Showing posts with label cost killing. Show all posts

Saturday, February 23, 2013

On the ROI of BYOD

On the ROI of BYOD, I read this in Les Échos:
The generalisation of BYOD ("Bring your own device", literally "bring your own equipment") requires a line of conduct to be set. A cost-reduction issue for the company - eliminating a workstation yields a saving of 1,500 euros per year and per employee - bringing the employee's personal equipment into the company raises the question of the confidentiality of the data carried and of the protection of servers against cybercriminals.
And here I say: careful! If the cost of a workstation is generally reckoned at around €1,500 or more, it is because that total cost includes much more than the hardware. The cost of a workstation is made up of the hardware purchase, which can be as low as €300 in some cases, of the central infrastructure (servers, storage, licenses...), of the distribution infrastructure (internal networks, WiFi, Internet access), of staff salaries and of other items, such as services bought from IT service companies, which can represent more work within an IT department than that of its own employees.

Now, it is by assuming that a traditional workstation has the same upkeep cost as a BYOD device that a good dose of error is introduced into cost-reduction forecasts.

Indeed, BYOD also means:
  • New network access: extending WiFi, systematic deployment of VPNs...
  • New central infrastructure: smartphone-specific management software, internal app stores, webifying old business applications...
  • Greater heterogeneity of the endpoints in the information system, causing extra work in administration, maintenance, help desk... Where there used to be an overwhelming majority of Windows, you very quickly get: Windows (XP, Seven, Phone), Android, iOS (iPhones and iPads). Plus the Mac OSX of a director who insists on it, and the leftover BlackBerrys from a few years ago!
  • New administration skills to acquire. If there is a workload, you need the skills to carry it out. And while it is very easy to recruit people who know Windows and Linux, few people are available for the other OSes.
  • New development skills to acquire. This point is often completely forgotten by decision makers. For administration as well as for operations, many small pieces of software are developed by an IT department. The skills will have to be acquired on the job, or through rare training courses or costly outside services.
In conclusion, I would say that, since BYOD is inevitable anyway, decision makers should weigh very carefully the financial weight of a good standardisation of mobile fleets. Since the purchase cost is a minor part of the total cost of ownership of a device, giving employees an incentive, even a financial one, to equip themselves with a given model or brand seems very profitable to me.

Tuesday, October 16, 2012

Saving Money with IT Security Processes. Example 13/26: Avoid Misleading Vendor Advice with Security Awareness

Article number 13 in a series dedicated to giving examples of the way IT security processes can help your company save money.

Vendors are doing their job: they try to sell security solutions and services. Ideally, they prefer to sell solutions rather than services. It's more concrete, more helpful to convince non-security people, and it implies additional services in order to implement and maintain them.
In order to do so, they demonstrate profitability by showing critical examples of security breaches and/or outages. This could be a kind of Awareness if it weren't so biased. It's biased in that it:
  • Concentrates fear on the subject that's addressed by the solution they're trying to sell. (Whereas the subject may not be a major concern for the company, or even a concern at all.)
  • Concentrates fear on the few points in the whole subject that the solution actually helps solve. (Leaving 95% of the actual subject unsolved.)
CISOs are used to this kind of manipulation. They just go through it without even noticing anymore. For instance, as a CISO, I used to receive every day up to 30 dedicated e-mails from real people I had actually met before. I didn't mind.

So, in order to still sell "solutions", vendors attack easier targets: highly placed executives outside of IT Security. More precisely, they try to sell solutions wherever the CISO cannot constantly reach:
  • IT managers of remote sites where there is no permanent security team,
  • Users of packaged "IT tools not considered IT" like Telephony, Document Management, Technical Services from Logistics...
  • People interested in closely related matters: Quality, Compliance.
  • And sometimes even through service providers!
That's the costly point. If vendors are able to sell solutions this way, they'll sell unfit solutions:
  • Costly,
  • Ineffective,
  • Ill-centered on minor points,
  • Duplicating what's already implemented,
  • Sometimes completely irrelevant...
Through a correct Awareness process, you'll reach not only end-users but also management. It does the following:
  • Communicate around what you already do, → no more duplicates
  • Communicate around what you don't do and why (we'll do it later, we don't do it because it's not relevant, it's not a major concern), → no more irrelevant solutions.
  • De-mystify buzzwords, → no more ill-centered solutions.
  • Communicate about real threats and the associated risk.→ no more haste resulting in cost-ineffectiveness.

Monday, October 15, 2012

Saving Money with IT Security Processes. Example 12/26: Avoid Website Defacement with Vulnerability Management

Article number 12 in a series dedicated to giving examples of the way IT security processes can help your company save money.

Vulnerability Management is the process that helps your information system stay up to date with patches that fix vulnerabilities in the software you use. One striking example is: with correct Vulnerability Management, you won't get any of your websites defaced.

Please note that it can't be reduced to just using another piece of software to update it all. No single piece of software can possibly fix everything on a regular basis, nor can it fix problems with the best acumen. It's the Vulnerability Management process. It does the following:
  • Technological Watch for all currently used pieces of software and technologies. This means subscribing to newsletters or feeds from every single related vendor and reading them.
  • Whenever a new vulnerability has been spotted, identify whether the company is affected or not.
  • If it's affected, check how much it would cost to suffer from the exploitation of the vulnerability and compare with the cost of applying the patch or workaround.
  • Have it put in action.
The Vulnerability Management process is not always identified as a process per se, but is sometimes distributed across the Technological Watch and Patch Management processes.
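The second and third steps above (is the company affected, and is acting worth it?) are the ones that are most often done by eye. The following is an added example, not code from the original post, of how a small inventory can be matched mechanically against an advisory's affected-version range and the patch-versus-exposure comparison made explicit. The advisory, the product names, the host names and the cost figures are all constructed sample data.

```python
"""Match a constructed vulnerability advisory against a software inventory.

Added example for the Vulnerability Management process; not code from the
original post.  Advisory, inventory, products and hosts are hypothetical.
"""
from dataclasses import dataclass


def parse_version(text):
    """Turn '2.4.51' into (2, 4, 51) so versions compare numerically.
    Only plain dotted numeric versions are handled here."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    product: str
    affected_from: str   # first affected version (inclusive)
    fixed_in: str        # first fixed version (exclusive upper bound)
    workaround: str      # what the vendor says to do until patched


# Constructed sample advisories (hypothetical products and versions).
ADVISORIES = [
    Advisory("example-cms", "2.0.0", "2.4.51", "disable the media upload module"),
    Advisory("example-webserver", "1.18.0", "1.18.3", "none; patch required"),
]

# Constructed inventory: (hostname, product, installed version).
INVENTORY = [
    ("www-01", "example-cms", "2.4.50"),
    ("www-02", "example-cms", "2.4.51"),      # already on the fixed version
    ("intranet", "example-cms", "1.9.9"),     # older than the affected range
    ("www-01", "example-webserver", "1.18.2"),
    ("proxy", "example-webserver", "1.19.0"),
]


def is_affected(adv, installed):
    """Affected when affected_from <= installed < fixed_in."""
    v = parse_version(installed)
    return parse_version(adv.affected_from) <= v < parse_version(adv.fixed_in)


def affected_hosts(advisories, inventory):
    """Step 2 of the process: which hosts does each advisory concern?"""
    result = {}
    for adv in advisories:
        result[adv.product] = sorted(
            host for host, product, version in inventory
            if product == adv.product and is_affected(adv, version))
    return result


def decide(adv, hosts, breach_cost, patch_cost_per_host):
    """Step 3: if patching every affected host costs less than one breach,
    patch; otherwise apply the vendor workaround while planning the patch."""
    if not hosts:
        return "not affected"
    if len(hosts) * patch_cost_per_host <= breach_cost:
        return "patch"
    return "workaround: " + adv.workaround


if __name__ == "__main__":
    hits = affected_hosts(ADVISORIES, INVENTORY)
    for adv in ADVISORIES:
        # constructed figures: a breach at 50,000 and 2,000 per host to patch
        print(adv.product, hits[adv.product], decide(adv, hits[adv.product], 50_000, 2_000))
```

The version comparison is deliberately numeric rather than textual: a string comparison would rank "1.18.2" after "1.19.0" and silently miss affected hosts.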

Wednesday, October 10, 2012

Saving Money with IT Security Processes. Example 11/26: Avoid a Technology SPOF with License Management

Article number 11 in a series dedicated to giving examples of the way IT security processes can help your company save money.

What's License Management got to do with SPOFs?

It's got to do with the Technology SPOF. "Technology SPOF" is the name I gave to all incidents that trigger a failure on all systems of a similar technology. For instance, if two redundant servers share a single storage bay that's full, both servers will suffer the same disk-full failure.

Licenses are a major source of technology SPOFs. Many products, once their paid period has expired, simply stop functioning altogether. Antivirus software suites, for instance. Many products, once they reach their usage limit, also simply stop functioning altogether. For instance, a dedicated appliance that can host 100 concurrent users.
That's the moment when you'd wish you had a sound License Management process.

The License Management process does the following:
  • It inventories all current licenses and their limitations.
  • It monitors their use so that they don't reach limitations.
  • It purchases new licenses in time and quantity.
  • It installs new licenses and updates the inventory.
License Management could be seen as part of a larger Procurement process; however, I see fit to put it in Security rather than Procurement, because it requires active monitoring, capacity planning and some administration, which are more IT related.
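The second and third duties of the process (monitor use against the limits, purchase in time) are what a small register can automate. The following is an added example, not code from the original post: a license register that raises an alert when a license is within its renewal lead time, has already expired, or is close to its seat limit, which are exactly the two ways the post says products stop working. The products, dates and usage figures are constructed.

```python
"""License register with expiry and usage-limit alerts.

Added example for the License Management process; not code from the
original post.  Products, dates and seat counts are constructed samples.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class License:
    product: str
    expires: date
    seat_limit: int       # maximum concurrent users or installs allowed
    seats_in_use: int     # latest reading from monitoring


# Constructed sample register (hypothetical products).
REGISTER = [
    License("endpoint-antivirus", date(2013, 1, 31), 1200, 1150),
    License("vpn-appliance", date(2013, 6, 30), 100, 97),
    License("backup-suite", date(2014, 3, 15), 50, 20),
]


def order_by(lic, renewal_lead_days=60):
    """Latest date on which the renewal order must be placed."""
    return lic.expires - timedelta(days=renewal_lead_days)


def license_alerts(register, today, renewal_lead_days=60, usage_warn_ratio=0.9):
    """One alert line per problem: expiry inside the lead time, already
    expired, or usage at or above the warning share of the seat limit."""
    alerts = []
    for lic in register:
        days_left = (lic.expires - today).days
        if days_left < 0:
            alerts.append(f"{lic.product}: EXPIRED {-days_left} days ago")
        elif days_left <= renewal_lead_days:
            alerts.append(f"{lic.product}: expires in {days_left} days, "
                          f"order renewal by {order_by(lic, renewal_lead_days)}")
        ratio = lic.seats_in_use / lic.seat_limit
        if ratio >= usage_warn_ratio:
            alerts.append(f"{lic.product}: {lic.seats_in_use}/{lic.seat_limit} "
                          f"seats used ({ratio:.0%})")
    return alerts


def demo_alerts(today=date(2012, 12, 15)):
    """Run the check against the constructed register on a fixed date."""
    return license_alerts(REGISTER, today)


if __name__ == "__main__":
    for line in demo_alerts():
        print(line)
```

The seat-usage check runs even when the expiry is fine, because the two failure modes are independent: a license can be paid up for a year and still lock everyone out tomorrow when the 101st user connects.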

Tuesday, October 9, 2012

Saving Money with IT Security Processes. Example 10/26: Preventing Massive Outages with Electricity Management

Article number 10 in a series dedicated to giving examples of the way IT security processes can help your company save money.

Electricity Management is the process that ensures correct availability of electric power for all IT needs.

"Green IT" is the fancy name for it nowadays. We've reached a level of risk awareness where it's common sense that reducing consumption and ensuring the availability of power (the two go together, think about it) can make good money for companies. If we can make the point by calling it ecology, eco-friendliness or environmentalism, that's an asset.

To correctly operate the Electricity Management process and prevent massive power failures that would cause your company huge losses in downtime, the following duties must be carried out:
  1. Assess power purchase and power producing capabilities.
  2. Put in action a set of load balancing items.
  3. Supervise the electric load of all sources. SNMP is a possible choice.
  4. Make sure you have recovery documentation for major possible outages.

Friday, October 5, 2012

Saving Money with IT Security Processes. Example 9/26: Preventing the Angry Administrator Revenge


Article number 9 in a series dedicated to giving examples of the way IT security processes can help your company save money.

The incident that I refer to when I speak about the "Angry Administrator Revenge" is the one that happens when you sack an admin and he uses his administrative rights to wreak havoc in your Information System. That's a pretty common case.
This is when the IT Security process of Password Management comes in. (It's sometimes part of a larger Identity and Access Management process.)

Basically, almost everything in IT is protected by a password. The rare exceptions are the things that are not protected at all or the things that require more than just a password. However, the password is the rule.
There are two kinds of passwords to be distinguished:
  • The personal passwords, that are known by one person only.
  • The shared passwords, that are known by multiple people.
Whatever your degree of maturity, shared passwords can't be eliminated completely. So, virtually any Information System in this world has both personal and shared passwords and they give access to virtually every server, storage, application...

The Password Management process does the following:
  • It knows who's supposed to know (be in the shared secret) each password.
  • It knows how to change them.
  • It does change them whenever someone who knows them is no longer in charge (or has been sacked).
  • And, because there are sometimes more people who know a password than the few supposed to know it, it changes all passwords on a regular schedule, like once a year, or more often for critical data.
So, with a sound Password Management process, you can avoid what's happened to Gucci and so many other companies.
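The four duties above boil down to keeping metadata about each shared secret (never the secret itself): which system it unlocks, who is in the shared secret, when it was last changed and how often it must change. The following is an added example, not code from the original post, of such a register and the two questions it must answer on demand: "Bob has just left, what do we rotate right now?" and "what is overdue on its schedule?". People, systems and dates are constructed.

```python
"""Shared-password register: who may know each secret, and which secrets
must be rotated when someone leaves or a rotation deadline passes.

Added example for the Password Management process; not code from the
original post.  Names, systems and dates are constructed; no password
values are stored, only metadata about them.
"""
from dataclasses import dataclass
from datetime import date, timedelta

TODAY = date(2012, 10, 5)     # fixed "today" so the example is reproducible


@dataclass
class SharedSecret:
    system: str
    holders: set            # the people who are in the shared secret
    last_rotated: date
    rotation_days: int      # e.g. 365 by default, shorter for critical data


# Constructed register.
REGISTER = [
    SharedSecret("core-switch-enable", {"alice", "bob"}, date(2012, 1, 10), 365),
    SharedSecret("erp-db-sa", {"bob", "carol", "dave"}, date(2012, 7, 1), 90),
    SharedSecret("backup-vault", {"carol"}, date(2011, 9, 20), 365),
    SharedSecret("wifi-guest-psk", {"alice", "carol"}, date(2012, 9, 1), 180),
]


def rotations_for_departure(register, person):
    """Every secret the departing person was in must change, immediately."""
    return sorted(s.system for s in register if person in s.holders)


def rotations_overdue(register, today=TODAY):
    """Secrets whose scheduled rotation date has already passed."""
    return sorted(s.system for s in register
                  if s.last_rotated + timedelta(days=s.rotation_days) <= today)


def next_due(secret):
    """When this secret must next be rotated on schedule."""
    return secret.last_rotated + timedelta(days=secret.rotation_days)


def rotate(secret, today=TODAY, remove=None):
    """Record that the secret was changed: reset the clock and, on a
    departure, drop the person who must no longer know it."""
    secret.last_rotated = today
    if remove is not None:
        secret.holders.discard(remove)
    return secret


if __name__ == "__main__":
    print("bob leaves, rotate now:", rotations_for_departure(REGISTER, "bob"))
    print("overdue on schedule:  ", rotations_overdue(REGISTER))
```

The register answers the departure question in one pass; without it, the only honest answer to "which passwords did Bob know?" is "probably all of them", which is why the scheduled rotation in the last bullet exists as a backstop.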

Thursday, October 4, 2012

Saving Money with IT Security Processes. Example 8/26: Quick Recovery from Backup

Article number 8 in a series dedicated to giving examples of the way IT security processes can help your company save money.

Recovering a server or user data from a backed-up copy is a well-known activity in IT. Not doing so would cause huge losses to the company, including downtime and manual recovery (double work for the end user). However, you can't ensure that your copies will be usable without a proper Disaster Recovery process. The duties of the Disaster Recovery process manager are the following:
  1. Include all new data and servers in the backup mechanisms. This may require that backup people attend the conception phase of each project to ask the corresponding questions: what's to be saved? How often? How to access it?
  2. Test the recovery mechanisms. Although what's backed up is backed up, you may not be able to use it if only a tiny bit of it is missing or was backed up incorrectly. So, recovery should be tested at least once for every business application, and the recovery machinery and media should be tested very often.
  3. Review the list of what's to be backed up. The copying of older applications can be stopped. Newer versions of the same applications may require new data to be copied.
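Duty 2 is the one most often skipped, because a backup that was written looks exactly like a backup that can be restored. The following is an added example, not code from the original post, of the minimum that "test the recovery mechanism" means in practice: a backup writes a hash manifest beside the copies, and a restore is verified against that manifest instead of being assumed good. The drill also corrupts one restored byte to confirm the check actually catches a bad copy. The sample files are constructed in a temporary directory.

```python
"""Back up a directory with a hash manifest, then test the restore.

Added example for the Disaster Recovery duties above; not code from the
original post.  The files are constructed in a temporary directory.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(source, dest):
    """Copy every file under source into dest and record its hash.
    The manifest is what makes a restore verifiable later."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for f in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = f.relative_to(source).as_posix()
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, target)
        manifest[rel] = sha256_of(f)
    (dest / "MANIFEST.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def restore(backup_dir, restored):
    """Copy everything listed in the manifest back out of the backup."""
    manifest = json.loads((backup_dir / "MANIFEST.json").read_text())
    for rel in manifest:
        (restored / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_dir / rel, restored / rel)


def verify_restore(backup_dir, restored):
    """Relative paths that are missing or differ from the manifest.
    An empty list means the recovery test passed."""
    manifest = json.loads((backup_dir / "MANIFEST.json").read_text())
    problems = []
    for rel, digest in manifest.items():
        f = restored / rel
        if not f.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(f) != digest:
            problems.append(f"corrupt: {rel}")
    return problems


def recovery_drill():
    """Create sample data, back it up, restore it and verify; then damage
    one restored file and confirm verification reports it.  Returns the
    two verification results (clean, damaged)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, bak, rst = root / "data", root / "backup", root / "restore"
        (src / "db").mkdir(parents=True)
        (src / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1);\n")
        (src / "config.ini").write_text("[app]\nmode=prod\n")

        backup(src, bak)
        restore(bak, rst)
        clean = verify_restore(bak, rst)

        # Simulate a bad medium: the last two bytes of one file come back wrong.
        bad = rst / "db" / "orders.sql"
        bad.write_bytes(bad.read_bytes()[:-2] + b"0\n")
        damaged = verify_restore(bak, rst)
        return clean, damaged


if __name__ == "__main__":
    print(recovery_drill())
```

Note that the manifest lives with the backup, so the same check can be run months later against a tape that was never read since it was written, which is the "media should be tested very often" part of duty 2.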

Wednesday, October 3, 2012

Saving Money with IT Security Processes. Example 7/26: Early Notice of Regulatory Compliance Changes through Technological and Legal Watch

Article number 7 in a series dedicated to giving examples of the way IT security processes can help your company save money.

Regulatory Compliance requirements are a pain for companies. They've got to meet some government-imposed or industry-imposed requirements, and they sometimes have to meet them by using imposed means, tools, technologies...

However, the most costly thing is not putting the requirements into practice when you know them from the start of a project. The most costly thing is modifying production afterwards, in haste, in order to comply:
  • The production may incur downtimes and bugs because of the hasty patches.
  • Besides, the architecture may have to be reviewed to support the requirements, and the previous architecture may be obsolete before it has paid off.
  • Eventually, the patched system may be more expensive to operate than if it had been thought about correctly from the beginning.

A good way to prevent such blunders and losses of money from happening is the Technological and Legal Watch process. The goal of the process is to identify emerging threats. Threats can be:
  • Technical, like a new vulnerability.
  • Commercial, like a vendor no longer supporting a product.
  • Trends, like the emergence of a new kind of attack (think XSS a few years ago).
  • Regulatory, like the validation of an industry standard.
  • Legal, like the imposition of a new legal requirement.

The best tool for Technological and Legal Watch process is the RSS feed. Feeds can be collected from related web sites. Feeds can also be created from Google searches (with keywords).
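Collecting feeds is the easy half; the useful half is sorting what comes in into the five threat categories listed above so that each item reaches the right process. The following is an added example, not code from the original post: it parses an RSS 2.0 feed with the standard library, classifies each item by keyword into the categories of this post, and flags technical items that name a product in our inventory so they can be handed straight to the Vulnerability Management process of Example 12. The feed, the product name and the keyword lists are constructed; real lists would be tuned to the company.

```python
"""Keyword watch over an RSS feed, sorted into threat categories.

Added example for the Technological and Legal Watch process; not code
from the original post.  The feed is a constructed sample, not a real
vendor's feed, and the keyword lists are a starting point to tune.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample feed, shaped like a typical RSS 2.0 feed.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>constructed watch feed</title>
<item><title>Security update for example-webserver 1.18.3</title>
  <link>https://example.invalid/adv/1</link>
  <description>Fixes a remote vulnerability in request parsing.</description></item>
<item><title>example-cms 1.x reaches end of life</title>
  <link>https://example.invalid/news/2</link>
  <description>Version 1.x is no longer supported after December.</description></item>
<item><title>Industry body ratifies new payment data standard</title>
  <link>https://example.invalid/news/3</link>
  <description>The standard becomes mandatory for merchants next year.</description></item>
<item><title>Parliament adopts data breach notification law</title>
  <link>https://example.invalid/news/4</link>
  <description>New legal requirement to notify within 72 hours.</description></item>
<item><title>Quarterly newsletter: team outing photos</title>
  <link>https://example.invalid/news/5</link>
  <description>Nothing technical here.</description></item>
</channel></rss>"""

# Category -> keywords, matched as whole words, case-insensitively.
KEYWORDS = {
    "technical": ["vulnerability", "security update", "exploit", "patch"],
    "commercial": ["end of life", "no longer supported", "discontinued"],
    "regulatory": ["standard", "compliance", "mandatory"],
    "legal": ["law", "legal requirement", "regulation", "court"],
}


def parse_items(feed_xml):
    """Yield (title, link, description) for each <item> in an RSS 2.0 feed."""
    root = ET.fromstring(feed_xml)
    for item in root.iter("item"):
        yield (item.findtext("title", ""), item.findtext("link", ""),
               item.findtext("description", ""))


def _hit(word, text):
    # Whole-word match, so "law" does not fire on "flaw".
    return re.search(r"\b" + re.escape(word) + r"\b", text) is not None


def classify(title, description):
    """Sorted list of categories whose keywords appear in the item."""
    text = f"{title} {description}".lower()
    return sorted(cat for cat, words in KEYWORDS.items()
                  if any(_hit(w, text) for w in words))


def watch(feed_xml, inventory_products=()):
    """Keep only items that hit a category; mark technical ones that name a
    product we run, so they go straight to Vulnerability Management."""
    hits = []
    for title, link, desc in parse_items(feed_xml):
        cats = classify(title, desc)
        if not cats:
            continue            # the newsletter photos are dropped here
        text = f"{title} {desc}".lower()
        concerns_us = "technical" in cats and any(p in text for p in inventory_products)
        hits.append({"title": title, "link": link,
                     "categories": cats, "concerns_us": concerns_us})
    return hits


if __name__ == "__main__":
    # constructed inventory: the one product name we are running
    for hit in watch(SAMPLE_FEED, ("example-webserver",)):
        print(hit)
```

Matching whole words rather than substrings matters more than it looks: a keyword list tuned over months will otherwise drown in false positives from words that merely contain "law" or "patch".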

Tuesday, October 2, 2012

Saving Money with IT Security Processes. Example 6/26: Reducing Project Delays with Secure Project process

Article number 6 in a series dedicated to giving examples of the way IT security processes can help your company save money.

Projects have a conception phase. In this phase, networks are designed, interactions with users are designed and so on. This is a moment when thinking critically with a security mindset is most valuable.

If you let the conception phase evolve without a security engineer, IT people will think about networks but not about intrusions. They'll think about users but not about attackers. Because that's the security job. So, they will design vulnerable software, networks and/or servers.

Then the vulnerable conception will be implemented and put into production. Then either the Security Audit will spot vulnerabilities and ask for a costly patch (or re-design) or the Security Audit will miss it and a security incident is going to happen soon. Both cases are very expensive for a company.

If you have a sound Secure Project process, with a goal to secure developing projects, this will not happen and the company will save a lot of money.


The whole case in this article is based on two little-known asymmetries:
  1. You can look for a vulnerability at the conception phase or at the production phase. But doing it in production takes longer (is more expensive) and is more likely to fail to spot the vulnerability.

  2. You can patch a vulnerability at the conception phase or at the production phase. But doing it in production takes longer (is more expensive), may require stopping production (lost business hours) and may trigger side effects.

Monday, October 1, 2012

Saving Money with IT Security Processes. Example 5/26: Reducing Help Desk calls and duration with Patch Management

Article number 5 in a series dedicated to giving examples of the way IT security processes can help your company save money.

The Help Desk is the service provided by the people who are there to collect user calls about IT incidents, answer them when possible and, when not, pass them on to people who can. A typical Help Desk receives thousands of calls a month. Companies lose a percentage of their annual revenue in these incidents: incident ⇒ business is down, the user (employee) is demotivated + the Help Desk must be paid to intervene.

There are three levels of difficulty for a user call handled by the Help Desk:
  1. The Help Desk knows how to solve the incident described by the user, or they know to whom they should redirect it. This takes a few minutes and represents a large share of all calls.

  2. They don't know precisely how to solve the incident, nor whose help they should ask for. So they must investigate and take a lot of time to understand the real root of the incident and act accordingly. Over time, the Help Desk will build a knowledge database about these incidents and so improve its overall performance. However, this second level of difficulty represents the biggest part of all calls.

  3. The incident is just overly complex, the Help Desk knows they won't be able to solve the incident, so they just redirect it to the regular IT team and ask for help. This is a small part of all calls.

Improving on this may seem like climbing an impossible mountain.
However, IT Security can simplify the work of the Help Desk and save the company's money this way: accelerate the work ⇒ downtime decreases + Help Desk teams can be reduced. One way is the Patch Management process.
Albeit unrelated at first sight, the Patch Management process keeps your software up-to-date. If it's up-to-date on all workstations, then it's precisely the same on all workstations. Then two workstations will have the same set of possible incidents, instead of two different sets of possible incidents. Now, if the Information System is 30 software pieces on 1,000 desktop PCs, then instead of having, say 5 different versions per software, you'll have just one. So, instead of 30 x 5 = 150 sets of possible incidents, you'll have just 30.

This means that the database of incidents (for level 2 difficulty) will grow faster compared to the total number of possible incidents. So a larger part of level 2 incidents will be treated as fast as level 1 incidents, resulting in a significant increase in Help Desk performance:
  • Users will be more satisfied,
  • Help Desk will find its job more rewarding,
  • Help Desk will save time, that can be put onto something else.
This is a very often forgotten side of security. Most people will just see Patch Management as a protection against vulnerabilities or against vendors no longer supporting old versions of software, but will overlook the virtuous circle of simplifying the information system.

Sunday, September 30, 2012

Saving Money with IT Security Processes. Example 4/26: Identifying SPOFs with Network Architecture

Article number 4 in a series dedicated to giving examples of the way IT security processes can help your company save money.

SPOF is a very hackneyed expression nowadays. However, one certainty remains: SPOFs must be addressed, or your company will lose a lot of money in downtime. To address them, you must first identify them. One of the objectives of the Network Architecture process is to prevent SPOFed architectures from going into production and to identify SPOFs in the existing production architectures.

This, contrary to the opinion of many, is not a lost race. There are exactly four kinds of SPOFs, and you must look for all of them:
  1. The hardware SPOF: your hardware (whether servers, network equipment, etc.) is not redundant.
  2. The network SPOF: your hardware is redundant, but the network links that connect the equipment are not crossed. They should normally serve all the redundant hardware equally well.
  3. The configuration SPOF: your hardware is redundant, the network serves it well, but the clients are not aware that they should connect to the failsafe servers if the main ones are not available. In my experience, this one type of SPOF accounts for a huge part of forgotten SPOFs and of the related losses in unplanned downtime.
  4. The technology SPOF: one of your technologies fails (whether hardware, software or network). As it is the same in the main architecture and in the redundant architecture, both suffer from the same downtime.
Please read my previous article for sample network diagrams of these types of SPOFs. With a sound Network Architecture process, you can reduce downtimes by identifying SPOFs before crashes occur.
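The four kinds are findable mechanically on a topology diagram, which is what makes them "not a lost race". The following is an added example, not code from the original post, that runs the four checks on a small constructed topology: a single firewall (hardware SPOF), two switches each serving only one server (network SPOF, links not crossed), a client configured to use only one of the two servers (configuration SPOF), and two servers running the same software stack (technology SPOF). Every node name, link and technology tag is constructed, and "service" is defined as the client reaching at least one usable server.

```python
"""Find the four kinds of SPOF in a small constructed topology.

Added example for the Network Architecture process; not code from the
original post.  Topology, names and technology tags are constructed; the
checks are reachability tests under single (or same-technology) failures.
"""
from collections import deque

# Constructed topology: node -> (role, technology tag).
NODES = {
    "client": ("client", "pc"),
    "fw": ("firewall", "fw-model-a"),        # the only firewall
    "sw1": ("switch", "switch-model-a"),
    "sw2": ("switch", "switch-model-b"),     # deliberately a different model
    "app1": ("server", "app-stack-v3"),
    "app2": ("server", "app-stack-v3"),      # same stack as app1
}
# Undirected links.  Each server hangs off one switch only: not crossed.
LINKS = [("client", "fw"), ("fw", "sw1"), ("fw", "sw2"),
         ("sw1", "app1"), ("sw2", "app2")]
# Configuration: the servers the client actually knows about.
CONFIGURED_SERVERS = ["app1"]               # app2 exists but is never used
SERVERS = [n for n, (role, _) in NODES.items() if role == "server"]


def reachable(start, failed=frozenset()):
    """Nodes reachable from start when the nodes in `failed` are down."""
    adj = {n: set() for n in NODES}
    for a, b in LINKS:
        adj[a].add(b)
        adj[b].add(a)
    seen, queue = {start}, deque([start])
    while queue:
        n = queue.popleft()
        for m in adj[n]:
            if m not in failed and m not in seen:
                seen.add(m)
                queue.append(m)
    return seen


def service_ok(failed=frozenset(), servers=SERVERS):
    """Is at least one of `servers` up and reachable from the client?"""
    up = reachable("client", failed)
    return any(s in up for s in servers)


def find_spofs():
    report = {"hardware": [], "network": [], "configuration": [], "technology": []}
    others = [n for n in NODES if n != "client"]
    # 1. Hardware SPOF: one box fails and no server is reachable, even if
    #    the client knew every server (so configuration is not at fault).
    report["hardware"] = [n for n in others if not service_ok({n})]
    # 2. Network SPOF: a failure strands a server that is still healthy,
    #    because the links are not crossed.  Boxes already reported as
    #    hardware SPOFs are skipped, as are the servers themselves.
    for n in others:
        if n in report["hardware"] or n in SERVERS:
            continue
        up = reachable("client", {n})
        report["network"] += [(n, s) for s in SERVERS if s not in up]
    # 3. Configuration SPOF: the redundant path is there, but the client is
    #    not configured to use it.
    report["configuration"] = [
        n for n in others
        if service_ok({n}) and not service_ok({n}, CONFIGURED_SERVERS)]
    # 4. Technology SPOF: every box sharing a technology fails at once
    #    (same firmware bug, same full storage bay, same expired license).
    for tech in sorted({t for _, t in NODES.values()}):
        group = {n for n, (_, t) in NODES.items() if t == tech and n != "client"}
        if len(group) > 1 and not service_ok(group):
            report["technology"].append(tech)
    return report


if __name__ == "__main__":
    for kind, found in find_spofs().items():
        print(f"{kind:14} {found}")
```

Two of the findings are instructive: the configuration check reports sw1 as well as app1, because losing either one leaves the client pointing at a server it can no longer reach, and the two switches are not reported as a technology SPOF only because they are different models.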

Saturday, September 29, 2012

Saving Money with IT Security Processes. Example 3/26: Identifying Low Use or Unused Servers

Article number 3 in a series dedicated to giving examples of the way IT security processes can help your company save money.

Maintaining servers is often costly. Electricity is one point and complexity is another: various technologies, various network connections, etc. The custom a few years ago was to have one server per business application.

The flaw of IT services is often to just leave things as they are until something bad happens. But losing money day after day is a bad thing, and you can do better with a strong Supervision process. Supervision of servers must include graphs of load metrics: number of connected users, CPU usage, memory usage, inbound network flows, etc. With these graphs, you can identify:
  • Low-use, deprecated servers and effectively unused servers (it happens, sometimes), which you can decide to just stop.
  • Low-load but important servers, which you can virtualize. You'll then reduce hardware costs and decrease complexity through homogeneity.

Friday, September 28, 2012

Saving Money with IT Security Processes. Example 2/26: Retrieving Stolen Smartphones and Laptops

Article number 2 in a series dedicated to giving examples of the way IT security processes can help your company save money.

Companies lose a lot of money in stolen smartphones and laptops. It does not just amount to the price of the hardware; it also includes the time lost by workers without their tools and the work needed to report the incident and, optionally, to declare it to the police and to an insurer. Besides, the devices can contain valuable information that the company will miss and that may be dangerous to see in the public domain or in a competitor's hands.

It's possible to address the loss of smartphones and laptops with a sound BYOD* process. I'm not talking about a policy, I'm talking about a process, that includes:
  • Securing information flows from/to devices with appropriate extranet and telecommuting tools.
  • Making sure that devices which will store company property locally do have encryption, access control and geographical tracking features activated.
  • Inventorying the types of devices and establishing the required procedures for each type; because the list is ever-growing, you can't do without managing it clearly.
* I'm talking about BYOD because it's time to face it: most devices are now no longer company devices.

Thursday, September 27, 2012

Saving Money with IT Security Processes. Example 1/26: Reducing Virus Crises

Article number 1 in a series dedicated to giving examples of the way IT security can help your company save money.

IT services lose a lot of time and money in virus crises. You can save this time and money with a sound Antivirus process.
I'm not talking about software, I'm talking about process. The process is:
  • To have a baseline antivirus, make sure it's configured optimally and installed on every workstation and laptop.
  • To have a requirement in RFPs that machines your IT service will not maintain will have a running, up-to-date, antivirus, and to ensure service providers do follow this requirement.
  • To analyse unusual network-capable hardware (like tablets, old servers, smartphones, CCTV, storage bays, etc.), inventory them and decide whether they deserve an antivirus or not.