Security In The IoT Age: Makers Vs. Operators

Tyler Shields

Check out my latest research on IoT security: An S&R Pros Guide To IoT Security

Internet of Things (IoT) security is a hot topic among security and risk professionals. It seems as if every "thing" on the market is becoming smarter and more interactive. As the level of IoT device maturity increases, so does the level of risk of data and device compromise. The scary thing is that we really have no idea what IoT devices are in our environment, let alone the correct way to secure them.

Both IoT product makers and IoT product operators need to understand the security implications of IoT devices. Security in IoT involves product makers rethinking how they create technologies, secure code and hardware, develop new offerings, and ensure the privacy of the data they collect. These areas of security are not typically areas that automobile, manufacturing, and retail technology makers have had to consider in the past. The scale of IoT devices in each vertical is enough to employ a small army of developers who are not yet up to speed on the latest secure code and hardware concepts.

On the other side of the coin, enterprises have the unenviable position of implementing these poorly coded and built technologies. Overwhelming pressure will come from competing enterprises, causing an increase in IoT adoption to improve business efficiencies. IoT will become pervasive, and mandatory, throughout every vertical from gas and electric to automotive. The threat landscape in these areas will be immense.


Reflections on CA World 2014: CA Technologies Is Going All Disco

Eveline Oehrlich

We attended the recently held CA World 2014 in Las Vegas, which we estimate had about 5000 customers. Over and over we kept asking: What’s the intention of CA Technologies for this year’s event?

It’s not just that the event had Magic Johnson speaking about his past career and how he transformed from a world-class athlete to a successful businessman, or the Tuesday night music event by Fray, a rock band from Denver, Colorado. It was the entire atmosphere of the showcase, keynotes and presentation styles which gave us the feeling this is really a new CA – a CA that wants to shed the image of suits and complex solutions and replace it with T-shirts, jeans and cool, digital solutions.

Envision a large solution floor scattered with CA Technology solutions and some of their partners; coffee, food and snack stations, surrounded by presentation theaters which featured topics like Business Intelligence, DevOps, Mobility and Security. Very different, very vogue and very modern! Most important, we saw a CA which stressed that “every company is a software company and innovation is key to create a powerful advantage” (quote from Amit Chatterjee, CA Technologies during keynote on Tuesday). Sentences like “we are living in the application economy” and “mobile, the new interface for your mainframe” puzzled and excited the legacy installed base, prospects and other clients alike.

As analysts we have to say “Well done CA Technologies”. For attendees, next steps are how to transform into the digital business. Keynote presenters from Twitter, Facebook, Nike and Samsung made it sound like a walk in the park – reality is proving otherwise, but CA is driving innovation in today’s application economy.

Proofpoint Acquires Nexgate: SRC Market Matures, But Still Lots Of “Points To Prove”

Nick Hayes

Yesterday, Proofpoint announced it will acquire social risk and compliance (SRC) vendor Nexgate for approximately $35 million.

The Acquisition Signals The SRC Market Is Maturing

This acquisition points to a budding and rapidly evolving SRC market. With the proliferation of social media, organizations face a slew of emerging regulatory challenges, brand threats, and security vulnerabilities – just look at recent incidents with Cole Haan, Zarbee’s, US Airways, British Gas, among countless others, even including our own US military. While once a niche market helping financial services firms meet FINRA obligations, SRC solutions now offer more than just compliance support, helping organizations better manage today’s wide gamut of social risks with social threat detection, account protection, and risk monitoring.

Proofpoint Has To Prove The Sum Is Greater Than Its Parts


It’s Time For Healthcare CISOs To Close The Faucet Of Data Loss

Christopher Sherman

By all accounts, we’re approaching a new order of integration between technology and medicine. Real-time medical diagnostic data obtained from our mobile phones will soon be integrated directly into our electronic medical records where clinicians can use the data to make more-accurate (and potentially dynamic) treatment plans. Hospital staff can communicate and react to changing patient conditions faster and with less disruption to the patient experience than ever before, thanks to increasingly integrated mobile messaging systems and other mobile applications (for both the patients and clinical staff).

Applying big data analytics to PHI promises to improve patient outcomes and lead to more efficient — and less costly — patient care. It’s hard not to feel a level of excitement as this convergence of healthcare, mobile technology, and big data progresses at an accelerated rate. However, with all of this new patient data being collected by insurance payers, medical providers, and third-party services, healthcare employee endpoints have become an especially vulnerable source of data loss.

In our recently published brief, “Stolen And Lost Devices Are Putting Personal Healthcare Information At Risk,” we present a number of findings related to healthcare data loss from our latest Forrester surveys as well as those from our data partners. Most notably:

Healthcare records are five times as likely to be lost due to device theft/loss.¹ If you’re a CISO at a healthcare organization, endpoint data security must be a top priority in order to close this faucet of sensitive data. Consequences will increasingly be more than just a mere slap on the wrist with fines, as consumers fight back.


Containerization Vs. App Wrapping - The Tale Of The Tape

Tyler Shields

If you have implemented or used either application wrapping or containerization technologies, please COMPLETE THIS SURVEY.

Application wrapping versus containerization: Which technology provides better security to an enterprise mobile deployment? What are the use cases for each technology, and which technology has a longer shelf life when it comes to being the de facto standard for enterprise mobile security? Are there times when containerization provides a better user experience than application wrapping? And more simply speaking . . . what the heck is the difference between these two technologies, and which one should you purchase?

In the sport of boxing, "the tale of the tape" is a term used to describe a comparison between two fighters. Typically, this comparison includes physical measurements of each fighter as taken by a tape measure before the bout, thus the term "the tale of the tape." I'm currently conducting research for a "tale of the tape" report between mobile containerization technologies and mobile application wrapping. There has been a significant amount of discussion lately regarding which of these technologies is better suited for enterprise deployment. In order to settle this dispute, I'm going to get out the virtual tape measure and analyze the fighters!


If You Are CEO Of A Consumer Organization, You Have A New Job Responsibility -- Security

Stephanie Balaouras

On May 5, 2014, Target announced the resignation of its CEO, Gregg Steinhafel, in large part because of the massive and embarrassing customer data breach that occurred just before the 2013 U.S. holiday season kicked into high gear. After a security breach or incident, the CISO (or whoever is in charge of security) or the CIO, or both, are usually axed. Someone’s head has to roll. But the resignation of the CEO is unusual, and I believe this marks an important turning point in the visibility, prioritization, importance, and funding of information security. It’s an indication of just how much:

  • Security directly affects the top and bottom line. Early estimates of the cost of Target's 2013 holiday security breach indicate a potential customer churn of 1% to 5%, representing anywhere from $30 million to $150 million in lost net income. Target's stock fell 11% after it disclosed the breach in mid-December, but investors pushed shares up nearly 7% on the news of recovering sales. In February 2014, the company reported a 46% decline in profits due to the security breach.
  • Poor security will tank your reputation. The last thing Target needed was to be a permanent fixture of the 24-hour news cycle during the holiday season. Sure, like other breached companies, Target’s reputation will likely bounce back, but it will take a lot of communication, investment, and other efforts to regain customer trust. The company announced last week that it will spend $100 million to adopt chip-and-PIN technology.

Singapore SMBs Get A Big Boost To Upgrade Mobile And Digital Platforms

Clement Teo

by Clement Teo with Ng Zhi Ying

The government of Singapore has released its 2014 budget, which includes S$500 million (US$400 million) to help drive economic changes at small and medium-size businesses (SMBs). This spending will focus on:


And The Next Punch Is Thrown By .... VMware?!

Tyler Shields

After reading this blog post, if you would like more detail, fellow Forrester analyst Christian Kane and I have collaborated on two short reports describing the acquisition of AirWatch through the lens of mobile workforce enablement and a second report through the lens of mobile security. Enjoy the reports, and as always... we love to read your comments!

On January 22, 2014, a new mobile security player was born. This is the date that VMware announced its intention to purchase the mobile device management (MDM) firm AirWatch. With a price tag of $1.5 billion, this acquisition confirms that the mobile security market is scorchingly hot. This news comes on the heels of the November acquisition of Fiberlink by IBM. I expect additional mobile security market consolidation to occur throughout the remainder of 2014. This acquisition is a shot across the bow of any other major vendor looking to play in the mobile security market. If you don't step up and spend now, you might just be left holding the bag.


Symantec EMEA Industry Analyst Conference: Shifting The Tack Of Dealing With Security Issues

Dan Bieler

With Enza Iannopollo

Symantec held its EMEA Industry Analyst Conference in the UK recently. Symantec saw targeted attacks increase by 42% during 2013. Although it’s always mentioned among the top concerns by businesses in surveys, security is still often treated in a somewhat blasé way by many of those businesses in reality. We took several messages away from Symantec’s conference:

  • Security is not just a simple IT issue but has wider business implications. Digital security has many facets, including cybercrime and online privacy. Security is an economic and societal dimension for the digital ecosystem. Just think of privacy legislation -- customers expect the businesses with which they interact to adhere to it. This also means that the future security manager will be someone who understands business requirements and employee wishes well enough to balance them against specific security threats and compliance obligations. The security officer who just “shuts the gates” and says “no” to requests like accessing video websites or installing software is damaging to what we call the connected business.
  • There is a need for Symantec to engage effectively with a partner ecosystem. Symantec is moving beyond products to become a solution provider. Symantec knows that integrated solutions need to work in a multivendor landscape across third-party and competitor products in a legacy environment. Such integration challenges hold back ecosystem ambitions. To strengthen its offering, Symantec has established partnerships with Hitachi Data Systems (data storage and interpretation), PwC (threat intelligence, incident response, and digital loss prevention), and Colt (joint go-to-market offering for security-as-a-service). As part of these partnerships, Symantec sees a growing interest in the managed services option.


NASA Flunked Its Cloud Computing Audit: Are You Next?

Renee Murphy

OK, so NASA failed an audit. Don’t we all? I think it is important to understand the government’s cloud computing adoption timeline before passing judgment on NASA for failing to meet its cloud computing requirements. And, as someone who has read NASA’s risk management program (and the 600 pages of supporting documentation), I can say that this wasn’t a failure of risk management policy or procedure effectiveness. Clearly, this was a failure of third-party risk management’s monitoring and review of cloud services.

The Cloud Is Nebulous

Back in 2009, NASA pioneered cloud technology with a shipping container-based public cloud technology project named Nebula -- after the stellar cloud formation. (I love nerd humor, don’t you?)


During 2009, NASA did a study to determine whether current cloud provider service offerings had matured enough to support the Nebula environment. The study proved that commercial cloud services had, in fact, become cheaper and more reliable than Nebula. As a result of the study, NASA moved more than 140 applications to the public sector cloud environment.

In October of 2010, Congress had committee hearings on cybersecurity and the risk associated with cloud adoption. But remember, NASA had already moved its noncritical data (like or the daily video feeds from the International Space Station that are edited together and packaged as content for the NASA website) to the public cloud in 2009, before anyone ever considered the rules for such an adoption of these services.

Audit Recommendations
