What NOT to do for Information Security

Among the 20,000 attendees at the RSA Conference, talking with customers, partners, and competitors, I am learning more about what NOT to do for information security than about what should be done. Here are some notes from those meetings on what NOT to do:

Over-reliance on analysis

Analyzing and tagging the data in your organization, whether humans or machines generated it, is critical, and you can rarely run too much analytics over it. Relying on analysis alone, however, is a mistake.

If your analysis looks for specific patterns or rules, those are exactly the things attackers can learn and quickly work around. What happens in these cases is that the cost of the analysis, and of the decisions it drives, ends up exceeding its benefit. For instance, a large retailer once analyzed the cost of adding and extending physical security to prevent shoplifting and found that doing nothing was, financially, far more beneficial.
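
To show why a literal pattern is brittle, here is an added example in Python (not code from the original post): a constructed set of process-creation events, a literal command-line signature, the same signature after normalisation, and a behavioural rule keyed on the parent process instead of the command text. The events, process names and the three rules are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record: who spawned what, with what command line."""
    parent: str
    image: str
    cmdline: str


# Constructed sample telemetry for this example (not from the original post).
EVENTS = [
    ProcessEvent("explorer.exe", "cmd.exe", "cmd.exe /c whoami"),          # admin at a console
    ProcessEvent("winword.exe", "cmd.exe", "CMD.EXE /C who^ami"),          # macro: case change + caret
    ProcessEvent("w3wp.exe", "cmd.exe", 'cmd.exe   /c  "whoami"'),         # webshell: spacing + quotes
    # "dwBoAG8AYQBtAGkA" is the base64 of the UTF-16LE string "whoami"
    ProcessEvent("winword.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc dwBoAG8AYQBtAGkA"),   # macro: encoded command
    ProcessEvent("explorer.exe", "notepad.exe", "notepad.exe notes.txt"),  # benign
]

# 1. A literal signature: the kind of "specific pattern" the post warns about.
SIGNATURE = re.compile(r"cmd\.exe /c whoami")


def signature_hits(events):
    """Indices of events whose raw command line matches the literal signature."""
    return [i for i, e in enumerate(events) if SIGNATURE.search(e.cmdline)]


# 2. The same signature after normalising the command line. This catches the
#    cheap evasions, but every new trick (encoding, aliases, other binaries)
#    needs yet another rule, so the attacker stays a step ahead.
def normalize(cmdline):
    s = cmdline.lower().replace("^", "").replace('"', "")
    return re.sub(r"\s+", " ", s).strip()


def normalized_hits(events):
    return [i for i, e in enumerate(events) if SIGNATURE.search(normalize(e.cmdline))]


# 3. A behavioural rule that ignores the command text entirely: a document
#    reader or web server spawning a shell is suspicious whatever it runs.
#    Note that it does not flag the admin at the console (event 0).
SHELL_SPAWNING_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def behavioral_hits(events):
    return [i for i, e in enumerate(events)
            if e.parent.lower() in SHELL_SPAWNING_PARENTS and e.image.lower() in SHELLS]


if __name__ == "__main__":
    print("literal signature :", signature_hits(EVENTS))    # [0]
    print("normalised        :", normalized_hits(EVENTS))   # [0, 1, 2]
    print("behavioural       :", behavioral_hits(EVENTS))   # [1, 2, 3]
```

The literal rule catches only the unobfuscated command; normalising the input recovers the caret, case and quoting tricks but still misses the encoded PowerShell; the behavioural rule catches all three malicious launches without knowing what was typed, at the price of a different false-positive profile. The point is not that rules are useless but that a detection program built only on known patterns is one the adversary can test against and tune around.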

Over-provisioning of access

When setting up role-based access control for security or regulatory reasons, most customers draw up an exhaustive list of the use cases each role would or might perform and grant access for all of them. It is better to be conservative: grant the access a role needs day to day, and provide anything beyond that, such as simple read-only reports, on request. At the same time, locking everything down and prohibiting collaboration is equally bad practice; it is possible to provide a collaboration platform that is both open and safe.

Treating data as shared enterprise

Data is an important company asset. It is dynamic and keeps moving between people, systems and applications. It is not a shared enterprise resource that anyone may use however they like, and treating it as one without getting everyone to commit to the new way of working is not a good idea. When you roll out tools such as salesforce.com or eloqua.com that put more information in users' hands, educate those users on what they are now able to do and what they should be careful about.

Mobility and corporate data

Your users want all of the corporate data on their mobile device of choice, but they may not comply with every company policy. They may refuse to install the MDM (mobile device management) agent over battery or privacy concerns, or they may simply lack good security habits, such as strong passcodes and device encryption. Data loss from stolen or lost mobile devices has become a common issue, and most of it comes down to putting the full corporate data set on badly provisioned devices.

Over-reliance on cloud service providers

Whose responsibility is security? The cloud service provider's? The vendors'? The applications running on top of these clouds? The users'? The answer: all of the above. Most users assume it is somebody else's responsibility and end up in a fire fight. Whether the cloud is public, private, or hybrid, simple measures such as log management and security event management go a long way: Verizon's Data Breach Investigations Report found that 97 percent of breaches were avoidable through simple or intermediate controls. The next time you evaluate a cloud service, make sure it exposes security events through REST APIs so that you can pull them into your own security analytics tools rather than depending on the provider to notice an incident for you.
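
As an added example (not part of the original post), here is what pulling events through a REST API and analysing them yourself looks like, in Python. The audit API, its `/audit/events` endpoint, cursor pagination, bearer token, event schema and the events themselves are all constructed for the illustration and served from a local stand-in so the script runs offline; a real provider's API will differ in shape, but the collector-plus-detection pattern is the same.

```python
"""Pull audit events from a cloud provider's REST API and run simple detections
over them. The endpoint, token, event schema and the events are constructed for
this example (assumptions, not any real provider's API)."""
import json
import threading
import urllib.request
from collections import defaultdict
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlparse

API_TOKEN = "example-token"   # assumption: the API uses bearer-token auth

# Constructed audit events, split into pages as a cursor-paginated API returns them.
PAGES = [
    [
        {"ts": 1000, "type": "login", "outcome": "failure", "user": "alice", "src": "203.0.113.9"},
        {"ts": 1010, "type": "login", "outcome": "failure", "user": "alice", "src": "203.0.113.9"},
        {"ts": 1020, "type": "login", "outcome": "failure", "user": "bob",   "src": "203.0.113.9"},
        {"ts": 1030, "type": "login", "outcome": "failure", "user": "carol", "src": "203.0.113.9"},
        {"ts": 1035, "type": "login", "outcome": "success", "user": "bob",   "src": "198.51.100.7"},
    ],
    [
        {"ts": 1040, "type": "login", "outcome": "failure", "user": "dave",  "src": "203.0.113.9"},
        {"ts": 1050, "type": "login", "outcome": "failure", "user": "erin",  "src": "203.0.113.9"},
        {"ts": 1100, "type": "login", "outcome": "failure", "user": "bob",   "src": "198.51.100.7"},
        {"ts": 1200, "type": "iam.policy_change", "outcome": "success",
         "user": "svc-deploy", "src": "192.0.2.44"},
    ],
    [
        {"ts": 1300, "type": "login", "outcome": "success", "user": "alice", "src": "198.51.100.7"},
    ],
]


class FakeAuditAPI(BaseHTTPRequestHandler):
    """Stand-in for the provider: GET /audit/events?cursor=N, bearer auth, JSON pages."""

    def do_GET(self):
        if self.headers.get("Authorization") != f"Bearer {API_TOKEN}":
            self.send_response(401)
            self.end_headers()
            return
        page = int(parse_qs(urlparse(self.path).query).get("cursor", ["0"])[0])
        body = {"events": PAGES[page],
                "next": page + 1 if page + 1 < len(PAGES) else None}
        data = json.dumps(body).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # silence per-request logging
        pass


def pull_events(base_url, token):
    """Collector side: follow the cursor until the API reports no next page."""
    events, cursor = [], 0
    while cursor is not None:
        req = urllib.request.Request(f"{base_url}/audit/events?cursor={cursor}",
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=5) as resp:
            body = json.load(resp)
        events.extend(body["events"])
        cursor = body["next"]
    return events


def detect(events, fail_threshold=5, window=300):
    """Analytics side: flag any source with >= fail_threshold failed logins inside
    `window` seconds (brute force / password spraying), and every IAM policy
    change so that each one gets reviewed."""
    findings = []
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "login" and e["outcome"] == "failure":
            failures[e["src"]].append(e["ts"])
    for src, times in failures.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= fail_threshold:
                findings.append(("brute_force", src))
                break
    for e in events:
        if e["type"] == "iam.policy_change":
            findings.append(("privilege_change", e["user"]))
    return findings


def run_demo():
    """Serve the constructed API locally, pull every page, analyse, shut down."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakeAuditAPI)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        events = pull_events(f"http://127.0.0.1:{server.server_address[1]}", API_TOKEN)
    finally:
        server.shutdown()
        server.server_close()
    return len(events), detect(events)


if __name__ == "__main__":
    count, findings = run_demo()
    print(f"pulled {count} events; findings: {findings}")
```

The spray from 203.0.113.9 only becomes visible once pages are joined and sorted, which is why the collector has to walk the whole cursor rather than look at the latest page, and why the analysis belongs in your tooling rather than in whatever dashboard the provider happens to offer. The one failed login from 198.51.100.7 stays below the threshold, and the IAM policy change is surfaced regardless of outcome because a successful privilege change is the one you most want a human to look at.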

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.