Our industry has been discussing the need for updates to critical public electronic communications laws and policies; reductions in corporate liability for intelligence sharing; national data breach legislation to replace the morass of US state laws; and increases in funding for cybersecurity education, research and standards for many years.
There are two milestones that make a transition from conversation and confusion to clear and decisive action so important now. The first is that we have reached critical mass in both corporate and consumer understanding of the importance of cybersecurity. While mega breaches are not new, the inconvenience of replacing a credit card has largely been the extent of the impact for most Americans in the past, and attention quickly waned. This year, consumers and corporate citizens at all levels experienced multiple breaches that created a saga of compounding and widespread impact, from credit cards, to corporate espionage, to threats of physical terrorism, and that sustained attention for months.
The second, more troubling factor is escalation. While some of the nation-state saber-rattling may be just that, the ease with which cybercriminals compromised a significant footprint of the retail and digital advertising sector, and the aggressive and calculated manner in which they compromised and then meted out damage on Sony and other very mature organizations, is a major milestone and an unsettling indicator of things to come.
It is critical that we begin to disrupt cyber adversaries and their economic and political incentives. This disruption requires a concerted effort, and the government can either play a modern and effective leadership role or be a passive bystander commenting on the state of affairs. In the State of the Union speech, President Barack Obama will provide a clear indicator of which direction the US government is heading on this issue.
ISACA is seeking to address cybersecurity challenges, including the global skills gap and need for guidance, in 2015 and beyond. With the critical skills gap in cybersecurity and the need for greater industry engagement and peer conversations around security governance, cyber career progression, standards, training curricula and professional certification, ISACA's Cybersecurity Nexus (CSX) plays a pivotal role in bringing practitioners together worldwide and creating a launchpad for cybersecurity experts and solutions of the future.
Eddie Schwartz, CISA, CISM, president of WhiteOps and chair of ISACA’s Cybersecurity Task Force
2014 has been called the year of the breach, with organizations from Home Depot to Sony experiencing attacks.
Information technology failures are serious—to the point that companies can lose customers and market share.
Now the question is: what measures should be taken to counter severe threats? After years of working with diverse people at multinational financial institutions, I have concluded that only effective and efficient IT governance can fulfill stakeholder expectations. Why do we need governance?
Stakeholders expect:
The business is secure and creates value.
The organization is responsive to changing business paradigms.
What do we get from governing?
The board and executives gain a better understanding of IT and a clear picture of its performance, which matters because every opportunity and mishap ultimately traces back to a decision. This enables them to make effective investment decisions and assures that IT objectives are met. Effective governance leads management toward better execution of strategies to achieve the desired behavior. Transparency in governance builds stakeholder confidence in responsibility and accountability, gives the enterprise a competitive edge, and helps improve customer satisfaction.
Enterprise IT governance provides balanced operations, which means IT can respond to the business needs and at the same time maintain and improve the stability and quality of services in a cost-effective manner. Outsourced services can be directed and controlled clearly as this approach enables effective, efficient and adaptable relationships.
Effective governance (improved return on investment and value on investment) helps to minimize failures, optimize productivity, enhance efficiency and ensure compliance with rules and regulations by eliminating redundancy, overlap and lack of clarity.
How do we implement enterprise governance of IT?
Companies with mature IT strategic plans that enable the business tend to be the most successful, having an established and fully integrated operating environment. With these practices they secure their information assets in terms of confidentiality (disclosed to authorized individuals only), integrity (confidence that data and assets have not been altered) and availability (accessible when required).
So, taking all these benefits into account, how do we get started in generating, transforming and sustaining IT governance? First and foremost, we cannot adopt IT governance using a one-size-fits-all approach. Each organization is distinctive, with unique needs and priorities, so it should adapt or form its own governance model based on the nature of its business. Organizations that have no IT governance at all should start slowly (perhaps with an advisory body or an external consultant handling strategic planning, standards and project prioritization) and add functions to the governing body as the organization matures. Organizations already practicing some form of IT governance may wish to widen that body's remit into decision-making and performance management.
Best practices for information systems governance should be evaluated against industry-accepted standards, covering processes such as information workflow, application and infrastructure development and maintenance, and support services (both in-house operations and external providers). These should be measured and then benchmarked against industry leaders and peer organizations of similar size and IT infrastructure. After benchmarking, performance improvement activities can begin, using industry standards and frameworks such as ITIL. I personally prefer and recommend ISACA's COBIT 5 as a framework for effective governance and management of enterprise IT.
COBIT 5 integrates industry best practices into a single framework, which can be applied at the highest as well as the lowest level of the organization to align those practices with business requirements. It provides a framework for overall control based on a model of IT processes that should generically suit most organizations, regardless of industry and whether public or private.
Security breaches and the proactive or reactive defenses against them? Strategic alignment? Value delivery? Risk and resource management? Performance measurement? The answer to all of these questions is to have effective and efficient enterprise governance of IT in place.
Organizations with highly effective IT governance prioritize and communicate its structure and essential changes across the organization. Bringing IT and business leaders together at the upper management level is vital for ensuring that IT stays closely tied to business performance. Effective IT governance is a journey, but success can be realized by those who understand the path and the IT governance practices that keep them on course.
Ali Nouman, CISA
Information Security at The Bank of Punjab, Pakistan
Large-scale network architectures, including private cloud and service provider networks, rely on a complex mix of routing protocols, virtualization, SDN, and orchestration and programmability requirements to function properly. Palo Alto Networks virtual firewalls fit into many of these large-scale architectures, supporting multiple hypervisors, private and public cloud vendors, multiple routing protocols, and orchestration integration via our open APIs.
In this interview by Ivan Pepelnjak, we talk about some of these networking priorities and how Palo Alto Networks virtual firewalls can be deployed into these architectures without adding unnecessary complexity. Networking teams are focused largely on scale, routing support and orchestration, and Ivan's interviews have a wide reach into this community and what these teams care about.
Listen to the interview for a broad overview of how Palo Alto Networks integrates into these large-scale network environments.
Many retailers, large and small, brick-and-mortar and online, had their brands tarnished by cyberattacks in 2014. While news stories focused on point-of-sale (POS) breaches, the initial intrusion often took place in the back office or through a business partner. Bottom line: to protect their reputation and the trust of their customers, retailers must reevaluate the level of security currently in place not only in their POS environments but throughout their value chain, across their business partners and at every customer touch point.
As a crucial starting point, all applications and servers in the datacenter that exchange traffic with POS systems should be segmented into one or more dedicated network zones so that their traffic can be scrutinized more closely. A Palo Alto Networks next-generation firewall can manage, control and inspect all traffic entering and leaving the POS datacenter zone(s), applying security policies that eliminate unnecessary applications, enforce least-privileged access by users (including contractors), and inspect all traffic for malicious payloads to identify and block known and unknown malware.
This segmentation step is critical to containing attacks that penetrate the enterprise network through a weak point and then move laterally toward zones that communicate with POS terminals and handle sensitive information such as customer data or credit card numbers.
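To make the segmentation and least-privilege points concrete, the following added example (written for this page, not Palo Alto Networks code or PAN-OS configuration) models generic zone-firewall semantics: an ordered rulebase evaluated first-match-wins with an implicit deny, where rules match on source and destination zone, user or group, the application identified from traffic content, and the port that application is expected on. The zone names (store-pos, back-office, partner-extranet, corp-it, dc-pos-apps, dc-pos-db), user groups, applications and sample flows are all constructed for illustration. It evaluates a legitimate checkout flow alongside several attempts that should fail, including lateral movement from a compromised back-office host and a partner network probing the POS database, and produces an inventory of every path the policy admits into the POS zones for review.

```python
"""Zone-based segmentation check for a POS datacenter zone.

Added example, not Palo Alto Networks code or PAN-OS configuration. It models
generic zone-firewall semantics: an ordered rulebase, first match wins, and an
implicit deny for anything unmatched. Zone names, users, applications and
sample flows below are constructed for illustration.
"""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    user: str       # authenticated user or group; "" when the user is unknown
    app: str        # application identified from traffic content, not guessed from the port
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    from_zones: frozenset
    to_zones: frozenset
    users: frozenset
    apps: frozenset
    ports: frozenset    # ports on which the application is expected (application-default)
    action: str         # "allow" or "deny"

    @staticmethod
    def _permits(value, allowed):
        return ANY in allowed or value in allowed

    def matches(self, f: Flow) -> bool:
        return (self._permits(f.src_zone, self.from_zones)
                and self._permits(f.dst_zone, self.to_zones)
                and self._permits(f.user, self.users)
                and self._permits(f.app, self.apps)
                and self._permits(f.dst_port, self.ports))


def rule(name, frm, to, users, apps, ports, action="allow"):
    return Rule(name, frozenset(frm), frozenset(to), frozenset(users),
                frozenset(apps), frozenset(ports), action)


POS_ZONES = frozenset({"dc-pos-apps", "dc-pos-db"})

# Constructed rulebase: only named applications, on their expected ports, from
# named zones (and, for admin access, named groups) may enter the POS zones.
RULEBASE = [
    rule("store-to-payment-api", {"store-pos"}, {"dc-pos-apps"}, {ANY}, {"payment-api"}, {443}),
    rule("pos-apps-to-db", {"dc-pos-apps"}, {"dc-pos-db"}, {ANY}, {"mssql"}, {1433}),
    rule("pos-admins-ssh", {"corp-it"}, POS_ZONES, {"pos-admins"}, {"ssh"}, {22}),
    rule("vendor-support-rdp", {"corp-it"}, {"dc-pos-apps"}, {"vendor-contractors"}, {"rdp"}, {3389}),
    # Explicit deny so partner traffic aimed at POS zones is logged under its own rule.
    rule("block-partner-to-pos", {"partner-extranet"}, POS_ZONES, {ANY}, {ANY}, {ANY}, "deny"),
]


def evaluate(flow: Flow, rulebase=RULEBASE):
    """Return (action, rule_name) for a flow; unmatched flows hit the implicit deny."""
    for r in rulebase:
        if r.matches(flow):
            return r.action, r.name
    return "deny", "implicit-deny"


def allowed_entries_into(target_zones, rulebase=RULEBASE):
    """Inventory of (source zone, user, app) that allow rules admit into target zones.

    Useful for review: every entry is a potential lateral-movement path to justify.
    Rules shadowed by an earlier deny are not filtered out, so treat the result
    as an upper bound on what the policy permits.
    """
    entries = set()
    for r in rulebase:
        if r.action != "allow":
            continue
        if ANY not in r.to_zones and not (r.to_zones & target_zones):
            continue
        for src in r.from_zones:
            for user in r.users:
                for app in r.apps:
                    entries.add((src, user, app))
    return sorted(entries)


# Constructed flows: one legitimate checkout and several attempts that should fail.
SAMPLE_FLOWS = {
    "terminal-checkout": Flow("store-pos", "dc-pos-apps", "", "payment-api", 443),
    "back-office-smb-lateral": Flow("back-office", "dc-pos-apps", "svc-hvac", "smb", 445),
    "partner-db-probe": Flow("partner-extranet", "dc-pos-db", "", "mssql", 1433),
    "contractor-ssh": Flow("corp-it", "dc-pos-apps", "vendor-contractors", "ssh", 22),
    "admin-ssh-on-443": Flow("corp-it", "dc-pos-apps", "pos-admins", "ssh", 443),
    "admin-ssh": Flow("corp-it", "dc-pos-db", "pos-admins", "ssh", 22),
}


def evaluate_samples():
    return {name: evaluate(f) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, (action, by) in evaluate_samples().items():
        print(f"{name:24s} {action:5s} ({by})")
    print("allowed into POS zones:", allowed_entries_into(POS_ZONES))
```

Two details carry the security value. The contractor's SSH attempt is denied even though SSH from corp-it is permitted for administrators, because the rule is scoped to a user group rather than a zone alone; and SSH tunnelled over port 443 is denied because matching is on the identified application together with its expected port, so a flow cannot slip past a rule by borrowing another application's port. The back-office lateral attempt never matches any rule and falls to the implicit deny, which is the behaviour segmentation is meant to guarantee.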
We also recommend additional security at the edge of the network and on endpoints. Palo Alto Networks offers two products that are natively part of our Enterprise Security Platform and strengthen security at the POS:
Our advanced endpoint protection product, Traps, can be deployed on POS endpoints to prevent malware infection. Taking an approach that differs from traditional antivirus products, Traps detects and blocks malware before it installs on the endpoint. Traps can be updated with the latest threat intelligence available through WildFire, our threat detection service.
Our remote access solution, GlobalProtect, can be deployed on mobile devices and remote computers so that the security team can enforce enterprise policies at the POS and keep policies and security consistent from the core to the edge of the network. GlobalProtect can also be used to enforce a secure VPN connection from the device on which it is installed to your core infrastructure.
Finally, to complete the security of the POS environment and the communication between individual stores and the retailer’s datacenter, we support the following options depending on the chosen architecture for distributed stores:
For stores linked back to a central datacenter via MPLS, our Enterprise Security Platform should be deployed at the core to manage and secure all traffic going back and forth to stores. For this traditional and most common case, the security is centralized on one of our high-end next-generation firewalls.
For retailers that want to offer richer customer experiences directly at the POS with WiFi access and other advanced services or need to allow store employees to connect directly to the internet, they can deploy one of our smaller appliances like the PA-200, at the store level and benefit from more advanced security features.
Retailers often maintain a hybrid approach to support a broad range of small to large stores cost effectively. They can easily combine any of the above scenarios to support a mixed environment with minimal or no integration work, because all of the offered alternatives:
Are based on the same underlying technology
Can be centrally managed with our administration console Panorama
Can easily exchange traffic logs
Use consistent security policies regardless of the appliance deployed
Seamlessly share threat intelligence
This deployment flexibility with minimal integration overhead is one key advantage of relying on the Palo Alto Networks Enterprise Security Platform.
Watch for upcoming blogs and webinars to learn how Palo Alto Networks can best secure retail operations and the highly targeted payment process.