The Data Confidential perspective is that we should consider IT and infrastructure security an ongoing process to maintain confidentiality, integrity, and availability. There are many products available that claim to provide security; these are often poorly configured, and sometimes poorly designed.
In other words, "Security is a process, not a product".
360 Degree Security
This process must consider internal threats and non-human risks as well as the possibility of external attackers. IT security must also integrate into the comprehensive Enterprise security system, which includes the physical and personnel security mechanisms and processes. A further key to successful security is security awareness training for the entire work force -- security is too important to be left to the few security professionals.
Security by Design
The best approach, when possible, is to design security into a system, as part of the basic architecture. This enables both the most cost effective application of resources and the highest level of security at any given expense level.
Secure IT Architectures
Whether designing a new system or improving the security of existing systems, there are IT and infrastructure architectures and frameworks that most security experts agree will improve an organization's ability to deter and defeat attempts to penetrate its systems. The most secure organization is not always the one that spends the most money -- it is more important to apply resources in an intelligent manner.
Security Is Based On Management and Process
There is no substitute for adequate security management, diligence in following approved processes to completion, and maintaining accurate system configuration records. And we have learned through experience that essential security management systems include project management and workflow tools, team and Enterprise collaboration systems, and a good knowledge management system. Without these the left hand doesn't know what the right hand is doing, and sometimes management doesn't know what either hand has been up to, creating opportunities for missed vulnerabilities and wasted resources.
Continuously Secure Infrastructure
There has been a lot of media attention given to security failures including penetrations and infrastructure takeovers. What the media don't report is even more frightening.
But it is possible to design and operate infrastructure that is verifiable as continuously secure. This requires the application of a set of processes that rely on a command and control system to enforce and continuously verify that approved configurations are in place on all infrastructure elements.
The effect is to lock down a complex network of complex elements to an approved architecture of approved configurations. One of the benefits is a reduced operations cost; the trade-offs are increased costs when building the system and adding new elements, and reduced flexibility, since ad hoc changes in the field are prevented.
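The command-and-control verification loop described above can be reduced to a small, auditable check: every infrastructure element reports its running configuration, and the controller compares it with the approved baseline, flagging drift, missing elements, and elements that are not part of the approved architecture at all. The following is an added illustration, not code from Data Confidential or any product; the element names, settings and baseline values are constructed for the example.

```python
import hashlib
import json

# Constructed approved architecture: element name -> approved configuration.
# These names and settings are hypothetical, not from any real network.
APPROVED_BASELINE = {
    "edge-fw-1": {"default_policy": "deny", "mgmt_from": ["10.0.9.0/24"], "ssh_version": 2},
    "core-sw-1": {"snmp_v3_only": True, "ntp_servers": ["10.0.9.5"], "telnet": False},
    "db-01": {"listen": "10.0.5.10", "tls_required": True, "remote_root": False},
}


def fingerprint(config):
    """Canonical SHA-256 of a configuration, so equivalent configs hash identically
    regardless of key order. Fingerprints are cheap to store and compare over time."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def verify(baseline, observed):
    """Compare observed running configs against the approved baseline.

    Returns a list of (element, kind, detail) findings. An empty list means every
    approved element is present and matches, and nothing unapproved is present."""
    findings = []
    for element, approved in baseline.items():
        if element not in observed:
            findings.append((element, "missing", "element did not report a configuration"))
            continue
        actual = observed[element]
        if fingerprint(actual) == fingerprint(approved):
            continue  # fast path: identical configuration
        # Slow path: identify exactly which settings drifted.
        for key in sorted(set(approved) | set(actual)):
            if approved.get(key) != actual.get(key):
                findings.append((element, "drift",
                                 f"{key}: approved={approved.get(key)!r} actual={actual.get(key)!r}"))
    for element in sorted(set(observed) - set(baseline)):
        findings.append((element, "unapproved", "element is not part of the approved architecture"))
    return findings


def remediation_plan(baseline, findings):
    """Enforcement step: for each drifted element, the configuration to push back is
    simply the approved one. Missing/unapproved elements need human follow-up."""
    return {element: baseline[element] for element, kind, _ in findings if kind == "drift"}


def is_compliant(baseline, observed):
    return not verify(baseline, observed)


if __name__ == "__main__":
    # Constructed snapshot from one verification cycle: an ad hoc field change
    # enabled telnet on the core switch, and an unknown element appeared.
    observed = {
        "edge-fw-1": APPROVED_BASELINE["edge-fw-1"],
        "core-sw-1": {"snmp_v3_only": True, "ntp_servers": ["10.0.9.5"], "telnet": True},
        "db-01": APPROVED_BASELINE["db-01"],
        "rogue-ap-7": {"ssid": "guest"},
    }
    for finding in verify(APPROVED_BASELINE, observed):
        print(*finding)
    print("remediate:", remediation_plan(APPROVED_BASELINE, verify(APPROVED_BASELINE, observed)))
```

Running `verify` on every cycle, and keeping the fingerprints, gives the "continuously verifiable" property: the record of each cycle shows when an element first diverged, and `remediation_plan` makes the enforcement action mechanical rather than a field decision.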
Does every enterprise need continuously secure infrastructure? Perhaps not. Does yours?
How to start securing your information systems?
The way to start this process is to identify assets and risks (including the likelihood of each threat, i.e. the probability of each vulnerability being exploited). For each asset and risk combination we must quantify the potential loss to the organization. This data can be used to make an informed decision as to the level of investment and the type of security defenses.
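The asset-and-risk quantification described above can be worked through with a small risk register: each asset/risk pair carries a likelihood and a potential loss, their product is the expected annual loss, and a candidate defense is justified only when the loss it avoids exceeds what it costs. This is an added worked example, not Data Confidential's own model; the assets, probabilities, loss figures and control costs are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    annual_likelihood: float   # probability the vulnerability is exploited within a year
    loss_if_exploited: float   # potential loss to the organization, in currency units


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    covers: tuple              # (asset, threat) pairs this defense addresses
    likelihood_reduction: float  # fraction by which it reduces the likelihood, 0..1


def expected_annual_loss(risk):
    """Quantified exposure for one asset/risk combination."""
    return risk.annual_likelihood * risk.loss_if_exploited


def rank_risks(register):
    """Highest expected loss first: this is where resources should go."""
    return sorted(register, key=expected_annual_loss, reverse=True)


def control_value(control, register):
    """Net annual value of a control: avoided expected loss minus its cost."""
    avoided = sum(control.likelihood_reduction * expected_annual_loss(r)
                  for r in register if (r.asset, r.threat) in control.covers)
    return avoided - control.annual_cost


def justified_controls(controls, register):
    """Controls whose avoided loss exceeds their cost, best value first."""
    good = [c for c in controls if control_value(c, register) > 0]
    return sorted(good, key=lambda c: control_value(c, register), reverse=True)


# Constructed register: hypothetical assets, probabilities and loss figures.
REGISTER = [
    Risk("customer database", "credential theft", 0.20, 500_000),
    Risk("web portal", "defacement", 0.50, 20_000),
    Risk("file server", "ransomware", 0.10, 300_000),
]

# Constructed candidate defenses with hypothetical costs and effectiveness.
CONTROLS = [
    Control("multi-factor authentication", 15_000, (("customer database", "credential theft"),), 0.8),
    Control("web application firewall", 25_000, (("web portal", "defacement"),), 0.7),
    Control("offline backups", 10_000, (("file server", "ransomware"),), 0.5),
]


if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.asset:18} {r.threat:18} expected loss {expected_annual_loss(r):>10,.0f}")
    for c in CONTROLS:
        print(f"{c.name:28} net value {control_value(c, REGISTER):>10,.0f}")
    print("justified:", [c.name for c in justified_controls(CONTROLS, REGISTER)])
```

In the constructed figures the web application firewall is not justified: the defacement risk is frequent but cheap, so a 25,000 control cannot avoid 25,000 of loss. That is the point of quantifying before buying: the decision is driven by exposure, not by which threat is most visible.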
The next step is to establish a baseline of policies and guidelines, then a security architecture. Too many organizations rush into implementation projects without a roadmap. These organizations gain a false sense of security through successful deployment of point solutions, such as firewalls, IDSs, anti-virus, and update/patch management mechanisms; these do not provide security, they merely close some of the ways attackers may penetrate.
The DAIS philosophy is to design security into the system, not bolt it on. Even an existing system can be rethought, redesigned, if there is tolerance for some degree of reengineering of business process and information flow.