Developing a smart approach to SMAC security

As businesses look to take advantage of SMAC (social, mobile, analytics, and cloud) platforms, they first need to consider the risks and security implications of the technologies involved


Few security executives at global enterprises—or even at smaller organizations—have not had to deal with issues related to social media, mobile technology, big data/analytics, or cloud computing.

Now, a growing number of businesses are looking at leveraging all of these technologies as part of a SMAC (social, mobile, analytics and cloud) platform that would involve creating a new foundational infrastructure that supports these different areas.


What are the implications for security, and how involved should CSOs and CISOs be in the planning of SMAC strategies? These are key questions, because if security isn’t a priority in these efforts, they might become major risks.

“The [data] analytics element is what elevates the risk,” says Michael Daly, CTO for cybersecurity and special missions at Raytheon Co., a provider of defense and aerospace systems. “When you have so much information converging in [platforms] like this to enable the analytics, and you have less direct visibility into the platforms, then the risk definitely does increase.”

Here are some practices to consider when addressing the information security implications of a SMAC platform:

Create a cohesive, comprehensive security strategy that accounts for all the elements of SMAC

At a high level, attempting to manage the security of SMAC components in separate buckets isn’t a good idea.

“SMAC is not a bunch of individual technologies, but technologies that overlap one another rather strongly,” says Chris Christiansen, program vice president of security products and services at research firm IDC.

“Security, risk assessment, policies and controls should be consolidated and should apply to all the elements of SMAC in a collective way,” Christiansen says. “Organizations should not manage each component of SMAC as an individual item with security policies, controls and technologies being separate. That’s pretty much a formula for disaster.”


A smart thing for organizations to do is assess where their information is now and what SMAC-related services they think they might migrate to, “and draw lines that connect them,” Daly says. “When you start drawing these lines you will understand the risk you will have in your environment, because you will be able to see where new controls need to be applied.”

Make access control and authentication a high priority for SMAC platforms

One of the biggest vulnerabilities of services and applications is weak access controls. Failing to control and monitor who has access to sensitive data, mobile apps, analyses, etc. is an invitation for trouble when you’re talking about a comprehensive platform such as SMAC.

“You need proper access controls not only for individual users, but for IT administrators as well,” Christiansen says. “Commonly that’s account names and passwords, both of which are usually shoddily managed. Passwords are not looked at in terms of how robust they are; they’re focused on convenience.”

An effective strategy is to use a variety of authentication mechanisms, even if some of those are weak, Christiansen says. In some cases you could have a simple personal identification number that the user has to supply if the risks are relatively low, and for more sensitive situations you might require a hardware- or software-based token, he says. For extremely sensitive situations a biometric access system might be appropriate.

“Putting together a variety of fairly weak authentication mechanisms into a multi-factor authentication strategy that’s risk based can actually produce very strong authentication,” Christiansen says.
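The risk-based, step-up strategy Christiansen describes, as an added example (not code from the article or from any vendor named in it): individually weak factors count toward assurance only when they come from distinct categories, and the required assurance rises with data sensitivity, administrative access and context signals. The factor categories, scoring weights and thresholds are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# Each factor is tagged with its category; a PIN on its own is weak, but
# combining factors from DISTINCT categories is what raises assurance.
# (Categories, weights and thresholds are illustrative, not from the article.)
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "hardware_token": "possession",
    "software_token": "possession",
    "fingerprint": "inherence",
}

# Distinct factor categories required at each risk level.
REQUIRED_CATEGORIES = {"low": 1, "medium": 2, "high": 3}

@dataclass
class AccessRequest:
    sensitivity: str                 # "low", "medium" or "high" data classification
    is_admin: bool = False           # administrators are stepped up, not exempted
    new_device: bool = False         # context signals that raise risk
    unusual_location: bool = False
    factors: list = field(default_factory=list)

def risk_level(req: AccessRequest) -> str:
    """Combine data sensitivity with context signals into a risk level."""
    score = {"low": 0, "medium": 1, "high": 2}[req.sensitivity]
    score += sum([req.is_admin, req.new_device, req.unusual_location])
    return "low" if score == 0 else "medium" if score == 1 else "high"

def categories_presented(factors) -> set:
    """Map presented factors to the set of distinct categories they cover."""
    unknown = [f for f in factors if f not in FACTOR_CATEGORY]
    if unknown:
        raise ValueError(f"unknown factors: {unknown}")
    return {FACTOR_CATEGORY[f] for f in factors}

def authorize(req: AccessRequest) -> tuple:
    """Return (allowed, risk_level, categories still needed for step-up)."""
    level = risk_level(req)
    have = categories_presented(req.factors)
    if len(have) >= REQUIRED_CATEGORIES[level]:
        return True, level, set()
    return False, level, set(FACTOR_CATEGORY.values()) - have
```

A password plus a PIN never satisfies a medium-risk request here, because both are knowledge factors; the third return value tells the client which category to step up with.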

One area where strong authentication might be overlooked is social media. It’s important that companies ensure that the people who are blogging or posting information on behalf of the company are authenticated, to avoid spoofing and other risks, Christiansen says.

Identity and access management should be a key component of every SMAC strategy, Daly says. “If you’re going to integrate all these different services across networks, then you also need to integrate strong ID and access management to enable consistent data protection schemes,” he says.

Develop a SMAC security policy that crosses over multiple areas of the company

The technologies of SMAC can provide a huge competitive edge, and business leaders are going to be eager to exploit SMAC platforms to add value. But this has to be balanced with strong security policies.


“Policies must exist as guardrails to help employees and consumers of these technologies understand what is permissible,” says Jay McLaughlin, CSO and senior vice president at Q2, a provider of software for the financial services industry. “A comprehensive risk assessment should be conducted to identify various security concerns that may exist for a particular organization.”

Security executives need to coordinate with the CIO and other C-level and line-of-business leaders to create and implement the policy, keeping in mind the security/business opportunity balance. “They need to work with all the different groups and stakeholders to come up with a reasonable compromise across the entire company,” so that users can leverage SMAC and still keep data and systems safe, Christiansen says.

“The process of doing this is fairly simple to explain and extremely difficult to do,” Christiansen says. “It requires a degree of diplomacy and the ability to navigate organizational dynamics, which can be incredibly difficult.”

A key step in creating an effective policy is discovery: identifying the users, applications, devices, etc., that will be part of the SMAC strategy. Another key is determining how SMAC fits in with regulatory compliance efforts and the organization’s overall risk management strategy. Then companies can look at the specific technologies and processes they will need to have in place to counter risks.

“With all that information you can look at SMAC in its totality,” and the potential impact it will have on the organization, Christiansen says. “At that point there should be a meeting among senior management and possibly at the board level to get support [for the SMAC security policy].”

Deploy cross-domain solutions (CDS) for security

Cross-domain solutions are integrated hardware and software systems that allow information to be accessed or transferred between two or more different security domains or levels of classification.


The three main goals of CDS are data confidentiality, data integrity, and data availability.

As Raytheon prepares to leverage SMAC capabilities in the future, the company will rely on cross-domain systems to ensure adequate security, Daly says. “This is an important capability when you start moving into these [SMAC] systems,” he says.

CDS can be likened to “kind of a fancy firewall, but more finely tuned,” Daly says. “These are firewalls that act like smart egg cartons, inspecting each egg as it enters or exits. If you’re going to have all these systems interconnected you need to have some way of containing lateral contamination by establishing intelligent boundaries.”

This capability will become all the more important once companies expand their use of analytics across wider sets of data generated by their cloud-based applications and social media, and then make this converged intelligence available to mobile device users.

“When you have so many different systems and they’re all generating data, processing data and storing data, the risk increases,” Daly says.
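A minimal guard in the spirit of Daly’s “smart egg carton,” as an added example (not code from the article or from Raytheon’s systems): every record crossing from one domain into another is inspected on its own, and a record is released only if its classification label is dominated by the destination domain and its content fits a strict schema. The label lattice, record schema and content rules are assumptions constructed for this example.

```python
import json
import re

# Label lattice, record schema and limits are constructed for this example.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
ALLOWED_FIELDS = {"id": int, "label": str, "summary": str}
SUMMARY_OK = re.compile(r"\A[\x20-\x7e]{0,200}\Z")   # printable ASCII, at most 200 chars

def inspect(record: dict, dest_level: str):
    """Return None if the record may cross into dest_level, else the reason."""
    extra = set(record) - set(ALLOWED_FIELDS)
    if extra:
        return f"unexpected fields: {sorted(extra)}"
    for name, typ in ALLOWED_FIELDS.items():
        if type(record.get(name)) is not typ:
            return f"missing or mistyped field: {name}"
    if record["label"] not in LEVELS:
        return f"unknown label: {record['label']}"
    # Label dominance: nothing may flow down into a domain of lower level.
    if LEVELS[record["label"]] > LEVELS[dest_level]:
        return f"label {record['label']} exceeds destination {dest_level}"
    if not SUMMARY_OK.match(record["summary"]):
        return "summary fails content check"
    return None

def transfer(raw_lines, dest_level: str):
    """Inspect each JSON line; return (records passed, reasons for rejects)."""
    passed, rejected = [], []
    for line in raw_lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            record = None
        reason = inspect(record, dest_level) if isinstance(record, dict) else "malformed record"
        if reason is None:
            passed.append(record)
        else:
            rejected.append(reason)
    return passed, rejected

# Constructed batch leaving a "confidential" analytics domain for an "internal" one.
SAMPLE = [
    '{"id": 1, "label": "internal", "summary": "Q3 usage trend: flat"}',
    '{"id": 2, "label": "confidential", "summary": "Churn model output"}',
    '{"id": 3, "label": "public", "summary": "ok", "raw_query": "SELECT *"}',
    '{"id": 4, "label": "public", "summary": "line1\\nline2"}',
    'not json',
]
```

The rejection reasons are what you would ship to the logging pipeline Taule describes later, so the boundary produces evidence of what it stopped and why.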

Get involved from the beginning

Security and privacy executives should be involved in all major steps of the SMAC initiative.

“This means during the evaluation phase you should be demanding that vendors address your security/privacy concerns and provide specific information in evidence of the assertions they make,” says Jason Taule, CSO at FEI Systems, a provider of information and analytics services for government entities dealing with behavioral and mental healthcare.

“It also means reviewing the legal terms and conditions and working with counsel to make sure that legal and intellectual property risks are addressed and flowing down contractual requirements to the vendor, to ensure that they comply with the same requirements that you yourself are subject to,” Taule says.

This involves working with IT and engineering to ensure that the structure, architecture and data flows are all acceptable, and where appropriate, insisting on encryption and multifactor access controls.


“If possible, you should try to run it in a test environment first,” Taule says. “If not, you should deploy in phases with limits on interconnectedness, user population and data involved. The point is you need to be evaluating network traffic and logs to see how and what’s actually happening and verify that things are actually within company risk appetite.”

Copyright © 2014 IDG Communications, Inc.