Chaos Theory IT Security Management

White Paper: Security Management

Contents

Introduction
Chaos Explained
Managed Chaos
The SaaS Rewards
SaaS Creates and Reinforces Acceptable Use Policies
SaaS Aids in Risk Prevention
SaaS Tackles Chaos
More Information

Introduction

Information security and compliance officers face numerous challenges. Complexity may be the biggest. After all, every solution – firewalls, antivirus software, spam prevention software, intrusion detection systems, back-up and recovery solutions, etc.
– must be implemented, updated, maintained, monitored and managed. And all of this takes place within an environment that changes at warp speed and is under constant assault from attackers continuously looking for and finding the next weak link. In short, the efforts of information security and compliance officers are akin to managed chaos.

But Software as a Service (SaaS) has great potential to help create and maintain order in that chaos. Instead of relying on software offered via traditional premise-based licensing models, organizations can ease the complexities associated with information security and compliance with SaaS-based models. SaaS delivers services much in the same way utilities deliver water or electricity and lets companies subscribe only to those software applications they need, when they need them, paying only for what they use. SaaS leverages the Internet as the development and delivery platform and uses a pay-as-you-go subscription structure.

Need to update the antivirus software on the scores of scattered desktops in your organization? A SaaS model makes doing this so much easier, and ensures all the antivirus software is installed and current. Need to add a new remote office or employee into your IT fold? SaaS makes it easier to ensure all the hardware, systems and applications are in compliance with your corporate information security standards, giving you fewer management headaches and uniform security policy enforcement.

The number of organizations adopting SaaS is growing at a healthy clip. In fact, worldwide SaaS revenue within the enterprise application software market is forecast to hit $10.7 billion in 2011, up 16.2 percent from the expected $9.2 billion in 2010.[1] SaaS holds a lot of promise in tackling and overcoming IT management chaos. In this paper, we’ll discuss how SaaS is a cost-effective way to ease complexity while managing and even boosting the success of any organization’s information security and compliance endeavors.

Chaos Explained

The origins of chaos theory – a scientific principle describing the unpredictability of systems – date back to well before computers and information systems.[2] According to an article on www.referenceforbusiness.com, French mathematician Henri Poincaré (1854–1912) left writings hinting at the unpredictability of systems; more than half a century later Edward Lorenz (b. 1917) and a few other scientists were taking note of "odd behavior" in complex systems such as the earth's atmosphere and the human brain. The article goes on to say that today the primary tool for understanding chaos theory (and complexity theory as well) is the dynamic systems theory, which is used to describe processes that constantly change over time (e.g., the ups and downs of the stock market).

Processes that constantly change over time… does that sound like information security and compliance?

Without any control, the answer to the above question is a resounding “yes.” But information security and compliance officers have worked hard over the years to leverage software and tools to exert control over the chaos. What’s left, no doubt, is managed chaos.

[1] http://www.gartner.com/it/page.jsp?id=1406613 Gartner report, "Forecast Analysis: Software as a Service, Worldwide, 2009-2014"
[2] http://www.referenceforbusiness.com/management/Bun-Comp/Chaos-Theory.html

Managed Chaos

Inconsistencies in information security and compliance initiatives can be caused by a number of issues:

• Little or no control over software versions
• Mismanaged software licenses
• Security policies that are not uniform, consistent or vetted and agreed upon among both business leaders and technical staff
• Threats that change constantly and quickly, making it difficult to keep up
• Regulatory requirements that continue to evolve
• The number of regulatory agencies, business partners, customers, and others that require compliance reports continues to grow

The fallout from all these issues, and resultant managed chaos, ranges from merely bothersome spam to virus attacks to even more sinister security breaches.

The demands on information security and compliance professionals continue to escalate. According to a survey conducted by Enterprise Management Associates (EMA) in 2010, “threats are becoming more difficult to manage” was the issue most frequently identified as a top security concern.[3] EMA points out that the increased complexity is taking its toll on an organization’s costs, time and expertise. Many professionals wind up performing information security and compliance tasks manually, taking time away from more strategically valuable priorities.

The SaaS Rewards

At a high, very important level, SaaS promises to reduce the complexities associated with information security and compliance.
SaaS reduces the complexity by outsourcing – to the service providers themselves – most of the infrastructure required to run software applications.[4] Therefore, in a SaaS implementation, the vendor takes care of the support, training, maintenance and security costs associated with managing the infrastructure in exchange for the recurring subscription fees.[5]

Additionally, SaaS provides more automated and controlled software versioning. Because SaaS is an “always-on” service model that can deliver updates to software as needed, if new viruses require antivirus software updates, a SaaS model ensures that all the desktops supported by that service are updated – even those that might be working from home or in a remote location. All of this makes for more coherent and seamless operation of the applications.

Implementation and deployment times are reduced and simplified. The very nature of a SaaS offering – that the software is owned and maintained by a third party – means organizations can rid themselves of software ownership and all that comes with that ownership. When an on-premise application needs to be upgraded or completely replaced, the one-time costs associated with that can be extensive, and the disruption and time-to-implement can be very taxing to an IT department. Not so with SaaS.

[3] http://eval.symantec.com/mktginfo/enterprise/other_resources/b-ema_symantec-ccsr-0410_ib_OR.en-us.pdf
[4] http://www.focus.com/articles/information-technology/saas-model-right-you/
[5] http://www.gartner.com/resId=1393813 Gartner report, "Forecast Analysis: Software as a Service, Worldwide, 2009-2014"

Organizations can also more effectively and efficiently plan for and manage growth.
According to the Software & Information Industry Association, “SaaS applications grow with you as your business grows.”[6] Organizations that leverage SaaS have quick access to a range of applications, there are no major software implementation efforts required, and the barriers to entry are lowered.

Reporting requirements and management changes related to information security and compliance can all be managed through a single console. The SaaS model also provides more seamless and automated end-to-end processes for meeting an organization’s security, compliance, audit and risk management needs. Further, SaaS offerings typically provide extensive audit logs.

Finally, complexity is eased because with SaaS, there are no software keys or licenses to manage or control. And when new employees come aboard, they can have immediate access to the software as new licenses don’t have to be acquired or transferred.

SaaS Creates and Reinforces Acceptable Use Policies

As policies are defined, set, and preached, organizations need to implement security tools and services that are able to enforce those policies. SaaS offerings make it easier to enforce policies that meet the information security and compliance standards set by an organization via automated capabilities to enforce end user policies. For example, policies can be set to scan any executable programs that end users receive or download, and those policies can be enforced automatically, across an organization.

SaaS models enable information security and compliance officers to apply different standards to different groups. In the above example, enforced scans can be set to occur daily for groups that often work remotely, or from home. For groups whose desktops rarely leave the office, scans can be set to occur once a week, for instance.

When policies must change, SaaS models can easily adopt the changes.
Information security and compliance officers can define and change the policies through an easy-to-use, Web-based policy management console.

SaaS Aids in Risk Prevention

These days, without email, business can grind to a halt. So if a distributed-denial-of-service (DDoS) attack or some other trouble brings your email service down, it’s vital to have a backup plan, and to have that backup plan be an established and well thought-out part of your overall business continuity plan.

Many organizations run back-ups of email servers, but the tasks can sometimes take second place to other, supposedly more strategic backup and recovery efforts. Databases and applications that are home to corporate financials, for example, are viewed as top-tier security responsibilities. But organizations underestimate just how important email is (businesses can rarely function anymore without it), or how email operations can potentially expose organizations to trouble. Moreover, billions of spam messages are sent each year, clogging inboxes, affecting productivity, and adding clean-up work to already burdened IT staff.

SaaS offerings make email continuity and security easier and more comprehensive. Continuous synchronization with an organization’s primary email system means that a standby system is up-to-date and ready to go at any time, should something happen. The synchronization also creates a secure archive of an organization’s email, should the need arise to recover email for reporting or compliance purposes. SaaS-based email filtering can substantially reduce spam infiltrations.

[6] Software & Information Industry Association, "Software-as-a-Service: A Comprehensive Look at the Total Cost of Ownership of Software Applications", Prepared by the Software-as-a-Service Executive Council, September 2006

SaaS Tackles Chaos

Chaos theory does include elements of order in seemingly random, unpredictable systems, but organizations need more assurances than theory. They need highly functioning, secure IT systems that work as needed 99.999 percent of the time. They need as close to bulletproof as they can get. SaaS offerings provide a level of certainty against unforeseen events.

The ever-increasing complexities involved with information security and compliance are taxing organizations more and more. For some time, the stewards of security and compliance have worked amid managed chaos. But security and policy inconsistencies as well as never-ending, more intelligent and more insidious attacks are threatening to bring down that managed chaos. SaaS offerings, with outsourcing aid, version control, quicker time to market, single console management and other benefits, promise to end chaos and help organizations run successful information security and compliance programs.

Symantec.cloud offers a flexible and scalable platform that simplifies maintaining and operating security solutions for email, Web and instant messaging communication. It also provides on-demand reporting and administrator capabilities through a single Web-based portal. Symantec.cloud offers a subscription-based licensing model, which allows for predictable payments without sacrificing flexibility and control. Symantec.cloud will allow small and medium organizations to leverage all the benefits of an on-premise security solution without the hassles that generally come with on-site installation.

More Information

About Symantec.cloud

Symantec.cloud uses the power of cloud computing to secure and manage information stored on endpoints and delivered via email, Web, and instant messaging.
Building on the foundation of MessageLabs market-leading software-as-a-service (SaaS) offerings and proven Symantec technologies, Symantec.cloud provides essential protection while virtually eliminating the need to manage hardware and software on site.

More than ten million end users at more than 31,000 organizations ranging from small businesses to the Fortune 500 use Symantec.cloud to secure and manage information stored on endpoints and delivered via email, Web, and instant messaging. Symantec.cloud helps IT professionals to protect information more completely, manage technology more effectively, and rapidly respond to the needs of their business.

For specific country offices and contact numbers, please visit our website.

Symantec.cloud North America
512 7th Ave.
6th Floor
New York, NY 10018 USA
1 (646) 519 8100
1 (866) 460 0000
www.MessageLabs.com

Symantec helps organizations secure and manage their information-driven world with security management, endpoint security, messaging security, and application security solutions.

Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 4/2011 21184103