Technology Trends: Security
Protection Tips
Data Security In A Real-Time World Requires ‘Defense In Depth’ Strategy
Securing the confidentiality, integrity and availability of data is critical; all three are components of the same strategy
By Vance Huntley
Today, it may seem that insurance carriers and their independent agent partners have harnessed technology and are effectively connecting in real time to automate and accelerate routine processes while lowering the cost of processing insurance.
However, as insurance carriers and agencies alike embrace information technology
advances that accelerate the speed at
which new business can be acquired
and existing business can be renewed or
processed, achieving and maintaining
adequate levels of information security
becomes more than an item on the “to
do” list. It’s now a strategic priority.
Addressing three core concepts of
information security—confidentiality, integrity and availability (CIA for
short!)—can reduce your risk, even in a
connected, real-time world.
• Confidentiality:
Confidentiality ensures that only authorized individuals have access to data. With data breach notification laws in many states, and the expanding applicability of federal laws including the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act, both of which include information security requirements, maintaining the confidentiality of data in insurance systems is a legal obligation as well as a matter of customer trust.
• Integrity:
Integrity ensures information is accurate and cannot be modified or manipulated except by those authorized.
To be able to trust internal data, every insurance organization should choose network protocols that perform adequate error checking and exception reporting. Keep in mind that error checking such as checksums only catches accidental corruption; an attacker who can alter a message in transit can recompute a checksum. Protecting against deliberate manipulation requires authenticated protocols (TLS, for example) that attach a keyed integrity check the attacker cannot reproduce. Data integrity can be further improved by eliminating redundant data entry and the errors introduced by manual processes.
The real-time tools and automated workflows that are standard in any enterprise content management project can help achieve data integrity as well.
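The difference between error checking and security integrity is easiest to see side by side. The following is an added example, not code from the article or from Vertafore: a CRC-32 and an HMAC-SHA256 are computed over a constructed policy record, which is then subjected to an accidental bit flip and to a deliberate edit by an attacker who recomputes the CRC. The record, the shared key and the field names are all constructed for the demonstration.

```python
"""Added example: why error checking alone does not give security integrity.

A CRC catches accidental corruption, but anyone who can change the
message can recompute it. A keyed MAC (HMAC-SHA256 here) can only be
recomputed by a holder of the key, so deliberate manipulation is detected.
All messages and the key below are constructed for the demonstration.
"""
import hashlib
import hmac
import zlib

# Constructed shared key. In practice this is negotiated by the protocol
# (e.g. TLS) or issued by a key-management system, never hard-coded.
SHARED_KEY = b"constructed-demo-key-do-not-use-in-production"


def crc32_tag(message: bytes) -> int:
    """Error-detecting code: detects random bit errors, not deliberate edits."""
    return zlib.crc32(message) & 0xFFFFFFFF


def hmac_tag(key: bytes, message: bytes) -> bytes:
    """Keyed integrity check: cannot be recomputed without the key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def receiver_accepts_crc(message: bytes, tag: int) -> bool:
    """What a receiver relying on error checking does."""
    return crc32_tag(message) == tag


def receiver_accepts_hmac(key: bytes, message: bytes, tag: bytes) -> bool:
    """What a receiver relying on a MAC does (constant-time comparison)."""
    return hmac.compare_digest(hmac_tag(key, message), tag)


def demo() -> dict:
    """Run both checks against random corruption and deliberate tampering."""
    # Constructed policy record as it might be exchanged between agency and carrier.
    original = b"policy=POL-1001;premium=1250.00;payee=ACCT-42"
    crc = crc32_tag(original)
    mac = hmac_tag(SHARED_KEY, original)

    # Case 1: a single bit flipped in transit (accidental corruption).
    corrupted = bytearray(original)
    corrupted[10] ^= 0x01
    corrupted = bytes(corrupted)

    # Case 2: an attacker rewrites the payee and, because a CRC needs no secret,
    # recomputes the CRC to match. They cannot recompute the HMAC.
    tampered = original.replace(b"ACCT-42", b"ACCT-99")
    forged_crc = crc32_tag(tampered)

    return {
        "crc_catches_corruption": not receiver_accepts_crc(corrupted, crc),
        "hmac_catches_corruption": not receiver_accepts_hmac(SHARED_KEY, corrupted, mac),
        "crc_catches_tampering": not receiver_accepts_crc(tampered, forged_crc),
        "hmac_catches_tampering": not receiver_accepts_hmac(SHARED_KEY, tampered, mac),
    }


if __name__ == "__main__":
    for check, caught in demo().items():
        print(f"{check}: {'caught' if caught else 'MISSED'}")
```

The CRC misses the tampering case because the attacker simply ships a matching CRC with the altered record; the HMAC catches it because the key never left the two legitimate endpoints. The same principle is what the record layer of TLS provides for traffic between agency, carrier and vendor systems.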
• Availability:
Availability gives authorized users access to
data or systems when and where it is needed.
While insurer efforts to eliminate manual processes and paper files are certainly warranted
and beneficial, new automated processes and
electronic files make availability an even more
crucial concept to plan for going forward.
If a catastrophe occurs and your main office location is without electric, phone or Internet service, proper business continuity and disaster recovery protocols, including system redundancy and geographic separation between sites, will ensure you have backup systems that work as usual.
Working in a real-time world, today’s reality is that day-to-day business demands require a complex web of connectivity between customers, agencies, carriers and managing general agents that can leave critical data susceptible to unauthorized access.
Achieving these goals requires more than use of complicated passwords and isolating networks with firewalls. Maintaining CIA takes vigilant maintenance of security measures at every layer, combined with implementing a “defense in depth” strategy that puts controls around user workstations, the network’s perimeter, internal network, host systems, applications, system interfaces and databases.
Let’s examine “defense in depth” in action.
User workstations (including laptops and mobile devices) have quickly become one of the weakest links in information security. Trends show hackers are more often booby-trapping popular websites with malware that steals confidential data and passwords from visiting workstations, as opposed to launching direct attacks against well-protected servers.
User workstations are more susceptible because they are often operated in a privileged mode (that is, with the user logged on as a local administrator, so any code that runs, including malware, has full access to the system), unpatched when it comes to critical security exposures and malware, and operating on new platforms including smart phones.
Therefore, it is important to take the following steps to protect your organization:
• Stay current on security patches for workstations.
• Utilize hard-drive encryption.
• Use “kill-pill” technology, which can send a signal to a stolen device and scramble the data on the hard drive.
• Maintain up-to-date anti-malware.
• Be mindful of Internet usage by users.
At the network perimeter of your organization, you need adequate screening of traffic going out of the network as well as coming in, to ensure sensitive data is transmitted only to those who are authorized to access it. The devices that do this, such as network firewalls, Web application firewalls, intrusion detection/prevention systems, data loss prevention systems and e-mail filtering systems, help block unauthorized traffic and alert security teams to suspicious activity.
Internally, it is important to design a network with security zones in mind, and to deploy network devices (such as switches and routers) in a hardened manner using security benchmark guides such as those published by the Center for Internet Security (http://cisecurity.org).
Consider the following:
• Host systems: Hosts need to be hardened by changing default configurations in accordance with best-practice security benchmark guides, and protected with host intrusion detection systems, anti-malware, and data integrity tools that ensure critical system files are not modified in an unauthorized manner.
18 | National Underwriter Property & Casualty | July 19, 2010
Vance Huntley is the Chief Technology Officer for Bothell, Wash.-based Vertafore. He can be reached via email at vhuntley@vertafore.com.
It is also necessary that security patches
are maintained, not just for the operating
system, but also for other software, such as
Adobe products or open source tools.
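The “data integrity tools” mentioned for host systems are, at their core, a signed baseline of file digests compared against the live file system. As an added example (not the article’s or any vendor’s code), the following builds such a baseline, then detects a weakened sshd_config, a deleted banner and a planted ld.so.preload. The files and the tampering are constructed inside a temporary directory so it runs offline; the /etc layout and file contents are assumed for illustration.

```python
"""Added example: a minimal file-integrity baseline for critical system files.

Hash every file under a root, store the result, and later compare the live
tree against it. The files and the tampering are constructed in a temporary
directory so the example runs offline; a real deployment would baseline
/etc, /boot and similar, and keep the baseline (signed) off the host.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each regular file (relative, '/'-separated) to its digest and mode bits."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlink targets are tracked where they live
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            baseline[rel] = {"sha256": sha256_file(full), "mode": st.st_mode & 0o7777}
    return baseline


def compare(baseline: dict, root: str) -> dict:
    """Report files added, removed, modified, or whose permission bits changed."""
    current = build_baseline(root)
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p]["sha256"] != current[p]["sha256"]),
        "mode_changed": sorted(p for p in both if baseline[p]["mode"] != current[p]["mode"]),
    }


def _write(path: str, text: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo() -> dict:
    """Baseline a constructed /etc, tamper with it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        _write(os.path.join(etc, "passwd"), "root:x:0:0:root:/root:/bin/sh\n")
        _write(os.path.join(etc, "sshd_config"), "PermitRootLogin no\n")
        _write(os.path.join(etc, "motd"), "Authorized use only.\n")
        baseline = build_baseline(root)  # in practice: store this off-host

        # Constructed tampering: weaken sshd, drop the banner, add a preload hook.
        _write(os.path.join(etc, "sshd_config"), "PermitRootLogin yes\n")
        os.remove(os.path.join(etc, "motd"))
        _write(os.path.join(etc, "ld.so.preload"), "/tmp/evil.so\n")

        return compare(baseline, root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline is only as trustworthy as its storage: an attacker with root on the host can rewrite a baseline kept on the same disk, which is why production tools keep it on a separate system or sign it, and why the comparison should run from a schedule the host itself cannot silently disable.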
• Applications: Besides security features such
as transmission encryption, role-based access and audit trails, it is important for applications to be developed and tested with
security in mind.
Observations of recent hacking activities
clearly indicate a move from hacking the
network and hosts to hacking applications by
exploiting security vulnerabilities in the code.
Use of a secure development life cycle, including risk assessments during design, secure
code reviews before release and ongoing web
application penetration testing are essential.
• System interfaces: Well thought-out workflows, appropriate use of encryption technologies and implementation of secure protocols
are necessary to maintain secure interfaces.
• Databases: The final layer of defense. Appropriate use of encryption, data masking, limits on direct connectivity and maintaining transaction audit trails are all important.
The responsiveness and efficiency benefits of a real-time world depend on the exchange of electronic data and
documents. To protect that data, a “defense
in depth” strategy with multiple layers of
security controls must be implemented.
While the prospect of doing this may
feel a little overwhelming, it is an essential
part of responsible stewardship of the data
entrusted to you by your customers and it
cannot be ignored.
All of the participants in this real-time
world must embrace this reality, including carriers, managing general agencies, independent
agents, and the vendors who serve them.
Fortunately, practices and technology
like those above are available today. Now,
it’s time to adopt and apply them.
Copyright of National Underwriter / Property & Casualty Risk & Benefits Management is the property of
Summit Business Media and its content may not be copied or emailed to multiple sites or posted to a listserv
without the copyright holder's express written permission. However, users may print, download, or email
articles for individual use.
practice
DOI:10.1145/2687878
Article development led by queue.acm.org
Trust, but verify.
BY GEETANJALI SAMPEMANE
Internal Access Controls
62 | COMMUNICATIONS OF THE ACM | JANUARY 2015 | VOL. 58 | NO. 1
EVERY DAY SEEMS to bring news of another dramatic and high-profile security incident, whether it is the discovery of longstanding vulnerabilities in widely used software such as OpenSSL or Bash, or celebrity photographs stolen and publicized. There seems to be an infinite supply of zero-day vulnerabilities and powerful state-sponsored attackers. In the face of such threats, is it even worth trying to protect your systems and data? What can systems security designers and administrators do?
While these threats are very real, they are not the biggest ones faced by most organizations. Most organizations do not face targeted attacks from hostile governments or criminals intent on stealing users’ data; their systems are more likely to be unavailable
because of ill-timed software updates
or misconfiguration.2–4
People tend to overreact to dramatic
events like terrorist attacks, but they
underestimate mundane threats. This
is made worse by the fact the threat
landscape is evolving; security advice
that was once reasonable becomes
obsolete. For example, users are routinely advised to use long, complex
passwords, but account compromise
caused by password reuse is probably
a bigger threat these days than bruteforce password cracking, so choosing
different passwords for different sites
is a better strategy than creating a complex password, memorizing it, and using it everywhere.
In a former life, I helped organizations connect to the Internet, and, as
part of that process, warned administrators of new threats they now faced.
Those conversations convinced me
that practical systems security was
still too difficult for most people to get
right. In the years since, Internet connectivity has become more routine, but
methods for securing systems have not
kept pace.
This article argues in favor of relatively mundane tools that systems security designers and administrators
can use to protect their systems and detect attacks. The principles proposed
here are good internal access controls:
regular automated monitoring and
verifying of access configurations, and
auditing user access to data. At Google,
we use these techniques as part of our
security strategy, but the principles are
applicable to any organization with
data to protect.
The Problem
Systems security administrators, who
have more incentive than the average
user to get security right, have a difficult
job. With the increasing proliferation
of mobile devices, and increased expectation of anytime/anywhere access,
there are only a few high-security environments where users can be prohibited from bringing their personal phones or devices into the corporate environment. Keyboard loggers and malware
on personal machines can thus be
a path to attack enterprise systems.
These devices can be used to exfiltrate
data, deliberately or accidentally.
Even when users are restricted to
using corporate-owned and -managed
devices for work, they still tend to reuse passwords on different systems,
and this can provide a vector of attack. Stashes of username/passwords
stolen from compromised servers can
be retried on other sites, so users who
have reused a username/password on
multiple sites can contribute to a bigger problem. People remain vulnerable to social engineering or phishing
attacks. Improved authentication systems, such as having a second factor
or one-time passwords, help some,
but the vast majority of systems do not
use those yet.
It is therefore reasonable to assume
that some user accounts will get com-
promised, and it is important to design
a system to be resilient to that. Such a
system also offers the benefit of providing some protection against malicious insiders. Insider attacks have the potential to cause great damage, since they are carried out by people who already have authorized access and, often, knowledge of systems and processes. Designing protections
against insider attacks, however, can
be difficult without making the system
very cumbersome to use or making users feel untrusted and, therefore, uncooperative with security measures.
Users of the system often do not
understand the threat models, so they
end up viewing security measures as
hoops they have to jump through.
Better explanations of the rationale
for restrictions may make users more
cooperative and dissuade them from
looking for ways around the hoops.
Another common problem is misconfigured security controls. As sys-
tems and security software grow more
complex, the chance of administrators
misunderstanding them increases.
This can lead to an increase in successful attacks based on such flaws as overlooked default passwords or misconfigured firewall rules.
Why Have Internal
Access Controls?
The case for good internal access controls, also called defense in depth, is
easy to understand but surprisingly
difficult to get right in practice. Internal access controls make it harder for
attackers to break in (it is not just the
firewall that needs to be breached) and
limits damage if a system is attacked
(one phished password will at most get
the attackers what that user has access
to, not necessarily everything on the internal network). Given that a common
way systems are attacked is via compromised legitimate user accounts, limiting the damage a single compromised
(or malicious) user can get away with
undetected is a useful goal.
The problem is that systems typically start out small, with little or no valuable data, and internal access controls
seem like overkill. A good firewall and
unrestricted access to (the small number of) authorized users seems like
more than enough. People get used
to that unrestricted internal access,
and processes and tools are developed
under that assumption, so adding internal security barriers as the system
grows can be disruptive and meet with
resistance from users. Removing permissions can also break systems, often
in unexpected ways. Retrofitting security into systems is difficult.
Most organizations have different
kinds of valuable information that
needs protecting—company-confidential code and documents, customer
information, or data entrusted to them
by their users (in the case of cloud service providers). Different employees
need access to different subsets of this
information, either for development
and debugging services, or to provide
customer service, or for routine activities such as indexing or backup. How
does the organization ensure people
have the right level of access they need
and no more?
Achieving the Right Granularity
of Permissions
Administrative usability is often
overlooked while designing access
schemes. Very fine-grained permissions seem like a good idea, since they
can grant exactly the necessary access,
but it can easily become too much work
to manage. Too many or too low-level
permissions can also result in clutter
and can be difficult to understand and
reason about.
On the other hand, the problem
with access that is too coarse-grained
is it can grant too much access. One of
the bigger problems with granting too
much access is not malicious use but
accidental use. Many systems do not enable permissions on an as-needed basis but, rather, keep every permission a user has been granted active all the time; this is the equivalent of always running as a superuser rather than as a regular user. Again the problem is one of granularity: having to specify every permission needed becomes tedious, so the tendency is just
to leave permissions enabled.
Role-based access control systems1
help with this by grouping related sets
of permissions, but people who perform different roles still end up with a lot of access, and with few good ways of exercising only the least privilege a task needs.
What can be done about this? Try
to understand the system well enough
to set up access controls at the right
places, but also recognize that you
will sometimes get this wrong and
will grant more or less access than is
needed. This may be because you want
to simplify administration or because
your mental model of permissions and
usage is wrong. It is thus useful to have
a system in place to review and monitor permissions, and correct the access
configuration as appropriate.
Monitoring Access Configurations
Too often, access requests are reviewed
at grant time and never again. People
in an organization move across roles
and projects, but old permissions do
not always expire. Removing unused
permissions rarely seems that urgent,
and guessing wrong about whether
something is unused can break running systems. Unused permissions are
not dangerous as long as they remain
unused, but they do make the access
configuration more difficult to understand.
At Google, we use regular monitoring of access configurations to identify
unexpected or unwanted permission
behavior. The principle of access-configuration monitoring is much like
unit testing for code. Like any type of
verification, this is most useful if the
verification uses a different approach
from the configuration—for example,
viewing the permissions in the live production configuration rather than just
viewing them as configured.
Administrators specify invariants
about the access configuration that
should be maintained, and automated
test infrastructure periodically verifies
these invariants hold. Preconfigured
alerts can be raised if any problems are
detected.
Access-configuration monitoring is
useful for a few different purposes:
• Catching differences between static and live configurations. Some access systems require configuration changes
to be reviewed by administrators and
then “pushed” to take effect. Occasionally, changes are pushed to live systems
without changing the static configuration, or the configuration is changed
and not pushed. This sort of situation
can lead to unpleasant surprises when
long-running systems are restarted.
• Verifying the configuration is behaving as expected. Most configuration languages have their quirks, so it is good
to have tests to confirm they are doing
what you expect them to do. A common
example is firewall rules that block too
much or too little traffic.
• Tripwire-like monitoring to notify
people of changes. Typically, these are
expected changes, but this can catch
unauthorized or unexpected changes.
It is important that these not be too
noisy, or people who receive them will
tune them out.
• Catching drifts such as sudden (or
even gradual) increases in the number
of authorized people. People often create an ACL (access-control list) for a
particular reason, and, over time, tend
to use it for other reasons, and the size
grows. This sort of monitoring can be
useful for recognizing when a group
has grown too large, contains too many
permissions, and should be split.
• Verifying that separation of permissions holds. For example, you may want
to prevent any one person from having certain combinations of permissions (like being able to make changes
to code and push them to production
without review).
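The invariants listed above (static versus live drift, group growth, separation of permissions) are simple to express once the access configuration is available as data. The following is an added example, not Google’s tooling and not code from the article: it takes a reviewed static configuration and a configuration read back from the live system, both constructed here, and reports every invariant that fails. The group names, permissions, the one separation-of-duties rule and the group-size threshold are all assumptions for the demonstration.

```python
"""Added example: periodic invariant checks over an access configuration.

Static config = what was reviewed and committed; live config = what the
production system actually enforces. Both are constructed toy data here;
a real check would read the live side from the system's own API.
"""
from collections import defaultdict

# Constructed static (reviewed, committed) configuration.
STATIC_GROUPS = {
    "eng-core": {"alice", "bob", "carol"},
    "release": {"dave"},
    "oncall": {"alice", "erin"},
}
STATIC_GRANTS = {
    "eng-core": {"code:write"},
    "release": {"prod:push"},
    "oncall": {"prod:read", "logs:read"},
}

# Constructed live configuration as read back from the production system.
# "frank" was added to "release" out of band, and "eng-core" was given
# prod:push without the static file being updated.
LIVE_GROUPS = {
    "eng-core": {"alice", "bob", "carol"},
    "release": {"dave", "frank"},
    "oncall": {"alice", "erin"},
}
LIVE_GRANTS = {
    "eng-core": {"code:write", "prod:push"},
    "release": {"prod:push"},
    "oncall": {"prod:read", "logs:read"},
}

# Hypothetical separation-of-duties rule: nobody may hold both of these.
FORBIDDEN_COMBOS = [({"code:write", "prod:push"}, "can change code and push it to production without review")]
MAX_GROUP_SIZE = 4  # hypothetical threshold for the "group grew too large" drift check


def effective_permissions(groups, grants):
    """Flatten group membership into user -> set of permissions."""
    perms = defaultdict(set)
    for group, members in groups.items():
        for user in members:
            perms[user] |= grants.get(group, set())
    return dict(perms)


def diff_static_live(static_groups, static_grants, live_groups, live_grants):
    """Invariant: the live configuration equals the reviewed static one."""
    findings = []
    for group in sorted(set(static_groups) | set(live_groups)):
        s_m, l_m = static_groups.get(group, set()), live_groups.get(group, set())
        for u in sorted(l_m - s_m):
            findings.append(f"{group}: member {u} present live but not in static config")
        for u in sorted(s_m - l_m):
            findings.append(f"{group}: member {u} in static config but missing live")
        s_p, l_p = static_grants.get(group, set()), live_grants.get(group, set())
        for p in sorted(l_p - s_p):
            findings.append(f"{group}: permission {p} granted live but not in static config")
        for p in sorted(s_p - l_p):
            findings.append(f"{group}: permission {p} in static config but not live")
    return findings


def separation_violations(groups, grants, forbidden=FORBIDDEN_COMBOS):
    """Invariant: no single user holds a forbidden combination of permissions."""
    perms = effective_permissions(groups, grants)
    return sorted(
        f"{user}: holds {sorted(combo)} ({why})"
        for user, held in perms.items()
        for combo, why in forbidden
        if combo <= held
    )


def oversized_groups(groups, limit=MAX_GROUP_SIZE):
    """Drift check: groups whose membership exceeds the configured limit."""
    return sorted(g for g, m in groups.items() if len(m) > limit)


def run_checks():
    """Run every invariant against the live configuration; returns all findings."""
    return {
        "drift": diff_static_live(STATIC_GROUPS, STATIC_GRANTS, LIVE_GROUPS, LIVE_GRANTS),
        "separation": separation_violations(LIVE_GROUPS, LIVE_GRANTS),
        "oversized": oversized_groups(LIVE_GROUPS),
    }


if __name__ == "__main__":
    for kind, items in run_checks().items():
        for item in items:
            print(f"[{kind}] {item}")
```

Note that the separation check is run against effective permissions, not against any one group: the static configuration passes it, and the live one fails it only because of the out-of-band grant to eng-core, which is exactly the kind of change the drift check is there to surface. Each finding should map to an alert routed to the owner of the group, and, as the article warns, the thresholds need tuning so the alerts stay rare enough to be read.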
Auditing to Understand Access
Audit logs are a common part of systems security. Typically, all configuration changes and any access to sensitive data generate audit logs, which must be hard to subvert: written to an append-only store that the audited users themselves cannot modify. These are often a requirement for regulatory compliance.
Many systems, however, stop at
generating the audit logs, using them
only for postmortem analysis when
something goes wrong. An “audit”
in these systems is a sign of trouble.
Therefore, access audits should be
much more routine, and not a hostile
process. Whenever an employee performs a nonroutine access, perhaps
for troubleshooting or debugging, the
access will be audited. In most cases,
this may involve just documenting
the reason for access. This develops
a culture of accountability, where users expect to have to justify access to
sensitive data.
Knowing that all accesses are audited makes granting permissions a
little easier. Restricting access to very
few people can make a system fragile. It would be more robust if more
people were granted emergency access but did not have to use it. Having
overbroad permissions, however, is
generally a problem. Users could accidentally or maliciously misuse their
accesses or become targets for socialengineering attacks because of it.
Having good audit logs at the time of
use of permissions mitigates this risk
somewhat, since inappropriate access
is unlikely to go undetected.
Routine access audits also help
identify access patterns and can help
tune access configuration. If all access is logged, it becomes possible to
identify unused permissions reliably
and prune them safely if needed. This
catches the cases where people move
jobs or roles without explicitly giving
up permissions.
Auditing accesses that are actually
used provides visibility into which accesses are needed for people to do their
jobs. This allows for the development
of better tools, sometimes reducing
the amount of access that needs to be
granted for a particular task.
Good tools are needed to prevent
access audits from becoming bureaucratic nightmares. Routine access can
be recognized, based on job roles or
access history, and only unusual access patterns can be flagged for extra or
manual review.
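Both uses of access logs described here, pruning permissions that were granted but never exercised and flagging only the accesses that are unusual for a role, come down to a few passes over the log. The following is an added example, not from the article and not Google’s tooling: a constructed audit log of (timestamp, user, permission, justification) records is reviewed against constructed grants, hypothetical job roles and a hypothetical business-hours window.

```python
"""Added example: turning audit logs into access-configuration tuning.

Two routine reviews over a constructed audit log: (1) permissions that were
granted but never used in the review window, which are candidates for
pruning; (2) accesses that deserve a human look because they fall outside
the user's role, carry no justification, or happen off-hours. Role
definitions, business hours, and the log itself are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: what each user currently holds.
GRANTS = {
    "alice": {"prod:read", "logs:read", "billing:read", "billing:write"},
    "bob": {"code:write", "prod:read"},
    "carol": {"billing:read", "billing:write"},
}

# Constructed: what is routine for each (hypothetical) job role.
ROLES = {"alice": "oncall", "bob": "engineer", "carol": "billing"}
ROUTINE_BY_ROLE = {
    "oncall": {"prod:read", "logs:read"},
    "engineer": {"code:write"},
    "billing": {"billing:read", "billing:write"},
}
BUSINESS_HOURS = range(7, 19)  # hypothetical: 07:00-18:59

# Constructed audit log: (ISO timestamp, user, permission used, justification given).
AUDIT_LOG = [
    ("2015-01-05T09:12:00", "alice", "prod:read", "routine"),
    ("2015-01-06T10:01:00", "alice", "logs:read", "routine"),
    ("2015-01-07T11:40:00", "bob", "code:write", "routine"),
    ("2015-01-08T14:20:00", "bob", "prod:read", "debugging ticket 4711"),
    ("2015-01-09T03:05:00", "carol", "billing:read", "routine"),
    ("2015-01-12T02:48:00", "alice", "billing:read", ""),
    ("2015-01-13T09:30:00", "carol", "billing:read", "routine"),
]


def unused_permissions(grants, log, now_iso, window_days=30):
    """Permissions granted but not exercised within the window: prune candidates."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=window_days)
    used = defaultdict(set)
    for ts, user, perm, _ in log:
        if datetime.fromisoformat(ts) >= cutoff:
            used[user].add(perm)
    return {u: sorted(p - used[u]) for u, p in grants.items() if p - used[u]}


def flag_for_review(log, roles=ROLES, routine=ROUTINE_BY_ROLE, hours=BUSINESS_HOURS):
    """Accesses that are routine for the role, justified and in-hours pass silently;
    everything else is returned together with the reasons it was flagged."""
    flagged = []
    for ts, user, perm, why in log:
        reasons = []
        if perm not in routine.get(roles.get(user), set()):
            reasons.append("not routine for role")
        if not why.strip():
            reasons.append("no justification recorded")
        if datetime.fromisoformat(ts).hour not in hours:
            reasons.append("outside business hours")
        if reasons:
            flagged.append({"when": ts, "user": user, "permission": perm,
                            "justification": why, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    print("prune candidates:", unused_permissions(GRANTS, AUDIT_LOG, "2015-01-31T00:00:00"))
    for f in flag_for_review(AUDIT_LOG):
        print(f"review: {f['when']} {f['user']} {f['permission']} -> {', '.join(f['reasons'])}")
```

On this log the prune pass finds that neither alice nor carol has used billing:write in the window, and the review pass surfaces three of seven accesses, each with a concrete reason a reviewer can act on. The justification field is what makes the second pass cheap: a non-routine access that carries a ticket reference needs far less attention than one with nothing recorded at 02:48.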
It is also worth noting that auditing
accesses is not a substitute for good
access controls; audits can recognize
inappropriate access only after it has
happened, unlike access controls,
which prevent it. As just described,
however, auditing all accesses can help
tune access configurations. Having to
justify access also helps prevent inappropriate access by authorized users.
Further, in the unfortunate event of inappropriate access, audit logs can help
administrators assess the damage.
Conclusion
While high-profile targeted attacks will
continue, organizations can do a lot
to protect their systems. Internal access controls at the right granularity,
combined with access logging and auditing, can help detect and prevent unwanted access. Access configurations
suffer from “bit rot,” and users often
accumulate unnecessary permissions
over time; therefore, regular monitoring, à la unit tests for code, can help
detect unwanted situations.
Making security goals and threats
clear to system users may encourage
their cooperation, rather than leaving
them to view security as a nuisance to
be worked around. Making the system
and security configuration easy for administrators to understand will likely
lead to fewer configuration errors, and
well-designed monitoring can catch
any remaining ones. Finally, making
access audits routine can help system
administrators understand access
patterns and notice unusual access,
whether it is a result of some nonroutine event or because a user account
has been compromised.
Related articles
on queue.acm.org
A Decade of OS Access-control Extensibility
Robert N. M. Watson
http://queue.acm.org/detail.cfm?id=2430732
Standardizing Storage Clusters
Garth Goodson, Sai Susarla, and Rahul Iyere
http://queue.acm.org/detail.cfm?id=1317402
Monitoring and Control of
Large Systems with MonALISA
Iosif Legrand, Ramiro Voicu, Catalin Cirstoiu,
Costin Grigoras, Latchezar Betev,
and Alexandru Costan
http://queue.acm.org/detail.cfm?id=1577839
References
1. Computer Security Resource Center. Role based
access control and role based security. National
Institute of Standards and Technology, Computer
Security Division, 2014; http://csrc.nist.gov/groups/
SNS/rbac/.
2. Hockenson, L. Facebook explains the cause behind its
early Thursday downtime. Gigaom; https://gigaom.
com/2014/06/19/facebook-explains-the-causebehind-its-early-thursday-downtime/.
3. Moscaritolo, A. Verizon billing system hit by major
outage. PC Mag UK, 2014; http://uk.pcmag.com/
news/33726/verizon-billing-system-hit-by-major-outage.
4. Wikipedia. RBS Group computer system problems,
2012; http://en.wikipedia.org/wiki/2012_RBS_Group_
computer_system_problems.
Geetanjali Sampemane (geta@google.com) belongs
to the Infrastructure Security and Privacy group at
Google. She started her career administering India’s first
connection to the Internet and then spent a few years
working for the United Nations Development Program,
helping developing countries connect to the Internet.
Copyright held by author. Publication rights licensed to
ACM. $15.00.
Copyright of Communications of the ACM is the property of Association for Computing
Machinery and its content may not be copied or emailed to multiple sites or posted to a
listserv without the copyright holder's express written permission. However, users may print,
download, or email articles for individual use.
adversaries both specialize and share intelligence in order to obtain sensitive data and disrupt critical enterprise functions.
According to the 2013 Cost of Cyber Crime Study, advanced security intelligence tools such as security information and event management (SIEM), network intelligence systems and big data analytics can significantly help to mitigate data threats and reduce the cost of cybercrime.
The study also found:
• The average annualized cost of cybercrime incurred per organization was $11.56 million, with a range of $1.3 million to $58 million. This is an increase of 26 per cent, or $2.6 million, over the average cost reported in 2012.
• Organizations experienced an average of 122 successful attacks per week, up from 102 attacks per week in 2012.
• The average time to resolve a cyberattack was 32 days, with an average cost incurred during this period of $1,035,769, or
Collaboration In Depth
Knowing that there is no single cybersecurity silver bullet, we advise our customers on the concept of security in depth, a multi-layered approach to cyber defense that employs various solutions to provide the most comprehensive protection against today’s online threats.
Equally important in today’s enterprise is the concept of collaboration in depth, through which CSOs are increasingly sharing advanced cyber-defense solutions with their CIOs and IT departments. By sharing technology, CSOs are breaking down institutional silos, freeing their teams to focus on the most critical threats and making their organizations’ security their top priority.
Take a customizable malware analysis sandbox for example.
Designed for identifying new malware, analyzing its behavior and
developing countermeasures to remediate those threats, this
technology has mostly been the exclusive domain of highly skilled
malware researchers. As these solutions have evolved and become
easier to use, we are seeing their application extend beyond CSOs
and their teams to become an increasingly valuable tool for IT
departments, where the majority of frontline network security
responsibilities still reside.
When Malware Strikes, Where Do You Start?
Consider the security challenges facing an enterprise IT department supporting thousands or even tens of thousands of employees doing business on endpoints in multiple geographies. You’re talking about dozens or more different system configurations, operating systems, language packs, different combinations of multiple versions of third-party applications, custom applications built in-house and more. Now imagine that IT discovers malware slipping past your antivirus and other defenses. Users are complaining, productivity is slowing and your data is at risk.
Which Systems Globally are at Risk?
A customizable malware analysis sandbox can be deployed by IT to address these situations more efficiently and effectively, enabling them to do more and know more before calling your team for support. First, users customize their sandboxes to replicate every endpoint configuration they manage, including the OS version and service packs, and whichever versions of third-party applications like Adobe Reader, Java or the browser they are using. Then, by submitting the malware to the sandbox, they execute it across all those system configurations and see which system profiles it successfully compromises. The usual caveat applies: some malware checks for a virtualized or instrumented environment and behaves differently there, so a clean run in the sandbox is evidence, not proof, that a profile is safe. In minutes, an IT department will know which systems need to be addressed immediately.
All of this can easily be accomplished by most IT departments
with no advanced cybersecurity skills on staff. Moreover, they will
more quickly identify serious threats for CSOs and their teams to
address.
Be Proactive and Get Prepared
Another way IT departments are utilizing sandboxes is to
quantify their risk when new malware starts making headlines.
Before they even have reports of infection, teams obtain samples
of the latest malware scare and submit files to their sandbox to
test across all their endpoint profiles. In minutes they will know
what percentage of their endpoints are vulnerable to a new malware strain, enabling them to push out patches, alert local team
members, update perimeter defenses and take other preventative
measures.
Are We Ready To Patch?
Another security challenge IT departments contend with is
when to apply patches. Many teams are still reluctant to apply
patches as soon as they are issued, instead preferring to see how
the broader user-base reacts and what issues they report. From a
security standpoint, CSOs know that patching is critical. Again, a
malware analysis sandbox is proving to be a valuable tool to help
IT departments feel more confident about deploying patches without impacting security or productivity.
Making the Upgrade Argument
IT budgets aren’t what they used to be. Forget about the old
upgrade cycle; it’s long gone. IT professionals are squeezing every
last drop of value out of existing hardware and software.
A sandbox can help IT make a strong ROI argument for
upgrades that also ties with a topic increasingly on the mind of
senior management and board members: data breaches. Your
senior leadership is concerned about liability, fines and damaging headlines. By executing malware in your sandbox across your
entire application stack, you can quantify your risk profile and
make a compelling argument that it’s finally time to upgrade that
OS or long overdue to retire that old version of Microsoft Office,
no matter how resistant users are to change.
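The three uses described above (mapping a sample's sandbox results onto the replicated endpoint profiles, quantifying what share of the fleet a new strain affects, and turning that into an upgrade argument) are one small roll-up, shown here as an added Python example that is not the article's or ThreatTrack's code. It assumes the sandbox has already produced one verdict per profile; the profile names, component versions, endpoint counts and verdicts are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Profile:
    """One endpoint configuration the sandbox replicates, plus how many
    endpoints in the fleet match it (taken from the asset inventory)."""
    name: str
    components: dict   # component -> version, e.g. {"os": "Windows 7 SP1"}
    endpoint_count: int


@dataclass(frozen=True)
class Verdict:
    """Sandbox result for one sample detonated on one profile: whether the
    sample executed at all, and which malicious behaviors were observed."""
    profile: str
    executed: bool
    behaviors: frozenset


def affected_profiles(verdicts):
    """Profiles on which the sample both executed and behaved maliciously."""
    return {v.profile for v in verdicts if v.executed and v.behaviors}


def fleet_exposure(profiles, verdicts):
    """Roll per-profile verdicts up to the fleet: affected profiles ordered by
    the number of endpoints they represent, and the exposed share of the fleet."""
    by_name = {p.name: p for p in profiles}
    unknown = {v.profile for v in verdicts} - by_name.keys()
    if unknown:  # a verdict for a profile nobody inventoried is a data error
        raise ValueError(f"verdicts for unknown profiles: {sorted(unknown)}")
    ranked = sorted((by_name[n] for n in affected_profiles(verdicts)),
                    key=lambda p: -p.endpoint_count)
    exposed = sum(p.endpoint_count for p in ranked)
    total = sum(p.endpoint_count for p in profiles)
    return {
        "patch_order": [p.name for p in ranked],
        "exposed_endpoints": exposed,
        "total_endpoints": total,
        "exposed_pct": round(100.0 * exposed / total, 1) if total else 0.0,
    }


def upgrade_leverage(profiles, verdicts):
    """Which single component version, if retired, removes the most exposure.
    A version counts only if it appears exclusively on affected profiles: if an
    unaffected profile runs the same version, that version alone does not
    explain the result and is not a clean upgrade argument."""
    hit = affected_profiles(verdicts)
    exposed_by = Counter()
    seen_clean = set()
    for p in profiles:
        for comp, ver in p.components.items():
            if p.name in hit:
                exposed_by[(comp, ver)] += p.endpoint_count
            else:
                seen_clean.add((comp, ver))
    return [(comp, ver, n) for (comp, ver), n in exposed_by.most_common()
            if (comp, ver) not in seen_clean]


# Constructed inventory (not real data): five profiles, 550 endpoints in total.
PROFILES = [
    Profile("finance-win7", {"os": "Windows 7 SP1", "office": "Office 2003", "reader": "Reader 9.5"}, 120),
    Profile("sales-win7", {"os": "Windows 7 SP1", "office": "Office 2010", "reader": "Reader 11.0"}, 300),
    Profile("eng-win81", {"os": "Windows 8.1", "office": "Office 2013", "reader": "Reader 11.0"}, 80),
    Profile("exec-win7-legacy", {"os": "Windows 7 SP1", "office": "Office 2003", "reader": "Reader 11.0"}, 20),
    Profile("kiosk-xp", {"os": "Windows XP SP3", "office": "Office 2003", "reader": "Reader 9.5"}, 30),
]

# Constructed verdicts for one submitted sample, one per profile.
VERDICTS = [
    Verdict("finance-win7", True, frozenset({"process_injection", "persistence"})),
    Verdict("sales-win7", True, frozenset()),   # opened the file, nothing malicious followed
    Verdict("eng-win81", False, frozenset()),   # sample did not execute at all
    Verdict("exec-win7-legacy", True, frozenset({"persistence"})),
    Verdict("kiosk-xp", True, frozenset({"process_injection", "network_beacon"})),
]

if __name__ == "__main__":
    report = fleet_exposure(PROFILES, VERDICTS)
    print(f"{report['exposed_endpoints']}/{report['total_endpoints']} endpoints "
          f"({report['exposed_pct']}%) exposed; patch first: {report['patch_order']}")
    for comp, ver, n in upgrade_leverage(PROFILES, VERDICTS):
        print(f"retiring {comp} {ver!r} clears exposure on {n} endpoints")
```

With the constructed data, 170 of 550 endpoints (30.9%) are exposed, and retiring Office 2003 alone covers all 170 of them, which is the kind of figure the upgrade argument needs.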
Strong collaboration between CSOs and CIOs is key to strengthening enterprise cybersecurity, which is why it is encouraging
to see more and more of these teams sharing technologies and
deploying them in innovative new ways to solve everyday security
challenges.
About the Author:
Julian Waits, Sr., is president and CEO of ThreatTrack Security Inc.
SecurityMagazine.com • SECURITY • February 2014
Copyright of Security: Solutions for Enterprise Security Leaders is the property of BNP
Media and its content may not be copied or emailed to multiple sites or posted to a listserv
without the copyright holder's express written permission. However, users may print,
download, or email articles for individual use.
CASE 22
TEACHING NOTE
LVMH in 2016: Its Diversification
into Luxury Goods*
Overview
Louis Vuitton Moët Hennessy (LVMH) is the world’s largest luxury products conglomerate with a business
portfolio that includes some of the most prestigious brand names in wines, spirits, and champagnes, fashion,
watches and jewelry, and perfumes and cosmetics. The company began as Moët & Chandon, a French
champagne producer, in 1743. As of 2016, the French conglomerate’s business portfolio also includes a luxury
yacht producer, a 19th-century-styled French amusement park, two prestigious Parisian department stores, duty-free stores, a retail cosmetics chain, high-end luxury hotels, and a variety of French media properties.
By making strategic acquisitions of iconic luxury brands, LVMH had grown from approximately €2.5 billion
in 1990 to €35.7 billion in 2015. The company had set revenue and operating profit records in 2015, with both
growing by 16 percent since 2014. LVMH’s revenues, operating profits, and free cash flows had produced
attractive returns for shareholders and had made its CEO, Bernard Arnault, the world’s 14th wealthiest person.
Arnault placed an emphasis on internal growth by exploiting common strategies and capturing synergies
across the portfolio in four key areas: product quality, innovation, image, and craftsmanship in the production
process.
During the last half of 2016, LVMH’s performance had slowed from 2015, as revenue and operating profit
achieved 3 and 4 percent year-over-year increases, respectively. Revenues of LVMH’s fashion and leather goods
products declined by 1 percent during the first half of 2016, as terrorism across Europe greatly affected tourism
in that region. The company’s overall performance was negatively impacted by acquisitions of brands that were
once thought to be its “rising stars,” but that did not materialize. Some questioned the impact of LVMH’s
“Other” businesses outside its core on shareholder value. Investors and analysts had called for the divestiture of
nonperforming LVMH brands almost since the early 2000s, but with the exception of the divestiture of Omas
pens, the sale of the company’s art auctioning houses, and a planned sale of the DKNY brand in 2017, Arnault
had not been sympathetic to divesting underperforming brands.
Suggestions for Using the Case
The case pairs particularly well with the coverage of strategies for: (1) strengthening a company’s competitive
position in Chapter 6, (2) competing in international markets in Chapter 7, and (3) diversification in Chapter 8.
*This teaching note reflects the thinking and analysis of Professor Armand Gilinsky, Sonoma State University. We are most grateful
for his insight, analysis and contributions to how the case can be taught successfully.
https://www.coursehero.com/file/29828228/ThompCES21eTN-Case22pdf/
Case 22 Teaching Note LVMH in 2016: Its Diversification into Luxury Goods
There’s ample detail in the case for students to evaluate:
• LVMH’s international and diversification strategies
• How sustainable LVMH’s position is as leader in the branded luxury goods industry, in light of environmental forces, competitive dynamics, and its current situation
• The company’s financial performance.
The assignment questions and teaching outline presented below reflect our thinking and suggestions about
how to conduct the class discussion and what aspects to emphasize.
To guide students in thinking about which analytical tools can be used to prepare the LVMH in 2016: Its
Diversification into Luxury Goods case for class discussion, we strongly recommend (1) providing class
members with a set of study questions and (2) insisting that they prepare good notes/answers to these questions.
To facilitate your use of study questions and to make them available to students, we have posted a file of the
assignment questions contained in this teaching note for the LVMH case in the instructor resources section
of the Connect Library.
You may also find it beneficial to have your class read the Guide to Case Analysis that follows Case 31 and is
also posted in the instructor resources section of the Connect Library. Students will find the content of this Guide
particularly helpful if this is their first experience with cases and they are unsure about the mechanics of how to
prepare a case for class discussion, oral presentation, or written analysis.
The Connect-based Exercise for the LVMH in 2016 Case. A Connect case exercise has been developed
for all cases included in the 21st Edition. Each case exercise follows the assignment questions listed in the
teaching note for the case and requires students to work through the entire analysis presented in the Teaching
Outline and Analysis section of the teaching note. The purpose of the case exercises is to help get students off
on the right track in understanding the demands of case analysis and what it takes to come to class fully prepared
for discussion of an assigned case (or to develop a substantive written analysis or oral team presentation).
All assignment questions are auto-graded with the exception of strategic recommendations, which is left as an
open-ended question for students to complete. You may find the Connect case exercise suitable for use with
written case assignments, with the analysis component of the assignment auto-graded and only the students’
recommendations left to be graded by the instructor.
This case is suitable for both written and oral presentations. Our recommended assignment questions are as
follows:
1. As part of your internship requirements with LVMH, Inc., you have been asked to prepare an analysis of
LVMH’s competitive position in the luxury goods marketplace. Your report should contain 2-3 pages of
recommendations for continuing the company’s success in assembling a diversified portfolio of brands,
improving its financial position, and a recommendation about potential new areas for diversification or
divestment. Write an executive summary of recommendations of no more than 2–3 pages, accompanied
by supporting exhibits. These exhibits may include an overview of LVMH’s strategy, a competitive
strength assessment, and a financial analysis.
2. LVMH’s CEO Bernard Arnault has learned of your considerable skills in strategic analysis and has
hired you to develop a strategic plan that will enable LVMH to improve its position in the branded
luxury goods industry, continue to build a stronger financial position, and make a decision about
future diversification or retrenchment from its existing lineup of businesses. In developing your
recommendations, you should assess the luxury goods industry. You should also assess LVMH’s
portfolio of diversified businesses and analyze its recent financial performance. Finally, the plan should
offer specific, actionable recommendations that will allow LVMH to further improve its position. Your
recommendations should be well supported with arguments and justifications for each recommendation.
Your report should include 4-6 pages of recommendations and whatever supporting charts, tables or
exhibits you deem useful.
Assignment Questions
1. What are the major elements of LVMH’s competitive strategy in the branded luxury products industry? How
well do the pieces fit together? Is the strategy evolving?
2. How have LVMH’s corporate strategy choices strengthened or weakened its competitive position in the
branded luxury products industry?
3. Is LVMH’s international strategy best characterized as a multi-domestic strategy, global strategy, or
transnational strategy?
4. Does it make good strategic sense for LVMH to compete in all of its current segments? Which of its
product lines — Wine and Spirits, Fashion and Leather Goods, Perfumes and Cosmetics, Watches and
Jewelry, Selective Retailing, and Other — do you think is/are most important to LVMH’s future growth and
profitability? Should one or more of these current segments be discontinued? Why?
5. What is your assessment of LVMH’s financial performance over the 2012 – 2015 period? (Use the financial
ratios in the Appendix of the text as a guide in doing your financial analysis.)
6. What strategic issues confront LVMH in 2016? What market or internal circumstances should most concern
CEO Bernard Arnault and his company’s senior leadership team?
7. What recommendations would you make to Arnault to address the strategic issues confronting LVMH in
2016 in order to sustain its impressive growth in revenues and profitability?
Teaching Outline and Analysis
1. What are the major elements of LVMH’s competitive strategy in the branded luxury products
industry? How well do the pieces fit together? Is the strategy evolving?
LVMH has an established portfolio of luxury brands, some of which have endured for decades, or even
centuries in several cases. Many of its iconic brands and logos have long traditions that contribute to demand
and provide difficult-to-replicate intangible assets. The company has expanded globally, with a particular
emphasis on growth areas in the Asia-Pacific region, most notably in China. Students should see that:
• LVMH’s strategy to confine retail store location to major cities and, via its DFS subsidiary, to major international airports, provides its brands with a competitive advantage.
• That said, the luxury business in China is not likely to continue to grow by double digits indefinitely; accordingly, some slowing of growth in the Asia-Pacific region appears inevitable.
2. How have LVMH’s corporate strategy choices strengthened or weakened its competitive
position in the branded luxury products industry?
This is a good time to review the concept of horizontal scope, which refers to the range of product and service
segments that a firm like LVMH serves for global markets, which are considerable due to its presence in
nearly every sector of luxury branded products in almost every region in the world. According to the text,
increasing a company’s horizontal scope can strengthen its business and increase its profitability in five
ways: (1) by improving the efficiency of its operations, (2) by heightening its product differentiation, (3) by
reducing market rivalry, (4) by increasing the company’s bargaining power over suppliers and buyers, and
(5) by enhancing its flexibility and dynamic capabilities. LVMH appears to be strong in many of these areas,
but there are some drawbacks. For an appraisal of LVMH’s horizontal diversification (scope), see Table 1.
TABLE 1. Appraising LVMH’s Horizontal Diversification Strategies

| Strategic intent | Plusses | Minuses |
| --- | --- | --- |
| Leverage global scale economies to improve efficiency | Reduced transport costs, increased effectiveness of boutiques & aftermarket support | Highly dependent on favorable balances of trade, exchange rates, interest rates; no particular evidence of scale economies in production of luxury branded goods |
| Heighten product differentiation via integrity & quality | Exclusivity is fundamental to strategy & to protect global luxury product-market leadership position | Unclear if culture and values will be shared and implemented by operators of retail outlets across China, South America, and Russia |
| Better understanding customers to reduce rivalry | Iconic global brands well recognized across global markets, little need for localized production | Cost to obtain access to global markets |
| Increase bargaining power over buyers & suppliers to boost market share | Already global market share leader; power of buyers and suppliers in the luxury segment is already weak | Slowing demand for certain categories of luxury goods due to changes in fashion and tastes |
| Enhance flexibility & dynamic capabilities via product innovation | Potential to develop ‘tailored luxury products’ to serve focal markets in emerging economies such as China or Brazil | Unknown impacts of innovation on existing luxury product life-cycles (10 – 20 years) |
Ultimately, it may become quite difficult for LVMH to maintain such a broad portfolio of luxury brands, and
some of the underperforming brands or groups may need to be sold or spun off.
• While luxury is a strong-return business, building yachts, developing and maintaining boutique hotels in exotic locations, developing real estate for new stores, and providing customers with exclusive in-store experiences can together be expensive and drag down returns on capital.
3. Is LVMH’s international strategy best characterized as a multi-domestic strategy, global
strategy, or transnational strategy?
Students should be directed to carefully review Figure 7.2:
• An international/global strategy is a strategy for competing in two or more countries simultaneously.
• A multi-domestic strategy is one in which a company varies its product offering and competitive approach from country to country in an effort to be responsive to differing buyer preferences and market conditions.
  • This is a think-local, act-local type of international strategy, facilitated by decision making decentralized to the local level.
• A transnational strategy (sometimes called “glocalization”) incorporates elements of both a globalized and a localized approach to strategy making.
  • This type of middle-ground strategy is called for when there are relatively high needs for local responsiveness as well as appreciable benefits to be realized from standardization.
  • A transnational strategy is a think-global, act-local approach that incorporates elements of both multi-domestic and global strategies.
Of the three types of international strategies, LVMH is most evidently following a global/international
strategy. Some pros and cons and question marks of this approach are as follows:
Pros:
+ Transfer of distinctive competencies to foreign markets
+ Ability to exploit experience-curve effects
+ Ability to realize location economies
Cons:
– Lack of local responsiveness
– Inability to realize location economies
Question marks:
? Failure to exploit experience-curve effects
? Continuously driven by pressures for cost reductions & challenges to integrate & convert local systems, styles, cultures, processes, etc.
4. Does it make good strategic sense for LVMH to compete in all of its current segments?
Which of its product lines — Wine and Spirits, Fashion and Leather Goods, Perfumes and
Cosmetics, Watches and Jewelry, Selective Retailing, and Other — do you think is/are most
important to LVMH’s future growth and profitability? Should one or more of these current
segments be discontinued? Why?
LVMH has built strong intangible assets in most of its brands, which have shown up in its ability to maintain
high prices and deliver strong margins, though it is apparent that a number of brands in the portfolio tend to
pull down the excellent returns of other brands.
Advanced or superior undergraduate students will analyze LVMH’s performance by business group, as
shown in Table 2.
TABLE 2. Business Group Performance Analyses for LVMH, 2014 – 2015

| Business group | Revenues, year-on-year growth rate, % | Income from operations, year-on-year growth rate, % | Operating investments, year-on-year growth rate, % | Cash flows, 2015 (note 1) | Cash flows, 2014 (note 1) |
| --- | --- | --- | --- | --- | --- |
| Wine & Spirits | 15.9% | 18.8% | 53.3% | € 1,262 | € 1,114 |
| Fashion & Leather Goods | 14.2% | 9.9% | -5.5% | 3,593 | 3,159 |
| Perfumes & Cosmetics | 15.3% | 26.5% | 3.6% | 479 | 343 |
| Watches & Jewelry | 18.9% | 52.7% | 6.8% | 427 | 263 |
| Selective Retailing | 17.8% | 5.9% | 2.6% | 901 | 789 |
| Other | -7.3% | -23.4% | 42.2% | (449) | (397) |
| ALL SEGMENTS | 16.4% | 15.6% | 10.1% | € 6,213 | € 5,271 |

Note 1: Cash flows by segment = (Profit from Recurring Operations – Operating Investments) + Depreciation and Amortization.
Calculated using data in case Exhibit 5.
• The analyses in Table 2 reveal that all of LVMH’s business groups—except “Other”—enjoyed double-digit growth rates from FY2014 to FY2015.
• The “Other” business group experienced negative growth in both Revenues and Income from Operations, despite the highest increase in Operating Investment, from FY2014 to FY2015.
• Although LVMH’s five primary business groups enjoyed increasing Cash Flows from FY2014 to FY2015, the “Other” segment suffered increasingly negative Cash Flows during that period.
5. What is your assessment of LVMH’s financial performance over the 2012 – 2015 period? (Use
the financial ratios in the Appendix of the text as a guide in doing your financial analysis.)
Students should be able to use the financial information provided in case Exhibits 1 and 6, as well as
the financial ratios provided in the Financial Summary Table 4.1 (or the Appendix of the text) to make
calculations similar to those shown in Table 3.
TABLE 3. Selected Financial Statistics and Ratios for LVMH, 2012 – 2015

| | 2015 | 2014 | 2013 | 2012 |
| --- | --- | --- | --- | --- |
| Profitability | | | | |
| Gross margin | 64.80% | 64.75% | 65.50% | 64.71% |
| Operating margin | 17.90% | 17.73% | 20.22% | 20.42% |
| Net income, % sales (ROS) | 10.02% | 18.43% | 11.79% | 12.18% |
| Marketing & selling expenses, % sales | -38.78% | -38.33% | -37.22% | -35.94% |
| General & administrative expenses, % sales | -7.47% | -7.75% | -7.63% | -7.70% |
| Operating income/Total assets (Operating ROA) | 11.08% | 10.18% | 10.59% | 11.49% |
| Net income/Total assets (ROA) | 6.20% | 10.58% | 6.17% | 6.86% |
| Return on Equity (ROE) | 13.85% | 24.55% | 12.39% | 13.34% |
| Activity | | | | |
| Total asset turnover (x) | 0.62 | 0.57 | 0.52 | 0.56 |
| Fixed asset turnover (x) | 0.92 | 0.87 | 0.74 | 0.79 |
| COGS/Inventories (x) | 1.24 | 1.14 | 1.17 | 1.23 |
| A/R, days | 26 | 27 | 27 | 26 |
| Leverage | | | | |
| Total debt: Total assets, % | 55.21% | 56.89% | 50.20% | 48.60% |
| Total debt: Equity, % | 123.27% | 131.98% | 100.82% | 94.54% |
| LT debt: Equity, % | 74.05% | 79.05% | 58.62% | 57.59% |
| Liquidity | | | | |
| Working capital (€ millions) | € 6,251 | € 5,935 | € 4,382 | € 4,791 |
| Current ratio (x) | 1.49 | 1.49 | 1.37 | 1.51 |
| Quick ratio (x) | 0.70 | 0.71 | 0.64 | 0.65 |

Calculated using data from case Exhibits 1 and 6.
Key highlights of these performance indicators include:
• LVMH’s relatively stable Gross Margins over the four-year period, peaking at 65.5% in FY2013 and slightly dropping to 64.8% in fiscal years 2014 and 2015.
• Increasing Operating Expenses (primarily Marketing Expenses) as a percentage of total revenues, causing Operating Margins (Operating Income as a percentage of Revenues) to drop from about 20% in fiscal years 2012 and 2013 to about 18% in both fiscal years 2014 and 2015.
• LVMH’s Returns on Sales (ROS) have fluctuated considerably over the four-year period, from a low of about 10% in FY2015 to a high of about 18% in FY2014.
• LVMH’s Operating Returns on Assets have shown stability over the four-year period at about 10%–11%. With the sole exception of FY 2014, regular ROA has been stable at about 6%. Similarly, Returns on Equity (ROE) have remained stable at about 12%–13% with the exception of FY 2014, when ROE exceeded 24%. One possible explanation for the dissimilar results in FY2014 is that LVMH reported an extraordinary net gain in non-operating financial income for that year of about €3 billion.
• The primary four Activity Ratios for LVMH have remained relatively consistent over the four most recent fiscal years. Total Asset Turnover has remained at about .60x, Fixed Asset Turnover has ranged from .74x to .92x, Inventory Turnover (COGS/Inventories) has fluctuated from 1.14x in FY2014 to 1.24x in FY2015, and the Accounts Receivable Collection Period (days) has hovered around 26 days.
• Two primary measures of Liquidity—Current Ratio and Quick (Acid-test) Ratio—have been consistent from FY 2012 to FY 2015. LVMH’s Working Capital has steadily increased from €4.6 billion in FY 2012 to over €6.2 billion in FY2015.
• LVMH has steadily increased its debt leverage from FY 2012 to FY 2015, possibly due to management’s conscious decision to take advantage of a combination of historically low interest rates (i.e. reducing the cost of long-term debt and increasing the costs of equity, making new equity sales less attractive than borrowings in the financial markets) over that period. Total debt as a percentage of total assets increased from 48% in FY 2012 to nearly 57% in 2014 and about 55% in FY 2015. Total debt as a percentage of equity has increased proportionately as well, from about 94% in FY2012 to 132% in FY 2014 and 123% in FY2015. Long-term debt as a percentage of equity rose from 58% to about 75% over the four-year period from FY2012 to FY2015.
• Returns on invested capital appear to have yielded sufficient free cash flow to pay down debt, pay dividends, and/or fund acquisitions.
6. What strategic issues confront LVMH in 2016? What market or internal circumstances should
most concern CEO Bernard Arnault and his company’s senior leadership team?
Students should be pressed to present a balanced view of the strategic issues that Arnault faces, and consider
both the pros and cons of LVMH’s current portfolio strategy. These can be summarized as follows:
• Although LVMH is as of 2016 a dominant competitor in many luxury goods markets, its size may ultimately become its enemy.
• The company may find it hard to manage the creativity and exclusivity of brands that have become so widely distributed.
• Certainly, some of the success of this company is due to synergy and management ideas being shared across a portfolio of luxury brands, but it is our opinion that past success does not provide complete assurance that these strategies can continue to be successful as LVMH grows.
7. What recommendations would you make to Arnault to address the strategic issues
confronting LVMH in 2016 in order to sustain its impressive growth in revenues and
profitability?
There is always the risk that LVMH may find that it cannot manage all of its brands, much less keep them
at the top of the pyramid of premium products forever. Global tastes in luxury drinks, watches and jewelry,
fashion, and accessories tend to ebb and flow. Demand for expensive items from drinks to diamonds to
watches can shift over time. As a global leader in luxury goods, LVMH has exposure to the macroeconomics
of Asia, tourism, and China’s long-term consumer growth in particular. Granted that wealthy consumers may
have savings to spend even in tough times, yet consumer sentiment can affect sales since ultimately many
luxury goods are not necessities. Furthermore,
• We believe that global expansion, renovation of existing retail outlets, and price increases that go with product innovation will continue to be the key growth drivers for LVMH.
• While luxury is a strong-return business, building yachts, developing and maintaining boutique hotels in exotic locations, developing real estate for new stores, and providing customers with exclusive in-store experiences can together be expensive and drag down returns on capital.
• Selective divestitures may be required down the road in order to sustain growth and free cash flow, but convincing CEO Arnault to part with any part of the existing portfolio is likely to be difficult.
  • Rationalizing LVMH’s portfolio may well need to be put into abeyance until Arnault’s successor comes on board.
• Owing to LVMH’s strong and increasing Free Cash Flows and the impending divestment of the DKNY operations, the company may be in a good position to:
  • Increase dividends for investors
  • Repurchase shares to boost its stock price
  • Enter into selective acquisitions of other luxury brands that would complement its existing portfolio.
Epilogue
Case updates can be found at LVMH’s website: https://www.lvmh.com. For investor information and recent
press releases, go to: https://www.lvmh.com/investors.