Posted by Ken Leeser in Cloud Computing, IT Security
October
22

Cloud computing is poised to create new business models across many industries.

As with all new models, there are some obstacles. A Global Risk Survey conducted by IBM’s Institute for Business Value found that cloud computing raised serious concerns about the access to and use and control of data: 77% of respondents believe that adopting cloud computing makes protecting privacy more difficult; 50% are concerned about a data breach or loss; and 23% worry about a weakening of corporate network security.

Whether it’s a public cloud on the Internet or a private cloud that dwells behind a corporate firewall, cloud resources are subject to the same risks as any shared resource, and they require the same protections. To capture the promise of cloud computing, issues of privacy, authentication and security must be addressed. And a one-size-fits-all approach, one that treats enterprise e-mail the same as tweets, or healthcare data the same as uploaded photos, will not work.

The good news is, enterprises and governments around the world are realizing this, and are pioneering approaches that should bring cloud computing into the mainstream of the way our world works. The United States Air Force (USAF) has adopted a new project to design and demonstrate a mission-oriented private cloud environment. The 10-month project demonstrates advanced security and analytics technologies currently in use in commercial sectors.

Two multinational corporations are using a public cloud collaboration service to apply smart technologies, including mobile phones, text messaging and intuitive Web sites, to combat malaria in sub-Saharan Africa.

McGill University Health Centre is implementing a private storage cloud to securely house patient data. Over 800,000 patient cases at multiple sites are provided to clinicians around the clock, providing a strategic and single view of data, including clinical images.

A large U.S. payroll service is expanding its payroll-based tax service to new markets with an on-premises, private cloud. Its current tax service will now be available for the first time to many medium-sized businesses that never previously had access to their solutions. The same cloud integration will drive more business process outsourcing and other secure services in the coming years.

This list could go on, with examples in areas from retail to banking to education. If this is done correctly, if appropriate reliability, security and privacy are engineered into the design, then our cloud-based systems, both public and private, have the potential to bring new efficiencies to our business-based systems.

Reference: ibm.com/smarterplanet

Posted by Ken Leeser in Data Loss Prevention, IT Security
October
14

Computers have long been indispensable for running a small or midsize business (SMB). Although information technologies introduce new risks and management challenges, most businesspeople have a general understanding of those risks—and they do their best to address them.

More often than not, this means using a network firewall, adding an antivirus and possibly an antispam solution, and implementing some sort of backup schedule. Admittedly, it is difficult to run a business and keep protection up to date at the same time.

New research documents the gap: a recent survey showed that 33 percent of small and midsize businesses lack even basic antivirus protection, 47 percent fail to back up desktop PCs, and 20 percent maintain no server backups of any kind.

Yet the risks increase, and the business protection gap grows. More complex threats and attacks, some focused on individual businesses, have become routine. The value of data and the cost of losing it are both on the rise. Meanwhile, the technology environment keeps changing as wireless networks, mobile computing devices, Mac OS® and Linux® machines in the workplace, and Web gateway and server hardware are added to the infrastructure—and none of these additions are covered by basic protection.

Symantec’s recent Security and Storage survey noted the low adoption of basic security measures.

Findings on storage showed that 70 per cent of these SMBs are extremely concerned with backup and recovery of data, followed by disaster recovery planning and strategy (64 per cent), and archiving data and e-mails (56 per cent). Yet the majority of SMBs have not deployed desktop backup and recovery solutions, and 45 per cent perform backup on a weekly or less frequent basis.

These gaps in basic levels of security, despite an awareness of the current internal and external threats among SMBs, are driving an increase in security breaches, with the most common causes being system breakdowns and hardware failure, human error and improper or out-of-date security solutions. Lack of budget (41 per cent) and employee skills (40 per cent) were cited as the main barriers to securing the SMB environment.

The report also indicated that 52 per cent of SMBs have previously suffered a security breach and also revealed that the top three concerns of SMBs are viruses, data breaches, and loss of confidential or proprietary information through USB and other devices.

“Small and medium businesses usually have limited time, money and expertise to secure and manage their information from external and internal threats. Often, more pressing business needs will take precedence over security, backup and recovery for computer and network systems, leaving businesses vulnerable to data and system losses and causing serious damage and business interruption,” said Bernard Kwok, Symantec’s senior vice president for Asia Pacific and Japan.

“By automating key processes such as backup and recovery, endpoint protection and data loss prevention, SMBs can improve cost efficiencies and streamline manageability that allow them more resources and time to focus on their core businesses,” he said.

Posted by Ken Leeser in Compliance, Encryption, IT Security, Process Improvement
August
9

Perimeter e-Security has recently added a new feature to the popular MailSafe™ email encryption service. MailSafe™ clients can receive secure responses directly into their Outlook Inbox without having to log in to their MailSafe™ account. Recipients, however, will continue to retrieve their secure messages in the MailSafe™ portal.

Perimeter’s MailSafe™ service allows every outgoing message to be scanned by a content filtering engine. The filtering engine checks for “Secure:” in the Subject: field as well as any other rules that the client sets. Once a secure email is “sent” it is automatically encrypted and stored on a secure MailSafe™ server. The email’s recipient is then sent a link to a registration page to create login credentials, or to a login page if previously registered. The MailSafe™ server infrastructure is well-protected by multiple layers of intrusion defense systems. The system also allows an administrator to configure the entire system and review information about all users’ MailSafe™ activity.

Kaliber, a leading reseller for Perimeter e-Security, has installed over 3000 seats of MailSafe™ in support of compliance strategies which require the encryption of emails containing Personally Identifiable Information. This success can be attributed to the ease of installation, set up and use of MailSafe. There is no hardware to purchase and no software to install. Plus end users do not have to modify their work processes in order to send a secure email. This most recent update will help improve MailSafe™ usability and integrate it even more seamlessly into users’ work processes.

Posted by Ken Leeser in Data Breach Notification, Data Loss Prevention, IT Security, Managed Security Services, Massachusetts Data Privacy
January
21

There are many benefits for small or midsize companies or even branch offices of large companies that use a managed security service. First of all, it’s a great way to get the security expertise that would be too expensive to hire and retain in-house. The same goes for technology. A small company might not be able to afford to buy the best technology, but it can rent the use of the technology from a service provider. Moreover, the company can get a broader range of solutions that otherwise might not be in the budget — solutions such as intrusion detection and prevention (IDP/IDS), antivirus and antispam, content filtering, encrypted email and secure VPNs.

Further, the ever-changing regulatory requirements associated with Massachusetts 201 CMR 17.00, HIPAA, Sarbanes Oxley, and various state data breach notification laws have significantly complicated many organizations’ ability to effectively manage their risk. Whether they need to meet regulatory requirements or to maximize the risk reduction impact of their spending on security, Kaliber Data Security and its partner Perimeter eSecurity have a solution for your business. We assist our clients by developing a comprehensive yet practical set of services to meet their specific regulatory or risk reduction needs. These services are designed to help ensure that regulatory processes are followed while risks are managed and controlled appropriately.

Posted by Ken Leeser in Compliance, Data Loss Prevention, Encryption, IT Security, Massachusetts Data Privacy
January
5

Need a solution to encrypt your current USB flash drives? With the new Massachusetts Data Privacy regulations just around the corner you may want to look at a FREE application from Rohos (www.rohos.com). Rohos Mini Drive creates a hidden, encrypted partition on USB flash drive memory devices. This free, portable encryption tool allows you to work with files on the hidden partition without opening a special program.

Rohos Mini Drive is easy to set up and easy to use. The intuitive Setup Wizard automatically detects your USB flash drive and builds the encrypted partition properties. Simply plug in your portable drive and start the program. Setting up the drive requires choosing a password, and that’s it. One click, and you can save your first file into the protected volume. Encryption is automatic and on-the-fly.

Despite the name “Mini” the program provides a decent portable data security solution and is well designed even for newbie users.

Operating Rohos Mini Drive is fairly straightforward. Depending on the size of the drive, creating the partition should happen reasonably quickly. Once the partition has been created, you can change the disk size and partition drive letter. The Rohos Disk Browser displays and manipulates items in the protected partition. Single-click functions include opening, saving, deleting, and displaying file properties. Searching and opening the partition is also easily selected from a short pull-down menu.

Rohos Mini Drive includes features to open the protected drive on systems where the user doesn’t have administrator rights. That makes this app easy to use anywhere from public library labs to your best friend’s system. This is a great app for anyone who needs to transport personal files and doesn’t want the expense of buying new USB drives.

Posted by Ken Leeser in Data Breach Notification, FTC, Information Security Plan, Regulation
December
15

A national data breach notification bill was passed in the U.S. House of Representatives on Tuesday, December 8, 2009. 

The Data Accountability and Trust Act (http://thomas.loc.gov/cgi-bin/bdquery/z?d111:h.r.02221:/) would require any organization that experiences a breach of electronic data containing personal information to notify all U.S. individuals whose information is breached. The law requires that the Federal Trade Commission also be notified.

In addition, organizations would be required to designate an information security officer and establish a data security policy. The policy would have to address the collection of personal information and include a process for identifying and correcting system vulnerabilities and disposing of electronic data.

Under the bill, personal information is defined as, “an individual’s first name or initial and last name, or address, or phone number,” along with at least one of the following: Social Security number; driver’s license number or other state identification number; financial account number, credit or debit card number, along with the security/access code or password needed to access the financial account.

The bill was introduced April 30 by Rep. Bobby Rush, D-Ill., chairman of the House Subcommittee on Commerce, Trade and Consumer Protection. Next, it will go to the Senate for a vote.

“For the past five years, the Privacy Rights Clearinghouse contends that nearly 340 million records containing sensitive personal information have been involved in security breaches,” Rush said Tuesday on the House floor. “However, there is no comprehensive federal law that requires all companies that hold consumers’ personal information to implement reasonable measures to protect that data. Also, there is no federal law that requires companies that experience a data breach to provide notice to those consumers whose personal information was compromised.”

There have been a number of similar bills recently introduced in Congress, including two federal data security laws, which have cleared the U.S. Senate Judiciary Committee. None, however, have previously passed a vote on the House floor.

“The ball is in the Senate’s court,” Kellogg said. “There will need to be some work in the Senate to bring together different proposals to move this legislation forward. Hopefully we can finally see a federal law.”

The act would be enforced by the FTC, the bill states. Also, the FTC would be required to place a notice on its website about breaches that would be of public interest. Organizations that do not fall under the FTC’s jurisdiction are not required to notify breach victims.

Posted by Ken Leeser in Compliance, IT Security, Information Security Plan
November
20

Developed by the AICPA but applicable to all types of businesses, the Generally Accepted Privacy Principles (GAPP) are designed to assist firms in creating an effective privacy program that addresses their privacy obligations, risks, and business opportunities.

GAPP can be used by organizations for the following:  

  • Designing, implementing, and communicating privacy policy
  • Establishing and managing privacy programs
  • Monitoring and auditing privacy programs
  • Measuring performance and benchmarking

The privacy principles and criteria are founded on key concepts from significant local, national, and international privacy laws, regulations, guidelines, and good business practices. By using GAPP, organizations can proactively address the significant challenges that they face in establishing and managing their privacy programs and risks from a business perspective.

The following are the 10 generally accepted privacy principles:

1. Management. The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
2. Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
3. Choice and consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
4. Collection. The entity collects personal information only for the purposes identified in the notice.
5. Use, retention, and disposal. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.
6. Access. The entity provides individuals with access to their personal information for review and update.
7. Disclosure to third parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
8. Security for privacy. The entity protects personal information against unauthorized access (both physical and logical).
9. Quality. The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
10. Monitoring and enforcement. The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy related complaints and disputes.

Posted by Ken Leeser in Data Loss Prevention
October
23

Special thanks to the PC GUY. See his post at http://www.northjersey.com/news/business/thepcguy_102309.html

Secretly tucked away in the innards of the Windows operating system is a handy utility. It’s called the onscreen keyboard. You access it by clicking the Start button and then clicking Run.

The Run function is used by technical folks to execute diagnostic commands based on old, pre-Windows DOS code. Though ancient, these commands often yield helpful information.

When the Run window opens, type the letters “osk” (without the quotes) and press Enter. A replica of a keyboard will appear onscreen.

You can type as you normally would by clicking on each key. To get capital letters, click on the shift key, and the keyboard will display all capital letters and other shift-related characters: Shift-4 yields a dollar sign, Shift-/ (forward slash) yields a question mark, etc.

This virtual keyboard is handy not only for when your regular keyboard malfunctions, but also when you need an extra layer of security to enter passwords and other sensitive information.

If you use a shared or a public computer, for instance, you never know if a tech-savvy creep will uncover data you entered. Data can be surreptitiously monitored by several means, including the use of key-logging software that records every letter you type.

But you can avoid detection by using a virtual keyboard, since it leaves no tracks; key-logging software does not record mouse-click content. Furthermore, you can add an extra layer of security by moving the virtual keyboard around the screen periodically. In the highly unlikely, but theoretically possible instance that someone can track the location of your cursor and attempt to deduce which letters you are clicking on, shifting the position of the keyboard will make detection of what you type just about impossible.

Using a mouse on a virtual keyboard won’t allow you to set any speed-typing records, but when you’re in a pinch with a flagging keyboard or require an extra degree of security, it’s a perfect alternative.

Posted by Ken Leeser in Compliance, Information Security Plan, Policies
September
25

Here in Massachusetts we are faced with a first-in-the-nation Personal Data Privacy Protection regulation, which is meant to motivate businesses to institute best practices with regard to protecting the personal information of residents of the Commonwealth.

 

The regulation outlines some specific things a business should do to become compliant with the law. Step 1: Designate an Information Security Officer. Step 2: Develop a Written Information Security Plan, etc.

 

At a seminar on the subject which I recently attended, a prototype plan was handed out.  Upon reading it, I was reminded of an old joke:

 

A helicopter was flying around Seattle when a malfunction disabled all of the aircraft’s electronic navigation and communications equipment. Due to the clouds and haze, the pilot could not determine the helicopter’s position and course to steer to the airport. The pilot saw a tall building, flew toward it, circled, drew a handwritten sign, and held it in the helicopter’s window. The pilot’s sign said “WHERE AM I?” in large letters.

 

People in the tall building quickly responded to the aircraft, drew a large sign, and held it in a building window. Their sign said “YOU ARE IN A HELICOPTER OVER SEATTLE.”

 

The pilot smiled, waved, looked at his map, determined the course to steer to the Seattle airport, and landed safely.

 

After they were on the ground, the co-pilot asked the pilot how the “YOU ARE IN A HELICOPTER” sign helped determine their position? The pilot responded “I knew that had to be the MICROSOFT building, because similar to their help-lines, they gave me a technically correct but totally useless answer!”

 

The sample WISP which was handed out at the seminar met these criteria exactly. It was technically correct but totally useless. It simply regurgitated the law without offering any specific guidelines or guidance on how an employee should behave and what actions were or were not necessary.

 

A WISP should not just lay out general platitudes about the desire of the company to protect data.  It should be a useful tool that employees can learn from and refer to in case of a question regarding data security.

 

Topics which should be covered include:

- E-mail and Internet Acceptable Use
- Social Media Site Usage
- Anti-Virus – What to do if one is detected
- Phishing and Pharming – How to discern and how to react
- Remote Access Policy
- E-Mail Retention Policy
- Information Sensitivity Policy (Protecting an organization’s information)
- Password Policy (Strength and Renewal)
- Laptop Protection
- USB port Encryption
- Wireless Encryption Policy

Each individual section should outline the issue, the risks associated, actions which should be taken and penalties for non-compliance.

 

Only by creating meaningful, actionable policy will businesses move away from seeing data privacy protection as a burdensome government intrusion and treat it more like it should be: as a best practice for businesses that operate in the modern information age.

 

 

Posted by Ken Leeser in Compliance, Data Loss Prevention, IT Security, Process Improvement
September
1

To many, data security is seen as merely an effort to protect against data loss or exposure. Consequently, this perspective unfairly positions data security as a cost for which the benefit is: “So far as we know, nothing happened.”

 

A better approach would be to associate the value of the data with the business process it supports and thereby derive significant additional organizational benefits from improved data security.

 

The Aberdeen Group has identified four high-level categories for potential business value from investments in IT security: manage risk, achieve and sustain compliance, enhance revenue and reduce costs.

 

By managing risk, firms avoid the monetary loss from systems downtime, the inability to bill and/or collect, and the inability to communicate with customers. Further, proper risk management will help avoid negative publicity, loss of sales, cost of reporting and fines for non-compliance.

 

Efforts toward achieving compliance will generally result in enhanced business reputation by demonstrating respect for customers’ and employees’ information, achievement of service level agreements and the implementation of industry best practices.

 

But how can data security efforts enhance revenue? Because data security efforts which focus on process often expose areas of shared information. These areas can then be exploited for cross-selling opportunities, improved transaction time, identification of new services and higher customer retention rates.

 

Besides revenue enhancement, the other holy grail of business investment is cost savings. A process-based approach to data security can yield cost savings by identifying ways to streamline activities, scale processes larger and faster, reveal potential efficiencies and improve productivity.

 

According to the Aberdeen Group, “Organizations with top performance in data protection initiatives allocate the time and resources necessary to succeed well beyond the deployment of enabling technologies.” These organizations make investments in process analysis, awareness, training and reporting and consistently measure and monitor their results to assure that the entire organization benefits from the IT security program.


