Shaking that false sense of (IT) security

Summary: Through better utilization of identity, system log, and real-time security event information, higher levels of IT security and regulatory compliance can be reached while related costs are cut, says Novell's Ben Goodman.

Commentary - Through better utilization of identity, system log, and real-time security event information, higher levels of IT security and regulatory compliance can be reached while related costs are cut.

For the past decade, organizations have invested millions in their security and compliance management programs. The unfortunate reality is that they've spent too much to get too little security or regulatory compliance. To this day, many still don't have the ability to ensure — and validate — that their systems are secure from breach and compliant with legal mandates. Why? Because many have thrown people and technology at these problems often in a tactical or ad-hoc manner, but have not tackled security and compliance as the systemic challenges they are.

The predicament so many find themselves in today is understandable because security vulnerabilities and attack vectors always change, as do regulations. In fact, many of our customers must remain compliant with a number of separate regulations that include HIPAA, Sarbanes-Oxley, various state data breach notification laws, the European Union Data Protection Directive, PCI DSS, and many others. And the costs associated with compliance are high and rising, because enterprises rely too heavily on disparate management frameworks and costly, duplicate manual efforts. Research firm AMR states that two-thirds of the budget for governance, risk, and compliance efforts is earmarked for people-related expenses, such as labor and services.

There are a number of reasons why it is so costly. Companies have too many ill-conceived and duplicate compliance controls. Their security data lies dormant in log files. And there's little, if any, synergy among all of the point security products they've deployed. The result? Teams of people running around the office manually updating clipboards and spreadsheets that are often out of date before the final audit report is even printed.

Also, regrettably, too many organizations equate this level of compliance with being "secure." The Verizon Business RISK Team's 2009 Data Breach Investigations Report, which evaluated 90 breaches that affected 285 million records, found that in an astounding 82 percent of those incidents, the data that could have pointed to the pending compromise was available, but not identified or acted upon.

To avert that unenviable position, mitigate or avoid breaches altogether, and cut the costs of attaining regulatory compliance, organizations need to find a way to improve, consolidate, and coalesce all of the people, processes, and technology already in place for these efforts.

That means putting in place the security and compliance policies that make sense for the organization, and then leveraging the technology — such as identity management, log management, and security information and event management — to automate security and policy compliance enforcement and validation. This doesn't mean deploying new security application after security application; it means establishing a program in which the right people and processes are in place for security and compliance, and that the technology is there to make certain that people and processes are operating within set policies.

Additionally, by mapping internal policies to the requirements of specific regulations, regulatory compliance efforts can be streamlined while reducing risk. An example could be the way that privileged accounts, such as administrative system accounts, are managed. How access to these accounts is managed could affect many different regulations, and an optimal approach would be to create a single privileged user account policy that is used throughout the company. This policy should meet, if not exceed, the requirements of every applicable regulation. Other examples include vulnerability, log, identity, and firewall change management policies. In all of these cases, it could be established that when the internal policy is tailored to the optimal security the organization needs, all regulatory burdens subsequently are met. This cuts costs — as well as the number of teams running around with clipboards and spreadsheets in hand — while increasing security and regulatory compliance.

Three classes of technologies are essential to have in place and working together, to ensure that security and regulatory compliance can be proactively managed in that way: identity and access management, log management, and security information and event management. Here's why:

  • Identity and access management, with access certification capabilities. Whether it's security, compliance, or just good management, knowing and controlling who has access to what is foundational. We often joke that if an employee stays at a company long enough, he or she eventually will be given access to everything. The more rights an employee is given, the harder it is to remove those rights when the employee leaves or changes responsibilities. This creates serious security weaknesses and regulatory compliance gaps. It is simple: excess application or system rights lead to excess organizational risk. That's why it's crucial that every organization understands who has access to what. Automated controls that adjust employee access as jobs and roles change, together with a certification process that continuously confirms those access levels are appropriate, ensure that employees have the correct access to applications and resources at all times.
  • Log management. All enterprises store a wealth of information about the activities occurring on their networks, platforms and applications. This includes security- and compliance-relevant data in application and database logs, identity and access management repositories, network device logs, and other systems. In fact, it's quite common for enterprises to store more information than they can manage. A compounding concern is that these logs are often stored and processed in "silos". This segregation of security data means that those analyzing the logs usually receive an incomplete view of the enterprise's true security posture.

    As the Data Breach Investigations Report showed, organizations have the data that could warn, if not avert, data breaches. They just can't cull and correlate the right information from these data stores in a meaningful way.

  • Actionable, real-time security event information. Through real-time identification and integration of security-related information and events across the enterprise, suspicious activities and events can be identified and mitigated immediately. These can include everything from unusual log-on attempts to malicious network activity. This capability is essential for security and compliance mandates. Using reports from a three-month-old compliance audit to verify security policy does not get the job done. This is the equivalent of documenting that the barn door was left open 90 days after the cows escaped. Real-time analysis allows us to close the barn door before the livestock exit. That is what any good IT security program should have as its goal.
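The three capabilities above working together, as an added example that is not code from the article or from any Novell product: a small Python correlator that reads two log silos with different formats (a VPN authentication log and a database access log), normalises them into one event stream, and checks each event as it arrives against an identity store. The directory, the role-to-entitlement map and every log line are constructed for the demo. Read alone, neither silo looks alarming; joined with identity data, the same lines reveal a sales user reading a database outside his role, and a terminated DBA account brute-forced through the VPN and then used to export customer data.

```python
# Added example: correlate identity data with events from two log silos.
# Not code from the article or Novell; all data below is constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed identity store: who exists, their role, and HR status.
# ENTITLEMENTS is what an access certification reviews: the resources
# each role is supposed to reach.
DIRECTORY = {
    "alice": {"role": "dba", "status": "active"},
    "bob": {"role": "sales", "status": "active"},
    "carol": {"role": "dba", "status": "terminated"},
}
ENTITLEMENTS = {"dba": {"vpn", "db:customers"}, "sales": {"vpn", "crm"}}

# Two silos, each with its own (constructed) line format.
VPN_RE = re.compile(r"^(\S+ \S+) vpn: user=(\w+) result=(ok|fail)$")
DB_RE = re.compile(r"^(\S+ \S+) db: user=(\w+) object=(\S+) action=(\w+)$")


def parse_event(line):
    """Normalise one raw line from either silo into a common event dict."""
    m = VPN_RE.match(line)
    if m:
        ts, user, result = m.groups()
        return {"ts": datetime.fromisoformat(ts), "src": "vpn", "user": user,
                "resource": "vpn", "ok": result == "ok"}
    m = DB_RE.match(line)
    if m:
        ts, user, obj, action = m.groups()
        return {"ts": datetime.fromisoformat(ts), "src": "db", "user": user,
                "resource": "db:" + obj, "ok": True, "action": action}
    return None  # unknown format; in production, count and alert on these too


class Correlator:
    """Rules evaluated per event as it arrives, not from a quarterly report."""

    def __init__(self, fail_threshold=3, window=timedelta(minutes=5)):
        self.fail_threshold = fail_threshold
        self.window = window
        self.failures = defaultdict(deque)  # user -> recent failure times

    def check(self, ev):
        alerts = []
        ident = DIRECTORY.get(ev["user"])
        if ident is None:
            return [("UNKNOWN_ACCOUNT", ev["user"], ev["resource"])]
        # Identity + log: a deprovisioning gap shows up as a successful
        # action by an account HR says should no longer exist.
        if ident["status"] != "active" and ev["ok"]:
            alerts.append(("TERMINATED_ACCOUNT_USED", ev["user"], ev["resource"]))
        # Identity + log: access outside the role's certified entitlements.
        if ev["ok"] and ev["resource"] not in ENTITLEMENTS[ident["role"]]:
            alerts.append(("ACCESS_OUTSIDE_ROLE", ev["user"], ev["resource"]))
        # Log only: repeated failures followed by a success inside the window.
        if ev["src"] == "vpn":
            q = self.failures[ev["user"]]
            while q and ev["ts"] - q[0] > self.window:
                q.popleft()
            if not ev["ok"]:
                q.append(ev["ts"])
            elif len(q) >= self.fail_threshold:
                alerts.append(("BRUTE_FORCE_THEN_SUCCESS", ev["user"], len(q)))
                q.clear()
        return alerts


def run(lines):
    """Merge the silos by timestamp and stream them through the rules."""
    events = sorted((e for e in map(parse_event, lines) if e),
                    key=lambda e: e["ts"])
    corr, alerts = Correlator(), []
    for ev in events:
        alerts.extend(corr.check(ev))
    return alerts


# Constructed sample lines from both silos.
SAMPLE = [
    "2009-05-01 09:00:00 vpn: user=alice result=ok",
    "2009-05-01 09:01:00 db: user=alice object=customers action=select",
    "2009-05-01 09:05:00 vpn: user=bob result=ok",
    "2009-05-01 09:06:00 db: user=bob object=customers action=select",
    "2009-05-01 22:00:00 vpn: user=carol result=fail",
    "2009-05-01 22:00:30 vpn: user=carol result=fail",
    "2009-05-01 22:01:00 vpn: user=carol result=fail",
    "2009-05-01 22:01:30 vpn: user=carol result=ok",
    "2009-05-01 22:02:00 db: user=carol object=customers action=export",
]

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert)
```

The point of the design is that none of the rules is exotic; what makes them work is having the HR status and the role entitlements next to the log data at the moment the event arrives, so the alert fires at 22:01:30, not in the next audit cycle. In practice the directory lookups would go against the IAM system rather than a dict, and the rule set would be far larger, but the shape is the same.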

Leveraging identity, system logs, and real-time security information in this way makes it much easier to discover when systems fall out of policy compliance and set them right before there's an audit finding or, even more damaging, a data breach. It also makes it possible to execute an overall risk governance program successfully. In addition to increasing security and compliance, these efforts will cut costs. By correlating all of this information, duplicate processes can be eliminated and ineffective processes improved. It also becomes possible to document adherence to security and policy compliance better, and thus streamline the audit process and cut additional costs. This allows an organization to address the regulations and security threats of today while providing an infrastructure to prepare for the compliance needs and risks of tomorrow. In short, organizations will be able to achieve what they need: fewer people running around with clipboards and an improved, more cost-effective path to sustainable security and compliance.

Ben Goodman is marketing solutions manager of Compliance Management at Novell.

  • They Need Responsible Employees

    Not people that take home the customer database on their laptop so they can lounge at the pool in their apartment complex and look like they're working while they surf the net. That's IF the laptop makes it home from the drive from work to the apartment, when Joe stops off to buy his beers and leaves the laptop on the seat of his unlocked car. Yea - this is one generalization of what happens but it IS what happens and no matter how many millions are spent on securing the network - it only takes one bozo to take the entire system down, compromise the security of the entire system and leak important data out the door.
    • "Woah there, this is not my fault"

      I read this and thought it was a great article, but also thought like everyone else, "Woah there, this is not my fault". I think these posts respond with exactly that sort of opinion. I mean this is so on the mark. But we all know the first thing managers will do is pressure the CIOs when things don't work, they in turn blame the technicians, and the technicians blame the end users. The end users blame the software, so the managers buy different software. Then the CIOs have to figure out how to support it. The techs get blamed when it fails, and the cycle repeats itself.

      So, if that's the point, who cares? We all know this won't be fixed with technology until the people are completely replaced. IT is no different than any other department. Most companies will not fire the 60 year old about to retire because he can't use a computer or spreadsheet. When IT staff become outdated, they are moved into management or given assistants, not usually let go. Managers could also use good products if they wanted to but will always want to use the Windows firewalls, the personal AV packages, and mail clients that come with every PC then streamline and rely more on the central appliances they installed to do the job in the first place.

      Companies would have to have a global, long term view of technology, people that could see the big picture, a lot of cash up front, and not just be trying to survive another day. People would have to never act in a manner that preserved themselves over the company. It's stupid, it's socialistic, and the reality is that I've rarely met a manager with that kind of energy, resources, or intelligence nor an IT person willing to admit when they can no longer do the job. If that is the case, what can you really do but wallow in your own inefficiency?
  • IT Security is a joke played on the ignorant

    Yes yes yes.. you do need some IT security.. and yes there are laws and regulations.. humorously written by people who for the most part don't know or understand security. Fact of the matter is, if security means keeping your server, PC, or data safe, there is no absolute way to do it even with the most cutting edge technology or people. All we do is make it harder and when someone applies enough resources, they can and do get in. It is the nature of the beast and the cruel joke we call "security".
  • RE: Shaking that false sense of (IT) security


    I think you are exactly right. But let's be clear: this is an issue that needs to be addressed from the top down. The policies you speak of need to be adopted at the highest levels so funding can be granted and enforcement can have a foundation. So this message is not targeted as much to the in-the-trench folks as it is to C-level folks: get serious about information security, and it'll reap financial rewards.
    Curtis Spears