Organizations, from small and medium businesses (SMB) to large global enterprises, must control access to systems, environments, resources, and data. Access is granted to specific individuals and groups, which means that access is also denied to everyone else – or had better be!
In addition to security concerns – that is, the controls and monitoring necessary to ensure that data and resources are not breached or corrupted, exposing individuals and the organization to harm – there are legal and ethical reasons for protecting these things.
Naturally, Identity and Access Management (IAM) procedures and related policy are central to protection. Enabling users to access data and resources securely, appropriately, and with full knowledge of appropriate use (training – often overlooked) isn’t just a goal of IAM; it is the whole of it.
Your organization must strive to remain within best practices regarding IAM – and in so doing, the IT leader, allied vendors, and savvy business leaders must stay abreast of emerging standards and vet them for incorporation into their environments and overall security policies and plans.
Of particular interest to me are robust credentialing systems that allow entrée to several, perhaps a dozen or more, discrete systems, whether those systems are within the physical control of the organization, or scattered amongst vendors and other allied agencies that have granted access to portions of their environment and assets.
Gone are the days of faith in a simple single sign-on, where breach of one ID and password grants access to all manner of allied systems. The ultimate is an ID and password solution that forces security questions and answers, followed by a splay of discrete (per-system) randomly generated IDs and passwords, with special keys, for transmission to each system with an appropriate handshake – all transparent to the user.
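As an added illustration (not the post’s own design, nor any vendor’s product), here is one stdlib-only Python model of that arrangement: a broker that unlocks only with password plus security answer, holds a distinct random identity and secret for each allied system, and signs the user on by HMAC challenge-response so no per-system password ever crosses the wire. All names and sample values are constructed, and the HMAC-keystream wrapping of stored secrets is an assumed stand-in for an authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets
# Constructed example of a credential broker: one login (password plus a
# security answer) unlocks a vault of distinct random per-system credentials,
# and each allied system is entered by HMAC challenge-response. The secret
# wrapping (HMAC keystream XOR) is a stdlib-only stand-in for AES-GCM.

def _kdf(password, answer, salt):
    # Vault key needs password AND normalised answer: a stolen password alone fails.
    material = (password + "\x00" + answer.strip().lower()).encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class AlliedSystem:
    """Downstream system: keeps a per-user random secret, never receives it on sign-on."""
    def __init__(self, name):
        self.name = name
        self.enrolled = {}  # system-local user id -> 32-byte secret

    def challenge(self):
        return secrets.token_bytes(16)

    @staticmethod
    def response(secret, name, challenge):
        # The system name is bound into the MAC, so a response cannot be replayed elsewhere.
        return hmac.new(secret, name.encode() + challenge, "sha256").digest()

    def verify(self, sys_user_id, challenge, resp):
        secret = self.enrolled.get(sys_user_id)
        if secret is None:
            return False
        return hmac.compare_digest(self.response(secret, self.name, challenge), resp)

class CredentialBroker:
    def __init__(self):
        self._users = {}

    def register(self, user, password, answer):
        salt = secrets.token_bytes(16)
        key = _kdf(password, answer, salt)
        self._users[user] = {"salt": salt, "systems": {},
                             "verifier": hashlib.sha256(b"verify" + key).digest()}

    def unlock(self, user, password, answer):
        """Return the vault key, or None when the password/answer pair is wrong."""
        rec = self._users[user]
        key = _kdf(password, answer, rec["salt"])
        check = hashlib.sha256(b"verify" + key).digest()
        return key if hmac.compare_digest(check, rec["verifier"]) else None

    def provision(self, user, key, system):
        """Random, system-specific identity and secret the user never sees or types."""
        sys_user_id = "u_" + secrets.token_hex(8)
        secret, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        pad = hmac.new(key, nonce + system.name.encode(), "sha256").digest()
        self._users[user]["systems"][system.name] = (sys_user_id, nonce, _xor(secret, pad))
        system.enrolled[sys_user_id] = secret

    def sign_on(self, user, key, system):
        """Transparent handshake: unwrap the system secret and answer its challenge."""
        sys_user_id, nonce, wrapped = self._users[user]["systems"][system.name]
        pad = hmac.new(key, nonce + system.name.encode(), "sha256").digest()
        ch = system.challenge()
        return system.verify(sys_user_id, ch, AlliedSystem.response(_xor(wrapped, pad), system.name, ch))

def demo():
    """Walk the flow with constructed values; returns the outcome of each check."""
    broker = CredentialBroker()
    payroll, crm = AlliedSystem("payroll"), AlliedSystem("vendor-crm")
    broker.register("alice", "correct horse battery", "Maple Street")
    key = broker.unlock("alice", "correct horse battery", "maple street")
    for system in (payroll, crm):
        broker.provision("alice", key, system)
    # Simulated breach of payroll: its per-user secret is replayed at the CRM.
    stolen_id, stolen_secret = next(iter(payroll.enrolled.items()))
    ch = crm.challenge()
    replayed = crm.verify(stolen_id, ch, AlliedSystem.response(stolen_secret, crm.name, ch))
    return {"unlock_ok": key is not None,
            "password_alone_fails": broker.unlock("alice", "correct horse battery", "wrong") is None,
            "payroll_sign_on": broker.sign_on("alice", key, payroll),
            "crm_sign_on": broker.sign_on("alice", key, crm),
            "cross_system_replay": replayed}
```

The last two results show the point of the splay: a secret lifted from one allied system is useless at another, and a password without the security answer never opens the vault at all.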
If you’re examining security and IAM (and you should be):
- How do you currently link physical and electronic identities? Are you comfortable with your present authenticating system(s)?
- What can you reasonably do to create stronger links between physical and electronic identities?
- How do you verify other agencies’ electronic identities?
- Are your IAM products, processes and policies flexible, both in accommodating evolving roles and in general longevity for emerging and new best practices?
- Where is the optimal balance of effort between managing strict IAM and simple utilization of commonly distributed, wide-access resources?
- What accommodation do your IAM strategies and policies need to make for single sign-on, etc., with externally hosted and cloud-based applications and resources?
August 30th: On this day in 1797, Mary Wollstonecraft Shelley was born in London, England (author, Frankenstein)
IT and Business folks: Whether you’re a C-Level executive, or positioned at, say, a HelpDesk, or you’re a network manager, account executive, etc., you can help with something very important these days given the economic climate.
You can help to make budgets more efficient.
Today, efforts to reduce cost in the face of difficult economic times cannot be handled with temporary cuts, or episodes of suspended or revolving service – at least not entirely. Further, once you’ve eliminated the obvious budget “fluff” and other “nice to haves”… we find that we really get down to the skinny. We have to put on our thinking caps… we have to get truly imaginative.
Let’s also mention: The smart organization provides incentives and (usually cash) awards to those who help to make the organization more efficient and cost-effective.
In scrubbing for savings and efficiencies, look to similar organizations to see what they’ve done. Also, participate wherever possible in strategic groups, inside and out, that not only can help to create your future – but to create that future as economically and as powerfully as possible.
Keep these traits firmly fixed in mind when reviewing expenditures against that which must be done: quality, effectiveness and efficiency… and necessity. Ever run across something that runs great, is perfectly sized (in terms of optimization and reliability), and does a great job of producing… something… that no one is using? Or that gets produced elsewhere, in a discrete, tandem system? Or that comes from one area and, with minor re-purposing, could serve other areas?
I’ve seen that plenty – and likely so have you. Regardless, watch for redundancies and wasted efforts and resources. So –
1. Survey for reusable frameworks and solutions that can be repurposed, or whose deliveries and services can be widened, for other areas.
2. Look for strategic partners and constituent groups who can partner with you in leveraging ideas, resources, and solutions to the common good of the whole – granting economies of scale.
3. IT leaders: Lead discussions in “business language” in seeking negotiation, acquiescence, collaboration, and potential compromise between business units and departments in capitalizing on best leverage of resources and best returns.
4. All should be looking to understand as wide an enterprise context as possible in seeking to capture best quality, efficiency and effectiveness; within practicable limits (that is, in view of your authority, available time, etc. – don’t enter a zone of diminishing return).
5. Watch for opportunities to educate external controlling or influencing bodies, such as boards and governing agencies. Seek their help, or at least their understandings, regarding your efforts for budget efficiencies, thereby thwarting inadvertent harming circumstances that can damage your efforts of spending control.
6. Ensure “right sourcing” of core services, procurements of product, etc. If there is something you haven’t shopped in a while, shop around!
Also keep in mind that, for some areas, there are likely new directions to go in reaching destinations of “new normals.” New normals that are more effective and efficient. These will differ according to your organization’s mission, size, and related suite of products, services, and other resources that enable the conduct of your organization’s business. Again, look to like-organizations for ideas, and churn through the list above.
Effective budgets are always in fashion, but now more than ever there is real opportunity to shine in this area. I hope you score some great ideas, and… I hope your organization is savvy enough to provide meaningful rewards.
August 28th: On this day in 1922, WEAF in New York City airs the first radio commercial (Queensboro Realty – $100 for 10 minutes).
Awareness, Action and… Imagination
In Pt. II of this series, we ended by saying that we need awareness and action. We need collaboration with other organizations in mounting a broad front of proactive protection. We need everyone’s engagement as a stakeholder and owner of the organization’s health and surety: You don’t want to work in an unsecured environment, do you? You want business healthy and whole today, tomorrow, next year, and so on…
Almost any action is preceded by awareness. But being aware of threats, so as to mount prudent action of protection, still isn’t enough. Imagination is key. Prudent imagination.
The security field continues to mature. The security leader and his or her team can take advantage of best knowledge through review and appropriate sizing of solutions that have been proven elsewhere. This can be achieved by assessing peer solutions. Also look to partner with other corporate, community, and even law enforcement entities: stay alert for leverages that drive down cost and grant sharing of solutions.
When participating with local, national and even global IT/Security entities and resources, be certain to consider new, growing, and evolving threats – and your required level of protection and response.
Watch for evolving expectations regarding privacy, confidentiality, and associated protections vis-à-vis developing threats (the key here is “developing” threats – not manifest ones that have already popped your security bubble).
In your Finite inside world, battling the outside’s Infinite, how do you determine the appropriate investment in mounting efficient, effective, security? Try comparing your investment to that being spent by peer institutions – and measure against their return.
Be certain your organization engages staff (the joint owners of security) to boost security awareness and responsibility.
As follow-on, use real breach incidents, both internal to the organization and external, to highlight “lessons learned” in mounting prevention of similar events.
Engage staff by asking them to research and teach security seminars within the organization – regularize the schedule. This helps to keep costs down while creating a real security force within the organization.
Measure your security campaign’s effectiveness through survey.
Of course, the real test and measure will be your organization’s overall immunity to breach and loss.
August 25th: On this date in 1922, the Cubs beat the Phillies, 26-23, in the highest scoring major-league game.
In battling the Infinite with the Finite (that is: battling expanding, limitless, threats – with your budgeted, and therefore limited, resources) we must recognize that:
- Cost per incident is increasing.
- Malicious attacks rival human error as the #1 cause of breaches.
- Keeping up with threats, by sheer number and evolution, is ever more difficult.
- Scams are more targeted: at businesses and individuals, based on who they are, what they do, and how.
- Scams look ever-more like legitimate communications and solicitations (by virtue of “inside” information and references, as well as things such as format, style, aesthetics, etc.).
The best defense is not a sole-source protection. What good is a robust IT awareness when threats are streaming into the face of Business? IT is but one department among a host of departments and outside entities with whom the organization does business.
The business of securing business is handled by Business… and IT.
A marching, head-on, approach and broad front engagement is necessary: a “community” awareness and shared responsibility amongst all departments and users is necessary. Everyone is a stakeholder in having a secured organization, and everyone has a responsibility in maintaining and advancing security. Everyone must own security.
This includes knowledge – and understanding – of organization-wide security policies, procedures, treatments (of assets and data), and reportage and remediation of issues.
This is not only the best defense… it must be the best offense. Proactivity is key in the face of strategic threats.
Defense is too often static and reactionary. An offensive security posture means that the organization is scanning the horizon looking for threats to engage and thwart: Meet the threat before it matures and where the organization has a natural security momentum for meeting, engaging, and defeating the threat before it manifests as a bad outcome.
As an example of this dynamic, imagine a specific scam that is targeting organizations/business such as yours: Given the organization’s forward security posture, everyone in the org is keenly aware of security news and reportage of gathering threats. Someone, anyone, in the organization reports the threat through e-mail, raises it in an all-staff meeting, trots into IT on their way to get a cup of coffee… IT downloads a patch, updates malware protection, sends out a community-wide communication with sanction from governance… updates policy… and so on.
That is where awareness and action comes in – through the knowledge shares (such as this one), through collaboration with other organizations, through actualizing everyone’s engagement as a stakeholder, an owner, of the organization’s health and surety.
In battling the Infinite, this is what it is going to take. This is what it already takes.
Get on it.
August 23rd: On this day in 1617, the first one-way streets were established (London).
It’s an unsecured world. That is, until you establish security… somewhere… in some small measure. And maintain it. And grow it in response to ever expanding and stronger threats. Nothing starts out secured.
You have limits: budget, personnel, time… these are finite things. Finite things against the Infinite: Threats are continual – never ending – ever more imaginative, and limitless. In our response, we must even grant that there are limits to our awareness of threats. That’s why we continually educate ourselves regarding new perils. That’s why we participate in knowledge shares, such as the IT Knowledge Exchange.
As security threats grow in scope and severity, everyone in IT and Business must actualize a fresh awareness and view every activity through security’s prism.
But what does the IT leader deliver in these regards? How to keep security front and center without seeming pushy? Paranoid? And… how not to hobble business with crippling security measures? Where are the thresholds of best returns vs. diminishing return?
In the coming days, let’s explore how to battle the Infinite (that which is “out there”) with the Finite (the resources at your disposal).
August 22nd: On this day in 1906, the first Victor Victrola was manufactured.
Something interesting happened to me the other day. There was an unauthorized debit made to my checking account in the amount of $150 and some change by an entity that was unknown to me. I was reasonably certain that I hadn’t conducted any business with any such business.
These days, as most here probably know, breaches involving bank accounts usually involve modest amounts; the “breachers” hope that this allows an unauthorized withdrawal to fly under the radar, and they’d rather hit several accounts for these modest amounts than to hit one account for a massive withdrawal – sure to garner unwanted attention and, hopefully (for us), thwart.
When I called my bank of 30+ years to report an unauthorized transaction, the initial contact was with a representative who was concerned with telling me what he (and the bank) could not do for me – their customer. He explained that he could “delete” the transaction, but that the offending party could simply resubmit. He suggested that I call the entity and discuss the transaction with them. I patiently explained that they might not be the originating party – that it could be someone spinning the unauthorized transaction through them. His counsel was to contact them nonetheless. Having already Googled them, I called…
That entity, a web services company, was sympathetic – and of course, in order to validate whether I was a customer or not, they wanted… my name and address; the last six digits of the debit card; the three security digits on the back – as well as other things. All of this to “look me up” in determining if I was even a customer of theirs – before getting to the question of the transaction.
My question to them was – how do I know you are who you say you are? And, how do I know you’re a legitimate company, and not simply gleaning personal details and financial authentication information from people? Fortunately, they were ultimately able to determine that I was not a customer with my name, primarily, and that they had not issued the charge to my account.
I called my bank back, and I’d like to credit the second representative with some intelligence. He deleted the transaction and, in his words, “blew the bridge” to the card by cancelling the card and reissuing a new one. Thank you. I wish I had thought of it. But that first rep had me thinking that the transaction had to be honored by the bank. Hmmm… after all, what good is my word? I’m just a customer in good standing for more than 30 years.
But – my question to you, dear reader, is… when you call your bank, or any business such as the one I had to contact, or any agency that wants things such as address, last four of SSN, mother’s maiden name, birth date – and essentially wants exposure of all sorts of security data and answers to security questions: How do you know to whom you are speaking? What is your security question to them – with attendant, and correct, security answer(s) as provided to you for your comfort and identification of them?
Phone numbers can be hijacked – what if, when you call your bank’s number, you instead reach a nefarious party out to harm you? Consider: What if your bank’s web page is taken over, or substituted, and you dial a number posted there that goes to a hacking agency out to grab your details, and your money?
As breaches and thefts become ever more clever, watch for breaches to be mere springboards: A theft that causes an individual to launch a call, which in-turn may be hijacked into some spurious realm for further gleaning of confidential information.
Security needs to be a two-way street. Presently, in these circumstances, it is one-way and therefore only mounted half-way. True security demands a face-to-face meeting in a physical location, to establish security questions that the bank, for example, must answer correctly to YOUR satisfaction when dealing with a disembodied voice on the phone.
Of course, even that authenticating standard can be breached, but every layer helps.
August 21st: On this date in 1841, John Hampson patents the venetian blind.
[Note: My promised security prediction will be in my next post]
I was reading an interesting chapter in a book entitled The Tower and the Cloud [Editor Richard N. Katz, © 2008, Educause, ISBN: 978-0-9672853-9-9]. That chapter is Beyond the False Dichotomy of Centralized and Decentralized IT Deployment, by Jim Davis.
He makes the effective case for two fundamental requirements:
1) Consistency and control by virtue of centralized authority, and
2) Autonomy of sorts for requirements that pertain solely to various units’ independent needs, thus engendering local control (independent of “institutional” involvement).
Large enterprises, as opposed to SMB, certainly need a more rigid (for lack of a better word) control: a “Wild West” bloom of independent, redundant, and overlapping programs, content, and control is neither efficient nor productive. And yet, local business units and departments often have unique, even insular, requirements as they deliver, produce and serve. Mr. Davis talks about “horizontally layered”… “locally managed service components on top of institutional service components to form complete services.” I suspect this happens in most organizations – whether by hook or by crook… but hopefully by some sort of design. Most local twists to the “bouquet” of solutions provided by the enterprise rest on common general supports.
Small and medium businesses aren’t faced with quite the same challenge: They may be wholly “local,” a one-spot reference on a map, with an IT department that can effectively manage and control with a simple stroll through a plant or office and a perusal of assets in a central computer room. However, medium business likely has a similar challenge, if only differing in scale. In fact, in the medium realm, IT leadership often finds departments or locations bristling at a lack of freedom. Mr. Davis’ term, “coordinated autonomy,” sounds a little gimmicky and trendy to me, but there needs to exist a certain freedom for imagination and problem solving – and within prudent limits there does exist a need to improvise on occasion.
I liken it to a home project I had going the other weekend. Wouldn’t you know, I had tools that were sooooo close to serving a specific project need… but – I sprang for the purchase of the right tool, and possibly its use on a one-time basis. (It wasn’t too expensive). But what else are you going to do in those circumstances? You have to get the job done. In the case of coordinated autonomy, and decentralized deployment, a happy balance can be established. Set a template for:
1) Requests and permissions
2) Prudent additions for customized needs
3) Understandings regarding management (maintenance and forward progression) of local deployments and solutions
There are always exceptions to policy: Lubricate your sticking points. Don’t blunt any individual’s imagination, or your organization’s collective imagination, in furthering business and IT’s support to that business.
I cycle back to my Business Implementation Team (BIT). Here we bring qualified members of the senior executive class (including C-Level from time-to-time), and IT leadership representatives along with suggestions from the “where the rubber meets the road” business and user class. We can brainstorm in the BIT forum, but we are here primarily to move business and allied technology forward in a meaningful way. The entire thrust is for moving forward.
Authority and permission for deployments, and the twists and stripes throughout the organization regarding procurement, support, control of content, sanctioned solutions, etc., can always be navigated and negotiated.
But do not allow old constraints and old-school thinking to keep you in an outdated box.
August 11th: On this day in 1866, the world’s first roller rink opens (Newport, RI)
According to the Associated Press (AP), hackers are targeting power plants in order to seize control. Presumably, on my part, “control” here means to disable them and create power outages to large areas; I doubt they’re looking to deliver benevolence through efficiencies and reduced bills, for example.
In fact, malicious code and worms are targeting all manner of industrial plants and systems. The Department of Homeland Security (DHS) is urging companies to improve security practices. When reviewing weaknesses as identified by the DHS, it’s rather amazing to see that one of the highlighted security breaches, and the spread of a botnet to almost 100 computers, was accomplished through an infected file delivered to a laptop via a flash drive. The user then connected his laptop to his company’s network and the botnet spread.
One would expect that, in this day and age, patches for known vulnerabilities would be applied on a regular schedule. But note also: in the example cited, the user was returning from an outside conference where the laptop had been in use. I suggest a thorough review by IT of any items that have been offsite, prior to granting access to the overall enterprise.
Perhaps it’s time for monthly security refreshers for all staff; the time involved is a burden, for sure, but it’s time well spent. Perhaps a 10 minute security brief by the IT leader at the end of the monthly all-staff meeting is prudent. For any particular high-profile malware that needs to be addressed immediately, ad-hoc meetings or e-mail blasts could warn users to be especially cautious, particularly within the scopes and activities the malware seems to target.
Being that a good portion, perhaps most, of security breaches are due to human actions (and error), there’s something I’ve noticed: When you call your bank, credit card company, etc., they ask you a security question (it might be mother’s maiden name, name of your first school, etc.). Several questions usually follow on: What is your date of birth? What are the last four (or six) digits of your card? What are the three numbers on the back? What is the expiration date? However, how do you vet the party on the other end of the line that’s soliciting (and collecting) all of this personal, and authenticating, information?
My next post will raise a rather interesting security question, along with a prediction…
August 5th: On this day in 1861, the U.S. levies its first income tax (3% of incomes over $800).
The power at the desktop is increasing by leaps and bounds. How do you get your user class to “leap and bound” in maximizing your return in this arena? Ensuring that your user class knows about the full range of supports available, and making maximum use through best knowledge, is a sort of Index of User Awareness. How to increase this index, and its use?
First, let’s realize that there’s been a definite shifting of burden within the realm of the daily business grind. This shift has been happening over the course of decades. Twenty or thirty years ago, users would fill out a reports form, or a programming request sheet, for submittal to an information services department in order to receive output: a report, or a change to “the system” for example.
Now, users can design and deliver their own reports. In many organizations, authorized users can create such things as their own rapid entry screens specifically tailored to their own job’s needs. They can invoke new business rules through simple selects. They can update constants such as pricing, shipping, discounts – and much more – when possessing appropriate business authority.
In other words, users are their own information service agents – and in many cases their own system configuration agents. Given the evolution and effectiveness of customizations, online help, training, tutorials, and knowledge-shares – the sheer power at the desktop – there is increasing expectation and necessity that users take full advantage of this power.
Some organizations leverage this power very effectively. Others cannot seem to harness it. IT must help Business make full use of the lever that this power at the desktop represents. Business must access, use, and benefit from this full desktop potential in achieving the best return on investment for these technologies.
In cycling back to business’ modern responsibilities in The Business-Technology Weave, we can see that it’s not only necessary for the business C-level execs to bring a readiness to the table, but also for junior, middle, and upper management to qualify themselves for the swim in the accelerating stream of business-technology planning and use.
August 3rd: On this day in 1790, the US Coast Guard is founded (as the Revenue Cutter Service)
In matters of ignorance, consider that your organization is at tremendous risk for inefficient operation. Any entity in the modern Business-Technology Weave that is not keeping up with new knowledge and emerging concepts in the mutually reinforcing business and technical realms will contribute to an imbalance. All of this helps us to understand two basic things required of Business (and thus for the enterprise) in the modern Weave:
1) With the increase in sophistication of business information systems, and their comprehensive reach and weave into every corner of your operations, IT needs Business’ help more than ever in sizing and fitting support to business. The organization needs an engaged business element that makes a strong, good faith effort to self-motivate in maintaining a base of knowledge. This knowledge includes common information, technical and otherwise, that is necessary for Business to help plan its own support in the Weave through a Business-driven IT Strategy. We’re not trying to create a duplication of effort and knowledge between IT and Business, but Business needs a solid qualification upon which to draw so they can pilot the Business-driven IT strategy. As we come to define this posture, we will begin to speak of the IT Enlightened Organization.
2) More and more power, knowledge, and tools are being delivered to the desktop. The assumption by your surrounding industries – that is, training vendors, software developers, value added remarketers, and competitors – is that your user body is going to seize the initiative and make effective use of this “front side of the screen” power. Product developers draw assumptions upon which to scale their products and, increasingly, they assume your users remain informed, educated, and self-motivated. IT needs Business users to actively engage within the zone of desktop power – the zone that has been scaled and marketed specifically for the user class. This frees IT to assume greater and expanded capacities for support to the increasingly sophisticated and time-consuming back-office support requirements, while simultaneously casting about for better supports to business and subsequent discussion and planning. Also, Business users must realize a full return on investment from this power – that is, the organization must capture the potential and make full use of these tools in making your business run at full efficiency and effectiveness. Users must also understand data, and be able to responsibly use, vet, and manage data. Let’s call all of this the Index of User Awareness.
In the coming days, let’s explore the Index of User Awareness, and ensconce everything within the IT Enlightened Organization.
August 1st : On this day in 1903 the 1st coast-to-coast automobile trip was completed – from San Francisco to New York.