
A security integrator's checklist for evaluating customer security

These 10 things will enable security integrators and resellers to determine which security threats are applicable to a customer's business.

Security integrators and resellers are being challenged by the constantly evolving threat landscape, and at times find it difficult to satisfy a customer's security needs. In most cases, the threat environment requires more depth than traditional endpoint or Web gateway protection provides.

Channel partners can provide an important value-add by helping customers first understand which threats are relevant to their business, and then combat those threats with the proper mix of endpoint, gateway and data protection products.

This checklist can be used to help determine what threats are relevant to your customer's business:

Is the customer currently doing, or planning to do, any of the following?

  1. Maintaining credit card or patient health records: If so, the customer should be thoroughly familiar with the Payment Card Industry Data Security Standard (PCI DSS) for credit cards or the Health Insurance Portability and Accountability Act (HIPAA) for health records. In both cases, achieving compliance is not the end of the story. Since both standards are continually updated, channel partners specializing in customers with PCI DSS or HIPAA requirements can be a valuable resource and keep customers informed of upcoming changes and tightened requirements, while helping them plan required upgrades.
  2. Moving some processing to the cloud: Cloud computing imposes a new set of security challenges. Review issues, such as data protection, access control and vendor management, with the customer and plan for how to address them.
  3. Using virtualized servers and networks: If so, applications and data that formerly resided on a restricted set of devices may now be moving from device to device as processing loads vary. Network security tools must be upgraded to deal with the increasing complexity.
  4. Has virtualized end nodes: Most customers maintaining wireless networks have already upgraded to WPA2 and understand the need to scan periodically for rogue APs. But now the move to end node virtualization creates another avenue for hackers. Virtualization features such as Windows 7's Virtual WiFi Adaptor enable an end node to function simultaneously as a client and an AP and act as a bridge from a hacker's node into the enterprise network. Customers need to upgrade to wireless protection devices that can detect this type of attack.
  5. Is publicly traded or about to go public: Public companies understand the need to strictly limit access to financial information. But an idle remark on Facebook, such as "We've been working overtime for weeks, got a big flood of orders," can reveal that the quarter will exceed expectations. Employee training is the key to avoiding these situations.
  6. Provides website access to internal records: Any site with an interactive interface to sensitive internal data must maintain an intrusion prevention system (IPS) to guard against attacks such as cross-site scripting and SQL injection. A site that provides only public information, such as descriptions of products, does not need to install an IPS but may still require defense against denial-of-service attacks.
  7. Allows remote access by employees: Do employees take laptops out of the building? Remote access, whether from employee-owned workstations or company-owned systems, requires VPN software on workstations and on the internal host receiving calls. A network access control (NAC) solution is also required to protect against viruses picked up outside the company network.
  8. Has replaced traditional phone service with VoIP: A customer with an internal Voice over Internet Protocol (VoIP) PBX must defend against eavesdropping and theft of service. Theft of service is the greatest danger. Hackers gain access to the PBX to make expensive phone calls that will be billed to the customer. In addition to measures to keep attackers out of the PBX, audit software should be in place to detect unusual patterns of calls. Overseas calls to places where the customer does not do business are an obvious tipoff.
  9. Is in a highly sensitive security environment: Defense contractors developing plans for new weapons are being continually attacked by extremely sophisticated hackers, possibly representing foreign governments. There are no specific compliance standards for defense data, but customers must deploy a variety of defenses and, possibly most important, continually train employees to carefully limit access to websites while at work and to keep work and personal email completely separate.
  10. Is concerned about statements posted on the Internet: Channel partners can consider adding services such as scanning the Web, blogs and social networking sites for customer employee statements about their employer. Consider also offering to send targeted spam or make phone calls that would lead an unsuspecting employee to answer with non-public information.
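
For item 8, the call-pattern audit it describes can be sketched as follows. This is an added example, not from the original article: the call detail record (CDR) layout, the allowed prefixes, the business hours and the burst threshold are all assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample CDRs; not taken from a real PBX.
SAMPLE_CDR = """start,extension,dialed,seconds
2024-03-04T10:15:00,201,+14155550123,180
2024-03-04T11:02:00,202,+442079460000,600
2024-03-05T02:11:00,205,+23276550001,1500
2024-03-05T02:14:00,205,+23276550002,1620
2024-03-05T02:40:00,205,+23276550003,1710
2024-03-05T14:30:00,203,+37122550009,45
"""

# Assumption: the customer does business only under these E.164 prefixes.
ALLOWED_PREFIXES = ("+1", "+44")
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local time (assumed)
BURST_THRESHOLD = 3            # off-list calls per extension per day (assumed)

def audit_calls(cdr_text, allowed=ALLOWED_PREFIXES):
    """Return (alerts, bursts) for calls to destinations outside `allowed`."""
    alerts = []
    per_ext_day = defaultdict(list)
    for row in csv.DictReader(io.StringIO(cdr_text)):
        if row["dialed"].startswith(allowed):
            continue  # destination is where the customer does business
        start = datetime.fromisoformat(row["start"])
        reasons = ["destination outside business regions"]
        if start.hour not in BUSINESS_HOURS:
            reasons.append("placed outside business hours")
        alerts.append((row["extension"], row["dialed"], reasons))
        per_ext_day[(row["extension"], start.date())].append(int(row["seconds"]))
    # An extension with many off-list calls in one day is the pattern that
    # theft of service tends to produce; report total seconds billed.
    bursts = {key: sum(secs) for key, secs in per_ext_day.items()
              if len(secs) >= BURST_THRESHOLD}
    return alerts, bursts

if __name__ == "__main__":
    call_alerts, call_bursts = audit_calls(SAMPLE_CDR)
    for ext, dialed, reasons in call_alerts:
        print(f"ext {ext} -> {dialed}: {', '.join(reasons)}")
    for (ext, day), total in call_bursts.items():
        print(f"ext {ext} on {day}: {total} s of off-list calls")
```

A prefix allow-list is coarse: a shared prefix such as "+1" covers several countries, so a production audit would match on longer prefixes or a full numbering-plan table.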

Review evolving security threats with customers
After identifying and addressing the relevant threats, maintain an ongoing relationship with customers. Periodically review the latest threats and develop plans to address them. Review how changes in technology affect security. Employees who previously logged in from laptops via a VPN may now prefer to log in from their smartphones. Can the same VPN solution be used? If not, what are the alternatives?

Review changes that have taken place in the business or legal environment. For example, the recent health care law extends HIPAA requirements to business associates of health care providers. A firm providing data processing services to a medical office may not be aware that it is now subject to HIPAA compliance. Another data processing firm may previously have had no need to be aware of HIPAA, but now has taken on a medical office customer.

Review security procedures and staff training. It's easy to gradually relax the level of vigilance. Someone from outside the organization may be more effective in noticing that incidents are no longer being thoroughly reviewed or logs are not being kept up to date. New employees may not have been trained, and existing employees may not have received training on new product versions.

Opportunity knocks. The expertise you will develop in reviewing customer requirements and installing products can open the door to new services. While channel partners must today provide customers with more than endpoint protection, there is tremendous opportunity to broaden your skills, while dramatically increasing revenue potential and enhancing customer relationships.

About the author:
David B. Jacobs of The Jacobs Group has more than twenty years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies as well as software start-ups. 
