Concern area: With most enterprises now being sensitized to having a security
culture in their organizations, many CIOs are now wondering how they can
maximize the security level of their networks.
CIO recommendations: The first thing to remember is never to try securing
only the network, but always to try to secure the enterprise. Security problems
should not be compartmentalized into components like network access, physical
access, applications and processes, but should be looked at holistically
across the enterprise. Do not get swayed by the marketing pitches of vendors, since
very few of them advise on securing the entire enterprise.
Once you have devised mechanisms to secure your enterprise, do not go overboard in
an attempt to maximize the levels of security. The first thing to keep in mind is
that there cannot be any foolproof security. There might be absolute insecurity,
but enterprises can only tend towards the other extreme. More important is to
judge the threat scenario properly and devise a strategy to guard against
different levels of threat. Attach more importance to malicious attacks from
internal sources, which can potentially be much more dangerous than occasional
snoopers/hackers from outside. Also, CIOs should remember that security is not
only about pre-empting an attack; sometimes a post mortem of a breach can also
bring valuable information.
Hence the emphasis should be on audit trails and forensics that enable a
reconstruction of the attack so that it never recurs in future. One thing
to keep in mind is that too much security across the network would
drastically reduce its efficiency. The need is to have a trade-off between
effective functioning of the network and security of the enterprise.
Concern area: With a rapid increase in the number of mobile users in
each organization, security itself has taken on a new dimension. The moment these
mobile users access enterprise resources remotely, there is an
increased security hazard. Implementation of different Web applications across
the enterprise is also a common feature today. Both mobile users and Web
applications having become business imperatives, how can security best be
reconciled with the current scenario?
CIO recommendations: Server-side security in today's Internet era is not in your
control, and this means not much is in the CIO's control with respect to Web
applications. In addition, with remote access even client-side security is
compromised, since you cannot control situations where your server is being
accessed from vulnerable sites like cyber cafés.
In the best possible scenario, whatever access mechanisms you deploy should
not unduly interfere with or decrease the efficiency of the business processes. The
need of the hour is to take a call as to how much security can be sacrificed as
a trade-off for portability and mobility of users without impacting the business
finances. Follow simple steps like separating the internal and Web databases as
a basic level of security. More crucial is to give Web-based applications a
separate treatment from that given to internal resources that are completely
under CIO control. Ultimately, it boils down to a judgment based on how much the
business is gaining and whether that is commensurate with the security compromises
being made.
Concern area: With the substantial increase in outsourcing
to third-party vendors, how can the sanctity of critical information that is
outsourced be maintained?
CIO recommendations: Not much can be done about
security in an outsourcing scenario, since there is no way to monitor the
security level of the third party. This is indeed the cost of outsourcing, and
a business call therefore needs to be taken beforehand. Generally,
outsourcing is done for reasons of economics or availability of skilled
resources, and the security compromise should be judged against these parameters.
You cannot expect to have complete security and get it cheap too. One simple
solution technology offers today is that some form of the data you send outside can
be encrypted so that only the relevant persons hold the private decryption key.
Concern area: With increasing adoption of open source
software across enterprises, many CIOs are debating whether open source scores
over proprietary software in terms of identifying and handling vulnerabilities.
CIO recommendations: By the very nature of the open
source movement, where 20,000 academically inclined people are working around the
world, chances are that the sources of vulnerability are identified and patches
devised by the good guys before the bad guys bent on intruding into resources can
exploit them. However, in terms of business practicality, this might not always work out
in your favor, since the people associated with the open source movement are not
answerable to your business. On the other hand, in many such cases a
proprietary vendor might be able to offer you a faster and more concrete
security solution.
Another argument is that since proprietary software is
currently more widespread than open source, attacks are also more widespread
on the former.
Concern area: Many CIOs are not sure whether to opt
for an IP-based VPN or an SSL-based VPN, or whether the two can complement each
other.
CIO recommendations: There can be no clear-cut answer
to whether an IP-based VPN is more or less vulnerable than an SSL VPN.
Depending on business requirements, the two can work in perfect synergy too.
Typically, in a branch-to-branch enterprise network scenario, IP VPN is
the better alternative, while SSL VPN fits a mobile user environment better.
That is because an SSL client is lighter and easier to fit on mobile devices.