Don’t Be Afraid of the ‘Audit’

Information security laws are still a patchwork nationwide, but an increasing number of industry organizations are finding that they need our assistance to comply with laws and other applicable requirements. The purpose of this post is to help demystify the process.

Many industry organizations are just realizing all of the requirements that apply to them. For example, the latest Payment Card Industry Data Security Standards (PCI DSS) now require compliance even from organizations that outsource their e-commerce transaction-processing functions to a third-party service provider, where the organization’s website controls the redirection to that provider. Understanding those types of compliance requirements, as well as those mandated by federal, state, or provincial legislation, is a starting point for any assessment.

A lot of clients take comfort in my approach to assessing security. For many organizations, especially for the IT people, a security assessment can seem daunting. What if issues are found? Will we look bad in front of the assessor? All I can do is assure clients that I’m there to help, not to judge. Yes, typically issues are found, especially if it’s an organization’s first assessment or if they haven’t had an assessment in a few years. Finding issues is simply the first step toward addressing them. Some assessors spend most of their time by themselves using their assessment tools, then present a report that feels like an adversarial “Gotcha!” to clients. I take a very different approach, one where I’m working alongside my client, using tools and checklists in collaboration with them. This has some important benefits. Because there are no surprises at the end of the assessment, there’s less of an adversarial feeling. Also, by educating my client in the use of common and free (or inexpensive) assessment tools and other security resources, they become empowered. IT staff are left feeling more educated and valuable, rather than feeling defeated by an outsider finding issues. The best part is that, by empowering my clients to perform at least some level of ongoing self-assessment, they are more likely to maintain better security in the long run.

Before the visit: Typically, I schedule two to three days for a visit with my client. A few weeks before the visit, I ask for any security-related information the organization might have: a list of websites and apps, information security policies (usually a part of an employee handbook), a list of third-party service providers and parts of contracts that are relevant to security, and the office and data center internet address (IP) ranges. If some of that information isn’t available, that’s okay. If I’m going to do any testing of applications hosted by third parties, at that point I need my client to coordinate that testing with their service provider. Then I review the materials provided and perform some initial “external” testing prior to my visit. If assistance with PCI DSS compliance is requested, I work with my client to start that process as well.

During the visit: I like to start discussions with management – looking together at staffing practices, physical security, policy and procedure, contracts, and other less-technical aspects of security. Then I dive into the technology with the staff (or sometimes contractors) who are responsible for managing it. Together, we’ll look at everything from routers and firewalls all the way down to the operating systems, and everything in between. If PCI DSS compliance is in progress, we will review any outstanding questions my client needs assistance with. At the end of the visit, if everyone is available, I like to bring everyone involved together to discuss findings and the process of planning issue remediation.

After the visit: Sometimes there are subsequent discussions of findings after the visit. Also, I provide a lot of phone and email support and follow-up, to ensure that the organization is efficiently moving forward in its efforts to improve security and to answer questions that arise along the way.

Hopefully this post has demystified the security assessment process. When it comes to information security, our industry has a lot of work to do. I benchmark the industry regularly in a number of ways. One small measure I take is “What percent of websites are running on known insecure web server platforms?” My present benchmark for that measure is: 28% of the top 50 MLSs (by subscriber count), 46% of the top 50 brokers (by transaction volume), 40% of top local associations, and 35% of our state associations. That measure is just the tip of the iceberg, too – again, there’s a lot of work to do! Contact me (612-747-5976), and let’s start working on it together.

Security Lets Us Provide a Better User Experience

A Ten-Year Journey

In James C. Collins’ bestselling business book, “Good to Great”, he introduces the concept of the flywheel. Outside of business, a flywheel is a heavy wheel that, once momentum is built, can store and provide consistently great power to a machine even when regular power is interrupted. The tricky thing about a heavy flywheel is that it can take great effort to overcome its initial inertia, and sometimes it takes a long time of pushing to get it up to full speed. Collins uses the flywheel as a metaphor for business, describing how, with consistent effort and persistence, a company can achieve great things.

Clareity Security has been pushing on some great flywheels for some time, and it is perhaps overdue to describe those efforts to the industry at large. 

The flywheel pushing began ten years ago. A client of Clareity Consulting needed to solve the issue they were having with unauthorized system access and theft of data, which had become a national epidemic due – in part – to lax password-only security. Clareity Security was highly successful at solving this problem, and after a few years was protecting logins for half of the industry with the SafeMLS® product. However, there was always some pushback on information security measures as inconvenient. Security in every context is always a bit inconvenient – it would surely be convenient to never have to remember house keys and just leave the door unlocked, but we don’t want someone walking in and taking our possessions. Still, Clareity Security was listening, and started exploring new ways to provide security more conveniently, though the new authentication technology would take some time to develop and deploy.

The push for greater convenience also led the way for something which is now a common term in our industry, “Single Sign-On” (SSO). Clareity Security, with NAR’s support, created an open-source toolkit and reference implementation for secure “SAML” SSO in 2007. Vendors started to deploy more secure single sign-on in more places, making life easier for real estate professionals, while still ensuring best practices for data security and authentication.

While SSO was gaining momentum, starting in 2009 Clareity Security began to deploy a new “zero footprint authentication” solution – a way to provide security with the minimum possible inconvenience to end-users. Using new technologies, security could be provided without carrying around hardware “key fobs” to generate one-time-use passwords and without software installation.

But one of the greatest breakthroughs occurred in 2010, when Clareity Security integrated Miami REALTORS®’ various applications using SSO technology to create a single dashboard for their members. Thus began Clareity Security’s SSO Dashboard initiative, which allows MLSs, Associations, brokers and others to present all the tools they provide to their subscribers (members, etc.) in one convenient location, and to provide secure, convenient SSO.

Keep in mind that what you are seeing today is just the first version of the SSO Dashboard – what is coming in 2015/2016 will make our industry look back and say, “That was a good starting place.” Clareity Security is committed to growing and enhancing the SSO Dashboard to meet the changing needs of the busy real estate professional.

But, that was a lot of background – let’s look at this history in terms of what industry issues are being addressed with all this technology: 

  1. The Value Proposition Problem. MLSs, Associations, and brokers now have a platform for expressing the value they provide by keeping their whole offering in front of users and giving them convenient access through SSO.
  2. The 90/10 problem. Traditionally, 90% of users use 10% of the offering. The SSO Dashboard significantly improves adoption of tools by users. In a recent case study, adoption of certain applications rose by an average of 75% within the first month of Dashboard implementation.
  3. The Robust “Site License” Offering vs. Differentiation problem. There has always been a strain between MLSs wanting to provide everything needed for agents to be professional yet leaving room for brokers and agents to differentiate using tools not in use by others in their market. The SSO Dashboard allows organizations to provide a platform that provides just the right balance.
  4. The Convenience / Security problem. SSO, by its very nature, creates an increased security risk: more resources – including platforms holding the most sensitive information our industry handles (document & transaction management) – are available behind a single login. Because Clareity Security provides a great security solution that can be combined with the SSO Dashboard, this risk can be mitigated.
  5. Centralized Identity. With the introduction of SSO Dashboard including a SAFEMLS Identity Provider (IdP), everyone benefits from not having to remember and synchronize different user IDs and passwords across multiple platforms.
  6. The Revenue Assurance problem. When logins are shared, the honest folks pay for the resources being stolen by others. Clareity Security makes sure everyone pays only their fair share by reducing the number of “freeloaders” and reducing unauthorized access.

Clareity Security continues to push hard on the flywheel and innovate. In 2014, we released SAFEMLS Plus, providing even better security, especially for mobile users – plus an improved interface for customers’ staff. Clareity Security is working with specialist interface designers now on creating an even more amazing experience to be unveiled in 2015. And that’s just the beginning. If we keep pushing and the industry pushes with us, we can expect that widespread SSO Dashboard deployments should eventually provide a personalized dashboard experience for the individual real estate professional. A tool that combines franchise, broker, MLS, association, and eventually even personal apps is the ultimate in convenience and power for real estate professionals.

It has been an amazing ten years for Clareity Security, growing from just being a security company to an integration company to a convenience and user experience company, retaining the best parts of its past while quickly moving toward its future.

When Clareity Security started on its journey, we had some good things in mind for our industry. But now that Clareity Security has been pushing for ten years, we can see great things ahead. An industry colleague once said, “We’re an industry driven too often by our fears and not enough by our dreams.” 

Matt's Real Estate Tech Blog (mattsretechblog: matt cohen)

Legal

This blog is for informational purposes only. The author shall have no liability in connection with any inaccuracies or omissions herein. All trademarks are the property of their respective holders. The views expressed on this blog are those of the author and do not necessarily reflect the views of his employer. Don't applaud, just throw money.