I just finished reading an interesting blog post by Andrew Braunberg of Current Analysis titled “Placebos, Dogs, Burglars and Security”. Andrew makes the point that “Vendors need to get serious about risk management and data-centric protection schemes. And they need to address remediation.” I couldn’t agree more.
Risk management is about managing risk, not eliminating it. In today’s Internet-connected world there is no such thing as absolute security; if we are being completely honest, there has never been anything approaching absolute security since the time of the caveman. In the real world risks can be managed, but they are part of life and cannot be eliminated. Technology provides a set of tools to manage risk and enforce security policies. A key part of defining a security policy is determining how much risk is acceptable. One size does not fit all, and it is up to each enterprise to decide how much risk it is willing to tolerate.
The first step in risk management is to identify the company’s intellectual property and resources and assign each a risk tolerance. At one end of the spectrum is information or resources so critical or sensitive that they should never be stored on an Internet-connected computer or device; at the other end is marketing information designed to be shared with the world. After inventorying and classifying the information and resources, the next step is to define the protections, both physical and networked, that should be applied to each risk class. For example, it is probably acceptable to store marketing information on an Internet-facing web server in the corporate DMZ, but engineering information should be encrypted and stored on a dedicated server behind an internal firewall or IPS.
After the information and resources have been assigned risk categories, it is time to go to the technology toolbox and design a security solution. The security solution should provide three key elements:
• Visibility is the ability to detect everything and everyone connected to the network, identify the applications they are using, and see which resources they are accessing.
• Enforcement involves applying the principle of least privilege to network access.
• Detection is the ability to detect both known and zero-day threats.
Risk management is not magic; we make risk management choices all the time. For example, I have windows in my house. I recognize that it would be more secure without them, but I am willing to trade the benefits of natural light and fresh air for reduced security. I have to admit that the fact that my wife would object strenuously if I decided to brick up the windows had a strong influence on my decision. So I have very nice first-floor windows in my house.