
ISNow – Enterprise Security

The following introduction was originally published in the BCS Information Security Now Magazine, Spring 2008 issue (Volume 2, Issue 3), which was on the topic of Enterprise Security:

“I feel that to be effective enterprise security needs to have a broad focus; moving beyond a rigid infrastructure and network boundaries to take on a much more holistic view, encompassing how employees actually interact with and use corporate information and resources. No longer should it be limited to company controlled hardware and applications, with its perennial issues of configuration and patch management, access control, onsite support contracts, perimeter and desktop security, in-house application development, but go even wider.

The brave new world has already brought us deperimeterisation, the erosion or blurring of network edges; off-shoring and outsourcing, with control being less direct and more reliant on third party contracts; VoIP, removing boundaries as voice and data merge; virtualisation, bringing issues of properly designing resilience and security into a more logical architecture; online services, such as software as a service (SaaS) and web 2.0, commercially attractive but how do you ensure that your data is protected and available when you want it?

Recent incidents of large-scale information leakage are partly a result of the move towards everything being digital, but without the associated changes needed to staff education and data controls. Increasing use of the social web, instant messaging, online games, messaging boards, blogs, photo sites et al means that users – your staff – expect ready, user controlled, transfer and publishing of information. Businesses need to account for this when those same users are handling your information and data. Shouldn’t this also form part of what we call enterprise security?”

A PDF version of the magazine is available online at:

http://www.bcs.org/upload/pdf/isnow-spring08.pdf

ISNow – Enterprise Security

The following introduction was originally published in the BCS Information Security Now Magazine, Autumn 2006 issue (Volume 1, Issue 1), which was on the topic of Enterprise Security:

Enterprise security
“The main topic of this issue has nothing to do with a star ship, but nonetheless is about a voyage of discovery into the new and unknown. As businesses become more interconnected and mobile, network boundaries erode, providing more ways for attackers to compromise them. Enterprises need to find new ways of understanding, and coping with, this brave new world.

Businesses are now often wholly reliant on electronic processing of information for their existence and financial well-being. It is more critical than ever for enterprises to take the necessary measures to ensure information remains private, accurate and available at the point of need.

This information is now distributed among known critical business systems, other systems, the (often mobile) workforce and third (and fourth) parties. Ensuring appropriate contractual, procedural and technical controls are in, and remain in, place is a skill that all enterprises need to master.

We face a growing and changing landscape of exposure to vulnerabilities which attackers are more eager than ever to exploit, often before there is a direct mitigation. Financial gain is a great motivator – maybe defenders should learn this lesson as well as the attackers.

The enterprise has to realize that the demilitarized zone (DMZ) has been occupied and the concept of a trusted network needs consigning to the history books. Every system must be able to defend itself from its neighbour, because it will often be impossible to identify friend or foe.

Innovate – don’t legislate
Over recent years, there has been an increase in legislation and regulation, both national and international, affecting businesses. The coverage has been broad and shows no sign of abating. Technology is no fix in itself and poorly drafted and misapplied rules do little to help, and often hinder.

As we see increased demands for data privacy, protection, interception, retention, breach notifications and computer misuse, some governments are working around their own rules to access or share information in a way that might be incompatible with legal and official procedures.

No one should have the moral or legal authority to both enforce the law and evade it. The spirit is equally, if not more, important than the letter of the law, and governments should remember this when requiring the rest of us to operate within it.

We should engage more in consultations and lobbying related to forthcoming legislation and regulations that may affect us. If bad ideas or drafting reach the statute book, unintended consequences may well impact on us in a way that damages our ability to be effective businesses, and countries.”

A PDF version of the magazine is available online at:

http://www.bcs.org/upload/pdf/isNOW_autumn2006.pdf