Workshop Every IT professional recognises the importance of securing the IT systems that are now at the heart of many business processes. This recognition goes beyond simple deployment of security technologies.

As Register readers have told us, drivers such as compliance with regulatory pressures, minimising financial risks, securing corporate data and protecting a company’s brand are all important aspects of what we might term 'IT Security' today. No wonder, then, that its significance in continuing day to day operations is now recognised as a fact of IT life.

This recognition places greater stress on the overall management strategies that organisations need to secure IT operations. Such strategies generally depend upon using systems and security management tools effectively; the alternative is to implement labour intensive processes using scarce human resources.

It is also a fact that organisations are looking to continuously deploy new and updated services and to make use of an ever-growing range of tools and devices. Specialist tools do exist to deal with security itself, but we are seeing pressure from various quarters to consider security as one element of the broader IT management discipline. Against this background, then, how should IT security be tooled up?

Perhaps the most obvious starting point is to revisit some of the solutions at the heart of good systems management, with respect to their specific security role. Amongst these are, for example, identity management, asset management and data classification technologies. Where do these capabilities fit from a security perspective, as organisations look to deploy new solutions and work in rapid response to volatile business conditions?

Let’s take identity management first, given that it has the most obvious direct connection to securing IT operations and services. Few organisations have implemented identity management policies and solutions that can span the entire IT infrastructure, so its role in security management will be inevitably limited as a result. Even fewer have policies or tools in place capable of working with identities of individuals outside of the organisation who may require access to corporate information.

Meanwhile, the potential benefits of using well maintained asset management tools to help secure the organisation have not been widely recognised in the security sphere. Yet a little thought illustrates how the asset / inventory / configuration information held in such repositories can be exploited to support the management of security as a whole.

Simply checking that operating systems and applications are running the latest patches has obvious security benefits, especially when you take into account that identifying un-patched machines without such tools is both time consuming and prone to manual errors. Knowing who is using which machine and whether the device is loaded with the software appropriate for the job could also help highlight areas of potential exposure.

This can be aided by ensuring that all software utilised in the business is properly licensed: not only knowing what you have, but also paying for the requisite levels of software assurance, patching and support all contribute to minimising risk. As illustrated by the research quoted earlier in this article, licensing also links to protecting the company’s brand values: no commercial organisation wants to be hauled up for theft.

The final example of using systems management tools to help ensure security management policies are enacted in the real world, concerns data classification. We know that increasing amounts of sensitive corporate data are being held outside of central storage platforms, for example on laptops and mobile devices. Unless the organisation has some means, manual or automated, of establishing the sensitivity of data held on such machines it is a difficult task to ensure that sensitive data is adequately secured and protected. However, with new disclosure legislation looking likely in various countries, together with increased penalties for data loss and data breaches, organisations are under increasing pressure to do so.

This is an area where the solutions available are still developing, particularly in terms of making it simpler to classify data types and set appropriate policies. In the future we may see solutions that take the pain out of data classification, but in the meantime and when starting out, organisations are tending to adopt more broad brush approaches to data protection. For example, rather than attempting to undertake sophisticated data classification projects they may decide on implementing encryption across all mobile devices.

So, there are systems management tools available which can help raise the level of security in IT services delivery, but this approach can only take things so far as such tools were not designed specifically for the job. If the tools offer only the means and not the end, this raises the challenge of how to ensure that security management needs are comprehensively covered, particularly if the potential use case scenarios are not widely understood outside the domain of security specialists?

This latter point is especially important when considering security management in relation to the increasing burden of compliance. Regulatory and external compliance pressures require IT professionals to define systems and processes that will help the organisation meet its obligations.

Hence the problem for many IT staff, who are not usually legal eagles, becomes one of trying to define the requirements for management tools and policies that are actually going to work to any practical extent. Even getting to this stage needs the input from those with knowledge of the compliance drivers, preferably translated into language that mere mortals can comprehend such that management tools can be pointed at exactly what needs to be administered.

The way forward, one might naively assume, would be to get the experts together – for example bringing together specialist staff from a compliance monitoring department to work with systems management staff within the business, or employing external consultants who have done it before.

Equally there is a place for the IT vendors themselves, systems integrators and other partners to educate their own customers on how systems management solutions can address the challenges defined by the policy makers. There are also some independent forums of experts from within end-user organisations who are tussling with these challenges – the Jericho Forum is worthy of mention, for example. Right now however, nobody has a monopoly on all the answers.

As ever we are keen to hear how you are dealing with these issues. How do you actually govern the security of your IT services? Who is involved and who shouldn’t be? What tools do you find useful and to whom do you turn for advice? Please let us know how you are working to improve your security governance of IT services. ®