Using systems management tools in IT security

Chisel or sharpened screwdriver?


Workshop Every IT professional recognises the importance of securing the IT systems that are now at the heart of many business processes. This recognition goes beyond simple deployment of security technologies.

As Register readers have told us, drivers such as compliance with regulatory pressures, minimising financial risks, securing corporate data and protecting a company’s brand are all important aspects of what we might term 'IT Security' today. No wonder, then, that its significance in continuing day to day operations is now recognised as a fact of IT life.

This recognition places greater stress on the overall management strategies that organisations need to secure IT operations. Such strategies generally depend upon using systems and security management tools effectively; the alternative is to implement labour intensive processes using scarce human resources.

It is also a fact that organisations are looking to continuously deploy new and updated services and to make use of an ever-growing range of tools and devices. Specialist tools do exist to deal with security itself, but we are seeing pressure from various quarters to consider security as one element of the broader IT management discipline. Against this background, then, how should IT security be tooled up?

Perhaps the most obvious starting point is to revisit some of the solutions at the heart of good systems management, with respect to their specific security role. Amongst these are, for example, identity management, asset management and data classification technologies. Where do these capabilities fit from a security perspective, as organisations look to deploy new solutions and work in rapid response to volatile business conditions?

Let’s take identity management first, given that it has the most obvious direct connection to securing IT operations and services. Few organisations have implemented identity management policies and solutions that span the entire IT infrastructure, so its role in security management will inevitably be limited as a result. Even fewer have policies or tools in place capable of working with the identities of individuals outside the organisation who may require access to corporate information.

Meanwhile, the potential benefits of using well maintained asset management tools to help secure the organisation have not been widely recognised in the security sphere. Yet a little thought illustrates how the asset / inventory / configuration information held in such repositories can be exploited to support the management of security as a whole.

Simply checking that operating systems and applications are running the latest patches has obvious security benefits, especially when you take into account that identifying un-patched machines without such tools is both time consuming and prone to manual errors. Knowing who is using which machine and whether the device is loaded with the software appropriate for the job could also help highlight areas of potential exposure.

This can be aided by ensuring that all software used in the business is properly licensed: knowing what you have, and paying for the requisite levels of software assurance, patching and support, both contribute to minimising risk. As illustrated by the research quoted earlier in this article, licensing also links to protecting the company’s brand values: no commercial organisation wants to be hauled up for theft.

The final example of using systems management tools to help ensure security management policies are enacted in the real world concerns data classification. We know that increasing amounts of sensitive corporate data are being held outside of central storage platforms, for example on laptops and mobile devices. Unless the organisation has some means, manual or automated, of establishing the sensitivity of data held on such machines, it is difficult to ensure that sensitive data is adequately secured and protected. However, with new disclosure legislation looking likely in various countries, together with increased penalties for data loss and data breaches, organisations are under increasing pressure to do so.

This is an area where the solutions available are still developing, particularly in terms of making it simpler to classify data types and set appropriate policies. In the future we may see solutions that take the pain out of data classification, but in the meantime and when starting out, organisations are tending to adopt more broad brush approaches to data protection. For example, rather than attempting to undertake sophisticated data classification projects they may decide on implementing encryption across all mobile devices.

So, there are systems management tools available which can help raise the level of security in IT services delivery, but this approach can only take things so far, as such tools were not designed specifically for the job. If the tools offer only the means and not the end, this raises the challenge of how to ensure that security management needs are comprehensively covered, particularly if the potential use case scenarios are not widely understood outside the domain of security specialists.

This latter point is especially important when considering security management in relation to the increasing burden of compliance. Regulatory and external compliance pressures require IT professionals to define systems and processes that will help the organisation meet its obligations.

Hence the problem for many IT staff, who are not usually legal eagles, becomes one of trying to define the requirements for management tools and policies that are actually going to work to any practical extent. Even getting to this stage needs input from those with knowledge of the compliance drivers, preferably translated into language that mere mortals can comprehend, so that management tools can be pointed at exactly what needs to be administered.

The way forward, one might naively assume, would be to get the experts together – for example bringing together specialist staff from a compliance monitoring department to work with systems management staff within the business, or employing external consultants who have done it before.

Equally, there is a place for the IT vendors themselves, systems integrators and other partners to educate their own customers on how systems management solutions can address the challenges defined by the policy makers. There are also some independent forums of experts from within end-user organisations who are tussling with these challenges – the Jericho Forum is worthy of mention, for example. Right now, however, nobody has a monopoly on all the answers.

As ever we are keen to hear how you are dealing with these issues. How do you actually govern the security of your IT services? Who is involved and who shouldn’t be? What tools do you find useful and to whom do you turn for advice? Please let us know how you are working to improve your security governance of IT services. ®
