
Preventative -v- Detective Security

There's an Italian proverb which reads 'vivere da malato per morire sano' - living like an invalid to die healthy. Whilst that describes one lifestyle extreme, looking after your body is generally seen as a positive if you want to live a long and healthy life. Prevention is indeed generally seen as better than the cure. The same concept, applied to information systems, can produce some interesting results.

From a non-security perspective, I would say most management approaches and project budgets are focused on the reactive. IT has historically not always been seen as an efficiency provider for the business, with budget often only being assigned once it's acknowledged that the business front line would be negatively impacted if a system, project or team were not present. From a security perspective, I think reactionary policy is still deep in the mindset too.

Reactionary Security

When you casually think of information security tools and products, how many are naturally related to post-incident work or reacting? Security Information and Event Management (SIEM) and logging tools are generally post-incident: if the event has been logged, it has surely already occurred. File Integrity Monitoring (FIM) is another post-incident approach. Anti-virus and anti-malware software could arguably be reactive, as you are checking signatures for a known attack, meaning that if an alert is triggered, the malicious software is already present. The flip side to something like anti-virus is that although something malicious has been spotted, you are preventing the real impact, which would occur if the malware were left to spread. Identity and Access Management (IAM) could be deemed purely proactive, however, as the process attempts to restrict access before an issue can occur, whether through malicious or non-malicious means.

Ethical hacking and penetration testing are another, more proactive, industry, but often these services are not engaged until after an organisation or application has already been attacked and breached. Budget release, especially for cyber security related technologies, is often easier after an organisation has been attacked.

Moving to Proactive

Security has several issues from a proactive implementation perspective. Like anything, a detailed return on investment, including both tangible and non-tangible benefits, is required in order to sanction a project which won't necessarily deliver something immediately. Proactive security is more of a mindset and long-term strategy, which can often be hindered if an organisation is then attacked after implementing a more proactive approach.

The implicit embedding of security in all software, projects and processes is often key to shifting to a more proactive standpoint. This can be difficult at several levels. Developers operating in the software development life cycle are often more focused on time to delivery and software quality, with approaches such as Agile and eXtreme Programming (XP) not necessarily making security a high priority. Security can often be seen to slow down the development process and take attention away from the use cases the client wants completed.

From a business process perspective, security can often be seen as inhibitive or restrictive. Again, time is a factor, but also, non-technical personnel are quite rightly more focused on their individual business use cases: delivering products, realising revenue opportunities and keeping customers happy. Unless security is silently embedded into a process, it too can be seen as time consuming and non-essential. Until, of course, a breach or attack occurs.

Security awareness is often a key part of the progress towards a more proactive approach. Awareness not only among everyday non-technical personnel, via regular online training and workshops, but also at board level. Security metrics can be used to help promote the idea that security up front is often more cost effective and business efficient than spending thousands on post-incident consultancy and investigative products.
