Emtec Adviser - Access vs. Control

A Strategic View of IT Security: Access vs. Control

by Sunil Misra, Chief Strategy and Delivery Officer, Emtec

Two recent security engagements presented the Emtec team with very different challenges. In one, we were asked to isolate, assess and remediate a significant network security breach for a large local government. In another, we were enlisted to assess the current security posture of a large global financial services organization, and then design and implement a strategic plan for the ongoing governance, control and protection of the company’s information assets.

While these projects required vastly different tools and skill sets, they represent bookend views of the continuum of services that Emtec delivers to help customers reduce risk, complexity and exposure to their network infrastructure in today’s plugged-in world.

The ability to marshal a broad range of resources and far-reaching technical skills is imperative in the new age of information security. The days when organizations could focus entirely on perimeter security with firewalls, antivirus and intrusion prevention are long gone.

Risks and Rewards

The growth of Web applications, cloud services and other new technologies has fundamentally altered the IT landscape. Opening up internal applications and data to employees, customers and business partners via the cloud gives organizations exciting opportunities to improve productivity, increase collaboration and drive growth.

However, these practices also introduce an element of danger. The constantly connected enterprise faces increased risk from information leaks, compliance violations, identity management lapses and access control loopholes. The National Institute of Standards and Technology reports that 92 percent of exploitable vulnerabilities are in software, while the research firm Gartner estimates that application vulnerabilities account for three out of every four security breaches.

Consequently, IT security organizations are left with an awkward dilemma. How do you shut the door on would-be intruders while leaving it open to legitimate access? Clearly, you can’t give hackers an unobstructed path into the heart of your network. Yet too much security can make your apps so rigid and cumbersome that your intended audience won’t bother using them.

Analyze This

Establishing a balance between access and security is the key. To a great degree, achieving such balance is a matter of risk analysis. Every decision and investment in the security of your organization’s information assets should be based upon an analysis of the risk and an honest evaluation of your tolerance for that risk.

In risk analysis, key people in the organization must be brought together to consider the impact of potential threats, such as loss of information, loss of reputation and unexpected downtime. A value is attached to potential losses, the risks that might cause those losses are identified, and security protections can then be justified in a business context rather than a technical one.

Identifying risks and the cost/benefit justification of the countermeasures then forms the foundation of an overall risk mitigation strategy and provides a quantifiable standard for striking a balance between security and access. Most important, it moves organizations beyond a tactical/technical view of information security as a collection of products and practices and into a comprehensive, strategic approach comprising high-level organizational principles and policies, risk tolerance metrics, performance requirements and the technical safeguards required to protect your business.

The Takeaway

Assess your risk, understand the impact and build an overall security strategy that dictates the security investments needed to protect your current assets and future growth.
