Support Design Should Begin at the Start

Everyone can think of a moment when they have experienced a problem with goods or services. Everyone can also think of a moment after the problem that…wait for it (drumroll)…there was poor customer support or no support at all.

So where does the disconnect between an enterprise’s strategic objectives and its failure in the eyes of the customer begin? Could this failure have been avoided from the start?

Here’s how it happens: Oftentimes an enterprise reviews its strategic plan, a process that often generates new ideas and a renewed focus on how to achieve its objectives. A critical factor in achieving these objectives is IT. As part of this effort, business cases are created and reviewed with due diligence and care, focusing on risk analysis, costing and other key planning issues. Approvals are given at various levels, and once the green light is given, the product/service/upgrade is developed, with implementation to follow.

Imagine that all of the above stages are completed and the enterprise has just successfully launched a new service to customers through its digital channel. The product is marketed well and it is disruptive, so this results in huge demand from customers. At this point it may seem that all is well and good; however, as with all things, problems are going to occur and customers (internal/external) will be affected.

This is where the true test begins and where many enterprises fail because proper support systems were not put in place at the start. There are several reasons why this can occur, including a lack of foresight at the beginning, a focus on being first to market over competition, improper resource analysis, a lack of training, a poorly developed service level agreement (SLA) or no SLA review.

Just as security and risk are key considerations, proper support mechanisms should be considered when implementing your enterprise IT governance structure, since support is a form of risk mitigation in itself. You can implement the most state-of-the-art IT infrastructure that strategically aligns with your enterprise’s objectives and delivers super-fast service; however, if there is no support in place for the 100 percent certainty that something will go wrong, then all of it becomes useless. Design your framework so that failures are expected and handled, not left to chance.

Ammett Williams CCIE, CGEIT, Telecommunication Team Leader – First Citizens, TT

[ISACA Now Blog]

3 Fundamentals for Secure Cloud Adoption

Organizations must concentrate on a prevention-focused security architecture for cloud deployment — designed to stop threats across all potential attack vectors.

The key questions to consider when adopting cloud services include:

1. Who’s really responsible for our data?
You. In public cloud environments, as the data owner, you’re responsible for your data — not the cloud service provider (CSP). And although the CSP will secure the underlying infrastructure, the safety of your applications and data is your responsibility. So you need a consistent security posture.

2. Who has access to our applications and data?
A role-based access policy can help mitigate the risk of data loss. Although the CSP will have authorisation messages in place, it’s important you decide who should have access and whether additional assurance is required.

3. What happens if there’s a security breach?
What kind of support will the CSP give if there’s a breach? It’s important to know this before launching a cloud strategy.

Understanding the risks and the challenges is a vital first step as your organization moves to make the most of the cloud. Get your copy of our new whitepaper with BT Security, “Securely Enabling Cloud Adoption”, and start your next conversation.

[Palo Alto Networks Research Center]

2017 Cybersecurity Predictions: Financial Sector Attackers Exploit Cracks in Blockchain Technology

This post is part of an ongoing blog series examining “Sure Things” (predictions that are almost guaranteed to happen) and “Long Shots” (predictions that are less likely to happen) in cybersecurity in 2017.

This year saw some notable cybersecurity events in the financial services industry, including thefts from a number of SWIFT (Society for Worldwide Interbank Financial Telecommunication) member banks and from malware-infected ATMs in Asia. As we look ahead to 2017, I predict that we’ll see the following cybersecurity trends in the financial services industry.

Sure Things

  • Growing Adoption of Public Cloud – The financial services industry is the final frontier for public cloud computing. After years of saying it will never happen due to information security concerns, the industry has slowly warmed up to the use of the public cloud. Both Amazon Web Services (AWS) and Microsoft Azure already publicize a number of financial institutions as customers. Many organizations have been testing, evaluating, and conducting proofs-of-concept in 2016 with a critical eye on appropriate cybersecurity practices. A significant number of these institutions will finally adopt the public cloud for computing workloads in 2017. Initially, these may include applications that handle less sensitive data. Although there are still pockets of resistance out there in the financial services industry, they are definitely getting smaller. The appeal of agility, scalability, and cost-benefits offered by public cloud computing is irresistible, especially when security can be architected into the solution instead of bolted on.
  • Common Use of Multi-Factor Authentication (MFA) – As we saw with the recent fraudulent transactions at several SWIFT member banks, legitimate login and password credentials were somehow stolen and used to initiate fund transfers. This basic authentication technique is prone to compromise and allows account takeover (ATO) attacks. Financial institutions will finally take note and adopt more robust MFA techniques – at least internally for critical applications and sensitive data, and certainly for privileged accounts such as root or administrator. Although not all MFA techniques are created equal, any form will create another hurdle that the cyber adversary cannot easily clear. MFA techniques are based on presenting evidence – at least two of the following:
    • Something you know (e.g., login/password, PIN)
    • Something you possess (e.g., one-time password token, mobile phone)
    • Something you are (e.g., fingerprint, retina scan)

Long Shots

  • Broad Implementation of Zero Trust Networks – Forrester Research first introduced the Zero Trust (ZT) model in 2009, but as of the end of 2016, implementations are still not widely seen. Conceptually, the information security value of restricting traffic to only known, legitimate flows between various portions of the network is difficult to refute. Any malicious activity will then be constrained by the nearest segmentation gateway. However, the challenges with the ZT model include: difficulty in completely identifying the legitimate traffic patterns (both initially and in perpetuity); necessary cooperation across multiple disciplines (e.g., IT, security, business); and the potential for business disruptions, especially in brownfield environments. In spite of this, financial institutions will warm up to the idea of ZT for their networks and take some big strides in 2017. This will start off with pockets of network segmentation that limit traffic to/from more sensitive portions of each environment. These efforts will limit the exposure and restrict lateral movement after a compromise. In the end, it will be a question of how far down the ZT path a financial institution will go within its own network.
  • Blockchain Opens Another Attack Vector – There continues to be significant buzz regarding blockchain technology within the financial sector. Blockchain is certainly bigger than Bitcoin and is a distributed ledger technology that is being considered for payment processing, trade settlement, virtual wallets, etc. In addition to start-ups, traditional financial institutions are actively working to understand this technology and the potential impact on their organizations. Some of the benefits include greater expediency as well as reduced costs for cross-border payments, securities trading, and settlement as a result of cutting out the intermediaries. Other benefits include greater transparency and audit trails for compliance officers, auditors and regulators. Even with the best of intentions in mind, early financial industry adopters of this technology will create another attack vector, despite the inherent mechanisms for cryptography and immutability. Vulnerabilities in nascent implementations of blockchain technology will be discovered by malicious actors who will exploit them in an effort to compromise the security and confidentiality of financial transactions in 2017. This provides a segue to the next prediction.
  • Better Results from Coopetition – FinTech start-ups continue to challenge financial institutions for a share of their customers’ wallets. FinTech brings lower costs and innovative approaches to a segment of the banking and investing population. However, they often lack brand recognition, access to a large customer base, and experience with regulatory matters. On the other hand, traditional financial institutions clearly have those qualities, but often lack the agility and capacity for innovation. Traditional financial institutions are trying to embrace cloud computing to remove some of the drag, and some have even launched their own (autonomous) FinTech units. Others have embarked on collaborative efforts with FinTech companies as a means to marry the core competencies of both sub-sectors. This approach may very well be the best path to innovative solutions in 2017, which are industrial-grade in terms of scalability, enterprise architecture, cybersecurity, etc. Ultimately, this will provide lower cost financial products or services and improved customer experiences, but with safety, soundness, and regulatory compliance fully baked in.

What are your cybersecurity predictions for the financial services industry? Share your thoughts in the comments and be sure to stay tuned for the next post in this series where we’ll share predictions for EMEA.

[Palo Alto Networks Research Center]
