of digital forensics with Stroz Friedberg in the UK. “In fact, there is a secure erase utility built into some operating systems, such as Mac OS X.”
“Cloud-based services can automatically sync files, creating multiple, sometimes unknown, copies that make it more difficult to fully eradicate data”
However, he adds: “Even when using a wiping utility, files may still be found by experts. The propagation of files and data across hard drives, computer networks and the cloud has become increasingly difficult to manage. Recent versions of Microsoft Windows and OS X include automatic backup features that create copies of files that can remain even after the [original] files are deleted. Users are often unaware that their computers create these backups. Other cloud-based services can automatically sync files, creating