The problem with much of what you read is that you no longer know just what to believe. If, like me, you occasionally visit the website which happens to be offering the latest and greatest gadget to improve your life, you understand the problem.
I recently bought this wonderful gadget that you plug into the cigarette lighter in your car, and with a standard USB token you now have an instant MP3 player that works with your car radio. Sounded great, promised to solve all my problems. Unfortunately, the reality is not quite what I had hoped for! Maybe if I'm in the middle of the Antarctic it just might work brilliantly, but right in the heart of Western Europe, the results are less than ideal.
Now you may wonder what an MP3 player has to do with IT security. Well actually quite a lot. The product I foolishly wasted my money on promised to solve my entertainment implementation problems, and much of what we see in IT security is often promoted in the same way. It seems as if every vendor has the panacea for all IT security problems.
There Are No Silver Bullets
Whether we're talking about "Sox in a Box", or "No Hassle with Basel", it seems the IT security industry always has a solution looking for a problem, and "IT Governance" has become the problem that everyone is rushing to solve. So the warning to unsuspecting CIOs is to be on the look out for "FUD" business strategies. The consequences of noncompliance are sufficiently alarming for many corporations, and senior executives, without having vendors generating mass hysteria.
And we are drowning under regulatory requirements. Whether we're talking Sarbanes Oxley, Basel II, SAS 70, NYSE Rule 446, there are enough regulatory requirements to keep us going for the rest of our lives, and the problem for most of us is to try and understand what this means in practice. Is there some mysterious new technology lurking out there that I haven't yet come across? Have I finally met my nemesis, the IT problem that I'm too old to understand?
Is It As Bad As It Seems?
In reality, it seems that there really is not too much to worry about, as long as you have been applying a bit of common sense to your IT security. Without going into the detail, an IT department can go a long way towards demonstrating compliance with Sarbanes Oxley by effectively controlling access to assets against unauthorized external and internal use, using technology that is readily available. And those assets can be loosely defined as information recorded on, processed by, stored in, shared by, and transmitted and retrieved in electronic form, and the systems that provide access to the information.
Ultimately it would seem that most compliance requirements for IT hinge on effective access control, and being able to demonstrate that appropriate precautions have been taken. For example, allowing a server administrator to have access to confidential data by simply logging on to a server using a password is not taking appropriate precautions. A further look at the Sarbanes Oxley requirements for IT Security deal with demonstrating that there are processes in place to prevent unauthorised changes to information, and systems, which in turn brings back to effective security. And there is not some mystical security solution out there that has a Sarbanes Oxley label.
The situation with Basel II is similar. Basel II requires that adequate systems are in place to protect sensitive information. And these systems are covered by solutions such as encryption to ensure that sensitive information is secure; hash-codes and digital signatures (identity management) to ensure integrity and identity; time-stamping so we know who did what, and when; two factor authentication based on a hardware device.
Of course this does not mean you simply ignore these issues. Not only are these regulations applicable to an organization's internal IT infrastructure, but also to outsourced partners, and any business that looks to outsource IT should look to use agencies that have been independently audited, and approved. The same standards of security that you expect from your own staff, should equally apply to any third party that is dealing with your assets.
Start by tackling the problem at the source
So where do you start? Well one of the prime culprits when it comes to creating security holes are the very companies selling you solutions to plug those holes. In order to ease the process of delivering products to customers, virtually all IT security products are delivered with pre-defined administration /super user accounts, and frequently these powerful accounts fall into a black hole when it comes to change management. Additionally change management can be such a mammoth task in many organisations that there simply is not the human resource available to control the hundreds, and in some cases thousands of devices that can be used to access business assets.
And this is not simply the device where the information is stored. Every component that is a link in the chain to the information is a potential hole. So from your firewall at the edge of the network, the router that provides access to various segments, and the workstation that is used by employees; each one can be used to exploit.
However, like my MP3 player, my advice is to understand your requirements, and select solutions that help you achieve the desired result. Don't follow my example of buying a product in the hope that it will solve all your problems.
The author is an IT Consultant for Cyber-Ark