Infrastructure Services are definitely undergoing a major transformation. How does one navigate the web of emerging technology trends and stay ahead of the game? Read on to learn more on our Infra Matters blog.

Main

August 7, 2015

Driving down IT and Business risk from unsecured endpoints

In the Cloud and Bring Your Own Device (CBYOD) age, securing endpoints both inside and outside the corporate network is equally important. This is where Secure-Ops comes into play - ie the combination of secure practices integrated within regular service operations.

 

In the past I have written about how to deal with privileged IT endpoints. Again practicing sound IT Risk Management will lead one to the look at compensating controls which this post deals with.

 

Consistent processes drive effective controls. Change management is unique in that it is both a process and a control. The 10 questions for Enterprise change will open key areas within IT Service Management for further analysis. And it will complement evolving Trust Models for effective governance.

 

The 2015 Annual GRC conference is collaboration between the Institute of Internal Auditors (IIA) and the Information Systems Audit and Control Association (ISACA).

 

The conference is being held between Aug 17th to 19th at Phoenix, AZ and will be a great forum to learn more about emerging trends in IT compliance and controls.

 

I'm equally excited for having the opportunity to speak in my session on Aug 17th, 'Attesting IT Assets and key Configuration items as a pre-audit measure: The why and the how'.

 

More in my next post.

October 22, 2014

Developing operational controls through an ACM practice

 

In my last entry I talked about the need to have a sound Asset and Configuration Management (ACM) practice as the foundation for an effective Cyber Security strategy. So what does this start to look like? As simple as it may sound, designing, setting up and managing an ACM practice is actually a complex endeavor.

Why? ACM faces multiple ongoing and evolving challenges. Here are a few

-          Proliferation of IT devices and form factors- both fixed and mobile

-          Product vendors running varied licensing models for software product

-          Multiple asset "owners"- almost every operational entity has an interest in the device - e.g.- Audit, Access Control, Information Security, Network Operations, Change Management & Facilities

-          Focus on one-time 'catchup efforts' at inventory vs an ongoing accounting and reconciliation based systems approach.

-          Multi-sourced operational vendors begin their own ACM silos for contractual and service level needs which makes it hard to see a single picture across the organization

-          Emphasis on asset depreciation and cost amortization resulting in a 'we don't care, as long as finance has it depreciated on the books' view

Will going to the cloud make all these challenges go away? - Or even better will cloud make the need for an ACM practice go away? Hardly! Just ask IT Security or even better the External Auditor. As ACM evolves within major Fortune 500 organizations, so will the need for the cloud vendors to support the customer's ACM efforts through sound management, accurate reporting and alerting.

 So what does an organization need? The below is an attempt to list down the key components that will comprise an effective ACM practice

-          Discovery capabilities for internal environments

-          Service Provider discovery feeds for outsourced environments

-          Any other manual feeds- e.g. data from a facilities walkthrough

-          Direct asset input/output system feeds from procurement and asset disposal

-          Automated Standardization Engine

-          System for device normalization and accurate identification

-          Reconciliation rules for comparisons between overlapping feeds, comparison between auto discovery and feeds

-          A dedicated Asset Management database (AMDB)- this is asset information for a distinct set of stakeholders ( procurement, IT planning and finance, DC Facilities, Asset receiving and Asset disposal)

-          A dedicated Configuration Management database (CMDB) tracking asset and attribute relationships and for requirements of specific stakeholders (Change management, Release management, Information Security, Software license management, incident and problem management, capacity management, application support, enterprise architecture)

-          Automated business service modeling tool

-          Asset analytics platform for standard and advanced reporting

-          Integration with change management module

-          Release management module integration

-          Business as usual processes and governance mechanisms

Bringing these components together requires dedicated investment, time and resources but when done, dramatically improve the overall level of control that the organization has over its IT investments. Let's explore how that is achieved in my next note..

September 29, 2014

The foundation for effective IT Security Management

 Of late the news on the IT Security front has been dominated by the mega hacks. Retailers in particular have taken the brunt of bad press with a large US home Improvement Company, the latest in the process of admitting to being compromised. The cyber criminals in all these cases took away credit card data belonging to retail customers. This in turn has resulted in a chain reaction where Financial Services firms are battling the growth of credit card fraud. The resulting bad press, loss of reputation and trust has affected the companies and their businesses.

The tools and exploits in these attacks were new, however the overall pattern is not. Cyber criminals have a vested interest in finding out new ways to penetrate the enterprise and that is really not going to go away anytime soon. What enterprises can do is to lower the risk of such events happening. That seems like a simple enough view but in reality the implementation is complex. Reactive responses to deal with security breaches involve investigations in collaboration with law enforcement on the nature of the breach, source, type of exploit used, locations, devices, third party access etc. But that along does not address the issue of enterprise risk.

Yes, a comprehensive approach is required. Many pieces of Enterprise Security have to come together to work as a cohesive force to reduce the risk of future attacks. These components include Security Awareness and Training, Access Control, Application Security, Boundary Defense and Incident Response amongst others. But effective IT Security Management is incomplete without the addressing one vital element. As an enterprise the understanding of 'what we own', 'in what state', 'where' and 'by whom' is often lost between the discussions and practices of penetration testing, discovery and audit.

These 4 elements coupled with the fifth one of 'management' on a 24*7 basis is typically in an area not within IT Security.  It is within IT Service Management (ITSM)- Asset & Configuration Management (ACM).  The foundation for effective IT Security begins with a strong collaboration and technology integration with the ACM practice. Without a capable ACM presence, IT Security Management is left to answer these questions by themselves.

So why have enterprises ignored or enabled for a weak ACM practice. Over the last decade, there are several reasons-  technological, structural and business related. From a technology standpoint, the available solutions had partial answers, long implementation times and not seen as robust enough. From a structural standpoint, the focus within ITSM was on 'Services' with Incident Management taking the lion's share of the budget and focus. From a business standpoint, multi-sourcing has played a huge role in the compartmentalization of the enterprise. Rightly so, Service providers focus is on achievement of service levels and watching what they are contracted to do and no more.

I would also argue that effective ACM is a key pillar to effective IT governance. The ability to know exactly what areas are being governed and how, from a non-strategic view, also depends on a sound ACM practice.  Again in a software centric world there is no application software, without effective Software Configuration Management (SCM) and tools like Git and Subversion.  So ignoring ACM, undermines the very functionality and availability of the software.

But our focus is on IT Security, so where does one start? Depending on the state of the ACM practice in the enterprise, there are may be a need to fund this central function, expand it's scope and bring in greater emphasis on tools, technology and people. More in my next blog .....

July 16, 2007

Your word versus mine

Last month I was speaking at the CSI Net Sec 2007 conference around Identity and Access Management a key topic within IRM domains. Overall this was a very well attended event featuring various themes and topics.

It dawned on me during the show, that fundamentally what was happening was a very well structured collaboration forum. People coming in and sharing a range of experiences in different industries, initiatives and focused content.

Continue reading "Your word versus mine" »