Jon Collins, originally published on Computing
While the principles of IT security are relatively timeless and straightforward to understand, technology itself is rapidly evolving. The effect is as if, once every couple of years, we need to learn all the old rules from scratch, and work out how they apply all over again.
Ten years ago, the most discussed risks were around viruses and how the fledgling internet was opening up systems that were never designed for public access. Since then, we’ve seen a wave of malware, phishing and social engineering attacks. So what challenges exist today, and how should we adapt our security thinking accordingly?
You may think I’m going to say the answer is the cloud, but I’m not, as I believe we’ll look back on the cloud hype as merely a symptom of what’s going on, rather than the cause. A number of revolutions are happening in IT today that are far more interesting and having a greater impact – not least miniaturisation of IT technology, and consumerisation and virtualisation – and each has security ramifications.
Let’s take miniaturisation and its impact first. Computers have, of course, been getting smaller since the dawn of IT; nothing new there. But it is only recently that it has become possible for a more significant proportion of individuals to afford, and therefore carry, one, two or more devices, each of which is a pretty powerful computer. The cost of personal computing will continue to drop, and new form factors such as the iPad/slate are indicators that computing devices will proliferate further. From a security perspective this just makes for fragmentation, an increased threat surface, more interfaces to monitor and a greater likelihood that protection will fall between the cracks.
Next we have consumerisation. We can talk about this in two ways – first, the propensity for people to use their own kit in a work context, and second, the expectation that work equipment will offer similar levels of usability as personal devices. From a hardware perspective, we can see this through highly paid execs wanting to run Apple Mac computers whether or not they are capable of delivering the expected baseline of manageability and security from a corporate perspective. Meanwhile, we have the software perspective, with instant messaging and social networking applications raising the bar when it comes to how people expect to collaborate.
Finally, a number of organisations are starting to adopt virtualisation, in particular for x86 servers. While the commonly quoted benefits are around cost savings and increased operational flexibility, what makes it feasible is that computers are now powerful enough to allow for an additional layer to be incorporated between operating systems and hardware. This layer, known as the hypervisor, enables multiple virtual computers to run on a single box – enabling a level of flexibility that many organisations appreciate. A similar benefit is to be had with storage and desktop virtualisation. It’s not all going to be roses for virtualisation, however – the downside of flexibility is complexity, and as we know, complexity is the worst enemy of security.
To sum it all up from the security point of view, technology users are rushing ahead on a number of tracks. Generally this is for good reason, as there are visible, tangible benefits to be had. But the downside is that the already-shaky security architecture in many organisations is being taken into account only as an afterthought, if at all.
People must be the primary focus
So, where on earth should organisations start when it comes to dealing with security risks? The timeless principles still apply, not least considering security in terms of people-process-technology. However, perhaps in the past there has been a tendency to think about these in reverse order, putting technology first and dealing with the sticky issues around people last. Good security practice recognises that if you can get people thinking and acting properly, technology can assist the process, whereas if people are acting in inappropriate ways, no amount of technology will help.
The second timeless principle to apply is that information security is – or should be – centred on information. IT security is all about protecting the information and systems that an organisation uses to go about its business. So, if you can think about what information you are trying to secure, then all other activities can lead on from this: we know from our research that organisations that understand what information they have and need are better off than those that don’t.
From this point on, security is as much about process as anything. The challenge faced by many security professionals today is not that technology is less secure than in the past; it’s more that it’s being implemented without sufficient due diligence. This may be because traditional security practice is perceived as being too slow and onerous, and organisations are actively deciding they don’t want to miss the boat and are prepared to take the risk. Or, it may be because senior business managers are ignorant of, or in denial about, their responsibilities. The fact is that if something goes wrong, the consequences have to be dealt with by business people, not the techies. But do your senior business execs really understand the extent to which they are responsible for the information held by your organisation?
Note that this is very different to establishing senior buy-in. If you’re thinking your organisation needs to acquire a certain security technology, say log management or behavioural analysis, you may think that you need to get the buy-in of senior stakeholders so the procurement can take place. I would suggest this is putting the cart before the horse. If the board understands that it, ultimately, is responsible and will be held to account, then it may take more of an interest in the risks, and consequently how to mitigate them – which may involve procuring behavioural monitoring software.
If we insist on starting with technology, we will always be running after the curve. But at least if we start with people and process, and remember this is fundamentally about the information businesses use on a day-to-day basis, we give ourselves an anchor point to which we can return whenever things change.