IBMSaaSAssist

SaaS & Security
Using SaaS security software to gain an advantage
Guy Clapperton
What can an ISV do to reassure prospects of the security of their code? (ISVs welcome to comment!)
PeterJopling
look at secure DevOps, designer malware is platform specific
PeterJopling
finding bugs as you write code saves time and money at the pre-production phase
PeterJopling
you also need to secure the app binary against advanced malware
Guy Clapperton
Useful thoughts. Are these specific to the cloud or were they issues before, with on-premise?
PeterJopling
designer malware targets mobile devices primarily
Jim Adam
Developing an app with security in mind applies to both
Guy Clapperton
What are your concerns regarding EU General Data Protection Regulation and the Cloud?
Mike Spradbery @ IBM
isn't this a case for the UK to stay in the EU??
PeterJopling
cross border and sovereignty need to be accommodated
Guy Clapperton
@MikeSpradbery (GETS POPCORN, PULLS UP CHAIR)
PeterJopling
make sure you have a Data Controller in place as they're accountable for your data
Mike Spradbery @ IBM
@The_SaaSsist regulation more simple across borders? businesses say stay http://www.itv.com/n... @itv
Guy Clapperton
@MikeSpradbery So does the President of the USA - there are certain controversies about this, so I understand.
Mike Spradbery @ IBM
yes... just a thought, not necessarily my position! but will impact Cloud & regulation I think
Guy Clapperton
What are the security considerations of using Public Cloud Platforms?
Mike Spradbery @ IBM
who owns data, where is it stored, how backed-up, who can access, who can audit...
PeterJopling
make sure the service is legitimate and not a bogus site
Mike Spradbery @ IBM
are mobile apps secure, is data in transit secure, privileges, data retention...
PeterJopling
look at the T&Cs regarding the data, you may lose control
Guy Clapperton
Also the SLAs and exit agreements seem important to me. Remember 2E2 going belly-up a few years back?
Guy Clapperton
...you do need to know what happens when a company ceases to exist - that's true of private and hybrid, too.
PeterJopling
Where's the site hosted? There may be local legal issues with data retention/access by 3rd parties
Guy Clapperton
@PeterJopling Yes. The US Patriot Act is well known but are there other examples?
PeterJopling
ensure the site complies with the regulations for your business
PeterJopling
PCI compliance for retail
Guy Clapperton
The Internet of Things will have its effect on security as objects can be hacked. Has anyone come up against this yet?
Mike Spradbery @ IBM
yes; interesting, esp where safety is more important than security
Mike Spradbery @ IBM
also, some #IOT devices have very long life, 10+ yrs. Makes future-proofing hard
Guy Clapperton
@The_SaaSsist Imagine being able to hack the emergency services' vehicles. But is there substance to this or is it panic?
Guy Clapperton
What are your concerns regarding the Cloud threats from malware/Zeroday attacks?
PeterJopling
detecting zero day needs advanced heuristics and analytics
PeterJopling
threat actors are constantly changing the malware to evade signature-based detection
Mike Spradbery @ IBM
who is likely to have better protection, your org or the cloud provider?
PeterJopling
ensure the service utilises horizon-based detection and a real-time update service
PeterJopling
Most legacy IOT devices, i.e. process control, were never designed to be IP enabled/secured
PeterJopling
Look at the 3rd party compliance to Security and what's the DR plan
Guy Clapperton
DR meaning disaster recovery - a good point.
Guy Clapperton
The crowd has been relatively quiet but I hope the insights on offer have been valuable. The entire chat will be available online afterwards.
Mike Spradbery @ IBM
MEAP - mobile enterprise application platform, provides security and much more
Guy Clapperton
What can third parties do to reassure people about the security of their mobile solutions?
Mike Spradbery @ IBM
use a MEAP to detect hacked apps, block jailbroken devices, provide encryption...
Guy Clapperton
Let's pretend I don't know stuff...what's a MEAP?
Jim Adam
You'll need measures at app, data and device level
PeterJopling
BYOD adds greater flexibility to the organisation, beware of Jailbroken and older OS on devices
Guy Clapperton
@PeterJopling I know very few tech support people who really welcome BYOD all that enthusiastically.
PeterJopling
@MikeSpradbery MDM is critical for BYOD
Jim Adam
@PeterJopling Mobile Device Management
Jim Adam
@PeterJopling What can you do with MDM to protect yourself?
PeterJopling
that's because they may not understand that technology can reduce the risk considerably
Mike Spradbery @ IBM
@PeterJopling yes, but often not welcome. Has to be low-touch & low-impact to users
Guy Clapperton
@MikeSpradbery Even if something's high impact, they'll accept it if someone has explained it properly. It's the "unexplained complex upgrade" that causes most of the friction, I find.
PeterJopling
@The_SaaSsist make sure the OS is up to date, and be aware of free wifi hotspots!