Tuesday, December 30, 2008

2009 Security: Kevin's Crystal Ball

We've seen a lot of movement in information security trends in the past year, not all of it good. Particularly disturbing is the notion that good security policy is in many cases an output of these trends, rather than an input that sets into motion tactical responses designed to implement your overall security strategy.

Put more simply, don't run your security program like some companies run their IT projects, where someone falls in love with a technology or gadget, then tries to wedge it into their infrastructure without much regard for the business problem they're trying to solve.

There are risks in this world, and you can't anticipate or prepare for them all. The sooner you acknowledge that, the better off you'll be. Corporate information risk and control is a dynamic environment, and you need to be agile in your security posture to ensure it adjusts not only to the changing threat landscape, but to your firm's developing business needs.

Which brings us back to some key things to consider as we move into a new year.

Security policies - it's time for a review to ensure that your policies for data privacy and protection are clearly articulated, meet overall business requirements, and are adequate in the face of both a rapidly changing business/financial environment and shifting regulatory landscape.

Security processes - have you successfully deployed solutions that implement your policies? Do you have the right people, in the right roles, employing the right technology in a standard, repeatable manner? Let's not forget the accepted definition of a process - it's standard and repeatable.

Audit trails - are you collecting the right data for audit purposes, and can you demonstrate a clear, defined audit trail for external examiners, regulators, and third-party assessment teams? Do you keep your security teams honest by having their work evaluated from the outside, and can you demonstrate compliance with good security practices like separation of duties, span of control, and job rotation?

Prevention - do we go beyond detective controls, where we learn after the fact that something is wrong, to employ preventive measures such as access controls, encryption, digital signing, IDS, IPS, and so on? A layered security posture not only makes it more difficult for the black hats to compromise your data, it also increases the probability that one or more of your early warning systems will alert you to an attack in progress. You can then kick in your robust incident response team process. You do have one of those, don't you?

So what do I see on the horizon? Here are the top 5 things that will make noise in 2009.

  1. Endpoint security - we've spent so much time, effort, and money trying to secure our knowledge repositories, data warehouses, server farms, and storage environments that we've begun to overlook what happens when this data is pulled to a client system where it's processed, analyzed, and otherwise at risk. I'm not talking just about the evolution of antivirus, antispyware, and personal firewalls here. Data control elements need to be part of that equation - what's happening to the information, how is it being used, and where is it going? Are you spending millions to harden your data centers only to have your sensitive information breached on a desktop, laptop, or handheld device, or is it being passed out via email, FTP, SSH tunnels, and so on?
  2. Secure virtualization - with a strong move to Virtual Desktop Instances (VDI) and server OS virtualization, we need better ways to lock down these emerging environments. In many cases, legacy approaches to solutions like role-based access controls, identity and access management, network-layer security, and state monitoring leave significant gaps when operated in a virtual world.
  3. Secure software - when are software vendors going to begin to be held accountable for selling us insecure software offerings? Probably not in 2009 - but that doesn't mean the push can't start. Think of how much less security you'd have to implement if operating systems and applications were hardened out of the box, and you weren't continuously running on the treadmill of vulnerability identification, patching, and repeating. How many times have you taken a secure box, loaded an app, and found huge security holes had opened, or you had to dial down your security settings in order to get the app to work correctly? Let's keep pushing software vendors to do the right thing, but while we're at it, let's ensure we're building robust security parameters into our internal software development lifecycle. The best-executed security program can easily be short-circuited by a crappy web app or user-developed tool. Run your internally generated code through a rigorous application security assessment and pen test program, one that's separate and distinct from the app dev groups.
  4. Information lifecycle approach - think of your firm's information in the same manner that the Secret Service thinks of executive protection. Information is the target, so how do we protect the target at all times, from when the information is first created, through its use and transmission, following it through storage and eventually to destruction? What are the threats that exist at every phase, and what controls are in place at every single step to mitigate those threats? How effective are the controls, and are they constantly tested and revised in the face of new and emerging vectors? How do you substantiate your controls' effectiveness?
  5. The business of security - how integrated is your information systems risk and control program with the overall business plan and strategy? Do you know what's on the horizon, and is your security infrastructure ready to support it? The cost of implementing a new business strategy can be staggering, and having it fail due to a security breach or incompatible security architecture is simply unacceptable. As a security professional, it's your responsibility to understand the business drivers and to present effective control solutions that protect the firm's information and systems while allowing the business to grow and prosper. If you don't understand the business roadmap, there's no way your technology path will succeed.

Leveraging the Internet has completely changed business, and security with it. No longer is a network viewed as a medieval castle, with tall strong walls, surrounded by a deep moat, with the good guys on the inside of the castle and the bad guys on the outside.

Walls don't exist in cyberspace. There are only barriers, and everyone knows there are ways around them. It's time to get away from the fortress mentality when it comes to security. Today, some of the bad guys are on the inside, and a lot of the good guys are on the outside, needing in to be able to do their jobs.

If you're dedicated to prevention - the fortress - you'll soon learn there's no such thing as Camelot. It's such a silly place. Make sure you're spending a big chunk of your time on detection and response, too. 

Happy 2009!
