-
VIEW FROM THE TOP
Jagdish Saxena on how IT drives Elder
Pharma’s business.Page 66
BIG DATA CHOICES
Make the right storage decisions
for big data. Page 77
AUGUST 15, 2012 | ₹100.00
WWW.CIO.IN
BUSINESS TECHNOLOGY LEADERSHIP VOL/07 | ISSUE/10
ASISH KARUNAKARAN, CIO, SBI Capital Markets,
is combatting mobile insecurity with VDI.
The six key battles IT leaders are going to have to win if they want to protect their enterprises. Page 38
CIO-PWC SECURITY SURVEY: Indian data from the world's largest security survey reveals how CIOs are coping with new technologies.
-
THE NEW NETWORK IS SECURE
Today's users have gone through a rapid shift in expectations. Now they want to connect to your network with any device – be it their laptop, smartphone or tablet. Being able to support more types of mobile devices while providing secure, pervasive connectivity, with the right mix of wired and wireless access that's right for your business, has quickly become critical for success.
Juniper Networks builds the new network that can help you solve the connectivity conundrum by managing security without having to control the device, with a simple, single client that works on almost all devices.
Find out about moving to the new network that is built for present and future demands. Get the story at juniper.net
-
FROM THE EDITOR-IN-CHIEF
Vijay Ramachandran, [email protected]
"If you can keep your head when all about you, Are losing theirs and blaming it on you,... you'll be a Man, my son!"
—'If' by Rudyard Kipling
Hold Your Nerve
Events that test a CIO's mettle, skill and ability to remain calm are great opportunities for survival and learning.
Have you ever come across this equation: Crisis = danger + opportunity? If you have, it would typically have been followed by an explanation about the Chinese ideogram for crisis (weiji) having two parts—one that stands for danger and the other for opportunity. Then comes a bit of seemingly oriental wisdom: In a crisis, be aware of the danger but look for the opportunity. Profound? Absolutely. Smart strategy? For sure.
Except that it isn't so really.
Weiji actually breaks down as danger + crucial point. What it really stands for is that in a crisis, you need to stay alert because you are at a critical juncture that can potentially break you.
Color me cynical, but an unstable state of affairs is hardly the time to be looking out for how to 'benefit' from it. Survival? Undeniably. Business continuity? Entirely. Learning? You bet. But converting catastrophe into opportunity? Not really.
These are the bits about a crisis that make it interesting. Business crises test the best of executives, and CIOs are no exception. It's remarkable the shapes and forms business crises can take these days, apart from the uncertainty that our economic landscape is witnessing. I've heard horror tales of structured cabling in hospitals being chewed through by rodents, of whole kilometers of optic fibre being stolen overnight, of a server farm getting fried when the power polarity reversed, and even of 70 percent of an IT team quitting en masse. It's these low-frequency, yet high-impact events that test a CIO's mettle, his skill and ability to remain calm and look for the way forward.
Amongst the immortal lines of Kipling's If are also these: "If you can force your heart and nerve and sinew, To serve your turn long after they are gone, And so hold on when there is nothing in you, Except the Will which says to them: 'Hold on!'"
All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027, India. IDG Media Private Limited is an IDG (International Data Group) company.
Printed and Published by Louis D'Mello on behalf of IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027.
Editor: Louis D'Mello. Printed at Manipal Press Ltd., Press Corner, Tile Factory Road, Manipal, Udupi, Karnataka - 576 104.
IDG Offices in India are listed on the next page.
PUBLISHER, PRESIDENT & CEO Louis D'Mello
ASSOCIATE PUBLISHER Rupesh Sreedharan
EDITORIAL
EDITOR-IN-CHIEF Vijay Ramachandran
EXECUTIVE EDITOR Gunjan Trivedi
DEPUTY EDITOR Sunil Shah
ASSISTANT EDITOR ONLINE Varsha Chidambaram
CHIEF COPY EDITOR Shardha Subramanian
SENIOR COPY EDITOR Nanda Padmanabhan
COPY EDITOR Vinay Kumaar
PRINCIPAL CORRESPONDENTS Gopal Kishore
SENIOR CORRESPONDENT Sneha Jha
CORRESPONDENTS Debarati Roy, Shweta Rao, Shubhra Rishi, Ankita Mitra, Kartik Sharma
DESIGN
LEAD DESIGNERS Jinan K.V., Vikas Kapoor, Jitesh C.C
SENIOR DESIGNER Unnikrishnan A.V
DESIGNERS Amrita C. Roy, Sabrina Naresh, Lalita Ramakrishna
SALES & MARKETING
PRESIDENT SALES & MARKETING Sudhir Kamath
VP SALES Parul Singh
GM MARKETING Siddharth Singh
MANAGER KEY ACCOUNTS Jaideep Marlur, Sakshee Bagri, Varun Dev
MANAGER SALES SUPPORT Nadira Hyder
MARKETING ASSOCIATES Anuradha Iyer, Benjamin Jeevanraj
CUSTOM SOLUTIONS & AUDIENCE DEVELOPMENT
SR. MANAGERS PROJECTS Ajay Adhikari, Chetan Acharya, Pooja Chhabra, Ajay Chakravarthy
MANAGER Tharuna Paul
SENIOR EXECUTIVE Shwetha M
PROJECT COORDINATORS Archana Ganapathy, Saurabh Pradeep Patil, Rima Biswas
FINANCE & OPERATIONS
FINANCIAL CONTROLLER Sivaramakrishnan T. P
SR. MANAGER ACCOUNTS Sasi Kumar V
SR. ACCOUNTS EXECUTIVE Poornima
MANAGER CREDIT CONTROL Prachi Gupta
SR. MANAGER PRODUCTS Sreekanth Sastry
ASSISTANT MANAGER PRODUCTS Dinesh P
SR. MANAGER PRODUCTION T.K. Karunakaran
SR. MANAGER IT Satish Apagundi
2 | AUGUST 15, 2012 | REAL CIO WORLD
-
Networks are complex. Your network performance management shouldn't be. Decomplexify it with Riverbed Cascade.
Go to www.Riverbed.com/Cascade to see how Riverbed is Decomplexifying network performance management by enabling end-to-end visibility into the performance and troubleshooting of critical business applications. For any queries, please contact [email protected] or +91 9845652826, +91 80 40300567
-
Challenges bring a plethora of opportunities along with them. The current economic uncertainty is helping CIOs accelerate plans for the future. And, believe me, it's easy to capitalize on them. The answer lies in focus.
One great approach with regard to this is to have a triangular union of the following action elements: Economize, empower, and build IT. The first element focuses on identifying areas to purge; the second on selecting projects to invest in; and the third on training programs to build skills and keep IT morale up. Here are some pointers that may come in handy:
Take Stock: CIOs must take periodic stock of their organizations' financial situation themselves. They must ensure that IT expenditure has the same importance it had a few months ago. Otherwise, CIOs are likely to lose touch with the dynamic economic reality.
Predict: CIOs need to keep their teams focused on two main areas for effective pre-emptive planning: Marrying IT and business priorities, and being lithe enough to keep IT steady when priorities change. For example, one can maintain a dashboard of all projects that calculates priorities on the basis of capital investment, time required, and risk factors. It will help make the available alternatives clearer as conditions change.
Communicate: It's a great practice to spend time with business to gauge its sensitivity. There is a fine line between an authoritative and a "mother-may-I?" attitude. One stops being a CIO at either of the two extremes. CIOs will have to judiciously balance the two without jeopardizing critical business functionalities.
Train: A leader is known by his team. We often forget that the staff that constitutes the IT team needs emotional training apart from technical expertise. Companies may not cut costs, but it is the CIO's duty to prepare his IT team for that possibility. Also, avoid indulging in unnecessary resource spends.
Fine-tune: CIOs might want to edge back some cash spends, pushing them to the next year. Begin to bias new-project selection towards short-term and low-risk projects. This will augment the team's response time.
Rajeev Batra is CIO, Sistema Shyam Teleservices (MTS India)
GOVERNING BOARD
ALOK KUMAR, VP & Global Head-Internal IT & Shared Services, TCS
AMRITA GANGOTRA, Director-IT (India & South Asia), Bharti Airtel
ANIL KHOPKAR, VP-MIS, Bajaj Auto
ATUL JAYAWANT, President Corporate IT & Group CIO, Aditya Birla Group
C.N. RAM, Group CIO, Essar Group
DEVESH MATHUR, COO, HSBC
GOPAL SHUKLA, VP-Business Systems, Hindustan Coca-Cola
MANISH CHOKSI, Chief-Corporate Strategy & CIO, Asian Paints
MURALI KRISHNA K, SVP & Group Head CCD, Infosys Technologies
NAVIN CHADHA, IT Director, Vodafone Essar
PRAVIR VOHRA, Group Chief Technology Officer, ICICI Bank
RAJEEV BATRA, CIO, Sistema Shyam Teleservices (MTS India)
RAJESH UPPAL, Executive Officer IT & CIO, Maruti Suzuki India
S. ANANTHA SAYANA, Head-Corporate IT, L&T
SANJAY JAIN, CIO & Head Global Transformation Practice, WNS Global Services
SUNIL MEHTA, Sr. VP & Area Systems Director (Central Asia), JWT
V.V.R. BABU, Group CIO, ITC
FROM THE GOVERNING BOARD
Beat the Economy Blues
The uncertain economy is an opportunity for CIOs to rise above troubled waters. Here's how.
Bangalore: Geetha Building, 49, 3rd Cross, Mission Road, Bangalore 560 027, Phone: 080-3053 0300, Fax: 3058 6065
Delhi: New Bridge Business Centers, 5th and 6th Floor, Tower-B, Technolopolis, Golf Course Road, Sector 54, Gurgaon - 122002, Haryana, Phone: 0124-4626256, Fax: 0124-4375888
Mumbai: 201, Madhava, Bandra Kurla Complex, Bandra (E), Mumbai 400 051, Phone: 022-3068 5000, Fax: 2659 2708
-
Power: Modular power distribution and paralleling capabilities on UPS for loads from 10 kW to 2 MW.
Physical security: A single-seat view for monitoring and surveillance.
Management: End-to-end monitoring and management software for greater efficiency and availability.
Rack systems: 'Any-IT' vendor-compatible rack enclosures and accessories for high densities.
Cooling: Rack-, row-, and room-based cooling options for greater efficiency.
Introducing Next Generation InfraStruxure
Whether you have just acquired a new company or must increase its ever-expanding customer or inventory database capacity, you're most likely facing pressing demands on your company's IT infrastructure. Your existing data centre infrastructure may not be able to handle these up-to-the-minute changes. That's where Schneider Electric™ steps in with its proven high-performance, scalable data centre infrastructure. As the industry's one-of-a-kind, truly modular, adaptable, and 'on-demand' data centre system, only InfraStruxure™ ensures that your data centre can adapt effectively, efficiently, and, perhaps most important, quickly, to business changes.
InfraStruxure data centres mean business!
A data centre means business when it is available 24/7/365 and performs at the highest level at all times, is able to adapt at breakneck speed, lets you add capacity without waiting on logistical delays (e.g., work orders), enables IT and facilities to keep pace with the business in a synchronised way, continues to achieve greater and greater energy efficiency — from planning through operations — and is able to grow with the business itself. What's more, our comprehensive life cycle services help InfraStruxure data centres retain business value at all times.
The triple promise of InfraStruxure deployment
InfraStruxure fulfils our triple promise of superior quality, which ensures highest availability; speed, which ensures easy and quick alignment of IT to business needs; and cost savings based on energy efficiency. What better way to mean business than to enable quality, speed, and cost savings — simultaneously?
Only InfraStruxure adapts quickly to your specific business needs
Now, align your data centre architecture to your business needs in just seconds
Discover which physical infrastructure management tools you need to operate your data centre. Download White Paper #104 today and 10 lucky respondents can WIN a free telescope.
Visit www.SEreply.com Key Code 45504y Call 1800-4254-272/877
The flexibility of the InfraStruxure architecture:
Extend the life of your data centre. Existing data centres can add on InfraStruxure components to existing architecture and, for increased value, use our management software.
Scale up with step-and-repeat modular architecture for large data centres. Medium/large environments can deploy InfraStruxure as a zoned, 'pay-as-you-grow', scalable architecture solution.
Turn any room into a world-class data centre. InfraStruxure can be deployed on its own as a modular, scalable, customised solution that's easy to design, build, and install for small first-time data centre environments.
APC™ by Schneider Electric is the pioneer of modular data centre infrastructure and innovative cooling technology. Its products and solutions, including InfraStruxure, are an integral part of the Schneider Electric IT portfolio.
Business-wise, Future-driven.™
©2012 Schneider Electric. All Rights Reserved. All trademarks are owned by Schneider Electric Industries SAS or its affiliated companies. Email: [email protected] • Schneider Electric India Pvt Ltd, 9th Floor, DLF Building No. 10, Tower C, DLF Cyber City, Phase 2, Gurgaon – 122002 • 998-5037_A_IN-GB
-
Cover: Photograph by Kapil Shroff / Cover imaging by Unnikrishnan A.V.
AUGUST 15, 2012 | VOL/7 | ISSUE/10 | CONTENTS
SECURITY SPECIAL
38 | Security's Big Wars (COVER STORY | SECURITY) In the battle to secure their enterprises CIOs are fighting a six-front war. And CIOs seem to be winning. Find out how. Feature by Team CIO
40 | The Three-cornered Fight for Mobile Supremacy (MOBILITY) Four Indian CIOs take on BYOD's security threats with three different strategies. Here are the pros and cons of each. By Debarati Roy
44 | Beating the Guerillas at Their Game (MOBILITY) How to ensure that your enterprise isn't blindsided by consumer devices. By Serdar Yegulalp
48 | Firing a Round for BYOD (MOBILITY) Enterprise IT is targeting personal devices and maximizing their ROI potential. By Tom Kaneshige
52 | The Cloud Under Attack (CLOUD COMPUTING) Gaping holes in the cloud are making it easier for hackers to launch their missiles. And a lack of security awareness isn't helping. By Jeff Vance
56 | Defensive Lines (APPLICATIONS) Securing your apps has never been more important, and there are lots of ways to do that. By Michael Fitzgerald
60 | Assault on Non-compliance (GOVERNANCE, RISK, COMPLIANCE) GRC can be a complex undertaking. But for Fiserv, the alternative was even more complicated. By Bob Violino
64 | Dynamiting Data (GOVERNANCE, RISK, COMPLIANCE) A critical part of securing IP is the timely elimination of data you no longer need. By Bob Violino
68 | For Your Eyes Only (GOVERNANCE, RISK, COMPLIANCE) IP is the new hot target, under attack by hackers and inadequately secured. Here's how to protect it. By Lauren Gibbons Paul
71 | Security's Buy-in Obstacle (PEOPLE SKILLS) Even well-run organizations can be resistant to new ideas. Nine ways to cross this hurdle. By Mary Brandel
76 | Militants of the Web World (CRIME) If your employees are using the corporate network to transact in the online black market, your organization is in severe trouble. By Brandon Gregg
-
Zero Data Loss DR solution
No More Data Lost in Transit
Our Zero Data Loss Solution ensures that your business doesn't lose even a single byte of data or precious minutes getting your service back on track in the event of a downtime.
Data lost in transit during a downtime is irretrievable. Traditional disaster recovery services take at least 4 to 5 hours to initiate the recovery process, putting a great deal of data at risk. Which is why a Zero Data Loss Solution makes perfect business sense.
To know more, write to us: [email protected] | Call us: 040-42030583
CtrlS Business Solutions: DR on demand | MyCloud - Private cloud on-demand | Managed Services | Messaging Solutions
Visit www.ctrls.in/mumbai-data-center
-
CONTENTS (CONT.)
DEPARTMENTS
32 | ALTERNATIVE VIEWS: Should CIOs KISS? Security policies are long-winded and hard to read. Would simpler versions encourage compliance? Two CISOs debate.
2 | From the Editor-in-Chief: Hold Your Nerve. By Vijay Ramachandran
4 | From the Governing Board: IT Strategy | Beating the Economy Blues. By Rajeev Batra, Sistema Shyam Teleservices (MTS)
11 | Trendlines: Privacy | British Airways Stalks Passengers; Quick Take | Taking Rogue IT Down; Compliance | French Faux Pas Costs it €10,000; Devices | Ads Spy on Mobile Users; Internet | Anti-Social Networking; Malware | Access (Not) Denied; Internet | God More Harmful Than Porn; Passwords | It's the Default's Fault; Censorship | Google's Schmidt Takes on China; By The Numbers | Beefing up Online Security
20 | Alert: Data Privacy | One ID Card, Many Pockets; People | Generation Gap = Security Abyss?
98 | Essential Technology: Security | The New Perimeter; Social Media | Social Insecurity
104 | 5 Things I've Learnt: The Voice of Experience | Sundaram Krishnan, Former CIO, Universal Sompo General Insurance
COLUMNS
26 | Crossing the Cloud Security's I's and T's (CLOUD COMPUTING) As organizations migrate more and more critical functions to the cloud, it's becoming crucial for IT—in conjunction with business and cloud providers—to ensure that security's i's are dotted and its t's crossed. Column by Pallavi Anand
27 | A CIO's Guide to the World (UNDERCOVER OFFICER) Is it possible to adhere to local business customs without compromising security? Yes, but only if the CSO has a little creativity and a lot of trust. Column by Anonymous
30 | Security Bootcamp (STRATEGIC CIO) Skip the boring lectures and understand how people really learn new information and habits. Column by Joe Ferrera
2012: The New Battle Fronts (SURVEY | GLOBAL INFORMATION SECURITY SURVEY) Cloud computing, social media, and mobility: They are all yesterday's emerging technologies—and today's emerging threats. Find out how Indian organizations are countering this multi-front attack. By Sunil Shah and Shardha Subramanian
-
ADVERTISER INDEX
This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.
Bharti Airtel 23
Boston Limited (India) 1
Check Point Software Technologies 25
Ctrl S Datacenters 7
Eaton Power Quality 13
EMC Data Storage 34, 35, 36 & 37
Fortinet 49
Galaxy Business Solutions 67
Gartner India Research & Advisory Services 9 + Flap
HID India 51
IBM India BC
Juniper Networks India IFC
Lenovo India IBC
McAfee India Sales Security Survey
Nelco 47
Oracle India 15
Panasonic India 59
Riverbed Technology India 3
SAS Institute (India) 75
Schneider Electric India 5
Trend Micro India 21
Verizon Communications India 31
VMWare Software India 19
CIO ONLINE
[CIO HOMEPAGE] CIO.in Revamps! To serve your needs better, we've redesigned cio.in. Now you'll be able to navigate content more easily, and quickly see the stories that demand your attention. We also have more surveys and more case studies!
[BOOK CLUB] Conversation Starter. Books have been known to spark conversations, and on our website you can find the genesis of one. Learn what your peers think of a book and then visit the all-new CIO Book Club section online and join the conversation with your peers. >> www.cio.in/bookclub
[CIO DEBATES] Should CIOs KISS? We invited two CISOs to kick-start a debate on whether making user security policies simpler would encourage compliance. Read all about it in Alternative Views (page 32). Which side are you on? We also have more debates for you on www.cio.in:
Is the Economy Pushing for New Models of Funding IT? Ayes Vs Nays
Job Rotation: Harmful or Helpful? Ayes Vs Nays
>> www.cio.in/cio-debates
Must Read @cio.in
>> Alert: Generation Gap = Security Abyss?
>> Column: Cloud Security's I's and T's
>> Feature: Bombarded: The Cloud Under Attack
[Cover Story] Security's Big Wars. A fierce battle between CIOs and the six most potent threats—mobility, cloud, apps, GRC, people and crime—is on. And it looks like CIOs are winning this one. Find out how. >> www.cio.in
-
PRIVACY | British Airways Stalks Passengers Online
We've all Googled ourselves from time to time, but British Airways has crossed the creepy line by looking up its own passengers on Google Image Search.
The airline is rolling out a new program, called Know Me, that tries to improve passenger recognition through Google search and other methods. British Airways will create dossiers on passengers, and will use the profile data to offer 4,500 personal recognition messages by the end of the year, the London Evening Standard reports.
For instance, flight attendants may reference Google image results to greet a high-profile, first-class passenger when he or she boards the plane. British Airways will also dig into its own passenger data, so if a regular customer experienced a delay on a previous flight, airline staff can offer a personal apology.
Not surprisingly, some privacy advocates are upset. "Since when has buying a flight ticket meant giving your airline permission to start hunting for information about you on the Internet?" Nick Pickles, director of Big Brother Watch, told the Standard. Some customers just don't want to be bothered—especially famous ones—so it's presumptuous for the airline to think no one will mind being stalked on Google for the purpose of a greeting.
A better way might be to let people opt in to such a service through Facebook. That way, the information would be more reliable and less creepy, and would only affect willing participants. Using Google for image search is also a slippery slope that could lead to broader Internet data mining.
British Airways should draw the line at image recognition, and think of smarter ways to provide personalized service that don't revolve around Internet stalking.
—By Jared Newman
NEW * HOT * UNEXPECTED
QUICK TAKE | Taking Rogue IT Down
INSIDER THREAT | Take one look at the Batman Rogues Gallery and you will be able to recognize the Mad Hatter, Bane, Clayface and the Joker. All real, visible rivals. Unfortunately for CIOs, the IT Rogues Gallery still remains in the shadows. Rogue IT is gradually making its presence felt in enterprises. Gopal Kishore spoke to Rohan Deshpande, CIO, Ogilvy & Mather, to find out how to combat it.
How serious is the threat of rogue IT?
Call it rogue IT or shadow IT or by any other name, but when users try to circumvent the IT department, it is definitely a matter of concern. Today, anybody with a credit card can get access to cloud services. We try to prevent this trend by making it mandatory for employees to get all IT reimbursement cleared by the IT department.
Is it fueling the cloud or is the opposite true?
It's not just rogue IT users, but SMEs and entrepreneurs who are fuelling the cloud. The growth of shadow IT has been facilitated by a range of feature-rich tools such as project management, online backup, and other valuable services that are available through the ubiquitous Web browser. These can be procured and integrated into current business practices without IT's involvement. However, we see that this is usually done by tech-savvy users within the organization for their personal requirements.
Would it be easier to prevent rogue IT if IT adheres to user needs?
The role of IT is that we understand the business need and we understand technology. As long as the requested service fits into the company's IT policy, we don't reject it. We do deny certain requests, as there is a very thin line between official and personal. Some employees take advantage of this and charge the organization for some service which was used for personal benefits. IT refuses to oblige only because it has to safeguard the company's interest. So, keeping these considerations into account, we either reject or oblige user requests.
Rohan Deshpande
EDITED BY SHARDHA SUBRAMANIAN
Illustration by Vikas Kapoor
-
TRENDLINES
VOICES: IS BIOMETRIC AUTHENTICATION FEASIBLE?
BREACH | Passwords are essentially the root of all data breach evils. Strong passwords with random capital letters, numbers and special characters confuse people, and they resort to creating a passwords file, which is the first thing hackers look for. Is it time to move away from traditional password-protected identification to biometric identification? Debarati Roy asked some of your peers and here's what they had to say:
RAMNATH IYER, Director-IT, CRISIL
"Single factor authentication isn't adequately secure and is not preferred outside a gated environment. SAML (security assertion markup language) combined with biometric authentication on local host is promising. But my bet will be on biometrics as the long-term solution for data privacy."
KALPANA MANIAR, Head-Business Solutions & IT, Edelweiss Capital
"Biometric is still evolving. We are yet to see effective biometric readers that provide quality results. Though work-arounds are available, security threats pertaining to biometric implementations remain contentious."
SANKARANARAYANAN RAGHAVAN, Director-IT, Aegon Religare Life Insurance
"The future of password protection and authentication lies in biometric validation. Currently, it can be implemented on laptops and ATMs, but it would be expensive and complex to deploy on online apps and portals. However, I do believe that when both the complexity and the cost to implement reduce, biometrics will be the future of password protection and security."
COMPLIANCE | French Faux Pas Costs it €10,000
A French company must pay a €10,000 (about Rs 6.8 lakh) fine for failing to provide an employee with GPS data tracking the movements of his company vehicle, according to the French National Commission on Computing and Liberty (CNIL).
The man wanted the data in order to prove that a traffic accident in which he had been involved took place while he was on business for Equipements Nord Picardie, a regional water utility.
France has strict laws governing what personal data businesses may store on a computer, and provides that anyone may request a copy of data relating to them. Typically, access requests are made by persons wishing to correct or delete personal data held about them, two other rights enshrined in French law.
However, in this case, the man hoped to use the tracking data gathered by his employer to convince a court that he had been the victim of a workplace accident.
Eleven weeks after his initial request to his former employer, he complained to the CNIL, which asked the company to turn over the data four times over the following six months. Another month passed, still with no reply. The CNIL gave the company formal notice to turn over the data within two weeks, but it refused, saying the employee could consult the data in its office.
"Through its stalling tactics, the company took the risk of depriving the plaintiff of the possibility of accessing data, the storage of which was only guaranteed for six months after its recording," the CNIL said in its ruling.
That could have left the employee without the means to prove to his health insurance provider that the accident had been sustained on company business.
In view of the company's procrastination, and its refusal to provide the copy of the data required by law, the CNIL decided to impose a €10,000 fine.
—By Peter Sayer
Imaging by Vikas Kapoor
-
INTERNET | Anti-Social Networking
Yet another criminal has managed to get himself caught after posting on Facebook. Convicted robber James Tindell skipped out of Oregon earlier this year to avoid court-ordered drug treatment and other conditions he had accepted so as to avoid prison.
But instead of flying under the radar, Tindell made Facebook posts that taunted his probation officer, complained about the judge who sentenced him, and ranted about the criminal justice system. Not only that, he also posted things such as "I'm in Alabama," and a sonogram of his unborn child that showed the name of the hospital in Alabama where it was taken.
His probation officer spotted the posts and asked prosecutors to issue a nationwide arrest warrant. Tindell was then apprehended after getting pulled over for speeding—another genius move by someone running from the law.
In the end, the clueless criminal was ordered to reimburse the state $2600 (about Rs 1.4 lakh) for flying him back to Oregon and sent to prison for two-and-a-half years.
It's far from an isolated case. Last year, a thief in Georgia used a cell phone he found in a stolen purse to post a picture of himself on the victim's Facebook page. He likely didn't know the phone's owner had it set up to automatically post photos to the social network.
And in April, a dim-witted British crook was busted after a friend posted a photo of him on Facebook with a TV he'd stolen. Charles Holden stole a plasma TV, a PlayStation, and some games from a house in which he formerly had roomed. He then sold the goods right outside the door while one of his friends snapped a picture of the transaction.
The victim, suspecting Holden, snooped around on his Facebook page as well as those of his friends and spotted the incriminating photo, which led to an arrest.
And this one is classic: A Pennsylvania man, back in 2009, stopped to check his Facebook account on a computer in the home he was in the process of robbing. He forgot to log out before taking off with his loot. Of course, the victim later noticed his mistake and gave police identifying information to make a speedy arrest.
Although you'd think enough of these stories have surfaced that malefactors would wise up, apparently stupidity is perennial. If nothing else, they're good for chuckles.
—By Christina DesMarais
DEVICES | Ads Spy on Mobile Users
Some ads inside free apps for smartphones pose a threat to consumer privacy, according to a company that makes security software for mobiles.
More than 50 percent of free apps embed ads in their offerings provided by ad networks, according to Lookout Mobile Security. Some of those networks access personal information on the phones they're running on without clearly explaining what they're doing to users, research by Lookout revealed.
It also noted that 5 percent of the apps on smartphones, which represent 80 million downloads, are embedded with "aggressive" ad networks that perform "non-kosher" acts on a smartphone, such as changing bookmark settings and delivering ads outside the context of the app they are embedded in.
An analysis of free apps in Google Play showed that the leading user of aggressive ad networks was wallpaper apps (17 percent), followed by entertainment (8 percent) and games (7 percent).
The security vendor has also released a set of comprehensive guidelines for mobile advertisers. They outline "best practices" for the pitch firms to follow and govern transparency and clarity, individual control, ad delivery behavior, data collection and other topics.
In addition to collecting personal data from smartphones, ad networks have also been reported to push "scareware," such as battery upgrade warnings, and shove marketing icons onto a phone's start screen.
—By John P. Mello Jr.
Enemy at the Gates
INTRUSION The good news: Unknown attacks have come down. The bad
news: Employees are still the biggest source of security breaches.
Estimated Likely Source of Incidents        | 2012 | 2011
Employees (current and former)              | 86%  | 76%
Hacker                                      | 33%  | 32%
Competitors                                 | 28%  | …..
Customers                                   | 26%  | 15%
Service providers/consultants/contractors   | 21%  | 20%
Unknown                                     | 12%  | 27%
Source: Indian Information Security Survey
VOL/7 | ISSUE/10 | AUGUST 15, 2012 | REAL CIO WORLD
-
God More Harmful Than Porn
INTERNET Religious and ideological websites can carry three times
more malware threats than pornography sites, according to research
from security firm Symantec. The firm’s annual Internet Security
Threat Report also found that threats to mobile devices continue
to grow, almost exclusively for Google’s Android mobile OS.
Internet security reports from companies that also sell
anti-virus solutions should be taken with a pinch of salt, given
the potential conflict of interest, but Symantec’s authoritative
findings are nevertheless interesting.
Symantec found that the average number of security threats on
religious sites was around 115, while adult sites only carried
around 25 threats per site—a particularly notable discrepancy
considering that there are vastly more pornographic sites than
religious ones. Also, only 2.4 percent of adult sites were found to
be infected with malware, compared to 20 percent of blogs.
“We hypothesize that this is because pornographic website owners
already make money from the Internet and, as a result, have a
vested interest in keeping their sites malware-free—it’s not good
for repeat business,” said the report.
Be that as it may, malware threats are only increasing. Symantec
measured an increase of more than 81 percent in malware in 2011
over 2010, while the number of malware variants increased by 41
percent.
On the flip side, spam volumes have decreased from 88.5 percent
of all e-mail in 2010 to 75.1 percent in 2011—thanks to law
enforcement action which shut down the Rustock worldwide botnet
that was responsible for sending out large amounts of spam.
Android smartphone users should also be wary of malware, as
Symantec says mobile vulnerabilities, almost exclusive to Google’s
open mobile OS, increased by more than 93 percent. The report found
more than half of all Android threats do two things: Collect device
data or track users’ activities.
A quarter of the mobile threats identified were designed to make
money by sending premium SMS messages from infected phones, which
could be even more lucrative than stealing your credit card
details.
— By Daniel Ionescu
Access (Not) Denied
MALWARE The security vendor Trusteer is warning banks to look out
for a sophisticated Trojan that can empty the accounts of online
users.
The criminal scheme perpetrated through the Tatanga Trojan has
already attacked the sites of several German banks, and Trusteer
expects it to be reconfigured in time for banks in other countries,
including the US. “Many [US and Indian banks] are using the exact
same framework as German banks, so they should care,” said Oren
Kedem, director of product marketing for Trusteer.
The cyber-criminals are taking advantage of the text messaging
German and Indian banks use to authenticate an online transaction.
When a person transfers funds, the bank first sends a transaction
authorization number (TAN or an Online Authentication Code in
India) to the customer’s mobile phone. That
number has to be typed into a Web form before the transfer is
completed.
When a victim logs into his bank’s site, the malware displays a
screen saying the bank is performing a security check and asks
that a TAN or OAC be entered into a form on the page. Behind the
scenes, the Trojan checks the victim’s accounts for the one with
the most money and then requests an OAC from the bank, so the
money can be transferred to the hackers’ account.
From the victim’s perspective, the bogus page says the amount of
money and the receiving account are only test data and nothing will
actually happen. However, once the OAC is entered into the form,
the unsuspecting bank immediately completes the transfer to the
fraudulent account. To cover its tracks, the malware changes the
account balance report in the online banking application to hide
the transaction.
The malware creators still have some work to do to improve the
effectiveness of the scam. The fraudulent page is littered with
grammar and spelling mistakes, which should be a tip-off for many
victims.
—By Antone Gonsalves
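An added example, not Trusteer's or any bank's code, of a mitigation the article does not describe: an OAC that is cryptographically bound to one specific transfer and an SMS that states the real amount and destination, so a code obtained on a spoofed "security check" page cannot authorize any other transfer and the customer can compare the SMS with what the page claims. The per-customer secret, the 6-digit code, single use and the 5-minute window are assumptions.

```python
"""Added example (not Trusteer's or any bank's code): a transaction-bound
OAC/TAN. The code is an HMAC over the transfer details, so it authorizes
exactly one transfer, and the SMS spells out amount and payee so the
customer can compare them with whatever the web page claims.
Assumptions (constructed): a per-customer secret shared with the bank's
SMS gateway, 6-digit codes, single use, 5-minute validity."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Transfer:
    from_account: str
    to_account: str
    amount_cents: int
    currency: str = "EUR"


class OacIssuer:
    def __init__(self, customer_secret: bytes, ttl_seconds: int = 300) -> None:
        self._secret = customer_secret
        self._ttl = ttl_seconds
        # nonce -> (transfer the code was issued for, issue time); single use
        self._pending: Dict[str, Tuple[Transfer, float]] = {}

    def _code(self, transfer: Transfer, nonce: str) -> str:
        # Bind the code to every field that matters: a code obtained for
        # one transfer cannot be replayed for a different amount or payee.
        msg = "|".join([nonce, transfer.from_account, transfer.to_account,
                        str(transfer.amount_cents), transfer.currency]).encode()
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def issue(self, transfer: Transfer,
              now: Optional[float] = None) -> Tuple[str, str, str]:
        """Return (nonce, code, sms_text). Only the SMS goes to the
        customer, out of band; the web page never sees the code."""
        nonce = secrets.token_hex(8)
        issued_at = now if now is not None else time.time()
        self._pending[nonce] = (transfer, issued_at)
        code = self._code(transfer, nonce)
        sms = (f"Code {code} authorizes a transfer of "
               f"{transfer.amount_cents / 100:.2f} {transfer.currency} "
               f"from {transfer.from_account} to {transfer.to_account}. "
               "If you did not request exactly this transfer, do not enter the code.")
        return nonce, code, sms

    def verify(self, nonce: str, transfer: Transfer, submitted: str,
               now: Optional[float] = None) -> bool:
        """True only for the transfer the code was issued for, once, in time."""
        pending = self._pending.pop(nonce, None)   # any attempt consumes it
        if pending is None:
            return False
        issued_for, issued_at = pending
        current = now if now is not None else time.time()
        if current - issued_at > self._ttl:
            return False
        if transfer != issued_for:
            return False
        return hmac.compare_digest(self._code(transfer, nonce), submitted)


if __name__ == "__main__":
    issuer = OacIssuer(b"constructed-per-customer-secret")
    real = Transfer("NL01BANK0000000001", "NL99MULE0000000009", 250000)
    nonce, code, sms = issuer.issue(real)
    print(sms)   # the customer sees the real payee and amount, not "test data"
    other = Transfer("NL01BANK0000000001", "NL22SHOP0000000002", 1999)
    print(issuer.verify(nonce, other, code))  # False: bound to one transfer
```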
-
Passwords Farce: It’s the Default’s Fault
PASSWORDS KPN, a Dutch telecom company, closed a self-service
portal for corporate ADSL customers recently after it discovered
that 120,000 of its 180,000 business clients were still using
default passwords, all variants of ‘welkom01’, demonstrating once
again how lax security can get.
The security vulnerability could have given unauthorized persons
easy access to the corporate accounts, for which the corresponding
usernames could be easily derived from the businesses’ street
addresses.
KPN said it was unaware that the vast majority of its 180,000
ADSL business clients were still using a default password for the
online Customer Self Care portal.
Dutch IT news site Webwereld alerted KPN about the trend after a
tip from Robert Schagen of Robert 4U IT, who discovered the
security leak. By continuing to use default passwords such as
“welkom01,” “welkom1” or “welkom001”, customers risked unauthorized
persons gaining access to their accounts, KPN said.
Corporate clients were provided with a default password to gain
access to the online self care portal as a standard practice, but
KPN did not make it mandatory to change the password, and so a lot
of their customers never did.
Businesses’ user names consist of their zip code and street
number, said KPN spokesman Steven Hufton. And a list of KPN’s
corporate customers could easily be obtained by querying the
database of the regional Internet registry, Webwereld reported.
With access to an account on the portal, it is possible to
change a customer’s contact e-mail address and connection speed and
turn services on and off, Hufton said. Besides that, the portal
also contains bank account numbers and it is possible to change the
password, giving malicious persons the opportunity to take over the
account, Webwereld wrote.
“This is unacceptable,” said Eddy Willems, security evangelist
at G Data. “KPN should have made it mandatory for users to change
the default password when the account was activated.”
KPN’s problem was probably a historical one, Willems said,
adding that at the time of the implementation probably nobody
thought about the consequences. While this is an easy problem to
solve, companies should think of good security before they
implement a system, he said.
—By Loek Essers
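An added example, not KPN's or Webwereld's code, of the two controls this story says were missing: a forced password change on first login and a policy that refuses the provisioning default, its variants and the publicly derivable username. The portal's account record, the username layout and the sample customer are assumptions constructed for the example.

```python
"""Added example, not KPN's code: the two controls the story calls for,
a forced password change on first login and a policy that refuses the
provisioning default and its variants. Assumptions (constructed): the
portal stores a must_change_password flag set at provisioning, usernames
are "<zip><street number>" as the article describes, and the default
family is "welkom" followed by digits in any letter case."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import List

# "welkom01", "welkom1", "welkom001", "WELKOM01" ... are all one family.
DEFAULT_FAMILY = re.compile(r"^welkom\d*$", re.IGNORECASE)
MIN_LENGTH = 12


@dataclass
class Account:
    username: str            # constructed sample: zip code + street number
    salt: bytes
    pw_hash: bytes
    must_change_password: bool = True   # set whenever a default is issued


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _matches(account: Account, password: str) -> bool:
    return hmac.compare_digest(_hash(password, account.salt), account.pw_hash)


def provision(username: str, default_password: str) -> Account:
    """Create an account; the provisioning password only unlocks the rotation step."""
    salt = os.urandom(16)
    return Account(username, salt, _hash(default_password, salt), True)


def is_default_variant(password: str) -> bool:
    return DEFAULT_FAMILY.match(password) is not None


def password_policy_errors(account: Account, new_password: str) -> List[str]:
    """Reasons a proposed password is unacceptable (empty list means OK)."""
    errors = []
    if is_default_variant(new_password):
        errors.append("password is a variant of the provisioning default")
    if len(new_password) < MIN_LENGTH:
        errors.append(f"password shorter than {MIN_LENGTH} characters")
    if account.username.lower() in new_password.lower():
        errors.append("password contains the publicly derivable username")
    if _matches(account, new_password):
        errors.append("password unchanged")
    return errors


def login(account: Account, password: str) -> str:
    """Return 'denied', 'change_required' or 'ok'. A default password
    never yields a working session, only the change-password step."""
    if not _matches(account, password):
        return "denied"
    if account.must_change_password:
        return "change_required"
    return "ok"


def change_password(account: Account, old: str, new: str) -> List[str]:
    """Rotate the password; returns the policy errors, empty on success."""
    if login(account, old) == "denied":
        return ["current password incorrect"]
    errors = password_policy_errors(account, new)
    if errors:
        return errors
    account.salt = os.urandom(16)
    account.pw_hash = _hash(new, account.salt)
    account.must_change_password = False
    return []


if __name__ == "__main__":
    acct = provision("1012AB42", "welkom01")                # constructed customer
    print(login(acct, "welkom01"))                           # change_required
    print(change_password(acct, "welkom01", "Welkom001"))    # rejected
    print(change_password(acct, "welkom01", "7 lampposts guard the canal"))  # []
    print(login(acct, "7 lampposts guard the canal"))        # ok
```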
Google’s Schmidt Takes On China
CENSORSHIP After carefully working with China for the past two
years, Google Chairman Eric Schmidt bluntly predicted the fall of
the Great Firewall of China. “I believe that ultimately censorship
fails,” Schmidt said in an interview with Foreign Policy magazine.
“China’s the only government that’s engaged in active, dynamic
censorship. They’re not shy about it.”
In the interview, Schmidt predicted that once China’s Internet
censorship policies fall, an influx of free-flowing information
could cause great political and social changes in the country.
“I personally believe that you cannot build a modern knowledge
society with that kind of behavior. That is my opinion,” said
Schmidt.
“I think most people at Google would agree with that,” he added.
“The natural next question is when [will China change], and no one
knows the answer to that question. [But] in a long enough time
period, do I think that this kind of regime approach will end?
Absolutely.”
Schmidt’s comments about the Chinese government and its efforts
to keep its citizens from reading or viewing information on
specific subjects come after Google has spent
more than two years in talks with the Chinese government.
In March of 2010, Google announced that it would no longer
censor search results as the government requested. At the time,
Google’s chief legal officer, David Drummond, said the company
stopped censoring on multiple Google.cn sites.
Google rethought its agreement to censor search results inside
China’s walls after a major attack against its network was launched
in late 2009 from inside the country. The attack was aimed at
exposing the Gmail accounts of Chinese human rights activists.
However, Google executives at the time also continued talks with
Chinese officials in an attempt to maintain a link to the country’s
vast business potential.
—By Sharon Gaudin
-
COMPILED BY GOPAL KISHORE
Beefing Up Online Security
To encourage e-commerce and social media sites to adopt best
practices to protect consumer data, the Online Trust Alliance
introduced the Online Trust Honor Roll.
The year 2011 has become known as the Year of the Breach.
According to the Verizon 2012 Data Breach Investigations Report,
2011 saw 855 online data breach incidents and 174 million
compromised records across 36 countries. The trend continued into
2012, starting in January with Zappos, which experienced a breach
of 24 million records.
To combat this trend, the Online Trust Alliance (OTA), a
member-based non-profit representing the global Internet ecosystem,
reviewed over 1,200 sites. The OTA’s aim was to create a progress
report—and include organizations in its Online Trust Honor Roll
& Online Trust Index—on best practices to help protect online
consumers from security and privacy threats. Of the companies
evaluated by the OTA, less than 30 percent were named in the Honor
Roll for successfully implementing several key best practices.
Social media showed the greatest increase in percentage of
companies making the Honor Roll (from 12 percent in 2011 to 52
percent in 2012). Their adoption of e-mail authentication protocols
and robust SSL implementations has contributed to their high
scores.
But 75 percent of online retailers are still failing to adopt
best practices, exposing users to security, privacy and social
engineering threats.
Best Practices
1 IMPLEMENT e-mail authentication to reduce the incidence of
spoofed and forged e-mail, which may lead to identity theft.
2 PREVENT cybercriminals from snooping and eavesdropping on public
wireless connections. Always-on SSL (AOSSL) ensures this by
encrypting all communication.
3 ENCRYPT all data files containing customer profiles, e-mail
addresses and PII, which are transmitted externally or stored on
portable devices or media including flash and USB drives.
75% OF ONLINE RETAILERS are still failing to adopt online
security best practices
40% INCREASE in the number of social media companies making the
Honor Roll in 2012
$2.1 BILLION Estimated cost of breach in 2011
855 INCIDENTS of breaches across 36 countries
A Web of Security Threats: The increase in the number of online
breaches has made organizations more security-aware but not
cautious.
[Chart: Online Attacks Shot Up in 2011, showing the share of
breaches involving Hacking, Malware and Physical Attacks in 2010
versus 2011; the individual values are not recoverable from the
page.]
SOURCE: VERIZON 2012 DATA BREACH REPORT AND ONLINE TRUST ALLIANCE
-
Thought Leadership on
Evolving to the Cloud Without Endangering Your Enterprise
CLOUD CORNER
VMWARECUSTOM SOLUTIONS GROUP
Business priorities entail that we constantly strive to reduce
turnaround time to set up IT space for our clients, and lower costs
while ensuring agility. Our journey to achieve these goals led us
to the adoption of a hybrid cloud, one that is secure, scalable
and agile. Our main datacenter already has over 100 virtualized
servers. The next step is to virtualize our co-located datacenters.
The aim is to create a self-service environment for our users and
clients.
We handle a lot of sensitive client data, so cloud security will
always demand that additional effort. There are concerns around
some applications we want to put up which process highly-sensitive
data.
However, the technology is evolving and managing security for
standard applications on the cloud is not a big hindrance anymore.
That said, moving mission-critical apps is largely dependent on
industry vertical, organizational risk appetite, and industry
compliances, among others.
The cloud is not a new concept; and most CIOs have a fair idea
of it. CIOs who don’t have the in-house skills might face some
challenges like delays in execution, manageability, day-to-day
support or deriving maximum value from their investments, but these
hurdles can be overcome with the help of solution architects from
vendor organizations.
SACHIN JAIN, CIO & CISO, Evalueserve
Evalueserve is moving fast on its cloud journey and Jain says
that other CIOs—even those without the in-house skills—can too, if
they get help from vendors.
Virtualization is an essential catalyst for cloud computing. It
abstracts complexity and creates an elastic pool of compute,
storage, and networking resources, all of which accelerate an
organization’s transition to the cloud.
Using VMware’s three-tiered approach, CIOs can gradually
acclimatize their organizations to the technology. They begin by
virtualizing tier-II and tier-III applications. Then they
virtualize mission-critical applications and start saving a lot of
money. The third phase is what we call the agility phase, which is
about speed and responsiveness.
About the cloud itself, we believe that a one-cloud-fits-all
approach won’t work. No single cloud can provide all the answers to
an organization’s dynamically changing IT needs and also alleviate
concerns around data privacy, loss of control over data, vendor
lock-in, lack of interoperability, and latency. To deliver a
competitive advantage, cloud computing must be tailored to an
organization’s needs. We believe that a hybrid cloud is the way
ahead because it allows CIOs to address some of their security and
availability concerns, while leveraging existing IT investments.
T. SRINIVASAN, Managing Director, VMware India & SAARC
The hybrid cloud is the way forward, says Srinivasan, because it
allows CIOs to address security and availability concerns and
leverage existing IT investments.
-
ENTERPRISE RISK MANAGEMENT alert
One ID Card, Many Pockets
Make no mistake, your personal data isn’t your own. When you
update your Facebook page, “Like” something on a website, apply for
a credit card, click on an ad, listen to an MP3, or comment on a
YouTube video, you are feeding a huge and growing beast with an
insatiable appetite for your personal data, a beast that always
craves more. Virtually every piece of personal information that you
provide online will end up being bought and sold, segmented,
packaged, analyzed, repackaged, and sold again.
The “personal data economy” comprises a menagerie of
advertisers, marketers, ad networks, data brokers, website
publishers, social networks, and online tracking and targeting
companies, for all of which the main currency—what they buy, sell,
and trade—is personal data.
And the databases that collect this information are increasingly
hyperconnected—they can trade data about you in milliseconds.
Data Beeline, Online and Offline
Personal data has become far easier to access and aggregate than
it used to be. Long before we started cataloging our lives on the
Internet, much of the information about us lived in hard-copy
public records documents at the city hall or the county courthouse.
Those public records, which include birth data, real estate
records, criminal records, political affiliation and voting
records, and more, have in recent years been scanned, digitized,
and otherwise fed into databases. That data is now being combined
with our online personal data.
A whole industry of public records data companies has sprung up
to aggregate public records data from every city, county, and state
in the union, and to make the data easily available online (for a
price). Some of these firms, such as Intelius.com and Spokeo, are
combining public records data with online data such as personal
data from social networks.
Not Really a Private Affair
What may be a dark side to this mashup of public records and
social networking data is this: Public records sites such as
Intelius, Spokeo, and PeopleFinders.com distribute the kind of data
that landlords, insurers, employers, or creditors could easily use
to screen applicants—but the sites insist that their content is not
intended for such uses.
FINDINGS
Uninvited Guests According to a US survey, nearly 65 percent of
the respondents estimate that an average firm experiences three or
more IT security breaches annually.
The Number of Security Breaches in US Enterprises in a Year
0          | 10%
1 - 2      | 12%
3 - 5      | 21%
6 - 10     | 17%
11 - 15    | 6%
16 - 20    | 7%
over 21    | 14%
Don’t know | 13%
24% The number of CIOs who said their topmost worry is data
security and protection.
SOURCE: The CIO Insomnia Project - Robert Half
-
“The use of our service to screen potential employees, tenants,
or for any other purpose that’s restricted by the Fair Credit
Reporting Act is in violation of our Terms & Conditions,”
Intelius’s Adler says.
But many people suspect that personal data offered at public
records sites is being used for exactly such purposes. And in
truth, the public records sites would have no way of knowing if
this happened—and may not want to know.
Big Data, Bigger Impact
So-called Big Data is one of the few big concepts that will define
technology and culture in the first part of the 21st century. The
term refers to the capture, storage, and analysis of large amounts
of data. Among people involved in the personal data economy in one
way or another, one anecdote—“Target pregnancy prediction”—comes up
over and over again, and beautifully demonstrates both the
possibilities and the dangers of Big Data.
Observation and Inference
In the Target case, future parents were served with highly
relevant ads and offers, and the retailer found a new way to reach
its customers and pump up sales. No problem, right?
Wrong, say privacy advocates. The warehousing and analysis of so
much data, and so many types of data, might lead the curators of
the databases to infer things about us that we never intended to
share with anybody.
Experts say that in the future, predictive analysis will advance
to the point where it can tease out information about people’s
lives and preferences using far more, and far more subtle, data
points than were used in the Target case.
Clear as a Crystal
Lack of transparency may be the single biggest objection to
consumer tracking and targeting today. Advertisers are
spending millions to combine, transmit, and analyze personal data
to help them infer things about consumers that they would not ask
directly. Their practices with regard to personal data remain
hidden, and they’re acceptable only because people don’t know about
them.
Such tracking and targeting also feels arrogant. Consumers may
not mind being marketed to, but they don’t want to be treated as if
they were faceless numbers to be manipulated by uncaring marketers.
Even the term “targeting” betrays a not-so-friendly attitude toward
consumers.
Grow up, Internet!
Still, many people—on both the privacy and advertising sides of
the fence—believe there is room both for
consumer privacy and for Web advertisements and content targeting
using personal data. But the veil of secrecy around the use of
personal data would have to be lifted.
For that to happen, many believe, everybody in the personal data
economy must be more realistic about the economics of the
Internet.
The online advertising industry needs to become much more
transparent about the ways it collects and uses our personal data.
If it did so, we might be more inclined to believe its claim that
carefully targeted ads actually help us by making Web content more
relevant and less spammy.
The challenge now is for everyone involved—consumers,
advertisers, Internet companies, and regulators—to understand how
the personal data economy really works.
Only then can we start getting busy developing some rules of the
road that balance the business needs of advertisers with the
privacy needs of consumers. CIO
Mark Sullivan writes for PCWorld (CIO’s sister
publication). Send feedback to [email protected]
[ONE :: LINER]
“Today, social media sites have toolbars plugged into Internet
browsers. It is evident that these tool operators are interested in
tracking ‘what we do when’. To control what gets uploaded and who
gets access to social media sites, CIOs should implement rights
management and DLP.”
—SESANKA PEMMARAJU, IT DIRECTOR & CISO, HITACHI CONSULTING
-
ENTERPRISE RISK MANAGEMENT alert
Generation Gap = Security Abyss?
Young, tech-savvy people pay substantially less attention to
online security risks, and are, therefore, more likely to
experience security problems than older people.
That’s the surprising finding of a survey conducted by
ZoneAlarm, a unit of security vendor Check Point Software
Technologies.
ZoneAlarm polled 1,245 young and older tech users from the US,
Canada, United Kingdom, Germany, and Australia to find generational
differences in attitudes towards computer security.
About 40 percent of the participants were between 18 and 35 years
old, while about 20 percent were between 56 and 65 years old. The
rest ranged in age from 36 to 55.
The survey found that respondents aged 18 to 25 generally tend
to overestimate their knowledge about computer security, spend less
than other age groups on security products, and do less than Baby
Boomers (those who were born during the post-World War II baby boom
from 1946 to 1964) to protect themselves online.
While more than one out of three Baby Boomers admit being “very
concerned” about security and privacy issues, only one in five
younger users felt the same way.
Similarly, only 31 percent of the younger respondents ranked
security as the most important tech consideration, compared to
58 percent of Baby Boomers.
The survey also found that the younger respondents were less
likely than the older ones to pay for antivirus products,
third-party firewalls, or integrated security suites. In general,
older Internet users appeared to be more concerned about
email-borne attacks, while younger users were concerned about
threats emanating from social media channels and file-sharing
networks.
However, when it came to actual security incidents, about
50 percent of Gen Y respondents said they had experienced virus
infections and other security breaches in the last two years,
compared to 42 percent of Baby Boomers.
“Gen Y people are sophisticated, technically savvy online
users,” said Bari Abdul, vice president and head of ZoneAlarm. “We
expected them to have figured out security. What really came as a
surprise to us is that Baby Boomers are doing better than Gen
Y.”
Most of the Gen Y participants in the survey said that
entertainment and social media interactions are more important
issues for them than security, he said. The younger people often
turn off security tools such as anti-virus products and firewalls
if they believe the tools are hampering online gaming or social
media activities.
Bari said IT executives should be aware that many younger
employees bring their security beliefs to work as well. Companies
should also make sure to secure the increasing social networking
use of the latest generation of workers, he added.
Securosis analyst Rich Mogull questioned the validity of such
surveys and the conclusions reached by ZoneAlarm.
“User behavior studies are usually skewed [depending on] the
questions asked,” he said, adding that survey questions often don’t
correlate to real behavior, or don’t tie to behavior that reflects
real security risks.
He added that security technologies such as firewalls are built
into and turned on by default in every operating system. CIO
Lucian Constantin is a news reporter for IDG News.
Send feedback to [email protected].
Print. Repeat. Print.
A computer worm that propagates by exploiting a 2010 Windows
vulnerability is responsible for some of the recent incidents
involving network printers suddenly printing useless data,
according to security researchers from Symantec.
On June 21, Symantec reported that the rogue printouts were the
result of computers being infected with a Trojan program called
Trojan.Milicenso.
However, the company’s researchers have since determined that
the propagation routine of a separate piece of malware, a worm
called W32.Printlove, can cause similar problems, Symantec
researcher Jeet Morparia mentioned in a blog post.
W32.Printlove infects other computers on the local network by
exploiting a remote code execution vulnerability in the Microsoft
Windows Print Spooler service. The rogue printing behavior can
occur when W32.Printlove unsuccessfully attempts to infect a
Windows XP computer connected to a shared network printer.
Fortunately, the failed infection attempts leave behind .shd
files in the printer spool directory that contain details about
printing jobs, including the names of computers that initiated
them. Administrators can inspect SHD files with a free tool called
SPLViewer after shutting down the Print Spooler service, Morparia
said.
—By Lucian Constantin
-
The adoption of cloud computing is rapidly gathering momentum.
However as cloud computing becomes more mainstream, security
concerns are being raised.
A recent Robert Half survey of 150 CIOs and CTOs in APAC
revealed that security was the most prevalent concern among the
respondents when migrating to the cloud.
In fact 44 percent of those surveyed in Hong Kong were concerned
most about security. Other concerns included data integrity (26
percent), lack of internal knowledge on cloud computing (18
percent) and migration cost (8 percent). (According to CIO
research, 53 percent of Indian CIOs say security is their top
concern with the cloud.)
While cloud computing is deemed to improve business processes
and increase company competitiveness, security in the cloud
continues to remain a global challenge, particularly as more and
more critical functions are migrated. So what can be done? Here are
some tips on dealing with security issues in a cloud-enabled
organization.
Ensure Your Data is SecureMake sure your cloud computing
provider takes proper measures to secure your company data and any
applications that are used in the cloud. While providers have an
obligation to do this for their clients, a review should be done to
confirm that your expectations on cloud security are being met.
Companies and providers need to ensure that all critical company
data is masked and that only authorized users have access to it.
They also need to ensure that individual identities and credentials
are protected. At the same time, they must comply with company
compliance procedures, as well as laws relating to data protection
in the markets they operate in.
Apps that are accessed via the cloud also need to be secure.
Companies need to work with their providers to make sure computers
that are used to access data in the cloud are secure.
Mitigate Against DisasterWhen choosing a provider, make sure
they have data continuity and data recovery plans in place in case
the worst case scenario happens and their systems crash, which
could render all of your data inaccessible and, in rare case,
unrecoverable.
The same rings true for any applications used in the cloud. A
company can survive if a non-mission-critical application goes
offline, but what happens if a mission-critical one does?
Hire the Right StaffWhen hiring IT staff, it is essential that
they understand the security models and security technology needed
to manage in a cloud environment. Depending on the size of the
organization, it may be possible to hire a cloud security
specialist whose main responsibility is to keep the company's
operations in the cloud as secure as possible. (About 40 percent of
Indian CIOs say that they do not have staff dedicated to their
cloud computing initiatives, according to CIO research.)
Along with the requisite technical expertise, we see more
employers looking for candidates with strong management and
communication skills. These candidates are in demand as they will
be able to collaborate and communicate effectively with
non-technical business managers.
In addition, your organization should create a security policy
for all in-house staff to follow when accessing and working in the
cloud. Best practices should be shared broadly and continuously
reinforced. All staff should also be encouraged to keep up with any
changes in technology advancements within cloud computing. This
will allow them to more effectively work with, and monitor, the
service provider.
Whilst cloud computing is deemed to improve business processes
and increase company competitiveness, security in the cloud remains
a challenge. In order to remain competitive, the IT function—in
partnership with management and providers—needs to continue to work
closely to identify, assess, monitor and mitigate these new and
emerging risks appropriately. CIO
Pallavi Anand is director at specialized recruitment firm Robert
Half. Send feedback on
this column to [email protected]
Cloud Security's I's and T's
Cloud Compliance
As organizations migrate more and more critical functions to the
cloud, it's becoming crucial for IT—in conjunction with business
and cloud providers—to ensure that security's i's are dotted and
its t's crossed.
Pallavi Anand CLOUD COMPUTING
-
Undercover Officer ANONYMOUS
A CSO’s Guide to the World
Is it possible to adhere to local business customs without compromising security? Yes, but only if the CSO has a little creativity and a lot of trust.
I once tried to standardize the global procedures for the forms
of identification that visitors to our facilities had to show.
Based on my experience in the US, I thought that a policy requiring
a driver’s license, government-issued picture ID or passport would
be sufficient. Surely, most visitors—no matter the country—would
have at least one of these forms of identification. Not so. In
Tokyo, some visitors never carry government-issued picture ID
cards. Not only that, the Japanese routinely rely on business cards
as a means of identifying themselves. This custom works very well
within the culture of the Japanese business world, because it would
be unthinkable for someone to print a false business card.
The last time I checked, al-Qaida was not listed in the Japanese
business directory. This procedure would never do. After much
discussion with the Japanese security guards and the receptionists,
I compromised and altered the policy so that if a government-issued picture ID was not available, then business cards could be used to identify visitors. However,
those visitors were not allowed into the building until the
employees whom they wished to see came to the lobby and physically
escorted them inside. The policy thus adhered to local business
customs without compromising security.
Then there was the issue of the guard force. Security guards in
Japan are taught to be deferential toward visitors, and it is
actually illegal for them to use force or try to restrain people in
any way. I discovered this when I did a penetration test on the
physical security of my company’s Tokyo office. I pretended to be
someone off the street and then sneaked past the guards and into
the building. As the guards spotted me, they called out “sumimasen,
sumimasen” (excuse me, excuse me), but when I didn’t stop, they
remained at their posts and took no further action. Needless to
say, we retrained the guards to react by keeping contact with the
intruder and simultaneously reporting the intrusion to police.
I’m usually not one who gets into bumper sticker logic, but I
like the idea of a CSO acting globally but thinking locally. By
that I mean a CSO needs to devise and enforce global security
policies, but also put some thought into how those policies will be
implemented locally around the world. Otherwise, variations in
national customs and culture can short-circuit even the
most well-intentioned security policies. I found that out the
hard way.
-
World Culture
Of the countries where I’ve been
responsible for security, Japan easily has
the most trusting society—so much so
that I simultaneously admire them and
fear for their safety. But it wasn’t the only
country where I had something to learn.
Many other cultures, while considerably
less trusting than the Japanese, have
markedly different views of security
than our own.
In China and Singapore, for example,
civil liberties are not considered
sacrosanct, and law enforcement will
not hesitate to arrest and indefinitely
imprison, without trial, people who
are suspected of being terrorists. In
Indonesia, following several high-profile
bombings from an al-Qaida-linked group
called Jemaah Islamiyah, the security
in office buildings has been beefed up
to levels far surpassing those of most
American and European companies.
While Australia is much less militant,
there I found the local police to be
much more involved in anti-terrorism
programs with local building security
guards than almost any other country
where I’ve worked. I’m not sure why.
Perhaps it is because most of Australia’s
population is located in six major cities,
making co-ordination easier.
Europe’s history raises its own
set of issues. Citizens there tend to
have much stricter notions of privacy
than Americans, probably because
Europeans suffered through the abuses
of Nazi and Communist regimes and
therefore have higher standards for
how personal data can be collected
and for what purpose. To be sure, most
Americans value privacy, but they also
view themselves as a nation of business.
They are therefore more ready to
compromise privacy in the interest of
business or security.
Different cultural attitudes, of course,
translate into different regulatory
environments. In Europe, both
information and physical security are
very much influenced by a privacy
regulation known as the European Data
Protection Act (DPA). Most Americans
are under the impression that in Europe
there is only one DPA, but that’s not the
entire story. Under European Union
laws, the European Commission and
European Parliament pass legislation
such as the DPA, but it is then up to
the member states to enact national
legislation that implements, and does
not conflict with, the overarching EU
legislation. The member states are
also tasked with enforcing their own
national DPA. As a result, regulations
and their enforcement can vary widely.
Asian countries have typically
passed legislation that is very close
in nature to the EU’s Data Protection
Act. However, enforcement of the laws
can vary widely. Japan, Hong Kong,
Singapore and Australia all have DPA
laws on the books, but I’ve found that
companies are very rarely taken to task
for violating those regulations.
No Standard for Standards
Outside of data protection issues, there
tend to be far fewer differences in
information security, primarily because
there are few differences in technical
systems. After all, a Windows 2003
server in one country is just about the
same as in any other. Where I did find
differences, though, is in the method of
implementing an information security
program. Europeans are much more
likely to follow an international standard
than are Americans.
I’m sure an entire book could be
written about this phenomenon, but
it probably stems from the fact that
Europe is composed of many countries
that, historically, have had to cooperate
in order to ensure that their technical
systems worked with one another. The
telegraph and gauge of railroad tracks
are two examples of European nations
agreeing on and building a common
standard. If they hadn’t, then imagine
having to stop at each border and board
a different train.
Americans, by contrast, tend to view
themselves as rugged individualists. We
often place priority on getting to market.
Just think back to the introduction of
video cassette recorders. In the late
1970s and early 1980s, there were
two competing standards, VHS and
Betamax. Rather than compromise
on a common standard, American
companies slugged it out in the
marketplace. Eventually, VHS gained
the upper hand, and Betamax died out–
ah, American Darwinian capitalism at
its finest.
In the field of information security,
these cultural differences play
themselves out with Europeans being
much stronger proponents of ISO 20000
than are Americans. If an American
company goes for any type of third-
party certification, it is more likely to be a
Statement on Auditing Standards (SAS)
70. Unlike ISO 20000, however, the SAS
70 is not a “best practices” standard.
Instead, it documents the controls in
place that satisfy the company’s internal
control objectives. The company defines
its own control objectives, and the
auditor checks to see if the controls the
company has implemented are sufficient
to achieve its objectives. Once again, we
see the American practice of “going it
your own way.”
A Difference of Control
The major cultural differences in information security that I have seen between Asian countries and Western countries arise over
the documentation of controls.
Many times, I have met with my
Asian counterparts to go over the
controls they have in place. Yet,
upon auditing the systems, I will
find major discrepancies between
what is written and what is actually
implemented eventually.
I can only ascribe this difference to
the practice of “saving face,” which is
prevalent in the Chinese and Japanese
cultures. Japanese and Chinese IT
professionals are sometimes so eager
to please me, the global CSO, that they
tell me what they think I want to hear
rather than bring up actual problems.
It takes some time to read between the
subtleties of language and the culture
of maintaining respect.
After discussing the issue with
several of my Japanese and Chinese
IT colleagues, I found that the best
way is to encourage participants
to practice self-examination (that
is, criticize themselves but not
colleagues) and seek ways upon
which their job performance might be
improved. Also, I publicly praise the
groups when they bring up problems
and propose solutions. This way, I
make it clear that I welcome critical
analysis and am not just looking
to hear that everything is going
swimmingly well.
A global CSO who assumes that his
native country’s cultural norms apply
to his foreign offices will quickly
learn that they do not translate
well. Instead, it is best to cultivate
close relationships with individuals
around the world and to listen to
their advice. If a CSO understands a
culture and trusts the professionals
working in that culture, he will find it
easier to implement policies that meet
the spirit of the company’s control
objectives, and that hold true the
world over. CIO
This column is written anonymously by a real CSO.
Send feedback on this column to [email protected]
-
Information security people think that simply making users aware
of security issues will make them change their behavior. But
security pros are learning the hard way that awareness rarely
equals change.
One fundamental problem is that most awareness programs are
created and run by security professionals, people who were not
hired or trained to be educators. These training sessions often
consist of long lectures and boring slides—with no thought or
research put into what material should be taught and how to teach
it. As a result, organizations are not getting their desired
results and there's no overall progress.
It's important to step back and understand how people most
effectively learn subject matter of any type. Applied to security
training, these techniques can provide immediate, tangible,
long-term results in educating employees and improving your
company's overall security posture.
Serve Small Bites
People learn better when they can focus on small pieces of information that the mind can digest easily. It's unreasonable to cover 55 different topics in 15 minutes of security training and expect someone to remember it all and then change their behavior. Short bursts of training are always more effective.
Reinforce Lessons
People learn by repeating elements over
time—without frequent feedback and opportunities for practice, even
well-learned abilities go away. Security training should be an
ongoing event, not a one-off seminar.
Train in Context
People tend to remember context more than content. In security training, it's important to present lessons in the same context as the one in which the person is most likely to be attacked.
Vary the Message
Concepts are best learned when they are encountered in many contexts and expressed in different ways. Security
training that presents a concept to a user multiple times and in
different phrasing makes the trainee more likely to relate it to
past experiences and forge new connections.
Involve Your Students
It's obvious that when we are actively
involved in the learning process, we remember things better. If a
trainee can practice identifying phishing schemes and creating good
passwords, improvement can be dramatic. Sadly, hands-on learning
still takes a backseat to old-school instructional models,
including the dreaded lecture.
Give Immediate Feedback
If you've ever played sports, it's easy
to understand this one. "Calling it at the point of the foul"
creates teachable moments and greatly increases their impact. If a
user falls for a company-generated attack and gets training on the
spot, it's highly unlikely they'll fall for that trick again.
Tell a Story
When people are introduced to characters and
narrative development, they often form subtle emotional ties to the
material that helps keep them engaged. Rather than listing facts
and data, use storytelling techniques.
Make Them Think
People need an opportunity to evaluate and
process their performance before they can improve. Security
awareness training should challenge people to examine the
information presented, question its validity, and draw their own
conclusions.
Let Them Set the Pace
It may sound clichéd, but everyone really
does learn at their own pace. A one-size-fits-all security training
program is doomed to fail because it does not allow users to
progress at the best speed for them. CIO
Send feedback on this column to [email protected]
Security Boot Camp
Security Conditioning
Skip the boring lectures and understand how people really learn
new information and habits.
Joe Ferrara STRATEGIC CIO
-
This interview is brought to you by the IDG Custom Solutions
Group
in association with
CLOUD COMPUTING AND BYOD: STAYING SAFE AND SOUND
John Samuel,
Director–India & SAARC Region, Verizon Enterprise Solutions, on
how enterprises can harness the powers of the cloud and mobility
while effectively addressing security concerns.
EXECUTIVE VIEWPOINT
John Samuel, Director–India & SAARC Region, Verizon Enterprise Solutions
With over 20 years of management and sales experience behind
him, Samuel’s responsibilities at Verizon include growing the
company’s customer base and revenues in India and the SAARC region,
and ensuring significant market presence. Prior to joining VES,
Samuel was country manager, India, at BT Infonet India.
How can CIOs who want to leverage the cloud effectively secure data?
Data security has always been a key consideration among CIOs
who want to move to the cloud—and rightly so. A cloud provider with
proven security expertise can make the cloud a safer place to
conduct business. The right cloud provider makes security its
business, so that enterprises focus on ways to make the best use of
the cloud to gain an edge over rivals.
CIOs need to stay abreast with the latest security threats, and
devote powerful tools as well as expertise to maintain the safety
of data in the cloud. To support this, CIOs should back their
strategies with stringent SLAs for availability, and define
liability for unplanned outages. They would do well to ask for high
levels of real-time visibility into systems that reside in the
cloud and ensure that the solutions they buy into offer a high
degree of reliability.
Revamping security infrastructure can be expensive. Is there a more cost-effective alternative?
Building an enterprise’s infrastructure can be expensive. Yet most businesses deliberately over-engineer their infrastructure because they have suffered from unexpected system failures and unavailable applications, resulting from unplanned usage spikes. From a security perspective, over-engineering makes sense, but it can lead to cost implications. It is essential for enterprises to strike a balance between
initial investments in security infrastructure and budgeting for
disaster recovery.
While cloud computing offers the potential to solve these
challenges, CIOs need to
choose the right fit for their businesses from an array of
solutions. IT capabilities offered through cloud computing such as
PaaS, SaaS, and IaaS can help organizations deploy Web-based
applications without purchasing, installing, and managing
supporting hardware. It can help them gain efficiencies by
standardizing certain functions, like