Information Week 2012-05-07

7/31/2019 Information Week 2012-05-07

1/19

May 7, 2012

THE BUSINESS VALUE OF TECHNOLOGY

15th Annual Strategic Security Survey

From clouds to mobile to software development, threats can be found everywhere. We'll help you prioritize.

By Michael A. Davis

Plus:
Bring your own cloud
Teradata acquires marke
Wish list for Apple's iOS 6
Infor remade in Oracle's

informationweek.com

CONTENTS

THE BUSINESS VALUE OF TECHNOLOGY May 7, 2012 Issue 1,332

This all-digital issue of InformationWeek is part of our 10-year strategy to reduce the publication's carbon footprint.

COVER STORY

10 Pick Your Battles: Some threats are more dangerous than others. Our Strategic Security Survey offers guidance on where to focus your efforts.

QUICKTAKES

6 Infor's Oracle Makeover: The CEO of Infor, Charles Phillips, is remodeling it in the image of his old company

8 Apple Wish List: What we'd like to see in the next version of Apple's mobile operating system

9 Digital Marketing Deal: Teradata's acquisition shows the rising importance of marketing technology

3 Research And Connect: InformationWeek's in-depth reports, events,

4 CIO Profiles: There's more we can do to transform busine
mobile, says Sybase's CIO

5 Global CIO: The world is quickly moving from bring you
to bring your own cloud

CONTACTS

18 Editorial Contacts
19 Business Contacts

Resources to Research, Connect, Comment

INFORMATIONWEEK REPORTS

Links
Top Th
Hackti
crimin
threats
our sur
are fig
implementing continuous monitoring and t
informationweek.com/gogreen/042312gov

GET INFORMATIONWEEK GOVER

Federal Government Cybersecurity: Just released
Amazon S3: Web Hosting On The Cheap: Just released
NoSQL Everywhere? Not So Fast: Just released
Boost Security Via FFIEC Compliance: Just released
IT Spending Priorities: Coming May 14
Mobile Security: Coming May 14

NEVER MISS A REPORT

State Of Storage: We highlight technologies that might not yet be on your radar and offer advice as you plan your 2012 storage strategy. informationweek.com/reports/storage2012

Safeguard VM Disk Files: Get our best practices for backing up virtual machine disk files and building a resilient infrastructure. informationweek.com/reports/vmbackups

Integrated Security Services: Find out how to choose a security partner without getting burned. informationweek.com/reports/integrated

Monitor Your Cloud Providers: IT pros must find ways to measure the performance of cloud providers. The challenge is to define a strong governance model for cloud offerings while ensuring that security is maintained. informationweek.com/reports/cloudmonitor

Manage ID In The Public Cloud: As companies' use of public cloud-based services increases, identity management becomes a more complicated issue for enterprise IT professionals. informationweek.com/reports/cloudid

Get our 800-plus reports at reports.informationweek.com

MORE INFORMATIONWEEK

Next Steps In Cybersecurity
In this InformationWeek Government v
experts will assess the state of cybers
government. It happens May 24.
informationweek.com/gov/cyberevent

Enterprise 2.0 Conference
The Enterprise 2.0 Conference brings t
experts to explore the latest innovatio
social software, analytics, and more. In
e2conf.com/boston

FOLLOW US ON TWITTER AND FA
@informationweek fb.com/inform

What you need to know. Now.
Download Our Free iPad App

CIO PROFILES

JIM SWARTZ, VP of IT and CIO, Sybase

Degrees: Muskingum College, BA in political science

Leisure activities: I volunteer at a state park, where I help visitors and patrol trails on horseback

Best book read recently: Steve Jobs, by Walter Isaacson. It improved my appreciation of the reality distortion field and the intersection of technology and the humanities

If I weren't a CIO, I'd be ... a cowboy heading into the sunset

CAREER TRACK

How long at Sybase: 11 years

Career accomplishment I'm most proud of: Creating an environment where IT is a test bed and first adopter of the technology the company sells. IT interacts with engineering to give feedback for product development before general availability.

Most important career influencer: Dr. J.R. Beyster, founder of SAIC, taught me that although my team and I may make many mistakes, we'll certainly fail if we're not afforded the opportunity to correct them. New ideas leading to success often come from the corrections.

Decision I wish I could do over: I wish I'd given more attention to how the separation of people's personal and business lives has become blurred by the introduction of new technologies, such as mobility and the real-time access to information. There's a lot more we can do to transform business processes by thinking mobile first.

ON THE JOB

IT budget: $52 million

Size of IT team: 200

Top initiatives:

>> Moving Sybase onto SAP Business Suite. We'll retire our legacy business applications in favor of adopting the systems and many of the processes of our parent company. This will give us the best tools to sustain our growth.

>> Extending mobile device management to include new flavors of operating systems, in support of our bring-your-o
gram. We'll expand our supp
Android, RIM, and Windows

How I measure IT effective
satisfaction is a great indica
community at large at least
gauge how we're doing and
to improve.

VISION

One thing I'm looking to do
better collaboration. Comm
be simple and direct.

What the federal governm
priority should be: Digitize
allow digital signatures. In th
would improve process time
and save money. In the long
would allow the governmen
and intelligence from the da
doable from a technology p

Ranked No. 38 in the 2011

GLOBAL CIO

Google Drive: Bring Your Own Cloud Is Here

I recently interviewed Chris Yeh, VP of platform for Box, about the big news that Google has entered the cloud storage market with Google Drive. I took notes on my iPad using the Penultimate handwriting app, and when I was done, I backed the file up to Dropbox, a cloud storage rival for Box.

To let my far-flung colleagues know I was writing this column, I posted a message to our Google Groups message board, an online app that lets staff writers and our dedicated freelancers see what everyone's working on.

Did I mention we're a Microsoft collaboration software shop? So when I wanted to know if my much-faster colleagues had filed their Google Drive articles yet, I IM'd an editor using Microsoft Messenger, and he sent me their stories using Microsoft Entourage email. I wrote this column in Word. To post to InformationWeek.com, I pasted the text into a Web-based content management system, TeamSite. I used Quark software to publish in this digital magazine.

Is this insane? To get these 600 words to you, I used two consumer cloud services, one enterprise cloud service, and three on-premises enterprise software packages.

Actually, I think this is increasingly common, and office workers at your company would tell similar stories of piecing together enterprise and consumer software to get their jobs done. And I'm not complaining; I felt incredibly efficient using all these tools. This is just reality in a world that's fast moving from bring your own device to bring your own cloud.

BYOC pressure will force IT to deal with cloud storage, whether it's Google Drive, Microsoft SkyDrive, Apple iCloud, Dropbox, Box, or some other. All these services let people save files online, access them from different devices, and share them with other people. All of them offer some level of free storage, with additional storage and in some cases administrative controls for business IT (for a price).

Yeh, of Box, thinks one of the make-or-break factors for business adoption of cloud storage will be which services build healthy developer communities and close ties with other software-makers. Remember that backup I did of my notes to Dropbox? I used Dropbox because the Penultimate app has an integration with Dropbox. Box has sim
taking app PaperPort Note

Yeh says Box isn't fretting G
try; it's validation of the
terizes Drive as an extensi
appealing mostly to heavy u
ductivity apps. Box position
player completely focused o
what it needs. Yeh notes tha
led to massive fragmentat
Quickoffice to work in Offi
Expert to mark up PDFs, an
mented world, it's really he
platform-agnostic approach

IT organizations have a lo
ing through features and
that works for the compan
remember is that employe
that process before they
into cloud storage. BYOC h
IT's involved or not.

Chris Murphy is editor of Informatio
by him at informationweek.com/ch
[email protected] or on Twit

QUICKTAKES

LARRY 2.0

Execs Remake Infor In Oracle's Image

Charles Phillips, Oracle's former co-president and now CEO of Infor, reintroduced his company at its recent Inforum customer event in Denver as the world's largest software startup. In reality, it's an old company being remade in the image of Oracle: aggressive, product-oriented, and acquisition-minded.

At about $2.8 billion in revenue, Infor is the third-largest enterprise applications vendor. It started buying up dozens of enterprise applications in 2002, and some of its ERP systems date back to the green-screen era.

Phillips and his lieutenants, many of whom are former Oracle executives, swooped in to redirect the company during the last 16 months. Duncan Angove, one of two former Oracle executives serving as co-presidents (sound familiar?), quipped that there's no truth to the rumor that they're renaming the company Inforacle.

Infor's transformation kicked into high gear when it acquired Lawson Software last July for $2 billion, making Infor the biggest name in ERP after SAP and Oracle. Infor's primary venture capital backer is Golden Gate Capital. Golden Gate and Summit Partners have injected more than $1 billion into the company in the last six months.

The new money has fueled hiring and aggressive growth plans: about 1,700 of the company's 13,000 employees have been hired within the past year, includ
opers to ramp up new prod

Infor's ERP strategy is sp
try. Rivals like Epicor, Mic
SAP also talk up industry-sp
but Phillips says Infor's mu
better cover micro-vertica
for doesn't just serve the f
industry, it has functionality
bakery, and meat processing

Infor isn't alone in offering


10 FEATURES WE WANT

Our Wish List For Apple's Next Mobile Operating System

Apple sold out its Worldwide Developers Conference being held in June in just two hours. Why all the interest? WWDC is where developers learn how to take advantage of Apple's forthcoming desktop operating system, OS X 10.8, dubbed Mountain Lion.

The next version of Apple's mobile operating system, iOS 6, is also being worked on. Whether Apple reveals anything about iOS 6's features at WWDC remains to be seen. But whenever iOS 6 arrives, here are a few features we hope will be included:

Siri API: This would let third-party developers add voice interaction to their apps. While there are ways to write apps that interface with Siri, it would be better to have full Apple support for Siri integration.

Intent system: What are Intents, you ask? They're a way for apps to find out about and communicate with each other. Intents are useful because they allow apps to borrow functions from other apps and exchange data in a standardized way. Apple needs to write its own version of Android Intents. There's already an equivalent project for HTML5, called Web Intents.

Scripting: The Web has ifttt.com. Android has Tasker. What iOS needs is a way to script app actions based on certain conditions. For example, if app A issues a notification, automatically send this type of SMS message. There are ways to enable automation in specific iOS apps, but a condition-monitoring mechanism really ought to be run at the operating system level. Such a system could support listening for external requests to do things like silence your iPhone upon entering a movie theater.

Support for external storage: While iCloud is nice, nothing beats having data in hand; iOS should add support for MicroSD cards.

Auto app updating: If you have a lot of apps on an iOS device, you've probably had days when you had more updates than you do fingers. While this isn't an impossible burden, it would be nice to have the option to let specific apps update themselves in the background automatically during low network usage.

Programmable call handling: Perhaps this could be part of the scripting system. Wouldn't it be nice to be able to rout
people to voice mail at spe
in specific locations?

Configurable audio aler
gle audio notification whe
why not allow the user to cu
played upon receipt of a m

Browser choice: Support
mobile browser plug-ins. A
iOS in, too, should Google
such a beast. Competition
tion and helps users.

Alternate keyboard sup
can make use of innovati
Swype. Should iOS users be
size fits all?

Better (or replaceable)
apps for YouTube, Weathe
functional but uninspired. If
let users uninstall default ap
update its own apps more f
from competition, Apple's n
the way Microsoft Internet
1990s. Thomas Claburn

QUICK FACT: It took 2 hours to sell out Ap

ECIRCLE ACQUISITION

Teradata Deal Points To Social And Mobile Marketing Push

Teradata's acquisition of eCircle, a European digital messaging business, offers the latest sign of how mobile and social are driving a surge in digital marketing.

Like competitors Exact Target, Responsys, and Silverpop in North America and Emailvision in Europe, eCircle delivers digital ads and marketing pitches via email, social channels, and websites. Teradata's digital marketing unit Aprimo already had some of eCircle's capabilities, but Teradata thinks eCircle's technology is more mature and capable.

"The idea is to build out our capabilities and extend our reach into the channels we've been trying to grow into around social, mobile, and the Web," says Teradata CMO and executive VP Darryl McDonald.

Based in Munich, eCircle is a privately held firm with about 1,000 customers and 400 employees, and it will be merged with Teradata's Aprimo unit, expanding that firm's geographic and services footprint. Terms of the deal, expected to close in the next two months, weren't disclosed.

"In addition to mobile and social capabilities, eCircle brings us content-creation and content management capabilities," says Stephanie Miller, VP of digital messaging at Aprimo. That content might include microsites, landing pages, websites, and other mechanisms for interacting with consumers. Of course, all the data generated in digital marketing campaigns has to be gathered and analyzed, and that's where Teradata comes in.

Teradata acquired Aprimo in December 2010 to gain access to deeper digital marketing capabilities, but Aprimo still operates as a standalone business.

In big data-oriented digital marketing, Teradata's Aster Data platform
ing the multistructured d
analyzing email, Web, and
keting campaigns. Aster
doop-style MapReduce pro
in analysis of unstructured,
media comment streams a

Teradata also recently in
data 700 Appliance for SAS
Analytics, the latest from a
ship with SAS. Purpose-b
analysis teams who develo
tomer segments, the ap
tackle within a matter of
analysis that would take
dreds of hours on a conv
server.

In a marketing scenario, fo
using SAS could take adva
700 speed to develop fine
segmentations and mode
sponsive campaigns.

Doug Henschen (dh

COVER STORY

2012 Strategic Security Survey

Pick Your Battles

Some threats are more likely than others. Our survey offers guidance on where to focus your efforts.

By Michael A. Davis

What's the biggest challenge facing security
preventing breaches, meeting compliance dem
vying for executive attention. It's managing co
InformationWeek 2012 Strategic Security Surv
we've been running this study for 15 years, an
never, ever been simple. But over the past deca
have piled up; we have too many fancy techn
ploy and long-winded policies to enforce with

that any of them will reduce risk.

So let's break it down. Prioritize the threats most likely to affect your company. If you try to block every conceivable attack, you'll stretch your people and resources so thin that something is bound to break. Stop worrying about what you can't control or predict and focus like a laser on where you can make an impact. That includes tried-and-true basics like strong access control. It includes taking a hard look at potential cloud providers' security claims, and writing Web apps and business software with an eye toward reducing vulnerabilities. It means being prepared for when a salesperson leaves an iPad in a taxi or has her phone snatched out of her hand.

We'll provide guidance on these areas in this article and go into more depth in our full 2012 Strategic Security Survey report. We'll also delve into what 946 business technology and IT security professionals from companies with 100 or more employees told us in our latest in-depth look at the security landscape.

What's In That Cloud, Anyway?

Our 2012 State of Cloud Computing Survey shows adoption of public cloud on a consistent upward pace; just 27% of 511 respondents from companies with 50 or more employees aren't in the marke
Unfortunately, in 2011, only
gic Security respondents
the security of cloud provi
number jumped to 29%.
14% rely on the self-aud
provide. An example is th
used set of auditing stand

Get This And All Our Reports: Our full 2012 Strategic Security report is free with registration. This report includes 44 pages of action-oriented analysis, packed with 38 charts. What you'll find: security guidance on cloud, mobile, and more; how to get value from collecting security metrics.

Are Mobile Devices A Threat To Your Company's Security?

                               2012   2011
Yes, a significant threat       25%    24%
Yes, a minor threat             21%    20%
Not yet, but they will be       10%    10%
No

Data: InformationWeek Strategic Security Survey of 946 business technology and security professionals at companies with 100 or more employees in March 2012 and 1,084 in March 2011

say attest to controls they have in place.

We don't recommend blindly accepting these reports. One reason is that SSAE 16 attestations contain different sets of scope and system descriptions, so one provider's SSAE 16 may be dramatically different from another's. A better bet? The Cloud Security Alliance explicitly lays out a set of security best practices for cloud providers across a variety of domains, including encryption, data center management, cloud architecture, and application security. The CSA's guidelines are much more prescriptive, and the group offers the Security Trust and Assurance Registry, a free, publicly accessible registry that documents the security controls inherent in various cloud offerings. All providers can submit self-assessment reports that document compliance with CSA-published best practices.

When it comes to cloud computing risks, the most prominent concern among our survey respondents is unauthorized access to or leak of customer information. That's unchanged from 2011. Other top concerns include worries about security defects in cloud technology and the loss of proprietary data.

BYOD Is No Big Deal

Even as the cloud transforms the way IT delivers services to end users, mobile devices are transforming the way end users consume services. And as with any technological upheaval, mobile devices introduce their

ing (see our latest MDM research here).

While we're all for using MDM software, IT must understand its limits. In a heterogeneous bring-your-own-device environment, not every security feature will be available for every device type; there are more than 200 versions of Android in the wild. No MDM vendor could keep up, so shop based on what you support.

Mobile malware is also a risk, though not to the same degree as it is on PCs. For now, the architecture and security controls on smartphones and tablets significantly reduce the impact that mobile malware can have. And because most mobile malware comes disguised as legitimate apps rather than attempting to exploit a software vulnerability within the device's OS, a little prevention goes a long way. Curated app stores, such as Apple's, tend to do a good job of screening out malicious apps. The Android market is more like the Wild West, but Google has been making an effort to remove bad apps. One option is to leverage MDM software that includes application whitelisting, which allows only IT-approved apps to be loaded. However, given that most users own their mobile devices, you may have limited success.

Build Secure Software

Most vulnerabilities that let attackers get in affect Web and desktop software. If your organization writes such applications, you'd better find exploitable flaws before the bad guys do. However, our respondents

aren't exactly optimistic: "Whether an application or architecture is done internally or by a vendor, it is rare that an application is even mostly secure," says a senior systems manager with AT&T, who adds that many products and architectures have yet to catch up with best practices that are a decade and a half old. "And the problem is only getting worse as we adopt cloud. How can we expect vendors who are still stuck in the mid-90s or earlier to give us anything with some semblance of security and integrity in the cloud environment?" he asks.

If that strikes close to home, you're probably among the majority of respondents who have yet to establish a secure software development life cycle (SDLC) and run application security reviews. Thirty-three percent of respondents do use secure SDLCs, with most of them saying the tactic is somewhat or very effective. Why just 33%? We suspect many of those without SDLCs have run into a significant barrier: their developers.

Developers aren't anti-security per se, but they aren't incentivized to care about it. Most live and die by how fast and bug-free they produce new applications or add features to existing apps. They care about functionality and delivery dates. Security doesn't directly support those objectives. Furthermore, most security pros are lost when it comes to communicating with developers. And there are a multitude of SDLC frameworks out there, including agile, waterfall, and scrum; we rarely run across people trained to take an SDLC and customize it to include security components.

That's not to say you should give up. We recommend a two-step process to increase the security of your software. First, focus on training and encouraging developers to use secure coding practices, so that they don't write vulnerable code in the first
wards for bug-free apps. Se
and static source code a
vendors such as Veracode
of your quality assurance p
allow a security or QA tea
tions and identify vulnera
then be remediated befor

While 61% of respondent
opment processes implem
metrics gathered from co

Risky Business: Does your company perform its own risk assessments of cloud service providers?

                                                                             2012   2011
Yes, we conduct our own audits                                                29%    18%
We want to conduct our own audits but providers are generally uncooperative    9%     6%
No, we use providers' self-audit reports                                      14%     9%
No                                                                            15%    28%
We don't use cloud services                                                    3

Data: InformationWeek Strategic Security Survey of 946 business technology and security professionals at companies with 100 or more employees in March 2012 and 1,084 in March 2011

than half of those using secure SDLCs integrate those metrics into developer training. That number should be closer to 100% because it's vital to identify recurring problems; when developers see what mistakes they keep making, they can adjust their practices accordingly.
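As an added example (not from the article or the survey report), here is one way to roll up code-review and static-analysis findings so that the recurring mistakes per developer, which the paragraph above says should drive training, stand out from one-off issues. The CSV export format, the weakness category names and the developer handles are constructed for illustration.

```python
"""Added example, not from the InformationWeek article: aggregate constructed
code-review / static-analysis findings by weakness category and developer so
recurring problems can be fed back into developer training. The export
format, categories and developer handles are assumptions."""
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed findings export: one row per finding.
FINDINGS_CSV = """\
id,date,developer,category,file
1,2012-04-02,alice,SQL injection,web/orders.py
2,2012-04-03,bob,Cross-site scripting,web/templates/view.py
3,2012-04-09,alice,SQL injection,web/reports.py
4,2012-04-11,alice,Hard-coded credential,batch/export.py
5,2012-04-15,carol,Cross-site scripting,web/templates/list.py
6,2012-04-20,alice,SQL injection,web/search.py
7,2012-04-22,bob,Cross-site scripting,web/templates/edit.py
8,2012-04-28,bob,Path traversal,web/download.py
"""


def load_findings(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(StringIO(text)))


def recurring_by_developer(findings, threshold=2):
    """Map developer -> {category: count}, keeping only categories that
    developer has triggered at least `threshold` times (a recurring mistake)."""
    per_dev = defaultdict(Counter)
    for f in findings:
        per_dev[f["developer"]][f["category"]] += 1
    return {
        dev: {cat: n for cat, n in cats.items() if n >= threshold}
        for dev, cats in per_dev.items()
        if any(n >= threshold for n in cats.values())
    }


def training_plan(findings, threshold=2):
    """Return (developer, category, count) triples, highest count first,
    i.e. who needs targeted training on what."""
    rows = []
    for dev, cats in recurring_by_developer(findings, threshold).items():
        for cat, n in cats.items():
            rows.append((dev, cat, n))
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


def team_totals(findings):
    """Category counts across the whole team, for the team-wide curriculum."""
    return Counter(f["category"] for f in findings)


if __name__ == "__main__":
    fs = load_findings(FINDINGS_CSV)
    for dev, cat, n in training_plan(fs):
        print(f"{dev}: {n} x {cat} -> schedule targeted training")
    print("Team-wide:", team_totals(fs).most_common())
```

The per-developer view is what closes the feedback loop the article describes; the team-wide totals are the input to a general secure-coding curriculum. In practice the rows would come from the review tool's export rather than an embedded string.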

Security Insurance

Even if your company does all the right things, it's still possible to get breached. And those breaches can be expensive, particularly if personally identifiable data is stolen. No one wants to have to notify customers and take other steps, such as setting up credit monitoring services.

In response, some companies are turning to cyber-risk or cyber-liability insurance to recover some costs. The way these insurance plans work is simple: Your company implements security policies and processes, then the insurance provider reviews them and places a ranking on the company. Based on the ranking, you pay a premium to receive a certain insurance value.

While it sounds straightforward, the process can be complicated. You know how difficult it is to evaluate the controls of a cloud vendor, so you can imagine what an insurance carrier or agent will have to go through to scope and assess your environment. In general, we think cyber-risk policies are overpriced and generally not worth the cost of the premiums. Survey respondents seem to agree: only 18% have cybe
If your company intend
with this kind of insurance
exercise to stage a mock br
you analyze the types of
stolen and provide a base
potential costs. A mock b
double duty as a test of
sponse program.

Insurance policies will di
and the language and trig
these policies are comple
have lawyers on hand, and
cussions around determi
breach and the resulting
the carrier will pay out. M
cover the cost of fixing sy
cessful attack, for example
count for that in your incid

Most Valuable Practice: A
Security pros chose ident
agement as the most valu
tice in our 2012 survey. Thi
encouraging result, becau
in fact, the most important
every company, yet very
spend enough time on it.
Let's walk through a b

Secure Development: Does your company have a formal secure software development life cycle policy and process?

             2012   2011
Yes           33%    38%
No            44%    46%
Don't know    23%    16%

Data: InformationWeek Strategic Security Survey of 946 business technology and security professionals at companies with 100 or more employees in March 2012 and 1,084 in March 2011

access control is so critical.

A nonadministrative user opens a phishing email on his workstation and is infected by malware. The malware connects to a command-and-control server, and the attacker starts to execute commands on the compromised workstation. In the case of an advanced attacker, the next step might be to upload a tool that looks for weak service account permissions. Or the attacker could look for password hashes on the workstation, in the hopes that an administrator logged in to the workstation at one time and the password hash was left behind. An even easier route is for the attacker to impersonate the user and start browsing through the network.

Each of these attacks can be prevented by access control measures. First, properly configuring permissions on service accounts can prevent a nonadministrative user from escalating his privileges on the workstation. Permissions are a critical portion of identity management, but too often companies focus only on user identities. Permissions are just as important.

The next possible attack vector can be prevented by password management for administrative users. It's easy enough to set policies requiring two-factor authentication for domain administrators or for password rotation to occur in a given timeframe (say, every 30 days) or simply to require a very complex password with 15 or more characters. These policies can thwart password cracking or prevent an attacker from using the password to elevate privileges.

And even if an attacker manages to gain control of the user account on the workstation, other identity management controls can still come into play. One option is negative detection, which looks for actions that users shouldn't be taking based on their roles. For example, if the attacker, posing as the workstation user, attempts to access an accounting file server, but the user is in the engineering department, negative detection controls would alert the security team.
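The negative-detection idea above, as an added example that is not part of the original article: a role-to-server policy is checked against constructed file-server access log lines, and every access a user's department should never make becomes an alert. The directory, policy, and key=value log format are all hypothetical.

```python
import re
from collections import namedtuple

# Constructed identity directory (hypothetical data): username -> department.
DIRECTORY = {"jdoe": "engineering", "asmith": "accounting", "svc-backup": "it"}

# Constructed policy: departments allowed on each file server. Any other
# department reaching a server is an action the user "shouldn't be taking".
SERVER_ROLES = {"acct-fs01": {"accounting", "it"}, "eng-fs01": {"engineering", "it"}}

# Constructed key=value log format, not any real product's schema.
KV_RE = re.compile(r"(\w+)=(\S+)")

Alert = namedtuple("Alert", "timestamp user department server reason")

def parse_line(line):
    """'ts=... user=... server=... share=... action=...' -> dict."""
    return dict(KV_RE.findall(line))

def negative_detection(lines):
    """Return an Alert for every access that falls outside the user's role."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        user, server, ts = ev.get("user"), ev.get("server"), ev.get("ts", "?")
        if not user or not server:
            continue  # malformed line: skip, never crash the pipeline
        dept = DIRECTORY.get(user)
        if dept is None:
            alerts.append(Alert(ts, user, "unknown", server, "user not in directory"))
        elif server not in SERVER_ROLES:
            alerts.append(Alert(ts, user, dept, server, "server has no role policy"))
        elif dept not in SERVER_ROLES[server]:
            alerts.append(Alert(ts, user, dept, server, f"{dept} user reached {server}"))
    return alerts

# Constructed sample: jdoe is the engineering user whose workstation was phished.
SAMPLE_LOG = [
    "ts=2012-03-14T09:12:03Z user=jdoe server=eng-fs01 share=src action=read",
    "ts=2012-03-14T09:15:41Z user=asmith server=acct-fs01 share=GL action=read",
    "ts=2012-03-14T09:16:07Z user=jdoe server=acct-fs01 share=GL action=list",
    "ts=2012-03-14T09:16:09Z user=jdoe server=acct-fs01 share=AP action=read",
    "ts=2012-03-14T09:20:00Z user=ghost server=eng-fs01 share=src action=read",
]

if __name__ == "__main__":
    for a in negative_detection(SAMPLE_LOG):
        print(f"ALERT {a.timestamp} {a.user} ({a.department}) -> {a.server}: {a.reason}")
```

Two of the three alerts are the engineering account touching the accounting server, which is exactly the impersonation case the article describes; the third is an account the directory does not know, which is worth a separate triage queue.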

    Pedestrian tools such as

    word management may la

    citement of more cutting-e

    ucts, but they represent th

    managing risk in a sane wFocus on elements of yo

    that you can control. You c

    when an attacker might co

    or what fancy zero-day m

    with. But those unknow

    much when youve taken s

    most likely risks and put

    those areas. If you have to

    position of strength.

    Michael A. Davis is CEO of consult

Write to us at iwletters@techweb.


Chart: What Security Practices Are Most Valuable To You?

Options shown: Identity or password management; End user security awareness training; Patch management; Log analysis, security information management, vulnerability analysis, or research; Virus or worm detection and analysis

Data: InformationWeek 2012 Strategic Security Survey of 946 business technology and security professionals at org employees, March 2012

(Only two percentages are legible in the scan: 38% and 35%.)


Print, Online, Newsletters, Events, Research

UBM TECHWEB

Tony L. Uphoff CEO

John Dennehy CFO

David Michael CIO

Scott Vaughan CMO

David Berlind Chief Content Officer, TechWeb, and Editor in Chief, TechWeb.com

Ed Grossman Executive VP, InformationWeek Business Technology Network

Martha Schwartz Executive VP, Group Sales, InformationWeek Business Technology Network

Joseph Braue Sr. VP, Light Reading Communications Network

Beth Rivera Senior VP, Human Resources

John Ecke VP of Brand and Product Development, InformationWeek Business Technology Network

Fritz Nelson VP and Editorial Editor, InformationWeek Business Technology Network, and Executive Producer, TechWeb TV

    UBM LLC

    Pat Nohilly Sr.VP, StrateDevelopmentand Business Administra

Marie Myers Sr. VP, Manufacturing

    INFORMATIONWEVIDEO

    informationweek.com/v

    Fritz Nelson [email protected]

    INFORMATIONWEBUSINESSTECHNOLOGYNETWORK

DarkReading.com Security: Tim Wilson, Site [email protected]

READER SERVICES

InformationWeek.com The destination for breaking IT news, and instant analysis

Electronic Newsletters Subscribe to InformationWeek Daily and other newsletters at informationweek.com/newsletters/subscribe.jhtml

Events Get the latest on our live events and Net events at informationweek.com/events

Reports reports.informationweek.com for original research and strategic advice

How to Contact Us informationweek.com/contactus.jhtml

Editorial Calendar informationweek.com/edcal

Back Issues E-mail: [email protected] 888-664-3332 (U.S.), 847-763-9588 (Outside U.S.)

Reprints Wright's Media, 1-877-652-5295 Web: wrightsmedia.com/reprints/?magid=2196 Email: [email protected]

List Rentals Specialists Marketing Services Inc. Email: [email protected] Phone: (631) 787-3008 x3020

Media Kits and Advertising Contacts createyournextcustomer.com/contact-us

Letters to the Editor [email protected] Include name, title, company, city, and daytime phone number.

Subscriptions Web: informationweek.com/magazine Email: [email protected] 888-664-3332 (U.S.), 847-763-9588 (Outside U.S.)

REPORTERS

Doug Henschen Executive Editor

    Enterprise software

    [email protected] 201-660-8467

Charles Babcock Editor At Large

    Open source, infrastructure, virtualization

    [email protected] 415-947-6133

    Thomas Claburn Editor At Large

    Security, search, Web applications

    [email protected] 415-947-6820

    Paul McDougall Editor At Large

    Software, IT services, outsourcing

    [email protected]

    Andrew Conry-Murray Editor At Large

    Information and content management

    [email protected] 724-266-1310

    Marianne Kolbasuk McGee Senior Writer

    IT management and careers

    [email protected] 508-697-0083

    J. Nicholas Hoover Senior Editor

    Government IT, cybersecurity,

    federal IT policy

    [email protected] 516-562-5032

    Eric Zeman

    Mobile and Wireless

    [email protected]

    CONTRIBUTORS

    Michael Biddick [email protected]

    Michael A. Davis [email protected]

    Jonathan [email protected]

    Randy George [email protected]

    Michael Healey [email protected]

    Kurt Marko [email protected]

    EDITORS

    Jim Donahue Chief Copy [email protected]

ART/DESIGN

Mary Ellen Forte Senior Art Director

    [email protected]

    Sek Leung Associate Art Director

    [email protected]

INFORMATIONWEEK REPORTS reports.informationweek.com

    Art Wittmann VP and Director

    [email protected] 408-416-3227

    Lorna Garey Content Director, Reports

    [email protected] 978-694-1681

    Heather Vallis Managing Editor, Research

    [email protected] 508-416-1101

    INFORMATIONWEEK.COM

    Paul Travis Managing Editor

    [email protected] 516-562-5217

Roma Nowak Senior Director,

    Online Operations and Production

    [email protected] 516-562-5274

    Tom LaSusa Managing Editor,

    Newsletters

    [email protected]

    Jeanette Hafke Web Production Manager

    [email protected]

Joy Culbertson Web Producer

    [email protected]

    Nevin Berger Senior Director,

    User Experience

    [email protected]

    Steve Gilliard Senior Director,

    Web Development

    [email protected]

Please direct all inquiries to reporters in the relevant beat area.

Copyright 2012 UBM LLC. All rights reserved.

Rob Preston VP and Editor In [email protected] 516-562-5692

John Foley [email protected] 516-562-7189

Chris Murphy [email protected] 414-906-5331

Art Wittmann VP and Director, [email protected] 408-416-3227

Laurianne McLaughlin Editor In Chief, [email protected] 516-562-7009

Stacey Peterson Executive Editor, [email protected] 516-562-5933

Lorna Garey Content Director, [email protected] 978-694-1681

Fritz Nelson VP and Editorial [email protected] 949-223-3608

Eric Lundquist VP and Editorial Analyst, InformationWeek Business Technology [email protected] 978-289-7306

David Berlind Chief Content Officer, [email protected] 978-462-5315

    ADVISORY BOARD

    Dave Bent

    Senior VP and CIO

    United Stationers

    Robert Carter

    Executive VP and CIO

    FedEx

    Michael Cuddy

    VP and CIO

    Toromont Industries

    Laurie Douglas

    Senior VP and CIO

    Publix Super Markets

    Dan Drawbaugh

    CIO

    University of Pittsburgh

    Medical Center

    Jerry Johnson

    CIO

    Pacific Northwest Natio

    Laboratory

    Kent Kushar

    VP and CIO

    E.&J.Gallo Winery

    Carolyn Lawson

    CIO

    Oregon Health

    Authority

    Jason Maynard

    Managing Director

    Wells Fargo Securities

    Randall Mott

    CIO

    General Motors


Executive VP of Group Sales, InformationWeek Business Technology Network, Martha Schwartz (212) 600-3015, [email protected]

Sales Assistant, Salvatore Silletti (212) 600-3327, [email protected]

SALES CONTACTS WEST

Western U.S. (Pacific and Mountain states) and Western Canada (British Columbia, Alberta)

Western Regional Director, JohnHenry Giddings (415) 947-6237, [email protected]

Strategic Account Director, Mark Glasner (415) 947-6245, [email protected]

Account Manager, Kevin Bennett (415) 947-6139, [email protected]

Account Manager, Ashley Cohen (415) 947-6349, [email protected]

Account Executive, Silas Chu (415) 947-6330, [email protected]

Account Executive, Rose Lin (415) 947-6157, [email protected]

Strategic Accounts

Account Director, Sandra Kupiec (415) 947-6922, [email protected]

Sales Manager, Vesna Beso (415) 947-6104, [email protected]

Account Executive, Matthew Cohen-Meyer (415) 947-6214, [email protected]

SALES CONTACTS EAST

Midwest, South, Northeast U.S. and Eastern Canada (Saskatchewan, Ontario, Quebec, New Brunswick)

District Manager, Jenny Hanna (516) 562-5116, [email protected]

District Manager, Michael Greenhut (516) 562-5044, [email protected]

District Manager, Cori Gordon (516) 562-5181, [email protected]

Account Executive, Kevin McIver (212) 600-3036, [email protected]

Inside Sales Manager East, Ray Capitelli (212) 600-3045, [email protected]

Sales Assistant, Bill Myers (212) 600-3163, [email protected]

Sales Assistant, Ryan Delaney (212) 600-3193, [email protected]

Strategic Accounts

District Manager, Mary Hyland (516) 562-5120, [email protected]

Account Manager, Tara Bradeen (212) 600-3387, [email protected]

Account Manager, Jennifer Gambino (516) 562-5651, [email protected]

Strategic Account Manager, Amanda Oliveri (212) 600-3106, [email protected]

Account Executive, Elyse Cowen (516) 562-3051, [email protected]

Account Executive, Kathleen Jurina (212) 600-3170, [email protected]

Sales Assistant, Michelle Freeman (212) 600-3157, [email protected]

SALES CONTACTS NATIONAL Dr. Dobb's

Sales Director, Michele Hurabiell (415) 378-3540, [email protected]

District Sales Manager, Steven Sorhaindo (212) 600-3092, [email protected]

SALES CONTACTS MARKETING AS A SERVICE

Director of Client Marketing Strategy, Jonathan Vlock (212) 600-3019, [email protected]

Director of Client Marketing Strategy, Julie Supinski (415) 947-6887, [email protected]

SALES CONTACTS EVENTS

Senior Director, InformationWeek Events, Robyn Duda (212) 600-3046, [email protected]

MARKETING

VP, Marketing, Winnie Ng-Schuchman (631) 406-6507, [email protected]

Director of Marketing, Angela Lee-Moll (516) 562-5803, [email protected]

Senior Marketing Manager, Monique Kakegawa (949) 223-3609, [email protected]

AUDIENCE DEVELOPMENT

Director, Karen McAleer (516) 562-7833, [email protected]

Subscriptions: informationweek.com/magazine Email: [email protected] (888) 664-3332 (U.S.); (847) 763-9588 (outside U.S.)

ADVERTISING AND PRODUCTION

Publishing Services Manager, Lynn Choisez (516) 562-5581 Fax: (516) 562-7307

MAILING LISTS

Specialists Marketing Services Inc. (631) 787-3008 [email protected]

REPRINTS AND RIGHTS

For article reprints, e-prints, and permissions, please contact: Wright's Media, (877) 652-5295, [email protected]

Back Issues Phone: (888) 664-3332 (U.S.); (847) 763-9588 (outside U.S.) Email: [email protected]

BUSINESS OFFICE

General Manager, Marian Dujmovits

EDITORIAL OFFICE (Fax) 516-562-5200

United Business Media LLC, 600 Community Drive, Manhasset, N.Y. 11030 (516) 562-5000. Copyright 2012. All rights reserved.
