Tuesday, January 19, 2010

7 guiding principles for redefining information security

Data center virtualization, cloud computing, the growth of mobile applications and social computing are just some of the hot topics at the 2009 RSA Conference Europe that is currently under way in London - and they are redefining the way information security is applied.

To embrace them and seize the opportunity to build better security into the information infrastructure, RSA proposes Seven Guiding Principles encompassing the critical elements required to build an effective information security strategy within today's evolving security landscape - and this are the principles that they themselves apply:

1. Security must be embedded into the IT Infrastructure -- Security should not just be integrated within the infrastructure, it should be embedded within it. Teams from RSA and Cisco have joined forces to embed data loss prevention into devices such as the Cisco IronPort email security gateway. RSA and VMware have also engaged in a technology partnership to embed core security controls into the virtual infrastructure.

2. Develop ecosystems of solutions -- Ecosystems must be formed to enable products and services from multiple organizations to work together to solve common security problems. RSA has invested in the RSA eFraudNetwork community, an ecosystem created in collaboration with thousands of financial institutions across the globe to spot fraud as it migrates between and among financial institutions on a worldwide scale.

3. Create seamless, transparent security -- Making security largely transparent to users and systems that it is designed to protect is critical to bridging the gap between the rate of technological advancement and the ability people have to keep up with it. RSA and First Data recently announced a service designed to secure payment card data from merchants by eliminating the need for merchants to store credit card data within IT systems. This service is being built into First Data's payment possessing system, making it seamless and transparent to merchants and their customers.

4. Ensure security controls are correlated and content aware -- In the EMC Critical Incident Response Center, security information management is centralized so it can correlate data from information controls such as data loss prevention, identity controls like risk-based authentication, and infrastructure controls such as patch, configuration and vulnerability management systems. This approach to security operations is designed to accelerate how quickly security analysts can get the intelligence required to distinguish a benign security event from something more threatening to the business.

5. Security must be both outside-in and inside-out focused -- RSA argues security must include a two-pronged approach that protects both the perimeter (the outside-in) and the information itself (inside-out). Since users are accessing information from a variety of devices inside and outside the network as well as in the cloud, security policy and controls must adhere to information as it moves throughout the information infrastructure.

6. Security has to be dynamic and risk-based -- Organizations need to be positioned to dynamically correlate information from a number of sources and respond to real-time risks related to both infrastructure and information. RSA will announce this week that it is offering new consultative and advisory services to help enterprises implement or improve their security operations function to more effectively manage both risk and IT compliance programs.

7. Effective security needs to be self-learning -- The dynamic nature of IT infrastructures and the malicious attacks launched against them is outpacing the ability of human beings to keep up with their speed and complexity. For this reason, information security strategy must be dynamic and behavior-based. To help support this goal, RSA today also announced it is teaming up with Trend Micro to leverage real-time intelligence of spyware, viruses, spam and other data generated by their Trend Micro's Threat Resource centers.

No comments:

Post a Comment