Howard Schmidt, President, Information Security Forum, talks about the finer aspects of Information Security in a one-on-one with Biztech2.com.
What are the major threats in the current scenario?
One of the major threats lies in end point data that resides everywhere and no one in the organisation has a clue as to where the actual data is stored. As an enterprise, it is critical to know where the data is actually placed for reasons of protecting it. The other concerns are around wireless security and mobile devices; we’ve not paid a lot of attention to these things.
If you take the instance of coffee shops and places like that, the wireless connectivity over there is usually not encrypted, which is a big threat and a known secret to the bad guys, who can misuse this information. The other threat that we see today is a result of the global economic problems, which have trickled down to affect the end user; this threat is manifested when users want to apply for jobs online or need to give away financial information online.
What are the looming security issues with popular technologies?
The main issue with popular technologies such as virtualisation and others is that specific threat areas associated with them have not yet been defined. We generally tend to pay more attention to these technologies after someone does something against them. The important question to ask is whether we need to take into confidence a security professional. The security professional would examine the technology and sit down with the IT team and talk about the security measures to be kept in mind. Once we do this, we can get a better handle on what virtualisation really means or what cloud computing is or any other technology for that matter. The other thing that’s really important is to understand that it’s not always the same for all environments.
What kind of access controls can enterprises put in place to secure information within and without the organisation?
While looking at access controls, one of the things that has to be understood is that there should be not only strong authentication but also defined authorisation to get access to data. There have to be access controls to ensure auditing. Once this is in place, we can define the environments and where exactly the fraud is taking place. With access and auditing controls in place, a lot of threats can be identified in advance, which can save concerned authorities both time and money.
What is the best approach to enterprise security?
Security should be approached in a holistic way. There should be processes in place to check log-ins, authentication, authorisation, network access controls and one should have the ability to block malware too. What we are seeing is that while enterprises are getting more secure, end points are getting less secure.
What advice would you give CIOs to have a balanced security strategy?
CIOs and CTOs have to understand that security is not just about technology. Security is a business process. People, business processes, policies and technologies are all interwoven into the security process. So, if you are looking at a technological solution, then it is only a part of the answer because you have to have the trained people to deploy it effectively and you have to understand that the business units involved should have a demand for security. Over the years, when we look at the way security has moved, CIOs have realised that it has helped them to speed up business, be more profitable and increase market share.