TECH:TOUCHSTONE | The Future is Cloudy, Mobile and Insecure
Executive Summary
It is generally accepted that cloud computing technology is the future of IT: Cloud technology makes it possible for
IT to deliver new servers in minutes rather than months and to purchase computing and storage only when they
are needed and to pay for only what is used. However, cloud services are not without risk: they must be planned
and implemented with due care. Mobility is also completely changing the way firms use IT; it is predicted that by
2015 there will be more tablets in use than there are smartphones today. Mobile computing brings with it a whole
new set of challenges for the IT security department; it upsets the traditional security approach of maintaining a
secure perimeter and requires a completely new approach to securing corporate data. Tech:Touchstone carried
out an on-line survey in advance of the Executive Summit on Information Security, which was held on 28 and 29
February 2012 at Richmond Hill hotel. Respondents to the survey reported that cloud and mobile security were
the topics that concerned them the most; however, the hot topic at the 9th Cloud Expo held in Santa Clara in
November 2011 was not stand-alone cloud computing or mobility: it was the convergence of mobile, cloud and
social media. Industry experts predicted that by the end of 2012, cloud apps that are not “socially aware” and
without mobile support will be looked down on as “legacy apps”. There is, however, a downside to this Nirvana: the
convergence of cloud and mobility has the potential to significantly increase business risk, with Lauren States,
VP and CTO of Cloud Computing at IBM predicting that “there will be a security breach in 2012 that will force
organizations to rethink how they secure their data and applications.”
2011 was a Wake-up Year for Security
2011 was the year when Internet Security issues became centre-stage. In January stock exchanges turned to
the security services for help after discovering they were the victims of terrorist plots and attempted cyber attacks
designed to spread panic in the markets. In May Sony revealed that its PlayStation Network had been hacked
and 100 million customers’ data had been stolen and in June Citigroup said that a hacker had accessed personal
information on more than 200,000 card holders. According to Infoworld, “Cyber crooks raided networks, pillaged
data and wreaked havoc in 2011, thanks to our persistently shoddy IT security practices”. Advanced persistent
threats remained a huge problem in 2011: Infoworld said it had documented coordinated, long-term, successful
attacks against much of our critical infrastructure, including central government, military targets, nuclear labs
and the chemical sector and energy and water utilities. It reported that hackers were focusing on breaking into
applications, helped by the weakness that end-users often have the same password for most of their websites.
Attackers were eagerly compromising the weakest websites to swipe credentials for breaking into the
more secure, more popular websites. Unfortunately, traditional network security tools like firewalls and network
vulnerability scanning can’t detect application level vulnerabilities.
How much does cyber crime cost businesses? According to PricewaterhouseCoopers, as reported in their study
“(The) Global State of Information Security Survey 2010”, the losses from each security incident average $833,000.
But the damage is not just financial: the firms surveyed reported that 30% of security incidents had impacted their
brand or reputation, and 29% had involved the theft of intellectual property.
Security budgets are in the spotlight
Chief Information Security Officers (CISOs) have always found it difficult to justify any proposed increase to their
IT security budgets. Spending money on IT security is a bit like taking out insurance; it is often hard to see what
benefit you get from it until there is an incident. It is an old saying in the IT security industry that the best time to
ask for a budget increase is just after a major security breach. It is always difficult to answer the question “how
much should we spend on IT security?”, but one way is to compare your spending with that of other comparable
firms. In 2008 Forrester Research surveyed decision makers in the US and Europe and asked them how much
of the IT operations budget they would spend on IT security in 2009; the response was 12.6%, against reported
spend levels of 7.2% in 2007. In December 2011, however, Forrester was less bullish, and stated that “The global
downturn has negatively affected security budgets for several years now, and chief information security officers
(CISOs) have become accustomed to accommodating increasing responsibilities with minimal change to resource
levels.” Gartner Inc on the other hand announced the results of a survey showing increasing budgets, albeit
from a lower historical level: “...Last year’s budget expectations were for a 6 per cent share of the total IT budget
expenditure to be allocated to the security function. In this year’s survey, that allocation has increased to a mean of
10.5 per cent.”
Tech:Touchstone carried out its own survey in advance of the Executive Summit on Information Security, which
was held on 28 and 29 February 2012. Respondents answered the question “What percentage of the IT
operations budget will you spend on IT security in 2012?” The average percentage spend on security was 7%, but
there was huge variation:
• 39% were in the range 0 to 5%. And that was after we removed the responses that said their security
spend was 0% of their IT budget, in the hopeful belief that these responses were in error.
• 28% were in the range 5 – 7.5%
• 17% were in the range 10 – 12.5%
• 14% were above 15%
We also asked respondents about the direction of spend. 7.5% said the security budget was falling as a
percentage, 45% said no change and 28% said it was increasing. Last year none of the respondents reported
falling budgets, so we conclude that budgets are generally getting tighter.
It is clear that the tough times we are in demand heightened security. We are seeing more insider theft, a greater
cyber threat and a higher risk associated with loss of reputation. At the same time business demands on the
security function are growing, with an increased focus on business priorities, more reporting and coordination with
business leaders, together with growing compliance and legal obligations around privacy & data protection. To
make matters worse, the security baseline keeps moving as threats evolve, so that without new initiatives, security
effectiveness decreases.
How are firms coping with the need to increase security effectiveness without increasing budgets? We hear that
they are:
• Extending their efforts to operationalize repeatable aspects of security
• Opening up to outsourcing tasks that are not strategic or where they lack the skills in-house
• Seeking to justify projects and measure the security program itself in business terms
• Finding business sponsors that are prepared to fund security work from their own budgets
Data Security and Business Continuity are Top of Mind
To help us decide on the key themes for the Summit, we asked survey respondents about their security priorities
for 2012. We gave them a list of topics and asked them to put them in priority order, with 1 indicating their top
priority, 2 indicating their second most important priority, and so on. If an item was not important at all to them they
were asked to leave it blank. We then added the scores up and divided the total by the number of responses to
each item, so the lowest average score indicated the highest priority (see Figure 1). We found that the top two priorities
were Data Security and Business Continuity/ Disaster Recovery, with Regulatory Compliance a close third. All
three of these priorities are related to legal and regulatory compliance in one form or another; it should come as no
surprise that CISOs are focusing first on the issues that the business needs them to address in order to operate
legally.
We also compared this year’s answers with those obtained last year in a survey of delegates for the comparable
event this time last year. We found that ‘Business Continuity/ Disaster Recovery’, ‘Regulatory Compliance’,
‘Mobile Security’, and ‘Cloud Computing Security’ were up in priority, and ‘Application Security’, ‘Aligning IT
security with the Business’, ‘External Threats’, and ‘Identity and Access Management’ were down.
How do these reported priorities align with what the analysts recommend? According to Gartner, 75 percent of
security breaches are now facilitated by applications. The National Institute of Standards and Technology raises
that estimate to 92 percent. So we were somewhat surprised to see application security down in priority in our
survey. Computer Weekly recently carried an article predicting that this year promises to be one that will be
remembered as the year that outsourcing to the cloud gained significant momentum. But it could also be the year
that cyber-attackers target the cloud and send shockwaves through corporations by causing a huge cloud security
breach. Hence increased focus on cloud security is clearly no surprise. The CIO Custom Solutions Group notes
that the increased use of mobile devices, such as laptops and handhelds, and removable media, such as USB
memory sticks and iPods, has also made it easier for rogue insiders to walk away with large amounts of corporate
data. So an increased focus on mobile security makes sense, but it seems to be anomalous that the bottom three
priorities were Identity and Access Management, IT security staff recruitment and training, and user security training
and awareness; staff issues and policies are at least as important as the deployment of security technology.
Figure 1
Top Security Priorities for 2012 (average score*; lower score = higher priority)
Data Security: 2.00
Business Continuity / Disaster Recovery: 2.22
Regulatory Compliance: 2.24
Application Security: 2.45
Aligning IT security with the Business: 2.50
Mobile Security: 2.53
External Threats: 2.60
Cloud Computing Security: 2.62
Identity and Access Management: 2.62
IT Security Staff Recruitment, Training, etc: 3.14
User Security Training and Awareness: 3.14
* Delegates scored each item on a scale of 1 – 5; these are average scores
Base: UK CISOs / IT Executives
Source: Survey for Tech:Touchstone Executive Summit on Information Security, January 2012
CISOs Focus on Virtualisation/Cloud Security and Mobile Security
However, current departmental priorities are not the same thing as topics that will have the most impact in the
future. We asked respondents about their main areas of interest. Mobile security topped the poll, followed by
virtual infrastructure/ cloud security (see Figure 2).
Figure 2
CISOs’ top areas of interest
“What are your main areas of interest?
(Please indicate all those that apply)”
Base: UK CISOs / IT Executives
Source: Survey for Tech:Touchstone Executive Summit on Information Security, January 2012
In November 2011 we surveyed delegates attending the Tech:Touchstone November 2011 Virtualisation/ Cloud
Computing Executive Summit; they told us that security concerns are a major barrier that hinders and delays firms
from entering the cloud world; the survey also confirmed that cloud security is an issue for those already spending
IT budget on cloud services. In fact security is the top topic about which both existing adopters and firms new to
cloud computing seek information and help. So why are CISOs so concerned about cloud? The fundamental
issue is that Cloud is more risky than traditional IT outsourcing, because:
• Traditional outsourcing/managed services are static and bounded. You know exactly where your data/host is, and
multitenancy does not usually come into play.
• Cloud computing decouples data from infrastructure. It obscures operational details (e.g., location, replication). It
emphasizes APIs, and multitenancy is frequently used.
Many industry leaders consider that getting security right is the key issue for cloud adoption. In September 2011,
Intel’s IT Center Cloud Security Insights for IT Strategic Planning reported that 80% of respondents in a survey they
carried out reported that the security component offered by the Cloud Service Provider was extremely important
or very important in their vendor selection decision. In our own January 2012 survey for the Tech:Touchstone
Executive Summit on Information Security we asked about the main inhibitor that they faced in extending the
business to the cloud. 26% were concerned about ensuring that critical information was only accessed by
authorised individuals. 21% were worried about maintaining compliance requirements in a cloud environment. IDC
agrees. They say that “Security is top of mind for the vast majority of IT organisations looking into public cloud
delivery models”.
Cloud Computing and its Security Needs to Mature
Cloud computing services today are immature. User firms need to be confident that cloud service providers will
deliver a service that meets their needs for security, performance, and availability. Many services today offer ‘best-
efforts’ performance and availability rather than levels backed by a contractual SLA with financial penalties. Customers
for such services will be taking a business risk that they will need to weigh against the potential cost savings.
However, in addressing security, there can be no best efforts where legal and regulatory compliance is concerned
or potential damage to brand and reputation. In December 2010, the Ponemon Institute asked a number of cloud
service providers about their own confidence in whether the cloud applications and resources supplied by their
organisation were secure. The results were not encouraging; only 43% of vendors surveyed were confident that
their private services were secure; for public cloud services their confidence was even lower, at 29%. Users will not
want to rely on vendors assurances, however confidently voiced. We conclude that:
• There will be increasing demand for third-party, unbiased cloud security evaluation. An external
independent audit is the only tool that will give potential customers confidence in cloud service
providers’ security arrangements.
• Specialist Cloud evaluators, aggregators, and integrators will emerge. Hyperic (now part of VMware)
CloudStatus measures performance, throughput and latency, and HP has a “cloud assurance” service.
• The industry needs to have a series of standards that govern key performance parameters, including
SLAs, auditing procedures, Cloud performance and service metrics, and operational interfaces.
• Firms need to buy cloud services with the due diligence they would apply to outsourcing. This will
involve a change of mindset; Cloud service purchasing will be subject to all the same disciplines that
apply to any other major IT purchase, including the formal involvement of the procurement and legal
department, and probably the finance department as well to assist in the construction of a business
case and financial model.
Mobile Computing Raises a Whole New Set of Security Issues
Traditionally, CISOs and their security teams thought about how best to defend security perimeters using such
tools as firewalls, network intrusion detection systems and intrusion prevention systems (IDS and IPS). The
approach was to keep the crown jewels – the company’s proprietary data and applications – protected inside
the perimeter. Mobile computing busts this concept wide open. Mobile users will be outside the perimeter, will be
accessing data and applications over the Internet and often from a device over which the CISO has no control,
such as a ‘bring your own device’ (BYOD) laptop, tablet, or smart phone; a PC in an Internet cafe, or an Internet
TV in a hotel bedroom. In our survey for the Summit we asked respondents: “By 2015 there will be more tablets
in use than there are smartphones now, so do you have a policy in place to manage the corporate data stored on
tablets and personal devices without compromising the security of your network?” They responded as follows:
• 18% said “We have a comprehensive DLP policy in place that addresses all devices including tablets”.
These firms are ready for the mobile working revolution.
• 11% said “We have a DLP policy in place but do not allow the use of tablets” and 20% said “We do
not allow the use of tablets in our network”. We wonder how long that will last; it is usually the CEO
or another board member that brings his iPad to work and demands immediate access to email and
company data.
• 51% said “We are working on a policy and plan to allow the use of tablets within 12 months”. Sounds
fine in theory, but the longer it takes, the more risk the company is exposed to.
Several companies have said to us that they do not currently allow the use of tablets or home working. However,
these policies are increasingly out of line with staff expectations, and risky behaviour is often the result. For
example:
• Staff wishing to work at home will often send confidential material to their personal email accounts.
They often know it is against company policy, but justify it to themselves because they will be more
productive if they can work at home.
• Staff wishing to work on a device they own will transfer confidential material using USB stick or other
media. Quite apart from the risk of the media being lost or stolen, it may be installed on a device with
inadequate anti-virus protection and be subject to attack.
Whether or not your organisation has a comprehensive DLP policy in place, the policy cannot prevent user
error, whether careless or fraudulent, done in ignorance or deliberately. The following checklist is based on one
produced by Symantec and sets out the basic requirements for a mobile security policy:
• Policy management around passwords, remote wipe and application blacklisting. At the summit
a speaker talked about a senior manager in his IT department that had an iPad with no password
protection active. To reduce risk, strong passwords should be forcibly changed regularly, company
devices should be remotely managed with remote data wiping, and best policy limits app downloads
to an approved white list.
• Personal-Corporate data separation on end-user devices. Reasonable personal use of mobile
devices is the norm. Data partitioning on laptops will keep the corporate data away from private email
accounts.
• Minimise corporate data on devices – zero is best. The use of VDI tools like Citrix will remove the need
to store any corporate data on the device. It is true that this security is not perfect – it will not prevent
users taking and storing screen shots, but that requires the deliberate breaking of company policy.
• Graduate user access rights based on trust, need, and device. Basing access rights on the “need-
to-know” will reduce risk. Many firms limit access based on the type of device: a fully managed
smartphone may have access to the data the user requires; a BYOD smartphone, over which the firm
has no management access and control, should have no corporate data access at all.
• Widespread use of encryption and managed PKI. Hard disk encryption is no longer restricted to
regulated parts of firms like finance departments; best practice is to encrypt the hard disks on all
devices and extend encryption to USB sticks. Encryption security is only as good as its key management;
start with a managed PKI policy.
Managed Security Services: Work with a partner that you trust
In Tech:Touchstone’s survey for the Security Summit, respondents indicated that their top choice for a provider
of security services was a global specialist provider of security consulting & managed security services (MSS).
Second choice was a Local Specialist Provider of security consulting & MSS. Last year Summit delegates put a
global Systems Integrator such as IBM or HP in second place; this year they are in third place, behind the local
security specialist. Global telcos such as Orange or Verizon were in fourth place, up from fifth last year. Both these
latter types of vendor certainly have the in-depth skills and services, including security services, to meet end-user
needs across multiple countries; however they may not always be the most cost-effective or most flexible in a
single country, where local specialist security firms may have the edge. Whichever type of supplier they choose,
firms should purchase security consulting and managed security services with exactly the same diligence and skills
that they would apply to negotiating an IT outsource contract. In particular they should:
• Carry out due diligence on the proposed cloud vendor’s security policy and defences. The general
test is to ask whether the policy and defences are at least as good as the user firm already has in
place.
• Audit the cloud vendor’s security. Words in a contract or SLA are not proof. They may be a statement
of intent, or they may be more marketing fluff than solid process. An external independent audit will
establish the reality. Leading vendors are investing in third party audit assurance themselves. For
suggestions on best practice: see the cloud security alliance http://cloud-security.org.uk/
Appendix A: Methodology
For this study, Tech:Touchstone conducted an online survey of senior IT executive respondents in advance of its
February 2012 Information Security Executive Summit, held at the Richmond Hill Hotel. Respondents included
UK- and Netherlands-based CISOs and other IT security decision-makers directly involved in their organization’s
security architecture, management, and/or operations strategy decisions, in national and global organizations
in both the private and public sectors. The online survey provided to participants included questions about their
strategy, priorities, adoption, budgets, and preferred suppliers for security products and services.