As 2014 unfolds, leading CTOs are sharing their vision for the New Year. A common thread in all these write-ups is regarding Information Security compliance. As the world of Information Technology innovates to transform human lives, threats surrounding the misuse of this infrastructure has become a major action item for those governing these information assets.
Around 2005, we saw IT usage patterns exponentially rise due to people using the internet for banking, shopping and other financial transactions. We also saw the arrival of social networking which hit the scene as a major digital force. Today, users are moving from wired infrastructure to wireless; from big desktop PCs to small mobile devices and tablets for their day to day needs. These IT innovations and many others have changed the technology landscape. Along with all these wonderful assets, technology also attracts unwanted identity theft, financial fraud, lawsuits, data compromise, regulatory fines, and IP theft. Security breaches have plagued the corporate world as of late, putting their reputation at stake. Case in point, Target estimates (security) breach affected up to 110 million customers.
One tends to ponder on the accurate strategy for information security which will ensure confidentiality and integrity of information is not intentionally or unintentionally compromised. Although there are several articles on internet and solution models to address these concerns, there is no silver bullet to prevent these threats. Each organization needs to formalize its own strategy as per its current and historical risks which will also meet the necessary regulatory and compliance requirements.
A review of security models implemented in different corporations reveal that apart from budget the information security decisions of CTOs have been influenced by three broad factors:
1. Opportunities for Improvement
As the years are progressing, the volume of data is increasing. Attacks and threats are becoming more sophisticated.
The traditional approach was mostly reactive in nature (i.e. when the incident would take place, the appropriate controls will be applied). Organizations should take a proactive approach where the technology environment eliminates the possibility of an incident. Imagine building an application which has inbuilt security rather than applying a separate software to protect the application. On similar lines, I can think of couple of good examples which I observed during my internal audits at BitWise. The most important of them was MAC binding of devices on the network. This eliminates the possibility of an unknown or a rogue device to get connected with the network.
Another solution applied to many clients of BitWise is a combination of solutions which has significantly eliminated the risks related to malicious activity by users. The desktop solution to users is a combination of zero compute thin client and virtualization. This solution has ensured that all compliance requirements of BFSI clients are met. The beauty of this is that there is no possibility of any manual oversights in the policies and no malicious activity is possible at user end. Apart from security this solution has also reduced the cost on electricity bills by 60%
These proactive approaches ensure that the information security team focusses not only on known risks but also on the unknown risks. Another advantage of these proactive approach is that it significantly decreases internal audit costs as the scope is limited and centralized. Adapting to solutions like preventing data leakage and virtualization are efforts towards this direction. The advent of Big Data will play a significant role in this approach as analysis of information security data will help organizations understand the hidden vulnerabilities and addressing them in timely fashion.
2. Vision for the Future
Cost plays a vital role in information security solutions. Surveys allude to the fact that there is always a gap between the current level of information security and the necessary level of information security. This gap will depend how closely information security goals are aligned with business goals.
New digital forces like social networking and wireless devices are business priorities for most organizations. The vulnerabilities and risks associated with these forces are best handled when security teams are involved at the conceptualization stage of these initiatives. This way the team is provided a sufficient window to include these risks in their existing plans; working with infrastructure teams to create a roadmap which will set the foundation for safe implementation of these modern day concepts. Rather than a onetime investment in security of these apps and tools, the cost is spread across many years and often are “piggy backed” on to other capital investments.
Hardware refresh or upgrade is a very common practice for an IT organization and the decision for the new hardware dictates the future of the environment for at least the next 3-4 years until the next refresh takes place. This standard practice by itself is a good example of how information security can be included in decision making and future planning. By drawing up the business vision along with Information security team the associated risks from the envisioned environment can be included in the process of decision making while working with infrastructure team during hardware refresh policies. The same applies for physical security where business goals like new facilities, data centers can be included while deciding capacity of new equipment.
3. Innovativeness in the Security Model
With social networking sites and blogs, enough personal and corporate information is moving to the internet to act as fodder for the cyber criminals. Standard security features with standard options are implemented to reduce the associated risks. This at times can be the weak link in the cat and mouse race with the bad guys who often tend to observe and exploit vulnerabilities. An organization can allocate certain efforts for security in its innovation center which will allow a certain degree of uniqueness in the security setup of the organization. It could be a simple training or a tweak in the process which will make things more efficient.
For example, while dealing with a unique compliance requirement from a client who did not want RSA tokens to move outside BitWise premises there was a lengthy workflow associated to keep a track of a single key. The innovation center suggested attaching a wooden block to each RSA stub and label it. The size of the block was in itself a discouragement for people to carry the RSA token with them. Moreover even if they carry it outside the floor area, there were CCTV cameras can clearly capture the event.
In another training initiative the information security team conducted an event on security incidents where users of social networking sites were impacted. This resulted in wide acceptance of locking down these sites on certain sensitive terminals. The effect was so prominent that security team received responses coming back from employees on terminals where these sites were not blocked and were missed.
A proactive approach towards information security with a vision for future will ensure that an organization is capable of meeting the security requirements associated with emerging and future technologies. A breach in security can cause the reputation of the entire company to be at stake. Small innovations can go a long way in making security processes effective and streamlined. BitWise provides innovative solutions to clients in meeting their information security compliance requirements. The solutions are tailored to ensure clients information assets are secured in the Bitwise environment.