Author(s): Sowmya Murthy, Posted 06/8/12
“Anonymous hacks Department of Justice, leaks 1.7GB of data”
“Security Breaches Shake Confidence in Credit-Card Safety”
“Britain’s Serious Organized Crime Agency website hit by cyber-attack”
“Survey by Ponemon Institute reveals that information theft continues to represent the highest external cost. On an annualized basis, information theft accounts for 40% of total external costs.”
Gloom in the headlines and statistics that don’t shock us anymore – representative of a world that we all have to live in, organizations have to operate in, and economies have to flourish in.
Cyber criminals are deploying deadlier cyber weapons at a brisk pace and designing malicious software for a spectrum of devices. It’s no surprise, then, that a recessionary environment coupled with a competitive market and demanding customers is making most enterprises feel a heightened sense of insecurity.
The need of the hour is to raise protection levels against cyber-crime with visibility across all aspects of security operations. Deploying a comprehensive security solution that properly assesses and mitigates security risks, monitors and responds to persistent attacks from the outside or inside, and safeguards what the organization values, will go a long way in achieving your enterprise security goals.
The motivation for change is clear. So, what next? How does one define, design, and deploy a comprehensive security solution? How much security is enough?
In an environment where organizations spend millions of dollars on deploying a combination of security solutions from different vendors that create complexity and system overhead, such questions need to be answered. We at Unisys believe that a security posture based on the following 7 security principles is a good place to start:
- Confidentiality – Make data and systems accessible only to authorized users, and withhold information from unauthorized users.
- Integrity – The importance of accurate information can’t be overstated in today’s business environment. Have the assurance that the data being accessed hasn’t been tampered with, and is trustworthy and dependable.
- Availability – Enterprise data must be available at the required level of performance at all times (in security events ranging from normal to catastrophic). Lack of availability is loss of use.
- Authentication – Validate a user’s unique identity to confirm that the end-user is genuine. A strong authentication approach does this by combining two or more authentication factors – “something you know” (password/PIN), “something you have” (smartcard), “something you receive” (one-time password), “where you are” (GPS), and “something you are” (multi-modal biometrics – face, voice).
- Authorization – Once a user is authenticated, ensure that his/her activities within the network are limited to what has been authorized. The idea is to establish a well-defined authorization mechanism with the means of detecting unauthorized activity.
- Non-repudiation – An organization’s information assurance systems must provide a mechanism by which a sender or recipient of a message is able to prove that their counterpart did in fact take the action in question. Systems must ensure that a user cannot deny undertaking a transaction at a later stage.
- Auditing – The security posture must ensure the traceability of every single transaction on the network. In case of a dispute, it should be possible to work back through each step in the process to determine where the problem occurred and who was responsible.
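To make the integrity, authorization and auditing principles above concrete, here is a small added example (not Unisys code, and not from the original post): an authorization check whose every decision, permitted or denied, is appended to a hash-chained audit log, so that any edited or deleted record can be detected and each step traced back. The permission table and user names are constructed for the example; true non-repudiation would additionally require each actor to sign their own entries with a private key, which this example leaves out.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed permission table for the example: which actions each user may perform.
PERMISSIONS = {
    "alice": {"read:payroll", "write:payroll"},
    "bob": {"read:payroll"},
}


@dataclass
class AuditLog:
    """Append-only log. Each entry carries the hash of its predecessor, so editing,
    reordering or deleting any record breaks the chain (integrity + traceability)."""
    entries: list = field(default_factory=list)

    def _digest(self, body: dict, prev_hash: str) -> str:
        # Deterministic serialisation so the same record always hashes the same way.
        payload = json.dumps(body, sort_keys=True) + prev_hash
        return hashlib.sha256(payload.encode()).hexdigest()

    def append(self, user: str, action: str, allowed: bool) -> None:
        prev_hash = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries), "user": user, "action": action, "allowed": allowed}
        entry["hash"] = self._digest(entry, prev_hash)
        self.entries.append(entry)

    def verify(self) -> bool:
        """Walk the chain from the start; any mismatch means the log was tampered with."""
        prev_hash = "0" * 64
        for seq, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if seq != entry["seq"] or self._digest(body, prev_hash) != entry["hash"]:
                return False
            prev_hash = entry["hash"]
        return True


def authorize(user: str, action: str, log: AuditLog) -> bool:
    """Authorization decision: allowed only if the action is in the user's permission set.
    Every decision is recorded, denied attempts included, so unauthorized activity is visible."""
    allowed = action in PERMISSIONS.get(user, set())
    log.append(user, action, allowed)
    return allowed
```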
Such an approach helped Spain’s Ministerio de Empleo y Seguridad Social (government agency) develop the solution it needed to monitor the status of key security vectors in real time across data centers separated by several kilometers. The new capabilities ensure that only trusted, credentialed individuals are able to gain access to these facilities, monitor activity inside the data centers, and enable subsequent audit processes.
They now know that anything less will not do.
The statements posted on this blog are those of the writer alone, and do not necessarily reflect the views of Unisys.