– Frank Cabri, vice president of marketing and business development at Centrify (www.centrify.com), says:
Regardless of how fast your systems, how capacious your storage or how sophisticated your applications, if your security is inadequate and you experience a breach that compromises your data or worse, your customers’ data, your organization will lose money, its reputation, and possibly its viability. Estimates of the cost to TJ Maxx of a security breach ranged from $1.7Bn to $4.5Bn. As a priority, security considerations must automatically accompany every decision you make about your data center. Ideally, they are designed in versus “bolted on.”
The highest priority security concern in an organization is access control. This includes preventing outsiders from getting to your data at all and limiting insiders to the information they need to do their jobs – nothing more. After all, not everyone that works in a bank has access to the vault. Design access control using the least privilege access model.
For instance, the GAO recently dinged the IRS for lax access control. For example, the GAO stated that the IRS continues to:
• use passwords that are not complex,
• ineffectively remove application accounts in a timely manner for separated employees,
• allow personnel excessive file and directory permissions,
• allow the unencrypted transmission of user and administrator login information
IT Security must include these key components: firewall, intrusion prevention system, anti-malware, authentication, authorization, and auditing. These components will meet the vast majority of the security threats. Beyond this baseline you will need to assess your tolerance for risk, the value of what you have to lose, the expectations of your customers and the demands of your business. You can, however, reduce the complexity, labor and associated costs with conscientious planning and a clear understanding of the requirements in all areas: data protection, access control through reliable authentication and policy enforcement, and physical protection.
Often an organization has the technology it needs, but it is underutilizing it. Based on the needs identified in your risk assessment, do an inventory of the solutions you already have available and ensure that they are applied broadly and appropriately. Even without major investments, organizations are frequently able to eliminate vulnerabilities with more acute use of their current expertise and products.
After doing all that you can in terms of applying your current solution set and enforcing policies, look for ways to extend those current solutions to cover other systems and bring them within your security framework. For instance, if you have a cross-platform environment and are using Active Directory, those non-Microsoft systems can be managed from Active Directory, and Group Policy applied to ensure that they meet your security standards. The advantage of centralizing administration is that you can apply policies uniformly. This reduces administrative overhead and increases compliance. Also, by using Active Directory for authentication and access control for Windows and non-Windows systems alike, you are able to leverage both established staff expertise and technology.