cio magazine august security special issue 2012


  • VIEW FROM THE TOP

    Jagdish Saxena on how IT drives Elder Pharma’s business. Page 66

    BIG DATA CHOICES

    Make the right storage decisions for big data. Page 77

    AUGUST 15, 2012 | ₹100.00

    WWW.CIO.IN

    BUSINESS TECHNOLOGY LEADERSHIP VOL/07 | ISSUE/10

    ASISH KARUNAKARAN, CIO, SBI Capital Markets, is combatting mobile insecurity with VDI.

    The six key battles IT leaders are going to have to win if they want to protect their enterprises. Page 38

    CIO-PWC SECURITY SURVEY Indian data from the world’s largest security survey reveals how CIOs are coping with new technologies.

  • Inbound Response Management: Priya Sharma v: 1800 209 3062 f: 022 66765553

    THE NEW NETWORK IS SECURE

    Today’s users have gone through a rapid shift in expectations. Now they want to connect to your network with any device – be it their laptop, smartphone or tablet. Being able to support more types of mobile devices while providing secure, pervasive connectivity, with the right mix of wired and wireless access that’s right for your business, has quickly become critical for success.

    Juniper Networks builds the new network that can help you solve the connectivity conundrum by managing security without having to control the device, with a simple, single client that works on almost all devices.

    Find out about moving to the new network that is built for present and future demands. Get the story at juniper.net

  • FROM THE EDITOR-IN-CHIEF

    Hold Your Nerve

    Events that test a CIO's mettle, skill and ability to remain calm are great opportunities for survival and learning.

    Vijay Ramachandran, [email protected]

    "If you can keep your head when all about you, Are losing theirs and blaming it on you,... you'll be a Man, my son!"

    —'If' by Rudyard Kipling

    Have you ever come across this equation: Crisis = danger + opportunity? If you have, it would typically have been followed by an explanation about the Chinese ideogram for crisis (wieji) having two parts—one that stands for danger and the other for opportunity. Then comes a bit of seemingly oriental wisdom: In a crisis, be aware of the danger but look for the opportunity. Profound? Absolutely. Smart strategy? For sure.

    Except that it isn't so really.

    Wieji actually breaks down as danger + crucial point. What it really stands for is that in a crisis, you need to stay alert because you are at a critical juncture that can potentially break you.

    Color me cynical, but an unstable state of affairs is hardly the time to be looking out for how to 'benefit' from it. Survival? Undeniably. Business continuity? Entirely. Learning? You bet. But converting catastrophe into opportunity? Not really.

    These are the bits about a crisis that make it interesting. Business crises test the best of executives, and CIOs are no exception. It's remarkable the shapes and forms business crises can take these days, apart from the uncertainty that our economic landscape is witnessing. I’ve heard horror tales of structured cabling in hospitals being chewed through by rodents, of whole kilometers of optic fibre being stolen overnight, of a server farm getting fried when the power polarity reversed, and even of 70 percent of an IT team quitting en masse. It's these low-frequency, yet high-impact events that test a CIO's mettle, his skill and his ability to remain calm and look for the way forward.

    Amongst the immortal lines of Kipling's If are also these: "If you can force your heart and nerve and sinew, To serve your turn long after they are gone, And so hold on when there is nothing in you, Except the Will which says to them: 'Hold on!'"

    All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027, India. IDG Media Private Limited is an IDG (International Data Group) company.

    Printed and Published by Louis D’Mello on behalf of IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027. Editor: Louis D’Mello. Printed at Manipal Press Ltd., Press Corner, Tile Factory Road, Manipal, Udupi, Karnataka - 576 104.

    IDG Offices in India are listed on the next page.

    PUBLISHER, PRESIDENT & CEO Louis D’Mello | ASSOCIATE PUBLISHER Rupesh Sreedharan

    EDITORIAL: EDITOR-IN-CHIEF Vijay Ramachandran | EXECUTIVE EDITOR Gunjan Trivedi | DEPUTY EDITOR Sunil Shah | ASSISTANT EDITOR ONLINE Varsha Chidambaram | CHIEF COPY EDITOR Shardha Subramanian | SENIOR COPY EDITOR Nanda Padmanabhan | COPY EDITOR Vinay Kumaar | PRINCIPAL CORRESPONDENT Gopal Kishore | SENIOR CORRESPONDENT Sneha Jha | CORRESPONDENTS Debarati Roy, Shweta Rao, Shubhra Rishi, Ankita Mitra, Kartik Sharma

    DESIGN: LEAD DESIGNERS Jinan K.V., Vikas Kapoor, Jitesh C.C | SENIOR DESIGNER Unnikrishnan A.V | DESIGNERS Amrita C. Roy, Sabrina Naresh, Lalita Ramakrishna

    SALES & MARKETING: PRESIDENT SALES & MARKETING Sudhir Kamath | VP SALES Parul Singh | GM MARKETING Siddharth Singh | MANAGER KEY ACCOUNTS Jaideep Marlur, Sakshee Bagri, Varun Dev | MANAGER SALES SUPPORT Nadira Hyder | MARKETING ASSOCIATES Anuradha Iyer, Benjamin Jeevanraj

    CUSTOM SOLUTIONS & AUDIENCE DEVELOPMENT: SR. MANAGERS PROJECTS Ajay Adhikari, Chetan Acharya, Pooja Chhabra, Ajay Chakravarthy | MANAGER Tharuna Paul | SENIOR EXECUTIVE Shwetha M | PROJECT COORDINATORS Archana Ganapathy, Saurabh Pradeep Patil, Rima Biswas

    FINANCE & OPERATIONS: FINANCIAL CONTROLLER Sivaramakrishnan T. P | SR. MANAGER ACCOUNTS Sasi Kumar V | SR. ACCOUNTS EXECUTIVE Poornima | MANAGER CREDIT CONTROL Prachi Gupta | SR. MANAGER PRODUCTS Sreekanth Sastry | ASSISTANT MANAGER PRODUCTS Dinesh P | SR. MANAGER PRODUCTION T.K. Karunakaran | SR. MANAGER IT Satish Apagundi

    2 AUGUST 15, 2012 | REAL CIO WORLD

  • Networks are complex. Your network performance management shouldn’t be. Decomplexify it with Riverbed Cascade.

    Go to www.Riverbed.com/Cascade to see how Riverbed is Decomplexifying network performance management by enabling end-to-end visibility into the performance and troubleshooting of critical business applications. For any queries, please contact [email protected] or +91 9845652826, +91 80 40300567

  • FROM THE GOVERNING BOARD

    Beat the Economy Blues

    The uncertain economy is an opportunity for CIOs to rise above troubled waters. Here’s how.

    Challenges bring a plethora of opportunities along with them. The current economic uncertainty is helping CIOs accelerate plans for the future. And, believe me, it’s easy to capitalize on them. The answer lies in focus.

    One great approach with regard to this is to have a triangular union of the following action elements: Economize, empower, and build IT. The first element focuses on identifying areas to purge; the second on selecting projects to invest in; and the third on training programs to build skills and keep IT morale up. Here are some pointers that may come in handy:

    Take Stock: CIOs must take periodic stock of their organizations' financial situation themselves. They must ensure that IT expenditure has the same importance it had a few months ago. Otherwise, CIOs are likely to lose touch with the dynamic economic reality.

    Predict: CIOs need to keep their teams focused on two main areas for effective pre-emptive planning: Marrying IT and business priorities, and being lithe enough to keep IT steady when priorities change. For example, one can maintain a dashboard of all projects that calculates priorities on the basis of capital investment, time required, and risk factors. It will help make the available alternatives clearer as conditions change.

    Communicate: It’s a great practice to spend time with business to gauge its sensitivity. There is a fine line between an authoritative and a “mother-may-I?” attitude. One stops being a CIO at either extreme. CIOs will have to judiciously balance the two without jeopardizing critical business functionalities.

    Train: A leader is known by his team. We often forget that the staff that constitutes the IT team needs emotional training apart from technical expertise. Companies may not cut costs, but it is the CIO’s duty to prepare his IT team for that possibility. Also, avoid indulging in unnecessary resource spends.

    Fine-tune: CIOs might want to edge back some cash spends, pushing them to the next year. Begin to bias new-project selection towards short-term and low-risk. This will augment the team’s response time.

    Rajeev Batra is CIO, Sistema Shyam Teleservices (MTS India)

    GOVERNING BOARD

    ALOK KUMAR, VP & Global Head-Internal IT & Shared Services, TCS

    AMRITA GANGOTRA, Director-IT (India & South Asia), Bharti Airtel

    ANIL KHOPKAR, VP-MIS, Bajaj Auto

    ATUL JAYAWANT, President Corporate IT & Group CIO, Aditya Birla Group

    C.N. RAM, Group CIO, Essar Group

    DEVESH MATHUR, COO, HSBC

    GOPAL SHUKLA, VP-Business Systems, Hindustan Coca-Cola

    MANISH CHOKSI, Chief-Corporate Strategy & CIO, Asian Paints

    MURALI KRISHNA K, SVP & Group Head CCD, Infosys Technologies

    NAVIN CHADHA, IT Director, Vodafone Essar

    PRAVIR VOHRA, Group Chief Technology Officer, ICICI Bank

    RAJEEV BATRA, CIO, Sistema Shyam Teleservices (MTS India)

    RAJESH UPPAL, Executive Officer IT & CIO, Maruti Suzuki India

    S. ANANTHA SAYANA, Head-Corporate IT, L&T

    SANJAY JAIN, CIO & Head Global Transformation Practice, WNS Global Services

    SUNIL MEHTA, Sr. VP & Area Systems Director (Central Asia), JWT

    V.V.R. BABU, Group CIO, ITC

    Bangalore: Geetha Building, 49, 3rd Cross, Mission Road, Bangalore 560 027, Phone: 080-3053 0300, Fax: 3058 6065

    Delhi: New Bridge Business Centers, 5th and 6th Floor, Tower-B, Technolopolis, Golf Course Road, Sector 54, Gurgaon-122002, Haryana, Phone: 0124-4626256, Fax: 0124-4375888

    Mumbai: 201, Madhava, Bandra Kurla Complex, Bandra (E), Mumbai 400 051, Phone: 022-3068 5000, Fax: 2659 2708

  • Introducing Next Generation InfraStruxure

    Whether you have just acquired a new company or must increase its ever-expanding customer or inventory database capacity, you’re most likely facing pressing demands on your company’s IT infrastructure. Your existing data centre infrastructure may not be able to handle these up-to-the-minute changes. That’s where Schneider Electric™ steps in with its proven high-performance, scalable data centre infrastructure. As the industry’s one-of-a-kind, truly modular, adaptable, and ‘on-demand’ data centre system, only InfraStruxure™ ensures that your data centre can adapt effectively, efficiently, and, perhaps most important, quickly, to business changes.

    InfraStruxure data centres mean business! A data centre means business when it is available 24/7/365 and performs at the highest level at all times, is able to adapt at breakneck speed, lets you add capacity without waiting on logistical delays (e.g., work orders), enables IT and facilities to keep pace with the business in a synchronised way, continues to achieve greater and greater energy efficiency — from planning through operations — and is able to grow with the business itself. What’s more, our comprehensive life cycle services help InfraStruxure data centres retain business value at all times.

    The triple promise of InfraStruxure deployment: InfraStruxure fulfils our triple promise of superior quality, which ensures highest availability; speed, which ensures easy and quick alignment of IT to business needs; and cost savings based on energy efficiency. What better way to mean business than to enable quality, speed, and cost savings — simultaneously?

    Only InfraStruxure adapts quickly to your specific business needs. Now, align your data centre architecture to your business needs in just seconds.

    The flexibility of the InfraStruxure architecture:

    Extend the life of your data centre. Existing data centres can add on InfraStruxure components to existing architecture and, for increased value, use our management software.

    Scale up with step-and-repeat modular architecture for large data centres. Medium/large environments can deploy InfraStruxure as a zoned, ‘pay-as-you-grow’, scalable architecture solution.

    Turn any room into a world-class data centre. InfraStruxure can be deployed on its own as a modular, scalable, customised solution that’s easy to design, build, and install for small first-time data centre environments.

    1. Power: Modular power distribution and paralleling capabilities on UPS for loads from 10 kW to 2 MW.

    2. Physical security: A single-seat view for monitoring and surveillance.

    3. Management: End-to-end monitoring and management software for greater efficiency and availability.

    4. Rack systems: ‘Any-IT’ vendor-compatible rack enclosures and accessories for high densities.

    5. Cooling: Rack-, row-, and room-based cooling options for greater efficiency.

    APC™ by Schneider Electric is the pioneer of modular data centre infrastructure and innovative cooling technology. Its products and solutions, including InfraStruxure, are an integral part of the Schneider Electric IT portfolio.

    Business-wise, Future-driven.™

    Discover which physical infrastructure management tools you need to operate your data centre. Download White Paper #104 today and 10 lucky respondents can WIN a free telescope.

    Visit www.SEreply.com Key Code 45504y Call 1800-4254-272/877

    ©2012 Schneider Electric. All Rights Reserved. All trademarks are owned by Schneider Electric Industries SAS or its affiliated companies. email: [email protected] • Schneider Electric India Pvt Ltd, 9th Floor, DLF Building No. 10, Tower C, DLF Cyber City, Phase 2, Gurgaon – 122002 • 998-5037_A_IN-GB

  • contents

    AUGUST 15, 2012 | VOL/7 | ISSUE/10

    SECURITY SPECIAL

    38 | Security’s Big Wars | COVER STORY | SECURITY | In the battle to secure their enterprises CIOs are fighting a six-front war. And CIOs seem to be winning. Find out how. Feature by Team CIO

    40 | The Three-cornered Fight for Mobile Supremacy | MOBILITY | Four Indian CIOs take on BYOD’s security threats with three different strategies. Here are the pros and cons of each. By Debarati Roy

    44 | Beating the Guerillas at Their Game | MOBILITY | How to ensure that your enterprise isn’t blindsided by consumer devices. By Serdar Yegulalp

    48 | Firing a Round for BYOD | MOBILITY | Enterprise IT is targeting personal devices and maximizing their ROI potential. By Tom Kaneshige

    52 | The Cloud Under Attack | CLOUD COMPUTING | Gaping holes in the cloud are making it easier for hackers to launch their missiles. And a lack of security awareness isn't helping. By Jeff Vance

    56 | Defensive Lines | APPLICATIONS | Securing your apps has never been more important, and there are lots of ways to do that. By Michael Fitzgerald

    60 | Assault on Non-compliance | GOVERNANCE, RISK, COMPLIANCE | GRC can be a complex undertaking. But for Fiserv, the alternative was even more complicated. By Bob Violino

    64 | Dynamiting Data | GOVERNANCE, RISK, COMPLIANCE | A critical part of securing IP is the timely elimination of data you no longer need. By Bob Violino

    68 | For Your Eyes Only | GOVERNANCE, RISK, COMPLIANCE | IP is the new hot target, under attack by hackers and inadequately secured. Here’s how to protect it. By Lauren Gibbons Paul

    71 | Security’s Buy-in Obstacle | PEOPLE SKILLS | Even well-run organizations can be resistant to new ideas. Nine ways to cross this hurdle. By Mary Brandel

    76 | Militants of the Web World | CRIME | If your employees are using the corporate network to transact in the online black market, your organization is in severe trouble. By Brandon Gregg

    COVER: PHOTOGRAPH BY KAPIL SHROFF / COVER IMAGING BY UNNIKRISHNAN AV

  • Zero Data Loss DR solution

    No More Data Lost in Transit

    Our Zero Data Loss Solution ensures that your business doesn’t lose even a single byte of data or precious minutes getting your service back on track in the event of a downtime.

    Data lost in transit during a downtime is irretrievable. Traditional disaster recovery services take at least 4 to 5 hours to initiate the recovery process, putting a great deal of data at risk. Which is why a Zero Data Loss Solution makes perfect business sense.

    DR on demand | MyCloud - Private cloud on-demand | Managed Services | Messaging Solutions

    CtrlS Business Solutions

    To know more, write to us: [email protected] | Call us: 040-42030583

    Visit www.ctrls.in/mumbai-data-center

  • contents (cont.)

    DEPARTMENTS

    2 | From the Editor-in-Chief | Hold Your Nerve | By Vijay Ramachandran

    4 | From the Governing Board | IT Strategy | Beating the Economy Blues | By Rajeev Batra, Sistema Shyam Teleservices (MTS)

    11 | Trendlines | Privacy: British Airways Stalks Passengers; Quick Take: Taking Rogue IT Down; Compliance: French Faux Pas Costs it €10,000; Devices: Ads Spy on Mobile Users; Internet: Anti-Social Networking; Malware: Access (Not) Denied; Internet: God More Harmful Than Porn; Passwords: It’s the Default’s Fault; Censorship: Google’s Schmidt Takes on China; By The Numbers: Beefing up Online Security

    20 | Alert | Data Privacy: One ID Card, Many Pockets; People: Generation Gap = Security Abyss?

    32 | Alternative Views | Should CIOs KISS? | Security policies are long-winding and hard to read. Would simpler versions encourage compliance? Two CISOs debate.

    98 | Essential Technology | Security: The New Perimeter; Social Media: Social Insecurity

    104 | 5 Things I've Learnt | The Voice of Experience | Sundaram Krishnan, Former CIO, Universal Sompo General Insurance

    COLUMNS

    26 | Crossing the Cloud Security’s I’s and T’s | CLOUD COMPUTING | As organizations migrate more and more critical functions to the cloud, it's becoming crucial for IT—in conjunction with business and cloud providers—to ensure that security's i's are dotted and its t's crossed. Column by Pallavi Anand

    27 | A CIO’s Guide to the World | UNDERCOVER OFFICER | Is it possible to adhere to local business customs without compromising security? Yes, but only if the CSO has a little creativity and a lot of trust. Column by Anonymous

    30 | Security Bootcamp | STRATEGIC CIO | Skip the boring lectures and understand how people really learn new information and habits. Column by Joe Ferrera

    SURVEY | GLOBAL INFORMATION SECURITY SURVEY | 2012: The New Battle Fronts | Cloud computing, social media, and mobility: They are all yesterday’s emerging technologies—and today’s emerging threats. Find out how Indian organizations are countering this multi-front attack. By Sunil Shah and Shardha Subramanian

  • CIO Online

    [CIO HOMEPAGE] CIO.in Revamps! To serve your needs better, we've redesigned cio.in. Now you'll be able to navigate content more easily, and quickly see the stories that demand your attention. We also have more surveys and more case studies!

    [BOOK CLUB] Conversation Starter. Books have been known to spark conversations, and on our website you can find the genesis of one. Learn what your peers think of a book and then visit the all new CIO Book Club section online and join the conversation with your peers. >> www.cio.in/bookclub

    [CIO DEBATES] Should CIOs KISS? We invited two CISOs to kick-start a debate on whether making user security policies simpler would encourage compliance. Read all about it in Alternative Views (page 32). Which side are you on? We also have more debates for you on www.cio.in: Is the Economy Pushing for New Models of Funding IT? Ayes Vs Nays; Job Rotation: Harmful or Helpful? Ayes Vs Nays >> www.cio.in/cio-debates

    Must Read @cio.in: >> Alert: Generation Gap = Security Abyss? >> Column: Cloud Security’s I’s and T’s >> Feature: Bombarded: The Cloud Under Attack

    [Cover Story] Security's Big Wars. A fierce battle between CIOs and the six most potent threats—mobility, cloud, apps, GRC, people and crime—is on. And it looks like CIOs are winning this one. Find out how. >> www.cio.in

    ADVERTISER INDEX

    This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

    Bharti Airtel 23 | Boston Limited (India) 1 | Check Point Software Technologies 25 | Ctrl S Datacenters 7 | Eaton Power Quality 13 | EMC Data Storage 34, 35, 36 & 37 | Fortinet 49 | Galaxy Business Solutions 67 | Gartner India Research & Advisory Services 9 + Flap | HID India 51 | IBM India BC | Juniper Networks India IFC | Lenovo India IBC | McAfee India Sales Security Survey | Nelco 47 | Oracle India 15 | Panasonic India 59 | Riverbed Technology India 3 | SAS Institute (India) 75 | Schneider Electric India 5 | Trend Micro India 21 | Verizon Communications India 31 | VMWare Software India 19

  • NEW * HOT * UNEXPECTED

    EDITED BY SHARDHA SUBRAMANIAN

    PRIVACY | British Airways Stalks Passengers Online

    We’ve all Googled ourselves from time to time, but British Airways has crossed the creepy line by looking up its own passengers on Google Image Search.

    The airline is rolling out a new program, called Know Me, that tries to improve passenger recognition through Google search and other methods. British Airways will create dossiers on passengers, and will use the profile data to offer 4,500 personal recognition messages by the end of the year, the London Evening Standard reports.

    For instance, flight attendants may reference Google image results to greet a high-profile, first-class passenger when he or she boards the plane. British Airways will also dig into its own passenger data, so if a regular customer experienced a delay on a previous flight, airline staff can offer a personal apology.

    Not surprisingly, some privacy advocates are upset. “Since when has buying a flight ticket meant giving your airline permission to start hunting for information about you on the Internet?” Nick Pickles, director of Big Brother Watch, told the Standard. Some customers just don’t want to be bothered—especially famous ones—so it’s presumptuous for the airline to think no one will mind being stalked on Google for the purpose of a greeting.

    A better way might be to let people opt in to such a service through Facebook. That way, the information would be more reliable and less creepy, and would only affect willing participants.

    Using Google for image search is also a slippery slope that could lead to broader Internet data mining. British Airways should draw the line at image recognition, and think of smarter ways to provide personalized service that don’t revolve around Internet stalking.

    —By Jared Newman

    QUICK TAKE: Taking Rogue IT Down

    INSIDER THREAT | Take one look at the Batman Rogues Gallery and you will be able to recognize the Mad Hatter, Bane, Clayface and the Joker. All real, visible rivals. Unfortunately for CIOs, the IT Rogues Gallery still remains in the shadows. Rogue IT is gradually making its presence felt in enterprises. Gopal Kishore spoke to Rohan Deshpande, CIO, Ogilvy & Mather, to find out how to combat it.

    How serious is the threat of rogue IT?

    Call it rogue IT or shadow IT or by any other name, but when users try to circumvent the IT department, it is definitely a matter of concern. Today, anybody with a credit card can get access to cloud services. We try to prevent this trend by making it mandatory for employees to get all IT reimbursement cleared by the IT department.

    Is it fueling the cloud or is the opposite true?

    It’s not just rogue IT users, but SMEs and entrepreneurs who are fuelling the cloud. The growth of shadow IT has been facilitated by a range of feature-rich tools such as project management, online backup, and other valuable services that are available through the ubiquitous Web browser. These can be procured and integrated into current business practices without IT’s involvement. However, we see that this is usually done by tech-savvy users within the organization for their personal requirements.

    Would it be easier to prevent rogue IT if IT adheres to user needs?

    The role of IT is that we understand the business need and we understand technology. As long as the requested service fits into the company’s IT policy, we don’t reject it. We do deny certain requests, as there is a very thin line between official and personal. Some employees take advantage of this and charge the organization for some service which was used for personal benefit. IT refuses to oblige only because it has to safeguard the company’s interest. So, taking these considerations into account, we either reject or oblige user requests.

    —Rohan Deshpande

    ILLUSTRATION BY VIKAS KAPOOR

  • TRENDLINES

    VOICES: IS BIOMETRIC AUTHENTICATION FEASIBLE?

    BREACH | Passwords are essentially the root of all data breach evils. Strong passwords with random capital letters, numbers and special characters confuse people, and they resort to creating a passwords file, which is the first thing hackers look for. Is it time to move away from traditional password-protected identification to biometric identification? Debarati Roy asked some of your peers and here’s what they had to say:

    RAMNATH IYER, Director-IT, CRISIL

    “Single factor authentication isn’t adequately secure and is not preferred outside a gated environment. SAML (security assertion markup language) combined with biometric authentication on local host is promising. But my bet will be on biometrics as the long-term solution for data privacy.”

    KALPANA MANIAR, Head-Business Solutions & IT, Edelweiss Capital

    “Biometric is still evolving. We are yet to see effective biometric readers that provide quality results. Though work-arounds are available, security threats pertaining to biometric implementations remain contentious.”

    SANKARANARAYANAN RAGHAVAN, Director-IT, Aegon Religare Life Insurance

    “The future of password protection and authentication lies in biometric validation. Currently, it can be implemented on laptops and ATMs, but it would be expensive and complex to deploy on online apps and portals. However, I do believe that when both the complexity and the cost to implement reduce, biometrics will be the future of password protection and security.”

    COMPLIANCE | French Faux Pas Costs it €10,000

    A French company must pay a €10,000 (about Rs 6.8 lakh) fine for failing to provide an employee with GPS data tracking the movements of his company vehicle, according to the French National Commission on Computing and Liberty (CNIL).

    The man wanted the data in order to prove that a traffic accident in which he had been involved took place while he was on business for Equipements Nord Picardie, a regional water utility.

    France has strict laws governing what personal data businesses may store on a computer, and provides that anyone may request a copy of data relating to them. Typically, access requests are made by persons wishing to correct or delete personal data held about them, two other rights enshrined in French law.

    However, in this case, the man hoped to use the tracking data gathered by his employer to convince a court that he had been the victim of a workplace accident.

    Eleven weeks after his initial request to his former employer, he complained to the CNIL, which asked the company to turn over the data four times over the following six months. Another month passed, still with no reply. The CNIL gave the company formal notice to turn over the data within two weeks, but it refused, saying the employee could consult the data in its office.

    “Through its stalling tactics, the company took the risk of depriving the plaintiff of the possibility of accessing data, the storage of which was only guaranteed for six months after its recording,” the CNIL said in its ruling.

    That could have left the employee without the means to prove to his health insurance provider that the accident had been sustained on company business.

    In view of the company’s procrastination, and its refusal to provide the copy of the data required by law, the CNIL decided to impose a €10,000 fine.

    —By Peter Sayer

    IMAGING BY VIKAS KAPOOR

  • INTERNET | Yet another criminal has managed to get himself caught after posting on Facebook. Convicted robber James Tindell skipped out of Oregon earlier this year to avoid court-ordered drug treatment and other conditions he had accepted so as to avoid prison.

    But instead of flying under the radar, Tindell made Facebook posts that taunted his probation officer, complained about the judge who sentenced him, and ranted about the criminal justice system. Not only that, he also posted things such as “I’m in Alabama,” and a sonogram of his unborn child that showed the name of the hospital in Alabama where it was taken.

    His probation officer spotted the posts and asked prosecutors to issue a nationwide arrest warrant. Tindell was then apprehended after getting pulled over for speeding—another genius move by someone running from the law.

    In the end, the clueless criminal was ordered to reimburse the state $2600 (about Rs 1.4 lakh) for flying him back to Oregon and sent to prison for two-and-a-half years.

    It’s far from an isolated case.Last year, a thief in Georgia used a cell phone he found

    in a stolen purse to post a picture of himself on the victim’s Facebook page. He likely didn’t know the phone’s owner had it set up to automatically post photos to the social network.

    And in April, a dim-witted British crook was busted after a friend posted a photo of him on Facebook with a TV he’d stolen.

    Charles Holden stole a plasma TV, a PlayStation, and some games from a house in which he formerly had roomed. He then sold the goods right outside the door while one of his friends snapped a picture of the transaction.

    The victim, suspecting Holden, snooped around on his Facebook page as well as those of his friends and spotted the incriminating photo, which led to an arrest.

    And this one is classic: A Pennsylvania man, back in 2009, stopped to check his Facebook account on a computer in the home he was in the process of robbing. He forgot to log out before taking off with his loot. Of course, the victim later noticed his mistake and gave police identifying information to make a speedy arrest.

    Although you’d think enough of these stories have surfaced that malefactors would wise up, apparently stupidity is perennial. If nothing else, they’re good for chuckles.

    —By Christina DesMarais

DEVICES Some ads inside free apps for smartphones pose a threat to consumer privacy, according to a company that makes security software for mobiles.

More than 50 percent of free apps embed ads in their offerings provided by ad networks, according to Lookout Mobile Security. Some of those networks access personal information on the phones they’re running on without clearly explaining to users what they’re doing, research by Lookout revealed.

It also noted that 5 percent of the apps on smartphones, which represent 80 million downloads, are embedded with “aggressive” ad networks that perform “non-kosher” acts on a smartphone, such as changing bookmark settings and delivering ads outside the context of the app they are embedded in.

An analysis of free apps in Google Play showed that the leading user of aggressive ad networks was wallpaper apps (17 percent), followed by entertainment (8 percent) and games (7 percent).

    The security vendor has also released a set of comprehensive guidelines for mobile advertisers. They outline “best practices” for the pitch firms to follow and govern transparency and clarity, individual control, ad delivery behavior, data collection and other topics.

    In addition to collecting personal data from smartphones, ad networks have also been reported to push “scareware,” such as battery upgrade warnings, and shove marketing icons onto a phone’s start screen.

    —By John P. Mello Jr.

    Ads Spy on Mobile Users

Anti-Social Networking

Enemy at the Gates

INTRUSION The good news: Unknown attacks have come down. The bad news: Employees are still the biggest source of security breaches.

Estimated Likely Source of Incidents            2012    2011
Employees (current and former)                   86%     76%
Hacker                                           33%     32%
Competitors                                      28%     …
Customers                                        26%     15%
Service providers/consultants/contractors        21%     20%
Unknown                                          12%     27%

Source: Indian Information Security Survey


INTERNET Religious and ideological websites can carry three times more malware threats than pornography sites, according to research from security firm Symantec. The firm’s annual Internet Security Threat Report also found that threats to mobile devices continue to grow, almost exclusively for Google’s Android mobile OS.

Internet security reports from companies that also sell anti-virus solutions should be taken with a pinch of salt, given the potential conflict of interest, but Symantec’s authoritative findings are nevertheless interesting.

    Symantec found that the average number of security threats on religious sites was around 115, while adult sites only carried around 25 threats per site—a particularly notable discrepancy considering that there are vastly more pornographic sites than religious ones. Also, only 2.4 percent of adult sites were found to be infected with malware, compared to 20 percent of blogs.

    “We hypothesize that this is because pornographic website owners already make money from the Internet and, as a result, have a vested interest in keeping their sites malware-free—it’s not good for repeat business,” said the report.

Be that as it may, malware threats are only increasing. Symantec measured an increase of more than 81 percent in malware in 2011 over 2010, while the number of malware variants increased by 41 percent.

    On the flip side, spam volumes have decreased from 88.5 percent of all e-mail in 2010 to 75.1 percent in 2011—thanks to law enforcement action which shut down the Rustock worldwide botnet that was responsible for sending out large amounts of spam.

    Android smartphone users should also be wary of malware, as Symantec says mobile vulnerabilities, almost exclusive to Google’s open mobile OS, increased by more than 93 percent. The report found more than half of all Android threats do two things: Collect device data or track users’ activities.

    A quarter of the mobile threats identified were designed to make money by sending premium SMS messages from infected phones, which could be even more lucrative than stealing your credit card details.

    — By Daniel Ionescu

    God More Harmful Than Porn

Image by Photos.com

Access (Not) Denied

MALWARE The security vendor Trusteer is warning banks to look out for a sophisticated Trojan that can empty the accounts of online users.

The criminal scheme perpetrated through the Tatanga Trojan has already attacked the sites of several German banks, and Trusteer expects it to be reconfigured in time for banks in other countries, including the US. “Many [US and Indian banks] are using the exact same framework as German banks, so they should care,” said Oren Kedem, director of product marketing for Trusteer.

The cyber-criminals are taking advantage of the text messaging German and Indian banks use to authenticate an online transaction. When a person transfers funds, the bank first sends a transaction authorization number (TAN, or an Online Authentication Code, OAC, in India) to the customer’s mobile phone. That number has to be typed into a Web form before the transfer is completed.

When a victim logs into his bank’s site, the malware displays a screen saying the bank is performing a security check and asks that a TAN or OAC be punched into a form on the page. Behind the scenes, the Trojan checks the victim’s accounts for the one with the most money and then requests an OAC from the bank, so the money can be transferred to the hackers’ account.

From the victim’s perspective, the bogus page says the amount of money and the receiving account are only test data and nothing will actually happen. However, once the OAC is entered into the form, the unsuspecting bank immediately completes the transfer to the fraudulent account. To cover its tracks, the malware changes the account balance report in the online banking application to hide the transaction.

The malware creators still have some work to do to improve the effectiveness of the scam. The fraudulent page is littered with grammar and spelling mistakes, which should be a tip-off for many victims.

—By Antone Gonsalves
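The scheme described above works because the bank cannot tell whether the OAC is being entered by the customer or relayed by malware; the code is a bare number, so the page can claim the transfer is "test data". The usual mitigation is to bind the code to the transfer details and put those details in the SMS itself, so the customer sees the real amount and payee regardless of what the browser shows. The following is an added example written for this article, not Trusteer's or any bank's code; the key handling, the 6-digit code derivation, the two-minute expiry and the function names are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed server-side key; a real deployment keeps it in an HSM or KMS.
SERVER_KEY = secrets.token_bytes(32)
CODE_TTL_SECONDS = 120          # assumption: codes expire after two minutes


@dataclass(frozen=True)
class Transfer:
    account_from: str
    account_to: str
    amount_cents: int


def _canonical(t: Transfer, nonce: str) -> bytes:
    # Length-prefix every field so "1|23" and "12|3" cannot collide.
    fields = [t.account_from, t.account_to, str(t.amount_cents), nonce]
    return b"".join(len(f).to_bytes(2, "big") + f.encode() for f in fields)


def derive_code(t: Transfer, nonce: str, key: bytes = SERVER_KEY) -> str:
    """6-digit code that is a keyed function of the transfer details and nonce."""
    digest = hmac.new(key, _canonical(t, nonce), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


# nonce -> (transfer the code was issued for, issue time). Single use.
_pending: Dict[str, Tuple[Transfer, float]] = {}


def issue_code(t: Transfer, now: Optional[float] = None) -> Tuple[str, str]:
    """Record the transfer and return (nonce, sms_text).

    The SMS states what the code authorizes, so a customer told on screen that
    the details are only test data can see the real amount and payee."""
    nonce = secrets.token_hex(8)
    _pending[nonce] = (t, time.time() if now is None else now)
    sms = (f"Code {derive_code(t, nonce)} authorizes a transfer of "
           f"{t.amount_cents / 100:.2f} to account {t.account_to}. "
           f"If you did not request this transfer, do not enter the code.")
    return nonce, sms


def verify_code(nonce: str, submitted: Transfer, code: str,
                now: Optional[float] = None) -> bool:
    """Accept only if the nonce is live and unused, the code is unexpired, and
    the submitted transfer is exactly the one the code was issued for."""
    entry = _pending.pop(nonce, None)       # pop first: one attempt per nonce
    if entry is None:
        return False
    issued_for, issued_at = entry
    if (time.time() if now is None else now) - issued_at > CODE_TTL_SECONDS:
        return False
    if submitted != issued_for:
        return False                        # form data was altered in transit
    return hmac.compare_digest(derive_code(submitted, nonce), code)
```

The server-side checks (single use, expiry, binding to the recorded transfer) stop replay and tampering of the form data; the defence against the social-engineering half of the attack is the SMS text, which must name the payee and amount so that the "test data" story on the injected page contradicts what the customer reads on the phone.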



Passwords Farce: It’s the Default’s Fault

PASSWORDS KPN, a Dutch telecom company, recently closed a self-service portal for corporate ADSL customers after it discovered that 120,000 of its 180,000 business clients were still using default passwords, all variants of ‘welkom01’, demonstrating once again how lax security can get.

The security vulnerability could have given unauthorized persons easy access to the corporate accounts, for which the corresponding usernames could be easily derived from the businesses’ street addresses.

KPN said it was unaware that the vast majority of its 180,000 ADSL business clients were still using a default password for the online Customer Self Care portal.

Dutch IT news site Webwereld alerted KPN about the trend after a tip from Robert Schagen of Robert 4U IT, who discovered the security leak. By continuing to use default passwords such as “welkom01,” “welkom1” or “welkom001”, customers risked unauthorized persons gaining access to their accounts, KPN said.

Corporate clients were provided with a default password to gain access to the online self-care portal as a standard practice, but KPN did not make it mandatory to change the password, and so many of its customers never did.

Businesses’ user names consist of their zip code and street number, said KPN spokesman Steven Hufton. And a list of KPN’s corporate customers could easily be obtained by querying the database of the regional Internet registry, Webwereld reported.

With access to an account on the portal, it is possible to change a customer’s contact e-mail address and connection speed and turn services on and off, Hufton said. Besides that, the portal also contains bank account numbers and it is possible to change the password, giving malicious persons the opportunity to take over the account, Webwereld wrote.

“This is unacceptable,” said Eddy Willems, security evangelist at G Data. “KPN should have made it mandatory for users to change the default password when the account was activated.”

KPN’s problem was probably a historical one, Willems said, adding that at the time of the implementation probably nobody thought about the consequences. While this is an easy problem to solve, companies should think of good security before they implement a system, he said.

—By Loek Essers
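Two controls would have caught this: an audit that finds accounts still on a known default, and a login path that forces a change the first time a default is used. The following is an added example illustrating both, not KPN's portal code; it assumes the portal stores salted PBKDF2 hashes, uses the three variants the article names as the default list, and constructs sample usernames in the zip-code-plus-street-number shape the article describes.

```python
import hashlib
import hmac
import os
from typing import Dict, List

# Default variants named in the article; a real audit would load the full list
# of defaults ever issued to customers.
DEFAULT_VARIANTS = ["welkom01", "welkom1", "welkom001"]
PBKDF2_ROUNDS = 10_000      # assumption: portal stores salted PBKDF2 hashes


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_account(username: str, password: str) -> Dict:
    """Constructed account record; usernames mimic the zip-code + street-number
    scheme the article describes."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt,
            "hash": hash_password(password, salt),
            "must_change_password": False}


def audit_default_passwords(accounts: List[Dict],
                            variants: List[str] = DEFAULT_VARIANTS) -> List[str]:
    """Usernames whose stored hash matches any default variant.

    No plaintext is needed: each variant is rehashed with the account's own
    salt and compared to the stored hash."""
    flagged = []
    for acct in accounts:
        for variant in variants:
            if hmac.compare_digest(hash_password(variant, acct["salt"]), acct["hash"]):
                flagged.append(acct["username"])
                break
    return flagged


def force_reset(accounts: List[Dict], usernames: List[str]) -> int:
    """Set the must-change flag on the flagged accounts; returns the count changed."""
    changed = 0
    for acct in accounts:
        if acct["username"] in usernames and not acct["must_change_password"]:
            acct["must_change_password"] = True
            changed += 1
    return changed


def login(acct: Dict, password: str) -> str:
    """Return 'denied', 'change_required' or 'ok'.

    Even without an audit, a correct login with a known default does not grant
    normal access: the portal first forces a password change."""
    if not hmac.compare_digest(hash_password(password, acct["salt"]), acct["hash"]):
        return "denied"
    if acct["must_change_password"] or password in DEFAULT_VARIANTS:
        return "change_required"
    return "ok"
```

The audit costs one hash computation per account per default variant, which is why it is worth keeping the list of issued defaults short and known; the login gate is the cheaper control and is what Willems' comment in the article amounts to.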

Google’s Schmidt Takes On China

CENSORSHIP After carefully working with China for the past two years, Google Chairman Eric Schmidt bluntly predicted the fall of the Great Firewall of China. “I believe that ultimately censorship fails,” Schmidt said in an interview with Foreign Policy magazine. “China’s the only government that’s engaged in active, dynamic censorship. They’re not shy about it.”

In the interview, Schmidt predicted that once China’s Internet censorship policies fall, an influx of free-flowing information could cause great political and social changes in the country.

“I personally believe that you cannot build a modern knowledge society with that kind of behavior. That is my opinion,” said Schmidt.

“I think most people at Google would agree with that,” he added. “The natural next question is when [will China change], and no one knows the answer to that question. [But] in a long enough time period, do I think that this kind of regime approach will end? Absolutely.”

Schmidt’s comments about the Chinese government and its efforts to keep its citizens from reading or viewing information on specific subjects come after Google has spent more than two years in talks with the Chinese government.

In March of 2010, Google announced that it would no longer censor search results as the government requested. At the time, Google’s chief legal officer, David Drummond, said the company stopped censoring on multiple Google.cn sites.

Google rethought its agreement to censor search results inside China’s walls after a major attack against its network was launched in late 2009 from inside the country. The attack was aimed at exposing the Gmail accounts of Chinese human rights activists.

However, Google executives at the time also continued talks with Chinese officials in an attempt to maintain a link to the country’s vast business potential.

—By Sharon Gaudin


Beefing Up Online Security

To encourage e-commerce and social media sites to adopt best practices to protect consumer data, the Online Trust Alliance introduced the Online Trust Honor Roll.

COMPILED BY GOPAL KISHORE

The year 2011 has become known as the Year of the Breach. According to the Verizon 2012 Data Breach Investigations Report, 2011 saw 855 online data breach incidents and 174 million compromised records across 36 countries. The trend continued into 2012, starting in January with Zappos, which experienced a breach of 24 million records.

To combat this trend, the Online Trust Alliance (OTA), a member-based non-profit representing the global Internet ecosystem, reviewed over 1,200 sites. The OTA’s aim was to create a progress report—and include organizations in its Online Trust Honor Roll & Online Trust Index—on best practices to help protect online consumers from security and privacy threats. Of the companies evaluated by the OTA, less than 30 percent were named in the Honor Roll for successfully implementing several key best practices. Social media showed the greatest increase in the percentage of companies making the Honor Roll (from 12 percent in 2011 to 52 percent in 2012). Their adoption of e-mail authentication protocols and robust SSL implementations contributed to their high scores.

But 75 percent of online retailers are still failing to adopt best practices, exposing users to security, privacy and social engineering threats.

Best Practices

1. IMPLEMENT e-mail authentication to reduce the incidence of spoofed and forged e-mail, which may lead to identity theft.

2. PREVENT cybercriminals from snooping and eavesdropping on public wireless connections. Always-on SSL (AOSSL) ensures this by encrypting all communication.

3. ENCRYPT all data files containing customer profiles, e-mail addresses and PII, which are transmitted externally or stored on portable devices or media including flash and USB drives.

SOURCE: VERIZON 2012 DATA BREACH REPORT AND ONLINE TRUST ALLIANCE
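The first best practice, e-mail authentication, is usually a matter of publishing SPF and DMARC records that are actually enforcing rather than merely present. The following is an added example, not OTA's or Verizon's tooling: it parses SPF and DMARC TXT record strings and reports the settings that make a domain look authenticated while leaving spoofing possible. The record strings, domain names and function names are constructed for the example; the checks themselves follow the SPF and DMARC specifications (a `+all` or `?all` terminator, more than ten DNS-lookup terms, a `p=none` policy, no aggregate-report address).

```python
from typing import Dict, List, Optional

# SPF terms that cost a DNS lookup; more than 10 in total yields a permerror,
# which receivers treat as "no SPF".
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(record: str) -> Dict[str, object]:
    """Return the qualifier on the 'all' term (None if absent) and the number of
    DNS-lookup terms in an SPF record such as 'v=spf1 include:x -all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    lookups = 0
    all_qualifier: Optional[str] = None
    for term in terms[1:]:
        qualifier = "+"                       # default qualifier is Pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("=", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_MECHANISMS:
            lookups += 1
    return {"all": all_qualifier, "lookups": lookups}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess_email_auth(spf_record: str, dmarc_record: str) -> List[str]:
    """Findings that mean the domain is not actually protected against forgery.
    An empty list means the records enforce."""
    findings: List[str] = []
    spf = parse_spf(spf_record)
    if spf["all"] is None:
        findings.append("SPF: no 'all' term, so unlisted senders get a neutral "
                        "result, which is no protection")
    elif spf["all"] in ("+", "?"):
        findings.append(f"SPF: '{spf['all']}all' lets any host send as this domain")
    if spf["lookups"] > 10:
        findings.append(f"SPF: {spf['lookups']} DNS-lookup terms exceeds the limit "
                        "of 10 (permerror, record is ignored)")
    dmarc = parse_dmarc(dmarc_record)
    if dmarc.get("p", "none") == "none":
        findings.append("DMARC: p=none only monitors; forged mail is still delivered")
    if "rua" not in dmarc:
        findings.append("DMARC: no rua= address, so no aggregate reports on "
                        "spoofing attempts are received")
    return findings
```

In practice the two record strings come from a TXT lookup of the domain and of `_dmarc.<domain>`; the parser is kept separate from the lookup so it can be run over exported zone data offline.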


A Web of Security Threats

The increase in the number of online breaches has made organizations more security-aware but not cautious.

75% OF ONLINE RETAILERS are still failing to adopt online security best practices

40% INCREASE in the number of social media companies making the Honor Roll in 2012

$2.1 BILLION Estimated cost of breach in 2011

855 INCIDENTS of breaches across 36 countries

Online Attacks Shot Up in 2011 (share of breaches involving each threat action)

Threat action        2010    2011
Hacking               50%     81%
Malware               49%     69%
Physical Attacks      29%     10%

CLOUD CORNER

Thought Leadership on Evolving to the Cloud Without Endangering Your Enterprise

VMWARE CUSTOM SOLUTIONS GROUP

Business priorities entail that we constantly strive to reduce turnaround time to set up IT space for our clients, and lower costs while ensuring agility. Our journey to achieve these goals led us to the adoption of a hybrid cloud, one that is secure, scalable and agile. Our main datacenter already has over 100 virtualized servers. The next step is to virtualize our co-located datacenters. The aim is to create a self-service environment for our users and clients.

We handle a lot of sensitive client data, so cloud security will always demand that additional effort. There are concerns around some applications we want to put up which process highly-sensitive data.

However, the technology is evolving and managing security for standard applications on the cloud is not a big hindrance anymore. That said, moving mission-critical apps is largely dependent on industry vertical, organizational risk appetite, and industry compliances, among others.

The cloud is not a new concept, and most CIOs have a fair idea of it. CIOs who don’t have the in-house skills might face some challenges like delays in execution, manageability, day-to-day support or deriving maximum value from their investments, but these hurdles can be overcome with the help of solution architects from vendor organizations.

SACHIN JAIN, CIO & CISO, Evalueserve

Evalueserve is moving fast on its cloud journey and Jain says that other CIOs—even those without the in-house skills—can too, if they get help from vendors.

Virtualization is an essential catalyst for cloud computing. It abstracts complexity and creates an elastic pool of compute, storage, and networking resources, all of which accelerate an organization’s transition to the cloud.

Using VMware’s three-tiered approach, CIOs can gradually acclimatize their organizations to the technology. They begin by virtualizing tier-II and tier-III applications. Then they virtualize mission-critical applications and start saving a lot of money. The third phase is what we call the agility phase, which is about speed and responsiveness.

About the cloud itself, we believe that a one-cloud-fits-all approach won’t work. No single cloud can provide all the answers to an organization’s dynamically changing IT needs and also alleviate concerns around data privacy, loss of control over data, vendor lock-in, lack of interoperability, and latency. To deliver a competitive advantage, cloud computing must be tailored to an organization’s needs. We believe that a hybrid cloud is the way ahead because it allows CIOs to address some of their security and availability concerns, while leveraging existing IT investments.

T. SRINIVASAN, Managing Director, VMware India & SAARC

The hybrid cloud is the way forward, says Srinivasan, because it allows CIOs to address security and availability concerns and leverage existing IT investments.

alert

Make no mistake, your personal data isn’t your own. When you update your Facebook page, “Like” something on a website, apply for a credit card, click on an ad, listen to an MP3, or comment on a YouTube video, you are feeding a huge and growing beast with an insatiable appetite for your personal data, a beast that always craves more. Virtually every piece of personal information that you provide online will end up being bought and sold, segmented, packaged, analyzed, repackaged, and sold again.

The “personal data economy” comprises a menagerie of advertisers, marketers, ad networks, data brokers, website publishers, social networks, and online tracking and targeting companies, for all of which the main currency—what they buy, sell, and trade—is personal data.

And the databases that collect this information are increasingly hyperconnected—they can trade data about you in milliseconds.

Data Beeline, Online and Offline

Personal data has become far easier to access and aggregate than it used to be. Long before we started cataloging our lives on the Internet, much of the information about us lived in hard-copy public records documents at the city hall or the county courthouse. Those public records, which include birth data, real estate records, criminal records, political affiliation and voting records, and more, have in recent years been scanned, digitized, and otherwise fed into databases. That data is now being combined with our online personal data.

A whole industry of public records data companies has sprung up to aggregate public records data from every city, county, and state in the union, and to make the data easily available online (for a price). Some of these firms, such as Intelius.com and Spokeo, are combining public records data with online data such as personal data from social networks.

Not Really a Private Affair

What may be a dark side to this mashup of public records and social networking data is this: Public records sites such as Intelius, Spokeo, and PeopleFinders.com distribute the kind of data that landlords, insurers, employers, or creditors could easily use to screen applicants—but the sites insist that their content is not intended for such uses.

ENTERPRISE RISK MANAGEMENT

Image by Photos.com

One ID Card, Many Pockets

FINDINGS

Uninvited Guests

According to a US survey, nearly 65 percent of the respondents estimate that an average firm experiences three or more IT security breaches annually.

The Number of Security Breaches in US Enterprises in a Year

Breaches per year    Respondents
0                    10%
1 - 2                12%
3 - 5                21%
6 - 10               17%
11 - 15               6%
16 - 20               7%
over 21              14%
Don’t know           13%

24%: The number of CIOs who said their topmost worry is data security and protection.

SOURCE: The CIO Insomnia Project - Robert Half


“The use of our service to screen potential employees, tenants, or for any other purpose that’s restricted by the Fair Credit Reporting Act is in violation of our Terms & Conditions,” Intelius’s Adler says.

But many people suspect that personal data offered at public records sites is being used for exactly such purposes. And in truth, the public records sites would have no way of knowing if this happened—and may not want to know.

Big Data, Bigger Impact

So-called Big Data is one of the few big concepts that will define technology and culture in the first part of the 21st century. The term refers to the capture, storage, and analysis of large amounts of data. Among people involved in the personal data economy in one way or another, one anecdote—“Target pregnancy prediction”—comes up over and over again, and beautifully demonstrates both the possibilities and the dangers of Big Data.

Observation and Inference

In the Target case, future parents were served with highly relevant ads and offers, and the retailer found a new way to reach its customers and pump up sales. No problem, right?

Wrong, say privacy advocates. The warehousing and analysis of so much data, and so many types of data, might lead the curators of the databases to infer things about us that we never intended to share with anybody.

Experts say that in the future, predictive analysis will advance to the point where it can tease out information about people’s lives and preferences using far more, and far more subtle, data points than were used in the Target case.

Clear as a Crystal

Lack of transparency may be the single biggest objection to consumer tracking and targeting today. Advertisers are spending millions to combine, transmit, and analyze personal data to help them infer things about consumers that they would not ask directly. Their practices with regard to personal data remain hidden, and they’re acceptable only because people don’t know about them.

Such tracking and targeting also feels arrogant. Consumers may not mind being marketed to, but they don’t want to be treated as if they were faceless numbers to be manipulated by uncaring marketers. Even the term “targeting” betrays a not-so-friendly attitude toward consumers.

Grow up, Internet!

Still, many people—on both the privacy and advertising sides of the fence—believe there is room both for consumer privacy and for Web advertisements and content targeting using personal data. But the veil of secrecy around the use of personal data would have to be lifted.

For that to happen, many believe, everybody in the personal data economy must be more realistic about the economics of the Internet.

The online advertising industry needs to become much more transparent about the ways it collects and uses our personal data. If it did so, we might be more inclined to believe its claim that carefully targeted ads actually help us by making Web content more relevant and less spammy.

The challenge now is for everyone involved—consumers, advertisers, Internet companies, and regulators—to understand how the personal data economy really works.

Only then can we start getting busy developing some rules of the road that balance the business needs of advertisers with the privacy needs of consumers. CIO

Mark Sullivan writes for PCWorld (CIO’s sister publication). Send feedback to [email protected]

[ONE :: LINER]

“Today, social media sites have toolbars plugged into Internet browsers. It is evident that these tool operators are interested in tracking ‘what we do when’. To control what gets uploaded and who gets access to social media sites, CIOs should implement rights management and DLP.”

—SESANKA PEMMARAJU, IT DIRECTOR & CISO, HITACHI CONSULTING


Young, tech-savvy people pay substantially less attention to online security risks, and are, therefore, more likely to experience security problems than older people.

That’s the surprising finding of a survey conducted by ZoneAlarm, a unit of security vendor Check Point Software Technologies.

ZoneAlarm polled 1,245 young and older tech users from the US, Canada, United Kingdom, Germany, and Australia to find generational differences in attitudes towards computer security.

About 40 percent of the participants were between 18 and 35 years old, while about 20 percent were between 56 and 65 years old. The rest ranged in age from 36 to 55.

The survey found that respondents aged 18 to 25 generally tend to overestimate their knowledge about computer security, spend less than other age groups on security products, and do less than Baby Boomers (those who were born during the post-World War II baby boom from 1946 to 1964) to protect themselves online.

While more than one out of three Baby Boomers admit being “very concerned” about security and privacy issues, only one in five younger users felt the same way.

Similarly, only 31 percent of the younger respondents ranked security as the most important tech consideration, compared to 58 percent of Baby Boomers.

The survey also found that the younger respondents were less likely than the older ones to pay for antivirus products, third-party firewalls, or integrated security suites. In general, older Internet users appeared to be more concerned about email-borne attacks, while younger users were concerned about threats emanating from social media channels and file-sharing networks.

However, when it came to actual security incidents, about 50 percent of Gen Y respondents said they had experienced virus infections and other security breaches in the last two years, compared to 42 percent of Baby Boomers.

“Gen Y people are sophisticated, technically savvy online users,” said Bari Abdul, vice president and head of ZoneAlarm. “We expected them to have figured out security. What really came as a surprise to us is that Baby Boomers are doing better than Gen Y.”

Most of the Gen Y participants in the survey said that entertainment and social media interactions are more important issues for them than security, he said. The younger people often turn off security tools such as anti-virus products and firewalls if they believe the tools are hampering online gaming or social media activities.

Bari said IT executives should be aware that many younger employees bring their security beliefs to work as well. Companies should also make sure to secure the increasing social networking use of the latest generation of workers, he added.

Securosis analyst Rich Mogull questioned the validity of such surveys and the conclusions reached by ZoneAlarm.

“User behavior studies are usually skewed [depending on] the questions asked,” he said, adding that survey questions often don’t correlate to real behavior, or don’t tie to behavior that reflects real security risks.

He added that security technologies such as firewalls are built into and turned on by default in every operating system. CIO

Lucian Constantin is a news reporter for IDG News. Send feedback to [email protected].

    A computer worm that propagates by exploiting a 2010 Windows vulnerability is responsible for some of the recent incidents involving network printers suddenly printing useless data, according to security researchers from Symantec.

    On June 21, Symantec reported that the rogue printouts were the result of computers being infected with a Trojan program called Trojan.Milicenso.

    However, the company’s researchers have since determined that the propagation routine of a separate piece of malware, a worm called W32.Printlove, can cause similar problems, Symantec researcher Jeet Morparia mentioned in a blog post.

    W32.Printlove infects other computers on the local network by exploiting a remote code execution vulnerability in the Microsoft Windows Print Spooler service. The rogue printing behavior can occur when W32.Printlove unsuccessfully attempts to infect a Windows XP computer connected to a shared network printer.

    Fortunately, the failed infection attempts leave behind .shd files in the printer spool directory that contain details about printing jobs, including the names of computers that initiated them. Administrators can inspect SHD files with a free tool called SPLViewer after shutting down the Print Spooler service, Morparia said.

— By Lucian Constantin

Print. Repeat. Print.

VOL/7 | ISSUE/10 | 24 | AUGUST 15, 2012 | REAL CIO WORLD
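The stranded .shd files are the one forensic artifact the story points to, so the script below shows what an administrator can get out of them without SPLViewer. It is an added example, not code from Symantec or from the article: it carves the UTF-16LE strings out of each .shd file (the layout-independent way to recover the job metadata, which the spooler stores as Unicode strings) and tallies which names recur across files, so the host that kept submitting the rogue jobs stands out. It assumes the default spool directory `%SystemRoot%\System32\spool\PRINTERS` and that the Print Spooler service has already been stopped, as the article advises; the two sample blobs and the hostnames in them are constructed for the demonstration.

```python
"""Triage stranded Windows print-spooler shadow (.shd) files.

Added example, not part of the Symantec write-up. Run it only after the
Print Spooler service has been stopped (``net stop spooler``); otherwise
the spooler may still hold or rewrite the files.
"""
import os
import re
from collections import Counter
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Default spool directory on Windows (assumption: the print server has not
# relocated it; pass another directory as the first argument if it has).
DEFAULT_SPOOL_DIR = (
    Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32" / "spool" / "PRINTERS"
)

# A run of at least four printable ASCII characters encoded as UTF-16LE:
# each character is followed by a 0x00 byte. Computer, user, document and
# printer names in .shd files are stored this way.
_UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Constructed sample blobs standing in for two .shd files left by failed jobs.
# Real files carry binary headers around the strings; the hostnames are made up.
SAMPLE_SHD_A = (
    b"\x01\x00\x00\x00"
    + "WORKSTATION-07".encode("utf-16-le") + b"\x00\x00"
    + "Administrator".encode("utf-16-le") + b"\x00\x00\x00\x00"
)
SAMPLE_SHD_B = (
    b"\x02\x00\x00\x00"
    + "WORKSTATION-07".encode("utf-16-le") + b"\x00\x00"
    + "jdoe".encode("utf-16-le") + b"\x00\x00"
)


def extract_utf16le_strings(data: bytes) -> List[str]:
    """Return the printable UTF-16LE strings embedded in a binary blob."""
    return [m.group(0).decode("utf-16-le") for m in _UTF16LE_RUN.finditer(data)]


def triage_shd_blobs(blobs: Iterable[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    """Map each .shd file name to the strings found inside it."""
    return {name: extract_utf16le_strings(data) for name, data in blobs}


def tally_strings(per_file: Dict[str, List[str]]) -> List[Tuple[str, int]]:
    """Count in how many .shd files each string occurs, most common first.

    A name that recurs across many stranded jobs is the first thing to check:
    it is typically the host that kept submitting them.
    """
    counter: Counter = Counter()
    for strings in per_file.values():
        counter.update(set(strings))  # count a string once per file
    return counter.most_common()


def load_shd_files(spool_dir: Path) -> List[Tuple[str, bytes]]:
    """Read every .shd file in the spool directory (spooler must be stopped)."""
    return [(p.name, p.read_bytes()) for p in sorted(spool_dir.glob("*.shd"))]


if __name__ == "__main__":
    import sys

    spool = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_SPOOL_DIR
    report = triage_shd_blobs(load_shd_files(spool))
    for name, strings in report.items():
        print(f"{name}: {strings}")
    print("\nstrings by number of .shd files they appear in:")
    for text, count in tally_strings(report):
        print(f"{count:4d}  {text}")
```

String carving is used instead of a field-by-field parser because the .shd layout differs between Windows versions; the tally then does the attribution work, and a hostname that appears in nearly every stranded file is the machine to isolate and patch first.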

    Generation Gap = Security Abyss?

  • How Secure is Your Network?

  • The adoption of cloud computing is rapidly gathering momentum. However as cloud computing becomes more mainstream, security concerns are being raised.

    A recent Robert Half survey of 150 CIOs and CTOs in APAC revealed that security was the most prevalent concern among the respondents when migrating to the cloud.

    In fact 44 percent of those surveyed in Hong Kong were concerned most about security. Other concerns included data integrity (26 percent), lack of internal knowledge on cloud computing (18 percent) and migration cost (8 percent). (According to CIO research, 53 percent of Indian CIOs say security is their top concern with the cloud.)

    While cloud computing is deemed to improve business processes and increase company competitiveness, security in the cloud continues to remain a global challenge, particularly as more and more critical functions are migrated. So what can be done? Here are some tips on dealing with security issues in a cloud-enabled organization.

Ensure Your Data is Secure

Make sure your cloud computing provider takes proper measures to secure your company data and any applications that are used in the cloud. While providers have an obligation to do this for their clients, a review should be done to confirm that your expectations on cloud security are being met.

    Companies and providers need to ensure that all critical company data is masked and that only authorized users have access to it. They also need to ensure that individual identities and credentials are protected. At the same time, they must comply with company compliance procedures, as well as laws relating to data protection in the markets they operate in.

    Apps that are accessed via the cloud also need to be secure. Companies need to work with their providers to make sure computers that are used to access data in the cloud are secure.

Mitigate Against Disaster

When choosing a provider, make sure they have data continuity and data recovery plans in place in case the worst-case scenario happens and their systems crash, which could render all of your data inaccessible and, in rare cases, unrecoverable.

    The same rings true for any applications used in the cloud. A company can survive if a non-mission-critical application goes offline, but what happens if a mission-critical one does?

Hire the Right Staff

When hiring IT staff, it is essential that they understand the security models and security technology needed to manage in a cloud environment. Depending on the size of the organization, it may be possible to hire a cloud security specialist whose main responsibility is to keep the company's operations in the cloud as secure as possible. (About 40 percent of Indian CIOs say that they do not have staff dedicated to their cloud computing initiatives, according to CIO research.)

    Along with the requisite technical expertise, we see more employers looking for candidates with strong management and communication skills. These candidates are in demand as they will be able to collaborate and communicate effectively with non-technical business managers.

    In addition, your organization should create a security policy for all in-house staff to follow when accessing and working in the cloud. Best practices should be shared broadly and continuously reinforced. All staff should also be encouraged to keep up with any changes in technology advancements within cloud computing. This will allow them to more effectively work with, and monitor, the service provider.

    Whilst cloud computing is deemed to improve business processes and increase company competitiveness, security in the cloud remains a challenge. In order to remain competitive, the IT function—in partnership with management and providers—needs to continue to work closely to identify, assess, monitor and mitigate these new and emerging risks appropriately. CIO

    Pallavi Anand is director at specialized recruitment firm Robert Half. Send feedback on

    this column to [email protected]

Cloud Security's I's and T's

As organizations migrate more and more critical functions to the cloud, it's becoming crucial for IT—in conjunction with business and cloud providers—to ensure that security's i's are dotted and its t's crossed.

Pallavi Anand | CLOUD COMPUTING

Cloud Compliance: For more on cloud security read Cloud Computing: You Can't Outsource Your Compliance Obligations on www.cio.in

Coloumn_Cloud_Security.indd 27 8/13/2012 2:54:04 PM

  • Undercover Officer ANONYMOUS

A CSO’s Guide to the World

Is it possible to adhere to local business customs without compromising security? Yes, but only if the CSO has a little creativity and a lot of trust.

I once tried to standardize the global procedures for the forms of identification that visitors to our facilities had to show. Based on my experience in the US, I thought that a policy requiring a driver’s license, government-issued picture ID or passport would be sufficient. Surely, most visitors—no matter the country—would have at least one of these forms of identification. Not so. In Tokyo, some visitors never carry government-issued picture ID cards. Not only that, the Japanese routinely rely on business cards as a means of identifying themselves. This custom works very well within the culture of the Japanese business world, because it would be unthinkable for someone to print a false business card.

The last time I checked, al-Qaida was not listed in the Japanese business directory. This procedure would never do. After much discussion with the Japanese security guards and the receptionists, I compromised and altered the policy so that if a government-issued picture ID was not available, then business cards could be used to identify visitors. However, those visitors were not allowed into the building until the employees whom they wished to see came to the lobby and physically escorted them inside. The policy thus adhered to local business customs without compromising security.

Then there was the issue of the guard force. Security guards in Japan are taught to be deferential toward visitors, and it is actually illegal for them to use force or try to restrain people in any way. I discovered this when I did a penetration test on the physical security of my company’s Tokyo office. I pretended to be someone off the street and then sneaked past the guards and into the building. As the guards spotted me, they called out “sumimasen, sumimasen” (excuse me, excuse me), but when I didn’t stop, they remained at their posts and took no further action. Needless to say, we retrained the guards to react by keeping contact with the intruder and simultaneously reporting the intrusion to police.

I’m usually not one who gets into bumper sticker logic, but I like the idea of a CSO acting globally but thinking locally. By that I mean a CSO needs to devise and enforce global security policies, but also put some thought into how those policies will be implemented locally around the world. Otherwise, variations in national customs and culture can short-circuit even the most well-intentioned security policies. I found that out the hard way.

  • Undercover Officer

World Culture

Of the countries where I’ve been responsible for security, Japan easily has the most trusting society—so much so that I simultaneously admire them and fear for their safety. But it wasn’t the only country where I had something to learn. Many other cultures, while considerably less trusting than the Japanese, have markedly different views of security than our own.

In China and Singapore, for example, civil liberties are not considered sacrosanct, and law enforcement will not hesitate to arrest and indefinitely imprison, without trial, people who are suspected of being terrorists. In Indonesia, following several high-profile bombings from an al-Qaida-linked group called Jemaah Islamiyah, the security in office buildings has been beefed up to levels far surpassing those of most American and European companies. While Australia is much less militant, there I found the local police to be much more involved in anti-terrorism programs with local building security guards than almost any other country where I’ve worked. I’m not sure why. Perhaps it is because most of Australia’s population is located in six major cities, making co-ordination easier.

Europe’s history raises its own set of issues. Citizens there tend to have much stricter notions of privacy than Americans, probably because Europeans suffered through the abuses of Nazi and Communist regimes and therefore have higher standards for how personal data can be collected and for what purpose. To be sure, most Americans value privacy, but they also view themselves as a nation of business. They are therefore more ready to compromise privacy in the interest of business or security.

Different cultural attitudes, of course, translate into different regulatory environments. In Europe, both information and physical security are very much influenced by a privacy regulation known as the European Data Protection Act (DPA). Most Americans are under the impression that in Europe there is only one DPA, but that’s not the entire story. Under European Union laws, the European Commission and European Parliament pass legislation such as the DPA, but it is then up to the member states to enact national legislation that implements, and does not conflict with, the overarching EU legislation. The member states are also tasked with enforcing their own national DPA. As a result, regulations and their enforcement can vary widely.

Asian countries have typically passed legislation that is very close in nature to the EU’s Data Protection Act. However, enforcement of the laws can vary widely. Japan, Hong Kong, Singapore and Australia all have DPA laws on the books, but I’ve found that companies are very rarely taken to task for violating those regulations.

No Standard for Standards

Outside of data protection issues, there tend to be far fewer differences in information security, primarily because there are few differences in technical systems. After all, a Windows 2003 server in one country is just about the same as in any other. Where I did find differences, though, is in the method of implementing an information security program. Europeans are much more likely to follow an international standard than are Americans.

I’m sure an entire book could be written about this phenomenon, but it probably stems from the fact that Europe is composed of many countries that, historically, have had to cooperate in order to ensure that their technical systems worked with one another. The telegraph and gauge of railroad tracks are two examples of European nations agreeing on and building a common standard. If they hadn’t, then imagine having to stop at each border and board a different train.

Americans, by contrast, tend to view themselves as rugged individualists. We often place priority on getting to market. Just think back to the introduction of video cassette recorders. In the late 1970s and early 1980s, there were two competing standards, VHS and Betamax. Rather than compromise on a common standard, American companies slugged it out in the marketplace. Eventually, VHS gained the upper hand, and Betamax died out–ah, American Darwinian capitalism at its finest.

In the field of information security, these cultural differences play themselves out with Europeans being much stronger proponents of ISO 20000 than are Americans. If an American company goes for any type of third-party certification, it is more likely to be a Statement on Auditing Standards (SAS) 70. Unlike ISO 20000, however, the SAS 70 is not a “best practices” standard. Instead, it documents the controls in place that satisfy the company’s internal control objectives. The company defines its own control objectives, and the auditor checks to see if the controls the company has implemented are sufficient to achieve its objectives. Once again, we see the American practice of “going it your own way.”

A Difference of Control

The major cultural differences in information security that I have seen between Asian countries and Western countries arise over the documentation of controls. Many times, I have met with my Asian counterparts to go over the controls they have in place. Yet, upon auditing the systems, I will find major discrepancies between what is written and what is actually implemented eventually.

I can only ascribe this difference to the practice of “saving face,” which is prevalent in the Chinese and Japanese cultures. Japanese and Chinese IT professionals are sometimes so eager to please me, the global CSO, that they tell me what they think I want to hear rather than bring up actual problems. It takes some time to read between the subtleties of language and the culture of maintaining respect.

After discussing the issue with several of my Japanese and Chinese IT colleagues, I found that the best way is to encourage participants to practice self-examination (that is, criticize themselves but not colleagues) and seek ways upon which their job performance might be improved. Also, I publicly praise the groups when they bring up problems and propose solutions. This way, I make it clear that I welcome critical analysis and am not just looking to hear that everything is going swimmingly well.

A global CSO who assumes that his native country’s cultural norms apply to his foreign offices will quickly learn that they do not translate well. Instead, it is best to cultivate close relationships with individuals around the world and to listen to their advice. If a CSO understands a culture and trusts the professionals working in that culture, he will find it easier to implement policies that meet the spirit of the company’s control objectives, and that hold true the world over. CIO

This column is written anonymously by a real CSO.

Send feedback on this column to [email protected]

“The native country’s cultural norms do not apply to foreign offices as well. It is best to cultivate close relationships with individuals around the world and to listen to their advice.” — ANONYMOUS

Take on the World: To know more about what it means to be a global CSO, read So You Want to be a Global CSO? Visit www.cio.in

  • Information security people think that simply making users aware of security issues will make them change their behavior. But security pros are learning the hard way that awareness rarely equals change.

    One fundamental problem is that most awareness programs are created and run by security professionals, people who were not hired or trained to be educators. These training sessions often consist of long lectures and boring slides—with no thought or research put into what material should be taught and how to teach it. As a result, organizations are not getting their desired results and there's no overall progress.

    It's important to step back and understand how people most effectively learn subject matter of any type. Applied to security training, these techniques can provide immediate, tangible, long-term results in educating employees and improving your company's overall security posture.

Serve Small Bites

People learn better when they can focus on small pieces of information that the mind can digest easily. It's unreasonable to cover 55 different topics in 15 minutes of security training and expect someone to remember it all and then change their behavior. Short bursts of training are always more effective.

Reinforce Lessons

People learn by repeating elements over time—without frequent feedback and opportunities for practice, even well-learned abilities go away. Security training should be an ongoing event, not a one-off seminar.

Train in Context

People tend to remember context more than content. In security training, it's important to present lessons in the same context as the one in which the person is most likely to be attacked.

Vary the Message

Concepts are best learned when they are encountered in many contexts and expressed in different ways. Security training that presents a concept to a user multiple times and in different phrasing makes the trainee more likely to relate it to past experiences and forge new connections.

Involve Your Students

It's obvious that when we are actively involved in the learning process, we remember things better. If a trainee can practice identifying phishing schemes and creating good passwords, improvement can be dramatic. Sadly, hands-on learning still takes a backseat to old-school instructional models, including the dreaded lecture.

Give Immediate Feedback

If you've ever played sports, it's easy to understand this one. "Calling it at the point of the foul" creates teachable moments and greatly increases their impact. If a user falls for a company-generated attack and gets training on the spot, it's highly unlikely they'll fall for that trick again.

Tell a Story

When people are introduced to characters and narrative development, they often form subtle emotional ties to the material that help keep them engaged. Rather than listing facts and data, use storytelling techniques.

Make Them Think

People need an opportunity to evaluate and process their performance before they can improve. Security awareness training should challenge people to examine the information presented, question its validity, and draw their own conclusions.

Let Them Set the Pace

It may sound clichéd, but everyone really does learn at their own pace. A one-size-fits-all security training program is doomed to fail because it does not allow users to progress at the best speed for them. CIO

Send feedback on this column to [email protected]

Security Conditioning

Skip the boring lectures and understand how people really learn new information and habits.

Joe Ferrara | STRATEGIC CIO

Security Boot Camp: To learn more about security workshops, read Security Training 101 on www.cio.in

  • This interview is brought to you by the IDG Custom Solutions Group in association with Verizon.

    CLOUD COMPUTING AND BYOD: STAYING SAFE AND SOUND

    John Samuel, Director–India & SAARC Region, Verizon Enterprise Solutions, on how enterprises can harness the powers of the cloud and mobility while effectively addressing security concerns.

    EXECUTIVE VIEWPOINT

    John Samuel, Director–India & SAARC Region, Verizon Enterprise Solutions

    With over 20 years of management and sales experience behind him, Samuel’s responsibilities at Verizon include growing the company’s customer base and revenues in India and the SAARC region, and ensuring significant market presence. Prior to joining VES, Samuel was country manager, India, at BT Infonet India.

    VERIZON CUSTOM SOLUTIONS GROUP

    How can CIOs who want to leverage the cloud effectively secure data?

    Data security has always been a key consideration among CIOs who want to move to the cloud—and rightly so. A cloud provider with proven security expertise can make the cloud a safer place to conduct business. The right cloud provider makes security its business, so that enterprises focus on ways to make the best use of the cloud to gain an edge over rivals.

    CIOs need to stay abreast with the latest security threats, and devote powerful tools as well as expertise to maintain the safety of data in the cloud. To support this, CIOs should back their strategies with stringent SLAs for availability, and define liability for unplanned outages. They would do well to ask for high levels of real-time visibility into systems that reside in the cloud and ensure that the solutions they buy into offer a high degree of reliability.

    Revamping security infrastructure can be expensive. Is there a more cost-effective alternative?

    Building an enterprise’s infrastructure can be expensive. Yet most businesses deliberately over-engineer their infrastructure because they have suffered from unexpected system failures and unavailable applications, resulting from unplanned usage spikes. From a security perspective, over-engineering makes sense, but it can lead to cost implications. It is essential for enterprises to strike a balance between initial investments in security infrastructure and budgeting for disaster recovery.

    While cloud computing offers the potential to solve these challenges, CIOs need to choose the right fit for their businesses from an array of solutions. IT capabilities offered through cloud computing such as PaaS, SaaS, and IaaS can help organizations deploy Web-based applications without purchasing, installing, and managing supporting hardware. It can help them gain efficiencies by standardizing certain functions, like