

The Internet is a wonderful tool when it works, but we are increasingly at a loss when it encounters problems. Steve Durbin, Global VP at ISF (Information Security Forum), looks at what organisations should do to minimise the risks.

Server outages at global ISPs may be an extreme case, but they illustrate the challenge faced by businesses that are shifting a growing proportion of their information and transaction infrastructure online – often to cloud-based computing.

The growth in cloud computing is one example of the trend towards ever-greater reliance on the Internet.  Moving to the cloud and making use of virtualised servers makes sense financially, but organisations need to be aware of the inherent risks, and ensure they are prepared for infrastructure failure when it comes.

Threat of infrastructure failure

ISF’s Threat Horizon 2012 report highlighted infrastructure failure as one of its top 10 threat scenarios. The report highlights how companies have come to rely on Internet-only sales channels and mechanisms, to the extent that most people only have one way to perform their day-to-day transactions.  Poor Internet resilience, especially at ‘pinch-points’ in the network, results in frequent and sustained regional Internet outages and prolonged loss of service.

The threats to business come from loss or damage to communications links or services – often as a result of under-investment in infrastructure – and from malfunctioning equipment, associated with a lack of resilience.

The impact of such outages is a direct loss of business, and increased costs to provide work-arounds, potentially leading to reduced transaction integrity and associated fraud. In addition, there may be a loss of trust in the Internet, and customers moving to competitors able to offer an easy alternative.

While the threat of infrastructure failure is a future scenario, there are very real issues confronting organisations that want to move to cloud and Internet-based sales channels today.

Organisations that increasingly rely on the Internet to conduct business, or serve the public, will require some kind of quality of service (QoS) guarantees – which will add cost, as well as run into issues over net neutrality.  Also, who is going to fund the necessary investment in Internet infrastructure to deliver the capacity and ‘intelligence’ it needs, and what is the payback for anyone who does?

Another issue for Internet-based critical communications and online transactions is that networks are always susceptible to physical damage.  Internet channels are only as resilient as their weakest link.

Wireless Internet access has got people used to the idea of ‘always-on’ connectivity.  While this helps staff work more efficiently off-site, few consider how secure these connections are, so organisations need to ensure security is made easy for staff.

Finally, a vital element in the successful deployment of cloud computing and Internet-based services is supplier trust.  Buying cloud computing is just like buying any other service, and organisations must ensure they research and question potential suppliers thoroughly.

What can companies do?

Having established where the critical parts of IT infrastructure lie, and the risks associated with their loss or degradation, organisations should put in place a framework of controls for securing it, recognised at a senior level and based on the participation of critical infrastructure stakeholders – including information security practitioners.

Organisations should give special attention to the selection and application of a balanced set of controls to protect systems that support critical infrastructure.  Where it is not possible to apply a balanced set of controls, alternative measures should be used.

In selecting controls, organisations should adopt security architecture principles such as ‘defence in depth’, ‘least privilege’ (granting minimum possible privileges to users) and ‘default deny’ (denying access to information systems by default to prevent unauthorised access).

Another important aspect of ensuring the resilience of critical infrastructure is to reduce single points of failure.  To ensure that critical infrastructure is available when required, supporting information systems should run on robust, reliable hardware and software, and be supported by alternative or duplicate facilities.

When it comes to outsourced cloud computing services, it is crucial that third parties are well managed.  Measures that help reduce the information risks associated with using third parties include reviewing and, where necessary, updating contracts and agreements to include statements regarding security requirements, roles and responsibilities, the right to audit and incident reporting.

Organisations should consider the use of an internationally recognised information security standard, such as ISF’s Standard of Good Practice for Information Security.

While the Internet does have a high degree of resilience, experience shows that we cannot expect 100% uptime. Overall, the Internet is only as good as its weakest link, and preparing contingency plans to operate businesses in the event of failed or reduced Internet service should be a priority.

ABOUT STEVE DURBIN

Steve Durbin is Global Vice President of the Information Security Forum (ISF).  He has served as an executive on the boards of public companies in the UK and Asia in both the technology consultancy services and software applications development sectors. He was latterly Ernst & Young’s sales and marketing director, focusing on the fast-growth entrepreneurial sector of the market across Northern Europe, the Middle East, India and Africa.

Steve has considerable experience working in the technology and telecoms markets and was previously senior vice president at Gartner. As global head of Gartner’s consultancy business, he developed a range of strategic marketing, business and IT solutions for international investment and entrepreneurial markets.

Steve has been involved with mergers and acquisitions of fast-growth companies across Europe and the USA, and has also advised a number of global technology companies on IPOs both on NASDAQ and NYSE. He has worked strategically with clients in the pre/post sales environment and has developed and directed strategy to achieve rapid market share and profitable growth.
