Security Profession blog

Comment and discussion about the security industry of interest to the security professional. Blogs will be submitted by (ISC)2's management team and Advisory Board members.

Thursday 17 April 2008, 1:34 PM

Security is moving beyond the perimeter

Posted by (ISC)2

I was reading some of the early results from our 2008 (ISC)2 Global Information Security Workforce Study recently and was quite interested to see that more companies are deploying cryptography and storage security.

It seems we’ve finally moved away from the perimeter and are focusing on the data that’s inside it.

Of course the edge of the network is still important. Firewalls, intrusion detection and identity and access management are still more widely deployed by the 6,523 certified information security professionals surveyed globally for the study. The majority of organizations have good perimeter security technologies in place.

It’s what’s driving this change that’s most interesting. I believe increasing compliance and greater awareness of it by top-level management is one of the main drivers. Company bosses know that if they lose confidential data it could not only leave them liable, but it could damage customer relationships, business reputation and future growth. There’s nothing like the threat of jail or business failure to get the CEO to sit up and ask what’s being done to secure customer data. The other driver is probably the payment card industry data storage standards (PCI DSS). These standards are being mandated by Mastercard and VISA and are impacting on any organization that transacts money online. It’s interesting that the suppliers are dictating security standards to their customers.

Securing specific data with encryption and storage security such as access controls is also a response to more and more companies falling foul of their customers by letting lax security procedures put data at risk (e.g. TK Maxx last year, HMRC last month and HSBC last week).

I will be discussing the full results at Infosecurity Europe on Tuesday 22nd April in the keynote theatre at 15:45.

John Colley
(ISC)2 Managing Director, EMEA


Comments on this post

mattloney

Deperimeterisation, or focusing on the data where it is stored - unless you pay attention to the people who have access, the procedures they use, and just as important, the language they use, you'll still be at risk. I was chatting to an analyst earlier this week who focuses heavily on application development but who has extensive experience in security consulting, who relayed a short story about one experience with a Certain Government Department. OK, it was GCHQ. When asked whether they had done proper penetration testing on a particular system they said yes, of course they had, which all sounded fine and dandy until my consultant colleague asked them to define penetration testing. Easy, they said, we test whether you can get physical access to the data - i.e. physically plug another computer into the immediate network. Forget software tools that can be used from afar; forget social engineering. It's scary stuff.


Posted by mattloney on Apr 17, 2008 3:56 PM
