Centralization, automation, problem prioritization--many IT-security professionals are embracing those concepts as they fight off the never-ending onslaught of threats. Security products can help businesses stem the flood of vulnerabilities, but IT teams also have to put in place processes to ensure that they're responding appropriately and being proactive in warding off potential dangers. Fact is, some companies spend too much on some parts of their organization and not enough on more-vulnerable areas.
Security pros are under increasing pressure to do the job right and cost-effectively as networks extend beyond firewalls to remote users, partners, and customers, and to cell phones, PDAs, and other mobile devices; regulatory requirements to safeguard data have risen; and concerns about identity theft are at an all-time high. Hackings and other unauthorized access contribute to the approximately 10 million instances of identity theft each year in this country, according to the Federal Trade Commission. "How sensitive is a company about being on the front page of the paper?" asks Pete Lindstrom, founder and analyst at Spire Security. InformationWeek and others have reported on a rash of cases involving inadequate security and poor handling of customer data. "If the value of assets is high, companies should follow security best practices," Lindstrom says.
To understand how companies are managing it all, InformationWeek interviewed business-technology professionals on the front lines to see how they're handling some common security issues. From the higher-level picture of risk management to the nitty-gritty details of patching, here's how they do it.
Start With A Master Plan
It doesn't make sense to spend $10,000 to protect a $10 asset. That's the way Christofer Hoff, chief information security officer at Western Corporate Federal Credit Union, sees it. Every security-remediation plan requires knowing how important a specific asset is to the company before time and money are spent securing it. For example, an E-commerce server that brings in millions of dollars in sales is more important than a print server, so it's higher on the fix and secure lists.
CISO Hoff worked with business-unit managers to set security priorities.
For many businesses, implementing a risk-management plan should be at the top of their security to-do list, says Jon Oltsik, an analyst at Enterprise Strategy Group. But few have taken that step, he says. Instead, the most common reaction to a new threat is to buy more technology. "It's like you're sick, but you just buy medicine instead of going to the doctor," he says.
"With vulnerability assessment before, we'd sift through hundreds of pages for the E-commerce server or the print server," Hoff says. "Now Qualys shows us where we're vulnerable in business terms." For example, when Microsoft issues patches for its Windows operating system, the credit union uses Qualys VM to identify the first servers to patch. Other security risk-management vendors include Consul, eEye Digital Security, and Trusecure.
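The prioritization Hoff describes, severity weighted by the business importance of the asset rather than severity alone, is easy to reproduce in a few lines. The following is an added illustration, not Qualys output or the credit union's own code; the asset register, host names, criticality scale and VULN-xxxx finding identifiers are all constructed for the example.

```python
"""Risk-based patch ordering: rank scanner findings by how much the affected
asset matters to the business, not only by raw severity.

Added illustration only. The asset register, host names and finding ids are
constructed for this example and are not scanner output."""
from dataclasses import dataclass

# Constructed asset register: business criticality 1 (low) .. 5 (critical),
# agreed with the business-unit owners rather than guessed by IT.
ASSET_CRITICALITY = {
    "ecom-web-01": 5,   # revenue-bearing e-commerce front end
    "ecom-db-01": 5,
    "hr-app-01": 3,
    "print-01": 1,      # the print server from the article's comparison
}

# Constructed scanner findings: (host, finding id, severity 1..5).
# "VULN-xxxx" ids are placeholders, not real vulnerability identifiers.
FINDINGS = [
    ("print-01", "VULN-0001", 5),
    ("ecom-web-01", "VULN-0002", 4),
    ("hr-app-01", "VULN-0003", 4),
    ("ecom-db-01", "VULN-0004", 2),
    ("lab-box-07", "VULN-0005", 5),   # host missing from the asset register
]


@dataclass
class Ranked:
    score: int
    host: str
    finding: str
    severity: int
    criticality: int
    unregistered: bool


def rank_findings(findings, register, default_criticality=3):
    """Return findings ordered highest risk first.

    Risk is severity multiplied by business criticality. A host missing from
    the register gets a conservative default and is flagged, so the gap in
    the register is fixed instead of the finding being silently buried."""
    ranked = []
    for host, fid, sev in findings:
        known = host in register
        crit = register.get(host, default_criticality)
        ranked.append(Ranked(sev * crit, host, fid, sev, crit, not known))
    # Tie-break on criticality, then host name, so the order is deterministic.
    return sorted(ranked, key=lambda r: (-r.score, -r.criticality, r.host))


def patch_order(findings, register):
    """Compact (host, finding, score) list in the order to patch."""
    return [(r.host, r.finding, r.score) for r in rank_findings(findings, register)]


if __name__ == "__main__":
    for r in rank_findings(FINDINGS, ASSET_CRITICALITY):
        flag = "  <- host not in asset register" if r.unregistered else ""
        print(f"{r.score:3d}  {r.host:12s} {r.finding}  "
              f"sev={r.severity} crit={r.criticality}{flag}")
```

Note that the severity-5 finding on the print server lands last, and the severity-4 finding on the e-commerce front end lands first, which is exactly the "business terms" ordering the quote describes. The unregistered host is the case to watch: defaulting it to a middle criticality keeps it visible, whereas defaulting to zero would hide it.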
As far as security technology has come, passwords may still be the weakest link in the security chain. "Passwords are the easiest way in," says Andy Jaquith, an analyst at the Yankee Group. "Bad guys get into accounts and try to escalate to a higher level." There's also potential for rogue employees to attempt to access sensitive data. That leads to an endless cycle where passwords are regularly changed to avoid trouble.
It all adds up to the need to deploy smart identity-management tools and establish savvy practices. At Vitas Healthcare Corp., with a workforce of 6,000 and operations across 15 states, authorized employees enter as many as a half-dozen passwords a day to access multiple databases. While it's important to maintain password discipline to secure customers' health-care data, maintaining and managing the situation creates a drag on the IT department. "Our help desk spends 30% of their time on password management and provisioning," says John Sandbrook, senior IT director at Vitas. The company is changing that using Fischer International Corp.'s Fischer Identity Management Suite 2.0 to manage passwords and comply with data-access regulations such as the Sarbanes-Oxley Act. Vitas implemented the suite last fall, and it expects to cut help-desk time spent on passwords by 25%.
The ID-management product includes automated audit, reporting, and compliance capabilities, and a common platform for password management, provisioning, and self-service. "Any company must have unique user IDs and passwords that change frequently," Sandbrook says. With the software, Vitas can enforce strong passwords that some legacy systems won't require on their own, such as those with seven, eight, or nine characters, numbers, and capital letters. And when Sandbrook does an audit, "I see who changed [password] information with good practices, and I feel assured."
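Centrally enforcing a password policy that legacy systems cannot enforce themselves, as Sandbrook describes, amounts to a small rule engine placed in front of the password change. The block below is an added illustration written for this article; it is not the Fischer Identity Management Suite or Vitas's actual policy, and the thresholds (eight-character minimum, ninety-day rotation) are assumptions chosen to match the article's description of length, digits, capital letters and frequent change.

```python
"""Password-policy enforcement in front of systems that cannot enforce it
on their own. Added illustration only: not a vendor product and not the
policy of any company named in the article. Thresholds are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8          # assumption: article mentions 7-9 characters
    require_digit: bool = True   # "numbers"
    require_upper: bool = True   # "capital letters"
    require_lower: bool = True
    max_age_days: int = 90       # assumption for "change frequently"


def policy_violations(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the name of every rule the password fails; empty means compliant.

    Reporting all failures at once, rather than stopping at the first, lets
    the self-service portal show the user everything to fix in one pass."""
    failed = []
    if len(password) < policy.min_length:
        failed.append(f"min_length:{policy.min_length}")
    if policy.require_digit and not any(c.isdigit() for c in password):
        failed.append("digit")
    if policy.require_upper and not any(c.isupper() for c in password):
        failed.append("upper")
    if policy.require_lower and not any(c.islower() for c in password):
        failed.append("lower")
    return failed


def is_compliant(password: str, policy: PasswordPolicy = PasswordPolicy()) -> bool:
    return not policy_violations(password, policy)


def rotation_due(last_changed: date, policy: PasswordPolicy, today: date) -> bool:
    """True when the password is older than the policy's maximum age.

    'today' is passed in rather than read from the clock so an audit can be
    replayed against a fixed date."""
    return today - last_changed > timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("short1", "alllowercase99", "Winter2024x"):
        problems = policy_violations(candidate, policy)
        print(f"{candidate!r}: {'ok' if not problems else ', '.join(problems)}")
    print("rotation due:",
          rotation_due(date(2024, 1, 1), policy, date(2024, 4, 30)))
```

The value of putting this in one place is the audit Sandbrook mentions: every system behind the identity-management layer gets the same rules, and the violation list gives a uniform record of why a change was rejected.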