Sunday 31 May 2015

The Art of Effective POC – Part 1 (Pre-POC)


Today technology plays the most important role in meeting strategic business objectives. Over the last 5 to 10 years there has been a significant increase in IT and security budgets. Technologies are now being considered for NEW BUSINESS INITIATIVES by organizations' management. Today most organizations are heavily dependent on technology.

A wrong selection of technology might have a significant negative impact on strategic business objectives.

Q: How to select the RIGHT TECHNOLOGY or PRODUCT?
A: An effective POC (Proof of Concept).
Q: What is a POC?
A: A testing procedure to ensure that a technology or product is suitable for a particular business environment.

I would not say an effective POC needs a long duration; rather, I would say an effective POC MUST follow the steps mentioned below.
Sr | Phase    | Steps
---|----------|--------------------------------------------------
1  | Pre POC  | • Identify business requirement and its weightage
   |          | • Multiple products & feature analysis
   |          | • Organization's budget vs cost
   |          | • Product in architecture
2  | Phase 2  | • Test users
   |          | • Test scenario
   |          | • Simulate test scenario in
3  | Post POC | • Evaluate weightage score
   |          | • Walk through to CISO
   |          | • Risk communication
   |          | • Decision

This blog focuses on Pre POC; I will post blogs on phase 2 and phase 3 in the coming days.

Identify business requirement and its weightage:
Needless to say, one must decide the destination before starting the journey. Effective requirement gathering helps the decision maker decide without any stress. Here I have given an approach that helps an organization evaluate the POC result in a qualitative manner once the POC is completed. Requirements with higher weightage, or in the CRITICAL and HIGH categories, cannot be compromised: the product MUST meet such requirements.
An organization may choose either of the two methods, weightage or category.

Sr. | Requirement   | Weightage | Category
----|---------------|-----------|---------
1   | Requirement 1 | 30%       | CRITICAL
2   | Requirement 2 | 20%       | HIGH
3   | Requirement 3 | 15%       | MEDIUM
4   | Requirement 4 | 10%       | MEDIUM
5   | Requirement 5 | 10%       | MEDIUM
6   | Requirement 6 | 10%       | MEDIUM
7   | Requirement 7 | 5%        | LOW
    | TOTAL         | 100%      |

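As an added example (not part of the original post), the following Python scores a POC result against the weightage table above and enforces the rule that CRITICAL and HIGH requirements cannot be compromised; the product names, observed results and the 0-to-1 result scale are constructed assumptions.

```python
# Added example (not from the original post): weighted POC scoring with a hard
# gate on CRITICAL/HIGH requirements. Results and product names are constructed.
from dataclasses import dataclass

MUST_MEET = {"CRITICAL", "HIGH"}   # these categories cannot be compromised

@dataclass(frozen=True)
class Requirement:
    name: str
    weight: float    # fraction of 100 %, e.g. 0.30
    category: str    # CRITICAL / HIGH / MEDIUM / LOW

# Mirrors the weightage table above (sums to 100 %).
REQUIREMENTS = [
    Requirement("Requirement 1", 0.30, "CRITICAL"),
    Requirement("Requirement 2", 0.20, "HIGH"),
    Requirement("Requirement 3", 0.15, "MEDIUM"),
    Requirement("Requirement 4", 0.10, "MEDIUM"),
    Requirement("Requirement 5", 0.10, "MEDIUM"),
    Requirement("Requirement 6", 0.10, "MEDIUM"),
    Requirement("Requirement 7", 0.05, "LOW"),
]

def validate_weights(reqs, tolerance=1e-9):
    """Weights must total 100 %; a mis-summed sheet silently skews every score."""
    total = sum(r.weight for r in reqs)
    if abs(total - 1.0) > tolerance:
        raise ValueError(f"weights sum to {total:.0%}, expected 100%")

def evaluate(reqs, observed):
    """observed maps requirement name -> POC result in [0.0, 1.0] (1.0 = met).
    Returns (weighted score out of 100, CRITICAL/HIGH requirements not fully
    met). A non-empty second element disqualifies the product whatever its score."""
    validate_weights(reqs)
    score, failed_must = 0.0, []
    for r in reqs:
        result = observed.get(r.name, 0.0)   # not observed => treated as not met
        if not 0.0 <= result <= 1.0:
            raise ValueError(f"{r.name}: result {result} outside 0..1")
        score += r.weight * result
        if r.category in MUST_MEET and result < 1.0:
            failed_must.append(r.name)
    return round(score * 100, 1), failed_must

def rank(reqs, products):
    """products: {product name: observed dict}. Qualified products come first,
    by score descending; disqualified ones follow, each with its gaps."""
    rows = [(name, *evaluate(reqs, obs)) for name, obs in products.items()]
    return sorted(rows, key=lambda row: (bool(row[2]), -row[1]))
```

The ranking deliberately places a product that scores 90% but misses one HIGH requirement below a qualified product with a lower score, which is the point of the category method.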
Multiple products & feature analysis (preferably 2 or more for POC)
Never consider a SINGLE product for a POC. Nowadays all companies are designing products with lots of features which not only meet business requirements but are also quite user friendly and come with lots of add-ons, I would say value-added features. Each product vendor has its own fact sheet or comparison sheet against its competitors.

Budget vs Cost
It is good to compare your budget with the product cost. You may not want to spend time on a POC if the cost is higher than the budget. It is very important to consider the various costs, e.g. Capex, Opex, yearly support, license cost, type of license, hardware cost, etc. It is always ideal to prepare a Capex and Opex cost summary for 3 years.

Sr | Description                                        | Capex    | Opex     | Remarks
---|----------------------------------------------------|----------|----------|--------
1  | Year 1: Hardware (3 servers)                       | 2,00,000 | 50,000   |
   | Year 1: Product license for 100 users (100*5000)   | 5,00,000 | -        |
   | Year 1: Installation                               | 1,00,000 |          |
2  | Year 2: Yearly support                             |          | 2,00,000 |
3  | Year 3: Yearly support                             |          | 2,00,000 |
   | Total                                              | 8,00,000 | 4,50,000 |

Capex: capital expense, for the betterment of the business.
Opex: operating expense, occurs every year.
Negotiate hard and make sure that you include everything, including training for the IT team and users, etc.

Architecture
Prepare a high-level network architecture diagram. Identify where the product is going to sit in the network and how data or requests are going to flow, understand its relationship with other network components and analyze the impact.

With this you are almost DONE with Pre POC preparation.
I shall also share the COMPLETE POC TEMPLATE IN XLS format in the "Post POC (Phase 3)" blog.

Hope this will be helpful to all.

Saturday 9 May 2015

Security Considerations while Procuring BYOD Solutions for Mobile Phone

Bring Your Own Device (BYOD) is the latest trend in many companies. Business requirements for working from home, accessing e-mail 24*7, instant customer support, etc. are increasing, and the future trend looks like this will continue to increase.

In early 2010, most companies were using BlackBerry as the company-provided mobile phone. A few months later smartphones took over almost the entire BlackBerry market. Smartphones have made life easy, user friendly and cost effective. Companies realized the ongoing cost of the BlackBerry server, user licenses, device cost and service cost. From a security perspective, BlackBerry is reasonably secure due to the many security policy options available on the BlackBerry server, but too costly compared to a smartphone.

Further, it is also a headache for the IT team to manage the inventory of such mobile devices. There are other issues as well, e.g. finance has to maintain the book value and depreciation if a device is lost or stolen, the IT team has to maintain Asset Allocation Forms, repair faulty devices, coordinate with the vendor, follow the purchase procedure, etc. After all these headaches and spending lots of money, business users are still not satisfied, due to the quality of the company phone and the restrictions and controls over the company-provided phone.

Just to avoid these many hurdles and to save cost, many companies have started allowing users to use their own smartphone devices. However, I have seen many companies implement a BYOD policy without even thinking of "Information Security Risk".

Risk Assessment (without implementing any BYOD security solution)

Threat: Information leakage through BYOD
Vulnerabilities:
  • No segregation between "Corporate Information" and "Personal Information"
  • The user can download any attachment onto the BYOD phone's memory card
  • In case of user separation, the IT team cannot delete files stored on a personal memory card
  • A single user can configure the company's e-mail account on multiple mobile phone devices without the IT/Security team's knowledge
Business Risk: There is a risk of information sharing (intentional or unintentional) with an unauthorized person or competitor due to the absence of security controls over BYOD mobiles; this may lead to loss of business or reputation.

I hope the above table is enough to alert business stakeholders to information security assurance. No firewall can help prevent information leakage if this is not taken care of.

So many security companies have developed BYOD security solutions. It is important for the company's security officer to choose the right solution to protect information. When we think of allowing user-owned devices for official purposes, the following MUST be taken care of:
  1. Ensure the company's information is protected on the user-owned device
  2. Ensure the user's privacy. At the end of the day it is the user's device; the company has no right to monitor what is stored on the user's mobile phone.

Most recognized BYOD security solutions provide THE MOST IMPORTANT SECURITY FEATURE, CALLED SECURE CONTAINER.

Such a tool creates a "Corporate Space" within the phone memory to segregate the company's information from personal information. Users access the "Corporate Space" through the BYOD client installed on their device. The magic of this control is: "the user cannot copy and paste any information from 'Corporate Space' to 'Personal Space'".

The following are the TOP 10 security controls that MUST be considered in your BYOD security solution:

  1. Secure Container
     As mentioned above. Please don't even do a POC if the solution does not provide a secure container feature. All business e-mail attachments are to be stored in the corporate space only and not in the personal space. Copy and paste should not be allowed from the corporate space to the personal space.
  2. Restrict screenshot
     No screenshots in the corporate space.
  3. Integrate with the company's central authentication control
     The BYOD security solution should be able to integrate with the company's AD to access e-mails. This feature reduces the IT team's headache of maintaining a separate user management system.
  4. Remote wipe-out
     In case of theft or loss, the company's IT team should be able to wipe out the device remotely without anybody's intervention.
  5. Selective wipe-out
     There should be an option of "Selective wipe-out" to wipe only the "Corporate Space". No personal data should be wiped out.
  6. Password Policy
     A few BYOD security solutions ask for a "Password" while accessing corporate e-mails. This is separate from the phone lock password.
  7. Device Restriction
     The user should be restricted to configuring the company's e-mail account on only ONE device. In case a user attempts to configure another device, the BYOD security solution should prevent it and throw an alert to the security administrator.
  8. Audit Logs
     Various logs:
       • Last sync date and time
       • Device details, e.g. mobile number, IMEI, etc.
       • Activity logs
       • Security logs
       • User ID and e-mail ID
     Also check log retention, access to logs, security of logs, etc.
  9. Compatibility
     Does your solution support iOS, Android, Windows Phone, etc.?
  10. User's Private Data
     BYOD solutions should not access the user's private space. The solution should respect the user's privacy.
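As an added example (not part of the original post), the following Python shows what the alert side of control 7 looks like when built from the audit log fields of control 8: it parses sync records and flags any user whose corporate mail has been synced, or attempted, from more than one device. The log line format, the device identifiers and the sample lines are constructed assumptions, not any vendor's real format.

```python
# Added example (not from the original post): detection logic for control 7
# (one device per user) over sync logs of the kind listed under control 8.
# The line format and the sample lines below are constructed for illustration.
import re
from collections import defaultdict

# Constructed format: "<timestamp> sync user=<id> device=<id> status=<ok|denied>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sync user=(?P<user>\S+) device=(?P<device>\S+) status=(?P<status>\w+)$"
)

SAMPLE_LOG = """\
2015-05-09T08:01:12Z sync user=alice device=DEV-A1 status=ok
2015-05-09T08:05:40Z sync user=bob device=DEV-B1 status=ok
2015-05-09T12:17:03Z sync user=bob device=DEV-B2 status=denied
2015-05-09T13:02:55Z sync user=carol device=DEV-C1 status=ok
2015-05-09T13:40:00Z sync user=alice device=DEV-A1 status=ok
this line is malformed and must not crash the parser
"""

def parse(log_text):
    """Yield (timestamp, user, device, status); lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("user"), m.group("device"), m.group("status")

def devices_per_user(records):
    """Map user -> {device: (last sync time, last status)}. Denied attempts are
    kept too: a second device being configured is itself the signal."""
    seen = defaultdict(dict)
    for ts, user, device, status in records:
        seen[user][device] = (ts, status)   # lines are assumed in time order
    return seen

def multi_device_alerts(log_text, max_devices=1):
    """Return one alert per user whose corporate mail was synced (or attempted)
    from more than max_devices devices, so the security administrator can check
    which enrolment is legitimate. Alerts are sorted by user."""
    alerts = []
    for user, devs in devices_per_user(parse(log_text)).items():
        if len(devs) > max_devices:
            alerts.append({"user": user, "devices": sorted(devs.items())})
    return sorted(alerts, key=lambda a: a["user"])
```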

The security checklist can be further enhanced by the BYOD security solution vendor and the security officer based on need. Once the solution is implemented, the organization's HR team rolls out the BYOD policy with eligibility criteria, dos and don'ts, etc.

There are lots of BYOD security solutions in the market; generally the CISO function should lead the BYOD security solution assessment.

Hope this will be useful.

Saturday 2 May 2015

Business Information @ Risk @ Dropbox or Similar Personal Storage Sites

Dropbox… an amazing piece of software that came onto the market somewhere around 2007. It has been in the limelight for the last three to four years for features like file storage, file sharing, file collaboration and mobility (access anywhere, anytime).

In simple language, do anything with your data anytime and anywhere. Wow. I have seen many companies start using this as a cost-effective collaboration tool where multiple users work on the same files.

One of the MOST MOST user-friendly features is "Multi Platform Support". It works on Microsoft Windows, Mac OS X, Linux, Android, iOS, BlackBerry OS, Windows Phone and web browsers.

Every technology has its own BENEFITS and RISKS.

Legal and Regulatory Risk:
Dropbox's data centers and data storage are located in some part of the world. If you are in the financial industry or a BPO, KPO or IT/ITES services company dealing with customers' or end users' PII (Personally Identifiable Information) or Sensitive PII (SPII), you could be at serious risk if you use Dropbox for business operations or processes. A few legal concerns could be:

  • Does your country's law or regulation allow storing citizens' PII or SPII outside the country's borders?
  • Have you communicated to your customers where their PII or SPII is going to be stored and how it is going to be protected?

There could be serious legal and regulatory implications if this is not taken care of.

Data Retention:
Many people believe that "delete means deleted permanently", but they forget the backup tapes where data lies for many years.

I am 100% sure every organization has its own data retention policy based on the type of industry and legal and regulatory requirements. The objective of a data retention policy is to flush old or no longer required data out of the environment completely. However, I would also like to see this from a "risk mitigation" perspective. The moment you have flushed out data, you have mitigated your organization's risk of "intentional or unintentional leakage of information". No organization would be happy if its data got leaked (no matter whether it is 7 or 10 years old). At the end of the day, the data could be PII, SPII or any customer report.

I have seen many business-level agreements where the customer wants the service provider to destroy data as soon as the engagement is over.

But the case is very different with data stored on Dropbox.

Have a look at the Retention section: it indicates Dropbox is not bound to delete or destroy your customer's data even if your engagement with the customer is over. So the RISK here is that your customer's data is still lying on Dropbox backup tapes. It further implies that they are bound only to follow their own "data retention policy". This could lead to customer dissatisfaction and reputation loss if data gets leaked from Dropbox servers.
Accessibility:
As I said, the most most user-friendly feature. But to me this is the most most serious "Business Information Leakage Risk". Dropbox is available for almost every platform. You can access Dropbox from any device.

"Internal employees are the biggest threat to the organization"

Let's take an example.

A person called Bob is a Sr. Executive managing multiple key customer accounts at XYZ Company. The company has provided Bob with a laptop and a smartphone to work remotely. Due to global business, the company has decided to use Dropbox for file sharing and collaboration.

One day Bob forgot to carry his (company-provided) smartphone, so he used his personal smartphone to access the company's information stored on Dropbox.
The BIGGEST RISK is that the company's information has been downloaded to a personal device without anybody's knowledge and without any traceability.

Now let's assume a case where Bob is a disgruntled employee.
The BIGGEST RISK could be that Bob can download all the company's information stored on Dropbox without anybody's knowledge and without any traceability. This is as good as theft of information, and it can be sold for misuse.

User Management:
Most companies have a central authentication server to grant and revoke access. If any person leaves, you can simply disable or delete the user ID on the central authentication server.

But with Dropbox this becomes cumbersome. You have to manually delete or disable access. This method is definitely prone to human error. If this is not followed, Bob would enjoy all his access even after no longer being part of the organization. Dropbox does have an "Events" feature that shows recent events, but if a user is only viewing information, I don't think any "Event" would be triggered.
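One compensating check for the manual-revocation problem above, as an added example that is not part of the original post: reconcile the member list exported from the sharing service against the central directory and report every member who is not an enabled directory user. The domain, the directory snapshot and the member list are constructed, and the check is deliberately independent of any particular service's API.

```python
# Added example (not from the original post): an access reconciliation check for
# the user-management risk above. The central directory is the authoritative
# source; any sharing-service member not backed by an enabled directory user is
# a finding. Domain, users and member list are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class DirectoryUser:
    email: str
    enabled: bool    # False once HR/IT has disabled the leaver's account

CORPORATE_DOMAIN = "xyz.example"   # constructed stand-in for XYZ Company

# Constructed snapshot of the central authentication server.
DIRECTORY = [
    DirectoryUser("alice@xyz.example", True),
    DirectoryUser("bob@xyz.example", False),   # Bob has left the company
    DirectoryUser("carol@xyz.example", True),
]

# Constructed export of the sharing service's team member list.
SHARING_MEMBERS = [
    "alice@xyz.example",
    "Bob@xyz.example",              # still a member: revocation was missed
    "carol@xyz.example",
    "dave@xyz.example",             # unknown to the directory
    "partner@othercorp.example",    # external account inside the team
]

def reconcile(directory, members, corporate_domain=CORPORATE_DOMAIN):
    """Return findings by category; all-empty lists mean access matches the
    directory. Comparison is case-insensitive on the e-mail address."""
    enabled = {u.email.lower() for u in directory if u.enabled}
    disabled = {u.email.lower() for u in directory if not u.enabled}
    findings = {"disabled_in_directory": [], "not_in_directory": [], "external": []}
    for email in sorted({m.lower() for m in members}):
        if email in enabled:
            continue                        # expected: active employee
        if email in disabled:
            findings["disabled_in_directory"].append(email)
        elif not email.endswith("@" + corporate_domain):
            findings["external"].append(email)
        else:
            findings["not_in_directory"].append(email)
    return findings
```

Run on a schedule, each finding becomes a revocation ticket, which turns the error-prone manual step into something that is at least caught.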

Your organization's name on Dropbox's website:

This is very clear; no further explanation needed. But the question that arises is: "Is this acceptable to your organization? What if your customers come to know? How are customers going to react? What immediate response comes to your mind if your customer reacts negatively?" Just think…

As of now I can see these FOUR KEY RISKS; these risks also apply to other sites/services that we generally call personal storage sites.

If I had to use Dropbox, I would use it only for sharing PUBLIC-classified information. I would NEVER EVER put my personal contacts, personal information or any confidential information on it.

Hope this will be useful.