
Considerations in Planning for and Using Security Technology

Keeping up with the various technologies designed to boost security is one of the most important things that an information security professional can do. Security risks have become increasingly technical in nature, making technical solutions increasingly essential. For example, PC security without anti-virus software and personal firewalls is for all practical purposes an oxymoron. Additionally, today’s security threats have necessitated developing security measures that for various reasons operating system and application vendors have not incorporated into their products.

At the same time, however, a temptation to view security technology as a panacea always exists. Too often I hear an information security manager make a statement such as: “We have a secure environment—we have firewalls, intrusion detection and intrusion prevention systems, anti-virus software, virtual private networks, third-party authentication, and other technology.” As good as security technology has become, none of it is capable of completely mitigating security risk. Humans pose the greatest risk to computing systems and resources; as long as humans are in computing environments, at least some degree of uncontrolled risk will be present. Additionally, humans must nearly always be in the loop when technology is installed, configured, maintained, and ultimately at some point removed, resulting in an elevated probability that someone will in some way subvert the technology.

Security technology is indeed no panacea, yet information security practices that use it properly reap immense benefits. The trick is to achieve the right balance between security technology and the non-technical sides of a security practice. In many respects, using non-technical controls such as policy, standards, procedures and guidelines is potentially less costly from a financial standpoint. If, for example, a provision in a security policy directs users to avoid visiting Web sites that promote racial and ethnic hatred, it is not unreasonable to assume that the vast majority of employees will abide by this provision. A small percentage will not, but given that most employees will, this solution could very well be much more cost effective than implementing a set of technical controls that monitor Web access and abort sessions in which users visit hate sites. Assuming that sufficient resources for security controls exist (something that in real-life settings is seldom true), the following considerations need to be taken into account in planning for and using security technology:

  • Costs versus benefits. How much will the technology cost in terms of purchase and maintenance costs over its lifetime? What liabilities does the technology introduce? Do the benefits, primarily business benefits, sufficiently outweigh the costs?
  • Amount of risk mitigation. Some security technology is intrinsically better than others because it leaves less residual risk when it is deployed. For example, some security technology (such as single sign-on technology) does not do nearly as well in reducing risk related to falsified identities as do most types of third-party authentication.
  • Availability of human resources. Security technology offers a potentially huge advantage in that it can serve as a resource multiplier in an arena in which there are never enough resources. There is no better example than monitoring, which is one of the most labor-intensive tasks in information security. Technology such as intrusion detection and intrusion prevention tools as well as security event management technology automates the monitoring process, freeing technical staff to work on other important tasks.
  • Integration with other technology. Technology that fits in with existing technology is best. “Point solutions” are unsatisfactory in that they require too much independent “care and feeding” and are likely to cause more disruption.
  • Longevity. Some technologies quickly come and go, whereas others are likely to persist even though it is likely that they will change over time. Selecting the technologies that promise longevity is thus also essential.
  • Flexibility and adaptability. Business needs and technology both change over time. Technology must be sufficiently flexible and adaptable to be able to change as business needs change.
  • Usability. Security technology that maximizes usability should in general be chosen. Training costs are likely to be substantially lower and user resistance, one of the potentially greatest problems information security practices face, will diminish.
  • Defense in depth. No control, whether or not it is technological in nature, is in and of itself all sufficient. In time one or more weaknesses or limitations in a control will result in the ability to defeat or bypass it. Defense in depth is thus an extremely important consideration. If a control is defeated or bypassed, additional controls need to be in place to deter attacks.

In closing, it is important to remember that using security technology does not ensure high levels of security. Many organizations do not correctly use security technology; accordingly, they reap few if any benefits from it. However, for reasons mentioned earlier, good security without suitable security technology is impossible. The trick is to learn about, plan for and deploy suitable security technology. Paying attention to the considerations discussed in this paper will greatly increase the likelihood of success. 
