SlideShare une entreprise Scribd logo
1  sur  9
Télécharger pour lire hors ligne
1
Safeguarding the Enterprise: a new approach
Sanjay Sahay
Introduction
Attacks on the enterprise are getting increasingly sophisticated. Current solutions
available do not seem to be adequate given the innovativeness, precision and
persistence of these attacks in different forms and of different dimensions.
Organisations thus want to increase the sophistication of their employees and also of
the solutions to be deployed given this backdrop.
Facts & Challenges
Research shows that 55% of the breaches requires months to years to contain
(Verizon 2010 Data Breach report), 16% of breaches are discovered via active and
deliberate action. Only 24% of APT malware is detected by an anti-virus solution.
(Mandiant 2010) Logs are at the heart of monitoring and use of logs for the right
purpose and in the right directions can come handy immensely. Mining of logs throws
up data which the professional can make a meaning of. The signs are there, we just
need to get better in recognizing them.
This is the challenge of safeguarding the enterprise. “We watch these attackers and
we know them. Some are very fast moving…, if you lose track of them in your
system, you can lose them for months if not forever. The impact of damage cannot
be gauged at a later date and real impact would remain unknown forever. This brings
us to the primary question of why safeguard the enterprise. The enterprise has to be
safeguarded primarily for two reasons the first being the physical security, it cannot
exist in a vacuum and the second being the safeguarding of the data.
Structure
During the course of this article I will take you through my definition of a
safeguarded enterprise, the new approach – Gartner White Paper, goals, security
risks and key success factors, security architecture, data center, connectivity and
application, application data security life cycle, security information and event
management, single sign on, the future- cloud computing and the final thoughts based
on the discussion gone through this article.
2
What is a safeguarded enterprise
Safeguarded Enterprise is the sum total of a clear – cut perception,
appropriate/integrated planning, documentation, meticulous execution ad
dynamic/robust maintenance of enterprise security policy at awareness, attitudinal,
physical, systems, processes, application and data dimensions throughout the
enterprise creating a near fail safe enterprise.
Silo
Silos have ruled the world till we realized what a silo is and the way it feeds like a
termite on a system, which is an integrated system, for namesake. So was the case
of security in the Enterprise Business Architecture. Business, information and
technology (BIT) were the three components. The new approach emanates from a
Gartner White Paper in the year 2006 titled ‘Incorporating Security into the
Enterprise Architecture Process’. This led to the creation of Enterprise Information
Security Architecture with four critical components of Business, information,
technology and security (BITS). BIT changed to BITS and security became a design
component itself.
S E a new approach
Enterprise Information Security Architecture
• Architecture• Architecture
• Architecture• Architecture
Business Information
SecurityTechnology
3
In the midst of the clamor for a fail safe data regime which would be nonetheless be
a mirage, the importance of physical security should not be diluted. My visit to
Indian IT companies in Bangalore has helped me confirm by belief that physical
security stands at par with data security though the two are distinctly different
thought processes, are different in execution and would remain to be complimentary
for all times to come. 9/11 has been a watershed in modern human history, the
location of the Taliban attack Ground Zero as is its called was a rubble of what was
best of the companies in the world housed in the World Trade Center towers 1 & 2.
Whatever come may… physical security will always count, whether on land, in air or on
water. This does not in any way bring down the importance of the Disaster Recovery
process of our state of art data centers which were able to retrieve nearly all the
data which was physically located on the servers and computer systems in the two ill
fated buildings.
Goals
The goals of Enterprise Information Security Architecture is to provide a structure
that is coherent and cohesive. As the business motive is predominant in a business
enterprise, the business to security alignment in critical. Any disconnect would be
critical to profitability and at times to the existence of the enterprise itself. The
details ought to neatly spelt out, top down which should be synchronous in itself and
synergize with the business strategy. At the end of the day, this approach helps
establish a common language for information, for its free flow, clarity of
communication and timely and effective response mechanism for information security
within the integrated enterprise.
Risks
The common risks which the enterprise faces today is all too well known. This can
broadly be summarized as mentioned below:
Email attachments
VPN Tunnel vulnerabilities
Blended attacks
Diversionary tactics
Download from websites
Supply chain and partners added to the network
Microsoft’s SOAP
4
Renaming documents
Peer to peer applications
Music and video browsers
Key Success Factors
Awareness of the impending danger is the initiation of diagnosis and objective
diagnosis can only lead objective treatment and maintenance of a healthy enterprise
both form the point of view of physical and data security. Security awareness in all
its dimensions creates an environment where all success factors fall in place like a
jigsaw puzzle, the people, the processes and technology. One the security awareness
human platform are the two main technical components of Network Security and
Application Security. Operating system security, Patch and AV management and SIEM
are the three components of the final layer which can be termed as the operating,
functional and the analytical layer.
Security Architecture
The key success factor is the synergy of People, Processes and Technology creating a
seamless security architecture which is optimally functional and has the capability to
propel the enterprise to the next level. The people part comprises of user awareness,
guidance, administration and effective monitoring of the system. The processes part
comprises of policies, standards, guidelines and audit capabilities. Last and the most
important component in a technology driven world is technology itself manifested by
the use of IPS, Firewall, AV, DLP and SIEM.
Defense of Depth
“Defense of Depth” is a concept used to describe layers of defense strategies. The
components at each layer work in tandem to provide one cohesive security mechanism.
This layered approach also helps localize the impact if one element of the mechanism
is compromised. The defense of depth layers concentric circles begins moving
outwards with the Data at the bull or the innermost circle. The circles from the
innermost to the final outside circle are data, application, host, internal network,
perimeter, physical and policies, procedures and awareness.
5
At the Core
Data Center, Connectivity and the Application are at the core of the enterprise
security. The main purpose of a data center is running the applications that handle
the core business and the operational data of the organization. Secure application
usage is the key to the creation of a secure enterprise.
Secure connectivity is the backbone. The Karnaktaka State Police broadband
networking is a intranet named KSPWAN which is a combination of 39, 2 Mbps MPLS
leased lines for big offices, 512 Kbps 1400 VPNoBB connections covering all police
stations and small offices and 8Mbps internet leased line with and aggregation
bandwidth of 32 Mbps working as a single network of 5000 computers across the
state working out of a single server located at the KSP Data Center. The choice of
intranet over internet is the first decision towards security of the enterprise which is
slowly becoming the norm in enterprises across the globe.
6
S E a new approach
KSP Connectivity
Application/s is at the heart of the enterprise. An ERP created for the enterprise
aligns to all its tasks and activities also takes care of all the staff functions which
run co-terminus with the business functions. Secure ERP on an intranet is what we
are all heading for.
The Application Data Security Lifecycle (ADSL)
SE a new approach
The Application Data Security Lifecycle
Assess Set Policies/Controls
Measure Monitor / Enforce
The Application
Data Security
Life Cycle
7
The diagram clearly elucidates the role of different components of the ADSL. The
lifecycle as is the case with concept and process starts with the assessment
encapsulating the configuration/usage of servers and data, test configuration,
evaluate the inherent risks and also assess how and by whom the data and
applications are used.
Setting polices and controls is the subsequent task. The policies should be
automatically created considering the right mix of business and security
considerations with the flexibility to adapt to user changes and support granular
policies and controls. Monitoring and enforcing is more important than creating the
policies itself. The separation of duties should be ensured simultaneously with user
accountability. The transaction details should be in a comprehensive manner and alerts
and blocks should be resorted to in real time. Measure is a tool, an utility which
provides the appropriate usage, levels of effectiveness and the depth of the impact
of the system put in place which is conducted by way of built in and custom reports,
roll up and drill down data, security event analysis and the compliance workflow.
Security Information & Event Management (SIEM)
SIEM, an intelligence platform helps safeguard the business by giving complete
visibility into the activities across the IT infrastructure. It fulfills the functionalities
which would be not be emanated out of single activity logs and without this software
system no correlation can be mapped or understood leave aside taking any correctional
action. Logs are the cornerstone of all activities and making meaning of the logs as
per our requirements is the real professional tool. The functionalities being attended
to by this software are asset discovery, threat detection, vulnerability assessment,
event collection, correlation, event management and log storage. The SIEM
capabilities comprise of data aggregation, correlation, alerting, dashboards,
compliance and retention.
Single Sign On
Single Sign On, SSO, is a property of access control of multiple related, but
independent software systems. Conversely, Single Sign Off, is the property whereby
the single action of signing out terminates access to multiple software systems. The
benefits we derive out of this system are as follows:
More secure
Reduces password fatigue
Reduces time spend for re-entering passwords
8
Reduces IT costs – helpdesk calls pertaining to passwords etc
Security on all levels of entry/exit/access to systems
Centralized reporting for compliance adherence
Cloud – The Final Frontier
Cloud computing has turned out to be the final frontier as on date, with advantages
to so many but procedurally and technically still not seeming to full secure.
Enterprises my still take sometime to switch over to complete cloud environment.
There are large number of security issues/concerns associated with cloud computing
which can grouped into two, firstly security issues faced by cloud providers and
secondly security issues faced by their customers. The provider must ensure that
their infrastructure is secure and client’s data and applications are protected. The
customer must ensure that the provider has taken proper security measures to
protect their information.
Cloud - Virtualization
The extensive use of virtualization in implementing cloud infrastructure brings unique
security concerns for customers of a public cloud service. Virtualization alters the
relationship between the OS and the underlying hardware – be it computing, storage
or even networking. The use of this technology introduces an additional layer –
virtualization – that itself must be properly configured, managed and secured.
Specific concerns include the potential to compromise the virtualization software.
While the concerns are largely theoretical, they do exist.
Challenges
What we are witnessing today is advanced cyber threats are advanced cyber threats,
collaboration is the key in dealing with them. No single organization can respond
positively given the nature of the challenge posed on enterprises today. There is need
for the creation of an Advanced Cyber Security Center (ACSC) for cross sector
collaboration organized to help protect the country’s enterprises from the rapidly
evolving advanced and persistent cyber threats.
ACSC would strengthen short term defenses and long term capability. Actionable
intelligence to bolster an organizations defense in the short term and generate new
defensive strategies and R&D in the longer term would be the logical guiding principle.
9
The near term results would be application of front line analytics, medium term
results would be the application of New “ Predictive Analytics” Development and the
long term results would true Research & Development which would throw up innovative
security solutions for the enterprise. Though it would time taking yet it would be
worthwhile to leverage on sustainable and continuous research improving the enterprise
security by leaps and bounds.
The other challenges include cloud computing with virtualization which I have already
discussed in detail. With mobility becoming the order of the day, this would remain
an area exclusive concern and most gadgets would be internet enabled where
compromising security is easier than in a closed environment.
Country standards are a must and only international benchmarking which is generally
not enforced can be relied upon completely. The protocols so created, which would
have the sanctity of the law would be universally enforced to bring into existence a
business enterprise regime in this country thriving on its protocol and enforcement
and the enterprise relying on the BITS architecture wherein security would be a
design element from the stage of the concept itself. Secure software with all inbuilt
security features has been be emphasized all throughout this article.
Conclusion
Complexity is our life and making it simple our goal. Technology gains the highest end
with simplistic products and services. The complexity of IT security gets confounded
with innumerable applications, the processing power, the world wide web interface,
cross enterprise collaboration and the like. Cloud computing, though in its nascent
stage has thrown a major challenge to IT security, the success of which would be
epochal and the IT services would take a well deserving leap forward.

Contenu connexe

Tendances

Enterprise Information Security Architecture_Paper_1206
Enterprise Information Security Architecture_Paper_1206Enterprise Information Security Architecture_Paper_1206
Enterprise Information Security Architecture_Paper_1206Apoorva Ajmani
 
The Economics of IT Risk and Reputation
The Economics of IT Risk and ReputationThe Economics of IT Risk and Reputation
The Economics of IT Risk and ReputationIBM Security
 
Bridging the Data Security Gap
Bridging the Data Security GapBridging the Data Security Gap
Bridging the Data Security Gapxband
 
Secure Engineering Practices for Java
Secure Engineering Practices for JavaSecure Engineering Practices for Java
Secure Engineering Practices for JavaTim Ellison
 
Prevention is futile in 2020 - Gartner Report in Retrospect
Prevention is futile in 2020 - Gartner Report in RetrospectPrevention is futile in 2020 - Gartner Report in Retrospect
Prevention is futile in 2020 - Gartner Report in RetrospectJermund Ottermo
 
Safeguardsintheworkplace
SafeguardsintheworkplaceSafeguardsintheworkplace
SafeguardsintheworkplaceAdam Richards
 
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...IRJET Journal
 
Security Best Practices for Small Business
Security Best Practices for Small BusinessSecurity Best Practices for Small Business
Security Best Practices for Small BusinessValiant Technology
 
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...IJNSA Journal
 
Information Security Governance at Board and Executive Level
Information Security Governance at Board and Executive LevelInformation Security Governance at Board and Executive Level
Information Security Governance at Board and Executive LevelKoen Maris
 
OverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrateOverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrateKashif Ali
 
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass AuditsTime for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass AuditsTripwire
 
Assessing and Managing IT Security Risks
Assessing and Managing IT Security RisksAssessing and Managing IT Security Risks
Assessing and Managing IT Security RisksChris Ross
 
FDseminar IT Risk - Yuri Bobbert - Antwerp Management School
FDseminar IT Risk - Yuri Bobbert - Antwerp Management School	FDseminar IT Risk - Yuri Bobbert - Antwerp Management School
FDseminar IT Risk - Yuri Bobbert - Antwerp Management School FDMagazine
 
Secure by design building id based security
Secure by design building id based securitySecure by design building id based security
Secure by design building id based securityArun Gopinath
 
Enterprise Architecture and Information Security
Enterprise Architecture and Information SecurityEnterprise Architecture and Information Security
Enterprise Architecture and Information SecurityJohn Macasio
 

Tendances (17)

Enterprise Information Security Architecture_Paper_1206
Enterprise Information Security Architecture_Paper_1206Enterprise Information Security Architecture_Paper_1206
Enterprise Information Security Architecture_Paper_1206
 
The Economics of IT Risk and Reputation
The Economics of IT Risk and ReputationThe Economics of IT Risk and Reputation
The Economics of IT Risk and Reputation
 
Bridging the Data Security Gap
Bridging the Data Security GapBridging the Data Security Gap
Bridging the Data Security Gap
 
Secure Engineering Practices for Java
Secure Engineering Practices for JavaSecure Engineering Practices for Java
Secure Engineering Practices for Java
 
Prevention is futile in 2020 - Gartner Report in Retrospect
Prevention is futile in 2020 - Gartner Report in RetrospectPrevention is futile in 2020 - Gartner Report in Retrospect
Prevention is futile in 2020 - Gartner Report in Retrospect
 
Safeguardsintheworkplace
SafeguardsintheworkplaceSafeguardsintheworkplace
Safeguardsintheworkplace
 
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
 
Security Best Practices for Small Business
Security Best Practices for Small BusinessSecurity Best Practices for Small Business
Security Best Practices for Small Business
 
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...
 
Information Security Governance at Board and Executive Level
Information Security Governance at Board and Executive LevelInformation Security Governance at Board and Executive Level
Information Security Governance at Board and Executive Level
 
OverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrateOverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrate
 
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass AuditsTime for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits
 
develop security policy
develop security policydevelop security policy
develop security policy
 
Assessing and Managing IT Security Risks
Assessing and Managing IT Security RisksAssessing and Managing IT Security Risks
Assessing and Managing IT Security Risks
 
FDseminar IT Risk - Yuri Bobbert - Antwerp Management School
FDseminar IT Risk - Yuri Bobbert - Antwerp Management School	FDseminar IT Risk - Yuri Bobbert - Antwerp Management School
FDseminar IT Risk - Yuri Bobbert - Antwerp Management School
 
Secure by design building id based security
Secure by design building id based securitySecure by design building id based security
Secure by design building id based security
 
Enterprise Architecture and Information Security
Enterprise Architecture and Information SecurityEnterprise Architecture and Information Security
Enterprise Architecture and Information Security
 

En vedette (8)

Secure Cities 2013
Secure Cities 2013Secure Cities 2013
Secure Cities 2013
 
National Police IT Center
National Police IT CenterNational Police IT Center
National Police IT Center
 
Towards Making Smart Policing a Reality for India
Towards Making Smart Policing a Reality for IndiaTowards Making Smart Policing a Reality for India
Towards Making Smart Policing a Reality for India
 
e-gov: Secure IT 2014
e-gov: Secure IT 2014e-gov: Secure IT 2014
e-gov: Secure IT 2014
 
Asymmetric warfare for geoworld
Asymmetric warfare for geoworldAsymmetric warfare for geoworld
Asymmetric warfare for geoworld
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
CCTNS & Homeland Security
CCTNS & Homeland SecurityCCTNS & Homeland Security
CCTNS & Homeland Security
 
Secure it0001
Secure it0001Secure it0001
Secure it0001
 

Similaire à Safeguarding the Enterprise

Securing a mobile oriented enterprise
Securing a mobile oriented enterpriseSecuring a mobile oriented enterprise
Securing a mobile oriented enterpriseinfra-si
 
1Running Header ORGANIZATIONAL SECURITY 4ORGANIZATIONAL SEC.docx
1Running Header ORGANIZATIONAL SECURITY 4ORGANIZATIONAL SEC.docx1Running Header ORGANIZATIONAL SECURITY 4ORGANIZATIONAL SEC.docx
1Running Header ORGANIZATIONAL SECURITY 4ORGANIZATIONAL SEC.docxvickeryr87
 
Take back your security infrastructure
Take back your security infrastructureTake back your security infrastructure
Take back your security infrastructureAnton Chuvakin
 
Complete network security protection for sme's within limited resources
Complete network security protection for sme's within limited resourcesComplete network security protection for sme's within limited resources
Complete network security protection for sme's within limited resourcesIJNSA Journal
 
Key elements of security threat
Key elements of security threatKey elements of security threat
Key elements of security threatAraf Karsh Hamid
 
Sample Discussion 1Security is one of the most important fun.docx
Sample Discussion 1Security is one of the most important fun.docxSample Discussion 1Security is one of the most important fun.docx
Sample Discussion 1Security is one of the most important fun.docxrtodd599
 
Sample Discussion 1Security is one of the most important fun.docx
Sample Discussion 1Security is one of the most important fun.docxSample Discussion 1Security is one of the most important fun.docx
Sample Discussion 1Security is one of the most important fun.docxjeffsrosalyn
 
A Note On Computer Science And Engineering
A Note On Computer Science And EngineeringA Note On Computer Science And Engineering
A Note On Computer Science And EngineeringAngela Roberts
 
Similarities And Weaknesses Of Vulnerability Scanners
Similarities And Weaknesses Of Vulnerability ScannersSimilarities And Weaknesses Of Vulnerability Scanners
Similarities And Weaknesses Of Vulnerability ScannersJennifer Slattery
 
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCESCOMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCESIJNSA Journal
 
ISSC481_Term_Paper_John_Intindolo
ISSC481_Term_Paper_John_IntindoloISSC481_Term_Paper_John_Intindolo
ISSC481_Term_Paper_John_IntindoloJohn Intindolo
 
What i learned at issa international summit 2019
What i learned at issa international summit 2019What i learned at issa international summit 2019
What i learned at issa international summit 2019Ulf Mattsson
 
Risk Mitigation Plan Based On Inputs Provided
Risk Mitigation Plan Based On Inputs ProvidedRisk Mitigation Plan Based On Inputs Provided
Risk Mitigation Plan Based On Inputs ProvidedTiffany Graham
 
Running Head SECURITY AWARENESSSecurity Awareness .docx
Running Head SECURITY AWARENESSSecurity Awareness              .docxRunning Head SECURITY AWARENESSSecurity Awareness              .docx
Running Head SECURITY AWARENESSSecurity Awareness .docxtoltonkendal
 
The Competency Of Quantum Technologies Information...
The Competency Of Quantum Technologies Information...The Competency Of Quantum Technologies Information...
The Competency Of Quantum Technologies Information...Maggie Turner
 
The Steps Of Good Computer Security Operations
The Steps Of Good Computer Security OperationsThe Steps Of Good Computer Security Operations
The Steps Of Good Computer Security OperationsAllison Weaver
 
5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management5 Steps to Mobile Risk Management
5 Steps to Mobile Risk ManagementDMIMarketing
 
Analysis Of Network Concepts For A Small Accounting Firm
Analysis Of Network Concepts For A Small Accounting FirmAnalysis Of Network Concepts For A Small Accounting Firm
Analysis Of Network Concepts For A Small Accounting FirmApril Wbnd
 
Mobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementMobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementDMIMarketing
 
The Nsa Should Create A Privilege Management Program
The Nsa Should Create A Privilege Management ProgramThe Nsa Should Create A Privilege Management Program
The Nsa Should Create A Privilege Management ProgramDana Boo
 

Similaire à Safeguarding the Enterprise (20)

Securing a mobile oriented enterprise
Securing a mobile oriented enterpriseSecuring a mobile oriented enterprise
Securing a mobile oriented enterprise
 
1Running Header ORGANIZATIONAL SECURITY 4ORGANIZATIONAL SEC.docx
1Running Header ORGANIZATIONAL SECURITY 4ORGANIZATIONAL SEC.docx1Running Header ORGANIZATIONAL SECURITY 4ORGANIZATIONAL SEC.docx
1Running Header ORGANIZATIONAL SECURITY 4ORGANIZATIONAL SEC.docx
 
Take back your security infrastructure
Take back your security infrastructureTake back your security infrastructure
Take back your security infrastructure
 
Complete network security protection for sme's within limited resources
Complete network security protection for sme's within limited resourcesComplete network security protection for sme's within limited resources
Complete network security protection for sme's within limited resources
 
Key elements of security threat
Key elements of security threatKey elements of security threat
Key elements of security threat
 
Sample Discussion 1Security is one of the most important fun.docx
Sample Discussion 1Security is one of the most important fun.docxSample Discussion 1Security is one of the most important fun.docx
Sample Discussion 1Security is one of the most important fun.docx
 
Sample Discussion 1Security is one of the most important fun.docx
Sample Discussion 1Security is one of the most important fun.docxSample Discussion 1Security is one of the most important fun.docx
Sample Discussion 1Security is one of the most important fun.docx
 
A Note On Computer Science And Engineering
A Note On Computer Science And EngineeringA Note On Computer Science And Engineering
A Note On Computer Science And Engineering
 
Similarities And Weaknesses Of Vulnerability Scanners
Similarities And Weaknesses Of Vulnerability ScannersSimilarities And Weaknesses Of Vulnerability Scanners
Similarities And Weaknesses Of Vulnerability Scanners
 
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCESCOMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
 
ISSC481_Term_Paper_John_Intindolo
ISSC481_Term_Paper_John_IntindoloISSC481_Term_Paper_John_Intindolo
ISSC481_Term_Paper_John_Intindolo
 
What i learned at issa international summit 2019
What i learned at issa international summit 2019What i learned at issa international summit 2019
What i learned at issa international summit 2019
 
Risk Mitigation Plan Based On Inputs Provided
Risk Mitigation Plan Based On Inputs ProvidedRisk Mitigation Plan Based On Inputs Provided
Risk Mitigation Plan Based On Inputs Provided
 
Running Head SECURITY AWARENESSSecurity Awareness .docx
Running Head SECURITY AWARENESSSecurity Awareness              .docxRunning Head SECURITY AWARENESSSecurity Awareness              .docx
Running Head SECURITY AWARENESSSecurity Awareness .docx
 
The Competency Of Quantum Technologies Information...
The Competency Of Quantum Technologies Information...The Competency Of Quantum Technologies Information...
The Competency Of Quantum Technologies Information...
 
The Steps Of Good Computer Security Operations
The Steps Of Good Computer Security OperationsThe Steps Of Good Computer Security Operations
The Steps Of Good Computer Security Operations
 
5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management
 
Analysis Of Network Concepts For A Small Accounting Firm
Analysis Of Network Concepts For A Small Accounting FirmAnalysis Of Network Concepts For A Small Accounting Firm
Analysis Of Network Concepts For A Small Accounting Firm
 
Mobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementMobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk Management
 
The Nsa Should Create A Privilege Management Program
The Nsa Should Create A Privilege Management ProgramThe Nsa Should Create A Privilege Management Program
The Nsa Should Create A Privilege Management Program
 

Plus de ADGP, Public Grivences, Bangalore

Plus de ADGP, Public Grivences, Bangalore (20)

Secure IT 2014
Secure IT 2014Secure IT 2014
Secure IT 2014
 
Secure IT 2014
Secure IT 2014Secure IT 2014
Secure IT 2014
 
Wipro and KSP - Police IT Change Management Workshop
Wipro and KSP - Police IT Change Management Workshop Wipro and KSP - Police IT Change Management Workshop
Wipro and KSP - Police IT Change Management Workshop
 
KSP Composite Computerization Model
KSP Composite Computerization ModelKSP Composite Computerization Model
KSP Composite Computerization Model
 
Cyber security and Homeland security
Cyber security and Homeland securityCyber security and Homeland security
Cyber security and Homeland security
 
CCTNS Karnataka Overview
CCTNS Karnataka OverviewCCTNS Karnataka Overview
CCTNS Karnataka Overview
 
Xime erp creation & change management 18082013
Xime erp creation & change management 18082013Xime erp creation & change management 18082013
Xime erp creation & change management 18082013
 
Technological framework
Technological frameworkTechnological framework
Technological framework
 
Cii iq's national business excellence conclave 2013
Cii   iq's national business excellence conclave 2013Cii   iq's national business excellence conclave 2013
Cii iq's national business excellence conclave 2013
 
E gov championship workshop bangalore 21082013
E gov championship workshop bangalore 21082013E gov championship workshop bangalore 21082013
E gov championship workshop bangalore 21082013
 
Homeland security – A Robust Counter Terrorism Mechanism
Homeland security – A Robust Counter Terrorism MechanismHomeland security – A Robust Counter Terrorism Mechanism
Homeland security – A Robust Counter Terrorism Mechanism
 
Leadership casestudy
Leadership casestudyLeadership casestudy
Leadership casestudy
 
Reaching out to the unreached
Reaching out to the unreachedReaching out to the unreached
Reaching out to the unreached
 
LTC Word
LTC WordLTC Word
LTC Word
 
Homeland security – A robust counter terrorism mechanism
Homeland security – A robust counter terrorism mechanismHomeland security – A robust counter terrorism mechanism
Homeland security – A robust counter terrorism mechanism
 
LTC - 1
LTC - 1LTC - 1
LTC - 1
 
HLS Perspective. Safer cities for a better tomorrow
HLS Perspective. Safer cities for a better tomorrowHLS Perspective. Safer cities for a better tomorrow
HLS Perspective. Safer cities for a better tomorrow
 
LTC - 2
LTC - 2LTC - 2
LTC - 2
 
Unreached
UnreachedUnreached
Unreached
 
Reaching out to the unreached
Reaching out to the unreachedReaching out to the unreached
Reaching out to the unreached
 

Dernier

UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 

Dernier (20)

UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 

Safeguarding the Enterprise

  • 1. 1 Safeguarding the Enterprise: a new approach Sanjay Sahay Introduction Attacks on the enterprise are getting increasingly sophisticated. Current solutions available do not seem to be adequate given the innovativeness, precision and persistence of these attacks in different forms and of different dimensions. Organisations thus want to increase the sophistication of their employees and also of the solutions to be deployed given this backdrop. Facts & Challenges Research shows that 55% of the breaches requires months to years to contain (Verizon 2010 Data Breach report), 16% of breaches are discovered via active and deliberate action. Only 24% of APT malware is detected by an anti-virus solution. (Mandiant 2010) Logs are at the heart of monitoring and use of logs for the right purpose and in the right directions can come handy immensely. Mining of logs throws up data which the professional can make a meaning of. The signs are there, we just need to get better in recognizing them. This is the challenge of safeguarding the enterprise. “We watch these attackers and we know them. Some are very fast moving…, if you lose track of them in your system, you can lose them for months if not forever. The impact of damage cannot be gauged at a later date and real impact would remain unknown forever. This brings us to the primary question of why safeguard the enterprise. The enterprise has to be safeguarded primarily for two reasons the first being the physical security, it cannot exist in a vacuum and the second being the safeguarding of the data. Structure During the course of this article I will take you through my definition of a safeguarded enterprise, the new approach – Gartner White Paper, goals, security risks and key success factors, security architecture, data center, connectivity and application, application data security life cycle, security information and event management, single sign on, the future- cloud computing and the final thoughts based on the discussion gone through this article.
  • 2. 2 What is a safeguarded enterprise Safeguarded Enterprise is the sum total of a clear – cut perception, appropriate/integrated planning, documentation, meticulous execution ad dynamic/robust maintenance of enterprise security policy at awareness, attitudinal, physical, systems, processes, application and data dimensions throughout the enterprise creating a near fail safe enterprise. Silo Silos have ruled the world till we realized what a silo is and the way it feeds like a termite on a system, which is an integrated system, for namesake. So was the case of security in the Enterprise Business Architecture. Business, information and technology (BIT) were the three components. The new approach emanates from a Gartner White Paper in the year 2006 titled ‘Incorporating Security into the Enterprise Architecture Process’. This led to the creation of Enterprise Information Security Architecture with four critical components of Business, information, technology and security (BITS). BIT changed to BITS and security became a design component itself. S E a new approach Enterprise Information Security Architecture • Architecture• Architecture • Architecture• Architecture Business Information SecurityTechnology
  • 3. 3 In the midst of the clamor for a fail safe data regime which would be nonetheless be a mirage, the importance of physical security should not be diluted. My visit to Indian IT companies in Bangalore has helped me confirm by belief that physical security stands at par with data security though the two are distinctly different thought processes, are different in execution and would remain to be complimentary for all times to come. 9/11 has been a watershed in modern human history, the location of the Taliban attack Ground Zero as is its called was a rubble of what was best of the companies in the world housed in the World Trade Center towers 1 & 2. Whatever come may… physical security will always count, whether on land, in air or on water. This does not in any way bring down the importance of the Disaster Recovery process of our state of art data centers which were able to retrieve nearly all the data which was physically located on the servers and computer systems in the two ill fated buildings. Goals The goals of Enterprise Information Security Architecture is to provide a structure that is coherent and cohesive. As the business motive is predominant in a business enterprise, the business to security alignment in critical. Any disconnect would be critical to profitability and at times to the existence of the enterprise itself. The details ought to neatly spelt out, top down which should be synchronous in itself and synergize with the business strategy. At the end of the day, this approach helps establish a common language for information, for its free flow, clarity of communication and timely and effective response mechanism for information security within the integrated enterprise. Risks The common risks which the enterprise faces today is all too well known. This can broadly be summarized as mentioned below: Email attachments VPN Tunnel vulnerabilities Blended attacks Diversionary tactics Download from websites Supply chain and partners added to the network Microsoft’s SOAP
  • 4. 4 Renaming documents Peer to peer applications Music and video browsers Key Success Factors Awareness of the impending danger is the initiation of diagnosis and objective diagnosis can only lead objective treatment and maintenance of a healthy enterprise both form the point of view of physical and data security. Security awareness in all its dimensions creates an environment where all success factors fall in place like a jigsaw puzzle, the people, the processes and technology. One the security awareness human platform are the two main technical components of Network Security and Application Security. Operating system security, Patch and AV management and SIEM are the three components of the final layer which can be termed as the operating, functional and the analytical layer. Security Architecture The key success factor is the synergy of People, Processes and Technology creating a seamless security architecture which is optimally functional and has the capability to propel the enterprise to the next level. The people part comprises of user awareness, guidance, administration and effective monitoring of the system. The processes part comprises of policies, standards, guidelines and audit capabilities. Last and the most important component in a technology driven world is technology itself manifested by the use of IPS, Firewall, AV, DLP and SIEM. Defense of Depth “Defense of Depth” is a concept used to describe layers of defense strategies. The components at each layer work in tandem to provide one cohesive security mechanism. This layered approach also helps localize the impact if one element of the mechanism is compromised. The defense of depth layers concentric circles begins moving outwards with the Data at the bull or the innermost circle. The circles from the innermost to the final outside circle are data, application, host, internal network, perimeter, physical and policies, procedures and awareness.
  • 5. 5 At the Core Data Center, Connectivity and the Application are at the core of the enterprise security. The main purpose of a data center is running the applications that handle the core business and the operational data of the organization. Secure application usage is the key to the creation of a secure enterprise. Secure connectivity is the backbone. The Karnaktaka State Police broadband networking is a intranet named KSPWAN which is a combination of 39, 2 Mbps MPLS leased lines for big offices, 512 Kbps 1400 VPNoBB connections covering all police stations and small offices and 8Mbps internet leased line with and aggregation bandwidth of 32 Mbps working as a single network of 5000 computers across the state working out of a single server located at the KSP Data Center. The choice of intranet over internet is the first decision towards security of the enterprise which is slowly becoming the norm in enterprises across the globe.
  • 6. 6 S E a new approach KSP Connectivity Application/s is at the heart of the enterprise. An ERP created for the enterprise aligns to all its tasks and activities also takes care of all the staff functions which run co-terminus with the business functions. Secure ERP on an intranet is what we are all heading for. The Application Data Security Lifecycle (ADSL) SE a new approach The Application Data Security Lifecycle Assess Set Policies/Controls Measure Monitor / Enforce The Application Data Security Life Cycle
  • 7. 7 The diagram clearly elucidates the role of different components of the ADSL. The lifecycle as is the case with concept and process starts with the assessment encapsulating the configuration/usage of servers and data, test configuration, evaluate the inherent risks and also assess how and by whom the data and applications are used. Setting polices and controls is the subsequent task. The policies should be automatically created considering the right mix of business and security considerations with the flexibility to adapt to user changes and support granular policies and controls. Monitoring and enforcing is more important than creating the policies itself. The separation of duties should be ensured simultaneously with user accountability. The transaction details should be in a comprehensive manner and alerts and blocks should be resorted to in real time. Measure is a tool, an utility which provides the appropriate usage, levels of effectiveness and the depth of the impact of the system put in place which is conducted by way of built in and custom reports, roll up and drill down data, security event analysis and the compliance workflow. Security Information & Event Management (SIEM) SIEM, an intelligence platform helps safeguard the business by giving complete visibility into the activities across the IT infrastructure. It fulfills the functionalities which would be not be emanated out of single activity logs and without this software system no correlation can be mapped or understood leave aside taking any correctional action. Logs are the cornerstone of all activities and making meaning of the logs as per our requirements is the real professional tool. The functionalities being attended to by this software are asset discovery, threat detection, vulnerability assessment, event collection, correlation, event management and log storage. The SIEM capabilities comprise of data aggregation, correlation, alerting, dashboards, compliance and retention. Single Sign On Single Sign On, SSO, is a property of access control of multiple related, but independent software systems. Conversely, Single Sign Off, is the property whereby the single action of signing out terminates access to multiple software systems. The benefits we derive out of this system are as follows: More secure Reduces password fatigue Reduces time spend for re-entering passwords
  • 8. 8 Reduces IT costs – helpdesk calls pertaining to passwords etc Security on all levels of entry/exit/access to systems Centralized reporting for compliance adherence Cloud – The Final Frontier Cloud computing has turned out to be the final frontier as on date, with advantages to so many but procedurally and technically still not seeming to full secure. Enterprises my still take sometime to switch over to complete cloud environment. There are large number of security issues/concerns associated with cloud computing which can grouped into two, firstly security issues faced by cloud providers and secondly security issues faced by their customers. The provider must ensure that their infrastructure is secure and client’s data and applications are protected. The customer must ensure that the provider has taken proper security measures to protect their information. Cloud - Virtualization The extensive use of virtualization in implementing cloud infrastructure brings unique security concerns for customers of a public cloud service. Virtualization alters the relationship between the OS and the underlying hardware – be it computing, storage or even networking. The use of this technology introduces an additional layer – virtualization – that itself must be properly configured, managed and secured. Specific concerns include the potential to compromise the virtualization software. While the concerns are largely theoretical, they do exist. Challenges What we are witnessing today is advanced cyber threats are advanced cyber threats, collaboration is the key in dealing with them. No single organization can respond positively given the nature of the challenge posed on enterprises today. There is need for the creation of an Advanced Cyber Security Center (ACSC) for cross sector collaboration organized to help protect the country’s enterprises from the rapidly evolving advanced and persistent cyber threats. ACSC would strengthen short term defenses and long term capability. Actionable intelligence to bolster an organizations defense in the short term and generate new defensive strategies and R&D in the longer term would be the logical guiding principle.
  • 9. 9 The near term results would be application of front line analytics, medium term results would be the application of New “ Predictive Analytics” Development and the long term results would true Research & Development which would throw up innovative security solutions for the enterprise. Though it would time taking yet it would be worthwhile to leverage on sustainable and continuous research improving the enterprise security by leaps and bounds. The other challenges include cloud computing with virtualization which I have already discussed in detail. With mobility becoming the order of the day, this would remain an area exclusive concern and most gadgets would be internet enabled where compromising security is easier than in a closed environment. Country standards are a must and only international benchmarking which is generally not enforced can be relied upon completely. The protocols so created, which would have the sanctity of the law would be universally enforced to bring into existence a business enterprise regime in this country thriving on its protocol and enforcement and the enterprise relying on the BITS architecture wherein security would be a design element from the stage of the concept itself. Secure software with all inbuilt security features has been be emphasized all throughout this article. Conclusion Complexity is our life and making it simple our goal. Technology gains the highest end with simplistic products and services. The complexity of IT security gets confounded with innumerable applications, the processing power, the world wide web interface, cross enterprise collaboration and the like. Cloud computing, though in its nascent stage has thrown a major challenge to IT security, the success of which would be epochal and the IT services would take a well deserving leap forward.