The Fraud Blog with Tracy Kitten

Emerging Tech and Risk Assessment

Security Is About Understanding the Gaps, Not Filling Compliance Holes

"Emerging" technology - and I'll use my adjectives carefully - gets a lot of attention these days.

Cloud computing, mobile banking, chip and near-field payments, tokenization ... each is talked about in security circles, though none is hardly new or emerging.

But with all these so-called emerging technologies floating around, how sure can we be that they are working in tandem, to actually improve an organization's security, rather than hinder it?

The short answer: We can't. I had the opportunity recently to speak to several industry thought-leaders, and we talked a lot about these technologies.

IBM's Marc van Zadelhoff, for instance, says more interconnectivity lends itself to more insecurity. "How secure am I, really? When I take on new initiatives, I have to consider the security risks," he says. "Everyone is speaking about the cloud ... but even in the cloud, you still have to think about traditional layers of security."

The cloud is not the security catch-all it's been touted to be. And the more organizations move to the cloud, the more diligent they must be about service level contracts, platform and network interoperability, and clear and transparent security measures.

An organization is only as secure as its weakest link, and if the cloud provider you're working with does not share your same stringent security guidelines, then your organization inevitably will have security gaps.

And then there's mobile.

"Mobile is a bigger concern," van Zadelhoff says. "It comes down to assessing risk."

Assessing risk. Not something many organizations have, up to this point, done especially well. It's a concern I discussed at length with several emerging technology experts, including van Zadelhoff, during the Gartner Security and Risk Management Summit near Washington, D.C.

Risk management and security are the new focus, rather than mere check-box compliance. And since no significant number of standards currently exists for emerging technologies, approaching new technologies with risk rather than compliance in mind is definitely a good thing.

When it comes to risk management, more strategy revolves around detecting, preventing and responding to insider threats. It's a topic we're hearing a lot about these days, and it's one that came up during 90 percent of the interviews I conducted at the Gartner Summit. [See Citi Case Exposes Insider Risks.]

Michelle Shannon, vice president of product management and marketing at BeyondTrust, says banking institutions need to adopt a standard of "least privilege," when it comes to controlling insider threats

"Monitoring what people are doing is critical," she says.

Internal threats don't have to be intentional. Well-meaning employees are often duped by socially engineered schemes or inadvertently expose some piece or part of information that gives fraudsters access to massive amounts of data.

"Most users with privileges have root access, which means they have a group password. Once that password is exposed, someone can compromise the root database," Shannon says. By limiting privileges and access, and uniquely identifying users, the risk of compromise of controlled.

That's why it's so important for institutions to have a comprehensive view of what's going on across all channels at all times, says McAfee's Dave Anderson. "This is why integrating all of the devices, the access points to the network, is so important," he says. "You have to have a single analytical dashboard that brings all of this together."

It's the only way to catch anomalous patterns.

But how much of this are organizations really doing? It seems the philosophical foundation that supports security plans is changing. Most business leaders accept that security and risk trump compliance. But old habits are hard to break.

At the end of the day, I wonder how willing organizations will be to put their best feet forward, when the compliance standard only calls for them to stand still.



About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.