Category archive: compliance

SmartRules® DLP Thwarts Email Distribution of Confidential Info

New Zealand-owned cloud email security and hosting company SMX has released SmartRules DLP, designed to safeguard confidential information against unauthorized email distribution.

SmartRules DLP (Data Loss Prevention) is one of a number of new service improvements currently being rolled out by SMX, following research and development support from Callaghan Innovation.

SMX’s co-founder and chief technology officer, Thom Hooker, says the R&D funding has enabled SMX to accelerate software development in several key areas. He says SmartRules® DLP has been given urgent priority, following the recent security breaches experienced by Government organizations.

“SMX is the leading cloud email security solution used by Government organizations with around 60 Government sector customers,” Thom Hooker says. “SmartRules® DLP meets the most stringent compliance requirements with easy-to-use rule building and related compliance processes.”

“Email makes it very easy for employees to accidentally – or intentionally – send sensitive documents to recipients outside the organization,” Hooker says. “By deploying SMX’s SmartRules® DLP, customers can define rules to block and report on employees attempting to send sensitive documents externally. SmartRules® DLP can be configured to detect visible data as well as scanning for hidden metadata. The use of hidden metadata tags inside documents makes it harder for users to subvert DLP rules looking for visible text – that is, by changing the document name.”

Hooker says SMX’s SmartRules® DLP can also detect sensitive content embedded in archives – such as .zip, .rar, .tar, .gz, and so on – and can be configured to block emails containing archives that cannot be opened – for example, password protected or unknown document types.
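The detection approach Hooker describes (rules over visible text, a classification tag carried in hidden document metadata, recursion into archives, and blocking archives that cannot be opened) can be sketched in a few dozen lines. The following is an added Python example written for this page, not SMX code: the rule names, the "Classification" custom property, the sample documents and the hand-patched "encrypted" archive are all constructed for illustration.

```python
from __future__ import annotations
import io
import re
import zipfile

# Constructed rule set (illustrative, not SMX's): what counts as sensitive visible text.
VISIBLE_PATTERNS = {
    "confidential marker": re.compile(r"\bCONFIDENTIAL\b", re.I),
    "SSN-shaped number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
# Hidden-metadata rule: Office files are zip containers whose docProps/custom.xml can
# carry a classification property; renaming the file leaves that property in place.
CLASSIFICATION_TAG = re.compile(
    r'name="Classification"[^>]*>\s*<[^>]+>\s*(Confidential|Restricted)\s*<', re.I)
ALLOWED_TYPES = {".txt", ".docx", ".zip"}
MAX_NESTING = 3
XML_TAG = re.compile(r"<[^>]+>")


def scan_attachment(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Return the rule violations for one attachment (empty list means clean)."""
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot >= 0 else ""
    if ext not in ALLOWED_TYPES:
        return [f"{name}: unknown document type"]
    if depth > MAX_NESTING:
        return [f"{name}: archive nested too deeply to inspect"]
    if ext == ".txt":
        text = data.decode("utf-8", "replace")
        return [f"{name}: {rule} in visible text"
                for rule, pat in VISIBLE_PATTERNS.items() if pat.search(text)]

    # .docx and .zip are both zip containers; anything that cannot be opened is blocked.
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{name}: archive cannot be opened"]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose flag bit 0: entry is encrypted
                return [f"{name}: password-protected archive"]
            member = zf.read(info.filename)
            if ext == ".zip":
                findings += scan_attachment(f"{name}/{info.filename}", member, depth + 1)
            elif info.filename.startswith("docProps/"):
                if CLASSIFICATION_TAG.search(member.decode("utf-8", "replace")):
                    findings.append(f"{name}: classification tag in hidden metadata")
            elif info.filename == "word/document.xml":
                text = XML_TAG.sub(" ", member.decode("utf-8", "replace"))
                findings += [f"{name}: {rule} in visible text"
                             for rule, pat in VISIBLE_PATTERNS.items() if pat.search(text)]
    return findings


def evaluate_message(attachments: dict[str, bytes]) -> tuple[str, list[str]]:
    """Apply the rules to every attachment; a single finding blocks the message."""
    findings = []
    for name, data in attachments.items():
        findings += scan_attachment(name, data)
    return ("block" if findings else "allow"), findings


# --- constructed sample inputs -------------------------------------------------
def _zip_bytes(members: dict[str, str | bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for arcname, content in members.items():
            zf.writestr(arcname, content)
    return buf.getvalue()


def make_docx(body: str, classification: str | None = None) -> bytes:
    """Constructed minimal .docx containing only the parts the scanner inspects."""
    parts = {"word/document.xml": f"<w:document><w:body><w:p><w:t>{body}</w:t></w:p></w:body></w:document>"}
    if classification:
        parts["docProps/custom.xml"] = (
            '<Properties><property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="2" '
            f'name="Classification"><vt:lpwstr>{classification}</vt:lpwstr></property></Properties>')
    return _zip_bytes(parts)


def make_encrypted_zip() -> bytes:
    """Constructed: a zip whose headers claim PKZIP encryption. zipfile cannot write
    encrypted entries, so bit 0 of the general-purpose flags is set by hand."""
    raw = bytearray(_zip_bytes({"secret.txt": "irrelevant"}))
    raw[6] |= 0x01                               # first local file header starts at offset 0
    raw[raw.rfind(b"PK\x01\x02") + 8] |= 0x01    # the matching central directory entry
    return bytes(raw)


def demo() -> dict[str, tuple[str, list[str]]]:
    """Scan each constructed attachment on its own; returns name -> (action, findings)."""
    samples = {
        "notes.txt": b"Lunch menu for Friday",
        "photo.docx": make_docx("Team offsite pictures", classification="Confidential"),
        "hr_list.docx": make_docx("Employee 123-45-6789"),
        "bundle.zip": _zip_bytes({"inner.docx": make_docx("Cat pictures", "Restricted")}),
        "locked.zip": make_encrypted_zip(),
        "report.xyz": b"whatever",
    }
    return {name: evaluate_message({name: data}) for name, data in samples.items()}
```

Because Office documents are themselves zip containers, one opener serves both .docx and .zip, and the metadata rule catches the renamed "photo.docx" that no filename or visible-text rule would. A production scanner would also cap the uncompressed size it is willing to inflate so a crafted archive cannot exhaust the gateway.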

Another significant new enhancement to the SMX Cloud Email Security Suite, Hooker says, will be beefing up the SMX email hosting platform with enterprise-grade security, reliability and new features. SMX will offer 100 percent availability, as well as enterprise-ready tools such as shared calendars, online data storage similar to Dropbox, global address books and support for ActiveSync to sync contacts, emails and calendars with mobile devices.

AvePoint DocAve Update Adds SharePoint Governance Automation Features

AvePoint announced the latest version of DocAve Governance Automation, Service Pack (SP) 2. DocAve Governance Automation SP2 allows business content owners to make content move or copy requests directly within SharePoint or through a newly enhanced graphical user interface that promotes a more intuitive, user-friendly experience.

Governance Automation enables organizations to close the custom code gap created by homegrown governance solutions, by providing Service Catalog Offerings such as site collection provisioning, site provisioning, site collection lifecycle management, permissions management, and now, content move or copy requests.

Through an automated approval process and execution, business content owners can now request to move, copy, and restructure SharePoint sites, content, and topology within or across SharePoint environments while maintaining valuable metadata, security and versioning.

“An organization’s SharePoint environment is only as good as its ability to govern the users and content it supports. Governance Automation SP2 provides unique business advantages that redefine SharePoint as a service, allowing organizations the ability to more effectively deliver business-critical workloads and truly monitor and track what is being done in SharePoint on a daily basis,” said George Petrou, Chief Technology Officer at AvePoint. “Governance Automation is another piece to help solve the enterprise collaboration puzzle, providing organizations with the information management solutions to meet their needs now and in the future.”

Governance Automation SP2 addresses evolving information governance policies and organizational change management by enabling end users to submit content move or copy requests through an enhanced user interface or directly within Microsoft SharePoint via a webpart, giving business users the ability to submit requests on their own, increasing ease of use and productivity.

Enhanced features include:

  • Content Move or Copy Service Request: Within a single request and through a fully auditable approval process, business content owners have the ability to comprehensively move, copy and restructure SharePoint sites, content, and topology, along with their corresponding security settings and metadata, across SharePoint farms. Governance Automation also provides developers the ability to request sample production data for use in development or testing environments, for increased application reliability and improved quality assurance. Requests are then automatically executed by Governance Automation, optimizing operational efficiency and proactively protecting against compliance infractions, thereby enabling your IT resources to perform higher business value activities while ensuring content is only changed by those with the proper permissions to do so.
  • Newly designed graphical user interface (GUI): Designed to mirror SharePoint 2013 and Microsoft Windows 8 style, the newly designed GUI provides users with a simple but contemporary workspace that is effective either as a standalone tool or as a webpart in SharePoint.  Governance Automation’s new GUI was designed for improved usability and intuitive user interaction in order to promote end user adoption and resolve ambiguity around requesting services from IT administrators.

DocAve Governance Automation SP2 is generally available today, March 5, 2013. For more information visit AvePoint’s website.

SaaSID Releases CAM 2.0, Adding Audit Dashboard for Security, Compliance

Web application security provider SaaSID has launched Cloud Application Manager 2.0 (CAM), the latest version of its browser-based authentication, management and auditing solution. CAM 2.0’s comprehensive audit report is now displayed in CAM Analytics, an intuitive dashboard that provides clear visibility of Web application use throughout an organization. The new software simplifies administration of authentication, feature controls and password management to help CIOs comply with data security regulations, standards and internal policies, by making it easier to govern, monitor and audit every user interaction with Web applications.

CAM 2.0’s comprehensive suite of dashboards in CAM Analytics provides at-a-glance graphics, showing managers exactly how employees are interacting with Web applications and associated corporate data, regardless of whether employees are working on company workstations or personally-owned computing devices. Detailed analytics provide managers with a complete overview of Web application use and the ability to drill down into reports for additional information. Activities such as exporting customer lists, or attaching sensitive files to Webmail, are tracked and clearly displayed for compliance. A range of graphic elements show social media activity and interactions with corporate applications, providing managers with complete visibility of departmental and individual use of Web applications.

CAM 2.0 users can now be authenticated and logged into Web applications from the SaaSID server. This server-side authentication improves security by ensuring that log-in credentials are protected from malware that might be present on an unsecured device. Users do not know their login details, so they cannot write them down, share them, or access managed applications from unprotected devices. Once CAM 2.0 has authenticated a user, the session is handed to the device and the user works with the application as normal.

Additional new features within CAM 2.0 include:

  • The new Restriction Learning feature which allows in-house IT staff to apply their own restrictions to application features. The simple GUI allows administrators to test the effect of restrictions prior to implementation.
  • Support for more two factor authentication solutions, including offerings from RSA, Vasco and ActivIdentity.
  • The new Password Wizard which learns the workflow for Web application authentication processes, enabling automated password resets. Organisations can use this new feature to change passwords at chosen intervals and to enforce strong password security for all Web applications managed by CAM 2.0: saving administration time and support costs, without impeding productivity.

CAM is a browser extension that goes beyond single sign-on (SSO) by enabling IT staff to manage Web application features according to employee roles. CAM assists organisations in maintaining security and compliance when they adopt Web applications and implement bring your own device (BYOD) programmes, by creating a comprehensive audit trail of all employee interactions with these Web applications.

To request a free trial or a demo of SaaSID’s CAM 2.0, see www.saasid.com.

AvePoint’s DocAve 6 Service Pack 2 Enhances SharePoint, Office 365 Support

AvePoint today announced the general availability of DocAve 6 Service Pack (SP) 2, the next generation of the management platform for SharePoint governance, with expanded SharePoint 2013 and Office 365 support.

Designed to increase business productivity without sacrificing security and compliance, DocAve 6 SP2 will support the migration, protection, and administration of data in your SharePoint 2013 environment, whether it’s on-premises, in the cloud, or a hybrid deployment. DocAve 6 SP2 supports migration into the latest online or on-premises SharePoint release from a variety of legacy sources, including previous versions of SharePoint, file shares, EMC Documentum, Lotus Notes, and Open Text (Livelink).

Making the move to SharePoint 2013 is just the beginning. DocAve 6 SP2 extends SharePoint’s native capabilities, enabling application development, scalable storage, compliance and records management, and geo-distributed collaboration with confidence. New SharePoint capabilities such as business intelligence, eDiscovery, mobile device support, and social computing are also focuses of DocAve 6 SP2, as AvePoint continues its quest to enable customers to take advantage of the latest platform releases that Microsoft has to offer.

“As with each previous release, AvePoint is focused on ensuring that our more than 10,000 customers worldwide have all of the tools necessary to realize the full potential of Microsoft SharePoint 2013,” said George Petrou, Chief Technology Officer at AvePoint. “The landscape of business collaboration is ever-changing, and now more than ever organizations need a trusted solution to help them overcome any challenges that may arise. With DocAve 6 SP2, our customers can remove the roadblocks to enterprise-wide collaboration.”

DocAve 6 is built entirely on Microsoft technologies and standards, including .NET, WCF, and Silverlight, utilizing only fully supported Microsoft methodologies and APIs. With robust protection, management, optimization, integration, compliance, reporting, and migration capabilities for SharePoint, DocAve is the enterprise-class management platform for SharePoint governance.

DocAve 6 SP2 is generally available to customers today, February 20. For more information about all of the new features and functionality in DocAve 6 SP2, please visit http://www.avepoint.com/docave6/.

Mimecast: Email Regulation Issues Leaving Businesses Confused

Corporate email archiving and retention policies are muddled and unclear, with many businesses leaving themselves exposed to potential litigation or compliance issues, according to new research launched today by Mimecast®, the leading supplier of cloud-based email archiving, security and continuity for Microsoft Exchange and Office 365.

The research, which surveyed IT managers on their organizations’ email policies and archiving practices, found that just 20 percent of businesses (23 percent globally) retain archived email for three years or more, with one in four businesses (25 percent U.S.; 26 percent globally) admitting that they do not have a clear policy on retaining email at all.

Key findings:

  • Email retention policies are often ad hoc or based on guesswork – Just
    one in four IT departments (30 percent U.S.; 26 percent globally) have
    an email retention policy designed to comply with industry regulations:

    • Forty-one percent of businesses surveyed (43 percent globally) say
      their archiving policies are based on ‘internal best practice’
      with no consideration given to industry or country specific
      regulations
    • Six percent of U.S. and global businesses admit to deciding their
      email retention policy around a ‘random future date’ with ‘no
      basis’
  • eDiscovery for email is a major area of concern – Many
    businesses are not confident that they would be able to identify all
    emails relating to a specific customer in a timely manner:

    • On average, it would take a U.S. business 15 working days to
      identify all emails relating to a potential litigation
    • Eighteen percent of U.S. businesses do not think they would be
      able to comply with this kind of email eDiscovery request within a
      month
  • Concern around email compliance – IT departments are concerned
    that they are leaving their businesses exposed:

    • Just one in four (24 percent U.S.; 27 percent globally) IT teams
      are ‘completely confident’ that their email policies comply with
      all relevant regulations
    • Forty-eight percent (46 percent globally) are ‘mostly confident’
      with 34 percent (23 percent globally) ‘minimally confident’ or
      ‘not at all confident’

“Taking fifteen days to identify all relevant emails sent and received by a client is a massive and unnecessary resource drain,” said Jim Darsigny, CIO, Brown Rudnick LLP. “For IT departments, managing and enforcing email policies can no longer be an ad-hoc approach as the risk potential and time wasted is too high to ignore. In our organization, the cloud enables our business to significantly reduce the pain, costs and resources normally dedicated to sourcing archived email data. With a solid email eDiscovery strategy in place, we are not only able to better serve our clients, but we can also more accurately assess their level of risk.”

“IT departments can and should be doing more to protect their organizations by adopting a more rigorous approach to email archiving,” said Eliza Hedegaard, Account Director Legal, Mimecast. “However, the businesses I speak to are not being helped by a regulatory system that is incredibly confusing and difficult to navigate. Regulators should be helping businesses by simplifying the regulatory framework and putting greater emphasis on clearly communicating what organizations need to do in order to comply instead of adopting scare tactics that focus on what will happen if organizations fall foul of the rules.”

 


LogRhythm Partners with VMware to Automate Regulatory Compliance in Virtualized Environments

LogRhythm today announced that it has partnered with VMware to contribute to its newly introduced VMware Compliance Reference Architectures, a set of resources including solution guides and design architectures intended to simplify compliance for business-critical applications in the cloud era. As part of this initiative, LogRhythm has published the LogRhythm Solution Guide for Payment Card Industry (PCI), an addendum to the VMware Solution Guide for PCI. The LogRhythm solution addendum is a QSA-reviewed guide that outlines how the company’s SIEM 2.0 platform complements existing VMware security capabilities to help customers assure PCI compliance when virtualizing mission-critical business applications with VMware vSphere®.

“Security and compliance are top concerns for organizations seeking to virtualize critical business systems such as PCI payment processing,” said Parag Patel, vice president, Global Strategic Alliances, VMware. “We’re committed to helping customers address these concerns on their journey to the cloud, and partners like LogRhythm extend our native security capabilities to make this possible. Through our solution guides, VMware and LogRhythm are delivering a validated roadmap that details how organizations can achieve PCI compliance in virtualized environments.”

LogRhythm’s SIEM 2.0 platform delivers the visibility and insight needed to detect, defend against and respond to increasingly sophisticated cyber threats, efficiently meet compliance requirements, and proactively respond to operational challenges. The company provides out-of-the-box compliance solutions that enable organizations to meet their requirements for log data collection, review, archive, reporting, and alerting under mandates such as PCI, HIPAA, NERC-CIP, GLBA, Sarbanes-Oxley, GPG 13, and other regulatory regimes. LogRhythm’s PCI compliance package features specific investigations, alarms and reports designed to meet PCI reporting requirements, and directly addresses or augments at least 80 individual PCI controls. With fully integrated file integrity monitoring, advanced multi-tenant support, robust reporting, and rapid search and drill-down capabilities, LogRhythm is an ideal solution for addressing PCI compliance requirements in virtual environments. LogRhythm can ensure that sensitive data, such as credit card account information, is not inappropriately accessed by shared virtual resources or unauthorized individuals. LogRhythm is field-proven in numerous deployments where the solution is being used to automate and assure regulatory compliance in virtual environments.

“We’re very pleased to have been selected by VMware to help address the compliance requirements of customers moving their critical systems to virtual and private cloud environments,” said Matt Winter, vice president corporate and business development at LogRhythm. “LogRhythm has a significant track record helping customers meet their regulatory compliance obligations in virtual, physical and hybrid environments. Our compliance capabilities dovetail well with VMware’s native security offerings to create a robust and comprehensive solution. With the VMware Solution Guide for PCI and LogRhythm’s addendum solution guide, organizations can have confidence that there is a detailed, validated path to maintaining PCI compliance in virtualized environments.”

The LogRhythm Solution Guide for PCI has been reviewed by Coalfire, an independent Qualified Security Assessor specializing in IT audit, risk assessment and compliance management, and is available for download on the LogRhythm website and VMware Solution Exchange.


A More Practical View of Cloud Brokers

The conventional view of cloud brokers misses the need to enforce policies and ensure compliance

During a dinner at VMworld organized by Lilac Schoenbeck of BMC, we had the chance to chat about cloud and related issues with Kia Behnia, CTO at BMC. Discussion turned, naturally I think, to process. That could be because BMC is heavily invested in automating and orchestrating processes. Despite the nomenclature used (business process management), for IT this is a focus on operational process automation, though eventually IT will have to raise the bar and focus on the more businessy aspects of IT and operations.

Alex Williams postulated the decreasing need for IT in an increasingly cloudy world. On the surface this generally seems to be an accurate observation. After all, when business users can provision applications a la SaaS to serve their needs do you really need IT? Even in cases where you’re deploying a fairly simple web site, the process has become so abstracted as to comprise the push of a button, dragging some components after specifying a template, and voila! Web site deployed, no IT necessary.

While this may be true from a technical-difficulty perspective (and if we say it is, it is for only the smallest of organizations), there are many responsibilities of IT that are simply overlooked and, as we all know, underappreciated for what they provide, not the least of which is being able to understand the technical implications of regulations and requirements like HIPAA, PCI-DSS, and SOX – all of which have some technical aspect to them and need to be enforced, well, with technology.

See, choosing a cloud deployment environment is not just about “will this workload run in cloud X”. It’s far more complex than that, with many more variables that are often hidden from the end-user, a.k.a. the business peoples. Yes, cost is important. Yes, performance is important. And these are characteristics we may be able to gather with a cloud broker. But what we can’t know is whether or not a particular cloud will be able to enforce other policies – those handed down by governments around the globe and those put into writing by the organization itself.

Imagine the horror of a CxO upon discovering an errant employee with a credit card has just violated a regulation that will result in Severe Financial Penalties or worse – jail. These are serious issues that conventional views of cloud brokers simply do not take into account. It’s one thing to violate an organizational policy regarding e-mailing confidential data to your Gmail account, it’s quite another to violate some of the government regulations that govern not only data at rest but in flight.

A PRACTICAL VIEW of CLOUD BROKERS

Thus, it seems a more practical view of cloud brokers is necessary; a view that enables such solutions to consider not only performance and price, but the ability to adhere to and enforce corporate and regulatory policies. Such a data center hosted cloud broker would be able to take these very important factors into consideration when making decisions regarding the optimal deployment environment for a given application. That may be a public cloud, it may be a private cloud – it may be a dynamic data center. The resulting decision (and options) are not nearly as important as the ability for IT to ensure that the technical aspects of policies are included in the decision making process.

And it must be IT that codifies those requirements into a policy that can be leveraged by the broker and ultimately the end-user to help make deployment decisions. Business users, when faced with requirements for web application firewalls in PCI-DSS, for example, or ensuring a default “deny all” policy on firewalls and routers, are unlikely to be able to evaluate public cloud offerings for their ability to meet such requirements. That’s the role of IT, and even wearing rainbow-colored cloud glasses can’t eliminate the very real and important role IT has to play here.
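As an added illustration of the policy-first broker argued for above (example code written for this page, not F5’s or BMC’s): IT codifies regulatory and organizational requirements as named controls, each candidate environment declares which controls it can actually enforce, and the broker filters on those hard constraints before it ranks the survivors on cost and latency. The control mapping, the environment catalog and the workloads are constructed for illustration; the PCI-DSS and HIPAA control sets are deliberately simplified and not a complete mapping of either standard.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Illustrative (not complete) control mapping: the technical controls a placement must
# provide before a workload subject to each regulation may land there.
REGULATORY_CONTROLS = {
    "PCI-DSS": frozenset({"web_application_firewall", "default_deny_firewall",
                          "encryption_in_transit", "encryption_at_rest", "audit_logging"}),
    "HIPAA": frozenset({"encryption_at_rest", "encryption_in_transit",
                        "audit_logging", "business_associate_agreement"}),
}


@dataclass(frozen=True)
class Environment:
    name: str
    kind: str                 # "public", "private" or "datacenter"
    region: str
    controls: frozenset       # controls the environment can enforce
    hourly_cost: float
    latency_ms: float


@dataclass(frozen=True)
class Workload:
    name: str
    regulations: tuple = ()
    allowed_regions: frozenset = frozenset()
    org_controls: frozenset = frozenset()   # the organization's own written policy


@dataclass
class Decision:
    workload: str
    chosen: str | None
    ranked: list = field(default_factory=list)     # eligible environments, best first
    rejected: dict = field(default_factory=dict)   # environment -> policy reasons


def required_controls(w: Workload) -> set:
    """Union of the organization's controls and every applicable regulation's controls."""
    req = set(w.org_controls)
    for reg in w.regulations:
        if reg not in REGULATORY_CONTROLS:
            raise ValueError(f"no control mapping for {reg}")
        req |= REGULATORY_CONTROLS[reg]
    return req


def policy_violations(w: Workload, env: Environment) -> list:
    """Hard constraints: reasons the environment may NOT host this workload."""
    reasons = []
    if env.region not in w.allowed_regions:
        reasons.append(f"region {env.region} not permitted")
    missing = required_controls(w) - env.controls
    if missing:
        reasons.append("missing controls: " + ", ".join(sorted(missing)))
    return reasons


def broker(w: Workload, envs: list, cost_weight: float = 0.7) -> Decision:
    """Filter on policy first, then rank survivors on normalized cost and latency."""
    eligible, rejected = [], {}
    for env in envs:
        reasons = policy_violations(w, env)
        if reasons:
            rejected[env.name] = reasons
        else:
            eligible.append(env)
    if not eligible:
        return Decision(w.name, None, [], rejected)   # no compliant home: stay local
    max_cost = max(e.hourly_cost for e in eligible)
    max_lat = max(e.latency_ms for e in eligible)
    scored = sorted((cost_weight * e.hourly_cost / max_cost
                     + (1 - cost_weight) * e.latency_ms / max_lat, e.name) for e in eligible)
    return Decision(w.name, scored[0][1], [name for _, name in scored], rejected)


# --- constructed catalog and workloads ----------------------------------------
PCI = REGULATORY_CONTROLS["PCI-DSS"]
CATALOG = [
    Environment("public-cheap", "public", "us-east",
                frozenset({"encryption_in_transit", "audit_logging"}), 0.05, 40),
    Environment("public-compliant", "public", "us-west", PCI | {"change_control"}, 0.12, 60),
    Environment("eu-public", "public", "eu-west", PCI | {"change_control"}, 0.11, 120),
    Environment("private-cloud", "private", "us-east",
                PCI | REGULATORY_CONTROLS["HIPAA"] | {"change_control"}, 0.30, 10),
]
US = frozenset({"us-east", "us-west"})


def demo() -> dict[str, Decision]:
    """Place three constructed workloads; returns workload name -> Decision."""
    workloads = [
        Workload("marketing-site", (), US | {"eu-west"}, frozenset({"encryption_in_transit"})),
        Workload("card-checkout", ("PCI-DSS",), US),
        Workload("patient-portal", ("HIPAA",), US),
    ]
    return {w.name: broker(w, CATALOG) for w in workloads}
```

The cheapest environment wins only when nothing in policy rules it out: the card-checkout workload is kept off the cheap public cloud because it lacks a WAF, default-deny filtering and encryption at rest, and the HIPAA workload lands in the private cloud because that is the only place offering a business associate agreement. The rejected map is what the business user sees, so the placement decision explains itself rather than silently picking a cloud.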

The role of IT may be changing, transforming, but it is no way being eliminated or decreasing in importance. In fact, given the nature of today’s environments and threat landscape, the importance of IT in helping to determine deployment locations that at a minimum meet organizational and regulatory requirements is paramount to enabling business users to have more control over their own destiny, as it were. 

So while cloud brokers currently appear to be external services, often provided by SIs with a vested interest in cloud migration and the services they bring to the table, ultimately these beasts will become enterprise-deployed services capable of making policy-based decisions that include the technical details and requirements of application deployment along with the more businessy details such as costs.

The role of IT will never really be eliminated. It will morph, it will transform, it will expand and contract over time. But business and operational regulations cannot be encapsulated into policies without IT. And for those applications that cannot be deployed into public environments without violating those policies, there needs to be a controlled, local environment into which they can be deployed.


Lori MacVittie is a Senior Technical Marketing Manager, responsible for education and evangelism across F5’s entire product suite.

Prior to joining F5, MacVittie was an award-winning technology editor at Network Computing Magazine. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.

She is the author of XAML in a Nutshell and a co-author of The Cloud Security Rules.

 


Avoid the Security Umpire Problem

Have you ever been part of a team or committee working on an initiative and found that the security or compliance person seemed to be holding up your project? They just seemed to find fault with anything and everything and just didn’t add much value to the initiative? If you are stuck with security staff that are like this all the time, that’s a bigger issue that’s not within the scope of this article to solve.  But, most of the time, it’s because this person was brought in very late in the project and a bunch of things have just been thrown at them, forcing them to make quick calls or decisions.

A common scenario is that people feel that there is no need to involve the security folks until after the team has come up with a solution.  Then the team pulls in the security or compliance folks to validate that the solution doesn’t go afoul of the organization’s security or compliance standards. Instead of a team member who can help with the security and compliance aspects of your project, you have ended up with an umpire.

Now think back to when you were a kid picking teams to play baseball.  If you had an odd number of kids then more than likely there would be one person left who would end up being the umpire. When you bring in the security or compliance team member late in the game, you may end up with someone that takes on the role of calling balls and strikes instead of being a contributing member of the team.

Avoid this situation by involving your Security and Compliance staff early on, when the team is being assembled.  Your security SMEs should be part of these conversations.  They should know the business and what the business requirements are.  They should be involved in the development of solutions.  They should know how to work within a team through the whole project lifecycle. Working this way ensures that the security SME has full context and is a respected member of the team, not a security umpire.

This is even more important when the initiative is related to virtualization or cloud. There are so many new things happening in this specific area that everyone on the team needs as much context, background, and lead time as possible so that they can work as a team to come up with solutions that make sense for the business.