BEST OF THE WEB

12 steps to reducing security risk with a limited budget

CISOs regularly complain they don’t have enough money to do everything they want to secure the enterprise. But is more money the only answer?

No, argues Todd Bell, VP of enterprise architecture and security for Intersec Worldwide, a California based security consulting firm, and CISO for Forticode Ltd in Australia. You can go a long way to reduce risk by having a crafty IT architecture.

He’s not arguing that improved security won’t cost money: In fact, some of his recommendations, such as implementing a zero-trust model of security may be expensive depending on your current architecture. But his point remains: Buying the latest technology may not bring the result you need.  “More tools are not stopping security breaches,” he argues, “they only slow them down.

His first point is to stop assuming the internal network is safe after all the firewalls and endpoint protection you’ve erected. That’s the hallmark of a zero-trust network — don’t trust where the data is going internally. And, as an industry analyst told me, a zero trust network is designed to work with off the shelf technology, Kindervag said. Because its data-centric the network doesn’t have to be ripped apart.

Bell’s other steps include
–Focusing on the critical systems (those with personal, credit card and intellectual property) that matter for data protection “Do your best with the rest of the company environment,” he says, “but don’t put your career on the line with battles that don’t matter.”

–Using the concept of virtualization to overlay the desired security architecture into the existing architecture — no need to move any systems. Create a “security zone” around every server with sensitive data that becomes isolated from the rest of the internal network.

–The security zone is a low-cost firewall in front of the server with very few rules or ACLs. The security zones communicate with each other through point-to-point encryption. Other connections for monitoring server health/status go through non-encrypted communications through the security zone firewall.

–Creating a virtual “network overlay” using the security zones to compartmentalize sensitive data for existing systems instead of migrating them into a traditional security enclave/VLAN and to avoid disrupting the business. Security zones will communicate via VPN or TLS between each other through a protected encrypted tunnel.

–Utilizing a “jump-box” in front of each sensitive data server to track all access. Add two-factor authentication for critical servers for each security zone. The jump box will log and control all access to each security zone.

Other parts of the strategy include application level encryption, not database encryption, so a database administrator can’t look at sensitive data;  use the slit-key method of storing encryption keys on different servers with file directory permissions; consider splitting data for improved security; and use asymmetrical network routing to the Internet by splitting network traffic to reduce the threat of malware packet sniffing.

Read the full article here

The bottom line is there are many strategies a CISO can take to reduce a risk profile and still stay within an existing budget. See if this approach meets your needs.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web