Sunday, June 12, 2011

‘Big Data’ presents unique risks

We were very impressed with a new report published by the McKinsey Global Institute (MGI) entitled ‘Big Data: the next frontier for innovation, competition and productivity’.

As auditors with extensive experience in database technology (e.g. IBM DB2, Oracle, Sybase), we were especially struck by the concept of ‘Big Data’ as managed through commercial databases.

McKinsey argues that just as capital and labor are integral factors of modern production, so too has data become an integral factor of production. Successful companies going forward will be those that manage ‘big data’ to strategic advantage.

Established industries such as health care and manufacturing are being disrupted by IT firms that have found a way to leverage data strategically. Google Health and Microsoft HealthVault are cited as examples in healthcare. There is potential for huge savings in the US and European health care systems through the use of ‘big data’ to manage personal health information on a massive scale.

This concept of ‘big data’ makes sense to us. However, the risks associated with sensitive and private information are not hard to identify. The integrity of data is another area of risk that must be understood as part of this strategic shift.

In short, ‘big data’ is on the march. The risks and controls around this data are critical if the hoped-for gains are to be realized.

‘Big Data: the next frontier for innovation, competition and productivity.’ McKinsey Global Institute. May 2011. www.mckinsey.com

Thursday, May 5, 2011

Recent attacks on global companies

The recent attack on Sony which revealed credit card information, names, addresses and passwords on approximately 77 million accounts has far-reaching consequences. A separate attack on major websites hosted by Amazon resulted in outages at many of the hosted sites. We feel that this is yet another indication of the importance of understanding the risks and controls in an IT environment. Note that risks may be an external threat or an internal vulnerability.

Our audit services are laser-focused on IT risks and controls with the specific objective of improving security. We feel that effective IT auditing and risk control strategies applied to IT environments could probably have prevented these successful attacks.

www.sony.com
www.amazon.com

Saturday, April 16, 2011

Improved Security in IBM DB2 databases

We recently came across a ‘tech center report’ published by InformationWeek Analytics (posted on DarkReading.com) titled ‘DB2 Gets Safer’. The report makes the point that the traditional ‘moat’-based security model used for IBM DB2 databases is undergoing a transformation: the moat is gone, as is the related perimeter security concept. DB2 on z/OS and iSeries was widely deployed within a secure network topology behind firewalls. Now, with deployments in virtual server and cloud environments (e.g. “Blue Cloud” deployments on Amazon’s EC2 platform, the z/VM hypervisor and WebSphere Web App Server on z/OS), DB2 is becoming more vulnerable.

IBM is now making major efforts to improve DB2 database security; note the recent IBM acquisitions of BigFix and Guardium. New security features in DB2 include automation of compliance tasks, the capability for non-database administrators to audit database activity, and the ability to block Web-based attacks.

References:
http://analytics.informationweek.com
http://www.darkreading.com
http://www.securosis
http://www.ibm.com
http://www.bigfix.com
http://www.guardium.com
http://aws.amazon.com/ec2/

Wednesday, February 16, 2011

Total data storage now measured in ‘exabytes’

A recent study done at the University of Southern California found that total data storage on planet Earth is estimated to be approximately 295 billion gigabytes (or 295 exabytes). The study also found that the year 2002 is considered the start of the digital age, when data stored on digital media surpassed the data stored in analog format (e.g. videotapes, cassettes, photographs). The digital data referred to in the study consists of hard disk drive storage, optical storage and digital tape storage.

This volume of data presents a wide range of issues. Our perspective as IT auditors prompts us to consider the risks and controls around the security of this data, especially the data that is most valuable, sensitive and critical.

http://www.computerworld.com/s/article/9209158/Scientists_calculate_total_data_stored_to_date_295_exabytes

Saturday, January 29, 2011

'Lessons Learned From Five Big Database Breaches In 2010' - excellent article

A recent article on TechWeb's DarkReading entitled 'Lessons Learned From Five Big Database Breaches In 2010' provides a brief history of database breaches. The five breaches described include databases at a sheriff's office, a university, a marketing company, a healthcare company and a media network. Almost all of the breaches could have been prevented with moderate controls.

Organizations need to understand that, more often than not, their most valuable and sensitive information assets reside in their databases. It is therefore logical that databases are a prime target for attacks.

Database security should be taken seriously. Risks must be understood and controls implemented. Security can be improved dramatically with some effort. Our Continental Audit database services can have a huge impact.

http://www.darkreading.com/database-security/167901020/security/attacks-breaches/228900094/lessons-learned-from-five-big-database-breaches-in-2010.html

Friday, January 7, 2011

Ernst & Young survey on outsourcing/co-sourcing the internal audit function

The recent article published by Ernst & Young (EY) on the outsourcing or co-sourcing of the corporate internal audit function caught our attention. According to an EY survey, 77% of senior executives see outsourcing or co-sourcing as worthwhile, yet only 28% are actually taking action in this area by using external service providers. EY goes on to discuss seven myths about why companies are skeptical, including the fear of losing control, the expected high cost and the thinking that internal auditors know better.

Our opinion at Continental Audit is that it is very worthwhile and cost-effective for companies to outsource or co-source internal audit functions. This is especially true when it comes to specialized IT auditing like the areas in which we work. Some IT specialists are hard to find and deploy for IT audit purposes (e.g. database auditors).

We encourage companies to explore their options in this area. There is a high probability that the conclusion will be to outsource or co-source some functions, especially in the IT audit space.

Reference: http://www.ey.com/GL/en/Services/Advisory/Risk/Internal-Audit/To-cosource-or-not-to-cosource---Fact-or-fiction--Seven-cosourcing-myths-exposed