Security Experts:

Managing Security of Evolving Technology

Like any business decision, make a plan on what new technology you are going to use, then support that plan with enabling security controls to put it into reality.

Evolution. In nature, plants and animals evolve or die. This is pretty much the way of the world. Yes, you get places like the Galapagos Islands where time stands still, and there are specific exceptions like the alligator which has not changed dramatically in about a bajillion years, but this is a good general rule.

The same is true for businesses. We evolve. We adapt to new demands, to new needs, to changes in culture, and to updated technology. Technology changes are now combining with culture to place some pretty strong demands on businesses.

1. Cloud Computing has suddenly become the biggest new business model, designed to allow companies to dynamically grow their support infrastructures and adapt more easily to changing business and market needs.

2. Social Media has become part of our lives, driven by younger generations as a potentially more effective means of communication that meets “immediate gratification” needs.

3. Mobile Devices are designed to provide more flexible support of required office and Internet-based services to a mobile staff.

10 years ago, if you walked into an RSA or other big security conference and told them that these three technologies would dominate the 2011/2012 world, they would probably have laughed you out of the session. Today, companies must figure out how to deal with these technologies: adapt or die.

The first problem is figuring out if, then how you are going to adopt the new technology. As cool as they sound, just migrating to a new technology without a plan is not a good answer. And, yes, unfortunately, part of that must be answering why.

A few years back, “outsourcing” was all the rage, and it seemed like everyone was outsourcing development work to India. I was working on the security side of a company with a sizable IT investment, and they jumped on the outsourcing bandwagon. They found an Indian company with a good reputation, signed a contract that would theoretically enable them to cut their development costs in half, and started moving or laying off internal staff. Their problem was that they did not know how to actually manage the outsourced resources. When they developed internally, their requirements and specifications were weak, but they had a strong enough culture of open communications that developers could pick the brains of their counterparts and get the work done on a reasonably timely basis. Now, they were sending the same quality of requirements and specifications to India. Language barriers and time zone differences plagued them constantly. Requirements and specifications were negotiated. Development was rejected. Project deadlines were missed. Change requests that had taken days suddenly took weeks. Their development costs actually rose.

Outsourcing is definitely an option, and can save money. In this particular case, for this particular company, it was the wrong decision. They had decided they “needed to” outsource to save money, without really figuring out what that meant to the company, or how they were actually going to successfully complete the process. If they had taken the time to see how they could best use their outsourced resources, then made sure that they had the capability and capacity to manage those resources, the process probably would have gone dramatically differently.

So, know why you are going to be using Social Media, Cloud Computing, or Mobile Devices. Build your business case, even if it is an informal one, but include enough details that you can set reasonable expectations on the level of service you will get in return for the cost of implementation and ongoing management of the technology. And, offering support of Social Media and/or Mobile Devices purely for the sake of improving the work experience is a perfectly valid reason, as long as you know that it is functionally impossible to quantify the “quality of life” issues.

All three of these technologies bring with them their own “security nightmare”. That is not to say that any of them is inherently insecure; it is more to point out that they most likely raise issues different from those your organization already faces in its own operational environment. You ultimately have two options for dealing with these security concerns, since I am just going to throw away the option to “ignore” security. You can mitigate/manage security issues, or you can insulate yourself from them with contracts and insurance.

In all of this, your consistent message should be not to let security “get in the way” of what you want to do. This is the same as for your normal business environment and needs. The entire purpose of security is to support your ability to do business in a secure manner. Security is an enabler, not a limiter. If security is a limiter, you are using it wrong/abusing it. The good news is that ultimately, the security controls related to these evolutions are not really all that new.

1. Identify your data. Identify what data you have, along with its real and relative value. Identify the systems and applications that support that data and provide access to it. (If you have not done so, do a Business Impact Analysis, Information Asset Inventory, or whatever you want to call it. Now please.) Identify your regulatory compliance requirements, based on the data.

2. Isolate your systems/data. This is really not so terribly complicated a concept. You segment your environments and otherwise take actions to isolate your data (and supporting systems) from threats. This can include everything from firewalls to physical air-gaps.

3. Encrypt your data.

4. Yes, write, approve, distribute, and maintain a concise yet accurate Information Security Policy.

5. Train your staff on your policy, proper data usage and protection, and procedures.

6. Maintain your technical environment. This includes all of your backups, preventive maintenance, anti-virus, anti-malware, continuity management and other technology driven controls that are designed to protect your environment.

7. Monitor your environment. Monitor your systems for security relevant events and potential issues, as well as for proper regulatory compliance.

Yes, this is a little bit of an oversimplification. But look at it from the point of the new technology:

1. The single biggest security issue related to cloud computing is the isolation/segmentation of your data from everyone else’s. How do you make sure that unauthorized people do not get access to your data and/or systems?

2. The single biggest security issue related to social media is the isolation of your private corporate data from the social media. How do you make sure that only approved information makes it to the social media you are using and that your truly private data stays truly private?

3. The single biggest security issue related to mobile device security is the retention of controls over your data and systems. How do you make sure that a lost or stolen device does not allow access by an unauthorized person to your private systems and data?

See a trend here?

Obviously, the exact circumstances are a little different in each case. The implementations of the security controls are not exactly the same, but the goal is.

1. When you use Cloud Computing, you rely on the cloud company to have security in place that guarantees the isolation of your data from all other clients. You help ensure that happens by doing due diligence on the capabilities of the cloud company, then by including those guarantees in any contract you sign.

2. When you use social media, you have two main mitigating controls. You define your classification and data handling policies, and then train your staff in the use and enforcement of those policies. You ensure that everyone knows what can be shared via social media and what cannot, and that if there is any question about what can be shared (or not), everyone knows what the approval process is. Then you have the option of supporting those policies procedurally, or by adding filtering or data loss prevention technology that can help control social media sites and content.
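To make the “data loss prevention technology” option above concrete, here is an added example (not code from the original article or from Solutionary) of the kind of outbound-content check a DLP filter applies to a social media post before it leaves the company: hard-block anything carrying a handling marking or a customer account number, and route mentions of unannounced project code names to the approval process the policy defines. The markings, the code names and the account-number format are constructed for illustration and are assumptions, not any real organization's policy.

```python
"""Added example: a minimal outbound-post DLP check for the social media
controls described above. All policy values below are constructed
assumptions, not a real organization's classification scheme."""
import re
from dataclasses import dataclass, field

# Assumed handling markings: anything carrying one of these never goes out.
RESTRICTED_MARKINGS = ("CONFIDENTIAL", "INTERNAL ONLY", "RESTRICTED")

# Assumed list of unannounced project code names (constructed).
PRIVATE_CODE_NAMES = {"project bluefin", "project hawksbill"}

# Constructed customer account number format: "AC-" followed by 8 digits.
ACCOUNT_NUMBER = re.compile(r"\bAC-\d{8}\b")


@dataclass
class Verdict:
    decision: str                      # "allow", "review" or "block"
    reasons: list = field(default_factory=list)


def check_outbound_post(text: str) -> Verdict:
    """Classify one outbound post against the assumed policy."""
    reasons = []

    # Handling markings are matched case-insensitively; a plain-English use
    # of "restricted" would also trip this, which is why real DLP products
    # pair keyword rules with a review queue rather than silent blocking.
    upper = text.upper()
    for marking in RESTRICTED_MARKINGS:
        if marking in upper:
            reasons.append(f"carries handling marking '{marking}'")

    if ACCOUNT_NUMBER.search(text):
        reasons.append("contains a customer account number")

    lower = text.lower()
    for name in sorted(PRIVATE_CODE_NAMES):
        if name in lower:
            reasons.append(f"mentions unannounced {name}")

    # Markings and account numbers are hard blocks; a code name alone goes
    # to the approval process the data handling policy defines.
    if any("marking" in r or "account" in r for r in reasons):
        return Verdict("block", reasons)
    if reasons:
        return Verdict("review", reasons)
    return Verdict("allow", reasons)


if __name__ == "__main__":
    # Constructed sample posts, one per expected decision.
    samples = [
        "Excited to announce our new office in Omaha!",
        "Sneak peek at Project Bluefin next week",
        "CONFIDENTIAL: customer AC-12345678 escalation, see ticket",
    ]
    for post in samples:
        verdict = check_outbound_post(post)
        print(f"{verdict.decision:6}  {post!r}  {verdict.reasons}")
```

The point of the three-way verdict is that the filter supports the policy rather than replacing it: the block list handles what the policy says can never be shared, and the review path hands the ambiguous cases to whoever the approval process names.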

3. When you use mobile devices, you have several mitigating controls. You have the same policy and procedural controls as before, but you are also including appropriate use of the mobile devices. You are also adding technology support for those devices. The most effective means of managing these devices is through the use of a central mobile device management system. This helps simplify the process of protecting the devices themselves, including any appropriate malware protection, backups, encryption, access control, device tracking and remote wiping.

In a nutshell, the process is simple. Like any other practical business decision, make a conscious plan on what new technology you are going to use, then support that plan with enabling security controls to turn that plan into reality.

Given the choice between adapt or die, I choose adapt.

Jon-Louis Heimerl is Director of Strategic Security for Omaha-based Solutionary, Inc., a provider of managed security solutions, compliance and security measurement, and security consulting services. Mr. Heimerl has over 25 years of experience in security and security programs, and his background includes everything from writing device drivers in assembler to running a world-wide network operation center for the US Government. Mr. Heimerl has also performed commercial consulting for a variety of industries, including many Fortune 500 clients. Mr. Heimerl's consulting experience includes security assessments, security awareness training, policy development, physical intrusion tests and social engineering exercises.