Friday, August 26, 2011

Security Controls and Lessons Learned from the Financial Crisis


Security Controls and Lessons Learned from the Financial Crisis (IBM)

Bryan Casey |  Today 10:43 PM | Tags:  financial mortgage security ibm crisis
You know one of the interesting things I've noticed, and it's not really specific to security, is that the more interconnected the world becomes, the harder it is to find the root cause when something goes wrong.  If we look at the financial/mortgage crisis for example, if you wanted to point the finger at one person or event, could you do it?  I've wanted to for a long time, tracing this chain back to some single point of failure, but it's really not possible.  When something like this happens, where there isn't one root cause, accountability becomes a big mess because everyone can push the problem onto someone else.  The problem is that if everyone pushes around problems, problems never get solved.  So, the way that we need to look at it is that instead of there being limited accountability, there needs to be a lot of accountability. 





This type of complex interconnected failure isn't so different from what we see in the news around data breaches.  People want security to be simpler and they want to find that single point of failure, and sometimes it's there, but oftentimes, it's really not.  Our technology world has grown to become a complex system of systems where legacy systems are communicating with new systems, the notion of a perimeter is dissolving, new consumption and delivery models are popping up all the time and we have to secure all of this.



Let's face it, the majority of attacks today don’t operate in little silos.  They can cross users and endpoints, applications, networks, databases, etc.  So despite the fact that you might have different teams responsible for all of these areas of your system, and you might see them as separate, attackers see this as one, connected system.  As a result, when breaches happen, it is often a combination of insufficient security controls, problematic policy and even things like a lack of user education. When we live in a world of complex and networked technologies, the notion of a single point of failure is disappearing.



So what do we do about this?  Obviously a layered defense is imperative.  You need to think about your data, how it moves, where it rests, how it gets accessed, which data is most important and how you can apply security controls all along the way.  Moving away from just the technology, one of the other things that people talk about is accounting for the human element in security.  When people are talking about this they are generally referring to the fact that users will click on just about anything, so security has to acknowledge that users are going to constantly put their organizations at risk.  But there's another side of that human element that I think is important, and that is establishing a culture in your organization that security needs to be top of mind, and that everyone is responsible.  Whether you are a developer, a DBA, an executive who might be targeted or an IT manager, security is something you need to consider.  Yes, new technologies will help, but changing culture and process, while never easy, is almost always an essential element of dealing with systemic issues, whether they be financial markets or security concerns. 




The last bit worth acknowledging is the danger of ignoring something that appears broken because it hasn’t actually broken yet.  So in this case we’re talking about warning signs around the economy while the market is still going up, and IT decision makers saying, "well we haven’t been breached, so we must be secure," regardless of their actual security posture.



Despite what we would all like, these aren’t issues you can just sweep under the rug and cross your fingers hoping that a problem won’t pop up.  Organizations need to confront these issues. 

1 comment:

Anonymous said...

It's nice to read a useful article for a beginner like me. Some of the points from this article are very helpful for me as I haven’t considered them yet. I would like to say thank you for sharing this cool article. Bookmarked and sharing with friends.