Balancing Security Against Productivity

What makes for great security? Is it about keeping the bad guys out or letting the good guys in? About defending attacks or preventing them? When IDG Research Services queried IT security professionals on the topic, intriguing insight into the effectiveness of security management came to light."Security encompasses all of that and more," says Richard Whitehead, director of product marketing for Identity and Security and Systems and Resource Management at Novell. "It's a delicate balancing act and CSOs are challenged with implementing just the right mix of technologies to help their businesses move forward." This balancing act requires a holistic, integrated approach to security--complete with security/events management, identity/access management and systems/change management. All three disciplines must interact automatically and seamlessly to ensure an effective level of service that enables good business. When IDG Research Services queried IT security professionals on the topic, intriguing insight into the effectiveness of security management came to light. Key findings include: ß Uptime is the most popular measure of effectiveness. ß An assortment of methods, including automated tools, are being used for monitoringand measurement.ß Confidence is lacking regarding whether the right IT controls are in place. ß Protecting information from theft or degradation is of utmost importance, while strategic initiatives such as reduced complexity, lower costs and automation rank lower. STRIKING THE RIGHT TECHNOLOGY BALANCE When it comes to striking the right balance in enterprise security management, successful CSOs are looking at the big picture.Take, for example, one survey respondent's learned perspective: "Our approach to security risk management is based on classic defense-in-depth concepts," says Isabelle Theisen, CSO of First Advantage Corporation. "Therefore, our strategic road map aims at identifying automated solutions, processes and resources that assist us in securing our assets." She says security/events management, identity/access management and systems/ change management are essential to any security risk management strategy and are all part of her program. "All are equally important, as they complement each other in addressing IT,regulatory and general business operations controls," she adds.Each discipline offers unique capabilities that add value to the overall security health of an enterprise:ß Security/events management tracks security and compliance issues such as policy violations and problems with service continuity management.ß Identity/access management controls network access with control over authorizations, roles and other access management challenges.ß Systems/change management monitors configuration and patch levels, and enacts change management as well as, potentially, release management processes. Many of those surveyed by IDG Research see the value of these disciplines, with nearly one-half of respondents rating security/events management and identity/access management as extremely or very effective in protecting enterprise networks. Only 7 percent, however, rate systems/change management equally effective--perhaps because the discipline is perceived to be closely linked to vendor patch management.83% cite uptime/reliabilityas the top metric for measuring IT effectiveness."The fact that respondents perceive these technologies to be effective is certainly evidenced by market growth in these technology segments," says Whitehead. "However, as a stand-alone solution, the effectiveness of any one discipline is significantly decreased." Security strategies, he says, must do it all: understand user privileges, monitor patch levels, initiate change management processes and even track issues or problems. What's more, security must apply to the desktop, the data center and everything in between, including the fast-growing arsenal of mobile devices.One respondent says that makes defense-in-depth--which to him means "having the right technology solutions to enable multiple layers of security"--one of the most effective methods for protecting information and services. MEASUREMENT TAKES DIFFERENT FORMS While security effectiveness is top of mind, its measurement remains somewhat subjective. "Metrics can be generated as needed to demonstrate risks, threats, compliance levels, remediation efforts, remediation costs, etc., across the organization and against multiple controls," Theisen says. "Uptime is the No. 1 way for IT to justify its job," says Whitehead. This is a metric that the market points to immediately for measuring IT effectiveness--perhaps, he says, because it's relatively easy to quantify. This certainly comes to bear in the survey, with respondents citing uptime/reliability (8 percent) as their top metric, along with other quantifiable statistics such as passing audits (69 percent) and help desk incidents (58 percent). "Conversely, business leaders rely on other metrics, often taking uptime as a given," Whitehead adds. Compliance and ROI, for example, are much more telling statistics for the business-minded. Yet they are harder to measure, so it's not surprising that survey respondents mention them less frequently (50 percent and 45 percent, respectively). "This finding suggests that the lowest common denominator--uptime or help desk incidents--is the most used form of measurement," concludes Whitehead. But CSOs can and should expect more from their efforts. In fact, the auditing and reporting tools needed for proper measurement are already included in many products, he says. Theisen takes measurement to new heights with a three-year security risk management strategic plan for which one of the major elements is the "gathering and distribution of security/privacy/ risk/threat metrics." She explains, "We are developing an enterprise-wide reporting back end that will pull data from various networks, systems, applications, databases, etc., into one centralized console and then match the data we have obtained against multiple controls." Of course, says Whitehead, the real value lies in tracking what will help the business move forward. This is best accomplished by mapping security initiatives to business processes in a way that transforms business objectives into IT implementations. As a result, every implementation directly supports top- and bottomline business goals and even provides justification for funding. AUTOMATION MEASURES UP With regard to measurements, it's clear that no single approach is the catch-all. The survey reveals that internal audit teams (69 percent), manual processes (65 percent) and automated tools (60 percent) are the methods most frequently used. UPTIME IS THE MOST COMMON METRIC USED TO MEASURE THE EFFECTIVENESS OF THE IT ENVIRONMENT With regard to measurements, it's clear that no single approach is the catch-all. The survey reveals that internal audit teams (69 percent), manual processes (65 percent) and automated tools (60 percent) are the methods most frequently used.4 This aptly demonstrates that every method brings something different to the table. For example, external audits can be very helpful for emulating historical "peer" performance, while internal audit teams perform common sense tactics that reflect the unique requirements of specific IT environments, and manual processes are important for documentation. "You need to know what you've got, so you can start with a foundation and automate from there. Many people choose to do manual tracking versus using automated tools." says Whitehead. Be warned, though, that manual processes can be manipulated and are prone to error. Automation with ongoing auditing and tracking capabilities often proves to be more effective. "Forwardthinking CIOs are basing their process management improvements around ITIL [IT Infrastructure Library]," says Whitehead. "ITIL provides best-practice guidelines to ensure that IT processes are closely aligned with business processes and that IT delivers the correct and appropriate business solutions." The framework sets the stage for IT plans, models and processes, and dictates the roles and relationships required to automate processes. Common ITIL components include configuration management, release management, change management, incident management, problem management and availability management. BUILDING CONFIDENCE Despite the vigorous focus on security effectiveness, respondents indicate that they are not wildly confi- dent that the right IT controls are in place to protect their enterprise. In fact, only 5 percent say that they are extremely confident. On the other hand, some 46 percent are somewhat confident, and 18 percent are not very or not at all confident.This lack of confidence is expected to a point. After all, there is always some risk present in any IT environment. "More telling,however, is the fact that most organizations work in silos," says Whitehead. "So no one individual or department has complete control over or visibility into every discipline." A very confident CSO--one of the 6 percent of respondents who indicate they are extremely or very confident--has likely put some safeguards in place. "These individuals have integrated their technologies and processes, eliminating silos with a holistic approach to security," Whitehead suggests. "They've probably put configuration and automation in place based on policies that map back to the business, and they're likely to have put IT products through proof-of-concept testing for IT controls." With confidence so low, what exactly is keeping CSOs awake at night? One respondent is very clear about his primary concerns: "Protecting information, enabling secure delivery of business services and supporting compliance." Protecting information from theft is top of mind for 5 percent of respondents, who rate it as extremely important. Following closely are other urgent, albeit tactical, initiatives, with ensuring regulatory compliance coming in at 5 percent and ensuring user privacy at 41 percent. Fewer respondents classify strategic imperatives to be extremely important. That includes improved security posture ( percent), lower costs ( percent) and reduced complexity (18 percent). Oddly, only 1 percent of respondents say automated processes are as important as these other factors. "Of course, that doesn't mean automation isn't happening today," says Whitehead. "CSOs Process Makes Perfect ITIL is important because it brings business processes and technology together through a series of interrelated management disciplines. Novell's Blueprint for Better Management shows how the following technology can be mapped to the ITIL process:ß Discover: Identify what is in the infrastructure at any given point in time.ß Relate: Know how resources interact with each other in terms of dependencies and capacity and bandwidth requirements. ß Contain and Instantiate: Provide life-cycle management for instantiation, usage and retirement of images.ß Manage: Manage silos through functional processes,including service delivery, service support and application management.ß Orchestrate: Allocate or reserve computing resources for the workload required to execute on business objectives.ß Virtualize: Offer executive dashboard views of the overall state of the system."This blueprint must cover all the computing resources in a typical enterprise, including desktops, servers, storage and network connections as well as personal, handheld and telecommunications devices," says Novell's Richard Whitehead.

About the Author

Vijay Kaul

Principal Consultant, Global Information & Communication Technology Industry. I have a Global Role for Research and Consultancy. on present day and future Best Practices in the ICT Domain for Total Enterprise Communication,(Data+voice+vedio) Integration which involves migration of all communication platforms to Internet Protocol(IP) and Enterprise Application Integration