Archive for the 'Security' Category

Tips to Guard Against Hacks and Attacks

I attended the 2013 InnoTech San Antonio Technology Innovation Conference & Expo on April 17th.  InnoTech is the region’s largest business-to-business technology event.

This conference has grown to the point of needing to move to the Henry B. Gonzalez Convention Center.

Along with the tracks offered in Mobility, Women in Tech, Infrastructure, Big Data with Analytics and IT Leadership, I participated in the Cyber Security Symposium.  I moderated a panel of experts on Security – It’s All About Perspective.  The panel had representation from corporate leaders, consultants and higher education.  The panel members were Mark Krisak, Director of Information Security, HEB; Chip Meadows, Sr. Security Analyst, UTSA; Joe Oranday, Vice President, Enterprise Information Security, Frost; Steve Werby, President and Senior Information Security Consultant, Befriend.

We had a lively discussion with the audience of around 100 people.  Even though we discussed technology and some of the newer techniques to deal with hacks and attacks, the takeaway from the gathered experience on the panel was to focus on the basics.  When the panelists were asked what the one best thing was that an organization can do to protect itself, the answers were:

  • Keep your patches current
  • Focus on user security awareness training
  • Deliver metrics on your program to track progress and get support
  • Work with your users

These solutions are not new and do not require deep technical knowledge.  I think we can all learn a lot from these experts.

I will be presenting a session on Hacktivism at the 2013 ETA Annual Meeting & Expo on April 30th through May 2nd in New Orleans, LA.  I hope to see you there.

Jeff Reich, Layered Tech Chief Risk Officer

About the Author: As Chief Risk Officer at Layered Tech, Jeff Reich (@LayeredTechCRO | +Jeff Reich) drives the company’s security and compliance services and guides risk mitigation efforts for clients. With more than 30 years of experience, Reich is a well-known risk management and security expert in the industry. He holds CRISC, CISSP and CHS-III certifications and is an ISSA Distinguished Fellow.

Data Protection – Not Always a Slam Dunk

It’s March Madness time, one of my favorite times of year. Maybe it’s playing college basketball brackets with friends and co-workers that has me thinking of infrastructure strategy in basketball terms. But anyway, it occurs to me that while backup and recovery isn’t sexy, it is critical — and not always a slam dunk.

In fact, dealing with backup windows, complex file systems, data encryption and compliance issues, and planning the solution to meet recovery point and recovery time objectives — well, doing all that is anything but a layup. Managing this area continually can really take you out of the game and away from what drives your business.

The ideal data protection backup and recovery service is something that’s worth defining. Here are the capabilities I think every business or enterprise should look for:

  • Backup service that is quick and reliable with minimal impact to client applications
  • Rapid recovery of files and entire systems, locally or to systems in an alternate datacenter, to minimize downtime or disruption
  • Secure transfer and storage of the backup data with strong encryption
  • Above all, real confidence in the people and platform protecting your data in the event of human error, malicious attack, system failures, or natural disaster

We recently refreshed our backup and recovery platform to offer faster backups, quicker recoveries, and options for offsite storage and recovery in a secure and compliant framework. Our objective is to make backup and recovery something you don’t think much about (unless you actually don’t have backups in place).

Peace of mind is a good thing. It’s also true that backup and recovery service of this caliber is vital in many cases:

  1. When you need a scalable, usage-based model without any need to procure or manage a dedicated system, or provision excess capacity. For an expanding company it means that your system can grow as much as you need, cost-effectively.
  2. To accommodate both file and system restores so you can recover from a variety of potential issues including system error, human error, malicious attack, or outage.
  3. To accommodate clustered systems so you can back up your most complex environments with ease.
  4. When you need to be prepared for both local and off-site recovery. We help you defend all your zones: you can make a quick file recovery to the local system, recover files and systems to off-site resources, or in a rare event like Hurricane Sandy, you can recover to an alternate site.
  5. For quick cold-site recovery. Clients can replicate their backup data to another Layered Tech data center so they have the option to recover either to standby systems or to on-demand cloud resources. The Layered Tech eBusiness Cloud Data Center Service and eBusiness Data Protect Service give you a low-cost way to be disaster tolerant.
  6. When you must provide an environment that is secure and aligned to compliance requirements. In such a situation, another copy of sensitive data may not be a good idea unless you know your data is secure! Our strong data encryption, robust access controls, and change management let you ensure that your data is secure and managed for compliance.

Here’s a data protection game plan: One, backup and recovery is not sexy but it is essential. Two, when selecting your service provider you need to choose one that provides the recovery scenarios (speed of recovery, recovery location, retention, security) your business requires. Three, the best offense is a strong defense.

We have your defense covered so you can get back to playing offense and driving your business without worrying if your data is protected.

Image Credit: Creative Commons

Kevin Van Mondfrans, VP of Product Management

About the Author: As Vice President of Product Management at Layered Tech, Kevin Van Mondfrans (@VANMONDFRANS | +Kevin Van Mondfrans) is responsible for driving the Layered Tech portfolio of infrastructure as a service (IaaS) and managed service offerings. With more than 20 years of experience in product development and marketing, Kevin has been delivering innovative computing, storage, cloud and service offerings with companies such as HP, Dell, and Savvis.

Comparing Managed Service Providers – Full Service versus Service Ready

One component of selling Layered Tech’s managed services is dealing with the competitive comparison issue, as prospective clients attempt to determine which service provider is the best fit for their IT management needs. The need to compare Layered Tech to our competition is understandable, but the breadth of our available capabilities makes direct comparisons difficult.

The old and overused “Apples to Oranges” comes to mind, but only partially describes the situation. Layered Tech is most often compared to “hosting” companies because we have hosting capabilities, but to say we are simply a hosting company is grossly inaccurate. Layered Tech is a managed services company with hosting capabilities. We provide an entire IT service and security capability. Most competitors, while they claim to offer a total solution are actually providing “service ready” solutions where most of the service is delivered by the client.

Maybe a metaphor using the auto repair industry can help clarify our situation as it relates to comparison shopping.  Traditional hosting providers can be equated to a self-service auto shop where space, lifts, and tools are provided.  You can rent the shop by the hour and fix up your ride.  Layered Tech on the other hand, is a full service location with not only the space, but also expert mechanics ready to maintain and repair a wide range of issues.  The difference between the examples above is stark, but not readily apparent until further research reveals the true nature of the service being offered.

There are a small handful of managed security service providers that take on the specialized tasks for regulatory compliance, yet you will find many others claiming to do so. They all use the same language to describe what they provide, but many simply provide the tools in a “service ready” environment. Since most regulatory requirements include an audit or review component, any service provider that is not doing event review along with data collection will not meet the requirements. They will advertise a fully compliant service offering by assuming the client will spend the time necessary to cover the review they have failed to provide.  Just make sure you understand the gaps and how to fill them before your regulators tell you about them.

When Layered Tech states that a service we provide can meet a requirement, we mean that the service fully meets the requirement and that is demonstrated. The challenge is educating prospective clients on the difference when being compared to providers with less-developed ideas about services.

Ed Welsh, Director of Compliance and Security Services

About the Author: As Director of Compliance and Security Services, Ed Welsh maintains and guides a dedicated team in the delivery of Layered Tech’s compliance and audit services.  Ed’s 16 years in IT security includes network and web application security experience from positions in the financial industry, HRBlock, Fishnet Security, and independent contracting.  He holds a CISSP certification and has been successfully implementing PCI compliant hosting solutions for the last 5 years.

Hospital Data Breaches

Earlier this month, Lisa Vaas published an article on the Naked Security web site on the Ponemon Institute’s Third Annual Benchmark Study on Patient Privacy & Data Security, funded by ID Experts.  Ms. Vaas did a good job of summarizing the most significant finding in the report: the increase in data breaches over the past three years is due mainly to a lack of secure devices and to staff negligence (see the graph from the report below).

Graph from the report: data breach causes

I strongly suggest that you download and read this report.  The Ponemon Institute always does a good job in these areas and if you are in healthcare, chances are you will see some trends similar to what happens in your organization in the report.

The takeaways here are that breaches are expensive, and it’s not just patient data.  Just look at the numbers in the report.

In my opinion, the saddest statistic is that most of the breaches were discovered in an audit.  One of the main reasons to conduct an audit is to demonstrate that these types of conditions do not exist.  Employee discovery follows in second place.  If an employee can discover it, an employee should be able to help prevent it.

Rather than try to scare you with FUD (Fear, Uncertainty and Doubt – see my blog post of January 3, 2013) – and there are plenty of items with which to scare you, I would like to see the community come together and share the ideas and practices that help protect data.  We always work with our clients to ensure that they have an environment that is both compliant and secure but it takes everyone working together.

If you have seen a healthcare provider in the U.S. during the past six months, you probably noticed the additional type of paperwork needed and, in fact, the move away from paper.  As healthcare related information transitions towards digitization, the opportunities for a breach increase unless we all take the necessary steps.

When you decide to host the data that you manage with a provider, demand that they secure the environment, demonstrate compliance and do it all with full transparency.  Anything short of that sells everyone short.

I will be attending HIMSS Conference in New Orleans on March 3-7 in order to help bring all of us to the right place with healthcare data.  I hope to see you there!

Jeff Reich, Layered Tech Chief Risk Officer

Security as a Subset of Risk Management

What does Risk Management mean to you?  If you have read my blog you know that I focus on topics like Security or Compliance.  You may have noticed, as well, that my title is Chief Risk Officer and you may have wondered how this fits together.  Compliance cannot exist without the appropriate controls (security) in place.  Moreover, Risk Management can be said to be the art of balancing the cost of a control against the value of the benefit derived from that control.

I have spent most of my career dealing with security controls and compliance.  After a while, it occurred to me that in order to convince someone, usually an executive, of the need for spending money on a control, I had to convince that executive of the value derived from implementing that control.  The cost of a control can have multiple factors, the most obvious being the cost to initially acquire the control, whether that is software, processes, personnel or any number of other costs.  One sometimes ignored component of the cost of a control is the cumulative cost effect.  Just about every control has costs associated with acquisition, administration, maintenance, and regression testing, to name a few.  Every time you add an additional control, the costs for administration, maintenance, testing and complexity are greater than if the control were stand-alone.  This is because some controls conflict with others or make administration more complex.

Many executives see security professionals demonstrate this concept repeatedly.  The rationale used for justifying these costs is Fear, Uncertainty and Doubt (FUD).  Claims of utter destruction and the end of the world (with all due respect to those that thought the Mayans were doing just that) are often used to generate FUD.  These security professionals are often frustrated that executives do not support their programs or believe their claims.

Another perspective taken is that with more controls, you reduce your risks from the negative effect of attacks, calamities and such.  Although this is true, to a degree, bringing those risks down to a negligible level often requires many controls.  Now we circle back to the ever increasing costs of controls.  Even if FUD is used successfully for the initiation of a security program, it can neither be sustained nor repeated for it would leave the executive out on a limb on the tree of FUD.

What is the best way to avoid FUD, put in enough controls and not spend too much on them?  Consider the chart below.  Life is never quite this simple, but if we accurately articulate the costs of controls AND the associated reduction in potential losses, the answer is always easy.  Never spend more on a control than you would lose if you did not have the control.

Recognize that the value of the benefits is multi-faceted.  Increased productivity, opportunity costs, competitive advantages are just some of the values that need to be factored in.  By keeping this perspective in mind, good and effective security controls will play a vital part in your risk management program.
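The cost-versus-loss rule is easier to reason about with numbers in front of you. The Python script below is an added illustration, not code from the original post or from Layered Tech. It assumes the standard annualized loss expectancy model (expected loss per year = single-loss expectancy times annual rate of occurrence), which the post does not name; the threats, controls, prices and reduction factors are constructed for the example, and the cumulative cost effect is modelled as a flat overhead per additional control, which is likewise an assumption. It then applies the post's rule: a control is justified only when the loss it removes exceeds what it adds in cost, given the controls already in place.

```python
# Added illustration (not from the original post): the cost-of-control versus
# loss-reduction rule, using the annualized loss expectancy model
# (ALE = single-loss expectancy x annual rate of occurrence), an assumption here.
# Every threat, control, price and reduction factor below is a constructed
# number for the example, not measured data.
from itertools import combinations

# Constructed threat scenarios: cost of one incident (SLE) and how many
# incidents per year are expected with no controls in place (ARO).
THREATS = {
    "ransomware":  {"sle": 400_000, "aro": 0.25},
    "lost_laptop": {"sle": 50_000,  "aro": 2.0},
}

# Constructed controls: annual cost and the fraction by which each control
# cuts the ARO of the threats it addresses.
CONTROLS = {
    "patching":        {"cost": 30_000,  "reduces": {"ransomware": 0.7}},
    "awareness":       {"cost": 20_000,  "reduces": {"ransomware": 0.3, "lost_laptop": 0.4}},
    "disk_encryption": {"cost": 30_000,  "reduces": {"lost_laptop": 0.9}},
    "dlp_suite":       {"cost": 150_000, "reduces": {"lost_laptop": 0.5}},
}

# The post's "cumulative cost effect": each control beyond the first adds
# administration, testing and complexity overhead. Modelled (assumption) as
# 10% of the combined control budget per additional control.
OVERHEAD_PER_EXTRA_CONTROL = 0.10


def annualized_loss(controls=()):
    """Expected annual loss with the given controls in place."""
    total = 0.0
    for threat, t in THREATS.items():
        aro = t["aro"]
        for c in controls:
            # Independent reductions compound multiplicatively.
            aro *= 1.0 - CONTROLS[c]["reduces"].get(threat, 0.0)
        total += t["sle"] * aro
    return total


def control_cost(controls=()):
    """Annual cost of a control set, including the cumulative overhead."""
    base = sum(CONTROLS[c]["cost"] for c in controls)
    extra = max(len(controls) - 1, 0)
    return base * (1.0 + OVERHEAD_PER_EXTRA_CONTROL * extra)


def total_exposure(controls=()):
    """What the organization pays per year: residual loss plus control spend."""
    return annualized_loss(controls) + control_cost(controls)


def net_benefit(control, existing=()):
    """Loss removed by adding `control` minus the extra cost of adding it.
    Positive means the control pays for itself: the post's rule of never
    spending more on a control than you would lose without it."""
    before = total_exposure(existing)
    after = total_exposure(tuple(existing) + (control,))
    return before - after


def worth_it(control, existing=()):
    return net_benefit(control, existing) > 0


def best_control_set():
    """Exhaustively pick the subset of controls with the lowest total exposure."""
    best_set, best_cost = (), total_exposure(())
    for k in range(1, len(CONTROLS) + 1):
        for combo in combinations(CONTROLS, k):
            cost = total_exposure(combo)
            if cost < best_cost:
                best_set, best_cost = combo, cost
    return best_set, best_cost


if __name__ == "__main__":
    print(f"No controls: exposure {total_exposure():,.0f} per year")
    for c in CONTROLS:
        print(f"{c:16s} net benefit on its own: {net_benefit(c):>10,.0f}")
    chosen, cost = best_control_set()
    print(f"Best set: {chosen} at {cost:,.0f} per year")
    # A control that pays for itself alone can fail the test once the best
    # set is in place, because of the cumulative overhead.
    print(f"Adding awareness on top: {net_benefit('awareness', chosen):,.0f}")
```

In this constructed data, awareness training pays for itself when it is the only control, yet adding it on top of the best set produces a negative net benefit, because the overhead of the combined set outweighs its remaining marginal loss reduction; that is the cumulative cost effect in numbers. The same arithmetic also shows why FUD backfires: the rule is only as good as the loss estimates fed into it, and inflated loss figures make every control look justified until the executive notices the losses never materialize.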

Chart: Fear, Uncertainty and Doubt (FUD)

Jeff Reich, Layered Tech Chief Risk Officer