These uncertain times of budget consciousness raise the question: how much security is too much security? That's a great question and here is the answer. It depends on how much you value your data. How devastating would it be to your organization and your customers if that data were compromised? Can you survive your customers' personal data and/or your company's intellectual property getting into the wrong hands? Can you visualize the financial impact this could have and the long-lasting damage to your company's business reputation? Can you envision the potential fines for failure to comply with government laws and regulations around data protection, user privacy and security breaches?
In reality, there is no such thing as too much security. All industries need to implement a robust, comprehensive defense-in-depth strategy -- where one safety net backs up another until it is virtually impossible for an attacker to penetrate your environment and have access to your data. Remember that a 100% impenetrable security infrastructure does not exist. Any security architecture can be compromised, so it must always be based on “work factor.” Make your security so tough and your environment so hard to penetrate that the attacker goes and looks for an easier target. Here’s an analogy to illustrate my point: If a burglar were standing in front of two buildings of equal value -- one with a 40-foot fence around it and one without -- which one do you think the burglar would try to attack? The one where he would have to first climb over a 40-foot fence to reach the front door or the one where he can walk right up to the front door?
Organizations must have the right security controls deployed end-to-end:
- Solid perimeter security controls such as firewalls, a DMZ, VPN for remote access, etc.,
- Intrusion prevention devices (IPS) analyzing data at all points within a network,
- Very locked down access controls,
- Data loss prevention (DLP) technology monitoring what their users are trying to do to move and use data,
- Multi-factor and adaptive authentication mechanisms,
- Correct data classification,
- A strong endpoint device anti-malware solution based on signature detection, heuristics, machine learning and intrusion prevention,
- A robust advanced next-generation malware EDR solution, coupled with a malware sandboxing technology to catch the unknown malware,
- And of course, a multi-layered encryption solution protecting their data.
Organizations must also invest in educating their users on the importance of security through robust security awareness training.
Security controls need to be constantly monitored and tested for efficacy and updated/upgraded as needed to maintain this level of protection. Organizations also require a robust SIEM and a 24-hour Security Operations Center (SOC) to monitor, corroborate, identify and mitigate all potential risks and attacks. Organizations must also try to internally penetrate their security solutions and use external services that simulate outside attackers to ensure their environment is protected. Security programs and the teams responsible should not design their controls as “set and forget” solutions.
Lastly, organizations need a thorough and competent Patch Management team to ensure that all software and Operating Systems across all their technology devices, such as servers, laptops, desktops, etc., are updated with the latest security patches.
This can all get quite costly. But remember, the attackers never let up and spare no expense to attack, so organizations need to be as vigilant. Let’s close with one final analogy: If you were going to the car dealership to buy a new car and were being very cost-conscious, you may not need power heated seats, a moon roof and satellite radio to drive your car safely. However, if given the option to put a less effective braking system in the car to save some money, would you do that? Of course not. The risk is too high. Your safety and the safety of others depend on it. Organizations must take the same approach to their security programs. If you need to cut costs, go look somewhere else.
As a member of the Center for Enterprise Security (CES) team, Anthony works closely with Teradata's strategic customers in the Americas to help them design the right security framework and strategy solutions to meet their security and privacy needs. This includes encryption, authentication, access control, etc. by building on the foundation of advocating, designing and delivering defense in depth, industry best-practices. As a Security/Privacy Architect, Anthony is responsible for articulating to customers all aspects of security and privacy to assist account teams with closing new and existing core opportunities by focusing on the customers’ business-enabled security, privacy and compliance requirements.
Anthony is a Certified Information Systems Security Professional (CISSP) and has been working exclusively within the security and privacy realm for 20 years. Previously, he ran the premier customer success organization for McAfee supporting North America, which provided security consulting and support to the world's largest companies, including current Teradata customers.
Anthony loves boating, golf, home improvement and cars (classics and fast sports cars).