How Zappos Breach May Affect How Organizations Handle Customer Data

A data breach at Zappos.com that exposed information about more than 24 million customers has led to a lawsuit, filed in Kentucky, against the company and its parent, Amazon.com, charging that the company was entrusted with "safeguarding plaintiff's and class members' PCAI [personal customer account information]." It claims the companies are in violation of the Fair Credit Reporting Act. No credit card account numbers were exposed, according to the company.

The suit claims that Zappos and Amazon didn’t adopt and maintain adequate procedures to protect information and limit its dissemination only for the “permissible purposes set forth in the Act.”

According to Todd Thiemann, senior director of product marketing for enterprise encryption specialist Vormetric, Inc., the lawsuit could have serious security implications for any organization that handles customer data. “If this lawsuit progresses and the decision is against Zappos-Amazon, it could invoke a sea change in data security requirements for organizations that maintain personal customer account information. Today, organizations are typically securing just cardholder data and are required to do so by the Payment Card Industry Data Security Standard.

“This lawsuit could force organizations to have to protect other PCAI data beyond credit card numbers.” Thiemann says that includes e-mail addresses, shipping addresses, and phone numbers.

“From a brand equity standpoint, this lawsuit is likely to significantly increase the costs associated with not securing PCAI.”

Thiemann also points out that the lawsuit “will likely cause enterprises to reevaluate their definitions of what constitutes sensitive information and how much they should invest to protect it. The downside associated with data breaches involving non-regulated PCAI just got a whole lot worse. Zappos clearly met the requirements of PCI DSS, so it will be interesting to see whether the lawsuit prevails.”

Thiemann praises the company for its incident response; it “quickly notified affected parties of the breach and explained the steps they are taking to remediate the problem.” Among other things, the company forced all users to reset their passwords.

When I went to find links to any information on Zappos’ site, I found nothing on the home page. A Google search did turn up the original e-mail sent to employees here.

Thiemann points out that the lawsuit signals to the industry that a Zappos-style post-breach response isn't good enough anymore from a customer perspective.

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell


Closing the Consumer App Security Gap

Security administrators know that external threats are just one of the vulnerabilities they must control. However, internal sources (read: employees) are often a bigger threat.

There's no greater evidence than the growing, unauthorized use of free consumer applications in the enterprise. Employees frustrated by limited IT budgets and lengthy project queues for simple functionality are turning to free consumer applications, especially for document storage. This poses a security red flag like no other.

The application vendors themselves tout how documents will remain "safe and secure" on their servers. That's not the security problem. The problem is that employees are using these services to store and share documents -- often confidential or sensitive documents -- that should remain on premises.

These risky services are easy to set up. Employees need no credit card, just a browser and Internet connection.

How fast are these services -- and these problems -- growing? Gil Zimmermann, CloudLock CEO and co-founder, put it succinctly: "It's huge and growing."

He confirms that the consumerization of IT is real and that many enterprises do understand "that they need to embrace the latest consumer offerings rather than block them for several reasons, the primary of which is end-users demanding tools that increase their efficiency and collaboration, those they're familiar with already, and are readily available." Such consumer services democratize IT, giving end users "far greater control," and Zimmermann praises their ability to increase "the speed of business."

"The down side is that the liability and corporate duty to protect sensitive data cannot be democratized. It's still the businesses' responsibility to secure their data and their customers' data, regardless of the IT tools being used by the organization."

Robert Hamilton, senior manager for product marketing, data loss prevention at security giant Symantec, is more cautious but no less concerned. "We don't really know how big this problem is, but what we do know is that the majority of employees who leave their jobs take confidential data with them (59 percent) and file sharing services make it very easy to transfer large amounts of confidential data to a repository that is easily accessed or shared in the future.

"Having file transfer capability opens up a whole new avenue for 'saving' confidential data -- and unless the employee is monitored with a product such as data loss prevention (DLP), the company may never know such transfers are occurring."

Zimmermann points out that cloud is just one of three vulnerable areas imposed on the enterprise from the consumer realm. In addition to cloud storage from desktops, consider the rise of smartphones, making mobile document storage a similar threat. Furthermore, "e-mail is outdated," he says, and "the new generation of knowledge workers is growing up with social networking as their primary communication and collaboration platform. Asking them to forgo it when they come to work is an artificial productivity barrier."

At least many enterprises aren't taking a "head-in-the-sand" approach to the problem. Zimmermann says that cloud and SaaS providers are helping educate IT about viable alternatives, citing Google Apps with his company's CloudLock as one example of consumer apps for business (Gmail, Docs, Sites, Google+) that offer the ability to add on enterprise controls and compliance (which is where CloudLock comes in).

Why isn't IT taking a more active role in proactively enabling an enterprise cloud-storage solution? One problem for many enterprises is that security is among the greatest concerns preventing them from adopting cloud storage -- at least according to 81 percent of IT decision makers surveyed by Nasuni, an enterprise storage company, back in November. Control over data was the second highest concern (at 48 percent). These two problems were listed consistently across industries, which included "business services, education, financial services, government, health care, manufacturing, and software and telecommunications."

What steps should IT admins take to better protect their enterprise's assets?

Paul Madsen, senior technical architect within the Office of the CTO at Ping Identity, says there's not much enterprises can do beyond blocking consumer-service sites to prevent employees from signing up. However, visibility is one key to regaining control.

For the enterprise, Madsen says IT should look for more powerful solutions that control document sharing applications installed onto devices, including bring-your-own devices (BYODs).

"However, if the document-sharing SaaS application was to only accept single sign-on (SSO) as the authentication mechanism (i.e., not accept individual sign-ups), then the enterprise would have greater visibility (through audit and logs, for example) into what documents the employees were uploading. In addition, the enterprise would be able to enforce roles-based access control of those docs if employees were SSOing in to the SaaS applications. The enterprise would also be able to kill access if an employee leaves, which is vitally important whether the employee's termination is voluntary or via dismissal."

Oded Valin, product line manager at Cyber-Ark Software, points out that "IT and security [admins] are using data loss prevention tools (DLP) to inspect each file being transferred." Unfortunately, Valin admits, "this does not ensure the secure transfer of sensitive files once in transit. By integrating secure file exchange processes with DLP and scanning tools, file exchange can be secured end-to-end."

Symantec's Hamilton is also a DLP proponent. "The problem could be on IT's radar, even if they don't have DLP. Many organizations have Web monitoring and filtering capability and with this they can get a rough idea of whether these file transfer applications are being used and how often they are used. However, unless they have DLP they would not have visibility into the content that was being sent to these file sharing sites."

On Hamilton's list of best practices: First, "use data loss prevention to monitor who is sending data to these sites and what type and content are they sending." You also need to put "DLP policy (controls) in place that limit a user's ability to transfer confidential data to these file transfer sites. The idea is not to blacklist these sites but to use 'content-aware' monitoring. After all, there may be legitimate business uses for these sites, and IT does not want to get in the way of legitimate use."

Is that enough?

"I'd go further. IT needs to get in front of the problem, now. Yes, DLP is a good option," and Valin says by using the Cyber-Ark product, "enterprise policies can be defined [that] are flexible enough to satisfy the varying business processes within an organization. By pre-defining segregation of duties, every access is being controlled and audited, while business users have a variety of interfaces to choose from to access the files anywhere, anytime."

Valin says that tools such as Cyber-Ark's sensitive information management suite can provide that surety. "The solution is based on a secure digital vault for storing the sensitive documents where IT cannot access the content of the files but can still audit activities and integrate it with content filtering solutions."
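Hamilton's observation above that ordinary Web monitoring logs already give "a rough idea of whether these file transfer applications are being used and how often" can be turned into a simple report. The script below is an added example, not code from Symantec, Cyber-Ark or any vendor quoted here; the log format and the sample lines are constructed for the illustration, and the domain list is assumed to be the services the article names.

```python
"""Spot bulk uploads to consumer file-sharing services in Web proxy logs.

The log format below is constructed for this example (epoch, client IP,
user, method, URL, request-body bytes, HTTP status); adapt parse_line()
to the fields your own gateway or proxy writes.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Consumer services named in the article (assumed list). Matched by domain
# suffix so subdomains count but look-alike hosts such as notdropbox.com do not.
FILE_SHARING_DOMAINS = ("dropbox.com", "box.com", "docs.google.com", "centraldesktop.com")
UPLOAD_METHODS = {"POST", "PUT"}

# Constructed sample log: two Dropbox uploads, one accepted and one rejected
# Box upload, a look-alike host, an unrelated site and a malformed line.
SAMPLE_LOG = """\
1326900000.123 10.0.0.5 jdoe POST https://www.dropbox.com/upload 5242880 200
1326900010.456 10.0.0.5 jdoe POST https://dl-web.dropbox.com/upload 3145728 200
1326900020.789 10.0.0.7 asmith GET https://www.box.com/files 0 200
1326900030.001 10.0.0.7 asmith POST https://upload.box.com/upload 1048576 201
1326900035.000 10.0.0.7 asmith POST https://upload.box.com/upload 2097152 403
1326900040.002 10.0.0.9 bjones POST https://notdropbox.com/upload 9999999 200
1326900050.003 10.0.0.9 bjones GET https://www.example.com/ 0 200
this line is malformed and is skipped
"""


def service_for_host(host):
    """Return the file-sharing domain a hostname belongs to, or None."""
    host = (host or "").lower().rstrip(".")
    for dom in FILE_SHARING_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def parse_line(line):
    """Parse one constructed log line into a dict; None if it is malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, client, user, method, url, req_bytes, status = parts
    try:
        return {"ts": float(ts), "client": client, "user": user,
                "method": method.upper(), "host": urlsplit(url).hostname,
                "bytes": int(req_bytes), "status": int(status)}
    except ValueError:
        return None


def summarize_log(lines):
    """Per-user, per-service count and byte total of successful uploads."""
    summary = defaultdict(lambda: defaultdict(lambda: {"uploads": 0, "bytes": 0}))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        svc = service_for_host(rec["host"])
        if svc is None or rec["method"] not in UPLOAD_METHODS:
            continue
        if not 200 <= rec["status"] < 300:
            continue  # blocked or failed upload: no data left the network
        entry = summary[rec["user"]][svc]
        entry["uploads"] += 1
        entry["bytes"] += rec["bytes"]
    return {user: dict(services) for user, services in summary.items()}


def flag_users(summary, byte_threshold):
    """(user, service, bytes) tuples at or above the threshold, largest first."""
    flagged = [(user, svc, e["bytes"]) for user, services in summary.items()
               for svc, e in services.items() if e["bytes"] >= byte_threshold]
    return sorted(flagged, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    report = summarize_log(SAMPLE_LOG.splitlines())
    for user, services in sorted(report.items()):
        for svc, e in services.items():
            print(f"{user:8} {svc:20} uploads={e['uploads']} bytes={e['bytes']}")
    print("over 5 MiB:", flag_users(report, 5 * 1024 * 1024))
```

Such a report only shows volume, not content, which is exactly the gap Hamilton says DLP is meant to fill.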

However, let's not forget that these consumer apps typically offer an enterprise version, and it would be wise for IT to give business users a simple-to-use solution that can be deployed quickly. For example, Box claims on its Web site that "over 100,000 companies -- including 82 percent of Fortune 500s -- rely on Box to access, share and manage critical content."

In a drive to improve business collaboration using the cloud, Hewlett-Packard (HP) is offering Box's "cloud content-management and collaboration platform on select small and midsize business and enterprise PCs." HP says Box offers 99.9 percent network up time, SSL encryption, configurable permissions, and redundant storage. It constantly monitors production systems and makes "ongoing threat assessments."

Dropbox's Dropbox for Teams is its enterprise equivalent, though the company's Web site doesn't explain what "admin controls" are offered. Another option: Central Desktop lets users share documents in the cloud; its Enterprise Edition's Security Pack provides more granular security to comply with everything from corporate governance to HIPAA.

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell


Storage Wars Episode IV

Thinking about replacing your tape library with a de-duplicating virtual tape appliance? It seems to be a pretty trendy idea, but not necessarily well-understood in terms of its potential consequences or outcomes. This video explores the arguments for and against the decision – in what we hope you will find to be an entertaining format. It is a mash-up of tech speak, Star Wars, and the Annoying Orange (ask your kids about that one).

It is also the first installment of what will surely become an epic series of minor motion pictures designed to tickle your funny bone while stimulating some important questions. From Jon Toigo, storage columnist for ESJ.com and Toigo Partners International.

Posted by Jon William Toigo


Analysis: IBM Acquires a Green Hat

IBM Corp.’s recent acquisition of Green Hat Software Ltd. seems like a head-scratcher on a couple of levels, starting with the comparative obscurity of the acquisition -- Green Hat, a UK-based purveyor of software testing tools.

Big Blue’s latest buy invites head-scratching in at least one other respect, however. Nine years ago, IBM acquired one of the biggest and best-known names in the software development business, the former Rational Software Corp. Rational, too, marketed (and continues to market) a wide range of software testing technologies.

What does Green Hat bring to the table that IBM Rational doesn’t?

A good deal, IBM officials say, starting with its focus on testing for cloud, service-oriented architecture (SOA), and highly virtualized environments.

“Green Hat’s virtualization testing technology addresses the entire development lifecycle and helps accelerate the delivery of business-critical software at a lower cost to the business,” said IBM Rational General Manager Kristof Kloeckner, in a statement released just one week after Big Blue first announced -- and subsequently closed on -- the Green Hat deal.

In a “Technology Audit” published last year, Ovum Research analyst Rob Hailstone described Green Hat’s GH Tester as “the most comprehensive testing solution” in the SOA or cloud market. “Most SOA, BPM, and emerging cloud platforms offer limited testing functionality that might be adequate for early-stage deployments, but will not help the organization to prepare for a dynamic environment of end-to-end processes with constant change and heavy mission-critical workloads,” Hailstone wrote.

Industry veteran Paul Herzlich, a principal with Creative Intellect Consulting, acknowledges that Big Blue’s acquisition of Green Hat seems like a textbook headscratcher. After all, he points out, “[IBM] already has its own suite of Jazz-based IBM Rational tools covering test execution, test management and test lab management.” That being said, Herzlich argues, Green Hat focuses on an ill-served or neglected aspect of test automation.

“[T]he development world is embracing numerous ‘agile’ methodologies [and] the current generation of QA tools simply can’t keep pace,” he maintains. “Agile processes require early testing and frequent, if not continuous, integration. Slavishly following the old V-model of testing is inefficient, and postponing serious QA until system testing is a recipe for usually unwelcome, often expensive surprises.”

GH Tester permits programmers to build a virtual test environment in which to simulate external interfaces or resources, along with conflicts, dependencies, and other potential monkey-wrenches. Although it’s possible to do this informally using VMWare or other virtual sandbox tools, and although many software development and testing tools provide some support for virtual sandboxing, GH Tester offers native support for cloud, SOA, or business process management (BPM) offerings from Software AG, TibCo Software, IBM, Oracle Corp., Microsoft Corp., SAP AG, and Progress Software.

“Think about the difference between provisioning a physical test environment with, for example, a full instance of SAP versus a simulator which mimics the traffic in a SAP instance. In essence, Green Hat’s approach is lightweight, quick to provision, provides good control, is simple to reset and can be made to test error conditions easily,” explains Herzlich.

For this reason, Herzlich argues, Big Blue’s acquisition of Green Hat could well turn out to be a Very Big Deal. “Green Hat is a good acquisition for IBM, if for no other reason than it shows that IBM recognises that today’s testing tool suites -- majoring, as they do, in test management and test execution -- look tired in an increasingly agile world and ineffectual in the face of the complexity storm raging out there,” he writes.

That said, Herzlich concludes, Big Blue’s quick closing on its acquisition of Green Hat belies a disappointingly long integration path.

“[T]he roadmap for integration is disappointingly long. The Green Hat software is already certified to interoperate with the Rational test suite,” he concludes. “For a company that promotes 'agile' so much, requiring a year from closing seems a long time to integrate with the Rational portfolio and to brand a release of Green Hat products as IBM.”

-- Stephen Swoyer
Contributing Editor, ESJ

Posted by Stephen Swoyer


Mobile Computing No Passing Fad

We all know that Bring Your Own Device (BYOD) is going to be a hot topic this year. Sure, mobile can increase the effectiveness of workers and give them access to data anywhere at any time. The question is -- how big is this trend and how is it affecting security administrators?

A new study commissioned by Check Point Software Technologies sheds light on the size and scope of BYOD. It’s bigger than you think, and there are plenty of risks to go around.

Mobile computing is no fad: 89 percent of respondents report that mobile devices were connected to their corporate network. The devices weren’t just company-issued; most respondents (65 percent) said that devices personally owned by employees were connected. Respondents in Japan are the least likely to allow connectivity of personal devices (46 percent); Germany is most likely to allow such connections (81 percent). Connectivity is growing: 94 percent say they’ve seen a rise in personal mobile-device use on corporate networks and 78 percent say use has more than doubled in the last two years (36 percent cite a fivefold increase).

Apple iOS (30 percent) and BlackBerry (29 percent) were the most common platforms; Android is used at 21 percent of enterprises to access corporate networks. Ironically, Android was named as the platform with the greatest risk (43 percent), and BlackBerry was the safest (only 22 percent put it at the top of their “greatest security risk” list). Those surveyed say those risks are growing: most (64 percent) said the number of security threats to their organizations had increased over the last two years; 34 percent said the threat level remained the same, and just 3 percent said it has declined.

Of those claiming an increase, almost three-fourths (71 percent) said mobile devices were a “contributing factor” to the rise.

The study asked participants to rank several factors that affect mobile data security. “A lack of employee awareness about security policies” topped the list (at 62 percent), followed close behind by “insecure Web browsing” (61 percent), “insecure Wi-Fi connectivity” (59 percent), and “lost or stolen mobile devices with corporate data” (58 percent).

What kind of corporate data, you ask? I wasn’t surprised to read that corporate e-mail was the most frequent response (79 percent), followed by business contact data (65 percent). More troubling: customer data was on nearly half (47 percent) of devices, followed by network login credentials (38 percent), and “corporate information made available through business applications” (32 percent). No wonder lost or stolen devices keep security admins awake at night.

Security pros know that internal forces can often be more important than external forces when it comes to keeping enterprises safe. The survey confirmed this popular belief: “Careless employees” pose a greater risk to security (according to 72 percent of respondents) than do hackers who “intentionally try to steal corporate information” (the response of just 28 percent of respondents). I found it interesting that the survey responses varied by geography: UK respondents were most concerned about careless employees (79 percent), Germany was less concerned (at 55 percent, it’s still greater than concern about hackers).

The global survey, conducted by Dimensional Research, polled 768 IT professionals in the U.S., Canada, the UK, Germany, and Japan. Respondents were responsible for IT security (either as their full-time job or part of their overall responsibilities) and included “IT executives, IT managers, and hands-on IT professionals and represented a wide range of company sizes and industry verticals,” according to Check Point.

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell


Most Popular Stories on ESJ in 2011

#1: Windows on Mainframes Due December 16: Windows on Big Blue's hardware is almost here.

#2: 10 Reasons Why Architects and Developers Should Care about Cloud Computing: Cloud computing isn’t just about outsourcing IT resources. We explore ten benefits IT architects and developers will realize by moving to the cloud.

#3: IBM Bringing Windows to the Mainframe Later This Year: IT mainframe pros will have to wait until Q4 to get their first look at IBM's Windows-on-zBX offering. Will it be worth the wait?

#4: Enterprise Systems Salary Survey 2011 Part 2: IT Staff Salaries: IT staff salaries remain flat, but bonuses rise; premiums highest in supply chain and data warehouse environments

#5: Careers: The Hot Jobs for 2011: As a new list of “Promising Jobs” proves, some IT skills never go out of style.

#6: ESJ Salary Survey 2011 Part 1: Management Salaries: Most management salaries stagnated or dropped, though bonuses saw a bounce; business-to-business and ERP skills command highest premiums.

#7: How Total Architects Enable Project Success (Part 1 of 4): Introducing the "Total Architect" and the benefits this position can bring to your enterprise.

#8: Traits of a Total Architect ... And All That Jazz (Part 2 of 4): How a Total Architect is like a musician.

#9: Q&A: SOAP and REST 101: What are SOAP and REST? What do these Web services have in common and where is each best used? We take a closer look.

#10: 5 Steps to a Continuously Compliant Data Center (Part 1 of 2): These five steps provide a road map for continuous compliance in the data center.

Posted by Jim Powell


New Research Validates Seriousness of Insider Threats

Venafi, an enterprise key and certificate management solutions provider, released more results from its InfoSecurity 2011 survey recently. The study, which polled more than 500 IT professionals, found that CEOs “often lack access to their own sensitive data.”

Who has the easiest access? According to 65 percent of respondents, it’s the IT department. The figure was just 30 percent for CEOs and 8 percent for managers. (HR came in third at 7 percent; employees in the legal department garnered 5 percent of the vote.)

Unfortunately, other findings are troubling. The survey found that if the employee who manages their organization’s encryption keys were to leave, 23 percent of respondents expect that they’d lose access to their valuable, encrypted data. (The result is in line with the company’s previous survey, which revealed that 40 percent of IT staff “admitted that they could hold their employers hostage -- even after leaving for other employment -- by withholding or hiding encryption keys, making it difficult or impossible for management to access vital data.”)

Security professionals have repeatedly warned organizations that although an enterprise may be protected from outside threats, there’s even more danger from inside the enterprise. Case in point: “A third of survey respondents said that their knowledge of and access to encryption keys, coupled with their organizations’ lack of oversight and poor key and certificate management controls, meant they could bring the company to a grinding halt with minimal effort and little to stop them.”

Nearly one-quarter (24 percent) of enterprises said that their fear of losing encryption keys “was deterring them from investing in encryption technologies. This shows that recent major data breaches have almost paralyzed some organizations, which are afraid to improve their IT security for fear of making things worse -- or just do not trust their IT departments to handle encryption technology effectively.”

Warning Signs

Need more proof? A new report, Behavioral Risk Indicators of Malicious Insider Theft of Intellectual Property: Misreading the Writing on the Wall investigated “the high level of organizational anxiety surrounding potential theft of sensitive, proprietary, intellectual property or similar critical data by employees.”

Symantec says intellectual property (IP) thefts cost businesses in the United States over $250 billion yearly. “FBI reports confirm that insiders are a major target of opponent efforts to steal proprietary data and the leading source of these leaks,” the company said.

The Symantec report, written by Dr. Eric Shaw and Dr. Harley Stock, was based on a review of empirical research and identifies several “key behaviors and indicators that contribute to intellectual property theft by malicious insiders.” Stock and Shaw are experts in psychological profiling as well as employee risk management.

Among the patterns the authors identified:

  • Thieves are often in technical positions. “The majority of IP theft is committed by current male employees averaging about 37 years of age who serve in positions including engineers or scientists, managers, and programmers. A large percentage of these thieves had signed IP agreements. This indicates that policy alone -- without employee comprehension and effective enforcement -- is ineffective.”

  • Thieves have secured new jobs when they commit the crime. “About 65 percent of employees who commit insider IP theft had already accepted positions with a competing company or started their own company at the time of the theft. About 20 percent were recruited by an outsider who targeted the data and 25 percent gave the stolen IP to a foreign company or country. In addition, more than half steal data within a month of leaving.”

  • Thieves steal what they can access. The authors say three-quarters of insiders stole material they were authorized to access.

  • Trade secrets are the most-purloined items. Trade secrets were stolen in over half (52 percent) of incidents. Business information (for example, billing information and price lists) was stolen in nearly a third (30 percent) of incidents, followed by source code (20 percent), proprietary software (14 percent), customer information (12 percent), and business plans (6 percent).

  • Thieves use standard data transfer media. Most subjects (54 percent) used a network to commit the theft; they use e-mail, remote network access, or network file transfers to move their stolen data.

  • IP theft was discovered by non-technical staff members.

There are some key patterns of behavior that can help you spot (and prevent) insider theft. “Common problems occur before insider thefts and probably contribute to insiders’ motivation. These precipitants of IP theft support the role of personal psychological predispositions, stressful events, and concerning behaviors as indicators of insider risk.” Among the triggers: employees getting tired of “thinking about it” and deciding to act, or solicitation by others. “This move often occurs on the heels of a perceived professional set-back or unmet expectations,” according to the report.

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell


Cloud Storage Benchmark Report: Amazon S3 is Standout

Not all cloud storage providers (CSPs) are created equal. That’s the unmistakable conclusion of a 26-month stress test of 16 major providers in which only six could meet the test’s minimum performance, stability, availability, and scalability requirements. The six included (alphabetically) Amazon S3, AT&T Synaptic Storage as a Service (powered by EMC ATMOS), Microsoft Azure, Nirvanix, Peer1 Hosting (also powered by EMC ATMOS), and Rackspace Cloud.

The intensive tests were conducted by Nasuni, an enterprise storage company that combines on-premise security and storage resources from leading CSPs. The tests looked at how the services perform for mid-sized enterprises in three areas: performance (including response time), stability/availability (how often is the service down, and for how long), and scalability (does the service truly offer unlimited capacity).

Nasuni wrote a custom connector in Python from each CSP’s API documentation and broke the service down into components for unit testing (to test basic functions such as reading and writing files of different sizes, using a different connection to re-read previously written data, and simultaneous access). Six providers failed these tests; services designed for archiving files were severely stressed by the system, “sometimes to the breaking point” according to the report.

The company tested performance for concurrency, object size, and type of workload (reads only, writes only, and a combination of the two tasks). The benchmarks adjusted for location bias by running them from a trio of geographic areas and hosts. Of the 10 providers that passed the basic functions tests, two were eliminated because their performance was “too low to be acceptable to the vast majority of end-user organizations.”

Performance speeds showed significant differences in only some tests. For example, the average write speed for 1 MB files varied among providers between 2.0 and 2.38 MB/sec (except for Peer1, in last place with a speed of just 1.49 MB/sec); read speed variability for 1 MB files was more distinctive, with Nirvanix and Azure leading the pack (at 13.3 and 13.2 MB/sec respectively), Amazon coming in third (at 11.28 MB/sec), and Peer1 again in last place at just 3.1 MB/sec. Peer1’s performance was also 70 percent slower than first-place Azure when writing 128 KB files and less than 25 percent as good as first-place Amazon in reading those files.

The report warns that organizations may be satisfied with slower speeds depending on how the enterprise actually uses the service; sometimes slower performance is just fine (especially if premium performance comes at a premium price).

Stability tests checked re-reading files written to ensure no data loss as well as how frequently CSPs experienced unplanned outages. Scalability checked how many objects can be placed in the cloud and whether performance is maintained as more objects are added; it wrote small (1KB) files using concurrent threads until 100,000,000 objects were written.
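The three test categories just described (write objects of several sizes and re-read them over a separate connection to catch data loss, time reads and writes per object size, and write small objects from concurrent threads to see whether the service keeps them all) can be sketched in a short harness. This is an added example, not Nasuni's connector or any code from the report; InMemoryStore is an assumed stand-in for a provider client with put/get, and its lose_every fault injection is constructed to show what the stability test catches.

```python
"""Toy cloud-storage benchmark in the style of the tests described above.

InMemoryStore is an assumed stand-in for a CSP client exposing put/get; a
real run would wrap the provider's SDK behind the same two methods.
"""
import hashlib
import os
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class InMemoryStore:
    """Simulated CSP. lose_every=N silently drops every Nth write, the kind
    of fault a stability (re-read) test is meant to expose."""

    def __init__(self, lose_every=0, _shared=None):
        self._data, self._lock, self._state = _shared or ({}, threading.Lock(), {"puts": 0})
        self._lose_every = lose_every

    def new_connection(self):
        # A second client over the same service, so re-reads cannot be served
        # from anything the writing client cached locally.
        return InMemoryStore(self._lose_every, (self._data, self._lock, self._state))

    def put(self, key, data):
        with self._lock:
            self._state["puts"] += 1
            if self._lose_every and self._state["puts"] % self._lose_every == 0:
                return  # write acknowledged but never stored
            self._data[key] = bytes(data)

    def get(self, key):
        with self._lock:
            return self._data.get(key)

    def count(self):
        with self._lock:
            return len(self._data)


def stability_check(store, sizes=(1024, 128 * 1024, 1024 * 1024), per_size=2):
    """Write objects of several sizes, re-read each through a fresh connection
    and compare SHA-256 digests. Reports lost and corrupted objects."""
    expected = {}
    for size in sizes:
        for i in range(per_size):
            key = f"stab/{size}/{i}"
            blob = os.urandom(size)
            expected[key] = hashlib.sha256(blob).hexdigest()
            store.put(key, blob)
    reader = store.new_connection()
    result = {"written": len(expected), "verified": 0, "lost": [], "corrupted": []}
    for key, digest in expected.items():
        blob = reader.get(key)
        if blob is None:
            result["lost"].append(key)
        elif hashlib.sha256(blob).hexdigest() != digest:
            result["corrupted"].append(key)
        else:
            result["verified"] += 1
    return result


def throughput(store, size, count, mode):
    """MB/sec for a 'write' or 'read' workload of `count` objects of `size` bytes."""
    keys = [f"perf/{size}/{i}" for i in range(count)]
    blob = os.urandom(size)
    if mode == "read":
        for k in keys:  # seed the objects, outside the timed region
            store.put(k, blob)
    start = time.perf_counter()
    for k in keys:
        store.get(k) if mode == "read" else store.put(k, blob)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return (size * count) / (1024 * 1024) / elapsed


def scalability_check(store, n_objects, threads=8, size=1024):
    """Write small objects from concurrent threads, then compare how many the
    service actually holds with how many were sent."""
    def worker(idx):
        store.put(f"scale/{idx}", b"x" * size)
    with ThreadPoolExecutor(max_workers=threads) as pool:
        list(pool.map(worker, range(n_objects)))
    return {"sent": n_objects, "stored": store.count()}


if __name__ == "__main__":
    good, flaky = InMemoryStore(), InMemoryStore(lose_every=4)
    print("stable provider :", stability_check(good))
    print("flaky provider  :", stability_check(flaky))
    print("write MB/s (1MB):", round(throughput(InMemoryStore(), 1024 * 1024, 20, "write"), 1))
    print("scalability     :", scalability_check(InMemoryStore(), 5000))
```

Against a real provider the interesting numbers are the lost/corrupted lists and the gap between sent and stored, not the MB/sec of an in-memory stub.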

I asked Nasuni’s CEO, Andres Rodriguez, what the low "pass" rate says about these services. Did he, for example, expect the 10 service providers that failed to eventually shut down? Will there be more competition in the industry?

“I think the biggest lesson is that, while it’s easy to make something that looks like cloud storage, it’s very difficult to create a service with the performance, scalability, and stability that enterprises require for primary storage. We do expect that the market will continue to consolidate, but as quality improves, competition will intensify and, like any commodity market, prices will come down.”

The survey targeted mid-size enterprises. Would the results have differed for larger enterprises? Rodriguez said that Nasuni focuses on “the mid-size enterprise because they are the ones facing the most challenges -- they are most resource-constrained in terms of investment ability and size of their IT staff, and thus their pain around adopting the cloud is most acute.

“The cloud, in many ways, is not usable by itself and thus why we package it as part of an overall solution. Our evaluation wouldn't vary based on whether the organization is small, medium, or large. For organizations that need access to their data from anywhere in the world, at any time, and want to leverage the cloud for redundancy, scalability, and its on-demand benefits, the tests performed reflect that and are appropriate regardless of an organization's size.”

-- James E. Powell
Editorial Director, ESJ
