Cyber security is a multinational problem

02 Feb 2016
'Security is a huge concern because the risk is huge. Outside of financial and healthcare information, intellectual property protection is probably the top cause for security concern'
 
In the last two years, more than 20,000 China-based websites have been consistently hacked with over 8 million servers hijacked. India is ranked amongst the top 5 countries affected by cybercrime. Experts feel that the security issues in the APAC region are high due to the reluctance of businesses to talk about such breaches.
 
Jean Turgeon, VP and Chief Technologist of Software Defined Architecture, Worldwide Sales at Avaya, in an interaction with ETTelecom's Muntazir Abbas, spoke on the role of governance, the implications of security breaches and their impact on organizations. Edited excerpts:
 
Some analysts say that without intergovernmental cooperation and political and economic willingness to stop cybercrime, businesses will continue to be at risk. What are your views?
JT: Security is all about governance. Think about your home. A simple door lock in itself is a relatively easy thing for a thief to get past. It's the holistic aspect of the alarm system. Internet security is much the same and since the Internet is a true multinational entity, security for it is a true multinational problem.
 
In the macro-economic climate, security, more than ever, is a key element for economic growth. How do you view it?
 
JT: Security is a huge concern because the risk is huge. Outside of financial and healthcare information, intellectual property protection is probably the top cause for security concern. We also need to realize that each organization is going to have a different classification of exactly what intellectual property is. As an example for oil and gas, it would be geological data whereas for an electronics firm it might be a patent in chip design. It is critical that information is secure but it also has to be usable. With the rise of remote workers, BYOD, shadow IT and the rest, this must be placing an increasingly higher risk on businesses' infrastructure and their customers' data.
 
What are the first defense mechanisms that businesses need to deploy?
 
JT: First, organizations need to identify exactly what information they are looking to protect. You would be surprised at how many organizations just do not have a handle on the location or even the types of data that they need to protect.
 
Next, they need to work towards creating strong segment boundaries and be certain that the users and systems generating or using the confidential information stay within those boundaries. Avaya has very good networking technology to help an organization achieve those goals. But we also need to incorporate some form of identity management to control access to these confidential data domains and hence the need of a very strong identity management system to provide controlled access as well as audit records of that access.
 
When businesses choose the disclosure option when experiencing an attack, what is the short term vis-a-vis long term impact?
 
JT: Absolutely. There is really no good rationale for hiding an intrusion event, particularly if you can demonstrate due diligence and solid forensics. You most certainly don't want to hide it and then have it come to light through other means. This can show blatant irresponsibility as an owner of the confidential data. If an organization reacts in a proactive and forward fashion the impact of the event from a business perspective can be drastically reduced. Of course, it's always better to be attacked and have systems in place that thwart the attacker or minimize the damage.
 
As an expert in the area, what according to you should be the checklist for businesses and IT managers to protect themselves and their customers?
 
JT: It's not just about the data center. Information that just sits in the data center does nothing. It brings no value. Information can only bring value to an organization if it is accessible and usable. So security has to be an end-to-end thing. But it does not have to be all or nothing. There are steps that you can take to minimize the investment and protect the information that really needs it.
 
First, get a handle on your data. What data should be treated as confidential? Where is it? What systems generate it or use it? Once you get a good accounting and inventory of all of the systems you need to establish which users need to have access. All of this together comprises what is termed as the 'data footprint'. The given information should always stay within these bounds and should never leave it without due reason, process and audit.
 
The next step is to create a network segment that encompasses these systems and all communication paths. Avaya's SDN Fx can greatly assist in not only the segmentation requirements but also by providing a cloak of invisibility to the service topology. From there, an identity access practice should be established that governs access control policies into the confidential data footprint.
 
Also be sure to include solid audit logs of the access into these confidential domains of interest. Avaya's Identity Engines portfolio can greatly ease the burden in both areas. Lastly, get proactive with security. Embed it into your daily business practice. Be sure to have clear policies established and just as importantly be sure everyone understands their role within those practices.
 
Hackers today have evolved into very serious organizations that are capable of delivering a lot of damage. As we begin to move critical infrastructure to networks as an evolution to the Internet of Things, in reality we are adding new rich and interesting targets that could prove to be very costly in not only dollars but possibly human lives if compromised. We need to start taking this seriously.

This article appeared in ETTelecom, February 02, 2016