Rings Of Security For Protection Or Bling For Appearance?

By   ISBuzz Team
Writer , Information Security Buzz | Feb 13, 2014 03:25 am PST

Let’s face it, we all have some form of data addiction whether it is watching videos on real or virtual TV. Add to that list doing social media networking, listening to music or podcasts, not to mention more traditional home and work information needs tied together by the Internet of Things (IoT) and Internet of Devices (IoD).

Question is how well do you protect your information including having copies, maintaining privacy and securing access. In my last piece, I mentioned protecting data at rest as well as in transit wrapping up with a quick discussion around self-encrypting devices (SEDs).

lost data

However let’s take a quick step back and revisit your basic  data protection premise which is do you rely on others to give your safety and security, or take care of it yourself, or leverage a shared responsibility model?

For example, do you feel comfortable, safe and secure (as well as do your information assets feel safe) sitting behind your organizations (or home) firewall, or do you have more layers of defense? Is your thinking along the lines of if you are behind the fortress walls, then all is safe as external threat risks are the main issue?

castle walls

On the other hand, do you believe and subscribe to a multiple layers or rings of defense for data protection including both in side as well as outside the firewall, from end-points to destination and points in between?

In other words do you also subscribe to or simply doing what have been told to guard and protect your information assets from both internal as well as external threats, physical or logical, man-made or acts of nature, accidental or intentional including machine to machine attacks?

I am still amazed talking with people around the world many who have concerns with data privacy, security, government eavesdropping, clouds and others that believe they are safe inside their own walls (physical or logical including firewalls). The ones that really amaze me are those that call themselves security experts who actually subscribe to the notion of just leave everything wide open, no need to protect which perhaps in their case maybe they do not have anything to protect anyways.

Another common trend or theme is that when something wrong, blame the technology, tool, vendor, var, consultant, service provider or service which chances are there can be some blame, however what about the person who made the decisions? What I mean is that a technology, tool, vendor, var, consultant, service or cloud provider can have issues, and work around however if you don’t take their advice and then something goes wrong, where’s the shared responsibility?

MaskedRobber

Not surprisingly, I subscribe to a shared responsibility model, which means the tool, technology, service, or provider has responsibilities to make sure their pieces are working. However, I also assume that I have the responsibility to listen to their recommendations, best practices and make smart or at least informed decisions on what to do or not do. This also means having different layers of protection ranging from multiple copies of different versions of data to enabling end-point security, access controls, firewalls as well as security within the walls.

Bingo

This is where the buzzword bingo lists appears with VPN, VLAN, IPsec, SED, AES, Encryption, IAM and rights management among others (yell Bingo when your favorite buzzword is mentioned). In addition setting up detection and monitoring to tell if something happens, or if there is an exposure of a possible threat risk for my local servers, storage, networks, hardware and software, both physical and virtual as well as cloud services. Granted there is room for improvement, which should be part of a shared responsibility of staying current on both new technologies versions (hardware, software, firmware, updates, and plugins) as well as new techniques, best practices.

Bling

This comes back to the premise of if you are doing information security and data protection for real, or for show and bling. If you are serious vs. just for bling or show, take steps to protect your information assets from both internal and external threats. Likewise, make data protection part of your everyday processes as opposed to an afterthought.

Ok, nuff said (for now)

About the author

Greg Schulz is Founder and Sr. Analyst of independent IT advisory and consultancy firm Server and StorageIO (StorageIO). He has worked in IT at an electrical utility, financial services and transportation firms in roles ranging from business applications development to systems management and architecture planning. Mr. Schulz is author of the Intel Recommended Reading List books “Cloud and Virtual Data Storage Networking” and “The Green and Virtual Data Center” via CRC Press and “Resilient Storage Networks” (Elsevier) and a four time VMware vExpert. Learn more at www.storageio.com

Subscribe
Notify of
guest
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

0
Would love your thoughts, please comment.x
()
x