Reduce scope to ease the pain of PCI compliance

Businesses that process credit card transactions are under increasing pressure to comply with global Payment Card Industry (PCI) security standards – and if our experience at PayGate is anything to go by, the journey is likely to be a painful one. Anybody considering it should prepare themselves for at least two years of intense effort.

Published in Security
Tuesday, 16 April 2013 12:30

To leverage the BYOD trend and protect the business, corporates need mobile device management software

The Bring Your Own Device (BYOD) phenomenon, which sees individuals bring their own mobile devices into the workplace, is part of a new business paradigm. It allows business to be conducted remotely, from anywhere, at any time. It drives productivity and competitiveness. But BYOD also poses a significant challenge to organisations, from the large corporate to the Small Medium Enterprise (SME). As we enter the era of mobile computing, a composite security solution that addresses device management, application management and threat protection has become vital.


More people own mobile devices and use them as personal productivity tools in their private and business lives. To refuse to allow employees to use these tools for work purposes would strategically disadvantage the business. However, if these devices are allowed to connect to the corporate network and access precious business data, the organisation is opening itself up to considerable security risks.


Besides basic protection from viruses or corruption of data, the organisation needs to be in a position to remove or ‘wipe’ corporate data from a device that is lost or stolen, and prevent access of company data by anyone no longer employed by the organisation. There are also privacy issues to consider. The owner of the device is unlikely to want the organisation to be able to access his or her private data or have any control over it. Finding a way to split access and control over personal and business data is thus important.


The answer lies in finding a solution that will assist the business to secure all mobile devices within the organisation, enforce organisational policy and maintain control of the IT environment. The solution should ideally address security of devices, applications and data across personal and corporate devices.


The right management software will ensure the company is positioned for mobility. It should:

  • Enable devices for use in corporate environment by providing access to key corporate assets, such as email, calendars, critical mobile applications, documents, and media content.
  • Secure devices and data on all devices, including activating appropriate password and access controls, and maintaining separation of corporate data and personal data.
  • Manage all devices in the enterprise from a single centralised solution. This includes visibility and control over all phases of device lifecycle with needed administrative and helpdesk options.

The range of tools available to control information and devices is quite large and implementing these tools is becoming a trend throughout business as corporates realise that they are at risk and that people will use their own devices whether they want them to or not.

Enable, secure, manage – the key features

There are some key features to look out for in the solution you select. In terms of enablement, enterprise enrolment will help prevent unauthorised shadow enrolments and provide a standard, automated provisioning process, while self-service activation will reduce IT handholding. A business email feature should include automatic configuration for native and third-party email clients that connect to various mail servers. An in-house enterprise application store will provide the ability to distribute internal or public applications. An enablement solution should also facilitate access to corporate network resources like Wi-Fi and VPN with support for all protocols and authentication methods. A mobile collaboration feature is also vital to make content available on the end user's device of choice.


When it comes to security, ensure the solution's policy management feature can drive corporate compliance by enabling advanced security settings on devices. All policy options, including passwords, remote wipe, and resource and application restrictions, should be available and should be able to target specific users, devices, operating systems or groups. Strong authentication, secure email access, data separation, and compliance and remediation features are also crucial.
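The paragraph above describes policies that target specific operating systems or groups and that drive compliance and remediation. The following Python example, added here and not part of the original article or of any particular MDM product, shows one way such targeting can be resolved: policies are merged from least to most specific, the device is checked against the merged settings, and a remediation action is chosen that leaves personal data untouched. All policy names, device records and setting values are constructed for the example.

```python
"""Constructed example: checking BYOD devices against targeted MDM-style policies.

A policy may apply to any device, to one OS, to one group, or to an OS/group
pair. For each setting the most specific matching policy wins.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    name: str
    os: Optional[str] = None                 # None means any OS
    group: Optional[str] = None              # None means any group
    min_passcode_len: Optional[int] = None
    min_os_version: Optional[tuple] = None   # e.g. (6, 1) for 6.1
    require_encryption: Optional[bool] = None
    allow_jailbroken: Optional[bool] = None

    def matches(self, device) -> bool:
        return (self.os is None or self.os == device.os) and \
               (self.group is None or self.group in device.groups)

    def specificity(self) -> int:
        # 0 = applies to everyone, 1 = OS or group, 2 = both
        return int(self.os is not None) + int(self.group is not None)


@dataclass
class Device:
    device_id: str
    os: str
    os_version: tuple
    groups: list
    passcode_len: int
    encrypted: bool
    jailbroken: bool


SETTINGS = ("min_passcode_len", "min_os_version", "require_encryption", "allow_jailbroken")


def effective_policy(device: Device, policies: list) -> dict:
    """Merge all matching policies; later (more specific) policies override earlier ones."""
    applicable = sorted((p for p in policies if p.matches(device)), key=Policy.specificity)
    merged = {}
    for policy in applicable:
        for setting in SETTINGS:
            value = getattr(policy, setting)
            if value is not None:
                merged[setting] = value
    return merged


def check_compliance(device: Device, policies: list) -> list:
    """Return a list of human-readable violations (empty list = compliant)."""
    eff = effective_policy(device, policies)
    violations = []
    if "min_passcode_len" in eff and device.passcode_len < eff["min_passcode_len"]:
        violations.append(f"passcode shorter than {eff['min_passcode_len']}")
    if "min_os_version" in eff and device.os_version < eff["min_os_version"]:
        violations.append("OS below minimum version " + ".".join(map(str, eff["min_os_version"])))
    if eff.get("require_encryption") and not device.encrypted:
        violations.append("storage not encrypted")
    if eff.get("allow_jailbroken") is False and device.jailbroken:
        violations.append("device is jailbroken/rooted")
    return violations


def remediation(violations: list) -> str:
    """Pick the least disruptive action that still protects corporate data."""
    if not violations:
        return "allow"
    if any("jailbroken" in v for v in violations):
        return "quarantine"              # cut off all corporate resources until re-enrolled
    return "block_corporate_email"       # personal data is left alone; only the work profile is blocked


# Constructed policies: a baseline for everyone, a stricter rule for iOS, and a stricter
# passcode rule for the finance group.
POLICIES = [
    Policy("baseline", min_passcode_len=6, require_encryption=True, allow_jailbroken=False),
    Policy("ios-minimum", os="iOS", min_os_version=(6, 1)),
    Policy("finance-passcode", group="finance", min_passcode_len=8),
]

# Constructed device records as an MDM agent might report them.
FINANCE_IPHONE = Device("dev-001", "iOS", (6, 1, 3), ["finance"], 6, True, False)
ROOTED_ANDROID = Device("dev-002", "Android", (4, 1), ["sales"], 6, True, True)
SALES_IPHONE = Device("dev-003", "iOS", (6, 1), ["sales"], 6, True, False)

if __name__ == "__main__":
    for dev in (FINANCE_IPHONE, ROOTED_ANDROID, SALES_IPHONE):
        found = check_compliance(dev, POLICIES)
        print(dev.device_id, remediation(found), found)
```

The merge order matters: a group-specific policy that raises the passcode length must override the baseline, but a baseline that forbids jailbroken devices still applies to every group because no more specific policy unsets it.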


Effective and efficient management of devices is going to be essential. The management features that will make the biggest difference are: centralised management for all mobile devices; integrated management of all the computing devices in the enterprise; management of all enterprise applications through the lifecycle phases with over-the-air (OTA) control; application curation to keep the enterprise mobile ecosystem safe with policy-driven blacklisting; dashboards and reports that provide exact details of enterprise mobile assets at all times as well as comprehensive user, device, app and profile details; and automation of administrative and operational tasks.


The message to corporates is: if you are using mobile devices in your organisation, you are at risk. Leverage the advantage the BYOD trend offers by investing in the software you need to better manage the devices and protect the organisation.

Published in Security
Monday, 08 April 2013 10:36

Security trends: guarding the physical and the virtual environment

Most businesses have physical premises to protect – warehouses, offices or stores that are vulnerable to crime – as well as virtual “assets” and information. Technology can play a crucial role in protecting both.

Published in Security
An end-to-end approach is critical to securing cloud computing

Cloud computing is predicted to be the future of the technology world, and analyst reports abound on the expected growth in uptake of these solutions. However, security issues remain one of the dominant barriers to the adoption of cloud solutions. Many organisations are hesitant to migrate to the cloud in light of the ever-increasing number of attacks on cloud-based solutions, as well as the risk of downtime caused by natural disasters and other issues in the regions where cloud data is stored. When making the transition to the cloud, it is critical to adopt an end-to-end approach that focuses on IT security, data protection and availability, enabling organisations to leverage the multiple benefits of the cloud while minimising the risks. Furthermore, it is crucial to factor in both the internal and external risks associated with cloud computing, which likewise requires a holistic approach.


This in turn requires that all potential threats be identified, and that structured protection mechanisms be put into place which go beyond technology and incorporate processes and people across multiple areas. There are 12 elements that should be considered to ensure the security of both data and applications when moving to a cloud platform.


  1. Identity management

Identity management, including roles and rights, end-point security and access control, is a cornerstone of any ICT security solution, but it is particularly important when it comes to the cloud. If employees can access business critical information, there is always a risk that it will be misused, and if outside persons can access this information the danger is even greater. Thus applying stringent identity management, security and access control on a need-to-know basis is a vital foundation component of an end-to-end cloud security solution.


  2. Secure communication into the cloud

With cloud services it is essential that data not be compromised when transferred between the user and the service provider. When data is sent over public networks such as the Internet, it must be encrypted to prevent access by unauthorised parties and to safeguard integrity and confidentiality. Secure remote access should be enabled using a Virtual Private Network (VPN). Security can also be enhanced using a Multiprotocol Label Switching (MPLS) VPN, which ensures that data streams sent by different users and services are strictly segregated. Before migrating to the cloud, organisations need to appraise their requirements and identify business critical applications, so that the necessary bandwidth, Quality of Service (QoS) and prioritisation are delivered to ensure seamless service.


  3. Transparent contracting within the cloud

Cloud applications can be distributed across multiple data centres, and the availability, confidentiality and integrity of data exchanged by cloud services and distributed applications within the cloud must be protected at all times. Data can also be moved from one data centre to another in order to create back-ups or improve resource utilisation. More complex cloud offerings often integrate third-party services, which makes visibility and transparency into the value chain critical. It is essential to clearly specify in contracts which services will be delivered by whom, and who is legally responsible in the event of any issues.


  4. IT systems in data centres

When deploying cloud solutions, additional security measures are required at the data centre. Cloud computing is based on multiple clients sharing the same hardware and software; it is therefore important to implement mechanisms that safeguard systems, applications and data. This requires virtual segregation of users to ensure that they cannot access another user's data or compromise the integrity of systems. Data should also be isolated in dedicated network storage areas, similar to hard drives, which are accessed by the users' servers via the network. These should be connected in such a way that customers can only access their own data, as though they had their own dedicated drive.


  5. Protecting IT systems on the service provider side

To ensure the right level of security, mechanisms that protect systems, platforms and applications must be implemented at the data centre. In addition, there needs to be a secure link between the IT components stored at the data centre and the connection to the outside world. To ensure effective protection of the network segments, service providers need to employ two different types of firewall. Firstly, they require firewalls that perform stateful inspections of communications, ports and applications. Secondly, they need deep-inspection firewalls that can scan data transfer protocols for “good” and “malicious” queries. Further key mechanisms include proxy servers and reverse proxies that filter and convert both incoming and outgoing data traffic, shield sensitive information, minimise vulnerabilities and help make ICT more secure.


  6. Data centre security

Buildings and hardware assets at the data centre require physical security as well as technology security, including physical access control and intrusion detection. Data centres must be constructed to enable the building to withstand natural hazards, such as storms and hailstones, potential physical sabotage and fire. The facility must be located away from regions that are susceptible to heavy storms, flooding and earthquakes, and must meet a host of other criteria to ensure smooth operations and customer data security. Data centre protection should also include alarms, fire detection, surveillance, vehicle monitoring and control, and extensive staff checks to prevent attacks from within.


  7. Security management and secure administration

The human factor not only plays a pivotal role in the security of cloud services for users. It is also an extremely important issue for the service providers themselves. For this reason, providers should operate a dedicated information security management system (ISMS) which defines processes and rules for the effective management of information security. Cloud providers must also draw up rules that ensure employees meet security requirements and specify which users can access which systems and data and who is responsible for which operational and security-related tasks.


  8. Service management and availability

Application downtime can be detrimental for business, particularly when mission critical systems are affected. As a result, organisations using the cloud must be involved in the definition of appropriate service levels. Service providers need to safeguard availability by creating redundant systems and backups that allow for system recovery following downtime.


  9. Contracts, process integration and migration

The scope and type of ICT services must be defined in a written agreement.

Requirements must be outlined and any necessary changes need to be implemented and monitored. Organisational structures and processes must be in place to enable a rapid response to security incidents or threats. Services must be clearly defined in a service level agreement (SLA), and mission critical applications need to be identified to ensure the correct levels of availability and security. Documents should also outline emergency procedures, including the sequence in which systems will be reactivated following failure or downtime.


  10. Security and vulnerability management

To avoid migration issues, any weaknesses or faults in infrastructure must be identified and addressed from the outset. This involves comprehensive testing and risk assessment. Security is a central issue across the entire lifecycle of an ICT system. This begins with documentation and correct management of configuration data; installation and configuration processes are also key concerns. The proactive management of vulnerabilities, together with other measures that offer visibility into security and prevent breaches before they occur, is equally critical.


  11. Security reporting and incident management

Visibility into the degree of security achieved is critical for mitigation of business and legal risks with regard to the impact on IT-supported business operations and potential compliance breaches. Security reporting provides this visibility, offering insights into the effectiveness of the protection mechanisms in place. Analysing this data enables measures to be modified, replaced or enhanced as required, leveraging the information available for proactive corporate risk management.


  12. Requirements management and compliance

Users must comply with legal, regulatory and industry-specific requirements, including in-house policies, contracts with customers, suppliers and partners, and other obligations. Users need to verify that their cloud service provider can meet these imperatives. Data protection legislation varies widely from country to country. Organisations also differ in terms of processes and potential threats, and the extent to which security incidents would negatively impact the business. A strong cloud service provider partner should offer a secure and assured route to the cloud, aligning it with the company’s specific business context and requirements.


In conclusion

In light of the ever-growing threats, IT security is becoming increasingly complex, costly and time consuming. These rising technical requirements and costs of ensuring effective security are set to make outsourcing and cloud computing ever-more popular alternatives to in-house operation. However, organisations need to select cloud service providers carefully, to ensure that services are delivered in a secure, compliant manner and that both internal and external risks are minimised.


For more information, click on the URL below to download the T-Systems Cloud Security white paper:


Published in Security
Friday, 12 October 2012 10:44

Zero outage computing in digital clouds

The cloud is everywhere. And it is the main topic of discussion at IT conferences and trade shows. Nevertheless, a number of business enterprises are still sceptical when it comes to security and availability requirements in cloud environments. Cloud providers are responding to these worries with the zero outage strategy.


The seriousness of the matter became evident during CeBIT in March 2012: Facebook suffered a major outage and was unavailable for hours. Millions of users worldwide could not access the social network due to technical problems. Today mobile applications for smartphones and tablets are also at risk.


Outages of this magnitude can be very costly. In 2010 the Aberdeen Group surveyed 125 enterprises worldwide and discovered that outages of just a few minutes per year can cost an average of USD 70,000. Surprisingly, only four percent of the businesses surveyed had guaranteed IT availability of 99.999 percent. This should be unsettling, especially since experts claim that one hour of downtime in production costs some USD 60,000, and for an online shop the figure is USD 100,000. Banks are at the top of the list. They can lose up to USD 2.5 million in one hour of downtime.


Zero outage is only possible in private clouds

To win the trust of cloud sceptics despite these kinds of worst case scenarios, external data centre operators are striving to implement consistent management of their IT systems based on a zero outage principle. This includes high availability of services which, according to a definition by the Harvard Research Group, means that systems should be running at an availability level of 99.999 percent – that translates into one outage lasting a maximum of five minutes per year. The only exceptions to the principle of "zero outage computing" are agreements made with customers that govern new releases, updates or migrations. But are such high levels of availability realistic, and if so, how can they be achieved and maintained?


Those attempting to provide the perfect cloud must be able to discover errors or failures before they arise – and take every technical step possible to prevent them from occurring. What's more, the cause of every possible failure must also be carefully analysed. It should be noted that more outages result from software issues than from problems in the cloud architecture itself. And there are a number of inherent differences – for example, users should not expect zero outages in the public cloud, which by nature sits on the public Internet and is susceptible to downtime. The trade-off is the many services offered at no charge in the public cloud. You can have almost limitless gigabytes of storage capacity without having to pay for it. However, you will have to do without support services.


Multiple security

But things are much different in the private cloud: using their own individually designed end-to-end network solutions, providers can guarantee high availability if their ICT architectures are based on fault resilience and transparency, with integrated failure prevention functions and constant monitoring of operations and network events. What's more, intelligent, self-healing software is also essential, enabling automatic rapid recovery in critical situations without any manual intervention, so that system users are able to continue working without noticing any kind of interruption.


One example of high fault resilience is RAID (Redundant Array of Independent Disks). RAID systems automatically mirror identical data in parallel on two or more separate storage media. If one disk fails, this has no impact on the availability of the entire environment, because the mirrored copies continue running without interruption. The user is completely unaware of any issues. In addition, RAID configurations have early warning systems, and most of the incidents that occur are automatically corrected without the need for support from a service engineer.


However, the so-called SPoF (single point of failure) is especially critical for the overall IT environment. These SPoFs include individual storage, computing or network elements, installed only once in the system, that can completely shut down operations if they fail. Since mirroring these components is relatively expensive and complex, some IT providers do not install mirrored configurations – and that is extremely risky. But with zero outage this risk must also be eliminated. Zero outage also means safeguarding the data centre against a catastrophic failure through the use of a UPS (Uninterruptible Power Supply).


If an application fails, however, there will be a processing gap, for example in the form of lost transactions, no matter how fast operations are shifted to an alternate system. The failed system must therefore be able to close this gap automatically, by replaying all of the processing steps that were skipped once the shift to the alternate system has taken place.


Data protection is just as important

The seriousness of the matter and the urgency of mitigating the risk of data loss or leakage is evident in the South African market from the requirements for full disaster recovery and fail-over capabilities in solutions. In many cases organisations look to cloud solution providers for an IT business continuity solution. The answer, however, is not to use cloud services for disaster recovery but to source cloud solutions that have disaster recovery capabilities engineered into them.


The same awareness of and requirement for data protection is seen in the regulatory developments that are applicable to sourcing IT services and specific cloud services. The Protection of Personal Information Act (POPI) and King III, relevant to the South African market, are becoming major considerations when sourcing IT services and looking for a provider who is compliant with the relevant acts or frameworks. In addition, existing related certifications such as ISO 27001 and Sarbanes-Oxley (SOX)/Statement on Auditing Standards 70 (SAS 70) compliance should be mandatory when considering a cloud service provider who views data protection as a critical part of their solution.


Quality needs dedicated employees

Cloud providers must make sure that their employees adhere to the same standards and processes at all locations and even across multiple time zones. Studies indicate that more than 50 percent of all outages are the result of human error. That is why training is being focused on quality management as a basic integral element of company culture. This approach requires a central training plan, globally standardised manuals and comprehensive information provided by top management.


Every employee must do everything possible to prevent a potential failure or incident from even happening. And that also means having an understanding of what causes outages. They should act in accordance with the old saying "fire prevention is better than fire fighting." If the worst case should ever occur, employees must not be afraid to admit their mistakes, so that they can avoid making them again in the future. It is also vital to have a centrally organised specialist team that is ready to go into action, finding solutions to problems that arise unexpectedly and implementing these solutions throughout the enterprise. When faced with a serious outage, the shift manager can quickly call the team together to begin the recovery process. Employees working at the affected customer site can follow the action being taken via a communications system.


Quality management is an ongoing process ensuring that required knowledge is always systematically updated and expanded. It will never really be possible to guarantee zero outages in cloud processes – not even the best in class can do this – but delivering system availability that goes beyond 99.999 percent can be achieved. Businesses can be sure of this by concluding service level agreements with their service providers.

Published in Mobile
Thursday, 02 August 2012 10:09

Securing the Mobile Enterprise

Mobile devices have infiltrated nearly every aspect of people's lives. The amount of personal and corporate data stored on these devices makes securing the information on the device a priority. A survey conducted in January 2012 by Dimensional Research explored the impact of mobile devices on information security in corporate environments, noting that 94 percent of companies have seen an increased number of personal mobile devices, such as smartphones or tablets, connecting to corporate networks. Increased employee productivity and mobility are the main benefits for organisations that allow these devices in the workplace, but those benefits come with their own set of risks.

The threats associated with mobile devices can come in many forms, including:

  • Mobile operating system – Every OS, including Android, iOS, BlackBerry and Windows, comes with its own set of security challenges. Threats can originate from mobile apps, the mobile browser, and insecure Bluetooth and Wi-Fi hotspot usage.
  • Employees – The lack of security awareness amongst employees is often the leading factor affecting the security of mobile data. Many employees simply aren't aware of the mobile security risks and corporate policies associated with mobile devices, such as those governing the storage of corporate data and customer information or access to business applications.
  • Personal mobile devices – The consumerisation of IT brings forth another layer of complexity as more employees want to use their personal mobile device for business purposes. While companies begin to accept the "BYOD" (Bring Your Own Device) trend, there are significant concerns about the privacy of sensitive data stored on the devices that IT must handle.

The first step businesses should consider when safeguarding against these security challenges is developing and enforcing best practices and corporate policies for the mobile enterprise. These should include a list of approved devices that can access corporate data, the types of data that can be stored on mobile devices and taken out of the corporate environment, which types of mobile apps can be downloaded onto devices, procedures for theft or loss of a device, a routine for applying operating system patches, a requirement for device passwords, and the capability to wipe a lost or stolen device.

Mobile device usage in the workplace is a trend that has staying power because it un-tethers employees from their offices, allowing them to work more efficiently while on the go. As with any emerging trend, organisations will need to be careful about striking the right balance between mobility that empowers employees and the new security concerns that arise from it.

Published in Security
UC projects fail when they don’t heed cultural impact on organisations

Unified communications (UC) is changing the way organisations operate, as their employees tend to be more available, productive and effective when invested with UC tools.

But a report published in July by analyst firm Canalys points out that many UC deployments fail or don't meet their goals because their cultural (people) impact and the related contexts of IT consumerisation, 'BYOD' (bring your own device) and workforce mobility are ignored.

At Tellumat, we agree that many UC failures can be avoided by approaching projects as a business transformation process in which the user experience is central.

Three key trends

Consumerisation is the increasing use by employees of technologies like smart phones, iPads, video and social networking tools in the enterprise.

As Canalys points out, organisations that fail to assimilate and take advantage of consumerisation (for instance, with a BYOD strategy) will find themselves increasingly at a disadvantage against competitors.

For example, organisations that aren't visible on social media will become remote from customers who want to communicate via an increasing number of channels. (Conversely, UC solution providers that do not recognise the touch points between the technology and consumerisation and BYOD will at the very least miss the opportunity to leverage existing consumer platforms.)

Vendors and partners must also advise customers on the impact of workforce mobility on the processes and information accessed by employees.

Workforce mobility is not a new concept, but due to the consumerisation of IT and BYOD, it is a rapidly accelerating trend, making it an IT priority.

The proliferation of mobile devices provides employees with greater access to tools like video collaboration. Increasingly, employees want to access business applications and social media while on the move. If mobility is not considered as an integral part of future UC strategies, then the investment will be wasted.

Expert guidance

To accommodate these trends in employees’ everyday workflow, organisations will need guidance from experienced UC partners. Issues that have to be thrashed out include:

  • The decision about which platforms to support (iOS, Android or BlackBerry),
  • The changing security ecosystem, and
  • Networking (the number of devices without Ethernet ports is on the increase).

But it goes deeper than processes and architecture, touching the very core of an organisation’s objectives. Technologies like UC, BYOD and mobility have impact far beyond the scope of just an IT department purchasing decision. They affect management, HR, marketing, sales, R&D and back-office integration, in countless new ways.

To prepare for the impact of the new technologies and accommodate them, organisations must ask themselves what they want the technologies to achieve, and within what parameters. The following considerations are common:

  • Organisations must work through changing access modes and trust accords very closely and apply corporate policies as well as IT security measures accordingly.
  • Education of employees is a crucial aspect of a holistic UC deployment: employees must understand their responsibilities and obligations in a world where they are able to freely move sensitive data from device to device and location to location.
  • Equally, the corporate culture of the organisation must embrace trust and openness in a mobile, UC-driven, BYOD environment, so that employees are able to take more rapid but well-informed decisions.
  • UC deployments that incorporate collaborative tools and social media work most effectively when the deployment is aligned with business goals such as improving customer satisfaction or streamlining decision-making processes.
  • Collaboration must enable individuals to identify other individuals in order to be able to freely form communities that can quickly come together to tackle specific company issues.

All these and more must be keen focus areas in the purchasing decision, to ensure that the organisation is prepared for the big changes that UC can bring, and that benefits will be realised.

Published in Mobile