It’s particularly galling when a company specializing in security issues gets monumentally hacked. That was the case for Stratfor, which suffered a massive data breach just before the holidays that exposed thousands of client names, e-mail addresses and credit card numbers. Adding insult to injury, hacktivist group Anonymous revealed on Twitter that it was able to get at the data because the company hadn’t encrypted them, according to the Associated Press. Stratfor’s travails serve as a reminder to all companies that they need to get their cyber security policies and practices in order. Here are some issues to consider.

1. Beware of the mobile threat.

Mobile devices have become ubiquitous and more powerful. Companies can no longer just protect employees’ laptops, but must be aware of tablets, smartphones, iPods and anything else with a brain and wireless connectivity. Inadequately secured devices, if stolen, can give thieves access to corporate networks, allowing them to steal sensitive data.

Employees downloading new apps may download keystroke-logging software as well, giving hackers access to their credentials—but few people have anti-virus software installed on these devices.

“2012 is going to be a significant year for mobile threats enterprise-wide because so many devices are being adopted,” says Dave Marcus, director at security firm McAfee Labs. Companies “have to start looking at mobile devices like other devices—‘If it’s got data on it, it’s got my corporate data on it, then I’ve got to manage and secure it like every other device on my network,’” he adds.

2. Review privileges.

Do all users really need all the access rights they now have? Keeping privileges to a minimum limits the damage hackers can do if they get into a user’s account, as well as the damage employees can do on the way out the door.

Controlling privileges can also help with compliance since “most regulations, including SOX, HIPAA, GLB and PCI, have a clause on the level of access to key IT assets,” says Jim Zierick, executive vice president at security vendor BeyondTrust.

But privileges can be hard to manage, especially in big organizations with lots of applications. “Users are proactive about acquiring access they need or want, but rarely ask for access to be taken away even if they no longer need it,” says Michael Bennett, chief information officer for the U.S. unit of defense contractor BAE Systems.

One option is to roll out a centralized system to allocate and manage privileges, which allows for quick changes if employees are hired, fired, move internally or temporarily need special access for a project.

Companies should move beyond automated provisioning, access control and auditing solutions to add a new security control and abstraction layer that sits between the information and the people who use it, Bennett says. This allows the data to be displayed in a way that the particular user—and device—needs to see it, “while denying access to anything not specifically required by and permitted to the user,” he adds. “Apart from the huge security gains, this architecture makes it much simpler to support the many different kinds of access devices that users want to bring to work.”

3. Prepare for breaches.

No system is completely hacker-proof. If a security hole—or human error—allows key data to leak out, companies must be ready to deal with it quickly and effectively. And that’s going to require more effort than before.

The Securities and Exchange Commission’s guidance issued in October reminds public companies that breaches could be considered material events that need to be disclosed, says Richard Bortnick, an attorney at Cozen O’Connor. Private firms may be affected if they are suppliers or partners of a public company.

States are also rolling out or toughening up disclosure laws, including California, Bortnick says.

After a breach disclosure, companies should be prepared for lawsuits, says Bob Parisi, senior vice president at consultancy Marsh. As the result of a recent court ruling, plaintiffs no longer need to show actual harm or imminent threat of harm, but simply increased risk of potential harm to take their cases to trial, he says.

And lawsuits are now being filed faster, just days or even hours after a breach is disclosed rather than months later, Parisi says. Companies need to respond quickly to a breach, which may involve more than just offering credit monitoring to clients whose information has been compromised, he says, and remedies should be relevant.

“If you’re a hospital losing patient data, offering credit monitoring might not be the most appropriate response,” Parisi says. “If what you offer is the wrong remedy or no remedy at all, you’re basically waiving a red flag in front of the potential plaintiff class.”

4. Encrypt, encrypt, encrypt.

In the past, encryption slowed down systems and inconvenienced users, so it was used only to protect data traveling over the Internet. Technology has improved to the point where companies can encrypt data that’s stored on mobile devices, moving across internal networks, even stored inside databases, without adding lag or hindering productivity.

The new technology operates on a more basic level, even embedded into the hardware. If a breach occurs, the stolen information can’t be used and no disclosure is required.

One organization taking this approach is AGS Capital Group. “The risks and penalties of breach laws are increasing, so we are looking at increased and mandatory encryption on all employee computers and laptops,” says Allen Silberstein, CEO and chief investment officer at AGS. “So if the hard drive gets into the wrong hands, the information remains protected.”

5. Add new authentication mechanisms.

Most applications require only a user name and password. Companies have been reluctant to ask customers to use a second form of authentication, such as an additional password sent by text message.

As breach notification requirements and costs escalate, companies should take another look at second-factor authentication, says David Miller, chief security officer at Covisint.

In the past, the second form was often key-chain fobs that generated one-time passwords—and employees who misplaced their keys would be locked out of the system. But the solution now could be a cell phone.

“A mobile device can run a one-time password-generating app to supply a PIN for network access, hold a digital certificate that uniquely identifies the device or can receive an automatically generated text message with a one-time password to authenticate each login,” says BAE’s Bennett. “Using a mobile device that a user already has, as opposed to issuing another physical device for authentication, makes a lot of sense.”

For a look at what the Securities and Exchange Commission wants companies to disclose if they’ve been hacked, see SEC Provides Guidelines for Disclosing Cyber Attacks.

Article originally published at Treasury & Risk.

This can have serious consequences for a company. For example, employees who move to different jobs within the company may retain access rights associated with their previous role. This may allow them to bypass the company’s checks-and-balances system.

Or an employee might leave the company altogether. It’s hard to turn off all access if you do not have an up-to-date list of things that the employee could access. This is particularly important when it comes to outside applications that do not require access to the company network, such as Dropbox or Salesforce.com.

Then there’s the case where an employee’s account is compromised. In the best-case scenario, when the problem is discovered, the company acts quickly to shut off access and review sensitive systems for unauthorized activity. In the worst-case scenario, the company doesn’t know which systems the employee can access, and appropriate security responses are delayed. Then the hacker can abscond with data to which the employee had access, including data the employee no longer needed and should have lost access to long before.

Finally, overprivileged employees may pose compliance problems for companies in regulated industries such as healthcare and financial services.

In a recent survey of more than 5,000 IT operations and security managers by the Ponemon Institute, 52 percent said that they were “likely” to be provided access to restricted, confidential information beyond the requirements of their position, and more than 60 percent said privileged users access sensitive or confidential data because of their curiosity, not because of their job function.

The Ponemon Institute also released a report outlining security best-practices, in which technology that focuses on privileged users was listed as a top critical factor in the success of a data protection program.

A CIO at a defense company told me that “least privilege” is one of the fundamental building blocks of information security.

I recently talked with Jim Zierick, executive vice president at the security systems vendor BeyondTrust. He also suggested that companies embrace a “least privileges” policy. For example, instead of giving IT administrators blanket access to servers for maintenance or software installation, companies could give them policy-based access that allows them to make changes under specific circumstances, with all access logged in detail.

The key is to restrict privileges without taking away critical rights, Zierick said. Your company might not want to give employees administrator rights to their computers, but this policy would prevent them from, say, adding a printer driver. A policy-based solution like those BeyondTrust offers would give employees just the rights they need while allowing rapid, across-the-board changes when employees leave or change jobs or responsibilities, he said.

This article originally appeared at The IT Services Site.

It’s like betting your company on Beta right before VHS went big. Or betting on VHS right before everyone switched to DVDs. Or betting on… anyway, you get the idea.

In a perfect world, we’d be able to accurately predict which technology will dominate, and make our investments accordingly. But, in practice, people just wait. They sit and watch other guys place their bets, and they continue to sit and watch until a clear winner emerges.

But, what if there is no clear winner? What if you have a technology with multiple — and incompatible — approaches? That’s the situation with clouds right now. There’s the Amazon approach to cloud computing. The Microsoft approach. The IBM approach. The Google approach. And, the ever-popular VMware approach.

Picking a vendor too early can cost the company significant amounts of money down the line when it is time to switch. So after the early adopters have all adopted, if there’s still no clear winner, someone has to take a step to break the logjam. This is usually when the vendors — all except the market leader — get together and decide on a standard.

That’s what seems to be happening now in the cloud computing space. Amazon is the market leader. But its cloud platform is proprietary, which means its customers aren’t going anywhere. So, Amazon’s name isn’t popping up in any of the standards discussions, except when people discuss whether Amazon will actually be the standard. It’s like Windows was the standard for office computing for decades.

So Amazon’s competitors, including IBM, Cisco, EMC, CA, SAP, and Red Hat, have just gotten together and agreed on a cloud standard called Topology and Orchestration Specification for Cloud Applications (TOSCA). In November, VMware and partner SAP also said they would support TOSCA.

For companies still sitting on the cloud sidelines, this is good news in three ways. First, if they pick a vendor that supports TOSCA, and later want to move their cloud to another vendor, they will be able to do it at a lower cost than if they were moving between proprietary platforms.

Second, if they have a private cloud running on their own servers, they can move processes from it to a public cloud, and back again, to handle sudden spikes in demand, to use as backup systems, or to roll out new applications faster. This is the “hybrid cloud” approach, and many companies are looking at doing clouds this way so they have the control and security they need, when they need it, while still being able to benefit from public cloud infrastructure.

Third, companies will be able to buy pre-packaged cloud-friendly software systems that can be deployed with any of a number of cloud vendors. That would reduce the dependence on a cloud vendor’s own solutions, allowing more choices, and, in the end, lowering costs for everyone.

It remains to be seen how many other cloud vendors will support TOSCA, and to what degree they will implement it. If they don’t support it, enterprises will be stuck paying extra for cloud middlemen, vendors that package up cloud applications for customers in a way that enables them to be deployed to different clouds. Sure, those vendors add more value, as well. For example, they might monitor cloud performance and automatically redistribute applications as needed. But if the middleware vendor itself uses a proprietary system, that’s just stepping out of one quagmire right into another.

Article originally appeared at The IT Services Site.

Organizations lack critical cloud computing skills such as assessing the risks associated with cloud computing and managing cloud initiatives, according to a new KPMG Sourcing Advisory report.

The data was based on a survey of more than 400 KPMG consultants working on cloud-related projects for customers, as well as from top executives at more than 20 other global business and IT service provider, said Stan Lepeak, research director in KPMG’s shared services and outsourcing advisory group.

Read full article at Cloud Computing Exchange.

The Open Cloud Initiative, a non-profit organization established to advocate for open standards in cloud computing, officially launched last week and announced a 30-day public comment period on its Open Cloud Principles, which are focused on interoperability, avoiding barriers to entry or exit, and ensuring technological neutrality.

The principles, however, are not intended to point the way to specific cloud standards, according to organization president Sam Johnston.

Read full article at Cloud Computing Exchange.

The service — which was previously available only in English — allows individual users to opt for a second login step, which sends an authorization code to an iPhone, Android or BlackBerry device. Enrolment is done by the individual users by registering a cell phone number, in a process that Google says takes about 15 minutes. After registration, users can have a confirmation code sent to their mobile device each time they log into Google Apps, or when they access it from a new device, or once every 30 days. Users also get back-up codes in case they can’t get service on their phones.

Read full article at Cloud Computing Exchange.

Enterprise use of smart phones and tablets is exploding, but letting employees buy applications on their own from the iTunes or Android app stores can become a logistical and security nightmare. Instead, companies are setting up their own stores so they can centralize app procurement; automatically provision and de-provision software; and even distribute their own custom-made apps to employees.

Merit Medical Systems, a Utah manufacturer, began looking at mobile technology a couple of years ago to improve collaboration and training for its sales and marketing staff. At first, it used Web-based tools, which don’t require downloading apps.

“But if users need access if they lose their Internet connections, they need to go the native app route,” says Lincoln Cannon, Merit’s director of sales and marketing technology.

But several companies are working to change that, offering business-friendly virtual meeting platforms that work right in a Web browser, no software download required, with prices starting at around $50 a month.

Read full article at Network World.

Read full article at Network World.

The Amazon Elastic Compute Cloud (EC2) outage that brought down a number of major Websites in mid-April, including social network sites Foursquare, HootSuite and Reddit, underscores the value of backup for cloud users—on traditional servers, another cloud or even another zone of their provider’s cloud. Amazon took the blame for the disruption, which involved the cloud’s Elastic Block Store (EBS) storage services, and said in a statement it will compensate customers.

Read full article at Treasury & Risk.