Using systems management tools in IT security

Chisel or sharpened screwdriver?


Workshop: Every IT professional recognises the importance of securing the IT systems that are now at the heart of many business processes. This recognition goes beyond simple deployment of security technologies.

As Register readers have told us, drivers such as compliance with regulatory pressures, minimising financial risks, securing corporate data and protecting a company’s brand are all important aspects of what we might term 'IT Security' today. No wonder, then, that its significance in continuing day to day operations is now recognised as a fact of IT life.

This recognition places greater stress on the overall management strategies that organisations need to secure IT operations. Such strategies generally depend upon using systems and security management tools effectively; the alternative is to implement labour intensive processes using scarce human resources.

It is also a fact that organisations are looking to continuously deploy new and updated services and to make use of an ever-growing range of tools and devices. Specialist tools do exist to deal with security itself, but we are seeing pressure from various quarters to consider security as one element of the broader IT management discipline. Against this background, then, how should IT security be tooled up?

Perhaps the most obvious starting point is to revisit some of the solutions at the heart of good systems management, with respect to their specific security role. Amongst these are, for example, identity management, asset management and data classification technologies. Where do these capabilities fit from a security perspective, as organisations look to deploy new solutions and work in rapid response to volatile business conditions?

Let’s take identity management first, given that it has the most obvious direct connection to securing IT operations and services. Few organisations have implemented identity management policies and solutions that can span the entire IT infrastructure, so its role in security management will be inevitably limited as a result. Even fewer have policies or tools in place capable of working with identities of individuals outside of the organisation who may require access to corporate information.

Meanwhile, the potential benefits of using well maintained asset management tools to help secure the organisation have not been widely recognised in the security sphere. Yet a little thought illustrates how the asset / inventory / configuration information held in such repositories can be exploited to support the management of security as a whole.

Simply checking that operating systems and applications are running the latest patches has obvious security benefits, especially when you take into account that identifying un-patched machines without such tools is both time consuming and prone to manual errors. Knowing who is using which machine and whether the device is loaded with the software appropriate for the job could also help highlight areas of potential exposure.

This can be aided by ensuring that all software utilised in the business is properly licensed: not only knowing what you have, but also paying for the requisite levels of software assurance, patching and support all contribute to minimising risk. As illustrated by the research quoted earlier in this article, licensing also links to protecting the company’s brand values: no commercial organisation wants to be hauled up for theft.

The final example of using systems management tools to help ensure security management policies are enacted in the real world concerns data classification. We know that increasing amounts of sensitive corporate data are being held outside of central storage platforms, for example on laptops and mobile devices. Unless the organisation has some means, manual or automated, of establishing the sensitivity of data held on such machines, it is a difficult task to ensure that sensitive data is adequately secured and protected. However, with new disclosure legislation looking likely in various countries, together with increased penalties for data loss and data breaches, organisations are under increasing pressure to do so.

This is an area where the solutions available are still developing, particularly in terms of making it simpler to classify data types and set appropriate policies. In the future we may see solutions that take the pain out of data classification, but in the meantime and when starting out, organisations are tending to adopt more broad brush approaches to data protection. For example, rather than attempting to undertake sophisticated data classification projects they may decide on implementing encryption across all mobile devices.

So, there are systems management tools available which can help raise the level of security in IT services delivery, but this approach can only take things so far, as such tools were not designed specifically for the job. If the tools offer only the means and not the end, this raises the challenge of how to ensure that security management needs are comprehensively covered, particularly if the potential use case scenarios are not widely understood outside the domain of security specialists.

This latter point is especially important when considering security management in relation to the increasing burden of compliance. Regulatory and external compliance pressures require IT professionals to define systems and processes that will help the organisation meet its obligations.

Hence the problem for many IT staff, who are not usually legal eagles, becomes one of trying to define the requirements for management tools and policies that are actually going to work to any practical extent. Even getting to this stage needs input from those with knowledge of the compliance drivers, preferably translated into language that mere mortals can comprehend, so that management tools can be pointed at exactly what needs to be administered.

The way forward, one might naively assume, would be to get the experts together – for example bringing together specialist staff from a compliance monitoring department to work with systems management staff within the business, or employing external consultants who have done it before.

Equally there is a place for the IT vendors themselves, systems integrators and other partners to educate their own customers on how systems management solutions can address the challenges defined by the policy makers. There are also some independent forums of experts from within end-user organisations who are tussling with these challenges – the Jericho Forum is worthy of mention, for example. Right now however, nobody has a monopoly on all the answers.

As ever we are keen to hear how you are dealing with these issues. How do you actually govern the security of your IT services? Who is involved and who shouldn’t be? What tools do you find useful and to whom do you turn for advice? Please let us know how you are working to improve your security governance of IT services. ®
