I hate to do this, but today we need to start on a down note. Security is the one aspect of IT where no one is ever done.
The constant stream of new security concerns and challenges means that security must and will remain on the front burner in every IT shop. Especially with the evolving Digital Age.
The key reason for this is that there is no such thing as absolute security. New threats appear with shocking regularity. This means — no matter what the operational requirements, security technologies, or application constraints may be — eternal vigilance is, and always will be, the price of success in any organization.
As the Digital Age proceeds, all systems, networks, and applications require a thorough and continuous review of all aspects of security. This activity includes everything from policy and planning, to technologies, deployment, verification, operations, upgrades, and evolution.
No aspect of IT should ever be changed without a complete review and consideration of the underlying security ramifications involved.
Let’s look at the lifecycle of security in the Digital world:
Requirements and Policy:
A workable security policy is essential before any other activities are started. This does not need to be an elaborate or complex document. Rather, it must focus on only three key items:
- What information is classified as sensitive and requires at least some degree of protection.
- Who has access to this information and under what circumstances.
- What to do in the event of a breach.
A security policy should not define what specific technologies, tools and solutions are required. That’s the job of security professionals within IT.
But it does need to assure compliance with the overall organizational mission and objectives. It’s vital that the policy be widely communicated within the organization, via distribution of the document, online or classroom training, and/or regular reinforcement.
The security team needs to monitor behaviors and practices that may compromise security, as any security implementation is only as good as those working under it.
The increased use of third-party cloud apps in everyday work, such as file storage and sharing services like Dropbox and collaboration apps like Box, need to extend the same data security policies and protections that are applied to information stored in the enterprise.
Consideration must be given to how the Policy will be implemented, and its impact on users. Onerous solutions always invite personal workarounds that may result in a compromise to security objectives. Not to mention sensitive information. Security must be as transparent as possible, with implementations rather than individual user decisions driving results. For example, if users are not permitted to copy or print files containing information defined in the Security Policy as sensitive, operational implementations should prevent such, rather than relying on the cooperation of users alone.
Technologies and techniques:
At the core of any security implementation are two fundamental functions:
- Authentication: This is the act of one party in a transaction proving its identity to the other – ideally, this should be mutual. The most common technique here is, the traditional username/password pair. A better technique is two-factor authentication, often described as “something you have plus something you know.” This might take the form, of a USB key plus the username/password technique, or sending a message to an authorized cell phone and waiting for the proper response.
- Encryption: This is the coding of information so that only authorized parties can read and use it. A wide variety of standard techniques exist here (https, for example), but it is critical that all information defined as sensitive in the Security Policy be encrypted wherever and whenever in residence or in transit. Failure to encrypt data when it’s sitting on a disk drive in a server or on a handset is a fundamental (and sadly common) error that is a frequent source of compromise. Today, the use of virtual private networks (VPNs) is so available and easy that there is little excuse for not applying this technology in every Digital application.
Deployment and verification:
It’s never a good idea to roll out a new Digital service or application en mass without “pilot” or “beta” testing. That means making it available only to a small group of users, verifying all aspects of the capability as it is applied and closely monitored. Support groups must always be in the loop here to identify common problems than can be eliminated before they become major production-scale supports costs and headaches.
Using “white hat” or “ethical” hackers to attack the security of the new solution from every conceivable angle is also a good idea. It is usually impossible for those on the inside to know every possible attack vector and to explore every possible vulnerability.
The security landscape is so complex today that specialists must almost always be involved. Up-front testing and verification can be very cheap insurance. That’ because the cost of dealing with a breach or related challenge can be incalculable.
Once the Digital solution is live and in large-scale production, it’s vital to monitor for anomalies of any form. Security challenges can creep in at any time. This is the domain of management consoles and other tools that monitor performance, security, and other locally-defined constraints. The current trend towards Software-Defined Networking (SDN) will provide significant benefits in the domain of operational assurance over time, and the advantages of this technology should be considered during regular refresh cycles and any other major equipment-purchasing events.
Upgrades and evolution:
Security must be carefully evaluated during all reconfigurations, upgrades, enhancements, new-feature rollouts, and related large-scale changes. This is also true when deploying updates to applications – regression and other testing can be relatively small components in calculating the price of security success.
And, of course, a regular (at least twice a year) review of the overall security policy is essential. This helps in verifying that it remains consistent with and in the service of overall organizational objectives.
Remember, security is the one area of IT where you’re never, ever done.
The economic and functional benefits of moving to an all-Digital world make the Digital evolution a key IT priority for essentially every organization everywhere. Security must remain a core focus – forever.