By Paul Vincent
Don’t get me wrong, I’m a techie.
There was a time (and it wasn’t that long ago!) when I could name and identify the function of pretty much every Group Policy Object setting in Windows XP.
However, Information Security is more than setting every security-related configuration to its highest setting. In many cases doing so is likely to break essential services that your systems rely on, which in turn will have a negative, possibly disastrous, impact on the functionality that the business your IT department serves depends upon.
Information Security professionals have in the past had a bad reputation. I have lost count of the times I have entered a room and the Project Managers have rolled their eyes; I can almost hear ‘Here comes security to make our lives more difficult’ going through their minds.
We need to change this opinion. John Sherwood agrees and he gives the excellent example of the brakes on a car. Sure, the brakes are there to stop the vehicle, but think for a moment what they enable. A high performance set of ceramic brakes enable you to drive faster, safe in the knowledge you can stop quickly and in a controlled manner should the need arise.
Many of my clients are large Financial Institutions. Without physical security they could not do business. Imagine for a moment if a Bank removed all its vaults and counter staff, then placed all the money on a table in the middle of a room with a book for customers to write down their account numbers and how much money they have taken! It’s safe to say that physical security enables a Bank to do business. Information Security is no different.
Our challenges include delivering to our business remote access from any device, at any time, anywhere in the world. This cannot take place unless we provide high levels of assurance that only authorised individuals can access the information, and that it is protected at every stage: in our data centres, along the communication medium, and finally when it is stored on a mobile device.
Other challenges include the increased demand to outsource development and support to third-party offshore companies. Allowing partners to access information from outside the EU has Data Protection Act implications, as well as a raft of technical challenges in providing a ‘least privilege’ model.
We now have a plethora of tools to control our environment. GPOs have matured into a technology that provides exceptionally granular control over the enterprise environment, and we have more tools than ever before for GPO diagnosis, change control, rollback and archiving.
With great power comes great responsibility. Every setting should have an owner, and we should be clear about why we have configured it. An excellent resource is the ‘Threats and Countermeasures’ document produced by Microsoft, which can help us as professionals to decide whether a setting is necessary in our particular environment.
Information Security is an exciting field to be involved in now. The challenge is there to be taken. We have a significant part to play in demonstrating that Information Security is here to enable our businesses to succeed in their dreams and aspirations.
This post will help me explain these concepts to my management; thanks.
Happy to have helped.
I can thoroughly recommend the book 'Enterprise Security Architecture - A Business Driven Approach'.
If you don't read anything but the first 3 chapters, it is worth it. It really opens your eyes to how wide the scope of Security is and how availability of services is as critical as their security.
There are some very interesting case studies of what not to do in the first chapter.