
Emerging Information Security Challenges

- Strategies for Securing the Enterprise in the New Economic Era

MENA Information Security Conference 2011

Amman, 19 Sep 2011

Ranjit Rajan, Research Director - Software, IDC Middle East, Turkey & Africa

Introduction to IDC

• IDC is the premier global ICT market intelligence, events, and advisory firm

• 1,100+ analysts in 50 countries; delivering IT intelligence, industry analysis, market data, and strategic guidance since 1964

• A division of IDG, the world's leading technology media, research, and event company

• Global HQ at Framingham, Massachusetts, USA.

• HQ for Middle East, Turkey & Africa in Dubai. Analysts based in South Africa, Turkey, Nigeria & Kenya.

• Over 100 analysts in MEA offices

• Research coverage of 25+ countries in MEA

• IDC Conferences reach out to 4000+ IT executives in MEA

© 2010 IDC

Agenda

• IT Security Market Dynamics
  - Key Technology Themes Shaping IT Security
  - Emerging Security Technology Trends

• IT Security Market in the Middle East
  - IT Security Spending
  - Forecasts

• Security Viewpoints from CIOs
  - Challenges & Priorities Ahead

• Essential Guidance

IT Security Market Dynamics

IT Markets in Context

IT Spending Growth 2007 - 2015 (%)

[Chart: annual IT spending growth, Worldwide vs. Middle East, 2007 to 2015, scale -5% to 20%; individual values not shown]

Source: IDC Worldwide Black Book, Q1 2011; growth in constant currency

Top IT Investments Across Markets

[Chart: share of organizations naming each investment area, scale 0% to 35%; values not shown. Areas, in chart order:]

• IT reliability and efficiency
• Improving security
• Increasing productivity
• Reducing operating costs for non-IT functions
• Increasing revenue
• Executing business strategy
• Meeting compliance requirements/industry…
• Aligning business and IT
• Business process re-engineering
• Introducing new and/or improved products and…
• Reducing capital costs for non-IT functions
• Improving business agility
• Retaining existing customers
• Merger and acquisition(s) activities
• Implementing environmental sustainability (e.g.,…
• Expanding into new geographic regions/countries
• Improving the effectiveness of marketing
• Other

Key Themes that will shape Enterprise IT Security

Mobilution

Laptops and Smart Phones in Use Worldwide (Mn)

[Chart: installed base of laptops and smartphones worldwide, in millions; values not shown]

Source: IDC Mobile Handset Research 2010

Commercial/Consumer Lines Blur

Multiple devices per person is the new reality

Connectivity of Tomorrow - Intelligent Everything

Billions of Connected Devices, 2020

• Total potential market: 200 billion "Big Things"
• Embedded devices: 23 billion (1-5 x people)
• Other consumer electronics: 3.3 billion (<1 x people)
• Phones: 2.6 billion (<1 x people)
• PCs: 2.0 billion (<0.5 x people)

Network Perimeter becoming more difficult to control

[Diagram: four pressures on the perimeter]

• More Devices: OSs, Mobile Phones & PDAs
• More Applications: Enterprise Apps, Office Apps, IM, email, VoIP, Web Apps
• Increased Vulnerabilities: Viruses, Trojans, Spam
• Increased Network Traffic

IT Departments Need to Plan Ahead

• Who decides what device gets access? How much access? Enforcement of acceptable use policies. How much support (if any)?

• How to secure multiple devices? Defence, protection of sensitive data, remote wipe, and remote kill. How to deal with the mobile apps explosion?

• What about BYOPC? Who owns the device if the employee leaves? How do you keep data on a personal device secure?

• Users don't care about IT boundaries: they just want to use what they want to use.

Barriers to Provisioning of Converged Mobile Devices

[Chart: % of organizations citing each barrier, scale 0% to 40%; values not shown. Barriers, in chart order:]

• Cost of mobile data
• Cost of devices
• Concerns over security, device management or support
• No additional demand from users
• No clear ROI
• Lack of useful business applications
• Usability of devices
• There are no barriers
• Decision sits in wrong part of organization
• Others
• Don't know

Source: IDC Gulf Mobility Study 2010, N = 304

Social Media opening a New Vulnerability Gateway

As a growing number of Social Media applications make their way into the enterprise, they bring with them even more security concerns and attack vectors.

[Diagram labels: Cross-site attacks, Spam, Hackers, Malicious Code, Phishing]

Virtualization - The Good, the Bad....

86% of CIOs in Middle East are scoping Virtualization projects for the next 12 months

Security Enabler:
• Test and Patch Environment
• Application Isolation
• Forensics
• Honeypots

Security Challenges:
• Hypervisor Vulnerabilities
• Guest Machine Infection
• Denial of Service
• HyperJacking
• Audit & Compliance Issues

Source: IDC Middle East CIO Survey (Dec 2010/Jan 2011), N=97

Cloud: the Brave New World

• of CIOs in the Middle East are scoping Cloud Computing projects in 2011

• Interest mostly around Private Cloud in the region

• Data privacy/security a major hurdle to Public Cloud adoption; Amazon EC2 disruption and PSN hack adding to concerns

• Security in the Cloud - endpoint security will move to the cloud

• Security from the Cloud - SaaS solutions

Source: IDC Middle East CIO Survey (Dec 2010/Jan 2011), N=97

Emerging IT Security Areas

Emerging IT Security categories an organization expects to spend on in the next 2 - 3 years:

• Security as a service: 41%
• Security for virtual environments: 34%
• Biometric solutions for IT access control: 23%
• Others: 2%

Source: IDC IT Security Roadshow Dubai 2010, N=143

IT Security Threats Perception among IT Security Managers

Please rate the following threats in terms of their seriousness for your organization's network, data and Internet security (1 - not a significant threat at all … 5 - very significant).

[Chart: distribution of ratings 1 to 5 per threat, shown as shares from 0.00 to 1.00; values not shown. Threats, in chart order:]

• Malware (Trojans, viruses, worms, and other malicious code)
• Spyware
• Spam
• Data loss through employee error (unintentional)
• External hackers
• Data theft by employee or business partner
• Insider system sabotage
• System failures through employee or business partner error
• Application vulnerabilities: denial of service, cyber ransom, cyber terrorism
• Casual intruders

Source: IDC IT Security Roadshow Dubai, Riyadh, Kuwait & Doha 2010, N=346

Growing Threat of Data Loss

• Corporate data loss happens through employees, both accidentally and deliberately.

• Loss can cause severe damage to reputation, intellectual property loss, legal penalties, etc.

• Several avenues of data loss: corporate email, laptops, mobile devices, web portals, USB drives, instant messaging.

• The Wikileaks incident shows it can happen to the best.

Reasons for Data Loss

Q. What are the primary internal factors due to which your organization loses data?

[Chart: share of respondents per factor, scale 0% to 60%; values not shown. Factors, in chart order:]

• Easy to send corporate data via corporate email
• Data can easily be carried or copied onto DVD or USB
• Company data can be easily transferred to personal email
• Use of social networking and web 2.0 technology
• Non-existence of user-defined rights on data

Source: IDC IT Security Roadshow 2011 Dubai

Preventing Data Loss

• Data classification will be needed: What data is sensitive? Who can access the data? What data can be shared?

• Data loss prevention (DLP) solutions at the endpoint; file and disk encryption technology to prevent data access from stolen or misplaced hardware.

• DLP emerging as a feature in messaging security platforms; deploying robust messaging solutions to track inbound and outbound communication.

• Most data loss incidents are accidental: tools focus on end-user education and on stopping obvious violations of e-mail/instant messaging use policies.
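As an added illustration, not from the IDC deck, here is a minimal endpoint DLP policy check in Python: it labels content by sensitivity (the data classification step above) and then decides per egress channel, covering the avenues listed earlier (corporate email to internal or external recipients, personal webmail, USB media). The classification patterns, the corporate domain example.com and the sample events are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed classification rules (hypothetical): label -> patterns that mark
# content with that label. Production DLP uses fingerprints and dictionaries;
# these regexes are only illustrative.
CLASSIFIERS = {
    "restricted": [r"\b\d{4}[- ]\d{4}[- ]\d{4}[- ]\d{4}\b"],   # card-number shaped
    "confidential": [r"\bCONFIDENTIAL\b", r"\bcustomer list\b"],
}
CORPORATE_DOMAIN = "example.com"   # assumed corporate mail domain

@dataclass
class Event:
    channel: str          # "email" (corporate), "webmail" (personal), "usb"
    content: str
    recipient: str = ""   # mail address, used only for the mail channels

def classify(text: str) -> str:
    """Return the most sensitive label matched, or 'public'."""
    for label in ("restricted", "confidential"):   # most sensitive first
        if any(re.search(p, text, re.IGNORECASE) for p in CLASSIFIERS[label]):
            return label
    return "public"

def evaluate(event: Event) -> tuple:
    """Apply the egress policy; returns (decision, label)."""
    label = classify(event.content)
    if label == "public":
        return "allow", label
    if event.channel == "webmail":               # personal email: never
        return "block", label
    if event.channel == "email":
        domain = event.recipient.rsplit("@", 1)[-1].lower()
        if domain == CORPORATE_DOMAIN:           # internal sharing is fine
            return "allow", label
    # external mail or removable media: restricted is blocked, confidential alerted
    return ("block" if label == "restricted" else "alert"), label

SAMPLE_EVENTS = [  # constructed events
    Event("email", "Q3 customer list attached", "cfo@example.com"),
    Event("email", "Q3 customer list attached", "friend@gmail.example"),
    Event("webmail", "CONFIDENTIAL roadmap", "me@personal.example"),
    Event("usb", "card 4111 1111 1111 1111 on file"),
    Event("usb", "lunch menu"),
]

def run(events=SAMPLE_EVENTS):
    """Evaluate every event; returns the list of (decision, label) pairs."""
    return [evaluate(e) for e in events]
```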

Factors driving DLP Spending

If planning to invest in DLP, what do you consider to be the top factors driving your data loss prevention investment plans?

[Chart: share of responses per factor on a five-point scale (Extremely important, Important, Neutral, Less important, Not important), 0% to 100%, n=30; values not shown. Factors, in chart order:]

• Ensuring data is stored where it is supposed to be
• Ensuring data is classified and accessed by authorised staff only
• Control / monitor data leaving the organization via web and email
• Reporting capability on incidents
• Control / manage data at the endpoint
• Support for Arabic data

Source: IDC-Symantec CIO Study 2010, N=40

Regulatory Compliance Requirements Continue to Grow

• Government regulations: data protection laws

• International regulations: Sarbanes-Oxley, Basel II & III

• Industry standards: PCI DSS, ITIL, ISO 27002

Over 90% of large enterprises in the GCC are currently investing or planning to invest in compliance solutions.

Source: IDC-Symantec GCC CIO Study 2010, N=40

Identity Management becoming essential….

To meet regulatory compliance demands, an Identity & Access Management (IAM) architecture is becoming essential.

[Diagram labels: Enterprise SSO, Password Management, Network Access Control]

• IAM is an integral component of governance, risk, and compliance (GRC)
• The collision of cloud platforms and traditional systems pressures enterprises to better handle IAM
• Mixtures of SaaS with internal applications, such as ERP and CRM

IT Security Market in the Middle East

IT Security (SW & Appliance) Spending in the Middle East (2010) = US$ 210 Mn

[Pie chart: Secure Content & Threat Management 67.7%; Identity & Access Management and Security & Vulnerability Management 18.1% and 13.8%; Others 0.4%]

Secure Content & Threat Management Software forms the largest segment of the market:
• Network security - firewalls, VPNs
• Endpoint security - client anti-virus & anti-spyware, endpoint DLP
• Messaging security - anti-malware, content filtering
• Web security - web filtering, web anti-malware, Web 2.0 security

Fastest growing categories:
• Identity & Access Management Software - password management, single sign-on (SSO), etc.
• Security & Vulnerability Management - compliance, risk management, patch management, etc.

Source: IDC Gulf States Software and Security Market Report 2009

IT Security Spending Outlook - Middle East

Total IT Security Spending (SW & Appliances), Middle East (US$ Million)

• 2010: 210
• 2011F: 237
• 2012F: 272
• 2013F: 310
• 2014F: 354

YoY growth labels shown on the chart: 12.4%, 14.8%, 14.0%, 14.2% (growth axis 5% to 15%)

Source: IDC Gulf States Software and Security Market Report 2009

CIO Viewpoints on Security

CIO/IT Head's Strategic Priorities 2011

Q. What are your ICT expenditure priorities over the next 12 months? 1 means lowest priority and 5 means highest priority.

[Chart: mean priority per item, scale 3.6 to 4.5; values not shown. Items, in chart order:]

• Increased availability and performance of IT supporting business systems
• Standardization of technology infrastructure, applications and processes
• Alignment of applications to specific business metrics
• Better communication with customers
• Improved security of information and information systems
• Analysis and reporting of internal decision data
• Streamlining of internal business processes
• Improved insight into customer trends
• Cost control within the organization

Source: IDC Middle East CIO Survey (Dec 2010/Jan 2011), N=97

CIO/IT Head's Technology Priorities 2011

Q. Which of the following technologies are you scoping for projects in 2011? (Multiple responses)

[Chart: share of respondents per technology, scale 0% to 100%; values not shown. Technologies, in chart order:]

• Virtualization (server, storage, network,…
• Business intelligence and analytics
• Unified Communications and/or video conferencing
• Mobility technologies
• BCDR (Business Continuity and Disaster Recovery)
• Integrated network, compute and storage…
• Managed services or outsourcing
• Cloud Computing
• WAN optimization/Application acceleration
• 360 security
• Customer care and analytics
• Green IT and sustainability (energy savings, cost…
• Intelligent/Smart networks
• Open source technologies
• Social media or New media
• BPO (Business Process Outsourcing)

Source: IDC Middle East CIO Survey (Dec 2010/Jan 2011), N=97

CIO/IT Head's Challenges with Security

Q. What are your key challenges with regards to investment in security solutions?

[Chart: share of respondents per challenge, scale 0% to 25%; values not shown. Challenges, in chart order:]

• Lack of skills
• Lack of support from business / senior management
• Complexity: staying ahead of the threat landscape
• Budget constraints
• ROI of security regarded as low
• Identifying appropriate solutions / partners
• Vendor support
• Lack of awareness / education
• Regulatory compliance
• Lack of technology
• Managing client/employee expectations

Source: IDC-Symantec CIO Study 2010, N=37

Challenges with Security Policy Implementation

Q. What is the primary reason that hinders the proper implementation of an IT security policy?

[Chart: share of respondents per reason, scale 0% to 80%; values not shown. Reasons, in chart order:]

• Non-existence of policy
• Employees do not receive proper training in terms of the security policy
• User rights change constantly, making it hard to have a proper security policy in place
• Policy is too complex for employees to follow
• Others

Source: IDC IT Security Roadshow 2011 Dubai

Essential Guidance


• The dynamics around "Virtual, Mobile, Social" require a new way of thinking about security: security in a virtualized environment; device management and mobile security.

• Raise awareness of the security implications of Virtualization & Cloud: the traditional approach to network security, identity & access, etc. may not be sufficient. If your organization is planning for Cloud, get involved.

• Take the lead on Data Loss Prevention seriously: don't wait for incidents; start small with endpoint solutions; IT should take the lead on data classification and look for easy wins to begin.

• Align security strategies & policies with fast-evolving business needs

• Benchmark & incorporate best practices; enforce policies

• Educate, Educate, Educate!! - not just the average user but also senior management

Image Source: Scott Adams

Thank you!

Questions?

Contact:

Ranjit Rajan, Research Director - Software, IDC Middle East, Africa and Turkey
[email protected]
