
Achieving Configuration Compliance in a Regulatory Framework

By : Secure Computing
Published : Jul 05, 2006
Length : 6
Type : White Paper
 
Overview :

Regardless of whether your company is subject to HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley, any number of state regulations, or none at all, configuration compliance has a place in most if not all business and government organizations. Configuration compliance automates the process of ensuring that every device, system, and pipeline in the network adheres to your corporate security policies, is up-to-date, and configured appropriately.

A configuration compliance tool is necessary to help reduce risk, support the need for audits, and be part of the compliance initiative. Find out in this paper how you can achieve automated configuration compliance with the SafeWord SecureWire IAM appliance from Secure Computing.

 
Companies have devoted significant time and resources to achieve compliance with many pieces of legislation, such as HIPAA, Sarbanes-Oxley, and Gramm-Leach-Bliley. An important element of compliance with specific regulations is achieving a compliance framework internally. Compliance with external mandates can be more easily met by first ensuring that the network is compliant with the internal security policies upon which the legislative compliance framework is built.


Good security is both reactive and proactive, but many security solutions lack the integration of these two components. One of the most important proactive elements of security is configuration compliance, an emerging field that automates the process of ensuring that every device, system, and pipeline in the network adheres to corporate security policies, is up to date, and configured appropriately. Configuration compliance defines a set of configuration standards and enforces those standards on a continuous basis.

The vast majority of security vulnerabilities occur because of improper configuration of existing servers, workstations, end-point devices, and security appliances or software. An all-too-common example is when a company deploys applications, servers, or firewalls, but neglects to change the default configuration, or even the easily-guessed default password. In addition to this problem, weak security settings or outdated security software can sometimes cause a vulnerability that allows an attacker to penetrate the enterprise. This is especially common in mobile computers, when users change settings to get their laptops to function with their home Internet connection or a piece of unauthorized software.


What happens if a remote worker using a home laptop changes security settings, because they want to use IM to chat with friends? There may be no malicious intent at all, but the results are the same. That home laptop becomes the "weak link" in the enterprise, and could ultimately compromise the whole network. Configuration compliance tools eliminate this problem by first checking the laptop to make sure all settings adhere to corporate policy before allowing the remote connection to be established.

To ensure proper compliance with both internal policies and external mandates, organizations must:
- Establish a security policy that encompasses all endpoints, and enforce that policy.
- Ensure that every endpoint, whether it is an internal device, home connection, or a connection from a client or partner, is also governed by the same security policy.
- Get a clear understanding of which computers and devices have deviated from the approved configuration policy, and have a mechanism in place to bring those devices back into compliance.
- Impose authentication and authorization controls over all connections.

Risk of identity theft

Achieving and maintaining the trust of the consuming public must be foremost in the strategies of organizations, from small businesses to enterprises, that do business online. The tools to conduct online commerce securely are available today, and given the right tools, adherence to best practices in security, and enforcement of a security policy, there's no reason why a company should fall victim to hackers intent on identity theft. Configuration compliance is an effective tool in the fight against identity theft.

It may seem impossible to stop identity theft. According to the Cyber Security Industry Alliance (CSIA), there were 3.4 million instances of identity theft in 2005, and victims spent an average of $834 and 77 hours to clear their names. But identity thieves are opportunistic and they look for the easiest targets. Rather than spend weeks trying to hack through a properly configured security system, their time is better spent moving on to an enterprise that is less well protected. One of the goals of these government regulations is to force organizations to keep customer data secure, thereby assuring the public and allowing the online economy to grow.

However, recent e-commerce trends alarm government regulators. While e-commerce has grown significantly in recent years, more recently it has taken a step backwards. The CSIA, in a recent report to Congress, noted that for the first time, there is a decrease in Americans' interest in doing business online. In addition, a survey conducted by Osterman Research showed that 44 percent of people who use computers at home use e-mail and the Web less often than they did a year ago. The main reason cited by the survey is the presence of spam, spyware, and other related problems.