Is Your Organization Living Below the Information Security Poverty Line?
By Steven Wolford
As the 2012 U.S. presidential election looms ever closer, I’d like to borrow shamelessly from topics in the political debate with a look toward the state of information security.
According to CNN (Poverty Rate Rises as Incomes Decline), the number of U.S. citizens living below what is considered the bare essentials is on the increase. I believe we can say the same for information security programs. According to the SANS Institute, the top security controls can be boiled down to 20 critical controls (Top 20 Critical Controls). These are regarded as the “poverty line” for an information security program – the bare essentials needed for a program to live at a level regarded as a minimum standard.
Have you turned down a security control because it was too expensive?
ENSIA (the European Network and Information Security Agency) has stated, “the same amount of investment in security buys better protection” (Cloud Computing, Benefits, Risks, and Recommendations for Information Security). We have long understood that scale brings cost optimization. By spreading the cost of controls over a larger number of organizations, cloud service providers (CSPs) are able to either deliver equivalent controls at a lower price or enhanced controls at a similar price.
Work with your CSP to understand the controls already implemented, those that are planned, and those that you require for the assets you are moving to the CSP. The different cloud models (software/platform/infrastructure as a service) will each be able to deliver a different set of controls. You should expect to bring more controls to an information as a service (IaaS) provider than to a security as a service (SaaS) provider. However, you should still expect to see cost efficiencies with IaaS.
What if the chosen CSP doesn’t offer the controls you need? Reinvest the capital expenditure or operating expenditure savings into providing your own controls or, even better, negotiate with the CSP to get the controls installed and leveraged across all of their customers. Security is moving from “build your own” to “assemble your own.” There is even a growing industry in SaaS that is a cloud-computing model that delivers managed security services over the Internet. Technopedia defines SaaS as “based on the software as a service (SaaS) model but limited to specialized information security services.” Engaging an SaaS provider is yet another way to help lower the cost of living at the information security poverty line.
Have you not implemented a security control because your environment is too complex?
Your business does not have to be listed on the NYSE to have not implemented a security control because your existing IT feels too complicated to integrate with a control or for the cost of applying a control to become cost prohibitive due to IT sprawl.
Most security frameworks today recommend taking a risk-based approach to identifying the controls that are appropriate for any given environment. In order to first identify risk, you must know all of the components that collectively create an information system. Often the cost of implementing a proper set of controls spirals out of control when attempting to apply them to a complex or spread out system.
Moving an information system into an IaaS CSP is the perfect opportunity to identify, consolidate, and simplify an information system. Identifying all the components of an information system is potentially the most significant step toward proper control selection; you cannot protect what you do not know about.
It is still not uncommon to hear about a critical business system that relies on the spreadsheet saved on a folder on the hard drive in someone’s workstation. As an example, when you plan for the security of your current monthly billing, do you in fact remember this critical component or do you go about happily installing the latest intrusion detection system on the accounting server and congratulating yourself along the way for protecting the company's financial systems.
Consolidating components is at the same time a risk and a benefit. Personally, I see far more benefits and, with the concept of cloud brokering, there are ways to enjoy the benefits while minimizing the risks. Let’s get the scary stuff over with first. The risk is that consolidation puts all your eggs in one basket, so to speak. The target becomes a higher-value target because the reward of breaching (or the cost of loss) becomes higher. Enter the cloud broker and enjoy the benefits of consolidation but spread the risk by sprinkling your information systems over different CSPs.
What are the benefits that outweigh the risks? Reduced complexity to install, manage, and monitor the controls used to protect the system. There is a reason why banks put valuables into a safe – the same risks identified above, but even bankers know it is far easier and less costly to put them into a central location.
That leads us to simplify. By moving your information system to a CSP, you are able to simplify the implementation of appropriate security controls. One of the leading causes of delay in detecting and responding to a security incident is an overly complicated control implementation. Even if controls are properly implemented in a complicated system, gathering the control information in one place can be difficult (if your environment was such that getting data in one place was easy, you would probably already have the information system simplified).
Craig Balding in his cloudsecurity.org blog even lists centralized data as the number one security benefit of “The Cloud.” I think this understates the real benefits. While Craig believes reduced data leakage and monitoring benefits are the winners, I would extend that to improved knowledge of how the system as a whole works and is architected. Move the financial system into an IaaS provider and you will quickly find that critical spreadsheet on that workstation.
Have you not implemented a security control because it was too difficult?
Many modern security controls require infrastructure just as complex as the information systems they protect. Network, application, data, access, logging, and much more all require technical solutions to be implemented, updated, managed, monitored for relevant information, and then responded to when an interesting event happens. It is not surprising at all that some have had to make the decision that applying all of this is just far too difficult. You make a decision that doing that one thing for security is just too hard to digest into your other business responsibilities.
CSPs can help ease that pain. Many security vendors offer solutions that take advantage of cloud architectures and make the implementation process much easier.
Take anti-virus (AV) for example. Most major vendors today offer a cloud ready solution where AV can be offered as an SaaS or in cloud-optimized versions to let you maintain total control over the AV solution. Either way, actually implementing the AV solution can be as easy as installing the client in a base image and deploying that client with each and every server turned on.
As we hear the political messages of the day, I encourage you to consider the “information security poverty line.” Take a look at your security posture and tolerance for risk. Are you forcing the information security program to live below the poverty line? If so, is there something that you can do about that?
I would say YES! The first step, to paraphrase political consultant James Carville, is to remember, “It’s the risk, stupid.” Stay tuned for more on that politically inspired theme.
Steven Wolford is director of information security for 6fusion (www.6fusion.com). 6fusion provides a utility-metered cloud management platform that enables global workload distribution by turning public, private and hybrid clouds into pay-per-use billable utilities.
Wolford has more than 20 years of experience in IT infrastructure management, security design, network management, system administration and technical support. He currently leads corporate operational risk management activities, including managing the development and implementation of global security policy, standards, guidelines and procedures.