Posts Tagged ‘health care’
From the desk of Perimeter E-Security CTO Andrew Jaquith: New -as-a-Service risks, the hot mess that is Android, why your password policy stinks, and two other sizzling security predictions.
In 2012, we saw increased worries about nation-state-sponsored cybercrime, mobile security, and the resurrection of an old tactic: the venerable denial-of-service attack. On the heels of our year in review post, in which we examined a number of topics that got and held our attention in 2012, last week we unveiled five new predictions for 2013.
Prediction 1: CISOs will wrestle with the risks of “as-a-Service” platforms
“The Cloud,” to many, has become a way of characterizing hosted applications and services that have had some “extras” added to them: elastic usage, geo-redundancy, instant-on, instant provisioning and by-the-drink pricing. Or to put it differently, ten years ago, when we talked about The Cloud, what we meant was a highly available application hosted by Somebody in a bunch of distributed Somewheres, the net effect of which was seamless availability: applications as a utility. Salesforce.com is the example par excellence of what The Cloud was to many observers just 10 years ago.
But as with every maturing technology, the cloud has split into three layers. At the top is what the cloud used to be: traditional web applications, such as Salesforce, and many cloud email vendors (including us!). At the bottom sit Infrastructure-as-a-Service (IaaS) vendors such as Amazon’s EC2 service that provides virtual machines for hosting your own servers; this category emerged five to seven years ago.
The cloud’s middle layer, Platform-as-a-Service (PaaS), is the newest to emerge, and by far the most vibrant and interesting. This layer includes application, storage and middleware services that customers can use without worrying about the underlying hardware. PaaS includes database-as-a-service vendors such as Cloudant and Platfora; web-framework cloud providers such as CloudBees, Google and Joyent; and mobile specialists such as Kinvey. More and more IT projects are moving to these types of vendors, and as a result, risk — and customer data — is moving out to these environments as well. Speaking as a weekend developer and observer of our own practices here at Perimeter, PaaS is by far the most interesting area of IT today. It’s why the “DevOps” role, which has become the hottest job title for Internet-time companies, is also the hardest to fill.
Most CISOs have been insulated from, or have been willfully blind to, the adoption of PaaS by business units and internal development teams. It’s also safe to say that traditional risk auditors have no idea what to do with PaaS. But in 2013, we think that Platform as-a-Service will rocket to the top of CISOs’ list of concerns.
Prediction 2: Android’s security issues will force CISOs to take action
The numbers from Big Research are clear: the majority of email and Internet-capable devices sold today are smartphones and tablets, not traditional PCs. And the majority of smartphones are Android devices. Most are ActiveSync-capable and can access corporate email. It stands to reason that many employees will want to bring their Android devices to work.
Android has lots of problems, though. The first problem is that Android is highly fragmented. On the market today, one can find hundreds of devices from dozens of manufacturers running a dozen versions of the Android operating system, all with different security capabilities. Some have hardware-based encryption; most don’t. Customers have no guarantee which key security capabilities will be present, such as detailed password controls, encryption, app management or device restrictions. And then there’s the malware problem: without a centralized system for verifying application provenance, it is easy for malware writers to create and distribute malicious apps. In short, Android is a hot mess. We think that in 2013, increased malware, and limited corporate security and manageability features, will force CISOs to take drastic measures to deal with Android devices on their networks.
Prediction 3: Cloud application vendors will compete on metrics
If your CIO wants to move popular workloads to the cloud, such as customer care, email or Web hosting, you have many choices. But too often, the market for cloud services is an opaque one. Most cloud application vendors promise “availability” and “reliability,” but what does that mean? Actual, hard evidence is lacking. We’ve looked at the popular so-called “dashboards” that many cloud application vendors provide. Nearly all of them are terrible; most of the time, you see only crude checkboxes that say your service is up, or that it is down, or that it might be down. I call these types of displays “up, down, whoops” dashboards. Worse, you very rarely see time-series information about how services have been trending over time, and performance data (latency and throughput) is nearly always omitted. For customers that are seeking to justify their potentially career-limiting move to the cloud, this kind of opacity is no help at all. I can understand why opacity is the vendor’s default stance: publishing performance data gives customers more tools to measure against SLAs, and failure to meet SLAs costs the vendor money. But that’s a rotten deal for customers.
We think that in competitive markets, cloud vendors will find new ways to differentiate. Transparency is one area. We think cloud application vendors need to steal a leaf from developer platform vendors’ playbooks. For example, if you take a look at GitHub’s status page you can see a gorgeous chart with amazing detail, time-series analysis, commentary and performance data. It’s no secret why a developer-focused, Software-as-a-Service site might care a lot about its own performance: it is catering to people (developers, developers, developers!) who really, really care about performance too.
In short, in 2013 I predict that savvy cloud apps vendors will start treating their customers less like hostiles they need to hide things from, and more like audiences they must cater to. In 2013, expect to see “members-only” apps dashboards that offer far more than up/down/whoops.
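As an added illustration (not code from the original post, and not any vendor’s dashboard), here is the arithmetic a transparent status page actually has to do once it moves beyond up/down/whoops: given a time series of probe results, it reports availability against an SLA target, the downtime budget that target leaves, latency percentiles, and the longest outage in the window. The probe data (one synthetic check per minute for a day, with a four-minute outage and an evening latency spike), the 99.9% target and the one-minute interval are constructed assumptions.

```python
import datetime as dt
import math


# Constructed sample: one synthetic probe per minute for 24 hours against a single
# service. A four-minute outage starts at 03:10 and latency triples between 18:00
# and 20:00. Assumed data, not measurements from any real vendor.
def build_sample_probes(day=dt.datetime(2013, 1, 1)):
    probes = []
    for i in range(24 * 60):
        ts = day + dt.timedelta(minutes=i)
        up = not (190 <= i < 194)                      # 03:10 .. 03:13 down
        base_ms = 120 if 18 * 60 <= i < 20 * 60 else 40
        latency_ms = None if not up else base_ms + (i % 20)
        probes.append((ts, up, latency_ms))
    return probes


def availability_pct(probes):
    """Share of probes that succeeded, as a percentage."""
    ok = sum(1 for _, up, _ in probes if up)
    return 100.0 * ok / len(probes)


def percentile(values, p):
    """Nearest-rank percentile of a non-empty list (p in 0..100)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def longest_outage(probes):
    """Longest run of consecutive failed probes, in probes (here: minutes)."""
    best = run = 0
    for _, up, _ in probes:
        run = 0 if up else run + 1
        best = max(best, run)
    return best


def downtime_budget_minutes(target_pct, period_minutes):
    """Minutes of downtime an SLA target leaves over a period of that many minutes."""
    return period_minutes * (100 - target_pct) / 100


def sla_report(probes, target_pct=99.9):
    """The numbers an 'up, down, whoops' dashboard hides: availability against the
    target, how much of the downtime budget was spent, latency percentiles and the
    worst single outage in the window."""
    latencies = [ms for _, up, ms in probes if up]
    avail = availability_pct(probes)
    return {
        "availability_pct": round(avail, 3),
        "sla_met": avail >= target_pct,
        "downtime_min": len(probes) - len(latencies),
        "downtime_budget_min": round(downtime_budget_minutes(target_pct, len(probes)), 2),
        "p50_ms": percentile(latencies, 50),
        "p95_ms": percentile(latencies, 95),
        "longest_outage_min": longest_outage(probes),
    }


if __name__ == "__main__":
    for key, value in sla_report(build_sample_probes()).items():
        print(f"{key:>20}: {value}")
```

Two design points worth noting: the p95 latency exposes the evening slowdown that the median hides entirely, and the downtime budget (1.44 minutes for 99.9% over a day) makes plain that a single four-minute incident has already blown the SLA, which is exactly the comparison an opaque dashboard prevents a customer from making.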
Prediction 4: California will become the de facto privacy regulator
Data privacy is one of the CIO’s biggest challenges. Ten years ago (!), with SB 1386, California became the first state to adopt a data breach disclosure law covering personally identifying information. Nearly every other state has since followed suit. The HITECH portion of the American Recovery and Reinvestment Act of 2009 (aka “The Obama Stimulus Bill”) did the same for protected health information, and it’s fair to say that 1386 served as a model for that, too.
In the last year, data privacy concerns have spread to the mobile realm. We wrote extensively about this topic in 2012. Now, with recent stories about the California Attorney General suing mobile app developers for failure to disclose mobile data collection policies, California is once again taking the lead in a new area of regulation. Indeed, we think that the scope of what is considered controlled information will spread to mobile user and location data.
That said, it would be foolish to wait for national regulation. Congress has bigger issues to think about (fiscal cliff, anyone?). In the absence of strong guidance from Washington, the government body that matters most is the state of California. As a result, we think CIOs at every U.S.-based B2C company will be forced to adopt the “high watermark” strategy for safeguarding customer data, using a “California first” strategy of establishing what that watermark should be.
Prediction 5: Your password policy will undergo a major overhaul
Every company’s information security policy starts with the need to have a “good” password. But passwords have been stuck in a time warp since the 1990s. Your policy probably looks like this: eight mixed-case letters and numbers, one special character and mandatory changes every 30 to 90 days. Why this formula? It is about the most complex password that employees can tolerate without clawing their eyes out in frustration.
But advances in password-cracking clusters mean that your decade-old password policy isn’t going to cut it for much longer. A 24-GPU cluster, for example, can exhaust every conceivable eight-character Windows (NTLM-hashed) password in just a few hours. Many CISOs would conclude that, logically, one can simply require passwords to be longer, for example 12 characters. This would be the easy choice, but it would also be the wrong one.
Here’s why. When faced with a mandate to create a longer (“stronger”) password, we can safely predict that employees will cope by composing the weakest password they can possibly remember and change on a regular basis, for example an 11-character English word with a number tacked on the end. Then each month, our fully compliant employee will simply increment the number by one. Paradoxically, this has the unintended consequence of making their passwords less random and therefore easier to crack: a dictionary word plus a counter is exactly the shape a cracking rule set tries first, and anyone who learned last month’s password gets this month’s in a handful of guesses.
There is another way out. Faced with the paradox that longer — but still frequently changed — passwords will inevitably lead to weaker ones, many companies will instead do what they should have been doing all along: require longer passwords (16 characters), but eliminate the requirement to change them regularly unless there is a suspected compromise. This promotes “muscle memory”: a password that does not change can be committed to memory and becomes automatic. Some companies may also take the opportunity to get rid of passwords entirely and replace them with stronger authentication methods such as certificates.
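To make the argument concrete, here is an added example (my own illustration, not code from the original post or from Perimeter) of the two halves of the recommendation: a checker for the long-and-stable policy that rejects the “word plus counter” and “last password plus one” shortcuts, and a brute-force time estimate that shows why 16 characters changes the picture while 12 does not. The word list is a tiny constructed stand-in for a real dictionary or breached-password list, and the 350 billion guesses per second default is an assumed rate of the order reported for 2012 GPU clusters against NTLM hashes.

```python
import re

MIN_LENGTH = 16
# Constructed stand-in for a real dictionary / breached-password list (assumption).
COMMON_WORDS = {"password", "welcome", "summer", "winter", "company", "football"}

_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def split_counter(password):
    """Split 'Welcome11' into ('Welcome', '11'); ('Welcome', None) if there is no trailing number."""
    match = _TRAILING_DIGITS.match(password)
    if not match:
        return password, None
    return match.group(1), match.group(2)


def policy_violations(new, previous=None):
    """Reasons a candidate fails the long-and-stable policy described above.
    An empty list means the candidate is acceptable."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    stem, counter = split_counter(new)
    # 'Summer2012', 'Welcome11!': a dictionary word with a number tacked on the end.
    if counter is not None and stem.rstrip("!@#$%^&*._-").lower() in COMMON_WORDS:
        problems.append("dictionary word with a number appended")
    if previous:
        prev_stem, _ = split_counter(previous)
        if new.lower() == previous.lower():
            problems.append("same as previous password")
        elif stem and stem.lower() == prev_stem.lower():
            # The monthly 'increment the number by one' trick.
            problems.append("differs from the previous password only by the trailing number")
        elif new.lower().startswith(previous.lower()) or previous.lower().startswith(new.lower()):
            problems.append("previous password with characters added or removed")
    return problems


def brute_force_hours(length, alphabet=95, guesses_per_second=350e9):
    """Hours to exhaust every password of `length` symbols drawn from an alphabet of
    `alphabet` characters at `guesses_per_second` (95 = printable ASCII; the rate is
    an assumption, see the lead-in)."""
    return alphabet ** length / guesses_per_second / 3600


if __name__ == "__main__":
    for length in (8, 12, 16):
        print(f"{length} chars: {brute_force_hours(length):.3g} hours to exhaust")
    print(policy_violations("Welcome11"))
    print(policy_violations("Welcome12", previous="Welcome11"))
    print(policy_violations("harbor lantern crossing drift"))
```

The estimator deliberately ignores rules and wordlists, which is why the checker exists: the 8-character exhaustive search lands in the “few hours” range the post describes, 12 characters pushes exhaustive search out to tens of thousands of years, but a 12-character “Welcome2013!” falls to a rule-based attack in seconds regardless, so length only helps when the policy also blocks the predictable shapes.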
So, that is the quick rundown of our predictions for 2013. I’ve barely scratched the surface in this post; you can find much more texture, depth, nice-looking slides, color commentary and (yes!) a few jokes in our webinar recording. If you would like to hear how these fearless predictions will affect your business in 2013 — and most important, what you can do about them — check out our on-demand webinar here: Five Security Predictions for 2013.
See you in the New Year!
As the song goes, It’s The Most Wonderful Time of the Year. It’s the time of the year we write out our holiday cards, buy presents, think kind thoughts of our friends and family, and wax nostalgic.
Security is a big enough deal that it, too, warrants reflection and (dare I say it), a little bit of nostalgia. It’s the gift that keeps on giving. In that spirit, let’s dig up some of the tastiest chestnuts from the preceding 11 months, and gently roast them where appropriate. Given my sense of humor it’s going to be, shall we say, a dry roasting.
Here’s what got our attention in 2012. As is customary and appropriate, we spent a lot of time worrying about malware. The cloud — with all of its opportunities and challenges — was the second most important topic on our minds, along with mobile security. As you might expect, given our customer base of over 1,800 banks and credit unions, we analyzed financial services topics in depth. A variety of other topics got our attention, notably October’s National Cyber-Security Awareness Month and Mac security.
Each of these topics takes time to review. So, let’s get nostalgic.
In 2012, it was clear that malware continued to be a problem for many companies. Of all of the topics we wrote about in 2012, we wrote about malware the most. Malware concerns came in four categories: web malware, new attacks, legacy malware and administrator-targeting malware:
- Web malware — because of the ubiquity and reach of ad networks, attackers have made it a priority to attempt to infiltrate and infect ad servers. My colleagues, analysts Evan Keizer and Grace Zeng, wrote extensively about a banner-ad infection campaign that caused MLB.com to inadvertently serve malware. Unfortunately there are no easy fixes for banner infections; webmasters (and their colleagues in marketing) must be extremely vigilant about which ad networks they accept and what those networks actually serve.
- New attacks — the Flame malware family, which some have called the most sophisticated malware ever discovered, was discovered in May by our friends at Kaspersky and widely covered. We thought it was notable enough to write about, too. Just to show that I don’t have a monopoly on bad puns, my colleague Rick Westmoreland asked, “Flame: Is it getting hot in here?“
- Legacy malware — we saw campaigns targeting old-school programs like Symantec’s venerable PCAnywhere. (If you are asking yourself, “do they still make that?” you aren’t alone.) Malware targeting Microsoft’s RDP protocol also spread rapidly; we felt it was dangerous enough to issue an advisory.
- Administrator targeting malware — the most insidious malware campaign we saw in 2012 was one targeting Plesk, an administrative console for website operators. This was a little scarier than most campaigns because it obviously targeted people who have a high level of privileges already — your IT guy. This is the kind of thing that presages an industrial espionage campaign, a topic I covered at length in my webinar “The Hype and Reality of APTs,” something you should watch. (Ed: I am not joking. Really, go watch this; it deflates the APT hype balloon.)
In 2012, Cloud security topics were right up there with malware in our consciousness. Call me crazy, but to me “the cloud” is a fancy name for hosted services mashed up with virtualization, and juiced up with instant-on provisioning and elastic usage billing. It’s a new — and welcome — twist on an old concept. Companies want to use the cloud in areas where it makes sense — for hosted email, productivity, and sales automation — but they want to do it only when they can be assured that their data is secure.
My colleague Grace wrote about a key class of cloud risks: the security of servers in the cloud. She performed experiments in which she placed 12 unprotected servers in the Amazon cloud and watched what happened. The headline: on average, your new cloud servers will start seeing scans, probes and potential attacks within an hour! Scary stuff — if you haven’t already, you should read these posts.
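The measurement behind that headline is easy to reproduce on your own instances. As an added example (my illustration, not the code or data from Grace’s experiments), the script below reads an sshd auth log, extracts login attempts, and reports the time from instance launch to the first probe, the number of distinct source addresses and the most-tried username. The log excerpt, the hostname, the launch time and the log year (syslog lines carry none) are constructed assumptions; the source addresses are RFC 5737 documentation ranges.

```python
import datetime as dt
import re
from collections import Counter

# Constructed auth.log excerpt from a hypothetical freshly launched instance "web1".
# Source addresses are RFC 5737 documentation ranges; nothing here is real traffic.
SAMPLE_AUTH_LOG = """\
Jan  1 02:31:07 web1 sshd[1402]: Server listening on 0.0.0.0 port 22.
Jan  1 03:12:44 web1 sshd[2011]: Invalid user admin from 203.0.113.5
Jan  1 03:12:46 web1 sshd[2011]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jan  1 03:15:01 web1 sshd[2019]: Failed password for root from 203.0.113.5 port 40190 ssh2
Jan  1 03:40:12 web1 sshd[2044]: Failed password for root from 198.51.100.77 port 51002 ssh2
Jan  1 04:02:55 web1 sshd[2090]: Failed password for invalid user oracle from 192.0.2.19 port 33001 ssh2
Jan  1 04:03:01 web1 sshd[2090]: Failed password for root from 192.0.2.19 port 33002 ssh2
Jan  1 04:17:01 web1 CRON[2100]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Assumed launch time of the instance; syslog timestamps have no year, so one is supplied.
LAUNCH = dt.datetime(2013, 1, 1, 2, 30, 0)
LOG_YEAR = 2013

_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
_PATTERNS = [
    # "Failed password for root from 1.2.3.4 port ..." / "... for invalid user bob from ..."
    re.compile(_TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"),
    # "Invalid user bob from 1.2.3.4" (logged before the password attempt itself)
    re.compile(_TS + r" \S+ sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)$"),
]


def parse_probe(line, year=LOG_YEAR):
    """Return (timestamp, username, source_ip) for an sshd login attempt, else None."""
    for pattern in _PATTERNS:
        m = pattern.match(line)
        if m:
            stamp = " ".join(m.group("ts").split())          # collapse "Jan  1" padding
            ts = dt.datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            return ts, m.group("user"), m.group("ip")
    return None


def probe_events(log_text):
    """All login attempts in the log, in file order."""
    return [p for p in (parse_probe(line) for line in log_text.splitlines()) if p]


def time_to_first_probe(launch, log_text):
    """Elapsed time between launch and the earliest login attempt, or None if none seen."""
    events = probe_events(log_text)
    if not events:
        return None
    return min(ts for ts, _, _ in events) - launch


def summarize(log_text):
    """Attempt count, distinct sources and the most-tried username."""
    events = probe_events(log_text)
    users = Counter(user for _, user, _ in events)
    return {
        "attempts": len(events),
        "sources": len({ip for _, _, ip in events}),
        "top_user": users.most_common(1)[0][0] if events else None,
    }


if __name__ == "__main__":
    print("first probe after launch:", time_to_first_probe(LAUNCH, SAMPLE_AUTH_LOG))
    print(summarize(SAMPLE_AUTH_LOG))
```

On the constructed log the first probe arrives 42 minutes and 44 seconds after launch, consistent with the “within an hour” finding; the same parser run against a real auth.log (or, for non-SSH services, against firewall drop logs) gives you the number for your own environment.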
On the positive side, Perimeter created a series of video blog posts called the Cloud Owners’ Manual that took strong points of view on how companies should think about the cloud, and what they should be asking their vendors. Looking spiffy in a suit, I spoke on camera about key customer concerns about the cloud, and gave prescriptive guidance on the cloud in general, customer fees, data protection, data privacy, contractual terms, and contract termination. As an analogy, I compared cloud security requirements to car safety belts. Did you know that since the advent of car safety technology, based on US DOT official statistics, people now drive faster and have fewer accidents? It shows how safety gear is a precondition for faster, safer driving. To put it differently: confidence requires security. And by analogy: so it is with the cloud.
From iPhones to iPads to Galaxies, mobile devices continued to move to the top of IT security managers’ list of concerns. Beyond the sheer proliferation of devices, we observed four key trends:
- Bring your own device. When I was an analyst at Forrester, my then-colleague Natalie Lambert coined the term BYOD and wrote quite a bit about it. That was four years ago. Now, it’s the hottest thing in IT. What do companies do about it? For our part, Perimeter answered the bell in September when we unveiled our Cloud MDM service in partnership with AirWatch. In the service, we included strong default policies and a unique BYOD Kit that provides prescriptive guidance for all of the areas employers need to worry about: data rights, support, confiscation, and many other topics. We think the right solution to BYOD is holistic, and encompasses the domains of policy, technology and law.
- Developer ecosystem concerns. In September, developer Blue Toad had 12 million Apple unique identifiers (UDIDs) stolen. This shined a spotlight on a fragmented, shadowy part of IT: the thousands of smallish, contract mobile app developers, very few of whom are likely following mobile app security best practices. Watch for this topic to explode in 2013 as the Mobile Backend-as-a-Service (MBaaS) category heats up.
- Data privacy. In the first quarter, we saw a controversy erupt over the Path app, which was uploading customer address book records to its servers unbeknownst to customers. I called Path an example of “nosy apps” and characterized data privacy as the “third rail of mobile.” These kinds of negative stories had an immediate impact on handset makers. Apple, for example, added significant opt-in controls to iOS 6 that require customers to explicitly authorize app access to address books, photos, calendars, tasks, Facebook account information and much more.
- iOS has been a benefit to security. Speaking of Apple, did you know that iOS is now over 5 years old? In that time, customers have gotten used to the idea of vendor-controlled app marketplaces, digitally signed and trusted operating system runtimes, and locked-down devices. We have Apple to thank for popularizing the concept, building on the kinds of concepts RIM and Symbian had initiated. See my in-depth 5-year iOS security retrospective for details about why I think iOS is overall a huge net win for companies and consumers alike.
Banks, credit unions, broker-dealers and other financial institutions continue to be a significant part of Perimeter’s customer base. We noted many, many threats to financial services customers in 2012. The rash of distributed denial-of-service (DDoS) attacks in September prompted us to issue a critical advisory to our customers. We followed up on the DDoS story in October; my colleague Rick Westmoreland called it “the new reality” for financial services firms.
In July, we inaugurated our first-ever Financial Services Threat Report for the first half of 2012, which described the most important threat trends our customers were facing in the year to date. We will be doing more of these reports, and our second-half report will be coming out after year-end. To help our credit union customers, Andrew wrote a three-part series on credit union security topics.
Beyond these four main themes, Perimeter noted several other trends. We weighed in on this newfangled concept called “cyber security,” which is what happens when government-type people get their hands on an otherwise perfectly acceptable phrase — that thing that most of us used to call “information security” — and dumb it down. I suppose cyber-security is, to paraphrase Deng Xiaoping, Security With Government Characteristics.
Whatever you choose to call it, we helped celebrate National Cyber-Security Awareness Month in October with four posts by my esteemed colleague Mr Mike Flouton:
- Utilities and critical infrastructure and its importance — see also John Viega’s post condemning the inclusion of automated SCADA exploits into Metasploit, and my post on metrics (“What You Can Learn from Your Energy Supplier”).
- Government’s role in cyber-security
- Health care as a critical sector
- Financial services security imperatives
Lastly, Perimeter wrote about those devices your executives and developers are probably now carrying: Macs. In October, we released a survey showing that Mac usage is up, and that security concerns are increasing. Earlier in the year, we alerted customers to something rather rare but important: a real-life Mac Trojan outbreak in the wild, the Flashback Trojan.
As I noted at the top of this post, security is the gift that keeps on giving. That’s good and bad. It’s bad for the obvious reason because the threats, concerns and challenges that got our (and the industry’s) attention affect companies and their customers everywhere. If security were a solved problem, we wouldn’t need to spend the time, attention and effort that we do.
I choose to be positive, though. Security threats and challenges are also good things. They remind us that, as professionals, we need to keep upping our game. New business frontiers such as mobile cause us to expand our horizons, become more involved with our colleagues and take the longer view.
As we look ahead to 2013, we are thankful for the continued support of our customers, colleagues and families. We at Perimeter wish you, dear reader, all the best this holiday season.
A recent Wall Street Journal article highlighted the controversial debate around whether or not physicians should use email to communicate with their patients. The article has, no doubt, prompted discussions across the healthcare industry. In the piece, Dr. Joseph Kvedar, founder and director of the Center for Connected Health in Boston, describes how email can be a valuable tool for building rapport between doctors and their patients, while enabling clearer, more frequent communication. Kvedar admits that email presents a security challenge, but notes privacy can be adequately protected by encryption tools and secure messaging applications. Privacy concerns should not stand in the way of establishing greater trust with your patients. (We agree: our SaaS Email Encryption product works very nicely for exactly this purpose.)
Dr. Sam Bierstock, founder and president of health-care IT consulting group Champions in Healthcare, takes the opposite view. He argues that not only does “email communication eliminate the ability to interpret important signals,” but it introduces potential security and liability risks that are too high.
So who is right?
I read a lot of blogs. Skim them, actually. In addition to the roughly 200 blog posts per day on security that strafe my consciousness like little daily meteor showers (courtesy of the Security Bloggers Network and about 60 other blogs I subscribe to), I also skim posts from another 70 blogs in areas ranging from politics and economics, to design, architecture, programming, food and sports. I do this because it’s important to synthesize widely from a lot of sources, and because it gives me a broader view of (among other things) how technology is affecting society.
One of the “professional hobby” topics I watch closely is health care. One of my main sources of insight is the posts of local “geek doctor” John Halamka, who is CIO of Beth Israel Deaconess Medical Center here in Boston. He always writes good stuff. If you haven’t checked out his blog, you should. Although he isn’t a security professional per se, much of the work he does touches at least tangentially on security. For example, he has written extensively about the security controls needed to safely govern Meaningful Use, the rules that describe how hospitals and clinics should be using electronic medical records in order to qualify for stimulus funds made available for modernizing their systems.
I find it hard to believe that a man who receives 1000 emails per day (as he says he does) is able to bang out blog posts with the regularity that he does, but there you are. Amazing.
Anyway: John’s latest post is a good one. Simply titled “More BYOD Worries,” John cites the multitude of Android malware stories (much in the press lately), vulnerabilities in Siri, and various iPad woes. These stories, and other concerns, have caused him to raise the alarm about the investments that will be needed to be successful with Bring-Your-Own-Device (BYOD) programs. Succinctly put:
It’s very clear that in 2012 and beyond we will have to move beyond policy-based controls and we’ll have to implement technology based controls that may cost up to $10 per device per month. Given our 1000+ mobile devices, that could be a $150,000/year increased operating expense to protect consumer devices brought from home.
John is right about the need to secure consumer mobile devices with technology-based controls, by which he means mobile security software, or more broadly: mobile device management (MDM) software. I’ve written about this topic before as an analyst. The challenge, put simply, is this: how do you secure data on devices you don’t own? These software controls provide the solution. Here’s why.
The key insight here is that CISOs need to plan for a future where they don’t own any mobile computing devices. They should assume all mobile devices will be employee-owned. Of course, that won’t really happen. There will always be clinical systems that are company owned, and the “fleet management” ethos for laptops, desktops, and servers will be with us forever. But by using own-nothing as a base case assumption, you can successfully plan for every other scenario where any non-company device needs to get on your network for any reason. Got outside contractors that need access to your wireless network? Long-term consultants that are on-site for a month or more? Executives bringing their iPads to work? If you assume that all mobile devices on your network are owned by someone else, all of these possibilities are addressed. This isn’t a genius insight: the Jericho Forum has been advocating this posture for years, as has Mr Bruce Schneier, and my former colleague John Kindervag has written extensively about the “Zero Trust” network, a concept I was proud to help him articulate while I was at Forrester.
John’s post essentially reminds us all that Zero Trust, applied to BYOD, means that health care CISOs need to buck up and buy MDM or mobile security software. But in hospitals, they should have been doing that anyway: consumerization isn’t the only reason. Look at the iPad: its increasing pervasiveness in hospitals is due to its ideal form factor for e-Prescribing, portable imaging, and other clinical applications. If you are a hospital CIO with fleets of iPads on the horizon, you know you need to have these devices under control. So you probably are already well acquainted with companies like MobileIron, BoxTone, AirWatch and Zenprise. Right?
But in citing the cost of the software, John doesn’t mention that he will save money on the other side of the equation: carrier wireless contracts that the hospital no longer has to pay. With BYOD, most companies do not pay the full share of the employee’s monthly bill. Some pay nothing at all, or make it the employee’s responsibility to remember to expense their bills. In my experience, employees at firms with BYOD programs are generally willing to share at least some expenses, because they get to use the device for personal email, photos and music, and apps. Partial or full cost-shifting of wireless expenses from the employer to the employee, in exchange for more convenience and satisfaction, makes sense for the business, and for the employee. It’s a win-win.
When you look at it like that, mobile device management software looks like a bargain: spend $10 per employee per month, get much better security than you had before, and save $40-100 depending on how much the employee pays. That’s the biggest no-brainer in the history of earth.
Microsoft’s Security Intelligence Report, Volume 11
I don’t have the patience to read through long security intelligence reports like I used to, partly because I’m a little cynical, but mostly because I just don’t have time. However, I usually skim through the periodic threat reports from Microsoft, Symantec, McAfee and Websense to see what they have to say about threat trends. Microsoft’s 168-page Security Intelligence Report, Volume 11 contains a lot of the things you would expect: summaries of vulnerabilities, taxonomies of threats, and so on. Vinny and his team, as always, continue to do a nice job. What I like about Microsoft’s reports is that they are very keen to figure out how certain classes of “feature abuse” tie back to the Windows operating system. The current report validates, for example, that the decision to shut down Windows’ USB AutoRun feature was a wise one. The other part of the report I really liked was on page 14, Zero-Day Exploits: A Supplemental Analysis. Microsoft notes that true zero-day exploits (that is, exploits for vulnerabilities for which the vendor had not yet issued a fix or a notice) comprise less than 1% of the exploit activity they detected. Another part of the report I liked was on pages 53-55, where Microsoft compares infection rates by country. Unfortunately, the infection rate (worldwide, just 11 infections per thousand PCs scanned, or 1.1%) is far too low to be credible; at Perimeter, we estimate infection rates are probably twenty times higher based on the botnet traffic we see. Still, the report is very interesting when comparing by operating system (pages 57-60); it confirms what we know: Windows 7 is more secure than Vista was, which in turn was more secure than Windows XP. Good to see quantifiable progress.
United States Marine Corps Social Media Guidelines
You might think that the US military would have an incredibly draconian policy with regards to participation in social media networks. But you would be wrong! Recently, the US Marine Corps published a very thorough, comprehensive set of guidelines on how the Corps can use social media effectively and safely. While it is geared towards the needs of military service members, the guidance is nonetheless highly applicable to every organization. Best of all, it is extremely well written and contains a good deal of common sense. The guide is quite long, but if you are impatient just skip to page 36, “15 Tips to Stay Safe and Out of Trouble Online”. Tip of the cap to Marc Handelman for spotting this.
The BIDMC FY12 Operating Plan
Boston “geek doctor” John Halamka, whose healthcare-meets-technology blog I’ve read for several years, puts together a nice, succinct post on Beth Israel Deaconess Medical Center’s budget priorities for 2012. I appreciate John’s transparency and clarity, of course, but I also look for clues in his posts for a sense of how a busy health care CIO balances his priorities. His responsibilities span the entire gamut of technical services, ranging from clinical to back-end systems. As you can see from his post, data protection ranks among his top priorities for 2012, particularly the interplay with personally owned devices. John has tried to make Beth Israel Deaconess a “consumer-friendly” organization, so this is an important issue. Worth a read.