Building a Mobile Computing Security Strategy
Part two: Who Needs to Know What
One Size Fits None
These days more organizations than should are spending more money than necessary securing more resources than is practical against more risks than make sense.
Yes, it is true that:
- Security breaches are on the rise.
- There are laws to obey, standards to uphold, best practices to follow.
- Bad things sometimes do happen to good people.
But it is also true that:
- Statistically speaking, breaches are not happening as often, or to as many organizations, as you may think.
- From a liability standpoint, negligence is to blame far less often than you may suspect.
- Legally, there may be less you can do about it than you may hope.
So how much security is enough? It depends on who you are and what you do, according to an in-depth InfoWorld report [1] on the subject released in March 2011. If you happen to be the leader of the free world or Agent 007, then by all means deploy everything you can get your hands on. If not, a more practical "who needs to know what" approach is far more effective, especially once you take these game-changing realities into account:
- Not all information is sensitive or valuable.
- Not all people have access to sensitive or valuable information.
- Not all information can/should be protected in the same ways.
Here is a quick look at the four basic security risk groups InfoWorld suggests you consider addressing (where appropriate) in every area of security planning, including your Mobile Security Strategy:
People who deal with routine business information (rarely have access to anything personal or sensitive)
- Types of professionals: Truck drivers, graphic designers, restaurateurs, etc.
- Types of issues: Lost devices, etc.
- Types of solutions: PINs, etc.
People who deal with important business information (could cause harm worth preventing, but won't sink the ship)
- Types of professionals: Mid-level managers, IT professionals, consultants
- Types of issues: Access to somewhat sensitive systems, lost devices
- Types of solutions: Complex passwords, SSL/TLS encryption, remote wipe, etc.
People who deal with sensitive business information and technology (can cause significant harm)
- Types of professionals: Finance, medical, regulatory, product developers
- Types of issues: Access to sensitive systems and devices
- Types of solutions: Complex passwords, SSL/TLS encryption, remote wipe, access control
People who deal with top secret information and technology (can jeopardize lives or national security)
- Types of professionals: Military, government, intelligence
- Types of issues: Access to extremely sensitive systems, lost devices
- Types of solutions: Military-grade encryption, discreet lockdown controls
_______________
[1] InfoWorld Deep Dive: Mobile Device Management, March 2011
A Guide to Building a Relationship with the Right Provider - Part II
The information contained in this two-part guide provides a step-by-step plan to help you build a relationship with the right provider, regardless of whether you are looking to:
- Outsource your IT functions so you can focus time and resources elsewhere
- Strengthen or refresh your existing IT infrastructure without tying up capital
- Access specific capabilities without worrying about technological obsolescence
This document focuses on everything you need to know to choose the right provider for the job, as well as the subsequent steps you can take to keep this valuable relationship on the right track.
Part Two
Step three: do your homework.
Evaluate candidates on the basis of meaningful business indicators. Price matters, of course. But since financial insecurity and employee turnover are among the most common reasons IT outsourcing relationships fail, due diligence matters even more. Here are just some of the operational questions you should ask:
- How long have you been in business/profitable?
- What percentage of revenue comes from your largest client?
- What is your rate of voluntary turnover and why?
- Do you have employee satisfaction and retention programs in place? What tools and processes are used?
- What is your service delivery model? How are issues reported, tracked, escalated and closed?
- What are the service levels and coverage windows?
- How often do you conduct customer satisfaction surveys? What are the historical scores?
- What is your on-boarding process? Is a project manager assigned?
- What is included? What is not? Anti-virus and Anti-spyware? Email filtering?
Step four: establish service metrics before the start of your contract, so that you have a quantitative measure of how things are going.
Follow through by asking your IT Service Provider to report on these kinds of metrics on a regular basis:
- System uptime
- Tickets and ticket detail. How many were opened? Resolved?
- Support response times
- End-user satisfaction
In addition, you should expect your provider to submit documentation confirming that proactive maintenance tasks are performed on a regular schedule, so that your network keeps running well rather than merely being repaired when it breaks.
Security in the Clouds
"There is no security on this earth, there is only opportunity." General Douglas MacArthur
Think about it. If a five-star general with more than a passing acquaintance with the Sherman tank wasn't convinced security existed even after winning WWII, who can blame IT professionals for still having a few doubts about the safety of cloud computing? Unlike the previous computing revolutions IT has weathered (mainframe to client-server, client-server to Web), cloud computing challenges traditional security assumptions and approaches. For starters, there are three distinct service models of cloud computing, each with its own level of exposure, risk and security needs, and in each the line between what the provider secures and what you secure falls in a different place. Here is a quick look at each model and how the Cloud Security Alliance (CSA) describes its individual security concerns.
Infrastructure as a Service (IaaS) IaaS providers deliver fundamental computing resources over the Internet, typically in the form of virtual machines (VMs). These resources can include any or all of the following:
- Operating system
- Memory and storage
- Processing power
- Applications
- Other fundamental computing resources
Although consumers do not manage or control the underlying cloud infrastructure with IaaS, they do control the operating systems, storage and deployed applications. There are typically few integrated security capabilities in IaaS: the provider secures the physical hosts, network and hypervisor, while the consumer is responsible for managing and securing (patching, hardening and monitoring) the guest operating systems, applications and content.
Software as a Service (SaaS) SaaS providers deliver software functionality over the Internet, enabling end users to access it via a Web browser without installing the software locally. Consumers do not manage or control the servers, operating systems, storage or individual application capabilities. That means the provider carries responsibility for securing the platform itself; what remains on the consumer's side is deciding who gets accounts, what data goes into the service, and whether the provider's controls meet their requirements. In other words, if the provider does not encrypt data, user data is not encrypted, and there is nothing the consumer can do about it short of changing providers.
Platform as a Service (PaaS) PaaS providers deliver complete development environments in which developers code, host and deliver applications. In addition to the underlying infrastructure, this environment typically includes development tools, Application Programming Interfaces (APIs) and related services. Although developers do not manage or control the infrastructure (the network, servers, operating systems or storage), they do control the deployed applications and, in some cases, the configuration of the application-hosting environment. Typically there are few built-in security features with PaaS. Developers do, however, have the flexibility to add more, and should pay attention to application security as well as the security of the APIs they expose and consume.
The brightstack Approach brightstack's approach is to treat all three models under our umbrella of "Technology as a Service." Seen that way, managing security becomes much more a matter of tools, processes and people than of the specific technologies implemented.