Security Process/Planning


The question of whether to rely on a third-party vendor or to develop a public key infrastructure (PKI) within your own organization is a tough one that doesn't seem to have a clear-cut answer.  Each method has its own pros and cons that I'll try to outline for you here, and there are a lot of factors that could go into this decision.

Some of the good points on sourcing a public key infrastructure through a third-party vendor could include:

  • Guarantees and service level agreements on uptime and availability of the infrastructure they are providing your organization.
  • Pricing is often based on volume where larger organizations can take advantage of better rates than organizations with smaller user populations.
  • The majority of companies out there providing this kind of service often have very thorough disaster recovery and business continuity plans that help to ensure that what you’re paying for is always available and remains as secure as possible.
  • These vendors can also supply key management services that are streamlined and efficient to help minimize the overhead costs associated with implementing and sustaining the program.

Bad points of using third-party vendors to implement PKI could include:

  • You’d have to trust an outside agency to handle a business area of your organization that, if compromised, could be very costly to your company.
  • You’ll
  • You'd most likely have to pay per-user fees.

Research seems to indicate that implementing a solution in-house can be far more costly up front than taking advantage of a third-party solution.  That being said, in the long run it may be less expensive, because the only ongoing costs associated with the project would be long-term maintenance and sustainment.  Also keep in mind that if your company experiences heavy growth in personnel in the future, the cost of your PKI would not change significantly if it is managed in-house.  By implementing a PKI program yourself, you'd also maintain control of how the program is implemented and would not necessarily have to trust anyone outside of your company with something so integral to the overall security posture of your information and resources.

There have been a lot of studies on this particular question, and they do not all agree on a suggested implementation plan.  I suppose the questions that need to be seriously considered prior to making a decision would include:

  • Do we have the capital to invest in an in-house solution at this point in time?
  • Can we support the implementation of PKI, and do we have the expertise in-house to stand something like this up?
  • Are there vendors that can provide this service to us at a reasonable and affordable cost to our organization?
  • Do we expect the size of our employee population to increase or decrease significantly in the foreseeable future?

Security professionals work in an ever-changing environment where a primary goal is always to be one step ahead of those who might seek to harm the assets and resources they are charged with protecting.  It is an uphill battle that never ceases and that fundamentally requires planning as well as a multitude of resources – both human and technical.

At the technical level, security professionals seek to deploy and manage automated systems that, through heuristics, known signatures, and specific rules, help to protect infrastructure components.  Much of this technology can be expensive to acquire and maintain; however, many executive managers have come to the realization that in today's technology age, investment in security technologies is part of the cost of doing business.

Accompanying the implementation of automated security solutions comes the requirement (and subsequent cost) of supporting those systems on a daily basis.  This means staff to perform duties like firewall management, audit log review, public key infrastructure management and sustainment, etc.  These folks are responsible for ensuring that the technological solutions in place to protect the company's assets remain up to date and as comprehensively functional as possible.  They must have a complete understanding of the infrastructure they are protecting, and they must stay on top of the ever-changing arena of information security.

Beyond the staff required to support automated security investments are the people who help mitigate vulnerabilities and risks that cannot be addressed through technical means.  Unfortunately, it is tougher to sell executive management on this sort of security investment, because typical mitigation practices on this front include the development of policy and standard operating procedures, training, certification and accreditation, etc.  Part of the reason for this tougher buy-in from executive management is the inability to truly assess the return on investment.  With technical solutions, it is easy to see how many viruses were quarantined, how many intruders were stopped at the firewall, or the number of packets dropped by the host-based intrusion prevention system.  Those sorts of details are quantifiable and can be presented to management in ways that they can easily comprehend.

How does one talk about the effectiveness of a policy, or of certification and accreditation?  Quantifiable results that justify the investment in these sorts of strategies are attainable, but they accrue at a much slower rate than those of a technical nature.  The fact that they are not easily quantifiable, or even that they may inhibit some areas of operation, does not mean they should be neglected or dismissed altogether.

Forward planning through standard operating procedures, policy implementation, awareness, and training are all fundamental components of any information assurance or security platform.  Enterprises have to be capable of protecting their assets when technical measures fail.  Management has to realize that threats no longer predominantly come from outside of the environment, but rather from within.  They have to understand that there are very few technical mechanisms to mitigate the human element of the security equation.

Implementing policy and standard operating procedures not only displays movement toward due diligence, but also embraces a proactive operational mentality that will inevitably help an organization pull through tough times.  Every security practitioner knows that no enterprise or organization can ever be one hundred percent secure.  Given this fact, it is only a matter of time before an incident or compromise occurs.  Contingency planning, incident response, and other key areas of information assurance can all be planned for, and can all help to preserve the operations of the company in times of desperate need.

Organizations that refuse to invest in preplanning for future events capable of bringing operations to their knees are at the mercy of the technology they employ.  Choosing to believe that they are not a target, or that their organization is too small to be concerned with these sorts of policy-based or procedural activities, leaves little room for rebound if and when an incident occurs.