Stories by Mathias Thurman

Security Manager's Journal: Time to tweak the security policies

Every fall, I conduct a policy review. I think it's a good idea to have this on my calendar, because no policy, no matter how well crafted, is meant to last for all time. New standards arise and old ones are modified, making some policies deficient. Or a security incident, an audit or some business reality that was previously unacknowledged emerges to demonstrate how a policy falls short.

Opinion: Security Manager's Journal - the perils of enterprise search

I'm a big fan of search. The ability to use the internet to cull information on virtually any topic with just a few clicks has made me more efficient and better informed. And "information" can come in the form of pictures, documents, videos, news feeds -- whatever you need.

Opinion: Tightening up SaaS security is vital

An issue vying for my attention early on is the company's heavy use of software as a service (SaaS). At my last company, we used four SaaS vendors. This company far exceeds that number, because it tends to choose a SaaS option ahead of either building applications in-house or buying them. As a result, we currently use more than 30 SaaS offerings. It's a nightmare from a security perspective, for many reasons.

As plans for NAC deployment get under way, keep it simple

I've mentioned <a href="http://www.computerworld.com/s/article/349968/It_All_Comes_Down_to_Patching">network access control</a> several times in this column over the past few months. If you've been following along, you know that I like the functionality it offers but am leery of the difficulty and cost of deploying it, as well as the resources required to manage it properly.

Virtual PCs still need real security

If my CIO had his way, he would move the entire company to a virtual desktop environment. In his mind, it would be a cure-all for the costs of supporting thousands of PCs and the headaches caused by software distribution, security patching and configuration management.

Our VDI deployment would involve installing a small software plug-in on each PC. When such a PC is connected to our internal network, a virtual desktop environment will run on top of the PC -- a Windows desktop displayed within Windows.

My conclusion was that our security posture should be unaffected, and possibly enhanced, but only if VDI is properly implemented.

My first and most important requirement is that data can't be allowed to move in either direction between the virtual desktop and the host PC or any external devices.

Next is the question of the integrity of the host PCs. No one should think that VDI will free us from the headaches associated with configuration management, patch distribution and anti-malware software updates. That's because in our deployment, VDI is simply an application that runs on a PC. Security patches and antivirus updates will still have to be applied to the host PCs.

The virtual desktop environment of a general employee shouldn't be the same as the virtual desktop environment set up for a contractor, partner, supplier, vendor or other affiliate. Some high-level order will need to be in place to satisfy my "rule of least privilege" requirement so that we don't expose critical applications and data to unauthorised people.

Another consideration for me involves the log-on banners that users must read before clicking "accept" and logging in. We can't lose this feature, since we have a legal requirement to let users know about their responsibilities and our practice of monitoring activity.

We also can't compromise our remote access policy, which calls for two-factor authentication and the use of a VPN.

The same goes for application and screen timeouts.

Mathias Thurman is the pseudonym of an IT security professional.

Security Manager's Journal: iPad intro brings nasty surprise

I don't like surprises. I wish projects wouldn't get launched without the sponsors seeking my advice on security measures first. If you read this column regularly, you've heard me say all of this before. I try to keep an eye on everything, but companies are complex organizations, and it's inevitable that something will sneak by.
