Security or Assurance? What's in a name?

by NeilPass on 08-16-2011 09:54 AM - last edited on 08-16-2011 09:54 AM

Security or Assurance?

 

Can systems (and more importantly, information) ever be truly secure? The term “security” does imply that something is either secure or not.

 

However, in reality, there are degrees of security and lots of assumptions around this. Some people prefer the term “assurance” as this implies instead a certain level of protection which can be verified (to some degree).

 

In the Cloud world, we may always fall short of attaining bullet-proof security; however, we can aspire to levels of assurance similar to those we would aim for in the non-Cloud world.

 

Security or Stewardship?

 

With the advent of the Cloud, some have started using the term “stewardship” with respect to securing Cloud usage, rather than "security". The former has connotations of responsibility, accountability and trade-offs.

 

I guess most people would recognise that the first two of these are desirable – but ‘trade-offs’? With limits on resources available and aspirations for increased business agility (e.g. collaborative ventures, consumerisation), many organisations are considering how trade-offs between “ideal security” and cost, for example, can be achieved – in a clear and controlled way. It’s based on the assumption that some information is more valuable than others.

 

There are, of course, many complications when operating in the Cloud.

  • Ownership and valuation of information assets;
  • Accountability.

Most of all, achieving good stewardship in the Cloud requires openness.

 

 

 

 


Comments
by Nadhan on 08-19-2011 02:18 PM

This article punctuates the reasons why Applications Security Testing is vital to your enterprise. Given that there are different levels of security, the testing must be in alignment with the security requirements for the application which are a key determinant of its suitability for deployment to the Cloud. See Right Application in Cloud Transformation Bill of Rights.

by NeilPass on 08-19-2011 11:24 PM

I totally agree. As an ex-developer and pen-tester, I concur that app security testing is vital. Apps were always the easiest way into an enterprise - now they can be the doorway to much more! But if orgs didn't get their web apps tested before, will they now in the cloud world?

 

Good blog re Bill of Rights.

About the Author
  • After graduation from Oxford University, Paul developed laser technology for NASA satellites, before moving into IT Security at Cable & Wireless in 2000, where he led the development of Internet Security Services. In 2005, Paul joined Vistorm, now HP Enterprise Security Services, as a Security Architect, where he is technical lead for mobile device and endpoint security solutions. Paul is CISSP and ITPC certified, is a CLAS consultant and M.Inst.ISP. He has recently completed the MSc Information Security at Royal Holloway, University of London.
  • A business first, senior executive, with over 20 years of hands-on experience in defending banks, governments and corporations against cyberwarfare. My career in security started when I was employed to crack a secure system, which had locked down the boot process, whitelisting of applications and encrypted disks. I linked TeamOffice (an ICL email and collaboration system) with Microsoft Word to send an email which allowed me to do anything the person reading the email could do and send the results back to me, all without their knowledge. Having proved this vulnerability, I worked with Peter Simpson to create Defuse, a tool that blocked inappropriate actions. This successfully blocked Winword Concept, the first known malicious code in the wild. From these beginnings I have investigated all aspects of security to provide an holistic approach to security as a business enabler and am currently advising organisations on the suitability of the cloud to their needs.