Contrary to common belief, when it comes to the basic model of information security not much has changed in a very long time. In a nutshell, People (or programs initiated by people from a device) need access to Data (information) exposed via Applications hosted on Infrastructure connected via Networks. Information Security wrappers the environment and:
- Ensures that People are who they say they are and have the authority to request the information they are asking for.
- Protects the data both at rest and as it travels through the network.
- Routinely monitors the environment including applications, infrastructure and the network for vulnerabilities and alerts appropriate individuals or systems when there is a problem.
An organization looking to address its regulatory and compliance gaps should start by looking at its security strategy and in the absence of one, spend some time developing it. Cutting corners and wading directly into solving tactical issues to meet auditors’ needs will more than likely result in lurching mindlessly through an ever changing morass of false alarms, contradicting advice from pundits and analysts and overall industry misinformation. Is it any wonder that in such cases security teams start randomly throwing different products and solutions that address immediate problems, into an already wildly overflowing shopping cart?
A senior security manager in an organization told me that as part of an identity and access management initiative in his organization, he had purchasedsolutions for identity management, privileged identity management, web access management, and monitoring, pickingtools based on analyst recommendations on best of breed. He then spent the next few years, sorting through his technology arsenal, with countless resources and a lot of service dollars, in a futile attempt to integrate these technologies to give him a semblance of what he needed. Needless to say requirements changed with passing time and he was always chasing a moving target. Finally frustrated at the complete lack of delivery the entire program was canned. The next attempt at a solution consisted of turning it all over to a group of third party cloud vendors. When I last got an update they were still there redefining the organization’s problem space to match their offerings, much to the dismay of the above mentioned security manager! And believe me his story is just the latest in a long line of similar stories I get to hear.
Technology vendors and consulting companies are aggressively competing with each other selling security offerings; in organizations where there is little to no oversight or overarching plan, divisions and departments end up buying disparate solutions to solve similar problems. The net result is multiple technologies and tools getting deployed in the same environment, with overlapping functionality, stepping on each other’s toes and giving rise to a whole new set of issues. Buying different security solutions and hoping some combination of them will magically integrate and address gaps in compliance is misplaced optimism.
The point of this rant is simple – merely by taking a step back and starting with a strategy you can exponentially raise your chance of success. Working methodically through a plan you can optimally leverage your technology investments and solutions to meet more than just one tactical need. In the process you will save not just money on software and services but also get much closer to protecting your organizational assets and achieving compliance goals, all the while maintaining control of your journey. And if that is not the ultimate goal, I need to get back to the roses I was tending earlier today.