Moving Towards Pervasive Protection  9 13Pervasive Protection comprises the security solutions and operational capabilities needed to provide balanced, end-to-end security in an increasingly perimeter-less environment. At the heart of any Pervasive Protection implementation is a unified security policy that guides both systems and staff:

  • how various systems should implement controls and monitor events
  • how staff should maintain security systems, analyze security data, respond to incidents, and mitigate risks.

The key is, one policy, many enforcement points and layers of protection, working together and managed holistically.

Most organizations recognize the need for pervasive protection but not even one in three has it.

Pervasive Protection is the key to reducing the risk to the enterprise of information being stolen or leaked, as it pushes the closing of permissions loopholes and discrepancies when security for some systems (say, laptops) is managed separately from other systems (say, mobile devices).

It also entails assessing the true risk of any new technology or service delivery approach (such as BYOD), including the capital investment of gearing up to secure a new service or operating model, to be weighed against the potential costs of not making the change, such as a loss of revenue.

However, IT security teams are mostly still focused on preventing and responding to security problems, though they sometimes are not the folks who evaluate risks, and are rarely the folks who define an organization’s risk tolerance. When a security team evaluates a new application, if it introduces significant new levels of risk or security exposure, they’ll still try to quash it. This culture of “No” is deeply shortsighted from an enterprise perspective. There is, after all, a hidden cost—an opportunity cost—to avoiding useful technologies for security reasons.

IT needs to be the engine of innovation for the enterprise. Facing the growing array of newer technologies with the potential to have transformative impact on business-line processes, such as cloud, mobility, big data, and unified communications (UC), IT security needs to cultivate a culture of “Yes, here’s how” rather than “No.”

What to do next?
  • Clearly identify your company’s overall “risk profile,” particularly in the context of “return on risk,” and who is responsible for making the call on whether something is too risky. How much risk, and especially, risk of loss or exposure of information, can be tolerated in exchange for what types of rewards? And remember, this is a corporate risk-assessment not limited to IT.
  • Launch a “Pervasive Protection” initiative that seeks to unify security policy, drive all security measures according to that policy, and foster a holistic end-to-end view of security and risk management. Identify in particular areas of conflict or ambiguity (e.g. are documents protected one way when stored on-site, but differently if in cloud services? Are policies different regarding what information can be emailed versus shared collaboratively? Are policies different for mobile and desktop devices) and resolve them.
  • Read the following summary “Security FAQ:Evaluating and Planning for Pervasive Protection’ How to adopt this new security paradigm”. by Henry Svendblad Principal Research Analyst, Nemertes.

 

John Burke is a Principle Research Analyst at Nemertes Research. He has written this guest post for the Networking Exchange Blog.