quick start guide to it security for businesses

www.comptia.org/communities


Q U I C K S TA R T G U I D E

P O W E R E D B Y :


Eight Steps to IT Security SuccessA prActicAl guide for solution providers

www.comptia.org/communitiesP O W E R E D B Y :

2 www.comptia.org/communitieswww.comptia.org/communitiesP O W E R E D B Y :

Eight Steps to IT Security Success

solution provider Jacob K. Braun prefers a reasoned approach when selling it security

to clients. rather than trying to scare clients, Braun appeals to their sense of ethics.

“i ask them: ‘What would your clients say if they knew you didn’t have security in

place?’” says Braun, the president and chief operating officer of Wakadigital Media

corp., a managed services provider (Msp) based in Amherst, MA.

“You can approach it from the fear factor, but the fear factor can backfire pretty quickly,” he says. Scare tactics put clients on the defensive, and that makes it much harder to sell them the solution they need, he adds.

No one really questions the need for security, even if too many clients still don’t have a good grasp of everything it entails, say Braun and others in the IT channel. The onus, therefore, is on solution providers to educate clients on security risks, assess those risks, and address them in a comprehensive way. They also need to ensure their clients comply with a growing set of federal and state data-protection regulations.

“Security is much more than perimeter firewalls and anti-virus protection. A truly secure approach must be multi-faceted and comprehensive,” says Jim Hamilton, senior director of member communities at the Computer Technology Industry Association (CompTIA). CompTIA is based in Downers Grove, IL, and is known as the largest nonprofit trade association in IT.

A truly secure environment provides protection, prevention, and remediation. To achieve all that, say security experts, a security platform has to perform multiple functions in what is called a multi-layer approach: firewalls to control network access, tools that filter Web content and e-mail, encryption protocols, and intrusion prevention and detection. Security also entails policies and tools that control the use of passwords,

mobile and VPN connections, which users access which data, and how to react when a data breach or leak occurs.

The proliferation of cloud-based solutions and technologies such as social networking and virtualization, say security experts, make the already-complex endeavor of securing IT environments even more intricate. New challenges such as protocols for using social media and how to apply security policies to virtualized networks have to be addressed, says Tim Larocque, director of sales at Ottawa-based Interwork Technologies, a distributor of IT security solutions.

“Those are significant challenges that I don’t think most solution providers are taking the time to address,” Larocque says.

step 1: leverage compliance regulations for security growth

Solution providers that take the time to understand security requirements stand to gain from a healthy, growing market. The need for security never goes away. It keeps increasing as hackers find new ways to break into networks.

Market research firm Gartner predicts 4 percent growth in 2010 in security-related software sales and 3 percent in security services. Those are healthy enough numbers,



3

quicK stArt guide IT SecurITy

especially on the heels of a major recession, but MSPs and providers of cloud-based services say they are seeing growth rates of 25 percent or more.

“We’re seeing very, very healthy growth in the security market,” says Larocque. “It’s a very predictable and recession-proof market.” Interwork partners, he says, are enjoying growth rates of as much as 40 to 50 percent.

One major driver, according to IT security experts, is the need for organizations large and small to comply with data protection laws. Businesses that handle sensitive data, be it financial information, medical records or legal documents, have to comply with a growing set of regulations, both at the state and federal levels, imposing strict requirements on how to handle the data.

Federal laws enacted since 1996, such as the Sarbanes-Oxley Act, which applies to accounting practices, and HIPAA (Health Insurance Portability and Accountability Act), which addresses medical records, have created a cottage industry of compliance-focused solutions and services.

Forty-five states and the District of Columbia also have passed regulations designed to prevent breaches and protect privacy. More laws are on the way, including a data breach-prevention bill now under consideration in Washington, D.C.

step 2: don’t ignore the cloud, celebrate it

Next to compliance, the increasing popularity of cloud computing is the biggest driver of the IT security business, say security experts. Gartner predicts cloud-related business will grow to $150 billion in 2013, more than triple what it was two years ago at $46 billion.

Interestingly enough, security and the cloud have a paradoxical relationship, says Earle Humphreys, chief executive officer of ITEEX, a channel development company with a strong focus on security. Many end-user organizations, accustomed to having all their hardware and software on premise, where they can keep a close eye on them, have reservations about tapping the cloud for business-critical applications. They worry about whether their applications and data are secure enough in the cloud. As a result, says Humphreys, some put off cloud computing plans.

“If you take a look at the top reason not to adopt the cloud, it is security,” he says.

Still, and here is the paradox, while security may hamper the adoption of cloud computing, the business of security receives a significant boost once end users decide to go ahead with cloud-based implementations. For one thing, the cloud makes it possible to centralize management of entire IT environments.

on patrol With the comptiA it security communityTo help solution providers stay abreast of developments in IT security, both at the regulatory and business level, CompTIA recently created a collaborative group to foster discussion among peers and share resources.

The CompTIA IT Security community, which developed the CompTIA Security Trustmark business credential, keeps members informed of IT security developments through a regularly updated blog. The community also encourages members to share best practices, help solve collective problems, and build relationships that can lead to valuable partnerships. Members include VARs, managed services providers, distributors, vendors, and other industry experts.

Through the community blog, members have been able to keep track of significant industry discussions, such as the national data-breach legislation proposed in Washington D.C. While different states are addressing specific actions when a data breach occurs, no Federal law has yet been established. Though Congress has discussed the legislation, it’s unlikely that anything will be passed until late 2011. CompTIA is lobbying for passage of the bill on behalf of the industry and will continue to provide frequent updates to the IT Security Community.

The group is also working to establish a code of conduct, a one-page document intended to help members meet their obligations to the industry and their constituents. These responsibilities include the protection of customers and their IT environments, reliable service, and the advancement of community and CompTIA goals. A draft of the code has been distributed to the group, and members are expected to ratify it in short order.

Other activities the group is currently engaged in include creating end user education for compliance and regulations, identifying security issues related to new technologies, developing security education tracks for solution providers, and developing an industry awareness campaign for the CompTIA Security Trustmark business credential.

Find out more about the CompTIA IT Security community at




As a result, security is at least as good or better than in strictly on-premise environments.

In addition, the cloud eliminates most upfront on-premise software and hardware investments, which makes it irresistible to organizations under constant pressure to maximize their IT dollars without adding staff or expensive equipment.

Making the cloud even more attractive from an economic standpoint is that as cloud-based solutions proliferate, the cost of the solutions decreases, says Scott Barlow, vice president of sales and marketing at Reflexion Networks, a vendor of hosted e-mail services based in Woburn, MA.

The cloud is changing the security business, and solution providers are cashing in. The technology itself, be it e-mail filtering, intrusion detection, or anti-virus, often is sold at cost or even at a loss, says Interwork’s Larocque. Providers make up for the upfront loss by packaging the technology with monitoring and management services that they perform remotely and charge users for on a subscription basis.

step 3: Weave security into every opportunity

For solution providers, security is both a requirement and an opportunity. It’s a requirement because of clients’ regulation compliance needs and an opportunity because of those needs and the expansion of the cloud.

So while security traditionally has been considered a specialty in the IT channel, the market dynamics now require at least a basic level of security competency. “Security must be an element of every solution implemented and managed by solution providers,” says Hamilton.

Especially if you’re delivering managed services or hosted solutions, there is simply no way of skirting client security needs. “Security should be sold as part of every MSP sale because security touches everything in a customer’s enterprise,” says Todd Jones, general manager of Watchman Computer Services, a security-focused MSP in Denver, CO.

When taking over part or all of a client’s IT environment remotely through a managed services arrangement or delivering applications over the cloud, solution providers

Master the comptiA security trustmark

Since its launch in 2008, the CompTIA Security Trustmark business credential has become the industry standard for solution providers wanting to assure customers they have the experience and know-how to secure their IT environments.

The vendor-neutral, business-level credential identifies solution providers that follow best practices, established protocols, and documentation methods in delivering security solutions to clients.

For solution providers, there is no better way to stand out from the crowd when delivering security services and technology to clients, says Todd Jones, general manager at Watchman Computer Services, a Denver-based managed services provider.

“Security touches just about everything,” he says. “It’s really important in the marketplace to have a standard of security best practices.”

Earle Humphreys, chief executive officer of Information Technology Executive Exchange (ITEEX), a security-focused channel development organization, says the Security Trustmark program solved a problem in the IT channel. End users often were reluctant to engage solution providers because they had doubts about the providers’ level of expertise in security.

“There was a credibility issue that was hurting vendor sales,” says Humphreys, who worked on contract with CompTIA to help develop the Security Trustmark credential. Now, he says, end-user clients have a reliable way to vet IT security services providers, while the providers stand to get more businesses by achieving a business credential.

To earn the Security Trustmark credential, solution providers have to complete a comprehensive review process that includes an online assessment and the submission of various documents detailing company processes and practices. Security Trustmark applicants also are subject to unannounced audits, and once they receive the credential, they have to undergo an annual review process.

The Security Trustmark business credential differs from the various CompTIA certifications, such as CompTIA A+, CompTIA Network+ and CompTIA Security+, in that it covers an entire organization, versus validating individual competency.

Find out more about the CompTIA Security Trustmark at www.comptia.org/securitytrustmark



5


accept a level of liability that didn’t exist in the old break/fix, project-based client engagements. “If you don’t do some basic security for your client, you’re putting your business at risk,” says Humphreys.

“Security is a discipline. It is part of the fabric, the expertise that you are selling your customer,” says Jones. “Any provider that approaches this as anything else is on the verge of doing a disservice to their customers and short-changing themselves. It is not a ‘bolt-on, set-it and forget it’ product that can be sold, installed, and then you’re on to the next sale.”

To help solution providers meet their security requirements, CompTIA in 2008 launched a business credential, the CompTIA Security Trustmark. The vendor-neutral, business-level credential identifies solution providers that have proven they follow security best practices in accordance with CompTIA standards (see sidebar on page 6). The Security Trustmark gives solution providers credibility, says Humphreys, who worked under contract for CompTIA to develop the Security Trustmark credential.

step 4: embrace best practices

Much like their clients’ networks, solution providers are handling a heavy load when it comes to security. To ensure they do right by their clients, security experts recommend that solution providers adopt certain practices.

Achieving a Security Trustmark credential, say experts, goes a long way to show clients you have the proper expertise and employ the best practices to protect their IT environments. In addition, solution providers should do the following:

• Educate customers

• Perform vulnerability assessments

• Make sure tools from different vendors work together

• Set policies for clients on safe computing practices

• Know security regulations

• Partner with other solution providers for expertise

• Maintain communication with clients

More and more solution providers are giving up on trying to squeeze profits out of IT security technology. But they don’t mind, so long as they get to charge the customer monthly or quarterly fees to deliver security as a service.

Tim Larocque, director of sales at Interwork Technologies, an Ottawa-based distributor of IT security solutions, says deals in which solution providers sacrifice profits upfront in the expectation of future recurring revenue are increasingly common. Over time, the recurring revenue more than makes up for the upfront profit loss, he asserts.

Whether they lump security with an overall managed services package or sell security as separate hosted services as part of a SaaS contract, the primary goal is to establish a recurring revenue stream from the customer. Clients in recent years have warmed up to the idea of paying subscription fees for cloud-based services that would cost a lot more if they had to deploy and maintain the technology on premise.

In addition, handing over to a solution provider that can handle remotely the burdens of updating anti-virus and spam-filtering

subscriptions, maintaining firewalls and managing patch manage-ment keeps in-house IT staffing budgets down and allows compa-nies to better focus on their core business. To be sure, the cloud-based security model is gaining traction, say security providers, but education is still necessary for clients who fear that cloud-based solutions are less secure.

Larocque says Interwork’s most successful partners have concluded that their security focus needs to be on service, not technology. As a result, they are enjoying security business growth rates of as much as 40 to 50 percent, he says.

Scott Barlow, vice president of sales and marketing at Reflexion Networks, a Woburn, MA,-based vendor of hosted e-mail security, is seeing similar trends. Reflexion partners, he says, are enjoying growth rates of 25 percent or more. “We’ve seen significant growth in the past 12 to 18 months,” Barlow says.

Like Larocque, Barlow says he is seeing solution providers bundle their security services into managed services packages that also include remote monitoring and management of PCs, servers, network devices, and applications. Embedding security into man-aged services contracts, says Barlow, makes it easier to address the client’s security needs.

subscription-based it security services gain traction



step 5: re-educate customers

Especially among small and medium-sized business (SMB), network and data security requirements often are only partly addressed, and in the worst cases, almost completely ignored. Business owners, for the most part, understand threats such as viruses and spam, but they lack a comprehensive approach to protect their data, prevent intrusion, and implement policies on how to react to breaches.

“Small businesses are too trusting,” says Jones. “They’re not as a concerned as they need to be. They don’t understand the risk unless you continuously hammer it away at them.”

“Customers need to understand that security is not a technical solution you purchase,” says CompTIA’s Hamilton. “Security is a complex problem that requires a holistic approach to be effective.”

In their role as educators, solution providers also need to point out the economics of security—that breaches can incur high remediation costs and in the worst cases put a company’s future at risk.

“You’re essentially selling insurance,” says Barlow.

Awareness is key, says Larocque. Business owners may lull themselves into thinking their data is safe if a breach hasn’t already happened to them, and as a result, not make the necessary investment. But they don’t realize, for instance, that malware is released every five seconds and an attack on their network could be only a matter of time. Solution providers must impress on clients that security threats are real, relentless, and constantly evolving, Larocque says.

In fact, breaches take place practically daily, as attested by the Web site DatalossDB.org, which lists and documents all reported incidents and the number of records, from zero to the millions, exposed in each case.

“Breaches are a regular occurrence,” says Hamilton. “Customers cannot afford to be blasé about the potential risks.”

step 6: promote regular assessments

Security has to be part of the conversation whenever a solution provider is pitching its offerings to a prospective customer, says Hamilton. “It can’t be sidestepped anymore.”

As such, it’s a good practice to conduct an assessment of the customer’s security environment, including desktops and mobile devices, before deploying any technology. Assessments typically include checking the subscription status of anti-virus and anti-spyware tools and testing existing firewalls for effectiveness.

“It probably wouldn’t take your average VAR more than a day or two to do a basic security assessment for their clients,” says Humphreys.

Depending on the size of the client’s IT environment, an assessment may include vulnerability scanning to identify holes in the network and potential risks related to applications and Web services. Penetration testing to see how easy it is to break into the network may also be advisable.

Assessments should look beyond technology to also cover policies, say security experts. Solution providers may find that a client has no policies in place covering how to react to data breaches or that an organization has never instructed its users not to share their individual network-access information.

Assessment findings should be compiled in a report to share with the client to demonstrate current vulnerabilities and formulate a strategy to eliminate the vulnerabilities and build a solid security environment.

Harmony in security

Humphreys counsels due diligence in deciding which security products solution providers should use for their clients. Solution providers may prefer a firewall from one vendor and anti-virus software from another, but they need to make sure the different pieces work together.

Otherwise, the result is unwanted complexity or, even worse, an environment that adds to the vulnerabilities it is supposed to be addressing. The history of IT is littered with cases of applications that were supposed



7


to be compatible but failed to communicate, as well as environments with different sets of hardware and user interfaces that turn into real nightmares for administrators.

Hamilton says solution providers must think about the overall security landscape and how their solution fits into the bigger picture.

For solution providers delivering security as part of their managed services offerings, the easiest way go about this is to pick a managed services vendor that bundles security tools such as anti-virus, e-mail filtering, and firewalls, into its remote monitoring and management (RMM) tool. “That way you know they picked the friendly products and you know they work,” Humphreys says.

step 7: stick with clear policies

Security transcends technology in that breaches and leaks often result from human error. A company may have the best technology available to secure its networks, but if users are sharing passwords, accessing Web sites that may contain virus, or e-mailing unencrypted documents with sensitive information, the technology won’t help them.

Aside from day-to-day safe computing practices, policies also must address how to react when a threat is detected, a virus gets through or an application malfunctions and creates a point of exposure. Watchman Computer Services’ Todd Jones says the discipline of security entails three main elements: protection, detection, and response.

“Without response you do not have security,” he says. “Every door can be kicked in, every safe can be cracked, every fortress can be breached, and every treasure can be stolen if there is no response. It’s no different with computer and network security. You can bolt in all the latest and greatest products, but installed without response, you do not have security.”

Protocols need to be in place so that users and administrators know what to do when they receive an alert, says Jones, who believes that is where security as a managed service really makes a difference.

For solution providers monitoring their clients’ environments remotely, that means having a policy in place prescribing action when an alert comes through. Be it a remediation

names and organizations to Know

Solution providers looking for tips about how to deliver security solutions to their clients face no shortage of sources of information. Following are some suggestions on where to get information tailored specifically to solution provider needs.

Find information about the CompTIA Security Trustmark here:

www.comptia.org/securitytrustmark

For updates on the CompTIA public advocacy efforts, including lobbying for security regulations, check out the public advocacy section of the association’s web site:

www.comptia.org/publicpolicy.aspx

The CompTIA IT security blog keeps updated on the association’s IT security community, whose work includes development of the Security Trustmark business credential and collaboration with the CompTIA Public Advocacy Office:

blog.comptia.org/category/subtopics/it-security

CompTIA IT Security Community


Noel Eberline, director of the CompTIA IT security community, publishes a blog in which he addresses myriad security-related topics. Access the blog here:

blog.networkwatchman.com

The Open Security Foundation keeps tabs on security breaches across the world and publishes a database of all known incidents causing data losses. The database is updated just about daily and accessible here:

datalossdb.org

ITEEX, founded in 2002 as a peer-to-peer organization, is a security-focused channel development company. ITEEX chief executive officer, Earle Humphreys, worked with CompTIA on developing the Security Trustmark credential. Access the company website here:

www.iteex-channel.com

And the ITEEX blog here:

www.iteex-channel.com/blog



cleanup, file quarantine, or a patch application, specific rules should be in place for response and escalation.

step 8: study up on regulations

Knowing the regulations that affect IT security business is easier said than done, considering that federal standards are still evolving and there isn’t yet a national regulation that covers breach notifications. However, a number of states have enacted regulations addressing data breaches, with Massachusetts boasting the most stringent laws on the books.

But, as the saying goes, ignorance of the law is no excuse.

“It’s important for the solution provider to know what the regulations are all about, what they apply to,” says Reflexion’s Barlow.

Even though solution providers need to become de facto experts on the law, achieving that status isn’t easy. Solution providers operating in multiple states have to contend with regulations that differ from state to state.

Massachusetts mandates that organizations handling sensitive data, such as finance and medical records, implement data leak prevention. New Jersey has a regulation that many in the industry consider bizarre: When a leak occurs, the affected company is required to notify the state police before even its clients or partners.

What’s needed is a national standard covering data leaks, say security experts. CompTIA has been lobbying congress to pass data-leak legislation now under consideration, and while there is a chance a bill could be approved this year, most likely passage will occur next year.

Barlow suggests that solution providers uncertain about which regulations affect their clients should leverage their vendor partners. Security vendors have people in their staffs (with knowledge about regulations and compliance requirements) who can help solution providers make the right decisions for their clients, he says.

partner for expertise

In delivering security solutions and services, solution providers in some cases should seek partners that have

the expertise they lack, says WakaDigital’s Braun. A partner that specializes in security, such as WakaDigital, can train, assess, and set policies for the client, he says.

In cases where it makes sense, the security partner can stay in the picture in a consultative role, either as a silent partner in the background or in a more visible way in front of the partner, Braun says.

Humphreys believes there are several advantages to working with a partner. Those include avoiding infrastructure costs and making up for lack of expertise in building solutions. A security partner bringing in a solution already has tested the technology so you don’t have to and already has experience with issues that you may never have encountered, Humphreys says.

Of course partnering carries some risks, so it’s important to ensure a prospective partner “doesn’t have a history of working to come between you and your clients,” he says. Humphreys recommends doing your homework by checking with other companies that have worked with the prospective partner.

In addition, says Humphreys, though a solution provider would partner with another to add expertise, the provider still needs to know enough about the technology. You want to make sure the solution the partner is bringing works, or that it isn’t a new, unproven release with bugs that haven’t been worked out.



9


Keep talking

Barlow advises solution providers meet with customers monthly or quarterly to review the work the provider does to protect clients’ IT environment. Especially for solution providers delivering security as a managed or hosted service, periodic meetings can be key.

MSPs say clients tend to forget the work that goes on behind the scenes to keep their IT environments in shape and, at invoice time, question what they are getting for what they are paying. During the meetings, for instance, solution providers should go over how they prevented a network attack by responding to system alerts or how they stopped unsafe Web surfing by detecting it and alerting the client about it.

Communication with the client should keep business value at the forefront. Barlow suggests using security arguments to implement business process improvements, such as replacing tax and financial forms with electronic files.

Braun agrees with the need for communication. Remind the client, he says, of how security helps protects their business investments by talking to them about how much it costs to remediate breaches that could have been prevented with right technology and security policies in place.

“At the end of the day,” he says, “you’re not providing IT, you’re providing business-process management.”

About comptiA

CompTIA is the voice of the world’s information technology

(IT) industry.

As a non-profit trade association advancing the global interests

of IT professionals and companies, we focus our programs

on four main areas: education, certification, advocacy and

philanthropy. We:

• Educate the IT channel: Our educational resources,

comprising instructor-led courses, online guides, webinars,

market research, business mentoring, open forums and

networking events, help our members advance their level of

professionalism and grow their businesses.

• Certify the IT workforce: We are the leading provider of

technology-neutral and vendor-neutral IT certifications, with

more than 1.4 million certification holders worldwide.

• Advocate on behalf of the IT industry: In Washington, D.C.,

we bring the power of small- and medium-sized IT businesses

to bear as a united voice and help our members navigate

regulations that may affect their businesses.

• Give back through philanthropy: Our foundation enables

disadvantaged populations to gain the skills they need for

employment in the IT industry.

Our vision of the IT landscape is informed by more than 25

years of global perspective and more than 2,800 members

and 1,000 business partners that span the entire IT channel.

We are driven by our members and led by an elected board

of industry professionals.

All proceeds are directly reinvested in programs that

benefit our valued members and the industry as a whole.

Headquartered outside of Chicago, we have offices across

the United States and in Australia, Canada, China, Germany,

India, Japan, South Africa and the United Kingdom. For more

information, visit comptia.org.



www.comptia.org

© 2011 CompTIA Properties, LLC, used under license by CompTIA Member Services, LLC. All rights reserved. All membership activities and offerings to members of CompTIA, Inc. are operated exclusively by CompTIA Member Services, LLC. CompTIA, A+, Authorized Service Center, Breakaway, Network+, Security+, and Security Trustmark are registered trademarks

of CompTIA Properties, LLC in the U.S. and internationally. Other brands and company names mentioned herein may be trademarks or service marks of CompTIA Properties, LLC or of their respective owners. Reproduction or dissemination prohibited without written consent of CompTIA Properties, LLC. Printed in the U.S. Feb 2011 1721-US