Fall World 2014

Conference & Exhibit

Attend The #1 BC/DR Event!

Summer Journal

Volume 27, Issue 3

Full Contents Now Available!

Jon Seals

Enterprise Web Application Firewall for AWS

HOUSTON, TX – Alert Logic (www.alertlogic.com), a leading provider of Security-as-a-Service solutions for the cloud, today announced availability of its web application firewall (WAF), Web Security Manager on Amazon Web Services (AWS). Alert Logic’s Web Security Manager, along with Threat Manager and Log Manager, provide a comprehensive suite of security & compliance solutions for AWS customers, who are able to take advantage of hourly or a monthly billing directly from Alert Logic.

Web Security Manager protects cloud environments by blocking web application attacks—such as SQL injection and cross-site scripting—with a combination of signature-based detection and application behavior profiling, stopping unauthorized application activity before an attack compromises an application. Unlike CDN-based "cloud WAFs" that rely on simplistic blocking policies, Web Security Manager provides the same full WAF functionality previously available only in traditional environments. Designed for elastic cloud environments, Web Security Manager auto-scales the same way as the application it protects. Along with WAF protection, Alert Logic also offers ActiveWatch services that provide 24x7 management by experienced web application security analysts to optimize protection, to relieve users of a critical but challenging function.

“With the launch of Web Security Manager, Alert Logic makes available a full enterprise-ready suite of Security-as-a-Service solutions built for the cloud,” said Misha Govshteyn, chief strategy officer & co-founder at Alert Logic. “Now enterprises with cloud-enabled IT infrastructures can leverage all of our cloud-based web security & compliance solutions engineered for easy implementation through AWS.”

“We are pleased that Alert Logic will be offering its entire suite of managed security products on AWS,” said Terry Wise, Director, Worldwide Partner Ecosystem, AWS. “The addition of Alert Logic’s Web Security Manager enhances our shared-responsibility security model and gives customers additional security capabilities and convenience, via the AWS on-demand, pay-as-you-go cloud infrastructure.”

The inclusion of Web Security Manager in Alert Logic’s offerings for AWS builds on the powerful foundation of AWS that customers like Chargify, a recurring billing management company, use. The company will launch Web Security Manager to further protect its web applications in the AWS cloud.

“Alert Logic has built a differentiated security model for AWS that further helps customers like ourselves,” said Drew Blas, head of operations at Chargify.“As the only web application firewall that offers auto-scaling architecture with AWS, Web Security Manager is exactly what we need in our cloud environment.”

 About Alert Logic Web Security Manager

Web Security Manager delivers inline protection of web applications from dangerous cyber threats such as SQL Injection and Cross Site Scripting, along with full coverage of OWASP Top Ten attacks. Using a combination of both positive and negative security models, Web Security Manager blocks malicious traffic while allowing legitimate traffic to pass unaffected. Key benefits of Web Security Manager are:

·       Designed and built for AWS, Web Security Manager auto-scales with protected cloud instances

·     Web Security Manager satisfies PCI DSS requirement 6.6, providing protection against the OWASP Top 10 vulnerabilities without resource-intensive code review

·     Because Web Security Manager profiles application and traffic behavior, it provides immediate protection against zero-day attacks that signatures cannot detect – unauthorized application activity is blocked automatically

·     Optional ActiveWatch service provides 24x7 Security Operations Center monitoring of all activity and ongoing WAF tuning to optimize protection, removing the biggest challenge of WAF utilization

A presentation given by Alert Logic and AWS on the new Web Security Manager offering is available athttp://youtu.be/-Vr9BmDYSWo. More information about Alert Logic’s Web Security Manager, Threat Manager and Log Manager, which can be purchased through AWS or directly through Alert Logic, can be found at www.alertlogic.com.

About Alert Logic

Alert Logic, the leading provider of Security-as-a-Service solutions for the cloud, provides solutions to secure the application and infrastructure stack. By integrating advanced security tools with 24×7 Security Operations Center expertise, customers can defend against security threats and address compliance mandates. By leveraging an “as-a-Service” delivery model, Alert Logic solutions include day-to-day management of security infrastructure, security experts translating complex data into actionable insight, and flexible deployment options to address customer security needs in any computing environment. Built from the ground up to address the unique challenges of public and private cloud environments, Alert Logic partners with over half of the largest cloud and hosting service providers to provide Security-as-a-Service solutions for business application deployments for over 2,300 enterprises. Alert Logic is based in Houston, Texas, and was founded in 2002. For more information, please visit www.alertlogic.com.

with Dan Zitting

5 Steps to Integrating Governance, Risk Management and Compliance Activities Across the Organization

Governance, risk management and compliance (GRC) efforts are often spread across an organization. Each department takes a different approach with its own systems, technologies and tools to engage in risk management activities. Senior management is often stymied in trying to get a clear picture of risk across the organization, having to compare apples and oranges served up from various silos of GRC activity.

Without a consistent way to look at the universe of risk across the organization, how can you weigh impact and likelihood and keep up to date on ever-changing risk profiles?



October 16, 2013

Recovery Strategies

Ian Charters
Continuity Systems Ltd

It is a pity that the term ‘recovery strategy’ was ever coined. It gives the impression that an organisation has one high level recovery strategy which will provide a response to all BC issues and around which all recovery plans and procedures will be based. For example – “in the event a disruption the organisation will move priority staff to operate from its recovery centre at...” which is seen as a solution to all problems.

Instead the ‘recovery strategy’ of an organisation is likely to be a whole raft of measures put in place before an incident occurs that will, hopefully, give it some workable options for response when an incident occurs whatever the circumstances.



Cyclone Phailin made landfall on October 12th, striking the East coast of India including the states of Odisha and Andhra Pradesh.  Wind speeds reached 130 miles per hour and the storm surge reached 10 feet in some areas.

The storm triggered India’s biggest evacuation operation in 23 years with close to one million people evacuated by government authorities with support from the Indian Red Cross.  More than 110,000 are taking refuge in Red Cross run cyclone shelters. Phailin had a devastating impact damaging or destroying more than 250,000 homes and nearly 1 million acres of crops. 

The emergency response has been constrained by the cancellation of air-flights and trains, damage to highways and roads along the coastline, and disruption to mobile communication.

The Indian Red Cross (IRCS) has deployed teams to assess the affected areas and is mobilizing emergency relief items, clean water, and shelter materials.  More than 2,500 volunteers are responding. Three water treatment units have been deployed along with 11,000 tarps. The IRCS is planning to support some 200,000 people with initial assistance including distribution of shelter and relief supplies, health checks and provision of safe water.

The cyclone affected 11 million people but due to intensive preparedness efforts few lives were lost. In 1999 Cyclone Orissa made landfall in a similar area and killed more than 10,000 people.  Since that time the Indian Red Cross has increased its disaster preparedness efforts and training in the communities. 

 “Disaster risk reduction interventions for the last many years in Odisha, especially the construction of 75 cyclone shelters and training of large number of volunteers made it possible for nearly 110,400 people to get protection in these Red Cross Cyclone Shelters during the evacuation,” said Dr. S.P. Agarwal, Secretary General of the Indian Red Cross.



I have worked for a few organizations where the concept of the CEO was to help customers improve their business by understanding their business and business needs, create solutions via services with hardware and software, and provide support throughout the entire life-cycle.  Using these concepts in addition to my own beliefs, I recently presented to a group of prospects and customers.  I have long been convinced that selling a widget only goes so far.  Solving business problems, embeds you into the fabric of an enterprise.

Far too often, people believe in what they are doing without understanding it.



By Loraine Lawson

You hear it all the time: There simply aren’t enough trained data scientists to support the demand for Big Data analytics.

But here’s an interesting fact from TDWI’s best practices report on “Managing Big Data”: The data scientists aren’t really managing it now.

Actually, there’s an incredible range of job titles that manage Big Data. Out of 297 responses from 166 respondents (they could choose multiple options), only 6 percent said data scientists manage Big Data in their organizations.



You've probably been hearing a lot lately about the Internet of Things (IoT). The IoT (see: "The IoT: A Primer" at the end of this piece), while still in the early stages of development, is slowly making its way into the mainstream as more objects become connected via technology such as radio frequency identification (RFID) and the iniquitousness of the Internet.

By Bob Violino


CSO — You've probably been hearing a lot lately about the Internet of Things (IoT). The IoT (see: "The IoT: A Primer" at the end of this piece), while still in the early stages of development, is slowly making its way into the mainstream as more objects become connected via technology such as radio frequency identification (RFID) and the iniquitousness of the Internet.

Regardless of how the development of the IoT plays out in the months and years to come, or what specific plans organizations have for deploying related projects, there will clearly be security implications. IT and security executives might want to start thinking about the security aspects of IoT today, even if they have no immediate plans to link objects via the Internet.



Any employee with access to sensitive data is a potential threat, whether they know it or not. Even if they don't have malicious intentions, the inherent nature of their privilege is what makes them so dangerous.

By Grant Hatchimonji

CSO — Any employee with access to sensitive data is a potential threat, whether they know it or not. Even if they don't have malicious intentions, the inherent nature of their privilege is what makes them so dangerous.

Vormetric recently published its 2013 Insider Threat Report exploring the very nature of these dangers while also tallying the results of a survey it conducted over two weeks in August of this year. The numbers, which were tabulated in September, indicated the responses from 707 IT professionals to questions regarding insider threats and they choose to combat them. Needless to say, the pervasive theme of the survey results was that insider threats are a very serious concern to just about everyone.



Tom Davison looks at how failures can be used to boost security and help business continuity: if approached in the right way.

We’ve all heard the old saying: “If you fail to plan, you’re planning to fail.” Of course, it’s true: and from a security viewpoint, it’s also interesting to turn the cliché on its head. Shouldn’t a major part of any robust IT security strategy be about planning to fail? About preparing for the ‘what if’ scenarios that can disrupt normal business operations, and attempting to mitigate the potential impact of those disruptions?

A majority of businesses already do this to some extent, by performing regular vulnerability scans and penetration tests on their networks. But all too often these tests will look only at issues such as vulnerabilities on Internet gateways, systems with out-of-date patches or the presence of malware. They don’t include other security problems that are just as capable of causing outages, failures and damage – such as DDoS attacks, phishing attempts and more – which almost always strike seemingly at random and unexpectedly.

So how do you widen the scope of your security planning to ensure you’ve covered all the outage and security scenarios that could have a catastrophic effect on your business?



The Business Continuity Institute has published the shortlist for its annual Global Awards, which will be presented at a ceremony on 6th November in London.

The BCI Global Awards ‘recognise the outstanding achievements of business continuity professionals and organizations worldwide and pay tribute to some of the finest talent in the industry’.

The shortlist for the BCI Global Awards is as follows:

Business Continuity Consultant of the Year

  • Louise Theunissen MBCI
  • Thomas Keegan MBCI, Director of Business Resilience, PwC
  • Saul Midler MBCI, Managing Director, LINUS Information Security Solutions
  • Muhammad Ghazali MBCI, Head of BCM Services, Protiviti
  • Pierre Wettergren AMBCI, Senior Consultant, 5G Continuity AB

Business Continuity Manager of the Year

  • Millington Gumbo MBCI, Head of BCM, Standard Bank
  • Arnab Kumar Mukherjee MBCI, Business Continuity Manager, Colt Technology Services India Pvt. Ltd.
  • David Clarke MBCI, Business Continuity Manager, Telefónica UK Limited
  • Neyaz Ahmed MBCI, Ag. Director – Business Continuity, Etihad Etisalat - Mobily
  • Tom Clark MBCI, Director of IT Business Continuity Management Services, Liberty Mutual Insurance
  • Elaine Tomlin MBCI, Business Continuity Manager, Certus
  • Abdulrahman Alonaizan MBCI, Business Continuity Manager, Arab National Bank
  • Nisar Ahmed Khan MBCI, Manager – Business Continuity Management, Kuwait Finance House

Business Continuity Team of the Year

  • BT
  • Orion Group
  • Standard Life plc

Public Sector Business Continuity Manager of the Year

  • Glen Redstall CBCI, Manager, Business Continuity & Emergency Management, Inland Revenue
  • Mary-Ellen Lang MBCI, Resilience Manager, The City of Edinburgh Council
  • Brian Duddridge MBCI, Business Continuity Manager, Welsh Government
  • Alan Jones MBCI, Head of Resilience & Emergencies, West Sussex County Council

BCM Newcomer of the Year

  • Akintade Ayelomi AMBCI, Senior Manager, Business Continuity Management, MTN Nigeria (MTNN) Communications Limited
  • Andrew MacLeod AMBCI, Consultant, Needhams 1834 Ltd
  • Maan Al Saqlawi, Head of BCM, Bank Muscat
  • Nicola Huxley, Security Risk and Resilience Manager, British-American Tobacco (Holdings) Limited

Business Continuity Innovation of the Year (Product/Service)

  • Blue Zoo
  • Fusion Risk Management, Inc.
  • Vocal Ltd
  • Everbridge

Business Continuity Provider of the Year (BCM Service)

  • NCS Pte Ltd
  • Continuity Shop
  • SunGard Availability Services

Business Continuity Provider of the Year (BCM Product)

  • IBM
  • LINUS Information Security
  • eBRP Solutions Network, Inc.

Most Effective Recovery of the Year

  • Etihad Etisalat - Mobily
  • NHS Blood and Transplant
  • Citi
  • NCB Capital

Industry Personality of the Year

  • Abdulrahman Alonaizan MBCI
  • Richard L. Arnold
  • Tim Janes MBCI
  • Mark Penberthy FBCI
  • Iain Taylor (Hon) FBCI

More details.