Nov 15 2011

As I have been travelling and visiting various CIOs around the country, I have been struck by the impact of mobile devices, primarily because 10 years ago I would have been laughed at by the CIOES group for suggesting topics related to phones and smart computing devices. Right now I am seeing a thirst among CIOs to understand and navigate the vast confusion that mobility presents to an organization. The risks are too great to simply assign this to a tech to go research on their own. Mobility impacts corporate culture and is infiltrating from the top of the organization. A seemingly simple decision about allowing a tablet device like an iPad to access corporate resources triggers all sorts of questions.

I see fear as the underlying factor: the fear that corporate data will leak, the fear of buying products that do a little but not everything, the fear that the correct infrastructure platform needs to be chosen. Here are the choices that my CIOs are seeing: Android tablets and phones, ‘i’ products like the iPhone and iPad, Symbian phones, BlackBerry phones and the PlayBook tablet, Mac laptops, Intel-based laptops, and work-at-home PCs. Is the business giving you more people to chase down mobility security and manage non-Microsoft devices? What I have seen is that these waters can be navigated. Some of the following questions spawn the most vigorous and worthwhile debates that I have seen:

• What if you could stop caring about the endpoint and invest in DLP technologies to ensure your data, and more importantly only the correct data, makes it to the endpoint?
• Are my remote users untethered or on persistent connections? What impact does this have on your decision making?
• What if you knew exactly who was entering your network?
• A strategy for mobile workspace virtualization is needed. Untethered users are the bane of IT’s existence. How can you rein this in?
• What strategy for mobile device backup is needed?
• What strategy for firewalling outbound data is needed?
• How do you approach data at rest versus data in motion? Enabling Data Loss Prevention for data at rest is different from DLP for data in motion.
• Board packets can be accessed securely during meetings without needing to print out 5-inch-thick board presentation packets.
• How can you turn iPads and tablet devices from consumption devices into devices that support creativity? What about being able to access Microsoft applications and edit, share, and save documents on non-Microsoft operating systems?

Technologies that will be discussed in our upcoming educational session are:
SharePlus – to make SharePoint usable on tablets
Quickoffice Pro – to make Office documents usable on tablets
Code Green – DLP
Blue Coat ProxySG – DLP
MokaFive – workspace virtualization
VMware View – VDI
SonicWALL – email inspection and DLP engine
ZIX – email encryption and DLP
SonicWALL NSA – SSL inspection (decrypting outbound SSL so the DLP and IPS engines can see inside it)

REGULAR AND NEW CIO EXECUTIVE SERIES MEMBERS ARE INVITED TO JOIN US ON DECEMBER 21st FOR AN IMPORTANT AND INTERESTING ROUNDTABLE DISCUSSION AND LUNCH. CHECK OUR EVENT REGISTRATION PAGE FOR THIS AND OTHER GREAT EVENTS!

Jan 17 2011

As the old-fashioned firewall concept has morphed into a multi-faceted security perimeter, I have developed a series of questions that can help you arrive at the correct answers as you continue to refine and define what the security edge should look like for you. Use the reference architecture for this post that I have built, which you can find HERE.

From an ease-of-digestion perspective, I am going to release this in two parts, since there are 22 questions. As always, if you have questions, email me at billm@cioes.org or post a question to my blog below. Thanks, Bill

Reference Architecture Intelligent Perimeters: Edge Sites, Private WAN, Internet, Public WAN, Cloud Access Control.

Sample technologies covered are: firewalls, UTM firewalls, application proxies, IDP/IDS, DLP systems, spam filters, load balancers, content filters.

1. Are DMZs deployed for network segmentation when interfacing with Internet customers and partners?

2. What is your confidence level in the DMZ on a scale of 1-10? (10 is very confident)

3. Has a detailed cable trace been done to validate that the DMZ is physically segmented the way the diagram says it is?

4. Preferred firewall manufacturer?
• Do the firewall rules explicitly deny traffic to and from the DMZ, so that only specifically permitted flows pass and nothing relies on the vendor’s implicit default?
• Is the firmware/software version current with what the manufacturer supports?

5. Are services like e-commerce sites and other systems hosted in the DMZ?
Are there any concerns about the architecture?

6. On a scale of 1-10, how well does your DMZ match the security policy of the organization?

7. Where does standard VPN access terminate? Have the termination points been reviewed?
• DMZ
• Firewall
• LAN

8. Firewall: is it a UTM (Unified Threat Management) device providing IPS, gateway anti-virus and anti-spyware?
If not:
• What is the approach for IPS?
• What is being used for anti-virus?
• What is the approach used for anti-spyware?

9. Do you have redundancy on the following?
• ISP – inbound
• ISP – outbound
• Firewalls
• Load balancers
• Content filters
• VPNs
• SSL VPNs

10. Is there a dedicated device for web content filtering?
• For what? (check all that apply): web, email, DLP
• Is it Active Directory (AD) aware, so that policy can be applied per user and group rather than per IP address?

11. How are anti-spam and anti-phishing handled?
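Question 4 asks whether the rules explicitly deny traffic to and from the DMZ. The Python below is an example added here to make that check concrete; it is not from the original post or from any firewall vendor. It models a vendor-neutral, first-match-wins rule base with constructed zones (Internet, DMZ, LAN), constructed rule names and a constructed probe service, and audits it for three things: allow rules touching the DMZ that use a wildcard zone or service, DMZ-initiated flows toward the LAN (flagged for review, since a web tier talking to its database may be legitimate), and zone pairs where traffic that no allow rule names would fall through to the vendor’s implicit default instead of hitting an explicit, logged deny. The second rule base shows the corrected form.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"  # wildcard for a zone or a service


@dataclass(frozen=True)
class Rule:
    """One policy line in a vendor-neutral, first-match-wins rule base.
    Zones and service strings are a constructed model, not a real vendor syntax."""
    name: str
    src: str      # source zone, e.g. "Internet", "DMZ", "LAN", or ANY
    dst: str      # destination zone, or ANY
    service: str  # e.g. "tcp/443", or ANY
    action: str   # "allow" or "deny"

    def matches(self, src: str, dst: str, service: str) -> bool:
        return (self.src in (ANY, src)
                and self.dst in (ANY, dst)
                and self.service in (ANY, service))


def first_match(rules: List[Rule], src: str, dst: str, service: str) -> Optional[Rule]:
    """Return the rule that decides a flow, or None when no rule matches and the
    outcome would depend on the vendor's implicit default instead."""
    for rule in rules:
        if rule.matches(src, dst, service):
            return rule
    return None


def audit_dmz(rules: List[Rule], dmz: str = "DMZ", lan: str = "LAN") -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the DMZ checks behind question 4."""
    findings: List[Tuple[str, str]] = []
    zones = {r.src for r in rules} | {r.dst for r in rules}
    zones.discard(ANY)

    for r in rules:
        if r.action != "allow" or dmz not in (r.src, r.dst):
            continue
        # Check 1: an allow touching the DMZ must name its service and both zones.
        if r.service == ANY:
            findings.append(("high", f"{r.name}: permits any service {r.src}->{r.dst}"))
        if ANY in (r.src, r.dst):
            findings.append(("high", f"{r.name}: wildcard zone on a DMZ allow rule"))
        # Check 2: a DMZ host initiating toward the LAN is the classic pivot path;
        # it may be legitimate (web tier to database), so it is a review item.
        if r.src == dmz and r.dst == lan:
            findings.append(("review", f"{r.name}: DMZ may initiate {r.service} to LAN; "
                                       "confirm it is required"))

    # Check 3: for every zone pair involving the DMZ, a flow that no allow rule names
    # must hit an explicit deny rather than fall through to the implicit default.
    probe = "tcp/65000"  # constructed service that no allow rule in the samples names
    for other in sorted(zones - {dmz}):
        for src, dst in ((other, dmz), (dmz, other)):
            if first_match(rules, src, dst, probe) is None:
                findings.append(("high", f"{src}->{dst}: no explicit deny; unmatched "
                                         "traffic falls through to the implicit default"))
    return findings


# Constructed rule bases for the demonstration (not from any real device).
SAMPLE_RULES = [
    Rule("web-in",    "Internet", "DMZ",      "tcp/443",  "allow"),
    Rule("web-to-db", "DMZ",      "LAN",      "tcp/1433", "allow"),
    Rule("dmz-mgmt",  "LAN",      "DMZ",      ANY,        "allow"),  # too broad
    Rule("dmz-out",   "DMZ",      "Internet", "tcp/80",   "allow"),
    # No explicit deny: everything else relies on the vendor's implicit default.
]

HARDENED_RULES = [
    Rule("web-in",       "Internet", "DMZ",      "tcp/443",  "allow"),
    Rule("web-to-db",    "DMZ",      "LAN",      "tcp/1433", "allow"),
    Rule("dmz-mgmt",     "LAN",      "DMZ",      "tcp/22",   "allow"),
    Rule("dmz-out",      "DMZ",      "Internet", "tcp/80",   "allow"),
    Rule("deny-dmz-in",  ANY,        "DMZ",      ANY,        "deny"),  # explicit, logged
    Rule("deny-dmz-out", "DMZ",      ANY,        ANY,        "deny"),
]

if __name__ == "__main__":
    for label, rules in (("sample", SAMPLE_RULES), ("hardened", HARDENED_RULES)):
        print(f"== {label} ==")
        for severity, message in audit_dmz(rules):
            print(f"[{severity}] {message}")
```

Run it as a script to see both rule bases audited: the first produces four high findings and one review item, the hardened one only the review item. Exporting a real device’s policy into this Rule shape is left to the reader, since every vendor’s syntax differs; the value of the exercise is that the final explicit deny rules also give you a log line for everything the policy rejects, which the implicit default usually does not.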

Jan 06 2011

What happens to your employees, 1099 contractors, partners, work-at-home employees, travelling users and remote sites for which you don’t backhaul Internet traffic through corporate? What happens if these users leave the company and want to access applications that you have in the Cloud? How do you deprovision them from all the different Cloud touchpoints that exist? I realize you have a solution for some of them, but what about ALL of them? In this video, I review a few options that you have.

The CIO is in charge of SIP (Security, Identity and Privacy) strategy…right? Well, someone is. Someone is taking on the responsibility. CIOs may not get into the nitty-gritty technical minutiae or product selection, but my point is that Cloud Access Control and security is about architecture and design. And for the most part, the points that I am making are supported by most serious SSL VPN vendors, so we don’t need to go down the product path here.

Security Architecture and design matter first, no matter how close you may be to the board level meetings that we all aspire to.

A directory-based approach is critical, and I will make this point here and in future TV spots. And yes, I would agree that federation is the best approach overall, but I would prefer to discuss what is real and practical today for 100% of the CIOs, and this is why I want to review SSL VPNs and the power this gives you for access control into Cloud Services. I would like to emphasize that these are YOUR Cloud services, with capital letters. How can you manage the risk that the cloud represents with simple access control?

I want you to be in a position of control. We are giving up enough control via Social Media infiltration into the enterprise. We have our hands full, but let’s take one concern off the plate. When you push apps into the cloud, you need to know who has access to which services outside of your directory.