Feeds

Using systems management tools in IT security

Chisel or sharpened screwdriver?

  • alert
  • submit to reddit

Protecting against web application threats using SSL

Workshop Every IT professional recognises the importance of securing the IT systems that are now at the heart of many business processes. This recognition goes beyond simple deployment of security technologies.

As Register readers have told us, drivers such as compliance with regulatory pressures, minimising financial risks, securing corporate data and protecting a company’s brand are all important aspects of what we might term 'IT Security' today. No wonder, then, that its significance in continuing day to day operations is now recognised as a fact of IT life.

This recognition places greater stress on the overall management strategies that organisations need to secure IT operations. Such strategies generally depend upon using systems and security management tools effectively; the alternative is to implement labour intensive processes using scarce human resources.

It is also a fact that organisations are looking to continuously deploy new and updated services and to make use of an ever-growing range of tools and devices. Specialist tools do exist to deal with security itself, but we are seeing pressure from various quarters to consider security as one element of the broader IT management discipline. Against this background, then, how should IT security be tooled up?

Perhaps the most obvious starting point is to revisit some of the solutions at the heart of good systems management, with respect to their specific security role. Amongst these are, for example, identity management, asset management and data classification technologies. Where do these capabilities fit from a security perspective, as organisations look to deploy new solutions and work in rapid response to volatile business conditions?

Let’s take identity management first, given that it has the most obvious direct connection to securing IT operations and services. Few organisations have implemented identity management policies and solutions that can span the entire IT infrastructure, so its role in security management will be inevitably limited as a result. Even fewer have policies or tools in place capable of working with identities of individuals outside of the organisation who may require access to corporate information.

Meanwhile, the potential benefits of using well maintained asset management tools to help secure the organisation have not been widely recognised in the security sphere. Yet a little thought illustrates how the asset / inventory / configuration information held in such repositories can be exploited to support the management of security as a whole.

Simply checking that operating systems and applications are running the latest patches has obvious security benefits, especially when you take into account that identifying un-patched machines without such tools is both time consuming and prone to manual errors. Knowing who is using which machine and whether the device is loaded with the software appropriate for the job could also help highlight areas of potential exposure.

This can be aided by ensuring that all software utilised in the business is properly licensed: not only knowing what you have, but also paying for the requisite levels of software assurance, patching and support all contribute to minimising risk. As illustrated by the research quoted earlier in this article, licensing also links to protecting the company’s brand values: no commercial organisation wants to be hauled up for theft.

The final example of using systems management tools to help ensure security management policies are enacted in the real world, concerns data classification. We know that increasing amounts of sensitive corporate data are being held outside of central storage platforms, for example on laptops and mobile devices. Unless the organisation has some means, manual or automated, of establishing the sensitivity of data held on such machines it is a difficult task to ensure that sensitive data is adequately secured and protected. However, with new disclosure legislation looking likely in various countries, together with increased penalties for data loss and data breaches, organisations are under increasing pressure to do so.

This is an area where the solutions available are still developing, particularly in terms of making it simpler to classify data types and set appropriate policies. In the future we may see solutions that take the pain out of data classification, but in the meantime and when starting out, organisations are tending to adopt more broad brush approaches to data protection. For example, rather than attempting to undertake sophisticated data classification projects they may decide on implementing encryption across all mobile devices.

So, there are systems management tools available which can help raise the level of security in IT services delivery, but this approach can only take things so far as such tools were not designed specifically for the job. If the tools offer only the means and not the end, this raises the challenge of how to ensure that security management needs are comprehensively covered, particularly if the potential use case scenarios are not widely understood outside the domain of security specialists?

This latter point is especially important when considering security management in relation to the increasing burden of compliance. Regulatory and external compliance pressures require IT professionals to define systems and processes that will help the organisation meet its obligations.

Hence the problem for many IT staff, who are not usually legal eagles, becomes one of trying to define the requirements for management tools and policies that are actually going to work to any practical extent. Even getting to this stage needs the input from those with knowledge of the compliance drivers, preferably translated into language that mere mortals can comprehend such that management tools can be pointed at exactly what needs to be administered.

The way forward, one might naively assume, would be to get the experts together – for example bringing together specialist staff from a compliance monitoring department to work with systems management staff within the business, or employing external consultants who have done it before.

Equally there is a place for the IT vendors themselves, systems integrators and other partners to educate their own customers on how systems management solutions can address the challenges defined by the policy makers. There are also some independent forums of experts from within end-user organisations who are tussling with these challenges – the Jericho Forum is worthy of mention, for example. Right now however, nobody has a monopoly on all the answers.

As ever we are keen to hear how you are dealing with these issues. How do you actually govern the security of your IT services? Who is involved and who shouldn’t be? What tools do you find useful and to whom do you turn for advice? Please let us know how you are working to improve your security governance of IT services. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.