Late last year, market researcher IDC reported that by 2015 more U.S. Internet users will access the Internet through mobile devices than through PCs or other wireline devices. Judging by the eager embrace of smartphone and tablets since then, I’d guess their prediction may be conservative.
And unquestionably, this kind of mobility in business is a game-changer both in terms of how we do business and how we do information security.
Cloud computing gets immense attention these days as a profound agent of change affecting how IT serves the business. In particular, Cloud computing has begun the untethering of employees from their desks and their offices. Because the mobility of today’s, and tomorrow’s workforce cannot happen without the Cloud.
Yet worries about Cloud security abound, and for good reason: Cloud computing that involves processing sensitive or regulated data in shared environments needs extra scrutiny in terms of security (as well as codifying requirements, defining a cloud services contract, managing the transition from in-house to cloud, and overseeing the resulting mixed IT environment).
Where once IT departments were the sole source when it came to technology implementation, today technology is finding its way into corporate America through nearly every department.
Marketing folks may have been among the first to leave the IT department fold when they ditched cumbersome CRM systems for easy-to-use Salesforce.com, but they were just the tip of what has grown into a pretty big iceberg.
Virtually every day sees a new app available to help workers be more productive — and those workers aren’t hesitating to download those apps and get on with business.
Odds are your IT environment is somehow engaged in virtualization — either directly in your data center or indirectly via the service providers you’ve engaged.
But how much have you — or your IT people — thought about virtualization security? This matters more than you may think. One Gartner analyst has estimated that 60% of virtualized servers will be less secure than the physical servers they’ve replaced.
Two kinds of security threats have emerged of late that need special attention, even if you’re running a small enterprise: Targeted zero-day attacks and advanced persistent threats .
Targeted zero-day attacks
Microsoft’s recent Internet Explorer security flaw (see my last blog post) is a fine example of a zero-day attack. The attackers got their edge from speed, since reactive countermeasures that depend on threat signatures — such as patching and tools like antivirus software and intrusion prevention — couldn’t be updated fast enough to halt the flaw.
Last September 18th, Germany’s Federal Office for Information Security warned that nation’s population not to use Internet Explorer because of an IE security flaw “is already being used for targeted attacks” designed to lure users to an infected website which, when visited, allows hackers to take control of the user’s computer. Soon after, the Swedish government issued a similar warning.
Even worse, Microsoft was not immediately able to fix the problem. First came a temporary patch, said to be less that complete.
