Is this why there is a move away from simple perimeter protection to device-level safeguards?
“Yes, I think it’s really coming down to two things. The perimeter-level protection is no longer a valid defense and when you do a proper protection at the end node … then you are reasonably well protected.”
With so many attacks still spread via email, where does the importance of employee education efforts fall on the security scale?
“It’s actually quite an important one. If you look at security it’s not a pure-play technology issue. It’s people, process and technology. We continually need to do a better job on educating people about how to use technology in a secure manner and to again repeat what has been told so many times before, not to click on email attachments coming in even if they’re coming from friends. It has to be a general policy for the organization.”
What more can be done?
“Many organizations are starting to put separate guest networks in place where (temporary and contract employees) have limited access to resources within the organization, applying the same techniques we have been doing on the Internet for a long time. This is happening as we speak. There is no need for a temporary consultant to have access to the whole network.”
With the popularity of Web services gaining ground daily, does that technology make your network more or less secure?
“Web services … have enforcement mechanisms built in by nature and therefore those Web services have an ability where you don’t need to worry about internally structuring access; instead, it’s basically part of what the Web service provides to you.”
What effect are ever-expanding network access points and Web services having on security?
“This is a big, big problem companies have today: to notice on a methodical and regular basis … ‘What does my perimeter look like?’ What devices are there, what resources are exposed, what services are out there? I wouldn’t necessarily say this is related to Web services. This is more like a general process issue companies have today. This could happen with any application. It’s not limited to Web services.”
Finally, what is more important for good security, governance or technology?
“I think the technology is the means to deliver (services). It’s all about the respective processes around it. It’s really, again, the combination of people, process and technology. The process part is definitely a very important and significant part. You can build the greatest technology (but) if it’s not properly leveraged, if it’s not properly configured and it’s not properly maintained, you are not going to get the benefit if you had, on the other hand, done a good job of putting the right processes around it.”