Moving Towards Proactive and Holistic Security
Last week, I attended ArcSight’s Protect 10 User Conference, and just like last year, it was an exciting and informative event. Without a doubt, HP’s acquisition of ArcSight brought more excitement to this event this year.
Throughout the conference, a consistent theme emerged, which seems reflective of the IT security world nowadays: “a new approach is needed”. Not really new news.
During the initial keynote at Protect 10, ArcSight’s CEO Tom Reilly was joined by HP’s Bill Veghte. What stuck with me from Bill Veghte’s speech were his statements that this new IT Security model needs to be proactive and holistic. He must feel very strongly about this paradigm shift to have justified a $1.5B price tag for ArcSight just over 5 months into his job at HP.
Over the last few days, I have been digesting and internalizing this notion, particularly from an Identity and Access Management (IAM) perspective. Evidently, I concur with this view, but I would like to explain my viewpoint.
Context: Are we Doomed?
If you have been hearing about the impact, focus and sophistication of new attacks, and the term “Cyberwarfare”, then you would be very concerned to see how increasingly real the threats and damages are, and how vulnerable we are. Some good examples are the Aurora vulnerability, which severely impacted Google and other companies in February 2010, and more recently the Stuxnet malware, whose sophistication level and precise focus on industrial plants as targets have earned it the nickname of “cyber super weapon”. “Malware Exposed” provides a good reference on how modern malware works, and how today’s security tools and mechanisms are quickly becoming obsolete and ineffective.
During Protect 10, I attended a keynote panel on “global Cybercrime”, featuring Joseph Menn, Author of “Fatal System Error”, along with Barrett Lyon, CEO of 3Crowd Technologies, and Andy Crocker, former Investigator, UK National Hi-Tech Crime Unit. This engaging session discussed specific attacks against banks and the ATM network in graphic detail, both from a technical perspective and, more interestingly, from a business and jurisdictional standpoint. It was really fascinating to see how cybercrime transcends the technical world into cross-border and national sovereignty matters.
So it should come as no surprise that after this dose of cyber doom, one feels more concerned and worried about the future, and the risks that a more vulnerable and interconnected society brings with it. With all the great things the Internet has brought us, it seems like we are now awakening to the extent and severity of its undesirable by-products.
So, does this mean that we are all doomed then to just accept these risks? Is it possible we just won’t be able to prevent great losses from happening? Should we accept this as the price of global interconnectivity?
There is Hope: Think Risk Awareness and Convergence
One approach towards a better model is where organizations create a strong baseline, leveraging traditional security controls. This mitigates some risks, but to effectively protect from more sophisticated attacks, the organization must complement this baseline with a more modern solution.
But how much does it cost? And for organizations struggling to answer basic questions such as “who has access to what?” and “is this the level of access that this person should have?” – how can this model be achieved?
I view the shift towards proactive and holistic security as the combination of risk awareness and convergence of security tools.
In the end, information security is about risk mitigation. The effectiveness of the security strategy will be predicated on whether the risks have been properly identified and assessed, and how well their potential impact is being mitigated. This way, the organization can determine the strength of each security control it requires.
Risk awareness helps with the “proactive” part of the new security paradigm shift. And while feasible, this is easier said than done of course, since risk tolerance varies widely, and it is difficult to really identify the risks the organization needs to mitigate.
This is where regulation, standards and auditing frameworks come into play – they identify a baseline for the risks and controls that need to be in scope. As an input to scoping risks, data classification is essential such that the various stakeholders define the sensitivity of a particular transaction or information asset. Beyond that, approaches such as continuous auditing can help broaden the inventory of risks over time on a more proactive basis.
From an IAM perspective, identity assurance is a practical concept that can help organizations classify and address identity-related risks and, thanks to available identity assurance frameworks, such as Kantara Initiative’s Identity Assurance Framework, organizations can streamline the adoption of identity-related security controls that can mitigate defined risk levels.
Being the Chair of Kantara Initiative’s Identity Assurance Work Group, I am a big proponent of identity assurance as a pragmatic approach to effectively mitigate identity-related risks, as I have stated in prior blog posts.
In fact, I will be presenting via a webcast on this very topic next week on October 7th, 2010 at 12:00 pm ET, hosted by BrightTALK. The title of my session is “Identity Assurance in Everyday Life”. The session is intended to be interactive, allowing for real-time Q&A. Hope you can join me.
In the context of this article, I mean the convergence of security tools. The idea is that as security solutions evolve and become more sophisticated, they should intersect and integrate more seamlessly and synergistically, such that by integrating otherwise siloed security tools, an organization can gain greater insight and visibility into potential threats and attacks as they unfold.
Convergence affords organizations the ability to better detect and prevent attacks at a much larger scale and in near real-time. Hence, convergence helps with the “holistic” part of the new security paradigm shift. It is a trend that we are seeing at play in IAM. For some years now, we have seen new approaches to information security emerge and become mainstream, such as Data Loss Prevention (DLP) as well as Governance Risk Management & Compliance (GRC); each of which combines different security technologies that have been integrated over time.
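To make the two ideas above concrete, here is a small added example (my illustration, not code from the original post or from any product mentioned in it). It joins an IAM entitlement inventory, which carries the risk-awareness inputs from the earlier paragraphs (an asset’s classification expressed as a minimum assurance level, and whether an account is still active), with access-log events of the kind a monitoring tool collects on its own. Seen only through the log, every event is an ordinary successful read; seen through the joined view, three of them are identity risks. All identities, assets, assurance numbers and log lines are constructed for the example, and the log format is an assumed key=value layout.

```python
"""Added illustration: correlating an IAM entitlement inventory with
access-log events so that identity-level risk decisions (classification,
assurance level, account status) and log monitoring are evaluated
together rather than in separate silos. All data below is constructed."""
from typing import Dict, List

# Constructed IAM inventory: who has access to what, at which assurance level.
# The assurance numbers are illustrative levels, not values from any framework.
IDENTITIES = {
    "alice": {"active": True,  "assurance": 3, "entitlements": {"payroll", "wiki"}},
    "bob":   {"active": True,  "assurance": 1, "entitlements": {"wiki"}},
    "carol": {"active": False, "assurance": 3, "entitlements": {"payroll"}},  # deprovisioned
}

# Constructed data classification: the minimum assurance level each asset demands.
ASSET_MIN_ASSURANCE = {"payroll": 3, "wiki": 1}

# Constructed access-log lines in an assumed key=value layout.
LOG_LINES = [
    "2010-09-30T12:00:01Z user=alice asset=payroll action=read result=success",
    "2010-09-30T12:00:05Z user=bob asset=payroll action=read result=success",
    "2010-09-30T12:00:09Z user=carol asset=payroll action=read result=success",
    "2010-09-30T12:00:12Z user=bob asset=wiki action=read result=success",
]


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into a dict: timestamp plus each key=value field."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, value = pair.split("=", 1)
        event[key] = value
    return event


def correlate(log_lines: List[str], identities: Dict[str, dict],
              min_assurance: Dict[str, int]) -> List[Dict[str, str]]:
    """Return one finding per successful event that the IAM view says
    should not have succeeded. Each finding is the parsed event plus a
    'finding' label naming the identity risk that the log alone cannot see."""
    findings = []
    for line in log_lines:
        ev = parse_line(line)
        if ev.get("result") != "success":
            continue  # failed attempts are out of scope for this check
        ident = identities.get(ev["user"])
        if ident is None:
            # An account the IAM inventory has never heard of.
            findings.append({**ev, "finding": "unknown_identity"})
            continue
        if not ident["active"]:
            # Deprovisioned in IAM, yet still able to read an asset.
            findings.append({**ev, "finding": "deprovisioned_account_used"})
        if ev["asset"] not in ident["entitlements"]:
            # The "who has access to what" question answered differently by each tool.
            findings.append({**ev, "finding": "access_without_entitlement"})
        if ident["assurance"] < min_assurance.get(ev["asset"], 0):
            # Identity assurance lower than the asset's classification requires.
            findings.append({**ev, "finding": "assurance_below_classification"})
    return findings


if __name__ == "__main__":
    for f in correlate(LOG_LINES, IDENTITIES, ASSET_MIN_ASSURANCE):
        print(f["ts"], f["user"], f["asset"], "->", f["finding"])
```

Run as-is, it reports nothing for alice, two findings for bob’s payroll read (no entitlement, and assurance level 1 against a level-3 asset) and one for carol (a deprovisioned account still reading payroll). The point of the design is that neither data source produces these findings alone: the IAM inventory does not know that the reads happened, and the log does not know who should have been allowed to read.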
In IAM, here are some examples worth noting:
So, in conclusion, I believe that we are inevitably marching forward towards a proactive and holistic security model, and that this model will rely on traditional security solutions, whose seamless integration and collaboration will afford organizations an agile and adaptable approach to mitigating risks as they are continuously identified and assessed.
Your comments to this discussion are most welcome.