Feeds

Process, not just product, will save your IT department

RTFM is not enough

  • alert
  • submit to reddit

Security for virtualized datacentres

So, you’ve bought your firewall. You’ve spent thousands on an intrusion prevention system, and you’ve got expensive data leak prevention software. Are you dead sure that your sensitive customer data hasn’t been leaked?

In IT security, capital expenditure on products can help to protect your systems, but it isn’t enough. Thinking about security when designing and executing your everyday IT processes is a key part of guarding your infrastructure. Moreover, it might help to reduce your overall security expenditure.

“CISOs spend a lot of money on firewalls and anti-virus,” says Jeremiah Grossman, chief technology officer at at WhiteHat Security, which carries out penetration testing services on client systems.

Grossman argues that large companies typically invest lots of money on developing software, and desktop and server infrastructure, with less spent on network infrastructure. Conversely, he argues that the CISO targets security dollars on network infrastructure first, investing in expensive firewalls, with less spent on desktop security infrastructures, and even less on things like secure development lifecycle in software. “So he’s out of phase with the business,” Grossman concludes.

This doesn’t mean that you shouldn’t buy a firewall, of course. Nevertheless, focusing purely on throwing tools at the problem rather than thinking more generally about security processes risks making security more reactive, and piecemeal. What does a properly orchestrated set of processes look like?

There are a variety of operational maturity models to choose from, each with their own strengths and weaknesses. ISO 27001 covers enterprise security in the broad sense, and ITIL includes useful points on security within a services framework. These can be effectively integrated with other models to create an operational maturity model for security. For example, it is possible to map ISO 27K and ITIL against the Capability Maturity Model Integration (CMMI), which provides the framework for assessing operational maturity. Using this mapping, you can frame your security processes according to five levels of capability. The Control Objectives for Information Related Technology (COBIT) also provides a framework of governance and control that encompasses security practice.

Systems integration consultancy CIBER uses a seven-layer model as the basis for its operational security maturity programme. It starts with a programme layer that covers funding, strategic planning, and cross-functional oversight. The management layer covers asset risk management, security skills, roles and responsibilities, while the next layer, documentation, involves asset classification, procedures, and policies. Atop these layers sit the others: education, protection, detection, and response.

Documentation is an important part of implementing standard security models across the enterprise, according to CIBER, which talks about an umbrella security framework that allows for traceability for security regulations and external requirements. Documenting your assets is important if you are to fold them into processes that help to protect your corporate infrastructure.

CIBER advises companies to create a roadmap for use as part of its ‘protection’ layer, which will link the technologies that you invest in to your long-term security goals.

What processes should you focus on when defining these long-term security goals? Much will depend on your company’s unique business requirements, but broadly speaking, we can identify some common critical areas. Vulnerability management and intrusion protection are important, as is identity and access management. Here are some key things to keep in mind when designing security processes that will guide your roadmap:

Know your infrastructure A sound asset inventory and configuration management database is a critical piece of the puzzle. Without this, you won’t know what you have, which makes it impossible to manage it properly. This becomes a serious problem if, for example, someone plugs an unauthorised access point into the network,or downloads un-verified applications,or hooks up a USB hard drive for instance . Is it yours, or is it theirs? How would you know, if you did a wireless networking audit?

Automate its management Ensure that critical processes such as patch management are as automated as possible across servers and PCs, operating systems and applications beyond just Microsoft (third party applications are the greatest sources of risk), so that procedures necessary to bolster corporate security happen quickly. Automating other processes such as the scanning of new devices connected to the network will help to ensure that rogue devices don’t pollute your environment. This is one area where process and product intersect, but it is also an area where security budgets can be wisely applied.

Use systems management tools as your eyes and ears Effective governance includes discovery of devices on the network, so that they you can first of all figure out if they’re yours or not. Make sure that your management tools watch your network and systems for you, alerting you to problems that could indicate a security issue. Why, for example, is that newly-attached PC suddenly blasting out traffic to every PC in the local subnet on an unusual port?

Check your logs Mine your logs for useful information, possibly using log analysis software. Drawing intelligence from your logs can help you to identify attempted attacks (and perhaps successful ones).

Positive Feedback Loops It may seem obvious, but above all do remember to learn from your experiences. If you encounter an incident make sure that the relevant holes are plugged, that configurations are tweaked and users educated. You might be able to buy software that will do most things for you, but process – of which positive feedback loops are one – are the things that really keep you secure.

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
Admins! Never mind POODLE, there're NEW OpenSSL bugs to splat
Four new patches for open-source crypto libraries
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.