Security Fundamentals

Thanks to the Internet, most of our security perimeters are gone. Cloud apps are the current rage, but some of them have major security loopholes. You can’t spend enough time tweaking your firewalls, as every app is trying to leverage the Web to enter your network. Endpoints will continue to compromise your network, no matter how hard you try to lock them down. And your best people are also your biggest security threat, because they can either inadvertently or deliberately leave open doors to your corporate data.

Here are a few trends to consider:

  • So much for IT policies. Cisco’s security annual report from late last year is most troubling. Gen Y is likely — to the tune of 70 percent — to ignore promulgated IT policies when it comes to security posture. A third don’t have much respect for their IT departments at all. To this generation, everything is public, says David Evans, Cisco’s “chief futurist.” (Now that is a job title that I could enjoy.) Granted, “ten years ago, employees were assigned laptops and told not to lose them, and told not to tell anyone their password. End of security training,” as the report says somewhat simplistically. But it’s not far from the truth. Today, things have gotten a little bit better: Perhaps there is a self-service website that provisions the laptop, or an endpoint security agent that can manage the device. But still, if you can’t rely on your own employees, who can you trust?
  • Back to basics when it comes to securing Web apps. A report from security vendor Cenzic lists a number of vulnerabilities in popular cloud-based apps, including EyeOS, an open source cloud-based desktop; Plesk, a popular control panel used by many hosting providers; and a number of other apps used by millions of people. The issues aren’t some new exploit, but flaws that have been around for dozens of years, like SQL injection or cross-site scripting. If your organization is deploying Web apps, someone needs to take ownership and make sure that they are secured properly.
  • Better endpoint protection may not be enough. In the past year, many traditional anti-virus vendors have improved their products by offering a series of features such as streaming their updates, integrated browser protection against phishing and session hijacking, and better ways to thwart zero-day exploits. But all this may still not be enough, since there are plenty of insecure endpoints that roam the corporate halls.
  • Bringing your own device is a security sink-hole. The popular trend these days is to allow anyone to bring any device and connect it to the corporate network. With all this mobility, we’ve gotten used to just making whatever copies we need of business documents to take with us. We don’t think about what happens if they fall into the wrong hands, or if our devices are lost, or if we use the same password on our personal cloud storage account as we do for our most super-secret corporate servers. We expect that our corporate data can be accessed just as easily as our emails and from any device we are using, no matter where we are located. This creates all sorts of security issues.
  • The great security dumping ground: Ports 80 and 443. The past few years have seen the rise of Software as a Service, Infrastructure as a Service, and even Platforms as a Service. But, for better or worse, these –aaS entities still run over ports 80 and 443 and piggyback on top of Web protocols. We have gotten used to having these ports carry all sorts of traffic that have nothing to do with ordinary browsing, and have to do a better job of sorting out the ways apps use the traditional Web ports, too. We need better firewalls and intrusion detection gear to figure it all out.
  • IT isn’t needed to deliver desktop apps anymore. We don’t need to buy any software or install it on our own desktops: Everything is available in the cloud at a moment’s notice. What’s more, we have gotten used to having the Web as the go-to place to get new tools, software drivers and programs. Software repositories such as GitHub and open source projects, like Apache, have blossomed into places that corporate developers use daily for building their own apps. And why not? They have large support communities and hundreds of projects that are as well tended as something out of Oracle or Microsoft (and some would argue better, too).
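The “back to basics” point above, as an added example that is not code from the original post or from any of the products it names: the classic SQL injection mistake beside its parameterized fix, and the HTML output encoding that stops cross-site scripting. The in-memory database, its table and rows, and the probe string are all constructed for the demo.

```python
import html
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # The decades-old mistake: user input spliced straight into the SQL text,
    # so a quote in the input changes the query's structure.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameter binding: the value travels separately from the query text, so
    # quotes or comment markers in the input stay data and never become SQL.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_greeting_unsafe(name: str) -> str:
    # Same mistake in the HTML context: untrusted data emitted as markup.
    return f"<p>Welcome, {name}</p>"


def render_greeting_safe(name: str) -> str:
    # Contextual output encoding turns <, >, &, and quotes into entities.
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = build_demo_db()
    probe = "x' OR '1'='1"  # constructed test string, not a real user name
    print("unsafe lookup rows:", len(find_user_unsafe(db, probe)))  # 3: whole table leaks
    print("safe lookup rows:  ", len(find_user_safe(db, probe)))    # 0: treated as literal
    print(render_greeting_safe("<script>alert(1)</script>"))
```

A code review or a grep for string-formatted SQL and unescaped template output will catch both patterns long before a scanner does.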

It is clear that IT security is still very much in need, and there are jobs out there for the right mix of skills and experience.