Security
FEATURE
2003 Survivor's Guide to Security

  December 15, 2002
  By Mike Fratto


Consider stalled IT budgets and a lingering feeling of insecurity a mandate to get a handle on new security technologies and products in 2003. Of course, with vendors bombarding you with an ever-widening range of gee-whiz security gizmos, that's easier said than done.

The first step: Identify what you need to protect, from physical assets to digital data. Then consider how your applications function, what access these applications and your users need, and who will be using the information.

You're probably thinking, "Easy for you to say." Out there in the trenches, after you finish configuring your firewall, deploying your VPN, monitoring your IDS, updating your virus scanners, examining your logs, getting current on the latest vulnerabilities, keeping up with the endless stream of patches and putting out fires, there's precious little time to fine-tune your security architecture.


The Solution: Know when to delegate. Many day-to-day tasks can be outsourced to an MSSP (managed security service provider), provided you do your homework and ensure the MSSP can offer 24x7 management and monitoring. Installing and configuring firewalls and deploying VPNs, for example, are prime candidates for outsourcing. As long as you have a view into the provider's configuration to ensure changes are made properly, you can safely shed some of your workload.

By outsourcing, you'll not only free up time to focus on more important security issues but also gain additional benefits. Unless you're Superman, you can't do it all, nor can you be an expert in everything. Reputable outsourcing firms that focus on security can bring to bear some of the best talent and technology in the industry. Furthermore, multinational MSSPs, such as Symantec Real Time Managed Security Services (formerly Riptech) and Internet Security Systems, can detect new attacks early because of their broad view of traffic.

Although technology advances are valuable, without a road map you'll be deploying security products higgledy-piggledy. Security documents, like standards and acceptable-use policies, serve several functions critical to the management of your business. We know many of you have developed security policies and we know many of those security policies are gathering dust. And while there has been an increase in spending, the percentage of security dollars in most IT budgets remains relatively small, largely because security is seen as a cost. To argue for an increase in your budget, you must make it known that security functions support the business plan. That means keeping your security policy current and showing how it will support all other facets of your company's strategy.

Take a Risk

A key driver for increased security spending is risk management, which tries to mitigate overall risk, defined as "the probability that an organization will lose assets during a successful attack." Risk management entails a few tasks: First, determine the criticality of your assets. If a system is unavailable or if data is stolen, what will be the overall impact to the organization? Next, perform a risk assessment, examining your systems and operation policies to determine the likelihood of a successful attack. Then, define policies, implement procedures and deploy products to mitigate the risks you've discovered. By showing how you can protect business assets from loss, and what the potential loss could be, you will have a justification for increasing security spending.

Furthermore, your security policy may be used by external auditors to ensure that your business processes are run in a secure manner. Just as a financial audit examines profit, loss and the accounting methods used to calculate profit and loss, a security policy tells auditors what processes are in place and how your organization protects information assets. Regulations such as GLBA and HIPAA have privacy and protection requirements.

