We have reached the end of the line! After discussing the importance of a robust defined security policy in my last blog entry, in this post I’ll be tackling the fourth and final foundational element in an effective security program—technology.
Security technology can be broken down a number of different ways, but at Carousel, we find it is simplest to understand when broken into three distinct pillars:
1. Threat Security: This element focuses primarily on the threat and “keeping the bad stuff out.” This is where organizations typically spend the majority of their security budgets, and for good reason, as there were over 3 million new malware variants last year alone.
2. Asset Security: The focus here is on the actual assets our IT organizations are trying to manage and leverage on a daily basis. This includes infrastructure, endpoints, and user identity. The point is to maintain the compliance of these elements with our security policies and controls such that we give them the best opportunity for defense against malicious threats and misuse.
3. Information Security: This pillar helps us to answer the “Who, What, Where, When, How, and Why” of our critical information and data. Here we focus on protecting what is important and what we want to keep within the organization rather than what we are trying to keep out.
Most organizations are at least familiar with threat-based security, as firewalls have long been top-of-mind during IT budget planning. Asset security technologies like Network Access Control (NAC) have also seen fairly widespread adoption, especially since the boom of Bring Your Own Device (BYOD). If they haven’t done so recently, organizations should absolutely look at these two areas to determine if they have the necessary—and up-to-date—solutions in place. If an organization is still relying heavily on legacy threat-based protection such as packet-only filtering firewalls, it may be time to strongly consider upgrading to a Next Generation Firewall platform.
But in this post I want to focus primarily on the third pillar, because from what I hear when I’m out talking to IT professionals, organizations simply aren’t devoting enough of their budget to this area. Let’s go back to the original premise of this entire series, “Assumption of Breach.” If we are going to approach security with the understanding that some breaches will inevitably occur, we need a better understanding of where our most valuable information lives and how it is used, so that we can determine how to protect it.
Data identification and classification technologies, for example, can locate sensitive information like credit card numbers and personally identifiable information (PII), and not only ensure that authorized users have access to it, but also provide insight into how they are interacting with it. Additionally, with so many organizations now leveraging cloud services, information-based security is becoming increasingly challenging to get our arms around. When all important data and intellectual property lived inside an organization’s four walls, information was “easier” to monitor.
Today IT has to understand what data should and shouldn’t live off-premises to effectively manage risk. But if we don’t know what that information and data is to begin with, we can’t even begin to tackle that challenge.
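To make the data identification step above concrete, here is an added example (not from the original post or any Carousel product) of how a classifier can locate credit card numbers: a pattern match finds candidates and a Luhn checksum discards look-alikes such as tracking numbers. The sample documents and the "restricted"/"unclassified" labels are constructed assumptions.

```python
import re

# Candidate card numbers: 13-19 digits, optionally grouped by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep first 6 and last 4 digits so the report itself holds no full number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_card_numbers(text: str) -> list:
    hits = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits

def classify(documents: dict) -> dict:
    """Map each document name to (label, masked findings). Labels are hypothetical."""
    report = {}
    for name, text in documents.items():
        hits = find_card_numbers(text)
        report[name] = ("restricted" if hits else "unclassified", hits)
    return report

# Constructed sample documents (4111 1111 1111 1111 is a well-known test number).
SAMPLES = {
    "support_ticket.txt": "Customer paid with 4111 1111 1111 1111 on file.",
    "order_export.csv": "order_id,tracking\n1001,1234567890123456\n",
    "notes.txt": "Call back at 555-0100 about invoice 20240117.",
}

if __name__ == "__main__":
    for name, (label, hits) in classify(SAMPLES).items():
        print(f"{name}: {label} {hits}")
```

The 16-digit tracking number in the CSV fails the checksum and is not flagged, which is the kind of false positive a pattern-only scan would raise.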
I encourage you to read the entire blog series where we discuss how you can implement a strategy that allows your business to operate confidently and without fear: