Thank you, Target! It's a pity that security managers have to capitalize on other organizations' misfortunes to broker change within their own enterprises, but the notorious Target breach of late last year just might get me some things I think my company has needed.
Stories by Mathias Thurman
Every fall, I conduct a policy review. I think it's a good idea to have this on my calendar, because no policy, no matter how well crafted, is meant to last for all time. New standards arise and old ones are modified, making some policies deficient. Or a security incident, an audit or some business reality that was previously unacknowledged emerges to demonstrate how a policy falls short.
A competitor suddenly seems to know a lot about the customers of our manager's company. Did a former employee take sensitive data when he left?
I love my iPad, but I hate what it represents.
I'm a big fan of search. The ability to use the internet to cull information on virtually any topic with just a few clicks has made me more efficient and better informed. And "information" can come in the form of pictures, documents, videos, news feeds -- whatever you need.
We have a major problem, which explains why I'm sitting in an airport right now. I'm heading off to visit some third parties that develop portions of our software for us.
This week, my company began deploying new firewalls. The old ones have been in place for more than six years; the new ones will allow us to take advantage of the next generation of features.
Three months into my new job, I've had a chance to assess the landscape and establish some priorities. No. 1 will be the way we handle data.
An issue vying for my attention early on is the company's heavy use of software as a service (SaaS). At my last company, we used four SaaS vendors. This company far exceeds that number, because it tends to choose a SaaS option ahead of either building applications in-house or buying them. As a result, we currently use more than 30 SaaS offerings. It's a nightmare from a security perspective, for many reasons.
I've mentioned <a href="http://www.computerworld.com/s/article/349968/It_All_Comes_Down_to_Patching">network access control</a> several times in this column over the past few months. If you've been following along, you know that I like the functionality it offers but am leery of the difficulty and cost of deploying it, as well as the resources required to manage it properly.
It can take a bit of luck sometimes to find out about a security problem. A recent incident illustrates this, and the need to do more to take luck out of the equation.
If my CIO had his way, he would move the entire company to a virtual desktop environment. In his mind, it would be a cure-all for the costs of supporting thousands of PCs and the headaches caused by software distribution, security patching and configuration management.
Our VDI deployment would involve installing a small software plug-in on each PC. When such a PC is connected to our internal network, a virtual desktop environment will run on top of the PC -- a Windows desktop displayed within Windows.
My conclusion was that our security posture should be unaffected, and possibly enhanced, but only if VDI is properly implemented.
My first and most important requirement is that data can't be allowed to move in either direction between the virtual desktop and the host PC or any external devices.
Next is the question of the integrity of the host PCs. No one should think that VDI will free us from the headaches associated with configuration management, patch distribution and anti-malware software updates. That's because in our deployment, VDI is simply an application that runs on a PC. Security patches and antivirus updates will still have to be applied to the host PCs.
The virtual desktop environment of a general employee shouldn't be the same as the virtual desktop environment set up for a contractor, partner, supplier, vendor or other affiliate. Some high-level order will need to be in place to satisfy my "rule of least privilege" requirement so that we don't expose critical applications and data to unauthorized people.
Another consideration for me involves the log-on banners that users must read before clicking "accept" and logging in. We can't lose this feature, since we have a legal requirement to let users know about their responsibilities and our practice of monitoring activity.
We also can't compromise our remote access policy, which calls for two-factor authentication and the use of a VPN.
The same goes for application and screen timeouts.
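A way to check a desktop-pool export against the requirements listed above, as an added example rather than code from this column or from any VDI product. The export format, the field names, the pool contents and the list of "critical" applications are all constructed assumptions; host-PC patching is a separate control and is not covered by a pool audit.

```python
# Constructed sample of what a desktop-broker export might look like (assumption):
# one pool that already meets the requirements, one that does not.
SAMPLE_POOLS = [
    {"name": "employee-std", "audience": "employee",
     "clipboard": "disabled", "drive_redirection": "disabled",
     "usb_redirection": "disabled", "logon_banner": True,
     "remote_requires_mfa": True, "remote_requires_vpn": True,
     "idle_timeout_min": 15, "apps": ["email", "crm"]},
    {"name": "contractor", "audience": "contractor",
     "clipboard": "host-to-guest", "drive_redirection": "disabled",
     "usb_redirection": "enabled", "logon_banner": False,
     "remote_requires_mfa": True, "remote_requires_vpn": False,
     "idle_timeout_min": 0, "apps": ["ticketing", "finance-ledger"]},
]

CRITICAL_APPS = {"crm", "finance-ledger"}  # assumption: employee-only applications
MAX_IDLE_MIN = 15                           # assumption: the screen-timeout policy value

def audit_pool(pool, critical_apps=CRITICAL_APPS):
    """Return the list of findings for one pool; an empty list means it passes."""
    findings = []
    # No data movement in either direction between guest and host, no external devices.
    for ctl in ("clipboard", "drive_redirection", "usb_redirection"):
        if pool.get(ctl) != "disabled":
            findings.append(f"{ctl} must be disabled (is {pool.get(ctl)!r})")
    # Least privilege: affiliate pools must never carry critical applications.
    if pool["audience"] != "employee":
        leaked = sorted(critical_apps & set(pool["apps"]))
        if leaked:
            findings.append(f"{pool['audience']} pool exposes critical apps: {leaked}")
    # The legally required log-on banner has to survive the move to VDI.
    if not pool.get("logon_banner"):
        findings.append("logon banner missing")
    # Remote access policy is unchanged: two-factor authentication plus VPN.
    if not (pool.get("remote_requires_mfa") and pool.get("remote_requires_vpn")):
        findings.append("remote access must require both MFA and VPN")
    # Screen and application timeouts still apply inside the virtual desktop.
    if not 0 < pool.get("idle_timeout_min", 0) <= MAX_IDLE_MIN:
        findings.append(f"idle timeout must be 1-{MAX_IDLE_MIN} min")
    return findings

def audit(pools=SAMPLE_POOLS):
    """Map each pool name to its findings."""
    return {p["name"]: audit_pool(p) for p in pools}

if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, "OK" if not findings else findings)
```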
Mathias Thurman is the pseudonym of an IT security professional
I don't like surprises. I wish projects wouldn't get launched without the sponsors seeking my advice on security measures first. If you read this column regularly, you've heard me say all of this before. I try to keep an eye on everything, but companies are complex organizations, and it's inevitable that something will sneak by.