
Safe as houses

01 Oct 10

Leading computer security expert Gene Spafford once said: "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards." This happens to be increasingly relevant. More businesses are connecting to internal networks, and the need to secure both software and hardware has not just become more important than ever, it has also become harder.

New security concerns come hand in hand with the rise of the cloud. There is trepidation over cloud delivery models, and it is still unclear where data is stored and transacted once it is "up there". Vern Hue, IDC security analyst, believes that with time, security concerns around the cloud will ease. "With strong SLAs and reassurance from cloud service providers, this will help to gain more trust," he says.

Hue goes on to say that we should all be sitting up and taking notice of biometrics, an important but still-emerging trend in the ANZ region. "The increased level of sophisticated attacks on both corporate and individuals' identity, in the form of theft, has been a major and growing concern and, as a result, organisations are considering biometrics as another layer and means of protection."

Banks have begun using voice biometrics recognition software, and fingerprinting and imaging submission for electronic visa applications is also being implemented in high-risk countries. However, this security concept is still in the early stages. It will be interesting to watch how quickly it is adopted by more mainstream organisations over the next few years.

For such an important ongoing issue, security was placed at just eighth on the 2009 CIO agenda and ninth on the 2010 agenda.

Gartner Research Director for Security and Infrastructure, Rob McMillan, suggests that this doesn't mean security is any less important now than it has been in the last few years. "Security is pervasive and interweaves with a lot of other things in a business. It's not the kind of thing that goes away; you can guarantee it's on people's minds," he told IT Brief.

Backing this up, Frost & Sullivan recently reported that the use of email filtering services and web security services is growing significantly. The emergence of Web 2.0 technologies and the importance of the web in business processes mean that enterprises need to place more of an emphasis on securing web fronts beyond traditional methods, such as URL filters.

Gartner is predicting that by 2014 over 50% of enterprises will have some form of data leakage protection (DLP) capability. The need to comply with corporate, industry and government regulations is the main motivation for enterprises employing DLP policies, although protecting intellectual property and other sensitive information is also a contributing factor.

There are two types of DLP solution you should take note of: enterprise offerings and channel offerings. Enterprise offerings attempt to address all DLP deployment scenarios, while channel offerings form part of existing security products, such as e-mail and web gateways.

Global 2000 enterprises will find enterprise offerings appealing as they usually have larger DLP requirements along with the resources to manage large-scale deployments. Channel solutions are enough to meet compliance requirements, especially when they are linked with encryption solutions, making this the DLP capability that most businesses will adopt.

Before choosing a solution you need to carefully assess your DLP needs. Gartner points out that when evaluating e-mail security, endpoint security and secure web gateway solutions, enterprises "should consider DLP functionality and integrated encryption capabilities that will meet their near-term DLP requirements' key selection criteria".

One of the biggest developments when it comes to your organisation's security is the merging of business and personal devices. It's clear that boundaries are becoming increasingly blurred, with many employees using personal devices at work as well as at home.

Security guru, Bruce Schneier, says more and more companies are allowing employees to buy whichever laptop they want and connect to the corporate network, or use personal phones or portable email devices, creating a completely overwhelming security issue.

"Security is hard enough when you have control of the hardware, operating system and software. Lose control of any of those things, and the difficulty goes through the roof," he states on his blog.

"How do you ensure that the employee devices are secure, and have up-to-date security patches? How do you control what goes on them? How do you deal with the tech support issues when they fail? How do you even begin to manage this logistical nightmare? Better to dig your heels in and say 'no'."

Losing control of where your data might be ending up, or having information compromised, is an unpleasant thought for any CIO. "Organisations need to have technical and administrative controls in place," says McMillan. "It is a question of the duty of care."

McMillan suggests that the best way to protect your devices, servers and gateways is to "maintain, maintain, maintain", emphasising that it is best not to underestimate tried-and-tested techniques, such as high-quality maintenance.

"You need to teach people what good user habits are. The main thing is keeping your machines well maintained and keeping your attack target systems small. Anywhere that there might be gaps, you need to protect as well as possible, whether it be through antivirus, point control or something similar."

Linked to this is the use of mobile devices. Whether it's a notebook, smartphone or PDA, mobile devices are playing a very dominant role in business processes. Loss or theft of data on these devices is one of the largest and most publicly damaging data exposure risks that a company can face. Gartner has reported that enterprises are finally waking up to the fact that security measures need to be implemented on smaller devices as well as PCs; however, security policy enforcement on these devices is still quite low.

The laws that are coming into play, and the harsh penalties that go along with them, mean that data protection should be one of the first investments made on a mobile platform. Remember to include data protection for the standard image, administration and maintenance for all mobile devices. In the long term, the initial cost of setup far outweighs the cost of embarrassment, lost data and lost business deals and reputation.

Think about this: a company that wants to become more data-driven in its decision making should invest in mobile data protection, data leakage protection and device control technologies that minimise the chances of leaking any critical information.

Investments are now being made into security technologies that are aimed at better controlling and minimising risks, and with the social and technological changes occurring around us, we are demanding more control over our IT products and services, such as security. The reality is organisations want technology solutions that are going to give them the competitive edge, and it is the organisation’s strategy to achieve this that is a driving force behind how IT resources are allocated.
