As you have likely read, or in some cases actually been notified, the level of security threats is again in the press. It is easy to suggest that we are doing all that we can in terms of prevention, but as reported, it may be time to get back to the basics.
But first, the disclaimer. The opinions and comments expressed on this blog are mine and do not represent those of my employer.
For IT, the playbook has been solidly written for some time in regards to our charter for security: protect the corporate intellectual property, protect the customer information, protect the end user information, and in general protect the integrity of IT information and access.
With all of the trends in client computing that we discuss in this and other blogs and industry white papers, strategies for security and for fulfilling the requirements of regulations and of our companies can get very confusing. Coverage of recent breaches cited the password conventions used by end users as a contributing issue.
I thought that it might be useful to suggest that it is once again time to get back to basics. I would sincerely like your thoughts as well on this topic.
Below, in list format, are 10 (nothing really magic about the number) back-to-basics suggestions for this posting.
1. Asset Management - Businesses need to reinvest in asset management as part of the overall security strategy. We cannot protect the data unless we know where and how access is coming into the enterprise.
2. Encrypt - Do not spend time agonizing over which desktops and laptops to encrypt; encrypt everything.
3. User Segmentation - Risk and security issues will vary by end user. End users such as executives will handle all sorts of confidential and sensitive information.
4. Security as a Service Level - Think of service levels for the segments, aligned to risk: asset management, encryption, TPM, passwords (of course), two-factor authentication, LoJack(TM), and other access-level countermeasures.
5. Centralize Security - There is critical mass in managing security issues centrally. Certain lifecycle operations such as help desk, asset management, disposition, and security need to be delivered by corporate IT.
6. Single Point of Accountability - There needs to be a single authoritative point of responsibility in the enterprise. Security, while a shared responsibility with the lines of business, needs to remain a corporate function with full accountability.
7. BYOC/BYOD - Understand that BYO programs are inherently less secure and go against most of the principles of centralization. For BYO strategies to be secure, the same governance that applies to corporate devices needs to apply to BYO devices. Virtualization is certainly recommended.
8. Reasonable Risk - There is no such thing as reasonable risk in today's IT environment. IT is either secure or not. "Reasonable risk" suggests that security is qualitative and not governed by law and regulation (sorry, third-party consultants, we disagree on this point significantly).
9. Knowledge Base - Do not assume that others who might be responsible for enterprise-wide security or for lines of business truly understand the technology or the implications of technology decisions.
10. Windows 7 - Windows 7 is significantly more secure and stable than XP SP3; get on this operating system as soon as the enterprise can migrate.
This year, 2012, will be more sensitive to cyber-attacks, viruses, spam and other issues simply because of the trends in client computing. Consumer devices and mobility are easier targets for the "bad guys" to identify.
Virtualization and cloud computing remain the enabling technologies for greater scaled security for the enterprise.