Arkansas State University Management Strategies Discussion

User Generated

gnewnm

Business Finance

Arkansas State University

Description

Review Case 9: Lululemon Athletica, Inc. in 2016: Can the Company Get Back on Track? (attached) in your textbook and review the following video.

Answer the following:

1. How strong are the competitive forces confronting lululemon in the market for performance-based yoga and fitness apparel? Do a five-forces analysis to support your answer.

2. What does your strategic group map of the performance sports apparel industry look like? Is lululemon well positioned? Why or why not?

3. What do you see as the key success factors in the market for performance-based yoga and fitness apparel?

4. What does a SWOT analysis reveal about the overall attractiveness of lululemon’s situation?

5. What are the primary components of lululemon’s value chain?

6. What are the key elements of lululemon’s strategy?

7. Which one of the five generic competitive strategies discussed in Chapter 5 most closely approximates the competitive approach that lululemon is employing?

Unformatted Attachment Preview

technology trends: security ■ protection tips

Data Security In A Real-Time World Requires ‘Defense In Depth’ Strategy

Securing confidentiality, integrity and availability of data are all critical components

By Vance Huntley

National Underwriter Property & Casualty | July 19, 2010 | property-casualty.com

Today, it may seem that insurance carriers and their independent agent partners have harnessed technology and are effectively connecting in real-time to automate and accelerate routine processes while lowering the cost of processing insurance.

However, as insurance carriers and agencies alike embrace information technology advances that accelerate the speed at which new business can be acquired and existing business can be renewed or processed, achieving and maintaining adequate levels of information security becomes more than an item on the “to do” list. It’s now a strategic priority.

Addressing three core concepts of information security—confidentiality, integrity and availability (CIA for short!)—can reduce your risk, even in a connected, real-time world.

• Confidentiality: Confidentiality ensures only authorized individuals have access to data. With data breach notification laws in many states—and the expanding applicability of federal laws including the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act, which include information security requirements—maintaining the confidentiality of data in insurance systems is a civic duty.

• Integrity: Integrity ensures information is accurate and cannot be modified or manipulated except by those authorized. In the interest of being able to trust internal data, it is critical every insurance organization choose network protocols that perform adequate error checking and exception reporting. Data integrity can be further guaranteed by eliminating redundant data entry and potential errors caused by manual processes. The adoption of real-time tools and automated workflows standard in any enterprise content management project can help achieve data integrity as well.

• Availability: Availability gives authorized users access to data or systems when and where it is needed. While insurer efforts to eliminate manual processes and paper files are certainly warranted and beneficial, new automated processes and electronic files make availability an even more crucial concept to plan for going forward.

If a catastrophe occurs and your main office location is without electric, phone or Internet service, proper business continuity and disaster recovery protocols--including system redundancy and geographic separation between sites--will ensure you have backup systems that will work as usual if a catastrophe happens.

Working in a real-time world, today’s reality is that day-to-day business demands require a complex web of connectivity between customers, agencies, carriers and managing general agents that can leave critical data susceptible to unauthorized access.

Achieving these goals requires more than use of complicated passwords and isolating networks with firewalls. Maintaining CIA takes vigilant maintenance of security measures at every layer, combined with implementing a “defense in depth” strategy that puts controls around user workstations, the network’s perimeter, internal network, host systems, applications, system interfaces and databases.

Let’s examine “defense in depth” in action.

User workstations (including laptops and mobile devices), have quickly become one of the weakest links in information security. Trends show hackers are more often boobytrapping popular websites with malware that steals confidential data and passwords from visiting workstations as opposed to launching direct attacks against well-protected servers.

User workstations are more susceptible because they are often operated in a privileged mode (a process that allows code to have direct access to all hardware and memory in the computer system), unpatched when it comes to critical security exposures and malware, and operating on new platforms including smart phones. Therefore, it is important to take the following steps to protect your organization:

• Stay current on security patches for workstations.
• Utilize hard-drive encryption.
• Use “kill-pill” technology, which can send a signal to a stolen device and scramble the data on the hard drive.
• Maintain up-to-date anti-malware.
• Be mindful of Internet usage by users.

At the network perimeter of your organization, you need adequate screening of traffic going out of the network as well as coming in to ensure sensitive data is transmitted only to those who are authorized to access it.

Those devices--such as network firewalls, Web application firewalls, intrusion detection/prevention systems, data loss prevention systems and e-mail filtering systems--help block unauthorized traffic and alert security teams to suspicious activity.

Internally, it is important to design a network with security zones in mind, and to deploy network devices (such as switches and routers) in a hardened manner using security benchmark guides such as those published by the Center for Internet Security (http://cisecurity.org).

Consider the following:

• Host systems: Hosts need to be hardened by changing default configurations in accordance with best practices security benchmark guides, and protected with host intrusion detection systems, anti-malware, and data integrity tools that ensure critical system files are not modified in an unauthorized manner. It is also necessary that security patches are maintained, not just for the operating system, but also for other software, such as Adobe products or open source tools.

• Applications: Besides security features such as transmission encryption, role-based access and audit trails, it is important for applications to be developed and tested with security in mind. Observations of recent hacking activities clearly indicate a move from hacking the network and hosts to hacking applications by exploiting security vulnerabilities in the code. Use of a secure development life cycle, including risk assessments during design, secure code reviews before release and ongoing web application penetration testing are essential.

• System interfaces: Well thought-out workflows, appropriate use of encryption technologies and implementation of secure protocols are necessary to maintain secure interfaces.

• Databases: The final layer of defense--appropriate use of encryption, data masking, limits on direct connectivity and maintaining transaction audit trails--are important.

Caption: Information security has become a strategic priority for agents and carriers.

The responsiveness and efficiency benefits of a real-time world depend on the exchange of electronic data and documents. To protect that data, a “defense in depth” strategy with multiple layers of security controls must be implemented.

While the prospect of doing this may feel a little overwhelming, it is an essential part of responsible stewardship of the data entrusted to you by your customers and it cannot be ignored.

All of the participants in this real-time world must embrace this reality, including carriers, managing general agencies, independent agents, and the vendors who serve them. Fortunately, practices and technology like those above are available today. Now, it’s time to adopt and apply them.

Vance Huntley is the Chief Technology Officer for Bothell, Wash.-based Vertafore. He can be reached via email at vhuntley@vertafore.com.

Copyright of National Underwriter / Property & Casualty Risk & Benefits Management is the property of Summit Business Media and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.

practice

DOI:10.1145/2687878

Article development led by queue.acm.org

Internal Access Controls

Trust, but verify.

By Geetanjali Sampemane

Communications of the ACM | January 2015 | Vol. 58 | No. 1

Every day seems to bring news of another dramatic and high-profile security incident, whether it is the discovery of longstanding vulnerabilities in widely used software such as OpenSSL or Bash, or celebrity photographs stolen and publicized. There seems to be an infinite supply of zero-day vulnerabilities and powerful state-sponsored attackers. In the face of such threats, is it even worth trying to protect your systems and data? What can systems security designers and administrators do?

While these threats are very real, they are not the biggest ones faced by most organizations. Most organizations do not face targeted attacks from hostile governments or criminals intent on stealing users’ data; their systems are more likely to be unavailable because of ill-timed software updates or misconfiguration [2–4].

People tend to overreact to dramatic events like terrorist attacks, but they underestimate mundane threats.
This is made worse by the fact the threat landscape is evolving; security advice that was once reasonable becomes obsolete. For example, users are routinely advised to use long, complex passwords, but account compromise caused by password reuse is probably a bigger threat these days than brute-force password cracking, so choosing different passwords for different sites is a better strategy than creating a complex password, memorizing it, and using it everywhere.

In a former life, I helped organizations connect to the Internet, and, as part of that process, warned administrators of new threats they now faced. Those conversations convinced me that practical systems security was still too difficult for most people to get right. In the years since, Internet connectivity has become more routine, but methods for securing systems have not kept pace.

This article argues in favor of relatively mundane tools that systems security designers and administrators can use to protect their systems and detect attacks. The principles proposed here are good internal access controls: regular automated monitoring and verifying of access configurations, and auditing user access to data. At Google, we use these techniques as part of our security strategy, but the principles are applicable to any organization with data to protect.

The Problem

Systems security administrators, who have more incentive than the average user to get security right, have a difficult job. With the increasing proliferation of mobile devices, and increased expectation of anytime/anywhere access, there are only a few high-security environments where users can be prohibited from bringing their personal phones or devices into the corporate environment. Keyboard loggers and malware on personal machines can thus be a path to attack enterprise systems. These devices can be used to exfiltrate data, deliberately or accidentally.

Even when users are restricted to using corporate-owned and -managed devices for work, they still tend to reuse passwords on different systems, and this can provide a vector of attack. Stashes of username/passwords stolen from compromised servers can be retried on other sites, so users who have reused a username/password on multiple sites can contribute to a bigger problem.

People remain vulnerable to social engineering or phishing attacks. Improved authentication systems, such as having a second factor or one-time passwords, help some, but the vast majority of systems do not use those yet.

It is therefore reasonable to assume that some user accounts will get compromised, and it is important to design a system to be resilient to that. Such a system also offers the benefit of providing some protection against malicious insiders. Insider attacks have the potential to cause great damage, since people cause them with authorized access and, often, knowledge of systems and processes.

Designing protections against insider attacks, however, can be difficult without making the system very cumbersome to use or making users feel untrusted and, therefore, uncooperative with security measures. Users of the system often do not understand the threat models, so they end up viewing security measures as hoops they have to jump through. Better explanations of the rationale for restrictions may make users more cooperative and dissuade them from looking for ways around the hoops.

Another common problem is misconfigured security controls. As systems and security software grow more complex, the chance of administrators misunderstanding them increases. This can lead to an increase in successful attacks based on such flaws as overlooked default passwords or misconfigured firewall rules.

Why Have Internal Access Controls?

The case for good internal access controls, also called defense in depth, is easy to understand but surprisingly difficult to get right in practice.
Internal access controls make it harder for attackers to break in (it is not just the firewall that needs to be breached) and limit damage if a system is attacked (one phished password will at most get the attackers what that user has access to, not necessarily everything on the internal network). Given that a common way systems are attacked is via compromised legitimate user accounts, limiting the damage a single compromised (or malicious) user can get away with undetected is a useful goal.

The problem is that systems typically start out small, with little or no valuable data, and internal access controls seem like overkill. A good firewall and unrestricted access to (the small number of) authorized users seems like more than enough. People get used to that unrestricted internal access, and processes and tools are developed under that assumption, so adding internal security barriers as the system grows can be disruptive and meet with resistance from users. Removing permissions can also break systems, often in unexpected ways. Retrofitting security into systems is difficult.

Most organizations have different kinds of valuable information that needs protecting—company-confidential code and documents, customer information, or data entrusted to them by their users (in the case of cloud service providers). Different employees need access to different subsets of this information, either for development and debugging services, or to provide customer service, or for routine activities such as indexing or backup. How does the organization ensure people have the right level of access they need and no more?

Achieving the Right Granularity of Permissions

Administrative usability is often overlooked while designing access schemes. Very fine-grained permissions seem like a good idea, since they can grant exactly the necessary access, but it can easily become too much work to manage. Too many or too low-level permissions can also result in clutter and can be difficult to understand and reason about. On the other hand, the problem with access that is too coarse-grained is it can grant too much access.

One of the bigger problems with granting too much access is not malicious use but accidental use. Many systems do not enable permissions on an as-needed basis but, rather, have all the permissions a user is granted; this is the equivalent of always running as a superuser rather than as a regular user. Again the problem is one of granularity—having to specify every permission needed becomes tedious, so the tendency is just to leave permissions enabled. Role-based access control systems [1] help with this by grouping related sets of permissions, but people who perform different roles still end up with a lot of access and not-always-great ways of using the least-privileged access possible.

What can be done about this? Try to understand the system well enough to set up access controls at the right places, but also recognize that you will sometimes get this wrong and will grant more or less access than is needed. This may be because you want to simplify administration or because your mental model of permissions and usage is wrong. It is thus useful to have a system in place to review and monitor permissions, and correct the access configuration as appropriate.

Monitoring Access Configurations

Too often, access requests are reviewed at grant time and never again. People in an organization move across roles and projects, but old permissions do not always expire.
Removing unused permissions rarely seems that urgent, and guessing wrong about whether something is unused can break running systems. Unused permissions are not dangerous as long as they remain unused, but they do make the access configuration more difficult to understand.

At Google, we use regular monitoring of access configurations to identify unexpected or unwanted permission behavior. The principle of access-configuration monitoring is much like unit testing for code. Like any type of verification, this is most useful if the verification uses a different approach from the configuration—for example, viewing the permissions in the live production configuration rather than just viewing them as configured. Administrators specify invariants about the access configuration that should be maintained, and automated test infrastructure periodically verifies these invariants hold. Preconfigured alerts can be raised if any problems are detected.

Access-configuration monitoring is useful for a few different purposes:

• Catching differences between static and live configurations. Some access systems require configuration changes to be reviewed by administrators and then “pushed” to take effect. Occasionally, changes are pushed to live systems without changing the static configuration, or the configuration is changed and not pushed. This sort of situation can lead to unpleasant surprises when long-running systems are restarted.

• Verifying the configuration is behaving as expected. Most configuration languages have their quirks, so it is good to have tests to confirm they are doing what you expect them to do. A common example is firewall rules that block too much or too little traffic.

• Tripwire-like monitoring to notify people of changes. Typically, these are expected changes, but this can catch unauthorized or unexpected changes. It is important that these not be too noisy, or people who receive them will tune them out.

• Catching drifts such as sudden (or even gradual) increases in the number of authorized people. People often create an ACL (access-control list) for a particular reason, and, over time, tend to use it for other reasons, and the size grows. This sort of monitoring can be useful for recognizing when a group has grown too large, contains too many permissions, and should be split.

• Verifying that separation of permissions holds. For example, you may want to prevent any one person from having certain combinations of permissions (like being able to make changes to code and push them to production without review).

Auditing to Understand Access

Audit logs are a common part of systems security. Typically, all configuration changes and any access to sensitive data generate audit logs, which are hard to subvert. These are often a requirement for regulatory compliance. Many systems, however, stop at generating the audit logs, using them only for postmortem analysis when something goes wrong. An “audit” in these systems is a sign of trouble.

Therefore, access audits should be much more routine, and not a hostile process. Whenever an employee performs a nonroutine access, perhaps for troubleshooting or debugging, the access will be audited. In most cases, this may involve just documenting the reason for access. This develops a culture of accountability, where users expect to have to justify access to sensitive data.

Knowing that all accesses are audited makes granting permissions a little easier. Restricting access to very few people can make a system fragile. It would be more robust if more people were granted emergency access but did not have to use it. Having overbroad permissions, however, is generally a problem. Users could accidentally or maliciously misuse their accesses or become targets for social-engineering attacks because of it.
Having good audit logs at the time of use of permissions mitigates this risk somewhat, since inappropriate access is unlikely to go undetected.

Routine access audits also help identify access patterns and can help tune access configuration. If all access is logged, it becomes possible to identify unused permissions reliably and prune them safely if needed. This catches the cases where people move jobs or roles without explicitly giving up permissions.

Auditing accesses that are actually used provides visibility into which accesses are needed for people to do their jobs. This allows for the development of better tools, sometimes reducing the amount of access that needs to be granted for a particular task.

Good tools are needed to prevent access audits from becoming bureaucratic nightmares. Routine access can be recognized, based on job roles or access history, and only unusual access patterns can be flagged for extra or manual review.

It is also worth noting that auditing accesses is not a substitute for good access controls; audits can recognize inappropriate access only after it has happened, unlike access controls, which prevent it. As just described, however, auditing all accesses can help tune access configurations. Having to justify access also helps prevent inappropriate access by authorized users. Further, in the unfortunate event of inappropriate access, audit logs can help administrators assess the damage.

Conclusion

While high-profile targeted attacks will continue, organizations can do a lot to protect their systems. Internal access controls at the right granularity, combined with access logging and auditing, can help detect and prevent unwanted access. Access configurations suffer from “bit rot,” and users often accumulate unnecessary permissions over time; therefore, regular monitoring, a la unit tests for code, can help detect unwanted situations.
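The invariants listed under "Monitoring Access Configurations" (static versus live configuration, group growth, separation of permissions) and the audit-log search for unused permissions can be written as unit-test-style checks. The following is an added example, not code from the article or from Google; every group, user and permission name and all sample data are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (hypothetical group, user and permission names).
STATIC_ACLS = {            # configuration as reviewed and checked in
    "code-submitters": {"alice", "bob"},
    "prod-pushers": {"carol"},
    "customer-data-readers": {"dave", "erin"},
}
LIVE_ACLS = {              # configuration as read back from production
    "code-submitters": {"alice", "bob"},
    "prod-pushers": {"carol", "bob"},   # pushed live, never reviewed
    "customer-data-readers": {"dave", "erin", "frank", "grace"},
}
GROUP_PERMS = {            # permissions each group grants
    "code-submitters": {"code.submit"},
    "prod-pushers": {"prod.push"},
    "customer-data-readers": {"customer.read"},
}
MAX_GROUP_SIZE = {"customer-data-readers": 3}
FORBIDDEN_COMBINATIONS = [{"code.submit", "prod.push"}]
AUDIT_LOG = [              # (user, permission actually exercised)
    ("alice", "code.submit"), ("bob", "code.submit"),
    ("carol", "prod.push"), ("dave", "customer.read"),
    ("frank", "customer.read"),
]


def effective_permissions(acls, group_perms):
    """Flatten group membership into user -> set of permissions."""
    perms = defaultdict(set)
    for group, members in acls.items():
        for user in members:
            perms[user] |= group_perms.get(group, set())
    return dict(perms)


def check_static_matches_live(static, live):
    """Invariant: the live configuration equals the reviewed one."""
    findings = []
    for group in sorted(set(static) | set(live)):
        reviewed, actual = static.get(group, set()), live.get(group, set())
        for user in sorted(actual - reviewed):
            findings.append(f"drift: {user} is in live {group} but not in the reviewed config")
        for user in sorted(reviewed - actual):
            findings.append(f"drift: {user} is in reviewed {group} but missing from live")
    return findings


def check_group_sizes(live, limits):
    """Invariant: a group does not grow past its agreed size."""
    return [f"size: {group} has {len(live.get(group, ()))} members, limit is {limit}"
            for group, limit in sorted(limits.items())
            if len(live.get(group, ())) > limit]


def check_separation(live, group_perms, forbidden):
    """Invariant: no single user holds a forbidden combination of permissions."""
    findings = []
    for user, perms in sorted(effective_permissions(live, group_perms).items()):
        for combo in forbidden:
            if combo <= perms:
                findings.append(f"separation: {user} holds {' + '.join(sorted(combo))}")
    return findings


def unused_permissions(live, group_perms, audit_log):
    """Permissions granted but never seen in the audit log.

    Only reliable as a pruning input if every access is logged.
    """
    used = defaultdict(set)
    for user, perm in audit_log:
        used[user].add(perm)
    unused = {}
    for user, perms in effective_permissions(live, group_perms).items():
        idle = perms - used[user]
        if idle:
            unused[user] = idle
    return unused


def run_all_checks():
    """Run every invariant against the live configuration."""
    return (check_static_matches_live(STATIC_ACLS, LIVE_ACLS)
            + check_group_sizes(LIVE_ACLS, MAX_GROUP_SIZE)
            + check_separation(LIVE_ACLS, GROUP_PERMS, FORBIDDEN_COMBINATIONS))


if __name__ == "__main__":
    for finding in run_all_checks():
        print("ALERT", finding)
    idle = unused_permissions(LIVE_ACLS, GROUP_PERMS, AUDIT_LOG)
    for user, perms in sorted(idle.items()):
        print("REVIEW", user, "has never used", sorted(perms))
```

Run on a schedule against the configuration read back from production, the drift and separation findings feed alerts, while the unused-permission report is a review queue rather than an automatic removal list.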
Making security goals and threats clear to system users may encourage their cooperation, rather than leaving them to view security as a nuisance to be worked around. Making the system and security configuration easy for administrators to understand will likely lead to fewer configuration errors, and well-designed monitoring can catch any remaining ones. Finally, making access audits routine can help system administrators understand access patterns and notice unusual access, whether it is a result of some nonroutine event or because a user account has been compromised.

Related articles on queue.acm.org

A Decade of OS Access-control Extensibility
Robert N. M. Watson
http://queue.acm.org/detail.cfm?id=2430732

Standardizing Storage Clusters
Garth Goodson, Sai Susarla, and Rahul Iyere
http://queue.acm.org/detail.cfm?id=1317402

Monitoring and Control of Large Systems with MonALISA
Iosif Legrand, Ramiro Voicu, Catalin Cirstoiu, Costin Grigoras, Latchezar Betev, and Alexandru Costan
http://queue.acm.org/detail.cfm?id=1577839

References

1. Computer Security Resource Center. Role based access control and role based security. National Institute of Standards and Technology, Computer Security Division, 2014; http://csrc.nist.gov/groups/SNS/rbac/.
2. Hockenson, L. Facebook explains the cause behind its early Thursday downtime. Gigaom; https://gigaom.com/2014/06/19/facebook-explains-the-cause-behind-its-early-thursday-downtime/.
3. Moscaritolo, A. Verizon billing system hit by major outage. PC Mag UK, 2014; http://uk.pcmag.com/news/33726/verizon-billing-system-hit-by-major-outage.
4. Wikipedia. RBS Group computer system problems, 2012; http://en.wikipedia.org/wiki/2012_RBS_Group_computer_system_problems.

Geetanjali Sampemane (geta@google.com) belongs to the Infrastructure Security and Privacy group at Google.
She started her career administering India’s first connection to the Internet and then spent a few years working for the United Nations Development Program, helping developing countries connect to the Internet. Copyright held by author. Publication rights licensed to ACM. $15.00. JA N UA RY 2 0 1 5 | VO L. 58 | N O. 1 | C OM M U N IC AT ION S OF T HE ACM 65 Copyright of Communications of the ACM is the property of Association for Computing Machinery and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use. adversaries both specializ e and shar e intelligence in or der to obtain sensitiv e data and disrupt critical enterprise functions. According to the 2013 Cost of C yber Crime Study, advanced security intelligence tools such as security information and event management (SIEM), networ k intelligence systems and big data analytics, can significantly help to mitigate data threats and reduce the cost of cybercrime. The study also found: • The average annualized cost of cybercrime incurred per organization was $11.56 million, with a range of $1.3 million to $58 million. This is an increase of 26 per cent, or $2.6 million, o ver the average cost reported in 2012. • Organizations experienced an av erage of 122 successful attacks per w eek, up from 102 attacks per week in 2012. • The average time to resolve a cyberattack was 32 days, with an average cost incurred during this period of $1,035,769, or Collaboration In Depth nowing that there is no single cybersecurity silver bullet, we advise our customers on the concept of security in depth – a multi-layered approach to cyber defense that employs various solutions to provide the most comprehensive protection against today’s online threats. 
Equally important in today’s enterprise is the concept of collaboration in depth, through which CSOs are increasingly sharing advanced cyber-defense solutions with their CIOs and IT Julian Waits departments. By sharing technology, CSOs are breaking down institutional silos, freeing their teams to focus on the most critical threats and making their organizations’ security their top priority. Take a customizable malware analysis sandbox for example. Designed for identifying new malware, analyzing its behavior and developing countermeasures to remediate those threats, this technology has mostly been the exclusive domain of highly skilled malware researchers. As these solutions have evolved and become easier to use, we are seeing their application extend beyond CSOs and their teams to become an increasingly valuable tool for IT departments, where the majority of frontline network security responsibilities still reside. K When Malware Strikes, Where Do You Start? Consider the security challenges facing an enterprise IT department supporting thousands or even tens of thousands of employees doing business on endpoints in multiple geographies. You’re talking about dozens or more different system configurations, operating systems, language paks, different combinations of multiple versions of third-party applications, custom applications built in-house and more. Now imagine that IT discovers malware slipping past your antivirus and other defenses. Users are complaining, productivity is slowing and your data is at risk. Which Systems Globally are at Risk? A customizable malware analysis sandbox can be deployed by IT to address these situations more efficiently and effectively, enabling them to do more and know more before calling your team for support. 
First, users customize their sandboxes to replicate every endpoint configuration they manage, including the OS version and service paks, and whichever version of third-party applications like Adobe Reader, Java or browser they are using. Then, by submitting the malware to the sandbox, it executes across all those system configurations, instantly identifying which systems profiles are vulnerable. In minutes, an IT department will know which systems need to be addressed immediately. All of this can easily be accomplished by most IT departments with no advanced cybersecurity skills on staff. Moreover, they will more quickly identify serious threats for CSOs and their teams to address. Be Proactive and Get Prepared Another way IT departments are utilizing sandboxes is to quantify their risk when new malware starts making headlines. Before they even have reports of infection, teams obtain samples of the latest malware scare and submit files to their sandbox to test across all their endpoint profiles. In minutes they will know what percentage of their endpoints are vulnerable to a new malware strain, enabling them to push out patches, alert local team members, update perimeter defenses and take other preventative measures. Are We Ready To Patch? Another security challenge IT departments contend with is when to apply patches. Many teams are still reluctant to apply patches as soon as they are issued, instead preferring to see how the broader user-base reacts and what issues they report. From a security standpoint, CSOs know that patching is critical. Again, a malware analysis sandbox is proving to be a valuable tool to help IT departments feel more confident about deploying patches without impacting security or productivity. Making the Upgrade Argument IT budgets aren’t what they used to be. Forget about the old upgrade cycle; it’s long gone. IT professionals are squeezing every last drop of value out of existing hardware and software. 
A sandbox can help IT make a strong ROI argument for upgrades that also ties in with a topic increasingly on the mind of senior management and board members: data breaches. Your senior leadership is concerned about liability, fines and damaging headlines. By executing malware in your sandbox across your entire application stack, you can quantify your risk profile and make a compelling argument that it’s finally time to upgrade that OS or long overdue to retire that old version of Microsoft Office, no matter how resistant users are to change.

Strong collaboration between CSOs and CIOs is key to strengthening enterprise cybersecurity, which is why it is encouraging to see more and more of these teams sharing technologies and deploying them in innovative new ways to solve everyday security challenges.

About the Author: Julian Waits, Sr., is president and CEO of ThreatTrack Security Inc.

SecurityMagazine.com • SECURITY • February 2014

Copyright of Security: Solutions for Enterprise Security Leaders is the property of BNP Media and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.

CASE 22 TEACHING NOTE
LVMH in 2016: Its Diversification into Luxury Goods*

Overview

Louis Vuitton Moët Hennessy (LVMH) is the world’s largest luxury products conglomerate with a business portfolio that includes some of the most prestigious brand names in wines, spirits, and champagnes, fashion, watches and jewelry, and perfumes and cosmetics. The company began as Moët & Chandon, a French champagne producer, in 1743.
As of 2016, the French conglomerate’s business portfolio also includes a luxury yacht producer, a 19th-century-styled French amusement park, two prestigious Parisian department stores, duty-free stores, a retail cosmetics chain, high-end luxury hotels, and a variety of French media properties. By making strategic acquisitions of iconic luxury brands, LVMH had grown from approximately €2.5 billion in 1990 to €35.7 billion in 2015. The company had set revenue and operating profit records in 2015, with both growing by 16 percent since 2014. LVMH’s revenues, operating profits, and free cash flows had produced attractive returns for shareholders and had made its CEO, Bernard Arnault, the world’s 14th wealthiest person. Arnault placed an emphasis on internal growth by exploiting common strategies and capturing synergies across the portfolio in four key areas: product quality, innovation, image, and craftsmanship in the production process.

During the last half of 2016, LVMH’s performance had slowed from 2015, as revenue and operating profit achieved 3 and 4 percent year-over-year increases, respectively. Revenues of LVMH’s fashion and leather goods products declined by 1 percent during the first half of 2016, as terrorism across Europe greatly affected tourism in that region. The company’s overall performance was negatively impacted by acquisitions of brands that were once thought to be its “rising stars,” but that did not materialize. Some questioned the impact of LVMH’s “Other” businesses outside its core on shareholder value. Investors and analysts had called for the divestiture of nonperforming LVMH brands almost since the early 2000s, but with the exception of the divestiture of Omas pens, the sale of the company’s art auctioning houses, and a planned sale of the DKNY brand in 2017, Arnault had not been sympathetic to divesting underperforming brands.
Suggestions for Using the Case

The case pairs particularly well with the coverage of strategies for: (1) strengthening a company’s competitive position in Chapter 6, (2) competing in international markets in Chapter 7, and (3) diversification in Chapter 8.

*This teaching note reflects the thinking and analysis of Professor Armand Gilinsky, Sonoma State University. We are most grateful for his insight, analysis and contributions to how the case can be taught successfully.
https://www.coursehero.com/file/29828228/ThompCES21eTN-Case22pdf/

There’s ample detail in the case for students to evaluate:
■ LVMH’s international and diversification strategies
■ How sustainable LVMH’s position is as leader in the branded luxury goods industry, in light of environmental forces, competitive dynamics, and its current situation
■ The company’s financial performance.

The assignment questions and teaching outline presented below reflect our thinking and suggestions about how to conduct the class discussion and what aspects to emphasize. To guide students in thinking about which analytical tools can be used to prepare the LVMH in 2016: Its Diversification into Luxury Goods case for class discussion, we strongly recommend (1) providing class members with a set of study questions and (2) insisting that they prepare good notes/answers to these questions.

To facilitate your use of study questions and to make them available to students, we have posted a file of the assignment questions contained in this teaching note for the LVMH case in the instructor resources section of the Connect Library. You may also find it beneficial to have your class read the Guide to Case Analysis that follows Case 31 and is also posted in the instructor resources section of the Connect Library.
Students will find the content of this Guide particularly helpful if this is their first experience with cases and they are unsure about the mechanics of how to prepare a case for class discussion, oral presentation, or written analysis.

The Connect-based Exercise for the LVMH in 2016 Case. A Connect case exercise has been developed for all cases included in the 21st Edition. Each case exercise follows the assignment questions listed in the teaching note for the case and requires students to work through the entire analysis presented in the Teaching Outline and Analysis section of the teaching note. The purpose of the case exercises is to help get students off on the right track in understanding the demands of case analysis and what it takes to come to class fully prepared for discussion of an assigned case (or to develop a substantive written analysis or oral team presentation). All assignment questions are auto-graded with the exception of strategic recommendations, which is left as an open-ended question for students to complete. You may find the Connect case exercise suitable for use with written case assignments with the analysis component of the assignment auto-graded, leaving only the students’ recommendations to be graded by the instructor.

This case is suitable for both written and oral presentations. Our recommended assignment questions are as follows:

1. As part of your internship requirements with LVMH, Inc., you have been asked to prepare an analysis of LVMH’s competitive position in the luxury goods marketplace. Your report should contain 2-3 pages of recommendations for continuing the company’s success in assembling a diversified portfolio of brands, improving its financial position, and a recommendation about potential new areas for diversification or divestment. Write an executive summary of recommendations of no more than 2–3 pages, accompanied by supporting exhibits.
These exhibits may include an overview of LVMH’s strategy, a competitive strength assessment, and a financial analysis.

2. LVMH’s CEO Bernard Arnault has learned of your considerable skills in strategic analysis and has hired you to develop a strategic plan that will enable LVMH to improve its position in the branded luxury goods industry, continue to build a stronger financial position, and make a decision about future diversification or retrenchment from its existing lineup of businesses. In developing your recommendations, you should assess the luxury goods industry. You should also assess LVMH’s portfolio of diversified businesses and analyze its recent financial performance. Finally, the plan should offer specific, actionable recommendations that will allow LVMH to further improve its position. Your recommendations should be well supported with arguments and justifications for each recommendation. Your report should include 4-6 pages of recommendations and whatever supporting charts, tables or exhibits you deem useful.

Assignment Questions

1. What are the major elements of LVMH’s competitive strategy in the branded luxury products industry? How well do the pieces fit together? Is the strategy evolving?

2. How have LVMH’s corporate strategy choices strengthened or weakened its competitive position in the branded luxury products industry?

3. Is LVMH’s international strategy best characterized as a multi-domestic strategy, global strategy, or transnational strategy?

4. Does it make good strategic sense for LVMH to compete in all of its current segments? Which of its product lines — Wine and Spirits, Fashion and Leather Goods, Perfumes and Cosmetics, Watches and Jewelry, Selective Retailing, and Other — do you think is/are most important to LVMH’s future growth and profitability?
Should one or more of these current segments be discontinued? Why?

5. What is your assessment of LVMH’s financial performance over the 2012 – 2015 period? (Use the financial ratios in the Appendix of the text as a guide in doing your financial analysis.)

6. What strategic issues confront LVMH in 2016? What market or internal circumstances should most concern CEO Bernard Arnault and his company’s senior leadership team?

7. What recommendations would you make to Arnault to address the strategic issues confronting LVMH in 2016 in order to sustain its impressive growth in revenues and profitability?

Teaching Outline and Analysis

1. What are the major elements of LVMH’s competitive strategy in the branded luxury products industry? How well do the pieces fit together? Is the strategy evolving?

LVMH has an established portfolio of luxury brands, some of which have endured for decades, or even centuries in several cases. Many of its iconic brands and logos have long traditions that contribute to demand and provide difficult-to-replicate intangible assets. The company has expanded globally, with a particular emphasis on growth areas in the Asia-Pacific region, most notably in China. Students should see that:
■ LVMH’s strategy to confine retail store location to major cities and, via its DFS subsidiary, to major international airports, provides its brands with a competitive advantage.
■ That said, the luxury business in China is not likely to continue to grow by double digits indefinitely; accordingly, some slowing of growth in the Asia-Pacific region appears inevitable.

2. How have LVMH’s corporate strategy choices strengthened or weakened its competitive position in the branded luxury products industry?
This is a good time to review the concept of horizontal scope, which refers to the range of product and service segments that a firm like LVMH serves for global markets, which are considerable due to its presence in nearly every sector of luxury branded products in almost every region in the world. According to the text, increasing a company’s horizontal scope can strengthen its business and increase its profitability in five ways: (1) by improving the efficiency of its operations, (2) by heightening its product differentiation, (3) by reducing market rivalry, (4) by increasing the company’s bargaining power over suppliers and buyers, and (5) by enhancing its flexibility and dynamic capabilities. LVMH appears to be strong in many of these areas, but there are some drawbacks. For an appraisal of LVMH’s horizontal diversification (scope), see Table 1.

TABLE 1.
Appraising LVMH’s Horizontal Diversification Strategies

| Strategic intent | Plusses | Minuses |
| Leverage global scale economies to improve efficiency | Reduced transport costs, increased effectiveness of boutiques & aftermarket support | Highly dependent on favorable balances of trade, exchange rates, interest rates; no particular evidence of scale economies in production of luxury branded goods |
| Heighten product differentiation via Integrity & quality | Exclusivity is fundamental to strategy & to protect global luxury product-market leadership position | Unclear if culture and values will be shared and implemented by operators of retail outlets across China, South America, and Russia |
| Better understanding customers to reduce rivalry | Iconic global brands well recognized across global markets, little need for localized production | Cost to obtain access to global markets |
| Increase bargaining power over buyers & suppliers to boost market share | Already global market share leader; power of buyers and suppliers in the luxury segment is already weak | Slowing demand for certain categories of luxury goods due to changes in fashion and tastes |
| Enhance flexibility & dynamic capabilities via product innovation | Potential to develop ‘tailored luxury products’ to serve focal markets in emerging economies such as China or Brazil | Unknown impacts of innovation on existing luxury product life-cycles (10 – 20 years) |

Ultimately, it may become quite difficult for LVMH to maintain such a broad portfolio of luxury brands, and some of the underperforming brands or groups may need to be sold or spun off.
■ While luxury is a strong-return business, building yachts, developing and maintaining boutique hotels in exotic locations, developing real estate for new stores, and providing customers with exclusive in-store experiences can together be expensive and drag down returns on capital.

3.
Is LVMH’s international strategy best characterized as a multi-domestic strategy, global strategy, or transnational strategy?

Students should be directed to carefully review Figure 7.2:
■ An international/global strategy is a strategy for competing in two or more countries simultaneously.
■ A multi-domestic strategy is one in which a company varies its product offering and competitive approach from country to country in an effort to be responsive to differing buyer preferences and market conditions.
  • This is a think-local, act-local type of international strategy, facilitated by decision making decentralized to the local level.
■ A transnational strategy (sometimes called “glocalization”) incorporates elements of both a globalized and a localized approach to strategy making.
  • This type of middle-ground strategy is called for when there are relatively high needs for local responsiveness as well as appreciable benefits to be realized from standardization.
  • A transnational strategy is a think-global, act-local approach that incorporates elements of both multi-domestic and global strategies.

Of the three types of international strategies, LVMH is most evidently following a global/international strategy. Some pros and cons and question marks of this approach are as follows:

Pros:
+ Transfer of distinctive competencies to foreign markets
+ Ability to exploit experience-curve effects
+ Ability to realize location economies

Cons:
– Lack of local responsiveness
– Inability to realize location economies

Question marks:
? Failure to exploit experience-curve effects
? Continuously driven by pressures for cost reductions & challenges to integrate & convert local systems, styles, cultures, processes, etc.

4.
Does it make good strategic sense for LVMH to compete in all of its current segments? Which of its product lines — Wine and Spirits, Fashion and Leather Goods, Perfumes and Cosmetics, Watches and Jewelry, Selective Retailing, and Other — do you think is/are most important to LVMH’s future growth and profitability? Should one or more of these current segments be discontinued? Why?

LVMH has built strong intangible assets in most of its brands, which have shown up in its ability to maintain high prices and deliver strong margins, though it is apparent that a number of brands in the portfolio tend to pull down the excellent returns of other brands. Advanced or superior undergraduate students will analyze LVMH’s performance by business group, as shown in Table 2.

TABLE 2. Business Group Performance Analyses for LVMH, 2014 – 2015

| Business group | Revenues, Year-on-Year Growth Rate, % | Income from Operations, Year-on-Year Growth Rate, % | Operating Investments, Year-on-Year Growth Rate, % | Cash flows, 2015 (note 1) | Cash flows, 2014 (note 1) |
| Wine & Spirits | 15.9% | 18.8% | 53.3% | € 1,262 | € 1,114 |
| Fashion & Leather Goods | 14.2% | 9.9% | -5.5% | 3,593 | 3,159 |
| Perfumes & Cosmetics | 15.3% | 26.5% | 3.6% | 479 | 343 |
| Watches & Jewelry | 18.9% | 52.7% | 6.8% | 427 | 263 |
| Selective Retailing | 17.8% | 5.9% | 2.6% | 901 | 789 |
| Other | -7.3% | -23.4% | 42.2% | (449) | (397) |
| ALL SEGMENTS | 16.4% | 15.6% | 10.1% | € 6,213 | € 5,271 |

Note 1: Cash flows by segment = (Profit from Recurring Operations – Operating Investments) + Depreciation and Amortization. Calculated using data in case Exhibit 5.
■ The analyses in Table 2 reveal that all of LVMH’s business groups—except “Other”—enjoyed double-digit growth rates from FY2014 to FY2015.
■ The “Other” business group experienced negative growth in both Revenues and Income from Operations, despite the highest increase in Operating Investment, from FY2014 to FY2015.
■ Although LVMH’s five primary business groups enjoyed increasing Cash Flows from FY2014 to FY2015, the “Other” segment suffered increasingly negative Cash Flows during that period.

5. What is your assessment of LVMH’s financial performance over the 2012 – 2015 period? (Use the financial ratios in the Appendix of the text as a guide in doing your financial analysis.)

Students should be able to use the financial information provided in case Exhibits 1 and 6, as well as the financial ratios provided in the Financial Summary Table 4.1 (or the Appendix of the text) to make calculations similar to those shown in Table 3.

TABLE 3.
Selected Financial Statistics and Ratios for LVMH, 2012 – 2015

| | 2015 | 2014 | 2013 | 2012 |
| Profitability | | | | |
| Gross margin | 64.80% | 64.75% | 65.50% | 64.71% |
| Operating margin | 17.90% | 17.73% | 20.22% | 20.42% |
| Net income, % sales (ROS) | 10.02% | 18.43% | 11.79% | 12.18% |
| Marketing & selling expenses, sales | -38.78% | -38.33% | -37.22% | -35.94% |
| General & administrative expenses, % sales | -7.47% | -7.75% | -7.63% | -7.70% |
| Operating income/Total assets (Operating ROA) | 11.08% | 10.18% | 10.59% | 11.49% |
| Net income/Total assets (ROA) | 6.20% | 10.58% | 6.17% | 6.86% |
| Return on Equity (ROE) | 13.85% | 24.55% | 12.39% | 13.34% |
| Activity | | | | |
| Total asset turnover (x) | 0.62 | 0.57 | 0.52 | 0.56 |
| Fixed asset turnover (x) | 0.92 | 0.87 | 0.74 | 0.79 |
| COGS/Inventories (x) | 1.24 | 1.14 | 1.17 | 1.23 |
| A/R, days | 26 | 27 | 27 | 26 |
| Leverage | | | | |
| Total debt: Total assets, % | 55.21% | 56.89% | 50.20% | 48.60% |
| Total debt: Equity, % | 123.27% | 131.98% | 100.82% | 94.54% |
| LT debt: Equity, % | 74.05% | 79.05% | 58.62% | 57.59% |
| Liquidity | | | | |
| Working capital (€ millions) | € 6,251 | € 5,935 | € 4,382 | € 4,791 |
| Current ratio (x) | 1.49 | 1.49 | 1.37 | 1.51 |
| Quick ratio (s) | 0.70 | 0.71 | 0.64 | 0.65 |

Calculated using data from case Exhibits 1 and 6.

Key highlights of these performance indicators include:
■ LVMH’s relatively stable Gross Margins over the four-year period, peaking at 65.5% in FY2013 and slightly dropping to 64.8% in fiscal years 2014 and 2015.
■ Increasing Operating Expenses (primarily Marketing Expenses) as a percentage of total revenues, causing Operating Margins (Operating Income as a percentage of Revenues) to drop from about 20% in fiscal years 2012 and 2013 to about 18% in both fiscal years 2014 and 2015.
■ LVMH’s Returns on Sales (ROS) have fluctuated considerably over the four-year period, from a low of about 10% in FY2015 to a high of about 18% in FY2014.
■ LVMH’s Operating Returns on Assets have shown stability over the four-year period at about 10%–11%.
With the sole exception of FY 2014, regular ROA has been stable at about 6%. Similarly, Returns on Equity (ROE) have remained stable at about 12%–13% with the exception of FY 2014, when ROE exceeded 24%. One possible explanation for the dissimilar results in FY2014 is that LVMH reported an extraordinary net gain in non-operating financial income for that year of about €3 billion.
■ The primary four Activity Ratios for LVMH have remained relatively consistent over the four most recent fiscal years. Total Asset Turnover has remained at about .60x, Fixed Asset Turnover has ranged from .74x to .92x, Inventory Turnover (COGS/Inventories) has fluctuated from 1.14x in FY2014 to 1.24x in FY2015, and Accounts Receivable Collection Period (days) has hovered around 26 days.
■ Two primary measures of Liquidity—Current Ratio, and Quick (Acid-test) Ratio—have been consistent from FY 2012 to FY 2015. LVMH’s Working Capital has steadily increased from €4.6 billion in FY 2012 to over €6.2 billion in FY2015.
■ LVMH has steadily increased its debt leverage from FY 2012 to FY 2015, possibly due to management’s conscious decision to take advantage of a combination of historically low interest rates (i.e. reducing the cost of long-term debt and increasing the costs of equity, making new equity sales less attractive than borrowings in the financial markets) over that period. Total debt as a percentage of total assets increased from 48% in FY 2012 to nearly 57% in 2014 and about 55% in FY 2015. Total debt as a percentage of equity has increased proportionately as well, from about 94% in FY2012 to 132% in FY 2014 and 123% in FY2015. Long-term debt as a percentage of equity rose from 58% to about 75% over the four-year period from FY2012 to FY2015.
■ Returns on invested capital appear to have yielded sufficient free cash flow to pay down debt, pay dividends, and/or fund acquisitions.

6.
What strategic issues confront LVMH in 2016? What market or internal circumstances should most concern CEO Bernard Arnault and his company’s senior leadership team?

Students should be pressed to present a balanced view of the strategic issues that Arnault faces, and consider both the pros and cons of LVMH’s current portfolio strategy. These can be summarized as follows:
■ Although LVMH is as of 2016 a dominant competitor in many luxury goods markets, its size may ultimately become its enemy.
■ The company may find it hard to manage the creativity and exclusivity of brands that have become so widely distributed.
■ Certainly, some of the success of this company is due to synergy and management ideas being shared across a portfolio of luxury brands, but it is our opinion that past success does not provide complete assurance that these strategies can continue to be successful as LVMH grows.

7. What recommendations would you make to Arnault to address the strategic issues confronting LVMH in 2016 in order to sustain its impressive growth in revenues and profitability?

There is always the risk that LVMH may find that it cannot manage all of its brands, much less keep them at the top of the pyramid of premium products forever. Global tastes in luxury drinks, watches and jewelry, fashion, and accessories tend to ebb and flow. Demand for expensive items from drinks to diamonds to watches can shift over time. As a global leader in luxury goods, LVMH has exposure to the macroeconomics of Asia, tourism, and China’s long-term consumer growth in particular. Granted, wealthy consumers may have savings to spend even in tough times, yet consumer sentiment can affect sales, since ultimately many luxury goods are not necessities.
Furthermore,
■ We believe that global expansion, renovation of existing retail outlets, and price increases that go with product innovation will continue to be the key growth drivers for LVMH.
■ While luxury is a strong-return business, building yachts, developing and maintaining boutique hotels in exotic locations, developing real estate for new stores, and providing customers with exclusive in-store experiences can together be expensive and drag down returns on capital.
■ Selective divestitures may be required down the road in order to sustain growth and free cash flow, but convincing CEO Arnault to part with any part of the existing portfolio is likely to be difficult.
  • Rationalizing LVMH’s portfolio may well need to be put into abeyance until Arnault’s successor comes on board.
■ Owing to LVMH’s strong and increasing Free Cash Flows and the impending divestment of the DKNY operations, the company may be in a good position to:
  • Increase dividends for investors
  • Repurchase shares to boost its stock price
  • Enter into selective acquisitions of other luxury brands that would complement its existing portfolio.

Epilogue

Case updates can be found at LVMH’s website: https://www.lvmh.com. For investor information and recent press releases, go to: https://www.lvmh.com/investors.

Explanation & Answer

Here you go. In case of any further inputs please let me know! It was good working with you! 👋 Thanks for using Studypool. Take care and good luck! All the best

Running head: ASSIGNMENT III


Assignment III
Name
Course
Tutor
Date


Questions
1. Question One
The threat presented by New Entrants
The threat as a result of industry new entrant is medium since such a move would require
a large capital even as accessing materials and suppliers are in abundance. Lululemon has
diverse clients that it targets (for ladies) from other competitor brands such as Nike.
Around then, the development capital expenses are low because the company can
outsource the greater portion of their assembling operations overseas.
Bargaining power of Buyers
Buyers’ cost of exchanging items is relatively low, and they are very much aware of the
prices and quality of sellers. The buyers additionally can carry forward purchases;
lululemon has endeavored to bring down this threat through making a restricted quality of
seasonal products.

The threat of Substitutes: low
The lululemon's high-performing yoga wear has substitutes that have low competitive are
substitutes.
Bargaining power of suppliers-low
Even though there are numerous suppliers of materials and apparel, lululemon only made
arrangements with a few suppliers in North America. The power of suppliers here is
considerably low since they can be handily supplanted with provisions for abroad.
Industry rivalry high
2. Question Two


As the below data shows, I think Lululemon is well-posi...

