In December 2011, the New York Times reported that only one third of companies had insurance against losses related to their information technology. Generally called cyber insurance, this protection gained a foothold during the 1990s. For AEC businesses using the cloud, cyber insurance can be the backstop for scenarios where the best-laid security plans didn’t work out.
According to a U.S. government report:
Cyber-insurance is an insurance product used to protect businesses from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities. Risks of this nature are typically excluded from traditional commercial general liability policies. Coverages provided by cyber-insurance policies may include first-party coverage against losses such as data destruction, extortion, theft, hacking, and denial of service attacks; liability coverage indemnifying companies for losses to others caused, for example, by errors and omissions, failure to safeguard data, or defamation; and other benefits including regular security audits, post-incident public relations and investigative expenses, and criminal reward funds.
While estimates of total premiums being paid for cyber insurance currently rest in the hundreds-of-millions range, some predict 50 percent growth in that number during the next 12 months, according to the New York Times article. The problem is that IT has not traditionally been involved in insurance planning, yet IT staff are the people most familiar with the potential risks. Add a generally low understanding of just what is and is not covered by insurance policies, and the stage is set for surprises when things go wrong. Just like homeowners’ policies, business policies have many exclusions. In one example cited in a Computerworld article this year, the cost of a damaged server is generally covered under business insurance policies, but not the cost of liability associated with NOT providing contracted services to a customer. Likewise, data loss and the inability to access data are usually not covered.
While cyber insurance was initially focused on protecting companies when data breaches occurred, today’s adoption of the cloud adds a whole new level of complexity to insuring against cyber losses. Vendors of cloud computing products and services aren’t going to insure your losses, so it falls to you. But the risks now extend beyond the cloud to all of the mobile consumer devices that employees bring to the job. You can bet your standard business insurance isn’t going to cover any problems that arise from company data breached on an employee’s hardware. So far, though, it is generally assumed that cyber insurance policies will follow the risks to their natural destinations.
In 2010, every breached data record cost companies more than $20 and the costs can be staggering, going beyond just the data loss or compromise to lawsuits for damages brought by those whose data was affected. One sobering example was Sony’s experience with more than 100 million records breached. Cyber insurance in many cases should be a no-brainer with that kind of potential for loss. However, many companies resist buying the coverage because cyber insurance policies can cost up to 4 percent per million. With potential losses running in the hundreds of millions for large events, the outlay could appreciably increase a firm’s annual insurance expenses.
The experts say a thorough assessment of the risks is the place to start when deciding whether a cyber insurance policy is needed. For those moving to the cloud, the urgency of doing that is increased, and a policy might even be considered a final component of a complete cloud security plan.
BeyondTrust announced it was awarded U.S. patent number 8,006,088 covering key technologies that allow administrator privileges to be limited on a per-application basis on Microsoft Windows computers.
“BeyondTrust is committed to innovation and thought leadership in the privileged identity management market, demonstrated by this latest patent,” said John Mutch, CEO at BeyondTrust. “The patent, which makes claims in connection with our technology for granting and removing user rights on a per-application basis, demonstrates our clear leadership in this market, and proves we are ahead of the competition in technology innovation and the fight against insider threats.”
The patent covers the technology in BeyondTrust’s PowerBroker Desktops product for the network-based management of application security by modifying a Windows security token on a per-application basis. Specifically, the patent covers the methods by which PowerBroker Desktops modifies application security tokens by adding or removing permissions or privileges from the security token on a per-process basis, based on a set of rules that are enforced by an agent on the client.
“Today’s marketplace is growing increasingly competitive with the introduction of new technologies almost daily, and the most successful businesses will be those that leverage their intellectual property to give customers the assurances they need when buying new products and services,” continued Mutch. “BeyondTrust has a number of patents covering our technology, and we are anticipating strong revenue growth as IT departments increasingly adopt the least privilege model of defending against insider threats.”
Demand for Windows privilege management in particular is growing rapidly as more IT departments look for ways to mitigate insider threats (as well as reducing external threats from hacking or malware) as part of their Windows 7 deployments.
About BeyondTrust - Founded in 1985, BeyondTrust is the global leader in privilege authorization management, access control and security solutions for physical, virtual, cloud and infrastructure computing environments. The company’s products mitigate insider threats and secure the perimeter within across the enterprise, empowering IT governance to strengthen security, improve productivity, drive compliance and reduce expense. BeyondTrust, the BeyondTrust logo and PowerBroker are trademarks or registered trademarks, in the United States and certain other countries of BeyondTrust Software. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged.
Three-fourths of companies either currently employ enterprise-grade cloud computing solutions or plan to implement enterprise-grade cloud over the next five years, according to a new study commissioned by Savvis, Inc. (NASDAQ: SVVS), a global leader in cloud infrastructure and hosted IT solutions for enterprises.
IDG Research Services and CIO Custom Solutions Group surveyed 172 chief technology officers, chief information officers and IT managers from around the globe. The report, entitled “Enterprise-Grade Cloud Computing Adoption: Trends and Purchase Requirements,” can be downloaded at http://www.savvisknowscloud.com/information-center.
“This independent study validates the industry notion that enterprises want customizable cloud solutions that go beyond the application level and comprehensively address requirements such as security and service levels,” said Bryan Doerr, chief technology officer at Savvis.
The study found that IT usually identifies projects and areas that could benefit from cloud and informs the business. However, 23 percent of respondents reported that business leaders sometimes bypass IT and purchase solutions on their own.
Other key findings from the survey include:
Trust, security and privacy are three terms that surface quickly when people discuss cloud computing. A survey done by IDC and reported on by McAfee showed more than 85 percent of Software-as-a-Service users were uncomfortable adopting cloud services because of security concerns. For those in construction, architecture and engineering, the stakes are high.
From the cloud computing trust perspective, AEC firms are concerned about uptime, file availability and bandwidth, not to mention the need for some reassurance that the company housing the data and providing the links is in business for the long haul.
But it’s the security and privacy implications of cloud computing that make those in construction businesses shiver the most. Security of files and documents that hold sensitive company and customer information is of top concern. Especially with companies in the AEC industries, the types of files where the information may be stored are expansive. Email, memos, images and contract documents might seem innocuous on the surface, but when you scrutinize them closely there are many opportunities for information compromise.
Where privacy is concerned, there are compliance regulations that have to be followed, and for companies doing business across national borders, managing the privacy needs of the information becomes increasingly complex. Governments, standards organizations and computer software and hardware associations are grappling with the issues of trust, security and privacy for the cloud.
One key player is the Cloud Security Alliance, which includes individuals, corporations and industry groups organized into chapters.
The U.S. federal government has stepped up to the plate and thrown its weight behind the cloud computing concept. The recently appointed federal CIO, Vivek Kundra, is bullish on getting the government out of data center operations and onto the cloud provided by outsiders. Classified data will be handled on a platform designed by NASA called Nebula.
The National Institute of Standards and Technology (NIST) released a draft of its “Guide to Security for Full Virtualization Technologies” on July 21, 2010. In brief, the recommendations outlined in the press release were:
Brian Anderson, chief marketing officer for BeyondTrust, a solutions provider for privilege authorization management, access control and security solutions for virtualization and cloud computing environments, suggests attending to security in this order:
You can also download the Cloud Security Alliance’s “Cloud Security Guide” for very in-depth cloud security guidance and advice on the right questions to ask of cloud providers and managed security services.