FT : Security 2.0

Monday, December 10, 2007

The more money and resources we seem to throw at security, the more the bad guys seem to catch up. With every technology advance comes a new – and sometimes worse – threat to business. It simply comes in a different form. Loud, large-scale virus attacks launched for glory have been replaced with stealthy, financially motivated attacks seeking confidential information. Spam is no longer just touting free Viagra. It is a delivery mechanism for phishing attacks, identity theft and malicious code. And malicious code propagates not just in e-mail, but through web plug-ins, instant messaging, smartphones and USB drives – to name just a few. The biggest threats to a company’s brand and bottom line these days come not from hackers, but from internal sources…..

…..The range of risks can be mind-numbing, but it is not unmanageable. Security just needs to be handled differently…..

…..There is no longer an impenetrable wall around organisations. People are the new perimeter. Employees are everywhere, partners are faceless, and your brand is not just in your hands. Companies are forced to trust their data to third parties and secure data that are not always under their control. In this environment, security cannot only be about locking things down. Security should help guide organisations, enabling them to thrive and have confidence that their infrastructure, information and interactions are protected. This is Security 2.0…..

…..Security 1.0, which focused on making systems safe and keeping the bad guys out, is necessary but no longer enough. Security 2.0 builds on 1.0, but expands protection to the information and interactions themselves. This requires a more dynamic view of security, which involves technologies and processes that adapt to the reputation or behaviour of devices, people and applications. Security 2.0 is driven first by policy, then by technology, and it will be operationalised to speed progress and lower costs.
The devices and systems we use are simply a suitcase for the real asset we are trying to protect: the information.  Since the perimeter cannot be locked down, security needs to focus on protecting the information itself.  This requires knowing where your information is, what is sensitive or confidential, who has access to it, who needs access to it and how you make sure it is protected and available when you need it.  Answering these questions requires security, operations and the business to work together. 

…..A variety of options are available to prevent data loss – solutions that enable companies to discover where information is in their organisation, to set policies around entitlement or access, to filter confidential information from e-mails and instant messaging, or to monitor security incidents and database patterns that could indicate malicious activity. But there is no silver bullet. Data loss prevention cannot be addressed with a single piece of technology, and there is no substitute for understanding potential process weaknesses and training your people. Security should scale to the situation…..

…..Take information controls. You would not spend thousands of dollars protecting snaps of the company picnic, but you would to protect design documents, source code or credit card numbers. In Security 2.0, cover adapts to the level of risk, what needs to be protected, and the reputation of those entities trying to access your systems and information. Security parameters should automatically change depending on whether a user is connecting to a network from inside the firewall or from an airport kiosk. Decisions should be made based on the behaviour of users, historical information and the policies that are in place. We see this happening already with anti-spam solutions, which analyse the behaviour and reputation of IP addresses to determine which messages get blocked. Technologies such as whitelisting and proactive threat protection in products such as Symantec Endpoint Protection are another example of reputation-based security. These technologies consider both good and bad behaviour to determine which applications and executables are permitted.

Probably the biggest shift in Security 2.0 is how it is driven within an organisation. Today, most organisations are addressing security and risk in silos, with groups implementing distinct and often disconnected processes and technologies to mitigate the risks.
These risks are often interconnected, but unfortunately the processes and technologies are not.  In order to lower operational costs and make security more effective, proactive and measurable, it needs to be embedded throughout business processes from the start.  Policies have to be consistently defined and socialised before controls can be put in place.  The most successful companies look at policy first, and then implement the technology to automate it.  Not the other way round.  By operationalising security – standardising, automating and driving down the cost of day-to-day security activities – companies and IT can be much more proactive when it comes to protection.

Reference: http://www.ft.com/cms/s/0/b262ff4a-a2d4-11dc-81c4-0000779fd2ac.html
