Wednesday, January 30, 2008

A Secure Enterprise is Also a Well Managed One!

I’m dying to get into the meat of Security 2.0 but before I go there I think we need to talk about how the foundation of good IT management links to Security 2.0, or what I will call good Infrastructure Hygiene.

The reason that this discussion is relevant to Security 2.0 is that without a good foundation in our IT's infrastructure we cannot completely solve the data leakage problem**.

** Data leakage is the current buzz name for data that leaves the enterprise in an unmanaged manner.

So let’s talk about the infrastructure elements of Security 2.0. By infrastructure I mean the underpinning, or better yet, underbelly of IT's operation. IE: the technology that information uses to move throughout and in and out of the enterprise.

Three dimensions of infrastructure hygiene come to mind:
  • Systems Management
  • Storage Management
  • Security Management
The need for this Trillium seems pretty remedial to some of us because these are the technologies and process that we have been working to put in place all our career.

So why even mention it and what does this have to do with Security 2.0?
Answer: A well managed enterprise is a also a secure one!
Try this logic...

  • For security technology to know what is going on at an end node, a sensor must be placed there.
  • For the sensor to get there a method of deploying and keeping the sensor at the end node must be active.
  • If anything happens to the endnote it must be able to be quickly restored to a known configuration.
  • If the end node is not configured properly it must not be allowed to connect to the data sources.

Security systems that have no sensors [eyes] are blind. Therefore something in the Security 2.0 architecture must provide and manage those eyes [sensors] if the security system is not to be blind to data breaches.

In this context the Trillium of IT technologies must operate in concert with each other if we have any chance to plug Data Leaks.

Thursday, January 10, 2008

Swedish Army data breach ......

On the heals of my post on "pure-play" I couldn't resist highlighting another data breach event. These kind of security problems cannot be solved by traditional security solutions.

The post on modeling the movement of data in our enterprises highlights the danger of data moving on mobile devices, more specifically, USB devices.

Check out this breach highlighted by "Schneier on Security" [this is an interesting blog that covers a broad security discussion].

The mobility and accessibility to our information is one of the benefits of the "cyberframe" era.

There is a dark side however. Its the ease with which sensitive information can be moved and therefore compromised.

Big Risks Come in Small Packages" [from Schneier] makes some excellent points on the subject.

This breach is just another example of why we need new Security 2.0 thinking and technology!

As I come across data breaches I will log them into this site

Don on Data

Sunday, January 6, 2008

The "pure-play" security debate ....

Happy New Year!

I spent some down-time over the holidays reviewing some security blogs and I see that a debate has arisen that is directly relevant to the discussion here about Security 2.0.

It seems that we want to debate the issue of whether the "pure-play" security companies will continue to be the market leaders.

First off I am guessing that by pure play we mean companies that provide anti-products [anti-virus, anti-spam] and other traditional security products?

In this provocative article, Troubled Waters, Symantec is positioned as a pure play security company that has drifted from the straight and narrow. The article suggests that Symantec may have lost its focus on security while on an acquisition expedition that has nothing to do with security.

I can provide a different view - perhaps security has simply evolved!

This "pure-play" discussion completely discounts the concept of Security 2.0! Does it suggest that we should ignore the newer security issues that are being created by the global use and distribution of sensitive information? That we should only be concerned with protecting infrastructure and machines, and not the data itself ?

Security 2.0 is about creating "full-on" security system that has the knowledge and ability to protect information whether it's in-use, moving and at-rest. This requires protecting the underlying infrastructure as well as the information itself and the policies around that information. It is an advancement on pure-play security not a replacement and therefore not a detour.

Ok, humor me and let’s just assume for a minute that Security 2.0 thinking is the right trajectory. With that assumption in tow let’s make a list of important technologies needed to fulfill that vision.

  • To properly monitor the data on an endpoint, scanners must be present so the configuration of that endpoint must be secured. Systems management expertise would be useful would it not?
  • To properly monitor the data at rest, scanners should be installed close to the storage should they not? Storage and storage management technologies that are installed in most of the globe's file servers, databases, messaging servers and desktops could have a role here, right?
  • Email security and archiving systems have a role in filtering and archiving message traffic that moves through networks. Email gateways would provide good expertise in this schema.
  • It 's also necessary to traffic the flow of this information in a policy driven way so it would be useful to have a centralized policy function.
  • And finally let’s throw in some of the traditional pure-play technologies with the addition of a network access control mechanism that insures the end node is correctly configured and vulnerabilities are remediated before they connect.

If we look back at the list above it is easy to see that the pure-players will have to acquire - and hopefully integrate some new technologies if they are to make Security 2.0 a reality for their customers!

I suggest it’s the security companies that stay "pure-play" that are in danger of ignoring the emerging security needs of their customers.

It's companies like Symantec and some other large companies that comprehend the future and realize that the anti-stuff alone cannot meet the demanding needs of protecting the infrastructure AND the information.

Symantec isn't simply trying to be a "one shop stop for all IT needs"; they have simply recognized that the emerging security problem is bigger than just keeping the bad stuff out. Protecting data and the infrastructure it resides on is a more complex security problem that will require the integration and cooperation of security, storage and systems management.

In the end the question of "Troubled Waters" is not "to diversify or not", its to "converge or not". IT technologies need to converge around the real security needs of their customers ..... Security 2.0.

Another article on this subject can be viewed at New threats call for a fresh approach....

Next post I will get back on track and discuss Data hygiene as a preface to digging deep into Security 2.0.

Don on Data