IT Compliance Advisor


July 21, 2011  7:50 PM

What’s in a name? Why ’private‘ clouds may not be secure as you think

Fohlhorst Frank Ohlhorst Profile: Fohlhorst

Cloud is a word that has helped to misclassify IT operations. Throw the word private in front of cloud, and now you really have some confusion, especially when it comes to security. The problem is that the word cloud implies a nebulous entity that allows information to be shared freely, while private indicates the exact opposite.

Today, social networking and cloud technologies are all about sharing information — much to the chagrin of those responsible for keeping intellectual property safe and secure. For those seeking to share information freely using cloud technologies, private clouds become an ideology of choice. However, private clouds can be anything but private, especially if they’re using the Internet as a connection methodology between sites.

In effect, this means that private clouds will always have some form of connectivity to the outside world. Of course, a properly configured private cloud will incorporate several virtual and logical carriers that are designed to prevent unauthorized access to the content contained within (that’s the theory, at least).

Nevertheless, those managing and attempting to secure private clouds have to ask themselves a few questions, including: How can I be sure my cloud is protected from intrusion? Is my firewall, VPN or other security technology effective? How can I remediate any security problems?

The answers to those questions would dictate how to proceed with a security ideology that effectively protects data contained within private clouds. For many, the answer comes in the form of layered protection. By combining the benefits of a stateful packet inspection firewall, encrypted access, secure logins and extensive auditing, compliance managers should be able to achieve effective protection to secure private clouds. Yet, some will find that may not be enough.

Luckily for IT managers, the security market is evolving, bringing new technologies to the market that help prevent, remediate or detect security issues. Of course, the best approach is to avoid a breach altogether — a task that may be impossible but is nevertheless a worthwhile goal.

Companies such as Palo Alto Networks are re-engineering firewall technology to be more effective, and are offering new products that seem to be a more effective fit within the cloud community. Naturally, Cisco, Juniper, Check Point and many others are also hardening their security products to better protect IT assets, all of which will help make it easier to secure private clouds.

Nevertheless, cloud security still needs to be validated and maintained, and those tasks usually require auditing, forensics, continual testing and effective monitoring. These tasks usually fall to compliance officers and security administrators. Luckily, the tools in these arenas are evolving as well.

For example, networking forensics vendor NIKSUN launched a forensics platform that promises to give IT managers full insight into network activity. Ideally, administrators could use NIKSUN’s forensics utilities to diagnose breaches, gather evidence and plug holes.

Keeping private clouds private demands that IT managers take a different look at how security is enforced across a network and how interaction between networks is monitored. This requires effective monitoring and analysis that goes beyond validating firewall and user account settings. The key here is to catch anomalies as they occur, or taking a more proactive approach to protection.

Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with more than 25 years of experience in the technology arena. He has written for several leading technology and business publications, and was also executive technology editor at eWEEK and director at CRN Test Center.

July 18, 2011  5:01 PM

As Web access expands, experts say new malware threats cause concern

Ben Cole Ben Cole Profile: Ben Cole

It seems nobody is safe from malware attacks these days –even the White House is taking notice. Last week, a Department of Homeland Security official acknowledged the threat of pre-existing malware on imported electronic and computer devices sold within the U.S. With the availability of malware entry points expanding — including ubiquitous IT such as emails, social media, smartphones and tablet computers — the threat is not going anywhere anytime soon.

Eighty-seven percent of 2,277 surveyed smartphone owners used their device to access the Web or email at least once a day, according to a recent report issued by Pew Research Center. Of those smartphone owners, 25% said that they mostly go online using their phone, rather than with a computer. Also last week, Trusteer CEO Mickey Boodaei told eWeek Europe that as smartphones grow in popularity, hackers are increasingly researching Apple iOS and Android for vulnerabilities. One in 20 Android mobile phones and iPhones will be infected by financial malware and Trojans within the next 12 months, he added.

Budget constraints, unawareness of the severity of new malware threats and a reactive attitude to malware contribute to the problem, according to reps from M86 Security in their report on new malware threats.

Despite a high level of concern expressed about the security of mobile devices, 14% of 382 companies surveyed in M86’s report have no solutions in place to protect users from Web-based threats. Researchers found that 78% of the organizations surveyed had experienced at least one malware attack during the preceding 12 months.

In addition, 49% of survey respondents acknowledged that although security breaches occur, they accept this as part of the cost of doing business. This complacent attitude toward malware could result in additional costs, bad press and lost revenue opportunities for companies involved.

The M86 report recommended that organizations consider addressing malware prevention, detection and remediation in two ways:

  1. Train users on how to properly surf the Web, what they should do when they encounter a threat (such as a spam email that contains a link to a website), how they should be wary of emails whose source is not known, how to spot phishing attempts, etc.
  2. Address the long-term, strategic impacts, such as malware detection and remediation at every ingress point, including email, smartphones, Web browsers and the growing multitude of other platforms from which malware can enter the network.

This probably does not have to be pointed out, but as IT becomes more sophisticated, so do malware attacks. More people have access to the Web, often in the palm of their hand. This makes their personal information — and sometimes, that of their employers — increasingly vulnerable to hackers. New malware threats are coming, and IT departments need to be on the look out and proactive about protecting themselves.


July 7, 2011  6:48 PM

Adhering to PCI DSS 2.0 requirements affects costs, IT operations

Ben Cole Ben Cole Profile: Ben Cole

There’s one big problem for IT departments seeking guidance related to PCI DSS 2.0. The best advice, as Payment Software Co. principal Tom Arnold points out, is often “it depends.”

That makes it difficult for companies trying to get definitive answers on budgeting for IT expenditures connected to PCI DSS, Arnold said during a recent webcast exploring IT impacts under PCI DSS.

“Depending on the technology being used, depending on the environment and how the environment works and specifically how your business model works, there can be variances,” Arnold said.

PCI DSS 2.0 requirements affect IT costs due to an expansion of existing requirements (increased testing procedures) and a redefinition of past requirements (a greater emphasis on processes), Arnold said. There were new requirements as well, such as the introduction of metrics to evaluate vulnerabilities. Increased regulations surrounding network security, protecting stored data and developing secure systems and applications can impact capital expenditures as well, Arnold said.

The new and revised requirements have logistical effects as well. Arnold estimated that collecting evidence for a PCI DSS compliance assessment could now take twice as long as before. Also, reporting requirements on Qualified Security Assessor (QSA) mandates require a large amount of additional information. This could result in PCI DSS compliance budgeting to be two to three times higher than in previous years, Arnold added.

To deal with these changes (and the extra funds involved), Arnold advises companies to:

  • Engage a QSA to perform gap analysis based on PCI DSS 2.0 requirements.
  • Define architecture to close gaps between requirements and areas that are lacking.
  • Define solutions for both retail and remote sites.
  • Identify capital exposures surrounding PCI DSS 2.0.
  • Budget appropriately for exposures (and plan to implement them by Jan. 1).

Despite this sound advice, the “it depends” factor still looms. This subjectivity fueled significant criticism of PCI DSS and PCI DSS 2.0, with some critics saying that the rules were too dependent on the makeup of organizations trying to achieve PCI DSS compliance. It doesn’t help that companies already tightening their belts face the added expense of adapting to the new PCI DSS 2.0 requirements.

Still, following the PCI DSS rules could benefit a business’ bottom line. As recent data breaches have shown, not adequately protecting customer information can be quite a bit more costly than spending on compliance.


June 20, 2011  8:42 PM

How forensics technology ties to your regulatory compliance needs

Fohlhorst Frank Ohlhorst Profile: Fohlhorst

Most people associate the term forensics with security or law enforcement. However, the concept of forensics and forensics technology lends itself very well to compliance. Adhering to compliance regulations is about managing the access to data and ensuring that data is not corrupted, misdirected, intercepted or used in any fashion that falls outside of policy. This concept is relatively easy to grasp.

However, compliance becomes more complex once you are asked to prove its existence (or, more correctly, its adherence). For many, proof takes the path of forms, check boxes and simple audits (yep, we did that; OK, that’s been checked) and other relatively easy validations. Nevertheless, we all know that really isn’t enough — a stack of papers and lists of check boxes really prove little more than someone filled out some forms. That is where in-depth auditing comes into play. To prove compliance, you must be able to effectively audit events in the past, as well as in the present.

That is where forensics comes into play — not just as a process, but as a technology as well. For the typical business bound by compliance regulations, the amount of data and the number of transactions can be massive, and therein lies the real problem: How does one apply the process of forensics to a system without creating a technical and physical nightmare that can cost thousands of dollars and man-hours? The simple answer is to apply forensics technology to the process.

Take security and forensics hardware vendor Niksun, for example. The company has developed appliances that are designed to capture all activity on a network, allowing administrators to re-create events at will. What’s more, Niksun’s devices can operate at line speed and offer real-time analysis. This allows administrators to not only apply forensics, but also identify anomalies that may open windows into potential compliance violations. In other words, administrators can not only prove compliance, but they can also proactively protect it.

Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with more than 25 years of experience in the technology arena. He has written for several leading technology and business publications, and was also executive technology editor at eWEEK and director at CRN Test Center.


June 10, 2011  7:06 PM

As social media expands, beware of social networking risks

Ben Cole Ben Cole Profile: Ben Cole

Social media use by businesses and their employees is on the rise, and with good reason — social networking tools can easily help companies reach millions of new customers. New information, however, suggests that companies are also beginning to acknowledge social networking security risks.

Last week, Peak Advisor Alliance announced survey results that found respondents’ biggest challenge is differentiating and marketing to generate new business — but adhering to social media compliance was deemed “too risky” by over half of respondents.

This week, Regus released a survey showing a rise in U.S. companies using social networks to win new business. According to the survey, 43% of firms are successfully using social networking to win new customers, an 8% increase from the 2010 survey. Fifty percent of businesses in the U.S. use social media to connect with customers, and the survey found a 7% global increase in the proportion of businesses successfully recruiting new customers through social networks.

And the social networking security risks do not end with business-related social media. Last month, the Society of Corporate Compliance and Ethics and its affiliated Health Care Compliance Association released findings from a survey among compliance and ethics professionals. The survey found 42% of respondents reported that their organizations have had to discipline an employee for behavior on social networking sites, up from 24% that reported the same in 2009. At the same time, only about one-third of survey respondents report that their organizations have adopted policies specifically addressing the use of social media sites outside of work.

All this comes as the U.S. Department of Commerce released a report June 8 that proposes “voluntary codes of conduct” to strengthen the cybersecurity of “companies that increasingly rely on the Internet to do business.” The report notes that “cyberattacks on Internet commerce, vital business sectors and government agencies have grown exponentially,” and addressing these issues in a way that “protects the tremendous economic and social value of the Internet, without stifling innovation, requires a fresh look at Internet policy.”

The Internet’s vulnerability to online activity attacks, including social media use, is mentioned several times in the Commerce Department report.

With the attention social network security risks are getting, it is very possible more attention will be paid by legislators, and social media compliance rules for business could follow. In the coming weeks, SearchCompliance.com will be examining social networking security risks and social media compliance. Check back for information on what you need to wary of when using this lucrative – but risky – innovation.


June 3, 2011  9:00 PM

Business takes heed as Internet privacy laws and regulations go global

Ben Cole Ben Cole Profile: Ben Cole

High-profile data breaches earlier this year captured the attention of both corporations conducting online business and the legislators charged with overseeing key Internet privacy laws and regulations. Now, countries all over the globe are pushing to expand consumers’ Internet privacy rights.

Late last month during the G8 summit in France, French President Nicolas Sarkozy led the call for tougher Internet privacy rights and copyright laws. Sarkozy even organized the two-day-long “eG8,” held just prior to the G8 summit, designed specifically “for debate and collective reflection on a wide number of key themes involving the Internet.”

Both Facebook founder Mark Zuckerberg and Google Executive Chairman Eric Schmidt attended the G8 summit and spoke out against acting hastily when implementing Internet privacy laws and regulations. They warned that new rules could potentially hinder innovation if the ramifications of such rules were not carefully considered.

Also last month, the U.K.-based Information Commissioner’s Office announced that organizations and businesses that run websites aimed at U.K. consumers have up to 12 months to “get their house in order” before enforcement of the new E.U. “cookies” law begins. The new European Union requirements demand that U.K. businesses and organizations running websites in the U.K. get the consent of their sites’ visitors prior to storing cookies on their computers.

In April, India adopted new privacy rules as part of the country’s Information Technology Act. Under the mandates, organizations must notify individuals when their personal information is collected, make a privacy policy readily available and take steps to secure personal information. The Washington Post reported that companies that outsource to India or have offices could view the rules as too restrictive, and several companies (including Google) voiced displeasure regarding the Indian privacy mandates.

These examples, coupled with a slew of “Do Not Track” proposals being discussed in the U.S., indicate that businesses across the globe will eventually be forced to adhere to many more Internet privacy laws and regulations than in the past. And this process will not be without its headaches.

As more countries explore the depth and scope of Internet privacy rights, several questions will have to be answered. If one country adopts a set of Internet privacy rights, how does this affect foreign businesses that conduct business there? Is there any way to establish global Internet privacy mandates? How can Internet privacy be balanced with online commerce? In addition to the concerns voiced by Schmidt and Zuckerberg, there have been questions raised by businesses and marketers about how compliance with Internet privacy laws and regulations will affect the bottom line.

There’s no question that something must be done to protect online consumers from Internet piracy. There just has to be the right balance between the Internet privacy rights and business continuity — which is most definitely easier said than done.


May 25, 2011  6:22 PM

Plug compliance requirement holes caused by remote control services

Fohlhorst Frank Ohlhorst Profile: Fohlhorst

How compliant are you? That is one of the first questions a newly minted compliance manager should ask themselves about their businesses and associated procedures. Nevertheless, many assume that a simple audit or inventory may be enough of an indicator that compliance requirements are fully enforced. However, there are many twists and turns in the world of compliance, some that go unnoticed and leave gaping holes in security.

Take, for example, remote control applications. They are used primarily for tech support to take control of a PC to troubleshoot a problem, and have become common in many organizations. It is pretty straightforward to secure a tech support-initiated remote control session, because many safeguards are built in and everything usually takes place inside the corporate firewall to keep data secure.

Yet there are times when remote control services/software can become a compliance manager’s biggest enemy — especially those trying to adhere to compliance requirements that specifically target a remote access system. The problem stems from the PCI DSS regulation, which contains specific requirements on how access to personally identifiable information links to payment accounts. One of the key requirements is that data isn’t compromised from an unsecured remote access system.

Unsecured is a broad term, but compliance officers can rest assured that an unsecured connection includes any end-user installed remote access service or application, such as GoToMyPC or LogMeIn. End users install those services for a number of reasons, ranging from collaboration to working from home to getting support from an outside source. Nevertheless, if the target PC deals with information that falls under compliance requirements, odds are those regulations are being broken.

So, what does all of this mean to the compliance officer? Simply put, better control over what end users can do with their PCs and comprehensive software inventories are a must-have. What’s more, advanced technology that blocks remote control services at the firewall is something that must be considered.

Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with more than 25 years of experience in the technology arena. He has written for several leading technology and business publications, and was also executive technology editor at eWEEK and director at CRN Test Center.


May 16, 2011  6:19 PM

Use virtualization technologies to remove the hassle of e-discovery

Fohlhorst Frank Ohlhorst Profile: Fohlhorst

Compliance affects numerous technologies in the enterprise. Many compliance officers already know this and strive to make sure that data is properly protected, secured, audited and archived. Nonetheless, some are finding out that data security and storage are just not enough.

The primary tenants of compliance involve data security and storage, yet many overlook why that data is actually preserved. The reason is relatively simple — e-discovery — but the process is far from it, especially if an e-discovery probe involves any significant amount of time.

Take, for example, a situation where three years worth of financial transactions and related information needs to be recovered for an audit initiated by an e-discovery request. On the surface, the request may seem simple: Just run some reports from your applications and you are good to go, right? That sounds like a practical process that entails reasonable efforts surrounding data security and storage. However, let’s throw a monkey wrench into the works: In the past three years, IT switched mail servers, implemented new applications and performed OS upgrades — meaning you can’t just simply spit out a report.

Now, that may seem like an impossible situation, and for some it may very well be as it costs thousands of dollars to recreate the systems needed to retrieve that data. However, with a little bit of technology and a lot of planning, the process can be bought back under control. Let’s take a look at how to accomplish that very task.

First, compliance officers need to take a point of view where they can effectively recreate the past (sort of an information systems time machine). The trick to doing that involves regularly preserving data in a format that remains accessible with little effort. Perhaps a better way to describe it would be to use the phrase “virtual information systems time machine” — the key word being the word virtual.

I think you can see where I am going with this: I’m talking about leveraging virtualization technologies (server, storage and application) to recreate the past. It sounds complex, but actually isn’t. There are a few moving parts to keep track of and a few technologies that need to be implemented that will have an impact on IT operations.

First, let’s talk about preserving the data. The fastest way to go about that is with “snapshots,” whereby a snapshot of the data can be taken and stored at a certain point in time. But it doesn’t end with a data snapshot — that snapshot needs to be managed and preserved in a fashion where it can be remounted as a volume. With that technology in place, not only can the data be made readily assessable, but the supporting software can be as well. That is where virtualization technologies come into play.

Simply put, if you are running your servers, applications and databases under a hypervisor, you can just take a snapshot of the virtual hard drives involved and have the ability to recreate the environment at any time to ease e-discovery tasks. Until recently, attempting to do something along those lines involved a boatload of technologies and products. But, recently, some new ideas in storage have come along – namely, the combination of tier 1 and tier 2 storage technologies under a single platform. What’s more, physical-to-virtual conversion technologies have come on the scene to help simplify the move to virtual environments.

On the storage side, a high-speed storage area network (SAN) is probably the best way to handle the needs of accessing the data. However, that SAN solution should incorporate both tier 1 and 2 of the storage subsystem. Currently, one vendor comes to mind: Nimble Storage Inc., a storage-management manufacturer who has incorporated tier 1 and tier 2 into a single appliance that also supports snapshot technology.

The next piece of the puzzle can come from many different vendors, and that is the physical-to-virtual conversion technology (only needed if your systems are not yet virtualized). Backup vendors such as Paragon Software Group, Acronis Inc. and Symantec Corp. offer P2V applications (many as part of a disaster recovery suite). Most vendors of virtualization technologies, such as VMWare Inc., Citrix Systems Inc. and Microsoft Corp., also offer P2V utilities.

Thanks to these new virtualization technologies, e-discovery can become a simple process of assembling the proper pieces of the puzzle and recreating the past.

Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with more than 25 years of experience in the technology arena. He has written for several leading technology and business publications, and was also executive technology editor at eWEEK and director at CRN Test Center.


May 6, 2011  5:41 PM

Products try to prove productivity links to smart compliance strategy

Fohlhorst Frank Ohlhorst Profile: Fohlhorst

Lexmark is looking to prove that compliance strategy and productivity are not mutually exclusive concepts. The company is launching three new back-office solutions under the guise that automation, which improves productivity, can directly influence the level of compliance.

That’s probably a sign of things to come for the compliance market. A multitude of vendors are trying to assign value to the compliance strategy process or, at the very least, make purchasing new systems more palatable by extolling the virtues of productivity to help reduce the compliance burden.

I expect that most vendors in the compliance market will follow Lexmark’s lead and start to discuss processes instead of individual solutions.  After all, there is a lot of room to improve capabilities in the compliance market, and Lexmark seems to make some good points with its concepts.

Lexmark’s three new end-to-end, back-office solutions are designed to accelerate the flow of information and enable companies to improve compliance and productivity. This is done by leveraging the integration of Lexmark’s smart multifunction products (MFPs) and Perceptive Software’s ImageNow, which can merge generated data into enterprise systems.

The arrangement potentially reduces paper use, cuts down on processing time and automates some of the compliance requirements for businesses dealing with both printed and electronically transmitted data.

To begin with, Lexmark is focusing on solutions that are notorious for the amount of paper printouts created and the amount of data that can cross multiple desks, creating compliance concerns. The products offered include:

  • Recruitment and onboarding: Automates many of the manual tasks associated with the hiring process, making the process more efficient for managers, as well as HR staff. On the compliance strategy end, the solution automatically detects missing information such as critical forms, reports or signatures, and reduces risk associated with managing and storing hard-copy documents.
  • Invoice processing: Uses Lexmark’s MFP intelligent capture during invoice processing at the point of receipt to speed the process and reduce the cost of moving hard-copy invoices. The solution accelerates matching, approval and payment by automating manual tasks in order to capitalize on vendor discounts. It also synchronizes data with ERP and financial systems to ensure real-time visibility to payables.
  • Travel and expense: Eliminates paper and postage expenses by electronically capturing receipts in distributed locations. The solution reduces employee inquiries by providing self-service visibility to the report’s status and also eases reporting, reconciliation and audit preparation by collecting documentation in a single repository.

Ultimately, Lexmark’s goal is most likely aimed at getting enterprises to buy more Lexmark products and the associated supplies.  Compliance tinted with productivity is arguably one of the best ways to make that happen. Each of the above solutions does require Lexmark hardware and, in turn, the supplies and support that goes along with it.

Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with more than 25 years of experience in the technology arena. He has written for several leading technology publications, including Computerworld, TechTarget, PCWorld, ExtremeTech and Tom’s Hardware, and business publications including Entrepreneur and BNET. Ohlhorst was also executive technology editor at eWEEK and director of CRN Test Center.


April 28, 2011  7:16 PM

Don’t become a victim of your corporate compliance program

Fohlhorst Frank Ohlhorst Profile: Fohlhorst

For many executives, corporate compliance programs can be a double-edged sword. Take, for example, the recent resignation of Gary D. Henley, president and CEO of orthopedic device maker Wright Medical Group Inc.

Henley tendered his resignation as president and chief executive just prior to the board of directors reviewing an ongoing corporate compliance program at the company. Wright Medical said the board accepted Henley’s resignation but deemed it to be without “good reason,” and thus Henley isn’t entitled to severance pay. The board also fired another executive for issues related to the company’s corporate compliance program.

The Arlington, Tenn., company didn’t describe the specific compliance issues being reviewed. However, as part of a deferred prosecution agreement with the U.S. government over allegations that Wright Medical improperly paid doctors to use its devices, the company agreed to meet certain compliance obligations. This included subjecting its physician consulting arrangements to review by a federally appointed monitor.

In addition to the CEO resignation, the board fired Frank S. Bono, senior vice president and chief technology officer (CTO), for “failing to exhibit appropriate regard for the company’s ongoing compliance program.”

The Wright Medical story — and others like it — highlights how severe an impact compliance problems can have on an organization. That should prompt CTOs and other executives to consider the impact of compliance problems and if their jobs are indeed on the line.

The key here is not to minimize the importance of corporate compliance programs or think that others may take the fall if a compliance initiative fails. Use the example above to plan for the worst and to make sure the appropriate budget and resources are in place to prevent compliance problems from taking your job.

Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with more than 25 years of experience in the technology arena. He has written for several leading technology publications, including Computerworld, TechTarget, PCWorld, ExtremeTech and Tom’s Hardware, and business publications including Entrepreneur and BNET. Ohlhorst was also executive technology editor at eWEEK and director of CRN Test Center.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: