Jim Harris

My name is Jim Harris, I am the Blogger-in-Chief of OCDQ Blog, and an independent consultant, speaker, and freelance writer for hire.

Monday, Sep 26, 2011

The Good, the Bad, and the Secure

This blog post is sponsored by the Enterprise CIO Forum and HP.

A previous post examined the data aspects of enterprise security, which requires addressing both outside-in and inside-out risks.

Most organizations tend to both overemphasize and oversimplify outside-in data security using a perimeter fence model, which, as Doug Newdick commented, “implicitly treats all of your information system assets as equivalent from a security and risk perspective, when that is clearly not true.”  Different security levels are necessary for different assets, and therefore a security zone model makes more sense, where you focus more on securing specific data or applications, and less on securing the perimeter.

“I think that these sorts of models will become more prevalent,” Newdick concluded, “as we face the proliferation of different devices and platforms in the enterprise, and the sort of Bring Your Own Device approaches that many organizations are examining.  If you don’t own or manage your perimeter, securing the data or application itself becomes more important.”

Although there’s also a growing recognition that inside-out data security needs to be improved, “it’s critical that organizations recognize the internal threat can’t be solved solely via policy and process,” commented Richard Jarvis, who recommended an increase in the internal use of two-factor authentication, as well as the physical separation of storage so highly confidential data is more tightly restricted within a dedicated hardware infrastructure.

As Rafal Los recently blogged, the costs of cyber crime continue to rise.  Although the fear of a cloud security breach is the most commonly expressed concern, Judy Redman recently blogged about how cyber crime doesn’t only happen in the cloud.  With the growing prevalence of smart phones, tablet PCs, and other mobile devices, data security in our hyper-connected world requires, as John Dodge recently blogged, that organizations also institute best practices for mobile device security.

Cloud, social, and mobile technologies “make business and our life more enriched,” commented Pearl Zhu, “but on the other hand, this open environment makes the business environment more vulnerable from the security perspective.”  In other words, this open environment, which some have described as a multi-dimensional attack space, is good for business, but bad for security.

Most organizations already spend a fistful of dollars on enterprise security, but they may need to budget for a few dollars more because the digital age is about the good, the bad, and the secure.  In other words, we have to take the good with the bad in the more open business environment enabled by cloud, mobile, and social technologies, which requires a modern data security model that can protect us from the bad without being overprotective to the point of inhibiting the good.


Related Posts

Securing your Digital Fortress

Are Cloud Providers the Bounty Hunters of IT?

The Diderot Effect of New Technology

The IT Consumerization Conundrum

The IT Prime Directive of Business First Contact

A Sadie Hawkins Dance of Business Transformation

Are Applications the La Brea Tar Pits for Data?

Why does the sun never set on legacy applications?

The Partly Cloudy CIO

The IT Pendulum and the Federated Future of IT

Suburban Flight, Technology Sprawl, and Garage IT


Reader Comments (1)

Thanks Jim for responding to me in such a thorough way.

Interestingly enough I was just listening to a podcast of the BBC's Start the Week show, which included a discussion with Misha Glenny who has just written a book on cybercrime. He believes that it is both on the rise and in fact that it may well grow exponentially in the next few years.

Are we ready for this? And are we ready for the rise in the sophistication of these attacks? Spear-phishing and targeted attacks are definitely on the rise for large enterprises (and of particular concern to government agencies). Add to this the increase in cyber-terrorism and cyber-espionage (both industrial and national) and you have a scary mix for data security.

Are we in the enterprise IT community prepared for this? Do our old security models support us in dealing with these kinds of threats? I suspect that the answer to both of these questions is "no".

Doug

September 28, 2011 | Unregistered Commenter Doug Newdick
