Enterprises around the globe are increasingly concerned about the risk from cyber threats, and the rising number of publicly disclosed incidents justifies their worries. In today's economy, budgets are being reduced and technology departments are being asked to cut resources. So, risk up, budgets down. These risk realities are exploited by anyone who uses the downturn in security enforcement to step up the pace of exploitation. Disgruntled employees are also walking away with valued information assets while businesses scale back on defense in an effort to become more productive. And it is happening at a time when an enterprise can ill afford downtime, decreased productivity, stolen data, lost sales, and a damaged reputation.
This is what we call the "security paradox," or "productivity versus security." This debate is becoming harder to resolve as single-point external attacks have moved toward multi-source external attacks and the model of the "trusted employee" is being eroded.
IT's primary purpose is to make the enterprise employees as productive, efficient and effective at doing their jobs as possible. Laptops, portable memory and even smart devices are part of that efficiency/productivity environment, allowing for work to get done on the train, plane, at a client site or at an employee's home.
Now, the primary purpose of IT security is at odds with that primary purpose. IT security's primary purpose is to protect company data, whether from a power outage, an inadvertent erasure, a disk glitch or more malicious efforts, such as sabotage or intentional theft. Another example: the traditionally defined enterprise network perimeter around an enterprise's information assets is no longer realistic. The enterprise mobile workforce demands that data be portable and instantly accessible from anywhere. In doing so, it negates the physical barriers designed to keep information secure.
Every security professional knows that nothing we do with respect to information security will eliminate all of the risks inherent within the enterprise. At best, we can mitigate the risks and bring them down to an acceptable level. So what is an acceptable level of risk? Every asset owner needs to decide that for themselves and it will vary by industry, organization, perceived and real threats, the software in use, and many more factors.
The point is that security is an ongoing balancing act. Often the balancing act is between security needs and the culture of the organization. Some enterprises have a goal of allowing employees a great deal of freedom within the workplace, and that "freedom" is often extended to the network - even though the enterprise has a stated policy that the network is for business use only and that there should be no expectation of privacy for any network activity. Applications such as instant messaging (IM) and peer-to-peer services, such as KaZaA music downloads, are known to have security implications, yet their use is allowed even though there is generally no good business reason for them.
Why would an enterprise want to use software that exposes its business data to a possible security breach? Perhaps, instead, you should consider purchasing a secure version of the proper application rather than using non-secure (albeit free) software that only approximates the right functionality - and provides a significant exposure. Wait. That points to the same balancing act of "productivity" versus security. Enterprises know certain software to be a security nightmare but use it anyway, ostensibly for "user productivity."
The dilemma of productivity versus security also makes the compliance challenge a daunting obstacle for companies struggling to stay competitive. The enterprise demand for a more mobile workforce exposes the network to an increased risk of data leakage. The basic purpose of addressing security in a productivity environment is to ensure the continued effective protection of sensitive information and the system's critical processes. The adequacy of automated system security is examined through periodic audits, evaluations, risk analyses, and approval reviews. Evaluations and reviews should be performed in conjunction with follow-on tests and evaluations, self-inspections, and other required evaluations. Yet, how much security can be implemented without affecting the enterprise's productivity?
Let's look at the CobIT model. Using the CobIT model when advancing technological implementations or trying to stay ahead of the curve for technology, the enterprise should:
- Plan and organize. The enterprise must perform an assessment of the existing infrastructure to determine its strengths and weaknesses. The ideal solution to satisfy these requirements should be to increase performance and productivity. Do not forget about including the enterprise security requirements.
- Acquire and implement. The next step is evaluation, selection and implementation of the solution that best matches the requirements.
- Deliver and support. Hopefully, some of the requirements included security, and security is part of the selected and implemented solution. Ideally, the solution adopted should protect the confidentiality, integrity and availability of sensitive information by managing user privileges and restricting the transfer of information to unauthorized users and devices.
- Monitor and evaluate. The final component of CobIT controls focuses on the ability to continuously measure the performance of an enterprise's established IT infrastructure.
To achieve the highest possible protection levels and the lowest possible risk and cost, while keeping the enterprise productive, the enterprise must consider an approach that incorporates these elements:
- Integrated and layered defense across systems and networks
- Real-time threat intelligence and reputational analysis
- Centralized security management platform that provides a singular management console
- Real-time network monitoring to ensure response times and employee productivity
- All network monitoring and administration backed by a dedicated team of security research experts and competent administrators.
What is an enterprise to do when balancing productivity and security? Enterprises need to treat a cost-cutting environment as an opportunity to make their IT security solutions streamlined and effective. The result for the enterprise is fewer security breaches, less downtime and revenue loss, and less risk in tough economies.
Combining consolidated information assurance protection with centralized management is one of the best security practices. The enterprise needs to be proactive in identifying potential risks and stemming loss of productivity and revenue. Identifying potential risks gives the enterprise the greatest visibility into compliance status while lowering costs. When looking at technology, the enterprise must review:
- Integration: Do not look specifically for a one-size-fits-all product. Look at security vendors who offer integrated suites rather than siloed products.
- Centralized Management: Gain greater visibility and increased control via a single management console, and limit the staff required for monitoring.
- Lower Costs: Integrated solutions, many times, are more economical, resulting in savings in license and support costs and more efficient administration and management.
This approach can extend to many types of threat vectors: email, Web, networks, systems, and data. In reviewing vendors, the enterprise should also ensure some form of auto-updating so that the protection stays current. Enterprise solutions should cover every security element: system protection beyond antivirus, Web and email security, network defense with firewalls, host intrusion prevention, network access control and data protection.
With an integrated set of security offerings, centrally managed, an IT administrator can still dedicate the same number of hours per week while gaining more proactive and comprehensive security coverage. A good practice when integrating security practices into an IT administrator's work environment is to ensure that security is part of everyday practice and does not exceed 15-30 minutes of their daily activities.
Looking at productivity from an enterprise user's point of view also requires some consideration. How much security will the enterprise user tolerate? Many times, what users do not know will not hurt them. Well, yes and no. Additional auditing, logging, and compliance are a requirement for many enterprise environments. Enterprise users begrudgingly accept having to perform extra steps as part of their daily duties. On the other hand, some enterprise users still challenge the concept with statements like "I am a trusted employee, why are you checking up on my work?" In today's enterprise environment, the concept of the trusted employee needs to be challenged. Loss of intellectual property, mistakes in data entry, and loss of data integrity, whether accidental or deliberate, need to be evaluated within an enterprise.
What security activities can be implemented to lower enterprise risk without impacting enterprise user productivity? Baseline the environment. To ensure there is a balance of productivity and security, the enterprise needs to baseline its network activities. Once a baseline is completed and additional productivity or security measures are implemented on the network, the enterprise can see the impact of those activities. Once the baseline is completed, a few additional activities and solutions for consideration are listed below:
- Turning on auditing and logging, but not so much as to slow network traffic and consume large amounts of disk space, and ensuring there is staff to monitor those logs or reports.
- Using role-based access control. Knowing which users are accessing a network resource limits risk, and administrators have an easier job maintaining access control.
- Using role-based access control also makes the authorization process more efficient, because an asset owner can review who is accessing their assets more easily and more frequently.
- Using whitelisting rather than blacklisting, with a request process for adding additional resources, limits the risk yet ensures enterprise users can still access what they need for productivity.
- Using something similar to single sign-on for access control will help users be more productive by not having to use multiple user IDs and passwords to access applications and resources.
Yes, balancing productivity and security takes careful planning and review. To tie everything together when balancing productivity and security, first recognize that information security is not an add-on to a network, project, or application. It is something that should be considered throughout the idea, requirements, architecture, and implementation phases. Second, security takes time and some money, but, most times, not as much as some would think. Finally, a widely stated mantra in the security field is that "security is a process, not a product." Even if you have the best, most comprehensive security hardware and software available, it is soon useless unless it is maintained, updated, and integrated into the larger system for productivity. When balancing productivity and security, if the enterprise gets it right, the enterprise has innovation; get it wrong and the enterprise has trouble.
Sandy Bacik, CISSP-ISSMP, CISM, CGEIT, CHS-III, author and former CSO, has over 14 years of direct development, implementation, and management experience in information security in the areas of audit management, disaster recovery and business continuity, incident investigation, physical security, privacy, regulatory compliance, standard operating policies and procedures, and data center operations and management. Ms. Bacik has managed, architected and implemented comprehensive information assurance programs and managed internal, external, and contracted and outsourced information technology audits to ensure various regulatory compliance for state and local government entities and Fortune 200 companies. She has developed methodologies for risk assessments, information technology audits, vulnerability assessments, security policy and practice writing, incident response, and disaster recovery.
This is from Information Security Management Handbook, Sixth Edition, Volume 5, published by Auerbach Publications in September 2011.