Unified Communications: Click to talk:

Compliance

Oct 22 2009   4:33AM GMT

Free Unified Communications Security Webinar



Posted by: Tony Bradley
Unified Communications, UC, Sipera Systems, Aberdeen Research, smart phones, Wireless, wi-fi, Security, Compliance, webinar

If you’re free next Wednesday, October 28, you should mark your calendar and plan on attending The Final Frontier: Secure Unified Communications to Any Device in Any Place at 12pm Eastern time (9am Pacific).

Unified communications, like just about any useful technology, can be a double-edged sword. Often, for every benefit or convenience there is a tradeoff of increased risk and exposure. As organizations work to extend unified communications to smart phones and wireless devices, they face even more security and compliance challenges.

The webinar is being presented by Sipera Systems and Aberdeen Research and will include the latest research and industry trends, real-world scenarios from actual deployments, and best practices for deploying unified communications securely.

Sep 20 2009   2:51AM GMT

Secure Your Mobile Devices with DUST



Posted by: Tony Bradley
Mobile, Wireless, Security, Compliance, DUST Model

Mobile devices are a critical component of enterprise communications and a core element of unified communications. They used to just be phones, but now they are more like tiny micro-laptops that fit in a pocket. With that increased functionality and ability to store massive amounts of data comes an acutely greater need for security.

An industry analyst firm has developed a model for managing mobile security and compliance. The DUST Model for Managing the Risk to Enterprise Mobility establishes guidelines and provides a framework for end-to-end compliance practices and security controls.

The guidelines have four primary components that make up the DUST:

  • Devices
  • Users
  • Sessions
  • Transactions

You can get more details on the DUST Model from this CRG Research Brief.


Jul 25 2008   2:33PM GMT

UC and Security Compliance



Posted by: Tony Bradley
Security, Compliance, Unified Communications, intellectual property, UC, data leakage, retention

Some organizations have a firm grasp of the regulatory landscape that affects them. They have systems and processes in place to ensure that data is protected and that their I.T. infrastructure and business processes are compliant with the respective mandates and guidelines that impact them. Throwing unified communications into the mix might add some complexity and confusion, though. Voicemail may not be required to be retained, but what about when the voicemail is sent to the user as an email attachment? Instant messaging may be a separate issue from email, but when the conversation history from the instant messaging is stored on the email server, the rules may change. Companies also need to be aware of how UC might expose additional risk of data leakage or theft of intellectual property. The risk is not pervasive in my opinion, nor does it represent a reason to not deploy UC. Unified communications delivers benefits that outweigh the risks, and the security issues are really more of a shift in focus than a new threat. Voice communications that were previously separate are now part of the data network, but sound data network security practices remain the same.


Oct 11 2007   4:09PM GMT

Compliance Impact on Intrusion Detection



Posted by: Tony Bradley
Security, HIPAA, Compliance, FISMA, PCI DSS, SOX, Anton Chuvakin

Intrusion detection, despite being declared dead by a Gartner analyst in 2003, remains alive and kicking in 2007…almost 2008. Not only is it still around and being used in various forms by many organizations, it is actually mandated by some security regulations and standards. In this Computerworld article, Dr. Anton Chuvakin takes a look at the state of intrusion detection as it relates to security compliance. Exploring FISMA, HIPAA, and PCI DSS, Chuvakin spells out the intrusion detection requirements of each. Where things get tricky, or sticky, for some organizations is where the standards and regulations meet. Organizations that fall under HIPAA, and SOX, and PCI DSS, etc. have to compare and contrast the requirements to make sure the security they implement meets all requirements simultaneously and that there are no overt conflicts. Check out Intrusion Detection in the Age of Compliance for more information.