Opinion: Security priorities are changing for Canadian organizations

By: Todd Kutzke, senior director, Information Security, Microsoft Corporation (May 13, 2008 06:00:00)

Information is fast becoming more ubiquitous and tightly interconnected within the vast networks of cables and hosts distributed worldwide. This translates into an urgent requirement for more secure transactions and exchanges between international government bodies, in order to foster stronger B2B and B2C commerce.

And as the technology used to host and deliver the information evolves, new avenues of data access are providing a richer tapestry with which to build interfaces for more secure access to highly sensitive information.

While this infrastructure presents new prospects for today's business and consumers, it also presents opportunities for "hackers" to realize their motives - ranging from notoriety to downright criminal. The new breed of computer criminal is most likely a member of an international crime syndicate, employed alongside other skilled people who specialize in illegal cyber activities such as software virus development, phishing, creating and distributing malware and spyware, and, now, digital identity theft.

In addition to cyber criminals becoming more organized, there are two major trends impacting information security.

First, given the huge variety of interfaces available today through rich applications, the majority of today's attacks on government and corporate IT installations are targeted at the application layer rather than at the infrastructure. Second, everyday Internet users are now being targeted by hackers.

Taking stock of security

The security priorities of many Canadian organizations have changed considerably from years ago when technical infrastructure was seen as the major focus of defence against cyber crime. Today, most attacks are either aimed at the application layer of an organization's software or at specific individuals through targeted social engineering tactics such as phishing.

As a result, organizations are now looking at different ways to strengthen their application layer by developing in-house applications that meet their unique needs. What is needed is a holistic, integrated solution to address security in the application lifecycle that encompasses people, process and technology.

The very first thing that needs to be evaluated is the existing processes around application development as well as the need for new processes. Security must be considered an integral part of the entire application lifecycle starting from the envisioning or rationalizing phase down to support and retirement of the application. It is critical to view security as just another attribute of an application like performance, scalability, usability, accessibility, etc.

The key is to evaluate the importance of the security attribute against the business requirements of a given application and to develop a strategy that builds and maintains an acceptable security posture. There are never enough security resources to go around, so it is absolutely imperative to understand both the business requirements and the technical composition of a given application. Only then can the security resources of your organization be distributed appropriately across the entire enterprise application portfolio, to develop and maintain an acceptable security posture for the portfolio as a whole.

During the envisioning or rationalizing phase of an application, for example, it's critical to evaluate the cost of maintaining an acceptable assurance level of the application with the introduction of security controls. This exercise helps tease out cases where the cost of maintaining an acceptable assurance level of an application is actually greater than the value the application brings to the organization. In cases like this, the application proposal fails its rationalizing and should not be developed.

When designing IT applications, it's also important to determine the kind of processes that are in place to help articulate the security requirements of the application and align these requirements with security controls that need to be introduced to maintain an acceptable assurance level of the application.

A process needs to be established during the testing phase to help evaluate the security posture of the application from an objective perspective. This can include an independent security assessment or vulnerability scanning tools that are run against the application code. The assessment process also needs to take into account remediation as well as exceptions, to provide end-to-end management of the results of the security assessment.

It is not enough to simply enforce patch management of the underlying infrastructure; the application itself needs to be managed to ensure its security posture is maintained even through change requests. After the application is deployed in production, processes need to be followed to ensure the application maintains the acceptable assurance levels even through the discovery of new attack vectors or exploits.

Secure technology, secure processes

After processes have been established, technology should be evaluated in support of them. It is not effective to simply apply technologies to security problems without an underlying process to govern them. It is important to understand the limitations and benefits of such a technology in the context of processes established to assess the security posture of an application.

At the same time, training and knowledge must be provided to staff, so they are empowered to make security part of their job. The goal is to establish an independent governance and enforcement body in the organization that works towards managing security policies and drives compliance in an effective and proactive manner.

In the end, the security of your organization is only as good as your weakest link. As such, it's critical to maintain an overall holistic view of security and incorporate security into every aspect of your application lifecycle. At the same time, it's important not to get overwhelmed by the scope.

Security approaches can be adopted in a piecemeal fashion, starting with process tweaks to existing development processes, for example. From there, government organizations should start evaluating how technology can be introduced into different aspects of the development lifecycle to bring about efficiencies.

Todd Kutzke is the senior director of Information Security for Microsoft Corporation.

Opinion: Security priorities are changing for Canadian organ..

How can I download it? Please.
Written by: younis`, from cairo
RE: Opinion: Security priorities are changing for usa

Good luck from Kenneth Fromfeld.
Written by: fromfeldkenneth, from schofeld
Opinion: Security priorities are changing for Canadian organ..

I need a serious antivirus that will help me protect my computer, which is a
Written by: maduka, from kuching
Opinion: Security priorities are changing for Canadian organ..

There are many problems with Vista, such as it blocking many programs that I use, like Yahoo Messenger, and it doesn't give a reason for this blocking. I hate Vista so much and I think that the group who invented this Vista are not qualified.
Written by: mohamed, from dubai
Opinion: Security priorities are changing for Canadian organ..

I need the anti-riks, many thanks, bu
Written by: javier garcia hernandez, from morelia
Opinion: Security priorities are changing for Canadian organ..

Nice.
Written by: heidar, from susangerd
Opinion: Security priorities are changing for Canadian organ..

Please help me with one complete antivirus, thank you.
Written by: issa, from
Opinion: Security priorities are changing for Canadian organ..

Knowledge about Windows security.
Written by: Nomo, from Ghana
Opinion: Security priorities are changing for Canadian organ..

Hi, I need help to load antivirus and protection against worms and anti-spy devices on my computer. I have nearly 3000 infected windows or programs and Registry Smart will not fix these unless I get full cover, but I just cannot afford payment for such things. Windows XP 2003
Written by: Ronnie Of Christchurch RONALD, from WOODS
RE: Opinion: Security priorities are changing for Canadian o..

Use the Norton 2009 version, available free of cost with free activation, before they stop offering this version. It pretty much is updated against all threats till date, and it's free!! Cheers
Written by: Deep, from Bangalore
Opinion: Security priorities are changing for Canadian organ..

I want to learn more about Windows security.
Written by: Agbegninou, from Ghana
Opinion: Security priorities are changing for Canadian organ..

My Windows Media is no longer activated, and how do I secure my computer?
Written by: denise bonin, from Repentigny
Opinion: Security priorities are changing for Canadian organ..

Get support for security.
Written by: Aaron Samuel, from Toronto
Opinion: Security priorities are changing for Canadian organ..

How do I get Windows Media working again, and secure the sites? Please reply in French, thank you.
Written by: denise bonin, from Repentigny
Opinion: Security priorities are changing for Canadian organ..

GOOD
Written by: ENOCH SHIN, from ORINDA
Opinion: Security priorities are changing for Canadian organ..

I got this problem today, Aug 25th 08. I tried to download this file and it started giving me some big viruses; it's like it is controlling my computer, and when I did a scan it kept doing the same thing and won't let me open any site on the internet. So please, someone reply, I need a solution for it because I want to use the computer. It keeps showing up in my way and tells me your computer is in danger, I don't know why, and the website is secure, no viruses, but I hate Windows Vista for this reason.
Written by: Kenny, from Philadelphia
Opinion: Security priorities are changing for Canadian organ..

The error was inexplicable.
Written by: geralda raymond, from irvington