By Ruby Bayan
Top-notch companies wield cutting-edge technology to stay ahead of the pack. But with the breakneck speed at which technologies roll out, an enterprise's supposedly robust security architecture could quickly become ill-prepared for the new milieu. At the same time, technologies purportedly ready for deployment could be ushering in new vulnerabilities and exposures.
Diana Kelley, security technology strategist at Computer Associates, and Jim Walker, adjunct professor of computer security at Carnegie Mellon University and manager of product marketing at ServGate Technologies, provided some advice for keeping your security architecture efficient and at par with the IT industry's best practices. Further, they provided some guidance for ensuring that your security environment remains effective as you integrate new technologies.
Start with standards, guidelines, and tools
"To ensure that a company's security policies are in line with best practices, the IT manager must be knowledgeable of the latest standards," Walker said. Security technology vendors are a good source for information regarding standards, since their products and services most likely help companies comply with these standards, he said.
"Consult with knowledgeable professionals in the area for focused and specific guidance that meets both the best practice standards as well as the individual needs of the business," Kelley advised.
Walker emphasized that education is ultimately the key to assessing one's security policies. "The more knowledge an IT manager has about security, the better," he said. "Having IT support that is knowledgeable in security and proper security constructs will help keep things in line. If the company's IT staff is a one-woman army, becoming aware of available analysis tools for gauging her security practices against the industry's best practices is imperative."
Match the business need to the technology
According to Kelley, whenever a new technology is evaluated for inclusion in an enterprise IT architecture, managers should first establish the business need that will be met by the new technology: the business case for implementation and the success metrics associated with this new technology. Then they can move into reviewing their existing policies, management frameworks, and legacy systems to see where the intersection points occur, she said.
"Oftentimes, new technology will cause exceptions in policy due to legacy or other restraints," Kelley said. "Match the business need to the technology, to the restraints and exceptions, and revise policies and procedures as needed."
Kelley said it's important to note that an entire security policy needn't be rewritten every time a new technology is introduced. However, the new technology must fit in with the overall policy and management framework or have exception handling for non-compliance, she said. Sometimes a subpolicy or an addendum can be a good way to establish the policy for the new technology.
Scrutinize the new technology
Kelley said managers should familiarize themselves with the technology itself and any known vulnerabilities inherent in the technology. For example, if an enterprise is going to deploy wireless, understanding the IEEE 802.11 specification is critical, as well as checking on the related standards, such as the Wi-Fi Alliance's WPA and the 802.1X standard—also from IEEE, but not exclusive to wireless—which can be used with WPA.
"Another example of a new technology that bears study before deployment is VoIP," Kelley said. "How does the technology work? What are the risks? VoIP considerations would include the effect on the organization if downtime occurs due to a DoS or poor bandwidth management."
Kelley suggested online resources, conferences, and other educational outlets, and the vendors who provide the new technology.
Walker said that when deploying a new technology, it is important to review it for proper security constructs. "Find out if the new technology has undergone security certifications, such as Common Criteria and ICSA," he said. "These certifications have been developed so that a common level of security could be established."
For example, the U.S. government requires a level of Common Criteria to be attained before a new technology is considered for deployment in any government network, he said.
Don't forget the details
Walker stressed attention to factors that should be considered part of an overall security policy for the organization before and after implementing any new technology.
He said IT managers should ask themselves the following questions:
- Does the technology require a connection?
- If so, does it use only specified ports on a machine?
- Does the technology's database encrypt important information such as passwords or customer information—credit card numbers, Social Security numbers, etc.?
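The three questions above can be turned into a repeatable check rather than a one-time review. The script below is an added example and is not code from the article or from either vendor mentioned in it. It assumes a constructed `ss -ltnp`-style listing from the host running the new technology, a constructed list of ports the vendor documentation declares, a constructed firewall allowlist, and a constructed description of the product's database schema; all of these values are made up for illustration. It reports any listener the vendor did not document (a sign the product opens more than the "specified ports"), any externally reachable port that would need a policy exception, and any sensitive column the product stores unencrypted.

```python
"""Policy check for a newly deployed technology (added example, not from the article)."""
import re

# Constructed sample of `ss -ltnp`-style output from the host running the new
# product. The format mimics the real tool, but every line here is made up.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:5060         0.0.0.0:*          users:(("voipd",pid=1201,fd=7))
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*          users:(("voipd",pid=1201,fd=9))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=988,fd=5))
"""

# Constructed: the ports the vendor documentation says the product needs.
DECLARED_PORTS = {5060, 5432}

# Constructed: the ports the organisation's firewall policy permits for this role.
POLICY_ALLOWED_PORTS = {5060, 5432}

# Constructed description of the product's database schema: which columns hold
# regulated data and whether the product encrypts them at rest.
SCHEMA = [
    {"table": "users", "column": "password", "sensitive": True, "encrypted": True},
    {"table": "billing", "column": "card_number", "sensitive": True, "encrypted": False},
    {"table": "calls", "column": "duration", "sensitive": False, "encrypted": False},
]

# Matches one LISTEN line: bind address, port and the first process name.
_SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)


def parse_listening_ports(ss_output):
    """Return {port: (bind_address, process_name)} for every LISTEN line."""
    ports = {}
    for line in ss_output.splitlines():
        m = _SS_LINE.match(line)
        if m:
            addr, port, proc = m.group(1), int(m.group(2)), m.group(3)
            ports[port] = (addr, proc)
    return ports


def check_ports(listening, declared, allowed):
    """Compare what is actually listening with the documentation and the policy."""
    findings = []
    for port, (addr, proc) in sorted(listening.items()):
        if port not in declared:
            findings.append(f"undocumented listener: {proc} on {addr}:{port}")
        # Loopback-only listeners are not reachable from the network, so they
        # do not need a firewall exception.
        if port not in allowed and addr != "127.0.0.1":
            findings.append(
                f"policy exception needed: {addr}:{port} not in firewall allowlist"
            )
    return findings


def check_schema(schema):
    """Flag every sensitive column that the product stores without encryption."""
    return [
        f"unencrypted sensitive column: {col['table']}.{col['column']}"
        for col in schema
        if col["sensitive"] and not col["encrypted"]
    ]


def assess(ss_output=SAMPLE_SS_OUTPUT, declared=DECLARED_PORTS,
           allowed=POLICY_ALLOWED_PORTS, schema=SCHEMA):
    """Run both checks and return the combined list of findings."""
    findings = check_ports(parse_listening_ports(ss_output), declared, allowed)
    findings += check_schema(schema)
    return findings


if __name__ == "__main__":
    for finding in assess():
        print(finding)
```

Each finding maps back to one of the questions: an undocumented listener means the product does not use only its specified ports, an allowlist miss is the kind of policy exception that should be recorded rather than silently tolerated, and an unencrypted sensitive column answers the database question. Running the same check after every upgrade is cheaper than waiting for an auditor to find the drift.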
Consider security assessment and management solutions
Walker said that a good alternative for determining the robustness of your security architecture is to outsource security risk assessment. "Many consulting firms, such as IBM Global Services, provide vulnerability assessment services," he said.
However, Kelley said that if a third-party auditor finds a problem, it's too late. "The best practice for an organization is to use their own management tools to proactively assess the health of the systems on an ongoing basis," she said. She recommended that organizations use the management tools from Computer Associates such as the eTrust Policy Compliance, eTrust Audit, and eTrust Vulnerability Manager.
Keep abreast of best practices
To stay tuned in to the latest standards and best practices on security architecture effectiveness, Kelley recommended that IT managers read standards-based documents, such as ISO 17799, final rulings for HIPAA and SOX, etc.
"Firms specializing in best practice controls, such as the 'Final Four' audit firms (KPMG, E&Y, D&T, and PWC) are also a good resource, as are industry conferences on auditing and security such as those offered by MIS Training Institute," she said.
However, Kelley offered one caveat: managers must always keep in mind that industry best practices may not always be in sync with business best practices.
"An effective security architecture must serve the business," she said. "This may require strict compliance to certain regulations, such as SOX, but there is no single, most effective best practice for all organizations."