What you don’t know won’t hurt you, goes an old adage. In IT security, what end-users don’t know won’t hurt the company: that is the premise of a security strategy that one Canadian market research firm has proposed.
Dubbed Adaptive Security, this IT security model promotes the use of tightly integrated security tools within and between computing platforms, from desktops to network devices to servers.
Developed by London, Ont.-based Info-Tech Research Group, the Adaptive Security model eases the responsibility of end-users when it comes to information security. The model adheres to the principle that enterprise security should ultimately be the responsibility of a designated group or individual, said James Quin, a senior research analyst at Info-Tech. “[Enterprises tend to] push a lot of responsibilities of security to the end-user, such as patch updating or making the decision as to what file attachments can and can’t be opened,” Quin explained.
Although users are always expected to adhere to corporate policies, it is “unfair” to expect them to become a big part of the IT security solution, the Info-Tech analyst added.
The Adaptive Security model recommends out-of-band security operation, in which all security devices are solely the security manager’s responsibility and operate in the background. The security tools, including those installed at the endpoint, essentially become invisible to end-users, preventing them from changing the security configurations or disabling the security features.
The model also advocates the adoption of hardware-based encryption protection enabled by trusted platform module (TPM) chips, and the deployment of ubiquitous security agents that interact with the TPM to validate data and establish secure connections with devices and the network.
The Info-Tech analyst stressed, however, that the Adaptive Security model does not directly solve social-engineering-related problems. It reinforces protection against these types of attacks but ultimately, users are still going to have to make some kind of decision that can affect security, he said. “All we can do is to minimize the impact that that decision can have to [IT security].”
The impact of user actions on security is minimized by establishing a unified security management system that pushes IT security policies down to the endpoint. Endpoint devices must then be able to report back to the same central repository where all security data and incidents across the enterprise are stored, explained Quin.
This will enable consolidated information gathering and centralized security auditing so IT managers can track down an incident more quickly and more efficiently, and perform immediate remediation.
Adaptive Security also aims to enhance the organization’s regulatory compliance initiatives, as enterprise security increasingly becomes a policy issue. “Security enables compliance and at the end of the day, it is a business issue,” said Ross Armstrong, a senior research analyst at Info-Tech specializing in compliance and risk management.
He suggested organizations establish a link between security and compliance, as security threats such as identity theft and loss of confidential corporate information have a direct effect on regulatory compliance.
“Without policy, security isn’t going to help much,” Armstrong said. Linking security with compliance is only going to be more significant as experts predict that within the next 10 years, every company will be subjected to some form of regulation, he added.
A recent global survey of C-level executives by CIO, CSO and PricewaterhouseCoopers, entitled The Global State of Information Security 2006, showed that a larger percentage of companies are aligning security objectives with business goals and prioritizing data sets based on the sensitivity of the information contained in each application.
Armstrong urged organizations to focus their IT security budgets on “the right solutions” that can provide the enterprise a holistic view of security through centralized policy enforcement, automated reporting and auditing, and integrated security and compliance infrastructure.
A projected US$65 billion will be spent by companies worldwide on IT security next year, representing a little over seven per cent of the total global IT budget, according to Info-Tech’s Armstrong.