A Compliance with a Complex Problem

In an interview earlier this year, Kristin Lovejoy, Vice President of Security Strategy at IBM, addressed growing security concerns across the North American business landscape. Lovejoy focused on global security threats facing organizations, unique challenges of managing security across IBM, and how security leaders can improve in 2011 and beyond.

“This is potentially the most dramatic trend,” Lovejoy told BankInfosecurity. “There is a lot of complexity out there, and if you ask a customer what their biggest problem is, it isn’t compliance, it’s complexity.”

Lovejoy goes on to say that while the global compliance landscape creates unique challenges for organizations across the industry, the greater issue is prioritizing the response to these mandates.

In other words, compliance!

Lovejoy, who is responsible for the overall market direction and strategy of IBM's security portfolio, among other roles, says that as new regulations raise the bar for compliance, the problem only becomes more complex: customers are left asking what to do, when to do it, and how.

In the end, what are the benefits?

That's a good question, and one that has been asked since June 30, 2007, the deadline for companies to show that they were in compliance with the Payment Card Industry Data Security Standard, or PCI-DSS. According to Chris Farrow, Board Member at the PCI Security Vendor Alliance, the Payment Card Industry required all organizations that store, process or transmit credit card payment data to demonstrate compliance with PCI-DSS by that date.

In a 2008 article, Farrow states, “There has been much more positive awareness by banks and merchants. There’s been much more media coverage on this issue, and all of it adds up to PCI-DSS being a higher priority focus for these institutions and merchants. That in turn is helping to improve the state of information security.”

Security through moving parts

Compliance doesn't mean you're secure; it is a baseline that says you have done an average job of securing the corporation. Tighter security requires several moving parts, including patch management, endpoint security, identity management and security information and event management (SIEM).

To keep up with patching, automated patch management systems should be in place, paired with a lab environment that mirrors production so that patches can be tested properly and rolled out to production in a short period of time.

An appropriate lab is not always up and running. During the ten years I spent working for a software vendor, my clients ran anywhere from 50 to 600 servers and 200 to 25,000 users, and at any given time only two of them had a proper lab set up for testing.

Testing is not something to be overlooked. As we all know, a new patch can easily break something else. The problem lies in the interim: the security group expects the patch on the system to help mitigate a known avenue of compromise, but the IT staff may have to wait weeks to test it because they don't have a proper lab set up.

This has the potential to create company in-fighting

Most corporations have IT staff who are overworked and underpaid. When something is left unchecked and running wild, they are the ones handed the task of security, and in most cases they lack the proper training for it.

Security on the “go”

Mobile is becoming critical. It isn't easy to control how corporate smartphones are used, and the applications end-users install and run add to, or in many cases deplete, whatever security the device had.

Those driving the enterprise IT strategy should have legitimate concerns about how to handle inventory, protect and comply with any corporate policies, and fulfil privacy and confidentiality requirements. Regardless of whether the employer or the employee owns the devices, their permanent position within the enterprise landscape means that they require comprehensive security protection, just like any other device in the network.

Heal thyself

Moving towards a self-healing infrastructure is key.

In one scenario, a user logs in from any location and the system validates that user with two- or three-factor authentication through an identity management system that is monitored by the SIEM. Elsewhere, the inventory and asset management processes are checking all servers, workstations and mobile devices for their patch and virus definition levels.

Once a discrepancy is found, the corporate patch management service automatically deploys the patch. Should the endpoint be infected or the user disgruntled, then network access control, intrusion detection, SIEM with user activity monitoring configured, and other monitoring devices are policing the network for malicious signatures and can shut down access. Once that happens, the log manager can open a ticket and advise the IT staff in real time of what is going on.
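As an added illustration (not code from the article, nor from IBM or any product it mentions), the scenario above can be sketched as a small policy loop: compare the asset inventory against a patch and virus-definition baseline, queue remediation for anything that has drifted, and correlate monitored events so that a burst of failed logins or an IDS alert revokes access and opens a ticket. The baseline values, asset names, event kinds, thresholds and sample data are all assumptions constructed for the example.

```python
"""Added example: a minimal self-healing policy loop over constructed data.
Not the article's code; all identifiers and thresholds are hypothetical."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed baseline the inventory check enforces (hypothetical values).
BASELINE = {
    "min_os_build": (10, 0, 19045),          # older builds get the patch rolled out
    "max_av_def_age": timedelta(hours=24),   # stale definitions get refreshed
}


@dataclass
class Asset:
    name: str
    os_build: tuple           # produced by parse_build()
    av_defs_updated: datetime


@dataclass
class Event:
    ts: datetime
    user: str
    host: str
    kind: str                 # "auth_fail" | "auth_ok" | "ids_alert"
    detail: str = ""


def parse_build(version: str) -> tuple:
    # Integer tuple so 10.0.19045 > 10.0.9999; a string compare would get this wrong.
    return tuple(int(p) for p in version.split("."))


def check_inventory(assets, now, baseline=BASELINE):
    """Compare every asset with the baseline; return the remediation actions
    the patch management service should run, in inventory order."""
    actions = []
    for a in assets:
        if a.os_build < baseline["min_os_build"]:
            actions.append(("deploy_patch", a.name))
        if now - a.av_defs_updated > baseline["max_av_def_age"]:
            actions.append(("update_av_definitions", a.name))
    return actions


def evaluate_events(events, window=timedelta(minutes=5), fail_threshold=5):
    """Correlate monitored events. An IDS alert quarantines the host; reaching
    fail_threshold failed logins for one user inside a sliding window revokes
    that user. Returns (blocks, tickets) for NAC and the log manager."""
    blocks, tickets = set(), []
    recent_fails = defaultdict(deque)        # user -> failure timestamps in window
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "ids_alert":
            blocks.add(("host", e.host))
            tickets.append(f"{e.ts:%H:%M:%S} IDS signature on {e.host}: {e.detail}; host quarantined")
        elif e.kind == "auth_fail":
            q = recent_fails[e.user]
            q.append(e.ts)
            while q and e.ts - q[0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= fail_threshold and ("user", e.user) not in blocks:
                blocks.add(("user", e.user))
                tickets.append(f"{e.ts:%H:%M:%S} {len(q)} failed logins by {e.user} "
                               f"within {window}; access revoked")
    return blocks, tickets


def run_cycle(assets, events, now):
    """One pass of the loop: remediation actions, access blocks, tickets."""
    blocks, tickets = evaluate_events(events)
    return {"actions": check_inventory(assets, now), "blocks": blocks, "tickets": tickets}


# Constructed sample inventory and event stream (hypothetical hosts and users).
NOW = datetime(2011, 3, 1, 9, 0, 0)
SAMPLE_ASSETS = [
    Asset("srv-01", parse_build("10.0.19045"), NOW - timedelta(hours=2)),   # compliant
    Asset("ws-02", parse_build("10.0.19041"), NOW - timedelta(hours=1)),    # old build
    Asset("mob-03", parse_build("10.0.19045"), NOW - timedelta(hours=48)),  # stale AV defs
]
SAMPLE_EVENTS = (
    [Event(NOW + timedelta(seconds=20 * i), "alice", "ws-02", "auth_fail") for i in range(6)]
    + [Event(NOW + timedelta(seconds=30), "bob", "srv-01", "auth_fail"),
       Event(NOW + timedelta(minutes=1), "bob", "srv-01", "auth_ok"),
       Event(NOW + timedelta(minutes=2), "", "mob-03", "ids_alert", "outbound beacon signature")]
)

if __name__ == "__main__":
    for key, value in run_cycle(SAMPLE_ASSETS, SAMPLE_EVENTS, NOW).items():
        print(key, value)
```

Two details matter in practice: build numbers are compared as integer tuples, because a string comparison would rank 10.0.9999 above 10.0.19045, and the failed-login rule uses a sliding window so that five failures spread across a day do not trigger what five failures in two minutes should.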

Indeed, Lovejoy's future outlook is vital. While she recommends we look to 2011, companies need to see where they are now, where they need to be, and from there, where they should be headed. In a fast-changing world, where technology and new systems spin in and spin out on what seems like a weekly basis, the look ahead may well be 2012.

This will require being “on the job” 24 hours a day, seven days a week. In the end, it will take more than a checklist to lock down the environment.
