Security Community Blog

Data Hygiene

Created: 17 Jan 2008 • Updated: 02 Mar 2009

I’m dying to get into the meat of Security 2.0 but before I go there I think we need to talk about how the foundation of good IT management links to Security 2.0, or what I will call good Data Hygiene.

This discussion is relevant to Security 2.0 because without this foundation we cannot completely solve the data leakage problem. This notion will become clear as we march through the dialog.
<font style="font-style: italic;">
Note: Data leakage is the current buzz name for data that leaves the enterprise in an unmanaged manner.</font>

So I am resisting the urge to talk about the elements of Security 2.0 until we do some house cleaning.
Some might suggest that Security 2.0 is different than security as we have known it to date. Stop it! Security 2.0 is an advancement, not a replacement. So let’s talk about the infrastructure elements of Security 2.0.

Three dimensions of hygiene come to mind:
<ul><li>Systems Management</li><li>Data Protection</li><li>Endpoint Security</li><li>Compliance</li></ul>
I will focus this post on the Systems Management dimension.

<font style="font-weight: bold;">Systems Management</font>
In this context Systems Management is the provisioning, patching and configuring of the end node.

End nodes are all the computing devices that are, or can be, sitting on the network, including servers, laptops, desktops and mobile devices. Maybe even devices like iPods and NES’s that can get onto a wireless network.

Here is a simple postulate: “an infrastructure cannot be secure if it’s not well managed”. This notion is critical to having success with Security 2.0.

Hygiene rule #1: Implement an automated Systems Management function

If you have a formal way to build (image), deploy, patch and then configure every end node in your enterprise, then go directly to Security 2.0. I’m not talking about the two guys/girls in the back room that have the corporate image waiting for your hard drive to fail so they can save the day by replacing all the stuff you have been working on and all the cookies you have collected for the last month :). I mean an automated system that monitors and controls the configuration of the end nodes on a scheduled basis. I put Systems Management at the head of the hygiene list because if you can’t guarantee the end node’s configuration you might as well not waste your money on a security initiative.

Why is this important?

I thought you would never ask ….  To have a secure infrastructure the security platform needs to have an acute vision of what is going on at each end node. Monitors on each end node provide the “EYES” needed for the security infrastructure to match the end node activity to a security policy.

Let’s put this rule into a Security 2.0 context using a simple example.

I have a laptop that has sensitive information on it.

• They are the SSN’s of employees that I manage.
• I got them from HR in a spreadsheet analysis they did for me where I was planning bonuses. I didn’t ask for the SSN’s but HR used a standard database query that included them.
• So HR just hid the column.
• The company’s data security policy does not allow SSN’s on mobile devices.
• I don’t know that I am carrying sensitive information!

Why don’t I know? Well because my laptop does not match the systems management policy which provides for a file system monitor that scans and checks file content for sensitive information. Basically my laptop has no eyes, and neither do I.
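What such a content check could look like for the hidden-column case above, as an added example that is not part of the original post or of any product it mentions. It assumes the spreadsheet is an .xlsx file (the post names no format); the function names, the SSN pattern and the sample workbook are constructed for illustration.

```python
import io
import re
import xml.etree.ElementTree as ET  # for untrusted files, parse with defusedxml instead
import zipfile

M = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
# SSN-shaped value; excludes area 000/666/9xx, group 00 and serial 0000
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def col_number(ref):
    """1-based column number from a cell reference such as 'AB12'."""
    n = 0
    for ch in ref.rstrip("0123456789"):
        n = n * 26 + ord(ch) - ord("A") + 1
    return n

def scan_xlsx(data):
    """Return (sheet part, cell, in_hidden_column) for each SSN-shaped cell."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        shared = []
        if "xl/sharedStrings.xml" in z.namelist():
            sst = ET.fromstring(z.read("xl/sharedStrings.xml"))
            shared = ["".join(si.itertext()) for si in sst.iter(M + "si")]
        for name in z.namelist():
            if not (name.startswith("xl/worksheets/") and name.endswith(".xml")):
                continue
            sheet = ET.fromstring(z.read(name))
            hidden = set()  # column numbers the sheet marks as hidden
            for col in sheet.iter(M + "col"):
                if col.get("hidden") in ("1", "true"):
                    hidden.update(range(int(col.get("min")), int(col.get("max")) + 1))
            for c in sheet.iter(M + "c"):
                # t="s" cells store an index into the shared strings table
                text = shared[int(c.findtext(M + "v"))] if c.get("t") == "s" else "".join(c.itertext())
                if SSN_RE.search(text):
                    findings.append((name, c.get("r"), col_number(c.get("r")) in hidden))
    return findings

def make_sample():
    """Constructed workbook parts: column C is hidden and holds a made-up SSN."""
    xml = ('<worksheet xmlns="%s"><cols><col min="3" max="3" hidden="1"/></cols><sheetData>'
           '<row r="2"><c r="A2" t="inlineStr"><is><t>Pat Example</t></is></c><c r="B2"><v>4200</v></c>'
           '<c r="C2" t="s"><v>0</v></c></row></sheetData></worksheet>' % M[1:-1])
    sst = '<sst xmlns="%s"><si><t>123-45-6789</t></si></sst>' % M[1:-1]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml", xml)
        z.writestr("xl/sharedStrings.xml", sst)
    return buf.getvalue()
```

Calling `scan_xlsx(make_sample())` reports cell C2 with the hidden-column flag set, which is the case a user looking at the sheet on screen would never see.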

So my career is exposed and my employees are exposed and we don’t even know it. This is a simple case where a bad configuration creates a data leakage vulnerability. If I lose my laptop or have it stolen, I have “leaked data”.

If this breach happens then I lose my job and my company has to reconcile with the employees and provide protection against SSN theft, an embarrassing, multimillion-dollar event. Consider that I did not do anything fraudulent, deliberate or premeditated. All of this was because my machine was not configured properly.

No excuses
So do you have an automated systems management infrastructure? Why not? Frankly, you have no excuse not to implement systems management; there are plenty of technology choices. Is this just a matter of money? Well I can calculate for you that one event will cost will pay for the damage caused by a breach.

Take a look at Symantec’s Altiris solution; this is an example of stellar technology that meets the needs of systems management in the context of a security setting in a security company. It’s important to choose systems management technology that is aware of, integrated with and cognizant of Security 2.0 thinking.

The next post will discuss rule #2: Implement Data Protection.

Don on Data